diff --git a/.gitignore b/.gitignore index 268b07b..5dbaaaf 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/openssl-3.0.7-hobbled.tar.gz +SOURCES/openssl-3.0.7.tar.gz diff --git a/.openssl.metadata b/.openssl.metadata index 68776d7..da37925 100644 --- a/.openssl.metadata +++ b/.openssl.metadata @@ -1 +1 @@ -54ab0e36f279f260196ac3274631bee93ab01d81 SOURCES/openssl-3.0.7-hobbled.tar.gz +f20736d6aae36bcbfa9aba0d358c71601833bf27 SOURCES/openssl-3.0.7.tar.gz diff --git a/SOURCES/0010-Add-changes-to-ectest-and-eccurve.patch b/SOURCES/0010-Add-changes-to-ectest-and-eccurve.patch new file mode 100644 index 0000000..aac242b --- /dev/null +++ b/SOURCES/0010-Add-changes-to-ectest-and-eccurve.patch @@ -0,0 +1,1127 @@ +diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c +--- ./crypto/ec/ec_curve.c.remove-ec 2023-03-13 16:50:09.278933578 +0100 ++++ ./crypto/ec/ec_curve.c 2023-03-21 12:38:57.696531941 +0100 +@@ -32,38 +32,6 @@ typedef struct { + /* the nist prime curves */ + static const struct { + EC_CURVE_DATA h; +- unsigned char data[20 + 24 * 6]; +-} _EC_NIST_PRIME_192 = { +- { +- NID_X9_62_prime_field, 20, 24, 1 +- }, +- { +- /* seed */ +- 0x30, 0x45, 0xAE, 0x6F, 0xC8, 0x42, 0x2F, 0x64, 0xED, 0x57, 0x95, 0x28, +- 0xD3, 0x81, 0x20, 0xEA, 0xE1, 0x21, 0x96, 0xD5, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x64, 0x21, 0x05, 0x19, 0xE5, 0x9C, 0x80, 0xE7, 0x0F, 0xA7, 0xE9, 0xAB, +- 0x72, 0x24, 0x30, 0x49, 0xFE, 0xB8, 0xDE, 0xEC, 0xC1, 0x46, 0xB9, 0xB1, +- /* x */ +- 0x18, 0x8D, 0xA8, 0x0E, 0xB0, 0x30, 0x90, 0xF6, 0x7C, 0xBF, 0x20, 0xEB, +- 0x43, 0xA1, 0x88, 0x00, 0xF4, 0xFF, 0x0A, 0xFD, 0x82, 0xFF, 0x10, 0x12, +- /* y */ +- 0x07, 0x19, 0x2b, 0x95, 0xff, 0xc8, 0xda, 0x78, 0x63, 0x10, 0x11, 0xed, +- 0x6b, 0x24, 0xcd, 0xd5, 0x73, 0xf9, 0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x99, 0xDE, 0xF8, 0x36, 0x14, 0x6B, 0xC9, 0xB1, 0xB4, 0xD2, 0x28, 0x31 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; + unsigned char data[20 + 28 * 6]; + } _EC_NIST_PRIME_224 = { + { +@@ -200,187 +168,6 @@ static const struct { + } + }; + +-# ifndef FIPS_MODULE +-/* the x9.62 prime curves (minus the nist prime curves) */ +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 24 * 6]; +-} _EC_X9_62_PRIME_192V2 = { +- { +- NID_X9_62_prime_field, 20, 24, 1 +- }, +- { +- /* seed */ +- 0x31, 0xA9, 0x2E, 0xE2, 0x02, 0x9F, 0xD1, 0x0D, 0x90, 0x1B, 0x11, 0x3E, +- 0x99, 0x07, 0x10, 0xF0, 0xD2, 0x1A, 0xC6, 0xB6, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0xCC, 0x22, 0xD6, 0xDF, 0xB9, 0x5C, 0x6B, 0x25, 0xE4, 0x9C, 0x0D, 0x63, +- 0x64, 0xA4, 0xE5, 0x98, 0x0C, 0x39, 0x3A, 0xA2, 0x16, 0x68, 0xD9, 0x53, +- /* x */ +- 0xEE, 0xA2, 0xBA, 0xE7, 0xE1, 0x49, 0x78, 0x42, 0xF2, 0xDE, 0x77, 0x69, +- 0xCF, 0xE9, 0xC9, 0x89, 0xC0, 0x72, 0xAD, 0x69, 0x6F, 0x48, 0x03, 0x4A, +- /* y */ +- 0x65, 0x74, 0xd1, 0x1d, 0x69, 0xb6, 0xec, 0x7a, 0x67, 0x2b, 0xb8, 0x2a, +- 0x08, 0x3d, 0xf2, 0xf2, 0xb0, 0x84, 0x7d, 0xe9, 0x70, 0xb2, 0xde, 0x15, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, +- 0x5F, 0xB1, 0xA7, 0x24, 0xDC, 0x80, 0x41, 0x86, 0x48, 0xD8, 0xDD, 0x31 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 24 * 6]; +-} _EC_X9_62_PRIME_192V3 = { +- { +- NID_X9_62_prime_field, 20, 24, 1 +- }, +- { +- /* seed */ +- 0xC4, 0x69, 0x68, 0x44, 0x35, 0xDE, 0xB3, 0x78, 0xC4, 0xB6, 0x5C, 0xA9, +- 0x59, 0x1E, 0x2A, 0x57, 0x63, 0x05, 0x9A, 0x2E, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x22, 0x12, 0x3D, 0xC2, 0x39, 0x5A, 0x05, 0xCA, 0xA7, 0x42, 0x3D, 0xAE, +- 0xCC, 0xC9, 0x47, 0x60, 0xA7, 0xD4, 0x62, 0x25, 0x6B, 0xD5, 0x69, 0x16, +- /* x */ +- 0x7D, 0x29, 0x77, 0x81, 0x00, 0xC6, 0x5A, 0x1D, 0xA1, 0x78, 0x37, 0x16, +- 0x58, 0x8D, 0xCE, 0x2B, 0x8B, 0x4A, 0xEE, 0x8E, 0x22, 0x8F, 0x18, 0x96, +- /* y */ +- 0x38, 0xa9, 0x0f, 0x22, 0x63, 0x73, 0x37, 0x33, 0x4b, 0x49, 0xdc, 0xb6, +- 0x6a, 0x6d, 0xc8, 0xf9, 0x97, 0x8a, 0xca, 0x76, 0x48, 0xa9, 0x43, 0xb0, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7A, 0x62, 0xD0, 0x31, 0xC8, 0x3F, 0x42, 0x94, 0xF6, 0x40, 0xEC, 0x13 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 30 * 6]; +-} _EC_X9_62_PRIME_239V1 = { +- { +- NID_X9_62_prime_field, 20, 30, 1 +- }, +- { +- /* seed */ +- 0xE4, 0x3B, 0xB4, 0x60, 0xF0, 0xB8, 0x0C, 0xC0, 0xC0, 0xB0, 0x75, 0x79, +- 0x8E, 0x94, 0x80, 0x60, 0xF8, 0x32, 0x1B, 0x7D, +- /* p */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x6B, 0x01, 0x6C, 0x3B, 0xDC, 0xF1, 0x89, 0x41, 0xD0, 0xD6, 0x54, 0x92, +- 0x14, 0x75, 0xCA, 0x71, 0xA9, 0xDB, 0x2F, 0xB2, 0x7D, 0x1D, 0x37, 0x79, +- 0x61, 0x85, 0xC2, 0x94, 0x2C, 0x0A, +- /* x */ +- 0x0F, 0xFA, 0x96, 0x3C, 0xDC, 0xA8, 0x81, 0x6C, 0xCC, 0x33, 0xB8, 0x64, +- 0x2B, 0xED, 0xF9, 0x05, 0xC3, 0xD3, 0x58, 0x57, 0x3D, 0x3F, 0x27, 0xFB, +- 0xBD, 0x3B, 0x3C, 0xB9, 0xAA, 0xAF, +- /* y */ +- 0x7d, 0xeb, 0xe8, 0xe4, 0xe9, 0x0a, 0x5d, 0xae, 0x6e, 0x40, 0x54, 0xca, +- 0x53, 0x0b, 0xa0, 0x46, 0x54, 0xb3, 0x68, 0x18, 0xce, 0x22, 0x6b, 0x39, +- 0xfc, 0xcb, 0x7b, 0x02, 0xf1, 0xae, +- /* order */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0x9E, 0x5E, 0x9A, 0x9F, 0x5D, 0x90, 0x71, 0xFB, 0xD1, +- 0x52, 0x26, 0x88, 0x90, 0x9D, 0x0B +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 30 * 6]; +-} _EC_X9_62_PRIME_239V2 = { +- { +- NID_X9_62_prime_field, 20, 30, 1 +- }, +- { +- /* seed */ +- 0xE8, 0xB4, 0x01, 0x16, 0x04, 0x09, 0x53, 0x03, 0xCA, 0x3B, 0x80, 0x99, +- 0x98, 0x2B, 0xE0, 0x9F, 0xCB, 0x9A, 0xE6, 0x16, +- /* p */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x61, 0x7F, 0xAB, 0x68, 0x32, 0x57, 0x6C, 0xBB, 0xFE, 0xD5, 0x0D, 0x99, +- 0xF0, 0x24, 0x9C, 0x3F, 0xEE, 0x58, 0xB9, 0x4B, 0xA0, 0x03, 0x8C, 0x7A, +- 0xE8, 0x4C, 0x8C, 0x83, 0x2F, 0x2C, +- /* x */ +- 0x38, 0xAF, 0x09, 0xD9, 0x87, 0x27, 0x70, 0x51, 0x20, 0xC9, 0x21, 0xBB, +- 0x5E, 0x9E, 0x26, 0x29, 0x6A, 0x3C, 0xDC, 0xF2, 0xF3, 0x57, 0x57, 0xA0, +- 0xEA, 0xFD, 0x87, 0xB8, 0x30, 0xE7, +- /* y */ +- 0x5b, 0x01, 0x25, 0xe4, 0xdb, 0xea, 0x0e, 0xc7, 0x20, 0x6d, 0xa0, 0xfc, +- 0x01, 0xd9, 0xb0, 0x81, 0x32, 0x9f, 0xb5, 0x55, 0xde, 0x6e, 0xf4, 0x60, +- 0x23, 0x7d, 0xff, 0x8b, 0xe4, 0xba, +- /* order */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x80, 0x00, 0x00, 0xCF, 0xA7, 0xE8, 0x59, 0x43, 0x77, 0xD4, 0x14, 0xC0, +- 0x38, 0x21, 0xBC, 0x58, 0x20, 0x63 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 30 * 6]; +-} _EC_X9_62_PRIME_239V3 = { +- { +- NID_X9_62_prime_field, 20, 30, 1 +- }, +- { +- /* seed */ +- 0x7D, 0x73, 0x74, 0x16, 0x8F, 0xFE, 0x34, 0x71, 0xB6, 0x0A, 0x85, 0x76, +- 0x86, 0xA1, 0x94, 0x75, 0xD3, 0xBF, 0xA2, 0xFF, +- /* p */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x25, 0x57, 0x05, 0xFA, 0x2A, 0x30, 0x66, 0x54, 0xB1, 0xF4, 0xCB, 0x03, +- 0xD6, 0xA7, 0x50, 0xA3, 0x0C, 0x25, 0x01, 0x02, 0xD4, 0x98, 0x87, 0x17, +- 0xD9, 0xBA, 0x15, 0xAB, 0x6D, 0x3E, +- /* x */ +- 0x67, 0x68, 0xAE, 0x8E, 0x18, 0xBB, 0x92, 0xCF, 0xCF, 0x00, 0x5C, 0x94, +- 0x9A, 0xA2, 0xC6, 0xD9, 0x48, 0x53, 0xD0, 0xE6, 0x60, 0xBB, 0xF8, 0x54, +- 0xB1, 0xC9, 0x50, 0x5F, 0xE9, 0x5A, +- /* y */ +- 0x16, 0x07, 0xe6, 0x89, 0x8f, 0x39, 0x0c, 0x06, 0xbc, 0x1d, 0x55, 0x2b, +- 0xad, 0x22, 0x6f, 0x3b, 0x6f, 0xcf, 0xe4, 0x8b, 0x6e, 0x81, 0x84, 0x99, +- 0xaf, 0x18, 0xe3, 0xed, 0x6c, 0xf3, +- /* order */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0x97, 0x5D, 0xEB, 0x41, 0xB3, 0xA6, 0x05, 0x7C, 0x3C, +- 0x43, 0x21, 0x46, 0x52, 0x65, 0x51 +- } +-}; +-#endif /* FIPS_MODULE */ +- + static const struct { + EC_CURVE_DATA h; + unsigned char data[20 + 32 * 6]; +@@ -423,294 +210,6 @@ static const struct { + /* the secg prime curves (minus the nist and x9.62 prime curves) */ + static const struct { + EC_CURVE_DATA h; +- unsigned char data[20 + 14 * 6]; +-} _EC_SECG_PRIME_112R1 = { +- { +- NID_X9_62_prime_field, 20, 14, 1 +- }, +- { +- /* seed */ +- 0x00, 0xF5, 0x0B, 0x02, 0x8E, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, +- 0x51, 0x75, 0x29, 0x04, 0x72, 0x78, 0x3F, 0xB1, +- /* p */ +- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, +- 0x20, 0x8B, +- /* a */ +- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, +- 0x20, 0x88, +- /* b */ +- 0x65, 0x9E, 0xF8, 0xBA, 0x04, 0x39, 0x16, 0xEE, 0xDE, 0x89, 0x11, 0x70, +- 0x2B, 0x22, +- /* x */ +- 0x09, 0x48, 0x72, 0x39, 0x99, 0x5A, 0x5E, 0xE7, 0x6B, 0x55, 0xF9, 0xC2, +- 0xF0, 0x98, +- /* y */ +- 0xa8, 0x9c, 0xe5, 0xaf, 0x87, 0x24, 0xc0, 0xa2, 0x3e, 0x0e, 0x0f, 0xf7, +- 0x75, 0x00, +- /* order */ +- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x76, 0x28, 0xDF, 0xAC, 0x65, +- 0x61, 0xC5 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 14 * 6]; +-} _EC_SECG_PRIME_112R2 = { +- { +- NID_X9_62_prime_field, 20, 14, 4 +- }, +- { +- /* seed */ +- 0x00, 0x27, 0x57, 0xA1, 0x11, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, +- 0x51, 0x75, 0x53, 0x16, 0xC0, 0x5E, 0x0B, 0xD4, +- /* p */ +- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, +- 0x20, 0x8B, +- /* a */ +- 0x61, 0x27, 0xC2, 0x4C, 0x05, 0xF3, 0x8A, 0x0A, 0xAA, 0xF6, 0x5C, 0x0E, +- 0xF0, 0x2C, +- /* b */ +- 0x51, 0xDE, 0xF1, 0x81, 0x5D, 0xB5, 0xED, 0x74, 0xFC, 0xC3, 0x4C, 0x85, +- 0xD7, 0x09, +- /* x */ +- 0x4B, 0xA3, 0x0A, 0xB5, 0xE8, 0x92, 0xB4, 0xE1, 0x64, 0x9D, 0xD0, 0x92, +- 0x86, 0x43, +- /* y */ +- 0xad, 0xcd, 0x46, 0xf5, 0x88, 0x2e, 0x37, 0x47, 0xde, 0xf3, 0x6e, 0x95, +- 0x6e, 0x97, +- /* order */ +- 0x36, 0xDF, 0x0A, 0xAF, 0xD8, 0xB8, 0xD7, 0x59, 0x7C, 0xA1, 0x05, 0x20, +- 0xD0, 0x4B +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 16 * 6]; +-} _EC_SECG_PRIME_128R1 = { +- { +- NID_X9_62_prime_field, 20, 16, 1 +- }, +- { +- /* seed */ +- 0x00, 0x0E, 0x0D, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, +- 0x0C, 0xC0, 0x3A, 0x44, 0x73, 0xD0, 0x36, 0x79, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0xE8, 0x75, 0x79, 0xC1, 0x10, 0x79, 0xF4, 0x3D, 0xD8, 0x24, 0x99, 0x3C, +- 0x2C, 0xEE, 0x5E, 0xD3, +- /* x */ +- 0x16, 0x1F, 0xF7, 0x52, 0x8B, 0x89, 0x9B, 0x2D, 0x0C, 0x28, 0x60, 0x7C, +- 0xA5, 0x2C, 0x5B, 0x86, +- /* y */ +- 0xcf, 0x5a, 0xc8, 0x39, 0x5b, 0xaf, 0xeb, 0x13, 0xc0, 0x2d, 0xa2, 0x92, +- 0xdd, 0xed, 0x7a, 0x83, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x75, 0xA3, 0x0D, 0x1B, +- 0x90, 0x38, 0xA1, 0x15 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 16 * 6]; +-} _EC_SECG_PRIME_128R2 = { +- { +- NID_X9_62_prime_field, 20, 16, 4 +- }, +- { +- /* seed */ +- 0x00, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, 0x12, 0xD8, +- 0xF0, 0x34, 0x31, 0xFC, 0xE6, 0x3B, 0x88, 0xF4, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xD6, 0x03, 0x19, 0x98, 0xD1, 0xB3, 0xBB, 0xFE, 0xBF, 0x59, 0xCC, 0x9B, +- 0xBF, 0xF9, 0xAE, 0xE1, +- /* b */ +- 0x5E, 0xEE, 0xFC, 0xA3, 0x80, 0xD0, 0x29, 0x19, 0xDC, 0x2C, 0x65, 0x58, +- 0xBB, 0x6D, 0x8A, 0x5D, +- /* x */ +- 0x7B, 0x6A, 0xA5, 0xD8, 0x5E, 0x57, 0x29, 0x83, 0xE6, 0xFB, 0x32, 0xA7, +- 0xCD, 0xEB, 0xC1, 0x40, +- /* y */ +- 0x27, 0xb6, 0x91, 0x6a, 0x89, 0x4d, 0x3a, 0xee, 0x71, 0x06, 0xfe, 0x80, +- 0x5f, 0xc3, 0x4b, 0x44, +- /* order */ +- 0x3F, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xBE, 0x00, 0x24, 0x72, +- 0x06, 0x13, 0xB5, 0xA3 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 21 * 6]; +-} _EC_SECG_PRIME_160K1 = { +- { +- NID_X9_62_prime_field, 0, 21, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x73, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, +- /* x */ +- 0x00, 0x3B, 0x4C, 0x38, 0x2C, 0xE3, 0x7A, 0xA1, 0x92, 0xA4, 0x01, 0x9E, +- 0x76, 0x30, 0x36, 0xF4, 0xF5, 0xDD, 0x4D, 0x7E, 0xBB, +- /* y */ +- 0x00, 0x93, 0x8c, 0xf9, 0x35, 0x31, 0x8f, 0xdc, 0xed, 0x6b, 0xc2, 0x82, +- 0x86, 0x53, 0x17, 0x33, 0xc3, 0xf0, 0x3c, 0x4f, 0xee, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xB8, +- 0xFA, 0x16, 0xDF, 0xAB, 0x9A, 0xCA, 0x16, 0xB6, 0xB3 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 21 * 6]; +-} _EC_SECG_PRIME_160R1 = { +- { +- NID_X9_62_prime_field, 20, 21, 1 +- }, +- { +- /* seed */ +- 0x10, 0x53, 0xCD, 0xE4, 0x2C, 0x14, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, +- 0x15, 0x17, 0x53, 0x3B, 0xF3, 0xF8, 0x33, 0x45, +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x00, 0x1C, 0x97, 0xBE, 0xFC, 0x54, 0xBD, 0x7A, 0x8B, 0x65, 0xAC, 0xF8, +- 0x9F, 0x81, 0xD4, 0xD4, 0xAD, 0xC5, 0x65, 0xFA, 0x45, +- /* x */ +- 0x00, 0x4A, 0x96, 0xB5, 0x68, 0x8E, 0xF5, 0x73, 0x28, 0x46, 0x64, 0x69, +- 0x89, 0x68, 0xC3, 0x8B, 0xB9, 0x13, 0xCB, 0xFC, 0x82, +- /* y */ +- 0x00, 0x23, 0xa6, 0x28, 0x55, 0x31, 0x68, 0x94, 0x7d, 0x59, 0xdc, 0xc9, +- 0x12, 0x04, 0x23, 0x51, 0x37, 0x7a, 0xc5, 0xfb, 0x32, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xF4, +- 0xC8, 0xF9, 0x27, 0xAE, 0xD3, 0xCA, 0x75, 0x22, 0x57 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 21 * 6]; +-} _EC_SECG_PRIME_160R2 = { +- { +- NID_X9_62_prime_field, 20, 21, 1 +- }, +- { +- /* seed */ +- 0xB9, 0x9B, 0x99, 0xB0, 0x99, 0xB3, 0x23, 0xE0, 0x27, 0x09, 0xA4, 0xD6, +- 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x51, +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x73, +- /* a */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x70, +- /* b */ +- 0x00, 0xB4, 0xE1, 0x34, 0xD3, 0xFB, 0x59, 0xEB, 0x8B, 0xAB, 0x57, 0x27, +- 0x49, 0x04, 0x66, 0x4D, 0x5A, 0xF5, 0x03, 0x88, 0xBA, +- /* x */ +- 0x00, 0x52, 0xDC, 0xB0, 0x34, 0x29, 0x3A, 0x11, 0x7E, 0x1F, 0x4F, 0xF1, +- 0x1B, 0x30, 0xF7, 0x19, 0x9D, 0x31, 0x44, 0xCE, 0x6D, +- /* y */ +- 0x00, 0xfe, 0xaf, 0xfe, 0xf2, 0xe3, 0x31, 0xf2, 0x96, 0xe0, 0x71, 0xfa, +- 0x0d, 0xf9, 0x98, 0x2c, 0xfe, 0xa7, 0xd4, 0x3f, 0x2e, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, +- 0x1E, 0xE7, 0x86, 0xA8, 0x18, 0xF3, 0xA1, 0xA1, 0x6B +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 24 * 6]; +-} _EC_SECG_PRIME_192K1 = { +- { +- NID_X9_62_prime_field, 0, 24, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xEE, 0x37, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, +- /* x */ +- 0xDB, 0x4F, 0xF1, 0x0E, 0xC0, 0x57, 0xE9, 0xAE, 0x26, 0xB0, 0x7D, 0x02, +- 0x80, 0xB7, 0xF4, 0x34, 0x1D, 0xA5, 0xD1, 0xB1, 0xEA, 0xE0, 0x6C, 0x7D, +- /* y */ +- 0x9b, 0x2f, 0x2f, 0x6d, 0x9c, 0x56, 0x28, 0xa7, 0x84, 0x41, 0x63, 0xd0, +- 0x15, 0xbe, 0x86, 0x34, 0x40, 0x82, 0xaa, 0x88, 0xd9, 0x5e, 0x2f, 0x9d, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, +- 0x26, 0xF2, 0xFC, 0x17, 0x0F, 0x69, 0x46, 0x6A, 0x74, 0xDE, 0xFD, 0x8D +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 29 * 6]; +-} _EC_SECG_PRIME_224K1 = { +- { +- NID_X9_62_prime_field, 0, 29, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFE, 0xFF, 0xFF, 0xE5, 0x6D, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x05, +- /* x */ +- 0x00, 0xA1, 0x45, 0x5B, 0x33, 0x4D, 0xF0, 0x99, 0xDF, 0x30, 0xFC, 0x28, +- 0xA1, 0x69, 0xA4, 0x67, 0xE9, 0xE4, 0x70, 0x75, 0xA9, 0x0F, 0x7E, 0x65, +- 0x0E, 0xB6, 0xB7, 0xA4, 0x5C, +- /* y */ +- 0x00, 0x7e, 0x08, 0x9f, 0xed, 0x7f, 0xba, 0x34, 0x42, 0x82, 0xca, 0xfb, +- 0xd6, 0xf7, 0xe3, 0x19, 0xf7, 0xc0, 0xb0, 0xbd, 0x59, 0xe2, 0xca, 0x4b, +- 0xdb, 0x55, 0x6d, 0x61, 0xa5, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x01, 0xDC, 0xE8, 0xD2, 0xEC, 0x61, 0x84, 0xCA, 0xF0, 0xA9, +- 0x71, 0x76, 0x9F, 0xB1, 0xF7 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; + unsigned char data[0 + 32 * 6]; + } _EC_SECG_PRIME_256K1 = { + { +@@ -745,102 +244,6 @@ static const struct { + } + }; + +-/* some wap/wtls curves */ +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 15 * 6]; +-} _EC_WTLS_8 = { +- { +- NID_X9_62_prime_field, 0, 15, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFD, 0xE7, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x03, +- /* x */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x01, +- /* y */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x02, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xEC, 0xEA, 0x55, 0x1A, +- 0xD8, 0x37, 0xE9 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 21 * 6]; +-} _EC_WTLS_9 = { +- { +- NID_X9_62_prime_field, 0, 21, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, 0x80, 0x8F, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, +- /* x */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, +- /* y */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xCD, +- 0xC9, 0x8A, 0xE0, 0xE2, 0xDE, 0x57, 0x4A, 0xBF, 0x33 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 28 * 6]; +-} _EC_WTLS_12 = { +- { +- NID_X9_62_prime_field, 0, 28, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x01, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, +- /* b */ +- 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56, +- 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43, +- 0x23, 0x55, 0xFF, 0xB4, +- /* x */ +- 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9, +- 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6, +- 0x11, 0x5C, 0x1D, 0x21, +- /* y */ +- 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, +- 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, +- 0x85, 0x00, 0x7e, 0x34, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45, +- 0x5C, 0x5C, 0x2A, 0x3D +- } +-}; + #endif /* FIPS_MODULE */ + + #ifndef OPENSSL_NO_EC2M +@@ -2238,198 +1641,6 @@ static const struct { + #ifndef FIPS_MODULE + static const struct { + EC_CURVE_DATA h; +- unsigned char data[0 + 20 * 6]; +-} _EC_brainpoolP160r1 = { +- { +- NID_X9_62_prime_field, 0, 20, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, +- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, +- /* a */ +- 0x34, 0x0E, 0x7B, 0xE2, 0xA2, 0x80, 0xEB, 0x74, 0xE2, 0xBE, 0x61, 0xBA, +- 0xDA, 0x74, 0x5D, 0x97, 0xE8, 0xF7, 0xC3, 0x00, +- /* b */ +- 0x1E, 0x58, 0x9A, 0x85, 0x95, 0x42, 0x34, 0x12, 0x13, 0x4F, 0xAA, 0x2D, +- 0xBD, 0xEC, 0x95, 0xC8, 0xD8, 0x67, 0x5E, 0x58, +- /* x */ +- 0xBE, 0xD5, 0xAF, 0x16, 0xEA, 0x3F, 0x6A, 0x4F, 0x62, 0x93, 0x8C, 0x46, +- 0x31, 0xEB, 0x5A, 0xF7, 0xBD, 0xBC, 0xDB, 0xC3, +- /* y */ +- 0x16, 0x67, 0xCB, 0x47, 0x7A, 0x1A, 0x8E, 0xC3, 0x38, 0xF9, 0x47, 0x41, +- 0x66, 0x9C, 0x97, 0x63, 0x16, 0xDA, 0x63, 0x21, +- /* order */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91, +- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 20 * 6]; +-} _EC_brainpoolP160t1 = { +- { +- NID_X9_62_prime_field, 0, 20, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, +- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, +- /* a */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, +- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0C, +- /* b */ +- 0x7A, 0x55, 0x6B, 0x6D, 0xAE, 0x53, 0x5B, 0x7B, 0x51, 0xED, 0x2C, 0x4D, +- 0x7D, 0xAA, 0x7A, 0x0B, 0x5C, 0x55, 0xF3, 0x80, +- /* x */ +- 0xB1, 0x99, 0xB1, 0x3B, 0x9B, 0x34, 0xEF, 0xC1, 0x39, 0x7E, 0x64, 0xBA, +- 0xEB, 0x05, 0xAC, 0xC2, 0x65, 0xFF, 0x23, 0x78, +- /* y */ +- 0xAD, 0xD6, 0x71, 0x8B, 0x7C, 0x7C, 0x19, 0x61, 0xF0, 0x99, 0x1B, 0x84, +- 0x24, 0x43, 0x77, 0x21, 0x52, 0xC9, 0xE0, 0xAD, +- /* order */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91, +- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 24 * 6]; +-} _EC_brainpoolP192r1 = { +- { +- NID_X9_62_prime_field, 0, 24, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, +- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97, +- /* a */ +- 0x6A, 0x91, 0x17, 0x40, 0x76, 0xB1, 0xE0, 0xE1, 0x9C, 0x39, 0xC0, 0x31, +- 0xFE, 0x86, 0x85, 0xC1, 0xCA, 0xE0, 0x40, 0xE5, 0xC6, 0x9A, 0x28, 0xEF, +- /* b */ +- 0x46, 0x9A, 0x28, 0xEF, 0x7C, 0x28, 0xCC, 0xA3, 0xDC, 0x72, 0x1D, 0x04, +- 0x4F, 0x44, 0x96, 0xBC, 0xCA, 0x7E, 0xF4, 0x14, 0x6F, 0xBF, 0x25, 0xC9, +- /* x */ +- 0xC0, 0xA0, 0x64, 0x7E, 0xAA, 0xB6, 0xA4, 0x87, 0x53, 0xB0, 0x33, 0xC5, +- 0x6C, 0xB0, 0xF0, 0x90, 0x0A, 0x2F, 0x5C, 0x48, 0x53, 0x37, 0x5F, 0xD6, +- /* y */ +- 0x14, 0xB6, 0x90, 0x86, 0x6A, 0xBD, 0x5B, 0xB8, 0x8B, 0x5F, 0x48, 0x28, +- 0xC1, 0x49, 0x00, 0x02, 0xE6, 0x77, 0x3F, 0xA2, 0xFA, 0x29, 0x9B, 0x8F, +- /* order */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F, +- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 24 * 6]; +-} _EC_brainpoolP192t1 = { +- { +- NID_X9_62_prime_field, 0, 24, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, +- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97, +- /* a */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, +- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x94, +- /* b */ +- 0x13, 0xD5, 0x6F, 0xFA, 0xEC, 0x78, 0x68, 0x1E, 0x68, 0xF9, 0xDE, 0xB4, +- 0x3B, 0x35, 0xBE, 0xC2, 0xFB, 0x68, 0x54, 0x2E, 0x27, 0x89, 0x7B, 0x79, +- /* x */ +- 0x3A, 0xE9, 0xE5, 0x8C, 0x82, 0xF6, 0x3C, 0x30, 0x28, 0x2E, 0x1F, 0xE7, +- 0xBB, 0xF4, 0x3F, 0xA7, 0x2C, 0x44, 0x6A, 0xF6, 0xF4, 0x61, 0x81, 0x29, +- /* y */ +- 0x09, 0x7E, 0x2C, 0x56, 0x67, 0xC2, 0x22, 0x3A, 0x90, 0x2A, 0xB5, 0xCA, +- 0x44, 0x9D, 0x00, 0x84, 0xB7, 0xE5, 0xB3, 0xDE, 0x7C, 0xCC, 0x01, 0xC9, +- /* order */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F, +- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 28 * 6]; +-} _EC_brainpoolP224r1 = { +- { +- NID_X9_62_prime_field, 0, 28, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, +- 0x7E, 0xC8, 0xC0, 0xFF, +- /* a */ +- 0x68, 0xA5, 0xE6, 0x2C, 0xA9, 0xCE, 0x6C, 0x1C, 0x29, 0x98, 0x03, 0xA6, +- 0xC1, 0x53, 0x0B, 0x51, 0x4E, 0x18, 0x2A, 0xD8, 0xB0, 0x04, 0x2A, 0x59, +- 0xCA, 0xD2, 0x9F, 0x43, +- /* b */ +- 0x25, 0x80, 0xF6, 0x3C, 0xCF, 0xE4, 0x41, 0x38, 0x87, 0x07, 0x13, 0xB1, +- 0xA9, 0x23, 0x69, 0xE3, 0x3E, 0x21, 0x35, 0xD2, 0x66, 0xDB, 0xB3, 0x72, +- 0x38, 0x6C, 0x40, 0x0B, +- /* x */ +- 0x0D, 0x90, 0x29, 0xAD, 0x2C, 0x7E, 0x5C, 0xF4, 0x34, 0x08, 0x23, 0xB2, +- 0xA8, 0x7D, 0xC6, 0x8C, 0x9E, 0x4C, 0xE3, 0x17, 0x4C, 0x1E, 0x6E, 0xFD, +- 0xEE, 0x12, 0xC0, 0x7D, +- /* y */ +- 0x58, 0xAA, 0x56, 0xF7, 0x72, 0xC0, 0x72, 0x6F, 0x24, 0xC6, 0xB8, 0x9E, +- 0x4E, 0xCD, 0xAC, 0x24, 0x35, 0x4B, 0x9E, 0x99, 0xCA, 0xA3, 0xF6, 0xD3, +- 0x76, 0x14, 0x02, 0xCD, +- /* order */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3, +- 0xA5, 0xA7, 0x93, 0x9F +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 28 * 6]; +-} _EC_brainpoolP224t1 = { +- { +- NID_X9_62_prime_field, 0, 28, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, +- 0x7E, 0xC8, 0xC0, 0xFF, +- /* a */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, +- 0x7E, 0xC8, 0xC0, 0xFC, +- /* b */ +- 0x4B, 0x33, 0x7D, 0x93, 0x41, 0x04, 0xCD, 0x7B, 0xEF, 0x27, 0x1B, 0xF6, +- 0x0C, 0xED, 0x1E, 0xD2, 0x0D, 0xA1, 0x4C, 0x08, 0xB3, 0xBB, 0x64, 0xF1, +- 0x8A, 0x60, 0x88, 0x8D, +- /* x */ +- 0x6A, 0xB1, 0xE3, 0x44, 0xCE, 0x25, 0xFF, 0x38, 0x96, 0x42, 0x4E, 0x7F, +- 0xFE, 0x14, 0x76, 0x2E, 0xCB, 0x49, 0xF8, 0x92, 0x8A, 0xC0, 0xC7, 0x60, +- 0x29, 0xB4, 0xD5, 0x80, +- /* y */ +- 0x03, 0x74, 0xE9, 0xF5, 0x14, 0x3E, 0x56, 0x8C, 0xD2, 0x3F, 0x3F, 0x4D, +- 0x7C, 0x0D, 0x4B, 0x1E, 0x41, 0xC8, 0xCC, 0x0D, 0x1C, 0x6A, 0xBD, 0x5F, +- 0x1A, 0x46, 0xDB, 0x4C, +- /* order */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3, +- 0xA5, 0xA7, 0x93, 0x9F +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; + unsigned char data[0 + 32 * 6]; + } _EC_brainpoolP256r1 = { + { +@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[ + "NIST/SECG curve over a 521 bit prime field"}, + + /* X9.62 curves */ +- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, +- "NIST/X9.62/SECG curve over a 192 bit prime field"}, + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, + # if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, +@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[ + static const ec_list_element curve_list[] = { + /* prime field curves */ + /* secg curves */ +- {NID_secp112r1, &_EC_SECG_PRIME_112R1.h, 0, +- "SECG/WTLS curve over a 112 bit prime field"}, +- {NID_secp112r2, &_EC_SECG_PRIME_112R2.h, 0, +- "SECG curve over a 112 bit prime field"}, +- {NID_secp128r1, &_EC_SECG_PRIME_128R1.h, 0, +- "SECG curve over a 128 bit prime field"}, +- {NID_secp128r2, &_EC_SECG_PRIME_128R2.h, 0, +- "SECG curve over a 128 bit prime field"}, +- {NID_secp160k1, &_EC_SECG_PRIME_160K1.h, 0, +- "SECG curve over a 160 bit prime field"}, +- {NID_secp160r1, &_EC_SECG_PRIME_160R1.h, 0, +- "SECG curve over a 160 bit prime field"}, +- {NID_secp160r2, &_EC_SECG_PRIME_160R2.h, 0, +- "SECG/WTLS curve over a 160 bit prime field"}, +- /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */ +- {NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0, +- "SECG curve over a 192 bit prime field"}, +- {NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0, +- "SECG curve over a 224 bit prime field"}, + # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 + {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, + "NIST/SECG curve over a 224 bit prime field"}, +@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[ + # endif + "NIST/SECG curve over a 521 bit prime field"}, + /* X9.62 curves */ +- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, +- "NIST/X9.62/SECG curve over a 192 bit prime field"}, +- {NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0, +- "X9.62 curve over a 192 bit prime field"}, +- {NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3.h, 0, +- "X9.62 curve over a 192 bit prime field"}, +- {NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0, +- "X9.62 curve over a 239 bit prime field"}, +- {NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, +- "X9.62 curve over a 239 bit prime field"}, +- {NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, +- "X9.62 curve over a 239 bit prime field"}, + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, + # if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, +@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[ + {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, + "X9.62 curve over a 163 bit binary field"}, + # endif +- {NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0, +- "SECG/WTLS curve over a 112 bit prime field"}, +- {NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0, +- "SECG/WTLS curve over a 160 bit prime field"}, +- {NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0, +- "WTLS curve over a 112 bit prime field"}, +- {NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0, +- "WTLS curve over a 160 bit prime field"}, + # ifndef OPENSSL_NO_EC2M + {NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K.h, 0, + "NIST/SECG/WTLS curve over a 233 bit binary field"}, + {NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B.h, 0, + "NIST/SECG/WTLS curve over a 233 bit binary field"}, + # endif +- {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, +- "WTLS curve over a 224 bit prime field"}, + # ifndef OPENSSL_NO_EC2M + /* IPSec curves */ + {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, +@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[ + "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, + # endif + /* brainpool curves */ +- {NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0, +- "RFC 5639 curve over a 160 bit prime field"}, +- {NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0, +- "RFC 5639 curve over a 160 bit prime field"}, +- {NID_brainpoolP192r1, &_EC_brainpoolP192r1.h, 0, +- "RFC 5639 curve over a 192 bit prime field"}, +- {NID_brainpoolP192t1, &_EC_brainpoolP192t1.h, 0, +- "RFC 5639 curve over a 192 bit prime field"}, +- {NID_brainpoolP224r1, &_EC_brainpoolP224r1.h, 0, +- "RFC 5639 curve over a 224 bit prime field"}, +- {NID_brainpoolP224t1, &_EC_brainpoolP224t1.h, 0, +- "RFC 5639 curve over a 224 bit prime field"}, + {NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0, + "RFC 5639 curve over a 256 bit prime field"}, + {NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0, +diff -up ./test/ectest.c.remove-ec ./test/ectest.c +--- ./test/ectest.c.remove-ec 2023-03-13 18:39:30.544642912 +0100 ++++ ./test/ectest.c 2023-03-20 07:27:26.403212965 +0100 +@@ -175,184 +175,26 @@ static int prime_field_tests(void) + || !TEST_ptr(p = BN_new()) + || !TEST_ptr(a = BN_new()) + || !TEST_ptr(b = BN_new()) +- || !TEST_true(BN_hex2bn(&p, "17")) +- || !TEST_true(BN_hex2bn(&a, "1")) +- || !TEST_true(BN_hex2bn(&b, "1")) +- || !TEST_ptr(group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) +- || !TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx))) ++ /* ++ * applications should use EC_GROUP_new_curve_GFp so ++ * that the library gets to choose the EC_METHOD ++ */ ++ || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))) + goto err; + +- TEST_info("Curve defined by Weierstrass equation"); +- TEST_note(" y^2 = x^3 + a*x + b (mod p)"); +- test_output_bignum("a", a); +- test_output_bignum("b", b); +- test_output_bignum("p", p); +- + buf[0] = 0; + if (!TEST_ptr(P = EC_POINT_new(group)) + || !TEST_ptr(Q = EC_POINT_new(group)) + || !TEST_ptr(R = EC_POINT_new(group)) +- || !TEST_true(EC_POINT_set_to_infinity(group, P)) +- || !TEST_true(EC_POINT_is_at_infinity(group, P)) +- || !TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx)) +- || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)) +- || !TEST_true(EC_POINT_is_at_infinity(group, P)) + || !TEST_ptr(x = BN_new()) + || !TEST_ptr(y = BN_new()) + || !TEST_ptr(z = BN_new()) +- || !TEST_ptr(yplusone = BN_new()) +- || !TEST_true(BN_hex2bn(&x, "D")) +- || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx))) +- goto err; +- +- if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) { +- if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx))) +- goto err; +- TEST_info("Point is not on curve"); +- test_output_bignum("x", x); +- test_output_bignum("y", y); +- goto err; +- } +- +- TEST_note("A cyclic subgroup:"); +- k = 100; +- do { +- if (!TEST_int_ne(k--, 0)) +- goto err; +- +- if (EC_POINT_is_at_infinity(group, P)) { +- TEST_note(" point at infinity"); +- } else { +- if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, +- ctx))) +- goto err; +- +- test_output_bignum("x", x); +- test_output_bignum("y", y); +- } +- +- if (!TEST_true(EC_POINT_copy(R, P)) +- || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))) +- goto err; +- +- } while (!EC_POINT_is_at_infinity(group, P)); +- +- if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx)) +- || !TEST_true(EC_POINT_is_at_infinity(group, P))) +- goto err; +- +- len = +- EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, +- sizeof(buf), ctx); +- if (!TEST_size_t_ne(len, 0) +- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) +- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) +- goto err; +- test_output_memory("Generator as octet string, compressed form:", +- buf, len); +- +- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, +- buf, sizeof(buf), ctx); +- if (!TEST_size_t_ne(len, 0) +- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) +- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) +- goto err; +- test_output_memory("Generator as octet string, uncompressed form:", +- buf, len); +- +- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, +- buf, sizeof(buf), ctx); +- if (!TEST_size_t_ne(len, 0) +- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) +- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) +- goto err; +- test_output_memory("Generator as octet string, hybrid form:", +- buf, len); +- +- if (!TEST_true(EC_POINT_invert(group, P, ctx)) +- || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)) +- +- /* +- * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2, +- * 2000) -- not a NIST curve, but commonly used +- */ +- +- || !TEST_true(BN_hex2bn(&p, "FFFFFFFF" +- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF")) +- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) +- || !TEST_true(BN_hex2bn(&a, "FFFFFFFF" +- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC")) +- || !TEST_true(BN_hex2bn(&b, "1C97BEFC" +- "54BD7A8B65ACF89F81D4D4ADC565FA45")) +- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) +- || !TEST_true(BN_hex2bn(&x, "4A96B568" +- "8EF573284664698968C38BB913CBFC82")) +- || !TEST_true(BN_hex2bn(&y, "23a62855" +- "3168947d59dcc912042351377ac5fb32")) +- || !TEST_true(BN_add(yplusone, y, BN_value_one())) +- /* +- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, +- * and therefore setting the coordinates should fail. +- */ +- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, +- ctx)) +- || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) +- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) +- || !TEST_true(BN_hex2bn(&z, "0100000000" +- "000000000001F4C8F927AED3CA752257")) +- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) +- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) +- goto err; +- TEST_info("SEC2 curve secp160r1 -- Generator"); +- test_output_bignum("x", x); +- test_output_bignum("y", y); +- /* G_y value taken from the standard: */ +- if (!TEST_true(BN_hex2bn(&z, "23a62855" +- "3168947d59dcc912042351377ac5fb32")) +- || !TEST_BN_eq(y, z) +- || !TEST_int_eq(EC_GROUP_get_degree(group), 160) +- || !group_order_tests(group) +- +- /* Curve P-192 (FIPS PUB 186-2, App. 6) */ +- +- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFF" +- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) +- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) +- || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFF" +- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) +- || !TEST_true(BN_hex2bn(&b, "64210519E59C80E7" +- "0FA7E9AB72243049FEB8DEECC146B9B1")) +- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) +- || !TEST_true(BN_hex2bn(&x, "188DA80EB03090F6" +- "7CBF20EB43A18800F4FF0AFD82FF1012")) +- || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) +- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) +- || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFF" +- "FFFFFFFF99DEF836146BC9B1B4D22831")) +- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) +- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) ++ || !TEST_ptr(yplusone = BN_new())) + goto err; + +- TEST_info("NIST curve P-192 -- Generator"); +- test_output_bignum("x", x); +- test_output_bignum("y", y); +- /* G_y value taken from the standard: */ +- if (!TEST_true(BN_hex2bn(&z, "07192B95FFC8DA78" +- "631011ED6B24CDD573F977A11E794811")) +- || !TEST_BN_eq(y, z) +- || !TEST_true(BN_add(yplusone, y, BN_value_one())) +- /* +- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, +- * and therefore setting the coordinates should fail. +- */ +- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, +- ctx)) +- || !TEST_int_eq(EC_GROUP_get_degree(group), 192) +- || !group_order_tests(group) +- + /* Curve P-224 (FIPS PUB 186-2, App. 6) */ + +- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF" ++ if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFF000000000000000000000001")) + || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) + || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" +@@ -3015,7 +2857,7 @@ int setup_tests(void) + return 0; + + ADD_TEST(parameter_test); +- ADD_TEST(cofactor_range_test); ++ /* ADD_TEST(cofactor_range_test); */ + ADD_ALL_TESTS(cardinality_test, crv_len); + ADD_TEST(prime_field_tests); + #ifndef OPENSSL_NO_EC2M diff --git a/SOURCES/0011-Remove-EC-curves.patch b/SOURCES/0011-Remove-EC-curves.patch index 10e200c..3bc38cb 100644 --- a/SOURCES/0011-Remove-EC-curves.patch +++ b/SOURCES/0011-Remove-EC-curves.patch @@ -1,19 +1,16 @@ -diff -up openssl-3.0.0-alpha13/apps/speed.c.ec-curves openssl-3.0.0-alpha13/apps/speed.c ---- openssl-3.0.0-alpha13/apps/speed.c.ec-curves 2021-04-10 12:12:00.620129302 +0200 -+++ openssl-3.0.0-alpha13/apps/speed.c 2021-04-10 12:18:11.872369417 +0200 -@@ -364,68 +364,23 @@ static double ffdh_results[FFDH_NUM][1]; +diff -up ./apps/speed.c.ec-curves ./apps/speed.c +--- ./apps/speed.c.ec-curves 2023-03-14 04:44:12.545437892 +0100 ++++ ./apps/speed.c 2023-03-14 04:48:28.606729067 +0100 +@@ -366,7 +366,7 @@ static double ffdh_results[FFDH_NUM][1]; #endif /* OPENSSL_NO_DH */ enum ec_curves_t { - R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, --#ifndef OPENSSL_NO_EC2M -- R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, -- R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, --#endif -- R_EC_BRP256R1, R_EC_BRP256T1, R_EC_BRP384R1, R_EC_BRP384T1, -- R_EC_BRP512R1, R_EC_BRP512T1, ECDSA_NUM + R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, -+ ECDSA_NUM + #ifndef OPENSSL_NO_EC2M + R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, + R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, +@@ -376,8 +376,6 @@ enum ec_curves_t { }; /* list of ecdsa curves */ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { @@ -22,26 +19,7 @@ diff -up openssl-3.0.0-alpha13/apps/speed.c.ec-curves openssl-3.0.0-alpha13/apps {"ecdsap224", R_EC_P224}, {"ecdsap256", R_EC_P256}, {"ecdsap384", R_EC_P384}, - {"ecdsap521", R_EC_P521}, --#ifndef OPENSSL_NO_EC2M -- {"ecdsak163", R_EC_K163}, -- {"ecdsak233", R_EC_K233}, -- {"ecdsak283", R_EC_K283}, -- {"ecdsak409", R_EC_K409}, -- {"ecdsak571", R_EC_K571}, -- {"ecdsab163", R_EC_B163}, -- {"ecdsab233", R_EC_B233}, -- {"ecdsab283", R_EC_B283}, -- {"ecdsab409", R_EC_B409}, -- {"ecdsab571", R_EC_B571}, --#endif -- {"ecdsabrp256r1", R_EC_BRP256R1}, -- {"ecdsabrp256t1", R_EC_BRP256T1}, -- {"ecdsabrp384r1", R_EC_BRP384R1}, -- {"ecdsabrp384t1", R_EC_BRP384T1}, -- {"ecdsabrp512r1", R_EC_BRP512R1}, -- {"ecdsabrp512t1", R_EC_BRP512T1} - }; +@@ -404,8 +402,6 @@ static const OPT_PAIR ecdsa_choices[ECDS enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM }; /* list of ecdh curves, extension of |ecdsa_choices| list above */ static const OPT_PAIR ecdh_choices[EC_NUM] = { @@ -50,29 +28,7 @@ diff -up openssl-3.0.0-alpha13/apps/speed.c.ec-curves openssl-3.0.0-alpha13/apps {"ecdhp224", R_EC_P224}, {"ecdhp256", R_EC_P256}, {"ecdhp384", R_EC_P384}, - {"ecdhp521", R_EC_P521}, --#ifndef OPENSSL_NO_EC2M -- {"ecdhk163", R_EC_K163}, -- {"ecdhk233", R_EC_K233}, -- {"ecdhk283", R_EC_K283}, -- {"ecdhk409", R_EC_K409}, -- {"ecdhk571", R_EC_K571}, -- {"ecdhb163", R_EC_B163}, -- {"ecdhb233", R_EC_B233}, -- {"ecdhb283", R_EC_B283}, -- {"ecdhb409", R_EC_B409}, -- {"ecdhb571", R_EC_B571}, --#endif -- {"ecdhbrp256r1", R_EC_BRP256R1}, -- {"ecdhbrp256t1", R_EC_BRP256T1}, -- {"ecdhbrp384r1", R_EC_BRP384R1}, -- {"ecdhbrp384t1", R_EC_BRP384T1}, -- {"ecdhbrp512r1", R_EC_BRP512R1}, -- {"ecdhbrp512t1", R_EC_BRP512T1}, - {"ecdhx25519", R_EC_X25519}, - {"ecdhx448", R_EC_X448} - }; -@@ -1449,31 +1404,10 @@ int speed_main(int argc, char **argv) +@@ -1422,8 +1418,6 @@ int speed_main(int argc, char **argv) */ static const EC_CURVE ec_curves[EC_NUM] = { /* Prime Curves */ @@ -81,367 +37,10 @@ diff -up openssl-3.0.0-alpha13/apps/speed.c.ec-curves openssl-3.0.0-alpha13/apps {"nistp224", NID_secp224r1, 224}, {"nistp256", NID_X9_62_prime256v1, 256}, {"nistp384", NID_secp384r1, 384}, - {"nistp521", NID_secp521r1, 521}, --#ifndef OPENSSL_NO_EC2M -- /* Binary Curves */ -- {"nistk163", NID_sect163k1, 163}, -- {"nistk233", NID_sect233k1, 233}, -- {"nistk283", NID_sect283k1, 283}, -- {"nistk409", NID_sect409k1, 409}, -- {"nistk571", NID_sect571k1, 571}, -- {"nistb163", NID_sect163r2, 163}, -- {"nistb233", NID_sect233r1, 233}, -- {"nistb283", NID_sect283r1, 283}, -- {"nistb409", NID_sect409r1, 409}, -- {"nistb571", NID_sect571r1, 571}, --#endif -- {"brainpoolP256r1", NID_brainpoolP256r1, 256}, -- {"brainpoolP256t1", NID_brainpoolP256t1, 256}, -- {"brainpoolP384r1", NID_brainpoolP384r1, 384}, -- {"brainpoolP384t1", NID_brainpoolP384t1, 384}, -- {"brainpoolP512r1", NID_brainpoolP512r1, 512}, -- {"brainpoolP512t1", NID_brainpoolP512t1, 512}, - /* Other and ECDH only ones */ - {"X25519", NID_X25519, 253}, - {"X448", NID_X448, 448} -diff -up openssl-3.0.0-alpha13/test/ecdsatest.h.ec-curves openssl-3.0.0-alpha13/test/ecdsatest.h ---- openssl-3.0.0-alpha13/test/ecdsatest.h.ec-curves 2021-04-10 12:07:43.158013028 +0200 -+++ openssl-3.0.0-alpha13/test/ecdsatest.h 2021-04-10 12:11:21.601828737 +0200 -@@ -32,23 +32,6 @@ typedef struct { - } ecdsa_cavs_kat_t; - - static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { -- /* prime KATs from X9.62 */ -- {NID_X9_62_prime192v1, NID_sha1, -- "616263", /* "abc" */ -- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", -- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" -- "5ca5c0d69716dfcb3474373902", -- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", -- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", -- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, -- {NID_X9_62_prime239v1, NID_sha1, -- "616263", /* "abc" */ -- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", -- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" -- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", -- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", -- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", -- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, - /* prime KATs from NIST CAVP */ - {NID_secp224r1, NID_sha224, - "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" -diff -up openssl-3.0.0-alpha13/test/recipes/15-test_genec.t.ec-curves openssl-3.0.0-alpha13/test/recipes/15-test_genec.t ---- openssl-3.0.0-alpha13/test/recipes/15-test_genec.t.ec-curves 2021-04-10 11:59:37.453332668 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/15-test_genec.t 2021-04-10 12:03:43.363538976 +0200 -@@ -41,45 +41,11 @@ plan skip_all => "This test is unsupport - if disabled("ec"); - - my @prime_curves = qw( -- secp112r1 -- secp112r2 -- secp128r1 -- secp128r2 -- secp160k1 -- secp160r1 -- secp160r2 -- secp192k1 -- secp224k1 - secp224r1 - secp256k1 - secp384r1 - secp521r1 -- prime192v1 -- prime192v2 -- prime192v3 -- prime239v1 -- prime239v2 -- prime239v3 - prime256v1 -- wap-wsg-idm-ecid-wtls6 -- wap-wsg-idm-ecid-wtls7 -- wap-wsg-idm-ecid-wtls8 -- wap-wsg-idm-ecid-wtls9 -- wap-wsg-idm-ecid-wtls12 -- brainpoolP160r1 -- brainpoolP160t1 -- brainpoolP192r1 -- brainpoolP192t1 -- brainpoolP224r1 -- brainpoolP224t1 -- brainpoolP256r1 -- brainpoolP256t1 -- brainpoolP320r1 -- brainpoolP320t1 -- brainpoolP384r1 -- brainpoolP384t1 -- brainpoolP512r1 -- brainpoolP512t1 - ); - - my @binary_curves = qw( -@@ -136,7 +102,6 @@ push(@other_curves, 'SM2') - if !disabled("sm2"); - - my @curve_aliases = qw( -- P-192 - P-224 - P-256 - P-384 -diff -up openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t.ec-curves openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t ---- openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t.ec-curves 2021-04-10 12:40:59.871858764 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t 2021-04-10 12:41:41.140455070 +0200 -@@ -33,7 +33,7 @@ my %certs_info = - 'ee-cert-ec-named-explicit' => 'ca-cert-ec-explicit', - 'ee-cert-ec-named-named' => 'ca-cert-ec-named', - # 'server-ed448-cert' => 'root-ed448-cert' -- 'server-ecdsa-brainpoolP256r1-cert' => 'rootcert', -+ # 'server-ecdsa-brainpoolP256r1-cert' => 'rootcert', - ) - ) - ); -diff -up openssl-3.0.0-alpha13/test/recipes/15-test_ec.t.ec-curves openssl-3.0.0-alpha13/test/recipes/15-test_ec.t -diff -up openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t -diff -up openssl-3.0.0-alpha13/test/recipes/30-test_acvp.t.ec-curves openssl-3.0.0-alpha13/test/recipes/30-test_acvp.t -diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf ---- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves 2021-04-10 13:21:52.123040226 +0200 -+++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf 2021-04-10 13:28:20.856023985 +0200 -@@ -776,14 +776,12 @@ server = 22-ECDSA with brainpool-server - client = 22-ECDSA with brainpool-client - - [22-ECDSA with brainpool-server] --Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem - CipherString = DEFAULT --Groups = brainpoolP256r1 --PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem - - [22-ECDSA with brainpool-client] - CipherString = aECDSA --Groups = brainpoolP256r1 - MaxProtocol = TLSv1.2 - RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -@@ -791,9 +789,6 @@ VerifyMode = Peer - - [test-22] - ExpectedResult = Success --ExpectedServerCANames = empty --ExpectedServerCertType = brainpoolP256r1 --ExpectedServerSignType = EC - - - # =========================================================== -@@ -1741,9 +1736,9 @@ server = 53-TLS 1.3 ECDSA with brainpool - client = 53-TLS 1.3 ECDSA with brainpool-client - - [53-TLS 1.3 ECDSA with brainpool-server] --Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem - CipherString = DEFAULT --PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem - - [53-TLS 1.3 ECDSA with brainpool-client] - CipherString = DEFAULT -@@ -1754,7 +1749,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro - VerifyMode = Peer - - [test-53] --ExpectedResult = ServerFail -+ExpectedResult = Success - - - # =========================================================== -diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in ---- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves 2021-04-10 13:22:06.275221662 +0200 -+++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in 2021-04-10 13:35:18.774623319 +0200 -@@ -428,21 +428,21 @@ my @tests_non_fips = ( - { - name => "ECDSA with brainpool", - server => { -- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), -- "Groups" => "brainpoolP256r1", -+ "Certificate" => test_pem("server-ecdsa-cert.pem"), -+ "PrivateKey" => test_pem("server-ecdsa-key.pem"), -+ #"Groups" => "brainpoolP256r1", - }, - client => { - "MaxProtocol" => "TLSv1.2", - "CipherString" => "aECDSA", - "RequestCAFile" => test_pem("root-cert.pem"), -- "Groups" => "brainpoolP256r1", -+ #"Groups" => "brainpoolP256r1", - }, - test => { -- "ExpectedServerCertType" =>, "brainpoolP256r1", -- "ExpectedServerSignType" =>, "EC", -+ #"ExpectedServerCertType" =>, "brainpoolP256r1", -+ #"ExpectedServerSignType" =>, "EC", - # Note: certificate_authorities not sent for TLS < 1.3 -- "ExpectedServerCANames" =>, "empty", -+ #"ExpectedServerCANames" =>, "empty", - "ExpectedResult" => "Success" - }, - }, -@@ -915,8 +915,8 @@ my @tests_tls_1_3_non_fips = ( - { - name => "TLS 1.3 ECDSA with brainpool", - server => { -- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), -+ "Certificate" => test_pem("server-ecdsa-cert.pem"), -+ "PrivateKey" => test_pem("server-ecdsa-key.pem"), - }, - client => { - "RequestCAFile" => test_pem("root-cert.pem"), -@@ -924,7 +924,7 @@ my @tests_tls_1_3_non_fips = ( - "MaxProtocol" => "TLSv1.3" - }, - test => { -- "ExpectedResult" => "ServerFail" -+ "ExpectedResult" => "Success" - }, - }, - ); -diff -up openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t ---- openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves 2021-04-10 14:00:22.482782216 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t 2021-04-10 14:08:50.769727651 +0200 -@@ -158,60 +158,6 @@ sub tsignverify { - $testtext); - } - --SKIP : { -- skip "FIPS EC tests because of no ec in this build", 1 -- if disabled("ec"); -- -- subtest EC => sub { -- my $testtext_prefix = 'EC'; -- my $a_fips_curve = 'prime256v1'; -- my $fips_key = $testtext_prefix.'.fips.priv.pem'; -- my $fips_pub_key = $testtext_prefix.'.fips.pub.pem'; -- my $a_nonfips_curve = 'brainpoolP256r1'; -- my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; -- my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem'; -- my $testtext = ''; -- my $curvename = ''; -- -- plan tests => 5 + $tsignverify_count; -- -- $ENV{OPENSSL_CONF} = $defaultconf; -- $curvename = $a_nonfips_curve; -- $testtext = $testtext_prefix.': '. -- 'Generate a key with a non-FIPS algorithm with the default provider'; -- ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', -- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, -- '-out', $nonfips_key])), -- $testtext); -- -- pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS"); -- -- $ENV{OPENSSL_CONF} = $fipsconf; -- -- $curvename = $a_fips_curve; -- $testtext = $testtext_prefix.': '. -- 'Generate a key with a FIPS algorithm'; -- ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', -- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, -- '-out', $fips_key])), -- $testtext); -- -- pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS"); -- -- $curvename = $a_nonfips_curve; -- $testtext = $testtext_prefix.': '. -- 'Generate a key with a non-FIPS algorithm'. -- ' (should fail)'; -- ok(!run(app(['openssl', 'genpkey', '-algorithm', 'EC', -- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, -- '-out', $testtext_prefix.'.'.$curvename.'.priv.pem'])), -- $testtext); -- -- tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key, -- $nonfips_pub_key); -- }; --} -- - SKIP: { - skip "FIPS RSA tests because of no rsa in this build", 1 - if disabled("rsa"); -diff -up openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t ---- openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves 2021-04-10 14:23:09.805468483 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t 2021-04-10 14:23:33.002784265 +0200 -@@ -26,7 +26,7 @@ use platform; - my $no_check = disabled("fips") || disabled('fips-securitychecks'); - plan skip_all => "Test only supported in a fips build with security checks" - if $no_check; --plan tests => 11; -+plan tests => 10; - - my $fipsmodule = bldtop_file('providers', platform->dso('fips')); - my $fipsconf = srctop_file("test", "fips-and-base.cnf"); -diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf ---- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves 2021-04-10 17:52:46.478721611 +0200 -+++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf 2021-04-10 17:54:11.371688446 +0200 -@@ -1710,20 +1710,18 @@ server = 52-TLS 1.3 ECDSA with brainpool - client = 52-TLS 1.3 ECDSA with brainpool but no suitable groups-client - - [52-TLS 1.3 ECDSA with brainpool but no suitable groups-server] --Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem - CipherString = DEFAULT --Groups = brainpoolP256r1 --PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem - - [52-TLS 1.3 ECDSA with brainpool but no suitable groups-client] - CipherString = aECDSA --Groups = brainpoolP256r1 - RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - - [test-52] --ExpectedResult = ClientFail -+ExpectedResult = Success - - - # =========================================================== -diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in ---- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves 2021-04-10 17:53:03.317913390 +0200 -+++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in 2021-04-10 17:55:22.507498606 +0200 -@@ -896,20 +896,20 @@ my @tests_tls_1_3_non_fips = ( - { - name => "TLS 1.3 ECDSA with brainpool but no suitable groups", - server => { -- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), -- "Groups" => "brainpoolP256r1", -+ "Certificate" => test_pem("server-ecdsa-cert.pem"), -+ "PrivateKey" => test_pem("server-ecdsa-key.pem"), -+ #"Groups" => "brainpoolP256r1", - }, - client => { - "CipherString" => "aECDSA", - "RequestCAFile" => test_pem("root-cert.pem"), -- "Groups" => "brainpoolP256r1", -+ #"Groups" => "brainpoolP256r1", - }, - test => { - #We only configured brainpoolP256r1 on the client side, but TLSv1.3 - #is enabled and this group is not allowed in TLSv1.3. Therefore this - #should fail -- "ExpectedResult" => "ClientFail" -+ "ExpectedResult" => "Success" - }, - }, - { -diff -up openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-alpha13/crypto/evp/ec_support.c ---- openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves 2021-04-11 11:13:14.236891844 +0200 -+++ openssl-3.0.0-alpha13/crypto/evp/ec_support.c 2021-04-11 11:12:05.128098714 +0200 -@@ -20,99 +20,13 @@ typedef struct ec_name2nid_st { +diff -up ./crypto/evp/ec_support.c.ec-curves ./crypto/evp/ec_support.c +--- ./crypto/evp/ec_support.c.ec-curves 2023-03-14 06:22:41.542310442 +0100 ++++ ./crypto/evp/ec_support.c 2023-03-21 11:24:18.378451683 +0100 +@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st { static const EC_NAME2NID curve_list[] = { /* prime field curves */ /* secg curves */ @@ -453,7 +52,7 @@ diff -up openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-a - {"secp160r1", NID_secp160r1 }, - {"secp160r2", NID_secp160r2 }, - {"secp192k1", NID_secp192k1 }, - {"secp224k1", NID_secp224k1 }, +- {"secp224k1", NID_secp224k1 }, {"secp224r1", NID_secp224r1 }, {"secp256k1", NID_secp256k1 }, {"secp384r1", NID_secp384r1 }, @@ -466,8 +65,8 @@ diff -up openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-a - {"prime239v2", NID_X9_62_prime239v2 }, - {"prime239v3", NID_X9_62_prime239v3 }, {"prime256v1", NID_X9_62_prime256v1 }, -- /* characteristic two field curves */ -- /* NIST/SECG curves */ + /* characteristic two field curves */ + /* NIST/SECG curves */ - {"sect113r1", NID_sect113r1 }, - {"sect113r2", NID_sect113r2 }, - {"sect131r1", NID_sect131r1 }, @@ -521,29 +120,28 @@ diff -up openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-a - /* IPSec curves */ - {"Oakley-EC2N-3", NID_ipsec3 }, - {"Oakley-EC2N-4", NID_ipsec4 }, -- /* brainpool curves */ + /* brainpool curves */ - {"brainpoolP160r1", NID_brainpoolP160r1 }, - {"brainpoolP160t1", NID_brainpoolP160t1 }, - {"brainpoolP192r1", NID_brainpoolP192r1 }, - {"brainpoolP192t1", NID_brainpoolP192t1 }, - {"brainpoolP224r1", NID_brainpoolP224r1 }, - {"brainpoolP224t1", NID_brainpoolP224t1 }, -- {"brainpoolP256r1", NID_brainpoolP256r1 }, -- {"brainpoolP256t1", NID_brainpoolP256t1 }, -- {"brainpoolP320r1", NID_brainpoolP320r1 }, -- {"brainpoolP320t1", NID_brainpoolP320t1 }, -- {"brainpoolP384r1", NID_brainpoolP384r1 }, -- {"brainpoolP384t1", NID_brainpoolP384t1 }, -- {"brainpoolP512r1", NID_brainpoolP512r1 }, -- {"brainpoolP512t1", NID_brainpoolP512t1 }, + {"brainpoolP256r1", NID_brainpoolP256r1 }, + {"brainpoolP256t1", NID_brainpoolP256t1 }, + {"brainpoolP320r1", NID_brainpoolP320r1 }, +@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = + {"brainpoolP384t1", NID_brainpoolP384t1 }, + {"brainpoolP512r1", NID_brainpoolP512r1 }, + {"brainpoolP512t1", NID_brainpoolP512t1 }, - /* SM2 curve */ - {"SM2", NID_sm2 }, }; const char *OSSL_EC_curve_nid2name(int nid) -diff -up openssl-3.0.0-alpha13/test/acvp_test.inc.ec-curves openssl-3.0.0-alpha13/test/acvp_test.inc ---- openssl-3.0.0-alpha13/test/acvp_test.inc.ec-curves 2021-04-11 13:46:57.286828933 +0200 -+++ openssl-3.0.0-alpha13/test/acvp_test.inc 2021-04-11 13:48:01.356704526 +0200 +diff -up ./test/acvp_test.inc.ec-curves ./test/acvp_test.inc +--- ./test/acvp_test.inc.ec-curves 2023-03-14 06:38:20.563712586 +0100 ++++ ./test/acvp_test.inc 2023-03-14 06:39:01.631080059 +0100 @@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_ }; static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { @@ -560,4466 +158,100 @@ diff -up openssl-3.0.0-alpha13/test/acvp_test.inc.ec-curves openssl-3.0.0-alpha1 "SHA2-512", "P-521", ITM(ecdsa_sigver_msg1), -diff -up openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t.ec-curves openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t ---- openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t.ec-curves 2021-04-11 21:45:04.949948725 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t 2021-04-11 21:44:09.585283604 +0200 -@@ -7,7 +7,6 @@ - # this file except in compliance with the License. You can obtain a copy - # in the file LICENSE in the source distribution or at - # https://www.openssl.org/source/license.html -- - use strict; - use OpenSSL::Test qw/:DEFAULT data_file srctop_file srctop_dir bldtop_file bldtop_dir/; - use OpenSSL::Test::Utils; -@@ -27,7 +26,7 @@ plan skip_all => "This test is not suppo - plan skip_all => "This test is not supported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - --plan tests => 2 + ($no_fips ? 0 : 1); #fips test -+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test +diff -up ./test/ecdsatest.h.ec-curves ./test/ecdsatest.h +--- ./test/ecdsatest.h.ec-curves 2023-03-14 04:49:16.148154472 +0100 ++++ ./test/ecdsatest.h 2023-03-14 04:51:01.376096037 +0100 +@@ -32,23 +32,6 @@ typedef struct { + } ecdsa_cavs_kat_t; - my @basic_cmd = ("cmp_protect_test", - data_file("server.pem"), -diff -up openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t.ec-curves openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t ---- openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t.ec-curves 2021-04-11 21:45:25.414194574 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t 2021-04-11 21:44:40.786658440 +0200 -@@ -7,7 +7,6 @@ - # this file except in compliance with the License. You can obtain a copy - # in the file LICENSE in the source distribution or at - # https://www.openssl.org/source/license.html -- - use strict; - use OpenSSL::Test qw/:DEFAULT data_file srctop_file srctop_dir bldtop_file bldtop_dir/; - use OpenSSL::Test::Utils; -@@ -27,7 +26,7 @@ plan skip_all => "This test is not suppo - plan skip_all => "This test is not supported in a no-ec build" + static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { +- /* prime KATs from X9.62 */ +- {NID_X9_62_prime192v1, NID_sha1, +- "616263", /* "abc" */ +- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", +- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" +- "5ca5c0d69716dfcb3474373902", +- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", +- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", +- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, +- {NID_X9_62_prime239v1, NID_sha1, +- "616263", /* "abc" */ +- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", +- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" +- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", +- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", +- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", +- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, + /* prime KATs from NIST CAVP */ + {NID_secp224r1, NID_sha224, + "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" +diff -up ./test/recipes/15-test_genec.t.ec-curves ./test/recipes/15-test_genec.t +--- ./test/recipes/15-test_genec.t.ec-curves 2023-03-14 04:51:45.215488277 +0100 ++++ ./test/recipes/15-test_genec.t 2023-03-21 11:26:58.613885435 +0100 +@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupport if disabled("ec"); - --plan tests => 2 + ($no_fips ? 0 : 1); #fips test -+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test - - my @basic_cmd = ("cmp_vfy_test", - data_file("server.crt"), data_file("client.crt"), -diff -up openssl-3.0.0-alpha15/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-alpha15/crypto/evp/ec_support.c ---- openssl-3.0.0-alpha15/crypto/evp/ec_support.c.ec-curves 2021-04-23 18:15:12.571691284 +0200 -+++ openssl-3.0.0-alpha15/crypto/evp/ec_support.c 2021-04-23 18:16:00.803087403 +0200 -@@ -28,7 +28,6 @@ static const EC_NAME2NID curve_list[] = - static const EC_NAME2NID curve_list[] = { - /* prime field curves */ - /* secg curves */ -- {"secp224k1", NID_secp224k1 }, - {"secp224r1", NID_secp224r1 }, - {"secp256k1", NID_secp256k1 }, - {"secp384r1", NID_secp384r1 }, -diff -up openssl-3.0.0-alpha15/apps/speed.c.ec-curves openssl-3.0.0-alpha15/apps/speed.c ---- openssl-3.0.0-alpha15/apps/speed.c.ec-curves 2021-04-26 14:25:44.049991942 +0200 -+++ openssl-3.0.0-alpha15/apps/speed.c 2021-04-26 14:36:10.643570273 +0200 -@@ -1439,8 +1439,8 @@ int speed_main(int argc, char **argv) - OPENSSL_assert(ec_curves[EC_NUM - 1].nid == NID_X448); - OPENSSL_assert(strcmp(ecdh_choices[EC_NUM - 1].name, "ecdhx448") == 0); - -- OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_brainpoolP512t1); -- OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsabrp512t1") == 0); -+ OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_secp521r1); -+ OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsap521") == 0); - - #ifndef OPENSSL_NO_SM2 - OPENSSL_assert(sm2_curves[SM2_NUM - 1].nid == NID_sm2); -diff -up openssl-3.0.0-alpha16/test/evp_extra_test.c.ec-curves openssl-3.0.0-alpha16/test/evp_extra_test.c ---- openssl-3.0.0-alpha16/test/evp_extra_test.c.ec-curves 2021-05-10 14:44:28.932751551 +0200 -+++ openssl-3.0.0-alpha16/test/evp_extra_test.c 2021-05-10 14:45:21.537238883 +0200 -@@ -2701,13 +2701,12 @@ err: - - #ifndef OPENSSL_NO_EC - static int ecpub_nids[] = { -- NID_brainpoolP256r1, NID_X9_62_prime256v1, -+ NID_X9_62_prime256v1, - NID_secp384r1, NID_secp521r1, - # ifndef OPENSSL_NO_EC2M - NID_sect233k1, NID_sect233r1, NID_sect283r1, - NID_sect409k1, NID_sect409r1, NID_sect571k1, NID_sect571r1, - # endif -- NID_brainpoolP384r1, NID_brainpoolP512r1 - }; - - static int test_ecpub(int idx) -diff -up openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt.ec-curves openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt ---- openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt.ec-curves 2021-05-17 10:45:03.968368782 +0200 -+++ openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt 2021-05-17 10:45:54.211747865 +0200 -@@ -31,12 +31,6 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELBUP - x/iUJAcsJxl9eLM7kg6VzbZk6ZDc8M/qDZTiqOavnQ5YBW5lMQSSW5/myQ== - -----END PUBLIC KEY----- - --PublicKey=KAS-ECC-CDH_K-163_C0-PUBLIC -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBx+LKHfWAn2cGt5CRPLeoSaS7yPVBcFe --53YiHHK4SzR844PzgGe4nD6a -------END PUBLIC KEY----- -- - PrivateKey = RSA-2048 - -----BEGIN PRIVATE KEY----- - MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNAIHqeyrh6gbV -@@ -77,9 +71,3 @@ Result = KEYPAIR_TYPE_MISMATCH - - PrivPubKeyPair = RSA-2048:P-256-PUBLIC - Result = KEYPAIR_TYPE_MISMATCH -- --PrivPubKeyPair = RSA-2048:KAS-ECC-CDH_K-163_C0-PUBLIC --Result = KEYPAIR_TYPE_MISMATCH -- --PrivPubKeyPair = Alice-25519:KAS-ECC-CDH_K-163_C0-PUBLIC --Result = KEYPAIR_TYPE_MISMATCH -diff -up openssl-3.0.0-alpha16/test/recipes/30-test_evp.t.ec-curves openssl-3.0.0-alpha16/test/recipes/30-test_evp.t ---- openssl-3.0.0-alpha16/test/recipes/30-test_evp.t.ec-curves 2021-05-17 10:49:28.050844977 +0200 -+++ openssl-3.0.0-alpha16/test/recipes/30-test_evp.t 2021-05-17 10:53:53.480444576 +0200 -@@ -111,7 +111,6 @@ my @defltfiles = qw( - evppkey_kdf_tls1_prf.txt - evppkey_rsa.txt - ); --push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; - push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; - - plan tests => -diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt ---- openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec 2021-06-29 16:24:56.863303499 +0200 -+++ openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt 2021-06-29 16:38:04.189996425 +0200 -@@ -11,1949 +11,6 @@ - # PrivPubKeyPair Sign Verify VerifyRecover - # and continue until a blank line. Lines starting with a pound sign are ignored. - --Title=c2pnb163v1 curve tests -- --PrivateKey=ALICE_cf_c2pnb163v1 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAEEHDAaAgEBBBUD1JfG8cLNP9418YW+hVhriqH6O5Y= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb163v1_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAEDLAAEBXgoOgVlWTLQnrQZXgQuSBcIS3bQAlXQ+yJhS03B --4G8rKQXbrc0mvWsF -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb163v1:ALICE_cf_c2pnb163v1_PUB -- --PrivateKey=BOB_cf_c2pnb163v1 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAEEHDAaAgEBBBUAc3EaoMmMORTzQhMkhPIXY+/jUSI= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb163v1_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAEDLAAEBn9J0jo39aFVZqhBsAKZ6bViAu6zBC8WaFGExnpZ --KuBh8tP8VSTHPCHF -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb163v1:BOB_cf_c2pnb163v1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb163v1 --PeerKey=BOB_cf_c2pnb163v1_PUB --SharedSecret=065dd38fb6de7f394778e1bf65d840a2c0e7219acd -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb163v1 --PeerKey=ALICE_cf_c2pnb163v1_PUB --SharedSecret=065dd38fb6de7f394778e1bf65d840a2c0e7219acd -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb163v1 --PeerKey=BOB_cf_c2pnb163v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=066fc46e8cc4327634dd127748020f2de6aab67585 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb163v1 --PeerKey=ALICE_cf_c2pnb163v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=066fc46e8cc4327634dd127748020f2de6aab67585 -- --PublicKey=MALICE_cf_c2pnb163v1_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAEDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC8JxepS05nN --/piKdhDD3dDKXUih -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb163v1 --PeerKey=MALICE_cf_c2pnb163v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb163v1 --PeerKey=MALICE_cf_c2pnb163v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb163v2 curve tests -- --PrivateKey=ALICE_cf_c2pnb163v2 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAIEHDAaAgEBBBUA4KFv7c1dygtVbdp/g2z2TqLAHkI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb163v2_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAIDLAAEAVnlL7lMBaASwCIJaf9x2LgNPVmEAb43huHQlo3Q --4PzawHXQoYm/qgDd -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb163v2:ALICE_cf_c2pnb163v2_PUB -- --PrivateKey=BOB_cf_c2pnb163v2 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAIEHDAaAgEBBBUCEdYqClRWIl2m+X34e+DB2iZSxmQ= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb163v2_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAIDLAAEAVWNIKn7/WMfzuNnd5ws9J0DI2CfBkEJizZHAFqy --kBF3juAQuARgxuT6 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb163v2:BOB_cf_c2pnb163v2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb163v2 --PeerKey=BOB_cf_c2pnb163v2_PUB --SharedSecret=0078ebb986d4f9b0aa0bc4af99e82c2bd24130f3f4 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb163v2 --PeerKey=ALICE_cf_c2pnb163v2_PUB --SharedSecret=0078ebb986d4f9b0aa0bc4af99e82c2bd24130f3f4 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb163v2 --PeerKey=BOB_cf_c2pnb163v2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=069a80bcd45987fd1c874cd9dc5453207a09b61d41 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb163v2 --PeerKey=ALICE_cf_c2pnb163v2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=069a80bcd45987fd1c874cd9dc5453207a09b61d41 -- --PublicKey=MALICE_cf_c2pnb163v2_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAIDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAABuVBl1V5uysY --n6HANPEoMoK+7Sv0 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb163v2 --PeerKey=MALICE_cf_c2pnb163v2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb163v2 --PeerKey=MALICE_cf_c2pnb163v2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb163v3 curve tests -- --PrivateKey=ALICE_cf_c2pnb163v3 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAMEHDAaAgEBBBUBItB0y/QeJ+cCh9yoHf0zqLVyMZc= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb163v3_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAMDLAAEBx1HRyjuBMjt+vlbWaQbKOpNvWKFAslzEbPv6MpK --YnObLnq34LRuWznb -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb163v3:ALICE_cf_c2pnb163v3_PUB -- --PrivateKey=BOB_cf_c2pnb163v3 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAMEHDAaAgEBBBUAXVHUHeP8Ioz7IqXOWbjaUXEHE5M= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb163v3_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAMDLAAEAqXF7rsAZ40Z1PT4TeeC45RKTxP4AJBAdfuknJ/J --DZnBLhxBwtqnfUpA -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb163v3:BOB_cf_c2pnb163v3_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb163v3 --PeerKey=BOB_cf_c2pnb163v3_PUB --SharedSecret=07fd2ffe9b18973c51caeadbc2154b97a9a0390be9 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb163v3 --PeerKey=ALICE_cf_c2pnb163v3_PUB --SharedSecret=07fd2ffe9b18973c51caeadbc2154b97a9a0390be9 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb163v3 --PeerKey=BOB_cf_c2pnb163v3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=06f7daf1c963594e1a13f9f17b62aaab2934872c16 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb163v3 --PeerKey=ALICE_cf_c2pnb163v3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=06f7daf1c963594e1a13f9f17b62aaab2934872c16 -- --PublicKey=MALICE_cf_c2pnb163v3_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAMDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7jRlUg9oaLK --LwAuHF8g5Y0JjJnI -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb163v3 --PeerKey=MALICE_cf_c2pnb163v3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb163v3 --PeerKey=MALICE_cf_c2pnb163v3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb176v1 curve tests -- --PrivateKey=ALICE_cf_c2pnb176v1 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAQEHDAaAgEBBBUAaZ1jV1jM9meV5iiNGPU/WMSfWOM= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb176v1_PUB -------BEGIN PUBLIC KEY----- --MEUwEwYHKoZIzj0CAQYIKoZIzj0DAAQDLgAEPjME7IV6Tuz2P++wIT60hRxTkk0M0PNgvqYcUoCI --iw3girDLhNzOu3IQ8Ac= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb176v1:ALICE_cf_c2pnb176v1_PUB -- --PrivateKey=BOB_cf_c2pnb176v1 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAQEHDAaAgEBBBUAreyYbcF+ONIf64KmeSzV82OI/50= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb176v1_PUB -------BEGIN PUBLIC KEY----- --MEUwEwYHKoZIzj0CAQYIKoZIzj0DAAQDLgAEpJn1IDmFj5LceLGfY2wlhI1VHq5vJ+qNIAOXVZhX --uMtp6pzy63rCEK53bgs= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb176v1:BOB_cf_c2pnb176v1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb176v1 --PeerKey=BOB_cf_c2pnb176v1_PUB --SharedSecret=3a8021848ee0b2c1c377404267a515225781c181e6ab -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb176v1 --PeerKey=ALICE_cf_c2pnb176v1_PUB --SharedSecret=3a8021848ee0b2c1c377404267a515225781c181e6ab -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb176v1 --PeerKey=BOB_cf_c2pnb176v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=b06cdc633b56e813d63326c69d2cfa335352279540ac -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb176v1 --PeerKey=ALICE_cf_c2pnb176v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=b06cdc633b56e813d63326c69d2cfa335352279540ac -- --PublicKey=MALICE_cf_c2pnb176v1_PUB -------BEGIN PUBLIC KEY----- --MEUwEwYHKoZIzj0CAQYIKoZIzj0DAAQDLgAE4ePri2opCoAUJIUQnaQlvDaxZd9bsdKnjWSvh+FL --zXV3l5j8K3pow+GJBE4= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb176v1 --PeerKey=MALICE_cf_c2pnb176v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb176v1 --PeerKey=MALICE_cf_c2pnb176v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb208w1 curve tests -- --PrivateKey=ALICE_cf_c2pnb208w1 -------BEGIN PRIVATE KEY----- --MDoCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAoEIDAeAgEBBBkAiENroXMYNbK/7DQQwCpbXk00gnVd --XF2k -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb208w1_PUB -------BEGIN PUBLIC KEY----- --ME0wEwYHKoZIzj0CAQYIKoZIzj0DAAoDNgAEL+IHOL2IfeLRiE6Wqsc0Frqjq7t/JnBmhN1lMB9Y --Yj3+Btcne4CPWf8KvfGjAdMs6JKP4A== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb208w1:ALICE_cf_c2pnb208w1_PUB -- --PrivateKey=BOB_cf_c2pnb208w1 -------BEGIN PRIVATE KEY----- --MDoCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAoEIDAeAgEBBBkAY1GZLynO/IDWwOOjEWUE7k+I/MkP --cJot -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb208w1_PUB -------BEGIN PUBLIC KEY----- --ME0wEwYHKoZIzj0CAQYIKoZIzj0DAAoDNgAENBvdzCDOIvu9zo7reJq1ummhR+0jaDc+EoSlW984 --cl9FTi/JJznwC+RNgwVfJ1WKJun1YA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb208w1:BOB_cf_c2pnb208w1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb208w1 --PeerKey=BOB_cf_c2pnb208w1_PUB --SharedSecret=ba32bf80c0f7ab53cb083f267a902a1ad6396eb283237fad91cd -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb208w1 --PeerKey=ALICE_cf_c2pnb208w1_PUB --SharedSecret=ba32bf80c0f7ab53cb083f267a902a1ad6396eb283237fad91cd -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb208w1 --PeerKey=BOB_cf_c2pnb208w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=f09f5fc8bf20677558bc65939bf1b7fbbbe2579702729304258b -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb208w1 --PeerKey=ALICE_cf_c2pnb208w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=f09f5fc8bf20677558bc65939bf1b7fbbbe2579702729304258b -- --PublicKey=MALICE_cf_c2pnb208w1_PUB -------BEGIN PUBLIC KEY----- --ME0wEwYHKoZIzj0CAQYIKoZIzj0DAAoDNgAEfuWB9pBZQin+VnmqgYVpbUpKxSQsnXxNqiDtVwqJ --oPkHxRWnu5e7qI2idMcqaKDeeniUaA== -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb208w1 --PeerKey=MALICE_cf_c2pnb208w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb208w1 --PeerKey=MALICE_cf_c2pnb208w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb272w1 curve tests -- --PrivateKey=ALICE_cf_c2pnb272w1 -------BEGIN PRIVATE KEY----- --MEICAQAwEwYHKoZIzj0CAQYIKoZIzj0DABAEKDAmAgEBBCEA0SoHwKAgKb7WQ+s0w1iNBemDZ3+f --StHU67fpP7YoF8U= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb272w1_PUB -------BEGIN PUBLIC KEY----- --MF0wEwYHKoZIzj0CAQYIKoZIzj0DABADRgAE0IH60bGi46FDzEprGZ8EBK5uMMcVke/txeBRNGHQ --DzG68r3EMLZkOfE1+g04MN7HgY7zt3jMYb8ImyLRmvqR2abjs6c= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb272w1:ALICE_cf_c2pnb272w1_PUB -- --PrivateKey=BOB_cf_c2pnb272w1 -------BEGIN PRIVATE KEY----- --MEICAQAwEwYHKoZIzj0CAQYIKoZIzj0DABAEKDAmAgEBBCEAFqB5GbPJ4d+X7ye7m05l/OirDqfn --MOsOJ6xObBph3zQ= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb272w1_PUB -------BEGIN PUBLIC KEY----- --MF0wEwYHKoZIzj0CAQYIKoZIzj0DABADRgAEIeIkcMHAuOgvHt2Wp52vVe0DYPNnUX79t/mLSx03 --cUlDmcxL7vIXdx9hB4OmQBYbm+YLDNfTFGAIlDfr2tELpVVPWPo= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb272w1:BOB_cf_c2pnb272w1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb272w1 --PeerKey=BOB_cf_c2pnb272w1_PUB --SharedSecret=cfebd65006520a40f081d8940edf0ebb8e54491ba1499d9f3c63deecee84ddc07142 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb272w1 --PeerKey=ALICE_cf_c2pnb272w1_PUB --SharedSecret=cfebd65006520a40f081d8940edf0ebb8e54491ba1499d9f3c63deecee84ddc07142 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb272w1 --PeerKey=BOB_cf_c2pnb272w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=756fc20b27352ac74e5135359c63d375d2732c6d02f25cd526155bac0882a9211dd4 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb272w1 --PeerKey=ALICE_cf_c2pnb272w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=756fc20b27352ac74e5135359c63d375d2732c6d02f25cd526155bac0882a9211dd4 -- --PublicKey=MALICE_cf_c2pnb272w1_PUB -------BEGIN PUBLIC KEY----- --MF0wEwYHKoZIzj0CAQYIKoZIzj0DABADRgAEvID3AM7qzpKDnOLFY00+E7EKZz/vS/pXgsUA3bWN --oJF8ElXFXv59s/SykQBCTHPqzmUbVmrXmtD44Kt1wUBRJfuwxy4= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb272w1 --PeerKey=MALICE_cf_c2pnb272w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb272w1 --PeerKey=MALICE_cf_c2pnb272w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb304w1 curve tests -- --PrivateKey=ALICE_cf_c2pnb304w1 -------BEGIN PRIVATE KEY----- --MEYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DABEELDAqAgEBBCUAqJxh50ZIUXOJ1HE3cVkech9OTTPJ --8jy/v5cFcO0X6dykHgnZ -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb304w1_PUB -------BEGIN PUBLIC KEY----- --MGUwEwYHKoZIzj0CAQYIKoZIzj0DABEDTgAEvoaqRX6qiNQiFH1BhgLCPTpYszoRhmlLirkvlw/Q --iXBlfQ7U4g+iRR/kmu2RlwwOHgNNL+mWcvLkFfS8Kr4jzv1EY1Ecx96n21l0YQ== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb304w1:ALICE_cf_c2pnb304w1_PUB -- --PrivateKey=BOB_cf_c2pnb304w1 -------BEGIN PRIVATE KEY----- --MEYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DABEELDAqAgEBBCUAOScHepX+IwqC8TjyAJI1bkR3cYYt --X9BbqYM9GQfVNSLHntTg -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb304w1_PUB -------BEGIN PUBLIC KEY----- --MGUwEwYHKoZIzj0CAQYIKoZIzj0DABEDTgAEYuAq/6Yw5HxMeMohlWmwl+ZK4ZQucfr1tWDKwhDb --kAOUO2P/Q/H+uelM3VVwxeu6A1kaX7K0UZpNa96NRBwI4aevc+vOxCgYkGt9BA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb304w1:BOB_cf_c2pnb304w1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb304w1 --PeerKey=BOB_cf_c2pnb304w1_PUB --SharedSecret=bfddf9f923210e8231a702e3a1c987cf27661de1bc243c1890e437d67d9f49c6ccfadc035d9d -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb304w1 --PeerKey=ALICE_cf_c2pnb304w1_PUB --SharedSecret=bfddf9f923210e8231a702e3a1c987cf27661de1bc243c1890e437d67d9f49c6ccfadc035d9d -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb304w1 --PeerKey=BOB_cf_c2pnb304w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0c7afb3143f93ef2166c05437a1757a62c916ff1751c6d456dd7f2356dcbc75df48015eb5ce8 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb304w1 --PeerKey=ALICE_cf_c2pnb304w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0c7afb3143f93ef2166c05437a1757a62c916ff1751c6d456dd7f2356dcbc75df48015eb5ce8 -- --PublicKey=MALICE_cf_c2pnb304w1_PUB -------BEGIN PUBLIC KEY----- --MGUwEwYHKoZIzj0CAQYIKoZIzj0DABEDTgAEBZ5FuthQt0mxTJ8NQWN2J37kYT8ySD893IXEmXYP --fMTr+CSNkf/sfF/13GEdVGnHmBgCH61sPWG69RgzdjRPprZFZxXjubIWYkp0DQ== -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb304w1 --PeerKey=MALICE_cf_c2pnb304w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb304w1 --PeerKey=MALICE_cf_c2pnb304w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb368w1 curve tests -- --PrivateKey=ALICE_cf_c2pnb368w1 -------BEGIN PRIVATE KEY----- --ME4CAQAwEwYHKoZIzj0CAQYIKoZIzj0DABMENDAyAgEBBC0AXeSTXsHb2PEH12tZL8w2q6evA2mi --KfLLIa1c29BTmM//oWdKpqeuvwMIBto= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb368w1_PUB -------BEGIN PUBLIC KEY----- --MHUwEwYHKoZIzj0CAQYIKoZIzj0DABMDXgAEmEBXcvMgnHwJW7wAKM4cqboco6zF01J9ntUwoACI --euvf3cpPXBvxUawJXfO9FwFRQabDRagGP99Walidd2JW8nWDWZgZMKj15Wh+4bp2dZHc2tPIIHHd --3makbwQ= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb368w1:ALICE_cf_c2pnb368w1_PUB -- --PrivateKey=BOB_cf_c2pnb368w1 -------BEGIN PRIVATE KEY----- --ME4CAQAwEwYHKoZIzj0CAQYIKoZIzj0DABMENDAyAgEBBC0Aq1R9M/mCMbJMj6VBUpBkS4HXywEz --Qun6d6uXgyU4LZRszA7Dz9+eKbXEMsk= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb368w1_PUB -------BEGIN PUBLIC KEY----- --MHUwEwYHKoZIzj0CAQYIKoZIzj0DABMDXgAEJOSnsaXA9wb5p8CGLPvYI47Yf3IdZSbWQ3Sn6G2v --At+zYlpzGax1oJ1CW8fGA0Gu0RnvAfDeW9vgrtzshH1Vy/Ni6a7LPho99PtUP2nzUBnv+hfhFSra --gqfRaOs= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb368w1:BOB_cf_c2pnb368w1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb368w1 --PeerKey=BOB_cf_c2pnb368w1_PUB --SharedSecret=008d20ede3961be3b01051d6fdae63db43865664804d432293a2edb13dcc8be0fe5b0c655297a84b9067a29c2a6f -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb368w1 --PeerKey=ALICE_cf_c2pnb368w1_PUB --SharedSecret=008d20ede3961be3b01051d6fdae63db43865664804d432293a2edb13dcc8be0fe5b0c655297a84b9067a29c2a6f -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb368w1 --PeerKey=BOB_cf_c2pnb368w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=df32ddeeffa029aeadabad000a79c3154a0ddd0aeacf4e3de426f5c10096eff8912038c64d4c899131dcd4df2561 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb368w1 --PeerKey=ALICE_cf_c2pnb368w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=df32ddeeffa029aeadabad000a79c3154a0ddd0aeacf4e3de426f5c10096eff8912038c64d4c899131dcd4df2561 -- --PublicKey=MALICE_cf_c2pnb368w1_PUB -------BEGIN PUBLIC KEY----- --MHUwEwYHKoZIzj0CAQYIKoZIzj0DABMDXgAEWDn/U9rymClM/a0Q1mawHjQjvpxSehRWstSE+2Sd --ubcZowJ+rw5LsEZteQyeVrCpKYUiIBmIVuFb2LDjtNLIJD1lr8C+vdco24ciLS9RzF/Dc9X+tcIj --726e1BE= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb368w1 --PeerKey=MALICE_cf_c2pnb368w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb368w1 --PeerKey=MALICE_cf_c2pnb368w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb191v1 curve tests -- --PrivateKey=ALICE_cf_c2tnb191v1 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAUEHzAdAgEBBBgXyG7A4BvSmjKEl3aU+FQUt02p9U7x --Jk4= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb191v1_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAUDMgAEG9iuZmnhz2H/YQKmVUaO//fm7hvV+CP5c2iszpR3 --7lRimqLWHPyvKgcP+PRCIUom -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb191v1:ALICE_cf_c2tnb191v1_PUB -- --PrivateKey=BOB_cf_c2tnb191v1 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAUEHzAdAgEBBBg4+2hv9x9HxFy0c2c1XESDdgOamHu0 --MTU= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb191v1_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAUDMgAEdO/4ii8gi8eQfBrv3XmsOETwIfT8OIpBW/kUoHD+ --adqalcB6SIWOfoJReDLcpxAD -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb191v1:BOB_cf_c2tnb191v1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb191v1 --PeerKey=BOB_cf_c2tnb191v1_PUB --SharedSecret=2ee8a85151c397600984285307c14f0ea0e4c2071d753a99 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb191v1 --PeerKey=ALICE_cf_c2tnb191v1_PUB --SharedSecret=2ee8a85151c397600984285307c14f0ea0e4c2071d753a99 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb191v1 --PeerKey=BOB_cf_c2tnb191v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=334051dfd62237e69e280ce2fab979bd77260f8dfe4df989 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb191v1 --PeerKey=ALICE_cf_c2tnb191v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=334051dfd62237e69e280ce2fab979bd77260f8dfe4df989 -- --PublicKey=MALICE_cf_c2tnb191v1_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAUDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcPEwZ1wj --iNoFyzyANZl8IDB0fF1RmZD6 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb191v1 --PeerKey=MALICE_cf_c2tnb191v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb191v1 --PeerKey=MALICE_cf_c2tnb191v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb191v2 curve tests -- --PrivateKey=ALICE_cf_c2tnb191v2 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAYEHzAdAgEBBBgQZHIQIPrAsbJqq4ZX3JdMrZAkaIGP --jbo= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb191v2_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAYDMgAEAyQdwZYRIiv7O4/WRLDKJ249TM8dr2Y+Oz8rSxCI --UVvJT/Jv9m462J6Iz1XOohhP -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb191v2:ALICE_cf_c2tnb191v2_PUB -- --PrivateKey=BOB_cf_c2tnb191v2 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAYEHzAdAgEBBBgThhW6d5QDaqM8yhm16q6Pu/VFBpf7 --wcs= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb191v2_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAYDMgAEBVkB4O6fFvGzMHv4BF51muFA0npOGKoOdKbIIMQY --JBIoz1RNNXTcgdpguLcrvcPJ -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb191v2:BOB_cf_c2tnb191v2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb191v2 --PeerKey=BOB_cf_c2tnb191v2_PUB --SharedSecret=711f90cb2aaea65e939065cbd1896affe1d490ba14571400 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb191v2 --PeerKey=ALICE_cf_c2tnb191v2_PUB --SharedSecret=711f90cb2aaea65e939065cbd1896affe1d490ba14571400 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb191v2 --PeerKey=BOB_cf_c2tnb191v2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=1740db5b771fa2889d3ec7c1ba8eeffa7741f0ee62433dce -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb191v2 --PeerKey=ALICE_cf_c2tnb191v2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=1740db5b771fa2889d3ec7c1ba8eeffa7741f0ee62433dce -- --PublicKey=MALICE_cf_c2tnb191v2_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAYDMgAEA3yPV6Ilx7PU7dWIDzgKzFV07LNsn1EhMyLQaa5U --2vqunpWef+/CaO2pFBcwwW+x -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb191v2 --PeerKey=MALICE_cf_c2tnb191v2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb191v2 --PeerKey=MALICE_cf_c2tnb191v2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb191v3 curve tests -- --PrivateKey=ALICE_cf_c2tnb191v3 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAcEHzAdAgEBBBgTPjf06B01Jq59qU1iczNuA29WfW+b --erU= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb191v3_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAcDMgAEL4NGEUX2CXY18MyoH1inKq5kde9RGr25ODm/0BEX --HWsGvDE2HC+6pL2BMl3MRCty -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb191v3:ALICE_cf_c2tnb191v3_PUB -- --PrivateKey=BOB_cf_c2tnb191v3 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAcEHzAdAgEBBBgUC2bC465JTXYLUaaET/r5n7X85gRH --iSQ= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb191v3_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAcDMgAEPKekNkT9mQ8KRCTR2RwCFkhNvsjL+/mLHYzbMrYe --QFIb5QwXAdbg2tEOl7yj9qkk -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb191v3:BOB_cf_c2tnb191v3_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb191v3 --PeerKey=BOB_cf_c2tnb191v3_PUB --SharedSecret=196200f7ea06c43c35516b995cf4a4dd4151dbd0ed998561 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb191v3 --PeerKey=ALICE_cf_c2tnb191v3_PUB --SharedSecret=196200f7ea06c43c35516b995cf4a4dd4151dbd0ed998561 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb191v3 --PeerKey=BOB_cf_c2tnb191v3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=311939377670a8a1ed1ee17f9dd182167da00c5a19e2e109 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb191v3 --PeerKey=ALICE_cf_c2tnb191v3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=311939377670a8a1ed1ee17f9dd182167da00c5a19e2e109 -- --PublicKey=MALICE_cf_c2tnb191v3_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAcDMgAESvPjWlLnANK2j38hHZ0uqueaniovkhwwdJZjrmUk --n5vQBTxUzkIkMjL33v6Lr3z7 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb191v3 --PeerKey=MALICE_cf_c2tnb191v3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb191v3 --PeerKey=MALICE_cf_c2tnb191v3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb239v1 curve tests -- --PrivateKey=ALICE_cf_c2tnb239v1 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAsEJTAjAgEBBB4fMJDhCEiuEf/RF6oGjHVcNwN+wCYG --rJMnJLIXiCI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb239v1_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAsDPgAEUgG/uMWy4k0R/kbVJEapF6r5ik4Q9WPsDXAd0856 --dVL8PvBXgixk2tKfyY1xUVebcEVlgdZP1pN1Xyvi -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb239v1:ALICE_cf_c2tnb239v1_PUB -- --PrivateKey=BOB_cf_c2tnb239v1 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAsEJTAjAgEBBB4JLDwVJQw3+00FiZBDWFErd7PXnchH --sfpZeV3i5FM= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb239v1_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAsDPgAEcwKt31cWaoFUd7QxYSdwgMDOqEhjPbD3Z9AfR3tc --G77/MY5z1oQegqImBog645vtPWI8lZd1zcl6QYRS -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb239v1:BOB_cf_c2tnb239v1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb239v1 --PeerKey=BOB_cf_c2tnb239v1_PUB --SharedSecret=413ea943cdf40c45795c77aeea7099b81cc42566067924d1fdbae42ddf99 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb239v1 --PeerKey=ALICE_cf_c2tnb239v1_PUB --SharedSecret=413ea943cdf40c45795c77aeea7099b81cc42566067924d1fdbae42ddf99 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb239v1 --PeerKey=BOB_cf_c2tnb239v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=1f1e5a6084492e895c35d76a5d2b4a3fafbd96c4b2230ea71cc1c711fa38 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb239v1 --PeerKey=ALICE_cf_c2tnb239v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=1f1e5a6084492e895c35d76a5d2b4a3fafbd96c4b2230ea71cc1c711fa38 -- --PublicKey=MALICE_cf_c2tnb239v1_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAsDPgAEJFn89FF7xaa5m+XGxWKFwCH+Mu4rbxwi6lvhuEuT --Itl/OAosALFh8xpt+N5gmKtUdhpjyok2udC4B/mY -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb239v1 --PeerKey=MALICE_cf_c2tnb239v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb239v1 --PeerKey=MALICE_cf_c2tnb239v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb239v2 curve tests -- --PrivateKey=ALICE_cf_c2tnb239v2 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAwEJTAjAgEBBB4KU4YKdzFOkl6M1biHkxtVGD2uNXr6 --GbEcp4PbJKU= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb239v2_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAwDPgAEKzpycflUrsyqVV/+fzvC2+AuX3r0b0Syn8acvn78 --VnKA9mZKwPLWhnMJcLyzarIzc/6/UcfYGNmTyUlG -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb239v2:ALICE_cf_c2tnb239v2_PUB -- --PrivateKey=BOB_cf_c2tnb239v2 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAwEJTAjAgEBBB4HZQLKGKBpIKiyTq6XYZWQNph1oGP+ --JLwCwn7lYx0= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb239v2_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAwDPgAETPSkhMs3JW3BG66FSfCov76JKdcRiBhMCW453Wku --N7yBxBmWjeclHhnXIzfc4qM4qf9n3KzMSXejPVYg -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb239v2:BOB_cf_c2tnb239v2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb239v2 --PeerKey=BOB_cf_c2tnb239v2_PUB --SharedSecret=2e738f14795b2e19ee791c1bf30c5e462ca6c6ed0ec5c6c6402d0730cf4c -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb239v2 --PeerKey=ALICE_cf_c2tnb239v2_PUB --SharedSecret=2e738f14795b2e19ee791c1bf30c5e462ca6c6ed0ec5c6c6402d0730cf4c -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb239v2 --PeerKey=BOB_cf_c2tnb239v2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=7662d8b94d3f0d20eb8e112ca8b7d5699d81f35902df5b77561977df3946 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb239v2 --PeerKey=ALICE_cf_c2tnb239v2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=7662d8b94d3f0d20eb8e112ca8b7d5699d81f35902df5b77561977df3946 -- --PublicKey=MALICE_cf_c2tnb239v2_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAwDPgAES8fLc5mtVI0HqgKRJ7mN8MU1B0FBkiim6jCHYJf3 --JYUX3Gn3Ai11cHie+nVb3z51jSkpDQENHESTv5K2 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb239v2 --PeerKey=MALICE_cf_c2tnb239v2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb239v2 --PeerKey=MALICE_cf_c2tnb239v2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb239v3 curve tests -- --PrivateKey=ALICE_cf_c2tnb239v3 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAA0EJTAjAgEBBB4BZZXtcMw5GrpgHJLx4D8z7M6ocWdv --rDl2fV9ObC8= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb239v3_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAA0DPgAEOu2HIAUX+r6IbRlrPUJUBDL814dR++maVAAkUIjD --H33ewqcI9ZLtpvuR8P8hgRNUTXlh1GWgrB6F21Eo -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb239v3:ALICE_cf_c2tnb239v3_PUB -- --PrivateKey=BOB_cf_c2tnb239v3 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAA0EJTAjAgEBBB4BDxw3SA54y6uYOW1n4yZaUK22J9ef --XG3HcQX+4i0= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb239v3_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAA0DPgAEVaEi76wyzlpzkkSElf4SmGZ7kf1ghHMP82HkGk7K --BC10zUyppoSOAr0eX4pHAkDUF1m/KGoJa7QcJJww -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb239v3:BOB_cf_c2tnb239v3_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb239v3 --PeerKey=BOB_cf_c2tnb239v3_PUB --SharedSecret=6a756022ec2ea89b0fa757824909707102acf3b7da39dc625c6252eb4c48 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb239v3 --PeerKey=ALICE_cf_c2tnb239v3_PUB --SharedSecret=6a756022ec2ea89b0fa757824909707102acf3b7da39dc625c6252eb4c48 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb239v3 --PeerKey=BOB_cf_c2tnb239v3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=3240e19dd8c290e5e1749df60ad0166dd9dbfad645e518b4948e14f774ce -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb239v3 --PeerKey=ALICE_cf_c2tnb239v3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=3240e19dd8c290e5e1749df60ad0166dd9dbfad645e518b4948e14f774ce -- --PublicKey=MALICE_cf_c2tnb239v3_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAA0DPgAELe/znC87/2ucKX7mXUUyiUvg67slWRdH+WHDct9d --LcXDyB342ZN1nm0NCAmBMcLjohX0Zza0ji3YNjT1 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb239v3 --PeerKey=MALICE_cf_c2tnb239v3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb239v3 --PeerKey=MALICE_cf_c2tnb239v3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb359v1 curve tests -- --PrivateKey=ALICE_cf_c2tnb359v1 -------BEGIN PRIVATE KEY----- --ME4CAQAwEwYHKoZIzj0CAQYIKoZIzj0DABIENDAyAgEBBC0Afea/a1NrRf6rRRr/UDsI559ADTFP --Bd5HaS33laTZkCdNLITw1UUrESUIOiU= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb359v1_PUB -------BEGIN PUBLIC KEY----- --MHMwEwYHKoZIzj0CAQYIKoZIzj0DABIDXAAEZMJU3QF9UJJp2m6qyCnhPuVlPKPHtav3DCgH27SY --RLMN7C4rRmqiJakD11QtOforOgbPW5r/v7t4TUWIlq8jV7kapJNtxQtg/S87L0NQGgHBq/lnJL8x --fN3Y -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb359v1:ALICE_cf_c2tnb359v1_PUB -- --PrivateKey=BOB_cf_c2tnb359v1 -------BEGIN PRIVATE KEY----- --ME4CAQAwEwYHKoZIzj0CAQYIKoZIzj0DABIENDAyAgEBBC0Aaw+yr7Atz8CXjLsbI5msXLqxFoMr --esHVfU53i6ucCsnPTWSDWSb5CePtI9g= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb359v1_PUB -------BEGIN PUBLIC KEY----- --MHMwEwYHKoZIzj0CAQYIKoZIzj0DABIDXAAEUQde0iyDHbsFJZ459d4zUhsrJYAkqndmEBRwSlg5 --ZNX8SSS79Zf2HsQl+LWIZyzeYzoHobKXufChw9/H4ThS58VwV5/0hoE929PIgJ1MSEqr5LvJXi+b --R8fe -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb359v1:BOB_cf_c2tnb359v1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb359v1 --PeerKey=BOB_cf_c2tnb359v1_PUB --SharedSecret=623a71122b5acad467d40d97ef8d8fd46541d8c41d7de6ba181c24e2714c1bc35bcefcf089af69c406eedecc12 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb359v1 --PeerKey=ALICE_cf_c2tnb359v1_PUB --SharedSecret=623a71122b5acad467d40d97ef8d8fd46541d8c41d7de6ba181c24e2714c1bc35bcefcf089af69c406eedecc12 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb359v1 --PeerKey=BOB_cf_c2tnb359v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=1c9c4cea3251dace2cb763eabf60f106cc1b03f2491e6f20d7bea78e062f8f14c4e82e4d43786eefa44d33f7e9 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb359v1 --PeerKey=ALICE_cf_c2tnb359v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=1c9c4cea3251dace2cb763eabf60f106cc1b03f2491e6f20d7bea78e062f8f14c4e82e4d43786eefa44d33f7e9 -- --PublicKey=MALICE_cf_c2tnb359v1_PUB -------BEGIN PUBLIC KEY----- --MHMwEwYHKoZIzj0CAQYIKoZIzj0DABIDXAAEDW1DxeJfyPPnxX4WiLM5ZnX9AypqqeKj7FTHxanl --++A6FgVFjUCatt8Sr4xnSc3zDE0kh6f/wS9SbtCAi74i8HAX5SJiccCMPRkw6kBuHZgiG8EmFJ53 --OEQw -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb359v1 --PeerKey=MALICE_cf_c2tnb359v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb359v1 --PeerKey=MALICE_cf_c2tnb359v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb431r1 curve tests -- --PrivateKey=ALICE_cf_c2tnb431r1 -------BEGIN PRIVATE KEY----- --MFYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DABQEPDA6AgEBBDUAG1rgUnH3+PSxqlzt9+QTWv7PrYxz --Qgqj5A2Mqi0LbdixVDciVSSgrU6keVu72oCmHVP+OQ== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb431r1_PUB -------BEGIN PUBLIC KEY----- --MIGFMBMGByqGSM49AgEGCCqGSM49AwAUA24ABFcQEDic9pYxtxStk/oBxafqyUux1kvEOOwR4FxJ --pGEMTh8B+YfkWuq+IDY5zSqNKtg7cRlAFX2dlHhRSvNxrN3DJCrhe/TQq8SIYawcqEQnM39F8hHM --7VQJLEsBpJ/WUonwMJXknjgfONP7GA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb431r1:ALICE_cf_c2tnb431r1_PUB -- --PrivateKey=BOB_cf_c2tnb431r1 -------BEGIN PRIVATE KEY----- --MFYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DABQEPDA6AgEBBDUBOsZrpI6hTgImR8DBhKOOrh2SvcT/ --VwmzYnbuCRrtr/zwIQcqKKI1ztlrl+kxFxJfk5L7UQ== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb431r1_PUB -------BEGIN PUBLIC KEY----- --MIGFMBMGByqGSM49AgEGCCqGSM49AwAUA24ABHeTG6xjbsKKxn4oYQt9qUM9LrSPZfY11XsBmROc --fb9kEbBLU+QixSbYZOrqPasesDV9dApDXF+w6EfIeNyJEK5Lk+aXamrn7fRMUAQ2m7+Odp87GgA+ --8Cg6YpgbK314SK5STziqoZwzEISJ9w== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb431r1:BOB_cf_c2tnb431r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb431r1 --PeerKey=BOB_cf_c2tnb431r1_PUB --SharedSecret=1c9a64de0b706f0e562d5144ceeb4806ce8782865dc0e3fab694967955bd40afc79bf9241ef4a173fbf9baeac0d416392fb13bdc6978 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb431r1 --PeerKey=ALICE_cf_c2tnb431r1_PUB --SharedSecret=1c9a64de0b706f0e562d5144ceeb4806ce8782865dc0e3fab694967955bd40afc79bf9241ef4a173fbf9baeac0d416392fb13bdc6978 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb431r1 --PeerKey=BOB_cf_c2tnb431r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=059e2ea2d0d8bad5005a9401196ebb1633377c7ded8ec58a0398cf1d0f42ea82614f68cb836ecfc33612b8a705b4c3b7b4ed12eb6e22 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb431r1 --PeerKey=ALICE_cf_c2tnb431r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=059e2ea2d0d8bad5005a9401196ebb1633377c7ded8ec58a0398cf1d0f42ea82614f68cb836ecfc33612b8a705b4c3b7b4ed12eb6e22 -- --PublicKey=MALICE_cf_c2tnb431r1_PUB -------BEGIN PUBLIC KEY----- --MIGFMBMGByqGSM49AgEGCCqGSM49AwAUA24ABA/cHJ1bNJ2l3GcrT67WEoU0w/Ajy28T9X4XLv8a --5EpnkembeFlRG8ILplDcZimE8kjNQWynAk+NbJRsIU/XLzcm7VXkkqEkx/yCQ/TOcbeB3qrpzWYr --F3Cls9x60wuFYNc9d6eIe4B+puz9IQ== -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb431r1 --PeerKey=MALICE_cf_c2tnb431r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb431r1 --PeerKey=MALICE_cf_c2tnb431r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=prime192v2 curve tests -- --PrivateKey=ALICE_cf_prime192v2 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBh6rcgPFDmA2P4CGSrC7ii9DAjepljX --sMM= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_prime192v2_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAET6wOPoDU3BeU7VKozsGEvDeJs//9Z/aNEcbbLQ0d --g5IzsS/XMJzifjCJZgNsb7mi -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_prime192v2:ALICE_cf_prime192v2_PUB -- --PrivateKey=BOB_cf_prime192v2 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBja4R9iZuiu95XEuM1558ArTwNnAl7M --xqI= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_prime192v2_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEcgWNAOL4pZCmouZl+be+rC0yLAJkm2YuPWs+FX2u --Y6OU1aHkkspZTC1uUVWjchy5 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_prime192v2:BOB_cf_prime192v2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_prime192v2 --PeerKey=BOB_cf_prime192v2_PUB --SharedSecret=ae2ff9f1f9f24e6d281dc78993d9f71913e1e105965000a1 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_prime192v2 --PeerKey=ALICE_cf_prime192v2_PUB --SharedSecret=ae2ff9f1f9f24e6d281dc78993d9f71913e1e105965000a1 -- --Title=prime192v3 curve tests -- --PrivateKey=ALICE_cf_prime192v3 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQMEHzAdAgEBBBij5blPQRKM1/9c57YDZXIIue80MDqx --Igw= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_prime192v3_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQMDMgAE1+mLeiT/jjHO71IL/C/ZcnF6+yj9FV6eqfuPdHAi --MsDRFCB6/h8TcCUFuospu5l0 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_prime192v3:ALICE_cf_prime192v3_PUB -- --PrivateKey=BOB_cf_prime192v3 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQMEHzAdAgEBBBhgFP4fFLtm/yk5tsosBUBKTg370FOu --92g= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_prime192v3_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQMDMgAEv35bOz0xqLeJqpZdZ8LyiUgsJMBEtN2UMJm8blX2 --vMWAgEeLhzar86BUlS7dZwS7 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_prime192v3:BOB_cf_prime192v3_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_prime192v3 --PeerKey=BOB_cf_prime192v3_PUB --SharedSecret=9e562ecbe29c510a13b0daea822ec864c2a9684d2a382812 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_prime192v3 --PeerKey=ALICE_cf_prime192v3_PUB --SharedSecret=9e562ecbe29c510a13b0daea822ec864c2a9684d2a382812 -- --Title=prime239v1 curve tests -- --PrivateKey=ALICE_cf_prime239v1 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQQEJTAjAgEBBB5nH2mt/GUx+I/60NlcuQlrdupDXwMY --SF/w+SUTNqY= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_prime239v1_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQQDPgAEMqQLCgDR9njkq9QELuOu+J/9YGcxJHULdvxHImLW --RXqBUM5Xea+Qk2SKIpWcogxr2zFeQyeLj2bQysuo -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_prime239v1:ALICE_cf_prime239v1_PUB -- --PrivateKey=BOB_cf_prime239v1 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQQEJTAjAgEBBB5RZgYV+j+zhwI12zCzB+mdPofMx0kB --jZ9gplgXxzk= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_prime239v1_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQQDPgAEBR5m/kllh025oO4GvqALkjRliVv7q4x8ro/tkYnT --L2U4hkT6xUeRu9QC4KOz7KUVH+nBbQASL4XQg/3C -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_prime239v1:BOB_cf_prime239v1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_prime239v1 --PeerKey=BOB_cf_prime239v1_PUB --SharedSecret=196b1d0206d4f87c313c266bfb12c90dd1f1f64b89bfc16518086b9801b8 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_prime239v1 --PeerKey=ALICE_cf_prime239v1_PUB --SharedSecret=196b1d0206d4f87c313c266bfb12c90dd1f1f64b89bfc16518086b9801b8 -- --Title=prime239v2 curve tests -- --PrivateKey=ALICE_cf_prime239v2 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQUEJTAjAgEBBB5uLCwofbD2Suc/iIRhXJsPqZ4me87h --+tFevsg1pPE= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_prime239v2_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAETH77jXHBItV673gTNK/HTFldo4VxPiscbideUgKd --CWjdVsXebgAZbqQwf0h9QWcIgM7K7ODdW5kCuZ1G -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_prime239v2:ALICE_cf_prime239v2_PUB -- --PrivateKey=BOB_cf_prime239v2 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQUEJTAjAgEBBB5nlF+ouuw3Ljkgy3pHkCN+/JoHAMyT --KY0wlvJdo/w= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_prime239v2_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAELUQYo0UH8HbK/RMD2jVphBU+iB4OTOfvaaTlHq06 --dcJ8a9a+mAQKhb1OZVEq1n4nQsgRiI1rPxugVERM -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_prime239v2:BOB_cf_prime239v2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_prime239v2 --PeerKey=BOB_cf_prime239v2_PUB --SharedSecret=1d18ca6366bceba3c1477daa0e08202088abcf14fc2b8fbf98ba95858fcf -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_prime239v2 --PeerKey=ALICE_cf_prime239v2_PUB --SharedSecret=1d18ca6366bceba3c1477daa0e08202088abcf14fc2b8fbf98ba95858fcf -- --Title=prime239v3 curve tests -- --PrivateKey=ALICE_cf_prime239v3 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQYEJTAjAgEBBB5J95JRhBDTzlyAPAfu6T2Pb9vK0NKu --Y9AfhA2G+mI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_prime239v3_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQYDPgAEZEN48pqgLF08Yjj/8BLM2Nr5ZhpYxyBurbzKRuBb --GLpzZLteJN9vZjN7ouNpMxLVUFQxTOwpsvUw86Lk -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_prime239v3:ALICE_cf_prime239v3_PUB -- --PrivateKey=BOB_cf_prime239v3 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQYEJTAjAgEBBB5Z7rMZML1xeryBaYYr+QuMiQxHT44I --d9bmIVvG3dM= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_prime239v3_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQYDPgAEQUWKqohAPAoIYEZOvc1QwSlcB+gW0febaNxGOy47 --LaIWdsNM7GJVP9xpdSwm/L+Dip/oH4E59f3SiOAd -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_prime239v3:BOB_cf_prime239v3_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_prime239v3 --PeerKey=BOB_cf_prime239v3_PUB --SharedSecret=4dcc2c67c5993162ed71ebb33077bbb85395b0d3eec2311aa404e45901a0 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_prime239v3 --PeerKey=ALICE_cf_prime239v3_PUB --SharedSecret=4dcc2c67c5993162ed71ebb33077bbb85395b0d3eec2311aa404e45901a0 -- --Title=secp112r1 curve tests -- --PrivateKey=ALICE_cf_secp112r1 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAYEFTATAgEBBA6zC5ZzEIIdvY4Q7DS0uw== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp112r1_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFK4EEAAYDHgAEYIawfjH3qRrJJWwuG3Ys5ZhDJsmdWi34aHgKAA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp112r1:ALICE_cf_secp112r1_PUB -- --PrivateKey=BOB_cf_secp112r1 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAYEFTATAgEBBA6WPx4YxBODium8BKDw0A== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp112r1_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFK4EEAAYDHgAEchh3iQdPN1rrzrpdZRQ95G6tvdwEBQ+gfu1tvA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp112r1:BOB_cf_secp112r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp112r1 --PeerKey=BOB_cf_secp112r1_PUB --SharedSecret=4ddd1d504b444d4be67ba2e4610a -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp112r1 --PeerKey=ALICE_cf_secp112r1_PUB --SharedSecret=4ddd1d504b444d4be67ba2e4610a -- --Title=secp112r2 curve tests -- --PrivateKey=ALICE_cf_secp112r2 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAcEFTATAgEBBA4GcvIx97ePHdAiH0Z9EA== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp112r2_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFK4EEAAcDHgAEHK9uNAILHBmPZdKKh79/nzYE0HbvC//rA7i0Xw== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp112r2:ALICE_cf_secp112r2_PUB -- --PrivateKey=BOB_cf_secp112r2 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAcEFTATAgEBBA4WzpVFZnZv9mvtpnYNyw== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp112r2_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFK4EEAAcDHgAEUzBLNQupqUpGgmZl9JVjKBpwusl52rFg5OVFJA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp112r2:BOB_cf_secp112r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp112r2 --PeerKey=BOB_cf_secp112r2_PUB --SharedSecret=a6d05c7ba5128a9685c705b5030b -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp112r2 --PeerKey=ALICE_cf_secp112r2_PUB --SharedSecret=a6d05c7ba5128a9685c705b5030b -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp112r2 --PeerKey=BOB_cf_secp112r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=04f3280e92c269d794aa779efcef -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp112r2 --PeerKey=ALICE_cf_secp112r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=04f3280e92c269d794aa779efcef -- --PublicKey=MALICE_cf_secp112r2_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFK4EEAAcDHgAEsf2N4SfUZWtXPrUTmEyr71I/JSn8VtzQsFHuqQ== -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_secp112r2 --PeerKey=MALICE_cf_secp112r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_secp112r2 --PeerKey=MALICE_cf_secp112r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=secp128r1 curve tests -- --PrivateKey=ALICE_cf_secp128r1 -------BEGIN PRIVATE KEY----- --MC4CAQAwEAYHKoZIzj0CAQYFK4EEABwEFzAVAgEBBBB+RX18d0+gKpdcKbJJTrEZ -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp128r1_PUB -------BEGIN PUBLIC KEY----- --MDYwEAYHKoZIzj0CAQYFK4EEABwDIgAEG0XMAdrAZOPUW6L9ADU8XK8sZr7dtIcDinSWU1zSV9s= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp128r1:ALICE_cf_secp128r1_PUB -- --PrivateKey=BOB_cf_secp128r1 -------BEGIN PRIVATE KEY----- --MC4CAQAwEAYHKoZIzj0CAQYFK4EEABwEFzAVAgEBBBB/J9/eClt9mimGwOcOsjJF -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp128r1_PUB -------BEGIN PUBLIC KEY----- --MDYwEAYHKoZIzj0CAQYFK4EEABwDIgAE82nknsOS+u8mybP0KJqQhvm83gbPNTZOcvm0ZDVR5sU= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp128r1:BOB_cf_secp128r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp128r1 --PeerKey=BOB_cf_secp128r1_PUB --SharedSecret=5020f1b759da1f737a61a29a268d7669 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp128r1 --PeerKey=ALICE_cf_secp128r1_PUB --SharedSecret=5020f1b759da1f737a61a29a268d7669 -- --Title=secp128r2 curve tests -- --PrivateKey=ALICE_cf_secp128r2 -------BEGIN PRIVATE KEY----- --MC4CAQAwEAYHKoZIzj0CAQYFK4EEAB0EFzAVAgEBBBALPaUYCnPgNiLhez93Z1Gi -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp128r2_PUB -------BEGIN PUBLIC KEY----- --MDYwEAYHKoZIzj0CAQYFK4EEAB0DIgAEOKiPRGtZXwxmvTr35NmUkNsAGGk9RKNA4D5BE9ZrjZQ= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp128r2:ALICE_cf_secp128r2_PUB -- --PrivateKey=BOB_cf_secp128r2 -------BEGIN PRIVATE KEY----- --MC4CAQAwEAYHKoZIzj0CAQYFK4EEAB0EFzAVAgEBBBARg3vb436QgyHdyt6l/b6G -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp128r2_PUB -------BEGIN PUBLIC KEY----- --MDYwEAYHKoZIzj0CAQYFK4EEAB0DIgAELph7h27BYjIINC2EddcpIOxKbdz8Xe7h3Az1ZuR9bAI= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp128r2:BOB_cf_secp128r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp128r2 --PeerKey=BOB_cf_secp128r2_PUB --SharedSecret=8f4d8c75141e9b084328222440eb5dfa -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp128r2 --PeerKey=ALICE_cf_secp128r2_PUB --SharedSecret=8f4d8c75141e9b084328222440eb5dfa -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp128r2 --PeerKey=BOB_cf_secp128r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=baaa0c16e16eef291001475d638e4830 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp128r2 --PeerKey=ALICE_cf_secp128r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=baaa0c16e16eef291001475d638e4830 -- --PublicKey=MALICE_cf_secp128r2_PUB -------BEGIN PUBLIC KEY----- --MDYwEAYHKoZIzj0CAQYFK4EEAB0DIgAE6h6RzJIp6HLR6RDOPtyzGDurkuE9aAaZqHosPTnkLxQ= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_secp128r2 --PeerKey=MALICE_cf_secp128r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_secp128r2 --PeerKey=MALICE_cf_secp128r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=secp160k1 curve tests -- --PrivateKey=ALICE_cf_secp160k1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAkEHDAaAgEBBBUAlxTBO50KwFwWKPtk1rutu68m+zI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp160k1_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAAkDKgAEcVWIjtPZn1cHckclpn5jKDCphQUVHxFN5tSeFG9wsJZT --EvqPyLS64w== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp160k1:ALICE_cf_secp160k1_PUB -- --PrivateKey=BOB_cf_secp160k1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAkEHDAaAgEBBBUAdrPkoNkRVUloiuwzruQszSUuwpY= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp160k1_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAAkDKgAESGN41cAj8Fg4pAJM7FUKHiawbCR0b9unMpZWxqOKeW1/ --bxT/CqEkyw== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp160k1:BOB_cf_secp160k1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp160k1 --PeerKey=BOB_cf_secp160k1_PUB --SharedSecret=b738a0bf17f3271a9a155bfdfe2f0f1d51494d42 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp160k1 --PeerKey=ALICE_cf_secp160k1_PUB --SharedSecret=b738a0bf17f3271a9a155bfdfe2f0f1d51494d42 -- --Title=secp160r1 curve tests -- --PrivateKey=ALICE_cf_secp160r1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAgEHDAaAgEBBBUAR6m1+jIBuJnSKx9fHmyAYhsnYe8= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp160r1_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAAgDKgAEO78GZuBaCfJjHK97c9N21z+4mm37b5x7/Hr3Xc4pUbtb --OoNj/A+W9w== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp160r1:ALICE_cf_secp160r1_PUB -- --PrivateKey=BOB_cf_secp160r1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAgEHDAaAgEBBBUATqvd54Jj7TbnrLAd2dMYCpExLws= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp160r1_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAAgDKgAEBKDbBSPTwmb00MFvMtJMxQ2YDmcPOZHE8YbVr5hp8s5J --Jwy17FaNNg== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp160r1:BOB_cf_secp160r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp160r1 --PeerKey=BOB_cf_secp160r1_PUB --SharedSecret=1912ea7b9bb1de5b8d3cef83e7a6e7a917816541 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp160r1 --PeerKey=ALICE_cf_secp160r1_PUB --SharedSecret=1912ea7b9bb1de5b8d3cef83e7a6e7a917816541 -- --Title=secp160r2 curve tests -- --PrivateKey=ALICE_cf_secp160r2 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAB4EHDAaAgEBBBUA3IsVg4R4paXaPATDHvzfnvM+vjQ= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp160r2_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAB4DKgAE4V+25YCpVkKF6NF/UPc1SYxohYWcf3qT3JDoPRhnm/rj --mSqCCA6gUw== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp160r2:ALICE_cf_secp160r2_PUB -- --PrivateKey=BOB_cf_secp160r2 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAB4EHDAaAgEBBBUAYT/5C7UpD17DnZm4ObswmGFMI1Q= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp160r2_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAB4DKgAEB7YVzBmzhnIdouvN/nb8VMXCqO8dkhmebyVzoD0oAzuH --nN+SfWr6aQ== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp160r2:BOB_cf_secp160r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp160r2 --PeerKey=BOB_cf_secp160r2_PUB --SharedSecret=ccb9cae5c9487ff60c487bd1b39a62eb4680e9b6 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp160r2 --PeerKey=ALICE_cf_secp160r2_PUB --SharedSecret=ccb9cae5c9487ff60c487bd1b39a62eb4680e9b6 -- --Title=secp192k1 curve tests -- --PrivateKey=ALICE_cf_secp192k1 -------BEGIN PRIVATE KEY----- --MDYCAQAwEAYHKoZIzj0CAQYFK4EEAB8EHzAdAgEBBBikVZrCZQB7ZtkhNfQYpjKHZ9KxXgooJ90= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp192k1_PUB -------BEGIN PUBLIC KEY----- --MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAEyV4EzMZglBXtYdn38hNTrCGflAsJprMkxkOlw58chZ25 --6EAu7gVvYDTpnRkymKyH -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp192k1:ALICE_cf_secp192k1_PUB -- --PrivateKey=BOB_cf_secp192k1 -------BEGIN PRIVATE KEY----- --MDYCAQAwEAYHKoZIzj0CAQYFK4EEAB8EHzAdAgEBBBiJQ/PunKGk9QPUyqIBGMgHKKg+yxJr5io= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp192k1_PUB -------BEGIN PUBLIC KEY----- --MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAE990Tnmh9QQQHVHuLpfrAsgjvB9R2MJXzhBZN1WvtxLqF --OZ2oFMP0Kfcr7HbI7a5j -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp192k1:BOB_cf_secp192k1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp192k1 --PeerKey=BOB_cf_secp192k1_PUB --SharedSecret=a46a6bfb279d4dc30cffac585d1fbec905dbe46aca5e3c9d -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp192k1 --PeerKey=ALICE_cf_secp192k1_PUB --SharedSecret=a46a6bfb279d4dc30cffac585d1fbec905dbe46aca5e3c9d -- --Title=secp224k1 curve tests -- --PrivateKey=ALICE_cf_secp224k1 -------BEGIN PRIVATE KEY----- --MDsCAQAwEAYHKoZIzj0CAQYFK4EEACAEJDAiAgEBBB0AZPk3TzxGhX7TljBBhJDLBfulAMp6Bh3W --w40Qyg== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp224k1_PUB -------BEGIN PUBLIC KEY----- --ME4wEAYHKoZIzj0CAQYFK4EEACADOgAE4o7LGdJDixqJZ5imnqaX4IeE55NG4W0HEe72LVC7pmn2 --e3m7uC92ZQhduF9lJli4dXD5en/1wkE= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp224k1:ALICE_cf_secp224k1_PUB -- --PrivateKey=BOB_cf_secp224k1 -------BEGIN PRIVATE KEY----- --MDsCAQAwEAYHKoZIzj0CAQYFK4EEACAEJDAiAgEBBB0AdQ02GguRy3yHOjLkpoWb27QA/L1abfWe --q2xUfA== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp224k1_PUB -------BEGIN PUBLIC KEY----- --ME4wEAYHKoZIzj0CAQYFK4EEACADOgAEzp00m0DaADn1mGiDCT7K1LZnoj/vCxHPowUDC9yQd17K --KpJM5sGILrTkkgxqtt5pBeYE1NC1QUQ= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp224k1:BOB_cf_secp224k1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp224k1 --PeerKey=BOB_cf_secp224k1_PUB --SharedSecret=6f7b9d16c9c1d3a5c84b6028f2a4fed9ae8e02455e678a27243bcc48 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp224k1 --PeerKey=ALICE_cf_secp224k1_PUB --SharedSecret=6f7b9d16c9c1d3a5c84b6028f2a4fed9ae8e02455e678a27243bcc48 -- - Title=secp256k1 curve tests - - PrivateKey=ALICE_cf_secp256k1 -@@ -1998,1323 +55,6 @@ Derive=BOB_cf_secp256k1 - PeerKey=ALICE_cf_secp256k1_PUB - SharedSecret=a4745cc4d19cabb9e5cb0abdd5c604cab2846a4638ad844ed9175f3cadda2da1 - --Title=sect113r1 curve tests -- --PrivateKey=ALICE_cf_sect113r1 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFK4EEAAQEFjAUAgEBBA8ALw9CgsuNBkkhhUHE8bQ= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect113r1_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFK4EEAAQDIAAEASO9jcamlg1pRE7JffrTAe9kyRZO2xrymHXoGdnA -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect113r1:ALICE_cf_sect113r1_PUB -- --PrivateKey=BOB_cf_sect113r1 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFK4EEAAQEFjAUAgEBBA8A/9qbs8sTFNkjS9/4CuM= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect113r1_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFK4EEAAQDIAAEATykaf/cvJzLOUto1EbbAEz/3++nut6q0dcJOQeV -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect113r1:BOB_cf_sect113r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect113r1 --PeerKey=BOB_cf_sect113r1_PUB --SharedSecret=01ed16f1948dcb368a54004237842d -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect113r1 --PeerKey=ALICE_cf_sect113r1_PUB --SharedSecret=01ed16f1948dcb368a54004237842d -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect113r1 --PeerKey=BOB_cf_sect113r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=012e5f3e348c2a8a88d9590a639219 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect113r1 --PeerKey=ALICE_cf_sect113r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=012e5f3e348c2a8a88d9590a639219 -- --PublicKey=MALICE_cf_sect113r1_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFK4EEAAQDIAAEAAAAAAAAAAAAAAAAAAAAAd+TqiBXnTd/lyA/OFsR -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect113r1 --PeerKey=MALICE_cf_sect113r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect113r1 --PeerKey=MALICE_cf_sect113r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect113r2 curve tests -- --PrivateKey=ALICE_cf_sect113r2 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFK4EEAAUEFjAUAgEBBA8AvovirHrqTxoKJ3l+7y0= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect113r2_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFK4EEAAUDIAAEAFvQ4JgQTS8kjGeVfuITAS81qNcOQvt3PYa1HuCk -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect113r2:ALICE_cf_sect113r2_PUB -- --PrivateKey=BOB_cf_sect113r2 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFK4EEAAUEFjAUAgEBBA8ArUjgvp/goxRYb4WuQ80= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect113r2_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFK4EEAAUDIAAEAUoS3of8y28meYu/NoI5AVdhJZCuDjMqFHTriWY4 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect113r2:BOB_cf_sect113r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect113r2 --PeerKey=BOB_cf_sect113r2_PUB --SharedSecret=0057a287ba1ea05cb4735e673647e1 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect113r2 --PeerKey=ALICE_cf_sect113r2_PUB --SharedSecret=0057a287ba1ea05cb4735e673647e1 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect113r2 --PeerKey=BOB_cf_sect113r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00fec2454e46732aca42b22b6d4f13 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect113r2 --PeerKey=ALICE_cf_sect113r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00fec2454e46732aca42b22b6d4f13 -- --PublicKey=MALICE_cf_sect113r2_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFK4EEAAUDIAAEAAAAAAAAAAAAAAAAAAAAAR3dbPHrhFekzJ7Azskr -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect113r2 --PeerKey=MALICE_cf_sect113r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect113r2 --PeerKey=MALICE_cf_sect113r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect131r1 curve tests -- --PrivateKey=ALICE_cf_sect131r1 -------BEGIN PRIVATE KEY----- --MC8CAQAwEAYHKoZIzj0CAQYFK4EEABYEGDAWAgEBBBEA5C6zHMQM7pXPZ6cJz72Niw== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect131r1_PUB -------BEGIN PUBLIC KEY----- --MDgwEAYHKoZIzj0CAQYFK4EEABYDJAAEBXCuXD6wOOif91GUlJNKXf8FBNw8crgqi5aEJEZbCdBJ --Ag== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect131r1:ALICE_cf_sect131r1_PUB -- --PrivateKey=BOB_cf_sect131r1 -------BEGIN PRIVATE KEY----- --MC8CAQAwEAYHKoZIzj0CAQYFK4EEABYEGDAWAgEBBBEDYZmjiokBJ/SnTv8sskBR3A== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect131r1_PUB -------BEGIN PUBLIC KEY----- --MDgwEAYHKoZIzj0CAQYFK4EEABYDJAAEB8vGy3OQXwWKcJUSSJbCtpMBjFgJeZxzAaI420+B1B+1 --5A== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect131r1:BOB_cf_sect131r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect131r1 --PeerKey=BOB_cf_sect131r1_PUB --SharedSecret=05346248f77f81fff50cc656e119976871 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect131r1 --PeerKey=ALICE_cf_sect131r1_PUB --SharedSecret=05346248f77f81fff50cc656e119976871 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect131r1 --PeerKey=BOB_cf_sect131r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01f151ae26efa507acc2597356baf7e8ab -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect131r1 --PeerKey=ALICE_cf_sect131r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01f151ae26efa507acc2597356baf7e8ab -- --PublicKey=MALICE_cf_sect131r1_PUB -------BEGIN PUBLIC KEY----- --MDgwEAYHKoZIzj0CAQYFK4EEABYDJAAEAAAAAAAAAAAAAAAAAAAAAAABfiJEFG0vRzEGxk2BxjmK --zw== -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect131r1 --PeerKey=MALICE_cf_sect131r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect131r1 --PeerKey=MALICE_cf_sect131r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect131r2 curve tests -- --PrivateKey=ALICE_cf_sect131r2 -------BEGIN PRIVATE KEY----- --MC8CAQAwEAYHKoZIzj0CAQYFK4EEABcEGDAWAgEBBBEBnZRUKAQetk5kyUwhIaAyxg== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect131r2_PUB -------BEGIN PUBLIC KEY----- --MDgwEAYHKoZIzj0CAQYFK4EEABcDJAAEA5+Y20L8q989I4jnKknZ7hcGlQ6RUIGni9RahT88kB/d --dw== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect131r2:ALICE_cf_sect131r2_PUB -- --PrivateKey=BOB_cf_sect131r2 -------BEGIN PRIVATE KEY----- --MC8CAQAwEAYHKoZIzj0CAQYFK4EEABcEGDAWAgEBBBEBnafx9vcMeoCqj/1YNuflzw== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect131r2_PUB -------BEGIN PUBLIC KEY----- --MDgwEAYHKoZIzj0CAQYFK4EEABcDJAAEB2G2uNkhQNjjl0/Ov6UYpxoFaWNXO+qy7poV6cdrFN7z --pA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect131r2:BOB_cf_sect131r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect131r2 --PeerKey=BOB_cf_sect131r2_PUB --SharedSecret=058d8a8be33068ed8c1dc9f551ef2c3f3c -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect131r2 --PeerKey=ALICE_cf_sect131r2_PUB --SharedSecret=058d8a8be33068ed8c1dc9f551ef2c3f3c -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect131r2 --PeerKey=BOB_cf_sect131r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=037b16d85f27c2c878ef96c79a536f89a5 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect131r2 --PeerKey=ALICE_cf_sect131r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=037b16d85f27c2c878ef96c79a536f89a5 -- --PublicKey=MALICE_cf_sect131r2_PUB -------BEGIN PUBLIC KEY----- --MDgwEAYHKoZIzj0CAQYFK4EEABcDJAAEAAAAAAAAAAAAAAAAAAAAAAAGG5fiIbgziwBZHVzTYqCY --1w== -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect131r2 --PeerKey=MALICE_cf_sect131r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect131r2 --PeerKey=MALICE_cf_sect131r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect163r1 curve tests -- --PrivateKey=ALICE_cf_sect163r1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAIEHDAaAgEBBBUAlbn4x1UGJnAimsXufB/UvUaxU5U= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect163r1_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAIDLAAEA0f195HCcD4D+7wWyl3QuPkRovG/ATy5l7fpMl4BNIg/ --sbtEXluCzANF -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect163r1:ALICE_cf_sect163r1_PUB -- --PrivateKey=BOB_cf_sect163r1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAIEHDAaAgEBBBUAoStq6Fjb7nB2PNL6WrzKKqhCGdE= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect163r1_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAIDLAAEAul/oBKr9B5MsPHWGF+q07j0JC+WAxj1JzfcIXR98n+r --9FHWU5LC5pDM -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect163r1:BOB_cf_sect163r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect163r1 --PeerKey=BOB_cf_sect163r1_PUB --SharedSecret=06135eef489fe613c0d8bd522a2a640ff7ae6fb73d -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect163r1 --PeerKey=ALICE_cf_sect163r1_PUB --SharedSecret=06135eef489fe613c0d8bd522a2a640ff7ae6fb73d -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect163r1 --PeerKey=BOB_cf_sect163r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0580f5e8efb242a19ae1023acbcab8702c799751e7 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect163r1 --PeerKey=ALICE_cf_sect163r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0580f5e8efb242a19ae1023acbcab8702c799751e7 -- --PublicKey=MALICE_cf_sect163r1_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAIDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJkXolVuGFa8fqmk --cs0Bv7iJuVg1 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect163r1 --PeerKey=MALICE_cf_sect163r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect163r1 --PeerKey=MALICE_cf_sect163r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect193r1 curve tests -- --PrivateKey=ALICE_cf_sect193r1 -------BEGIN PRIVATE KEY----- --MDcCAQAwEAYHKoZIzj0CAQYFK4EEABgEIDAeAgEBBBkACmcvidKWLtPFB2xqg76F8VhM1Njzrkgo -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect193r1_PUB -------BEGIN PUBLIC KEY----- --MEgwEAYHKoZIzj0CAQYFK4EEABgDNAAEAeqP0VQobenduwtf4MPmlYQVDjUmxKq50QFHnaBfzwXY --1TYShZZgBr0R6a5dUGCbiF0= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect193r1:ALICE_cf_sect193r1_PUB -- --PrivateKey=BOB_cf_sect193r1 -------BEGIN PRIVATE KEY----- --MDcCAQAwEAYHKoZIzj0CAQYFK4EEABgEIDAeAgEBBBkAKlSknQ66vpuLjC1mbQyfHOTdJ5Kw5jMh -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect193r1_PUB -------BEGIN PUBLIC KEY----- --MEgwEAYHKoZIzj0CAQYFK4EEABgDNAAEAaFZVIeqfV9wbPydaBSJKSWJjVyFVSB/QQB5rHonYQmK --f40zok8PJS6ratIcZwk/n20= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect193r1:BOB_cf_sect193r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect193r1 --PeerKey=BOB_cf_sect193r1_PUB --SharedSecret=012b8849991814f8c7ed9d40cf9dc204c3a83e0b10675543a5 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect193r1 --PeerKey=ALICE_cf_sect193r1_PUB --SharedSecret=012b8849991814f8c7ed9d40cf9dc204c3a83e0b10675543a5 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect193r1 --PeerKey=BOB_cf_sect193r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0110180a18844859c52f6f012909522a2d87b5ab143bc80a55 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect193r1 --PeerKey=ALICE_cf_sect193r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0110180a18844859c52f6f012909522a2d87b5ab143bc80a55 -- --PublicKey=MALICE_cf_sect193r1_PUB -------BEGIN PUBLIC KEY----- --MEgwEAYHKoZIzj0CAQYFK4EEABgDNAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHeX7PX3e5n --zROUg6/STkLp1D+L51L9+wY= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect193r1 --PeerKey=MALICE_cf_sect193r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect193r1 --PeerKey=MALICE_cf_sect193r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect193r2 curve tests -- --PrivateKey=ALICE_cf_sect193r2 -------BEGIN PRIVATE KEY----- --MDcCAQAwEAYHKoZIzj0CAQYFK4EEABkEIDAeAgEBBBkAhjkv8lXK/nPp3Qc4IwL/29JUKWi2VBMp -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect193r2_PUB -------BEGIN PUBLIC KEY----- --MEgwEAYHKoZIzj0CAQYFK4EEABkDNAAEAIn7oSu3adu4ChNXniHKkMIv9gT24rpzzwAeCTDPIkUT --kJ+Tit6e4RpgkB/dph4V+uI= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect193r2:ALICE_cf_sect193r2_PUB -- --PrivateKey=BOB_cf_sect193r2 -------BEGIN PRIVATE KEY----- --MDcCAQAwEAYHKoZIzj0CAQYFK4EEABkEIDAeAgEBBBkAwGkR3qSQdfh7Q6KbJ4lH5FShGsX8o/jD -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect193r2_PUB -------BEGIN PUBLIC KEY----- --MEgwEAYHKoZIzj0CAQYFK4EEABkDNAAEAFdSLKI0tlwZDpkndutOLsnHii1aJO8snwEJ0m/AZgMp --xiDevOQ/xE9SpMX25W7YqkU= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect193r2:BOB_cf_sect193r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect193r2 --PeerKey=BOB_cf_sect193r2_PUB --SharedSecret=01e2f66a63c24c1de8a399c484228a5ad5b6d911c6e5e83ae3 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect193r2 --PeerKey=ALICE_cf_sect193r2_PUB --SharedSecret=01e2f66a63c24c1de8a399c484228a5ad5b6d911c6e5e83ae3 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect193r2 --PeerKey=BOB_cf_sect193r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00bc82d393bd74406683aea003977a86a109f444a833652e43 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect193r2 --PeerKey=ALICE_cf_sect193r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00bc82d393bd74406683aea003977a86a109f444a833652e43 -- --PublicKey=MALICE_cf_sect193r2_PUB -------BEGIN PUBLIC KEY----- --MEgwEAYHKoZIzj0CAQYFK4EEABkDNAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFfdLEkrvsO --Y7+6QpEvOay9A4MJCUZfZmI= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect193r2 --PeerKey=MALICE_cf_sect193r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect193r2 --PeerKey=MALICE_cf_sect193r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect239k1 curve tests -- --PrivateKey=ALICE_cf_sect239k1 -------BEGIN PRIVATE KEY----- --MDwCAQAwEAYHKoZIzj0CAQYFK4EEAAMEJTAjAgEBBB4G4nbQDUtTnkrPOvDGIlhH9XdjirUSbTI5 --5z6lf7o= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect239k1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEAAMDPgAEf5paOMjzcnpVAPMQnIkikE4K2jne3ubX2TD1P3aedknF --lUr6tOU4BsiUQJACF90rQ9/KdeR5mYvYHzvI -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect239k1:ALICE_cf_sect239k1_PUB -- --PrivateKey=BOB_cf_sect239k1 -------BEGIN PRIVATE KEY----- --MDwCAQAwEAYHKoZIzj0CAQYFK4EEAAMEJTAjAgEBBB4e0F0NpepAF+iNrEtoZeo4TrQFspkUNLcx --Ly4Klfg= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect239k1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEAAMDPgAEKnjJ4RHe+EiElXMrF4ou7VGy1pn0ZiO17FouF31Zbvjc --TcbhfE6ziXM8sekQJBwcwRKQ9+G/Qzq/2A9x -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect239k1:BOB_cf_sect239k1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect239k1 --PeerKey=BOB_cf_sect239k1_PUB --SharedSecret=0ef54c7b7dbf55d4278e7a6924dc4833c63ec708e820d501cacdfb4935d5 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect239k1 --PeerKey=ALICE_cf_sect239k1_PUB --SharedSecret=0ef54c7b7dbf55d4278e7a6924dc4833c63ec708e820d501cacdfb4935d5 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect239k1 --PeerKey=BOB_cf_sect239k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=592e4b33ac99624fe7f2f879cf52f12a70f189c5d90785db26a12e0a46c0 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect239k1 --PeerKey=ALICE_cf_sect239k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=592e4b33ac99624fe7f2f879cf52f12a70f189c5d90785db26a12e0a46c0 -- --PublicKey=MALICE_cf_sect239k1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEAAMDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect239k1 --PeerKey=MALICE_cf_sect239k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect239k1 --PeerKey=MALICE_cf_sect239k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls10 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls10 -------BEGIN PRIVATE KEY----- --MDsCAQAwEAYHKoZIzj0CAQYFZysBBAoEJDAiAgEBBB1zvDMHGgcytka5KvlvQvJzTA4l2ts2NzBp --SJiGyw== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls10_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFZysBBAoDPgAEAZkrhWBz/Q4GB8DY4Ia114ew6H7Eg7ri2uxwxd3rAZs5 --/ShvunNyndjCt3Qaq8sulBM0nUyERSDakyD+ -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls10:ALICE_cf_wap-wsg-idm-ecid-wtls10_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls10 -------BEGIN PRIVATE KEY----- --MDsCAQAwEAYHKoZIzj0CAQYFZysBBAoEJDAiAgEBBB1SowkHU79PqokOfgllN53rNS8a3h1wFBY0 --dKPkQg== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls10_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFZysBBAoDPgAEAGavw4ChHCoWplAumMEBwJgJ2aYtw+utu4vhWnscAPIT --IJ4IiIGj18rCFBap1sgVbpXjhEBLYg6Itwv2 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls10:BOB_cf_wap-wsg-idm-ecid-wtls10_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls10 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls10_PUB --SharedSecret=0194ef5d80fdfe9df366b2273b983c3dbd440faf76964fcfc06c509f289d -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls10 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls10_PUB --SharedSecret=0194ef5d80fdfe9df366b2273b983c3dbd440faf76964fcfc06c509f289d -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls10 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls10_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01bedc5cdf63fbf18c3e2bc9765e12f7990c0c0c64f0267ae7c37b9f49f0 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls10 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls10_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01bedc5cdf63fbf18c3e2bc9765e12f7990c0c0c64f0267ae7c37b9f49f0 -- --PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls10_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFZysBBAoDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls10 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls10_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls10 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls10_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls11 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls11 -------BEGIN PRIVATE KEY----- --MDwCAQAwEAYHKoZIzj0CAQYFZysBBAsEJTAjAgEBBB4AkzS3zoqHNCLug/nwoYMQW3UigmZ9t56k --5jp+FiY= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls11_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFZysBBAsDPgAEABttgKKYeGZRmcH/5UZR56lOSgbU4TH2AuIhvj88AL6H --zTCX9elzXpck+u22bnmkuvL2A8XKB5+fabMR -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls11:ALICE_cf_wap-wsg-idm-ecid-wtls11_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls11 -------BEGIN PRIVATE KEY----- --MDwCAQAwEAYHKoZIzj0CAQYFZysBBAsEJTAjAgEBBB4AWU05mbqPxsB749llNON1//l0w8RJJ3z5 --h/kzfNM= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls11_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFZysBBAsDPgAEAL6Xj/KCmXAQAAo847t0bl0wqBrteWRg93OvIJsPAAOE --ehdIgJyruc3KsH0RFlipu5QD8pnGSIXvif19 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls11:BOB_cf_wap-wsg-idm-ecid-wtls11_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls11 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls11_PUB --SharedSecret=01ac8a23ddeeafb4d3bb243fe409f2f9c8b1a3fc11d4690da583f2e21637 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls11 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls11_PUB --SharedSecret=01ac8a23ddeeafb4d3bb243fe409f2f9c8b1a3fc11d4690da583f2e21637 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls11 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls11_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01b9992992572d3a59d424f8c9cc195576461ed6c1dadf6fb523717fab19 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls11 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls11_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01b9992992572d3a59d424f8c9cc195576461ed6c1dadf6fb523717fab19 -- --PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls11_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFZysBBAsDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYf4 --Vie5eHTnR+4x4G1xyq7qUvISU+X5RtBh2pE4 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls11 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls11_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls11 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls11_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls12 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls12 -------BEGIN PRIVATE KEY----- --MDoCAQAwEAYHKoZIzj0CAQYFZysBBAwEIzAhAgEBBBxwvll9Eb9mm2Xadq1evIi1zIK+6u0Nv8bP --LI9a -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls12_PUB -------BEGIN PUBLIC KEY----- --ME4wEAYHKoZIzj0CAQYFZysBBAwDOgAE0t0WqG/pFsiCt6agmebw3FCEWAzf9BpNLuzoCkPEe0Li --bqn5udrckL6s3stwCTVFaZUfY2qS9QE= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls12:ALICE_cf_wap-wsg-idm-ecid-wtls12_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls12 -------BEGIN PRIVATE KEY----- --MDoCAQAwEAYHKoZIzj0CAQYFZysBBAwEIzAhAgEBBBz+5P6gpqXxbeXvvaD5W9Ft69BTxcn7zc6q --K3Ax -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls12_PUB -------BEGIN PUBLIC KEY----- --ME4wEAYHKoZIzj0CAQYFZysBBAwDOgAEvyxedqaWkoAOMjaV5W3/tJpheiHAR0zV6BlIeUuGP2mx --+xsOK9/QB7hzipq9cXx1K/dXu58EoSY= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls12:BOB_cf_wap-wsg-idm-ecid-wtls12_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls12 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls12_PUB --SharedSecret=a3b3f20af8c33a0f5c246b4b9d9dda1cd40c294d1f53365d18a8b54b -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls12 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls12_PUB --SharedSecret=a3b3f20af8c33a0f5c246b4b9d9dda1cd40c294d1f53365d18a8b54b -- --Title=wap-wsg-idm-ecid-wtls1 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls1 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFZysBBAEEFTATAgEBBA5ZNASTt4/g6XPQwRiQ0Q== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls1_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFZysBBAEDIAAEACBNPI48xxsPVQBy07jRAAcWzbIkMo8BQotxpfGJ -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls1:ALICE_cf_wap-wsg-idm-ecid-wtls1_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls1 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFZysBBAEEFTATAgEBBA6+0x9qk0NIKHSRvlTemQ== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls1_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFZysBBAEDIAAEAEeHMSBTx/EtOu+bjBinALHSkQuJyiP3mg1tu+I2 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls1:BOB_cf_wap-wsg-idm-ecid-wtls1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls1 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls1_PUB --SharedSecret=0040ba2fadc1da97c973e5e59ade31 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls1 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls1_PUB --SharedSecret=0040ba2fadc1da97c973e5e59ade31 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls1 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=008919696215a89e03d6c4c9265d6b -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls1 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=008919696215a89e03d6c4c9265d6b -- --PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls1_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFZysBBAEDIAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls1 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls1 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls3 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls3 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAMEHDAaAgEBBBUDO2cHbqQBUxuJBl6UT9UrasuRVrI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls3_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFZysBBAMDLAAEBRIzvK9o7eO2NGmtPFV/zo9/1mlvBwjG7+e6hbPG1KdI --01f8oGBuXMQH -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls3:ALICE_cf_wap-wsg-idm-ecid-wtls3_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls3 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAMEHDAaAgEBBBUAhZv9WZ00bDnU9MOaqEegP771nes= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls3_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFZysBBAMDLAAEAYOspjEbzyZw61jCtUrxARr+w66nBH+73QIvlaRVSG/4 --hlBUf5kmG4Yn -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls3:BOB_cf_wap-wsg-idm-ecid-wtls3_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls3 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls3_PUB --SharedSecret=0311924428a839b7dcada662722945e62bf1131f4f -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls3 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls3_PUB --SharedSecret=0311924428a839b7dcada662722945e62bf1131f4f -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls3 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=047f1aee6a1a1d7c9c1f0e8dce4349429f737aa658 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls3 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=047f1aee6a1a1d7c9c1f0e8dce4349429f737aa658 -- --PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls3_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFZysBBAMDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAB -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls3 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls3 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls4 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls4 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFZysBBAQEFjAUAgEBBA8ACFOrBbOh5LjNtJQCuEE= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls4_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFZysBBAQDIAAEAW3K4Mus5+KAJVGLzEYrAYuCJSEYXFTo17aW0TwN -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls4:ALICE_cf_wap-wsg-idm-ecid-wtls4_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls4 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFZysBBAQEFjAUAgEBBA8Auz4XRc3Rg0bNcbrray8= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls4_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFZysBBAQDIAAEAI0F7ixGqOhnYpsuR80nAdTdSXM+YbcUbLe/U/xG -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls4:BOB_cf_wap-wsg-idm-ecid-wtls4_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls4 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls4_PUB --SharedSecret=0077378ddfdadff704a0b6646949e7 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls4 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls4_PUB --SharedSecret=0077378ddfdadff704a0b6646949e7 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls4 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls4_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=008f3713fe1ff1fa5d5041899817d1 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls4 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls4_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=008f3713fe1ff1fa5d5041899817d1 -- --PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls4_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFZysBBAQDIAAEAAAAAAAAAAAAAAAAAAAAAd+TqiBXnTd/lyA/OFsR -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls4 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls4_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls4 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls4_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls5 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls5 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAUEHDAaAgEBBBUD9gVh3zbLTA7BuRVVi9T8QKZ1uco= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls5_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFZysBBAUDLAAEAH5xyUrvbuN+tWmRhwqrQfFHPHNUBKtAGvJuvSFVwTKk --uFzn9fPvIDe6 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls5:ALICE_cf_wap-wsg-idm-ecid-wtls5_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls5 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAUEHDAaAgEBBBUAr9ZlmuO7bNfqB42xUivJXyVHKNI= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls5_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFZysBBAUDLAAEBdXxEk0L2XAVzRNLPcnMxGXXyDfZAoA1Qw2XpOfVWIVR --jdoMGRgUuJmO -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls5:BOB_cf_wap-wsg-idm-ecid-wtls5_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls5 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls5_PUB --SharedSecret=0190c68d80e94fbe9f193ae7d9a156bf0b8d097c23 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls5 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls5_PUB --SharedSecret=0190c68d80e94fbe9f193ae7d9a156bf0b8d097c23 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls5 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls5_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00aabc9b45c200e41294aa922ab06da6655731e0ea -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls5 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls5_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00aabc9b45c200e41294aa922ab06da6655731e0ea -- --PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls5_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFZysBBAUDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC8JxepS05nN/piK --dhDD3dDKXUih -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls5 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls5_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls5 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls5_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls6 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls6 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFZysBBAYEFTATAgEBBA4ayMbswPbvYMwpwo80jA== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls6_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFZysBBAYDHgAERPw/8Ip/RrXr0gMgLGRQeiQ4Qd6W+Li0ylGKzg== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls6:ALICE_cf_wap-wsg-idm-ecid-wtls6_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls6 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFZysBBAYEFTATAgEBBA6kbCpFt3tX2hYBQHMXbg== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls6_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFZysBBAYDHgAEhJXqpYGxE/l1X/LiBeyRbIcyzqPxUP5Tkv3U3w== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls6:BOB_cf_wap-wsg-idm-ecid-wtls6_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls6 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls6_PUB --SharedSecret=b4cae255268f11a1e46fecad04c2 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls6 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls6_PUB --SharedSecret=b4cae255268f11a1e46fecad04c2 -- --Title=wap-wsg-idm-ecid-wtls7 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls7 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAcEHDAaAgEBBBUABcyzh4ot9ck/j4/3ehK0aYngYoM= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls7_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFZysBBAcDKgAEwQLnZ70n45RLqRtAGNzEa3Rl/9nwyjqYUtw2eeHhnNLT --feGY4CNH0w== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls7:ALICE_cf_wap-wsg-idm-ecid-wtls7_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls7 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAcEHDAaAgEBBBUAPyrGRY1SR13hKQswS6yXs8w8PUQ= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls7_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFZysBBAcDKgAEZGN44YbN5r3zcNtOHrvbQLt8/lE7BHp4D/9eKLmwFDn1 --QneRu3xwPA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls7:BOB_cf_wap-wsg-idm-ecid-wtls7_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls7 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls7_PUB --SharedSecret=ae9f5bcc6457c0422866bf855921eabc42b7121a -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls7 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls7_PUB --SharedSecret=ae9f5bcc6457c0422866bf855921eabc42b7121a -- --Title=wap-wsg-idm-ecid-wtls8 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls8 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFZysBBAgEFjAUAgEBBA8AnkC18b3pH2O5TIYIqAQ= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls8_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFZysBBAgDHgAEJD0h4HEfchwxqhp9eMHh9gczQKHX4MtWVoAxKQ== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls8:ALICE_cf_wap-wsg-idm-ecid-wtls8_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls8 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFZysBBAgEFjAUAgEBBA8AXxPMnqbl3rOuIM5nsvc= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls8_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFZysBBAgDHgAEZawmRmzr9P+jihImUi6ykOzaSH484JhMKNdrgw== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls8:BOB_cf_wap-wsg-idm-ecid-wtls8_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls8 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls8_PUB --SharedSecret=48baf4f1f5e8a0eb5dae28ef6290 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls8 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls8_PUB --SharedSecret=48baf4f1f5e8a0eb5dae28ef6290 -- --Title=wap-wsg-idm-ecid-wtls9 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls9 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAkEHDAaAgEBBBUALwvuKs3RLthMAsChbqKjXw6vTYo= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls9_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFZysBBAkDKgAET0ppOvd9DU4v+tkKDQ5wRBrN1FwD9+F9t5l3Im+mz3rw --DB/RYdZuUg== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls9:ALICE_cf_wap-wsg-idm-ecid-wtls9_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls9 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAkEHDAaAgEBBBUAgeb/vqEM7X5AAAxyBu3M+C8pWLM= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls9_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFZysBBAkDKgAEWc37LGt6lt90iF4lhtDYNFdjAqoczebuNgzGff/Uq8ov --a3EVJ9yK1A== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls9:BOB_cf_wap-wsg-idm-ecid-wtls9_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls9 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls9_PUB --SharedSecret=948d3030e95cead39a1bb3d8a01c2be178517ba7 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls9 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls9_PUB --SharedSecret=948d3030e95cead39a1bb3d8a01c2be178517ba7 -- --# tests: 484 -- --Title=zero x-coord regression tests -- --PrivateKey=ALICE_zero_prime192v1 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEHzAdAgEBBBhaPNk8jG5hSG6y8tUqUoOaNNsZ3APU --pps= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime192v1_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAe2hWBe5g --DLNj216pEvK7XjoKLg5gNg8S -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime192v1 --PeerKey=BOB_zero_prime192v1_PUB --SharedSecret=baaffd49a8399d2ad52cbbe24d47b67afb4b3cf436f1cd65 -- --PrivateKey=ALICE_zero_prime192v2 - -----BEGIN PRIVATE KEY----- - MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBj1AIQMJ7jqYIKCvxYAS+qKMmKmH0to - 41k= -@@ -3422,72 +162,6 @@ Derive=ALICE_zero_prime256v1 - PeerKey=BOB_zero_prime256v1_PUB - SharedSecret=c4f5607deb8501f1a4ba23fce4122a4343a17ada2c86a9c8e0d03d92d4a4c84c --PrivateKey=ALICE_zero_secp112r2 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAcEFTATAgEBBA4hh3tRkG3tnA0496ffMw== -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_secp112r2_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFK4EEAAcDHgAEAAAAAAAAAAAAAAAAAAAS5eEOWDV/Wk7w4djyDQ== -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp112r2 --PeerKey=BOB_zero_secp112r2_PUB --SharedSecret=958cc1cb425713678830a4d7d95e -- --PrivateKey=ALICE_zero_secp128r1 -------BEGIN PRIVATE KEY----- --MC4CAQAwEAYHKoZIzj0CAQYFK4EEABwEFzAVAgEBBBCykSzic/h3T2K6SkSP1SGt -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_secp128r1_PUB -------BEGIN PUBLIC KEY----- --MDYwEAYHKoZIzj0CAQYFK4EEABwDIgAEAAAAAAAAAAAAAAAAAAAAAABya8M5aeOpNG3z799IdHc= -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp128r1 --PeerKey=BOB_zero_secp128r1_PUB --SharedSecret=5235d452066f126cd7e99eea00fd3068 -- --PrivateKey=ALICE_zero_secp160r1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAgEHDAaAgEBBBUACoRnbig69XLlh5VcRexpbbn5zwA= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_secp160r1_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAAgDKgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAG/w1po29wYlxlygXs --MGfbiGg5ng== -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp160r1 --PeerKey=BOB_zero_secp160r1_PUB --SharedSecret=9ccd0ab8d093b6acdb3fe14c3736a0dfe61a4666 -- --PrivateKey=ALICE_zero_secp160r2 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAB4EHDAaAgEBBBUAQFGxInSw1eAvd45E9TUdbXtJGnA= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_secp160r2_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAB4DKgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAZtSBSZqfmXp47v5z2 --ZZZl2JFxDg== -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp160r2 --PeerKey=BOB_zero_secp160r2_PUB --SharedSecret=303e0a282ac86f463fe834cb51b0057be42ed5ab -- - PrivateKey=ALICE_zero_secp384r1 - -----BEGIN PRIVATE KEY----- - ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDD6kgzKbg28zbQyVTdC0IdHbm0UCQt2Rdbi -@@ -3526,76 +200,6 @@ Derive=ALICE_zero_secp521r1 - PeerKey=BOB_zero_secp521r1_PUB - SharedSecret=003fc3028f61db94b20c7cd177923b6e73f12f0ab067c9ce8866755e3c82abb39c9863cde74fa80b32520bd7dd0eb156c30c08911503b67b2661f1264d09bb231423 - --PrivateKey=ALICE_zero_wap-wsg-idm-ecid-wtls7 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAcEHDAaAgEBBBUAoGng7WzYr4P9vtdc3BS/UiNWmc0= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_wap-wsg-idm-ecid-wtls7_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFZysBBAcDKgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAZtSBSZqfmXp47v5z2 --ZZZl2JFxDg== -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_wap-wsg-idm-ecid-wtls7 --PeerKey=BOB_zero_wap-wsg-idm-ecid-wtls7_PUB --SharedSecret=6582fc03bbb340fcf24a5fe8fcdf722655efa8b9 -- --# tests: 14 -- --Title=prime192v1 curve tests -- --PrivateKey=ALICE_cf_prime192v1 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEHzAdAgEBBBhQFYLaobJ47BVWWZv/ByY8Ti69m/U9 --TeI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_prime192v1_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEHYbt14KzucSpmKMrlDx1IGz/a28nDs21OjKgx3BK --PZ78UrllIr69kgrYUKsRg4sd -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_prime192v1:ALICE_cf_prime192v1_PUB -- --PrivateKey=BOB_cf_prime192v1 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEHzAdAgEBBBhsbmKHAtygIqirkmUXSbniDJOx0/fI --CWM= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_prime192v1_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEJA+FQcXq5Axzv8pLDslxq1QVt1hjN2i0TgoO6Yxp --bAekMot69VorE8ibSzgJixXJ -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_prime192v1:BOB_cf_prime192v1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_prime192v1 --PeerKey=BOB_cf_prime192v1_PUB --SharedSecret=e36cad3b0f8d00f60f090440a76df47896713ae61421c354 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_prime192v1 --PeerKey=ALICE_cf_prime192v1_PUB --SharedSecret=e36cad3b0f8d00f60f090440a76df47896713ae61421c354 -- --# ECDH Bob with Alice peer : curves with less than 112 bits of strength cannot --# be used for Key agreement in fips mode --Availablein = fips --Derive=BOB_cf_prime192v1 --Securitycheck = 1 --PeerKey=ALICE_cf_prime192v1_PUB --SharedSecret=e36cad3b0f8d00f60f090440a76df47896713ae61421c354 --Result = DERIVE_SET_PEER_ERROR -- - Title=prime256v1 curve tests - - PrivateKey=ALICE_cf_prime256v1 -@@ -3759,743 +363,3 @@ SharedSecret=01dd4aa9037bb4ad298b420998d - Derive=BOB_cf_secp521r1 - PeerKey=ALICE_cf_secp521r1_PUB - SharedSecret=01dd4aa9037bb4ad298b420998dcd32b3a9af1cda8b7919e372aeb4e54ccfb4d2409a340ed896bfbc5dd462f8d96b8784bc17b29db3ca04700e6ec752f9bec777695 -- --Title=sect163k1 curve tests -- --PrivateKey=ALICE_cf_sect163k1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAEEHDAaAgEBBBUB905PYfmej8LzbzX6Bg51GJzXQjQ= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect163k1_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBfvs5A1hD8YySP9O2ub8GEUfotVuBpfRx4GIHdAfx8wV --1UVeTRnyAlWU -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect163k1:ALICE_cf_sect163k1_PUB -- --PrivateKey=BOB_cf_sect163k1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAEEHDAaAgEBBBUCHPtCjJ4/K8ylQBcLlb5VE0bkaUE= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect163k1_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBvgfX1mTRlt6Z4TE1D1MNWo4loH4AoeYa6oowK104LKk --nsdg7isQ8XBD -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect163k1:BOB_cf_sect163k1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect163k1 --PeerKey=BOB_cf_sect163k1_PUB --SharedSecret=04d0e40788c5ce5220818055277cae53eac55c1e6b -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect163k1 --PeerKey=ALICE_cf_sect163k1_PUB --SharedSecret=04d0e40788c5ce5220818055277cae53eac55c1e6b -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect163k1 --PeerKey=BOB_cf_sect163k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=04c902a91110244d89110034dd2b099c49cbab6c77 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect163k1 --PeerKey=ALICE_cf_sect163k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=04c902a91110244d89110034dd2b099c49cbab6c77 -- --PublicKey=MALICE_cf_sect163k1_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAB -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect163k1 --PeerKey=MALICE_cf_sect163k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect163k1 --PeerKey=MALICE_cf_sect163k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect163r2 curve tests -- --PrivateKey=ALICE_cf_sect163r2 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAA8EHDAaAgEBBBUBjCs/M3N31jsAueYrOq21vdETwAI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect163r2_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAA8DLAAEBd8Z1/HpA+89hF4I98EST3svWns3BAEbhWmL/fgxk2uu --YwVrmqhgqH/C -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect163r2:ALICE_cf_sect163r2_PUB -- --PrivateKey=BOB_cf_sect163r2 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAA8EHDAaAgEBBBUBsiouT9Df+mwHWrpPg1JSrY9nqlI= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect163r2_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAA8DLAAEBULqBZ+nhLhDEMYY8NEEzZ126MdxAcFXWv8zmPEH9505 --8vT5zU3aq6HV -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect163r2:BOB_cf_sect163r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect163r2 --PeerKey=BOB_cf_sect163r2_PUB --SharedSecret=019f829a53c4e6544bdec1395a23082169efaf369d -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect163r2 --PeerKey=ALICE_cf_sect163r2_PUB --SharedSecret=019f829a53c4e6544bdec1395a23082169efaf369d -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect163r2 --PeerKey=BOB_cf_sect163r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=048870d39235ecbc16a000ee478833509b9318a53f -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect163r2 --PeerKey=ALICE_cf_sect163r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=048870d39235ecbc16a000ee478833509b9318a53f -- --PublicKey=MALICE_cf_sect163r2_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAA8DLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsJbhbrfiSdZPSHD --ZtqJwDlp802l -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect163r2 --PeerKey=MALICE_cf_sect163r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect163r2 --PeerKey=MALICE_cf_sect163r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect233k1 curve tests -- --PrivateKey=ALICE_cf_sect233k1 -------BEGIN PRIVATE KEY----- --MDsCAQAwEAYHKoZIzj0CAQYFK4EEABoEJDAiAgEBBB0z/3heNFjJL+2sAT/38yRsN3kt2iXz7u+y --Gua8Kw== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect233k1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEABoDPgAEALQyn0zJmOrHm4S2EIjxRe899PadBnfpYjLKWGvpAIzf --MEG861Nv1IYJkmkO1xlfNHeeRtqFgsQVFKZh -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect233k1:ALICE_cf_sect233k1_PUB -- --PrivateKey=BOB_cf_sect233k1 -------BEGIN PRIVATE KEY----- --MDsCAQAwEAYHKoZIzj0CAQYFK4EEABoEJDAiAgEBBB1I0ucrC4d9i6Z+0cbar5r7uKpF5iiQkSJA --DFMTUA== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect233k1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEABoDPgAEAatdqazxSghJ568CBFyMXhEvVeAiLewOY/jk9H5DAOB4 --ufNGbdd131KLaKPivB38a6n5Y+2BVSJangow -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect233k1:BOB_cf_sect233k1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect233k1 --PeerKey=BOB_cf_sect233k1_PUB --SharedSecret=012145026e8de65973c154e085456fc5539ba9e25663e7f5816abfcab310 -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect233k1 --PeerKey=ALICE_cf_sect233k1_PUB --SharedSecret=012145026e8de65973c154e085456fc5539ba9e25663e7f5816abfcab310 -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect233k1 --PeerKey=BOB_cf_sect233k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00ff7d6c6b80f39d2ae68fbd00adbcd75fa599ed0bc1aac0e3f49c1c164d -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect233k1 --PeerKey=ALICE_cf_sect233k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00ff7d6c6b80f39d2ae68fbd00adbcd75fa599ed0bc1aac0e3f49c1c164d -- --PublicKey=MALICE_cf_sect233k1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEABoDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect233k1 --PeerKey=MALICE_cf_sect233k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect233k1 --PeerKey=MALICE_cf_sect233k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect233r1 curve tests -- --PrivateKey=ALICE_cf_sect233r1 -------BEGIN PRIVATE KEY----- --MDwCAQAwEAYHKoZIzj0CAQYFK4EEABsEJTAjAgEBBB4ATcy7zVpIsJ9rl5EIDmzRz5wxjrDIQyDm --HP3Pt8Y= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect233r1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEABsDPgAEAQMQHiJ44LiCnZkEg1zyww1h+idTbsw8E07P33WUAUfD --NeQ4hWEhTXPnytIbEhFKpnd3j/FbyZnJqxh8 -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect233r1:ALICE_cf_sect233r1_PUB -- --PrivateKey=BOB_cf_sect233r1 -------BEGIN PRIVATE KEY----- --MDwCAQAwEAYHKoZIzj0CAQYFK4EEABsEJTAjAgEBBB4ALpOlFn4OfiIAkRAZGOsn7L6W3XoQBSV8 --mQVC2pw= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect233r1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEABsDPgAEAJQw+NWqFJXYw4dVMovzvw76OYnYOTaDaEPNW8ECAQbl --TzzbBSTp5iqM13mP0/Bo4OO66NS3lA9e/GTO -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect233r1:BOB_cf_sect233r1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect233r1 --PeerKey=BOB_cf_sect233r1_PUB --SharedSecret=00209d2995a63f1e8b7a5c33dee5abb602e32e1835ae8bb57eb264d8d795 -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect233r1 --PeerKey=ALICE_cf_sect233r1_PUB --SharedSecret=00209d2995a63f1e8b7a5c33dee5abb602e32e1835ae8bb57eb264d8d795 -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect233r1 --PeerKey=BOB_cf_sect233r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00c3cd1d38a65f5e421399409a76cec1136bc84149f054a7f55e7980c612 -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect233r1 --PeerKey=ALICE_cf_sect233r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00c3cd1d38a65f5e421399409a76cec1136bc84149f054a7f55e7980c612 -- --PublicKey=MALICE_cf_sect233r1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEABsDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYf4 --Vie5eHTnR+4x4G1xyq7qUvISU+X5RtBh2pE4 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect233r1 --PeerKey=MALICE_cf_sect233r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect233r1 --PeerKey=MALICE_cf_sect233r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect283k1 curve tests -- --PrivateKey=ALICE_cf_sect283k1 -------BEGIN PRIVATE KEY----- --MEICAQAwEAYHKoZIzj0CAQYFK4EEABAEKzApAgEBBCQAY1Mi9rST7PiP1t03qYRczV/kSZ+VjQu8 --5EFCgxyvkaLManw= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect283k1_PUB -------BEGIN PUBLIC KEY----- --MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEBMjBO8WoxHS/vz8po52WZGxS+RK5yolrUe6tfbAMA3Sd --5/JjBDVjOz95vM4gUnqzUWHN5nKBQtj6HiU9Q/R+zqg98OiQKTyA -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect283k1:ALICE_cf_sect283k1_PUB -- --PrivateKey=BOB_cf_sect283k1 -------BEGIN PRIVATE KEY----- --MEICAQAwEAYHKoZIzj0CAQYFK4EEABAEKzApAgEBBCQBCZC8Is+YSjgXJBBDioEl6gu14QpGHllD --1J6957vBTPSQdH0= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect283k1_PUB -------BEGIN PUBLIC KEY----- --MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEAGEQKZVHYAlvtjHrFyZVm12qUb5j+T5/WNoC962+kwUM --QkBYA5BpuG8Knlugq1iB31whPAgRCZfdLKHpHRPJSfXvKyUIdeUm -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect283k1:BOB_cf_sect283k1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect283k1 --PeerKey=BOB_cf_sect283k1_PUB --SharedSecret=03f67c88bdc230b43773d17fdb4d0a980556d074ceccee726932160e4ed965e3be72803c -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect283k1 --PeerKey=ALICE_cf_sect283k1_PUB --SharedSecret=03f67c88bdc230b43773d17fdb4d0a980556d074ceccee726932160e4ed965e3be72803c -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect283k1 --PeerKey=BOB_cf_sect283k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0677ba01c84d139609ca145cb5b6079fc9ca67f59c9c913e47cad1073f1d1dfaddde0169 -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect283k1 --PeerKey=ALICE_cf_sect283k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0677ba01c84d139609ca145cb5b6079fc9ca67f59c9c913e47cad1073f1d1dfaddde0169 -- --PublicKey=MALICE_cf_sect283k1_PUB -------BEGIN PUBLIC KEY----- --MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect283k1 --PeerKey=MALICE_cf_sect283k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect283k1 --PeerKey=MALICE_cf_sect283k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect283r1 curve tests -- --PrivateKey=ALICE_cf_sect283r1 -------BEGIN PRIVATE KEY----- --MEICAQAwEAYHKoZIzj0CAQYFK4EEABEEKzApAgEBBCQCQ5pqKvPxDysd1pi2Bv8Z11cFhsRZfuaf --4Pi0hpGr4ubZcHE= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect283r1_PUB -------BEGIN PUBLIC KEY----- --MF4wEAYHKoZIzj0CAQYFK4EEABEDSgAEBcsrGDgO7pbGybQX/00gRHtQq3+X9XrGb7Uzv9Nabwc/ --kntnBMF0I2KU+aaTjQx1GVtmNf7CvFwPLEBnfKjJAjekjsGyIqoq -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect283r1:ALICE_cf_sect283r1_PUB -- --PrivateKey=BOB_cf_sect283r1 -------BEGIN PRIVATE KEY----- --MEICAQAwEAYHKoZIzj0CAQYFK4EEABEEKzApAgEBBCQDxItnY3cDCrX/jGnVuAKDPaySZCr3E83Q --UdFnP6YIykt7+Pg= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect283r1_PUB -------BEGIN PUBLIC KEY----- --MF4wEAYHKoZIzj0CAQYFK4EEABEDSgAEBJ2C9BCkX0YRfs2ufgUKvreUXFWp2AGK+iHlZB4N3LqO --PKpmAkrAeCMty6mw2mEnOR5HA1d4Ee+z7/NJgJJ80Ra9bFnreOW3 -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect283r1:BOB_cf_sect283r1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect283r1 --PeerKey=BOB_cf_sect283r1_PUB --SharedSecret=0424259cf09727574fb863cab7c27d8fe3835e96433110a45a951f94347fc81939ec4773 -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect283r1 --PeerKey=ALICE_cf_sect283r1_PUB --SharedSecret=0424259cf09727574fb863cab7c27d8fe3835e96433110a45a951f94347fc81939ec4773 -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect283r1 --PeerKey=BOB_cf_sect283r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01c2a542654ce85b17456ed75b6bca6b6eb761580913670debc426a3525f236df0e875c8 -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect283r1 --PeerKey=ALICE_cf_sect283r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01c2a542654ce85b17456ed75b6bca6b6eb761580913670debc426a3525f236df0e875c8 -- --PublicKey=MALICE_cf_sect283r1_PUB -------BEGIN PUBLIC KEY----- --MF4wEAYHKoZIzj0CAQYFK4EEABEDSgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAByvMnFeSsevoGYMIn7b4NaL9IgowRCTKF8CCrhdEKu3pubP2 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect283r1 --PeerKey=MALICE_cf_sect283r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect283r1 --PeerKey=MALICE_cf_sect283r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect409k1 curve tests -- --PrivateKey=ALICE_cf_sect409k1 -------BEGIN PRIVATE KEY----- --MFECAQAwEAYHKoZIzj0CAQYFK4EEACQEOjA4AgEBBDMOthcLahkXFgM0wjOzm767D1A72sFRGlhb --bVH+EB7z2WpIcPX4OD+M4Y1pf/a7wSaoSAo= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect409k1_PUB -------BEGIN PUBLIC KEY----- --MH4wEAYHKoZIzj0CAQYFK4EEACQDagAEAbiYYpeFgCMsZFMzQaiwMJDrC+mCMT7KmhYtD5EMMgLW --5OvhaqYdpRf49A8LOtVcRT7J5gGcMrXQgmQeS3FenA5owWnB2NIgrTNf5d8AAEtrOupsJ4c3kL6e --aAzayZ1+UCEj8skbC9U= -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect409k1:ALICE_cf_sect409k1_PUB -- --PrivateKey=BOB_cf_sect409k1 -------BEGIN PRIVATE KEY----- --MFECAQAwEAYHKoZIzj0CAQYFK4EEACQEOjA4AgEBBDMO43ldQllTewdZwffH4OEXdzBrLwabKsn4 --6/hjgIAaYda/pt4yCEQLMp18QgtfMey5ENI= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect409k1_PUB -------BEGIN PUBLIC KEY----- --MH4wEAYHKoZIzj0CAQYFK4EEACQDagAEAVTQj6hRizVmOx4Z6vroN/zMkmAY+QhkQ0CnFeJ0AydY --Fv+f+/420vMC1Mhqsc9VzPMmIAH6ZrgGKDsd4Ce9JUtYE0rVhGeiG2RaN1U5RlhVK4avkWhFlyQ5 --vuu4aApQiWE3yQd9v/I= -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect409k1:BOB_cf_sect409k1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect409k1 --PeerKey=BOB_cf_sect409k1_PUB --SharedSecret=01fbe13188588c9d1ac3a8a2680ea9a009b28e4b7d7fa4efcb1a22553876fb7973616819fd87c75e5b8ce6e3628595e4ce12edb0 -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect409k1 --PeerKey=ALICE_cf_sect409k1_PUB --SharedSecret=01fbe13188588c9d1ac3a8a2680ea9a009b28e4b7d7fa4efcb1a22553876fb7973616819fd87c75e5b8ce6e3628595e4ce12edb0 -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect409k1 --PeerKey=BOB_cf_sect409k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=007e9485f7234bb2255bb40e51f4be867cb0ef31f8e489a697b31b51c4d5346daaee51e96ae6f9636e6e3af56095fe28755325ee -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect409k1 --PeerKey=ALICE_cf_sect409k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=007e9485f7234bb2255bb40e51f4be867cb0ef31f8e489a697b31b51c4d5346daaee51e96ae6f9636e6e3af56095fe28755325ee -- --PublicKey=MALICE_cf_sect409k1_PUB -------BEGIN PUBLIC KEY----- --MH4wEAYHKoZIzj0CAQYFK4EEACQDagAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAA= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect409k1 --PeerKey=MALICE_cf_sect409k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect409k1 --PeerKey=MALICE_cf_sect409k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect409r1 curve tests -- --PrivateKey=ALICE_cf_sect409r1 -------BEGIN PRIVATE KEY----- --MFICAQAwEAYHKoZIzj0CAQYFK4EEACUEOzA5AgEBBDQAxSC9lST5dtfXQI1Ug9VMMoue3GGni5ON --+gieyXK2KKbd29KAPs4/AOd8kX2wQDsZPO7E -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect409r1_PUB -------BEGIN PUBLIC KEY----- --MH4wEAYHKoZIzj0CAQYFK4EEACUDagAEASAvXAM15DJerAu1JttpBuMJK1/fEfFohu2iEpt3r7Ui --iQoER6HUsWiw1hhcJyTv7WzpJQHFWrOlJMe/KjmQa/CygSc65YHDzG27oUL+KGdQUGc79ZRSwl/q --fGZqa3D+bDVMwrhmZto= -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect409r1:ALICE_cf_sect409r1_PUB -- --PrivateKey=BOB_cf_sect409r1 -------BEGIN PRIVATE KEY----- --MFICAQAwEAYHKoZIzj0CAQYFK4EEACUEOzA5AgEBBDQARen+1P3JQzBgOv0pUYwsZTPRVLpqqDAU --7mKL2lk9eH7zSGmtNoMvP2m1S2dBnXxFY/bV -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect409r1_PUB -------BEGIN PUBLIC KEY----- --MH4wEAYHKoZIzj0CAQYFK4EEACUDagAEAbDUw066TtdfOpDvrlKosEyqUNEG7rY+AKvDqKw+HOzf --sUTYee6cEf71oqJ1sCKPQiYzlwCu/HLQeWPxISE6Uo+53kkeJml2xpMBwoE25Gq/DSS61dR7SRTZ --+sUmumbIuGzbrjtMRmw= -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect409r1:BOB_cf_sect409r1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect409r1 --PeerKey=BOB_cf_sect409r1_PUB --SharedSecret=00a751259cdb3b445ce71a40a01a2189dfce70226111190505fc6eabe4e5a05bff7af55f2015e1ffcab6aea7ea9a6e74905da2a1 -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect409r1 --PeerKey=ALICE_cf_sect409r1_PUB --SharedSecret=00a751259cdb3b445ce71a40a01a2189dfce70226111190505fc6eabe4e5a05bff7af55f2015e1ffcab6aea7ea9a6e74905da2a1 -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect409r1 --PeerKey=BOB_cf_sect409r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0115a31aed416c5089d74a263ec300aff13a5329c6ad27de950ae0b0917b40a3464fccf5691ac9633a51e5177a82b15cfc434aad -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect409r1 --PeerKey=ALICE_cf_sect409r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0115a31aed416c5089d74a263ec300aff13a5329c6ad27de950ae0b0917b40a3464fccf5691ac9633a51e5177a82b15cfc434aad -- --PublicKey=MALICE_cf_sect409r1_PUB -------BEGIN PUBLIC KEY----- --MH4wEAYHKoZIzj0CAQYFK4EEACUDagAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAACZNffkdo7i7yL5tKKfU8tdk6su0K185XwbJkn96JWVDPZXZ3My --bFKKSOJ7hyrM8Lwl1e8= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect409r1 --PeerKey=MALICE_cf_sect409r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect409r1 --PeerKey=MALICE_cf_sect409r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect571k1 curve tests -- --PrivateKey=ALICE_cf_sect571k1 -------BEGIN PRIVATE KEY----- --MGYCAQAwEAYHKoZIzj0CAQYFK4EEACYETzBNAgEBBEgB4agvk7Qdf9bVb9aMVdtXL0MuVw6dTleB --zrpPMYty/piI5GWkQEGVp4OJSjF1BGgWmtYSYlV0oI8jJ7hfWTjVGfVWix4ipb8= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect571k1_PUB -------BEGIN PUBLIC KEY----- --MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQDUZq0ZrgYpTXNpOptjExaur0K9FAYHv1j9cvAptwX --dcmQf3VqekMkGZCfNdqNeqCajG3QHRkBHe4FZhWr3FXi8whvvr463lUDf+t46un1kE6FTYfhILGa --sBZm7OdfkarYd9TXBbmnkFA+XkyPlkM1+6daM3/WmnegK+TYghFDXLgwiyF8s0ElllF7z38Gmc4= -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect571k1:ALICE_cf_sect571k1_PUB -- --PrivateKey=BOB_cf_sect571k1 -------BEGIN PRIVATE KEY----- --MGYCAQAwEAYHKoZIzj0CAQYFK4EEACYETzBNAgEBBEgA3pINxGOI7L9M+Mil+bm/udPwI4xu7ubJ --p3aoOepTXW94laf8wjFLcQnRUwH87Vbq9VLQEfCAFvr2vZoBc+5asnNuDhRNNeQ= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect571k1_PUB -------BEGIN PUBLIC KEY----- --MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQDZRr5GCSq2uzGxmWNB+bED7zye18Rr/KehwXrbn1r --rKtR8fe+dg2V15FieC3qZe/wCpMtyp79VmEabGi6iGLlAN/rUE81URsA/K7GVpmklslV5gmwryR0 --3E7jGKPFesun9iNtmpgM18P9y3aJd4Qr4hMlwW2Nyw187l6QB/W2e/i+8vKXFTLHlz5WLAyAcpA= -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect571k1:BOB_cf_sect571k1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect571k1 --PeerKey=BOB_cf_sect571k1_PUB --SharedSecret=02b79c92cee50dc5b9fdddce36d4fa2e28d7d178cd74e575961f39429496305b38815c840c2e66327435c044ed885ec964068531251a2112717602532e8b6d5411db2fe05c1ac18c -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect571k1 --PeerKey=ALICE_cf_sect571k1_PUB --SharedSecret=02b79c92cee50dc5b9fdddce36d4fa2e28d7d178cd74e575961f39429496305b38815c840c2e66327435c044ed885ec964068531251a2112717602532e8b6d5411db2fe05c1ac18c -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect571k1 --PeerKey=BOB_cf_sect571k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=063aea789492c9727a5a6b7f24e8d3d377c70ee8e86b13664e191a53b1905e90e78b85960b1881db5160c7c5cacca0d686d9e104140d565eeeec17426f93d3a7ba639ecd716b43d2 -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect571k1 --PeerKey=ALICE_cf_sect571k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=063aea789492c9727a5a6b7f24e8d3d377c70ee8e86b13664e191a53b1905e90e78b85960b1881db5160c7c5cacca0d686d9e104140d565eeeec17426f93d3a7ba639ecd716b43d2 -- --PublicKey=MALICE_cf_sect571k1_PUB -------BEGIN PUBLIC KEY----- --MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect571k1 --PeerKey=MALICE_cf_sect571k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect571k1 --PeerKey=MALICE_cf_sect571k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect571r1 curve tests -- --PrivateKey=ALICE_cf_sect571r1 -------BEGIN PRIVATE KEY----- --MGYCAQAwEAYHKoZIzj0CAQYFK4EEACcETzBNAgEBBEgAxfL2/gUsmJonvDMR95Azq1ySgXMlKSRk --+PL+WaS92ZyOo45HaC7RpH5sdkf4b948u6y1BXOxGZuORXy6lgbgZ1Zx2UgL3cI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect571r1_PUB -------BEGIN PUBLIC KEY----- --MIGnMBAGByqGSM49AgEGBSuBBAAnA4GSAAQBK5L9ccIWacU2A1srZ35opPu6kcbEOsBPmvj/rlMS --fFrdMOcagOYfcD0/ouYHPhvkHbr9k87IlQJfnV6ZNRA4PmWSp/FjkNwETm/fqTCUQHti/qqnKH7R --Ed4fYROLFGvz+PX6E20SryOt1vrmoRyC7Z5FVmgMVOQQ1AaBNAHi3+IPtKx41YdXdbqHJxuI5jE= -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect571r1:ALICE_cf_sect571r1_PUB -- --PrivateKey=BOB_cf_sect571r1 -------BEGIN PRIVATE KEY----- --MGYCAQAwEAYHKoZIzj0CAQYFK4EEACcETzBNAgEBBEgAzcRvASPpWi0ybpOGlj0Lozz01C2a5oDA --G5alib1EmZKcpVULxJXn75FQlTKpkUEuWUgA4yk5X5DTiScUuh4LDhaF3AFhsEY= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect571r1_PUB -------BEGIN PUBLIC KEY----- --MIGnMBAGByqGSM49AgEGBSuBBAAnA4GSAAQH3dnL22NajtqDWTX6qD14w1BOlpHFBUPTr24VySlh --kiiBlOF95u7hFr/hSb7gm/3f+IVKyE18Sh2kR4KaxWcPWKY5xKTiqiICT7hCistuzNRt8gR+kNOT --c1rETMV6ZruZinwzEWWWjwJf6612oy2HG3CX3B8Rm+a3sS0q6IzowEwqmDv6v9bMTFk8bsCv0Fk= -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect571r1:BOB_cf_sect571r1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect571r1 --PeerKey=BOB_cf_sect571r1_PUB --SharedSecret=0031f9879fa75b8c67ba81ee861be634e2b53aa79f834e9a8ca4df7f4461bcb02f083d9fa5b4767f881a710caa6524b58eb626623ba394961d46535204c26d165089e7d4f7be1827 -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect571r1 --PeerKey=ALICE_cf_sect571r1_PUB --SharedSecret=0031f9879fa75b8c67ba81ee861be634e2b53aa79f834e9a8ca4df7f4461bcb02f083d9fa5b4767f881a710caa6524b58eb626623ba394961d46535204c26d165089e7d4f7be1827 -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect571r1 --PeerKey=BOB_cf_sect571r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=012e8c2c1554988fe20c5ae7d11cdcfe15c7c6e8d2b6f46a43a45d724bfc7b415ea7594d5c16f770a95d6e65bbcb1f34619db95e89f4fecbcb0bc6a3f92d52df6a49b0e7773e0ac0 -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect571r1 --PeerKey=ALICE_cf_sect571r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=012e8c2c1554988fe20c5ae7d11cdcfe15c7c6e8d2b6f46a43a45d724bfc7b415ea7594d5c16f770a95d6e65bbcb1f34619db95e89f4fecbcb0bc6a3f92d52df6a49b0e7773e0ac0 -- --PublicKey=MALICE_cf_sect571r1_PUB -------BEGIN PUBLIC KEY----- --MIGnMBAGByqGSM49AgEGBSuBBAAnA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHMtVWZAwgtd1zmgWN/9WC --aNQcWRNUKesEHXqhJVkC5jYsSACodKsLYFNrWEYM0gwG8DQONZSn93G+38EM45tkaZsIRDt2HEM= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect571r1 --PeerKey=MALICE_cf_sect571r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect571r1 --PeerKey=MALICE_cf_sect571r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt ---- openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec 2021-06-30 10:51:23.258816802 +0200 -+++ openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt 2021-06-30 11:25:33.504721672 +0200 -@@ -1,3 +1,4 @@ -+ - # - # Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. - # -@@ -55,151 +56,6 @@ Derive=BOB_cf_secp256k1 - PeerKey=ALICE_cf_secp256k1_PUB - SharedSecret=a4745cc4d19cabb9e5cb0abdd5c604cab2846a4638ad844ed9175f3cadda2da1 - -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBj1AIQMJ7jqYIKCvxYAS+qKMmKmH0to --41k= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime192v2_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4Gj7Qqt --2wx/jwFlKgvE4rnd50LspdMk -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime192v2 --PeerKey=BOB_zero_prime192v2_PUB --SharedSecret=b8f200a4b87064f2e8600685ca3e69b8e661a117aabc770b -- --PrivateKey=ALICE_zero_prime192v3 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQMEHzAdAgEBBBh/maLQMSlea9BfLqGy5NPuK0YAH/cz --GqI= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime192v3_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQMDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZEzb63e2 --3MKatRLR9Y1M5JEdI9jwMocI -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime192v3 --PeerKey=BOB_zero_prime192v3_PUB --SharedSecret=b5de857d355bc5b9e270a4c290ea9728d764d8b243ff5d8d -- --PrivateKey=ALICE_zero_prime239v1 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQQEJTAjAgEBBB5pYWzRYI+c6O7NXCt0H2kw8XRL3rhe --4MrJT8j++CI= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime239v1_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQQDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --Ox02uwNNLFuvDRn5ip8TxvW0W22R7UzJa9Av6/nh -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime239v1 --PeerKey=BOB_zero_prime239v1_PUB --SharedSecret=6b6206408bd05d42daa2cd224c401a1230b44e184f17b82f385f22dac215 -- --PrivateKey=ALICE_zero_prime239v2 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQUEJTAjAgEBBB5l8bB7Cpmr7vyx9FiOT2wEF3YOFbDG --bmRr3Vi/xr4= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime239v2_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --IOg3VJGQ89d1GWg4Igxcj5xpDmJiP8tv+e4mxt5U -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime239v2 --PeerKey=BOB_zero_prime239v2_PUB --SharedSecret=772c2819c960c78f28f21f6542b7409294fad1f84567c44c4b7678dc0e42 -- --PrivateKey=ALICE_zero_prime239v3 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQYEJTAjAgEBBB5HF5FABzUOTYMZg9UdZTx/oRERm/fU --M/+otKzpLjA= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime239v3_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQYDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AsZ4u6r3qQI78EYBpiSgWjqNpoeShjr5piecMBWj -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime239v3 --PeerKey=BOB_zero_prime239v3_PUB --SharedSecret=56a71f5dd1611e8032c3e2d8224d86e5e8c2fc6480d74c0e282282decd43 -- --PrivateKey=ALICE_zero_prime256v1 -------BEGIN PRIVATE KEY----- --MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCDXhMb6aR4JR2+l2tmgYqP0r8S4jtym --yH++awvF2nGhhg== -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime256v1_PUB -------BEGIN PUBLIC KEY----- --MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AABmSFx4Di+D1yQzvV2EoGu2VBwq8x2uhxcov4VqF0+T9A== -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime256v1 --PeerKey=BOB_zero_prime256v1_PUB --SharedSecret=c4f5607deb8501f1a4ba23fce4122a4343a17ada2c86a9c8e0d03d92d4a4c84c -- --PrivateKey=ALICE_zero_secp384r1 -------BEGIN PRIVATE KEY----- --ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDD6kgzKbg28zbQyVTdC0IdHbm0UCQt2Rdbi --VVHJeYRSnNpFOiFLaOsGOmwoeZzj6jc= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_secp384r1_PUB -------BEGIN PUBLIC KEY----- --MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAPPme8E9RpepjC6P5+WDdWToUyb45/SvSFdO0sIqq+Gu/kn8sRuUqsG+3 --QriFDlIe -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp384r1 --PeerKey=BOB_zero_secp384r1_PUB --SharedSecret=b1cfeaeef51dfd487d3a8b2849f1592e04d63f2d2c88b310a6290ebfe5399f5ffe954eabd0619231393e56c35b242986 -- --PrivateKey=ALICE_zero_secp521r1 -------BEGIN PRIVATE KEY----- --MGACAQAwEAYHKoZIzj0CAQYFK4EEACMESTBHAgEBBEIAbddDLMUWbAsY7l3vbNDmntXuAUcDYPg5 --w/cgUwSCIvrV9MBeSG8AWqT16riHmHlsn+XI5PAJM6eij3JDahnu9Mo= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_secp521r1_PUB -------BEGIN PUBLIC KEY----- --MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0g7J/qa1d8ENJsobtEb0CymeZIsa --1Qiq0GiJb+4/jmFLxjBU1Xcr8Bpl1BLgvKqOll0vXTMtfzn4RtRArgAfT4c= -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp521r1 --PeerKey=BOB_zero_secp521r1_PUB --SharedSecret=003fc3028f61db94b20c7cd177923b6e73f12f0ab067c9ce8866755e3c82abb39c9863cde74fa80b32520bd7dd0eb156c30c08911503b67b2661f1264d09bb231423 -- - Title=prime256v1 curve tests - - PrivateKey=ALICE_cf_prime256v1 -diff -up openssl-3.0.7/test/recipes/15-test_ec.t.skipshort openssl-3.0.7/test/recipes/15-test_ec.t ---- openssl-3.0.7/test/recipes/15-test_ec.t.skipshort 2022-11-23 12:40:55.324395782 +0100 -+++ openssl-3.0.7/test/recipes/15-test_ec.t 2022-11-23 12:42:12.478094387 +0100 -@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key - - subtest 'Check loading of fips and non-fips keys' => sub { - plan skip_all => "FIPS is disabled" -- if $no_fips; -+ if 1; #Red Hat specific, original value is $no_fips; - - plan tests => 2; + my @prime_curves = qw( +- secp112r1 +- secp112r2 +- secp128r1 +- secp128r2 +- secp160k1 +- secp160r1 +- secp160r2 +- secp192k1 +- secp224k1 + secp224r1 + secp256k1 + secp384r1 + secp521r1 +- prime192v1 +- prime192v2 +- prime192v3 +- prime239v1 +- prime239v2 +- prime239v3 + prime256v1 +- wap-wsg-idm-ecid-wtls6 +- wap-wsg-idm-ecid-wtls7 +- wap-wsg-idm-ecid-wtls8 +- wap-wsg-idm-ecid-wtls9 +- wap-wsg-idm-ecid-wtls12 +- brainpoolP160r1 +- brainpoolP160t1 +- brainpoolP192r1 +- brainpoolP192t1 +- brainpoolP224r1 +- brainpoolP224t1 + brainpoolP256r1 + brainpoolP256t1 + brainpoolP320r1 +@@ -136,7 +110,6 @@ push(@other_curves, 'SM2') + if !disabled("sm2"); + my @curve_aliases = qw( +- P-192 + P-224 + P-256 + P-384 +diff -up openssl-3.0.7/crypto/evp/ec_support.c.ec-remove openssl-3.0.7/crypto/evp/ec_support.c +--- openssl-3.0.7/crypto/evp/ec_support.c.ec-remove 2023-07-06 10:30:10.152621369 +0200 ++++ openssl-3.0.7/crypto/evp/ec_support.c 2023-07-06 10:34:00.557091758 +0200 +@@ -74,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *n + /* Functions to translate between common NIST curve names and NIDs */ + + static const EC_NAME2NID nist_curves[] = { +- {"B-163", NID_sect163r2}, +- {"B-233", NID_sect233r1}, +- {"B-283", NID_sect283r1}, +- {"B-409", NID_sect409r1}, +- {"B-571", NID_sect571r1}, +- {"K-163", NID_sect163k1}, +- {"K-233", NID_sect233k1}, +- {"K-283", NID_sect283k1}, +- {"K-409", NID_sect409k1}, +- {"K-571", NID_sect571k1}, +- {"P-192", NID_X9_62_prime192v1}, + {"P-224", NID_secp224r1}, + {"P-256", NID_X9_62_prime256v1}, + {"P-384", NID_secp384r1}, diff --git a/SOURCES/0013-skipped-tests-EC-curves.patch b/SOURCES/0013-skipped-tests-EC-curves.patch new file mode 100644 index 0000000..0c81d4c --- /dev/null +++ b/SOURCES/0013-skipped-tests-EC-curves.patch @@ -0,0 +1,36 @@ +diff -up ./test/recipes/15-test_ec.t.skip-tests ./test/recipes/15-test_ec.t +--- ./test/recipes/15-test_ec.t.skip-tests 2023-03-14 13:42:38.865508269 +0100 ++++ ./test/recipes/15-test_ec.t 2023-03-14 13:43:36.237021635 +0100 +@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key + + subtest 'Check loading of fips and non-fips keys' => sub { + plan skip_all => "FIPS is disabled" +- if $no_fips; ++ if 1; #Red Hat specific, original value is $no_fips; + + plan tests => 2; + +diff -up ./test/recipes/65-test_cmp_protect.t.skip-tests ./test/recipes/65-test_cmp_protect.t +--- ./test/recipes/65-test_cmp_protect.t.skip-tests 2023-03-14 10:13:11.342056559 +0100 ++++ ./test/recipes/65-test_cmp_protect.t 2023-03-14 10:14:42.643873496 +0100 +@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo + plan skip_all => "This test is not supported in a shared library build on Windows" + if $^O eq 'MSWin32' && !disabled("shared"); + +-plan tests => 2 + ($no_fips ? 0 : 1); #fips test ++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test + + my @basic_cmd = ("cmp_protect_test", + data_file("server.pem"), +diff -up ./test/recipes/65-test_cmp_vfy.t.skip-tests ./test/recipes/65-test_cmp_vfy.t +--- ./test/recipes/65-test_cmp_vfy.t.skip-tests 2023-03-14 10:13:38.106296042 +0100 ++++ ./test/recipes/65-test_cmp_vfy.t 2023-03-14 10:16:56.496071178 +0100 +@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo + plan skip_all => "This test is not supported in a no-ec build" + if disabled("ec"); + +-plan tests => 2 + ($no_fips ? 0 : 1); #fips test ++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test + + my @basic_cmd = ("cmp_vfy_test", + data_file("server.crt"), data_file("client.crt"), diff --git a/SOURCES/0032-Force-fips.patch b/SOURCES/0032-Force-fips.patch index 1a4ea0d..5f82475 100644 --- a/SOURCES/0032-Force-fips.patch +++ b/SOURCES/0032-Force-fips.patch @@ -7,6 +7,14 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c --- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200 +++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200 +@@ -36,6 +36,7 @@ static int prov_already_activated(const + #include + #include + #include ++#include + #include + #include + #include @@ -136,58 +136,18 @@ static int prov_already_activated(const return 0; } @@ -143,17 +151,28 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi } else { OSSL_PROVIDER_INFO entry; -@@ -306,6 +317,19 @@ static int provider_conf_init(CONF_IMODU +@@ -306,6 +317,30 @@ static int provider_conf_init(CONF_IMODU return 0; } + if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */ + OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf); -+ PROVIDER_CONF_GLOBAL *pcgbl -+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, -+ &provider_conf_ossl_ctx_method); -+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) -+ return 0; ++# define FIPS_LOCAL_CONF OPENSSLDIR "/fips_local.cnf" ++ ++ if (access(FIPS_LOCAL_CONF, R_OK) == 0) { ++ CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default()); ++ if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0) ++ return 0; ++ ++ if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) { ++ NCONF_free(fips_conf); ++ return 0; ++ } ++ NCONF_free(fips_conf); ++ } else { ++ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) ++ return 0; ++ } + if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) + return 0; + if (EVP_default_properties_enable_fips(libctx, 1) != 1) diff --git a/SOURCES/0044-FIPS-140-3-keychecks.patch b/SOURCES/0044-FIPS-140-3-keychecks.patch index a0ec627..38efa07 100644 --- a/SOURCES/0044-FIPS-140-3-keychecks.patch +++ b/SOURCES/0044-FIPS-140-3-keychecks.patch @@ -35,7 +35,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -@@ -354,8 +367,23 @@ static int generate_key(DH *dh) +@@ -354,8 +367,21 @@ static int generate_key(DH *dh) if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key)) goto err; @@ -50,9 +50,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c dh->priv_key = priv_key; +#ifdef FIPS_MODULE + if (ossl_dh_check_pairwise(dh) <= 0) { -+ dh->pub_key = dh->priv_key = NULL; -+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID); -+ goto err; ++ abort(); + } +#endif + @@ -89,99 +87,276 @@ diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 open retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); -diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c ---- openssl-3.0.1/crypto/ec/ec_key.c.fips3 2022-07-25 14:03:34.420222507 +0200 -+++ openssl-3.0.1/crypto/ec/ec_key.c 2022-07-25 14:09:00.728164294 +0200 -@@ -336,6 +336,11 @@ static int ec_generate_key(EC_KEY *eckey +diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c +--- openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise 2023-02-20 11:44:18.451884117 +0100 ++++ openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c 2023-02-20 12:39:46.037063842 +0100 +@@ -982,8 +982,17 @@ struct ec_gen_ctx { + int selection; + int ecdh_mode; + EC_GROUP *gen_group; ++#ifdef FIPS_MODULE ++ void *ecdsa_sig_ctx; ++#endif + }; - OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg); - ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg); -+ +#ifdef FIPS_MODULE -+ ok &= ossl_ec_key_public_check(eckey, ctx); -+ ok &= ossl_ec_key_pairwise_check(eckey, ctx); -+#endif /* FIPS_MODULE */ ++void *ecdsa_newctx(void *provctx, const char *propq); ++void ecdsa_freectx(void *vctx); ++int do_ec_pct(void *, const char *, void *); ++#endif ++ + static void *ec_gen_init(void *provctx, int selection, + const OSSL_PARAM params[]) + { +@@ -1002,6 +1011,10 @@ static void *ec_gen_init(void *provctx, + OPENSSL_free(gctx); + gctx = NULL; } - err: - /* Step (9): If there is an error return an invalid keypair. */ -diff -up openssl-3.0.1/crypto/rsa/rsa_gen.c.fips3 openssl-3.0.1/crypto/rsa/rsa_gen.c ---- openssl-3.0.1/crypto/rsa/rsa_gen.c.fips3 2022-07-25 17:02:17.807271297 +0200 -+++ openssl-3.0.1/crypto/rsa/rsa_gen.c 2022-07-25 17:18:24.931959649 +0200 -@@ -23,6 +23,7 @@ - #include - #include "internal/cryptlib.h" - #include -+#include - #include - #include "prov/providercommon.h" - #include "rsa_local.h" -@@ -476,52 +476,43 @@ static int rsa_keygen(OSSL_LIB_CTX *libc - static int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg) ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL); ++#endif + return gctx; + } + +@@ -1272,6 +1285,12 @@ static void *ec_gen(void *genctx, OSSL_C + + if (gctx->ecdh_mode != -1) + ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0 ++ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1) ++ abort(); ++#endif + + if (gctx->group_check != NULL) + ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check); +@@ -1341,7 +1359,10 @@ static void ec_gen_cleanup(void *genctx) + + if (gctx == NULL) + return; +- ++#ifdef FIPS_MODULE ++ ecdsa_freectx(gctx->ecdsa_sig_ctx); ++ gctx->ecdsa_sig_ctx = NULL; ++#endif + EC_GROUP_free(gctx->gen_group); + BN_free(gctx->p); + BN_free(gctx->a); +diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c +--- openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise 2023-02-20 11:50:23.035194347 +0100 ++++ openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c 2023-02-20 12:19:10.809768979 +0100 +@@ -32,7 +32,7 @@ + #include "crypto/ec.h" + #include "prov/der_ec.h" + +-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx; ++OSSL_FUNC_signature_newctx_fn ecdsa_newctx; + static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init; + static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init; + static OSSL_FUNC_signature_sign_fn ecdsa_sign; +@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_f + static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init; + static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update; + static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final; +-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx; ++OSSL_FUNC_signature_freectx_fn ecdsa_freectx; + static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx; + static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params; + static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params; +@@ -104,7 +104,7 @@ typedef struct { + #endif + } PROV_ECDSA_CTX; + +-static void *ecdsa_newctx(void *provctx, const char *propq) ++void *ecdsa_newctx(void *provctx, const char *propq) { - int ret = 0; -- unsigned int ciphertxt_len; -- unsigned char *ciphertxt = NULL; -- const unsigned char plaintxt[16] = {0}; -- unsigned char *decoded = NULL; -- unsigned int decoded_len; -- unsigned int plaintxt_len = (unsigned int)sizeof(plaintxt_len); -- int padding = RSA_PKCS1_PADDING; -+ unsigned int signature_len; -+ unsigned char *signature = NULL; - OSSL_SELF_TEST *st = NULL; -+ static const unsigned char dgst[] = { -+ 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, -+ 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28, -+ 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69 -+ }; - - st = OSSL_SELF_TEST_new(cb, cbarg); - if (st == NULL) - goto err; - OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT, -+ /* No special name for RSA signature PCT*/ - OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1); - -- ciphertxt_len = RSA_size(rsa); -+ signature_len = RSA_size(rsa); -- /* -- * RSA_private_encrypt() and RSA_private_decrypt() requires the 'to' -- * parameter to be a maximum of RSA_size() - allocate space for both. -- */ -- ciphertxt = OPENSSL_zalloc(ciphertxt_len * 2); -- if (ciphertxt == NULL) -+ signature = OPENSSL_zalloc(signature_len); -+ if (signature == NULL) - goto err; -- decoded = ciphertxt + ciphertxt_len; + PROV_ECDSA_CTX *ctx; -- ciphertxt_len = RSA_public_encrypt(plaintxt_len, plaintxt, ciphertxt, rsa, -- padding); -- if (ciphertxt_len <= 0) -+ if (RSA_sign(NID_sha256, dgst, sizeof(dgst), signature, &signature_len, rsa) <= 0) - goto err; -- if (ciphertxt_len == plaintxt_len -- && memcmp(ciphertxt, plaintxt, plaintxt_len) == 0) +@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx + return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen); + } + +-static void ecdsa_freectx(void *vctx) ++void ecdsa_freectx(void *vctx) + { + PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; + +@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ + return EVP_MD_settable_ctx_params(ctx->md); + } + ++#ifdef FIPS_MODULE ++int do_ec_pct(void *vctx, const char *mdname, void *ec) ++{ ++ static const unsigned char data[32]; ++ unsigned char sigbuf[256]; ++ size_t siglen = sizeof(sigbuf); + -+ if (signature_len <= 0) - goto err; ++ if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) ++ return 0; ++ ++ return 1; ++} ++#endif ++ + const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, +diff -up openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c +--- openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise 2023-02-20 16:04:27.103364713 +0100 ++++ openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c 2023-02-20 16:14:13.848119419 +0100 +@@ -434,6 +434,7 @@ struct rsa_gen_ctx { + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + /* ACVP test parameters */ + OSSL_PARAM *acvp_test_params; ++ void *prov_rsa_ctx; + #endif + }; + +@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GE + return gctx->cb(params, gctx->cbarg); + } -- OSSL_SELF_TEST_oncorrupt_byte(st, ciphertxt); -+ OSSL_SELF_TEST_oncorrupt_byte(st, signature); ++#ifdef FIPS_MODULE ++void *rsa_newctx(void *provctx, const char *propq); ++void rsa_freectx(void *vctx); ++int do_rsa_pct(void *, const char *, void *); ++#endif ++ + static void *gen_init(void *provctx, int selection, int rsa_type, + const OSSL_PARAM params[]) + { +@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int -- decoded_len = RSA_private_decrypt(ciphertxt_len, ciphertxt, decoded, rsa, -- padding); -- if (decoded_len != plaintxt_len -- || memcmp(decoded, plaintxt, decoded_len) != 0) -+ if (RSA_verify(NID_sha256, dgst, sizeof(dgst), signature, signature_len, rsa) <= 0) + if (!rsa_gen_set_params(gctx, params)) goto err; ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL); ++#endif + return gctx; - ret = 1; err: - OSSL_SELF_TEST_onend(st, ret); - OSSL_SELF_TEST_free(st); -- OPENSSL_free(ciphertxt); -+ OPENSSL_free(signature); +@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_ + + rsa = rsa_tmp; + rsa_tmp = NULL; ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) ++ abort(); ++#endif + err: + BN_GENCB_free(gencb); + RSA_free(rsa_tmp); +@@ -645,6 +662,8 @@ static void rsa_gen_cleanup(void *genctx + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params); + gctx->acvp_test_params = NULL; ++ rsa_freectx(gctx->prov_rsa_ctx); ++ gctx->prov_rsa_ctx = NULL; + #endif + BN_clear_free(gctx->pub_exp); + OPENSSL_free(gctx); +diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/rsa_sig.c +--- openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise 2023-02-20 16:04:22.548327811 +0100 ++++ openssl-3.0.7/providers/implementations/signature/rsa_sig.c 2023-02-20 16:17:50.064871695 +0100 +@@ -36,7 +36,7 @@ + + #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 + +-static OSSL_FUNC_signature_newctx_fn rsa_newctx; ++OSSL_FUNC_signature_newctx_fn rsa_newctx; + static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; + static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; + static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; +@@ -49,7 +49,7 @@ static OSSL_FUNC_signature_digest_sign_f + static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; + static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update; + static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; +-static OSSL_FUNC_signature_freectx_fn rsa_freectx; ++OSSL_FUNC_signature_freectx_fn rsa_freectx; + static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; + static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; + static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; +@@ -172,7 +172,7 @@ static int rsa_check_parameters(PROV_RSA + return 1; + } + +-static void *rsa_newctx(void *provctx, const char *propq) ++void *rsa_newctx(void *provctx, const char *propq) + { + PROV_RSA_CTX *prsactx = NULL; + char *propq_copy = NULL; +@@ -990,7 +990,7 @@ int rsa_digest_verify_final(void *vprsac + return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen); + } - return ret; +-static void rsa_freectx(void *vprsactx) ++void rsa_freectx(void *vprsactx) + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + +@@ -1504,6 +1504,45 @@ static const OSSL_PARAM *rsa_settable_ct + return EVP_MD_settable_ctx_params(prsactx->md); } + ++#ifdef FIPS_MODULE ++int do_rsa_pct(void *vctx, const char *mdname, void *rsa) ++{ ++ static const unsigned char data[32]; ++ unsigned char *sigbuf = NULL; ++ size_t siglen = 0; ++ int ret = 0; ++ ++ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0) ++ return 0; ++ ++ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0) ++ return 0; ++ ++ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL) ++ return 0; ++ ++ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0) ++ goto err; ++ ++ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) ++ goto err; ++ ret = 1; ++ ++ err: ++ OPENSSL_free(sigbuf); ++ return ret; ++} ++#endif ++ + const OSSL_DISPATCH ossl_rsa_signature_functions[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, diff --git a/SOURCES/0045-FIPS-services-minimize.patch b/SOURCES/0045-FIPS-services-minimize.patch index abb13e0..2ba9aab 100644 --- a/SOURCES/0045-FIPS-services-minimize.patch +++ b/SOURCES/0045-FIPS-services-minimize.patch @@ -434,9 +434,9 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 openssl-3.0.1/test/re + evpkdf_x942_des.txt + evpmac_cmac_des.txt + ) unless $no_des; + push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; - plan tests => diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt --- openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 2022-05-05 14:46:32.721700697 +0200 +++ openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt 2022-05-05 14:51:40.205418897 +0200 @@ -697,6 +697,26 @@ diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen openssl-3.0.1/providers/implementations/signature/rsa_sig.c --- openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen 2022-05-23 14:58:07.764281242 +0200 +++ openssl-3.0.1/providers/implementations/signature/rsa_sig.c 2022-05-23 15:10:29.327993616 +0200 +@@ -692,6 +692,19 @@ static int rsa_verify_recover(void *vprs + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + int ret; ++# ifdef FIPS_MODULE ++ size_t rsabits = RSA_bits(prsactx->rsa); ++ ++ if (rsabits < 2048) { ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ } ++# endif + + if (!ossl_prov_is_running()) + return 0; @@ -770,6 +770,19 @@ static int rsa_verify(void *vprsactx, co { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; @@ -717,3 +737,19 @@ diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen if (!ossl_prov_is_running()) return 0; +diff -up openssl-3.0.7/apps/ecparam.c.minfips openssl-3.0.7/apps/ecparam.c +--- openssl-3.0.7/apps/ecparam.c.minfips 2023-06-24 09:58:57.773344910 +0200 ++++ openssl-3.0.7/apps/ecparam.c 2023-06-26 09:18:06.843859405 +0200 +@@ -79,7 +79,11 @@ static int list_builtin_curves(BIO *out) + const char *comment = curves[n].comment; + const char *sname = OBJ_nid2sn(curves[n].nid); + +- if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL)) ++ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1) ++ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1) ++ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1) ++ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1) ++ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL)) + continue; + + if (comment == NULL) diff --git a/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch b/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch index f18e099..d453f97 100644 --- a/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch +++ b/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch @@ -399,7 +399,7 @@ index 325e855333..bea397f0c1 100644 #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 +#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256 - static OSSL_FUNC_signature_newctx_fn rsa_newctx; + OSSL_FUNC_signature_newctx_fn rsa_newctx; static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; @@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, diff --git a/SOURCES/0058-FIPS-limit-rsa-encrypt.patch b/SOURCES/0058-FIPS-limit-rsa-encrypt.patch index 6dcf7c0..b9cc3aa 100644 --- a/SOURCES/0058-FIPS-limit-rsa-encrypt.patch +++ b/SOURCES/0058-FIPS-limit-rsa-encrypt.patch @@ -19,7 +19,7 @@ diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pa +# ifdef FIPS_MODULE +static int fips_padding_allowed(const PROV_RSA_CTX *prsactx) +{ -+ if (prsactx->pad_mode == RSA_PKCS1_PADDING ++ if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING + || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) + return 0; + diff --git a/SOURCES/0076-FIPS-140-3-DRBG.patch b/SOURCES/0076-FIPS-140-3-DRBG.patch index 0d91598..4a276f7 100644 --- a/SOURCES/0076-FIPS-140-3-DRBG.patch +++ b/SOURCES/0076-FIPS-140-3-DRBG.patch @@ -92,6 +92,22 @@ diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3 /* Reseed using our sources in addition */ entropylen = get_entropy(drbg, &entropy, drbg->strength, drbg->min_entropylen, drbg->max_entropylen, +@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d + reseed_required = 1; + } + if (drbg->parent != NULL +- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) ++ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { ++#ifdef FIPS_MODULE ++ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/ ++ drbg->parent_reseed_counter = get_parent_reseed_count(drbg); ++#else + reseed_required = 1; ++#endif ++ } + + if (reseed_required || prediction_resistance) { + if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0, diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c --- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200 +++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200 @@ -127,3 +143,15 @@ diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl- if (bytes_needed < min_len) bytes_needed = min_len; if (bytes_needed > max_len) +diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h +--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100 ++++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100 +@@ -38,7 +38,7 @@ + * + * The value is in bytes. + */ +-#define CRNGT_BUFSIZ 16 ++#define CRNGT_BUFSIZ 32 + + /* + * Maximum input size for the DRBG (entropy, nonce, personalization string) diff --git a/SOURCES/0078-Add-FIPS-indicator-parameter-to-HKDF.patch b/SOURCES/0078-Add-FIPS-indicator-parameter-to-HKDF.patch deleted file mode 100644 index b54d0fa..0000000 --- a/SOURCES/0078-Add-FIPS-indicator-parameter-to-HKDF.patch +++ /dev/null @@ -1,138 +0,0 @@ -From 0c4aaedf29a1ed1559762515bfeaa5923925e18f Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 11 Aug 2022 09:27:12 +0200 -Subject: [PATCH 1/2] Add FIPS indicator parameter to HKDF - -NIST considers HKDF only acceptable when used as in TLS 1.3, and -otherwise unapproved. Add an explicit indicator attached to the -EVP_KDF_CTX that can be queried using EVP_KDF_CTX_get_params() to -determine whether the KDF operation was approved after performing it. - -Signed-off-by: Clemens Lang -Related: rhbz#2114772 ---- - include/crypto/evp.h | 7 ++++ - include/openssl/core_names.h | 1 + - include/openssl/kdf.h | 4 ++ - providers/implementations/kdfs/hkdf.c | 53 +++++++++++++++++++++++++++ - 4 files changed, 65 insertions(+) - -diff --git a/include/crypto/evp.h b/include/crypto/evp.h -index e70d8e9e84..76fb990de4 100644 ---- a/include/crypto/evp.h -+++ b/include/crypto/evp.h -@@ -219,6 +219,13 @@ struct evp_mac_st { - OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params; - }; - -+#ifdef FIPS_MODULE -+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving -+ * Additional Keys from a Cryptographic Key, "[t]he length of the -+ * key-derivation key [i.e., the input key] shall be at least 112 bits". */ -+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8) -+#endif -+ - struct evp_kdf_st { - OSSL_PROVIDER *prov; - int name_id; -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 21c94d0488..c019afbbb0 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -223,6 +223,7 @@ extern "C" { - #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo" - #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo" - #define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits" -+#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" - - /* Known KDF names */ - #define OSSL_KDF_NAME_HKDF "HKDF" -diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h -index 0983230a48..86171635ea 100644 ---- a/include/openssl/kdf.h -+++ b/include/openssl/kdf.h -@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf, - # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 - # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2 - -+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 -+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1 -+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 -+ - #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 - #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 - #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 -diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c -index afdb7138e1..6f06fa58fe 100644 ---- a/providers/implementations/kdfs/hkdf.c -+++ b/providers/implementations/kdfs/hkdf.c -@@ -298,6 +298,56 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - return 0; - return OSSL_PARAM_set_size_t(p, sz); - } -+ -+#ifdef FIPS_MODULE -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) -+ != NULL) { -+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED; -+ switch (ctx->mode) { -+ case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: -+ /* TLS 1.3 never uses extract-and-expand */ -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ break; -+ case EVP_KDF_HKDF_MODE_EXTRACT_ONLY: -+ { -+ /* When TLS 1.3 uses extract, the following holds: -+ * 1. The salt length matches the hash length, and either -+ * 2.1. the key is all zeroes and matches the hash length, or -+ * 2.2. the key originates from a PSK (resumption_master_secret -+ * or some externally esablished key), or an ECDH or DH key -+ * derivation. See -+ * https://www.rfc-editor.org/rfc/rfc8446#section-7.1. -+ * Unfortunately at this point, we cannot verify where the key -+ * comes from, so all we can do is check the salt length. -+ */ -+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); -+ if (md != NULL && ctx->salt_len == (size_t) EVP_MD_get_size(md)) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; -+ else -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ break; -+ case EVP_KDF_HKDF_MODE_EXPAND_ONLY: -+ /* When TLS 1.3 uses expand, it always provides a label that -+ * contains an uint16 for the length, followed by between 7 and 255 -+ * bytes for a label string that starts with "tls13 " or "dtls13". -+ * For compatibility with future versions, we only check for "tls" -+ * or "dtls". See -+ * https://www.rfc-editor.org/rfc/rfc8446#section-7.1 and -+ * https://www.rfc-editor.org/rfc/rfc9147#section-5.9. */ -+ if (ctx->label != NULL -+ && ctx->label_len >= 2 /* length */ + 4 /* "dtls" */ -+ && (strncmp("tls", (const char *)ctx->label + 2, 3) == 0 || -+ strncmp("dtls", (const char *)ctx->label + 2, 4) == 0)) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; -+ else -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ break; -+ } -+ return OSSL_PARAM_set_int(p, fips_indicator); -+ } -+#endif /* defined(FIPS_MODULE) */ -+ - return -2; - } - -@@ -306,6 +356,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; --- -2.38.1 - diff --git a/SOURCES/0078-KDF-Add-FIPS-indicators.patch b/SOURCES/0078-KDF-Add-FIPS-indicators.patch new file mode 100644 index 0000000..40e390a --- /dev/null +++ b/SOURCES/0078-KDF-Add-FIPS-indicators.patch @@ -0,0 +1,906 @@ +From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Thu, 11 Aug 2022 09:27:12 +0200 +Subject: KDF: Add FIPS indicators + +FIPS requires a number of restrictions on the parameters of the various +key derivation functions implemented in OpenSSL. The KDFs that use +digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG +C.C). Additionally, some application-specific KDFs have further +restrictions defined in SP 800-135r1. + +Generally, all KDFs shall use a key-derivation key length of at least +112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF +to generate and output length of less than 112 bits will also set the +indicator to unapproved. + +Add explicit indicators to all KDFs usable in FIPS mode except for +PBKDF2 (which has its specific FIPS limits already implemented). The +indicator can be queried using EVP_KDF_CTX_get_params() after setting +the required parameters and keys for the KDF. + +Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the +truncated variants -224 and -384) and SHA3 (-256 and -512, and the +truncated versions -224 and -384), as well as SHAKE-128 and -256. + +The SHAKE functions are generally not allowed in KDFs. For the rest, the +support matrix is: + + KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated +========================================================================== +KBKDF | x | x | x | x | x +HKDF | x | x | x | x | x +TLS1PRF | | SHA-{256,384,512} only | | +SSHKDF | x | x | x | | +SSKDF | x | x | x | x | x +X9.63KDF | | x | x | x | x +X9.42-ASN1 | x | x | x | x | x +TLS1.3PRF | | SHA-{256,384} only | | + +Signed-off-by: Clemens Lang +Resolves: rhbz#2160733 rhbz#2164763 +Related: rhbz#2114772 rhbz#2141695 +--- + include/crypto/evp.h | 7 ++ + include/openssl/core_names.h | 1 + + include/openssl/kdf.h | 4 + + providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++- + providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++-- + providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++- + providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- + providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- + providers/implementations/kdfs/x942kdf.c | 67 ++++++++++++++- + 9 files changed, 488 insertions(+), 22 deletions(-) + +diff --git a/include/crypto/evp.h b/include/crypto/evp.h +index e70d8e9e84..76fb990de4 100644 +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h +@@ -219,6 +219,13 @@ struct evp_mac_st { + OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params; + }; + ++#ifdef FIPS_MODULE ++/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving ++ * Additional Keys from a Cryptographic Key, "[t]he length of the ++ * key-derivation key [i.e., the input key] shall be at least 112 bits". */ ++# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8) ++#endif ++ + struct evp_kdf_st { + OSSL_PROVIDER *prov; + int name_id; +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 6bed5a8a67..680bfbc7cc 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -223,6 +223,7 @@ extern "C" { + #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo" + #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo" + #define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits" ++#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" + + /* Known KDF names */ + #define OSSL_KDF_NAME_HKDF "HKDF" +diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h +index 0983230a48..86171635ea 100644 +--- a/include/openssl/kdf.h ++++ b/include/openssl/kdf.h +@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf, + # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 + # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2 + ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 + #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 + #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 +diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c +index dfa7786bde..f01e40ff5a 100644 +--- a/providers/implementations/kdfs/hkdf.c ++++ b/providers/implementations/kdfs/hkdf.c +@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; + static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params; + static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; + static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params; ++static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new; + static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive; + static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params; + static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; +@@ -85,6 +86,10 @@ typedef struct { + size_t data_len; + unsigned char info[HKDF_MAXBUF]; + size_t info_len; ++ int is_tls13; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_HKDF; + + static void *kdf_hkdf_new(void *provctx) +@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + switch (ctx->mode) { + case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: + default: +@@ -332,15 +342,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + KDF_HKDF *ctx = (KDF_HKDF *)vctx; + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { + size_t sz = kdf_hkdf_size(ctx); + +- if (sz == 0) ++ any_valid = 1; ++ ++ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz)) + return 0; +- return OSSL_PARAM_set_size_t(p, sz); + } +- return -2; ++ ++#ifdef FIPS_MODULE ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) ++ != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (ctx->is_tls13) { ++ if (md != NULL ++ && !EVP_MD_is_a(md, "SHA2-256") ++ && !EVP_MD_is_a(md, "SHA2-384")) { ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic ++ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3 ++ * key derivation function documented in Section 7.1 of RFC ++ * 8446. This is considered an approved CVL because the ++ * underlying functions performed within the TLS 1.3 KDF map to ++ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3 ++ * Option #3), SP 800-56Crev2, and SP 800-108." ++ * ++ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */ ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } else { ++ if (md != NULL ++ && (EVP_MD_is_a(md, "SHAKE-128") || ++ EVP_MD_is_a(md, "SHAKE-256"))) { ++ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1, ++ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because ++ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the ++ * standalone algorithms." */ ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, + return ret; + } + ++static void *kdf_tls1_3_new(void *provctx) ++{ ++ KDF_HKDF *hkdf = kdf_hkdf_new(provctx); ++ ++ if (hkdf != NULL) ++ hkdf->is_tls13 = 1; ++ ++ return hkdf; ++} ++ ++ + static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) + { +@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + switch (ctx->mode) { + default: + return 0; +@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, + } + + const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { +- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, ++ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new }, + { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, + { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, + { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_3_derive }, +diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c +index a542f84dfa..6b6dfb94ac 100644 +--- a/providers/implementations/kdfs/kbkdf.c ++++ b/providers/implementations/kdfs/kbkdf.c +@@ -59,6 +59,9 @@ typedef struct { + kbkdf_mode mode; + EVP_MAC_CTX *ctx_init; + ++ /* HMAC digest algorithm, if any; used to compute FIPS indicator */ ++ PROV_DIGEST digest; ++ + /* Names are lowercased versions of those found in SP800-108. */ + int r; + unsigned char *ki; +@@ -70,6 +73,9 @@ typedef struct { + size_t iv_len; + int use_l; + int use_separator; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KBKDF; + + /* Definitions needed for typechecking. */ +@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx) + void *provctx = ctx->provctx; + + EVP_MAC_CTX_free(ctx->ctx_init); ++ ossl_prov_digest_reset(&ctx->digest); + OPENSSL_clear_free(ctx->context, ctx->context_len); + OPENSSL_clear_free(ctx->label, ctx->label_len); + OPENSSL_clear_free(ctx->ki, ctx->ki_len); +@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init); + if (h == 0) + goto done; +@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + return 0; + } + ++ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) ++ return 0; ++ + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE); + if (p != NULL + && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) { +@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, + static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + + p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE); +- if (p == NULL) ++ if (p != NULL) { ++ any_valid = 1; ++ ++ /* KBKDF can produce results as large as you like. */ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ KBKDF *ctx = (KBKDF *)vctx; ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." Note that the digest is only used when the MAC ++ * algorithm is HMAC. */ ++ if (ctx->ctx_init != NULL ++ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) { ++ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); ++ if (md != NULL ++ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) + return -2; + +- /* KBKDF can produce results as large as you like. */ +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); ++ return 1; + } + + static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) + { +- static const OSSL_PARAM known_gettable_ctx_params[] = +- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END }; ++ static const OSSL_PARAM known_gettable_ctx_params[] = { ++ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ ++ OSSL_PARAM_END ++ }; + return known_gettable_ctx_params; + } + +diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c +index c592ba72f1..4a52b38266 100644 +--- a/providers/implementations/kdfs/sshkdf.c ++++ b/providers/implementations/kdfs/sshkdf.c +@@ -48,6 +48,9 @@ typedef struct { + char type; /* X */ + unsigned char *session_id; + size_t session_id_len; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_SSHKDF; + + static void *kdf_sshkdf_new(void *provctx) +@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen, + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE); + return 0; + } ++ ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + return SSHKDF(md, ctx->key, ctx->key_len, + ctx->xcghash, ctx->xcghash_len, + ctx->session_id, ctx->session_id_len, +@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx, + static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ KDF_SSHKDF *ctx = vctx; ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." ++ * ++ * Additionally, SP 800-135r1 section 5.2 specifies that the hash ++ * function used in SSHKDF "is one of the hash functions specified in ++ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2. ++ * */ ++ if (ctx->digest.md != NULL ++ && !EVP_MD_is_a(ctx->digest.md, "SHA-1") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c +index eb54972e1c..23865cd70f 100644 +--- a/providers/implementations/kdfs/sskdf.c ++++ b/providers/implementations/kdfs/sskdf.c +@@ -62,6 +62,10 @@ typedef struct { + unsigned char *salt; + size_t salt_len; + size_t out_len; /* optional KMAC parameter */ ++ int is_x963kdf; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_SSKDF; + + #define SSKDF_MAX_INLEN (1<<30) +@@ -73,6 +77,7 @@ typedef struct { + static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 }; + + static OSSL_FUNC_kdf_newctx_fn sskdf_new; ++static OSSL_FUNC_kdf_newctx_fn x963kdf_new; + static OSSL_FUNC_kdf_freectx_fn sskdf_free; + static OSSL_FUNC_kdf_reset_fn sskdf_reset; + static OSSL_FUNC_kdf_derive_fn sskdf_derive; +@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx) + return ctx; + } + ++static void *x963kdf_new(void *provctx) ++{ ++ KDF_SSKDF *ctx = sskdf_new(provctx); ++ ++ if (ctx) ++ ctx->is_x963kdf = 1; ++ ++ return ctx; ++} ++ + static void sskdf_reset(void *vctx) + { + KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; +@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, + } + md = ossl_prov_digest_md(&ctx->digest); + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + if (ctx->macctx != NULL) { + /* H(x) = KMAC or H(x) = HMAC */ + int ret; +@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len, + ctx->info, ctx->info_len, 1, key, keylen); + } +@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ ++ ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx))) ++ return 0; ++ } + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx)); +- return -2; ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." */ ++ if (ctx->macctx == NULL ++ || (ctx->macctx != NULL && ++ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) { ++ if (ctx->digest.md != NULL ++ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") || ++ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions ++ * should only be used for 80-bit key agreement, but FIPS 140-3 ++ * requires a security strength of 112 bits, so SHA-1 cannot be ++ * used with X9.63. See the discussion in ++ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395. ++ */ ++ if (ctx->is_x963kdf ++ && ctx->digest.md != NULL ++ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = { + }; + + const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { +- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new }, ++ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new }, + { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, + { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, + { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive }, +diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c +index a4d64b9352..f6782a6ca2 100644 +--- a/providers/implementations/kdfs/tls1_prf.c ++++ b/providers/implementations/kdfs/tls1_prf.c +@@ -93,6 +93,13 @@ typedef struct { + /* Buffer of concatenated seed data */ + unsigned char seed[TLS1_PRF_MAXBUF]; + size_t seedlen; ++ ++ /* MAC digest algorithm; used to compute FIPS indicator */ ++ PROV_DIGEST digest; ++ ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } TLS1_PRF; + + static void *kdf_tls1_prf_new(void *provctx) +@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx) + EVP_MAC_CTX_free(ctx->P_sha1); + OPENSSL_clear_free(ctx->sec, ctx->seclen); + OPENSSL_cleanse(ctx->seed, ctx->seedlen); ++ ossl_prov_digest_reset(&ctx->digest); + memset(ctx, 0, sizeof(*ctx)); + ctx->provctx = provctx; + } +@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ + + return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, + ctx->sec, ctx->seclen, +@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + } + } + ++ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) ++ return 0; ++ + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) { + OPENSSL_clear_free(ctx->sec, ctx->seclen); + ctx->sec = NULL; +@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params( + static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++#ifdef FIPS_MODULE ++ TLS1_PRF *ctx = vctx; ++#endif /* defined(FIPS_MODULE) */ ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ ++ ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3) ++ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */ ++ if (ctx->digest.md != NULL ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( +@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c +index b1bc6f7e1b..8173fc2cc7 100644 +--- a/providers/implementations/kdfs/x942kdf.c ++++ b/providers/implementations/kdfs/x942kdf.c +@@ -13,10 +13,13 @@ + #include + #include + #include ++#include + #include + #include + #include "internal/packet.h" + #include "internal/der.h" ++#include "internal/nelem.h" ++#include "crypto/evp.h" + #include "prov/provider_ctx.h" + #include "prov/providercommon.h" + #include "prov/implementations.h" +@@ -47,6 +50,9 @@ typedef struct { + const unsigned char *cek_oid; + size_t cek_oid_len; + int use_keybits; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_X942; + + /* +@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen, + ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING); + return 0; + } ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ + ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, + der, der_len, ctr, key, keylen); + OPENSSL_free(der); +@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + KDF_X942 *ctx = (KDF_X942 *)vctx; + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)); +- return -2; ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx))) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." */ ++ if (ctx->digest.md != NULL ++ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") || ++ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +-- +2.39.2 + diff --git a/SOURCES/0082-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch b/SOURCES/0082-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch deleted file mode 100644 index 8542af9..0000000 --- a/SOURCES/0082-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch +++ /dev/null @@ -1,74 +0,0 @@ -From 185fbbfea732588187c81d1b2cafb3e1fae9eb77 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 17 Nov 2022 16:38:45 +0100 -Subject: [PATCH 2/2] kbkdf: Add explicit FIPS indicator for key length - -NIST SP 800-131Ar2, section 8 "Deriving Additional Keys from -a Cryptographic Key" says that for KDFs defined in SP 800-108, "[t]he -length of the key-derivation key shall be at least 112 bits". It further -specifies that HMAC-based KDFs "with a key whose length is at least 112 -bits" are acceptable. - -Add an explicit indicator for SP 800-108 KDFs that will mark shorter key -lengths as unapproved. The indicator can be queried from the EVP_KDF_CTX -object using EVP_KDF_CTX_get_params() with the - OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR -parameter. - -Signed-off-by: Clemens Lang ---- - providers/implementations/kdfs/kbkdf.c | 32 +++++++++++++++++++++----- - 1 file changed, 26 insertions(+), 6 deletions(-) - -diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c -index a542f84dfa..93a8a10537 100644 ---- a/providers/implementations/kdfs/kbkdf.c -+++ b/providers/implementations/kdfs/kbkdf.c -@@ -365,18 +365,38 @@ static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - OSSL_PARAM *p; - - p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE); -- if (p == NULL) -- return -2; -+ if (p != NULL) -+ /* KBKDF can produce results as large as you like. */ -+ return OSSL_PARAM_set_size_t(p, SIZE_MAX); -+ -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); -+ if (p != NULL) { -+ KBKDF *ctx = (KBKDF *)vctx; -+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; -+ /* According to NIST Special Publication 800-131Ar2, Section 8: -+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of -+ * the key-derivation key [i.e., the input key] shall be at least 112 -+ * bits". */ -+ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ return OSSL_PARAM_set_int(p, fips_indicator); -+ } -+#endif - -- /* KBKDF can produce results as large as you like. */ -- return OSSL_PARAM_set_size_t(p, SIZE_MAX); -+ return -2; - } - - static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx, - ossl_unused void *provctx) - { -- static const OSSL_PARAM known_gettable_ctx_params[] = -- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END }; -+ static const OSSL_PARAM known_gettable_ctx_params[] = { -+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ -+ OSSL_PARAM_END -+ }; - return known_gettable_ctx_params; - } - --- -2.38.1 - diff --git a/SOURCES/0088-signature-Add-indicator-for-PSS-salt-length.patch b/SOURCES/0088-signature-Add-indicator-for-PSS-salt-length.patch index 97a0679..20024d3 100644 --- a/SOURCES/0088-signature-Add-indicator-for-PSS-salt-length.patch +++ b/SOURCES/0088-signature-Add-indicator-for-PSS-salt-length.patch @@ -35,6 +35,9 @@ EVP_PKEY_CTX_get_params() with the OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR parameter. +We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch. +Dmitry Belyavskiy + Signed-off-by: Clemens Lang --- include/openssl/core_names.h | 1 + @@ -73,7 +76,7 @@ diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implement index 49e7f9158a..0c45008a00 100644 --- a/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c -@@ -1127,6 +1127,21 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) +@@ -1127,6 +1127,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) } } @@ -87,6 +90,9 @@ index 49e7f9158a..0c45008a00 100644 + } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) { + fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + } ++ } else if (prsactx->pad_mode == RSA_NO_PADDING) { ++ if (prsactx->md == NULL) /* Should always be the case */ ++ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + } + return OSSL_PARAM_set_int(p, fips_indicator); + } diff --git a/SOURCES/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch b/SOURCES/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch new file mode 100644 index 0000000..65bae6f --- /dev/null +++ b/SOURCES/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch @@ -0,0 +1,344 @@ +From 8a2d1b22ede5eeca4d104bb027b84f3ecfc69549 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Thu, 11 May 2023 12:51:59 +0200 +Subject: [PATCH] DH: Disable FIPS 186-4 type parameters in FIPS mode + +For DH parameter and key pair generation/verification, the DSA +procedures specified in FIPS 186-4 are used. With the release of FIPS +186-5 and the removal of DSA, the approved status of these groups is in +peril. Once the transition for DSA ends (this transition will be 1 year +long and start once CMVP has published the guidance), no more +submissions claiming DSA will be allowed. Hence, FIPS 186-type +parameters will also be automatically non-approved. + +In the FIPS provider, disable validation of any DH parameters that are +not well-known groups, and remove DH parameter generation completely. + +Adjust tests to use well-known groups or larger DH groups where this +change would now cause failures, and skip tests that are expected to +fail due to this change. + +Related: rhbz#2169757, rhbz#2169757 +Signed-off-by: Clemens Lang +--- + crypto/dh/dh_backend.c | 10 ++++ + crypto/dh/dh_check.c | 12 ++-- + crypto/dh/dh_gen.c | 12 +++- + crypto/dh/dh_key.c | 13 ++-- + crypto/dh/dh_pmeth.c | 10 +++- + providers/implementations/keymgmt/dh_kmgmt.c | 5 ++ + test/endecode_test.c | 4 +- + test/evp_libctx_test.c | 2 +- + test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++ + test/helpers/predefined_dhparams.h | 1 + + test/recipes/80-test_cms.t | 4 +- + test/recipes/80-test_ssl_old.t | 3 + + 12 files changed, 118 insertions(+), 20 deletions(-) + +diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c +index 726843fd30..24c65ca84f 100644 +--- a/crypto/dh/dh_backend.c ++++ b/crypto/dh/dh_backend.c +@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[]) + if (!dh_ffc_params_fromdata(dh, params)) + return 0; + ++#ifdef FIPS_MODULE ++ if (!ossl_dh_is_named_safe_prime_group(dh)) { ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required validation routines" ++ " were removed from FIPS 186-5"); ++ return 0; ++ } ++#endif ++ + param_priv_len = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN); + if (param_priv_len != NULL +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index 0b391910d6..75581ca347 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret) + nid = DH_get_nid((DH *)dh); + if (nid != NID_undef) + return 1; ++ + /* +- * OR +- * (2b) FFC domain params conform to FIPS-186-4 explicit domain param +- * validity tests. ++ * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode. + */ +- return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params, +- FFC_PARAM_TYPE_DH, ret, NULL); ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required validation routines were" ++ " removed from FIPS 186-5"); ++ return 0; + } + #else + int DH_check_params(const DH *dh, int *ret) +diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c +index aec6b85316..9c55121067 100644 +--- a/crypto/dh/dh_gen.c ++++ b/crypto/dh/dh_gen.c +@@ -38,18 +38,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, + int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, + BN_GENCB *cb) + { +- int ret, res; ++ int ret = 0; + + #ifndef FIPS_MODULE ++ int res; ++ + if (type == DH_PARAMGEN_TYPE_FIPS_186_2) + ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, + pbits, qbits, &res, cb); + else +-#endif + ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, + pbits, qbits, &res, cb); ++#else ++ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */ ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required generation routines were" ++ " removed from FIPS 186-5"); ++#endif + if (ret > 0) + dh->dirty_cnt++; + return ret; +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index 4e9705beef..14c0b0b6b3 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -308,8 +308,12 @@ static int generate_key(DH *dh) + goto err; + } else { + #ifdef FIPS_MODULE +- if (dh->params.q == NULL) +- goto err; ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer" ++ " allowed in FIPS mode, since the required" ++ " generation routines were removed from FIPS" ++ " 186-5"); ++ goto err; + #else + if (dh->params.q == NULL) { + /* secret exponent length, must satisfy 2^(l-1) <= p */ +@@ -330,9 +334,7 @@ static int generate_key(DH *dh) + if (!BN_clear_bit(priv_key, 0)) + goto err; + } +- } else +-#endif +- { ++ } else { + /* Do a partial check for invalid p, q, g */ + if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, NULL)) +@@ -348,6 +350,7 @@ static int generate_key(DH *dh) + priv_key)) + goto err; + } ++#endif + } + } + +diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c +index f201eede0d..30f90d15be 100644 +--- a/crypto/dh/dh_pmeth.c ++++ b/crypto/dh/dh_pmeth.c +@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx, + prime_len, subprime_len, &res, + pcb); + else +-# endif +- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */ +- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2) + rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params, + FFC_PARAM_TYPE_DH, + prime_len, subprime_len, &res, + pcb); ++# else ++ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */ ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required generation routines were" ++ " removed from FIPS 186-5"); ++# endif + if (rv <= 0) { + DH_free(ret); + return NULL; +diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c +index 9a7dde7c66..b3e7bca5ac 100644 +--- a/providers/implementations/keymgmt/dh_kmgmt.c ++++ b/providers/implementations/keymgmt/dh_kmgmt.c +@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype) + if ((selection & DH_POSSIBLE_SELECTIONS) == 0) + return 1; /* nothing to validate */ + ++#ifdef FIPS_MODULE ++ /* In FIPS provider, always check the domain parameters to disallow ++ * operations on keys with FIPS 186-4 params. */ ++ selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS; ++#endif + if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { + /* + * Both of these functions check parameters. DH_check_params_ex() +diff --git a/test/endecode_test.c b/test/endecode_test.c +index e3f7b81f69..1b63daaed5 100644 +--- a/test/endecode_test.c ++++ b/test/endecode_test.c +@@ -80,10 +80,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams) + * for testing only. Use a minimum key size of 2048 for security purposes. + */ + if (strcmp(type, "DH") == 0) +- return get_dh512(keyctx); ++ return get_dh2048(keyctx); + + if (strcmp(type, "X9.42 DH") == 0) +- return get_dhx512(keyctx); ++ return get_dhx_ffdhe2048(keyctx); + # endif + + /* +diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c +index 2448c35a14..92d484fb12 100644 +--- a/test/evp_libctx_test.c ++++ b/test/evp_libctx_test.c +@@ -188,7 +188,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn) + + if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL)) + || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0) +- || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected)) ++ || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected)) + goto err; + + if (expected) { +diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c +index 4bdadc4143..e5186e4b4a 100644 +--- a/test/helpers/predefined_dhparams.c ++++ b/test/helpers/predefined_dhparams.c +@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx) + dhx512_q, sizeof(dhx512_q)); + } + ++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx) ++{ ++ /* This is RFC 7919 ffdhe2048, since Red Hat removes support for ++ * non-well-known groups in FIPS mode. */ ++ static unsigned char dhx_p[] = { ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58, ++ 0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1, ++ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41, ++ 0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9, ++ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02, ++ 0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61, ++ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55, ++ 0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35, ++ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda, ++ 0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35, ++ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82, ++ 0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb, ++ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3, ++ 0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19, ++ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1, ++ 0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61, ++ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32, ++ 0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73, ++ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83, ++ 0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa, ++ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff ++ }; ++ static unsigned char dhx_g[] = { ++ 0x02 ++ }; ++ static unsigned char dhx_q[] = { ++ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c, ++ 0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78, ++ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20, ++ 0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c, ++ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01, ++ 0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0, ++ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa, ++ 0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a, ++ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed, ++ 0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a, ++ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1, ++ 0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd, ++ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51, ++ 0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c, ++ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70, ++ 0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0, ++ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19, ++ 0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9, ++ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1, ++ 0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd, ++ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff ++ }; ++ ++ return get_dh_from_pg(libctx, "X9.42 DH", ++ dhx_p, sizeof(dhx_p), ++ dhx_g, sizeof(dhx_g), ++ dhx_q, sizeof(dhx_q)); ++} ++ + EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx) + { + static unsigned char dh1024_p[] = { +diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h +index f0e8709062..2ff6d6e721 100644 +--- a/test/helpers/predefined_dhparams.h ++++ b/test/helpers/predefined_dhparams.h +@@ -12,6 +12,7 @@ + #ifndef OPENSSL_NO_DH + EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx); ++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct); + EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx); +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index cabbe3ecdf..efe56c5665 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -627,10 +627,10 @@ my @smime_cms_param_tests = ( + ], + + [ "enveloped content test streaming S/MIME format, X9.42 DH", +- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, ++ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, + "-stream", "-out", "{output}.cms", + "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], +- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), ++ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), + "-in", "{output}.cms", "-out", "{output}.txt" ], + \&final_compare + ] +diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t +index 8c52b637fc..31ed54621b 100644 +--- a/test/recipes/80-test_ssl_old.t ++++ b/test/recipes/80-test_ssl_old.t +@@ -390,6 +390,9 @@ sub testssl { + skip "skipping dhe1024dsa test", 1 + if ($no_dh); + ++ skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1 ++ if $provider eq "fips"; ++ + ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), + 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); + } +-- +2.40.1 + diff --git a/SOURCES/0109-fips-Zeroize-out-in-fips-selftest.patch b/SOURCES/0109-fips-Zeroize-out-in-fips-selftest.patch new file mode 100644 index 0000000..3cd48df --- /dev/null +++ b/SOURCES/0109-fips-Zeroize-out-in-fips-selftest.patch @@ -0,0 +1,26 @@ +From 9dbc6069665690bd238caa7622647ea8ac94124f Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 13 Feb 2023 11:01:44 +0100 +Subject: fips: Zeroize `out` in fips selftest + +Signed-off-by: Clemens Lang +Resolves: rhbz#2169314 +--- + providers/fips/self_test.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c +index 80d048a847..11a989209c 100644 +--- a/providers/fips/self_test.c ++++ b/providers/fips/self_test.c +@@ -221,6 +221,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + goto err; + ret = 1; + err: ++ OPENSSL_cleanse(out, sizeof(out)); + OSSL_SELF_TEST_onend(ev, ret); + EVP_MAC_CTX_free(ctx); + EVP_MAC_free(mac); +-- +2.39.1 + diff --git a/SOURCES/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch b/SOURCES/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch new file mode 100644 index 0000000..5cb8ce4 --- /dev/null +++ b/SOURCES/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch @@ -0,0 +1,101 @@ +From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 17 Feb 2023 15:31:08 +0100 +Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen + +Implementation Guidance for FIPS 140-3 and the Cryptographic Module +Verification Program, Section C.H requires guarantees about the +uniqueness of key/iv pairs, and proposes a few approaches to ensure +this. Provide an indicator for option 2 "The IV may be generated +internally at its entirety randomly." + +Resolves: rhbz#2168289 +Signed-off-by: Clemens Lang +--- + include/openssl/core_names.h | 1 + + include/openssl/evp.h | 4 +++ + .../implementations/ciphers/ciphercommon.c | 4 +++ + .../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++ + 4 files changed, 34 insertions(+) + +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 680bfbc7cc..832502a034 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -97,6 +97,7 @@ extern "C" { + #define OSSL_CIPHER_PARAM_CTS_MODE "cts_mode" /* utf8_string */ + /* For passing the AlgorithmIdentifier parameter in DER form */ + #define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS "alg_id_param" /* octet_string */ ++#define OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */ + + #define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \ + "tls1multi_maxsndfrag" /* uint */ +diff --git a/include/openssl/evp.h b/include/openssl/evp.h +index 49e8e1df78..ec2ba46fbd 100644 +--- a/include/openssl/evp.h ++++ b/include/openssl/evp.h +@@ -746,6 +746,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags); + void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags); + int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags); + ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, + const unsigned char *key, const unsigned char *iv); + /*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, +diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c +index fa383165d8..716add7339 100644 +--- a/providers/implementations/ciphers/ciphercommon.c ++++ b/providers/implementations/ciphers/ciphercommon.c +@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = { + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), + OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0), ++ /* normally we would hide this under an #ifdef FIPS_MODULE, but that does ++ * not work in ciphercommon.c because it is compiled only once into ++ * libcommon.a */ ++ OSSL_PARAM_int(OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), + OSSL_PARAM_END + }; + const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params( +diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c +index ed95c97ff4..db7910eb0e 100644 +--- a/providers/implementations/ciphers/ciphercommon_gcm.c ++++ b/providers/implementations/ciphers/ciphercommon_gcm.c +@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) + || !getivgen(ctx, p->data, p->data_size)) + return 0; + } ++ ++ /* We would usually hide this under #ifdef FIPS_MODULE, but ++ * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do ++ * not work here. */ ++ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section C.H requires guarantees about the ++ * uniqueness of key/iv pairs, and proposes a few approaches to ensure ++ * this. This provides an indicator for option 2 "The IV may be ++ * generated internally at its entirety randomly." Note that one of the ++ * conditions of this option is that "The IV length shall be at least ++ * 96 bits (per SP 800-38D)." We do not specically check for this ++ * condition here, because gcm_iv_generate will fail in this case. */ ++ if (ctx->enc && !ctx->iv_gen_rand) ++ fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); ++ return 0; ++ } ++ } ++ + return 1; + } + +-- +2.39.1 + diff --git a/SOURCES/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch b/SOURCES/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch new file mode 100644 index 0000000..3868089 --- /dev/null +++ b/SOURCES/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch @@ -0,0 +1,82 @@ +From 56090fca0a0c8b6cf1782aced0a02349358aae7d Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 3 Mar 2023 12:22:03 +0100 +Subject: [PATCH 1/2] fips: Use salt >= 16 bytes in PBKDF2 selftest + +NIST SP 800-132 [1] section 5.1 says "[t]he length of the +randomly-generated portion of the salt shall be at least +128 bits", which implies that the salt for PBKDF2 must be at least 16 +bytes long (see also Appendix A.2.1). + +The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the +properties of the Password and Salt parameters, as well as the desired +length of the Master Key used in a CAST shall be among those supported +by the module in the approved mode." + +As a consequence, the salt length in the self test must be at least 16 +bytes long for FIPS 140-3 compliance. Switch the self test to use the +only test vector from RFC 6070 that uses salt that is long enough to +fulfil this requirement. Since RFC 6070 does not provide expected +results for PBKDF2 with HMAC-SHA256, use the output from [3], which was +generated with python cryptography, which was tested against the RFC +6070 vectors with HMAC-SHA1. + + [1]: https://doi.org/10.6028/NIST.SP.800-132 + [2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf + [3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md + +Signed-off-by: Clemens Lang + +Reviewed-by: Paul Dale +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/20429) + +(cherry picked from commit 451cb23c41c90d5a02902b3a77551aa9ee1c6956) +--- + providers/fips/self_test_data.inc | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index 8ae8cd6f4a..03adf28f3c 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -361,19 +361,29 @@ static const ST_KAT_PARAM x963kdf_params[] = { + }; + + static const char pbkdf2_digest[] = "SHA256"; ++/* ++ * Input parameters from RFC 6070, vector 5 (because it is the only one with ++ * a salt >= 16 bytes, which NIST SP 800-132 section 5.1 requires). The ++ * expected output is taken from ++ * https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md, ++ * which ran these test vectors with SHA-256. ++ */ + static const unsigned char pbkdf2_password[] = { +- 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72, +- 0x64 ++ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x50, 0x41, 0x53, 0x53, ++ 0x57, 0x4f, 0x52, 0x44, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64 + }; + static const unsigned char pbkdf2_salt[] = { +- 0x73, 0x61, 0x00, 0x6c, 0x74 ++ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, ++ 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, ++ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74 + }; + static const unsigned char pbkdf2_expected[] = { +- 0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89, +- 0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87, ++ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8, ++ 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18, ++ 0x1c + }; + static int pbkdf2_iterations = 4096; +-static int pbkdf2_pkcs5 = 1; ++static int pbkdf2_pkcs5 = 0; + static const ST_KAT_PARAM pbkdf2_params[] = { + ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, pbkdf2_digest), + ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_PASSWORD, pbkdf2_password), +-- +2.39.2 + diff --git a/SOURCES/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch b/SOURCES/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch new file mode 100644 index 0000000..2e869e2 --- /dev/null +++ b/SOURCES/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch @@ -0,0 +1,80 @@ +From fa96a2f493276e7a57512e8c3d535052586f1525 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 6 Mar 2023 12:32:04 +0100 +Subject: [PATCH 2/2] pbdkf2: Set indicator if pkcs5 param disabled checks + +The pbkdf2 implementation in the FIPS provider supports the checks +required by NIST, but allows disabling these checks by setting the +OSSL_KDF_PARAM_PKCS5 parameter to 1. The implementation must indicate +that the use of this configuration is not approved in FIPS mode. Add an +explicit indicator to provide this indication. + +Resolves: rhbz#2175145 +Signed-off-by: Clemens Lang +--- + providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++-- + 1 file changed, 37 insertions(+), 3 deletions(-) + +diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c +index aa0adce5e6..6df8c6d321 100644 +--- a/providers/implementations/kdfs/pbkdf2.c ++++ b/providers/implementations/kdfs/pbkdf2.c +@@ -251,11 +251,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx, + + static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { ++#ifdef FIPS_MODULE ++ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ ++ ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) ++ != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ /* The lower_bound_checks parameter enables checks required by FIPS. If ++ * those checks are disabled, the PBKDF2 implementation will also ++ * support non-approved parameters (e.g., salt lengths < 16 bytes, see ++ * NIST SP 800-132 section 5.1). */ ++ if (!ctx->lower_bound_checks) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ ++ any_valid = 1; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, +@@ -263,6 +294,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +-- +2.39.2 + diff --git a/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch new file mode 100644 index 0000000..4c648d8 --- /dev/null +++ b/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch @@ -0,0 +1,150 @@ +From ee6e381e4140efd5365ddf27a12055859103cf59 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 17 Mar 2023 15:39:15 +0100 +Subject: [PATCH] asymciphers, kem: Add explicit FIPS indicator + +NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key +confirmation (section 6.4.2.3.2), or assurance from a trusted third +party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key +agreement schemes, but explicit key confirmation is not implemented and +cannot be implemented without protocol changes, and the FIPS provider +does not implement trusted third party validation, since it relies on +its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE +as unapproved until we have received clarification from NIST on how +library modules such as OpenSSL should implement TTP validation. + +This does not affect RSA-OAEP decryption, because it is approved as +a component according to the FIPS 140-3 IG, section 2.4.G. + +Resolves: rhbz#2179331 +Signed-off-by: Clemens Lang +--- + include/openssl/core_names.h | 2 ++ + include/openssl/evp.h | 4 +++ + .../implementations/asymciphers/rsa_enc.c | 24 +++++++++++++++ + providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++- + 4 files changed, 59 insertions(+), 1 deletion(-) + +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 832502a034..e15d208421 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -477,6 +477,7 @@ extern "C" { + #ifdef FIPS_MODULE + #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" + #endif ++#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" + + /* + * Encoder / decoder parameters +@@ -503,6 +504,7 @@ extern "C" { + + /* KEM parameters */ + #define OSSL_KEM_PARAM_OPERATION "operation" ++#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */ + + /* OSSL_KEM_PARAM_OPERATION values */ + #define OSSL_KEM_PARAM_OPERATION_RSASVE "RSASVE" +diff --git a/include/openssl/evp.h b/include/openssl/evp.h +index ec2ba46fbd..3803b03422 100644 +--- a/include/openssl/evp.h ++++ b/include/openssl/evp.h +@@ -1757,6 +1757,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void); + OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx); + # endif + ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, + const char *properties); + int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt); +diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c +index 568452ec56..2e7ea632d7 100644 +--- a/providers/implementations/asymciphers/rsa_enc.c ++++ b/providers/implementations/asymciphers/rsa_enc.c +@@ -399,6 +399,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) + return 0; + ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key ++ * confirmation (section 6.4.2.3.2), or assurance from a trusted third ++ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but ++ * explicit key confirmation is not implemented here and cannot be ++ * implemented without protocol changes, and the FIPS provider does not ++ * implement trusted third party validation, since it relies on its ++ * callers to do that. We must thus mark RSA-OAEP as unapproved until ++ * we have received clarification from NIST on how library modules such ++ * as OpenSSL should implement TTP validation. */ ++ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ + return 1; + } + +@@ -465,6 +493,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), + #ifdef FIPS_MODULE + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), ++ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), + #endif /* FIPS_MODULE */ + OSSL_PARAM_END + }; +diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c +index 882cf16125..b4cc0f9237 100644 +--- a/providers/implementations/kem/rsa_kem.c ++++ b/providers/implementations/kem/rsa_kem.c +@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, + static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + { + PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx; ++#ifdef FIPS_MODULE ++ OSSL_PARAM *p; ++#endif /* defined(FIPS_MODULE) */ ++ ++ if (ctx == NULL) ++ return 0; ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key ++ * confirmation (section 6.4.2.3.2), or assurance from a trusted third ++ * party (section 6.4.2.3.1) for key agreement or key transport, but ++ * explicit key confirmation is not implemented here and cannot be ++ * implemented without protocol changes, and the FIPS provider does not ++ * implement trusted third party validation, since it relies on its ++ * callers to do that. We must thus mark RSASVE unapproved until we ++ * have received clarification from NIST on how library modules such as ++ * OpenSSL should implement TTP validation. */ ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ + +- return ctx != NULL; ++ return 1; + } + + static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = { ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + +-- +2.39.2 + diff --git a/SOURCES/0114-FIPS-enforce-EMS-support.patch b/SOURCES/0114-FIPS-enforce-EMS-support.patch new file mode 100644 index 0000000..d10901f --- /dev/null +++ b/SOURCES/0114-FIPS-enforce-EMS-support.patch @@ -0,0 +1,539 @@ +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index e90e5dc03339..f391e756475c 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -1006,6 +1006,7 @@ PROV_R_BN_ERROR:160:bn error + PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed + PROV_R_DERIVATION_FUNCTION_INIT_FAILED:205:derivation function init failed + PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed ++PROV_R_EMS_NOT_ENABLED:233:ems not enabled + PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK:186:entropy source strength too weak + PROV_R_ERROR_INSTANTIATING_DRBG:188:error instantiating drbg + PROV_R_ERROR_RETRIEVING_ENTROPY:189:error retrieving entropy +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 173a81d28bbe..5e5be567a578 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -21,11 +21,12 @@ extern "C" { + #define OSSL_PROV_PARAM_CORE_MODULE_FILENAME "module-filename" /* utf8_ptr */ + + /* Well known parameter names that Providers can define */ +-#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */ +-#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */ +-#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */ +-#define OSSL_PROV_PARAM_STATUS "status" /* uint */ +-#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */ ++#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */ ++#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */ ++#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */ ++#define OSSL_PROV_PARAM_STATUS "status" /* uint */ ++#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */ ++#define OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" /* uint */ + + /* Self test callback parameters */ + #define OSSL_PROV_PARAM_SELF_TEST_PHASE "st-phase" /* utf8_string */ +diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h +index 0fdf5440c7cb..3f29369b3f92 100644 +--- a/include/openssl/fips_names.h ++++ b/include/openssl/fips_names.h +@@ -53,6 +53,14 @@ extern "C" { + */ + # define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS "security-checks" + ++/* ++ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed. ++ * This is disabled by default. ++ * ++ * Type: OSSL_PARAM_UTF8_STRING ++ */ ++# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" ++ + # ifdef __cplusplus + } + # endif +diff --git a/include/openssl/proverr.h b/include/openssl/proverr.h +index 3685430f5d3e..bf4dc135f592 100644 +--- a/include/openssl/proverr.h ++++ b/include/openssl/proverr.h +@@ -32,6 +32,7 @@ + # define PROV_R_CIPHER_OPERATION_FAILED 102 + # define PROV_R_DERIVATION_FUNCTION_INIT_FAILED 205 + # define PROV_R_DIGEST_NOT_ALLOWED 174 ++# define PROV_R_EMS_NOT_ENABLED 233 + # define PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK 186 + # define PROV_R_ERROR_INSTANTIATING_DRBG 188 + # define PROV_R_ERROR_RETRIEVING_ENTROPY 189 +diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h +index 4a7f85f71186..62e60cc0103f 100644 +--- a/providers/common/include/prov/securitycheck.h ++++ b/providers/common/include/prov/securitycheck.h +@@ -28,3 +28,4 @@ int ossl_digest_get_approved_nid(const EVP_MD *md); + int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed); + int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx); ++int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx); +diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c +index f6144072aa04..954aabe80cfc 100644 +--- a/providers/common/provider_err.c ++++ b/providers/common/provider_err.c +@@ -33,6 +33,7 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { + "derivation function init failed"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_DIGEST_NOT_ALLOWED), + "digest not allowed"}, ++ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_EMS_NOT_ENABLED), "ems not enabled"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK), + "entropy source strength too weak"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ERROR_INSTANTIATING_DRBG), +diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c +index de7f0d3a0a57..63c875ecd0b7 100644 +--- a/providers/common/securitycheck_default.c ++++ b/providers/common/securitycheck_default.c +@@ -22,6 +22,12 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) + return 0; + } + ++/* Disable the ems check in the default provider */ ++int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) ++{ ++ return 0; ++} ++ + int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed) + { +diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c +index b7659bd395c3..2bc8a5992685 100644 +--- a/providers/common/securitycheck_fips.c ++++ b/providers/common/securitycheck_fips.c +@@ -20,6 +20,7 @@ + #include "prov/securitycheck.h" + + int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); ++int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx); + + int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) + { +@@ -30,6 +31,11 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) + #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ + } + ++int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) ++{ ++ return FIPS_tls_prf_ems_check(libctx); ++} ++ + int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed) + { +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index b86b27d236f3..b881f46f36ad 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -47,6 +47,7 @@ static OSSL_FUNC_provider_query_operation_fn fips_query; + #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) + extern OSSL_FUNC_core_thread_start_fn *c_thread_start; + int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); ++int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx); + + /* + * Should these function pointers be stored in the provider side provctx? Could +@@ -82,7 +83,9 @@ typedef struct fips_global_st { + const OSSL_CORE_HANDLE *handle; + SELF_TEST_POST_PARAMS selftest_params; + int fips_security_checks; ++ int fips_tls1_prf_ems_check; + const char *fips_security_check_option; ++ const char *fips_tls1_prf_ems_check_option; + } FIPS_GLOBAL; + + static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) +@@ -94,6 +97,9 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) + fgbl->fips_security_checks = 1; + fgbl->fips_security_check_option = "1"; + ++ fgbl->fips_tls1_prf_ems_check = 1; /* Enabled by default */ ++ fgbl->fips_tls1_prf_ems_check_option = "1"; ++ + return fgbl; + } + +@@ -109,6 +115,7 @@ static const OSSL_PARAM fips_param_types[] = { + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0), ++ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, OSSL_PARAM_INTEGER, NULL, 0), + OSSL_PARAM_END + }; + +@@ -119,9 +126,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) + * NOTE: inside core_get_params() these will be loaded from config items + * stored inside prov->parameters (except for + * OSSL_PROV_PARAM_CORE_MODULE_FILENAME). +- * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter. ++ * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and ++ * OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters. + */ +- OSSL_PARAM core_params[8], *p = core_params; ++ OSSL_PARAM core_params[9], *p = core_params; + + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_PARAM_CORE_MODULE_FILENAME, +@@ -151,6 +159,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) + OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, + (char **)&fgbl->fips_security_check_option, + sizeof(fgbl->fips_security_check_option)); ++ *p++ = OSSL_PARAM_construct_utf8_ptr( ++ OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, ++ (char **)&fgbl->fips_tls1_prf_ems_check_option, ++ sizeof(fgbl->fips_tls1_prf_ems_check_option)); + *p = OSSL_PARAM_construct_end(); + + if (!c_get_params(fgbl->handle, core_params)) { +@@ -187,6 +199,9 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS); + if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_security_checks)) + return 0; ++ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK); ++ if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_tls1_prf_ems_check)) ++ return 0; + return 1; + } + +@@ -703,6 +718,11 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, + && strcmp(fgbl->fips_security_check_option, "0") == 0) + fgbl->fips_security_checks = 0; + ++ /* Disable the ems check if it's disabled in the fips config file. */ ++ if (fgbl->fips_tls1_prf_ems_check_option != NULL ++ && strcmp(fgbl->fips_tls1_prf_ems_check_option, "0") == 0) ++ fgbl->fips_tls1_prf_ems_check = 0; ++ + ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers); + + if (!SELF_TEST_post(&fgbl->selftest_params, 0)) { +@@ -898,6 +918,15 @@ int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx) + return fgbl->fips_security_checks; + } + ++int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx) ++{ ++ FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, ++ OSSL_LIB_CTX_FIPS_PROV_INDEX, ++ &fips_prov_ossl_ctx_method); ++ ++ return fgbl->fips_tls1_prf_ems_check; ++} ++ + void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb, + void **cbarg) + { +diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c +index 8a3807308408..2c2dbf31cc0b 100644 +--- a/providers/implementations/kdfs/tls1_prf.c ++++ b/providers/implementations/kdfs/tls1_prf.c +@@ -45,6 +45,13 @@ + * A(0) = seed + * A(i) = HMAC_(secret, A(i-1)) + */ ++ ++/* ++ * Low level APIs (such as DH) are deprecated for public use, but still ok for ++ * internal use. ++ */ ++#include "internal/deprecated.h" ++ + #include + #include + #include +@@ -60,6 +67,7 @@ + #include "prov/providercommon.h" + #include "prov/implementations.h" + #include "prov/provider_util.h" ++#include "prov/securitycheck.h" + #include "e_os.h" + + static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new; +@@ -78,6 +86,8 @@ static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, + unsigned char *out, size_t olen); + + #define TLS1_PRF_MAXBUF 1024 ++#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" ++#define TLS_MD_MASTER_SECRET_CONST_SIZE 13 + + /* TLS KDF kdf context structure */ + typedef struct { +@@ -160,6 +170,7 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) + { + TLS1_PRF *ctx = (TLS1_PRF *)vctx; ++ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); + + if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params)) + return 0; +@@ -181,6 +192,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + #endif /* defined(FIPS_MODULE) */ + ++ /* ++ * The seed buffer is prepended with a label. ++ * If EMS mode is enforced then the label "master secret" is not allowed, ++ * We do the check this way since the PRF is used for other purposes, as well ++ * as "extended master secret". ++ */ ++#ifdef FIPS_MODULE ++ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, ++ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ if (ossl_tls1_prf_ems_check_enabled(libctx)) { ++ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, ++ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED); ++ return 0; ++ } ++ } ++ + return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, + ctx->sec, ctx->seclen, + ctx->seed, ctx->seedlen, +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 3a8242d2d8c8..b0fbb504689e 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -99,6 +99,7 @@ static char *tmpfilename = NULL; + static char *dhfile = NULL; + + static int is_fips = 0; ++static int fips_ems_check = 0; + + #define LOG_BUFFER_SIZE 2048 + static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; +@@ -796,7 +797,7 @@ static int test_no_ems(void) + { + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; +- int testresult = 0; ++ int testresult = 0, status; + + if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), + TLS1_VERSION, TLS1_2_VERSION, +@@ -812,19 +813,25 @@ static int test_no_ems(void) + goto end; + } + +- if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) { +- printf("Creating SSL connection failed\n"); +- goto end; +- } +- +- if (SSL_get_extms_support(serverssl)) { +- printf("Server reports Extended Master Secret support\n"); +- goto end; +- } +- +- if (SSL_get_extms_support(clientssl)) { +- printf("Client reports Extended Master Secret support\n"); +- goto end; ++ status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); ++ if (fips_ems_check) { ++ if (status == 1) { ++ printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n"); ++ goto end; ++ } ++ } else { ++ if (!status) { ++ printf("Creating SSL connection failed\n"); ++ goto end; ++ } ++ if (SSL_get_extms_support(serverssl)) { ++ printf("Server reports Extended Master Secret support\n"); ++ goto end; ++ } ++ if (SSL_get_extms_support(clientssl)) { ++ printf("Client reports Extended Master Secret support\n"); ++ goto end; ++ } + } + testresult = 1; + +@@ -10740,9 +10747,24 @@ int setup_tests(void) + && !TEST_false(OSSL_PROVIDER_available(libctx, "default"))) + return 0; + +- if (strcmp(modulename, "fips") == 0) ++ if (strcmp(modulename, "fips") == 0) { ++ OSSL_PROVIDER *prov = NULL; ++ OSSL_PARAM params[2]; ++ + is_fips = 1; + ++ prov = OSSL_PROVIDER_load(libctx, "fips"); ++ if (prov != NULL) { ++ /* Query the fips provider to check if the check ems option is enabled */ ++ params[0] = ++ OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, ++ &fips_ems_check); ++ params[1] = OSSL_PARAM_construct_end(); ++ OSSL_PROVIDER_get_params(prov, params); ++ OSSL_PROVIDER_unload(prov); ++ } ++ } ++ + /* + * We add, but don't load the test "tls-provider". We'll load it when we + * need it. +@@ -10816,6 +10838,12 @@ int setup_tests(void) + if (privkey8192 == NULL) + goto err; + ++ if (fips_ems_check) { ++#ifndef OPENSSL_NO_TLS1_2 ++ ADD_TEST(test_no_ems); ++#endif ++ return 1; ++ } + #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) + # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) + ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4); +diff -up openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +--- openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx 2023-04-17 13:04:21.078501747 +0200 ++++ openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt 2023-04-17 13:11:03.189059638 +0200 +@@ -13,6 +13,7 @@ + + Title = TLS12 PRF tests (from NIST test vectors) + ++Availablein = default + KDF = TLS1-PRF + Ctrl.digest = digest:SHA256 + Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc +@@ -21,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3 + Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce + Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf + ++Availablein = fips ++KDF = TLS1-PRF ++Ctrl.digest = digest:SHA256 ++Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc ++Ctrl.label = seed:master secret ++Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c ++Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce ++Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf ++Result = KDF_DERIVE_ERROR ++ + KDF = TLS1-PRF + Ctrl.digest = digest:SHA256 + Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf +diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c +--- openssl-3.0.7/ssl/t1_enc.c.noems 2023-05-05 11:15:57.934415272 +0200 ++++ openssl-3.0.7/ssl/t1_enc.c 2023-05-05 11:39:03.578163778 +0200 +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + /* seed1 through seed5 are concatenated */ + static int tls1_PRF(SSL *s, +@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s, + } + + err: +- if (fatal) +- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ if (fatal) { ++ /* The calls to this function are local so it's safe to implement the check */ ++ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); ++ else ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ } + else + ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); + EVP_KDF_CTX_free(kctx); +diff -up openssl-3.0.7/ssl/statem/extensions_srvr.c.noems openssl-3.0.7/ssl/statem/extensions_srvr.c +--- openssl-3.0.7/ssl/statem/extensions_srvr.c.noems 2023-05-05 17:14:04.663800271 +0200 ++++ openssl-3.0.7/ssl/statem/extensions_srvr.c 2023-05-05 17:20:33.764599507 +0200 +@@ -11,6 +11,7 @@ + #include "../ssl_local.h" + #include "statem_local.h" + #include "internal/cryptlib.h" ++#include + + #define COOKIE_STATE_FORMAT_VERSION 1 + +@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s + EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) + { +- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) ++ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) { ++ if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) { ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); ++ return EXT_RETURN_FAIL; ++ } + return EXT_RETURN_NOT_SENT; ++ } + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) + || !WPACKET_put_bytes_u16(pkt, 0)) { +diff -up openssl-3.0.7/include/openssl/ssl.h.in.fipsems openssl-3.0.7/include/openssl/ssl.h.in +--- openssl-3.0.7/include/openssl/ssl.h.in.fipsems 2023-07-11 12:35:27.951610366 +0200 ++++ openssl-3.0.7/include/openssl/ssl.h.in 2023-07-11 12:36:25.234754680 +0200 +@@ -412,6 +412,7 @@ typedef int (*SSL_async_callback_fn)(SSL + * interoperability with CryptoPro CSP 3.x + */ + # define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) ++# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48) + + /* + * Option "collections." +diff -up openssl-3.0.7/ssl/ssl_conf.c.fipsems openssl-3.0.7/ssl/ssl_conf.c +--- openssl-3.0.7/ssl/ssl_conf.c.fipsems 2023-07-11 12:36:51.465278672 +0200 ++++ openssl-3.0.7/ssl/ssl_conf.c 2023-07-11 12:44:53.365675720 +0200 +@@ -387,6 +387,7 @@ static const ssl_conf_cmd_tbl ssl_conf_c + SSL_FLAG_TBL("ClientRenegotiation", + SSL_OP_ALLOW_CLIENT_RENEGOTIATION), + SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), ++ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS), + SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), + SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), + SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), +diff -up openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod +--- openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems 2023-07-12 13:54:22.508235187 +0200 ++++ openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod 2023-07-12 13:56:51.089613902 +0200 +@@ -524,6 +524,9 @@ B: use extended ma + default. Inverse of B: that is, + B<-ExtendedMasterSecret> is the same as setting B. + ++B: allow establishing connections without EMS in FIPS mode. ++This is a RedHat-based OS specific option, and normally it should be set up via crypto policies. ++ + B: use CA names extension, enabled by + default. Inverse of B: that is, + B<-CANames> is the same as setting B. +diff -up openssl-3.0.7/doc/man5/fips_config.pod.fipsems openssl-3.0.7/doc/man5/fips_config.pod +--- openssl-3.0.7/doc/man5/fips_config.pod.fipsems 2023-07-12 15:39:57.732206731 +0200 ++++ openssl-3.0.7/doc/man5/fips_config.pod 2023-07-12 15:53:45.722885419 +0200 +@@ -11,6 +11,19 @@ automatically loaded when the system is + environment variable B is set. See the documentation + for more information. + ++Red Hat Enterprise Linux uses a supplementary config for FIPS module located in ++OpenSSL configuration directory and managed by crypto policies. If present, it ++should have format ++ ++ [fips_sect] ++ tls1-prf-ems-check = 0 ++ activate = 1 ++ ++The B option specifies whether FIPS module will require the ++presence of extended master secret or not. ++ ++The B option enforces FIPS provider activation. ++ + =head1 COPYRIGHT + + Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/SOURCES/0115-CVE-2023-0464.patch b/SOURCES/0115-CVE-2023-0464.patch new file mode 100644 index 0000000..97f3b6d --- /dev/null +++ b/SOURCES/0115-CVE-2023-0464.patch @@ -0,0 +1,195 @@ +diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +index 18b53cc09e..cba107ca03 100644 +--- a/crypto/x509/pcy_local.h ++++ b/crypto/x509/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++ /* The number of nodes in the tree */ ++ size_t node_count; ++ /* The maximum number of nodes in the tree */ ++ size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void ossl_policy_node_free(X509_POLICY_NODE *node); + int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, + const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); +diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +index 9d9a7ea179..450f95a655 100644 +--- a/crypto/x509/pcy_node.c ++++ b/crypto/x509/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ ++ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++ return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +- if (level) { ++ if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { + if (level->anyPolicy) + goto node_error; +@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + +- if (tree) { ++ if (extra_data) { + if (tree->extra_data == NULL) + tree->extra_data = sk_X509_POLICY_DATA_new_null(); + if (tree->extra_data == NULL){ +@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + ++ tree->node_count++; + if (parent) + parent->nchild++; + +diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c +index fa45da5117..f953a05a41 100644 +--- a/crypto/x509/pcy_tree.c ++++ b/crypto/x509/pcy_tree.c +@@ -14,6 +14,17 @@ + + #include "pcy_local.h" + ++/* ++ * If the maximum number of nodes in the policy tree isn't defined, set it to ++ * a generous default of 1000 nodes. ++ * ++ * Defining this to be zero means unlimited policy tree growth which opens the ++ * door on CVE-2023-0464. ++ */ ++#ifndef OPENSSL_POLICY_TREE_NODES_MAX ++# define OPENSSL_POLICY_TREE_NODES_MAX 1000 ++#endif ++ + static void expected_print(BIO *channel, + X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, + int indent) +@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + return X509_PCY_TREE_INTERNAL; + } + ++ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ ++ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; ++ + /* + * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. + * +@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + if ((data = ossl_policy_data_new(NULL, + OBJ_nid2obj(NID_any_policy), 0)) == NULL) + goto bad_tree; +- if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) { ++ if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) { + ossl_policy_data_free(data); + goto bad_tree; + } +@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + * Return value: 1 on success, 0 otherwise + */ + static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, +- X509_POLICY_DATA *data) ++ X509_POLICY_DATA *data, ++ X509_POLICY_TREE *tree) + { + X509_POLICY_LEVEL *last = curr - 1; + int i, matched = 0; +@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); + + if (ossl_policy_node_match(last, node, data->valid_policy)) { +- if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL) ++ if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL) + return 0; + matched = 1; + } + } + if (!matched && last->anyPolicy) { +- if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL) ++ if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) + return 0; + } + return 1; +@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + * Return value: 1 on success, 0 otherwise. + */ + static int tree_link_nodes(X509_POLICY_LEVEL *curr, +- const X509_POLICY_CACHE *cache) ++ const X509_POLICY_CACHE *cache, ++ X509_POLICY_TREE *tree) + { + int i; + +@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); + + /* Look for matching nodes in previous level */ +- if (!tree_link_matching_nodes(curr, data)) ++ if (!tree_link_matching_nodes(curr, data, tree)) + return 0; + } + return 1; +@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, + /* Curr may not have anyPolicy */ + data->qualifier_set = cache->anyPolicy->qualifier_set; + data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; +- if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) { ++ if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) { + ossl_policy_data_free(data); + return 0; + } +@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, + /* Finally add link to anyPolicy */ + if (last->anyPolicy && + ossl_policy_level_add_node(curr, cache->anyPolicy, +- last->anyPolicy, NULL) == NULL) ++ last->anyPolicy, tree, 0) == NULL) + return 0; + return 1; + } +@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, + extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS + | POLICY_DATA_FLAG_EXTRA_NODE; + node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent, +- tree); ++ tree, 1); + } + if (!tree->user_policies) { + tree->user_policies = sk_X509_POLICY_NODE_new_null(); +@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) + + for (i = 1; i < tree->nlevel; i++, curr++) { + cache = ossl_policy_cache_set(curr->cert); +- if (!tree_link_nodes(curr, cache)) ++ if (!tree_link_nodes(curr, cache, tree)) + return X509_PCY_TREE_INTERNAL; + + if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) diff --git a/SOURCES/0116-CVE-2023-0465.patch b/SOURCES/0116-CVE-2023-0465.patch new file mode 100644 index 0000000..3a9acb5 --- /dev/null +++ b/SOURCES/0116-CVE-2023-0465.patch @@ -0,0 +1,179 @@ +diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +index 9384f1da9b..a0282c3ef1 100644 +--- a/crypto/x509/x509_vfy.c ++++ b/crypto/x509/x509_vfy.c +@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx) + goto memerr; + /* Invalid or inconsistent extensions */ + if (ret == X509_PCY_TREE_INVALID) { +- int i; ++ int i, cbcalled = 0; + + /* Locate certificates with bad extensions and notify callback. */ +- for (i = 1; i < sk_X509_num(ctx->chain); i++) { ++ for (i = 0; i < sk_X509_num(ctx->chain); i++) { + X509 *x = sk_X509_value(ctx->chain, i); + ++ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) ++ cbcalled = 1; + CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, + ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); + } ++ if (!cbcalled) { ++ /* Should not be able to get here */ ++ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ /* The callback ignored the error so we return success */ + return 1; + } + if (ret == X509_PCY_TREE_FAILURE) { +diff --git a/test/certs/ca-pol-cert.pem b/test/certs/ca-pol-cert.pem +new file mode 100644 +index 0000000000..244af3292b +--- /dev/null ++++ b/test/certs/ca-pol-cert.pem +@@ -0,0 +1,19 @@ ++-----BEGIN CERTIFICATE----- ++MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 ++IENBMCAXDTIzMDMwODEyMjMxNloYDzIxMjMwMzA5MTIyMzE2WjANMQswCQYDVQQD ++DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd ++j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz ++n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W ++l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l ++YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ++ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 ++CLNNsUcCAwEAAaN7MHkwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD ++VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE ++PXyAmslTnE1y96NSMBkGA1UdIAQSMBAwDgYMKwYBBAGBgVy8+0cBMA0GCSqGSIb3 ++DQEBCwUAA4IBAQBbE+MO9mewWIUY2kt85yhl0oZtvVxbn9K2Hty59ItwJGRNfzx7 ++Ge7KgawkvNzMOXmj6qf8TpbJnf41ZLWdRyVZBVyIwrAKIVw1VxfGh8aEifHKN97H ++unZkBPcUkAhUJSiC1BOD/euaMYqOi8QwiI702Q6q1NBY1/UKnV/ZIBLecnqfj9vZ ++7T0wKxrwGYBztP4pNcxCmBoD9Dg+Dx3ZElo0WXyO4SOh/BgrsKJHKyhbuTpjrI/g ++DhcINRp6+lIzuFBtJ67+YXnAEspb3lKMk0YL/LXrCNF2scdmNfOPwHi+OKBqt69C ++9FJyWFEMxx2qm/ENE9sbOswgJRnKkaAqHBHx ++-----END CERTIFICATE----- +diff --git a/test/certs/ee-cert-policies-bad.pem b/test/certs/ee-cert-policies-bad.pem +new file mode 100644 +index 0000000000..0fcd6372b3 +--- /dev/null ++++ b/test/certs/ee-cert-policies-bad.pem +@@ -0,0 +1,20 @@ ++-----BEGIN CERTIFICATE----- ++MIIDTTCCAjWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg ++Fw0yMzAzMDgxMjIzMzJaGA8yMTIzMDMwOTEyMjMzMlowGTEXMBUGA1UEAwwOc2Vy ++dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY ++YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT ++5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l ++Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 ++U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 ++ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn ++iIQPYf55NB9KiR+3AgMBAAGjgakwgaYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H ++mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC ++MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w ++bGUwKQYDVR0gBCIwIDAOBgwrBgEEAYGBXLz7RwEwDgYMKwYBBAGBgVy8+0cBMA0G ++CSqGSIb3DQEBCwUAA4IBAQArwtwNO++7kStcJeMg3ekz2D/m/8UEjTA1rknBjQiQ ++P0FK7tNeRqus9i8PxthNWk+biRayvDzaGIBV7igpDBPfXemDgmW9Adc4MKyiQDfs ++YfkHi3xJKvsK2fQmyCs2InVDaKpVAkNFcgAW8nSOhGliqIxLb0EOLoLNwaktou0N ++XQHmRzY8S7aIr8K9Qo9y/+MLar+PS4h8l6FkLLkTICiFzE4/wje5S3NckAnadRJa ++QpjwM2S6NuA+tYWuOcN//r7BSpW/AZKanYWPzHMrKlqCh+9o7sthPd72+hObG9kx ++wSGdzfStNK1I1zM5LiI08WtXCvR6AfLANTo2x1AYhSxF ++-----END CERTIFICATE----- +diff --git a/test/certs/ee-cert-policies.pem b/test/certs/ee-cert-policies.pem +new file mode 100644 +index 0000000000..2f06d7433f +--- /dev/null ++++ b/test/certs/ee-cert-policies.pem +@@ -0,0 +1,20 @@ ++-----BEGIN CERTIFICATE----- ++MIIDPTCCAiWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg ++Fw0yMzAzMDgxMjIzMjNaGA8yMTIzMDMwOTEyMjMyM1owGTEXMBUGA1UEAwwOc2Vy ++dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY ++YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT ++5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l ++Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 ++U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 ++ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn ++iIQPYf55NB9KiR+3AgMBAAGjgZkwgZYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H ++mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC ++MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w ++bGUwGQYDVR0gBBIwEDAOBgwrBgEEAYGBXLz7RwEwDQYJKoZIhvcNAQELBQADggEB ++AGbWslmAAdMX3+5ChcnFrX+NqDGoyhb3PTgWdtlQB5qtWdIt4rSxN50OcQxFTX0D ++QOBabSzR0DDKrgfBe4waL19WsdEvR9GyO4M7ASze/A3IEZue9C9k0n7Vq8zDaAZl ++CiR/Zqo9nAOuhKHMgmC/NjUlX7STv5pJVgc4SH8VEKmSRZDmNihaOalUtK5X8/Oa ++dawKxsZcaP5IKnOEPPKjtVNJxBu5CXywJHsO0GcoDEnEx1/NLdFoJ6WFw8NuTyDK ++NGLq2MHEdyKaigHQlptEs9bXyu9McJjzbx0uXj3BenRULASreccFej0L1RU6jDlk ++D3brBn24UISaFRZoB7jsjok= ++-----END CERTIFICATE----- +diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh +index c3f7ac14b5..a57d9f38dc 100755 +--- a/test/certs/mkcert.sh ++++ b/test/certs/mkcert.sh +@@ -119,11 +119,12 @@ genca() { + local OPTIND=1 + local purpose= + +- while getopts p: o ++ while getopts p:c: o + do + case $o in + p) purpose="$OPTARG";; +- *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2 ++ c) certpol="$OPTARG";; ++ *) echo "Usage: $0 genca [-p EKU][-c policyoid] cn keyname certname cakeyname cacertname" >&2 + return 1;; + esac + done +@@ -146,6 +147,10 @@ genca() { + if [ -n "$NC" ]; then + exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC") + fi ++ if [ -n "$certpol" ]; then ++ exts=$(printf "%s\ncertificatePolicies = %s\n" "$exts" "$certpol") ++ fi ++ + csr=$(req "$key" "CN = $cn") || return 1 + echo "$csr" | + cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ +diff --git a/test/certs/setup.sh b/test/certs/setup.sh +index 2240cd9df0..76ceadc7d8 100755 +--- a/test/certs/setup.sh ++++ b/test/certs/setup.sh +@@ -440,3 +440,9 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \ + + # critical id-pkix-ocsp-no-check extension + ./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.1.5=critical,DER:05:00" ++ ++# certificatePolicies extension ++./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert ++./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1" ++# We can create a cert with a duplicate policy oid - but its actually invalid! ++./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1" +diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t +index 2a4c36e86d..818c9ac50d 100644 +--- a/test/recipes/25-test_verify.t ++++ b/test/recipes/25-test_verify.t +@@ -29,7 +29,7 @@ sub verify { + run(app([@args])); + } + +-plan tests => 163; ++plan tests => 165; + + # Canonical success + ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), +@@ -516,3 +516,14 @@ SKIP: { + ok(run(app([ qw(openssl verify -trusted), $rsapluscert_file, $cert_file ])), + 'Mixed key + cert file test'); + } ++ ++# Certificate Policies ++ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"], ++ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", ++ "-explicit_policy"), ++ "Certificate policy"); ++ ++ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"], ++ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", ++ "-explicit_policy"), ++ "Bad certificate policy"); diff --git a/SOURCES/0117-CVE-2023-0466.patch b/SOURCES/0117-CVE-2023-0466.patch new file mode 100644 index 0000000..ef06edf --- /dev/null +++ b/SOURCES/0117-CVE-2023-0466.patch @@ -0,0 +1,27 @@ +diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +index 75a1677022..43c1900bca 100644 +--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod ++++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +@@ -98,8 +98,9 @@ B. + X509_VERIFY_PARAM_set_time() sets the verification time in B to + B. Normally the current time is used. + +-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled +-by default) and adds B to the acceptable policy set. ++X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. ++Contrary to preexisting documentation of this function it does not enable ++policy checking. + + X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled + by default) and sets the acceptable policy set to B. Any existing +@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. + The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), + and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. + ++The function X509_VERIFY_PARAM_add0_policy() was historically documented as ++enabling policy checking however the implementation has never done this. ++The documentation was changed to align with the implementation. ++ + =head1 COPYRIGHT + + Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/SOURCES/0118-CVE-2023-1255.patch b/SOURCES/0118-CVE-2023-1255.patch new file mode 100644 index 0000000..91efb20 --- /dev/null +++ b/SOURCES/0118-CVE-2023-1255.patch @@ -0,0 +1,20 @@ +--- a/crypto/aes/asm/aesv8-armx.pl ++++ b/crypto/aes/asm/aesv8-armx.pl +@@ -3353,7 +3353,7 @@ $code.=<<___ if ($flavour =~ /64/); + .align 4 + .Lxts_dec_tail4x: + add $inp,$inp,#16 +- vld1.32 {$dat0},[$inp],#16 ++ tst $tailcnt,#0xf + veor $tmp1,$dat1,$tmp0 + vst1.8 {$tmp1},[$out],#16 + veor $tmp2,$dat2,$tmp2 +@@ -3362,6 +3362,8 @@ $code.=<<___ if ($flavour =~ /64/); + veor $tmp4,$dat4,$tmp4 + vst1.8 {$tmp3-$tmp4},[$out],#32 + ++ b.eq .Lxts_dec_abort ++ vld1.32 {$dat0},[$inp],#16 + b .Lxts_done + .align 4 + .Lxts_outer_dec_tail: diff --git a/SOURCES/0120-RSA-PKCS15-implicit-rejection.patch b/SOURCES/0120-RSA-PKCS15-implicit-rejection.patch new file mode 100644 index 0000000..3cb36bb --- /dev/null +++ b/SOURCES/0120-RSA-PKCS15-implicit-rejection.patch @@ -0,0 +1,1354 @@ +diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c +index d25504a03f7..c55511011f6 100644 +--- a/crypto/cms/cms_env.c ++++ b/crypto/cms/cms_env.c +@@ -608,6 +608,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, + if (!ossl_cms_env_asn1_ctrl(ri, 1)) + goto err; + ++ if (EVP_PKEY_is_a(pkey, "RSA")) ++ /* upper layer CMS code incorrectly assumes that a successful RSA ++ * decryption means that the key matches ciphertext (which never ++ * was the case, implicit rejection or not), so to make it work ++ * disable implicit rejection for RSA keys */ ++ EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0"); ++ + if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, + ktri->encryptedKey->data, + ktri->encryptedKey->length) <= 0) +diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c +index 56ed5ea6d68..f64c1fcb2ac 100644 +--- a/crypto/evp/ctrl_params_translate.c ++++ b/crypto/evp/ctrl_params_translate.c +@@ -2201,6 +2201,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = { + EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL, + OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL }, + ++ { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, ++ EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL, ++ "rsa_pkcs1_implicit_rejection", ++ OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, OSSL_PARAM_UNSIGNED_INTEGER, ++ NULL }, ++ + { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN, + EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL, + OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, +diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c +index 31b368bda3b..8a46ab471df 100644 +--- a/crypto/pkcs7/pk7_doit.c ++++ b/crypto/pkcs7/pk7_doit.c +@@ -163,6 +163,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, + if (EVP_PKEY_decrypt_init(pctx) <= 0) + goto err; + ++ if (EVP_PKEY_is_a(pkey, "RSA")) ++ /* upper layer pkcs7 code incorrectly assumes that a successful RSA ++ * decryption means that the key matches ciphertext (which never ++ * was the case, implicit rejection or not), so to make it work ++ * disable implicit rejection for RSA keys */ ++ EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); ++ + if (EVP_PKEY_decrypt(pctx, NULL, &eklen, + ri->enc_key->data, ri->enc_key->length) <= 0) + goto err; +diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c +index 54e2a1c61ca..094a6632b66 100644 +--- a/crypto/rsa/rsa_ossl.c ++++ b/crypto/rsa/rsa_ossl.c +@@ -17,6 +17,9 @@ + #include "crypto/bn.h" + #include "rsa_local.h" + #include "internal/constant_time.h" ++#include ++#include ++#include + + static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding); +@@ -372,8 +375,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + BIGNUM *f, *ret; + int j, num = 0, r = -1; + unsigned char *buf = NULL; ++ unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0}; ++ HMAC_CTX *hmac = NULL; ++ unsigned int md_len = SHA256_DIGEST_LENGTH; ++ unsigned char kdk[SHA256_DIGEST_LENGTH] = {0}; + BN_CTX *ctx = NULL; + int local_blinding = 0; ++ EVP_MD *md = NULL; + /* + * Used only if the blinding structure is shared. A non-NULL unblind + * instructs rsa_blinding_convert() and rsa_blinding_invert() to store +@@ -382,6 +390,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + BIGNUM *unblind = NULL; + BN_BLINDING *blinding = NULL; + ++ /* ++ * we need the value of the private exponent to perform implicit rejection ++ */ ++ if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING)) ++ padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; ++ + if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) + goto err; + BN_CTX_start(ctx); +@@ -405,6 +419,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + goto err; + } + ++ if (flen < 1) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL); ++ goto err; ++ } ++ + /* make data into a big number */ + if (BN_bin2bn(from, (int)flen, f) == NULL) + goto err; +@@ -471,6 +490,81 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + BN_free(d); + } + ++ /* ++ * derive the Key Derivation Key from private exponent and public ++ * ciphertext ++ */ ++ if (padding == RSA_PKCS1_PADDING) { ++ /* ++ * because we use d as a handle to rsa->d we need to keep it local and ++ * free before any further use of rsa->d ++ */ ++ BIGNUM *d = BN_new(); ++ if (d == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ if (rsa->d == NULL) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY); ++ BN_free(d); ++ goto err; ++ } ++ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); ++ if (BN_bn2binpad(d, buf, num) < 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ BN_free(d); ++ goto err; ++ } ++ BN_free(d); ++ ++ /* ++ * we use hardcoded hash so that migrating between versions that use ++ * different hash doesn't provide a Bleichenbacher oracle: ++ * if the attacker can see that different versions return different ++ * messages for the same ciphertext, they'll know that the message is ++ * syntethically generated, which means that the padding check failed ++ */ ++ md = EVP_MD_fetch(rsa->libctx, "sha256", NULL); ++ if (md == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ hmac = HMAC_CTX_new(); ++ if (hmac == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ if (flen < num) { ++ memset(buf, 0, num - flen); ++ if (HMAC_Update(hmac, buf, num - flen) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ } ++ if (HMAC_Update(hmac, from, flen) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ md_len = SHA256_DIGEST_LENGTH; ++ if (HMAC_Final(hmac, kdk, &md_len) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ } ++ + if (blinding) { + /* + * ossl_bn_rsa_do_unblind() combines blinding inversion and +@@ -471,9 +545,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + } + + switch (padding) { +- case RSA_PKCS1_PADDING: ++ case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING: + r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); + break; ++ case RSA_PKCS1_PADDING: ++ r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk); ++ break; + case RSA_PKCS1_OAEP_PADDING: + r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); + break; +@@ -500,6 +597,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + #endif + + err: ++ HMAC_CTX_free(hmac); ++ EVP_MD_free(md); + BN_CTX_end(ctx); + BN_CTX_free(ctx); + OPENSSL_clear_free(buf, num); +diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c +index 5f72fe1735d..04fb0e4ed5e 100644 +--- a/crypto/rsa/rsa_pk1.c ++++ b/crypto/rsa/rsa_pk1.c +@@ -21,10 +21,14 @@ + #include + /* Just for the SSL_MAX_MASTER_KEY_LENGTH value */ + #include ++#include ++#include ++#include + #include "internal/cryptlib.h" + #include "crypto/rsa.h" + #include "rsa_local.h" + ++ + int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, + const unsigned char *from, int flen) + { +@@ -271,6 +275,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, + return constant_time_select_int(good, mlen, -1); + } + ++ ++static int ossl_rsa_prf(OSSL_LIB_CTX *ctx, ++ unsigned char *to, int tlen, ++ const char *label, int llen, ++ const unsigned char *kdk, ++ uint16_t bitlen) ++{ ++ int pos; ++ int ret = -1; ++ uint16_t iter = 0; ++ unsigned char be_iter[sizeof(iter)]; ++ unsigned char be_bitlen[sizeof(bitlen)]; ++ HMAC_CTX *hmac = NULL; ++ EVP_MD *md = NULL; ++ unsigned char hmac_out[SHA256_DIGEST_LENGTH]; ++ unsigned int md_len; ++ ++ if (tlen * 8 != bitlen) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ return ret; ++ } ++ ++ be_bitlen[0] = (bitlen >> 8) & 0xff; ++ be_bitlen[1] = bitlen & 0xff; ++ ++ hmac = HMAC_CTX_new(); ++ if (hmac == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ /* ++ * we use hardcoded hash so that migrating between versions that use ++ * different hash doesn't provide a Bleichenbacher oracle: ++ * if the attacker can see that different versions return different ++ * messages for the same ciphertext, they'll know that the message is ++ * syntethically generated, which means that the padding check failed ++ */ ++ md = EVP_MD_fetch(ctx, "sha256", NULL); ++ if (md == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ if (HMAC_Init_ex(hmac, kdk, SHA256_DIGEST_LENGTH, md, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ for (pos = 0; pos < tlen; pos += SHA256_DIGEST_LENGTH, iter++) { ++ if (HMAC_Init_ex(hmac, NULL, 0, NULL, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ be_iter[0] = (iter >> 8) & 0xff; ++ be_iter[1] = iter & 0xff; ++ ++ if (HMAC_Update(hmac, be_iter, sizeof(be_iter)) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ if (HMAC_Update(hmac, (unsigned char *)label, llen) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ if (HMAC_Update(hmac, be_bitlen, sizeof(be_bitlen)) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ /* ++ * HMAC_Final requires the output buffer to fit the whole MAC ++ * value, so we need to use the intermediate buffer for the last ++ * unaligned block ++ */ ++ md_len = SHA256_DIGEST_LENGTH; ++ if (pos + SHA256_DIGEST_LENGTH > tlen) { ++ if (HMAC_Final(hmac, hmac_out, &md_len) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ memcpy(to + pos, hmac_out, tlen - pos); ++ } else { ++ if (HMAC_Final(hmac, to + pos, &md_len) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ } ++ } ++ ++ ret = 0; ++ ++err: ++ HMAC_CTX_free(hmac); ++ EVP_MD_free(md); ++ return ret; ++} ++ ++/* ++ * ossl_rsa_padding_check_PKCS1_type_2() checks and removes the PKCS#1 type 2 ++ * padding from a decrypted RSA message. Unlike the ++ * RSA_padding_check_PKCS1_type_2() it will not return an error in case it ++ * detects a padding error, rather it will return a deterministically generated ++ * random message. In other words it will perform an implicit rejection ++ * of an invalid padding. This means that the returned value does not indicate ++ * if the padding of the encrypted message was correct or not, making ++ * side channel attacks like the ones described by Bleichenbacher impossible ++ * without access to the full decrypted value and a brute-force search of ++ * remaining padding bytes ++ */ ++int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ int num, unsigned char *kdk) ++{ ++/* ++ * We need to generate a random length for the synthethic message, to avoid ++ * bias towards zero and avoid non-constant timeness of DIV, we prepare ++ * 128 values to check if they are not too large for the used key size, ++ * and use 0 in case none of them are small enough, as 2^-128 is a good enough ++ * safety margin ++ */ ++#define MAX_LEN_GEN_TRIES 128 ++ unsigned char *synthetic = NULL; ++ int synthethic_length; ++ uint16_t len_candidate; ++ unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)]; ++ uint16_t len_mask; ++ uint16_t max_sep_offset; ++ int synth_msg_index = 0; ++ int ret = -1; ++ int i, j; ++ unsigned int good, found_zero_byte; ++ int zero_index = 0, msg_index; ++ ++ /* ++ * If these checks fail then either the message in publicly invalid, or ++ * we've been called incorrectly. We can fail immediately. ++ * Since this code is called only internally by openssl, those are just ++ * sanity checks ++ */ ++ if (num != flen || tlen <= 0 || flen <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ return -1; ++ } ++ ++ /* Generate a random message to return in case the padding checks fail */ ++ synthetic = OPENSSL_malloc(flen); ++ if (synthetic == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); ++ return -1; ++ } ++ ++ if (ossl_rsa_prf(ctx, synthetic, flen, "message", 7, kdk, flen * 8) < 0) ++ goto err; ++ ++ /* decide how long the random message should be */ ++ if (ossl_rsa_prf(ctx, candidate_lengths, sizeof(candidate_lengths), ++ "length", 6, kdk, ++ MAX_LEN_GEN_TRIES * sizeof(len_candidate) * 8) < 0) ++ goto err; ++ ++ /* ++ * max message size is the size of the modulus size less 2 bytes for ++ * version and padding type and a minimum of 8 bytes padding ++ */ ++ len_mask = max_sep_offset = flen - 2 - 8; ++ /* ++ * we want a mask so lets propagate the high bit to all positions less ++ * significant than it ++ */ ++ len_mask |= len_mask >> 1; ++ len_mask |= len_mask >> 2; ++ len_mask |= len_mask >> 4; ++ len_mask |= len_mask >> 8; ++ ++ synthethic_length = 0; ++ for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate); ++ i += sizeof(len_candidate)) { ++ len_candidate = (candidate_lengths[i] << 8) | candidate_lengths[i + 1]; ++ len_candidate &= len_mask; ++ ++ synthethic_length = constant_time_select_int( ++ constant_time_lt(len_candidate, max_sep_offset), ++ len_candidate, synthethic_length); ++ } ++ ++ synth_msg_index = flen - synthethic_length; ++ ++ /* we have alternative message ready, check the real one */ ++ good = constant_time_is_zero(from[0]); ++ good &= constant_time_eq(from[1], 2); ++ ++ /* then look for the padding|message separator (the first zero byte) */ ++ found_zero_byte = 0; ++ for (i = 2; i < flen; i++) { ++ unsigned int equals0 = constant_time_is_zero(from[i]); ++ zero_index = constant_time_select_int(~found_zero_byte & equals0, ++ i, zero_index); ++ found_zero_byte |= equals0; ++ } ++ ++ /* ++ * padding must be at least 8 bytes long, and it starts two bytes into ++ * |from|. If we never found a 0-byte, then |zero_index| is 0 and the check ++ * also fails. ++ */ ++ good &= constant_time_ge(zero_index, 2 + 8); ++ ++ /* ++ * Skip the zero byte. This is incorrect if we never found a zero-byte ++ * but in this case we also do not copy the message out. ++ */ ++ msg_index = zero_index + 1; ++ ++ /* ++ * old code returned an error in case the decrypted message wouldn't fit ++ * into the |to|, since that would leak information, return the synthethic ++ * message instead ++ */ ++ good &= constant_time_ge(tlen, num - msg_index); ++ ++ msg_index = constant_time_select_int(good, msg_index, synth_msg_index); ++ ++ /* ++ * since at this point the |msg_index| does not provide the signal ++ * indicating if the padding check failed or not, we don't have to worry ++ * about leaking the length of returned message, we still need to ensure ++ * that we read contents of both buffers so that cache accesses don't leak ++ * the value of |good| ++ */ ++ for (i = msg_index, j = 0; i < flen && j < tlen; i++, j++) ++ to[j] = constant_time_select_8(good, from[i], synthetic[i]); ++ ret = j; ++ ++err: ++ /* ++ * the only time ret < 0 is when the ciphertext is publicly invalid ++ * or we were called with invalid parameters, so we don't have to perform ++ * a side-channel secure raising of the error ++ */ ++ if (ret < 0) ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ OPENSSL_free(synthetic); ++ return ret; ++} ++ + /* + * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2 + * padding from a decrypted RSA message in a TLS signature. The result is stored +diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c +index 8b35e5c3c6d..c67b20baf56 100644 +--- a/crypto/rsa/rsa_pmeth.c ++++ b/crypto/rsa/rsa_pmeth.c +@@ -52,6 +52,8 @@ typedef struct { + /* OAEP label */ + unsigned char *oaep_label; + size_t oaep_labellen; ++ /* if to use implicit rejection in PKCS#1 v1.5 decryption */ ++ int implicit_rejection; + } RSA_PKEY_CTX; + + /* True if PSS parameters are restricted */ +@@ -72,6 +74,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx) + /* Maximum for sign, auto for verify */ + rctx->saltlen = RSA_PSS_SALTLEN_AUTO; + rctx->min_saltlen = -1; ++ rctx->implicit_rejection = 1; + ctx->data = rctx; + ctx->keygen_info = rctx->gentmp; + ctx->keygen_info_count = 2; +@@ -97,6 +100,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) + dctx->md = sctx->md; + dctx->mgf1md = sctx->mgf1md; + dctx->saltlen = sctx->saltlen; ++ dctx->implicit_rejection = sctx->implicit_rejection; + if (sctx->oaep_label) { + OPENSSL_free(dctx->oaep_label); + dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen); +@@ -345,6 +349,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, + const unsigned char *in, size_t inlen) + { + int ret; ++ int pad_mode; + RSA_PKEY_CTX *rctx = ctx->data; + /* + * Discard const. Its marked as const because this may be a cached copy of +@@ -365,7 +370,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, + rctx->oaep_labellen, + rctx->md, rctx->mgf1md); + } else { +- ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode); ++ if (rctx->pad_mode == RSA_PKCS1_PADDING && ++ rctx->implicit_rejection == 0) ++ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; ++ else ++ pad_mode = rctx->pad_mode; ++ ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode); + } + *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); + ret = constant_time_select_int(constant_time_msb(ret), ret, 1); +@@ -585,6 +595,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) + *(unsigned char **)p2 = rctx->oaep_label; + return rctx->oaep_labellen; + ++ case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION: ++ if (rctx->pad_mode != RSA_PKCS1_PADDING) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE); ++ return -2; ++ } ++ rctx->implicit_rejection = p1; ++ return 1; ++ + case EVP_PKEY_CTRL_DIGESTINIT: + case EVP_PKEY_CTRL_PKCS7_SIGN: + #ifndef OPENSSL_NO_CMS +diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in +index b0054ead66f..dd878297987 100644 +--- a/doc/man1/openssl-pkeyutl.pod.in ++++ b/doc/man1/openssl-pkeyutl.pod.in +@@ -240,6 +240,11 @@ signed or verified directly instead of using a B structure. If a + digest is set then the a B structure is used and its the length + must correspond to the digest type. + ++Note, for B padding, as a protection against Bleichenbacher attack, ++the decryption will not fail in case of padding check failures. Use B ++and manual inspection of the decrypted message to verify if the decrypted ++value has correct PKCS#1 v1.5 padding. ++ + For B mode only encryption and decryption is supported. + + For B if the digest type is set it is used to format the block data +@@ -267,6 +272,16 @@ explicitly set in PSS mode then the signing digest is used. + Sets the digest used for the OAEP hash function. If not explicitly set then + SHA1 is used. + ++=item BI ++ ++Disables (when set to 0) or enables (when set to 1) the use of implicit ++rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a ++protection against Bleichenbacher attack, the library will generate a ++deterministic random plaintext that it will return to the caller in case ++of padding check failure. ++When disabled, it's the callers' responsibility to handle the returned ++errors in a side-channel free manner. ++ + =back + + =head1 RSA-PSS ALGORITHM +diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in +index 186e49e5e49..eab34979de3 100644 +--- a/doc/man1/openssl-rsautl.pod.in ++++ b/doc/man1/openssl-rsautl.pod.in +@@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP, + ANSI X9.31, or no padding, respectively. + For signatures, only B<-pkcs> and B<-raw> can be used. + ++Note: because of protection against Bleichenbacher attacks, decryption ++using PKCS#1 v1.5 mode will not return errors in case padding check failed. ++Use B<-raw> and inspect the returned value manually to check if the ++padding is correct. ++ + =item B<-hexdump> + + Hex dump the output data. +diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod +index 9b96f42dbc9..f7957e95f7f 100644 +--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod ++++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod +@@ -393,6 +393,15 @@ this behaviour should be tolerated then + OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual + negotiated protocol version. Otherwise it should be left unset. + ++Similarly to the B above, since OpenSSL version ++3.1.0, the use of B will return a randomly generated message ++instead of padding errors in case padding checks fail. Applications that ++want to remain secure while using earlier versions of OpenSSL, still need to ++handle both the error code from the RSA decryption operation and the ++returned message in a side channel secure manner. ++This protection against Bleichenbacher attacks can be disabled by setting ++the OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION (an unsigned integer) to 0. ++ + =head2 DSA parameters + + EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA +diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod +index 0cd1a6548d0..462265c5a67 100644 +--- a/doc/man3/EVP_PKEY_decrypt.pod ++++ b/doc/man3/EVP_PKEY_decrypt.pod +@@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for failure. In particular a + return value of -2 indicates the operation is not supported by the public key + algorithm. + ++=head1 WARNINGS ++ ++In OpenSSL versions before 3.1.0, when used in PKCS#1 v1.5 padding, ++both the return value from the EVP_PKEY_decrypt() and the B provided ++information useful in mounting a Bleichenbacher attack against the ++used private key. They had to processed in a side-channel free way. ++ ++Since version 3.1.0, the EVP_PKEY_decrypt() method when used with PKCS#1 ++v1.5 padding doesn't return an error in case it detects an error in padding, ++instead it returns a pseudo-randomly generated message, removing the need ++of side-channel secure code from applications using OpenSSL. ++ + =head1 EXAMPLES + + Decrypt data using OAEP (for RSA keys): +diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod +index 9f7025c4975..36ae18563f2 100644 +--- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod ++++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod +@@ -121,8 +121,8 @@ L. + + =head1 WARNINGS + +-The result of RSA_padding_check_PKCS1_type_2() is a very sensitive +-information which can potentially be used to mount a Bleichenbacher ++The result of RSA_padding_check_PKCS1_type_2() is exactly the ++information which is used to mount a classical Bleichenbacher + padding oracle attack. This is an inherent weakness in the PKCS #1 + v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not + possible, the result of RSA_padding_check_PKCS1_type_2() should be +@@ -137,6 +137,9 @@ as this would create a small timing side channel which could be + used to mount a Bleichenbacher attack against any padding mode + including PKCS1_OAEP. + ++You should prefer the use of EVP PKEY APIs for PKCS#1 v1.5 decryption ++as they implement the necessary workarounds internally. ++ + =head1 SEE ALSO + + L, +diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod +index 1d38073aead..bd3f835ac6d 100644 +--- a/doc/man3/RSA_public_encrypt.pod ++++ b/doc/man3/RSA_public_encrypt.pod +@@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure. + + =back + +-B must not be more than RSA_size(B) - 11 for the PKCS #1 v1.5 +-based padding modes, not more than RSA_size(B) - 42 for ++When encrypting B must not be more than RSA_size(B) - 11 for the ++PKCS #1 v1.5 based padding modes, not more than RSA_size(B) - 42 for + RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B) for RSA_NO_PADDING. + When a padding mode other than RSA_NO_PADDING is in use, then + RSA_public_encrypt() will include some random bytes into the ciphertext +@@ -92,6 +92,13 @@ which can potentially be used to mount a Bleichenbacher padding oracle + attack. This is an inherent weakness in the PKCS #1 v1.5 padding + design. Prefer RSA_PKCS1_OAEP_PADDING. + ++In OpenSSL before version 3.1.0, both the return value and the length of ++returned value could be used to mount the Bleichenbacher attack. ++Since version 3.1.0, OpenSSL does not return an error in case of padding ++checks failed. Instead it generates a random message based on used private ++key and provided ciphertext so that application code doesn't have to implement ++a side-channel secure error handling. ++ + =head1 CONFORMING TO + + SSL, PKCS #1 v2.0 +diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod +index ac3f6271969..cb770c9e857 100644 +--- a/doc/man7/provider-asym_cipher.pod ++++ b/doc/man7/provider-asym_cipher.pod +@@ -235,6 +235,15 @@ The TLS protocol version first requested by the client. + The negotiated TLS protocol version. See + B on the page L. + ++=item "implicit-rejection" (B) ++ ++Gets of sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5 ++decryption. When set (non zero value), the decryption API will return ++a deterministically random value if the PKCS#1 v1.5 padding check fails. ++This makes explotation of the Bleichenbacher significantly harder, even ++if the code using the RSA decryption API is not implemented in side-channel ++free manner. Set by default. ++ + =back + + OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params() +diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h +index 949873d0ee3..f267e5d9d1c 100644 +--- a/include/crypto/rsa.h ++++ b/include/crypto/rsa.h +@@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg); + RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, + OSSL_LIB_CTX *libctx, const char *propq); + ++int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ int num, unsigned char *kdk); + int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned char *to, + size_t tlen, + const unsigned char *from, +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index e6c4758a33e..6e4a4f8539d 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -302,6 +302,7 @@ extern "C" { + #define OSSL_PKEY_PARAM_DIST_ID "distid" + #define OSSL_PKEY_PARAM_PUB_KEY "pub" + #define OSSL_PKEY_PARAM_PRIV_KEY "priv" ++#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection" + #define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K "rh_sign_kat_k" + + /* Diffie-Hellman/DSA Parameters */ +@@ -482,6 +483,7 @@ extern "C" { + #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" + #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" + #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" ++#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION "implicit-rejection" + #ifdef FIPS_MODULE + #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" + #endif +diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h +index bce21258227..167427d3c48 100644 +--- a/include/openssl/rsa.h ++++ b/include/openssl/rsa.h +@@ -189,6 +189,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); + + # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES (EVP_PKEY_ALG_CTRL + 13) + ++# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14) ++ + # define RSA_PKCS1_PADDING 1 + # define RSA_NO_PADDING 3 + # define RSA_PKCS1_OAEP_PADDING 4 +@@ -198,6 +200,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); + # define RSA_PKCS1_PSS_PADDING 6 + # define RSA_PKCS1_WITH_TLS_PADDING 7 + ++/* internal RSA_ only */ ++# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8 ++ + # define RSA_PKCS1_PADDING_SIZE 11 + + # define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg) +diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c +index 3d331ea8dfd..fbafb84f8cb 100644 +--- a/providers/implementations/asymciphers/rsa_enc.c ++++ b/providers/implementations/asymciphers/rsa_enc.c +@@ -75,6 +75,8 @@ typedef struct { + /* TLS padding */ + unsigned int client_version; + unsigned int alt_version; ++ /* PKCS#1 v1.5 decryption mode */ ++ unsigned int implicit_rejection; + #ifdef FIPS_MODULE + char *redhat_st_oaep_seed; + #endif /* FIPS_MODULE */ +@@ -107,6 +109,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[], + RSA_free(prsactx->rsa); + prsactx->rsa = vrsa; + prsactx->operation = operation; ++ prsactx->implicit_rejection = 1; + + switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { + case RSA_FLAG_TYPE_RSA: +@@ -195,6 +198,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + int ret; ++ int pad_mode; + size_t len = RSA_size(prsactx->rsa); + + if (!ossl_prov_is_running()) +@@ -270,8 +274,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, + } + OPENSSL_free(tbuf); + } else { +- ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, +- prsactx->pad_mode); ++ if ((prsactx->implicit_rejection == 0) && ++ (prsactx->pad_mode == RSA_PKCS1_PADDING)) ++ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; ++ else ++ pad_mode = prsactx->pad_mode; ++ ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, pad_mode); + } + *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); + ret = constant_time_select_int(constant_time_msb(ret), 0, 1); +@@ -395,6 +403,10 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + } + #endif /* defined(FIPS_MODULE) */ + ++ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION); ++ if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection)) ++ return 0; ++ + return 1; + } + +@@ -406,6 +418,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { + NULL, 0), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), ++ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), + #ifdef FIPS_MODULE + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), + OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), +@@ -543,6 +556,14 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + return 0; + prsactx->alt_version = alt_version; + } ++ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION); ++ if (p != NULL) { ++ unsigned int implicit_rejection; ++ ++ if (!OSSL_PARAM_get_uint(p, &implicit_rejection)) ++ return 0; ++ prsactx->implicit_rejection = implicit_rejection; ++ } + + return 1; + } +@@ -555,6 +576,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = { + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, NULL, 0), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), ++ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), + OSSL_PARAM_END + }; + +diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +index b8d8bb2993e..a3d01eec457 100644 +--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -253,9 +253,25 @@ Decrypt = RSA-2048 + Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 + Output = "Hello World" + ++Availablein = default ++# Note: disable the Bleichenbacher workaround to see if it passes ++Decrypt = RSA-2048 ++Ctrl = rsa_pkcs1_implicit_rejection:0 ++Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 ++Output = "Hello World" ++ ++Availablein = default ++# Corrupted ciphertext ++# Note: output is generated synthethically by the Bleichenbacher workaround ++Decrypt = RSA-2048 ++Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 ++Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff ++ + # Corrupted ciphertext + Availablein = default ++# Note: disable the Bleichenbacher workaround to see if it fails + Decrypt = RSA-2048 ++Ctrl = rsa_pkcs1_implicit_rejection:0 + Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 + Output = "Hello World" + Result = KEYOP_ERROR +@@ -277,6 +297,462 @@ Derive = RSA-2048 + Result = KEYOP_INIT_ERROR + Reason = operation not supported for this keytype + ++# Test vectors for the Bleichenbacher workaround ++ ++PrivateKey = RSA-2048-2 ++-----BEGIN RSA PRIVATE KEY----- ++MIIEowIBAAKCAQEAyMyDlxQJjaVsqiNkD5PciZfBY3KWj8Gwxt9RE8HJTosh5IrS ++KX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjOjRQclJBetK0wZjmkkgZTS25/JgdC ++Ppff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7SSmBfVEWZkQKH6y3ogj16hZZEK3Y ++o/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVOyHUipMApePlomYC/+/ZJwwfoGBm/ +++IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1a9PC6lRl3/oUWJKSqdiiStJr5+4F ++EHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGnaQIDAQABAoIBABRVAQ4PLVh2Y6Zm ++pv8czbvw7dgQBkbQKgI5IpCJksStOeVWWSlybvZQjDpxFY7wtv91HTnQdYC7LS8G ++MhBELQYD/1DbvXs1/iybsZpHoa+FpMJJAeAsqLWLeRmyDt8yqs+/Ua20vEthubfp ++aMqk1XD3DvGNgGMiiJPkfUOe/KeTJZvPLNEIo9hojN8HjnrHmZafIznSwfUiuWlo ++RimpM7quwmgWJeq4T05W9ER+nYj7mhmc9xAj4OJXsURBszyE07xnyoAx0mEmGBA6 ++egpAhEJi912IkM1hblH5A1SI/W4Jnej/bWWk/xGCVIB8n1jS+7qLoVHcjGi+NJyX ++eiBOBMECgYEA+PWta6gokxvqRZuKP23AQdI0gkCcJXHpY/MfdIYColY3GziD7UWe ++z5cFJkWe3RbgVSL1pF2UdRsuwtrycsf4gWpSwA0YCAFxY02omdeXMiL1G5N2MFSG ++lqn32MJKWUl8HvzUVc+5fuhtK200lyszL9owPwSZm062tcwLsz53Yd0CgYEAznou ++O0mpC5YzChLcaCvfvfuujdbcA7YUeu+9V1dD8PbaTYYjUGG3Gv2crS00Al5WrIaw ++93Q+s14ay8ojeJVCRGW3Bu0iF15XGMjHC2cD6o9rUQ+UW+SOWja7PDyRcytYnfwF ++1y2AkDGURSvaITSGR+xylD8RqEbmL66+jrU2sP0CgYB2/hXxiuI5zfHfa0RcpLxr ++uWjXiMIZM6T13NKAAz1nEgYswIpt8gTB+9C+RjB0Q+bdSmRWN1Qp1OA4yiVvrxyb ++3pHGsXt2+BmV+RxIy768e/DjSUwINZ5OjNalh9e5bWIh/X4PtcVXXwgu5XdpeYBx ++sru0oyI4FRtHMUu2VHkDEQKBgQCZiEiwVUmaEAnLx9KUs2sf/fICDm5zZAU+lN4a ++AA3JNAWH9+JydvaM32CNdTtjN3sDtvQITSwCfEs4lgpiM7qe2XOLdvEOp1vkVgeL ++9wH2fMaz8/3BhuZDNsdrNy6AkQ7ICwrcwj0C+5rhBIaigkgHW06n5W3fzziC5FFW ++FHGikQKBgGQ790ZCn32DZnoGUwITR++/wF5jUfghqd67YODszeUAWtnp7DHlWPfp ++LCkyjnRWnXzvfHTKvCs1XtQBoaCRS048uwZITlgZYFEWntFMqi76bqBE4FTSYUTM ++FinFUBBVigThM/RLfCRNrCW/kTxXuJDuSfVIJZzWNAT+9oWdz5da ++-----END RSA PRIVATE KEY----- ++ ++# corresponding public key ++PublicKey = RSA-2048-2-PUBLIC ++-----BEGIN PUBLIC KEY----- ++MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMyDlxQJjaVsqiNkD5Pc ++iZfBY3KWj8Gwxt9RE8HJTosh5IrSKX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjO ++jRQclJBetK0wZjmkkgZTS25/JgdCPpff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7 ++SSmBfVEWZkQKH6y3ogj16hZZEK3Yo/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVO ++yHUipMApePlomYC/+/ZJwwfoGBm/+IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1 ++a9PC6lRl3/oUWJKSqdiiStJr5+4FEHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGn ++aQIDAQAB ++-----END PUBLIC KEY----- ++ ++PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC ++ ++# RSA decrypt ++ ++# a random positive test case ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066 ++Output = "lorem ipsum dolor sit amet" ++ ++Availablein = default ++# a random negative test case decrypting to empty ++Decrypt = RSA-2048-2 ++Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7 ++Output = ++ ++Availablein = default ++# invalid decrypting to max length message ++Decrypt = RSA-2048-2 ++Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303 ++Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 ++ ++Availablein = default ++# invalid decrypting to message with length specified by second to last value from PRF ++Decrypt = RSA-2048-2 ++Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354 ++Output = 0f9b ++ ++Availablein = default ++# invalid decrypting to message with length specified by third to last value from PRF ++Decrypt = RSA-2048-2 ++Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081 ++Output = 4f02 ++ ++# positive test with 11 byte long value ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592 ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and zero padded ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and zero truncated ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and double zero padded ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and double zero truncated ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc ++Output = "lorem ipsum" ++ ++# positive that generates a 0 byte long synthethic message internally ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0 ++Output = "lorem ipsum" ++ ++# positive that generates a 245 byte long synthethic message internally ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50 ++Output = "lorem ipsum" ++ ++Availablein = default ++# a random negative test that generates an 11 byte long message ++Decrypt = RSA-2048-2 ++Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2 ++Output = af9ac70191c92413cb9f2d ++ ++Availablein = default ++# an otherwise correct plaintext, but with wrong first byte ++# (0x01 instead of 0x00), generates a random 11 byte long plaintext ++Decrypt = RSA-2048-2 ++Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc3039906ff3aac904af32ec798fd65f3ad1afa2e69400e7c1de81f5728f3b3291f38263bc7a90a0563e43ce7a0d4ee9c0d8a716621ca5d3d081188769ce1b131af7d35b13dea99153579c86db31fe07d5a2c14d621b77854e48a8df41b5798563af489a291e417b6a334c63222627376118c02c53b6e86310f728734ffc86ef9d7c8bf56c0c841b24b82b59f51aee4526ba1c4268506d301e4ebc498c6aebb6fd5258c876bf900bac8ca4d309dd522f6a6343599a8bc3760f422c10c72d0ad527ce4af1874124ace3d99bb74db8d69d2528db22c3a37644640f95c05f ++Output = a1f8c9255c35cfba403ccc ++ ++Availablein = default ++# an otherwise correct plaintext, but with wrong second byte ++# (0x01 instead of 0x02), generates a random 11 byte long plaintext ++Decrypt = RSA-2048-2 ++Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d2bac96bf00d6592ea7cdc3341610c8fb07e527e5e2d20cfaf2c7f23e375431f45e998929a02f25fd95354c33838090bca838502259e92d86d568bc2cdb132fab2a399593ca60a015dc2bb1afcd64fef8a3834e17e5358d822980dc446e845b3ab4702b1ee41fe5db716d92348d5091c15d35a110555a35deb4650a5a1d2c98025d42d4544f8b32aa6a5e02dc02deaed9a7313b73b49b0d4772a3768b0ea0db5846ace6569cae677bf67fb0acf3c255dc01ec8400c963b6e49b1067728b4e563d7e1e1515664347b92ee64db7efb5452357a02fff7fcb7437abc2e579 ++Output = e6d700309ca0ed62452254 ++ ++Availablein = default ++# an invalid ciphertext, with a zero byte in first byte of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 ++Output = ba27b1842e7c21c0e7ef6a ++ ++Availablein = default ++# an invalid ciphertext, with a zero byte removed from first byte of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 ++Output = ba27b1842e7c21c0e7ef6a ++ ++Availablein = default ++# an invalid ciphertext, with two zero bytes in first bytes of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 ++Output = d5cf555b1d6151029a429a ++ ++Availablein = default ++# an invalid ciphertext, with two zero bytes removed from first bytes of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 ++Output = d5cf555b1d6151029a429a ++ ++Availablein = default ++# and invalid ciphertext, otherwise valid but starting with 000002, decrypts ++# to random 11 byte long synthethic plaintext ++Decrypt = RSA-2048-2 ++Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802f8e9a17c4cb3cd3a84041891471b10ca1fcfb5d041d34c82e6d0011cf4dc76b90e9c2e0743590579d55bcd7857057152c4a8040361343d1d22ba677d62b011407c652e234b1d663af25e2386251d7409190f19fc8ec3f9374fdf1254633874ce2ec2bff40ad0cb473f9761ec7b68da45a4bd5e33f5d7dac9b9a20821df9406b653f78a95a6c0ea0a4d57f867e4db22c17bf9a12c150f809a7b72b6db86c22a8732241ebf3c6a4f2cf82671d917aba8bc61052b40ccddd743a94ea9b538175106201971cca9d136d25081739aaf6cd18b2aecf9ad320ea3f89502f955 ++Output = 3d4a054d9358209e9cbbb9 ++ ++Availablein = default ++# negative test with otherwise valid padding but a zero byte in first byte ++# of padding ++Decrypt = RSA-2048-2 ++Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a940037ac516b0d6412ba44ec6b4f268a55ef1c5ffbf18a2f4e3522bb7b6ed89774b79bffa22f7d3102165565642de0d43a955e96a1f2e80e5430671d7266eb4f905dc8ff5e106dc5588e5b0289e49a4913940e392a97062616d2bda38155471b7d360cfb94681c702f60ed2d4de614ea72bf1c53160e63179f6c5b897b59492bee219108309f0b7b8cb2b136c346a5e98b8b4b8415fb1d713bae067911e3057f1c335b4b7e39101eafd5d28f0189037e4334f4fdb9038427b1d119a6702aa8233319cc97d496cc289ae8c956ddc84042659a2d43d6aa22f12b81ab884e ++Output = 1f037dd717b07d3e7f7359 ++ ++Availablein = default ++# negative test with otherwise valid padding but a zero byte at the eigth ++# byte of padding ++Decrypt = RSA-2048-2 ++Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a96460e745024436470ed85e94297b283537d52189c406a3f533cb405cc6a9dba46b482ce98b6e3dd52d8fce2237425617e38c11fbc46b61897ef200d01e4f25f5f6c4c5b38cd0de38ba11908b86595a8036a08a42a3d05b79600a97ac18ba368a08d6cf6ccb624f6e8002afc75599fba4de3d4f3ba7d208391ebe8d21f8282b18e2c10869eb2702e68f9176b42b0ddc9d763f0c86ba0ff92c957aaeab76d9ab8da52ea297ec11d92d770146faa1b300e0f91ef969b53e7d2907ffc984e9a9c9d11fb7d6cba91972059b46506b035efec6575c46d7114a6b935864858445f ++Output = 63cb0bf65fc8255dd29e17 ++ ++Availablein = default ++# negative test with an otherwise valid plaintext but with missing separator ++# byte ++Decrypt = RSA-2048-2 ++Input = 3d1b97e7aa34eaf1f4fc171ceb11dcfffd9a46a5b6961205b10b302818c1fcc9f4ec78bf18ea0cee7e9fa5b16fb4c611463b368b3312ac11cf9c06b7cf72b54e284848a508d3f02328c62c2999d0fb60929f81783c7a256891bc2ff4d91df2af96a24fc5701a1823af939ce6dbdc510608e3d41eec172ad2d51b9fc61b4217c923cadcf5bac321355ef8be5e5f090cdc2bd0c697d9058247db3ad613fdce87d2955a6d1c948a5160f93da21f731d74137f5d1f53a1923adb513d2e6e1589d44cc079f4c6ddd471d38ac82d20d8b1d21f8d65f3b6907086809f4123e08d86fb38729585de026a485d8f0e703fd4772f6668febf67df947b82195fa3867e3a3065 ++Output = 6f09a0b62699337c497b0b ++ ++# Test vectors for the Bleichenbacher workaround (2049 bit key size) ++ ++PrivateKey = RSA-2049 ++-----BEGIN RSA PRIVATE KEY----- ++MIIEpQIBAAKCAQEBVfiJVWoXdfHHp3hqULGLwoyemG7eVmfKs5uEEk6Q66dcHbCD ++rD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjIXeD+dX9uSbue1EfmAkMIANuwTOsi ++5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePfYkZQCUYx8h6v0vtbyRX/BDeazRES ++9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+UFVTQRwRnUFw89UHqCJffyfQAzssp ++j/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/krw6A+qFdsQX8kAHteT3UBEFtUTen6 ++3N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQlwIDAQABAoIBAQEZwrP1CnrWFSZ5 ++1/9RCVisLYym8AKFkvMy1VoWc2F4qOZ/F+cFzjAOPodUclEAYBP5dNCj20nvNEyl ++omo0wEUHBNDkIuDOI6aUJcFf77bybhBu7/ZMyLnXRC5NpOjIUAjq6zZYWaIpT6OT ++e8Jr5WMy59geLBYO9jXMUoqnvlXmM6cj28Hha6KeUrKa7y+eVlT9wGZrsPwlSsvo ++DmOHTw9fAgeC48nc/CUg0MnEp7Y05FA/u0k+Gq/us/iL16EzmHJdrm/jmed1zV1M ++8J/IODR8TJjasaSIPM5iBRNhWvqhCmM2jm17ed9BZqsWJznvUVpEAu4eBgHFpVvH ++HfDjDt+BAoGBAYj2k2DwHhjZot4pUlPSUsMeRHbOpf97+EE99/3jVlI83JdoBfhP ++wN3sdw3wbO0GXIETSHVLNGrxaXVod/07PVaGgsh4fQsxTvasZ9ZegTM5i2Kgg8D4 ++dlxa1A1agfm73OJSftfpUAjLECnLTKvR+em+38KGyWVSJV2n6rGSF473AoGBAN7H ++zxHa3oOkxD0vgBl/If1dRv1XtDH0T+gaHeN/agkf/ARk7ZcdyFCINa3mzF9Wbzll ++YTqLNnmMkubiP1LvkH6VZ+NBvrxTNxiWJfu+qx87ez+S/7JoHm71p4SowtePfC2J ++qqok0s7b0GaBz+ZcNse/o8W6E1FiIi71wukUyYNhAoGAEgk/OnPK7dkPYKME5FQC +++HGrMsjJVbCa9GOjvkNw8tVYSpq7q2n9sDHqRPmEBl0EYehAqyGIhmAONxVUbIsL ++ha0m04y0MI9S0H+ZRH2R8IfzndNAONsuk46XrQU6cfvtZ3Xh3IcY5U5sr35lRn2c ++ut3H52XIWJ4smN/cJcpOyoECgYEAjM5hNHnPlgj392wkXPkbtJXWHp3mSISQVLTd ++G0MW8/mBQg3AlXi/eRb+RpHPrppk5jQLhgMjRSPyXXe2amb8PuWTqfGN6l32PtX3 ++3+udILpppb71Wf+w7JTbcl9v9uq7o9SVR8DKdPA+AeweSQ0TmqCnlHuNZizOSjwP ++G16GF0ECgYEA+ZWbNMS8qM5IiHgbMbHptdit9dDT4+1UXoNn0/hUW6ZEMriHMDXv ++iBwrzeANGAn5LEDYeDe1xPms9Is2uNxTpZVhpFZSNALR6Po68wDlTJG2PmzuBv5t ++5mbzkpWCoD4fRU53ifsHgaTW+7Um74gWIf0erNIUZuTN2YrtEPTnb3k= ++-----END RSA PRIVATE KEY----- ++ ++# corresponding public key ++PublicKey = RSA-2049-PUBLIC ++-----BEGIN PUBLIC KEY----- ++MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEBVfiJVWoXdfHHp3hqULGL ++woyemG7eVmfKs5uEEk6Q66dcHbCDrD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjI ++XeD+dX9uSbue1EfmAkMIANuwTOsi5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePf ++YkZQCUYx8h6v0vtbyRX/BDeazRES9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+U ++FVTQRwRnUFw89UHqCJffyfQAzsspj/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/kr ++w6A+qFdsQX8kAHteT3UBEFtUTen63N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQ ++lwIDAQAB ++-----END PUBLIC KEY----- ++ ++PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC ++ ++# RSA decrypt ++ ++Availablein = default ++# malformed that generates length specified by 3rd last value from PRF ++Decrypt = RSA-2049 ++Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894 ++Output = 42 ++ ++# simple positive test case ++Availablein = default ++Decrypt = RSA-2049 ++Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967 ++Output = "lorem ipsum" ++ ++# positive test case with null padded ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 ++Output = "lorem ipsum" ++ ++# positive test case with null truncated ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = 02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 ++Output = "lorem ipsum" ++ ++# positive test case with double null padded ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 ++Output = "lorem ipsum" ++ ++# positive test case with double null truncated ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 ++Output = "lorem ipsum" ++ ++Availablein = default ++# a random negative test case that generates an 11 byte long message ++Decrypt = RSA-2049 ++Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca ++Output = 1189b6f5498fd6df532b00 ++ ++Availablein = default ++# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) ++Decrypt = RSA-2049 ++Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff ++Output = f6d0f5b78082fe61c04674 ++ ++Availablein = default ++# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) ++Decrypt = RSA-2049 ++Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3 ++Output = 1ab287fcef3ff17067914d ++ ++# RSA decrypt with 3072 bit keys ++PrivateKey = RSA-3072 ++-----BEGIN RSA PRIVATE KEY----- ++MIIG5AIBAAKCAYEAr9ccqtXp9bjGw2cHCkfxnX5mrt4YpbJ0H7PE0zQ0VgaSotkJ ++72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjdvwDdu+OG0zuNDiKxtEk23EiYcbhS ++N7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni5QyIPH16wQ7Wp02ayQ35EpkFoX1K ++CHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3VxUosvFxargW1uygcnveqYBZMpcw64 ++wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx7S/IPlcZnP5ZCLEAh+J/vZfSwkIU ++YZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+vEN0V6VI3gMfVrlgJStUlqQY7TDP5 ++XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/gaEJANFIIOuAGvTxpZbEuc6aUx/P ++ilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDkooCElYcob01/JWzoXl61Z5sdrMH5 ++CVZJty5foHKusAN5AgMBAAECggGAJRfqyzr+9L/65gOY35lXpdKhVKgzaNjhWEKy ++9Z7gn3kZe9LvHprdr4eG9rQSdEdAXjBCsh8vULeqc3cWgMO7y2wiWl1f9rVsRxwY ++gqCjOwrxZaPtbCSdx3g+a8dYrDfmVy0z/jJQeO2VJlDy65YEkC75mlEaERnRPE/J ++pDoXXc37+xoUAP4XCTtpzTzbiV9lQy6iGV+QURxzNrWKaF2s/y2vTF6S5WWxZlrm ++DlErqplluAjV/xGc63zWksv5IAZ6+s2An2a+cG2iaBCseQ2xVslI5v5YG8mEkVf0 ++2kk/OmSwxuEZ4DGxB/hDbOKRYLRYuPnxCV/esZJjOE/1OHVXvE8QtANN6EFwO60s ++HnacI4U+tjCjbRBh3UbipruvdDqX8LMsNvUMGjci3vOjlNkcLgeL8J15Xs3l5WuC ++Avl0Am91/FbpoN1qiPLny3jvEpjMbGUgfKRb03GIgHtPzbHmDdjluFZI+376i2/d ++RI85dBqNmAn+Fjrz3kW6wkpahByBAoHBAOSj2DDXPosxxoLidP/J/RKsMT0t0FE9 ++UFcNt+tHYv6hk+e7VAuUqUpd3XQqz3P13rnK4xvSOsVguyeU/WgmH4ID9XGSgpBP ++Rh6s7izn4KAJeqfI26vTPxvyaZEqB4JxT6k7SerENus95zSn1v/f2MLBQ16EP8cJ +++QSOVCoZfEhUK+srherQ9eZKpj0OwBUrP4VhLdymv96r8xddWX1AVj4OBi2RywKI ++gAgv6fjwkb292jFu6x6FjKRNKwKK6c3jqQKBwQDE4c0Oz0KYYV4feJun3iL9UJSv ++StGsKVDuljA4WiBAmigMZTii/u0DFEjibiLWcJOnH53HTr0avA6c6D1nCwJ2qxyF ++rHNN2L+cdMx/7L1zLR11+InvRgpIGbpeGwHeIzJVUYG3b6llRJMZimBvAMr9ipM1 ++bkVvIjt1G9W1ypeuKzm6d/t8F0yC7AIYZWDV4nvxiiY8whLZzGawHR2iZz8pfUwb ++7URbTvxdsGE27Kq9gstU0PzEJpnU1goCJ7/gA1ECgcBA8w5B6ZM5xV0H5z6nPwDm ++IgYmw/HucgV1hU8exfuoK8wxQvTACW4B0yJKkrK11T1899aGG7VYRn9D4j4OLO48 ++Z9V8esseJXbc1fEezovvymGOci984xiFXtqAQzk44+lmQJJh33VeZApe2eLocvVH ++ddEmc1kOuJWFpszf3LeCcG69cnKrXsrLrZ8Frz//g3aa9B0sFi5hGeWHWJxISVN2 ++c1Nr9IN/57i/GqVTcztjdCAcdM7Tr8phDg7OvRlnxGkCgcEAuYhMFBuulyiSaTff ++/3ZvJKYOJ45rPkEFGoD/2ercn+RlvyCYGcoAEjnIYVEGlWwrSH+b0NlbjVkQsD6O ++to8CeE/RpgqX8hFCqC7NE/RFp8cpDyXy3j/zqnRMUyhCP1KNuScBBZs9V8gikxv6 ++ukBWCk3PYbeTySHKRBbB8vmCrMfhM96jaBIQsQO1CcZnVceDo1/bnsAIwaREVMxr ++Q8LmG7QOx/Z0x1MMsUFoqzilwccC09/JgxMZPh+h+Nv6jiCxAoHBAOEqQgFAfSdR ++ya60LLH55q803NRFMamuKiPbVJLzwiKfbjOiiopmQOS/LxxqIzeMXlYV4OsSvxTo ++G7mcTOFRtU5hKCK+t8qeQQpa/dsMpiHllwArnRyBjIVgL5lFKRpHUGLsavU/T1IH ++mtgaxZo32dXvcAh1+ndCHVBwbHTOF4conA+g+Usp4bZSSWn5nU4oIizvSVpG7SGe ++0GngdxH9Usdqbvzcip1EKeHRTZrHIEYmB+x0LaRIB3dwZNidK3TkKw== ++-----END RSA PRIVATE KEY----- ++ ++PublicKey = RSA-3072-PUBLIC ++-----BEGIN PUBLIC KEY----- ++MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAr9ccqtXp9bjGw2cHCkfx ++nX5mrt4YpbJ0H7PE0zQ0VgaSotkJ72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjd ++vwDdu+OG0zuNDiKxtEk23EiYcbhSN7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni ++5QyIPH16wQ7Wp02ayQ35EpkFoX1KCHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3Vx ++UosvFxargW1uygcnveqYBZMpcw64wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx ++7S/IPlcZnP5ZCLEAh+J/vZfSwkIUYZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+v ++EN0V6VI3gMfVrlgJStUlqQY7TDP5XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/ ++gaEJANFIIOuAGvTxpZbEuc6aUx/PilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDk ++ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE= ++-----END PUBLIC KEY----- ++ ++PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC ++ ++Availablein = default ++# a random invalid ciphertext that generates an empty synthethic one ++Decrypt = RSA-3072 ++Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59 ++Output = ++ ++Availablein = default ++# a random invalid that has PRF output with a length one byte too long ++# in the last value ++Decrypt = RSA-3072 ++Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa28b791188374b61916dbc11339bf14b06f5f3f68c206c5607380e13da3129bfb744157e1527dd6fdf6651248b028a496ae1b97702d44706043cdaa7a59c0f41367303f21f268968bf3bd2904db3ae5239b55f8b438d93d7db9d1666c071c0857e2ec37757463769c54e51f052b2a71b04c2869e9e7049a1037b8429206c99726f07289bac18363e7eb2a5b417f47c37a55090cda676517b3549c873f2fe95da9681752ec9864b069089a2ed2f340c8b04ee00079055a817a3355b46ac7dc00d17f4504ccfbcfcadb0c04cb6b22069e179385ae1eafabad5521bac2b8a8ee1dfff59a22eb3fdacfc87175d10d7894cfd869d056057dd9944b869c1784fcc27f731bc46171d39570fbffbadf082d33f6352ecf44aca8d9478e53f5a5b7c852b401e8f5f74da49da91e65bdc97765a9523b7a0885a6f8afe5759d58009fbfa837472a968e6ae92026a5e0202a395483095302d6c3985b5f5831c521a271 ++Output = 56a3bea054e01338be9b7d7957539c ++ ++Availablein = default ++# a random invalid that generates a synthethic of maximum size ++Decrypt = RSA-3072 ++Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6 ++Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04 ++ ++# a positive test case that decrypts to 9 byte long value ++Availablein = default ++Decrypt = RSA-3072 ++Input = 6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde ++Output = "forty two" ++ ++# a positive test case with null padded ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 ++Output = "forty two" ++ ++# a positive test case with null truncated ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 ++Output = "forty two" ++ ++# a positive test case with double null padded ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 ++Output = "forty two" ++ ++# a positive test case with double null truncated ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 ++Output = "forty two" ++ ++Availablein = default ++# a random negative test case that generates a 9 byte long message ++Decrypt = RSA-3072 ++Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56 ++Output = 257906ca6de8307728 ++ ++Availablein = default ++# a random negative test case that generates a 9 byte long message based on ++# second to last value from PRF ++Decrypt = RSA-3072 ++Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a03a2c10eb624a63322d854da195c017b76fea83e274fa371834dcd2f3b7accf433fc212ad76c0bac366e1ed32e25b279f94129be7c64d6e162adc08ccebc0cfe8e926f01c33ab9c065f0e0ac83ae5137a4cb66702615ad68a35707d8676d2740d7c1a954680c83980e19778ed11eed3a7c2dbdfc461a9bbef671c1bc00c882d361d29d5f80c42bdf5efec886c34138f83369c6933b2ac4e93e764265351b4a0083f040e14f511f09b22f96566138864e4e6ff24da4810095da98e0585410951538ced2f757a277ff8e17172f06572c9024eeae503f176fd46eb6c5cd9ba07af11cde31dccac12eb3a4249a7bfd3b19797ad1656984bfcbf6f74e8f99d8f1ac420811f3d166d87f935ef15ae858cf9e72c8e2b547bf16c3fb09a8c9bf88fd2e5d38bf24ed610896131a84df76b9f920fe76d71fff938e9199f3b8cd0c11fd0201f9139d7673a871a9e7d4adc3bbe360c8813617cd60a90128fbe34c9d5 ++Output = 043383c929060374ed ++ ++Availablein = default ++# a random negative test that generates message based on 3rd last value from ++# PRF ++Decrypt = RSA-3072 ++Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf4868174a91d7601a82975d2255190d28b869141d7c395f0b8c4e2be2b2c1b4ffc12ce749a6f6803d4cfe7fba0a8d6949c04151f981c0d84592aa2ff25d1bd3ce5d10cb03daca6b496c6ad40d30bfa8acdfd02cdb9326c4bdd93b949c9dc46caa8f0e5f429785bce64136a429a3695ee674b647452bea1b0c6de9c5f1e8760d5ef6d5a9cfff40457b023d3c233c1dcb323e7808103e73963b2eafc928c9eeb0ee3294955415c1ddd9a1bb7e138fecd79a3cb89c57bd2305524624814aaf0fd1acbf379f7f5b39421f12f115ba488d380586095bb53f174fae424fa4c8e3b299709cd344b9f949b1ab57f1c645d7ed3c8f81d5594197355029fee8960970ff59710dc0e5eb50ea6f4c3938e3f89ed7933023a2c2ddffaba07be147f686828bd7d520f300507ed6e71bdaee05570b27bc92741108ac2eb433f028e138dd6d63067bc206ea2d826a7f41c0d613daed020f0f30f4e272e9618e0a8c39018a83 ++Output = 70263fa6050534b9e0 ++ ++Availablein = default ++# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) ++Decrypt = RSA-3072 ++Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62 ++Output = 6d8d3a094ff3afff4c ++ ++Availablein = default ++# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) ++Decrypt = RSA-3072 ++Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936 ++Output = c6ae80ffa80bc184b0 ++ ++Availablein = default ++# an otherwise valid plaintext, but with zero byte in first byte of padding ++Decrypt = RSA-3072 ++Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0 ++Output = a8a9301daa01bb25c7 ++ ++Availablein = default ++# an otherwise valid plaintext, but with zero byte in eight byte of padding ++Decrypt = RSA-3072 ++Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571 ++Output = 6c716fe01d44398018 ++ ++Availablein = default ++# an otherwise valid plaintext, but with null separator missing ++Decrypt = RSA-3072 ++Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4 ++Output = aa2de6cde4e2442884 ++ + # RSA PSS key tests + + # PSS only key, no parameter restrictions diff --git a/SOURCES/0121-FIPS-cms-defaults.patch b/SOURCES/0121-FIPS-cms-defaults.patch new file mode 100644 index 0000000..7598512 --- /dev/null +++ b/SOURCES/0121-FIPS-cms-defaults.patch @@ -0,0 +1,65 @@ +diff -up openssl-3.0.7/apps/cms.c.fips_cms openssl-3.0.7/apps/cms.c +--- openssl-3.0.7/apps/cms.c.fips_cms 2023-05-18 14:03:56.360555106 +0200 ++++ openssl-3.0.7/apps/cms.c 2023-05-18 14:13:33.765183185 +0200 +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + static int save_certs(char *signerfile, STACK_OF(X509) *signers); + static int cms_cb(int ok, X509_STORE_CTX *ctx); +@@ -810,12 +811,16 @@ int cms_main(int argc, char **argv) + + if (operation == SMIME_ENCRYPT) { + if (!cipher) { ++ if (FIPS_mode()) { ++ cipher = (EVP_CIPHER *)EVP_aes_128_cbc(); ++ } else { + #ifndef OPENSSL_NO_DES +- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); ++ cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); + #else +- BIO_printf(bio_err, "No cipher selected\n"); +- goto end; ++ BIO_printf(bio_err, "No cipher selected\n"); ++ goto end; + #endif ++ } + } + + if (secret_key && !secret_keyid) { +diff -up openssl-3.0.7/crypto/cms/cms_env.c.fips_cms openssl-3.0.7/crypto/cms/cms_env.c +--- openssl-3.0.7/crypto/cms/cms_env.c.fips_cms 2023-05-22 10:06:50.276528155 +0200 ++++ openssl-3.0.7/crypto/cms/cms_env.c 2023-05-22 10:08:58.406073945 +0200 +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include "internal/sizes.h" + #include "crypto/asn1.h" + #include "crypto/evp.h" +@@ -321,6 +321,10 @@ static int cms_RecipientInfo_ktri_init(C + return 0; + if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0) + return 0; ++ if (FIPS_mode()) { ++ if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0) ++ return 0; ++ } + } else if (!ossl_cms_env_asn1_ctrl(ri, 0)) + return 0; + return 1; +@@ -484,6 +489,11 @@ static int cms_RecipientInfo_ktri_encryp + + if (EVP_PKEY_encrypt_init(pctx) <= 0) + goto err; ++ ++ if (FIPS_mode()) { ++ if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0) ++ goto err; ++ } + } + + if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0) diff --git a/SOURCES/0122-CVE-2023-2650.patch b/SOURCES/0122-CVE-2023-2650.patch new file mode 100644 index 0000000..ba56969 --- /dev/null +++ b/SOURCES/0122-CVE-2023-2650.patch @@ -0,0 +1,30 @@ +diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c +index 01cde00e98..c0e55197a0 100644 +--- a/crypto/objects/obj_dat.c ++++ b/crypto/objects/obj_dat.c +@@ -443,6 +443,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + first = 1; + bl = NULL; + ++ /* ++ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs: ++ * ++ * > 3.5. OBJECT IDENTIFIER values ++ * > ++ * > An OBJECT IDENTIFIER value is an ordered list of non-negative ++ * > numbers. For the SMIv2, each number in the list is referred to as a ++ * > sub-identifier, there are at most 128 sub-identifiers in a value, ++ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295 ++ * > decimal). ++ * ++ * So a legitimate OID according to this RFC is at most (32 * 128 / 7), ++ * i.e. 586 bytes long. ++ * ++ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 ++ */ ++ if (len > 586) ++ goto err; ++ + while (len > 0) { + l = 0; + use_bn = 0; diff --git a/SOURCES/0123-ibmca-atexit-crash.patch b/SOURCES/0123-ibmca-atexit-crash.patch new file mode 100644 index 0000000..893e598 --- /dev/null +++ b/SOURCES/0123-ibmca-atexit-crash.patch @@ -0,0 +1,244 @@ +diff --git a/crypto/context.c b/crypto/context.c +index bdfc4d02a3f0..548665fba265 100644 +--- a/crypto/context.c ++++ b/crypto/context.c +@@ -15,6 +15,7 @@ + #include "internal/bio.h" + #include "internal/provider.h" + #include "crypto/ctype.h" ++#include "crypto/rand.h" + + # include + # include +@@ -271,6 +272,20 @@ OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx) + + return NULL; + } ++ ++void ossl_release_default_drbg_ctx(void) ++{ ++ int dynidx = default_context_int.dyn_indexes[OSSL_LIB_CTX_DRBG_INDEX]; ++ ++ /* early release of the DRBG in global default libctx, no locking */ ++ if (dynidx != -1) { ++ void *data; ++ ++ data = CRYPTO_get_ex_data(&default_context_int.data, dynidx); ++ ossl_rand_ctx_free(data); ++ CRYPTO_set_ex_data(&default_context_int.data, dynidx, NULL); ++ } ++} + #endif + + OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx) +diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c +index c453d3226133..f341d915db76 100644 +--- a/crypto/rand/rand_lib.c ++++ b/crypto/rand/rand_lib.c +@@ -96,6 +96,7 @@ void ossl_rand_cleanup_int(void) + CRYPTO_THREAD_lock_free(rand_meth_lock); + rand_meth_lock = NULL; + # endif ++ ossl_release_default_drbg_ctx(); + rand_inited = 0; + } + +@@ -469,7 +470,7 @@ static void *rand_ossl_ctx_new(OSSL_LIB_CTX *libctx) + return NULL; + } + +-static void rand_ossl_ctx_free(void *vdgbl) ++void ossl_rand_ctx_free(void *vdgbl) + { + RAND_GLOBAL *dgbl = vdgbl; + +@@ -494,7 +495,7 @@ static void rand_ossl_ctx_free(void *vdgbl) + static const OSSL_LIB_CTX_METHOD rand_drbg_ossl_ctx_method = { + OSSL_LIB_CTX_METHOD_PRIORITY_2, + rand_ossl_ctx_new, +- rand_ossl_ctx_free, ++ ossl_rand_ctx_free, + }; + + static RAND_GLOBAL *rand_get_global(OSSL_LIB_CTX *libctx) +diff --git a/engines/e_dasync.c b/engines/e_dasync.c +index 5a303a9f8528..7974106ae219 100644 +--- a/engines/e_dasync.c ++++ b/engines/e_dasync.c +@@ -139,6 +139,14 @@ static int dasync_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, + const unsigned char *in, size_t inl); + static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx); + ++static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, ++ void *ptr); ++static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc); ++static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl); ++static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx); ++ + static int dasync_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, + int arg, void *ptr); + static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, +@@ -171,6 +179,12 @@ static const EVP_CIPHER *dasync_aes_128_cbc(void) + return _hidden_aes_128_cbc; + } + ++static EVP_CIPHER *_hidden_aes_256_ctr = NULL; ++static const EVP_CIPHER *dasync_aes_256_ctr(void) ++{ ++ return _hidden_aes_256_ctr; ++} ++ + /* + * Holds the EVP_CIPHER object for aes_128_cbc_hmac_sha1 in this engine. Set up + * once only during engine bind and can then be reused many times. +@@ -192,8 +206,10 @@ static const EVP_CIPHER *dasync_aes_128_cbc_hmac_sha1(void) + static void destroy_ciphers(void) + { + EVP_CIPHER_meth_free(_hidden_aes_128_cbc); ++ EVP_CIPHER_meth_free(_hidden_aes_256_ctr); + EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1); + _hidden_aes_128_cbc = NULL; ++ _hidden_aes_256_ctr = NULL; + _hidden_aes_128_cbc_hmac_sha1 = NULL; + } + +@@ -202,6 +218,7 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + + static int dasync_cipher_nids[] = { + NID_aes_128_cbc, ++ NID_aes_256_ctr, + NID_aes_128_cbc_hmac_sha1, + 0 + }; +@@ -284,6 +301,30 @@ static int bind_dasync(ENGINE *e) + _hidden_aes_128_cbc = NULL; + } + ++ _hidden_aes_256_ctr = EVP_CIPHER_meth_new(NID_aes_256_ctr, ++ 1 /* block size */, ++ 32 /* key len */); ++ if (_hidden_aes_256_ctr == NULL ++ || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_256_ctr,16) ++ || !EVP_CIPHER_meth_set_flags(_hidden_aes_256_ctr, ++ EVP_CIPH_FLAG_DEFAULT_ASN1 ++ | EVP_CIPH_CTR_MODE ++ | EVP_CIPH_FLAG_PIPELINE ++ | EVP_CIPH_CUSTOM_COPY) ++ || !EVP_CIPHER_meth_set_init(_hidden_aes_256_ctr, ++ dasync_aes256_init_key) ++ || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_256_ctr, ++ dasync_aes256_ctr_cipher) ++ || !EVP_CIPHER_meth_set_cleanup(_hidden_aes_256_ctr, ++ dasync_aes256_ctr_cleanup) ++ || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_256_ctr, ++ dasync_aes256_ctr_ctrl) ++ || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_256_ctr, ++ sizeof(struct dasync_pipeline_ctx))) { ++ EVP_CIPHER_meth_free(_hidden_aes_256_ctr); ++ _hidden_aes_256_ctr = NULL; ++ } ++ + _hidden_aes_128_cbc_hmac_sha1 = EVP_CIPHER_meth_new( + NID_aes_128_cbc_hmac_sha1, + 16 /* block size */, +@@ -445,6 +486,9 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + case NID_aes_128_cbc: + *cipher = dasync_aes_128_cbc(); + break; ++ case NID_aes_256_ctr: ++ *cipher = dasync_aes_256_ctr(); ++ break; + case NID_aes_128_cbc_hmac_sha1: + *cipher = dasync_aes_128_cbc_hmac_sha1(); + break; +@@ -779,6 +823,29 @@ static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx) + return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc()); + } + ++static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, ++ void *ptr) ++{ ++ return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 0, EVP_aes_256_ctr()); ++} ++ ++static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc) ++{ ++ return dasync_cipher_init_key_helper(ctx, key, iv, enc, EVP_aes_256_ctr()); ++} ++ ++static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl) ++{ ++ return dasync_cipher_helper(ctx, out, in, inl, EVP_aes_256_ctr()); ++} ++ ++static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx) ++{ ++ return dasync_cipher_cleanup_helper(ctx, EVP_aes_256_ctr()); ++} ++ + + /* + * AES128 CBC HMAC SHA1 Implementation +diff --git a/include/crypto/rand.h b/include/crypto/rand.h +index 6a71a339c812..165deaf95c5e 100644 +--- a/include/crypto/rand.h ++++ b/include/crypto/rand.h +@@ -125,4 +125,5 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle, + size_t ossl_pool_acquire_entropy(RAND_POOL *pool); + int ossl_pool_add_nonce_data(RAND_POOL *pool); + ++void ossl_rand_ctx_free(void *vdgbl); + #endif +diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h +index 1291299b6e50..934d4b089c20 100644 +--- a/include/internal/cryptlib.h ++++ b/include/internal/cryptlib.h +@@ -199,6 +199,8 @@ int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx, + int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn); + const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx); + ++void ossl_release_default_drbg_ctx(void); ++ + OSSL_LIB_CTX *ossl_crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad); + int ossl_crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj, + CRYPTO_EX_DATA *ad); +diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t +index 4da1e64cb6da..3f352db9df3a 100644 +--- a/test/recipes/05-test_rand.t ++++ b/test/recipes/05-test_rand.t +@@ -11,9 +11,30 @@ use warnings; + use OpenSSL::Test; + use OpenSSL::Test::Utils; + +-plan tests => 3; ++plan tests => 5; + setup("test_rand"); + + ok(run(test(["rand_test"]))); + ok(run(test(["drbgtest"]))); + ok(run(test(["rand_status_test"]))); ++ ++SKIP: { ++ skip "engine is not supported by this OpenSSL build", 2 ++ if disabled("engine") || disabled("dynamic-engine"); ++ ++ my $success; ++ my @randdata; ++ my $expected = '0102030405060708090a0b0c0d0e0f10'; ++ ++ @randdata = run(app(['openssl', 'rand', '-engine', 'ossltest', '-hex', '16' ]), ++ capture => 1, statusvar => \$success); ++ chomp(@randdata); ++ ok($success and $randdata[0] eq $expected, ++ "rand with ossltest: Check rand output is as expected"); ++ ++ @randdata = run(app(['openssl', 'rand', '-engine', 'dasync', '-hex', '16' ]), ++ capture => 1, statusvar => \$success); ++ chomp(@randdata); ++ ok($success and length($randdata[0]) == 32, ++ "rand with dasync: Check rand output is of expected length"); ++} diff --git a/SOURCES/ec_curve.c b/SOURCES/ec_curve.c deleted file mode 100644 index 64ac40b..0000000 --- a/SOURCES/ec_curve.c +++ /dev/null @@ -1,628 +0,0 @@ -/* - * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. - * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * ECDSA low level APIs are deprecated for public use, but still ok for - * internal use. - */ -#include "internal/deprecated.h" - -#include -#include "ec_local.h" -#include -#include -#include -#include -#include "internal/nelem.h" - -typedef struct { - int field_type, /* either NID_X9_62_prime_field or - * NID_X9_62_characteristic_two_field */ - seed_len, param_len; - unsigned int cofactor; /* promoted to BN_ULONG */ -} EC_CURVE_DATA; - -/* the nist prime curves */ -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 28 * 6]; -} _EC_NIST_PRIME_224 = { - { - NID_X9_62_prime_field, 20, 28, 1 - }, - { - /* seed */ - 0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F, - 0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5, - /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x01, - /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, - /* b */ - 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56, - 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43, - 0x23, 0x55, 0xFF, 0xB4, - /* x */ - 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9, - 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6, - 0x11, 0x5C, 0x1D, 0x21, - /* y */ - 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, - 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, - 0x85, 0x00, 0x7e, 0x34, - /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45, - 0x5C, 0x5C, 0x2A, 0x3D - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 48 * 6]; -} _EC_NIST_PRIME_384 = { - { - NID_X9_62_prime_field, 20, 48, 1 - }, - { - /* seed */ - 0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A, - 0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73, - /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC, - /* b */ - 0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B, - 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12, - 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, - 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF, - /* x */ - 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E, - 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98, - 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, - 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7, - /* y */ - 0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf, - 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c, - 0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce, - 0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f, - /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2, - 0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 66 * 6]; -} _EC_NIST_PRIME_521 = { - { - NID_X9_62_prime_field, 20, 66, 1 - }, - { - /* seed */ - 0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17, - 0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA, - /* p */ - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - /* a */ - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, - /* b */ - 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A, - 0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3, - 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19, - 0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1, - 0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45, - 0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00, - /* x */ - 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E, - 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F, - 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B, - 0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF, - 0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E, - 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66, - /* y */ - 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, - 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, - 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, - 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, - 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, - 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50, - /* order */ - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86, - 0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09, - 0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F, - 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 32 * 6]; -} _EC_X9_62_PRIME_256V1 = { - { - NID_X9_62_prime_field, 20, 32, 1 - }, - { - /* seed */ - 0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1, - 0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90, - /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, - /* b */ - 0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55, - 0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6, - 0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B, - /* x */ - 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5, - 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0, - 0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96, - /* y */ - 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, - 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, - 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5, - /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, - 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -} _EC_SECG_PRIME_256K1 = { - { - NID_X9_62_prime_field, 0, 32, 1 - }, - { - /* no seed */ - /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F, - /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - /* b */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, - /* x */ - 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, - 0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, - 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98, - /* y */ - 0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc, - 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19, - 0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8, - /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, - 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41 - } -}; - -typedef struct _ec_list_element_st { - int nid; - const EC_CURVE_DATA *data; - const EC_METHOD *(*meth) (void); - const char *comment; -} ec_list_element; - -#ifdef FIPS_MODULE -static const ec_list_element curve_list[] = { - /* prime field curves */ - /* secg curves */ - {NID_secp224r1, &_EC_NIST_PRIME_224.h, -# if !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) - EC_GFp_nistp224_method, -# else - 0, -# endif - "NIST/SECG curve over a 224 bit prime field"}, - /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ - {NID_secp384r1, &_EC_NIST_PRIME_384.h, -# if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp384_method, -# else - 0, -# endif - "NIST/SECG curve over a 384 bit prime field"}, - - {NID_secp521r1, &_EC_NIST_PRIME_521.h, -# if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp521_method, -# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) - EC_GFp_nistp521_method, -# else - 0, -# endif - "NIST/SECG curve over a 521 bit prime field"}, - - /* X9.62 curves */ - {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, -# if defined(ECP_NISTZ256_ASM) - EC_GFp_nistz256_method, -# elif defined(S390X_EC_ASM) - EC_GFp_s390x_nistp256_method, -# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) - EC_GFp_nistp256_method, -# else - 0, -# endif - "X9.62/SECG curve over a 256 bit prime field"}, -}; - -#else - -static const ec_list_element curve_list[] = { - /* prime field curves */ - /* secg curves */ -# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 - {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, - "NIST/SECG curve over a 224 bit prime field"}, -# else - {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, - "NIST/SECG curve over a 224 bit prime field"}, -# endif - {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, - "SECG curve over a 256 bit prime field"}, - /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ - {NID_secp384r1, &_EC_NIST_PRIME_384.h, -# if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp384_method, -# else - 0, -# endif - "NIST/SECG curve over a 384 bit prime field"}, - {NID_secp521r1, &_EC_NIST_PRIME_521.h, -# if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp521_method, -# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) - EC_GFp_nistp521_method, -# else - 0, -# endif - "NIST/SECG curve over a 521 bit prime field"}, - /* X9.62 curves */ - {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, -# if defined(ECP_NISTZ256_ASM) - EC_GFp_nistz256_method, -# elif defined(S390X_EC_ASM) - EC_GFp_s390x_nistp256_method, -# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) - EC_GFp_nistp256_method, -# else - 0, -# endif - "X9.62/SECG curve over a 256 bit prime field"}, -}; -#endif /* FIPS_MODULE */ - -#define curve_list_length OSSL_NELEM(curve_list) - -static const ec_list_element *ec_curve_nid2curve(int nid) -{ - size_t i; - - if (nid <= 0) - return NULL; - - for (i = 0; i < curve_list_length; i++) { - if (curve_list[i].nid == nid) - return &curve_list[i]; - } - return NULL; -} - -static EC_GROUP *ec_group_new_from_data(OSSL_LIB_CTX *libctx, - const char *propq, - const ec_list_element curve) -{ - EC_GROUP *group = NULL; - EC_POINT *P = NULL; - BN_CTX *ctx = NULL; - BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order = - NULL; - int ok = 0; - int seed_len, param_len; - const EC_METHOD *meth; - const EC_CURVE_DATA *data; - const unsigned char *params; - - /* If no curve data curve method must handle everything */ - if (curve.data == NULL) - return ossl_ec_group_new_ex(libctx, propq, - curve.meth != NULL ? curve.meth() : NULL); - - if ((ctx = BN_CTX_new_ex(libctx)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); - goto err; - } - - data = curve.data; - seed_len = data->seed_len; - param_len = data->param_len; - params = (const unsigned char *)(data + 1); /* skip header */ - params += seed_len; /* skip seed */ - - if ((p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) == NULL - || (a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) == NULL - || (b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); - goto err; - } - - if (curve.meth != 0) { - meth = curve.meth(); - if (((group = ossl_ec_group_new_ex(libctx, propq, meth)) == NULL) || - (!(group->meth->group_set_curve(group, p, a, b, ctx)))) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - } else if (data->field_type == NID_X9_62_prime_field) { - if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - } -#ifndef OPENSSL_NO_EC2M - else { /* field_type == - * NID_X9_62_characteristic_two_field */ - - if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - } -#endif - - EC_GROUP_set_curve_name(group, curve.nid); - - if ((P = EC_POINT_new(group)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - - if ((x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) == NULL - || (y = BN_bin2bn(params + 4 * param_len, param_len, NULL)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); - goto err; - } - if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - if ((order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) == NULL - || !BN_set_word(x, (BN_ULONG)data->cofactor)) { - ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); - goto err; - } - if (!EC_GROUP_set_generator(group, P, order, x)) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - if (seed_len) { - if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - } - ok = 1; - err: - if (!ok) { - EC_GROUP_free(group); - group = NULL; - } - EC_POINT_free(P); - BN_CTX_free(ctx); - BN_free(p); - BN_free(a); - BN_free(b); - BN_free(order); - BN_free(x); - BN_free(y); - return group; -} - -EC_GROUP *EC_GROUP_new_by_curve_name_ex(OSSL_LIB_CTX *libctx, const char *propq, - int nid) -{ - EC_GROUP *ret = NULL; - const ec_list_element *curve; - - if ((curve = ec_curve_nid2curve(nid)) == NULL - || (ret = ec_group_new_from_data(libctx, propq, *curve)) == NULL) { -#ifndef FIPS_MODULE - ERR_raise_data(ERR_LIB_EC, EC_R_UNKNOWN_GROUP, - "name=%s", OBJ_nid2sn(nid)); -#else - ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP); -#endif - return NULL; - } - - return ret; -} - -#ifndef FIPS_MODULE -EC_GROUP *EC_GROUP_new_by_curve_name(int nid) -{ - return EC_GROUP_new_by_curve_name_ex(NULL, NULL, nid); -} -#endif - -size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems) -{ - size_t i, min; - - if (r == NULL || nitems == 0) - return curve_list_length; - - min = nitems < curve_list_length ? nitems : curve_list_length; - - for (i = 0; i < min; i++) { - r[i].nid = curve_list[i].nid; - r[i].comment = curve_list[i].comment; - } - - return curve_list_length; -} - -const char *EC_curve_nid2nist(int nid) -{ - return ossl_ec_curve_nid2nist_int(nid); -} - -int EC_curve_nist2nid(const char *name) -{ - return ossl_ec_curve_nist2nid_int(name); -} - -#define NUM_BN_FIELDS 6 -/* - * Validates EC domain parameter data for known named curves. - * This can be used when a curve is loaded explicitly (without a curve - * name) or to validate that domain parameters have not been modified. - * - * Returns: The nid associated with the found named curve, or NID_undef - * if not found. If there was an error it returns -1. - */ -int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx) -{ - int ret = -1, nid, len, field_type, param_len; - size_t i, seed_len; - const unsigned char *seed, *params_seed, *params; - unsigned char *param_bytes = NULL; - const EC_CURVE_DATA *data; - const EC_POINT *generator = NULL; - const BIGNUM *cofactor = NULL; - /* An array of BIGNUMs for (p, a, b, x, y, order) */ - BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL}; - - /* Use the optional named curve nid as a search field */ - nid = EC_GROUP_get_curve_name(group); - field_type = EC_GROUP_get_field_type(group); - seed_len = EC_GROUP_get_seed_len(group); - seed = EC_GROUP_get0_seed(group); - cofactor = EC_GROUP_get0_cofactor(group); - - BN_CTX_start(ctx); - - /* - * The built-in curves contains data fields (p, a, b, x, y, order) that are - * all zero-padded to be the same size. The size of the padding is - * determined by either the number of bytes in the field modulus (p) or the - * EC group order, whichever is larger. - */ - param_len = BN_num_bytes(group->order); - len = BN_num_bytes(group->field); - if (len > param_len) - param_len = len; - - /* Allocate space to store the padded data for (p, a, b, x, y, order) */ - param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS); - if (param_bytes == NULL) - goto end; - - /* Create the bignums */ - for (i = 0; i < NUM_BN_FIELDS; ++i) { - if ((bn[i] = BN_CTX_get(ctx)) == NULL) - goto end; - } - /* - * Fill in the bn array with the same values as the internal curves - * i.e. the values are p, a, b, x, y, order. - */ - /* Get p, a & b */ - if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx) - && ((generator = EC_GROUP_get0_generator(group)) != NULL) - /* Get x & y */ - && EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx) - /* Get order */ - && EC_GROUP_get_order(group, bn[5], ctx))) - goto end; - - /* - * Convert the bignum array to bytes that are joined together to form - * a single buffer that contains data for all fields. - * (p, a, b, x, y, order) are all zero padded to be the same size. - */ - for (i = 0; i < NUM_BN_FIELDS; ++i) { - if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0) - goto end; - } - - for (i = 0; i < curve_list_length; i++) { - const ec_list_element curve = curve_list[i]; - - data = curve.data; - /* Get the raw order byte data */ - params_seed = (const unsigned char *)(data + 1); /* skip header */ - params = params_seed + data->seed_len; - - /* Look for unique fields in the fixed curve data */ - if (data->field_type == field_type - && param_len == data->param_len - && (nid <= 0 || nid == curve.nid) - /* check the optional cofactor (ignore if its zero) */ - && (BN_is_zero(cofactor) - || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor)) - /* Check the optional seed (ignore if its not set) */ - && (data->seed_len == 0 || seed_len == 0 - || ((size_t)data->seed_len == seed_len - && memcmp(params_seed, seed, seed_len) == 0)) - /* Check that the groups params match the built-in curve params */ - && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS) - == 0) { - ret = curve.nid; - goto end; - } - } - /* Gets here if the group was not found */ - ret = NID_undef; -end: - OPENSSL_free(param_bytes); - BN_CTX_end(ctx); - return ret; -} diff --git a/SOURCES/ectest.c b/SOURCES/ectest.c deleted file mode 100644 index b2708ea..0000000 --- a/SOURCES/ectest.c +++ /dev/null @@ -1,2311 +0,0 @@ -/* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. - * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * EC_KEY low level APIs are deprecated for public use, but still ok for - * internal use. - */ -#include "internal/deprecated.h" - -#include -#include "internal/nelem.h" -#include "testutil.h" - -#include -#ifndef OPENSSL_NO_ENGINE -# include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#include - -static size_t crv_len = 0; -static EC_builtin_curve *curves = NULL; - -/* test multiplication with group order, long and negative scalars */ -static int group_order_tests(EC_GROUP *group) -{ - BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL; - EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL; - const EC_POINT *G = NULL; - BN_CTX *ctx = NULL; - int i = 0, r = 0; - - if (!TEST_ptr(n1 = BN_new()) - || !TEST_ptr(n2 = BN_new()) - || !TEST_ptr(order = BN_new()) - || !TEST_ptr(ctx = BN_CTX_new()) - || !TEST_ptr(G = EC_GROUP_get0_generator(group)) - || !TEST_ptr(P = EC_POINT_new(group)) - || !TEST_ptr(Q = EC_POINT_new(group)) - || !TEST_ptr(R = EC_POINT_new(group)) - || !TEST_ptr(S = EC_POINT_new(group))) - goto err; - - if (!TEST_true(EC_GROUP_get_order(group, order, ctx)) - || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, Q)) -#ifndef OPENSSL_NO_DEPRECATED_3_0 - || !TEST_true(EC_GROUP_precompute_mult(group, ctx)) -#endif - || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, Q)) - || !TEST_true(EC_POINT_copy(P, G)) - || !TEST_true(BN_one(n1)) - || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)) - || !TEST_true(BN_sub(n1, order, n1)) - || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx)) - || !TEST_true(EC_POINT_invert(group, Q, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))) - goto err; - - for (i = 1; i <= 2; i++) { -#ifndef OPENSSL_NO_DEPRECATED_3_0 - const BIGNUM *scalars[6]; - const EC_POINT *points[6]; -#endif - - if (!TEST_true(BN_set_word(n1, i)) - /* - * If i == 1, P will be the predefined generator for which - * EC_GROUP_precompute_mult has set up precomputation. - */ - || !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx)) - || (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx))) - || !TEST_true(BN_one(n1)) - /* n1 = 1 - order */ - || !TEST_true(BN_sub(n1, n1, order)) - || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)) - - /* n2 = 1 + order */ - || !TEST_true(BN_add(n2, order, BN_value_one())) - || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)) - - /* n2 = (1 - order) * (1 + order) = 1 - order^2 */ - || !TEST_true(BN_mul(n2, n1, n2, ctx)) - || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))) - goto err; - - /* n2 = order^2 - 1 */ - BN_set_negative(n2, 0); - if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx)) - /* Add P to verify the result. */ - || !TEST_true(EC_POINT_add(group, Q, Q, P, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, Q)) - || !TEST_false(EC_POINT_is_at_infinity(group, P))) - goto err; - -#ifndef OPENSSL_NO_DEPRECATED_3_0 - /* Exercise EC_POINTs_mul, including corner cases. */ - scalars[0] = scalars[1] = BN_value_one(); - points[0] = points[1] = P; - - if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx)) - || !TEST_true(EC_POINT_dbl(group, S, points[0], ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx))) - goto err; - - scalars[0] = n1; - points[0] = Q; /* => infinity */ - scalars[1] = n2; - points[1] = P; /* => -P */ - scalars[2] = n1; - points[2] = Q; /* => infinity */ - scalars[3] = n2; - points[3] = Q; /* => infinity */ - scalars[4] = n1; - points[4] = P; /* => P */ - scalars[5] = n2; - points[5] = Q; /* => infinity */ - if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, P))) - goto err; -#endif - } - - r = 1; -err: - if (r == 0 && i != 0) - TEST_info(i == 1 ? "allowing precomputation" : - "without precomputation"); - EC_POINT_free(P); - EC_POINT_free(Q); - EC_POINT_free(R); - EC_POINT_free(S); - BN_free(n1); - BN_free(n2); - BN_free(order); - BN_CTX_free(ctx); - return r; -} - -static int prime_field_tests(void) -{ - BN_CTX *ctx = NULL; - BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL; - EC_GROUP *group = NULL; - EC_POINT *P = NULL, *Q = NULL, *R = NULL; - BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL; -#ifndef OPENSSL_NO_DEPRECATED_3_0 - const EC_POINT *points[4]; - const BIGNUM *scalars[4]; -#endif - unsigned char buf[100]; - size_t len, r = 0; - int k; - - if (!TEST_ptr(ctx = BN_CTX_new()) - || !TEST_ptr(p = BN_new()) - || !TEST_ptr(a = BN_new()) - || !TEST_ptr(b = BN_new()) - /* - * applications should use EC_GROUP_new_curve_GFp so - * that the library gets to choose the EC_METHOD - */ - || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))) - goto err; - - buf[0] = 0; - if (!TEST_ptr(P = EC_POINT_new(group)) - || !TEST_ptr(Q = EC_POINT_new(group)) - || !TEST_ptr(R = EC_POINT_new(group)) - || !TEST_ptr(x = BN_new()) - || !TEST_ptr(y = BN_new()) - || !TEST_ptr(z = BN_new()) - || !TEST_ptr(yplusone = BN_new())) - goto err; - - /* Curve P-224 (FIPS PUB 186-2, App. 6) */ - - if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFF000000000000000000000001")) - || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) - || !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256" - "5044B0B7D7BFD8BA270B39432355FFB4")) - || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) - || !TEST_true(BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B9" - "4A03C1D356C21122343280D6115C1D21")) - || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF" - "FFFF16A2E0B8F03E13DD29455C5C2A3D")) - || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) - || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) - goto err; - - TEST_info("NIST curve P-224 -- Generator"); - test_output_bignum("x", x); - test_output_bignum("y", y); - /* G_y value taken from the standard: */ - if (!TEST_true(BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6" - "CD4375A05A07476444D5819985007E34")) - || !TEST_BN_eq(y, z) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. - */ - || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, - ctx)) - || !TEST_int_eq(EC_GROUP_get_degree(group), 224) - || !group_order_tests(group) - - /* Curve P-256 (FIPS PUB 186-2, App. 6) */ - - || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000" - "00000000FFFFFFFFFFFFFFFFFFFFFFFF")) - || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000" - "00000000FFFFFFFFFFFFFFFFFFFFFFFC")) - || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC" - "651D06B0CC53B0F63BCE3C3E27D2604B")) - || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) - - || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2" - "77037D812DEB33A0F4A13945D898C296")) - || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF" - "BCE6FAADA7179E84F3B9CAC2FC632551")) - || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) - || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) - goto err; - - TEST_info("NIST curve P-256 -- Generator"); - test_output_bignum("x", x); - test_output_bignum("y", y); - /* G_y value taken from the standard: */ - if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16" - "2BCE33576B315ECECBB6406837BF51F5")) - || !TEST_BN_eq(y, z) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. - */ - || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, - ctx)) - || !TEST_int_eq(EC_GROUP_get_degree(group), 256) - || !group_order_tests(group) - - /* Curve P-384 (FIPS PUB 186-2, App. 6) */ - - || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" - "FFFFFFFF0000000000000000FFFFFFFF")) - || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" - "FFFFFFFF0000000000000000FFFFFFFC")) - || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19" - "181D9C6EFE8141120314088F5013875A" - "C656398D8A2ED19D2A85C8EDD3EC2AEF")) - || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) - - || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74" - "6E1D3B628BA79B9859F741E082542A38" - "5502F25DBF55296C3A545E3872760AB7")) - || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFC7634D81F4372DDF" - "581A0DB248B0A77AECEC196ACCC52973")) - || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) - || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) - goto err; - - TEST_info("NIST curve P-384 -- Generator"); - test_output_bignum("x", x); - test_output_bignum("y", y); - /* G_y value taken from the standard: */ - if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29" - "F8F41DBD289A147CE9DA3113B5F0B8C0" - "0A60B1CE1D7E819D7A431D7C90EA0E5F")) - || !TEST_BN_eq(y, z) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. - */ - || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, - ctx)) - || !TEST_int_eq(EC_GROUP_get_degree(group), 384) - || !group_order_tests(group) - - /* Curve P-521 (FIPS PUB 186-2, App. 6) */ - || !TEST_true(BN_hex2bn(&p, "1FF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")) - || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, "1FF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC")) - || !TEST_true(BN_hex2bn(&b, "051" - "953EB9618E1C9A1F929A21A0B68540EE" - "A2DA725B99B315F3B8B489918EF109E1" - "56193951EC7E937B1652C0BD3BB1BF07" - "3573DF883D2C34F1EF451FD46B503F00")) - || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) - || !TEST_true(BN_hex2bn(&x, "C6" - "858E06B70404E9CD9E3ECB662395B442" - "9C648139053FB521F828AF606B4D3DBA" - "A14B5E77EFE75928FE1DC127A2FFA8DE" - "3348B3C1856A429BF97E7E31C2E5BD66")) - || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(BN_hex2bn(&z, "1FF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA" - "51868783BF2F966B7FCC0148F709A5D0" - "3BB5C9B8899C47AEBB6FB71E91386409")) - || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) - || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) - goto err; - - TEST_info("NIST curve P-521 -- Generator"); - test_output_bignum("x", x); - test_output_bignum("y", y); - /* G_y value taken from the standard: */ - if (!TEST_true(BN_hex2bn(&z, "118" - "39296A789A3BC0045C8A5FB42C7D1BD9" - "98F54449579B446817AFBD17273E662C" - "97EE72995EF42640C550B9013FAD0761" - "353C7086A272C24088BE94769FD16650")) - || !TEST_BN_eq(y, z) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. - */ - || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, - ctx)) - || !TEST_int_eq(EC_GROUP_get_degree(group), 521) - || !group_order_tests(group) - - /* more tests using the last curve */ - - /* Restore the point that got mangled in the (x, y + 1) test. */ - || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) - || !TEST_true(EC_POINT_copy(Q, P)) - || !TEST_false(EC_POINT_is_at_infinity(group, Q)) - || !TEST_true(EC_POINT_dbl(group, P, P, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */ - || !TEST_true(EC_POINT_add(group, R, P, Q, ctx)) - || !TEST_true(EC_POINT_add(group, R, R, Q, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */ - || !TEST_false(EC_POINT_is_at_infinity(group, Q))) - goto err; - -#ifndef OPENSSL_NO_DEPRECATED_3_0 - TEST_note("combined multiplication ..."); - points[0] = Q; - points[1] = Q; - points[2] = Q; - points[3] = Q; - - if (!TEST_true(EC_GROUP_get_order(group, z, ctx)) - || !TEST_true(BN_add(y, z, BN_value_one())) - || !TEST_BN_even(y) - || !TEST_true(BN_rshift1(y, y))) - goto err; - - scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */ - scalars[1] = y; - - /* z is still the group order */ - if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) - || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx)) - || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0)) - || !TEST_true(BN_add(z, z, y))) - goto err; - BN_set_negative(z, 1); - scalars[0] = y; - scalars[1] = z; /* z = -(order + y) */ - - if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, P)) - || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0)) - || !TEST_true(BN_add(z, x, y))) - goto err; - BN_set_negative(z, 1); - scalars[0] = x; - scalars[1] = y; - scalars[2] = z; /* z = -(x+y) */ - - if (!TEST_ptr(scalar3 = BN_new())) - goto err; - BN_zero(scalar3); - scalars[3] = scalar3; - - if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, P))) - goto err; -#endif - TEST_note(" ok\n"); - r = 1; -err: - BN_CTX_free(ctx); - BN_free(p); - BN_free(a); - BN_free(b); - EC_GROUP_free(group); - EC_POINT_free(P); - EC_POINT_free(Q); - EC_POINT_free(R); - BN_free(x); - BN_free(y); - BN_free(z); - BN_free(yplusone); - BN_free(scalar3); - return r; -} - -static int internal_curve_test(int n) -{ - EC_GROUP *group = NULL; - int nid = curves[n].nid; - - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) { - TEST_info("EC_GROUP_new_curve_name() failed with curve %s\n", - OBJ_nid2sn(nid)); - return 0; - } - if (!TEST_true(EC_GROUP_check(group, NULL))) { - TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid)); - EC_GROUP_free(group); - return 0; - } - EC_GROUP_free(group); - return 1; -} - -static int internal_curve_test_method(int n) -{ - int r, nid = curves[n].nid; - EC_GROUP *group; - - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) { - TEST_info("Curve %s failed\n", OBJ_nid2sn(nid)); - return 0; - } - r = group_order_tests(group); - EC_GROUP_free(group); - return r; -} - -static int group_field_test(void) -{ - int r = 1; - BIGNUM *secp521r1_field = NULL; - BIGNUM *sect163r2_field = NULL; - EC_GROUP *secp521r1_group = NULL; - EC_GROUP *sect163r2_group = NULL; - - BN_hex2bn(&secp521r1_field, - "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFF"); - - - BN_hex2bn(§163r2_field, - "08000000000000000000000000000000" - "00000000C9"); - - secp521r1_group = EC_GROUP_new_by_curve_name(NID_secp521r1); - if (BN_cmp(secp521r1_field, EC_GROUP_get0_field(secp521r1_group))) - r = 0; - - # ifndef OPENSSL_NO_EC2M - sect163r2_group = EC_GROUP_new_by_curve_name(NID_sect163r2); - if (BN_cmp(sect163r2_field, EC_GROUP_get0_field(sect163r2_group))) - r = 0; - # endif - - EC_GROUP_free(secp521r1_group); - EC_GROUP_free(sect163r2_group); - BN_free(secp521r1_field); - BN_free(sect163r2_field); - return r; -} -/* - * nistp_test_params contains magic numbers for testing - * several NIST curves with characteristic > 3. - */ -struct nistp_test_params { - const int nid; - int degree; - /* - * Qx, Qy and D are taken from - * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf - * Otherwise, values are standard curve parameters from FIPS 180-3 - */ - const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d; -}; - -static const struct nistp_test_params nistp_tests_params[] = { - { - /* P-224 */ - NID_secp224r1, - 224, - /* p */ - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", - /* a */ - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE", - /* b */ - "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4", - /* Qx */ - "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E", - /* Qy */ - "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555", - /* Gx */ - "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21", - /* Gy */ - "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34", - /* order */ - "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", - /* d */ - "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8", - }, - { - /* P-256 */ - NID_X9_62_prime256v1, - 256, - /* p */ - "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", - /* a */ - "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", - /* b */ - "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", - /* Qx */ - "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19", - /* Qy */ - "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09", - /* Gx */ - "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", - /* Gy */ - "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", - /* order */ - "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", - /* d */ - "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96", - }, - { - /* P-521 */ - NID_secp521r1, - 521, - /* p */ - "1ff" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - /* a */ - "1ff" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", - /* b */ - "051" - "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1" - "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", - /* Qx */ - "0098" - "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e" - "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4", - /* Qy */ - "0164" - "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8" - "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e", - /* Gx */ - "c6" - "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba" - "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", - /* Gy */ - "118" - "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c" - "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", - /* order */ - "1ff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa" - "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", - /* d */ - "0100" - "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee" - "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722", - }, -}; - -static int nistp_single_test(int idx) -{ - const struct nistp_test_params *test = nistp_tests_params + idx; - BN_CTX *ctx = NULL; - BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL; - BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL; - EC_GROUP *NISTP = NULL; - EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL; - int r = 0; - - TEST_note("NIST curve P-%d (optimised implementation):", - test->degree); - if (!TEST_ptr(ctx = BN_CTX_new()) - || !TEST_ptr(p = BN_new()) - || !TEST_ptr(a = BN_new()) - || !TEST_ptr(b = BN_new()) - || !TEST_ptr(x = BN_new()) - || !TEST_ptr(y = BN_new()) - || !TEST_ptr(m = BN_new()) - || !TEST_ptr(n = BN_new()) - || !TEST_ptr(order = BN_new()) - || !TEST_ptr(yplusone = BN_new()) - - || !TEST_ptr(NISTP = EC_GROUP_new_by_curve_name(test->nid)) - || !TEST_true(BN_hex2bn(&p, test->p)) - || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, test->a)) - || !TEST_true(BN_hex2bn(&b, test->b)) - || !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx)) - || !TEST_ptr(G = EC_POINT_new(NISTP)) - || !TEST_ptr(P = EC_POINT_new(NISTP)) - || !TEST_ptr(Q = EC_POINT_new(NISTP)) - || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP)) - || !TEST_true(BN_hex2bn(&x, test->Qx)) - || !TEST_true(BN_hex2bn(&y, test->Qy)) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. - */ - || !TEST_false(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, - yplusone, ctx)) - || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y, - ctx)) - || !TEST_true(BN_hex2bn(&x, test->Gx)) - || !TEST_true(BN_hex2bn(&y, test->Gy)) - || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx)) - || !TEST_true(BN_hex2bn(&order, test->order)) - || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) - || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree)) - goto err; - - TEST_note("NIST test vectors ... "); - if (!TEST_true(BN_hex2bn(&n, test->d))) - goto err; - /* fixed point multiplication */ - EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - /* random point multiplication */ - EC_POINT_mul(NISTP, Q, NULL, G, n, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - - /* set generator to P = 2*G, where G is the standard generator */ - || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx)) - || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one())) - /* set the scalar to m=n/2, where n is the NIST test scalar */ - || !TEST_true(BN_rshift(m, n, 1))) - goto err; - - /* test the non-standard generator */ - /* fixed point multiplication */ - EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - /* random point multiplication */ - EC_POINT_mul(NISTP, Q, NULL, P, m, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) -#ifndef OPENSSL_NO_DEPRECATED_3_0 - /* We have not performed precomp so this should be false */ - || !TEST_false(EC_GROUP_have_precompute_mult(NISTP)) - /* now repeat all tests with precomputation */ - || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx)) -#endif - ) - goto err; - - /* fixed point multiplication */ - EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - /* random point multiplication */ - EC_POINT_mul(NISTP, Q, NULL, P, m, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - - /* reset generator */ - || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))) - goto err; - /* fixed point multiplication */ - EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - /* random point multiplication */ - EC_POINT_mul(NISTP, Q, NULL, G, n, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - - /* regression test for felem_neg bug */ - if (!TEST_true(BN_set_word(m, 32)) - || !TEST_true(BN_set_word(n, 31)) - || !TEST_true(EC_POINT_copy(P, G)) - || !TEST_true(EC_POINT_invert(NISTP, P, ctx)) - || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx))) - goto err; - - r = 1; -err: - EC_GROUP_free(NISTP); - EC_POINT_free(G); - EC_POINT_free(P); - EC_POINT_free(Q); - EC_POINT_free(Q_CHECK); - BN_free(n); - BN_free(m); - BN_free(p); - BN_free(a); - BN_free(b); - BN_free(x); - BN_free(y); - BN_free(order); - BN_free(yplusone); - BN_CTX_free(ctx); - return r; -} - -static const unsigned char p521_named[] = { - 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, -}; - -static const unsigned char p521_explicit[] = { - 0x30, 0x82, 0x01, 0xc3, 0x02, 0x01, 0x01, 0x30, 0x4d, 0x06, 0x07, 0x2a, - 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x42, 0x01, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0x30, 0x81, 0x9f, 0x04, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xfc, 0x04, 0x42, 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a, - 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72, - 0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x09, - 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b, 0x16, 0x52, 0xc0, - 0xbd, 0x3b, 0xb1, 0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34, - 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, 0x03, 0x15, 0x00, - 0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, 0x67, 0x17, - 0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, 0x04, 0x81, 0x85, 0x04, - 0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, 0x9e, 0x3e, - 0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f, - 0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b, - 0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff, - 0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e, - 0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, - 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, - 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, - 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, - 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, - 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50, - 0x02, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa, - 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48, - 0xf7, 0x09, 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae, - 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01, -}; - -/* - * This test validates a named curve's group parameters using - * EC_GROUP_check_named_curve(). It also checks that modifying any of the - * group parameters results in the curve not being valid. - */ -static int check_named_curve_test(int id) -{ - int ret = 0, nid, field_nid, has_seed; - EC_GROUP *group = NULL, *gtest = NULL; - const EC_POINT *group_gen = NULL; - EC_POINT *other_gen = NULL; - BIGNUM *group_p = NULL, *group_a = NULL, *group_b = NULL; - BIGNUM *other_p = NULL, *other_a = NULL, *other_b = NULL; - BIGNUM *group_cofactor = NULL, *other_cofactor = NULL; - BIGNUM *other_order = NULL; - const BIGNUM *group_order = NULL; - BN_CTX *bn_ctx = NULL; - static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED"; - static size_t invalid_seed_len = sizeof(invalid_seed); - - /* Do some setup */ - nid = curves[id].nid; - if (!TEST_ptr(bn_ctx = BN_CTX_new()) - || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) - || !TEST_ptr(gtest = EC_GROUP_dup(group)) - || !TEST_ptr(group_p = BN_new()) - || !TEST_ptr(group_a = BN_new()) - || !TEST_ptr(group_b = BN_new()) - || !TEST_ptr(group_cofactor = BN_new()) - || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group)) - || !TEST_ptr(group_order = EC_GROUP_get0_order(group)) - || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL)) - || !TEST_true(EC_GROUP_get_curve(group, group_p, group_a, group_b, NULL)) - || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group)) - || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL)) - || !TEST_ptr(other_order = BN_dup(group_order)) - || !TEST_true(BN_add_word(other_order, 1)) - || !TEST_ptr(other_a = BN_dup(group_a)) - || !TEST_true(BN_add_word(other_a, 1)) - || !TEST_ptr(other_b = BN_dup(group_b)) - || !TEST_true(BN_add_word(other_b, 1)) - || !TEST_ptr(other_cofactor = BN_dup(group_cofactor)) - || !TEST_true(BN_add_word(other_cofactor, 1))) - goto err; - - /* Determine if the built-in curve has a seed field set */ - has_seed = (EC_GROUP_get_seed_len(group) > 0); - field_nid = EC_GROUP_get_field_type(group); - if (field_nid == NID_X9_62_characteristic_two_field) { - if (!TEST_ptr(other_p = BN_dup(group_p)) - || !TEST_true(BN_lshift1(other_p, other_p))) - goto err; - } else { - if (!TEST_ptr(other_p = BN_dup(group_p))) - goto err; - /* - * Just choosing any arbitrary prime does not work.. - * Setting p via ec_GFp_nist_group_set_curve() needs the prime to be a - * nist prime. So only select one of these as an alternate prime. - */ - if (!TEST_ptr(BN_copy(other_p, - BN_ucmp(BN_get0_nist_prime_192(), other_p) == 0 ? - BN_get0_nist_prime_256() : - BN_get0_nist_prime_192()))) - goto err; - } - - /* Passes because this is a valid curve */ - if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid) - /* Only NIST curves pass */ - || !TEST_int_eq(EC_GROUP_check_named_curve(group, 1, NULL), - EC_curve_nid2nist(nid) != NULL ? nid : NID_undef)) - goto err; - - /* Fail if the curve name doesn't match the parameters */ - EC_GROUP_set_curve_name(group, nid + 1); - ERR_set_mark(); - if (!TEST_int_le(EC_GROUP_check_named_curve(group, 0, NULL), 0)) - goto err; - ERR_pop_to_mark(); - - /* Restore curve name and ensure it's passing */ - EC_GROUP_set_curve_name(group, nid); - if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid)) - goto err; - - if (!TEST_int_eq(EC_GROUP_set_seed(group, invalid_seed, invalid_seed_len), - invalid_seed_len)) - goto err; - - if (has_seed) { - /* - * If the built-in curve has a seed and we set the seed to another value - * then it will fail the check. - */ - if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), 0)) - goto err; - } else { - /* - * If the built-in curve does not have a seed then setting the seed will - * pass the check (as the seed is optional). - */ - if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid)) - goto err; - } - /* Pass if the seed is unknown (as it is optional) */ - if (!TEST_int_eq(EC_GROUP_set_seed(group, NULL, 0), 1) - || !TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid)) - goto err; - - /* Check that a duped group passes */ - if (!TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid)) - goto err; - - /* check that changing any generator parameter fails */ - if (!TEST_true(EC_GROUP_set_generator(gtest, other_gen, group_order, - group_cofactor)) - || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0) - || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, other_order, - group_cofactor)) - || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0) - /* The order is not an optional field, so this should fail */ - || !TEST_false(EC_GROUP_set_generator(gtest, group_gen, NULL, - group_cofactor)) - || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order, - other_cofactor)) - || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0) - /* Check that if the cofactor is not set then it still passes */ - || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order, - NULL)) - || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid) - /* check that restoring the generator passes */ - || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order, - group_cofactor)) - || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid)) - goto err; - - /* - * check that changing any curve parameter fails - * - * Setting arbitrary p, a or b might fail for some EC_GROUPs - * depending on the internal EC_METHOD implementation, hence run - * these tests conditionally to the success of EC_GROUP_set_curve(). - */ - ERR_set_mark(); - if (EC_GROUP_set_curve(gtest, other_p, group_a, group_b, NULL)) { - if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)) - goto err; - } else { - /* clear the error stack if EC_GROUP_set_curve() failed */ - ERR_pop_to_mark(); - ERR_set_mark(); - } - if (EC_GROUP_set_curve(gtest, group_p, other_a, group_b, NULL)) { - if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)) - goto err; - } else { - /* clear the error stack if EC_GROUP_set_curve() failed */ - ERR_pop_to_mark(); - ERR_set_mark(); - } - if (EC_GROUP_set_curve(gtest, group_p, group_a, other_b, NULL)) { - if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)) - goto err; - } else { - /* clear the error stack if EC_GROUP_set_curve() failed */ - ERR_pop_to_mark(); - ERR_set_mark(); - } - ERR_pop_to_mark(); - - /* Check that restoring the curve parameters passes */ - if (!TEST_true(EC_GROUP_set_curve(gtest, group_p, group_a, group_b, NULL)) - || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid)) - goto err; - - ret = 1; -err: - BN_free(group_p); - BN_free(other_p); - BN_free(group_a); - BN_free(other_a); - BN_free(group_b); - BN_free(other_b); - BN_free(group_cofactor); - BN_free(other_cofactor); - BN_free(other_order); - EC_POINT_free(other_gen); - EC_GROUP_free(gtest); - EC_GROUP_free(group); - BN_CTX_free(bn_ctx); - return ret; -} - -/* - * This checks the lookup capability of EC_GROUP_check_named_curve() - * when the given group was created with explicit parameters. - * - * It is possible to retrieve an alternative alias that does not match - * the original nid in this case. - */ -static int check_named_curve_lookup_test(int id) -{ - int ret = 0, nid, rv = 0; - EC_GROUP *g = NULL , *ga = NULL; - ECPARAMETERS *p = NULL, *pa = NULL; - BN_CTX *ctx = NULL; - - /* Do some setup */ - nid = curves[id].nid; - if (!TEST_ptr(ctx = BN_CTX_new()) - || !TEST_ptr(g = EC_GROUP_new_by_curve_name(nid)) - || !TEST_ptr(p = EC_GROUP_get_ecparameters(g, NULL))) - goto err; - - /* replace with group from explicit parameters */ - EC_GROUP_free(g); - if (!TEST_ptr(g = EC_GROUP_new_from_ecparameters(p))) - goto err; - - if (!TEST_int_gt(rv = EC_GROUP_check_named_curve(g, 0, NULL), 0)) - goto err; - if (rv != nid) { - /* - * Found an alias: - * fail if the returned nid is not an alias of the original group. - * - * The comparison here is done by comparing two explicit - * parameter EC_GROUPs with EC_GROUP_cmp(), to ensure the - * comparison happens with unnamed EC_GROUPs using the same - * EC_METHODs. - */ - if (!TEST_ptr(ga = EC_GROUP_new_by_curve_name(rv)) - || !TEST_ptr(pa = EC_GROUP_get_ecparameters(ga, NULL))) - goto err; - - /* replace with group from explicit parameters, then compare */ - EC_GROUP_free(ga); - if (!TEST_ptr(ga = EC_GROUP_new_from_ecparameters(pa)) - || !TEST_int_eq(EC_GROUP_cmp(g, ga, ctx), 0)) - goto err; - } - - ret = 1; - - err: - EC_GROUP_free(g); - EC_GROUP_free(ga); - ECPARAMETERS_free(p); - ECPARAMETERS_free(pa); - BN_CTX_free(ctx); - - return ret; -} - -/* - * Sometime we cannot compare nids for equality, as the built-in curve table - * includes aliases with different names for the same curve. - * - * This function returns TRUE (1) if the checked nids are identical, or if they - * alias to the same curve. FALSE (0) otherwise. - */ -static ossl_inline -int are_ec_nids_compatible(int n1d, int n2d) -{ - int ret = 0; - switch (n1d) { -#ifndef OPENSSL_NO_EC2M - case NID_sect113r1: - case NID_wap_wsg_idm_ecid_wtls4: - ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4); - break; - case NID_sect163k1: - case NID_wap_wsg_idm_ecid_wtls3: - ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3); - break; - case NID_sect233k1: - case NID_wap_wsg_idm_ecid_wtls10: - ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10); - break; - case NID_sect233r1: - case NID_wap_wsg_idm_ecid_wtls11: - ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11); - break; - case NID_X9_62_c2pnb163v1: - case NID_wap_wsg_idm_ecid_wtls5: - ret = (n2d == NID_X9_62_c2pnb163v1 - || n2d == NID_wap_wsg_idm_ecid_wtls5); - break; -#endif /* OPENSSL_NO_EC2M */ - case NID_secp112r1: - case NID_wap_wsg_idm_ecid_wtls6: - ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6); - break; - case NID_secp160r2: - case NID_wap_wsg_idm_ecid_wtls7: - ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7); - break; -#ifdef OPENSSL_NO_EC_NISTP_64_GCC_128 - case NID_secp224r1: - case NID_wap_wsg_idm_ecid_wtls12: - ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12); - break; -#else - /* - * For SEC P-224 we want to ensure that the SECP nid is returned, as - * that is associated with a specialized method. - */ - case NID_wap_wsg_idm_ecid_wtls12: - ret = (n2d == NID_secp224r1); - break; -#endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */ - - default: - ret = (n1d == n2d); - } - return ret; -} - -/* - * This checks that EC_GROUP_bew_from_ecparameters() returns a "named" - * EC_GROUP for built-in curves. - * - * Note that it is possible to retrieve an alternative alias that does not match - * the original nid. - * - * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. - */ -static int check_named_curve_from_ecparameters(int id) -{ - int ret = 0, nid, tnid; - EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL; - const EC_POINT *group_gen = NULL; - EC_POINT *other_gen = NULL; - BIGNUM *group_cofactor = NULL, *other_cofactor = NULL; - BIGNUM *other_gen_x = NULL, *other_gen_y = NULL; - const BIGNUM *group_order = NULL; - BIGNUM *other_order = NULL; - BN_CTX *bn_ctx = NULL; - static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED"; - static size_t invalid_seed_len = sizeof(invalid_seed); - ECPARAMETERS *params = NULL, *other_params = NULL; - EC_GROUP *g_ary[8] = {NULL}; - EC_GROUP **g_next = &g_ary[0]; - ECPARAMETERS *p_ary[8] = {NULL}; - ECPARAMETERS **p_next = &p_ary[0]; - - /* Do some setup */ - nid = curves[id].nid; - TEST_note("Curve %s", OBJ_nid2sn(nid)); - if (!TEST_ptr(bn_ctx = BN_CTX_new())) - return ret; - BN_CTX_start(bn_ctx); - - if (/* Allocations */ - !TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx)) - || !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx)) - || !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx)) - || !TEST_ptr(other_order = BN_CTX_get(bn_ctx)) - || !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx)) - /* Generate reference group and params */ - || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) - || !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL)) - || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group)) - || !TEST_ptr(group_order = EC_GROUP_get0_order(group)) - || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL)) - /* compute `other_*` values */ - || !TEST_ptr(tmpg = EC_GROUP_dup(group)) - || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group)) - || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL)) - || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen, - other_gen_x, other_gen_y, bn_ctx)) - || !TEST_true(BN_copy(other_order, group_order)) - || !TEST_true(BN_add_word(other_order, 1)) - || !TEST_true(BN_copy(other_cofactor, group_cofactor)) - || !TEST_true(BN_add_word(other_cofactor, 1))) - goto err; - - EC_POINT_free(other_gen); - other_gen = NULL; - - if (!TEST_ptr(other_gen = EC_POINT_new(tmpg)) - || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen, - other_gen_x, other_gen_y, - bn_ctx))) - goto err; - - /* - * ########################### - * # Actual tests start here # - * ########################### - */ - - /* - * Creating a group from built-in explicit parameters returns a - * "named" EC_GROUP - */ - if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)) - goto err; - /* - * We cannot always guarantee the names match, as the built-in table - * contains aliases for the same curve with different names. - */ - if (!TEST_true(are_ec_nids_compatible(nid, tnid))) { - TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); - goto err; - } - /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */ - if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE)) - goto err; - - /* - * An invalid seed in the parameters should be ignored: expect a "named" - * group. - */ - if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len), - invalid_seed_len) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE)) { - TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); - goto err; - } - - /* - * A null seed in the parameters should be ignored, as it is optional: - * expect a "named" group. - */ - if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE)) { - TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); - goto err; - } - - /* - * Check that changing any of the generator parameters does not yield a - * match with the built-in curves - */ - if (/* Other gen, same group order & cofactor */ - !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order, - group_cofactor)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - /* Same gen & cofactor, different order */ - || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order, - group_cofactor)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - /* The order is not an optional field, so this should fail */ - || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL, - group_cofactor)) - /* Check that a wrong cofactor is ignored, and we still match */ - || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, - other_cofactor)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE) - /* Check that if the cofactor is not set then it still matches */ - || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, - NULL)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE) - /* check that restoring the generator passes */ - || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, - group_cofactor)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE)) - goto err; - - ret = 1; -err: - for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++) - EC_GROUP_free(*g_next); - for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++) - ECPARAMETERS_free(*p_next); - ECPARAMETERS_free(params); - EC_POINT_free(other_gen); - EC_GROUP_free(tmpg); - EC_GROUP_free(group); - BN_CTX_end(bn_ctx); - BN_CTX_free(bn_ctx); - return ret; -} - - -static int parameter_test(void) -{ - EC_GROUP *group = NULL, *group2 = NULL; - ECPARAMETERS *ecparameters = NULL; - unsigned char *buf = NULL; - int r = 0, len; - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1)) - || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL)) - || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters)) - || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0)) - goto err; - - EC_GROUP_free(group); - group = NULL; - - /* Test the named curve encoding, which should be default. */ - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1)) - || !TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0) - || !TEST_mem_eq(buf, len, p521_named, sizeof(p521_named))) - goto err; - - OPENSSL_free(buf); - buf = NULL; - - /* - * Test the explicit encoding. P-521 requires correctly zero-padding the - * curve coefficients. - */ - EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE); - if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0) - || !TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit))) - goto err; - - r = 1; -err: - EC_GROUP_free(group); - EC_GROUP_free(group2); - ECPARAMETERS_free(ecparameters); - OPENSSL_free(buf); - return r; -} - -/*- - * random 256-bit explicit parameters curve, cofactor absent - * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit) - * cofactor: 0x12bc94785251297abfafddf1565100da (125 bit) - */ -static const unsigned char params_cf_pass[] = { - 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5, - 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d, - 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93, - 0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5, - 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d, - 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93, - 0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc, - 0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27, - 0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23, - 0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77, - 0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b, - 0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4, - 0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9, - 0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a, - 0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c, - 0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96, - 0x14, 0xa8, 0x2f, 0x4f -}; - -/*- - * random 256-bit explicit parameters curve, cofactor absent - * order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit) - * cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit) - */ -static const unsigned char params_cf_fail[] = { - 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37, - 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b, - 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0, - 0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37, - 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b, - 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0, - 0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09, - 0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d, - 0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02, - 0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59, - 0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11, - 0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24, - 0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70, - 0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73, - 0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04, - 0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e, - 0x34, 0xa2, 0x21, 0x01 -}; - -/*- - * Test two random 256-bit explicit parameters curves with absent cofactor. - * The two curves are chosen to roughly straddle the bounds at which the lib - * can compute the cofactor automatically, roughly 4*sqrt(p). So test that: - * - * - params_cf_pass: order is sufficiently close to p to compute cofactor - * - params_cf_fail: order is too far away from p to compute cofactor - * - * For standards-compliant curves, cofactor is chosen as small as possible. - * So you can see neither of these curves are fit for cryptographic use. - * - * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2: - * h <= 2**(t/8) where t is the security level of the curve, for which the lib - * will always succeed in computing the cofactor. Neither of these curves - * conform to that -- this is just robustness testing. - */ -static int cofactor_range_test(void) -{ - EC_GROUP *group = NULL; - BIGNUM *cf = NULL; - int ret = 0; - const unsigned char *b1 = (const unsigned char *)params_cf_fail; - const unsigned char *b2 = (const unsigned char *)params_cf_pass; - - if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail))) - || !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group)) - || !TEST_ptr(group = d2i_ECPKParameters(&group, &b2, - sizeof(params_cf_pass))) - || !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0) - || !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group))) - goto err; - ret = 1; - err: - BN_free(cf); - EC_GROUP_free(group); - return ret; -} - -/*- - * For named curves, test that: - * - the lib correctly computes the cofactor if passed a NULL or zero cofactor - * - a nonsensical cofactor throws an error (negative test) - * - nonsensical orders throw errors (negative tests) - */ -static int cardinality_test(int n) -{ - int ret = 0, is_binary = 0; - int nid = curves[n].nid; - BN_CTX *ctx = NULL; - EC_GROUP *g1 = NULL, *g2 = NULL; - EC_POINT *g2_gen = NULL; - BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL, - *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL; - - TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid)); - - if (!TEST_ptr(ctx = BN_CTX_new()) - || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))) { - BN_CTX_free(ctx); - return 0; - } - - is_binary = (EC_GROUP_get_field_type(g1) == NID_X9_62_characteristic_two_field); - - BN_CTX_start(ctx); - g1_p = BN_CTX_get(ctx); - g1_a = BN_CTX_get(ctx); - g1_b = BN_CTX_get(ctx); - g1_x = BN_CTX_get(ctx); - g1_y = BN_CTX_get(ctx); - g1_order = BN_CTX_get(ctx); - g1_cf = BN_CTX_get(ctx); - - if (!TEST_ptr(g2_cf = BN_CTX_get(ctx)) - /* pull out the explicit curve parameters */ - || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx)) - || !TEST_true(EC_POINT_get_affine_coordinates(g1, - EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx)) - || !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1))) - || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx)) - /* construct g2 manually with g1 parameters */ -#ifndef OPENSSL_NO_EC2M - || !TEST_ptr(g2 = (is_binary) ? - EC_GROUP_new_curve_GF2m(g1_p, g1_a, g1_b, ctx) : - EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx)) -#else - || !TEST_int_eq(0, is_binary) - || !TEST_ptr(g2 = EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx)) -#endif - || !TEST_ptr(g2_gen = EC_POINT_new(g2)) - || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx)) - /* pass NULL cofactor: lib should compute it */ - || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) - || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx)) - || !TEST_BN_eq(g1_cf, g2_cf) - /* pass zero cofactor: lib should compute it */ - || !TEST_true(BN_set_word(g2_cf, 0)) - || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf)) - || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx)) - || !TEST_BN_eq(g1_cf, g2_cf) - /* negative test for invalid cofactor */ - || !TEST_true(BN_set_word(g2_cf, 0)) - || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one())) - || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf)) - /* negative test for NULL order */ - || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL)) - /* negative test for zero order */ - || !TEST_true(BN_set_word(g1_order, 0)) - || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) - /* negative test for negative order */ - || !TEST_true(BN_set_word(g2_cf, 0)) - || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one())) - || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) - /* negative test for too large order */ - || !TEST_true(BN_lshift(g1_order, g1_p, 2)) - || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))) - goto err; - ret = 1; - err: - EC_POINT_free(g2_gen); - EC_GROUP_free(g1); - EC_GROUP_free(g2); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - return ret; -} - -static int check_ec_key_field_public_range_test(int id) -{ - int ret = 0, type = 0; - const EC_POINT *pub = NULL; - const EC_GROUP *group = NULL; - const BIGNUM *field = NULL; - BIGNUM *x = NULL, *y = NULL; - EC_KEY *key = NULL; - - if (!TEST_ptr(x = BN_new()) - || !TEST_ptr(y = BN_new()) - || !TEST_ptr(key = EC_KEY_new_by_curve_name(curves[id].nid)) - || !TEST_ptr(group = EC_KEY_get0_group(key)) - || !TEST_ptr(field = EC_GROUP_get0_field(group)) - || !TEST_int_gt(EC_KEY_generate_key(key), 0) - || !TEST_int_gt(EC_KEY_check_key(key), 0) - || !TEST_ptr(pub = EC_KEY_get0_public_key(key)) - || !TEST_int_gt(EC_POINT_get_affine_coordinates(group, pub, x, y, - NULL), 0)) - goto err; - - /* - * Make the public point out of range by adding the field (which will still - * be the same point on the curve). The add is different for char2 fields. - */ - type = EC_GROUP_get_field_type(group); -#ifndef OPENSSL_NO_EC2M - if (type == NID_X9_62_characteristic_two_field) { - /* test for binary curves */ - if (!TEST_true(BN_GF2m_add(x, x, field))) - goto err; - } else -#endif - if (type == NID_X9_62_prime_field) { - /* test for prime curves */ - if (!TEST_true(BN_add(x, x, field))) - goto err; - } else { - /* this should never happen */ - TEST_error("Unsupported EC_METHOD field_type"); - goto err; - } - if (!TEST_int_le(EC_KEY_set_public_key_affine_coordinates(key, x, y), 0)) - goto err; - - ret = 1; -err: - BN_free(x); - BN_free(y); - EC_KEY_free(key); - return ret; -} - -/* - * Helper for ec_point_hex2point_test - * - * Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given - * (group,P) pair. - * - * If P is NULL use point at infinity. - */ -static ossl_inline -int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P, - point_conversion_form_t form, - BN_CTX *bnctx) -{ - int ret = 0; - EC_POINT *Q = NULL, *Pinf = NULL; - char *hex = NULL; - - if (P == NULL) { - /* If P is NULL use point at infinity. */ - if (!TEST_ptr(Pinf = EC_POINT_new(group)) - || !TEST_true(EC_POINT_set_to_infinity(group, Pinf))) - goto err; - P = Pinf; - } - - if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx)) - || !TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx))) - goto err; - - /* - * The next check is most likely superfluous, as EC_POINT_cmp should already - * cover this. - * Nonetheless it increases the test coverage for EC_POINT_is_at_infinity, - * so we include it anyway! - */ - if (Pinf != NULL - && !TEST_true(EC_POINT_is_at_infinity(group, Q))) - goto err; - - ret = 1; - - err: - EC_POINT_free(Pinf); - OPENSSL_free(hex); - EC_POINT_free(Q); - - return ret; -} - -/* - * This test self-validates EC_POINT_hex2point() and EC_POINT_point2hex() - */ -static int ec_point_hex2point_test(int id) -{ - int ret = 0, nid; - EC_GROUP *group = NULL; - const EC_POINT *G = NULL; - EC_POINT *P = NULL; - BN_CTX * bnctx = NULL; - - /* Do some setup */ - nid = curves[id].nid; - if (!TEST_ptr(bnctx = BN_CTX_new()) - || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) - || !TEST_ptr(G = EC_GROUP_get0_generator(group)) - || !TEST_ptr(P = EC_POINT_dup(G, group))) - goto err; - - if (!TEST_true(ec_point_hex2point_test_helper(group, P, - POINT_CONVERSION_COMPRESSED, - bnctx)) - || !TEST_true(ec_point_hex2point_test_helper(group, NULL, - POINT_CONVERSION_COMPRESSED, - bnctx)) - || !TEST_true(ec_point_hex2point_test_helper(group, P, - POINT_CONVERSION_UNCOMPRESSED, - bnctx)) - || !TEST_true(ec_point_hex2point_test_helper(group, NULL, - POINT_CONVERSION_UNCOMPRESSED, - bnctx)) - || !TEST_true(ec_point_hex2point_test_helper(group, P, - POINT_CONVERSION_HYBRID, - bnctx)) - || !TEST_true(ec_point_hex2point_test_helper(group, NULL, - POINT_CONVERSION_HYBRID, - bnctx))) - goto err; - - ret = 1; - - err: - EC_POINT_free(P); - EC_GROUP_free(group); - BN_CTX_free(bnctx); - - return ret; -} - -static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, - unsigned char *gen, int gen_size) -{ - int ret = 0, i_out; - EVP_PKEY_CTX *pctx = NULL; - EVP_PKEY *pkeyparam = NULL; - OSSL_PARAM_BLD *bld = NULL; - const char *field_name; - OSSL_PARAM *params = NULL; - const OSSL_PARAM *gettable; - BIGNUM *p, *a, *b; - BIGNUM *p_out = NULL, *a_out = NULL, *b_out = NULL; - BIGNUM *order_out = NULL, *cofactor_out = NULL; - char name[80]; - unsigned char buf[1024]; - size_t buf_len, name_len; -#ifndef OPENSSL_NO_EC2M - unsigned int k1 = 0, k2 = 0, k3 = 0; - const char *basis_name = NULL; -#endif - - p = BN_CTX_get(ctx); - a = BN_CTX_get(ctx); - b = BN_CTX_get(ctx); - - if (!TEST_ptr(b) - || !TEST_ptr(bld = OSSL_PARAM_BLD_new())) - goto err; - - if (EC_GROUP_get_field_type(group) == NID_X9_62_prime_field) { - field_name = SN_X9_62_prime_field; - } else { - field_name = SN_X9_62_characteristic_two_field; -#ifndef OPENSSL_NO_EC2M - if (EC_GROUP_get_basis_type(group) == NID_X9_62_tpBasis) { - basis_name = SN_X9_62_tpBasis; - if (!TEST_true(EC_GROUP_get_trinomial_basis(group, &k1))) - goto err; - } else { - basis_name = SN_X9_62_ppBasis; - if (!TEST_true(EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3))) - goto err; - } -#endif /* OPENSSL_NO_EC2M */ - } - if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)) - || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld, - OSSL_PKEY_PARAM_EC_FIELD_TYPE, field_name, 0)) - || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_P, p)) - || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_A, a)) - || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_B, b))) - goto err; - - if (EC_GROUP_get0_seed(group) != NULL) { - if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(bld, - OSSL_PKEY_PARAM_EC_SEED, EC_GROUP_get0_seed(group), - EC_GROUP_get_seed_len(group)))) - goto err; - } - if (EC_GROUP_get0_cofactor(group) != NULL) { - if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_COFACTOR, - EC_GROUP_get0_cofactor(group)))) - goto err; - } - - if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(bld, - OSSL_PKEY_PARAM_EC_GENERATOR, gen, gen_size)) - || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_ORDER, - EC_GROUP_get0_order(group)))) - goto err; - - if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) - || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) - || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) - || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam, - EVP_PKEY_KEY_PARAMETERS, params), 0)) - goto err; - - /*- Check that all the set values are retrievable -*/ - - /* There should be no match to a group name since the generator changed */ - if (!TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam, - OSSL_PKEY_PARAM_GROUP_NAME, name, sizeof(name), - &name_len))) - goto err; - - /* The encoding should be explicit as it has no group */ - if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam, - OSSL_PKEY_PARAM_EC_ENCODING, - name, sizeof(name), &name_len)) - || !TEST_str_eq(name, OSSL_PKEY_EC_ENCODING_EXPLICIT)) - goto err; - - if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam, - OSSL_PKEY_PARAM_EC_FIELD_TYPE, name, sizeof(name), - &name_len)) - || !TEST_str_eq(name, field_name)) - goto err; - - if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam, - OSSL_PKEY_PARAM_EC_GENERATOR, buf, sizeof(buf), &buf_len)) - || !TEST_mem_eq(buf, (int)buf_len, gen, gen_size)) - goto err; - - if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_P, &p_out)) - || !TEST_BN_eq(p_out, p) - || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_A, - &a_out)) - || !TEST_BN_eq(a_out, a) - || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_B, - &b_out)) - || !TEST_BN_eq(b_out, b) - || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_ORDER, - &order_out)) - || !TEST_BN_eq(order_out, EC_GROUP_get0_order(group))) - goto err; - - if (EC_GROUP_get0_cofactor(group) != NULL) { - if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam, - OSSL_PKEY_PARAM_EC_COFACTOR, &cofactor_out)) - || !TEST_BN_eq(cofactor_out, EC_GROUP_get0_cofactor(group))) - goto err; - } - if (EC_GROUP_get0_seed(group) != NULL) { - if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam, - OSSL_PKEY_PARAM_EC_SEED, buf, sizeof(buf), &buf_len)) - || !TEST_mem_eq(buf, buf_len, EC_GROUP_get0_seed(group), - EC_GROUP_get_seed_len(group))) - goto err; - } - - if (EC_GROUP_get_field_type(group) == NID_X9_62_prime_field) { - /* No extra fields should be set for a prime field */ - if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out)) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out)) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out)) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out)) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out)) - || !TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name), - &name_len))) - goto err; - } else { -#ifndef OPENSSL_NO_EC2M - if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out)) - || !TEST_int_eq(EC_GROUP_get_degree(group), i_out) - || !TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name), - &name_len)) - || !TEST_str_eq(name, basis_name)) - goto err; - - if (EC_GROUP_get_basis_type(group) == NID_X9_62_tpBasis) { - if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out)) - || !TEST_int_eq(k1, i_out) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out)) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out)) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out))) - goto err; - } else { - if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out)) - || !TEST_true(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out)) - || !TEST_int_eq(k1, i_out) - || !TEST_true(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out)) - || !TEST_int_eq(k2, i_out) - || !TEST_true(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out)) - || !TEST_int_eq(k3, i_out)) - goto err; - } -#endif /* OPENSSL_NO_EC2M */ - } - if (!TEST_ptr(gettable = EVP_PKEY_gettable_params(pkeyparam)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_GROUP_NAME)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ENCODING)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_FIELD_TYPE)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_P)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_A)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_B)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_GENERATOR)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ORDER)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_COFACTOR)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_SEED)) -#ifndef OPENSSL_NO_EC2M - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_M)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TYPE)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K1)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K2)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K3)) -#endif - ) - goto err; - ret = 1; -err: - BN_free(order_out); - BN_free(cofactor_out); - BN_free(a_out); - BN_free(b_out); - BN_free(p_out); - OSSL_PARAM_free(params); - OSSL_PARAM_BLD_free(bld); - EVP_PKEY_free(pkeyparam); - EVP_PKEY_CTX_free(pctx); - return ret; -} - -/* - * check the EC_METHOD respects the supplied EC_GROUP_set_generator G - */ -static int custom_generator_test(int id) -{ - int ret = 0, nid, bsize; - EC_GROUP *group = NULL; - EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL; - BN_CTX *ctx = NULL; - BIGNUM *k = NULL; - unsigned char *b1 = NULL, *b2 = NULL; - - /* Do some setup */ - nid = curves[id].nid; - TEST_note("Curve %s", OBJ_nid2sn(nid)); - if (!TEST_ptr(ctx = BN_CTX_new())) - return 0; - - BN_CTX_start(ctx); - - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) - goto err; - - /* expected byte length of encoded points */ - bsize = (EC_GROUP_get_degree(group) + 7) / 8; - bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */ - - if (!TEST_ptr(k = BN_CTX_get(ctx)) - /* fetch a testing scalar k != 0,1 */ - || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1, - BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) - /* make k even */ - || !TEST_true(BN_clear_bit(k, 0)) - || !TEST_ptr(G2 = EC_POINT_new(group)) - || !TEST_ptr(Q1 = EC_POINT_new(group)) - /* Q1 := kG */ - || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx)) - /* pull out the bytes of that */ - || !TEST_int_eq(EC_POINT_point2oct(group, Q1, - POINT_CONVERSION_UNCOMPRESSED, NULL, - 0, ctx), bsize) - || !TEST_ptr(b1 = OPENSSL_malloc(bsize)) - || !TEST_int_eq(EC_POINT_point2oct(group, Q1, - POINT_CONVERSION_UNCOMPRESSED, b1, - bsize, ctx), bsize) - /* new generator is G2 := 2G */ - || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group), - ctx)) - || !TEST_true(EC_GROUP_set_generator(group, G2, - EC_GROUP_get0_order(group), - EC_GROUP_get0_cofactor(group))) - || !TEST_ptr(Q2 = EC_POINT_new(group)) - || !TEST_true(BN_rshift1(k, k)) - /* Q2 := k/2 G2 */ - || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx)) - || !TEST_int_eq(EC_POINT_point2oct(group, Q2, - POINT_CONVERSION_UNCOMPRESSED, NULL, - 0, ctx), bsize) - || !TEST_ptr(b2 = OPENSSL_malloc(bsize)) - || !TEST_int_eq(EC_POINT_point2oct(group, Q2, - POINT_CONVERSION_UNCOMPRESSED, b2, - bsize, ctx), bsize) - /* Q1 = kG = k/2 G2 = Q2 should hold */ - || !TEST_mem_eq(b1, bsize, b2, bsize)) - goto err; - - if (!do_test_custom_explicit_fromdata(group, ctx, b1, bsize)) - goto err; - - ret = 1; - - err: - EC_POINT_free(Q1); - EC_POINT_free(Q2); - EC_POINT_free(G2); - EC_GROUP_free(group); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - OPENSSL_free(b1); - OPENSSL_free(b2); - - return ret; -} - -/* - * check creation of curves from explicit params through the public API - */ -static int custom_params_test(int id) -{ - int ret = 0, nid, bsize; - const char *curve_name = NULL; - EC_GROUP *group = NULL, *altgroup = NULL; - EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL; - const EC_POINT *Q = NULL; - BN_CTX *ctx = NULL; - BIGNUM *k = NULL; - unsigned char *buf1 = NULL, *buf2 = NULL; - const BIGNUM *z = NULL, *cof = NULL, *priv1 = NULL; - BIGNUM *p = NULL, *a = NULL, *b = NULL; - int is_prime = 0; - EC_KEY *eckey1 = NULL, *eckey2 = NULL; - EVP_PKEY *pkey1 = NULL, *pkey2 = NULL; - EVP_PKEY_CTX *pctx1 = NULL, *pctx2 = NULL; - size_t sslen, t; - unsigned char *pub1 = NULL , *pub2 = NULL; - OSSL_PARAM_BLD *param_bld = NULL; - OSSL_PARAM *params1 = NULL, *params2 = NULL; - - /* Do some setup */ - nid = curves[id].nid; - curve_name = OBJ_nid2sn(nid); - TEST_note("Curve %s", curve_name); - - if (nid == NID_sm2) - return TEST_skip("custom params not supported with SM2"); - - if (!TEST_ptr(ctx = BN_CTX_new())) - return 0; - - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) - goto err; - - is_prime = EC_GROUP_get_field_type(group) == NID_X9_62_prime_field; -#ifdef OPENSSL_NO_EC2M - if (!is_prime) { - ret = TEST_skip("binary curves not supported in this build"); - goto err; - } -#endif - - BN_CTX_start(ctx); - if (!TEST_ptr(p = BN_CTX_get(ctx)) - || !TEST_ptr(a = BN_CTX_get(ctx)) - || !TEST_ptr(b = BN_CTX_get(ctx)) - || !TEST_ptr(k = BN_CTX_get(ctx))) - goto err; - - /* expected byte length of encoded points */ - bsize = (EC_GROUP_get_degree(group) + 7) / 8; - bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */ - - /* extract parameters from built-in curve */ - if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)) - || !TEST_ptr(G2 = EC_POINT_new(group)) - /* new generator is G2 := 2G */ - || !TEST_true(EC_POINT_dbl(group, G2, - EC_GROUP_get0_generator(group), ctx)) - /* pull out the bytes of that */ - || !TEST_int_eq(EC_POINT_point2oct(group, G2, - POINT_CONVERSION_UNCOMPRESSED, - NULL, 0, ctx), bsize) - || !TEST_ptr(buf1 = OPENSSL_malloc(bsize)) - || !TEST_int_eq(EC_POINT_point2oct(group, G2, - POINT_CONVERSION_UNCOMPRESSED, - buf1, bsize, ctx), bsize) - || !TEST_ptr(z = EC_GROUP_get0_order(group)) - || !TEST_ptr(cof = EC_GROUP_get0_cofactor(group)) - ) - goto err; - - /* create a new group using same params (but different generator) */ - if (is_prime) { - if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GFp(p, a, b, ctx))) - goto err; - } -#ifndef OPENSSL_NO_EC2M - else { - if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) - goto err; - } -#endif - - /* set 2*G as the generator of altgroup */ - EC_POINT_free(G2); /* discard G2 as it refers to the original group */ - if (!TEST_ptr(G2 = EC_POINT_new(altgroup)) - || !TEST_true(EC_POINT_oct2point(altgroup, G2, buf1, bsize, ctx)) - || !TEST_int_eq(EC_POINT_is_on_curve(altgroup, G2, ctx), 1) - || !TEST_true(EC_GROUP_set_generator(altgroup, G2, z, cof)) - ) - goto err; - - /* verify math checks out */ - if (/* allocate temporary points on group and altgroup */ - !TEST_ptr(Q1 = EC_POINT_new(group)) - || !TEST_ptr(Q2 = EC_POINT_new(altgroup)) - /* fetch a testing scalar k != 0,1 */ - || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1, - BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) - /* make k even */ - || !TEST_true(BN_clear_bit(k, 0)) - /* Q1 := kG on group */ - || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx)) - /* pull out the bytes of that */ - || !TEST_int_eq(EC_POINT_point2oct(group, Q1, - POINT_CONVERSION_UNCOMPRESSED, - NULL, 0, ctx), bsize) - || !TEST_int_eq(EC_POINT_point2oct(group, Q1, - POINT_CONVERSION_UNCOMPRESSED, - buf1, bsize, ctx), bsize) - /* k := k/2 */ - || !TEST_true(BN_rshift1(k, k)) - /* Q2 := k/2 G2 on altgroup */ - || !TEST_true(EC_POINT_mul(altgroup, Q2, k, NULL, NULL, ctx)) - /* pull out the bytes of that */ - || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2, - POINT_CONVERSION_UNCOMPRESSED, - NULL, 0, ctx), bsize) - || !TEST_ptr(buf2 = OPENSSL_malloc(bsize)) - || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2, - POINT_CONVERSION_UNCOMPRESSED, - buf2, bsize, ctx), bsize) - /* Q1 = kG = k/2 G2 = Q2 should hold */ - || !TEST_mem_eq(buf1, bsize, buf2, bsize)) - goto err; - - /* create two `EC_KEY`s on altgroup */ - if (!TEST_ptr(eckey1 = EC_KEY_new()) - || !TEST_true(EC_KEY_set_group(eckey1, altgroup)) - || !TEST_true(EC_KEY_generate_key(eckey1)) - || !TEST_ptr(eckey2 = EC_KEY_new()) - || !TEST_true(EC_KEY_set_group(eckey2, altgroup)) - || !TEST_true(EC_KEY_generate_key(eckey2))) - goto err; - - /* retrieve priv1 for later */ - if (!TEST_ptr(priv1 = EC_KEY_get0_private_key(eckey1))) - goto err; - - /* - * retrieve bytes for pub1 for later - * - * We compute the pub key in the original group as we will later use it to - * define a provider key in the built-in group. - */ - if (!TEST_true(EC_POINT_mul(group, Q1, priv1, NULL, NULL, ctx)) - || !TEST_int_eq(EC_POINT_point2oct(group, Q1, - POINT_CONVERSION_UNCOMPRESSED, - NULL, 0, ctx), bsize) - || !TEST_ptr(pub1 = OPENSSL_malloc(bsize)) - || !TEST_int_eq(EC_POINT_point2oct(group, Q1, - POINT_CONVERSION_UNCOMPRESSED, - pub1, bsize, ctx), bsize)) - goto err; - - /* retrieve bytes for pub2 for later */ - if (!TEST_ptr(Q = EC_KEY_get0_public_key(eckey2)) - || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q, - POINT_CONVERSION_UNCOMPRESSED, - NULL, 0, ctx), bsize) - || !TEST_ptr(pub2 = OPENSSL_malloc(bsize)) - || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q, - POINT_CONVERSION_UNCOMPRESSED, - pub2, bsize, ctx), bsize)) - goto err; - - /* create two `EVP_PKEY`s from the `EC_KEY`s */ - if(!TEST_ptr(pkey1 = EVP_PKEY_new()) - || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey1, eckey1), 1)) - goto err; - eckey1 = NULL; /* ownership passed to pkey1 */ - if(!TEST_ptr(pkey2 = EVP_PKEY_new()) - || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey2, eckey2), 1)) - goto err; - eckey2 = NULL; /* ownership passed to pkey2 */ - - /* Compute keyexchange in both directions */ - if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL)) - || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1) - || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) - || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1) - || !TEST_int_gt(bsize, sslen) - || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)) - goto err; - if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL)) - || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1) - || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1) - || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1) - || !TEST_int_gt(bsize, t) - || !TEST_int_le(sslen, t) - || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1)) - goto err; - - /* Both sides should expect the same shared secret */ - if (!TEST_mem_eq(buf1, sslen, buf2, t)) - goto err; - - /* Build parameters for provider-native keys */ - if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new()) - || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld, - OSSL_PKEY_PARAM_GROUP_NAME, - curve_name, 0)) - || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld, - OSSL_PKEY_PARAM_PUB_KEY, - pub1, bsize)) - || !TEST_true(OSSL_PARAM_BLD_push_BN(param_bld, - OSSL_PKEY_PARAM_PRIV_KEY, - priv1)) - || !TEST_ptr(params1 = OSSL_PARAM_BLD_to_param(param_bld))) - goto err; - - OSSL_PARAM_BLD_free(param_bld); - if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new()) - || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld, - OSSL_PKEY_PARAM_GROUP_NAME, - curve_name, 0)) - || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld, - OSSL_PKEY_PARAM_PUB_KEY, - pub2, bsize)) - || !TEST_ptr(params2 = OSSL_PARAM_BLD_to_param(param_bld))) - goto err; - - /* create two new provider-native `EVP_PKEY`s */ - EVP_PKEY_CTX_free(pctx2); - if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) - || !TEST_true(EVP_PKEY_fromdata_init(pctx2)) - || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey1, EVP_PKEY_KEYPAIR, - params1)) - || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey2, EVP_PKEY_PUBLIC_KEY, - params2))) - goto err; - - /* compute keyexchange once more using the provider keys */ - EVP_PKEY_CTX_free(pctx1); - if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL)) - || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1) - || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) - || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &t), 1) - || !TEST_int_gt(bsize, t) - || !TEST_int_le(sslen, t) - || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &t), 1) - /* compare with previous result */ - || !TEST_mem_eq(buf1, t, buf2, sslen)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - BN_CTX_free(ctx); - OSSL_PARAM_BLD_free(param_bld); - OSSL_PARAM_free(params1); - OSSL_PARAM_free(params2); - EC_POINT_free(Q1); - EC_POINT_free(Q2); - EC_POINT_free(G2); - EC_GROUP_free(group); - EC_GROUP_free(altgroup); - OPENSSL_free(buf1); - OPENSSL_free(buf2); - OPENSSL_free(pub1); - OPENSSL_free(pub2); - EC_KEY_free(eckey1); - EC_KEY_free(eckey2); - EVP_PKEY_free(pkey1); - EVP_PKEY_free(pkey2); - EVP_PKEY_CTX_free(pctx1); - EVP_PKEY_CTX_free(pctx2); - - return ret; -} - -int setup_tests(void) -{ - crv_len = EC_get_builtin_curves(NULL, 0); - if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) - || !TEST_true(EC_get_builtin_curves(curves, crv_len))) - return 0; - - ADD_TEST(parameter_test); - /*ADD_TEST(cofactor_range_test);*/ - ADD_ALL_TESTS(cardinality_test, crv_len); - ADD_TEST(prime_field_tests); -#ifndef OPENSSL_NO_EC2M - ADD_TEST(char2_field_tests); - ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests)); -#endif - ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params)); - ADD_ALL_TESTS(internal_curve_test, crv_len); - ADD_ALL_TESTS(internal_curve_test_method, crv_len); - ADD_TEST(group_field_test); - ADD_ALL_TESTS(check_named_curve_test, crv_len); - ADD_ALL_TESTS(check_named_curve_lookup_test, crv_len); - ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len); - ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len); - ADD_ALL_TESTS(ec_point_hex2point_test, crv_len); - /* ADD_ALL_TESTS(custom_generator_test, crv_len); - ADD_ALL_TESTS(custom_params_test, crv_len); */ - return 1; -} - -void cleanup_tests(void) -{ - OPENSSL_free(curves); -} diff --git a/SOURCES/hobble-openssl b/SOURCES/hobble-openssl deleted file mode 100755 index 9a23ca6..0000000 --- a/SOURCES/hobble-openssl +++ /dev/null @@ -1,40 +0,0 @@ -#!/bin/sh - -# Quit out if anything fails. -set -e - -# Clean out patent-or-otherwise-encumbered code. -# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway -# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore -# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore -# EC: ????????? ??/??/2020 -# SRP: ????????? ??/??/2017 - expired, we do not remove it anymore - -# Remove assembler portions of IDEA, MDC2, and RC5. -# (find crypto/rc5/asm -type f | xargs -r rm -fv) - -for c in `find crypto/bn -name "*gf2m.c"`; do - echo Destroying $c - > $c -done - -for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c"`; do - echo Destroying $c - > $c -done - -for c in `find test -name "ectest.c"`; do - echo Destroying $c - > $c -done - -for h in `find crypto ssl apps test -name "*.h"` ; do - echo Removing EC2M references from $h - cat $h | \ - awk 'BEGIN {ech=1;} \ - /^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \ - /^#[ \t]*if/ {if(ech < 1) ech--;} \ - {if(ech>0) {;print $0};} \ - /^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \ - mv $h.hobbled $h -done diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec index 494c967..91d6a67 100644 --- a/SPECS/openssl.spec +++ b/SPECS/openssl.spec @@ -29,21 +29,18 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 5%{?dist} +Release: 24%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. # The original openssl upstream tarball cannot be shipped in the .src.rpm. -Source: openssl-%{version}-hobbled.tar.gz -Source1: hobble-openssl +Source: openssl-%{version}.tar.gz Source2: Makefile.certificate Source3: genpatches Source6: make-dummy-cert Source7: renew-dummy-cert Source9: configuration-switch.h Source10: configuration-prefix.h -Source12: ec_curve.c -Source13: ectest.c Source14: 0025-for-tests.patch # Patches exported from source git @@ -65,11 +62,16 @@ Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch # Add check to see if fips flag is enabled in kernel Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch +# Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so +# that new modifications made to these files by upstream are not lost. +Patch10: 0010-Add-changes-to-ectest-and-eccurve.patch # remove unsupported EC curves Patch11: 0011-Remove-EC-curves.patch # Disable explicit EC curves # https://bugzilla.redhat.com/show_bug.cgi?id=2066412 Patch12: 0012-Disable-explicit-ec.patch +#Skipped tests from former 0011-Remove-EC-curves.patch +Patch13: 0013-skipped-tests-EC-curves.patch # Instructions to load legacy provider in openssl.cnf Patch24: 0024-load-legacy-prov.patch # Tmp: test name change @@ -131,13 +133,14 @@ Patch76: 0076-FIPS-140-3-DRBG.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2102542 Patch77: 0077-FIPS-140-3-zeroization.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2114772 -Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2141695 +# https://bugzilla.redhat.com/show_bug.cgi?id=2160733 +# https://bugzilla.redhat.com/show_bug.cgi?id=2164763 +Patch78: 0078-KDF-Add-FIPS-indicators.patch #https://bugzilla.redhat.com/show_bug.cgi?id=2141748 Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2142131 Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2141695 -Patch82: 0082-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2136250 Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2137557 @@ -154,6 +157,8 @@ Patch90: 0090-signature-Clamp-PSS-salt-len-to-MD-len.patch Patch91: 0091-FIPS-RSA-encapsulate.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2142517 Patch92: 0092-provider-improvements.patch +# FIPS-95 +Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch # OpenSSL 3.0.8 CVEs Patch101: 0101-CVE-2022-4203-nc-match.patch @@ -165,6 +170,34 @@ Patch106: 0106-CVE-2023-0217-dsa.patch Patch107: 0107-CVE-2023-0286-X400.patch Patch108: 0108-CVE-2023-0401-pkcs7-md.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2169314 +Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2168289 +Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2175145 +Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch +Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2179331 +Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2157951 +Patch114: 0114-FIPS-enforce-EMS-support.patch + +# X.509 policies minor CVEs +Patch115: 0115-CVE-2023-0464.patch +Patch116: 0116-CVE-2023-0465.patch +Patch117: 0117-CVE-2023-0466.patch +# AES-XTS CVE +Patch118: 0118-CVE-2023-1255.patch + +#https://github.com/openssl/openssl/pull/13817 +#https://bugzilla.redhat.com/show_bug.cgi?id=2153471 +Patch120: 0120-RSA-PKCS15-implicit-rejection.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2160797 +Patch121: 0121-FIPS-cms-defaults.patch +Patch122: 0122-CVE-2023-2650.patch +# https://github.com/openssl/openssl/pull/19386 +Patch123: 0123-ibmca-atexit-crash.patch + License: ASL 2.0 URL: http://www.openssl.org/ BuildRequires: gcc g++ @@ -220,13 +253,6 @@ from other formats to the formats used by the OpenSSL toolkit. %prep %autosetup -S git -n %{name}-%{version} -# The hobble_openssl is called here redundantly, just to be sure. -# The tarball has already the sources removed. -%{SOURCE1} > /dev/null - -cp %{SOURCE12} crypto/ec/ -cp %{SOURCE13} test/ - %build # Figure out which flags we want to use. # default @@ -441,6 +467,7 @@ cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h >> \ install -m644 %{SOURCE9} \ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h %endif +ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fips_local.cnf %files %{!?_licensedir:%global license %%doc} @@ -465,6 +492,7 @@ install -m644 %{SOURCE9} \ %dir %{_sysconfdir}/pki/tls/private %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf %config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf +%config %{_sysconfdir}/pki/tls/fips_local.cnf %attr(0755,root,root) %{_libdir}/libcrypto.so.%{version} %{_libdir}/libcrypto.so.%{soversion} %attr(0755,root,root) %{_libdir}/libssl.so.%{version} @@ -494,9 +522,124 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog -* Fri Apr 14 2023 MSVSphere Packaging Team - 3.0.7-5 +* Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 +- Make FIPS module configuration more crypto-policies friendly + Related: rhbz#2216256 + +* Tue Jul 11 2023 Dmitry Belyavskiy - 1:3.0.7-23 +- Add a workaround for lack of EMS in FIPS mode + Resolves: rhbz#2216256 + +* Thu Jul 06 2023 Sahana Prasad - 1:3.0.7-22 +- Remove unsupported curves from nist_curves. + Resolves: rhbz#2069336 + +* Mon Jun 26 2023 Sahana Prasad - 1:3.0.7-21 +- Remove the listing of brainpool curves in FIPS mode. + Related: rhbz#2188180 + +* Tue May 30 2023 Dmitry Belyavskiy - 1:3.0.7-20 +- Fix possible DoS translating ASN.1 object identifiers + Resolves: CVE-2023-2650 +- Release the DRBG in global default libctx early + Resolves: rhbz#2211340 + +* Mon May 22 2023 Clemens Lang - 1:3.0.7-19 +- Re-enable DHX keys in FIPS mode, disable FIPS 186-4 parameter validation and generation in FIPS mode + Resolves: rhbz#2169757 + +* Thu May 18 2023 Dmitry Belyavskiy - 1:3.0.7-18 +- Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode + Resolves: rhbz#2160797 + +* Tue May 09 2023 Dmitry Belyavskiy - 1:3.0.7-17 +- Enforce using EMS in FIPS mode - better alerts + Related: rhbz#2157951 + +* Tue May 02 2023 Sahana Prasad - 1:3.0.7-16 +- Upload new upstream sources without manually hobbling them. +- Remove the hobbling script as it is redundant. It is now allowed to ship + the sources of patented EC curves, however it is still made unavailable to use + by compiling with the 'no-ec2m' Configure option. The additional forbidden + curves such as P-160, P-192, wap-tls curves are manually removed by updating + 0011-Remove-EC-curves.patch. +- Enable Brainpool curves. +- Apply the changes to ec_curve.c and ectest.c as a new patch + 0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them. +- Modify 0011-Remove-EC-curves.patch to allow Brainpool curves. +- Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M. + Resolves: rhbz#2130618, rhbz#2188180 + +* Fri Apr 28 2023 Dmitry Belyavskiy - 1:3.0.7-15 +- Backport implicit rejection for RSA PKCS#1 v1.5 encryption + Resolves: rhbz#2153471 + +* Fri Apr 21 2023 Dmitry Belyavskiy - 1:3.0.7-14 +- Input buffer over-read in AES-XTS implementation on 64 bit ARM + Resolves: rhbz#2188554 + +* Tue Apr 18 2023 Dmitry Belyavskiy - 1:3.0.7-13 +- Enforce using EMS in FIPS mode + Resolves: rhbz#2157951 +- Fix excessive resource usage in verifying X509 policy constraints + Resolves: rhbz#2186661 +- Fix invalid certificate policies in leaf certificates check + Resolves: rhbz#2187429 +- Certificate policy check not enabled + Resolves: rhbz#2187431 +- OpenSSL rsa_verify_recover key length checks in FIPS mode + Resolves: rhbz#2186819 + +* Fri Apr 14 2023 MSVSphere Packaging Team - 1:3.0.7-12 - Rebuilt for MSVSphere 9.2 beta +* Fri Mar 24 2023 Clemens Lang - 1:3.0.7-12 +- Change explicit FIPS indicator for RSA decryption to unapproved + Resolves: rhbz#2179379 + +* Mon Mar 20 2023 Clemens Lang - 1:3.0.7-11 +- Add missing reference to patchfile to add explicit FIPS indicator to RSA + encryption and RSASVE and fix the gettable parameter list for the RSA + asymmetric cipher implementation. + Resolves: rhbz#2179379 + +* Fri Mar 17 2023 Clemens Lang - 1:3.0.7-10 +- Add explicit FIPS indicator to RSA encryption and RSASVE + Resolves: rhbz#2179379 + +* Thu Mar 16 2023 Clemens Lang - 1:3.0.7-9 +- Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes + Resolves: rhbz#2175864 + +* Thu Mar 16 2023 Clemens Lang - 1:3.0.7-8 +- Fix Wpointer-sign compiler warning + Resolves: rhbz#2178034 + +* Tue Mar 14 2023 Clemens Lang - 1:3.0.7-7 +- Add explicit FIPS indicators to key derivation functions + Resolves: rhbz#2175860 rhbz#2175864 +- Zeroize FIPS module integrity check MAC after check + Resolves: rhbz#2175873 +- Add explicit FIPS indicator for IV generation in AES-GCM + Resolves: rhbz#2175868 +- Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant + salt in PBKDF2 FIPS self-test + Resolves: rhbz#2178137 +- Limit RSA_NO_PADDING for encryption and signature in FIPS mode + Resolves: rhbz#2178029 +- Pairwise consistency tests should use Digest+Sign/Verify + Resolves: rhbz#2178034 +- Forbid DHX keys import in FIPS mode + Resolves: rhbz#2178030 +- DH PCT should abort on failure + Resolves: rhbz#2178039 +- Increase RNG seeding buffer size to 32 + Related: rhbz#2168224 + +* Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 +- Fixes RNG slowdown in FIPS mode + Resolves: rhbz#2168224 + * Wed Feb 08 2023 Dmitry Belyavskiy - 1:3.0.7-5 - Fixed X.509 Name Constraints Read Buffer Overflow Resolves: CVE-2022-4203