From 9ebabfa10a8344588bf8023857008a406f605d53 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 1 Mar 2023 19:56:51 +0100 Subject: [PATCH 01/60] Stop everlasting RNG reseeding Resolves: rhbz#2168224 --- 0076-FIPS-140-3-DRBG.patch | 16 ++++++++++++++++ openssl.spec | 6 +++++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/0076-FIPS-140-3-DRBG.patch b/0076-FIPS-140-3-DRBG.patch index 0d91598..8f97a6a 100644 --- a/0076-FIPS-140-3-DRBG.patch +++ b/0076-FIPS-140-3-DRBG.patch @@ -92,6 +92,22 @@ diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3 /* Reseed using our sources in addition */ entropylen = get_entropy(drbg, &entropy, drbg->strength, drbg->min_entropylen, drbg->max_entropylen, +@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d + reseed_required = 1; + } + if (drbg->parent != NULL +- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) ++ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { ++#ifdef FIPS_MODULE ++ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/ ++ drbg->parent_reseed_counter = get_parent_reseed_count(drbg); ++#else + reseed_required = 1; ++#endif ++ } + + if (reseed_required || prediction_resistance) { + if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0, diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c --- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200 +++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200 diff --git a/openssl.spec b/openssl.spec index f8d2451..6499d56 100644 --- a/openssl.spec +++ b/openssl.spec 
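Review bot: In the added `#ifdef FIPS_MODULE` branch of `ossl_prov_drbg_generate`, a changed parent reseed count no longer sets `reseed_required`, and the one-line comment justifying this does not say which code now guarantees that the child is reseeded. If a later rebase drops or alters that other patch, FIPS-mode child DRBGs could stop following parent reseeds without any visible failure. I would expand the comment to name the mechanism, e.g. `/* FIPS: chain reseeding is done by <patch or function that provides it>; a parent reseed alone must not force another one here, so only resync the counter. */`, with the placeholder filled in by the author. The branch also calls `get_parent_reseed_count(drbg)` a second time for the assignment, which costs another trip to the parent and can store a value other than the one just compared; reading it once into a local inside the `drbg->parent != NULL` check and using that for both would avoid this. The function body starts and ends outside the hunk, and whether `get_parent_reseed_count` can return an error sentinel is not visible here; if it can, this branch would record the sentinel as a valid count instead of forcing a reseed.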
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 5%{?dist} +Release: 6%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -494,6 +494,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 +- Fixes RNG slowdown in FIPS mode + Resolves: rhbz#2168224 + * Wed Feb 08 2023 Dmitry Belyavskiy - 1:3.0.7-5 - Fixed X.509 Name Constraints Read Buffer Overflow Resolves: CVE-2022-4203 From 6a9e17a8c1575b72823c5702a61078af474a1a45 Mon Sep 17 00:00:00 2001 
From: Clemens Lang Date: Thu, 16 Feb 2023 17:55:03 +0100 Subject: [PATCH 02/60] KDF: Add FIPS indicators FIPS requires a number of restrictions on the parameters of the various key derivation functions implemented in OpenSSL. The KDFs that use digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG C.C). Additionally, some application-specific KDFs have further restrictions defined in SP 800-135r1. Generally, all KDFs shall use a key-derivation key length of at least 112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF to generate an output length of less than 112 bits will also set the indicator to unapproved. Add explicit indicators to all KDFs usable in FIPS mode except for PBKDF2 (which has its specific FIPS limits already implemented). The indicator can be queried using EVP_KDF_CTX_get_params() after setting the required parameters and keys for the KDF. Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the truncated variants -224 and -384) and SHA3 (-256 and -512, and the truncated versions -224 and -384), as well as SHAKE-128 and -256. The SHAKE functions are generally not allowed in KDFs. For the rest, the support matrix is: KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated ========================================================================== KBKDF | x | x | x | x | x HKDF | x | x | x | x | x TLS1PRF | | SHA-{256,384,512} only | | SSHKDF | x | x | x | | SSKDF | x | x | x | x | x X9.63KDF | | x | x | x | x X9.42-ASN1 | x | x | x | x | x TLS1.3PRF | | SHA-{256,384} only | | 
Signed-off-by: Clemens Lang Resolves: rhbz#2175860 rhbz#2175864 --- ...Add-FIPS-indicator-parameter-to-HKDF.patch | 138 --- 0078-KDF-Add-FIPS-indicators.patch | 896 ++++++++++++++++++ ...plicit-FIPS-indicator-for-key-length.patch | 74 -- openssl.spec | 13 +- 4 files changed, 905 insertions(+), 216 deletions(-) delete mode 100644 0078-Add-FIPS-indicator-parameter-to-HKDF.patch create mode 100644 0078-KDF-Add-FIPS-indicators.patch delete mode 100644 0082-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch diff --git a/0078-Add-FIPS-indicator-parameter-to-HKDF.patch b/0078-Add-FIPS-indicator-parameter-to-HKDF.patch deleted file mode 100644 index b54d0fa..0000000 --- a/0078-Add-FIPS-indicator-parameter-to-HKDF.patch +++ /dev/null 
@@ -1,138 +0,0 @@ -From 0c4aaedf29a1ed1559762515bfeaa5923925e18f Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 11 Aug 2022 09:27:12 +0200 -Subject: [PATCH 1/2] Add FIPS indicator parameter to HKDF - -NIST considers HKDF only acceptable when used as in TLS 1.3, and -otherwise unapproved. Add an explicit indicator attached to the -EVP_KDF_CTX that can be queried using EVP_KDF_CTX_get_params() to -determine whether the KDF operation was approved after performing it. - -Signed-off-by: Clemens Lang -Related: rhbz#2114772 ---- - include/crypto/evp.h | 7 ++++ - include/openssl/core_names.h | 1 + - include/openssl/kdf.h | 4 ++ - providers/implementations/kdfs/hkdf.c | 53 +++++++++++++++++++++++++++ - 4 files changed, 65 insertions(+) - -diff --git a/include/crypto/evp.h b/include/crypto/evp.h -index e70d8e9e84..76fb990de4 100644 ---- a/include/crypto/evp.h -+++ b/include/crypto/evp.h -@@ -219,6 +219,13 @@ struct evp_mac_st { - OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params; - }; - -+#ifdef FIPS_MODULE -+/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving -+ * Additional Keys from a Cryptographic Key, "[t]he length of the -+ * key-derivation key [i.e., the input key] shall be at least 112 bits". 
*/ -+# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8) -+#endif -+ - struct evp_kdf_st { - OSSL_PROVIDER *prov; - int name_id; -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 21c94d0488..c019afbbb0 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -223,6 +223,7 @@ extern "C" { - #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo" - #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo" - #define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits" -+#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" - - /* Known KDF names */ - #define OSSL_KDF_NAME_HKDF "HKDF" -diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h -index 0983230a48..86171635ea 100644 ---- a/include/openssl/kdf.h -+++ b/include/openssl/kdf.h -@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf, - # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 - # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2 - -+# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 -+# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1 -+# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 -+ - #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 - #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 - #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 -diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c -index afdb7138e1..6f06fa58fe 100644 ---- a/providers/implementations/kdfs/hkdf.c -+++ b/providers/implementations/kdfs/hkdf.c -@@ -298,6 +298,56 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - return 0; - return OSSL_PARAM_set_size_t(p, sz); - } -+ -+#ifdef FIPS_MODULE -+ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) -+ != NULL) { -+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED; -+ switch (ctx->mode) { -+ case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: -+ /* TLS 1.3 never uses extract-and-expand */ -+ fips_indicator = 
EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ break; -+ case EVP_KDF_HKDF_MODE_EXTRACT_ONLY: -+ { -+ /* When TLS 1.3 uses extract, the following holds: -+ * 1. The salt length matches the hash length, and either -+ * 2.1. the key is all zeroes and matches the hash length, or -+ * 2.2. the key originates from a PSK (resumption_master_secret -+ * or some externally esablished key), or an ECDH or DH key -+ * derivation. See -+ * https://www.rfc-editor.org/rfc/rfc8446#section-7.1. -+ * Unfortunately at this point, we cannot verify where the key -+ * comes from, so all we can do is check the salt length. -+ */ -+ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); -+ if (md != NULL && ctx->salt_len == (size_t) EVP_MD_get_size(md)) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; -+ else -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ } -+ break; -+ case EVP_KDF_HKDF_MODE_EXPAND_ONLY: -+ /* When TLS 1.3 uses expand, it always provides a label that -+ * contains an uint16 for the length, followed by between 7 and 255 -+ * bytes for a label string that starts with "tls13 " or "dtls13". -+ * For compatibility with future versions, we only check for "tls" -+ * or "dtls". See -+ * https://www.rfc-editor.org/rfc/rfc8446#section-7.1 and -+ * https://www.rfc-editor.org/rfc/rfc9147#section-5.9. 
*/ -+ if (ctx->label != NULL -+ && ctx->label_len >= 2 /* length */ + 4 /* "dtls" */ -+ && (strncmp("tls", (const char *)ctx->label + 2, 3) == 0 || -+ strncmp("dtls", (const char *)ctx->label + 2, 4) == 0)) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; -+ else -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ break; -+ } -+ return OSSL_PARAM_set_int(p, fips_indicator); -+ } -+#endif /* defined(FIPS_MODULE) */ -+ - return -2; - } - -@@ -306,6 +356,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, - { - static const OSSL_PARAM known_gettable_ctx_params[] = { - OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ - OSSL_PARAM_END - }; - return known_gettable_ctx_params; --- -2.38.1 - diff --git a/0078-KDF-Add-FIPS-indicators.patch b/0078-KDF-Add-FIPS-indicators.patch new file mode 100644 index 0000000..d8496ce --- /dev/null +++ b/0078-KDF-Add-FIPS-indicators.patch 
@@ -0,0 +1,896 @@ +From 2f89e15407b7f3947768f93d11adeafd73c0b6d6 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Thu, 11 Aug 2022 09:27:12 +0200 +Subject: KDF: Add FIPS indicators + +FIPS requires a number of restrictions on the parameters of the various +key derivation functions implemented in OpenSSL. The KDFs that use +digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG +C.C). Additionally, some application-specific KDFs have further +restrictions defined in SP 800-135r1. + +Generally, all KDFs shall use a key-derivation key length of at least +112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF +to generate and output length of less than 112 bits will also set the +indicator to unapproved. + +Add explicit indicators to all KDFs usable in FIPS mode except for +PBKDF2 (which has its specific FIPS limits already implemented). The +indicator can be queried using EVP_KDF_CTX_get_params() after setting +the required parameters and keys for the KDF. + +Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the +truncated variants -224 and -384) and SHA3 (-256 and -512, and the +truncated versions -224 and -384), as well as SHAKE-128 and -256. + +The SHAKE functions are generally not allowed in KDFs. 
For the rest, the +support matrix is: + + KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated +========================================================================== +KBKDF | x | x | x | x | x +HKDF | x | x | x | x | x +TLS1PRF | | SHA-{256,384,512} only | | +SSHKDF | x | x | x | | +SSKDF | x | x | x | x | x +X9.63KDF | | x | x | x | x +X9.42-ASN1 | x | x | x | x | x +TLS1.3PRF | | SHA-{256,384} only | | + +Signed-off-by: Clemens Lang +Resolves: rhbz#2160733 rhbz#2164763 +Related: rhbz#2114772 rhbz#2141695 +--- + include/crypto/evp.h | 7 ++ + include/openssl/core_names.h | 1 + + include/openssl/kdf.h | 4 + + providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++- + providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++-- + providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++- + providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- + providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- + providers/implementations/kdfs/x942kdf.c | 57 +++++++++++- + 9 files changed, 478 insertions(+), 22 deletions(-) + +diff --git a/include/crypto/evp.h b/include/crypto/evp.h +index e70d8e9e84..76fb990de4 100644 +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h +@@ -219,6 +219,13 @@ struct evp_mac_st { + OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params; + }; + ++#ifdef FIPS_MODULE ++/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving ++ * Additional Keys from a Cryptographic Key, "[t]he length of the ++ * key-derivation key [i.e., the input key] shall be at least 112 bits". 
*/ ++# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8) ++#endif ++ + struct evp_kdf_st { + OSSL_PROVIDER *prov; + int name_id; +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 6bed5a8a67..680bfbc7cc 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -223,6 +223,7 @@ extern "C" { + #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo" + #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo" + #define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits" ++#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" + + /* Known KDF names */ + #define OSSL_KDF_NAME_HKDF "HKDF" +diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h +index 0983230a48..86171635ea 100644 +--- a/include/openssl/kdf.h ++++ b/include/openssl/kdf.h +@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf, + # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 + # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2 + ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 + #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 + #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 +diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c +index dfa7786bde..f01e40ff5a 100644 +--- a/providers/implementations/kdfs/hkdf.c ++++ b/providers/implementations/kdfs/hkdf.c +@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; + static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params; + static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; + static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params; ++static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new; + static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive; + static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params; + static 
OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; +@@ -85,6 +86,10 @@ typedef struct { + size_t data_len; + unsigned char info[HKDF_MAXBUF]; + size_t info_len; ++ int is_tls13; ++#ifdef FIPS_MODULE ++ int output_keylen_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_HKDF; + + static void *kdf_hkdf_new(void *provctx) +@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + switch (ctx->mode) { + case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: + default: +@@ -332,15 +342,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + KDF_HKDF *ctx = (KDF_HKDF *)vctx; + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { + size_t sz = kdf_hkdf_size(ctx); + +- if (sz == 0) ++ any_valid = 1; ++ ++ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz)) + return 0; +- return OSSL_PARAM_set_size_t(p, sz); + } +- return -2; ++ ++#ifdef FIPS_MODULE ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) ++ != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". 
*/ ++ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (ctx->is_tls13) { ++ if (md != NULL ++ && !EVP_MD_is_a(md, "SHA2-256") ++ && !EVP_MD_is_a(md, "SHA2-384")) { ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic ++ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3 ++ * key derivation function documented in Section 7.1 of RFC ++ * 8446. This is considered an approved CVL because the ++ * underlying functions performed within the TLS 1.3 KDF map to ++ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3 ++ * Option #3), SP 800-56Crev2, and SP 800-108." ++ * ++ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */ ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } else { ++ if (md != NULL ++ && (EVP_MD_is_a(md, "SHAKE-128") || ++ EVP_MD_is_a(md, "SHAKE-256"))) { ++ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1, ++ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because ++ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the ++ * standalone algorithms." 
*/ ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, + return ret; + } + ++static void *kdf_tls1_3_new(void *provctx) ++{ ++ KDF_HKDF *hkdf = kdf_hkdf_new(provctx); ++ ++ if (hkdf != NULL) ++ hkdf->is_tls13 = 1; ++ ++ return hkdf; ++} ++ ++ + static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) + { +@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + switch (ctx->mode) { + default: + return 0; +@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, + } + + const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { +- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, ++ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new }, + { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, + { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, + { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_3_derive }, +diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c +index 
a542f84dfa..6b6dfb94ac 100644 +--- a/providers/implementations/kdfs/kbkdf.c ++++ b/providers/implementations/kdfs/kbkdf.c +@@ -59,6 +59,9 @@ typedef struct { + kbkdf_mode mode; + EVP_MAC_CTX *ctx_init; + ++ /* HMAC digest algorithm, if any; used to compute FIPS indicator */ ++ PROV_DIGEST digest; ++ + /* Names are lowercased versions of those found in SP800-108. */ + int r; + unsigned char *ki; +@@ -70,6 +73,9 @@ typedef struct { + size_t iv_len; + int use_l; + int use_separator; ++#ifdef FIPS_MODULE ++ int output_keylen_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KBKDF; + + /* Definitions needed for typechecking. */ +@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx) + void *provctx = ctx->provctx; + + EVP_MAC_CTX_free(ctx->ctx_init); ++ ossl_prov_digest_reset(&ctx->digest); + OPENSSL_clear_free(ctx->context, ctx->context_len); + OPENSSL_clear_free(ctx->label, ctx->label_len); + OPENSSL_clear_free(ctx->ki, ctx->ki_len); +@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init); + if (h == 0) + goto done; +@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + return 0; + } + ++ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) ++ return 0; ++ + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE); + if (p != NULL + && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) { +@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, + static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + + p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE); +- if (p == NULL) ++ if (p != 
NULL) { ++ any_valid = 1; ++ ++ /* KBKDF can produce results as large as you like. */ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ KBKDF *ctx = (KBKDF *)vctx; ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." Note that the digest is only used when the MAC ++ * algorithm is HMAC. 
*/ ++ if (ctx->ctx_init != NULL ++ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) { ++ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); ++ if (md != NULL ++ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) + return -2; + +- /* KBKDF can produce results as large as you like. */ +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); ++ return 1; + } + + static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) + { +- static const OSSL_PARAM known_gettable_ctx_params[] = +- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END }; ++ static const OSSL_PARAM known_gettable_ctx_params[] = { ++ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ ++ OSSL_PARAM_END ++ }; + return known_gettable_ctx_params; + } + +diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c +index c592ba72f1..4a52b38266 100644 +--- a/providers/implementations/kdfs/sshkdf.c ++++ b/providers/implementations/kdfs/sshkdf.c +@@ -48,6 +48,9 @@ typedef struct { + char type; /* X */ + unsigned char *session_id; + size_t session_id_len; ++#ifdef FIPS_MODULE ++ int output_keylen_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_SSHKDF; + + static void *kdf_sshkdf_new(void *provctx) +@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen, + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE); + return 0; + } ++ ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + return SSHKDF(md, ctx->key, ctx->key_len, + ctx->xcghash, 
ctx->xcghash_len, + ctx->session_id, ctx->session_id_len, +@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx, + static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ KDF_SSHKDF *ctx = vctx; ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. 
*/ ++ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." ++ * ++ * Additionally, SP 800-135r1 section 5.2 specifies that the hash ++ * function used in SSHKDF "is one of the hash functions specified in ++ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2. ++ * */ ++ if (ctx->digest.md != NULL ++ && !EVP_MD_is_a(ctx->digest.md, "SHA-1") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c +index eb54972e1c..23865cd70f 100644 +--- a/providers/implementations/kdfs/sskdf.c ++++ b/providers/implementations/kdfs/sskdf.c +@@ -62,6 +62,10 @@ typedef struct { + unsigned char *salt; + size_t salt_len; + size_t out_len; /* optional KMAC parameter */ ++ int is_x963kdf; ++#ifdef FIPS_MODULE ++ int output_keylen_indicator; ++#endif /* defined(FIPS_MODULE) 
*/ + } KDF_SSKDF; + + #define SSKDF_MAX_INLEN (1<<30) +@@ -73,6 +77,7 @@ typedef struct { + static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 }; + + static OSSL_FUNC_kdf_newctx_fn sskdf_new; ++static OSSL_FUNC_kdf_newctx_fn x963kdf_new; + static OSSL_FUNC_kdf_freectx_fn sskdf_free; + static OSSL_FUNC_kdf_reset_fn sskdf_reset; + static OSSL_FUNC_kdf_derive_fn sskdf_derive; +@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx) + return ctx; + } + ++static void *x963kdf_new(void *provctx) ++{ ++ KDF_SSKDF *ctx = sskdf_new(provctx); ++ ++ if (ctx) ++ ctx->is_x963kdf = 1; ++ ++ return ctx; ++} ++ + static void sskdf_reset(void *vctx) + { + KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; +@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, + } + md = ossl_prov_digest_md(&ctx->digest); + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + if (ctx->macctx != NULL) { + /* H(x) = KMAC or H(x) = HMAC */ + int ret; +@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len, + ctx->info, ctx->info_len, 1, key, keylen); + } +@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ ++ ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx))) ++ return 0; ++ } + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, 
sskdf_size(ctx)); +- return -2; ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." */ ++ if (ctx->macctx == NULL ++ || (ctx->macctx != NULL && ++ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) { ++ if (ctx->digest.md != NULL ++ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") || ++ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions ++ * should only be used for 80-bit key agreement, but FIPS 140-3 ++ * requires a security strength of 112 bits, so SHA-1 cannot be ++ * used with X9.63. 
See the discussion in ++ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395. ++ */ ++ if (ctx->is_x963kdf ++ && ctx->digest.md != NULL ++ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = { + }; + + const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { +- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new }, ++ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new }, + { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, + { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, + { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive }, +diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c +index a4d64b9352..f6782a6ca2 100644 +--- a/providers/implementations/kdfs/tls1_prf.c ++++ b/providers/implementations/kdfs/tls1_prf.c +@@ -93,6 +93,13 @@ typedef struct { + /* Buffer of concatenated seed data */ + unsigned char seed[TLS1_PRF_MAXBUF]; + size_t seedlen; ++ ++ /* MAC digest algorithm; used to compute FIPS indicator */ ++ PROV_DIGEST digest; ++ ++#ifdef FIPS_MODULE ++ int output_keylen_indicator; ++#endif /* defined(FIPS_MODULE) */ + } TLS1_PRF; + + static void *kdf_tls1_prf_new(void *provctx) +@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx) + EVP_MAC_CTX_free(ctx->P_sha1); + 
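Review bot: The condition guarding the digest checks in `sskdf_get_ctx_params` tests `ctx->macctx != NULL` on the right-hand side of an `||` whose left-hand side is already `ctx->macctx == NULL`, so the second test is always true when it is reached; `if (ctx->macctx == NULL || EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))` says the same thing. The comment above the output-length check names `ctx->output_keyelen_indicator`, while the field added to `KDF_SSKDF` is `output_keylen_indicator`; the same misspelling is repeated in the `kdf_tls1_prf_get_ctx_params` hunk. The IG citations in this function alternate between "Verification Program" and "Validation Program"; the CMVP is the Cryptographic Module Validation Program, so both should use that name. The gettable table that follows passes `0` as the data pointer to `OSSL_PARAM_int` where the sshkdf table in the same patch passes `NULL`.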
OPENSSL_clear_free(ctx->sec, ctx->seclen); + OPENSSL_cleanse(ctx->seed, ctx->seedlen); ++ ossl_prov_digest_reset(&ctx->digest); + memset(ctx, 0, sizeof(*ctx)); + ctx->provctx = provctx; + } +@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ + + return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, + ctx->sec, ctx->seclen, +@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + } + } + ++ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) ++ return 0; ++ + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) { + OPENSSL_clear_free(ctx->sec, ctx->seclen); + ctx->sec = NULL; +@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params( + static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++#ifdef FIPS_MODULE ++ TLS1_PRF *ctx = vctx; ++#endif /* defined(FIPS_MODULE) */ ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ ++ ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". 
*/ ++ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3) ++ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */ ++ if (ctx->digest.md != NULL ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( +@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c +index b1bc6f7e1b..f4ac8ca3f5 100644 +--- a/providers/implementations/kdfs/x942kdf.c 
++++ b/providers/implementations/kdfs/x942kdf.c +@@ -13,10 +13,13 @@ + #include + #include + #include ++#include + #include + #include + #include "internal/packet.h" + #include "internal/der.h" ++#include "internal/nelem.h" ++#include "crypto/evp.h" + #include "prov/provider_ctx.h" + #include "prov/providercommon.h" + #include "prov/implementations.h" +@@ -47,6 +50,9 @@ typedef struct { + const unsigned char *cek_oid; + size_t cek_oid_len; + int use_keybits; ++#ifdef FIPS_MODULE ++ int output_keylen_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_X942; + + /* +@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen, + ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING); + return 0; + } ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ + ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, + der, der_len, ctr, key, keylen); + OPENSSL_free(der); +@@ -563,10 +573,48 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + KDF_X942 *ctx = (KDF_X942 *)vctx; + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)); +- return -2; ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx))) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". 
*/ ++ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." */ ++ if (ctx->digest.md != NULL ++ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") || ++ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -574,6 +622,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +-- +2.39.1 + diff --git a/0082-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch b/0082-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch deleted file mode 100644 index 8542af9..0000000 --- a/0082-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch +++ /dev/null 
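Review bot: `x942kdf_get_ctx_params` never reads `ctx->output_keylen_indicator`, although this patch adds the field to `KDF_X942` and sets it in `x942kdf_derive` when `keylen < EVP_KDF_FIPS_MIN_KEY_LEN`. As written, an X9.42 context that derived a too-short key can still report `EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED`, unlike the sskdf and tls1_prf getters in the same patch, which both consult the field. Add the same check before the SHAKE test: `if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED)` followed by `fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED;`.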
@@ -1,74 +0,0 @@ -From 185fbbfea732588187c81d1b2cafb3e1fae9eb77 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Thu, 17 Nov 2022 16:38:45 +0100 -Subject: [PATCH 2/2] kbkdf: Add explicit FIPS indicator for key length - -NIST SP 800-131Ar2, section 8 "Deriving Additional Keys from -a Cryptographic Key" says that for KDFs defined in SP 800-108, "[t]he -length of the key-derivation key shall be at least 112 bits". It further -specifies that HMAC-based KDFs "with a key whose length is at least 112 -bits" are acceptable. - -Add an explicit indicator for SP 800-108 KDFs that will mark shorter key -lengths as unapproved. The indicator can be queried from the EVP_KDF_CTX -object using EVP_KDF_CTX_get_params() with the - OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR -parameter. - -Signed-off-by: Clemens Lang ---- - providers/implementations/kdfs/kbkdf.c | 32 +++++++++++++++++++++----- - 1 file changed, 26 insertions(+), 6 deletions(-) - -diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c -index a542f84dfa..93a8a10537 100644 ---- a/providers/implementations/kdfs/kbkdf.c -+++ b/providers/implementations/kdfs/kbkdf.c -@@ -365,18 +365,38 @@ static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) - OSSL_PARAM *p; - - p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE); -- if (p == NULL) -- return -2; -+ if (p != NULL) -+ /* KBKDF can produce results as large as you like. */ -+ return OSSL_PARAM_set_size_t(p, SIZE_MAX); -+ -+#ifdef FIPS_MODULE -+ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); -+ if (p != NULL) { -+ KBKDF *ctx = (KBKDF *)vctx; -+ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; -+ /* According to NIST Special Publication 800-131Ar2, Section 8: -+ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of -+ * the key-derivation key [i.e., the input key] shall be at least 112 -+ * bits". 
*/ -+ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN) -+ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ return OSSL_PARAM_set_int(p, fips_indicator); -+ } -+#endif - -- /* KBKDF can produce results as large as you like. */ -- return OSSL_PARAM_set_size_t(p, SIZE_MAX); -+ return -2; - } - - static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx, - ossl_unused void *provctx) - { -- static const OSSL_PARAM known_gettable_ctx_params[] = -- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END }; -+ static const OSSL_PARAM known_gettable_ctx_params[] = { -+ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), -+#ifdef FIPS_MODULE -+ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ -+ OSSL_PARAM_END -+ }; - return known_gettable_ctx_params; - } - --- -2.38.1 - diff --git a/openssl.spec b/openssl.spec index 6499d56..bb96821 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 6%{?dist} +Release: 7%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
@@ -131,13 +131,14 @@ Patch76: 0076-FIPS-140-3-DRBG.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2102542 Patch77: 0077-FIPS-140-3-zeroization.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2114772 -Patch78: 0078-Add-FIPS-indicator-parameter-to-HKDF.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2141695 +# https://bugzilla.redhat.com/show_bug.cgi?id=2160733 +# https://bugzilla.redhat.com/show_bug.cgi?id=2164763 +Patch78: 0078-KDF-Add-FIPS-indicators.patch #https://bugzilla.redhat.com/show_bug.cgi?id=2141748 Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2142131 Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2141695 -Patch82: 0082-kbkdf-Add-explicit-FIPS-indicator-for-key-length.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2136250 Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2137557 @@ -494,6 +495,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Tue Mar 14 2023 Clemens Lang - 1:3.0.7-7 +- Add explicit FIPS indicators to key derivation functions + Resolves: rhbz#2175860 rhbz#2175864 + * Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 - Fixes RNG slowdown in FIPS mode Resolves: rhbz#2168224 From 58955140b656e3a843fe85dba1d77372488ae311 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Fri, 17 Feb 2023 13:44:47 +0100 Subject: [PATCH 03/60] Zeroize FIPS module integrity check MAC after check Resolves: rhbz#2175873 Signed-off-by: Clemens Lang --- 0109-fips-Zeroize-out-in-fips-selftest.patch | 26 ++++++++++++++++++++ openssl.spec | 5 ++++ 2 files changed, 31 insertions(+) create mode 100644 0109-fips-Zeroize-out-in-fips-selftest.patch diff --git a/0109-fips-Zeroize-out-in-fips-selftest.patch b/0109-fips-Zeroize-out-in-fips-selftest.patch new file mode 100644 index 0000000..3cd48df --- /dev/null 
+++ b/0109-fips-Zeroize-out-in-fips-selftest.patch @@ -0,0 +1,26 @@ +From 9dbc6069665690bd238caa7622647ea8ac94124f Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 13 Feb 2023 11:01:44 +0100 +Subject: fips: Zeroize `out` in fips selftest + +Signed-off-by: Clemens Lang +Resolves: rhbz#2169314 +--- + providers/fips/self_test.c | 1 + + 1 file changed, 1 insertion(+) + +diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c +index 80d048a847..11a989209c 100644 +--- a/providers/fips/self_test.c ++++ b/providers/fips/self_test.c +@@ -221,6 +221,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + goto err; + ret = 1; + err: ++ OPENSSL_cleanse(out, sizeof(out)); + OSSL_SELF_TEST_onend(ev, ret); + EVP_MAC_CTX_free(ctx); + EVP_MAC_free(mac); +-- +2.39.1 + diff --git a/openssl.spec b/openssl.spec index bb96821..4b75c23 100644 --- a/openssl.spec +++ b/openssl.spec @@ -166,6 +166,9 @@ Patch106: 0106-CVE-2023-0217-dsa.patch Patch107: 0107-CVE-2023-0286-X400.patch Patch108: 0108-CVE-2023-0401-pkcs7-md.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2169314 +Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch + License: ASL 2.0 URL: http://www.openssl.org/ BuildRequires: gcc g++ @@ -498,6 +501,8 @@ install -m644 %{SOURCE9} \ * Tue Mar 14 2023 Clemens Lang - 1:3.0.7-7 - Add explicit FIPS indicators to key derivation functions Resolves: rhbz#2175860 rhbz#2175864 +- Zeroize FIPS module integrity check MAC after check + Resolves: rhbz#2175873 * Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 - Fixes RNG slowdown in FIPS mode From 50cb33e688ab6bef3f73d35e3360421578db8a46 Mon Sep 17 00:00:00 2001 
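Review bot: `OPENSSL_cleanse(out, sizeof(out))` in `verify_integrity` clears the whole MAC buffer only if `out` is an array; its declaration is outside the hunk, so confirm it is not a pointer, in which case `sizeof` would give the pointer size. A short comment would also record why the call sits on the shared `err:` path, for example `/* wipe the computed integrity MAC on success and failure alike */`.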
From: Clemens Lang Date: Fri, 17 Feb 2023 18:39:37 +0100 Subject: [PATCH 04/60] GCM: Implement explicit FIPS indicator for IV gen Implementation Guidance for FIPS 140-3 and the Cryptographic Module Verification Program, Section C.H requires guarantees about the uniqueness of key/iv pairs, and proposes a few approaches to ensure this. Provide an indicator for option 2 "The IV may be generated internally at its entirety randomly." Resolves: rhbz#2175868 Signed-off-by: Clemens Lang --- ...t-explicit-FIPS-indicator-for-IV-gen.patch | 101 ++++++++++++++++++ openssl.spec | 4 + 2 files changed, 105 insertions(+) create mode 100644 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch diff --git a/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch b/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch new file mode 100644 index 0000000..5cb8ce4 --- /dev/null +++ b/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch 
@@ -0,0 +1,101 @@ +From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 17 Feb 2023 15:31:08 +0100 +Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen + +Implementation Guidance for FIPS 140-3 and the Cryptographic Module +Verification Program, Section C.H requires guarantees about the +uniqueness of key/iv pairs, and proposes a few approaches to ensure +this. Provide an indicator for option 2 "The IV may be generated +internally at its entirety randomly." + +Resolves: rhbz#2168289 +Signed-off-by: Clemens Lang +--- + include/openssl/core_names.h | 1 + + include/openssl/evp.h | 4 +++ + .../implementations/ciphers/ciphercommon.c | 4 +++ + .../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++ + 4 files changed, 34 insertions(+) + +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 680bfbc7cc..832502a034 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -97,6 +97,7 @@ extern "C" { + #define OSSL_CIPHER_PARAM_CTS_MODE "cts_mode" /* utf8_string */ + /* For passing the AlgorithmIdentifier parameter in DER form */ + #define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS "alg_id_param" /* octet_string */ ++#define OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */ + + #define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \ + "tls1multi_maxsndfrag" /* uint */ +diff --git a/include/openssl/evp.h b/include/openssl/evp.h +index 49e8e1df78..ec2ba46fbd 100644 +--- a/include/openssl/evp.h ++++ b/include/openssl/evp.h +@@ -746,6 +746,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags); + void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags); + int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags); + ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + __owur int 
EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, + const unsigned char *key, const unsigned char *iv); + /*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, +diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c +index fa383165d8..716add7339 100644 +--- a/providers/implementations/ciphers/ciphercommon.c ++++ b/providers/implementations/ciphers/ciphercommon.c +@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = { + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), + OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0), ++ /* normally we would hide this under an #ifdef FIPS_MODULE, but that does ++ * not work in ciphercommon.c because it is compiled only once into ++ * libcommon.a */ ++ OSSL_PARAM_int(OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), + OSSL_PARAM_END + }; + const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params( +diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c +index ed95c97ff4..db7910eb0e 100644 +--- a/providers/implementations/ciphers/ciphercommon_gcm.c ++++ b/providers/implementations/ciphers/ciphercommon_gcm.c +@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) + || !getivgen(ctx, p->data, p->data_size)) + return 0; + } ++ ++ /* We would usually hide this under #ifdef FIPS_MODULE, but ++ * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do ++ * not work here. 
*/ ++ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section C.H requires guarantees about the ++ * uniqueness of key/iv pairs, and proposes a few approaches to ensure ++ * this. This provides an indicator for option 2 "The IV may be ++ * generated internally at its entirety randomly." Note that one of the ++ * conditions of this option is that "The IV length shall be at least ++ * 96 bits (per SP 800-38D)." We do not specically check for this ++ * condition here, because gcm_iv_generate will fail in this case. */ ++ if (ctx->enc && !ctx->iv_gen_rand) ++ fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); ++ return 0; ++ } ++ } ++ + return 1; + } + +-- +2.39.1 + diff --git a/openssl.spec b/openssl.spec index 4b75c23..47f6c92 100644 --- a/openssl.spec +++ b/openssl.spec @@ -168,6 +168,8 @@ Patch108: 0108-CVE-2023-0401-pkcs7-md.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2169314 Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2168289 +Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -503,6 +505,8 @@ install -m644 %{SOURCE9} \ Resolves: rhbz#2175860 rhbz#2175864 - Zeroize FIPS module integrity check MAC after check Resolves: rhbz#2175873 +- Add explicit FIPS indicator for IV generation in AES-GCM + Resolves: rhbz#2175868 * Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 - Fixes RNG slowdown in FIPS mode From d60644ea6a153b5e09d7f5350436a44798c635da Mon Sep 17 00:00:00 2001 
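Review bot: The indicator added to `ossl_gcm_get_ctx_params` is answered by every provider that links this file, not only the FIPS module, because (as both new comments say) the code is compiled once into libcommon.a. A GCM context that does not come from the FIPS provider will therefore also return `EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED` for decryption or for a randomly generated IV, and the comment should state that the value is meaningful only together with a check of which provider supplied the cipher, e.g. `/* Also built into non-FIPS providers; callers must confirm the FIPS provider is in use before relying on this value. */`. `EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED` is defined in evp.h by this patch but is not returned here; presumably an encryption context queried before any IV was generated reports NOT_APPROVED, which is worth documenting as well. The new comment also contains the typo "specically".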
From: Clemens Lang Date: Mon, 6 Mar 2023 13:06:21 +0100 Subject: [PATCH 05/60] Add explicit FIPS indicator for PBKDF2 Also use test vector with FIPS-compliant salt in PBKDF2 FIPS self-test. Resolves: rhbz#2178137 Signed-off-by: Clemens Lang --- ...Use-salt-16-bytes-in-PBKDF2-selftest.patch | 82 +++++++++++++++++++ ...cator-if-pkcs5-param-disabled-checks.patch | 80 ++++++++++++++++++ openssl.spec | 6 ++ 3 files changed, 168 insertions(+) create mode 100644 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch create mode 100644 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch diff --git a/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch b/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch new file mode 100644 index 0000000..3868089 --- /dev/null +++ b/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch 
@@ -0,0 +1,82 @@ +From 56090fca0a0c8b6cf1782aced0a02349358aae7d Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 3 Mar 2023 12:22:03 +0100 +Subject: [PATCH 1/2] fips: Use salt >= 16 bytes in PBKDF2 selftest + +NIST SP 800-132 [1] section 5.1 says "[t]he length of the +randomly-generated portion of the salt shall be at least +128 bits", which implies that the salt for PBKDF2 must be at least 16 +bytes long (see also Appendix A.2.1). + +The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the +properties of the Password and Salt parameters, as well as the desired +length of the Master Key used in a CAST shall be among those supported +by the module in the approved mode." + +As a consequence, the salt length in the self test must be at least 16 +bytes long for FIPS 140-3 compliance. Switch the self test to use the +only test vector from RFC 6070 that uses salt that is long enough to +fulfil this requirement. Since RFC 6070 does not provide expected +results for PBKDF2 with HMAC-SHA256, use the output from [3], which was +generated with python cryptography, which was tested against the RFC +6070 vectors with HMAC-SHA1. 
+ + [1]: https://doi.org/10.6028/NIST.SP.800-132 + [2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf + [3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md + +Signed-off-by: Clemens Lang + +Reviewed-by: Paul Dale +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/20429) + +(cherry picked from commit 451cb23c41c90d5a02902b3a77551aa9ee1c6956) +--- + providers/fips/self_test_data.inc | 22 ++++++++++++++++------ + 1 file changed, 16 insertions(+), 6 deletions(-) + +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index 8ae8cd6f4a..03adf28f3c 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -361,19 +361,29 @@ static const ST_KAT_PARAM x963kdf_params[] = { + }; + + static const char pbkdf2_digest[] = "SHA256"; ++/* ++ * Input parameters from RFC 6070, vector 5 (because it is the only one with ++ * a salt >= 16 bytes, which NIST SP 800-132 section 5.1 requires). The ++ * expected output is taken from ++ * https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md, ++ * which ran these test vectors with SHA-256. 
++ */ + static const unsigned char pbkdf2_password[] = { +- 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72, +- 0x64 ++ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x50, 0x41, 0x53, 0x53, ++ 0x57, 0x4f, 0x52, 0x44, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64 + }; + static const unsigned char pbkdf2_salt[] = { +- 0x73, 0x61, 0x00, 0x6c, 0x74 ++ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, ++ 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, ++ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74 + }; + static const unsigned char pbkdf2_expected[] = { +- 0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89, +- 0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87, ++ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8, ++ 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18, ++ 0x1c + }; + static int pbkdf2_iterations = 4096; +-static int pbkdf2_pkcs5 = 1; ++static int pbkdf2_pkcs5 = 0; + static const ST_KAT_PARAM pbkdf2_params[] = { + ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, pbkdf2_digest), + ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_PASSWORD, pbkdf2_password), +-- +2.39.2 + diff --git a/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch b/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch new file mode 100644 index 0000000..2e869e2 --- /dev/null +++ b/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch 
@@ -0,0 +1,80 @@ +From fa96a2f493276e7a57512e8c3d535052586f1525 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 6 Mar 2023 12:32:04 +0100 +Subject: [PATCH 2/2] pbdkf2: Set indicator if pkcs5 param disabled checks + +The pbkdf2 implementation in the FIPS provider supports the checks +required by NIST, but allows disabling these checks by setting the +OSSL_KDF_PARAM_PKCS5 parameter to 1. The implementation must indicate +that the use of this configuration is not approved in FIPS mode. Add an +explicit indicator to provide this indication. + +Resolves: rhbz#2175145 +Signed-off-by: Clemens Lang +--- + providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++-- + 1 file changed, 37 insertions(+), 3 deletions(-) + +diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c +index aa0adce5e6..6df8c6d321 100644 +--- a/providers/implementations/kdfs/pbkdf2.c ++++ b/providers/implementations/kdfs/pbkdf2.c +@@ -251,11 +251,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx, + + static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { ++#ifdef FIPS_MODULE ++ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ ++ ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) ++ != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ /* The lower_bound_checks parameter enables checks required by FIPS. If ++ * those checks are disabled, the PBKDF2 implementation will also ++ * support non-approved parameters (e.g., salt lengths < 16 bytes, see ++ * NIST SP 800-132 section 5.1). 
*/ ++ if (!ctx->lower_bound_checks) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ ++ any_valid = 1; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, +@@ -263,6 +294,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +-- +2.39.2 + diff --git a/openssl.spec b/openssl.spec index 47f6c92..baa961c 100644 --- a/openssl.spec +++ b/openssl.spec @@ -170,6 +170,9 @@ Patch108: 0108-CVE-2023-0401-pkcs7-md.patch Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2168289 Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2175145 +Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch +Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -507,6 +510,9 @@ install -m644 %{SOURCE9} \ Resolves: rhbz#2175873 - Add explicit FIPS indicator for IV generation in AES-GCM Resolves: rhbz#2175868 +- Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant + salt in PBKDF2 FIPS self-test + Resolves: rhbz#2178137 * Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 - Fixes RNG slowdown in FIPS mode From d2996a9b033f72a68da8abfeb41dbf00ba43c8be Mon Sep 17 00:00:00 2001 
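Review bot: `kdf_pbkdf2_get_ctx_params` derives the indicator from `ctx->lower_bound_checks` as it stands at query time, so the answer describes the current setting rather than the derivations already made with this context. A caller that derives with the pkcs5 parameter set to 1 and switches it back before querying would read APPROVED, whereas the other KDF patches in this series latch `output_keylen_indicator` inside the derive function so that a key that "has ever been shorter" stays flagged. Either latch the state in the derive function in the same way or document the expected call order, e.g. `/* Reflects the current setting; query right after EVP_KDF_derive(). */`. Minor: `any_valid = 1` is assigned after `OSSL_PARAM_set_int` here and before it in the other getters.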
From: Dmitry Belyavskiy Date: Wed, 15 Feb 2023 17:16:58 +0100 Subject: [PATCH 06/60] Limit RSA_NO_PADDING for encryption and signature in FIPS mode Resolves: rhbz#2178029 --- 0058-FIPS-limit-rsa-encrypt.patch | 2 +- 0088-signature-Add-indicator-for-PSS-salt-length.patch | 8 +++++++- openssl.spec | 2 ++ 3 files changed, 10 insertions(+), 2 deletions(-) diff --git a/0058-FIPS-limit-rsa-encrypt.patch b/0058-FIPS-limit-rsa-encrypt.patch index 6dcf7c0..b9cc3aa 100644 --- a/0058-FIPS-limit-rsa-encrypt.patch +++ b/0058-FIPS-limit-rsa-encrypt.patch @@ -19,7 +19,7 @@ diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pa +# ifdef FIPS_MODULE +static int fips_padding_allowed(const PROV_RSA_CTX *prsactx) +{ -+ if (prsactx->pad_mode == RSA_PKCS1_PADDING ++ if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING + || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) + return 0; + diff --git a/0088-signature-Add-indicator-for-PSS-salt-length.patch b/0088-signature-Add-indicator-for-PSS-salt-length.patch index 97a0679..20024d3 100644 --- a/0088-signature-Add-indicator-for-PSS-salt-length.patch +++ b/0088-signature-Add-indicator-for-PSS-salt-length.patch @@ -35,6 +35,9 @@ EVP_PKEY_CTX_get_params() with the OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR parameter. +We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch. +Dmitry Belyavskiy + Signed-off-by: Clemens Lang --- include/openssl/core_names.h | 1 + @@ -73,7 +76,7 @@ diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implement index 49e7f9158a..0c45008a00 100644 --- a/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c -@@ -1127,6 +1127,21 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) +@@ -1127,6 +1127,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) } } 
@@ -87,6 +90,9 @@ index 49e7f9158a..0c45008a00 100644 + } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) { + fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + } ++ } else if (prsactx->pad_mode == RSA_NO_PADDING) { ++ if (prsactx->md == NULL) /* Should always be the case */ ++ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + } + return OSSL_PARAM_set_int(p, fips_indicator); + } diff --git a/openssl.spec b/openssl.spec index baa961c..3aed55f 100644 --- a/openssl.spec +++ b/openssl.spec @@ -513,6 +513,8 @@ install -m644 %{SOURCE9} \ - Add explicit FIPS indicator for PBKDF2, use test vector with FIPS-compliant salt in PBKDF2 FIPS self-test Resolves: rhbz#2178137 +- Limit RSA_NO_PADDING for encryption and signature in FIPS mode + Resolves: rhbz#2178029 * Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 - Fixes RNG slowdown in FIPS mode From fa195e46a2ca5faaee8e954ac219044af63f10a5 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 20 Feb 2023 15:30:43 +0100 Subject: [PATCH 07/60] Pairwise consistency tests should use Digest+Sign/Verify Resolves: rhbz#2178034 --- 0044-FIPS-140-3-keychecks.patch | 263 ++++++++++++++++++ ...Selectively-disallow-SHA1-signatures.patch | 2 +- openssl.spec | 2 + 3 files changed, 266 insertions(+), 1 deletion(-) diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch index a0ec627..3419495 100644 --- a/0044-FIPS-140-3-keychecks.patch +++ b/0044-FIPS-140-3-keychecks.patch 
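Review bot: In the new `RSA_NO_PADDING` branch of rsa_get_ctx_params(), the indicator only becomes NOT_APPROVED when `prsactx->md == NULL`, which the inline comment says should always be the case. If a digest can ever be set together with RSA_NO_PADDING, the context would still be reported as approved, which is the unsafe direction for an indicator to fail. Since the commit's stated intent is to limit RSA_NO_PADDING for signatures in FIPS mode, the branch could drop the inner test and set `fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;` unconditionally. The function starts outside this hunk, so whether `md` can be non-NULL in this mode needs checking against the code that sets the padding mode and digest.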
@@ -185,3 +185,266 @@ diff -up openssl-3.0.1/crypto/rsa/rsa_gen.c.fips3 openssl-3.0.1/crypto/rsa/rsa_g return ret; } +diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c +--- openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise 2023-02-20 11:44:18.451884117 +0100 ++++ openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c 2023-02-20 12:39:46.037063842 +0100 +@@ -982,8 +982,17 @@ struct ec_gen_ctx { + int selection; + int ecdh_mode; + EC_GROUP *gen_group; ++#ifdef FIPS_MODULE ++ void *ecdsa_sig_ctx; ++#endif + }; + ++#ifdef FIPS_MODULE ++void *ecdsa_newctx(void *provctx, const char *propq); ++void ecdsa_freectx(void *vctx); ++int do_ec_pct(void *, const char *, void *); ++#endif ++ + static void *ec_gen_init(void *provctx, int selection, + const OSSL_PARAM params[]) + { +@@ -1002,6 +1011,10 @@ static void *ec_gen_init(void *provctx, + OPENSSL_free(gctx); + gctx = NULL; + } ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL); ++#endif + return gctx; + } + +@@ -1272,6 +1285,12 @@ static void *ec_gen(void *genctx, OSSL_C + + if (gctx->ecdh_mode != -1) + ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0 ++ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1) ++ goto err; ++#endif + + if (gctx->group_check != NULL) + ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check); +@@ -1341,7 +1359,10 @@ static void ec_gen_cleanup(void *genctx) + + if (gctx == NULL) + return; +- ++#ifdef FIPS_MODULE ++ ecdsa_freectx(gctx->ecdsa_sig_ctx); ++ gctx->ecdsa_sig_ctx = NULL; ++#endif + EC_GROUP_free(gctx->gen_group); + BN_free(gctx->p); + BN_free(gctx->a); +diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise 
openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c +--- openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise 2023-02-20 11:50:23.035194347 +0100 ++++ openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c 2023-02-20 12:19:10.809768979 +0100 +@@ -32,7 +32,7 @@ + #include "crypto/ec.h" + #include "prov/der_ec.h" + +-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx; ++OSSL_FUNC_signature_newctx_fn ecdsa_newctx; + static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init; + static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init; + static OSSL_FUNC_signature_sign_fn ecdsa_sign; +@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_f + static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init; + static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update; + static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final; +-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx; ++OSSL_FUNC_signature_freectx_fn ecdsa_freectx; + static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx; + static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params; + static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params; +@@ -104,7 +104,7 @@ typedef struct { + #endif + } PROV_ECDSA_CTX; + +-static void *ecdsa_newctx(void *provctx, const char *propq) ++void *ecdsa_newctx(void *provctx, const char *propq) + { + PROV_ECDSA_CTX *ctx; + +@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx + return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen); + } + +-static void ecdsa_freectx(void *vctx) ++void ecdsa_freectx(void *vctx) + { + PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; + +@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ + return EVP_MD_settable_ctx_params(ctx->md); + } + ++#ifdef FIPS_MODULE ++int do_ec_pct(void *vctx, const char *mdname, void *ec) ++{ ++ static const char data[32]; ++ unsigned char sigbuf[256]; ++ size_t siglen = sizeof(sigbuf); ++ ++ 
if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) ++ return 0; ++ ++ return 1; ++} ++#endif ++ + const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, +diff -up openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c +--- openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise 2023-02-20 16:04:27.103364713 +0100 ++++ openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c 2023-02-20 16:14:13.848119419 +0100 +@@ -434,6 +434,7 @@ struct rsa_gen_ctx { + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + /* ACVP test parameters */ + OSSL_PARAM *acvp_test_params; ++ void *prov_rsa_ctx; + #endif + }; + +@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GE + return gctx->cb(params, gctx->cbarg); + } + ++#ifdef FIPS_MODULE ++void *rsa_newctx(void *provctx, const char *propq); ++void rsa_freectx(void *vctx); ++int do_rsa_pct(void *, const char *, void *); ++#endif ++ + static void *gen_init(void *provctx, int selection, int rsa_type, + const OSSL_PARAM params[]) + { +@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int + + if (!rsa_gen_set_params(gctx, params)) + goto err; ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL); ++#endif + return gctx; + + err: +@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_ + + rsa = rsa_tmp; + rsa_tmp = NULL; ++#ifdef 
FIPS_MODULE ++ /* Pairwise consistency test */ ++ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) ++ goto err; ++#endif + err: + BN_GENCB_free(gencb); + RSA_free(rsa_tmp); +@@ -645,6 +662,8 @@ static void rsa_gen_cleanup(void *genctx + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params); + gctx->acvp_test_params = NULL; ++ rsa_freectx(gctx->prov_rsa_ctx); ++ gctx->prov_rsa_ctx = NULL; + #endif + BN_clear_free(gctx->pub_exp); + OPENSSL_free(gctx); +diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/rsa_sig.c +--- openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise 2023-02-20 16:04:22.548327811 +0100 ++++ openssl-3.0.7/providers/implementations/signature/rsa_sig.c 2023-02-20 16:17:50.064871695 +0100 +@@ -36,7 +36,7 @@ + + #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 + +-static OSSL_FUNC_signature_newctx_fn rsa_newctx; ++OSSL_FUNC_signature_newctx_fn rsa_newctx; + static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; + static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; + static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; +@@ -49,7 +49,7 @@ static OSSL_FUNC_signature_digest_sign_f + static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; + static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update; + static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; +-static OSSL_FUNC_signature_freectx_fn rsa_freectx; ++OSSL_FUNC_signature_freectx_fn rsa_freectx; + static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; + static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; + static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; +@@ -172,7 +172,7 @@ static int rsa_check_parameters(PROV_RSA + return 1; + } + +-static void *rsa_newctx(void *provctx, const char *propq) ++void *rsa_newctx(void 
*provctx, const char *propq) + { + PROV_RSA_CTX *prsactx = NULL; + char *propq_copy = NULL; +@@ -990,7 +990,7 @@ int rsa_digest_verify_final(void *vprsac + return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen); + } + +-static void rsa_freectx(void *vprsactx) ++void rsa_freectx(void *vprsactx) + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + +@@ -1504,6 +1504,35 @@ static const OSSL_PARAM *rsa_settable_ct + return EVP_MD_settable_ctx_params(prsactx->md); + } + ++#ifdef FIPS_MODULE ++int do_rsa_pct(void *vctx, const char *mdname, void *rsa) ++{ ++ static const char data[32]; ++ unsigned char sigbuf[256]; ++ size_t siglen = sizeof(sigbuf); ++ ++ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0) ++ return 0; ++ ++ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0) ++ return 0; ++ ++ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0) ++ return 0; ++ ++ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) ++ return 0; ++ ++ return 1; ++} ++#endif ++ + const OSSL_DISPATCH ossl_rsa_signature_functions[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, diff --git a/0049-Selectively-disallow-SHA1-signatures.patch b/0049-Selectively-disallow-SHA1-signatures.patch index f18e099..d453f97 100644 --- a/0049-Selectively-disallow-SHA1-signatures.patch +++ b/0049-Selectively-disallow-SHA1-signatures.patch @@ -399,7 +399,7 @@ index 325e855333..bea397f0c1 100644 #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 +#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256 - static OSSL_FUNC_signature_newctx_fn rsa_newctx; + OSSL_FUNC_signature_newctx_fn rsa_newctx; static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; 
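Review bot: `prov_rsa_ctx` is declared in struct rsa_gen_ctx inside `#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)`, but gen_init() and rsa_gen() use it under plain `#ifdef FIPS_MODULE`. A FIPS build with OPENSSL_NO_ACVP_TESTS defined would therefore not compile, and the `rsa_freectx(gctx->prov_rsa_ctx)` added to rsa_gen_cleanup() sits under the ACVP guard too, so the field, its use and its release do not share one condition. Give the field its own guard, `#ifdef FIPS_MODULE` / `void *prov_rsa_ctx;` / `#endif`, and move the free in rsa_gen_cleanup() under the same guard. Separately, the results of `rsa_newctx()` and `ecdsa_newctx()` are stored without a NULL check, so an allocation failure would presumably only surface later as a failed pairwise test.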
@@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, diff --git a/openssl.spec b/openssl.spec index 3aed55f..e9d0d99 100644 --- a/openssl.spec +++ b/openssl.spec @@ -515,6 +515,8 @@ install -m644 %{SOURCE9} \ Resolves: rhbz#2178137 - Limit RSA_NO_PADDING for encryption and signature in FIPS mode Resolves: rhbz#2178029 +- Pairwise consistency tests should use Digest+Sign/Verify + Resolves: rhbz#2178034 * Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 - Fixes RNG slowdown in FIPS mode From dd6f0d33c842f33db6d00444551681ec76cf83bd Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 22 Feb 2023 16:22:19 +0100 Subject: [PATCH 08/60] Remove previous low-level PCT Related: rhbz#2168324 --- 0044-FIPS-140-3-keychecks.patch | 96 --------------------------------- 1 file changed, 96 deletions(-) diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch index 3419495..6c69089 100644 --- a/0044-FIPS-140-3-keychecks.patch +++ b/0044-FIPS-140-3-keychecks.patch 
@@ -89,102 +89,6 @@ diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 open retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); -diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c ---- openssl-3.0.1/crypto/ec/ec_key.c.fips3 2022-07-25 14:03:34.420222507 +0200 -+++ openssl-3.0.1/crypto/ec/ec_key.c 2022-07-25 14:09:00.728164294 +0200 -@@ -336,6 +336,11 @@ static int ec_generate_key(EC_KEY *eckey - - OSSL_SELF_TEST_get_callback(eckey->libctx, &cb, &cbarg); - ok = ecdsa_keygen_pairwise_test(eckey, cb, cbarg); -+ -+#ifdef FIPS_MODULE -+ ok &= ossl_ec_key_public_check(eckey, ctx); -+ ok &= ossl_ec_key_pairwise_check(eckey, ctx); -+#endif /* FIPS_MODULE */ - } - err: - /* Step (9): If there is an error return an invalid keypair. */ -diff -up openssl-3.0.1/crypto/rsa/rsa_gen.c.fips3 openssl-3.0.1/crypto/rsa/rsa_gen.c ---- openssl-3.0.1/crypto/rsa/rsa_gen.c.fips3 2022-07-25 17:02:17.807271297 +0200 -+++ openssl-3.0.1/crypto/rsa/rsa_gen.c 2022-07-25 17:18:24.931959649 +0200 -@@ -23,6 +23,7 @@ - #include - #include "internal/cryptlib.h" - #include -+#include - #include - #include "prov/providercommon.h" - #include "rsa_local.h" -@@ -476,52 +476,43 @@ static int rsa_keygen(OSSL_LIB_CTX *libc - static int rsa_keygen_pairwise_test(RSA *rsa, OSSL_CALLBACK *cb, void *cbarg) - { - int ret = 0; -- unsigned int ciphertxt_len; -- unsigned char *ciphertxt = NULL; -- const unsigned char plaintxt[16] = {0}; -- unsigned char *decoded = NULL; -- unsigned int decoded_len; -- unsigned int plaintxt_len = (unsigned int)sizeof(plaintxt_len); -- int padding = RSA_PKCS1_PADDING; -+ unsigned int signature_len; -+ unsigned char *signature = NULL; - OSSL_SELF_TEST *st = NULL; -+ static const unsigned char dgst[] = { -+ 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, -+ 0x48, 0xa1, 0xd6, 0x5d, 0xfc, 0x2d, 0x4b, 0x1f, 0xa3, 0xd6, 0x77, 0x28, -+ 0x4a, 0xdd, 0xd2, 0x00, 0x12, 0x6d, 0x90, 0x69 -+ }; - - st = 
OSSL_SELF_TEST_new(cb, cbarg); - if (st == NULL) - goto err; - OSSL_SELF_TEST_onbegin(st, OSSL_SELF_TEST_TYPE_PCT, -+ /* No special name for RSA signature PCT*/ - OSSL_SELF_TEST_DESC_PCT_RSA_PKCS1); - -- ciphertxt_len = RSA_size(rsa); -+ signature_len = RSA_size(rsa); -- /* -- * RSA_private_encrypt() and RSA_private_decrypt() requires the 'to' -- * parameter to be a maximum of RSA_size() - allocate space for both. -- */ -- ciphertxt = OPENSSL_zalloc(ciphertxt_len * 2); -- if (ciphertxt == NULL) -+ signature = OPENSSL_zalloc(signature_len); -+ if (signature == NULL) - goto err; -- decoded = ciphertxt + ciphertxt_len; - -- ciphertxt_len = RSA_public_encrypt(plaintxt_len, plaintxt, ciphertxt, rsa, -- padding); -- if (ciphertxt_len <= 0) -+ if (RSA_sign(NID_sha256, dgst, sizeof(dgst), signature, &signature_len, rsa) <= 0) - goto err; -- if (ciphertxt_len == plaintxt_len -- && memcmp(ciphertxt, plaintxt, plaintxt_len) == 0) -+ -+ if (signature_len <= 0) - goto err; - -- OSSL_SELF_TEST_oncorrupt_byte(st, ciphertxt); -+ OSSL_SELF_TEST_oncorrupt_byte(st, signature); - -- decoded_len = RSA_private_decrypt(ciphertxt_len, ciphertxt, decoded, rsa, -- padding); -- if (decoded_len != plaintxt_len -- || memcmp(decoded, plaintxt, decoded_len) != 0) -+ if (RSA_verify(NID_sha256, dgst, sizeof(dgst), signature, signature_len, rsa) <= 0) - goto err; - - ret = 1; - err: - OSSL_SELF_TEST_onend(st, ret); - OSSL_SELF_TEST_free(st); -- OPENSSL_free(ciphertxt); -+ OPENSSL_free(signature); - - return ret; - } diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c --- openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise 2023-02-20 11:44:18.451884117 +0100 +++ openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c 2023-02-20 12:39:46.037063842 +0100 From 960e6deebf9ad0e96ff10ba8dbf19f8eb29e8385 Mon Sep 17 00:00:00 2001 
From: Dmitry Belyavskiy Date: Thu, 23 Feb 2023 14:39:15 +0100 Subject: [PATCH 09/60] Abort on PCT failure Related: rhbz#2168324 --- 0044-FIPS-140-3-keychecks.patch | 30 ++++++++++++++++++++---------- 1 file changed, 20 insertions(+), 10 deletions(-) diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch index 6c69089..ba2818c 100644 --- a/0044-FIPS-140-3-keychecks.patch +++ b/0044-FIPS-140-3-keychecks.patch @@ -129,7 +129,7 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope + /* Pairwise consistency test */ + if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0 + && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1) -+ goto err; ++ abort(); +#endif if (gctx->group_check != NULL) @@ -263,7 +263,7 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise op +#ifdef FIPS_MODULE + /* Pairwise consistency test */ + if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) -+ goto err; ++ abort(); +#endif err: BN_GENCB_free(gencb); @@ -316,7 +316,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; -@@ -1504,6 +1504,35 @@ static const OSSL_PARAM *rsa_settable_ct +@@ -1504,6 +1504,45 @@ static const OSSL_PARAM *rsa_settable_ct return EVP_MD_settable_ctx_params(prsactx->md); } @@ -324,8 +324,9 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op +int do_rsa_pct(void *vctx, const char *mdname, void *rsa) +{ + static const char data[32]; -+ unsigned char sigbuf[256]; -+ size_t siglen = sizeof(sigbuf); ++ unsigned char *sigbuf = NULL; ++ size_t siglen = 0; ++ int ret = 0; + + if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0) + return 0; 
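Review bot: Calling `abort()` whenever `do_ec_pct()` or `do_rsa_pct()` returns anything other than 1 also terminates the host process for failures that are not a key mismatch. The reworked `do_rsa_pct()` returns 0 when `OPENSSL_malloc(siglen)` fails or when an init or update call fails. This applies to both the ec_gen hunk (`@@ -129,7 +129,7 @@`) and the rsa_gen hunk (`@@ -263,7 +263,7 @@`), and to the DH pairwise check that a later commit on this page also switches to `abort()`. If terminating is a deliberate requirement for a failed pairwise consistency test, say so next to the call, e.g. `/* PCT failure is fatal in the FIPS module: never return the key */`, and consider having the helpers distinguish resource errors from a verification failure so that only the latter is fatal. ec_gen() and rsa_gen() are only partly visible here, so whether `<stdlib.h>` is already included for `abort()` could not be checked.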
@@ -333,19 +334,28 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op + if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) + return 0; + -+ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0) ++ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0) + return 0; + -+ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0) ++ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL) + return 0; + ++ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0) ++ goto err; ++ + if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) -+ return 0; ++ goto err; + + if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) -+ return 0; ++ goto err; ++ ret = 1; + -+ return 1; ++ err: ++ OPENSSL_free(sigbuf); ++ return ret; +} +#endif + From bfdbb139b4fc306a5b04e806f8124bee6851c5d9 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Thu, 9 Mar 2023 14:26:19 +0100 Subject: [PATCH 10/60] Disable DHX keys completely in FIPS mode Resolves: rhbz#2178030 --- 0093-FIPS-nodhx.patch | 90 +++++++++++++++++++++++++++++++++++++++++++ openssl.spec | 4 ++ 2 files changed, 94 insertions(+) create mode 100644 0093-FIPS-nodhx.patch diff --git a/0093-FIPS-nodhx.patch b/0093-FIPS-nodhx.patch new file mode 100644 index 0000000..1a20aa3 --- /dev/null +++ b/0093-FIPS-nodhx.patch 
@@ -0,0 +1,90 @@ +diff -up openssl-3.0.7/providers/fips/fipsprov.c.nodhx openssl-3.0.7/providers/fips/fipsprov.c +--- openssl-3.0.7/providers/fips/fipsprov.c.nodhx 2023-03-09 13:02:21.621694715 +0100 ++++ openssl-3.0.7/providers/fips/fipsprov.c 2023-03-09 13:02:34.001791831 +0100 +@@ -486,8 +486,8 @@ static const OSSL_ALGORITHM fips_keymgmt + #ifndef OPENSSL_NO_DH + { PROV_NAMES_DH, FIPS_DEFAULT_PROPERTIES, ossl_dh_keymgmt_functions, + PROV_DESCS_DH }, +- { PROV_NAMES_DHX, FIPS_DEFAULT_PROPERTIES, ossl_dhx_keymgmt_functions, +- PROV_DESCS_DHX }, ++/* { PROV_NAMES_DHX, FIPS_DEFAULT_PROPERTIES, ossl_dhx_keymgmt_functions, ++ PROV_DESCS_DHX }, */ + #endif + #ifndef OPENSSL_NO_DSA + /* We don't certify DSA in our FIPS provider */ +diff -up openssl-3.0.7/test/endecode_test.c.nodhx openssl-3.0.7/test/endecode_test.c +--- openssl-3.0.7/test/endecode_test.c.nodhx 2023-03-09 13:39:10.826000162 +0100 ++++ openssl-3.0.7/test/endecode_test.c 2023-03-09 13:41:26.533073598 +0100 +@@ -1356,7 +1358,9 @@ int setup_tests(void) + #ifndef OPENSSL_NO_DH + TEST_info("Generating DH keys..."); + MAKE_DOMAIN_KEYS(DH, "DH", NULL); ++if (is_fips == 0) { + MAKE_DOMAIN_KEYS(DHX, "X9.42 DH", NULL); ++} + #endif + #ifndef OPENSSL_NO_DSA + TEST_info("Generating DSA keys..."); +@@ -1386,8 +1390,10 @@ int setup_tests(void) + #ifndef OPENSSL_NO_DH + ADD_TEST_SUITE(DH); + ADD_TEST_SUITE_PARAMS(DH); ++if (is_fips == 0) { + ADD_TEST_SUITE(DHX); + ADD_TEST_SUITE_PARAMS(DHX); ++} + /* + * DH has no support for PEM_write_bio_PrivateKey_traditional(), + * so no legacy tests. 
+@@ -1465,7 +1471,9 @@ void cleanup_tests(void) + + #ifndef OPENSSL_NO_DH + FREE_DOMAIN_KEYS(DH); ++if (is_fips == 0) { + FREE_DOMAIN_KEYS(DHX); ++} + #endif + #ifndef OPENSSL_NO_DSA + FREE_DOMAIN_KEYS(DSA); +diff -up openssl-3.0.7/test/recipes/80-test_cms.t.nodhx openssl-3.0.7/test/recipes/80-test_cms.t +--- openssl-3.0.7/test/recipes/80-test_cms.t.nodhx 2023-03-09 13:31:36.851432859 +0100 ++++ openssl-3.0.7/test/recipes/80-test_cms.t 2023-03-09 13:32:35.987888417 +0100 +@@ -869,6 +869,8 @@ sub check_availability { + if ($no_ec2m && $tnam =~ /K-283/); + return "$tnam: skipped, DH disabled\n" + if ($no_dh && $tnam =~ /X9\.42/); ++ return "$tnam: skipped, DHX disabled in RHEL\n" ++ if ($provname eq 'fips' && $tnam =~ /X9\.42/); + return "$tnam: skipped, RC2 disabled\n" + if ($no_rc2 && $tnam =~ /RC2/); + return "$tnam: skipped, DES disabled\n" +diff -up openssl-3.0.7/providers/implementations/exchange/dh_exch.c.nodhx openssl-3.0.7/providers/implementations/exchange/dh_exch.c +--- openssl-3.0.7/providers/implementations/exchange/dh_exch.c.nodhx 2023-03-09 16:33:07.092040809 +0100 ++++ openssl-3.0.7/providers/implementations/exchange/dh_exch.c 2023-03-09 16:42:30.594837565 +0100 +@@ -102,6 +102,11 @@ static int dh_init(void *vpdhctx, void * + || vdh == NULL + || !DH_up_ref(vdh)) + return 0; ++#ifdef FIPS_MODULE ++ if (ossl_ffc_numbers_to_dh_named_group(DH_get0_p(vdh), ++ DH_get0_q(vdh), DH_get0_g(vdh)) == NULL) ++ return 0; ++#endif + DH_free(pdhctx->dh); + pdhctx->dh = vdh; + pdhctx->kdf_type = PROV_DH_KDF_NONE; +diff -up openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c.nodhx openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c +--- openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c.nodhx 2023-03-09 15:38:04.024555943 +0100 ++++ openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c 2023-03-09 16:32:04.142490068 +0100 +@@ -498,6 +499,11 @@ static int dh_gen_set_template(void *gen + + if (!ossl_prov_is_running() || gctx == NULL || dh == 
NULL) + return 0; ++#ifdef FIPS_MODULE ++ if (ossl_ffc_numbers_to_dh_named_group(DH_get0_p(dh), ++ DH_get0_q(dh), DH_get0_g(dh)) == NULL) ++ return 0; ++#endif + gctx->ffc_params = ossl_dh_get0_params(dh); + return 1; + } diff --git a/openssl.spec b/openssl.spec index e9d0d99..26153ce 100644 --- a/openssl.spec +++ b/openssl.spec @@ -155,6 +155,8 @@ Patch90: 0090-signature-Clamp-PSS-salt-len-to-MD-len.patch Patch91: 0091-FIPS-RSA-encapsulate.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2142517 Patch92: 0092-provider-improvements.patch +# FIPS-95 +Patch93: 0093-FIPS-nodhx.patch # OpenSSL 3.0.8 CVEs Patch101: 0101-CVE-2022-4203-nc-match.patch @@ -517,6 +519,8 @@ install -m644 %{SOURCE9} \ Resolves: rhbz#2178029 - Pairwise consistency tests should use Digest+Sign/Verify Resolves: rhbz#2178034 +- Forbid DHX keys import in FIPS mode + Resolves: rhbz#2178030 * Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 - Fixes RNG slowdown in FIPS mode From fb4b72ff2f98c7cf07e9cc410fbb9f685e3f2b1f Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 10 Mar 2023 12:36:43 +0100 Subject: [PATCH 11/60] DH PCT should abort on failure Resolves: rhbz#2178039 --- 0044-FIPS-140-3-keychecks.patch | 6 ++---- openssl.spec | 2 ++ 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch index ba2818c..6b77eb4 100644 --- a/0044-FIPS-140-3-keychecks.patch +++ b/0044-FIPS-140-3-keychecks.patch @@ -35,7 +35,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -@@ -354,8 +367,23 @@ static int generate_key(DH *dh) +@@ -354,8 +367,21 @@ static int generate_key(DH *dh) if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key)) goto err; 
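Review bot: In dh_init() (dh_exch.c) the new FIPS check returns 0 after `DH_up_ref(vdh)` has already succeeded, so a key whose parameters are not a named group leaves with one extra reference that nothing visible in the hunk releases. The DH object, including any private key it holds, would then never be freed. Either run the `ossl_ffc_numbers_to_dh_named_group()` check before taking the reference, or release it on the rejection path with `{ DH_free(vdh); return 0; }`. Neither this check nor the matching one in dh_gen_set_template() raises an error, so callers get a bare failure with no reason on the error queue. dh_init() starts and ends outside the hunk.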
@@ -50,9 +50,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c dh->priv_key = priv_key; +#ifdef FIPS_MODULE + if (ossl_dh_check_pairwise(dh) <= 0) { -+ dh->pub_key = dh->priv_key = NULL; -+ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID); -+ goto err; ++ abort(); + } +#endif + diff --git a/openssl.spec b/openssl.spec index 26153ce..d0fa72a 100644 --- a/openssl.spec +++ b/openssl.spec @@ -521,6 +521,8 @@ install -m644 %{SOURCE9} \ Resolves: rhbz#2178034 - Forbid DHX keys import in FIPS mode Resolves: rhbz#2178030 +- DH PCT should abort on failure + Resolves: rhbz#2178039 * Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 - Fixes RNG slowdown in FIPS mode From 6eb72dd621162b57d02615814684e8d18e58e235 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 13 Mar 2023 12:35:42 +0100 Subject: [PATCH 12/60] Increase RNG seeding buffer size to 32 Related: rhbz#2168224 --- 0076-FIPS-140-3-DRBG.patch | 12 ++++++++++++ openssl.spec | 2 ++ 2 files changed, 14 insertions(+) diff --git a/0076-FIPS-140-3-DRBG.patch b/0076-FIPS-140-3-DRBG.patch index 8f97a6a..4a276f7 100644 --- a/0076-FIPS-140-3-DRBG.patch +++ b/0076-FIPS-140-3-DRBG.patch @@ -143,3 +143,15 @@ diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl- if (bytes_needed < min_len) bytes_needed = min_len; if (bytes_needed > max_len) +diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h +--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100 ++++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100 +@@ -38,7 +38,7 @@ + * + * The value is in bytes. + */ +-#define CRNGT_BUFSIZ 16 ++#define CRNGT_BUFSIZ 32 + + /* + * Maximum input size for the DRBG (entropy, nonce, personalization string) diff --git a/openssl.spec b/openssl.spec index d0fa72a..0440475 100644 --- a/openssl.spec 
+++ b/openssl.spec @@ -523,6 +523,8 @@ install -m644 %{SOURCE9} \ Resolves: rhbz#2178030 - DH PCT should abort on failure Resolves: rhbz#2178039 +- Increase RNG seeding buffer size to 32 + Related: rhbz#2168224 * Wed Mar 08 2023 Dmitry Belyavskiy - 1:3.0.7-6 - Fixes RNG slowdown in FIPS mode From e5f783d5529157f689df56d6f43aa7151fb25748 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Thu, 16 Mar 2023 14:08:53 +0100 Subject: [PATCH 13/60] Fix Wpointer-sign compiler warning ``` providers/implementations/signature/ecdsa_sig.c: scope_hint: In function 'do_ec_pct' providers/implementations/signature/ecdsa_sig.c:594:46: warning[-Wpointer-sign]: pointer targets in passing argument 2 of 'ecdsa_digest_signverify_update' differ in signedness providers/implementations/signature/ecdsa_sig.c:325:69: note: expected 'const unsigned char *' but argument is of type 'const char *' ``` ``` providers/implementations/signature/rsa_sig.c: scope_hint: In function 'do_rsa_pct' providers/implementations/signature/rsa_sig.c:1518:44: warning[-Wpointer-sign]: pointer targets in passing argument 2 of 'rsa_digest_signverify_update' differ in signedness providers/implementations/signature/rsa_sig.c:910:62: note: expected 'const unsigned char *' but argument is of type 'const char *' ``` Resolves: rhbz#2178034 Signed-off-by: Clemens Lang --- 0044-FIPS-140-3-keychecks.patch | 4 ++-- openssl.spec | 6 +++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch index 6b77eb4..38efa07 100644 --- a/0044-FIPS-140-3-keychecks.patch +++ b/0044-FIPS-140-3-keychecks.patch @@ -190,7 +190,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise +#ifdef FIPS_MODULE +int do_ec_pct(void *vctx, const char *mdname, void *ec) +{ -+ static const char data[32]; ++ static const unsigned char data[32]; + unsigned char sigbuf[256]; + size_t siglen = sizeof(sigbuf); + 
@@ -321,7 +321,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op +#ifdef FIPS_MODULE +int do_rsa_pct(void *vctx, const char *mdname, void *rsa) +{ -+ static const char data[32]; ++ static const unsigned char data[32]; + unsigned char *sigbuf = NULL; + size_t siglen = 0; + int ret = 0; diff --git a/openssl.spec b/openssl.spec index 0440475..50a3bb4 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 7%{?dist} +Release: 8%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -505,6 +505,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Thu Mar 16 2023 Clemens Lang - 1:3.0.7-8 +- Fix Wpointer-sign compiler warning + Resolves: rhbz#2178034 + * Tue Mar 14 2023 Clemens Lang - 1:3.0.7-7 - Add explicit FIPS indicators to key derivation functions Resolves: rhbz#2175860 rhbz#2175864 From 21d2b9fb4712e7b77b2d892bec36138e15570c32 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Thu, 16 Mar 2023 16:39:03 +0100 Subject: [PATCH 14/60] Fix X942KDF indicator for short output key lengths In testing, we noticed that using output keys shorter than 14 bytes with the X9.42 KDF does not set the explicit FIPS indicator to unapproved as it should. The relevant check was implemented, but the state in the implementation's context was not exposed. Resolves: rhbz#2175864 Signed-off-by: Clemens Lang --- 0078-KDF-Add-FIPS-indicators.patch | 24 +++++++++++++++++------- openssl.spec | 6 +++++- 2 files changed, 22 insertions(+), 8 deletions(-) diff --git a/0078-KDF-Add-FIPS-indicators.patch b/0078-KDF-Add-FIPS-indicators.patch index d8496ce..1090ffa 100644 --- a/0078-KDF-Add-FIPS-indicators.patch +++ b/0078-KDF-Add-FIPS-indicators.patch 
@@ -1,4 +1,4 @@ -From 2f89e15407b7f3947768f93d11adeafd73c0b6d6 Mon Sep 17 00:00:00 2001 +From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Thu, 11 Aug 2022 09:27:12 +0200 Subject: KDF: Add FIPS indicators @@ -49,8 +49,8 @@ Related: rhbz#2114772 rhbz#2141695 providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++- providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- - providers/implementations/kdfs/x942kdf.c | 57 +++++++++++- - 9 files changed, 478 insertions(+), 22 deletions(-) + providers/implementations/kdfs/x942kdf.c | 67 ++++++++++++++- + 9 files changed, 488 insertions(+), 22 deletions(-) diff --git a/include/crypto/evp.h b/include/crypto/evp.h index e70d8e9e84..76fb990de4 100644 @@ -791,7 +791,7 @@ index a4d64b9352..f6782a6ca2 100644 }; return known_gettable_ctx_params; diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c -index b1bc6f7e1b..f4ac8ca3f5 100644 +index b1bc6f7e1b..8173fc2cc7 100644 --- a/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c @@ -13,10 +13,13 @@ @@ -829,7 +829,7 @@ index b1bc6f7e1b..f4ac8ca3f5 100644 ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, der, der_len, ctr, key, keylen); OPENSSL_free(der); -@@ -563,10 +573,48 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) +@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) { KDF_X942 *ctx = (KDF_X942 *)vctx; OSSL_PARAM *p; 
@@ -860,6 +860,16 @@ index b1bc6f7e1b..f4ac8ca3f5 100644 + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + + /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module + * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 + * extendable-output functions may only be used as the standalone + * algorithms." */ @@ -881,7 +891,7 @@ index b1bc6f7e1b..f4ac8ca3f5 100644 } static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, -@@ -574,6 +622,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), @@ -892,5 +902,5 @@ index b1bc6f7e1b..f4ac8ca3f5 100644 }; return known_gettable_ctx_params; -- -2.39.1 +2.39.2 diff --git a/openssl.spec b/openssl.spec index 50a3bb4..97641a7 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 8%{?dist} +Release: 9%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
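Review bot: The comment added above the new `output_keylen_indicator` check names the field as `ctx->output_keyelen_indicator`, which does not match the identifier read by the `if` that follows. It also expands CMVP as "Cryptographic Module Verification Program", where the comment directly below uses "Validation Program". Both should be corrected so the citation and the field can be searched for: `Cryptographic Module Validation Program, Section D.B` and `ctx->output_keylen_indicator will be NOT_APPROVED`. The comment further says derived keys "should be longer than" 112 bits, while the commit message treats keys shorter than 14 bytes as the unapproved case; `should be at least that long` would match, assuming the check that sets the indicator (outside this hunk) uses the 14-byte threshold. `x942kdf_get_ctx_params` starts and ends outside the hunk.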
@@ -505,6 +505,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Thu Mar 16 2023 Clemens Lang - 1:3.0.7-9 +- Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes + Resolves: rhbz#2175864 + * Thu Mar 16 2023 Clemens Lang - 1:3.0.7-8 - Fix Wpointer-sign compiler warning Resolves: rhbz#2178034 From 1bd49c394a367c847e00aee20403971c42549043 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Fri, 17 Mar 2023 15:56:07 +0100 Subject: [PATCH 15/60] Add explicit FIPS indicator to RSA encryption and RSASVE NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key confirmation (section 6.4.2.3.2), or assurance from a trusted third party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key agreement schemes, but explicit key confirmation is not implemented and cannot be implemented without protocol changes, and the FIPS provider does not implement trusted third party validation, since it relies on its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE as unapproved until we have received clarification from NIST on how library modules such as OpenSSL should implement TTP validation. This does not affect RSA-OAEP decryption, because it is approved as a component according to the FIPS 140-3 IG, section 2.4.G. Resolves: rhbz#2179379 Signed-off-by: Clemens Lang --- ...hers-kem-Add-explicit-FIPS-indicator.patch | 159 ++++++++++++++++++ openssl.spec | 6 +- 2 files changed, 164 insertions(+), 1 deletion(-) create mode 100644 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch diff --git a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch new file mode 100644 index 0000000..4cda828 --- /dev/null +++ b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch 
@@ -0,0 +1,159 @@ +From ee6e381e4140efd5365ddf27a12055859103cf59 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 17 Mar 2023 15:39:15 +0100 +Subject: [PATCH] asymciphers, kem: Add explicit FIPS indicator + +NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key +confirmation (section 6.4.2.3.2), or assurance from a trusted third +party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key +agreement schemes, but explicit key confirmation is not implemented and +cannot be implemented without protocol changes, and the FIPS provider +does not implement trusted third party validation, since it relies on +its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE +as unapproved until we have received clarification from NIST on how +library modules such as OpenSSL should implement TTP validation. + +This does not affect RSA-OAEP decryption, because it is approved as +a component according to the FIPS 140-3 IG, section 2.4.G. + +Resolves: rhbz#2179331 +Signed-off-by: Clemens Lang +--- + include/openssl/core_names.h | 2 ++ + include/openssl/evp.h | 4 +++ + .../implementations/asymciphers/rsa_enc.c | 31 +++++++++++++++++++ + providers/implementations/kem/rsa_kem.c | 30 +++++++++++++++++- + 4 files changed, 66 insertions(+), 1 deletion(-) + +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 832502a034..e15d208421 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -469,6 +469,7 @@ extern "C" { + #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" + #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" + #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" ++#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" + + /* + * Encoder / decoder parameters +@@ -503,6 +504,7 @@ extern "C" { + + /* KEM parameters */ + #define OSSL_KEM_PARAM_OPERATION "operation" ++#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR 
"redhat-fips-indicator" /* int */ + + /* OSSL_KEM_PARAM_OPERATION values */ + #define OSSL_KEM_PARAM_OPERATION_RSASVE "RSASVE" +diff --git a/include/openssl/evp.h b/include/openssl/evp.h +index ec2ba46fbd..3803b03422 100644 +--- a/include/openssl/evp.h ++++ b/include/openssl/evp.h +@@ -1757,6 +1757,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void); + OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx); + # endif + ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, + const char *properties); + int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt); +diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c +index 568452ec56..0a9adb4056 100644 +--- a/providers/implementations/asymciphers/rsa_enc.c ++++ b/providers/implementations/asymciphers/rsa_enc.c +@@ -399,6 +399,34 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) + return 0; + ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ if (prsactx->operation == EVP_PKEY_OP_ENCRYPT) { ++ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key ++ * confirmation (section 6.4.2.3.2), or assurance from a trusted ++ * third party (section 6.4.2.3.1) for the KTS-OAEP key transport ++ * scheme, but explicit key confirmation is not implemented here ++ * and cannot be implemented without protocol changes, and the FIPS ++ * provider does not implement trusted third party validation, ++ * since it relies on its callers to do that. 
We must thus mark ++ * RSA-OAEP as unapproved until we have received clarification from ++ * NIST on how library modules such as OpenSSL should implement TTP ++ * validation. ++ * ++ * This does not affect decryption, because it is approved as ++ * a component according to the FIPS 140-3 IG, section 2.4.G. ++ */ ++ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ + return 1; + } + +@@ -410,6 +438,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { + NULL, 0), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + +diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c +index 882cf16125..b4cc0f9237 100644 +--- a/providers/implementations/kem/rsa_kem.c ++++ b/providers/implementations/kem/rsa_kem.c +@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, + static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + { + PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx; ++#ifdef FIPS_MODULE ++ OSSL_PARAM *p; ++#endif /* defined(FIPS_MODULE) */ + +- return ctx != NULL; ++ if (ctx == NULL) ++ return 0; ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key ++ * confirmation (section 6.4.2.3.2), or assurance from a trusted third ++ * party (section 6.4.2.3.1) for key agreement or key transport, but ++ * explicit key confirmation is not implemented here and cannot be ++ * implemented without protocol changes, and the FIPS provider does not ++ * implement trusted third party validation, since it relies on 
its ++ * callers to do that. We must thus mark RSASVE unapproved until we ++ * have received clarification from NIST on how library modules such as ++ * OpenSSL should implement TTP validation. */ ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ ++ return 1; + } + + static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = { ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + +-- +2.39.2 + diff --git a/openssl.spec b/openssl.spec index 97641a7..a3b1f73 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 9%{?dist} +Release: 10%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -505,6 +505,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Fri Mar 17 2023 Clemens Lang - 1:3.0.7-10 +- Add explicit FIPS indicator to RSA encryption and RSASVE + Resolves: rhbz#2179379 + * Thu Mar 16 2023 Clemens Lang - 1:3.0.7-9 - Fix explicit FIPS indicator for X9.42 KDF when used with output lengths < 14 bytes Resolves: rhbz#2175864 From 1bd2a0cee30459d7ff3b9d4401a80f9ee4e161db Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Mon, 20 Mar 2023 20:09:04 +0100 Subject: [PATCH 16/60] Add missing patchfile, fix gettable params Add the patchfile that was committed but not referenced in the spec file. Fix the patch to apply on openssl 3.0.7 and fix the gettable FIPS indicator parameter for the RSA asymmetric cipher implementation. Resolves: rhbz#2179379 
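Review bot: `rsakem_get_ctx_params` in rsa_kem.c reports `EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED` unconditionally, so as far as the hunk shows a decapsulation context is marked unapproved too. `rsa_get_ctx_params` in rsa_enc.c, in the same patch, only downgrades `EVP_PKEY_OP_ENCRYPT` and cites FIPS 140-3 IG 2.4.G for leaving decryption approved. The RSASVE comment does not say whether covering decapsulation is intended; either make the two consistent or add a sentence such as `Applies to encapsulation and decapsulation alike; there is no per-operation exemption here.` In rsa_enc.c the test keys on the operation alone and not on the padding mode, although the comment speaks only of KTS-OAEP, so if that is deliberate the comment should say that every RSA encryption padding is reported as unapproved. A smaller point: `OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR` in core_names.h lacks the `/* int */` type note that the KEM define carries.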
Signed-off-by: Clemens Lang --- ...hers-kem-Add-explicit-FIPS-indicator.patch | 24 +++++++++---------- openssl.spec | 10 +++++++- 2 files changed, 20 insertions(+), 14 deletions(-) diff --git a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch index 4cda828..23777c1 100644 --- a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch +++ b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch @@ -29,10 +29,10 @@ diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 832502a034..e15d208421 100644 --- a/include/openssl/core_names.h +++ b/include/openssl/core_names.h -@@ -469,6 +469,7 @@ extern "C" { - #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" - #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" - #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" +@@ -477,6 +477,7 @@ extern "C" { + #ifdef FIPS_MODULE + #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" + #endif +#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* @@ -99,16 +99,14 @@ index 568452ec56..0a9adb4056 100644 return 1; } -@@ -410,6 +438,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { - NULL, 0), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), +@@ -465,6 +493,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), -+#ifdef FIPS_MODULE + #ifdef FIPS_MODULE + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), + OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), -+#endif /* defined(FIPS_MODULE) */ + #endif /* FIPS_MODULE */ OSSL_PARAM_END }; - diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 882cf16125..b4cc0f9237 100644 --- a/providers/implementations/kem/rsa_kem.c 
@@ -120,8 +118,7 @@ index 882cf16125..b4cc0f9237 100644 +#ifdef FIPS_MODULE + OSSL_PARAM *p; +#endif /* defined(FIPS_MODULE) */ - -- return ctx != NULL; ++ + if (ctx == NULL) + return 0; + @@ -143,7 +140,8 @@ index 882cf16125..b4cc0f9237 100644 + return 0; + } +#endif /* defined(FIPS_MODULE) */ -+ + +- return ctx != NULL; + return 1; } diff --git a/openssl.spec b/openssl.spec index a3b1f73..b335440 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 10%{?dist} +Release: 11%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -175,6 +175,8 @@ Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2175145 Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2179331 +Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -505,6 +507,12 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Mon Mar 20 2023 Clemens Lang - 1:3.0.7-11 +- Add missing reference to patchfile to add explicit FIPS indicator to RSA + encryption and RSASVE and fix the gettable parameter list for the RSA + asymmetric cipher implementation. + Resolves: rhbz#2179379 + * Fri Mar 17 2023 Clemens Lang - 1:3.0.7-10 - Add explicit FIPS indicator to RSA encryption and RSASVE Resolves: rhbz#2179379 From 0dea6db97016ddbdd813cb87ab0d07c6bf3c6207 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Fri, 24 Mar 2023 16:00:21 +0100 Subject: [PATCH 17/60] Change explicit FIPS indicator for RSA decryption to unapproved Resolves: rhbz#2179379 
Signed-off-by: Clemens Lang --- ...hers-kem-Add-explicit-FIPS-indicator.patch | 37 ++++++++----------- openssl.spec | 6 ++- 2 files changed, 20 insertions(+), 23 deletions(-) diff --git a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch index 23777c1..4c648d8 100644 --- a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch +++ b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch @@ -21,9 +21,9 @@ Signed-off-by: Clemens Lang --- include/openssl/core_names.h | 2 ++ include/openssl/evp.h | 4 +++ - .../implementations/asymciphers/rsa_enc.c | 31 +++++++++++++++++++ - providers/implementations/kem/rsa_kem.c | 30 +++++++++++++++++- - 4 files changed, 66 insertions(+), 1 deletion(-) + .../implementations/asymciphers/rsa_enc.c | 24 +++++++++++++++ + providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++- + 4 files changed, 59 insertions(+), 1 deletion(-) diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 832502a034..e15d208421 100644 @@ -61,10 +61,10 @@ index ec2ba46fbd..3803b03422 100644 const char *properties); int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt); diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c -index 568452ec56..0a9adb4056 100644 +index 568452ec56..2e7ea632d7 100644 --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c -@@ -399,6 +399,34 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) +@@ -399,6 +399,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) return 0; 
@@ -73,23 +73,16 @@ index 568452ec56..0a9adb4056 100644 + if (p != NULL) { + int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; + -+ if (prsactx->operation == EVP_PKEY_OP_ENCRYPT) { -+ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key -+ * confirmation (section 6.4.2.3.2), or assurance from a trusted -+ * third party (section 6.4.2.3.1) for the KTS-OAEP key transport -+ * scheme, but explicit key confirmation is not implemented here -+ * and cannot be implemented without protocol changes, and the FIPS -+ * provider does not implement trusted third party validation, -+ * since it relies on its callers to do that. We must thus mark -+ * RSA-OAEP as unapproved until we have received clarification from -+ * NIST on how library modules such as OpenSSL should implement TTP -+ * validation. -+ * -+ * This does not affect decryption, because it is approved as -+ * a component according to the FIPS 140-3 IG, section 2.4.G. -+ */ -+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; -+ } ++ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key ++ * confirmation (section 6.4.2.3.2), or assurance from a trusted third ++ * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but ++ * explicit key confirmation is not implemented here and cannot be ++ * implemented without protocol changes, and the FIPS provider does not ++ * implement trusted third party validation, since it relies on its ++ * callers to do that. We must thus mark RSA-OAEP as unapproved until ++ * we have received clarification from NIST on how library modules such ++ * as OpenSSL should implement TTP validation. */ ++ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + + if (!OSSL_PARAM_set_int(p, fips_indicator)) + return 0; diff --git a/openssl.spec b/openssl.spec index b335440..3b0de37 100644 --- a/openssl.spec +++ b/openssl.spec 
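Review bot: After this change `fips_indicator` in `rsa_get_ctx_params` is initialised to `EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED` and then unconditionally overwritten, so the approved value is dead and a reader skimming the declaration sees the wrong default. Initialise it directly, as rsa_kem.c in the same patch does, with `int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;` placed after the comment, and drop the separate assignment. The rewritten comment also removes the IG 2.4.G sentence without saying why decryption is now reported as unapproved. As far as these hunks show, the patch's own commit message still states that RSA-OAEP decryption is not affected. A line such as `Decryption is reported as unapproved as well.`, together with the reason, would keep the code and the message in step. `rsa_get_ctx_params` starts outside the hunk.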
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 11%{?dist} +Release: 12%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -507,6 +507,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Fri Mar 24 2023 Clemens Lang - 1:3.0.7-12 +- Change explicit FIPS indicator for RSA decryption to unapproved + Resolves: rhbz#2179379 + * Mon Mar 20 2023 Clemens Lang - 1:3.0.7-11 - Add missing reference to patchfile to add explicit FIPS indicator to RSA encryption and RSASVE and fix the gettable parameter list for the RSA From 35f22d134e8417f8ca603ec656d1e82fac3bb579 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 17 Apr 2023 13:34:16 +0200 Subject: [PATCH 18/60] Enforce using EMS in FIPS mode Resolves: rhbz#2157951 --- 0114-FIPS-enforce-EMS-support.patch | 419 ++++++++++++++++++++++++++++ openssl.spec | 8 +- 2 files changed, 426 insertions(+), 1 deletion(-) create mode 100644 0114-FIPS-enforce-EMS-support.patch diff --git a/0114-FIPS-enforce-EMS-support.patch b/0114-FIPS-enforce-EMS-support.patch new file mode 100644 index 0000000..41a6509 --- /dev/null +++ b/0114-FIPS-enforce-EMS-support.patch 
@@ -0,0 +1,419 @@ +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index e90e5dc03339..f391e756475c 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -1006,6 +1006,7 @@ PROV_R_BN_ERROR:160:bn error + PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed + PROV_R_DERIVATION_FUNCTION_INIT_FAILED:205:derivation function init failed + PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed ++PROV_R_EMS_NOT_ENABLED:233:ems not enabled + PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK:186:entropy source strength too weak + PROV_R_ERROR_INSTANTIATING_DRBG:188:error instantiating drbg + PROV_R_ERROR_RETRIEVING_ENTROPY:189:error retrieving entropy +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 173a81d28bbe..5e5be567a578 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -21,11 +21,12 @@ extern "C" { + #define OSSL_PROV_PARAM_CORE_MODULE_FILENAME "module-filename" /* utf8_ptr */ + + /* Well known parameter names that Providers can define */ +-#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */ +-#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */ +-#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */ +-#define OSSL_PROV_PARAM_STATUS "status" /* uint */ +-#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */ ++#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */ ++#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */ ++#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */ ++#define OSSL_PROV_PARAM_STATUS "status" /* uint */ ++#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */ ++#define OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" /* uint */ + + /* Self test callback parameters */ + #define OSSL_PROV_PARAM_SELF_TEST_PHASE "st-phase" /* utf8_string */ +diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h +index 0fdf5440c7cb..3f29369b3f92 100644 +--- a/include/openssl/fips_names.h ++++ 
b/include/openssl/fips_names.h +@@ -53,6 +53,14 @@ extern "C" { + */ + # define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS "security-checks" + ++/* ++ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed. ++ * This is disabled by default. ++ * ++ * Type: OSSL_PARAM_UTF8_STRING ++ */ ++# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" ++ + # ifdef __cplusplus + } + # endif +diff --git a/include/openssl/proverr.h b/include/openssl/proverr.h +index 3685430f5d3e..bf4dc135f592 100644 +--- a/include/openssl/proverr.h ++++ b/include/openssl/proverr.h +@@ -32,6 +32,7 @@ + # define PROV_R_CIPHER_OPERATION_FAILED 102 + # define PROV_R_DERIVATION_FUNCTION_INIT_FAILED 205 + # define PROV_R_DIGEST_NOT_ALLOWED 174 ++# define PROV_R_EMS_NOT_ENABLED 233 + # define PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK 186 + # define PROV_R_ERROR_INSTANTIATING_DRBG 188 + # define PROV_R_ERROR_RETRIEVING_ENTROPY 189 +diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h +index 4a7f85f71186..62e60cc0103f 100644 +--- a/providers/common/include/prov/securitycheck.h ++++ b/providers/common/include/prov/securitycheck.h +@@ -28,3 +28,4 @@ int ossl_digest_get_approved_nid(const EVP_MD *md); + int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed); + int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx); ++int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx); +diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c +index f6144072aa04..954aabe80cfc 100644 +--- a/providers/common/provider_err.c ++++ b/providers/common/provider_err.c +@@ -33,6 +33,7 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { + "derivation function init failed"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_DIGEST_NOT_ALLOWED), + "digest not allowed"}, ++ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_EMS_NOT_ENABLED), "ems not enabled"}, + {ERR_PACK(ERR_LIB_PROV, 0, 
PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK), + "entropy source strength too weak"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ERROR_INSTANTIATING_DRBG), +diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c +index de7f0d3a0a57..63c875ecd0b7 100644 +--- a/providers/common/securitycheck_default.c ++++ b/providers/common/securitycheck_default.c +@@ -22,6 +22,12 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) + return 0; + } + ++/* Disable the ems check in the default provider */ ++int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) ++{ ++ return 0; ++} ++ + int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed) + { +diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c +index b7659bd395c3..2bc8a5992685 100644 +--- a/providers/common/securitycheck_fips.c ++++ b/providers/common/securitycheck_fips.c +@@ -20,6 +20,7 @@ + #include "prov/securitycheck.h" + + int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); ++int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx); + + int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) + { +@@ -30,6 +31,11 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) + #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ + } + ++int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) ++{ ++ return FIPS_tls_prf_ems_check(libctx); ++} ++ + int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + int sha1_allowed) + { +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index b86b27d236f3..b881f46f36ad 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -47,6 +47,7 @@ static OSSL_FUNC_provider_query_operation_fn fips_query; + #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) + extern OSSL_FUNC_core_thread_start_fn *c_thread_start; + int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); ++int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx); + + /* + * Should these function 
pointers be stored in the provider side provctx? Could +@@ -82,7 +83,9 @@ typedef struct fips_global_st { + const OSSL_CORE_HANDLE *handle; + SELF_TEST_POST_PARAMS selftest_params; + int fips_security_checks; ++ int fips_tls1_prf_ems_check; + const char *fips_security_check_option; ++ const char *fips_tls1_prf_ems_check_option; + } FIPS_GLOBAL; + + static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) +@@ -94,6 +97,9 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) + fgbl->fips_security_checks = 1; + fgbl->fips_security_check_option = "1"; + ++ fgbl->fips_tls1_prf_ems_check = 1; /* Enabled */ ++ fgbl->fips_tls1_prf_ems_check_option = "1"; ++ + return fgbl; + } + +@@ -109,6 +115,7 @@ static const OSSL_PARAM fips_param_types[] = { + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0), + OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0), ++ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, OSSL_PARAM_INTEGER, NULL, 0), /* Ignored in RHEL */ + OSSL_PARAM_END + }; + +@@ -119,9 +126,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) + * NOTE: inside core_get_params() these will be loaded from config items + * stored inside prov->parameters (except for + * OSSL_PROV_PARAM_CORE_MODULE_FILENAME). +- * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter. ++ * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and ++ * OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters. 
+ */ +- OSSL_PARAM core_params[8], *p = core_params; ++ OSSL_PARAM core_params[9], *p = core_params; + + *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_PARAM_CORE_MODULE_FILENAME, +@@ -151,6 +159,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) + OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, + (char **)&fgbl->fips_security_check_option, + sizeof(fgbl->fips_security_check_option)); ++ /* *p++ = OSSL_PARAM_construct_utf8_ptr( ++ OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, ++ (char **)&fgbl->fips_tls1_prf_ems_check_option, ++ sizeof(fgbl->fips_tls1_prf_ems_check_option)); */ /* Ignored in RHEL */ + *p = OSSL_PARAM_construct_end(); + + if (!c_get_params(fgbl->handle, core_params)) { +@@ -187,6 +199,9 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS); + if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_security_checks)) + return 0; ++ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK); ++ if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_tls1_prf_ems_check)) ++ return 0; + return 1; + } + +@@ -703,6 +718,9 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, + && strcmp(fgbl->fips_security_check_option, "0") == 0) + fgbl->fips_security_checks = 0; + ++ /* Enable the ems check. 
*/ ++ fgbl->fips_tls1_prf_ems_check = 1; ++ + ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers); + + if (!SELF_TEST_post(&fgbl->selftest_params, 0)) { +@@ -898,6 +918,15 @@ int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx) + return fgbl->fips_security_checks; + } + ++int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx) ++{ ++ FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, ++ OSSL_LIB_CTX_FIPS_PROV_INDEX, ++ &fips_prov_ossl_ctx_method); ++ ++ return fgbl->fips_tls1_prf_ems_check; ++} ++ + void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb, + void **cbarg) + { +diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c +index 8a3807308408..2c2dbf31cc0b 100644 +--- a/providers/implementations/kdfs/tls1_prf.c ++++ b/providers/implementations/kdfs/tls1_prf.c +@@ -45,6 +45,13 @@ + * A(0) = seed + * A(i) = HMAC_(secret, A(i-1)) + */ ++ ++/* ++ * Low level APIs (such as DH) are deprecated for public use, but still ok for ++ * internal use. 
++ */ ++#include "internal/deprecated.h" ++ + #include + #include + #include +@@ -60,6 +67,7 @@ + #include "prov/providercommon.h" + #include "prov/implementations.h" + #include "prov/provider_util.h" ++#include "prov/securitycheck.h" + #include "e_os.h" + + static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new; +@@ -78,6 +86,8 @@ static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, + unsigned char *out, size_t olen); + + #define TLS1_PRF_MAXBUF 1024 ++#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" ++#define TLS_MD_MASTER_SECRET_CONST_SIZE 13 + + /* TLS KDF kdf context structure */ + typedef struct { +@@ -160,6 +170,7 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) + { + TLS1_PRF *ctx = (TLS1_PRF *)vctx; ++ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); + + if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params)) + return 0; +@@ -181,6 +192,21 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + #endif /* defined(FIPS_MODULE) */ + ++ /* ++ * The seed buffer is prepended with a label. ++ * If EMS mode is enforced then the label "master secret" is not allowed, ++ * We do the check this way since the PRF is used for other purposes, as well ++ * as "extended master secret". 
++ */ ++ if (ossl_tls1_prf_ems_check_enabled(libctx)) { ++ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, ++ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED); ++ return 0; ++ } ++ } ++ + return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, + ctx->sec, ctx->seclen, + ctx->seed, ctx->seedlen, +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 3a8242d2d8c8..b0fbb504689e 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -99,6 +99,7 @@ static char *tmpfilename = NULL; + static char *dhfile = NULL; + + static int is_fips = 0; ++static int fips_ems_check = 0; + + #define LOG_BUFFER_SIZE 2048 + static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; +@@ -796,7 +797,7 @@ static int test_no_ems(void) + { + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; +- int testresult = 0; ++ int testresult = 0, status; + + if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), + TLS1_VERSION, TLS1_2_VERSION, +@@ -812,19 +813,25 @@ static int test_no_ems(void) + goto end; + } + +- if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) { +- printf("Creating SSL connection failed\n"); +- goto end; +- } +- +- if (SSL_get_extms_support(serverssl)) { +- printf("Server reports Extended Master Secret support\n"); +- goto end; +- } +- +- if (SSL_get_extms_support(clientssl)) { +- printf("Client reports Extended Master Secret support\n"); +- goto end; ++ status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); ++ if (fips_ems_check) { ++ if (status == 1) { ++ printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n"); ++ goto end; ++ } ++ } else { ++ if (!status) { ++ printf("Creating SSL connection failed\n"); ++ goto end; ++ } ++ if (SSL_get_extms_support(serverssl)) { ++ printf("Server reports Extended Master Secret support\n"); ++ goto end; ++ } ++ if 
(SSL_get_extms_support(clientssl)) { ++ printf("Client reports Extended Master Secret support\n"); ++ goto end; ++ } + } + testresult = 1; + +@@ -10740,9 +10747,24 @@ int setup_tests(void) + && !TEST_false(OSSL_PROVIDER_available(libctx, "default"))) + return 0; + +- if (strcmp(modulename, "fips") == 0) ++ if (strcmp(modulename, "fips") == 0) { ++ OSSL_PROVIDER *prov = NULL; ++ OSSL_PARAM params[2]; ++ + is_fips = 1; + ++ prov = OSSL_PROVIDER_load(libctx, "fips"); ++ if (prov != NULL) { ++ /* Query the fips provider to check if the check ems option is enabled */ ++ params[0] = ++ OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, ++ &fips_ems_check); ++ params[1] = OSSL_PARAM_construct_end(); ++ OSSL_PROVIDER_get_params(prov, params); ++ OSSL_PROVIDER_unload(prov); ++ } ++ } ++ + /* + * We add, but don't load the test "tls-provider". We'll load it when we + * need it. +@@ -10816,6 +10838,12 @@ int setup_tests(void) + if (privkey8192 == NULL) + goto err; + ++ if (fips_ems_check) { ++#ifndef OPENSSL_NO_TLS1_2 ++ ADD_TEST(test_no_ems); ++#endif ++ return 1; ++ } + #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) + # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) + ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4); +diff -up openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +--- openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx 2023-04-17 13:04:21.078501747 +0200 ++++ openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt 2023-04-17 13:11:03.189059638 +0200 +@@ -13,6 +13,7 @@ + + Title = TLS12 PRF tests (from NIST test vectors) + ++Availablein = default + KDF = TLS1-PRF + Ctrl.digest = digest:SHA256 + Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc +@@ -21,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3 + Ctrl.server_random = 
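Review bot: In the `fips_ems_check` branch of `test_no_ems` any handshake failure counts as a pass, so a connection that breaks for an unrelated reason would still satisfy the test. It would be stronger to confirm that the failure comes from the EMS enforcement before setting `testresult = 1`, for instance by looking for `PROV_R_EMS_NOT_ENABLED` in the error queue, if that reason is visible to the test at this point. The failure message has a typo: `doesnt` should be `doesn't`. The start of `test_no_ems` and its `end:` label are outside the hunk.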
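Review bot: The result of `OSSL_PROVIDER_get_params(prov, params)` in `setup_tests` is discarded, and a NULL return from `OSSL_PROVIDER_load` is skipped silently, so when the query fails `fips_ems_check` stays 0 and the suite runs as if EMS enforcement were off. Checking the call, e.g. `if (!TEST_true(OSSL_PROVIDER_get_params(prov, params))) { OSSL_PROVIDER_unload(prov); return 0; }`, would turn a misconfigured FIPS provider into a setup failure instead of a misleading `test_no_ems` result. `setup_tests` begins and ends outside the hunk.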
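Review bot: When `fips_ems_check` is set, the added `return 1;` in `setup_tests` registers only `test_no_ems` and skips every other test in sslapitest, with no comment explaining why. If the reason is that most TLS 1.2 and earlier tests cannot connect under EMS enforcement, a comment saying so, such as `/* EMS is enforced: only test_no_ems is meaningful here, the rest of the suite is skipped */`, would make the reduced coverage a visible decision; narrowing the skip to the affected tests would be better still. With `OPENSSL_NO_TLS1_2` defined this branch registers no tests at all.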
hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce + Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf + ++Availablein = fips ++KDF = TLS1-PRF ++Ctrl.digest = digest:SHA256 ++Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc ++Ctrl.label = seed:master secret ++Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c ++Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce ++Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf ++Result = KDF_DERIVE_ERROR ++ + KDF = TLS1-PRF + Ctrl.digest = digest:SHA256 + Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf diff --git a/openssl.spec b/openssl.spec index 3b0de37..85c8d48 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 12%{?dist} +Release: 13%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -177,6 +177,8 @@ Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2179331 Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2157951 +Patch114: 0114-FIPS-enforce-EMS-support.patch License: ASL 2.0 URL: http://www.openssl.org/ 
@@ -507,6 +509,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Tue Apr 18 2023 Dmitry Belyavskiy - 1:3.0.7-13 +- Enforce using EMS in FIPS mode + Resolves: rhbz#2157951 + * Fri Mar 24 2023 Clemens Lang - 1:3.0.7-12 - Change explicit FIPS indicator for RSA decryption to unapproved Resolves: rhbz#2179379 From 90306b7fd82591649cdb5a35d320b8f0e2dbf741 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 17 Apr 2023 15:29:43 +0200 Subject: [PATCH 19/60] Fix excessive resource usage in verifying X509 policy constraints Resolves: rhbz#2186661 --- 0115-CVE-2023-0464.patch | 195 +++++++++++++++++++++++++++++++++++++++ openssl.spec | 5 + 2 files changed, 200 insertions(+) create mode 100644 0115-CVE-2023-0464.patch diff --git a/0115-CVE-2023-0464.patch b/0115-CVE-2023-0464.patch new file mode 100644 index 0000000..97f3b6d --- /dev/null +++ b/0115-CVE-2023-0464.patch 
@@ -0,0 +1,195 @@ +diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h +index 18b53cc09e..cba107ca03 100644 +--- a/crypto/x509/pcy_local.h ++++ b/crypto/x509/pcy_local.h +@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { + }; + + struct X509_POLICY_TREE_st { ++ /* The number of nodes in the tree */ ++ size_t node_count; ++ /* The maximum number of nodes in the tree */ ++ size_t node_maximum; ++ + /* This is the tree 'level' data */ + X509_POLICY_LEVEL *levels; + int nlevel; +@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree); ++ X509_POLICY_TREE *tree, ++ int extra_data); + void ossl_policy_node_free(X509_POLICY_NODE *node); + int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, + const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); +diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c +index 9d9a7ea179..450f95a655 100644 +--- a/crypto/x509/pcy_node.c ++++ b/crypto/x509/pcy_node.c +@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, + X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + X509_POLICY_DATA *data, + X509_POLICY_NODE *parent, +- X509_POLICY_TREE *tree) ++ X509_POLICY_TREE *tree, ++ int extra_data) + { + X509_POLICY_NODE *node; + ++ /* Verify that the tree isn't too large. 
This mitigates CVE-2023-0464 */ ++ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) ++ return NULL; ++ + node = OPENSSL_zalloc(sizeof(*node)); + if (node == NULL) { + ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); +@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + node->data = data; + node->parent = parent; +- if (level) { ++ if (level != NULL) { + if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { + if (level->anyPolicy) + goto node_error; +@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + +- if (tree) { ++ if (extra_data) { + if (tree->extra_data == NULL) + tree->extra_data = sk_X509_POLICY_DATA_new_null(); + if (tree->extra_data == NULL){ +@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, + } + } + ++ tree->node_count++; + if (parent) + parent->nchild++; + +diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c +index fa45da5117..f953a05a41 100644 +--- a/crypto/x509/pcy_tree.c ++++ b/crypto/x509/pcy_tree.c +@@ -14,6 +14,17 @@ + + #include "pcy_local.h" + ++/* ++ * If the maximum number of nodes in the policy tree isn't defined, set it to ++ * a generous default of 1000 nodes. ++ * ++ * Defining this to be zero means unlimited policy tree growth which opens the ++ * door on CVE-2023-0464. ++ */ ++#ifndef OPENSSL_POLICY_TREE_NODES_MAX ++# define OPENSSL_POLICY_TREE_NODES_MAX 1000 ++#endif ++ + static void expected_print(BIO *channel, + X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, + int indent) +@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + return X509_PCY_TREE_INTERNAL; + } + ++ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ ++ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; ++ + /* + * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. 
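Review bot: `ossl_policy_level_add_node` now dereferences `tree` unconditionally, in the new limit check here and in `tree->node_count++` in the `@@ -103,6 +108,7 @@` hunk, whereas before this change NULL was an accepted value and the old `if (tree)` guard decided whether `extra_data` was touched. The callers visible in this patch all pass a tree, but the contract change deserves a line above the function, e.g. `/* tree must not be NULL; extra_data != 0 additionally records data in tree->extra_data */`. The limit path also returns NULL without an `ERR_raise`, unlike the allocation failure just below it, so hitting the node cap is hard to tell apart from other failures when diagnosing a rejected chain; an error entry, or a comment saying the silence is intentional, would help. The function body continues outside the hunk.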
+ * +@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + if ((data = ossl_policy_data_new(NULL, + OBJ_nid2obj(NID_any_policy), 0)) == NULL) + goto bad_tree; +- if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) { ++ if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) { + ossl_policy_data_free(data); + goto bad_tree; + } +@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, + * Return value: 1 on success, 0 otherwise + */ + static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, +- X509_POLICY_DATA *data) ++ X509_POLICY_DATA *data, ++ X509_POLICY_TREE *tree) + { + X509_POLICY_LEVEL *last = curr - 1; + int i, matched = 0; +@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); + + if (ossl_policy_node_match(last, node, data->valid_policy)) { +- if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL) ++ if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL) + return 0; + matched = 1; + } + } + if (!matched && last->anyPolicy) { +- if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL) ++ if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) + return 0; + } + return 1; +@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, + * Return value: 1 on success, 0 otherwise. 
+ */ + static int tree_link_nodes(X509_POLICY_LEVEL *curr, +- const X509_POLICY_CACHE *cache) ++ const X509_POLICY_CACHE *cache, ++ X509_POLICY_TREE *tree) + { + int i; + +@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, + X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); + + /* Look for matching nodes in previous level */ +- if (!tree_link_matching_nodes(curr, data)) ++ if (!tree_link_matching_nodes(curr, data, tree)) + return 0; + } + return 1; +@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, + /* Curr may not have anyPolicy */ + data->qualifier_set = cache->anyPolicy->qualifier_set; + data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; +- if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) { ++ if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) { + ossl_policy_data_free(data); + return 0; + } +@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, + /* Finally add link to anyPolicy */ + if (last->anyPolicy && + ossl_policy_level_add_node(curr, cache->anyPolicy, +- last->anyPolicy, NULL) == NULL) ++ last->anyPolicy, tree, 0) == NULL) + return 0; + return 1; + } +@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, + extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS + | POLICY_DATA_FLAG_EXTRA_NODE; + node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent, +- tree); ++ tree, 1); + } + if (!tree->user_policies) { + tree->user_policies = sk_X509_POLICY_NODE_new_null(); +@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) + + for (i = 1; i < tree->nlevel; i++, curr++) { + cache = ossl_policy_cache_set(curr->cert); +- if (!tree_link_nodes(curr, cache)) ++ if (!tree_link_nodes(curr, cache, tree)) + return X509_PCY_TREE_INTERNAL; + + if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) diff --git a/openssl.spec b/openssl.spec index 85c8d48..d02cae7 100644 --- a/openssl.spec +++ b/openssl.spec 
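Review bot: In `tree_calculate_user_set` the result of `ossl_policy_level_add_node(NULL, extra, anyPolicy->parent, tree, 1)` is assigned to `node` and the lines that follow in the hunk do not test it, yet with the node cap introduced by this patch a NULL return is now an expected outcome and not only an allocation failure. Following the pattern visible in `tree_add_unmatched`, a guard right after the call, `if (node == NULL) { ossl_policy_data_free(extra); return 0; }`, would keep a NULL from reaching the later use of `node`. That later use is outside the hunk, so this should be confirmed against the full function.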
@@ -180,6 +180,9 @@ Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2157951 Patch114: 0114-FIPS-enforce-EMS-support.patch +# X.509 policies minor CVEs +Patch115: 0115-CVE-2023-0464.patch + License: ASL 2.0 URL: http://www.openssl.org/ BuildRequires: gcc g++ @@ -512,6 +515,8 @@ install -m644 %{SOURCE9} \ * Tue Apr 18 2023 Dmitry Belyavskiy - 1:3.0.7-13 - Enforce using EMS in FIPS mode Resolves: rhbz#2157951 +- Fix excessive resource usage in verifying X509 policy constraints + Resolves: rhbz#2186661 * Fri Mar 24 2023 Clemens Lang - 1:3.0.7-12 - Change explicit FIPS indicator for RSA decryption to unapproved From 70a27e0ae335e757181751ffa3d20ddd1c4206fc Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 17 Apr 2023 15:41:21 +0200 Subject: [PATCH 20/60] Fix invalid certificate policies in leaf certificates check Resolves: rhbz#2187429 --- 0116-CVE-2023-0465.patch | 179 +++++++++++++++++++++++++++++++++++++++ openssl.spec | 3 + 2 files changed, 182 insertions(+) create mode 100644 0116-CVE-2023-0465.patch diff --git a/0116-CVE-2023-0465.patch b/0116-CVE-2023-0465.patch new file mode 100644 index 0000000..3a9acb5 --- /dev/null +++ b/0116-CVE-2023-0465.patch 
@@ -0,0 +1,179 @@ +diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c +index 9384f1da9b..a0282c3ef1 100644 +--- a/crypto/x509/x509_vfy.c ++++ b/crypto/x509/x509_vfy.c +@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx) + goto memerr; + /* Invalid or inconsistent extensions */ + if (ret == X509_PCY_TREE_INVALID) { +- int i; ++ int i, cbcalled = 0; + + /* Locate certificates with bad extensions and notify callback. */ +- for (i = 1; i < sk_X509_num(ctx->chain); i++) { ++ for (i = 0; i < sk_X509_num(ctx->chain); i++) { + X509 *x = sk_X509_value(ctx->chain, i); + ++ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) ++ cbcalled = 1; + CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, + ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); + } ++ if (!cbcalled) { ++ /* Should not be able to get here */ ++ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ /* The callback ignored the error so we return success */ + return 1; + } + if (ret == X509_PCY_TREE_FAILURE) { +diff --git a/test/certs/ca-pol-cert.pem b/test/certs/ca-pol-cert.pem +new file mode 100644 +index 0000000000..244af3292b +--- /dev/null ++++ b/test/certs/ca-pol-cert.pem +@@ -0,0 +1,19 @@ ++-----BEGIN CERTIFICATE----- ++MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 ++IENBMCAXDTIzMDMwODEyMjMxNloYDzIxMjMwMzA5MTIyMzE2WjANMQswCQYDVQQD ++DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd ++j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz ++n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W ++l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l ++YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc ++ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 ++CLNNsUcCAwEAAaN7MHkwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD ++VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE ++PXyAmslTnE1y96NSMBkGA1UdIAQSMBAwDgYMKwYBBAGBgVy8+0cBMA0GCSqGSIb3 
++DQEBCwUAA4IBAQBbE+MO9mewWIUY2kt85yhl0oZtvVxbn9K2Hty59ItwJGRNfzx7 ++Ge7KgawkvNzMOXmj6qf8TpbJnf41ZLWdRyVZBVyIwrAKIVw1VxfGh8aEifHKN97H ++unZkBPcUkAhUJSiC1BOD/euaMYqOi8QwiI702Q6q1NBY1/UKnV/ZIBLecnqfj9vZ ++7T0wKxrwGYBztP4pNcxCmBoD9Dg+Dx3ZElo0WXyO4SOh/BgrsKJHKyhbuTpjrI/g ++DhcINRp6+lIzuFBtJ67+YXnAEspb3lKMk0YL/LXrCNF2scdmNfOPwHi+OKBqt69C ++9FJyWFEMxx2qm/ENE9sbOswgJRnKkaAqHBHx ++-----END CERTIFICATE----- +diff --git a/test/certs/ee-cert-policies-bad.pem b/test/certs/ee-cert-policies-bad.pem +new file mode 100644 +index 0000000000..0fcd6372b3 +--- /dev/null ++++ b/test/certs/ee-cert-policies-bad.pem +@@ -0,0 +1,20 @@ ++-----BEGIN CERTIFICATE----- ++MIIDTTCCAjWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg ++Fw0yMzAzMDgxMjIzMzJaGA8yMTIzMDMwOTEyMjMzMlowGTEXMBUGA1UEAwwOc2Vy ++dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY ++YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT ++5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l ++Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 ++U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 ++ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn ++iIQPYf55NB9KiR+3AgMBAAGjgakwgaYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H ++mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC ++MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w ++bGUwKQYDVR0gBCIwIDAOBgwrBgEEAYGBXLz7RwEwDgYMKwYBBAGBgVy8+0cBMA0G ++CSqGSIb3DQEBCwUAA4IBAQArwtwNO++7kStcJeMg3ekz2D/m/8UEjTA1rknBjQiQ ++P0FK7tNeRqus9i8PxthNWk+biRayvDzaGIBV7igpDBPfXemDgmW9Adc4MKyiQDfs ++YfkHi3xJKvsK2fQmyCs2InVDaKpVAkNFcgAW8nSOhGliqIxLb0EOLoLNwaktou0N ++XQHmRzY8S7aIr8K9Qo9y/+MLar+PS4h8l6FkLLkTICiFzE4/wje5S3NckAnadRJa ++QpjwM2S6NuA+tYWuOcN//r7BSpW/AZKanYWPzHMrKlqCh+9o7sthPd72+hObG9kx ++wSGdzfStNK1I1zM5LiI08WtXCvR6AfLANTo2x1AYhSxF ++-----END CERTIFICATE----- +diff --git a/test/certs/ee-cert-policies.pem b/test/certs/ee-cert-policies.pem +new file mode 100644 +index 0000000000..2f06d7433f +--- 
/dev/null ++++ b/test/certs/ee-cert-policies.pem +@@ -0,0 +1,20 @@ ++-----BEGIN CERTIFICATE----- ++MIIDPTCCAiWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg ++Fw0yMzAzMDgxMjIzMjNaGA8yMTIzMDMwOTEyMjMyM1owGTEXMBUGA1UEAwwOc2Vy ++dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY ++YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT ++5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l ++Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 ++U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 ++ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn ++iIQPYf55NB9KiR+3AgMBAAGjgZkwgZYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H ++mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC ++MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w ++bGUwGQYDVR0gBBIwEDAOBgwrBgEEAYGBXLz7RwEwDQYJKoZIhvcNAQELBQADggEB ++AGbWslmAAdMX3+5ChcnFrX+NqDGoyhb3PTgWdtlQB5qtWdIt4rSxN50OcQxFTX0D ++QOBabSzR0DDKrgfBe4waL19WsdEvR9GyO4M7ASze/A3IEZue9C9k0n7Vq8zDaAZl ++CiR/Zqo9nAOuhKHMgmC/NjUlX7STv5pJVgc4SH8VEKmSRZDmNihaOalUtK5X8/Oa ++dawKxsZcaP5IKnOEPPKjtVNJxBu5CXywJHsO0GcoDEnEx1/NLdFoJ6WFw8NuTyDK ++NGLq2MHEdyKaigHQlptEs9bXyu9McJjzbx0uXj3BenRULASreccFej0L1RU6jDlk ++D3brBn24UISaFRZoB7jsjok= ++-----END CERTIFICATE----- +diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh +index c3f7ac14b5..a57d9f38dc 100755 +--- a/test/certs/mkcert.sh ++++ b/test/certs/mkcert.sh +@@ -119,11 +119,12 @@ genca() { + local OPTIND=1 + local purpose= + +- while getopts p: o ++ while getopts p:c: o + do + case $o in + p) purpose="$OPTARG";; +- *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2 ++ c) certpol="$OPTARG";; ++ *) echo "Usage: $0 genca [-p EKU][-c policyoid] cn keyname certname cakeyname cacertname" >&2 + return 1;; + esac + done +@@ -146,6 +147,10 @@ genca() { + if [ -n "$NC" ]; then + exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC") + fi ++ if [ -n "$certpol" ]; then ++ 
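Review bot: `certpol` is assigned in `genca` without being declared, unlike `purpose`, which the function initialises with `local purpose=` just above the `getopts` loop. A `certpol` inherited from the caller's environment would therefore add a `certificatePolicies` extension even when `-c` is not given, because the `@@ -146,6 +147,10 @@` hunk only tests `[ -n "$certpol" ]`. Adding `local certpol=` next to `local purpose=` fixes that. The usage string would also read more clearly as `[-p EKU] [-c policyoid]`.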
exts=$(printf "%s\ncertificatePolicies = %s\n" "$exts" "$certpol") ++ fi ++ + csr=$(req "$key" "CN = $cn") || return 1 + echo "$csr" | + cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ +diff --git a/test/certs/setup.sh b/test/certs/setup.sh +index 2240cd9df0..76ceadc7d8 100755 +--- a/test/certs/setup.sh ++++ b/test/certs/setup.sh +@@ -440,3 +440,9 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \ + + # critical id-pkix-ocsp-no-check extension + ./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.1.5=critical,DER:05:00" ++ ++# certificatePolicies extension ++./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert ++./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1" ++# We can create a cert with a duplicate policy oid - but its actually invalid! ++./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1" +diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t +index 2a4c36e86d..818c9ac50d 100644 +--- a/test/recipes/25-test_verify.t ++++ b/test/recipes/25-test_verify.t +@@ -29,7 +29,7 @@ sub verify { + run(app([@args])); + } + +-plan tests => 163; ++plan tests => 165; + + # Canonical success + ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), +@@ -516,3 +516,14 @@ SKIP: { + ok(run(app([ qw(openssl verify -trusted), $rsapluscert_file, $cert_file ])), + 'Mixed key + cert file test'); + } ++ ++# Certificate Policies ++ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"], ++ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", ++ "-explicit_policy"), ++ "Certificate policy"); ++ ++ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"], ++ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", ++ 
"-explicit_policy"), ++ "Bad certificate policy"); diff --git a/openssl.spec b/openssl.spec index d02cae7..3002cb9 100644 --- a/openssl.spec +++ b/openssl.spec @@ -182,6 +182,7 @@ Patch114: 0114-FIPS-enforce-EMS-support.patch # X.509 policies minor CVEs Patch115: 0115-CVE-2023-0464.patch +Patch116: 0116-CVE-2023-0465.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -517,6 +518,8 @@ install -m644 %{SOURCE9} \ Resolves: rhbz#2157951 - Fix excessive resource usage in verifying X509 policy constraints Resolves: rhbz#2186661 +- Fix invalid certificate policies in leaf certificates check + Resolves: rhbz#2187429 * Fri Mar 24 2023 Clemens Lang - 1:3.0.7-12 - Change explicit FIPS indicator for RSA decryption to unapproved From ba8edd5ea8fe43152980b7ce1fcc082db3325395 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 17 Apr 2023 15:46:46 +0200 Subject: [PATCH 21/60] Certificate policy check not enabled Resolves: rhbz#2187431 --- 0117-CVE-2023-0466.patch | 27 +++++++++++++++++++++++++++ openssl.spec | 3 +++ 2 files changed, 30 insertions(+) create mode 100644 0117-CVE-2023-0466.patch diff --git a/0117-CVE-2023-0466.patch b/0117-CVE-2023-0466.patch new file mode 100644 index 0000000..ef06edf --- /dev/null +++ b/0117-CVE-2023-0466.patch 
@@ -0,0 +1,27 @@ +diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +index 75a1677022..43c1900bca 100644 +--- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod ++++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod +@@ -98,8 +98,9 @@ B. + X509_VERIFY_PARAM_set_time() sets the verification time in B to + B. Normally the current time is used. + +-X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled +-by default) and adds B to the acceptable policy set. ++X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. ++Contrary to preexisting documentation of this function it does not enable ++policy checking. + + X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled + by default) and sets the acceptable policy set to B. Any existing +@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. + The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), + and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. + ++The function X509_VERIFY_PARAM_add0_policy() was historically documented as ++enabling policy checking however the implementation has never done this. ++The documentation was changed to align with the implementation. ++ + =head1 COPYRIGHT + + Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/openssl.spec b/openssl.spec index 3002cb9..e178aac 100644 --- a/openssl.spec +++ b/openssl.spec @@ -183,6 +183,7 @@ Patch114: 0114-FIPS-enforce-EMS-support.patch # X.509 policies minor CVEs Patch115: 0115-CVE-2023-0464.patch Patch116: 0116-CVE-2023-0465.patch +Patch117: 0117-CVE-2023-0466.patch License: ASL 2.0 URL: http://www.openssl.org/ 
@@ -520,6 +521,8 @@ install -m644 %{SOURCE9} \ Resolves: rhbz#2186661 - Fix invalid certificate policies in leaf certificates check Resolves: rhbz#2187429 +- Certificate policy check not enabled + Resolves: rhbz#2187431 * Fri Mar 24 2023 Clemens Lang - 1:3.0.7-12 - Change explicit FIPS indicator for RSA decryption to unapproved From 4999352324b8f7cd7144a7916e1cba5b57df2c11 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 17 Apr 2023 16:08:19 +0200 Subject: [PATCH 22/60] OpenSSL rsa_verify_recover key length checks in FIPS mode Resolves: rhbz#2186819 --- 0045-FIPS-services-minimize.patch | 20 ++++++++++++++++++++ openssl.spec | 2 ++ 2 files changed, 22 insertions(+) diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch index abb13e0..d2bea7f 100644 --- a/0045-FIPS-services-minimize.patch +++ b/0045-FIPS-services-minimize.patch @@ -697,6 +697,26 @@ diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen openssl-3.0.1/providers/implementations/signature/rsa_sig.c --- openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen 2022-05-23 14:58:07.764281242 +0200 +++ openssl-3.0.1/providers/implementations/signature/rsa_sig.c 2022-05-23 15:10:29.327993616 +0200 +@@ -692,6 +692,19 @@ static int rsa_verify_recover(void *vprs + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + int ret; ++# ifdef FIPS_MODULE ++ size_t rsabits = RSA_bits(prsactx->rsa); ++ ++ if (rsabits < 2048) { ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ } ++# endif + + if (!ossl_prov_is_running()) + return 0; @@ -770,6 +770,19 @@ static int rsa_verify(void *vprsactx, co { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; diff --git a/openssl.spec b/openssl.spec index e178aac..4da5cec 100644 --- a/openssl.spec +++ b/openssl.spec 
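Review bot: The FIPS key-length gate added to `rsa_verify_recover` runs before `ossl_prov_is_running()`, because `RSA_bits(prsactx->rsa)` is called in the declaration and the size test follows immediately. Moving the block below the running check keeps the provider-state test first, and since the following hunk header suggests `rsa_verify` carries the same 13-line block, a small `static` helper shared by both would stop the two copies from drifting apart. `RSA_bits` returns `int`, so `int rsabits` matches it better than `size_t`. A one-line comment naming the rule behind the allowed legacy sizes (1024, 1280, 1536, 1792) would help the next reader; the rest of the function is outside the hunk.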
@@ -523,6 +523,8 @@ install -m644 %{SOURCE9} \ Resolves: rhbz#2187429 - Certificate policy check not enabled Resolves: rhbz#2187431 +- OpenSSL rsa_verify_recover key length checks in FIPS mode + Resolves: rhbz#2186819 * Fri Mar 24 2023 Clemens Lang - 1:3.0.7-12 - Change explicit FIPS indicator for RSA decryption to unapproved From 7680abf05d72b87f72718f40fdb7a3c9d0906c79 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 21 Apr 2023 12:33:25 +0200 Subject: [PATCH 23/60] Input buffer over-read in AES-XTS implementation on 64 bit ARM Resolves: rhbz#2188554 --- 0118-CVE-2023-1255.patch | 20 ++++++++++++++++++++ openssl.spec | 8 +++++++- 2 files changed, 27 insertions(+), 1 deletion(-) create mode 100644 0118-CVE-2023-1255.patch diff --git a/0118-CVE-2023-1255.patch b/0118-CVE-2023-1255.patch new file mode 100644 index 0000000..91efb20 --- /dev/null +++ b/0118-CVE-2023-1255.patch @@ -0,0 +1,20 @@ +--- a/crypto/aes/asm/aesv8-armx.pl ++++ b/crypto/aes/asm/aesv8-armx.pl +@@ -3353,7 +3353,7 @@ $code.=<<___ if ($flavour =~ /64/); + .align 4 + .Lxts_dec_tail4x: + add $inp,$inp,#16 +- vld1.32 {$dat0},[$inp],#16 ++ tst $tailcnt,#0xf + veor $tmp1,$dat1,$tmp0 + vst1.8 {$tmp1},[$out],#16 + veor $tmp2,$dat2,$tmp2 +@@ -3362,6 +3362,8 @@ $code.=<<___ if ($flavour =~ /64/); + veor $tmp4,$dat4,$tmp4 + vst1.8 {$tmp3-$tmp4},[$out],#32 + ++ b.eq .Lxts_dec_abort ++ vld1.32 {$dat0},[$inp],#16 + b .Lxts_done + .align 4 + .Lxts_outer_dec_tail: diff --git a/openssl.spec b/openssl.spec index 4da5cec..0a94491 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 13%{?dist} +Release: 14%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
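Review bot: In `.Lxts_dec_tail4x` the `tst $tailcnt,#0xf` that takes the place of the early load sets the flags several instructions before the `b.eq .Lxts_dec_abort` that consumes them, and nothing in either hunk says so. A comment at the `tst`, e.g. `// flags are consumed by b.eq below; the veor/vst1 in between must not alter them`, and one at the branch, e.g. `// no tail left: do not load past the end of the input`, would protect the over-read fix against a later reordering. The `.Lxts_dec_abort` label is defined outside the hunk.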
@@ -184,6 +184,8 @@ Patch114: 0114-FIPS-enforce-EMS-support.patch Patch115: 0115-CVE-2023-0464.patch Patch116: 0116-CVE-2023-0465.patch Patch117: 0117-CVE-2023-0466.patch +# AES-XTS CVE +Patch118: 0118-CVE-2023-1255.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -514,6 +516,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Fri Apr 21 2023 Dmitry Belyavskiy - 1:3.0.7-14 +- Input buffer over-read in AES-XTS implementation on 64 bit ARM + Resolves: rhbz#2188554 + * Tue Apr 18 2023 Dmitry Belyavskiy - 1:3.0.7-13 - Enforce using EMS in FIPS mode Resolves: rhbz#2157951 From 45cb3a6b4e1708b66f52e860dd576b3a5f7e7974 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 28 Apr 2023 19:09:47 +0200 Subject: [PATCH 24/60] Backport implicit rejection for RSA PKCS#1 v1.5 encryption Resolves: rhbz#215347 --- 0120-RSA-PKCS15-implicit-rejection.patch | 1354 ++++++++++++++++++++++ openssl.spec | 10 +- 2 files changed, 1363 insertions(+), 1 deletion(-) create mode 100644 0120-RSA-PKCS15-implicit-rejection.patch diff --git a/0120-RSA-PKCS15-implicit-rejection.patch b/0120-RSA-PKCS15-implicit-rejection.patch new file mode 100644 index 0000000..3cb36bb --- /dev/null +++ b/0120-RSA-PKCS15-implicit-rejection.patch 
@@ -0,0 +1,1354 @@ +diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c +index d25504a03f7..c55511011f6 100644 +--- a/crypto/cms/cms_env.c ++++ b/crypto/cms/cms_env.c +@@ -608,6 +608,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, + if (!ossl_cms_env_asn1_ctrl(ri, 1)) + goto err; + ++ if (EVP_PKEY_is_a(pkey, "RSA")) ++ /* upper layer CMS code incorrectly assumes that a successful RSA ++ * decryption means that the key matches ciphertext (which never ++ * was the case, implicit rejection or not), so to make it work ++ * disable implicit rejection for RSA keys */ ++ EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0"); ++ + if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, + ktri->encryptedKey->data, + ktri->encryptedKey->length) <= 0) +diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c +index 56ed5ea6d68..f64c1fcb2ac 100644 +--- a/crypto/evp/ctrl_params_translate.c ++++ b/crypto/evp/ctrl_params_translate.c +@@ -2201,6 +2201,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = { + EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL, + OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL }, + ++ { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, ++ EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL, ++ "rsa_pkcs1_implicit_rejection", ++ OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, OSSL_PARAM_UNSIGNED_INTEGER, ++ NULL }, ++ + { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN, + EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL, + OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, +diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c +index 31b368bda3b..8a46ab471df 100644 +--- a/crypto/pkcs7/pk7_doit.c ++++ b/crypto/pkcs7/pk7_doit.c +@@ -163,6 +163,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, + if (EVP_PKEY_decrypt_init(pctx) <= 0) + goto err; + ++ if (EVP_PKEY_is_a(pkey, "RSA")) ++ /* upper layer pkcs7 code incorrectly assumes that a successful RSA 
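Review bot: The return value of `EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0")` is discarded in `cms_RecipientInfo_ktri_decrypt`, so if the control is refused the decrypt proceeds with implicit rejection still enabled, which is the case the added comment says the upper CMS layer cannot handle. The same unchecked call is added to `pkcs7_decrypt_rinfo` in crypto/pkcs7/pk7_doit.c. `pkey_rsa_ctrl` later in this patch raises `RSA_R_INVALID_PADDING_MODE` and returns -2 when the padding is not PKCS#1 v1.5, so a refusal may also leave a stale entry on the error queue; testing the result, or bracketing the call with `ERR_set_mark();` and `ERR_pop_to_mark();`, would make the intent explicit. The `if` has a multi-line comment between the condition and its single statement and no braces, so `if (EVP_PKEY_is_a(pkey, "RSA")) { ... }` would be safer. Both function bodies continue outside their hunks.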
++ * decryption means that the key matches ciphertext (which never ++ * was the case, implicit rejection or not), so to make it work ++ * disable implicit rejection for RSA keys */ ++ EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); ++ + if (EVP_PKEY_decrypt(pctx, NULL, &eklen, + ri->enc_key->data, ri->enc_key->length) <= 0) + goto err; +diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c +index 54e2a1c61ca..094a6632b66 100644 +--- a/crypto/rsa/rsa_ossl.c ++++ b/crypto/rsa/rsa_ossl.c +@@ -17,6 +17,9 @@ + #include "crypto/bn.h" + #include "rsa_local.h" + #include "internal/constant_time.h" ++#include ++#include ++#include + + static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding); +@@ -372,8 +375,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + BIGNUM *f, *ret; + int j, num = 0, r = -1; + unsigned char *buf = NULL; ++ unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0}; ++ HMAC_CTX *hmac = NULL; ++ unsigned int md_len = SHA256_DIGEST_LENGTH; ++ unsigned char kdk[SHA256_DIGEST_LENGTH] = {0}; + BN_CTX *ctx = NULL; + int local_blinding = 0; ++ EVP_MD *md = NULL; + /* + * Used only if the blinding structure is shared. 
A non-NULL unblind + * instructs rsa_blinding_convert() and rsa_blinding_invert() to store +@@ -382,6 +390,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + BIGNUM *unblind = NULL; + BN_BLINDING *blinding = NULL; + ++ /* ++ * we need the value of the private exponent to perform implicit rejection ++ */ ++ if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING)) ++ padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; ++ + if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) + goto err; + BN_CTX_start(ctx); +@@ -405,6 +419,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + goto err; + } + ++ if (flen < 1) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL); ++ goto err; ++ } ++ + /* make data into a big number */ + if (BN_bin2bn(from, (int)flen, f) == NULL) + goto err; +@@ -471,6 +490,81 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + BN_free(d); + } + ++ /* ++ * derive the Key Derivation Key from private exponent and public ++ * ciphertext ++ */ ++ if (padding == RSA_PKCS1_PADDING) { ++ /* ++ * because we use d as a handle to rsa->d we need to keep it local and ++ * free before any further use of rsa->d ++ */ ++ BIGNUM *d = BN_new(); ++ if (d == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ if (rsa->d == NULL) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY); ++ BN_free(d); ++ goto err; ++ } ++ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); ++ if (BN_bn2binpad(d, buf, num) < 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ BN_free(d); ++ goto err; ++ } ++ BN_free(d); ++ ++ /* ++ * we use hardcoded hash so that migrating between versions that use ++ * different hash doesn't provide a Bleichenbacher oracle: ++ * if the attacker can see that different versions return different ++ * messages for the same ciphertext, they'll know that the message is ++ * syntethically generated, which means that the padding check failed ++ */ ++ md = 
EVP_MD_fetch(rsa->libctx, "sha256", NULL); ++ if (md == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ hmac = HMAC_CTX_new(); ++ if (hmac == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ if (flen < num) { ++ memset(buf, 0, num - flen); ++ if (HMAC_Update(hmac, buf, num - flen) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ } ++ if (HMAC_Update(hmac, from, flen) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ md_len = SHA256_DIGEST_LENGTH; ++ if (HMAC_Final(hmac, kdk, &md_len) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ } ++ + if (blinding) { + /* + * ossl_bn_rsa_do_unblind() combines blinding inversion and +@@ -471,9 +545,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + } + + switch (padding) { +- case RSA_PKCS1_PADDING: ++ case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING: + r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); + break; ++ case RSA_PKCS1_PADDING: ++ r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk); ++ break; + case RSA_PKCS1_OAEP_PADDING: + r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); + break; +@@ -500,6 +597,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, + #endif + + err: ++ HMAC_CTX_free(hmac); ++ EVP_MD_free(md); + BN_CTX_end(ctx); + BN_CTX_free(ctx); + OPENSSL_clear_free(buf, num); +diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c +index 5f72fe1735d..04fb0e4ed5e 100644 +--- a/crypto/rsa/rsa_pk1.c ++++ b/crypto/rsa/rsa_pk1.c +@@ -21,10 +21,14 @@ + #include + /* Just for the SSL_MAX_MASTER_KEY_LENGTH 
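Review bot: `d_hash` and `kdk` in `rsa_ossl_private_decrypt` hold values derived from the private exponent (the SHA-256 of `d`, then the HMAC keyed with it), but the cleanup added at `err:` frees only `hmac` and `md` and leaves both stack buffers uncleansed, while `buf` a few lines below is released with `OPENSSL_clear_free`. Adding `OPENSSL_cleanse(d_hash, sizeof(d_hash));` and `OPENSSL_cleanse(kdk, sizeof(kdk));` at `err:` would match that. The same applies in crypto/rsa/rsa_pk1.c to `hmac_out` in `ossl_rsa_prf` and to `synthetic`, which is released with plain `OPENSSL_free` where `OPENSSL_clear_free(synthetic, flen);` would do. The function body starts and ends outside these hunks, so this assumes no cleansing happens in lines not shown.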
value */ + #include ++#include ++#include ++#include + #include "internal/cryptlib.h" + #include "crypto/rsa.h" + #include "rsa_local.h" + ++ + int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, + const unsigned char *from, int flen) + { +@@ -271,6 +275,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, + return constant_time_select_int(good, mlen, -1); + } + ++ ++static int ossl_rsa_prf(OSSL_LIB_CTX *ctx, ++ unsigned char *to, int tlen, ++ const char *label, int llen, ++ const unsigned char *kdk, ++ uint16_t bitlen) ++{ ++ int pos; ++ int ret = -1; ++ uint16_t iter = 0; ++ unsigned char be_iter[sizeof(iter)]; ++ unsigned char be_bitlen[sizeof(bitlen)]; ++ HMAC_CTX *hmac = NULL; ++ EVP_MD *md = NULL; ++ unsigned char hmac_out[SHA256_DIGEST_LENGTH]; ++ unsigned int md_len; ++ ++ if (tlen * 8 != bitlen) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ return ret; ++ } ++ ++ be_bitlen[0] = (bitlen >> 8) & 0xff; ++ be_bitlen[1] = bitlen & 0xff; ++ ++ hmac = HMAC_CTX_new(); ++ if (hmac == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ /* ++ * we use hardcoded hash so that migrating between versions that use ++ * different hash doesn't provide a Bleichenbacher oracle: ++ * if the attacker can see that different versions return different ++ * messages for the same ciphertext, they'll know that the message is ++ * syntethically generated, which means that the padding check failed ++ */ ++ md = EVP_MD_fetch(ctx, "sha256", NULL); ++ if (md == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ if (HMAC_Init_ex(hmac, kdk, SHA256_DIGEST_LENGTH, md, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ for (pos = 0; pos < tlen; pos += SHA256_DIGEST_LENGTH, iter++) { ++ if (HMAC_Init_ex(hmac, NULL, 0, NULL, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ be_iter[0] = (iter >> 8) & 0xff; ++ be_iter[1] = iter & 
0xff; ++ ++ if (HMAC_Update(hmac, be_iter, sizeof(be_iter)) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ if (HMAC_Update(hmac, (unsigned char *)label, llen) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ if (HMAC_Update(hmac, be_bitlen, sizeof(be_bitlen)) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ /* ++ * HMAC_Final requires the output buffer to fit the whole MAC ++ * value, so we need to use the intermediate buffer for the last ++ * unaligned block ++ */ ++ md_len = SHA256_DIGEST_LENGTH; ++ if (pos + SHA256_DIGEST_LENGTH > tlen) { ++ if (HMAC_Final(hmac, hmac_out, &md_len) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ memcpy(to + pos, hmac_out, tlen - pos); ++ } else { ++ if (HMAC_Final(hmac, to + pos, &md_len) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ } ++ } ++ ++ ret = 0; ++ ++err: ++ HMAC_CTX_free(hmac); ++ EVP_MD_free(md); ++ return ret; ++} ++ ++/* ++ * ossl_rsa_padding_check_PKCS1_type_2() checks and removes the PKCS#1 type 2 ++ * padding from a decrypted RSA message. Unlike the ++ * RSA_padding_check_PKCS1_type_2() it will not return an error in case it ++ * detects a padding error, rather it will return a deterministically generated ++ * random message. In other words it will perform an implicit rejection ++ * of an invalid padding. 
This means that the returned value does not indicate ++ * if the padding of the encrypted message was correct or not, making ++ * side channel attacks like the ones described by Bleichenbacher impossible ++ * without access to the full decrypted value and a brute-force search of ++ * remaining padding bytes ++ */ ++int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ int num, unsigned char *kdk) ++{ ++/* ++ * We need to generate a random length for the synthethic message, to avoid ++ * bias towards zero and avoid non-constant timeness of DIV, we prepare ++ * 128 values to check if they are not too large for the used key size, ++ * and use 0 in case none of them are small enough, as 2^-128 is a good enough ++ * safety margin ++ */ ++#define MAX_LEN_GEN_TRIES 128 ++ unsigned char *synthetic = NULL; ++ int synthethic_length; ++ uint16_t len_candidate; ++ unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)]; ++ uint16_t len_mask; ++ uint16_t max_sep_offset; ++ int synth_msg_index = 0; ++ int ret = -1; ++ int i, j; ++ unsigned int good, found_zero_byte; ++ int zero_index = 0, msg_index; ++ ++ /* ++ * If these checks fail then either the message in publicly invalid, or ++ * we've been called incorrectly. We can fail immediately. 
++ * Since this code is called only internally by openssl, those are just ++ * sanity checks ++ */ ++ if (num != flen || tlen <= 0 || flen <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ return -1; ++ } ++ ++ /* Generate a random message to return in case the padding checks fail */ ++ synthetic = OPENSSL_malloc(flen); ++ if (synthetic == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); ++ return -1; ++ } ++ ++ if (ossl_rsa_prf(ctx, synthetic, flen, "message", 7, kdk, flen * 8) < 0) ++ goto err; ++ ++ /* decide how long the random message should be */ ++ if (ossl_rsa_prf(ctx, candidate_lengths, sizeof(candidate_lengths), ++ "length", 6, kdk, ++ MAX_LEN_GEN_TRIES * sizeof(len_candidate) * 8) < 0) ++ goto err; ++ ++ /* ++ * max message size is the size of the modulus size less 2 bytes for ++ * version and padding type and a minimum of 8 bytes padding ++ */ ++ len_mask = max_sep_offset = flen - 2 - 8; ++ /* ++ * we want a mask so lets propagate the high bit to all positions less ++ * significant than it ++ */ ++ len_mask |= len_mask >> 1; ++ len_mask |= len_mask >> 2; ++ len_mask |= len_mask >> 4; ++ len_mask |= len_mask >> 8; ++ ++ synthethic_length = 0; ++ for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate); ++ i += sizeof(len_candidate)) { ++ len_candidate = (candidate_lengths[i] << 8) | candidate_lengths[i + 1]; ++ len_candidate &= len_mask; ++ ++ synthethic_length = constant_time_select_int( ++ constant_time_lt(len_candidate, max_sep_offset), ++ len_candidate, synthethic_length); ++ } ++ ++ synth_msg_index = flen - synthethic_length; ++ ++ /* we have alternative message ready, check the real one */ ++ good = constant_time_is_zero(from[0]); ++ good &= constant_time_eq(from[1], 2); ++ ++ /* then look for the padding|message separator (the first zero byte) */ ++ found_zero_byte = 0; ++ for (i = 2; i < flen; i++) { ++ unsigned int equals0 = constant_time_is_zero(from[i]); ++ zero_index = constant_time_select_int(~found_zero_byte & 
equals0, ++ i, zero_index); ++ found_zero_byte |= equals0; ++ } ++ ++ /* ++ * padding must be at least 8 bytes long, and it starts two bytes into ++ * |from|. If we never found a 0-byte, then |zero_index| is 0 and the check ++ * also fails. ++ */ ++ good &= constant_time_ge(zero_index, 2 + 8); ++ ++ /* ++ * Skip the zero byte. This is incorrect if we never found a zero-byte ++ * but in this case we also do not copy the message out. ++ */ ++ msg_index = zero_index + 1; ++ ++ /* ++ * old code returned an error in case the decrypted message wouldn't fit ++ * into the |to|, since that would leak information, return the synthethic ++ * message instead ++ */ ++ good &= constant_time_ge(tlen, num - msg_index); ++ ++ msg_index = constant_time_select_int(good, msg_index, synth_msg_index); ++ ++ /* ++ * since at this point the |msg_index| does not provide the signal ++ * indicating if the padding check failed or not, we don't have to worry ++ * about leaking the length of returned message, we still need to ensure ++ * that we read contents of both buffers so that cache accesses don't leak ++ * the value of |good| ++ */ ++ for (i = msg_index, j = 0; i < flen && j < tlen; i++, j++) ++ to[j] = constant_time_select_8(good, from[i], synthetic[i]); ++ ret = j; ++ ++err: ++ /* ++ * the only time ret < 0 is when the ciphertext is publicly invalid ++ * or we were called with invalid parameters, so we don't have to perform ++ * a side-channel secure raising of the error ++ */ ++ if (ret < 0) ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ OPENSSL_free(synthetic); ++ return ret; ++} ++ + /* + * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2 + * padding from a decrypted RSA message in a TLS signature. 
The result is stored +diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c +index 8b35e5c3c6d..c67b20baf56 100644 +--- a/crypto/rsa/rsa_pmeth.c ++++ b/crypto/rsa/rsa_pmeth.c +@@ -52,6 +52,8 @@ typedef struct { + /* OAEP label */ + unsigned char *oaep_label; + size_t oaep_labellen; ++ /* if to use implicit rejection in PKCS#1 v1.5 decryption */ ++ int implicit_rejection; + } RSA_PKEY_CTX; + + /* True if PSS parameters are restricted */ +@@ -72,6 +74,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx) + /* Maximum for sign, auto for verify */ + rctx->saltlen = RSA_PSS_SALTLEN_AUTO; + rctx->min_saltlen = -1; ++ rctx->implicit_rejection = 1; + ctx->data = rctx; + ctx->keygen_info = rctx->gentmp; + ctx->keygen_info_count = 2; +@@ -97,6 +100,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) + dctx->md = sctx->md; + dctx->mgf1md = sctx->mgf1md; + dctx->saltlen = sctx->saltlen; ++ dctx->implicit_rejection = sctx->implicit_rejection; + if (sctx->oaep_label) { + OPENSSL_free(dctx->oaep_label); + dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen); +@@ -345,6 +349,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, + const unsigned char *in, size_t inlen) + { + int ret; ++ int pad_mode; + RSA_PKEY_CTX *rctx = ctx->data; + /* + * Discard const. 
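Review bot: The sanity check in `ossl_rsa_padding_check_PKCS1_type_2` rejects only `flen <= 0`, yet `len_mask = max_sep_offset = flen - 2 - 8;` stores into `uint16_t`, so for `flen` below 10 the value wraps and `synth_msg_index = flen - synthethic_length` can become negative before it is used as the start index of the final copy loop. Real key sizes should never reach this, but the function depends on its callers for that; extending the guard to `if (num != flen || tlen <= 0 || flen < RSA_PKCS1_PADDING_SIZE)` would make the bound local. `#define MAX_LEN_GEN_TRIES 128` is also defined inside the function body and never undefined, so a file-scope constant would be cleaner.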
Its marked as const because this may be a cached copy of +@@ -365,7 +370,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, + rctx->oaep_labellen, + rctx->md, rctx->mgf1md); + } else { +- ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode); ++ if (rctx->pad_mode == RSA_PKCS1_PADDING && ++ rctx->implicit_rejection == 0) ++ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; ++ else ++ pad_mode = rctx->pad_mode; ++ ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode); + } + *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); + ret = constant_time_select_int(constant_time_msb(ret), ret, 1); +@@ -585,6 +595,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) + *(unsigned char **)p2 = rctx->oaep_label; + return rctx->oaep_labellen; + ++ case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION: ++ if (rctx->pad_mode != RSA_PKCS1_PADDING) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE); ++ return -2; ++ } ++ rctx->implicit_rejection = p1; ++ return 1; ++ + case EVP_PKEY_CTRL_DIGESTINIT: + case EVP_PKEY_CTRL_PKCS7_SIGN: + #ifndef OPENSSL_NO_CMS +diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in +index b0054ead66f..dd878297987 100644 +--- a/doc/man1/openssl-pkeyutl.pod.in ++++ b/doc/man1/openssl-pkeyutl.pod.in +@@ -240,6 +240,11 @@ signed or verified directly instead of using a B structure. If a + digest is set then the a B structure is used and its the length + must correspond to the digest type. + ++Note, for B padding, as a protection against Bleichenbacher attack, ++the decryption will not fail in case of padding check failures. Use B ++and manual inspection of the decrypted message to verify if the decrypted ++value has correct PKCS#1 v1.5 padding. ++ + For B mode only encryption and decryption is supported. + + For B if the digest type is set it is used to format the block data +@@ -267,6 +272,16 @@ explicitly set in PSS mode then the signing digest is used. 
+ Sets the digest used for the OAEP hash function. If not explicitly set then + SHA1 is used. + ++=item BI ++ ++Disables (when set to 0) or enables (when set to 1) the use of implicit ++rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a ++protection against Bleichenbacher attack, the library will generate a ++deterministic random plaintext that it will return to the caller in case ++of padding check failure. ++When disabled, it's the callers' responsibility to handle the returned ++errors in a side-channel free manner. ++ + =back + + =head1 RSA-PSS ALGORITHM +diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in +index 186e49e5e49..eab34979de3 100644 +--- a/doc/man1/openssl-rsautl.pod.in ++++ b/doc/man1/openssl-rsautl.pod.in +@@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP, + ANSI X9.31, or no padding, respectively. + For signatures, only B<-pkcs> and B<-raw> can be used. + ++Note: because of protection against Bleichenbacher attacks, decryption ++using PKCS#1 v1.5 mode will not return errors in case padding check failed. ++Use B<-raw> and inspect the returned value manually to check if the ++padding is correct. ++ + =item B<-hexdump> + + Hex dump the output data. +diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod +index 9b96f42dbc9..f7957e95f7f 100644 +--- a/doc/man3/EVP_PKEY_CTX_ctrl.pod ++++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod +@@ -393,6 +393,15 @@ this behaviour should be tolerated then + OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual + negotiated protocol version. Otherwise it should be left unset. + ++Similarly to the B above, since OpenSSL version ++3.1.0, the use of B will return a randomly generated message ++instead of padding errors in case padding checks fail. 
Applications that ++want to remain secure while using earlier versions of OpenSSL, still need to ++handle both the error code from the RSA decryption operation and the ++returned message in a side channel secure manner. ++This protection against Bleichenbacher attacks can be disabled by setting ++the OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION (an unsigned integer) to 0. ++ + =head2 DSA parameters + + EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA +diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod +index 0cd1a6548d0..462265c5a67 100644 +--- a/doc/man3/EVP_PKEY_decrypt.pod ++++ b/doc/man3/EVP_PKEY_decrypt.pod +@@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for failure. In particular a + return value of -2 indicates the operation is not supported by the public key + algorithm. + ++=head1 WARNINGS ++ ++In OpenSSL versions before 3.1.0, when used in PKCS#1 v1.5 padding, ++both the return value from the EVP_PKEY_decrypt() and the B provided ++information useful in mounting a Bleichenbacher attack against the ++used private key. They had to processed in a side-channel free way. ++ ++Since version 3.1.0, the EVP_PKEY_decrypt() method when used with PKCS#1 ++v1.5 padding doesn't return an error in case it detects an error in padding, ++instead it returns a pseudo-randomly generated message, removing the need ++of side-channel secure code from applications using OpenSSL. ++ + =head1 EXAMPLES + + Decrypt data using OAEP (for RSA keys): +diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod +index 9f7025c4975..36ae18563f2 100644 +--- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod ++++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod +@@ -121,8 +121,8 @@ L. 
+ + =head1 WARNINGS + +-The result of RSA_padding_check_PKCS1_type_2() is a very sensitive +-information which can potentially be used to mount a Bleichenbacher ++The result of RSA_padding_check_PKCS1_type_2() is exactly the ++information which is used to mount a classical Bleichenbacher + padding oracle attack. This is an inherent weakness in the PKCS #1 + v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not + possible, the result of RSA_padding_check_PKCS1_type_2() should be +@@ -137,6 +137,9 @@ as this would create a small timing side channel which could be + used to mount a Bleichenbacher attack against any padding mode + including PKCS1_OAEP. + ++You should prefer the use of EVP PKEY APIs for PKCS#1 v1.5 decryption ++as they implement the necessary workarounds internally. ++ + =head1 SEE ALSO + + L, +diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod +index 1d38073aead..bd3f835ac6d 100644 +--- a/doc/man3/RSA_public_encrypt.pod ++++ b/doc/man3/RSA_public_encrypt.pod +@@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure. + + =back + +-B must not be more than RSA_size(B) - 11 for the PKCS #1 v1.5 +-based padding modes, not more than RSA_size(B) - 42 for ++When encrypting B must not be more than RSA_size(B) - 11 for the ++PKCS #1 v1.5 based padding modes, not more than RSA_size(B) - 42 for + RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B) for RSA_NO_PADDING. + When a padding mode other than RSA_NO_PADDING is in use, then + RSA_public_encrypt() will include some random bytes into the ciphertext +@@ -92,6 +92,13 @@ which can potentially be used to mount a Bleichenbacher padding oracle + attack. This is an inherent weakness in the PKCS #1 v1.5 padding + design. Prefer RSA_PKCS1_OAEP_PADDING. + ++In OpenSSL before version 3.1.0, both the return value and the length of ++returned value could be used to mount the Bleichenbacher attack. 
++Since version 3.1.0, OpenSSL does not return an error in case of padding ++checks failed. Instead it generates a random message based on used private ++key and provided ciphertext so that application code doesn't have to implement ++a side-channel secure error handling. ++ + =head1 CONFORMING TO + + SSL, PKCS #1 v2.0 +diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod +index ac3f6271969..cb770c9e857 100644 +--- a/doc/man7/provider-asym_cipher.pod ++++ b/doc/man7/provider-asym_cipher.pod +@@ -235,6 +235,15 @@ The TLS protocol version first requested by the client. + The negotiated TLS protocol version. See + B on the page L. + ++=item "implicit-rejection" (B) ++ ++Gets of sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5 ++decryption. When set (non zero value), the decryption API will return ++a deterministically random value if the PKCS#1 v1.5 padding check fails. ++This makes explotation of the Bleichenbacher significantly harder, even ++if the code using the RSA decryption API is not implemented in side-channel ++free manner. Set by default. 
++ + =back + + OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params() +diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h +index 949873d0ee3..f267e5d9d1c 100644 +--- a/include/crypto/rsa.h ++++ b/include/crypto/rsa.h +@@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg); + RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, + OSSL_LIB_CTX *libctx, const char *propq); + ++int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ int num, unsigned char *kdk); + int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned char *to, + size_t tlen, + const unsigned char *from, +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index e6c4758a33e..6e4a4f8539d 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -302,6 +302,7 @@ extern "C" { + #define OSSL_PKEY_PARAM_DIST_ID "distid" + #define OSSL_PKEY_PARAM_PUB_KEY "pub" + #define OSSL_PKEY_PARAM_PRIV_KEY "priv" ++#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection" + #define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K "rh_sign_kat_k" + + /* Diffie-Hellman/DSA Parameters */ +@@ -482,6 +483,7 @@ extern "C" { + #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" + #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" + #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" ++#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION "implicit-rejection" + #ifdef FIPS_MODULE + #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" + #endif +diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h +index bce21258227..167427d3c48 100644 +--- a/include/openssl/rsa.h ++++ b/include/openssl/rsa.h +@@ -189,6 +189,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); + + # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES 
(EVP_PKEY_ALG_CTRL + 13) + ++# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14) ++ + # define RSA_PKCS1_PADDING 1 + # define RSA_NO_PADDING 3 + # define RSA_PKCS1_OAEP_PADDING 4 +@@ -198,6 +200,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); + # define RSA_PKCS1_PSS_PADDING 6 + # define RSA_PKCS1_WITH_TLS_PADDING 7 + ++/* internal RSA_ only */ ++# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8 ++ + # define RSA_PKCS1_PADDING_SIZE 11 + + # define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg) +diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c +index 3d331ea8dfd..fbafb84f8cb 100644 +--- a/providers/implementations/asymciphers/rsa_enc.c ++++ b/providers/implementations/asymciphers/rsa_enc.c +@@ -75,6 +75,8 @@ typedef struct { + /* TLS padding */ + unsigned int client_version; + unsigned int alt_version; ++ /* PKCS#1 v1.5 decryption mode */ ++ unsigned int implicit_rejection; + #ifdef FIPS_MODULE + char *redhat_st_oaep_seed; + #endif /* FIPS_MODULE */ +@@ -107,6 +109,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[], + RSA_free(prsactx->rsa); + prsactx->rsa = vrsa; + prsactx->operation = operation; ++ prsactx->implicit_rejection = 1; + + switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { + case RSA_FLAG_TYPE_RSA: +@@ -195,6 +198,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + int ret; ++ int pad_mode; + size_t len = RSA_size(prsactx->rsa); + + if (!ossl_prov_is_running()) +@@ -270,8 +274,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, + } + OPENSSL_free(tbuf); + } else { +- ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, +- prsactx->pad_mode); ++ if ((prsactx->implicit_rejection == 0) && ++ (prsactx->pad_mode == RSA_PKCS1_PADDING)) ++ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; ++ 
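Review bot: `RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING` is commented as `/* internal RSA_ only */` but is defined in the public header include/openssl/rsa.h, next to the padding modes that callers pass to the RSA decrypt functions. Since `rsa_ossl_private_decrypt` in this patch maps this value to the older `RSA_padding_check_PKCS1_type_2` path, the comment should state what selecting it means, for example `/* internal use: disables implicit rejection; the caller must handle padding errors in a side-channel free way */`.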
else ++ pad_mode = prsactx->pad_mode; ++ ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, pad_mode); + } + *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); + ret = constant_time_select_int(constant_time_msb(ret), 0, 1); +@@ -395,6 +403,10 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + } + #endif /* defined(FIPS_MODULE) */ + ++ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION); ++ if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection)) ++ return 0; ++ + return 1; + } + +@@ -406,6 +418,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { + NULL, 0), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), ++ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), + #ifdef FIPS_MODULE + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), + OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), +@@ -543,6 +556,14 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + return 0; + prsactx->alt_version = alt_version; + } ++ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION); ++ if (p != NULL) { ++ unsigned int implicit_rejection; ++ ++ if (!OSSL_PARAM_get_uint(p, &implicit_rejection)) ++ return 0; ++ prsactx->implicit_rejection = implicit_rejection; ++ } + + return 1; + } +@@ -555,6 +576,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = { + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, NULL, 0), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), ++ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), + OSSL_PARAM_END + }; + +diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +index 
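Review bot: `rsa_set_ctx_params` stores `OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION` whatever the current padding mode is, whereas the legacy `pkey_rsa_ctrl` hunk in crypto/rsa/rsa_pmeth.c refuses the control with `RSA_R_INVALID_PADDING_MODE` unless `pad_mode` is `RSA_PKCS1_PADDING`. The two paths should agree, or the difference should be documented at the setter. The new entry in `known_settable_ctx_params` also sits outside the `#ifdef FIPS_MODULE` sections visible in these hunks, so the protection appears to be switchable in every build. If that is intended, a comment on the `implicit_rejection` field such as `/* PKCS#1 v1.5 decryption: 0 disables implicit rejection, any other value enables it */` would record it.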
b8d8bb2993e..a3d01eec457 100644 +--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -253,9 +253,25 @@ Decrypt = RSA-2048 + Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 + Output = "Hello World" + ++Availablein = default ++# Note: disable the Bleichenbacher workaround to see if it passes ++Decrypt = RSA-2048 ++Ctrl = rsa_pkcs1_implicit_rejection:0 ++Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 ++Output = "Hello World" ++ ++Availablein = default ++# Corrupted ciphertext ++# Note: output is generated synthethically by the Bleichenbacher workaround ++Decrypt = RSA-2048 ++Input = 
550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 ++Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff ++ + # Corrupted ciphertext + Availablein = default ++# Note: disable the Bleichenbacher workaround to see if it fails + Decrypt = RSA-2048 ++Ctrl = rsa_pkcs1_implicit_rejection:0 + Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 + Output = "Hello World" + Result = KEYOP_ERROR +@@ -277,6 +297,462 @@ Derive = RSA-2048 + Result = KEYOP_INIT_ERROR + Reason = operation not supported for this keytype + ++# Test vectors for the Bleichenbacher workaround ++ ++PrivateKey = RSA-2048-2 ++-----BEGIN RSA PRIVATE KEY----- ++MIIEowIBAAKCAQEAyMyDlxQJjaVsqiNkD5PciZfBY3KWj8Gwxt9RE8HJTosh5IrS ++KX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjOjRQclJBetK0wZjmkkgZTS25/JgdC ++Ppff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7SSmBfVEWZkQKH6y3ogj16hZZEK3Y ++o/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVOyHUipMApePlomYC/+/ZJwwfoGBm/ 
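Review bot: Every case this hunk adds is gated with `Availablein = default`, so the vectors exercise only the default provider, even though the provider code patched earlier in this diff has `#ifdef FIPS_MODULE` sections. If the FIPS provider is meant to return the synthetic plaintext as well, a copy of the corrupted-ciphertext case without that gate would cover it; otherwise a comment such as `# default provider only: <reason>` would record why. The same gate is used in the visible part of the next hunk (`@@ -277,6 +297,462 @@`), which continues past this view. The added comments spell the word as `synthethically`; `synthetically` is meant.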
+++IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1a9PC6lRl3/oUWJKSqdiiStJr5+4F ++EHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGnaQIDAQABAoIBABRVAQ4PLVh2Y6Zm ++pv8czbvw7dgQBkbQKgI5IpCJksStOeVWWSlybvZQjDpxFY7wtv91HTnQdYC7LS8G ++MhBELQYD/1DbvXs1/iybsZpHoa+FpMJJAeAsqLWLeRmyDt8yqs+/Ua20vEthubfp ++aMqk1XD3DvGNgGMiiJPkfUOe/KeTJZvPLNEIo9hojN8HjnrHmZafIznSwfUiuWlo ++RimpM7quwmgWJeq4T05W9ER+nYj7mhmc9xAj4OJXsURBszyE07xnyoAx0mEmGBA6 ++egpAhEJi912IkM1hblH5A1SI/W4Jnej/bWWk/xGCVIB8n1jS+7qLoVHcjGi+NJyX ++eiBOBMECgYEA+PWta6gokxvqRZuKP23AQdI0gkCcJXHpY/MfdIYColY3GziD7UWe ++z5cFJkWe3RbgVSL1pF2UdRsuwtrycsf4gWpSwA0YCAFxY02omdeXMiL1G5N2MFSG ++lqn32MJKWUl8HvzUVc+5fuhtK200lyszL9owPwSZm062tcwLsz53Yd0CgYEAznou ++O0mpC5YzChLcaCvfvfuujdbcA7YUeu+9V1dD8PbaTYYjUGG3Gv2crS00Al5WrIaw ++93Q+s14ay8ojeJVCRGW3Bu0iF15XGMjHC2cD6o9rUQ+UW+SOWja7PDyRcytYnfwF ++1y2AkDGURSvaITSGR+xylD8RqEbmL66+jrU2sP0CgYB2/hXxiuI5zfHfa0RcpLxr ++uWjXiMIZM6T13NKAAz1nEgYswIpt8gTB+9C+RjB0Q+bdSmRWN1Qp1OA4yiVvrxyb ++3pHGsXt2+BmV+RxIy768e/DjSUwINZ5OjNalh9e5bWIh/X4PtcVXXwgu5XdpeYBx ++sru0oyI4FRtHMUu2VHkDEQKBgQCZiEiwVUmaEAnLx9KUs2sf/fICDm5zZAU+lN4a ++AA3JNAWH9+JydvaM32CNdTtjN3sDtvQITSwCfEs4lgpiM7qe2XOLdvEOp1vkVgeL ++9wH2fMaz8/3BhuZDNsdrNy6AkQ7ICwrcwj0C+5rhBIaigkgHW06n5W3fzziC5FFW ++FHGikQKBgGQ790ZCn32DZnoGUwITR++/wF5jUfghqd67YODszeUAWtnp7DHlWPfp ++LCkyjnRWnXzvfHTKvCs1XtQBoaCRS048uwZITlgZYFEWntFMqi76bqBE4FTSYUTM ++FinFUBBVigThM/RLfCRNrCW/kTxXuJDuSfVIJZzWNAT+9oWdz5da ++-----END RSA PRIVATE KEY----- ++ ++# corresponding public key ++PublicKey = RSA-2048-2-PUBLIC ++-----BEGIN PUBLIC KEY----- ++MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMyDlxQJjaVsqiNkD5Pc ++iZfBY3KWj8Gwxt9RE8HJTosh5IrSKX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjO ++jRQclJBetK0wZjmkkgZTS25/JgdCPpff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7 ++SSmBfVEWZkQKH6y3ogj16hZZEK3Yo/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVO ++yHUipMApePlomYC/+/ZJwwfoGBm/+IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1 ++a9PC6lRl3/oUWJKSqdiiStJr5+4FEHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGn ++aQIDAQAB ++-----END PUBLIC KEY----- ++ ++PrivPubKeyPair = 
RSA-2048-2:RSA-2048-2-PUBLIC ++ ++# RSA decrypt ++ ++# a random positive test case ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066 ++Output = "lorem ipsum dolor sit amet" ++ ++Availablein = default ++# a random negative test case decrypting to empty ++Decrypt = RSA-2048-2 ++Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7 ++Output = ++ ++Availablein = default ++# invalid decrypting to max length message ++Decrypt = RSA-2048-2 ++Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303 ++Output = 
22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 ++ ++Availablein = default ++# invalid decrypting to message with length specified by second to last value from PRF ++Decrypt = RSA-2048-2 ++Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354 ++Output = 0f9b ++ ++Availablein = default ++# invalid decrypting to message with length specified by third to last value from PRF ++Decrypt = RSA-2048-2 ++Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081 ++Output = 4f02 ++ ++# positive test with 11 byte long value ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 
6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592 ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and zero padded ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and zero truncated ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and double zero padded ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 
++Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and double zero truncated ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc ++Output = "lorem ipsum" ++ ++# positive that generates a 0 byte long synthethic message internally ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0 ++Output = "lorem ipsum" ++ ++# positive that generates a 245 byte long synthethic message internally ++Availablein = default 
++Decrypt = RSA-2048-2 ++Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50 ++Output = "lorem ipsum" ++ ++Availablein = default ++# a random negative test that generates an 11 byte long message ++Decrypt = RSA-2048-2 ++Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2 ++Output = af9ac70191c92413cb9f2d ++ ++Availablein = default ++# an otherwise correct plaintext, but with wrong first byte ++# (0x01 instead of 0x00), generates a random 11 byte long plaintext ++Decrypt = RSA-2048-2 ++Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc3039906ff3aac904af32ec798fd65f3ad1afa2e69400e7c1de81f5728f3b3291f38263bc7a90a0563e43ce7a0d4ee9c0d8a716621ca5d3d081188769ce1b131af7d35b13dea99153579c86db31fe07d5a2c14d621b77854e48a8df41b5798563af489a291e417b6a334c63222627376118c02c53b6e86310f728734ffc86ef9d7c8bf56c0c841b24b82b59f51aee4526ba1c4268506d301e4ebc498c6aebb6fd5258c876bf900bac8ca4d309dd522f6a6343599a8bc3760f422c10c72d0ad527ce4af1874124ace3d99bb74db8d69d2528db22c3a37644640f95c05f ++Output = a1f8c9255c35cfba403ccc ++ ++Availablein 
= default ++# an otherwise correct plaintext, but with wrong second byte ++# (0x01 instead of 0x02), generates a random 11 byte long plaintext ++Decrypt = RSA-2048-2 ++Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d2bac96bf00d6592ea7cdc3341610c8fb07e527e5e2d20cfaf2c7f23e375431f45e998929a02f25fd95354c33838090bca838502259e92d86d568bc2cdb132fab2a399593ca60a015dc2bb1afcd64fef8a3834e17e5358d822980dc446e845b3ab4702b1ee41fe5db716d92348d5091c15d35a110555a35deb4650a5a1d2c98025d42d4544f8b32aa6a5e02dc02deaed9a7313b73b49b0d4772a3768b0ea0db5846ace6569cae677bf67fb0acf3c255dc01ec8400c963b6e49b1067728b4e563d7e1e1515664347b92ee64db7efb5452357a02fff7fcb7437abc2e579 ++Output = e6d700309ca0ed62452254 ++ ++Availablein = default ++# an invalid ciphertext, with a zero byte in first byte of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 ++Output = ba27b1842e7c21c0e7ef6a ++ ++Availablein = default ++# an invalid ciphertext, with a zero byte removed from first byte of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 
96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 ++Output = ba27b1842e7c21c0e7ef6a ++ ++Availablein = default ++# an invalid ciphertext, with two zero bytes in first bytes of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 ++Output = d5cf555b1d6151029a429a ++ ++Availablein = default ++# an invalid ciphertext, with two zero bytes removed from first bytes of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 
587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 ++Output = d5cf555b1d6151029a429a ++ ++Availablein = default ++# and invalid ciphertext, otherwise valid but starting with 000002, decrypts ++# to random 11 byte long synthethic plaintext ++Decrypt = RSA-2048-2 ++Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802f8e9a17c4cb3cd3a84041891471b10ca1fcfb5d041d34c82e6d0011cf4dc76b90e9c2e0743590579d55bcd7857057152c4a8040361343d1d22ba677d62b011407c652e234b1d663af25e2386251d7409190f19fc8ec3f9374fdf1254633874ce2ec2bff40ad0cb473f9761ec7b68da45a4bd5e33f5d7dac9b9a20821df9406b653f78a95a6c0ea0a4d57f867e4db22c17bf9a12c150f809a7b72b6db86c22a8732241ebf3c6a4f2cf82671d917aba8bc61052b40ccddd743a94ea9b538175106201971cca9d136d25081739aaf6cd18b2aecf9ad320ea3f89502f955 ++Output = 3d4a054d9358209e9cbbb9 ++ ++Availablein = default ++# negative test with otherwise valid padding but a zero byte in first byte ++# of padding ++Decrypt = RSA-2048-2 ++Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a940037ac516b0d6412ba44ec6b4f268a55ef1c5ffbf18a2f4e3522bb7b6ed89774b79bffa22f7d3102165565642de0d43a955e96a1f2e80e5430671d7266eb4f905dc8ff5e106dc5588e5b0289e49a4913940e392a97062616d2bda38155471b7d360cfb94681c702f60ed2d4de614ea72bf1c53160e63179f6c5b897b59492bee219108309f0b7b8cb2b136c346a5e98b8b4b8415fb1d713bae067911e3057f1c335b4b7e39101eafd5d28f0189037e4334f4fdb9038427b1d119a6702aa8233319cc97d496cc289ae8c956ddc84042659a2d43d6aa22f12b81ab884e ++Output = 1f037dd717b07d3e7f7359 ++ ++Availablein = 
default ++# negative test with otherwise valid padding but a zero byte at the eigth ++# byte of padding ++Decrypt = RSA-2048-2 ++Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a96460e745024436470ed85e94297b283537d52189c406a3f533cb405cc6a9dba46b482ce98b6e3dd52d8fce2237425617e38c11fbc46b61897ef200d01e4f25f5f6c4c5b38cd0de38ba11908b86595a8036a08a42a3d05b79600a97ac18ba368a08d6cf6ccb624f6e8002afc75599fba4de3d4f3ba7d208391ebe8d21f8282b18e2c10869eb2702e68f9176b42b0ddc9d763f0c86ba0ff92c957aaeab76d9ab8da52ea297ec11d92d770146faa1b300e0f91ef969b53e7d2907ffc984e9a9c9d11fb7d6cba91972059b46506b035efec6575c46d7114a6b935864858445f ++Output = 63cb0bf65fc8255dd29e17 ++ ++Availablein = default ++# negative test with an otherwise valid plaintext but with missing separator ++# byte ++Decrypt = RSA-2048-2 ++Input = 3d1b97e7aa34eaf1f4fc171ceb11dcfffd9a46a5b6961205b10b302818c1fcc9f4ec78bf18ea0cee7e9fa5b16fb4c611463b368b3312ac11cf9c06b7cf72b54e284848a508d3f02328c62c2999d0fb60929f81783c7a256891bc2ff4d91df2af96a24fc5701a1823af939ce6dbdc510608e3d41eec172ad2d51b9fc61b4217c923cadcf5bac321355ef8be5e5f090cdc2bd0c697d9058247db3ad613fdce87d2955a6d1c948a5160f93da21f731d74137f5d1f53a1923adb513d2e6e1589d44cc079f4c6ddd471d38ac82d20d8b1d21f8d65f3b6907086809f4123e08d86fb38729585de026a485d8f0e703fd4772f6668febf67df947b82195fa3867e3a3065 ++Output = 6f09a0b62699337c497b0b ++ ++# Test vectors for the Bleichenbacher workaround (2049 bit key size) ++ ++PrivateKey = RSA-2049 ++-----BEGIN RSA PRIVATE KEY----- ++MIIEpQIBAAKCAQEBVfiJVWoXdfHHp3hqULGLwoyemG7eVmfKs5uEEk6Q66dcHbCD ++rD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjIXeD+dX9uSbue1EfmAkMIANuwTOsi ++5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePfYkZQCUYx8h6v0vtbyRX/BDeazRES ++9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+UFVTQRwRnUFw89UHqCJffyfQAzssp ++j/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/krw6A+qFdsQX8kAHteT3UBEFtUTen6 ++3N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQlwIDAQABAoIBAQEZwrP1CnrWFSZ5 ++1/9RCVisLYym8AKFkvMy1VoWc2F4qOZ/F+cFzjAOPodUclEAYBP5dNCj20nvNEyl 
++omo0wEUHBNDkIuDOI6aUJcFf77bybhBu7/ZMyLnXRC5NpOjIUAjq6zZYWaIpT6OT ++e8Jr5WMy59geLBYO9jXMUoqnvlXmM6cj28Hha6KeUrKa7y+eVlT9wGZrsPwlSsvo ++DmOHTw9fAgeC48nc/CUg0MnEp7Y05FA/u0k+Gq/us/iL16EzmHJdrm/jmed1zV1M ++8J/IODR8TJjasaSIPM5iBRNhWvqhCmM2jm17ed9BZqsWJznvUVpEAu4eBgHFpVvH ++HfDjDt+BAoGBAYj2k2DwHhjZot4pUlPSUsMeRHbOpf97+EE99/3jVlI83JdoBfhP ++wN3sdw3wbO0GXIETSHVLNGrxaXVod/07PVaGgsh4fQsxTvasZ9ZegTM5i2Kgg8D4 ++dlxa1A1agfm73OJSftfpUAjLECnLTKvR+em+38KGyWVSJV2n6rGSF473AoGBAN7H ++zxHa3oOkxD0vgBl/If1dRv1XtDH0T+gaHeN/agkf/ARk7ZcdyFCINa3mzF9Wbzll ++YTqLNnmMkubiP1LvkH6VZ+NBvrxTNxiWJfu+qx87ez+S/7JoHm71p4SowtePfC2J ++qqok0s7b0GaBz+ZcNse/o8W6E1FiIi71wukUyYNhAoGAEgk/OnPK7dkPYKME5FQC +++HGrMsjJVbCa9GOjvkNw8tVYSpq7q2n9sDHqRPmEBl0EYehAqyGIhmAONxVUbIsL ++ha0m04y0MI9S0H+ZRH2R8IfzndNAONsuk46XrQU6cfvtZ3Xh3IcY5U5sr35lRn2c ++ut3H52XIWJ4smN/cJcpOyoECgYEAjM5hNHnPlgj392wkXPkbtJXWHp3mSISQVLTd ++G0MW8/mBQg3AlXi/eRb+RpHPrppk5jQLhgMjRSPyXXe2amb8PuWTqfGN6l32PtX3 ++3+udILpppb71Wf+w7JTbcl9v9uq7o9SVR8DKdPA+AeweSQ0TmqCnlHuNZizOSjwP ++G16GF0ECgYEA+ZWbNMS8qM5IiHgbMbHptdit9dDT4+1UXoNn0/hUW6ZEMriHMDXv ++iBwrzeANGAn5LEDYeDe1xPms9Is2uNxTpZVhpFZSNALR6Po68wDlTJG2PmzuBv5t ++5mbzkpWCoD4fRU53ifsHgaTW+7Um74gWIf0erNIUZuTN2YrtEPTnb3k= ++-----END RSA PRIVATE KEY----- ++ ++# corresponding public key ++PublicKey = RSA-2049-PUBLIC ++-----BEGIN PUBLIC KEY----- ++MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEBVfiJVWoXdfHHp3hqULGL ++woyemG7eVmfKs5uEEk6Q66dcHbCDrD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjI ++XeD+dX9uSbue1EfmAkMIANuwTOsi5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePf ++YkZQCUYx8h6v0vtbyRX/BDeazRES9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+U ++FVTQRwRnUFw89UHqCJffyfQAzsspj/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/kr ++w6A+qFdsQX8kAHteT3UBEFtUTen63N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQ ++lwIDAQAB ++-----END PUBLIC KEY----- ++ ++PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC ++ ++# RSA decrypt ++ ++Availablein = default ++# malformed that generates length specified by 3rd last value from PRF ++Decrypt = RSA-2049 ++Input = 
00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894 ++Output = 42 ++ ++# simple positive test case ++Availablein = default ++Decrypt = RSA-2049 ++Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967 ++Output = "lorem ipsum" ++ ++# positive test case with null padded ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 ++Output = "lorem ipsum" ++ ++# positive test case with null truncated ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = 
02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 ++Output = "lorem ipsum" ++ ++# positive test case with double null padded ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 ++Output = "lorem ipsum" ++ ++# positive test case with double null truncated ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 ++Output = "lorem ipsum" ++ ++Availablein = default ++# a random negative test case that generates an 11 byte long message ++Decrypt = RSA-2049 ++Input = 
00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca ++Output = 1189b6f5498fd6df532b00 ++ ++Availablein = default ++# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) ++Decrypt = RSA-2049 ++Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff ++Output = f6d0f5b78082fe61c04674 ++ ++Availablein = default ++# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) ++Decrypt = RSA-2049 ++Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3 ++Output = 1ab287fcef3ff17067914d ++ ++# RSA decrypt with 3072 bit keys ++PrivateKey = RSA-3072 
++-----BEGIN RSA PRIVATE KEY----- ++MIIG5AIBAAKCAYEAr9ccqtXp9bjGw2cHCkfxnX5mrt4YpbJ0H7PE0zQ0VgaSotkJ ++72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjdvwDdu+OG0zuNDiKxtEk23EiYcbhS ++N7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni5QyIPH16wQ7Wp02ayQ35EpkFoX1K ++CHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3VxUosvFxargW1uygcnveqYBZMpcw64 ++wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx7S/IPlcZnP5ZCLEAh+J/vZfSwkIU ++YZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+vEN0V6VI3gMfVrlgJStUlqQY7TDP5 ++XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/gaEJANFIIOuAGvTxpZbEuc6aUx/P ++ilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDkooCElYcob01/JWzoXl61Z5sdrMH5 ++CVZJty5foHKusAN5AgMBAAECggGAJRfqyzr+9L/65gOY35lXpdKhVKgzaNjhWEKy ++9Z7gn3kZe9LvHprdr4eG9rQSdEdAXjBCsh8vULeqc3cWgMO7y2wiWl1f9rVsRxwY ++gqCjOwrxZaPtbCSdx3g+a8dYrDfmVy0z/jJQeO2VJlDy65YEkC75mlEaERnRPE/J ++pDoXXc37+xoUAP4XCTtpzTzbiV9lQy6iGV+QURxzNrWKaF2s/y2vTF6S5WWxZlrm ++DlErqplluAjV/xGc63zWksv5IAZ6+s2An2a+cG2iaBCseQ2xVslI5v5YG8mEkVf0 ++2kk/OmSwxuEZ4DGxB/hDbOKRYLRYuPnxCV/esZJjOE/1OHVXvE8QtANN6EFwO60s ++HnacI4U+tjCjbRBh3UbipruvdDqX8LMsNvUMGjci3vOjlNkcLgeL8J15Xs3l5WuC ++Avl0Am91/FbpoN1qiPLny3jvEpjMbGUgfKRb03GIgHtPzbHmDdjluFZI+376i2/d ++RI85dBqNmAn+Fjrz3kW6wkpahByBAoHBAOSj2DDXPosxxoLidP/J/RKsMT0t0FE9 ++UFcNt+tHYv6hk+e7VAuUqUpd3XQqz3P13rnK4xvSOsVguyeU/WgmH4ID9XGSgpBP ++Rh6s7izn4KAJeqfI26vTPxvyaZEqB4JxT6k7SerENus95zSn1v/f2MLBQ16EP8cJ +++QSOVCoZfEhUK+srherQ9eZKpj0OwBUrP4VhLdymv96r8xddWX1AVj4OBi2RywKI ++gAgv6fjwkb292jFu6x6FjKRNKwKK6c3jqQKBwQDE4c0Oz0KYYV4feJun3iL9UJSv ++StGsKVDuljA4WiBAmigMZTii/u0DFEjibiLWcJOnH53HTr0avA6c6D1nCwJ2qxyF ++rHNN2L+cdMx/7L1zLR11+InvRgpIGbpeGwHeIzJVUYG3b6llRJMZimBvAMr9ipM1 ++bkVvIjt1G9W1ypeuKzm6d/t8F0yC7AIYZWDV4nvxiiY8whLZzGawHR2iZz8pfUwb ++7URbTvxdsGE27Kq9gstU0PzEJpnU1goCJ7/gA1ECgcBA8w5B6ZM5xV0H5z6nPwDm ++IgYmw/HucgV1hU8exfuoK8wxQvTACW4B0yJKkrK11T1899aGG7VYRn9D4j4OLO48 ++Z9V8esseJXbc1fEezovvymGOci984xiFXtqAQzk44+lmQJJh33VeZApe2eLocvVH ++ddEmc1kOuJWFpszf3LeCcG69cnKrXsrLrZ8Frz//g3aa9B0sFi5hGeWHWJxISVN2 ++c1Nr9IN/57i/GqVTcztjdCAcdM7Tr8phDg7OvRlnxGkCgcEAuYhMFBuulyiSaTff 
++/3ZvJKYOJ45rPkEFGoD/2ercn+RlvyCYGcoAEjnIYVEGlWwrSH+b0NlbjVkQsD6O ++to8CeE/RpgqX8hFCqC7NE/RFp8cpDyXy3j/zqnRMUyhCP1KNuScBBZs9V8gikxv6 ++ukBWCk3PYbeTySHKRBbB8vmCrMfhM96jaBIQsQO1CcZnVceDo1/bnsAIwaREVMxr ++Q8LmG7QOx/Z0x1MMsUFoqzilwccC09/JgxMZPh+h+Nv6jiCxAoHBAOEqQgFAfSdR ++ya60LLH55q803NRFMamuKiPbVJLzwiKfbjOiiopmQOS/LxxqIzeMXlYV4OsSvxTo ++G7mcTOFRtU5hKCK+t8qeQQpa/dsMpiHllwArnRyBjIVgL5lFKRpHUGLsavU/T1IH ++mtgaxZo32dXvcAh1+ndCHVBwbHTOF4conA+g+Usp4bZSSWn5nU4oIizvSVpG7SGe ++0GngdxH9Usdqbvzcip1EKeHRTZrHIEYmB+x0LaRIB3dwZNidK3TkKw== ++-----END RSA PRIVATE KEY----- ++ ++PublicKey = RSA-3072-PUBLIC ++-----BEGIN PUBLIC KEY----- ++MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAr9ccqtXp9bjGw2cHCkfx ++nX5mrt4YpbJ0H7PE0zQ0VgaSotkJ72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjd ++vwDdu+OG0zuNDiKxtEk23EiYcbhSN7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni ++5QyIPH16wQ7Wp02ayQ35EpkFoX1KCHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3Vx ++UosvFxargW1uygcnveqYBZMpcw64wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx ++7S/IPlcZnP5ZCLEAh+J/vZfSwkIUYZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+v ++EN0V6VI3gMfVrlgJStUlqQY7TDP5XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/ ++gaEJANFIIOuAGvTxpZbEuc6aUx/PilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDk ++ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE= ++-----END PUBLIC KEY----- ++ ++PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC ++ ++Availablein = default ++# a random invalid ciphertext that generates an empty synthethic one ++Decrypt = RSA-3072 ++Input = 
5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59 ++Output = ++ ++Availablein = default ++# a random invalid that has PRF output with a length one byte too long ++# in the last value ++Decrypt = RSA-3072 ++Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa28b791188374b61916dbc11339bf14b06f5f3f68c206c5607380e13da3129bfb744157e1527dd6fdf6651248b028a496ae1b97702d44706043cdaa7a59c0f41367303f21f268968bf3bd2904db3ae5239b55f8b438d93d7db9d1666c071c0857e2ec37757463769c54e51f052b2a71b04c2869e9e7049a1037b8429206c99726f07289bac18363e7eb2a5b417f47c37a55090cda676517b3549c873f2fe95da9681752ec9864b069089a2ed2f340c8b04ee00079055a817a3355b46ac7dc00d17f4504ccfbcfcadb0c04cb6b22069e179385ae1eafabad5521bac2b8a8ee1dfff59a22eb3fdacfc87175d10d7894cfd869d056057dd9944b869c1784fcc27f731bc46171d39570fbffbadf082d33f6352ecf44aca8d9478e53f5a5b7c852b401e8f5f74da49da91e65bdc97765a9523b7a0885a6f8afe5759d58009fbfa837472a968e6ae92026a5e0202a395483095302d6c3985b5f5831c521a271 ++Output = 56a3bea054e01338be9b7d7957539c ++ ++Availablein = default ++# a random invalid that generates a synthethic of maximum size ++Decrypt = RSA-3072 ++Input = 
1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6 ++Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04 ++ ++# a positive test case that decrypts to 9 byte long value ++Availablein = default ++Decrypt = RSA-3072 ++Input = 
6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde ++Output = "forty two" ++ ++# a positive test case with null padded ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 ++Output = "forty two" ++ ++# a positive test case with null truncated ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 
f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 ++Output = "forty two" ++ ++# a positive test case with double null padded ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 ++Output = "forty two" ++ ++# a positive test case with double null truncated ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 
1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 ++Output = "forty two" ++ ++Availablein = default ++# a random negative test case that generates a 9 byte long message ++Decrypt = RSA-3072 ++Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56 ++Output = 257906ca6de8307728 ++ ++Availablein = default ++# a random negative test case that generates a 9 byte long message based on ++# second to last value from PRF ++Decrypt = RSA-3072 ++Input = 
758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a03a2c10eb624a63322d854da195c017b76fea83e274fa371834dcd2f3b7accf433fc212ad76c0bac366e1ed32e25b279f94129be7c64d6e162adc08ccebc0cfe8e926f01c33ab9c065f0e0ac83ae5137a4cb66702615ad68a35707d8676d2740d7c1a954680c83980e19778ed11eed3a7c2dbdfc461a9bbef671c1bc00c882d361d29d5f80c42bdf5efec886c34138f83369c6933b2ac4e93e764265351b4a0083f040e14f511f09b22f96566138864e4e6ff24da4810095da98e0585410951538ced2f757a277ff8e17172f06572c9024eeae503f176fd46eb6c5cd9ba07af11cde31dccac12eb3a4249a7bfd3b19797ad1656984bfcbf6f74e8f99d8f1ac420811f3d166d87f935ef15ae858cf9e72c8e2b547bf16c3fb09a8c9bf88fd2e5d38bf24ed610896131a84df76b9f920fe76d71fff938e9199f3b8cd0c11fd0201f9139d7673a871a9e7d4adc3bbe360c8813617cd60a90128fbe34c9d5 ++Output = 043383c929060374ed ++ ++Availablein = default ++# a random negative test that generates message based on 3rd last value from ++# PRF ++Decrypt = RSA-3072 ++Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf4868174a91d7601a82975d2255190d28b869141d7c395f0b8c4e2be2b2c1b4ffc12ce749a6f6803d4cfe7fba0a8d6949c04151f981c0d84592aa2ff25d1bd3ce5d10cb03daca6b496c6ad40d30bfa8acdfd02cdb9326c4bdd93b949c9dc46caa8f0e5f429785bce64136a429a3695ee674b647452bea1b0c6de9c5f1e8760d5ef6d5a9cfff40457b023d3c233c1dcb323e7808103e73963b2eafc928c9eeb0ee3294955415c1ddd9a1bb7e138fecd79a3cb89c57bd2305524624814aaf0fd1acbf379f7f5b39421f12f115ba488d380586095bb53f174fae424fa4c8e3b299709cd344b9f949b1ab57f1c645d7ed3c8f81d5594197355029fee8960970ff59710dc0e5eb50ea6f4c3938e3f89ed7933023a2c2ddffaba07be147f686828bd7d520f300507ed6e71bdaee05570b27bc92741108ac2eb433f028e138dd6d63067bc206ea2d826a7f41c0d613daed020f0f30f4e272e9618e0a8c39018a83 ++Output = 70263fa6050534b9e0 ++ ++Availablein = default ++# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) ++Decrypt = RSA-3072 ++Input = 
6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62 ++Output = 6d8d3a094ff3afff4c ++ ++Availablein = default ++# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) ++Decrypt = RSA-3072 ++Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936 ++Output = c6ae80ffa80bc184b0 ++ ++Availablein = default ++# an otherwise valid plaintext, but with zero byte in first byte of padding ++Decrypt = RSA-3072 ++Input = 
8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0 ++Output = a8a9301daa01bb25c7 ++ ++Availablein = default ++# an otherwise valid plaintext, but with zero byte in eight byte of padding ++Decrypt = RSA-3072 ++Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571 ++Output = 6c716fe01d44398018 ++ ++Availablein = default ++# an otherwise valid plaintext, but with null separator missing ++Decrypt = RSA-3072 ++Input = 
a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4
++Output = aa2de6cde4e2442884
++
+ # RSA PSS key tests
+
+ # PSS only key, no parameter restrictions
diff --git a/openssl.spec b/openssl.spec
index 0a94491..fb54144 100644
--- a/openssl.spec
+++ b/openssl.spec
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16))
 Summary: Utilities from the general purpose cryptography library with TLS implementation
 Name: openssl
 Version: 3.0.7
-Release: 14%{?dist}
+Release: 15%{?dist}
 Epoch: 1
 # We have to remove certain patented algorithms from the openssl source
 # tarball with the hobble-openssl script which is included below.
@@ -187,6 +187,10 @@ Patch117: 0117-CVE-2023-0466.patch
 # AES-XTS CVE
 Patch118: 0118-CVE-2023-1255.patch
+#https://github.com/openssl/openssl/pull/13817
+#https://bugzilla.redhat.com/show_bug.cgi?id=2153471
+Patch120: 0120-RSA-PKCS15-implicit-rejection.patch
+
 License: ASL 2.0
 URL: http://www.openssl.org/
 BuildRequires: gcc g++
@@ -516,6 +520,10 @@ install -m644 %{SOURCE9} \
 %ldconfig_scriptlets libs
 %changelog
+* Fri Apr 28 2023 Dmitry Belyavskiy - 1:3.0.7-15
+- Backport implicit rejection for RSA PKCS#1 v1.5 encryption
+ Resolves: rhbz#2153471
+
 * Fri Apr 21 2023 Dmitry Belyavskiy - 1:3.0.7-14
 - Input buffer over-read in AES-XTS implementation on 64 bit ARM
 Resolves: rhbz#2188554
From 05bbcc9920805f15dabdcf6f473a51ab996c1b6b Mon Sep 17 00:00:00 2001
From: Sahana Prasad
Date: Mon, 3 Apr 2023 13:23:50 +0200
Subject: [PATCH 25/60] - Upload new upstream sources without manually hobbling them. - Remove the hobbling script as it is redundant. It is now allowed to ship the sources of patented EC curves, however it is still made unavailable to use by compiling with the 'no-ec2m' Configure option. The additional forbidden curves such as P-160, P-192, wap-tls curves are manually removed by updating 0011-Remove-EC-curves.patch. - Enable Brainpool curves. - Apply the changes to ec_curve.c and ectest.c as a new patch 0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them. - Modify 0011-Remove-EC-curves.patch to allow Brainpool curves. - Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M. Resolves: rhbz#2130618, rhbz#2188180 Signed-off-by: Sahana Prasad
---
 .gitignore | 1 +
 0010-Add-changes-to-ectest-and-eccurve.patch | 1127 ++++
 0011-Remove-EC-curves.patch | 4989 +-----------------
 0013-skipped-tests-EC-curves.patch | 36 +
 0045-FIPS-services-minimize.patch | 2 +-
 ec_curve.c | 628 ---
 ectest.c | 2311 --------
 hobble-openssl | 40 -
 openssl.spec | 33 +-
 sources | 2 +-
 10 files changed, 1287 insertions(+), 7882 deletions(-)
 create mode 100644 0010-Add-changes-to-ectest-and-eccurve.patch
 create mode 100644 0013-skipped-tests-EC-curves.patch
 delete mode 100644 ec_curve.c
 delete mode 100644 ectest.c
 delete mode 100755 hobble-openssl
diff --git a/.gitignore b/.gitignore
index a8b9f6a..0b3ed17 100644
--- a/.gitignore
+++ b/.gitignore
@@ -54,3 +54,4 @@ openssl-1.0.0a-usa.tar.bz2
 /openssl-3.0.0-hobbled.tar.xz
 /openssl-3.0.1-hobbled.tar.xz
 /openssl-3.0.7-hobbled.tar.gz
+/openssl-3.0.7.tar.gz
diff --git a/0010-Add-changes-to-ectest-and-eccurve.patch b/0010-Add-changes-to-ectest-and-eccurve.patch
new file mode 100644
index 0000000..aac242b
--- /dev/null
+++ b/0010-Add-changes-to-ectest-and-eccurve.patch
@@ -0,0 +1,1127 @@
+diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c
+--- ./crypto/ec/ec_curve.c.remove-ec 2023-03-13 16:50:09.278933578 +0100
++++ ./crypto/ec/ec_curve.c 2023-03-21 12:38:57.696531941 +0100
+@@ -32,38 +32,6 @@ typedef struct {
+ /* the nist prime curves */
+ static const struct {
+ EC_CURVE_DATA h;
+- unsigned char data[20 + 24 * 6];
+-} _EC_NIST_PRIME_192 = {
+- {
+- NID_X9_62_prime_field, 20, 24, 1
+- },
+- {
+- /* seed */
+- 0x30, 0x45, 0xAE, 0x6F, 0xC8, 0x42, 0x2F, 0x64, 0xED, 0x57, 0x95, 0x28,
+- 0xD3, 0x81, 0x20, 0xEA, 0xE1, 0x21, 0x96, 0xD5,
+- /* p */
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- /* a */
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
+- /* b */
+- 0x64, 0x21, 0x05, 0x19, 0xE5, 0x9C, 0x80, 0xE7, 0x0F, 0xA7, 0xE9, 0xAB,
+- 0x72, 0x24, 0x30, 0x49, 0xFE, 0xB8, 0xDE, 0xEC, 0xC1, 0x46, 0xB9, 0xB1,
+- /* x */
+- 0x18, 0x8D, 0xA8, 0x0E, 0xB0, 0x30, 0x90, 0xF6, 0x7C, 0xBF, 0x20, 0xEB,
+- 0x43, 0xA1, 0x88, 0x00, 0xF4, 0xFF, 0x0A, 0xFD, 0x82, 0xFF, 0x10, 0x12,
+- /* y */
+- 0x07, 0x19, 0x2b, 0x95, 0xff, 0xc8, 0xda, 0x78, 0x63, 0x10, 0x11, 0xed,
+- 0x6b, 0x24, 0xcd, 0xd5, 0x73, 0xf9, 0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11,
+- /* order */
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0x99, 0xDE, 0xF8, 0x36, 0x14, 0x6B, 0xC9, 0xB1, 0xB4, 0xD2, 0x28, 0x31
+- }
+-};
+-
+-static const struct {
+- EC_CURVE_DATA h;
+ unsigned char data[20 + 28 * 6];
+} _EC_NIST_PRIME_224 = {
+ {
+@@ -200,187 +168,6 @@ static const struct {
+ }
+ };
+
+-# ifndef FIPS_MODULE
+-/* the x9.62 prime curves (minus the nist prime curves) */
+-static const struct {
+- EC_CURVE_DATA h;
+- unsigned char data[20 + 24 * 6];
+-} _EC_X9_62_PRIME_192V2 = {
+- {
+- NID_X9_62_prime_field, 20, 24, 1
+- },
+- {
+- /* seed */
+- 0x31, 0xA9, 0x2E, 0xE2, 0x02, 0x9F, 0xD1, 0x0D, 0x90, 0x1B, 0x11, 0x3E,
+- 0x99, 0x07, 0x10, 0xF0, 0xD2, 0x1A, 0xC6, 0xB6,
+- /* p */
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- /* a */
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
+- /* b */
+- 0xCC, 0x22, 0xD6, 0xDF, 0xB9, 0x5C, 0x6B, 0x25, 0xE4, 0x9C, 0x0D, 0x63,
+- 0x64, 0xA4, 0xE5, 0x98, 0x0C, 0x39, 0x3A, 0xA2, 0x16, 0x68, 0xD9, 0x53,
+- /* x */
+- 0xEE, 0xA2, 0xBA, 0xE7, 0xE1, 0x49, 0x78, 0x42, 0xF2, 0xDE, 0x77, 0x69,
+- 0xCF, 0xE9, 0xC9, 0x89, 0xC0, 0x72, 0xAD, 0x69, 0x6F, 0x48, 0x03, 0x4A,
+- /* y */
+- 0x65, 0x74, 0xd1, 0x1d, 0x69, 0xb6, 0xec, 0x7a, 0x67, 0x2b, 0xb8, 0x2a,
+- 0x08, 0x3d, 0xf2, 0xf2, 0xb0, 0x84, 0x7d, 0xe9, 0x70, 0xb2, 0xde, 0x15,
+- /* order */
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
+- 0x5F, 0xB1, 0xA7, 0x24, 0xDC, 0x80, 0x41, 0x86, 0x48, 0xD8, 0xDD, 0x31
+- }
+-};
+-
+-static const struct {
+- EC_CURVE_DATA h;
+- unsigned char data[20 + 24 * 6];
+-} _EC_X9_62_PRIME_192V3 = {
+- {
+- NID_X9_62_prime_field, 20, 24, 1
+- },
+- {
+- /* seed */
+- 0xC4, 0x69, 0x68, 0x44, 0x35, 0xDE, 0xB3, 0x78, 0xC4, 0xB6, 0x5C, 0xA9,
+- 0x59, 0x1E, 0x2A, 0x57, 0x63, 0x05, 0x9A, 0x2E,
+- /* p */
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- /* a */
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
+- /* b */
+- 0x22, 0x12, 0x3D, 0xC2, 0x39, 0x5A, 0x05, 0xCA, 0xA7, 0x42, 0x3D, 0xAE,
+- 0xCC, 0xC9, 0x47, 0x60, 0xA7, 0xD4, 0x62, 0x25, 0x6B, 0xD5, 0x69, 0x16,
+- /* x */
+- 0x7D, 0x29, 0x77, 0x81, 0x00, 0xC6, 0x5A, 0x1D, 0xA1, 0x78, 0x37, 0x16,
+- 0x58, 0x8D, 0xCE, 0x2B, 0x8B, 0x4A, 0xEE, 0x8E, 0x22, 0x8F, 0x18, 0x96,
+- /* y */
+- 0x38, 0xa9, 0x0f, 0x22, 0x63, 0x73, 0x37, 0x33, 0x4b, 0x49, 0xdc, 0xb6,
+- 0x6a, 0x6d, 0xc8, 0xf9, 0x97, 0x8a, 0xca, 0x76, 0x48, 0xa9, 0x43, 0xb0,
+- /* order */
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0x7A, 0x62, 0xD0, 0x31, 0xC8, 0x3F, 0x42, 0x94, 0xF6, 0x40, 0xEC, 0x13
+- }
+-};
+-
+-static const struct {
+- EC_CURVE_DATA h;
+- unsigned char data[20 + 30 * 6];
+-} _EC_X9_62_PRIME_239V1 = {
+- {
+- NID_X9_62_prime_field, 20, 30, 1
+- },
+- {
+- /* seed */
+- 0xE4, 0x3B, 0xB4, 0x60, 0xF0, 0xB8, 0x0C, 0xC0, 0xC0, 0xB0, 0x75, 0x79,
+- 0x8E, 0x94, 0x80, 0x60, 0xF8, 0x32, 0x1B, 0x7D,
+- /* p */
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- /* a */
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
+- /* b */
+- 0x6B, 0x01, 0x6C, 0x3B, 0xDC, 0xF1, 0x89, 0x41, 0xD0, 0xD6, 0x54, 0x92,
+- 0x14, 0x75, 0xCA, 0x71, 0xA9, 0xDB, 0x2F, 0xB2, 0x7D, 0x1D, 0x37, 0x79,
+- 0x61, 0x85, 0xC2, 0x94, 0x2C, 0x0A,
+- /* x */
+- 0x0F, 0xFA, 0x96, 0x3C, 0xDC, 0xA8, 0x81, 0x6C, 0xCC, 0x33, 0xB8, 0x64,
+- 0x2B, 0xED, 0xF9, 0x05, 0xC3, 0xD3, 0x58, 0x57, 0x3D, 0x3F, 0x27, 0xFB,
+- 0xBD, 0x3B, 0x3C, 0xB9, 0xAA, 0xAF,
+- /* y */
+- 0x7d, 0xeb, 0xe8, 0xe4, 0xe9, 0x0a, 0x5d, 0xae, 0x6e, 0x40, 0x54, 0xca,
+- 0x53, 0x0b, 0xa0, 0x46, 0x54, 0xb3, 0x68, 0x18, 0xce, 0x22, 0x6b, 0x39,
+- 0xfc, 0xcb, 0x7b, 0x02, 0xf1, 0xae,
+- /* order */
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0x7F, 0xFF, 0xFF, 0x9E, 0x5E, 0x9A, 0x9F, 0x5D, 0x90, 0x71, 0xFB, 0xD1,
+- 0x52, 0x26, 0x88, 0x90, 0x9D, 0x0B
+- }
+-};
+-
+-static const struct {
+- EC_CURVE_DATA h;
+- unsigned char data[20 + 30 * 6];
+-} _EC_X9_62_PRIME_239V2 = {
+- {
+- NID_X9_62_prime_field, 20, 30, 1
+- },
+- {
+- /* seed */
+- 0xE8, 0xB4, 0x01, 0x16, 0x04, 0x09, 0x53, 0x03, 0xCA, 0x3B, 0x80, 0x99,
+- 0x98, 0x2B, 0xE0, 0x9F, 0xCB, 0x9A, 0xE6, 0x16,
+- /* p */
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- /* a */
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
+- /* b */
+- 0x61, 0x7F, 0xAB, 0x68, 0x32, 0x57, 0x6C, 0xBB, 0xFE, 0xD5, 0x0D, 0x99,
+- 0xF0, 0x24, 0x9C, 0x3F, 0xEE, 0x58, 0xB9, 0x4B, 0xA0, 0x03, 0x8C, 0x7A,
+- 0xE8, 0x4C, 0x8C, 0x83, 0x2F, 0x2C,
+- /* x */
+- 0x38, 0xAF, 0x09, 0xD9, 0x87, 0x27, 0x70, 0x51, 0x20, 0xC9, 0x21, 0xBB,
+- 0x5E, 0x9E, 0x26, 0x29, 0x6A, 0x3C, 0xDC, 0xF2, 0xF3, 0x57, 0x57, 0xA0,
+- 0xEA, 0xFD, 0x87, 0xB8, 0x30, 0xE7,
+- /* y */
+- 0x5b, 0x01, 0x25, 0xe4, 0xdb, 0xea, 0x0e, 0xc7, 0x20, 0x6d, 0xa0, 0xfc,
+- 0x01, 0xd9, 0xb0, 0x81, 0x32, 0x9f, 0xb5, 0x55, 0xde, 0x6e, 0xf4, 0x60,
+- 0x23, 0x7d, 0xff, 0x8b, 0xe4, 0xba,
+- /* order */
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0x80, 0x00, 0x00, 0xCF, 0xA7, 0xE8, 0x59, 0x43, 0x77, 0xD4, 0x14, 0xC0,
+- 0x38, 0x21, 0xBC, 0x58, 0x20, 0x63
+- }
+-};
+-
+-static const struct {
+- EC_CURVE_DATA h;
+- unsigned char data[20 + 30 * 6];
+-} _EC_X9_62_PRIME_239V3 = {
+- {
+- NID_X9_62_prime_field, 20, 30, 1
+- },
+- {
+- /* seed */
+- 0x7D, 0x73, 0x74, 0x16, 0x8F, 0xFE, 0x34, 0x71, 0xB6, 0x0A, 0x85, 0x76,
+- 0x86, 0xA1, 0x94, 0x75, 0xD3, 0xBF, 0xA2, 0xFF,
+- /* p */
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- /* a */
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC,
+- /* b */
+- 0x25, 0x57, 0x05, 0xFA, 0x2A, 0x30, 0x66, 0x54, 0xB1, 0xF4, 0xCB, 0x03,
+- 0xD6, 0xA7, 0x50, 0xA3, 0x0C, 0x25, 0x01, 0x02, 0xD4, 0x98, 0x87, 0x17,
+- 0xD9, 0xBA, 0x15, 0xAB, 0x6D, 0x3E,
+- /* x */
+- 0x67, 0x68, 0xAE, 0x8E, 0x18, 0xBB, 0x92, 0xCF, 0xCF, 0x00, 0x5C, 0x94,
+- 0x9A, 0xA2, 0xC6, 0xD9, 0x48, 0x53, 0xD0, 0xE6, 0x60, 0xBB, 0xF8, 0x54,
+- 0xB1, 0xC9, 0x50, 0x5F, 0xE9, 0x5A,
+- /* y */
+- 0x16, 0x07, 0xe6, 0x89, 0x8f, 0x39, 0x0c, 0x06, 0xbc, 0x1d, 0x55, 0x2b,
+- 0xad, 0x22, 0x6f, 0x3b, 0x6f, 0xcf, 0xe4, 0x8b, 0x6e, 0x81, 0x84, 0x99,
+- 0xaf, 0x18, 0xe3, 0xed, 0x6c, 0xf3,
+- /* order */
+- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0x7F, 0xFF, 0xFF, 0x97, 0x5D, 0xEB, 0x41, 0xB3, 0xA6, 0x05, 0x7C, 0x3C,
+- 0x43, 0x21, 0x46, 0x52, 0x65, 0x51
+- }
+-};
+-#endif /* FIPS_MODULE */
+-
+ static const struct {
+ EC_CURVE_DATA h;
+ unsigned char data[20 + 32 * 6];
+@@ -423,294 +210,6 @@ static const struct {
+ /* the secg prime curves (minus the nist and x9.62 prime curves) */
+ static const struct {
+ EC_CURVE_DATA h;
+- unsigned char data[20 + 14 * 6];
+-} _EC_SECG_PRIME_112R1 = {
+- {
+- NID_X9_62_prime_field, 20, 14, 1
+- },
+- {
+- /* seed */
+- 0x00, 0xF5, 0x0B, 0x02, 0x8E, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61,
+- 0x51, 0x75, 0x29, 0x04, 0x72, 0x78, 0x3F, 0xB1,
+- /* p */
+- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD,
+- 0x20, 0x8B,
+- /* a */
+- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD,
+- 0x20, 0x88,
+- /* b */
+- 0x65, 0x9E, 0xF8, 0xBA, 0x04, 0x39, 0x16, 0xEE, 0xDE, 0x89, 0x11, 0x70,
+- 0x2B, 0x22,
+- /* x */
+- 0x09, 0x48, 0x72, 0x39, 0x99, 0x5A, 0x5E, 0xE7, 0x6B, 0x55, 0xF9, 0xC2,
+- 0xF0, 0x98,
+- /* y */
+- 0xa8, 0x9c, 0xe5, 0xaf, 0x87, 0x24, 0xc0, 0xa2, 0x3e, 0x0e, 0x0f, 0xf7,
+- 0x75, 0x00,
+- /* order */
+- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x76, 0x28, 0xDF, 0xAC, 0x65,
+- 0x61, 0xC5
+- }
+-};
+-
+-static const struct {
+- EC_CURVE_DATA h;
+- unsigned char data[20 + 14 * 6];
+-} _EC_SECG_PRIME_112R2 = {
+- {
+- NID_X9_62_prime_field, 20, 14, 4
+- },
+- {
+- /* seed */
+- 0x00, 0x27, 0x57, 0xA1, 0x11, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61,
+- 0x51, 0x75, 0x53, 0x16, 0xC0, 0x5E, 0x0B, 0xD4,
+- /* p */
+- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD,
+- 0x20, 0x8B,
+- /* a */
+- 0x61, 0x27, 0xC2, 0x4C, 0x05, 0xF3, 0x8A, 0x0A, 0xAA, 0xF6, 0x5C, 0x0E,
+- 0xF0, 0x2C,
+- /* b */
+- 0x51, 0xDE, 0xF1, 0x81, 0x5D, 0xB5, 0xED, 0x74, 0xFC, 0xC3, 0x4C, 0x85,
+- 0xD7, 0x09,
+- /* x */
+- 0x4B, 0xA3, 0x0A, 0xB5, 0xE8, 0x92, 0xB4, 0xE1, 0x64, 0x9D, 0xD0, 0x92,
+- 0x86, 0x43,
+- /* y */
+- 0xad, 0xcd, 0x46, 0xf5, 0x88, 0x2e, 0x37, 0x47, 0xde, 0xf3, 0x6e, 0x95,
+- 0x6e, 0x97,
+- /* order */
+- 0x36, 0xDF, 0x0A, 0xAF, 0xD8, 0xB8, 0xD7, 0x59, 0x7C, 0xA1, 0x05, 0x20,
+- 0xD0, 0x4B
+- }
+-};
+-
+-static const struct {
+- EC_CURVE_DATA h;
+- unsigned char data[20 + 16 * 6];
+-} _EC_SECG_PRIME_128R1 = {
+- {
+- NID_X9_62_prime_field, 20, 16, 1
+- },
+- {
+- /* seed */
+- 0x00, 0x0E, 0x0D, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75,
+- 0x0C, 0xC0, 0x3A, 0x44, 0x73, 0xD0, 0x36, 0x79,
+- /* p */
+- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF,
+- /* a */
+- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFC,
+- /* b */
+- 0xE8, 0x75, 0x79, 0xC1, 0x10, 0x79, 0xF4, 0x3D, 0xD8, 0x24, 0x99, 0x3C,
+- 0x2C, 0xEE, 0x5E, 0xD3,
+- /* x */
+- 0x16, 0x1F, 0xF7, 0x52, 0x8B, 0x89, 0x9B, 0x2D, 0x0C, 0x28, 0x60, 0x7C,
+- 0xA5, 0x2C, 0x5B, 0x86,
+- /* y */
+- 0xcf, 0x5a, 0xc8, 0x39, 0x5b, 0xaf, 0xeb, 0x13, 0xc0, 0x2d, 0xa2, 0x92,
+- 0xdd, 0xed, 0x7a, 0x83,
+- /* order */
+- 0xFF, 0xFF, 0xFF, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x75, 0xA3, 0x0D, 0x1B,
+- 0x90, 0x38, 0xA1, 0x15
+- }
+-};
+-
+-static const struct {
+- EC_CURVE_DATA h;
+- unsigned char data[20 + 16 * 6];
+-} _EC_SECG_PRIME_128R2 = {
+- {
+- NID_X9_62_prime_field, 20, 16, 4
+- },
+- {
+- /* seed */
+- 0x00, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, 0x12, 0xD8,
+- 0xF0, 0x34, 0x31, 0xFC, 0xE6, 0x3B, 0x88, 0xF4,
+- /* p */
+- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF,
+- /* a */
+- 0xD6, 0x03, 0x19, 0x98, 0xD1, 0xB3, 0xBB, 0xFE, 0xBF, 0x59, 0xCC, 0x9B,
+- 0xBF, 0xF9, 0xAE, 0xE1,
+- /* b */
+- 0x5E, 0xEE, 0xFC, 0xA3, 0x80, 0xD0, 0x29, 0x19, 0xDC, 0x2C, 0x65, 0x58,
+- 0xBB, 0x6D, 0x8A, 0x5D,
+- /* x */
+- 0x7B, 0x6A, 0xA5, 0xD8, 0x5E, 0x57, 0x29, 0x83, 0xE6, 0xFB, 0x32, 0xA7,
+- 0xCD, 0xEB, 0xC1, 0x40,
+- /* y */
+- 0x27, 0xb6, 0x91, 0x6a, 0x89, 0x4d, 0x3a, 0xee, 0x71, 0x06, 0xfe, 0x80,
+- 0x5f, 0xc3, 0x4b, 0x44,
+- /* order */
+- 0x3F, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xBE, 0x00, 0x24, 0x72,
+- 0x06, 0x13, 0xB5, 0xA3
+- }
+-};
+-
+-static const struct {
+- EC_CURVE_DATA h;
+- unsigned char data[0 + 21 * 6];
+-} _EC_SECG_PRIME_160K1 = {
+- {
+- NID_X9_62_prime_field, 0, 21, 1
+- },
+- {
+- /* no seed */
+- /* p */
+- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x73,
+- /* a */
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+- /* b */
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07,
+- /* x */
+- 0x00, 0x3B, 0x4C, 0x38, 0x2C, 0xE3, 0x7A, 0xA1, 0x92, 0xA4, 0x01, 0x9E,
+- 0x76, 0x30, 0x36, 0xF4, 0xF5, 0xDD, 0x4D, 0x7E, 0xBB,
+- /* y */
+- 0x00, 0x93, 0x8c, 0xf9, 0x35, 0x31, 0x8f, 0xdc, 0xed, 0x6b, 0xc2, 0x82,
+- 0x86, 0x53, 0x17, 0x33, 0xc3, 0xf0, 0x3c, 0x4f, 0xee,
+- /* order */
+- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xB8,
+- 0xFA, 0x16, 0xDF, 0xAB, 0x9A, 0xCA, 0x16, 0xB6, 0xB3
+- }
+-};
+-
+-static const struct {
+- EC_CURVE_DATA h;
+- unsigned char data[20 + 21 * 6];
+-} _EC_SECG_PRIME_160R1 = {
+- {
+- NID_X9_62_prime_field, 20, 21, 1
+- },
+- {
+- /* seed */
+- 0x10, 0x53, 0xCD, 0xE4, 0x2C, 0x14, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56,
+- 0x15, 0x17, 0x53, 0x3B, 0xF3, 0xF8, 0x33, 0x45,
+- /* p */
+- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF,
+- /* a */
+- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFC,
+- /* b */
+- 0x00, 0x1C, 0x97, 0xBE, 0xFC, 0x54, 0xBD, 0x7A, 0x8B, 0x65, 0xAC, 0xF8,
+- 0x9F, 0x81, 0xD4, 0xD4, 0xAD, 0xC5, 0x65, 0xFA, 0x45,
+- /* x */
+- 0x00, 0x4A, 0x96, 0xB5, 0x68, 0x8E, 0xF5, 0x73, 0x28, 0x46, 0x64, 0x69,
+- 0x89, 0x68, 0xC3, 0x8B, 0xB9, 0x13, 0xCB, 0xFC, 0x82,
+- /* y */
+- 0x00, 0x23, 0xa6, 0x28, 0x55, 0x31, 0x68, 0x94, 0x7d, 0x59, 0xdc, 0xc9,
+- 0x12, 0x04, 0x23, 0x51, 0x37, 0x7a, 0xc5, 0xfb, 0x32,
+- /* order */
+- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xF4,
+- 0xC8, 0xF9, 0x27, 0xAE, 0xD3, 0xCA, 0x75, 0x22, 0x57
+- }
+-};
+-
+-static const struct {
+- EC_CURVE_DATA h;
+- unsigned char data[20 + 21 * 6];
+-} _EC_SECG_PRIME_160R2 = {
+- {
+- NID_X9_62_prime_field, 20, 21, 1
+- },
+- {
+- /* seed */
+- 0xB9, 0x9B, 0x99, 0xB0, 0x99, 0xB3, 0x23, 0xE0, 0x27, 0x09, 0xA4, 0xD6,
+- 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x51,
+- /* p */
+- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x73,
+- /* a */
+- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x70,
+- /* b */
+- 0x00, 0xB4, 0xE1, 0x34, 0xD3, 0xFB, 0x59, 0xEB, 0x8B, 0xAB, 0x57, 0x27,
+- 0x49, 0x04, 0x66, 0x4D, 0x5A, 0xF5, 0x03, 0x88, 0xBA,
+- /* x */
+- 0x00, 0x52, 0xDC, 0xB0, 0x34, 0x29, 0x3A, 0x11, 0x7E, 0x1F, 0x4F, 0xF1,
+- 0x1B, 0x30, 0xF7, 0x19, 0x9D, 0x31, 0x44, 0xCE, 0x6D,
+- /* y */
+- 0x00, 0xfe, 0xaf, 0xfe, 0xf2, 0xe3, 0x31, 0xf2, 0x96, 0xe0, 0x71, 0xfa,
+- 0x0d, 0xf9, 0x98, 0x2c, 0xfe, 0xa7, 0xd4, 0x3f, 0x2e,
+- /* order */
+- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35,
+- 0x1E, 0xE7, 0x86, 0xA8, 0x18, 0xF3, 0xA1, 0xA1, 0x6B
+- }
+-};
+-
+-static const struct {
+- EC_CURVE_DATA h;
+- unsigned char data[0 + 24 * 6];
+-} _EC_SECG_PRIME_192K1 = {
+- {
+- NID_X9_62_prime_field, 0, 24, 1
+- },
+- {
+- /* no seed */
+- /* p */
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xEE, 0x37,
+- /* a */
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+- /* b */
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03,
+- /* x */
+- 0xDB, 0x4F, 0xF1, 0x0E, 0xC0, 0x57, 0xE9, 0xAE, 0x26, 0xB0, 0x7D, 0x02,
+- 0x80, 0xB7, 0xF4, 0x34, 0x1D, 0xA5, 0xD1, 0xB1, 0xEA, 0xE0, 0x6C, 0x7D,
+- /* y */
+- 0x9b, 0x2f, 0x2f, 0x6d, 0x9c, 0x56, 0x28, 0xa7, 0x84, 0x41, 0x63, 0xd0,
+- 0x15, 0xbe, 0x86, 0x34, 0x40, 0x82, 0xaa, 0x88, 0xd9, 0x5e, 0x2f, 0x9d,
+- /* order */
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE,
+- 0x26, 0xF2, 0xFC, 0x17, 0x0F, 0x69, 0x46, 0x6A, 0x74, 0xDE, 0xFD, 0x8D
+- }
+-};
+-
+-static const struct {
+- EC_CURVE_DATA h;
+- unsigned char data[0 + 29 * 6];
+-} _EC_SECG_PRIME_224K1 = {
+- {
+- NID_X9_62_prime_field, 0, 29, 1
+- },
+- {
+- /* no seed */
+- /* p */
+- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF,
+- 0xFE, 0xFF, 0xFF, 0xE5, 0x6D,
+- /* a */
+- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x05, +- /* x */ +- 0x00, 0xA1, 0x45, 0x5B, 0x33, 0x4D, 0xF0, 0x99, 0xDF, 0x30, 0xFC, 0x28, +- 0xA1, 0x69, 0xA4, 0x67, 0xE9, 0xE4, 0x70, 0x75, 0xA9, 0x0F, 0x7E, 0x65, +- 0x0E, 0xB6, 0xB7, 0xA4, 0x5C, +- /* y */ +- 0x00, 0x7e, 0x08, 0x9f, 0xed, 0x7f, 0xba, 0x34, 0x42, 0x82, 0xca, 0xfb, +- 0xd6, 0xf7, 0xe3, 0x19, 0xf7, 0xc0, 0xb0, 0xbd, 0x59, 0xe2, 0xca, 0x4b, +- 0xdb, 0x55, 0x6d, 0x61, 0xa5, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x01, 0xDC, 0xE8, 0xD2, 0xEC, 0x61, 0x84, 0xCA, 0xF0, 0xA9, +- 0x71, 0x76, 0x9F, 0xB1, 0xF7 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; + unsigned char data[0 + 32 * 6]; + } _EC_SECG_PRIME_256K1 = { + { +@@ -745,102 +244,6 @@ static const struct { + } + }; + +-/* some wap/wtls curves */ +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 15 * 6]; +-} _EC_WTLS_8 = { +- { +- NID_X9_62_prime_field, 0, 15, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFD, 0xE7, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x03, +- /* x */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x01, +- /* y */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x02, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xEC, 0xEA, 0x55, 0x1A, +- 0xD8, 0x37, 0xE9 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; 
+- unsigned char data[0 + 21 * 6]; +-} _EC_WTLS_9 = { +- { +- NID_X9_62_prime_field, 0, 21, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, 0x80, 0x8F, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, +- /* x */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, +- /* y */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xCD, +- 0xC9, 0x8A, 0xE0, 0xE2, 0xDE, 0x57, 0x4A, 0xBF, 0x33 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 28 * 6]; +-} _EC_WTLS_12 = { +- { +- NID_X9_62_prime_field, 0, 28, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x01, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, +- /* b */ +- 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56, +- 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43, +- 0x23, 0x55, 0xFF, 0xB4, +- /* x */ +- 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9, +- 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6, +- 0x11, 0x5C, 0x1D, 0x21, +- /* y */ +- 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 
0xe6, +- 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, +- 0x85, 0x00, 0x7e, 0x34, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45, +- 0x5C, 0x5C, 0x2A, 0x3D +- } +-}; + #endif /* FIPS_MODULE */ + + #ifndef OPENSSL_NO_EC2M +@@ -2238,198 +1641,6 @@ static const struct { + #ifndef FIPS_MODULE + static const struct { + EC_CURVE_DATA h; +- unsigned char data[0 + 20 * 6]; +-} _EC_brainpoolP160r1 = { +- { +- NID_X9_62_prime_field, 0, 20, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, +- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, +- /* a */ +- 0x34, 0x0E, 0x7B, 0xE2, 0xA2, 0x80, 0xEB, 0x74, 0xE2, 0xBE, 0x61, 0xBA, +- 0xDA, 0x74, 0x5D, 0x97, 0xE8, 0xF7, 0xC3, 0x00, +- /* b */ +- 0x1E, 0x58, 0x9A, 0x85, 0x95, 0x42, 0x34, 0x12, 0x13, 0x4F, 0xAA, 0x2D, +- 0xBD, 0xEC, 0x95, 0xC8, 0xD8, 0x67, 0x5E, 0x58, +- /* x */ +- 0xBE, 0xD5, 0xAF, 0x16, 0xEA, 0x3F, 0x6A, 0x4F, 0x62, 0x93, 0x8C, 0x46, +- 0x31, 0xEB, 0x5A, 0xF7, 0xBD, 0xBC, 0xDB, 0xC3, +- /* y */ +- 0x16, 0x67, 0xCB, 0x47, 0x7A, 0x1A, 0x8E, 0xC3, 0x38, 0xF9, 0x47, 0x41, +- 0x66, 0x9C, 0x97, 0x63, 0x16, 0xDA, 0x63, 0x21, +- /* order */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91, +- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 20 * 6]; +-} _EC_brainpoolP160t1 = { +- { +- NID_X9_62_prime_field, 0, 20, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, +- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, +- /* a */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, +- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0C, +- /* b */ +- 0x7A, 0x55, 0x6B, 0x6D, 0xAE, 0x53, 0x5B, 0x7B, 0x51, 0xED, 0x2C, 0x4D, +- 0x7D, 0xAA, 
0x7A, 0x0B, 0x5C, 0x55, 0xF3, 0x80, +- /* x */ +- 0xB1, 0x99, 0xB1, 0x3B, 0x9B, 0x34, 0xEF, 0xC1, 0x39, 0x7E, 0x64, 0xBA, +- 0xEB, 0x05, 0xAC, 0xC2, 0x65, 0xFF, 0x23, 0x78, +- /* y */ +- 0xAD, 0xD6, 0x71, 0x8B, 0x7C, 0x7C, 0x19, 0x61, 0xF0, 0x99, 0x1B, 0x84, +- 0x24, 0x43, 0x77, 0x21, 0x52, 0xC9, 0xE0, 0xAD, +- /* order */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91, +- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 24 * 6]; +-} _EC_brainpoolP192r1 = { +- { +- NID_X9_62_prime_field, 0, 24, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, +- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97, +- /* a */ +- 0x6A, 0x91, 0x17, 0x40, 0x76, 0xB1, 0xE0, 0xE1, 0x9C, 0x39, 0xC0, 0x31, +- 0xFE, 0x86, 0x85, 0xC1, 0xCA, 0xE0, 0x40, 0xE5, 0xC6, 0x9A, 0x28, 0xEF, +- /* b */ +- 0x46, 0x9A, 0x28, 0xEF, 0x7C, 0x28, 0xCC, 0xA3, 0xDC, 0x72, 0x1D, 0x04, +- 0x4F, 0x44, 0x96, 0xBC, 0xCA, 0x7E, 0xF4, 0x14, 0x6F, 0xBF, 0x25, 0xC9, +- /* x */ +- 0xC0, 0xA0, 0x64, 0x7E, 0xAA, 0xB6, 0xA4, 0x87, 0x53, 0xB0, 0x33, 0xC5, +- 0x6C, 0xB0, 0xF0, 0x90, 0x0A, 0x2F, 0x5C, 0x48, 0x53, 0x37, 0x5F, 0xD6, +- /* y */ +- 0x14, 0xB6, 0x90, 0x86, 0x6A, 0xBD, 0x5B, 0xB8, 0x8B, 0x5F, 0x48, 0x28, +- 0xC1, 0x49, 0x00, 0x02, 0xE6, 0x77, 0x3F, 0xA2, 0xFA, 0x29, 0x9B, 0x8F, +- /* order */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F, +- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 24 * 6]; +-} _EC_brainpoolP192t1 = { +- { +- NID_X9_62_prime_field, 0, 24, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, +- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97, +- /* a */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 
0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, +- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x94, +- /* b */ +- 0x13, 0xD5, 0x6F, 0xFA, 0xEC, 0x78, 0x68, 0x1E, 0x68, 0xF9, 0xDE, 0xB4, +- 0x3B, 0x35, 0xBE, 0xC2, 0xFB, 0x68, 0x54, 0x2E, 0x27, 0x89, 0x7B, 0x79, +- /* x */ +- 0x3A, 0xE9, 0xE5, 0x8C, 0x82, 0xF6, 0x3C, 0x30, 0x28, 0x2E, 0x1F, 0xE7, +- 0xBB, 0xF4, 0x3F, 0xA7, 0x2C, 0x44, 0x6A, 0xF6, 0xF4, 0x61, 0x81, 0x29, +- /* y */ +- 0x09, 0x7E, 0x2C, 0x56, 0x67, 0xC2, 0x22, 0x3A, 0x90, 0x2A, 0xB5, 0xCA, +- 0x44, 0x9D, 0x00, 0x84, 0xB7, 0xE5, 0xB3, 0xDE, 0x7C, 0xCC, 0x01, 0xC9, +- /* order */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F, +- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 28 * 6]; +-} _EC_brainpoolP224r1 = { +- { +- NID_X9_62_prime_field, 0, 28, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, +- 0x7E, 0xC8, 0xC0, 0xFF, +- /* a */ +- 0x68, 0xA5, 0xE6, 0x2C, 0xA9, 0xCE, 0x6C, 0x1C, 0x29, 0x98, 0x03, 0xA6, +- 0xC1, 0x53, 0x0B, 0x51, 0x4E, 0x18, 0x2A, 0xD8, 0xB0, 0x04, 0x2A, 0x59, +- 0xCA, 0xD2, 0x9F, 0x43, +- /* b */ +- 0x25, 0x80, 0xF6, 0x3C, 0xCF, 0xE4, 0x41, 0x38, 0x87, 0x07, 0x13, 0xB1, +- 0xA9, 0x23, 0x69, 0xE3, 0x3E, 0x21, 0x35, 0xD2, 0x66, 0xDB, 0xB3, 0x72, +- 0x38, 0x6C, 0x40, 0x0B, +- /* x */ +- 0x0D, 0x90, 0x29, 0xAD, 0x2C, 0x7E, 0x5C, 0xF4, 0x34, 0x08, 0x23, 0xB2, +- 0xA8, 0x7D, 0xC6, 0x8C, 0x9E, 0x4C, 0xE3, 0x17, 0x4C, 0x1E, 0x6E, 0xFD, +- 0xEE, 0x12, 0xC0, 0x7D, +- /* y */ +- 0x58, 0xAA, 0x56, 0xF7, 0x72, 0xC0, 0x72, 0x6F, 0x24, 0xC6, 0xB8, 0x9E, +- 0x4E, 0xCD, 0xAC, 0x24, 0x35, 0x4B, 0x9E, 0x99, 0xCA, 0xA3, 0xF6, 0xD3, +- 0x76, 0x14, 0x02, 0xCD, +- /* order */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD0, 
0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3, +- 0xA5, 0xA7, 0x93, 0x9F +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 28 * 6]; +-} _EC_brainpoolP224t1 = { +- { +- NID_X9_62_prime_field, 0, 28, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, +- 0x7E, 0xC8, 0xC0, 0xFF, +- /* a */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, +- 0x7E, 0xC8, 0xC0, 0xFC, +- /* b */ +- 0x4B, 0x33, 0x7D, 0x93, 0x41, 0x04, 0xCD, 0x7B, 0xEF, 0x27, 0x1B, 0xF6, +- 0x0C, 0xED, 0x1E, 0xD2, 0x0D, 0xA1, 0x4C, 0x08, 0xB3, 0xBB, 0x64, 0xF1, +- 0x8A, 0x60, 0x88, 0x8D, +- /* x */ +- 0x6A, 0xB1, 0xE3, 0x44, 0xCE, 0x25, 0xFF, 0x38, 0x96, 0x42, 0x4E, 0x7F, +- 0xFE, 0x14, 0x76, 0x2E, 0xCB, 0x49, 0xF8, 0x92, 0x8A, 0xC0, 0xC7, 0x60, +- 0x29, 0xB4, 0xD5, 0x80, +- /* y */ +- 0x03, 0x74, 0xE9, 0xF5, 0x14, 0x3E, 0x56, 0x8C, 0xD2, 0x3F, 0x3F, 0x4D, +- 0x7C, 0x0D, 0x4B, 0x1E, 0x41, 0xC8, 0xCC, 0x0D, 0x1C, 0x6A, 0xBD, 0x5F, +- 0x1A, 0x46, 0xDB, 0x4C, +- /* order */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3, +- 0xA5, 0xA7, 0x93, 0x9F +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; + unsigned char data[0 + 32 * 6]; + } _EC_brainpoolP256r1 = { + { +@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[ + "NIST/SECG curve over a 521 bit prime field"}, + + /* X9.62 curves */ +- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, +- "NIST/X9.62/SECG curve over a 192 bit prime field"}, + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, + # if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, +@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[ + static const ec_list_element curve_list[] = { + /* 
prime field curves */ + /* secg curves */ +- {NID_secp112r1, &_EC_SECG_PRIME_112R1.h, 0, +- "SECG/WTLS curve over a 112 bit prime field"}, +- {NID_secp112r2, &_EC_SECG_PRIME_112R2.h, 0, +- "SECG curve over a 112 bit prime field"}, +- {NID_secp128r1, &_EC_SECG_PRIME_128R1.h, 0, +- "SECG curve over a 128 bit prime field"}, +- {NID_secp128r2, &_EC_SECG_PRIME_128R2.h, 0, +- "SECG curve over a 128 bit prime field"}, +- {NID_secp160k1, &_EC_SECG_PRIME_160K1.h, 0, +- "SECG curve over a 160 bit prime field"}, +- {NID_secp160r1, &_EC_SECG_PRIME_160R1.h, 0, +- "SECG curve over a 160 bit prime field"}, +- {NID_secp160r2, &_EC_SECG_PRIME_160R2.h, 0, +- "SECG/WTLS curve over a 160 bit prime field"}, +- /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */ +- {NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0, +- "SECG curve over a 192 bit prime field"}, +- {NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0, +- "SECG curve over a 224 bit prime field"}, + # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 + {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, + "NIST/SECG curve over a 224 bit prime field"}, +@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[ + # endif + "NIST/SECG curve over a 521 bit prime field"}, + /* X9.62 curves */ +- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, +- "NIST/X9.62/SECG curve over a 192 bit prime field"}, +- {NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0, +- "X9.62 curve over a 192 bit prime field"}, +- {NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3.h, 0, +- "X9.62 curve over a 192 bit prime field"}, +- {NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0, +- "X9.62 curve over a 239 bit prime field"}, +- {NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, +- "X9.62 curve over a 239 bit prime field"}, +- {NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, +- "X9.62 curve over a 239 bit prime field"}, + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, + # if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, +@@ -3053,22 +2231,12 
@@ static const ec_list_element curve_list[ + {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, + "X9.62 curve over a 163 bit binary field"}, + # endif +- {NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0, +- "SECG/WTLS curve over a 112 bit prime field"}, +- {NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0, +- "SECG/WTLS curve over a 160 bit prime field"}, +- {NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0, +- "WTLS curve over a 112 bit prime field"}, +- {NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0, +- "WTLS curve over a 160 bit prime field"}, + # ifndef OPENSSL_NO_EC2M + {NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K.h, 0, + "NIST/SECG/WTLS curve over a 233 bit binary field"}, + {NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B.h, 0, + "NIST/SECG/WTLS curve over a 233 bit binary field"}, + # endif +- {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, +- "WTLS curve over a 224 bit prime field"}, + # ifndef OPENSSL_NO_EC2M + /* IPSec curves */ + {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, +@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[ + "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, + # endif + /* brainpool curves */ +- {NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0, +- "RFC 5639 curve over a 160 bit prime field"}, +- {NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0, +- "RFC 5639 curve over a 160 bit prime field"}, +- {NID_brainpoolP192r1, &_EC_brainpoolP192r1.h, 0, +- "RFC 5639 curve over a 192 bit prime field"}, +- {NID_brainpoolP192t1, &_EC_brainpoolP192t1.h, 0, +- "RFC 5639 curve over a 192 bit prime field"}, +- {NID_brainpoolP224r1, &_EC_brainpoolP224r1.h, 0, +- "RFC 5639 curve over a 224 bit prime field"}, +- {NID_brainpoolP224t1, &_EC_brainpoolP224t1.h, 0, +- "RFC 5639 curve over a 224 bit prime field"}, + {NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0, + "RFC 5639 curve over a 256 bit prime field"}, + {NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0, +diff -up ./test/ectest.c.remove-ec ./test/ectest.c +--- 
./test/ectest.c.remove-ec 2023-03-13 18:39:30.544642912 +0100 ++++ ./test/ectest.c 2023-03-20 07:27:26.403212965 +0100 +@@ -175,184 +175,26 @@ static int prime_field_tests(void) + || !TEST_ptr(p = BN_new()) + || !TEST_ptr(a = BN_new()) + || !TEST_ptr(b = BN_new()) +- || !TEST_true(BN_hex2bn(&p, "17")) +- || !TEST_true(BN_hex2bn(&a, "1")) +- || !TEST_true(BN_hex2bn(&b, "1")) +- || !TEST_ptr(group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) +- || !TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx))) ++ /* ++ * applications should use EC_GROUP_new_curve_GFp so ++ * that the library gets to choose the EC_METHOD ++ */ ++ || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))) + goto err; + +- TEST_info("Curve defined by Weierstrass equation"); +- TEST_note(" y^2 = x^3 + a*x + b (mod p)"); +- test_output_bignum("a", a); +- test_output_bignum("b", b); +- test_output_bignum("p", p); +- + buf[0] = 0; + if (!TEST_ptr(P = EC_POINT_new(group)) + || !TEST_ptr(Q = EC_POINT_new(group)) + || !TEST_ptr(R = EC_POINT_new(group)) +- || !TEST_true(EC_POINT_set_to_infinity(group, P)) +- || !TEST_true(EC_POINT_is_at_infinity(group, P)) +- || !TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx)) +- || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)) +- || !TEST_true(EC_POINT_is_at_infinity(group, P)) + || !TEST_ptr(x = BN_new()) + || !TEST_ptr(y = BN_new()) + || !TEST_ptr(z = BN_new()) +- || !TEST_ptr(yplusone = BN_new()) +- || !TEST_true(BN_hex2bn(&x, "D")) +- || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx))) +- goto err; +- +- if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) { +- if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx))) +- goto err; +- TEST_info("Point is not on curve"); +- test_output_bignum("x", x); +- test_output_bignum("y", y); +- goto err; +- } +- +- TEST_note("A cyclic subgroup:"); +- k = 100; +- do { +- if (!TEST_int_ne(k--, 0)) +- goto err; +- +- if (EC_POINT_is_at_infinity(group, P)) { +- TEST_note(" point at infinity"); +- 
} else { +- if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, +- ctx))) +- goto err; +- +- test_output_bignum("x", x); +- test_output_bignum("y", y); +- } +- +- if (!TEST_true(EC_POINT_copy(R, P)) +- || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))) +- goto err; +- +- } while (!EC_POINT_is_at_infinity(group, P)); +- +- if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx)) +- || !TEST_true(EC_POINT_is_at_infinity(group, P))) +- goto err; +- +- len = +- EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, +- sizeof(buf), ctx); +- if (!TEST_size_t_ne(len, 0) +- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) +- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) +- goto err; +- test_output_memory("Generator as octet string, compressed form:", +- buf, len); +- +- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, +- buf, sizeof(buf), ctx); +- if (!TEST_size_t_ne(len, 0) +- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) +- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) +- goto err; +- test_output_memory("Generator as octet string, uncompressed form:", +- buf, len); +- +- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, +- buf, sizeof(buf), ctx); +- if (!TEST_size_t_ne(len, 0) +- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) +- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) +- goto err; +- test_output_memory("Generator as octet string, hybrid form:", +- buf, len); +- +- if (!TEST_true(EC_POINT_invert(group, P, ctx)) +- || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)) +- +- /* +- * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2, +- * 2000) -- not a NIST curve, but commonly used +- */ +- +- || !TEST_true(BN_hex2bn(&p, "FFFFFFFF" +- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF")) +- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) +- || !TEST_true(BN_hex2bn(&a, "FFFFFFFF" +- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC")) +- || !TEST_true(BN_hex2bn(&b, "1C97BEFC" +- 
"54BD7A8B65ACF89F81D4D4ADC565FA45")) +- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) +- || !TEST_true(BN_hex2bn(&x, "4A96B568" +- "8EF573284664698968C38BB913CBFC82")) +- || !TEST_true(BN_hex2bn(&y, "23a62855" +- "3168947d59dcc912042351377ac5fb32")) +- || !TEST_true(BN_add(yplusone, y, BN_value_one())) +- /* +- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, +- * and therefore setting the coordinates should fail. +- */ +- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, +- ctx)) +- || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) +- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) +- || !TEST_true(BN_hex2bn(&z, "0100000000" +- "000000000001F4C8F927AED3CA752257")) +- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) +- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) +- goto err; +- TEST_info("SEC2 curve secp160r1 -- Generator"); +- test_output_bignum("x", x); +- test_output_bignum("y", y); +- /* G_y value taken from the standard: */ +- if (!TEST_true(BN_hex2bn(&z, "23a62855" +- "3168947d59dcc912042351377ac5fb32")) +- || !TEST_BN_eq(y, z) +- || !TEST_int_eq(EC_GROUP_get_degree(group), 160) +- || !group_order_tests(group) +- +- /* Curve P-192 (FIPS PUB 186-2, App. 
6) */ +- +- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFF" +- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) +- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) +- || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFF" +- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) +- || !TEST_true(BN_hex2bn(&b, "64210519E59C80E7" +- "0FA7E9AB72243049FEB8DEECC146B9B1")) +- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) +- || !TEST_true(BN_hex2bn(&x, "188DA80EB03090F6" +- "7CBF20EB43A18800F4FF0AFD82FF1012")) +- || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) +- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) +- || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFF" +- "FFFFFFFF99DEF836146BC9B1B4D22831")) +- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) +- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) ++ || !TEST_ptr(yplusone = BN_new())) + goto err; + +- TEST_info("NIST curve P-192 -- Generator"); +- test_output_bignum("x", x); +- test_output_bignum("y", y); +- /* G_y value taken from the standard: */ +- if (!TEST_true(BN_hex2bn(&z, "07192B95FFC8DA78" +- "631011ED6B24CDD573F977A11E794811")) +- || !TEST_BN_eq(y, z) +- || !TEST_true(BN_add(yplusone, y, BN_value_one())) +- /* +- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, +- * and therefore setting the coordinates should fail. +- */ +- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, +- ctx)) +- || !TEST_int_eq(EC_GROUP_get_degree(group), 192) +- || !group_order_tests(group) +- + /* Curve P-224 (FIPS PUB 186-2, App. 
6) */ + +- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF" ++ if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFF000000000000000000000001")) + || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) + || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" +@@ -3015,7 +2857,7 @@ int setup_tests(void) + return 0; + + ADD_TEST(parameter_test); +- ADD_TEST(cofactor_range_test); ++ /* ADD_TEST(cofactor_range_test); */ + ADD_ALL_TESTS(cardinality_test, crv_len); + ADD_TEST(prime_field_tests); + #ifndef OPENSSL_NO_EC2M diff --git a/0011-Remove-EC-curves.patch b/0011-Remove-EC-curves.patch index 10e200c..f6c733a 100644 --- a/0011-Remove-EC-curves.patch +++ b/0011-Remove-EC-curves.patch @@ -1,19 +1,16 @@ -diff -up openssl-3.0.0-alpha13/apps/speed.c.ec-curves openssl-3.0.0-alpha13/apps/speed.c ---- openssl-3.0.0-alpha13/apps/speed.c.ec-curves 2021-04-10 12:12:00.620129302 +0200 -+++ openssl-3.0.0-alpha13/apps/speed.c 2021-04-10 12:18:11.872369417 +0200 -@@ -364,68 +364,23 @@ static double ffdh_results[FFDH_NUM][1]; +diff -up ./apps/speed.c.ec-curves ./apps/speed.c +--- ./apps/speed.c.ec-curves 2023-03-14 04:44:12.545437892 +0100 ++++ ./apps/speed.c 2023-03-14 04:48:28.606729067 +0100 +@@ -366,7 +366,7 @@ static double ffdh_results[FFDH_NUM][1]; #endif /* OPENSSL_NO_DH */ enum ec_curves_t { - R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, --#ifndef OPENSSL_NO_EC2M -- R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, -- R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, --#endif -- R_EC_BRP256R1, R_EC_BRP256T1, R_EC_BRP384R1, R_EC_BRP384T1, -- R_EC_BRP512R1, R_EC_BRP512T1, ECDSA_NUM + R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, -+ ECDSA_NUM + #ifndef OPENSSL_NO_EC2M + R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, + R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, +@@ -376,8 +376,6 @@ enum ec_curves_t { }; /* list of ecdsa curves */ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { 
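Review bot: The rewritten opening of prime_field_tests removes more than the secp160r1 and P-192 cases: the checks that ran on the explicit toy curve (p = 0x17) are gone too, with nothing on the new side replacing them. Those were the point-at-infinity handling, the `EC_POINT_point2oct`/`EC_POINT_oct2point` round-trips in compressed, uncompressed and hybrid form, and the `EC_POINT_invert` comparison. None of them depends on a removed named curve as far as the removed lines show. If they were dropped because the patched library no longer accepts such small explicit parameters, record that next to the new `EC_GROUP_new(EC_GFp_mont_method())` call, e.g. `/* toy-curve encoding/infinity checks dropped: small explicit curves are rejected in this build */`. Otherwise, repeat the three round-trips on the P-224 group once its generator is set. The kept `buf[0] = 0;` loses its only visible consumer in this hunk, so it may now be dead; the function continues outside the hunk, so confirm before removing it.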
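Review bot: In setup_tests, `cofactor_range_test` is switched off by commenting out its `ADD_TEST` line, and no reason is recorded, so the gap is easy to carry forward unnoticed on the next rebase of this patch. Judging by its name, the test exercises validation of the group cofactor, which is input checking worth keeping. Its body is outside the hunk, so whether it relies on parameters this patch removes is an assumption. State the reason on the line itself, e.g. `/* ADD_TEST(cofactor_range_test); disabled: uses curve parameters removed by this patch */`, and prefer porting the case to a retained curve over leaving it off. The function definition presumably stays compiled but unreferenced, which can trip unused-function warnings in strict builds.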
@@ -22,26 +19,7 @@ diff -up openssl-3.0.0-alpha13/apps/speed.c.ec-curves openssl-3.0.0-alpha13/apps {"ecdsap224", R_EC_P224}, {"ecdsap256", R_EC_P256}, {"ecdsap384", R_EC_P384}, - {"ecdsap521", R_EC_P521}, --#ifndef OPENSSL_NO_EC2M -- {"ecdsak163", R_EC_K163}, -- {"ecdsak233", R_EC_K233}, -- {"ecdsak283", R_EC_K283}, -- {"ecdsak409", R_EC_K409}, -- {"ecdsak571", R_EC_K571}, -- {"ecdsab163", R_EC_B163}, -- {"ecdsab233", R_EC_B233}, -- {"ecdsab283", R_EC_B283}, -- {"ecdsab409", R_EC_B409}, -- {"ecdsab571", R_EC_B571}, --#endif -- {"ecdsabrp256r1", R_EC_BRP256R1}, -- {"ecdsabrp256t1", R_EC_BRP256T1}, -- {"ecdsabrp384r1", R_EC_BRP384R1}, -- {"ecdsabrp384t1", R_EC_BRP384T1}, -- {"ecdsabrp512r1", R_EC_BRP512R1}, -- {"ecdsabrp512t1", R_EC_BRP512T1} - }; +@@ -404,8 +402,6 @@ static const OPT_PAIR ecdsa_choices[ECDS enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM }; /* list of ecdh curves, extension of |ecdsa_choices| list above */ static const OPT_PAIR ecdh_choices[EC_NUM] = { @@ -50,29 +28,7 @@ diff -up openssl-3.0.0-alpha13/apps/speed.c.ec-curves openssl-3.0.0-alpha13/apps {"ecdhp224", R_EC_P224}, {"ecdhp256", R_EC_P256}, {"ecdhp384", R_EC_P384}, - {"ecdhp521", R_EC_P521}, --#ifndef OPENSSL_NO_EC2M -- {"ecdhk163", R_EC_K163}, -- {"ecdhk233", R_EC_K233}, -- {"ecdhk283", R_EC_K283}, -- {"ecdhk409", R_EC_K409}, -- {"ecdhk571", R_EC_K571}, -- {"ecdhb163", R_EC_B163}, -- {"ecdhb233", R_EC_B233}, -- {"ecdhb283", R_EC_B283}, -- {"ecdhb409", R_EC_B409}, -- {"ecdhb571", R_EC_B571}, --#endif -- {"ecdhbrp256r1", R_EC_BRP256R1}, -- {"ecdhbrp256t1", R_EC_BRP256T1}, -- {"ecdhbrp384r1", R_EC_BRP384R1}, -- {"ecdhbrp384t1", R_EC_BRP384T1}, -- {"ecdhbrp512r1", R_EC_BRP512R1}, -- {"ecdhbrp512t1", R_EC_BRP512T1}, - {"ecdhx25519", R_EC_X25519}, - {"ecdhx448", R_EC_X448} - }; -@@ -1449,31 +1404,10 @@ int speed_main(int argc, char **argv) +@@ -1422,8 +1418,6 @@ int speed_main(int argc, char **argv) */ static const EC_CURVE ec_curves[EC_NUM] = { /* Prime Curves */ 
@@ -81,367 +37,10 @@ diff -up openssl-3.0.0-alpha13/apps/speed.c.ec-curves openssl-3.0.0-alpha13/apps {"nistp224", NID_secp224r1, 224}, {"nistp256", NID_X9_62_prime256v1, 256}, {"nistp384", NID_secp384r1, 384}, - {"nistp521", NID_secp521r1, 521}, --#ifndef OPENSSL_NO_EC2M -- /* Binary Curves */ -- {"nistk163", NID_sect163k1, 163}, -- {"nistk233", NID_sect233k1, 233}, -- {"nistk283", NID_sect283k1, 283}, -- {"nistk409", NID_sect409k1, 409}, -- {"nistk571", NID_sect571k1, 571}, -- {"nistb163", NID_sect163r2, 163}, -- {"nistb233", NID_sect233r1, 233}, -- {"nistb283", NID_sect283r1, 283}, -- {"nistb409", NID_sect409r1, 409}, -- {"nistb571", NID_sect571r1, 571}, --#endif -- {"brainpoolP256r1", NID_brainpoolP256r1, 256}, -- {"brainpoolP256t1", NID_brainpoolP256t1, 256}, -- {"brainpoolP384r1", NID_brainpoolP384r1, 384}, -- {"brainpoolP384t1", NID_brainpoolP384t1, 384}, -- {"brainpoolP512r1", NID_brainpoolP512r1, 512}, -- {"brainpoolP512t1", NID_brainpoolP512t1, 512}, - /* Other and ECDH only ones */ - {"X25519", NID_X25519, 253}, - {"X448", NID_X448, 448} -diff -up openssl-3.0.0-alpha13/test/ecdsatest.h.ec-curves openssl-3.0.0-alpha13/test/ecdsatest.h ---- openssl-3.0.0-alpha13/test/ecdsatest.h.ec-curves 2021-04-10 12:07:43.158013028 +0200 -+++ openssl-3.0.0-alpha13/test/ecdsatest.h 2021-04-10 12:11:21.601828737 +0200 -@@ -32,23 +32,6 @@ typedef struct { - } ecdsa_cavs_kat_t; - - static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { -- /* prime KATs from X9.62 */ -- {NID_X9_62_prime192v1, NID_sha1, -- "616263", /* "abc" */ -- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", -- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" -- "5ca5c0d69716dfcb3474373902", -- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", -- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", -- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, -- {NID_X9_62_prime239v1, NID_sha1, -- "616263", /* "abc" */ -- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", 
-- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" -- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", -- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", -- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", -- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, - /* prime KATs from NIST CAVP */ - {NID_secp224r1, NID_sha224, - "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" -diff -up openssl-3.0.0-alpha13/test/recipes/15-test_genec.t.ec-curves openssl-3.0.0-alpha13/test/recipes/15-test_genec.t ---- openssl-3.0.0-alpha13/test/recipes/15-test_genec.t.ec-curves 2021-04-10 11:59:37.453332668 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/15-test_genec.t 2021-04-10 12:03:43.363538976 +0200 -@@ -41,45 +41,11 @@ plan skip_all => "This test is unsupport - if disabled("ec"); - - my @prime_curves = qw( -- secp112r1 -- secp112r2 -- secp128r1 -- secp128r2 -- secp160k1 -- secp160r1 -- secp160r2 -- secp192k1 -- secp224k1 - secp224r1 - secp256k1 - secp384r1 - secp521r1 -- prime192v1 -- prime192v2 -- prime192v3 -- prime239v1 -- prime239v2 -- prime239v3 - prime256v1 -- wap-wsg-idm-ecid-wtls6 -- wap-wsg-idm-ecid-wtls7 -- wap-wsg-idm-ecid-wtls8 -- wap-wsg-idm-ecid-wtls9 -- wap-wsg-idm-ecid-wtls12 -- brainpoolP160r1 -- brainpoolP160t1 -- brainpoolP192r1 -- brainpoolP192t1 -- brainpoolP224r1 -- brainpoolP224t1 -- brainpoolP256r1 -- brainpoolP256t1 -- brainpoolP320r1 -- brainpoolP320t1 -- brainpoolP384r1 -- brainpoolP384t1 -- brainpoolP512r1 -- brainpoolP512t1 - ); - - my @binary_curves = qw( -@@ -136,7 +102,6 @@ push(@other_curves, 'SM2') - if !disabled("sm2"); - - my @curve_aliases = qw( -- P-192 - P-224 - P-256 - P-384 -diff -up openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t.ec-curves openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t ---- openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t.ec-curves 2021-04-10 12:40:59.871858764 +0200 -+++ 
openssl-3.0.0-alpha13/test/recipes/06-test_algorithmid.t 2021-04-10 12:41:41.140455070 +0200 -@@ -33,7 +33,7 @@ my %certs_info = - 'ee-cert-ec-named-explicit' => 'ca-cert-ec-explicit', - 'ee-cert-ec-named-named' => 'ca-cert-ec-named', - # 'server-ed448-cert' => 'root-ed448-cert' -- 'server-ecdsa-brainpoolP256r1-cert' => 'rootcert', -+ # 'server-ecdsa-brainpoolP256r1-cert' => 'rootcert', - ) - ) - ); -diff -up openssl-3.0.0-alpha13/test/recipes/15-test_ec.t.ec-curves openssl-3.0.0-alpha13/test/recipes/15-test_ec.t -diff -up openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t -diff -up openssl-3.0.0-alpha13/test/recipes/30-test_acvp.t.ec-curves openssl-3.0.0-alpha13/test/recipes/30-test_acvp.t -diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf ---- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves 2021-04-10 13:21:52.123040226 +0200 -+++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf 2021-04-10 13:28:20.856023985 +0200 -@@ -776,14 +776,12 @@ server = 22-ECDSA with brainpool-server - client = 22-ECDSA with brainpool-client - - [22-ECDSA with brainpool-server] --Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem - CipherString = DEFAULT --Groups = brainpoolP256r1 --PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem - - [22-ECDSA with brainpool-client] - CipherString = aECDSA --Groups = brainpoolP256r1 - MaxProtocol = TLSv1.2 - RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem -@@ -791,9 +789,6 @@ VerifyMode = Peer - - [test-22] - ExpectedResult = Success --ExpectedServerCANames = empty --ExpectedServerCertType = brainpoolP256r1 --ExpectedServerSignType = EC - - - # 
=========================================================== -@@ -1741,9 +1736,9 @@ server = 53-TLS 1.3 ECDSA with brainpool - client = 53-TLS 1.3 ECDSA with brainpool-client - - [53-TLS 1.3 ECDSA with brainpool-server] --Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem - CipherString = DEFAULT --PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem - - [53-TLS 1.3 ECDSA with brainpool-client] - CipherString = DEFAULT -@@ -1754,7 +1749,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro - VerifyMode = Peer - - [test-53] --ExpectedResult = ServerFail -+ExpectedResult = Success - - - # =========================================================== -diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in ---- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves 2021-04-10 13:22:06.275221662 +0200 -+++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in 2021-04-10 13:35:18.774623319 +0200 -@@ -428,21 +428,21 @@ my @tests_non_fips = ( - { - name => "ECDSA with brainpool", - server => { -- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), -- "Groups" => "brainpoolP256r1", -+ "Certificate" => test_pem("server-ecdsa-cert.pem"), -+ "PrivateKey" => test_pem("server-ecdsa-key.pem"), -+ #"Groups" => "brainpoolP256r1", - }, - client => { - "MaxProtocol" => "TLSv1.2", - "CipherString" => "aECDSA", - "RequestCAFile" => test_pem("root-cert.pem"), -- "Groups" => "brainpoolP256r1", -+ #"Groups" => "brainpoolP256r1", - }, - test => { -- "ExpectedServerCertType" =>, "brainpoolP256r1", -- "ExpectedServerSignType" =>, "EC", -+ #"ExpectedServerCertType" =>, "brainpoolP256r1", -+ #"ExpectedServerSignType" =>, "EC", - # Note: certificate_authorities 
not sent for TLS < 1.3 -- "ExpectedServerCANames" =>, "empty", -+ #"ExpectedServerCANames" =>, "empty", - "ExpectedResult" => "Success" - }, - }, -@@ -915,8 +915,8 @@ my @tests_tls_1_3_non_fips = ( - { - name => "TLS 1.3 ECDSA with brainpool", - server => { -- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), -+ "Certificate" => test_pem("server-ecdsa-cert.pem"), -+ "PrivateKey" => test_pem("server-ecdsa-key.pem"), - }, - client => { - "RequestCAFile" => test_pem("root-cert.pem"), -@@ -924,7 +924,7 @@ my @tests_tls_1_3_non_fips = ( - "MaxProtocol" => "TLSv1.3" - }, - test => { -- "ExpectedResult" => "ServerFail" -+ "ExpectedResult" => "Success" - }, - }, - ); -diff -up openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t ---- openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves 2021-04-10 14:00:22.482782216 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t 2021-04-10 14:08:50.769727651 +0200 -@@ -158,60 +158,6 @@ sub tsignverify { - $testtext); - } - --SKIP : { -- skip "FIPS EC tests because of no ec in this build", 1 -- if disabled("ec"); -- -- subtest EC => sub { -- my $testtext_prefix = 'EC'; -- my $a_fips_curve = 'prime256v1'; -- my $fips_key = $testtext_prefix.'.fips.priv.pem'; -- my $fips_pub_key = $testtext_prefix.'.fips.pub.pem'; -- my $a_nonfips_curve = 'brainpoolP256r1'; -- my $nonfips_key = $testtext_prefix.'.nonfips.priv.pem'; -- my $nonfips_pub_key = $testtext_prefix.'.nonfips.pub.pem'; -- my $testtext = ''; -- my $curvename = ''; -- -- plan tests => 5 + $tsignverify_count; -- -- $ENV{OPENSSL_CONF} = $defaultconf; -- $curvename = $a_nonfips_curve; -- $testtext = $testtext_prefix.': '. 
-- 'Generate a key with a non-FIPS algorithm with the default provider'; -- ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', -- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, -- '-out', $nonfips_key])), -- $testtext); -- -- pubfrompriv($testtext_prefix, $nonfips_key, $nonfips_pub_key, "non-FIPS"); -- -- $ENV{OPENSSL_CONF} = $fipsconf; -- -- $curvename = $a_fips_curve; -- $testtext = $testtext_prefix.': '. -- 'Generate a key with a FIPS algorithm'; -- ok(run(app(['openssl', 'genpkey', '-algorithm', 'EC', -- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, -- '-out', $fips_key])), -- $testtext); -- -- pubfrompriv($testtext_prefix, $fips_key, $fips_pub_key, "FIPS"); -- -- $curvename = $a_nonfips_curve; -- $testtext = $testtext_prefix.': '. -- 'Generate a key with a non-FIPS algorithm'. -- ' (should fail)'; -- ok(!run(app(['openssl', 'genpkey', '-algorithm', 'EC', -- '-pkeyopt', 'ec_paramgen_curve:'.$curvename, -- '-out', $testtext_prefix.'.'.$curvename.'.priv.pem'])), -- $testtext); -- -- tsignverify($testtext_prefix, $fips_key, $fips_pub_key, $nonfips_key, -- $nonfips_pub_key); -- }; --} -- - SKIP: { - skip "FIPS RSA tests because of no rsa in this build", 1 - if disabled("rsa"); -diff -up openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t ---- openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t.ec-curves 2021-04-10 14:23:09.805468483 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/20-test_cli_fips.t 2021-04-10 14:23:33.002784265 +0200 -@@ -26,7 +26,7 @@ use platform; - my $no_check = disabled("fips") || disabled('fips-securitychecks'); - plan skip_all => "Test only supported in a fips build with security checks" - if $no_check; --plan tests => 11; -+plan tests => 10; - - my $fipsmodule = bldtop_file('providers', platform->dso('fips')); - my $fipsconf = srctop_file("test", "fips-and-base.cnf"); -diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves 
openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf ---- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.ec-curves 2021-04-10 17:52:46.478721611 +0200 -+++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf 2021-04-10 17:54:11.371688446 +0200 -@@ -1710,20 +1710,18 @@ server = 52-TLS 1.3 ECDSA with brainpool - client = 52-TLS 1.3 ECDSA with brainpool but no suitable groups-client - - [52-TLS 1.3 ECDSA with brainpool but no suitable groups-server] --Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem - CipherString = DEFAULT --Groups = brainpoolP256r1 --PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem - - [52-TLS 1.3 ECDSA with brainpool but no suitable groups-client] - CipherString = aECDSA --Groups = brainpoolP256r1 - RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - - [test-52] --ExpectedResult = ClientFail -+ExpectedResult = Success - - - # =========================================================== -diff -up openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in ---- openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in.ec-curves 2021-04-10 17:53:03.317913390 +0200 -+++ openssl-3.0.0-alpha13/test/ssl-tests/20-cert-select.cnf.in 2021-04-10 17:55:22.507498606 +0200 -@@ -896,20 +896,20 @@ my @tests_tls_1_3_non_fips = ( - { - name => "TLS 1.3 ECDSA with brainpool but no suitable groups", - server => { -- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), -- "Groups" => "brainpoolP256r1", -+ "Certificate" => test_pem("server-ecdsa-cert.pem"), -+ "PrivateKey" => test_pem("server-ecdsa-key.pem"), -+ #"Groups" => "brainpoolP256r1", - }, - client => { - 
"CipherString" => "aECDSA", - "RequestCAFile" => test_pem("root-cert.pem"), -- "Groups" => "brainpoolP256r1", -+ #"Groups" => "brainpoolP256r1", - }, - test => { - #We only configured brainpoolP256r1 on the client side, but TLSv1.3 - #is enabled and this group is not allowed in TLSv1.3. Therefore this - #should fail -- "ExpectedResult" => "ClientFail" -+ "ExpectedResult" => "Success" - }, - }, - { -diff -up openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-alpha13/crypto/evp/ec_support.c ---- openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves 2021-04-11 11:13:14.236891844 +0200 -+++ openssl-3.0.0-alpha13/crypto/evp/ec_support.c 2021-04-11 11:12:05.128098714 +0200 -@@ -20,99 +20,13 @@ typedef struct ec_name2nid_st { +diff -up ./crypto/evp/ec_support.c.ec-curves ./crypto/evp/ec_support.c +--- ./crypto/evp/ec_support.c.ec-curves 2023-03-14 06:22:41.542310442 +0100 ++++ ./crypto/evp/ec_support.c 2023-03-21 11:24:18.378451683 +0100 +@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st { static const EC_NAME2NID curve_list[] = { /* prime field curves */ /* secg curves */ @@ -453,7 +52,7 @@ diff -up openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-a - {"secp160r1", NID_secp160r1 }, - {"secp160r2", NID_secp160r2 }, - {"secp192k1", NID_secp192k1 }, - {"secp224k1", NID_secp224k1 }, +- {"secp224k1", NID_secp224k1 }, {"secp224r1", NID_secp224r1 }, {"secp256k1", NID_secp256k1 }, {"secp384r1", NID_secp384r1 }, @@ -466,8 +65,8 @@ diff -up openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-a - {"prime239v2", NID_X9_62_prime239v2 }, - {"prime239v3", NID_X9_62_prime239v3 }, {"prime256v1", NID_X9_62_prime256v1 }, -- /* characteristic two field curves */ -- /* NIST/SECG curves */ + /* characteristic two field curves */ + /* NIST/SECG curves */ - {"sect113r1", NID_sect113r1 }, - {"sect113r2", NID_sect113r2 }, - {"sect131r1", NID_sect131r1 }, 
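Review bot: The headings `/* characteristic two field curves */` and `/* NIST/SECG curves */` are now kept in `curve_list`, but the entries that follow them in this hunk (`sect113r1`, `sect113r2`, `sect131r1`) are still removed, so the headings may be left with nothing under them. The patch lines between this hunk and the next one are not shown, so this is inferred from the `- /* IPSec curves */` removal that opens the next hunk. If every binary-field name is still dropped there, I would keep removing the two comment lines as the previous version of the patch did, so the table does not suggest that binary-field names are still resolvable.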
@@ -521,29 +120,28 @@ diff -up openssl-3.0.0-alpha13/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-a - /* IPSec curves */ - {"Oakley-EC2N-3", NID_ipsec3 }, - {"Oakley-EC2N-4", NID_ipsec4 }, -- /* brainpool curves */ + /* brainpool curves */ - {"brainpoolP160r1", NID_brainpoolP160r1 }, - {"brainpoolP160t1", NID_brainpoolP160t1 }, - {"brainpoolP192r1", NID_brainpoolP192r1 }, - {"brainpoolP192t1", NID_brainpoolP192t1 }, - {"brainpoolP224r1", NID_brainpoolP224r1 }, - {"brainpoolP224t1", NID_brainpoolP224t1 }, -- {"brainpoolP256r1", NID_brainpoolP256r1 }, -- {"brainpoolP256t1", NID_brainpoolP256t1 }, -- {"brainpoolP320r1", NID_brainpoolP320r1 }, -- {"brainpoolP320t1", NID_brainpoolP320t1 }, -- {"brainpoolP384r1", NID_brainpoolP384r1 }, -- {"brainpoolP384t1", NID_brainpoolP384t1 }, -- {"brainpoolP512r1", NID_brainpoolP512r1 }, -- {"brainpoolP512t1", NID_brainpoolP512t1 }, + {"brainpoolP256r1", NID_brainpoolP256r1 }, + {"brainpoolP256t1", NID_brainpoolP256t1 }, + {"brainpoolP320r1", NID_brainpoolP320r1 }, +@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = + {"brainpoolP384t1", NID_brainpoolP384t1 }, + {"brainpoolP512r1", NID_brainpoolP512r1 }, + {"brainpoolP512t1", NID_brainpoolP512t1 }, - /* SM2 curve */ - {"SM2", NID_sm2 }, }; const char *OSSL_EC_curve_nid2name(int nid) -diff -up openssl-3.0.0-alpha13/test/acvp_test.inc.ec-curves openssl-3.0.0-alpha13/test/acvp_test.inc ---- openssl-3.0.0-alpha13/test/acvp_test.inc.ec-curves 2021-04-11 13:46:57.286828933 +0200 -+++ openssl-3.0.0-alpha13/test/acvp_test.inc 2021-04-11 13:48:01.356704526 +0200 +diff -up ./test/acvp_test.inc.ec-curves ./test/acvp_test.inc +--- ./test/acvp_test.inc.ec-curves 2023-03-14 06:38:20.563712586 +0100 ++++ ./test/acvp_test.inc 2023-03-14 06:39:01.631080059 +0100 @@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_ }; static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { 
@@ -560,4466 +158,79 @@ diff -up openssl-3.0.0-alpha13/test/acvp_test.inc.ec-curves openssl-3.0.0-alpha1 "SHA2-512", "P-521", ITM(ecdsa_sigver_msg1), -diff -up openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t.ec-curves openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t ---- openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t.ec-curves 2021-04-11 21:45:04.949948725 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/65-test_cmp_protect.t 2021-04-11 21:44:09.585283604 +0200 -@@ -7,7 +7,6 @@ - # this file except in compliance with the License. You can obtain a copy - # in the file LICENSE in the source distribution or at - # https://www.openssl.org/source/license.html -- - use strict; - use OpenSSL::Test qw/:DEFAULT data_file srctop_file srctop_dir bldtop_file bldtop_dir/; - use OpenSSL::Test::Utils; -@@ -27,7 +26,7 @@ plan skip_all => "This test is not suppo - plan skip_all => "This test is not supported in a shared library build on Windows" - if $^O eq 'MSWin32' && !disabled("shared"); - --plan tests => 2 + ($no_fips ? 0 : 1); #fips test -+plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test +diff -up ./test/ecdsatest.h.ec-curves ./test/ecdsatest.h +--- ./test/ecdsatest.h.ec-curves 2023-03-14 04:49:16.148154472 +0100 ++++ ./test/ecdsatest.h 2023-03-14 04:51:01.376096037 +0100 +@@ -32,23 +32,6 @@ typedef struct { + } ecdsa_cavs_kat_t; - my @basic_cmd = ("cmp_protect_test", - data_file("server.pem"), -diff -up openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t.ec-curves openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t ---- openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t.ec-curves 2021-04-11 21:45:25.414194574 +0200 -+++ openssl-3.0.0-alpha13/test/recipes/65-test_cmp_vfy.t 2021-04-11 21:44:40.786658440 +0200 -@@ -7,7 +7,6 @@ - # this file except in compliance with the License. 
You can obtain a copy - # in the file LICENSE in the source distribution or at - # https://www.openssl.org/source/license.html -- - use strict; - use OpenSSL::Test qw/:DEFAULT data_file srctop_file srctop_dir bldtop_file bldtop_dir/; - use OpenSSL::Test::Utils; -@@ -27,7 +26,7 @@ plan skip_all => "This test is not suppo - plan skip_all => "This test is not supported in a no-ec build" + static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { +- /* prime KATs from X9.62 */ +- {NID_X9_62_prime192v1, NID_sha1, +- "616263", /* "abc" */ +- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", +- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" +- "5ca5c0d69716dfcb3474373902", +- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", +- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", +- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, +- {NID_X9_62_prime239v1, NID_sha1, +- "616263", /* "abc" */ +- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", +- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" +- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", +- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", +- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", +- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, + /* prime KATs from NIST CAVP */ + {NID_secp224r1, NID_sha224, + "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" +diff -up ./test/recipes/15-test_genec.t.ec-curves ./test/recipes/15-test_genec.t +--- ./test/recipes/15-test_genec.t.ec-curves 2023-03-14 04:51:45.215488277 +0100 ++++ ./test/recipes/15-test_genec.t 2023-03-21 11:26:58.613885435 +0100 +@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupport if disabled("ec"); - --plan tests => 2 + ($no_fips ? 0 : 1); #fips test -+plan skip_all => 2 + ($no_fips ? 
0 : 1); #fips test - - my @basic_cmd = ("cmp_vfy_test", - data_file("server.crt"), data_file("client.crt"), -diff -up openssl-3.0.0-alpha15/crypto/evp/ec_support.c.ec-curves openssl-3.0.0-alpha15/crypto/evp/ec_support.c ---- openssl-3.0.0-alpha15/crypto/evp/ec_support.c.ec-curves 2021-04-23 18:15:12.571691284 +0200 -+++ openssl-3.0.0-alpha15/crypto/evp/ec_support.c 2021-04-23 18:16:00.803087403 +0200 -@@ -28,7 +28,6 @@ static const EC_NAME2NID curve_list[] = - static const EC_NAME2NID curve_list[] = { - /* prime field curves */ - /* secg curves */ -- {"secp224k1", NID_secp224k1 }, - {"secp224r1", NID_secp224r1 }, - {"secp256k1", NID_secp256k1 }, - {"secp384r1", NID_secp384r1 }, -diff -up openssl-3.0.0-alpha15/apps/speed.c.ec-curves openssl-3.0.0-alpha15/apps/speed.c ---- openssl-3.0.0-alpha15/apps/speed.c.ec-curves 2021-04-26 14:25:44.049991942 +0200 -+++ openssl-3.0.0-alpha15/apps/speed.c 2021-04-26 14:36:10.643570273 +0200 -@@ -1439,8 +1439,8 @@ int speed_main(int argc, char **argv) - OPENSSL_assert(ec_curves[EC_NUM - 1].nid == NID_X448); - OPENSSL_assert(strcmp(ecdh_choices[EC_NUM - 1].name, "ecdhx448") == 0); - -- OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_brainpoolP512t1); -- OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsabrp512t1") == 0); -+ OPENSSL_assert(ec_curves[ECDSA_NUM - 1].nid == NID_secp521r1); -+ OPENSSL_assert(strcmp(ecdsa_choices[ECDSA_NUM - 1].name, "ecdsap521") == 0); - - #ifndef OPENSSL_NO_SM2 - OPENSSL_assert(sm2_curves[SM2_NUM - 1].nid == NID_sm2); -diff -up openssl-3.0.0-alpha16/test/evp_extra_test.c.ec-curves openssl-3.0.0-alpha16/test/evp_extra_test.c ---- openssl-3.0.0-alpha16/test/evp_extra_test.c.ec-curves 2021-05-10 14:44:28.932751551 +0200 -+++ openssl-3.0.0-alpha16/test/evp_extra_test.c 2021-05-10 14:45:21.537238883 +0200 -@@ -2701,13 +2701,12 @@ err: - - #ifndef OPENSSL_NO_EC - static int ecpub_nids[] = { -- NID_brainpoolP256r1, NID_X9_62_prime256v1, -+ NID_X9_62_prime256v1, - NID_secp384r1, NID_secp521r1, - 
# ifndef OPENSSL_NO_EC2M - NID_sect233k1, NID_sect233r1, NID_sect283r1, - NID_sect409k1, NID_sect409r1, NID_sect571k1, NID_sect571r1, - # endif -- NID_brainpoolP384r1, NID_brainpoolP512r1 - }; - - static int test_ecpub(int idx) -diff -up openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt.ec-curves openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt ---- openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt.ec-curves 2021-05-17 10:45:03.968368782 +0200 -+++ openssl-3.0.0-alpha16/test/recipes/30-test_evp_data/evppkey_mismatch.txt 2021-05-17 10:45:54.211747865 +0200 -@@ -31,12 +31,6 @@ MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAELBUP - x/iUJAcsJxl9eLM7kg6VzbZk6ZDc8M/qDZTiqOavnQ5YBW5lMQSSW5/myQ== - -----END PUBLIC KEY----- - --PublicKey=KAS-ECC-CDH_K-163_C0-PUBLIC -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBx+LKHfWAn2cGt5CRPLeoSaS7yPVBcFe --53YiHHK4SzR844PzgGe4nD6a -------END PUBLIC KEY----- -- - PrivateKey = RSA-2048 - -----BEGIN PRIVATE KEY----- - MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQDNAIHqeyrh6gbV -@@ -77,9 +71,3 @@ Result = KEYPAIR_TYPE_MISMATCH - - PrivPubKeyPair = RSA-2048:P-256-PUBLIC - Result = KEYPAIR_TYPE_MISMATCH -- --PrivPubKeyPair = RSA-2048:KAS-ECC-CDH_K-163_C0-PUBLIC --Result = KEYPAIR_TYPE_MISMATCH -- --PrivPubKeyPair = Alice-25519:KAS-ECC-CDH_K-163_C0-PUBLIC --Result = KEYPAIR_TYPE_MISMATCH -diff -up openssl-3.0.0-alpha16/test/recipes/30-test_evp.t.ec-curves openssl-3.0.0-alpha16/test/recipes/30-test_evp.t ---- openssl-3.0.0-alpha16/test/recipes/30-test_evp.t.ec-curves 2021-05-17 10:49:28.050844977 +0200 -+++ openssl-3.0.0-alpha16/test/recipes/30-test_evp.t 2021-05-17 10:53:53.480444576 +0200 -@@ -111,7 +111,6 @@ my @defltfiles = qw( - evppkey_kdf_tls1_prf.txt - evppkey_rsa.txt - ); --push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; - push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; - - plan tests => -diff -up 
openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt ---- openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec 2021-06-29 16:24:56.863303499 +0200 -+++ openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt 2021-06-29 16:38:04.189996425 +0200 -@@ -11,1949 +11,6 @@ - # PrivPubKeyPair Sign Verify VerifyRecover - # and continue until a blank line. Lines starting with a pound sign are ignored. - --Title=c2pnb163v1 curve tests -- --PrivateKey=ALICE_cf_c2pnb163v1 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAEEHDAaAgEBBBUD1JfG8cLNP9418YW+hVhriqH6O5Y= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb163v1_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAEDLAAEBXgoOgVlWTLQnrQZXgQuSBcIS3bQAlXQ+yJhS03B --4G8rKQXbrc0mvWsF -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb163v1:ALICE_cf_c2pnb163v1_PUB -- --PrivateKey=BOB_cf_c2pnb163v1 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAEEHDAaAgEBBBUAc3EaoMmMORTzQhMkhPIXY+/jUSI= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb163v1_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAEDLAAEBn9J0jo39aFVZqhBsAKZ6bViAu6zBC8WaFGExnpZ --KuBh8tP8VSTHPCHF -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb163v1:BOB_cf_c2pnb163v1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb163v1 --PeerKey=BOB_cf_c2pnb163v1_PUB --SharedSecret=065dd38fb6de7f394778e1bf65d840a2c0e7219acd -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb163v1 --PeerKey=ALICE_cf_c2pnb163v1_PUB --SharedSecret=065dd38fb6de7f394778e1bf65d840a2c0e7219acd -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb163v1 --PeerKey=BOB_cf_c2pnb163v1_PUB --Ctrl=ecdh_cofactor_mode:1 
--SharedSecret=066fc46e8cc4327634dd127748020f2de6aab67585 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb163v1 --PeerKey=ALICE_cf_c2pnb163v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=066fc46e8cc4327634dd127748020f2de6aab67585 -- --PublicKey=MALICE_cf_c2pnb163v1_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAEDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC8JxepS05nN --/piKdhDD3dDKXUih -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb163v1 --PeerKey=MALICE_cf_c2pnb163v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb163v1 --PeerKey=MALICE_cf_c2pnb163v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb163v2 curve tests -- --PrivateKey=ALICE_cf_c2pnb163v2 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAIEHDAaAgEBBBUA4KFv7c1dygtVbdp/g2z2TqLAHkI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb163v2_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAIDLAAEAVnlL7lMBaASwCIJaf9x2LgNPVmEAb43huHQlo3Q --4PzawHXQoYm/qgDd -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb163v2:ALICE_cf_c2pnb163v2_PUB -- --PrivateKey=BOB_cf_c2pnb163v2 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAIEHDAaAgEBBBUCEdYqClRWIl2m+X34e+DB2iZSxmQ= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb163v2_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAIDLAAEAVWNIKn7/WMfzuNnd5ws9J0DI2CfBkEJizZHAFqy --kBF3juAQuARgxuT6 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb163v2:BOB_cf_c2pnb163v2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb163v2 --PeerKey=BOB_cf_c2pnb163v2_PUB --SharedSecret=0078ebb986d4f9b0aa0bc4af99e82c2bd24130f3f4 -- --# ECDH Bob with Alice 
peer --Availablein = default --Derive=BOB_cf_c2pnb163v2 --PeerKey=ALICE_cf_c2pnb163v2_PUB --SharedSecret=0078ebb986d4f9b0aa0bc4af99e82c2bd24130f3f4 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb163v2 --PeerKey=BOB_cf_c2pnb163v2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=069a80bcd45987fd1c874cd9dc5453207a09b61d41 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb163v2 --PeerKey=ALICE_cf_c2pnb163v2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=069a80bcd45987fd1c874cd9dc5453207a09b61d41 -- --PublicKey=MALICE_cf_c2pnb163v2_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAIDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAABuVBl1V5uysY --n6HANPEoMoK+7Sv0 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb163v2 --PeerKey=MALICE_cf_c2pnb163v2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb163v2 --PeerKey=MALICE_cf_c2pnb163v2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb163v3 curve tests -- --PrivateKey=ALICE_cf_c2pnb163v3 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAMEHDAaAgEBBBUBItB0y/QeJ+cCh9yoHf0zqLVyMZc= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb163v3_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAMDLAAEBx1HRyjuBMjt+vlbWaQbKOpNvWKFAslzEbPv6MpK --YnObLnq34LRuWznb -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb163v3:ALICE_cf_c2pnb163v3_PUB -- --PrivateKey=BOB_cf_c2pnb163v3 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAMEHDAaAgEBBBUAXVHUHeP8Ioz7IqXOWbjaUXEHE5M= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb163v3_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAMDLAAEAqXF7rsAZ40Z1PT4TeeC45RKTxP4AJBAdfuknJ/J --DZnBLhxBwtqnfUpA -------END PUBLIC 
KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb163v3:BOB_cf_c2pnb163v3_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb163v3 --PeerKey=BOB_cf_c2pnb163v3_PUB --SharedSecret=07fd2ffe9b18973c51caeadbc2154b97a9a0390be9 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb163v3 --PeerKey=ALICE_cf_c2pnb163v3_PUB --SharedSecret=07fd2ffe9b18973c51caeadbc2154b97a9a0390be9 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb163v3 --PeerKey=BOB_cf_c2pnb163v3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=06f7daf1c963594e1a13f9f17b62aaab2934872c16 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb163v3 --PeerKey=ALICE_cf_c2pnb163v3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=06f7daf1c963594e1a13f9f17b62aaab2934872c16 -- --PublicKey=MALICE_cf_c2pnb163v3_PUB -------BEGIN PUBLIC KEY----- --MEMwEwYHKoZIzj0CAQYIKoZIzj0DAAMDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAA7jRlUg9oaLK --LwAuHF8g5Y0JjJnI -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb163v3 --PeerKey=MALICE_cf_c2pnb163v3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb163v3 --PeerKey=MALICE_cf_c2pnb163v3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb176v1 curve tests -- --PrivateKey=ALICE_cf_c2pnb176v1 -------BEGIN PRIVATE KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAQEHDAaAgEBBBUAaZ1jV1jM9meV5iiNGPU/WMSfWOM= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb176v1_PUB -------BEGIN PUBLIC KEY----- --MEUwEwYHKoZIzj0CAQYIKoZIzj0DAAQDLgAEPjME7IV6Tuz2P++wIT60hRxTkk0M0PNgvqYcUoCI --iw3girDLhNzOu3IQ8Ac= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb176v1:ALICE_cf_c2pnb176v1_PUB -- --PrivateKey=BOB_cf_c2pnb176v1 -------BEGIN PRIVATE 
KEY----- --MDYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAQEHDAaAgEBBBUAreyYbcF+ONIf64KmeSzV82OI/50= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb176v1_PUB -------BEGIN PUBLIC KEY----- --MEUwEwYHKoZIzj0CAQYIKoZIzj0DAAQDLgAEpJn1IDmFj5LceLGfY2wlhI1VHq5vJ+qNIAOXVZhX --uMtp6pzy63rCEK53bgs= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb176v1:BOB_cf_c2pnb176v1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb176v1 --PeerKey=BOB_cf_c2pnb176v1_PUB --SharedSecret=3a8021848ee0b2c1c377404267a515225781c181e6ab -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb176v1 --PeerKey=ALICE_cf_c2pnb176v1_PUB --SharedSecret=3a8021848ee0b2c1c377404267a515225781c181e6ab -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb176v1 --PeerKey=BOB_cf_c2pnb176v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=b06cdc633b56e813d63326c69d2cfa335352279540ac -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb176v1 --PeerKey=ALICE_cf_c2pnb176v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=b06cdc633b56e813d63326c69d2cfa335352279540ac -- --PublicKey=MALICE_cf_c2pnb176v1_PUB -------BEGIN PUBLIC KEY----- --MEUwEwYHKoZIzj0CAQYIKoZIzj0DAAQDLgAE4ePri2opCoAUJIUQnaQlvDaxZd9bsdKnjWSvh+FL --zXV3l5j8K3pow+GJBE4= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb176v1 --PeerKey=MALICE_cf_c2pnb176v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb176v1 --PeerKey=MALICE_cf_c2pnb176v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb208w1 curve tests -- --PrivateKey=ALICE_cf_c2pnb208w1 -------BEGIN PRIVATE KEY----- --MDoCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAoEIDAeAgEBBBkAiENroXMYNbK/7DQQwCpbXk00gnVd --XF2k -------END PRIVATE KEY----- -- 
--PublicKey=ALICE_cf_c2pnb208w1_PUB -------BEGIN PUBLIC KEY----- --ME0wEwYHKoZIzj0CAQYIKoZIzj0DAAoDNgAEL+IHOL2IfeLRiE6Wqsc0Frqjq7t/JnBmhN1lMB9Y --Yj3+Btcne4CPWf8KvfGjAdMs6JKP4A== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb208w1:ALICE_cf_c2pnb208w1_PUB -- --PrivateKey=BOB_cf_c2pnb208w1 -------BEGIN PRIVATE KEY----- --MDoCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAoEIDAeAgEBBBkAY1GZLynO/IDWwOOjEWUE7k+I/MkP --cJot -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb208w1_PUB -------BEGIN PUBLIC KEY----- --ME0wEwYHKoZIzj0CAQYIKoZIzj0DAAoDNgAENBvdzCDOIvu9zo7reJq1ummhR+0jaDc+EoSlW984 --cl9FTi/JJznwC+RNgwVfJ1WKJun1YA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb208w1:BOB_cf_c2pnb208w1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb208w1 --PeerKey=BOB_cf_c2pnb208w1_PUB --SharedSecret=ba32bf80c0f7ab53cb083f267a902a1ad6396eb283237fad91cd -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb208w1 --PeerKey=ALICE_cf_c2pnb208w1_PUB --SharedSecret=ba32bf80c0f7ab53cb083f267a902a1ad6396eb283237fad91cd -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb208w1 --PeerKey=BOB_cf_c2pnb208w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=f09f5fc8bf20677558bc65939bf1b7fbbbe2579702729304258b -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb208w1 --PeerKey=ALICE_cf_c2pnb208w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=f09f5fc8bf20677558bc65939bf1b7fbbbe2579702729304258b -- --PublicKey=MALICE_cf_c2pnb208w1_PUB -------BEGIN PUBLIC KEY----- --ME0wEwYHKoZIzj0CAQYIKoZIzj0DAAoDNgAEfuWB9pBZQin+VnmqgYVpbUpKxSQsnXxNqiDtVwqJ --oPkHxRWnu5e7qI2idMcqaKDeeniUaA== -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb208w1 --PeerKey=MALICE_cf_c2pnb208w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with 
Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb208w1 --PeerKey=MALICE_cf_c2pnb208w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb272w1 curve tests -- --PrivateKey=ALICE_cf_c2pnb272w1 -------BEGIN PRIVATE KEY----- --MEICAQAwEwYHKoZIzj0CAQYIKoZIzj0DABAEKDAmAgEBBCEA0SoHwKAgKb7WQ+s0w1iNBemDZ3+f --StHU67fpP7YoF8U= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb272w1_PUB -------BEGIN PUBLIC KEY----- --MF0wEwYHKoZIzj0CAQYIKoZIzj0DABADRgAE0IH60bGi46FDzEprGZ8EBK5uMMcVke/txeBRNGHQ --DzG68r3EMLZkOfE1+g04MN7HgY7zt3jMYb8ImyLRmvqR2abjs6c= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb272w1:ALICE_cf_c2pnb272w1_PUB -- --PrivateKey=BOB_cf_c2pnb272w1 -------BEGIN PRIVATE KEY----- --MEICAQAwEwYHKoZIzj0CAQYIKoZIzj0DABAEKDAmAgEBBCEAFqB5GbPJ4d+X7ye7m05l/OirDqfn --MOsOJ6xObBph3zQ= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb272w1_PUB -------BEGIN PUBLIC KEY----- --MF0wEwYHKoZIzj0CAQYIKoZIzj0DABADRgAEIeIkcMHAuOgvHt2Wp52vVe0DYPNnUX79t/mLSx03 --cUlDmcxL7vIXdx9hB4OmQBYbm+YLDNfTFGAIlDfr2tELpVVPWPo= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb272w1:BOB_cf_c2pnb272w1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb272w1 --PeerKey=BOB_cf_c2pnb272w1_PUB --SharedSecret=cfebd65006520a40f081d8940edf0ebb8e54491ba1499d9f3c63deecee84ddc07142 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb272w1 --PeerKey=ALICE_cf_c2pnb272w1_PUB --SharedSecret=cfebd65006520a40f081d8940edf0ebb8e54491ba1499d9f3c63deecee84ddc07142 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb272w1 --PeerKey=BOB_cf_c2pnb272w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=756fc20b27352ac74e5135359c63d375d2732c6d02f25cd526155bac0882a9211dd4 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb272w1 --PeerKey=ALICE_cf_c2pnb272w1_PUB 
--Ctrl=ecdh_cofactor_mode:1 --SharedSecret=756fc20b27352ac74e5135359c63d375d2732c6d02f25cd526155bac0882a9211dd4 -- --PublicKey=MALICE_cf_c2pnb272w1_PUB -------BEGIN PUBLIC KEY----- --MF0wEwYHKoZIzj0CAQYIKoZIzj0DABADRgAEvID3AM7qzpKDnOLFY00+E7EKZz/vS/pXgsUA3bWN --oJF8ElXFXv59s/SykQBCTHPqzmUbVmrXmtD44Kt1wUBRJfuwxy4= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb272w1 --PeerKey=MALICE_cf_c2pnb272w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb272w1 --PeerKey=MALICE_cf_c2pnb272w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb304w1 curve tests -- --PrivateKey=ALICE_cf_c2pnb304w1 -------BEGIN PRIVATE KEY----- --MEYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DABEELDAqAgEBBCUAqJxh50ZIUXOJ1HE3cVkech9OTTPJ --8jy/v5cFcO0X6dykHgnZ -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb304w1_PUB -------BEGIN PUBLIC KEY----- --MGUwEwYHKoZIzj0CAQYIKoZIzj0DABEDTgAEvoaqRX6qiNQiFH1BhgLCPTpYszoRhmlLirkvlw/Q --iXBlfQ7U4g+iRR/kmu2RlwwOHgNNL+mWcvLkFfS8Kr4jzv1EY1Ecx96n21l0YQ== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2pnb304w1:ALICE_cf_c2pnb304w1_PUB -- --PrivateKey=BOB_cf_c2pnb304w1 -------BEGIN PRIVATE KEY----- --MEYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DABEELDAqAgEBBCUAOScHepX+IwqC8TjyAJI1bkR3cYYt --X9BbqYM9GQfVNSLHntTg -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb304w1_PUB -------BEGIN PUBLIC KEY----- --MGUwEwYHKoZIzj0CAQYIKoZIzj0DABEDTgAEYuAq/6Yw5HxMeMohlWmwl+ZK4ZQucfr1tWDKwhDb --kAOUO2P/Q/H+uelM3VVwxeu6A1kaX7K0UZpNa96NRBwI4aevc+vOxCgYkGt9BA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb304w1:BOB_cf_c2pnb304w1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb304w1 --PeerKey=BOB_cf_c2pnb304w1_PUB 
--SharedSecret=bfddf9f923210e8231a702e3a1c987cf27661de1bc243c1890e437d67d9f49c6ccfadc035d9d -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb304w1 --PeerKey=ALICE_cf_c2pnb304w1_PUB --SharedSecret=bfddf9f923210e8231a702e3a1c987cf27661de1bc243c1890e437d67d9f49c6ccfadc035d9d -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb304w1 --PeerKey=BOB_cf_c2pnb304w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0c7afb3143f93ef2166c05437a1757a62c916ff1751c6d456dd7f2356dcbc75df48015eb5ce8 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb304w1 --PeerKey=ALICE_cf_c2pnb304w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0c7afb3143f93ef2166c05437a1757a62c916ff1751c6d456dd7f2356dcbc75df48015eb5ce8 -- --PublicKey=MALICE_cf_c2pnb304w1_PUB -------BEGIN PUBLIC KEY----- --MGUwEwYHKoZIzj0CAQYIKoZIzj0DABEDTgAEBZ5FuthQt0mxTJ8NQWN2J37kYT8ySD893IXEmXYP --fMTr+CSNkf/sfF/13GEdVGnHmBgCH61sPWG69RgzdjRPprZFZxXjubIWYkp0DQ== -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb304w1 --PeerKey=MALICE_cf_c2pnb304w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb304w1 --PeerKey=MALICE_cf_c2pnb304w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2pnb368w1 curve tests -- --PrivateKey=ALICE_cf_c2pnb368w1 -------BEGIN PRIVATE KEY----- --ME4CAQAwEwYHKoZIzj0CAQYIKoZIzj0DABMENDAyAgEBBC0AXeSTXsHb2PEH12tZL8w2q6evA2mi --KfLLIa1c29BTmM//oWdKpqeuvwMIBto= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2pnb368w1_PUB -------BEGIN PUBLIC KEY----- --MHUwEwYHKoZIzj0CAQYIKoZIzj0DABMDXgAEmEBXcvMgnHwJW7wAKM4cqboco6zF01J9ntUwoACI --euvf3cpPXBvxUawJXfO9FwFRQabDRagGP99Walidd2JW8nWDWZgZMKj15Wh+4bp2dZHc2tPIIHHd --3makbwQ= -------END PUBLIC KEY----- -- --Availablein = default 
--PrivPubKeyPair=ALICE_cf_c2pnb368w1:ALICE_cf_c2pnb368w1_PUB -- --PrivateKey=BOB_cf_c2pnb368w1 -------BEGIN PRIVATE KEY----- --ME4CAQAwEwYHKoZIzj0CAQYIKoZIzj0DABMENDAyAgEBBC0Aq1R9M/mCMbJMj6VBUpBkS4HXywEz --Qun6d6uXgyU4LZRszA7Dz9+eKbXEMsk= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2pnb368w1_PUB -------BEGIN PUBLIC KEY----- --MHUwEwYHKoZIzj0CAQYIKoZIzj0DABMDXgAEJOSnsaXA9wb5p8CGLPvYI47Yf3IdZSbWQ3Sn6G2v --At+zYlpzGax1oJ1CW8fGA0Gu0RnvAfDeW9vgrtzshH1Vy/Ni6a7LPho99PtUP2nzUBnv+hfhFSra --gqfRaOs= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2pnb368w1:BOB_cf_c2pnb368w1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb368w1 --PeerKey=BOB_cf_c2pnb368w1_PUB --SharedSecret=008d20ede3961be3b01051d6fdae63db43865664804d432293a2edb13dcc8be0fe5b0c655297a84b9067a29c2a6f -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb368w1 --PeerKey=ALICE_cf_c2pnb368w1_PUB --SharedSecret=008d20ede3961be3b01051d6fdae63db43865664804d432293a2edb13dcc8be0fe5b0c655297a84b9067a29c2a6f -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2pnb368w1 --PeerKey=BOB_cf_c2pnb368w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=df32ddeeffa029aeadabad000a79c3154a0ddd0aeacf4e3de426f5c10096eff8912038c64d4c899131dcd4df2561 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2pnb368w1 --PeerKey=ALICE_cf_c2pnb368w1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=df32ddeeffa029aeadabad000a79c3154a0ddd0aeacf4e3de426f5c10096eff8912038c64d4c899131dcd4df2561 -- --PublicKey=MALICE_cf_c2pnb368w1_PUB -------BEGIN PUBLIC KEY----- --MHUwEwYHKoZIzj0CAQYIKoZIzj0DABMDXgAEWDn/U9rymClM/a0Q1mawHjQjvpxSehRWstSE+2Sd --ubcZowJ+rw5LsEZteQyeVrCpKYUiIBmIVuFb2LDjtNLIJD1lr8C+vdco24ciLS9RzF/Dc9X+tcIj --726e1BE= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2pnb368w1 --PeerKey=MALICE_cf_c2pnb368w1_PUB --Ctrl=ecdh_cofactor_mode:1 
--Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2pnb368w1 --PeerKey=MALICE_cf_c2pnb368w1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb191v1 curve tests -- --PrivateKey=ALICE_cf_c2tnb191v1 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAUEHzAdAgEBBBgXyG7A4BvSmjKEl3aU+FQUt02p9U7x --Jk4= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb191v1_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAUDMgAEG9iuZmnhz2H/YQKmVUaO//fm7hvV+CP5c2iszpR3 --7lRimqLWHPyvKgcP+PRCIUom -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb191v1:ALICE_cf_c2tnb191v1_PUB -- --PrivateKey=BOB_cf_c2tnb191v1 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAUEHzAdAgEBBBg4+2hv9x9HxFy0c2c1XESDdgOamHu0 --MTU= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb191v1_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAUDMgAEdO/4ii8gi8eQfBrv3XmsOETwIfT8OIpBW/kUoHD+ --adqalcB6SIWOfoJReDLcpxAD -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb191v1:BOB_cf_c2tnb191v1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb191v1 --PeerKey=BOB_cf_c2tnb191v1_PUB --SharedSecret=2ee8a85151c397600984285307c14f0ea0e4c2071d753a99 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb191v1 --PeerKey=ALICE_cf_c2tnb191v1_PUB --SharedSecret=2ee8a85151c397600984285307c14f0ea0e4c2071d753a99 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb191v1 --PeerKey=BOB_cf_c2tnb191v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=334051dfd62237e69e280ce2fab979bd77260f8dfe4df989 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb191v1 --PeerKey=ALICE_cf_c2tnb191v1_PUB --Ctrl=ecdh_cofactor_mode:1 
--SharedSecret=334051dfd62237e69e280ce2fab979bd77260f8dfe4df989 -- --PublicKey=MALICE_cf_c2tnb191v1_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAUDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAcPEwZ1wj --iNoFyzyANZl8IDB0fF1RmZD6 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb191v1 --PeerKey=MALICE_cf_c2tnb191v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb191v1 --PeerKey=MALICE_cf_c2tnb191v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb191v2 curve tests -- --PrivateKey=ALICE_cf_c2tnb191v2 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAYEHzAdAgEBBBgQZHIQIPrAsbJqq4ZX3JdMrZAkaIGP --jbo= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb191v2_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAYDMgAEAyQdwZYRIiv7O4/WRLDKJ249TM8dr2Y+Oz8rSxCI --UVvJT/Jv9m462J6Iz1XOohhP -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb191v2:ALICE_cf_c2tnb191v2_PUB -- --PrivateKey=BOB_cf_c2tnb191v2 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAYEHzAdAgEBBBgThhW6d5QDaqM8yhm16q6Pu/VFBpf7 --wcs= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb191v2_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAYDMgAEBVkB4O6fFvGzMHv4BF51muFA0npOGKoOdKbIIMQY --JBIoz1RNNXTcgdpguLcrvcPJ -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb191v2:BOB_cf_c2tnb191v2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb191v2 --PeerKey=BOB_cf_c2tnb191v2_PUB --SharedSecret=711f90cb2aaea65e939065cbd1896affe1d490ba14571400 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb191v2 --PeerKey=ALICE_cf_c2tnb191v2_PUB --SharedSecret=711f90cb2aaea65e939065cbd1896affe1d490ba14571400 -- 
--# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb191v2 --PeerKey=BOB_cf_c2tnb191v2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=1740db5b771fa2889d3ec7c1ba8eeffa7741f0ee62433dce -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb191v2 --PeerKey=ALICE_cf_c2tnb191v2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=1740db5b771fa2889d3ec7c1ba8eeffa7741f0ee62433dce -- --PublicKey=MALICE_cf_c2tnb191v2_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAYDMgAEA3yPV6Ilx7PU7dWIDzgKzFV07LNsn1EhMyLQaa5U --2vqunpWef+/CaO2pFBcwwW+x -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb191v2 --PeerKey=MALICE_cf_c2tnb191v2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb191v2 --PeerKey=MALICE_cf_c2tnb191v2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb191v3 curve tests -- --PrivateKey=ALICE_cf_c2tnb191v3 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAcEHzAdAgEBBBgTPjf06B01Jq59qU1iczNuA29WfW+b --erU= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb191v3_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAcDMgAEL4NGEUX2CXY18MyoH1inKq5kde9RGr25ODm/0BEX --HWsGvDE2HC+6pL2BMl3MRCty -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb191v3:ALICE_cf_c2tnb191v3_PUB -- --PrivateKey=BOB_cf_c2tnb191v3 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAcEHzAdAgEBBBgUC2bC465JTXYLUaaET/r5n7X85gRH --iSQ= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb191v3_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAcDMgAEPKekNkT9mQ8KRCTR2RwCFkhNvsjL+/mLHYzbMrYe --QFIb5QwXAdbg2tEOl7yj9qkk -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb191v3:BOB_cf_c2tnb191v3_PUB -- --# 
ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb191v3 --PeerKey=BOB_cf_c2tnb191v3_PUB --SharedSecret=196200f7ea06c43c35516b995cf4a4dd4151dbd0ed998561 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb191v3 --PeerKey=ALICE_cf_c2tnb191v3_PUB --SharedSecret=196200f7ea06c43c35516b995cf4a4dd4151dbd0ed998561 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb191v3 --PeerKey=BOB_cf_c2tnb191v3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=311939377670a8a1ed1ee17f9dd182167da00c5a19e2e109 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb191v3 --PeerKey=ALICE_cf_c2tnb191v3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=311939377670a8a1ed1ee17f9dd182167da00c5a19e2e109 -- --PublicKey=MALICE_cf_c2tnb191v3_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAAcDMgAESvPjWlLnANK2j38hHZ0uqueaniovkhwwdJZjrmUk --n5vQBTxUzkIkMjL33v6Lr3z7 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb191v3 --PeerKey=MALICE_cf_c2tnb191v3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb191v3 --PeerKey=MALICE_cf_c2tnb191v3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb239v1 curve tests -- --PrivateKey=ALICE_cf_c2tnb239v1 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAsEJTAjAgEBBB4fMJDhCEiuEf/RF6oGjHVcNwN+wCYG --rJMnJLIXiCI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb239v1_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAsDPgAEUgG/uMWy4k0R/kbVJEapF6r5ik4Q9WPsDXAd0856 --dVL8PvBXgixk2tKfyY1xUVebcEVlgdZP1pN1Xyvi -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb239v1:ALICE_cf_c2tnb239v1_PUB -- --PrivateKey=BOB_cf_c2tnb239v1 -------BEGIN PRIVATE KEY----- 
--MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAsEJTAjAgEBBB4JLDwVJQw3+00FiZBDWFErd7PXnchH --sfpZeV3i5FM= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb239v1_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAsDPgAEcwKt31cWaoFUd7QxYSdwgMDOqEhjPbD3Z9AfR3tc --G77/MY5z1oQegqImBog645vtPWI8lZd1zcl6QYRS -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb239v1:BOB_cf_c2tnb239v1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb239v1 --PeerKey=BOB_cf_c2tnb239v1_PUB --SharedSecret=413ea943cdf40c45795c77aeea7099b81cc42566067924d1fdbae42ddf99 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb239v1 --PeerKey=ALICE_cf_c2tnb239v1_PUB --SharedSecret=413ea943cdf40c45795c77aeea7099b81cc42566067924d1fdbae42ddf99 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb239v1 --PeerKey=BOB_cf_c2tnb239v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=1f1e5a6084492e895c35d76a5d2b4a3fafbd96c4b2230ea71cc1c711fa38 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb239v1 --PeerKey=ALICE_cf_c2tnb239v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=1f1e5a6084492e895c35d76a5d2b4a3fafbd96c4b2230ea71cc1c711fa38 -- --PublicKey=MALICE_cf_c2tnb239v1_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAsDPgAEJFn89FF7xaa5m+XGxWKFwCH+Mu4rbxwi6lvhuEuT --Itl/OAosALFh8xpt+N5gmKtUdhpjyok2udC4B/mY -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb239v1 --PeerKey=MALICE_cf_c2tnb239v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb239v1 --PeerKey=MALICE_cf_c2tnb239v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb239v2 curve tests -- --PrivateKey=ALICE_cf_c2tnb239v2 -------BEGIN PRIVATE KEY----- 
--MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAwEJTAjAgEBBB4KU4YKdzFOkl6M1biHkxtVGD2uNXr6 --GbEcp4PbJKU= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb239v2_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAwDPgAEKzpycflUrsyqVV/+fzvC2+AuX3r0b0Syn8acvn78 --VnKA9mZKwPLWhnMJcLyzarIzc/6/UcfYGNmTyUlG -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb239v2:ALICE_cf_c2tnb239v2_PUB -- --PrivateKey=BOB_cf_c2tnb239v2 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAAwEJTAjAgEBBB4HZQLKGKBpIKiyTq6XYZWQNph1oGP+ --JLwCwn7lYx0= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb239v2_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAwDPgAETPSkhMs3JW3BG66FSfCov76JKdcRiBhMCW453Wku --N7yBxBmWjeclHhnXIzfc4qM4qf9n3KzMSXejPVYg -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb239v2:BOB_cf_c2tnb239v2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb239v2 --PeerKey=BOB_cf_c2tnb239v2_PUB --SharedSecret=2e738f14795b2e19ee791c1bf30c5e462ca6c6ed0ec5c6c6402d0730cf4c -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb239v2 --PeerKey=ALICE_cf_c2tnb239v2_PUB --SharedSecret=2e738f14795b2e19ee791c1bf30c5e462ca6c6ed0ec5c6c6402d0730cf4c -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb239v2 --PeerKey=BOB_cf_c2tnb239v2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=7662d8b94d3f0d20eb8e112ca8b7d5699d81f35902df5b77561977df3946 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb239v2 --PeerKey=ALICE_cf_c2tnb239v2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=7662d8b94d3f0d20eb8e112ca8b7d5699d81f35902df5b77561977df3946 -- --PublicKey=MALICE_cf_c2tnb239v2_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAAwDPgAES8fLc5mtVI0HqgKRJ7mN8MU1B0FBkiim6jCHYJf3 --JYUX3Gn3Ai11cHie+nVb3z51jSkpDQENHESTv5K2 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer 
--Availablein = default --Derive=BOB_cf_c2tnb239v2 --PeerKey=MALICE_cf_c2tnb239v2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb239v2 --PeerKey=MALICE_cf_c2tnb239v2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb239v3 curve tests -- --PrivateKey=ALICE_cf_c2tnb239v3 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAA0EJTAjAgEBBB4BZZXtcMw5GrpgHJLx4D8z7M6ocWdv --rDl2fV9ObC8= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb239v3_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAA0DPgAEOu2HIAUX+r6IbRlrPUJUBDL814dR++maVAAkUIjD --H33ewqcI9ZLtpvuR8P8hgRNUTXlh1GWgrB6F21Eo -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb239v3:ALICE_cf_c2tnb239v3_PUB -- --PrivateKey=BOB_cf_c2tnb239v3 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAA0EJTAjAgEBBB4BDxw3SA54y6uYOW1n4yZaUK22J9ef --XG3HcQX+4i0= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb239v3_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAA0DPgAEVaEi76wyzlpzkkSElf4SmGZ7kf1ghHMP82HkGk7K --BC10zUyppoSOAr0eX4pHAkDUF1m/KGoJa7QcJJww -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb239v3:BOB_cf_c2tnb239v3_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb239v3 --PeerKey=BOB_cf_c2tnb239v3_PUB --SharedSecret=6a756022ec2ea89b0fa757824909707102acf3b7da39dc625c6252eb4c48 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb239v3 --PeerKey=ALICE_cf_c2tnb239v3_PUB --SharedSecret=6a756022ec2ea89b0fa757824909707102acf3b7da39dc625c6252eb4c48 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb239v3 --PeerKey=BOB_cf_c2tnb239v3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=3240e19dd8c290e5e1749df60ad0166dd9dbfad645e518b4948e14f774ce -- --# ECC 
CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb239v3 --PeerKey=ALICE_cf_c2tnb239v3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=3240e19dd8c290e5e1749df60ad0166dd9dbfad645e518b4948e14f774ce -- --PublicKey=MALICE_cf_c2tnb239v3_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAA0DPgAELe/znC87/2ucKX7mXUUyiUvg67slWRdH+WHDct9d --LcXDyB342ZN1nm0NCAmBMcLjohX0Zza0ji3YNjT1 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb239v3 --PeerKey=MALICE_cf_c2tnb239v3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb239v3 --PeerKey=MALICE_cf_c2tnb239v3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb359v1 curve tests -- --PrivateKey=ALICE_cf_c2tnb359v1 -------BEGIN PRIVATE KEY----- --ME4CAQAwEwYHKoZIzj0CAQYIKoZIzj0DABIENDAyAgEBBC0Afea/a1NrRf6rRRr/UDsI559ADTFP --Bd5HaS33laTZkCdNLITw1UUrESUIOiU= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb359v1_PUB -------BEGIN PUBLIC KEY----- --MHMwEwYHKoZIzj0CAQYIKoZIzj0DABIDXAAEZMJU3QF9UJJp2m6qyCnhPuVlPKPHtav3DCgH27SY --RLMN7C4rRmqiJakD11QtOforOgbPW5r/v7t4TUWIlq8jV7kapJNtxQtg/S87L0NQGgHBq/lnJL8x --fN3Y -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb359v1:ALICE_cf_c2tnb359v1_PUB -- --PrivateKey=BOB_cf_c2tnb359v1 -------BEGIN PRIVATE KEY----- --ME4CAQAwEwYHKoZIzj0CAQYIKoZIzj0DABIENDAyAgEBBC0Aaw+yr7Atz8CXjLsbI5msXLqxFoMr --esHVfU53i6ucCsnPTWSDWSb5CePtI9g= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb359v1_PUB -------BEGIN PUBLIC KEY----- --MHMwEwYHKoZIzj0CAQYIKoZIzj0DABIDXAAEUQde0iyDHbsFJZ459d4zUhsrJYAkqndmEBRwSlg5 --ZNX8SSS79Zf2HsQl+LWIZyzeYzoHobKXufChw9/H4ThS58VwV5/0hoE929PIgJ1MSEqr5LvJXi+b --R8fe -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb359v1:BOB_cf_c2tnb359v1_PUB -- --# ECDH Alice with Bob 
peer --Availablein = default --Derive=ALICE_cf_c2tnb359v1 --PeerKey=BOB_cf_c2tnb359v1_PUB --SharedSecret=623a71122b5acad467d40d97ef8d8fd46541d8c41d7de6ba181c24e2714c1bc35bcefcf089af69c406eedecc12 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb359v1 --PeerKey=ALICE_cf_c2tnb359v1_PUB --SharedSecret=623a71122b5acad467d40d97ef8d8fd46541d8c41d7de6ba181c24e2714c1bc35bcefcf089af69c406eedecc12 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb359v1 --PeerKey=BOB_cf_c2tnb359v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=1c9c4cea3251dace2cb763eabf60f106cc1b03f2491e6f20d7bea78e062f8f14c4e82e4d43786eefa44d33f7e9 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb359v1 --PeerKey=ALICE_cf_c2tnb359v1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=1c9c4cea3251dace2cb763eabf60f106cc1b03f2491e6f20d7bea78e062f8f14c4e82e4d43786eefa44d33f7e9 -- --PublicKey=MALICE_cf_c2tnb359v1_PUB -------BEGIN PUBLIC KEY----- --MHMwEwYHKoZIzj0CAQYIKoZIzj0DABIDXAAEDW1DxeJfyPPnxX4WiLM5ZnX9AypqqeKj7FTHxanl --++A6FgVFjUCatt8Sr4xnSc3zDE0kh6f/wS9SbtCAi74i8HAX5SJiccCMPRkw6kBuHZgiG8EmFJ53 --OEQw -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb359v1 --PeerKey=MALICE_cf_c2tnb359v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb359v1 --PeerKey=MALICE_cf_c2tnb359v1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=c2tnb431r1 curve tests -- --PrivateKey=ALICE_cf_c2tnb431r1 -------BEGIN PRIVATE KEY----- --MFYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DABQEPDA6AgEBBDUAG1rgUnH3+PSxqlzt9+QTWv7PrYxz --Qgqj5A2Mqi0LbdixVDciVSSgrU6keVu72oCmHVP+OQ== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_c2tnb431r1_PUB -------BEGIN PUBLIC KEY----- --MIGFMBMGByqGSM49AgEGCCqGSM49AwAUA24ABFcQEDic9pYxtxStk/oBxafqyUux1kvEOOwR4FxJ 
--pGEMTh8B+YfkWuq+IDY5zSqNKtg7cRlAFX2dlHhRSvNxrN3DJCrhe/TQq8SIYawcqEQnM39F8hHM --7VQJLEsBpJ/WUonwMJXknjgfONP7GA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_c2tnb431r1:ALICE_cf_c2tnb431r1_PUB -- --PrivateKey=BOB_cf_c2tnb431r1 -------BEGIN PRIVATE KEY----- --MFYCAQAwEwYHKoZIzj0CAQYIKoZIzj0DABQEPDA6AgEBBDUBOsZrpI6hTgImR8DBhKOOrh2SvcT/ --VwmzYnbuCRrtr/zwIQcqKKI1ztlrl+kxFxJfk5L7UQ== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_c2tnb431r1_PUB -------BEGIN PUBLIC KEY----- --MIGFMBMGByqGSM49AgEGCCqGSM49AwAUA24ABHeTG6xjbsKKxn4oYQt9qUM9LrSPZfY11XsBmROc --fb9kEbBLU+QixSbYZOrqPasesDV9dApDXF+w6EfIeNyJEK5Lk+aXamrn7fRMUAQ2m7+Odp87GgA+ --8Cg6YpgbK314SK5STziqoZwzEISJ9w== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_c2tnb431r1:BOB_cf_c2tnb431r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb431r1 --PeerKey=BOB_cf_c2tnb431r1_PUB --SharedSecret=1c9a64de0b706f0e562d5144ceeb4806ce8782865dc0e3fab694967955bd40afc79bf9241ef4a173fbf9baeac0d416392fb13bdc6978 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb431r1 --PeerKey=ALICE_cf_c2tnb431r1_PUB --SharedSecret=1c9a64de0b706f0e562d5144ceeb4806ce8782865dc0e3fab694967955bd40afc79bf9241ef4a173fbf9baeac0d416392fb13bdc6978 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_c2tnb431r1 --PeerKey=BOB_cf_c2tnb431r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=059e2ea2d0d8bad5005a9401196ebb1633377c7ded8ec58a0398cf1d0f42ea82614f68cb836ecfc33612b8a705b4c3b7b4ed12eb6e22 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_c2tnb431r1 --PeerKey=ALICE_cf_c2tnb431r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=059e2ea2d0d8bad5005a9401196ebb1633377c7ded8ec58a0398cf1d0f42ea82614f68cb836ecfc33612b8a705b4c3b7b4ed12eb6e22 -- --PublicKey=MALICE_cf_c2tnb431r1_PUB -------BEGIN PUBLIC KEY----- --MIGFMBMGByqGSM49AgEGCCqGSM49AwAUA24ABA/cHJ1bNJ2l3GcrT67WEoU0w/Ajy28T9X4XLv8a 
--5EpnkembeFlRG8ILplDcZimE8kjNQWynAk+NbJRsIU/XLzcm7VXkkqEkx/yCQ/TOcbeB3qrpzWYr --F3Cls9x60wuFYNc9d6eIe4B+puz9IQ== -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_c2tnb431r1 --PeerKey=MALICE_cf_c2tnb431r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_c2tnb431r1 --PeerKey=MALICE_cf_c2tnb431r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=prime192v2 curve tests -- --PrivateKey=ALICE_cf_prime192v2 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBh6rcgPFDmA2P4CGSrC7ii9DAjepljX --sMM= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_prime192v2_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAET6wOPoDU3BeU7VKozsGEvDeJs//9Z/aNEcbbLQ0d --g5IzsS/XMJzifjCJZgNsb7mi -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_prime192v2:ALICE_cf_prime192v2_PUB -- --PrivateKey=BOB_cf_prime192v2 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBja4R9iZuiu95XEuM1558ArTwNnAl7M --xqI= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_prime192v2_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEcgWNAOL4pZCmouZl+be+rC0yLAJkm2YuPWs+FX2u --Y6OU1aHkkspZTC1uUVWjchy5 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_prime192v2:BOB_cf_prime192v2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_prime192v2 --PeerKey=BOB_cf_prime192v2_PUB --SharedSecret=ae2ff9f1f9f24e6d281dc78993d9f71913e1e105965000a1 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_prime192v2 --PeerKey=ALICE_cf_prime192v2_PUB --SharedSecret=ae2ff9f1f9f24e6d281dc78993d9f71913e1e105965000a1 -- --Title=prime192v3 curve tests -- --PrivateKey=ALICE_cf_prime192v3 -------BEGIN PRIVATE KEY----- 
--MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQMEHzAdAgEBBBij5blPQRKM1/9c57YDZXIIue80MDqx --Igw= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_prime192v3_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQMDMgAE1+mLeiT/jjHO71IL/C/ZcnF6+yj9FV6eqfuPdHAi --MsDRFCB6/h8TcCUFuospu5l0 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_prime192v3:ALICE_cf_prime192v3_PUB -- --PrivateKey=BOB_cf_prime192v3 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQMEHzAdAgEBBBhgFP4fFLtm/yk5tsosBUBKTg370FOu --92g= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_prime192v3_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQMDMgAEv35bOz0xqLeJqpZdZ8LyiUgsJMBEtN2UMJm8blX2 --vMWAgEeLhzar86BUlS7dZwS7 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_prime192v3:BOB_cf_prime192v3_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_prime192v3 --PeerKey=BOB_cf_prime192v3_PUB --SharedSecret=9e562ecbe29c510a13b0daea822ec864c2a9684d2a382812 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_prime192v3 --PeerKey=ALICE_cf_prime192v3_PUB --SharedSecret=9e562ecbe29c510a13b0daea822ec864c2a9684d2a382812 -- --Title=prime239v1 curve tests -- --PrivateKey=ALICE_cf_prime239v1 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQQEJTAjAgEBBB5nH2mt/GUx+I/60NlcuQlrdupDXwMY --SF/w+SUTNqY= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_prime239v1_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQQDPgAEMqQLCgDR9njkq9QELuOu+J/9YGcxJHULdvxHImLW --RXqBUM5Xea+Qk2SKIpWcogxr2zFeQyeLj2bQysuo -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_prime239v1:ALICE_cf_prime239v1_PUB -- --PrivateKey=BOB_cf_prime239v1 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQQEJTAjAgEBBB5RZgYV+j+zhwI12zCzB+mdPofMx0kB --jZ9gplgXxzk= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_prime239v1_PUB -------BEGIN PUBLIC 
KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQQDPgAEBR5m/kllh025oO4GvqALkjRliVv7q4x8ro/tkYnT --L2U4hkT6xUeRu9QC4KOz7KUVH+nBbQASL4XQg/3C -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_prime239v1:BOB_cf_prime239v1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_prime239v1 --PeerKey=BOB_cf_prime239v1_PUB --SharedSecret=196b1d0206d4f87c313c266bfb12c90dd1f1f64b89bfc16518086b9801b8 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_prime239v1 --PeerKey=ALICE_cf_prime239v1_PUB --SharedSecret=196b1d0206d4f87c313c266bfb12c90dd1f1f64b89bfc16518086b9801b8 -- --Title=prime239v2 curve tests -- --PrivateKey=ALICE_cf_prime239v2 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQUEJTAjAgEBBB5uLCwofbD2Suc/iIRhXJsPqZ4me87h --+tFevsg1pPE= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_prime239v2_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAETH77jXHBItV673gTNK/HTFldo4VxPiscbideUgKd --CWjdVsXebgAZbqQwf0h9QWcIgM7K7ODdW5kCuZ1G -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_prime239v2:ALICE_cf_prime239v2_PUB -- --PrivateKey=BOB_cf_prime239v2 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQUEJTAjAgEBBB5nlF+ouuw3Ljkgy3pHkCN+/JoHAMyT --KY0wlvJdo/w= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_prime239v2_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAELUQYo0UH8HbK/RMD2jVphBU+iB4OTOfvaaTlHq06 --dcJ8a9a+mAQKhb1OZVEq1n4nQsgRiI1rPxugVERM -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_prime239v2:BOB_cf_prime239v2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_prime239v2 --PeerKey=BOB_cf_prime239v2_PUB --SharedSecret=1d18ca6366bceba3c1477daa0e08202088abcf14fc2b8fbf98ba95858fcf -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_prime239v2 --PeerKey=ALICE_cf_prime239v2_PUB 
--SharedSecret=1d18ca6366bceba3c1477daa0e08202088abcf14fc2b8fbf98ba95858fcf -- --Title=prime239v3 curve tests -- --PrivateKey=ALICE_cf_prime239v3 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQYEJTAjAgEBBB5J95JRhBDTzlyAPAfu6T2Pb9vK0NKu --Y9AfhA2G+mI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_prime239v3_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQYDPgAEZEN48pqgLF08Yjj/8BLM2Nr5ZhpYxyBurbzKRuBb --GLpzZLteJN9vZjN7ouNpMxLVUFQxTOwpsvUw86Lk -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_prime239v3:ALICE_cf_prime239v3_PUB -- --PrivateKey=BOB_cf_prime239v3 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQYEJTAjAgEBBB5Z7rMZML1xeryBaYYr+QuMiQxHT44I --d9bmIVvG3dM= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_prime239v3_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQYDPgAEQUWKqohAPAoIYEZOvc1QwSlcB+gW0febaNxGOy47 --LaIWdsNM7GJVP9xpdSwm/L+Dip/oH4E59f3SiOAd -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_prime239v3:BOB_cf_prime239v3_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_prime239v3 --PeerKey=BOB_cf_prime239v3_PUB --SharedSecret=4dcc2c67c5993162ed71ebb33077bbb85395b0d3eec2311aa404e45901a0 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_prime239v3 --PeerKey=ALICE_cf_prime239v3_PUB --SharedSecret=4dcc2c67c5993162ed71ebb33077bbb85395b0d3eec2311aa404e45901a0 -- --Title=secp112r1 curve tests -- --PrivateKey=ALICE_cf_secp112r1 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAYEFTATAgEBBA6zC5ZzEIIdvY4Q7DS0uw== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp112r1_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFK4EEAAYDHgAEYIawfjH3qRrJJWwuG3Ys5ZhDJsmdWi34aHgKAA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp112r1:ALICE_cf_secp112r1_PUB -- --PrivateKey=BOB_cf_secp112r1 -------BEGIN PRIVATE KEY----- 
--MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAYEFTATAgEBBA6WPx4YxBODium8BKDw0A== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp112r1_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFK4EEAAYDHgAEchh3iQdPN1rrzrpdZRQ95G6tvdwEBQ+gfu1tvA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp112r1:BOB_cf_secp112r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp112r1 --PeerKey=BOB_cf_secp112r1_PUB --SharedSecret=4ddd1d504b444d4be67ba2e4610a -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp112r1 --PeerKey=ALICE_cf_secp112r1_PUB --SharedSecret=4ddd1d504b444d4be67ba2e4610a -- --Title=secp112r2 curve tests -- --PrivateKey=ALICE_cf_secp112r2 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAcEFTATAgEBBA4GcvIx97ePHdAiH0Z9EA== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp112r2_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFK4EEAAcDHgAEHK9uNAILHBmPZdKKh79/nzYE0HbvC//rA7i0Xw== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp112r2:ALICE_cf_secp112r2_PUB -- --PrivateKey=BOB_cf_secp112r2 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAcEFTATAgEBBA4WzpVFZnZv9mvtpnYNyw== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp112r2_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFK4EEAAcDHgAEUzBLNQupqUpGgmZl9JVjKBpwusl52rFg5OVFJA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp112r2:BOB_cf_secp112r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp112r2 --PeerKey=BOB_cf_secp112r2_PUB --SharedSecret=a6d05c7ba5128a9685c705b5030b -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp112r2 --PeerKey=ALICE_cf_secp112r2_PUB --SharedSecret=a6d05c7ba5128a9685c705b5030b -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp112r2 --PeerKey=BOB_cf_secp112r2_PUB --Ctrl=ecdh_cofactor_mode:1 
--SharedSecret=04f3280e92c269d794aa779efcef -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp112r2 --PeerKey=ALICE_cf_secp112r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=04f3280e92c269d794aa779efcef -- --PublicKey=MALICE_cf_secp112r2_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFK4EEAAcDHgAEsf2N4SfUZWtXPrUTmEyr71I/JSn8VtzQsFHuqQ== -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_secp112r2 --PeerKey=MALICE_cf_secp112r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_secp112r2 --PeerKey=MALICE_cf_secp112r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=secp128r1 curve tests -- --PrivateKey=ALICE_cf_secp128r1 -------BEGIN PRIVATE KEY----- --MC4CAQAwEAYHKoZIzj0CAQYFK4EEABwEFzAVAgEBBBB+RX18d0+gKpdcKbJJTrEZ -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp128r1_PUB -------BEGIN PUBLIC KEY----- --MDYwEAYHKoZIzj0CAQYFK4EEABwDIgAEG0XMAdrAZOPUW6L9ADU8XK8sZr7dtIcDinSWU1zSV9s= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp128r1:ALICE_cf_secp128r1_PUB -- --PrivateKey=BOB_cf_secp128r1 -------BEGIN PRIVATE KEY----- --MC4CAQAwEAYHKoZIzj0CAQYFK4EEABwEFzAVAgEBBBB/J9/eClt9mimGwOcOsjJF -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp128r1_PUB -------BEGIN PUBLIC KEY----- --MDYwEAYHKoZIzj0CAQYFK4EEABwDIgAE82nknsOS+u8mybP0KJqQhvm83gbPNTZOcvm0ZDVR5sU= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp128r1:BOB_cf_secp128r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp128r1 --PeerKey=BOB_cf_secp128r1_PUB --SharedSecret=5020f1b759da1f737a61a29a268d7669 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp128r1 --PeerKey=ALICE_cf_secp128r1_PUB --SharedSecret=5020f1b759da1f737a61a29a268d7669 -- 
--Title=secp128r2 curve tests -- --PrivateKey=ALICE_cf_secp128r2 -------BEGIN PRIVATE KEY----- --MC4CAQAwEAYHKoZIzj0CAQYFK4EEAB0EFzAVAgEBBBALPaUYCnPgNiLhez93Z1Gi -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp128r2_PUB -------BEGIN PUBLIC KEY----- --MDYwEAYHKoZIzj0CAQYFK4EEAB0DIgAEOKiPRGtZXwxmvTr35NmUkNsAGGk9RKNA4D5BE9ZrjZQ= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp128r2:ALICE_cf_secp128r2_PUB -- --PrivateKey=BOB_cf_secp128r2 -------BEGIN PRIVATE KEY----- --MC4CAQAwEAYHKoZIzj0CAQYFK4EEAB0EFzAVAgEBBBARg3vb436QgyHdyt6l/b6G -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp128r2_PUB -------BEGIN PUBLIC KEY----- --MDYwEAYHKoZIzj0CAQYFK4EEAB0DIgAELph7h27BYjIINC2EddcpIOxKbdz8Xe7h3Az1ZuR9bAI= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp128r2:BOB_cf_secp128r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp128r2 --PeerKey=BOB_cf_secp128r2_PUB --SharedSecret=8f4d8c75141e9b084328222440eb5dfa -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp128r2 --PeerKey=ALICE_cf_secp128r2_PUB --SharedSecret=8f4d8c75141e9b084328222440eb5dfa -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp128r2 --PeerKey=BOB_cf_secp128r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=baaa0c16e16eef291001475d638e4830 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp128r2 --PeerKey=ALICE_cf_secp128r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=baaa0c16e16eef291001475d638e4830 -- --PublicKey=MALICE_cf_secp128r2_PUB -------BEGIN PUBLIC KEY----- --MDYwEAYHKoZIzj0CAQYFK4EEAB0DIgAE6h6RzJIp6HLR6RDOPtyzGDurkuE9aAaZqHosPTnkLxQ= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_secp128r2 --PeerKey=MALICE_cf_secp128r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = 
default --Derive=ALICE_cf_secp128r2 --PeerKey=MALICE_cf_secp128r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=secp160k1 curve tests -- --PrivateKey=ALICE_cf_secp160k1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAkEHDAaAgEBBBUAlxTBO50KwFwWKPtk1rutu68m+zI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp160k1_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAAkDKgAEcVWIjtPZn1cHckclpn5jKDCphQUVHxFN5tSeFG9wsJZT --EvqPyLS64w== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp160k1:ALICE_cf_secp160k1_PUB -- --PrivateKey=BOB_cf_secp160k1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAkEHDAaAgEBBBUAdrPkoNkRVUloiuwzruQszSUuwpY= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp160k1_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAAkDKgAESGN41cAj8Fg4pAJM7FUKHiawbCR0b9unMpZWxqOKeW1/ --bxT/CqEkyw== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp160k1:BOB_cf_secp160k1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp160k1 --PeerKey=BOB_cf_secp160k1_PUB --SharedSecret=b738a0bf17f3271a9a155bfdfe2f0f1d51494d42 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp160k1 --PeerKey=ALICE_cf_secp160k1_PUB --SharedSecret=b738a0bf17f3271a9a155bfdfe2f0f1d51494d42 -- --Title=secp160r1 curve tests -- --PrivateKey=ALICE_cf_secp160r1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAgEHDAaAgEBBBUAR6m1+jIBuJnSKx9fHmyAYhsnYe8= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp160r1_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAAgDKgAEO78GZuBaCfJjHK97c9N21z+4mm37b5x7/Hr3Xc4pUbtb --OoNj/A+W9w== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp160r1:ALICE_cf_secp160r1_PUB -- --PrivateKey=BOB_cf_secp160r1 -------BEGIN PRIVATE KEY----- 
--MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAgEHDAaAgEBBBUATqvd54Jj7TbnrLAd2dMYCpExLws= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp160r1_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAAgDKgAEBKDbBSPTwmb00MFvMtJMxQ2YDmcPOZHE8YbVr5hp8s5J --Jwy17FaNNg== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp160r1:BOB_cf_secp160r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp160r1 --PeerKey=BOB_cf_secp160r1_PUB --SharedSecret=1912ea7b9bb1de5b8d3cef83e7a6e7a917816541 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp160r1 --PeerKey=ALICE_cf_secp160r1_PUB --SharedSecret=1912ea7b9bb1de5b8d3cef83e7a6e7a917816541 -- --Title=secp160r2 curve tests -- --PrivateKey=ALICE_cf_secp160r2 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAB4EHDAaAgEBBBUA3IsVg4R4paXaPATDHvzfnvM+vjQ= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp160r2_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAB4DKgAE4V+25YCpVkKF6NF/UPc1SYxohYWcf3qT3JDoPRhnm/rj --mSqCCA6gUw== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp160r2:ALICE_cf_secp160r2_PUB -- --PrivateKey=BOB_cf_secp160r2 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAB4EHDAaAgEBBBUAYT/5C7UpD17DnZm4ObswmGFMI1Q= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp160r2_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAB4DKgAEB7YVzBmzhnIdouvN/nb8VMXCqO8dkhmebyVzoD0oAzuH --nN+SfWr6aQ== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp160r2:BOB_cf_secp160r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp160r2 --PeerKey=BOB_cf_secp160r2_PUB --SharedSecret=ccb9cae5c9487ff60c487bd1b39a62eb4680e9b6 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp160r2 --PeerKey=ALICE_cf_secp160r2_PUB --SharedSecret=ccb9cae5c9487ff60c487bd1b39a62eb4680e9b6 -- --Title=secp192k1 curve tests -- 
--PrivateKey=ALICE_cf_secp192k1 -------BEGIN PRIVATE KEY----- --MDYCAQAwEAYHKoZIzj0CAQYFK4EEAB8EHzAdAgEBBBikVZrCZQB7ZtkhNfQYpjKHZ9KxXgooJ90= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp192k1_PUB -------BEGIN PUBLIC KEY----- --MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAEyV4EzMZglBXtYdn38hNTrCGflAsJprMkxkOlw58chZ25 --6EAu7gVvYDTpnRkymKyH -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp192k1:ALICE_cf_secp192k1_PUB -- --PrivateKey=BOB_cf_secp192k1 -------BEGIN PRIVATE KEY----- --MDYCAQAwEAYHKoZIzj0CAQYFK4EEAB8EHzAdAgEBBBiJQ/PunKGk9QPUyqIBGMgHKKg+yxJr5io= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp192k1_PUB -------BEGIN PUBLIC KEY----- --MEYwEAYHKoZIzj0CAQYFK4EEAB8DMgAE990Tnmh9QQQHVHuLpfrAsgjvB9R2MJXzhBZN1WvtxLqF --OZ2oFMP0Kfcr7HbI7a5j -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp192k1:BOB_cf_secp192k1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp192k1 --PeerKey=BOB_cf_secp192k1_PUB --SharedSecret=a46a6bfb279d4dc30cffac585d1fbec905dbe46aca5e3c9d -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp192k1 --PeerKey=ALICE_cf_secp192k1_PUB --SharedSecret=a46a6bfb279d4dc30cffac585d1fbec905dbe46aca5e3c9d -- --Title=secp224k1 curve tests -- --PrivateKey=ALICE_cf_secp224k1 -------BEGIN PRIVATE KEY----- --MDsCAQAwEAYHKoZIzj0CAQYFK4EEACAEJDAiAgEBBB0AZPk3TzxGhX7TljBBhJDLBfulAMp6Bh3W --w40Qyg== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_secp224k1_PUB -------BEGIN PUBLIC KEY----- --ME4wEAYHKoZIzj0CAQYFK4EEACADOgAE4o7LGdJDixqJZ5imnqaX4IeE55NG4W0HEe72LVC7pmn2 --e3m7uC92ZQhduF9lJli4dXD5en/1wkE= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_secp224k1:ALICE_cf_secp224k1_PUB -- --PrivateKey=BOB_cf_secp224k1 -------BEGIN PRIVATE KEY----- --MDsCAQAwEAYHKoZIzj0CAQYFK4EEACAEJDAiAgEBBB0AdQ02GguRy3yHOjLkpoWb27QA/L1abfWe --q2xUfA== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_secp224k1_PUB -------BEGIN 
PUBLIC KEY----- --ME4wEAYHKoZIzj0CAQYFK4EEACADOgAEzp00m0DaADn1mGiDCT7K1LZnoj/vCxHPowUDC9yQd17K --KpJM5sGILrTkkgxqtt5pBeYE1NC1QUQ= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_secp224k1:BOB_cf_secp224k1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_secp224k1 --PeerKey=BOB_cf_secp224k1_PUB --SharedSecret=6f7b9d16c9c1d3a5c84b6028f2a4fed9ae8e02455e678a27243bcc48 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_secp224k1 --PeerKey=ALICE_cf_secp224k1_PUB --SharedSecret=6f7b9d16c9c1d3a5c84b6028f2a4fed9ae8e02455e678a27243bcc48 -- - Title=secp256k1 curve tests - - PrivateKey=ALICE_cf_secp256k1 -@@ -1998,1323 +55,6 @@ Derive=BOB_cf_secp256k1 - PeerKey=ALICE_cf_secp256k1_PUB - SharedSecret=a4745cc4d19cabb9e5cb0abdd5c604cab2846a4638ad844ed9175f3cadda2da1 - --Title=sect113r1 curve tests -- --PrivateKey=ALICE_cf_sect113r1 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFK4EEAAQEFjAUAgEBBA8ALw9CgsuNBkkhhUHE8bQ= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect113r1_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFK4EEAAQDIAAEASO9jcamlg1pRE7JffrTAe9kyRZO2xrymHXoGdnA -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect113r1:ALICE_cf_sect113r1_PUB -- --PrivateKey=BOB_cf_sect113r1 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFK4EEAAQEFjAUAgEBBA8A/9qbs8sTFNkjS9/4CuM= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect113r1_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFK4EEAAQDIAAEATykaf/cvJzLOUto1EbbAEz/3++nut6q0dcJOQeV -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect113r1:BOB_cf_sect113r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect113r1 --PeerKey=BOB_cf_sect113r1_PUB --SharedSecret=01ed16f1948dcb368a54004237842d -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect113r1 --PeerKey=ALICE_cf_sect113r1_PUB 
--SharedSecret=01ed16f1948dcb368a54004237842d -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect113r1 --PeerKey=BOB_cf_sect113r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=012e5f3e348c2a8a88d9590a639219 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect113r1 --PeerKey=ALICE_cf_sect113r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=012e5f3e348c2a8a88d9590a639219 -- --PublicKey=MALICE_cf_sect113r1_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFK4EEAAQDIAAEAAAAAAAAAAAAAAAAAAAAAd+TqiBXnTd/lyA/OFsR -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect113r1 --PeerKey=MALICE_cf_sect113r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect113r1 --PeerKey=MALICE_cf_sect113r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect113r2 curve tests -- --PrivateKey=ALICE_cf_sect113r2 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFK4EEAAUEFjAUAgEBBA8AvovirHrqTxoKJ3l+7y0= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect113r2_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFK4EEAAUDIAAEAFvQ4JgQTS8kjGeVfuITAS81qNcOQvt3PYa1HuCk -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect113r2:ALICE_cf_sect113r2_PUB -- --PrivateKey=BOB_cf_sect113r2 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFK4EEAAUEFjAUAgEBBA8ArUjgvp/goxRYb4WuQ80= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect113r2_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFK4EEAAUDIAAEAUoS3of8y28meYu/NoI5AVdhJZCuDjMqFHTriWY4 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect113r2:BOB_cf_sect113r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect113r2 --PeerKey=BOB_cf_sect113r2_PUB 
--SharedSecret=0057a287ba1ea05cb4735e673647e1 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect113r2 --PeerKey=ALICE_cf_sect113r2_PUB --SharedSecret=0057a287ba1ea05cb4735e673647e1 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect113r2 --PeerKey=BOB_cf_sect113r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00fec2454e46732aca42b22b6d4f13 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect113r2 --PeerKey=ALICE_cf_sect113r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00fec2454e46732aca42b22b6d4f13 -- --PublicKey=MALICE_cf_sect113r2_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFK4EEAAUDIAAEAAAAAAAAAAAAAAAAAAAAAR3dbPHrhFekzJ7Azskr -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect113r2 --PeerKey=MALICE_cf_sect113r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect113r2 --PeerKey=MALICE_cf_sect113r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect131r1 curve tests -- --PrivateKey=ALICE_cf_sect131r1 -------BEGIN PRIVATE KEY----- --MC8CAQAwEAYHKoZIzj0CAQYFK4EEABYEGDAWAgEBBBEA5C6zHMQM7pXPZ6cJz72Niw== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect131r1_PUB -------BEGIN PUBLIC KEY----- --MDgwEAYHKoZIzj0CAQYFK4EEABYDJAAEBXCuXD6wOOif91GUlJNKXf8FBNw8crgqi5aEJEZbCdBJ --Ag== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect131r1:ALICE_cf_sect131r1_PUB -- --PrivateKey=BOB_cf_sect131r1 -------BEGIN PRIVATE KEY----- --MC8CAQAwEAYHKoZIzj0CAQYFK4EEABYEGDAWAgEBBBEDYZmjiokBJ/SnTv8sskBR3A== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect131r1_PUB -------BEGIN PUBLIC KEY----- --MDgwEAYHKoZIzj0CAQYFK4EEABYDJAAEB8vGy3OQXwWKcJUSSJbCtpMBjFgJeZxzAaI420+B1B+1 --5A== -------END PUBLIC KEY----- -- --Availablein = default 
--PrivPubKeyPair=BOB_cf_sect131r1:BOB_cf_sect131r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect131r1 --PeerKey=BOB_cf_sect131r1_PUB --SharedSecret=05346248f77f81fff50cc656e119976871 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect131r1 --PeerKey=ALICE_cf_sect131r1_PUB --SharedSecret=05346248f77f81fff50cc656e119976871 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect131r1 --PeerKey=BOB_cf_sect131r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01f151ae26efa507acc2597356baf7e8ab -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect131r1 --PeerKey=ALICE_cf_sect131r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01f151ae26efa507acc2597356baf7e8ab -- --PublicKey=MALICE_cf_sect131r1_PUB -------BEGIN PUBLIC KEY----- --MDgwEAYHKoZIzj0CAQYFK4EEABYDJAAEAAAAAAAAAAAAAAAAAAAAAAABfiJEFG0vRzEGxk2BxjmK --zw== -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect131r1 --PeerKey=MALICE_cf_sect131r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect131r1 --PeerKey=MALICE_cf_sect131r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect131r2 curve tests -- --PrivateKey=ALICE_cf_sect131r2 -------BEGIN PRIVATE KEY----- --MC8CAQAwEAYHKoZIzj0CAQYFK4EEABcEGDAWAgEBBBEBnZRUKAQetk5kyUwhIaAyxg== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect131r2_PUB -------BEGIN PUBLIC KEY----- --MDgwEAYHKoZIzj0CAQYFK4EEABcDJAAEA5+Y20L8q989I4jnKknZ7hcGlQ6RUIGni9RahT88kB/d --dw== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect131r2:ALICE_cf_sect131r2_PUB -- --PrivateKey=BOB_cf_sect131r2 -------BEGIN PRIVATE KEY----- --MC8CAQAwEAYHKoZIzj0CAQYFK4EEABcEGDAWAgEBBBEBnafx9vcMeoCqj/1YNuflzw== -------END PRIVATE KEY----- -- 
--PublicKey=BOB_cf_sect131r2_PUB -------BEGIN PUBLIC KEY----- --MDgwEAYHKoZIzj0CAQYFK4EEABcDJAAEB2G2uNkhQNjjl0/Ov6UYpxoFaWNXO+qy7poV6cdrFN7z --pA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect131r2:BOB_cf_sect131r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect131r2 --PeerKey=BOB_cf_sect131r2_PUB --SharedSecret=058d8a8be33068ed8c1dc9f551ef2c3f3c -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect131r2 --PeerKey=ALICE_cf_sect131r2_PUB --SharedSecret=058d8a8be33068ed8c1dc9f551ef2c3f3c -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect131r2 --PeerKey=BOB_cf_sect131r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=037b16d85f27c2c878ef96c79a536f89a5 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect131r2 --PeerKey=ALICE_cf_sect131r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=037b16d85f27c2c878ef96c79a536f89a5 -- --PublicKey=MALICE_cf_sect131r2_PUB -------BEGIN PUBLIC KEY----- --MDgwEAYHKoZIzj0CAQYFK4EEABcDJAAEAAAAAAAAAAAAAAAAAAAAAAAGG5fiIbgziwBZHVzTYqCY --1w== -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect131r2 --PeerKey=MALICE_cf_sect131r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect131r2 --PeerKey=MALICE_cf_sect131r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect163r1 curve tests -- --PrivateKey=ALICE_cf_sect163r1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAIEHDAaAgEBBBUAlbn4x1UGJnAimsXufB/UvUaxU5U= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect163r1_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAIDLAAEA0f195HCcD4D+7wWyl3QuPkRovG/ATy5l7fpMl4BNIg/ --sbtEXluCzANF -------END PUBLIC KEY----- -- --Availablein = default 
--PrivPubKeyPair=ALICE_cf_sect163r1:ALICE_cf_sect163r1_PUB -- --PrivateKey=BOB_cf_sect163r1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAIEHDAaAgEBBBUAoStq6Fjb7nB2PNL6WrzKKqhCGdE= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect163r1_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAIDLAAEAul/oBKr9B5MsPHWGF+q07j0JC+WAxj1JzfcIXR98n+r --9FHWU5LC5pDM -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect163r1:BOB_cf_sect163r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect163r1 --PeerKey=BOB_cf_sect163r1_PUB --SharedSecret=06135eef489fe613c0d8bd522a2a640ff7ae6fb73d -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect163r1 --PeerKey=ALICE_cf_sect163r1_PUB --SharedSecret=06135eef489fe613c0d8bd522a2a640ff7ae6fb73d -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect163r1 --PeerKey=BOB_cf_sect163r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0580f5e8efb242a19ae1023acbcab8702c799751e7 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect163r1 --PeerKey=ALICE_cf_sect163r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0580f5e8efb242a19ae1023acbcab8702c799751e7 -- --PublicKey=MALICE_cf_sect163r1_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAIDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAJkXolVuGFa8fqmk --cs0Bv7iJuVg1 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect163r1 --PeerKey=MALICE_cf_sect163r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect163r1 --PeerKey=MALICE_cf_sect163r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect193r1 curve tests -- --PrivateKey=ALICE_cf_sect193r1 -------BEGIN PRIVATE KEY----- 
--MDcCAQAwEAYHKoZIzj0CAQYFK4EEABgEIDAeAgEBBBkACmcvidKWLtPFB2xqg76F8VhM1Njzrkgo -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect193r1_PUB -------BEGIN PUBLIC KEY----- --MEgwEAYHKoZIzj0CAQYFK4EEABgDNAAEAeqP0VQobenduwtf4MPmlYQVDjUmxKq50QFHnaBfzwXY --1TYShZZgBr0R6a5dUGCbiF0= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect193r1:ALICE_cf_sect193r1_PUB -- --PrivateKey=BOB_cf_sect193r1 -------BEGIN PRIVATE KEY----- --MDcCAQAwEAYHKoZIzj0CAQYFK4EEABgEIDAeAgEBBBkAKlSknQ66vpuLjC1mbQyfHOTdJ5Kw5jMh -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect193r1_PUB -------BEGIN PUBLIC KEY----- --MEgwEAYHKoZIzj0CAQYFK4EEABgDNAAEAaFZVIeqfV9wbPydaBSJKSWJjVyFVSB/QQB5rHonYQmK --f40zok8PJS6ratIcZwk/n20= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect193r1:BOB_cf_sect193r1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect193r1 --PeerKey=BOB_cf_sect193r1_PUB --SharedSecret=012b8849991814f8c7ed9d40cf9dc204c3a83e0b10675543a5 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect193r1 --PeerKey=ALICE_cf_sect193r1_PUB --SharedSecret=012b8849991814f8c7ed9d40cf9dc204c3a83e0b10675543a5 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect193r1 --PeerKey=BOB_cf_sect193r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0110180a18844859c52f6f012909522a2d87b5ab143bc80a55 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect193r1 --PeerKey=ALICE_cf_sect193r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0110180a18844859c52f6f012909522a2d87b5ab143bc80a55 -- --PublicKey=MALICE_cf_sect193r1_PUB -------BEGIN PUBLIC KEY----- --MEgwEAYHKoZIzj0CAQYFK4EEABgDNAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHeX7PX3e5n --zROUg6/STkLp1D+L51L9+wY= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect193r1 --PeerKey=MALICE_cf_sect193r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR 
--Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect193r1 --PeerKey=MALICE_cf_sect193r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect193r2 curve tests -- --PrivateKey=ALICE_cf_sect193r2 -------BEGIN PRIVATE KEY----- --MDcCAQAwEAYHKoZIzj0CAQYFK4EEABkEIDAeAgEBBBkAhjkv8lXK/nPp3Qc4IwL/29JUKWi2VBMp -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect193r2_PUB -------BEGIN PUBLIC KEY----- --MEgwEAYHKoZIzj0CAQYFK4EEABkDNAAEAIn7oSu3adu4ChNXniHKkMIv9gT24rpzzwAeCTDPIkUT --kJ+Tit6e4RpgkB/dph4V+uI= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect193r2:ALICE_cf_sect193r2_PUB -- --PrivateKey=BOB_cf_sect193r2 -------BEGIN PRIVATE KEY----- --MDcCAQAwEAYHKoZIzj0CAQYFK4EEABkEIDAeAgEBBBkAwGkR3qSQdfh7Q6KbJ4lH5FShGsX8o/jD -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect193r2_PUB -------BEGIN PUBLIC KEY----- --MEgwEAYHKoZIzj0CAQYFK4EEABkDNAAEAFdSLKI0tlwZDpkndutOLsnHii1aJO8snwEJ0m/AZgMp --xiDevOQ/xE9SpMX25W7YqkU= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect193r2:BOB_cf_sect193r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect193r2 --PeerKey=BOB_cf_sect193r2_PUB --SharedSecret=01e2f66a63c24c1de8a399c484228a5ad5b6d911c6e5e83ae3 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect193r2 --PeerKey=ALICE_cf_sect193r2_PUB --SharedSecret=01e2f66a63c24c1de8a399c484228a5ad5b6d911c6e5e83ae3 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect193r2 --PeerKey=BOB_cf_sect193r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00bc82d393bd74406683aea003977a86a109f444a833652e43 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect193r2 --PeerKey=ALICE_cf_sect193r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00bc82d393bd74406683aea003977a86a109f444a833652e43 -- --PublicKey=MALICE_cf_sect193r2_PUB 
-------BEGIN PUBLIC KEY----- --MEgwEAYHKoZIzj0CAQYFK4EEABkDNAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAFfdLEkrvsO --Y7+6QpEvOay9A4MJCUZfZmI= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect193r2 --PeerKey=MALICE_cf_sect193r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect193r2 --PeerKey=MALICE_cf_sect193r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect239k1 curve tests -- --PrivateKey=ALICE_cf_sect239k1 -------BEGIN PRIVATE KEY----- --MDwCAQAwEAYHKoZIzj0CAQYFK4EEAAMEJTAjAgEBBB4G4nbQDUtTnkrPOvDGIlhH9XdjirUSbTI5 --5z6lf7o= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect239k1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEAAMDPgAEf5paOMjzcnpVAPMQnIkikE4K2jne3ubX2TD1P3aedknF --lUr6tOU4BsiUQJACF90rQ9/KdeR5mYvYHzvI -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_sect239k1:ALICE_cf_sect239k1_PUB -- --PrivateKey=BOB_cf_sect239k1 -------BEGIN PRIVATE KEY----- --MDwCAQAwEAYHKoZIzj0CAQYFK4EEAAMEJTAjAgEBBB4e0F0NpepAF+iNrEtoZeo4TrQFspkUNLcx --Ly4Klfg= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect239k1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEAAMDPgAEKnjJ4RHe+EiElXMrF4ou7VGy1pn0ZiO17FouF31Zbvjc --TcbhfE6ziXM8sekQJBwcwRKQ9+G/Qzq/2A9x -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_sect239k1:BOB_cf_sect239k1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect239k1 --PeerKey=BOB_cf_sect239k1_PUB --SharedSecret=0ef54c7b7dbf55d4278e7a6924dc4833c63ec708e820d501cacdfb4935d5 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect239k1 --PeerKey=ALICE_cf_sect239k1_PUB --SharedSecret=0ef54c7b7dbf55d4278e7a6924dc4833c63ec708e820d501cacdfb4935d5 -- --# ECC CDH Alice with Bob peer --Availablein = default 
--Derive=ALICE_cf_sect239k1 --PeerKey=BOB_cf_sect239k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=592e4b33ac99624fe7f2f879cf52f12a70f189c5d90785db26a12e0a46c0 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect239k1 --PeerKey=ALICE_cf_sect239k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=592e4b33ac99624fe7f2f879cf52f12a70f189c5d90785db26a12e0a46c0 -- --PublicKey=MALICE_cf_sect239k1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEAAMDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect239k1 --PeerKey=MALICE_cf_sect239k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect239k1 --PeerKey=MALICE_cf_sect239k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls10 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls10 -------BEGIN PRIVATE KEY----- --MDsCAQAwEAYHKoZIzj0CAQYFZysBBAoEJDAiAgEBBB1zvDMHGgcytka5KvlvQvJzTA4l2ts2NzBp --SJiGyw== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls10_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFZysBBAoDPgAEAZkrhWBz/Q4GB8DY4Ia114ew6H7Eg7ri2uxwxd3rAZs5 --/ShvunNyndjCt3Qaq8sulBM0nUyERSDakyD+ -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls10:ALICE_cf_wap-wsg-idm-ecid-wtls10_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls10 -------BEGIN PRIVATE KEY----- --MDsCAQAwEAYHKoZIzj0CAQYFZysBBAoEJDAiAgEBBB1SowkHU79PqokOfgllN53rNS8a3h1wFBY0 --dKPkQg== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls10_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFZysBBAoDPgAEAGavw4ChHCoWplAumMEBwJgJ2aYtw+utu4vhWnscAPIT --IJ4IiIGj18rCFBap1sgVbpXjhEBLYg6Itwv2 -------END PUBLIC KEY----- 
-- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls10:BOB_cf_wap-wsg-idm-ecid-wtls10_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls10 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls10_PUB --SharedSecret=0194ef5d80fdfe9df366b2273b983c3dbd440faf76964fcfc06c509f289d -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls10 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls10_PUB --SharedSecret=0194ef5d80fdfe9df366b2273b983c3dbd440faf76964fcfc06c509f289d -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls10 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls10_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01bedc5cdf63fbf18c3e2bc9765e12f7990c0c0c64f0267ae7c37b9f49f0 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls10 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls10_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01bedc5cdf63fbf18c3e2bc9765e12f7990c0c0c64f0267ae7c37b9f49f0 -- --PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls10_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFZysBBAoDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls10 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls10_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls10 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls10_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls11 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls11 -------BEGIN PRIVATE KEY----- --MDwCAQAwEAYHKoZIzj0CAQYFZysBBAsEJTAjAgEBBB4AkzS3zoqHNCLug/nwoYMQW3UigmZ9t56k --5jp+FiY= -------END PRIVATE KEY----- -- 
--PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls11_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFZysBBAsDPgAEABttgKKYeGZRmcH/5UZR56lOSgbU4TH2AuIhvj88AL6H --zTCX9elzXpck+u22bnmkuvL2A8XKB5+fabMR -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls11:ALICE_cf_wap-wsg-idm-ecid-wtls11_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls11 -------BEGIN PRIVATE KEY----- --MDwCAQAwEAYHKoZIzj0CAQYFZysBBAsEJTAjAgEBBB4AWU05mbqPxsB749llNON1//l0w8RJJ3z5 --h/kzfNM= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls11_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFZysBBAsDPgAEAL6Xj/KCmXAQAAo847t0bl0wqBrteWRg93OvIJsPAAOE --ehdIgJyruc3KsH0RFlipu5QD8pnGSIXvif19 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls11:BOB_cf_wap-wsg-idm-ecid-wtls11_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls11 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls11_PUB --SharedSecret=01ac8a23ddeeafb4d3bb243fe409f2f9c8b1a3fc11d4690da583f2e21637 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls11 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls11_PUB --SharedSecret=01ac8a23ddeeafb4d3bb243fe409f2f9c8b1a3fc11d4690da583f2e21637 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls11 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls11_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01b9992992572d3a59d424f8c9cc195576461ed6c1dadf6fb523717fab19 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls11 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls11_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01b9992992572d3a59d424f8c9cc195576461ed6c1dadf6fb523717fab19 -- --PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls11_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFZysBBAsDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYf4 
--Vie5eHTnR+4x4G1xyq7qUvISU+X5RtBh2pE4 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls11 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls11_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls11 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls11_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls12 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls12 -------BEGIN PRIVATE KEY----- --MDoCAQAwEAYHKoZIzj0CAQYFZysBBAwEIzAhAgEBBBxwvll9Eb9mm2Xadq1evIi1zIK+6u0Nv8bP --LI9a -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls12_PUB -------BEGIN PUBLIC KEY----- --ME4wEAYHKoZIzj0CAQYFZysBBAwDOgAE0t0WqG/pFsiCt6agmebw3FCEWAzf9BpNLuzoCkPEe0Li --bqn5udrckL6s3stwCTVFaZUfY2qS9QE= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls12:ALICE_cf_wap-wsg-idm-ecid-wtls12_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls12 -------BEGIN PRIVATE KEY----- --MDoCAQAwEAYHKoZIzj0CAQYFZysBBAwEIzAhAgEBBBz+5P6gpqXxbeXvvaD5W9Ft69BTxcn7zc6q --K3Ax -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls12_PUB -------BEGIN PUBLIC KEY----- --ME4wEAYHKoZIzj0CAQYFZysBBAwDOgAEvyxedqaWkoAOMjaV5W3/tJpheiHAR0zV6BlIeUuGP2mx --+xsOK9/QB7hzipq9cXx1K/dXu58EoSY= -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls12:BOB_cf_wap-wsg-idm-ecid-wtls12_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls12 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls12_PUB --SharedSecret=a3b3f20af8c33a0f5c246b4b9d9dda1cd40c294d1f53365d18a8b54b -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls12 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls12_PUB 
--SharedSecret=a3b3f20af8c33a0f5c246b4b9d9dda1cd40c294d1f53365d18a8b54b -- --Title=wap-wsg-idm-ecid-wtls1 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls1 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFZysBBAEEFTATAgEBBA5ZNASTt4/g6XPQwRiQ0Q== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls1_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFZysBBAEDIAAEACBNPI48xxsPVQBy07jRAAcWzbIkMo8BQotxpfGJ -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls1:ALICE_cf_wap-wsg-idm-ecid-wtls1_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls1 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFZysBBAEEFTATAgEBBA6+0x9qk0NIKHSRvlTemQ== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls1_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFZysBBAEDIAAEAEeHMSBTx/EtOu+bjBinALHSkQuJyiP3mg1tu+I2 -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls1:BOB_cf_wap-wsg-idm-ecid-wtls1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls1 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls1_PUB --SharedSecret=0040ba2fadc1da97c973e5e59ade31 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls1 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls1_PUB --SharedSecret=0040ba2fadc1da97c973e5e59ade31 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls1 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=008919696215a89e03d6c4c9265d6b -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls1 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=008919696215a89e03d6c4c9265d6b -- --PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls1_PUB -------BEGIN PUBLIC KEY----- 
--MDQwEAYHKoZIzj0CAQYFZysBBAEDIAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls1 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls1 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls3 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls3 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAMEHDAaAgEBBBUDO2cHbqQBUxuJBl6UT9UrasuRVrI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls3_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFZysBBAMDLAAEBRIzvK9o7eO2NGmtPFV/zo9/1mlvBwjG7+e6hbPG1KdI --01f8oGBuXMQH -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls3:ALICE_cf_wap-wsg-idm-ecid-wtls3_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls3 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAMEHDAaAgEBBBUAhZv9WZ00bDnU9MOaqEegP771nes= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls3_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFZysBBAMDLAAEAYOspjEbzyZw61jCtUrxARr+w66nBH+73QIvlaRVSG/4 --hlBUf5kmG4Yn -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls3:BOB_cf_wap-wsg-idm-ecid-wtls3_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls3 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls3_PUB --SharedSecret=0311924428a839b7dcada662722945e62bf1131f4f -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls3 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls3_PUB --SharedSecret=0311924428a839b7dcada662722945e62bf1131f4f -- --# ECC CDH Alice 
with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls3 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=047f1aee6a1a1d7c9c1f0e8dce4349429f737aa658 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls3 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls3_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=047f1aee6a1a1d7c9c1f0e8dce4349429f737aa658 -- --PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls3_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFZysBBAMDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAB -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls3 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls3 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls3_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls4 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls4 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFZysBBAQEFjAUAgEBBA8ACFOrBbOh5LjNtJQCuEE= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls4_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFZysBBAQDIAAEAW3K4Mus5+KAJVGLzEYrAYuCJSEYXFTo17aW0TwN -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls4:ALICE_cf_wap-wsg-idm-ecid-wtls4_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls4 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFZysBBAQEFjAUAgEBBA8Auz4XRc3Rg0bNcbrray8= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls4_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFZysBBAQDIAAEAI0F7ixGqOhnYpsuR80nAdTdSXM+YbcUbLe/U/xG -------END PUBLIC KEY----- -- --Availablein = default 
--PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls4:BOB_cf_wap-wsg-idm-ecid-wtls4_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls4 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls4_PUB --SharedSecret=0077378ddfdadff704a0b6646949e7 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls4 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls4_PUB --SharedSecret=0077378ddfdadff704a0b6646949e7 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls4 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls4_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=008f3713fe1ff1fa5d5041899817d1 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls4 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls4_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=008f3713fe1ff1fa5d5041899817d1 -- --PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls4_PUB -------BEGIN PUBLIC KEY----- --MDQwEAYHKoZIzj0CAQYFZysBBAQDIAAEAAAAAAAAAAAAAAAAAAAAAd+TqiBXnTd/lyA/OFsR -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls4 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls4_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls4 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls4_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls5 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls5 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAUEHDAaAgEBBBUD9gVh3zbLTA7BuRVVi9T8QKZ1uco= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls5_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFZysBBAUDLAAEAH5xyUrvbuN+tWmRhwqrQfFHPHNUBKtAGvJuvSFVwTKk --uFzn9fPvIDe6 -------END PUBLIC KEY----- -- --Availablein = default 
--PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls5:ALICE_cf_wap-wsg-idm-ecid-wtls5_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls5 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAUEHDAaAgEBBBUAr9ZlmuO7bNfqB42xUivJXyVHKNI= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls5_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFZysBBAUDLAAEBdXxEk0L2XAVzRNLPcnMxGXXyDfZAoA1Qw2XpOfVWIVR --jdoMGRgUuJmO -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls5:BOB_cf_wap-wsg-idm-ecid-wtls5_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls5 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls5_PUB --SharedSecret=0190c68d80e94fbe9f193ae7d9a156bf0b8d097c23 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls5 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls5_PUB --SharedSecret=0190c68d80e94fbe9f193ae7d9a156bf0b8d097c23 -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls5 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls5_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00aabc9b45c200e41294aa922ab06da6655731e0ea -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls5 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls5_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00aabc9b45c200e41294aa922ab06da6655731e0ea -- --PublicKey=MALICE_cf_wap-wsg-idm-ecid-wtls5_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFZysBBAUDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAC8JxepS05nN/piK --dhDD3dDKXUih -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls5 --PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls5_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls5 
--PeerKey=MALICE_cf_wap-wsg-idm-ecid-wtls5_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=wap-wsg-idm-ecid-wtls6 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls6 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFZysBBAYEFTATAgEBBA4ayMbswPbvYMwpwo80jA== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls6_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFZysBBAYDHgAERPw/8Ip/RrXr0gMgLGRQeiQ4Qd6W+Li0ylGKzg== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls6:ALICE_cf_wap-wsg-idm-ecid-wtls6_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls6 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFZysBBAYEFTATAgEBBA6kbCpFt3tX2hYBQHMXbg== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls6_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFZysBBAYDHgAEhJXqpYGxE/l1X/LiBeyRbIcyzqPxUP5Tkv3U3w== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls6:BOB_cf_wap-wsg-idm-ecid-wtls6_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls6 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls6_PUB --SharedSecret=b4cae255268f11a1e46fecad04c2 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls6 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls6_PUB --SharedSecret=b4cae255268f11a1e46fecad04c2 -- --Title=wap-wsg-idm-ecid-wtls7 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls7 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAcEHDAaAgEBBBUABcyzh4ot9ck/j4/3ehK0aYngYoM= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls7_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFZysBBAcDKgAEwQLnZ70n45RLqRtAGNzEa3Rl/9nwyjqYUtw2eeHhnNLT --feGY4CNH0w== -------END PUBLIC KEY----- -- --Availablein = default 
--PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls7:ALICE_cf_wap-wsg-idm-ecid-wtls7_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls7 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAcEHDAaAgEBBBUAPyrGRY1SR13hKQswS6yXs8w8PUQ= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls7_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFZysBBAcDKgAEZGN44YbN5r3zcNtOHrvbQLt8/lE7BHp4D/9eKLmwFDn1 --QneRu3xwPA== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls7:BOB_cf_wap-wsg-idm-ecid-wtls7_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls7 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls7_PUB --SharedSecret=ae9f5bcc6457c0422866bf855921eabc42b7121a -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls7 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls7_PUB --SharedSecret=ae9f5bcc6457c0422866bf855921eabc42b7121a -- --Title=wap-wsg-idm-ecid-wtls8 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls8 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFZysBBAgEFjAUAgEBBA8AnkC18b3pH2O5TIYIqAQ= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls8_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFZysBBAgDHgAEJD0h4HEfchwxqhp9eMHh9gczQKHX4MtWVoAxKQ== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls8:ALICE_cf_wap-wsg-idm-ecid-wtls8_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls8 -------BEGIN PRIVATE KEY----- --MC0CAQAwEAYHKoZIzj0CAQYFZysBBAgEFjAUAgEBBA8AXxPMnqbl3rOuIM5nsvc= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls8_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFZysBBAgDHgAEZawmRmzr9P+jihImUi6ykOzaSH484JhMKNdrgw== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls8:BOB_cf_wap-wsg-idm-ecid-wtls8_PUB -- --# ECDH Alice with Bob peer --Availablein = default 
--Derive=ALICE_cf_wap-wsg-idm-ecid-wtls8 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls8_PUB --SharedSecret=48baf4f1f5e8a0eb5dae28ef6290 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls8 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls8_PUB --SharedSecret=48baf4f1f5e8a0eb5dae28ef6290 -- --Title=wap-wsg-idm-ecid-wtls9 curve tests -- --PrivateKey=ALICE_cf_wap-wsg-idm-ecid-wtls9 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAkEHDAaAgEBBBUALwvuKs3RLthMAsChbqKjXw6vTYo= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_wap-wsg-idm-ecid-wtls9_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFZysBBAkDKgAET0ppOvd9DU4v+tkKDQ5wRBrN1FwD9+F9t5l3Im+mz3rw --DB/RYdZuUg== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=ALICE_cf_wap-wsg-idm-ecid-wtls9:ALICE_cf_wap-wsg-idm-ecid-wtls9_PUB -- --PrivateKey=BOB_cf_wap-wsg-idm-ecid-wtls9 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAkEHDAaAgEBBBUAgeb/vqEM7X5AAAxyBu3M+C8pWLM= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_wap-wsg-idm-ecid-wtls9_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFZysBBAkDKgAEWc37LGt6lt90iF4lhtDYNFdjAqoczebuNgzGff/Uq8ov --a3EVJ9yK1A== -------END PUBLIC KEY----- -- --Availablein = default --PrivPubKeyPair=BOB_cf_wap-wsg-idm-ecid-wtls9:BOB_cf_wap-wsg-idm-ecid-wtls9_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_wap-wsg-idm-ecid-wtls9 --PeerKey=BOB_cf_wap-wsg-idm-ecid-wtls9_PUB --SharedSecret=948d3030e95cead39a1bb3d8a01c2be178517ba7 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_wap-wsg-idm-ecid-wtls9 --PeerKey=ALICE_cf_wap-wsg-idm-ecid-wtls9_PUB --SharedSecret=948d3030e95cead39a1bb3d8a01c2be178517ba7 -- --# tests: 484 -- --Title=zero x-coord regression tests -- --PrivateKey=ALICE_zero_prime192v1 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEHzAdAgEBBBhaPNk8jG5hSG6y8tUqUoOaNNsZ3APU --pps= -------END PRIVATE KEY----- -- 
--PublicKey=BOB_zero_prime192v1_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAe2hWBe5g --DLNj216pEvK7XjoKLg5gNg8S -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime192v1 --PeerKey=BOB_zero_prime192v1_PUB --SharedSecret=baaffd49a8399d2ad52cbbe24d47b67afb4b3cf436f1cd65 -- --PrivateKey=ALICE_zero_prime192v2 - -----BEGIN PRIVATE KEY----- - MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBj1AIQMJ7jqYIKCvxYAS+qKMmKmH0to - 41k= -@@ -3422,72 +162,6 @@ Derive=ALICE_zero_prime256v1 - PeerKey=BOB_zero_prime256v1_PUB - SharedSecret=c4f5607deb8501f1a4ba23fce4122a4343a17ada2c86a9c8e0d03d92d4a4c84c --PrivateKey=ALICE_zero_secp112r2 -------BEGIN PRIVATE KEY----- --MCwCAQAwEAYHKoZIzj0CAQYFK4EEAAcEFTATAgEBBA4hh3tRkG3tnA0496ffMw== -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_secp112r2_PUB -------BEGIN PUBLIC KEY----- --MDIwEAYHKoZIzj0CAQYFK4EEAAcDHgAEAAAAAAAAAAAAAAAAAAAS5eEOWDV/Wk7w4djyDQ== -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp112r2 --PeerKey=BOB_zero_secp112r2_PUB --SharedSecret=958cc1cb425713678830a4d7d95e -- --PrivateKey=ALICE_zero_secp128r1 -------BEGIN PRIVATE KEY----- --MC4CAQAwEAYHKoZIzj0CAQYFK4EEABwEFzAVAgEBBBCykSzic/h3T2K6SkSP1SGt -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_secp128r1_PUB -------BEGIN PUBLIC KEY----- --MDYwEAYHKoZIzj0CAQYFK4EEABwDIgAEAAAAAAAAAAAAAAAAAAAAAABya8M5aeOpNG3z799IdHc= -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp128r1 --PeerKey=BOB_zero_secp128r1_PUB --SharedSecret=5235d452066f126cd7e99eea00fd3068 -- --PrivateKey=ALICE_zero_secp160r1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAgEHDAaAgEBBBUACoRnbig69XLlh5VcRexpbbn5zwA= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_secp160r1_PUB -------BEGIN PUBLIC KEY----- 
--MD4wEAYHKoZIzj0CAQYFK4EEAAgDKgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAG/w1po29wYlxlygXs --MGfbiGg5ng== -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp160r1 --PeerKey=BOB_zero_secp160r1_PUB --SharedSecret=9ccd0ab8d093b6acdb3fe14c3736a0dfe61a4666 -- --PrivateKey=ALICE_zero_secp160r2 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAB4EHDAaAgEBBBUAQFGxInSw1eAvd45E9TUdbXtJGnA= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_secp160r2_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFK4EEAB4DKgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAZtSBSZqfmXp47v5z2 --ZZZl2JFxDg== -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp160r2 --PeerKey=BOB_zero_secp160r2_PUB --SharedSecret=303e0a282ac86f463fe834cb51b0057be42ed5ab -- - PrivateKey=ALICE_zero_secp384r1 - -----BEGIN PRIVATE KEY----- - ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDD6kgzKbg28zbQyVTdC0IdHbm0UCQt2Rdbi -@@ -3526,76 +200,6 @@ Derive=ALICE_zero_secp521r1 - PeerKey=BOB_zero_secp521r1_PUB - SharedSecret=003fc3028f61db94b20c7cd177923b6e73f12f0ab067c9ce8866755e3c82abb39c9863cde74fa80b32520bd7dd0eb156c30c08911503b67b2661f1264d09bb231423 - --PrivateKey=ALICE_zero_wap-wsg-idm-ecid-wtls7 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFZysBBAcEHDAaAgEBBBUAoGng7WzYr4P9vtdc3BS/UiNWmc0= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_wap-wsg-idm-ecid-wtls7_PUB -------BEGIN PUBLIC KEY----- --MD4wEAYHKoZIzj0CAQYFZysBBAcDKgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAZtSBSZqfmXp47v5z2 --ZZZl2JFxDg== -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_wap-wsg-idm-ecid-wtls7 --PeerKey=BOB_zero_wap-wsg-idm-ecid-wtls7_PUB --SharedSecret=6582fc03bbb340fcf24a5fe8fcdf722655efa8b9 -- --# tests: 14 -- --Title=prime192v1 curve tests -- --PrivateKey=ALICE_cf_prime192v1 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEHzAdAgEBBBhQFYLaobJ47BVWWZv/ByY8Ti69m/U9 --TeI= 
-------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_prime192v1_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEHYbt14KzucSpmKMrlDx1IGz/a28nDs21OjKgx3BK --PZ78UrllIr69kgrYUKsRg4sd -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_prime192v1:ALICE_cf_prime192v1_PUB -- --PrivateKey=BOB_cf_prime192v1 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQEEHzAdAgEBBBhsbmKHAtygIqirkmUXSbniDJOx0/fI --CWM= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_prime192v1_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQEDMgAEJA+FQcXq5Axzv8pLDslxq1QVt1hjN2i0TgoO6Yxp --bAekMot69VorE8ibSzgJixXJ -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_prime192v1:BOB_cf_prime192v1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_prime192v1 --PeerKey=BOB_cf_prime192v1_PUB --SharedSecret=e36cad3b0f8d00f60f090440a76df47896713ae61421c354 -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_prime192v1 --PeerKey=ALICE_cf_prime192v1_PUB --SharedSecret=e36cad3b0f8d00f60f090440a76df47896713ae61421c354 -- --# ECDH Bob with Alice peer : curves with less than 112 bits of strength cannot --# be used for Key agreement in fips mode --Availablein = fips --Derive=BOB_cf_prime192v1 --Securitycheck = 1 --PeerKey=ALICE_cf_prime192v1_PUB --SharedSecret=e36cad3b0f8d00f60f090440a76df47896713ae61421c354 --Result = DERIVE_SET_PEER_ERROR -- - Title=prime256v1 curve tests - - PrivateKey=ALICE_cf_prime256v1 -@@ -3759,743 +363,3 @@ SharedSecret=01dd4aa9037bb4ad298b420998d - Derive=BOB_cf_secp521r1 - PeerKey=ALICE_cf_secp521r1_PUB - SharedSecret=01dd4aa9037bb4ad298b420998dcd32b3a9af1cda8b7919e372aeb4e54ccfb4d2409a340ed896bfbc5dd462f8d96b8784bc17b29db3ca04700e6ec752f9bec777695 -- --Title=sect163k1 curve tests -- --PrivateKey=ALICE_cf_sect163k1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAEEHDAaAgEBBBUB905PYfmej8LzbzX6Bg51GJzXQjQ= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect163k1_PUB 
-------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBfvs5A1hD8YySP9O2ub8GEUfotVuBpfRx4GIHdAfx8wV --1UVeTRnyAlWU -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect163k1:ALICE_cf_sect163k1_PUB -- --PrivateKey=BOB_cf_sect163k1 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAAEEHDAaAgEBBBUCHPtCjJ4/K8ylQBcLlb5VE0bkaUE= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect163k1_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEBvgfX1mTRlt6Z4TE1D1MNWo4loH4AoeYa6oowK104LKk --nsdg7isQ8XBD -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect163k1:BOB_cf_sect163k1_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect163k1 --PeerKey=BOB_cf_sect163k1_PUB --SharedSecret=04d0e40788c5ce5220818055277cae53eac55c1e6b -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect163k1 --PeerKey=ALICE_cf_sect163k1_PUB --SharedSecret=04d0e40788c5ce5220818055277cae53eac55c1e6b -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect163k1 --PeerKey=BOB_cf_sect163k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=04c902a91110244d89110034dd2b099c49cbab6c77 -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect163k1 --PeerKey=ALICE_cf_sect163k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=04c902a91110244d89110034dd2b099c49cbab6c77 -- --PublicKey=MALICE_cf_sect163k1_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAAEDLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAB -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect163k1 --PeerKey=MALICE_cf_sect163k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Availablein = default --Derive=ALICE_cf_sect163k1 --PeerKey=MALICE_cf_sect163k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect163r2 curve tests -- 
--PrivateKey=ALICE_cf_sect163r2 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAA8EHDAaAgEBBBUBjCs/M3N31jsAueYrOq21vdETwAI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect163r2_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAA8DLAAEBd8Z1/HpA+89hF4I98EST3svWns3BAEbhWmL/fgxk2uu --YwVrmqhgqH/C -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect163r2:ALICE_cf_sect163r2_PUB -- --PrivateKey=BOB_cf_sect163r2 -------BEGIN PRIVATE KEY----- --MDMCAQAwEAYHKoZIzj0CAQYFK4EEAA8EHDAaAgEBBBUBsiouT9Df+mwHWrpPg1JSrY9nqlI= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect163r2_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAA8DLAAEBULqBZ+nhLhDEMYY8NEEzZ126MdxAcFXWv8zmPEH9505 --8vT5zU3aq6HV -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect163r2:BOB_cf_sect163r2_PUB -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect163r2 --PeerKey=BOB_cf_sect163r2_PUB --SharedSecret=019f829a53c4e6544bdec1395a23082169efaf369d -- --# ECDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect163r2 --PeerKey=ALICE_cf_sect163r2_PUB --SharedSecret=019f829a53c4e6544bdec1395a23082169efaf369d -- --# ECC CDH Alice with Bob peer --Availablein = default --Derive=ALICE_cf_sect163r2 --PeerKey=BOB_cf_sect163r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=048870d39235ecbc16a000ee478833509b9318a53f -- --# ECC CDH Bob with Alice peer --Availablein = default --Derive=BOB_cf_sect163r2 --PeerKey=ALICE_cf_sect163r2_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=048870d39235ecbc16a000ee478833509b9318a53f -- --PublicKey=MALICE_cf_sect163r2_PUB -------BEGIN PUBLIC KEY----- --MEAwEAYHKoZIzj0CAQYFK4EEAA8DLAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAsJbhbrfiSdZPSHD --ZtqJwDlp802l -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Availablein = default --Derive=BOB_cf_sect163r2 --PeerKey=MALICE_cf_sect163r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice 
peer --Availablein = default --Derive=ALICE_cf_sect163r2 --PeerKey=MALICE_cf_sect163r2_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect233k1 curve tests -- --PrivateKey=ALICE_cf_sect233k1 -------BEGIN PRIVATE KEY----- --MDsCAQAwEAYHKoZIzj0CAQYFK4EEABoEJDAiAgEBBB0z/3heNFjJL+2sAT/38yRsN3kt2iXz7u+y --Gua8Kw== -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect233k1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEABoDPgAEALQyn0zJmOrHm4S2EIjxRe899PadBnfpYjLKWGvpAIzf --MEG861Nv1IYJkmkO1xlfNHeeRtqFgsQVFKZh -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect233k1:ALICE_cf_sect233k1_PUB -- --PrivateKey=BOB_cf_sect233k1 -------BEGIN PRIVATE KEY----- --MDsCAQAwEAYHKoZIzj0CAQYFK4EEABoEJDAiAgEBBB1I0ucrC4d9i6Z+0cbar5r7uKpF5iiQkSJA --DFMTUA== -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect233k1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEABoDPgAEAatdqazxSghJ568CBFyMXhEvVeAiLewOY/jk9H5DAOB4 --ufNGbdd131KLaKPivB38a6n5Y+2BVSJangow -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect233k1:BOB_cf_sect233k1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect233k1 --PeerKey=BOB_cf_sect233k1_PUB --SharedSecret=012145026e8de65973c154e085456fc5539ba9e25663e7f5816abfcab310 -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect233k1 --PeerKey=ALICE_cf_sect233k1_PUB --SharedSecret=012145026e8de65973c154e085456fc5539ba9e25663e7f5816abfcab310 -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect233k1 --PeerKey=BOB_cf_sect233k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00ff7d6c6b80f39d2ae68fbd00adbcd75fa599ed0bc1aac0e3f49c1c164d -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect233k1 --PeerKey=ALICE_cf_sect233k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00ff7d6c6b80f39d2ae68fbd00adbcd75fa599ed0bc1aac0e3f49c1c164d -- --PublicKey=MALICE_cf_sect233k1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEABoDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABAAAA 
--AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect233k1 --PeerKey=MALICE_cf_sect233k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect233k1 --PeerKey=MALICE_cf_sect233k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect233r1 curve tests -- --PrivateKey=ALICE_cf_sect233r1 -------BEGIN PRIVATE KEY----- --MDwCAQAwEAYHKoZIzj0CAQYFK4EEABsEJTAjAgEBBB4ATcy7zVpIsJ9rl5EIDmzRz5wxjrDIQyDm --HP3Pt8Y= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect233r1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEABsDPgAEAQMQHiJ44LiCnZkEg1zyww1h+idTbsw8E07P33WUAUfD --NeQ4hWEhTXPnytIbEhFKpnd3j/FbyZnJqxh8 -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect233r1:ALICE_cf_sect233r1_PUB -- --PrivateKey=BOB_cf_sect233r1 -------BEGIN PRIVATE KEY----- --MDwCAQAwEAYHKoZIzj0CAQYFK4EEABsEJTAjAgEBBB4ALpOlFn4OfiIAkRAZGOsn7L6W3XoQBSV8 --mQVC2pw= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect233r1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEABsDPgAEAJQw+NWqFJXYw4dVMovzvw76OYnYOTaDaEPNW8ECAQbl --TzzbBSTp5iqM13mP0/Bo4OO66NS3lA9e/GTO -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect233r1:BOB_cf_sect233r1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect233r1 --PeerKey=BOB_cf_sect233r1_PUB --SharedSecret=00209d2995a63f1e8b7a5c33dee5abb602e32e1835ae8bb57eb264d8d795 -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect233r1 --PeerKey=ALICE_cf_sect233r1_PUB --SharedSecret=00209d2995a63f1e8b7a5c33dee5abb602e32e1835ae8bb57eb264d8d795 -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect233r1 --PeerKey=BOB_cf_sect233r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00c3cd1d38a65f5e421399409a76cec1136bc84149f054a7f55e7980c612 -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect233r1 --PeerKey=ALICE_cf_sect233r1_PUB 
--Ctrl=ecdh_cofactor_mode:1 --SharedSecret=00c3cd1d38a65f5e421399409a76cec1136bc84149f054a7f55e7980c612 -- --PublicKey=MALICE_cf_sect233r1_PUB -------BEGIN PUBLIC KEY----- --MFIwEAYHKoZIzj0CAQYFK4EEABsDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAYf4 --Vie5eHTnR+4x4G1xyq7qUvISU+X5RtBh2pE4 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect233r1 --PeerKey=MALICE_cf_sect233r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect233r1 --PeerKey=MALICE_cf_sect233r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect283k1 curve tests -- --PrivateKey=ALICE_cf_sect283k1 -------BEGIN PRIVATE KEY----- --MEICAQAwEAYHKoZIzj0CAQYFK4EEABAEKzApAgEBBCQAY1Mi9rST7PiP1t03qYRczV/kSZ+VjQu8 --5EFCgxyvkaLManw= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect283k1_PUB -------BEGIN PUBLIC KEY----- --MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEBMjBO8WoxHS/vz8po52WZGxS+RK5yolrUe6tfbAMA3Sd --5/JjBDVjOz95vM4gUnqzUWHN5nKBQtj6HiU9Q/R+zqg98OiQKTyA -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect283k1:ALICE_cf_sect283k1_PUB -- --PrivateKey=BOB_cf_sect283k1 -------BEGIN PRIVATE KEY----- --MEICAQAwEAYHKoZIzj0CAQYFK4EEABAEKzApAgEBBCQBCZC8Is+YSjgXJBBDioEl6gu14QpGHllD --1J6957vBTPSQdH0= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect283k1_PUB -------BEGIN PUBLIC KEY----- --MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEAGEQKZVHYAlvtjHrFyZVm12qUb5j+T5/WNoC962+kwUM --QkBYA5BpuG8Knlugq1iB31whPAgRCZfdLKHpHRPJSfXvKyUIdeUm -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect283k1:BOB_cf_sect283k1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect283k1 --PeerKey=BOB_cf_sect283k1_PUB --SharedSecret=03f67c88bdc230b43773d17fdb4d0a980556d074ceccee726932160e4ed965e3be72803c -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect283k1 --PeerKey=ALICE_cf_sect283k1_PUB 
--SharedSecret=03f67c88bdc230b43773d17fdb4d0a980556d074ceccee726932160e4ed965e3be72803c -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect283k1 --PeerKey=BOB_cf_sect283k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0677ba01c84d139609ca145cb5b6079fc9ca67f59c9c913e47cad1073f1d1dfaddde0169 -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect283k1 --PeerKey=ALICE_cf_sect283k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0677ba01c84d139609ca145cb5b6079fc9ca67f59c9c913e47cad1073f1d1dfaddde0169 -- --PublicKey=MALICE_cf_sect283k1_PUB -------BEGIN PUBLIC KEY----- --MF4wEAYHKoZIzj0CAQYFK4EEABADSgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAABAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect283k1 --PeerKey=MALICE_cf_sect283k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect283k1 --PeerKey=MALICE_cf_sect283k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect283r1 curve tests -- --PrivateKey=ALICE_cf_sect283r1 -------BEGIN PRIVATE KEY----- --MEICAQAwEAYHKoZIzj0CAQYFK4EEABEEKzApAgEBBCQCQ5pqKvPxDysd1pi2Bv8Z11cFhsRZfuaf --4Pi0hpGr4ubZcHE= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect283r1_PUB -------BEGIN PUBLIC KEY----- --MF4wEAYHKoZIzj0CAQYFK4EEABEDSgAEBcsrGDgO7pbGybQX/00gRHtQq3+X9XrGb7Uzv9Nabwc/ --kntnBMF0I2KU+aaTjQx1GVtmNf7CvFwPLEBnfKjJAjekjsGyIqoq -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect283r1:ALICE_cf_sect283r1_PUB -- --PrivateKey=BOB_cf_sect283r1 -------BEGIN PRIVATE KEY----- --MEICAQAwEAYHKoZIzj0CAQYFK4EEABEEKzApAgEBBCQDxItnY3cDCrX/jGnVuAKDPaySZCr3E83Q --UdFnP6YIykt7+Pg= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect283r1_PUB -------BEGIN PUBLIC KEY----- --MF4wEAYHKoZIzj0CAQYFK4EEABEDSgAEBJ2C9BCkX0YRfs2ufgUKvreUXFWp2AGK+iHlZB4N3LqO --PKpmAkrAeCMty6mw2mEnOR5HA1d4Ee+z7/NJgJJ80Ra9bFnreOW3 -------END 
PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect283r1:BOB_cf_sect283r1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect283r1 --PeerKey=BOB_cf_sect283r1_PUB --SharedSecret=0424259cf09727574fb863cab7c27d8fe3835e96433110a45a951f94347fc81939ec4773 -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect283r1 --PeerKey=ALICE_cf_sect283r1_PUB --SharedSecret=0424259cf09727574fb863cab7c27d8fe3835e96433110a45a951f94347fc81939ec4773 -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect283r1 --PeerKey=BOB_cf_sect283r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01c2a542654ce85b17456ed75b6bca6b6eb761580913670debc426a3525f236df0e875c8 -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect283r1 --PeerKey=ALICE_cf_sect283r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=01c2a542654ce85b17456ed75b6bca6b6eb761580913670debc426a3525f236df0e875c8 -- --PublicKey=MALICE_cf_sect283r1_PUB -------BEGIN PUBLIC KEY----- --MF4wEAYHKoZIzj0CAQYFK4EEABEDSgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAByvMnFeSsevoGYMIn7b4NaL9IgowRCTKF8CCrhdEKu3pubP2 -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect283r1 --PeerKey=MALICE_cf_sect283r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect283r1 --PeerKey=MALICE_cf_sect283r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect409k1 curve tests -- --PrivateKey=ALICE_cf_sect409k1 -------BEGIN PRIVATE KEY----- --MFECAQAwEAYHKoZIzj0CAQYFK4EEACQEOjA4AgEBBDMOthcLahkXFgM0wjOzm767D1A72sFRGlhb --bVH+EB7z2WpIcPX4OD+M4Y1pf/a7wSaoSAo= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect409k1_PUB -------BEGIN PUBLIC KEY----- --MH4wEAYHKoZIzj0CAQYFK4EEACQDagAEAbiYYpeFgCMsZFMzQaiwMJDrC+mCMT7KmhYtD5EMMgLW --5OvhaqYdpRf49A8LOtVcRT7J5gGcMrXQgmQeS3FenA5owWnB2NIgrTNf5d8AAEtrOupsJ4c3kL6e --aAzayZ1+UCEj8skbC9U= -------END PUBLIC KEY----- -- 
--PrivPubKeyPair=ALICE_cf_sect409k1:ALICE_cf_sect409k1_PUB -- --PrivateKey=BOB_cf_sect409k1 -------BEGIN PRIVATE KEY----- --MFECAQAwEAYHKoZIzj0CAQYFK4EEACQEOjA4AgEBBDMO43ldQllTewdZwffH4OEXdzBrLwabKsn4 --6/hjgIAaYda/pt4yCEQLMp18QgtfMey5ENI= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect409k1_PUB -------BEGIN PUBLIC KEY----- --MH4wEAYHKoZIzj0CAQYFK4EEACQDagAEAVTQj6hRizVmOx4Z6vroN/zMkmAY+QhkQ0CnFeJ0AydY --Fv+f+/420vMC1Mhqsc9VzPMmIAH6ZrgGKDsd4Ce9JUtYE0rVhGeiG2RaN1U5RlhVK4avkWhFlyQ5 --vuu4aApQiWE3yQd9v/I= -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect409k1:BOB_cf_sect409k1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect409k1 --PeerKey=BOB_cf_sect409k1_PUB --SharedSecret=01fbe13188588c9d1ac3a8a2680ea9a009b28e4b7d7fa4efcb1a22553876fb7973616819fd87c75e5b8ce6e3628595e4ce12edb0 -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect409k1 --PeerKey=ALICE_cf_sect409k1_PUB --SharedSecret=01fbe13188588c9d1ac3a8a2680ea9a009b28e4b7d7fa4efcb1a22553876fb7973616819fd87c75e5b8ce6e3628595e4ce12edb0 -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect409k1 --PeerKey=BOB_cf_sect409k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=007e9485f7234bb2255bb40e51f4be867cb0ef31f8e489a697b31b51c4d5346daaee51e96ae6f9636e6e3af56095fe28755325ee -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect409k1 --PeerKey=ALICE_cf_sect409k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=007e9485f7234bb2255bb40e51f4be867cb0ef31f8e489a697b31b51c4d5346daaee51e96ae6f9636e6e3af56095fe28755325ee -- --PublicKey=MALICE_cf_sect409k1_PUB -------BEGIN PUBLIC KEY----- --MH4wEAYHKoZIzj0CAQYFK4EEACQDagAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAA= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect409k1 --PeerKey=MALICE_cf_sect409k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer 
--Derive=ALICE_cf_sect409k1 --PeerKey=MALICE_cf_sect409k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect409r1 curve tests -- --PrivateKey=ALICE_cf_sect409r1 -------BEGIN PRIVATE KEY----- --MFICAQAwEAYHKoZIzj0CAQYFK4EEACUEOzA5AgEBBDQAxSC9lST5dtfXQI1Ug9VMMoue3GGni5ON --+gieyXK2KKbd29KAPs4/AOd8kX2wQDsZPO7E -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect409r1_PUB -------BEGIN PUBLIC KEY----- --MH4wEAYHKoZIzj0CAQYFK4EEACUDagAEASAvXAM15DJerAu1JttpBuMJK1/fEfFohu2iEpt3r7Ui --iQoER6HUsWiw1hhcJyTv7WzpJQHFWrOlJMe/KjmQa/CygSc65YHDzG27oUL+KGdQUGc79ZRSwl/q --fGZqa3D+bDVMwrhmZto= -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect409r1:ALICE_cf_sect409r1_PUB -- --PrivateKey=BOB_cf_sect409r1 -------BEGIN PRIVATE KEY----- --MFICAQAwEAYHKoZIzj0CAQYFK4EEACUEOzA5AgEBBDQARen+1P3JQzBgOv0pUYwsZTPRVLpqqDAU --7mKL2lk9eH7zSGmtNoMvP2m1S2dBnXxFY/bV -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect409r1_PUB -------BEGIN PUBLIC KEY----- --MH4wEAYHKoZIzj0CAQYFK4EEACUDagAEAbDUw066TtdfOpDvrlKosEyqUNEG7rY+AKvDqKw+HOzf --sUTYee6cEf71oqJ1sCKPQiYzlwCu/HLQeWPxISE6Uo+53kkeJml2xpMBwoE25Gq/DSS61dR7SRTZ --+sUmumbIuGzbrjtMRmw= -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect409r1:BOB_cf_sect409r1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect409r1 --PeerKey=BOB_cf_sect409r1_PUB --SharedSecret=00a751259cdb3b445ce71a40a01a2189dfce70226111190505fc6eabe4e5a05bff7af55f2015e1ffcab6aea7ea9a6e74905da2a1 -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect409r1 --PeerKey=ALICE_cf_sect409r1_PUB --SharedSecret=00a751259cdb3b445ce71a40a01a2189dfce70226111190505fc6eabe4e5a05bff7af55f2015e1ffcab6aea7ea9a6e74905da2a1 -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect409r1 --PeerKey=BOB_cf_sect409r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0115a31aed416c5089d74a263ec300aff13a5329c6ad27de950ae0b0917b40a3464fccf5691ac9633a51e5177a82b15cfc434aad -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect409r1 
--PeerKey=ALICE_cf_sect409r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=0115a31aed416c5089d74a263ec300aff13a5329c6ad27de950ae0b0917b40a3464fccf5691ac9633a51e5177a82b15cfc434aad -- --PublicKey=MALICE_cf_sect409r1_PUB -------BEGIN PUBLIC KEY----- --MH4wEAYHKoZIzj0CAQYFK4EEACUDagAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAACZNffkdo7i7yL5tKKfU8tdk6su0K185XwbJkn96JWVDPZXZ3My --bFKKSOJ7hyrM8Lwl1e8= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect409r1 --PeerKey=MALICE_cf_sect409r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect409r1 --PeerKey=MALICE_cf_sect409r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect571k1 curve tests -- --PrivateKey=ALICE_cf_sect571k1 -------BEGIN PRIVATE KEY----- --MGYCAQAwEAYHKoZIzj0CAQYFK4EEACYETzBNAgEBBEgB4agvk7Qdf9bVb9aMVdtXL0MuVw6dTleB --zrpPMYty/piI5GWkQEGVp4OJSjF1BGgWmtYSYlV0oI8jJ7hfWTjVGfVWix4ipb8= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect571k1_PUB -------BEGIN PUBLIC KEY----- --MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQDUZq0ZrgYpTXNpOptjExaur0K9FAYHv1j9cvAptwX --dcmQf3VqekMkGZCfNdqNeqCajG3QHRkBHe4FZhWr3FXi8whvvr463lUDf+t46un1kE6FTYfhILGa --sBZm7OdfkarYd9TXBbmnkFA+XkyPlkM1+6daM3/WmnegK+TYghFDXLgwiyF8s0ElllF7z38Gmc4= -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect571k1:ALICE_cf_sect571k1_PUB -- --PrivateKey=BOB_cf_sect571k1 -------BEGIN PRIVATE KEY----- --MGYCAQAwEAYHKoZIzj0CAQYFK4EEACYETzBNAgEBBEgA3pINxGOI7L9M+Mil+bm/udPwI4xu7ubJ --p3aoOepTXW94laf8wjFLcQnRUwH87Vbq9VLQEfCAFvr2vZoBc+5asnNuDhRNNeQ= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect571k1_PUB -------BEGIN PUBLIC KEY----- --MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQDZRr5GCSq2uzGxmWNB+bED7zye18Rr/KehwXrbn1r --rKtR8fe+dg2V15FieC3qZe/wCpMtyp79VmEabGi6iGLlAN/rUE81URsA/K7GVpmklslV5gmwryR0 
--3E7jGKPFesun9iNtmpgM18P9y3aJd4Qr4hMlwW2Nyw187l6QB/W2e/i+8vKXFTLHlz5WLAyAcpA= -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect571k1:BOB_cf_sect571k1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect571k1 --PeerKey=BOB_cf_sect571k1_PUB --SharedSecret=02b79c92cee50dc5b9fdddce36d4fa2e28d7d178cd74e575961f39429496305b38815c840c2e66327435c044ed885ec964068531251a2112717602532e8b6d5411db2fe05c1ac18c -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect571k1 --PeerKey=ALICE_cf_sect571k1_PUB --SharedSecret=02b79c92cee50dc5b9fdddce36d4fa2e28d7d178cd74e575961f39429496305b38815c840c2e66327435c044ed885ec964068531251a2112717602532e8b6d5411db2fe05c1ac18c -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect571k1 --PeerKey=BOB_cf_sect571k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=063aea789492c9727a5a6b7f24e8d3d377c70ee8e86b13664e191a53b1905e90e78b85960b1881db5160c7c5cacca0d686d9e104140d565eeeec17426f93d3a7ba639ecd716b43d2 -- --# ECC CDH Bob with Alice peer --Derive=BOB_cf_sect571k1 --PeerKey=ALICE_cf_sect571k1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=063aea789492c9727a5a6b7f24e8d3d377c70ee8e86b13664e191a53b1905e90e78b85960b1881db5160c7c5cacca0d686d9e104140d565eeeec17426f93d3a7ba639ecd716b43d2 -- --PublicKey=MALICE_cf_sect571k1_PUB -------BEGIN PUBLIC KEY----- --MIGnMBAGByqGSM49AgEGBSuBBAAmA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAE= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect571k1 --PeerKey=MALICE_cf_sect571k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect571k1 --PeerKey=MALICE_cf_sect571k1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --Title=sect571r1 curve tests -- --PrivateKey=ALICE_cf_sect571r1 -------BEGIN 
PRIVATE KEY----- --MGYCAQAwEAYHKoZIzj0CAQYFK4EEACcETzBNAgEBBEgAxfL2/gUsmJonvDMR95Azq1ySgXMlKSRk --+PL+WaS92ZyOo45HaC7RpH5sdkf4b948u6y1BXOxGZuORXy6lgbgZ1Zx2UgL3cI= -------END PRIVATE KEY----- -- --PublicKey=ALICE_cf_sect571r1_PUB -------BEGIN PUBLIC KEY----- --MIGnMBAGByqGSM49AgEGBSuBBAAnA4GSAAQBK5L9ccIWacU2A1srZ35opPu6kcbEOsBPmvj/rlMS --fFrdMOcagOYfcD0/ouYHPhvkHbr9k87IlQJfnV6ZNRA4PmWSp/FjkNwETm/fqTCUQHti/qqnKH7R --Ed4fYROLFGvz+PX6E20SryOt1vrmoRyC7Z5FVmgMVOQQ1AaBNAHi3+IPtKx41YdXdbqHJxuI5jE= -------END PUBLIC KEY----- -- --PrivPubKeyPair=ALICE_cf_sect571r1:ALICE_cf_sect571r1_PUB -- --PrivateKey=BOB_cf_sect571r1 -------BEGIN PRIVATE KEY----- --MGYCAQAwEAYHKoZIzj0CAQYFK4EEACcETzBNAgEBBEgAzcRvASPpWi0ybpOGlj0Lozz01C2a5oDA --G5alib1EmZKcpVULxJXn75FQlTKpkUEuWUgA4yk5X5DTiScUuh4LDhaF3AFhsEY= -------END PRIVATE KEY----- -- --PublicKey=BOB_cf_sect571r1_PUB -------BEGIN PUBLIC KEY----- --MIGnMBAGByqGSM49AgEGBSuBBAAnA4GSAAQH3dnL22NajtqDWTX6qD14w1BOlpHFBUPTr24VySlh --kiiBlOF95u7hFr/hSb7gm/3f+IVKyE18Sh2kR4KaxWcPWKY5xKTiqiICT7hCistuzNRt8gR+kNOT --c1rETMV6ZruZinwzEWWWjwJf6612oy2HG3CX3B8Rm+a3sS0q6IzowEwqmDv6v9bMTFk8bsCv0Fk= -------END PUBLIC KEY----- -- --PrivPubKeyPair=BOB_cf_sect571r1:BOB_cf_sect571r1_PUB -- --# ECDH Alice with Bob peer --Derive=ALICE_cf_sect571r1 --PeerKey=BOB_cf_sect571r1_PUB --SharedSecret=0031f9879fa75b8c67ba81ee861be634e2b53aa79f834e9a8ca4df7f4461bcb02f083d9fa5b4767f881a710caa6524b58eb626623ba394961d46535204c26d165089e7d4f7be1827 -- --# ECDH Bob with Alice peer --Derive=BOB_cf_sect571r1 --PeerKey=ALICE_cf_sect571r1_PUB --SharedSecret=0031f9879fa75b8c67ba81ee861be634e2b53aa79f834e9a8ca4df7f4461bcb02f083d9fa5b4767f881a710caa6524b58eb626623ba394961d46535204c26d165089e7d4f7be1827 -- --# ECC CDH Alice with Bob peer --Derive=ALICE_cf_sect571r1 --PeerKey=BOB_cf_sect571r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=012e8c2c1554988fe20c5ae7d11cdcfe15c7c6e8d2b6f46a43a45d724bfc7b415ea7594d5c16f770a95d6e65bbcb1f34619db95e89f4fecbcb0bc6a3f92d52df6a49b0e7773e0ac0 -- --# 
ECC CDH Bob with Alice peer --Derive=BOB_cf_sect571r1 --PeerKey=ALICE_cf_sect571r1_PUB --Ctrl=ecdh_cofactor_mode:1 --SharedSecret=012e8c2c1554988fe20c5ae7d11cdcfe15c7c6e8d2b6f46a43a45d724bfc7b415ea7594d5c16f770a95d6e65bbcb1f34619db95e89f4fecbcb0bc6a3f92d52df6a49b0e7773e0ac0 -- --PublicKey=MALICE_cf_sect571r1_PUB -------BEGIN PUBLIC KEY----- --MIGnMBAGByqGSM49AgEGBSuBBAAnA4GSAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHMtVWZAwgtd1zmgWN/9WC --aNQcWRNUKesEHXqhJVkC5jYsSACodKsLYFNrWEYM0gwG8DQONZSn93G+38EM45tkaZsIRDt2HEM= -------END PUBLIC KEY----- -- --# ECC CDH Bob with Malice peer --Derive=BOB_cf_sect571r1 --PeerKey=MALICE_cf_sect571r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -- --# ECC CDH Alice with Malice peer --Derive=ALICE_cf_sect571r1 --PeerKey=MALICE_cf_sect571r1_PUB --Ctrl=ecdh_cofactor_mode:1 --Result=DERIVE_ERROR --Reason=point at infinity -diff -up openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt ---- openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt.remove-ec 2021-06-30 10:51:23.258816802 +0200 -+++ openssl-3.0.0-beta1/test/recipes/30-test_evp_data/evppkey_ecc.txt 2021-06-30 11:25:33.504721672 +0200 -@@ -1,3 +1,4 @@ -+ - # - # Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. 
- # -@@ -55,151 +56,6 @@ Derive=BOB_cf_secp256k1 - PeerKey=ALICE_cf_secp256k1_PUB - SharedSecret=a4745cc4d19cabb9e5cb0abdd5c604cab2846a4638ad844ed9175f3cadda2da1 - -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQIEHzAdAgEBBBj1AIQMJ7jqYIKCvxYAS+qKMmKmH0to --41k= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime192v2_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQIDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4Gj7Qqt --2wx/jwFlKgvE4rnd50LspdMk -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime192v2 --PeerKey=BOB_zero_prime192v2_PUB --SharedSecret=b8f200a4b87064f2e8600685ca3e69b8e661a117aabc770b -- --PrivateKey=ALICE_zero_prime192v3 -------BEGIN PRIVATE KEY----- --MDkCAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQMEHzAdAgEBBBh/maLQMSlea9BfLqGy5NPuK0YAH/cz --GqI= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime192v3_PUB -------BEGIN PUBLIC KEY----- --MEkwEwYHKoZIzj0CAQYIKoZIzj0DAQMDMgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAZEzb63e2 --3MKatRLR9Y1M5JEdI9jwMocI -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime192v3 --PeerKey=BOB_zero_prime192v3_PUB --SharedSecret=b5de857d355bc5b9e270a4c290ea9728d764d8b243ff5d8d -- --PrivateKey=ALICE_zero_prime239v1 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQQEJTAjAgEBBB5pYWzRYI+c6O7NXCt0H2kw8XRL3rhe --4MrJT8j++CI= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime239v1_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQQDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --Ox02uwNNLFuvDRn5ip8TxvW0W22R7UzJa9Av6/nh -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime239v1 --PeerKey=BOB_zero_prime239v1_PUB --SharedSecret=6b6206408bd05d42daa2cd224c401a1230b44e184f17b82f385f22dac215 -- --PrivateKey=ALICE_zero_prime239v2 -------BEGIN PRIVATE KEY----- 
--MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQUEJTAjAgEBBB5l8bB7Cpmr7vyx9FiOT2wEF3YOFbDG --bmRr3Vi/xr4= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime239v2_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQUDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --IOg3VJGQ89d1GWg4Igxcj5xpDmJiP8tv+e4mxt5U -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime239v2 --PeerKey=BOB_zero_prime239v2_PUB --SharedSecret=772c2819c960c78f28f21f6542b7409294fad1f84567c44c4b7678dc0e42 -- --PrivateKey=ALICE_zero_prime239v3 -------BEGIN PRIVATE KEY----- --MD8CAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQYEJTAjAgEBBB5HF5FABzUOTYMZg9UdZTx/oRERm/fU --M/+otKzpLjA= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime239v3_PUB -------BEGIN PUBLIC KEY----- --MFUwEwYHKoZIzj0CAQYIKoZIzj0DAQYDPgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AsZ4u6r3qQI78EYBpiSgWjqNpoeShjr5piecMBWj -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime239v3 --PeerKey=BOB_zero_prime239v3_PUB --SharedSecret=56a71f5dd1611e8032c3e2d8224d86e5e8c2fc6480d74c0e282282decd43 -- --PrivateKey=ALICE_zero_prime256v1 -------BEGIN PRIVATE KEY----- --MEECAQAwEwYHKoZIzj0CAQYIKoZIzj0DAQcEJzAlAgEBBCDXhMb6aR4JR2+l2tmgYqP0r8S4jtym --yH++awvF2nGhhg== -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_prime256v1_PUB -------BEGIN PUBLIC KEY----- --MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AABmSFx4Di+D1yQzvV2EoGu2VBwq8x2uhxcov4VqF0+T9A== -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_prime256v1 --PeerKey=BOB_zero_prime256v1_PUB --SharedSecret=c4f5607deb8501f1a4ba23fce4122a4343a17ada2c86a9c8e0d03d92d4a4c84c -- --PrivateKey=ALICE_zero_secp384r1 -------BEGIN PRIVATE KEY----- --ME4CAQAwEAYHKoZIzj0CAQYFK4EEACIENzA1AgEBBDD6kgzKbg28zbQyVTdC0IdHbm0UCQt2Rdbi --VVHJeYRSnNpFOiFLaOsGOmwoeZzj6jc= -------END PRIVATE KEY----- -- 
--PublicKey=BOB_zero_secp384r1_PUB -------BEGIN PUBLIC KEY----- --MHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAPPme8E9RpepjC6P5+WDdWToUyb45/SvSFdO0sIqq+Gu/kn8sRuUqsG+3 --QriFDlIe -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp384r1 --PeerKey=BOB_zero_secp384r1_PUB --SharedSecret=b1cfeaeef51dfd487d3a8b2849f1592e04d63f2d2c88b310a6290ebfe5399f5ffe954eabd0619231393e56c35b242986 -- --PrivateKey=ALICE_zero_secp521r1 -------BEGIN PRIVATE KEY----- --MGACAQAwEAYHKoZIzj0CAQYFK4EEACMESTBHAgEBBEIAbddDLMUWbAsY7l3vbNDmntXuAUcDYPg5 --w/cgUwSCIvrV9MBeSG8AWqT16riHmHlsn+XI5PAJM6eij3JDahnu9Mo= -------END PRIVATE KEY----- -- --PublicKey=BOB_zero_secp521r1_PUB -------BEGIN PUBLIC KEY----- --MIGbMBAGByqGSM49AgEGBSuBBAAjA4GGAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA --AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0g7J/qa1d8ENJsobtEb0CymeZIsa --1Qiq0GiJb+4/jmFLxjBU1Xcr8Bpl1BLgvKqOll0vXTMtfzn4RtRArgAfT4c= -------END PUBLIC KEY----- -- --# ECDH Alice with Bob peer --Availablein = default --Derive=ALICE_zero_secp521r1 --PeerKey=BOB_zero_secp521r1_PUB --SharedSecret=003fc3028f61db94b20c7cd177923b6e73f12f0ab067c9ce8866755e3c82abb39c9863cde74fa80b32520bd7dd0eb156c30c08911503b67b2661f1264d09bb231423 -- - Title=prime256v1 curve tests - - PrivateKey=ALICE_cf_prime256v1 -diff -up openssl-3.0.7/test/recipes/15-test_ec.t.skipshort openssl-3.0.7/test/recipes/15-test_ec.t ---- openssl-3.0.7/test/recipes/15-test_ec.t.skipshort 2022-11-23 12:40:55.324395782 +0100 -+++ openssl-3.0.7/test/recipes/15-test_ec.t 2022-11-23 12:42:12.478094387 +0100 -@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key - - subtest 'Check loading of fips and non-fips keys' => sub { - plan skip_all => "FIPS is disabled" -- if $no_fips; -+ if 1; #Red Hat specific, original value is $no_fips; - - plan tests => 2; + my @prime_curves = qw( +- secp112r1 +- secp112r2 +- secp128r1 +- secp128r2 +- secp160k1 +- 
secp160r1 +- secp160r2 +- secp192k1 +- secp224k1 + secp224r1 + secp256k1 + secp384r1 + secp521r1 +- prime192v1 +- prime192v2 +- prime192v3 +- prime239v1 +- prime239v2 +- prime239v3 + prime256v1 +- wap-wsg-idm-ecid-wtls6 +- wap-wsg-idm-ecid-wtls7 +- wap-wsg-idm-ecid-wtls8 +- wap-wsg-idm-ecid-wtls9 +- wap-wsg-idm-ecid-wtls12 +- brainpoolP160r1 +- brainpoolP160t1 +- brainpoolP192r1 +- brainpoolP192t1 +- brainpoolP224r1 +- brainpoolP224t1 + brainpoolP256r1 + brainpoolP256t1 + brainpoolP320r1 +@@ -136,7 +110,6 @@ push(@other_curves, 'SM2') + if !disabled("sm2"); + my @curve_aliases = qw( +- P-192 + P-224 + P-256 + P-384 diff --git a/0013-skipped-tests-EC-curves.patch b/0013-skipped-tests-EC-curves.patch new file mode 100644 index 0000000..0c81d4c --- /dev/null +++ b/0013-skipped-tests-EC-curves.patch 
@@ -0,0 +1,36 @@
+diff -up ./test/recipes/15-test_ec.t.skip-tests ./test/recipes/15-test_ec.t
+--- ./test/recipes/15-test_ec.t.skip-tests 2023-03-14 13:42:38.865508269 +0100
++++ ./test/recipes/15-test_ec.t 2023-03-14 13:43:36.237021635 +0100
+@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key
+
+ subtest 'Check loading of fips and non-fips keys' => sub {
+ plan skip_all => "FIPS is disabled"
+- if $no_fips;
++ if 1; #Red Hat specific, original value is $no_fips;
+
+ plan tests => 2;
+
+diff -up ./test/recipes/65-test_cmp_protect.t.skip-tests ./test/recipes/65-test_cmp_protect.t
+--- ./test/recipes/65-test_cmp_protect.t.skip-tests 2023-03-14 10:13:11.342056559 +0100
++++ ./test/recipes/65-test_cmp_protect.t 2023-03-14 10:14:42.643873496 +0100
+@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo
+ plan skip_all => "This test is not supported in a shared library build on Windows"
+ if $^O eq 'MSWin32' && !disabled("shared");
+
+-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
+
+ my @basic_cmd = ("cmp_protect_test",
+ data_file("server.pem"),
+diff -up ./test/recipes/65-test_cmp_vfy.t.skip-tests ./test/recipes/65-test_cmp_vfy.t
+--- ./test/recipes/65-test_cmp_vfy.t.skip-tests 2023-03-14 10:13:38.106296042 +0100
++++ ./test/recipes/65-test_cmp_vfy.t 2023-03-14 10:16:56.496071178 +0100
+@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo
+ plan skip_all => "This test is not supported in a no-ec build"
+ if disabled("ec");
+
+-plan tests => 2 + ($no_fips ? 0 : 1); #fips test
++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test
+
+ my @basic_cmd = ("cmp_vfy_test",
+ data_file("server.crt"), data_file("client.crt"),
diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch
index d2bea7f..bfee965 100644
--- a/0045-FIPS-services-minimize.patch
+++ b/0045-FIPS-services-minimize.patch
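Review bot: In the 65-test_cmp_protect.t and 65-test_cmp_vfy.t sections of the new 0013 patch, `plan skip_all => 2 + ($no_fips ? 0 : 1);` hands the former test count to `skip_all`, which expects a reason string, so both CMP recipes are skipped in full and the harness prints only `2` or `3` as the reason. That removes all downstream coverage of CMP message protection and verification with nothing in the log saying why, so a regression in those paths would pass the package build unnoticed. I would write the reason out, e.g. `plan skip_all => "Red Hat specific: <reason for skipping>";`, and, if only some cases depend on the removed EC curves (inferred from the patch name, not shown in this hunk), skip just those cases instead of the whole recipe. The same applies to `if 1;` in the 15-test_ec.t section, which still reports "FIPS is disabled" even when FIPS is enabled; a separate `plan skip_all => "<reason>";` line would keep the log truthful.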
@@ -434,9 +434,9 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 openssl-3.0.1/test/re + evpkdf_x942_des.txt + evpmac_cmac_des.txt + ) unless $no_des; + push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; - plan tests => diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt --- openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 2022-05-05 14:46:32.721700697 +0200 +++ openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt 2022-05-05 14:51:40.205418897 +0200 diff --git a/ec_curve.c b/ec_curve.c deleted file mode 100644 index 64ac40b..0000000 --- a/ec_curve.c +++ /dev/null 
@@ -1,628 +0,0 @@ -/* - * Copyright 2002-2021 The OpenSSL Project Authors. All Rights Reserved. - * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * ECDSA low level APIs are deprecated for public use, but still ok for - * internal use. - */ -#include "internal/deprecated.h" - -#include -#include "ec_local.h" -#include -#include -#include -#include -#include "internal/nelem.h" - -typedef struct { - int field_type, /* either NID_X9_62_prime_field or - * NID_X9_62_characteristic_two_field */ - seed_len, param_len; - unsigned int cofactor; /* promoted to BN_ULONG */ -} EC_CURVE_DATA; - -/* the nist prime curves */ -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 28 * 6]; -} _EC_NIST_PRIME_224 = { - { - NID_X9_62_prime_field, 20, 28, 1 - }, - { - /* seed */ - 0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F, - 0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5, - /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x01, - /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, - /* b */ - 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56, - 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43, - 0x23, 0x55, 0xFF, 0xB4, - /* x */ - 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9, - 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6, - 0x11, 0x5C, 0x1D, 0x21, - /* y */ - 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 
0x4c, 0x22, 0xdf, 0xe6, - 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, - 0x85, 0x00, 0x7e, 0x34, - /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45, - 0x5C, 0x5C, 0x2A, 0x3D - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 48 * 6]; -} _EC_NIST_PRIME_384 = { - { - NID_X9_62_prime_field, 20, 48, 1 - }, - { - /* seed */ - 0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A, - 0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73, - /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC, - /* b */ - 0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B, - 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12, - 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, - 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF, - /* x */ - 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E, - 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98, - 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, - 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7, - /* y */ - 0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf, - 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c, - 0xe9, 
0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce, - 0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f, - /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2, - 0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 66 * 6]; -} _EC_NIST_PRIME_521 = { - { - NID_X9_62_prime_field, 20, 66, 1 - }, - { - /* seed */ - 0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17, - 0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA, - /* p */ - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - /* a */ - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, - /* b */ - 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A, - 0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3, - 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19, - 0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1, - 0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45, - 0x1F, 0xD4, 0x6B, 0x50, 0x3F, 
0x00, - /* x */ - 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E, - 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 0x05, 0x3F, - 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B, - 0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF, - 0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E, - 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66, - /* y */ - 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, - 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, - 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, - 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, - 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, - 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50, - /* order */ - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86, - 0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09, - 0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F, - 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 32 * 6]; -} _EC_X9_62_PRIME_256V1 = { - { - NID_X9_62_prime_field, 20, 32, 1 - }, - { - /* seed */ - 0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1, - 0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90, - /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, - /* b */ - 0x5A, 
0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55, - 0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6, - 0x3B, 0xCE, 0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B, - /* x */ - 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5, - 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0, - 0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96, - /* y */ - 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, - 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, - 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5, - /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, - 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -} _EC_SECG_PRIME_256K1 = { - { - NID_X9_62_prime_field, 0, 32, 1 - }, - { - /* no seed */ - /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F, - /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - /* b */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, - /* x */ - 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, - 0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, - 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98, - /* y */ - 0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc, - 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19, - 0x9c, 0x47, 
0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8, - /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, - 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41 - } -}; - -typedef struct _ec_list_element_st { - int nid; - const EC_CURVE_DATA *data; - const EC_METHOD *(*meth) (void); - const char *comment; -} ec_list_element; - -#ifdef FIPS_MODULE -static const ec_list_element curve_list[] = { - /* prime field curves */ - /* secg curves */ - {NID_secp224r1, &_EC_NIST_PRIME_224.h, -# if !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) - EC_GFp_nistp224_method, -# else - 0, -# endif - "NIST/SECG curve over a 224 bit prime field"}, - /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ - {NID_secp384r1, &_EC_NIST_PRIME_384.h, -# if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp384_method, -# else - 0, -# endif - "NIST/SECG curve over a 384 bit prime field"}, - - {NID_secp521r1, &_EC_NIST_PRIME_521.h, -# if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp521_method, -# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) - EC_GFp_nistp521_method, -# else - 0, -# endif - "NIST/SECG curve over a 521 bit prime field"}, - - /* X9.62 curves */ - {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, -# if defined(ECP_NISTZ256_ASM) - EC_GFp_nistz256_method, -# elif defined(S390X_EC_ASM) - EC_GFp_s390x_nistp256_method, -# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) - EC_GFp_nistp256_method, -# else - 0, -# endif - "X9.62/SECG curve over a 256 bit prime field"}, -}; - -#else - -static const ec_list_element curve_list[] = { - /* prime field curves */ - /* secg curves */ -# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 - {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, - "NIST/SECG curve over a 224 bit prime field"}, -# else - {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, - "NIST/SECG curve over a 224 bit prime field"}, -# endif - {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, - "SECG curve over a 256 bit 
prime field"}, - /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ - {NID_secp384r1, &_EC_NIST_PRIME_384.h, -# if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp384_method, -# else - 0, -# endif - "NIST/SECG curve over a 384 bit prime field"}, - {NID_secp521r1, &_EC_NIST_PRIME_521.h, -# if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp521_method, -# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) - EC_GFp_nistp521_method, -# else - 0, -# endif - "NIST/SECG curve over a 521 bit prime field"}, - /* X9.62 curves */ - {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, -# if defined(ECP_NISTZ256_ASM) - EC_GFp_nistz256_method, -# elif defined(S390X_EC_ASM) - EC_GFp_s390x_nistp256_method, -# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) - EC_GFp_nistp256_method, -# else - 0, -# endif - "X9.62/SECG curve over a 256 bit prime field"}, -}; -#endif /* FIPS_MODULE */ - -#define curve_list_length OSSL_NELEM(curve_list) - -static const ec_list_element *ec_curve_nid2curve(int nid) -{ - size_t i; - - if (nid <= 0) - return NULL; - - for (i = 0; i < curve_list_length; i++) { - if (curve_list[i].nid == nid) - return &curve_list[i]; - } - return NULL; -} - -static EC_GROUP *ec_group_new_from_data(OSSL_LIB_CTX *libctx, - const char *propq, - const ec_list_element curve) -{ - EC_GROUP *group = NULL; - EC_POINT *P = NULL; - BN_CTX *ctx = NULL; - BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order = - NULL; - int ok = 0; - int seed_len, param_len; - const EC_METHOD *meth; - const EC_CURVE_DATA *data; - const unsigned char *params; - - /* If no curve data curve method must handle everything */ - if (curve.data == NULL) - return ossl_ec_group_new_ex(libctx, propq, - curve.meth != NULL ? 
curve.meth() : NULL); - - if ((ctx = BN_CTX_new_ex(libctx)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_MALLOC_FAILURE); - goto err; - } - - data = curve.data; - seed_len = data->seed_len; - param_len = data->param_len; - params = (const unsigned char *)(data + 1); /* skip header */ - params += seed_len; /* skip seed */ - - if ((p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) == NULL - || (a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) == NULL - || (b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); - goto err; - } - - if (curve.meth != 0) { - meth = curve.meth(); - if (((group = ossl_ec_group_new_ex(libctx, propq, meth)) == NULL) || - (!(group->meth->group_set_curve(group, p, a, b, ctx)))) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - } else if (data->field_type == NID_X9_62_prime_field) { - if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - } -#ifndef OPENSSL_NO_EC2M - else { /* field_type == - * NID_X9_62_characteristic_two_field */ - - if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - } -#endif - - EC_GROUP_set_curve_name(group, curve.nid); - - if ((P = EC_POINT_new(group)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - - if ((x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) == NULL - || (y = BN_bin2bn(params + 4 * param_len, param_len, NULL)) == NULL) { - ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); - goto err; - } - if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - if ((order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) == NULL - || !BN_set_word(x, (BN_ULONG)data->cofactor)) { - ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); - goto err; - } - if (!EC_GROUP_set_generator(group, P, order, x)) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - if 
(seed_len) { - if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); - goto err; - } - } - ok = 1; - err: - if (!ok) { - EC_GROUP_free(group); - group = NULL; - } - EC_POINT_free(P); - BN_CTX_free(ctx); - BN_free(p); - BN_free(a); - BN_free(b); - BN_free(order); - BN_free(x); - BN_free(y); - return group; -} - -EC_GROUP *EC_GROUP_new_by_curve_name_ex(OSSL_LIB_CTX *libctx, const char *propq, - int nid) -{ - EC_GROUP *ret = NULL; - const ec_list_element *curve; - - if ((curve = ec_curve_nid2curve(nid)) == NULL - || (ret = ec_group_new_from_data(libctx, propq, *curve)) == NULL) { -#ifndef FIPS_MODULE - ERR_raise_data(ERR_LIB_EC, EC_R_UNKNOWN_GROUP, - "name=%s", OBJ_nid2sn(nid)); -#else - ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP); -#endif - return NULL; - } - - return ret; -} - -#ifndef FIPS_MODULE -EC_GROUP *EC_GROUP_new_by_curve_name(int nid) -{ - return EC_GROUP_new_by_curve_name_ex(NULL, NULL, nid); -} -#endif - -size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems) -{ - size_t i, min; - - if (r == NULL || nitems == 0) - return curve_list_length; - - min = nitems < curve_list_length ? nitems : curve_list_length; - - for (i = 0; i < min; i++) { - r[i].nid = curve_list[i].nid; - r[i].comment = curve_list[i].comment; - } - - return curve_list_length; -} - -const char *EC_curve_nid2nist(int nid) -{ - return ossl_ec_curve_nid2nist_int(nid); -} - -int EC_curve_nist2nid(const char *name) -{ - return ossl_ec_curve_nist2nid_int(name); -} - -#define NUM_BN_FIELDS 6 -/* - * Validates EC domain parameter data for known named curves. - * This can be used when a curve is loaded explicitly (without a curve - * name) or to validate that domain parameters have not been modified. - * - * Returns: The nid associated with the found named curve, or NID_undef - * if not found. If there was an error it returns -1. 
- */ -int ossl_ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx) -{ - int ret = -1, nid, len, field_type, param_len; - size_t i, seed_len; - const unsigned char *seed, *params_seed, *params; - unsigned char *param_bytes = NULL; - const EC_CURVE_DATA *data; - const EC_POINT *generator = NULL; - const BIGNUM *cofactor = NULL; - /* An array of BIGNUMs for (p, a, b, x, y, order) */ - BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL}; - - /* Use the optional named curve nid as a search field */ - nid = EC_GROUP_get_curve_name(group); - field_type = EC_GROUP_get_field_type(group); - seed_len = EC_GROUP_get_seed_len(group); - seed = EC_GROUP_get0_seed(group); - cofactor = EC_GROUP_get0_cofactor(group); - - BN_CTX_start(ctx); - - /* - * The built-in curves contains data fields (p, a, b, x, y, order) that are - * all zero-padded to be the same size. The size of the padding is - * determined by either the number of bytes in the field modulus (p) or the - * EC group order, whichever is larger. - */ - param_len = BN_num_bytes(group->order); - len = BN_num_bytes(group->field); - if (len > param_len) - param_len = len; - - /* Allocate space to store the padded data for (p, a, b, x, y, order) */ - param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS); - if (param_bytes == NULL) - goto end; - - /* Create the bignums */ - for (i = 0; i < NUM_BN_FIELDS; ++i) { - if ((bn[i] = BN_CTX_get(ctx)) == NULL) - goto end; - } - /* - * Fill in the bn array with the same values as the internal curves - * i.e. the values are p, a, b, x, y, order. 
- */ - /* Get p, a & b */ - if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx) - && ((generator = EC_GROUP_get0_generator(group)) != NULL) - /* Get x & y */ - && EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx) - /* Get order */ - && EC_GROUP_get_order(group, bn[5], ctx))) - goto end; - - /* - * Convert the bignum array to bytes that are joined together to form - * a single buffer that contains data for all fields. - * (p, a, b, x, y, order) are all zero padded to be the same size. - */ - for (i = 0; i < NUM_BN_FIELDS; ++i) { - if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0) - goto end; - } - - for (i = 0; i < curve_list_length; i++) { - const ec_list_element curve = curve_list[i]; - - data = curve.data; - /* Get the raw order byte data */ - params_seed = (const unsigned char *)(data + 1); /* skip header */ - params = params_seed + data->seed_len; - - /* Look for unique fields in the fixed curve data */ - if (data->field_type == field_type - && param_len == data->param_len - && (nid <= 0 || nid == curve.nid) - /* check the optional cofactor (ignore if its zero) */ - && (BN_is_zero(cofactor) - || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor)) - /* Check the optional seed (ignore if its not set) */ - && (data->seed_len == 0 || seed_len == 0 - || ((size_t)data->seed_len == seed_len - && memcmp(params_seed, seed, seed_len) == 0)) - /* Check that the groups params match the built-in curve params */ - && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS) - == 0) { - ret = curve.nid; - goto end; - } - } - /* Gets here if the group was not found */ - ret = NID_undef; -end: - OPENSSL_free(param_bytes); - BN_CTX_end(ctx); - return ret; -} diff --git a/ectest.c b/ectest.c deleted file mode 100644 index b2708ea..0000000 --- a/ectest.c +++ /dev/null 
@@ -1,2311 +0,0 @@ -/* - * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. - * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -/* - * EC_KEY low level APIs are deprecated for public use, but still ok for - * internal use. - */ -#include "internal/deprecated.h" - -#include -#include "internal/nelem.h" -#include "testutil.h" - -#include -#ifndef OPENSSL_NO_ENGINE -# include -#endif -#include -#include -#include -#include -#include -#include -#include -#include -#include - -static size_t crv_len = 0; -static EC_builtin_curve *curves = NULL; - -/* test multiplication with group order, long and negative scalars */ -static int group_order_tests(EC_GROUP *group) -{ - BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL; - EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL; - const EC_POINT *G = NULL; - BN_CTX *ctx = NULL; - int i = 0, r = 0; - - if (!TEST_ptr(n1 = BN_new()) - || !TEST_ptr(n2 = BN_new()) - || !TEST_ptr(order = BN_new()) - || !TEST_ptr(ctx = BN_CTX_new()) - || !TEST_ptr(G = EC_GROUP_get0_generator(group)) - || !TEST_ptr(P = EC_POINT_new(group)) - || !TEST_ptr(Q = EC_POINT_new(group)) - || !TEST_ptr(R = EC_POINT_new(group)) - || !TEST_ptr(S = EC_POINT_new(group))) - goto err; - - if (!TEST_true(EC_GROUP_get_order(group, order, ctx)) - || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, Q)) -#ifndef OPENSSL_NO_DEPRECATED_3_0 - || !TEST_true(EC_GROUP_precompute_mult(group, ctx)) -#endif - || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, Q)) - || !TEST_true(EC_POINT_copy(P, G)) - || !TEST_true(BN_one(n1)) - || !TEST_true(EC_POINT_mul(group, Q, n1, 
NULL, NULL, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)) - || !TEST_true(BN_sub(n1, order, n1)) - || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx)) - || !TEST_true(EC_POINT_invert(group, Q, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))) - goto err; - - for (i = 1; i <= 2; i++) { -#ifndef OPENSSL_NO_DEPRECATED_3_0 - const BIGNUM *scalars[6]; - const EC_POINT *points[6]; -#endif - - if (!TEST_true(BN_set_word(n1, i)) - /* - * If i == 1, P will be the predefined generator for which - * EC_GROUP_precompute_mult has set up precomputation. - */ - || !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx)) - || (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx))) - || !TEST_true(BN_one(n1)) - /* n1 = 1 - order */ - || !TEST_true(BN_sub(n1, n1, order)) - || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)) - - /* n2 = 1 + order */ - || !TEST_true(BN_add(n2, order, BN_value_one())) - || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)) - - /* n2 = (1 - order) * (1 + order) = 1 - order^2 */ - || !TEST_true(BN_mul(n2, n1, n2, ctx)) - || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))) - goto err; - - /* n2 = order^2 - 1 */ - BN_set_negative(n2, 0); - if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx)) - /* Add P to verify the result. */ - || !TEST_true(EC_POINT_add(group, Q, Q, P, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, Q)) - || !TEST_false(EC_POINT_is_at_infinity(group, P))) - goto err; - -#ifndef OPENSSL_NO_DEPRECATED_3_0 - /* Exercise EC_POINTs_mul, including corner cases. 
*/ - scalars[0] = scalars[1] = BN_value_one(); - points[0] = points[1] = P; - - if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx)) - || !TEST_true(EC_POINT_dbl(group, S, points[0], ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx))) - goto err; - - scalars[0] = n1; - points[0] = Q; /* => infinity */ - scalars[1] = n2; - points[1] = P; /* => -P */ - scalars[2] = n1; - points[2] = Q; /* => infinity */ - scalars[3] = n2; - points[3] = Q; /* => infinity */ - scalars[4] = n1; - points[4] = P; /* => P */ - scalars[5] = n2; - points[5] = Q; /* => infinity */ - if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, P))) - goto err; -#endif - } - - r = 1; -err: - if (r == 0 && i != 0) - TEST_info(i == 1 ? "allowing precomputation" : - "without precomputation"); - EC_POINT_free(P); - EC_POINT_free(Q); - EC_POINT_free(R); - EC_POINT_free(S); - BN_free(n1); - BN_free(n2); - BN_free(order); - BN_CTX_free(ctx); - return r; -} - -static int prime_field_tests(void) -{ - BN_CTX *ctx = NULL; - BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL; - EC_GROUP *group = NULL; - EC_POINT *P = NULL, *Q = NULL, *R = NULL; - BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL; -#ifndef OPENSSL_NO_DEPRECATED_3_0 - const EC_POINT *points[4]; - const BIGNUM *scalars[4]; -#endif - unsigned char buf[100]; - size_t len, r = 0; - int k; - - if (!TEST_ptr(ctx = BN_CTX_new()) - || !TEST_ptr(p = BN_new()) - || !TEST_ptr(a = BN_new()) - || !TEST_ptr(b = BN_new()) - /* - * applications should use EC_GROUP_new_curve_GFp so - * that the library gets to choose the EC_METHOD - */ - || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))) - goto err; - - buf[0] = 0; - if (!TEST_ptr(P = EC_POINT_new(group)) - || !TEST_ptr(Q = EC_POINT_new(group)) - || !TEST_ptr(R = EC_POINT_new(group)) - || !TEST_ptr(x = BN_new()) - || !TEST_ptr(y = BN_new()) - || !TEST_ptr(z = BN_new()) - || !TEST_ptr(yplusone = BN_new())) - 
goto err; - - /* Curve P-224 (FIPS PUB 186-2, App. 6) */ - - if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFF000000000000000000000001")) - || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE")) - || !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256" - "5044B0B7D7BFD8BA270B39432355FFB4")) - || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) - || !TEST_true(BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B9" - "4A03C1D356C21122343280D6115C1D21")) - || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF" - "FFFF16A2E0B8F03E13DD29455C5C2A3D")) - || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) - || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) - goto err; - - TEST_info("NIST curve P-224 -- Generator"); - test_output_bignum("x", x); - test_output_bignum("y", y); - /* G_y value taken from the standard: */ - if (!TEST_true(BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6" - "CD4375A05A07476444D5819985007E34")) - || !TEST_BN_eq(y, z) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. - */ - || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, - ctx)) - || !TEST_int_eq(EC_GROUP_get_degree(group), 224) - || !group_order_tests(group) - - /* Curve P-256 (FIPS PUB 186-2, App. 
6) */ - - || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000" - "00000000FFFFFFFFFFFFFFFFFFFFFFFF")) - || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000" - "00000000FFFFFFFFFFFFFFFFFFFFFFFC")) - || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC" - "651D06B0CC53B0F63BCE3C3E27D2604B")) - || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) - - || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2" - "77037D812DEB33A0F4A13945D898C296")) - || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF" - "BCE6FAADA7179E84F3B9CAC2FC632551")) - || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) - || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) - goto err; - - TEST_info("NIST curve P-256 -- Generator"); - test_output_bignum("x", x); - test_output_bignum("y", y); - /* G_y value taken from the standard: */ - if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16" - "2BCE33576B315ECECBB6406837BF51F5")) - || !TEST_BN_eq(y, z) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. - */ - || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, - ctx)) - || !TEST_int_eq(EC_GROUP_get_degree(group), 256) - || !group_order_tests(group) - - /* Curve P-384 (FIPS PUB 186-2, App. 
6) */ - - || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" - "FFFFFFFF0000000000000000FFFFFFFF")) - || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" - "FFFFFFFF0000000000000000FFFFFFFC")) - || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19" - "181D9C6EFE8141120314088F5013875A" - "C656398D8A2ED19D2A85C8EDD3EC2AEF")) - || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) - - || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74" - "6E1D3B628BA79B9859F741E082542A38" - "5502F25DBF55296C3A545E3872760AB7")) - || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFC7634D81F4372DDF" - "581A0DB248B0A77AECEC196ACCC52973")) - || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) - || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) - goto err; - - TEST_info("NIST curve P-384 -- Generator"); - test_output_bignum("x", x); - test_output_bignum("y", y); - /* G_y value taken from the standard: */ - if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29" - "F8F41DBD289A147CE9DA3113B5F0B8C0" - "0A60B1CE1D7E819D7A431D7C90EA0E5F")) - || !TEST_BN_eq(y, z) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. - */ - || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, - ctx)) - || !TEST_int_eq(EC_GROUP_get_degree(group), 384) - || !group_order_tests(group) - - /* Curve P-521 (FIPS PUB 186-2, App. 
6) */ - || !TEST_true(BN_hex2bn(&p, "1FF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")) - || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, "1FF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC")) - || !TEST_true(BN_hex2bn(&b, "051" - "953EB9618E1C9A1F929A21A0B68540EE" - "A2DA725B99B315F3B8B489918EF109E1" - "56193951EC7E937B1652C0BD3BB1BF07" - "3573DF883D2C34F1EF451FD46B503F00")) - || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) - || !TEST_true(BN_hex2bn(&x, "C6" - "858E06B70404E9CD9E3ECB662395B442" - "9C648139053FB521F828AF606B4D3DBA" - "A14B5E77EFE75928FE1DC127A2FFA8DE" - "3348B3C1856A429BF97E7E31C2E5BD66")) - || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(BN_hex2bn(&z, "1FF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA" - "51868783BF2F966B7FCC0148F709A5D0" - "3BB5C9B8899C47AEBB6FB71E91386409")) - || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) - || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) - goto err; - - TEST_info("NIST curve P-521 -- Generator"); - test_output_bignum("x", x); - test_output_bignum("y", y); - /* G_y value taken from the standard: */ - if (!TEST_true(BN_hex2bn(&z, "118" - "39296A789A3BC0045C8A5FB42C7D1BD9" - "98F54449579B446817AFBD17273E662C" - "97EE72995EF42640C550B9013FAD0761" - "353C7086A272C24088BE94769FD16650")) - || !TEST_BN_eq(y, z) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. 
- */ - || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, - ctx)) - || !TEST_int_eq(EC_GROUP_get_degree(group), 521) - || !group_order_tests(group) - - /* more tests using the last curve */ - - /* Restore the point that got mangled in the (x, y + 1) test. */ - || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) - || !TEST_true(EC_POINT_copy(Q, P)) - || !TEST_false(EC_POINT_is_at_infinity(group, Q)) - || !TEST_true(EC_POINT_dbl(group, P, P, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */ - || !TEST_true(EC_POINT_add(group, R, P, Q, ctx)) - || !TEST_true(EC_POINT_add(group, R, R, Q, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */ - || !TEST_false(EC_POINT_is_at_infinity(group, Q))) - goto err; - -#ifndef OPENSSL_NO_DEPRECATED_3_0 - TEST_note("combined multiplication ..."); - points[0] = Q; - points[1] = Q; - points[2] = Q; - points[3] = Q; - - if (!TEST_true(EC_GROUP_get_order(group, z, ctx)) - || !TEST_true(BN_add(y, z, BN_value_one())) - || !TEST_BN_even(y) - || !TEST_true(BN_rshift1(y, y))) - goto err; - - scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */ - scalars[1] = y; - - /* z is still the group order */ - if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) - || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx)) - || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0)) - || !TEST_true(BN_add(z, z, y))) - goto err; - BN_set_negative(z, 1); - scalars[0] = y; - scalars[1] = z; /* z = -(order + y) */ - - if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, P)) - || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0)) - || !TEST_true(BN_add(z, x, y))) - goto err; - BN_set_negative(z, 1); - scalars[0] = x; - scalars[1] = y; - 
scalars[2] = z; /* z = -(x+y) */ - - if (!TEST_ptr(scalar3 = BN_new())) - goto err; - BN_zero(scalar3); - scalars[3] = scalar3; - - if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, P))) - goto err; -#endif - TEST_note(" ok\n"); - r = 1; -err: - BN_CTX_free(ctx); - BN_free(p); - BN_free(a); - BN_free(b); - EC_GROUP_free(group); - EC_POINT_free(P); - EC_POINT_free(Q); - EC_POINT_free(R); - BN_free(x); - BN_free(y); - BN_free(z); - BN_free(yplusone); - BN_free(scalar3); - return r; -} - -static int internal_curve_test(int n) -{ - EC_GROUP *group = NULL; - int nid = curves[n].nid; - - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) { - TEST_info("EC_GROUP_new_curve_name() failed with curve %s\n", - OBJ_nid2sn(nid)); - return 0; - } - if (!TEST_true(EC_GROUP_check(group, NULL))) { - TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid)); - EC_GROUP_free(group); - return 0; - } - EC_GROUP_free(group); - return 1; -} - -static int internal_curve_test_method(int n) -{ - int r, nid = curves[n].nid; - EC_GROUP *group; - - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) { - TEST_info("Curve %s failed\n", OBJ_nid2sn(nid)); - return 0; - } - r = group_order_tests(group); - EC_GROUP_free(group); - return r; -} - -static int group_field_test(void) -{ - int r = 1; - BIGNUM *secp521r1_field = NULL; - BIGNUM *sect163r2_field = NULL; - EC_GROUP *secp521r1_group = NULL; - EC_GROUP *sect163r2_group = NULL; - - BN_hex2bn(&secp521r1_field, - "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFF"); - - - BN_hex2bn(§163r2_field, - "08000000000000000000000000000000" - "00000000C9"); - - secp521r1_group = EC_GROUP_new_by_curve_name(NID_secp521r1); - if (BN_cmp(secp521r1_field, EC_GROUP_get0_field(secp521r1_group))) - r = 0; - - # ifndef OPENSSL_NO_EC2M - sect163r2_group = 
EC_GROUP_new_by_curve_name(NID_sect163r2); - if (BN_cmp(sect163r2_field, EC_GROUP_get0_field(sect163r2_group))) - r = 0; - # endif - - EC_GROUP_free(secp521r1_group); - EC_GROUP_free(sect163r2_group); - BN_free(secp521r1_field); - BN_free(sect163r2_field); - return r; -} -/* - * nistp_test_params contains magic numbers for testing - * several NIST curves with characteristic > 3. - */ -struct nistp_test_params { - const int nid; - int degree; - /* - * Qx, Qy and D are taken from - * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf - * Otherwise, values are standard curve parameters from FIPS 180-3 - */ - const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d; -}; - -static const struct nistp_test_params nistp_tests_params[] = { - { - /* P-224 */ - NID_secp224r1, - 224, - /* p */ - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", - /* a */ - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE", - /* b */ - "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4", - /* Qx */ - "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E", - /* Qy */ - "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555", - /* Gx */ - "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21", - /* Gy */ - "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34", - /* order */ - "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", - /* d */ - "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8", - }, - { - /* P-256 */ - NID_X9_62_prime256v1, - 256, - /* p */ - "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", - /* a */ - "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", - /* b */ - "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", - /* Qx */ - "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19", - /* Qy */ - "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09", - /* Gx */ - "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", - 
/* Gy */ - "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", - /* order */ - "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", - /* d */ - "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96", - }, - { - /* P-521 */ - NID_secp521r1, - 521, - /* p */ - "1ff" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - /* a */ - "1ff" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", - /* b */ - "051" - "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1" - "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", - /* Qx */ - "0098" - "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e" - "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4", - /* Qy */ - "0164" - "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8" - "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e", - /* Gx */ - "c6" - "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba" - "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", - /* Gy */ - "118" - "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c" - "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", - /* order */ - "1ff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa" - "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", - /* d */ - "0100" - "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee" - "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722", - }, -}; - -static int nistp_single_test(int idx) -{ - const struct nistp_test_params *test = nistp_tests_params + idx; - BN_CTX *ctx = NULL; - BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL; - BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL; - EC_GROUP 
*NISTP = NULL; - EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL; - int r = 0; - - TEST_note("NIST curve P-%d (optimised implementation):", - test->degree); - if (!TEST_ptr(ctx = BN_CTX_new()) - || !TEST_ptr(p = BN_new()) - || !TEST_ptr(a = BN_new()) - || !TEST_ptr(b = BN_new()) - || !TEST_ptr(x = BN_new()) - || !TEST_ptr(y = BN_new()) - || !TEST_ptr(m = BN_new()) - || !TEST_ptr(n = BN_new()) - || !TEST_ptr(order = BN_new()) - || !TEST_ptr(yplusone = BN_new()) - - || !TEST_ptr(NISTP = EC_GROUP_new_by_curve_name(test->nid)) - || !TEST_true(BN_hex2bn(&p, test->p)) - || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, test->a)) - || !TEST_true(BN_hex2bn(&b, test->b)) - || !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx)) - || !TEST_ptr(G = EC_POINT_new(NISTP)) - || !TEST_ptr(P = EC_POINT_new(NISTP)) - || !TEST_ptr(Q = EC_POINT_new(NISTP)) - || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP)) - || !TEST_true(BN_hex2bn(&x, test->Qx)) - || !TEST_true(BN_hex2bn(&y, test->Qy)) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. - */ - || !TEST_false(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, - yplusone, ctx)) - || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y, - ctx)) - || !TEST_true(BN_hex2bn(&x, test->Gx)) - || !TEST_true(BN_hex2bn(&y, test->Gy)) - || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx)) - || !TEST_true(BN_hex2bn(&order, test->order)) - || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) - || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree)) - goto err; - - TEST_note("NIST test vectors ... 
"); - if (!TEST_true(BN_hex2bn(&n, test->d))) - goto err; - /* fixed point multiplication */ - EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - /* random point multiplication */ - EC_POINT_mul(NISTP, Q, NULL, G, n, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - - /* set generator to P = 2*G, where G is the standard generator */ - || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx)) - || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one())) - /* set the scalar to m=n/2, where n is the NIST test scalar */ - || !TEST_true(BN_rshift(m, n, 1))) - goto err; - - /* test the non-standard generator */ - /* fixed point multiplication */ - EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - /* random point multiplication */ - EC_POINT_mul(NISTP, Q, NULL, P, m, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) -#ifndef OPENSSL_NO_DEPRECATED_3_0 - /* We have not performed precomp so this should be false */ - || !TEST_false(EC_GROUP_have_precompute_mult(NISTP)) - /* now repeat all tests with precomputation */ - || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx)) -#endif - ) - goto err; - - /* fixed point multiplication */ - EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - /* random point multiplication */ - EC_POINT_mul(NISTP, Q, NULL, P, m, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - - /* reset generator */ - || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))) - goto err; - /* fixed point multiplication */ - EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - /* random point multiplication */ - EC_POINT_mul(NISTP, Q, NULL, G, n, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - - /* 
regression test for felem_neg bug */ - if (!TEST_true(BN_set_word(m, 32)) - || !TEST_true(BN_set_word(n, 31)) - || !TEST_true(EC_POINT_copy(P, G)) - || !TEST_true(EC_POINT_invert(NISTP, P, ctx)) - || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx))) - goto err; - - r = 1; -err: - EC_GROUP_free(NISTP); - EC_POINT_free(G); - EC_POINT_free(P); - EC_POINT_free(Q); - EC_POINT_free(Q_CHECK); - BN_free(n); - BN_free(m); - BN_free(p); - BN_free(a); - BN_free(b); - BN_free(x); - BN_free(y); - BN_free(order); - BN_free(yplusone); - BN_CTX_free(ctx); - return r; -} - -static const unsigned char p521_named[] = { - 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, -}; - -static const unsigned char p521_explicit[] = { - 0x30, 0x82, 0x01, 0xc3, 0x02, 0x01, 0x01, 0x30, 0x4d, 0x06, 0x07, 0x2a, - 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x42, 0x01, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0x30, 0x81, 0x9f, 0x04, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xfc, 0x04, 0x42, 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a, - 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72, - 0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x09, - 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b, 
0x16, 0x52, 0xc0, - 0xbd, 0x3b, 0xb1, 0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34, - 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, 0x03, 0x15, 0x00, - 0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, 0x67, 0x17, - 0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, 0x04, 0x81, 0x85, 0x04, - 0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, 0x9e, 0x3e, - 0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f, - 0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b, - 0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff, - 0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e, - 0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, - 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, - 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, - 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, - 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, - 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50, - 0x02, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa, - 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48, - 0xf7, 0x09, 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae, - 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01, -}; - -/* - * This test validates a named curve's group parameters using - * EC_GROUP_check_named_curve(). It also checks that modifying any of the - * group parameters results in the curve not being valid. 
- */ -static int check_named_curve_test(int id) -{ - int ret = 0, nid, field_nid, has_seed; - EC_GROUP *group = NULL, *gtest = NULL; - const EC_POINT *group_gen = NULL; - EC_POINT *other_gen = NULL; - BIGNUM *group_p = NULL, *group_a = NULL, *group_b = NULL; - BIGNUM *other_p = NULL, *other_a = NULL, *other_b = NULL; - BIGNUM *group_cofactor = NULL, *other_cofactor = NULL; - BIGNUM *other_order = NULL; - const BIGNUM *group_order = NULL; - BN_CTX *bn_ctx = NULL; - static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED"; - static size_t invalid_seed_len = sizeof(invalid_seed); - - /* Do some setup */ - nid = curves[id].nid; - if (!TEST_ptr(bn_ctx = BN_CTX_new()) - || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) - || !TEST_ptr(gtest = EC_GROUP_dup(group)) - || !TEST_ptr(group_p = BN_new()) - || !TEST_ptr(group_a = BN_new()) - || !TEST_ptr(group_b = BN_new()) - || !TEST_ptr(group_cofactor = BN_new()) - || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group)) - || !TEST_ptr(group_order = EC_GROUP_get0_order(group)) - || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL)) - || !TEST_true(EC_GROUP_get_curve(group, group_p, group_a, group_b, NULL)) - || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group)) - || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL)) - || !TEST_ptr(other_order = BN_dup(group_order)) - || !TEST_true(BN_add_word(other_order, 1)) - || !TEST_ptr(other_a = BN_dup(group_a)) - || !TEST_true(BN_add_word(other_a, 1)) - || !TEST_ptr(other_b = BN_dup(group_b)) - || !TEST_true(BN_add_word(other_b, 1)) - || !TEST_ptr(other_cofactor = BN_dup(group_cofactor)) - || !TEST_true(BN_add_word(other_cofactor, 1))) - goto err; - - /* Determine if the built-in curve has a seed field set */ - has_seed = (EC_GROUP_get_seed_len(group) > 0); - field_nid = EC_GROUP_get_field_type(group); - if (field_nid == NID_X9_62_characteristic_two_field) { - if (!TEST_ptr(other_p = BN_dup(group_p)) - || !TEST_true(BN_lshift1(other_p, 
other_p))) - goto err; - } else { - if (!TEST_ptr(other_p = BN_dup(group_p))) - goto err; - /* - * Just choosing any arbitrary prime does not work.. - * Setting p via ec_GFp_nist_group_set_curve() needs the prime to be a - * nist prime. So only select one of these as an alternate prime. - */ - if (!TEST_ptr(BN_copy(other_p, - BN_ucmp(BN_get0_nist_prime_192(), other_p) == 0 ? - BN_get0_nist_prime_256() : - BN_get0_nist_prime_192()))) - goto err; - } - - /* Passes because this is a valid curve */ - if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid) - /* Only NIST curves pass */ - || !TEST_int_eq(EC_GROUP_check_named_curve(group, 1, NULL), - EC_curve_nid2nist(nid) != NULL ? nid : NID_undef)) - goto err; - - /* Fail if the curve name doesn't match the parameters */ - EC_GROUP_set_curve_name(group, nid + 1); - ERR_set_mark(); - if (!TEST_int_le(EC_GROUP_check_named_curve(group, 0, NULL), 0)) - goto err; - ERR_pop_to_mark(); - - /* Restore curve name and ensure it's passing */ - EC_GROUP_set_curve_name(group, nid); - if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid)) - goto err; - - if (!TEST_int_eq(EC_GROUP_set_seed(group, invalid_seed, invalid_seed_len), - invalid_seed_len)) - goto err; - - if (has_seed) { - /* - * If the built-in curve has a seed and we set the seed to another value - * then it will fail the check. - */ - if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), 0)) - goto err; - } else { - /* - * If the built-in curve does not have a seed then setting the seed will - * pass the check (as the seed is optional). 
- */ - if (!TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid)) - goto err; - } - /* Pass if the seed is unknown (as it is optional) */ - if (!TEST_int_eq(EC_GROUP_set_seed(group, NULL, 0), 1) - || !TEST_int_eq(EC_GROUP_check_named_curve(group, 0, NULL), nid)) - goto err; - - /* Check that a duped group passes */ - if (!TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid)) - goto err; - - /* check that changing any generator parameter fails */ - if (!TEST_true(EC_GROUP_set_generator(gtest, other_gen, group_order, - group_cofactor)) - || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0) - || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, other_order, - group_cofactor)) - || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0) - /* The order is not an optional field, so this should fail */ - || !TEST_false(EC_GROUP_set_generator(gtest, group_gen, NULL, - group_cofactor)) - || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order, - other_cofactor)) - || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), 0) - /* Check that if the cofactor is not set then it still passes */ - || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order, - NULL)) - || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid) - /* check that restoring the generator passes */ - || !TEST_true(EC_GROUP_set_generator(gtest, group_gen, group_order, - group_cofactor)) - || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid)) - goto err; - - /* - * check that changing any curve parameter fails - * - * Setting arbitrary p, a or b might fail for some EC_GROUPs - * depending on the internal EC_METHOD implementation, hence run - * these tests conditionally to the success of EC_GROUP_set_curve(). 
- */ - ERR_set_mark(); - if (EC_GROUP_set_curve(gtest, other_p, group_a, group_b, NULL)) { - if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)) - goto err; - } else { - /* clear the error stack if EC_GROUP_set_curve() failed */ - ERR_pop_to_mark(); - ERR_set_mark(); - } - if (EC_GROUP_set_curve(gtest, group_p, other_a, group_b, NULL)) { - if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)) - goto err; - } else { - /* clear the error stack if EC_GROUP_set_curve() failed */ - ERR_pop_to_mark(); - ERR_set_mark(); - } - if (EC_GROUP_set_curve(gtest, group_p, group_a, other_b, NULL)) { - if (!TEST_int_le(EC_GROUP_check_named_curve(gtest, 0, NULL), 0)) - goto err; - } else { - /* clear the error stack if EC_GROUP_set_curve() failed */ - ERR_pop_to_mark(); - ERR_set_mark(); - } - ERR_pop_to_mark(); - - /* Check that restoring the curve parameters passes */ - if (!TEST_true(EC_GROUP_set_curve(gtest, group_p, group_a, group_b, NULL)) - || !TEST_int_eq(EC_GROUP_check_named_curve(gtest, 0, NULL), nid)) - goto err; - - ret = 1; -err: - BN_free(group_p); - BN_free(other_p); - BN_free(group_a); - BN_free(other_a); - BN_free(group_b); - BN_free(other_b); - BN_free(group_cofactor); - BN_free(other_cofactor); - BN_free(other_order); - EC_POINT_free(other_gen); - EC_GROUP_free(gtest); - EC_GROUP_free(group); - BN_CTX_free(bn_ctx); - return ret; -} - -/* - * This checks the lookup capability of EC_GROUP_check_named_curve() - * when the given group was created with explicit parameters. - * - * It is possible to retrieve an alternative alias that does not match - * the original nid in this case. 
- */ -static int check_named_curve_lookup_test(int id) -{ - int ret = 0, nid, rv = 0; - EC_GROUP *g = NULL , *ga = NULL; - ECPARAMETERS *p = NULL, *pa = NULL; - BN_CTX *ctx = NULL; - - /* Do some setup */ - nid = curves[id].nid; - if (!TEST_ptr(ctx = BN_CTX_new()) - || !TEST_ptr(g = EC_GROUP_new_by_curve_name(nid)) - || !TEST_ptr(p = EC_GROUP_get_ecparameters(g, NULL))) - goto err; - - /* replace with group from explicit parameters */ - EC_GROUP_free(g); - if (!TEST_ptr(g = EC_GROUP_new_from_ecparameters(p))) - goto err; - - if (!TEST_int_gt(rv = EC_GROUP_check_named_curve(g, 0, NULL), 0)) - goto err; - if (rv != nid) { - /* - * Found an alias: - * fail if the returned nid is not an alias of the original group. - * - * The comparison here is done by comparing two explicit - * parameter EC_GROUPs with EC_GROUP_cmp(), to ensure the - * comparison happens with unnamed EC_GROUPs using the same - * EC_METHODs. - */ - if (!TEST_ptr(ga = EC_GROUP_new_by_curve_name(rv)) - || !TEST_ptr(pa = EC_GROUP_get_ecparameters(ga, NULL))) - goto err; - - /* replace with group from explicit parameters, then compare */ - EC_GROUP_free(ga); - if (!TEST_ptr(ga = EC_GROUP_new_from_ecparameters(pa)) - || !TEST_int_eq(EC_GROUP_cmp(g, ga, ctx), 0)) - goto err; - } - - ret = 1; - - err: - EC_GROUP_free(g); - EC_GROUP_free(ga); - ECPARAMETERS_free(p); - ECPARAMETERS_free(pa); - BN_CTX_free(ctx); - - return ret; -} - -/* - * Sometime we cannot compare nids for equality, as the built-in curve table - * includes aliases with different names for the same curve. - * - * This function returns TRUE (1) if the checked nids are identical, or if they - * alias to the same curve. FALSE (0) otherwise. 
- */ -static ossl_inline -int are_ec_nids_compatible(int n1d, int n2d) -{ - int ret = 0; - switch (n1d) { -#ifndef OPENSSL_NO_EC2M - case NID_sect113r1: - case NID_wap_wsg_idm_ecid_wtls4: - ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4); - break; - case NID_sect163k1: - case NID_wap_wsg_idm_ecid_wtls3: - ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3); - break; - case NID_sect233k1: - case NID_wap_wsg_idm_ecid_wtls10: - ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10); - break; - case NID_sect233r1: - case NID_wap_wsg_idm_ecid_wtls11: - ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11); - break; - case NID_X9_62_c2pnb163v1: - case NID_wap_wsg_idm_ecid_wtls5: - ret = (n2d == NID_X9_62_c2pnb163v1 - || n2d == NID_wap_wsg_idm_ecid_wtls5); - break; -#endif /* OPENSSL_NO_EC2M */ - case NID_secp112r1: - case NID_wap_wsg_idm_ecid_wtls6: - ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6); - break; - case NID_secp160r2: - case NID_wap_wsg_idm_ecid_wtls7: - ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7); - break; -#ifdef OPENSSL_NO_EC_NISTP_64_GCC_128 - case NID_secp224r1: - case NID_wap_wsg_idm_ecid_wtls12: - ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12); - break; -#else - /* - * For SEC P-224 we want to ensure that the SECP nid is returned, as - * that is associated with a specialized method. - */ - case NID_wap_wsg_idm_ecid_wtls12: - ret = (n2d == NID_secp224r1); - break; -#endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */ - - default: - ret = (n1d == n2d); - } - return ret; -} - -/* - * This checks that EC_GROUP_bew_from_ecparameters() returns a "named" - * EC_GROUP for built-in curves. - * - * Note that it is possible to retrieve an alternative alias that does not match - * the original nid. - * - * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. 
- */ -static int check_named_curve_from_ecparameters(int id) -{ - int ret = 0, nid, tnid; - EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL; - const EC_POINT *group_gen = NULL; - EC_POINT *other_gen = NULL; - BIGNUM *group_cofactor = NULL, *other_cofactor = NULL; - BIGNUM *other_gen_x = NULL, *other_gen_y = NULL; - const BIGNUM *group_order = NULL; - BIGNUM *other_order = NULL; - BN_CTX *bn_ctx = NULL; - static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED"; - static size_t invalid_seed_len = sizeof(invalid_seed); - ECPARAMETERS *params = NULL, *other_params = NULL; - EC_GROUP *g_ary[8] = {NULL}; - EC_GROUP **g_next = &g_ary[0]; - ECPARAMETERS *p_ary[8] = {NULL}; - ECPARAMETERS **p_next = &p_ary[0]; - - /* Do some setup */ - nid = curves[id].nid; - TEST_note("Curve %s", OBJ_nid2sn(nid)); - if (!TEST_ptr(bn_ctx = BN_CTX_new())) - return ret; - BN_CTX_start(bn_ctx); - - if (/* Allocations */ - !TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx)) - || !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx)) - || !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx)) - || !TEST_ptr(other_order = BN_CTX_get(bn_ctx)) - || !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx)) - /* Generate reference group and params */ - || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) - || !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL)) - || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group)) - || !TEST_ptr(group_order = EC_GROUP_get0_order(group)) - || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL)) - /* compute `other_*` values */ - || !TEST_ptr(tmpg = EC_GROUP_dup(group)) - || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group)) - || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL)) - || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen, - other_gen_x, other_gen_y, bn_ctx)) - || !TEST_true(BN_copy(other_order, group_order)) - || !TEST_true(BN_add_word(other_order, 1)) - || !TEST_true(BN_copy(other_cofactor, group_cofactor)) - || 
!TEST_true(BN_add_word(other_cofactor, 1))) - goto err; - - EC_POINT_free(other_gen); - other_gen = NULL; - - if (!TEST_ptr(other_gen = EC_POINT_new(tmpg)) - || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen, - other_gen_x, other_gen_y, - bn_ctx))) - goto err; - - /* - * ########################### - * # Actual tests start here # - * ########################### - */ - - /* - * Creating a group from built-in explicit parameters returns a - * "named" EC_GROUP - */ - if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)) - goto err; - /* - * We cannot always guarantee the names match, as the built-in table - * contains aliases for the same curve with different names. - */ - if (!TEST_true(are_ec_nids_compatible(nid, tnid))) { - TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); - goto err; - } - /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */ - if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE)) - goto err; - - /* - * An invalid seed in the parameters should be ignored: expect a "named" - * group. - */ - if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len), - invalid_seed_len) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE)) { - TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); - goto err; - } - - /* - * A null seed in the parameters should be ignored, as it is optional: - * expect a "named" group. 
- */ - if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE)) { - TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); - goto err; - } - - /* - * Check that changing any of the generator parameters does not yield a - * match with the built-in curves - */ - if (/* Other gen, same group order & cofactor */ - !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order, - group_cofactor)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - /* Same gen & cofactor, different order */ - || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order, - group_cofactor)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - /* The order is not an optional field, so this should fail */ - || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL, - group_cofactor)) - /* Check that a wrong cofactor is ignored, and we still match */ - || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, - other_cofactor)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || 
!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE) - /* Check that if the cofactor is not set then it still matches */ - || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, - NULL)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE) - /* check that restoring the generator passes */ - || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, - group_cofactor)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE)) - goto err; - - ret = 1; -err: - for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++) - EC_GROUP_free(*g_next); - for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++) - ECPARAMETERS_free(*p_next); - ECPARAMETERS_free(params); - EC_POINT_free(other_gen); - EC_GROUP_free(tmpg); - EC_GROUP_free(group); - BN_CTX_end(bn_ctx); - BN_CTX_free(bn_ctx); - return ret; -} - - -static int parameter_test(void) -{ - EC_GROUP *group = NULL, *group2 = NULL; - ECPARAMETERS *ecparameters = NULL; - unsigned char *buf = NULL; - int r = 0, len; - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp384r1)) - || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL)) - || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters)) - || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0)) - goto err; - - EC_GROUP_free(group); - group = NULL; - - /* Test the named 
curve encoding, which should be default. */ - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1)) - || !TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0) - || !TEST_mem_eq(buf, len, p521_named, sizeof(p521_named))) - goto err; - - OPENSSL_free(buf); - buf = NULL; - - /* - * Test the explicit encoding. P-521 requires correctly zero-padding the - * curve coefficients. - */ - EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE); - if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0) - || !TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit))) - goto err; - - r = 1; -err: - EC_GROUP_free(group); - EC_GROUP_free(group2); - ECPARAMETERS_free(ecparameters); - OPENSSL_free(buf); - return r; -} - -/*- - * random 256-bit explicit parameters curve, cofactor absent - * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit) - * cofactor: 0x12bc94785251297abfafddf1565100da (125 bit) - */ -static const unsigned char params_cf_pass[] = { - 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5, - 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d, - 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93, - 0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5, - 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d, - 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93, - 0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc, - 0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27, - 0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23, - 0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77, - 0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b, - 0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4, - 0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 
0x5a, 0xe9, - 0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a, - 0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c, - 0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96, - 0x14, 0xa8, 0x2f, 0x4f -}; - -/*- - * random 256-bit explicit parameters curve, cofactor absent - * order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit) - * cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit) - */ -static const unsigned char params_cf_fail[] = { - 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37, - 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b, - 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0, - 0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37, - 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b, - 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0, - 0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09, - 0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d, - 0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02, - 0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59, - 0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11, - 0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24, - 0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70, - 0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73, - 0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04, - 0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e, - 0x34, 0xa2, 0x21, 0x01 -}; - -/*- - * Test two random 256-bit explicit parameters curves with absent cofactor. 
- * The two curves are chosen to roughly straddle the bounds at which the lib - * can compute the cofactor automatically, roughly 4*sqrt(p). So test that: - * - * - params_cf_pass: order is sufficiently close to p to compute cofactor - * - params_cf_fail: order is too far away from p to compute cofactor - * - * For standards-compliant curves, cofactor is chosen as small as possible. - * So you can see neither of these curves are fit for cryptographic use. - * - * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2: - * h <= 2**(t/8) where t is the security level of the curve, for which the lib - * will always succeed in computing the cofactor. Neither of these curves - * conform to that -- this is just robustness testing. - */ -static int cofactor_range_test(void) -{ - EC_GROUP *group = NULL; - BIGNUM *cf = NULL; - int ret = 0; - const unsigned char *b1 = (const unsigned char *)params_cf_fail; - const unsigned char *b2 = (const unsigned char *)params_cf_pass; - - if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail))) - || !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group)) - || !TEST_ptr(group = d2i_ECPKParameters(&group, &b2, - sizeof(params_cf_pass))) - || !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0) - || !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group))) - goto err; - ret = 1; - err: - BN_free(cf); - EC_GROUP_free(group); - return ret; -} - -/*- - * For named curves, test that: - * - the lib correctly computes the cofactor if passed a NULL or zero cofactor - * - a nonsensical cofactor throws an error (negative test) - * - nonsensical orders throw errors (negative tests) - */ -static int cardinality_test(int n) -{ - int ret = 0, is_binary = 0; - int nid = curves[n].nid; - BN_CTX *ctx = NULL; - EC_GROUP *g1 = NULL, *g2 = NULL; - EC_POINT *g2_gen = NULL; - BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL, - *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL; - - TEST_info("Curve %s 
cardinality test", OBJ_nid2sn(nid)); - - if (!TEST_ptr(ctx = BN_CTX_new()) - || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))) { - BN_CTX_free(ctx); - return 0; - } - - is_binary = (EC_GROUP_get_field_type(g1) == NID_X9_62_characteristic_two_field); - - BN_CTX_start(ctx); - g1_p = BN_CTX_get(ctx); - g1_a = BN_CTX_get(ctx); - g1_b = BN_CTX_get(ctx); - g1_x = BN_CTX_get(ctx); - g1_y = BN_CTX_get(ctx); - g1_order = BN_CTX_get(ctx); - g1_cf = BN_CTX_get(ctx); - - if (!TEST_ptr(g2_cf = BN_CTX_get(ctx)) - /* pull out the explicit curve parameters */ - || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx)) - || !TEST_true(EC_POINT_get_affine_coordinates(g1, - EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx)) - || !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1))) - || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx)) - /* construct g2 manually with g1 parameters */ -#ifndef OPENSSL_NO_EC2M - || !TEST_ptr(g2 = (is_binary) ? - EC_GROUP_new_curve_GF2m(g1_p, g1_a, g1_b, ctx) : - EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx)) -#else - || !TEST_int_eq(0, is_binary) - || !TEST_ptr(g2 = EC_GROUP_new_curve_GFp(g1_p, g1_a, g1_b, ctx)) -#endif - || !TEST_ptr(g2_gen = EC_POINT_new(g2)) - || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx)) - /* pass NULL cofactor: lib should compute it */ - || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) - || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx)) - || !TEST_BN_eq(g1_cf, g2_cf) - /* pass zero cofactor: lib should compute it */ - || !TEST_true(BN_set_word(g2_cf, 0)) - || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf)) - || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx)) - || !TEST_BN_eq(g1_cf, g2_cf) - /* negative test for invalid cofactor */ - || !TEST_true(BN_set_word(g2_cf, 0)) - || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one())) - || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf)) - /* negative test for NULL order */ - || 
!TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL)) - /* negative test for zero order */ - || !TEST_true(BN_set_word(g1_order, 0)) - || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) - /* negative test for negative order */ - || !TEST_true(BN_set_word(g2_cf, 0)) - || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one())) - || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)) - /* negative test for too large order */ - || !TEST_true(BN_lshift(g1_order, g1_p, 2)) - || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))) - goto err; - ret = 1; - err: - EC_POINT_free(g2_gen); - EC_GROUP_free(g1); - EC_GROUP_free(g2); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - return ret; -} - -static int check_ec_key_field_public_range_test(int id) -{ - int ret = 0, type = 0; - const EC_POINT *pub = NULL; - const EC_GROUP *group = NULL; - const BIGNUM *field = NULL; - BIGNUM *x = NULL, *y = NULL; - EC_KEY *key = NULL; - - if (!TEST_ptr(x = BN_new()) - || !TEST_ptr(y = BN_new()) - || !TEST_ptr(key = EC_KEY_new_by_curve_name(curves[id].nid)) - || !TEST_ptr(group = EC_KEY_get0_group(key)) - || !TEST_ptr(field = EC_GROUP_get0_field(group)) - || !TEST_int_gt(EC_KEY_generate_key(key), 0) - || !TEST_int_gt(EC_KEY_check_key(key), 0) - || !TEST_ptr(pub = EC_KEY_get0_public_key(key)) - || !TEST_int_gt(EC_POINT_get_affine_coordinates(group, pub, x, y, - NULL), 0)) - goto err; - - /* - * Make the public point out of range by adding the field (which will still - * be the same point on the curve). The add is different for char2 fields. 
- */ - type = EC_GROUP_get_field_type(group); -#ifndef OPENSSL_NO_EC2M - if (type == NID_X9_62_characteristic_two_field) { - /* test for binary curves */ - if (!TEST_true(BN_GF2m_add(x, x, field))) - goto err; - } else -#endif - if (type == NID_X9_62_prime_field) { - /* test for prime curves */ - if (!TEST_true(BN_add(x, x, field))) - goto err; - } else { - /* this should never happen */ - TEST_error("Unsupported EC_METHOD field_type"); - goto err; - } - if (!TEST_int_le(EC_KEY_set_public_key_affine_coordinates(key, x, y), 0)) - goto err; - - ret = 1; -err: - BN_free(x); - BN_free(y); - EC_KEY_free(key); - return ret; -} - -/* - * Helper for ec_point_hex2point_test - * - * Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given - * (group,P) pair. - * - * If P is NULL use point at infinity. - */ -static ossl_inline -int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P, - point_conversion_form_t form, - BN_CTX *bnctx) -{ - int ret = 0; - EC_POINT *Q = NULL, *Pinf = NULL; - char *hex = NULL; - - if (P == NULL) { - /* If P is NULL use point at infinity. */ - if (!TEST_ptr(Pinf = EC_POINT_new(group)) - || !TEST_true(EC_POINT_set_to_infinity(group, Pinf))) - goto err; - P = Pinf; - } - - if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx)) - || !TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx))) - goto err; - - /* - * The next check is most likely superfluous, as EC_POINT_cmp should already - * cover this. - * Nonetheless it increases the test coverage for EC_POINT_is_at_infinity, - * so we include it anyway! 
- */ - if (Pinf != NULL - && !TEST_true(EC_POINT_is_at_infinity(group, Q))) - goto err; - - ret = 1; - - err: - EC_POINT_free(Pinf); - OPENSSL_free(hex); - EC_POINT_free(Q); - - return ret; -} - -/* - * This test self-validates EC_POINT_hex2point() and EC_POINT_point2hex() - */ -static int ec_point_hex2point_test(int id) -{ - int ret = 0, nid; - EC_GROUP *group = NULL; - const EC_POINT *G = NULL; - EC_POINT *P = NULL; - BN_CTX * bnctx = NULL; - - /* Do some setup */ - nid = curves[id].nid; - if (!TEST_ptr(bnctx = BN_CTX_new()) - || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) - || !TEST_ptr(G = EC_GROUP_get0_generator(group)) - || !TEST_ptr(P = EC_POINT_dup(G, group))) - goto err; - - if (!TEST_true(ec_point_hex2point_test_helper(group, P, - POINT_CONVERSION_COMPRESSED, - bnctx)) - || !TEST_true(ec_point_hex2point_test_helper(group, NULL, - POINT_CONVERSION_COMPRESSED, - bnctx)) - || !TEST_true(ec_point_hex2point_test_helper(group, P, - POINT_CONVERSION_UNCOMPRESSED, - bnctx)) - || !TEST_true(ec_point_hex2point_test_helper(group, NULL, - POINT_CONVERSION_UNCOMPRESSED, - bnctx)) - || !TEST_true(ec_point_hex2point_test_helper(group, P, - POINT_CONVERSION_HYBRID, - bnctx)) - || !TEST_true(ec_point_hex2point_test_helper(group, NULL, - POINT_CONVERSION_HYBRID, - bnctx))) - goto err; - - ret = 1; - - err: - EC_POINT_free(P); - EC_GROUP_free(group); - BN_CTX_free(bnctx); - - return ret; -} - -static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, - unsigned char *gen, int gen_size) -{ - int ret = 0, i_out; - EVP_PKEY_CTX *pctx = NULL; - EVP_PKEY *pkeyparam = NULL; - OSSL_PARAM_BLD *bld = NULL; - const char *field_name; - OSSL_PARAM *params = NULL; - const OSSL_PARAM *gettable; - BIGNUM *p, *a, *b; - BIGNUM *p_out = NULL, *a_out = NULL, *b_out = NULL; - BIGNUM *order_out = NULL, *cofactor_out = NULL; - char name[80]; - unsigned char buf[1024]; - size_t buf_len, name_len; -#ifndef OPENSSL_NO_EC2M - unsigned int k1 = 0, k2 = 0, k3 = 0; - const char 
*basis_name = NULL; -#endif - - p = BN_CTX_get(ctx); - a = BN_CTX_get(ctx); - b = BN_CTX_get(ctx); - - if (!TEST_ptr(b) - || !TEST_ptr(bld = OSSL_PARAM_BLD_new())) - goto err; - - if (EC_GROUP_get_field_type(group) == NID_X9_62_prime_field) { - field_name = SN_X9_62_prime_field; - } else { - field_name = SN_X9_62_characteristic_two_field; -#ifndef OPENSSL_NO_EC2M - if (EC_GROUP_get_basis_type(group) == NID_X9_62_tpBasis) { - basis_name = SN_X9_62_tpBasis; - if (!TEST_true(EC_GROUP_get_trinomial_basis(group, &k1))) - goto err; - } else { - basis_name = SN_X9_62_ppBasis; - if (!TEST_true(EC_GROUP_get_pentanomial_basis(group, &k1, &k2, &k3))) - goto err; - } -#endif /* OPENSSL_NO_EC2M */ - } - if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)) - || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(bld, - OSSL_PKEY_PARAM_EC_FIELD_TYPE, field_name, 0)) - || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_P, p)) - || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_A, a)) - || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_B, b))) - goto err; - - if (EC_GROUP_get0_seed(group) != NULL) { - if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(bld, - OSSL_PKEY_PARAM_EC_SEED, EC_GROUP_get0_seed(group), - EC_GROUP_get_seed_len(group)))) - goto err; - } - if (EC_GROUP_get0_cofactor(group) != NULL) { - if (!TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_COFACTOR, - EC_GROUP_get0_cofactor(group)))) - goto err; - } - - if (!TEST_true(OSSL_PARAM_BLD_push_octet_string(bld, - OSSL_PKEY_PARAM_EC_GENERATOR, gen, gen_size)) - || !TEST_true(OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_EC_ORDER, - EC_GROUP_get0_order(group)))) - goto err; - - if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) - || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) - || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) - || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam, - EVP_PKEY_KEY_PARAMETERS, params), 0)) - goto err; - - /*- Check that all the set values are 
retrievable -*/ - - /* There should be no match to a group name since the generator changed */ - if (!TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam, - OSSL_PKEY_PARAM_GROUP_NAME, name, sizeof(name), - &name_len))) - goto err; - - /* The encoding should be explicit as it has no group */ - if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam, - OSSL_PKEY_PARAM_EC_ENCODING, - name, sizeof(name), &name_len)) - || !TEST_str_eq(name, OSSL_PKEY_EC_ENCODING_EXPLICIT)) - goto err; - - if (!TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam, - OSSL_PKEY_PARAM_EC_FIELD_TYPE, name, sizeof(name), - &name_len)) - || !TEST_str_eq(name, field_name)) - goto err; - - if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam, - OSSL_PKEY_PARAM_EC_GENERATOR, buf, sizeof(buf), &buf_len)) - || !TEST_mem_eq(buf, (int)buf_len, gen, gen_size)) - goto err; - - if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_P, &p_out)) - || !TEST_BN_eq(p_out, p) - || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_A, - &a_out)) - || !TEST_BN_eq(a_out, a) - || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_B, - &b_out)) - || !TEST_BN_eq(b_out, b) - || !TEST_true(EVP_PKEY_get_bn_param(pkeyparam, OSSL_PKEY_PARAM_EC_ORDER, - &order_out)) - || !TEST_BN_eq(order_out, EC_GROUP_get0_order(group))) - goto err; - - if (EC_GROUP_get0_cofactor(group) != NULL) { - if (!TEST_true(EVP_PKEY_get_bn_param(pkeyparam, - OSSL_PKEY_PARAM_EC_COFACTOR, &cofactor_out)) - || !TEST_BN_eq(cofactor_out, EC_GROUP_get0_cofactor(group))) - goto err; - } - if (EC_GROUP_get0_seed(group) != NULL) { - if (!TEST_true(EVP_PKEY_get_octet_string_param(pkeyparam, - OSSL_PKEY_PARAM_EC_SEED, buf, sizeof(buf), &buf_len)) - || !TEST_mem_eq(buf, buf_len, EC_GROUP_get0_seed(group), - EC_GROUP_get_seed_len(group))) - goto err; - } - - if (EC_GROUP_get_field_type(group) == NID_X9_62_prime_field) { - /* No extra fields should be set for a prime field */ - if 
(!TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out)) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out)) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out)) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out)) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out)) - || !TEST_false(EVP_PKEY_get_utf8_string_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name), - &name_len))) - goto err; - } else { -#ifndef OPENSSL_NO_EC2M - if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_M, &i_out)) - || !TEST_int_eq(EC_GROUP_get_degree(group), i_out) - || !TEST_true(EVP_PKEY_get_utf8_string_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_TYPE, name, sizeof(name), - &name_len)) - || !TEST_str_eq(name, basis_name)) - goto err; - - if (EC_GROUP_get_basis_type(group) == NID_X9_62_tpBasis) { - if (!TEST_true(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out)) - || !TEST_int_eq(k1, i_out) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out)) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out)) - || !TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out))) - goto err; - } else { - if (!TEST_false(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS, &i_out)) - || !TEST_true(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K1, &i_out)) - || !TEST_int_eq(k1, i_out) - || !TEST_true(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K2, &i_out)) - || !TEST_int_eq(k2, i_out) - || !TEST_true(EVP_PKEY_get_int_param(pkeyparam, - OSSL_PKEY_PARAM_EC_CHAR2_PP_K3, &i_out)) - || !TEST_int_eq(k3, i_out)) - goto err; - } -#endif /* OPENSSL_NO_EC2M */ - } - if (!TEST_ptr(gettable = 
EVP_PKEY_gettable_params(pkeyparam)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_GROUP_NAME)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ENCODING)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_FIELD_TYPE)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_P)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_A)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_B)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_GENERATOR)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_ORDER)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_COFACTOR)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_SEED)) -#ifndef OPENSSL_NO_EC2M - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_M)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TYPE)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_TP_BASIS)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K1)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K2)) - || !TEST_ptr(OSSL_PARAM_locate_const(gettable, OSSL_PKEY_PARAM_EC_CHAR2_PP_K3)) -#endif - ) - goto err; - ret = 1; -err: - BN_free(order_out); - BN_free(cofactor_out); - BN_free(a_out); - BN_free(b_out); - BN_free(p_out); - OSSL_PARAM_free(params); - OSSL_PARAM_BLD_free(bld); - EVP_PKEY_free(pkeyparam); - EVP_PKEY_CTX_free(pctx); - return ret; -} - -/* - * check the EC_METHOD respects the supplied EC_GROUP_set_generator G - */ -static int custom_generator_test(int id) -{ - int ret = 0, nid, bsize; - EC_GROUP *group = NULL; - EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL; - BN_CTX *ctx = NULL; - BIGNUM *k = NULL; - unsigned char *b1 = NULL, *b2 = NULL; - - /* Do some setup */ - nid = curves[id].nid; - TEST_note("Curve %s", OBJ_nid2sn(nid)); - if 
(!TEST_ptr(ctx = BN_CTX_new())) - return 0; - - BN_CTX_start(ctx); - - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) - goto err; - - /* expected byte length of encoded points */ - bsize = (EC_GROUP_get_degree(group) + 7) / 8; - bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */ - - if (!TEST_ptr(k = BN_CTX_get(ctx)) - /* fetch a testing scalar k != 0,1 */ - || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1, - BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) - /* make k even */ - || !TEST_true(BN_clear_bit(k, 0)) - || !TEST_ptr(G2 = EC_POINT_new(group)) - || !TEST_ptr(Q1 = EC_POINT_new(group)) - /* Q1 := kG */ - || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx)) - /* pull out the bytes of that */ - || !TEST_int_eq(EC_POINT_point2oct(group, Q1, - POINT_CONVERSION_UNCOMPRESSED, NULL, - 0, ctx), bsize) - || !TEST_ptr(b1 = OPENSSL_malloc(bsize)) - || !TEST_int_eq(EC_POINT_point2oct(group, Q1, - POINT_CONVERSION_UNCOMPRESSED, b1, - bsize, ctx), bsize) - /* new generator is G2 := 2G */ - || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group), - ctx)) - || !TEST_true(EC_GROUP_set_generator(group, G2, - EC_GROUP_get0_order(group), - EC_GROUP_get0_cofactor(group))) - || !TEST_ptr(Q2 = EC_POINT_new(group)) - || !TEST_true(BN_rshift1(k, k)) - /* Q2 := k/2 G2 */ - || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx)) - || !TEST_int_eq(EC_POINT_point2oct(group, Q2, - POINT_CONVERSION_UNCOMPRESSED, NULL, - 0, ctx), bsize) - || !TEST_ptr(b2 = OPENSSL_malloc(bsize)) - || !TEST_int_eq(EC_POINT_point2oct(group, Q2, - POINT_CONVERSION_UNCOMPRESSED, b2, - bsize, ctx), bsize) - /* Q1 = kG = k/2 G2 = Q2 should hold */ - || !TEST_mem_eq(b1, bsize, b2, bsize)) - goto err; - - if (!do_test_custom_explicit_fromdata(group, ctx, b1, bsize)) - goto err; - - ret = 1; - - err: - EC_POINT_free(Q1); - EC_POINT_free(Q2); - EC_POINT_free(G2); - EC_GROUP_free(group); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - OPENSSL_free(b1); - OPENSSL_free(b2); - - return ret; -} - 
-/* - * check creation of curves from explicit params through the public API - */ -static int custom_params_test(int id) -{ - int ret = 0, nid, bsize; - const char *curve_name = NULL; - EC_GROUP *group = NULL, *altgroup = NULL; - EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL; - const EC_POINT *Q = NULL; - BN_CTX *ctx = NULL; - BIGNUM *k = NULL; - unsigned char *buf1 = NULL, *buf2 = NULL; - const BIGNUM *z = NULL, *cof = NULL, *priv1 = NULL; - BIGNUM *p = NULL, *a = NULL, *b = NULL; - int is_prime = 0; - EC_KEY *eckey1 = NULL, *eckey2 = NULL; - EVP_PKEY *pkey1 = NULL, *pkey2 = NULL; - EVP_PKEY_CTX *pctx1 = NULL, *pctx2 = NULL; - size_t sslen, t; - unsigned char *pub1 = NULL , *pub2 = NULL; - OSSL_PARAM_BLD *param_bld = NULL; - OSSL_PARAM *params1 = NULL, *params2 = NULL; - - /* Do some setup */ - nid = curves[id].nid; - curve_name = OBJ_nid2sn(nid); - TEST_note("Curve %s", curve_name); - - if (nid == NID_sm2) - return TEST_skip("custom params not supported with SM2"); - - if (!TEST_ptr(ctx = BN_CTX_new())) - return 0; - - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) - goto err; - - is_prime = EC_GROUP_get_field_type(group) == NID_X9_62_prime_field; -#ifdef OPENSSL_NO_EC2M - if (!is_prime) { - ret = TEST_skip("binary curves not supported in this build"); - goto err; - } -#endif - - BN_CTX_start(ctx); - if (!TEST_ptr(p = BN_CTX_get(ctx)) - || !TEST_ptr(a = BN_CTX_get(ctx)) - || !TEST_ptr(b = BN_CTX_get(ctx)) - || !TEST_ptr(k = BN_CTX_get(ctx))) - goto err; - - /* expected byte length of encoded points */ - bsize = (EC_GROUP_get_degree(group) + 7) / 8; - bsize = 1 + 2 * bsize; /* UNCOMPRESSED_POINT format */ - - /* extract parameters from built-in curve */ - if (!TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)) - || !TEST_ptr(G2 = EC_POINT_new(group)) - /* new generator is G2 := 2G */ - || !TEST_true(EC_POINT_dbl(group, G2, - EC_GROUP_get0_generator(group), ctx)) - /* pull out the bytes of that */ - || !TEST_int_eq(EC_POINT_point2oct(group, G2, - 
POINT_CONVERSION_UNCOMPRESSED, - NULL, 0, ctx), bsize) - || !TEST_ptr(buf1 = OPENSSL_malloc(bsize)) - || !TEST_int_eq(EC_POINT_point2oct(group, G2, - POINT_CONVERSION_UNCOMPRESSED, - buf1, bsize, ctx), bsize) - || !TEST_ptr(z = EC_GROUP_get0_order(group)) - || !TEST_ptr(cof = EC_GROUP_get0_cofactor(group)) - ) - goto err; - - /* create a new group using same params (but different generator) */ - if (is_prime) { - if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GFp(p, a, b, ctx))) - goto err; - } -#ifndef OPENSSL_NO_EC2M - else { - if (!TEST_ptr(altgroup = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) - goto err; - } -#endif - - /* set 2*G as the generator of altgroup */ - EC_POINT_free(G2); /* discard G2 as it refers to the original group */ - if (!TEST_ptr(G2 = EC_POINT_new(altgroup)) - || !TEST_true(EC_POINT_oct2point(altgroup, G2, buf1, bsize, ctx)) - || !TEST_int_eq(EC_POINT_is_on_curve(altgroup, G2, ctx), 1) - || !TEST_true(EC_GROUP_set_generator(altgroup, G2, z, cof)) - ) - goto err; - - /* verify math checks out */ - if (/* allocate temporary points on group and altgroup */ - !TEST_ptr(Q1 = EC_POINT_new(group)) - || !TEST_ptr(Q2 = EC_POINT_new(altgroup)) - /* fetch a testing scalar k != 0,1 */ - || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1, - BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY)) - /* make k even */ - || !TEST_true(BN_clear_bit(k, 0)) - /* Q1 := kG on group */ - || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx)) - /* pull out the bytes of that */ - || !TEST_int_eq(EC_POINT_point2oct(group, Q1, - POINT_CONVERSION_UNCOMPRESSED, - NULL, 0, ctx), bsize) - || !TEST_int_eq(EC_POINT_point2oct(group, Q1, - POINT_CONVERSION_UNCOMPRESSED, - buf1, bsize, ctx), bsize) - /* k := k/2 */ - || !TEST_true(BN_rshift1(k, k)) - /* Q2 := k/2 G2 on altgroup */ - || !TEST_true(EC_POINT_mul(altgroup, Q2, k, NULL, NULL, ctx)) - /* pull out the bytes of that */ - || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2, - POINT_CONVERSION_UNCOMPRESSED, - NULL, 0, ctx), bsize) - || 
!TEST_ptr(buf2 = OPENSSL_malloc(bsize)) - || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q2, - POINT_CONVERSION_UNCOMPRESSED, - buf2, bsize, ctx), bsize) - /* Q1 = kG = k/2 G2 = Q2 should hold */ - || !TEST_mem_eq(buf1, bsize, buf2, bsize)) - goto err; - - /* create two `EC_KEY`s on altgroup */ - if (!TEST_ptr(eckey1 = EC_KEY_new()) - || !TEST_true(EC_KEY_set_group(eckey1, altgroup)) - || !TEST_true(EC_KEY_generate_key(eckey1)) - || !TEST_ptr(eckey2 = EC_KEY_new()) - || !TEST_true(EC_KEY_set_group(eckey2, altgroup)) - || !TEST_true(EC_KEY_generate_key(eckey2))) - goto err; - - /* retrieve priv1 for later */ - if (!TEST_ptr(priv1 = EC_KEY_get0_private_key(eckey1))) - goto err; - - /* - * retrieve bytes for pub1 for later - * - * We compute the pub key in the original group as we will later use it to - * define a provider key in the built-in group. - */ - if (!TEST_true(EC_POINT_mul(group, Q1, priv1, NULL, NULL, ctx)) - || !TEST_int_eq(EC_POINT_point2oct(group, Q1, - POINT_CONVERSION_UNCOMPRESSED, - NULL, 0, ctx), bsize) - || !TEST_ptr(pub1 = OPENSSL_malloc(bsize)) - || !TEST_int_eq(EC_POINT_point2oct(group, Q1, - POINT_CONVERSION_UNCOMPRESSED, - pub1, bsize, ctx), bsize)) - goto err; - - /* retrieve bytes for pub2 for later */ - if (!TEST_ptr(Q = EC_KEY_get0_public_key(eckey2)) - || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q, - POINT_CONVERSION_UNCOMPRESSED, - NULL, 0, ctx), bsize) - || !TEST_ptr(pub2 = OPENSSL_malloc(bsize)) - || !TEST_int_eq(EC_POINT_point2oct(altgroup, Q, - POINT_CONVERSION_UNCOMPRESSED, - pub2, bsize, ctx), bsize)) - goto err; - - /* create two `EVP_PKEY`s from the `EC_KEY`s */ - if(!TEST_ptr(pkey1 = EVP_PKEY_new()) - || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey1, eckey1), 1)) - goto err; - eckey1 = NULL; /* ownership passed to pkey1 */ - if(!TEST_ptr(pkey2 = EVP_PKEY_new()) - || !TEST_int_eq(EVP_PKEY_assign_EC_KEY(pkey2, eckey2), 1)) - goto err; - eckey2 = NULL; /* ownership passed to pkey2 */ - - /* Compute keyexchange in both directions */ - if 
(!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL)) - || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1) - || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) - || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1) - || !TEST_int_gt(bsize, sslen) - || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)) - goto err; - if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL)) - || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1) - || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1) - || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1) - || !TEST_int_gt(bsize, t) - || !TEST_int_le(sslen, t) - || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1)) - goto err; - - /* Both sides should expect the same shared secret */ - if (!TEST_mem_eq(buf1, sslen, buf2, t)) - goto err; - - /* Build parameters for provider-native keys */ - if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new()) - || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld, - OSSL_PKEY_PARAM_GROUP_NAME, - curve_name, 0)) - || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld, - OSSL_PKEY_PARAM_PUB_KEY, - pub1, bsize)) - || !TEST_true(OSSL_PARAM_BLD_push_BN(param_bld, - OSSL_PKEY_PARAM_PRIV_KEY, - priv1)) - || !TEST_ptr(params1 = OSSL_PARAM_BLD_to_param(param_bld))) - goto err; - - OSSL_PARAM_BLD_free(param_bld); - if (!TEST_ptr(param_bld = OSSL_PARAM_BLD_new()) - || !TEST_true(OSSL_PARAM_BLD_push_utf8_string(param_bld, - OSSL_PKEY_PARAM_GROUP_NAME, - curve_name, 0)) - || !TEST_true(OSSL_PARAM_BLD_push_octet_string(param_bld, - OSSL_PKEY_PARAM_PUB_KEY, - pub2, bsize)) - || !TEST_ptr(params2 = OSSL_PARAM_BLD_to_param(param_bld))) - goto err; - - /* create two new provider-native `EVP_PKEY`s */ - EVP_PKEY_CTX_free(pctx2); - if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) - || !TEST_true(EVP_PKEY_fromdata_init(pctx2)) - || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey1, EVP_PKEY_KEYPAIR, - params1)) - || !TEST_true(EVP_PKEY_fromdata(pctx2, &pkey2, EVP_PKEY_PUBLIC_KEY, - params2))) - goto err; - 
- /* compute keyexchange once more using the provider keys */ - EVP_PKEY_CTX_free(pctx1); - if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL)) - || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1) - || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) - || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &t), 1) - || !TEST_int_gt(bsize, t) - || !TEST_int_le(sslen, t) - || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &t), 1) - /* compare with previous result */ - || !TEST_mem_eq(buf1, t, buf2, sslen)) - goto err; - - ret = 1; - - err: - BN_CTX_end(ctx); - BN_CTX_free(ctx); - OSSL_PARAM_BLD_free(param_bld); - OSSL_PARAM_free(params1); - OSSL_PARAM_free(params2); - EC_POINT_free(Q1); - EC_POINT_free(Q2); - EC_POINT_free(G2); - EC_GROUP_free(group); - EC_GROUP_free(altgroup); - OPENSSL_free(buf1); - OPENSSL_free(buf2); - OPENSSL_free(pub1); - OPENSSL_free(pub2); - EC_KEY_free(eckey1); - EC_KEY_free(eckey2); - EVP_PKEY_free(pkey1); - EVP_PKEY_free(pkey2); - EVP_PKEY_CTX_free(pctx1); - EVP_PKEY_CTX_free(pctx2); - - return ret; -} - -int setup_tests(void) -{ - crv_len = EC_get_builtin_curves(NULL, 0); - if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len)) - || !TEST_true(EC_get_builtin_curves(curves, crv_len))) - return 0; - - ADD_TEST(parameter_test); - /*ADD_TEST(cofactor_range_test);*/ - ADD_ALL_TESTS(cardinality_test, crv_len); - ADD_TEST(prime_field_tests); -#ifndef OPENSSL_NO_EC2M - ADD_TEST(char2_field_tests); - ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests)); -#endif - ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params)); - ADD_ALL_TESTS(internal_curve_test, crv_len); - ADD_ALL_TESTS(internal_curve_test_method, crv_len); - ADD_TEST(group_field_test); - ADD_ALL_TESTS(check_named_curve_test, crv_len); - ADD_ALL_TESTS(check_named_curve_lookup_test, crv_len); - ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len); - ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len); - ADD_ALL_TESTS(ec_point_hex2point_test, crv_len); 
- /* ADD_ALL_TESTS(custom_generator_test, crv_len); - ADD_ALL_TESTS(custom_params_test, crv_len); */ - return 1; -} - -void cleanup_tests(void) -{ - OPENSSL_free(curves); -} diff --git a/hobble-openssl b/hobble-openssl deleted file mode 100755 index 9a23ca6..0000000 --- a/hobble-openssl +++ /dev/null @@ -1,40 +0,0 @@ -#!/bin/sh - -# Quit out if anything fails. -set -e - -# Clean out patent-or-otherwise-encumbered code. -# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway -# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore -# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore -# EC: ????????? ??/??/2020 -# SRP: ????????? ??/??/2017 - expired, we do not remove it anymore - -# Remove assembler portions of IDEA, MDC2, and RC5. -# (find crypto/rc5/asm -type f | xargs -r rm -fv) - -for c in `find crypto/bn -name "*gf2m.c"`; do - echo Destroying $c - > $c -done - -for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c"`; do - echo Destroying $c - > $c -done - -for c in `find test -name "ectest.c"`; do - echo Destroying $c - > $c -done - -for h in `find crypto ssl apps test -name "*.h"` ; do - echo Removing EC2M references from $h - cat $h | \ - awk 'BEGIN {ech=1;} \ - /^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \ - /^#[ \t]*if/ {if(ech < 1) ech--;} \ - {if(ech>0) {;print $0};} \ - /^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \ - mv $h.hobbled $h -done diff --git a/openssl.spec b/openssl.spec index fb54144..72726e0 100644 --- a/openssl.spec +++ b/openssl.spec 
@@ -29,21 +29,18 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 15%{?dist} +Release: 16%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. # The original openssl upstream tarball cannot be shipped in the .src.rpm. -Source: openssl-%{version}-hobbled.tar.gz -Source1: hobble-openssl +Source: openssl-%{version}.tar.gz Source2: Makefile.certificate Source3: genpatches Source6: make-dummy-cert Source7: renew-dummy-cert Source9: configuration-switch.h Source10: configuration-prefix.h -Source12: ec_curve.c -Source13: ectest.c Source14: 0025-for-tests.patch # Patches exported from source git @@ -65,11 +62,16 @@ Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch # Add check to see if fips flag is enabled in kernel Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch +# Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so +# that new modifications made to these files by upstream are not lost. +Patch10: 0010-Add-changes-to-ectest-and-eccurve.patch # remove unsupported EC curves Patch11: 0011-Remove-EC-curves.patch # Disable explicit EC curves # https://bugzilla.redhat.com/show_bug.cgi?id=2066412 Patch12: 0012-Disable-explicit-ec.patch +#Skipped tests from former 0011-Remove-EC-curves.patch +Patch13: 0013-skipped-tests-EC-curves.patch # Instructions to load legacy provider in openssl.cnf Patch24: 0024-load-legacy-prov.patch # Tmp: test name change 
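Review bot: The comment lines kept as context above `Source:` in the first hunk are now wrong: they still say the tarball is produced "with the hobble-openssl script which is included below" and that the upstream tarball "cannot be shipped in the .src.rpm", while this hunk drops `Source1: hobble-openssl` and switches to `openssl-%{version}.tar.gz`. They should state what holds after this commit, for example `# Unmodified upstream tarball; unsupported EC curves are removed by Patch11 and binary-field curves are disabled with the no-ec2m Configure option.` Since the package now carries the upstream tarball as-is, a short comment on how that tarball is checked against the upstream release would also help, because the `sources` file only pins a SHA512 of whatever was uploaded.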
@@ -246,13 +248,6 @@ from other formats to the formats used by the OpenSSL toolkit. %prep %autosetup -S git -n %{name}-%{version} -# The hobble_openssl is called here redundantly, just to be sure. -# The tarball has already the sources removed. -%{SOURCE1} > /dev/null - -cp %{SOURCE12} crypto/ec/ -cp %{SOURCE13} test/ - %build # Figure out which flags we want to use. # default @@ -520,6 +515,20 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Tue May 02 2023 Sahana Prasad - 1:3.0.7-16 +- Upload new upstream sources without manually hobbling them. +- Remove the hobbling script as it is redundant. It is now allowed to ship + the sources of patented EC curves, however it is still made unavailable to use + by compiling with the 'no-ec2m' Configure option. The additional forbidden + curves such as P-160, P-192, wap-tls curves are manually removed by updating + 0011-Remove-EC-curves.patch. +- Enable Brainpool curves. +- Apply the changes to ec_curve.c and ectest.c as a new patch + 0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them. +- Modify 0011-Remove-EC-curves.patch to allow Brainpool curves. +- Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M. + Resolves: rhbz#2130618, rhbz#2188180 + * Fri Apr 28 2023 Dmitry Belyavskiy - 1:3.0.7-15 - Backport implicit rejection for RSA PKCS#1 v1.5 encryption Resolves: rhbz#2153471 diff --git a/sources b/sources index e2d9a77..eb19998 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-3.0.7-hobbled.tar.gz) = 1aea183b0b6650d9d5e7ba87b613bb1692c71720b0e75377b40db336b40bad780f7e8ae8dfb9f60841eeb4381f4b79c4c5043210c96e7cb51f90791b80c8285e +SHA512 (openssl-3.0.7.tar.gz) = 6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424 From 032dc0839c49ec575e692fdbe7f82af309e4beef Mon Sep 17 00:00:00 2001 
From: Dmitry Belyavskiy Date: Tue, 9 May 2023 12:44:49 +0200 Subject: [PATCH 26/60] Enforce using EMS in FIPS mode - better alerts Related: rhbz#2157951 --- 0114-FIPS-enforce-EMS-support.patch | 54 +++++++++++++++++++++++++++++ openssl.spec | 6 +++- 2 files changed, 59 insertions(+), 1 deletion(-) diff --git a/0114-FIPS-enforce-EMS-support.patch b/0114-FIPS-enforce-EMS-support.patch index 41a6509..3b38deb 100644 --- a/0114-FIPS-enforce-EMS-support.patch +++ b/0114-FIPS-enforce-EMS-support.patch 
@@ -417,3 +417,57 @@ diff -up openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx op KDF = TLS1-PRF Ctrl.digest = digest:SHA256 Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf +diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c +--- openssl-3.0.7/ssl/t1_enc.c.noems 2023-05-05 11:15:57.934415272 +0200 ++++ openssl-3.0.7/ssl/t1_enc.c 2023-05-05 11:39:03.578163778 +0200 +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + /* seed1 through seed5 are concatenated */ + static int tls1_PRF(SSL *s, +@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s, + } + + err: +- if (fatal) +- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ if (fatal) { ++ /* The calls to this function are local so it's safe to implement the check */ ++ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); ++ else ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ } + else + ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); + EVP_KDF_CTX_free(kctx); +diff -up openssl-3.0.7/ssl/statem/extensions_srvr.c.noems openssl-3.0.7/ssl/statem/extensions_srvr.c +--- openssl-3.0.7/ssl/statem/extensions_srvr.c.noems 2023-05-05 17:14:04.663800271 +0200 ++++ openssl-3.0.7/ssl/statem/extensions_srvr.c 2023-05-05 17:20:33.764599507 +0200 +@@ -11,6 +11,7 @@ + #include "../ssl_local.h" + #include "statem_local.h" + #include "internal/cryptlib.h" ++#include + + #define COOKIE_STATE_FORMAT_VERSION 1 + +@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s + EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) + { +- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) ++ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) { ++ if (FIPS_mode()) { ++ SSLfatal(s, 
SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); ++ return EXT_RETURN_FAIL; ++ } + return EXT_RETURN_NOT_SENT; ++ } + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) + || !WPACKET_put_bytes_u16(pkt, 0)) { diff --git a/openssl.spec b/openssl.spec index 72726e0..1cf36f2 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 16%{?dist} +Release: 17%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -515,6 +515,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Tue May 09 2023 Dmitry Belyavskiy - 1:3.0.7-17 +- Enforce using EMS in FIPS mode - better alerts + Related: rhbz#2157951 + * Tue May 02 2023 Sahana Prasad - 1:3.0.7-16 - Upload new upstream sources without manually hobbling them. - Remove the hobbling script as it is redundant. It is now allowed to ship From 57f6d8f4a4453a2e49c51bac9ab54b800ff8829d Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 19 May 2023 17:47:59 +0200 Subject: [PATCH 27/60] Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode Resolves: rhbz#2160797 --- 0121-FIPS-cms-defaults.patch | 65 ++++++++++++++++++++++++++++++++++++ openssl.spec | 8 ++++- 2 files changed, 72 insertions(+), 1 deletion(-) create mode 100644 0121-FIPS-cms-defaults.patch diff --git a/0121-FIPS-cms-defaults.patch b/0121-FIPS-cms-defaults.patch new file mode 100644 index 0000000..7598512 --- /dev/null +++ b/0121-FIPS-cms-defaults.patch 
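Review bot: In the `tls1_PRF` part, the new `err:` branch picks the alert from the label alone: in FIPS mode any fatal failure whose `seed1` starts with `TLS_MD_MASTER_SECRET_CONST` is reported as `SSL_AD_HANDSHAKE_FAILURE` / `ERR_R_UNSUPPORTED`, whatever actually failed (the code before `err:` is outside the hunk, so the set of failures that reach it cannot be seen here). That can hide a genuine internal error behind a policy alert; setting a local flag at the point where the KDF rejects the non-EMS derivation and testing that flag here would be more precise. The comment `The calls to this function are local so it's safe to implement the check` does not say what is checked; something like `/* FIPS: a failed non-EMS master secret derivation is a policy rejection, not an internal error */` would. `tls_construct_stoc_ems` continues past the end of its inner hunk.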
@@ -0,0 +1,65 @@
+diff -up openssl-3.0.7/apps/cms.c.fips_cms openssl-3.0.7/apps/cms.c
+--- openssl-3.0.7/apps/cms.c.fips_cms 2023-05-18 14:03:56.360555106 +0200
++++ openssl-3.0.7/apps/cms.c 2023-05-18 14:13:33.765183185 +0200
+@@ -20,6 +20,7 @@
+ #include
+ #include
+ #include
++#include
+
+ static int save_certs(char *signerfile, STACK_OF(X509) *signers);
+ static int cms_cb(int ok, X509_STORE_CTX *ctx);
+@@ -810,12 +811,16 @@ int cms_main(int argc, char **argv)
+
+ if (operation == SMIME_ENCRYPT) {
+ if (!cipher) {
++ if (FIPS_mode()) {
++ cipher = (EVP_CIPHER *)EVP_aes_128_cbc();
++ } else {
+ #ifndef OPENSSL_NO_DES
+- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
++ cipher = (EVP_CIPHER *)EVP_des_ede3_cbc();
+ #else
+- BIO_printf(bio_err, "No cipher selected\n");
+- goto end;
++ BIO_printf(bio_err, "No cipher selected\n");
++ goto end;
+ #endif
++ }
+ }
+
+ if (secret_key && !secret_keyid) {
+diff -up openssl-3.0.7/crypto/cms/cms_env.c.fips_cms openssl-3.0.7/crypto/cms/cms_env.c
+--- openssl-3.0.7/crypto/cms/cms_env.c.fips_cms 2023-05-22 10:06:50.276528155 +0200
++++ openssl-3.0.7/crypto/cms/cms_env.c 2023-05-22 10:08:58.406073945 +0200
+@@ -14,6 +14,7 @@
+ #include
+ #include
+ #include
++#include
+ #include "internal/sizes.h"
+ #include "crypto/asn1.h"
+ #include "crypto/evp.h"
+@@ -321,6 +321,10 @@ static int cms_RecipientInfo_ktri_init(C
+ return 0;
+ if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0)
+ return 0;
++ if (FIPS_mode()) {
++ if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0)
++ return 0;
++ }
+ } else if (!ossl_cms_env_asn1_ctrl(ri, 0))
+ return 0;
+ return 1;
+@@ -484,6 +489,11 @@ static int cms_RecipientInfo_ktri_encryp
+
+ if (EVP_PKEY_encrypt_init(pctx) <= 0)
+ goto err;
++
++ if (FIPS_mode()) {
++ if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0)
++ goto err;
++ }
+ }
+
+ if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0)
diff --git a/openssl.spec b/openssl.spec
index 1cf36f2..115e467 100644
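Review bot: Both `cms_env.c` additions select OAEP with `EVP_PKEY_CTX_ctrl_str(..., "rsa_padding_mode", "oaep")` but leave the OAEP and MGF1 digests at the library default, which as far as I know is SHA-1. If that is not the intended FIPS default, set the digest right after the padding call, e.g. `EVP_PKEY_CTX_ctrl_str(pctx, "rsa_oaep_md", "sha256")`, and check its result the same way. Neither block says why the padding is forced; a one-line comment such as `/* FIPS: default to OAEP for RSA key transport (rhbz#2160797) */` above each `if (FIPS_mode())` would record it. Both enclosing functions start and end outside the inner hunks.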
--- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 17%{?dist} +Release: 18%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -192,6 +192,8 @@ Patch118: 0118-CVE-2023-1255.patch #https://github.com/openssl/openssl/pull/13817 #https://bugzilla.redhat.com/show_bug.cgi?id=2153471 Patch120: 0120-RSA-PKCS15-implicit-rejection.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2160797 +Patch121: 0121-FIPS-cms-defaults.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -515,6 +517,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Thu May 18 2023 Dmitry Belyavskiy - 1:3.0.7-18 +- Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode + Resolves: rhbz#2160797 + * Tue May 09 2023 Dmitry Belyavskiy - 1:3.0.7-17 - Enforce using EMS in FIPS mode - better alerts Related: rhbz#2157951 From b1d3f019d49aa613b69230cfd64128a89b002e75 Mon Sep 17 00:00:00 2001 
From: Clemens Lang Date: Tue, 23 May 2023 14:01:14 +0200 Subject: [PATCH 28/60] FIPS: Re-enable DHX, disable FIPS 186-4 groups For DH parameter and key pair generation/verification, the DSA procedures specified in FIPS 186-4 are used. With the release of FIPS 186-5 and the removal of DSA, the approved status of these groups is in peril. Once the transition for DSA ends (this transition will be 1 year long and start once CMVP has published the guidance), no more submissions claiming DSA will be allowed. Hence, FIPS 186-type parameters will also be automatically non-approved. Previously, we had addressed this by completely disabling the DHX key type in the OpenSSL FIPS provider, but the default encoding for DHX-type keys is X9.42 DH, which is used, for example, by kerberos. Re-enable DHX-type keys in the FIPS provider, but disable import and validation of any DH parameters that are not well-known groups, and remove DH parameter generation completely. Adjust tests to use well-known groups or larger DH groups where this change would now cause failures, and skip tests that are expected to fail due to this change. Signed-off-by: Clemens Lang Resolves: rhbz#2169757 --- ...S-186-4-type-parameters-in-FIPS-mode.patch | 344 ++++++++++++++++++ 0093-FIPS-nodhx.patch | 90 ----- openssl.spec | 8 +- 3 files changed, 350 insertions(+), 92 deletions(-) create mode 100644 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch delete mode 100644 0093-FIPS-nodhx.patch diff --git a/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch b/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch new file mode 100644 index 0000000..65bae6f --- /dev/null +++ b/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch 
@@ -0,0 +1,344 @@ +From 8a2d1b22ede5eeca4d104bb027b84f3ecfc69549 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Thu, 11 May 2023 12:51:59 +0200 +Subject: [PATCH] DH: Disable FIPS 186-4 type parameters in FIPS mode + +For DH parameter and key pair generation/verification, the DSA +procedures specified in FIPS 186-4 are used. With the release of FIPS +186-5 and the removal of DSA, the approved status of these groups is in +peril. Once the transition for DSA ends (this transition will be 1 year +long and start once CMVP has published the guidance), no more +submissions claiming DSA will be allowed. Hence, FIPS 186-type +parameters will also be automatically non-approved. + +In the FIPS provider, disable validation of any DH parameters that are +not well-known groups, and remove DH parameter generation completely. + +Adjust tests to use well-known groups or larger DH groups where this +change would now cause failures, and skip tests that are expected to +fail due to this change. + +Related: rhbz#2169757, rhbz#2169757 +Signed-off-by: Clemens Lang +--- + crypto/dh/dh_backend.c | 10 ++++ + crypto/dh/dh_check.c | 12 ++-- + crypto/dh/dh_gen.c | 12 +++- + crypto/dh/dh_key.c | 13 ++-- + crypto/dh/dh_pmeth.c | 10 +++- + providers/implementations/keymgmt/dh_kmgmt.c | 5 ++ + test/endecode_test.c | 4 +- + test/evp_libctx_test.c | 2 +- + test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++ + test/helpers/predefined_dhparams.h | 1 + + test/recipes/80-test_cms.t | 4 +- + test/recipes/80-test_ssl_old.t | 3 + + 12 files changed, 118 insertions(+), 20 deletions(-) + +diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c +index 726843fd30..24c65ca84f 100644 +--- a/crypto/dh/dh_backend.c ++++ b/crypto/dh/dh_backend.c +@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[]) + if (!dh_ffc_params_fromdata(dh, params)) + return 0; + ++#ifdef FIPS_MODULE ++ if (!ossl_dh_is_named_safe_prime_group(dh)) { ++ ERR_raise_data(ERR_LIB_DH, 
DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required validation routines" ++ " were removed from FIPS 186-5"); ++ return 0; ++ } ++#endif ++ + param_priv_len = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN); + if (param_priv_len != NULL +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index 0b391910d6..75581ca347 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret) + nid = DH_get_nid((DH *)dh); + if (nid != NID_undef) + return 1; ++ + /* +- * OR +- * (2b) FFC domain params conform to FIPS-186-4 explicit domain param +- * validity tests. ++ * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode. + */ +- return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params, +- FFC_PARAM_TYPE_DH, ret, NULL); ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required validation routines were" ++ " removed from FIPS 186-5"); ++ return 0; + } + #else + int DH_check_params(const DH *dh, int *ret) +diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c +index aec6b85316..9c55121067 100644 +--- a/crypto/dh/dh_gen.c ++++ b/crypto/dh/dh_gen.c +@@ -38,18 +38,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, + int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, + BN_GENCB *cb) + { +- int ret, res; ++ int ret = 0; + + #ifndef FIPS_MODULE ++ int res; ++ + if (type == DH_PARAMGEN_TYPE_FIPS_186_2) + ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, + pbits, qbits, &res, cb); + else +-#endif + ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, + pbits, qbits, &res, cb); ++#else ++ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */ ++ ERR_raise_data(ERR_LIB_DH, 
DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required generation routines were" ++ " removed from FIPS 186-5"); ++#endif + if (ret > 0) + dh->dirty_cnt++; + return ret; +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index 4e9705beef..14c0b0b6b3 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -308,8 +308,12 @@ static int generate_key(DH *dh) + goto err; + } else { + #ifdef FIPS_MODULE +- if (dh->params.q == NULL) +- goto err; ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer" ++ " allowed in FIPS mode, since the required" ++ " generation routines were removed from FIPS" ++ " 186-5"); ++ goto err; + #else + if (dh->params.q == NULL) { + /* secret exponent length, must satisfy 2^(l-1) <= p */ +@@ -330,9 +334,7 @@ static int generate_key(DH *dh) + if (!BN_clear_bit(priv_key, 0)) + goto err; + } +- } else +-#endif +- { ++ } else { + /* Do a partial check for invalid p, q, g */ + if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, NULL)) +@@ -348,6 +350,7 @@ static int generate_key(DH *dh) + priv_key)) + goto err; + } ++#endif + } + } + +diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c +index f201eede0d..30f90d15be 100644 +--- a/crypto/dh/dh_pmeth.c ++++ b/crypto/dh/dh_pmeth.c +@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx, + prime_len, subprime_len, &res, + pcb); + else +-# endif +- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */ +- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2) + rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params, + FFC_PARAM_TYPE_DH, + prime_len, subprime_len, &res, + pcb); ++# else ++ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */ ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, 
since the required generation routines were" ++ " removed from FIPS 186-5"); ++# endif + if (rv <= 0) { + DH_free(ret); + return NULL; +diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c +index 9a7dde7c66..b3e7bca5ac 100644 +--- a/providers/implementations/keymgmt/dh_kmgmt.c ++++ b/providers/implementations/keymgmt/dh_kmgmt.c +@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype) + if ((selection & DH_POSSIBLE_SELECTIONS) == 0) + return 1; /* nothing to validate */ + ++#ifdef FIPS_MODULE ++ /* In FIPS provider, always check the domain parameters to disallow ++ * operations on keys with FIPS 186-4 params. */ ++ selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS; ++#endif + if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { + /* + * Both of these functions check parameters. DH_check_params_ex() +diff --git a/test/endecode_test.c b/test/endecode_test.c +index e3f7b81f69..1b63daaed5 100644 +--- a/test/endecode_test.c ++++ b/test/endecode_test.c +@@ -80,10 +80,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams) + * for testing only. Use a minimum key size of 2048 for security purposes. 
+ */ + if (strcmp(type, "DH") == 0) +- return get_dh512(keyctx); ++ return get_dh2048(keyctx); + + if (strcmp(type, "X9.42 DH") == 0) +- return get_dhx512(keyctx); ++ return get_dhx_ffdhe2048(keyctx); + # endif + + /* +diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c +index 2448c35a14..92d484fb12 100644 +--- a/test/evp_libctx_test.c ++++ b/test/evp_libctx_test.c +@@ -188,7 +188,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn) + + if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL)) + || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0) +- || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected)) ++ || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected)) + goto err; + + if (expected) { +diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c +index 4bdadc4143..e5186e4b4a 100644 +--- a/test/helpers/predefined_dhparams.c ++++ b/test/helpers/predefined_dhparams.c +@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx) + dhx512_q, sizeof(dhx512_q)); + } + ++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx) ++{ ++ /* This is RFC 7919 ffdhe2048, since Red Hat removes support for ++ * non-well-known groups in FIPS mode. 
*/ ++ static unsigned char dhx_p[] = { ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58, ++ 0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1, ++ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41, ++ 0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9, ++ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02, ++ 0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61, ++ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55, ++ 0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35, ++ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda, ++ 0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35, ++ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82, ++ 0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb, ++ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3, ++ 0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19, ++ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1, ++ 0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61, ++ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32, ++ 0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73, ++ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83, ++ 0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa, ++ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff ++ }; ++ static unsigned char dhx_g[] = { ++ 0x02 ++ }; ++ static unsigned char dhx_q[] = { ++ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c, ++ 0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78, ++ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20, ++ 0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 
0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c, ++ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01, ++ 0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0, ++ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa, ++ 0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a, ++ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed, ++ 0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a, ++ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1, ++ 0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd, ++ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51, ++ 0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c, ++ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70, ++ 0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0, ++ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19, ++ 0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9, ++ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1, ++ 0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd, ++ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff ++ }; ++ ++ return get_dh_from_pg(libctx, "X9.42 DH", ++ dhx_p, sizeof(dhx_p), ++ dhx_g, sizeof(dhx_g), ++ dhx_q, sizeof(dhx_q)); ++} ++ + EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx) + { + static unsigned char dh1024_p[] = { +diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h +index f0e8709062..2ff6d6e721 100644 +--- a/test/helpers/predefined_dhparams.h ++++ b/test/helpers/predefined_dhparams.h +@@ -12,6 +12,7 @@ + #ifndef OPENSSL_NO_DH + EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx); ++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX 
*libct); + EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx); +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index cabbe3ecdf..efe56c5665 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -627,10 +627,10 @@ my @smime_cms_param_tests = ( + ], + + [ "enveloped content test streaming S/MIME format, X9.42 DH", +- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, ++ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, + "-stream", "-out", "{output}.cms", + "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], +- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), ++ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), + "-in", "{output}.cms", "-out", "{output}.txt" ], + \&final_compare + ] +diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t +index 8c52b637fc..31ed54621b 100644 +--- a/test/recipes/80-test_ssl_old.t ++++ b/test/recipes/80-test_ssl_old.t +@@ -390,6 +390,9 @@ sub testssl { + skip "skipping dhe1024dsa test", 1 + if ($no_dh); + ++ skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1 ++ if $provider eq "fips"; ++ + ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), + 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); + } +-- +2.40.1 + diff --git a/0093-FIPS-nodhx.patch b/0093-FIPS-nodhx.patch deleted file mode 100644 index 1a20aa3..0000000 --- a/0093-FIPS-nodhx.patch +++ /dev/null 
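Review bot: The named-group check at key-exchange init is not carried over: the replaced 0093-FIPS-nodhx.patch, deleted later in this commit, made `dh_init` and `dh_gen_set_template` return 0 when `ossl_ffc_numbers_to_dh_named_group(...)` gave NULL, while this patch enforces the rule only in `ossl_dh_params_fromdata`, `DH_check_params`, `generate_key` and `dh_validate`. That is sufficient only if every DH key used by the FIPS provider enters through `ossl_dh_params_fromdata`, which is not visible here; either keep the `dh_init` guard or state the assumption in `dh_backend.c`, e.g. `/* single enforcement point: FIPS-provider DH keys are always imported through here */`. In the `dh_pmeth.c` part the FIPS branch assigns nothing to `rv` before `if (rv <= 0)`; its declaration is outside the hunk, so confirm it is initialised. The same error text is spelled out five times and could live in one macro.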
@@ -1,90 +0,0 @@ -diff -up openssl-3.0.7/providers/fips/fipsprov.c.nodhx openssl-3.0.7/providers/fips/fipsprov.c ---- openssl-3.0.7/providers/fips/fipsprov.c.nodhx 2023-03-09 13:02:21.621694715 +0100 -+++ openssl-3.0.7/providers/fips/fipsprov.c 2023-03-09 13:02:34.001791831 +0100 -@@ -486,8 +486,8 @@ static const OSSL_ALGORITHM fips_keymgmt - #ifndef OPENSSL_NO_DH - { PROV_NAMES_DH, FIPS_DEFAULT_PROPERTIES, ossl_dh_keymgmt_functions, - PROV_DESCS_DH }, -- { PROV_NAMES_DHX, FIPS_DEFAULT_PROPERTIES, ossl_dhx_keymgmt_functions, -- PROV_DESCS_DHX }, -+/* { PROV_NAMES_DHX, FIPS_DEFAULT_PROPERTIES, ossl_dhx_keymgmt_functions, -+ PROV_DESCS_DHX }, */ - #endif - #ifndef OPENSSL_NO_DSA - /* We don't certify DSA in our FIPS provider */ -diff -up openssl-3.0.7/test/endecode_test.c.nodhx openssl-3.0.7/test/endecode_test.c ---- openssl-3.0.7/test/endecode_test.c.nodhx 2023-03-09 13:39:10.826000162 +0100 -+++ openssl-3.0.7/test/endecode_test.c 2023-03-09 13:41:26.533073598 +0100 -@@ -1356,7 +1358,9 @@ int setup_tests(void) - #ifndef OPENSSL_NO_DH - TEST_info("Generating DH keys..."); - MAKE_DOMAIN_KEYS(DH, "DH", NULL); -+if (is_fips == 0) { - MAKE_DOMAIN_KEYS(DHX, "X9.42 DH", NULL); -+} - #endif - #ifndef OPENSSL_NO_DSA - TEST_info("Generating DSA keys..."); -@@ -1386,8 +1390,10 @@ int setup_tests(void) - #ifndef OPENSSL_NO_DH - ADD_TEST_SUITE(DH); - ADD_TEST_SUITE_PARAMS(DH); -+if (is_fips == 0) { - ADD_TEST_SUITE(DHX); - ADD_TEST_SUITE_PARAMS(DHX); -+} - /* - * DH has no support for PEM_write_bio_PrivateKey_traditional(), - * so no legacy tests. 
-@@ -1465,7 +1471,9 @@ void cleanup_tests(void) - - #ifndef OPENSSL_NO_DH - FREE_DOMAIN_KEYS(DH); -+if (is_fips == 0) { - FREE_DOMAIN_KEYS(DHX); -+} - #endif - #ifndef OPENSSL_NO_DSA - FREE_DOMAIN_KEYS(DSA); -diff -up openssl-3.0.7/test/recipes/80-test_cms.t.nodhx openssl-3.0.7/test/recipes/80-test_cms.t ---- openssl-3.0.7/test/recipes/80-test_cms.t.nodhx 2023-03-09 13:31:36.851432859 +0100 -+++ openssl-3.0.7/test/recipes/80-test_cms.t 2023-03-09 13:32:35.987888417 +0100 -@@ -869,6 +869,8 @@ sub check_availability { - if ($no_ec2m && $tnam =~ /K-283/); - return "$tnam: skipped, DH disabled\n" - if ($no_dh && $tnam =~ /X9\.42/); -+ return "$tnam: skipped, DHX disabled in RHEL\n" -+ if ($provname eq 'fips' && $tnam =~ /X9\.42/); - return "$tnam: skipped, RC2 disabled\n" - if ($no_rc2 && $tnam =~ /RC2/); - return "$tnam: skipped, DES disabled\n" -diff -up openssl-3.0.7/providers/implementations/exchange/dh_exch.c.nodhx openssl-3.0.7/providers/implementations/exchange/dh_exch.c ---- openssl-3.0.7/providers/implementations/exchange/dh_exch.c.nodhx 2023-03-09 16:33:07.092040809 +0100 -+++ openssl-3.0.7/providers/implementations/exchange/dh_exch.c 2023-03-09 16:42:30.594837565 +0100 -@@ -102,6 +102,11 @@ static int dh_init(void *vpdhctx, void * - || vdh == NULL - || !DH_up_ref(vdh)) - return 0; -+#ifdef FIPS_MODULE -+ if (ossl_ffc_numbers_to_dh_named_group(DH_get0_p(vdh), -+ DH_get0_q(vdh), DH_get0_g(vdh)) == NULL) -+ return 0; -+#endif - DH_free(pdhctx->dh); - pdhctx->dh = vdh; - pdhctx->kdf_type = PROV_DH_KDF_NONE; -diff -up openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c.nodhx openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c ---- openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c.nodhx 2023-03-09 15:38:04.024555943 +0100 -+++ openssl-3.0.7/providers/implementations/keymgmt/dh_kmgmt.c 2023-03-09 16:32:04.142490068 +0100 -@@ -498,6 +499,11 @@ static int dh_gen_set_template(void *gen - - if (!ossl_prov_is_running() || gctx == NULL || dh == 
NULL) - return 0; -+#ifdef FIPS_MODULE -+ if (ossl_ffc_numbers_to_dh_named_group(DH_get0_p(dh), -+ DH_get0_q(dh), DH_get0_g(dh)) == NULL) -+ return 0; -+#endif - gctx->ffc_params = ossl_dh_get0_params(dh); - return 1; - } diff --git a/openssl.spec b/openssl.spec index 115e467..9dfb7f2 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 18%{?dist} +Release: 19%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -158,7 +158,7 @@ Patch91: 0091-FIPS-RSA-encapsulate.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2142517 Patch92: 0092-provider-improvements.patch # FIPS-95 -Patch93: 0093-FIPS-nodhx.patch +Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch # OpenSSL 3.0.8 CVEs Patch101: 0101-CVE-2022-4203-nc-match.patch @@ -517,6 +517,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Mon May 22 2023 Clemens Lang - 1:3.0.7-19 +- Re-enable DHX keys in FIPS mode, disable FIPS 186-4 parameter validation and generation in FIPS mode + Resolves: rhbz#2169757 + * Thu May 18 2023 Dmitry Belyavskiy - 1:3.0.7-18 - Use OAEP padding and aes-128-cbc by default in cms command in FIPS mode Resolves: rhbz#2160797 From 34e7dd5be43df981926973b9c0c01107d95e54b3 Mon Sep 17 00:00:00 2001 
From: Peter Leitmann Date: Wed, 24 May 2023 15:41:56 +0000 Subject: [PATCH 29/60] Add interop rpm-tmt-tests --- .fmf/version | 1 + ci.fmf | 1 + plans/gnutls-2way.fmf | 10 ++++++++++ plans/nss-2way.fmf | 10 ++++++++++ plans/nss-reneg.fmf | 10 ++++++++++ plans/short-interop-tests.fmf | 10 ++++++++++ 6 files changed, 42 insertions(+) create mode 100644 .fmf/version create mode 100644 ci.fmf create mode 100644 plans/gnutls-2way.fmf create mode 100644 plans/nss-2way.fmf create mode 100644 plans/nss-reneg.fmf create mode 100644 plans/short-interop-tests.fmf
diff --git a/.fmf/version b/.fmf/version
new file mode 100644
index 0000000..d00491f
--- /dev/null
+++ b/.fmf/version
@@ -0,0 +1 @@
+1
diff --git a/ci.fmf b/ci.fmf
new file mode 100644
index 0000000..c5aa0e0
--- /dev/null
+++ b/ci.fmf
@@ -0,0 +1 @@
+resultsdb-testcase: separate
diff --git a/plans/gnutls-2way.fmf b/plans/gnutls-2way.fmf
new file mode 100644
index 0000000..15a7595
--- /dev/null
+++ b/plans/gnutls-2way.fmf
@@ -0,0 +1,10 @@
+summary: Upstreamed interop-2way tests
+contact: Stanislav Zidek
+discover:
+ # upstreamed tests (public)
+ - name: interop-gnutls-2way
+ how: fmf
+ url: https://gitlab.com/redhat-crypto/tests/interop.git
+ filter: 'tag: interop-openssl & tag: interop-gnutls & tag: interop-2way'
+execute:
+ how: tmt
diff --git a/plans/nss-2way.fmf b/plans/nss-2way.fmf
new file mode 100644
index 0000000..05a8e33
--- /dev/null
+++ b/plans/nss-2way.fmf
@@ -0,0 +1,10 @@
+summary: Upstreamed interop-2way tests
+contact: Stanislav Zidek
+discover:
+ # upstreamed tests (public)
+ - name: interop-nss-2way
+ how: fmf
+ url: https://gitlab.com/redhat-crypto/tests/interop.git
+ filter: 'tag: interop-openssl & tag: interop-nss & tag: interop-2way'
+execute:
+ how: tmt
diff --git a/plans/nss-reneg.fmf b/plans/nss-reneg.fmf
new file mode 100644
index 0000000..4648f4c
--- /dev/null
+++ b/plans/nss-reneg.fmf
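Review bot: The `discover` step in `plans/gnutls-2way.fmf` fetches its tests from `https://gitlab.com/redhat-crypto/tests/interop.git` with no `ref`, so each CI run executes whatever the default branch of that repository holds at that moment; the same applies to `plans/nss-2way.fmf`, `plans/nss-reneg.fmf` and `plans/short-interop-tests.fmf`. Pinning a tag or commit with `ref: <tag-or-commit>` under each `url:` makes runs reproducible and keeps a change in the external repository from reaching this package's gating without review here.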
@@ -0,0 +1,10 @@ +summary: Upstreamed interop-2way tests +contact: Stanislav Zidek +discover: + # upstreamed tests (public) + - name: interop-nss-reneg + how: fmf + url: https://gitlab.com/redhat-crypto/tests/interop.git + filter: 'tag: interop-openssl & tag: interop-nss & tag: interop-reneg' +execute: + how: tmt diff --git a/plans/short-interop-tests.fmf b/plans/short-interop-tests.fmf new file mode 100644 index 0000000..7b610b2 --- /dev/null +++ b/plans/short-interop-tests.fmf @@ -0,0 +1,10 @@ +summary: Upstreamed interop tests - short tests which do not need to run in parallel +contact: Stanislav Zidek +discover: + # upstreamed tests (public) + - name: interop-other+basic + how: fmf + url: https://gitlab.com/redhat-crypto/tests/interop.git + filter: 'tag: interop-openssl & tag: -interop-slow' +execute: + how: tmt From 103d3109dc18032d5446c71764917f6bf25fbfaa Mon Sep 17 00:00:00 2001 From: Daiki Ueno Date: Mon, 29 May 2023 09:52:49 +0200 Subject: [PATCH 30/60] ci.fmf: Enable golang tests as reverse dependency This will trigger the tests for the golang package when the openssl package is updated, which would be particularly useful when openssl adds a new algorithm tightning. Manual configuration is necessary as Go applications dlopen's libcrypto.so.* and openssl doesn't normally appear as a dependency at RPM level. Signed-off-by: Daiki Ueno --- ci.fmf | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/ci.fmf b/ci.fmf index c5aa0e0..b15ef08 100644 --- a/ci.fmf +++ b/ci.fmf @@ -1 +1,6 @@ resultsdb-testcase: separate + +/test/build/dependent: + execute: + how: dependency + components: [golang] From df4dd7dd7feee99b0a6f9da2c0cc2538e462d019 Mon Sep 17 00:00:00 2001 
From: Dmitry Belyavskiy Date: Tue, 30 May 2023 16:29:57 +0200 Subject: [PATCH 31/60] Fix possible DoS translating ASN.1 object identifiers Resolves: CVE-2023-2650 --- 0122-CVE-2023-2650.patch | 30 ++++++++++++++++++++++++++++++ openssl.spec | 7 ++++++- 2 files changed, 36 insertions(+), 1 deletion(-) create mode 100644 0122-CVE-2023-2650.patch diff --git a/0122-CVE-2023-2650.patch b/0122-CVE-2023-2650.patch new file mode 100644 index 0000000..ba56969 --- /dev/null +++ b/0122-CVE-2023-2650.patch @@ -0,0 +1,30 @@ +diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c +index 01cde00e98..c0e55197a0 100644 +--- a/crypto/objects/obj_dat.c ++++ b/crypto/objects/obj_dat.c +@@ -443,6 +443,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) + first = 1; + bl = NULL; + ++ /* ++ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs: ++ * ++ * > 3.5. OBJECT IDENTIFIER values ++ * > ++ * > An OBJECT IDENTIFIER value is an ordered list of non-negative ++ * > numbers. For the SMIv2, each number in the list is referred to as a ++ * > sub-identifier, there are at most 128 sub-identifiers in a value, ++ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295 ++ * > decimal). ++ * ++ * So a legitimate OID according to this RFC is at most (32 * 128 / 7), ++ * i.e. 586 bytes long. ++ * ++ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 ++ */ ++ if (len > 586) ++ goto err; ++ + while (len > 0) { + l = 0; + use_bn = 0; diff --git a/openssl.spec b/openssl.spec index 9dfb7f2..f6889a5 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 19%{?dist} +Release: 20%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
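Review bot: The new `if (len > 586)` guard in OBJ_obj2txt() derives its bound from total bits (32 * 128 / 7), but a sub-identifier near 2^32-1 takes five base-128 bytes, so an OID that stays within the quoted RFC 2578 limits could still encode to more than 586 bytes and be rejected. If that stricter cut-off is intended, the comment should say so explicitly. The literal would also read better as a named constant placed next to the derivation, for example `#define OID_MAX_ENCODED_LEN 586` (name is a suggestion). The `err` label and the value returned on this path are outside the hunk.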
@@ -194,6 +194,7 @@ Patch118: 0118-CVE-2023-1255.patch Patch120: 0120-RSA-PKCS15-implicit-rejection.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2160797 Patch121: 0121-FIPS-cms-defaults.patch +Patch122: 0122-CVE-2023-2650.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -517,6 +518,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Tue May 30 2023 Dmitry Belyavskiy - 1:3.0.7-20 +- Fix possible DoS translating ASN.1 object identifiers + Resolves: CVE-2023-2650 + * Mon May 22 2023 Clemens Lang - 1:3.0.7-19 - Re-enable DHX keys in FIPS mode, disable FIPS 186-4 parameter validation and generation in FIPS mode Resolves: rhbz#2169757 From d1a87553bb9f3ed88e351acbf4cea1199a05f995 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 31 May 2023 16:21:07 +0200 Subject: [PATCH 32/60] Release the DRBG in global default libctx early Resolves: rhbz#2211340 --- 0123-ibmca-atexit-crash.patch | 244 ++++++++++++++++++++++++++++++++++ openssl.spec | 4 + 2 files changed, 248 insertions(+) create mode 100644 0123-ibmca-atexit-crash.patch diff --git a/0123-ibmca-atexit-crash.patch b/0123-ibmca-atexit-crash.patch new file mode 100644 index 0000000..893e598 --- /dev/null +++ b/0123-ibmca-atexit-crash.patch 
@@ -0,0 +1,244 @@ +diff --git a/crypto/context.c b/crypto/context.c +index bdfc4d02a3f0..548665fba265 100644 +--- a/crypto/context.c ++++ b/crypto/context.c +@@ -15,6 +15,7 @@ + #include "internal/bio.h" + #include "internal/provider.h" + #include "crypto/ctype.h" ++#include "crypto/rand.h" + + # include + # include +@@ -271,6 +272,20 @@ OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx) + + return NULL; + } ++ ++void ossl_release_default_drbg_ctx(void) ++{ ++ int dynidx = default_context_int.dyn_indexes[OSSL_LIB_CTX_DRBG_INDEX]; ++ ++ /* early release of the DRBG in global default libctx, no locking */ ++ if (dynidx != -1) { ++ void *data; ++ ++ data = CRYPTO_get_ex_data(&default_context_int.data, dynidx); ++ ossl_rand_ctx_free(data); ++ CRYPTO_set_ex_data(&default_context_int.data, dynidx, NULL); ++ } ++} + #endif + + OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx) +diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c +index c453d3226133..f341d915db76 100644 +--- a/crypto/rand/rand_lib.c ++++ b/crypto/rand/rand_lib.c +@@ -96,6 +96,7 @@ void ossl_rand_cleanup_int(void) + CRYPTO_THREAD_lock_free(rand_meth_lock); + rand_meth_lock = NULL; + # endif ++ ossl_release_default_drbg_ctx(); + rand_inited = 0; + } + +@@ -469,7 +470,7 @@ static void *rand_ossl_ctx_new(OSSL_LIB_CTX *libctx) + return NULL; + } + +-static void rand_ossl_ctx_free(void *vdgbl) ++void ossl_rand_ctx_free(void *vdgbl) + { + RAND_GLOBAL *dgbl = vdgbl; + +@@ -494,7 +495,7 @@ static void rand_ossl_ctx_free(void *vdgbl) + static const OSSL_LIB_CTX_METHOD rand_drbg_ossl_ctx_method = { + OSSL_LIB_CTX_METHOD_PRIORITY_2, + rand_ossl_ctx_new, +- rand_ossl_ctx_free, ++ ossl_rand_ctx_free, + }; + + static RAND_GLOBAL *rand_get_global(OSSL_LIB_CTX *libctx) +diff --git a/engines/e_dasync.c b/engines/e_dasync.c +index 5a303a9f8528..7974106ae219 100644 +--- a/engines/e_dasync.c ++++ b/engines/e_dasync.c +@@ -139,6 +139,14 @@ static int dasync_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, 
unsigned char *out, + const unsigned char *in, size_t inl); + static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx); + ++static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, ++ void *ptr); ++static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc); ++static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl); ++static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx); ++ + static int dasync_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, + int arg, void *ptr); + static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, +@@ -171,6 +179,12 @@ static const EVP_CIPHER *dasync_aes_128_cbc(void) + return _hidden_aes_128_cbc; + } + ++static EVP_CIPHER *_hidden_aes_256_ctr = NULL; ++static const EVP_CIPHER *dasync_aes_256_ctr(void) ++{ ++ return _hidden_aes_256_ctr; ++} ++ + /* + * Holds the EVP_CIPHER object for aes_128_cbc_hmac_sha1 in this engine. Set up + * once only during engine bind and can then be reused many times. 
+@@ -192,8 +206,10 @@ static const EVP_CIPHER *dasync_aes_128_cbc_hmac_sha1(void) + static void destroy_ciphers(void) + { + EVP_CIPHER_meth_free(_hidden_aes_128_cbc); ++ EVP_CIPHER_meth_free(_hidden_aes_256_ctr); + EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1); + _hidden_aes_128_cbc = NULL; ++ _hidden_aes_256_ctr = NULL; + _hidden_aes_128_cbc_hmac_sha1 = NULL; + } + +@@ -202,6 +218,7 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + + static int dasync_cipher_nids[] = { + NID_aes_128_cbc, ++ NID_aes_256_ctr, + NID_aes_128_cbc_hmac_sha1, + 0 + }; +@@ -284,6 +301,30 @@ static int bind_dasync(ENGINE *e) + _hidden_aes_128_cbc = NULL; + } + ++ _hidden_aes_256_ctr = EVP_CIPHER_meth_new(NID_aes_256_ctr, ++ 1 /* block size */, ++ 32 /* key len */); ++ if (_hidden_aes_256_ctr == NULL ++ || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_256_ctr,16) ++ || !EVP_CIPHER_meth_set_flags(_hidden_aes_256_ctr, ++ EVP_CIPH_FLAG_DEFAULT_ASN1 ++ | EVP_CIPH_CTR_MODE ++ | EVP_CIPH_FLAG_PIPELINE ++ | EVP_CIPH_CUSTOM_COPY) ++ || !EVP_CIPHER_meth_set_init(_hidden_aes_256_ctr, ++ dasync_aes256_init_key) ++ || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_256_ctr, ++ dasync_aes256_ctr_cipher) ++ || !EVP_CIPHER_meth_set_cleanup(_hidden_aes_256_ctr, ++ dasync_aes256_ctr_cleanup) ++ || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_256_ctr, ++ dasync_aes256_ctr_ctrl) ++ || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_256_ctr, ++ sizeof(struct dasync_pipeline_ctx))) { ++ EVP_CIPHER_meth_free(_hidden_aes_256_ctr); ++ _hidden_aes_256_ctr = NULL; ++ } ++ + _hidden_aes_128_cbc_hmac_sha1 = EVP_CIPHER_meth_new( + NID_aes_128_cbc_hmac_sha1, + 16 /* block size */, +@@ -445,6 +486,9 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, + case NID_aes_128_cbc: + *cipher = dasync_aes_128_cbc(); + break; ++ case NID_aes_256_ctr: ++ *cipher = dasync_aes_256_ctr(); ++ break; + case NID_aes_128_cbc_hmac_sha1: + *cipher = dasync_aes_128_cbc_hmac_sha1(); + break; +@@ -779,6 +823,29 @@ 
static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx) + return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc()); + } + ++static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, ++ void *ptr) ++{ ++ return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 0, EVP_aes_256_ctr()); ++} ++ ++static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, ++ const unsigned char *iv, int enc) ++{ ++ return dasync_cipher_init_key_helper(ctx, key, iv, enc, EVP_aes_256_ctr()); ++} ++ ++static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, ++ const unsigned char *in, size_t inl) ++{ ++ return dasync_cipher_helper(ctx, out, in, inl, EVP_aes_256_ctr()); ++} ++ ++static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx) ++{ ++ return dasync_cipher_cleanup_helper(ctx, EVP_aes_256_ctr()); ++} ++ + + /* + * AES128 CBC HMAC SHA1 Implementation +diff --git a/include/crypto/rand.h b/include/crypto/rand.h +index 6a71a339c812..165deaf95c5e 100644 +--- a/include/crypto/rand.h ++++ b/include/crypto/rand.h +@@ -125,4 +125,5 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle, + size_t ossl_pool_acquire_entropy(RAND_POOL *pool); + int ossl_pool_add_nonce_data(RAND_POOL *pool); + ++void ossl_rand_ctx_free(void *vdgbl); + #endif +diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h +index 1291299b6e50..934d4b089c20 100644 +--- a/include/internal/cryptlib.h ++++ b/include/internal/cryptlib.h +@@ -199,6 +199,8 @@ int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx, + int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn); + const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx); + ++void ossl_release_default_drbg_ctx(void); ++ + OSSL_LIB_CTX *ossl_crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad); + int ossl_crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj, + CRYPTO_EX_DATA *ad); +diff --git a/test/recipes/05-test_rand.t 
b/test/recipes/05-test_rand.t +index 4da1e64cb6da..3f352db9df3a 100644 +--- a/test/recipes/05-test_rand.t ++++ b/test/recipes/05-test_rand.t +@@ -11,9 +11,30 @@ use warnings; + use OpenSSL::Test; + use OpenSSL::Test::Utils; + +-plan tests => 3; ++plan tests => 5; + setup("test_rand"); + + ok(run(test(["rand_test"]))); + ok(run(test(["drbgtest"]))); + ok(run(test(["rand_status_test"]))); ++ ++SKIP: { ++ skip "engine is not supported by this OpenSSL build", 2 ++ if disabled("engine") || disabled("dynamic-engine"); ++ ++ my $success; ++ my @randdata; ++ my $expected = '0102030405060708090a0b0c0d0e0f10'; ++ ++ @randdata = run(app(['openssl', 'rand', '-engine', 'ossltest', '-hex', '16' ]), ++ capture => 1, statusvar => \$success); ++ chomp(@randdata); ++ ok($success and $randdata[0] eq $expected, ++ "rand with ossltest: Check rand output is as expected"); ++ ++ @randdata = run(app(['openssl', 'rand', '-engine', 'dasync', '-hex', '16' ]), ++ capture => 1, statusvar => \$success); ++ chomp(@randdata); ++ ok($success and length($randdata[0]) == 32, ++ "rand with dasync: Check rand output is of expected length"); ++} diff --git a/openssl.spec b/openssl.spec index f6889a5..5ca4f1e 100644 --- a/openssl.spec +++ b/openssl.spec @@ -195,6 +195,8 @@ Patch120: 0120-RSA-PKCS15-implicit-rejection.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2160797 Patch121: 0121-FIPS-cms-defaults.patch Patch122: 0122-CVE-2023-2650.patch +# https://github.com/openssl/openssl/pull/19386 +Patch123: 0123-ibmca-atexit-crash.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -521,6 +523,8 @@ install -m644 %{SOURCE9} \ * Tue May 30 2023 Dmitry Belyavskiy - 1:3.0.7-20 - Fix possible DoS translating ASN.1 object identifiers Resolves: CVE-2023-2650 +- Release the DRBG in global default libctx early + Resolves: rhbz#2211340 * Mon May 22 2023 Clemens Lang - 1:3.0.7-19 - Re-enable DHX keys in FIPS mode, disable FIPS 186-4 parameter validation and generation in FIPS mode 
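Review bot: ossl_release_default_drbg_ctx() in crypto/context.c calls ossl_rand_ctx_free(data) and only then clears the slot, ignoring the result of CRYPTO_set_ex_data(); if that call failed, the slot would keep a pointer to freed memory for the later libctx teardown. Clearing the slot first and freeing only on success avoids that: `if (CRYPTO_set_ex_data(&default_context_int.data, dynidx, NULL)) ossl_rand_ctx_free(data);`. The comment `/* early release of the DRBG in global default libctx, no locking */` should also state the precondition that makes the missing lock safe, e.g. `/* Called only from ossl_rand_cleanup_int(); no other thread may use the default libctx RNG here. */`. That precondition is inferred from the single call site added in rand_lib.c and should be confirmed. The function sits before an `#endif` whose opening guard is outside the hunk.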
From 05b87f449d6f14bca1a8e255d01bc632c2d833f8 Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Mon, 26 Jun 2023 10:15:57 +0200 Subject: [PATCH 33/60] Remove the listing of brainpool curves in FIPS mode Related: rhbz#2188180 Signed-off-by: Sahana Prasad --- 0045-FIPS-services-minimize.patch | 16 ++++++++++++++++ openssl.spec | 6 +++++- 2 files changed, 21 insertions(+), 1 deletion(-) diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch index bfee965..2ba9aab 100644 --- a/0045-FIPS-services-minimize.patch +++ b/0045-FIPS-services-minimize.patch @@ -737,3 +737,19 @@ diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen if (!ossl_prov_is_running()) return 0; +diff -up openssl-3.0.7/apps/ecparam.c.minfips openssl-3.0.7/apps/ecparam.c +--- openssl-3.0.7/apps/ecparam.c.minfips 2023-06-24 09:58:57.773344910 +0200 ++++ openssl-3.0.7/apps/ecparam.c 2023-06-26 09:18:06.843859405 +0200 +@@ -79,7 +79,11 @@ static int list_builtin_curves(BIO *out) + const char *comment = curves[n].comment; + const char *sname = OBJ_nid2sn(curves[n].nid); + +- if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL)) ++ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1) ++ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1) ++ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1) ++ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1) ++ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL)) + continue; + + if (comment == NULL) diff --git a/openssl.spec b/openssl.spec index 5ca4f1e..e4b4eeb 100644 --- a/openssl.spec +++ b/openssl.spec 
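Review bot: The condition added to list_builtin_curves() in apps/ecparam.c chains nine NID comparisons in a single `if`, which is hard to audit and easy to leave incomplete when another curve has to be hidden. Moving the set into a small helper with a `switch` keeps the FIPS-hidden list in one place and reduces the loop to a single readable test. This filter only affects the printed list; whether the same curves are refused for actual use is not visible in this hunk. list_builtin_curves() starts and ends outside the hunk.

```c
/* Curves that are not listed when the default properties enable FIPS. */
static int curve_hidden_in_fips(int nid)
{
    switch (nid) {
    case NID_secp256k1:
    case NID_brainpoolP256r1:
    case NID_brainpoolP256t1:
    case NID_brainpoolP320r1:
    case NID_brainpoolP320t1:
    case NID_brainpoolP384r1:
    case NID_brainpoolP384t1:
    case NID_brainpoolP512r1:
    case NID_brainpoolP512t1:
        return 1;
    default:
        return 0;
    }
}

/* … unchanged: comment and sname lookup at the top of the loop body … */
        if (curve_hidden_in_fips(curves[n].nid)
            && EVP_default_properties_is_fips_enabled(NULL))
            continue;
```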
@@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 20%{?dist} +Release: 21%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -520,6 +520,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Mon Jun 26 2023 Sahana Prasad - 1:3.0.7-21 +- Remove the listing of brainpool curves in FIPS mode. + Related: rhbz#2188180 + * Tue May 30 2023 Dmitry Belyavskiy - 1:3.0.7-20 - Fix possible DoS translating ASN.1 object identifiers Resolves: CVE-2023-2650 From 8fb737bf793f61a72b02d4aed45f4f4c2effa24a Mon Sep 17 00:00:00 2001 From: Sahana Prasad Date: Thu, 6 Jul 2023 10:38:36 +0200 Subject: [PATCH 34/60] Remove unsupported ec curves from nist_curves Resolves: rhbz#2069336 Signed-off-by: Sahana Prasad --- 0011-Remove-EC-curves.patch | 21 +++++++++++++++++++++ openssl.spec | 6 +++++- 2 files changed, 26 insertions(+), 1 deletion(-) diff --git a/0011-Remove-EC-curves.patch b/0011-Remove-EC-curves.patch index f6c733a..3bc38cb 100644 --- a/0011-Remove-EC-curves.patch +++ b/0011-Remove-EC-curves.patch 
@@ -234,3 +234,24 @@ diff -up ./test/recipes/15-test_genec.t.ec-curves ./test/recipes/15-test_genec.t P-224 P-256 P-384 +diff -up openssl-3.0.7/crypto/evp/ec_support.c.ec-remove openssl-3.0.7/crypto/evp/ec_support.c +--- openssl-3.0.7/crypto/evp/ec_support.c.ec-remove 2023-07-06 10:30:10.152621369 +0200 ++++ openssl-3.0.7/crypto/evp/ec_support.c 2023-07-06 10:34:00.557091758 +0200 +@@ -74,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *n + /* Functions to translate between common NIST curve names and NIDs */ + + static const EC_NAME2NID nist_curves[] = { +- {"B-163", NID_sect163r2}, +- {"B-233", NID_sect233r1}, +- {"B-283", NID_sect283r1}, +- {"B-409", NID_sect409r1}, +- {"B-571", NID_sect571r1}, +- {"K-163", NID_sect163k1}, +- {"K-233", NID_sect233k1}, +- {"K-283", NID_sect283k1}, +- {"K-409", NID_sect409k1}, +- {"K-571", NID_sect571k1}, +- {"P-192", NID_X9_62_prime192v1}, + {"P-224", NID_secp224r1}, + {"P-256", NID_X9_62_prime256v1}, + {"P-384", NID_secp384r1}, diff --git a/openssl.spec b/openssl.spec index e4b4eeb..76466df 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 21%{?dist} +Release: 22%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -520,6 +520,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Thu Jul 06 2023 Sahana Prasad - 1:3.0.7-22 +- Remove unsupported curves from nist_curves. + Resolves: rhbz#2069336 + * Mon Jun 26 2023 Sahana Prasad - 1:3.0.7-21 - Remove the listing of brainpool curves in FIPS mode. Related: rhbz#2188180 From 217cd631e87e6d0912fe35e7f0d2300ab8d95e84 Mon Sep 17 00:00:00 2001 
From: Dmitry Belyavskiy Date: Tue, 11 Jul 2023 16:37:16 +0200 Subject: [PATCH 35/60] Add a workaround for lack of EMS in FIPS mode Resolves: rhbz#2216256 --- 0032-Force-fips.patch | 31 +++++++++-- 0078-KDF-Add-FIPS-indicators.patch | 40 +++++++------- 0114-FIPS-enforce-EMS-support.patch | 86 +++++++++++++++++++++++++---- openssl.spec | 6 +- 4 files changed, 126 insertions(+), 37 deletions(-) diff --git a/0032-Force-fips.patch b/0032-Force-fips.patch index 1a4ea0d..5f82475 100644 --- a/0032-Force-fips.patch +++ b/0032-Force-fips.patch @@ -7,6 +7,14 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c --- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200 +++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200 +@@ -36,6 +36,7 @@ static int prov_already_activated(const + #include + #include + #include ++#include + #include + #include + #include @@ -136,58 +136,18 @@ static int prov_already_activated(const return 0; } 
@@ -143,17 +151,28 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi } else { OSSL_PROVIDER_INFO entry; -@@ -306,6 +317,19 @@ static int provider_conf_init(CONF_IMODU +@@ -306,6 +317,30 @@ static int provider_conf_init(CONF_IMODU return 0; } + if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */ + OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf); -+ PROVIDER_CONF_GLOBAL *pcgbl -+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, -+ &provider_conf_ossl_ctx_method); -+ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) -+ return 0; ++# define FIPS_LOCAL_CONF OPENSSLDIR "/fips_local.cnf" ++ ++ if (access(FIPS_LOCAL_CONF, R_OK) == 0) { ++ CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default()); ++ if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0) ++ return 0; ++ ++ if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) { ++ NCONF_free(fips_conf); ++ return 0; ++ } ++ NCONF_free(fips_conf); ++ } else { ++ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) ++ return 0; ++ } + if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) + return 0; + if (EVP_default_properties_enable_fips(libctx, 1) != 1) diff --git a/0078-KDF-Add-FIPS-indicators.patch b/0078-KDF-Add-FIPS-indicators.patch index 1090ffa..40e390a 100644 --- a/0078-KDF-Add-FIPS-indicators.patch +++ b/0078-KDF-Add-FIPS-indicators.patch @@ -115,7 +115,7 @@ index dfa7786bde..f01e40ff5a 100644 size_t info_len; + int is_tls13; +#ifdef FIPS_MODULE -+ int output_keylen_indicator; ++ int fips_indicator; +#endif /* defined(FIPS_MODULE) */ } KDF_HKDF; @@ -126,7 +126,7 @@ index dfa7786bde..f01e40ff5a 100644 +#ifdef FIPS_MODULE + if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; +#endif /* defined(FIPS_MODULE) */ + switch (ctx->mode) { 
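Review bot: In the `fips_local.cnf` branch added to provider_conf_init(), `fips_conf` is leaked when NCONF_load() fails, and the result of NCONF_new_ex() is not checked before use. Both error paths should free the CONF and return 0, as the provider_conf_load() failure path already does. The preceding `access(FIPS_LOCAL_CONF, R_OK)` test also means an existing but unreadable file silently falls back to the built-in activation; a comment stating that this fallback is intended would help the next reader. provider_conf_init() continues outside the hunk.

```c
        if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
            CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());

            if (fips_conf == NULL)
                return 0;
            /* Free the CONF on every failure path, not only the second one. */
            if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0
                || provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) {
                NCONF_free(fips_conf);
                return 0;
            }
            NCONF_free(fips_conf);
        } else {
            /* … unchanged: provider_conf_activate(libctx, "fips", …) … */
        }
```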
@@ -172,7 +172,7 @@ index dfa7786bde..f01e40ff5a 100644 + * be longer than that. If a derived key has ever been shorter than + * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we + * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + + if (ctx->is_tls13) { @@ -248,7 +248,7 @@ index dfa7786bde..f01e40ff5a 100644 +#ifdef FIPS_MODULE + if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; +#endif /* defined(FIPS_MODULE) */ + switch (ctx->mode) { @@ -282,7 +282,7 @@ index a542f84dfa..6b6dfb94ac 100644 int use_l; int use_separator; +#ifdef FIPS_MODULE -+ int output_keylen_indicator; ++ int fips_indicator; +#endif /* defined(FIPS_MODULE) */ } KBKDF; @@ -301,7 +301,7 @@ index a542f84dfa..6b6dfb94ac 100644 +#ifdef FIPS_MODULE + if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; +#endif /* defined(FIPS_MODULE) */ + h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init); @@ -355,7 +355,7 @@ index a542f84dfa..6b6dfb94ac 100644 + * be longer than that. If a derived key has ever been shorter than + * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we + * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + + /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module 
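Review bot: The comment above the renamed check still refers to `ctx->output_keyelen_indicator`, a name that no longer exists after this rename to `fips_indicator` and was misspelled even before it. It should read `ctx->fips_indicator` here and in the matching comments of the hunks at -355, -465, -609, -753 and -866. The field now appears to record more than a short output key, so the comment should describe it as the context's accumulated indicator; that wider use is inferred from the EMS change later in this commit.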
@@ -409,7 +409,7 @@ index c592ba72f1..4a52b38266 100644 unsigned char *session_id; size_t session_id_len; +#ifdef FIPS_MODULE -+ int output_keylen_indicator; ++ int fips_indicator; +#endif /* defined(FIPS_MODULE) */ } KDF_SSHKDF; @@ -421,7 +421,7 @@ index c592ba72f1..4a52b38266 100644 + +#ifdef FIPS_MODULE + if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; +#endif /* defined(FIPS_MODULE) */ + return SSHKDF(md, ctx->key, ctx->key_len, @@ -465,7 +465,7 @@ index c592ba72f1..4a52b38266 100644 + * be longer than that. If a derived key has ever been shorter than + * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we + * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + + /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module @@ -518,7 +518,7 @@ index eb54972e1c..23865cd70f 100644 size_t out_len; /* optional KMAC parameter */ + int is_x963kdf; +#ifdef FIPS_MODULE -+ int output_keylen_indicator; ++ int fips_indicator; +#endif /* defined(FIPS_MODULE) */ } KDF_SSKDF; @@ -554,7 +554,7 @@ index eb54972e1c..23865cd70f 100644 +#ifdef FIPS_MODULE + if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; +#endif /* defined(FIPS_MODULE) */ + if (ctx->macctx != NULL) { 
@@ -566,7 +566,7 @@ index eb54972e1c..23865cd70f 100644 +#ifdef FIPS_MODULE + if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; +#endif /* defined(FIPS_MODULE) */ + return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len, @@ -609,7 +609,7 @@ index eb54972e1c..23865cd70f 100644 + * be longer than that. If a derived key has ever been shorter than + * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we + * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + + /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module @@ -682,7 +682,7 @@ index a4d64b9352..f6782a6ca2 100644 + PROV_DIGEST digest; + +#ifdef FIPS_MODULE -+ int output_keylen_indicator; ++ int fips_indicator; +#endif /* defined(FIPS_MODULE) */ } TLS1_PRF; @@ -701,7 +701,7 @@ index a4d64b9352..f6782a6ca2 100644 } +#ifdef FIPS_MODULE + if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; +#endif /* defined(FIPS_MODULE) */ return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, 
@@ -753,7 +753,7 @@ index a4d64b9352..f6782a6ca2 100644 + * be longer than that. If a derived key has ever been shorter than + * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we + * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + + /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3) @@ -813,7 +813,7 @@ index b1bc6f7e1b..8173fc2cc7 100644 size_t cek_oid_len; int use_keybits; +#ifdef FIPS_MODULE -+ int output_keylen_indicator; ++ int fips_indicator; +#endif /* defined(FIPS_MODULE) */ } KDF_X942; @@ -824,7 +824,7 @@ index b1bc6f7e1b..8173fc2cc7 100644 } +#ifdef FIPS_MODULE + if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) -+ ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; +#endif /* defined(FIPS_MODULE) */ ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, der, der_len, ctr, key, keylen); @@ -866,7 +866,7 @@ index b1bc6f7e1b..8173fc2cc7 100644 + * be longer than that. If a derived key has ever been shorter than + * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we + * should also set the returned FIPS indicator to unapproved. */ -+ if (ctx->output_keylen_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) + fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + + /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module diff --git a/0114-FIPS-enforce-EMS-support.patch b/0114-FIPS-enforce-EMS-support.patch index 3b38deb..d10901f 100644 --- a/0114-FIPS-enforce-EMS-support.patch +++ b/0114-FIPS-enforce-EMS-support.patch 
@@ -151,7 +151,7 @@ index b86b27d236f3..b881f46f36ad 100644 fgbl->fips_security_checks = 1; fgbl->fips_security_check_option = "1"; -+ fgbl->fips_tls1_prf_ems_check = 1; /* Enabled */ ++ fgbl->fips_tls1_prf_ems_check = 1; /* Enabled by default */ + fgbl->fips_tls1_prf_ems_check_option = "1"; + return fgbl; @@ -161,7 +161,7 @@ index b86b27d236f3..b881f46f36ad 100644 OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0), OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0), OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0), -+ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, OSSL_PARAM_INTEGER, NULL, 0), /* Ignored in RHEL */ ++ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, OSSL_PARAM_INTEGER, NULL, 0), OSSL_PARAM_END }; @@ -182,10 +182,10 @@ index b86b27d236f3..b881f46f36ad 100644 OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, (char **)&fgbl->fips_security_check_option, sizeof(fgbl->fips_security_check_option)); -+ /* *p++ = OSSL_PARAM_construct_utf8_ptr( ++ *p++ = OSSL_PARAM_construct_utf8_ptr( + OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, + (char **)&fgbl->fips_tls1_prf_ems_check_option, -+ sizeof(fgbl->fips_tls1_prf_ems_check_option)); */ /* Ignored in RHEL */ ++ sizeof(fgbl->fips_tls1_prf_ems_check_option)); *p = OSSL_PARAM_construct_end(); if (!c_get_params(fgbl->handle, core_params)) { 
@@ -199,12 +199,14 @@ index b86b27d236f3..b881f46f36ad 100644 return 1; } -@@ -703,6 +718,9 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, +@@ -703,6 +718,11 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, && strcmp(fgbl->fips_security_check_option, "0") == 0) fgbl->fips_security_checks = 0; -+ /* Enable the ems check. */ -+ fgbl->fips_tls1_prf_ems_check = 1; ++ /* Disable the ems check if it's disabled in the fips config file. */ ++ if (fgbl->fips_tls1_prf_ems_check_option != NULL ++ && strcmp(fgbl->fips_tls1_prf_ems_check_option, "0") == 0) ++ fgbl->fips_tls1_prf_ems_check = 0; + ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers); @@ -268,8 +270,8 @@ index 8a3807308408..2c2dbf31cc0b 100644 if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params)) return 0; -@@ -181,6 +192,21 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, - ctx->output_keylen_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; +@@ -181,6 +192,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; #endif /* defined(FIPS_MODULE) */ + /* @@ -278,6 +280,12 @@ index 8a3807308408..2c2dbf31cc0b 100644 + * We do the check this way since the PRF is used for other purposes, as well + * as "extended master secret". + */ ++#ifdef FIPS_MODULE ++ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, ++ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ + if (ossl_tls1_prf_ems_check_enabled(libctx)) { + if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE + && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, 
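Review bot: The block added to kdf_tls1_prf_derive() repeats the `seedlen`/`memcmp` test against TLS_MD_MASTER_SECRET_CONST that the ossl_tls1_prf_ems_check_enabled() branch directly below it also performs, so the two copies can drift apart. Evaluating the test once into a local and using it for both the indicator and the rejection would keep them in step. The existing explanation of the label check now sits above the `#ifdef FIPS_MODULE` block, so the new block deserves its own line such as `/* Non-EMS master secret derivation is never FIPS-approved, even when the check is disabled. */`. The function continues outside the hunk.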
@@ -462,7 +470,7 @@ diff -up openssl-3.0.7/ssl/statem/extensions_srvr.c.noems openssl-3.0.7/ssl/stat { - if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) + if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) { -+ if (FIPS_mode()) { ++ if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); + return EXT_RETURN_FAIL; + } 
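Review bot: The rewritten condition `if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) {` adds a way around the extended-master-secret requirement with no comment at the point of use. I would add `/* In FIPS mode a peer without EMS is refused unless SSL_OP_RH_PERMIT_NOEMS_FIPS is set */` above it and remove the stray space in `) )`. Nothing in the visible lines marks the resulting session as negotiated without EMS, so it is worth confirming that this state is observable elsewhere. The enclosing function starts outside the hunk.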
@@ -471,3 +479,61 @@ diff -up openssl-3.0.7/ssl/statem/extensions_srvr.c.noems openssl-3.0.7/ssl/stat if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) || !WPACKET_put_bytes_u16(pkt, 0)) { +diff -up openssl-3.0.7/include/openssl/ssl.h.in.fipsems openssl-3.0.7/include/openssl/ssl.h.in +--- openssl-3.0.7/include/openssl/ssl.h.in.fipsems 2023-07-11 12:35:27.951610366 +0200 ++++ openssl-3.0.7/include/openssl/ssl.h.in 2023-07-11 12:36:25.234754680 +0200 +@@ -412,6 +412,7 @@ typedef int (*SSL_async_callback_fn)(SSL + * interoperability with CryptoPro CSP 3.x + */ + # define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) ++# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48) + + /* + * Option "collections." +diff -up openssl-3.0.7/ssl/ssl_conf.c.fipsems openssl-3.0.7/ssl/ssl_conf.c +--- openssl-3.0.7/ssl/ssl_conf.c.fipsems 2023-07-11 12:36:51.465278672 +0200 ++++ openssl-3.0.7/ssl/ssl_conf.c 2023-07-11 12:44:53.365675720 +0200 +@@ -387,6 +387,7 @@ static const ssl_conf_cmd_tbl ssl_conf_c + SSL_FLAG_TBL("ClientRenegotiation", + SSL_OP_ALLOW_CLIENT_RENEGOTIATION), + SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), ++ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS), + SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), + SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), + SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), +diff -up openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod +--- openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems 2023-07-12 13:54:22.508235187 +0200 ++++ openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod 2023-07-12 13:56:51.089613902 +0200 +@@ -524,6 +524,9 @@ B: use extended ma + default. Inverse of B: that is, + B<-ExtendedMasterSecret> is the same as setting B. + ++B: allow establishing connections without EMS in FIPS mode. ++This is a RedHat-based OS specific option, and normally it should be set up via crypto policies. 
++ + B: use CA names extension, enabled by + default. Inverse of B: that is, + B<-CANames> is the same as setting B. +diff -up openssl-3.0.7/doc/man5/fips_config.pod.fipsems openssl-3.0.7/doc/man5/fips_config.pod +--- openssl-3.0.7/doc/man5/fips_config.pod.fipsems 2023-07-12 15:39:57.732206731 +0200 ++++ openssl-3.0.7/doc/man5/fips_config.pod 2023-07-12 15:53:45.722885419 +0200 +@@ -11,6 +11,19 @@ automatically loaded when the system is + environment variable B is set. See the documentation + for more information. + ++Red Hat Enterprise Linux uses a supplementary config for FIPS module located in ++OpenSSL configuration directory and managed by crypto policies. If present, it ++should have format ++ ++ [fips_sect] ++ tls1-prf-ems-check = 0 ++ activate = 1 ++ ++The B option specifies whether FIPS module will require the ++presence of extended master secret or not. ++ ++The B option enforces FIPS provider activation. ++ + =head1 COPYRIGHT + + Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/openssl.spec b/openssl.spec index 76466df..fd73673 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 22%{?dist} +Release: 23%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -520,6 +520,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Tue Jul 11 2023 Dmitry Belyavskiy - 1:3.0.7-23 +- Add a workaround for lack of EMS in FIPS mode + Resolves: rhbz#2216256 + * Thu Jul 06 2023 Sahana Prasad - 1:3.0.7-22 - Remove unsupported curves from nist_curves. Resolves: rhbz#2069336 From d30c497ed1125a1e780be4cf1c713041353bc88a Mon Sep 17 00:00:00 2001 
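Review bot: `# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48)` is added in ssl.h.in without a comment, directly under the comment block that describes SSL_OP_CRYPTOPRO_TLSEXT_BUG, so a reader could attribute that description to the new option. I would put `/* Red Hat specific: permit connections without extended master secret in FIPS mode */` above the define and note there that bit 48 is a downstream allocation. The SSL_CONF_cmd.pod entry says the option is normally set through crypto policies; stating in the same sentence that it relaxes a FIPS-mode requirement would help whoever audits a configuration.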
From: Dmitry Belyavskiy Date: Wed, 12 Jul 2023 17:59:35 +0200 Subject: [PATCH 36/60] Make FIPS module configuration more crypto-policies friendly Related: rhbz#2216256 --- openssl.spec | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/openssl.spec b/openssl.spec index fd73673..5a65b10 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 23%{?dist} +Release: 24%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -467,6 +467,7 @@ cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h >> \ install -m644 %{SOURCE9} \ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h %endif +ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fips_local.cnf %files %{!?_licensedir:%global license %%doc} @@ -491,6 +492,7 @@ install -m644 %{SOURCE9} \ %dir %{_sysconfdir}/pki/tls/private %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf %config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf +%config %{_sysconfdir}/pki/tls/fips_local.cnf %attr(0755,root,root) %{_libdir}/libcrypto.so.%{version} %{_libdir}/libcrypto.so.%{soversion} %attr(0755,root,root) %{_libdir}/libssl.so.%{version} @@ -520,6 +522,10 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 +- Make FIPS module configuration more crypto-policies friendly + Related: rhbz#2216256 + * Tue Jul 11 2023 Dmitry Belyavskiy - 1:3.0.7-23 - Add a workaround for lack of EMS in FIPS mode Resolves: rhbz#2216256 From 131e7d16022bc8f7513e70f888c9b5690da802ed Mon Sep 17 00:00:00 2001 
From: Dmitry Belyavskiy Date: Thu, 12 Oct 2023 14:07:54 +0200 Subject: [PATCH 37/60] Provide relevant diagnostics when FIPS checksum is corrupted Resolves: RHEL-5317 --- 0032-Force-fips.patch | 5 ++++- openssl.spec | 6 +++++- 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/0032-Force-fips.patch b/0032-Force-fips.patch index 5f82475..4dc9774 100644 --- a/0032-Force-fips.patch +++ b/0032-Force-fips.patch @@ -151,7 +151,7 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi } else { OSSL_PROVIDER_INFO entry; -@@ -306,6 +317,30 @@ static int provider_conf_init(CONF_IMODU +@@ -306,6 +317,33 @@ static int provider_conf_init(CONF_IMODU return 0; } @@ -173,6 +173,9 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi + if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) + return 0; + } ++ /* provider_conf_load can return 1 even wwhen the test is failed so check explicitly */ ++ if (OSSL_PROVIDER_available(libctx, "fips") != 1) ++ return 0; + if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) + return 0; + if (EVP_default_properties_enable_fips(libctx, 1) != 1) diff --git a/openssl.spec b/openssl.spec index 5a65b10..f689e74 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 24%{?dist} +Release: 25%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
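Review bot: The comment added ahead of the `OSSL_PROVIDER_available(libctx, "fips") != 1` check misspells "wwhen" and names `provider_conf_load`, while the call visible directly above it is `provider_conf_activate`. I would write `/* Activation can report success even when the FIPS self-test has failed, so check availability explicitly */`, naming whichever call is actually meant. The new `return 0` puts nothing on the error queue in the lines shown. If the aim of the change is a clear diagnostic for a corrupted checksum, an `ERR_raise` at this point would provide one, unless a caller outside the hunk already reports it. provider_conf_init starts and ends outside this hunk.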
@@ -522,6 +522,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog +* Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 +- Provide relevant diagnostics when FIPS checksum is corrupted + Resolves: RHEL-5317 + * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly Related: rhbz#2216256 From 223304543ac58a99ca7822087eb1fbb3f9254721 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 16 Oct 2023 11:06:19 +0200 Subject: [PATCH 38/60] Don't limit using SHA1 in KDFs in non-FIPS mode. Resolves: RHEL-5295 --- 0049-Selectively-disallow-SHA1-signatures.patch | 16 ---------------- openssl.spec | 2 ++ 2 files changed, 2 insertions(+), 16 deletions(-) diff --git a/0049-Selectively-disallow-SHA1-signatures.patch b/0049-Selectively-disallow-SHA1-signatures.patch index d453f97..4b6ecf2 100644 --- a/0049-Selectively-disallow-SHA1-signatures.patch +++ b/0049-Selectively-disallow-SHA1-signatures.patch @@ -287,22 +287,6 @@ index 699ada7c52..e534ad0a5f 100644 return mdnid; } -@@ -244,5 +254,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX *ctx, const EVP_MD *md) - if (ossl_securitycheck_enabled(ctx)) - return ossl_digest_get_approved_nid(md) != NID_undef; - # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ -+ -+#ifndef FIPS_MODULE -+ { -+ int mdnid = EVP_MD_nid(md); -+ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1) -+ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) -+ return 0; -+ } -+#endif -+ - return 1; - } diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c index de7f0d3a0a..ce54a94fbc 100644 --- a/providers/common/securitycheck_default.c diff --git a/openssl.spec b/openssl.spec index f689e74..f9230a0 100644 --- a/openssl.spec +++ b/openssl.spec 
@@ -525,6 +525,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco * Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted Resolves: RHEL-5317 +- Don't limit using SHA1 in KDFs in non-FIPS mode. + Resolves: RHEL-5295 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly From ec6d7cf2723f8e57f5cc38296af8401d8b5478b6 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Tue, 17 Oct 2023 12:56:38 +0200 Subject: [PATCH 39/60] Provide empty evp_properties section in main OpenSSL configuration file Resolves: RHEL-11439 --- ...-Override-default-paths-for-the-CA-directory-tree.patch | 7 ++++++- 0024-load-legacy-prov.patch | 6 ++++-- openssl.spec | 2 ++ 3 files changed, 12 insertions(+), 3 deletions(-) diff --git a/0004-Override-default-paths-for-the-CA-directory-tree.patch b/0004-Override-default-paths-for-the-CA-directory-tree.patch index 7c70c60..f16e22b 100644 --- a/0004-Override-default-paths-for-the-CA-directory-tree.patch +++ b/0004-Override-default-paths-for-the-CA-directory-tree.patch @@ -30,12 +30,17 @@ index c0afb96716..d6a5fabd16 100644 diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf --- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200 +++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200 -@@ -53,6 +53,8 @@ tsa_policy3 = 1.2.3.4.5.7 +@@ -53,6 +53,13 @@ tsa_policy3 = 1.2.3.4.5.7 [openssl_init] providers = provider_sect +# Load default TLS policy configuration +ssl_conf = ssl_module ++alg_section = evp_properties ++ ++[ evp_properties ] ++#This section is intentionally added empty here ++#to be tuned on particular systems # List of providers to load [provider_sect] diff --git a/0024-load-legacy-prov.patch b/0024-load-legacy-prov.patch index c7d2958..26ec5f5 100644 --- a/0024-load-legacy-prov.patch 
+++ b/0024-load-legacy-prov.patch @@ -1,7 +1,7 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf --- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200 +++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200 -@@ -42,36 +42,29 @@ tsa_policy1 = 1.2.3.4.1 +@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1 tsa_policy2 = 1.2.3.4.5.6 tsa_policy3 = 1.2.3.4.5.7 @@ -16,7 +16,9 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c [openssl_init] providers = provider_sect # Load default TLS policy configuration - ssl_conf = ssl_module +@@ -42,23 +42,24 @@ [ evp_properties ] + #This section is intentionally added empty here + #to be tuned on particular systems -# List of providers to load -[provider_sect] diff --git a/openssl.spec b/openssl.spec index f9230a0..0036747 100644 --- a/openssl.spec +++ b/openssl.spec @@ -527,6 +527,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-5317 - Don't limit using SHA1 in KDFs in non-FIPS mode. Resolves: RHEL-5295 +- Provide empty evp_properties section in main OpenSSL configuration file + Resolves: RHEL-11439 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly From 92436854f9ce290acd3ee7fd485a34fb198e3102 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Tue, 17 Oct 2023 13:09:34 +0200 Subject: [PATCH 40/60] Avoid implicit function declaration when building openssl Resolves: RHEL-1780 --- 0032-Force-fips.patch | 3 ++- openssl.spec | 2 ++ 2 files changed, 4 insertions(+), 1 deletion(-) diff --git a/0032-Force-fips.patch b/0032-Force-fips.patch index 4dc9774..c8af196 100644 --- a/0032-Force-fips.patch +++ b/0032-Force-fips.patch 
@@ -7,10 +7,11 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c --- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200 +++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200 -@@ -36,6 +36,7 @@ static int prov_already_activated(const +@@ -36,6 +36,8 @@ static int prov_already_activated(const #include #include #include ++#include +#include #include #include diff --git a/openssl.spec b/openssl.spec index 0036747..8e041aa 100644 --- a/openssl.spec +++ b/openssl.spec @@ -529,6 +529,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-5295 - Provide empty evp_properties section in main OpenSSL configuration file Resolves: RHEL-11439 +- Avoid implicit function declaration when building openssl + Resolves: RHEL-1780 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly From fa5df9d74baa32d9633f6215bb8395d842bb21f5 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Tue, 17 Oct 2023 13:26:14 +0200 Subject: [PATCH 41/60] Forbid explicit curves when created via EVP_PKEY_fromdata Resolves: RHEL-5304 --- 0012-Disable-explicit-ec.patch | 88 ++++++++++++++++++++++++++++++++++ openssl.spec | 2 + 2 files changed, 90 insertions(+) diff --git a/0012-Disable-explicit-ec.patch b/0012-Disable-explicit-ec.patch index 550cdf4..aea4ccf 100644 --- a/0012-Disable-explicit-ec.patch +++ b/0012-Disable-explicit-ec.patch 
@@ -26,6 +26,94 @@ diff -up openssl-3.0.1/crypto/ec/ec_asn1.c.disable_explicit_ec openssl-3.0.1/cry ret->version = priv_key->version; if (priv_key->privateKey) { +diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c +index a84e088c19..6c37bf78ae 100644 +--- a/crypto/ec/ec_lib.c ++++ b/crypto/ec/ec_lib.c +@@ -1724,6 +1724,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], + goto err; + } + if (named_group == group) { ++ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) { ++ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP); ++ goto err; ++ } ++#if 0 + /* + * If we did not find a named group then the encoding should be explicit + * if it was specified +@@ -1739,6 +1744,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], + goto err; + } + EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE); ++#endif + } else { + EC_GROUP_free(group); + group = named_group; +diff --git a/test/ectest.c b/test/ectest.c +index 4890b0555e..e11aec5b3b 100644 +--- a/test/ectest.c ++++ b/test/ectest.c +@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) + || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) +- || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam, ++ || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam, + EVP_PKEY_KEY_PARAMETERS, params), 0)) + goto err; +- ++/* As creating the key should fail, the rest of the test is pointless */ ++# if 0 + /*- Check that all the set values are retrievable -*/ + + /* There should be no match to a group name since the generator changed */ +@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, + #endif + ) + goto err; ++#endif + ret = 1; + err: + BN_free(order_out); +@@ -2714,21 +2716,21 @@ static int custom_params_test(int id) + + /* Compute keyexchange in both directions */ + if (!TEST_ptr(pctx1 = 
EVP_PKEY_CTX_new(pkey1, NULL)) +- || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1) +- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) ++ || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0) ++/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) + || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1) + || !TEST_int_gt(bsize, sslen) +- || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)) ++ || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/) + goto err; + if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL)) +- || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1) +- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1) ++ || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1) ++/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1) + || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1) + || !TEST_int_gt(bsize, t) + || !TEST_int_le(sslen, t) +- || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1)) ++ || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */) + goto err; +- ++#if 0 + /* Both sides should expect the same shared secret */ + if (!TEST_mem_eq(buf1, sslen, buf2, t)) + goto err; +@@ -2780,7 +2782,7 @@ static int custom_params_test(int id) + /* compare with previous result */ + || !TEST_mem_eq(buf1, t, buf2, sslen)) + goto err; +- ++#endif + ret = 1; + + err: diff -up openssl-3.0.1/test/endecode_test.c.disable_explicit_ec openssl-3.0.1/test/endecode_test.c --- openssl-3.0.1/test/endecode_test.c.disable_explicit_ec 2022-03-21 16:55:46.005558779 +0100 +++ openssl-3.0.1/test/endecode_test.c 2022-03-21 16:56:12.636792762 +0100 diff --git a/openssl.spec b/openssl.spec index 8e041aa..d6b3ddd 100644 --- a/openssl.spec +++ b/openssl.spec 
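Review bot: In custom_params_test the second check reads `!TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)`, which also passes when derive_init succeeds and returns 1, whereas the pctx1 check a few lines above compares against `0`. If the intent is that derive init must fail for explicit-curve keys on both sides, the line should be `|| !TEST_int_le(EVP_PKEY_derive_init(pctx2), 0)`. As written the test would not catch a regression that lets the second key through. The function starts outside the hunk, and the `#if 0` regions and commented-out `TEST_int_eq` lines would be clearer with a one-line note saying why they are kept.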
@@ -531,6 +531,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-11439 - Avoid implicit function declaration when building openssl Resolves: RHEL-1780 +- Forbid explicit curves when created via EVP_PKEY_fromdata + Resolves: RHEL-5304 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly From 6775e82636170787f163ea314fd79744e293a80d Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 18 Oct 2023 11:15:19 +0200 Subject: [PATCH 42/60] AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries Resolves: RHEL-5302 --- 0125-CVE-2023-2975.patch | 30 ++++++++++++++++++++++++++++++ openssl.spec | 4 ++++ 2 files changed, 34 insertions(+) create mode 100644 0125-CVE-2023-2975.patch diff --git a/0125-CVE-2023-2975.patch b/0125-CVE-2023-2975.patch new file mode 100644 index 0000000..4717087 --- /dev/null +++ b/0125-CVE-2023-2975.patch @@ -0,0 +1,30 @@ +diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c +index 45010b90db..b396c8651a 100644 +--- a/providers/implementations/ciphers/cipher_aes_siv.c ++++ b/providers/implementations/ciphers/cipher_aes_siv.c +@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl, + if (!ossl_prov_is_running()) + return 0; + +- if (inl == 0) { +- *outl = 0; +- return 1; +- } ++ /* Ignore just empty encryption/decryption call and not AAD. */ ++ if (out != NULL) { ++ if (inl == 0) { ++ if (outl != NULL) ++ *outl = 0; ++ return 1; ++ } + +- if (outsize < inl) { +- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); +- return 0; ++ if (outsize < inl) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); ++ return 0; ++ } + } + + if (ctx->hw->cipher(ctx, out, in, inl) <= 0) diff --git a/openssl.spec b/openssl.spec index d6b3ddd..26dae8d 100644 --- a/openssl.spec +++ b/openssl.spec 
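Review bot: The new 0125 patch touches only cipher_aes_siv.c and adds no test that passes an empty associated-data entry, so nothing pins the `out != NULL` guard it introduces in siv_cipher. A test vector with an empty AAD entry would do that. The comment `/* Ignore just empty encryption/decryption call and not AAD. */` is hard to parse; `/* An empty call is a no-op only for encryption/decryption (out != NULL); empty AAD must still be processed */` states the same rule. siv_cipher continues outside the hunk.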
@@ -197,6 +197,7 @@ Patch121: 0121-FIPS-cms-defaults.patch Patch122: 0122-CVE-2023-2650.patch # https://github.com/openssl/openssl/pull/19386 Patch123: 0123-ibmca-atexit-crash.patch +Patch125: 0125-CVE-2023-2975.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -533,6 +534,9 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-1780 - Forbid explicit curves when created via EVP_PKEY_fromdata Resolves: RHEL-5304 +- AES-SIV cipher implementation contains a bug that causes it to ignore empty + associated data entries (CVE-2023-2975) + Resolves: RHEL-5302 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly From d6248f76c48e50645ea564150dfada6f58d4a9c6 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 18 Oct 2023 11:17:41 +0200 Subject: [PATCH 43/60] Excessive time spent checking DH keys and parameters Resolves: RHEL-5306 --- 0126-CVE-2023-3446.patch | 74 ++++++++++++++++++++++++++++++++++++++++ openssl.spec | 3 ++ 2 files changed, 77 insertions(+) create mode 100644 0126-CVE-2023-3446.patch diff --git a/0126-CVE-2023-3446.patch b/0126-CVE-2023-3446.patch new file mode 100644 index 0000000..38132cf --- /dev/null +++ b/0126-CVE-2023-3446.patch 
@@ -0,0 +1,74 @@ +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index 0b391910d6..84a926998e 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret) + if (nid != NID_undef) + return 1; + ++ /* Don't do any checks at all with an excessively large modulus */ ++ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); ++ return 0; ++ } ++ + if (!DH_check_params(dh, ret)) + return 0; + +diff --git a/include/openssl/dh.h b/include/openssl/dh.h +index b97871eca7..36420f51d8 100644 +--- a/include/openssl/dh.h ++++ b/include/openssl/dh.h +@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); + # include + + # ifndef OPENSSL_DH_MAX_MODULUS_BITS +-# define OPENSSL_DH_MAX_MODULUS_BITS 10000 ++# define OPENSSL_DH_MAX_MODULUS_BITS 10000 ++# endif ++ ++# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS ++# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768 + # endif + + # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 +diff --git a/test/dhtest.c b/test/dhtest.c +index 7b587f3cfa..f8dd8f3aa7 100644 +--- a/test/dhtest.c ++++ b/test/dhtest.c +@@ -73,7 +73,7 @@ static int dh_test(void) + goto err1; + + /* check fails, because p is way too small */ +- if (!DH_check(dh, &i)) ++ if (!TEST_true(DH_check(dh, &i))) + goto err2; + i ^= DH_MODULUS_TOO_SMALL; + if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) +@@ -124,6 +124,17 @@ static int dh_test(void) + /* We'll have a stale error on the queue from the above test so clear it */ + ERR_clear_error(); + ++ /* Modulus of size: dh check max modulus bits + 1 */ ++ if (!TEST_true(BN_set_word(p, 1)) ++ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS))) ++ goto err3; ++ ++ /* ++ * We expect no checks at all for an excessively large modulus ++ */ ++ if (!TEST_false(DH_check(dh, &i))) ++ goto err3; ++ + /* + * II) key generation + */ +@@ -138,7 +149,7 @@ static int 
dh_test(void) + goto err3; + + /* ... and check whether it is valid */ +- if (!DH_check(a, &i)) ++ if (!TEST_true(DH_check(a, &i))) + goto err3; + if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) + || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME) diff --git a/openssl.spec b/openssl.spec index 26dae8d..ab0c637 100644 --- a/openssl.spec +++ b/openssl.spec @@ -198,6 +198,7 @@ Patch122: 0122-CVE-2023-2650.patch # https://github.com/openssl/openssl/pull/19386 Patch123: 0123-ibmca-atexit-crash.patch Patch125: 0125-CVE-2023-2975.patch +Patch126: 0126-CVE-2023-3446.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -537,6 +538,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco - AES-SIV cipher implementation contains a bug that causes it to ignore empty associated data entries (CVE-2023-2975) Resolves: RHEL-5302 +- Excessive time spent checking DH keys and parameters (CVE-2023-3446) + Resolves: RHEL-5306 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly From 6e0d3b16e6d86b43b7921a01ab67842eedebd3ff Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 18 Oct 2023 11:20:31 +0200 Subject: [PATCH 44/60] Excessive time spent checking DH q parameter value Resolves: RHEL-5308 --- 0127-CVE-2023-3817.patch | 57 ++++++++++++++++++++++++++++++++++++++++ openssl.spec | 3 +++ 2 files changed, 60 insertions(+) create mode 100644 0127-CVE-2023-3817.patch diff --git a/0127-CVE-2023-3817.patch b/0127-CVE-2023-3817.patch new file mode 100644 index 0000000..5fc72e7 --- /dev/null +++ b/0127-CVE-2023-3817.patch 
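Review bot: The early exit added to DH_check returns 0 for a modulus above OPENSSL_DH_CHECK_MAX_MODULUS_BITS without writing a flag to `*ret` in the lines shown. A caller that inspects only the flags therefore cannot tell why the check failed. Setting one before the return, for example `*ret = DH_MODULUS_TOO_LARGE | DH_CHECK_P_NOT_PRIME;`, would make the rejection visible through both channels. The bound is applied in DH_check only; whether DH_check_params needs the same guard cannot be judged from this hunk. DH_check starts and ends outside the hunk.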
@@ -0,0 +1,57 @@ +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index aef6f9b1b7..fbe2797569 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret) + #ifdef FIPS_MODULE + return DH_check_params(dh, ret); + #else +- int ok = 0, r; ++ int ok = 0, r, q_good = 0; + BN_CTX *ctx = NULL; + BIGNUM *t1 = NULL, *t2 = NULL; + int nid = DH_get_nid((DH *)dh); +@@ -172,6 +172,13 @@ int DH_check(const DH *dh, int *ret) + goto err; + + if (dh->params.q != NULL) { ++ if (BN_ucmp(dh->params.p, dh->params.q) > 0) ++ q_good = 1; ++ else ++ *ret |= DH_CHECK_INVALID_Q_VALUE; ++ } ++ ++ if (q_good) { + if (BN_cmp(dh->params.g, BN_value_one()) <= 0) + *ret |= DH_NOT_SUITABLE_GENERATOR; + else if (BN_cmp(dh->params.g, dh->params.p) >= 0) +diff --git a/test/dhtest.c b/test/dhtest.c +index f8dd8f3aa7..d02b3b7c58 100644 +--- a/test/dhtest.c ++++ b/test/dhtest.c +@@ -124,6 +124,15 @@ static int dh_test(void) + /* We'll have a stale error on the queue from the above test so clear it */ + ERR_clear_error(); + ++ if (!TEST_ptr(BN_copy(q, p)) || !TEST_true(BN_add(q, q, BN_value_one()))) ++ goto err3; ++ ++ if (!TEST_true(DH_check(dh, &i))) ++ goto err3; ++ if (!TEST_true(i & DH_CHECK_INVALID_Q_VALUE) ++ || !TEST_false(i & DH_CHECK_Q_NOT_PRIME)) ++ goto err3; ++ + /* Modulus of size: dh check max modulus bits + 1 */ + if (!TEST_true(BN_set_word(p, 1)) + || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS))) +@@ -135,6 +144,9 @@ static int dh_test(void) + if (!TEST_false(DH_check(dh, &i))) + goto err3; + ++ /* We'll have a stale error on the queue from the above test so clear it */ ++ ERR_clear_error(); ++ + /* + * II) key generation + */ diff --git a/openssl.spec b/openssl.spec index ab0c637..a59230a 100644 --- a/openssl.spec +++ b/openssl.spec 
@@ -199,6 +199,7 @@ Patch122: 0122-CVE-2023-2650.patch Patch123: 0123-ibmca-atexit-crash.patch Patch125: 0125-CVE-2023-2975.patch Patch126: 0126-CVE-2023-3446.patch +Patch127: 0127-CVE-2023-3817.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -540,6 +541,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-5302 - Excessive time spent checking DH keys and parameters (CVE-2023-3446) Resolves: RHEL-5306 +- Excessive time spent checking DH q parameter value (CVE-2023-3817) + Resolves: RHEL-5308 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly From 66dddb942c099ca52b8140f5e3dd9aded64f6a3c Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 25 Oct 2023 12:06:55 +0200 Subject: [PATCH 45/60] Fix incorrect cipher key and IV length processing (CVE-2023-5363) Resolves: RHEL-13251 --- 0128-CVE-2023-5363.patch | 318 +++++++++++++++++++++++++++++++++++++++ openssl.spec | 3 + 2 files changed, 321 insertions(+) create mode 100644 0128-CVE-2023-5363.patch diff --git a/0128-CVE-2023-5363.patch b/0128-CVE-2023-5363.patch new file mode 100644 index 0000000..8610da0 --- /dev/null +++ b/0128-CVE-2023-5363.patch 
@@ -0,0 +1,318 @@ +diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c +index d2ed3fd378..6a819590e6 100644 +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -223,6 +223,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, + return 0; + } + ++#ifndef FIPS_MODULE ++ /* ++ * Fix for CVE-2023-5363 ++ * Passing in a size as part of the init call takes effect late ++ * so, force such to occur before the initialisation. ++ * ++ * The FIPS provider's internal library context is used in a manner ++ * such that this is not an issue. ++ */ ++ if (params != NULL) { ++ OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END, ++ OSSL_PARAM_END }; ++ OSSL_PARAM *q = param_lens; ++ const OSSL_PARAM *p; ++ ++ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); ++ if (p != NULL) ++ memcpy(q++, p, sizeof(*q)); ++ ++ /* ++ * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for ++ * OSSL_CIPHER_PARAM_IVLEN so both are covered here. ++ */ ++ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN); ++ if (p != NULL) ++ memcpy(q++, p, sizeof(*q)); ++ ++ if (q != param_lens) { ++ if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH); ++ return 0; ++ } ++ } ++ } ++#endif ++ + if (enc) { + if (ctx->cipher->einit == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c +index cfffa21350..2318bf6a68 100644 +--- a/test/evp_extra_test.c ++++ b/test/evp_extra_test.c +@@ -4851,6 +4851,253 @@ static int test_ecx_not_private_key(int tst) + return options; + } + ++static int aes_gcm_encrypt(const unsigned char *gcm_key, size_t gcm_key_s, ++ const unsigned char *gcm_iv, size_t gcm_ivlen, ++ const unsigned char *gcm_pt, size_t gcm_pt_s, ++ const unsigned char *gcm_aad, size_t gcm_aad_s, ++ const unsigned char *gcm_ct, size_t gcm_ct_s, ++ const unsigned char *gcm_tag, size_t gcm_tag_s) ++{ ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ EVP_CIPHER 
*cipher = NULL; ++ int outlen, tmplen; ++ unsigned char outbuf[1024]; ++ unsigned char outtag[16]; ++ OSSL_PARAM params[2] = { ++ OSSL_PARAM_END, OSSL_PARAM_END ++ }; ++ ++ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) ++ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", ""))) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, ++ &gcm_ivlen); ++ ++ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params)) ++ || (gcm_aad != NULL ++ && !TEST_true(EVP_EncryptUpdate(ctx, NULL, &outlen, ++ gcm_aad, gcm_aad_s))) ++ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen, ++ gcm_pt, gcm_pt_s)) ++ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen))) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, ++ outtag, sizeof(outtag)); ++ ++ if (!TEST_true(EVP_CIPHER_CTX_get_params(ctx, params)) ++ || !TEST_mem_eq(outbuf, outlen, gcm_ct, gcm_ct_s) ++ || !TEST_mem_eq(outtag, gcm_tag_s, gcm_tag, gcm_tag_s)) ++ goto err; ++ ++ ret = 1; ++err: ++ EVP_CIPHER_free(cipher); ++ EVP_CIPHER_CTX_free(ctx); ++ ++ return ret; ++} ++ ++static int aes_gcm_decrypt(const unsigned char *gcm_key, size_t gcm_key_s, ++ const unsigned char *gcm_iv, size_t gcm_ivlen, ++ const unsigned char *gcm_pt, size_t gcm_pt_s, ++ const unsigned char *gcm_aad, size_t gcm_aad_s, ++ const unsigned char *gcm_ct, size_t gcm_ct_s, ++ const unsigned char *gcm_tag, size_t gcm_tag_s) ++{ ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ EVP_CIPHER *cipher = NULL; ++ int outlen; ++ unsigned char outbuf[1024]; ++ OSSL_PARAM params[2] = { ++ OSSL_PARAM_END, OSSL_PARAM_END ++ }; ++ ++ if ((ctx = EVP_CIPHER_CTX_new()) == NULL) ++ goto err; ++ ++ if ((cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")) == NULL) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, ++ &gcm_ivlen); ++ ++ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params)) ++ || (gcm_aad != NULL ++ && 
!TEST_true(EVP_DecryptUpdate(ctx, NULL, &outlen, ++ gcm_aad, gcm_aad_s))) ++ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen, ++ gcm_ct, gcm_ct_s)) ++ || !TEST_mem_eq(outbuf, outlen, gcm_pt, gcm_pt_s)) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, ++ (void*)gcm_tag, gcm_tag_s); ++ ++ if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params)) ++ ||!TEST_true(EVP_DecryptFinal_ex(ctx, outbuf, &outlen))) ++ goto err; ++ ++ ret = 1; ++err: ++ EVP_CIPHER_free(cipher); ++ EVP_CIPHER_CTX_free(ctx); ++ ++ return ret; ++} ++ ++static int test_aes_gcm_ivlen_change_cve_2023_5363(void) ++{ ++ /* AES-GCM test data obtained from NIST public test vectors */ ++ static const unsigned char gcm_key[] = { ++ 0xd0, 0xc2, 0x67, 0xc1, 0x9f, 0x30, 0xd8, 0x0b, 0x89, 0x14, 0xbb, 0xbf, ++ 0xb7, 0x2f, 0x73, 0xb8, 0xd3, 0xcd, 0x5f, 0x6a, 0x78, 0x70, 0x15, 0x84, ++ 0x8a, 0x7b, 0x30, 0xe3, 0x8f, 0x16, 0xf1, 0x8b, ++ }; ++ static const unsigned char gcm_iv[] = { ++ 0xb6, 0xdc, 0xda, 0x95, 0xac, 0x99, 0x77, 0x76, 0x25, 0xae, 0x87, 0xf8, ++ 0xa3, 0xa9, 0xdd, 0x64, 0xd7, 0x9b, 0xbd, 0x5f, 0x4a, 0x0e, 0x54, 0xca, ++ 0x1a, 0x9f, 0xa2, 0xe3, 0xf4, 0x5f, 0x5f, 0xc2, 0xce, 0xa7, 0xb6, 0x14, ++ 0x12, 0x6f, 0xf0, 0xaf, 0xfd, 0x3e, 0x17, 0x35, 0x6e, 0xa0, 0x16, 0x09, ++ 0xdd, 0xa1, 0x3f, 0xd8, 0xdd, 0xf3, 0xdf, 0x4f, 0xcb, 0x18, 0x49, 0xb8, ++ 0xb3, 0x69, 0x2c, 0x5d, 0x4f, 0xad, 0x30, 0x91, 0x08, 0xbc, 0xbe, 0x24, ++ 0x01, 0x0f, 0xbe, 0x9c, 0xfb, 0x4f, 0x5d, 0x19, 0x7f, 0x4c, 0x53, 0xb0, ++ 0x95, 0x90, 0xac, 0x7b, 0x1f, 0x7b, 0xa0, 0x99, 0xe1, 0xf3, 0x48, 0x54, ++ 0xd0, 0xfc, 0xa9, 0xcc, 0x91, 0xf8, 0x1f, 0x9b, 0x6c, 0x9a, 0xe0, 0xdc, ++ 0x63, 0xea, 0x7d, 0x2a, 0x4a, 0x7d, 0xa5, 0xed, 0x68, 0x57, 0x27, 0x6b, ++ 0x68, 0xe0, 0xf2, 0xb8, 0x51, 0x50, 0x8d, 0x3d, ++ }; ++ static const unsigned char gcm_pt[] = { ++ 0xb8, 0xb6, 0x88, 0x36, 0x44, 0xe2, 0x34, 0xdf, 0x24, 0x32, 0x91, 0x07, ++ 0x4f, 0xe3, 0x6f, 0x81, ++ }; ++ static const unsigned char gcm_ct[] = { ++ 
0xff, 0x4f, 0xb3, 0xf3, 0xf9, 0xa2, 0x51, 0xd4, 0x82, 0xc2, 0xbe, 0xf3, ++ 0xe2, 0xd0, 0xec, 0xed, ++ }; ++ static const unsigned char gcm_tag[] = { ++ 0xbd, 0x06, 0x38, 0x09, 0xf7, 0xe1, 0xc4, 0x72, 0x0e, 0xf2, 0xea, 0x63, ++ 0xdb, 0x99, 0x6c, 0x21, ++ }; ++ ++ return aes_gcm_encrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv), ++ gcm_pt, sizeof(gcm_pt), NULL, 0, ++ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag)) ++ && aes_gcm_decrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv), ++ gcm_pt, sizeof(gcm_pt), NULL, 0, ++ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag)); ++} ++ ++#ifndef OPENSSL_NO_RC4 ++static int rc4_encrypt(const unsigned char *rc4_key, size_t rc4_key_s, ++ const unsigned char *rc4_pt, size_t rc4_pt_s, ++ const unsigned char *rc4_ct, size_t rc4_ct_s) ++{ ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ EVP_CIPHER *cipher = NULL; ++ int outlen, tmplen; ++ unsigned char outbuf[1024]; ++ OSSL_PARAM params[2] = { ++ OSSL_PARAM_END, OSSL_PARAM_END ++ }; ++ ++ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) ++ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "RC4", ""))) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, ++ &rc4_key_s); ++ ++ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, rc4_key, NULL, params)) ++ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen, ++ rc4_pt, rc4_pt_s)) ++ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen))) ++ goto err; ++ ++ if (!TEST_mem_eq(outbuf, outlen, rc4_ct, rc4_ct_s)) ++ goto err; ++ ++ ret = 1; ++err: ++ EVP_CIPHER_free(cipher); ++ EVP_CIPHER_CTX_free(ctx); ++ ++ return ret; ++} ++ ++static int rc4_decrypt(const unsigned char *rc4_key, size_t rc4_key_s, ++ const unsigned char *rc4_pt, size_t rc4_pt_s, ++ const unsigned char *rc4_ct, size_t rc4_ct_s) ++{ ++ int ret = 0; ++ EVP_CIPHER_CTX *ctx; ++ EVP_CIPHER *cipher = NULL; ++ int outlen; ++ unsigned char outbuf[1024]; ++ OSSL_PARAM params[2] = { ++ OSSL_PARAM_END, OSSL_PARAM_END ++ }; ++ ++ if ((ctx = 
EVP_CIPHER_CTX_new()) == NULL) ++ goto err; ++ ++ if ((cipher = EVP_CIPHER_fetch(testctx, "RC4", "")) == NULL) ++ goto err; ++ ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, ++ &rc4_key_s); ++ ++ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, rc4_key, NULL, params)) ++ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen, ++ rc4_ct, rc4_ct_s)) ++ || !TEST_mem_eq(outbuf, outlen, rc4_pt, rc4_pt_s)) ++ goto err; ++ ++ ret = 1; ++err: ++ EVP_CIPHER_free(cipher); ++ EVP_CIPHER_CTX_free(ctx); ++ ++ return ret; ++} ++ ++static int test_aes_rc4_keylen_change_cve_2023_5363(void) ++{ ++ /* RC4 test data obtained from RFC 6229 */ ++ static const struct { ++ unsigned char key[5]; ++ unsigned char padding[11]; ++ } rc4_key = { ++ { /* Five bytes of key material */ ++ 0x83, 0x32, 0x22, 0x77, 0x2a, ++ }, ++ { /* Random padding to 16 bytes */ ++ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, 0xaa, 0x32, 0x91 ++ } ++ }; ++ static const unsigned char rc4_pt[] = { ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 ++ }; ++ static const unsigned char rc4_ct[] = { ++ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, ++ 0x2e, 0x87, 0x9e, 0x92, 0xa4, 0x97, 0xef, 0xda ++ }; ++ ++ if (lgcyprov == NULL) ++ return TEST_skip("Test requires legacy provider to be loaded"); ++ ++ return rc4_encrypt(rc4_key.key, sizeof(rc4_key.key), ++ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct)) ++ && rc4_decrypt(rc4_key.key, sizeof(rc4_key.key), ++ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct)); ++} ++#endif ++ + int setup_tests(void) + { + OPTION_CHOICE o; +@@ -4994,6 +5241,12 @@ int setup_tests(void) + + ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids)); + ++ /* Test cases for CVE-2023-5363 */ ++ ADD_TEST(test_aes_gcm_ivlen_change_cve_2023_5363); ++#ifndef OPENSSL_NO_RC4 ++ ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363); ++#endif ++ + return 1; + } + diff --git a/openssl.spec b/openssl.spec index a59230a..92655b4 100644 
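Review bot: `aes_gcm_decrypt` and `rc4_decrypt` test `EVP_CIPHER_CTX_new()` and `EVP_CIPHER_fetch()` with bare `== NULL` comparisons, while the matching encrypt helpers wrap the same calls in `TEST_ptr`, so a failed allocation or fetch in the decrypt path fails the test without any diagnostic. Using the same form in all four helpers, `if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", ""))) goto err;`, keeps the output consistent. The helpers also write into `unsigned char outbuf[1024]` using caller-supplied lengths with no bound check; the current callers pass 16 bytes, but a `TEST_size_t_le(gcm_pt_s, sizeof(outbuf))` guard would keep later reuse safe. In the `evp_enc.c` comment, `synomym` should read `synonym`.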
--- a/openssl.spec +++ b/openssl.spec @@ -200,6 +200,7 @@ Patch123: 0123-ibmca-atexit-crash.patch Patch125: 0125-CVE-2023-2975.patch Patch126: 0126-CVE-2023-3446.patch Patch127: 0127-CVE-2023-3817.patch +Patch128: 0128-CVE-2023-5363.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -543,6 +544,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-5306 - Excessive time spent checking DH q parameter value (CVE-2023-3817) Resolves: RHEL-5308 +- Fix incorrect cipher key and IV length processing (CVE-2023-5363) + Resolves: RHEL-13251 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly From 9a075c13c3d02bb3b038a07ee7f03c456aad8188 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Thu, 19 Oct 2023 12:47:52 +0200 Subject: [PATCH 46/60] Mark RSA-OAEP as approved in FIPS mode Switch explicit FIPS indicator for RSA-OAEP to approved following clarification with CMVP. Additionally, backport a check required by SP800-56Br2 6.4.1.2.1 (3.c). Resolves: RHEL-14083 --- ...hers-kem-Add-explicit-FIPS-indicator.patch | 40 +++++++-------- ...-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch | 49 +++++++++++++++++++ openssl.spec | 7 +++ 3 files changed, 75 insertions(+), 21 deletions(-) create mode 100644 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch diff --git a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch index 4c648d8..e8777f3 100644 --- a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch +++ b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch 
@@ -9,21 +9,23 @@ party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme and key agreement schemes, but explicit key confirmation is not implemented and cannot be implemented without protocol changes, and the FIPS provider does not implement trusted third party validation, since it relies on -its callers to do that. We must thus mark RSA-OAEP encryption and RSASVE -as unapproved until we have received clarification from NIST on how -library modules such as OpenSSL should implement TTP validation. +its callers to do that. A request for guidance sent to NIST did clarify +that OpenSSL can claim KTS-OAEP and RSASVE as approved, but we did add +an indicator to mark them as unapproved previously and should thus keep +the indicator available. This does not affect RSA-OAEP decryption, because it is approved as a component according to the FIPS 140-3 IG, section 2.4.G. Resolves: rhbz#2179331 +Resolves: RHEL-14083 Signed-off-by: Clemens Lang --- include/openssl/core_names.h | 2 ++ include/openssl/evp.h | 4 +++ - .../implementations/asymciphers/rsa_enc.c | 24 +++++++++++++++ - providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++- - 4 files changed, 59 insertions(+), 1 deletion(-) + .../implementations/asymciphers/rsa_enc.c | 19 ++++++++++++ + providers/implementations/kem/rsa_kem.c | 29 ++++++++++++++++++- + 4 files changed, 53 insertions(+), 1 deletion(-) diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h index 832502a034..e15d208421 100644 @@ -37,7 +39,7 @@ index 832502a034..e15d208421 100644 /* * Encoder / decoder parameters -@@ -503,6 +504,7 @@ extern "C" { +@@ -511,6 +512,7 @@ extern "C" { /* KEM parameters */ #define OSSL_KEM_PARAM_OPERATION "operation" @@ -49,7 +51,7 @@ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index ec2ba46fbd..3803b03422 100644 --- a/include/openssl/evp.h 
+++ b/include/openssl/evp.h -@@ -1757,6 +1757,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void); +@@ -1764,6 +1764,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void); OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx); # endif @@ -64,25 +66,22 @@ diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/impleme index 568452ec56..2e7ea632d7 100644 --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c -@@ -399,6 +399,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) +@@ -452,6 +452,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) return 0; +#ifdef FIPS_MODULE + p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); + if (p != NULL) { -+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; -+ + /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key + * confirmation (section 6.4.2.3.2), or assurance from a trusted third + * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but + * explicit key confirmation is not implemented here and cannot be + * implemented without protocol changes, and the FIPS provider does not + * implement trusted third party validation, since it relies on its -+ * callers to do that. We must thus mark RSA-OAEP as unapproved until -+ * we have received clarification from NIST on how library modules such -+ * as OpenSSL should implement TTP validation. */ -+ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ * callers to do that. A request for guidance sent to NIST resulted in ++ * further clarification which allows OpenSSL to claim RSA-OAEP. */ ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; + + if (!OSSL_PARAM_set_int(p, fips_indicator)) + return 0; 
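Review bot: In `rsa_get_ctx_params` the indicator is now set to `EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED` unconditionally, although the comment justifies that only for RSA-OAEP. As far as this hunk shows, the value does not depend on the padding mode configured on the context, so a context using another padding would report the same indicator unless that is rejected elsewhere in the FIPS provider; the function body continues outside the hunk. If other paddings can reach this point, the value should be derived from the padding mode, and if they cannot, a short comment saying where they are blocked would make the unconditional assignment reviewable. The same applies to the RSASVE indicator in `rsakem_get_ctx_params` in the later `rsa_kem.c` hunk.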
@@ -92,7 +91,7 @@ index 568452ec56..2e7ea632d7 100644 return 1; } -@@ -465,6 +493,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { +@@ -465,6 +483,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), #ifdef FIPS_MODULE OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), @@ -104,7 +103,7 @@ diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations index 882cf16125..b4cc0f9237 100644 --- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c -@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, +@@ -151,11 +151,38 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params) { PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx; @@ -124,10 +123,9 @@ index 882cf16125..b4cc0f9237 100644 + * explicit key confirmation is not implemented here and cannot be + * implemented without protocol changes, and the FIPS provider does not + * implement trusted third party validation, since it relies on its -+ * callers to do that. We must thus mark RSASVE unapproved until we -+ * have received clarification from NIST on how library modules such as -+ * OpenSSL should implement TTP validation. */ -+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ * callers to do that. A request for guidance sent to NIST resulted in ++ * further clarification which allows OpenSSL to claim RSASVE. */ ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; + + if (!OSSL_PARAM_set_int(p, fips_indicator)) + return 0; diff --git a/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch b/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch new file mode 100644 index 0000000..8ee8793 --- /dev/null +++ b/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch 
@@ -0,0 +1,49 @@ +From 0d873f9f647764df147d818a6e998b1c318bac31 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Mon, 16 Oct 2023 15:30:26 +0200 +Subject: [PATCH] rsa: Add SP800-56Br2 6.4.1.2.1 (3.c) check + +The code did not yet check that the length of the RSA key is positive +and even. + +Signed-off-by: Clemens Lang +Upstream-Status: Backport [8b268541d9aabee51699aef22963407362830ef9] +--- + crypto/rsa/rsa_sp800_56b_check.c | 5 +++++ + test/rsa_sp800_56b_test.c | 4 ++++ + 2 files changed, 9 insertions(+) + +diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c +index fc8f19b487..e6b79e953d 100644 +--- a/crypto/rsa/rsa_sp800_56b_check.c ++++ b/crypto/rsa/rsa_sp800_56b_check.c +@@ -403,6 +403,11 @@ int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed, + ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR); + return 0; + } ++ /* (Step 3.c): check that the modulus length is a positive even integer */ ++ if (nbits <= 0 || (nbits & 0x1)) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR); ++ return 0; ++ } + + ctx = BN_CTX_new_ex(rsa->libctx); + if (ctx == NULL) +diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c +index 7660019f47..aa58bbbe6c 100644 +--- a/test/rsa_sp800_56b_test.c ++++ b/test/rsa_sp800_56b_test.c +@@ -458,6 +458,10 @@ static int test_invalid_keypair(void) + && TEST_true(BN_add_word(n, 1)) + && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) + && TEST_true(BN_sub_word(n, 1)) ++ /* check that validation fails if len(n) is not even */ ++ && TEST_true(BN_lshift1(n, n)) ++ && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2049)) ++ && TEST_true(BN_rshift1(n, n)) + /* check p */ + && TEST_true(BN_sub_word(p, 2)) + && TEST_true(BN_mul(n, p, q, ctx)) +-- +2.41.0 + diff --git a/openssl.spec b/openssl.spec index 92655b4..33def63 100644 --- a/openssl.spec +++ b/openssl.spec 
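Review bot: The new case in `test_invalid_keypair` cannot tell the added step 3.c check from the validation that already existed, because it changes `n` with `BN_lshift1` before calling `ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2049)`. The context lines just above show that altering `n` alone (`BN_add_word(n, 1)`) already makes the call fail, so this assertion would presumably pass even if the `nbits <= 0 || (nbits & 0x1)` test were removed. An assertion that leaves `n` untouched and varies only `nbits` would tie the test closer to the new branch, though other `nbits`-dependent checks outside the hunk may still reject 2049 first. The check is also applied to the `nbits` argument; whether that value is compared with the actual size of `rsa->n` is decided outside the hunk.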
@@ -201,6 +201,8 @@ Patch125: 0125-CVE-2023-2975.patch Patch126: 0126-CVE-2023-3446.patch Patch127: 0127-CVE-2023-3817.patch Patch128: 0128-CVE-2023-5363.patch +# https://github.com/openssl/openssl/pull/22403 +Patch129: 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -546,6 +548,11 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-5308 - Fix incorrect cipher key and IV length processing (CVE-2023-5363) Resolves: RHEL-13251 +- Switch explicit FIPS indicator for RSA-OAEP to approved following + clarification with CMVP + Resolves: RHEL-14083 +- Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c) + Resolves: RHEL-14083 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly From 72772f737e4c581b02066779177c07b64e7c6845 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 8 Nov 2023 11:55:53 +0100 Subject: [PATCH 47/60] Add missing ECDH Public Key Check in FIPS mode Resolves: RHEL-15990 --- 0044-FIPS-140-3-keychecks.patch | 16 +++++++++++++++- openssl.spec | 2 ++ 2 files changed, 17 insertions(+), 1 deletion(-) diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch index 38efa07..1b0d1fa 100644 --- a/0044-FIPS-140-3-keychecks.patch +++ b/0044-FIPS-140-3-keychecks.patch 
@@ -57,7 +57,21 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c dh->dirty_cnt++; ok = 1; err: -diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips3 openssl-3.0.1/crypto/ec/ec_key.c +diff -up openssl-3.0.7/crypto/ec/ec_key.c.f188 openssl-3.0.7/crypto/ec/ec_key.c +--- openssl-3.0.7/crypto/ec/ec_key.c.f188 2023-11-08 10:58:05.910031253 +0100 ++++ openssl-3.0.7/crypto/ec/ec_key.c 2023-11-08 10:59:42.338526883 +0100 +@@ -326,6 +326,11 @@ static int ec_generate_key(EC_KEY *eckey + eckey->dirty_cnt++; + + #ifdef FIPS_MODULE ++ if (ossl_ec_key_public_check(eckey, ctx) <= 0) { ++ ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY); ++ goto err; ++ } ++ + pairwise_test = 1; + #endif /* FIPS_MODULE */ + diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c --- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 2022-07-25 13:42:46.814952053 +0200 +++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c 2022-07-25 13:52:12.292065706 +0200 diff --git a/openssl.spec b/openssl.spec index 33def63..a22b793 100644 --- a/openssl.spec +++ b/openssl.spec @@ -553,6 +553,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-14083 - Backport the check required by SP800-56Br2 6.4.1.2.1 (3.c) Resolves: RHEL-14083 +- Add missing ECDH Public Key Check in FIPS mode + Resolves: RHEL-15990 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly From f1d5ccdb6e67102a96b1efe1ae5e5c33d6f887a8 Mon Sep 17 00:00:00 2001 
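Review bot: The added `ossl_ec_key_public_check` call in `ec_generate_key` runs after `eckey->dirty_cnt++`, so by the time it can fail the new key material appears to be already attached to `eckey`. The `err` label is outside the hunk, so it is not visible here whether that path clears the private key and the public point; if it does not, a caller that ignores the return value would keep an unvalidated pair. A comment on the new block, for example `/* validate the generated public key before the pairwise test; the err path must leave no usable key */`, would make that dependency explicit.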
From: Dmitry Belyavskiy Date: Wed, 8 Nov 2023 12:08:38 +0100 Subject: [PATCH 48/60] Excessive time spent in DH check/generation with large Q parameter value (CVE-2023-5678) Resolves: RHEL-15954 --- 0130-CVE-2023-5678.patch | 143 +++++++++++++++++++++++++++++++++++++++ openssl.spec | 3 + 2 files changed, 146 insertions(+) create mode 100644 0130-CVE-2023-5678.patch diff --git a/0130-CVE-2023-5678.patch b/0130-CVE-2023-5678.patch new file mode 100644 index 0000000..aa98d3b --- /dev/null +++ b/0130-CVE-2023-5678.patch 
@@ -0,0 +1,143 @@ +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index 7ba2beae7f..e20eb62081 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) + */ + int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) + { ++ /* Don't do any checks at all with an excessively large modulus */ ++ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); ++ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; ++ return 0; ++ } ++ ++ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) { ++ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; ++ return 1; ++ } ++ + return ossl_ffc_validate_public_key(&dh->params, pub_key, ret); + } + +diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c +index 4152397426..f76ac0dd14 100644 +--- a/crypto/dh/dh_err.c ++++ b/crypto/dh/dh_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. 
You can obtain a copy +@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, ++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), + "unable to check generator"}, +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index d84ea99241..afc49f5cdc 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) + goto err; + } + ++ if (dh->params.q != NULL ++ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); ++ goto err; ++ } ++ + if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); + return 0; +@@ -267,6 +273,12 @@ static int generate_key(DH *dh) + return 0; + } + ++ if (dh->params.q != NULL ++ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); ++ return 0; ++ } ++ + if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); + return 0; +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index e51504b7ab..36de321b74 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set + DH_R_NO_PRIVATE_VALUE:100:no private value + DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error + DH_R_PEER_KEY_ERROR:111:peer key error ++DH_R_Q_TOO_LARGE:130:q too large + DH_R_SHARED_INFO_ERROR:113:shared info error + DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator + DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters +diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h +index 
bb24d131eb..519327f795 100644 +--- a/include/crypto/dherr.h ++++ b/include/crypto/dherr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +diff --git a/include/openssl/dh.h b/include/openssl/dh.h +index 6533260f20..50e0cf54be 100644 +--- a/include/openssl/dh.h ++++ b/include/openssl/dh.h +@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams) + # define DH_GENERATOR_3 3 + # define DH_GENERATOR_5 5 + +-/* DH_check error codes */ ++/* DH_check error codes, some of them shared with DH_check_pub_key */ + /* + * NB: These values must align with the equivalently named macros in + * internal/ffc.h. +@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams) + # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 + # define DH_NOT_SUITABLE_GENERATOR 0x08 + # define DH_CHECK_Q_NOT_PRIME 0x10 +-# define DH_CHECK_INVALID_Q_VALUE 0x20 ++# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ + # define DH_CHECK_INVALID_J_VALUE 0x40 + # define DH_MODULUS_TOO_SMALL 0x80 +-# define DH_MODULUS_TOO_LARGE 0x100 ++# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ + + /* DH_check_pub_key error codes */ + # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 +diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h +index 5d2a762a96..074a70145f 100644 +--- a/include/openssl/dherr.h ++++ b/include/openssl/dherr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. 
You can obtain a copy +@@ -50,6 +50,7 @@ + # define DH_R_NO_PRIVATE_VALUE 100 + # define DH_R_PARAMETER_ENCODING_ERROR 105 + # define DH_R_PEER_KEY_ERROR 111 ++# define DH_R_Q_TOO_LARGE 130 + # define DH_R_SHARED_INFO_ERROR 113 + # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 + diff --git a/openssl.spec b/openssl.spec index a22b793..b3b5ac6 100644 --- a/openssl.spec +++ b/openssl.spec @@ -203,6 +203,7 @@ Patch127: 0127-CVE-2023-3817.patch Patch128: 0128-CVE-2023-5363.patch # https://github.com/openssl/openssl/pull/22403 Patch129: 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch +Patch130: 0130-CVE-2023-5678.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -555,6 +556,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-14083 - Add missing ECDH Public Key Check in FIPS mode Resolves: RHEL-15990 +- Excessive time spent in DH check/generation with large Q parameter value (CVE-2023-5678) + Resolves: RHEL-15954 * Wed Jul 12 2023 Dmitry Belyavskiy - 1:3.0.7-24 - Make FIPS module configuration more crypto-policies friendly From 67bb06894f278ebffa420ab704c063b5d1925614 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Tue, 21 Nov 2023 12:11:01 +0100 Subject: [PATCH 49/60] Avoid implicit function declaration when building openssl Related: RHEL-1780 --- 0056-strcasecmp.patch | 4 ++-- openssl.spec | 6 +++++- 2 files changed, 7 insertions(+), 3 deletions(-) diff --git a/0056-strcasecmp.patch b/0056-strcasecmp.patch index 8a005e6..01ca25e 100644 --- a/0056-strcasecmp.patch +++ b/0056-strcasecmp.patch @@ -19,7 +19,7 @@ diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c -int OPENSSL_strcasecmp(const char *s1, const char *s2) +int -+#ifndef FIPS_MODULE ++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) +__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"), + symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1"))) +#endif 
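Review bot: In `DH_check_pub_key` the new `q` branch does `*ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;` and returns before anything in this function has assigned `*ret`, whereas the modulus branch just above uses plain assignment. A caller that passes an uninitialised `int` therefore gets the two flags OR-ed into indeterminate bits; the result still fails closed because it is non-zero, but the individual flags cannot be trusted. Assigning instead, `*ret = DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID;`, matches the branch above. Separately, in `ossl_dh_compute_key` the new `DH_R_Q_TOO_LARGE` check leaves through `goto err` while the adjacent modulus-size check uses `return 0`; the function continues outside the hunk, so which of the two exits is intended there should be confirmed.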
@@ -33,7 +33,7 @@ diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c -int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n) +int -+#ifndef FIPS_MODULE ++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) +__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"), + symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1"))) +#endif diff --git a/openssl.spec b/openssl.spec index b3b5ac6..c57abe2 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 25%{?dist} +Release: 26%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -529,6 +529,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog +* Tue Nov 21 2023 Dmitry Belyavskiy - 1:3.0.7-26 +- Avoid implicit function declaration when building openssl + Related: RHEL-1780 + * Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted Resolves: RHEL-5317 From db0287935122edceb91dcda8dfb53b4090734e22 Mon Sep 17 00:00:00 2001 
From: Clemens Lang Date: Tue, 21 Nov 2023 12:16:05 +0100 Subject: [PATCH 50/60] FIPS: abort on rsa_keygen_pairwise_test failure ISO 19790 AS10.09 says the module shall not perform any cryptographic operations or output data in an error state, but OpenSSL does not have checks for the module state in EVP_DigestUpdate() and EVP_EncryptUpdate(). Upstream and their certification lab says these checks aren't needed, our lab disagrees. We asked for clarification from CMVP. While we are waiting for that, add a change that will allow us to submit. We will drop this patch one we found a solution together with upstream. See #22506 for the discussion upstream. Resolves: RHEL-17104 --- 0044-FIPS-140-3-keychecks.patch | 14 ++++++++++++++ openssl.spec | 2 ++ 2 files changed, 16 insertions(+) diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch index 1b0d1fa..67cbd6d 100644 --- a/0044-FIPS-140-3-keychecks.patch +++ b/0044-FIPS-140-3-keychecks.patch @@ -374,3 +374,17 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op const OSSL_DISPATCH ossl_rsa_signature_functions[] = { { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, +diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +index e0d139d..35f23b2 100644 +--- a/crypto/rsa/rsa_gen.c ++++ b/crypto/rsa/rsa_gen.c +@@ -463,6 +463,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes, + rsa->dmp1 = NULL; + rsa->dmq1 = NULL; + rsa->iqmp = NULL; ++#ifdef FIPS_MODULE ++ abort(); ++#endif /* defined(FIPS_MODULE) */ + } + } + return ok; diff --git a/openssl.spec b/openssl.spec index c57abe2..8e936ab 100644 --- a/openssl.spec +++ b/openssl.spec 
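Review bot: The `abort()` added to the failure branch of `rsa_keygen` has no comment, and it ends the whole calling process without queuing an error or emitting any other diagnostic. The reason is given only in the commit message (ISO 19790 AS10.09, upstream discussion #22506, intended to be dropped later), which will not travel with the code. A comment on the call, for example `/* FIPS: a failed pairwise test must stop all further crypto operations (ISO 19790 AS10.09); temporary, see upstream #22506 */`, would record that. An abort can also leave a core dump of a process that holds other key material, so the core dump policy of FIPS-mode services is worth checking when this lands. The body of `rsa_keygen` starts outside the hunk.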
@@ -532,6 +532,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco * Tue Nov 21 2023 Dmitry Belyavskiy - 1:3.0.7-26 - Avoid implicit function declaration when building openssl Related: RHEL-1780 +- In FIPS mode, prevent any other operations when rsa_keygen_pairwise_test fails + Resolves: RHEL-17104 * Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted From e7c35f0edebd46cd8e18f8ab596d08e559fec21c Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 24 Nov 2023 16:16:54 +0100 Subject: [PATCH 51/60] Add a directory for OpenSSL providers configuration Resolves: RHEL-17193 --- 0024-load-legacy-prov.patch | 5 ++++- openssl.spec | 4 ++++ 2 files changed, 8 insertions(+), 1 deletion(-) diff --git a/0024-load-legacy-prov.patch b/0024-load-legacy-prov.patch index 26ec5f5..edbe50b 100644 --- a/0024-load-legacy-prov.patch +++ b/0024-load-legacy-prov.patch @@ -16,7 +16,7 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c [openssl_init] providers = provider_sect # Load default TLS policy configuration -@@ -42,23 +42,24 @@ [ evp_properties ] +@@ -42,23 +42,27 @@ [ evp_properties ] #This section is intentionally added empty here #to be tuned on particular systems @@ -54,6 +54,9 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c + +##[legacy_sect] +##activate = 1 ++ ++#Place the third party provider configuration files into this folder ++.include /etc/pki/tls/include [ ssl_module ] diff --git a/openssl.spec b/openssl.spec index 8e936ab..e050ec3 100644 --- a/openssl.spec +++ b/openssl.spec 
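Review bot: The comment added above `.include /etc/pki/tls/include` in openssl.cnf does not say which files are read or who may put them there, although every file picked up from that directory becomes part of the configuration that decides which provider modules are loaded. OpenSSL's directory form of `.include` reads only files ending in `.cnf` or `.conf`, and as far as I know the included text is processed in place, so a drop-in without its own section header would continue whichever section is open at this point. I would spell that out, e.g. `# Drop-in provider configuration: root-owned *.conf files, each starting with its own [section] header`. The same directive is touched again by the later rename to `/etc/pki/tls/openssl.d`.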
@@ -415,6 +415,7 @@ done # Install a makefile for generating keys and self-signed certs, and a script # for generating them on the fly. mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/include install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert @@ -497,6 +498,7 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %dir %{_sysconfdir}/pki/tls/certs %dir %{_sysconfdir}/pki/tls/misc %dir %{_sysconfdir}/pki/tls/private +%dir %{_sysconfdir}/pki/tls/include %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf %config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf %config %{_sysconfdir}/pki/tls/fips_local.cnf @@ -534,6 +536,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Related: RHEL-1780 - In FIPS mode, prevent any other operations when rsa_keygen_pairwise_test fails Resolves: RHEL-17104 +- Add a directory for OpenSSL providers configuration + Resolves: RHEL-17193 * Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted From 6c9dd70b94b8d5811d5d9a03f867cb831a1348c8 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 19 Jan 2024 14:49:51 +0100 Subject: [PATCH 52/60] Eliminate memory leak in OpenSSL when setting elliptic curves on SSL context Resolves: RHEL-19515 --- 0131-sslgroups-memleak.patch | 12 ++++++++++++ openssl.spec | 4 ++++ 2 files changed, 16 insertions(+) create mode 100644 0131-sslgroups-memleak.patch diff --git a/0131-sslgroups-memleak.patch b/0131-sslgroups-memleak.patch new file mode 100644 index 0000000..f292790 --- /dev/null +++ b/0131-sslgroups-memleak.patch 
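Review bot: The new `%dir %{_sysconfdir}/pki/tls/include` entry takes its owner and mode from the build root rather than stating them, and this directory is one whose contents feed the provider configuration. Pinning it in the %files entry, `%dir %attr(0755,root,root) %{_sysconfdir}/pki/tls/include`, makes the intended permissions explicit and independent of the umask in effect for the `mkdir -p` in %install. Whether a `%defattr` earlier in the %files section already covers this is not visible in the hunk.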
@@ -0,0 +1,12 @@ +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index 51c2283db915d..0928a30c2d37b 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -765,6 +765,7 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, + tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); + if (tmparr == NULL) + goto end; ++ OPENSSL_free(*pext); + *pext = tmparr; + *pextlen = gcb.gidcnt; + ret = 1; diff --git a/openssl.spec b/openssl.spec index e050ec3..854a07a 100644 --- a/openssl.spec +++ b/openssl.spec @@ -204,6 +204,8 @@ Patch128: 0128-CVE-2023-5363.patch # https://github.com/openssl/openssl/pull/22403 Patch129: 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch Patch130: 0130-CVE-2023-5678.patch +# https://github.com/openssl/openssl/pull/20317 +Patch131: 0131-sslgroups-memleak.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -538,6 +540,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-17104 - Add a directory for OpenSSL providers configuration Resolves: RHEL-17193 +- Eliminate memory leak in OpenSSL when setting elliptic curves on SSL context + Resolves: RHEL-19515 * Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted From 3c49cf388ad389a3b800fa7447d840f9c2f5100c Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 19 Jan 2024 14:59:04 +0100 Subject: [PATCH 53/60] POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129) Resolves: RHEL-21151 --- 0132-CVE-2023-6129.patch | 86 ++++++++++++++++++++++++++++++++++++++++ openssl.spec | 4 ++ 2 files changed, 90 insertions(+) create mode 100644 0132-CVE-2023-6129.patch diff --git a/0132-CVE-2023-6129.patch b/0132-CVE-2023-6129.patch new file mode 100644 index 0000000..05e7300 --- /dev/null +++ b/0132-CVE-2023-6129.patch 
@@ -0,0 +1,86 @@ +diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl +index 9f86134d923fb..2e601bb9c24be 100755 +--- a/crypto/poly1305/asm/poly1305-ppc.pl ++++ b/crypto/poly1305/asm/poly1305-ppc.pl +@@ -744,7 +744,7 @@ + my $LOCALS= 6*$SIZE_T; + my $VSXFRAME = $LOCALS + 6*$SIZE_T; + $VSXFRAME += 128; # local variables +- $VSXFRAME += 13*16; # v20-v31 offload ++ $VSXFRAME += 12*16; # v20-v31 offload + + my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0; + +@@ -919,12 +919,12 @@ + addi r11,r11,32 + stvx v22,r10,$sp + addi r10,r10,32 +- stvx v23,r10,$sp +- addi r10,r10,32 +- stvx v24,r11,$sp ++ stvx v23,r11,$sp + addi r11,r11,32 +- stvx v25,r10,$sp ++ stvx v24,r10,$sp + addi r10,r10,32 ++ stvx v25,r11,$sp ++ addi r11,r11,32 + stvx v26,r10,$sp + addi r10,r10,32 + stvx v27,r11,$sp +@@ -1153,12 +1153,12 @@ + addi r11,r11,32 + stvx v22,r10,$sp + addi r10,r10,32 +- stvx v23,r10,$sp +- addi r10,r10,32 +- stvx v24,r11,$sp ++ stvx v23,r11,$sp + addi r11,r11,32 +- stvx v25,r10,$sp ++ stvx v24,r10,$sp + addi r10,r10,32 ++ stvx v25,r11,$sp ++ addi r11,r11,32 + stvx v26,r10,$sp + addi r10,r10,32 + stvx v27,r11,$sp +@@ -1899,26 +1899,26 @@ + mtspr 256,r12 # restore vrsave + lvx v20,r10,$sp + addi r10,r10,32 +- lvx v21,r10,$sp +- addi r10,r10,32 +- lvx v22,r11,$sp ++ lvx v21,r11,$sp + addi r11,r11,32 +- lvx v23,r10,$sp ++ lvx v22,r10,$sp + addi r10,r10,32 +- lvx v24,r11,$sp ++ lvx v23,r11,$sp + addi r11,r11,32 +- lvx v25,r10,$sp ++ lvx v24,r10,$sp + addi r10,r10,32 +- lvx v26,r11,$sp ++ lvx v25,r11,$sp + addi r11,r11,32 +- lvx v27,r10,$sp ++ lvx v26,r10,$sp + addi r10,r10,32 +- lvx v28,r11,$sp ++ lvx v27,r11,$sp + addi r11,r11,32 +- lvx v29,r10,$sp ++ lvx v28,r10,$sp + addi r10,r10,32 +- lvx v30,r11,$sp +- lvx v31,r10,$sp ++ lvx v29,r11,$sp ++ addi r11,r11,32 ++ lvx v30,r10,$sp ++ lvx v31,r11,$sp + $POP r27,`$VSXFRAME-$SIZE_T*5`($sp) + $POP r28,`$VSXFRAME-$SIZE_T*4`($sp) + $POP r29,`$VSXFRAME-$SIZE_T*3`($sp) 
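Review bot: The three corrected sequences (two `stvx` save blocks and the `lvx` restore block for v20-v31) still rely on hand-alternating `r10` and `r11` with a stride of 32, which is the pattern the original typo broke, and nothing in the hunks documents it. A one-line comment at each block, e.g. `# v20..v31: even registers via r10, odd via r11, each pointer advancing by 32`, would let a reader check the alternation at a glance. The visible hunks add no test that the non-volatile vector registers survive a call, so a regression of the same kind would again go unnoticed by the test suite. The initial values of r10 and r11 are set outside the hunks.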
diff --git a/openssl.spec b/openssl.spec index 854a07a..4af4c04 100644 --- a/openssl.spec +++ b/openssl.spec @@ -206,6 +206,8 @@ Patch129: 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch Patch130: 0130-CVE-2023-5678.patch # https://github.com/openssl/openssl/pull/20317 Patch131: 0131-sslgroups-memleak.patch +# https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35 +Patch132: 0132-CVE-2023-6129.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -542,6 +544,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-17193 - Eliminate memory leak in OpenSSL when setting elliptic curves on SSL context Resolves: RHEL-19515 +- POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129) + Resolves: RHEL-21151 * Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted From 0707122b950a172b6efbd22738430a30158be3af Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Fri, 19 Jan 2024 15:07:58 +0100 Subject: [PATCH 54/60] Excessive time spent checking invalid RSA public keys (CVE-2023-6237) Resolves: RHEL-21654 --- 0133-CVE-2023-6237.patch | 93 ++++++++++++++++++++++++++++++++++++++++ openssl.spec | 4 ++ 2 files changed, 97 insertions(+) create mode 100644 0133-CVE-2023-6237.patch diff --git a/0133-CVE-2023-6237.patch b/0133-CVE-2023-6237.patch new file mode 100644 index 0000000..a6f7a9a --- /dev/null +++ b/0133-CVE-2023-6237.patch 
@@ -0,0 +1,93 @@ +diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c +index fc8f19b48770b..bcbdd24fb8199 100644 +--- a/crypto/rsa/rsa_sp800_56b_check.c ++++ b/crypto/rsa/rsa_sp800_56b_check.c +@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) + return 0; + + nbits = BN_num_bits(rsa->n); ++ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); ++ return 0; ++ } ++ + #ifdef FIPS_MODULE + /* + * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1) +@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) + goto err; + } + +- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status); ++ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */ ++ ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status); + #ifdef FIPS_MODULE + if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { + #else +diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t +index dc7cc64533af2..f8088df14d36c 100644 +--- a/test/recipes/91-test_pkey_check.t ++++ b/test/recipes/91-test_pkey_check.t +@@ -70,7 +70,7 @@ push(@positive_tests, ( + "dhpkey.pem" + )) unless disabled("dh"); + +-my @negative_pubtests = (); ++my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key + + push(@negative_pubtests, ( + "dsapub_noparam.der" +diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem +new file mode 100644 +index 0000000000000..9a2eaedaf1b22 +--- /dev/null ++++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem +@@ -0,0 +1,48 @@ ++-----BEGIN PUBLIC KEY----- ++MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR ++B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph ++gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2 ++GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/ 
++XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj ++b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2 ++gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq ++TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1 ++vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0 ++V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j ++/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH ++SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa ++PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y ++Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu ++C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J ++xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo ++F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id ++aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB ++nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi ++R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7 ++kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN ++mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux ++AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O ++f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi ++ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH ++UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx ++wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP ++fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4 ++y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS ++Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL ++HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ ++eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ ++EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz 
++chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq ++4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW ++gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC ++A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK ++FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys ++26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC ++xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J ++pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+ ++k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa ++2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q ++Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb ++77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID ++AQAB ++-----END PUBLIC KEY----- diff --git a/openssl.spec b/openssl.spec index 4af4c04..df98386 100644 --- a/openssl.spec +++ b/openssl.spec @@ -208,6 +208,8 @@ Patch130: 0130-CVE-2023-5678.patch Patch131: 0131-sslgroups-memleak.patch # https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35 Patch132: 0132-CVE-2023-6129.patch +# https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a +Patch133: 0133-CVE-2023-6237.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -546,6 +548,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-19515 - POLY1305 MAC implementation corrupts vector registers on PowerPC (CVE-2023-6129) Resolves: RHEL-21151 +- Excessive time spent checking invalid RSA public keys (CVE-2023-6237) + Resolves: RHEL-21654 * Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted From 08c722bcd1e5c9d42dfaf178ddb564f9cf0e317e Mon Sep 17 00:00:00 2001 
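Review bot: The round count `5` passed to `ossl_bn_miller_rabin_is_prime()` in ossl_rsa_sp800_56b_check_public() is a bare literal whose comment cites the table it comes from but not why it replaced `0`; the purpose, bounding the work done on an untrusted modulus, is worth stating at the call. A named constant would do both, e.g. `#define RSA_PUB_CHECK_MR_ROUNDS 5 /* caps primality-test cost on untrusted n */` (name constructed for illustration). The added negative test covers only the oversized `rsapub_17k.pem`; a key at exactly `OPENSSL_RSA_MAX_MODULUS_BITS` that must still be accepted is not exercised in the visible hunks, so an off-by-one in the `nbits >` comparison would not be caught. The function body extends beyond both hunks.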
From: Dmitry Belyavskiy Date: Fri, 19 Jan 2024 15:18:50 +0100 Subject: [PATCH 55/60] SSL ECDHE Kex fails when pkcs11 engine is set in config file Resolves: RHEL-20249 --- 0134-engine-based-ECDHE-kex.patch | 47 +++++++++++++++++++++++++++++++ openssl.spec | 4 +++ 2 files changed, 51 insertions(+) create mode 100644 0134-engine-based-ECDHE-kex.patch diff --git a/0134-engine-based-ECDHE-kex.patch b/0134-engine-based-ECDHE-kex.patch new file mode 100644 index 0000000..fee56f7 --- /dev/null +++ b/0134-engine-based-ECDHE-kex.patch 
@@ -0,0 +1,47 @@ +diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c +index 448a3c3043c1c..9010fa6c4638c 100644 +--- a/crypto/evp/ctrl_params_translate.c ++++ b/crypto/evp/ctrl_params_translate.c +@@ -1134,6 +1134,7 @@ static int fix_ec_paramgen_curve_nid(enum state state, + const struct translation_st *translation, + struct translation_ctx_st *ctx) + { ++ char *p2 = NULL; + int ret; + + if ((ret = default_check(state, translation, ctx)) <= 0) +@@ -1146,13 +1147,25 @@ static int fix_ec_paramgen_curve_nid(enum state state, + if (state == PRE_CTRL_TO_PARAMS) { + ctx->p2 = (char *)OBJ_nid2sn(ctx->p1); + ctx->p1 = 0; ++ } else if (state == PRE_PARAMS_TO_CTRL) { ++ /* ++ * We're translating from params to ctrl and setting the curve name. ++ * The ctrl function needs it to be a NID, but meanwhile, we need ++ * space to get the curve name from the param. |ctx->name_buf| is ++ * sufficient for that. ++ * The double indirection is necessary for default_fixup_args()'s ++ * call of OSSL_PARAM_get_utf8_string() to be done correctly. ++ */ ++ p2 = ctx->name_buf; ++ ctx->p2 = &p2; ++ ctx->sz = sizeof(ctx->name_buf); + } + + if ((ret = default_fixup_args(state, translation, ctx)) <= 0) + return ret; + + if (state == PRE_PARAMS_TO_CTRL) { +- ctx->p1 = OBJ_sn2nid(ctx->p2); ++ ctx->p1 = OBJ_sn2nid(p2); + ctx->p2 = NULL; + } + +@@ -2789,6 +2802,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx, + if (translation->fixup_args != NULL) + fixup = translation->fixup_args; + ctx.action_type = translation->action_type; ++ ctx.ctrl_cmd = translation->ctrl_num; + } + ctx.pctx = pctx; + ctx.params = params; diff --git a/openssl.spec b/openssl.spec index df98386..ec1af2e 100644 --- a/openssl.spec +++ b/openssl.spec 
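Review bot: In fix_ec_paramgen_curve_nid() the new `ctx->p2 = &p2;` stores the address of a stack local, and the `return ret;` taken when `default_fixup_args()` fails leaves that pointer in `ctx` after the function has returned. Resetting it on that path, `if (state == PRE_PARAMS_TO_CTRL) ctx->p2 = NULL;` before the `return ret;`, keeps the context free of a dangling pointer; whether any caller reads `ctx->p2` after a failure is not visible in the hunk. Separately, `OBJ_sn2nid(p2)` yields `NID_undef` for a name it does not know, and the result goes into `ctx->p1` unchecked, so an explicit rejection here would give a clearer error than whatever the ctrl handler reports.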
@@ -210,6 +210,8 @@ Patch131: 0131-sslgroups-memleak.patch Patch132: 0132-CVE-2023-6129.patch # https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a Patch133: 0133-CVE-2023-6237.patch +# https://github.com/openssl/openssl/pull/20780 +Patch134: 0134-engine-based-ECDHE-kex.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -550,6 +552,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-21151 - Excessive time spent checking invalid RSA public keys (CVE-2023-6237) Resolves: RHEL-21654 +- SSL ECDHE Kex fails when pkcs11 engine is set in config file + Resolves: RHEL-20249 * Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted From e6e479521be51254c68225e8e9256dfb5037c8b0 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 29 Jan 2024 13:30:00 +0100 Subject: [PATCH 56/60] Denial of service via null dereference in PKCS#12 Resolves: RHEL-22486 --- 0135-CVE-2024-0727.patch | 178 +++++++++++++++++++++++++++++++++++++++ openssl.spec | 4 + 2 files changed, 182 insertions(+) create mode 100644 0135-CVE-2024-0727.patch diff --git a/0135-CVE-2024-0727.patch b/0135-CVE-2024-0727.patch new file mode 100644 index 0000000..ddebf85 --- /dev/null +++ b/0135-CVE-2024-0727.patch 
@@ -0,0 +1,178 @@ +diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c +index 6fd4184af5a52..80ce31b3bca66 100644 +--- a/crypto/pkcs12/p12_add.c ++++ b/crypto/pkcs12/p12_add.c +@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p7->d.data == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); + } + +@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, + { + if (!PKCS7_type_is_encrypted(p7)) + return NULL; ++ ++ if (p7->d.encrypted == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm, + ASN1_ITEM_rptr(PKCS12_SAFEBAGS), + pass, passlen, +@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p12->authsafes->d.data == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + p7s = ASN1_item_unpack(p12->authsafes->d.data, + ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); + if (p7s != NULL) { +diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c +index 67a885a45f89e..68ff54d0e90ee 100644 +--- a/crypto/pkcs12/p12_mutl.c ++++ b/crypto/pkcs12/p12_mutl.c +@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, + return 0; + } + ++ if (p12->authsafes->d.data == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return 0; ++ } ++ + salt = p12->mac->salt->data; + saltlen = p12->mac->salt->length; + if (p12->mac->iter == NULL) +diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c +index 62230bc6187ff..1e5b5495991a4 100644 +--- a/crypto/pkcs12/p12_npas.c ++++ b/crypto/pkcs12/p12_npas.c +@@ -77,8 +77,9 
@@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) + bags = PKCS12_unpack_p7data(p7); + } else if (bagnid == NID_pkcs7_encrypted) { + bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); +- if (!alg_get(p7->d.encrypted->enc_data->algorithm, +- &pbe_nid, &pbe_iter, &pbe_saltlen)) ++ if (p7->d.encrypted == NULL ++ || !alg_get(p7->d.encrypted->enc_data->algorithm, ++ &pbe_nid, &pbe_iter, &pbe_saltlen)) + goto err; + } else { + continue; +diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c +index 49a0da5f819c4..8228315eeaa3a 100644 +--- a/crypto/pkcs7/pk7_mime.c ++++ b/crypto/pkcs7/pk7_mime.c +@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) + int ctype_nid = OBJ_obj2nid(p7->type); + const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); + +- if (ctype_nid == NID_pkcs7_signed) ++ if (ctype_nid == NID_pkcs7_signed) { ++ if (p7->d.sign == NULL) ++ return 0; + mdalgs = p7->d.sign->md_algs; +- else ++ } else { + mdalgs = NULL; ++ } + + flags ^= SMIME_OLDMIME; + +diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t +index 1f0cb4d501488..b2c376249646d 100644 +--- a/test/recipes/80-test_pkcs12.t ++++ b/test/recipes/80-test_pkcs12.t +@@ -9,7 +9,7 @@ + use strict; + use warnings; + +-use OpenSSL::Test qw/:DEFAULT srctop_file/; ++use OpenSSL::Test qw/:DEFAULT srctop_file with/; + use OpenSSL::Test::Utils; + + use Encode; +@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) { + } + $ENV{OPENSSL_WIN32_UTF8}=1; + +-plan tests => 13; ++plan tests => 17; + + # Test different PKCS#12 formats + ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats"); +@@ -148,4 +148,25 @@ ok(grep(/subject=CN = server.example/, @pkcs12info) == 1, + # Test that the expected friendly name is present in the output + ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output"); + ++# Test some bad pkcs12 files ++my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12"); ++my $bad2 = 
srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12"); ++my $bad3 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad3.p12"); ++ ++with({ exit_checker => sub { return shift == 1; } }, ++ sub { ++ ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:"])), ++ "test bad pkcs12 file 1"); ++ ++ ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:", ++ "-nomacver"])), ++ "test bad pkcs12 file 1 (nomacver)"); ++ ++ ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:"])), ++ "test bad pkcs12 file 2"); ++ ++ ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:"])), ++ "test bad pkcs12 file 3"); ++ }); ++ + SetConsoleOutputCP($savedcp) if (defined($savedcp)); +diff --git a/test/recipes/80-test_pkcs12_data/bad1.p12 b/test/recipes/80-test_pkcs12_data/bad1.p12 +new file mode 100644 +index 0000000000000000000000000000000000000000..8f3387c7e356e4aa374729f3f3939343557b9c09 +GIT binary patch +literal 85 +zcmV-b0IL5mQvv}4Fbf6=Duzgg_YDCD0Wd)@F)$4V31Egu0c8UO0s#d81R(r{)waiY +rfR=Py6XX#<$m7-wj)xrauuD`}hF=Ng9=0`~S~)@=J%OiUaM0Oze6 +AD*ylh + +literal 0 +HcmV?d00001 + +diff --git a/test/recipes/80-test_pkcs12_data/bad3.p12 b/test/recipes/80-test_pkcs12_data/bad3.p12 +new file mode 100644 +index 0000000000000000000000000000000000000000..ef86a1d86fb0bc09471ca2596d82e7d521d973a4 +GIT binary patch +literal 104 +zcmXp=V`5}BkYnT2YV&CO&dbQoxImDF-+oA$5$MVJL*60=F*5iN*C_e&wD%dwCM*q{=+OBX|Z+F7XSHN#>B+I003La +BAqM~e + +literal 0 +HcmV?d00001 + diff --git a/openssl.spec b/openssl.spec index ec1af2e..1dfd443 100644 --- a/openssl.spec +++ b/openssl.spec @@ -212,6 +212,8 @@ Patch132: 0132-CVE-2023-6129.patch Patch133: 0133-CVE-2023-6237.patch # https://github.com/openssl/openssl/pull/20780 Patch134: 0134-engine-based-ECDHE-kex.patch +# https://github.com/openssl/openssl/pull/23362 +Patch135: 0135-CVE-2024-0727.patch License: ASL 2.0 URL: http://www.openssl.org/ 
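Review bot: The new NULL check in SMIME_write_PKCS7() (`if (p7->d.sign == NULL) return 0;`) fails without queuing an error, whereas the checks added in p12_add.c and p12_mutl.c all call `ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR)` first, so a caller gets a bare failure with nothing to log. Raising an error there as well, for instance `ERR_raise(ERR_LIB_PKCS7, PKCS7_R_NO_CONTENT);`, would make malformed input diagnosable. In PKCS12_unpack_p7encdata() and newpass_p12() the guard covers `p7->d.encrypted`, but the next expression still dereferences `->enc_data` unchecked; that is probably safe for decoded input, but it is worth confirming for structures built in memory. All of these functions extend beyond their hunks.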
@@ -554,6 +556,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-21654 - SSL ECDHE Kex fails when pkcs11 engine is set in config file Resolves: RHEL-20249 +- Denial of service via null dereference in PKCS#12 + Resolves: RHEL-22486 * Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted From 50997010d1032f408f7922f597386fb72025377c Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 31 Jan 2024 16:39:33 +0100 Subject: [PATCH 57/60] Add a directory for OpenSSL providers configuration Related: RHEL-17193 --- 0024-load-legacy-prov.patch | 2 +- openssl.spec | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/0024-load-legacy-prov.patch b/0024-load-legacy-prov.patch index edbe50b..52ac5d5 100644 --- a/0024-load-legacy-prov.patch +++ b/0024-load-legacy-prov.patch @@ -56,7 +56,7 @@ diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.c +##activate = 1 + +#Place the third party provider configuration files into this folder -+.include /etc/pki/tls/include ++.include /etc/pki/tls/openssl.d [ ssl_module ] diff --git a/openssl.spec b/openssl.spec index 1dfd443..fbf2b6b 100644 --- a/openssl.spec +++ b/openssl.spec @@ -425,7 +425,7 @@ done # Install a makefile for generating keys and self-signed certs, and a script # for generating them on the fly. mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs -mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/include +mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.d install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert 
@@ -508,7 +508,7 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %dir %{_sysconfdir}/pki/tls/certs %dir %{_sysconfdir}/pki/tls/misc %dir %{_sysconfdir}/pki/tls/private -%dir %{_sysconfdir}/pki/tls/include +%dir %{_sysconfdir}/pki/tls/openssl.d %config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf %config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf %config %{_sysconfdir}/pki/tls/fips_local.cnf From b9f699b8a8dd3de785236b97650fa9bac3dfdf76 Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Mon, 29 Jan 2024 17:28:37 +0100 Subject: [PATCH 58/60] Use certified FIPS module instead of freshly built one in Red Hat distribution Resolves: RHEL-23474 --- openssl.spec | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/openssl.spec b/openssl.spec index fbf2b6b..20e5027 100644 --- a/openssl.spec +++ b/openssl.spec @@ -230,6 +230,9 @@ BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), BuildRequires: git-core Requires: coreutils Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} +%if ( %{defined rhel} && (! %{defined centos}) ) +Requires: openssl-fips-provider +%endif %description The OpenSSL toolkit provides support for secure communications between @@ -393,6 +396,14 @@ make test HARNESS_JOBS=8 # Add generation of HMAC checksum of the final stripped library # We manually copy standard definition of __spec_install_post # and add hmac calculation/embedding to fips.so +%if ( %{defined rhel} && (! %{defined centos}) ) +%define __spec_install_post \ + rm -rf $RPM_BUILD_ROOT/%{_libdir}/ossl-modules/fips.so \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ +%{nil} +%else %define __spec_install_post \ %{?__debug_package:%{__debug_install_post}} \ %{__arch_install_post} \ 
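Review bot: `Requires: openssl-fips-provider` is unversioned while the RHEL branch of `__spec_install_post` deletes the freshly built `fips.so`, so the package no longer controls which provider build ends up loaded alongside this libcrypto. A versioned dependency, `Requires: openssl-fips-provider >= <certified-provider-version>` (placeholder, the value is not on the page), would state the tested pairing. The `make test` step shown in the hunk header appears to exercise the module that is then removed rather than the one that ships, which is worth a comment next to the `rm -rf`. The condition `%{defined rhel} && (! %{defined centos})` now appears twice and could be a single `%global` so both sites stay in step.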
@@ -402,6 +413,7 @@ make test HARNESS_JOBS=8 mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \ rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \ %{nil} +%endif %define __provides_exclude_from %{_libdir}/openssl @@ -558,6 +570,8 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco Resolves: RHEL-20249 - Denial of service via null dereference in PKCS#12 Resolves: RHEL-22486 +- Use certified FIPS module instead of freshly built one in Red Hat distribution + Resolves: RHEL-23474 * Mon Oct 16 2023 Dmitry Belyavskiy - 1:3.0.7-25 - Provide relevant diagnostics when FIPS checksum is corrupted From 8e5beb77088bfec064d60506b1e76ddb0ac417fe Mon Sep 17 00:00:00 2001 From: Dmitry Belyavskiy Date: Wed, 21 Feb 2024 11:36:30 +0100 Subject: [PATCH 59/60] Use certified FIPS module instead of freshly built one in Red Hat distribution Related: RHEL-23474 --- openssl.spec | 12 ++++++++---- 1 file changed, 8 insertions(+), 4 deletions(-) diff --git a/openssl.spec b/openssl.spec index 20e5027..944551b 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.7 -Release: 26%{?dist} +Release: 27%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -230,9 +230,6 @@ BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), BuildRequires: git-core Requires: coreutils Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release} -%if ( %{defined rhel} && (! %{defined centos}) ) -Requires: openssl-fips-provider -%endif %description The OpenSSL toolkit provides support for secure communications between 
@@ -244,6 +241,9 @@ protocols. Summary: A general purpose cryptography library with TLS implementation Requires: ca-certificates >= 2008-5 Requires: crypto-policies >= 20180730 +%if ( %{defined rhel} && (! %{defined centos}) ) +Requires: openssl-fips-provider +%endif %description libs OpenSSL is a toolkit for supporting cryptography. The openssl-libs @@ -553,6 +553,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog +* Wed Feb 21 2024 Dmitry Belyavskiy - 1:3.0.7-27 +- Use certified FIPS module instead of freshly built one in Red Hat distribution + Related: RHEL-23474 + * Tue Nov 21 2023 Dmitry Belyavskiy - 1:3.0.7-26 - Avoid implicit function declaration when building openssl Related: RHEL-1780 From 2c5c3fcced9536e9e3db51b8666a4fd2a70b492a Mon Sep 17 00:00:00 2001 
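Review bot: The `Requires: openssl-fips-provider` added to the libs subpackage (hunk `@@ -244,6 +241,9 @@`) has no `%{?_isa}`, unlike the `%{name}-libs%{?_isa}` dependency elsewhere in this spec, so on a multilib system a provider package of another architecture can satisfy it. If the provider ships its module per architecture, which this page does not show, the other-arch `openssl-libs` would then be installed with no `fips.so` in its `%{_libdir}/ossl-modules`, because RHEL builds delete the locally built one. I would write `Requires: openssl-fips-provider%{?_isa}` and, if the certified module is tied to specific builds, add a version bound as well.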
From: Dmitry Belyavskiy Date: Thu, 4 Apr 2024 10:44:19 +0200 Subject: [PATCH 60/60] Rebasing to OpenSSL 3.2.1 Resolves: RHEL-26271 --- .gitignore | 1 + 0003-Do-not-install-html-docs.patch | 12 +- ...PROFILE-SYSTEM-system-default-cipher.patch | 135 +- 0009-Add-Kernel-FIPS-mode-flag-support.patch | 59 +- 0010-Add-changes-to-ectest-and-eccurve.patch | 87 +- 0011-Remove-EC-curves.patch | 116 +- 0013-skipped-tests-EC-curves.patch | 11 +- 0031-tmp-Fix-test-names.patch | 40 - 0032-Force-fips.patch | 181 +- 0033-FIPS-embed-hmac.patch | 290 +- 0034.fipsinstall_disable.patch | 387 ++- 0044-FIPS-140-3-keychecks.patch | 228 +- 0045-FIPS-services-minimize.patch | 746 ++-- 0047-FIPS-early-KATS.patch | 44 +- ...Selectively-disallow-SHA1-signatures.patch | 236 +- ...t-different-R_BITS-lengths-for-KBKDF.patch | 2151 ------------ ...clevel-2-if-rh-allow-sha1-signatures.patch | 29 +- 0056-strcasecmp.patch | 23 +- 0058-FIPS-limit-rsa-encrypt.patch | 587 +++- 0060-FIPS-KAT-signature-tests.patch | 420 --- 0062-fips-Expose-a-FIPS-indicator.patch | 2 +- 0067-ppc64le-Montgomery-multiply.patch | 703 ---- 0071-AES-GCM-performance-optimization.patch | 1635 --------- ...erformance-optimizations-for-ppc64le.patch | 1493 -------- ...OAEP-in-KATs-support-fixed-OAEP-seed.patch | 40 +- ...gest_sign-digest_verify-in-self-test.patch | 144 +- 0076-FIPS-140-3-DRBG.patch | 188 +- 0077-FIPS-140-3-zeroization.patch | 2 +- 0078-KDF-Add-FIPS-indicators.patch | 70 +- ...-truncated-hashes-SHA-3-in-FIPS-prov.patch | 3086 +++-------------- ...plicit-FIPS-indicator-for-key-length.patch | 41 +- ...t-minimum-password-length-of-8-bytes.patch | 2 +- ...re-Add-indicator-for-PSS-salt-length.patch | 52 +- 0089-PSS-salt-length-from-provider.patch | 114 - ...gnature-Clamp-PSS-salt-len-to-MD-len.patch | 338 -- 0092-provider-improvements.patch | 705 ---- 0101-CVE-2022-4203-nc-match.patch | 281 -- 0102-CVE-2022-4304-RSA-time-oracle.patch | 750 ---- 0103-CVE-2022-4450-pem-read-bio.patch | 106 - 
0104-CVE-2023-0215-UAF-bio.patch | 187 - 0105-CVE-2023-0216-pkcs7-deref.patch | 110 - 0106-CVE-2023-0217-dsa.patch | 404 --- 0107-CVE-2023-0286-X400.patch | 63 - 0108-CVE-2023-0401-pkcs7-md.patch | 150 - 0109-fips-Zeroize-out-in-fips-selftest.patch | 26 - ...t-explicit-FIPS-indicator-for-IV-gen.patch | 40 +- ...Use-salt-16-bytes-in-PBKDF2-selftest.patch | 82 - ...hers-kem-Add-explicit-FIPS-indicator.patch | 76 +- 0114-FIPS-enforce-EMS-support.patch | 614 +--- 0115-CVE-2023-0464.patch | 195 -- 0115-skip-quic-pairwise.patch | 85 + 0116-CVE-2023-0465.patch | 179 - 0116-version-aliasing.patch | 84 + 0117-CVE-2023-0466.patch | 27 - ...-ignore-unknown-sigalgorithms-groups.patch | 318 ++ 0118-CVE-2023-1255.patch | 20 - 0118-no-crl-memleak.patch | 80 + ...-sigalgs-in-signaturealgorithms-conf.patch | 170 + 0120-RSA-PKCS15-implicit-rejection.patch | 1354 -------- 0122-CVE-2023-2650.patch | 30 - 0122-TMP-KTLS-test-skip.patch | 16 + 0123-ibmca-atexit-crash.patch | 244 -- 0125-CVE-2023-2975.patch | 30 - 0126-CVE-2023-3446.patch | 74 - 0127-CVE-2023-3817.patch | 57 - 0128-CVE-2023-5363.patch | 318 -- ...-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch | 49 - 0130-CVE-2023-5678.patch | 143 - 0131-sslgroups-memleak.patch | 12 - 0132-CVE-2023-6129.patch | 86 - 0133-CVE-2023-6237.patch | 93 - 0134-engine-based-ECDHE-kex.patch | 47 - 0135-CVE-2024-0727.patch | 178 - openssl.spec | 87 +- sources | 2 +- 75 files changed, 3776 insertions(+), 17489 deletions(-) delete mode 100644 0031-tmp-Fix-test-names.patch delete mode 100644 0051-Support-different-R_BITS-lengths-for-KBKDF.patch delete mode 100644 0060-FIPS-KAT-signature-tests.patch delete mode 100644 0067-ppc64le-Montgomery-multiply.patch delete mode 100644 0071-AES-GCM-performance-optimization.patch delete mode 100644 0072-ChaCha20-performance-optimizations-for-ppc64le.patch delete mode 100644 0089-PSS-salt-length-from-provider.patch delete mode 100644 0090-signature-Clamp-PSS-salt-len-to-MD-len.patch delete mode 100644 
0092-provider-improvements.patch delete mode 100644 0101-CVE-2022-4203-nc-match.patch delete mode 100644 0102-CVE-2022-4304-RSA-time-oracle.patch delete mode 100644 0103-CVE-2022-4450-pem-read-bio.patch delete mode 100644 0104-CVE-2023-0215-UAF-bio.patch delete mode 100644 0105-CVE-2023-0216-pkcs7-deref.patch delete mode 100644 0106-CVE-2023-0217-dsa.patch delete mode 100644 0107-CVE-2023-0286-X400.patch delete mode 100644 0108-CVE-2023-0401-pkcs7-md.patch delete mode 100644 0109-fips-Zeroize-out-in-fips-selftest.patch delete mode 100644 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch delete mode 100644 0115-CVE-2023-0464.patch create mode 100644 0115-skip-quic-pairwise.patch delete mode 100644 0116-CVE-2023-0465.patch create mode 100644 0116-version-aliasing.patch delete mode 100644 0117-CVE-2023-0466.patch create mode 100644 0117-ignore-unknown-sigalgorithms-groups.patch delete mode 100644 0118-CVE-2023-1255.patch create mode 100644 0118-no-crl-memleak.patch create mode 100644 0119-provider-sigalgs-in-signaturealgorithms-conf.patch delete mode 100644 0120-RSA-PKCS15-implicit-rejection.patch delete mode 100644 0122-CVE-2023-2650.patch create mode 100644 0122-TMP-KTLS-test-skip.patch delete mode 100644 0123-ibmca-atexit-crash.patch delete mode 100644 0125-CVE-2023-2975.patch delete mode 100644 0126-CVE-2023-3446.patch delete mode 100644 0127-CVE-2023-3817.patch delete mode 100644 0128-CVE-2023-5363.patch delete mode 100644 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch delete mode 100644 0130-CVE-2023-5678.patch delete mode 100644 0131-sslgroups-memleak.patch delete mode 100644 0132-CVE-2023-6129.patch delete mode 100644 0133-CVE-2023-6237.patch delete mode 100644 0134-engine-based-ECDHE-kex.patch delete mode 100644 0135-CVE-2024-0727.patch diff --git a/.gitignore b/.gitignore index 0b3ed17..8e6940c 100644 --- a/.gitignore +++ b/.gitignore 
@@ -55,3 +55,4 @@ openssl-1.0.0a-usa.tar.bz2 /openssl-3.0.1-hobbled.tar.xz /openssl-3.0.7-hobbled.tar.gz /openssl-3.0.7.tar.gz +/openssl-3.2.1.tar.gz diff --git a/0003-Do-not-install-html-docs.patch b/0003-Do-not-install-html-docs.patch index 66d62e0..6aabf8b 100644 --- a/0003-Do-not-install-html-docs.patch +++ b/0003-Do-not-install-html-docs.patch @@ -12,15 +12,15 @@ diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tm index 342e46d24d..9f369edf0e 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl -@@ -554,7 +554,7 @@ install_sw: install_dev install_engines install_modules install_runtime +@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime - uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev + uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries --install_docs: install_man_docs install_html_docs -+install_docs: install_man_docs +-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation ++install_docs: install_man_docs ## Install manpages - uninstall_docs: uninstall_man_docs uninstall_html_docs - $(RM) -r $(DESTDIR)$(DOCDIR) + uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation + $(RM) -r "$(DESTDIR)$(DOCDIR)" -- 2.26.2 diff --git a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index 7a97dee..9decdce 100644 --- a/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch 
@@ -6,20 +6,19 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist (was openssl-1.1.1-system-cipherlist.patch) --- Configurations/unix-Makefile.tmpl | 5 ++ - Configure | 10 +++- + Configure | 11 +++- doc/man1/openssl-ciphers.pod.in | 9 ++++ include/openssl/ssl.h.in | 5 ++ - ssl/ssl_ciph.c | 88 +++++++++++++++++++++++++++---- + ssl/ssl_ciph.c | 86 +++++++++++++++++++++++++++---- ssl/ssl_lib.c | 4 +- test/cipherlist_test.c | 2 + - util/libcrypto.num | 1 + - 8 files changed, 110 insertions(+), 14 deletions(-) + 7 files changed, 109 insertions(+), 13 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 9f369edf0e..c52389f831 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl -@@ -269,6 +269,10 @@ MANDIR=$(INSTALLTOP)/share/man +@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) HTMLDIR=$(DOCDIR)/html @@ -30,7 +29,7 @@ index 9f369edf0e..c52389f831 100644 # MANSUFFIX is for the benefit of anyone who may want to have a suffix # appended after the manpage file section number. "ssl" is popular, # resulting in files such as config.5ssl rather than config.5. -@@ -292,6 +296,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} +@@ -347,6 +351,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -} CPPFLAGS={- our $cppflags1 = join(" ", (map { "-D".$_} @{$config{CPPDEFINES}}), 
@@ -38,11 +37,54 @@ index 9f369edf0e..c52389f831 100644 (map { "-I".$_} @{$config{CPPINCLUDES}}), @{$config{CPPFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -} +diff --git a/Configure b/Configure +index cca1ac8d16..2ae1cd0bc2 100755 +--- a/Configure ++++ b/Configure +@@ -27,7 +27,7 @@ use OpenSSL::config; + my $orig_death_handler = $SIG{__DIE__}; + $SIG{__DIE__} = \&death_handler; + +-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; + + my $banner = <<"EOF"; + +@@ -61,6 +61,10 @@ EOF + # given with --prefix. + # This becomes the value of OPENSSLDIR in Makefile and in C. + # (Default: PREFIX/ssl) ++# ++# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM ++# cipher is specified (default). ++# + # --banner=".." Output specified text instead of default completion banner + # + # -w Don't wait after showing a Configure warning +@@ -394,6 +398,7 @@ $config{prefix}=""; + $config{openssldir}=""; + $config{processor}=""; + $config{libdir}=""; ++$config{system_ciphers_file}=""; + my $auto_threads=1; # enable threads automatically? 
true by default + my $default_ranlib; + +@@ -1047,6 +1052,10 @@ while (@argvcopy) + die "FIPS key too long (64 bytes max)\n" + if length $1 > 64; + } ++ elsif (/^--system-ciphers-file=(.*)$/) ++ { ++ $config{system_ciphers_file}=$1; ++ } + elsif (/^--banner=(.*)$/) + { + $banner = $1 . "\n"; diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in index b4ed3e51d5..2122e6bdfd 100644 --- a/doc/man1/openssl-ciphers.pod.in +++ b/doc/man1/openssl-ciphers.pod.in -@@ -187,6 +187,15 @@ As of OpenSSL 1.0.0, the B cipher suites are sensibly ordered by default. +@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B cipher suites are sensibly ordered by default. The cipher suites not enabled by B, currently B. @@ -78,7 +120,7 @@ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index b1d3f7919e..f7cc7fed48 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c -@@ -1411,6 +1411,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str) +@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str) return ret; } @@ -91,7 +133,7 @@ index b1d3f7919e..f7cc7fed48 100644 + const char *ciphers_path; + unsigned len, slen; + -+ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL) ++ if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL) + ciphers_path = SYSTEM_CIPHERS_FILE; + fp = fopen(ciphers_path, "r"); + if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) { 
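Review bot: `secure_getenv` is a glibc extension that is declared only when `_GNU_SOURCE` is defined before `<stdlib.h>` is included, and the `@@ -91,7 +133,7 @@` hunk of 0007 swaps `ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")` for it without showing that define. Without the declaration, a compiler that still accepts implicit declarations treats the result as `int` and truncates the pointer on 64-bit targets; the same replacement is made for `OPENSSL_FORCE_FIPS_MODE` in the `@@ -25,7 +36,7 @@` hunk of 0009. Both variables steer security policy (the system cipher file and FIPS mode), so I would confirm that ssl/ssl_ciph.c and crypto/context.c define `_GNU_SOURCE`, or add `#define _GNU_SOURCE` ahead of the first include in each. The enclosing functions start and end outside these hunks.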
@@ -153,19 +195,19 @@ index b1d3f7919e..f7cc7fed48 100644 if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) - return NULL; + goto err; - + if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) - return NULL; + goto err; /* * To reduce the work to do we only want to process the compiled -@@ -1456,7 +1513,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, - co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); - if (co_list == NULL) { - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); -- return NULL; /* Failure */ -+ goto err; +@@ -1499,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + if (num_of_ciphers > 0) { + co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); + if (co_list == NULL) +- return NULL; /* Failure */ ++ goto err; } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, @@ -179,12 +221,10 @@ index b1d3f7919e..f7cc7fed48 100644 } /* -@@ -1568,9 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, - num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; +@@ -1611,7 +1667,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); if (ca_list == NULL) { -- OPENSSL_free(co_list); - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); + OPENSSL_free(co_list); - return NULL; /* Failure */ + goto err; } @@ -252,7 +292,7 @@ index d14d5819ba..48d491219a 100644 + SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert) || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); - goto err2; + goto err; diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c index 380f0727fc..6922a87c30 100644 --- a/test/cipherlist_test.c 
@@ -266,58 +306,7 @@ index 380f0727fc..6922a87c30 100644 +#endif ADD_TEST(test_default_cipherlist_explicit); ADD_TEST(test_default_cipherlist_clear); - return 1; -diff --git a/util/libcrypto.num b/util/libcrypto.num -index 404a706fab..e81fa9ec3e 100644 ---- a/util/libcrypto.num -+++ b/util/libcrypto.num -@@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION: - EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: - OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: - OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: -+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: + ADD_TEST(test_stdname_cipherlist); -- 2.26.2 -diff -up openssl-3.0.0-beta1/Configure.sys-default openssl-3.0.0-beta1/Configure ---- openssl-3.0.0-beta1/Configure.sys-default 2021-06-29 11:47:58.978144386 +0200 -+++ openssl-3.0.0-beta1/Configure 2021-06-29 11:52:01.631126260 +0200 -@@ -27,7 +27,7 @@ use OpenSSL::config; - my $orig_death_handler = $SIG{__DIE__}; - $SIG{__DIE__} = \&death_handler; - --my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; -+my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; - - my $banner = <<"EOF"; - -@@ -61,6 +61,10 @@ EOF - # given with --prefix. - # This becomes the value of OPENSSLDIR in Makefile and in C. - # (Default: PREFIX/ssl) -+# -+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM -+# cipher is specified (default). -+# - # --banner=".." 
Output specified text instead of default completion banner - # - # -w Don't wait after showing a Configure warning -@@ -385,6 +389,7 @@ $config{prefix}=""; - $config{openssldir}=""; - $config{processor}=""; - $config{libdir}=""; -+$config{system_ciphers_file}=""; - my $auto_threads=1; # enable threads automatically? true by default - my $default_ranlib; - -@@ -987,6 +992,10 @@ while (@argvcopy) - die "FIPS key too long (64 bytes max)\n" - if length $1 > 64; - } -+ elsif (/^--system-ciphers-file=(.*)$/) -+ { -+ $config{system_ciphers_file}=$1; -+ } - elsif (/^--banner=(.*)$/) - { - $banner = $1 . "\n"; diff --git a/0009-Add-Kernel-FIPS-mode-flag-support.patch b/0009-Add-Kernel-FIPS-mode-flag-support.patch index 30ff325..0848473 100644 --- a/0009-Add-Kernel-FIPS-mode-flag-support.patch +++ b/0009-Add-Kernel-FIPS-mode-flag-support.patch 
@@ -1,9 +1,25 @@ -diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha13/crypto/context.c ---- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100 -+++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100 -@@ -12,11 +12,46 @@ - #include "internal/provider.h" - #include "crypto/ctype.h" +From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:27 +0200 +Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch + +Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch +Patch-id: 9 +Patch-status: | + # Add check to see if fips flag is enabled in kernel +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++ + include/internal/provider.h | 3 +++ + 2 files changed, 39 insertions(+) + +diff --git a/crypto/context.c b/crypto/context.c +index e294ea1512..51002ba79a 100644 +--- a/crypto/context.c ++++ b/crypto/context.c +@@ -16,6 +16,41 @@ + #include "crypto/decoder.h" + #include "crypto/context.h" +# include +# include @@ -11,11 +27,6 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1 +# include +# include + - struct ossl_lib_ctx_onfree_list_st { - ossl_lib_ctx_onfree_fn *fn; - struct ossl_lib_ctx_onfree_list_st *next; - }; - +# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" + +static int kernel_fips_flag; @@ -25,7 +36,7 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1 + char buf[2] = "0"; + int fd; + -+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { ++ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { + buf[0] = '1'; + } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { + while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; 
@@ -46,20 +57,21 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1 + + struct ossl_lib_ctx_st { - CRYPTO_RWLOCK *lock; - CRYPTO_EX_DATA data; -@@ -121,6 +170,7 @@ static CRYPTO_THREAD_LOCAL default_conte + CRYPTO_RWLOCK *lock, *rand_crngt_lock; + OSSL_EX_DATA_GLOBAL global; +@@ -336,6 +371,7 @@ static int default_context_inited = 0; DEFINE_RUN_ONCE_STATIC(default_context_do_init) { + read_kernel_fips_flag(); - return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL) - && context_init(&default_context_int); - } -diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/include/internal/provider.h ---- openssl-3.0.1/include/internal/provider.h.embed-fips 2022-01-11 13:13:08.323238760 +0100 -+++ openssl-3.0.1/include/internal/provider.h 2022-01-11 13:13:43.522558909 +0100 -@@ -110,6 +110,9 @@ int ossl_provider_init_as_child(OSSL_LIB + if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)) + goto err; + +diff --git a/include/internal/provider.h b/include/internal/provider.h +index 18937f84c7..1446bf7afb 100644 +--- a/include/internal/provider.h ++++ b/include/internal/provider.h +@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, const OSSL_DISPATCH *in); void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); @@ -69,3 +81,6 @@ diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/incl # ifdef __cplusplus } # endif +-- +2.41.0 + diff --git a/0010-Add-changes-to-ectest-and-eccurve.patch b/0010-Add-changes-to-ectest-and-eccurve.patch index aac242b..63a2ca2 100644 --- a/0010-Add-changes-to-ectest-and-eccurve.patch +++ b/0010-Add-changes-to-ectest-and-eccurve.patch 
@@ -1,10 +1,29 @@ -diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c ---- ./crypto/ec/ec_curve.c.remove-ec 2023-03-13 16:50:09.278933578 +0100 -+++ ./crypto/ec/ec_curve.c 2023-03-21 12:38:57.696531941 +0100 -@@ -32,38 +32,6 @@ typedef struct { +From 37fae351c6fef272baf383469181aecfcac87592 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:27 +0200 +Subject: [PATCH 10/35] 0010-Add-changes-to-ectest-and-eccurve.patch + +Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch +Patch-id: 10 +Patch-status: | + # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so + # that new modifications made to these files by upstream are not lost. +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + crypto/ec/ec_curve.c | 844 ------------------------------------------- + test/ectest.c | 174 +-------- + 2 files changed, 8 insertions(+), 1010 deletions(-) + +diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c +index b5b2f3342d..d32a768fe6 100644 +--- a/crypto/ec/ec_curve.c ++++ b/crypto/ec/ec_curve.c +@@ -30,38 +30,6 @@ typedef struct { + } EC_CURVE_DATA; + /* the nist prime curves */ - static const struct { - EC_CURVE_DATA h; +-static const struct { +- EC_CURVE_DATA h; - unsigned char data[20 + 24 * 6]; -} _EC_NIST_PRIME_192 = { - { @@ -35,11 +54,9 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c - } -}; - --static const struct { -- EC_CURVE_DATA h; + static const struct { + EC_CURVE_DATA h; unsigned char data[20 + 28 * 6]; - } _EC_NIST_PRIME_224 = { - { @@ -200,187 +168,6 @@ static const struct { } }; 
@@ -228,10 +245,12 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c static const struct { EC_CURVE_DATA h; unsigned char data[20 + 32 * 6]; -@@ -423,294 +210,6 @@ static const struct { +@@ -421,294 +208,6 @@ static const struct { + + #ifndef FIPS_MODULE /* the secg prime curves (minus the nist and x9.62 prime curves) */ - static const struct { - EC_CURVE_DATA h; +-static const struct { +- EC_CURVE_DATA h; - unsigned char data[20 + 14 * 6]; -} _EC_SECG_PRIME_112R1 = { - { @@ -518,11 +537,9 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c - } -}; - --static const struct { -- EC_CURVE_DATA h; + static const struct { + EC_CURVE_DATA h; unsigned char data[0 + 32 * 6]; - } _EC_SECG_PRIME_256K1 = { - { @@ -745,102 +244,6 @@ static const struct { } }; @@ -626,10 +643,12 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c #endif /* FIPS_MODULE */ #ifndef OPENSSL_NO_EC2M -@@ -2238,198 +1641,6 @@ static const struct { +@@ -2236,198 +1639,6 @@ static const struct { + */ + #ifndef FIPS_MODULE - static const struct { - EC_CURVE_DATA h; +-static const struct { +- EC_CURVE_DATA h; - unsigned char data[0 + 20 * 6]; -} _EC_brainpoolP160r1 = { - { @@ -820,12 +839,10 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c - } -}; - --static const struct { -- EC_CURVE_DATA h; + static const struct { + EC_CURVE_DATA h; unsigned char data[0 + 32 * 6]; - } _EC_brainpoolP256r1 = { - { -@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[ +@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[] = { "NIST/SECG curve over a 521 bit prime field"}, /* X9.62 curves */ 
@@ -834,7 +851,7 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, # if defined(ECP_NISTZ256_ASM) EC_GFp_nistz256_method, -@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[ +@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[] = { static const ec_list_element curve_list[] = { /* prime field curves */ /* secg curves */ @@ -860,7 +877,7 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field"}, -@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[ +@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[] = { # endif "NIST/SECG curve over a 521 bit prime field"}, /* X9.62 curves */ @@ -879,7 +896,7 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, # if defined(ECP_NISTZ256_ASM) EC_GFp_nistz256_method, -@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[ +@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[] = { {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field"}, # endif @@ -902,7 +919,7 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c # ifndef OPENSSL_NO_EC2M /* IPSec curves */ {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, -@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[ +@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[] = { "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, # endif /* brainpool curves */ 
@@ -921,9 +938,10 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c {NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0, "RFC 5639 curve over a 256 bit prime field"}, {NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0, -diff -up ./test/ectest.c.remove-ec ./test/ectest.c ---- ./test/ectest.c.remove-ec 2023-03-13 18:39:30.544642912 +0100 -+++ ./test/ectest.c 2023-03-20 07:27:26.403212965 +0100 +diff --git a/test/ectest.c b/test/ectest.c +index afef85b0e6..4890b0555e 100644 +--- a/test/ectest.c ++++ b/test/ectest.c @@ -175,184 +175,26 @@ static int prime_field_tests(void) || !TEST_ptr(p = BN_new()) || !TEST_ptr(a = BN_new()) @@ -1117,11 +1135,14 @@ diff -up ./test/ectest.c.remove-ec ./test/ectest.c || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" @@ -3015,7 +2857,7 @@ int setup_tests(void) - return 0; ADD_TEST(parameter_test); + ADD_TEST(ossl_parameter_test); - ADD_TEST(cofactor_range_test); + /* ADD_TEST(cofactor_range_test); */ ADD_ALL_TESTS(cardinality_test, crv_len); ADD_TEST(prime_field_tests); #ifndef OPENSSL_NO_EC2M +-- +2.41.0 + diff --git a/0011-Remove-EC-curves.patch b/0011-Remove-EC-curves.patch index 3bc38cb..561714e 100644 --- a/0011-Remove-EC-curves.patch +++ b/0011-Remove-EC-curves.patch 
@@ -1,7 +1,25 @@ -diff -up ./apps/speed.c.ec-curves ./apps/speed.c ---- ./apps/speed.c.ec-curves 2023-03-14 04:44:12.545437892 +0100 -+++ ./apps/speed.c 2023-03-14 04:48:28.606729067 +0100 -@@ -366,7 +366,7 @@ static double ffdh_results[FFDH_NUM][1]; +From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 11:46:40 +0200 +Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch + +Patch-name: 0011-Remove-EC-curves.patch +Patch-id: 11 +Patch-status: | + # remove unsupported EC curves +--- + apps/speed.c | 8 +--- + crypto/evp/ec_support.c | 87 ------------------------------------ + test/acvp_test.inc | 9 ---- + test/ecdsatest.h | 17 ------- + test/recipes/15-test_genec.t | 27 ----------- + 5 files changed, 1 insertion(+), 147 deletions(-) + +diff --git a/apps/speed.c b/apps/speed.c +index cace25eda1..d527f12f18 100644 +--- a/apps/speed.c ++++ b/apps/speed.c +@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */ #endif /* OPENSSL_NO_DH */ enum ec_curves_t { @@ -10,7 +28,7 @@ diff -up ./apps/speed.c.ec-curves ./apps/speed.c #ifndef OPENSSL_NO_EC2M R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, -@@ -376,8 +376,6 @@ enum ec_curves_t { +@@ -395,8 +395,6 @@ enum ec_curves_t { }; /* list of ecdsa curves */ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { @@ -19,8 +37,8 @@ diff -up ./apps/speed.c.ec-curves ./apps/speed.c {"ecdsap224", R_EC_P224}, {"ecdsap256", R_EC_P256}, {"ecdsap384", R_EC_P384}, -@@ -404,8 +402,6 @@ static const OPT_PAIR ecdsa_choices[ECDS - enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM }; +@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { + }; /* list of ecdh curves, extension of |ecdsa_choices| list above */ static const OPT_PAIR ecdh_choices[EC_NUM] = { - {"ecdhp160", R_EC_P160}, 
@@ -28,7 +46,7 @@ diff -up ./apps/speed.c.ec-curves ./apps/speed.c {"ecdhp224", R_EC_P224}, {"ecdhp256", R_EC_P256}, {"ecdhp384", R_EC_P384}, -@@ -1422,8 +1418,6 @@ int speed_main(int argc, char **argv) +@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv) */ static const EC_CURVE ec_curves[EC_NUM] = { /* Prime Curves */ @@ -37,9 +55,10 @@ diff -up ./apps/speed.c.ec-curves ./apps/speed.c {"nistp224", NID_secp224r1, 224}, {"nistp256", NID_X9_62_prime256v1, 256}, {"nistp384", NID_secp384r1, 384}, -diff -up ./crypto/evp/ec_support.c.ec-curves ./crypto/evp/ec_support.c ---- ./crypto/evp/ec_support.c.ec-curves 2023-03-14 06:22:41.542310442 +0100 -+++ ./crypto/evp/ec_support.c 2023-03-21 11:24:18.378451683 +0100 +diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c +index 1ec10143d2..82b95294b4 100644 +--- a/crypto/evp/ec_support.c ++++ b/crypto/evp/ec_support.c @@ -20,89 +20,15 @@ typedef struct ec_name2nid_st { static const EC_NAME2NID curve_list[] = { /* prime field curves */ @@ -130,7 +149,7 @@ diff -up ./crypto/evp/ec_support.c.ec-curves ./crypto/evp/ec_support.c {"brainpoolP256r1", NID_brainpoolP256r1 }, {"brainpoolP256t1", NID_brainpoolP256t1 }, {"brainpoolP320r1", NID_brainpoolP320r1 }, -@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = +@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = { {"brainpoolP384t1", NID_brainpoolP384t1 }, {"brainpoolP512r1", NID_brainpoolP512r1 }, {"brainpoolP512t1", NID_brainpoolP512t1 }, 
@@ -139,13 +158,33 @@ diff -up ./crypto/evp/ec_support.c.ec-curves ./crypto/evp/ec_support.c }; const char *OSSL_EC_curve_nid2name(int nid) -diff -up ./test/acvp_test.inc.ec-curves ./test/acvp_test.inc ---- ./test/acvp_test.inc.ec-curves 2023-03-14 06:38:20.563712586 +0100 -+++ ./test/acvp_test.inc 2023-03-14 06:39:01.631080059 +0100 -@@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_ +@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name) + /* Functions to translate between common NIST curve names and NIDs */ + + static const EC_NAME2NID nist_curves[] = { +- {"B-163", NID_sect163r2}, +- {"B-233", NID_sect233r1}, +- {"B-283", NID_sect283r1}, +- {"B-409", NID_sect409r1}, +- {"B-571", NID_sect571r1}, +- {"K-163", NID_sect163k1}, +- {"K-233", NID_sect233k1}, +- {"K-283", NID_sect283k1}, +- {"K-409", NID_sect409k1}, +- {"K-571", NID_sect571k1}, +- {"P-192", NID_X9_62_prime192v1}, + {"P-224", NID_secp224r1}, + {"P-256", NID_X9_62_prime256v1}, + {"P-384", NID_secp384r1}, +diff --git a/test/acvp_test.inc b/test/acvp_test.inc +index ad11d3ae1e..894a0bff9d 100644 +--- a/test/acvp_test.inc ++++ b/test/acvp_test.inc +@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = { + 0xB1, 0xAC, }; static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { - { +- { - "SHA-1", - "P-192", - ITM(ecdsa_sigver_msg0), @@ -154,13 +193,13 @@ diff -up ./test/acvp_test.inc.ec-curves ./test/acvp_test.inc - ITM(ecdsa_sigver_s0), - PASS, - }, -- { + { "SHA2-512", "P-521", - ITM(ecdsa_sigver_msg1), -diff -up ./test/ecdsatest.h.ec-curves ./test/ecdsatest.h ---- ./test/ecdsatest.h.ec-curves 2023-03-14 04:49:16.148154472 +0100 -+++ ./test/ecdsatest.h 2023-03-14 04:51:01.376096037 +0100 +diff --git a/test/ecdsatest.h b/test/ecdsatest.h +index 63fe319025..06b5c0aac5 100644 +--- a/test/ecdsatest.h ++++ b/test/ecdsatest.h @@ -32,23 +32,6 @@ typedef struct { } ecdsa_cavs_kat_t; 
@@ -185,10 +224,11 @@ diff -up ./test/ecdsatest.h.ec-curves ./test/ecdsatest.h /* prime KATs from NIST CAVP */ {NID_secp224r1, NID_sha224, "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" -diff -up ./test/recipes/15-test_genec.t.ec-curves ./test/recipes/15-test_genec.t ---- ./test/recipes/15-test_genec.t.ec-curves 2023-03-14 04:51:45.215488277 +0100 -+++ ./test/recipes/15-test_genec.t 2023-03-21 11:26:58.613885435 +0100 -@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupport +diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t +index 2dfed387ca..c733b68f83 100644 +--- a/test/recipes/15-test_genec.t ++++ b/test/recipes/15-test_genec.t +@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build" if disabled("ec"); my @prime_curves = qw( @@ -234,24 +274,6 @@ diff -up ./test/recipes/15-test_genec.t.ec-curves ./test/recipes/15-test_genec.t P-224 P-256 P-384 -diff -up openssl-3.0.7/crypto/evp/ec_support.c.ec-remove openssl-3.0.7/crypto/evp/ec_support.c ---- openssl-3.0.7/crypto/evp/ec_support.c.ec-remove 2023-07-06 10:30:10.152621369 +0200 -+++ openssl-3.0.7/crypto/evp/ec_support.c 2023-07-06 10:34:00.557091758 +0200 -@@ -74,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *n - /* Functions to translate between common NIST curve names and NIDs */ - - static const EC_NAME2NID nist_curves[] = { -- {"B-163", NID_sect163r2}, -- {"B-233", NID_sect233r1}, -- {"B-283", NID_sect283r1}, -- {"B-409", NID_sect409r1}, -- {"B-571", NID_sect571r1}, -- {"K-163", NID_sect163k1}, -- {"K-233", NID_sect233k1}, -- {"K-283", NID_sect283k1}, -- {"K-409", NID_sect409k1}, -- {"K-571", NID_sect571k1}, -- {"P-192", NID_X9_62_prime192v1}, - {"P-224", NID_secp224r1}, - {"P-256", NID_X9_62_prime256v1}, - {"P-384", NID_secp384r1}, +-- +2.41.0 + diff --git a/0013-skipped-tests-EC-curves.patch b/0013-skipped-tests-EC-curves.patch index 0c81d4c..5bdef1e 100644 --- a/0013-skipped-tests-EC-curves.patch 
+++ b/0013-skipped-tests-EC-curves.patch @@ -21,11 +21,12 @@ diff -up ./test/recipes/65-test_cmp_protect.t.skip-tests ./test/recipes/65-test_ +plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test my @basic_cmd = ("cmp_protect_test", - data_file("server.pem"), -diff -up ./test/recipes/65-test_cmp_vfy.t.skip-tests ./test/recipes/65-test_cmp_vfy.t ---- ./test/recipes/65-test_cmp_vfy.t.skip-tests 2023-03-14 10:13:38.106296042 +0100 -+++ ./test/recipes/65-test_cmp_vfy.t 2023-03-14 10:16:56.496071178 +0100 -@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo + data_file("prot_RSA.pem"), +diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t +index f722800e27..26a01786bb 100644 +--- a/test/recipes/65-test_cmp_vfy.t ++++ b/test/recipes/65-test_cmp_vfy.t +@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build" plan skip_all => "This test is not supported in a no-ec build" if disabled("ec"); diff --git a/0031-tmp-Fix-test-names.patch b/0031-tmp-Fix-test-names.patch deleted file mode 100644 index 42b3c0a..0000000 --- a/0031-tmp-Fix-test-names.patch +++ /dev/null 
@@ -1,40 +0,0 @@ -diff -up openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit openssl-3.0.0/test/recipes/90-test_sslapi.t ---- openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit 2021-09-22 11:56:49.452507975 +0200 -+++ openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-09-22 11:57:19.371764742 +0200 -@@ -40,7 +40,7 @@ unless ($no_fips) { - "recipes", - "90-test_sslapi_data", - "dhparams.pem")])), -- "running sslapitest"); -+ "running sslapitest - FIPS"); - } - - unlink $tmpfilename; -diff --git a/test/sslapitest.c b/test/sslapitest.c -index e95d2657f46c..7af0eab3fce0 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls, - goto end; - } - -+ if (is_fips && strstr(cipher, "CHACHA") != NULL) { -+ testresult = TEST_skip("CHACHA is not supported in FIPS"); -+ goto end; -+ } -+ - /* Create a session based on SHA-256 */ - if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), - TLS_client_method(), -@@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher) - goto end; - } - -+ if (is_fips && strstr(cipher, "CHACHA") != NULL) { -+ testresult = TEST_skip("CHACHA is not supported in FIPS"); -+ goto end; -+ } -+ - /* Create a session based on SHA-256 */ - if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), - TLS_client_method(), diff --git a/0032-Force-fips.patch b/0032-Force-fips.patch index c8af196..985fadf 100644 --- a/0032-Force-fips.patch +++ b/0032-Force-fips.patch 
@@ -1,13 +1,21 @@ -#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite -#(partial) of the function provider_conf_load() under the 'if (activate) section. -#If there is any change to this section, after deleting it in provider_conf_load() -#ensure that you also add those changes to the provider_conf_activate() function. -#additionally please add this check for cnf explicitly as shown below. -#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;' -diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c ---- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200 -+++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200 -@@ -36,6 +36,8 @@ static int prov_already_activated(const +From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 11:59:02 +0200 +Subject: [PATCH 16/48] 0032-Force-fips.patch + +Patch-name: 0032-Force-fips.patch +Patch-id: 32 +Patch-status: | + # We load FIPS provider and set FIPS properties implicitly +--- + crypto/provider_conf.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c +index 058fb58837..5274265a70 100644 +--- a/crypto/provider_conf.c ++++ b/crypto/provider_conf.c +@@ -10,6 +10,8 @@ #include #include #include 
@@ -16,143 +24,25 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi #include #include #include -@@ -136,58 +136,18 @@ static int prov_already_activated(const - return 0; - } - --static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, -- const char *value, const CONF *cnf) -+static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name, -+ const char *value, const char *path, -+ int soft, const CONF *cnf) - { -- int i; -- STACK_OF(CONF_VALUE) *ecmds; -- int soft = 0; -- OSSL_PROVIDER *prov = NULL, *actual = NULL; -- const char *path = NULL; -- long activate = 0; - int ok = 0; -- -- name = skip_dot(name); -- OSSL_TRACE1(CONF, "Configuring provider %s\n", name); -- /* Value is a section containing PROVIDER commands */ -- ecmds = NCONF_get_section(cnf, value); -- -- if (!ecmds) { -- ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, -- "section=%s not found", value); -- return 0; -- } -- -- /* Find the needed data first */ -- for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { -- CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); -- const char *confname = skip_dot(ecmd->name); -- const char *confvalue = ecmd->value; -- -- OSSL_TRACE2(CONF, "Provider command: %s = %s\n", -- confname, confvalue); -- -- /* First handle some special pseudo confs */ -- -- /* Override provider name to use */ -- if (strcmp(confname, "identity") == 0) -- name = confvalue; -- else if (strcmp(confname, "soft_load") == 0) -- soft = 1; -- /* Load a dynamic PROVIDER */ -- else if (strcmp(confname, "module") == 0) -- path = confvalue; -- else if (strcmp(confname, "activate") == 0) -- activate = 1; -- } -- -- if (activate) { -- PROVIDER_CONF_GLOBAL *pcgbl -- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, -- &provider_conf_ossl_ctx_method); -+ OSSL_PROVIDER *prov = NULL, *actual = NULL; -+ PROVIDER_CONF_GLOBAL *pcgbl -+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, -+ 
&provider_conf_ossl_ctx_method); +@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, + if (path != NULL) + ossl_provider_set_module_path(prov, path); - if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { -- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); -+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); - return 0; - } - if (!prov_already_activated(name, pcgbl->activated_providers)) { -@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C - if (path != NULL) - ossl_provider_set_module_path(prov, path); +- ok = provider_conf_params(prov, NULL, NULL, value, cnf); ++ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; -- ok = provider_conf_params(prov, NULL, NULL, value, cnf); -+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; + if (ok == 1) { + if (!ossl_provider_activate(prov, 1, 0)) { +@@ -268,6 +268,8 @@ static int provider_conf_activate(OSSL_L - if (ok) { - if (!ossl_provider_activate(prov, 1, 0)) { -@@ -244,8 +204,59 @@ static int provider_conf_load(OSSL_LIB_C - } - if (!ok) - ossl_provider_free(prov); -+ } else { /* No reason to activate the provider twice, returning OK */ -+ ok = 1; - } - CRYPTO_THREAD_unlock(pcgbl->lock); -+ return ok; -+} -+ -+static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, -+ const char *value, const CONF *cnf) -+{ -+ int i; -+ STACK_OF(CONF_VALUE) *ecmds; -+ int soft = 0; -+ const char *path = NULL; -+ long activate = 0; -+ int ok = 0; -+ -+ name = skip_dot(name); -+ OSSL_TRACE1(CONF, "Configuring provider %s\n", name); -+ /* Value is a section containing PROVIDER commands */ -+ ecmds = NCONF_get_section(cnf, value); -+ -+ if (!ecmds) { -+ ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, -+ "section=%s not found", value); -+ return 0; -+ } -+ -+ /* Find the needed data first */ -+ for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { -+ CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); -+ const char *confname = 
skip_dot(ecmd->name); -+ const char *confvalue = ecmd->value; -+ -+ OSSL_TRACE2(CONF, "Provider command: %s = %s\n", -+ confname, confvalue); -+ -+ /* First handle some special pseudo confs */ -+ -+ /* Override provider name to use */ -+ if (strcmp(confname, "identity") == 0) -+ name = confvalue; -+ else if (strcmp(confname, "soft_load") == 0) -+ soft = 1; -+ /* Load a dynamic PROVIDER */ -+ else if (strcmp(confname, "module") == 0) -+ path = confvalue; -+ else if (strcmp(confname, "activate") == 0) -+ activate = 1; -+ } -+ -+ if (activate) { -+ ok = provider_conf_activate(libctx, name, value, path, soft, cnf); - } else { - OSSL_PROVIDER_INFO entry; + if (ok <= 0) + ossl_provider_free(prov); ++ } else { ++ ok = 1; + } + CRYPTO_THREAD_unlock(pcgbl->lock); -@@ -306,6 +317,33 @@ static int provider_conf_init(CONF_IMODU +@@ -309,6 +311,33 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf) return 0; } @@ -174,7 +64,7 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi + if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) + return 0; + } -+ /* provider_conf_load can return 1 even wwhen the test is failed so check explicitly */ ++ /* provider_conf_load can return 1 even when the test is failed so check explicitly */ + if (OSSL_PROVIDER_available(libctx, "fips") != 1) + return 0; + if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) @@ -186,3 +76,6 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi return 1; } +-- +2.41.0 + diff --git a/0033-FIPS-embed-hmac.patch b/0033-FIPS-embed-hmac.patch index 484a75e..6738304 100644 --- a/0033-FIPS-embed-hmac.patch +++ b/0033-FIPS-embed-hmac.patch 
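Review bot: The guard `ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;` in `provider_conf_activate` is left without any explanation, because this regeneration drops the `#Note` header that described it. The reason is visible further down, where the forced path calls `provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL)` with a NULL `cnf` and a NULL `value`. A comment above the guard would keep that from being lost in a later rebase, for example `/* cnf is NULL when fips/base are force-activated without a config section: nothing to parse */`. The new `} else { ok = 1; }` branch also lost its old comment and could carry `/* already activated, nothing to do */`.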
@@ -1,9 +1,34 @@ -diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/providers/fips/self_test.c ---- openssl-3.0.7/providers/fips/self_test.c.embed-hmac 2023-01-05 10:03:44.864869710 +0100 -+++ openssl-3.0.7/providers/fips/self_test.c 2023-01-05 10:15:17.041606472 +0100 -@@ -172,11 +172,27 @@ DEP_FINI_ATTRIBUTE void cleanup(void) +From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch + +Patch-name: 0033-FIPS-embed-hmac.patch +Patch-id: 33 +Patch-status: | + # # Embed HMAC into the fips.so + # Modify fips self test as per + # https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + providers/fips/self_test.c | 204 ++++++++++++++++++++++++-- + test/fipsmodule.cnf | 2 + + test/recipes/00-prep_fipsmodule_cnf.t | 2 +- + test/recipes/01-test_fipsmodule_cnf.t | 2 +- + test/recipes/03-test_fipsinstall.t | 2 +- + test/recipes/30-test_defltfips.t | 2 +- + test/recipes/80-test_ssl_new.t | 2 +- + test/recipes/90-test_sslapi.t | 2 +- + 8 files changed, 200 insertions(+), 18 deletions(-) + create mode 100644 test/fipsmodule.cnf + +diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c +index b8dc9817b2..28f536d13c 100644 +--- a/providers/fips/self_test.c ++++ b/providers/fips/self_test.c +@@ -230,11 +230,133 @@ err: + return ok; } - #endif +#define HMAC_LEN 32 +/* @@ -17,6 +42,7 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi * the result matches the expected value. * Return 1 if verified, or 0 if it fails. */ ++ +#ifndef __USE_GNU +#define __USE_GNU +#include 
@@ -25,11 +51,116 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi +#include +#endif +#include ++ ++static int verify_integrity_rodata(OSSL_CORE_BIO *bio, ++ OSSL_FUNC_BIO_read_ex_fn read_ex_cb, ++ unsigned char *expected, size_t expected_len, ++ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, ++ const char *event_type) ++{ ++ int ret = 0, status; ++ unsigned char out[MAX_MD_SIZE]; ++ unsigned char buf[INTEGRITY_BUF_SIZE]; ++ size_t bytes_read = 0, out_len = 0; ++ EVP_MAC *mac = NULL; ++ EVP_MAC_CTX *ctx = NULL; ++ OSSL_PARAM params[2], *p = params; ++ Dl_info info; ++ void *extra_info = NULL; ++ struct link_map *lm = NULL; ++ unsigned long paddr; ++ unsigned long off = 0; ++ ++ if (expected_len != HMAC_LEN) ++ goto err; ++ ++ if (!integrity_self_test(ev, libctx)) ++ goto err; ++ ++ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); ++ ++ if (!dladdr1 ((const void *)fips_hmac_container, ++ &info, &extra_info, RTLD_DL_LINKMAP)) ++ goto err; ++ lm = extra_info; ++ paddr = (unsigned long)fips_hmac_container - lm->l_addr; ++ ++ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); ++ if (mac == NULL) ++ goto err; ++ ctx = EVP_MAC_CTX_new(mac); ++ if (ctx == NULL) ++ goto err; ++ ++ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0); ++ *p = OSSL_PARAM_construct_end(); ++ ++ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) ++ goto err; ++ ++ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (off < paddr) { ++ int delta = paddr - off; ++ status = read_ex_cb(bio, buf, delta, &bytes_read); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ /* read away the buffer */ ++ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); ++ if (status != 1) ++ 
goto err; ++ ++ /* check that it is the expect bytes, no point in continuing otherwise */ ++ if (memcmp(expected, buf, HMAC_LEN) != 0) ++ goto err; ++ ++ /* replace in-file HMAC buffer with the original zeros */ ++ memset(buf, 0, HMAC_LEN); ++ if (!EVP_MAC_update(ctx, buf, HMAC_LEN)) ++ goto err; ++ off += HMAC_LEN; ++ ++ while (bytes_read > 0) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) ++ goto err; ++ ++ OSSL_SELF_TEST_oncorrupt_byte(ev, out); ++ if (expected_len != out_len ++ || memcmp(expected, out, out_len) != 0) ++ goto err; ++ ret = 1; ++err: ++ OPENSSL_cleanse(out, MAX_MD_SIZE); ++ OSSL_SELF_TEST_onend(ev, ret); ++ EVP_MAC_CTX_free(ctx); ++ EVP_MAC_free(mac); ++ return ret; ++} + static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, unsigned char *expected, size_t expected_len, OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, -@@ -189,9 +205,20 @@ static int verify_integrity(OSSL_CORE_BI +@@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex EVP_MAC *mac = NULL; EVP_MAC_CTX *ctx = NULL; OSSL_PARAM params[2], *p = params; @@ -39,6 +170,9 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi + unsigned long paddr; + unsigned long off = 0; + if (!integrity_self_test(ev, libctx)) + goto err; + OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); + if (!dladdr1 ((const void *)fips_hmac_container, 
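Review bot: In the added `verify_integrity_rodata`, the first read loop leaves on `if (status != 1) break;`, so a failed read falls through to `int delta = paddr - off;` with `off` still far below `paddr`, and the following `read_ex_cb(bio, buf, delta, &bytes_read)` is then no longer bounded by `INTEGRITY_BUF_SIZE`. Failing closed there keeps the stack buffer safe: use `goto err;` instead of `break;` in that loop. The two fixed-size reads should also reject short reads, `if (status != 1 || bytes_read != (size_t)delta) goto err;` and `if (status != 1 || bytes_read != HMAC_LEN) goto err;`, so the comparison with `expected` never runs over stale bytes in `buf`. The patched `verify_integrity` appears to carry the same sequence, but its body is only partly visible in this diff.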
@@ -50,7 +184,7 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); if (mac == NULL) goto err; -@@ -205,13 +233,42 @@ static int verify_integrity(OSSL_CORE_BI +@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) goto err; @@ -95,8 +229,16 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) goto err; -@@ -285,8 +342,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS - CRYPTO_THREAD_unlock(fips_state_lock); +@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + goto err; + ret = 1; + err: ++ OPENSSL_cleanse(out, sizeof(out)); + OSSL_SELF_TEST_onend(ev, ret); + EVP_MAC_CTX_free(ctx); + EVP_MAC_free(mac); +@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + return 0; } - if (st == NULL 
@@ -105,30 +247,77 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); goto end; } -@@ -305,8 +361,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS +@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) if (ev == NULL) goto end; - module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, - &checksum_len); -+ module_checksum = fips_hmac_container; -+ checksum_len = sizeof(fips_hmac_container); ++ if (st->module_checksum_data == NULL) { ++ module_checksum = fips_hmac_container; ++ checksum_len = sizeof(fips_hmac_container); ++ } else { ++ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, ++ &checksum_len); ++ } + if (module_checksum == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); goto end; -@@ -356,7 +413,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS - ok = 1; +@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb"); + + /* Always check the integrity of the fips module */ +- if (bio_module == NULL +- || !verify_integrity(bio_module, st->bio_read_ex_cb, +- module_checksum, checksum_len, st->libctx, +- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ if (bio_module == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); + goto end; + } +- ++ if (st->module_checksum_data == NULL) { ++ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, ++ st->libctx, ev, ++ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } else { ++ if (!verify_integrity(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, ++ st->libctx, ev, ++ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } + /* This will be NULL during installation - so the 
self test KATS will run */ + if (st->indicator_data != NULL) { + /* +@@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) end: + EVP_RAND_free(testrand); OSSL_SELF_TEST_free(ev); - OPENSSL_free(module_checksum); OPENSSL_free(indicator_checksum); if (st != NULL) { -diff -ruN openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t ---- openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200 -+++ openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t 2021-11-18 09:39:53.386817874 +0100 -@@ -20,7 +20,7 @@ +diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf +new file mode 100644 +index 0000000000..f05d0dedbe +--- /dev/null ++++ b/test/fipsmodule.cnf +@@ -0,0 +1,2 @@ ++[fips_sect] ++activate = 1 +diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t +index 4e3a6d85e8..e8255ba974 100644 +--- a/test/recipes/00-prep_fipsmodule_cnf.t ++++ b/test/recipes/00-prep_fipsmodule_cnf.t +@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); use platform; @@ -137,10 +326,11 @@ diff -ruN openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t openssl-3.0.0-xxx/ plan skip_all => "FIPS module config file only supported in a fips build" if $no_check; -diff -ruN openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t ---- openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200 -+++ openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t 2021-11-18 09:59:02.315619486 +0100 -@@ -23,7 +23,7 @@ +diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t +index ce594817d5..00cebacff8 100644 +--- a/test/recipes/01-test_fipsmodule_cnf.t ++++ b/test/recipes/01-test_fipsmodule_cnf.t +@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); use platform; 
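Review bot: The new `else` branch in `SELF_TEST_post` allocates `module_checksum` with `OPENSSL_hexstr2buf`, but the `end:` hunk of the same patch still deletes `OPENSSL_free(module_checksum);`, so that buffer is never released when `st->module_checksum_data` is set. Freeing unconditionally would be wrong for the `fips_hmac_container` case, so the free needs the same condition, e.g. `if (st != NULL && st->module_checksum_data != NULL) OPENSSL_free(module_checksum);`. `SELF_TEST_post` starts and ends outside the visible hunks, so whether `st` can still be NULL at `end:` should be confirmed there.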
@@ -149,34 +339,37 @@ diff -ruN openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t openssl-3.0.0-xxx/ plan skip_all => "Test only supported in a fips build" if $no_check; plan tests => 1; -diff -ruN openssl-3.0.0/test/recipes/03-test_fipsinstall.t openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t ---- openssl-3.0.0/test/recipes/03-test_fipsinstall.t 2021-09-07 13:46:32.000000000 +0200 -+++ openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t 2021-11-18 09:59:55.365072074 +0100 -@@ -22,7 +22,7 @@ +diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t +index b8b136d110..8242f4ebc3 100644 +--- a/test/recipes/03-test_fipsinstall.t ++++ b/test/recipes/03-test_fipsinstall.t +@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); use platform; -plan skip_all => "Test only supported in a fips build" if disabled("fips"); +plan skip_all => "Test only supported in a fips build" if 1; - plan tests => 29; - -diff -ruN openssl-3.0.0/test/recipes/30-test_defltfips.t openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t ---- openssl-3.0.0/test/recipes/30-test_defltfips.t 2021-09-07 13:46:32.000000000 +0200 -+++ openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t 2021-11-18 10:22:54.179659682 +0100 -@@ -21,7 +21,7 @@ - use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); + # Compatible options for pedantic FIPS compliance + my @pedantic_okay = +diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t +index c8f145405b..56a2ec5dc4 100644 +--- a/test/recipes/30-test_defltfips.t ++++ b/test/recipes/30-test_defltfips.t +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "Configuration loading is turned off" + if disabled("autoload-config"); -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); plan tests => ($no_fips ? 
1 : 5); -diff -ruN openssl-3.0.0/test/recipes/80-test_ssl_new.t openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t ---- openssl-3.0.0/test/recipes/80-test_ssl_new.t 2021-09-07 13:46:32.000000000 +0200 -+++ openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t 2021-11-18 10:18:53.391721164 +0100 -@@ -23,7 +23,7 @@ +diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t +index 195b85ea8c..92d48dbf7d 100644 +--- a/test/recipes/80-test_ssl_new.t ++++ b/test/recipes/80-test_ssl_new.t +@@ -27,7 +27,7 @@ setup("test_ssl_new"); use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); @@ -185,20 +378,19 @@ diff -ruN openssl-3.0.0/test/recipes/80-test_ssl_new.t openssl-3.0.0-xxx/test/re $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); -diff -ruN openssl-3.0.0/test/recipes/90-test_sslapi.t openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t ---- openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-11-18 10:32:17.734196705 +0100 -+++ openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t 2021-11-18 10:18:30.695538445 +0100 -@@ -18,7 +18,7 @@ +diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t +index 18d9f3d204..71780d8caa 100644 +--- a/test/recipes/90-test_sslapi.t ++++ b/test/recipes/90-test_sslapi.t +@@ -17,7 +17,7 @@ setup("test_sslapi"); use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + my $fipsmodcfg_filename = "fipsmodule.cnf"; + my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename); - plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build" - if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls")); ---- /dev/null 2021-11-16 15:27:32.915000000 +0100 -+++ openssl-3.0.0/test/fipsmodule.cnf 2021-11-18 11:15:34.538060408 +0100 -@@ -0,0 +1,2 @@ -+[fips_sect] -+activate = 1 +-- +2.44.0 + 
diff --git a/0034.fipsinstall_disable.patch b/0034.fipsinstall_disable.patch index c4f9efd..f1d7b27 100644 --- a/0034.fipsinstall_disable.patch +++ b/0034.fipsinstall_disable.patch @@ -1,7 +1,27 @@ -diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c ---- openssl-3.0.0/apps/fipsinstall.c.xxx 2021-11-22 13:09:28.232560235 +0100 -+++ openssl-3.0.0/apps/fipsinstall.c 2021-11-22 13:12:22.272058910 +0100 -@@ -311,6 +311,9 @@ int fipsinstall_main(int argc, char **ar +From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:28 +0200 +Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch + +Patch-name: 0034.fipsinstall_disable.patch +Patch-id: 34 +Patch-status: | + # Comment out fipsinstall command-line utility +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + apps/fipsinstall.c | 3 + + doc/man1/openssl-fipsinstall.pod.in | 272 +--------------------------- + doc/man1/openssl.pod | 4 - + doc/man5/config.pod | 1 - + doc/man5/fips_config.pod | 104 +---------- + doc/man7/OSSL_PROVIDER-FIPS.pod | 1 - + 6 files changed, 10 insertions(+), 375 deletions(-) + +diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c +index e1ef645b60..db92cb5fb2 100644 +--- a/apps/fipsinstall.c ++++ b/apps/fipsinstall.c +@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **argv) EVP_MAC *mac = NULL; CONF *conf = NULL; 
@@ -11,160 +31,11 @@ diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c if ((opts = sk_OPENSSL_STRING_new_null()) == NULL) goto end; -diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod ---- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100 -+++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100 -@@ -158,10 +158,6 @@ Engine (loadable module) information and - - Error Number to Error String Conversion. - --=item B -- --FIPS configuration installation. -- - =item B - - Generation of DSA Private Key from Parameters. Superseded by -diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod ---- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100 -+++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100 -@@ -573,7 +573,6 @@ configuration files using that syntax wi - =head1 SEE ALSO - - L, L, L, --L, - L, - L, - L, -diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod ---- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100 -+++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100 -@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration - - =head1 DESCRIPTION - --A separate configuration file, using the OpenSSL L syntax, --is used to hold information about the FIPS module. This includes a digest --of the shared library file, and status about the self-testing. --This data is used automatically by the module itself for two --purposes: -- --=over 4 -- --=item - Run the startup FIPS self-test known answer tests (KATS). -- --This is normally done once, at installation time, but may also be set up to --run each time the module is used. -- --=item - Verify the module's checksum. -- --This is done each time the module is used. 
-- --=back -- --This file is generated by the L program, and --used internally by the FIPS module during its initialization. -- --The following options are supported. They should all appear in a section --whose name is identified by the B option in the B --section, as described in L. -- --=over 4 -- --=item B -- --If present, the module is activated. The value assigned to this name is not --significant. -- --=item B -- --A version number for the fips install process. Should be 1. -- --=item B -- --The FIPS module normally enters an internal error mode if any self test fails. --Once this error mode is active, no services or cryptographic algorithms are --accessible from this point on. --Continuous tests are a subset of the self tests (e.g., a key pair test during key --generation, or the CRNG output test). --Setting this value to C<0> allows the error mode to not be triggered if any --continuous test fails. The default value of C<1> will trigger the error mode. --Regardless of the value, the operation (e.g., key generation) that called the --continuous test will return an error code if its continuous test fails. The --operation may then be retried if the error mode has not been triggered. -- --=item B -- --This indicates if run-time checks related to enforcement of security parameters --such as minimum security strength of keys and approved curve names are used. --A value of '1' will perform the checks, otherwise if the value is '0' the checks --are not performed and FIPS compliance must be done by procedures documented in --the relevant Security Policy. -- --=item B -- --The calculated MAC of the FIPS provider file. -- --=item B -- --An indicator that the self-tests were successfully run. --This should only be written after the module has --successfully passed its self tests during installation. --If this field is not present, then the self tests will run when the module --loads. 
-- --=item B -- --A MAC of the value of the B option, to prevent accidental --changes to that value. --It is written-to at the same time as B is updated. -- --=back -- --For example: -- -- [fips_sect] -- activate = 1 -- install-version = 1 -- conditional-errors = 1 -- security-checks = 1 -- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC -- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C -- install-status = INSTALL_SELF_TEST_KATS_RUN -- --=head1 NOTES -- --When using the FIPS provider, it is recommended that the --B option is enabled to prevent accidental use of --non-FIPS validated algorithms via broken or mistaken configuration. --See L. -- --=head1 SEE ALSO -- --L --L -+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is -+automatically loaded when the system is booted in FIPS mode, or when the -+environment variable B is set. See the documentation -+for more information. - - =head1 COPYRIGHT - -diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod ---- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100 -+++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100 -@@ -388,7 +388,6 @@ A simple self test callback is shown bel - - =head1 SEE ALSO - --L, - L, - L, - L, -diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in ---- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac 2022-01-11 13:26:33.279906225 +0100 -+++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in 2022-01-11 13:33:18.757994419 +0100 -@@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi +diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in +index b1768b7f91..b6b00e27d8 100644 +--- a/doc/man1/openssl-fipsinstall.pod.in ++++ b/doc/man1/openssl-fipsinstall.pod.in +@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS configuration 
installation =head1 SYNOPSIS B @@ -179,14 +50,18 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3. -[B<-macopt> I:I] -[B<-noout>] -[B<-quiet>] +-[B<-pedantic>] -[B<-no_conditional_errors>] -[B<-no_security_checks>] +-[B<-ems_check>] +-[B<-no_drbg_truncated_digests>] -[B<-self_test_onload>] +-[B<-self_test_oninstall>] -[B<-corrupt_desc> I] -[B<-corrupt_type> I] -[B<-config> I] - - =head1 DESCRIPTION +- +-=head1 DESCRIPTION - -This command is used to generate a FIPS module configuration file. -This configuration file can be used each time a FIPS module is loaded @@ -315,6 +190,14 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3. - -Disable logging of the self tests. - +-=item B<-pedantic> +- +-Configure the module so that it is strictly FIPS compliant rather +-than being backwards compatible. This enables conditional errors, +-security checks etc. Note that any previous configuration options will +-be overwritten and any subsequent configuration options that violate +-FIPS compliance will result in an error. +- -=item B<-no_conditional_errors> - -Configure the module to not enter an error state if a conditional self test 
@@ -324,6 +207,20 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3. - -Configure the module to not perform run-time security checks as described above. - +-Enabling the configuration option "no-fips-securitychecks" provides another way to +-turn off the check at compile time. +- +-=item B<-ems_check> +- +-Configure the module to enable a run-time Extended Master Secret (EMS) check +-when using the TLS1_PRF KDF algorithm. This check is disabled by default. +-See RFC 7627 for information related to EMS. +- +-=item B<-no_drbg_truncated_digests> +- +-Configure the module to not allow truncated digests to be used with Hash and +-HMAC DRBGs. See FIPS 140-3 IG D.R for details. +- -=item B<-self_test_onload> - -Do not write the two fields related to the "test status indicator" and @@ -334,6 +231,14 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3. -could possibly then add the 2 fields into the configuration using some other -mechanism. - +-This is the default. +- +-=item B<-self_test_oninstall> +- +-The converse of B<-self_test_oninstall>. The two fields related to the +-"test status indicator" and "MAC status indicator" are written to the +-output configuration file. +- -=item B<-quiet> - -Do not output pass/fail messages. Implies B<-noout>. @@ -369,6 +274,11 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3. -For normal usage the base configuration file should use the default provider -when generating the fips configuration file. - +-The B<-self_test_oninstall> option was added and the +-B<-self_test_onload> option was made the default in OpenSSL 3.1. +- +-The command and all remaining options were added in OpenSSL 3.0. +- -=head1 EXAMPLES - -Calculate the mac of a FIPS module F and run a FIPS self test 
@@ -404,3 +314,160 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3. =head1 COPYRIGHT +diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod +index d9c22a580f..d5ec3b9a6a 100644 +--- a/doc/man1/openssl.pod ++++ b/doc/man1/openssl.pod +@@ -135,10 +135,6 @@ Engine (loadable module) information and manipulation. + + Error Number to Error String Conversion. + +-=item B +- +-FIPS configuration installation. +- + =item B + + Generation of DSA Private Key from Parameters. Superseded by +diff --git a/doc/man5/config.pod b/doc/man5/config.pod +index 714a10437b..bd05736220 100644 +--- a/doc/man5/config.pod ++++ b/doc/man5/config.pod +@@ -573,7 +573,6 @@ configuration files using that syntax will have to be modified. + =head1 SEE ALSO + + L, L, L, +-L, + L, + L, + L, +diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod +index 2255464304..1c15e32a5c 100644 +--- a/doc/man5/fips_config.pod ++++ b/doc/man5/fips_config.pod +@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration + + =head1 DESCRIPTION + +-A separate configuration file, using the OpenSSL L syntax, +-is used to hold information about the FIPS module. This includes a digest +-of the shared library file, and status about the self-testing. +-This data is used automatically by the module itself for two +-purposes: +- +-=over 4 +- +-=item - Run the startup FIPS self-test known answer tests (KATS). +- +-This is normally done once, at installation time, but may also be set up to +-run each time the module is used. +- +-=item - Verify the module's checksum. +- +-This is done each time the module is used. +- +-=back +- +-This file is generated by the L program, and +-used internally by the FIPS module during its initialization. +- +-The following options are supported. They should all appear in a section +-whose name is identified by the B option in the B +-section, as described in L. +- +-=over 4 +- +-=item B +- +-If present, the module is activated. 
The value assigned to this name is not +-significant. +- +-=item B +- +-A version number for the fips install process. Should be 1. +- +-=item B +- +-The FIPS module normally enters an internal error mode if any self test fails. +-Once this error mode is active, no services or cryptographic algorithms are +-accessible from this point on. +-Continuous tests are a subset of the self tests (e.g., a key pair test during key +-generation, or the CRNG output test). +-Setting this value to C<0> allows the error mode to not be triggered if any +-continuous test fails. The default value of C<1> will trigger the error mode. +-Regardless of the value, the operation (e.g., key generation) that called the +-continuous test will return an error code if its continuous test fails. The +-operation may then be retried if the error mode has not been triggered. +- +-=item B +- +-This indicates if run-time checks related to enforcement of security parameters +-such as minimum security strength of keys and approved curve names are used. +-A value of '1' will perform the checks, otherwise if the value is '0' the checks +-are not performed and FIPS compliance must be done by procedures documented in +-the relevant Security Policy. +- +-=item B +- +-The calculated MAC of the FIPS provider file. +- +-=item B +- +-An indicator that the self-tests were successfully run. +-This should only be written after the module has +-successfully passed its self tests during installation. +-If this field is not present, then the self tests will run when the module +-loads. +- +-=item B +- +-A MAC of the value of the B option, to prevent accidental +-changes to that value. +-It is written-to at the same time as B is updated. 
+- +-=back +- +-For example: +- +- [fips_sect] +- activate = 1 +- install-version = 1 +- conditional-errors = 1 +- security-checks = 1 +- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC +- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C +- install-status = INSTALL_SELF_TEST_KATS_RUN +- +-=head1 NOTES +- +-When using the FIPS provider, it is recommended that the +-B option is enabled to prevent accidental use of +-non-FIPS validated algorithms via broken or mistaken configuration. +-See L. +- +-=head1 SEE ALSO +- +-L +-L ++This command is disabled in Red Hat Enterprise Linux. The FIPS provider is ++automatically loaded when the system is booted in FIPS mode, or when the ++environment variable B is set. See the documentation ++for more information. + + =head1 HISTORY + +diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod +index 4f908888ba..ef00247770 100644 +--- a/doc/man7/OSSL_PROVIDER-FIPS.pod ++++ b/doc/man7/OSSL_PROVIDER-FIPS.pod +@@ -444,7 +444,6 @@ want to operate in a FIPS approved manner. The algorithms are: + + =head1 SEE ALSO + +-L, + L, + L, + L, +-- +2.41.0 + diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch index 67cbd6d..3fedb4c 100644 --- a/0044-FIPS-140-3-keychecks.patch +++ b/0044-FIPS-140-3-keychecks.patch 
@@ -1,7 +1,26 @@ -diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c ---- openssl-3.0.1/crypto/dh/dh_key.c.fips3 2022-07-18 16:01:41.159543735 +0200 -+++ openssl-3.0.1/crypto/dh/dh_key.c 2022-07-18 16:24:30.251388248 +0200 -@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *k +From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 12:05:23 +0200 +Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch + +Patch-name: 0044-FIPS-140-3-keychecks.patch +Patch-id: 44 +Patch-status: | + # Extra public/private key checks required by FIPS-140-3 +--- + crypto/dh/dh_key.c | 26 ++++++++++ + .../implementations/exchange/ecdh_exch.c | 19 ++++++++ + providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++- + providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++ + .../implementations/signature/ecdsa_sig.c | 37 +++++++++++++-- + providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++-- + 6 files changed, 162 insertions(+), 9 deletions(-) + +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index 4e9705beef..83773cceea 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) BN_MONT_CTX *mont = NULL; BIGNUM *z = NULL, *pminus1; int ret = -1; @@ -11,7 +30,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *k +@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) return 0; } 
@@ -57,25 +76,11 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c dh->dirty_cnt++; ok = 1; err: -diff -up openssl-3.0.7/crypto/ec/ec_key.c.f188 openssl-3.0.7/crypto/ec/ec_key.c ---- openssl-3.0.7/crypto/ec/ec_key.c.f188 2023-11-08 10:58:05.910031253 +0100 -+++ openssl-3.0.7/crypto/ec/ec_key.c 2023-11-08 10:59:42.338526883 +0100 -@@ -326,6 +326,11 @@ static int ec_generate_key(EC_KEY *eckey - eckey->dirty_cnt++; - - #ifdef FIPS_MODULE -+ if (ossl_ec_key_public_check(eckey, ctx) <= 0) { -+ ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY); -+ goto err; -+ } -+ - pairwise_test = 1; - #endif /* FIPS_MODULE */ - -diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c ---- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 2022-07-25 13:42:46.814952053 +0200 -+++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c 2022-07-25 13:52:12.292065706 +0200 -@@ -488,6 +488,25 @@ int ecdh_plain_derive(void *vpecdhctx, u +diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c +index 43caedb6df..73873f9758 100644 +--- a/providers/implementations/exchange/ecdh_exch.c ++++ b/providers/implementations/exchange/ecdh_exch.c +@@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret, } ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk); 
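Review bot: The rebased patch no longer carries the `crypto/ec/ec_key.c` section, so the `ossl_ec_key_public_check(eckey, ctx) <= 0` test that ran under `FIPS_MODULE` in `ec_generate_key` just before `pairwise_test = 1` is gone. The new diffstat in the patch header lists six files and does not include it. Nothing visible here shows whether the new upstream base already performs this check after EC key generation. If it does not, freshly generated EC keys skip a validation that the patch's own `Patch-status` line describes as required by FIPS-140-3. The commit message should say where the check now lives, or the section should be re-added against the new base.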
@@ -101,13 +106,14 @@ diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 open retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); -diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c ---- openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise 2023-02-20 11:44:18.451884117 +0100 -+++ openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c 2023-02-20 12:39:46.037063842 +0100 -@@ -982,8 +982,17 @@ struct ec_gen_ctx { - int selection; - int ecdh_mode; +diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c +index a37cbbdba8..bca3f3c674 100644 +--- a/providers/implementations/keymgmt/ec_kmgmt.c ++++ b/providers/implementations/keymgmt/ec_kmgmt.c +@@ -989,8 +989,17 @@ struct ec_gen_ctx { EC_GROUP *gen_group; + unsigned char *dhkem_ikm; + size_t dhkem_ikmlen; +#ifdef FIPS_MODULE + void *ecdsa_sig_ctx; +#endif @@ -122,9 +128,9 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope static void *ec_gen_init(void *provctx, int selection, const OSSL_PARAM params[]) { -@@ -1002,6 +1011,10 @@ static void *ec_gen_init(void *provctx, - OPENSSL_free(gctx); - gctx = NULL; +@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection, + gctx = NULL; + } } +#ifdef FIPS_MODULE + if (gctx != NULL) @@ -133,7 +139,7 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope return gctx; } -@@ -1272,6 +1285,12 @@ static void *ec_gen(void *genctx, OSSL_C +@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) if (gctx->ecdh_mode != -1) ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); 
@@ -145,8 +151,8 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope +#endif if (gctx->group_check != NULL) - ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check); -@@ -1341,7 +1359,10 @@ static void ec_gen_cleanup(void *genctx) + ret = ret && ossl_ec_set_check_group_type_from_name(ec, +@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx) if (gctx == NULL) return; 
@@ -155,12 +161,70 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope + ecdsa_freectx(gctx->ecdsa_sig_ctx); + gctx->ecdsa_sig_ctx = NULL; +#endif + OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen); EC_GROUP_free(gctx->gen_group); BN_free(gctx->p); - BN_free(gctx->a); -diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c ---- openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise 2023-02-20 11:50:23.035194347 +0100 -+++ openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c 2023-02-20 12:19:10.809768979 +0100 +diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c +index 3ba12c4889..ff49f8fcd8 100644 +--- a/providers/implementations/keymgmt/rsa_kmgmt.c ++++ b/providers/implementations/keymgmt/rsa_kmgmt.c +@@ -434,6 +434,7 @@ struct rsa_gen_ctx { + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + /* ACVP test parameters */ + OSSL_PARAM *acvp_test_params; ++ void *prov_rsa_ctx; + #endif + }; + +@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb) + return gctx->cb(params, gctx->cbarg); + } + ++#ifdef FIPS_MODULE ++void *rsa_newctx(void *provctx, const char *propq); ++void rsa_freectx(void *vctx); ++int do_rsa_pct(void *, const char *, void *); ++#endif ++ + static void *gen_init(void *provctx, int selection, int rsa_type, + const OSSL_PARAM params[]) + { +@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type, + + if (!rsa_gen_set_params(gctx, params)) + goto err; ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL); ++#endif + return gctx; + + err: +@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) + + rsa = rsa_tmp; + rsa_tmp = NULL; ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if (do_rsa_pct(gctx->prov_rsa_ctx, 
"sha256", rsa) != 1) ++ abort(); ++#endif + err: + BN_GENCB_free(gencb); + RSA_free(rsa_tmp); +@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx) + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params); + gctx->acvp_test_params = NULL; ++ rsa_freectx(gctx->prov_rsa_ctx); ++ gctx->prov_rsa_ctx = NULL; + #endif + BN_clear_free(gctx->pub_exp); + OPENSSL_free(gctx); +diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c +index 865d49d100..ebeb30e002 100644 +--- a/providers/implementations/signature/ecdsa_sig.c ++++ b/providers/implementations/signature/ecdsa_sig.c @@ -32,7 +32,7 @@ #include "crypto/ec.h" #include "prov/der_ec.h" @@ -170,7 +234,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init; static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init; static OSSL_FUNC_signature_sign_fn ecdsa_sign; -@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_f +@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final; static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init; static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update; static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final; @@ -180,7 +244,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params; static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params; @@ -104,7 +104,7 @@ typedef struct { - #endif + unsigned int nonce_type; } PROV_ECDSA_CTX; -static void *ecdsa_newctx(void *provctx, const char *propq) 
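Review bot: In the `rsa_kmgmt.c` section, `void *prov_rsa_ctx;` is declared inside the `#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)` block of `struct rsa_gen_ctx`, but `gen_init` and `rsa_gen` use it under plain `#ifdef FIPS_MODULE`. A FIPS build with `OPENSSL_NO_ACVP_TESTS` defined would therefore fail to compile; the field, and the `rsa_freectx` call in `rsa_gen_cleanup`, should sit in their own `#ifdef FIPS_MODULE` block. The result of `rsa_newctx(provctx, NULL)` is also stored unchecked, and `rsa_gen` passes it to `do_rsa_pct` and calls `abort()` on any result other than 1. An allocation failure could then end the host process in the same way as a genuine pairwise-test failure, so `gen_init` should use `if ((gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL)) == NULL) goto err;`. The bodies of these functions continue outside the inner hunks, so the cleanup done at `err:` is not visible here.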
@@ -188,7 +252,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise { PROV_ECDSA_CTX *ctx; -@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx +@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig, return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen); } @@ -197,7 +261,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise { PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; -@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ +@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx) return EVP_MD_settable_ctx_params(ctx->md); } 
@@ -233,66 +297,11 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = { { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, -diff -up openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c ---- openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise 2023-02-20 16:04:27.103364713 +0100 -+++ openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c 2023-02-20 16:14:13.848119419 +0100 -@@ -434,6 +434,7 @@ struct rsa_gen_ctx { - #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) - /* ACVP test parameters */ - OSSL_PARAM *acvp_test_params; -+ void *prov_rsa_ctx; - #endif - }; - -@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GE - return gctx->cb(params, gctx->cbarg); - } - -+#ifdef FIPS_MODULE -+void *rsa_newctx(void *provctx, const char *propq); -+void rsa_freectx(void *vctx); -+int do_rsa_pct(void *, const char *, void *); -+#endif -+ - static void *gen_init(void *provctx, int selection, int rsa_type, - const OSSL_PARAM params[]) - { -@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int - - if (!rsa_gen_set_params(gctx, params)) - goto err; -+#ifdef FIPS_MODULE -+ if (gctx != NULL) -+ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL); -+#endif - return gctx; - - err: -@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_ - - rsa = rsa_tmp; - rsa_tmp = NULL; -+#ifdef FIPS_MODULE -+ /* Pairwise consistency test */ -+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) -+ abort(); -+#endif - err: - BN_GENCB_free(gencb); - RSA_free(rsa_tmp); -@@ -645,6 +662,8 @@ static void rsa_gen_cleanup(void *genctx - #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) - ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params); - gctx->acvp_test_params = NULL; -+ 
rsa_freectx(gctx->prov_rsa_ctx); -+ gctx->prov_rsa_ctx = NULL; - #endif - BN_clear_free(gctx->pub_exp); - OPENSSL_free(gctx); -diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/rsa_sig.c ---- openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise 2023-02-20 16:04:22.548327811 +0100 -+++ openssl-3.0.7/providers/implementations/signature/rsa_sig.c 2023-02-20 16:17:50.064871695 +0100 -@@ -36,7 +36,7 @@ +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index cd5de6bd51..d4261e8f7d 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -34,7 +34,7 @@ #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 @@ -301,7 +310,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; -@@ -49,7 +49,7 @@ static OSSL_FUNC_signature_digest_sign_f +@@ -47,7 +47,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update; static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; @@ -310,7 +319,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; -@@ -172,7 +172,7 @@ static int rsa_check_parameters(PROV_RSA +@@ -170,7 +170,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) return 1; } 
@@ -319,7 +328,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op { PROV_RSA_CTX *prsactx = NULL; char *propq_copy = NULL; -@@ -990,7 +990,7 @@ int rsa_digest_verify_final(void *vprsac +@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen); } @@ -328,7 +337,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; -@@ -1504,6 +1504,45 @@ static const OSSL_PARAM *rsa_settable_ct +@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) return EVP_MD_settable_ctx_params(prsactx->md); } @@ -388,3 +397,6 @@ index e0d139d..35f23b2 100644 } } return ok; +-- +2.41.0 + diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch index 2ba9aab..117e6b2 100644 --- a/0045-FIPS-services-minimize.patch +++ b/0045-FIPS-services-minimize.patch 
@@ -1,7 +1,68 @@ -diff -up openssl-3.0.1/providers/common/capabilities.c.fipsmin3 openssl-3.0.1/providers/common/capabilities.c ---- openssl-3.0.1/providers/common/capabilities.c.fipsmin3 2022-05-05 17:11:36.146638536 +0200 -+++ openssl-3.0.1/providers/common/capabilities.c 2022-05-05 17:12:00.138848787 +0200 -@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list +From e25b25227043a2b2cf156527c31d7686a4265bf3 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 20/49] 0045-FIPS-services-minimize.patch + +Patch-name: 0045-FIPS-services-minimize.patch +Patch-id: 45 +Patch-status: | + # # Minimize fips services +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + apps/ecparam.c | 7 +++ + apps/req.c | 2 +- + providers/common/capabilities.c | 2 +- + providers/fips/fipsprov.c | 44 +++++++++++-------- + providers/fips/self_test_data.inc | 9 +++- + providers/implementations/signature/rsa_sig.c | 26 +++++++++++ + ssl/ssl_ciph.c | 3 ++ + test/acvp_test.c | 2 + + test/endecode_test.c | 4 ++ + test/evp_libctx_test.c | 9 +++- + test/recipes/15-test_gendsa.t | 2 +- + test/recipes/20-test_cli_fips.t | 3 +- + test/recipes/30-test_evp.t | 20 ++++----- + .../30-test_evp_data/evpmac_common.txt | 22 ++++++++++ + test/recipes/80-test_cms.t | 22 +++++----- + test/recipes/80-test_ssl_old.t | 2 +- + 16 files changed, 128 insertions(+), 51 deletions(-) + +diff --git a/apps/ecparam.c b/apps/ecparam.c +index 71f93c4ca5..347bf62d5c 100644 +--- a/apps/ecparam.c ++++ b/apps/ecparam.c +@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out) + const char *comment = curves[n].comment; + const char *sname = OBJ_nid2sn(curves[n].nid); + ++ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1) ++ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1) ++ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1) ++ || (curves[n].nid == 
NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1) ++ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL)) ++ continue; ++ + if (comment == NULL) + comment = "CURVE DESCRIPTION NOT AVAILABLE"; + if (sname == NULL) +diff --git a/apps/req.c b/apps/req.c +index 8995453dca..cb38e6aa64 100644 +--- a/apps/req.c ++++ b/apps/req.c +@@ -268,7 +268,7 @@ int req_main(int argc, char **argv) + unsigned long chtype = MBSTRING_ASC, reqflag = 0; + + #ifndef OPENSSL_NO_DES +- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); ++ cipher = (EVP_CIPHER *)EVP_aes_256_cbc(); + #endif + + opt_set_unknown_name("digest"); +diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c +index f7234615e4..0d4c0e3388 100644 +--- a/providers/common/capabilities.c ++++ b/providers/common/capabilities.c +@@ -189,9 +189,9 @@ static const OSSL_PARAM param_group_list[][10] = { TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25), TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26), TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27), 
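Review bot: In the `apps/req.c` section the default key-encryption cipher becomes `EVP_aes_256_cbc()`, but the assignment is still wrapped in `#ifndef OPENSSL_NO_DES`. A build configured without DES would not get the AES default, and `cipher` would keep whatever it was initialised with, which this hunk does not show. AES does not depend on DES, so the guard can be dropped and `cipher = (EVP_CIPHER *)EVP_aes_256_cbc();` made unconditional. Separately, the nine-way `||` chain on `curves[n].nid` in `list_builtin_curves` appears only to hide those curves from the printed list when FIPS properties are enabled. A one-line comment such as `/* display only: curve availability is decided by the provider */` would stop readers taking it for enforcement.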
@@ -9,22 +70,15 @@ diff -up openssl-3.0.1/providers/common/capabilities.c.fipsmin3 openssl-3.0.1/pr TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28), TLS_GROUP_ENTRY("x448", "X448", "X448", 29), +# endif - # endif /* OPENSSL_NO_EC */ - # ifndef OPENSSL_NO_DH - /* Security bit values for FFDHE groups are as per RFC 7919 */ -diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/providers/fips/fipsprov.c ---- openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 2022-05-05 11:42:58.596848856 +0200 -+++ openssl-3.0.1/providers/fips/fipsprov.c 2022-05-05 11:55:42.997562712 +0200 -@@ -54,7 +54,6 @@ static void fips_deinit_casecmp(void); - - #define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK } - #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) -- - extern OSSL_FUNC_core_thread_start_fn *c_thread_start; - int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); - -@@ -191,13 +190,13 @@ static int fips_get_params(void *provctx - &fips_prov_ossl_ctx_method); + # ifndef FIPS_MODULE + TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30), + TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31), +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index 7ec409710b..ec5bdd5a69 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) + OSSL_LIB_CTX_FIPS_PROV_INDEX); p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); - if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) 
@@ -40,7 +94,7 @@ diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/provider return 0; p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) -@@ -281,10 +280,11 @@ static const OSSL_ALGORITHM fips_digests +@@ -298,10 +298,11 @@ static const OSSL_ALGORITHM fips_digests[] = { * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for * KMAC128 and KMAC256. */ @@ -54,19 +108,19 @@ diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/provider { NULL, NULL, NULL } }; -@@ -343,8 +343,9 @@ static const OSSL_ALGORITHM_CAPABLE fips +@@ -360,8 +361,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = { ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions, ossl_cipher_capable_aes_cbc_hmac_sha256), #ifndef OPENSSL_NO_DES -- ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), -- ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), +- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), +- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), + /* We don't certify 3DES in our FIPS provider */ -+ /* ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), -+ ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */ ++ /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), ++ UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */ #endif /* OPENSSL_NO_DES */ { { NULL, NULL, NULL }, NULL } }; -@@ -356,8 +357,9 @@ static const OSSL_ALGORITHM fips_macs[] +@@ -373,8 +375,9 @@ static const OSSL_ALGORITHM fips_macs[] = { #endif { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions }, { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions }, 
@@ -78,37 +132,39 @@ diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/provider { NULL, NULL, NULL } }; -@@ -392,8 +394,9 @@ static const OSSL_ALGORITHM fips_keyexch - #endif +@@ -410,8 +413,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = { #ifndef OPENSSL_NO_EC { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions }, + # ifndef OPENSSL_NO_ECX - { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, - { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions }, + /* We don't certify Edwards curves in our FIPS provider */ + /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, + { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/ + # endif #endif { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, - ossl_kdf_tls1_prf_keyexch_functions }, -@@ -403,12 +406,14 @@ static const OSSL_ALGORITHM fips_keyexch +@@ -422,14 +426,16 @@ static const OSSL_ALGORITHM fips_keyexch[] = { static const OSSL_ALGORITHM fips_signature[] = { #ifndef OPENSSL_NO_DSA - { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, + /* We don't certify DSA in our FIPS provider */ -+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, */ ++ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/ #endif { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions }, #ifndef OPENSSL_NO_EC -- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions }, -- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, + # ifndef OPENSSL_NO_ECX +- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, + /* We don't certify Edwards curves in our FIPS provider */ -+ /* { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions }, -+ { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, */ ++ /* { PROV_NAMES_ED25519, 
FIPS_UNAPPROVED_PROPERTIES, + ossl_ed25519_signature_functions }, +- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, ++ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/ + # endif { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions }, #endif - { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, -@@ -438,8 +443,9 @@ static const OSSL_ALGORITHM fips_keymgmt +@@ -460,8 +466,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { PROV_DESCS_DHX }, #endif #ifndef OPENSSL_NO_DSA 
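Review bot: The comment `/* We don't certify Edwards curves in our FIPS provider */` in `fips_keyexch[]` sits above the X25519 and X448 entries, which are Montgomery-curve key exchange rather than Edwards-curve signatures. `/* We don't certify X25519/X448 in our FIPS provider */` would describe what is actually disabled. In `fips_signature[]` the Ed25519/Ed448 entries are disabled by a block comment that opens on an added line, runs across the unchanged `ossl_ed25519_signature_functions },` context line and closes after the Ed448 entry. That is fragile across rebases, as this one shows with the move to `FIPS_UNAPPROVED_PROPERTIES`. Wrapping the untouched upstream lines in `#if 0` / `#endif` would reduce the inner hunk to two added lines. Both arrays continue outside the hunk.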
@@ -120,28 +176,29 @@ diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/provider #endif { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions, PROV_DESCS_RSA }, -@@ -448,14 +454,15 @@ static const OSSL_ALGORITHM fips_keymgmt - #ifndef OPENSSL_NO_EC +@@ -471,14 +478,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions, PROV_DESCS_EC }, + # ifndef OPENSSL_NO_ECX - { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, + /* We don't certify Edwards curves in our FIPS provider */ + /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, PROV_DESCS_X25519 }, { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions, PROV_DESCS_X448 }, - { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions, + { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions, PROV_DESCS_ED25519 }, - { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions, + { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions, - PROV_DESCS_ED448 }, + PROV_DESCS_ED448 }, */ + # endif #endif { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions, - PROV_DESCS_TLS1_PRF_SIGN }, -diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/providers/fips/self_test_data.inc ---- openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 2022-05-05 12:36:32.335069046 +0200 -+++ openssl-3.0.1/providers/fips/self_test_data.inc 2022-05-05 12:40:02.427966128 +0200 -@@ -171,6 +171,7 @@ static const ST_KAT_DIGEST st_kat_digest +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index 2057378d3d..4b80bb70b9 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] = /*- CIPHER TEST DATA */ /* DES3 test data 
*/ @@ -149,7 +206,7 @@ diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/ static const unsigned char des_ede3_cbc_pt[] = { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, -@@ -191,7 +192,7 @@ static const unsigned char des_ede3_cbc_ +@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ct[] = { 0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F, 0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7 }; @@ -158,23 +215,7 @@ diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/ /* AES-256 GCM test data */ static const unsigned char aes_256_gcm_key[] = { 0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c, -@@ -235,6 +236,7 @@ static const unsigned char aes_128_ecb_c - }; - - static const ST_KAT_CIPHER st_kat_cipher_tests[] = { -+#if 0 - #ifndef OPENSSL_NO_DES - { - { -@@ -248,6 +250,7 @@ static const ST_KAT_CIPHER st_kat_cipher - ITM(des_ede3_cbc_iv), - }, - #endif -+#endif - { - { - OSSL_SELF_TEST_DESC_CIPHER_AES_GCM, -@@ -1424,8 +1427,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[ +@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = { # endif /* OPENSSL_NO_EC2M */ #endif /* OPENSSL_NO_EC */ 
@@ -185,18 +226,15 @@ diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/ static const unsigned char dsa_p[] = { 0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23, 0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e, -@@ -1549,8 +1553,8 @@ static const ST_KAT_PARAM dsa_key[] = { - ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, dsa_priv), +@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = { ST_KAT_PARAM_END() }; --#endif /* OPENSSL_NO_DSA */ -- -+#endif + #endif /* OPENSSL_NO_DSA */ +#endif - static const ST_KAT_SIGN st_kat_sign_tests[] = { - { - OSSL_SELF_TEST_DESC_SIGN_RSA, -@@ -1583,6 +1587,7 @@ static const ST_KAT_SIGN st_kat_sign_tes + + /* Hash DRBG inputs for signature KATs */ + static const unsigned char sig_kat_entropyin[] = { +@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { }, # endif #endif /* OPENSSL_NO_EC */ 
@@ -204,18 +242,77 @@ diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/ #ifndef OPENSSL_NO_DSA { OSSL_SELF_TEST_DESC_SIGN_DSA, -@@ -1595,6 +1600,7 @@ static const ST_KAT_SIGN st_kat_sign_tes - */ +@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { + ITM(dsa_expected_sig) }, #endif /* OPENSSL_NO_DSA */ +#endif }; static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = { -diff -up openssl-3.0.1/test/acvp_test.c.fipsmin2 openssl-3.0.1/test/acvp_test.c ---- openssl-3.0.1/test/acvp_test.c.fipsmin2 2022-05-05 11:42:58.597848865 +0200 -+++ openssl-3.0.1/test/acvp_test.c 2022-05-05 11:43:30.141126336 +0200 -@@ -1476,6 +1476,7 @@ int setup_tests(void) +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index 22d93ead53..c1405f47ea 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -686,6 +686,19 @@ static int rsa_verify_recover(void *vprsactx, + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + int ret; ++# ifdef FIPS_MODULE ++ size_t rsabits = RSA_bits(prsactx->rsa); ++ ++ if (rsabits < 2048) { ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ } ++# endif + + if (!ossl_prov_is_running()) + return 0; +@@ -774,6 +787,19 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + size_t rslen; ++# ifdef FIPS_MODULE ++ size_t rsabits = RSA_bits(prsactx->rsa); ++ ++ if (rsabits < 2048) { ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ } ++# endif + + if (!ossl_prov_is_running()) + return 0; +diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c +index 33c23efb0d..113c204716 100644 +--- 
a/ssl/ssl_ciph.c ++++ b/ssl/ssl_ciph.c +@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx) + ctx->disabled_mkey_mask = 0; + ctx->disabled_auth_mask = 0; + ++ if (EVP_default_properties_is_fips_enabled(ctx->libctx)) ++ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK; ++ + /* + * We ignore any errors from the fetches below. They are expected to fail + * if these algorithms are not available. +diff --git a/test/acvp_test.c b/test/acvp_test.c +index 45509095af..4a67519bb4 100644 +--- a/test/acvp_test.c ++++ b/test/acvp_test.c +@@ -1478,6 +1478,7 @@ int setup_tests(void) OSSL_NELEM(dh_safe_prime_keyver_data)); #endif /* OPENSSL_NO_DH */ @@ -223,7 +320,7 @@ diff -up openssl-3.0.1/test/acvp_test.c.fipsmin2 openssl-3.0.1/test/acvp_test.c #ifndef OPENSSL_NO_DSA ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data)); ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data)); -@@ -1483,6 +1484,7 @@ int setup_tests(void) +@@ -1485,6 +1486,7 @@ int setup_tests(void) ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data)); ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data)); #endif /* OPENSSL_NO_DSA */ 
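Review bot: In the added rsa_sig.c section, the FIPS_MODULE guards in `rsa_verify_recover` and `rsa_verify` call `ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH)`, which pairs a provider reason code with a different error library, so the queued error will likely not resolve to the intended reason text. `ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);` matches the reason code. The guard also runs before `ossl_prov_is_running()` and stores the `int` result of `RSA_bits(prsactx->rsa)` in a `size_t` without the hunk showing that `prsactx->rsa` is non-NULL at that point; moving it below the running check would be safer (both function bodies continue outside the hunk). The same block is pasted into both functions, so a small static helper with a comment such as `/* legacy verification only: below 2048 bits accept just 1024/1280/1536/1792 */` would keep the allow-list in one place. In the ssl_ciph.c section, `EVP_default_properties_is_fips_enabled(ctx->libctx)` only sees the library-context default, so an SSL_CTX that selects FIPS through its own property query would, as far as this hunk shows, keep `SSL_kRSA` and `SSL_kRSAPSK` enabled.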
@@ -231,9 +328,43 @@ diff -up openssl-3.0.1/test/acvp_test.c.fipsmin2 openssl-3.0.1/test/acvp_test.c #ifndef OPENSSL_NO_EC ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data)); -diff -up openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 openssl-3.0.1/test/evp_libctx_test.c ---- openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 2022-05-05 14:18:46.370911817 +0200 -+++ openssl-3.0.1/test/evp_libctx_test.c 2022-05-05 14:30:02.117911993 +0200 +diff --git a/test/endecode_test.c b/test/endecode_test.c +index b53b7b715b..885e49a47c 100644 +--- a/test/endecode_test.c ++++ b/test/endecode_test.c +@@ -1419,6 +1419,7 @@ int setup_tests(void) + * so no legacy tests. + */ + #endif ++ if (is_fips == 0) { + #ifndef OPENSSL_NO_DSA + ADD_TEST_SUITE(DSA); + ADD_TEST_SUITE_PARAMS(DSA); +@@ -1429,6 +1430,7 @@ int setup_tests(void) + ADD_TEST_SUITE_PROTECTED_PVK(DSA); + # endif + #endif ++ } + #ifndef OPENSSL_NO_EC + ADD_TEST_SUITE(EC); + ADD_TEST_SUITE_PARAMS(EC); +@@ -1443,10 +1445,12 @@ int setup_tests(void) + ADD_TEST_SUITE(ECExplicitTri2G); + ADD_TEST_SUITE_LEGACY(ECExplicitTri2G); + # endif ++ if (is_fips == 0) { + ADD_TEST_SUITE(ED25519); + ADD_TEST_SUITE(ED448); + ADD_TEST_SUITE(X25519); + ADD_TEST_SUITE(X448); ++ } + /* + * ED25519, ED448, X25519 and X448 have no support for + * PEM_write_bio_PrivateKey_traditional(), so no legacy tests. +diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c +index 2448c35a14..a7913cda4c 100644 +--- a/test/evp_libctx_test.c ++++ b/test/evp_libctx_test.c @@ -21,6 +21,7 @@ */ #include "internal/deprecated.h" @@ -242,8 +373,7 @@ diff -up openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 openssl-3.0.1/test/evp_li #include #include #include -@@ -725,8 +726,10 @@ int setup_tests(void) - if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name)) +@@ -726,7 +727,9 @@ int setup_tests(void) return 0; #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH) 
@@ -254,7 +384,7 @@ diff -up openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 openssl-3.0.1/test/evp_li #endif #ifndef OPENSSL_NO_DH ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3); -@@ -746,7 +750,9 @@ int setup_tests(void) +@@ -746,7 +749,9 @@ int setup_tests(void) ADD_TEST(kem_invalid_keytype); #endif #ifndef OPENSSL_NO_DES @@ -265,9 +395,10 @@ diff -up openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 openssl-3.0.1/test/evp_li #endif return 1; } -diff -up openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 openssl-3.0.1/test/recipes/15-test_gendsa.t ---- openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 2022-05-05 13:46:00.631590335 +0200 -+++ openssl-3.0.1/test/recipes/15-test_gendsa.t 2022-05-05 13:46:06.999644496 +0200 +diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t +index 4bc460784b..93052eb3e7 100644 +--- a/test/recipes/15-test_gendsa.t ++++ b/test/recipes/15-test_gendsa.t @@ -24,7 +24,7 @@ use lib bldtop_dir('.'); plan skip_all => "This test is unsupported in a no-dsa build" if disabled("dsa"); @@ -277,10 +408,11 @@ diff -up openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 openssl-3.0.1/test plan tests => ($no_fips ? 0 : 2) # FIPS related tests -diff -up openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 openssl-3.0.1/test/recipes/20-test_cli_fips.t ---- openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 2022-05-05 13:47:55.217564900 +0200 -+++ openssl-3.0.1/test/recipes/20-test_cli_fips.t 2022-05-05 13:48:02.824629600 +0200 -@@ -207,8 +207,7 @@ SKIP: { +diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t +index d4b4d4ca51..031814e8ff 100644 +--- a/test/recipes/20-test_cli_fips.t ++++ b/test/recipes/20-test_cli_fips.t +@@ -278,8 +278,7 @@ SKIP: { } SKIP : { 
@@ -290,133 +422,38 @@ diff -up openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 openssl-3.0.1/te subtest DSA => sub { my $testtext_prefix = 'DSA'; -diff -up openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_cms.t ---- openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 2022-05-05 13:55:05.257292637 +0200 -+++ openssl-3.0.1/test/recipes/80-test_cms.t 2022-05-05 13:58:35.307150750 +0200 -@@ -95,7 +95,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content DER format, DSA key", -+ [ "signed content DER format, DSA key, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", - "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], - [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", -@@ -103,7 +103,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed detached content DER format, DSA key", -+ [ "signed detached content DER format, DSA key, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], - [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", -@@ -112,7 +112,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed detached content DER format, add RSA signer (with DSA existing)", -+ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], - [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER", -@@ -123,7 +123,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming BER format, DSA key", -+ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-nodetach", "-stream", - 
"-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], -@@ -132,7 +132,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-nodetach", "-stream", - "-signer", $smrsa1, -@@ -145,7 +145,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", -+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-noattr", "-nodetach", "-stream", - "-signer", $smrsa1, -@@ -175,7 +175,7 @@ my @smime_pkcs7_tests = ( - \&zero_compare - ], - -- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", - "-signer", $smrsa1, - "-signer", catfile($smdir, "smrsa2.pem"), -@@ -187,7 +187,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, - "-signer", $smrsa1, - "-signer", catfile($smdir, "smrsa2.pem"), -@@ -247,7 +247,7 @@ my @smime_pkcs7_tests = ( - - my @smime_cms_tests = ( - -- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", -+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-nodetach", "-keyid", - "-signer", $smrsa1, -@@ -260,7 +260,7 @@ my @smime_cms_tests = ( - \&final_compare - ], - -- [ "signed content test streaming PEM 
format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", - "-signer", $smrsa1, - "-signer", catfile($smdir, "smrsa2.pem"), -@@ -370,7 +370,7 @@ my @smime_cms_tests = ( - \&final_compare - ], - -- [ "encrypted content test streaming PEM format, triple DES key", -+ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS", - [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", - "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", - "-stream", "-out", "{output}.cms" ], -diff -up openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp.t ---- openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 2022-05-05 14:43:04.276857033 +0200 -+++ openssl-3.0.1/test/recipes/30-test_evp.t 2022-05-05 14:43:35.975138234 +0200 -@@ -43,7 +43,6 @@ my @files = qw( +diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t +index eddca5c58e..36a192d041 100644 +--- a/test/recipes/30-test_evp.t ++++ b/test/recipes/30-test_evp.t +@@ -46,10 +46,8 @@ my @files = qw( evpciph_aes_cts.txt evpciph_aes_wrap.txt evpciph_aes_stitched.txt - evpciph_des3_common.txt evpkdf_hkdf.txt + evpkdf_kbkdf_counter.txt +- evpkdf_kbkdf_kmac.txt evpkdf_pbkdf1.txt evpkdf_pbkdf2.txt -@@ -66,12 +65,6 @@ push @files, qw( + evpkdf_ss.txt +@@ -69,15 +67,6 @@ push @files, qw( + evppkey_ffdhe.txt evppkey_dh.txt ) unless $no_dh; - push @files, qw( +-push @files, qw( - evpkdf_x942_des.txt - evpmac_cmac_des.txt - ) unless $no_des; -push @files, qw(evppkey_dsa.txt) unless $no_dsa; --push @files, qw(evppkey_ecx.txt) unless $no_ec; -push @files, qw( +- evppkey_ecx.txt +- evppkey_mismatch_ecx.txt +- ) unless $no_ecx; + push @files, qw( evppkey_ecc.txt evppkey_ecdh.txt - evppkey_ecdsa.txt -@@ -91,6 +84,7 @@ my @defltfiles = qw( +@@ -97,6 +86,7 @@ my @defltfiles = qw( evpciph_cast5.txt 
evpciph_chacha.txt evpciph_des.txt @@ -424,7 +461,12 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 openssl-3.0.1/test/re evpciph_idea.txt evpciph_rc2.txt evpciph_rc4.txt -@@ -117,6 +111,12 @@ my @defltfiles = qw( +@@ -121,13 +111,19 @@ my @defltfiles = qw( + evpmd_whirlpool.txt + evppbe_scrypt.txt + evppbe_pkcs12.txt ++ evpkdf_kbkdf_kmac.txt + evppkey_kdf_scrypt.txt evppkey_kdf_tls1_prf.txt evppkey_rsa.txt ); 
@@ -435,20 +477,24 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 openssl-3.0.1/test/re + evpmac_cmac_des.txt + ) unless $no_des; push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; + push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec; +-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa; push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; - -diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt ---- openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 2022-05-05 14:46:32.721700697 +0200 -+++ openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt 2022-05-05 14:51:40.205418897 +0200 -@@ -328,6 +328,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E54100 - Output = 00BDA1B7E87608BCBF470F12157F4C07 - + push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv; + push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv; +diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt +index e47023aae6..96a8febeef 100644 +--- a/test/recipes/30-test_evp_data/evpmac_common.txt ++++ b/test/recipes/30-test_evp_data/evpmac_common.txt +@@ -363,6 +363,7 @@ IV = 7AE8E2CA4EC500012E58495C + Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007 + Result = MAC_INIT_ERROR +Availablein = default Title = KMAC Tests (From NIST) MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F -@@ -338,12 +339,14 @@ Ctrl = xof:0 +@@ -373,12 +374,14 @@ Ctrl = xof:0 OutputSize = 32 BlockSize = 168 
@@ -463,7 +509,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -351,6 +354,7 @@ Custom = "My Tagged Application" +@@ -386,6 +389,7 @@ Custom = "My Tagged Application" Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230 Ctrl = size:32 @@ -471,7 +517,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 00010203 -@@ -359,12 +363,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6 +@@ -394,12 +398,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC OutputSize = 64 BlockSize = 136 @@ -486,7 +532,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -374,12 +380,14 @@ Ctrl = size:64 +@@ -409,12 +415,14 @@ Ctrl = size:64 Title = KMAC XOF Tests (From NIST) 
@@ -501,7 +547,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 00010203 -@@ -387,6 +395,7 @@ Custom = "My Tagged Application" +@@ -422,6 +430,7 @@ Custom = "My Tagged Application" Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C XOF = 1 @@ -509,7 +555,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -395,6 +404,7 @@ Output = 47026C7CD793084AA0283C253EF6584 +@@ -430,6 +439,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F XOF = 1 Ctrl = size:32 @@ -517,7 +563,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 00010203 -@@ -402,6 +412,7 @@ Custom = "My Tagged Application" +@@ -437,6 +447,7 @@ Custom = "My Tagged Application" Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B XOF = 1 
@@ -525,7 +571,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -409,6 +420,7 @@ Custom = "" +@@ -444,6 +455,7 @@ Custom = "" Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B XOF = 1 @@ -533,7 +579,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -419,6 +431,7 @@ XOF = 1 +@@ -454,6 +466,7 @@ XOF = 1 Title = KMAC long customisation string (from NIST ACVP) 
@@ -541,7 +587,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC256 Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D -@@ -429,12 +442,14 @@ XOF = 1 +@@ -464,12 +477,14 @@ XOF = 1 Title = KMAC XOF Tests via ctrl (From NIST) @@ -556,7 +602,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 00010203 -@@ -442,6 +457,7 @@ Custom = "My Tagged Application" +@@ -477,6 +492,7 @@ Custom = "My Tagged Application" Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C Ctrl = xof:1 @@ -564,7 +610,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -450,6 +466,7 @@ Output = 47026C7CD793084AA0283C253EF6584 +@@ -485,6 +501,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F Ctrl = xof:1 Ctrl = size:32 
@@ -572,7 +618,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 00010203 -@@ -457,6 +474,7 @@ Custom = "My Tagged Application" +@@ -492,6 +509,7 @@ Custom = "My Tagged Application" Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B Ctrl = xof:1 @@ -580,7 +626,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -464,6 +482,7 @@ Custom = "" +@@ -499,6 +517,7 @@ Custom = "" Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B Ctrl = xof:1 @@ -588,7 +634,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -474,6 +493,7 @@ Ctrl = xof:1 +@@ -509,6 +528,7 @@ Ctrl = xof:1 Title = KMAC long customisation string via ctrl (from NIST ACVP) 
@@ -596,7 +642,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC256 Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D -@@ -484,6 +504,7 @@ Ctrl = xof:1 +@@ -519,6 +539,7 @@ Ctrl = xof:1 Title = KMAC long customisation string negative test @@ -604,7 +650,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC128 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -492,6 +513,7 @@ Result = MAC_INIT_ERROR +@@ -527,6 +548,7 @@ Result = MAC_INIT_ERROR Title = KMAC output is too large 
@@ -612,144 +658,122 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 MAC = KMAC256 Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_ssl_old.t ---- openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 2022-05-05 16:02:59.745500635 +0200 -+++ openssl-3.0.1/test/recipes/80-test_ssl_old.t 2022-05-05 16:10:24.071348890 +0200 -@@ -426,7 +426,7 @@ sub testssl { - my @exkeys = (); - my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index 6a9792128b..4e368c730b 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], -- if (!$no_dsa) { -+ if (!$no_dsa && $provider ne "fips") { - push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; - } +- [ "signed content DER format, DSA key", ++ [ "signed content DER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], -diff -up openssl-3.0.1/test/endecode_test.c.fipsmin3 openssl-3.0.1/test/endecode_test.c ---- openssl-3.0.1/test/endecode_test.c.fipsmin3 2022-05-06 16:25:57.296926271 +0200 -+++ openssl-3.0.1/test/endecode_test.c 2022-05-06 16:27:42.712850840 +0200 -@@ 
-1387,6 +1387,7 @@ int setup_tests(void) - * so no legacy tests. - */ - #endif -+ if (is_fips == 0) { - #ifndef OPENSSL_NO_DSA - ADD_TEST_SUITE(DSA); - ADD_TEST_SUITE_PARAMS(DSA); -@@ -1397,6 +1398,7 @@ int setup_tests(void) - ADD_TEST_SUITE_PROTECTED_PVK(DSA); - # endif - #endif -+ } - #ifndef OPENSSL_NO_EC - ADD_TEST_SUITE(EC); - ADD_TEST_SUITE_PARAMS(EC); -@@ -1411,10 +1413,12 @@ int setup_tests(void) - ADD_TEST_SUITE(ECExplicitTri2G); - ADD_TEST_SUITE_LEGACY(ECExplicitTri2G); - # endif -+ if (is_fips == 0) { - ADD_TEST_SUITE(ED25519); - ADD_TEST_SUITE(ED448); - ADD_TEST_SUITE(X25519); - ADD_TEST_SUITE(X448); -+ } - /* - * ED25519, ED448, X25519 and X448 have no support for - * PEM_write_bio_PrivateKey_traditional(), so no legacy tests. -diff -up openssl-3.0.1/apps/req.c.dfc openssl-3.0.1/apps/req.c ---- openssl-3.0.1/apps/req.c.dfc 2022-05-12 13:31:21.957638329 +0200 -+++ openssl-3.0.1/apps/req.c 2022-05-12 13:31:49.587984867 +0200 -@@ -266,7 +266,7 @@ int req_main(int argc, char **argv) - unsigned long chtype = MBSTRING_ASC, reqflag = 0; +- [ "signed detached content DER format, DSA key", ++ [ "signed detached content DER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], - #ifndef OPENSSL_NO_DES -- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); -+ cipher = (EVP_CIPHER *)EVP_aes_256_cbc(); - #endif +- [ "signed detached content DER format, add RSA signer (with DSA existing)", ++ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER", +@@ -124,7 
+124,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], - prog = opt_init(argc, argv, req_options); -diff -up openssl-3.0.1/apps/ecparam.c.fips_list_curves openssl-3.0.1/apps/ecparam.c ---- openssl-3.0.1/apps/ecparam.c.fips_list_curves 2022-05-19 11:46:22.682519422 +0200 -+++ openssl-3.0.1/apps/ecparam.c 2022-05-19 11:50:44.559828701 +0200 -@@ -79,6 +79,9 @@ static int list_builtin_curves(BIO *out) - const char *comment = curves[n].comment; - const char *sname = OBJ_nid2sn(curves[n].nid); +- [ "signed content test streaming BER format, DSA key", ++ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], +@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], -+ if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL)) -+ continue; -+ - if (comment == NULL) - comment = "CURVE DESCRIPTION NOT AVAILABLE"; - if (sname == NULL) -diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c ---- openssl-3.0.1/ssl/ssl_ciph.c.nokrsa 2022-05-19 13:32:32.536708638 +0200 -+++ openssl-3.0.1/ssl/ssl_ciph.c 2022-05-19 13:42:29.734002959 +0200 -@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx) - ctx->disabled_mkey_mask = 0; - ctx->disabled_auth_mask = 0; +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], -+ if (EVP_default_properties_is_fips_enabled(ctx->libctx)) -+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK; -+ - /* - * We ignore any errors from the fetches below. They are expected to fail - * if theose algorithms are not available. 
-diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen openssl-3.0.1/providers/implementations/signature/rsa_sig.c ---- openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen 2022-05-23 14:58:07.764281242 +0200 -+++ openssl-3.0.1/providers/implementations/signature/rsa_sig.c 2022-05-23 15:10:29.327993616 +0200 -@@ -692,6 +692,19 @@ static int rsa_verify_recover(void *vprs - { - PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; - int ret; -+# ifdef FIPS_MODULE -+ size_t rsabits = RSA_bits(prsactx->rsa); -+ -+ if (rsabits < 2048) { -+ if (rsabits != 1024 -+ && rsabits != 1280 -+ && rsabits != 1536 -+ && rsabits != 1792) { -+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -+ return 0; -+ } -+ } -+# endif +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-noattr", "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = ( + \&zero_compare + ], - if (!ossl_prov_is_running()) - return 0; -@@ -770,6 +770,19 @@ static int rsa_verify(void *vprsactx, co - { - PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; - size_t rslen; -+# ifdef FIPS_MODULE -+ size_t rsabits = RSA_bits(prsactx->rsa); -+ -+ if (rsabits < 2048) { -+ if (rsabits != 1024 -+ && rsabits != 1280 -+ && rsabits != 1536 -+ && rsabits != 1792) { -+ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); -+ return 0; -+ } -+ } -+# endif +- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], - if (!ossl_prov_is_running()) - return 0; 
-diff -up openssl-3.0.7/apps/ecparam.c.minfips openssl-3.0.7/apps/ecparam.c ---- openssl-3.0.7/apps/ecparam.c.minfips 2023-06-24 09:58:57.773344910 +0200 -+++ openssl-3.0.7/apps/ecparam.c 2023-06-26 09:18:06.843859405 +0200 -@@ -79,7 +79,11 @@ static int list_builtin_curves(BIO *out) - const char *comment = curves[n].comment; - const char *sname = OBJ_nid2sn(curves[n].nid); +- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = ( -- if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL)) -+ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1) -+ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1) -+ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1) -+ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1) -+ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL)) - continue; + my @smime_cms_tests = ( - if (comment == NULL) +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-keyid", + "-signer", $smrsa1, +@@ -263,7 +263,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -373,7 +373,7 @@ my 
@smime_cms_tests = ( + \&final_compare + ], + +- [ "encrypted content test streaming PEM format, triple DES key", ++ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", + "-stream", "-out", "{output}.cms" ], +diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t +index 50b74a1e29..e2dcb68fb5 100644 +--- a/test/recipes/80-test_ssl_old.t ++++ b/test/recipes/80-test_ssl_old.t +@@ -436,7 +436,7 @@ sub testssl { + my @exkeys = (); + my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; + +- if (!$no_dsa) { ++ if (!$no_dsa && $provider ne "fips") { + push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; + } + +-- +2.44.0 + diff --git a/0047-FIPS-early-KATS.patch b/0047-FIPS-early-KATS.patch index ef2d081..6dffded 100644 --- a/0047-FIPS-early-KATS.patch +++ b/0047-FIPS-early-KATS.patch 
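Review bot: Nothing in this hunk shows where the FIPS-mode restrictions it drops from this patch file are enforced after the rebase: the `rsabits < 2048` rejection in `rsa_verify` and `rsa_verify_recover`, the `SSL_kRSA | SSL_kRSAPSK` mask in `ssl_load_ciphers`, and the secp256k1/brainpool filter in `list_builtin_curves`. They may have moved to another patch in the series or been superseded by upstream code, but that should be confirmed before merging, ideally with a line in the patch header naming where each check now lives. The CMS test titles that gain "no Red Hat FIPS" appear to be skip markers only and do not exercise any of those checks, so the test suite would not catch a lost restriction.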
@@ -1,7 +1,22 @@ -diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/providers/fips/self_test.c ---- openssl-3.0.1/providers/fips/self_test.c.earlykats 2022-01-19 13:10:00.635830783 +0100 -+++ openssl-3.0.1/providers/fips/self_test.c 2022-01-19 13:11:43.309342656 +0100 -@@ -362,6 +362,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS +From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 19 Oct 2023 13:12:40 +0200 +Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch + +Patch-name: 0047-FIPS-early-KATS.patch +Patch-id: 47 +Patch-status: | + # # Execute KATS before HMAC verification +From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 +--- + providers/fips/self_test.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c +index e3a629018a..3c09bd8638 100644 +--- a/providers/fips/self_test.c ++++ b/providers/fips/self_test.c +@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) if (ev == NULL) goto end; @@ -15,14 +30,13 @@ diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/provid + } + } + - module_checksum = fips_hmac_container; - checksum_len = sizeof(fips_hmac_container); - -@@ -411,18 +421,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS - kats_already_passed = 1; + if (st->module_checksum_data == NULL) { + module_checksum = fips_hmac_container; + checksum_len = sizeof(fips_hmac_container); +@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) } } -- + - /* - * Only runs the KAT's during installation OR on_demand(). - * NOTE: If the installation option 'self_test_onload' is chosen then this 
@@ -34,6 +48,10 @@ diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/provid - goto end; - } - } - ok = 1; - end: - OSSL_SELF_TEST_free(ev); +- + /* Verify that the RNG has been restored properly */ + rng = ossl_rand_get0_private_noncreating(st->libctx); + if (rng != NULL) +-- +2.41.0 + diff --git a/0049-Selectively-disallow-SHA1-signatures.patch b/0049-Selectively-disallow-SHA1-signatures.patch index 4b6ecf2..4131512 100644 --- a/0049-Selectively-disallow-SHA1-signatures.patch +++ b/0049-Selectively-disallow-SHA1-signatures.patch 
@@ -1,45 +1,20 @@ -From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Mon, 21 Feb 2022 17:24:44 +0100 -Subject: Selectively disallow SHA1 signatures +From 4f9167db05cade673f98f1a00efd57136e97b460 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 22/49] 0049-Allow-disabling-of-SHA1-signatures.patch -For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is -disabling SHA1 signatures. Introduce a new configuration option in the -alg_section named 'rh-allow-sha1-signatures'. This option defaults to -false. If set to false (or unset), any signature creation or -verification operations that involve SHA1 as digest will fail. - -This also affects TLS, where the signature_algorithms extension of any -ClientHello message sent by OpenSSL will no longer include signatures -with the SHA1 digest if rh-allow-sha1-signatures is false. For servers -that request a client certificate, the same also applies for -CertificateRequest messages sent by them. - -For signatures created using the EVP_PKEY API, this is a best-effort -check that will deny signatures in cases where the digest algorithm is -known. This means, for example, that that following steps will still -work: - - $> openssl dgst -sha1 -binary -out sha1 infile - $> openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig - $> openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1 - -whereas these will not: - - $> openssl dgst -sha1 -binary -out sha1 infile - $> openssl pkeyutl -inkey kem.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1 - $> openssl pkeyutl -inkey kem.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1 - -This happens because in the first case, OpenSSL's signature -implementation does not know that it is signing a SHA1 hash (it could be -signing arbitrary data). 
- -Resolves: rhbz#2031742 +Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch +Patch-id: 49 +Patch-status: | + # # Selectively disallow SHA1 signatures rhbz#2070977 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - crypto/evp/evp_cnf.c | 13 ++++ - crypto/evp/m_sigver.c | 77 +++++++++++++++++++ + crypto/context.c | 14 ++++ + crypto/evp/evp_cnf.c | 13 +++ + crypto/evp/m_sigver.c | 79 +++++++++++++++++++ crypto/evp/pmeth_lib.c | 15 ++++ - doc/man5/config.pod | 11 +++ + doc/man5/config.pod | 13 +++ + include/crypto/context.h | 3 + include/internal/cryptlib.h | 3 +- include/internal/sslconf.h | 4 + providers/common/securitycheck.c | 20 +++++ 
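Review bot: The rewritten patch header loses the only description of what this patch does not cover: the removed text explained that the SHA-1 signature block is best-effort and applies only where the digest is known to the signature operation. The new `Patch-status` entry carries just a title and a bug number. I would keep a short form of that caveat in the header, for example `# Best-effort: SHA-1 is rejected only when the digest is known to the signature operation`, along with the name of the `rh-allow-sha1-signatures` option, so the limitation stays documented next to the code that has it.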
@@ -49,8 +24,54 @@ Resolves: rhbz#2031742 providers/implementations/signature/rsa_sig.c | 20 ++++- ssl/t1_lib.c | 8 ++ util/libcrypto.num | 2 + - 13 files changed, 188 insertions(+), 9 deletions(-) + 15 files changed, 209 insertions(+), 9 deletions(-) +diff --git a/crypto/context.c b/crypto/context.c +index fb4816d89b..c04920fe14 100644 +--- a/crypto/context.c ++++ b/crypto/context.c +@@ -83,6 +83,8 @@ struct ossl_lib_ctx_st { + void *fips_prov; + #endif + ++ void *legacy_digest_signatures; ++ + unsigned int ischild:1; + }; + +@@ -223,6 +225,10 @@ static int context_init(OSSL_LIB_CTX *ctx) + goto err; + #endif + ++ ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx); ++ if (ctx->legacy_digest_signatures == NULL) ++ goto err; ++ + /* Low priority. */ + #ifndef FIPS_MODULE + ctx->child_provider = ossl_child_prov_ctx_new(ctx); +@@ -366,6 +372,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx) + } + #endif + ++ if (ctx->legacy_digest_signatures != NULL) { ++ ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures); ++ ctx->legacy_digest_signatures = NULL; ++ } ++ + /* Low priority. */ + #ifndef FIPS_MODULE + if (ctx->child_provider != NULL) { +@@ -663,6 +674,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index) + return ctx->fips_prov; + #endif + ++ case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX: ++ return ctx->legacy_digest_signatures; ++ + default: + return NULL; + } diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c index 0e7fe64cf9..b9d3b6d226 100644 --- a/crypto/evp/evp_cnf.c @@ -83,18 +104,20 @@ index 0e7fe64cf9..b9d3b6d226 100644 ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, "name=%s, value=%s", oval->name, oval->value); diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c -index 9188edbc21..db1a1d7bc3 100644 +index 3a979f4bd4..fd3a4b79df 100644 --- a/crypto/evp/m_sigver.c 
+++ b/crypto/evp/m_sigver.c -@@ -16,6 +16,71 @@ +@@ -15,6 +15,73 @@ + #include "internal/provider.h" #include "internal/numbers.h" /* includes SIZE_MAX */ #include "evp_local.h" - ++#include "crypto/context.h" ++ +typedef struct ossl_legacy_digest_signatures_st { + int allowed; +} OSSL_LEGACY_DIGEST_SIGNATURES; + -+static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs) ++void ossl_ctx_legacy_digest_signatures_free(void *vldsigs) +{ + OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs; + @@ -103,27 +126,25 @@ index 9188edbc21..db1a1d7bc3 100644 + } +} + -+static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx) ++void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx) +{ -+ return OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES)); ++ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES)); ++ /* Warning: This patch differs from the same patch in CentOS and RHEL here, ++ * because the default on Fedora is to allow SHA-1 and support disabling ++ * it, while CentOS/RHEL disable it by default and allow enabling it. */ ++ ldsigs->allowed = 0; ++ return ldsigs; +} + -+static const OSSL_LIB_CTX_METHOD ossl_ctx_legacy_digest_signatures_method = { -+ OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -+ ossl_ctx_legacy_digest_signatures_new, -+ ossl_ctx_legacy_digest_signatures_free, -+}; -+ +static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures( + OSSL_LIB_CTX *libctx, int loadconfig) +{ +#ifndef FIPS_MODULE + if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) -+ return 0; ++ return NULL; +#endif + -+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES, -+ &ossl_ctx_legacy_digest_signatures_method); ++ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX); +} + +int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig) 
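Review bot: `ossl_ctx_legacy_digest_signatures_new` now writes `ldsigs->allowed = 0;` directly after `OPENSSL_zalloc` with no NULL check, so an allocation failure becomes a NULL dereference instead of the NULL return that the new `context_init` code tests for before `goto err`. Add `if (ldsigs == NULL) return NULL;` before the assignment; the assignment itself is redundant after a zeroing allocation. The comment added above it says the Fedora default is to allow SHA-1, yet the code sets `allowed` to 0, and the same comment is repeated in the next hunk above `return ldsigs != NULL ? ldsigs->allowed : 0;`. For a policy default, the comment should state what this build actually does, so one of the two needs correcting.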
@@ -131,12 +152,15 @@ index 9188edbc21..db1a1d7bc3 100644 + OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs + = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); + -+#ifndef FIPS_MODULE -+ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL) ++ #ifndef FIPS_MODULE ++ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL) + /* used in tests */ -+ return 1; -+#endif ++ return 1; ++ #endif + ++ /* Warning: This patch differs from the same patch in CentOS and RHEL here, ++ * because the default on Fedora is to allow SHA-1 and support disabling ++ * it, while CentOS/RHEL disable it by default and allow enabling it. */ + return ldsigs != NULL ? ldsigs->allowed : 0; +} + @@ -154,11 +178,10 @@ index 9188edbc21..db1a1d7bc3 100644 + ldsigs->allowed = allow; + return 1; +} -+ + #ifndef FIPS_MODULE - static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) -@@ -258,6 +323,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -253,6 +320,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, } } @@ -178,7 +201,7 @@ index 9188edbc21..db1a1d7bc3 100644 if (signature->digest_verify_init == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index 2b9c6c2351..3c5a1e6f5d 100644 +index 268b1617e3..248f655d0f 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -33,6 +33,7 @@ @@ -189,7 +212,7 @@ index 2b9c6c2351..3c5a1e6f5d 100644 #include "evp_local.h" #ifndef FIPS_MODULE -@@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, +@@ -951,6 +952,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, return -2; } @@ -211,7 +234,7 @@ index 2b9c6c2351..3c5a1e6f5d 100644 return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md)); diff --git a/doc/man5/config.pod b/doc/man5/config.pod -index 77a8055e81..aa1be5ca7f 100644 +index bd05736220..ed34ff4b9c 100644 --- a/doc/man5/config.pod 
+++ b/doc/man5/config.pod @@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning: @@ -232,20 +255,31 @@ index 77a8055e81..aa1be5ca7f 100644 =item B (deprecated) The value is a boolean that can be B or B. If the value is +diff --git a/include/crypto/context.h b/include/crypto/context.h +index 7369a730fb..55b74238c8 100644 +--- a/include/crypto/context.h ++++ b/include/crypto/context.h +@@ -46,3 +46,6 @@ void ossl_release_default_drbg_ctx(void); + #if defined(OPENSSL_THREADS) + void ossl_threads_ctx_free(void *); + #endif ++ ++void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *); ++void ossl_ctx_legacy_digest_signatures_free(void *); diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h -index 1291299b6e..e234341e6a 100644 +index 64851fd8ed..8e01a77ddc 100644 --- a/include/internal/cryptlib.h +++ b/include/internal/cryptlib.h -@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st { - # define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16 - # define OSSL_LIB_CTX_BIO_CORE_INDEX 17 +@@ -117,7 +117,8 @@ typedef struct ossl_ex_data_global_st { # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18 --# define OSSL_LIB_CTX_MAX_INDEXES 19 -+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES 19 -+# define OSSL_LIB_CTX_MAX_INDEXES 20 + # define OSSL_LIB_CTX_THREAD_INDEX 19 + # define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20 +-# define OSSL_LIB_CTX_MAX_INDEXES 20 ++# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 21 ++# define OSSL_LIB_CTX_MAX_INDEXES 21 - # define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1 - # define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0 + OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx); + int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx); diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h index fd7f7e3331..05464b0655 100644 --- a/include/internal/sslconf.h @@ -260,7 +294,7 @@ index fd7f7e3331..05464b0655 100644 + int loadconfig); #endif 
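Review bot: `OSSL_LIB_CTX_MAX_INDEXES` is set to 21, the same value as the new `OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX`, whereas the previous revision of this patch kept the maximum one above the highest index (19 and 20). The `ossl_lib_ctx_get_data` hunk in this patch dispatches through a `switch`, so this is probably harmless, and the surrounding context lines suggest upstream already uses the same convention. Still, if any code sizes or bounds-checks an array by `OSSL_LIB_CTX_MAX_INDEXES`, the new slot would be out of range; please confirm there is no such use, or add a one-line comment such as `/* highest index in use, not a count */` next to the define.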
diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c -index 699ada7c52..e534ad0a5f 100644 +index 0d3acdbe56..fe694c4e96 100644 --- a/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c @@ -19,6 +19,7 @@ @@ -271,7 +305,7 @@ index 699ada7c52..e534ad0a5f 100644 /* * FIPS requires a minimum security strength of 112 bits (for encryption or -@@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, +@@ -243,6 +244,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, mdnid = -1; /* disallowed by security checks */ } # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ @@ -288,7 +322,7 @@ index 699ada7c52..e534ad0a5f 100644 } diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c -index de7f0d3a0a..ce54a94fbc 100644 +index 246323493e..2ca7a59f39 100644 --- a/providers/common/securitycheck_default.c +++ b/providers/common/securitycheck_default.c @@ -15,6 +15,7 @@ @@ -299,7 +333,7 @@ index de7f0d3a0a..ce54a94fbc 100644 /* Disable the security checks in the default provider */ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) -@@ -23,9 +24,10 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) +@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) } int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, @@ -311,7 +345,7 @@ index de7f0d3a0a..ce54a94fbc 100644 static const OSSL_ITEM name_to_nid[] = { { NID_md5, OSSL_DIGEST_NAME_MD5 }, -@@ -36,8 +38,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, +@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 }, }; @@ -325,10 +359,10 @@ index de7f0d3a0a..ce54a94fbc 100644 return mdnid; } 
diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c -index 28fd7c498e..fa3822f39f 100644 +index b89a0f6836..e0c26a13e4 100644 --- a/providers/implementations/signature/dsa_sig.c +++ b/providers/implementations/signature/dsa_sig.c -@@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, +@@ -125,12 +125,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, mdprops = ctx->propq; if (mdname != NULL) { @@ -350,10 +384,10 @@ index 28fd7c498e..fa3822f39f 100644 if (md == NULL || md_nid < 0) { if (md == NULL) diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c -index 865d49d100..99b228e82c 100644 +index f158105e71..62355b89fe 100644 --- a/providers/implementations/signature/ecdsa_sig.c +++ b/providers/implementations/signature/ecdsa_sig.c -@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, +@@ -247,7 +247,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, "%s could not be fetched", mdname); return 0; } @@ -366,10 +400,10 @@ index 865d49d100..99b228e82c 100644 sha1_allowed); if (md_nid < 0) { diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index 325e855333..bea397f0c1 100644 +index c1405f47ea..aeda1a7758 100644 --- a/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c -@@ -26,6 +26,7 @@ +@@ -25,6 +25,7 @@ #include "internal/cryptlib.h" #include "internal/nelem.h" #include "internal/sizes.h" @@ -377,7 +411,7 @@ index 325e855333..bea397f0c1 100644 #include "crypto/rsa.h" #include "prov/providercommon.h" #include "prov/implementations.h" -@@ -34,6 +35,7 @@ +@@ -33,6 +34,7 @@ #include "prov/securitycheck.h" #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 
@@ -385,7 +419,7 @@ index 325e855333..bea397f0c1 100644 OSSL_FUNC_signature_newctx_fn rsa_newctx; static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; -@@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, +@@ -301,10 +303,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, if (mdname != NULL) { EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); @@ -403,7 +437,7 @@ index 325e855333..bea397f0c1 100644 if (md == NULL || md_nid <= 0 -@@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) +@@ -1392,8 +1399,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) prsactx->pad_mode = pad_mode; if (prsactx->md == NULL && pmdname == NULL @@ -421,7 +455,7 @@ index 325e855333..bea397f0c1 100644 if (pmgf1mdname != NULL && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index fc32bb3556..4b74ee1a34 100644 +index 631e1fdef9..05dd7c5595 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -20,6 +20,7 @@ 
@@ -432,21 +466,23 @@ index fc32bb3556..4b74ee1a34 100644 #include "internal/nelem.h" #include "internal/sizes.h" #include "internal/tlsgroups.h" -@@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) - = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); +@@ -1506,6 +1507,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) + uint16_t *tls12_sigalgs_list = NULL; EVP_PKEY *tmpkey = EVP_PKEY_new(); int ret = 0; + int ldsigs_allowed; - if (cache == NULL || tmpkey == NULL) + if (ctx == NULL) + goto err; +@@ -1521,6 +1523,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) goto err; ERR_set_mark(); + ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0); + /* First fill cache and tls12_sigalgs list from legacy algorithm list */ for (i = 0, lu = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { - EVP_PKEY_CTX *pctx; -@@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) +@@ -1542,6 +1545,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) cache[i].enabled = 0; continue; } @@ -459,15 +495,15 @@ index fc32bb3556..4b74ee1a34 100644 if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { cache[i].enabled = 0; diff --git a/util/libcrypto.num b/util/libcrypto.num -index 10b4e57d79..2d3c363bb0 100644 +index ef97803327..8046454025 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num -@@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION: - OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: - OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: - ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: +@@ -5536,3 +5536,5 @@ X509_STORE_CTX_set_get_crl 5663 3_2_0 EXIST::FUNCTION: + X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: + OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: + BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK +ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: -- -2.35.1 +2.44.0 
diff --git a/0051-Support-different-R_BITS-lengths-for-KBKDF.patch b/0051-Support-different-R_BITS-lengths-for-KBKDF.patch deleted file mode 100644 index c240628..0000000 --- a/0051-Support-different-R_BITS-lengths-for-KBKDF.patch +++ /dev/null 
@@ -1,2151 +0,0 @@ -From 0e9a265e42890699dfce82f1ff6905de6aafbd41 Mon Sep 17 00:00:00 2001 -From: Patrick Uiterwijk -Date: Thu, 18 Nov 2021 10:47:14 +0100 -Subject: [PATCH] Support different R_BITS lengths for KBKDF - -Reviewed-by: Tomas Mraz -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/17063) ---- - doc/man7/EVP_KDF-KB.pod | 7 + - include/openssl/core_names.h | 1 + - providers/implementations/kdfs/kbkdf.c | 30 +- - test/evp_kdf_test.c | 47 +- - test/evp_test.c | 6 + - test/recipes/30-test_evp.t | 1 + - .../30-test_evp_data/evpkdf_kbkdf_counter.txt | 1843 +++++++++++++++++ - 7 files changed, 1924 insertions(+), 11 deletions(-) - create mode 100644 test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt - -diff --git a/doc/man7/EVP_KDF-KB.pod b/doc/man7/EVP_KDF-KB.pod -index d4fad66f7654..a67268afa7d5 100644 ---- a/doc/man7/EVP_KDF-KB.pod -+++ b/doc/man7/EVP_KDF-KB.pod -@@ -58,6 +58,13 @@ Set to B<0> to disable use of the optional Fixed Input data 'zero separator' - (see SP800-108) that is placed between the Label and Context. - The default value of B<1> will be used if unspecified. - -+=item "r" (B) -+ -+Set the fixed value 'r', indicating the length of the counter in bits. -+ -+Supported values are B<8>, B<16>, B<24>, and B<32>. -+The default value of B<32> will be used if unspecified. 
-+ - =back - - Depending on whether mac is CMAC or HMAC, either digest or cipher is required -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index b549dae9167c..78418dc6e0a2 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -217,6 +217,7 @@ extern "C" { - #define OSSL_KDF_PARAM_PKCS12_ID "id" /* int */ - #define OSSL_KDF_PARAM_KBKDF_USE_L "use-l" /* int */ - #define OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR "use-separator" /* int */ -+#define OSSL_KDF_PARAM_KBKDF_R "r" /* int */ - #define OSSL_KDF_PARAM_X942_ACVPINFO "acvp-info" - #define OSSL_KDF_PARAM_X942_PARTYUINFO "partyu-info" - #define OSSL_KDF_PARAM_X942_PARTYVINFO "partyv-info" -diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c -index 01f7f0d4fd2e..a81cc6e0c0d6 100644 ---- a/providers/implementations/kdfs/kbkdf.c -+++ b/providers/implementations/kdfs/kbkdf.c -@@ -60,6 +60,7 @@ typedef struct { - EVP_MAC_CTX *ctx_init; - - /* Names are lowercased versions of those found in SP800-108. 
*/ -+ int r; - unsigned char *ki; - size_t ki_len; - unsigned char *label; -@@ -100,6 +101,7 @@ static uint32_t be32(uint32_t host) - - static void init(KBKDF *ctx) - { -+ ctx->r = 32; - ctx->use_l = 1; - ctx->use_separator = 1; - } -@@ -152,7 +154,7 @@ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv, - size_t iv_len, unsigned char *label, size_t label_len, - unsigned char *context, size_t context_len, - unsigned char *k_i, size_t h, uint32_t l, int has_separator, -- unsigned char *ko, size_t ko_len) -+ unsigned char *ko, size_t ko_len, int r) - { - int ret = 0; - EVP_MAC_CTX *ctx = NULL; -@@ -186,7 +188,7 @@ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv, - if (mode == FEEDBACK && !EVP_MAC_update(ctx, k_i, k_i_len)) - goto done; - -- if (!EVP_MAC_update(ctx, (unsigned char *)&i, 4) -+ if (!EVP_MAC_update(ctx, 4 - (r / 8) + (unsigned char *)&i, r / 8) - || !EVP_MAC_update(ctx, label, label_len) - || (has_separator && !EVP_MAC_update(ctx, &zero, 1)) - || !EVP_MAC_update(ctx, context, context_len) -@@ -217,6 +219,7 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, - unsigned char *k_i = NULL; - uint32_t l = 0; - size_t h = 0; -+ uint64_t counter_max; - - if (!ossl_prov_is_running() || !kbkdf_set_ctx_params(ctx, params)) - return 0; -@@ -248,6 +251,15 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, - goto done; - } - -+ if (ctx->mode == COUNTER) { -+ /* Fail if keylen is too large for r */ -+ counter_max = (uint64_t)1 << (uint64_t)ctx->r; -+ if ((uint64_t)(keylen / h) >= counter_max) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); -+ goto done; -+ } -+ } -+ - if (ctx->use_l != 0) - l = be32(keylen * 8); - -@@ -257,7 +269,7 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, - - ret = derive(ctx->ctx_init, ctx->mode, ctx->iv, ctx->iv_len, ctx->label, - ctx->label_len, ctx->context, ctx->context_len, k_i, h, l, -- ctx->use_separator, 
key, keylen); -+ ctx->use_separator, key, keylen, ctx->r); - done: - if (ret != 1) - OPENSSL_cleanse(key, keylen); -@@ -328,6 +340,17 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_l)) - return 0; - -+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KBKDF_R); -+ if (p != NULL) { -+ int new_r = 0; -+ -+ if (!OSSL_PARAM_get_int(p, &new_r)) -+ return 0; -+ if (new_r != 8 && new_r != 16 && new_r != 24 && new_r != 32) -+ return 0; -+ ctx->r = new_r; -+ } -+ - p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR); - if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_separator)) - return 0; -@@ -354,6 +377,7 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, - OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), - OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_L, NULL), - OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR, NULL), -+ OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_R, NULL), - OSSL_PARAM_END, - }; - return known_settable_ctx_params; -diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c -index 7fde5ea4111c..173d8cb8b87b 100644 ---- a/test/evp_kdf_test.c -+++ b/test/evp_kdf_test.c -@@ -1068,9 +1068,9 @@ static int test_kdf_kbkdf_6803_256(void) - #endif - - static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char *key, -- size_t keylen, char *salt, char *info) -+ size_t keylen, char *salt, char *info, int *r) - { -- OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 7); -+ OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 8); - OSSL_PARAM *p = params; - - if (params == NULL) -@@ -1088,6 +1088,8 @@ static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char - OSSL_KDF_PARAM_SALT, salt, strlen(salt)); - *p++ = OSSL_PARAM_construct_octet_string( - OSSL_KDF_PARAM_INFO, info, strlen(info)); -+ *p++ = OSSL_PARAM_construct_int( -+ OSSL_KDF_PARAM_KBKDF_R, r); - *p = OSSL_PARAM_construct_end(); - - 
return params; -@@ -1100,8 +1102,9 @@ static int test_kdf_kbkdf_invalid_digest(void) - OSSL_PARAM *params; - - static unsigned char key[] = {0x01}; -+ int r = 32; - -- params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test"); -+ params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test", &r); - if (!TEST_ptr(params)) - return 0; - -@@ -1122,8 +1125,9 @@ static int test_kdf_kbkdf_invalid_mac(void) - OSSL_PARAM *params; - - static unsigned char key[] = {0x01}; -+ int r = 32; - -- params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test"); -+ params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test", &r); - if (!TEST_ptr(params)) - return 0; - -@@ -1137,6 +1141,30 @@ static int test_kdf_kbkdf_invalid_mac(void) - return ret; - } - -+static int test_kdf_kbkdf_invalid_r(void) -+{ -+ int ret; -+ EVP_KDF_CTX *kctx; -+ OSSL_PARAM *params; -+ -+ static unsigned char key[] = {0x01}; -+ int r = 31; -+ -+ params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r); -+ if (!TEST_ptr(params)) -+ return 0; -+ -+ /* Negative test case - derive should fail */ -+ kctx = get_kdfbyname("KBKDF"); -+ ret = TEST_ptr(kctx) -+ && TEST_false(EVP_KDF_CTX_set_params(kctx, params)); -+ -+ EVP_KDF_CTX_free(kctx); -+ OPENSSL_free(params); -+ return ret; -+} -+ -+ - static int test_kdf_kbkdf_empty_key(void) - { - int ret; -@@ -1145,8 +1173,9 @@ static int test_kdf_kbkdf_empty_key(void) - - static unsigned char key[] = {0x01}; - unsigned char result[32] = { 0 }; -+ int r = 32; - -- params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test"); -+ params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test", &r); - if (!TEST_ptr(params)) - return 0; - -@@ -1169,8 +1198,9 @@ static int test_kdf_kbkdf_1byte_key(void) - - static unsigned char key[] = {0x01}; - unsigned char result[32] = { 0 }; -+ int r = 32; - -- params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test"); -+ params = 
construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r); - if (!TEST_ptr(params)) - return 0; - -@@ -1191,8 +1221,9 @@ static int test_kdf_kbkdf_zero_output_size(void) - - static unsigned char key[] = {0x01}; - unsigned char result[32] = { 0 }; -+ int r = 32; - -- params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test"); -+ params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r); - if (!TEST_ptr(params)) - return 0; - -@@ -1298,7 +1329,6 @@ static int test_kdf_kbkdf_8009_prf2(void) - * Test vector taken from - * https://csrc.nist.gov/CSRC/media/Projects/ - * Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip -- * Note: Only 32 bit counter is supported ([RLEN=32_BITS]) - */ - static int test_kdf_kbkdf_fixedinfo(void) - { -@@ -1628,6 +1658,7 @@ int setup_tests(void) - #endif - ADD_TEST(test_kdf_kbkdf_invalid_digest); - ADD_TEST(test_kdf_kbkdf_invalid_mac); -+ ADD_TEST(test_kdf_kbkdf_invalid_r); - ADD_TEST(test_kdf_kbkdf_zero_output_size); - ADD_TEST(test_kdf_kbkdf_empty_key); - ADD_TEST(test_kdf_kbkdf_1byte_key); -diff --git a/test/evp_test.c b/test/evp_test.c -index 70996195f0cb..6ae862b04403 100644 ---- a/test/evp_test.c -+++ b/test/evp_test.c -@@ -2639,6 +2639,12 @@ static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx, - TEST_info("skipping, '%s' is disabled", p); - t->skip = 1; - } -+ if (p != NULL -+ && (strcmp(name, "mac") == 0) -+ && is_mac_disabled(p)) { -+ TEST_info("skipping, '%s' is disabled", p); -+ t->skip = 1; -+ } - OPENSSL_free(name); - return 1; - } -diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t -index 7ae546e1d70c..7b976c0a1b5e 100644 ---- a/test/recipes/30-test_evp.t -+++ b/test/recipes/30-test_evp.t -@@ -45,6 +45,7 @@ my @files = qw( - evpciph_aes_wrap.txt - evpciph_aes_stitched.txt - evpkdf_hkdf.txt -+ evpkdf_kbkdf_counter.txt - evpkdf_pbkdf1.txt - evpkdf_pbkdf2.txt - evpkdf_ss.txt -diff --git 
a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt -new file mode 100644 -index 000000000000..04ab8ff0fad7 ---- /dev/null -+++ b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt -@@ -0,0 +1,1843 @@ -+# -+# Copyright 2021-2021 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+# Tests start with one of these keywords -+# Cipher Decrypt Derive Digest Encoding KDF MAC PBE -+# PrivPubKeyPair Sign Verify VerifyRecover -+# and continue until a blank line. Lines starting with a pound sign are ignored. -+ -+Title = KBKDF tests -+ -+# Test vectors taken from -+# https://csrc.nist.gov/CSRC/media/Projects/ -+# Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip -+ -+ -+# [PRF=CMAC_AES128] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:dff1e50ac0b69dc40f1051d46c2b069c -+Ctrl.hexinfo = hexinfo:c16e6e02c5a3dcc8d78b9ac1306877761310455b4e41469951d9e6c2245a064b33fd8c3b01203a7824485bf0a64060c4648b707d2607935699316ea5 -+Output = 8be8f0869b3c0ba97b71863d1b9f7813 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:682e814d872397eba71170a693514904 -+Ctrl.hexinfo = hexinfo:e323cdfa7873a0d72cd86ffb4468744f097db60498f7d0e3a43bafd2d1af675e4a88338723b1236199705357c47bf1d89b2f4617a340980e6331625c -+Output = 
dac9b6ca405749cfb065a0f1e42c7c4224d3d5db32fdafe9dee6ca193316f2c7 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:7aa9973481d560f3be217ac3341144d8 -+Ctrl.hexinfo = hexinfo:46f88b5af7fb9e29262dd4e010143a0a9c465c627450ec74ab7251889529193e995c4b56ff55bc2fc8992a0df1ee8056f6816b7614fba4c12d3be1a5 -+Output = 1746ae4f09903f74bfbe1b8ae2b79d74576a3b09 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:e91e0d06ab23a4e495bbcc430efddcaf -+Ctrl.hexinfo = hexinfo:24acb8e9227b180f2ccebea48051cbdbcd1be2bf94400d1e92945fe9b887585a295f46c469036107697813a3e12c45ae2ffde9a940f8f8c181018a93 -+Output = e81ef2483729d4165aaa4866c17f26496e6c6924e2fe34f608efef0c35835f86df29a1e19ce166a8 -+ -+ -+# [PRF=CMAC_AES128] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:30ec5f6fa1def33cff008178c4454211 -+Ctrl.hexinfo = hexinfo:c95e7b1d4f2570259abfc05bb00730f0284c3bb9a61d07259848a1cb57c81d8a6c3382c500bf801dfc8f70726b082cf4c3fa34386c1e7bf0e5471438 -+Output = 00018fff9574994f5c4457f461c7a67e -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:145c9e9365041f075ebde8ce26aa2149 -+Ctrl.hexinfo = hexinfo:0d39b1c9c34d95b5b521971828c81d9f2dbdbc4af2ddd14f628721117e5c39faa030522b93cc07beb8f142fe36f674942453ec5518ca46c3e6842a73 -+Output = 
8a204ce7eab882fae3e2b8317fe431dba16dabb8fe5235525e7b61135e1b3c16 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:6f3f8cbf40d2a694274cfa2eb2f265a3 -+Ctrl.hexinfo = hexinfo:e7b88baa4a2c22b3d78f41d509996c95468c8cb834b035dd5e09e0a455da254b8b5687a1433861751d2dd603f69b2d4ba4ae47776335d37c98b44b4b -+Output = d147f1c78121c583cbcb9d4b0d3767a357bd7232 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:5e534bea459e54c58a6942abfd4df8ab -+Ctrl.hexinfo = hexinfo:e9a5cc15d223aaa74abd122983b2a10512199b9cc87663fd8a62d417cef53770264fc51f683890fe42da2df7be0f60898c5b09d5c4932137b6b1e06e -+Output = 92480eb4860123ceda76f1e6bf2668520bea49ed72bb900ae50725bb8cfcdb733af1a9de71fe1af5 -+ -+ -+# [PRF=CMAC_AES128] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:ca1cf43e5ccd512cc719a2f9de41734c -+Ctrl.hexinfo = hexinfo:e3884ac963196f02ddd09fc04c20c88b60faa775b5ef6feb1faf8c5e098b5210e2b4e45d62cc0bf907fd68022ee7b15631b5c8daf903d99642c5b831 -+Output = 1cb2b12326cc5ec1eba248167f0efd58 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:1bfaf4cd6efd25a132e2a1d41b124465 -+Ctrl.hexinfo = hexinfo:b933cfbb223ea65ed0e8db822f83be64ee21d3b9ca1eb0bc32f9d77f145a3e4ed4e2cc72cb3d93ea44824ab81eefdf71bbdb62067e0eb34a79914e4f -+Output = 
75f4d20c558d71646ec062d2ca75369a218cedb7104be3abf27026af003e98f3 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:80168f187848a68b0b82a7ef43b4eedc -+Ctrl.hexinfo = hexinfo:9357281df7665ae5ae961fe5f93a3124416cab3deb11583429c5e529af3fc71094aad560cbc279168fe1c3327787f91a414acfff063832bcd78ed1b5 -+Output = be4517c9e6de96929e655a08f5b6d5bb77364f85 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:26fa0e32e7e08f9b157ebae9f579710f -+Ctrl.hexinfo = hexinfo:ceab805efbe0c50a8aef62e59d95e7a54daa74ed86aa9b1ae8abf68b985b5af4b0ee150e83e6c063b59c7bf813ede9826af149237aed85b415898fa8 -+Output = f1d9138afcc3db6001eb54c4da567a5db3659fc0ed48e664a0408946bcee0742127c17cabf348c7a -+ -+ -+# [PRF=CMAC_AES128] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:c10b152e8c97b77e18704e0f0bd38305 -+Ctrl.hexinfo = hexinfo:98cd4cbbbebe15d17dc86e6dbad800a2dcbd64f7c7ad0e78e9cf94ffdba89d03e97eadf6c4f7b806caf52aa38f09d0eb71d71f497bcc6906b48d36c4 -+Output = 26faf61908ad9ee881b8305c221db53f -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:695f1b1a16c949cea51cdf2554ec9d42 -+Ctrl.hexinfo = hexinfo:4fce5942832a390aa1cbe8a0bf9d202cb799e986c9d6b51f45e4d597a6b57f06a4ebfec6467335d116b7f5f9c5b954062f661820f5db2a5bbb3e0625 -+Output = 
d34b601ec18c34dfa0f9e0b7523e218bdddb9befe8d08b6c0202d75ace0dba89 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:b523ae21fc36bc58cc46e5a3cda97493 -+Ctrl.hexinfo = hexinfo:8dbe6d4d9b09b2eabd165b6e6e97e3bc782f8335cb1ea04ad0403affd88a5071db5f36ce2e84ab296261730b2226a9189d867991fbd4ff86f43a3cfb -+Output = 530211df01975dd6c08064c34105f88a6007f2b2 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:b2fcf854b1029888aeb0274ca09bb21a -+Ctrl.hexinfo = hexinfo:a6b84baae7a6ceb1d63ed704757500c510c0a8bdc22d2f42af09f79c815f37f33b67dad0b30f428fc1e2d355f7f91f65acbedd2fdd5b8c38dd890407 -+Output = fe4c2c0242c5a295c008aeb87ae0815171de6173773292347f4f5ec07185c3f860b5667c199aad55 -+ -+ -+# [PRF=CMAC_AES192] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:53d1705caab7b06886e2dbb53eea349aa7419a034e2d92b9 -+Ctrl.hexinfo = hexinfo:b120f7ce30235784664deae3c40723ca0539b4521b9aece43501366cc5df1d9ea163c602702d0974665277c8a7f6a057733d66f928eb7548cf43e374 -+Output = eae32661a323f6d06d0116bb739bd76a -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:d10046bb18c3f363e87f4e57b961b294d4edf2ca91dc3e38 -+Ctrl.hexinfo = hexinfo:2d043069de979bffb1be38a3cef2869dc07d5d3e99bde2e2204f10138081743f423f0c0b1aec0735a25bc61a8e2936dec6a25bb0ae105ab46caf8a2a -+Output = 
8991a58882a0488bb5478996f2893989adb66d08d5030ad90f6ce5fdfca7754b -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:bf0abb70098d6c203074f1bce3d7468116cd1e5e8e618f20 -+Ctrl.hexinfo = hexinfo:d9ce030a48668ada6c67a2ac163515ec22383c4b5332e18d06901bacbb63dd649c683cfd4fee2f33346817b23cb4c734060a1c727b0c72c12448f4f9 -+Output = ecd1eef152b5835376f1a4324cd968bcb0cf850a -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:8725918ca07ad8e108473e5ffdf43eb1cf5c44baf0bd1cec -+Ctrl.hexinfo = hexinfo:f4a57b84a881cf282aac5402cfa8fc4ede0db6f8e902d5c0c41c4712077306484e626e3ffc4129d9b43b46cbb6c53d2838a811dc8aedad7253cf94d4 -+Output = 5a795fd0d7661968c478860b526cca40eb8702083fdbff3ff8adfa697e795398ca7106bc950fbb45 -+ -+ -+# [PRF=CMAC_AES192] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:d7e8eefc503a39e70d931f16645958ad06fb789f0cbc518b -+Ctrl.hexinfo = hexinfo:b10ea2d67904a8b3b7ce5eef7d9ee49768e8deb3506ee74a2ad8dd8661146fde74137a8f6dfc69a370945d15335e0d6403fa029da19d34140c7e3da0 -+Output = 95278b8883852f6676c587507b0aa162 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:5e6695d7c3f5b156c7b457c8c2b801ba2ae30c9c8a36ee61 -+Ctrl.hexinfo = hexinfo:1406756f40efb8e29d5455d2da4bf1993b3c3901d67ec90934895f5de7845f573ae8a0dc8a6ad77d80da29e81329440d61d63dda8eaa7851bc7a172d 
-+Output = 72046d5eed909f6ab25810ead446ace7422fd87e6bd496ff2e84b115b8e0d27e -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:e3b88f40c9974410955820a8f8392701e9c67cc6efd3b0ff -+Ctrl.hexinfo = hexinfo:a520f36b6b60dfce34dc1d1f6b16132efa82566efa49f3140113fbc59e309c40db42962c06123721f122f433fa417ce3319bca9c58b4184fd8c7be8f -+Output = 134b6236a80c257591cc1437ab007b3fa4bd7191 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:51574d47f2f1d202a30252823b52ba7858b729d5ed4c92f7 -+Ctrl.hexinfo = hexinfo:0819c17dd3f9a68493a958c46152d04ba450043908a0016b99cc124d5e75b0d11e7c26f27365609c110eee7f8baa88a7d99fecc690e617150f93bd6c -+Output = c46db4cd822e9841408fba79932d6c748bc7ab17421ed1ad188aed327c2a0d694e380c0cade8b37f -+ -+ -+# [PRF=CMAC_AES192] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:f7c1e0682a12f1f17d23dc8af5c463b8aa28f87ed82fad22 -+Ctrl.hexinfo = hexinfo:890ec4966a8ac3fd635bd264a4c726c87341611c6e282766b7ffe621080d0c00ac9cf8e2784a80166303505f820b2a309e9c3a463d2e3fd4814e3af5 -+Output = a71b0cbe30331fdbb63f8d51249ae50b -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:3eeed1560e17aaffe9f6ca9d81815b89a6879a56ebe4182a -+Ctrl.hexinfo = 
hexinfo:a643378a557af69ce2c606bc623a04b568a848207534d25bfa22664f9148997a6b4c00f4624b5100b4eb01857240b119876c3a86c1e8b02335475939 -+Output = 8a1dc0f616353bf3ecf5553d7a7651e9ea6d884a32172d3391ad342bfaf60785 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:c984c3f65cdc32e7503678764a9e84292a1f50e335167a36 -+Ctrl.hexinfo = hexinfo:0061cd40f9eef84d6c8b04e0142d70aa50d4690e0a1de8e3ff5f5cea10cd2d28281eb1df90c519b8b51f7aa0d63a313ebbf80538b54dd11a66115be6 -+Output = afe93ae91930261344e30ef9e1718e76f74225d9 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:993305e59f34a94f62931fd7662bb5b73c77d8d4bc6a33ba -+Ctrl.hexinfo = hexinfo:fcceb2d7ac6a68717c2490ec95bebea484c4930d156683c43164dc53bff0bafcbfb31e920109927ef08e12f66f258b6f8ba284908faee7d3376e1bac -+Output = 40e358cfdeee0286d152fcb4626ff22e67eea3b65d8750a273001b67645804cbf613832201b0a9ba -+ -+ -+# [PRF=CMAC_AES192] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:f4267280cb8667c2cf82bb37f389da6391f58cc74deba0cc -+Ctrl.hexinfo = hexinfo:34abbc9f7b12622309a827de5abfdd51fb5bb824838fcde88ca7bc5f3953abdcb445147f13e809e294f75e6d4e3f13b66e47f2dfc881ed392e3a1bf6 -+Output = 2d1b4b5694b6741b2ed9c02c05474225 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:dc866a038c4f78f22d46caca65892bcdb15c1eb49b275827 
-+Ctrl.hexinfo = hexinfo:b4a123bad4890c7a791f5e192bd8b6e9c8c3620329f99249f11e1eb517a5b27b9e5b047a6591b45f6fff53e6d04b32d82e052af2eb8519bd21c10f93 -+Output = 731a2e23ab2e58551490254041ee8fabd9c5a1918d76307f1048535be0763b20 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:dd5e0f1a30b0b722b00626ee663df29601af58082708e18c -+Ctrl.hexinfo = hexinfo:b7c6eb48c80b071080fd07a827d0bfdc781599862084f7ffd968a4cbff0be9a6adef5ea206aa8af4d8a85705953e33cd7c4cbb69969c73698f54c6b8 -+Output = 84e1ca286776cda0784c4fc48b054384ca565d17 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:d64c598436507f4d05d7ebe780092996f281901dc9c8612f -+Ctrl.hexinfo = hexinfo:0ea737cfca2560856917f3a2ff5e2175930d0719bba85a9c8d8cb311a0a1b8caf8ffe03e9a86ab17046670011c9fec5c5cd697d9cd931f615cdfe649 -+Output = 3c26968bd3997c653f79bb725c36d784b590d18a64678cf312abe8a57b2891c27282e37b6a49cd73 -+ -+ -+# [PRF=CMAC_AES256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:aeb7201d055f754212b3e497bd0b25789a49e51da9f363df414a0f80e6f4e42c -+Ctrl.hexinfo = hexinfo:11ec30761780d4c44acb1f26ca1eb770f87c0e74505e15b7e456b019ce0c38103c4d14afa1de71d340db51410596627512cf199fffa20ef8c5f4841e -+Output = 2a9e2fe078bd4f5d3076d14d46f39fb2 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = 
hexkey:5402c978955128558789bee7b571465174a60582a7640037387f99ac16683173 -+Ctrl.hexinfo = hexinfo:5c7eb447481c2884a5398449eaecbb8b55f1f1981ba0fd187818d8b3581b430c3da52ab83d444e003625ff36fcbd160c67b18d85b6c9d00da1a15d15 -+Output = f22a4686abe599c2194d21fc9071ffceb023dd9b24c13f05a3d44cfc77fec44a -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:cac968a8ffd81c73948bdfb48bf8a29c1378517d3be294df9a8a80724075bdbd -+Ctrl.hexinfo = hexinfo:08817bcd560edf810aa004194c817e455fb66bbc3b84fef1d66df2d1cebb3403c24231fa822f130c5d8fe886217122dcab15cb725197bbcbeb8010f5 -+Output = 651c43e113b32026b204119af394301f0cb9831c -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:9debd1762a9643e967dbc174f2040e177b8053afb0829189a81fed94f8c365ee -+Ctrl.hexinfo = hexinfo:6c4e1e3fdd7f5c97d58bcdda792642cbd271d6968f6a8e368013d88763d0b306c832b7ab46b84d099596972d12220a4e9c81f82d6f5003d18b93c595 -+Output = 2518a44ea347e924b03a7b4c966ec4e4bd76c1456d09096be9387638c2737faeebba4e2b921b19db -+ -+ -+# [PRF=CMAC_AES256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:4df60800bf8e2f6055c5ad6be43ee3deb54e2a445bc88a576e111b9f7f66756f -+Ctrl.hexinfo = hexinfo:962adcaf12764c87dad298dbd9ae234b1ff37fed24baee0649562d466a80c0dcf0a65f04fe5b477fd00db6767199fa4d1b26c68158c8e656e740ab4d -+Output = eca99d4894cdda31fe355b82059a845c -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 
-+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:4c30b96d9beff5cc3c37527694eeec8207fae2c13ef295556919a7a46e5b90c1 -+Ctrl.hexinfo = hexinfo:86e1ad34bd7a998281a822129a23102f799812864cf5349f3f21cec7729f83ad8c8aa6517fafcc9521cde887686629048159ed3f15c01408984f547e -+Output = 815fe232e0e89f7eeaa87c3ba5007694a43c1577657ccb3018076c5a5c035d95 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:e508ce78aca2cc50c80a6cbdb2b178f8ee5e315dad71ddfa700eb6cf503239b3 -+Ctrl.hexinfo = hexinfo:28c47ddd23d349e3b30bf97975c5fa591f2158e001dae3faa154d93c615c89fc7449c901a2585e618f68a0b2cbd3f35f53424d5ea015cbf7e8e09f68 -+Output = 6bc69b4c11aa7c04ac3c03baa44daeac4a047992 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:ee0a0f88b3b441826264de7a31b890a66edf7c2a28d0286eab285846b586fb8e -+Ctrl.hexinfo = hexinfo:1ea9771ab763056260d885073e80e835e20e5d7ca9659fdf5dd3b7f2ae6286608f8bc7a6728e41346c55544942b1bf06642fb6a6738fb5b7f0128f9c -+Output = 5484f170b6602b505e9e6ccffccf2262b55c3554728244bba94daff0adbc619400b33f38013a2293 -+ -+ -+# [PRF=CMAC_AES256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:1612a40daa7fce6c6788b3b71311188ffb850613fd81d0e87a891831348e2f28 -+Ctrl.hexinfo = hexinfo:1696438fcdf9a85284759b2604b64d7ea76199514709e711ecde5a505b5f27ae38d154aba14322481ddc9fd9169364b991460a0c9a05c7fcb2d099c9 -+Output = d101f4f2b5e239bae881cb488995bd52 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER 
-+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:77b50e24b859725d1cab531c885a6e60e7d5b0432f37408185ae688dffa5f6a5 -+Ctrl.hexinfo = hexinfo:0b2c907499cddaa1fcfb02002ab8b9756c5f1f9fea482d79b8a6aa9fa2fb48e69df94dca4cb6f2e90a462678279ddaacc482fdd76581996b43974a22 -+Output = c2a02b3743d506cdc1a41d4c2ae4c67610c5d607df0c26cbf7f4fe2198cb35f1 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:18a5c3e669967b42e9a29bad8fe86699f2b5d496ff767cd3171d1c7195ecef59 -+Ctrl.hexinfo = hexinfo:33231c50326592c25ec3eee2c61a3ad4c8a23c098dd83eafe5db411d0948eb122bb6eb7a1d04d2dbcd0b98d0b70b7ff305bb3ef6ac9d4e8e3f7ecd4f -+Output = e80afb5cd274cb5fa4952aa95177ae83337f4c8f -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:0b589e556b7583f0fa9144868603b59262f457dee1e887ffc0e39968218959b9 -+Ctrl.hexinfo = hexinfo:1b95b940e0b950a58f09ea09941b80852cb29838940bb146dc3db0ddcd87f72ee28813c09fcef773e95438c0ed3dbcf29e78de0c78377561c5869d5f -+Output = 260aef65eefd58816fe1a77120d047548b00c475c25178a2a33d4c801d49e8a0fb830513d0b3ff17 -+ -+ -+# [PRF=CMAC_AES256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:d0b1b3b70b2393c48ca05159e7e28cbeadea93f28a7cdae964e5136070c45d5c -+Ctrl.hexinfo = hexinfo:dd2f151a3f173492a6fbbb602189d51ddf8ef79fc8e96b8fcbe6dabe73a35b48104f9dff2d63d48786d2b3af177091d646a9efae005bdfacb61a1214 -+Output = 
8c449fb474d1c1d4d2a33827103b656a -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:d54b6fd94f7cf98fd955517f937e9927f9536caebe148fba1818c1ba46bba3a4 -+Ctrl.hexinfo = hexinfo:94c4a0c69526196c1377cebf0a2ae0fb4b57797c61bea8eeb0518ca08652d14a5e1bd1b116b1794ac8a476acbdbbcd4f6142d7b8515bad09ec72f7af -+Output = 2e1efed4aef3fdd324e098c0a07c0d97f8fd2c748a996ce29861ca042474daea -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:99f212241a343c1c8c2104ca6d28062413d985c21e6bba27fde0c622e2e4e6b7 -+Ctrl.hexinfo = hexinfo:af8dc1cb7d1f82ca834628c20f0fc81920eb3ff3f75d3f4e3000593e9c15872479711d99d1b7be794f58d80a31bb112219dc16e6354111ab1161e21d -+Output = 7f778c625bf0d083169a51584f6683f24af7c35e -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:dabde95d751ff1c132bd49f80f4ee347bf39218cf8bfec61bc3ad865d9aa1182 -+Ctrl.hexinfo = hexinfo:55da554307ed756764d4e97febb77ce85391b53225ee09417ad57def48ead090e3d1e7c2ed04f02462a6324ea0163b18f86201c69db27fd50b4c42c5 -+Output = 5cc29221cfa6f3a4ded7afeef5a59c05bac787fc5e98a35ee0c96ba582b05c42f758966566084f69 -+ -+ -+# [PRF=HMAC_SHA1] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:00a39bd547fb88b2d98727cf64c195c61e1cad6c -+Ctrl.hexinfo = 
hexinfo:98132c1ffaf59ae5cbc0a3133d84c551bb97e0c75ecaddfc30056f6876f59803009bffc7d75c4ed46f40b8f80426750d15bc1ddb14ac5dcb69a68242 -+Output = 0611e1903609b47ad7a5fc2c82e47702 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:1ee222f5cdd60b0ae956eeeaa838c51bd767672c -+Ctrl.hexinfo = hexinfo:4b10500ba5c9391da83d2ef78d01bcdccda32ff6f242960323324474b9d0685d99dc9143ac6d667a5b46dcc89784b3a4af7a7684b01efee41b144f48 -+Output = 806e342013853083a3f7294c63a9ec9a6dba75b256c62fac1e480ef26276cd4b -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:0e71d9e9c9e951978ada75c831d627dd5d3b4c59 -+Ctrl.hexinfo = hexinfo:08b6f69698e8eb6c8c63953abd3538531d722cc4e9ca7ffcb68abba4dd4b027b3787efa107902ace8abb54549bede4ffdadabec3f282865b2166d46e -+Output = 86137b96ec15b7954fdc5df8d371ee2d8016e97a -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:f0e5ad280b3465e719afdf86377bbcda59f5c59b -+Ctrl.hexinfo = hexinfo:231b6d83f0194499f27848108fd1fcdcf9520e67522cf54486fb919a839532d165019388242ce373a89ce644d7818e7415f5730a0b743595ab19add4 -+Output = 9a9ddd19818bb085d24e48ee99d6e628235a422fb2ae383282b7bbbf0e5f5edf42d7237b8ed6aa1d -+ -+ -+# [PRF=HMAC_SHA1] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:a510fe5ad1640d345a6dbba65d629c2a2fedd1ae -+Ctrl.hexinfo = 
hexinfo:9953de43418a85aa8db2278a1e380e83fb1e47744d902e8f0d1b3053f185bbcc734d12f219576e75477d7f7b799b7afed1a4847730be8fd2ef3f342e -+Output = c00707a18c57acdb84f17ef05a322da2 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:abec6c894ae9df32e5afdf5d06a0434e8940ca71 -+Ctrl.hexinfo = hexinfo:9a6574a0ea1123ab9580906f8a2c4a0ecba9a8a84079c37a6e283ad4d4e957c3d16db66ae4be99e688b221c359a8dd2505868beb6a49fd7ce6c35df4 -+Output = 5b37675aec199c7d08435ef6321cf6235c12453a4530072d4a73ba0ad34634a5 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:df4e835a2f201a3d0f840eab38a18adf72adf9eb -+Ctrl.hexinfo = hexinfo:84c6ca541d24a8b419037b9657ee4e0d5ef96d8b198355940a30b09bf8784e81d3b93558de21c46f04aec4afd610c3b230d17473c80b47b5004955e7 -+Output = 1202915544844b1f913caab512c582735bf76fed -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:cbe1d2895640dcd1545e60e04ce9d995707ec539 -+Ctrl.hexinfo = hexinfo:c80d735ec5fd0bf811a4a71c55e99373f83f4111194ec24a8e9fe24ef03f56ed15b4e135e02488d96dba8c0d60c26592df55a492691cf3b7eced40d1 -+Output = 1fd5a183be95c2d909deed31d686417d5c08bb88e6f75b150df330c8e7703bb8ccdffacb3e9ee3ff -+ -+ -+# [PRF=HMAC_SHA1] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:928c170199473291bf719a1985a13673afb8f298 -+Ctrl.hexinfo = 
hexinfo:f54388503cde2bf544db4c9510ff7a2759ba9b4e66da3baf41c90ce796d5ea7045bc27424afb03e137abfafe95158954c832090abdba02d86bab569d -+Output = 8c01160c72c925178d616a5c953df0a7 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:df7ecebec20e14be6db5d46af2769fe4e4ed689c -+Ctrl.hexinfo = hexinfo:308ec6953d4945f075d37932d5dd335c7de0d2e7899a8321724a50b52240191fcdf991520c47a25b04ce6eecc835e4265b623c68d687afc615f74ae5 -+Output = c2129eeb33ee6783b6b187e5ae884f8f5bd78ca224e5e01c04a68ecef376ea38 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:2539c58bba8ae61be8b867b767ad698eb1f52a0b -+Ctrl.hexinfo = hexinfo:9f6de21c93176f8814e9290a40149f749f946d376eb65f888eddcc4a24a58dbdbb3222fb53487e0abb08efff6d6a43511b18c40f489abe4013647273 -+Output = 20bc5ab8c27dd3f6f6fa5485f2eed8bd8b8b3d35 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:66002f224106971edc62a7c6957931b2097aabc3 -+Ctrl.hexinfo = hexinfo:f5fe599fac3bac5b10a4296b0783e2fc78cb498347ff3f74e2d9d230dfb6653e1a274e7bc37f0319eac2b0b48533b7be9d3633eed32101837ee460ff -+Output = c195b9139fee020eda70b8a161aef28474977412c0612afafe23b16b1594871548b5889b38e0cf2a -+ -+ -+# [PRF=HMAC_SHA1] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:f7591733c856593565130975351954d0155abf3c -+Ctrl.hexinfo = 
hexinfo:8e347ef55d5f5e99eab6de706b51de7ce004f3882889e259ff4e5cff102167a5a4bd711578d4ce17dd9abe56e51c1f2df950e2fc812ec1b217ca08d6 -+Output = 34fe44b0d8c41b93f5fa64fb96f00e5b -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:c1efb8d25affc61ed060d994fcd5017c2adfc388 -+Ctrl.hexinfo = hexinfo:b92fc055057fec71b9c53e7c44872423a57ed186d6ba66d980fecd1253bf71479320b7bf38d505ef79ca4d62d78ca662642cdcedb99503ea04c1dbe8 -+Output = 8db784cf90b573b06f9b7c7dca63a1ea16d93ee7d70ff9d87fa2558e83dc4eaa -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:e02ba5d5c410e855bbd13f840124273e6b864237 -+Ctrl.hexinfo = hexinfo:b14e227b4438f973d671141c6246acdc794eee91bc7efd1d5ff02a7b8fb044009fb6f1f0f64f35365fb1098e1995a34f8b70a71ed0265ed17ae7ae40 -+Output = f077c2d5d36a658031c74ef5a66aa48b4456530a -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:693adb9037184627ad300f176985bd379f388a95 -+Ctrl.hexinfo = hexinfo:7f09570c2d9304ec743ab845a8761c126c18f5cf72358eada2b5d1deb43dc6a0f4ff8f933bef7af0bcfacb33fa07f8ca04a06afe231835d5075996be -+Output = 52f55f51010e9bd78e4f58cab274ecafa561bd4e0f20da84f0303a1e5ff9bebc514361ec6df5c77e -+ -+ -+# [PRF=HMAC_SHA224] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:7e2f7a5ab3e82ef927a005308456823da473787bf33d18a864aca63f -+Ctrl.hexinfo = 
hexinfo:b35695a6e23a765105b87756468d442a53a60cd4225186dc94221c06c5d6f1e98462135656ebca90468a939f29112b811413567d498df9867914d94c -+Output = 10ba5c6ea609da8fa8abe8be552c97a1 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:667f72fc660e32943de386af9670c78e975c838cae91dca97f4f8508 -+Ctrl.hexinfo = hexinfo:e713e8c38e92c8ba0f0791cc4a0d00c98d8dda8f3137a775104e7aa65b5f04fed12ee78a88262b2931717b7ac5624162fd5f0307f4faef038dcc210c -+Output = 835b343242a489249eec3cd56384ea2a5b295e29a4430fec2aae0c8b9fa36d20 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:3344fb80fd655b16f08c78150516cbbc009fbdf1b510905f9113d275 -+Ctrl.hexinfo = hexinfo:dc2aa42084d645baeb822c0c1d9b8e200737e9a2c7dcd922d8f056d6c02552295d95a488758919724207eebb4c21887f71b51a2a7ce98827cf7af4bb -+Output = e281d09a31c57d053f0c2f902792c8bbb9a0f443 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:eb9386450d7b2da5492da5b139cf4b0b951a5b0c7d40c22ae2c20677 -+Ctrl.hexinfo = hexinfo:bd8b73969e3e2d7a943b937c3bffe3a9199d1cf27e289bb10c3b88696a5ae36b3b868b4fc6a20ca93dd0b328f3351f71ce656bb558fa33c74741398d -+Output = bc902dfba79fb4084339b6666c7f72b9f47675229dc24ec61068bb05082717eead35647ff147d7de -+ -+ -+# [PRF=HMAC_SHA224] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = 
hexkey:093b2ce84c6175d1723fbe94b9ee963b6251d018fcf8c05c2e3e9b0b -+Ctrl.hexinfo = hexinfo:083e114aca1f97166551b03f27b135c0c802294aa4845a46170b26ec0549cb59c70a85557a3fc3a37d23eed6947d50f10c15baf5c52a7b918ca80bf5 -+Output = 94ced61c3665616d4a368f83a7283648 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:ffb5c9d920522477cb2ecf16ae1e075587b7598348e019df85ca3d43 -+Ctrl.hexinfo = hexinfo:252743519ab4e03f8bb0ed137e2d315aac5010b951645c7626c6f5a77c4a6c4e0b0b4030abf937141f7142bcd702678b15d2d4e8850e0570ec782c79 -+Output = 3d1813da0322201ed45ac2aaf3542843913bb32fd832a33a5dc94bad964bfe56 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:7f0ea811340cddbbf261d0260b0c98dec790133cffd2b04b8f8be2b1 -+Ctrl.hexinfo = hexinfo:0a744543acddf7d8c0a205372a0450e32631a33bb89ad2e3bb2d9766c248ab755fec152a6da866ef50baeab607d88e5177042056970013aa18f9fb1e -+Output = e55120e7848cf61254159e79c2ac47a9a906a73c -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:6e237178c4884e13470b6b4848b40389d9856311735da4eefa2f6f38 -+Ctrl.hexinfo = hexinfo:9cd9f9ad88471668f3b25515851fff63d3a886b8c6cf371eae159bab58f997b83eda5815567a142c4264978d8f24d24fe2d513c0eeaff983b86fdbd8 -+Output = 1e6638ea717338cfeb7dea373785c3c763bd5e509358e4940e9a4e4fd0a3e0347973858bc20243b8 -+ -+ -+# [PRF=HMAC_SHA224] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = 
use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:f09e65e8de7500847b43bd95e6c3506e01aadd484e9699b027897542 -+Ctrl.hexinfo = hexinfo:c20f6188517b2ca10086b9f7f8d6f2d38d66f24193c037008d035f361c6bd74db26aef588a87aa8a1c3cdad2ba0207f7e7b39def0df797c4cb3bf614 -+Output = 73d30c2af54744eb1efb70429f8e303a -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:6079eafeba179a915e194b14e12ffee1e2bad56a62077897a4654e4b -+Ctrl.hexinfo = hexinfo:87686603814d619107aabfab85b4c4fe38ae1a5c2a4d78df12119871b8a4f85d583e7d842ee15e7fe03f61dd02b10784838ed163dc67cca43586d628 -+Output = d888a21e1a698654fa46288509ae7a28dc7b05e6fc696a909451c2437097056b -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:2efe2905a1b7e1993da0316f2a747be1e91415ca1e6ad14d04341fee -+Ctrl.hexinfo = hexinfo:4d283c0f6d209379facd8a26aa889780863cf6a81893dc3bd2c928a7f8d922ced9c829bf627d2c556441d0d41a1eb00c0deea78349429de56a275f04 -+Output = ec162b6ff6413f5eae9336fd489fab538d042db8 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:0b15638489d3ac7729a7db82797754e7a7c8d52da0cf3638a27a1a9c -+Ctrl.hexinfo = hexinfo:90988848764dacc6eeba817e0b74086b1233bca9d573717b8e3dd3bd23a532aac7db8b196e4c4702f54cc71bb8882dc776b0317457803a632b429776 -+Output = 481293e1e621ad8bab5c9f5090594bb2507a1456ee8ffc30db159cb5b02d69110c3e5270880bf4a7 -+ -+ -+# [PRF=HMAC_SHA224] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC 
-+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:f5cb7cc6207f5920dd60155ddb68c3fbbdf5104365305d2c1abcd311 -+Ctrl.hexinfo = hexinfo:4e5ac7539803da89581ee088c7d10235a10536360054b72b8e9f18f77c25af01019b290656b60428024ce01fccf49022d831941407e6bd27ff9e2d28 -+Output = 0adbaab43edd532b560a322c84ac540e -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:992815121d88ffb26c337606723c02ef317713086e2cfbbd37e1a167 -+Ctrl.hexinfo = hexinfo:152d974eb2719b9027d32054a327312361125959df9d96a1832e2056c2571d4f1cf45f6e8f6544c87f15861cef627d2f16e9b0b4ab799bb3362f4aae -+Output = 475eda3a32d569932e043db64dbf0e9bb0945b54dcdfa203be1a28524c147075 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:2eabb6b922c24326ef9ae3c192dfd341caf57efe15dd649772a2ac3b -+Ctrl.hexinfo = hexinfo:c75f6f5a1561aab39ea0e22702a6cf7dba3ca4dd9f046bb0abea2d3284168fd9fb39ff725523a660d21f8c2ade03d18d4273c52fb6f22c9e39d6bc2e -+Output = ae50acebe308a1cf1747b9b178a0720748fa5fe5 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:9b75e7fa216c884037c7d6953092ed335c4efd88ca57a742d6ac3221 -+Ctrl.hexinfo = hexinfo:12bea97865df99315259ff620302432ecafc9dce2619e87dfb4979410456a524434315dd3920e2b1aa1c79d5e07132a758a7b7b71ef10bcf1bb877f3 -+Output = 60071bd0ceea0fe0f879223b940d3de7dde02ca6858f8450fb9c0032e49f968ef9cd9b5703163dbc -+ -+ -+# [PRF=HMAC_SHA256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER 
-+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:3edc6b5b8f7aadbd713732b482b8f979286e1ea3b8f8f99c30c884cfe3349b83 -+Ctrl.hexinfo = hexinfo:98e9988bb4cc8b34d7922e1c68ad692ba2a1d9ae15149571675f17a77ad49e80c8d2a85e831a26445b1f0ff44d7084a17206b4896c8112daad18605a -+Output = 6c037652990674a07844732d0ad985f9 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:f109513435d72f14863660dfc027118e47e13995ad44a02415c9c8f63d38675c -+Ctrl.hexinfo = hexinfo:53696208d6f42909136a575010e135e142e31f631d72386a631cc704e5ad4049a889422cd6da7f1805e59a273c6f4fa986bc3082952fca658979f1b0 -+Output = 1aaf080fd51b37585ea464a9c617bc3ab859cc78cbe1f2d5d557148ee36821a0 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:6ed1b41a1fc2ca8c7e09d5bccc410661683ec29d41a0fd01dd820a2e824ff672 -+Ctrl.hexinfo = hexinfo:f6dc72adbd8ad4ea91259b61237a042a02546f37d58d933d3efadc54a5e1936a8faf70c33e707c473125bd5006b7dfa6883c04bf27cf53010e1d10bc -+Output = 4090ee711fa361f03267a6ff2a5ace977c8c1db5 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:63a657fb6c5bacb9a124d3e7db8bbb7d42bfdfaf8f04cb6359cd888c70669652 -+Ctrl.hexinfo = hexinfo:2697b6ec112cab4d6f1714c991c17d44fb36a0b6ef0b0f5451619ab248950f56f403215c78711aa563683ced05be7246f32574fa294f162dbbeb3dee -+Output = 1992e75756fa64734d5caecc5f6420fcb28b8b90421eee97dc8b6140ce18518405688bea489d2aaa -+ -+ -+# [PRF=HMAC_SHA256] -+# [CTRLOCATION=BEFORE_FIXED] -+# 
[RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:743434c930fe923c350ec202bef28b768cd6062cf233324e21a86c31f9406583 -+Ctrl.hexinfo = hexinfo:9bdb8a454bd55ab30ced3fd420fde6d946252c875bfe986ed34927c7f7f0b106dab9cc85b4c702804965eb24c37ad883a8f695587a7b6094d3335bbc -+Output = 19c8a56db1d2a9afb793dc96fbde4c31 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:365592398d23d31f2cac8bf6211f1ad5f52608efcdc5997b144ea6ded3866cf6 -+Ctrl.hexinfo = hexinfo:07dce524556d3f68d2d91d4c15c9c6212635e0df1aef54938490db46f98737064d6a5624d7f938c263af01e632c45d9fe7a871b67f7d4bf110796eb4 -+Output = 5624c6911dc1b08e090c8c95347adf17895b696aae211932cde3ec8227fcbea8 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:c104e187e344668997b7bd9c8cdf097320518dd7dbcb541c414418b55b58cbb2 -+Ctrl.hexinfo = hexinfo:32f6bd59840c61909f2f92f98f54bd238083577e33c3d071c1abe4c694bd87c1ad235eb9a2d272b3dc67c955574d5e6cad84615120476d6e7e04f51f -+Output = 1b5d9e60aa909aeb973e76d9bf6be208327bb096 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:d4349c26108719debacc04e166a09063ffb5e17bcbaf8738dc2618aa7d1e97ae -+Ctrl.hexinfo = hexinfo:da1f5ed45ead428689b0ecca9dbc2569e76953cda0df085499cca6d5949d8995e1e42bbdc94b0dd78c164867c364a64c894de85294ad89d267ff443d -+Output = 
00550ae0f29a2373269af175e7f829ec32c3d05099a39f8c0e02caa00b68afb7457669334383ffb2 -+ -+ -+# [PRF=HMAC_SHA256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:388e93e0273e62f086f52f6f5369d9e4626d143dce3b6afc7caf2c6e7344276b -+Ctrl.hexinfo = hexinfo:697bb34b3fbe6853864cac3e1bc6c8c44a4335565479403d949fcbb5e2c1795f9a3849df743389d1a99fe75ef566e6227c591104122a6477dd8e8c8e -+Output = d697442b3dd51f96cae949586357b9a6 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:f5207566ad012002ae6f2b501f0c24180228345889c20616d043b868a76d015a -+Ctrl.hexinfo = hexinfo:f36dbc8d1dfda60d4ba05214f8773aaa9f01944150bca68812d0d8deb5492f3f68f09809ba5e8b89e9dca86c70f6f353b3d5f49ef27e2fd01cfa911d -+Output = 0faed440796a0685a24a1c5e1cacde566c7a1a4189885229251c6308a53c3f6e -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:e2758918edcf15d957a556055602d283dbdf9c95b6025a3cddf1eeac1e0ac889 -+Ctrl.hexinfo = hexinfo:eda2f792580d6129b43e7b89c661786a29ab502ec6198f4a2bec6d0ffca1a75b8807d4313e7bf769a94fbf4b41c4cc309358a211105312c05818d8f3 -+Output = 67e3273b2cfa4c663377f5841606679aee420dce -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:c9063598d6cf8660300073b5c25603baf3ade910c182deea15d8107d6f6be295 -+Ctrl.hexinfo = 
hexinfo:22d27eec90c2dd4ae5cf4a705abecfd781b9051ba512b048ea9499364b791e9cdf63215db43680dacffe6f19d77fc93f8a46d84dd52146389d9ec308 -+Output = f3a5b521b435a8c83eaf2d264b5b1a6dcc32c21b4897511203f97f01f2a691eef080b4cd7ca4fc38 -+ -+ -+# [PRF=HMAC_SHA256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:dd1d91b7d90b2bd3138533ce92b272fbf8a369316aefe242e659cc0ae238afe0 -+Ctrl.hexinfo = hexinfo:01322b96b30acd197979444e468e1c5c6859bf1b1cf951b7e725303e237e46b864a145fab25e517b08f8683d0315bb2911d80a0e8aba17f3b413faac -+Output = 10621342bfb0fd40046c0e29f2cfdbf0 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:e204d6d466aad507ffaf6d6dab0a5b26152c9e21e764370464e360c8fbc765c6 -+Ctrl.hexinfo = hexinfo:7b03b98d9f94b899e591f3ef264b71b193fba7043c7e953cde23bc5384bc1a6293580115fae3495fd845dadbd02bd6455cf48d0f62b33e62364a3a80 -+Output = 770dfab6a6a4a4bee0257ff335213f78d8287b4fd537d5c1fffa956910e7c779 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:dc60338d884eecb72975c603c27b360605011756c697c4fc388f5176ef81efb1 -+Ctrl.hexinfo = hexinfo:44d7aa08feba26093c14979c122c2437c3117b63b78841cd10a4bc5ed55c56586ad8986d55307dca1d198edcffbc516a8fbe6152aa428cdd800c062d -+Output = 29ac07dccf1f28d506cd623e6e3fc2fa255bd60b -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = 
hexkey:c4bedbddb66493e7c7259a3bbbc25f8c7e0ca7fe284d92d431d9cd99a0d214ac -+Ctrl.hexinfo = hexinfo:1c69c54766791e315c2cc5c47ecd3ffab87d0d273dd920e70955814c220eacace6a5946542da3dfe24ff626b4897898cafb7db83bdff3c14fa46fd4b -+Output = 1da47638d6c9c4d04d74d4640bbd42ab814d9e8cc22f4326695239f96b0693f12d0dd1152cf44430 -+ -+ -+# [PRF=HMAC_SHA384] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:0be1999848a7a14a555649048fcadf2f644304d163190dc9b23a21b80e3c8c373515d6267d9c5cfd31b560ffd6a2cd5c -+Ctrl.hexinfo = hexinfo:11340cfbdb40f20f84cac4b8455bdd76c730adcecd0484af9011bacd46e22ff2d87755dfb4d5ba7217c37cb83259bdbe0983cc716adc2e6c826ed53c -+Output = c2ea7454de25afb27065f4676a392385 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:218f47301a3adf39a4e1ddc25a1df2b7db53d7780c207f47ab4cefcaa960ed82cb6cbc34b97b4c332d52ca81cc40cb9a -+Ctrl.hexinfo = hexinfo:60dcb116d7cfd3cca7315c9dc7e9650f886b67d9fbcd98c226239a0f66eff075da23c6cb750a2129ae71b9582934f57423a815249cac2c61f958b35d -+Output = 26b01d94c4dd51a9c8b54f78647257f9e937a8d67dffa78f85749cdfb22db620 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:426c4facbacecb654555bc9843f9864a53e14c9a5e19600abf57b03cf8b6f825f71191eaaf3cfd70961314acbf1e6e29 -+Ctrl.hexinfo = hexinfo:d224dc52dd16bde3391fab24fa875b695d63215e182efa970537904f4cd1d7f929f87c17fa97bd490f10cfc3bb80353ea4a4bb403f79e18677c39d29 -+Output = 431c73810e9fe4f4982202f55eb5f0212f302142 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF 
-+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:522a72c006a6b77911915c78952dd61848725a4b0789b2cfce3b29d947d9faa145417740c0365bd81a860a600012543b -+Ctrl.hexinfo = hexinfo:4a3cd102c4b95fe193660c4c174f02c725207449b785edb8fa8c4404f01a25bef3238637d3bae370758332c678deb578322e031ec3970876600196d2 -+Output = 2f5d52226949aecfe6359561a5fdd87a843457019e24faacacedd34177cda6cba18cc78cc8c78cef -+ -+ -+# [PRF=HMAC_SHA384] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:26ef897e4b617b597f766ec8d8ccf44c543e790a7d218f029dcb4a3695ae2caccce9d3e935f6741581f2f53e49cd46f8 -+Ctrl.hexinfo = hexinfo:bc2c728f9dc6db426dd4e85fdb493826a31fec0607644209f9bf2264b6401b5db3004c1a76aa08d93f08d3d9e2ba434b682e480004fb0d9271a8e8cd -+Output = a43d31f07f0ee484455ae11805803f60 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:269cce234dd4783067ceaa04a70deb1c9700acf705548495767c22f78493851ca9c699077a002874caacb760106016c6 -+Ctrl.hexinfo = hexinfo:f64bfb4bdaac81b5801d2f9f08bc2e4d009990b67290fd49b3730c3a145696447aceae6a82f7508a19c396a548c9c33d943dab82b2538c18b8eee871 -+Output = ab4182261c5d9c0d23a26477f14a507dd7f5e9550d04f48de29e644ed55f3406 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:ec71de96c9520386f9d11bebe474bae0c0549e2b2e8fda6b2336050ee3acbec38bc57d56e6422d3cd493ead69772a059 -+Ctrl.hexinfo = 
hexinfo:4313d1efba21dded84ce12bf80b1be54400619d3bb1987f18bf85400e335103969e77c819a5360cf1dd3f4addb6b8eec0199508c75adfe2cfc067dc8 -+Output = 8e37ecc86dcb5ee7cf48d8a07f06c47cdce624cc -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:afe2d3a4746792908aca8ece67ba8562382000b4e26122414b3ef2e120511bae68448955cf186be87caf69eaced47e87 -+Ctrl.hexinfo = hexinfo:1f6dd0b17fed7f479c4f62927291a95292a4e232441c30ffcaa1d347543e50db939360bb37976eacb911f76c38ad8cce12a0c263875bbcd7f6011ffd -+Output = 17b671ca433cea81384b03b69c26a55257085cdfa48e6d8529431464bd439a881de560294afb0073 -+ -+ -+# [PRF=HMAC_SHA384] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:4fab4f1e3512b5f443ec31d2f6425d5f0fc13a5f82c83f72788a48a1bd499495ff18fb7acc0d4c1666c99db12e28f725 -+Ctrl.hexinfo = hexinfo:f0f010f99fbd8ec1bd0f23cd12bb41b2b8acb8713bb031f927e439f616e6ae27aed3f5582f8206893deea1204df125cedce35ce2b01b32bcefb388fd -+Output = c3c263b5aa6d0cfe5304a7c9d21a44ba -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:af3cd100d14dcb5e63f8915eced4b59477936c48e0e2b9232449a97d53d3eddf9e00bf44a8f2370c38a13434c13e0977 -+Ctrl.hexinfo = hexinfo:81f178f11615309844af84e163ff694f1936f7528aba6f0e60d41b4afac87e9dd48fbb5aebe534733f576950484aab15b386b468a055a1e0be8982c0 -+Output = 0b52be4ebd8b2116df895a42317ac78808993673c99da6391f0eee13cc8470fa -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l 
= use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:fc3ba84439d8b7ead37ac6c825e088fc80152788bbc9c68569213dd6189d5fd552c37ab73b3d53ee9809a485194fb3cd -+Ctrl.hexinfo = hexinfo:df5728d5d146898b68d8713aa8053d03db52b7227d502d3effcd51a22d52ecd9175a4b01d2f27ecfc8abf02c1dd80f5c90a5e01396c1107dddb02226 -+Output = 87ff36ca26778fcaf4f9209d38095c55c40f5e22 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:08d867a61b13cd8c79d3a1cbec3493925ece900e06993063bc0dfe0247cd059ba50a5fb6afc65ac469793817a1f2dfee -+Ctrl.hexinfo = hexinfo:af0c83a659267869bd7cde387bf1c29c9c0ff3c6cabf512c73fd671748e4e9e49218de9350fc0dde27839eb1e2878f900689abeb7b540c70203e5a95 -+Output = 3fef69d875b9b6047c33f295619f6e7c7125c875d55409500100f71bee6551d511327fbde607ac41 -+ -+ -+# [PRF=HMAC_SHA384] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:216ed044769c4c3908188ece61601af8819c30f501d12995df608e06f5e0e607ab54f542ee2da41906dfdb4971f20f9d -+Ctrl.hexinfo = hexinfo:638e9506a2c7be69ea346b84629a010c0e225b7548f508162c89f29c1ddbfd70472c2b58e7dc8aa6a5b06602f1c8ed4948cda79c62708218e26ac0e2 -+Output = d4b144bb40c7cabed13963d7d4318e72 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:8fca201473433f2dc8f6ae51e48de1a5654ce687e711d2d65f0dc5da6fee9a6a3db9d8535d3e4455ab53d35850c88272 -+Ctrl.hexinfo = hexinfo:195bd88aa2d4211912334fe2fd9bd24522f7d9fb08e04747609bc34f2538089a9d28bbc70b2e1336c3643753cec6e5cd3f246caa915e3c3a6b94d3b6 -+Output 
= f51ac86b0f462388d189ed0197ef99c2ff3a65816d8442e5ea304397b98dd11f -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:bc3157b8932e88d1b1cf8e4622137010a242d3527b1d23d6d9c0db9cc9edfc20e5135de823977bf4defafae44d6cdab6 -+Ctrl.hexinfo = hexinfo:b42a8e43cc2d4e5c69ee5e4f6b19ff6b8071d26bab4dfe45650b92b1f47652d25162d4b61441d8448c54918ae568ae2fb53091c624dbfffacee51d88 -+Output = 91314bdf542162031643247d6507838eaba50f1a -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:582f968a54b8797b9ea8c655b42e397adb73d773b1984b1e1c429cd597b8015d2f91d59e4136a9d523bf6491a4733c7a -+Ctrl.hexinfo = hexinfo:e6d3c193eff34e34f8b7b00e66565aeb01f63206bb27e27aa281592afc06ae1ec5b7eb97a39684ce773d7c3528f2667c1f5d428406e78ce4cf39f652 -+Output = 691726c111e5030b5f9657069107861ecc18bc5835a814c3d2e5092c901cb1fb6c1a7cd3eb0be2a7 -+ -+ -+# [PRF=HMAC_SHA512] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:6ea2c385bb3e7bbafc2225cee1d3ee103ce300c1fdf033d0c1e99c57e6a596e037020838e857c0434040b58a5ca5410be672b888ef9955bdd54eb6a67416ff6a -+Ctrl.hexinfo = hexinfo:be119901ed8679b243508b97663f35da322774d7d2012d6557da6657c1176a115ebc73b0f1bfa1dba6b8c3b124f0a47cff2998b230c955b0ea809784 -+Output = e0755fa6f116ef7a8e8361f47fd57511 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = 
hexkey:0ef984d7b4ee76f5c9e080b27f45ccab4ac2362c4cafa68198786b18e239d0f69ee62148373643ad9aa42474700348ef651fee9973130a42e76b7e7633eba1e9 -+Ctrl.hexinfo = hexinfo:56ece7c14c1fc5467f8316f3a931a7ddfa490969f442d7a132f3755809f6ca11dbc9c6493a541c244c32be6656e13ef2868cb79415b807b3882f00d2 -+Output = 19aa765affdd3cc7294b2c97e1bd5adc368523a3283c387d0719761e938f83db -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:a35728d4ec0d7e94019a45d52264e5cd63c7540c21e30a9882d8d531cbb510edaa78e42c03994c18d8efcf7f826a1a9fdbbbacc55c640e7b532cc08e0615a093 -+Ctrl.hexinfo = hexinfo:f501cc527bad6fe5d8e4f1f0f53d416ab17235f380f7e0d1c90dca18206af1fb1d977551e2e0e25c1fe41a8f825fbae2c07c94b768e98ad5ab8ddb2e -+Output = 54cf238101418ce050eee03aae0c39c4602ab838 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:baed493b0294c9a5dbbe4547a30f0602c6124cedb549b45cff0ee4f3689a7ae5b695e5ecdfebf611bba1174e5e3a8824383e555daef396dc58c2842f77d5a674 -+Ctrl.hexinfo = hexinfo:1371182cb0725416b1eccf4ac9fb20cf4e0f77e7d006a531e0ab2b2b46e0859473dad9dcae65ba5eb902228787dae19e735d002c919a4b74012f8904 -+Output = 09bb55c9f3cee604f4bc5544a802be8b02b34b99f7928ceee696221975f947905f1b5979d9d4c2a1 -+ -+ -+# [PRF=HMAC_SHA512] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:bb0c55c7201ceb2e1369a6c49e2cdc1ae5e4cd1d64638105072c3a9172b2fa6a127c4d6d55132585fb2644b5ae3cf9d347875e0d0bf80945eaabef3b4319605e -+Ctrl.hexinfo = 
hexinfo:89bf925033f00635c100e2c88a98ad9f08cd6a002b934617d4ebfffc0fe9bca1d19bd942da3704da127c7493cc62c67f507c415e4cb67d7d0be70005 -+Output = 05efd62522beb9bfff6492ecd24501a7 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:393eb889e9c2f251b95aa147d53e4cd029fd0391110be9c6b2f8ba32857864847c448a9a591686de88da7486d0a0f0f8c927560fa8f79c30e66a7efaacaa638f -+Ctrl.hexinfo = hexinfo:116bf7f9e5eb884c86cd0d3a2b33d41de7735677e6bd727e83fbde5c8113de56bf84c9f80610db760ae2df73f4f0db9df0cc1655ea9bc98bb06beeda -+Output = 212e4e4057a6871e166e7563205833bc7f01e86c724b6a61166d9311c55b5044 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:eeec4383a808fae57f24a7a5eb6157cca66483a613590c89ed39f59617ea97fcfa7cdfc83ba8140fa0d8542263d6423a9bcca70e11addb7a646f194ff0878cac -+Ctrl.hexinfo = hexinfo:b2565a20171eef1eaa04728e6c369405b251062bbd0a2b9171c8c6fedf0ff783691db787f153bbf5167301808f768a03df0deec99f2b9efb90cab571 -+Output = 4f31b7bcd54c74d8a7d31aca187b8736f0a59db7 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:62690d8ef259d175911d8eb52a331af29a8e3b797c4b315a67fa5cd1b00e585b2f7d97341284d0fcaa15a080732f7958e3b33e938e730623d1e651dbea9b2233 -+Ctrl.hexinfo = hexinfo:266535b58de26ed62f936bc7147c8c3b31ee0c1bb92c5ef63699ac7225e01cec5afd2e6e39cf095882324c7dc94b0daa2befc50f790da0547d7c6184 -+Output = 9336a88737d9ae01b5c43be5789c8545689557aad295ea3c03d2a2e0143603365fea1656175c20bf -+ -+ -+# [PRF=HMAC_SHA512] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = 
KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:d10933b0683f6787c33eccea1c311b8444270504fb3980bfd56443ba4068722184c31541d9174f71068b7789440bc34cec456e115067f9c65a5f2883c6868204 -+Ctrl.hexinfo = hexinfo:dcb2ea8d715821d6393bd49a3e35f69a6c2519edb614f80fbc3f7ae1d65ff4a04c499e75d08819a09092ddaadba510e03cb2ac898804590dbd61fb7e -+Output = 876d73040d03d569e2fcae33b241d98e -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:44e6e9abd8572a19ba127dfa2ca6a1b53beaef8c19a1ec5b67f1f6f7919671cd80ade7ded7c0f096525936ef427b152339de915f024964ca9ea908a120e2553a -+Ctrl.hexinfo = hexinfo:c2884a0c3ea2ff5b0bc848698f49f2c59eff511d77caddba897dec7714a0984e54f330dd9e9fdca9c033dfbc36d3293eca0ce7601e316463966ad4fd -+Output = b294537440bec490953bf6e9a77c4510536916b84a5a2f45b5bf9f76666d8f12 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:a39131ca2f8df817ea2f155aac72d58a696d915b66b7cbe172a0f48a407aa8af0edbaea051eb027fe8fcc435cc7f160feeb57bd39a39d94104fe35167dac1aae -+Ctrl.hexinfo = hexinfo:52b6d1f6381fc3dd44baf1c9d36f0c313e58bf4fdb936b78103afdb90373079de90e4bb7d7089e65e0aef23f2a34df5198b8392aac705eb998c1f8cd -+Output = e707c910b4db3a648815fcad5ca7af18e5354c2e -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:af5a39f0303b11bca55584ce24162dabd1625aed14ce54f9e407866e03efb24b12a36e164f96faf36bc92a08acd194285107173fb84caef787672d6471028459 -+Ctrl.hexinfo = 
hexinfo:1cd84829b89d3149948967494aece985f1df3d7ec7735e8cc468bb3e6fdb50964d32dcde5521a82402577371047bf77e34714437e9d213561055b9db -+Output = a0e81b336a6f4ab395aada28314d8ba96b9216ae389b01aaec158e166239e554a217e69f603988fb -+ -+ -+# [PRF=HMAC_SHA512] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:dd5dbd45593ee2ac139748e7645b450f223d2ff297b73fd71cbcebe71d41653c950b88500de5322d99ef18dfdd30428294c4b3094f4c954334e593bd982ec614 -+Ctrl.hexinfo = hexinfo:b50b0c963c6b3034b8cf19cd3f5c4ebe4f4985af0c03e575db62e6fdf1ecfe4f28b95d7ce16df85843246e1557ce95bb26cc9a21974bbd2eb69e8355 -+Output = e5993bf9bd2aa1c45746042e12598155 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:5be2bf7f5e2527e15fe65cde4507d98ba55457006867de9e4f36645bcff4ca38754f92898b1c5544718102593b8c26d45d1fceaea27d97ede9de8b9ebfe88093 -+Ctrl.hexinfo = hexinfo:004b13c1f628cb7a00d9498937bf437b71fe196cc916c47d298fa296c6b86188073543bbc66b7535eb17b5cf43c37944b6ca1225298a9e563413e5bb -+Output = cee0c11be2d8110b808f738523e718447d785878bbb783fb081a055160590072 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:9dd03864a31aa4156ca7a12000f541680ce0a5f4775eef1088ac13368200b447a78d0bf14416a1d583c54b0f11200ff4a8983dd775ce9c0302d262483e300ae6 -+Ctrl.hexinfo = hexinfo:037369f142d669fca9e87e9f37ae8f2c8d506b753fdfe8a3b72f75cac1c50fa1f8620883b8dcb8dcc67adcc95e70aa624adb9fe1b2cb396692b0d2e8 -+Output = 96e8d1bc01dc95c0bf42c3c38fc54c090373ced4 -+ -+# COUNT=30 -+# L = 320 -+KDF = 
KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:a9f4a2c5af839867f5db5a1e520ab3cca72a166ca60de512fd7fe7e64cf94f92cf1d8b636175f293e003275e021018c3f0ede495997a505ec9a2afeb0495be57 -+Ctrl.hexinfo = hexinfo:8e9db3335779db688bcfe096668d9c3bc64e193e3529c430e68d09d56c837dd6c0f94678f121a68ee1feea4735da85a49d34a5290aa39f7b40de435f -+Output = 6db880daac98b078ee389a2164252ded61322d661e2b49247ea921e544675d8f17af2bf66dd40d81 -+ diff --git a/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch b/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch index 5208f40..14bacd4 100644 --- a/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch +++ b/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch @@ -95,7 +95,7 @@ index 4b74ee1a34..5f089de107 100644 - */ - sigalgstr[0] = (sig >> 8) & 0xff; - sigalgstr[1] = sig & 0xff; -- secbits = sigalg_security_bits(s->ctx, lu); +- secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu); - if (secbits == 0 || - !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, - md != NULL ? EVP_MD_get_type(md) : NID_undef, @@ -104,8 +104,8 @@ index 4b74ee1a34..5f089de107 100644 - return 0; + + if (lu->hash == NID_sha1 -+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) -+ && SSL_get_security_level(s) < 3) { ++ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0) ++ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) { + /* when rh-allow-sha1-signatures = yes and security level <= 2, + * explicitly allow SHA1 for backwards compatibility */ + } else { 
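Review bot: The rebased SHA-1 branch in the @@ -104 hunk reads its context through `s->session_ctx` (`ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0)`), and the else branch re-added in the @@ -115 hunk does the same with `sigalg_security_bits(s->session_ctx, lu)`, while the upstream line it replaces, shown removed in the @@ -95 hunk, uses `SSL_CONNECTION_GET_CTX(s)`. If the connection's SSL_CTX can be switched after the connection is created (presumably from a servername callback; confirm), the two accessors may name different contexts, and the security-bits lookup would then differ from what upstream computes. I would keep the upstream accessor in the re-added line, `secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu);`, and use `SSL_CONNECTION_GET_CTX(s)->libctx` for the configuration lookup. The same applies to the @@ -131 and @@ -159 hunks. The enclosing function starts and ends outside these hunks.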
@@ -115,7 +115,7 @@ index 4b74ee1a34..5f089de107 100644 + */ + sigalgstr[0] = (sig >> 8) & 0xff; + sigalgstr[1] = sig & 0xff; -+ secbits = sigalg_security_bits(s->ctx, lu); ++ secbits = sigalg_security_bits(s->session_ctx, lu); + if (secbits == 0 || + !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, + md != NULL ? EVP_MD_get_type(md) : NID_undef, @@ -131,15 +131,15 @@ index 4b74ee1a34..5f089de107 100644 } + if (lu->hash == NID_sha1 -+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) -+ && SSL_get_security_level(s) < 3) { ++ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0) ++ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) { + /* when rh-allow-sha1-signatures = yes and security level <= 2, + * explicitly allow SHA1 for backwards compatibility */ + return 1; + } + /* Finally see if security callback allows it */ - secbits = sigalg_security_bits(s->ctx, lu); + secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu); sigalgstr[0] = (lu->sigalg >> 8) & 0xff; @@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) { @@ -147,9 +147,9 @@ index 4b74ee1a34..5f089de107 100644 int secbits, nid, pknid; + OSSL_LIB_CTX *libctx = NULL; + + /* Don't check signature if self signed */ if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) - return 1; @@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) /* If digest NID not defined use signature NID */ if (nid == NID_undef) 
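Review bot: The added `return 1;` in the @@ -131 hunk sits before the existing `/* Finally see if security callback allows it */` step, so when the SHA-1 exception applies that step is skipped and an application-installed security callback is presumably never asked about the algorithm. The comment on the branch should say so, for example `* explicitly allow SHA1 for backwards compatibility; this returns before the security callback is consulted */`, so that someone auditing SHA-1 acceptance knows a callback-based policy does not cover this path. The comment also says "security level <= 2" while the code tests `< 3`; the two are equivalent, but using one form in both places makes the exception easier to grep for. The function body continues outside the hunk.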
@@ -159,21 +159,21 @@ index 4b74ee1a34..5f089de107 100644 + libctx = x->libctx; + else if (ctx && ctx->libctx) + libctx = ctx->libctx; -+ else if (s && s->ctx && s->ctx->libctx) -+ libctx = s->ctx->libctx; ++ else if (s && s->session_ctx && s->session_ctx->libctx) ++ libctx = s->session_ctx->libctx; + else + libctx = OSSL_LIB_CTX_get0_global_default(); + + if (nid == NID_sha1 + && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) -+ && ((s != NULL && SSL_get_security_level(s) < 3) ++ && ((s != NULL && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) + || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3) + )) + /* When rh-allow-sha1-signatures = yes and security level <= 2, + * explicitly allow SHA1 for backwards compatibility. */ + return 1; + - if (s) + if (s != NULL) return ssl_security(s, op, secbits, nid, x); else diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t @@ -184,8 +184,8 @@ index 700bbd849c..2de1d76b5e 100644 run(app([@args])); } --plan tests => 163; -+plan tests => 162; +-plan tests => 193; ++plan tests => 192; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -203,4 +203,3 @@ index 700bbd849c..2de1d76b5e 100644 "PSS signature using SHA256 and auth level 2"); -- 2.35.1 - diff --git a/0056-strcasecmp.patch b/0056-strcasecmp.patch index 01ca25e..6b740ce 100644 --- a/0056-strcasecmp.patch +++ b/0056-strcasecmp.patch 
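Review bot: In the @@ -159 hunk the SHA-1 exception is granted when either `s` or `ctx` reports a security level below 3, whereas the tail of the function uses `s` when it is non-NULL and falls back to `ctx` only otherwise. If a caller ever passes both, a connection raised to level 3 would still accept a SHA-1-signed certificate because its SSL_CTX sits at a lower level. Mirroring the tail keeps both decisions on the same object: `&& (s != NULL ? SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3 : (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3)))`. The multi-line `if` also has an unbraced body separated from its condition by a comment; braces would make the early `return 1;` harder to misread. The function starts before the hunk.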
@@ -1,13 +1,12 @@ diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num --- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200 +++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200 -@@ -5425,6 +5425,8 @@ ASN1_item_d2i_ex - EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: - OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: - OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: +@@ -5425,5 +5425,7 @@ ASN1_item_d2i_ex + X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: + OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: + BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK +OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION: +OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION: - ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c @@ -45,10 +44,10 @@ diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/ --- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100 +++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 2022-11-25 18:31:20.993392678 +0100 @@ -77,6 +80,7 @@ foreach my $libname (@libnames) { - s| .*||; - # Drop OpenSSL dynamic version information if there is any - s|\@\@.+$||; -+ s|\@.+$||; - # Return the result - $_ - } + s| .*||; + # Drop OpenSSL dynamic version information if there is any + s|\@\@.+$||; ++ s|\@.+$||; + # Return the result + $_ + } diff --git a/0058-FIPS-limit-rsa-encrypt.patch b/0058-FIPS-limit-rsa-encrypt.patch index b9cc3aa..c4f952b 100644 --- a/0058-FIPS-limit-rsa-encrypt.patch +++ b/0058-FIPS-limit-rsa-encrypt.patch 
@@ -1,6 +1,25 @@ -diff -up openssl-3.0.1/providers/common/securitycheck.c.rsaenc openssl-3.0.1/providers/common/securitycheck.c ---- openssl-3.0.1/providers/common/securitycheck.c.rsaenc 2022-06-24 17:14:33.634692729 +0200 -+++ openssl-3.0.1/providers/common/securitycheck.c 2022-06-24 17:16:08.966540605 +0200 +From 012e319b3d5b936a9208b1c75c13d9c4a2d0cc04 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 24/49] 0058-FIPS-limit-rsa-encrypt.patch + +Patch-name: 0058-FIPS-limit-rsa-encrypt.patch +Patch-id: 58 +Patch-status: | + # # https://bugzilla.redhat.com/show_bug.cgi?id=2053289 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + providers/common/securitycheck.c | 1 + + .../implementations/asymciphers/rsa_enc.c | 35 +++++ + .../30-test_evp_data/evppkey_rsa_common.txt | 140 +++++++++++++----- + test/recipes/80-test_cms.t | 5 +- + test/recipes/80-test_ssl_old.t | 27 +++- + 5 files changed, 168 insertions(+), 40 deletions(-) + +diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c +index fe694c4e96..f635b5aec8 100644 +--- a/providers/common/securitycheck.c ++++ b/providers/common/securitycheck.c @@ -27,6 +27,7 @@ * Set protect = 1 for encryption or signing operations, or 0 otherwise. See * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf. 
@@ -9,10 +28,11 @@ diff -up openssl-3.0.1/providers/common/securitycheck.c.rsaenc openssl-3.0.1/pro int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation) { int protect = 0; -diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c ---- openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad 2022-05-02 16:04:47.000091901 +0200 -+++ openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c 2022-05-02 16:14:50.922443581 +0200 -@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsac +diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c +index 71bfa344d4..d548560f1f 100644 +--- a/providers/implementations/asymciphers/rsa_enc.c ++++ b/providers/implementations/asymciphers/rsa_enc.c +@@ -135,6 +135,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa, return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT); } @@ -30,7 +50,7 @@ diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pa static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, size_t outsize, const unsigned char *in, size_t inlen) { -@@ -141,6 +152,18 @@ static int rsa_encrypt(void *vprsactx, u +@@ -144,6 +155,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, if (!ossl_prov_is_running()) return 0; @@ -49,7 +69,7 @@ diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pa if (out == NULL) { size_t len = RSA_size(prsactx->rsa); -@@ -202,6 +220,18 @@ static int rsa_decrypt(void *vprsactx, u +@@ -206,6 +229,18 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, if (!ossl_prov_is_running()) return 0; 
@@ -68,75 +88,11 @@ diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pa if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) { if (out == NULL) { *outlen = SSL_MAX_MASTER_KEY_LENGTH; -diff -up openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_cms.t ---- openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad 2022-05-02 17:04:07.610782138 +0200 -+++ openssl-3.0.1/test/recipes/80-test_cms.t 2022-05-02 17:06:03.595814620 +0200 -@@ -232,7 +232,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients", -+ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS", - [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, - "-aes256", "-stream", "-out", "{output}.cms", - $smrsa1, -@@ -865,5 +865,8 @@ sub check_availability { - return "$tnam: skipped, DSA disabled\n" - if ($no_dsa && $tnam =~ / DSA/); - -+ return "$tnam: skipped, Red Hat FIPS\n" -+ if ($tnam =~ /no Red Hat FIPS/); -+ - return ""; - } -diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_ssl_old.t ---- openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad 2022-05-02 17:26:37.962838053 +0200 -+++ openssl-3.0.1/test/recipes/80-test_ssl_old.t 2022-05-02 17:34:20.297950449 +0200 -@@ -483,6 +483,18 @@ sub testssl { - # the default choice if TLSv1.3 enabled - my $flag = $protocol eq "-tls1_3" ? 
"" : $protocol; - my $ciphersuites = ""; -+ my %redhat_skip_cipher = map {$_ => 1} qw( -+AES256-GCM-SHA384:@SECLEVEL=0 -+AES256-CCM8:@SECLEVEL=0 -+AES256-CCM:@SECLEVEL=0 -+AES128-GCM-SHA256:@SECLEVEL=0 -+AES128-CCM8:@SECLEVEL=0 -+AES128-CCM:@SECLEVEL=0 -+AES256-SHA256:@SECLEVEL=0 -+AES128-SHA256:@SECLEVEL=0 -+AES256-SHA:@SECLEVEL=0 -+AES128-SHA:@SECLEVEL=0 -+ ); - foreach my $cipher (@{$ciphersuites{$protocol}}) { - if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { - note "*****SKIPPING $protocol $cipher"; -@@ -494,11 +506,16 @@ sub testssl { - } else { - $cipher = $cipher.':@SECLEVEL=0'; - } -- ok(run(test([@ssltest, @exkeys, "-cipher", -- $cipher, -- "-ciphersuites", $ciphersuites, -- $flag || ()])), -- "Testing $cipher"); -+ if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) { -+ note "*****SKIPPING $cipher in Red Hat FIPS mode"; -+ ok(1); -+ } else { -+ ok(run(test([@ssltest, @exkeys, "-cipher", -+ $cipher, -+ "-ciphersuites", $ciphersuites, -+ $flag || ()])), -+ "Testing $cipher"); -+ } - } - } - next if $protocol eq "-tls1_3"; -diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ---- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen 2022-06-16 14:26:19.383530498 +0200 -+++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2022-06-16 14:39:53.637777701 +0200 -@@ -263,12 +263,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974 +diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +index 76ddc1ec60..62d55308b0 100644 +--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e377 Output = 
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef # RSA decrypt 
@@ -146,12 +102,394 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 Output = "Hello World" - # Corrupted ciphertext + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 +Availablein = default + # Note: disable the Bleichenbacher workaround to see if it passes Decrypt = RSA-2048 - Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 + Ctrl = rsa_pkcs1_implicit_rejection:0 +@@ -262,7 +262,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C70 Output = "Hello World" -@@ -665,36 +666,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mN + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Corrupted ciphertext + # Note: output is generated synthethically by the Bleichenbacher workaround + Decrypt = RSA-2048 +@@ -270,7 +270,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C70 + Output = 
4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Corrupted ciphertext + # Note: disable the Bleichenbacher workaround to see if it fails + Decrypt = RSA-2048 +@@ -345,82 +345,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC + # RSA decrypt + + # a random positive test case ++Availablein = default + Decrypt = RSA-2048-2 + Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066 + Output = "lorem ipsum dolor sit amet" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case decrypting to empty + Decrypt = RSA-2048-2 + Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7 + Output = + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # invalid decrypting to max length 
message + Decrypt = RSA-2048-2 + Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303 + Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 + # invalid decrypting to message with length specified by second to last value from PRF ++Availablein = default + Decrypt = RSA-2048-2 + Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354 + Output = 0f9b + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # invalid decrypting to message with length specified by 
third to last value from PRF + Decrypt = RSA-2048-2 + Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081 + Output = 4f02 + + # positive test with 11 byte long value ++Availablein = default + Decrypt = RSA-2048-2 + Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592 + Output = "lorem ipsum" + + # positive test with 11 byte long value and zero padded ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b + Output = "lorem ipsum" + + # positive test with 11 byte long value and zero truncated ciphertext ++Availablein = default + 
Decrypt = RSA-2048-2 + Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b + Output = "lorem ipsum" + + # positive test with 11 byte long value and double zero padded ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc + Output = "lorem ipsum" + + # positive test with 11 byte long value and double zero truncated ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc + Output = "lorem ipsum" + + # positive that generates a 0 byte long synthetic message internally ++Availablein 
= default + Decrypt = RSA-2048-2 + Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0 + Output = "lorem ipsum" + + # positive that generates a 245 byte long synthetic message internally ++Availablein = default + Decrypt = RSA-2048-2 + Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50 + Output = "lorem ipsum" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test that generates an 11 byte long message + Decrypt = RSA-2048-2 + Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2 + Output = 
af9ac70191c92413cb9f2d + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise correct plaintext, but with wrong first byte + # (0x01 instead of 0x00), generates a random 11 byte long plaintext + Decrypt = RSA-2048-2 +@@ -428,7 +436,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc + Output = a1f8c9255c35cfba403ccc + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise correct plaintext, but with wrong second byte + # (0x01 instead of 0x02), generates a random 11 byte long plaintext + Decrypt = RSA-2048-2 +@@ -436,7 +444,7 @@ Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d + Output = e6d700309ca0ed62452254 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with a zero byte in first byte of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -445,7 +453,7 @@ Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2a + Output = ba27b1842e7c21c0e7ef6a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with a zero byte removed from first byte of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -454,7 +462,7 @@ Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3 + Output = ba27b1842e7c21c0e7ef6a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with two zero bytes in first bytes of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -463,7 +471,7 @@ Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f + Output = 
d5cf555b1d6151029a429a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with two zero bytes removed from first bytes of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -472,7 +480,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c + Output = d5cf555b1d6151029a429a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # and invalid ciphertext, otherwise valid but starting with 000002, decrypts + # to random 11 byte long synthetic plaintext + Decrypt = RSA-2048-2 +@@ -480,7 +488,7 @@ Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802 + Output = 3d4a054d9358209e9cbbb9 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with otherwise valid padding but a zero byte in first byte + # of padding + Decrypt = RSA-2048-2 +@@ -488,7 +496,7 @@ Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a94 + Output = 1f037dd717b07d3e7f7359 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with otherwise valid padding but a zero byte at the eighth + # byte of padding + Decrypt = RSA-2048-2 +@@ -496,7 +504,7 @@ Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a9646 + Output = 63cb0bf65fc8255dd29e17 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with an otherwise valid plaintext but with missing separator + # byte + Decrypt = RSA-2048-2 +@@ -551,53 +559,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC + # RSA decrypt + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # 
malformed that generates length specified by 3rd last value from PRF + Decrypt = RSA-2049 + Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894 + Output = 42 + + # simple positive test case ++Availablein = default + Decrypt = RSA-2049 + Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967 + Output = "lorem ipsum" + + # positive test case with null padded ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 + Output = "lorem ipsum" + + # positive test case with null truncated ciphertext ++Availablein = default + Decrypt = 
RSA-2049 + Input = 02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 + Output = "lorem ipsum" + + # positive test case with double null padded ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 + Output = "lorem ipsum" + + # positive test case with double null truncated ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 + Output = "lorem ipsum" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random 
negative test case that generates an 11 byte long message + Decrypt = RSA-2049 + Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca + Output = 1189b6f5498fd6df532b00 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) + Decrypt = RSA-2049 + Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff + Output = f6d0f5b78082fe61c04674 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) + Decrypt = RSA-2049 + Input = 
00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3 +@@ -661,14 +674,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE= + PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid ciphertext that generates an empty synthetic one + Decrypt = RSA-3072 + Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59 + Output = + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid that has PRF output with a length one byte too long + # in the last value + Decrypt = RSA-3072 +@@ -676,46 +689,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa + Output = 
56a3bea054e01338be9b7d7957539c + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid that generates a synthetic of maximum size + Decrypt = RSA-3072 + Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6 + Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04 + + # a positive test case that decrypts to 9 byte long value ++Availablein = default + Decrypt = RSA-3072 + Input = 
6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde + Output = "forty two" + + # a positive test case with null padded ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 + Output = "forty two" + + # a positive test case with null truncated ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 
f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 + Output = "forty two" + + # a positive test case with double null padded ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 + Output = "forty two" + + # a positive test case with double null truncated ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 
1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 + Output = "forty two" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates a 9 byte long message + Decrypt = RSA-3072 + Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56 + Output = 257906ca6de8307728 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates a 9 byte long message based on + 
# second to last value from PRF + Decrypt = RSA-3072 +@@ -723,7 +741,7 @@ Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a0 + Output = 043383c929060374ed + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test that generates message based on 3rd last value from + # PRF + Decrypt = RSA-3072 +@@ -731,35 +749,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf48 + Output = 70263fa6050534b9e0 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) + Decrypt = RSA-3072 + Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62 + Output = 6d8d3a094ff3afff4c + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) + Decrypt = RSA-3072 + Input = 
417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936 + Output = c6ae80ffa80bc184b0 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with zero byte in first byte of padding + Decrypt = RSA-3072 + Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0 + Output = a8a9301daa01bb25c7 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with zero byte in 
eight byte of padding + Decrypt = RSA-3072 + Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571 + Output = 6c716fe01d44398018 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with null separator missing + Decrypt = RSA-3072 + Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4 +@@ -1106,36 +1124,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2 h90qjKHS9PvY4Q== -----END PRIVATE KEY----- 
@@ -194,7 +532,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-1 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -719,36 +726,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64 +@@ -1160,36 +1184,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8 eG2e4XlBcKjI6A== -----END PRIVATE KEY----- @@ -237,7 +575,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-2 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -773,36 +786,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+W +@@ -1214,36 +1244,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z Ya4qnqZe1onjY5o= -----END PRIVATE KEY----- @@ -280,7 +618,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-3 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -827,36 +846,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/ +@@ -1268,36 +1304,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq aD0x7TDrmEvkEro= -----END PRIVATE KEY----- @@ -323,7 +661,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-4 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -881,36 +906,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/ +@@ -1322,36 +1364,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B MSwGUGLx60i3nRyDyw== -----END PRIVATE KEY----- @@ -366,7 +704,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-5 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -935,36 +966,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hq +@@ -1376,36 +1424,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC Yejn5Ly8mU2q+jBcRQ== -----END PRIVATE KEY----- 
@@ -409,7 +747,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-6 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -989,36 +1026,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4 +@@ -1430,36 +1484,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS FMlxv0gq65dqc3DC -----END PRIVATE KEY----- @@ -452,7 +790,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-7 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1043,36 +1086,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15E +@@ -1484,36 +1544,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM 2MiPa249Z+lh3Luj0A== -----END PRIVATE KEY----- @@ -495,7 +833,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-8 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1103,36 +1152,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSc +@@ -1544,36 +1610,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo tKo5Eb69iFQvBb4= -----END PRIVATE KEY----- 
@@ -538,3 +876,74 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips
 Decrypt=RSA-OAEP-9
 Ctrl = rsa_padding_mode:oaep
 Ctrl = rsa_mgf1_md:sha1
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index 4e368c730b..879d5d76eb 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -235,7 +235,7 @@ my @smime_pkcs7_tests = (
+ \&final_compare
+ ],
+
+- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
++ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS",
+ [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
+ "-aes256", "-stream", "-out", "{output}.cms",
+ $smrsa1,
+@@ -1118,6 +1118,9 @@ sub check_availability {
+ return "$tnam: skipped, DSA disabled\n"
+ if ($no_dsa && $tnam =~ / DSA/);
+
++ return "$tnam: skipped, Red Hat FIPS\n"
++ if ($tnam =~ /no Red Hat FIPS/);
++
+ return "";
+ }
+
+diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
+index e2dcb68fb5..0775112b40 100644
+--- a/test/recipes/80-test_ssl_old.t
++++ b/test/recipes/80-test_ssl_old.t
+@@ -493,6 +493,18 @@ sub testssl {
+ # the default choice if TLSv1.3 enabled
+ my $flag = $protocol eq "-tls1_3" ? "" : $protocol;
+ my $ciphersuites = "";
++ my %redhat_skip_cipher = map {$_ => 1} qw(
++AES256-GCM-SHA384:@SECLEVEL=0
++AES256-CCM8:@SECLEVEL=0
++AES256-CCM:@SECLEVEL=0
++AES128-GCM-SHA256:@SECLEVEL=0
++AES128-CCM8:@SECLEVEL=0
++AES128-CCM:@SECLEVEL=0
++AES256-SHA256:@SECLEVEL=0
++AES128-SHA256:@SECLEVEL=0
++AES256-SHA:@SECLEVEL=0
++AES128-SHA:@SECLEVEL=0
++ );
+ foreach my $cipher (@{$ciphersuites{$protocol}}) {
+ if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
+ note "*****SKIPPING $protocol $cipher";
+@@ -504,11 +516,16 @@ sub testssl {
+ } else {
+ $cipher = $cipher.':@SECLEVEL=0';
+ }
+- ok(run(test([@ssltest, @exkeys, "-cipher",
+- $cipher,
+- "-ciphersuites", $ciphersuites,
+- $flag || ()])),
+- "Testing $cipher");
++ if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) {
++ note "*****SKIPPING $cipher in Red Hat FIPS mode";
++ ok(1);
++ } else {
++ ok(run(test([@ssltest, @exkeys, "-cipher",
++ $cipher,
++ "-ciphersuites", $ciphersuites,
++ $flag || ()])),
++ "Testing $cipher");
++ }
+ }
+ }
+ next if $protocol eq "-tls1_3";
+-- 
+2.44.0
+
diff --git a/0060-FIPS-KAT-signature-tests.patch b/0060-FIPS-KAT-signature-tests.patch
deleted file mode 100644
index 184b150..0000000
--- a/0060-FIPS-KAT-signature-tests.patch
+++ /dev/null
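Review bot: The skip added to `check_availability` in 80-test_cms.t, `if ($tnam =~ /no Red Hat FIPS/);`, keys only on the test name, so the "AES-256 cipher, 3 recipients" enveloped-content test is skipped whenever this check runs, not only when the FIPS provider is under test. The condition should also test the active provider, along the lines of `if (<FIPS provider selected> && $tnam =~ /no Red Hat FIPS/);`, using whatever variable this file keeps for that (not visible in the hunk), the way the 80-test_ssl_old.t change gates on `$provider eq "fips"`. In 80-test_ssl_old.t the FIPS branch records a bare `ok(1);`, so the ten suites in `%redhat_skip_cipher` show up as unnamed passes in the TAP output; `ok(1, "Skipping $cipher in Red Hat FIPS mode");` would label them. If these suites are expected to be refused under the FIPS provider, asserting that the handshake fails would catch a regression that makes them negotiable again. Both `check_availability` and `testssl` begin and end outside the quoted hunks.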
@@ -1,420 +0,0 @@ -diff -up openssl-3.0.1/crypto/ec/ec_backend.c.fips_kat_signature openssl-3.0.1/crypto/ec/ec_backend.c ---- openssl-3.0.1/crypto/ec/ec_backend.c.fips_kat_signature 2022-04-04 15:49:24.786455707 +0200 -+++ openssl-3.0.1/crypto/ec/ec_backend.c 2022-04-04 16:06:13.250271963 +0200 -@@ -393,6 +393,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con - const OSSL_PARAM *param_priv_key = NULL, *param_pub_key = NULL; - BN_CTX *ctx = NULL; - BIGNUM *priv_key = NULL; -+#ifdef FIPS_MODULE -+ const OSSL_PARAM *param_sign_kat_k = NULL; -+ BIGNUM *sign_kat_k = NULL; -+#endif - unsigned char *pub_key = NULL; - size_t pub_key_len; - const EC_GROUP *ecg = NULL; -@@ -408,7 +412,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con - if (include_private) - param_priv_key = - OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); -- -+#ifdef FIPS_MODULE -+ param_sign_kat_k = -+ OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K); -+#endif - ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec)); - if (ctx == NULL) - goto err; -@@ -481,6 +489,17 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con - && !EC_KEY_set_public_key(ec, pub_point)) - goto err; - -+#ifdef FIPS_MODULE -+ if (param_sign_kat_k) { -+ if ((sign_kat_k = BN_secure_new()) == NULL) -+ goto err; -+ BN_set_flags(sign_kat_k, BN_FLG_CONSTTIME); -+ -+ if (!OSSL_PARAM_get_BN(param_sign_kat_k, &sign_kat_k)) -+ goto err; -+ ec->sign_kat_k = sign_kat_k; -+ } -+#endif - ok = 1; - - err: -diff -up openssl-3.0.1/crypto/ec/ecdsa_ossl.c.fips_kat_signature openssl-3.0.1/crypto/ec/ecdsa_ossl.c ---- openssl-3.0.1/crypto/ec/ecdsa_ossl.c.fips_kat_signature 2022-04-04 17:01:35.725323127 +0200 -+++ openssl-3.0.1/crypto/ec/ecdsa_ossl.c 2022-04-04 17:03:42.000427050 +0200 -@@ -20,6 +20,10 @@ - #include "crypto/bn.h" - #include "ec_local.h" - -+#ifdef FIPS_MODULE -+extern int REDHAT_FIPS_signature_st; -+#endif -+ - int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, - BIGNUM **rp) - { -@@ -126,6 +130,11 @@ static 
int ecdsa_sign_setup(EC_KEY *ecke - goto err; - - do { -+#ifdef FIPS_MODULE -+ if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) { -+ BN_copy(k, eckey->sign_kat_k); -+ } else { -+#endif - /* get random k */ - do { - if (dgst != NULL) { -@@ -141,7 +150,9 @@ static int ecdsa_sign_setup(EC_KEY *ecke - } - } - } while (BN_is_zero(k)); -- -+#ifdef FIPS_MODULE -+ } -+#endif - /* compute r the x-coordinate of generator * k */ - if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); -diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips_kat_signature openssl-3.0.1/crypto/ec/ec_key.c ---- openssl-3.0.1/crypto/ec/ec_key.c.fips_kat_signature 2022-04-04 13:48:52.231172299 +0200 -+++ openssl-3.0.1/crypto/ec/ec_key.c 2022-04-04 14:00:35.077368605 +0200 -@@ -97,6 +97,9 @@ void EC_KEY_free(EC_KEY *r) - EC_GROUP_free(r->group); - EC_POINT_free(r->pub_key); - BN_clear_free(r->priv_key); -+#ifdef FIPS_MODULE -+ BN_clear_free(r->sign_kat_k); -+#endif - OPENSSL_free(r->propq); - - OPENSSL_clear_free((void *)r, sizeof(EC_KEY)); -diff -up openssl-3.0.1/crypto/ec/ec_local.h.fips_kat_signature openssl-3.0.1/crypto/ec/ec_local.h ---- openssl-3.0.1/crypto/ec/ec_local.h.fips_kat_signature 2022-04-04 13:46:57.576161867 +0200 -+++ openssl-3.0.1/crypto/ec/ec_local.h 2022-04-04 13:48:07.827780835 +0200 -@@ -298,6 +298,9 @@ struct ec_key_st { - #ifndef FIPS_MODULE - CRYPTO_EX_DATA ex_data; - #endif -+#ifdef FIPS_MODULE -+ BIGNUM *sign_kat_k; -+#endif - CRYPTO_RWLOCK *lock; - OSSL_LIB_CTX *libctx; - char *propq; -diff -up openssl-3.0.1/include/openssl/core_names.h.fips_kat_signature openssl-3.0.1/include/openssl/core_names.h ---- openssl-3.0.1/include/openssl/core_names.h.fips_kat_signature 2022-04-04 14:06:15.717370014 +0200 -+++ openssl-3.0.1/include/openssl/core_names.h 2022-04-04 14:07:35.376071229 +0200 -@@ -293,6 +293,7 @@ extern "C" { - #define OSSL_PKEY_PARAM_DIST_ID "distid" - #define OSSL_PKEY_PARAM_PUB_KEY "pub" - #define 
OSSL_PKEY_PARAM_PRIV_KEY "priv" -+#define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K "rh_sign_kat_k" - - /* Diffie-Hellman/DSA Parameters */ - #define OSSL_PKEY_PARAM_FFC_P "p" -diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.fips_kat_signature openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c ---- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.fips_kat_signature 2022-04-04 14:21:03.043180906 +0200 -+++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c 2022-04-04 14:38:33.949406645 +0200 -@@ -530,7 +530,8 @@ end: - # define EC_IMEXPORTABLE_PUBLIC_KEY \ - OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0) - # define EC_IMEXPORTABLE_PRIVATE_KEY \ -- OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0) -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0), \ -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, NULL, 0) - # define EC_IMEXPORTABLE_OTHER_PARAMETERS \ - OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL), \ - OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, NULL) -diff -up openssl-3.0.1/providers/fips/self_test_kats.c.kat openssl-3.0.1/providers/fips/self_test_kats.c ---- openssl-3.0.1/providers/fips/self_test_kats.c.kat 2022-05-10 15:10:32.502185265 +0200 -+++ openssl-3.0.1/providers/fips/self_test_kats.c 2022-05-10 15:13:21.465653720 +0200 -@@ -17,6 +17,8 @@ - #include "self_test.h" - #include "self_test_data.inc" - -+int REDHAT_FIPS_signature_st = 0; -+ - static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st, - OSSL_LIB_CTX *libctx) - { -@@ -446,6 +448,7 @@ static int self_test_sign(const ST_KAT_S - EVP_PKEY *pkey = NULL; - unsigned char sig[256]; - BN_CTX *bnctx = NULL; -+ BIGNUM *K = NULL; - size_t siglen = sizeof(sig); - static const unsigned char dgst[] = { - 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, -@@ -462,6 +465,9 @@ static int self_test_sign(const ST_KAT_S - bnctx = BN_CTX_new_ex(libctx); - if (bnctx == NULL) - goto err; -+ K = BN_CTX_get(bnctx); -+ if 
(K == NULL || BN_bin2bn(dgst, sizeof(dgst), K) == NULL) -+ goto err; - - bld = OSSL_PARAM_BLD_new(); - if (bld == NULL) -@@ -469,6 +475,9 @@ static int self_test_sign(const ST_KAT_S - - if (!add_params(bld, t->key, bnctx)) - goto err; -+ /* set K for ECDSA KAT tests */ -+ if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, K)) -+ goto err; - params = OSSL_PARAM_BLD_to_param(bld); - - /* Create a EVP_PKEY_CTX to load the DSA key into */ -@@ -689,11 +698,13 @@ static int self_test_kas(OSSL_SELF_TEST - static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) - { - int i, ret = 1; -+ REDHAT_FIPS_signature_st = 1; - - for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) { - if (!self_test_sign(&st_kat_sign_tests[i], st, libctx)) - ret = 0; - } -+ REDHAT_FIPS_signature_st = 0; - return ret; - } - -diff -up openssl-3.0.1/providers/fips/self_test_data.inc.kat openssl-3.0.1/providers/fips/self_test_data.inc ---- openssl-3.0.1/providers/fips/self_test_data.inc.kat 2022-05-16 17:37:34.962807400 +0200 -+++ openssl-3.0.1/providers/fips/self_test_data.inc 2022-05-16 17:48:10.709376779 +0200 -@@ -1399,7 +1399,151 @@ static const ST_KAT_PARAM ecdsa_prime_ke - ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv), - ST_KAT_PARAM_END() - }; -+static const unsigned char ec224r1_kat_sig[] = { -+0x30, 0x3c, 0x02, 0x1c, 0x2f, 0x24, 0x30, 0x96, 0x3b, 0x39, 0xe0, 0xab, 0xe2, 0x5a, 0x6f, 0xe0, -+0x40, 0x7e, 0x19, 0x30, 0x6e, 0x6a, 0xfd, 0x7a, 0x2b, 0x5d, 0xaa, 0xc2, 0x34, 0x6c, 0xc8, 0xce, -+0x02, 0x1c, 0x47, 0xe1, 0xac, 0xfd, 0xb4, 0xb8, 0x2b, 0x8c, 0x49, 0xb6, 0x36, 0xcd, 0xdd, 0x22, -+0x2a, 0x2d, 0x29, 0x64, 0x70, 0x61, 0xc3, 0x3e, 0x18, 0x51, 0xec, 0xf2, 0xad, 0x3c -+}; - -+static const char ecd_prime_curve_name384[] = "secp384r1"; -+/* -+priv: -+ 58:12:2b:94:be:29:23:13:83:f5:c4:20:e8:22:34: -+ 54:73:49:91:10:05:e9:10:e9:d7:2d:72:9c:5e:6a: -+ ba:8f:6d:d6:e4:a7:eb:e0:ae:e3:d4:c9:aa:33:87: -+ 4c:91:87 -+pub: -+ 
04:d1:86:8b:f5:c4:a2:f7:a5:92:e6:85:2a:d2:92: -+ 81:97:0a:8d:fa:09:3f:84:6c:17:43:03:43:49:23: -+ 77:c4:31:f4:0a:a4:de:87:ac:5c:c0:d1:bc:e4:43: -+ 7f:8d:44:e1:3b:5f:bc:27:c8:79:0f:d0:31:9f:a7: -+ 6d:de:fb:f7:da:19:40:fd:aa:83:dc:69:ce:a6:f3: -+ 4d:65:20:1c:66:82:80:03:f7:7b:2e:f3:b3:7c:1f: -+ 11:f2:a3:bf:e8:0e:88 -+*/ -+static const unsigned char ecd_prime_priv384[] = { -+ 0x58, 0x12, 0x2b, 0x94, 0xbe, 0x29, 0x23, 0x13, 0x83, 0xf5, 0xc4, 0x20, 0xe8, 0x22, 0x34, -+ 0x54, 0x73, 0x49, 0x91, 0x10, 0x05, 0xe9, 0x10, 0xe9, 0xd7, 0x2d, 0x72, 0x9c, 0x5e, 0x6a, -+ 0xba, 0x8f, 0x6d, 0xd6, 0xe4, 0xa7, 0xeb, 0xe0, 0xae, 0xe3, 0xd4, 0xc9, 0xaa, 0x33, 0x87, -+ 0x4c, 0x91, 0x87 -+}; -+static const unsigned char ecd_prime_pub384[] = { -+ 0x04, 0xd1, 0x86, 0x8b, 0xf5, 0xc4, 0xa2, 0xf7, 0xa5, 0x92, 0xe6, 0x85, 0x2a, 0xd2, 0x92, -+ 0x81, 0x97, 0x0a, 0x8d, 0xfa, 0x09, 0x3f, 0x84, 0x6c, 0x17, 0x43, 0x03, 0x43, 0x49, 0x23, -+ 0x77, 0xc4, 0x31, 0xf4, 0x0a, 0xa4, 0xde, 0x87, 0xac, 0x5c, 0xc0, 0xd1, 0xbc, 0xe4, 0x43, -+ 0x7f, 0x8d, 0x44, 0xe1, 0x3b, 0x5f, 0xbc, 0x27, 0xc8, 0x79, 0x0f, 0xd0, 0x31, 0x9f, 0xa7, -+ 0x6d, 0xde, 0xfb, 0xf7, 0xda, 0x19, 0x40, 0xfd, 0xaa, 0x83, 0xdc, 0x69, 0xce, 0xa6, 0xf3, -+ 0x4d, 0x65, 0x20, 0x1c, 0x66, 0x82, 0x80, 0x03, 0xf7, 0x7b, 0x2e, 0xf3, 0xb3, 0x7c, 0x1f, -+ 0x11, 0xf2, 0xa3, 0xbf, 0xe8, 0x0e, 0x88 -+}; -+static const ST_KAT_PARAM ecdsa_prime_key384[] = { -+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name384), -+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub384), -+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv384), -+ ST_KAT_PARAM_END() -+}; -+static const unsigned char ec384r1_kat_sig[] = { -+0x30, 0x65, 0x02, 0x30, 0x1a, 0xd5, 0x57, 0x1b, 0x28, 0x0f, 0xf1, 0x68, 0x66, 0x68, 0x8a, 0x98, -+0xe3, 0x9c, 0xce, 0x7f, 0xa7, 0x68, 0xdc, 0x84, 0x5a, 0x65, 0xdc, 0x2b, 0x5d, 0x7e, 0xf3, 0x9b, -+0xa0, 0x40, 0xe8, 0x7a, 0x02, 0xc7, 0x82, 0xe0, 0x0c, 0x81, 0xa5, 0xda, 0x55, 0x27, 0xbf, 0x79, -+0xee, 0x72, 0xc2, 
0x14, 0x02, 0x31, 0x00, 0xd1, 0x9d, 0x67, 0xda, 0x5a, 0xd2, 0x58, 0x68, 0xe7, -+0x71, 0x08, 0xb2, 0xa4, 0xe4, 0xe8, 0x74, 0xb4, 0x0a, 0x3d, 0x76, 0x49, 0x31, 0x17, 0x6e, 0x33, -+0x16, 0xf0, 0x00, 0x1f, 0x3c, 0x1f, 0xf9, 0x7c, 0xdb, 0x93, 0x49, 0x9c, 0x7d, 0xb3, 0xd3, 0x30, -+0x98, 0x81, 0x6f, 0xb0, 0xc9, 0x30, 0x2f -+}; -+static const char ecd_prime_curve_name521[] = "secp521r1"; -+/* -+priv: -+ 00:44:0f:96:31:a9:87:f2:5f:be:a0:bc:ef:0c:ae: -+ 58:cc:5f:f8:44:9e:89:86:7e:bf:db:ce:cb:0e:20: -+ 10:4a:11:ec:0b:51:1d:e4:91:ca:c6:40:fb:c6:69: -+ ad:68:33:9e:c8:f5:c4:c6:a5:93:a8:4d:a9:a9:a2: -+ af:fe:6d:cb:c2:3b -+pub: -+ 04:01:5f:58:a9:40:0c:ee:9b:ed:4a:f4:7a:3c:a3: -+ 89:c2:f3:7e:2c:f4:b5:53:80:ae:33:7d:36:d1:b5: -+ 18:bd:ef:a9:48:00:ea:88:ee:00:5c:ca:07:08:b5: -+ 67:4a:c3:2b:10:c6:07:b0:c2:45:37:b7:1d:e3:6c: -+ e1:bf:2c:44:18:4a:aa:01:af:75:40:6a:e3:f5:b2: -+ 7f:d1:9d:1b:8b:29:1f:91:4d:db:93:bf:bd:8c:b7: -+ 6a:8d:4b:2c:36:2a:6b:ab:54:9d:7b:31:99:a4:de: -+ c9:10:c4:f4:a3:f4:6d:94:97:62:16:a5:34:65:1f: -+ 42:cd:8b:9e:e6:db:14:5d:a9:8d:19:95:8d -+*/ -+static const unsigned char ecd_prime_priv521[] = { -+ 0x00, 0x44, 0x0f, 0x96, 0x31, 0xa9, 0x87, 0xf2, 0x5f, 0xbe, 0xa0, 0xbc, 0xef, 0x0c, 0xae, -+ 0x58, 0xcc, 0x5f, 0xf8, 0x44, 0x9e, 0x89, 0x86, 0x7e, 0xbf, 0xdb, 0xce, 0xcb, 0x0e, 0x20, -+ 0x10, 0x4a, 0x11, 0xec, 0x0b, 0x51, 0x1d, 0xe4, 0x91, 0xca, 0xc6, 0x40, 0xfb, 0xc6, 0x69, -+ 0xad, 0x68, 0x33, 0x9e, 0xc8, 0xf5, 0xc4, 0xc6, 0xa5, 0x93, 0xa8, 0x4d, 0xa9, 0xa9, 0xa2, -+ 0xaf, 0xfe, 0x6d, 0xcb, 0xc2, 0x3b -+}; -+static const unsigned char ecd_prime_pub521[] = { -+ 0x04, 0x01, 0x5f, 0x58, 0xa9, 0x40, 0x0c, 0xee, 0x9b, 0xed, 0x4a, 0xf4, 0x7a, 0x3c, 0xa3, -+ 0x89, 0xc2, 0xf3, 0x7e, 0x2c, 0xf4, 0xb5, 0x53, 0x80, 0xae, 0x33, 0x7d, 0x36, 0xd1, 0xb5, -+ 0x18, 0xbd, 0xef, 0xa9, 0x48, 0x00, 0xea, 0x88, 0xee, 0x00, 0x5c, 0xca, 0x07, 0x08, 0xb5, -+ 0x67, 0x4a, 0xc3, 0x2b, 0x10, 0xc6, 0x07, 0xb0, 0xc2, 0x45, 0x37, 0xb7, 0x1d, 0xe3, 0x6c, -+ 0xe1, 0xbf, 0x2c, 0x44, 0x18, 0x4a, 0xaa, 
0x01, 0xaf, 0x75, 0x40, 0x6a, 0xe3, 0xf5, 0xb2, -+ 0x7f, 0xd1, 0x9d, 0x1b, 0x8b, 0x29, 0x1f, 0x91, 0x4d, 0xdb, 0x93, 0xbf, 0xbd, 0x8c, 0xb7, -+ 0x6a, 0x8d, 0x4b, 0x2c, 0x36, 0x2a, 0x6b, 0xab, 0x54, 0x9d, 0x7b, 0x31, 0x99, 0xa4, 0xde, -+ 0xc9, 0x10, 0xc4, 0xf4, 0xa3, 0xf4, 0x6d, 0x94, 0x97, 0x62, 0x16, 0xa5, 0x34, 0x65, 0x1f, -+ 0x42, 0xcd, 0x8b, 0x9e, 0xe6, 0xdb, 0x14, 0x5d, 0xa9, 0x8d, 0x19, 0x95, 0x8d -+}; -+static const ST_KAT_PARAM ecdsa_prime_key521[] = { -+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name521), -+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub521), -+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv521), -+ ST_KAT_PARAM_END() -+}; -+static const unsigned char ec521r1_kat_sig[] = { -+0x30, 0x81, 0x88, 0x02, 0x42, 0x00, 0xdf, 0x64, 0x9c, 0xc8, 0x5b, 0xdd, 0x0b, 0x7f, 0x69, 0x7e, -+0xdb, 0x83, 0x58, 0x67, 0x63, 0x43, 0xb7, 0xfa, 0x40, 0x29, 0xde, 0xb9, 0xde, 0xe9, 0x96, 0x65, -+0xe6, 0x8e, 0xf4, 0xeb, 0xd0, 0xe9, 0x6a, 0xd3, 0x27, 0x6c, 0x4d, 0x60, 0x47, 0x9c, 0x62, 0xb8, -+0x6c, 0xc1, 0x36, 0x19, 0x65, 0xff, 0xab, 0xcf, 0x24, 0xa3, 0xde, 0xd1, 0x4b, 0x1b, 0xdd, 0x89, -+0xcf, 0xf8, 0x72, 0x7b, 0x92, 0xbc, 0x02, 0x02, 0x42, 0x01, 0xf8, 0x07, 0x77, 0xb8, 0xcb, 0xa2, -+0xe2, 0x1f, 0x53, 0x9a, 0x7c, 0x16, 0xb5, 0x8e, 0xad, 0xe3, 0xc3, 0xac, 0xb7, 0xb2, 0x51, 0x8f, -+0xf9, 0x09, 0x65, 0x43, 0xf8, 0xd8, 0x3c, 0xe3, 0x5c, 0x4a, 0x5e, 0x3d, 0x6f, 0xb7, 0xbb, 0x5a, -+0x92, 0x69, 0xec, 0x71, 0xa2, 0x35, 0xe5, 0x29, 0x17, 0xaf, 0xc9, 0x69, 0xa7, 0xaa, 0x94, 0xf9, -+0xf9, 0x50, 0x87, 0x7b, 0x5d, 0x87, 0xe3, 0xd6, 0x3f, 0xb6, 0x6e -+}; -+static const char ecd_prime_curve_name256[] = "prime256v1"; -+/* -+priv: -+ 84:88:11:3f:a9:c9:9e:23:72:8b:40:cb:a2:b1:88: -+ 01:1e:92:48:af:13:2d:9b:33:8e:6d:43:40:30:c7: -+ 30:fa -+pub: -+ 04:22:58:b6:f9:01:3b:8c:a6:9b:9f:ae:75:fc:73: -+ cf:1b:f0:81:dc:55:a3:cc:5d:81:46:85:06:32:34: -+ 99:0d:c5:7e:a1:95:bb:21:73:33:40:4b:35:17:f6: -+ 8e:26:61:46:94:2c:4c:ac:9b:20:f8:08:72:25:74: 
-+ 98:66:c4:63:a6 -+*/ -+static const unsigned char ecd_prime_priv256[] = { -+ 0x84, 0x88, 0x11, 0x3f, 0xa9, 0xc9, 0x9e, 0x23, 0x72, 0x8b, 0x40, 0xcb, 0xa2, 0xb1, 0x88, -+ 0x01, 0x1e, 0x92, 0x48, 0xaf, 0x13, 0x2d, 0x9b, 0x33, 0x8e, 0x6d, 0x43, 0x40, 0x30, 0xc7, -+ 0x30, 0xfa -+}; -+static const unsigned char ecd_prime_pub256[] = { -+ 0x04, 0x22, 0x58, 0xb6, 0xf9, 0x01, 0x3b, 0x8c, 0xa6, 0x9b, 0x9f, 0xae, 0x75, 0xfc, 0x73, -+ 0xcf, 0x1b, 0xf0, 0x81, 0xdc, 0x55, 0xa3, 0xcc, 0x5d, 0x81, 0x46, 0x85, 0x06, 0x32, 0x34, -+ 0x99, 0x0d, 0xc5, 0x7e, 0xa1, 0x95, 0xbb, 0x21, 0x73, 0x33, 0x40, 0x4b, 0x35, 0x17, 0xf6, -+ 0x8e, 0x26, 0x61, 0x46, 0x94, 0x2c, 0x4c, 0xac, 0x9b, 0x20, 0xf8, 0x08, 0x72, 0x25, 0x74, -+ 0x98, 0x66, 0xc4, 0x63, 0xa6 -+}; -+static const ST_KAT_PARAM ecdsa_prime_key256[] = { -+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name256), -+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub256), -+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv256), -+ ST_KAT_PARAM_END() -+}; -+static const unsigned char ec256v1_kat_sig[] = { -+0x30, 0x46, 0x02, 0x21, 0x00, 0xc9, 0x11, 0x27, 0x06, 0x51, 0x2b, 0x50, 0x8c, 0x6b, 0xc0, 0xa6, -+0x85, 0xaa, 0xf4, 0x66, 0x0d, 0xe4, 0x54, 0x0a, 0x10, 0xb6, 0x9f, 0x87, 0xfc, 0xa2, 0xbc, 0x8f, -+0x3c, 0x58, 0xb4, 0xe9, 0x41, 0x02, 0x21, 0x00, 0xc9, 0x72, 0x94, 0xa9, 0xdd, 0x52, 0xca, 0x21, -+0x82, 0x66, 0x7a, 0x68, 0xcb, 0x1e, 0x3b, 0x12, 0x71, 0x4d, 0x56, 0xb5, 0xb7, 0xdd, 0xca, 0x2b, -+0x18, 0xa3, 0xa7, 0x08, 0x0d, 0xfa, 0x9c, 0x66 -+}; - # ifndef OPENSSL_NO_EC2M - static const char ecd_bin_curve_name[] = "sect233r1"; - static const unsigned char ecd_bin_priv[] = { -@@ -1571,8 +1715,42 @@ static const ST_KAT_SIGN st_kat_sign_tes - ecdsa_prime_key, - /* - * The ECDSA signature changes each time due to it using a random k. -- * So there is no expected KAT for this case. 
-+ * We provide this value in our build -+ */ -+ ITM(ec224r1_kat_sig) -+ }, -+ { -+ OSSL_SELF_TEST_DESC_SIGN_ECDSA, -+ "EC", -+ "SHA-256", -+ ecdsa_prime_key384, -+ /* -+ * The ECDSA signature changes each time due to it using a random k. -+ * We provide this value in our build -+ */ -+ ITM(ec384r1_kat_sig) -+ }, -+ { -+ OSSL_SELF_TEST_DESC_SIGN_ECDSA, -+ "EC", -+ "SHA-256", -+ ecdsa_prime_key521, -+ /* -+ * The ECDSA signature changes each time due to it using a random k. -+ * We provide this value in our build -+ */ -+ ITM(ec521r1_kat_sig) -+ }, -+ { -+ OSSL_SELF_TEST_DESC_SIGN_ECDSA, -+ "EC", -+ "SHA-256", -+ ecdsa_prime_key256, -+ /* -+ * The ECDSA signature changes each time due to it using a random k. -+ * We provide this value in our build - */ -+ ITM(ec256v1_kat_sig) - }, - # ifndef OPENSSL_NO_EC2M - { -diff -up openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c.fipskat openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c ---- openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c.fipskat 2022-05-30 14:48:53.180999124 +0200 -+++ openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c 2022-05-30 14:58:52.841286228 +0200 -@@ -44,6 +44,10 @@ - #define S390X_OFF_RN(n) (4 * n) - #define S390X_OFF_Y(n) (4 * n) - -+#ifdef FIPS_MODULE -+extern int REDHAT_FIPS_signature_st; -+#endif -+ - static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, - size_t num, const EC_POINT *points[], -@@ -183,11 +187,21 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign - * because kdsa instruction constructs an in-range, invertible nonce - * internally implementing counter-measures for RNG weakness. - */ -+#ifdef FIPS_MODULE -+ if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) { -+ BN_bn2binpad(eckey->sign_kat_k, param + S390X_OFF_RN(len), len); -+ /* Turns KDSA internal nonce-generation off. 
*/ -+ fc |= S390X_KDSA_D; -+ } else { -+#endif - if (RAND_priv_bytes_ex(eckey->libctx, param + S390X_OFF_RN(len), - (size_t)len, 0) != 1) { - ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED); - goto ret; - } -+#ifdef FIPS_MODULE -+ } -+#endif - } else { - /* Reconstruct k = (k^-1)^-1. */ - if (ossl_ec_group_do_inverse_ord(group, k, kinv, NULL) == 0 diff --git a/0062-fips-Expose-a-FIPS-indicator.patch b/0062-fips-Expose-a-FIPS-indicator.patch index d2e9b0a..f1ad59d 100644 --- a/0062-fips-Expose-a-FIPS-indicator.patch +++ b/0062-fips-Expose-a-FIPS-indicator.patch @@ -248,8 +248,8 @@ index de391ce067..1cfd71c5cf 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -23,6 +23,7 @@ - #include "prov/seeding.h" #include "self_test.h" + #include "crypto/context.h" #include "internal/core.h" +#include "indicator.h" diff --git a/0067-ppc64le-Montgomery-multiply.patch b/0067-ppc64le-Montgomery-multiply.patch deleted file mode 100644 index 36c0222..0000000 --- a/0067-ppc64le-Montgomery-multiply.patch +++ /dev/null 
@@ -1,703 +0,0 @@ -From 33ffd36afa7594aeb958a925f521cb287ca850c8 Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Mon, 27 Jun 2022 12:14:55 +1000 -Subject: [PATCH 1/2] Revert "Revert "bn: Add fixed length (n=6), unrolled PPC - Montgomery Multiplication"" - -This reverts commit 712d9cc90e355b2c98a959d4e9398610d2269c9e. ---- - crypto/bn/asm/ppc64-mont-fixed.pl | 581 ++++++++++++++++++++++++++++++ - crypto/bn/bn_ppc.c | 15 + - crypto/bn/build.info | 3 +- - 3 files changed, 598 insertions(+), 1 deletion(-) - -diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl -index e69de29bb2d1..0fb397bc5f12 100755 ---- a/crypto/bn/asm/ppc64-mont-fixed.pl -+++ b/crypto/bn/asm/ppc64-mont-fixed.pl -@@ -0,0 +1,581 @@ -+#! /usr/bin/env perl -+# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+# ==================================================================== -+# Written by Amitay Isaacs , Martin Schwenke -+# & Alastair D'Silva for -+# the OpenSSL project. -+# ==================================================================== -+ -+# -+# Fixed length (n=6), unrolled PPC Montgomery Multiplication -+# -+ -+# 2021 -+# -+# Although this is a generic implementation for unrolling Montgomery -+# Multiplication for arbitrary values of n, this is currently only -+# used for n = 6 to improve the performance of ECC p384. -+# -+# Unrolling allows intermediate results to be stored in registers, -+# rather than on the stack, improving performance by ~7% compared to -+# the existing PPC assembly code. -+# -+# The ISA 3.0 implementation uses combination multiply/add -+# instructions (maddld, maddhdu) to improve performance by an -+# additional ~10% on Power 9. 
-+# -+# Finally, saving non-volatile registers into volatile vector -+# registers instead of onto the stack saves a little more. -+# -+# On a Power 9 machine we see an overall improvement of ~18%. -+# -+ -+use strict; -+use warnings; -+ -+my ($flavour, $output, $dir, $xlate); -+ -+# $output is the last argument if it looks like a file (it has an extension) -+# $flavour is the first argument if it doesn't look like a file -+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; -+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; -+ -+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or -+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or -+die "can't locate ppc-xlate.pl"; -+ -+open STDOUT,"| $^X $xlate $flavour \"$output\"" -+ or die "can't call $xlate: $!"; -+ -+if ($flavour !~ /64/) { -+ die "bad flavour ($flavour) - only ppc64 permitted"; -+} -+ -+my $SIZE_T= 8; -+ -+# Registers are global so the code is remotely readable -+ -+# Parameters for Montgomery multiplication -+my $sp = "r1"; -+my $toc = "r2"; -+my $rp = "r3"; -+my $ap = "r4"; -+my $bp = "r5"; -+my $np = "r6"; -+my $n0 = "r7"; -+my $num = "r8"; -+ -+my $i = "r9"; -+my $c0 = "r10"; -+my $bp0 = "r11"; -+my $bpi = "r11"; -+my $bpj = "r11"; -+my $tj = "r12"; -+my $apj = "r12"; -+my $npj = "r12"; -+my $lo = "r14"; -+my $c1 = "r14"; -+ -+# Non-volatile registers used for tp[i] -+# -+# 12 registers are available but the limit on unrolling is 10, -+# since registers from $tp[0] to $tp[$n+1] are used. -+my @tp = ("r20" .. "r31"); -+ -+# volatile VSRs for saving non-volatile GPRs - faster than stack -+my @vsrs = ("v32" .. 
"v46"); -+ -+package Mont; -+ -+sub new($$) -+{ -+ my ($class, $n) = @_; -+ -+ if ($n > 10) { -+ die "Can't unroll for BN length ${n} (maximum 10)" -+ } -+ -+ my $self = { -+ code => "", -+ n => $n, -+ }; -+ bless $self, $class; -+ -+ return $self; -+} -+ -+sub add_code($$) -+{ -+ my ($self, $c) = @_; -+ -+ $self->{code} .= $c; -+} -+ -+sub get_code($) -+{ -+ my ($self) = @_; -+ -+ return $self->{code}; -+} -+ -+sub get_function_name($) -+{ -+ my ($self) = @_; -+ -+ return "bn_mul_mont_fixed_n" . $self->{n}; -+} -+ -+sub get_label($$) -+{ -+ my ($self, $l) = @_; -+ -+ return "L" . $l . "_" . $self->{n}; -+} -+ -+sub get_labels($@) -+{ -+ my ($self, @labels) = @_; -+ -+ my %out = (); -+ -+ foreach my $l (@labels) { -+ $out{"$l"} = $self->get_label("$l"); -+ } -+ -+ return \%out; -+} -+ -+sub nl($) -+{ -+ my ($self) = @_; -+ -+ $self->add_code("\n"); -+} -+ -+sub copy_result($) -+{ -+ my ($self) = @_; -+ -+ my ($n) = $self->{n}; -+ -+ for (my $j = 0; $j < $n; $j++) { -+ $self->add_code(<<___); -+ std $tp[$j],`$j*$SIZE_T`($rp) -+___ -+ } -+ -+} -+ -+sub mul_mont_fixed($) -+{ -+ my ($self) = @_; -+ -+ my ($n) = $self->{n}; -+ my $fname = $self->get_function_name(); -+ my $label = $self->get_labels("outer", "enter", "sub", "copy", "end"); -+ -+ $self->add_code(<<___); -+ -+.globl .${fname} -+.align 5 -+.${fname}: -+ -+___ -+ -+ $self->save_registers(); -+ -+ $self->add_code(<<___); -+ ld $n0,0($n0) -+ -+ ld $bp0,0($bp) -+ -+ ld $apj,0($ap) -+___ -+ -+ $self->mul_c_0($tp[0], $apj, $bp0, $c0); -+ -+ for (my $j = 1; $j < $n - 1; $j++) { -+ $self->add_code(<<___); -+ ld $apj,`$j*$SIZE_T`($ap) -+___ -+ $self->mul($tp[$j], $apj, $bp0, $c0); -+ } -+ -+ $self->add_code(<<___); -+ ld $apj,`($n-1)*$SIZE_T`($ap) -+___ -+ -+ $self->mul_last($tp[$n-1], $tp[$n], $apj, $bp0, $c0); -+ -+ $self->add_code(<<___); -+ li $tp[$n+1],0 -+ -+___ -+ -+ $self->add_code(<<___); -+ li $i,0 -+ mtctr $num -+ b $label->{"enter"} -+ -+.align 4 -+$label->{"outer"}: -+ ldx $bpi,$bp,$i -+ -+ ld 
$apj,0($ap) -+___ -+ -+ $self->mul_add_c_0($tp[0], $tp[0], $apj, $bpi, $c0); -+ -+ for (my $j = 1; $j < $n; $j++) { -+ $self->add_code(<<___); -+ ld $apj,`$j*$SIZE_T`($ap) -+___ -+ $self->mul_add($tp[$j], $tp[$j], $apj, $bpi, $c0); -+ } -+ -+ $self->add_code(<<___); -+ addc $tp[$n],$tp[$n],$c0 -+ addze $tp[$n+1],$tp[$n+1] -+___ -+ -+ $self->add_code(<<___); -+.align 4 -+$label->{"enter"}: -+ mulld $bpi,$tp[0],$n0 -+ -+ ld $npj,0($np) -+___ -+ -+ $self->mul_add_c_0($lo, $tp[0], $bpi, $npj, $c0); -+ -+ for (my $j = 1; $j < $n; $j++) { -+ $self->add_code(<<___); -+ ld $npj,`$j*$SIZE_T`($np) -+___ -+ $self->mul_add($tp[$j-1], $tp[$j], $npj, $bpi, $c0); -+ } -+ -+ $self->add_code(<<___); -+ addc $tp[$n-1],$tp[$n],$c0 -+ addze $tp[$n],$tp[$n+1] -+ -+ addi $i,$i,$SIZE_T -+ bdnz $label->{"outer"} -+ -+ and. $tp[$n],$tp[$n],$tp[$n] -+ bne $label->{"sub"} -+ -+ cmpld $tp[$n-1],$npj -+ blt $label->{"copy"} -+ -+$label->{"sub"}: -+___ -+ -+ # -+ # Reduction -+ # -+ -+ $self->add_code(<<___); -+ ld $bpj,`0*$SIZE_T`($np) -+ subfc $c1,$bpj,$tp[0] -+ std $c1,`0*$SIZE_T`($rp) -+ -+___ -+ for (my $j = 1; $j < $n - 1; $j++) { -+ $self->add_code(<<___); -+ ld $bpj,`$j*$SIZE_T`($np) -+ subfe $c1,$bpj,$tp[$j] -+ std $c1,`$j*$SIZE_T`($rp) -+ -+___ -+ } -+ -+ $self->add_code(<<___); -+ subfe $c1,$npj,$tp[$n-1] -+ std $c1,`($n-1)*$SIZE_T`($rp) -+ -+___ -+ -+ $self->add_code(<<___); -+ addme. 
$tp[$n],$tp[$n] -+ beq $label->{"end"} -+ -+$label->{"copy"}: -+___ -+ -+ $self->copy_result(); -+ -+ $self->add_code(<<___); -+ -+$label->{"end"}: -+___ -+ -+ $self->restore_registers(); -+ -+ $self->add_code(<<___); -+ li r3,1 -+ blr -+.size .${fname},.-.${fname} -+___ -+ -+} -+ -+package Mont::GPR; -+ -+our @ISA = ('Mont'); -+ -+sub new($$) -+{ -+ my ($class, $n) = @_; -+ -+ return $class->SUPER::new($n); -+} -+ -+sub save_registers($) -+{ -+ my ($self) = @_; -+ -+ my $n = $self->{n}; -+ -+ $self->add_code(<<___); -+ std $lo,-8($sp) -+___ -+ -+ for (my $j = 0; $j <= $n+1; $j++) { -+ $self->{code}.=<<___; -+ std $tp[$j],-`($j+2)*8`($sp) -+___ -+ } -+ -+ $self->add_code(<<___); -+ -+___ -+} -+ -+sub restore_registers($) -+{ -+ my ($self) = @_; -+ -+ my $n = $self->{n}; -+ -+ $self->add_code(<<___); -+ ld $lo,-8($sp) -+___ -+ -+ for (my $j = 0; $j <= $n+1; $j++) { -+ $self->{code}.=<<___; -+ ld $tp[$j],-`($j+2)*8`($sp) -+___ -+ } -+ -+ $self->{code} .=<<___; -+ -+___ -+} -+ -+# Direct translation of C mul() -+sub mul($$$$$) -+{ -+ my ($self, $r, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ mulld $lo,$a,$w -+ addc $r,$lo,$c -+ mulhdu $c,$a,$w -+ addze $c,$c -+ -+___ -+} -+ -+# Like mul() but $c is ignored as an input - an optimisation to save a -+# preliminary instruction that would set input $c to 0 -+sub mul_c_0($$$$$) -+{ -+ my ($self, $r, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ mulld $r,$a,$w -+ mulhdu $c,$a,$w -+ -+___ -+} -+ -+# Like mul() but does not to the final addition of CA into $c - an -+# optimisation to save an instruction -+sub mul_last($$$$$$) -+{ -+ my ($self, $r1, $r2, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ mulld $lo,$a,$w -+ addc $r1,$lo,$c -+ mulhdu $c,$a,$w -+ -+ addze $r2,$c -+___ -+} -+ -+# Like C mul_add() but allow $r_out and $r_in to be different -+sub mul_add($$$$$$) -+{ -+ my ($self, $r_out, $r_in, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ mulld $lo,$a,$w -+ addc $lo,$lo,$c -+ mulhdu $c,$a,$w -+ 
addze $c,$c -+ addc $r_out,$r_in,$lo -+ addze $c,$c -+ -+___ -+} -+ -+# Like mul_add() but $c is ignored as an input - an optimisation to save a -+# preliminary instruction that would set input $c to 0 -+sub mul_add_c_0($$$$$$) -+{ -+ my ($self, $r_out, $r_in, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ mulld $lo,$a,$w -+ addc $r_out,$r_in,$lo -+ mulhdu $c,$a,$w -+ addze $c,$c -+ -+___ -+} -+ -+package Mont::GPR_300; -+ -+our @ISA = ('Mont::GPR'); -+ -+sub new($$) -+{ -+ my ($class, $n) = @_; -+ -+ my $mont = $class->SUPER::new($n); -+ -+ return $mont; -+} -+ -+sub get_function_name($) -+{ -+ my ($self) = @_; -+ -+ return "bn_mul_mont_300_fixed_n" . $self->{n}; -+} -+ -+sub get_label($$) -+{ -+ my ($self, $l) = @_; -+ -+ return "L" . $l . "_300_" . $self->{n}; -+} -+ -+# Direct translation of C mul() -+sub mul($$$$$) -+{ -+ my ($self, $r, $a, $w, $c, $last) = @_; -+ -+ $self->add_code(<<___); -+ maddld $r,$a,$w,$c -+ maddhdu $c,$a,$w,$c -+ -+___ -+} -+ -+# Save the last carry as the final entry -+sub mul_last($$$$$) -+{ -+ my ($self, $r1, $r2, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ maddld $r1,$a,$w,$c -+ maddhdu $r2,$a,$w,$c -+ -+___ -+} -+ -+# Like mul() but $c is ignored as an input - an optimisation to save a -+# preliminary instruction that would set input $c to 0 -+sub mul_c_0($$$$$) -+{ -+ my ($self, $r, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ mulld $r,$a,$w -+ mulhdu $c,$a,$w -+ -+___ -+} -+ -+# Like C mul_add() but allow $r_out and $r_in to be different -+sub mul_add($$$$$$) -+{ -+ my ($self, $r_out, $r_in, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ maddld $lo,$a,$w,$c -+ maddhdu $c,$a,$w,$c -+ addc $r_out,$r_in,$lo -+ addze $c,$c -+ -+___ -+} -+ -+# Like mul_add() but $c is ignored as an input - an optimisation to save a -+# preliminary instruction that would set input $c to 0 -+sub mul_add_c_0($$$$$$) -+{ -+ my ($self, $r_out, $r_in, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ maddld $lo,$a,$w,$r_in -+ maddhdu 
$c,$a,$w,$r_in -+___ -+ -+ if ($r_out ne $lo) { -+ $self->add_code(<<___); -+ mr $r_out,$lo -+___ -+ } -+ -+ $self->nl(); -+} -+ -+ -+package main; -+ -+my $code; -+ -+$code.=<<___; -+.machine "any" -+.text -+___ -+ -+my $mont; -+ -+$mont = new Mont::GPR(6); -+$mont->mul_mont_fixed(); -+$code .= $mont->get_code(); -+ -+$mont = new Mont::GPR_300(6); -+$mont->mul_mont_fixed(); -+$code .= $mont->get_code(); -+ -+$code =~ s/\`([^\`]*)\`/eval $1/gem; -+ -+$code.=<<___; -+.asciz "Montgomery Multiplication for PPC by , " -+___ -+ -+print $code; -+close STDOUT or die "error closing STDOUT: $!"; -diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c -index 3ee76ea96574..1e9421bee213 100644 ---- a/crypto/bn/bn_ppc.c -+++ b/crypto/bn/bn_ppc.c -@@ -19,6 +19,12 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, int num); - int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, int num); -+ int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, -+ const BN_ULONG *bp, const BN_ULONG *np, -+ const BN_ULONG *n0, int num); -+ int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, -+ const BN_ULONG *bp, const BN_ULONG *np, -+ const BN_ULONG *n0, int num); - - if (num < 4) - return 0; -@@ -34,5 +40,14 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - * no opportunity to figure it out... 
- */ - -+#if defined(_ARCH_PPC64) && !defined(__ILP32__) -+ if (num == 6) { -+ if (OPENSSL_ppccap_P & PPC_MADD300) -+ return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num); -+ else -+ return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num); -+ } -+#endif -+ - return bn_mul_mont_int(rp, ap, bp, np, n0, num); - } -diff --git a/crypto/bn/build.info b/crypto/bn/build.info -index 4f8d0689b5ea..987a70ae263b 100644 ---- a/crypto/bn/build.info -+++ b/crypto/bn/build.info -@@ -79,7 +79,7 @@ IF[{- !$disabled{asm} -}] - - $BNASM_ppc32=bn_ppc.c bn-ppc.s ppc-mont.s - $BNDEF_ppc32=OPENSSL_BN_ASM_MONT -- $BNASM_ppc64=$BNASM_ppc32 -+ $BNASM_ppc64=$BNASM_ppc32 ppc64-mont-fixed.s - $BNDEF_ppc64=$BNDEF_ppc32 - - $BNASM_c64xplus=asm/bn-c64xplus.asm -@@ -173,6 +173,7 @@ GENERATE[parisc-mont.s]=asm/parisc-mont.pl - GENERATE[bn-ppc.s]=asm/ppc.pl - GENERATE[ppc-mont.s]=asm/ppc-mont.pl - GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl -+GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl - - GENERATE[alpha-mont.S]=asm/alpha-mont.pl - - -From 01ebad0d6e3a09bc9e32350b402901471610a3dc Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Thu, 30 Jun 2022 16:21:06 +1000 -Subject: [PATCH 2/2] Fix unrolled montgomery multiplication for POWER9 - -In the reference C implementation in bn_asm.c, tp[num + 1] contains the -carry bit for accumulations into tp[num]. tp[num + 1] is only ever -assigned, never itself incremented. 
---- - crypto/bn/asm/ppc64-mont-fixed.pl | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl -index 0fb397bc5f12..e27d0ad93d85 100755 ---- a/crypto/bn/asm/ppc64-mont-fixed.pl -+++ b/crypto/bn/asm/ppc64-mont-fixed.pl -@@ -63,6 +63,7 @@ - # Registers are global so the code is remotely readable - - # Parameters for Montgomery multiplication -+my $ze = "r0"; - my $sp = "r1"; - my $toc = "r2"; - my $rp = "r3"; -@@ -192,6 +193,7 @@ ($) - $self->save_registers(); - - $self->add_code(<<___); -+ li $ze,0 - ld $n0,0($n0) - - ld $bp0,0($bp) -@@ -242,7 +244,7 @@ ($) - - $self->add_code(<<___); - addc $tp[$n],$tp[$n],$c0 -- addze $tp[$n+1],$tp[$n+1] -+ addze $tp[$n+1],$ze - ___ - - $self->add_code(<<___); -@@ -272,7 +274,7 @@ ($) - and. $tp[$n],$tp[$n],$tp[$n] - bne $label->{"sub"} - -- cmpld $tp[$n-1],$npj -+ cmpld $tp[$n-1],$npj - blt $label->{"copy"} - - $label->{"sub"}: diff --git a/0071-AES-GCM-performance-optimization.patch b/0071-AES-GCM-performance-optimization.patch deleted file mode 100644 index edf40ec..0000000 --- a/0071-AES-GCM-performance-optimization.patch +++ /dev/null 
@@ -1,1635 +0,0 @@ -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c, https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd] -diff --git a/crypto/modes/asm/aes-gcm-ppc.pl b/crypto/modes/asm/aes-gcm-ppc.pl -new file mode 100644 -index 0000000..6624e6c ---- /dev/null -+++ b/crypto/modes/asm/aes-gcm-ppc.pl -@@ -0,0 +1,1438 @@ -+#! /usr/bin/env perl -+# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. -+# Copyright 2021- IBM Inc. All rights reserved -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+# -+#=================================================================================== -+# Written by Danny Tsen for OpenSSL Project, -+# -+# GHASH is based on the Karatsuba multiplication method. -+# -+# Xi xor X1 -+# -+# X1 * H^4 + X2 * H^3 + x3 * H^2 + X4 * H = -+# (X1.h * H4.h + xX.l * H4.l + X1 * H4) + -+# (X2.h * H3.h + X2.l * H3.l + X2 * H3) + -+# (X3.h * H2.h + X3.l * H2.l + X3 * H2) + -+# (X4.h * H.h + X4.l * H.l + X4 * H) -+# -+# Xi = v0 -+# H Poly = v2 -+# Hash keys = v3 - v14 -+# ( H.l, H, H.h) -+# ( H^2.l, H^2, H^2.h) -+# ( H^3.l, H^3, H^3.h) -+# ( H^4.l, H^4, H^4.h) -+# -+# v30 is IV -+# v31 - counter 1 -+# -+# AES used, -+# vs0 - vs14 for round keys -+# v15, v16, v17, v18, v19, v20, v21, v22 for 8 blocks (encrypted) -+# -+# This implementation uses stitched AES-GCM approach to improve overall performance. -+# AES is implemented with 8x blocks and GHASH is using 2 4x blocks. 
-+# -+# Current large block (16384 bytes) performance per second with 128 bit key -- -+# -+# Encrypt Decrypt -+# Power10[le] (3.5GHz) 5.32G 5.26G -+# -+# =================================================================================== -+# -+# $output is the last argument if it looks like a file (it has an extension) -+# $flavour is the first argument if it doesn't look like a file -+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; -+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; -+ -+if ($flavour =~ /64/) { -+ $SIZE_T=8; -+ $LRSAVE=2*$SIZE_T; -+ $STU="stdu"; -+ $POP="ld"; -+ $PUSH="std"; -+ $UCMP="cmpld"; -+ $SHRI="srdi"; -+} elsif ($flavour =~ /32/) { -+ $SIZE_T=4; -+ $LRSAVE=$SIZE_T; -+ $STU="stwu"; -+ $POP="lwz"; -+ $PUSH="stw"; -+ $UCMP="cmplw"; -+ $SHRI="srwi"; -+} else { die "nonsense $flavour"; } -+ -+$sp="r1"; -+$FRAME=6*$SIZE_T+13*16; # 13*16 is for v20-v31 offload -+ -+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or -+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or -+die "can't locate ppc-xlate.pl"; -+ -+open STDOUT,"| $^X $xlate $flavour \"$output\"" -+ or die "can't call $xlate: $!"; -+ -+$code=<<___; -+.machine "any" -+.text -+ -+# 4x loops -+# v15 - v18 - input states -+# vs1 - vs9 - round keys -+# -+.macro Loop_aes_middle4x -+ xxlor 19+32, 1, 1 -+ xxlor 20+32, 2, 2 -+ xxlor 21+32, 3, 3 -+ xxlor 22+32, 4, 4 -+ -+ vcipher 15, 15, 19 -+ vcipher 16, 16, 19 -+ vcipher 17, 17, 19 -+ vcipher 18, 18, 19 -+ -+ vcipher 15, 15, 20 -+ vcipher 16, 16, 20 -+ vcipher 17, 17, 20 -+ vcipher 18, 18, 20 -+ -+ vcipher 15, 15, 21 -+ vcipher 16, 16, 21 -+ vcipher 17, 17, 21 -+ vcipher 18, 18, 21 -+ -+ vcipher 15, 15, 22 -+ vcipher 16, 16, 22 -+ vcipher 17, 17, 22 -+ vcipher 18, 18, 22 -+ -+ xxlor 19+32, 5, 5 -+ xxlor 20+32, 6, 6 -+ xxlor 21+32, 7, 7 -+ xxlor 22+32, 8, 8 -+ -+ vcipher 15, 15, 19 -+ vcipher 16, 16, 19 -+ vcipher 17, 17, 19 -+ vcipher 18, 18, 19 -+ -+ vcipher 15, 15, 
20 -+ vcipher 16, 16, 20 -+ vcipher 17, 17, 20 -+ vcipher 18, 18, 20 -+ -+ vcipher 15, 15, 21 -+ vcipher 16, 16, 21 -+ vcipher 17, 17, 21 -+ vcipher 18, 18, 21 -+ -+ vcipher 15, 15, 22 -+ vcipher 16, 16, 22 -+ vcipher 17, 17, 22 -+ vcipher 18, 18, 22 -+ -+ xxlor 23+32, 9, 9 -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+.endm -+ -+# 8x loops -+# v15 - v22 - input states -+# vs1 - vs9 - round keys -+# -+.macro Loop_aes_middle8x -+ xxlor 23+32, 1, 1 -+ xxlor 24+32, 2, 2 -+ xxlor 25+32, 3, 3 -+ xxlor 26+32, 4, 4 -+ -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+ -+ vcipher 15, 15, 24 -+ vcipher 16, 16, 24 -+ vcipher 17, 17, 24 -+ vcipher 18, 18, 24 -+ vcipher 19, 19, 24 -+ vcipher 20, 20, 24 -+ vcipher 21, 21, 24 -+ vcipher 22, 22, 24 -+ -+ vcipher 15, 15, 25 -+ vcipher 16, 16, 25 -+ vcipher 17, 17, 25 -+ vcipher 18, 18, 25 -+ vcipher 19, 19, 25 -+ vcipher 20, 20, 25 -+ vcipher 21, 21, 25 -+ vcipher 22, 22, 25 -+ -+ vcipher 15, 15, 26 -+ vcipher 16, 16, 26 -+ vcipher 17, 17, 26 -+ vcipher 18, 18, 26 -+ vcipher 19, 19, 26 -+ vcipher 20, 20, 26 -+ vcipher 21, 21, 26 -+ vcipher 22, 22, 26 -+ -+ xxlor 23+32, 5, 5 -+ xxlor 24+32, 6, 6 -+ xxlor 25+32, 7, 7 -+ xxlor 26+32, 8, 8 -+ -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+ -+ vcipher 15, 15, 24 -+ vcipher 16, 16, 24 -+ vcipher 17, 17, 24 -+ vcipher 18, 18, 24 -+ vcipher 19, 19, 24 -+ vcipher 20, 20, 24 -+ vcipher 21, 21, 24 -+ vcipher 22, 22, 24 -+ -+ vcipher 15, 15, 25 -+ vcipher 16, 16, 25 -+ vcipher 17, 17, 25 -+ vcipher 18, 18, 25 -+ vcipher 19, 19, 25 -+ vcipher 20, 20, 25 -+ vcipher 21, 21, 25 -+ vcipher 22, 22, 25 -+ -+ vcipher 15, 15, 26 -+ vcipher 16, 16, 26 -+ vcipher 17, 17, 26 -+ vcipher 18, 18, 26 -+ vcipher 
19, 19, 26 -+ vcipher 20, 20, 26 -+ vcipher 21, 21, 26 -+ vcipher 22, 22, 26 -+ -+ xxlor 23+32, 9, 9 -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+.endm -+ -+# -+# Compute 4x hash values based on Karatsuba method. -+# -+ppc_aes_gcm_ghash: -+ vxor 15, 15, 0 -+ -+ xxlxor 29, 29, 29 -+ -+ vpmsumd 23, 12, 15 # H4.L * X.L -+ vpmsumd 24, 9, 16 -+ vpmsumd 25, 6, 17 -+ vpmsumd 26, 3, 18 -+ -+ vxor 23, 23, 24 -+ vxor 23, 23, 25 -+ vxor 23, 23, 26 # L -+ -+ vpmsumd 24, 13, 15 # H4.L * X.H + H4.H * X.L -+ vpmsumd 25, 10, 16 # H3.L * X1.H + H3.H * X1.L -+ vpmsumd 26, 7, 17 -+ vpmsumd 27, 4, 18 -+ -+ vxor 24, 24, 25 -+ vxor 24, 24, 26 -+ vxor 24, 24, 27 # M -+ -+ # sum hash and reduction with H Poly -+ vpmsumd 28, 23, 2 # reduction -+ -+ xxlor 29+32, 29, 29 -+ vsldoi 26, 24, 29, 8 # mL -+ vsldoi 29, 29, 24, 8 # mH -+ vxor 23, 23, 26 # mL + L -+ -+ vsldoi 23, 23, 23, 8 # swap -+ vxor 23, 23, 28 -+ -+ vpmsumd 24, 14, 15 # H4.H * X.H -+ vpmsumd 25, 11, 16 -+ vpmsumd 26, 8, 17 -+ vpmsumd 27, 5, 18 -+ -+ vxor 24, 24, 25 -+ vxor 24, 24, 26 -+ vxor 24, 24, 27 -+ -+ vxor 24, 24, 29 -+ -+ # sum hash and reduction with H Poly -+ vsldoi 27, 23, 23, 8 # swap -+ vpmsumd 23, 23, 2 -+ vxor 27, 27, 24 -+ vxor 23, 23, 27 -+ -+ xxlor 32, 23+32, 23+32 # update hash -+ -+ blr -+ -+# -+# Combine two 4x ghash -+# v15 - v22 - input blocks -+# -+.macro ppc_aes_gcm_ghash2_4x -+ # first 4x hash -+ vxor 15, 15, 0 # Xi + X -+ -+ xxlxor 29, 29, 29 -+ -+ vpmsumd 23, 12, 15 # H4.L * X.L -+ vpmsumd 24, 9, 16 -+ vpmsumd 25, 6, 17 -+ vpmsumd 26, 3, 18 -+ -+ vxor 23, 23, 24 -+ vxor 23, 23, 25 -+ vxor 23, 23, 26 # L -+ -+ vpmsumd 24, 13, 15 # H4.L * X.H + H4.H * X.L -+ vpmsumd 25, 10, 16 # H3.L * X1.H + H3.H * X1.L -+ vpmsumd 26, 7, 17 -+ vpmsumd 27, 4, 18 -+ -+ vxor 24, 24, 25 -+ vxor 24, 24, 26 -+ -+ # sum hash and reduction with H Poly -+ vpmsumd 28, 23, 2 # reduction -+ -+ xxlor 
29+32, 29, 29 -+ -+ vxor 24, 24, 27 # M -+ vsldoi 26, 24, 29, 8 # mL -+ vsldoi 29, 29, 24, 8 # mH -+ vxor 23, 23, 26 # mL + L -+ -+ vsldoi 23, 23, 23, 8 # swap -+ vxor 23, 23, 28 -+ -+ vpmsumd 24, 14, 15 # H4.H * X.H -+ vpmsumd 25, 11, 16 -+ vpmsumd 26, 8, 17 -+ vpmsumd 27, 5, 18 -+ -+ vxor 24, 24, 25 -+ vxor 24, 24, 26 -+ vxor 24, 24, 27 # H -+ -+ vxor 24, 24, 29 # H + mH -+ -+ # sum hash and reduction with H Poly -+ vsldoi 27, 23, 23, 8 # swap -+ vpmsumd 23, 23, 2 -+ vxor 27, 27, 24 -+ vxor 27, 23, 27 # 1st Xi -+ -+ # 2nd 4x hash -+ vpmsumd 24, 9, 20 -+ vpmsumd 25, 6, 21 -+ vpmsumd 26, 3, 22 -+ vxor 19, 19, 27 # Xi + X -+ vpmsumd 23, 12, 19 # H4.L * X.L -+ -+ vxor 23, 23, 24 -+ vxor 23, 23, 25 -+ vxor 23, 23, 26 # L -+ -+ vpmsumd 24, 13, 19 # H4.L * X.H + H4.H * X.L -+ vpmsumd 25, 10, 20 # H3.L * X1.H + H3.H * X1.L -+ vpmsumd 26, 7, 21 -+ vpmsumd 27, 4, 22 -+ -+ vxor 24, 24, 25 -+ vxor 24, 24, 26 -+ -+ # sum hash and reduction with H Poly -+ vpmsumd 28, 23, 2 # reduction -+ -+ xxlor 29+32, 29, 29 -+ -+ vxor 24, 24, 27 # M -+ vsldoi 26, 24, 29, 8 # mL -+ vsldoi 29, 29, 24, 8 # mH -+ vxor 23, 23, 26 # mL + L -+ -+ vsldoi 23, 23, 23, 8 # swap -+ vxor 23, 23, 28 -+ -+ vpmsumd 24, 14, 19 # H4.H * X.H -+ vpmsumd 25, 11, 20 -+ vpmsumd 26, 8, 21 -+ vpmsumd 27, 5, 22 -+ -+ vxor 24, 24, 25 -+ vxor 24, 24, 26 -+ vxor 24, 24, 27 # H -+ -+ vxor 24, 24, 29 # H + mH -+ -+ # sum hash and reduction with H Poly -+ vsldoi 27, 23, 23, 8 # swap -+ vpmsumd 23, 23, 2 -+ vxor 27, 27, 24 -+ vxor 23, 23, 27 -+ -+ xxlor 32, 23+32, 23+32 # update hash -+ -+.endm -+ -+# -+# Compute update single hash -+# -+.macro ppc_update_hash_1x -+ vxor 28, 28, 0 -+ -+ vxor 19, 19, 19 -+ -+ vpmsumd 22, 3, 28 # L -+ vpmsumd 23, 4, 28 # M -+ vpmsumd 24, 5, 28 # H -+ -+ vpmsumd 27, 22, 2 # reduction -+ -+ vsldoi 25, 23, 19, 8 # mL -+ vsldoi 26, 19, 23, 8 # mH -+ vxor 22, 22, 25 # LL + LL -+ vxor 24, 24, 26 # HH + HH -+ -+ vsldoi 22, 22, 22, 8 # swap -+ vxor 22, 22, 27 -+ -+ vsldoi 20, 22, 22, 8 # swap -+ 
vpmsumd 22, 22, 2 # reduction -+ vxor 20, 20, 24 -+ vxor 22, 22, 20 -+ -+ vmr 0, 22 # update hash -+ -+.endm -+ -+# -+# ppc_aes_gcm_encrypt (const void *inp, void *out, size_t len, -+# const AES_KEY *key, unsigned char iv[16], -+# void *Xip); -+# -+# r3 - inp -+# r4 - out -+# r5 - len -+# r6 - AES round keys -+# r7 - iv -+# r8 - Xi, HPoli, hash keys -+# -+.global ppc_aes_gcm_encrypt -+.align 5 -+ppc_aes_gcm_encrypt: -+_ppc_aes_gcm_encrypt: -+ -+ stdu 1,-512(1) -+ mflr 0 -+ -+ std 14,112(1) -+ std 15,120(1) -+ std 16,128(1) -+ std 17,136(1) -+ std 18,144(1) -+ std 19,152(1) -+ std 20,160(1) -+ std 21,168(1) -+ li 9, 256 -+ stvx 20, 9, 1 -+ addi 9, 9, 16 -+ stvx 21, 9, 1 -+ addi 9, 9, 16 -+ stvx 22, 9, 1 -+ addi 9, 9, 16 -+ stvx 23, 9, 1 -+ addi 9, 9, 16 -+ stvx 24, 9, 1 -+ addi 9, 9, 16 -+ stvx 25, 9, 1 -+ addi 9, 9, 16 -+ stvx 26, 9, 1 -+ addi 9, 9, 16 -+ stvx 27, 9, 1 -+ addi 9, 9, 16 -+ stvx 28, 9, 1 -+ addi 9, 9, 16 -+ stvx 29, 9, 1 -+ addi 9, 9, 16 -+ stvx 30, 9, 1 -+ addi 9, 9, 16 -+ stvx 31, 9, 1 -+ std 0, 528(1) -+ -+ # Load Xi -+ lxvb16x 32, 0, 8 # load Xi -+ -+ # load Hash - h^4, h^3, h^2, h -+ li 10, 32 -+ lxvd2x 2+32, 10, 8 # H Poli -+ li 10, 48 -+ lxvd2x 3+32, 10, 8 # Hl -+ li 10, 64 -+ lxvd2x 4+32, 10, 8 # H -+ li 10, 80 -+ lxvd2x 5+32, 10, 8 # Hh -+ -+ li 10, 96 -+ lxvd2x 6+32, 10, 8 # H^2l -+ li 10, 112 -+ lxvd2x 7+32, 10, 8 # H^2 -+ li 10, 128 -+ lxvd2x 8+32, 10, 8 # H^2h -+ -+ li 10, 144 -+ lxvd2x 9+32, 10, 8 # H^3l -+ li 10, 160 -+ lxvd2x 10+32, 10, 8 # H^3 -+ li 10, 176 -+ lxvd2x 11+32, 10, 8 # H^3h -+ -+ li 10, 192 -+ lxvd2x 12+32, 10, 8 # H^4l -+ li 10, 208 -+ lxvd2x 13+32, 10, 8 # H^4 -+ li 10, 224 -+ lxvd2x 14+32, 10, 8 # H^4h -+ -+ # initialize ICB: GHASH( IV ), IV - r7 -+ lxvb16x 30+32, 0, 7 # load IV - v30 -+ -+ mr 12, 5 # length -+ li 11, 0 # block index -+ -+ # counter 1 -+ vxor 31, 31, 31 -+ vspltisb 22, 1 -+ vsldoi 31, 31, 22,1 # counter 1 -+ -+ # load round key to VSR -+ lxv 0, 0(6) -+ lxv 1, 0x10(6) -+ lxv 2, 0x20(6) -+ lxv 3, 
0x30(6) -+ lxv 4, 0x40(6) -+ lxv 5, 0x50(6) -+ lxv 6, 0x60(6) -+ lxv 7, 0x70(6) -+ lxv 8, 0x80(6) -+ lxv 9, 0x90(6) -+ lxv 10, 0xa0(6) -+ -+ # load rounds - 10 (128), 12 (192), 14 (256) -+ lwz 9,240(6) -+ -+ # -+ # vxor state, state, w # addroundkey -+ xxlor 32+29, 0, 0 -+ vxor 15, 30, 29 # IV + round key - add round key 0 -+ -+ cmpdi 9, 10 -+ beq Loop_aes_gcm_8x -+ -+ # load 2 more round keys (v11, v12) -+ lxv 11, 0xb0(6) -+ lxv 12, 0xc0(6) -+ -+ cmpdi 9, 12 -+ beq Loop_aes_gcm_8x -+ -+ # load 2 more round keys (v11, v12, v13, v14) -+ lxv 13, 0xd0(6) -+ lxv 14, 0xe0(6) -+ cmpdi 9, 14 -+ beq Loop_aes_gcm_8x -+ -+ b aes_gcm_out -+ -+.align 5 -+Loop_aes_gcm_8x: -+ mr 14, 3 -+ mr 9, 4 -+ -+ # n blocks -+ li 10, 128 -+ divdu 10, 5, 10 # n 128 bytes-blocks -+ cmpdi 10, 0 -+ beq Loop_last_block -+ -+ vaddudm 30, 30, 31 # IV + counter -+ vxor 16, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 17, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 18, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 19, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 20, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 21, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 22, 30, 29 -+ -+ mtctr 10 -+ -+ li 15, 16 -+ li 16, 32 -+ li 17, 48 -+ li 18, 64 -+ li 19, 80 -+ li 20, 96 -+ li 21, 112 -+ -+ lwz 10, 240(6) -+ -+Loop_8x_block: -+ -+ lxvb16x 15, 0, 14 # load block -+ lxvb16x 16, 15, 14 # load block -+ lxvb16x 17, 16, 14 # load block -+ lxvb16x 18, 17, 14 # load block -+ lxvb16x 19, 18, 14 # load block -+ lxvb16x 20, 19, 14 # load block -+ lxvb16x 21, 20, 14 # load block -+ lxvb16x 22, 21, 14 # load block -+ addi 14, 14, 128 -+ -+ Loop_aes_middle8x -+ -+ xxlor 23+32, 10, 10 -+ -+ cmpdi 10, 10 -+ beq Do_next_ghash -+ -+ # 192 bits -+ xxlor 24+32, 11, 11 -+ -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+ -+ vcipher 15, 15, 24 -+ vcipher 16, 16, 24 -+ vcipher 17, 17, 24 -+ vcipher 18, 18, 24 -+ vcipher 19, 19, 24 -+ vcipher 20, 20, 
24 -+ vcipher 21, 21, 24 -+ vcipher 22, 22, 24 -+ -+ xxlor 23+32, 12, 12 -+ -+ cmpdi 10, 12 -+ beq Do_next_ghash -+ -+ # 256 bits -+ xxlor 24+32, 13, 13 -+ -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+ -+ vcipher 15, 15, 24 -+ vcipher 16, 16, 24 -+ vcipher 17, 17, 24 -+ vcipher 18, 18, 24 -+ vcipher 19, 19, 24 -+ vcipher 20, 20, 24 -+ vcipher 21, 21, 24 -+ vcipher 22, 22, 24 -+ -+ xxlor 23+32, 14, 14 -+ -+ cmpdi 10, 14 -+ beq Do_next_ghash -+ b aes_gcm_out -+ -+Do_next_ghash: -+ -+ # -+ # last round -+ vcipherlast 15, 15, 23 -+ vcipherlast 16, 16, 23 -+ -+ xxlxor 47, 47, 15 -+ stxvb16x 47, 0, 9 # store output -+ xxlxor 48, 48, 16 -+ stxvb16x 48, 15, 9 # store output -+ -+ vcipherlast 17, 17, 23 -+ vcipherlast 18, 18, 23 -+ -+ xxlxor 49, 49, 17 -+ stxvb16x 49, 16, 9 # store output -+ xxlxor 50, 50, 18 -+ stxvb16x 50, 17, 9 # store output -+ -+ vcipherlast 19, 19, 23 -+ vcipherlast 20, 20, 23 -+ -+ xxlxor 51, 51, 19 -+ stxvb16x 51, 18, 9 # store output -+ xxlxor 52, 52, 20 -+ stxvb16x 52, 19, 9 # store output -+ -+ vcipherlast 21, 21, 23 -+ vcipherlast 22, 22, 23 -+ -+ xxlxor 53, 53, 21 -+ stxvb16x 53, 20, 9 # store output -+ xxlxor 54, 54, 22 -+ stxvb16x 54, 21, 9 # store output -+ -+ addi 9, 9, 128 -+ -+ # ghash here -+ ppc_aes_gcm_ghash2_4x -+ -+ xxlor 27+32, 0, 0 -+ vaddudm 30, 30, 31 # IV + counter -+ vmr 29, 30 -+ vxor 15, 30, 27 # add round key -+ vaddudm 30, 30, 31 -+ vxor 16, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 17, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 18, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 19, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 20, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 21, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 22, 30, 27 -+ -+ addi 12, 12, -128 -+ addi 11, 11, 128 -+ -+ bdnz Loop_8x_block -+ -+ vmr 30, 29 -+ -+Loop_last_block: -+ cmpdi 12, 0 -+ beq aes_gcm_out -+ -+ # loop last few blocks -+ li 10, 16 -+ divdu 10, 12, 10 -+ 
-+ mtctr 10 -+ -+ lwz 10, 240(6) -+ -+ cmpdi 12, 16 -+ blt Final_block -+ -+.macro Loop_aes_middle_1x -+ xxlor 19+32, 1, 1 -+ xxlor 20+32, 2, 2 -+ xxlor 21+32, 3, 3 -+ xxlor 22+32, 4, 4 -+ -+ vcipher 15, 15, 19 -+ vcipher 15, 15, 20 -+ vcipher 15, 15, 21 -+ vcipher 15, 15, 22 -+ -+ xxlor 19+32, 5, 5 -+ xxlor 20+32, 6, 6 -+ xxlor 21+32, 7, 7 -+ xxlor 22+32, 8, 8 -+ -+ vcipher 15, 15, 19 -+ vcipher 15, 15, 20 -+ vcipher 15, 15, 21 -+ vcipher 15, 15, 22 -+ -+ xxlor 19+32, 9, 9 -+ vcipher 15, 15, 19 -+.endm -+ -+Next_rem_block: -+ lxvb16x 15, 0, 14 # load block -+ -+ Loop_aes_middle_1x -+ -+ xxlor 23+32, 10, 10 -+ -+ cmpdi 10, 10 -+ beq Do_next_1x -+ -+ # 192 bits -+ xxlor 24+32, 11, 11 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 12, 12 -+ -+ cmpdi 10, 12 -+ beq Do_next_1x -+ -+ # 256 bits -+ xxlor 24+32, 13, 13 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 14, 14 -+ -+ cmpdi 10, 14 -+ beq Do_next_1x -+ -+Do_next_1x: -+ vcipherlast 15, 15, 23 -+ -+ xxlxor 47, 47, 15 -+ stxvb16x 47, 0, 9 # store output -+ addi 14, 14, 16 -+ addi 9, 9, 16 -+ -+ vmr 28, 15 -+ ppc_update_hash_1x -+ -+ addi 12, 12, -16 -+ addi 11, 11, 16 -+ xxlor 19+32, 0, 0 -+ vaddudm 30, 30, 31 # IV + counter -+ vxor 15, 30, 19 # add round key -+ -+ bdnz Next_rem_block -+ -+ cmpdi 12, 0 -+ beq aes_gcm_out -+ -+Final_block: -+ Loop_aes_middle_1x -+ -+ xxlor 23+32, 10, 10 -+ -+ cmpdi 10, 10 -+ beq Do_final_1x -+ -+ # 192 bits -+ xxlor 24+32, 11, 11 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 12, 12 -+ -+ cmpdi 10, 12 -+ beq Do_final_1x -+ -+ # 256 bits -+ xxlor 24+32, 13, 13 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 14, 14 -+ -+ cmpdi 10, 14 -+ beq Do_final_1x -+ -+Do_final_1x: -+ vcipherlast 15, 15, 23 -+ -+ lxvb16x 15, 0, 14 # load last block -+ xxlxor 47, 47, 15 -+ -+ # create partial block mask -+ li 15, 16 -+ sub 15, 15, 12 # index to the mask -+ -+ vspltisb 16, -1 # first 16 bytes - 0xffff...ff -+ vspltisb 17, 0 # 
second 16 bytes - 0x0000...00 -+ li 10, 192 -+ stvx 16, 10, 1 -+ addi 10, 10, 16 -+ stvx 17, 10, 1 -+ -+ addi 10, 1, 192 -+ lxvb16x 16, 15, 10 # load partial block mask -+ xxland 47, 47, 16 -+ -+ vmr 28, 15 -+ ppc_update_hash_1x -+ -+ # * should store only the remaining bytes. -+ bl Write_partial_block -+ -+ b aes_gcm_out -+ -+# -+# Write partial block -+# r9 - output -+# r12 - remaining bytes -+# v15 - partial input data -+# -+Write_partial_block: -+ li 10, 192 -+ stxvb16x 15+32, 10, 1 # last block -+ -+ #add 10, 9, 11 # Output -+ addi 10, 9, -1 -+ addi 16, 1, 191 -+ -+ mtctr 12 # remaining bytes -+ li 15, 0 -+ -+Write_last_byte: -+ lbzu 14, 1(16) -+ stbu 14, 1(10) -+ bdnz Write_last_byte -+ blr -+ -+aes_gcm_out: -+ # out = state -+ stxvb16x 32, 0, 8 # write out Xi -+ add 3, 11, 12 # return count -+ -+ li 9, 256 -+ lvx 20, 9, 1 -+ addi 9, 9, 16 -+ lvx 21, 9, 1 -+ addi 9, 9, 16 -+ lvx 22, 9, 1 -+ addi 9, 9, 16 -+ lvx 23, 9, 1 -+ addi 9, 9, 16 -+ lvx 24, 9, 1 -+ addi 9, 9, 16 -+ lvx 25, 9, 1 -+ addi 9, 9, 16 -+ lvx 26, 9, 1 -+ addi 9, 9, 16 -+ lvx 27, 9, 1 -+ addi 9, 9, 16 -+ lvx 28, 9, 1 -+ addi 9, 9, 16 -+ lvx 29, 9, 1 -+ addi 9, 9, 16 -+ lvx 30, 9, 1 -+ addi 9, 9, 16 -+ lvx 31, 9, 1 -+ -+ ld 0, 528(1) -+ ld 14,112(1) -+ ld 15,120(1) -+ ld 16,128(1) -+ ld 17,136(1) -+ ld 18,144(1) -+ ld 19,152(1) -+ ld 20,160(1) -+ ld 21,168(1) -+ -+ mtlr 0 -+ addi 1, 1, 512 -+ blr -+ -+# -+# 8x Decrypt -+# -+.global ppc_aes_gcm_decrypt -+.align 5 -+ppc_aes_gcm_decrypt: -+_ppc_aes_gcm_decrypt: -+ -+ stdu 1,-512(1) -+ mflr 0 -+ -+ std 14,112(1) -+ std 15,120(1) -+ std 16,128(1) -+ std 17,136(1) -+ std 18,144(1) -+ std 19,152(1) -+ std 20,160(1) -+ std 21,168(1) -+ li 9, 256 -+ stvx 20, 9, 1 -+ addi 9, 9, 16 -+ stvx 21, 9, 1 -+ addi 9, 9, 16 -+ stvx 22, 9, 1 -+ addi 9, 9, 16 -+ stvx 23, 9, 1 -+ addi 9, 9, 16 -+ stvx 24, 9, 1 -+ addi 9, 9, 16 -+ stvx 25, 9, 1 -+ addi 9, 9, 16 -+ stvx 26, 9, 1 -+ addi 9, 9, 16 -+ stvx 27, 9, 1 -+ addi 9, 9, 16 -+ stvx 28, 9, 1 -+ addi 9, 9, 16 -+ stvx 
29, 9, 1 -+ addi 9, 9, 16 -+ stvx 30, 9, 1 -+ addi 9, 9, 16 -+ stvx 31, 9, 1 -+ std 0, 528(1) -+ -+ # Load Xi -+ lxvb16x 32, 0, 8 # load Xi -+ -+ # load Hash - h^4, h^3, h^2, h -+ li 10, 32 -+ lxvd2x 2+32, 10, 8 # H Poli -+ li 10, 48 -+ lxvd2x 3+32, 10, 8 # Hl -+ li 10, 64 -+ lxvd2x 4+32, 10, 8 # H -+ li 10, 80 -+ lxvd2x 5+32, 10, 8 # Hh -+ -+ li 10, 96 -+ lxvd2x 6+32, 10, 8 # H^2l -+ li 10, 112 -+ lxvd2x 7+32, 10, 8 # H^2 -+ li 10, 128 -+ lxvd2x 8+32, 10, 8 # H^2h -+ -+ li 10, 144 -+ lxvd2x 9+32, 10, 8 # H^3l -+ li 10, 160 -+ lxvd2x 10+32, 10, 8 # H^3 -+ li 10, 176 -+ lxvd2x 11+32, 10, 8 # H^3h -+ -+ li 10, 192 -+ lxvd2x 12+32, 10, 8 # H^4l -+ li 10, 208 -+ lxvd2x 13+32, 10, 8 # H^4 -+ li 10, 224 -+ lxvd2x 14+32, 10, 8 # H^4h -+ -+ # initialize ICB: GHASH( IV ), IV - r7 -+ lxvb16x 30+32, 0, 7 # load IV - v30 -+ -+ mr 12, 5 # length -+ li 11, 0 # block index -+ -+ # counter 1 -+ vxor 31, 31, 31 -+ vspltisb 22, 1 -+ vsldoi 31, 31, 22,1 # counter 1 -+ -+ # load round key to VSR -+ lxv 0, 0(6) -+ lxv 1, 0x10(6) -+ lxv 2, 0x20(6) -+ lxv 3, 0x30(6) -+ lxv 4, 0x40(6) -+ lxv 5, 0x50(6) -+ lxv 6, 0x60(6) -+ lxv 7, 0x70(6) -+ lxv 8, 0x80(6) -+ lxv 9, 0x90(6) -+ lxv 10, 0xa0(6) -+ -+ # load rounds - 10 (128), 12 (192), 14 (256) -+ lwz 9,240(6) -+ -+ # -+ # vxor state, state, w # addroundkey -+ xxlor 32+29, 0, 0 -+ vxor 15, 30, 29 # IV + round key - add round key 0 -+ -+ cmpdi 9, 10 -+ beq Loop_aes_gcm_8x_dec -+ -+ # load 2 more round keys (v11, v12) -+ lxv 11, 0xb0(6) -+ lxv 12, 0xc0(6) -+ -+ cmpdi 9, 12 -+ beq Loop_aes_gcm_8x_dec -+ -+ # load 2 more round keys (v11, v12, v13, v14) -+ lxv 13, 0xd0(6) -+ lxv 14, 0xe0(6) -+ cmpdi 9, 14 -+ beq Loop_aes_gcm_8x_dec -+ -+ b aes_gcm_out -+ -+.align 5 -+Loop_aes_gcm_8x_dec: -+ mr 14, 3 -+ mr 9, 4 -+ -+ # n blocks -+ li 10, 128 -+ divdu 10, 5, 10 # n 128 bytes-blocks -+ cmpdi 10, 0 -+ beq Loop_last_block_dec -+ -+ vaddudm 30, 30, 31 # IV + counter -+ vxor 16, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 17, 30, 29 -+ vaddudm 30, 30, 31 -+ 
vxor 18, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 19, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 20, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 21, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 22, 30, 29 -+ -+ mtctr 10 -+ -+ li 15, 16 -+ li 16, 32 -+ li 17, 48 -+ li 18, 64 -+ li 19, 80 -+ li 20, 96 -+ li 21, 112 -+ -+ lwz 10, 240(6) -+ -+Loop_8x_block_dec: -+ -+ lxvb16x 15, 0, 14 # load block -+ lxvb16x 16, 15, 14 # load block -+ lxvb16x 17, 16, 14 # load block -+ lxvb16x 18, 17, 14 # load block -+ lxvb16x 19, 18, 14 # load block -+ lxvb16x 20, 19, 14 # load block -+ lxvb16x 21, 20, 14 # load block -+ lxvb16x 22, 21, 14 # load block -+ addi 14, 14, 128 -+ -+ Loop_aes_middle8x -+ -+ xxlor 23+32, 10, 10 -+ -+ cmpdi 10, 10 -+ beq Do_last_aes_dec -+ -+ # 192 bits -+ xxlor 24+32, 11, 11 -+ -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+ -+ vcipher 15, 15, 24 -+ vcipher 16, 16, 24 -+ vcipher 17, 17, 24 -+ vcipher 18, 18, 24 -+ vcipher 19, 19, 24 -+ vcipher 20, 20, 24 -+ vcipher 21, 21, 24 -+ vcipher 22, 22, 24 -+ -+ xxlor 23+32, 12, 12 -+ -+ cmpdi 10, 12 -+ beq Do_last_aes_dec -+ -+ # 256 bits -+ xxlor 24+32, 13, 13 -+ -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+ -+ vcipher 15, 15, 24 -+ vcipher 16, 16, 24 -+ vcipher 17, 17, 24 -+ vcipher 18, 18, 24 -+ vcipher 19, 19, 24 -+ vcipher 20, 20, 24 -+ vcipher 21, 21, 24 -+ vcipher 22, 22, 24 -+ -+ xxlor 23+32, 14, 14 -+ -+ cmpdi 10, 14 -+ beq Do_last_aes_dec -+ b aes_gcm_out -+ -+Do_last_aes_dec: -+ -+ # -+ # last round -+ vcipherlast 15, 15, 23 -+ vcipherlast 16, 16, 23 -+ -+ xxlxor 47, 47, 15 -+ stxvb16x 47, 0, 9 # store output -+ xxlxor 48, 48, 16 -+ stxvb16x 48, 15, 9 # store output -+ -+ vcipherlast 17, 17, 23 -+ vcipherlast 18, 18, 23 -+ -+ xxlxor 49, 49, 17 -+ stxvb16x 49, 16, 9 # 
store output -+ xxlxor 50, 50, 18 -+ stxvb16x 50, 17, 9 # store output -+ -+ vcipherlast 19, 19, 23 -+ vcipherlast 20, 20, 23 -+ -+ xxlxor 51, 51, 19 -+ stxvb16x 51, 18, 9 # store output -+ xxlxor 52, 52, 20 -+ stxvb16x 52, 19, 9 # store output -+ -+ vcipherlast 21, 21, 23 -+ vcipherlast 22, 22, 23 -+ -+ xxlxor 53, 53, 21 -+ stxvb16x 53, 20, 9 # store output -+ xxlxor 54, 54, 22 -+ stxvb16x 54, 21, 9 # store output -+ -+ addi 9, 9, 128 -+ -+ xxlor 15+32, 15, 15 -+ xxlor 16+32, 16, 16 -+ xxlor 17+32, 17, 17 -+ xxlor 18+32, 18, 18 -+ xxlor 19+32, 19, 19 -+ xxlor 20+32, 20, 20 -+ xxlor 21+32, 21, 21 -+ xxlor 22+32, 22, 22 -+ -+ # ghash here -+ ppc_aes_gcm_ghash2_4x -+ -+ xxlor 27+32, 0, 0 -+ vaddudm 30, 30, 31 # IV + counter -+ vmr 29, 30 -+ vxor 15, 30, 27 # add round key -+ vaddudm 30, 30, 31 -+ vxor 16, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 17, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 18, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 19, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 20, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 21, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 22, 30, 27 -+ addi 12, 12, -128 -+ addi 11, 11, 128 -+ -+ bdnz Loop_8x_block_dec -+ -+ vmr 30, 29 -+ -+Loop_last_block_dec: -+ cmpdi 12, 0 -+ beq aes_gcm_out -+ -+ # loop last few blocks -+ li 10, 16 -+ divdu 10, 12, 10 -+ -+ mtctr 10 -+ -+ lwz 10,240(6) -+ -+ cmpdi 12, 16 -+ blt Final_block_dec -+ -+Next_rem_block_dec: -+ lxvb16x 15, 0, 14 # load block -+ -+ Loop_aes_middle_1x -+ -+ xxlor 23+32, 10, 10 -+ -+ cmpdi 10, 10 -+ beq Do_next_1x_dec -+ -+ # 192 bits -+ xxlor 24+32, 11, 11 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 12, 12 -+ -+ cmpdi 10, 12 -+ beq Do_next_1x_dec -+ -+ # 256 bits -+ xxlor 24+32, 13, 13 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 14, 14 -+ -+ cmpdi 10, 14 -+ beq Do_next_1x_dec -+ -+Do_next_1x_dec: -+ vcipherlast 15, 15, 23 -+ -+ xxlxor 47, 47, 15 -+ stxvb16x 47, 0, 9 # store output -+ addi 14, 14, 16 -+ addi 9, 9, 16 -+ -+ xxlor 28+32, 15, 15 -+ 
ppc_update_hash_1x -+ -+ addi 12, 12, -16 -+ addi 11, 11, 16 -+ xxlor 19+32, 0, 0 -+ vaddudm 30, 30, 31 # IV + counter -+ vxor 15, 30, 19 # add round key -+ -+ bdnz Next_rem_block_dec -+ -+ cmpdi 12, 0 -+ beq aes_gcm_out -+ -+Final_block_dec: -+ Loop_aes_middle_1x -+ -+ xxlor 23+32, 10, 10 -+ -+ cmpdi 10, 10 -+ beq Do_final_1x_dec -+ -+ # 192 bits -+ xxlor 24+32, 11, 11 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 12, 12 -+ -+ cmpdi 10, 12 -+ beq Do_final_1x_dec -+ -+ # 256 bits -+ xxlor 24+32, 13, 13 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 14, 14 -+ -+ cmpdi 10, 14 -+ beq Do_final_1x_dec -+ -+Do_final_1x_dec: -+ vcipherlast 15, 15, 23 -+ -+ lxvb16x 15, 0, 14 # load block -+ xxlxor 47, 47, 15 -+ -+ # create partial block mask -+ li 15, 16 -+ sub 15, 15, 12 # index to the mask -+ -+ vspltisb 16, -1 # first 16 bytes - 0xffff...ff -+ vspltisb 17, 0 # second 16 bytes - 0x0000...00 -+ li 10, 192 -+ stvx 16, 10, 1 -+ addi 10, 10, 16 -+ stvx 17, 10, 1 -+ -+ addi 10, 1, 192 -+ lxvb16x 16, 15, 10 # load block mask -+ xxland 47, 47, 16 -+ -+ xxlor 28+32, 15, 15 -+ ppc_update_hash_1x -+ -+ # * should store only the remaining bytes. 
-+ bl Write_partial_block -+ -+ b aes_gcm_out -+ -+ -+___ -+ -+foreach (split("\n",$code)) { -+ s/\`([^\`]*)\`/eval $1/geo; -+ -+ if ($flavour =~ /le$/o) { # little-endian -+ s/le\?//o or -+ s/be\?/#be#/o; -+ } else { -+ s/le\?/#le#/o or -+ s/be\?//o; -+ } -+ print $_,"\n"; -+} -+ -+close STDOUT or die "error closing STDOUT: $!"; # enforce flush -diff --git a/crypto/modes/build.info b/crypto/modes/build.info -index 687e872..0ea122e 100644 ---- a/crypto/modes/build.info -+++ b/crypto/modes/build.info -@@ -32,7 +32,7 @@ IF[{- !$disabled{asm} -}] - $MODESASM_parisc20_64=$MODESASM_parisc11 - $MODESDEF_parisc20_64=$MODESDEF_parisc11 - -- $MODESASM_ppc32=ghashp8-ppc.s -+ $MODESASM_ppc32=ghashp8-ppc.s aes-gcm-ppc.s - $MODESDEF_ppc32= - $MODESASM_ppc64=$MODESASM_ppc32 - $MODESDEF_ppc64=$MODESDEF_ppc32 -@@ -71,6 +71,7 @@ INCLUDE[ghash-sparcv9.o]=.. - GENERATE[ghash-alpha.S]=asm/ghash-alpha.pl - GENERATE[ghash-parisc.s]=asm/ghash-parisc.pl - GENERATE[ghashp8-ppc.s]=asm/ghashp8-ppc.pl -+GENERATE[aes-gcm-ppc.s]=asm/aes-gcm-ppc.pl - GENERATE[ghash-armv4.S]=asm/ghash-armv4.pl - INCLUDE[ghash-armv4.o]=.. 
- GENERATE[ghashv8-armx.S]=asm/ghashv8-armx.pl
-diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h
-index e95ad5a..0c281a3 100644
---- a/include/crypto/aes_platform.h
-+++ b/include/crypto/aes_platform.h
-@@ -74,6 +74,26 @@ void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len,
- # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks
- # define HWAES_xts_encrypt aes_p8_xts_encrypt
- # define HWAES_xts_decrypt aes_p8_xts_decrypt
-+# define PPC_AES_GCM_CAPABLE (OPENSSL_ppccap_P & PPC_MADD300)
-+# define AES_GCM_ENC_BYTES 128
-+# define AES_GCM_DEC_BYTES 128
-+size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out,
-+ size_t len, const void *key, unsigned char ivec[16],
-+ u64 *Xi);
-+size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out,
-+ size_t len, const void *key, unsigned char ivec[16],
-+ u64 *Xi);
-+size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out,
-+ size_t len, const void *key,
-+ unsigned char ivec[16], u64 *Xi);
-+size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out,
-+ size_t len, const void *key,
-+ unsigned char ivec[16], u64 *Xi);
-+# define AES_gcm_encrypt ppc_aes_gcm_encrypt_wrap
-+# define AES_gcm_decrypt ppc_aes_gcm_decrypt_wrap
-+# define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \
-+ (gctx)->gcm.ghash==gcm_ghash_p8)
-+void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len);
- # endif /* PPC */
-
- # if (defined(__arm__) || defined(__arm) || defined(__aarch64__))
-diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw.c b/providers/implementations/ciphers/cipher_aes_gcm_hw.c
-index 44fa9d4..789ec12 100644
---- a/providers/implementations/ciphers/cipher_aes_gcm_hw.c
-+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw.c
-@@ -141,6 +141,8 @@ static const PROV_GCM_HW aes_gcm = {
- # include "cipher_aes_gcm_hw_t4.inc"
- #elif defined(AES_PMULL_CAPABLE) && defined(AES_GCM_ASM)
- # include "cipher_aes_gcm_hw_armv8.inc"
-+#elif defined(PPC_AES_GCM_CAPABLE)
-+# include "cipher_aes_gcm_hw_ppc.inc"
- #else
- const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
- {
-diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc
-new file mode 100644
-index 0000000..4eed0f4
---- /dev/null
-+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc
-@@ -0,0 +1,119 @@
-+/*
-+ * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved.
-+ *
-+ * Licensed under the Apache License 2.0 (the "License"). You may not use
-+ * this file except in compliance with the License. You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+/*-
-+ * PPC support for AES GCM.
-+ * This file is included by cipher_aes_gcm_hw.c
-+ */
-+
-+static int aes_ppc_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key,
-+ size_t keylen)
-+{
-+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx;
-+ AES_KEY *ks = &actx->ks.ks;
-+
-+ GCM_HW_SET_KEY_CTR_FN(ks, aes_p8_set_encrypt_key, aes_p8_encrypt,
-+ aes_p8_ctr32_encrypt_blocks);
-+ return 1;
-+}
-+
-+
-+extern size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len,
-+ const void *key, unsigned char ivec[16], u64 *Xi);
-+extern size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len,
-+ const void *key, unsigned char ivec[16], u64 *Xi);
-+
-+static inline u32 UTO32(unsigned char *buf)
-+{
-+ return ((u32) buf[0] << 24) | ((u32) buf[1] << 16) | ((u32) buf[2] << 8) | ((u32) buf[3]);
-+}
-+
-+static inline u32 add32TOU(unsigned char buf[4], u32 n)
-+{
-+ u32 r;
-+
-+ r = UTO32(buf);
-+ r += n;
-+ buf[0] = (unsigned char) (r >> 24) & 0xFF;
-+ buf[1] = (unsigned char) (r >> 16) & 0xFF;
-+ buf[2] = (unsigned char) (r >> 8) & 0xFF;
-+ buf[3] = (unsigned char) r & 0xFF;
-+ return r;
-+}
-+
-+static size_t aes_p10_gcm_crypt(const unsigned char *in, unsigned char *out, size_t len,
-+ const void *key, unsigned char ivec[16], u64 *Xi, int encrypt)
-+{
-+ int s = 0;
-+ int ndone = 0;
-+ int ctr_reset = 0;
-+ u64 blocks_unused;
-+ u64 nb = len / 16;
-+ u64 next_ctr = 0;
-+ unsigned char ctr_saved[12];
-+
-+ memcpy(ctr_saved, ivec, 12);
-+
-+ while (nb) {
-+ blocks_unused = (u64) 0xffffffffU + 1 - (u64) UTO32 (ivec + 12);
-+ if (nb > blocks_unused) {
-+ len = blocks_unused * 16;
-+ nb -= blocks_unused;
-+ next_ctr = blocks_unused;
-+ ctr_reset = 1;
-+ } else {
-+ len = nb * 16;
-+ next_ctr = nb;
-+ nb = 0;
-+ }
-+
-+ s = encrypt ? ppc_aes_gcm_encrypt(in, out, len, key, ivec, Xi)
-+ : ppc_aes_gcm_decrypt(in, out, len, key, ivec, Xi);
-+
-+ /* add counter to ivec */
-+ add32TOU(ivec + 12, (u32) next_ctr);
-+ if (ctr_reset) {
-+ ctr_reset = 0;
-+ in += len;
-+ out += len;
-+ }
-+ memcpy(ivec, ctr_saved, 12);
-+ ndone += s;
-+ }
-+
-+ return ndone;
-+}
-+
-+size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out, size_t len,
-+ const void *key, unsigned char ivec[16], u64 *Xi)
-+{
-+ return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 1);
-+}
-+
-+size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out, size_t len,
-+ const void *key, unsigned char ivec[16], u64 *Xi)
-+{
-+ return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 0);
-+}
-+
-+
-+static const PROV_GCM_HW aes_ppc_gcm = {
-+ aes_ppc_gcm_initkey,
-+ ossl_gcm_setiv,
-+ ossl_gcm_aad_update,
-+ generic_aes_gcm_cipher_update,
-+ ossl_gcm_cipher_final,
-+ ossl_gcm_one_shot
-+};
-+
-+const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits)
-+{
-+ return PPC_AES_GCM_CAPABLE ? &aes_ppc_gcm : &aes_gcm;
-+}
-+
diff --git a/0072-ChaCha20-performance-optimizations-for-ppc64le.patch b/0072-ChaCha20-performance-optimizations-for-ppc64le.patch
deleted file mode 100644
index e5e7f9b..0000000
--- a/0072-ChaCha20-performance-optimizations-for-ppc64le.patch
+++ /dev/null
@@ -1,1493 +0,0 @@ -Upstream-Status: Backport [ - https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149, - https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa, - hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447 -] -diff --git a/crypto/chacha/asm/chachap10-ppc.pl b/crypto/chacha/asm/chachap10-ppc.pl -new file mode 100755 -index 0000000..36e9a8d ---- /dev/null -+++ b/crypto/chacha/asm/chachap10-ppc.pl -@@ -0,0 +1,1288 @@ -+#! /usr/bin/env perl -+# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+# -+# ==================================================================== -+# Written by Andy Polyakov for the OpenSSL -+# project. The module is, however, dual licensed under OpenSSL and -+# CRYPTOGAMS licenses depending on where you obtain it. For further -+# details see http://www.openssl.org/~appro/cryptogams/. -+# ==================================================================== -+# -+# October 2015 -+# -+# ChaCha20 for PowerPC/AltiVec. -+# -+# June 2018 -+# -+# Add VSX 2.07 code path. Original 3xAltiVec+1xIALU is well-suited for -+# processors that can't issue more than one vector instruction per -+# cycle. But POWER8 (and POWER9) can issue a pair, and vector-only 4x -+# interleave would perform better. Incidentally PowerISA 2.07 (first -+# implemented by POWER8) defined new usable instructions, hence 4xVSX -+# code path... -+# -+# Performance in cycles per byte out of large buffer. -+# -+# IALU/gcc-4.x 3xAltiVec+1xIALU 4xVSX -+# -+# Freescale e300 13.6/+115% - - -+# PPC74x0/G4e 6.81/+310% 3.81 - -+# PPC970/G5 9.29/+160% ? 
- -+# POWER7 8.62/+61% 3.35 - -+# POWER8 8.70/+51% 2.91 2.09 -+# POWER9 8.80/+29% 4.44(*) 2.45(**) -+# -+# (*) this is trade-off result, it's possible to improve it, but -+# then it would negatively affect all others; -+# (**) POWER9 seems to be "allergic" to mixing vector and integer -+# instructions, which is why switch to vector-only code pays -+# off that much; -+ -+# $output is the last argument if it looks like a file (it has an extension) -+# $flavour is the first argument if it doesn't look like a file -+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; -+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; -+ -+if ($flavour =~ /64/) { -+ $SIZE_T =8; -+ $LRSAVE =2*$SIZE_T; -+ $STU ="stdu"; -+ $POP ="ld"; -+ $PUSH ="std"; -+ $UCMP ="cmpld"; -+} elsif ($flavour =~ /32/) { -+ $SIZE_T =4; -+ $LRSAVE =$SIZE_T; -+ $STU ="stwu"; -+ $POP ="lwz"; -+ $PUSH ="stw"; -+ $UCMP ="cmplw"; -+} else { die "nonsense $flavour"; } -+ -+$LITTLE_ENDIAN = ($flavour=~/le$/) ? 1 : 0; -+ -+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or -+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or -+die "can't locate ppc-xlate.pl"; -+ -+open STDOUT,"| $^X $xlate $flavour \"$output\"" -+ or die "can't call $xlate: $!"; -+ -+$LOCALS=6*$SIZE_T; -+$FRAME=$LOCALS+64+18*$SIZE_T; # 64 is for local variables -+ -+sub AUTOLOAD() # thunk [simplified] x86-style perlasm -+{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./; -+ $code .= "\t$opcode\t".join(',',@_)."\n"; -+} -+ -+my $sp = "r1"; -+ -+my ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7)); -+ -+ -+{{{ -+my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, -+ $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3) = map("v$_",(0..15)); -+my @K = map("v$_",(16..19)); -+my $CTR = "v26"; -+my ($xt0,$xt1,$xt2,$xt3) = map("v$_",(27..30)); -+my ($sixteen,$twelve,$eight,$seven) = ($xt0,$xt1,$xt2,$xt3); -+my $beperm = "v31"; -+ -+my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10))); -+ 
-+my $FRAME=$LOCALS+64+7*16; # 7*16 is for v26-v31 offload -+ -+ -+sub VSX_lane_ROUND_4x { -+my ($a0,$b0,$c0,$d0)=@_; -+my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); -+my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); -+my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); -+my @x=map("\"v$_\"",(0..15)); -+ -+ ( -+ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", # Q1 -+ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", # Q2 -+ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", # Q3 -+ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", # Q4 -+ "&vxor (@x[$d0],@x[$d0],@x[$a0])", -+ "&vxor (@x[$d1],@x[$d1],@x[$a1])", -+ "&vxor (@x[$d2],@x[$d2],@x[$a2])", -+ "&vxor (@x[$d3],@x[$d3],@x[$a3])", -+ "&vrlw (@x[$d0],@x[$d0],'$sixteen')", -+ "&vrlw (@x[$d1],@x[$d1],'$sixteen')", -+ "&vrlw (@x[$d2],@x[$d2],'$sixteen')", -+ "&vrlw (@x[$d3],@x[$d3],'$sixteen')", -+ -+ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", -+ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", -+ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", -+ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", -+ "&vxor (@x[$b0],@x[$b0],@x[$c0])", -+ "&vxor (@x[$b1],@x[$b1],@x[$c1])", -+ "&vxor (@x[$b2],@x[$b2],@x[$c2])", -+ "&vxor (@x[$b3],@x[$b3],@x[$c3])", -+ "&vrlw (@x[$b0],@x[$b0],'$twelve')", -+ "&vrlw (@x[$b1],@x[$b1],'$twelve')", -+ "&vrlw (@x[$b2],@x[$b2],'$twelve')", -+ "&vrlw (@x[$b3],@x[$b3],'$twelve')", -+ -+ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", -+ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", -+ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", -+ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", -+ "&vxor (@x[$d0],@x[$d0],@x[$a0])", -+ "&vxor (@x[$d1],@x[$d1],@x[$a1])", -+ "&vxor (@x[$d2],@x[$d2],@x[$a2])", -+ "&vxor (@x[$d3],@x[$d3],@x[$a3])", -+ "&vrlw (@x[$d0],@x[$d0],'$eight')", -+ "&vrlw (@x[$d1],@x[$d1],'$eight')", -+ "&vrlw (@x[$d2],@x[$d2],'$eight')", -+ "&vrlw (@x[$d3],@x[$d3],'$eight')", -+ -+ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", -+ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", -+ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", -+ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", -+ "&vxor 
(@x[$b0],@x[$b0],@x[$c0])", -+ "&vxor (@x[$b1],@x[$b1],@x[$c1])", -+ "&vxor (@x[$b2],@x[$b2],@x[$c2])", -+ "&vxor (@x[$b3],@x[$b3],@x[$c3])", -+ "&vrlw (@x[$b0],@x[$b0],'$seven')", -+ "&vrlw (@x[$b1],@x[$b1],'$seven')", -+ "&vrlw (@x[$b2],@x[$b2],'$seven')", -+ "&vrlw (@x[$b3],@x[$b3],'$seven')" -+ ); -+} -+ -+$code.=<<___; -+ -+.globl .ChaCha20_ctr32_vsx_p10 -+.align 5 -+.ChaCha20_ctr32_vsx_p10: -+ ${UCMP}i $len,255 -+ bgt ChaCha20_ctr32_vsx_8x -+ $STU $sp,-$FRAME($sp) -+ mflr r0 -+ li r10,`15+$LOCALS+64` -+ li r11,`31+$LOCALS+64` -+ mfspr r12,256 -+ stvx v26,r10,$sp -+ addi r10,r10,32 -+ stvx v27,r11,$sp -+ addi r11,r11,32 -+ stvx v28,r10,$sp -+ addi r10,r10,32 -+ stvx v29,r11,$sp -+ addi r11,r11,32 -+ stvx v30,r10,$sp -+ stvx v31,r11,$sp -+ stw r12,`$FRAME-4`($sp) # save vrsave -+ li r12,-4096+63 -+ $PUSH r0, `$FRAME+$LRSAVE`($sp) -+ mtspr 256,r12 # preserve 29 AltiVec registers -+ -+ bl Lconsts # returns pointer Lsigma in r12 -+ lvx_4w @K[0],0,r12 # load sigma -+ addi r12,r12,0x70 -+ li $x10,16 -+ li $x20,32 -+ li $x30,48 -+ li r11,64 -+ -+ lvx_4w @K[1],0,$key # load key -+ lvx_4w @K[2],$x10,$key -+ lvx_4w @K[3],0,$ctr # load counter -+ -+ vxor $xt0,$xt0,$xt0 -+ lvx_4w $xt1,r11,r12 -+ vspltw $CTR,@K[3],0 -+ vsldoi @K[3],@K[3],$xt0,4 -+ vsldoi @K[3],$xt0,@K[3],12 # clear @K[3].word[0] -+ vadduwm $CTR,$CTR,$xt1 -+ -+ be?lvsl $beperm,0,$x10 # 0x00..0f -+ be?vspltisb $xt0,3 # 0x03..03 -+ be?vxor $beperm,$beperm,$xt0 # swap bytes within words -+ -+ li r0,10 # inner loop counter -+ mtctr r0 -+ b Loop_outer_vsx -+ -+.align 5 -+Loop_outer_vsx: -+ lvx $xa0,$x00,r12 # load [smashed] sigma -+ lvx $xa1,$x10,r12 -+ lvx $xa2,$x20,r12 -+ lvx $xa3,$x30,r12 -+ -+ vspltw $xb0,@K[1],0 # smash the key -+ vspltw $xb1,@K[1],1 -+ vspltw $xb2,@K[1],2 -+ vspltw $xb3,@K[1],3 -+ -+ vspltw $xc0,@K[2],0 -+ vspltw $xc1,@K[2],1 -+ vspltw $xc2,@K[2],2 -+ vspltw $xc3,@K[2],3 -+ -+ vmr $xd0,$CTR # smash the counter -+ vspltw $xd1,@K[3],1 -+ vspltw $xd2,@K[3],2 -+ vspltw $xd3,@K[3],3 -+ -+ 
vspltisw $sixteen,-16 # synthesize constants -+ vspltisw $twelve,12 -+ vspltisw $eight,8 -+ vspltisw $seven,7 -+ -+Loop_vsx_4x: -+___ -+ foreach (&VSX_lane_ROUND_4x(0, 4, 8,12)) { eval; } -+ foreach (&VSX_lane_ROUND_4x(0, 5,10,15)) { eval; } -+$code.=<<___; -+ -+ bdnz Loop_vsx_4x -+ -+ vadduwm $xd0,$xd0,$CTR -+ -+ vmrgew $xt0,$xa0,$xa1 # transpose data -+ vmrgew $xt1,$xa2,$xa3 -+ vmrgow $xa0,$xa0,$xa1 -+ vmrgow $xa2,$xa2,$xa3 -+ vmrgew $xt2,$xb0,$xb1 -+ vmrgew $xt3,$xb2,$xb3 -+ vpermdi $xa1,$xa0,$xa2,0b00 -+ vpermdi $xa3,$xa0,$xa2,0b11 -+ vpermdi $xa0,$xt0,$xt1,0b00 -+ vpermdi $xa2,$xt0,$xt1,0b11 -+ -+ vmrgow $xb0,$xb0,$xb1 -+ vmrgow $xb2,$xb2,$xb3 -+ vmrgew $xt0,$xc0,$xc1 -+ vmrgew $xt1,$xc2,$xc3 -+ vpermdi $xb1,$xb0,$xb2,0b00 -+ vpermdi $xb3,$xb0,$xb2,0b11 -+ vpermdi $xb0,$xt2,$xt3,0b00 -+ vpermdi $xb2,$xt2,$xt3,0b11 -+ -+ vmrgow $xc0,$xc0,$xc1 -+ vmrgow $xc2,$xc2,$xc3 -+ vmrgew $xt2,$xd0,$xd1 -+ vmrgew $xt3,$xd2,$xd3 -+ vpermdi $xc1,$xc0,$xc2,0b00 -+ vpermdi $xc3,$xc0,$xc2,0b11 -+ vpermdi $xc0,$xt0,$xt1,0b00 -+ vpermdi $xc2,$xt0,$xt1,0b11 -+ -+ vmrgow $xd0,$xd0,$xd1 -+ vmrgow $xd2,$xd2,$xd3 -+ vspltisw $xt0,4 -+ vadduwm $CTR,$CTR,$xt0 # next counter value -+ vpermdi $xd1,$xd0,$xd2,0b00 -+ vpermdi $xd3,$xd0,$xd2,0b11 -+ vpermdi $xd0,$xt2,$xt3,0b00 -+ vpermdi $xd2,$xt2,$xt3,0b11 -+ -+ vadduwm $xa0,$xa0,@K[0] -+ vadduwm $xb0,$xb0,@K[1] -+ vadduwm $xc0,$xc0,@K[2] -+ vadduwm $xd0,$xd0,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx -+ -+ 
vadduwm $xa0,$xa1,@K[0] -+ vadduwm $xb0,$xb1,@K[1] -+ vadduwm $xc0,$xc1,@K[2] -+ vadduwm $xd0,$xd1,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx -+ -+ vadduwm $xa0,$xa2,@K[0] -+ vadduwm $xb0,$xb2,@K[1] -+ vadduwm $xc0,$xc2,@K[2] -+ vadduwm $xd0,$xd2,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx -+ -+ vadduwm $xa0,$xa3,@K[0] -+ vadduwm $xb0,$xb3,@K[1] -+ vadduwm $xc0,$xc3,@K[2] -+ vadduwm $xd0,$xd3,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w 
$xt3,$x30,$out -+ addi $out,$out,0x40 -+ mtctr r0 -+ bne Loop_outer_vsx -+ -+Ldone_vsx: -+ lwz r12,`$FRAME-4`($sp) # pull vrsave -+ li r10,`15+$LOCALS+64` -+ li r11,`31+$LOCALS+64` -+ $POP r0, `$FRAME+$LRSAVE`($sp) -+ mtspr 256,r12 # restore vrsave -+ lvx v26,r10,$sp -+ addi r10,r10,32 -+ lvx v27,r11,$sp -+ addi r11,r11,32 -+ lvx v28,r10,$sp -+ addi r10,r10,32 -+ lvx v29,r11,$sp -+ addi r11,r11,32 -+ lvx v30,r10,$sp -+ lvx v31,r11,$sp -+ mtlr r0 -+ addi $sp,$sp,$FRAME -+ blr -+ -+.align 4 -+Ltail_vsx: -+ addi r11,$sp,$LOCALS -+ mtctr $len -+ stvx_4w $xa0,$x00,r11 # offload block to stack -+ stvx_4w $xb0,$x10,r11 -+ stvx_4w $xc0,$x20,r11 -+ stvx_4w $xd0,$x30,r11 -+ subi r12,r11,1 # prepare for *++ptr -+ subi $inp,$inp,1 -+ subi $out,$out,1 -+ -+Loop_tail_vsx: -+ lbzu r6,1(r12) -+ lbzu r7,1($inp) -+ xor r6,r6,r7 -+ stbu r6,1($out) -+ bdnz Loop_tail_vsx -+ -+ stvx_4w $K[0],$x00,r11 # wipe copy of the block -+ stvx_4w $K[0],$x10,r11 -+ stvx_4w $K[0],$x20,r11 -+ stvx_4w $K[0],$x30,r11 -+ -+ b Ldone_vsx -+ .long 0 -+ .byte 0,12,0x04,1,0x80,0,5,0 -+ .long 0 -+.size .ChaCha20_ctr32_vsx_p10,.-.ChaCha20_ctr32_vsx_p10 -+___ -+}}} -+ -+##This is 8 block in parallel implementation. The heart of chacha round uses vector instruction that has access to -+# vsr[32+X]. To perform the 8 parallel block we tend to use all 32 register to hold the 8 block info. -+# WE need to store few register value on side, so we can use VSR{32+X} for few vector instructions used in round op and hold intermediate value. -+# WE use the VSR[0]-VSR[31] for holding intermediate value and perform 8 block in parallel. 
-+# -+{{{ -+#### ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7)); -+my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, -+ $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3, -+ $xa4,$xa5,$xa6,$xa7, $xb4,$xb5,$xb6,$xb7, -+ $xc4,$xc5,$xc6,$xc7, $xd4,$xd5,$xd6,$xd7) = map("v$_",(0..31)); -+my ($xcn4,$xcn5,$xcn6,$xcn7, $xdn4,$xdn5,$xdn6,$xdn7) = map("v$_",(8..15)); -+my ($xan0,$xbn0,$xcn0,$xdn0) = map("v$_",(0..3)); -+my @K = map("v$_",27,(24..26)); -+my ($xt0,$xt1,$xt2,$xt3,$xt4) = map("v$_",23,(28..31)); -+my $xr0 = "v4"; -+my $CTR0 = "v22"; -+my $CTR1 = "v5"; -+my $beperm = "v31"; -+my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10))); -+my ($xv0,$xv1,$xv2,$xv3,$xv4,$xv5,$xv6,$xv7) = map("v$_",(0..7)); -+my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("v$_",(8..17)); -+my ($xv18,$xv19,$xv20,$xv21) = map("v$_",(18..21)); -+my ($xv22,$xv23,$xv24,$xv25,$xv26) = map("v$_",(22..26)); -+ -+my $FRAME=$LOCALS+64+9*16; # 8*16 is for v24-v31 offload -+ -+sub VSX_lane_ROUND_8x { -+my ($a0,$b0,$c0,$d0,$a4,$b4,$c4,$d4)=@_; -+my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); -+my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); -+my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); -+my ($a5,$b5,$c5,$d5)=map(($_&~3)+(($_+1)&3),($a4,$b4,$c4,$d4)); -+my ($a6,$b6,$c6,$d6)=map(($_&~3)+(($_+1)&3),($a5,$b5,$c5,$d5)); -+my ($a7,$b7,$c7,$d7)=map(($_&~3)+(($_+1)&3),($a6,$b6,$c6,$d6)); -+my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("\"v$_\"",(8..17)); -+my @x=map("\"v$_\"",(0..31)); -+ -+ ( -+ "&vxxlor ($xv15 ,@x[$c7],@x[$c7])", #copy v30 to v13 -+ "&vxxlorc (@x[$c7], $xv9,$xv9)", -+ -+ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", # Q1 -+ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", # Q2 -+ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", # Q3 -+ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", # Q4 -+ "&vadduwm (@x[$a4],@x[$a4],@x[$b4])", # Q1 -+ "&vadduwm (@x[$a5],@x[$a5],@x[$b5])", # Q2 -+ "&vadduwm (@x[$a6],@x[$a6],@x[$b6])", # Q3 -+ "&vadduwm 
(@x[$a7],@x[$a7],@x[$b7])", # Q4 -+ -+ "&vxor (@x[$d0],@x[$d0],@x[$a0])", -+ "&vxor (@x[$d1],@x[$d1],@x[$a1])", -+ "&vxor (@x[$d2],@x[$d2],@x[$a2])", -+ "&vxor (@x[$d3],@x[$d3],@x[$a3])", -+ "&vxor (@x[$d4],@x[$d4],@x[$a4])", -+ "&vxor (@x[$d5],@x[$d5],@x[$a5])", -+ "&vxor (@x[$d6],@x[$d6],@x[$a6])", -+ "&vxor (@x[$d7],@x[$d7],@x[$a7])", -+ -+ "&vrlw (@x[$d0],@x[$d0],@x[$c7])", -+ "&vrlw (@x[$d1],@x[$d1],@x[$c7])", -+ "&vrlw (@x[$d2],@x[$d2],@x[$c7])", -+ "&vrlw (@x[$d3],@x[$d3],@x[$c7])", -+ "&vrlw (@x[$d4],@x[$d4],@x[$c7])", -+ "&vrlw (@x[$d5],@x[$d5],@x[$c7])", -+ "&vrlw (@x[$d6],@x[$d6],@x[$c7])", -+ "&vrlw (@x[$d7],@x[$d7],@x[$c7])", -+ -+ "&vxxlor ($xv13 ,@x[$a7],@x[$a7])", -+ "&vxxlorc (@x[$c7], $xv15,$xv15)", -+ "&vxxlorc (@x[$a7], $xv10,$xv10)", -+ -+ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", -+ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", -+ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", -+ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", -+ "&vadduwm (@x[$c4],@x[$c4],@x[$d4])", -+ "&vadduwm (@x[$c5],@x[$c5],@x[$d5])", -+ "&vadduwm (@x[$c6],@x[$c6],@x[$d6])", -+ "&vadduwm (@x[$c7],@x[$c7],@x[$d7])", -+ -+ "&vxor (@x[$b0],@x[$b0],@x[$c0])", -+ "&vxor (@x[$b1],@x[$b1],@x[$c1])", -+ "&vxor (@x[$b2],@x[$b2],@x[$c2])", -+ "&vxor (@x[$b3],@x[$b3],@x[$c3])", -+ "&vxor (@x[$b4],@x[$b4],@x[$c4])", -+ "&vxor (@x[$b5],@x[$b5],@x[$c5])", -+ "&vxor (@x[$b6],@x[$b6],@x[$c6])", -+ "&vxor (@x[$b7],@x[$b7],@x[$c7])", -+ -+ "&vrlw (@x[$b0],@x[$b0],@x[$a7])", -+ "&vrlw (@x[$b1],@x[$b1],@x[$a7])", -+ "&vrlw (@x[$b2],@x[$b2],@x[$a7])", -+ "&vrlw (@x[$b3],@x[$b3],@x[$a7])", -+ "&vrlw (@x[$b4],@x[$b4],@x[$a7])", -+ "&vrlw (@x[$b5],@x[$b5],@x[$a7])", -+ "&vrlw (@x[$b6],@x[$b6],@x[$a7])", -+ "&vrlw (@x[$b7],@x[$b7],@x[$a7])", -+ -+ "&vxxlorc (@x[$a7], $xv13,$xv13)", -+ "&vxxlor ($xv15 ,@x[$c7],@x[$c7])", -+ "&vxxlorc (@x[$c7], $xv11,$xv11)", -+ -+ -+ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", -+ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", -+ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", -+ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", 
-+ "&vadduwm (@x[$a4],@x[$a4],@x[$b4])", -+ "&vadduwm (@x[$a5],@x[$a5],@x[$b5])", -+ "&vadduwm (@x[$a6],@x[$a6],@x[$b6])", -+ "&vadduwm (@x[$a7],@x[$a7],@x[$b7])", -+ -+ "&vxor (@x[$d0],@x[$d0],@x[$a0])", -+ "&vxor (@x[$d1],@x[$d1],@x[$a1])", -+ "&vxor (@x[$d2],@x[$d2],@x[$a2])", -+ "&vxor (@x[$d3],@x[$d3],@x[$a3])", -+ "&vxor (@x[$d4],@x[$d4],@x[$a4])", -+ "&vxor (@x[$d5],@x[$d5],@x[$a5])", -+ "&vxor (@x[$d6],@x[$d6],@x[$a6])", -+ "&vxor (@x[$d7],@x[$d7],@x[$a7])", -+ -+ "&vrlw (@x[$d0],@x[$d0],@x[$c7])", -+ "&vrlw (@x[$d1],@x[$d1],@x[$c7])", -+ "&vrlw (@x[$d2],@x[$d2],@x[$c7])", -+ "&vrlw (@x[$d3],@x[$d3],@x[$c7])", -+ "&vrlw (@x[$d4],@x[$d4],@x[$c7])", -+ "&vrlw (@x[$d5],@x[$d5],@x[$c7])", -+ "&vrlw (@x[$d6],@x[$d6],@x[$c7])", -+ "&vrlw (@x[$d7],@x[$d7],@x[$c7])", -+ -+ "&vxxlorc (@x[$c7], $xv15,$xv15)", -+ "&vxxlor ($xv13 ,@x[$a7],@x[$a7])", -+ "&vxxlorc (@x[$a7], $xv12,$xv12)", -+ -+ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", -+ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", -+ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", -+ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", -+ "&vadduwm (@x[$c4],@x[$c4],@x[$d4])", -+ "&vadduwm (@x[$c5],@x[$c5],@x[$d5])", -+ "&vadduwm (@x[$c6],@x[$c6],@x[$d6])", -+ "&vadduwm (@x[$c7],@x[$c7],@x[$d7])", -+ "&vxor (@x[$b0],@x[$b0],@x[$c0])", -+ "&vxor (@x[$b1],@x[$b1],@x[$c1])", -+ "&vxor (@x[$b2],@x[$b2],@x[$c2])", -+ "&vxor (@x[$b3],@x[$b3],@x[$c3])", -+ "&vxor (@x[$b4],@x[$b4],@x[$c4])", -+ "&vxor (@x[$b5],@x[$b5],@x[$c5])", -+ "&vxor (@x[$b6],@x[$b6],@x[$c6])", -+ "&vxor (@x[$b7],@x[$b7],@x[$c7])", -+ "&vrlw (@x[$b0],@x[$b0],@x[$a7])", -+ "&vrlw (@x[$b1],@x[$b1],@x[$a7])", -+ "&vrlw (@x[$b2],@x[$b2],@x[$a7])", -+ "&vrlw (@x[$b3],@x[$b3],@x[$a7])", -+ "&vrlw (@x[$b4],@x[$b4],@x[$a7])", -+ "&vrlw (@x[$b5],@x[$b5],@x[$a7])", -+ "&vrlw (@x[$b6],@x[$b6],@x[$a7])", -+ "&vrlw (@x[$b7],@x[$b7],@x[$a7])", -+ -+ "&vxxlorc (@x[$a7], $xv13,$xv13)", -+ ); -+} -+ -+$code.=<<___; -+ -+.globl .ChaCha20_ctr32_vsx_8x -+.align 5 -+.ChaCha20_ctr32_vsx_8x: -+ $STU 
$sp,-$FRAME($sp) -+ mflr r0 -+ li r10,`15+$LOCALS+64` -+ li r11,`31+$LOCALS+64` -+ mfspr r12,256 -+ stvx v24,r10,$sp -+ addi r10,r10,32 -+ stvx v25,r11,$sp -+ addi r11,r11,32 -+ stvx v26,r10,$sp -+ addi r10,r10,32 -+ stvx v27,r11,$sp -+ addi r11,r11,32 -+ stvx v28,r10,$sp -+ addi r10,r10,32 -+ stvx v29,r11,$sp -+ addi r11,r11,32 -+ stvx v30,r10,$sp -+ stvx v31,r11,$sp -+ stw r12,`$FRAME-4`($sp) # save vrsave -+ li r12,-4096+63 -+ $PUSH r0, `$FRAME+$LRSAVE`($sp) -+ mtspr 256,r12 # preserve 29 AltiVec registers -+ -+ bl Lconsts # returns pointer Lsigma in r12 -+ -+ lvx_4w @K[0],0,r12 # load sigma -+ addi r12,r12,0x70 -+ li $x10,16 -+ li $x20,32 -+ li $x30,48 -+ li r11,64 -+ -+ vspltisw $xa4,-16 # synthesize constants -+ vspltisw $xb4,12 # synthesize constants -+ vspltisw $xc4,8 # synthesize constants -+ vspltisw $xd4,7 # synthesize constants -+ -+ lvx $xa0,$x00,r12 # load [smashed] sigma -+ lvx $xa1,$x10,r12 -+ lvx $xa2,$x20,r12 -+ lvx $xa3,$x30,r12 -+ -+ vxxlor $xv9 ,$xa4,$xa4 #save shift val in vr9-12 -+ vxxlor $xv10 ,$xb4,$xb4 -+ vxxlor $xv11 ,$xc4,$xc4 -+ vxxlor $xv12 ,$xd4,$xd4 -+ vxxlor $xv22 ,$xa0,$xa0 #save sigma in vr22-25 -+ vxxlor $xv23 ,$xa1,$xa1 -+ vxxlor $xv24 ,$xa2,$xa2 -+ vxxlor $xv25 ,$xa3,$xa3 -+ -+ lvx_4w @K[1],0,$key # load key -+ lvx_4w @K[2],$x10,$key -+ lvx_4w @K[3],0,$ctr # load counter -+ vspltisw $xt3,4 -+ -+ -+ vxor $xt2,$xt2,$xt2 -+ lvx_4w $xt1,r11,r12 -+ vspltw $xa2,@K[3],0 #save the original count after spltw -+ vsldoi @K[3],@K[3],$xt2,4 -+ vsldoi @K[3],$xt2,@K[3],12 # clear @K[3].word[0] -+ vadduwm $xt1,$xa2,$xt1 -+ vadduwm $xt3,$xt1,$xt3 # next counter value -+ vspltw $xa0,@K[2],2 # save the K[2] spltw 2 and save v8. 
-+ -+ be?lvsl $beperm,0,$x10 # 0x00..0f -+ be?vspltisb $xt0,3 # 0x03..03 -+ be?vxor $beperm,$beperm,$xt0 # swap bytes within words -+ be?vxxlor $xv26 ,$beperm,$beperm -+ -+ vxxlor $xv0 ,@K[0],@K[0] # K0,k1,k2 to vr0,1,2 -+ vxxlor $xv1 ,@K[1],@K[1] -+ vxxlor $xv2 ,@K[2],@K[2] -+ vxxlor $xv3 ,@K[3],@K[3] -+ vxxlor $xv4 ,$xt1,$xt1 #CTR ->4, CTR+4-> 5 -+ vxxlor $xv5 ,$xt3,$xt3 -+ vxxlor $xv8 ,$xa0,$xa0 -+ -+ li r0,10 # inner loop counter -+ mtctr r0 -+ b Loop_outer_vsx_8x -+ -+.align 5 -+Loop_outer_vsx_8x: -+ vxxlorc $xa0,$xv22,$xv22 # load [smashed] sigma -+ vxxlorc $xa1,$xv23,$xv23 -+ vxxlorc $xa2,$xv24,$xv24 -+ vxxlorc $xa3,$xv25,$xv25 -+ vxxlorc $xa4,$xv22,$xv22 -+ vxxlorc $xa5,$xv23,$xv23 -+ vxxlorc $xa6,$xv24,$xv24 -+ vxxlorc $xa7,$xv25,$xv25 -+ -+ vspltw $xb0,@K[1],0 # smash the key -+ vspltw $xb1,@K[1],1 -+ vspltw $xb2,@K[1],2 -+ vspltw $xb3,@K[1],3 -+ vspltw $xb4,@K[1],0 # smash the key -+ vspltw $xb5,@K[1],1 -+ vspltw $xb6,@K[1],2 -+ vspltw $xb7,@K[1],3 -+ -+ vspltw $xc0,@K[2],0 -+ vspltw $xc1,@K[2],1 -+ vspltw $xc2,@K[2],2 -+ vspltw $xc3,@K[2],3 -+ vspltw $xc4,@K[2],0 -+ vspltw $xc7,@K[2],3 -+ vspltw $xc5,@K[2],1 -+ -+ vxxlorc $xd0,$xv4,$xv4 # smash the counter -+ vspltw $xd1,@K[3],1 -+ vspltw $xd2,@K[3],2 -+ vspltw $xd3,@K[3],3 -+ vxxlorc $xd4,$xv5,$xv5 # smash the counter -+ vspltw $xd5,@K[3],1 -+ vspltw $xd6,@K[3],2 -+ vspltw $xd7,@K[3],3 -+ vxxlorc $xc6,$xv8,$xv8 #copy of vlspt k[2],2 is in v8.v26 ->k[3] so need to wait until k3 is done -+ -+Loop_vsx_8x: -+___ -+ foreach (&VSX_lane_ROUND_8x(0,4, 8,12,16,20,24,28)) { eval; } -+ foreach (&VSX_lane_ROUND_8x(0,5,10,15,16,21,26,31)) { eval; } -+$code.=<<___; -+ -+ bdnz Loop_vsx_8x -+ vxxlor $xv13 ,$xd4,$xd4 # save the register vr24-31 -+ vxxlor $xv14 ,$xd5,$xd5 # -+ vxxlor $xv15 ,$xd6,$xd6 # -+ vxxlor $xv16 ,$xd7,$xd7 # -+ -+ vxxlor $xv18 ,$xc4,$xc4 # -+ vxxlor $xv19 ,$xc5,$xc5 # -+ vxxlor $xv20 ,$xc6,$xc6 # -+ vxxlor $xv21 ,$xc7,$xc7 # -+ -+ vxxlor $xv6 ,$xb6,$xb6 # save vr23, so we get 8 regs -+ vxxlor $xv7 
,$xb7,$xb7 # save vr23, so we get 8 regs -+ be?vxxlorc $beperm,$xv26,$xv26 # copy back the the beperm. -+ -+ vxxlorc @K[0],$xv0,$xv0 #27 -+ vxxlorc @K[1],$xv1,$xv1 #24 -+ vxxlorc @K[2],$xv2,$xv2 #25 -+ vxxlorc @K[3],$xv3,$xv3 #26 -+ vxxlorc $CTR0,$xv4,$xv4 -+###changing to vertical -+ -+ vmrgew $xt0,$xa0,$xa1 # transpose data -+ vmrgew $xt1,$xa2,$xa3 -+ vmrgow $xa0,$xa0,$xa1 -+ vmrgow $xa2,$xa2,$xa3 -+ -+ vmrgew $xt2,$xb0,$xb1 -+ vmrgew $xt3,$xb2,$xb3 -+ vmrgow $xb0,$xb0,$xb1 -+ vmrgow $xb2,$xb2,$xb3 -+ -+ vadduwm $xd0,$xd0,$CTR0 -+ -+ vpermdi $xa1,$xa0,$xa2,0b00 -+ vpermdi $xa3,$xa0,$xa2,0b11 -+ vpermdi $xa0,$xt0,$xt1,0b00 -+ vpermdi $xa2,$xt0,$xt1,0b11 -+ vpermdi $xb1,$xb0,$xb2,0b00 -+ vpermdi $xb3,$xb0,$xb2,0b11 -+ vpermdi $xb0,$xt2,$xt3,0b00 -+ vpermdi $xb2,$xt2,$xt3,0b11 -+ -+ vmrgew $xt0,$xc0,$xc1 -+ vmrgew $xt1,$xc2,$xc3 -+ vmrgow $xc0,$xc0,$xc1 -+ vmrgow $xc2,$xc2,$xc3 -+ vmrgew $xt2,$xd0,$xd1 -+ vmrgew $xt3,$xd2,$xd3 -+ vmrgow $xd0,$xd0,$xd1 -+ vmrgow $xd2,$xd2,$xd3 -+ -+ vpermdi $xc1,$xc0,$xc2,0b00 -+ vpermdi $xc3,$xc0,$xc2,0b11 -+ vpermdi $xc0,$xt0,$xt1,0b00 -+ vpermdi $xc2,$xt0,$xt1,0b11 -+ vpermdi $xd1,$xd0,$xd2,0b00 -+ vpermdi $xd3,$xd0,$xd2,0b11 -+ vpermdi $xd0,$xt2,$xt3,0b00 -+ vpermdi $xd2,$xt2,$xt3,0b11 -+ -+ vspltisw $xt0,8 -+ vadduwm $CTR0,$CTR0,$xt0 # next counter value -+ vxxlor $xv4 ,$CTR0,$CTR0 #CTR+4-> 5 -+ -+ vadduwm $xa0,$xa0,@K[0] -+ vadduwm $xb0,$xb0,@K[1] -+ vadduwm $xc0,$xc0,@K[2] -+ vadduwm $xd0,$xd0,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w 
$xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ vadduwm $xa0,$xa1,@K[0] -+ vadduwm $xb0,$xb1,@K[1] -+ vadduwm $xc0,$xc1,@K[2] -+ vadduwm $xd0,$xd1,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ vadduwm $xa0,$xa2,@K[0] -+ vadduwm $xb0,$xb2,@K[1] -+ vadduwm $xc0,$xc2,@K[2] -+ vadduwm $xd0,$xd2,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ vadduwm $xa0,$xa3,@K[0] -+ vadduwm $xb0,$xb3,@K[1] -+ vadduwm $xc0,$xc3,@K[2] -+ vadduwm $xd0,$xd3,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ 
addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+#blk4-7: 24:31 remain the same as we can use the same logic above . Reg a4-b7 remain same.Load c4,d7--> position 8-15.we can reuse vr24-31. -+#VR0-3 : are used to load temp value, vr4 --> as xr0 instead of xt0. -+ -+ vxxlorc $CTR1 ,$xv5,$xv5 -+ -+ vxxlorc $xcn4 ,$xv18,$xv18 -+ vxxlorc $xcn5 ,$xv19,$xv19 -+ vxxlorc $xcn6 ,$xv20,$xv20 -+ vxxlorc $xcn7 ,$xv21,$xv21 -+ -+ vxxlorc $xdn4 ,$xv13,$xv13 -+ vxxlorc $xdn5 ,$xv14,$xv14 -+ vxxlorc $xdn6 ,$xv15,$xv15 -+ vxxlorc $xdn7 ,$xv16,$xv16 -+ vadduwm $xdn4,$xdn4,$CTR1 -+ -+ vxxlorc $xb6 ,$xv6,$xv6 -+ vxxlorc $xb7 ,$xv7,$xv7 -+#use xa1->xr0, as xt0...in the block 4-7 -+ -+ vmrgew $xr0,$xa4,$xa5 # transpose data -+ vmrgew $xt1,$xa6,$xa7 -+ vmrgow $xa4,$xa4,$xa5 -+ vmrgow $xa6,$xa6,$xa7 -+ vmrgew $xt2,$xb4,$xb5 -+ vmrgew $xt3,$xb6,$xb7 -+ vmrgow $xb4,$xb4,$xb5 -+ vmrgow $xb6,$xb6,$xb7 -+ -+ vpermdi $xa5,$xa4,$xa6,0b00 -+ vpermdi $xa7,$xa4,$xa6,0b11 -+ vpermdi $xa4,$xr0,$xt1,0b00 -+ vpermdi $xa6,$xr0,$xt1,0b11 -+ vpermdi $xb5,$xb4,$xb6,0b00 -+ vpermdi $xb7,$xb4,$xb6,0b11 -+ vpermdi $xb4,$xt2,$xt3,0b00 -+ vpermdi $xb6,$xt2,$xt3,0b11 -+ -+ vmrgew $xr0,$xcn4,$xcn5 -+ vmrgew $xt1,$xcn6,$xcn7 -+ vmrgow $xcn4,$xcn4,$xcn5 -+ vmrgow $xcn6,$xcn6,$xcn7 -+ vmrgew $xt2,$xdn4,$xdn5 -+ vmrgew $xt3,$xdn6,$xdn7 -+ vmrgow $xdn4,$xdn4,$xdn5 -+ vmrgow $xdn6,$xdn6,$xdn7 -+ -+ vpermdi $xcn5,$xcn4,$xcn6,0b00 -+ vpermdi $xcn7,$xcn4,$xcn6,0b11 -+ vpermdi $xcn4,$xr0,$xt1,0b00 -+ vpermdi $xcn6,$xr0,$xt1,0b11 -+ vpermdi $xdn5,$xdn4,$xdn6,0b00 -+ vpermdi $xdn7,$xdn4,$xdn6,0b11 -+ vpermdi $xdn4,$xt2,$xt3,0b00 -+ vpermdi $xdn6,$xt2,$xt3,0b11 -+ -+ vspltisw $xr0,8 -+ vadduwm $CTR1,$CTR1,$xr0 # next counter value -+ vxxlor $xv5 ,$CTR1,$CTR1 #CTR+4-> 5 -+ -+ vadduwm $xan0,$xa4,@K[0] -+ vadduwm $xbn0,$xb4,@K[1] -+ vadduwm $xcn0,$xcn4,@K[2] -+ vadduwm $xdn0,$xdn4,@K[3] -+ -+ be?vperm $xan0,$xa4,$xa4,$beperm -+ be?vperm 
$xbn0,$xb4,$xb4,$beperm -+ be?vperm $xcn0,$xcn4,$xcn4,$beperm -+ be?vperm $xdn0,$xdn4,$xdn4,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x_1 -+ -+ lvx_4w $xr0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xr0,$xr0,$xan0 -+ vxor $xt1,$xt1,$xbn0 -+ vxor $xt2,$xt2,$xcn0 -+ vxor $xt3,$xt3,$xdn0 -+ -+ stvx_4w $xr0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ vadduwm $xan0,$xa5,@K[0] -+ vadduwm $xbn0,$xb5,@K[1] -+ vadduwm $xcn0,$xcn5,@K[2] -+ vadduwm $xdn0,$xdn5,@K[3] -+ -+ be?vperm $xan0,$xan0,$xan0,$beperm -+ be?vperm $xbn0,$xbn0,$xbn0,$beperm -+ be?vperm $xcn0,$xcn0,$xcn0,$beperm -+ be?vperm $xdn0,$xdn0,$xdn0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x_1 -+ -+ lvx_4w $xr0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xr0,$xr0,$xan0 -+ vxor $xt1,$xt1,$xbn0 -+ vxor $xt2,$xt2,$xcn0 -+ vxor $xt3,$xt3,$xdn0 -+ -+ stvx_4w $xr0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ vadduwm $xan0,$xa6,@K[0] -+ vadduwm $xbn0,$xb6,@K[1] -+ vadduwm $xcn0,$xcn6,@K[2] -+ vadduwm $xdn0,$xdn6,@K[3] -+ -+ be?vperm $xan0,$xan0,$xan0,$beperm -+ be?vperm $xbn0,$xbn0,$xbn0,$beperm -+ be?vperm $xcn0,$xcn0,$xcn0,$beperm -+ be?vperm $xdn0,$xdn0,$xdn0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x_1 -+ -+ lvx_4w $xr0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xr0,$xr0,$xan0 -+ vxor $xt1,$xt1,$xbn0 -+ vxor $xt2,$xt2,$xcn0 -+ vxor $xt3,$xt3,$xdn0 -+ -+ stvx_4w $xr0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ vadduwm 
$xan0,$xa7,@K[0] -+ vadduwm $xbn0,$xb7,@K[1] -+ vadduwm $xcn0,$xcn7,@K[2] -+ vadduwm $xdn0,$xdn7,@K[3] -+ -+ be?vperm $xan0,$xan0,$xan0,$beperm -+ be?vperm $xbn0,$xbn0,$xbn0,$beperm -+ be?vperm $xcn0,$xcn0,$xcn0,$beperm -+ be?vperm $xdn0,$xdn0,$xdn0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x_1 -+ -+ lvx_4w $xr0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xr0,$xr0,$xan0 -+ vxor $xt1,$xt1,$xbn0 -+ vxor $xt2,$xt2,$xcn0 -+ vxor $xt3,$xt3,$xdn0 -+ -+ stvx_4w $xr0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ mtctr r0 -+ bne Loop_outer_vsx_8x -+ -+Ldone_vsx_8x: -+ lwz r12,`$FRAME-4`($sp) # pull vrsave -+ li r10,`15+$LOCALS+64` -+ li r11,`31+$LOCALS+64` -+ $POP r0, `$FRAME+$LRSAVE`($sp) -+ mtspr 256,r12 # restore vrsave -+ lvx v24,r10,$sp -+ addi r10,r10,32 -+ lvx v25,r11,$sp -+ addi r11,r11,32 -+ lvx v26,r10,$sp -+ addi r10,r10,32 -+ lvx v27,r11,$sp -+ addi r11,r11,32 -+ lvx v28,r10,$sp -+ addi r10,r10,32 -+ lvx v29,r11,$sp -+ addi r11,r11,32 -+ lvx v30,r10,$sp -+ lvx v31,r11,$sp -+ mtlr r0 -+ addi $sp,$sp,$FRAME -+ blr -+ -+.align 4 -+Ltail_vsx_8x: -+ addi r11,$sp,$LOCALS -+ mtctr $len -+ stvx_4w $xa0,$x00,r11 # offload block to stack -+ stvx_4w $xb0,$x10,r11 -+ stvx_4w $xc0,$x20,r11 -+ stvx_4w $xd0,$x30,r11 -+ subi r12,r11,1 # prepare for *++ptr -+ subi $inp,$inp,1 -+ subi $out,$out,1 -+ bl Loop_tail_vsx_8x -+Ltail_vsx_8x_1: -+ addi r11,$sp,$LOCALS -+ mtctr $len -+ stvx_4w $xan0,$x00,r11 # offload block to stack -+ stvx_4w $xbn0,$x10,r11 -+ stvx_4w $xcn0,$x20,r11 -+ stvx_4w $xdn0,$x30,r11 -+ subi r12,r11,1 # prepare for *++ptr -+ subi $inp,$inp,1 -+ subi $out,$out,1 -+ bl Loop_tail_vsx_8x -+ -+Loop_tail_vsx_8x: -+ lbzu r6,1(r12) -+ lbzu r7,1($inp) -+ xor r6,r6,r7 -+ stbu r6,1($out) -+ bdnz Loop_tail_vsx_8x -+ -+ stvx_4w $K[0],$x00,r11 # wipe copy of the block -+ stvx_4w 
$K[0],$x10,r11 -+ stvx_4w $K[0],$x20,r11 -+ stvx_4w $K[0],$x30,r11 -+ -+ b Ldone_vsx_8x -+ .long 0 -+ .byte 0,12,0x04,1,0x80,0,5,0 -+ .long 0 -+.size .ChaCha20_ctr32_vsx_8x,.-.ChaCha20_ctr32_vsx_8x -+___ -+}}} -+ -+ -+$code.=<<___; -+.align 5 -+Lconsts: -+ mflr r0 -+ bcl 20,31,\$+4 -+ mflr r12 #vvvvv "distance between . and Lsigma -+ addi r12,r12,`64-8` -+ mtlr r0 -+ blr -+ .long 0 -+ .byte 0,12,0x14,0,0,0,0,0 -+ .space `64-9*4` -+Lsigma: -+ .long 0x61707865,0x3320646e,0x79622d32,0x6b206574 -+ .long 1,0,0,0 -+ .long 2,0,0,0 -+ .long 3,0,0,0 -+ .long 4,0,0,0 -+___ -+$code.=<<___ if ($LITTLE_ENDIAN); -+ .long 0x0e0f0c0d,0x0a0b0809,0x06070405,0x02030001 -+ .long 0x0d0e0f0c,0x090a0b08,0x05060704,0x01020300 -+___ -+$code.=<<___ if (!$LITTLE_ENDIAN); # flipped words -+ .long 0x02030001,0x06070405,0x0a0b0809,0x0e0f0c0d -+ .long 0x01020300,0x05060704,0x090a0b08,0x0d0e0f0c -+___ -+$code.=<<___; -+ .long 0x61707865,0x61707865,0x61707865,0x61707865 -+ .long 0x3320646e,0x3320646e,0x3320646e,0x3320646e -+ .long 0x79622d32,0x79622d32,0x79622d32,0x79622d32 -+ .long 0x6b206574,0x6b206574,0x6b206574,0x6b206574 -+ .long 0,1,2,3 -+ .long 0x03020100,0x07060504,0x0b0a0908,0x0f0e0d0c -+.asciz "ChaCha20 for PowerPC/AltiVec, CRYPTOGAMS by " -+.align 2 -+___ -+ -+foreach (split("\n",$code)) { -+ s/\`([^\`]*)\`/eval $1/ge; -+ -+ # instructions prefixed with '?' are endian-specific and need -+ # to be adjusted accordingly... 
-+ if ($flavour !~ /le$/) { # big-endian -+ s/be\?// or -+ s/le\?/#le#/ or -+ s/\?lvsr/lvsl/ or -+ s/\?lvsl/lvsr/ or -+ s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/ or -+ s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 16-$3/; -+ } else { # little-endian -+ s/le\?// or -+ s/be\?/#be#/ or -+ s/\?([a-z]+)/$1/ or -+ s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 $3/; -+ } -+ -+ print $_,"\n"; -+} -+ -+close STDOUT or die "error closing STDOUT: $!"; -diff --git a/crypto/chacha/build.info b/crypto/chacha/build.info -index c12cb9c..2a819b2 100644 ---- a/crypto/chacha/build.info -+++ b/crypto/chacha/build.info -@@ -12,7 +12,7 @@ IF[{- !$disabled{asm} -}] - $CHACHAASM_armv4=chacha-armv4.S - $CHACHAASM_aarch64=chacha-armv8.S - -- $CHACHAASM_ppc32=chacha_ppc.c chacha-ppc.s -+ $CHACHAASM_ppc32=chacha_ppc.c chacha-ppc.s chachap10-ppc.s - $CHACHAASM_ppc64=$CHACHAASM_ppc32 - - $CHACHAASM_c64xplus=chacha-c64xplus.s -@@ -29,6 +29,7 @@ SOURCE[../../libcrypto]=$CHACHAASM - GENERATE[chacha-x86.S]=asm/chacha-x86.pl - GENERATE[chacha-x86_64.s]=asm/chacha-x86_64.pl - GENERATE[chacha-ppc.s]=asm/chacha-ppc.pl -+GENERATE[chachap10-ppc.s]=asm/chachap10-ppc.pl - GENERATE[chacha-armv4.S]=asm/chacha-armv4.pl - INCLUDE[chacha-armv4.o]=.. 
- GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl -diff --git a/crypto/chacha/chacha_ppc.c b/crypto/chacha/chacha_ppc.c -index 5319040..f99cca8 100644 ---- a/crypto/chacha/chacha_ppc.c -+++ b/crypto/chacha/chacha_ppc.c -@@ -23,13 +23,18 @@ void ChaCha20_ctr32_vmx(unsigned char *out, const unsigned char *inp, - void ChaCha20_ctr32_vsx(unsigned char *out, const unsigned char *inp, - size_t len, const unsigned int key[8], - const unsigned int counter[4]); -+void ChaCha20_ctr32_vsx_p10(unsigned char *out, const unsigned char *inp, -+ size_t len, const unsigned int key[8], -+ const unsigned int counter[4]); - void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp, - size_t len, const unsigned int key[8], - const unsigned int counter[4]) - { -- OPENSSL_ppccap_P & PPC_CRYPTO207 -- ? ChaCha20_ctr32_vsx(out, inp, len, key, counter) -- : OPENSSL_ppccap_P & PPC_ALTIVEC -- ? ChaCha20_ctr32_vmx(out, inp, len, key, counter) -- : ChaCha20_ctr32_int(out, inp, len, key, counter); -+ OPENSSL_ppccap_P & PPC_BRD31 -+ ? ChaCha20_ctr32_vsx_p10(out, inp, len, key, counter) -+ :OPENSSL_ppccap_P & PPC_CRYPTO207 -+ ? ChaCha20_ctr32_vsx(out, inp, len, key, counter) -+ : OPENSSL_ppccap_P & PPC_ALTIVEC -+ ? 
ChaCha20_ctr32_vmx(out, inp, len, key, counter) -+ : ChaCha20_ctr32_int(out, inp, len, key, counter); - } -diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl -index 2ee4440..4590340 100755 ---- a/crypto/perlasm/ppc-xlate.pl -+++ b/crypto/perlasm/ppc-xlate.pl -@@ -293,6 +293,14 @@ my $vpermdi = sub { # xxpermdi - $dm = oct($dm) if ($dm =~ /^0/); - " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|($dm<<8)|(10<<3)|7; - }; -+my $vxxlor = sub { # xxlor -+ my ($f, $vrt, $vra, $vrb) = @_; -+ " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|(146<<3)|6; -+}; -+my $vxxlorc = sub { # xxlor -+ my ($f, $vrt, $vra, $vrb) = @_; -+ " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|(146<<3)|1; -+}; - - # PowerISA 2.07 stuff - sub vcrypto_op { -@@ -377,6 +385,15 @@ my $addex = sub { - }; - my $vmsumudm = sub { vfour_vsr(@_, 35); }; - -+# PowerISA 3.1 stuff -+my $brd = sub { -+ my ($f, $ra, $rs) = @_; -+ " .long ".sprintf "0x%X",(31<<26)|($rs<<21)|($ra<<16)|(187<<1); -+}; -+my $vsrq = sub { vcrypto_op(@_, 517); }; -+ -+ -+ - while($line=<>) { - - $line =~ s|[#!;].*$||; # get rid of asm-style comments... 
-diff --git a/crypto/ppccap.c b/crypto/ppccap.c -index 8bcfed2..664627c 100644 ---- a/crypto/ppccap.c -+++ b/crypto/ppccap.c -@@ -45,6 +45,7 @@ void OPENSSL_ppc64_probe(void); - void OPENSSL_altivec_probe(void); - void OPENSSL_crypto207_probe(void); - void OPENSSL_madd300_probe(void); -+void OPENSSL_brd31_probe(void); - - long OPENSSL_rdtsc_mftb(void); - long OPENSSL_rdtsc_mfspr268(void); -@@ -117,16 +118,21 @@ static unsigned long getauxval(unsigned long key) - #endif - - /* I wish was universally available */ --#define HWCAP 16 /* AT_HWCAP */ -+#ifndef AT_HWCAP -+# define AT_HWCAP 16 /* AT_HWCAP */ -+#endif - #define HWCAP_PPC64 (1U << 30) - #define HWCAP_ALTIVEC (1U << 28) - #define HWCAP_FPU (1U << 27) - #define HWCAP_POWER6_EXT (1U << 9) - #define HWCAP_VSX (1U << 7) - --#define HWCAP2 26 /* AT_HWCAP2 */ -+#ifndef AT_HWCAP2 -+# define AT_HWCAP2 26 /* AT_HWCAP2 */ -+#endif - #define HWCAP_VEC_CRYPTO (1U << 25) - #define HWCAP_ARCH_3_00 (1U << 23) -+#define HWCAP_ARCH_3_1 (1U << 18) - - # if defined(__GNUC__) && __GNUC__>=2 - __attribute__ ((constructor)) -@@ -187,6 +193,9 @@ void OPENSSL_cpuid_setup(void) - if (__power_set(0xffffffffU<<17)) /* POWER9 and later */ - OPENSSL_ppccap_P |= PPC_MADD300; - -+ if (__power_set(0xffffffffU<<18)) /* POWER10 and later */ -+ OPENSSL_ppccap_P |= PPC_BRD31; -+ - return; - # endif - #endif -@@ -215,8 +224,8 @@ void OPENSSL_cpuid_setup(void) - - #ifdef OSSL_IMPLEMENT_GETAUXVAL - { -- unsigned long hwcap = getauxval(HWCAP); -- unsigned long hwcap2 = getauxval(HWCAP2); -+ unsigned long hwcap = getauxval(AT_HWCAP); -+ unsigned long hwcap2 = getauxval(AT_HWCAP2); - - if (hwcap & HWCAP_FPU) { - OPENSSL_ppccap_P |= PPC_FPU; -@@ -242,6 +251,10 @@ void OPENSSL_cpuid_setup(void) - if (hwcap2 & HWCAP_ARCH_3_00) { - OPENSSL_ppccap_P |= PPC_MADD300; - } -+ -+ if (hwcap2 & HWCAP_ARCH_3_1) { -+ OPENSSL_ppccap_P |= PPC_BRD31; -+ } - } - #endif - -@@ -263,7 +276,7 @@ void OPENSSL_cpuid_setup(void) - sigaction(SIGILL, &ill_act, &ill_oact); - - 
#ifndef OSSL_IMPLEMENT_GETAUXVAL -- if (sigsetjmp(ill_jmp,1) == 0) { -+ if (sigsetjmp(ill_jmp, 1) == 0) { - OPENSSL_fpu_probe(); - OPENSSL_ppccap_P |= PPC_FPU; - -diff --git a/crypto/ppccpuid.pl b/crypto/ppccpuid.pl -index c6555df..706164a 100755 ---- a/crypto/ppccpuid.pl -+++ b/crypto/ppccpuid.pl -@@ -81,6 +81,17 @@ $code=<<___; - .long 0 - .byte 0,12,0x14,0,0,0,0,0 - -+.globl .OPENSSL_brd31_probe -+.align 4 -+.OPENSSL_brd31_probe: -+ xor r0,r0,r0 -+ brd r3,r0 -+ blr -+ .long 0 -+ .byte 0,12,0x14,0,0,0,0,0 -+.size .OPENSSL_brd31_probe,.-.OPENSSL_brd31_probe -+ -+ - .globl .OPENSSL_wipe_cpu - .align 4 - .OPENSSL_wipe_cpu: -diff --git a/include/crypto/ppc_arch.h b/include/crypto/ppc_arch.h -index 3b3ce4b..fcc846c 100644 ---- a/include/crypto/ppc_arch.h -+++ b/include/crypto/ppc_arch.h -@@ -24,5 +24,6 @@ extern unsigned int OPENSSL_ppccap_P; - # define PPC_MADD300 (1<<4) - # define PPC_MFTB (1<<5) - # define PPC_MFSPR268 (1<<6) -+# define PPC_BRD31 (1<<7) - - #endif diff --git a/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch b/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch index eeafbfa..726d320 100644 --- a/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch +++ b/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch @@ -29,11 +29,11 @@ Signed-off-by: Clemens Lang --- crypto/rsa/rsa_local.h | 8 ++ crypto/rsa/rsa_oaep.c | 34 ++++++-- - include/openssl/core_names.h | 3 + providers/fips/self_test_data.inc | 83 +++++++++++-------- providers/fips/self_test_kats.c | 7 ++ - .../implementations/asymciphers/rsa_enc.c | 41 ++++++++- - 6 files changed, 133 insertions(+), 43 deletions(-) + .../implementations/asymciphers/rsa_enc.c | 41 +++++++++- + util/perl/OpenSSL/paramnames.pm | 1 + + 6 files changed, 126 insertions(+), 44 deletions(-) diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h index ea70da05ad..dde57a1a0e 100644 
@@ -118,20 +118,6 @@ index d9be1a4f98..b2f7f7dc4b 100644 int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, const unsigned char *from, int flen, const unsigned char *param, int plen, -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 59a6e79566..11216fb8f8 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -469,6 +469,9 @@ extern "C" { - #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" - #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" - #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" -+#ifdef FIPS_MODULE -+#define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" -+#endif - - /* - * Encoder / decoder parameters diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc index 4e30ec56dd..0103c87528 100644 --- a/providers/fips/self_test_data.inc @@ -291,11 +277,11 @@ index 00cf65fcd6..83be3d8ede 100644 +#ifdef FIPS_MODULE + char *redhat_st_oaep_seed; +#endif /* FIPS_MODULE */ + /* PKCS#1 v1.5 decryption mode */ + unsigned int implicit_rejection; } PROV_RSA_CTX; - - static void *rsa_newctx(void *provctx) @@ -190,12 +196,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, - return 0; + } } ret = - ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf, @@ -335,9 +321,9 @@ index 00cf65fcd6..83be3d8ede 100644 +#ifdef FIPS_MODULE + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), +#endif /* FIPS_MODULE */ + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), OSSL_PARAM_END }; - @@ -454,6 +475,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, return known_gettable_ctx_params; } 
@@ -368,6 +354,18 @@ index 00cf65fcd6..83be3d8ede 100644 p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION); if (p != NULL) { unsigned int client_version; +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index c37ed7815f..70f7c50fe4 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -401,6 +401,7 @@ my %params = ( + 'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version", + 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version", + 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", ++ 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed", + + # Encoder / decoder parameters + -- 2.37.1 diff --git a/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch b/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch index 0b6a9fb..7751f05 100644 --- a/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +++ b/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch 
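Review bot: The added `paramnames.pm` entry carries over the misspelled key `ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED` (OEAP for OAEP) and, unlike the `core_names.h` define it replaces, is not limited to `FIPS_MODULE` builds. The uses visible in the `rsa_enc.c` hunks are still under `#ifdef FIPS_MODULE`, so behaviour is presumably unchanged, but the name is now emitted for every build. A fixed seed makes OAEP deterministic, which is acceptable only for known-answer tests, so I would add a comment above the entry such as `# Red Hat downstream: fixed OAEP seed, FIPS self-test KATs only; not a supported parameter`. Renaming the key would have to be done together with its users in `rsa_enc.c` and `self_test_kats.c`, so it is better left to a separate change.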
@@ -1,32 +1,25 @@ -From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Fri, 15 Jul 2022 17:45:40 +0200 -Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test +From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:16 +0100 +Subject: [PATCH 28/49] + 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch -In review for FIPS 140-3, the lack of a self-test for the digest_sign -and digest_verify provider functions was highlighted as a problem. NIST -no longer provides ACVP tests for the RSA SigVer primitive (see -https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3 -recommends the use of functions that compute the digest and signature -within the module, we have been advised in our module review that the -self tests should also use the combined digest and signature APIs, i.e. -the digest_sign and digest_verify provider functions. - -Modify the signature self-test to use these instead by switching to -EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to -crypto/evp/m_sigver.c to make these functions usable in the FIPS module. - -Signed-off-by: Clemens Lang +Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +Patch-id: 74 +Patch-status: | + # [PATCH 29/46] + # 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------ - providers/fips/self_test_kats.c | 37 +++++++++++++++------------- - 2 files changed, 56 insertions(+), 24 deletions(-) + crypto/evp/m_sigver.c | 54 ++++++++++++++++++++++++++++----- + providers/fips/self_test_kats.c | 43 +++++++++++++++----------- + 2 files changed, 73 insertions(+), 24 deletions(-) diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c -index db1a1d7bc3..c94c3c53bd 100644 +index fd3a4b79df..3e9f33c26c 100644 
--- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c -@@ -88,6 +88,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) +@@ -90,6 +90,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED); return 0; } @@ -34,7 +27,7 @@ index db1a1d7bc3..c94c3c53bd 100644 /* * If we get the "NULL" md then the name comes back as "UNDEF". We want to use -@@ -130,8 +131,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -125,8 +126,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, reinit = 0; if (e == NULL) ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props); @@ -45,7 +38,7 @@ index db1a1d7bc3..c94c3c53bd 100644 } if (ctx->pctx == NULL) return 0; -@@ -139,8 +142,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -136,8 +139,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, locpctx = ctx->pctx; ERR_set_mark(); @@ -56,7 +49,7 @@ index db1a1d7bc3..c94c3c53bd 100644 /* do not reinitialize if pkey is set or operation is different */ if (reinit -@@ -225,8 +230,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -222,8 +227,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, signature = evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, supported_sig, locpctx->propquery); @@ -67,7 +60,7 @@ index db1a1d7bc3..c94c3c53bd 100644 break; } if (signature == NULL) -@@ -310,6 +317,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -307,6 +314,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props); if (ctx->fetched_digest != NULL) { ctx->digest = ctx->reqdigest = ctx->fetched_digest; 
@@ -75,7 +68,7 @@ index db1a1d7bc3..c94c3c53bd 100644 } else { /* legacy engine support : remove the mark when this is deleted */ ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname); -@@ -318,11 +326,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -315,11 +323,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); goto err; } @@ -89,7 +82,7 @@ index db1a1d7bc3..c94c3c53bd 100644 if (ctx->reqdigest != NULL && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) -@@ -334,6 +344,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -331,6 +341,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, goto err; } } @@ -97,7 +90,7 @@ index db1a1d7bc3..c94c3c53bd 100644 if (ver) { if (signature->digest_verify_init == NULL) { -@@ -366,6 +377,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -363,6 +374,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, EVP_KEYMGMT_free(tmp_keymgmt); return 0; @@ -105,7 +98,7 @@ index db1a1d7bc3..c94c3c53bd 100644 legacy: /* * If we don't have the full support we need with provided methods, -@@ -437,6 +449,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -434,6 +446,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, ctx->pctx->flag_call_digest_custom = 1; ret = 1; @@ -113,7 +106,7 @@ index db1a1d7bc3..c94c3c53bd 100644 end: #ifndef FIPS_MODULE -@@ -479,7 +492,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -476,7 +489,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1, NULL); } 
@@ -121,7 +114,7 @@ index db1a1d7bc3..c94c3c53bd 100644 int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) { -@@ -541,23 +553,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) +@@ -548,24 +560,31 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) return EVP_DigestUpdate(ctx, data, dsize); } @@ -130,13 +123,19 @@ index db1a1d7bc3..c94c3c53bd 100644 size_t *siglen) { - int sctx = 0, r = 0; -- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx; +- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; + int r = 0; +#ifndef FIPS_MODULE + int sctx = 0; -+ EVP_PKEY_CTX *dctx; ++ EVP_PKEY_CTX *dctx = NULL; +#endif /* !defined(FIPS_MODULE) */ + EVP_PKEY_CTX *pctx = ctx->pctx; ++ + + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); + return 0; + } +#ifndef FIPS_MODULE if (pctx == NULL 
@@ -146,26 +145,26 @@ index db1a1d7bc3..c94c3c53bd 100644 goto legacy; +#endif /* !defined(FIPS_MODULE) */ - if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) - return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, - sigret, siglen, - sigret == NULL ? 0 : *siglen); +#ifndef FIPS_MODULE - dctx = EVP_PKEY_CTX_dup(pctx); - if (dctx == NULL) - return 0; -@@ -566,8 +584,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, - sigret, siglen, - *siglen); - EVP_PKEY_CTX_free(dctx); -+#endif /* defined(FIPS_MODULE) */ + if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { + /* try dup */ + dctx = EVP_PKEY_CTX_dup(pctx); +@@ -580,7 +599,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, + else + EVP_PKEY_CTX_free(dctx); return r; ++#else ++ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, ++ sigret, siglen, ++ sigret == NULL ? 0 : *siglen); ++ return r; ++#endif /* !defined(FIPS_MODULE) */ +#ifndef FIPS_MODULE legacy: if (pctx == NULL || pctx->pmeth == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -@@ -639,6 +659,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, +@@ -653,6 +679,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, } } return 1; @@ -173,7 +172,7 @@ index db1a1d7bc3..c94c3c53bd 100644 } int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, -@@ -669,21 +690,27 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, +@@ -691,23 +718,30 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen) { 
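Review bot: In FIPS builds the new `#else` branch of `EVP_DigestSignFinal` calls `pctx->op.sig.signature->digest_sign_final(...)` with no validity check, because the `pctx == NULL ...` guard shown in the preceding hunk sits inside `#ifndef FIPS_MODULE` and ends in `goto legacy`. A context that was never initialised for signing would be dereferenced inside the module instead of failing cleanly. I would open the branch with `if (pctx == NULL || pctx->op.sig.signature == NULL || pctx->op.sig.algctx == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); return 0; }`. The `#else` branch added to `EVP_DigestVerifyFinal` in the later hunk has the same shape and needs the same guard. Both function bodies extend beyond these hunks, so this is inferred from the visible lines only.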
@@ -183,10 +182,16 @@ index db1a1d7bc3..c94c3c53bd 100644 + unsigned char md[EVP_MAX_MD_SIZE]; unsigned int mdlen = 0; int vctx = 0; -- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx; -+ EVP_PKEY_CTX *dctx; +- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; ++ EVP_PKEY_CTX *dctx = NULL; +#endif /* !defined(FIPS_MODULE) */ + EVP_PKEY_CTX *pctx = ctx->pctx; ++ + + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); + return 0; + } +#ifndef FIPS_MODULE if (pctx == NULL @@ -196,25 +201,25 @@ index db1a1d7bc3..c94c3c53bd 100644 goto legacy; +#endif /* !defined(FIPS_MODULE) */ - if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) - return pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, - sig, siglen); +#ifndef FIPS_MODULE - dctx = EVP_PKEY_CTX_dup(pctx); - if (dctx == NULL) - return 0; -@@ -691,8 +718,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, - r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx, - sig, siglen); - EVP_PKEY_CTX_free(dctx); -+#endif /* !defined(FIPS_MODULE) */ + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { + /* try dup */ + dctx = EVP_PKEY_CTX_dup(pctx); +@@ -721,7 +755,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, + else + EVP_PKEY_CTX_free(dctx); return r; ++#else ++ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, ++ sig, siglen); ++ return r; ++#endif /* !defined(FIPS_MODULE) */ +#ifndef FIPS_MODULE legacy: if (pctx == NULL || pctx->pmeth == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -@@ -732,6 +761,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, +@@ -762,6 +802,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, if (vctx || !r) return r; return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen); 
@@ -222,16 +227,16 @@ index db1a1d7bc3..c94c3c53bd 100644 } int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, -@@ -757,4 +787,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, +@@ -794,4 +835,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, return -1; return EVP_DigestVerifyFinal(ctx, sigret, siglen); } -#endif /* FIPS_MODULE */ diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c -index b6d5e8e134..77eec075e6 100644 +index 4ea10670c0..5eb27c8ed2 100644 --- a/providers/fips/self_test_kats.c +++ b/providers/fips/self_test_kats.c -@@ -444,11 +444,14 @@ static int self_test_sign(const ST_KAT_SIGN *t, +@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_SIGN *t, int ret = 0; OSSL_PARAM *params = NULL, *params_sig = NULL; OSSL_PARAM_BLD *bld = NULL; @@ -241,13 +246,12 @@ index b6d5e8e134..77eec075e6 100644 EVP_PKEY *pkey = NULL; - unsigned char sig[256]; BN_CTX *bnctx = NULL; - BIGNUM *K = NULL; + const char *msg = "Hello World!"; + unsigned char sig[256]; size_t siglen = sizeof(sig); static const unsigned char dgst[] = { 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, -@@ -488,23 +491,26 @@ static int self_test_sign(const ST_KAT_SIGN *t, +@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_SIGN *t, || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) goto err; @@ -288,7 +292,7 @@ index b6d5e8e134..77eec075e6 100644 || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) goto err; -@@ -509,14 +510,17 @@ static int self_test_sign(const ST_KAT_SIGN *t, +@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_SIGN *t, goto err; OSSL_SELF_TEST_oncorrupt_byte(st, sig); @@ -309,5 +313,5 @@ index b6d5e8e134..77eec075e6 100644 OSSL_PARAM_free(params_sig); OSSL_PARAM_BLD_free(bld); -- -2.37.1 +2.44.0 diff --git a/0076-FIPS-140-3-DRBG.patch b/0076-FIPS-140-3-DRBG.patch index 4a276f7..cb2b504 100644 --- a/0076-FIPS-140-3-DRBG.patch 
+++ b/0076-FIPS-140-3-DRBG.patch 
@@ -1,3 +1,79 @@ +diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c +--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200 ++++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200 +@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused + size_t entropy_available; + RAND_POOL *pool; + +- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); ++ /* ++ * OpenSSL still implements an internal entropy pool of ++ * some size that is hashed to get seed data. ++ * Note that this is a conditioning step for which SP800-90C requires ++ * 64 additional bits from the entropy source to claim the requested ++ * amount of entropy. ++ */ ++ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len); + if (pool == NULL) { + ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB); + return 0; +diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c +--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200 ++++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200 +@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG + * to the nearest byte. If the entropy is of less than full quality, + * the amount required should be scaled up appropriately here. 
+ */ +- bytes_needed = (entropy + 7) / 8; ++ /* ++ * FIPS 140-3: the yet draft SP800-90C requires requested entropy ++ * + 128 bits during initial seeding ++ */ ++ bytes_needed = (entropy + 128 + 7) / 8; + if (bytes_needed < min_len) + bytes_needed = min_len; + if (bytes_needed > max_len) +diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c +--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200 ++++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200 +@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb + #endif + } + ++#ifdef FIPS_MODULE ++ prediction_resistance = 1; ++#endif + /* Reseed using our sources in addition */ + entropylen = get_entropy(drbg, &entropy, drbg->strength, + drbg->min_entropylen, drbg->max_entropylen, +@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d + reseed_required = 1; + } + if (drbg->parent != NULL +- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) ++ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { ++#ifdef FIPS_MODULE ++ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/ ++ drbg->parent_reseed_counter = get_parent_reseed_count(drbg); ++#else + reseed_required = 1; ++#endif ++ } + + if (reseed_required || prediction_resistance) { + if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL, +diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h +--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100 ++++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100 +@@ -38,7 +38,7 @@ + * + * The value is in bytes. 
+ */ +-#define CRNGT_BUFSIZ 16 ++#define CRNGT_BUFSIZ 32 + + /* + * Maximum input size for the DRBG (entropy, nonce, personalization string) diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c --- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200 +++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200 @@ -9,8 +85,8 @@ diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsr +# include static uint64_t get_time_stamp(void); - static uint64_t get_timer_bits(void); -@@ -342,66 +342,8 @@ static ssize_t syscall_random(void *buf, + +@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen) * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion * between size_t and ssize_t is safe even without a range check. */ 
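Review bot: The FIPS branch added to `ossl_prov_drbg_generate` turns off the "parent reseeded, so reseed the child" safeguard, and its comment (`Red Hat patches provide chain reseeding when necessary so just sync counters*/`) does not say which change provides the replacement. Since this weakens reseed propagation, the comment should name the mechanism; if it is the forced `prediction_resistance = 1` in `ossl_prov_drbg_reseed` from this same patch, say so explicitly. The branch also calls `get_parent_reseed_count(drbg)` twice, once in the condition and once in the assignment. Reading it once into a local and storing that (`drbg->parent_reseed_counter = parent_cnt;`) keeps the stored value equal to the one that was compared. The comment is also missing a space before `*/`, and the function body continues outside the hunk.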
@@ -70,49 +146,40 @@ diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsr -# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \ - || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) - return getrandom(buf, buflen, 0); +-# elif defined(__wasi__) +- if (getentropy(buf, buflen) == 0) +- return (ssize_t)buflen; +- return -1; -# else - errno = ENOSYS; - return -1; -# endif -+ /* Red Hat uses downstream patch to always seed from getrandom() */ -+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0); ++ int realbuflen = buflen > 32 ? 32 : buflen; /* Red Hat uses downstream patch to always seed from getrandom() */ ++ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, realbuflen, GRND_RANDOM) : getrandom(buf, buflen, 0); } # endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */ -diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c ---- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200 -+++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200 -@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb - #endif +diff -up openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx openssl-3.2.1/providers/implementations/rands/seed_src.c +--- openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx 2024-04-10 13:14:38.984033920 +0200 ++++ openssl-3.2.1/providers/implementations/rands/seed_src.c 2024-04-10 13:15:20.565045748 +0200 +@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed + return 0; } -+#ifdef FIPS_MODULE -+ prediction_resistance = 1; -+#endif - /* Reseed using our sources in addition */ - entropylen = get_entropy(drbg, &entropy, drbg->strength, - drbg->min_entropylen, drbg->max_entropylen, -@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d - reseed_required = 
1; - } - if (drbg->parent != NULL -- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) -+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { -+#ifdef FIPS_MODULE -+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/ -+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg); -+#else - reseed_required = 1; -+#endif -+ } - - if (reseed_required || prediction_resistance) { - if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0, -diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c ---- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200 -+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200 -@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused - size_t entropy_available; +- pool = ossl_rand_pool_new(strength, 1, outlen, outlen); ++ /* ++ * OpenSSL still implements an internal entropy pool of ++ * some size that is hashed to get seed data. ++ * Note that this is a conditioning step for which SP800-90C requires ++ * 64 additional bits from the entropy source to claim the requested ++ * amount of entropy. ++ */ ++ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen); + if (pool == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); + return 0; +@@ -189,7 +189,14 @@ static size_t seed_get_seed(void *vseed, + size_t i; RAND_POOL *pool; - pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); 
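Review bot: `int realbuflen = buflen > 32 ? 32 : buflen;` narrows a `size_t` to `int` and silently caps the FIPS-mode `getrandom()` request at 32 bytes, so `syscall_random()` now returns a short count whenever more is requested. That is only safe if the caller, which is outside this hunk, loops on partial reads and treats a short return as progress rather than failure. I would write `size_t realbuflen = buflen > 32 ? 32 : buflen;` and move the trailing remark onto its own line above it as `/* FIPS: request at most 32 bytes per GRND_RANDOM call; callers must handle short reads */`. If the 32 is meant to match `CRNGT_BUFSIZ` (raised to 32 elsewhere in this patch), that should be stated or the constant shared. The non-FIPS arm still passes the full `buflen`, so the two arms of the conditional differ in more than the flag.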
@@ -125,33 +192,26 @@ diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/ran + */ + pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len); if (pool == NULL) { - ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE); + ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); return 0; -diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c ---- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200 -+++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200 -@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG - * to the nearest byte. If the entropy is of less than full quality, - * the amount required should be scaled up appropriately here. - */ -- bytes_needed = (entropy + 7) / 8; -+ /* -+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy -+ * + 128 bits during initial seeding -+ */ -+ bytes_needed = (entropy + 128 + 7) / 8; - if (bytes_needed < min_len) - bytes_needed = min_len; - if (bytes_needed > max_len) -diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h ---- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100 -+++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100 -@@ -38,7 +38,7 @@ - * - * The value is in bytes. 
- */ --#define CRNGT_BUFSIZ 16 -+#define CRNGT_BUFSIZ 32 +diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c +index 14999540ab..b05b84717b 100644 +--- a/crypto/rand/rand_lib.c ++++ b/crypto/rand/rand_lib.c +@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx) + return ret; + } - /* - * Maximum input size for the DRBG (entropy, nonce, personalization string) +-#ifndef FIPS_MODULE +- if (dgbl->seed == NULL) { +- ERR_set_mark(); +- dgbl->seed = rand_new_seed(ctx); +- ERR_pop_to_mark(); +- } +-#endif +- +- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed, ++ ret = dgbl->primary = rand_new_drbg(ctx, NULL, + PRIMARY_RESEED_INTERVAL, + PRIMARY_RESEED_TIME_INTERVAL, 1); + /* diff --git a/0077-FIPS-140-3-zeroization.patch b/0077-FIPS-140-3-zeroization.patch index f6a50a5..f6ff517 100644 --- a/0077-FIPS-140-3-zeroization.patch +++ b/0077-FIPS-140-3-zeroization.patch @@ -20,8 +20,8 @@ diff -up openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero openssl-3.0.1/crypto/rsa/rs --- openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero 2022-08-05 13:08:31.875848536 +0200 +++ openssl-3.0.1/crypto/rsa/rsa_lib.c 2022-08-05 13:09:35.438416025 +0200 @@ -155,8 +155,8 @@ void RSA_free(RSA *r) - CRYPTO_THREAD_lock_free(r->lock); + CRYPTO_FREE_REF(&r->references); - BN_free(r->n); - BN_free(r->e); diff --git a/0078-KDF-Add-FIPS-indicators.patch b/0078-KDF-Add-FIPS-indicators.patch index 40e390a..93ee1e0 100644 --- a/0078-KDF-Add-FIPS-indicators.patch +++ b/0078-KDF-Add-FIPS-indicators.patch 
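Review bot: Passing `NULL` as the parent in the added `rand_new_drbg(ctx, NULL,` call drops `dgbl->seed` for every build, not only the FIPS module, and nothing in the new rand_lib.c section says why. The deleted `#ifndef FIPS_MODULE` block was the only visible place that created `dgbl->seed`, so a seed source configured on the library context would presumably be ignored silently from here on; that needs checking against the rest of rand_lib.c, which is not in the hunk. Once confirmed, I would add a comment above the call such as `/* Red Hat: primary DRBG deliberately has no SEED-SRC parent; dgbl->seed is unused */`. RAND_get0_primary's body starts and ends outside the hunk.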
@@ -42,15 +42,15 @@ Resolves: rhbz#2160733 rhbz#2164763 Related: rhbz#2114772 rhbz#2141695 --- include/crypto/evp.h | 7 ++ - include/openssl/core_names.h | 1 + include/openssl/kdf.h | 4 + providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++- providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++-- providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++- providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- - providers/implementations/kdfs/x942kdf.c | 67 ++++++++++++++- - 9 files changed, 488 insertions(+), 22 deletions(-) + providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++- + util/perl/OpenSSL/paramnames.pm | 1 + + 9 files changed, 487 insertions(+), 22 deletions(-) diff --git a/include/crypto/evp.h b/include/crypto/evp.h index e70d8e9e84..76fb990de4 100644 @@ -70,18 +70,6 @@ index e70d8e9e84..76fb990de4 100644 struct evp_kdf_st { OSSL_PROVIDER *prov; int name_id; -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 6bed5a8a67..680bfbc7cc 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -223,6 +223,7 @@ extern "C" { - #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo" - #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo" - #define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits" -+#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" - - /* Known KDF names */ - #define OSSL_KDF_NAME_HKDF "HKDF" diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h index 0983230a48..86171635ea 100644 --- a/include/openssl/kdf.h @@ -111,7 +99,7 @@ index dfa7786bde..f01e40ff5a 100644 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; @@ -85,6 +86,10 @@ typedef struct { size_t data_len; - unsigned char info[HKDF_MAXBUF]; + unsigned char *info; size_t info_len; + int is_tls13; +#ifdef FIPS_MODULE 
@@ -145,10 +133,8 @@ index dfa7786bde..f01e40ff5a 100644 + any_valid = 1; + + if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz)) - return 0; -- return OSSL_PARAM_set_size_t(p, sz); - } -- return -2; ++ return 0; ++ } + +#ifdef FIPS_MODULE + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) @@ -203,8 +189,10 @@ index dfa7786bde..f01e40ff5a 100644 + } + } + if (!OSSL_PARAM_set_int(p, fips_indicator)) -+ return 0; -+ } + return 0; +- return OSSL_PARAM_set_size_t(p, sz); + } +- return -2; +#endif /* defined(FIPS_MODULE) */ + + if (!any_valid) @@ -260,9 +248,9 @@ index dfa7786bde..f01e40ff5a 100644 const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { - { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, + { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, - { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_3_derive }, diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c index a542f84dfa..6b6dfb94ac 100644 --- a/providers/implementations/kdfs/kbkdf.c @@ -277,9 +265,9 @@ index a542f84dfa..6b6dfb94ac 100644 /* Names are lowercased versions of those found in SP800-108. */ int r; unsigned char *ki; -@@ -70,6 +73,9 @@ typedef struct { - size_t iv_len; +@@ -73,6 +76,9 @@ typedef struct { int use_l; + int is_kmac; int use_separator; +#ifdef FIPS_MODULE + int fips_indicator; @@ -296,7 +284,7 @@ index a542f84dfa..6b6dfb94ac 100644 OPENSSL_clear_free(ctx->label, ctx->label_len); OPENSSL_clear_free(ctx->ki, ctx->ki_len); @@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, - return 0; + goto done; } +#ifdef FIPS_MODULE @@ -308,7 +296,7 @@ index a542f84dfa..6b6dfb94ac 100644 if (h == 0) goto done; 
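Review bot: The rebased context in the `ossl_kdf_tls1_3_kdf_functions` hunk now lists `kdf_hkdf_dup` under `OSSL_FUNC_KDF_DUPCTX`, but no visible hkdf.c hunk touches that function and the diffstat for hkdf.c is unchanged at 100 lines, so a duplicated context may not carry the `is_tls13` and `fips_indicator` fields this patch adds to the struct. If the dup function builds its copy through `kdf_hkdf_new` (not shown here), a duplicated TLS 1.3 KDF context would have its FIPS indicator evaluated as if it were plain HKDF. I would copy both fields in the dup function, e.g. `dest->is_tls13 = src->is_tls13;` plus the `fips_indicator` copy under `#ifdef FIPS_MODULE` (local names assumed). The same question applies to `sskdf_dup` and `is_x963kdf` in the sskdf.c hunks further down.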
@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - return 0; + } } + if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) @@ -512,10 +500,10 @@ diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/ index eb54972e1c..23865cd70f 100644 --- a/providers/implementations/kdfs/sskdf.c +++ b/providers/implementations/kdfs/sskdf.c -@@ -62,6 +62,10 @@ typedef struct { - unsigned char *salt; +@@ -64,6 +64,10 @@ typedef struct { size_t salt_len; size_t out_len; /* optional KMAC parameter */ + int is_kmac; + int is_x963kdf; +#ifdef FIPS_MODULE + int fips_indicator; @@ -528,9 +516,9 @@ index eb54972e1c..23865cd70f 100644 static OSSL_FUNC_kdf_newctx_fn sskdf_new; +static OSSL_FUNC_kdf_newctx_fn x963kdf_new; + static OSSL_FUNC_kdf_dupctx_fn sskdf_dup; static OSSL_FUNC_kdf_freectx_fn sskdf_free; static OSSL_FUNC_kdf_reset_fn sskdf_reset; - static OSSL_FUNC_kdf_derive_fn sskdf_derive; @@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx) return ctx; } @@ -666,9 +654,9 @@ index eb54972e1c..23865cd70f 100644 const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { - { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new }, + { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, - { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive }, diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c index a4d64b9352..f6782a6ca2 100644 --- a/providers/implementations/kdfs/tls1_prf.c @@ -704,8 +692,8 @@ index a4d64b9352..f6782a6ca2 100644 + ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; +#endif /* defined(FIPS_MODULE) */ - return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, - ctx->sec, ctx->seclen, + /* + * The seed buffer is prepended with a label. 
@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } } @@ -794,7 +782,7 @@ diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementation index b1bc6f7e1b..8173fc2cc7 100644 --- a/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c -@@ -13,10 +13,13 @@ +@@ -13,11 +13,13 @@ #include #include #include @@ -803,7 +791,7 @@ index b1bc6f7e1b..8173fc2cc7 100644 #include #include "internal/packet.h" #include "internal/der.h" -+#include "internal/nelem.h" + #include "internal/nelem.h" +#include "crypto/evp.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" @@ -901,6 +889,18 @@ index b1bc6f7e1b..8173fc2cc7 100644 OSSL_PARAM_END }; return known_gettable_ctx_params; +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index 70f7c50fe4..6618122417 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -183,6 +183,7 @@ my %params = ( + 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo", + 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo", + 'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits", ++ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", + 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy", + 'KDF_PARAM_HMACDRBG_NONCE' => "nonce", + 'KDF_PARAM_THREADS' => "threads", # uint32_t -- 2.39.2 diff --git a/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch b/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch index a5633d3..5903857 100644 --- a/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch +++ b/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch @@ -22,18 +22,18 @@ algorithms in the default provider. 
Signed-off-by: Clemens Lang --- - providers/implementations/rands/drbg_hash.c | 12 + - providers/implementations/rands/drbg_hmac.c | 12 + - test/recipes/30-test_evp_data/evprand.txt | 384 ++++++++++++++++++++ - 3 files changed, 408 insertions(+) + providers/implementations/rands/drbg_hash.c | 12 ++ + providers/implementations/rands/drbg_hmac.c | 12 ++ + test/recipes/30-test_evp_data/evprand.txt | 129 ++++++++++++++++++++ + 3 files changed, 153 insertions(+) diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c index 12faa993d0..5f9602cf84 100644 --- a/providers/implementations/rands/drbg_hash.c +++ b/providers/implementations/rands/drbg_hash.c @@ -471,6 +471,18 @@ static int drbg_hash_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - return 0; - } + if (!ossl_drbg_verify_digest(libctx, md)) + return 0; /* Error already raised for us */ +#ifdef FIPS_MODULE + if (!EVP_MD_is_a(md, SN_sha1) @@ -54,9 +54,9 @@ diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementat index ffeb70f8c3..79ed96a15a 100644 --- a/providers/implementations/rands/drbg_hmac.c +++ b/providers/implementations/rands/drbg_hmac.c -@@ -372,6 +372,18 @@ static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - return 0; - } +@@ -367,6 +367,18 @@ static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + if (md != NULL && !ossl_drbg_verify_digest(libctx, md)) + return 0; /* Error already raised for us */ +#ifdef FIPS_MODULE + if (!EVP_MD_is_a(md, SN_sha1) @@ -77,3077 +77,1037 @@ diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_ev index 8cb70247a0..8a0a2dea15 100644 --- a/test/recipes/30-test_evp_data/evprand.txt 
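Review bot: In the drbg_hmac.c hunk the rebased context line `if (md != NULL && !ossl_drbg_verify_digest(libctx, md))` shows that `md` may be NULL at this point, yet the patch's FIPS check right after it still begins `if (!EVP_MD_is_a(md, SN_sha1)` with no NULL guard. Depending on how `EVP_MD_is_a` treats a NULL digest, a `drbg_hmac_set_ctx_params` call that sets no digest in the FIPS module would either dereference NULL or be rejected as a disallowed digest. I would guard the block as `if (md != NULL && !EVP_MD_is_a(md, SN_sha1)`, leaving the remaining conditions as they are. The rest of the condition and the function body lie outside this hunk.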
+++ b/test/recipes/30-test_evp_data/evprand.txt -@@ -7483,6 +7483,7 @@ AdditionalInputA.14 = fc54b5339b37eb6889cfd7c185070bd0 - AdditionalInputB.14 = f6a783d6d42e5ad5abb0a996bddfa04c - Output.14 = 683faa732c4551604c8865b5f777571c7d3cf1a60124c59b91283da0cda9b21761d1c17c81856958c6d590436c73594bb36f46c2f89237d8c7a7ddd2c58394c983f8f6c000d77566f2a1d89bac054bdb +@@ -7388,6 +7388,7 @@ Nonce.14 = 7239f92b63fb3dbe + PersonalisationString.14 = 8d2e2ca3985bd2538a71f02cc3eb5568 + Output.14 = 0e4cb328c03faaedbec7215725851069bceae4332de6a70e3521dd065f2f7923485969571ebd7f24be460fd901c6b3e356da6ee5262ef2d76ad14eb0f697f8fb92af2f46630198c5f7018860886147b3 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-1 PredictionResistance = 0 -@@ -7533,6 +7534,7 @@ Entropy.14 = 08a325accfe119fa807a95e8cc2cd8ff041ccad8e2c4cf49 - Nonce.14 = c85baec1c2d1f3f189eecad5 - Output.14 = 2567712d6fd3b52364b508bb2e4ae18e34b155dbe99fef9acbe21346715d36c538dc380a5e5900e0ebde76c779006fabe2b3f171fa63fa0f5ba264748278549c9beb26db701c8fab7adfdf48eb63e48ca6f3be8f17131c5e9145f5dadb00fe666a651d2b1b9e785fd444b05d4efa8ccc +@@ -8659,6 +8660,7 @@ AdditionalInputA.14 = e5c633ca50dcd83e0a34d397df53f6d7a6f7170a3f81f0e6 + AdditionalInputB.14 = 5f0beb5a2d2968e83ba87c92bfa420fd6e8526fbbfdea128 + Output.14 = 8bec11df1022aa50d95daeaf23d78d6ee45c43c5768b90181e106c7df8ff333d7cb87ca1ab83f8742370db1c8c0c0c22f141ff4de33ae8bdb14fee7e6c069819320629c66d94c7c97ff52930a3c1dcd501b60f0f84bda4720ee187ae858a6e068326eda5809716e366d1b608c61b0100 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -7613,6 +7615,7 @@ AdditionalInputA.14 = ae701404440c584e27266a12318c1793b6a112d96e6a6749 - AdditionalInputB.14 = 53861747c9627e9244679d58e2dc8cfd8a72d1bab611dfd1 - Output.14 = 
665481033912ca7d87caa56af2612338768b044953b02b9a50e0244bb805ca007648f71ccf923030e56baa13a88111fe211091a54744aa5d82abe97775878059dedc6272e7c7a5392d1fb443b770ee7f5dd05a3f2bba4cab1cf473d02648d4f8acce91ef167e3ac00c1c9324ca074486 +@@ -8709,6 +8711,7 @@ Entropy.14 = 1194beb668839c47c73e7516f9ba09d23dec3553b3b5532f75b260106dcc2abf + Nonce.14 = 3c8a77351e93065d584feeb08c8424a9 + Output.14 = fabd48bfcdd07968239fe538c2d8c9bde2e257b9b244078f39287c7ee90de167fff56a693c4e64f45081635511b5fd031c0270a31b4a014e44c0516a55ae72345aa11dffcda4ccf8cda50f6948d5ae425d8d53ad5c74cef1364277990156796e1c5dfa1ef095c0d8983477eb24241135760b02c86c86d4ec3627edac8c1a7e32 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -7678,6 +7681,7 @@ Nonce.14 = e41f19a969494a2293ad0542 - PersonalisationString.14 = f67bda6553b5e4b89e309cb48a336b78460aff498846c2e9 - Output.14 = 44d544ac910b7668ba9c5524e388957520fdbf11383808a5a8008d119aff7e1e2bbe63b4cbff19455f20f3dc79ab0a83dcf0e403728f2a2b2a9f3b98930d9f285641da3b6b9a9467b2701ce1ecac82bad8214bb618c40999f5023dc2d97dc1a53a0296d44f6fc9d49db00959c89e9f5e +@@ -8789,6 +8792,7 @@ AdditionalInputA.14 = 626385595bef7103af0af700e1df048d7572286af709289b7894d2ab09 + AdditionalInputB.14 = bfe8946dbf27d3a2127ec600351c3920d2531eb9419408233e0a888059b5eb68 + Output.14 = ee6d07661828213e6453d94faaf76345c70949eca4965714c350313b0bcd8e079e6a07f8b2f7a91bcb7ef39a61568fd1c40ab78f154b3582f830095d571de29f81f9565e46b560d34c32bff55341a991f8e863bd9242c7cdd366be12538bb6922f1abfa19e7998aac61d465fc46538ee9142acc66786f4516ef4105fe1d80372 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -7773,6 +7777,7 @@ AdditionalInputA.14 = 6a7418d4ffc40e11859f33189d5a8327042ec268b004ade8 - AdditionalInputB.14 = 97beb8c47434a23efe536287d776edda7ed7cae84c0c7e35 - Output.14 = 
1fe94acb5f5cb7e4a8edf5be61673bdc066288538dbd0ac29ce2d43f7b890028e48131e6b3a7cfbb42772b63f2fac8c0472418653ee2ebcdfa5ec08683e7d4a9cb2c67cf7e22c2ddc779c6d9971b29347e6688113294c902a5d62c1fc35595e091cb10e5a895d7c3697056659ae457d1 +@@ -8854,6 +8858,7 @@ Nonce.14 = de2186bafa82b0d08a0b8215e3424512 + PersonalisationString.14 = d96db27febe22db935b117dc3068374e39c5b2119b497e3c1d858ef649e01de5 + Output.14 = d04435a8aab397cfcee5151f7aa24298ffc6eee4f577cda42d5e154b8d28cb2f0f945f11a15ed5b76486c88f03081cfd262d94a8e0b332e3c9c608461dcc8eba20d7db209810d25c226fda9fe218022a9b2c96876cb16c06c0553dd84ce57e20338c3d3e03c59ce22e668e25c2c50d5cc9afab91f50a28680964c2dacb9d2fb3 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -7823,6 +7828,7 @@ Entropy.14 = a71c303bf17e128c8e0aa07fb61ccc1f40fdb487a955fd95 - Nonce.14 = d3ca16fb12ae4709d411e5c5 - Output.14 = 61a51fe1eca4cf947bbf2a77d643e7963ca2c587e0eacc8f7fab3b3f0e166197a4d15184cec4f0858de2773d8becb339bbb18ab2c10c8b246ca66dce48e2a0938fe1ab122b4930d603b937491ddd3d10abac731957f2e1e030eef33f7f311ed782b06697914145e266d0b967914d638a +@@ -8949,6 +8954,7 @@ AdditionalInputA.14 = 5d9446eff72d59529a90b498d8f40983b3b2904f63664fc0aa1de8700d + AdditionalInputB.14 = e19707aafa391e8622539d52a05d930292bd0f7c17825dbed5fb7a2f8734081b + Output.14 = 6ce2ae37349cbef9ebd1f9b85485810a22d430d94abf66912dd7b6cc751400e777be2f1cebc19d65694a456b2c6429cefd95eb934030846708d50be3b274c2f7de299f3c311038491f271448c7d02ff51de048fa1184e8ee06b7b46a9f123daecbebae4a2183dc8eb6976abf0dae7cdbea6017cd1500f37dfadcce0c1956ea87 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -7903,6 +7909,7 @@ AdditionalInputA.14 = e098f0e076a3f40fd970f5d221944f0040ef4a18d88dbe6c - AdditionalInputB.14 = d7eb01dfd7c13fece92d35133c3be71efba145d7353c6d69 - Output.14 = 
f03074a219ef31d395451ebc8534e4f2cd2dbfebbd9257507979ecec79a5f76359f2d6b4653b31704ae5a49f884db91ac335ddc6d11768cac7850734e76734b63b71ff12f3f8d42cd404009e7f4b66bc0a639a9354ebd754c17f3cc65704e698d9bc0640919c386e96760f3c36d8789e +@@ -8999,6 +9005,7 @@ Entropy.14 = a7a1dbf7f828555610197e71e0ad563b8691589c5289ced03e9ef83b6f9ff938 + Nonce.14 = 4274788c5d80e26ec1ac3a57b9c7c0df + Output.14 = 5a907a26c1ef588219d4c69fcf4c5c283ab148a77588a40b323bd24e6dfb29551c4b6116c4d61349f5f8bd9ed497f38b239c37283902beb3c9700c768fa289ee4573f92316efb860a5ca4267b328f03c13138b774b4b9f7516003a699f7a0854a0efb045a5932753a771c2cc6119202b33336f10edb715bcce1d20ff503dda01 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -7968,6 +7975,7 @@ Nonce.14 = 838d1c69d8408cf0134f54e1 - PersonalisationString.14 = f08a964b386eeadc4bbe57164d3b3a0c7c0068c49c9bc5ad - Output.14 = d8af077476875fca2ef9f04013976c3c278d30592361b923bab2f7e3c8af4affac5408c390b4989da254eeb97ccdabf32f5e246739d0e532a6ea317e7dda02bae5051ca97a445f5e0696a041e5f9f2c077b26e575d749cae344859864aa00f262c1c41b2964b78f72f9cb98abce103f9 +@@ -9079,6 +9086,7 @@ AdditionalInputA.14 = de1bbca12357943b4489cc7209b3f063b51b91acc168ec5e0ad88048b6 + AdditionalInputB.14 = 6ddd9aba4f100ef902ba50adee53ef44a4f45564c13e774e69557e36a357e7cf + Output.14 = 544ec80a966644454886fb97a0f05eb6a4a25fcbce795b5e5b27ee06ba14b7de18dbf54f80a670b87c76c336ac9af16c8958ad6c1bde9a97aa4c1ab5823d24a53c64f6766ce6eb9b7085cf7282499c37fc1e2e825f53bc357bf36d5901e0ae93cd3bd821fa18b5aa17548560f7ad6ef38124814fccf9b2b89de61cfc27c7269b +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8063,6 +8071,7 @@ AdditionalInputA.14 = fa0823db6808a3de1a7dcc081c01cca840f68b005d473bfe - AdditionalInputB.14 = d3054fa2bdec7c63dc009ecccf25c1116380ac25f82a9085 - Output.14 = 
556e90c95c1abcdde027fb2b88cf191f0686830ecf3fbf89de51c9bd735726131472a17f307263d57c03bd5ecd9ceba6cd5759b06594bf901418e2421fcef4b72678614079cdf4d25fa0b74985380552d2bbf478290445066e3f4a40a2e2b0792a685b769ffdb27721b1faa484e9c783 +@@ -9144,6 +9152,7 @@ Nonce.14 = ab7843b73ecb4858f2cc5e9dfca803ef + PersonalisationString.14 = dee559515084d8ac49c3803f09f3d5fed3b307946a2752c267677f22786a0125 + Output.14 = a12f5e8ea3bb174934c15e5d114ba615da33210c98c38d7fde4b5aef9aecdeaef311d929d7fece7fee11db67134c3326b413b8dc17766ba4fb881105db68688b148fd95d812f6538b14f25afaae84d39025336136d270bd643f2a6c7164930372fb1c8f4f0dab60283e9d8d3440ce8dc66761c5d5c4c13cc3a367feb4869b559 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8113,6 +8122,7 @@ Entropy.14 = 2a55ddbf673f4e12538e61cd2bfda6f0316277661f553c38 - Nonce.14 = a0c71049f5c75c23cc11c7ca - Output.14 = a88e6cc37617929bee1e14f74ee363d1e05fee618fc1eb1f8abaff42c571048032c84ef0ec7a6d8ad7e6c5a4a6e90d714d76643eca063287929032fe75a2b63fb1f83ab36a7fa12a12d7332459bba56b017654bc0fc29beae1897863a63276208f9d11a32780a627135b271efda4f4f0 +@@ -9239,6 +9248,7 @@ AdditionalInputA.14 = ead8c0dcf4ddc909aab96eadab509a46908ee5f090983af609f08d8a8b + AdditionalInputB.14 = f357bda8f2048929a4e31969ec978cc333d58b4fc09a8aa1b73ec9bdfaa1a8f6 + Output.14 = 901aabb3f065be08e2f8072d5d3ffcb28ab291420644e407e7a6a3346b75a5be535bdbdd5a8245998689450292df877233ef0783e0bd1765413193790995d884ffcb2c8dc35fe4cfc12def2f091866d735b1dcfc9d8d8c26903d50e9397b1bbd674bb81fc908361b2bddb68f02031d87588cc3e94210422674e93fea6a5329af +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8193,6 +8203,7 @@ AdditionalInputA.14 = 65e70309f7386d1a0aaa53da65263d5263bc5eaff0d5f3d8 - AdditionalInputB.14 = abb8cd0ce0560309d2424d2f3fdce7af085e6c14699b4799 - Output.14 = 
8188a498ef9e0fd52a77c3a44f1c7edccf9248590aebc52cb9ba7b5cddffe867b26309f032a78c0ab751741fdd9bd77d4bd17be90dd045f6f8b45826c9900028f68138cf1ca8e18b253b8eb73ae04f2e156d51a792abdc6524e4f45e4ed0b06ab3b0c94bc5e1ed58f917c17f72161d31 +@@ -9289,6 +9299,7 @@ Entropy.14 = dfa94c198483c5daa046f1dd1e4e83f854fd6c5cbc3465f671bdfd36837779ab + Nonce.14 = 298de64bbd817d009a71c1424ae839f9 + Output.14 = bfb9a54ce31406a82608aebc826441f8f633813a0c3bad723b802f3e905a6ee3512ff3513062aea51f93be17aebf1cfcd81868e85db3db9aa98680f974001fda8fe6a644f5efbb9d6e52e99ff606ef1ed7cd3b17fa6c6844790ed58da6df61aba0c200d7dff943588f4520891798098bddc65797b2f99c05efa090c60dc48a4e +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8258,6 +8269,7 @@ Nonce.14 = 1ffb77244697c3d67a564d06 - PersonalisationString.14 = 62865bf0f5af2146440d74e5ac8787cbedc544de16db24f1 - Output.14 = 1a74f62cc6bb05ff956d1af526926b937a84352830a78c7ecd2ad9c39a796f29f640d188ded8bda0e66ba81c941fed5e82f3c78543d9fca14335459ad9d573362f6b5d69861cb94c0bb055723ba5416b1fe08e74f27f23cdec9db05b50b01a20f0337cafec896f5f7412e1dbe7307e0c +@@ -9369,6 +9380,7 @@ AdditionalInputA.14 = 066b072d48f6cc6bb00273e0bc0ebc086235fe79af1fbdb46318f56c62 + AdditionalInputB.14 = cfb58f59c6d56993b9f0b5ba1643554072cf4ae8013c236120044ae909083f5f + Output.14 = d5dd7f55ffa7d53fc0f679cddadeb869f39b29a6d394c9f1185b11ebefbcb43419c6a26ae3c9ab9d456e2cdba1aead05e67eabd3596526ee431ba7cab7f94838062fcec2363cf0e19849ffef30064263b3a059ce38aa02c2729bff5af9450e035161816724163906112205196c642bfd70f36abb4639fd6e4f7f6a879ebbcc62 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8353,6 +8365,7 @@ AdditionalInputA.14 = 1a6853817be281e26796430dc90f014f6fde64cbef16e58d - AdditionalInputB.14 = bdfa703974a758cd4eb00661e0f4663f4e574cc7be6906e9 - Output.14 = 
23c9f591ec9abea9f9eb89ab8d705a1e570fd2888772db5d6fc6e418a34e32d78fe49be8d4d8288fa397b57afd49c07b715e276c68a2eb8f3e63f67de21d8ad23fbbdcfa03b201952fae49928ce4da66cb70638398bfdba4db7635c8c726a3cdac22c98ae776e881edd60b69f0b38e4c +@@ -9434,6 +9446,7 @@ Nonce.14 = ea7d3c3b8f6da0667d7f0d543c68d7d1 + PersonalisationString.14 = 86c20a7e794c887898d5bc00e98398276a4e3ad8d674fb808a63a44330490d2b + Output.14 = ee8e21ff48af611a17d33e130f4e4224330efcc1402b6d55aaf1f514553b880f18df68c0e4279854eb2e9b904c552f69f0e1badc347ebe336b70456f221e07a2fc78df72551d99df3755997029ee1461e2b6e396370096d7e8c2dfceb73214a72ae2b25ccc60b92dd71988eda811ceac4b7c335528249aaf82826a14c142007c +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8403,6 +8416,7 @@ Entropy.14 = 7c8a961f01c1888456ae6042caf338c3ab8b5be28b34d15b - Nonce.14 = 61edc22b49e518eaa9e4e04d - Output.14 = 9d2eb0a41f7b03ccae8e4e3c61628e6710f5999f3991f04ba90fb3007275d07ff169d325ab26f3446e585c2d454ff8f6cd4a520190afbc06f30ec9b49668b09de45a116b171c210f5f888cf3c273c803044b17a16b06b44bc39344f2b2acb2f21f4b0a7abafec8c8d406d26477db9b7b +@@ -9529,6 +9542,7 @@ AdditionalInputA.14 = ea12ddcafa4f578b8b43337508dd8627844d185b10af7de7e907d113c6 + AdditionalInputB.14 = 0cc670275cd2b0eac5df123eb1fd73c2f2b093b76806943918cf49930fa97515 + Output.14 = 88dc727007c0e03c8d27d00c87876f8990b271964a5275f636ecd7f18cac9c869e5f9df5fb2d34e7f89c2e9819af562a706a03d9be9318896f5ab16573aebbfd94a681cbf27e7202b8674437667893246c267785d0deca5033de88a61bf5158177391c2e3232ea6f812c468d5629ed9f89ad0bec0f6c7a469f56331f9eba1cd2 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8483,6 +8497,7 @@ AdditionalInputA.14 = 71b5b9e9b813b5f69e8fa9fa7f588217268581b7d135fd7b - AdditionalInputB.14 = e5b06d8f12539d36c665cf129c1c42e3b7e88edce1650870 - Output.14 = 
64595391a02ff750b46418274b8366bbca0e9c52c95bbdfa65882b76395887a018faa276f3fd6c8dbccdb964755e36508897cdac977037d0978f2752d1dc68bde3ba1edc94787c1c8cfe42c2347052da30ba7f1e06b44c10805196e7bb048cf572fda62b4a28fc189702b1e575b008ef +@@ -9579,6 +9593,7 @@ Entropy.14 = 6b9f904ac4b16d36e06a1bddc501d7ef98d5685c1ceadd0a6e1622e0c1e73716 + Nonce.14 = 4a42f39e5a241a2b96db29055159c91f + Output.14 = 785014b0460831b7b67346c6997217b0f6c8e7313687ea6ff4d0b09a0786bd6ac362a0b1ddc6ab8c9c624625a379cbec7f11cf30ddab23cdec054b986175cdae0ca4ba4610e0711bc94e9ab706539d5fa2c1a4fd3cd49042696b58dce465f8e09a200e7d214cda357021c62248a01aeb95f8ffa8bd49d354fdccf4c71eec3491 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8548,6 +8563,7 @@ Nonce.14 = a16783ada78fa029ca3fe31b - PersonalisationString.14 = b20dae78f254b07fe3eeb7c793334f3f432930353fe7f221 - Output.14 = 081803927779c7b2039681db542c965fe48dc3cfde712a361e77da9aaf9f21cf38e18b4e8e5ae5a365910ada327b05630abe87858163713fd8c2988975eca44ee3725370f1c68117e58c2164605524102f22f3ea55f21f7e8fccd9861c59973d71c0aaca574480be6ec8e1fb9a163680 +@@ -9659,6 +9674,7 @@ AdditionalInputA.14 = 147d51711ae8a420f165db0000d9d0cb9e9cd5447311eed43d7cc9217d + AdditionalInputB.14 = 2910968bb1976a1b8ced116e673f408da6fc563695c918ac0a230b0bb800c707 + Output.14 = 357a7269b30ca744e213d894f5c45d0db9fba897e0c863a56062f5018ad9be9f37b8d550014ed68f2c34bf5195c0b7460df171ff3bd4a590578670c92470d876c8de19d48a6d7fa15fc7996be78d3cc8a5c657439f4bb9865bd56e187d5df2531a405e3e0f4b87c611aa8e226b8b0266290f06f8062456a7a4bf0896e4ddd948 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -9803,6 +9819,7 @@ AdditionalInputA.14 = 228522e58e65d50dfd176e8ff1749faa70fc2c82eda25b0748ddc5d41f - AdditionalInputB.14 = 7af60c47b4cd146a39887c9b812a1dd814d74c398609bbbfb57e73da9caff57a - Output.14 = 
9528c88f0aea3fc03bb8a9061e159a06d78a2a654408808aa4d0e73ab1a51e5aa85e8bcae72d34784ff6f513193e183d556ddac5675314f2b5cfe392d1526056afe32d7c03e09ba2bdf3b10e228b0f600a61cccd9e7bf14dccf13b16a838e60909785307e6905d510d9888eaab169fa601558fc952aa8559d270ecd386d7fbd7 +@@ -10995,6 +11011,7 @@ AdditionalInputA.14 = 23e4e6b0e0c1b28a6f9731f8b09960ce7adac17527b3bbaca7c811daea + AdditionalInputB.14 = dc7fac6aeded9e17b5bb5e2bcad9424d42dc07e809da59d52caecba6e75ca457 + Output.14 = 5a42b35cf1b72d2520d92719a94ef1a7ca5b6d6c7eef2de25c8ea44c1fc3a9a5ff2128f47bbe58084a0c7a3fc790626eff5666b4c1e68fb2f53de3370b29c398d5067b255f5f7f29fdb0f8bc256ee3afbe78a33981626837c55f981e56eb2e1bdd89ca081e48f6da7ce6576fbd37dbd57a3f41cf410cb375614af239f2e10218e777fb97a55d9cc73243882b8d8d2a2c812fbdeaaed90b5bd71a274b4b171cd7e661912c9b3de1714a3fe4931d8fc7cb1c9f64f4e37d4e5dbc31602d2f8699e0 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -9853,6 +9870,7 @@ Entropy.14 = c0509068d88167921812103b67e734698d68718ecf42cd99e0f55836c162d450 - Nonce.14 = 71a50d2db258ea35ba69b5716bf68a14 - Output.14 = f66c05713ebe804b4273103997d260adbe8a7d0f6b2bb862b867ca59874ab9e0898102664af2a8db24a7ccb4637269ac67d5e834941303acab9076ebfa04cef64f73480afb6808f11e6ab1a9deae514f5db1c90c59ce988cc1d04012640a40173362de2689f88647268c665ca44f57534c9ad9b8316b9cd1d5a14942e94e90607acf6ad37a2398979e56e9c227c1803f90844d6140f10d0baf20dd789d808a647b4df54d2136d967461383dd4db9dc154dd89cd282a2766dd6086bf3825d095c +@@ -11045,6 +11062,7 @@ Entropy.14 = 471746177fa3ebbc1f1e06fa42d61d5d491abc82eb7d66e749b87d562a7eff34 + Nonce.14 = 42f8a1ee9b09940e9e1dc64f51a78b4b + Output.14 = 
238c9889284139945e657d2c4312ee3ca2013de69be10bdc8b90d54867889f2c15c6cc933913457d4f5a00bd52b0216d90c56bcb341dde7496218861b083f80d8c933627e19b7bd8b73d6dda1bb0b2b0f1f90e2b453cd063938cec3a08f34e5581c1322329d87709e552a97e8a8c8e8e598a5c5cd6623ad1eb9f7ddd12739b1d157b1020cb8cef19402938d31b74e490c0ce75a9f57a17476df1cffa55de73bb8151071edf396c3b9e4607b07c7e2b45c249f5a8194cca1e97af78be47cec0ab0096cf588f3d4432393a8f5423a165d585e2e5f98fe47510d9415418aba28aab1193261036214c35d8ba04650b4539be6b9f7377e3c75ed236d0e69cce004906 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -9933,6 +9951,7 @@ AdditionalInputA.14 = 25d2ad9eecd3bb8bb60769942abd16edf0ba777f2541a4b0e80fdd70fc - AdditionalInputB.14 = 608c5789b5a2a6c11c7df095be8c81968c0bdbc6296026ab65195bdc5a297366 - Output.14 = e1c600294a86393b7067b6e77ca83e68d28a6b76f6f81007183be65a50fd2f1adf6eec5a64cc753c5bd0ebc12387bde8c6ec10e6ec7e603f09d4ae624cc5423b5bd53da4f0af064e14a7d176369f1726fdcf6468ee15ffd7db3be48d196601506c71e2f443a768e03ebc35245d254bb87a392508ab07c95bce84ba81058ca1545289c9d8142aa0858c9cd5ba54ee2bb75cebb5b74e0d099ee458752d11ed70122aed1254609a715ddf2720798c9194ae4a7424e2c518ce7a8277ec79da86263a +@@ -11125,6 +11143,7 @@ AdditionalInputA.14 = 4b69404b80b6f2fec36a7dff1b194a228761694129efa6c6b9a044f553 + AdditionalInputB.14 = 519c4cf1b30500f729e5426d76373c291e26cafceb594c10c96bdb9aef4b42fa + Output.14 = 53568141a5c09b6b02ac4ab674d341aa6300f8be93c0f36a7376a6850abfce068927510a1b98301aaa29252cfadfe5a2f241abc677e9e70fbca287c579acd276c2eec5c8b508f2b119a40164c6a12c0e0ca1d3d53595bbebe32fda2eef2b613329a614a28d3b374a7b031b49dba74b465a7db60a8dbdcc9e952ea143e9d5a3a651c1b0d6dad79341a7c3fd5816933f2579cc005f3c5655eb8d3f9d1e4562a756ecca3fc1d688c9824391ec8444c6024774a295c44c17fe592694dcf41f305f50a16e07fc28e247bb3d9dd0c52c6fde79df84c8d521606cec9a55f909691f5cfd797b69304dff5b60ac816b0d5046a47c2434127da1fbaa86d2844f5164a9dbdd +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = 
SHA-512 PredictionResistance = 0 -@@ -9998,6 +10017,7 @@ Nonce.14 = aadd62dbd7b34bf2021ea74a2788b17b - PersonalisationString.14 = cc3308e380672a955620fba59999ec4fcabf1b7f63089a124cc1f65d58b691e3 - Output.14 = 6c39f49bb51765dbae1de8325e7a6f8f8aec031dbdd94b83d5c4e062848eb4e01e3912784f817ee16f9c2dd0129eacd3f7b8d5bb4cf9a4a2ef823b0505c2ac8e4a1ec30812e98564aebaec14ff710a77c1904ab1fa3fef3c3d09f2d55b047a8db860322fab6d939093385838ec6d11667ca843f69268ba1fb7edc462fcc285adc9b4b97f0f717c28ac1b6f371d90baa86e8728051dfe9b68f15dd31a6da35194253545a5d667df6a1322f6b73ba661c7407608fa42e1b894bd1b6e7641749977 +@@ -11190,6 +11209,7 @@ Nonce.14 = 8680d7b3f0a8ae576bb0f75364b463ea + PersonalisationString.14 = c0bf8f2ca4efb48b8dca73ca7148da3cd5981c5a459be32db5a14fc7762c68d6 + Output.14 = 269b3b656e58f9aeed32c80700d9d1b863b0253b3b33155cc0849efbedfa51cff82262c9342cff7f1a7a58a5954fe66547baa1831fee55ae0d322674c6c784095f43b30c1887fb9fa5e7e7f1905da2808ab810ecd224ab403b6f562bac54e65cf7f0473991ce7d7cbc1a669a022fde3141a9880d974b7ede2fad24a3263570443cab0e8017d242fb4c2032dc8be56d8fc1e0e8f92254c7480e4941259ecc29ea47a1d11e074148b259ff95a94711d767f0655f1e0574dfdc4ae4f27b12015af86aefd36f6c10056c3d83e639e3641cdd8ba178f7779dcf502bab3d7588cffb72f6489981aaa7139c255df0e76bf6bba32e4f547327da4597745b15042869b2c2 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10093,6 +10113,7 @@ AdditionalInputA.14 = 0d81d8c5af9885d1b30d2174429bcc6979bdb2b82e6fd3ccdfe93f36fa - AdditionalInputB.14 = c63866629ed771e53d2fe2d5c21e98ebde295c3fc3896fb67279427c61a89eb7 - Output.14 = b369b226dd535dbdab45ff8f13735214f9abe6d11463a44804b838d2932112ce6799341505b7b5bab423a3794c37f383b06be1fe21f5c7da97b333a41fb67908dbeeb2450a3581ef71870c964c976f039ee856fa507e9de948c4c097a64070b23cfa09ab7506a8ec4fc38a38ce21fbee3f3c1ef3ab598f5da202f35b90f422af31688402509c38ac25359409d2b61958390d28ca2d8b5dea99ae26c90978f01d7a482c12e134a81de0bf6c9f39e32a8b597ec7b7a05a805ebc7ce260c381f189 +@@ -11285,6 
+11305,7 @@ AdditionalInputA.14 = 64278bb6b8224b93c0b5339726fb752f6d81e85b204d76376d99779ff1 + AdditionalInputB.14 = 4995815c060c80e9bead55dfe823b869862bd0e5b4357afe810a53c68d4b0e7b + Output.14 = 9b4249e1e692153ecd20e968f86eb31bf9a22d3671d0ce9d3eea243bfc70890644a95d551cb9956cc3770e95c2f14ff154760cba1b24c51c41f7a961a4502aa053068751618eaaf743e0d37fd41ab4969444519c22c8fd96f9eb1be6ff3ae01a25abba84a259dad8bbc78f47dcab3ac2242e6974a56454999b4c59243102b731fc4bb4e01c92d36f232ca8cfe00fcbc0ac200c2e403d17d5d1dd3d6c2095ddd15ad58a070f18b69a5f5d3f240435d298bd48bd9be028ccaeb10997f88857a848882f51a193522bb0b979b37b5508775fe150cab8ce97c0760b7418b5bbe496562fe639540e77c1025c0e191fe000aa5d1e49bf02a5a3c6f46b40dd2c47786d45 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10143,6 +10164,7 @@ Entropy.14 = 5b50064163ae6238f462461472ad2ac9acc300316e140abd9cd6edb87b8ffa09 - Nonce.14 = 581d145675384210801d9c75d4d19624 - Output.14 = de0ace4f4a728c681a0b326298142fe79cbff2ce5230e6c1ca3e2808692d02e4845867763cb9e93acb983aa54659be6f9baf210048baf7ea4f062bd7e3d9a6d5e7dccf427422b9dd93d392ffc810dfe185bbee253c3208e22a83c9804501321c6cc0357d22859487a3eaba53444f4027843699d5a78214c431ea741bba73bd29550925443cfa5f494372bd0e482e3ab4eace1b60187b6db588c0d252c8da3e0d6dd3e475040817ca2c85b1149d8447a52c111f05d7c14a0f6b7b6ea4f60aed3e +@@ -11335,6 +11356,7 @@ Entropy.14 = 337373a24fe76f025575b3dbd7eeedd03d3459d6ef44cd53335a9c4963cc45de + Nonce.14 = ebbea7e8e1a3a45c58044b65ab7688b9 + Output.14 = 
21ae4510a133fa0906c873eb73e00d777b68a45a1de8759b1497f5146f0c45cf612b02e972ec93ebccbb85c9adaf0f5942fcfbb3b808482f05497f2f4734dd6d42c8413e1bd1bad10463dd4b4cf29f1662c15efc6d24955b1e54a60508d9ed008c9d29f8a6bddfe564c21473271350137452f4601179af37e19d553ec738539cfd7a8df17f07e1f9db5df776256e3c00199997307de394a8ba41be2829defbd8105fcb3cda215219fecb607eb1e7137a29eef188ca7eb349d2d1fe27edc2526ccc6d8f1af7eec9c06910f3909907f966d5904b32577f2715cc32ac08f1b5e25a734716ffddf60c57d422b515ce817b605ead2f875db7a789e351b660704f0cbc +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10223,6 +10245,7 @@ AdditionalInputA.14 = 80bb70930ef2015949b53d787630f5de93d93f98c577ca4632266e1bb1 - AdditionalInputB.14 = b6afd2c00be2eaed5c1991909e89029db0b04598115fae5118cc215298e0528b - Output.14 = c20bd78d9c396fc8fb408361e1dd4827ed3231617a73cd8848e493927207ea23e6efecd4fae36aff74b5235067543c7eb44c290122f9167a0ec4c6a530ecb0936fd683fbd866b73afb712b2f20ccc981b3f70faec4f4fda62e956c7d04cf578b06259b0f3c044e6dc68baf91e6149efa70b2ad2b81c8e14d1a994887193e53bdb5986a23d0412e989c447689a71b283934e50c25e10bdef0b22ce7368840cf761e32aebc07d7b51da16dad4c332926a4cc9853ac8db36b4b01bb36746a28f527 +@@ -11415,6 +11437,7 @@ AdditionalInputA.14 = 771e91743429c40a2e3ececc9a3d73a92336c9c988c5d9dde47563b631 + AdditionalInputB.14 = ae1a58611aa54df3c655a1f20985552ed9e3610e92170a0de1a4573a5a1f93d7 + Output.14 = b2534bf690444513bdfecb35bd616b0de47b7cca7f8ab9c5e823b468da62855601b59c6bb75cf34fe3dbc7f795536b9619d243c0f6960895d6710130fbfda2a0bff803e856f1cf21a63e86e59be0d6da7516b697e9ff95c341913ff27c8abe10e6af1b7ad8dec9f7aab46b8d35c103f9bff3016b39ec24026a7b582f6e95261031f734e29a1b64c65639cf238381e5f7e31da624ad24290930501132c860118b6c59052aaa7cf982486219431311453a431a1cf50deaf068e2f9993c0ab851c9aec72be8f7c5c57ed03c488befe6ffc256efe6db52b7734c042b69a5ed74e2593c4788c5fa8a03a5017b927bb8f1c8262925d734c5604639a9b441187b0d95e3 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest 
= SHA-512 PredictionResistance = 0 -@@ -10288,6 +10311,7 @@ Nonce.14 = 3432a2e2263728e375ab973bb5842d40 - PersonalisationString.14 = ccfee35071757d5141f55a481b7c44a584c5e537c636d4d0ba10dc3c88adf6a2 - Output.14 = 72a77d1c5dea9d00c349d4e5a9e6dff63ef6cb80b7998ef62e7a1fdc2267057d07fafb993e8df868821c6cf76430f3b7ff24a527f7e41fda6d560a773d05bc003f7e1ed5085f6da3785dd999a4763894455febf7618750bad4e30d8f52f3a072af30d57df5afda08ae7cebdcb659e6cdeaff52b47d4dc571e28315ff0e38538baf436e02d157b64afc6d50e6a4c5842aff1e7573888c6ff9beaf4f91aed988f03032388940c4f54afda05bf55ef6fc8c673f01ab545838574f3bd4f22865cfd6 +@@ -11480,6 +11503,7 @@ Nonce.14 = 78e7f6e9e8e1511bc0ba7f230b65fe47 + PersonalisationString.14 = 37544eb1992fc569ff259946d639a00230ec1196c5565b8f9da62d9ce552e09a + Output.14 = 0ddbb84e21d4d7110b933bbeaddb35ad81dc1f331ac8293695b30924f2713eca6f93a13d520da4486f32a12412a927d00e3f27009a944056a5805b0e050f5bf6c6bd32c523c1d607d6e3e97b59fd059a610d664396f69961599ce7f0a0cbd1dcff15474ac267e36c0b871c559fd13b7ff0c3fcc11ff8dac26761a42697c3744981cc5c5ac10cd0f3b285c4ceb4a550ecead095f90fb6f53aa302218ede7ed5ae5deac91a83f957d15ee901746d11777b23c327ee811966690f5f253c7c314a2bf2bea73ca46c6c8cc332c3493f9d023029d762fc90e5dddbb838f2225c521f196332812570a17455b3db45306aa9100ca83185395435137a0b961531cbcafc03 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10383,6 +10407,7 @@ AdditionalInputA.14 = 0facad642bc0004f946e3fdd149a4c0e52475c9e832c85b228bff6f2a4 - AdditionalInputB.14 = 19d477a7dd45a0b733e6c301a4fd44ddf65d4fe0a0435b57e319e31de4797427 - Output.14 = 2a48844f6919ed43a2b0b64a1d28707fd3265b418e0673190b49a606358062c1a54a6071c845adc6ad74193d746668f890423ebb971a63cedae3241005432c8f3fa3fe7f98d5912da34dabcfeb17c03ee8881de7b2ef04fa2147b78532eb0ce7d9244d717697138f116341c7b9e99f15728207f6a73c651b8940582f9f926253420a853ae18132093183a6073e3bc85633b75e1c6cec9323ed4142d0c8ca0dd5ab2ff2e6b304ab8cfe4aa98ac64951d836e074169d375ebeae8498f11bd02c05 +@@ -11575,6 
+11599,7 @@ AdditionalInputA.14 = 8dab17e96142c890eb16981b97364223e815130bdb0c0c284e50dd3349 + AdditionalInputB.14 = 1439e2d19a99703fc35607b5bde55331eca67b2b9a9f7587ddba0dd1fe690ab2 + Output.14 = aa088ba4682bd2285e90c7967a7b8a518e0ec45afd490d367022893e3822c09d967d06ff28748b5de3fb33b071b73c581bd893b6641a72cd5db35540b904eae19765cc121ca4dc9404530114c3369fa80d20dd63c8c09559c4be48aa26ca77b47579dc52fdf0eb2f2db84ab688b87f63097140aef65410fcd7a81c2bddb2c92f9d67b2e46647aadd9b85c9e17ff8b579cd672708282981ba54d854e7c9a1de66621845ae2d337a90025ccbdd1b0d695790b1f977b1e944bbc04d16a9a399628bfb33f98b40e13567514d8ce0b23340803718ea3da44fa84c923f2a85ba21495c2f9541cbe8cadc0b230b1b942e934eb4fe95c3754a77a09641ad730a550fc24e +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10433,6 +10458,7 @@ Entropy.14 = 3b6dde5f550d482d30eee2288bff802241ef20ec15696e614b7268f7c574eb1f - Nonce.14 = b8d8984703ca7f942951fca97129135a - Output.14 = 36d0cce70eb5aaccf9b172fccf68e01eb8ac8b1f2652cdd238f4b070c8f2d9a128418badb38d5d5fabe28b59d15cd432010716fa6a48071114b2168cd29028386171594291118e54fbf5b61ae3fbbf9a21ebe73a4aba482c7cdc5ea1a4f21a0f1b38812cefff9bae78c2b95f417dc0cda010079b637f825dcba059d154f5a53050db773250013a1f051de9f7882433d2054ef2adf9b7b57c67173c06ad16cac6bdf74a10bcc666f7d4a091a78131c5ed76fb733791278b6ee0f55302c4b122a4 +@@ -11625,6 +11650,7 @@ Entropy.14 = 5f72e390aa960846a0004d266e3741b6fe0aaac98d9d87b4cbaaa7a2af0d0bdf + Nonce.14 = 2074991cf0c22cd34b2de48ea1f9ec66 + Output.14 = 
7bf54b69e455c7941e8e24ef59b5525dc1ed3b7f934333713b9dc305dcae2cd1b74648149e04bb4f4e00b110926a6bfead7adef954b6d7e180ff820192677efa3c0c8af6a3e201d8d555cc599cdd2626d8778ea2c7a2a8e0c99e719929ae9ac4fb9a7e5176da8987508d1152909f456a4ce9461188e264cda1c879af1a8cca6c182e73c164986cbf07f441756791fa1fae40b784800335d94b0b54135831044bf0cb5dbb5c0c71de6b6ae33d6b87782d34be3cbc2991ad109d6c0440916d91baf96c4375ecdc9f09dca79671a45309c408062cd08ee623c8de007cda3b3d110425d7e8fee13b2a14215033d9ea2397cc6b5c995f37273a00dbcdf9437bc77857 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10513,6 +10539,7 @@ AdditionalInputA.14 = c6a3bc83220c7708eb7fff5787ecba27e48c894e15302e0ee7f4e5f09b - AdditionalInputB.14 = 39b854a1c487e24e1ed58916d8012277fafd6e7b6175c4be43927cfac9958404 - Output.14 = f7d2f39a513f6c4eab993fa440b769ce09a15476e06ceda47969be05f53ec7f8409de284749cdcfac07fe7df66b1b6bd39389401909f3a84538d041e1c038a289869e51bce8bac13a0f786cb091628f0a3a7f7f9a2f620c98889688d46a2a037fbc1b2a4fff40800eaccf98a0bc1452ff1f53f040daa94e17dcd6acef97192c74075d064be5a97205ad97f693257d96c04e78654a694e90b80a5234a25d1c7ceef360d53e768067335097c4aa8f126a31882eff8e55cee05eba4b4325c203f4b +@@ -11705,6 +11731,7 @@ AdditionalInputA.14 = 97f8c1e98fd25289be846d80f667341a095dfbabd610c691ad6b2b901c + AdditionalInputB.14 = 136912d2805ab8ffcb4e7d6a81e37e14b7f7bb65dd0241d56f11d7c72dd5de1d + Output.14 = 2e1f4954107f3654f51024f032518ba91512c9d8005265ff35248487b8c87d8862b8caaae27898a22f9ba7a0297fc071ceb6a1612bb99c0f15210a11f5a0725158832996f15106a7c43a216f90501c0dfb36933be940a875d4f6b0e5c29edb01614a26cb3ff7b906762fd6435eb7cec8c88f5fd7c4d76fcb018c08987108117c95d4d35c1c59efc06358c7abe7a73012ae4440b2ec86c3664e5549b8b0a30d6c8538d6e5151f9c17f9ce026556508b8b3d926e4364839bb526a94c7d8abf4c1241cd844bc6227a01d024affaedd4701129fb0f9b5ae853c7085ca13ec78ffa3476ddb1c1e71942c351c3ce9a855ccfa4c3c7f92b59d5b67e8eab16b699b7ed5b +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest 
= SHA-512 PredictionResistance = 0 -@@ -10578,6 +10605,7 @@ Nonce.14 = a684932ea2337296cc3d150174a47ce0 - PersonalisationString.14 = b2c0af9038c2ef79ca8263a047bb9293a44ecdb457fb45945996157dcd199cec - Output.14 = 316fbc32ecc1dfa778b13921b1d624f9231c0ecca03e17fde750b1e31e76b1c330ea5bd62ca76150f231ac4aa96b06f845db2d03b65cdaba4c160b288a121eb144058f65a751e22151f91b90131e6756356e7f90d880ce754cf965f439189eb8bedf86c58e1fc2751e65637930c42552fdf81acfa1d4515ad49dc532b2a10b2b11209425ed1cf43c991b4a7c49bf6e701990fddc420608d74c3636829e4683c4e77a8151708d82ef8fb81b3655670fd4d242e357831bc091f30e6d139d5e5ba5 +@@ -11770,6 +11797,7 @@ Nonce.14 = fe9dfa1b683fa9cc70b7c7f8c81185b2 + PersonalisationString.14 = 7e86cf4111fbea8fa9b180a1bd9ff3e9d233304b1d293adffa49ce8e77f400ab + Output.14 = ca0a6268d034f6817edcb6875b4754b5e9b2061ce0bc2bcd27c28065d8258b40ae63bf6d1e15521196da0afea8139c10d7bf3b54694a82d24476c578991fce1371e40b78087d95b1117650af7134567513a017353bb4af85cdc98db757cec9f92df42b7323b1e5d05387debb02750683a5553bdfb5f9fa34e14d29e09ad18bc6ef2380c173a19631abde085369ff47fa8b4fdfebe13b95b90c6f5841fe5aa6334edcfae26c13cc5d14d17a02d684b64bd55841831bde4c75de7d49bdc1a405d4e3e0d327bec44644e972349a49cbd48a4d3b8e984f5847ffeba950fff55bba9b287d51d8475f7799752208da31d91853fe6d04d97ea2a33d53b07a4fc787be2a +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10673,6 +10701,7 @@ AdditionalInputA.14 = fa32817ad83c85b594976eafab28fe25c45aa74d0ab4750b33dbfd8836 - AdditionalInputB.14 = 2e5cb3c7c9503e019b3383eb6264d6000160c3c99ee5700e7a92433da1c01f56 - Output.14 = a7571c1afd3d1dc1d3b28dbab54fe3514a0ec74ccf999376a963a3820474cdd67b190551ad5b24f4376633b4964490f79a94059a55b967f8dbe58eb20d70f1fdac91565bd8daf5223abfa13b132a140acd33e36f29fe1b107f62e6c45a679247b80c0aa050f1c2d3195629baef7422b72fb3cfbb82a2e4dd1966b1cc27b8e6df1907fbd6320f25594e1eff912cd9685755473b908e06fd30c4359258be0580e6bb2f986b0450d53fdbfefc3bf06c0d80648800234100af755acec4f809c39f3e +@@ -11865,6 
+11893,7 @@ AdditionalInputA.14 = 91e14e178a033e26e6f6a0b0f3890fa46f83731a14cf31445c51a92166 + AdditionalInputB.14 = 20299371a1de6f994260d1c59c1d3f731d8f70fea6e9389b3ede54d47594414d + Output.14 = 1b4efcce136b40bdc792d1607d4ab4fadc10d5e2b22eacca6f412d3aa1c60320bf825778e7ff8296db9ea360e068350f90d7d4947dc9a2e2a4074653458784059ceebf2a97db0e4a29f7c6107783fa3683b6846b8c8ce7161082405643bb84d602c6c36ca79b2b6562417f0d15f46a4fbdc445d50935f49eedf01bb131d104385369fdf88d91518618134a37c5bf73140400cced73795910ad0d2a89db2d79355ecedbcdabf135219d2afd7ac28cd7e45c6fd4e913ce5d464fd6de6e4c62b76ff86c28b0ab27a3c2622cacec075c790a7ff2f57f99ccb89c590a1dfb5a1862200c9cdf97f94eef18ddc85cf9830be662cec1885a629a6603add9396fb26341d9 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10723,6 +10752,7 @@ Entropy.14 = 1e1cde834393e00a2136b8924be5600c8bf59dc2d8a9eeae467ede71ee7b75af - Nonce.14 = b6035e96adcb7e8f2e17022e2e4f39ad - Output.14 = 9dde9f29034b6e784be24fe600c39b091568afb4c40c8e05b8b7dc36ca74a1bed38ab15643ca8c6da2f5aa4b7a6a5d5c9920cc31129c84e2fc9b865b3f30b698a143189a3f3b692b3e5641499c949e53e3619cb112f42046a18d5d12dfb3c6932a6a829d07deb17b799519b81e961ff293c0b2d24b629fe906166e330135e4ffd00609462f0f9b89a110084945243972486a0e1aedb2eceec02d402696c89abbc950dcaa72d7b0e00ed8e65c3e9eb1af7535de2da728f901650633242b3368c6 +@@ -11915,6 +11944,7 @@ Entropy.14 = c5ebb2ae08a03815e496c2db1e2a650b40893ea78fbd7ca8434edcde4432a43e + Nonce.14 = 0cede46aca7d2a60f2e98eb3c7d1dba7 + Output.14 = 
6d8eeb5ba130de7dca993b44b46e08894fd84ab8c347992aeeac56ce5fb5f435bba92f1129aaf9b3035aa117301a1289acc222cdac043dac58b62567102dd5a57483d79fd703e188a0fe47254bb20b361281b5b8cedded86ba9b6d86deb30e539eb7ee007131ab2af99408f38ec7fd66bec4f1ed71251c149dbf8393b6dbe96cdeb9a3b5ee065ec8636444e72339ed2cb27fbbe5421f7f141940d6fa1cf570b8dd0393625ae16b10df2f1f6fe35dba15a732357dcdf4f56abcbb47a4640dcef618e27d049e27f2af7b8634faad00280e004cfe3f52d63185eccd6c4937a026830c38e1ed6aa9bfeaf739416706f63bb8b1475ac25d734db28e39163aa0c69c52 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10803,6 +10833,7 @@ AdditionalInputA.14 = 7112823304b16377182ff9aba920c97ec4d4f23cd472fa9954ded16495 - AdditionalInputB.14 = ba183a035635d9617bd71b59fccd561f1c78a7589c7fb3fedf41dc2e6d5015c9 - Output.14 = 94e577e5c4f66be345c6be7038b02fcfb4070d5bf74f8004b59c279cce961dcf5bfdce2f01e007790cf770587a68d0d24ef0fcd1a148fca6920e707289e58b81fa4a58b5a018a358d336a20daef30b2881844838e51c56f11533b25c77b9c6c6bb2c0657350f011b24db6c60a84232dbcd218a816563737585c1ca6152ff13304ca86dff20f9f9596aaa21448f2c6e620eee58f69338e3b675d29b478f34f0e60dfe7f12f02e6181d19185f7dc945210d86d31e85eae03161e947fec0f0fc91d +@@ -11995,6 +12025,7 @@ AdditionalInputA.14 = def9d8f7b18023b69c6cd4121c0adbc2a89b3ca37333d4523261d5eb20 + AdditionalInputB.14 = 06051dec796525094018b436605bd2ddd66359a2836a5996e8262bb7763fadc0 + Output.14 = 29e8184e37a5c26670bdc95c842c602ed8b0cf102ca144133e8cc841e1dc32fd038a72c26b8be8a568db60a4cfbd52b0d8b74cdf180a4931d6dd19a255104db105b3366d75e8f6afd0e5fab4dc14f6deac82e7703eb6a61f22b79bdad8ac7fab95a58a71f80fa510542615c305f7cbf84790060f17e7d78ab5d4b0ca34fad47133a0627b803c1caee3b97fe47626a8590672e2211f39cbe1b79d1999fb772b884122c8e50c59fdd3de13a53e805f40f8aa35501571a4c4cce79a8f738e60a43a11afdbed94e26f474ba5cd6ff5cdaf00d0fb84109aeb3510f1ea576c70ae78cdd0415a0521f3ff4083f9160011dcd6e2802cfbbbdfe9c4a3b114dd47b3a6cddb +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest 
= SHA-512 PredictionResistance = 0 -@@ -10868,6 +10899,7 @@ Nonce.14 = 67f50628067bc401648926d7567711cb - PersonalisationString.14 = 5f8cb19e3c86b179ffb8812db791e8bbe6b0caff958715dd9e3368a2d48f65d7 - Output.14 = f178a20d27725759c839e7fabb63bd101c3352f582524ff088ccaf6f0546ecbd3d5165f1e3cacbb49ede115b8f6c8db3aa9720692efda124138d29eac17637b84977384fb88e81289ed5ec960e6e98fdc71d03ef0bbc05ac7682acdc62888b49fdbb442080687f902b5a313ac88d364b13871b20f684cf1acbfa229fa203607a0a37b4e1685d13a508da9f48dcd83f26751a2284044f93e18b2a206a1887d77c4b76e821952b376f19fcf53d83f704e3ec3b5c3cb4c390b213d57dbe4852914b +@@ -12060,6 +12091,7 @@ Nonce.14 = 7b9a876017e5e14bd6a19719c73035da + PersonalisationString.14 = eb97028b093f820b182384baafa56ecf196dc11ebc515a405ac24f73e465ae9a + Output.14 = 3791ee66e505257b0bebc4319897e80ea8a70577b8a85d809cc7e4c77a458e8517368e2eaa7c0623b91ab3ebc4de3240e00e5f0cd20524d73b8000f00a3cecf869bee26763db9689dfaad9b5f21e3975f750e0c6b694d7df35fea26b2ff3c2bc679b5ecaf129320dde8245677aab9fb54b8faa97d394adae687a35b00f026430ef29bc7226957dac5edbc4a70dc82fcac00bf89d97e11d2a3e6ecfc4af4536c329ed3f4dda201db47236b03f30daf71e6368a18ab6224a023fca2ead589d9ea165d66fbce2b37a630d18ef1c97a619cd8949f16f44a9bc0f5837737d7fa4355587af5ab452f53fb82dd8b8b4706cf04e77938d7e0c3a9744c353edd0c6931591 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -12123,6 +12155,7 @@ AdditionalInputA.14 = 2cc9f137fcd8c2d526d70093fe11f90a0a36bc9764a4c5609072e181a2 - AdditionalInputB.14 = e40361245b91880e308fb777c28bbfaea5982e45fecb7757bb1c9de2df9dc612 - Output.14 = 
66ad048b4d2d003223c64dd9827cc22ed3ec8fcb61209d199619177592e9b89226be30b1930bdd749f30ed09da52abaa2e599afaf91903e7a2b59ffb8fd470e6604485a27c200d375feff621118595a7a3057b7e31eadc0687b1008c3cb2c7435a5704b1a1a6a3487d60fd14793c31486af765ce2ce182de88112445dd5ff11b256cfda07018b95f97edbab4e4c39ca097c42f9dce80cd3f32677f3c224a86b315d02e377dca8f3785e9748ffdbe3fcaa3b0c6bf001b63b57426836358e9b315c6718e0b74fb82b9bf3df700a641ab9411d1b9fba42309a84bef67a14204f3160ed16a5497fe211aa1f5d3ae4b858b6d445f1d094543d0107ce04ef1d1ba33ab +@@ -31145,6 +31177,7 @@ Output.14 = 01f11971835819c1148aa079eea09fd5b1aa3ac6ba557ae3317b1a33f4505174cf9d -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -12173,6 +12206,7 @@ Entropy.14 = 42623115c0a43edeab391ee8ac84c2b3b1bebba8a6040cd1 - Nonce.14 = b79f5c377be52381210c1c2c - Output.14 = a59dcfa9585b1080cee51ee493fabc22394ccd0949e3a4d4e5b8d60e1137288d20f65e7f1ddc1345869e1af62562d6c11044bb65d11dc0071a04a2cd0eab76718ec9a67d4482acbc82ac27685b98c50064b41e120a35e5ca57ed1bed6963fdd03e26865ddd3217d67cdddbc990c5833c + Title = Hash DRBG No Reseed Tests (from NIST test vectors) +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12253,6 +12287,7 @@ AdditionalInputA.14 = 450a2109e7d83a3ab2e628ab35af4dce8ce7205de7c5f365 - AdditionalInputB.14 = 60d0ce5e11413c321535d849da56c3d9bf6222a3d2cf77e9 - Output.14 = 27397574a1ad91ef6f332c954c0d5802cb9c90926ab05c116586995bd795a2f1b4706487da86282e33d0b44dcb7a58c8c4a2874ed4646a1e963b7d26b62e0a5e0a5bb60ec6e07ea6b7b7fe1194c3ca4371736e595707ca7fb56bc924089e66b137c47f9dde74b5de3687aebc2f5c2a39 +@@ -31195,6 +31228,7 @@ Entropy.14 = 6fe9597b59903b1af4012a15368af7b1 + Nonce.14 = fd3e84b3a96caaff + Output.14 = 1eee4c786476d488e58d0e065bb025db548787fafbe757f29ee2bd4781cf69216091ba2b68919b54ad3070ac72a2342320eb1e697b9115acbe07e194d060562e4d0fd966ab29e2c5e560574b2dac04ce +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = 
SHA-1 PredictionResistance = 0 -@@ -12318,6 +12353,7 @@ Nonce.14 = f2435f70e075f8044d4235cb - PersonalisationString.14 = 80fa0ec5a3a1b46cd639ae19c137239ba8113db33984c593 - Output.14 = e547f6d8cd665204f8ebf6d64ecaa23fcc59c1682eab3190bc76ad4981d68810833f1212965def4868883529c0bae4a2345da6a0e6a7e766d16022c6f371db8ad089d9227e3a85168d080c3ff2bdd604e7f8404a16268bd66d70f5fb164cee60f1af97bdb6e1d72059d7028a13ec83f5 +@@ -31275,6 +31309,7 @@ AdditionalInputA.14 = 93dc424bd0d266879601745a23317141 + AdditionalInputB.14 = a17321015d327c5dc0bc1e130aad81ee + Output.14 = f682834b5b492e09ff8e0f2c80683b032a3b262d16bc609c550dc0e74a4b7d8ebc0e3b8f2c9970d90aec9a82497dded20422b17b9e3cc3bca771cbe717ddaed5a7a6ae2601c7f765eaa719b71624e83b +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12413,6 +12449,7 @@ AdditionalInputA.14 = 81356bf7d3122bd65b5d96d2ca68875e1d77b36edb8e92b3 - AdditionalInputB.14 = 1f185d4aeca1d95ba4c8e7867df64296525e00db7da61e88 - Output.14 = 8032e92efc35ace508d8a10f36a6e7110cd0b087cf853409e83dbc554633380e9793b7657a23a931e34347fe0ba34c2abdef6a8505e44da62fee97a9543b9e6dd6538726ec2cc6f6d19382562a4a438a2b0756fa66b48628af292e2f53e49edfae3ccc48a95f24c940a90d1abfdd6d0b +@@ -31340,6 +31375,7 @@ Nonce.14 = fa9adae924417150 + PersonalisationString.14 = dbad22c389c527715d21a5bdf38c1fad + Output.14 = a18d57e672218956e6c8cb9901d02888f3587177c3e11e1a99ea72370347b953a9f122c9446dfa109723b27f36fbf15edf103a56741c24968592479cfe30bc0053fa7b9818e9debcc494db64d15d038b +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12463,6 +12500,7 @@ Entropy.14 = 3879ca720aaebb2a29c99c0aa21d63308b44677f2bbe6056 - Nonce.14 = 2642dd7030605b3608f4513e - Output.14 = b7ddc2d0295a550e44103ffe7e6e1771cd488fa2ea32b091076085284edb870220e02ba6facdf27d8b34209048d0aa4cce4556c074fc7ec2c3691b95aac3f47c3b42bee3c2e35da17b040188d47b7effef8ac471a669f29e6c4b97ff6836cb9fd8954f57309a97e9a697e061010525a1 +@@ 
-31435,6 +31471,7 @@ AdditionalInputA.14 = e488e16f48c61dd2152afe925eceee92 + AdditionalInputB.14 = 12c692abd90ab485f4d9499680a6893f + Output.14 = 8ba04617a135d8abe0c3c0a170e7472e7ed750eac706e5c3ed8305d6f6f8a1a53e0c52d4853b21ab8951e80970b426008ae11952ff364817b6856ef0810860dc65faea487b5d7c3f3d63fd443756d2a8 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12543,6 +12581,7 @@ AdditionalInputA.14 = 13998df6bfa51c2708775384f01cfe8f4755b6fe4b3c2fd8 - AdditionalInputB.14 = 8d25383b6d04285fb699c644bfc9b7fc72de41c733f35b27 - Output.14 = 3f408ca372917703ecb3449ea55de7a969a5ba184eee8f30fb19b99ae827c66b13f29d4d3a0236aefdaca63c28bb71595d3dc1fc20f1e7ba1b1c9bdb7c2122bd8e443b00b5339508c315ebbfc9bc3c7bebaaf83312325bae696a576b3c92931eef6b4eab6bd90c140295f47994ec6e34 +@@ -31485,6 +31522,7 @@ Entropy.14 = ceb354444d1a29c0c3e8a1cc24d02846 + Nonce.14 = 86d3fd9fc51f8b19 + Output.14 = 6f90ad611987a37bac54bea0782ac78215b7d17ecdd3991a81a36d0e263c6f0dda2c102cfba56b26c7b74b5dd2548be9bc81c7958e9d19821583c6f388132b9e19ae7609add9a296c1e92d66a2ef5464 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12608,6 +12647,7 @@ Nonce.14 = ddb5c0cd2b4b640898c2fd1a - PersonalisationString.14 = a096d62f947314691cfb647cc2f331af834cbcdd5918f099 - Output.14 = dc9175fb05854708739c3da005592ada29d408ed6162dd278ee457bd3304e4f7011355da2302df1d0d190ef846cadaccfa5325d3f71c407ab2434d65d815dafa6ca15f7e701a104225a839f2fa9874ad49bbdbee576b1bc71ace28c825095510890861c851bb79e2e2e922c3ac22fcde +@@ -31565,6 +31603,7 @@ AdditionalInputA.14 = 32d09b604a65dc8daa35cdc34141b751 + AdditionalInputB.14 = b8186a294c7824b7c550c1054badec00 + Output.14 = ae9a091cfafbf0e74c2be8ad4b984e824a24e65ba7610b0f3ab1750e2f12de1620db6bb8c493b3d8b06ab78e69cf2dffd73d4322a67ee7725aad84fb458b8f26cf04846850202e53c874213221e761e5 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 
-@@ -12703,6 +12743,7 @@ AdditionalInputA.14 = 2bc060710fe3d92760adc274b878de0df82804e840cd098d - AdditionalInputB.14 = de879de9c03efe5a68a12da7a06003ffbbea0a9c53f5e0bb - Output.14 = 4968c67d2f830b591531d620b6c40de4e9a15dc97c70b8b059023033bea376953cc5fb415d823d55d5b02b17c2ac60a1c8ee7473d25e94888fae15c6a7770b75565fe505a117c734d0c7d0386cff907a893da3a83d45f51bec9d95670374524b4f59e45a04c88d1756ed854fa9f65693 +@@ -31630,6 +31669,7 @@ Nonce.14 = 8368ee0e29d35c67 + PersonalisationString.14 = f189a80d5619f53cce878ed57522a468 + Output.14 = aeac5933065c33ce2ace2531a193e367f73c83fc328f61ee2627f6f3841914c6b8a3ff767f96b3c3b685bac931af9ec10c6f3efe25b5109bb647b120e3a3f6971a4ec41f4ef0c7a900fdb09d7ff3b247 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12753,6 +12794,7 @@ Entropy.14 = 7ce7dd98c93953a8b60d395a68f03b8919931031e8f68bb9 - Nonce.14 = 1c217188f9c7980b8b03b41b - Output.14 = 58884a4316fe8104459bb339a4bac08d95461ad8e58f333eae5ceeecbf2d375e8fbb82eb1d29890ee0c56037bbbac8cd8e202d7ef05ed7126a15064699b9dfd4523782aabc6eaf21f1727d02c1311f5812c4b4294827a75f1cd6e6dcc73ba45ea8fc5f2647dff725f5fd9bc64d7b21ec +@@ -31725,6 +31765,7 @@ AdditionalInputA.14 = af578fbbb8a830947e9b4e2c9e729336 + AdditionalInputB.14 = 5a69864ca39da1ba4719dfe1dc850a4a + Output.14 = 8b846f03cb66f7e49fdddf7cc449a5f3f6ccdc17ae7e2265a5d0e39ea10fc3e6cffefc04147b773a1584e429fe99e885f278aff74a49d8c842e7ccd870f1330692fc9c4836dac5046c544be74652da26 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12833,6 +12875,7 @@ AdditionalInputA.14 = e73890b772747a356ee1527501410eb5cddef015a8d6fbd7 - AdditionalInputB.14 = 9145caf79d0b85bb7874c2dc82d52bcca68225a18de258cb - Output.14 = 4ce4c45336ed4bdf4004f326a049c195c26ff11aadde90d7d035ce277a5b158577a7e9971063ee9c0b5063ab1f20c90f619137c2f4713831d18f2237e1a3d522af9a585e5f43f07d911b8b977f6c644784c9c02238b9fcd0f663c8bc1913f783c200b388b4ecf30246c7120adf3db79b +@@ 
-31775,6 +31816,7 @@ Entropy.14 = b7ddb82f5664834b4fb17778d22e62f2 + Nonce.14 = 52461924becab175 + Output.14 = 8735d06e26814ee54b5daca4e1da3e321a5a19b062ec0c3afbe3b16f23332a687fadb29e65208130c3d667c075660ff70aea96430fee254c472686b8e82ca359a57bbdc3004bb3eb641c1f97e4b19e02 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12898,6 +12941,7 @@ Nonce.14 = 2b884a75ff571f92ba1eb965 - PersonalisationString.14 = 273f3885354c0a8296b0862e19157fbad69578ec121cecbb - Output.14 = b60362ddfbb4fc41f4f5ef353fc0fd8f31e139876a3af0e69f9049aca46a5989ee3a1ebb6cf14f525c3d8a944f4e88e030e020ef6551289c93f5c6ca2f6bc495cdf49ac91bb86e4766ccbace5f7aba008390d2b6dfd416d63ebfe07f5d583b8f9916ebb54620953d0b73c136de06f520 +@@ -31855,6 +31897,7 @@ AdditionalInputA.14 = 7725ef70592c362d70b088ed639f9d9b + AdditionalInputB.14 = 5ab2e0067c3b384e55a78492f0f6ed44 + Output.14 = ca095da39d9c21d7da073d9c95d2e415503b33c327d739f1838bbea4fc6f0254fdaf8ef6152e9263f46b864f39c7104d1d337d99fee588061152e623d7e00a27e03b5d16fe6e543453a31d4dafeda3b5 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12993,6 +13037,7 @@ AdditionalInputA.14 = 69720682d68b7043c331b889ce6d3d83aa3d33846e9ddc86 - AdditionalInputB.14 = 350c63e7b01ecff4aa171f157c71f89a55637c2cac0253e8 - Output.14 = 63fc9293971bc8dc151bcc2df20e4b5c7604138e4df49fed323c9f1cdeade3d5d1c8bc89e507e5da1f38c1f76d968ee45ba53a3da35e693e00afd683817ee7da5cd2b0a657ac6cf95913c859c6b4a15449fe9045a3af03cc198cf10b2deb67c5c3e9cf9a40b8251de19c6cf3114bfe22 +@@ -31920,6 +31963,7 @@ Nonce.14 = 4e838a124e4b53df + PersonalisationString.14 = 163e393b290a4d390ab0beb392f52d26 + Output.14 = 76234afc296ea36a44254f999ac31fca258a24427cf4bfe2c54495fc41478ec4a00b540659b3b9461cc6188bc1f57c19ae414bd18aa81eca7b9d765a784f0ef24335e46c2c77b8dc915f5d12c26bc653 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -13043,6 +13088,7 @@ 
Entropy.14 = e03af342db03da30e2b0e5b8ed76c2562194417fbf6be645 - Nonce.14 = 6a9a5188dabd510894073f76 - Output.14 = 7963276f1054db251369a0b91d854fabaa3dd5b2343ef4306cf897bf964fc8b885908c4ada163b929a19c948ac89c8480170eb59b9a8d7d2d30ddfd1248e2c1795c69da81fe72d6361d34754f88eeffca2c31859bc8940d6662abe2622fdfcc28a1764355aaf46a2e00e50606af2b6be +@@ -32015,6 +32059,7 @@ AdditionalInputA.14 = 27486f8dae1b36462639ff7eee869a29 + AdditionalInputB.14 = d1bfc7eabd8eddf622297012169f351b + Output.14 = 4c893c3d1ed3a190fa88e159d6c99f26a02fb5fccb98bdef9fe43f1f492f490109224ba6c317db9569f618984409f2fb3db0b1e2cd4b95746f159cca76f1204f6d2a4c455c547a39a5f79fec95c8f4cd +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -13123,6 +13169,7 @@ AdditionalInputA.14 = 9b6c491387a2394b94bfa8b077cd43bac49117e94afb9616 - AdditionalInputB.14 = 7c04bea824d8aa7b19facfeb3a676eb51c31d7b92f0ca1ac - Output.14 = 332b884c8edcb260c535a218001d421e190d8b9c6b856fbc5a4ab45f92149487f8563138312a42487969370440675f5bc9b21a75d2a8386867fdf861c8650e26af47c5efd81d9fc39cbcd44ab0f4cb10325fed6f5b7ce5d8111ff71e5d78c7d1f53410e5ba492b9f68ca55325ea8b318 +@@ -32065,6 +32110,7 @@ Entropy.14 = f484b922f492d19b58407c242ab90e76 + Nonce.14 = 8952a0a4b666b0c8 + Output.14 = 2d77235fa273cab3c1bb176d44817cc25300b3f0172a0b5aaa66b282c015d426edec5f1ebbfc0269956b85994167992a71002586923ea234be6c5df09f47d89132e440827b89f7ff97e032b3f74fe32f +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -13188,6 +13235,7 @@ Nonce.14 = 9dcc6c4317ff492d0d7dec5b - PersonalisationString.14 = 7d30c5a4aa169c6dce156a8eaf000f9be0f8681e3282dbae - Output.14 = 550a9ad9e45ba359d463c1e084777bfb2ee25ff791070a87f01adc04cd1a7e9e6ef334e477fb5cadd82381e0add8a39ffc222150f17b8bb0d3b1cd80948c0a5ee09a84ccfff6c9ac33e6831d1a84182edac6bcc25fe357a708f78db9a88daf553914cdf0bc7a9b0527597f73707fec8e +@@ -32145,6 +32191,7 @@ AdditionalInputA.14 = 
9e3ea6eac120d663e330d282ca9b9d7c + AdditionalInputB.14 = b8d71fce7779a9906b9790cd1d4e48d5 + Output.14 = 63d28a300a329ca202b98498c9f46912620bc85c246f034dca4186cd9b0e0810a363785878effde90aec8cb584862524eebf940c44fed21cb580d4115f3e0dda07e0e4a66689c2ff3e9b87edfaa4d051 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -13283,6 +13331,7 @@ AdditionalInputA.14 = 1b8725447ec539ea4a13c47b323f1d6f435ba7e624dcf5af - AdditionalInputB.14 = 86d30af40a7a395764b8b69f2656954c7c3f1c30b2b703b0 - Output.14 = 2fb2f24b2c38f217232dc22ecc7380b8240b05d2c7bc0e3dfdad268c8c10912a92595d70dd98e7ecdbdc6d7bce6c72cdebd7e121d75de8b6795b660be9096a1f24a97e9c5344c35f04451dbd8d9808c7a84c6fbafab6d060026490d492060f052fbf21a3bfa2a8e4a40db58672ca52ce +@@ -32210,6 +32257,7 @@ Nonce.14 = 7239f92b63fb3dbe + PersonalisationString.14 = 8d2e2ca3985bd2538a71f02cc3eb5568 + Output.14 = 0e4cb328c03faaedbec7215725851069bceae4332de6a70e3521dd065f2f7923485969571ebd7f24be460fd901c6b3e356da6ee5262ef2d76ad14eb0f697f8fb92af2f46630198c5f7018860886147b3 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 0 -@@ -13333,6 +13382,7 @@ Entropy.14 = 9021c403eada5eac222dc48e1437b6de48ca31b9e7e76fc5f60653a3d901308a - Nonce.14 = 503b4bbc0ca538983285857a573f6166 - Output.14 = bca7456257568a178877bca602d331161828a4ed0758d1ec3febcc21717cc4142e5481dc9756c56099cb043130345689156cb96e1664ad007c461ef8b5b0fa7d18508541f528a43fe8c719f3a269ff2821ca655980579dfc2c794da673b8c9234d561b833855efc91b4747ea5135a1a05017543f5780f2cde8b472787173ec50 +@@ -33481,6 +33529,7 @@ AdditionalInputA.14 = e5c633ca50dcd83e0a34d397df53f6d7a6f7170a3f81f0e6 + AdditionalInputB.14 = 5f0beb5a2d2968e83ba87c92bfa420fd6e8526fbbfdea128 + Output.14 = 
8bec11df1022aa50d95daeaf23d78d6ee45c43c5768b90181e106c7df8ff333d7cb87ca1ab83f8742370db1c8c0c0c22f141ff4de33ae8bdb14fee7e6c069819320629c66d94c7c97ff52930a3c1dcd501b60f0f84bda4720ee187ae858a6e068326eda5809716e366d1b608c61b0100 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13413,6 +13463,7 @@ AdditionalInputA.14 = 439ba9ee252edb11b09fd765266b220077ab641cd7ed42b7cedc96b399 - AdditionalInputB.14 = 18e1dab1f2af82b8912be6791b003d7b0d66ce76a78cc17b753055b7b48cd2e9 - Output.14 = 5af9e042af202c9584bb69cb54738c0352ef2c9b9483d6fc8efd525ca38e62f535f2ed5658770e8cc5d53d9f1964b8a55d871c78250851491441c924701a52175410f52b162ebfe3991a72472d8842248402a666d726ea71437fc4a521543a323d501a6942ec4b7fb77ce462face53a2ab9b1b9fcccfe2346adf36027c48293e +@@ -33531,6 +33580,7 @@ Entropy.14 = 1194beb668839c47c73e7516f9ba09d23dec3553b3b5532f75b260106dcc2abf + Nonce.14 = 3c8a77351e93065d584feeb08c8424a9 + Output.14 = fabd48bfcdd07968239fe538c2d8c9bde2e257b9b244078f39287c7ee90de167fff56a693c4e64f45081635511b5fd031c0270a31b4a014e44c0516a55ae72345aa11dffcda4ccf8cda50f6948d5ae425d8d53ad5c74cef1364277990156796e1c5dfa1ef095c0d8983477eb24241135760b02c86c86d4ec3627edac8c1a7e32 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13478,6 +13529,7 @@ Nonce.14 = ef68efad369ca5fe791ad438cf9dbbd2 - PersonalisationString.14 = 012ff5b08fe14fad65ebad5f15d74fd72d8577115e5e91262043e85a13a3043b - Output.14 = 1779c05411254dc5ff714eb56332cdf9a378a160bf0a20ca2da9e4c3b4e3c425d2f08dc969bd4924560c8caf9686b27720307af8246e6cef20fcbc00cb1f137b6efe9902f9944c1384bf917675a52b7b816795327afc4896182a78d4664b98196f89c466d5fe1e2a54122035863c8bd61461b2ef9e7b469492ff63364b013dfb +@@ -33611,6 +33661,7 @@ AdditionalInputA.14 = 626385595bef7103af0af700e1df048d7572286af709289b7894d2ab09 + AdditionalInputB.14 = bfe8946dbf27d3a2127ec600351c3920d2531eb9419408233e0a888059b5eb68 + Output.14 = 
ee6d07661828213e6453d94faaf76345c70949eca4965714c350313b0bcd8e079e6a07f8b2f7a91bcb7ef39a61568fd1c40ab78f154b3582f830095d571de29f81f9565e46b560d34c32bff55341a991f8e863bd9242c7cdd366be12538bb6922f1abfa19e7998aac61d465fc46538ee9142acc66786f4516ef4105fe1d80372 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13573,6 +13625,7 @@ AdditionalInputA.14 = 77d998ddfd7ab7577ca9f51d6cfbec955aaf9f88cbb3ae32db7f7c4609 - AdditionalInputB.14 = 9ebaa09e7057ad7cfbf02e8f3143ef7b7c1dd6158f641815ecdf8e4a65c17f19 - Output.14 = 161efdc30cdd124d4d6b3d43798dd79bac70f494c3ebaca111cfa3d9343bdb73ac0def00776486584f932cab74ee12a391cbf4890b10044f7de6c73f973e43837a43b7c47a1a9a36d7e62f9b7ce40064994a610b92d68c6d37aa5d9d92c3d858770ffb8fbd87324b49101bade3f2014bcae7deffc1e4f6a1a91ddfe7e6aa33cd +@@ -33676,6 +33727,7 @@ Nonce.14 = de2186bafa82b0d08a0b8215e3424512 + PersonalisationString.14 = d96db27febe22db935b117dc3068374e39c5b2119b497e3c1d858ef649e01de5 + Output.14 = d04435a8aab397cfcee5151f7aa24298ffc6eee4f577cda42d5e154b8d28cb2f0f945f11a15ed5b76486c88f03081cfd262d94a8e0b332e3c9c608461dcc8eba20d7db209810d25c226fda9fe218022a9b2c96876cb16c06c0553dd84ce57e20338c3d3e03c59ce22e668e25c2c50d5cc9afab91f50a28680964c2dacb9d2fb3 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13623,6 +13676,7 @@ Entropy.14 = 0653c409e957302f6eb62bbc4f42b30942ff7860e7c38dfb2fd26b164e83a713 - Nonce.14 = 273f7eab3dc9bf11216d5216bd12478d - Output.14 = 51dfe9851da8d7d5add3dae413d8bab8bc7d1fcecea00795ffadce047d5243ae36f29f3611fb8cb66e98717a98735384aa6a310696356cb48f4672b2ddccf86eb44777c1616338792629b6cc6ec2b66dbacc1a6b66bd9364914f1f43277f6f43e13145fcdb73a4aca6b784f9084d22c967033651da610e9a85b1eb7513683dc9 +@@ -33771,6 +33823,7 @@ AdditionalInputA.14 = 5d9446eff72d59529a90b498d8f40983b3b2904f63664fc0aa1de8700d + AdditionalInputB.14 = e19707aafa391e8622539d52a05d930292bd0f7c17825dbed5fb7a2f8734081b + Output.14 = 
6ce2ae37349cbef9ebd1f9b85485810a22d430d94abf66912dd7b6cc751400e777be2f1cebc19d65694a456b2c6429cefd95eb934030846708d50be3b274c2f7de299f3c311038491f271448c7d02ff51de048fa1184e8ee06b7b46a9f123daecbebae4a2183dc8eb6976abf0dae7cdbea6017cd1500f37dfadcce0c1956ea87 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13703,6 +13757,7 @@ AdditionalInputA.14 = ca73cf447f2fc3984a9de0290fd9a984a8460ac715cddd9e8ed99aafd6 - AdditionalInputB.14 = 21dd9cb8e146954a9745fabe039f6f52ba8200f575e9bbe19c703b8864f34e93 - Output.14 = f1b153ae274a380c28668f1ee2c8c3a91f5380d41bd611d974e4e419a37debe664d0b706722184fd3e805f2ff05554bde7219023d1f62a52970aedf4d77e7b4604cac2a804e7b9353c087752f7f185991b10910724d0fd06dc6526d6102c8d0ee8c32f6692c2786d3b715bf3860539689e3f415855ddc37bbb6750972f3a45ca +@@ -33821,6 +33874,7 @@ Entropy.14 = a7a1dbf7f828555610197e71e0ad563b8691589c5289ced03e9ef83b6f9ff938 + Nonce.14 = 4274788c5d80e26ec1ac3a57b9c7c0df + Output.14 = 5a907a26c1ef588219d4c69fcf4c5c283ab148a77588a40b323bd24e6dfb29551c4b6116c4d61349f5f8bd9ed497f38b239c37283902beb3c9700c768fa289ee4573f92316efb860a5ca4267b328f03c13138b774b4b9f7516003a699f7a0854a0efb045a5932753a771c2cc6119202b33336f10edb715bcce1d20ff503dda01 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13768,6 +13823,7 @@ Nonce.14 = 10818cc50b58ccb660d65ff705041a37 - PersonalisationString.14 = 2756a89e79266d6d86bbd865708321f529b023d0cb5ee5d9888c37db33dd5164 - Output.14 = 7b3d778ee1623b08875305d5761ce2cf44ef1bab87c7d0f29c862c40d3da31240e7450d827909b6b131a9b0e9ad68d5c02caebf4f3b0b7d7ac1cc58e353ba68e7ac9eefc3de1310cf9bf5f4b854ef3fc36e940d4fc50072845a83c38a7d4372c191b900d11d11a907a50607c348951ccfeba4efc30377e4a965056e4e84eeb02 +@@ -33901,6 +33955,7 @@ AdditionalInputA.14 = de1bbca12357943b4489cc7209b3f063b51b91acc168ec5e0ad88048b6 + AdditionalInputB.14 = 6ddd9aba4f100ef902ba50adee53ef44a4f45564c13e774e69557e36a357e7cf + Output.14 = 
544ec80a966644454886fb97a0f05eb6a4a25fcbce795b5e5b27ee06ba14b7de18dbf54f80a670b87c76c336ac9af16c8958ad6c1bde9a97aa4c1ab5823d24a53c64f6766ce6eb9b7085cf7282499c37fc1e2e825f53bc357bf36d5901e0ae93cd3bd821fa18b5aa17548560f7ad6ef38124814fccf9b2b89de61cfc27c7269b +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13863,6 +13919,7 @@ AdditionalInputA.14 = 764b81871036cf65802c4e9659e25b8039be84bad1b121b536d2ffc269 - AdditionalInputB.14 = 28d46df3c254e5cc199e14b45bb1e2f85a5da03f49dd76b5a16b76723d5b9855 - Output.14 = 94e1fa76f879eb9840cd50853565f43cd7b0545705bd9a35494668bef7d7e7085b48a455b38fcf10f145f28a599c58e2f88c2855f2437a17d7333d243a1c25b76bebc6a94f7abc3fabe4c78041d9b3eaf675c11970b14cfc6ff20c8b23852b2733ef8d8416a920617a9b271beeabdb0462e5d23fd68b56f58e3554e81493c5a5 +@@ -33966,6 +34021,7 @@ Nonce.14 = ab7843b73ecb4858f2cc5e9dfca803ef + PersonalisationString.14 = dee559515084d8ac49c3803f09f3d5fed3b307946a2752c267677f22786a0125 + Output.14 = a12f5e8ea3bb174934c15e5d114ba615da33210c98c38d7fde4b5aef9aecdeaef311d929d7fece7fee11db67134c3326b413b8dc17766ba4fb881105db68688b148fd95d812f6538b14f25afaae84d39025336136d270bd643f2a6c7164930372fb1c8f4f0dab60283e9d8d3440ce8dc66761c5d5c4c13cc3a367feb4869b559 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13913,6 +13970,7 @@ Entropy.14 = 3bb1f6cabc56a02643eb767cc6e5bb3a5bd765555e4e27159ec905012f58de22 - Nonce.14 = cc37cc9b20a2e4de0bdf8ccc3261eb90 - Output.14 = 28f20b9a94340aaa6ca98174b5929ce3329d81bebd67faf5e30d12f775748c34c848bcda26cac8b4a9b34c7c92c9984a6f5a85269583358e985c2b372a887f9e3f0f3920dd512def27d818522ed1a49e96d00a5aeb41bafd152144a8b6f93426e73d6e8ef7a8a5381bc464b24061080af02aac51fdc52f404e1349b7d04daef8 +@@ -34061,6 +34117,7 @@ AdditionalInputA.14 = ead8c0dcf4ddc909aab96eadab509a46908ee5f090983af609f08d8a8b + AdditionalInputB.14 = f357bda8f2048929a4e31969ec978cc333d58b4fc09a8aa1b73ec9bdfaa1a8f6 + Output.14 = 
901aabb3f065be08e2f8072d5d3ffcb28ab291420644e407e7a6a3346b75a5be535bdbdd5a8245998689450292df877233ef0783e0bd1765413193790995d884ffcb2c8dc35fe4cfc12def2f091866d735b1dcfc9d8d8c26903d50e9397b1bbd674bb81fc908361b2bddb68f02031d87588cc3e94210422674e93fea6a5329af +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13993,6 +14051,7 @@ AdditionalInputA.14 = 2be009fb81ff22c5c2e15c988cdac8f21a6f17a4277fb1df773bbbcc39 - AdditionalInputB.14 = 0c869f061049dbaea48af93272c5b321977659a79f8bf0a5c6d68b982ef44b88 - Output.14 = cd9e8213591ed7e30743ba0dbae5f08a4021845d961040c5188093d518c3135048ea8ff052fd66fa83bf98c06d39c6cb522dbc938b6824f51488197159666369e7a9444e04b7ce5832bd6db1b3cebf8c0f7bf865bfc3cf60d2a2c0ef06abf7737590fba097c29fed234369cf9f064b142ca30e3941093904945021372c20d90e +@@ -34111,6 +34168,7 @@ Entropy.14 = dfa94c198483c5daa046f1dd1e4e83f854fd6c5cbc3465f671bdfd36837779ab + Nonce.14 = 298de64bbd817d009a71c1424ae839f9 + Output.14 = bfb9a54ce31406a82608aebc826441f8f633813a0c3bad723b802f3e905a6ee3512ff3513062aea51f93be17aebf1cfcd81868e85db3db9aa98680f974001fda8fe6a644f5efbb9d6e52e99ff606ef1ed7cd3b17fa6c6844790ed58da6df61aba0c200d7dff943588f4520891798098bddc65797b2f99c05efa090c60dc48a4e +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -14058,6 +14117,7 @@ Nonce.14 = 704e8e29c7aac1d8cbe97bd7305f8cb3 - PersonalisationString.14 = 631c5d0240b8d9800211ee6c97a5ae77405a354ac25705f22d405e17a52109cb - Output.14 = 9ee855e661d4293fdd7353492c711b39625ead90849ae5808b1f67c55cabe17ae13f0f18c0954341d6a2d24b899785642c0b29bb1b81fe098a17f8701e8820cacf6c00a8dab2e96e7f8593e188aae48385ede7bb5ed5ffa3f19053663383d666d38eea377d121e0b55ee58ee8fbf1e49c42a4d3d48fb0c9247c6b94c6539f4cf +@@ -34191,6 +34249,7 @@ AdditionalInputA.14 = 066b072d48f6cc6bb00273e0bc0ebc086235fe79af1fbdb46318f56c62 + AdditionalInputB.14 = cfb58f59c6d56993b9f0b5ba1643554072cf4ae8013c236120044ae909083f5f + Output.14 = 
d5dd7f55ffa7d53fc0f679cddadeb869f39b29a6d394c9f1185b11ebefbcb43419c6a26ae3c9ab9d456e2cdba1aead05e67eabd3596526ee431ba7cab7f94838062fcec2363cf0e19849ffef30064263b3a059ce38aa02c2729bff5af9450e035161816724163906112205196c642bfd70f36abb4639fd6e4f7f6a879ebbcc62 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -14153,6 +14213,7 @@ AdditionalInputA.14 = cf6884bb4cf7c08ea954cc2d2389eaaaaaa3bf9ab1dd74372c20bb3e12 - AdditionalInputB.14 = 2b30cc597b280e704632ed1cd2bbbbba7a9953deaa809848eb937b6b1a44b91f - Output.14 = 4de8e3c529bda0753a9ba237633be4c844308c233d6e58995c339cc006c7d4789b5f1a6314637b9749621fae3982c5a748d58c080e12118d4442bb55732da53daeca71d3d033b10a2a807848babb822a346524b4a41e9d85941730b21c0e80a9871c9d9aab0e6d0269258b57fcbf7d703794bd2e5f3d7b3da9d3cf2dc2073653 +@@ -34256,6 +34315,7 @@ Nonce.14 = ea7d3c3b8f6da0667d7f0d543c68d7d1 + PersonalisationString.14 = 86c20a7e794c887898d5bc00e98398276a4e3ad8d674fb808a63a44330490d2b + Output.14 = ee8e21ff48af611a17d33e130f4e4224330efcc1402b6d55aaf1f514553b880f18df68c0e4279854eb2e9b904c552f69f0e1badc347ebe336b70456f221e07a2fc78df72551d99df3755997029ee1461e2b6e396370096d7e8c2dfceb73214a72ae2b25ccc60b92dd71988eda811ceac4b7c335528249aaf82826a14c142007c +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -14203,6 +14264,7 @@ Entropy.14 = 043872fa9f0c4d97e2c6824b778a4fb0debae214d3358a5aa01c0092c9dab6a1 - Nonce.14 = 0fc8d529a37083c2efe84aba8c8abbc0 - Output.14 = 22e8eb6b4d11657a66cba93f89b519bcce87a9bfa5ee22cd3cfef6180cb8ca842e8d408257b8140fabbf1dd65085ae62fb8b1d2a679dc0bb0a82ecd3b8bbc05782a20a6345554a1f5467e9811e0fce41a786c805ce2882f8b4d972b9a37eedbf828a381d34bab95efc47233846f8b5c701563033253323eda41effad5fe37d3a +@@ -34351,6 +34411,7 @@ AdditionalInputA.14 = ea12ddcafa4f578b8b43337508dd8627844d185b10af7de7e907d113c6 + AdditionalInputB.14 = 0cc670275cd2b0eac5df123eb1fd73c2f2b093b76806943918cf49930fa97515 + Output.14 = 
88dc727007c0e03c8d27d00c87876f8990b271964a5275f636ecd7f18cac9c869e5f9df5fb2d34e7f89c2e9819af562a706a03d9be9318896f5ab16573aebbfd94a681cbf27e7202b8674437667893246c267785d0deca5033de88a61bf5158177391c2e3232ea6f812c468d5629ed9f89ad0bec0f6c7a469f56331f9eba1cd2 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -14283,6 +14345,7 @@ AdditionalInputA.14 = 585a4b6736338ba663522b438ab9255782c39b36e6b253186e821ae969 - AdditionalInputB.14 = 2581ca0314c9a224b09c0c2e677e1df1c215cae0760d3ba03d1053156e9c3155 - Output.14 = e244109b937e9a71caa70d627ec8280210c86676b4ea842c6a4569e5da0b25c1ab3794ade3344e2185641c77df4d3011962e8312aa7c2013e4373204d861e27e88ede82873d5d45ae5700ddf0ae7d523e96df236a249ffc6e009e231b77d64f07f395e57b19a4d2961a6046c910d0b8ac3d882129ec3e337be4cf2d9ef041a8f +@@ -34401,6 +34462,7 @@ Entropy.14 = 6b9f904ac4b16d36e06a1bddc501d7ef98d5685c1ceadd0a6e1622e0c1e73716 + Nonce.14 = 4a42f39e5a241a2b96db29055159c91f + Output.14 = 785014b0460831b7b67346c6997217b0f6c8e7313687ea6ff4d0b09a0786bd6ac362a0b1ddc6ab8c9c624625a379cbec7f11cf30ddab23cdec054b986175cdae0ca4ba4610e0711bc94e9ab706539d5fa2c1a4fd3cd49042696b58dce465f8e09a200e7d214cda357021c62248a01aeb95f8ffa8bd49d354fdccf4c71eec3491 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -14348,6 +14411,7 @@ Nonce.14 = b2328815495d926dc8ff075d5834bc20 - PersonalisationString.14 = 4c539b94823c6c7883b071ac395203bfb5117b6f9d5db7cf4063132e6a2a3cb8 - Output.14 = 4f6035946d4305290485c7aea10bbceb99b841770dbf5529e31ad51b0ce138344ac0b193a5074234adab8887a51d9448a2cc637a543372ed93885975b8de342c6a12a1ca8f3d053ced1dd2c7d6a3fabf6ea7860071c035f0fd54ee5775ae3a5d457d4af9e034ed337d79e9fd52c2ad051388dda50aa78d37403f33d52d30f6be +@@ -34481,6 +34543,7 @@ AdditionalInputA.14 = 147d51711ae8a420f165db0000d9d0cb9e9cd5447311eed43d7cc9217d + AdditionalInputB.14 = 2910968bb1976a1b8ced116e673f408da6fc563695c918ac0a230b0bb800c707 + Output.14 = 
357a7269b30ca744e213d894f5c45d0db9fba897e0c863a56062f5018ad9be9f37b8d550014ed68f2c34bf5195c0b7460df171ff3bd4a590578670c92470d876c8de19d48a6d7fa15fc7996be78d3cc8a5c657439f4bb9865bd56e187d5df2531a405e3e0f4b87c611aa8e226b8b0266290f06f8062456a7a4bf0896e4ddd948 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -15605,6 +15669,7 @@ AdditionalInputA.14 = c9a1481cd25c537ba57750d594afd25f - AdditionalInputB.14 = 51e29804f9d079f3074ec398320b2a70 - Output.14 = cb3cd4510de88f8081d8989c2679f76387b7d2cda286b75d659a3ab7c3b2ac77ea00366e7531c1c9f4f8e60c845c5d2a5e05fc999621d011deac3f28cb447a37c2ee815f7f5be3a571d153475d6497a3 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -15655,6 +15720,7 @@ Entropy.14 = 71acb71235e88e3aa6d8bbf27ccef8ef28043ebe8663f7bc - Nonce.14 = f49cb642b3d915cf03b90e65 - Output.14 = 144aeb56a11cb648b5ec7d40c2816e368426690db55b559f5633f856b79efe5f784944144756825b8fd7bf98beb758efe2ac1f650d54fc436a4bcd7dfaf3a66c192a7629eea8a357eef24b117a6e7d578797980eaefcf9a961452c4c1315119ca960ad08764fe76e2462ae1a191baeca - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -15735,6 +15801,7 @@ AdditionalInputA.14 = 03015311cddd0961ec7a74cb84d835c058a69b964f18a1c1 - AdditionalInputB.14 = 5e0d99e0e7c57769a43ea771c467fb5e2df6d06dae035fd6 - Output.14 = 72e8ca7666e440ac6a84ab6f7be7e00a536d77315b119b49e5544bf3ead564bd06740f09f6e20564542e0d597ac15a43b5fb5a0239a3362bc3a9efe1ce358ddd9d4f30b72e12ed9d78340c66b194beb4b12e973213931b9cfd0ccbdf540d2c36ce074e2beac7a4ddac59e06e4c7178d3 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -15800,6 +15867,7 @@ Nonce.14 = e8c5220ae48b0ca1412e9c74 - PersonalisationString.14 = a0a1d6d3887f7ff9f13c85d6ae5af2c840fd85989b7e50b3 - Output.14 = 
14f629aee43f71b61d467ccc37de8eb6110ccdc65fff57ddd2e66707bb768e5de5df5467ccd55002815d306adc7b7d6b5d87c20d2922bf5fd3790282608457b69720be7d7affcdfecd173a741c7fc99f5f30f981b1bc102977a61f1515b923ba53cd87a37faaac12e0af613ba0972a0c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -15895,6 +15963,7 @@ AdditionalInputA.14 = 875e5bc9548917a82b6dc95200d92bf4218dba7ab316a5fe - AdditionalInputB.14 = 4d3f5678b00d47bb9d0936486de60407eaf1282fda99f595 - Output.14 = 90969961ef9283b9e600aead7985455e692db817165189665f498f219b1e5f277e586b237851305d5205548b565faeb02bb7b5f477c80ba94b0563e24d9309d2957a675848140f5601f698459db5899b20dda68f000ccb18dcd39dfae49955b8478fd50bb59d772045beb338622efa5a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -15945,6 +16014,7 @@ Entropy.14 = 30efbec33ef98a928e9441af3caabb34cdad892669e88130 - Nonce.14 = f77b7e0fcca6f8733e0bb0cc - Output.14 = 85f5368cb9f44474af6c4a159477c5cdd05eb0c0a37847bbb07e9a9c8f633ef2c3727d017f1bbfa89dba056062202f5824b3a493ab53a2a5fcf796d944577f1393d35f2a284453b2cbd8eaf35b9bae7b87c156cdf9cd0a2fc94ddb0d4842e3ab4b6c97089cac0e32bdeb32dd8233fd6e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16025,6 +16095,7 @@ AdditionalInputA.14 = 5c15fa9dc77d6fec5f7a4a3e4a315c05de2b5e46efe54934 - AdditionalInputB.14 = fb65ede490ee01a1c100ad5e23a20f91b45adf1ddc15c590 - Output.14 = 98cb3191831dc79334e8e37d5246600f822aaa40964b91f345b9df90929db1b7bdea96dae9aeb88d05fade5ae6c29aa8eeec7fdc96e654c5ea41ea01e3104ca4d287bb03005feab0bd1f85e556bb6bc46a2227b14fd94f9e6cfd0341cfce951851feb967968d6cc818f364345b715bbf - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -16090,6 +16161,7 @@ Nonce.14 = 46f8ee037b927ec766de0aba - PersonalisationString.14 = e6299e0eb5826e498d873ac02892f01e02f6632101fcc090 - Output.14 = 
d86bfd8f9d80eda3bd43850ea6edab2ba4f69ac8eea623fd6bbd5c0c920620f8cc136b0170f0310a156271981a9cf7629e1b8f0759de1e99e20a0930ce3bb7dd2d88bc9172a56108cdd736dc529a6b99862bed7d543bdceeebf450020762652d520105f5c5cc3c9a6ebb64af2a7e82b0 +@@ -34546,6 +34609,7 @@ Nonce.14 = 66ad2a0d5de624f3d709cc95e5c99220 + PersonalisationString.14 = 6f7f8f1ffdcf859adcf6020d5cffdd8e3e1bdcaef0b22e9e61384b888f1b3537 + Output.14 = 1bc4cd76787f031df8e4f592f56a845f7d8aa200aca0b910e68f149cde112d0f1e127faa7fae25ca4299eacf9e49e132f3e4083f1c5fb0304b714f06cea122bc1392cbe18289d2411ae08642a9196b654a8b177c127b9215f9df815eceb254b8d9b4f632d25d123ceec686124e58b3606ff1ce51fce0752f42232c03694a1d8a +Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16185,6 +16257,7 @@ AdditionalInputA.14 = 82f895626afb606f335f5f050f0fdf3b45275e0b451774f2 - AdditionalInputB.14 = d423d43240cb6461402a7755f247573f24fab496e00b2e5d - Output.14 = b32c753900d4a0a0650d35d0fc918b3aa5f253d4381598ed475147f32c8b002bc08678e45bed1b9b519cb9729972886f85e581c75d3c2c9fd6ced929be29aa3befcd1d3fabefec590ca55612c1a0409446a01398d0e4775a548d118a32f29b0dc29530329d2a7656e5d3ef66db2b9726 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16235,6 +16308,7 @@ Entropy.14 = c617061099a17392c3092d27728b35e59eb45814e9df9fa5 - Nonce.14 = e1634c0d96cf91c53b063450 - Output.14 = f08234ed8621f1f551cf49ea60140313a71341f6886c484a06e74e64aba6f8ffc2cf1edd34cd93e836ab033fb0893e52e01da9b3104fe49584a45447c136222b1c1f1d3cf406a80ed9d782d2ae277790eefc5c06f954e654f7f283ddea79d2160cca1f63d0ad00eae9e882de34ba4083 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16315,6 +16389,7 @@ AdditionalInputA.14 = 857ce19dd6e8a45be185875f1a98911062045553e8d28ac2 - AdditionalInputB.14 = b5f1998f0fa38145edb86ae4d569ef4dc2e0aac0a815d3b1 - Output.14 = 
8f0d978b24bae2a0665beaddfa61e8896ed7976432bc4f7c444699e30b8da1ecbab8990bab9d0d72ef6f6b0b27ede12dc171a43a14092d57e3999cee71b1356da5f29b17fec227ca2a4887bd990fa33e1e01c8a9f900ffbeb300cc5ce9d7d2e25a44fafc07e34acd61d425e0d36fb0f4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16380,6 +16455,7 @@ Nonce.14 = fc382061e29c4047c6f05dde - PersonalisationString.14 = 9b2eaa4c2a229cd2bc5de218aff95f6e5fbc7ef150bdb50a - Output.14 = ad49119d6b4f25ba34050920fc503d3d0d331ac2535d916a58d781317fcc2b1117618e9105ce192651ea9e19fa6756975d207c662f2b464416d849cb67b9af52abeb84f80863943af99c7916e78317a091ba90714ec8620f661b41d648c15c06e822329cd7f145446c5c3630a4243281 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16475,6 +16551,7 @@ AdditionalInputA.14 = c9aac7bd9f15385facc344dedcfa754bc9f4f30277a3555a - AdditionalInputB.14 = 42de701acf5622b30e7672bf7115043a9912c1758c1b316f - Output.14 = 972ccd5aa60966bac39aa9c891c7c513244efbfe3446fde6806cee991851f1e4b3d4a4a0c04b57242deb4f53d27040879562fc5b32621b46a642f3c84063c5195faf9b78ed92145821ae554d58325b03d60e11461adaa8ac87876559e1cbe47f7b5c33a8311294b0e54a44c97d4d2c9d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16525,6 +16602,7 @@ Entropy.14 = 47f141d1d0142d53c10628d2d1dd77aafc11ffe45f29b126 - Nonce.14 = a1e958e036afd40059ce9639 - Output.14 = 2096935329ffd975154c38a2c22e30ef12b7acbacd39868032d6eb31a596e617fc7e05026b3dae231f256ea94dd4ea4f05734eaa7916be6f846b0304ff0de389f3390e51641103e7dedee99e56d9455c80a7e10edfd2147a50b3864b05443a1646fccde2197af1d1d72ae3c2d4594218 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16605,6 +16683,7 @@ AdditionalInputA.14 = 49a758a4e0a8ce69aa2e5f9b7940c6fbcbfc4fdc91165e4d - AdditionalInputB.14 = 9c8ebc02c3d92d33112a15747b6367b8d6db3447cb9be2af - Output.14 = 
70cf10825dab6c1abcc1532a1b2bccd96f0638d02eedb40a7ebf97093f5d0295b6bc74d9e48290ab39260d684effcb401427a4ca62b971e5a31f06c14a9f8e3851c3e79dfe129ecf8a8e185ee58667e2b692474a0d5f0a39f9d794adf1cd71c1266563dde24dc944661acbf849fe69fa - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 + RAND = HASH-DRBG + Digest = SHA-256 PredictionResistance = 0 -@@ -16670,6 +16749,7 @@ Nonce.14 = 82dfae196513724ae269204e - PersonalisationString.14 = 6e01d897ae919812b8408f82edffcfed8db6df2e2cbebd95 - Output.14 = 6e9bebf2e54d8da4e8ede97ce463239245ff1b021acf4441312ddba96d1f3d750bf2b9583a8aee76e2ee36a56d8e2fd4e11377d15ba3ad0876fd467c375a744240de0a7b38974e0e7b27c3917ce4e22f2bc78861f6f8b1fb42edbb1b0cb869fe5169527064cf2f38c0154082af5457bd +@@ -39331,6 +39395,7 @@ Output.14 = c731cc7b21c42730bd3cca61fc5250b507ad08b24ac471d526f2217f15dc4d1fea85 -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -17925,6 +18005,7 @@ AdditionalInputA.14 = 9ba9285889d50c27bdeb4a830a5b3120931a53980b30643557444718cb - AdditionalInputB.14 = 0f8716df331067b8ccf0e5b90ff79dd0f962acc69fc5f89c593bbb84e3501ae2 - Output.14 = 9d2c0053a0fd3f9be1fe33db214f6f2d54aca573e0642bd269f1b1ca23c42a1e85c73449830673cca14feab4d2686814edbd90c325e0fbcd5a2d7ca75334dbb113a13a0bb4e838f6724c74dddfca8c2bfb903c362d3ea82acd60d01749f6dc01fcd6708009a58ee9cc57a0d089095efae66aaea68ac247cf6aa8808d1038a109 + Title = HMAC DRBG No Reseed Tests (from NIST test vectors) +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -17975,6 +18056,7 @@ Entropy.14 = fd54cf77ed35022a3fd0dec88e58a207c8c069250066481388f12841d38ad985 - Nonce.14 = 91f9c02a1d205cdbcdf4d93054fde5f5 - Output.14 = 
f6d5bf594f44a1c7c9954ae498fe993f67f4e67ef4e349509719b7fd597311f2c123889203d90f147a242cfa863c691dc74cfe7027de25860c67d8ecd06bcd22dfec34f6b6c838e5aab34d89624378fb5598b9f30add2e10bdc439dcb1535878cec90a7cf7251675ccfb9ee37932b1a07cd9b523c07eff45a5e14d888be830c5ab06dcd5032278bf9627ff20dbec322e84038bac3b46229425e954283c4e061383ffe9b0558c59b1ece2a167a4ee27dd59afeeb16b38fbdb3c415f34b1c83a75 +@@ -39381,6 +39446,7 @@ Entropy.14 = 5d80883ce24feb3911fdeb8e730f9588 + Nonce.14 = 6a63c01478ecd62b + Output.14 = 9e351b853091add2047e9ea2da07d41fa4ace03db3d4a43217e802352f1c97382ed7afee5cb2cf5848a93ce0a25a28cdc8e96ccdf14875cb9f845790800d542bac81d0be53376385baa5e7cbe2c3b469 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18055,6 +18137,7 @@ AdditionalInputA.14 = 809639f48ebf6756a530e1b6aad2036082b07b13ed3c13e80dc2b6ea56 - AdditionalInputB.14 = 3395902e0004e584123bb6926f89954a5d03cc13c3c3e3b70fd0cbe975c339a7 - Output.14 = 4a5a29bf725c8240ae6558641a6b8f2e584db031ef158124c4d1041fe56988fdaee91ca13925fee6d5e5748b26cc0275d45ef35abb56ad12e65aa6fe1d28a198f5aa7938fca4794c1a35f9a60a37c7360baf860efd20398c72a36b3c4805c67a185e2f099f034b80d04008c54d6a6e7ec727b1cace12e0119c171a02515ab18ea3d0a3463622dd88027b40567be96e5c301469b47d83f5a2056d1dc9341e0de101d6d5f1b78c61cc4a6bfd6f9184ebde7a97ccf53d393f26fd2afcae5ebedb7e +@@ -39461,6 +39527,7 @@ AdditionalInputA.14 = 7206a271499fb2ef9087fb8843b1ed64 + AdditionalInputB.14 = f14b17febd813294b3c4b22b7bae71b0 + Output.14 = 49c35814f44b54bf13f0db52bd8a7651d060ddae0b6dde8edbeb003dbc30a7ffea1ea5b08ebe1d50b52410b972bec51fd174190671eecae201568b73deb0454194ef5c7b57b13320a0ac4dd60c04ae3b +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18120,6 +18203,7 @@ Nonce.14 = afafaf2ad7e6449308e176be01edbc59 - PersonalisationString.14 = ddb4ced192f52bdfa17aa82391f57142ac50e77f428fa191e298c23899611aad - Output.14 = 
b978826b890ce8a264bf1ad1c486aaf5a80aa407428c0201dd047fa1b26e9ea9ff25a9149215b04c2f32b65e007e0059a8efe11481926925061c748678835c0066f596352123f0b883e0c6ab027da2486244da5e6033953af9e41eec02f15bebdb4e1215d964905e67c9e3945ec8177b8c4869efc70a165719b8e1f153c41744d44d3c56a15822d522e69bd277c0c0435fa93e5e1bc49bc9d02aee058a01a04580a6cad821e9f85cf764fc70dfae494cbfa924eab0eff7842e3541bc29156f6b +@@ -39526,6 +39593,7 @@ Nonce.14 = 296bfe331b6578e6 + PersonalisationString.14 = 4fccbf2d3c73a8e1e92273a33e648eaa + Output.14 = 90dc6e1532022a9fe2161604fc79536b4afd9af06ab8adbb77f7490b355d0db3368d102d723a0d0f70d10475f9e99771fb774f7ad0ba7b5fe22a50bfda89e0215a014dc1f1605939590aa783360eb52e +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18215,6 +18299,7 @@ AdditionalInputA.14 = 9574ca51f21865c2fb0efc75cc9d90ec5e9c43104979cd64d00ea5544e - AdditionalInputB.14 = c0df840a18d7584b62c70b2f057bf824168edb673cb517cd9dac89a0fc80c9b4 - Output.14 = b31e50202f883a8563cf129a0d5f8a33abad79d8ec8a97167ed7fca778e5892480617cdf50b5e51547f7ec1bede35020a311572c61e33e9c82968e8f69586daea3dc19063bea56503f8ca482918d229949acd6f1c52cccdc5f7f4cd43602a72a5375f3aabfd2834ee0494823beada2daeccbed8d46984d1756fe2207ca92186b506115f6de7d840c0b3b658e4d422dbf07210f620c71545f74cdf39ff82de2b0b6b53fbfa0cf58014038184d34fc9617b71ccd22031b27a8fc5c7b338eeaf0fc +@@ -39621,6 +39689,7 @@ AdditionalInputA.14 = 4de6c923346d7adc16bbe89b9a184a79 + AdditionalInputB.14 = 9e9e3412635aec6fcfb9d00da0c49fb3 + Output.14 = 48ac8646b334e7434e5f73d60a8f6741e472baabe525257b78151c20872f331c169abe25faf800991f3d0a45c65e71261be0c8e14a1a8a6df9c6a80834a4f2237e23abd750f845ccbb4a46250ab1bb63 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18265,6 +18350,7 @@ Entropy.14 = 5f28c73baaabbc09e8260df3b3577c21f2f02be057bf49d2e73098ed5ff67f89 - Nonce.14 = 8c2f85b546903d8d4c10fe4549c3f673 - Output.14 = 
1563c678f1b072813888970996af33c2a6b70b8dfd2e146c46df0616509382062fc9c72d223ebd555f4d8892aafd7b3b61619559fe3d3e7b5e83c07f422eeac912ca7d8858a2d25b966a8b34348b8ebcf44a4651edb9cf5a886e383b01423322ab3002edc8c936aef869d7638f38ca6688c308d2a17fea0ded21901d8e9f1ff8508762cb1dc7e700970938a0ece74c1c2d1801230ea785165d62a7ab0d6d59caf36b30be8e2e1f691210373b7a2866e32ba4b49b6a2f9cc9b80aa1340ef5c76f +@@ -39671,6 +39740,7 @@ Entropy.14 = f41d60edb7749acb68111045000ccef2 + Nonce.14 = bb5fb8962ca3002f + Output.14 = 262821119be1ee0bceedc1bcfd04f7fa2e199b2a7522c4a3a98c4174e0ac4ddcf7323dee2fcf9fbd2fe26c4fad347f7199be105730441f042865aeef50b89c00aa661361b6a1f20849bc7c70aa294543 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18345,6 +18431,7 @@ AdditionalInputA.14 = b5d9cb4b3709adf297462f1aa8875c9f84bc39e323b8fe1c0df269344e - AdditionalInputB.14 = 5e47728cc468e0d2c6b6a90a20f83a9f0565716af54844552988f1d8c3a83eb7 - Output.14 = 548c3496135ecfa1119098ea2d862d421af024a844c37a02142e2545e4ff1038f4b73c7f6b7d0fba8f92f292cf5ca8fd57dbe7ce129423e0ddeb1dffe89252dd6b50495c88f350bb77e08c8be409064f7e9cb751aeb779eae30b7c471dc41365f128d22474a7e90a9953e948642001f8e6ba8f91d250d8b4c6407892cd96b12e5d94e4d7608e6c11604357436c8d1cc07a21aeb58d396f413a31f72af1ac06864ba68c04e0c25971c1315f5a8c5c04fe252105fc822452d0cf66f86af13d613e +@@ -39751,6 +39821,7 @@ AdditionalInputA.14 = b4894bbb6435ffeb710bf5ae440bd744 + AdditionalInputB.14 = 689fb48c27983ededdd56d5a6b2c0345 + Output.14 = dfe8a9e17b938a1782fc3dba4f234dd9c9e36b67b28e1d901ca6b3628689aa4d2ae6b005ae3ce97e0d1e645da2710162294606ce51638b91e9c46d8f7f4f1a217e44c36b560f78b0541fececcf49b9b9 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18410,6 +18497,7 @@ Nonce.14 = d28f752f6e466e3fd9595fd380fa14b6 - PersonalisationString.14 = 232727310fdaac541b182497e5240dc2623a36b4efa7a912ab3ffaf9939c2336 - Output.14 = 
3bc26201261930bf3dc164d25287e41efb47c07c8c5c0adf3e86613435df202116331cfccd4e07c9ef008c62d4199d937221a17dc97be2043270ecc605d3d48c609cbce3aecba3557dddb304f440250b2c9fd78838483e2d5a2b22015b97869b891f9e42afe21df5fbb8dfc9061468c70c63a14b6dcad9ccdeced41d021dc0ff47821415e8793d34377258d9d6629b9e396b9d6b8bb7fc22e03ecfd4890d16912001cb7ed002e33a595052ddf7b991c5607ab93c220b2122783d51a8372a223d +@@ -39816,6 +39887,7 @@ Nonce.14 = 3c9434b7d7e18472 + PersonalisationString.14 = 55bfc33da17f712877829b7f8a134e55 + Output.14 = 705950e4790ada95b99ace57e31115610ebc65d755fe587eae8fb1aeae463bea8b50a278f45e61d3433272ec31b0d48afcf219f5f4a0adb20537be9c7cb65911df28976aed4b4278cc524639a1ca5f40 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18505,6 +18593,7 @@ AdditionalInputA.14 = 50ceb01860d60ed119f101d5c573b5db00402dbb03885a09e8d326156f - AdditionalInputB.14 = 01e09092bc892916c29f7b515823f244d147d4b16976cebd6a76a37ef6e62998 - Output.14 = 6f1379c44d8131924c9a78286e80ebb34604ad78b531e795cc30c4f0aee422e4052f201ba226bc0c2aa3ec341fcbb5a87e24b91c36be7dda62addba6960df1289372e9677ce030555a9bd1691f559b8ff787dafa35cff5dfd66a2abd83f81552a82ba6ca7d21c438483e60fd77f93bc109f5be802035412c2af2873f5cb186b77dc055c0e0b27b16b1ef37de0b81fe63c4074a7cc8c3d27f71a992b5468351ef8b84a7b3e8f12458ff670d1381d879feeb1cd3b93436580c86bc2c33f27448d4 +@@ -39911,6 +39983,7 @@ AdditionalInputA.14 = 7ee4f3670c4671f128cbd743c408bdd1 + AdditionalInputB.14 = 38f8003e8fb8c119534a2c3400a87f8d + Output.14 = fedbb1636b83c5cc5379c9aa4d1319df6d30770e469c2f7bd65b4b74d9bc880d520e11b2c3642a7c4cb6d6138d1d92f716317dd762c0a841e56e7e0226971a7f470e918d44b4f374f9e7e3b5209516d3 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18555,6 +18644,7 @@ Entropy.14 = 57050c5fe58b2a2a0eba0d3b9c08a9b285e1180d2a297e0a9ad20740c6fa9f00 - Nonce.14 = fc309209936c569a1367d45b212a9a50 - Output.14 = 
288668476b39814edbce5ed91951cec398ba2dc3bad76048df5fb1a2a680519c217ec4d57adc0251e1f8892a866b142e0953353bc2dd207aa2703f81814d26a60daedfe94d97de6043ed5f3bd957b7516681827f7a36d1b2a87b692c67aba050bc38b5e84f65f07d70cc34549f01aa390c5fc8dd01304fee7378e62549738e3f710ee6a4e32db3f472e1c2ef1e803e57a8ea992f389f0823c922bcea8b00ab844e071579170baae90839ffd5e00844ec343b02db090847cd323f8a68f0dce64e +@@ -39961,6 +40034,7 @@ Entropy.14 = 5b6aaaf5c4e5acdacd2c0c14648eeb3f + Nonce.14 = 353cc1174da7f766 + Output.14 = f7664dd99fb870dad1a45a4ddb870c9936fb42b3a063336e447f15703c5a95dd79eacd9f41cd0c1b4f2e1a45229aca140f463c1beab47aa0525e5bd6e1accf360bc8525430ba05fd14d1f008009fd586 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18635,6 +18725,7 @@ AdditionalInputA.14 = a633f5f05ed8b09b70683a9f9a8e998ebf843b68a039dc3aa40cf30a5f - AdditionalInputB.14 = 9a57c6be8c1d992bcbd599952bd94a755d7ad686698991d189afd11cb88b9f53 - Output.14 = ae0fd8a1bf6f2f53f9e81ecf6f40ff6a36fef58a3f157b6a435403e48da4e88cab7871bfe2233b92afd228bfe3117d7cff0798225a901663d51f0491109b9c631dd6d32c5bec2da321b8e64ebaced87a27f17f67082df944fa94acc6c557fa6816001642e38b7d776c631212b782f71aed6db760f90e0de8e81baaf4d419170362932e6c319dab948749b331aae41b4cb3267da37c9233c36d65d5482c8940387498453b226af485a37ea16bd9e4f938618f70aec97e8c1430a8d8b6aae396e9 +@@ -40041,6 +40115,7 @@ AdditionalInputA.14 = 4eb5c1192fa86b355237b5a8bd43ebf9 + AdditionalInputB.14 = 7323d1a6f983b7d16df6b0aa9d14adb4 + Output.14 = cd41a0d7371b2eeb790fa8335660385c418ba84507ba94d1d1015b3353cdcad556993c19388461fd2cce38cc9fbc00e707b18dea9d712ac0616b443b23aee8131c295a1a741ffde36b2032bdb8ae2f6f +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18700,6 +18791,7 @@ Nonce.14 = e1609138b91637917ec170fa3c3fb278 - PersonalisationString.14 = 230db2e57b87e910cbab26fbac7fa93a65c07c1ec004c74637e346c2db63288f - Output.14 = 
fa58f2e96776b4aa079dbfb49d81d8abfcc30d459caeb45dec4f1766fdc3b234d52cdc5337ea770e71a28cc42c82cbefce896d1fecea5a5290300208aa79b5ff97d2091498d749b66a9e5b2da7b774567ae9f83b87a8417b1bd089935e575b16618ffe8ec04b91fc9315968dc395fa2bb8776133d3ede95aa89ae675881b26ca831fa5fe6cba800d2fed1d509353e8cba6f007cf3c5e0b9424cc034e1c817d5f7326764f5ed1d17ddf8900977a0172dfab50bf4819a67e4c1af4704f59eda3bc +@@ -40106,6 +40181,7 @@ Nonce.14 = 9bee7502db25ae7f + PersonalisationString.14 = d0e8fa47aed6b67ca4e8e521f733921c + Output.14 = 3c649d295fd9b98082706f3f841f5275834143698c202da4c881c7d0a3c9995329a54d440fc4d21ab596e95e5b6651c6e7138b332c97ef771bc6e3b0b3fa09090ffb402ed1116d8395e5f1cfea3eae6b +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18795,6 +18887,7 @@ AdditionalInputA.14 = 32f618446311f03a0038dae07e85e19006a55b69501d764c241f683be5 - AdditionalInputB.14 = d64a97650e2f25362fd711c7abb5635672e16a02a1dd5ed8a181762e86f4f5be - Output.14 = 54ee53e6d18e974913ec235a37a706868f217af33b25e8e5369d90071be1d01035ca331b8514f3d6186a9ec62b1e7808b7fa22859eea21e4b8113ef770772561eff7f8b6ac22125d002f6ba9f53b235f7d85dd5b601787201ee1423de5d971b2e758b3955a048b50f118c01122a8e657f69a63843bea00a46c4fc2ebbae36adaebfe3e6c9b1c82e498d3fe48d332ac1bf31ab4c80830086c8ee4b1ea190f8e269f74cd760f5a29d244064d09c1bc30832482d5205e35604a388250a7a196ec74 +@@ -40201,6 +40277,7 @@ AdditionalInputA.14 = d56ade0d74ea34577eb12a899d18d382 + AdditionalInputB.14 = ea83bdba8490ffd136def5f7d9240c59 + Output.14 = cd3d8174d8af97387ff02707d2757ce685ffb5d8dd91d95b8af4a3a757f9321b0e908096cd1321de0599640b7d81f43606b12e029ae158ed568ce1db429be75285c655e15f88da859f09b4cd843a0b61 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18845,6 +18938,7 @@ Entropy.14 = 9168436a8600415b83062125de0ce6a998090216dea7374af08e6d3becba054b - Nonce.14 = 94206c91dcdf9c7c3f3571c703013419 - Output.14 = 
ef12bd2b6dea20cd197ea9eabd98eec1a2943619cd2a96dd16a6c5485435e00c59570ff14d7d9fc09c99ade0e5ec12a84c0a8ccd5677fa9b92295eb2a620e8a0400bc9ad8a1ac1aa4969d8d04b77ad59b81d95cad75358698107dc8a2ff42adbd679ab29cc29cd6ea756f4c4e60c271c3134c48b5d5aedecf011e73c2663ad1cafe57120cc70137370760c350f4e9c0b8e9b01c9acaaeb56094434f4f87c67a5b5f674783204ab0d0598c06f0802a05ec97073c005f3c9f772fe0bb449c1cad0 +@@ -40251,6 +40328,7 @@ Entropy.14 = 1c3fc8de26ddc78651c9c2e4ba874ee0 + Nonce.14 = ca6a2d3cc5495dd0 + Output.14 = d00ff8d3b8ca273cf7c3650e36c892018c0f765da45ab5b902c5accb30ffe01a99d3b86752195dc9aa1232fc852790ef51860fd114bdc78ae02acb5ab2021ec726829591d623b0b66329e641c1f915ce +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18925,6 +19019,7 @@ AdditionalInputA.14 = eb9e19bb6eb7b714dc4d56243897916364dae7bb3861a4697d7d3f2b14 - AdditionalInputB.14 = 156d12c7a1d0af2cb9f2d0610cedd9ed3b982e77bf4a9dc1ef0f71284b751ca4 - Output.14 = d3b0b0ac5150afdb3d9de12d2c8a7d45109436ed9c316aef1d1fc5bfba1cd37cd750841146dd08320539eb1678962e990f7b7662b44b918447e173672b873b8ab0348306cf6ae2bcc6756036870745436571763efde334dec5be7bb9920629a36cc5db66e8824695cabecb8bf092858e095a2a520eff140f483ec528131c850a8eaa48d8c997fbc810401ca378666d84020fd34af77fbe1152523e979560708fb15f3b7981e333ad4ee8c2fb6021a562f339616823cac5998cd919f82d43f41f +@@ -40331,6 +40409,7 @@ AdditionalInputA.14 = b180d77e0ef217268d2d4dc9d4a9532f + AdditionalInputB.14 = b192957f3e98f7595768d00834eee1d9 + Output.14 = 7d4791ccae7980ad19e5d8eb8932ea8ea1756710349ab8b771558cfe471a278dcc263b737486179a4ffad12d5311d23912c3a46f07152808d288be2dfd2b315fc4f6df6418029be52daed643dd3c6110 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18990,6 +19085,7 @@ Nonce.14 = 733bf048e5b112426979a9879b6a0c10 - PersonalisationString.14 = 58d91008875f51d541c6fbd626a49a798dc51d9cf2e8588808e74953392800e7 - Output.14 = 
1794335e21606d706dc89ace28c60a15c0c9f108f5ac882b103eb62e225de749285e5fb0be98a5bdc26e3c998ae418306380941d78acb7c81b91ef41cecab328332ac7404ace0ea858e7835534f778cab3e3e4eff043742e4f7d4d5725bcdca0b6be7ddbf79e57fcd1d5a4279f074a599abac2cd281ec6784e29d9399f5ffa8def3252acacc59844c0c24c20d029a89b4407e0b5cbe9a8d51241dd36bb82c400ec4571dd1baf831d58fed3dde4ac7f961be6ebc18af6bfa922a32b81ea11334a +@@ -40396,6 +40475,7 @@ Nonce.14 = 84f7310a7ab653e6 + PersonalisationString.14 = 0fb2233c2cea27d17b6dd93bc4621285 + Output.14 = a2f373a523ac9f2524b059d0c23bcaa905e15948c7ebf71b6e82150aef562dae4003c1a8a3748cfd553d9a51a8f9450b9d569d96d897fed50eee23978e49b364c64db63fac9dc0fe9e8b58836aa04a74 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -20245,6 +20341,7 @@ AdditionalInputA.14 = 06df99a38f4222b9e7e1e3f4a6f488c1dfeafe847129d54c93bccb1649 - AdditionalInputB.14 = 3977a9671024bf0150752ba10c9f6432773bb71aaaa9d23d1ab72b90b7f0e088 - Output.14 = cd4fa86fb559475f4cf4a60f111d3d0f71646d3d25111889332f2451eda96390c607a0178e1e79e8124c7626ecaa9822495e5341dc6f24818f97951bb29434c7c48d05838fcf3b43b8314827d3acc8fbe2c4ae2ab066626c25c32a760002cb1d980169f7691bee5e329ff1ff4938d3bdaae583f3561499563198a5eb69e73f6b963a5d072d23e07b0ce48cd04b31f9ea349c2cae355ba478e26a5fa33d8f03af84235fb1743d30910f5557194e3609494019bd705f8cdbf3d1b4dafaa09c9d8037d2e0ba0f96948d4302e981162c34c12c2fabe1a42da517b7e5a1f796980371420cb305d0a316bee56767ce1aca9260231839b92fa26fd75846d9304427da27 +@@ -41667,6 +41747,7 @@ AdditionalInputA.14 = a58757b98280d90e84d6cf4e2fa89c01a9e6aad22d6cff0d + AdditionalInputB.14 = a3f5de1ec6d0ccd39fa153899f0c1a414106a2aa182acf31 + Output.14 = b1797707f1217d81c8463b44957df350dd139073b056c50d1c912fa111f9cb488bfb7d2ec6faebd078171cd6b71171ae33698ff96c7225d7fd36ddcfeb2630464974d12b3e03877bc73ce1a2f89aea7ff7ddc8ac85708b35dd94d3972875e2d3e7237ec33871e99301202b52e2ff89db +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 
PredictionResistance = 0 -@@ -20295,6 +20392,7 @@ Entropy.14 = 0cac1d970c06da6f224d49e5affec0fe338d0b375b66687b - Nonce.14 = 1fb1df257951ce8fc0cf12a5 - Output.14 = 7d6e2be5aa574b0edff39ea938e94143ed92b287262891dd2a6c9193b0237e8fbe10056e15785bd818e548452792a31c728acc14ce2bce9295d3776885018a57c8580a8e7df9a34ea960e0b39af4510711320528fa7a0badc6e25a0eead8cb091c404f626343c63d40044055ee9f9e35 +@@ -41717,6 +41798,7 @@ Entropy.14 = 451ed024bc4b95f1025b14ec3616f5e42e80824541dc795a2f07500f92adc665 + Nonce.14 = 2f28e6ee8de5879db1eccd58c994e5f0 + Output.14 = 3fb637085ab75f4e95655faae95885166a5fbb423bb03dbf0543be063bcd48799c4f05d4e522634d9275fe02e1edd920e26d9accd43709cb0d8f6e50aa54a5f3bdd618be23cf73ef736ed0ef7524b0d14d5bef8c8aec1cf1ed3e1c38a808b35e61a44078127c7cb3a8fd7addfa50fcf3ff3bc6d6bc355d5436fe9b71eb44f7fd +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20375,6 +20473,7 @@ AdditionalInputA.14 = 38ead8a466e462f5c0617822c23294cdba07a80fd51dc241 - AdditionalInputB.14 = cacc9efb209c71b123498182d25081aab8f0159bed1fc0c6 - Output.14 = c200766d5caf72e64a77a7fcae1ae3d14681e33767ba2ba7faca26209fdcb59c7202c381b18adba07ef0ceef443d9e1c5888366bfd953d614bb184370b45ea2b44a251e381fd2bdb80bf4bb8dfe011e1b143032bae9ce82c2869537e70d36622bf23476163a2dace9ba863a5f0e3d303 +@@ -41797,6 +41879,7 @@ AdditionalInputA.14 = 4f53db89b9ba7fc00767bc751fb8f3c103fe0f76acd6d5c7891ab15b2b + AdditionalInputB.14 = 582c2a7d34679088cca6bd28723c99aac07db46c332dc0153d1673256903b446 + Output.14 = 6311f4c0c4cd1f86bd48349abb9eb930d4f63df5e5f7217d1d1b91a71d8a6938b0ad2b3e897bd7e3d8703db125fab30e03464fad41e5ddf5bf9aeeb5161b244468cfb26a9d956931a5412c97d64188b0da1bd907819c686f39af82e91cfeef0cbffb5d1e229e383bed26d06412988640706815a6e820796876f416653e464961 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20440,6 +20539,7 @@ Nonce.14 = 7e2f3e4427d00de41ae92bf6 - PersonalisationString.14 = 
2e8bc8edcdb3dfdd451542fbc68481b30964fdf8a6ca77cb - Output.14 = df949beb9b33d2c1522cf6fdb3206cb10b58411ba9e28a4096cda7662b69d23e0da2be9557b9a3b5a8d67db4d616ae9fda3a7e0a8516196568f7a81474c0264993b141f14066fbfc29da724e447f6e503385944e902510f0b3971f7bffc6a6a202ff88d8113bb222b104055f427fe770 +@@ -41862,6 +41945,7 @@ Nonce.14 = a59394e0af764e2f21cf751f623ffa6c + PersonalisationString.14 = eb8164b3bf6c1750a8de8528af16cffdf400856d82260acd5958894a98afeed5 + Output.14 = fc5701b508f0264f4fdb88414768e1afb0a5b445400dcfdeddd0eba67b4fea8c056d79a69fd050759fb3d626b29adb8438326fd583f1ba0475ce7707bd294ab01743d077605866425b1cbd0f6c7bba972b30fbe9fce0a719b044fcc1394354895a9f8304a2b5101909808ddfdf66df6237142b6566588e4e1e8949b90c27fc1f +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20535,6 +20635,7 @@ AdditionalInputA.14 = 23a781948449d82ee235d0495ca48d61aeb399d7e2ea68b8 - AdditionalInputB.14 = b52421e5b0e5281920da6975ee18d74ceebdd5d5de05c018 - Output.14 = c878a886e24e20a8b7e22e41ebb33a2b6e9a0168f4c72bebb78f0955c8449592e91c6a2f1ba5554c9459bf2702e67470c1df0b5125d651facc0a9339a2b7c921a51bc7203020f085c9231b3acd850ebfef0d0e13dc8bcfecf1f9853930ecd9b262cecaff0e2bed9e3b5b53343b733766 +@@ -41957,6 +42041,7 @@ AdditionalInputA.14 = 288e948a551284eb3cb23e26299955c2fb8f063c132a92683c1615ecae + AdditionalInputB.14 = d975b22f79e34acf5db25a2a167ef60a10682dd9964e15533d75f7fa9efc5dcb + Output.14 = ee8d707eea9bc7080d58768c8c64a991606bb808600cafab834db8bc884f866941b4a7eb8d0334d876c0f1151bccc7ce8970593dad0c1809075ce6dbca54c4d4667227331eeac97f83ccb76901762f153c5e8562a8ccf12c8a1f2f480ec6f1975ac097a49770219107d4edea54fb5ee23a8403874929d073d7ef0526a647011a +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20585,6 +20686,7 @@ Entropy.14 = 04c61e5cbd79804118267ee1c76db36b71b042bf60a1c891 - Nonce.14 = b833be09092d4755ee6118f6 - Output.14 = 
0c4663313750b12daaeee80cb28f097cbe6f50df2022f9ff02a51fb373da42411c5856a136e9645e99e69aee273726d146e3ef4e546273eeca52b43c068887148b7197143f5b9a4c55d4b0544907ee9ad2f181d1b37742d1479d39e78e47505603550d2b28bc1d151a50bbac140988ec +@@ -42007,6 +42092,7 @@ Entropy.14 = 17da1efd3e5250dfde3ef1683bd9cf4d4432a2f223399664f7645763bebd5ebd + Nonce.14 = 0b160c67b97d5302972b5c517bed5a7c + Output.14 = 859bab959dd16f2cddb05376b3d3e46cd13c191c18203bf3c0bbd5803cc559aacce48d88564166fd5f43c22d08cda1acd8004f36915739796a39ca96f8e7def14b58a8ee55ff72de7e2e2727389e027657447e32e47d4ea2f0fda48e86046d111cc334bebf4ee1019199c94fdb26169661cec0b0c47176cb5fb7aed8ad35afb1 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20665,6 +20767,7 @@ AdditionalInputA.14 = fa3bc697a6bd8ce341735365ad6e214d1e53e8d6d0a2c206 - AdditionalInputB.14 = bea0650424d1f26e75a49ae2dc529f1fdc552e3a0aa50948 - Output.14 = 4a718257296a3a99f199a5a24decf8f3e6209a4a7fb0b24913393c8309826ffcd6c47208ea6879921424ca55e63a7e5bc63a030cc48be7648da78fc9f314dacb2b8568635e5b14a94bb06a709a2f023a86a871dfd708204c911d94ef3690b3634e58de03fb20091d628bec834a760dd4 +@@ -42087,6 +42173,7 @@ AdditionalInputA.14 = 50687524beffed38fe27963340483886645153311dbd4d10d86e7d6b26 + AdditionalInputB.14 = 1e3ebe4a54c3092d540ad2898ec3be1af84a1d515c013632402ffdeede7caa8b + Output.14 = 007139a46072d9dbb6589b8ecf5f287d3aebb13b480ffcd6e95f0b2f916cd99e75f30a21971298257a80c17e9e41f8e0874dc9da8f6c18007a6e4cd5971df083ae62bb7b9f1bd4926f17e5574535f6009c0068b4ea3a50e2ba6c6aa6c7729fbe8ba58b4b795740ff6ae2f3d6fbe3e06828080cd1dcfb11771ec98ad9e0bac0b7 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20730,6 +20833,7 @@ Nonce.14 = 4b729a67449bb5675a1f9d1f - PersonalisationString.14 = 9160b7c96fd367dd7d378e82be11ad1827c7661d76bc1fb4 - Output.14 = 
1d7ab4500d99a18b8be2ffb8177c869059e25f1ffbddb36694fa8561da1d71f86a38accb1926339f6dff71ea8ed104c3518e62b00e520c51a096c1c62469e56b139e6384e982588e748a8074dccc51d558d944868e2b8e1dbd68bd83c663447590430ebe15c64aba4669d1a4a784d8c5 +@@ -42152,6 +42239,7 @@ Nonce.14 = 2b653a89e549e3b1ee7817f5864fa684 + PersonalisationString.14 = 814146b3b340e042557b0e8482fcc496a14c02d89195782679172e99654991ed + Output.14 = 3ea100cf50c25d7b2ef286b5fa0720f344de2d568979e7349befa23589083e835205cdf6a4670722fff04260e54618c9c00af75cc26eee665b64e7e628ec4c56a8086dcd583681170f60d565bd97d0f416e4c231e281081b0fcd16c8db63ea9029abbfcb068bf57a36364aa9e27603f447adf337baa35f049a129abdc899f808 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20825,6 +20929,7 @@ AdditionalInputA.14 = c375af43c11115e995f47212f81cf3cdca5801d184d82235 - AdditionalInputB.14 = d2eea45f69c6d82dc3a7bb3be69d595c86c5ea5b4aee6001 - Output.14 = 907452bdf42eb168195313eefd090a2fe1be8b668b8ec7153a4ed4c07e6979244282e976decef02ffd4fd92b0d7b90bfc453cfd81a823dc162dde29dfa926f20e395d7432e0aea61c72e05c1673180bee3b47fa171cfba98864fc2bf83878e37c7dc019d465788aa1500ab3db8997d3c +@@ -42247,6 +42335,7 @@ AdditionalInputA.14 = 95f6df9905b652de6d08399f61956acf943fe412bc71de60d6b69881f8 + AdditionalInputB.14 = 87b818568ed80f7c2e8f5b5d7be403f8badf9fa0e716aaf1d6409957b242aa07 + Output.14 = 45b5182f313a26008bb4ab82f68a12e7c783c243ba1ac6d8bfaed44ddddb607f964ace9c3505d59ef5a3691143a4845491661a1dff8ac4de2e56b54e263ac3aef86966fd656b5a65d4f3b89731d50fa919663bd5691678ee5f8f499e84b1822bd0b91409b62cf98c176df7e812513f3252d25d15fe13ef9f253af477d16bcfcd +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20875,6 +20980,7 @@ Entropy.14 = b37ca70fd13538ef74c5a3c7ef00a78705919446954ec43f - Nonce.14 = 3ecbdff8cf33b50788dba82f - Output.14 = 
1bcbccc535fbdc8617575d46ea5a9cef2622995dee19aa4b998325dd8d0935957170f6b18219354cd2759ba53c9c1f380586070db0c89979a581ce1e00ce38855e123dc3a2dc9ce74bc3b6e27c9603fb87c09a1d90bb540d267d456f5457daf0920a13119a2b805f9b97b154f80f4bbf +@@ -42297,6 +42386,7 @@ Entropy.14 = 32695b2c55839eb3a048fabedcae1f23bf0c7206280ba4ba0d08b9bd9f119908 + Nonce.14 = 01f2a4cf8a9311abe5ecf58d6661dc5a + Output.14 = 4a4f44f418d585e03f508f2ff05345abffeafd75f610a957be7f3ccaae31ba28e69bf8ae441a405fdbc0ee761e39c76b69062f5a3866fc296be1ad306e6584ab2d250d717605c70a17c46a298f714e4e820c85a1fb84f4d61b9857a40c2902193ad703c78635a2791abe6abca6124229ed75827135c27f1a04d244e1d73ff059 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20955,6 +21061,7 @@ AdditionalInputA.14 = 9fcab4a8d0d1036a6210d56a894f861fbfacd4b20c081f38 - AdditionalInputB.14 = e279bf650f812b8931662e59a0da7ab799c193da1f6eef1d - Output.14 = b3ec81a3cc8dfa4e1ea17d33566a4444bae9969244e7a8970eab02afc8797b5fc85b6614ab009625b81fbe078bfa4db78ced2d8b3f1e3342b477a3fb42cec7d44546585621bb8310075808aaddef32ede3e668e626711fdfaf2569721bf645edeaf74a9826aadf0a9cea9893aab4fe3c +@@ -42377,6 +42467,7 @@ AdditionalInputA.14 = 2e51dbbfda8c92f2c838bd85ca5dfd7f35504fae1ad438431b61c2f062 + AdditionalInputB.14 = 00f507a359585778988b6bb6b91f23d4ab29d2adbe632e4cd4646c8cd5f1b76a + Output.14 = b7adbbf07414551464711ad9a718315b0587db2782d34179b70b4c0e323a91ad9de40933023e3a6be71cd50dc58953ad1bf66354bc45dcd9ea23682d487b43903a8f426182536e170af8b04460c586d8ca56e4c307ab7116d8130634dc9a58e1c3077bbddd6bd58c8a0fb9b18c4b839aacf5fcd711c611db120e6a605745e86a +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -21020,6 +21127,7 @@ Nonce.14 = 98ec3ae036755323042c08da - PersonalisationString.14 = e6f24d96c8d11cc68e72f56ee7e345c5a0083509821fdf17 - Output.14 = 
f5a9d375a58d1b337d245d29b7a9e352cbb0fc950276e042d075a71f4bc43b65b063bff299c670adfc46db39c4303adbbfebcea1df964c27d33cbfe4d46567475abff4f357252ff7d05ed4ac34e6ed14c33c192909426654d604736f3bb0ba01aa5e0454d60dfe8aa5b2df3a52df22d4 +@@ -42442,6 +42533,7 @@ Nonce.14 = 3f9e88b93a6e69d070328c2c570c3be9 + PersonalisationString.14 = bbe702bbd2265e73aa073f47ce55fb65902abbe51635b414df688c60868546e1 + Output.14 = 0280555ba6b2379dce7cd56615d7d86feadb8ad995e2852a0607e663a34b1e0342c7bc649adcb204e271eeb87521591fad74b3bd841971cb100ae5f21599b732d8c5f9d578c1113da7034b580013720e62b1d013e28205d5024f8b1eb3219e6cf821792713354cf1349d32a64f32ecdbd7578c55e401fbea57f21ea3ebef0f9f +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -21115,6 +21223,7 @@ AdditionalInputA.14 = ec35738bedab1835d07ec7a6d9a5e6e0bf8a3283541b3216 - AdditionalInputB.14 = 689957f9c2c58f1ff34899bd0c295bbfacdd149ab378428a - Output.14 = 6eebecbac4dd64b170cf6aa84788f643755ad5c6c731b63bbba3b2bdc2694f1fd42fb077b4309a0cb09b5ed1107fee2379272351ca9221069530762e4c8ac4c142c30167a32ac2b82b728d57bef95d620cd1b7a2ab5c1a6fac2cc90e0f6cd003ef526485c8bf0dbc9baa7c1f0d6f763c +@@ -42537,6 +42629,7 @@ AdditionalInputA.14 = 38684dfa6edbd61e464e49f7d01932802a5a5d824db6b1df6087e84a8e + AdditionalInputB.14 = 4949b08a12656c497cc6760791982c0d4e674b0f8a14be730a91689ee77e981a + Output.14 = fda39bf8dc1aa785422281dec946bad99d5ead17cac55d47bdb9bd0a80a72f3c611f92bcf29e3e45475426a7a9f139b755f332cf75035b047697f4131c9bbc9ee825ede9a743b14f02dea122194405864aa2b538ed5cdf40ecf81e02bed1556ce0e7974548f050b084b8f3626c0fb2c7272d42cdcb039af4c7d957e285b53b5b +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -21165,6 +21274,7 @@ Entropy.14 = 2fe6d7ec78f76820cd88c41a5a958c399c7ad1619406caca - Nonce.14 = 1ed975755cad5e4c475c5945 - Output.14 = 
e34b31db083e58516cd60ead2e5b0d39e4a2bb47c2436531c0e700e484c27d3d233d10d1ea6c58148149751f24155fcd258f384d61000da88106a0205d693e4ddfbb5c35f101ff15e531e9ac4a988c16302a962146a3aba9af5c505697cf9aeb7bdb8c49c281458acc33ad4010122aa5 +@@ -42587,6 +42680,7 @@ Entropy.14 = 1006646f977b83f4d90870f24b3b72d0b4947037f7671a64ce3b52829506a519 + Nonce.14 = 5698d50f59c42b26339d218fc985a41d + Output.14 = 44ab1d22fd3a84f8847c33d0fb0aea66408d5181b8ea95416beddd9784d86d72d2851857b503253016036246cea11f2ad2bd18fe56508697a50b14e7c85bd9b002deadbce5ff9f72508b6ebce741dd7803a2d8633dbec235cccd37c089c9d747a52000ed4cc1dc8545ddb65e784a698bdc74a6ff4fd7b3dbed31a22f83b4fd8f +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -21245,6 +21355,7 @@ AdditionalInputA.14 = 17c87a351e940e261e8806e2548da44a751c550ff5f0257a - AdditionalInputB.14 = 7e3bb28f266786ae38c24876087fe35c7e43222382270380 - Output.14 = c943c9ff0cde86a62756465e6bf4fc9dc25447157537831c975782dad82f3e33e6e7790b41c158713b8978a6967bfadda9e15ef43922b3f93c8ccd0cfa834fbc6776f3c1b6369b4f25b1cd1189f8b8efc31be2dc151d3608eb2189a4f39c0f0a3deba00ffc97299c11c46885b424a7b2 +@@ -42667,6 +42761,7 @@ AdditionalInputA.14 = 8d72118578abbd90ddbe6115ab10b499afa26c2360eaf6fa118ba590ac + AdditionalInputB.14 = 6ca4d45fcbd0c7e964557b2bd7622a528b4722335b47383f7bca004b7cd5cf04 + Output.14 = 360d9ff3111c6b713fc641b571b582770991885f2fea806a485006a1b4f41ece4ce83dcabfd403edde77780c044c96e85ce5d1f1a368ad881a64be8c41e87f0a682ab67170ae05a24b08b4a9178d13ac9928ecb3b5e23e745d93aaa5f111c335c77cb9a5c3da8163cb428fef60da737b884105ae57616637b0e40bad9594bd51 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -21310,6 +21421,7 @@ Nonce.14 = 4fb71fac56d2aa35d7fa44d1 - PersonalisationString.14 = ad66fd02b6f6e30ce521ae0d783236c75cd3699696475ac7 - Output.14 = 
4b2df98ad411407c1dff07b5c08e97ab501fc20ad191794dab73e9b4dce62470b3c70d75f07848f436f16a8c63ac31a75525bd928b5c76218099ec940e3ad193eecdbad834557e92602d7daa6e3eedcbccbc4d0829c8e1c7e59adb95ce928bb138870566eb27e4725191a9ebed50304c +@@ -42732,6 +42827,7 @@ Nonce.14 = 50f723edc4f658862758e149e7ae4f20 + PersonalisationString.14 = 39d43e627ab7c7a6d12fce4cd8c001678bfadd9d07d4086674e5d8bdef4ac62e + Output.14 = 02e68bf3f78812aa270619b307dc0e57b05b8310084ecd1914a67d93b77127e0b3ec40e359adc451eac8788ac708fde70575fc1b9bbfd291bf5b8d7bda7bcc23a0271ba0bb0e6d617132399bd6cedf5a9a683ea98b3b0dd3bc6d811e4f66c9ec751012992cf54e3ce474e09b31ba9c01ea231d4fa8f09441e204c4d3285c78d0 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -21405,6 +21517,7 @@ AdditionalInputA.14 = 30a66bba0f4d6c249e271de8927b6ba1e99fefbf3386934f - AdditionalInputB.14 = 1ebe06fd88f8f914ea8f590483994fbf227613e7f49ff18a - Output.14 = 38b4e2bf6aaf771df03b3bc37a959955dec83f07af4bcd995957a31991c5ee18b5bcb7754f3bf6293665dff2b4769d081d9be6393803e2c62a73ed8ce4adb17b36c1e0deb8ff6106308be9019cd179a92feeb184d93a9348d3b14a70bf13fd74d12cc427496803b7fc041f87c630756c +@@ -44003,6 +44099,7 @@ AdditionalInputA.14 = 73cd5580972f69bb4b0d0cd8915a5b594c3a9fa40b82d6b37446dff4c0 + AdditionalInputB.14 = 304c2001d8bfb9f1b23f3b336db9f5da17752cbaba782d8932d2641aab4c34b8 + Output.14 = 5771705c788e15fd5f656d4b5555d532ee4c48453be651a69c30fa706abe7719d9842028c667fab59aab97fe64a6140baa5d42dbfb7ecd58f2ce557a7b8b2c01669232e0b8bb0ddc6ef8dbe627ec5b370ec74553640982a14bd38ad9824b9651b717f8e90f539c42d04f7cff648c38b26abf38dd2a777348a4c2872f6551ef0f9e148bec810025779e7cbe1055cb0250a764fca5a1feba53bba64b7ea0c4dd3d56a7e6b4f8a157264e6666d356fe5a7a29fde7f4391662c4e69f471c21c6beeb +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21455,6 +21568,7 @@ Entropy.14 = 7f422e735bdf349e4f51787571ffe061ec7e9181fa0b6a342e36611da25c1a15 - Nonce.14 = 
b09d8dc6997bcb567cfd788d0e06483c - Output.14 = b83bb6e99b0a5237242711e27779d05d2157402856f9653542f1ce52b1a7463e13d5c92309a06d8a78773ad70504b64ff070c2e6afa4ec3662f2729cb7552235b79c18e08354e334474f238ee74feb7e892d5701543f418cd7f2f5533437d9901dcc54687816f16eb7341b1707c6310a2085dbf387044a78fed850b42fe9d8b4 +@@ -44053,6 +44150,7 @@ Entropy.14 = 2c13e44674e89aa105fc11b05e8526769a53ab0b4688f3d0d9cf23af4c8469bb + Nonce.14 = 700ac6a616c1d1bb7bd8ff7e96a4d250 + Output.14 = f778161306fc5f1d9e649b2a26983f31266a84bc79dd1b0016c8de53706f9812c4cebdbde78a3592bc7752303154acd7f4d27c2d5751fc7b1fee62677a71fc90e259dfb4b6a9c372515fac6efe01958d199888c360504ffa4c7cf4517918c430f5640fedc738e0cc1fcec33945a34a62ca61a71a9067298d34ac4a93751ddcd9a0f142748a1f0a81a948c6c6a16179e70b6f13633fd03b838da20f81450b4fdc1752e98e71296f1941ca58e71b73ea93e99a98f58d0892fa16de6a16c602036ac857dd75f9ac2c9185932103db5430e80cde9131e814a0bf3f3e7a2200a7152424472fd27f791a854f29aecc448f8d3fca3f93290266df3193d9e13e08907ab2 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21535,6 +21649,7 @@ AdditionalInputA.14 = 5722b092a5a0195f14b5f236885538cc7a514e997876c06f634926c695 - AdditionalInputB.14 = 6e4f341a0524dd1085aad0b6c956057893f737704ca2fd8eaae6231e9691688f - Output.14 = a757af53227bd8555853ee2e643256074be9904d2fabb0ca86a645b0ed1905731cfbfdb7eefc83938fb576d7e5da8135300f8e934dca521637ed10e5e791e18e82c48085f511476452237ceb930e0307e228886d36aeb83d8e25ba23b38dce6dbc335de90b63db4021d6ebba5dfb6d8044a2bb7bb20aca679cde16406c8c4746 +@@ -44133,6 +44231,7 @@ AdditionalInputA.14 = 6cfccdd8253cc5b284701ef8d16f8888f79100373a7df50f43a122591b + AdditionalInputB.14 = 5795ae5be47a7f793423820352505e3890bac3805c102020e48226deab70140a + Output.14 = 
4a398c114f2e0ac330893d103b585cadcf9cd3b2ac7e46cde15b2f32cc4b9a7c7172b1a73f86d6d12d02973e561fa7f615e30195f7715022df75157f41dc7f9a50029350e308e3345c9ab2029bdc0f1b72c195db098c26c1ab1864224504c72f48a64d722e41b00707c7f2f6cdfe8634d06abe838c85b419c02bf419b88cde35324b1bfdaddff8b7e95f6af0e55b5ff3f5475feb354f2a7a490597b36080322265b213541682572616f3d3276c713a978259d607c6d69eec26d524ba38163a329103e39e3b0a8ec989eca74f287d6d39c7ceda4df8558faeb9d25149963430f33b108dc136a4f9bfa416b3ceaa6632cd5505fe14fb0d78cf15f2acfa03b9c307 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21600,6 +21715,7 @@ Nonce.14 = 06b7b75d18365f4957489a09204b2672 - PersonalisationString.14 = 9e32f001033eba3bede220d4f351ce110e6ee2eb0b099ce54f9606a21d80b1ea - Output.14 = 508333114a0abd5fe10327daa0f1342c66569d912a64d8ae89227d0d8ed5b4052cf84f0c38927d88dc0d7c476e747965adc9579a4603a36566a1730f55ed7b100c1695f060674484781682ee629167f7adce89885ff04d722d960d0297d2abf79bd3338126c2d356a91bfa588f80db7ea365bf181fa5370c478a04d05a515b78 +@@ -44198,6 +44297,7 @@ Nonce.14 = fff1f2e2ac117af8b2cb023f0dd6c6ea + PersonalisationString.14 = 0a4c2df69d6c69df0a9c58ab7c886ed9db294f5fe98eb066fde543b409ee91e0 + Output.14 = ae35e947a538e7da73f944b4dea689c064b144b753fe597369e58ec4868099c0f000995949e82dc3e5c00555a2cfe48c8a87e87ae5e7402e2b1679e413cc556f08796269ef3ea83d6a49116349a31710964fb2f936cccf249472eab3267cc1ca0073ff4d964eefc82dd1559c3737661f8b206757a64c756680fb7ab6be8cb433b93f21a04c1e99c777ac26c1f34918794085ee593ca27ae991c53d141e52f90e7872bbb036dce78e6a33e2d638360f9c15d5746d6ff13c1bcdff1cd01749fa51c3c72e68c0ce57423d4915abe84c15cfb3301d0c3b8ffc6a1962c1fd981790fa2a3da60d70e8e8557e4b2e7458ad85f5141ad46e1db751893e8327c8197571e8 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21695,6 +21811,7 @@ AdditionalInputA.14 = 5b2d2bf0653e3c075c469de5e2a093193e700abff9792a9f3bc0d143fb - AdditionalInputB.14 = 
976c765df6b57f0eed8661587045826c329f4f1994020de30fdd835912f72fe0 - Output.14 = d8275a104f1dad7412637d12fabf9dd1b06592850cd48a3f38304789911efe8f08970b8f90fa021b04039cd3d1ca573c1586e7ef586f4c623dfc559efc0f2c89e4136b59f0f5706a74679d1c95886a5ad05b9a850043cdb19d806d617b2f640f715351cff6920c47f96a42b872a512a7b2e99e4d0c2230861b16f3b38deb9b58 +@@ -44293,6 +44393,7 @@ AdditionalInputA.14 = 2b2dbe3834d8be93f1396b19be83bd96823dd82740da71c5eeb7b21865 + AdditionalInputB.14 = 49c322fc1bec86d3e20628d9bdc1644e6f5e0237c7c694746bfee32a00145696 + Output.14 = 9110cec7d07e6e32724bf043e73021b3ca0e4516b619d036ac9a00914e12f01ece71989f55c1caccd542c60a9cccffb91e203fd39dca2d92c8eb03ee7ee88abf21dc6891de326c3190f25ee9ab44ca72d178db0f846969465b25a07dcc83777e6b63a7f9f1a8246dd31ce50cd9eb70e6e383c9ad4dae19f7cec8bfe079b36d309c28b10161c28b8d66c357c7ee01f07403a596366725fd5bd3a5de3cb40dcf60aac10635615b866ae633fbdb7ece41695d533757d9d16c6d44fd170fae77c15b7426ed6ec8c9d6e9245cd5e19e8dc3c8c7e671007ce8454413bd07407e8a2248bee95a7669db6ee47377b4490a6251abb60cd4e2e404ab88aa4948e71ecec50c +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21745,6 +21862,7 @@ Entropy.14 = df6edf960abe3aef5f50741907c0171906c0837ba3bfaa3a1044fcc4f19ed21f - Nonce.14 = ff2558bec3e5377c12697c908d629952 - Output.14 = 9d68c2674eac76f3ccabe1c6c0bad96d5fbdcb1629c939e397eefbcd2ec2f25803fbb9aa72db952f7fedcb290da99f34c0fdd637c37dde1446d475a61c38c3fc5c1ebf9541d136cb02a43b2646df7ee4bd0d9191157dac92a33f401f089ae15618624fc0baf707409aa2f80cd5d0676612c2667aa420acc6e016e6ba3f63c686 +@@ -44343,6 +44444,7 @@ Entropy.14 = 1436be35237c34bac5b5b36b24c998380883fb52621daa420112cb57bc84745c + Nonce.14 = ed884f91a94c1b0a51f316df776283af + Output.14 = 
c74ce568f0c465e79ef3700857cc8857b74ec8c075cada3f2698ff69569318b130b5b079ac5b69814d057097b0a107a546b011db601b2f7aa1708effd6479f383d7d484a5df76b63f1419eb360991475b2cd97590a1887487a76cd6fde7764cba5f101e4614c635ba7b1e18724a0a8fb39ca0948bffc441b6aa0216cf3c28ae6c06a24ad1bbe68970e06884d3b68325a3d7c1dce9a2fe87d565dccdcee7c62ed32b577763f510f0029a99530209628359bedf4bbfed1a13c222692d8cae60ca736df834a6e316db27642ed5839d2e11716a5c06e8d067e8548d7ac0687da801d292e2a6f414d7470d2e72261188347878d18e00fab3d4c15cb4c4a73cf963437 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21825,6 +21943,7 @@ AdditionalInputA.14 = 4bf2c816e2c3e9721d192a670153d620aded035ffa214cb0d7638432c3 - AdditionalInputB.14 = 06f515395ad7c3d025af7df781b49b62f068ec9398f6dab31ead6f917c663de0 - Output.14 = 1e70791e6a8ce753f959ab75d1225b44452ce7aed0fb53b56208b3f26419f004983c452d724c483b4f9b70d2d84734ce8ec0258d8edfac639b355204e14b5b7bc1d3aee6ddd9f5da54c6cb086d16ce381c2d5cefbceae3afd56c13441d80c7e6081aa68ff57f21d460370de9ae713c17ab14a81f0895e9e492af7c437d7a5799 +@@ -44423,6 +44525,7 @@ AdditionalInputA.14 = 48e994654ab1d109511a3b34f5fa9f12b8da17da510d7a71e3839ba86b + AdditionalInputB.14 = 949ee0617b277a3ddf4a51343104704775d91797be1826d78051496a87d9113d + Output.14 = c4bce916b00a8583ebe1e85feaa1f076315ec9433e18afa1252061a62fc7558491678cb31048e4b4551b697e8dcb58dff951337f0fb7a41546d9a7838a1da149cb44558d324eab9e7ae147e8ead666e3d4eabc9978626efc8710ba8b5eb485d5693e5d6cac36ddd3a1a878ffbc77e9ec5d333cdae2b5803dcbba70d4e0dc60366dae5cf25990f3ae6147c99ec6c998397a1ac02b1b6ef6867aa897ca90b7fb938e3ddeef57e40897a644a4f08e37c995210e00f07145d5b3620ce673072525f9f74adf79ad703c4a09adc6eadcf77e76c6b032270d4c68f01672decf9aa0e941086188304fc33a28f53bf121df747b7dfdc00ddfe68f6d06ab7e82295f70652e +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21890,6 +22009,7 @@ Nonce.14 = 2c4c4f3a953e551746f7e258821d24f6 - 
PersonalisationString.14 = 676a9304a3f744c62c7f5048f2137982c89860577cfcaf0d855514436ff8eff2 - Output.14 = 7bde8a5a34538655ab2ca26d0447eff3c6da298b3fa53ff0526eeeebaa4a876b60e47ca544ae30ccb00176ff84920bb4e4a4ebc3cf74b9cf8cd8ff9f7b11266a3c9bf918c458760bca6368ddfb3522edbc61ad14f2b638294e51d82e617d8c0c631aefbba50dbcd1a0a88963c3d63959909ce2cc669924d7163b01cac468c0d9 +@@ -44488,6 +44591,7 @@ Nonce.14 = 70916df78dd9ea799230435b3e48686b + PersonalisationString.14 = bf755696adb9c92839798798f836b063cbbe987f0163ef3f4a97222c888f5da0 + Output.14 = 411cd8e76e711447e8a93ca95aa3aac5e51f559d65a8385a15e71877ac8472a347d9d453bd6761655711ce2133900d28e41cfd1292d28848646e5cbdcac1e60e49e62aab169b1735e701e38d65ccc073f277972ca85444dea86c19c0c08317dbbeca4fbd5d4295c9da71b89623d0028cebf1ab68fd0aef5b37e76e2e0b3e7f72eee04c01b6afb180b1fa0c370975526b788ec4db076a16a798671451af3e20d323684e232a25d78aaa8ee43f734f1555bf0a324053c7c895dc3e098621e189962a914f486cd7a5ff330f39316afb762b1a06cf8b593ca00d7edf739e2e6827a7af662f33bb09fad09d6bdb3a565f2bd32512c79927d390c79a1cc6db968b13a0 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21985,6 +22105,7 @@ AdditionalInputA.14 = c168776136197bc3877c824461994a4cb020b61ad1630bd8f38d0db211 - AdditionalInputB.14 = 4f54082a1b9e6cdc8599e1639865c00fd758f403adba5cb74a37e2b20f29b654 - Output.14 = b48984588cb54f78610e05c8a7ce12c630934f5ed2e4cee21e523fc65a7b8412189ac51823ecdf493844a859aa87f3e84645f22f0914245043f7b86287a85db97697bcc84684b072162c2fa636569df83fe85f1ae25204786bfdcf5eb85006d09a4d97b162248daa8ccbff9eca28b7bce9fdbddcb8679ba50b6648cb3bfe9af1 +@@ -44583,6 +44687,7 @@ AdditionalInputA.14 = 6f9f47857a60b6f3f9fe9a83ebcec5f16ca73e236d2af5b0daab45c0b9 + AdditionalInputB.14 = e6628fbe4a774bc5383218302b7c565da5a5bd9f19db6182b444af5ae5f62739 + Output.14 = 
d701c1824a82ff1803c4b59f490c3f37850ce85b5905059ac4484f5049f31772ab8401bc9b8fc1fd6ca06d01f01caecb3cbd914ea9574f497df0316a0d56e2830c8a908ba78d1dbe243d0fbc560c407052ec02e9c77f7b12264a46316a777955ae87a71f2da9cef2811f6328ccb288343abb65a36359c07122cb4e6639397829c48dbf8a821ddf00ddec2f294e48d05adfd0f7a706bfc337387bb7923641d08c288d23ed5a2a20f34684549f9f6b3d74ac0f04e10c7dec04aceac369f505d7ccacdf30ea0662cbab001740922e9ac32b6968e0c5a640345d1132e883e07fc82858980489893d0e38960883e989c41e72ee967c00b9a943f0666d1f5e93e848ef +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22035,6 +22156,7 @@ Entropy.14 = abc502a99b7c3cf14262f6b036925a9904105b019592a2a6be26d71fc42c7444 - Nonce.14 = 40a212f9e1a5aa54f2c7ed4ccf631c9a - Output.14 = 0e747d83e2104367beca697db9b6bb994061d82aae7b1564f6a0911a1f599084a7ca7c94e232908d41df93a6b416e76146a53b490afb552124fc0c2087cc45de96390565b58f913b5dddbc55dcdd2617ea27858ae7c7748b31d832fec0fafe84594ad7b693cf972daa9521ad4134867339536ed5cdf02a758e40d5d96802f4fa +@@ -44633,6 +44738,7 @@ Entropy.14 = f5ee32b61bd57a4a4d51309e846f636560a8bb2a576c65d37a3f715ff1878014 + Nonce.14 = c638557dae4f9ab6e078c61d54d0f566 + Output.14 = e929e6c5c4a629c49fbb8623aea903ea129bb6484ed542cf940dd97bedc292e8bce924ef0cc57fa9b50b17b82618a840375874735560aea57e4e9701e4ecd0e812d1bf9fdecf67f431e4d7f6f455dfe4bd3b9a1553c574b0bfbc933a31580319c97682dd990c7081b711c2fa67a4eb54472be39f634c5dd901848c012c309c43f34d189a72c219acf8ca393d3f2cb292d62bb4d5e88f2b6e5e0422dafeac17415af623473f26ec24e65082123db9b9c00dbce3ca1942269fdf66f14add6c486a00527a39b050c2f3a6bc461e750f6e33236de198742284998bff98b7b3f6566e66679b3d8a1e63561fb5f8228867b8ff92230a9f2a6b9427821b6d55a359994d +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22115,6 +22237,7 @@ AdditionalInputA.14 = 2a8cf10885a141125dae18c40f7bcb7e09c1b2726e22a7f776e4735279 - AdditionalInputB.14 = 
7c2db5278d2336764d274bf9624db7eecad2db11c6622831e47338ea3ef02ad7 - Output.14 = 08ed2c3aa35812485ea8aa0b16149ee4f3207a0368be2035e202797939dd2a1c1db1ab244434edd783c7574bf48fc99f93827a1fee91cd1db1cad53512b6931d2d63018045b2a50a9b523a6ee212fbcb21ffa57ef998b4ce24e5f2f875a8ff3a45d8602cd56cfefd2f61f73d00dc33304a464f4fc1f7dd311b516a8da4e91151 +@@ -44713,6 +44819,7 @@ AdditionalInputA.14 = db7b290176b65f826aac2190a912672f8a9c97815706af33732f68b1f7 + AdditionalInputB.14 = 13425f17d8fbcca3b4d7793a53507a85813f6f50d3365d680c0620d5fe1bfc33 + Output.14 = 12d4cfe6574dddbf9de82b8a357bbd6e32a3addb7022c313ac401d0aecfbdfbc7229822f7db9012e8bb0e2907fd48d3eb435ef8368802e5eb948f1bd8d47569b694e23979652f6978b568d7e2288b596afbc67b6c1e0d662240356dc6257d9d273a9ca9f7dfc9bd4175a50ad5b328056c37046e734a76384d7418591a7604f332a457f2fbb277dce4fd2729fdd1319dc3a56b9901a50dc90feaf5969cd9e450bd8716e44253ca55c4e1dcf791658cc467cfba613c27a96f67bd68dd8ccf46bbca4294a0f548b919626d1712ed4290ec90c1098a082699450738d32a8c6516d83bd54a42413bc0ea0b37fe5d6b0663806df67f61d2c553aba3aed3f9aff111d2d +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22180,6 +22303,7 @@ Nonce.14 = d5aa1d24b7c7564f6836f626bcc6d32b - PersonalisationString.14 = 4ef1e00dcda9e893d066ce48cd291258a29e0a234796c30a6465079cbc3d3aa4 - Output.14 = 43da46cb7b737ff7617715e3a8aa4c42d8cf1b62f32ea97d035514a10798f5bcaab550eab684cfbd5c8d3e1ce6d9fb026812e647ae6a50d3d8da8e9e2f1d5f7fe550e7e0b88e146925f2aa64690e1a5a5de152f6421837c15337efa80fdedb0a4754268bb83fcf0281b05b3885dc64b87f1da61b1ab219779ef44a1399b992ac +@@ -44778,6 +44885,7 @@ Nonce.14 = c600da30d68cddd9b823433845111880 + PersonalisationString.14 = 8896ff67866ff1f59c8e5074d91e6b9112410c9b6a1eefbcf05a1b8c7123dc89 + Output.14 = 
ad8150de910a0bbdad0a674d032919ac3304d5977fc43ad5d5b1fa9be46f22e94f5c2747db228315b0d0505867fd97f9b1582f97b4693ed542c416df1847a85bcd4ad07d6348a4df78412e3df4e675def7f44b1895a8a2156c811040a46198a863c0107aebc3a426b4c2b9ac294b227d323879a70cdf7ceeee7f6f51f102c3ba4ae9a7343aff295b664c869f2c2d6e4396362fdae7d9b5eb0802f37ff7a3a7f1c944044b1bd9b21fbf23f191c6f538398164c2d1b67390e7b059b1c9f5bb031b89a23895ac65770182c8072fb0ad4a7be055d9a4653d08e6b22a61ebdfb66adec2629030f47aca70a06d68c9e1c041ceb2dc9bcd1ceaf61655ef7bbb1653f3d6 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22275,6 +22399,7 @@ AdditionalInputA.14 = f8dbd6a405435595b2520bec5026075514955a666e4ca34b7d0339b0a0 - AdditionalInputB.14 = d9536bdf1c3944d4d239b6dd13750c16a2780d943d4cb5fbbe418189a7d65432 - Output.14 = b5e12e5082c09fbdda81d1a2229ef9bd46db84e62ecbcd1a2c4e88557f8ed3b5af740fac2bddaaf441b66084ce2239adfc9d02f001cd23470535f13ee6ed73256adf902b359930093ffb293a7c007074582a356529ea3ed9a5ac0a1a3f62df5fe09d27f5a7ac6abdf1fbd5f5e5da70da5e3037fb062d0817b077b56457238108 +@@ -44873,6 +44981,7 @@ AdditionalInputA.14 = 4adc98c66aa72da2c63172aba2a6c59fb20aa7b195a0b79edc709bfa99 + AdditionalInputB.14 = 83485ecbf938b8035d047956a3a1bea5adb66c4a7a24b21dfce4269681c31bae + Output.14 = 6c69a58a3b27c73ac396840a93ff914219fa80241d39d65890ea612017d7b92b12062fbc0e3c39508c86023f7d70e9b156b4a766465c01c554acd6b5d78568d2087834b3b14f3fdc4d4b959e78ae2fa5298c87321b777afaea4a5c271a584a23a262f8b679cc8198ccd116c88dcf529a6677ebf5189d287f56eb445ad7313acce013b3fe49fb5212cdc3cf8c5ed15aa26b1135d7d9e0570719c4230c104a652fb36ffc57e219e735c03346d18eb57bcba813965bcb39b6a81da624838ba7b9a65d3b684a021f4071c66ce705974f2bd0ce1ad6727136d77529e3b400db0d14ffeabbac877cdf6a38ca66d83492a90482343a5a427ae8b8f77a2f724aa30c11b9 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22325,6 +22450,7 @@ Entropy.14 = 
d233eed6e4a43436e4418ac071bf9ec00d463d0568cfaf7b4174f96c1f6b8564 - Nonce.14 = ea8e646e88f7fd6c8e590155df15558d - Output.14 = 314dca793ee1eb0dbe48bedc324b557966ac7a17b900bc4167ab4b65fe6b34ae625c200c4e21428ed258fe28b99c31cc4e8f9eb93a793c3e33fb0b75a2595a3201d939dddfa27911ad6f731894e16692343f25de291da89570a257a95cccb42f7d9820afa9b35d16664f95a2099ac929683b7480a4d1e34291853047ced3302a +@@ -44923,6 +45032,7 @@ Entropy.14 = 60da58990a377a615436ef43b1199f88c7a4629653dde2350a4c5115c42e52f6 + Nonce.14 = 592033d0de138ae7082c03553e3bfdf9 + Output.14 = 7a770dbe8e1d3af1dae5b93acd9e6f1748a4a6a88229a875d23b37665e0cc96d888dfdc428a32cab378a9ebe22409709cd9d11f0c751c08d98eeac13b6f76f0f51ccea254cae23177c3aa207c59b5ce221b93442d037256d553275a6c4b5c83c1fe555a630e37d8277e02c050c19e145a71ec98b96ae3ae44c9ff87c4501c1ff7fd5231510ac9df623b3fb178e147f07d1fe02b48e877cba89a822c91b5af56b71d60116c49f80d87656144854909a7d718b5aa8f071f18357c2c9f9b6c0fac3195040f26b86aa936fd35ff37287aa140cd01ca6c5e577d815790d6fcb1a57569d23e801e2eb2b669ae7cf17d87f9ee66e0b515bcab09087e111da199b6a15b2 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22405,6 +22531,7 @@ AdditionalInputA.14 = 46cc09705223bd3c01fa037d9a19dd2465bc612f519e51d33fbc845742 - AdditionalInputB.14 = a9f78f79d034d46086bbe5c8883dc2a34a1a17414aad2c767a3b3f23dfc9b637 - Output.14 = 2674afd329d03ad3b1bb8157c3100a312e29bd72b55139c408afe7f2c9e6d53df2cb8b829b7351a80cca8f0b59d60f6454ba60b154f654a09aa82a63fb28ceab9435cb6022934a0599a4c3a005bccdaa8bdaf8246ca654692a6c038cc82fea477fabdf3d6a0975e952ce3feb7fe8c4510b8c5347b21da5431cfee69e9dd2d8c4 +@@ -45003,6 +45113,7 @@ AdditionalInputA.14 = 967911f9412d40f2c62e43f48ff965bb1579a2ace388c781e125fe70f4 + AdditionalInputB.14 = 052c401de1053b8dea309196bb8e326d4b643371976d1ff6be0a6ea4ad27e5e9 + Output.14 = 
f7e8cdc3f8d2796414b9c83486d746cb8b1675b37d0d7546392c59622c693045dbcb10e9343524a6e7a9cc757717af22ddb8127bcdfb29cb8da409bd69d42aed9708cb2f904dff562a695be004ab25d31b8485bdd677c96d156ce8037726519d1949cc15e91acfd1c7c0bd58058b72c7d340b2f0bb12115ef44af6d20ce5f429d681b614e06bcddbf8ba00b40732b4dd425d1a87b663afce0e9a87b942a543b055f00b2428de12464a1309fccd0a15d512691e3858666ea4dc6084283deb075877c0162dbaf8318c9cda01ca611d72fac0b386a753ef35f438757cdf732a61a1f6123d1de3f61eb072d022f56c679a86f7a05bd6fa420ba39ed2973d4007b9cc +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22470,6 +22597,7 @@ Nonce.14 = 4788964160bb81d6f6c2675008b05410 - PersonalisationString.14 = c56e284ac65798010eb7bd39ffdf49bc25fc2e663e90ff93f73c97e65ea82935 - Output.14 = 683493fb3c6ba0ae0c42009beb39fc37a9d235fb3fa00648ce4d60b4d6bdecdbaa1e2ca0c0fc80c53f6f8ceab31c3c42764b8f23c4cda91743be33e0a77fe5a4297701bdec6b2a5712e76c64bb8b7e03a257c140cd8aafef046b049303679a7904f029444d92d673107bdbf769fc1130429ff64b527b0ce2420e2c70e8998ee8 +@@ -45068,6 +45179,7 @@ Nonce.14 = 0a6bef6b736129740978e31c3fa279e8 + PersonalisationString.14 = a5ca2491479bda16341b2c14339a5307fc2e2f5df4fa625e0ea351a95a14f588 + Output.14 = df587647f8d440a6c8034e757cd47f28d0e58f8aad9a047cdc8a70a8b1cd0d8185240d47bc5d2f4657205ed218ec38307e68efad94714630cd490b939719a4a07ab994793112c021969a8c69872903315c74b00b677648673e5883b5f46e075550092914cfeab05454226ee3d2154698f368bfda0b8b99eff5d111c1649a0f7e67ec0f637c6d3466994d655066a95732590e521ca055b048dbafd219be1a04fcd047c3722c4adf29ebd8486e7171359292e11ac6b740b4d51093383d64d2a45e51115c689ae29357366f2013eb9b420c6bd069d22c2110182e842eccadae81797a5f57d9ff47311f094ea0a25d7e329fcccb93c28b92ed85ccc2d690a84f2b2a +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -32177,6 +32305,7 @@ AdditionalInputA.14 = fc54b5339b37eb6889cfd7c185070bd0 - AdditionalInputB.14 = f6a783d6d42e5ad5abb0a996bddfa04c - Output.14 = 
683faa732c4551604c8865b5f777571c7d3cf1a60124c59b91283da0cda9b21761d1c17c81856958c6d590436c73594bb36f46c2f89237d8c7a7ddd2c58394c983f8f6c000d77566f2a1d89bac054bdb - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32227,6 +32356,7 @@ Entropy.14 = 08a325accfe119fa807a95e8cc2cd8ff041ccad8e2c4cf49 - Nonce.14 = c85baec1c2d1f3f189eecad5 - Output.14 = 2567712d6fd3b52364b508bb2e4ae18e34b155dbe99fef9acbe21346715d36c538dc380a5e5900e0ebde76c779006fabe2b3f171fa63fa0f5ba264748278549c9beb26db701c8fab7adfdf48eb63e48ca6f3be8f17131c5e9145f5dadb00fe666a651d2b1b9e785fd444b05d4efa8ccc - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32307,6 +32437,7 @@ AdditionalInputA.14 = ae701404440c584e27266a12318c1793b6a112d96e6a6749 - AdditionalInputB.14 = 53861747c9627e9244679d58e2dc8cfd8a72d1bab611dfd1 - Output.14 = 665481033912ca7d87caa56af2612338768b044953b02b9a50e0244bb805ca007648f71ccf923030e56baa13a88111fe211091a54744aa5d82abe97775878059dedc6272e7c7a5392d1fb443b770ee7f5dd05a3f2bba4cab1cf473d02648d4f8acce91ef167e3ac00c1c9324ca074486 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32372,6 +32503,7 @@ Nonce.14 = e41f19a969494a2293ad0542 - PersonalisationString.14 = f67bda6553b5e4b89e309cb48a336b78460aff498846c2e9 - Output.14 = 44d544ac910b7668ba9c5524e388957520fdbf11383808a5a8008d119aff7e1e2bbe63b4cbff19455f20f3dc79ab0a83dcf0e403728f2a2b2a9f3b98930d9f285641da3b6b9a9467b2701ce1ecac82bad8214bb618c40999f5023dc2d97dc1a53a0296d44f6fc9d49db00959c89e9f5e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32467,6 +32599,7 @@ AdditionalInputA.14 = 6a7418d4ffc40e11859f33189d5a8327042ec268b004ade8 - AdditionalInputB.14 = 97beb8c47434a23efe536287d776edda7ed7cae84c0c7e35 - Output.14 = 
1fe94acb5f5cb7e4a8edf5be61673bdc066288538dbd0ac29ce2d43f7b890028e48131e6b3a7cfbb42772b63f2fac8c0472418653ee2ebcdfa5ec08683e7d4a9cb2c67cf7e22c2ddc779c6d9971b29347e6688113294c902a5d62c1fc35595e091cb10e5a895d7c3697056659ae457d1 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32517,6 +32650,7 @@ Entropy.14 = a71c303bf17e128c8e0aa07fb61ccc1f40fdb487a955fd95 - Nonce.14 = d3ca16fb12ae4709d411e5c5 - Output.14 = 61a51fe1eca4cf947bbf2a77d643e7963ca2c587e0eacc8f7fab3b3f0e166197a4d15184cec4f0858de2773d8becb339bbb18ab2c10c8b246ca66dce48e2a0938fe1ab122b4930d603b937491ddd3d10abac731957f2e1e030eef33f7f311ed782b06697914145e266d0b967914d638a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32597,6 +32731,7 @@ AdditionalInputA.14 = e098f0e076a3f40fd970f5d221944f0040ef4a18d88dbe6c - AdditionalInputB.14 = d7eb01dfd7c13fece92d35133c3be71efba145d7353c6d69 - Output.14 = f03074a219ef31d395451ebc8534e4f2cd2dbfebbd9257507979ecec79a5f76359f2d6b4653b31704ae5a49f884db91ac335ddc6d11768cac7850734e76734b63b71ff12f3f8d42cd404009e7f4b66bc0a639a9354ebd754c17f3cc65704e698d9bc0640919c386e96760f3c36d8789e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32662,6 +32797,7 @@ Nonce.14 = 838d1c69d8408cf0134f54e1 - PersonalisationString.14 = f08a964b386eeadc4bbe57164d3b3a0c7c0068c49c9bc5ad - Output.14 = d8af077476875fca2ef9f04013976c3c278d30592361b923bab2f7e3c8af4affac5408c390b4989da254eeb97ccdabf32f5e246739d0e532a6ea317e7dda02bae5051ca97a445f5e0696a041e5f9f2c077b26e575d749cae344859864aa00f262c1c41b2964b78f72f9cb98abce103f9 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32757,6 +32893,7 @@ AdditionalInputA.14 = fa0823db6808a3de1a7dcc081c01cca840f68b005d473bfe - AdditionalInputB.14 = d3054fa2bdec7c63dc009ecccf25c1116380ac25f82a9085 - Output.14 = 
556e90c95c1abcdde027fb2b88cf191f0686830ecf3fbf89de51c9bd735726131472a17f307263d57c03bd5ecd9ceba6cd5759b06594bf901418e2421fcef4b72678614079cdf4d25fa0b74985380552d2bbf478290445066e3f4a40a2e2b0792a685b769ffdb27721b1faa484e9c783 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32807,6 +32944,7 @@ Entropy.14 = 2a55ddbf673f4e12538e61cd2bfda6f0316277661f553c38 - Nonce.14 = a0c71049f5c75c23cc11c7ca - Output.14 = a88e6cc37617929bee1e14f74ee363d1e05fee618fc1eb1f8abaff42c571048032c84ef0ec7a6d8ad7e6c5a4a6e90d714d76643eca063287929032fe75a2b63fb1f83ab36a7fa12a12d7332459bba56b017654bc0fc29beae1897863a63276208f9d11a32780a627135b271efda4f4f0 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32887,6 +33025,7 @@ AdditionalInputA.14 = 65e70309f7386d1a0aaa53da65263d5263bc5eaff0d5f3d8 - AdditionalInputB.14 = abb8cd0ce0560309d2424d2f3fdce7af085e6c14699b4799 - Output.14 = 8188a498ef9e0fd52a77c3a44f1c7edccf9248590aebc52cb9ba7b5cddffe867b26309f032a78c0ab751741fdd9bd77d4bd17be90dd045f6f8b45826c9900028f68138cf1ca8e18b253b8eb73ae04f2e156d51a792abdc6524e4f45e4ed0b06ab3b0c94bc5e1ed58f917c17f72161d31 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32952,6 +33091,7 @@ Nonce.14 = 1ffb77244697c3d67a564d06 - PersonalisationString.14 = 62865bf0f5af2146440d74e5ac8787cbedc544de16db24f1 - Output.14 = 1a74f62cc6bb05ff956d1af526926b937a84352830a78c7ecd2ad9c39a796f29f640d188ded8bda0e66ba81c941fed5e82f3c78543d9fca14335459ad9d573362f6b5d69861cb94c0bb055723ba5416b1fe08e74f27f23cdec9db05b50b01a20f0337cafec896f5f7412e1dbe7307e0c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -33047,6 +33187,7 @@ AdditionalInputA.14 = 1a6853817be281e26796430dc90f014f6fde64cbef16e58d - AdditionalInputB.14 = bdfa703974a758cd4eb00661e0f4663f4e574cc7be6906e9 - Output.14 = 
23c9f591ec9abea9f9eb89ab8d705a1e570fd2888772db5d6fc6e418a34e32d78fe49be8d4d8288fa397b57afd49c07b715e276c68a2eb8f3e63f67de21d8ad23fbbdcfa03b201952fae49928ce4da66cb70638398bfdba4db7635c8c726a3cdac22c98ae776e881edd60b69f0b38e4c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -33097,6 +33238,7 @@ Entropy.14 = 7c8a961f01c1888456ae6042caf338c3ab8b5be28b34d15b - Nonce.14 = 61edc22b49e518eaa9e4e04d - Output.14 = 9d2eb0a41f7b03ccae8e4e3c61628e6710f5999f3991f04ba90fb3007275d07ff169d325ab26f3446e585c2d454ff8f6cd4a520190afbc06f30ec9b49668b09de45a116b171c210f5f888cf3c273c803044b17a16b06b44bc39344f2b2acb2f21f4b0a7abafec8c8d406d26477db9b7b - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -33177,6 +33319,7 @@ AdditionalInputA.14 = 71b5b9e9b813b5f69e8fa9fa7f588217268581b7d135fd7b - AdditionalInputB.14 = e5b06d8f12539d36c665cf129c1c42e3b7e88edce1650870 - Output.14 = 64595391a02ff750b46418274b8366bbca0e9c52c95bbdfa65882b76395887a018faa276f3fd6c8dbccdb964755e36508897cdac977037d0978f2752d1dc68bde3ba1edc94787c1c8cfe42c2347052da30ba7f1e06b44c10805196e7bb048cf572fda62b4a28fc189702b1e575b008ef - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -33242,6 +33385,7 @@ Nonce.14 = a16783ada78fa029ca3fe31b - PersonalisationString.14 = b20dae78f254b07fe3eeb7c793334f3f432930353fe7f221 - Output.14 = 081803927779c7b2039681db542c965fe48dc3cfde712a361e77da9aaf9f21cf38e18b4e8e5ae5a365910ada327b05630abe87858163713fd8c2988975eca44ee3725370f1c68117e58c2164605524102f22f3ea55f21f7e8fccd9861c59973d71c0aaca574480be6ec8e1fb9a163680 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -34497,6 +34641,7 @@ AdditionalInputA.14 = 228522e58e65d50dfd176e8ff1749faa70fc2c82eda25b0748ddc5d41f - AdditionalInputB.14 = 7af60c47b4cd146a39887c9b812a1dd814d74c398609bbbfb57e73da9caff57a - Output.14 = 
9528c88f0aea3fc03bb8a9061e159a06d78a2a654408808aa4d0e73ab1a51e5aa85e8bcae72d34784ff6f513193e183d556ddac5675314f2b5cfe392d1526056afe32d7c03e09ba2bdf3b10e228b0f600a61cccd9e7bf14dccf13b16a838e60909785307e6905d510d9888eaab169fa601558fc952aa8559d270ecd386d7fbd7 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34547,6 +34692,7 @@ Entropy.14 = c0509068d88167921812103b67e734698d68718ecf42cd99e0f55836c162d450 - Nonce.14 = 71a50d2db258ea35ba69b5716bf68a14 - Output.14 = f66c05713ebe804b4273103997d260adbe8a7d0f6b2bb862b867ca59874ab9e0898102664af2a8db24a7ccb4637269ac67d5e834941303acab9076ebfa04cef64f73480afb6808f11e6ab1a9deae514f5db1c90c59ce988cc1d04012640a40173362de2689f88647268c665ca44f57534c9ad9b8316b9cd1d5a14942e94e90607acf6ad37a2398979e56e9c227c1803f90844d6140f10d0baf20dd789d808a647b4df54d2136d967461383dd4db9dc154dd89cd282a2766dd6086bf3825d095c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34627,6 +34773,7 @@ AdditionalInputA.14 = 25d2ad9eecd3bb8bb60769942abd16edf0ba777f2541a4b0e80fdd70fc - AdditionalInputB.14 = 608c5789b5a2a6c11c7df095be8c81968c0bdbc6296026ab65195bdc5a297366 - Output.14 = e1c600294a86393b7067b6e77ca83e68d28a6b76f6f81007183be65a50fd2f1adf6eec5a64cc753c5bd0ebc12387bde8c6ec10e6ec7e603f09d4ae624cc5423b5bd53da4f0af064e14a7d176369f1726fdcf6468ee15ffd7db3be48d196601506c71e2f443a768e03ebc35245d254bb87a392508ab07c95bce84ba81058ca1545289c9d8142aa0858c9cd5ba54ee2bb75cebb5b74e0d099ee458752d11ed70122aed1254609a715ddf2720798c9194ae4a7424e2c518ce7a8277ec79da86263a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34692,6 +34839,7 @@ Nonce.14 = aadd62dbd7b34bf2021ea74a2788b17b - PersonalisationString.14 = cc3308e380672a955620fba59999ec4fcabf1b7f63089a124cc1f65d58b691e3 - Output.14 = 
6c39f49bb51765dbae1de8325e7a6f8f8aec031dbdd94b83d5c4e062848eb4e01e3912784f817ee16f9c2dd0129eacd3f7b8d5bb4cf9a4a2ef823b0505c2ac8e4a1ec30812e98564aebaec14ff710a77c1904ab1fa3fef3c3d09f2d55b047a8db860322fab6d939093385838ec6d11667ca843f69268ba1fb7edc462fcc285adc9b4b97f0f717c28ac1b6f371d90baa86e8728051dfe9b68f15dd31a6da35194253545a5d667df6a1322f6b73ba661c7407608fa42e1b894bd1b6e7641749977 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34787,6 +34935,7 @@ AdditionalInputA.14 = 0d81d8c5af9885d1b30d2174429bcc6979bdb2b82e6fd3ccdfe93f36fa - AdditionalInputB.14 = c63866629ed771e53d2fe2d5c21e98ebde295c3fc3896fb67279427c61a89eb7 - Output.14 = b369b226dd535dbdab45ff8f13735214f9abe6d11463a44804b838d2932112ce6799341505b7b5bab423a3794c37f383b06be1fe21f5c7da97b333a41fb67908dbeeb2450a3581ef71870c964c976f039ee856fa507e9de948c4c097a64070b23cfa09ab7506a8ec4fc38a38ce21fbee3f3c1ef3ab598f5da202f35b90f422af31688402509c38ac25359409d2b61958390d28ca2d8b5dea99ae26c90978f01d7a482c12e134a81de0bf6c9f39e32a8b597ec7b7a05a805ebc7ce260c381f189 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34837,6 +34986,7 @@ Entropy.14 = 5b50064163ae6238f462461472ad2ac9acc300316e140abd9cd6edb87b8ffa09 - Nonce.14 = 581d145675384210801d9c75d4d19624 - Output.14 = de0ace4f4a728c681a0b326298142fe79cbff2ce5230e6c1ca3e2808692d02e4845867763cb9e93acb983aa54659be6f9baf210048baf7ea4f062bd7e3d9a6d5e7dccf427422b9dd93d392ffc810dfe185bbee253c3208e22a83c9804501321c6cc0357d22859487a3eaba53444f4027843699d5a78214c431ea741bba73bd29550925443cfa5f494372bd0e482e3ab4eace1b60187b6db588c0d252c8da3e0d6dd3e475040817ca2c85b1149d8447a52c111f05d7c14a0f6b7b6ea4f60aed3e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34917,6 +35067,7 @@ AdditionalInputA.14 = 80bb70930ef2015949b53d787630f5de93d93f98c577ca4632266e1bb1 - AdditionalInputB.14 = b6afd2c00be2eaed5c1991909e89029db0b04598115fae5118cc215298e0528b - 
Output.14 = c20bd78d9c396fc8fb408361e1dd4827ed3231617a73cd8848e493927207ea23e6efecd4fae36aff74b5235067543c7eb44c290122f9167a0ec4c6a530ecb0936fd683fbd866b73afb712b2f20ccc981b3f70faec4f4fda62e956c7d04cf578b06259b0f3c044e6dc68baf91e6149efa70b2ad2b81c8e14d1a994887193e53bdb5986a23d0412e989c447689a71b283934e50c25e10bdef0b22ce7368840cf761e32aebc07d7b51da16dad4c332926a4cc9853ac8db36b4b01bb36746a28f527 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34982,6 +35133,7 @@ Nonce.14 = 3432a2e2263728e375ab973bb5842d40 - PersonalisationString.14 = ccfee35071757d5141f55a481b7c44a584c5e537c636d4d0ba10dc3c88adf6a2 - Output.14 = 72a77d1c5dea9d00c349d4e5a9e6dff63ef6cb80b7998ef62e7a1fdc2267057d07fafb993e8df868821c6cf76430f3b7ff24a527f7e41fda6d560a773d05bc003f7e1ed5085f6da3785dd999a4763894455febf7618750bad4e30d8f52f3a072af30d57df5afda08ae7cebdcb659e6cdeaff52b47d4dc571e28315ff0e38538baf436e02d157b64afc6d50e6a4c5842aff1e7573888c6ff9beaf4f91aed988f03032388940c4f54afda05bf55ef6fc8c673f01ab545838574f3bd4f22865cfd6 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35077,6 +35229,7 @@ AdditionalInputA.14 = 0facad642bc0004f946e3fdd149a4c0e52475c9e832c85b228bff6f2a4 - AdditionalInputB.14 = 19d477a7dd45a0b733e6c301a4fd44ddf65d4fe0a0435b57e319e31de4797427 - Output.14 = 2a48844f6919ed43a2b0b64a1d28707fd3265b418e0673190b49a606358062c1a54a6071c845adc6ad74193d746668f890423ebb971a63cedae3241005432c8f3fa3fe7f98d5912da34dabcfeb17c03ee8881de7b2ef04fa2147b78532eb0ce7d9244d717697138f116341c7b9e99f15728207f6a73c651b8940582f9f926253420a853ae18132093183a6073e3bc85633b75e1c6cec9323ed4142d0c8ca0dd5ab2ff2e6b304ab8cfe4aa98ac64951d836e074169d375ebeae8498f11bd02c05 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35127,6 +35280,7 @@ Entropy.14 = 3b6dde5f550d482d30eee2288bff802241ef20ec15696e614b7268f7c574eb1f - Nonce.14 = b8d8984703ca7f942951fca97129135a - Output.14 = 
36d0cce70eb5aaccf9b172fccf68e01eb8ac8b1f2652cdd238f4b070c8f2d9a128418badb38d5d5fabe28b59d15cd432010716fa6a48071114b2168cd29028386171594291118e54fbf5b61ae3fbbf9a21ebe73a4aba482c7cdc5ea1a4f21a0f1b38812cefff9bae78c2b95f417dc0cda010079b637f825dcba059d154f5a53050db773250013a1f051de9f7882433d2054ef2adf9b7b57c67173c06ad16cac6bdf74a10bcc666f7d4a091a78131c5ed76fb733791278b6ee0f55302c4b122a4 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35207,6 +35361,7 @@ AdditionalInputA.14 = c6a3bc83220c7708eb7fff5787ecba27e48c894e15302e0ee7f4e5f09b - AdditionalInputB.14 = 39b854a1c487e24e1ed58916d8012277fafd6e7b6175c4be43927cfac9958404 - Output.14 = f7d2f39a513f6c4eab993fa440b769ce09a15476e06ceda47969be05f53ec7f8409de284749cdcfac07fe7df66b1b6bd39389401909f3a84538d041e1c038a289869e51bce8bac13a0f786cb091628f0a3a7f7f9a2f620c98889688d46a2a037fbc1b2a4fff40800eaccf98a0bc1452ff1f53f040daa94e17dcd6acef97192c74075d064be5a97205ad97f693257d96c04e78654a694e90b80a5234a25d1c7ceef360d53e768067335097c4aa8f126a31882eff8e55cee05eba4b4325c203f4b - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35272,6 +35427,7 @@ Nonce.14 = a684932ea2337296cc3d150174a47ce0 - PersonalisationString.14 = b2c0af9038c2ef79ca8263a047bb9293a44ecdb457fb45945996157dcd199cec - Output.14 = 316fbc32ecc1dfa778b13921b1d624f9231c0ecca03e17fde750b1e31e76b1c330ea5bd62ca76150f231ac4aa96b06f845db2d03b65cdaba4c160b288a121eb144058f65a751e22151f91b90131e6756356e7f90d880ce754cf965f439189eb8bedf86c58e1fc2751e65637930c42552fdf81acfa1d4515ad49dc532b2a10b2b11209425ed1cf43c991b4a7c49bf6e701990fddc420608d74c3636829e4683c4e77a8151708d82ef8fb81b3655670fd4d242e357831bc091f30e6d139d5e5ba5 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35367,6 +35523,7 @@ AdditionalInputA.14 = fa32817ad83c85b594976eafab28fe25c45aa74d0ab4750b33dbfd8836 - AdditionalInputB.14 = 
2e5cb3c7c9503e019b3383eb6264d6000160c3c99ee5700e7a92433da1c01f56 - Output.14 = a7571c1afd3d1dc1d3b28dbab54fe3514a0ec74ccf999376a963a3820474cdd67b190551ad5b24f4376633b4964490f79a94059a55b967f8dbe58eb20d70f1fdac91565bd8daf5223abfa13b132a140acd33e36f29fe1b107f62e6c45a679247b80c0aa050f1c2d3195629baef7422b72fb3cfbb82a2e4dd1966b1cc27b8e6df1907fbd6320f25594e1eff912cd9685755473b908e06fd30c4359258be0580e6bb2f986b0450d53fdbfefc3bf06c0d80648800234100af755acec4f809c39f3e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35417,6 +35574,7 @@ Entropy.14 = 1e1cde834393e00a2136b8924be5600c8bf59dc2d8a9eeae467ede71ee7b75af - Nonce.14 = b6035e96adcb7e8f2e17022e2e4f39ad - Output.14 = 9dde9f29034b6e784be24fe600c39b091568afb4c40c8e05b8b7dc36ca74a1bed38ab15643ca8c6da2f5aa4b7a6a5d5c9920cc31129c84e2fc9b865b3f30b698a143189a3f3b692b3e5641499c949e53e3619cb112f42046a18d5d12dfb3c6932a6a829d07deb17b799519b81e961ff293c0b2d24b629fe906166e330135e4ffd00609462f0f9b89a110084945243972486a0e1aedb2eceec02d402696c89abbc950dcaa72d7b0e00ed8e65c3e9eb1af7535de2da728f901650633242b3368c6 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35497,6 +35655,7 @@ AdditionalInputA.14 = 7112823304b16377182ff9aba920c97ec4d4f23cd472fa9954ded16495 - AdditionalInputB.14 = ba183a035635d9617bd71b59fccd561f1c78a7589c7fb3fedf41dc2e6d5015c9 - Output.14 = 94e577e5c4f66be345c6be7038b02fcfb4070d5bf74f8004b59c279cce961dcf5bfdce2f01e007790cf770587a68d0d24ef0fcd1a148fca6920e707289e58b81fa4a58b5a018a358d336a20daef30b2881844838e51c56f11533b25c77b9c6c6bb2c0657350f011b24db6c60a84232dbcd218a816563737585c1ca6152ff13304ca86dff20f9f9596aaa21448f2c6e620eee58f69338e3b675d29b478f34f0e60dfe7f12f02e6181d19185f7dc945210d86d31e85eae03161e947fec0f0fc91d - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35562,6 +35721,7 @@ Nonce.14 = 67f50628067bc401648926d7567711cb - PersonalisationString.14 = 
5f8cb19e3c86b179ffb8812db791e8bbe6b0caff958715dd9e3368a2d48f65d7 - Output.14 = f178a20d27725759c839e7fabb63bd101c3352f582524ff088ccaf6f0546ecbd3d5165f1e3cacbb49ede115b8f6c8db3aa9720692efda124138d29eac17637b84977384fb88e81289ed5ec960e6e98fdc71d03ef0bbc05ac7682acdc62888b49fdbb442080687f902b5a313ac88d364b13871b20f684cf1acbfa229fa203607a0a37b4e1685d13a508da9f48dcd83f26751a2284044f93e18b2a206a1887d77c4b76e821952b376f19fcf53d83f704e3ec3b5c3cb4c390b213d57dbe4852914b - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -36817,6 +36977,7 @@ AdditionalInputA.14 = 2cc9f137fcd8c2d526d70093fe11f90a0a36bc9764a4c5609072e181a2 - AdditionalInputB.14 = e40361245b91880e308fb777c28bbfaea5982e45fecb7757bb1c9de2df9dc612 - Output.14 = 66ad048b4d2d003223c64dd9827cc22ed3ec8fcb61209d199619177592e9b89226be30b1930bdd749f30ed09da52abaa2e599afaf91903e7a2b59ffb8fd470e6604485a27c200d375feff621118595a7a3057b7e31eadc0687b1008c3cb2c7435a5704b1a1a6a3487d60fd14793c31486af765ce2ce182de88112445dd5ff11b256cfda07018b95f97edbab4e4c39ca097c42f9dce80cd3f32677f3c224a86b315d02e377dca8f3785e9748ffdbe3fcaa3b0c6bf001b63b57426836358e9b315c6718e0b74fb82b9bf3df700a641ab9411d1b9fba42309a84bef67a14204f3160ed16a5497fe211aa1f5d3ae4b858b6d445f1d094543d0107ce04ef1d1ba33ab - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -36867,6 +37028,7 @@ Entropy.14 = 42623115c0a43edeab391ee8ac84c2b3b1bebba8a6040cd1 - Nonce.14 = b79f5c377be52381210c1c2c - Output.14 = a59dcfa9585b1080cee51ee493fabc22394ccd0949e3a4d4e5b8d60e1137288d20f65e7f1ddc1345869e1af62562d6c11044bb65d11dc0071a04a2cd0eab76718ec9a67d4482acbc82ac27685b98c50064b41e120a35e5ca57ed1bed6963fdd03e26865ddd3217d67cdddbc990c5833c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -36947,6 +37109,7 @@ AdditionalInputA.14 = 450a2109e7d83a3ab2e628ab35af4dce8ce7205de7c5f365 - AdditionalInputB.14 = 60d0ce5e11413c321535d849da56c3d9bf6222a3d2cf77e9 
- Output.14 = 27397574a1ad91ef6f332c954c0d5802cb9c90926ab05c116586995bd795a2f1b4706487da86282e33d0b44dcb7a58c8c4a2874ed4646a1e963b7d26b62e0a5e0a5bb60ec6e07ea6b7b7fe1194c3ca4371736e595707ca7fb56bc924089e66b137c47f9dde74b5de3687aebc2f5c2a39 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37012,6 +37175,7 @@ Nonce.14 = f2435f70e075f8044d4235cb - PersonalisationString.14 = 80fa0ec5a3a1b46cd639ae19c137239ba8113db33984c593 - Output.14 = e547f6d8cd665204f8ebf6d64ecaa23fcc59c1682eab3190bc76ad4981d68810833f1212965def4868883529c0bae4a2345da6a0e6a7e766d16022c6f371db8ad089d9227e3a85168d080c3ff2bdd604e7f8404a16268bd66d70f5fb164cee60f1af97bdb6e1d72059d7028a13ec83f5 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37107,6 +37271,7 @@ AdditionalInputA.14 = 81356bf7d3122bd65b5d96d2ca68875e1d77b36edb8e92b3 - AdditionalInputB.14 = 1f185d4aeca1d95ba4c8e7867df64296525e00db7da61e88 - Output.14 = 8032e92efc35ace508d8a10f36a6e7110cd0b087cf853409e83dbc554633380e9793b7657a23a931e34347fe0ba34c2abdef6a8505e44da62fee97a9543b9e6dd6538726ec2cc6f6d19382562a4a438a2b0756fa66b48628af292e2f53e49edfae3ccc48a95f24c940a90d1abfdd6d0b - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37157,6 +37322,7 @@ Entropy.14 = 3879ca720aaebb2a29c99c0aa21d63308b44677f2bbe6056 - Nonce.14 = 2642dd7030605b3608f4513e - Output.14 = b7ddc2d0295a550e44103ffe7e6e1771cd488fa2ea32b091076085284edb870220e02ba6facdf27d8b34209048d0aa4cce4556c074fc7ec2c3691b95aac3f47c3b42bee3c2e35da17b040188d47b7effef8ac471a669f29e6c4b97ff6836cb9fd8954f57309a97e9a697e061010525a1 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37237,6 +37403,7 @@ AdditionalInputA.14 = 13998df6bfa51c2708775384f01cfe8f4755b6fe4b3c2fd8 - AdditionalInputB.14 = 8d25383b6d04285fb699c644bfc9b7fc72de41c733f35b27 - Output.14 = 
3f408ca372917703ecb3449ea55de7a969a5ba184eee8f30fb19b99ae827c66b13f29d4d3a0236aefdaca63c28bb71595d3dc1fc20f1e7ba1b1c9bdb7c2122bd8e443b00b5339508c315ebbfc9bc3c7bebaaf83312325bae696a576b3c92931eef6b4eab6bd90c140295f47994ec6e34 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37302,6 +37469,7 @@ Nonce.14 = ddb5c0cd2b4b640898c2fd1a - PersonalisationString.14 = a096d62f947314691cfb647cc2f331af834cbcdd5918f099 - Output.14 = dc9175fb05854708739c3da005592ada29d408ed6162dd278ee457bd3304e4f7011355da2302df1d0d190ef846cadaccfa5325d3f71c407ab2434d65d815dafa6ca15f7e701a104225a839f2fa9874ad49bbdbee576b1bc71ace28c825095510890861c851bb79e2e2e922c3ac22fcde - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37397,6 +37565,7 @@ AdditionalInputA.14 = 2bc060710fe3d92760adc274b878de0df82804e840cd098d - AdditionalInputB.14 = de879de9c03efe5a68a12da7a06003ffbbea0a9c53f5e0bb - Output.14 = 4968c67d2f830b591531d620b6c40de4e9a15dc97c70b8b059023033bea376953cc5fb415d823d55d5b02b17c2ac60a1c8ee7473d25e94888fae15c6a7770b75565fe505a117c734d0c7d0386cff907a893da3a83d45f51bec9d95670374524b4f59e45a04c88d1756ed854fa9f65693 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37447,6 +37616,7 @@ Entropy.14 = 7ce7dd98c93953a8b60d395a68f03b8919931031e8f68bb9 - Nonce.14 = 1c217188f9c7980b8b03b41b - Output.14 = 58884a4316fe8104459bb339a4bac08d95461ad8e58f333eae5ceeecbf2d375e8fbb82eb1d29890ee0c56037bbbac8cd8e202d7ef05ed7126a15064699b9dfd4523782aabc6eaf21f1727d02c1311f5812c4b4294827a75f1cd6e6dcc73ba45ea8fc5f2647dff725f5fd9bc64d7b21ec - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37527,6 +37697,7 @@ AdditionalInputA.14 = e73890b772747a356ee1527501410eb5cddef015a8d6fbd7 - AdditionalInputB.14 = 9145caf79d0b85bb7874c2dc82d52bcca68225a18de258cb - Output.14 = 
4ce4c45336ed4bdf4004f326a049c195c26ff11aadde90d7d035ce277a5b158577a7e9971063ee9c0b5063ab1f20c90f619137c2f4713831d18f2237e1a3d522af9a585e5f43f07d911b8b977f6c644784c9c02238b9fcd0f663c8bc1913f783c200b388b4ecf30246c7120adf3db79b - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37592,6 +37763,7 @@ Nonce.14 = 2b884a75ff571f92ba1eb965 - PersonalisationString.14 = 273f3885354c0a8296b0862e19157fbad69578ec121cecbb - Output.14 = b60362ddfbb4fc41f4f5ef353fc0fd8f31e139876a3af0e69f9049aca46a5989ee3a1ebb6cf14f525c3d8a944f4e88e030e020ef6551289c93f5c6ca2f6bc495cdf49ac91bb86e4766ccbace5f7aba008390d2b6dfd416d63ebfe07f5d583b8f9916ebb54620953d0b73c136de06f520 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37687,6 +37859,7 @@ AdditionalInputA.14 = 69720682d68b7043c331b889ce6d3d83aa3d33846e9ddc86 - AdditionalInputB.14 = 350c63e7b01ecff4aa171f157c71f89a55637c2cac0253e8 - Output.14 = 63fc9293971bc8dc151bcc2df20e4b5c7604138e4df49fed323c9f1cdeade3d5d1c8bc89e507e5da1f38c1f76d968ee45ba53a3da35e693e00afd683817ee7da5cd2b0a657ac6cf95913c859c6b4a15449fe9045a3af03cc198cf10b2deb67c5c3e9cf9a40b8251de19c6cf3114bfe22 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37737,6 +37910,7 @@ Entropy.14 = e03af342db03da30e2b0e5b8ed76c2562194417fbf6be645 - Nonce.14 = 6a9a5188dabd510894073f76 - Output.14 = 7963276f1054db251369a0b91d854fabaa3dd5b2343ef4306cf897bf964fc8b885908c4ada163b929a19c948ac89c8480170eb59b9a8d7d2d30ddfd1248e2c1795c69da81fe72d6361d34754f88eeffca2c31859bc8940d6662abe2622fdfcc28a1764355aaf46a2e00e50606af2b6be - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37817,6 +37991,7 @@ AdditionalInputA.14 = 9b6c491387a2394b94bfa8b077cd43bac49117e94afb9616 - AdditionalInputB.14 = 7c04bea824d8aa7b19facfeb3a676eb51c31d7b92f0ca1ac - Output.14 = 
332b884c8edcb260c535a218001d421e190d8b9c6b856fbc5a4ab45f92149487f8563138312a42487969370440675f5bc9b21a75d2a8386867fdf861c8650e26af47c5efd81d9fc39cbcd44ab0f4cb10325fed6f5b7ce5d8111ff71e5d78c7d1f53410e5ba492b9f68ca55325ea8b318 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-512 PredictionResistance = 0 -@@ -37882,6 +38057,7 @@ Nonce.14 = 9dcc6c4317ff492d0d7dec5b - PersonalisationString.14 = 7d30c5a4aa169c6dce156a8eaf000f9be0f8681e3282dbae - Output.14 = 550a9ad9e45ba359d463c1e084777bfb2ee25ff791070a87f01adc04cd1a7e9e6ef334e477fb5cadd82381e0add8a39ffc222150f17b8bb0d3b1cd80948c0a5ee09a84ccfff6c9ac33e6831d1a84182edac6bcc25fe357a708f78db9a88daf553914cdf0bc7a9b0527597f73707fec8e +@@ -68233,6 +68345,7 @@ Output.14 = 6af689cec62a633492f6e24b754d38dd6ab0b556e91802d72f14dc8c0e9ff50df728 -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37977,6 +38153,7 @@ AdditionalInputA.14 = 1b8725447ec539ea4a13c47b323f1d6f435ba7e624dcf5af - AdditionalInputB.14 = 86d30af40a7a395764b8b69f2656954c7c3f1c30b2b703b0 - Output.14 = 2fb2f24b2c38f217232dc22ecc7380b8240b05d2c7bc0e3dfdad268c8c10912a92595d70dd98e7ecdbdc6d7bce6c72cdebd7e121d75de8b6795b660be9096a1f24a97e9c5344c35f04451dbd8d9808c7a84c6fbafab6d060026490d492060f052fbf21a3bfa2a8e4a40db58672ca52ce - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38027,6 +38204,7 @@ Entropy.14 = 9021c403eada5eac222dc48e1437b6de48ca31b9e7e76fc5f60653a3d901308a - Nonce.14 = 503b4bbc0ca538983285857a573f6166 - Output.14 = bca7456257568a178877bca602d331161828a4ed0758d1ec3febcc21717cc4142e5481dc9756c56099cb043130345689156cb96e1664ad007c461ef8b5b0fa7d18508541f528a43fe8c719f3a269ff2821ca655980579dfc2c794da673b8c9234d561b833855efc91b4747ea5135a1a05017543f5780f2cde8b472787173ec50 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38107,6 +38285,7 @@ AdditionalInputA.14 = 
439ba9ee252edb11b09fd765266b220077ab641cd7ed42b7cedc96b399 - AdditionalInputB.14 = 18e1dab1f2af82b8912be6791b003d7b0d66ce76a78cc17b753055b7b48cd2e9 - Output.14 = 5af9e042af202c9584bb69cb54738c0352ef2c9b9483d6fc8efd525ca38e62f535f2ed5658770e8cc5d53d9f1964b8a55d871c78250851491441c924701a52175410f52b162ebfe3991a72472d8842248402a666d726ea71437fc4a521543a323d501a6942ec4b7fb77ce462face53a2ab9b1b9fcccfe2346adf36027c48293e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38172,6 +38351,7 @@ Nonce.14 = ef68efad369ca5fe791ad438cf9dbbd2 - PersonalisationString.14 = 012ff5b08fe14fad65ebad5f15d74fd72d8577115e5e91262043e85a13a3043b - Output.14 = 1779c05411254dc5ff714eb56332cdf9a378a160bf0a20ca2da9e4c3b4e3c425d2f08dc969bd4924560c8caf9686b27720307af8246e6cef20fcbc00cb1f137b6efe9902f9944c1384bf917675a52b7b816795327afc4896182a78d4664b98196f89c466d5fe1e2a54122035863c8bd61461b2ef9e7b469492ff63364b013dfb - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38267,6 +38447,7 @@ AdditionalInputA.14 = 77d998ddfd7ab7577ca9f51d6cfbec955aaf9f88cbb3ae32db7f7c4609 - AdditionalInputB.14 = 9ebaa09e7057ad7cfbf02e8f3143ef7b7c1dd6158f641815ecdf8e4a65c17f19 - Output.14 = 161efdc30cdd124d4d6b3d43798dd79bac70f494c3ebaca111cfa3d9343bdb73ac0def00776486584f932cab74ee12a391cbf4890b10044f7de6c73f973e43837a43b7c47a1a9a36d7e62f9b7ce40064994a610b92d68c6d37aa5d9d92c3d858770ffb8fbd87324b49101bade3f2014bcae7deffc1e4f6a1a91ddfe7e6aa33cd - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38317,6 +38498,7 @@ Entropy.14 = 0653c409e957302f6eb62bbc4f42b30942ff7860e7c38dfb2fd26b164e83a713 - Nonce.14 = 273f7eab3dc9bf11216d5216bd12478d - Output.14 = 
51dfe9851da8d7d5add3dae413d8bab8bc7d1fcecea00795ffadce047d5243ae36f29f3611fb8cb66e98717a98735384aa6a310696356cb48f4672b2ddccf86eb44777c1616338792629b6cc6ec2b66dbacc1a6b66bd9364914f1f43277f6f43e13145fcdb73a4aca6b784f9084d22c967033651da610e9a85b1eb7513683dc9 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38397,6 +38579,7 @@ AdditionalInputA.14 = ca73cf447f2fc3984a9de0290fd9a984a8460ac715cddd9e8ed99aafd6 - AdditionalInputB.14 = 21dd9cb8e146954a9745fabe039f6f52ba8200f575e9bbe19c703b8864f34e93 - Output.14 = f1b153ae274a380c28668f1ee2c8c3a91f5380d41bd611d974e4e419a37debe664d0b706722184fd3e805f2ff05554bde7219023d1f62a52970aedf4d77e7b4604cac2a804e7b9353c087752f7f185991b10910724d0fd06dc6526d6102c8d0ee8c32f6692c2786d3b715bf3860539689e3f415855ddc37bbb6750972f3a45ca - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38462,6 +38645,7 @@ Nonce.14 = 10818cc50b58ccb660d65ff705041a37 - PersonalisationString.14 = 2756a89e79266d6d86bbd865708321f529b023d0cb5ee5d9888c37db33dd5164 - Output.14 = 7b3d778ee1623b08875305d5761ce2cf44ef1bab87c7d0f29c862c40d3da31240e7450d827909b6b131a9b0e9ad68d5c02caebf4f3b0b7d7ac1cc58e353ba68e7ac9eefc3de1310cf9bf5f4b854ef3fc36e940d4fc50072845a83c38a7d4372c191b900d11d11a907a50607c348951ccfeba4efc30377e4a965056e4e84eeb02 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38557,6 +38741,7 @@ AdditionalInputA.14 = 764b81871036cf65802c4e9659e25b8039be84bad1b121b536d2ffc269 - AdditionalInputB.14 = 28d46df3c254e5cc199e14b45bb1e2f85a5da03f49dd76b5a16b76723d5b9855 - Output.14 = 94e1fa76f879eb9840cd50853565f43cd7b0545705bd9a35494668bef7d7e7085b48a455b38fcf10f145f28a599c58e2f88c2855f2437a17d7333d243a1c25b76bebc6a94f7abc3fabe4c78041d9b3eaf675c11970b14cfc6ff20c8b23852b2733ef8d8416a920617a9b271beeabdb0462e5d23fd68b56f58e3554e81493c5a5 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance 
= 0 -@@ -38607,6 +38792,7 @@ Entropy.14 = 3bb1f6cabc56a02643eb767cc6e5bb3a5bd765555e4e27159ec905012f58de22 - Nonce.14 = cc37cc9b20a2e4de0bdf8ccc3261eb90 - Output.14 = 28f20b9a94340aaa6ca98174b5929ce3329d81bebd67faf5e30d12f775748c34c848bcda26cac8b4a9b34c7c92c9984a6f5a85269583358e985c2b372a887f9e3f0f3920dd512def27d818522ed1a49e96d00a5aeb41bafd152144a8b6f93426e73d6e8ef7a8a5381bc464b24061080af02aac51fdc52f404e1349b7d04daef8 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38687,6 +38873,7 @@ AdditionalInputA.14 = 2be009fb81ff22c5c2e15c988cdac8f21a6f17a4277fb1df773bbbcc39 - AdditionalInputB.14 = 0c869f061049dbaea48af93272c5b321977659a79f8bf0a5c6d68b982ef44b88 - Output.14 = cd9e8213591ed7e30743ba0dbae5f08a4021845d961040c5188093d518c3135048ea8ff052fd66fa83bf98c06d39c6cb522dbc938b6824f51488197159666369e7a9444e04b7ce5832bd6db1b3cebf8c0f7bf865bfc3cf60d2a2c0ef06abf7737590fba097c29fed234369cf9f064b142ca30e3941093904945021372c20d90e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38752,6 +38939,7 @@ Nonce.14 = 704e8e29c7aac1d8cbe97bd7305f8cb3 - PersonalisationString.14 = 631c5d0240b8d9800211ee6c97a5ae77405a354ac25705f22d405e17a52109cb - Output.14 = 9ee855e661d4293fdd7353492c711b39625ead90849ae5808b1f67c55cabe17ae13f0f18c0954341d6a2d24b899785642c0b29bb1b81fe098a17f8701e8820cacf6c00a8dab2e96e7f8593e188aae48385ede7bb5ed5ffa3f19053663383d666d38eea377d121e0b55ee58ee8fbf1e49c42a4d3d48fb0c9247c6b94c6539f4cf - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38847,6 +39035,7 @@ AdditionalInputA.14 = cf6884bb4cf7c08ea954cc2d2389eaaaaaa3bf9ab1dd74372c20bb3e12 - AdditionalInputB.14 = 2b30cc597b280e704632ed1cd2bbbbba7a9953deaa809848eb937b6b1a44b91f - Output.14 = 
4de8e3c529bda0753a9ba237633be4c844308c233d6e58995c339cc006c7d4789b5f1a6314637b9749621fae3982c5a748d58c080e12118d4442bb55732da53daeca71d3d033b10a2a807848babb822a346524b4a41e9d85941730b21c0e80a9871c9d9aab0e6d0269258b57fcbf7d703794bd2e5f3d7b3da9d3cf2dc2073653 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38897,6 +39086,7 @@ Entropy.14 = 043872fa9f0c4d97e2c6824b778a4fb0debae214d3358a5aa01c0092c9dab6a1 - Nonce.14 = 0fc8d529a37083c2efe84aba8c8abbc0 - Output.14 = 22e8eb6b4d11657a66cba93f89b519bcce87a9bfa5ee22cd3cfef6180cb8ca842e8d408257b8140fabbf1dd65085ae62fb8b1d2a679dc0bb0a82ecd3b8bbc05782a20a6345554a1f5467e9811e0fce41a786c805ce2882f8b4d972b9a37eedbf828a381d34bab95efc47233846f8b5c701563033253323eda41effad5fe37d3a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38977,6 +39167,7 @@ AdditionalInputA.14 = 585a4b6736338ba663522b438ab9255782c39b36e6b253186e821ae969 - AdditionalInputB.14 = 2581ca0314c9a224b09c0c2e677e1df1c215cae0760d3ba03d1053156e9c3155 - Output.14 = e244109b937e9a71caa70d627ec8280210c86676b4ea842c6a4569e5da0b25c1ab3794ade3344e2185641c77df4d3011962e8312aa7c2013e4373204d861e27e88ede82873d5d45ae5700ddf0ae7d523e96df236a249ffc6e009e231b77d64f07f395e57b19a4d2961a6046c910d0b8ac3d882129ec3e337be4cf2d9ef041a8f - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -39042,6 +39233,7 @@ Nonce.14 = b2328815495d926dc8ff075d5834bc20 - PersonalisationString.14 = 4c539b94823c6c7883b071ac395203bfb5117b6f9d5db7cf4063132e6a2a3cb8 - Output.14 = 4f6035946d4305290485c7aea10bbceb99b841770dbf5529e31ad51b0ce138344ac0b193a5074234adab8887a51d9448a2cc637a543372ed93885975b8de342c6a12a1ca8f3d053ced1dd2c7d6a3fabf6ea7860071c035f0fd54ee5775ae3a5d457d4af9e034ed337d79e9fd52c2ad051388dda50aa78d37403f33d52d30f6be - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -40299,6 +40491,7 @@ 
AdditionalInputA.14 = c9a1481cd25c537ba57750d594afd25f - AdditionalInputB.14 = 51e29804f9d079f3074ec398320b2a70 - Output.14 = cb3cd4510de88f8081d8989c2679f76387b7d2cda286b75d659a3ab7c3b2ac77ea00366e7531c1c9f4f8e60c845c5d2a5e05fc999621d011deac3f28cb447a37c2ee815f7f5be3a571d153475d6497a3 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40349,6 +40542,7 @@ Entropy.14 = 71acb71235e88e3aa6d8bbf27ccef8ef28043ebe8663f7bc - Nonce.14 = f49cb642b3d915cf03b90e65 - Output.14 = 144aeb56a11cb648b5ec7d40c2816e368426690db55b559f5633f856b79efe5f784944144756825b8fd7bf98beb758efe2ac1f650d54fc436a4bcd7dfaf3a66c192a7629eea8a357eef24b117a6e7d578797980eaefcf9a961452c4c1315119ca960ad08764fe76e2462ae1a191baeca - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40429,6 +40623,7 @@ AdditionalInputA.14 = 03015311cddd0961ec7a74cb84d835c058a69b964f18a1c1 - AdditionalInputB.14 = 5e0d99e0e7c57769a43ea771c467fb5e2df6d06dae035fd6 - Output.14 = 72e8ca7666e440ac6a84ab6f7be7e00a536d77315b119b49e5544bf3ead564bd06740f09f6e20564542e0d597ac15a43b5fb5a0239a3362bc3a9efe1ce358ddd9d4f30b72e12ed9d78340c66b194beb4b12e973213931b9cfd0ccbdf540d2c36ce074e2beac7a4ddac59e06e4c7178d3 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40494,6 +40689,7 @@ Nonce.14 = e8c5220ae48b0ca1412e9c74 - PersonalisationString.14 = a0a1d6d3887f7ff9f13c85d6ae5af2c840fd85989b7e50b3 - Output.14 = 14f629aee43f71b61d467ccc37de8eb6110ccdc65fff57ddd2e66707bb768e5de5df5467ccd55002815d306adc7b7d6b5d87c20d2922bf5fd3790282608457b69720be7d7affcdfecd173a741c7fc99f5f30f981b1bc102977a61f1515b923ba53cd87a37faaac12e0af613ba0972a0c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40589,6 +40785,7 @@ AdditionalInputA.14 = 875e5bc9548917a82b6dc95200d92bf4218dba7ab316a5fe - AdditionalInputB.14 = 4d3f5678b00d47bb9d0936486de60407eaf1282fda99f595 - Output.14 = 
90969961ef9283b9e600aead7985455e692db817165189665f498f219b1e5f277e586b237851305d5205548b565faeb02bb7b5f477c80ba94b0563e24d9309d2957a675848140f5601f698459db5899b20dda68f000ccb18dcd39dfae49955b8478fd50bb59d772045beb338622efa5a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40639,6 +40836,7 @@ Entropy.14 = 30efbec33ef98a928e9441af3caabb34cdad892669e88130 - Nonce.14 = f77b7e0fcca6f8733e0bb0cc - Output.14 = 85f5368cb9f44474af6c4a159477c5cdd05eb0c0a37847bbb07e9a9c8f633ef2c3727d017f1bbfa89dba056062202f5824b3a493ab53a2a5fcf796d944577f1393d35f2a284453b2cbd8eaf35b9bae7b87c156cdf9cd0a2fc94ddb0d4842e3ab4b6c97089cac0e32bdeb32dd8233fd6e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40719,6 +40917,7 @@ AdditionalInputA.14 = 5c15fa9dc77d6fec5f7a4a3e4a315c05de2b5e46efe54934 - AdditionalInputB.14 = fb65ede490ee01a1c100ad5e23a20f91b45adf1ddc15c590 - Output.14 = 98cb3191831dc79334e8e37d5246600f822aaa40964b91f345b9df90929db1b7bdea96dae9aeb88d05fade5ae6c29aa8eeec7fdc96e654c5ea41ea01e3104ca4d287bb03005feab0bd1f85e556bb6bc46a2227b14fd94f9e6cfd0341cfce951851feb967968d6cc818f364345b715bbf - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40784,6 +40983,7 @@ Nonce.14 = 46f8ee037b927ec766de0aba - PersonalisationString.14 = e6299e0eb5826e498d873ac02892f01e02f6632101fcc090 - Output.14 = d86bfd8f9d80eda3bd43850ea6edab2ba4f69ac8eea623fd6bbd5c0c920620f8cc136b0170f0310a156271981a9cf7629e1b8f0759de1e99e20a0930ce3bb7dd2d88bc9172a56108cdd736dc529a6b99862bed7d543bdceeebf450020762652d520105f5c5cc3c9a6ebb64af2a7e82b0 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40879,6 +41079,7 @@ AdditionalInputA.14 = 82f895626afb606f335f5f050f0fdf3b45275e0b451774f2 - AdditionalInputB.14 = d423d43240cb6461402a7755f247573f24fab496e00b2e5d - Output.14 = 
b32c753900d4a0a0650d35d0fc918b3aa5f253d4381598ed475147f32c8b002bc08678e45bed1b9b519cb9729972886f85e581c75d3c2c9fd6ced929be29aa3befcd1d3fabefec590ca55612c1a0409446a01398d0e4775a548d118a32f29b0dc29530329d2a7656e5d3ef66db2b9726 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40929,6 +41130,7 @@ Entropy.14 = c617061099a17392c3092d27728b35e59eb45814e9df9fa5 - Nonce.14 = e1634c0d96cf91c53b063450 - Output.14 = f08234ed8621f1f551cf49ea60140313a71341f6886c484a06e74e64aba6f8ffc2cf1edd34cd93e836ab033fb0893e52e01da9b3104fe49584a45447c136222b1c1f1d3cf406a80ed9d782d2ae277790eefc5c06f954e654f7f283ddea79d2160cca1f63d0ad00eae9e882de34ba4083 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -41009,6 +41211,7 @@ AdditionalInputA.14 = 857ce19dd6e8a45be185875f1a98911062045553e8d28ac2 - AdditionalInputB.14 = b5f1998f0fa38145edb86ae4d569ef4dc2e0aac0a815d3b1 - Output.14 = 8f0d978b24bae2a0665beaddfa61e8896ed7976432bc4f7c444699e30b8da1ecbab8990bab9d0d72ef6f6b0b27ede12dc171a43a14092d57e3999cee71b1356da5f29b17fec227ca2a4887bd990fa33e1e01c8a9f900ffbeb300cc5ce9d7d2e25a44fafc07e34acd61d425e0d36fb0f4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -41074,6 +41277,7 @@ Nonce.14 = fc382061e29c4047c6f05dde - PersonalisationString.14 = 9b2eaa4c2a229cd2bc5de218aff95f6e5fbc7ef150bdb50a - Output.14 = ad49119d6b4f25ba34050920fc503d3d0d331ac2535d916a58d781317fcc2b1117618e9105ce192651ea9e19fa6756975d207c662f2b464416d849cb67b9af52abeb84f80863943af99c7916e78317a091ba90714ec8620f661b41d648c15c06e822329cd7f145446c5c3630a4243281 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -41169,6 +41373,7 @@ AdditionalInputA.14 = c9aac7bd9f15385facc344dedcfa754bc9f4f30277a3555a - AdditionalInputB.14 = 42de701acf5622b30e7672bf7115043a9912c1758c1b316f - Output.14 = 
972ccd5aa60966bac39aa9c891c7c513244efbfe3446fde6806cee991851f1e4b3d4a4a0c04b57242deb4f53d27040879562fc5b32621b46a642f3c84063c5195faf9b78ed92145821ae554d58325b03d60e11461adaa8ac87876559e1cbe47f7b5c33a8311294b0e54a44c97d4d2c9d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -41219,6 +41424,7 @@ Entropy.14 = 47f141d1d0142d53c10628d2d1dd77aafc11ffe45f29b126 - Nonce.14 = a1e958e036afd40059ce9639 - Output.14 = 2096935329ffd975154c38a2c22e30ef12b7acbacd39868032d6eb31a596e617fc7e05026b3dae231f256ea94dd4ea4f05734eaa7916be6f846b0304ff0de389f3390e51641103e7dedee99e56d9455c80a7e10edfd2147a50b3864b05443a1646fccde2197af1d1d72ae3c2d4594218 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -41299,6 +41505,7 @@ AdditionalInputA.14 = 49a758a4e0a8ce69aa2e5f9b7940c6fbcbfc4fdc91165e4d - AdditionalInputB.14 = 9c8ebc02c3d92d33112a15747b6367b8d6db3447cb9be2af - Output.14 = 70cf10825dab6c1abcc1532a1b2bccd96f0638d02eedb40a7ebf97093f5d0295b6bc74d9e48290ab39260d684effcb401427a4ca62b971e5a31f06c14a9f8e3851c3e79dfe129ecf8a8e185ee58667e2b692474a0d5f0a39f9d794adf1cd71c1266563dde24dc944661acbf849fe69fa - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -41364,6 +41571,7 @@ Nonce.14 = 82dfae196513724ae269204e - PersonalisationString.14 = 6e01d897ae919812b8408f82edffcfed8db6df2e2cbebd95 - Output.14 = 6e9bebf2e54d8da4e8ede97ce463239245ff1b021acf4441312ddba96d1f3d750bf2b9583a8aee76e2ee36a56d8e2fd4e11377d15ba3ad0876fd467c375a744240de0a7b38974e0e7b27c3917ce4e22f2bc78861f6f8b1fb42edbb1b0cb869fe5169527064cf2f38c0154082af5457bd - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -42619,6 +42827,7 @@ AdditionalInputA.14 = 9ba9285889d50c27bdeb4a830a5b3120931a53980b30643557444718cb - AdditionalInputB.14 = 0f8716df331067b8ccf0e5b90ff79dd0f962acc69fc5f89c593bbb84e3501ae2 - Output.14 = 
9d2c0053a0fd3f9be1fe33db214f6f2d54aca573e0642bd269f1b1ca23c42a1e85c73449830673cca14feab4d2686814edbd90c325e0fbcd5a2d7ca75334dbb113a13a0bb4e838f6724c74dddfca8c2bfb903c362d3ea82acd60d01749f6dc01fcd6708009a58ee9cc57a0d089095efae66aaea68ac247cf6aa8808d1038a109 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -42669,6 +42878,7 @@ Entropy.14 = fd54cf77ed35022a3fd0dec88e58a207c8c069250066481388f12841d38ad985 - Nonce.14 = 91f9c02a1d205cdbcdf4d93054fde5f5 - Output.14 = f6d5bf594f44a1c7c9954ae498fe993f67f4e67ef4e349509719b7fd597311f2c123889203d90f147a242cfa863c691dc74cfe7027de25860c67d8ecd06bcd22dfec34f6b6c838e5aab34d89624378fb5598b9f30add2e10bdc439dcb1535878cec90a7cf7251675ccfb9ee37932b1a07cd9b523c07eff45a5e14d888be830c5ab06dcd5032278bf9627ff20dbec322e84038bac3b46229425e954283c4e061383ffe9b0558c59b1ece2a167a4ee27dd59afeeb16b38fbdb3c415f34b1c83a75 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -42749,6 +42959,7 @@ AdditionalInputA.14 = 809639f48ebf6756a530e1b6aad2036082b07b13ed3c13e80dc2b6ea56 - AdditionalInputB.14 = 3395902e0004e584123bb6926f89954a5d03cc13c3c3e3b70fd0cbe975c339a7 - Output.14 = 4a5a29bf725c8240ae6558641a6b8f2e584db031ef158124c4d1041fe56988fdaee91ca13925fee6d5e5748b26cc0275d45ef35abb56ad12e65aa6fe1d28a198f5aa7938fca4794c1a35f9a60a37c7360baf860efd20398c72a36b3c4805c67a185e2f099f034b80d04008c54d6a6e7ec727b1cace12e0119c171a02515ab18ea3d0a3463622dd88027b40567be96e5c301469b47d83f5a2056d1dc9341e0de101d6d5f1b78c61cc4a6bfd6f9184ebde7a97ccf53d393f26fd2afcae5ebedb7e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -42814,6 +43025,7 @@ Nonce.14 = afafaf2ad7e6449308e176be01edbc59 - PersonalisationString.14 = ddb4ced192f52bdfa17aa82391f57142ac50e77f428fa191e298c23899611aad - Output.14 = 
b978826b890ce8a264bf1ad1c486aaf5a80aa407428c0201dd047fa1b26e9ea9ff25a9149215b04c2f32b65e007e0059a8efe11481926925061c748678835c0066f596352123f0b883e0c6ab027da2486244da5e6033953af9e41eec02f15bebdb4e1215d964905e67c9e3945ec8177b8c4869efc70a165719b8e1f153c41744d44d3c56a15822d522e69bd277c0c0435fa93e5e1bc49bc9d02aee058a01a04580a6cad821e9f85cf764fc70dfae494cbfa924eab0eff7842e3541bc29156f6b - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -42909,6 +43121,7 @@ AdditionalInputA.14 = 9574ca51f21865c2fb0efc75cc9d90ec5e9c43104979cd64d00ea5544e - AdditionalInputB.14 = c0df840a18d7584b62c70b2f057bf824168edb673cb517cd9dac89a0fc80c9b4 - Output.14 = b31e50202f883a8563cf129a0d5f8a33abad79d8ec8a97167ed7fca778e5892480617cdf50b5e51547f7ec1bede35020a311572c61e33e9c82968e8f69586daea3dc19063bea56503f8ca482918d229949acd6f1c52cccdc5f7f4cd43602a72a5375f3aabfd2834ee0494823beada2daeccbed8d46984d1756fe2207ca92186b506115f6de7d840c0b3b658e4d422dbf07210f620c71545f74cdf39ff82de2b0b6b53fbfa0cf58014038184d34fc9617b71ccd22031b27a8fc5c7b338eeaf0fc - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -42959,6 +43172,7 @@ Entropy.14 = 5f28c73baaabbc09e8260df3b3577c21f2f02be057bf49d2e73098ed5ff67f89 - Nonce.14 = 8c2f85b546903d8d4c10fe4549c3f673 - Output.14 = 1563c678f1b072813888970996af33c2a6b70b8dfd2e146c46df0616509382062fc9c72d223ebd555f4d8892aafd7b3b61619559fe3d3e7b5e83c07f422eeac912ca7d8858a2d25b966a8b34348b8ebcf44a4651edb9cf5a886e383b01423322ab3002edc8c936aef869d7638f38ca6688c308d2a17fea0ded21901d8e9f1ff8508762cb1dc7e700970938a0ece74c1c2d1801230ea785165d62a7ab0d6d59caf36b30be8e2e1f691210373b7a2866e32ba4b49b6a2f9cc9b80aa1340ef5c76f - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43039,6 +43253,7 @@ AdditionalInputA.14 = b5d9cb4b3709adf297462f1aa8875c9f84bc39e323b8fe1c0df269344e - AdditionalInputB.14 = 5e47728cc468e0d2c6b6a90a20f83a9f0565716af54844552988f1d8c3a83eb7 - 
Output.14 = 548c3496135ecfa1119098ea2d862d421af024a844c37a02142e2545e4ff1038f4b73c7f6b7d0fba8f92f292cf5ca8fd57dbe7ce129423e0ddeb1dffe89252dd6b50495c88f350bb77e08c8be409064f7e9cb751aeb779eae30b7c471dc41365f128d22474a7e90a9953e948642001f8e6ba8f91d250d8b4c6407892cd96b12e5d94e4d7608e6c11604357436c8d1cc07a21aeb58d396f413a31f72af1ac06864ba68c04e0c25971c1315f5a8c5c04fe252105fc822452d0cf66f86af13d613e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43104,6 +43319,7 @@ Nonce.14 = d28f752f6e466e3fd9595fd380fa14b6 - PersonalisationString.14 = 232727310fdaac541b182497e5240dc2623a36b4efa7a912ab3ffaf9939c2336 - Output.14 = 3bc26201261930bf3dc164d25287e41efb47c07c8c5c0adf3e86613435df202116331cfccd4e07c9ef008c62d4199d937221a17dc97be2043270ecc605d3d48c609cbce3aecba3557dddb304f440250b2c9fd78838483e2d5a2b22015b97869b891f9e42afe21df5fbb8dfc9061468c70c63a14b6dcad9ccdeced41d021dc0ff47821415e8793d34377258d9d6629b9e396b9d6b8bb7fc22e03ecfd4890d16912001cb7ed002e33a595052ddf7b991c5607ab93c220b2122783d51a8372a223d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43199,6 +43415,7 @@ AdditionalInputA.14 = 50ceb01860d60ed119f101d5c573b5db00402dbb03885a09e8d326156f - AdditionalInputB.14 = 01e09092bc892916c29f7b515823f244d147d4b16976cebd6a76a37ef6e62998 - Output.14 = 6f1379c44d8131924c9a78286e80ebb34604ad78b531e795cc30c4f0aee422e4052f201ba226bc0c2aa3ec341fcbb5a87e24b91c36be7dda62addba6960df1289372e9677ce030555a9bd1691f559b8ff787dafa35cff5dfd66a2abd83f81552a82ba6ca7d21c438483e60fd77f93bc109f5be802035412c2af2873f5cb186b77dc055c0e0b27b16b1ef37de0b81fe63c4074a7cc8c3d27f71a992b5468351ef8b84a7b3e8f12458ff670d1381d879feeb1cd3b93436580c86bc2c33f27448d4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43249,6 +43466,7 @@ Entropy.14 = 57050c5fe58b2a2a0eba0d3b9c08a9b285e1180d2a297e0a9ad20740c6fa9f00 - Nonce.14 = fc309209936c569a1367d45b212a9a50 - Output.14 = 
288668476b39814edbce5ed91951cec398ba2dc3bad76048df5fb1a2a680519c217ec4d57adc0251e1f8892a866b142e0953353bc2dd207aa2703f81814d26a60daedfe94d97de6043ed5f3bd957b7516681827f7a36d1b2a87b692c67aba050bc38b5e84f65f07d70cc34549f01aa390c5fc8dd01304fee7378e62549738e3f710ee6a4e32db3f472e1c2ef1e803e57a8ea992f389f0823c922bcea8b00ab844e071579170baae90839ffd5e00844ec343b02db090847cd323f8a68f0dce64e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43329,6 +43547,7 @@ AdditionalInputA.14 = a633f5f05ed8b09b70683a9f9a8e998ebf843b68a039dc3aa40cf30a5f - AdditionalInputB.14 = 9a57c6be8c1d992bcbd599952bd94a755d7ad686698991d189afd11cb88b9f53 - Output.14 = ae0fd8a1bf6f2f53f9e81ecf6f40ff6a36fef58a3f157b6a435403e48da4e88cab7871bfe2233b92afd228bfe3117d7cff0798225a901663d51f0491109b9c631dd6d32c5bec2da321b8e64ebaced87a27f17f67082df944fa94acc6c557fa6816001642e38b7d776c631212b782f71aed6db760f90e0de8e81baaf4d419170362932e6c319dab948749b331aae41b4cb3267da37c9233c36d65d5482c8940387498453b226af485a37ea16bd9e4f938618f70aec97e8c1430a8d8b6aae396e9 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43394,6 +43613,7 @@ Nonce.14 = e1609138b91637917ec170fa3c3fb278 - PersonalisationString.14 = 230db2e57b87e910cbab26fbac7fa93a65c07c1ec004c74637e346c2db63288f - Output.14 = fa58f2e96776b4aa079dbfb49d81d8abfcc30d459caeb45dec4f1766fdc3b234d52cdc5337ea770e71a28cc42c82cbefce896d1fecea5a5290300208aa79b5ff97d2091498d749b66a9e5b2da7b774567ae9f83b87a8417b1bd089935e575b16618ffe8ec04b91fc9315968dc395fa2bb8776133d3ede95aa89ae675881b26ca831fa5fe6cba800d2fed1d509353e8cba6f007cf3c5e0b9424cc034e1c817d5f7326764f5ed1d17ddf8900977a0172dfab50bf4819a67e4c1af4704f59eda3bc - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43489,6 +43709,7 @@ AdditionalInputA.14 = 32f618446311f03a0038dae07e85e19006a55b69501d764c241f683be5 - AdditionalInputB.14 = 
d64a97650e2f25362fd711c7abb5635672e16a02a1dd5ed8a181762e86f4f5be - Output.14 = 54ee53e6d18e974913ec235a37a706868f217af33b25e8e5369d90071be1d01035ca331b8514f3d6186a9ec62b1e7808b7fa22859eea21e4b8113ef770772561eff7f8b6ac22125d002f6ba9f53b235f7d85dd5b601787201ee1423de5d971b2e758b3955a048b50f118c01122a8e657f69a63843bea00a46c4fc2ebbae36adaebfe3e6c9b1c82e498d3fe48d332ac1bf31ab4c80830086c8ee4b1ea190f8e269f74cd760f5a29d244064d09c1bc30832482d5205e35604a388250a7a196ec74 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43539,6 +43760,7 @@ Entropy.14 = 9168436a8600415b83062125de0ce6a998090216dea7374af08e6d3becba054b - Nonce.14 = 94206c91dcdf9c7c3f3571c703013419 - Output.14 = ef12bd2b6dea20cd197ea9eabd98eec1a2943619cd2a96dd16a6c5485435e00c59570ff14d7d9fc09c99ade0e5ec12a84c0a8ccd5677fa9b92295eb2a620e8a0400bc9ad8a1ac1aa4969d8d04b77ad59b81d95cad75358698107dc8a2ff42adbd679ab29cc29cd6ea756f4c4e60c271c3134c48b5d5aedecf011e73c2663ad1cafe57120cc70137370760c350f4e9c0b8e9b01c9acaaeb56094434f4f87c67a5b5f674783204ab0d0598c06f0802a05ec97073c005f3c9f772fe0bb449c1cad0 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43619,6 +43841,7 @@ AdditionalInputA.14 = eb9e19bb6eb7b714dc4d56243897916364dae7bb3861a4697d7d3f2b14 - AdditionalInputB.14 = 156d12c7a1d0af2cb9f2d0610cedd9ed3b982e77bf4a9dc1ef0f71284b751ca4 - Output.14 = d3b0b0ac5150afdb3d9de12d2c8a7d45109436ed9c316aef1d1fc5bfba1cd37cd750841146dd08320539eb1678962e990f7b7662b44b918447e173672b873b8ab0348306cf6ae2bcc6756036870745436571763efde334dec5be7bb9920629a36cc5db66e8824695cabecb8bf092858e095a2a520eff140f483ec528131c850a8eaa48d8c997fbc810401ca378666d84020fd34af77fbe1152523e979560708fb15f3b7981e333ad4ee8c2fb6021a562f339616823cac5998cd919f82d43f41f - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43684,6 +43907,7 @@ Nonce.14 = 733bf048e5b112426979a9879b6a0c10 - PersonalisationString.14 = 
58d91008875f51d541c6fbd626a49a798dc51d9cf2e8588808e74953392800e7 - Output.14 = 1794335e21606d706dc89ace28c60a15c0c9f108f5ac882b103eb62e225de749285e5fb0be98a5bdc26e3c998ae418306380941d78acb7c81b91ef41cecab328332ac7404ace0ea858e7835534f778cab3e3e4eff043742e4f7d4d5725bcdca0b6be7ddbf79e57fcd1d5a4279f074a599abac2cd281ec6784e29d9399f5ffa8def3252acacc59844c0c24c20d029a89b4407e0b5cbe9a8d51241dd36bb82c400ec4571dd1baf831d58fed3dde4ac7f961be6ebc18af6bfa922a32b81ea11334a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -44939,6 +45163,7 @@ AdditionalInputA.14 = 06df99a38f4222b9e7e1e3f4a6f488c1dfeafe847129d54c93bccb1649 - AdditionalInputB.14 = 3977a9671024bf0150752ba10c9f6432773bb71aaaa9d23d1ab72b90b7f0e088 - Output.14 = cd4fa86fb559475f4cf4a60f111d3d0f71646d3d25111889332f2451eda96390c607a0178e1e79e8124c7626ecaa9822495e5341dc6f24818f97951bb29434c7c48d05838fcf3b43b8314827d3acc8fbe2c4ae2ab066626c25c32a760002cb1d980169f7691bee5e329ff1ff4938d3bdaae583f3561499563198a5eb69e73f6b963a5d072d23e07b0ce48cd04b31f9ea349c2cae355ba478e26a5fa33d8f03af84235fb1743d30910f5557194e3609494019bd705f8cdbf3d1b4dafaa09c9d8037d2e0ba0f96948d4302e981162c34c12c2fabe1a42da517b7e5a1f796980371420cb305d0a316bee56767ce1aca9260231839b92fa26fd75846d9304427da27 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -44989,6 +45214,7 @@ Entropy.14 = 0cac1d970c06da6f224d49e5affec0fe338d0b375b66687b - Nonce.14 = 1fb1df257951ce8fc0cf12a5 - Output.14 = 7d6e2be5aa574b0edff39ea938e94143ed92b287262891dd2a6c9193b0237e8fbe10056e15785bd818e548452792a31c728acc14ce2bce9295d3776885018a57c8580a8e7df9a34ea960e0b39af4510711320528fa7a0badc6e25a0eead8cb091c404f626343c63d40044055ee9f9e35 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45069,6 +45295,7 @@ AdditionalInputA.14 = 38ead8a466e462f5c0617822c23294cdba07a80fd51dc241 - AdditionalInputB.14 = cacc9efb209c71b123498182d25081aab8f0159bed1fc0c6 
- Output.14 = c200766d5caf72e64a77a7fcae1ae3d14681e33767ba2ba7faca26209fdcb59c7202c381b18adba07ef0ceef443d9e1c5888366bfd953d614bb184370b45ea2b44a251e381fd2bdb80bf4bb8dfe011e1b143032bae9ce82c2869537e70d36622bf23476163a2dace9ba863a5f0e3d303 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45134,6 +45361,7 @@ Nonce.14 = 7e2f3e4427d00de41ae92bf6 - PersonalisationString.14 = 2e8bc8edcdb3dfdd451542fbc68481b30964fdf8a6ca77cb - Output.14 = df949beb9b33d2c1522cf6fdb3206cb10b58411ba9e28a4096cda7662b69d23e0da2be9557b9a3b5a8d67db4d616ae9fda3a7e0a8516196568f7a81474c0264993b141f14066fbfc29da724e447f6e503385944e902510f0b3971f7bffc6a6a202ff88d8113bb222b104055f427fe770 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45229,6 +45457,7 @@ AdditionalInputA.14 = 23a781948449d82ee235d0495ca48d61aeb399d7e2ea68b8 - AdditionalInputB.14 = b52421e5b0e5281920da6975ee18d74ceebdd5d5de05c018 - Output.14 = c878a886e24e20a8b7e22e41ebb33a2b6e9a0168f4c72bebb78f0955c8449592e91c6a2f1ba5554c9459bf2702e67470c1df0b5125d651facc0a9339a2b7c921a51bc7203020f085c9231b3acd850ebfef0d0e13dc8bcfecf1f9853930ecd9b262cecaff0e2bed9e3b5b53343b733766 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45279,6 +45508,7 @@ Entropy.14 = 04c61e5cbd79804118267ee1c76db36b71b042bf60a1c891 - Nonce.14 = b833be09092d4755ee6118f6 - Output.14 = 0c4663313750b12daaeee80cb28f097cbe6f50df2022f9ff02a51fb373da42411c5856a136e9645e99e69aee273726d146e3ef4e546273eeca52b43c068887148b7197143f5b9a4c55d4b0544907ee9ad2f181d1b37742d1479d39e78e47505603550d2b28bc1d151a50bbac140988ec - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45359,6 +45589,7 @@ AdditionalInputA.14 = fa3bc697a6bd8ce341735365ad6e214d1e53e8d6d0a2c206 - AdditionalInputB.14 = bea0650424d1f26e75a49ae2dc529f1fdc552e3a0aa50948 - Output.14 = 
4a718257296a3a99f199a5a24decf8f3e6209a4a7fb0b24913393c8309826ffcd6c47208ea6879921424ca55e63a7e5bc63a030cc48be7648da78fc9f314dacb2b8568635e5b14a94bb06a709a2f023a86a871dfd708204c911d94ef3690b3634e58de03fb20091d628bec834a760dd4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45424,6 +45655,7 @@ Nonce.14 = 4b729a67449bb5675a1f9d1f - PersonalisationString.14 = 9160b7c96fd367dd7d378e82be11ad1827c7661d76bc1fb4 - Output.14 = 1d7ab4500d99a18b8be2ffb8177c869059e25f1ffbddb36694fa8561da1d71f86a38accb1926339f6dff71ea8ed104c3518e62b00e520c51a096c1c62469e56b139e6384e982588e748a8074dccc51d558d944868e2b8e1dbd68bd83c663447590430ebe15c64aba4669d1a4a784d8c5 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45519,6 +45751,7 @@ AdditionalInputA.14 = c375af43c11115e995f47212f81cf3cdca5801d184d82235 - AdditionalInputB.14 = d2eea45f69c6d82dc3a7bb3be69d595c86c5ea5b4aee6001 - Output.14 = 907452bdf42eb168195313eefd090a2fe1be8b668b8ec7153a4ed4c07e6979244282e976decef02ffd4fd92b0d7b90bfc453cfd81a823dc162dde29dfa926f20e395d7432e0aea61c72e05c1673180bee3b47fa171cfba98864fc2bf83878e37c7dc019d465788aa1500ab3db8997d3c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45569,6 +45802,7 @@ Entropy.14 = b37ca70fd13538ef74c5a3c7ef00a78705919446954ec43f - Nonce.14 = 3ecbdff8cf33b50788dba82f - Output.14 = 1bcbccc535fbdc8617575d46ea5a9cef2622995dee19aa4b998325dd8d0935957170f6b18219354cd2759ba53c9c1f380586070db0c89979a581ce1e00ce38855e123dc3a2dc9ce74bc3b6e27c9603fb87c09a1d90bb540d267d456f5457daf0920a13119a2b805f9b97b154f80f4bbf - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45649,6 +45883,7 @@ AdditionalInputA.14 = 9fcab4a8d0d1036a6210d56a894f861fbfacd4b20c081f38 - AdditionalInputB.14 = e279bf650f812b8931662e59a0da7ab799c193da1f6eef1d - Output.14 = 
b3ec81a3cc8dfa4e1ea17d33566a4444bae9969244e7a8970eab02afc8797b5fc85b6614ab009625b81fbe078bfa4db78ced2d8b3f1e3342b477a3fb42cec7d44546585621bb8310075808aaddef32ede3e668e626711fdfaf2569721bf645edeaf74a9826aadf0a9cea9893aab4fe3c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45714,6 +45949,7 @@ Nonce.14 = 98ec3ae036755323042c08da - PersonalisationString.14 = e6f24d96c8d11cc68e72f56ee7e345c5a0083509821fdf17 - Output.14 = f5a9d375a58d1b337d245d29b7a9e352cbb0fc950276e042d075a71f4bc43b65b063bff299c670adfc46db39c4303adbbfebcea1df964c27d33cbfe4d46567475abff4f357252ff7d05ed4ac34e6ed14c33c192909426654d604736f3bb0ba01aa5e0454d60dfe8aa5b2df3a52df22d4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45809,6 +46045,7 @@ AdditionalInputA.14 = ec35738bedab1835d07ec7a6d9a5e6e0bf8a3283541b3216 - AdditionalInputB.14 = 689957f9c2c58f1ff34899bd0c295bbfacdd149ab378428a - Output.14 = 6eebecbac4dd64b170cf6aa84788f643755ad5c6c731b63bbba3b2bdc2694f1fd42fb077b4309a0cb09b5ed1107fee2379272351ca9221069530762e4c8ac4c142c30167a32ac2b82b728d57bef95d620cd1b7a2ab5c1a6fac2cc90e0f6cd003ef526485c8bf0dbc9baa7c1f0d6f763c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45859,6 +46096,7 @@ Entropy.14 = 2fe6d7ec78f76820cd88c41a5a958c399c7ad1619406caca - Nonce.14 = 1ed975755cad5e4c475c5945 - Output.14 = e34b31db083e58516cd60ead2e5b0d39e4a2bb47c2436531c0e700e484c27d3d233d10d1ea6c58148149751f24155fcd258f384d61000da88106a0205d693e4ddfbb5c35f101ff15e531e9ac4a988c16302a962146a3aba9af5c505697cf9aeb7bdb8c49c281458acc33ad4010122aa5 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45939,6 +46177,7 @@ AdditionalInputA.14 = 17c87a351e940e261e8806e2548da44a751c550ff5f0257a - AdditionalInputB.14 = 7e3bb28f266786ae38c24876087fe35c7e43222382270380 - Output.14 = 
c943c9ff0cde86a62756465e6bf4fc9dc25447157537831c975782dad82f3e33e6e7790b41c158713b8978a6967bfadda9e15ef43922b3f93c8ccd0cfa834fbc6776f3c1b6369b4f25b1cd1189f8b8efc31be2dc151d3608eb2189a4f39c0f0a3deba00ffc97299c11c46885b424a7b2 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -46004,6 +46243,7 @@ Nonce.14 = 4fb71fac56d2aa35d7fa44d1 - PersonalisationString.14 = ad66fd02b6f6e30ce521ae0d783236c75cd3699696475ac7 - Output.14 = 4b2df98ad411407c1dff07b5c08e97ab501fc20ad191794dab73e9b4dce62470b3c70d75f07848f436f16a8c63ac31a75525bd928b5c76218099ec940e3ad193eecdbad834557e92602d7daa6e3eedcbccbc4d0829c8e1c7e59adb95ce928bb138870566eb27e4725191a9ebed50304c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -46099,6 +46339,7 @@ AdditionalInputA.14 = 30a66bba0f4d6c249e271de8927b6ba1e99fefbf3386934f - AdditionalInputB.14 = 1ebe06fd88f8f914ea8f590483994fbf227613e7f49ff18a - Output.14 = 38b4e2bf6aaf771df03b3bc37a959955dec83f07af4bcd995957a31991c5ee18b5bcb7754f3bf6293665dff2b4769d081d9be6393803e2c62a73ed8ce4adb17b36c1e0deb8ff6106308be9019cd179a92feeb184d93a9348d3b14a70bf13fd74d12cc427496803b7fc041f87c630756c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46149,6 +46390,7 @@ Entropy.14 = 7f422e735bdf349e4f51787571ffe061ec7e9181fa0b6a342e36611da25c1a15 - Nonce.14 = b09d8dc6997bcb567cfd788d0e06483c - Output.14 = b83bb6e99b0a5237242711e27779d05d2157402856f9653542f1ce52b1a7463e13d5c92309a06d8a78773ad70504b64ff070c2e6afa4ec3662f2729cb7552235b79c18e08354e334474f238ee74feb7e892d5701543f418cd7f2f5533437d9901dcc54687816f16eb7341b1707c6310a2085dbf387044a78fed850b42fe9d8b4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46229,6 +46471,7 @@ AdditionalInputA.14 = 5722b092a5a0195f14b5f236885538cc7a514e997876c06f634926c695 - AdditionalInputB.14 = 
6e4f341a0524dd1085aad0b6c956057893f737704ca2fd8eaae6231e9691688f - Output.14 = a757af53227bd8555853ee2e643256074be9904d2fabb0ca86a645b0ed1905731cfbfdb7eefc83938fb576d7e5da8135300f8e934dca521637ed10e5e791e18e82c48085f511476452237ceb930e0307e228886d36aeb83d8e25ba23b38dce6dbc335de90b63db4021d6ebba5dfb6d8044a2bb7bb20aca679cde16406c8c4746 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46294,6 +46537,7 @@ Nonce.14 = 06b7b75d18365f4957489a09204b2672 - PersonalisationString.14 = 9e32f001033eba3bede220d4f351ce110e6ee2eb0b099ce54f9606a21d80b1ea - Output.14 = 508333114a0abd5fe10327daa0f1342c66569d912a64d8ae89227d0d8ed5b4052cf84f0c38927d88dc0d7c476e747965adc9579a4603a36566a1730f55ed7b100c1695f060674484781682ee629167f7adce89885ff04d722d960d0297d2abf79bd3338126c2d356a91bfa588f80db7ea365bf181fa5370c478a04d05a515b78 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46389,6 +46633,7 @@ AdditionalInputA.14 = 5b2d2bf0653e3c075c469de5e2a093193e700abff9792a9f3bc0d143fb - AdditionalInputB.14 = 976c765df6b57f0eed8661587045826c329f4f1994020de30fdd835912f72fe0 - Output.14 = d8275a104f1dad7412637d12fabf9dd1b06592850cd48a3f38304789911efe8f08970b8f90fa021b04039cd3d1ca573c1586e7ef586f4c623dfc559efc0f2c89e4136b59f0f5706a74679d1c95886a5ad05b9a850043cdb19d806d617b2f640f715351cff6920c47f96a42b872a512a7b2e99e4d0c2230861b16f3b38deb9b58 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46439,6 +46684,7 @@ Entropy.14 = df6edf960abe3aef5f50741907c0171906c0837ba3bfaa3a1044fcc4f19ed21f - Nonce.14 = ff2558bec3e5377c12697c908d629952 - Output.14 = 9d68c2674eac76f3ccabe1c6c0bad96d5fbdcb1629c939e397eefbcd2ec2f25803fbb9aa72db952f7fedcb290da99f34c0fdd637c37dde1446d475a61c38c3fc5c1ebf9541d136cb02a43b2646df7ee4bd0d9191157dac92a33f401f089ae15618624fc0baf707409aa2f80cd5d0676612c2667aa420acc6e016e6ba3f63c686 - -+Availablein = default - RAND = HMAC-DRBG - Digest = 
SHA-512/256 - PredictionResistance = 0 -@@ -46519,6 +46765,7 @@ AdditionalInputA.14 = 4bf2c816e2c3e9721d192a670153d620aded035ffa214cb0d7638432c3 - AdditionalInputB.14 = 06f515395ad7c3d025af7df781b49b62f068ec9398f6dab31ead6f917c663de0 - Output.14 = 1e70791e6a8ce753f959ab75d1225b44452ce7aed0fb53b56208b3f26419f004983c452d724c483b4f9b70d2d84734ce8ec0258d8edfac639b355204e14b5b7bc1d3aee6ddd9f5da54c6cb086d16ce381c2d5cefbceae3afd56c13441d80c7e6081aa68ff57f21d460370de9ae713c17ab14a81f0895e9e492af7c437d7a5799 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46584,6 +46831,7 @@ Nonce.14 = 2c4c4f3a953e551746f7e258821d24f6 - PersonalisationString.14 = 676a9304a3f744c62c7f5048f2137982c89860577cfcaf0d855514436ff8eff2 - Output.14 = 7bde8a5a34538655ab2ca26d0447eff3c6da298b3fa53ff0526eeeebaa4a876b60e47ca544ae30ccb00176ff84920bb4e4a4ebc3cf74b9cf8cd8ff9f7b11266a3c9bf918c458760bca6368ddfb3522edbc61ad14f2b638294e51d82e617d8c0c631aefbba50dbcd1a0a88963c3d63959909ce2cc669924d7163b01cac468c0d9 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46679,6 +46927,7 @@ AdditionalInputA.14 = c168776136197bc3877c824461994a4cb020b61ad1630bd8f38d0db211 - AdditionalInputB.14 = 4f54082a1b9e6cdc8599e1639865c00fd758f403adba5cb74a37e2b20f29b654 - Output.14 = b48984588cb54f78610e05c8a7ce12c630934f5ed2e4cee21e523fc65a7b8412189ac51823ecdf493844a859aa87f3e84645f22f0914245043f7b86287a85db97697bcc84684b072162c2fa636569df83fe85f1ae25204786bfdcf5eb85006d09a4d97b162248daa8ccbff9eca28b7bce9fdbddcb8679ba50b6648cb3bfe9af1 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46729,6 +46978,7 @@ Entropy.14 = abc502a99b7c3cf14262f6b036925a9904105b019592a2a6be26d71fc42c7444 - Nonce.14 = 40a212f9e1a5aa54f2c7ed4ccf631c9a - Output.14 = 
0e747d83e2104367beca697db9b6bb994061d82aae7b1564f6a0911a1f599084a7ca7c94e232908d41df93a6b416e76146a53b490afb552124fc0c2087cc45de96390565b58f913b5dddbc55dcdd2617ea27858ae7c7748b31d832fec0fafe84594ad7b693cf972daa9521ad4134867339536ed5cdf02a758e40d5d96802f4fa - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46809,6 +47059,7 @@ AdditionalInputA.14 = 2a8cf10885a141125dae18c40f7bcb7e09c1b2726e22a7f776e4735279 - AdditionalInputB.14 = 7c2db5278d2336764d274bf9624db7eecad2db11c6622831e47338ea3ef02ad7 - Output.14 = 08ed2c3aa35812485ea8aa0b16149ee4f3207a0368be2035e202797939dd2a1c1db1ab244434edd783c7574bf48fc99f93827a1fee91cd1db1cad53512b6931d2d63018045b2a50a9b523a6ee212fbcb21ffa57ef998b4ce24e5f2f875a8ff3a45d8602cd56cfefd2f61f73d00dc33304a464f4fc1f7dd311b516a8da4e91151 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46874,6 +47125,7 @@ Nonce.14 = d5aa1d24b7c7564f6836f626bcc6d32b - PersonalisationString.14 = 4ef1e00dcda9e893d066ce48cd291258a29e0a234796c30a6465079cbc3d3aa4 - Output.14 = 43da46cb7b737ff7617715e3a8aa4c42d8cf1b62f32ea97d035514a10798f5bcaab550eab684cfbd5c8d3e1ce6d9fb026812e647ae6a50d3d8da8e9e2f1d5f7fe550e7e0b88e146925f2aa64690e1a5a5de152f6421837c15337efa80fdedb0a4754268bb83fcf0281b05b3885dc64b87f1da61b1ab219779ef44a1399b992ac - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46969,6 +47221,7 @@ AdditionalInputA.14 = f8dbd6a405435595b2520bec5026075514955a666e4ca34b7d0339b0a0 - AdditionalInputB.14 = d9536bdf1c3944d4d239b6dd13750c16a2780d943d4cb5fbbe418189a7d65432 - Output.14 = b5e12e5082c09fbdda81d1a2229ef9bd46db84e62ecbcd1a2c4e88557f8ed3b5af740fac2bddaaf441b66084ce2239adfc9d02f001cd23470535f13ee6ed73256adf902b359930093ffb293a7c007074582a356529ea3ed9a5ac0a1a3f62df5fe09d27f5a7ac6abdf1fbd5f5e5da70da5e3037fb062d0817b077b56457238108 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance 
= 0 -@@ -47019,6 +47272,7 @@ Entropy.14 = d233eed6e4a43436e4418ac071bf9ec00d463d0568cfaf7b4174f96c1f6b8564 - Nonce.14 = ea8e646e88f7fd6c8e590155df15558d - Output.14 = 314dca793ee1eb0dbe48bedc324b557966ac7a17b900bc4167ab4b65fe6b34ae625c200c4e21428ed258fe28b99c31cc4e8f9eb93a793c3e33fb0b75a2595a3201d939dddfa27911ad6f731894e16692343f25de291da89570a257a95cccb42f7d9820afa9b35d16664f95a2099ac929683b7480a4d1e34291853047ced3302a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -47099,6 +47353,7 @@ AdditionalInputA.14 = 46cc09705223bd3c01fa037d9a19dd2465bc612f519e51d33fbc845742 - AdditionalInputB.14 = a9f78f79d034d46086bbe5c8883dc2a34a1a17414aad2c767a3b3f23dfc9b637 - Output.14 = 2674afd329d03ad3b1bb8157c3100a312e29bd72b55139c408afe7f2c9e6d53df2cb8b829b7351a80cca8f0b59d60f6454ba60b154f654a09aa82a63fb28ceab9435cb6022934a0599a4c3a005bccdaa8bdaf8246ca654692a6c038cc82fea477fabdf3d6a0975e952ce3feb7fe8c4510b8c5347b21da5431cfee69e9dd2d8c4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -47164,6 +47419,7 @@ Nonce.14 = 4788964160bb81d6f6c2675008b05410 - PersonalisationString.14 = c56e284ac65798010eb7bd39ffdf49bc25fc2e663e90ff93f73c97e65ea82935 - Output.14 = 683493fb3c6ba0ae0c42009beb39fc37a9d235fb3fa00648ce4d60b4d6bdecdbaa1e2ca0c0fc80c53f6f8ceab31c3c42764b8f23c4cda91743be33e0a77fe5a4297701bdec6b2a5712e76c64bb8b7e03a257c140cd8aafef046b049303679a7904f029444d92d673107bdbf769fc1130429ff64b527b0ce2420e2c70e8998ee8 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -58071,6 +58327,7 @@ AdditionalInputB.14 = b07198a49bc854cfc9d6d7466fe24948 - EntropyPredictionResistanceB.14 = 7b558b48f3c891a77fed293881775118 - Output.14 = 878d26fb57589d42497b869564a1dac5adf1b83615f9ab9fc30b5140f79e3b7f525f1eff2e68002801939aa0728432efad829b5b12491404fb50f2584a3bdea8785e79390501978704a667ec5d04da56 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - 
PredictionResistance = 1 -@@ -58151,6 +58408,7 @@ EntropyPredictionResistanceA.14 = e734a035d71399a60be221b8c383044fc83506429a7eaf - EntropyPredictionResistanceB.14 = 51325a5d10137cd3ef2c6cd2290593a73361b298b9fc0099 - Output.14 = 12b008fd1ebb36ee67678a8b90ebd4ae333451aac2961d2ecf0d3fe2321fa520543452505e1e6216921ac380ddd88c51fc8b6b873b77b73b38558163845e2bf67661c05896da0efbd6c0faf0e363103abce11ab27da19c21564d8ec067802a0000e61fc33f43c12b854b85d6166a3a3a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58261,6 +58519,7 @@ AdditionalInputB.14 = dc30a416e609cd52562109d22960e1295e3fc6eb66709704 - EntropyPredictionResistanceB.14 = 849864c63ae33d51a3b2e282325729df0d01b4b6efe4d2b0 - Output.14 = f2206a4e8008a5b32a3a3e271e9673031f536eda568fc2cf7013b4b342af76bf4ebdf867e7f2e2e89fbf2f63cb6e096671d360eb72223e96d9bacdc2195138770870557b88e770b7a439094e2eba6b529e54a25c75237c4b4fcbd06efa77f6174ba64071d2c3caf13fc1fad0c0cf005a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58356,6 +58615,7 @@ EntropyPredictionResistanceA.14 = e0b1ad06619cc7e6b06fa369846d0718061e4ac707d1a7 - EntropyPredictionResistanceB.14 = 2941e7b99738be35a340fbf29bb443547f3128e5435ae876 - Output.14 = 07a627ee351cd794c19148459821ee504770bfdc07399fede63f1e22c3d76a57ae1da3c66403d789a8f2f4a0f071dec3fa102bcaf791222d2b0de7cc5b9d8f59b6b23d441b006eec851856c8abb152b84828a88f06e1f4cb257dbe00ce4d4868532782b06da28f923bf8e3f38d4ba50a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58481,6 +58741,7 @@ AdditionalInputB.14 = ae204b086225c6659bd8c2487b1b91310c3d65c6a18a8081 - EntropyPredictionResistanceB.14 = f69f38c433c8f892d4aa3d1c7b97903711b6e0f5445ca61b - Output.14 = e4b3c801cee482f2d70a92fa7d4d2b9b19a1827287ea50698de61f82a095246dbc3abf102510c3fd413d6a8a9b9c88b186a177c14e013672fe3056722ee69fc3a49679f9d1cc0707ebb29297472343884dd6637bf094af5dd40bd1be4a269cf4fa65c163347ecd0fb6935eda690402ac - 
-+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58561,6 +58822,7 @@ EntropyPredictionResistanceA.14 = babb7e1e29089815ef8d794611a3164b54617f8edcae51 - EntropyPredictionResistanceB.14 = 06ab40819ac75f8609d7759fdecd3274d231781c939516ba - Output.14 = 80abf3d122e8917731a3ad6c8cc0495aa302d521384a155707f1302fd2c14ff9b8d6a12027b05cfb050fc45baee976715aa9cc606b943c785001c0431175278ed18d3b4c99bb7380598db4e9462e472ed9ede95c2e357f37152d1a76a60fbef4f97751fd111d9b965645de5c823d64bb - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58671,6 +58933,7 @@ AdditionalInputB.14 = 32460d6c3eb7912389edb486462038fe90505f7bd5d8e46d - EntropyPredictionResistanceB.14 = 31b1b8fd7753800a1d3c3849ccb22a7c28ea4cec21e71c91 - Output.14 = 77e3b89a60d91cfbbdac8215a3fcc000ae61a86016cefd998de3561ff76e188eda8910c08e964fdac58e3bb30f4af464b92812e15178a97d3215699f21b9775d3d4b11fb16541eeda2956937e43bd4e928f3856bced91c2e9a3c741f89894912cdec7acdb0652542fd08acb6d6ce2c66 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58766,6 +59029,7 @@ EntropyPredictionResistanceA.14 = 7a40b0bd455f5eed4ea7fef036c5b044425ef2138b18f1 - EntropyPredictionResistanceB.14 = 33bd20a02d78688da2b43f2222894d508f63851fa8217b6e - Output.14 = 1d0bcbbddc32be27ad0408c93d49f328832dd15beafaf969fa8f991b18faf1cf4cd1ae7103cf94135c1fa9beaef66f75d825cd9c3a16697337d746069a94aa8881e9ca841fc61fadc3701fec3fe65f750240c7da05884828ac3cb87289567c4e491ddb3f1ca5cdc08b5fcd3d8f91136a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58891,6 +59155,7 @@ AdditionalInputB.14 = 528bc69e8fc2c45ad8006dc7a865ca73c31a679adbcb0656 - EntropyPredictionResistanceB.14 = 97bbf5c91c830c627a1dfb629a0f40943655d70ef97fe922 - Output.14 = 
d9cafae3bfbcfe622c82f137700f959f79ea11d07631abc26beb2d846e375a2b21165db0c568e1ae54d03c26f0ecdfa2564bf5c3c6c902abba3b2ff994ce191caba7e89b129c303e5169f4ec2e415a90523efc792e6aa2caf5ef583d286285f7d4900d79fce6afdd184d9993f85cd6d6 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58971,6 +59236,7 @@ EntropyPredictionResistanceA.14 = 58e89c98a93710a6856da202b373749dcf3f60c16fe067 - EntropyPredictionResistanceB.14 = bebbc0ee84a187340613ff138c5abc0aab2e86f57f337712 - Output.14 = 13949feb41c811c6894809f16ab5b34be3fe3753416a8fceb0c6de131167d0bf60409b753385307b71e2622a46a42f1561b4793c6f0394fda66115c95dce20753a9caec5aa5263f6581db8195bb7de7e4b13761fd43eff13741849b8556247f08a58c9b180269f213eba0476c7fd3394 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -59081,6 +59347,7 @@ AdditionalInputB.14 = 15f279e7677894af10821b9cc0ddc9238b318dc9020b05e5 - EntropyPredictionResistanceB.14 = 878d41b7c5951930acb26a23c06501b88d1474796e536225 - Output.14 = 8f96cd7a4e6363be72a9b45bdf8253fb47d0b50ddb3c5dfc8825f2c44366106b1094cc65d60d86542c25830a3d0f247326fbb941053df81a1d0789318563b870a81f9e554d8349b669f528d6889247d23896186c620b93b239c1d18861cfde3c123c80b4e9d5e338bd83bc2e97135ee2 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -59176,6 +59443,7 @@ EntropyPredictionResistanceA.14 = 62b1fbffc1d23ec871ec6c85c76f1bae9ec7b7cf85eeff - EntropyPredictionResistanceB.14 = ad80381072e85622e48978527ee673151fcc036c0096094e - Output.14 = c5d7cf9f1f83f497ef8c48eb81898ad1616c00cf2788a32c5878c3ea868eb3848cfc2961c8095f9c65052ba063707ea69f9d6ad9c4ac9858fb2470543dc4d2d2fb3eab11994e6ce387809c3e7595ede565ae549b25070f7ffdc630ee0ef8ac9835dbcc5cb5c9570143006ac691265a89 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -59301,6 +59569,7 @@ AdditionalInputB.14 = 6abc274f05fc74ffe1a0bac13cffb199eb87d66b385fb675 - EntropyPredictionResistanceB.14 
= b3a9b4f5f51dc337d12d34dddf231ca21dd98f0775a53ae7 - Output.14 = 86732afa068efb5fdadf94ac34ec595eba831694cae1dc892e9c028ca78f950afbe78191457a115f3c444e5735bdbc40d787294de99043c96ce49176fd17d721f5b467943219437f3e1bea373fcad275e64bd35cd4aacd1f3c126bcb59b50d905bf40966dcbd474978abe1899bf0c4a7 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -59381,6 +59650,7 @@ EntropyPredictionResistanceA.14 = 058a109cc72dd766556a142a2d59acbc036cc86d476fb9 - EntropyPredictionResistanceB.14 = 97f27faad6528c42dcd97c1313c0e9043a043e0ab0b58395 - Output.14 = 3f5095a28e5674becd4b895d8918a36ba3cbf44f09c8c80b155f217e9b783b4ba99bf3ef183371bc3c5a654e3dc2346b605463abe63313cbf0919693965712366574e175d910e263f5086ee862672bd9c59a461f2d66a9b397570c86a09e2e4eab77aa139133789424482e94b9ba63d4 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -59491,6 +59761,7 @@ AdditionalInputB.14 = 3d9654ec477ddb9d1928cf286f599736d51eb35af1eb3738 - EntropyPredictionResistanceB.14 = b8de4fffb86a4c7af05d85f7855aec4c8b463676b9b9eca4 - Output.14 = 33f691da4b3f351aa15acebafdc181da1a57883f0ded8b7223ab9c1b80e913644f850e3511e901175c7be68c96dc2b6175f69ea91218bf09dfd8b91a79e7499c8386746c260f29a22c6a000659e8aeee4c83f1484d5c09677f15d3bc045a2ddbf0b72c179dfe260e5054a75fd11c6867 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -59586,6 +59857,7 @@ EntropyPredictionResistanceA.14 = 4afd7a280d8eb867f842e2e84f2c84d78749aa25c1201e - EntropyPredictionResistanceB.14 = 7d3e4a62634e7c6f74610ae4aacc62ca147fd1699c5b246e - Output.14 = 5c89bce4759878a3fe7b510c1b0c5ebfb2b085f89c3c4fa8cf6755cb51ba16dcc516402783d7870296f848bc285a5100a548e51cab01cd60638ecf2ecdf63f6d1c793aec14c4b179880687022acb9c90907e53fcede69d26f68a53815a6746c5bb80ecb22bc7d134da3412ba7c31477b - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -61351,6 +61623,7 @@ AdditionalInputB.14 = 
ced31f7e0dae5bb5c043e246b29473e2fd39512ead4569eee3e3803314 - EntropyPredictionResistanceB.14 = c73832534681ede37e03846d3c841767297d246c689241d2e775be7ec996293d - Output.14 = 60c234cfafb468033bf195e578ce266e1465326a96a9e03f8b893670ef62754d5e80d553a1f84950208b9343079f2ef856e9c570618597b5dc82a2daeaa3fd9b2fd2a0d71bc62935ccb83da0679805a0e31efee4f0e513b08317faca935e382948d272db763e6df32510ff1b99fff8c60eb0dd292ebcbbc80a016ed3b00e4eab - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -61431,6 +61704,7 @@ EntropyPredictionResistanceA.14 = a835812aff799db76764365d3cfce7a70d168ca8a363e7 - EntropyPredictionResistanceB.14 = 6cc406628d2fa0771f896079d052d057f60b334e620315f2cb3e658b1323e7ac - Output.14 = 36c2e433e06280c1219c2f2992985e74117d35aafbeefb6468d9576fc4a23f97f131874c0c4c18b9cc6028f881eb42f0e011f2c19bb60db5f5eb65114365c659790a3f423f986eb5ccec70118e48e7ecb40e40c31a6c4b8752e8fc841df65ee68c6343579bf95e10ff99486d9793eb6a92471622b3d60297d9b0faa9e7d925d3ec9cc05bc9853c18930a5f64a8aa9e139baa625665aacd443f1469d11a6c24a3e079b952cc8b5f75ddc9fb7d96b8b14cf255c2fe7619212f281364bcd8958bd2 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -61541,6 +61815,7 @@ AdditionalInputB.14 = d8e5e99dd1498f4cbf4224e4c7ac40aa7e077521ff5abfb836d8483d6a - EntropyPredictionResistanceB.14 = cc122d075bde2cb4ce5e48d72d5f6fb99529262118b01cca6639fff83adcb977 - Output.14 = bbc4a9e2c9ee0e3f1e55e77cbb8d0ff902bf5d6853a5aed3fc0de3275da712b031a723ce201448e3d15360e5471f11bbd30029c6574db47d9d3275a8559294695b4ab832d656defecc9d6086a01895f74f67ad0643e77cccf92ff358440f3efdca3cb816687e940b7e30bf50795f111175a7a564333b21b32a0b9d26b093c396dcdcf3203e8ecd902c3de0ab0c82ac4c1d68f77da85383e60b3ac403b8ea339a97088539aa0004e3a7fb39a827aa0d27eb308d8ae29c07cb5b0495cedb839863 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -61636,6 +61911,7 @@ EntropyPredictionResistanceA.14 = 
54ca39bb5d569901c657e36d0a8e103551e25f9a3a40a3 - EntropyPredictionResistanceB.14 = 9c2962c0e03e96c94b9a616fdd52b1f04945597b372ed5c69469b29b3bfa71cc - Output.14 = 96cd0e64c1dfbf51e067b2eafd896d30580f46e29ecc1e51cc662e0acecad5529d2bb177d60c02e7cf415777a85feece50113942eed54a5b328cbc007a72a0db1500f17e5fa1cbd1231a8608dc25f64e1e078d7e0b4c49ba34e4659b9642f79acd108de0c92e52af86a4a82f23df12826f8f44a88cd99f576897896d17d7ab19ad02be4660b8a5840552cc73b5e24e76705485c70ca57b07eac35765ccc51d0795abc229aadc0101a056e047d7514c9d9294ef9458d5f7f5328673defb3c5aac - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -61761,6 +62037,7 @@ AdditionalInputB.14 = 9d015ac36aa25905ab1ad61c4c5ced15620306935c548b63f6274d0e69 - EntropyPredictionResistanceB.14 = 462b911da3ed588f1e57e952379c76f4c32b1db3f85fce3315904d38bdd5ca9d - Output.14 = 1beaa2df060fcbb134e8af0f7e1c4e6073fa23deac0a774825978a42083b18c559de8ddd6652dc89abfd8006ba18d9bb9f579f611fe02984870f160e4f4516d6a708253e3c57896a0c9491b7c218e4131d29d31ff331c411c157ba071289a0004d3ee5fc6bc0e8aaf4bb934f48521c5c30aea79fc752720c3cdf67517abae2b936a75b669edd0f86d0d9d01bfb91033c431a4f8c2822f4f055c39a8451c3169dd63597ed1710915d5ed1fb8af25e2db01fe1cf60b8ed59ff0af91282db367afb - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -61841,6 +62118,7 @@ EntropyPredictionResistanceA.14 = 523aa2f18ed872566ae4fa9061a83dbe1e213fe141e84d - EntropyPredictionResistanceB.14 = 101ca246a89f650b9f6e3282a908d51742e4f2b9a0fa987e9c8f8be89f3d7ce7 - Output.14 = 2a34c78d5ebc24dfb34250a1a2601f044e15969ea37e791110261f86d1c7e8c60b60cb4515649cb277526d4cca4bc6d31f14b42dc4da15044deb36cd9040a73e5f32806270cd503af2c7a6af85d2c9b91480df5677d9c2da368621dc7dbab8ca1ec634246fd55120058a7c0e16dc934e69fbe890a16a2b759b9d10c23fb57a188d906585c87c26a70cfa69aa7609c3a4226494b9498e6bafe0632ce06a82ee60b7bf275edc4ac862e3a2bc7683cd2258663d1cf2d0fa95ca75ee9dd85bcd42a0 - -+Availablein = default - RAND = HASH-DRBG - Digest = 
SHA-384 - PredictionResistance = 1 -@@ -61951,6 +62229,7 @@ AdditionalInputB.14 = af0921fd29ae0315837039a4ecd285de2d6e04f97bd6b18a480ff31c3e - EntropyPredictionResistanceB.14 = 028ae7d410cadffbb1a8dd1a26649c51abda3729d64ef24049157b8250c532fa - Output.14 = c4552eee3b4b58c5ac306a607e3047bedb0fc06f921f28f859324ffae46d95b5a235d32dbf68b6093498a02270ac6988c13467481553996e6ad080b5b7dee800807e9e8776d0f338fd2dcfa74716a9663c3984fff72167afdc5a5292a85663d1b243b96e7ea070021fce1f269de1f5ccb60c8f3755a7b7c9f36dd5fa5894ccb3838d568507a9bcc418a82eed820b6c35ee66c40ad9bc718ef73fd7f8c956cbcbc173b9ac0d7f3f40ff37da2d4572a8901d84c216e1ef2b90bd531aa9238af339 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62046,6 +62325,7 @@ EntropyPredictionResistanceA.14 = 0ef1d45b978c565be7e64b9e455e02636ce9d2981bab7d - EntropyPredictionResistanceB.14 = cfe1c350d349c38b6f4568e2f1ca53493be77597271ecedc5ed578abf1f94096 - Output.14 = 49c4c52a81741d2eb583eb6038c1c686b84ec9e8a882d1ef509777a5bb431eb9ae711412afd5ceaeea212c2dbbb17652881b20b2517f1b720eb528274f937b4c41c4991730bbc7979d305859fd1fed523af128347f9fb3e3df22afc4be9f43ab6c5529f720b766cb519700ac83e83668083199f02c5ec80d29621d6c41394a927839bcccd802fc00839923a482ab82061bc96798046c20a11429f266195820862b8e242b083b12567c17e0423d01a7f77f5d4d035eb75c797019d798b54148ec - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62171,6 +62451,7 @@ AdditionalInputB.14 = 64d3689e23425f428b99b64736cc26c475f72fbc564f86f99ec4e22440 - EntropyPredictionResistanceB.14 = 1dd8eded094fc0baea87df0317255fb06ca6e3470c9d1d52e5b238513ddf93ec - Output.14 = 
e52e2c91e99f31080afc7398ed67f4b7ca0b48e9db242815524b192c7bec24b4aa2aaa3449ed5c49053273b8f30773784c27355c238c7c3c8b8085a5b2917a46862fb0d7cb0b52d62e630f7fb55be54977a15d3e82ba09a7d26e270384ed5b0a381920ea2c9c6a2da7a123f811a066c81eb3b8b92d7bfd62007a19a13725566d35b0c811b4f4a951f3fa83cc7809c623c9af5317054ee1567109d3772965eb3cf6e2c399d89e5fd59c5aa1391d149a09d002ff7e6d1efbad2624c71d01ec184d - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62251,6 +62532,7 @@ EntropyPredictionResistanceA.14 = 32822d7374b2a24cc00a9217ff5dd17c6962d40d9c739d - EntropyPredictionResistanceB.14 = 98f2d35e46d162b562842886552bb854212fb652431058cc02e9963c07128406 - Output.14 = 73f40fdf6550d37fd7c9f64221e7d0447cdf6911e5aeb7b80ea6307a3f97b7d4d6e42eff11e8c53d18504a6b8c735d9d89c6e1f0fff47f2dc3ad823229cd0bb811c50aca7f3f8b7890df6da7ea279e3f0582a580ac18c3a42b10e5be088c90d3aced0418c6183b0ce11957052c9e48a8e30f12e1e5deaf68d29e4809e7fed178b541c80930b6b3b782121b99c41ccb98046147a6e08294e2f8a9a215ff77b4f6729a0585a554014c60b36ba29db8de4cb11f3e20b4bb2406d03f7f1d4601ea23 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62361,6 +62643,7 @@ AdditionalInputB.14 = 4d60a3f6c5fad0b57ee38f5ccc9c83843344dcce4f5dc056d813eb9fca - EntropyPredictionResistanceB.14 = 50915e1d171a23bb7328650449a6845c181ad304b5415e05e4bb8f6820a7adc9 - Output.14 = 08071e75400f6f225a1801359983a0fb4d6fdd1bc74f8a78d9f54b1027df0b4167acfbced55ad735a99ece966bd1e79a71ffb62c4526b8afe1a276976d9b3b765b9533f50e750651596ca53a24af1606a2cf6aab27ab3026437b7a03a0507c1913e6ae1718d6d69c7e09f808cf97c73a6195550a0f4cb426df27362b0f005226bd54e0df9c5e5038c75da6f8f77bd5fa35b9a3324b0aea322f5e48c203ee228483ac0f56a67dedcd1d706b8f0a69fa7946f1177a313241066b5324249faa7cf8 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62456,6 +62739,7 @@ EntropyPredictionResistanceA.14 = fd31acdbc71e112a4db2ceff387d4b6db1e7c714e89390 - 
EntropyPredictionResistanceB.14 = 754a7e0ea6eb9e18483e0ed7045ae6f7ccc6cc626ddc1cc2b317ee78782c6e19 - Output.14 = 978543a7389db3122a01947a9a8ede689a4fba9c0d72b74e1aec38ec6fda8e7b519e5ce91eee5c532c9df49c8a36a64818230c5535d262061e96cbdb9e7bef5d7330a2989c3d3012727a18d2c96931b66f48bb0bf6cefcf783c65b0e094e44b0227e3e898215aa3afa2a71dfd832c6e11b3522940cea0482b5f24a90d12e5aea53bad0d028abaa4c45c54828272a9ce543e8cd7ad10a3daf15055e3999e94a62a7281ddf1dff41ad3e30c19ab8c50c759607203ed67c153a33f52130670d1f1a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62581,6 +62865,7 @@ AdditionalInputB.14 = d56dffe6e68ff34c828ed6daa6957db8f8f1eb0683f6788ebc4d7ba42e - EntropyPredictionResistanceB.14 = caaee38a60aa69e7fbf710f0d03ac18ed70bf50590dc7854e2ba78edf2f6a826 - Output.14 = bd2334cb3356a211a759fbad57708e815889f3961b4c6a0f5475792d1f0db772af058bc44ab716d02f11e37bbc74f59ef046d01f99056eb4366435b23bcd92f5c761d22551e66ce180defd47fc43afc361bb2ec8a3c92727bd63329f1397bd5ac689709b529fafb7a8a70437790384213a3f1b27c6086fee25cbc3c0a2874c8a85dfe7022a5ca7365e9a715bd0904dfc999eba168466766316fd196a1fa139e37cfa30be486b0fa1ca03602becbbe97869535913b1f9e00b12f4f2085794c0d2 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62661,6 +62946,7 @@ EntropyPredictionResistanceA.14 = 957544da181d9451e52bad53ecc6e598e94e55434ba806 - EntropyPredictionResistanceB.14 = c8c9ed877603789c92d8dbcccd10bf34e26fd34804178db31a6ec0486fdf44a8 - Output.14 = 10e2ef2c3bf4836f072688eede8aad92da8ba7cc06bb2af2243fc2e7ccf9f9489a7ccfda36b2d91420df270ea9402b9716b95db186aa1859fa0e9a5cc389dbd7ad94490818fa34804a773d8dfe054cfa663267b8d21dd58cc199d7d3f7fa1abe54ef8d4cb2fb0f72a02537b0901c03b848c491784afd314d92b409b51a8ce88a3b7907e36170bcb1004a65c49785e9c14d6ad8871d6474d890b3f1599550d41c0b7a9b39c7e30a8932ce5a832137f77b97081088a8fce641e03875102e51b9da - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62771,6 
+63057,7 @@ AdditionalInputB.14 = cb7cd7e4239a550b8f65366cbb39c50c551d83976a01ce82aba7517530 - EntropyPredictionResistanceB.14 = 2ff81fd74a033d6333f732f4cefbf021a90b42c9daa6830c2ab2899b64a05320 - Output.14 = 932fac5d00f0026d0c439912ea5714fbca4385d25e8a3dd42440087bc3114ae946f32c7d7a22a0a699ce8b840b6edf5975d70961cb91f8aacc3dd826dc6e88bc780eaff13c80abcc8461d6fbd53122fe8574295ee67a624108d4aba3cf333c58316ce811194c9db18b2c1d897f385a3d7732a86d867a361b9f7f502421f12f53e97f0ebed34e03039bc903c104025e2b0bfd76f1bc70597946f97c0815fd1b7043e007a3542d0c2a8250935d0e705e8854d4f2b991bd8e11b446e0bcbaa4d695 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62866,6 +63153,7 @@ EntropyPredictionResistanceA.14 = 44d6b1c7d7e951ce59f1cd023717a4a06eb3b55e78e64f - EntropyPredictionResistanceB.14 = 6ce1aaedda5818985583c96218d19d63c23aaf9ab6614556a5d3df0c3c5a3fcd - Output.14 = a2a7bcb7752b27516c35c2a42c912462205c267120c0ae06e6413ec13a93563443a81f7f68694d8212237adfd474e765dd00c73a350d793202e6899492a135876d06eb30630527b2064c310bf65fe2f8bb0ecb53367658603775caf3c8fa9afbe38d09e67bfb73eee11f216e4619f2008c739d1637ecb046b459d5ce49defd273d0c238d0468742a023a00a50aaeab976b66abddca704ce7ccff7ed754cd0380c963b0e044b7477acb6bce83c4567638ae740e329c062bdfdfe5386a1958da8e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -64631,6 +64919,7 @@ AdditionalInputB.14 = cf2040e9046a69dd9638de941f0090b7535c51cfa9f1c7bb2a56a33232 - EntropyPredictionResistanceB.14 = b871611f8fcb8c860a72c4fd406d4939335a031e0de9f2d436d4736b6b060c2d - Output.14 = 
2d990f0de43d3a4b2930542c27ad27458e8865ca6b8f27fd7a969cf4e2a0323e38fe6f505a2dba488ea6b04365209c6db786cbbf0a7c73b4fd56d24987719db0fdba1a3f07149521dcf5b7759c610da22d151057acefe70df1ccaeb67a975159b8996aca93d7a48096926db4381bbce481277d7ab27cbc0388f0b7cedbbfb8421cb1dc5f2a9c677f62acf96ab25e7e406ce82f5b96bcb471afbdf4b3f5a6fbcb8da45d2258e350e77d4633b0c1da691662dd869909dcfd7c8ed0f54ba7af0f9c038eb32d32b705e51b35bb3c2eeff010bb47ee326c2318b5bcda963c2dad419c5923e368d9b28f25b048a87bdba0a90d98c24c81b6dbde0f58054a41a8293a65 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -64711,6 +65000,7 @@ EntropyPredictionResistanceA.14 = c6e791bf03cb41dd67d8d0e6afc88cdb3243c6d8c99ec6 - EntropyPredictionResistanceB.14 = 4b107f56ea9cf896bc58a6409dfab2fa65adf930488f634e - Output.14 = 9c25b3a34af68768dc47e8521b70dd52bd3243c8c4ca911fc32b6a191e4abb7a56c2ae535ee17899ddd7d3011386c60d4dd1c7a0f3bbc27224e1471e061675d28d726a6463d45612b6b1913136be596255ee2f1cac4f24400bc50ed41a30e4c4dc1a32524617e51ce2fe41a829d164c4 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -64821,6 +65111,7 @@ AdditionalInputB.14 = 67333be1a1d8ccfeaf0bb6836abc101f9be86f6584168b71 - EntropyPredictionResistanceB.14 = bc9be23eb198d7a9c821bf848dc659b6c5c7b001b388078f - Output.14 = 9d45b149af6ddd8231aef5d6ac48dc80cea748f860edbb447c3e181be541c0cc384bd2b3d39a7dbda865cbae5da0e6e9e4230728a819e1dfb9b7ac9b6610ea5fc42554b357f4f4b2d48ece49fb86127d5669cb4d361be9fb22c658264a850bd927252ce83ad57e7373689acbb1b2c266 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -64916,6 +65207,7 @@ EntropyPredictionResistanceA.14 = 1faaa87f7d4767c15792faaeff52c850e7d1779819fbee - EntropyPredictionResistanceB.14 = 79cf8e36b1ea35077793e4dfe4e4cc736fc8071c72ec9ee3 - Output.14 = 
356c2bc25223d3f536b075f7052d29e1f36c3dcef8b09811f3bcc18fcd78fb10115b6779bec0dfedf1563eb9024fd38e9083c1a7b748b05d61c99c14b7a57ebb121b5ca9a83e6bfbd4be01a24185de86a9baca5c9e8b1f59424bf77b9457e3829de9c44ab10c5966dc59ba5884493980 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65041,6 +65333,7 @@ AdditionalInputB.14 = 74b7046dee3b978038195a4ede2e8a0ffd3b8c490c4ea36f - EntropyPredictionResistanceB.14 = 52f143079094332e20460b6bd1b5a5872348ddd626053d3a - Output.14 = 58d2c19cd4ad3ebd48e3520d23395b4566e65981aebf6f143f46733d4fdf23e2fe0243674778fe5c5ad1fa4e9389305d3e7c1b99d7f7e163c9ef87a35d34732629ca8d87b7b8878ec95662dd9ccb43b0d2ccee2f4f3c4037925f264fa03b534da0751f45b2df1cb653c379cac512ee5d - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65121,6 +65414,7 @@ EntropyPredictionResistanceA.14 = 2520f0af49912e6973e81e5d3ea1b140664209e1050784 - EntropyPredictionResistanceB.14 = da19f29b28f43ff72e579a4a21d979dbf399f0123695227e - Output.14 = c79b9cb6955eaf7d0354ea81b1e54f3bb7855edea5040fa6ea2f18566210372f9f7b4d08208931c321ea09f44390dcb4939373e96fe3a417b2804b6af94aebc65fb31e7e9faa4113cb4bc1294fbfd19eb078eb300e599beb0a8afd05f10dcbbca84a27dc86a12a998a74d6f532f38e39 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65231,6 +65525,7 @@ AdditionalInputB.14 = 9b0214621496003a5e48ca25fb008bb7ac7cb9192ccabdd4 - EntropyPredictionResistanceB.14 = 9764e49ef04c1c164bec335e2ecd98ff0f8b7959c4af9ef0 - Output.14 = 8e4a6f42f812bcb71891f6abcb4c19f179f44d6d7ca0be8f84ea4de6227e31f60ba600c0dce0c0cdd6bba0deea6d860b3ee204be73421044cdeb59f3b42a5e4db94e2d06af91e1f2ccea73eeaea40262a5c74b7fe76979bf67510c86c4c5fc55569b6244fd15a49db2768c884102e106 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65326,6 +65621,7 @@ EntropyPredictionResistanceA.14 = 3e5b6735d467912273c38536f7a1be160b1edca1af6dc1 - 
EntropyPredictionResistanceB.14 = 0dec0880ce8e6ef894b9396ef56fd678435ed5b6b39d4918 - Output.14 = 5dbf5d3b2fe59054ab29bd747ac3dfc4026799f493b65a49a528bdd1dfe26ee50f7d8b4a69f96488095d09209f2657d98d2625adfb769188e5fcba1472d8364611e34dbce5160adb642bff5919b54e8ef3c6bf8de8fa0f651fed3878ecee371e312bf71688093a7a625239fb861cd8d8 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65451,6 +65747,7 @@ AdditionalInputB.14 = c7c8c48d9ab3014e6f94a3ce3e8df9768b3c60f478a5edbf - EntropyPredictionResistanceB.14 = 00b456fef04acd6dadb600fe9b2735a5d53dc58e9cd3f963 - Output.14 = 6c1d21ef77388dae905c338b72894c8fa3a066d6255e7760eeb307d264948f979a343a25209a3a7d1b6944d013b05142c3fdc155d63ccdf626437298d0a9f0715d6dfd81acc7e45129b6a3b442e8c36527470466f74712b03d03ff1f4cadfa8e2c348639d82919cc9a3e288fc15751c9 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65531,6 +65828,7 @@ EntropyPredictionResistanceA.14 = f9902e3d878151db3849537f186a7b2fcbcd10576aab5e - EntropyPredictionResistanceB.14 = 9787f601b4a6244569468fe586a67e2e7733ec0f1e2405ed - Output.14 = 8338c7e93fc15595aa5828c90f064f37221439c1e6d9c51a0986fe9f3e9b719f0a05c9dda87f3f88543b2ec0005ec343b62a3929ef720fb269e8dd1cdec36a8a2b867876752b8aa23d6878d0e9f3a27b06a7782a58ce68fe80cbfe6b5795e7da0c34499dd153b202c5432e37e03638f8 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65641,6 +65939,7 @@ AdditionalInputB.14 = 69b3ec5d555f1c338f45a72c56ba8f714894c069e47d329e - EntropyPredictionResistanceB.14 = 9a0350c1885b5f69fdd13e8324b8730f27c92dd96c87916c - Output.14 = b4a922cfedb084156cc73d5bacf1a78090935fb1a5368e02d1bfcd22ff497defc9784e16b14e19777c50f0db895c3a61fde6f97988315e427b4323c9c0ddee5eefe49677b37bbea5a6c9d43cd7c3279c7502154e8b551538e10c8bdd0cf35ac9379931f0bd7acfa82291702648612815 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65736,6 +66035,7 @@ 
EntropyPredictionResistanceA.14 = 80b2cc6b2d460340d5915e109e434d05ab4861378d65ea - EntropyPredictionResistanceB.14 = 42a0f1f0e9a911d0e12948a235d1a125e9462d5bcb605b98 - Output.14 = 38df6537e3bf2a8ce577da82336ccb234dcfa6fae8bec62c1ee38be0f9014f49695e4200389a55291a95b97ebd09ccb7c392320fda66797ab1979ed0ea56772456f36ee287bd683c190c438b1ee0c4c262ebc4b2e5d036b3f50f0630da695b271c3cf746162258a4920be29c25dcf201 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65861,6 +66161,7 @@ AdditionalInputB.14 = e201d55a78452ed3401d92c27247db4801b572b389b2fe61 - EntropyPredictionResistanceB.14 = d50ec469c29891aff7289644413e0bae6954075854c1e475 - Output.14 = 1bc3d11462d9e2ae029afa1b7db585d17c1de83fa1e7d7d9e9e7c015fd85a369edce029a3eb111dec4a2efda8e35bc5d412d31fe2d0d0a35f629609c2aaaaec7fba121a164f4ab20fd65b8bff2ca6f52f171ed2879f129b0bc2ba7dddb0c387a8748ddd2321681655cb2821523bb2510 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65941,6 +66242,7 @@ EntropyPredictionResistanceA.14 = d6734f3b3b76bdd8715f1cbc24df30bc8062a0276d954d - EntropyPredictionResistanceB.14 = c6947a5c4932e357cd296aa8153614ceab7a6c479ba1cf30 - Output.14 = 19f1b2ab68854e65d92318b4e09c74a379c76c096ee460355a977ca08788a8ac83bbe817a8ae4eaaa795a09a49f572fdb471d8f5d2de060016b1b0422905af24018457acc9ded76b66d204ed5d1bb66d77270bc23ae5528a6a05aadd3eb1a194bfd42c88273def6fc24ef677d326c586 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -66051,6 +66353,7 @@ AdditionalInputB.14 = add443f0f3064aa799c6fcbc729416a494ace56d2a29eebd - EntropyPredictionResistanceB.14 = 19b708e95dfcfe56f171ddcc411c63bc2e742cb45873a019 - Output.14 = 29fcc98bb0b08c965dc5ec7de8dbf7a16d234eeaaa262f5ece8f2a1d843940bc663b4f892ca1481155573c4a6754f8b7b398fe12a81409ed7f6165bd16f2ac031d809e6535dcd3561586c038df4aa735c5efa36224b2235d05c12555151b1ddfc2121e806ddb484d19e9db631383e969 - -+Availablein = default - RAND = 
HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -66146,6 +66449,7 @@ EntropyPredictionResistanceA.14 = d9b643ef8cb569c2eaeeacb3d8be9a0b2c93c60f8e1129 - EntropyPredictionResistanceB.14 = 213994f4f3e9382b9b6c0247e74a930043a563d0dc67d05c - Output.14 = 991659b877318d688fb40a862e4a089f74e60948f853ccc57588ca14a51c8a8af65c7c1e0a5fa1393a2f96d23cf0e6f829141cdbc4229c5576b07a915a59bcae554cc50e6f38264757e29117273792cd9ec6e89a82713db07af8562c24aa80e64f2723e8885ddf3435d96581881ccf9c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -66271,6 +66575,7 @@ AdditionalInputB.14 = a00aa12c4a26030b79897e04d0171bbce1cd7257e0cce379 - EntropyPredictionResistanceB.14 = aa9b3dba7376b0a21d34ee6ac8939a625dbfec172a108c4c - Output.14 = 54fb778fcfc5549e190271dc12389f42ea8128df55e6193e03073888b4be31e2d7a78845c47362c4e96b41fce503fb970f9176bdb9b5d664c386898a0e44ffe12f9480699b7d566d697a4f520268f62e460359a39d091f4c372ad33ef0eef58622f488c9348ab5fd693d4edece794b12 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66351,6 +66656,7 @@ EntropyPredictionResistanceA.14 = bc9fa0d6596cd2b1e020a0f23fadcdbd5ed8730e9187c5 - EntropyPredictionResistanceB.14 = 671405ac5614d316a8f289b50eeff5467be8960feccc46b7eda7d3038f09321a - Output.14 = c8784cdcf893010849f094a0de5d3325a69b425a8c7b788f96ed2d8209434f9731bec3c590e8982c22b46ab9f28d169933c1ca2c4e4b99a9bbbd74e2182097a7c0e29e84a63363eb3c0b7b9cd730cd0bde121006aa11542b968f4963e84830219c359771a3ab03298e5c0b8a207387668308e2158fd06add5309defc8cb2c0e8 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66461,6 +66767,7 @@ AdditionalInputB.14 = 7a63a39a4db6161824113f32ca5c4588edaefccb08894b2ba52b6659e0 - EntropyPredictionResistanceB.14 = c20c5ba1aea693d375097d19b3cfc2b06c9c876e980131387374899d4ab48385 - Output.14 = 
818ab1aeac3dd58e54ab686b04e3686a37a1202a19979a3620d1aea5e425472af381677a363ae190acfdbb0372c7ea2d5248cf27b18327e13b91507fc28b9d3e804ca0e618d867b3d892173a19c5918326e6fda277d5a3a34bba1425f4a6c9543f66dec79bc909b3d082c6067df73966d1b8f8a16d07005732e0cc00f9b212a8 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66556,6 +66863,7 @@ EntropyPredictionResistanceA.14 = a21a3a1e4a6e4ff4c646ee1b19ae20f956cd174001cac1 - EntropyPredictionResistanceB.14 = 5f673e1dba2a9c526ebf62d4383da60fd194bee81d405dd719f0cdfd0624a79d - Output.14 = 718c2bd08da84f897864d2c2a91cab5e6b66251ce71886969271b3b88885cce8f01e2e0bbddb0f5826c68445c8d56964c7f2b641b7f8498dbc293875a422b65bb7aec20b154064b336ebb06dc861fa7e69d683dba33d8a6f71c2b2c76e030db66fcacead182c0f316395c3dd4586a38d56157d8b4138f3039acfaa599df1a096 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66681,6 +66989,7 @@ AdditionalInputB.14 = 4a5a23362f631c0b155fb802990f855d684a1d3f54073c7bef2515ee3c - EntropyPredictionResistanceB.14 = 73189d6afce0d5724c50cbe257a1494c7e78dd5b3d7509c5509d795d6abea851 - Output.14 = 8c64782c4b34cb5e2ac304ad773adc7a76ff2fe1f43202b01e28aed52ff96b651765d642d5313146f322f3cb067cc274918babc2b35255f048ee74b4c87a4e1c465e3e1098b1053747343123ae5ecb652520d0fb20db17379388249a2d92cabcea7140162f2d9cc17daf718eaaeb8e8a69197689ab206f68fc468982c8f89e73 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66761,6 +67070,7 @@ EntropyPredictionResistanceA.14 = e0975b46c5421742148647c5ea8ca534bf23b9cad38fdb - EntropyPredictionResistanceB.14 = 92632b542fbe20c00c8071037c15a2434cc23b3b6ba800dc9e419e105c1a4c4c - Output.14 = b457c370a8bd4451f4185f7c925b90365ecdf0cf1a4e809967ca9218fc7350447c32d25bb3ac36d8d0de69e2f8d6e7f0276cde6d9a615d5644654be11ccae2a556d331310494ecdb961468ed6283dfd9342be478f0e3d5bbcfcbfbfab86625a3fab5c43296bfe1fd9218ec5cac2da563adef29084fb7906a7284da44872a957a - -+Availablein = 
default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66871,6 +67181,7 @@ AdditionalInputB.14 = 0eb21b9dd429b7ccf6183587400ff57ccb84e13513a553c83bd18695eb - EntropyPredictionResistanceB.14 = e65beb2bb257e5b9770af1404e58743540ce7d6338089906464de3350c481f59 - Output.14 = 30ad11bfc18d3fa9c7ca2adf01bca76f8f2513c2aab3e830b1ec8892cd6544ad9e25f2c8369a034a25962634fe86e833aa32baa24ea608c91818994601be78ab1fa772cd80b6eb3006c4c2d4b0b1268f7d8759b7e0193e15a69f7e13def2e4af35536d92c1b8dfe3b7ac72104543a8e99585bad53728899fc5cd4ffa509b4b79 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66966,6 +67277,7 @@ EntropyPredictionResistanceA.14 = ca849cd2397ed598a1f4a5fe1ac34d9bd72ba79cf44b89 - EntropyPredictionResistanceB.14 = bf75a707fe7d86993dfa00386ce07f94898f484a9f936d47e4923bd6bd8e2121 - Output.14 = 63fd0934c1c510ed19955471552a645ebc7ffcb90ec904994fcbe89ad938ca0b6ac3c0bf958d453af8ef7b4cdfa1bf20a5e79a68d1801a91dbe63ca254d8088d7d508971d203fd9dd4fb4fdcd9e8f1f25e899912dee3f59ee1815efe0959c7e4ae06453ae9031a8cc94ae38d7d634fc46233ed8d11ea8e20e326841d3cb40680 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67091,6 +67403,7 @@ AdditionalInputB.14 = ca63db9ef242fc5132d291600fbfe99b72649a2c51080bf46501286c27 - EntropyPredictionResistanceB.14 = aa1d3e08e011aecbeb852bd054066d44b5f66a71682427d9a49deb6fd43ac6a3 - Output.14 = c44e0709fe70b56c0d612f354f796e33f6008e8dd9346ce75894e3a09186fe54b4a7988060e48488a329387bf1bbde11de1525f14caa0af8d6e4d4b32b5dce06d71b368d5cf181535557accfbd9ae55d4b844479a8c959fd0ef0739f1fcccfa2d4e053194b90b8ab9fa4135db408018c3d4895c44cfefc05951d1cffb8da24e5 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67171,6 +67484,7 @@ EntropyPredictionResistanceA.14 = 3b12c8af1e7f747f5307c4a0e7af0efa7a34039b4f2c5f - EntropyPredictionResistanceB.14 = 
90e07e1b5ea4915b23d18d52dd1a5d79ed0feaaf4c3b9176ae92c85f28c5ef0a - Output.14 = 6c2ad7e3738c856374ab4b7a56ef4b3e1aea65f69fd6fffdc0fc06c585eeca2761fda70234b844b37ee8fdd43f8f58b5f73accc0943b8da2544f3a7ea7e7107786d9de4f457519fc80782d0ce64e5b33c82b6935f80d0e1e241ed1c119621d43ce1d18fc016b136ca1eb7907c6fdc14f77d807cd0ff1a1ffef73f6eab009b02c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67281,6 +67595,7 @@ AdditionalInputB.14 = 5138951ad6b555496eb1005bc403f5937dae4e05f1254d7ae2406a3f81 - EntropyPredictionResistanceB.14 = 9eaeba16579b23aa55adb7f2b33430e5f9006c6247944b16cca7f36ce6eb0cb2 - Output.14 = 60cb8d3a0d921d6895033f75330a82de2121abcc7f0ca1391687a510ee79c7e99154483f20ceee8cd85c6be7dabf93ca5c535b42980dbca8b308375f44ea3c1682d0edb7391e468898eca762b39b2ca5beeba498881e116e45429b49ae3936e1d11baace14b11c64aaa17f4c830ed62df0d66ccf0093c73f705e32067904ce8a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67376,6 +67691,7 @@ EntropyPredictionResistanceA.14 = 5dd6463be2b566208350dd70f0d7132cf2249ff1069c97 - EntropyPredictionResistanceB.14 = b59a5c1e855d888a76aef8a2bdc0e6701eb7cf7d6d0da08c9e9764ac31311d3b - Output.14 = 69fd03a37b267d6f2a9f338ba844a69f700089f3348c7dce12497ed6637e294b9b958ab36f85d986b1f311400d2e58bf5251cfda4c6e173e0a0eb0c25b529057e458951e8a9ca233f578ede226fcbc16fc95b9421f4db1b939e77110d1e7ba0d486aad8d62f0e417ef3a5f39145d05423113d8901493b866c3dff2a213ab8dff - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67501,6 +67817,7 @@ AdditionalInputB.14 = cba2a6a01cc09238e9a8e9fe56663a8eb4ebc186f4927042f7f19bc8e8 - EntropyPredictionResistanceB.14 = 4c691865c160d187f5c3654e3fa2eca8e818b2f6ead070dc69b2585d5d4589cf - Output.14 = 
004e5ce98e6f7a64a98ae577c3c702b8aa489148edb61e57cbb980c2383723918bc380e07944049631a8f88044a7954570086cb972c6653ebfa49a5c174f8fbb788005aeb7bbfba2039eb495cad2c23836f94bb6029f3ae3dc2dd8525aef77614d3bf5ad62c48ac56c1cf1155653243d4d10da4c4ad9e8fde33802d46026212a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67581,6 +67898,7 @@ EntropyPredictionResistanceA.14 = e67d0f28c142a83bab1572b0b44c83f0fd9ff3ccc2efbf - EntropyPredictionResistanceB.14 = 5b7ae1170e439d0f9b8d5279fb29da66fe280483e0dbfb6e289d63b80c0e9662 - Output.14 = 4168445948f0108eee7c346820bde513375c403736ac22b6b51a0237ce84c9f6ec3f85be5e5af9f1a23123692794704825c4e1935ccf790413725fc44ff64c457a58a700265c04dfd9674ecf952af9105b0b62e9f2867aa15cc18077063f1be603a4fdb0060a272aae224bacd1f45d172c8fe03ae1b4dc4616bb47be9ca6fb3c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67691,6 +68009,7 @@ AdditionalInputB.14 = e5cbbe21f36bdb46d389a479bc23ed7162ccc9fd07e3c15b2af38da548 - EntropyPredictionResistanceB.14 = 524506ce82bc8e9813b12258b87eef1021c3df39de0b377529c3614a88a5ef9b - Output.14 = 942432679f040520258501966ea68fb5044cb44c4d02b0eee3041d3e43e3c283e76d4bab79305d16888b42581ee087dde5e2b0e2c3bfc7d1122c2fc450729343a45331df3cbf7b9a4253a5f8550d37672a73a75b3cc8abd68f98803643b6eb69ec95cf55c2cfa037b69523afdd045c740708f1f7403621c8074d497e0efe689e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67786,6 +68105,7 @@ EntropyPredictionResistanceA.14 = 711415888490d7ff523e9883f6bf0226dc6d446901fb41 - EntropyPredictionResistanceB.14 = e15d421f53c1c843c847b2abace780caad977a337d81469d973ddae6aecdd1a2 - Output.14 = 79071920bd431dc5156b6f03932ae2aa4dfa06a61994bd07ed65cea1ec8c08416c7ee5c045f0fc63b4ca237e85d29d8987b65f3e9ad22a984aad16676a9a0b50af959f19b57863c43fd316516cc7d8516bd4705193be20d3ffa42f843905ad64a5288c875f55a8996ecb239700136b6a57a43f2c6dcb11af5e8fba3597fd8870 - -+Availablein = 
default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -69553,6 +69873,7 @@ AdditionalInputB.14 = a0ee5a3a9a8c5eccb62b9e7ed45d04d8 - EntropyPredictionResistanceB.14 = c588bc21bfe29ac749639bcce28f17fb - Output.14 = b519ee28f38bcc0305ac49eeaaf9f27eb6af797ac95e13431d1f5611e89930bb2c362a9abbf4fb8d89605e5db756fadaea2f36e953751006361b94f89c893e2505b77e41ba27eb9d56d9124111e7c12d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -69633,6 +69954,7 @@ EntropyPredictionResistanceA.14 = cdc10e50c630ccb235579a72b6eb4502fe146aabdab62a - EntropyPredictionResistanceB.14 = 5c820ea46bb9091054d75a892a83c3850da0a31c15e0d021 - Output.14 = e32c0798b2040620fbc5d2a44ec7fa8038444c1910fd4a24312c8c8eadb57a78606449cf05ac51a3bc4d58ce78742c1be3a0fab6e3f5ebc92b82b5d5d64ce29e8c2787ace0f4e718a7f6cb669a0a43ba1aee0d9aef55cb7c6f5dff57c8acfe883ffd8a496d44afe06803e4c9ff62df04 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -69743,6 +70065,7 @@ AdditionalInputB.14 = 4505c0664e59bb4388020470838bb098c4ae1338c268adf2 - EntropyPredictionResistanceB.14 = fc4ef2906cf36c6c8897b802200a83e60d16f7fb064abd2a - Output.14 = 4f9c3c60ee32042735cc539b9a23d04c2bc6bcd68db04a58240305f165bccebbb98e0f4796b283a0d78bdaccfcc8daf19f21a72945be07996bbb0b606643c7753f76ee6371292d3e681468b714e16bc32db14ad6d777677137ebd3731186ea72b840b8c4ae79ecb2c61352ea056d2d6a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -69838,6 +70161,7 @@ EntropyPredictionResistanceA.14 = 90e391a33dc21281372589e2a667cdbbe4267710d5244f - EntropyPredictionResistanceB.14 = 42c959b7272b39e5cdf67701d47665b61782541e94aa224f - Output.14 = 4402afee12048c1c6a44624d2df026798930ec732884899ffd20d17f1c8d7c221cf5edac8679a21ee11b177ecfd61927d4ccbb175ee6b49cc6f371450904c2666aaf2e6cb36cd55cae3af772beb80955cf67b4e8be1fce11250a39693ecb7f8ac05aa23b949ac74bc9a67060cd60cc77 - -+Availablein = default - RAND = HMAC-DRBG 
- Digest = SHA-224 - PredictionResistance = 1 -@@ -69963,6 +70287,7 @@ AdditionalInputB.14 = 764705681b7781573af811fa7751dbc27d667af7a1e59dce - EntropyPredictionResistanceB.14 = 76a59ae38c88631a066fa85d24dfc9b2547caae598cd0fa7 - Output.14 = ba4a0583d8d6c5b4216a0875cfad594485858dc7f9ef265d4ed0c0f0fbfcaaf5ae318df2d7fc530301813d9f49826030625f7ea02d0630b3573c486b1fa0ef4269cbfb6fb86675c11fb7c0570cf7ff4fc7affdb00625ac453c23c229a4ea5f540c66f031ab3462f7d12659eec990501f - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70043,6 +70368,7 @@ EntropyPredictionResistanceA.14 = 85ef26b185a0aa99aa8761981cf02a634b62f47baccf27 - EntropyPredictionResistanceB.14 = 2e9d56a2fb6ca0bef9a286d23e7d38457790f97f2b7ea5fc - Output.14 = 5c7bb6bedc97cd38837beb0d963d76a953d4c53827e24ffeb278acce8350c43fa6e289672fe6452b769b921937ea8059cac8326332966d3490f57b8fa89aa86deeb3edcdc108d1899eaaa2d568d78e26b8ed674282ce16a0cc03f3c3b1da6d5c73afe8f392b32151e938d99c94bf8152 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70153,6 +70479,7 @@ AdditionalInputB.14 = a05a3af78f164652504f38cbb262a93f5fbe72c55e28aa55 - EntropyPredictionResistanceB.14 = 0dedd1d3b74beb9c3ed9a6af24ba4a8fab11aed95d829a11 - Output.14 = 4e6dc09aabcb0fdfded4f1d6ac2339add1b5d7528c3676203b09341a1cf70f0e838301f7a78dfe6960daa674517162f4819a37027845c260186325846604db350969ca2abbabf713159669260b80de6e42bc33a64c796280402da8b3c3bf6e8255a11b82b046f1b3800cad132c2c0cc6 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70248,6 +70575,7 @@ EntropyPredictionResistanceA.14 = e5f524fde813bd2478fee8dbbb6284f3863b43a8cdb2f8 - EntropyPredictionResistanceB.14 = 178f885705e506129a137c64daab8870149344d82990e454 - Output.14 = 
cc687b9fc638af68d71c2e12ff8727f2cb2eef42a888216af09167ee23f5b432ba896ccd508afae8670dac9fae348eff0f8db63c3fe86f6a1e2d97f9b11813a56ddc1d5c99cdf79afb5d281fd1682dfada3c608ac1cd8ed28e70e21d3ecf7c13c410e8e657d7d0714aabef78795e46d1 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70373,6 +70701,7 @@ AdditionalInputB.14 = 29729358e5e488ac8924536a8806d242952da8ade0d4e4ab - EntropyPredictionResistanceB.14 = 0a0148aa002eb800291d3bb5fedcc8a6b80897ce459710f5 - Output.14 = c97f446cd3d9c96f63782925178e879b3fdf0d46a2e67d2489a39c55ded3330d70a7be34128f3e8ea442989ba7ad90ccf7f66bfe1f7c1b17585cfb5786d764a44e39bc021e06a193254ec26b7b93e33fb883408756e651176a098a4b75b3ca48ffc4b66f0f5519592d529500dfb30287 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70453,6 +70782,7 @@ EntropyPredictionResistanceA.14 = 3ef188e76f0d26d790b51c9eea46b0a9d15fd631f044dc - EntropyPredictionResistanceB.14 = b2d0c40fc7c3e6fa3fa030d54f4548cc664ad604eb9ebf7a - Output.14 = 966790327a7fd7dad98fbfc5c86d8d678d28dccab766dbe0a10bf917b59e85cfafc1a948b0abcd89fe6cbd30352e8c672a849b2b6b598b495719303d17b22f879361078e1dfc13052879e7fb8613a0d5fe764377e98e8c4d41faf8aac94ebd299caea002a93f5e56b6a78e6869190c33 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70563,6 +70893,7 @@ AdditionalInputB.14 = b4c6dec979f2875bd6ab575c884b9c82a7f87b0e8536fc63 - EntropyPredictionResistanceB.14 = 812de24e2801b83b5938cf87ccd697d29e1e47dbb773e8ae - Output.14 = 42e656b2bd89c6b87eeeb4cbc88da7b7ea63f2d0e34ccfda69f1306982727b65248742030974bc2013af0fc0e04792ac57a6b33f7a0e1c106b4877abcc43649ea67c7706c2c6a32341ab03f35ef5429b634c546ad46e9f4ed65835246047ec510de96d544dcf5cfd5cf38b1191844699 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70658,6 +70989,7 @@ EntropyPredictionResistanceA.14 = f3519a57f18c23306e613cd6701a63b476750bc86a2c3e - EntropyPredictionResistanceB.14 
= 970a0425e52d2ec2cfdaf196d46e132483021785e3be083d - Output.14 = 92e7614f08b0bd0356849559567fcc18f467f7ef0d31801c9d38d48adfb1a49d464abca4764e5a9da227d20dea34e9d05535de6daba95db7ae42ad94155f795c06ba3241e897ffdcdb1c0cb1ed2767bc8b1259359e70739b52f87c947fc0ed293990fc1a9d452c18afaf5586a7a4e828 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70783,6 +71115,7 @@ AdditionalInputB.14 = f7bd5c7a7e998407efc71f4bc2a6c811edf1687b019ceb9e - EntropyPredictionResistanceB.14 = 84f15292035fcbd61337c733fed157b3e7db3097c2a3bd9c - Output.14 = d59bde2388f07c18be829b8fd08376a93af24145700238175859ee3f89a7dba009c628d749c9ad72abfa3609dd0a5d38ef1abf261225b988db1d3d3183b5c5ffcc19303f4eea88df2df4b65df1ad28796e9ef1340731ad6c3bef33043c90880e3ed5b8b336d5d125b89df17028983f4d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70863,6 +71196,7 @@ EntropyPredictionResistanceA.14 = d16361e926630ea7eab852d3fbaacd4ed8bcd4437311da - EntropyPredictionResistanceB.14 = 15d2ef5b010ae9f49d738919580a99985fa6e749f4f25e4b - Output.14 = a34007c66a63071fd9b88fcac4e0438961458595c5fa9d39453af1a8260a5810461f55cc8bc9135b24713c82d9a8f7caa720ece42a7a94ba9142c7f25120f2cb57265a83e2a40129357234dff36f320935a2e88559a334e33044d6e6694a9485ffc243fde57a28958975d40342d17c0e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70973,6 +71307,7 @@ AdditionalInputB.14 = 6a59ff9e4710c11794930434f5084196353fb44fd07b2e25 - EntropyPredictionResistanceB.14 = 7b9f7f89a03e06aaf45b165d68c6275db97352d04c8fc977 - Output.14 = 7f72c56664a786385db6206c39a8fcc6d2ad278abb7270961c79f17f3123b62ac1118a814fc8d22d2f2c0219cf12879bc688056f39d79849c6eb4f3bf2d48939372313d46c6f816205e71a162c8ac3373f39905c19b1003183a14f1a993851a2f9a961bcf3fdeb656d7190c7ed5348ba - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -71068,6 +71403,7 @@ EntropyPredictionResistanceA.14 = 
40da9bf2a3adce3bed58d5ca64411ace999f0dd1be0849 - EntropyPredictionResistanceB.14 = caa117803af0fe7ded86e010dd37e4945fb8b32256663cfa - Output.14 = e1468e54df5d693ae5094982e155a74033e4079dd1086d45a91ee213b3ab4486640dac0342e6aa82f76569ae9d395f5161d82d27a7c6a8573e3f42e7c57ae6bed8a45a177dd35a999e322a3538a9b8cec51df28eac49ca8a7022200963aa0d4d66868c1cb8dd90a1564cbbf8bf26778f - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -72833,6 +73169,7 @@ AdditionalInputB.14 = 666ab44b022bd295bb6b516390e14c1a7e746acb6437e33b203779116f - EntropyPredictionResistanceB.14 = fb25b91fb031adb53b1d175a68a9202abdd6b3da5d658b7d3d5e815e62d440a5 - Output.14 = b02cd3e20a39877aa2b5288236990b77e0e9e21987583fbabd6ddd9ae2c5316fa51602d06ae57a55a784dcb163504014a21a1ac2290b6232e8e97d186e6f6a8508f7eb6958a0ffff454f91e1c0b2831a594d31445918c92268b380c017f9911e81c82ae23449976252add67ea901463848696eb31453189fa88d2c999b6d9d81 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -72913,6 +73250,7 @@ EntropyPredictionResistanceA.14 = c5650c33f68b5d33502b1f55e06fe2c1169fb34688a092 - EntropyPredictionResistanceB.14 = 25be4cf15692e3e6ad0ab6ffb22cf3f77b00333517ecb2239c9b81e59a72d087 - Output.14 = 41f335cf727ffec9ebfe7cb348d11cdb4e5e49a9a047d8342a6656e5d235219a5d80715166698cc1f16e34f743811b820e6ea55c2bdd0db1b97ea2269fbf60c739feed818282f447bfe2bd0b9a7c479144f0016703aff450abbd87a50e5e5af0d2d9469175542737bd116de2a73acbb74d9f0077a227704f271fe0696f071914dcb9c0f0191fee35eb66248eb17991b538649457d5d5f9d4bb9cd81c33a14d2becce003c143c9cfe39ccac51048ef169f6a22143eca721d04f6e147749a44a75 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73023,6 +73361,7 @@ AdditionalInputB.14 = 301f91c659f73b618cb46a4343772f1eee9fb4949ec6328109823749bd - EntropyPredictionResistanceB.14 = 24a71d39e627d5efaa1e8f3e5f70114bb03b71ce54e4f8d34e838106b2467cca - Output.14 = 
34c532082926e6d530b3a58282eb4666ac7374e8befaa4999dfc9f409e40ff966652295d2940db97061800583bc7d47b053553ad29c89ee61803c1089d30592270d2927031353592d4aa71f59a4bf3f2147cb406322367544c38fa5a3c8ccb534bd884355b06145db62161260162091c795874a2e99e01292a2e39e107738818a211750f858edbe0c2ea4734ad14f1c45bcc9f733f027616926558587f7332be55044dfd6fcdb628ff7d7d581820a217bc64aa092e450722686e0cb291eca45b - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73118,6 +73457,7 @@ EntropyPredictionResistanceA.14 = fd947b0a21e580e6c2dbfbd44d01f5fb4a51dcd2199df9 - EntropyPredictionResistanceB.14 = 815302e016aad33254d308c5457f368965c15b6204e191c2a252e4fe88dfb978 - Output.14 = 34f550231d31c1b3a3db331d341ada3b987120d94e431831eea67e8d208f9cf1800549d445fc7befbdcc2488cc7f4340560d574fcd2396e9ecc9a232f1015cfb26db451623fe47ec8bacee1756573e74e519adc62b23ce86fc191ea5e13da9c7a14496426c6c53dfa7c7ccdb67d6164dbe88cbbe7f48d4971993003ab24f3eff18bd52c2661992e8f8da93bfdd28f01fc32edb439ad130352463084041e9871c431ba26c676ecd7812991833113cbbe687651e93aeb22a6a44cffc7a3fb214b2 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73243,6 +73583,7 @@ AdditionalInputB.14 = 5a7434648de82a3552e12aff800093776ca3e86565b29c0b3ad6c0bc31 - EntropyPredictionResistanceB.14 = 2d6b77ff7e612c7c40cd5231eece4018c5b3c0d8181ab44703f7a04c0a1c7c5e - Output.14 = cfc79a89a0a55dc9c6c6eccdfab5a9935335e806b73bab7f5eff5f9fea6aa3f47bf31f06d987a94e2bc2a4a6144ebe94d6f5aa8fcaabbf86a37c8d412207864322d3057b89fef358740c5962cf9e7c37072847fcaa6db693a5238ef270e8414e2b29448bbcc37dceaa75479c2ac5fee2d6fe9ed68516f6dbd90135ddcae8a12d1c1595e0edc34ea2bf00bee7ae773c240c2bc1ed828b7ff91a676891173eec1dabeecb2184df9186c3bd833e349351481655bda91bc0f4e419fb78e426de6b39 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73323,6 +73664,7 @@ EntropyPredictionResistanceA.14 = 6cc5f9e579d80eb1e93876513892307c462383f1b5e591 - 
EntropyPredictionResistanceB.14 = 2672d3be2c1b741a8a60662e24e2bd6a674def98b16994189c08d7972d275f6b - Output.14 = e7f7f113778234b68dbef00b74b656a52eed3cf3aadab8e5d96d1daa5c253f5ffdcbddbc8dac0acf43a7e2a18303a6ca389db0bd0c5118a869e7e06115df5315ab9962a782281c5c46823d1067a8a5cef28c7ab7aaa70c069841875f02f294e557158da3adfc6c11407d5dc3c783332b4d3e25001b5b1e48dbb45a5ec0c8fbc0343f8d73963b7928e501f5dae8716746a835e121ac748243c90d3d3ba22e11cffd76f53a6e372546e0fd333e46df1056197e5a44a8b69e5b923637212635e6d4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73433,6 +73775,7 @@ AdditionalInputB.14 = c81910a207597a0657cb06cb89897f9ca67aaa5e3289159fab1f36cb2f - EntropyPredictionResistanceB.14 = 0fe27d8d5ab415f1332cf42f7a6eb23033a9c5eed085b3646ac3fd288de95b63 - Output.14 = 080c95ae4f89185591db9f06e68ec25774ebb1fe9e5cf9acb4a6190341d40c78c1b92dfcfc142bd8719da2d09d879875e5eae3a0f7e4030a61904e45dc5f059e550e85f4f2e081f2b7ff22c47eff29944d5f17396cd1712070a2e1c565253a032e15432489c093561ff61b2729ad785e7d3da276a860d40ffec5f766997260ca2f0bfac1a3d20da5602357d9b8c92c97f8830fc1c93ecc68ad2edf2a559a7f52325ee7c7f9c85205016af24e0833fbd54bac2f6bf42266d3b90c0431783b8a75 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73528,6 +73871,7 @@ EntropyPredictionResistanceA.14 = 0877707fdad56cc9c9de7e9fdb0c0314316ebd529920e9 - EntropyPredictionResistanceB.14 = 208e73cb7f1d5cedab1c8b3b53e0e8677e3ef4664cab9a305fec6dc0246256bd - Output.14 = 97d899881e4f6bd01a6030d211643b3c4d27dd7df30956495497b8748998c7bfd74373293f1c992ca303f0d59e46ca98f97acb101113bf97682ff75de95fcbd9c511f798ff76d7a17ded50948aa2ffa15013e1d486de1368c5ff009a2c0ad062fb9045f89d8867aaf8799089bc9b7eebd5a9069690076538a589483c7af29c48b6726982ccecce027b87b1ded6875015195c60604d2e564ee3014d9114f5a2d900829d449a69ae4dc23e5df063c103260163509bfc38690f8d274c620b53feba - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73653,6 
+73997,7 @@ AdditionalInputB.14 = 30dd5a23a1cc9acb87060b151274df28882f3d442d1b9ee6ca58dc118f - EntropyPredictionResistanceB.14 = d980c14049c6d9e9bfa9340c92ba188091416e7eab2849f347f72840d79f9f59 - Output.14 = 97db825c1019bdd33f0f67b32adb6490a8f38e96fa34658f93edaf6d000ca806bbf7fe6af0b5b17c9e850a6dc41f8899355849f04e58ba0f75872021cfa7cc4410160324312fe8a7b6e9d8f42778a1b8496d9f0bb40eb336039ea3f762147fdef0d53603591b0fdb9f4d0b345c8f1cdbaecca96e5411a960933f52ba9b3457a0058ac464cb30118ce65f027e8a7584cf9eba11754ad3d26d3600a3af3bbaa9caff6ad4a28a8a76abff9c5d710530270cbd9972b90bc767ad7e76eca03dd13549 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73733,6 +74078,7 @@ EntropyPredictionResistanceA.14 = bd108a354d8b8448d8add8059b0c40ce026bbd85209c87 - EntropyPredictionResistanceB.14 = baddefae7c08ddd069296022aaedf0eb70e44df7a1aa04a030bca6cf9ad89211 - Output.14 = 8360787a7febcd2965a605f03a76a46bc3b842097936c0df13fb778feeeb3f7c12af610fc1d845ef71d5b4b834f1659004834c107e084de52e2303fd81930eec8aea7fa86893e58ae764f1894965b04bd8bb65a308e4f38d390ab11d93dc77c69e86650bdc20e7a3fc616a996f4a4bd5668d31c6155644867ad93e31f8d78f512a99b6b368350c53adc5de36fc13052e600dffeeaefd06b2a4b969782c046087ac07a4e02aa5302e499ac11e26116186f32d4169454eec4eb29f2e75e544a0e9 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73843,6 +74189,7 @@ AdditionalInputB.14 = 8316fb114ead33f4d6cf236cc711432f42a699c1c8207865428de36375 - EntropyPredictionResistanceB.14 = e4e9129ee1cc84738d8eb8db7404da8c0f9f16a5dfe1b2cd99ed2b08bfe635ad - Output.14 = 18daf46771e8acd38c2cb82aa837a239a145c48c303dc26feef47d5cd74b01cd53546fe54e300bd3212e1c13c1bf3a9d17165c89399539c07e30816ab1c7bd1b598e1b07cfd4ad0785cf6f6a5b835d8f212c825a4ed2d7821bb29255428c468c84ec2e609cfe23f79468f60b236ed228b5252a95bd4c0bfef62f2b640c7823e32d72e5f1bddd56835e0b8428ceafada24efe0de582678545de63cbdeee77d6b3929d83d9b5db2134349444926c6fdf2422c786a67e017a8f98659b9c80ce95ef - 
-+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73938,6 +74285,7 @@ EntropyPredictionResistanceA.14 = 7a7721ea04f0e15f08ac5bc6f52ba3cc2c9f62f0bd8adb - EntropyPredictionResistanceB.14 = b38c8a67366b0aa435d71cb0050039a98447b1a40a0eeec63b33eb6b37e2edda - Output.14 = f5fd860edbe302d1448ff77d56b368c4eb156490aaf07a640a87a7036201fb816bf24066b7caa9cdd709da7234882939e717298193f9dcd634c8975dd95ab56c38e8407db56dd8713b0c85842f85516640d3faa7b5e12a390ddf0d4d80c96a407b9a2a4767fdcf9c37d504134dfe0a90c8b10ec9bbcdbc56e54180022461c69379c7aed3f5732e1e56d03d078bd8b6e7c621f518a631f0eb493d5b747877a9cfcd06e61674a2f5295a91830b5dae43e30c1e72fc8c91528acd13566b723acd6d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -74063,6 +74411,7 @@ AdditionalInputB.14 = 9fd99df9cba9f0cd2445ad2d4b2c6d34c112d882b7c364b1d52f47d880 - EntropyPredictionResistanceB.14 = 3c2b67fcb3929cbfe60ea272a0295c1a59c631ba2f9619c0c93337646731a8df - Output.14 = cb3c238037a3165f17d416dc04fa07a41eeb7041afb26f5d02de1ae45a9ddf37eef688c9c29ac05fa9dfc35947123cb3db0125f5bd5453f4e48a3b2cb027465ca74f9952456d3bb0efdbc047f96a201e78d813ee37e213240eac293479444723d63148333d93dd7cf81b2e19a7c6feb217c32b25a4cd184a8bf7c2aaac149744cc53134d38eb4a2bcdec0d69950171847fa97d0766a19c3f96e9076520d25b1741a9c4fa31bcfd6b3ad8e4aad6f0c33751d128b9bdf4975e0819985c3b00dcb0 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -74143,6 +74492,7 @@ EntropyPredictionResistanceA.14 = d5029f8d6b538542043669856f1f443d1b0cba26f5a075 - EntropyPredictionResistanceB.14 = e184b0afcf6bc3bf9c121b0df5aeb8f8fb94eeab939de04b5deea470ab94de15 - Output.14 = 
86c8cd6a92b103b0d88e54be7d4c1a9f8e2ebfebeb66cd812298fcfef3a7eb84dd84d0683a12497716c4325e8105b39c9841dca2d60da1dc875b904839b18d1681805d058faa0ae897bdcea8528b8e99bc6899f96ce635f3176a645224d668afedaef3d65336b91c78cbb7f0a5090e95938e15f0e43d827bc22a4cc714aac95d69b90553b06a9f3a76cdc0e04d0f6e24a91ef5468bee2f77b631d5a5bd95d74eb91be516027c86a17240611746aa99c6c84003aad7b809c0ae72f221c564c8ca - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -74253,6 +74603,7 @@ AdditionalInputB.14 = 1161d440c1db4c8bbef4967dbb70d8054c1713dac5c1bf62866e1f0327 - EntropyPredictionResistanceB.14 = 5cf03ac2109ac324991b13b84b25d44bf6edd86f634a2358c3eccc9e3f477ee9 - Output.14 = e0793def2fb3674f7401517bc0645973b7f97091c3b96b3bdcebd96b882ed393ed38f7b7f5a6e381dad287f642c99e9cc6b6eb090092e468c96d743b20c7c71371a1c64637256d041211300213a9aa330c05e80db3456de1d55e6d7e3aa3d7a501450ec24c74da213b7184f4ee481c416f6b7e0877d947393921b72a6636d642c8d33b9e57a35efa2490d37f8fe584644e0c19a54941248fbbd2fa31310a4592926db7092f5e8b3ad1111454e04705f79e46f4f6e4d109f4c0fc67a253550bb4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -74348,6 +74699,7 @@ EntropyPredictionResistanceA.14 = b35a6d3ba1b4b3d62389ff2dfe1a8a9ff527d4fd3b2cba - EntropyPredictionResistanceB.14 = 325043f919f312cac2102d97cdc26a58637120c01c09448be861dd97751e8672 - Output.14 = 32ccfedd45cd80172e146ce0982f6046a96735237e6df0033eb5d61d134383efe454da37a8ff31689613a808ef649f5eada3214ea50ff21b673bd407662006c157f98a36418bfe72493134f6d8e2b5276610d6626977cb725d43a526ab523ddb97ce76e6802c60da568402ed854bb9e1af9cc74f123493b19b765aed7dca28bfed8bfaa58601c1f2d1e1b782b83337cd42c0c304e7415da0ddffc9078d42fe6b59e5454dfcd71d59cdd453303018c28015d88c914b62d8c3fcb94eaf5654b02d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -76113,6 +76465,7 @@ AdditionalInputB.14 = b969d2503e5dea21ce90fe8ce89cf9e6e9165313fbf44286ca91a689b4 - 
EntropyPredictionResistanceB.14 = 0735d5d8322df6f7568e2bb29a8d63461d8b28ed9af5f7323ab96292c31cb59f - Output.14 = 7ecd4eef593d3c8c2ad90851d17501e666cf22ade15471b3739882cfbf0b03acdb6b83288f22f4a6246fccb608c98cb906a5e9a42fdfbefa52e968e903d175b90f51369d21bd8f408a723768d6de02606a15f37e9a16469146de7340d8c6e58d293a2fce0de7217f7a16e9bb7000f54f35b5b58ab24c0dea43508f52a718eeb46be9618461afcbfc2ea4ad3a38ccb180db88a0fcdfb2d883f82e27fc119a249e668ced1e33dd66ba23ddd0ecef668e91d17654ba13dccb5f8b858f44171f4629ad4a91459b6c257eb20cfeb814e289518947d94f9827514aaad7036bc19cb0b73857b1d9ca3ef069d2d20eb5ada8505fcf404052d9889138cf51e137e70468f1 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76193,6 +76546,7 @@ EntropyPredictionResistanceA.14 = f80eee174bd5b1b8abdcbec30c62b3aa85ade4d9a43e2a - EntropyPredictionResistanceB.14 = a150d5528a5f79914074a783738af08eae5c95b49f407929 - Output.14 = 88ff82264427067d717027de8edc886c01c782379ccb937cd6434703d4f0ab13acb4142149372fffc793813733ebdc9058c85d900f4e442a2369c16057e4dec1a75f5c5858d2fd1d69a48227b293a953b24fe38adda48f080a9cc5666e299ce301d2f230ad5581fb05aa78a00dd35a9d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76303,6 +76657,7 @@ AdditionalInputB.14 = ee19a759562c231ecfc777c588087e790d5e170956b11c08 - EntropyPredictionResistanceB.14 = 4a004a5c4a0ec328a0ff26ac0aca82ce35ee9064add86094 - Output.14 = ae21ee878e4664c73f22e88ec4a646c0192b5c52a7bebb7b17a94a7c4630568b81da000983bf0d1a96e96432175a214ce7bc9332bb7e99f2a81e588ee4c1120c1eb22cc6b24a386ac5a11c4d63de4f20bfc8d9e4094613730f900ad7b54498954040a1fe7b53cd2a0989b3bf8946aa1e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76398,6 +76753,7 @@ EntropyPredictionResistanceA.14 = 4f0d9e7c269ab360dbdf47e9ea7d655c204dce80082451 - EntropyPredictionResistanceB.14 = 8290ade448d2d83445b96ac682366659b228f952faa1f9a3 - Output.14 = 
0d6bd0196ae2b3af4a750e4ea529b353979b30ab1bd05e96bf3c6f0c40b527ad07d90db5a1f392fef1d33bac5cc2a47cf4d9f20b8388a922d869f073e65ce6340cf30d45645a03a951dadbe81cffdcd145a32519658d0efe9f28175871b45cd6ca16e4efbd37802a1b88682819e5800a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76523,6 +76879,7 @@ AdditionalInputB.14 = 4e29e32346671af3b726d7030ccf470f72ca369687b489dc - EntropyPredictionResistanceB.14 = 21d5eebf3f54780f046fe2cffb2cc9b52eed850d1b44d675 - Output.14 = abc8ffaebfda52cf3a9bc037b965f9e97ba7aafbe1575efe8fa7182229d58a2d1282776225af0ea87dd79de7b210f654388c718f8dfe22aedbb4cfe92a964664904b960f2577f43f6c48783a8423788de7aa693ed859c8269e3c8b8b59eca1659c0473aae8b0a444d4aaff23991709cb - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76603,6 +76960,7 @@ EntropyPredictionResistanceA.14 = 02496883d50bc28e037a370890edab9be1a69e003e70a7 - EntropyPredictionResistanceB.14 = db072d2518f7b6b73292f7e167bec9cf5fcbeb265c316ae5 - Output.14 = cc01e951f15bdcfe94288a0de84ce187bad281683773f1b8341efecba656d62528ba91ca864c440b085be142dc565c1b7a326dfc9ac47a84623c2cff20b6c047d2f39e3db0b02fab4c1ac82e63bcc06b032c16f6e9ddd8c60f03f5b55cc40acb3b5e2de6ae3938f0e2fe21d72134346d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76713,6 +77071,7 @@ AdditionalInputB.14 = cad366cc562a45f74fda0bf6fd3eafc0f3dd59c666b33881 - EntropyPredictionResistanceB.14 = acbf8dcb97c61718c9cc8adeca8873e31b794086d7b84cc3 - Output.14 = a6ddaf00876c5bf50d7a2f5b986a770685f64ef54e2273c51ec1e594378fcd08f16316d1589f1c5948f524b3fd57d40b4ad732ae06f3bfb5359e6282105bc70fdddc9d1920c5092cabcf0c8ec14642d50be19de439ffafdedf3ec9e0672eb7754814eeea09430d65ba181525c616c31d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76808,6 +77167,7 @@ EntropyPredictionResistanceA.14 = d1c3175c4853102ed4b306eea013cc448d325938c52940 - 
EntropyPredictionResistanceB.14 = c0139e13d5d7c5bbf9c2394973d00487d49d4241ae7e90cc - Output.14 = df70ba5809a640b8fa1ab712d6ea7048f8609944d63bf4fa958556ae020d95a9011ddf0041a75b708a372a486e9ca8e0d2c361e4f75171710ab42d49ba3c0b6dfc4b3614b3577ddca5adbfb2d096acc4a72bdf1c6113cf6f0bfb5e8f1d69ef0a4a4edae75ccafd614ae1e718f60e3196 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76933,6 +77293,7 @@ AdditionalInputB.14 = a3c2f11654592e478c8ac1a1fce2224627ca37bd0efb44ab - EntropyPredictionResistanceB.14 = f986d7f33aad227e98d9087fe30c34f1c18b42f85d56b72c - Output.14 = b1fad8f7950787c949b41dbc5581069f0920058614c3ea7bf1edf3812027a4c989d8b029e08c4ee77c76c4457aaa3d89dc775c6c60bb125dfb969729fe669152a173256b4d2181e84bbc63bcad8ae645f4371682a39ae65d00f004e344ddff5374b257d8881f63d4ab960017258815c1 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77013,6 +77374,7 @@ EntropyPredictionResistanceA.14 = 42d19ff5c985c31c955a0aed5ed02581ffbf2a0ae62d78 - EntropyPredictionResistanceB.14 = 7f9af6a606c9b315c04faf5ce3c0412092edb19f9463784c - Output.14 = 219072e8b6d939f75ab90edc91ade50b8e40f2c1fae68aa5fb5bb297506ebc5f18d20492b55fd73ec118e6d74e4796c1dd28d50f903dca70960ba66b33b0a6c3d06e2ba79eada96b613324914b19224f0c710af7793722687f9d464093fc651a5d613b03c6d71bcad9bf2c74a4844718 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77123,6 +77485,7 @@ AdditionalInputB.14 = ecced4ace2d11cb2e02c253d81d15ecfaf555a51189d2051 - EntropyPredictionResistanceB.14 = cff57ef512d7da05e7ea7d197c797962099c64ad89f52a24 - Output.14 = 40f8480b22c24bde9c66f91761b1ecf25a6486024315b58028ddb8a88088f7deffc671a9465671c370f7877527e72c4259669890abc4efbdbb09550a84fa2f60a41d74c9d7960d5fa05e9f66ecd5ac344970aacc23ab1361d364eb697abfd6cd621773f4ea7ec2dc7795cc533abe664a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77218,6 +77581,7 @@ 
EntropyPredictionResistanceA.14 = 4de293b3ea5c26925d39d5376ed5fd43b9b775b80c6cac - EntropyPredictionResistanceB.14 = 4e7f27a772fb8de77031b24cc514c06086de59989856694c - Output.14 = c1ec91ec7585ffc05d765d0a9e30f62bcdc115426af9947eab68b6c9a88e6a11890704b623eb7acaec77bc6988da9246e10aa3eaf65380f3083bbecd4a41ccb09879ed9c46669a78102b7822b157d0d2a3bf09b452300ccac217db03b455382d8990e3bdd9a2a6461b19dfdfbad5910a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77343,6 +77707,7 @@ AdditionalInputB.14 = b87bf3d164ac955913ae4a780ac654d9a67c37c8df1f79c7 - EntropyPredictionResistanceB.14 = e2b5224119118410592ae0b238dfd75ad576b3eaa1848313 - Output.14 = cbf31760cbefcebf50289b9ad8e9443cde14fd6beee80c0bae83cdf77deb6e9c77ddcd0316667373b28b9431857e6e7cdccd8b6906927f66b362452325339a035b23baca8ce1697663e4879cc2084fceed28e9bbb2dbb91f868ba7626f6b7e5ea87eaa48ca50f9b76ac2c74b39bc9a86 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77423,6 +77788,7 @@ EntropyPredictionResistanceA.14 = d931a0cbda3985a34b0a2eac42e9bc5ead10520de4e7d1 - EntropyPredictionResistanceB.14 = 518e2480b742f9c30098a6d543d1669678084b3208b5375b - Output.14 = ef57d91db4d94aef743f1528e0c27b69654e3a854fb7479d25a8796b06c85884f328db9a09deb9be55cdeb9cca2a5a00ba56e28d2fa0057ef1ccb00b22a0a747bf15e7b303b990bf2fc3903f96cc55e69d8808c9da93231e5e859f7ec9edc9961dfc9b30b30ce0f43a3d65da93a82377 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77533,6 +77899,7 @@ AdditionalInputB.14 = 51f6a64ad57705cbae6b92cdeb622a0701f5500e6ad7eb0a - EntropyPredictionResistanceB.14 = d5f8c2ba94bd849bd1434ff9d0b72517a7e6d381f13387a0 - Output.14 = 15d882c8ec0a8ff1544813ba2a6cebe81281117628fc4e79371b7e84027d0d9322a76e42c733c73ba90c4b204bbe329a4ff344c3fd8204e0c220154ca9cd04c80457cebc33f9466c33358fe1c05d49bf83d174f8abf530b46b701c0ba24b081dda46ae38f58815a996fe878fa6884845 - -+Availablein = default - RAND = 
HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77628,6 +77995,7 @@ EntropyPredictionResistanceA.14 = 7ac8115615a29c535ce9b45d3e57d6f9ab0e6d4a021fe9 - EntropyPredictionResistanceB.14 = f6ab8840edeb3c20d7bddf7fdaa5c980c58bfd116551d1ae - Output.14 = a85a3ede0e85ce593be2a2a2c650d49a740e9b8f07c24348d2bd968c917d442ed8de8a0d8ec8ff09ff86e6f279159001382cdb92f4625d12365443881df226c9a3833ba051a92f29fb55b788ab4b2d01958b9c067b43bb86c4e547b24e609e0d86aa3b75ea8d73e2c90092a50bcc6ce9 + Title = HMAC DRBG Prediction Resistance Tests (from NIST test vectors) +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 1 -@@ -77753,6 +78121,7 @@ AdditionalInputB.14 = f0431c9d8925aaaf8f28d112773e5f5fed7feff633c9b056 - EntropyPredictionResistanceB.14 = 5e27635c34a1b793b2b1f23c9a72eb3e58c6ad63ac752dda - Output.14 = 20a84f074794921d7c1ba7463c4cd5f165ef6ff003555a69a71d529ea8177b3b4845898f031428b320b9dc59b16260d80baab34e7cc6daba5463cb496e4a6588ca5f3547412e63d36d560d9549f87a3ca346968f4dfdda3d0cf9b82384b3e830a8368c659c5aea26b03c4bbb8bbd3878 +@@ -68313,6 +68426,7 @@ EntropyPredictionResistanceA.14 = ae706e740dda50209b20acf90dfa8cec + EntropyPredictionResistanceB.14 = b4d4b4bc7cba4daa285ff88ce9e8d451 + Output.14 = 74acba48f0216087f18042ff14101707c27d281e5ddbc19c722bec3f77bf17ca31239382f4fc1d4dd0f44c296bc2f10f74864951f7da19a23e3e598ac43fb8bbdd1fca8047b98689ef1c05bc81102bb5 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -77833,6 +78202,7 @@ EntropyPredictionResistanceA.14 = 33fd3300d120786b2f756459b222b72728c1b2c53d09aa - EntropyPredictionResistanceB.14 = 96aa233b407f0cb14d6ecf2a243efcd7c1b7ed3fede97dfeb269cf8331189412 - Output.14 = 
6a34b428c4ff416d3ae907318928663ac8683ef6328d37b19bd2c179aeb7e56a73c6ed096ebfeb85a263f2c868fb4a2d977d5d41fe12b135b1c9017555b36a9f6775a43c42be37a78eb067f520f091ccd94b38c62fa7d48c494b05b072fee34ba262a4fe1a70c98fea2fae40513723a52d6ea44f5fa168f4c03ae2c73d793ef0 +@@ -68423,6 +68537,7 @@ AdditionalInputB.14 = ccdb3f7d7f6a4d169f5f2e24ec481fcb + EntropyPredictionResistanceB.14 = be4a2c87c875be0e1be01aadf2efeef6 + Output.14 = bfcc8f2ece23d22545ec2176aabd083855923ca9a673b54b66a3e2562212aad3cc74c4c8976de259cc95a2f09a85b7acd1f18c343eff0368a80e73a547efdcd954816b38df1c19556d714897e317d69f +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -77943,6 +78313,7 @@ AdditionalInputB.14 = 2563ad078ad8eda919ed40a81b634073064c22f2b21926bbd9cc1d7c2a - EntropyPredictionResistanceB.14 = 45ddc44189bbcd60713c40e811d6b2acdd1659c670f715703f5b80eb4152311f - Output.14 = c2554fc1931b72acd98e4949707802ab471c4f2eb62813f87f137e698cf89a13fa7366a97b49587d9a0c4d42a62eb0bce27e2ce0e67324739c49eb180216beb51fc82d45b7900fa1c2d3db3a0c781ef93ee57f6a186a61e0f0fd25a8d8d2d9170bd18714cfc1a6e7fb6dc992579cfb0306de5b67c01522b3ea3955d63a775cce +@@ -68518,6 +68633,7 @@ EntropyPredictionResistanceA.14 = f324c09f96434ceea7e756fc2f55a0b3 + EntropyPredictionResistanceB.14 = f043b6e11fc2f671ec00f4d478b791c6 + Output.14 = 40e87b822b1000441884a38b8776baa69fbea99962571e8a20d8af012d50c8c211860ad579869ec880320ea8057d5cb0de9496ec57d8b594ca8be5b94219eaa800af7205f8a83b66c87e0fee9aa9732f +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78038,6 +78409,7 @@ EntropyPredictionResistanceA.14 = e43ba5b540971c4f02f0212bbc0ba521f3e64a627c1d0a - EntropyPredictionResistanceB.14 = 3ca4a33a72e7aed850e64984c28407327d94e6858a65d42b16f985d010b783bd - Output.14 = 
2567b74d4d1eeceb6321817f5ada210954643e1212b766bf2eb84d2ce6231c58e346ed57824c409f3c73de40395608a7d3c52708f07ee7e721b7c42ccce5b0baae67364e1cffb7fb0e363eadf3415c99bdc7b730b8c66201da1f8a2290cbd6165912484def03a96b237b793b76b76043cf9fadcd5e66ea94e6110c4b2b025232 +@@ -68643,6 +68759,7 @@ AdditionalInputB.14 = 0d5a2183c9f9ca6941f6a617892f5e47 + EntropyPredictionResistanceB.14 = 998f9cde45b1dc22db6d2d7bfd4f3930 + Output.14 = 934fe82b0951b97dafc5ba16e87b0459691156b42ff2dbbbd8f6ed9b04be952af267c6a17fbfc86de91f9f07eed482a5362b176216a8963af485503ba93b2e82c03a3ee6225077d90cd961e24f6026f6 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78163,6 +78535,7 @@ AdditionalInputB.14 = 7978071c7a648cf7f02c9cdf544d6ff9dbe3c5636f73fe50deb7e89695 - EntropyPredictionResistanceB.14 = aaf9320ee7c103d51512232305aab44b946a73ddb13270f42903a37f84c9da01 - Output.14 = cf5ed4b6208a0db15373d472e240dee04a34e630000f9751cf8d3f15dd6a4fa3a4602ec539dbb1811978493f920e84b2e3ac78bcfd619b6c4e7e0072381a7bc150a91b31a0280dd843ca1c4332ba0757d6f6f0f2f830a623cb78011dec8c4d844f71427b09be4e9fdff4bc1cf3a72a773e06121cd8792232d387170a66ca384b +@@ -68723,6 +68840,7 @@ EntropyPredictionResistanceA.14 = 427b47ed008e489cfd06e1a6e0a9f07b + EntropyPredictionResistanceB.14 = e5ee8df96c0e929446502a4bbd23ab22 + Output.14 = a544ea7c3362570f48a42635f4b79f615d11a5d8a480d85ac71e4be90074fbd5e2d368d00755e95a262d79ed262003d3e2a26f82c37d091ae763a01fba08c87b3ec0ce817bbab8d1905f91f021b7d7d0 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78243,6 +78616,7 @@ EntropyPredictionResistanceA.14 = f124c88bad32cf4ff49ccc4271c7f4046f277c0b1fc73c - EntropyPredictionResistanceB.14 = c32b11359b7ed121c87b85716c2ce83aebdd46cd4c19168ad3930be351ea1ff9 - Output.14 = 
9f382e0382f2e6b3ba85ace2cec7301ea6f7d0d3b0895937033df9f710471e468b8162492d18ab45ca809e8aa2f37c15ec599d4b2774947b90c269bc2f8553e639f21e1c371f7a49edb4cb4e51bd1e9fd7d66e3b313ce227373dd2548870378206b4b5fd0d22c48ce03a72003be53ec378d9eab25bc432c7a8bd0eed89adf941 +@@ -68833,6 +68951,7 @@ AdditionalInputB.14 = 3e95f86a7168410eac0c84995c187fd9 + EntropyPredictionResistanceB.14 = fd15dfdd8cfeeb7ce0c76f759dfd47df + Output.14 = 480d9cbbfa6c923866179318b293c52c9ad86c2ee27faa745873a77d0242afe669d1773fd9c17284097ee8e644aa054deefbb9c73732ba6b5004623df15edeb49ef2e1bc8dbe023f7104ea1395d9fd38 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78353,6 +78727,7 @@ AdditionalInputB.14 = df48314d76c0d698923dabd3d23024ac2aa5fd236ad3c6e3b4cf2244a8 - EntropyPredictionResistanceB.14 = 3387fb65c8c1dd5e3d4f64bebb45da1a7e288a22e16f2fbb882dc2f9534717e5 - Output.14 = 31998e0784579bc7aaf5130b747eb295a089a12c1844406aa18c06f19607a2e497adf5352e10c145b3cd2a2532389f771af3028042605f0abe705f8540561c4e376d405c6f2dc23b3d3fe0c14790beea99705e69fac2518154613680012c5a140d45fba7e381f55c61ec7f3850dc586bb1f3cf928685a9d60e06fd93eb1fd8cb +@@ -68928,6 +69047,7 @@ EntropyPredictionResistanceA.14 = 845decbe6e03e423b3660bfe7db383bf + EntropyPredictionResistanceB.14 = f4ee7409c076201255bc78ec82ca5530 + Output.14 = ac57a08b77c528b834df2757069b6330f05a9196fbbb17300f9c31ef596f551ecc56fa3256c0ab1534df4955f2da1e8d98026b7c5e07290faa5131a95d0fa35a56b075752656ab61a74f889fbb735c58 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78448,6 +78823,7 @@ EntropyPredictionResistanceA.14 = bf2e966737aaa8abbccaa45ac5371db4c4dd0bf2b3c9f1 - EntropyPredictionResistanceB.14 = f316f2613b068f607c2fb5218e037c5ab1d80b7d75fda419a7e0caedcfd7ce1a - Output.14 = 
36e385da783dd146364fead3dc2dc71bdaa6d30c6ab5f94e007b1ced51b2f45947c57652e305204a0cad2ba7b43056461aed10132d89aea8f9ec7ccf0e7487aa2d97fc40f65b399df732b03f8e6834903c60e2e5d6f5ab1b3a034b3eaaa73936770324ea02bd2830e6b26e00d7b49022ce0454afcecbfb912511cd13090d9693 +@@ -69053,6 +69173,7 @@ AdditionalInputB.14 = 063e444dc2990f59e04839fd5e9eaeb6 + EntropyPredictionResistanceB.14 = e059229538a827fe9b7e5caa44fb1e3d + Output.14 = 62efebd7730c6999fd052b98e2bf26eebc96b617a03fe2f1aa7ea3be1aea833f705a3ef3776adc7578f5bb6955a60853ef267fbc18aa3d57b8e0d9134c81e8ffadd0c66d385e5d535d74a615fa896757 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78573,6 +78949,7 @@ AdditionalInputB.14 = b395f988467a2a5f4f3ddef792f16f2461886caf9d6f12c4d643d20775 - EntropyPredictionResistanceB.14 = 22f2693142e42848bf4c00f65337ec2405cd22bc06c6d035a5acec0a5b7d5d9a - Output.14 = 3edeba227da675e1b9e684317e54c4537691f9a412102a21e32e699ff0c6e95655d3342e94daf37dd08114d16b45328795e24d7381195711792226769975167ccdd10df89410e485c880865676a081ce6a61641fc805d6d06cb4aebbc731de0a7df69ed1107da07821d64e9f8bc124f094bb799fe50a001914a47221a45ca2c9 +@@ -69133,6 +69254,7 @@ EntropyPredictionResistanceA.14 = 74b72e7e1c5f16bf0389dafed9a86ae4 + EntropyPredictionResistanceB.14 = adef9418a342b4717e93df6450429a38 + Output.14 = eae51f34bfaa2970f41c3211ec228cfccc1d3c0fcc077d1d9ba159b3bac8685bc5783f61c67fdd4beca05dd4f14afcfc4d554ae75f73842637671102c3b81cabc9a0638cecad5a6615171be5265d5454 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78653,6 +79030,7 @@ EntropyPredictionResistanceA.14 = dac0795c36fd9cb6eff0cd7137190d573dde7148fc19c2 - EntropyPredictionResistanceB.14 = 1a29a4fb16a73c2c187c6d1b5a1a1394b63b6878abcfffeb94aab5dcd593037b - Output.14 = 
835efa36b1ff38ed845f3c2e8f5ec0f89a60f7def6d36f8577192625fb89cb634be535a791e28b1c27320e40f594b1705e712e43856a1a5aba0e98b987fd1b5e6ca78458c98b3f8de449f4f23d0dbfe374e8241a2f12b6cdaeaa896b9953c32d756fc2b70e1edcde45aaab0df6e816fe0d04b2cec88ea159dadbae9b1eed3125 +@@ -69243,6 +69365,7 @@ AdditionalInputB.14 = 696d9380b814b456ca59ed58ea765400 + EntropyPredictionResistanceB.14 = d57fb196a634da13ba8695098ed79f9c + Output.14 = 069848aef419759b75896cd507a109f685228b5639470afeac0caa853f1c3dbe373f99db76bf06fe8bac356bedf6bf18787043970fb0a185c8a0a4d8482aa3059eeba0d244fc03c9b72857dc5188d44b +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78763,6 +79141,7 @@ AdditionalInputB.14 = a908058d07b69a7e7f53869d81128e47303fffa4f0400b3bee7acc4e45 - EntropyPredictionResistanceB.14 = 040c9859c26e54e9d5f92485888bb67acc5092ce679e6a54730ffebaa0fac226 - Output.14 = 3caf4baa5fab5bed4d50b0b4ace9c2ec8c21a1e952d81ebcf23a6cfbd177f53168a876f7e5b7d2c63cd7bba4a1b61b3ef59e1cf87b353ff64c7f798fb0c5d6e375fc1e8653f8d22be965abcc87f178e4023d1ef85baa278faa1eb205e4c05219222f543c5b9ac6a86b00071e34a7b2b9c6983f8ab6f187295f5095b801466a76 +@@ -69338,6 +69461,7 @@ EntropyPredictionResistanceA.14 = 015ef1f359f60a391b3720d578731070 + EntropyPredictionResistanceB.14 = 963736987090fe71e69b4a2480d9b314 + Output.14 = c75a102bea830a8a58d9a9a43cb03b21aea75d8d2a08c37aaae9180a5e1c78e5700b20a5fe1c7ef0a7e3d2adcf539c4c1357946a328a057e719b97d802b586910f804c166d4884d8bbb3bbc03074c53a +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78858,6 +79237,7 @@ EntropyPredictionResistanceA.14 = c689be45ecddc94daaf823c6ddd6491b028ace5c25c407 - EntropyPredictionResistanceB.14 = 2f81e665f02331531ca37635b8664ba5641b8a200031677aba00253f8f1fe035 - Output.14 = 
9bfdeef565b0979be0f88e3b9e283433bd1fa2333662445302aa84332aa601a61a5b3d449eb5fe33db385254571eedff49b8d2f49ade41c12133263d447e7edf49998f5c05582504775f5b18bc7a0c075c6bfa4596178d95a019402937712afe69f3ad534fd44259312c63f1970b3d8bd404e758c9e884b19330350020896b37 +@@ -69463,6 +69587,7 @@ AdditionalInputB.14 = e0b7ad60c542e6c2b324652fd2d7cdc6 + EntropyPredictionResistanceB.14 = dc7ea852c3e5467977c7946e77223567 + Output.14 = 0e2e5f47ca8ce1c7fdae1b49d6bc8594da1458eb8dfb35e0602d3812df7532cf6213eba8e75302444529565c40d23d0a336c4cadde37f0def2c3d412984360b65c668ef43263fada16b28860f6ee6ceb +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78983,6 +79363,7 @@ AdditionalInputB.14 = a63bd3ef8cfeca1e2552bc111786a992526802e51cd30f0e9e7b7a398a - EntropyPredictionResistanceB.14 = defd0a8320a31b94998e74e0e5e40422e80735b281b9901e9fd1c8ecc50ff2b3 - Output.14 = ffc830d5029f42c1c9aa10d6d90d94abf3bc39269bf4fc4a4ed14435a985cb14da64d79ad4d8951e582b0b793836ef3380dff4d063682a4e8ac8796ca74e74d3933e5111bb92d219b72b28f4198b23446e422aaa7f33ade182801506aec4293fd69c3fc86cf39297867d16b98738740f1b7465043e0eaf7480d1c328ce2b4cfc +@@ -69543,6 +69668,7 @@ EntropyPredictionResistanceA.14 = 4912a46c447c2de26dbbaec01817d2a6 + EntropyPredictionResistanceB.14 = c182dc35363cd7e04394c28030e6d6b9 + Output.14 = 976daafdf1dd5163e88a928d91933678cda9c8ef9a8251070ee8a6b42efda3c00a73303d0426da4a4af7c587174dce9936bfbb68a73979afee9f3a5b4fb4da2eb2b2f2f1c0948b63b45bf583412b2890 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -79063,6 +79444,7 @@ EntropyPredictionResistanceA.14 = 29fa15be2259b4b164b3d232809cd7eeb3c5c24aec81c7 - EntropyPredictionResistanceB.14 = babf7813c6a24d4e68e09025a0d3b0242e9a98779ecdcaa64baf1ef82e8d4a77 - Output.14 = 
e6528c03849f1535b6f443e30817d3deccc7ea4699fc88ec9d6f3e28e72cc4b199afa5db7ba2da1ffd1a1ce7aa1a15be4892d0d98e27332f6d45ed63a2636073d12b8a99089ac5b55c93aecdb5e584e32ec75e44390016421822158d3596daaca561245bf1b8740d1f3c885be5149505f9591b0679f9b88df45741b767f423ec +@@ -69653,6 +69779,7 @@ AdditionalInputB.14 = 8022a4985c745515682102a25b379301 + EntropyPredictionResistanceB.14 = 8cc2d8a789d343547ee48869f57ae225 + Output.14 = 5707c544445358767b1c4d6c319b6a8d9be38afbf945dd4e869e9136d63c9d74aa872139e8bdd374510ebcf8c36c39e45ff31596fa58721c2a089dea7b418b3f7a00d78c6ba531adbb59ae2ab44bb683 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -79173,6 +79555,7 @@ AdditionalInputB.14 = 711bf57411337724960392a9319e580c226abff909e28d4696fcf5f0e7 - EntropyPredictionResistanceB.14 = 9fac27583fbf9335c2a8d7f1edfb99b18ee5f8e58e537749fb674bcb46ef537a - Output.14 = ab08f911c4c87135c3f9de33cda823f91a1a8cdfd10f59b81f77dd2158890634f7c5373bc40e158a7881f62a18b0b553d3f075fb96112a04e39ad6918fb2f139ae6fe11856e6a0f17a2e1c0cf88ac49563c08ba5c9c48ad6a7a99825148132ccf3a9a46b92597d0a971f33e43c5a3746c0d8564e19d1681173f24e22fa54521a +@@ -69748,6 +69875,7 @@ EntropyPredictionResistanceA.14 = 701b8e70583effd1c4e901c50966127e + EntropyPredictionResistanceB.14 = 40e9ad701b63ee7bd6132d7f056a1f09 + Output.14 = a76b3e058ed1a8ca5860b15abe08a607894207d3d3be5bf6c3dc99c01523c85bf18927bc6d3f66cfef63a238aaef1ee87998100faabeef0d2518f3ccc0423d776a440ec9a87c5601fdf45c309c264dcd +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -79268,6 +79651,7 @@ EntropyPredictionResistanceA.14 = ed3bd1e78d7f3cadcf45170dcbb605913140f68bdf4e36 - EntropyPredictionResistanceB.14 = 214b7501096bf1d7605e9082a9238334ca15522cf2eed77bce6dd3872106dab3 - Output.14 = 
bdd8721d12e9cafb73070a13d70db1020e95cac5f93037716ae10045007f5ecb8ea90c529e9aa8b0f312a2f81a5086713509e7909bd7081d0c25a33971904e3b90b486c71e185c752311dfa309b53c8cccd9cde63868bced00af0113eeaa77395c717792373ea708973a2f084dfa050cfdd0e73a8c51cc25651cdf8b6b8b3a02 +@@ -76340,6 +76468,7 @@ EntropyPredictionResistanceA.14 = a918ec35414b0bf1d9ba3b80ef838e75b9504fb6b77e40 + EntropyPredictionResistanceB.14 = c25de5d8b1f17acb7303c4a652ea1bcf284bfdc08a12c40ece16e3125fc8757e + Output.14 = a3072880e72e76ec1e467d7c4f4ab8013eca926c96f075a0a25f5550931f4d6b3aff2057ae6fc1382d579e8963ee24459d76d7414d250aaf5b302a539775862e26596176de2891589defa7aa66f763126c7fb7ced0fa80f3f5e1f0d15295e6025fad617e554838876c8c8efb4bef1e1227a1c967afe99540c1992328a70798167eaea5a768f1f4395178dc914cde01b8e6b98266a66c5c079e19e5d3b6599c6dec24e8e155b310164299d1b4d31ab2e0c3b917b0cb627a4cc19c86061c74c849aab764feacd33de7472b7c4e1403cb38f8f1c3062e75966b2e2c0b2d7d966271f3d180440aa2ed2194bbf7d8b9415a5c5bb7f3df7cf2d02740cd4366ee3781a9 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 1 -- 2.38.1 diff --git a/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch b/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch index 81a6544..b61bcb8 100644 --- a/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch +++ b/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch @@ -16,7 +16,6 @@ parameter. Signed-off-by: Clemens Lang --- include/crypto/evp.h | 7 +++++++ - include/openssl/core_names.h | 1 + include/openssl/evp.h | 3 +++ providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++ 4 files changed, 28 insertions(+) 
@@ -39,18 +38,6 @@ index 76fb990de4..1e2240516e 100644 struct evp_mac_st { OSSL_PROVIDER *prov; int name_id; -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index c019afbbb0..94fab83193 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -173,6 +173,7 @@ extern "C" { - #define OSSL_MAC_PARAM_SIZE "size" /* size_t */ - #define OSSL_MAC_PARAM_BLOCK_SIZE "block-size" /* size_t */ - #define OSSL_MAC_PARAM_TLS_DATA_SIZE "tls-data-size" /* size_t */ -+#define OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" - - /* Known MAC names */ - #define OSSL_MAC_NAME_BLAKE2BMAC "BLAKE2BMAC" diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 49e8e1df78..a5e78efd6e 100644 --- a/include/openssl/evp.h @@ -75,9 +62,9 @@ index 52ebb08b8f..cf5c3ecbe7 100644 +#include "crypto/evp.h" + + #include "internal/ssl3_cbc.h" + #include "prov/implementations.h" - #include "prov/provider_ctx.h" - #include "prov/provider_util.h" @@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl, static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), 
@@ -107,6 +94,30 @@ index 52ebb08b8f..cf5c3ecbe7 100644 return 1; } +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index 6618122417..8b2d430f17 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -137,12 +137,13 @@ my %params = ( + # If "engine",or "properties",are specified, they should always be paired + # with "cipher",or "digest". + +- 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string +- 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string +- 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string +- 'MAC_PARAM_SIZE' => "size", # size_t +- 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t +- 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t ++ 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string ++ 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string ++ 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string ++ 'MAC_PARAM_SIZE' => "size", # size_t ++ 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t ++ 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t ++ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t + + # KDF / PRF parameters + 'KDF_PARAM_SECRET' => "secret", # octet string -- 2.38.1 diff --git a/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch b/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch index 181fedd..3eb6755 100644 --- a/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch +++ b/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch @@ -52,7 +52,7 @@ index 2a0ae63acc..aa0adce5e6 100644 +#define KDF_PBKDF2_MIN_PASSWORD_LEN (8) static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new; - static OSSL_FUNC_kdf_freectx_fn kdf_pbkdf2_free; + static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup; @@ -186,9 +201,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[]) ctx->lower_bound_checks = pkcs5 == 0; } 
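Review bot: The `util/perl/OpenSSL/paramnames.pm` hunk added to 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch re-indents six untouched upstream `MAC_PARAM_*` entries only to align them with the longer new key, so this carried patch is likely to conflict whenever upstream edits any of those lines. Adding just `'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator",` without realigning its neighbours would keep the downstream delta to one line; the same applies to the `SIGNATURE_PARAM_*` block rewritten in 0088-signature-Add-indicator-for-PSS-salt-length.patch. The trailing `# size_t` on the new MAC entry looks copied from the rows above, and the type the provider registers for this indicator is not visible in this hunk, so confirm it and correct the comment if it differs. The header diffstat of 0083 also still reads `4 files changed, 28 insertions(+)` although the `core_names.h` row was dropped and `paramnames.pm` is not listed. The `%params` hash begins and ends outside the hunk.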
diff --git a/0088-signature-Add-indicator-for-PSS-salt-length.patch b/0088-signature-Add-indicator-for-PSS-salt-length.patch index 20024d3..edfd0b8 100644 --- a/0088-signature-Add-indicator-for-PSS-salt-length.patch +++ b/0088-signature-Add-indicator-for-PSS-salt-length.patch @@ -40,23 +40,11 @@ Dmitry Belyavskiy Signed-off-by: Clemens Lang --- - include/openssl/core_names.h | 1 + include/openssl/evp.h | 4 ++++ - providers/implementations/signature/rsa_sig.c | 18 ++++++++++++++++++ - 3 files changed, 23 insertions(+) + providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++ + util/perl/OpenSSL/paramnames.pm | 23 ++++++++++--------- + 3 files changed, 37 insertions(+), 11 deletions(-) -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 94fab83193..69c59f0b46 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -453,6 +453,7 @@ extern "C" { - #define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES \ - OSSL_PKEY_PARAM_MGF1_PROPERTIES - #define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE -+#define OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" - - /* Asym cipher parameters */ - #define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST diff --git a/include/openssl/evp.h b/include/openssl/evp.h index a5e78efd6e..f239200465 100644 --- a/include/openssl/evp.h 
@@ -111,6 +99,40 @@ index 49e7f9158a..0c45008a00 100644 OSSL_PARAM_END }; +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index 8b2d430f17..a109e44521 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -377,17 +377,18 @@ my %params = ( + 'EXCHANGE_PARAM_KDF_UKM' => "kdf-ukm", + + # Signature parameters +- 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id", +- 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE', +- 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', +- 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES', +- 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen", +- 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST', +- 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES', +- 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE', +- 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type", +- 'SIGNATURE_PARAM_INSTANCE' => "instance", +- 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string", ++ 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id", ++ 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE', ++ 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', ++ 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES', ++ 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen", ++ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST', ++ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES', ++ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE', ++ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", ++ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type", ++ 'SIGNATURE_PARAM_INSTANCE' => "instance", ++ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string", + + # Asym cipher parameters + 'ASYM_CIPHER_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', -- 2.38.1 diff --git a/0089-PSS-salt-length-from-provider.patch b/0089-PSS-salt-length-from-provider.patch deleted file mode 100644 index 8e61747..0000000 --- a/0089-PSS-salt-length-from-provider.patch +++ /dev/null 
@@ -1,114 +0,0 @@ -From 0879fac692cb1bff0ec4c196cb364d970ad3ecec Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Mon, 21 Nov 2022 14:33:57 +0100 -Subject: [PATCH 2/3] Obtain PSS salt length from provider - -Rather than computing the PSS salt length again in core using -ossl_rsa_ctx_to_pss_string, which calls rsa_ctx_to_pss and computes the -salt length, obtain it from the provider using the -OSSL_SIGNATURE_PARAM_ALGORITHM_ID param to handle the case where the -interpretation of the magic constants in the provider differs from that -of OpenSSL core. - -Signed-off-by: Clemens Lang ---- - crypto/cms/cms_rsa.c | 19 +++++++++++++++---- - crypto/rsa/rsa_ameth.c | 34 +++++++++++++++++++++------------- - 2 files changed, 36 insertions(+), 17 deletions(-) - -diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c -index 20ed816918..997567fdbf 100644 ---- a/crypto/cms/cms_rsa.c -+++ b/crypto/cms/cms_rsa.c -@@ -10,6 +10,7 @@ - #include - #include - #include -+#include - #include "crypto/asn1.h" - #include "crypto/rsa.h" - #include "cms_local.h" -@@ -191,7 +192,10 @@ static int rsa_cms_sign(CMS_SignerInfo *si) - int pad_mode = RSA_PKCS1_PADDING; - X509_ALGOR *alg; - EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si); -- ASN1_STRING *os = NULL; -+ unsigned char aid[128]; -+ const unsigned char *pp = aid; -+ size_t aid_len = 0; -+ OSSL_PARAM params[2]; - - CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); - if (pkctx != NULL) { -@@ -205,10 +209,17 @@ static int rsa_cms_sign(CMS_SignerInfo *si) - /* We don't support it */ - if (pad_mode != RSA_PKCS1_PSS_PADDING) - return 0; -- os = ossl_rsa_ctx_to_pss_string(pkctx); -- if (os == NULL) -+ -+ params[0] = OSSL_PARAM_construct_octet_string( -+ OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid)); -+ params[1] = OSSL_PARAM_construct_end(); -+ -+ if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0) -+ return 0; -+ if ((aid_len = params[0].return_size) == 0) -+ return 0; -+ if (d2i_X509_ALGOR(&alg, &pp, aid_len) == NULL) - 
return 0; -- X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os); - return 1; - } - -diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c -index c15554505b..61ec53d424 100644 ---- a/crypto/rsa/rsa_ameth.c -+++ b/crypto/rsa/rsa_ameth.c -@@ -637,22 +637,30 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn, - if (pad_mode == RSA_PKCS1_PADDING) - return 2; - if (pad_mode == RSA_PKCS1_PSS_PADDING) { -- ASN1_STRING *os1 = NULL; -- os1 = ossl_rsa_ctx_to_pss_string(pkctx); -- if (!os1) -+ unsigned char aid[128]; -+ size_t aid_len = 0; -+ OSSL_PARAM params[2]; -+ -+ params[0] = OSSL_PARAM_construct_octet_string( -+ OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid)); -+ params[1] = OSSL_PARAM_construct_end(); -+ -+ if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0) - return 0; -- /* Duplicate parameters if we have to */ -- if (alg2) { -- ASN1_STRING *os2 = ASN1_STRING_dup(os1); -- if (!os2) { -- ASN1_STRING_free(os1); -+ if ((aid_len = params[0].return_size) == 0) -+ return 0; -+ -+ if (alg1 != NULL) { -+ const unsigned char *pp = aid; -+ if (d2i_X509_ALGOR(&alg1, &pp, aid_len) == NULL) -+ return 0; -+ } -+ if (alg2 != NULL) { -+ const unsigned char *pp = aid; -+ if (d2i_X509_ALGOR(&alg2, &pp, aid_len) == NULL) - return 0; -- } -- X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS), -- V_ASN1_SEQUENCE, os2); - } -- X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS), -- V_ASN1_SEQUENCE, os1); -+ - return 3; - } - return 2; --- -2.38.1 - diff --git a/0090-signature-Clamp-PSS-salt-len-to-MD-len.patch b/0090-signature-Clamp-PSS-salt-len-to-MD-len.patch deleted file mode 100644 index efe7751..0000000 --- a/0090-signature-Clamp-PSS-salt-len-to-MD-len.patch +++ /dev/null 
@@ -1,338 +0,0 @@
-From 9cc914ff3e1fda124bdc76d72ebc9349ec19f8ae Mon Sep 17 00:00:00 2001
-From: Clemens Lang
-Date: Fri, 18 Nov 2022 12:35:33 +0100
-Subject: [PATCH 3/3] signature: Clamp PSS salt len to MD len
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
-5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
-salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
-the hash function output block (in bytes)."
-
-Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the
-default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will
-not use more than the digest legth when signing, so that FIPS 186-4 is
-not violated. This value has two advantages when compared with
-RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when
-verifying signatures for maximum compatibility, where
-RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will
-work for combinations where the maximum salt length is smaller than the
-digest size, which typically happens with large digest sizes (e.g.,
-SHA-512) and small RSA keys.
-
-Signed-off-by: Clemens Lang
----
- crypto/rsa/rsa_ameth.c | 18 ++++++++-
- crypto/rsa/rsa_pss.c | 26 ++++++++++--
- doc/man3/EVP_PKEY_CTX_ctrl.pod | 11 ++++-
- doc/man7/EVP_SIGNATURE-RSA.pod | 5 +++
- include/openssl/core_names.h | 1 +
- include/openssl/rsa.h | 3 ++
- providers/implementations/signature/rsa_sig.c | 40 ++++++++++++++-----
- test/recipes/25-test_req.t | 2 +-
- 8 files changed, 87 insertions(+), 19 deletions(-)
-
-diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
-index 61ec53d424..e69a98d116 100644
---- a/crypto/rsa/rsa_ameth.c
-+++ b/crypto/rsa/rsa_ameth.c
-@@ -450,6 +450,7 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
- const EVP_MD *sigmd, *mgf1md;
- EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx);
- int saltlen;
-+ int saltlenMax = -1;
-
- if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0)
- return NULL;
-@@ -457,14 +458,27 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx)
- return NULL;
- if (EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen) <= 0)
- return NULL;
-- if (saltlen == -1) {
-+ if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
- saltlen = EVP_MD_get_size(sigmd);
-- } else if (saltlen == -2 || saltlen == -3) {
-+ } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
-+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm",
-+ * subsection 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in
-+ * bytes) of the salt (sLen) shall satisfy 0 <= sLen <= hLen, where
-+ * hLen is the length of the hash function output block (in bytes)."
-+ *
-+ * Provide a way to use at most the digest length, so that the default
-+ * does not violate FIPS 186-4. */
-+ saltlen = RSA_PSS_SALTLEN_MAX;
-+ saltlenMax = EVP_MD_get_size(sigmd);
-+ }
-+ if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
- saltlen = EVP_PKEY_get_size(pk) - EVP_MD_get_size(sigmd) - 2;
- if ((EVP_PKEY_get_bits(pk) & 0x7) == 1)
- saltlen--;
- if (saltlen < 0)
- return NULL;
-+ if (saltlenMax >= 0 && saltlen > saltlenMax)
-+ saltlen = saltlenMax;
- }
-
- return ossl_rsa_pss_params_create(sigmd, mgf1md, saltlen);
-diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c
-index 33874bfef8..430c36eb2a 100644
---- a/crypto/rsa/rsa_pss.c
-+++ b/crypto/rsa/rsa_pss.c
-@@ -61,11 +61,12 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
- * -1 sLen == hLen
- * -2 salt length is autorecovered from signature
- * -3 salt length is maximized
-+ * -4 salt length is autorecovered from signature
- * -N reserved
- */
- if (sLen == RSA_PSS_SALTLEN_DIGEST) {
- sLen = hLen;
-- } else if (sLen < RSA_PSS_SALTLEN_MAX) {
-+ } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
- ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
-@@ -112,7 +113,9 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash,
- ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED);
- goto err;
- }
-- if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) {
-+ if (sLen != RSA_PSS_SALTLEN_AUTO
-+ && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX
-+ && (maskedDBLen - i) != sLen) {
- ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED,
- "expected: %d retrieved: %d", sLen,
- maskedDBLen - i);
-@@ -160,6 +163,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
- int hLen, maskedDBLen, MSBits, emLen;
- unsigned char *H, *salt = NULL, *p;
- EVP_MD_CTX *ctx = NULL;
-+ int sLenMax = -1;
-
- if (mgf1Hash == NULL)
- mgf1Hash = Hash;
-@@ -172,13 +176,25 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
- * -1 sLen == hLen
- * -2 salt length is maximized
- * -3 same as above (on signing)
-+ * -4 salt length is min(hLen, maximum salt length)
- * -N reserved
- */
-+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
-+ * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
-+ * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
-+ * the hash function output block (in bytes)."
-+ *
-+ * Provide a way to use at most the digest length, so that the default does
-+ * not violate FIPS 186-4. */
- if (sLen == RSA_PSS_SALTLEN_DIGEST) {
- sLen = hLen;
-- } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) {
-+ } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN
-+ || sLen == RSA_PSS_SALTLEN_AUTO) {
- sLen = RSA_PSS_SALTLEN_MAX;
-- } else if (sLen < RSA_PSS_SALTLEN_MAX) {
-+ } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
-+ sLen = RSA_PSS_SALTLEN_MAX;
-+ sLenMax = hLen;
-+ } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
- ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED);
- goto err;
- }
-@@ -195,6 +211,8 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM,
- }
- if (sLen == RSA_PSS_SALTLEN_MAX) {
- sLen = emLen - hLen - 2;
-+ if (sLenMax >= 0 && sLen > sLenMax)
-+ sLen = sLenMax;
- } else if (sLen > emLen - hLen - 2) {
- ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE);
- goto err;
-diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod
-index 3075eaafd6..9b96f42dbc 100644
---- a/doc/man3/EVP_PKEY_CTX_ctrl.pod
-+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod
-@@ -270,8 +270,8 @@ EVP_PKEY_CTX_get_rsa_padding() gets the RSA padding mode for I.
-
- EVP_PKEY_CTX_set_rsa_pss_saltlen() sets the RSA PSS salt length to I.
- As its name implies it is only supported for PSS padding. If this function is
--not called then the maximum salt length is used when signing and auto detection
--when verifying. Three special values are supported:
-+not called then the salt length is maximized up to the digest length when
-+signing and auto detection when verifying. Four special values are supported:
-
- =over 4
-
-@@ -289,6 +289,13 @@ causes the salt length to be automatically determined based on the
- B block structure when verifying. When signing, it has the same
- meaning as B.
-
-+=item B
-+
-+causes the salt length to be automatically determined based on the B block
-+structure when verifying, like B. When signing, the salt
-+length is maximized up to a maximum of the digest length to comply with FIPS
-+186-4 section 5.5.
-+
- =back
-
- EVP_PKEY_CTX_get_rsa_pss_saltlen() gets the RSA PSS salt length for I.
-diff --git a/doc/man7/EVP_SIGNATURE-RSA.pod b/doc/man7/EVP_SIGNATURE-RSA.pod
-index 1ce32cc443..13d053e262 100644
---- a/doc/man7/EVP_SIGNATURE-RSA.pod
-+++ b/doc/man7/EVP_SIGNATURE-RSA.pod
-@@ -68,6 +68,11 @@ Use the maximum salt length.
-
- Auto detect the salt length.
-
-+=item "auto-digestmax" (B)
-+
-+Auto detect the salt length when verifying. Maximize the salt length up to the
-+digest size when signing to comply with FIPS 186-4 section 5.5.
-+
- =back
-
- =back
-diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h
-index 69c59f0b46..5779f41427 100644
---- a/include/openssl/core_names.h
-+++ b/include/openssl/core_names.h
-@@ -399,6 +399,7 @@ extern "C" {
- #define OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST "digest"
- #define OSSL_PKEY_RSA_PSS_SALT_LEN_MAX "max"
- #define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO "auto"
-+#define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax"
-
- /* Key generation parameters */
- #define OSSL_PKEY_PARAM_RSA_BITS OSSL_PKEY_PARAM_BITS
-diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h
-index a55c9727c6..daf55bc6d4 100644
---- a/include/openssl/rsa.h
-+++ b/include/openssl/rsa.h
-@@ -137,6 +137,9 @@ int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp);
- # define RSA_PSS_SALTLEN_AUTO -2
- /* Set salt length to maximum possible */
- # define RSA_PSS_SALTLEN_MAX -3
-+/* Auto-detect on verify, set salt length to min(maximum possible, digest
-+ * length) on sign */
-+# define RSA_PSS_SALTLEN_AUTO_DIGEST_MAX -4
- /* Old compatible max salt length for sign only */
- # define RSA_PSS_SALTLEN_MAX_SIGN -2
-
-diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c
-index 0c45008a00..1a787d77db 100644
---- a/providers/implementations/signature/rsa_sig.c
-+++ b/providers/implementations/signature/rsa_sig.c
-@@ -191,8 +191,8 @@ static void *rsa_newctx(void *provctx, const char *propq)
- prsactx->libctx = PROV_LIBCTX_OF(provctx);
- prsactx->flag_allow_md = 1;
- prsactx->propq = propq_copy;
-- /* Maximum for sign, auto for verify */
-- prsactx->saltlen = RSA_PSS_SALTLEN_AUTO;
-+ /* Maximum up to digest length for sign, auto for verify */
-+ prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
- prsactx->min_saltlen = -1;
- return prsactx;
- }
-@@ -200,13 +200,27 @@ static void *rsa_newctx(void *provctx, const char *propq)
- static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx)
- {
- int saltlen = ctx->saltlen;
--
-+ int saltlenMax = -1;
-+
-+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection
-+ * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the
-+ * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of
-+ * the hash function output block (in bytes)."
-+ *
-+ * Provide a way to use at most the digest length, so that the default does
-+ * not violate FIPS 186-4. */
- if (saltlen == RSA_PSS_SALTLEN_DIGEST) {
- saltlen = EVP_MD_get_size(ctx->md);
-- } else if (saltlen == RSA_PSS_SALTLEN_AUTO || saltlen == RSA_PSS_SALTLEN_MAX) {
-+ } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
-+ saltlen = RSA_PSS_SALTLEN_MAX;
-+ saltlenMax = EVP_MD_get_size(ctx->md);
-+ }
-+ if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) {
- saltlen = RSA_size(ctx->rsa) - EVP_MD_get_size(ctx->md) - 2;
- if ((RSA_bits(ctx->rsa) & 0x7) == 1)
- saltlen--;
-+ if (saltlenMax >= 0 && saltlen > saltlenMax)
-+ saltlen = saltlenMax;
- }
- if (saltlen < 0) {
- ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR);
-@@ -411,8 +425,8 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa,
-
- prsactx->operation = operation;
-
-- /* Maximum for sign, auto for verify */
-- prsactx->saltlen = RSA_PSS_SALTLEN_AUTO;
-+ /* Maximize up to digest length for sign, auto for verify */
-+ prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
- prsactx->min_saltlen = -1;
-
- switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
-@@ -1110,6 +1124,9 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
- case RSA_PSS_SALTLEN_AUTO:
- value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO;
- break;
-+ case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
-+ value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX;
-+ break;
- default:
- {
- int len = BIO_snprintf(p->data, p->data_size, "%d",
-@@ -1297,6 +1314,8 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
- saltlen = RSA_PSS_SALTLEN_MAX;
- else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0)
- saltlen = RSA_PSS_SALTLEN_AUTO;
-+ else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0)
-+ saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX;
- else
- saltlen = atoi(p->data);
- break;
-@@ -1305,11 +1324,11 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
- }
-
- /*
-- * RSA_PSS_SALTLEN_MAX seems curiously named in this check.
-- * Contrary to what it's name suggests, it's the currently
-- * lowest saltlen number possible.
-+ * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check.
-+ * Contrary to what it's name suggests, it's the currently lowest
-+ * saltlen number possible.
- */
-- if (saltlen < RSA_PSS_SALTLEN_MAX) {
-+ if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) {
- ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH);
- return 0;
- }
-@@ -1317,6 +1336,7 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
- if (rsa_pss_restricted(prsactx)) {
- switch (saltlen) {
- case RSA_PSS_SALTLEN_AUTO:
-+ case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX:
- if (prsactx->operation == EVP_PKEY_OP_VERIFY) {
- ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH,
- "Cannot use autodetected salt length");
-diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t
-index e615f1b338..35541aed12 100644
---- a/test/recipes/25-test_req.t
-+++ b/test/recipes/25-test_req.t
-@@ -199,7 +199,7 @@ subtest "generating certificate requests with RSA-PSS" => sub {
- ok(!run(app(["openssl", "req",
- "-config", srctop_file("test", "test.cnf"),
- "-new", "-out", "testreq-rsapss3.pem", "-utf8",
-- "-sigopt", "rsa_pss_saltlen:-4",
-+ "-sigopt", "rsa_pss_saltlen:-5",
- "-key", srctop_file("test", "testrsapss.pem")])),
- "Generating request with expected failure");
-
---
-2.38.1
-
diff --git a/0092-provider-improvements.patch b/0092-provider-improvements.patch
deleted file mode 100644
index b850fc3..0000000
--- a/0092-provider-improvements.patch
+++ /dev/null
@@ -1,705 +0,0 @@ -From 98642df4ba886818900ab7e6b23703544e6addd4 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Thu, 10 Nov 2022 10:46:32 -0500 -Subject: [PATCH 1/3] Propagate selection all the way on key export - -EVP_PKEY_eq() is used to check, among other things, if a certificate -public key corresponds to a private key. When the private key belongs to -a provider that does not allow to export private keys this currently -fails as the internal functions used to import/export keys ignored the -selection given (which specifies that only the public key needs to be -considered) and instead tries to export everything. - -This patch allows to propagate the selection all the way down including -adding it in the cache so that a following operation actually looking -for other selection parameters does not mistakenly pick up an export -containing only partial information. - -Signed-off-by: Simo Sorce - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/19648) - -diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c -index b06730dc7a..2d0238ee27 100644 ---- a/crypto/evp/keymgmt_lib.c -+++ b/crypto/evp/keymgmt_lib.c -@@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, - export_cb, export_cbarg); - } - --void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) -+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, -+ int selection) - { - struct evp_keymgmt_util_try_import_data_st import_data; - OP_CACHE_ELEM *op; -@@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) - */ - if (pk->dirty_cnt == pk->dirty_cnt_copy) { - /* If this key is already exported to |keymgmt|, no more to do */ -- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt); -+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection); - if (op != NULL && op->keymgmt != NULL) { - void *ret = op->keydata; - -@@ 
-157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) - /* Setup for the export callback */ - import_data.keydata = NULL; /* evp_keymgmt_util_try_import will create it */ - import_data.keymgmt = keymgmt; -- import_data.selection = OSSL_KEYMGMT_SELECT_ALL; -+ import_data.selection = selection; - - /* - * The export function calls the callback (evp_keymgmt_util_try_import), - * which does the import for us. If successful, we're done. - */ -- if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL, -+ if (!evp_keymgmt_util_export(pk, selection, - &evp_keymgmt_util_try_import, &import_data)) - /* If there was an error, bail out */ - return NULL; -@@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) - return NULL; - } - /* Check to make sure some other thread didn't get there first */ -- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt); -+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection); - if (op != NULL && op->keydata != NULL) { - void *ret = op->keydata; - -@@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) - evp_keymgmt_util_clear_operation_cache(pk, 0); - - /* Add the new export to the operation cache */ -- if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) { -+ if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata, -+ selection)) { - CRYPTO_THREAD_unlock(pk->lock); - evp_keymgmt_freedata(keymgmt, import_data.keydata); - return NULL; -@@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking) - } - - OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, -- EVP_KEYMGMT *keymgmt) -+ EVP_KEYMGMT *keymgmt, -+ int selection) - { - int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache); - OP_CACHE_ELEM *p; -@@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, - */ - for (i = 0; i < end; i++) { - p = 
sk_OP_CACHE_ELEM_value(pk->operation_cache, i); -- if (keymgmt == p->keymgmt) -+ if (keymgmt == p->keymgmt && (p->selection & selection) == selection) - return p; - } - return NULL; - } - --int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, -- EVP_KEYMGMT *keymgmt, void *keydata) -+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, -+ void *keydata, int selection) - { - OP_CACHE_ELEM *p = NULL; - -@@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, - return 0; - p->keydata = keydata; - p->keymgmt = keymgmt; -+ p->selection = selection; - - if (!EVP_KEYMGMT_up_ref(keymgmt)) { - OPENSSL_free(p); -@@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection) - ok = 1; - if (keydata1 != NULL) { - tmp_keydata = -- evp_keymgmt_util_export_to_provider(pk1, keymgmt2); -+ evp_keymgmt_util_export_to_provider(pk1, keymgmt2, -+ selection); - ok = (tmp_keydata != NULL); - } - if (ok) { -@@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection) - ok = 1; - if (keydata2 != NULL) { - tmp_keydata = -- evp_keymgmt_util_export_to_provider(pk2, keymgmt1); -+ evp_keymgmt_util_export_to_provider(pk2, keymgmt1, -+ selection); - ok = (tmp_keydata != NULL); - } - if (ok) { -diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c -index 70d17ec37e..905e9c9ce4 100644 ---- a/crypto/evp/p_lib.c -+++ b/crypto/evp/p_lib.c -@@ -1822,6 +1822,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, - { - EVP_KEYMGMT *allocated_keymgmt = NULL; - EVP_KEYMGMT *tmp_keymgmt = NULL; -+ int selection = OSSL_KEYMGMT_SELECT_ALL; - void *keydata = NULL; - int check; - -@@ -1883,7 +1884,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, - if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) { - if (!CRYPTO_THREAD_read_lock(pk->lock)) - goto end; -- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt); -+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, -+ 
selection); - - /* - * If |tmp_keymgmt| is present in the operation cache, it means -@@ -1938,7 +1940,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, - EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */ - - /* Check to make sure some other thread didn't get there first */ -- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt); -+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection); - if (op != NULL && op->keymgmt != NULL) { - void *tmp_keydata = op->keydata; - -@@ -1949,7 +1951,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, - } - - /* Add the new export to the operation cache */ -- if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) { -+ if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata, -+ selection)) { - CRYPTO_THREAD_unlock(pk->lock); - evp_keymgmt_freedata(tmp_keymgmt, keydata); - keydata = NULL; -@@ -1964,7 +1967,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, - } - #endif /* FIPS_MODULE */ - -- keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt); -+ keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection); - - end: - /* -diff --git a/include/crypto/evp.h b/include/crypto/evp.h -index f601b72807..dbbdcccbda 100644 ---- a/include/crypto/evp.h -+++ b/include/crypto/evp.h -@@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type, - typedef struct { - EVP_KEYMGMT *keymgmt; - void *keydata; -+ int selection; - } OP_CACHE_ELEM; - - DEFINE_STACK_OF(OP_CACHE_ELEM) -@@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata); - - int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, - OSSL_CALLBACK *export_cb, void *export_cbarg); --void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); -+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, -+ int selection); - OP_CACHE_ELEM 
*evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, -- EVP_KEYMGMT *keymgmt); -+ EVP_KEYMGMT *keymgmt, -+ int selection); - int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); --int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, -- EVP_KEYMGMT *keymgmt, void *keydata); -+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, -+ void *keydata, int selection); - void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); - void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, - int selection, const OSSL_PARAM params[]); --- -2.38.1 - -From 504427eb5f32108dd64ff7858012863fe47b369b Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Thu, 10 Nov 2022 16:58:28 -0500 -Subject: [PATCH 2/3] Update documentation for keymgmt export utils - -Change function prototypes and explain how to use the selection -argument. - -Signed-off-by: Simo Sorce - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/19648) - -diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod -index 1fee9f6ff9..7099e44964 100644 ---- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod -+++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod -@@ -20,12 +20,14 @@ OP_CACHE_ELEM - - int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, - OSSL_CALLBACK *export_cb, void *export_cbarg); -- void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); -+ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, -+ int selection); - OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, -- EVP_KEYMGMT *keymgmt); -+ EVP_KEYMGMT *keymgmt, -+ int selection); - int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); -- int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, -- EVP_KEYMGMT *keymgmt, void *keydata); -+ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, 
EVP_KEYMGMT *keymgmt, -+ void *keydata, int selection); - void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); - void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, - int selection, const OSSL_PARAM params[]); -@@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a - given key I via a B interface. This is used as a - helper for L. - -+In all functions that take a I argument, the selection is used to -+constraint the information requested on export. It is also used in the cache -+so that key data is guaranteed to contain all the information requested in -+the selection. -+ - =head1 RETURN VALUES - - evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata() --- -2.38.1 - -From e5202fbd461cb6c067874987998e91c6093e5267 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Fri, 11 Nov 2022 12:18:26 -0500 -Subject: [PATCH 3/3] Add test for EVP_PKEY_eq - -This tests that the comparison work even if a provider can only return -a public key. - -Signed-off-by: Simo Sorce - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/19648) - -diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c -index d556551bb6..5e92e72d4b 100644 ---- a/test/fake_rsaprov.c -+++ b/test/fake_rsaprov.c -@@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has; - static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query; - static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import; - static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes; -+static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export; -+static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes; - static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load; - - static int has_selection; - static int imptypes_selection; -+static int exptypes_selection; - static int query_id; - -+struct fake_rsa_keydata { -+ int selection; -+ int status; -+}; -+ - static void 
*fake_rsa_keymgmt_new(void *provctx) - { -- unsigned char *keydata = OPENSSL_zalloc(1); -+ struct fake_rsa_keydata *key; - -- TEST_ptr(keydata); -+ if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata)))) -+ return NULL; - - /* clear test globals */ - has_selection = 0; - imptypes_selection = 0; -+ exptypes_selection = 0; - query_id = 0; - -- return keydata; -+ return key; - } - - static void fake_rsa_keymgmt_free(void *keydata) -@@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id) - static int fake_rsa_keymgmt_import(void *keydata, int selection, - const OSSL_PARAM *p) - { -- unsigned char *fake_rsa_key = keydata; -+ struct fake_rsa_keydata *fake_rsa_key = keydata; - - /* key was imported */ -- *fake_rsa_key = 1; -+ fake_rsa_key->status = 1; - - return 1; - } - -+static unsigned char fake_rsa_n[] = -+ "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F" -+ "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5" -+ "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93" -+ "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1" -+ "\xF5"; -+ -+static unsigned char fake_rsa_e[] = "\x11"; -+ -+static unsigned char fake_rsa_d[] = -+ "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44" -+ "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64" -+ "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9" -+ "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51"; -+ -+static unsigned char fake_rsa_p[] = -+ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" -+ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12" -+ "\x0D"; -+ -+static unsigned char fake_rsa_q[] = -+ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" -+ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" -+ "\x89"; -+ -+static unsigned char fake_rsa_dmp1[] = -+ 
"\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF" -+ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05"; -+ -+static unsigned char fake_rsa_dmq1[] = -+ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99" -+ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D" -+ "\x51"; -+ -+static unsigned char fake_rsa_iqmp[] = -+ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8" -+ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26"; -+ -+OSSL_PARAM *fake_rsa_key_params(int priv) -+{ -+ if (priv) { -+ OSSL_PARAM params[] = { -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n, -+ sizeof(fake_rsa_n) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e, -+ sizeof(fake_rsa_e) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d, -+ sizeof(fake_rsa_d) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p, -+ sizeof(fake_rsa_p) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q, -+ sizeof(fake_rsa_q) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1, -+ sizeof(fake_rsa_dmp1) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1, -+ sizeof(fake_rsa_dmq1) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp, -+ sizeof(fake_rsa_iqmp) -1), -+ OSSL_PARAM_END -+ }; -+ return OSSL_PARAM_dup(params); -+ } else { -+ OSSL_PARAM params[] = { -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n, -+ sizeof(fake_rsa_n) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e, -+ sizeof(fake_rsa_e) -1), -+ OSSL_PARAM_END -+ }; -+ return OSSL_PARAM_dup(params); -+ } -+} -+ -+static int fake_rsa_keymgmt_export(void *keydata, int selection, -+ OSSL_CALLBACK *param_callback, void *cbarg) -+{ -+ OSSL_PARAM *params = NULL; -+ int ret; -+ -+ if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) -+ return 0; -+ -+ if (!TEST_ptr(params = fake_rsa_key_params(0))) -+ return 0; -+ -+ ret = param_callback(params, cbarg); -+ OSSL_PARAM_free(params); -+ 
return ret; -+} -+ - static const OSSL_PARAM fake_rsa_import_key_types[] = { - OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0), - OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0), -@@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection) - return fake_rsa_import_key_types; - } - -+static const OSSL_PARAM fake_rsa_export_key_types[] = { -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0), -+ OSSL_PARAM_END -+}; -+ -+static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection) -+{ -+ /* record global for checking */ -+ exptypes_selection = selection; -+ -+ return fake_rsa_export_key_types; -+} -+ - static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz) - { -- unsigned char *key = NULL; -+ struct fake_rsa_keydata *key = NULL; - -- if (reference_sz != sizeof(key)) -+ if (reference_sz != sizeof(*key)) - return NULL; - -- key = *(unsigned char **)reference; -- if (*key != 1) -+ key = *(struct fake_rsa_keydata **)reference; -+ if (key->status != 1) - return NULL; - - /* detach the reference */ -- *(unsigned char **)reference = NULL; -+ *(struct fake_rsa_keydata **)reference = NULL; - - return key; - } -@@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) - { - unsigned char *gctx = genctx; - static const unsigned char inited[] = { 1 }; -- unsigned char *keydata; -+ struct fake_rsa_keydata *keydata; - - if (!TEST_ptr(gctx) - || !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited))) -@@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) - if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL))) - return NULL; - -- *keydata = 2; -+ keydata->status = 2; - return keydata; - } - -@@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = { - { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import }, - { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, - (void 
(*)(void))fake_rsa_keymgmt_imptypes }, -+ { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export }, -+ { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, -+ (void (*)(void))fake_rsa_keymgmt_exptypes }, - { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load }, - { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init }, - { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen }, -@@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey, - const OSSL_PARAM params[]) - { - unsigned char *sigctx = ctx; -- unsigned char *keydata = provkey; -+ struct fake_rsa_keydata *keydata = provkey; - - /* we must have a ctx */ - if (!TEST_ptr(sigctx)) - return 0; - - /* we must have some initialized key */ -- if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0)) -+ if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0)) - return 0; - - /* record that sign init was called */ -@@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx, - unsigned char *storectx = loaderctx; - OSSL_PARAM params[4]; - int object_type = OSSL_OBJECT_PKEY; -- void *key = NULL; -+ struct fake_rsa_keydata *key = NULL; - int rv = 0; - - switch (*storectx) { -@@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx, - /* The address of the key becomes the octet string */ - params[2] = - OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE, -- &key, sizeof(key)); -+ &key, sizeof(*key)); - params[3] = OSSL_PARAM_construct_end(); - rv = object_cb(params, object_cbarg); - *storectx = 1; -diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h -index 57de1ecf8d..190c46a285 100644 ---- a/test/fake_rsaprov.h -+++ b/test/fake_rsaprov.h -@@ -12,3 +12,4 @@ - /* Fake RSA provider implementation */ - OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx); - void fake_rsa_finish(OSSL_PROVIDER *p); -+OSSL_PARAM *fake_rsa_key_params(int priv); -diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c -index 5c398398f4..3b190baa5e 100644 ---- 
a/test/provider_pkey_test.c
-+++ b/test/provider_pkey_test.c
-@@ -176,6 +176,67 @@ end:
- return ret;
- }
-
-+static int test_pkey_eq(void)
-+{
-+ OSSL_PROVIDER *deflt = NULL;
-+ OSSL_PROVIDER *fake_rsa = NULL;
-+ EVP_PKEY *pkey_fake = NULL;
-+ EVP_PKEY *pkey_dflt = NULL;
-+ EVP_PKEY_CTX *ctx = NULL;
-+ OSSL_PARAM *params = NULL;
-+ int ret = 0;
-+
-+ if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx)))
-+ return 0;
-+
-+ if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default")))
-+ goto end;
-+
-+ /* Construct a public key for fake-rsa */
-+ if (!TEST_ptr(params = fake_rsa_key_params(0))
-+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
-+ "provider=fake-rsa"))
-+ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
-+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY,
-+ params))
-+ || !TEST_ptr(pkey_fake))
-+ goto end;
-+
-+ EVP_PKEY_CTX_free(ctx);
-+ ctx = NULL;
-+ OSSL_PARAM_free(params);
-+ params = NULL;
-+
-+ /* Construct a public key for default */
-+ if (!TEST_ptr(params = fake_rsa_key_params(0))
-+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA",
-+ "provider=default"))
-+ || !TEST_true(EVP_PKEY_fromdata_init(ctx))
-+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY,
-+ params))
-+ || !TEST_ptr(pkey_dflt))
-+ goto end;
-+
-+ EVP_PKEY_CTX_free(ctx);
-+ ctx = NULL;
-+ OSSL_PARAM_free(params);
-+ params = NULL;
-+
-+ /* now test for equality */
-+ if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1))
-+ goto end;
-+
-+ ret = 1;
-+end:
-+ fake_rsa_finish(fake_rsa);
-+ OSSL_PROVIDER_unload(deflt);
-+ EVP_PKEY_CTX_free(ctx);
-+ EVP_PKEY_free(pkey_fake);
-+ EVP_PKEY_free(pkey_dflt);
-+ OSSL_PARAM_free(params);
-+ return ret;
-+}
-+
- static int test_pkey_store(int idx)
- {
- OSSL_PROVIDER *deflt = NULL;
-@@ -235,6 +296,7 @@ int setup_tests(void)
-
- ADD_TEST(test_pkey_sig);
- ADD_TEST(test_alternative_keygen_init);
-+ ADD_TEST(test_pkey_eq);
- ADD_ALL_TESTS(test_pkey_store, 2);
-
- return 1;
---
-2.38.1
-
-From 2fea56832780248af2aba2e4433ece2d18428515 Mon Sep 17 00:00:00 2001
-From: Simo Sorce
-Date: Mon, 14 Nov 2022 10:25:15 -0500
-Subject: [PATCH] Drop explicit check for engines in opt_legacy_okay
-
-The providers indication should always indicate that this is not a
-legacy request.
-This makes a check for engines redundant as the default return is that
-legacy is ok if there are no explicit providers.
-
-Fixes #19662
-
-Signed-off-by: Simo Sorce
-
-Reviewed-by: Dmitry Belyavskiy
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/19671)
----
- apps/lib/apps.c | 8 --------
- test/recipes/20-test_legacy_okay.t | 23 +++++++++++++++++++++++
- 2 files changed, 23 insertions(+), 8 deletions(-)
- create mode 100755 test/recipes/20-test_legacy_okay.t
-
-diff --git a/apps/lib/apps.c b/apps/lib/apps.c
-index 3d52e030ab7e258f9cd983b2d9755d954cb3aee5..bbe0d009efb35fcf1a902c86cbddc61e657e57f1 100644
---- a/apps/lib/apps.c
-+++ b/apps/lib/apps.c
-@@ -3405,14 +3405,6 @@ int opt_legacy_okay(void)
- {
- int provider_options = opt_provider_option_given();
- int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL;
--#ifndef OPENSSL_NO_ENGINE
-- ENGINE *e = ENGINE_get_first();
--
-- if (e != NULL) {
-- ENGINE_free(e);
-- return 1;
-- }
--#endif
- /*
- * Having a provider option specified or a custom library context or
- * property query, is a sure sign we're not using legacy.
-diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t
-new file mode 100755
-index 0000000000000000000000000000000000000000..183499f3fd93f97e8a4a30681a9f383d2f6e0c56
---- /dev/null
-+++ b/test/recipes/20-test_legacy_okay.t
-@@ -0,0 +1,23 @@
-+#! /usr/bin/env perl
-+# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
-+#
-+# Licensed under the Apache License 2.0 (the "License"). You may not use
-+# this file except in compliance with the License.
You can obtain a copy
-+# in the file LICENSE in the source distribution or at
-+# https://www.openssl.org/source/license.html
-+
-+use strict;
-+use warnings;
-+
-+use OpenSSL::Test;
-+
-+setup("test_legacy");
-+
-+plan tests => 3;
-+
-+ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file");
-+
-+ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest");
-+
-+ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1',
-+ 'rand.txt'])), "Fail to generate a digest");
---
-2.38.1
-
diff --git a/0101-CVE-2022-4203-nc-match.patch b/0101-CVE-2022-4203-nc-match.patch
deleted file mode 100644
index 860deac..0000000
--- a/0101-CVE-2022-4203-nc-match.patch
+++ /dev/null
@@ -1,281 +0,0 @@ -From c927a3492698c254637da836762f9b1f86cffabc Mon Sep 17 00:00:00 2001 -From: Viktor Dukhovni -Date: Tue, 13 Dec 2022 08:49:13 +0100 -Subject: [PATCH 01/18] Fix type confusion in nc_match_single() - -This function assumes that if the "gen" is an OtherName, then the "base" -is a rfc822Name constraint. This assumption is not true in all cases. -If the end-entity certificate contains an OtherName SAN of any type besides -SmtpUtf8Mailbox and the CA certificate contains a name constraint of -OtherName (of any type), then "nc_email_eai" will be invoked, with the -OTHERNAME "base" being incorrectly interpreted as a ASN1_IA5STRING. - -Reported by Corey Bonnell from Digicert. - -CVE-2022-4203 - -Reviewed-by: Paul Dale -Reviewed-by: Hugo Landau -Reviewed-by: Tomas Mraz ---- - crypto/x509/v3_ncons.c | 45 +++++++++++++++++++++++++++++------------- - 1 file changed, 31 insertions(+), 14 deletions(-) - -diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c -index 70a7e8304e..5101598512 100644 ---- a/crypto/x509/v3_ncons.c -+++ b/crypto/x509/v3_ncons.c -@@ -31,7 +31,8 @@ static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, - static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip); - - static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc); --static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen); -+static int nc_match_single(int effective_type, GENERAL_NAME *sub, -+ GENERAL_NAME *gen); - static int nc_dn(const X509_NAME *sub, const X509_NAME *nm); - static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns); - static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml); -@@ -472,14 +473,17 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) - { - GENERAL_SUBTREE *sub; - int i, r, match = 0; -+ int effective_type = gen->type; -+ - /* - * We need to compare not gen->type field but an "effective" type because - * the otherName field may contain EAI email address treated specially - * according to RFC 8398, 
section 6 - */ -- int effective_type = ((gen->type == GEN_OTHERNAME) && -- (OBJ_obj2nid(gen->d.otherName->type_id) == -- NID_id_on_SmtpUTF8Mailbox)) ? GEN_EMAIL : gen->type; -+ if (effective_type == GEN_OTHERNAME && -+ (OBJ_obj2nid(gen->d.otherName->type_id) == NID_id_on_SmtpUTF8Mailbox)) { -+ effective_type = GEN_EMAIL; -+ } - - /* - * Permitted subtrees: if any subtrees exist of matching the type at -@@ -488,7 +492,10 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) - - for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) { - sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i); -- if (effective_type != sub->base->type) -+ if (effective_type != sub->base->type -+ || (effective_type == GEN_OTHERNAME && -+ OBJ_cmp(gen->d.otherName->type_id, -+ sub->base->d.otherName->type_id) != 0)) - continue; - if (!nc_minmax_valid(sub)) - return X509_V_ERR_SUBTREE_MINMAX; -@@ -497,7 +504,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) - continue; - if (match == 0) - match = 1; -- r = nc_match_single(gen, sub->base); -+ r = nc_match_single(effective_type, gen, sub->base); - if (r == X509_V_OK) - match = 2; - else if (r != X509_V_ERR_PERMITTED_VIOLATION) -@@ -511,12 +518,15 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) - - for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) { - sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i); -- if (effective_type != sub->base->type) -+ if (effective_type != sub->base->type -+ || (effective_type == GEN_OTHERNAME && -+ OBJ_cmp(gen->d.otherName->type_id, -+ sub->base->d.otherName->type_id) != 0)) - continue; - if (!nc_minmax_valid(sub)) - return X509_V_ERR_SUBTREE_MINMAX; - -- r = nc_match_single(gen, sub->base); -+ r = nc_match_single(effective_type, gen, sub->base); - if (r == X509_V_OK) - return X509_V_ERR_EXCLUDED_VIOLATION; - else if (r != X509_V_ERR_PERMITTED_VIOLATION) -@@ -528,15 +538,22 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) 
- - } - --static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base) -+static int nc_match_single(int effective_type, GENERAL_NAME *gen, -+ GENERAL_NAME *base) - { - switch (gen->type) { - case GEN_OTHERNAME: -- /* -- * We are here only when we have SmtpUTF8 name, -- * so we match the value of othername with base->d.rfc822Name -- */ -- return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name); -+ switch (effective_type) { -+ case GEN_EMAIL: -+ /* -+ * We are here only when we have SmtpUTF8 name, -+ * so we match the value of othername with base->d.rfc822Name -+ */ -+ return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name); -+ -+ default: -+ return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE; -+ } - - case GEN_DIRNAME: - return nc_dn(gen->d.directoryName, base->d.directoryName); --- -2.39.1 - -From fe6842f5a5dc2fb66da7fb24bf4343a3aeedd50a Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Tue, 13 Dec 2022 19:45:09 +0100 -Subject: [PATCH 02/18] Add testcase for nc_match_single type confusion - -Reviewed-by: Paul Dale -Reviewed-by: Hugo Landau ---- - test/certs/bad-othername-cert.pem | 20 ++++++++++++++++++++ - test/certs/nccaothername-cert.pem | 20 ++++++++++++++++++++ - test/certs/nccaothername-key.pem | 28 ++++++++++++++++++++++++++++ - test/certs/setup.sh | 11 +++++++++++ - test/recipes/25-test_verify.t | 5 ++++- - 5 files changed, 83 insertions(+), 1 deletion(-) - create mode 100644 test/certs/bad-othername-cert.pem - create mode 100644 test/certs/nccaothername-cert.pem - create mode 100644 test/certs/nccaothername-key.pem - -diff --git a/test/certs/bad-othername-cert.pem b/test/certs/bad-othername-cert.pem -new file mode 100644 -index 0000000000..cf279de5ea ---- /dev/null -+++ b/test/certs/bad-othername-cert.pem -@@ -0,0 +1,20 @@ -+-----BEGIN CERTIFICATE----- -+MIIDRDCCAiygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0 -+IE5DIENBIG90aGVybmFtZTAgFw0yMjEyMTMxODMzMTZaGA8yMTIyMTIxNDE4MzMx 
-+NlowMTEvMC0GA1UECgwmTkMgZW1haWwgaW4gb3RoZXJuYW1lIFRlc3QgQ2VydGlm -+aWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPgeoakqHk1zYt -+JZpEC0qkJPU/X0lfI+6GY2LHFY9KOSFqqmTXxrUtjQc3SdpQvBZhPuMZ8p82Jid2 -+kkRHnWs0uqX9NtLO923yQalYvP6Mt3fokcYgw/C9b+I/q1PKUyN0kPB6McROguD5 -+Jz2DcEufJBhbpyay1bFjEI2DAQJKDP/U7uH0EA7kH/27UMk0vfvL5uVjDvlo8i6S -+Ul8+u0cDV5ZFJW2VAJKLU3wp6IY4fZl9UqkHZuRQpMJGqAjAleWOIEpyyvfGGh0b -+75n3GJ+4YZ7CIBEgY7K0nIbKxtcDZPvmtbYg3g1tkPMTHcodFT7yEdqkBTJ5AGL7 -+6U850OhjAgMBAAGjdzB1MB0GA1UdDgQWBBTBz0k+q6d4c3aM+s2IyOF/QP6zCTAf -+BgNVHSMEGDAWgBTwhghX7uNdMejZ3f4XorqOQoMqwTAJBgNVHRMEAjAAMCgGA1Ud -+EQQhMB+gHQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEB -+CwUAA4IBAQAhxbCEVH8pq0aUMaLWaodyXdCqA0AKTFG6Mz9Rpwn89OwC8FylTEru -+t+Bqx/ZuTo8YzON8h9m7DIrQIjZKDLW/g5YbvIsxIVV9gWhAGohdsIyMKRBepSmr -+NxJQkO74RLBTamfl0WUCVM4HqroflFjBBG67CTJaQ9cH9ug3TKxaXCK1L6iQAXtq -+enILGai98Byo0LCFH4MQOhmhV1BDT2boIG/iYb5VKCTSX25vhaF+PNBhUoysjW0O -+vhQX8vrw42QRr4Qi7VfUBXzrbRTzxjOc4yqki7h2DcEdpginqe+aGyaFY+H9m/ka -+1AR5KN8h5SYKltSXknjs0pp1w4k49aHl -+-----END CERTIFICATE----- -diff --git a/test/certs/nccaothername-cert.pem b/test/certs/nccaothername-cert.pem -new file mode 100644 -index 0000000000..f9b9b07b80 ---- /dev/null -+++ b/test/certs/nccaothername-cert.pem -@@ -0,0 +1,20 @@ -+-----BEGIN CERTIFICATE----- -+MIIDPjCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -+IENBMCAXDTIyMTIxMzE4MTgwM1oYDzIxMjIxMjE0MTgxODAzWjAfMR0wGwYDVQQD -+DBRUZXN0IE5DIENBIG90aGVybmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -+AQoCggEBAN0Dx+ei8CgtRKnDcYiLwX4vrA48at/o/zfX24X/WZZM1o9HUKo1FQBN -+vhESJu+gqPxuIePrk+/L25XdRqwCKk8wkWX0XIz18q5orOHUUFAWNK3g0FDj6N8H -+d8urNIbDJ44FCx+/0n8Ppiht/EYN3aVOW5enqbgZ+EEt+3AUG6ibieRdGri9g4oh -+IIx60MmVHLbuT/TcVZxaeWyTl6iWmsYosUyqlhTtu1uGtbVtkCAhBYloVvz4J5eA -+mVu/JuJbsNxbxVeO9Q8Kj6nb4jPPdGvZ3JPcabbWrz5LwaereBf5IPrXEVdQTlYB -+gI0pTz2CEDHSIrd7jzRUX/9EC2gMk6UCAwEAAaOBjzCBjDAPBgNVHRMBAf8EBTAD -+AQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU8IYIV+7jXTHo2d3+F6K6jkKDKsEw 
-+HwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwLAYDVR0eBCUwI6EhMB+g -+HQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IB -+AQDPI5uZd8DhSNKMvYF5bxOshd6h6UJ7YzZS7K6fhiygltdqzkHQ/5+4yiuUkDe4 -+hOZlH8MCfXQy5jVZDTk24yNchpdfie5Bswn4SmQVQh3QyzOLxizoh0rLCf2PHueu -+dNVNhfiiJNJ5kd8MIuVG7CPK68dP0QrVR+DihROuJgvGB3ClKttLrgle19t4PFRR -+2wW6hJT9aXEjzLNyN1QFZKoShuiGX4xwjZh7VyKkV64p8hjojhcLk6dQkel+Jw4y -+OP26XbVfM8/6KG8f6WAZ8P0qJwHlhmi0EvRTnEpAM8WuenOeZH6ERZ9uZbRGh6xx -+LKQu2Aw2+bOEZ2vUtz0dBhX8 -+-----END CERTIFICATE----- -diff --git a/test/certs/nccaothername-key.pem b/test/certs/nccaothername-key.pem -new file mode 100644 -index 0000000000..d3e300ac2f ---- /dev/null -+++ b/test/certs/nccaothername-key.pem -@@ -0,0 +1,28 @@ -+-----BEGIN PRIVATE KEY----- -+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDdA8fnovAoLUSp -+w3GIi8F+L6wOPGrf6P8319uF/1mWTNaPR1CqNRUATb4REibvoKj8biHj65Pvy9uV -+3UasAipPMJFl9FyM9fKuaKzh1FBQFjSt4NBQ4+jfB3fLqzSGwyeOBQsfv9J/D6Yo -+bfxGDd2lTluXp6m4GfhBLftwFBuom4nkXRq4vYOKISCMetDJlRy27k/03FWcWnls -+k5eolprGKLFMqpYU7btbhrW1bZAgIQWJaFb8+CeXgJlbvybiW7DcW8VXjvUPCo+p -+2+Izz3Rr2dyT3Gm21q8+S8Gnq3gX+SD61xFXUE5WAYCNKU89ghAx0iK3e480VF// -+RAtoDJOlAgMBAAECggEAMFSJlCyEFlER3Qq9asXe9eRgXEuXdmfZ2aEVIuf8M/sR -+B0tpxxKtCUA24j5FL+0CzxKZTCFBnDRIzCyTbf1aOa9t+CzXyUZmP3/p4EdgmabF -+dcl93FZ+X7kfF/VUGu0Vmv+c12BH3Fu0cs5cVohlMecg7diu6zCYok43F+L5ymRy -+2mTcKkGc0ShWizj8Z9R3WJGssZOlxbxa/Zr4rZwRC24UVhfN8AfGWYx/StyQPQIw -+gtbbtOmwbyredQmY4jwNqgrnfZS9bkWwJbRuCmD5l7lxubBgcHQpoM+DQVeOLZIq -+uksFXeNfal9G5Bo747MMzpD7dJMCGmX+gbMY5oZF+QKBgQDs2MbY4nbxi+fV+KuV -+zUvis8m8Lpzf3T6NLkgSkUPRN9tGr95iLIrB/bRPJg5Ne02q/cT7d86B9rpE42w7 -+eeIF9fANezX2AF8LUqNZhIR23J3tfB/eqGlJRZeMNia+lD09a7SWGwrS7sufY1I+ -+JQGcHx77ntt+eQT1MUJ1skF06QKBgQDu4z+TW4QIA5ItxIReVdcfh5e3xLkzDEVP -+3KNo9tpXxvPwqapdeBh6c9z4Lqe3MKr5UPlDvVW+o40t6OjKxDCXczB8+JAM0OyX -+8V+K3zXXUxRgieSd3oMncTylSWIvouPP3aW37B67TKdRlRHgaBrpJT2wdk3kYR4t -+62J1eDdjXQKBgQDMsY0pZI/nskJrar7geM1c4IU5Xg+2aj/lRFqFsYYrC1s3fEd2 
-+EYjan6l1vi4eSLKXVTspGiIfsFzLrMGdpXjyLduJyzKXqTp7TrBebWkOUR0sYloo -+1OQprzuKskJJ81P6AVvRXw27vyW8Wtp5WwJJK5xbWq/YXj8qqagGkEiCAQKBgQCc -+RK3XAFurPmLGa7JHX5Hc/z8BKMAZo6JHrsZ6qFiGaRA0U1it0hz5JYfcFfECheSi -+ORUF+fn4PlbhPGXkFljPCbwjVBovOBA9CNl+J6u50pAW4r1ZhDB5gbqxSQLgtIaf -++JcqbFxiG6+sT36lNJS+BO2I3KrxhZJPaZY7z8szxQKBgQDRy70XzwOk8jXayiF2 -+ej2IN7Ow9cgSE4tLEwR/vCjxvOlWhA3jC3wxoggshGJkpbP3DqLkQtwQm0h1lM8J -+QNtFwKzjtpf//bTlfFq08/YxWimTPMqzcV2PgRacB8P3yf1r8T7M4fA5TORCDWpW -+5FtOCFEmwQHTR8lu4c63qfxkEQ== -+-----END PRIVATE KEY----- -diff --git a/test/certs/setup.sh b/test/certs/setup.sh -index b9766aab20..2240cd9df0 100755 ---- a/test/certs/setup.sh -+++ b/test/certs/setup.sh -@@ -388,6 +388,17 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \ - "email.1 = good@good.org" "email.2 = any@good.com" \ - "IP = 127.0.0.1" "IP = 192.168.0.1" - -+# Certs for CVE-2022-4203 testcase -+ -+NC="excluded;otherName:SRVName;UTF8STRING:foo@example.org" ./mkcert.sh genca \ -+ "Test NC CA othername" nccaothername-key nccaothername-cert \ -+ root-key root-cert -+ -+./mkcert.sh req alt-email-key "O = NC email in othername Test Certificate" | \ -+ ./mkcert.sh geneealt bad-othername-key bad-othername-cert \ -+ nccaothername-key nccaothername-cert \ -+ "otherName.1 = SRVName;UTF8STRING:foo@example.org" -+ - # RSA-PSS signatures - # SHA1 - ./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \ -diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t -index 4613489f57..e6a2bca731 100644 ---- a/test/recipes/25-test_verify.t -+++ b/test/recipes/25-test_verify.t -@@ -29,7 +29,7 @@ sub verify { - run(app([@args])); - } - --plan tests => 162; -+plan tests => 163; - - # Canonical success - ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), -@@ -402,6 +402,9 @@ ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), - ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), - "Name 
constraints nested DNS name excluded"); - -+ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ), -+ "CVE-2022-4203 type confusion test"); -+ - #Check that we get the expected failure return code - with({ exit_checker => sub { return shift == 2; } }, - sub { --- -2.39.1 - diff --git a/0102-CVE-2022-4304-RSA-time-oracle.patch b/0102-CVE-2022-4304-RSA-time-oracle.patch deleted file mode 100644 index a650715..0000000 --- a/0102-CVE-2022-4304-RSA-time-oracle.patch +++ /dev/null 
@@ -1,750 +0,0 @@ -From 8e257b86e5812c6e1cfa9e8e5f5660ac7bed899d Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Fri, 20 Jan 2023 15:03:40 +0000 -Subject: [PATCH 03/18] Fix Timing Oracle in RSA decryption - -A timing based side channel exists in the OpenSSL RSA Decryption -implementation which could be sufficient to recover a plaintext across -a network in a Bleichenbacher style attack. To achieve a successful -decryption an attacker would have to be able to send a very large number -of trial messages for decryption. The vulnerability affects all RSA -padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. - -Patch written by Dmitry Belyavsky and Hubert Kario - -CVE-2022-4304 - -Reviewed-by: Matt Caswell -Reviewed-by: Tomas Mraz ---- - crypto/bn/bn_blind.c | 14 - - crypto/bn/bn_local.h | 14 + - crypto/bn/build.info | 2 +- - crypto/bn/rsa_sup_mul.c | 604 ++++++++++++++++++++++++++++++++++++++++ - crypto/rsa/rsa_ossl.c | 19 +- - include/crypto/bn.h | 6 + - 6 files changed, 638 insertions(+), 21 deletions(-) - create mode 100644 crypto/bn/rsa_sup_mul.c - -diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c -index 72457b34cf..6061ebb4c0 100644 ---- a/crypto/bn/bn_blind.c -+++ b/crypto/bn/bn_blind.c -@@ -13,20 +13,6 @@ - - #define BN_BLINDING_COUNTER 32 - --struct bn_blinding_st { -- BIGNUM *A; -- BIGNUM *Ai; -- BIGNUM *e; -- BIGNUM *mod; /* just a reference */ -- CRYPTO_THREAD_ID tid; -- int counter; -- unsigned long flags; -- BN_MONT_CTX *m_ctx; -- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -- CRYPTO_RWLOCK *lock; --}; -- - BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) - { - BN_BLINDING *ret = NULL; -diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h -index c9a7ecf298..8c428f919d 100644 ---- a/crypto/bn/bn_local.h -+++ b/crypto/bn/bn_local.h -@@ -290,6 +290,20 @@ struct bn_gencb_st { - } cb; - }; - -+struct bn_blinding_st { -+ BIGNUM *A; -+ BIGNUM 
*Ai; -+ BIGNUM *e; -+ BIGNUM *mod; /* just a reference */ -+ CRYPTO_THREAD_ID tid; -+ int counter; -+ unsigned long flags; -+ BN_MONT_CTX *m_ctx; -+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -+ CRYPTO_RWLOCK *lock; -+}; -+ - /*- - * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions - * -diff --git a/crypto/bn/build.info b/crypto/bn/build.info -index c4ba51b265..f4ff619239 100644 ---- a/crypto/bn/build.info -+++ b/crypto/bn/build.info -@@ -105,7 +105,7 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \ - bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ - bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \ - bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ -- bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c -+ bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c rsa_sup_mul.c - SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c - DEFINE[../../libcrypto]=$BNDEF - IF[{- !$disabled{'deprecated-0.9.8'} -}] -diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c -new file mode 100644 -index 0000000000..0e0d02e194 ---- /dev/null -+++ b/crypto/bn/rsa_sup_mul.c -@@ -0,0 +1,604 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "internal/endian.h" -+#include "internal/numbers.h" -+#include "internal/constant_time.h" -+#include "bn_local.h" -+ -+# if BN_BYTES == 8 -+typedef uint64_t limb_t; -+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 -+typedef uint128_t limb2_t; -+# define HAVE_LIMB2_T -+# endif -+# define LIMB_BIT_SIZE 64 -+# define LIMB_BYTE_SIZE 8 -+# elif BN_BYTES == 4 -+typedef uint32_t limb_t; -+typedef uint64_t limb2_t; -+# define LIMB_BIT_SIZE 32 -+# define LIMB_BYTE_SIZE 4 -+# define HAVE_LIMB2_T -+# else -+# error "Not supported" -+# endif -+ -+/* -+ * For multiplication we're using schoolbook multiplication, -+ * so if we have two numbers, each 
with 6 "digits" (words) -+ * the multiplication is calculated as follows: -+ * A B C D E F -+ * x I J K L M N -+ * -------------- -+ * N*F -+ * N*E -+ * N*D -+ * N*C -+ * N*B -+ * N*A -+ * M*F -+ * M*E -+ * M*D -+ * M*C -+ * M*B -+ * M*A -+ * L*F -+ * L*E -+ * L*D -+ * L*C -+ * L*B -+ * L*A -+ * K*F -+ * K*E -+ * K*D -+ * K*C -+ * K*B -+ * K*A -+ * J*F -+ * J*E -+ * J*D -+ * J*C -+ * J*B -+ * J*A -+ * I*F -+ * I*E -+ * I*D -+ * I*C -+ * I*B -+ * + I*A -+ * ========================== -+ * N*B N*D N*F -+ * + N*A N*C N*E -+ * + M*B M*D M*F -+ * + M*A M*C M*E -+ * + L*B L*D L*F -+ * + L*A L*C L*E -+ * + K*B K*D K*F -+ * + K*A K*C K*E -+ * + J*B J*D J*F -+ * + J*A J*C J*E -+ * + I*B I*D I*F -+ * + I*A I*C I*E -+ * -+ * 1+1 1+3 1+5 -+ * 1+0 1+2 1+4 -+ * 0+1 0+3 0+5 -+ * 0+0 0+2 0+4 -+ * -+ * 0 1 2 3 4 5 6 -+ * which requires n^2 multiplications and 2n full length additions -+ * as we can keep every other result of limb multiplication in two separate -+ * limbs -+ */ -+ -+#if defined HAVE_LIMB2_T -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ limb2_t t; -+ /* -+ * this is idiomatic code to tell compiler to use the native mul -+ * those three lines will actually compile to single instruction -+ */ -+ -+ t = (limb2_t)a * b; -+ *hi = t >> LIMB_BIT_SIZE; -+ *lo = (limb_t)t; -+} -+#elif (BN_BYTES == 8) && (defined _MSC_VER) -+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ -+#pragma intrinsic(_umul128) -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ *lo = _umul128(a, b, hi); -+} -+#else -+/* -+ * if the compiler doesn't have either a 128bit data type nor a "return -+ * high 64 bits of multiplication" -+ */ -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ limb_t a_low = (limb_t)(uint32_t)a; -+ limb_t a_hi = a >> 32; -+ limb_t b_low = (limb_t)(uint32_t)b; -+ limb_t b_hi = b >> 32; -+ -+ limb_t p0 = a_low * b_low; -+ limb_t p1 = a_low * 
b_hi; -+ limb_t p2 = a_hi * b_low; -+ limb_t p3 = a_hi * b_hi; -+ -+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); -+ -+ *lo = p0 + (p1 << 32) + (p2 << 32); -+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; -+} -+#endif -+ -+/* add two limbs with carry in, return carry out */ -+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) -+{ -+ limb_t carry1, carry2, t; -+ /* -+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers -+ * use add with carry on assembly level -+ */ -+ -+ *ret = a + carry; -+ if (*ret < a) -+ carry1 = 1; -+ else -+ carry1 = 0; -+ -+ t = *ret; -+ *ret = t + b; -+ if (*ret < t) -+ carry2 = 1; -+ else -+ carry2 = 0; -+ -+ return carry1 + carry2; -+} -+ -+/* -+ * add two numbers of the same size, return overflow -+ * -+ * add a to b, place result in ret; all arrays need to be n limbs long -+ * return overflow from addition (0 or 1) -+ */ -+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ limb_t c = 0; -+ ossl_ssize_t i; -+ -+ for(i = n - 1; i > -1; i--) -+ c = _add_limb(&ret[i], a[i], b[i], c); -+ -+ return c; -+} -+ -+/* -+ * return number of limbs necessary for temporary values -+ * when multiplying numbers n limbs large -+ */ -+static ossl_inline size_t mul_limb_numb(size_t n) -+{ -+ return 2 * n * 2; -+} -+ -+/* -+ * multiply two numbers of the same size -+ * -+ * multiply a by b, place result in ret; a and b need to be n limbs long -+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs -+ * long -+ */ -+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) -+{ -+ limb_t *r_odd, *r_even; -+ size_t i, j, k; -+ -+ r_odd = tmp; -+ r_even = &tmp[2 * n]; -+ -+ memset(ret, 0, 2 * n * sizeof(limb_t)); -+ -+ for (i = 0; i < n; i++) { -+ for (k = 0; k < i + n + 1; k++) { -+ r_even[k] = 0; -+ r_odd[k] = 0; -+ } -+ for (j = 0; j < n; j++) { -+ /* -+ * place results from even and odd limbs in separate arrays so 
that -+ * we don't have to calculate overflow every time we get individual -+ * limb multiplication result -+ */ -+ if (j % 2 == 0) -+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); -+ else -+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); -+ } -+ /* -+ * skip the least significant limbs when adding multiples of -+ * more significant limbs (they're zero anyway) -+ */ -+ add(ret, ret, r_even, n + i + 1); -+ add(ret, ret, r_odd, n + i + 1); -+ } -+} -+ -+/* modifies the value in place by performing a right shift by one bit */ -+static ossl_inline void rshift1(limb_t *val, size_t n) -+{ -+ limb_t shift_in = 0, shift_out = 0; -+ size_t i; -+ -+ for (i = 0; i < n; i++) { -+ shift_out = val[i] & 1; -+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); -+ shift_in = shift_out; -+ } -+} -+ -+/* extend the LSB of flag to all bits of limb */ -+static ossl_inline limb_t mk_mask(limb_t flag) -+{ -+ flag |= flag << 1; -+ flag |= flag << 2; -+ flag |= flag << 4; -+ flag |= flag << 8; -+ flag |= flag << 16; -+#if (LIMB_BYTE_SIZE == 8) -+ flag |= flag << 32; -+#endif -+ return flag; -+} -+ -+/* -+ * copy from either a or b to ret based on flag -+ * when flag == 0, then copies from b -+ * when flag == 1, then copies from a -+ */ -+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ /* -+ * would be more efficient with non volatile mask, but then gcc -+ * generates code with jumps -+ */ -+ volatile limb_t mask; -+ size_t i; -+ -+ mask = mk_mask(flag); -+ for (i = 0; i < n; i++) { -+#if (LIMB_BYTE_SIZE == 8) -+ ret[i] = constant_time_select_64(mask, a[i], b[i]); -+#else -+ ret[i] = constant_time_select_32(mask, a[i], b[i]); -+#endif -+ } -+} -+ -+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) -+{ -+ limb_t borrow1, borrow2, t; -+ /* -+ * while it doesn't look constant-time, this is idiomatic code -+ * to tell compilers to use the carry bit from subtraction -+ */ -+ -+ *ret = a - borrow; 
-+ if (*ret > a) -+ borrow1 = 1; -+ else -+ borrow1 = 0; -+ -+ t = *ret; -+ *ret = t - b; -+ if (*ret > t) -+ borrow2 = 1; -+ else -+ borrow2 = 0; -+ -+ return borrow1 + borrow2; -+} -+ -+/* -+ * place the result of a - b into ret, return the borrow bit. -+ * All arrays need to be n limbs long -+ */ -+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ limb_t borrow = 0; -+ ossl_ssize_t i; -+ -+ for (i = n - 1; i > -1; i--) -+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow); -+ -+ return borrow; -+} -+ -+/* return the number of limbs necessary to allocate for the mod() tmp operand */ -+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) -+{ -+ return (anum + modnum) * 3; -+} -+ -+/* -+ * calculate a % mod, place the result in ret -+ * size of a is defined by anum, size of ret and mod is modnum, -+ * size of tmp is returned by mod_limb_numb() -+ */ -+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, -+ size_t modnum, limb_t *tmp) -+{ -+ limb_t *atmp, *modtmp, *rettmp; -+ limb_t res; -+ size_t i; -+ -+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); -+ -+ atmp = tmp; -+ modtmp = &tmp[anum + modnum]; -+ rettmp = &tmp[(anum + modnum) * 2]; -+ -+ for (i = modnum; i 0; i--, rp--) { -+ v = _mul_add_limb(rp, mod, modnum, rp[modnum-1] * ni0, tmp2); -+ v = v + carry + rp[-1]; -+ carry |= (v != rp[-1]); -+ carry &= (v <= rp[-1]); -+ rp[-1] = v; -+ } -+ -+ /* perform the final reduction by mod... 
*/ -+ carry -= sub(ret, rp, mod, modnum); -+ -+ /* ...conditionally */ -+ cselect(carry, ret, rp, ret, modnum); -+} -+ -+/* allocated buffer should be freed afterwards */ -+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) -+{ -+ int i; -+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ limb_t *ptr = buf + (limbs - real_limbs); -+ -+ for (i = 0; i < real_limbs; i++) -+ ptr[i] = bn->d[real_limbs - i - 1]; -+} -+ -+#if LIMB_BYTE_SIZE == 8 -+static ossl_inline uint64_t be64(uint64_t host) -+{ -+ uint64_t big = 0; -+ DECLARE_IS_ENDIAN; -+ -+ if (!IS_LITTLE_ENDIAN) -+ return host; -+ -+ big |= (host & 0xff00000000000000) >> 56; -+ big |= (host & 0x00ff000000000000) >> 40; -+ big |= (host & 0x0000ff0000000000) >> 24; -+ big |= (host & 0x000000ff00000000) >> 8; -+ big |= (host & 0x00000000ff000000) << 8; -+ big |= (host & 0x0000000000ff0000) << 24; -+ big |= (host & 0x000000000000ff00) << 40; -+ big |= (host & 0x00000000000000ff) << 56; -+ return big; -+} -+ -+#else -+/* Not all platforms have htobe32(). */ -+static ossl_inline uint32_t be32(uint32_t host) -+{ -+ uint32_t big = 0; -+ DECLARE_IS_ENDIAN; -+ -+ if (!IS_LITTLE_ENDIAN) -+ return host; -+ -+ big |= (host & 0xff000000) >> 24; -+ big |= (host & 0x00ff0000) >> 8; -+ big |= (host & 0x0000ff00) << 8; -+ big |= (host & 0x000000ff) << 24; -+ return big; -+} -+#endif -+ -+/* -+ * We assume that intermediate, possible_arg2, blinding, and ctx are used -+ * similar to BN_BLINDING_invert_ex() arguments. -+ * to_mod is RSA modulus. -+ * buf and num is the serialization buffer and its length. -+ * -+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished -+ * we serialize the new structure instead of BIGNUMs taking endianness into account. 
-+ */ -+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -+ const BN_BLINDING *blinding, -+ const BIGNUM *possible_arg2, -+ const BIGNUM *to_mod, BN_CTX *ctx, -+ unsigned char *buf, int num) -+{ -+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; -+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; -+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; -+ size_t l_tmp_count = 0; -+ int ret = 0; -+ size_t i; -+ unsigned char *tmp; -+ const BIGNUM *arg1 = intermediate; -+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; -+ -+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ -+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; -+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); -+ -+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) -+ goto err; -+ -+ BN_to_limb(arg1, l_im, l_size); -+ BN_to_limb(arg2, l_mul, l_size); -+ BN_to_limb(to_mod, l_mod, l_mod_count); -+ -+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); -+ -+ if (blinding->m_ctx != NULL) { -+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? -+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); -+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -+ } else { -+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? 
-+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); -+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -+ } -+ -+ if ((l_ret == NULL) || (l_tmp == NULL)) -+ goto err; -+ -+ if (blinding->m_ctx != NULL) { -+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, -+ blinding->m_ctx->n0[0], l_tmp); -+ } else { -+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); -+ } -+ -+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ -+ if (num < BN_num_bytes(to_mod)) { -+ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT); -+ goto err; -+ } -+ -+ memset(buf, 0, num); -+ tmp = buf + num - BN_num_bytes(to_mod); -+ for (i = 0; i < l_mod_count; i++) { -+#if LIMB_BYTE_SIZE == 8 -+ l_buf = be64(l_ret[i]); -+#else -+ l_buf = be32(l_ret[i]); -+#endif -+ if (i == 0) { -+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); -+ -+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); -+ tmp += delta; -+ } else { -+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); -+ tmp += LIMB_BYTE_SIZE; -+ } -+ } -+ ret = num; -+ -+ err: -+ OPENSSL_free(l_im); -+ OPENSSL_free(l_mul); -+ OPENSSL_free(l_mod); -+ OPENSSL_free(l_tmp); -+ OPENSSL_free(l_ret); -+ -+ return ret; -+} -diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c -index 381c659352..7e8b791fba 100644 ---- a/crypto/rsa/rsa_ossl.c -+++ b/crypto/rsa/rsa_ossl.c -@@ -469,13 +469,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BN_free(d); - } - -- if (blinding) -- if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) -+ if (blinding) { -+ /* -+ * ossl_bn_rsa_do_unblind() combines blinding inversion and -+ * 0-padded BN BE serialization -+ */ -+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, -+ buf, num); -+ if (j == 0) - goto err; -- -- j = BN_bn2binpad(ret, buf, num); -- if (j < 0) -- goto err; -+ } 
else { -+ j = BN_bn2binpad(ret, buf, num); -+ if (j < 0) -+ goto err; -+ } - - switch (padding) { - case RSA_PKCS1_PADDING: -diff --git a/include/crypto/bn.h b/include/crypto/bn.h -index cf69bea848..cd45654210 100644 ---- a/include/crypto/bn.h -+++ b/include/crypto/bn.h -@@ -114,4 +114,10 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx); - - extern const BIGNUM ossl_bn_inv_sqrt_2; - -+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -+ const BN_BLINDING *blinding, -+ const BIGNUM *possible_arg2, -+ const BIGNUM *to_mod, BN_CTX *ctx, -+ unsigned char *buf, int num); -+ - #endif --- -2.39.1 - diff --git a/0103-CVE-2022-4450-pem-read-bio.patch b/0103-CVE-2022-4450-pem-read-bio.patch deleted file mode 100644 index 7d86395..0000000 --- a/0103-CVE-2022-4450-pem-read-bio.patch +++ /dev/null 
@@ -1,106 +0,0 @@
-From 63bcf189be73a9cc1264059bed6f57974be74a83 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Tue, 13 Dec 2022 14:54:55 +0000
-Subject: [PATCH 04/18] Avoid dangling ptrs in header and data params for
- PEM_read_bio_ex
-
-In the event of a failure in PEM_read_bio_ex() we free the buffers we
-allocated for the header and data buffers. However we were not clearing
-the ptrs stored in *header and *data. Since, on success, the caller is
-responsible for freeing these ptrs this can potentially lead to a double
-free if the caller frees them even on failure.
-
-Thanks to Dawei Wang for reporting this issue.
-
-Based on a proposed patch by Kurt Roeckx.
-
-CVE-2022-4450
-
-Reviewed-by: Paul Dale
-Reviewed-by: Hugo Landau
----
- crypto/pem/pem_lib.c | 2 ++
- 1 file changed, 2 insertions(+)
-
-diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c
-index f9ff80162a..85c47fb627 100644
---- a/crypto/pem/pem_lib.c
-+++ b/crypto/pem/pem_lib.c
-@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header,
-
- out_free:
- pem_free(*header, flags, 0);
-+ *header = NULL;
- pem_free(*data, flags, 0);
-+ *data = NULL;
- end:
- EVP_ENCODE_CTX_free(ctx);
- pem_free(name, flags, 0);
---
-2.39.1
-
-From cbafa34b5a057794c5c08cd4657038e1f643c1ac Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Tue, 13 Dec 2022 15:02:26 +0000
-Subject: [PATCH 05/18] Add a test for CVE-2022-4450
-
-Call PEM_read_bio_ex() and expect a failure. There should be no dangling
-ptrs and therefore there should be no double free if we free the ptrs on
-error.
-
-Reviewed-by: Paul Dale
-Reviewed-by: Hugo Landau
----
- test/pemtest.c | 30 ++++++++++++++++++++++++++++++
- 1 file changed, 30 insertions(+)
-
-diff --git a/test/pemtest.c b/test/pemtest.c
-index a8d2d49bb5..a5d28cb256 100644
---- a/test/pemtest.c
-+++ b/test/pemtest.c
-@@ -96,6 +96,35 @@ static int test_cert_key_cert(void)
- return 1;
- }
-
-+static int test_empty_payload(void)
-+{
-+ BIO *b;
-+ static char *emptypay =
-+ "-----BEGIN CERTIFICATE-----\n"
-+ "-\n" /* Base64 EOF character */
-+ "-----END CERTIFICATE-----";
-+ char *name = NULL, *header = NULL;
-+ unsigned char *data = NULL;
-+ long len;
-+ int ret = 0;
-+
-+ b = BIO_new_mem_buf(emptypay, strlen(emptypay));
-+ if (!TEST_ptr(b))
-+ return 0;
-+
-+ /* Expected to fail because the payload is empty */
-+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0)))
-+ goto err;
-+
-+ ret = 1;
-+ err:
-+ OPENSSL_free(name);
-+ OPENSSL_free(header);
-+ OPENSSL_free(data);
-+ BIO_free(b);
-+ return ret;
-+}
-+
- int setup_tests(void)
- {
- if (!TEST_ptr(pemfile = test_get_argument(0)))
-@@ -103,5 +132,6 @@ int setup_tests(void)
- ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data));
- ADD_TEST(test_invalid);
- ADD_TEST(test_cert_key_cert);
-+ ADD_TEST(test_empty_payload);
- return 1;
- }
---
-2.39.1
-
diff --git a/0104-CVE-2023-0215-UAF-bio.patch b/0104-CVE-2023-0215-UAF-bio.patch
deleted file mode 100644
index 4140219..0000000
--- a/0104-CVE-2023-0215-UAF-bio.patch
+++ /dev/null
@@ -1,187 +0,0 @@
-From 8818064ce3c3c0f1b740a5aaba2a987e75bfbafd Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Wed, 14 Dec 2022 16:18:14 +0000
-Subject: [PATCH 06/18] Fix a UAF resulting from a bug in BIO_new_NDEF
-
-If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will
-be part of an invalid BIO chain. This causes a "use after free" when the
-BIO is eventually freed.
-
-Based on an original patch by Viktor Dukhovni and an idea from Theo
-Buehler.
-
-Thanks to Octavio Galland for reporting this issue.
-
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
----
- crypto/asn1/bio_ndef.c | 40 ++++++++++++++++++++++++++++++++--------
- 1 file changed, 32 insertions(+), 8 deletions(-)
-
-diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c
-index d94e3a3644..b9df3a7a47 100644
---- a/crypto/asn1/bio_ndef.c
-+++ b/crypto/asn1/bio_ndef.c
-@@ -49,13 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg);
- static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen,
- void *parg);
-
--/* unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() */
-+/*
-+ * On success, the returned BIO owns the input BIO as part of its BIO chain.
-+ * On failure, NULL is returned and the input BIO is owned by the caller.
-+ *
-+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream()
-+ */
- BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
- {
- NDEF_SUPPORT *ndef_aux = NULL;
- BIO *asn_bio = NULL;
- const ASN1_AUX *aux = it->funcs;
- ASN1_STREAM_ARG sarg;
-+ BIO *pop_bio = NULL;
-
- if (!aux || !aux->asn1_cb) {
- ERR_raise(ERR_LIB_ASN1, ASN1_R_STREAMING_NOT_SUPPORTED);
-@@ -70,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
- out = BIO_push(asn_bio, out);
- if (out == NULL)
- goto err;
-+ pop_bio = asn_bio;
-
-- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free);
-- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free);
-+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0
-+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0
-+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0)
-+ goto err;
-
- /*
-- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure
-- * needs.
-+ * Now let the callback prepend any digest, cipher, etc., that the BIO's
-+ * ASN1 structure needs.
- */
-
- sarg.out = out;
- sarg.ndef_bio = NULL;
- sarg.boundary = NULL;
-
-- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0)
-+ /*
-+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the
-+ * middle of some partially built, but not returned BIO chain.
-+ */
-+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) {
-+ /*
-+ * ndef_aux is now owned by asn_bio so we must not free it in the err
-+ * clean up block
-+ */
-+ ndef_aux = NULL;
- goto err;
-+ }
-+
-+ /*
-+ * We must not fail now because the callback has prepended additional
-+ * BIOs to the chain
-+ */
-
- ndef_aux->val = val;
- ndef_aux->it = it;
-@@ -92,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it)
- ndef_aux->boundary = sarg.boundary;
- ndef_aux->out = out;
-
-- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux);
--
- return sarg.ndef_bio;
-
- err:
-+ /* BIO_pop() is NULL safe */
-+ (void)BIO_pop(pop_bio);
- BIO_free(asn_bio);
- OPENSSL_free(ndef_aux);
- return NULL;
---
-2.39.1
-
-From f596ec8a6f9f5fcfa8e46a73b60f78a609725294 Mon Sep 17 00:00:00 2001
-From: Matt Caswell
-Date: Wed, 14 Dec 2022 17:15:18 +0000
-Subject: [PATCH 07/18] Check CMS failure during BIO setup with -stream is
- handled correctly
-
-Test for the issue fixed in the previous commit
-
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
----
- test/recipes/80-test_cms.t | 15 +++++++++++++--
- test/smime-certs/badrsa.pem | 18 ++++++++++++++++++
- 2 files changed, 31 insertions(+), 2 deletions(-)
- create mode 100644 test/smime-certs/badrsa.pem
-
-diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
-index 610f1cbc51..fd53683e6b 100644
---- a/test/recipes/80-test_cms.t
-+++ b/test/recipes/80-test_cms.t
-@@ -13,7 +13,7 @@ use warnings;
- use POSIX;
- use File::Spec::Functions qw/catfile/;
- use File::Compare qw/compare_text compare/;
--use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/;
-+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/;
-
- use OpenSSL::Test::Utils;
-
-@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
-
- $no_rc2 = 1 if disabled("legacy");
-
--plan tests => 12;
-+plan tests => 13;
-
- ok(run(test(["pkcs7_test"])), "test pkcs7");
-
-@@ -972,3 +972,14 @@ ok(!run(app(['openssl', 'cms', '-verify',
-
- return "";
- }
-+
-+# Check that we get the expected failure return code
-+with({ exit_checker => sub { return shift == 6; } },
-+ sub {
-+ ok(run(app(['openssl', 'cms', '-encrypt',
-+ '-in', srctop_file("test", "smcont.txt"),
-+ '-stream', '-recip',
-+ srctop_file("test/smime-certs", "badrsa.pem"),
-+ ])),
-+ "Check failure during BIO setup with -stream is handled correctly");
-+ });
-diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem
-new file mode 100644
-index 0000000000..f824fc2267
---- /dev/null
-+++ b/test/smime-certs/badrsa.pem
-@@ -0,0 +1,18 @@
-+-----BEGIN CERTIFICATE-----
-+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD
-+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY
-+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN
-+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw
-+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A
-+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s
-+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0
-+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB
-+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww
-+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm
-+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW
-+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt
-+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d
-+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv
-+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/
-+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg=
-+-----END CERTIFICATE-----
---
-2.39.1
-
diff --git a/0105-CVE-2023-0216-pkcs7-deref.patch b/0105-CVE-2023-0216-pkcs7-deref.patch
deleted file mode 100644
index bbcd594..0000000
--- a/0105-CVE-2023-0216-pkcs7-deref.patch
+++ /dev/null
@@ -1,110 +0,0 @@
-From 934a04f0e775309cadbef0aa6b9692e1b12a76c6 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Mon, 16 Jan 2023 19:45:23 +0100
-Subject: [PATCH 08/18] Do not dereference PKCS7 object data if not set
-
-Fixes CVE-2023-0216
-
-Reviewed-by: Shane Lontis
-Reviewed-by: Paul Dale
----
- crypto/pkcs7/pk7_lib.c | 16 ++++++++++++----
- 1 file changed, 12 insertions(+), 4 deletions(-)
-
-diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c
-index 753f1276e6..936e50da54 100644
---- a/crypto/pkcs7/pk7_lib.c
-+++ b/crypto/pkcs7/pk7_lib.c
-@@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey,
-
- static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
- {
-+ if (p7->d.ptr == NULL)
-+ return NULL;
- if (PKCS7_type_is_signed(p7))
- return p7->d.sign->cert;
- if (PKCS7_type_is_signedAndEnveloped(p7))
-@@ -423,6 +425,8 @@ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7)
-
- static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7)
- {
-+ if (p7->d.ptr == NULL)
-+ return NULL;
- if (PKCS7_type_is_signedAndEnveloped(p7))
- return p7->d.signed_and_enveloped->recipientinfo;
- if (PKCS7_type_is_enveloped(p7))
-@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7)
- const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7);
- OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx);
- const char *propq = ossl_pkcs7_ctx_get0_propq(ctx);
-- STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7);
-- STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7);
-- STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7);
-+ STACK_OF(PKCS7_RECIP_INFO) *rinfos;
-+ STACK_OF(PKCS7_SIGNER_INFO) *sinfos;
-+ STACK_OF(X509) *certs;
-
-- if (ctx == NULL)
-+ if (ctx == NULL || p7->d.ptr == NULL)
- return;
-
-+ rinfos = pkcs7_get_recipient_info(p7);
-+ sinfos = PKCS7_get_signer_info(p7);
-+ certs = pkcs7_get_signer_certs(p7);
-+
- for (i = 0; i < sk_X509_num(certs); i++)
- ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq);
-
---
-2.39.1
-
-From 67813d8a4d110f4174bbd2fee8a2f15388e324b5 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Mon, 16 Jan 2023 19:56:20 +0100
-Subject: [PATCH 09/18] Add test for d2i_PKCS7 NULL dereference
-
-Reviewed-by: Shane Lontis
-Reviewed-by: Paul Dale
----
- test/recipes/25-test_pkcs7.t | 7 +++++--
- test/recipes/25-test_pkcs7_data/malformed.pkcs7 | 3 +++
- 2 files changed, 8 insertions(+), 2 deletions(-)
- create mode 100644 test/recipes/25-test_pkcs7_data/malformed.pkcs7
-
-diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t
-index 37cd43dc6b..d61cd6abad 100644
---- a/test/recipes/25-test_pkcs7.t
-+++ b/test/recipes/25-test_pkcs7.t
-@@ -11,11 +11,11 @@ use strict;
- use warnings;
-
- use File::Spec;
--use OpenSSL::Test qw/:DEFAULT srctop_file/;
-+use OpenSSL::Test qw/:DEFAULT srctop_file data_file/;
-
- setup("test_pkcs7");
-
--plan tests => 3;
-+plan tests => 4;
-
- require_ok(srctop_file('test','recipes','tconversion.pl'));
-
-@@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub {
- tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"),
- -args => ["pkcs7"] );
- };
-+
-+my $malformed = data_file('malformed.pkcs7');
-+ok(run(app(["openssl", "pkcs7", "-in", $malformed])));
-diff --git a/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
-new file mode 100644
-index 0000000000..e30d1b582c
---- /dev/null
-+++ b/test/recipes/25-test_pkcs7_data/malformed.pkcs7
-@@ -0,0 +1,3 @@
-+-----BEGIN PKCS7-----
-+MAsGCSqGSIb3DQEHAg==
-+-----END PKCS7-----
---
-2.39.1
-
diff --git a/0106-CVE-2023-0217-dsa.patch b/0106-CVE-2023-0217-dsa.patch
deleted file mode 100644
index d2db996..0000000
--- a/0106-CVE-2023-0217-dsa.patch
+++ /dev/null
@@ -1,404 +0,0 @@
-From 23985bac83fd50c8e29431009302b5442f985096 Mon Sep 17 00:00:00 2001
-From: slontis
-Date: Wed, 11 Jan 2023 11:05:04 +1000
-Subject: [PATCH 10/18] Fix NULL deference when validating FFC public key.
-
-Fixes CVE-2023-0217
-
-When attempting to do a BN_Copy of params->p there was no NULL check.
-Since BN_copy does not check for NULL this is a NULL reference.
-
-As an aside BN_cmp() does do a NULL check, so there are other checks
-that fail because a NULL is passed. A more general check for NULL params
-has been added for both FFC public and private key validation instead.
-
-Reviewed-by: Matt Caswell
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
----
- crypto/ffc/ffc_key_validate.c | 9 +++++++++
- include/internal/ffc.h | 1 +
- test/ffc_internal_test.c | 31 +++++++++++++++++++++++++++++++
- 3 files changed, 41 insertions(+)
-
-diff --git a/crypto/ffc/ffc_key_validate.c b/crypto/ffc/ffc_key_validate.c
-index 9f6525a2c8..442303e4b3 100644
---- a/crypto/ffc/ffc_key_validate.c
-+++ b/crypto/ffc/ffc_key_validate.c
-@@ -24,6 +24,11 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params,
- BN_CTX *ctx = NULL;
-
- *ret = 0;
-+ if (params == NULL || pub_key == NULL || params->p == NULL) {
-+ *ret = FFC_ERROR_PASSED_NULL_PARAM;
-+ return 0;
-+ }
-+
- ctx = BN_CTX_new_ex(NULL);
- if (ctx == NULL)
- goto err;
-@@ -107,6 +112,10 @@ int ossl_ffc_validate_private_key(const BIGNUM *upper, const BIGNUM *priv,
-
- *ret = 0;
-
-+ if (priv == NULL || upper == NULL) {
-+ *ret = FFC_ERROR_PASSED_NULL_PARAM;
-+ goto err;
-+ }
- if (BN_cmp(priv, BN_value_one()) < 0) {
- *ret |= FFC_ERROR_PRIVKEY_TOO_SMALL;
- goto err;
-diff --git a/include/internal/ffc.h b/include/internal/ffc.h
-index 732514a6c2..b8b7140857 100644
---- a/include/internal/ffc.h
-+++ b/include/internal/ffc.h
-@@ -76,6 +76,7 @@
- # define FFC_ERROR_NOT_SUITABLE_GENERATOR 0x08
- # define FFC_ERROR_PRIVKEY_TOO_SMALL 0x10
- # define FFC_ERROR_PRIVKEY_TOO_LARGE 0x20
-+# define FFC_ERROR_PASSED_NULL_PARAM 0x40
-
- /*
- * Finite field cryptography (FFC) domain parameters are used by DH and DSA.
-diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c
-index 2c97293573..9f67bd29b9 100644
---- a/test/ffc_internal_test.c
-+++ b/test/ffc_internal_test.c
-@@ -510,6 +510,27 @@ static int ffc_public_validate_test(void)
- if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res)))
- goto err;
-
-+ /* Fail if params is NULL */
-+ if (!TEST_false(ossl_ffc_validate_public_key(NULL, pub, &res)))
-+ goto err;
-+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
-+ goto err;
-+ res = -1;
-+ /* Fail if pubkey is NULL */
-+ if (!TEST_false(ossl_ffc_validate_public_key(params, NULL, &res)))
-+ goto err;
-+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
-+ goto err;
-+ res = -1;
-+
-+ BN_free(params->p);
-+ params->p = NULL;
-+ /* Fail if params->p is NULL */
-+ if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res)))
-+ goto err;
-+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
-+ goto err;
-+
- ret = 1;
- err:
- DH_free(dh);
-@@ -567,6 +588,16 @@ static int ffc_private_validate_test(void)
- if (!TEST_true(ossl_ffc_validate_private_key(params->q, priv, &res)))
- goto err;
-
-+ if (!TEST_false(ossl_ffc_validate_private_key(NULL, priv, &res)))
-+ goto err;
-+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
-+ goto err;
-+ res = -1;
-+ if (!TEST_false(ossl_ffc_validate_private_key(params->q, NULL, &res)))
-+ goto err;
-+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res))
-+ goto err;
-+
- ret = 1;
- err:
- DH_free(dh);
---
-2.39.1
-
-From c1b4467a7cc129a74fc5205b80a5c47556b99416 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Fri, 13 Jan 2023 17:57:59 +0100
-Subject: [PATCH 11/18] Prevent creating DSA and DH keys without parameters
- through import
-
-Reviewed-by: Matt Caswell
-Reviewed-by: Paul Dale
----
- providers/implementations/keymgmt/dh_kmgmt.c | 4 ++--
- providers/implementations/keymgmt/dsa_kmgmt.c | 5 +++--
- 2 files changed, 5 insertions(+), 4 deletions(-)
-
-diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c
-index 58a5fd009f..c2d87b4a7f 100644
---- a/providers/implementations/keymgmt/dh_kmgmt.c
-+++ b/providers/implementations/keymgmt/dh_kmgmt.c
-@@ -198,8 +198,8 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[])
- if ((selection & DH_POSSIBLE_SELECTIONS) == 0)
- return 0;
-
-- if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0)
-- ok = ok && ossl_dh_params_fromdata(dh, params);
-+ /* a key without parameters is meaningless */
-+ ok = ok && ossl_dh_params_fromdata(dh, params);
-
- if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
- int include_private =
-diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c
-index 100e917167..881680c085 100644
---- a/providers/implementations/keymgmt/dsa_kmgmt.c
-+++ b/providers/implementations/keymgmt/dsa_kmgmt.c
-@@ -199,8 +199,9 @@ static int dsa_import(void *keydata, int selection, const OSSL_PARAM params[])
- if ((selection & DSA_POSSIBLE_SELECTIONS) == 0)
- return 0;
-
-- if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0)
-- ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params);
-+ /* a key without parameters is meaningless */
-+ ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params);
-+
- if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) {
- int include_private =
- selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0;
---
-2.39.1
-
-From fab4973801bdc11c29c4c8ccf65cf39cbc63ce9b Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Fri, 13 Jan 2023 17:59:52 +0100
-Subject: [PATCH 12/18] Do not create DSA keys without parameters by decoder
-
-Reviewed-by: Matt Caswell
-Reviewed-by: Paul Dale
----
- crypto/x509/x_pubkey.c | 24 +++++++++++++++++++
- include/crypto/x509.h | 3 +++
- .../encode_decode/decode_der2key.c | 2 +-
- 3 files changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c
-index bc90ddd89b..77790faa1f 100644
---- a/crypto/x509/x_pubkey.c
-+++ b/crypto/x509/x_pubkey.c
-@@ -745,6 +745,30 @@ DSA *d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length)
- return key;
- }
-
-+/* Called from decoders; disallows provided DSA keys without parameters. */
-+DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length)
-+{
-+ DSA *key = NULL;
-+ const unsigned char *data;
-+ const BIGNUM *p, *q, *g;
-+
-+ data = *pp;
-+ key = d2i_DSA_PUBKEY(NULL, &data, length);
-+ if (key == NULL)
-+ return NULL;
-+ DSA_get0_pqg(key, &p, &q, &g);
-+ if (p == NULL || q == NULL || g == NULL) {
-+ DSA_free(key);
-+ return NULL;
-+ }
-+ *pp = data;
-+ if (a != NULL) {
-+ DSA_free(*a);
-+ *a = key;
-+ }
-+ return key;
-+}
-+
- int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp)
- {
- EVP_PKEY *pktmp;
-diff --git a/include/crypto/x509.h b/include/crypto/x509.h
-index 1f00178e89..0c42730ee9 100644
---- a/include/crypto/x509.h
-+++ b/include/crypto/x509.h
-@@ -339,6 +339,9 @@ void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub);
-
- RSA *ossl_d2i_RSA_PSS_PUBKEY(RSA **a, const unsigned char **pp, long length);
- int ossl_i2d_RSA_PSS_PUBKEY(const RSA *a, unsigned char **pp);
-+# ifndef OPENSSL_NO_DSA
-+DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length);
-+# endif /* OPENSSL_NO_DSA */
- # ifndef OPENSSL_NO_DH
- DH *ossl_d2i_DH_PUBKEY(DH **a, const unsigned char **pp, long length);
- int ossl_i2d_DH_PUBKEY(const DH *a, unsigned char **pp);
-diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c
-index ebc2d24833..d6ad738ef3 100644
---- a/providers/implementations/encode_decode/decode_der2key.c
-+++ b/providers/implementations/encode_decode/decode_der2key.c
-@@ -374,7 +374,7 @@ static void *dsa_d2i_PKCS8(void **key, const unsigned char **der, long der_len,
- (key_from_pkcs8_t *)ossl_dsa_key_from_pkcs8);
- }
-
--# define dsa_d2i_PUBKEY (d2i_of_void *)d2i_DSA_PUBKEY
-+# define dsa_d2i_PUBKEY (d2i_of_void *)ossl_d2i_DSA_PUBKEY
- # define dsa_free (free_key_fn *)DSA_free
- # define dsa_check NULL
-
---
-2.39.1
-
-From 7e37185582995b35f885fec9dcc3670af9ffcbef Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Fri, 13 Jan 2023 18:46:15 +0100
-Subject: [PATCH 13/18] Add test for DSA pubkey without param import and check
-
-Reviewed-by: Matt Caswell
-Reviewed-by: Paul Dale
----
- test/recipes/91-test_pkey_check.t | 48 ++++++++++++++----
- .../91-test_pkey_check_data/dsapub.pem | 12 +++++
- .../dsapub_noparam.der | Bin 0 -> 108 bytes
- 3 files changed, 49 insertions(+), 11 deletions(-)
- create mode 100644 test/recipes/91-test_pkey_check_data/dsapub.pem
- create mode 100644 test/recipes/91-test_pkey_check_data/dsapub_noparam.der
-
-diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t
-index 612a3e3d6c..015d7805db 100644
---- a/test/recipes/91-test_pkey_check.t
-+++ b/test/recipes/91-test_pkey_check.t
-@@ -11,19 +11,24 @@ use strict;
- use warnings;
-
- use File::Spec;
--use OpenSSL::Test qw/:DEFAULT data_file/;
-+use OpenSSL::Test qw/:DEFAULT data_file with/;
- use OpenSSL::Test::Utils;
-
- sub pkey_check {
- my $f = shift;
-+ my $pubcheck = shift;
-+ my @checkopt = ('-check');
-
-- return run(app(['openssl', 'pkey', '-check', '-text',
-+ @checkopt = ('-pubcheck', '-pubin') if $pubcheck;
-+
-+ return run(app(['openssl', 'pkey', @checkopt, '-text',
- '-in', $f]));
- }
-
- sub check_key {
- my $f = shift;
- my $should_fail = shift;
-+ my $pubcheck = shift;
- my $str;
-
-
-@@ -33,11 +38,10 @@ sub check_key {
- $f = data_file($f);
-
- if ( -s $f ) {
-- if ($should_fail) {
-- ok(!pkey_check($f), $str);
-- } else {
-- ok(pkey_check($f), $str);
-- }
-+ with({ exit_checker => sub { return shift == $should_fail; } },
-+ sub {
-+ ok(pkey_check($f, $pubcheck), $str);
-+ });
- } else {
- fail("Missing file $f");
- }
-@@ -66,15 +70,37 @@ push(@positive_tests, (
- "dhpkey.pem"
- )) unless disabled("dh");
-
-+my @negative_pubtests = ();
-+
-+push(@negative_pubtests, (
-+ "dsapub_noparam.der"
-+ )) unless disabled("dsa");
-+
-+my @positive_pubtests = ();
-+
-+push(@positive_pubtests, (
-+ "dsapub.pem"
-+ )) unless disabled("dsa");
-+
- plan skip_all => "No tests within the current enabled feature set"
-- unless @negative_tests && @positive_tests;
-+ unless @negative_tests && @positive_tests
-+ && @negative_pubtests && @positive_pubtests;
-
--plan tests => scalar(@negative_tests) + scalar(@positive_tests);
-+plan tests => scalar(@negative_tests) + scalar(@positive_tests)
-+ + scalar(@negative_pubtests) + scalar(@positive_pubtests);
-
- foreach my $t (@negative_tests) {
-- check_key($t, 1);
-+ check_key($t, 1, 0);
- }
-
- foreach my $t (@positive_tests) {
-- check_key($t, 0);
-+ check_key($t, 0, 0);
-+}
-+
-+foreach my $t (@negative_pubtests) {
-+ check_key($t, 1, 1);
-+}
-+
-+foreach my $t (@positive_pubtests) {
-+ check_key($t, 0, 1);
- }
-diff --git a/test/recipes/91-test_pkey_check_data/dsapub.pem b/test/recipes/91-test_pkey_check_data/dsapub.pem
-new file mode 100644
-index 0000000000..0ff4bd83ed
---- /dev/null
-+++ b/test/recipes/91-test_pkey_check_data/dsapub.pem
-@@ -0,0 +1,12 @@
-+-----BEGIN PUBLIC KEY-----
-+MIIBvzCCATQGByqGSM44BAEwggEnAoGBAIjbXpOVVciVNuagg26annKkghIIZFI4
-+4WdMomnV+I/oXyxHbZTBBBpW9xy/E1+yMjbp4GmX+VxyDj3WxUWxXllzL+miEkzD
-+9Xz638VzIBhjFbMvk1/N4kS4bKVUd9yk7HfvYzAdnRphk0WI+RoDiDrBNPPxSoQD
-+CEWgvwgsLIDhAh0A6dbz1IQpQwGF4+Ca28x6OO+UfJJv3ggeZ++fNwKBgQCA9XKV
-+lRrTY8ALBxS0KbZjpaIXuUj5nr3i1lIDyP3ISksDF0ekyLtn6eK9VijX6Pm65Np+
-+4ic9Nr5WKLKhPaUSpLNRx1gDqo3sd92hYgiEUifzEuhLYfK/CsgFED+l2hDXtJUq
-+bISNSHVwI5lsyNXLu7HI1Fk8F5UO3LqsboFAngOBhAACgYATxFY89nEYcUhgHGgr
-+YDHhXBQfMKnTKYdvon4DN7WQ9ip+t4VUsLpTD1ZE9zrM2R/B04+8C6KGoViwyeER
-+kS4dxWOkX71x4X2DlNpYevcR53tNcTDqmMD7YKfDDmrb0lftMyfW8aESaiymVMys
-+DRjhKHBjdo0rZeSM8DAk3ctrXA==
-+-----END PUBLIC KEY-----
-diff --git a/test/recipes/91-test_pkey_check_data/dsapub_noparam.der b/test/recipes/91-test_pkey_check_data/dsapub_noparam.der
-new file mode 100644
-index 0000000000000000000000000000000000000000..b8135f1ca94da914b6829421e0c13f6daa731862
-GIT binary patch
-literal 108
-zcmXpIGT>xm*J|@PXTieE%*wz71|F5F-Nv0Bz9(=Kufz
-
-literal 0
-HcmV?d00001
-
---
-2.39.1
-
-From 2ad9928170768653d19d81881deabc5f9c1665c0 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Fri, 3 Feb 2023 14:57:04 +0100
-Subject: [PATCH 18/18] Internaly declare the DSA type for no-deprecated builds
-
-Reviewed-by: Hugo Landau
-Reviewed-by: Richard Levitte
-(cherry picked from commit 7a21a1b5fa2dac438892cf3292d1f9c445d870d9)
----
- include/crypto/types.h | 3 +++
- 1 file changed, 3 insertions(+)
-
-diff --git a/include/crypto/types.h b/include/crypto/types.h
-index 0d81404091..0a75f03a3f 100644
---- a/include/crypto/types.h
-+++ b/include/crypto/types.h
-@@ -20,6 +20,9 @@ typedef struct rsa_meth_st RSA_METHOD;
- typedef struct ec_key_st EC_KEY;
- typedef struct ec_key_method_st EC_KEY_METHOD;
- # endif
-+# ifndef OPENSSL_NO_DSA
-+typedef struct dsa_st DSA;
-+# endif
- # endif
-
- # ifndef OPENSSL_NO_EC
---
-2.39.1
-
diff --git a/0107-CVE-2023-0286-X400.patch b/0107-CVE-2023-0286-X400.patch
deleted file mode 100644
index b3d7a15..0000000
--- a/0107-CVE-2023-0286-X400.patch
+++ /dev/null
@@ -1,63 +0,0 @@
-From 2f7530077e0ef79d98718138716bc51ca0cad658 Mon Sep 17 00:00:00 2001
-From: Hugo Landau
-Date: Tue, 17 Jan 2023 17:45:42 +0000
-Subject: [PATCH 14/18] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address
- (3.0)
-
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
----
- CHANGES.md | 19 +++++++++++++++++++
- crypto/x509/v3_genn.c | 2 +-
- include/openssl/x509v3.h.in | 2 +-
- test/v3nametest.c | 8 ++++++++
- 4 files changed, 29 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c
-index c0a7166cd0..1741c2d2f6 100644
---- a/crypto/x509/v3_genn.c
-+++ b/crypto/x509/v3_genn.c
-@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b)
- return -1;
- switch (a->type) {
- case GEN_X400:
-- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address);
-+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address);
- break;
-
- case GEN_EDIPARTY:
-diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in
-index d00a66a343..c087e3cf92 100644
---- a/include/openssl/x509v3.h.in
-+++ b/include/openssl/x509v3.h.in
-@@ -154,7 +154,7 @@ typedef struct GENERAL_NAME_st {
- OTHERNAME *otherName; /* otherName */
- ASN1_IA5STRING *rfc822Name;
- ASN1_IA5STRING *dNSName;
-- ASN1_TYPE *x400Address;
-+ ASN1_STRING *x400Address;
- X509_NAME *directoryName;
- EDIPARTYNAME *ediPartyName;
- ASN1_IA5STRING *uniformResourceIdentifier;
-diff --git a/test/v3nametest.c b/test/v3nametest.c
-index 6d2e2f8e27..0341995dde 100644
---- a/test/v3nametest.c
-+++ b/test/v3nametest.c
-@@ -644,6 +644,14 @@ static struct gennamedata {
- 0xb7, 0x09, 0x02, 0x02
- },
- 15
-+ }, {
-+ /*
-+ * Regression test for CVE-2023-0286.
-+ */
-+ {
-+ 0xa3, 0x00
-+ },
-+ 2
- }
- };
-
---
-2.39.1
-
diff --git a/0108-CVE-2023-0401-pkcs7-md.patch b/0108-CVE-2023-0401-pkcs7-md.patch
deleted file mode 100644
index 7608f56..0000000
--- a/0108-CVE-2023-0401-pkcs7-md.patch
+++ /dev/null
@@ -1,150 +0,0 @@
-From d3b6dfd70db844c4499bec6ad6601623a565e674 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Wed, 18 Jan 2023 09:27:53 +0100
-Subject: [PATCH 15/18] pk7_doit.c: Check return of BIO_set_md() calls
-
-These calls invoke EVP_DigestInit() which can fail for digests
-with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write()
-or EVP_DigestFinal() from BIO_read() will segfault on NULL
-dereference. This can be triggered by an attacker providing
-PKCS7 data digested with MD4 for example if the legacy provider
-is not loaded.
-
-If BIO_set_md() fails the md BIO cannot be used.
-
-CVE-2023-0401
-
-Reviewed-by: Paul Dale
-Reviewed-by: Dmitry Belyavskiy
----
- crypto/pkcs7/pk7_doit.c | 12 ++++++++++--
- 1 file changed, 10 insertions(+), 2 deletions(-)
-
-diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c
-index bde9ac4787..5e562fbea5 100644
---- a/crypto/pkcs7/pk7_doit.c
-+++ b/crypto/pkcs7/pk7_doit.c
-@@ -84,7 +84,11 @@ static int pkcs7_bio_add_digest(BIO **pbio, X509_ALGOR *alg,
- }
- (void)ERR_pop_to_mark();
-
-- BIO_set_md(btmp, md);
-+ if (BIO_set_md(btmp, md) <= 0) {
-+ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB);
-+ EVP_MD_free(fetched);
-+ goto err;
-+ }
- EVP_MD_free(fetched);
- if (*pbio == NULL)
- *pbio = btmp;
-@@ -522,7 +526,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert)
- }
- (void)ERR_pop_to_mark();
-
-- BIO_set_md(btmp, md);
-+ if (BIO_set_md(btmp, md) <= 0) {
-+ EVP_MD_free(evp_md);
-+ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB);
-+ goto err;
-+ }
- EVP_MD_free(evp_md);
- if (out == NULL)
- out = btmp;
---
-2.39.1
-
-From a0f2359613f50b5ca6b74b78bf4b54d7dc925fd2 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Wed, 18 Jan 2023 17:07:24 +0100
-Subject: [PATCH 16/18] Add testcase for missing return check of BIO_set_md()
- calls
-
-Reviewed-by: Paul Dale
-Reviewed-by: Dmitry Belyavskiy
----
- test/recipes/80-test_cms.t | 15 ++++++++--
- test/recipes/80-test_cms_data/pkcs7-md4.pem | 32 +++++++++++++++++++++
- 2 files changed, 45 insertions(+), 2 deletions(-)
- create mode 100644 test/recipes/80-test_cms_data/pkcs7-md4.pem
-
-diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
-index fd53683e6b..d45789de70 100644
---- a/test/recipes/80-test_cms.t
-+++ b/test/recipes/80-test_cms.t
-@@ -13,7 +13,7 @@ use warnings;
- use POSIX;
- use File::Spec::Functions qw/catfile/;
- use File::Compare qw/compare_text compare/;
--use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/;
-+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/;
-
- use OpenSSL::Test::Utils;
-
-@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib)
-
- $no_rc2 = 1 if disabled("legacy");
-
--plan tests => 13;
-+plan tests => 14;
-
- ok(run(test(["pkcs7_test"])), "test pkcs7");
-
-@@ -941,6 +941,17 @@ subtest "CMS binary input tests\n" => sub {
- "verify binary input with -binary missing -crlfeol");
- };
-
-+# Test case for missing MD algorithm (must not segfault)
-+
-+with({ exit_checker => sub { return shift == 4; } },
-+ sub {
-+ ok(run(app(['openssl', 'smime', '-verify', '-noverify',
-+ '-inform', 'PEM',
-+ '-in', data_file("pkcs7-md4.pem"),
-+ ])),
-+ "Check failure of EVP_DigestInit is handled correctly");
-+ });
-+
- sub check_availability {
- my $tnam = shift;
-
-diff --git a/test/recipes/80-test_cms_data/pkcs7-md4.pem b/test/recipes/80-test_cms_data/pkcs7-md4.pem
-new file mode 100644
-index 0000000000..ecff611deb
---- /dev/null
-+++ b/test/recipes/80-test_cms_data/pkcs7-md4.pem
-@@ -0,0 +1,32 @@
-+-----BEGIN PKCS7-----
-+MIIFhAYJKoZIhvcNAQcCoIIFdTCCBXECAQExDjAMBggqhkiG9w0CBAUAMB0GCSqG
-+SIb3DQEHAaAQBA5UZXN0IGNvbnRlbnQNCqCCAyQwggMgMIICCKADAgECAgECMA0G
-+CSqGSIb3DQEBCwUAMA0xCzAJBgNVBAMMAkNBMCAXDTE2MDExNTA4MTk0OVoYDzIx
-+MTYwMTE2MDgxOTQ5WjAZMRcwFQYDVQQDDA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJ
-+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU
-+fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC
-+76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz
-+BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl
-+V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv
-+0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaN9
-+MHswHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4HmCKX4XOiMB8GA1UdIwQYMBaAFLQR
-+M/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH
-+AwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1wbGUwDQYJKoZIhvcNAQELBQADggEB
-+AEG0PE9hQuXlvtUULv9TQ2BXy9MmTjOk+dQwxDhAXYBYMUB6TygsqvPXwpDwz8MS
-+EPGCRqh5cQwtPoElQRU1i4URgcQMZquXScwNFcvE6AATF/PdN/+mOwtqFrlpYfs3
-+IJIpYL6ViQg4n8pv+b/pCwMmhewQLwCGs9+omHNTOwKjEiVoNaprAfj5Lxt15fS2
-++zZW0mT9Y4kfEypetrqSAjh8CDK+vaQhkeKdDfJyBfjS4ALfxvCkT3mQnsWFJ9CU
-+TVG3uw6ylSPT3wN3RE0Ofa4rI5PESogQsd/DgBc7dcDO3yoPKGjycR3/GJDqqCxC
-+e9dr6FJEnDjaDf9zNWyTFHExggITMIICDwIBATASMA0xCzAJBgNVBAMMAkNBAgEC
-+MAwGCCqGSIb3DQIEBQCggdQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq
-+hkiG9w0BCQUxDxcNMjMwMTE4MTU0NzExWjAfBgkqhkiG9w0BCQQxEgQQRXO4TKpp
-+RgA4XHb8bD1pczB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgB
-+ZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN
-+BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0B
-+AQEFAASCAQAe+xlm/TGg/s/7b0xBc3FFnmmUDEe7ljkehIx61OnBV9ZWA+LcBX/7
-+kmMSMdaHjRq4w8FmwBMLzn0ttXVqf0QuPbBF/E6X5EqK9lpOdkUQhNiN2v+ZfY6c
-+lrH4ADsSD9D+UHw0sxo5KEF+PPuneUfYCJZosFUJosBbuSEXK0C9yfJoDKVE8Syp
-+0vdqh73ogLeNgZLAUGSSB66OmHDxwgAj4qPAv6FHFBy1Xs4uFZER5vniYrH9OrAk
-+Z6XdvzDoYZC4XcGMDtcOpOM6D4owqy5svHPDw8wIlM4GVhrTw7CQmuBz5uRNnf6a
-+ZK3jZIxG1hr/INaNWheHoPIhPblYaVc6
-+-----END PKCS7-----
---
-2.39.1
-
diff --git a/0109-fips-Zeroize-out-in-fips-selftest.patch b/0109-fips-Zeroize-out-in-fips-selftest.patch
deleted file mode 100644
index 3cd48df..0000000
--- a/0109-fips-Zeroize-out-in-fips-selftest.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-From 9dbc6069665690bd238caa7622647ea8ac94124f Mon Sep 17 00:00:00 2001
-From: Clemens Lang
-Date: Mon, 13 Feb 2023 11:01:44 +0100
-Subject: fips: Zeroize `out` in fips selftest
-
-Signed-off-by: Clemens Lang
-Resolves: rhbz#2169314
----
- providers/fips/self_test.c | 1 +
- 1 file changed, 1 insertion(+)
-
-diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
-index 80d048a847..11a989209c 100644
---- a/providers/fips/self_test.c
-+++ b/providers/fips/self_test.c
-@@ -221,6 +221,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex
- goto err;
- ret = 1;
- err:
-+ OPENSSL_cleanse(out, sizeof(out));
- OSSL_SELF_TEST_onend(ev, ret);
- EVP_MAC_CTX_free(ctx);
- EVP_MAC_free(mac);
---
-2.39.1
-
diff --git a/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch b/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
index 5cb8ce4..4d80b9c 100644
--- a/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
+++ b/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
@@ -12,24 +12,12 @@ internally at its entirety randomly." Resolves: rhbz#2168289
Signed-off-by: Clemens Lang --- - include/openssl/core_names.h | 1 + include/openssl/evp.h | 4 +++ .../implementations/ciphers/ciphercommon.c | 4 +++ .../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++ - 4 files changed, 34 insertions(+) + util/perl/OpenSSL/paramnames.pm | 5 ++-- + 4 files changed, 36 insertions(+), 2 deletions(-) -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 680bfbc7cc..832502a034 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -97,6 +97,7 @@ extern "C" { - #define OSSL_CIPHER_PARAM_CTS_MODE "cts_mode" /* utf8_string */ - /* For passing the AlgorithmIdentifier parameter in DER form */ - #define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS "alg_id_param" /* octet_string */ -+#define OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */ - - #define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \ - "tls1multi_maxsndfrag" /* uint */ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 49e8e1df78..ec2ba46fbd 100644 --- a/include/openssl/evp.h @@ -44,7 +32,7 @@ index 49e8e1df78..ec2ba46fbd 100644 + __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, const unsigned char *key, const unsigned char *iv); - /*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, + __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c index fa383165d8..716add7339 100644 --- a/providers/implementations/ciphers/ciphercommon.c @@ -64,9 +52,9 @@ diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/im index ed95c97ff4..db7910eb0e 100644 --- a/providers/implementations/ciphers/ciphercommon_gcm.c 
+++ b/providers/implementations/ciphers/ciphercommon_gcm.c -@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) - || !getivgen(ctx, p->data, p->data_size)) - return 0; +@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) + break; + } } + + /* We would usually hide this under #ifdef FIPS_MODULE, but @@ -96,6 +84,22 @@ index ed95c97ff4..db7910eb0e 100644 return 1; } +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index a109e44521..64e9809387 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -101,8 +101,9 @@ my %params = ( + 'CIPHER_PARAM_SPEED' => "speed", # uint + 'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string + # For passing the AlgorithmIdentifier parameter in DER form +- 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string +- 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string ++ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string ++ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int ++ 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string + + 'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint + 'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE' => "tls1multi_maxbufsz", # size_t -- 2.39.1 diff --git a/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch b/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch deleted file mode 100644 index 3868089..0000000 --- a/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch +++ /dev/null 
@@ -1,82 +0,0 @@
-From 56090fca0a0c8b6cf1782aced0a02349358aae7d Mon Sep 17 00:00:00 2001
-From: Clemens Lang
-Date: Fri, 3 Mar 2023 12:22:03 +0100
-Subject: [PATCH 1/2] fips: Use salt >= 16 bytes in PBKDF2 selftest
-
-NIST SP 800-132 [1] section 5.1 says "[t]he length of the
-randomly-generated portion of the salt shall be at least
-128 bits", which implies that the salt for PBKDF2 must be at least 16
-bytes long (see also Appendix A.2.1).
-
-The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the
-properties of the Password and Salt parameters, as well as the desired
-length of the Master Key used in a CAST shall be among those supported
-by the module in the approved mode."
-
-As a consequence, the salt length in the self test must be at least 16
-bytes long for FIPS 140-3 compliance. Switch the self test to use the
-only test vector from RFC 6070 that uses salt that is long enough to
-fulfil this requirement. Since RFC 6070 does not provide expected
-results for PBKDF2 with HMAC-SHA256, use the output from [3], which was
-generated with python cryptography, which was tested against the RFC
-6070 vectors with HMAC-SHA1.
-
- [1]: https://doi.org/10.6028/NIST.SP.800-132
- [2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf
- [3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md
-
-Signed-off-by: Clemens Lang
-
-Reviewed-by: Paul Dale
-Reviewed-by: Dmitry Belyavskiy
-Reviewed-by: Tomas Mraz
-(Merged from https://github.com/openssl/openssl/pull/20429)
-
-(cherry picked from commit 451cb23c41c90d5a02902b3a77551aa9ee1c6956)
----
- providers/fips/self_test_data.inc | 22 ++++++++++++++++------
- 1 file changed, 16 insertions(+), 6 deletions(-)
-
-diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc
-index 8ae8cd6f4a..03adf28f3c 100644
---- a/providers/fips/self_test_data.inc
-+++ b/providers/fips/self_test_data.inc
-@@ -361,19 +361,29 @@ static const ST_KAT_PARAM x963kdf_params[] = {
- };
-
- static const char pbkdf2_digest[] = "SHA256";
-+/*
-+ * Input parameters from RFC 6070, vector 5 (because it is the only one with
-+ * a salt >= 16 bytes, which NIST SP 800-132 section 5.1 requires). The
-+ * expected output is taken from
-+ * https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md,
-+ * which ran these test vectors with SHA-256.
-+ */
- static const unsigned char pbkdf2_password[] = {
-- 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72,
-- 0x64
-+ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x50, 0x41, 0x53, 0x53,
-+ 0x57, 0x4f, 0x52, 0x44, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64
- };
- static const unsigned char pbkdf2_salt[] = {
-- 0x73, 0x61, 0x00, 0x6c, 0x74
-+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74,
-+ 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54,
-+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74
- };
- static const unsigned char pbkdf2_expected[] = {
-- 0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89,
-- 0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87,
-+ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8,
-+ 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18,
-+ 0x1c
- };
- static int pbkdf2_iterations = 4096;
--static int pbkdf2_pkcs5 = 1;
-+static int pbkdf2_pkcs5 = 0;
- static const ST_KAT_PARAM pbkdf2_params[] = {
- ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, pbkdf2_digest),
- ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_PASSWORD, pbkdf2_password),
---
-2.39.2
-
diff --git a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
index e8777f3..2dc304c 100644
--- a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+++ b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
@@ -21,32 +21,12 @@ Resolves: rhbz#2179331 Resolves: RHEL-14083
Signed-off-by: Clemens Lang --- - include/openssl/core_names.h | 2 ++ include/openssl/evp.h | 4 +++ - .../implementations/asymciphers/rsa_enc.c | 19 ++++++++++++ - providers/implementations/kem/rsa_kem.c | 29 ++++++++++++++++++- - 4 files changed, 53 insertions(+), 1 deletion(-) + .../implementations/asymciphers/rsa_enc.c | 22 ++++++++++++++ + providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++- + util/perl/OpenSSL/paramnames.pm | 6 ++-- + 4 files changed, 59 insertions(+), 3 deletions(-) -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 832502a034..e15d208421 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -477,6 +477,7 @@ extern "C" { - #ifdef FIPS_MODULE - #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" - #endif -+#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" - - /* - * Encoder / decoder parameters -@@ -511,6 +512,7 @@ extern "C" { - - /* KEM parameters */ - #define OSSL_KEM_PARAM_OPERATION "operation" -+#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */ - - /* OSSL_KEM_PARAM_OPERATION values */ - #define OSSL_KEM_PARAM_OPERATION_RSASVE "RSASVE" diff --git a/include/openssl/evp.h b/include/openssl/evp.h index ec2ba46fbd..3803b03422 100644 --- a/include/openssl/evp.h @@ -66,22 +46,25 @@ diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/impleme index 568452ec56..2e7ea632d7 100644 --- a/providers/implementations/asymciphers/rsa_enc.c 
+++ b/providers/implementations/asymciphers/rsa_enc.c -@@ -452,6 +452,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) - if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) +@@ -462,6 +462,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection)) return 0; +#ifdef FIPS_MODULE + p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); + if (p != NULL) { ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; ++ + /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key + * confirmation (section 6.4.2.3.2), or assurance from a trusted third + * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but + * explicit key confirmation is not implemented here and cannot be + * implemented without protocol changes, and the FIPS provider does not + * implement trusted third party validation, since it relies on its -+ * callers to do that. A request for guidance sent to NIST resulted in -+ * further clarification which allows OpenSSL to claim RSA-OAEP. */ -+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; ++ * callers to do that. We must thus mark RSA-OAEP as unapproved until ++ * we have received clarification from NIST on how library modules such ++ * as OpenSSL should implement TTP validation. */ ++ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + + if (!OSSL_PARAM_set_int(p, fips_indicator)) + return 0; @@ -97,13 +80,13 @@ index 568452ec56..2e7ea632d7 100644 OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), + OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), #endif /* FIPS_MODULE */ + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), OSSL_PARAM_END - }; diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 882cf16125..b4cc0f9237 100644 
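Review bot: In the rsa_enc.c hunk, `fips_indicator` is now initialised to `EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED` and then unconditionally overwritten with `EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED`, so the first value is dead and hints at a condition that does not exist. Declaring it as `int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;`, the way the rsa_kem.c hunk of the same patch does, would state what the code actually reports. The rewritten comments in both hunks also drop the sentence that NIST guidance allowed claiming RSA-OAEP and RSASVE and return to "unapproved until we have received clarification". If that reversal is intended for this branch it should be stated in the patch description, because callers that read `redhat-fips-indicator` will now see both operations as not approved. rsa_get_ctx_params continues outside the hunk.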
--- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c -@@ -151,11 +151,38 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, +@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params) { PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx; @@ -123,9 +106,10 @@ index 882cf16125..b4cc0f9237 100644 + * explicit key confirmation is not implemented here and cannot be + * implemented without protocol changes, and the FIPS provider does not + * implement trusted third party validation, since it relies on its -+ * callers to do that. A request for guidance sent to NIST resulted in -+ * further clarification which allows OpenSSL to claim RSASVE. */ -+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; ++ * callers to do that. We must thus mark RSASVE unapproved until we ++ * have received clarification from NIST on how library modules such as ++ * OpenSSL should implement TTP validation. */ ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + + if (!OSSL_PARAM_set_int(p, fips_indicator)) + return 0; 
@@ -143,6 +127,30 @@ index 882cf16125..b4cc0f9237 100644 OSSL_PARAM_END }; +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index 64e9809387..45ab0c8dc4 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -406,6 +406,7 @@ my %params = ( + 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version", + 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", + 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed", ++ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", + + # Encoder / decoder parameters + +@@ -438,8 +439,9 @@ my %params = ( + 'SIGNATURE_PARAM_KAT' => "kat", + + # KEM parameters +- 'KEM_PARAM_OPERATION' => "operation", +- 'KEM_PARAM_IKME' => "ikme", ++ 'KEM_PARAM_OPERATION' => "operation", ++ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", ++ 'KEM_PARAM_IKME' => "ikme", + + # Capabilities + -- 2.39.2 diff --git a/0114-FIPS-enforce-EMS-support.patch b/0114-FIPS-enforce-EMS-support.patch index d10901f..fd1e90e 100644 --- a/0114-FIPS-enforce-EMS-support.patch +++ b/0114-FIPS-enforce-EMS-support.patch 
@@ -1,44 +1,72 @@ -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index e90e5dc03339..f391e756475c 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -1006,6 +1006,7 @@ PROV_R_BN_ERROR:160:bn error - PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed - PROV_R_DERIVATION_FUNCTION_INIT_FAILED:205:derivation function init failed - PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed -+PROV_R_EMS_NOT_ENABLED:233:ems not enabled - PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK:186:entropy source strength too weak - PROV_R_ERROR_INSTANTIATING_DRBG:188:error instantiating drbg - PROV_R_ERROR_RETRIEVING_ENTROPY:189:error retrieving entropy -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 173a81d28bbe..5e5be567a578 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -21,11 +21,12 @@ extern "C" { - #define OSSL_PROV_PARAM_CORE_MODULE_FILENAME "module-filename" /* utf8_ptr */ +From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 16:40:56 +0200 +Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch + +Patch-name: 0114-FIPS-enforce-EMS-support.patch +Patch-id: 114 +Patch-status: | + # We believe that some changes present in CentOS are not necessary + # because ustream has a check for FIPS version +--- + doc/man3/SSL_CONF_cmd.pod | 3 +++ + doc/man5/fips_config.pod | 13 +++++++++++ + include/openssl/fips_names.h | 8 +++++++ + include/openssl/ssl.h.in | 1 + + providers/fips/fipsprov.c | 2 +- + providers/implementations/kdfs/tls1_prf.c | 22 +++++++++++++++++++ + ssl/ssl_conf.c | 1 + + ssl/statem/extensions_srvr.c | 8 ++++++- + ssl/t1_enc.c | 11 ++++++++-- + .../30-test_evp_data/evpkdf_tls12_prf.txt | 10 +++++++++ + test/sslapitest.c | 2 +- + 11 files changed, 76 insertions(+), 5 deletions(-) + +diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod +index ae6ca43282..b83c04a308 100644 +--- 
a/doc/man3/SSL_CONF_cmd.pod ++++ b/doc/man3/SSL_CONF_cmd.pod +@@ -524,6 +524,9 @@ B: use extended master secret extension, enabled by + default. Inverse of B: that is, + B<-ExtendedMasterSecret> is the same as setting B. - /* Well known parameter names that Providers can define */ --#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */ --#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */ --#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */ --#define OSSL_PROV_PARAM_STATUS "status" /* uint */ --#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */ -+#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */ -+#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */ -+#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */ -+#define OSSL_PROV_PARAM_STATUS "status" /* uint */ -+#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */ -+#define OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" /* uint */ ++B: allow establishing connections without EMS in FIPS mode. ++This is a RedHat-based OS specific option, and normally it should be set up via crypto policies. ++ + B: use CA names extension, enabled by + default. Inverse of B: that is, + B<-CANames> is the same as setting B. +diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod +index 1c15e32a5c..f2cedaf88d 100644 +--- a/doc/man5/fips_config.pod ++++ b/doc/man5/fips_config.pod +@@ -15,6 +15,19 @@ for more information. + + This functionality was added in OpenSSL 3.0. + ++Red Hat Enterprise Linux uses a supplementary config for FIPS module located in ++OpenSSL configuration directory and managed by crypto policies. If present, it ++should have format ++ ++ [fips_sect] ++ tls1-prf-ems-check = 0 ++ activate = 1 ++ ++The B option specifies whether FIPS module will require the ++presence of extended master secret or not. ++ ++The B option enforces FIPS provider activation. 
++ + =head1 COPYRIGHT - /* Self test callback parameters */ - #define OSSL_PROV_PARAM_SELF_TEST_PHASE "st-phase" /* utf8_string */ + Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h -index 0fdf5440c7cb..3f29369b3f92 100644 +index 5c77f6d691..8cdd5a6bf7 100644 --- a/include/openssl/fips_names.h +++ b/include/openssl/fips_names.h -@@ -53,6 +53,14 @@ extern "C" { +@@ -70,6 +70,14 @@ extern "C" { */ - # define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS "security-checks" + # define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md" +/* + * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed. 
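Review bot: The fips_config.pod text added here gives `tls1-prf-ems-check = 0` as the format the supplementary config "should have", without saying which value turns the extended master secret requirement on. The fips_names.h comment in the same patch describes the parameter as a boolean controlling whether the EMS check is performed, and the fipsprov.c hunk makes the check enabled by default, so the sample reads as if switching it off were the normal setting. I would add a sentence such as `A value of 1 (the default) requires EMS; 0 disables the check.` after the option description, with the wording confirmed against how the FIPS provider parses the value.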
@@ -51,228 +79,46 @@ index 0fdf5440c7cb..3f29369b3f92 100644 # ifdef __cplusplus } # endif -diff --git a/include/openssl/proverr.h b/include/openssl/proverr.h -index 3685430f5d3e..bf4dc135f592 100644 ---- a/include/openssl/proverr.h -+++ b/include/openssl/proverr.h -@@ -32,6 +32,7 @@ - # define PROV_R_CIPHER_OPERATION_FAILED 102 - # define PROV_R_DERIVATION_FUNCTION_INIT_FAILED 205 - # define PROV_R_DIGEST_NOT_ALLOWED 174 -+# define PROV_R_EMS_NOT_ENABLED 233 - # define PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK 186 - # define PROV_R_ERROR_INSTANTIATING_DRBG 188 - # define PROV_R_ERROR_RETRIEVING_ENTROPY 189 -diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h -index 4a7f85f71186..62e60cc0103f 100644 ---- a/providers/common/include/prov/securitycheck.h -+++ b/providers/common/include/prov/securitycheck.h -@@ -28,3 +28,4 @@ int ossl_digest_get_approved_nid(const EVP_MD *md); - int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, - int sha1_allowed); - int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx); -+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx); -diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c -index f6144072aa04..954aabe80cfc 100644 ---- a/providers/common/provider_err.c -+++ b/providers/common/provider_err.c -@@ -33,6 +33,7 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { - "derivation function init failed"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_DIGEST_NOT_ALLOWED), - "digest not allowed"}, -+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_EMS_NOT_ENABLED), "ems not enabled"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK), - "entropy source strength too weak"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ERROR_INSTANTIATING_DRBG), -diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c -index de7f0d3a0a57..63c875ecd0b7 100644 ---- a/providers/common/securitycheck_default.c -+++ 
b/providers/common/securitycheck_default.c -@@ -22,6 +22,12 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) - return 0; - } - -+/* Disable the ems check in the default provider */ -+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) -+{ -+ return 0; -+} -+ - int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, - int sha1_allowed) - { -diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c -index b7659bd395c3..2bc8a5992685 100644 ---- a/providers/common/securitycheck_fips.c -+++ b/providers/common/securitycheck_fips.c -@@ -20,6 +20,7 @@ - #include "prov/securitycheck.h" - - int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); -+int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx); - - int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) - { -@@ -30,6 +31,11 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) - #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ - } - -+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) -+{ -+ return FIPS_tls_prf_ems_check(libctx); -+} -+ - int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, - int sha1_allowed) - { +diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in +index 0b6de603e2..26a69ca282 100644 +--- a/include/openssl/ssl.h.in ++++ b/include/openssl/ssl.h.in +@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); + * interoperability with CryptoPro CSP 3.x + */ + # define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) ++# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48) + /* + * Disable RFC8879 certificate compression + * SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates, diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c -index b86b27d236f3..b881f46f36ad 100644 +index 5ff9872bd8..eb9653a9df 100644 --- a/providers/fips/fipsprov.c 
+++ b/providers/fips/fipsprov.c -@@ -47,6 +47,7 @@ static OSSL_FUNC_provider_query_operation_fn fips_query; - #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) - extern OSSL_FUNC_core_thread_start_fn *c_thread_start; - int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); -+int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx); - - /* - * Should these function pointers be stored in the provider side provctx? Could -@@ -82,7 +83,9 @@ typedef struct fips_global_st { - const OSSL_CORE_HANDLE *handle; - SELF_TEST_POST_PARAMS selftest_params; - int fips_security_checks; -+ int fips_tls1_prf_ems_check; - const char *fips_security_check_option; -+ const char *fips_tls1_prf_ems_check_option; - } FIPS_GLOBAL; - - static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) -@@ -94,6 +97,9 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) - fgbl->fips_security_checks = 1; - fgbl->fips_security_check_option = "1"; - -+ fgbl->fips_tls1_prf_ems_check = 1; /* Enabled by default */ -+ fgbl->fips_tls1_prf_ems_check_option = "1"; -+ +@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) + if (fgbl == NULL) + return NULL; + init_fips_option(&fgbl->fips_security_checks, 1); +- init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */ ++ init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */ + init_fips_option(&fgbl->fips_restricted_drgb_digests, 0); return fgbl; } - -@@ -109,6 +115,7 @@ static const OSSL_PARAM fips_param_types[] = { - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0), -+ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, OSSL_PARAM_INTEGER, NULL, 0), - OSSL_PARAM_END - }; - -@@ -119,9 +126,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) - * NOTE: inside core_get_params() these will be loaded from config items - * 
stored inside prov->parameters (except for - * OSSL_PROV_PARAM_CORE_MODULE_FILENAME). -- * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter. -+ * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and -+ * OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters. - */ -- OSSL_PARAM core_params[8], *p = core_params; -+ OSSL_PARAM core_params[9], *p = core_params; - - *p++ = OSSL_PARAM_construct_utf8_ptr( - OSSL_PROV_PARAM_CORE_MODULE_FILENAME, -@@ -151,6 +159,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) - OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, - (char **)&fgbl->fips_security_check_option, - sizeof(fgbl->fips_security_check_option)); -+ *p++ = OSSL_PARAM_construct_utf8_ptr( -+ OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, -+ (char **)&fgbl->fips_tls1_prf_ems_check_option, -+ sizeof(fgbl->fips_tls1_prf_ems_check_option)); - *p = OSSL_PARAM_construct_end(); - - if (!c_get_params(fgbl->handle, core_params)) { -@@ -187,6 +199,9 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) - p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS); - if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_security_checks)) - return 0; -+ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK); -+ if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_tls1_prf_ems_check)) -+ return 0; - return 1; - } - -@@ -703,6 +718,11 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, - && strcmp(fgbl->fips_security_check_option, "0") == 0) - fgbl->fips_security_checks = 0; - -+ /* Disable the ems check if it's disabled in the fips config file. 
*/ -+ if (fgbl->fips_tls1_prf_ems_check_option != NULL -+ && strcmp(fgbl->fips_tls1_prf_ems_check_option, "0") == 0) -+ fgbl->fips_tls1_prf_ems_check = 0; -+ - ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers); - - if (!SELF_TEST_post(&fgbl->selftest_params, 0)) { -@@ -898,6 +918,15 @@ int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx) - return fgbl->fips_security_checks; - } - -+int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx) -+{ -+ FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, -+ OSSL_LIB_CTX_FIPS_PROV_INDEX, -+ &fips_prov_ossl_ctx_method); -+ -+ return fgbl->fips_tls1_prf_ems_check; -+} -+ - void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb, - void **cbarg) - { diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c -index 8a3807308408..2c2dbf31cc0b 100644 +index 25a6c79a2e..79bc7a9719 100644 --- a/providers/implementations/kdfs/tls1_prf.c 
+++ b/providers/implementations/kdfs/tls1_prf.c -@@ -45,6 +45,13 @@ - * A(0) = seed - * A(i) = HMAC_(secret, A(i-1)) - */ -+ -+/* -+ * Low level APIs (such as DH) are deprecated for public use, but still ok for -+ * internal use. -+ */ -+#include "internal/deprecated.h" -+ - #include - #include - #include -@@ -60,6 +67,7 @@ - #include "prov/providercommon.h" - #include "prov/implementations.h" - #include "prov/provider_util.h" -+#include "prov/securitycheck.h" - #include "e_os.h" - - static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new; -@@ -78,6 +86,8 @@ static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, - unsigned char *out, size_t olen); - - #define TLS1_PRF_MAXBUF 1024 -+#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" -+#define TLS_MD_MASTER_SECRET_CONST_SIZE 13 - - /* TLS KDF kdf context structure */ - typedef struct { -@@ -160,6 +170,7 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, - const OSSL_PARAM params[]) +@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx) + static void kdf_tls1_prf_free(void *vctx) { TLS1_PRF *ctx = (TLS1_PRF *)vctx; + OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); - if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params)) - return 0; -@@ -181,6 +192,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, - ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; - #endif /* defined(FIPS_MODULE) */ + if (ctx != NULL) { + kdf_tls1_prf_reset(ctx); +@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + } + } + /* + * The seed buffer is prepended with a label. 
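Review bot: The rebased tls1_prf.c hunk places `OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);` in kdf_tls1_prf_free, ahead of the existing `if (ctx != NULL)` guard, so freeing a NULL context would dereference it before the check runs. Nothing visible in kdf_tls1_prf_free uses `libctx`; the previous revision of the patch added the same declaration to kdf_tls1_prf_derive, which is presumably where the EMS check needs it. Move the declaration back into kdf_tls1_prf_derive, after `TLS1_PRF *ctx = (TLS1_PRF *)vctx;`, and leave kdf_tls1_prf_free untouched. Both functions continue outside the hunk, so the use of `libctx` in the EMS check could not be confirmed here.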
@@ -298,136 +144,49 @@ index 8a3807308408..2c2dbf31cc0b 100644 return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, ctx->sec, ctx->seclen, ctx->seed, ctx->seedlen, -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 3a8242d2d8c8..b0fbb504689e 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -99,6 +99,7 @@ static char *tmpfilename = NULL; - static char *dhfile = NULL; +diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c +index 5146cedb96..086db98c33 100644 +--- a/ssl/ssl_conf.c ++++ b/ssl/ssl_conf.c +@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) + SSL_FLAG_TBL("ClientRenegotiation", + SSL_OP_ALLOW_CLIENT_RENEGOTIATION), + SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), ++ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS), + SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), + SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), + SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), +diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c +index 00b1ee531e..22cdabb308 100644 +--- a/ssl/statem/extensions_srvr.c ++++ b/ssl/statem/extensions_srvr.c +@@ -11,6 +11,7 @@ + #include "../ssl_local.h" + #include "statem_local.h" + #include "internal/cryptlib.h" ++#include - static int is_fips = 0; -+static int fips_ems_check = 0; + #define COOKIE_STATE_FORMAT_VERSION 1 - #define LOG_BUFFER_SIZE 2048 - static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; -@@ -796,7 +797,7 @@ static int test_no_ems(void) +@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, + unsigned int context, + X509 *x, size_t chainidx) { - SSL_CTX *cctx = NULL, *sctx = NULL; - SSL *clientssl = NULL, *serverssl = NULL; -- int testresult = 0; -+ int testresult = 0, status; - - if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS1_2_VERSION, -@@ -812,19 +813,25 @@ static int test_no_ems(void) - goto end; - } - 
-- if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) { -- printf("Creating SSL connection failed\n"); -- goto end; -- } -- -- if (SSL_get_extms_support(serverssl)) { -- printf("Server reports Extended Master Secret support\n"); -- goto end; -- } -- -- if (SSL_get_extms_support(clientssl)) { -- printf("Client reports Extended Master Secret support\n"); -- goto end; -+ status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); -+ if (fips_ems_check) { -+ if (status == 1) { -+ printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n"); -+ goto end; -+ } -+ } else { -+ if (!status) { -+ printf("Creating SSL connection failed\n"); -+ goto end; -+ } -+ if (SSL_get_extms_support(serverssl)) { -+ printf("Server reports Extended Master Secret support\n"); -+ goto end; -+ } -+ if (SSL_get_extms_support(clientssl)) { -+ printf("Client reports Extended Master Secret support\n"); -+ goto end; -+ } - } - testresult = 1; - -@@ -10740,9 +10747,24 @@ int setup_tests(void) - && !TEST_false(OSSL_PROVIDER_available(libctx, "default"))) - return 0; - -- if (strcmp(modulename, "fips") == 0) -+ if (strcmp(modulename, "fips") == 0) { -+ OSSL_PROVIDER *prov = NULL; -+ OSSL_PARAM params[2]; -+ - is_fips = 1; - -+ prov = OSSL_PROVIDER_load(libctx, "fips"); -+ if (prov != NULL) { -+ /* Query the fips provider to check if the check ems option is enabled */ -+ params[0] = -+ OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, -+ &fips_ems_check); -+ params[1] = OSSL_PARAM_construct_end(); -+ OSSL_PROVIDER_get_params(prov, params); -+ OSSL_PROVIDER_unload(prov); +- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) ++ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) { ++ if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) { ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); ++ return EXT_RETURN_FAIL; + } + return EXT_RETURN_NOT_SENT; + } -+ - /* - * We add, but don't load the 
test "tls-provider". We'll load it when we - * need it. -@@ -10816,6 +10838,12 @@ int setup_tests(void) - if (privkey8192 == NULL) - goto err; - -+ if (fips_ems_check) { -+#ifndef OPENSSL_NO_TLS1_2 -+ ADD_TEST(test_no_ems); -+#endif -+ return 1; -+ } - #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) - # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) - ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4); -diff -up openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt ---- openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx 2023-04-17 13:04:21.078501747 +0200 -+++ openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt 2023-04-17 13:11:03.189059638 +0200 -@@ -13,6 +13,7 @@ - - Title = TLS12 PRF tests (from NIST test vectors) - -+Availablein = default - KDF = TLS1-PRF - Ctrl.digest = digest:SHA256 - Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc -@@ -21,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3 - Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce - Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf -+Availablein = fips -+KDF = TLS1-PRF -+Ctrl.digest = digest:SHA256 -+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc -+Ctrl.label = seed:master secret -+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c -+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce -+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf -+Result = KDF_DERIVE_ERROR -+ - KDF = TLS1-PRF - Ctrl.digest = digest:SHA256 - Ctrl.Secret = 
hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf -diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c ---- openssl-3.0.7/ssl/t1_enc.c.noems 2023-05-05 11:15:57.934415272 +0200 -+++ openssl-3.0.7/ssl/t1_enc.c 2023-05-05 11:39:03.578163778 +0200 + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) + || !WPACKET_put_bytes_u16(pkt, 0)) { +diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c +index 91238e6457..e8ad8ecd9e 100644 +--- a/ssl/t1_enc.c ++++ b/ssl/t1_enc.c @@ -20,6 +20,7 @@ #include #include @@ -435,7 +194,7 @@ diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c +#include /* seed1 through seed5 are concatenated */ - static int tls1_PRF(SSL *s, + static int tls1_PRF(SSL_CONNECTION *s, @@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s, } 
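Review bot: The new branch in the ssl/statem/extensions_srvr.c part of this hunk, `if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) )`, makes a ServerHello extension constructor the place where a handshake without Extended Master Secret is refused, and no comment says so. I would add one above it, e.g. `/* FIPS mode: refuse a handshake without EMS (RFC 7627) unless SSL_OP_RH_PERMIT_NOEMS_FIPS is set */`, and drop the stray space before the closing parenthesis. `ERR_R_UNSUPPORTED` gives an operator no hint that the peer's missing EMS extension caused the failure, so a more specific reason code would help triage. The same hunk exposes the opt-out as the `RHNoEnforceEMSinFIPS` keyword in ssl/ssl_conf.c, but its documentation is not in this hunk, so check that it still ships elsewhere in the patch. The function body continues outside the inner hunk.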
@@ -453,87 +212,40 @@ diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c else ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); EVP_KDF_CTX_free(kctx); -diff -up openssl-3.0.7/ssl/statem/extensions_srvr.c.noems openssl-3.0.7/ssl/statem/extensions_srvr.c ---- openssl-3.0.7/ssl/statem/extensions_srvr.c.noems 2023-05-05 17:14:04.663800271 +0200 -+++ openssl-3.0.7/ssl/statem/extensions_srvr.c 2023-05-05 17:20:33.764599507 +0200 -@@ -11,6 +11,7 @@ - #include "../ssl_local.h" - #include "statem_local.h" - #include "internal/cryptlib.h" -+#include - - #define COOKIE_STATE_FORMAT_VERSION 1 - -@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s - EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx) - { -- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) -+ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) { -+ if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) { -+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); -+ return EXT_RETURN_FAIL; -+ } - return EXT_RETURN_NOT_SENT; -+ } - - if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) - || !WPACKET_put_bytes_u16(pkt, 0)) { -diff -up openssl-3.0.7/include/openssl/ssl.h.in.fipsems openssl-3.0.7/include/openssl/ssl.h.in ---- openssl-3.0.7/include/openssl/ssl.h.in.fipsems 2023-07-11 12:35:27.951610366 +0200 -+++ openssl-3.0.7/include/openssl/ssl.h.in 2023-07-11 12:36:25.234754680 +0200 -@@ -412,6 +412,7 @@ typedef int (*SSL_async_callback_fn)(SSL - * interoperability with CryptoPro CSP 3.x - */ - # define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) -+# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48) - - /* - * Option "collections." 
-diff -up openssl-3.0.7/ssl/ssl_conf.c.fipsems openssl-3.0.7/ssl/ssl_conf.c ---- openssl-3.0.7/ssl/ssl_conf.c.fipsems 2023-07-11 12:36:51.465278672 +0200 -+++ openssl-3.0.7/ssl/ssl_conf.c 2023-07-11 12:44:53.365675720 +0200 -@@ -387,6 +387,7 @@ static const ssl_conf_cmd_tbl ssl_conf_c - SSL_FLAG_TBL("ClientRenegotiation", - SSL_OP_ALLOW_CLIENT_RENEGOTIATION), - SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), -+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS), - SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), - SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), - SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), -diff -up openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod ---- openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems 2023-07-12 13:54:22.508235187 +0200 -+++ openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod 2023-07-12 13:56:51.089613902 +0200 -@@ -524,6 +524,9 @@ B: use extended ma - default. Inverse of B: that is, - B<-ExtendedMasterSecret> is the same as setting B. - -+B: allow establishing connections without EMS in FIPS mode. -+This is a RedHat-based OS specific option, and normally it should be set up via crypto policies. -+ - B: use CA names extension, enabled by - default. Inverse of B: that is, - B<-CANames> is the same as setting B. -diff -up openssl-3.0.7/doc/man5/fips_config.pod.fipsems openssl-3.0.7/doc/man5/fips_config.pod ---- openssl-3.0.7/doc/man5/fips_config.pod.fipsems 2023-07-12 15:39:57.732206731 +0200 -+++ openssl-3.0.7/doc/man5/fips_config.pod 2023-07-12 15:53:45.722885419 +0200 -@@ -11,6 +11,19 @@ automatically loaded when the system is - environment variable B is set. See the documentation - for more information. 
+diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +index 44040ff66b..deb6bf3fcb 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c + Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce + Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf -+Red Hat Enterprise Linux uses a supplementary config for FIPS module located in -+OpenSSL configuration directory and managed by crypto policies. If present, it -+should have format -+ -+ [fips_sect] -+ tls1-prf-ems-check = 0 -+ activate = 1 -+ -+The B option specifies whether FIPS module will require the -+presence of extended master secret or not. -+ -+The B option enforces FIPS provider activation. ++Availablein = fips ++KDF = TLS1-PRF ++Ctrl.digest = digest:SHA256 ++Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc ++Ctrl.label = seed:master secret ++Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c ++Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce ++Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf ++Result = KDF_DERIVE_ERROR + - =head1 COPYRIGHT + FIPSversion = <=3.1.0 + KDF = TLS1-PRF + Ctrl.digest = digest:SHA256 +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 169e3c7466..e67b5bb44c 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void) + STACK_OF(X509) *server_chain; + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; +- int testresult = 0; ++ int testresult = 0, status; 
- Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, +-- +2.41.0 + diff --git a/0115-CVE-2023-0464.patch b/0115-CVE-2023-0464.patch deleted file mode 100644 index 97f3b6d..0000000 --- a/0115-CVE-2023-0464.patch +++ /dev/null 
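Review bot: In the test/sslapitest.c part, `int testresult = 0, status;` now lands in `test_client_cert_verify_cb`, and nothing visible in the hunk uses `status`. The previous revision declared it in `test_no_ems`, together with the logic expecting a non-EMS connection to fail under FIPS, which is removed earlier in this diff. This looks like a rebase that matched the wrong context, leaving an unused variable and, as far as these lines show, no TLS-level test of the EMS enforcement. The tls1_prf.c section earlier in the same patch shows the same pattern with a worse effect: `OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);` now sits in `kdf_tls1_prf_free` ahead of the `if (ctx != NULL)` guard, so freeing a NULL context would dereference it. The previous revision placed that line in `kdf_tls1_prf_derive`; I would move both declarations back to those functions, or drop `status` if the test change was removed on purpose.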
@@ -1,195 +0,0 @@ -diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h -index 18b53cc09e..cba107ca03 100644 ---- a/crypto/x509/pcy_local.h -+++ b/crypto/x509/pcy_local.h -@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { - }; - - struct X509_POLICY_TREE_st { -+ /* The number of nodes in the tree */ -+ size_t node_count; -+ /* The maximum number of nodes in the tree */ -+ size_t node_maximum; -+ - /* This is the tree 'level' data */ - X509_POLICY_LEVEL *levels; - int nlevel; -@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, - X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree); -+ X509_POLICY_TREE *tree, -+ int extra_data); - void ossl_policy_node_free(X509_POLICY_NODE *node); - int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, - const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); -diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c -index 9d9a7ea179..450f95a655 100644 ---- a/crypto/x509/pcy_node.c -+++ b/crypto/x509/pcy_node.c -@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, - X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree) -+ X509_POLICY_TREE *tree, -+ int extra_data) - { - X509_POLICY_NODE *node; - -+ /* Verify that the tree isn't too large. 
This mitigates CVE-2023-0464 */ -+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) -+ return NULL; -+ - node = OPENSSL_zalloc(sizeof(*node)); - if (node == NULL) { - ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); -@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - } - node->data = data; - node->parent = parent; -- if (level) { -+ if (level != NULL) { - if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { - if (level->anyPolicy) - goto node_error; -@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - } - } - -- if (tree) { -+ if (extra_data) { - if (tree->extra_data == NULL) - tree->extra_data = sk_X509_POLICY_DATA_new_null(); - if (tree->extra_data == NULL){ -@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - } - } - -+ tree->node_count++; - if (parent) - parent->nchild++; - -diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c -index fa45da5117..f953a05a41 100644 ---- a/crypto/x509/pcy_tree.c -+++ b/crypto/x509/pcy_tree.c -@@ -14,6 +14,17 @@ - - #include "pcy_local.h" - -+/* -+ * If the maximum number of nodes in the policy tree isn't defined, set it to -+ * a generous default of 1000 nodes. -+ * -+ * Defining this to be zero means unlimited policy tree growth which opens the -+ * door on CVE-2023-0464. -+ */ -+#ifndef OPENSSL_POLICY_TREE_NODES_MAX -+# define OPENSSL_POLICY_TREE_NODES_MAX 1000 -+#endif -+ - static void expected_print(BIO *channel, - X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, - int indent) -@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - return X509_PCY_TREE_INTERNAL; - } - -+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ -+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; -+ - /* - * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. 
- * -@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - if ((data = ossl_policy_data_new(NULL, - OBJ_nid2obj(NID_any_policy), 0)) == NULL) - goto bad_tree; -- if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) { -+ if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) { - ossl_policy_data_free(data); - goto bad_tree; - } -@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - * Return value: 1 on success, 0 otherwise - */ - static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, -- X509_POLICY_DATA *data) -+ X509_POLICY_DATA *data, -+ X509_POLICY_TREE *tree) - { - X509_POLICY_LEVEL *last = curr - 1; - int i, matched = 0; -@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); - - if (ossl_policy_node_match(last, node, data->valid_policy)) { -- if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL) -+ if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL) - return 0; - matched = 1; - } - } - if (!matched && last->anyPolicy) { -- if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL) -+ if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) - return 0; - } - return 1; -@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - * Return value: 1 on success, 0 otherwise. 
- */ - static int tree_link_nodes(X509_POLICY_LEVEL *curr, -- const X509_POLICY_CACHE *cache) -+ const X509_POLICY_CACHE *cache, -+ X509_POLICY_TREE *tree) - { - int i; - -@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); - - /* Look for matching nodes in previous level */ -- if (!tree_link_matching_nodes(curr, data)) -+ if (!tree_link_matching_nodes(curr, data, tree)) - return 0; - } - return 1; -@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, - /* Curr may not have anyPolicy */ - data->qualifier_set = cache->anyPolicy->qualifier_set; - data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; -- if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) { -+ if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) { - ossl_policy_data_free(data); - return 0; - } -@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, - /* Finally add link to anyPolicy */ - if (last->anyPolicy && - ossl_policy_level_add_node(curr, cache->anyPolicy, -- last->anyPolicy, NULL) == NULL) -+ last->anyPolicy, tree, 0) == NULL) - return 0; - return 1; - } -@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, - extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS - | POLICY_DATA_FLAG_EXTRA_NODE; - node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent, -- tree); -+ tree, 1); - } - if (!tree->user_policies) { - tree->user_policies = sk_X509_POLICY_NODE_new_null(); -@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) - - for (i = 1; i < tree->nlevel; i++, curr++) { - cache = ossl_policy_cache_set(curr->cert); -- if (!tree_link_nodes(curr, cache)) -+ if (!tree_link_nodes(curr, cache, tree)) - return X509_PCY_TREE_INTERNAL; - - if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) diff --git a/0115-skip-quic-pairwise.patch b/0115-skip-quic-pairwise.patch new file mode 100644 index 0000000..90f8cb8 --- /dev/null 
+++ b/0115-skip-quic-pairwise.patch 
@@ -0,0 +1,85 @@ +From ec8e4e25cc5e5c67313c5fd6af94fa248685c3d1 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Thu, 7 Mar 2024 17:37:09 +0100 +Subject: [PATCH 45/49] 0115-skip-quic-pairwise.patch + +Patch-name: 0115-skip-quic-pairwise.patch +Patch-id: 115 +Patch-status: | + # skip quic and pairwise tests temporarily +--- + test/quicapitest.c | 4 +++- + test/recipes/01-test_symbol_presence.t | 1 + + test/recipes/30-test_pairwise_fail.t | 10 ++++++++-- + 3 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/test/quicapitest.c b/test/quicapitest.c +index 41cf0fc7a8..0fb7492700 100644 +--- a/test/quicapitest.c ++++ b/test/quicapitest.c +@@ -2139,7 +2139,9 @@ int setup_tests(void) + ADD_TEST(test_cipher_find); + ADD_TEST(test_version); + #if defined(DO_SSL_TRACE_TEST) +- ADD_TEST(test_ssl_trace); ++ if (is_fips == 0) { ++ ADD_TEST(test_ssl_trace); ++ } + #endif + ADD_TEST(test_quic_forbidden_apis_ctx); + ADD_TEST(test_quic_forbidden_apis); +diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t +index c837d48fb4..6291c08c49 100644 +--- a/test/recipes/30-test_pairwise_fail.t ++++ b/test/recipes/30-test_pairwise_fail.t +@@ -9,7 +9,7 @@ + use strict; + use warnings; + +-use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file); ++use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file with); + use OpenSSL::Test::Utils; + + BEGIN { +@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config" + SKIP: { + skip "Skip RSA test because of no rsa in this build", 1 + if disabled("rsa"); ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "rsa"])), + "fips provider rsa keygen pairwise failure test"); ++ }); + } + + SKIP: { + skip "Skip EC test because of no ec in this build", 2 + if disabled("ec"); ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + 
ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "ec"])), + "fips provider ec keygen pairwise failure test"); ++ }); + + skip "FIPS provider version is too old", 1 + if !$fips_exit; ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "eckat"])), + "fips provider ec keygen kat failure test"); ++ }); + } + + SKIP: { + skip "Skip DSA tests because of no dsa in this build", 2 +- if disabled("dsa"); ++ if 1; #if disabled("dsa"); + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])), + "fips provider dsa keygen pairwise failure test"); +-- +2.44.0 + diff --git a/0116-CVE-2023-0465.patch b/0116-CVE-2023-0465.patch deleted file mode 100644 index 3a9acb5..0000000 --- a/0116-CVE-2023-0465.patch +++ /dev/null 
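Review bot: In test/recipes/30-test_pairwise_fail.t, `if 1; #if disabled("dsa");` switches the DSA pairwise-failure tests off unconditionally while the skip message still reads "no dsa in this build". A test log will therefore misreport why this FIPS self-test coverage is missing. I would state the real reason, e.g. `skip "DSA pairwise failure test temporarily disabled (TRACKING-ID placeholder)", 2 if 1;`, so that the "temporarily" in the patch header can be followed up. The three `exit_checker` subs accept only exit status 134 with no comment; that is presumably 128 + SIGABRT, and a line such as `# 134 = 128 + SIGABRT: module aborts on pairwise failure (confirm)` should note that any abort, including an unrelated one, now counts as a pass. The diffstat also lists test/recipes/01-test_symbol_presence.t, but this patch carries no hunk for it.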
@@ -1,179 +0,0 @@ -diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index 9384f1da9b..a0282c3ef1 100644 ---- a/crypto/x509/x509_vfy.c -+++ b/crypto/x509/x509_vfy.c -@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx) - goto memerr; - /* Invalid or inconsistent extensions */ - if (ret == X509_PCY_TREE_INVALID) { -- int i; -+ int i, cbcalled = 0; - - /* Locate certificates with bad extensions and notify callback. */ -- for (i = 1; i < sk_X509_num(ctx->chain); i++) { -+ for (i = 0; i < sk_X509_num(ctx->chain); i++) { - X509 *x = sk_X509_value(ctx->chain, i); - -+ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) -+ cbcalled = 1; - CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, - ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); - } -+ if (!cbcalled) { -+ /* Should not be able to get here */ -+ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ /* The callback ignored the error so we return success */ - return 1; - } - if (ret == X509_PCY_TREE_FAILURE) { -diff --git a/test/certs/ca-pol-cert.pem b/test/certs/ca-pol-cert.pem -new file mode 100644 -index 0000000000..244af3292b ---- /dev/null -+++ b/test/certs/ca-pol-cert.pem -@@ -0,0 +1,19 @@ -+-----BEGIN CERTIFICATE----- -+MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -+IENBMCAXDTIzMDMwODEyMjMxNloYDzIxMjMwMzA5MTIyMzE2WjANMQswCQYDVQQD -+DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd -+j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz -+n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W -+l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l -+YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc -+ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -+CLNNsUcCAwEAAaN7MHkwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD -+VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE -+PXyAmslTnE1y96NSMBkGA1UdIAQSMBAwDgYMKwYBBAGBgVy8+0cBMA0GCSqGSIb3 
-+DQEBCwUAA4IBAQBbE+MO9mewWIUY2kt85yhl0oZtvVxbn9K2Hty59ItwJGRNfzx7 -+Ge7KgawkvNzMOXmj6qf8TpbJnf41ZLWdRyVZBVyIwrAKIVw1VxfGh8aEifHKN97H -+unZkBPcUkAhUJSiC1BOD/euaMYqOi8QwiI702Q6q1NBY1/UKnV/ZIBLecnqfj9vZ -+7T0wKxrwGYBztP4pNcxCmBoD9Dg+Dx3ZElo0WXyO4SOh/BgrsKJHKyhbuTpjrI/g -+DhcINRp6+lIzuFBtJ67+YXnAEspb3lKMk0YL/LXrCNF2scdmNfOPwHi+OKBqt69C -+9FJyWFEMxx2qm/ENE9sbOswgJRnKkaAqHBHx -+-----END CERTIFICATE----- -diff --git a/test/certs/ee-cert-policies-bad.pem b/test/certs/ee-cert-policies-bad.pem -new file mode 100644 -index 0000000000..0fcd6372b3 ---- /dev/null -+++ b/test/certs/ee-cert-policies-bad.pem -@@ -0,0 +1,20 @@ -+-----BEGIN CERTIFICATE----- -+MIIDTTCCAjWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg -+Fw0yMzAzMDgxMjIzMzJaGA8yMTIzMDMwOTEyMjMzMlowGTEXMBUGA1UEAwwOc2Vy -+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY -+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT -+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l -+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 -+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 -+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn -+iIQPYf55NB9KiR+3AgMBAAGjgakwgaYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H -+mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC -+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w -+bGUwKQYDVR0gBCIwIDAOBgwrBgEEAYGBXLz7RwEwDgYMKwYBBAGBgVy8+0cBMA0G -+CSqGSIb3DQEBCwUAA4IBAQArwtwNO++7kStcJeMg3ekz2D/m/8UEjTA1rknBjQiQ -+P0FK7tNeRqus9i8PxthNWk+biRayvDzaGIBV7igpDBPfXemDgmW9Adc4MKyiQDfs -+YfkHi3xJKvsK2fQmyCs2InVDaKpVAkNFcgAW8nSOhGliqIxLb0EOLoLNwaktou0N -+XQHmRzY8S7aIr8K9Qo9y/+MLar+PS4h8l6FkLLkTICiFzE4/wje5S3NckAnadRJa -+QpjwM2S6NuA+tYWuOcN//r7BSpW/AZKanYWPzHMrKlqCh+9o7sthPd72+hObG9kx -+wSGdzfStNK1I1zM5LiI08WtXCvR6AfLANTo2x1AYhSxF -+-----END CERTIFICATE----- -diff --git a/test/certs/ee-cert-policies.pem b/test/certs/ee-cert-policies.pem -new file mode 100644 -index 0000000000..2f06d7433f ---- 
/dev/null -+++ b/test/certs/ee-cert-policies.pem -@@ -0,0 +1,20 @@ -+-----BEGIN CERTIFICATE----- -+MIIDPTCCAiWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg -+Fw0yMzAzMDgxMjIzMjNaGA8yMTIzMDMwOTEyMjMyM1owGTEXMBUGA1UEAwwOc2Vy -+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY -+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT -+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l -+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 -+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 -+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn -+iIQPYf55NB9KiR+3AgMBAAGjgZkwgZYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H -+mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC -+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w -+bGUwGQYDVR0gBBIwEDAOBgwrBgEEAYGBXLz7RwEwDQYJKoZIhvcNAQELBQADggEB -+AGbWslmAAdMX3+5ChcnFrX+NqDGoyhb3PTgWdtlQB5qtWdIt4rSxN50OcQxFTX0D -+QOBabSzR0DDKrgfBe4waL19WsdEvR9GyO4M7ASze/A3IEZue9C9k0n7Vq8zDaAZl -+CiR/Zqo9nAOuhKHMgmC/NjUlX7STv5pJVgc4SH8VEKmSRZDmNihaOalUtK5X8/Oa -+dawKxsZcaP5IKnOEPPKjtVNJxBu5CXywJHsO0GcoDEnEx1/NLdFoJ6WFw8NuTyDK -+NGLq2MHEdyKaigHQlptEs9bXyu9McJjzbx0uXj3BenRULASreccFej0L1RU6jDlk -+D3brBn24UISaFRZoB7jsjok= -+-----END CERTIFICATE----- -diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh -index c3f7ac14b5..a57d9f38dc 100755 ---- a/test/certs/mkcert.sh -+++ b/test/certs/mkcert.sh -@@ -119,11 +119,12 @@ genca() { - local OPTIND=1 - local purpose= - -- while getopts p: o -+ while getopts p:c: o - do - case $o in - p) purpose="$OPTARG";; -- *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2 -+ c) certpol="$OPTARG";; -+ *) echo "Usage: $0 genca [-p EKU][-c policyoid] cn keyname certname cakeyname cacertname" >&2 - return 1;; - esac - done -@@ -146,6 +147,10 @@ genca() { - if [ -n "$NC" ]; then - exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC") - fi -+ if [ -n "$certpol" ]; then -+ 
exts=$(printf "%s\ncertificatePolicies = %s\n" "$exts" "$certpol") -+ fi -+ - csr=$(req "$key" "CN = $cn") || return 1 - echo "$csr" | - cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ -diff --git a/test/certs/setup.sh b/test/certs/setup.sh -index 2240cd9df0..76ceadc7d8 100755 ---- a/test/certs/setup.sh -+++ b/test/certs/setup.sh -@@ -440,3 +440,9 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \ - - # critical id-pkix-ocsp-no-check extension - ./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.1.5=critical,DER:05:00" -+ -+# certificatePolicies extension -+./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert -+./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1" -+# We can create a cert with a duplicate policy oid - but its actually invalid! -+./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1" -diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t -index 2a4c36e86d..818c9ac50d 100644 ---- a/test/recipes/25-test_verify.t -+++ b/test/recipes/25-test_verify.t -@@ -29,7 +29,7 @@ sub verify { - run(app([@args])); - } - --plan tests => 163; -+plan tests => 165; - - # Canonical success - ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), -@@ -516,3 +516,14 @@ SKIP: { - ok(run(app([ qw(openssl verify -trusted), $rsapluscert_file, $cert_file ])), - 'Mixed key + cert file test'); - } -+ -+# Certificate Policies -+ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"], -+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", -+ "-explicit_policy"), -+ "Certificate policy"); -+ -+ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"], -+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", -+ 
"-explicit_policy"), -+ "Bad certificate policy"); diff --git a/0116-version-aliasing.patch b/0116-version-aliasing.patch new file mode 100644 index 0000000..73f7981 --- /dev/null +++ b/0116-version-aliasing.patch 
@@ -0,0 +1,84 @@ +From a2673b5e2e95bcf54a1746bfd409cca688275e75 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:17 +0100 +Subject: [PATCH 46/49] 0116-version-aliasing.patch + +Patch-name: 0116-version-aliasing.patch +Patch-id: 116 +Patch-status: | + # Add version aliasing due to + # https://github.com/openssl/openssl/issues/23534 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + crypto/evp/digest.c | 7 ++++++- + crypto/evp/evp_enc.c | 7 ++++++- + test/recipes/01-test_symbol_presence.t | 1 + + util/libcrypto.num | 2 ++ + 4 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c +index 42331703da..3a280acc0e 100644 +--- a/crypto/evp/digest.c ++++ b/crypto/evp/digest.c +@@ -553,7 +553,12 @@ legacy: + return ret; + } + +-EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in) ++EVP_MD_CTX ++#if !defined(FIPS_MODULE) ++__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"), ++ symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0"))) ++#endif ++*EVP_MD_CTX_dup(const EVP_MD_CTX *in) + { + EVP_MD_CTX *out = EVP_MD_CTX_new(); + +diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c +index e9faf31057..5a29b8dbb7 100644 +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -1444,7 +1444,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) + #endif /* FIPS_MODULE */ + } + +-EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in) ++EVP_CIPHER_CTX ++#if !defined(FIPS_MODULE) ++__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"), ++ symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0"))) ++#endif ++*EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in) + { + EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new(); + +diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t +index 222b1886ae..7e2f65cccb 100644 +--- a/test/recipes/01-test_symbol_presence.t ++++ b/test/recipes/01-test_symbol_presence.t +@@ -185,6 +185,8 @@ foreach (sort keys %stlibname) { + } + 
} + my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols; ++@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates; ++@duplicates = grep {($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp") } @duplicates; + if (@duplicates) { + note "Duplicates:"; + note join('\n', @duplicates); +diff --git a/util/libcrypto.num b/util/libcrypto.num +index 8046454025..068e9904e2 100644 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -5435,7 +5435,9 @@ X509_PUBKEY_set0_public_key 5562 3_2_0 EXIST::FUNCTION: + OSSL_STACK_OF_X509_free 5563 3_2_0 EXIST::FUNCTION: + OSSL_trace_string 5564 3_2_0 EXIST::FUNCTION: + EVP_MD_CTX_dup 5565 3_2_0 EXIST::FUNCTION: ++EVP_MD_CTX_dup ? 3_1_0 EXIST::FUNCTION: + EVP_CIPHER_CTX_dup 5566 3_2_0 EXIST::FUNCTION: ++EVP_CIPHER_CTX_dup ? 3_1_0 EXIST::FUNCTION: + BN_signed_bin2bn 5567 3_2_0 EXIST::FUNCTION: + BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION: + BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION: +-- +2.44.0 + diff --git a/0117-CVE-2023-0466.patch b/0117-CVE-2023-0466.patch deleted file mode 100644 index ef06edf..0000000 --- a/0117-CVE-2023-0466.patch +++ /dev/null 
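Review bot: The two added `grep` filters in 01-test_symbol_presence.t exempt five symbols from the duplicate-symbol check, but only `EVP_CIPHER_CTX_dup` and `EVP_MD_CTX_dup` get a second version in this patch. `OPENSSL_ia32cap_P`, `OPENSSL_strcasecmp` and `OPENSSL_strncasecmp` are dropped with no stated reason. An unexplained exemption hides any later accidental duplicate export of those names, so each filter should carry a comment, e.g. `# exported under two versions on purpose (symver OPENSSL_3.1.0 / OPENSSL_3.2.0)` above the first, and a separate justification above the second. The patch header's diffstat lists this file as one added line while the hunk adds two, which suggests the second filter came from another change.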
@@ -1,27 +0,0 @@ -diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod -index 75a1677022..43c1900bca 100644 ---- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod -+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod -@@ -98,8 +98,9 @@ B. - X509_VERIFY_PARAM_set_time() sets the verification time in B to - B. Normally the current time is used. - --X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled --by default) and adds B to the acceptable policy set. -+X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. -+Contrary to preexisting documentation of this function it does not enable -+policy checking. - - X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled - by default) and sets the acceptable policy set to B. Any existing -@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. - The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), - and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. - -+The function X509_VERIFY_PARAM_add0_policy() was historically documented as -+enabling policy checking however the implementation has never done this. -+The documentation was changed to align with the implementation. -+ - =head1 COPYRIGHT - - Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/0117-ignore-unknown-sigalgorithms-groups.patch b/0117-ignore-unknown-sigalgorithms-groups.patch new file mode 100644 index 0000000..3c52277 --- /dev/null +++ b/0117-ignore-unknown-sigalgorithms-groups.patch 
@@ -0,0 +1,318 @@ +From 242c746690dd1d0e500fa554c60536877d77776d Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 14 Dec 2023 17:08:56 +0100 +Subject: [PATCH 47/49] 0117-ignore-unknown-sigalgorithms-groups.patch + +Patch-name: 0117-ignore-unknown-sigalgorithms-groups.patch +Patch-id: 117 +Patch-status: | + # https://github.com/openssl/openssl/issues/23050 +--- + CHANGES.md | 13 +++++++ + doc/man3/SSL_CTX_set1_curves.pod | 6 ++- + doc/man3/SSL_CTX_set1_sigalgs.pod | 11 +++++- + ssl/t1_lib.c | 56 +++++++++++++++++++++------- + test/sslapitest.c | 61 +++++++++++++++++++++++++++++++ + 5 files changed, 132 insertions(+), 15 deletions(-) + +diff --git a/CHANGES.md b/CHANGES.md +index ca29762ac2..4e21d0ddf9 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -27,6 +27,19 @@ OpenSSL 3.2 + + ### Changes between 3.2.0 and 3.2.1 [30 Jan 2024] + ++ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms ++ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and ++ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are ++ ignored and the configuration will still be used. ++ ++ Similarly unknown entries that start with `?` character in a TLS ++ Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored ++ and the configuration will still be used. ++ ++ In both cases if the resulting list is empty, an error is returned. ++ ++ *Tomáš Mráz* ++ + * A file in PKCS12 format can contain certificates and keys and may come from + an untrusted source. The PKCS12 specification allows certain fields to be + NULL, but OpenSSL did not correctly check for this case. A fix has been +diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod +index c26ef00306..f0566e148e 100644 +--- a/doc/man3/SSL_CTX_set1_curves.pod ++++ b/doc/man3/SSL_CTX_set1_curves.pod +@@ -58,7 +58,8 @@ string B. The string is a colon separated list of group names, for example + are B, B, B, B, B, B, + B, B, B, B, + B, B and B. 
Support for other groups may be +-added by external providers. ++added by external providers. If a group name is preceded with the C ++character, it will be ignored if an implementation is missing. + + SSL_set1_groups() and SSL_set1_groups_list() are similar except they set + supported groups for the SSL structure B. +@@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group + functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function + was added in OpenSSL 3.0.0. + ++Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and ++SSL_set1_groups_list() was added in OpenSSL 3.3. ++ + =head1 COPYRIGHT + + Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. +diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod +index eb31006346..5b7de7d956 100644 +--- a/doc/man3/SSL_CTX_set1_sigalgs.pod ++++ b/doc/man3/SSL_CTX_set1_sigalgs.pod +@@ -33,7 +33,9 @@ signature algorithms for B or B. The B parameter + must be a null terminated string consisting of a colon separated list of + elements, where each element is either a combination of a public key + algorithm and a digest separated by B<+>, or a TLS 1.3-style named +-SignatureScheme such as rsa_pss_pss_sha256. ++SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded ++with the C character, it will be ignored if an implementation is missing. ++ + + SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(), + SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set +@@ -106,6 +108,13 @@ using a string: + L, L, + L + ++=head1 HISTORY ++ ++Support for ignoring unknown signature algorithms in ++SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(), ++SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() ++was added in OpenSSL 3.3. ++ + =head1 COPYRIGHT + + Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. 
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index 056aae3863..fe680449c5 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -1052,9 +1052,15 @@ static int gid_cb(const char *elem, int len, void *arg) + size_t i; + uint16_t gid = 0; + char etmp[GROUP_NAME_BUFFER_LENGTH]; ++ int ignore_unknown = 0; + + if (elem == NULL) + return 0; ++ if (elem[0] == '?') { ++ ignore_unknown = 1; ++ ++elem; ++ --len; ++ } + if (garg->gidcnt == garg->gidmax) { + uint16_t *tmp = + OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT); +@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg) + + gid = tls1_group_name2id(garg->ctx, etmp); + if (gid == 0) { +- ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, +- "group '%s' cannot be set", etmp); +- return 0; ++ /* Unknown group - ignore, if ignore_unknown */ ++ return ignore_unknown; + } + for (i = 0; i < garg->gidcnt; i++) +- if (garg->gid_arr[i] == gid) +- return 0; ++ if (garg->gid_arr[i] == gid) { ++ /* Duplicate group - ignore */ ++ return 1; ++ } + garg->gid_arr[garg->gidcnt++] = gid; + return 1; + } +@@ -1097,6 +1104,11 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, + gcb.ctx = ctx; + if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb)) + goto end; ++ if (gcb.gidcnt == 0) { ++ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, ++ "No valid groups in '%s'", str); ++ goto end; ++ } + if (pext == NULL) { + ret = 1; + goto end; +@@ -2905,8 +2917,15 @@ static int sig_cb(const char *elem, int len, void *arg) + const SIGALG_LOOKUP *s; + char etmp[TLS_MAX_SIGSTRING_LEN], *p; + int sig_alg = NID_undef, hash_alg = NID_undef; ++ int ignore_unknown = 0; ++ + if (elem == NULL) + return 0; ++ if (elem[0] == '?') { ++ ignore_unknown = 1; ++ ++elem; ++ --len; ++ } + if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT) + return 0; + if (len > (int)(sizeof(etmp) - 1)) +@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg) + break; + } + } +- if (i == 
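Review bot: The context line `OPENSSL_realloc(garg->gid_arr, garg->gidmax + GROUPLIST_INCREMENT)` in gid_cb passes what looks like an element count as the byte size, while `tmp` is a `uint16_t *`. If `gidmax` counts entries, as the `gidcnt == gidmax` comparison suggests, the grown buffer holds half the entries the bookkeeping assumes, and later stores through `gid_arr[gidcnt++]` could run past it. The size would then need to be `(garg->gidmax + GROUPLIST_INCREMENT) * sizeof(*garg->gid_arr)`. The line is unchanged by this patch and the initial allocation is outside the hunk, so check the full function before changing it.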
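Review bot: An unknown group written without the `?` prefix now fails with nothing on the error queue, because the gid_cb hunk at `@@ -1070,13 +1076,14 @@` removes the `ERR_raise_data` call for both cases and just returns `ignore_unknown`. The check added to tls1_set_groups_list reports "No valid groups" only when parsing succeeded with an empty result, so a list like the test's `P-256:nonexistent` is rejected without naming the offending entry. Keeping the diagnostic for the strict case would preserve it: `if (!ignore_unknown) ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, "group '%s' cannot be set", etmp);` placed before `return ignore_unknown;`. gid_cb's body starts and ends outside the hunk.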
OSSL_NELEM(sigalg_lookup_tbl)) +- return 0; ++ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { ++ /* Ignore unknown algorithms if ignore_unknown */ ++ return ignore_unknown; ++ } + } else { + *p = 0; + p++; +@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg) + return 0; + get_sigorhash(&sig_alg, &hash_alg, etmp); + get_sigorhash(&sig_alg, &hash_alg, p); +- if (sig_alg == NID_undef || hash_alg == NID_undef) +- return 0; ++ if (sig_alg == NID_undef || hash_alg == NID_undef) { ++ /* Ignore unknown algorithms if ignore_unknown */ ++ return ignore_unknown; ++ } + for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); + i++, s++) { + if (s->hash == hash_alg && s->sig == sig_alg) { +@@ -2949,15 +2972,17 @@ static int sig_cb(const char *elem, int len, void *arg) + break; + } + } +- if (i == OSSL_NELEM(sigalg_lookup_tbl)) +- return 0; ++ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { ++ /* Ignore unknown algorithms if ignore_unknown */ ++ return ignore_unknown; ++ } + } + +- /* Reject duplicates */ ++ /* Ignore duplicates */ + for (i = 0; i < sarg->sigalgcnt - 1; i++) { + if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) { + sarg->sigalgcnt--; +- return 0; ++ return 1; + } + } + return 1; +@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client) + sig.sigalgcnt = 0; + if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) + return 0; ++ if (sig.sigalgcnt == 0) { ++ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, ++ "No valid signature algorithms in '%s'", str); ++ return 0; ++ } + if (c == NULL) + return 1; + return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 1c14f93ed1..184a0f1055 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -39,6 +39,7 @@ + #include "testutil.h" + #include "testutil/output.h" + #include "internal/nelem.h" ++#include "internal/tlsgroups.h" + #include "internal/ktls.h" + #include 
"../ssl/ssl_local.h" + #include "../ssl/record/methods/recmethod_local.h" +@@ -3147,6 +3148,7 @@ static const sigalgs_list testsigalgs[] = { + {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0}, + # endif + {NULL, 0, "RSA+SHA256", 1, 1}, ++ {NULL, 0, "RSA+SHA256:?Invalid", 1, 1}, + # ifndef OPENSSL_NO_EC + {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1}, + {NULL, 0, "ECDSA+SHA512", 1, 0}, +@@ -9276,6 +9278,64 @@ static int test_servername(int tst) + return testresult; + } + ++static int test_unknown_sigalgs_groups(void) ++{ ++ int ret = 0; ++ SSL_CTX *ctx = NULL; ++ ++ if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) ++ goto end; ++ ++ if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx, ++ "RSA+SHA256:?nonexistent:?RSA+SHA512"), ++ 0)) ++ goto end; ++ if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2) ++ || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256) ++ || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512)) ++ goto end; ++ ++ if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx, ++ "RSA+SHA256:?nonexistent:?RSA+SHA512"), ++ 0)) ++ goto end; ++ if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2) ++ || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256) ++ || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512)) ++ goto end; ++ ++ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, ++ "nonexistent"), ++ 0)) ++ goto end; ++ ++ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, ++ "?nonexistent1:?nonexistent2:?nonexistent3"), ++ 0)) ++ goto end; ++ ++#ifndef OPENSSL_NO_EC ++ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, ++ "P-256:nonexistent"), ++ 0)) ++ goto end; ++ ++ if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, ++ "P-384:?nonexistent:?P-521"), ++ 0)) ++ goto end; ++ if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2) ++ || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1) ++ || !TEST_int_eq(ctx->ext.supportedgroups[1], 
OSSL_TLS_GROUP_ID_secp521r1)) ++ goto end; ++#endif ++ ++ ret = 1; ++ end: ++ SSL_CTX_free(ctx); ++ return ret; ++} ++ + #if !defined(OPENSSL_NO_EC) \ + && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) + /* +@@ -11519,6 +11579,7 @@ int setup_tests(void) + ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data)); + #endif + ADD_ALL_TESTS(test_servername, 10); ++ ADD_TEST(test_unknown_sigalgs_groups); + #if !defined(OPENSSL_NO_EC) \ + && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) + ADD_ALL_TESTS(test_sigalgs_available, 6); +-- +2.44.0 + diff --git a/0118-CVE-2023-1255.patch b/0118-CVE-2023-1255.patch deleted file mode 100644 index 91efb20..0000000 --- a/0118-CVE-2023-1255.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- a/crypto/aes/asm/aesv8-armx.pl -+++ b/crypto/aes/asm/aesv8-armx.pl -@@ -3353,7 +3353,7 @@ $code.=<<___ if ($flavour =~ /64/); - .align 4 - .Lxts_dec_tail4x: - add $inp,$inp,#16 -- vld1.32 {$dat0},[$inp],#16 -+ tst $tailcnt,#0xf - veor $tmp1,$dat1,$tmp0 - vst1.8 {$tmp1},[$out],#16 - veor $tmp2,$dat2,$tmp2 -@@ -3362,6 +3362,8 @@ $code.=<<___ if ($flavour =~ /64/); - veor $tmp4,$dat4,$tmp4 - vst1.8 {$tmp3-$tmp4},[$out],#32 - -+ b.eq .Lxts_dec_abort -+ vld1.32 {$dat0},[$inp],#16 - b .Lxts_done - .align 4 - .Lxts_outer_dec_tail: diff --git a/0118-no-crl-memleak.patch b/0118-no-crl-memleak.patch new file mode 100644 index 0000000..ee7e745 --- /dev/null +++ b/0118-no-crl-memleak.patch 
@@ -0,0 +1,80 @@ +From 105217c7d58c726f4e646177e0aaefb6115aad3e Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Tue, 27 Feb 2024 15:22:58 +0100 +Subject: [PATCH 48/49] 0118-no-crl-memleak.patch + +Patch-name: 0118-no-crl-memleak.patch +Patch-id: 118 +Patch-status: | + # https://github.com/openssl/openssl/issues/23770 +--- + crypto/x509/by_file.c | 2 ++ + test/recipes/60-test_x509_load_cert_file.t | 3 ++- + test/x509_load_cert_file_test.c | 8 +++++++- + 3 files changed, 11 insertions(+), 2 deletions(-) + +diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c +index 5073c137a2..85923804ac 100644 +--- a/crypto/x509/by_file.c ++++ b/crypto/x509/by_file.c +@@ -198,6 +198,8 @@ int X509_load_crl_file(X509_LOOKUP *ctx, const char *file, int type) + goto err; + } + count++; ++ X509_CRL_free(x); ++ x = NULL; + } + } else if (type == X509_FILETYPE_ASN1) { + x = d2i_X509_CRL_bio(in, NULL); +diff --git a/test/recipes/60-test_x509_load_cert_file.t b/test/recipes/60-test_x509_load_cert_file.t +index 75aeac362c..e329d7675c 100644 +--- a/test/recipes/60-test_x509_load_cert_file.t ++++ b/test/recipes/60-test_x509_load_cert_file.t +@@ -12,4 +12,5 @@ setup("test_load_cert_file"); + + plan tests => 1; + +-ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem")]))); ++ok(run(test(["x509_load_cert_file_test", srctop_file("test", "certs", "leaf-chain.pem"), ++ srctop_file("test", "certs", "cyrillic_crl.pem")]))); +diff --git a/test/x509_load_cert_file_test.c b/test/x509_load_cert_file_test.c +index 4a736071ae..c07d329915 100644 +--- a/test/x509_load_cert_file_test.c ++++ b/test/x509_load_cert_file_test.c +@@ -12,6 +12,7 @@ + #include "testutil.h" + + static const char *chain; ++static const char *crl; + + static int test_load_cert_file(void) + { +@@ -27,12 +28,15 @@ static int test_load_cert_file(void) + && TEST_int_eq(sk_X509_num(certs), 4)) + ret = 1; + ++ if (crl != NULL && !TEST_true(X509_load_crl_file(lookup, crl, X509_FILETYPE_PEM))) ++ 
ret = 0; ++ + OSSL_STACK_OF_X509_free(certs); + X509_STORE_free(store); + return ret; + } + +-OPT_TEST_DECLARE_USAGE("cert.pem...\n") ++OPT_TEST_DECLARE_USAGE("cert.pem [crl.pem]\n") + + int setup_tests(void) + { +@@ -45,6 +49,8 @@ int setup_tests(void) + if (chain == NULL) + return 0; + ++ crl = test_get_argument(1); ++ + ADD_TEST(test_load_cert_file); + return 1; + } +-- +2.44.0 + diff --git a/0119-provider-sigalgs-in-signaturealgorithms-conf.patch b/0119-provider-sigalgs-in-signaturealgorithms-conf.patch new file mode 100644 index 0000000..c363223 --- /dev/null +++ b/0119-provider-sigalgs-in-signaturealgorithms-conf.patch 
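Review bot: The check added to test_load_cert_file only asserts that X509_load_crl_file() returns non-zero, which the unfixed code would also do, so it catches the leak closed by `X509_CRL_free(x); x = NULL;` only in a build that runs a leak detector. A comment above the check should say so, e.g. `/* Leak regression for X509_load_crl_file(); fails only under a leak-checking build */`. The `crl != NULL` guard also makes the check optional, so a recipe that drops the second argument would skip it silently. If that is not intended, `setup_tests` could reject a missing CRL argument the way it already rejects a missing `chain`.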
@@ -0,0 +1,170 @@ +From f5b48604779362c91a22080b6905413fbba28b74 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Fri, 8 Mar 2024 11:18:12 +0100 +Subject: [PATCH 49/49] 0119-provider-sigalgs-in-signaturealgorithms-conf.patch + +Patch-name: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch +Patch-id: 119 +Patch-status: | + # https://github.com/openssl/openssl/issues/22779 +--- + ssl/s3_lib.c | 8 ++++---- + ssl/ssl_lib.c | 2 +- + ssl/ssl_local.h | 2 +- + ssl/t1_lib.c | 45 ++++++++++++++++++++++++++++++++++----------- + 4 files changed, 40 insertions(+), 17 deletions(-) + +diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c +index e8ec98c221..48a1aa0e61 100644 +--- a/ssl/s3_lib.c ++++ b/ssl/s3_lib.c +@@ -3685,13 +3685,13 @@ long ssl3_ctrl(SSL *s, int cmd, long larg, void *parg) + return tls1_set_sigalgs(sc->cert, parg, larg, 0); + + case SSL_CTRL_SET_SIGALGS_LIST: +- return tls1_set_sigalgs_list(sc->cert, parg, 0); ++ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 0); + + case SSL_CTRL_SET_CLIENT_SIGALGS: + return tls1_set_sigalgs(sc->cert, parg, larg, 1); + + case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: +- return tls1_set_sigalgs_list(sc->cert, parg, 1); ++ return tls1_set_sigalgs_list(s->ctx, sc->cert, parg, 1); + + case SSL_CTRL_GET_CLIENT_CERT_TYPES: + { +@@ -3968,13 +3968,13 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) + return tls1_set_sigalgs(ctx->cert, parg, larg, 0); + + case SSL_CTRL_SET_SIGALGS_LIST: +- return tls1_set_sigalgs_list(ctx->cert, parg, 0); ++ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 0); + + case SSL_CTRL_SET_CLIENT_SIGALGS: + return tls1_set_sigalgs(ctx->cert, parg, larg, 1); + + case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: +- return tls1_set_sigalgs_list(ctx->cert, parg, 1); ++ return tls1_set_sigalgs_list(ctx, ctx->cert, parg, 1); + + case SSL_CTRL_SET_CLIENT_CERT_TYPES: + return ssl3_set_req_cert_type(ctx->cert, parg, larg); +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 1329841aaf..4d95ab71cd 100644 +--- 
a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -3078,7 +3078,7 @@ long SSL_CTX_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg) + return tls1_set_groups_list(ctx, NULL, NULL, parg); + case SSL_CTRL_SET_SIGALGS_LIST: + case SSL_CTRL_SET_CLIENT_SIGALGS_LIST: +- return tls1_set_sigalgs_list(NULL, parg, 0); ++ return tls1_set_sigalgs_list(ctx, NULL, parg, 0); + default: + return 0; + } +diff --git a/ssl/ssl_local.h b/ssl/ssl_local.h +index 0d3acfbe66..a73b2c4770 100644 +--- a/ssl/ssl_local.h ++++ b/ssl/ssl_local.h +@@ -2796,7 +2796,7 @@ __owur int tls_use_ticket(SSL_CONNECTION *s); + + void ssl_set_sig_mask(uint32_t *pmask_a, SSL_CONNECTION *s, int op); + +-__owur int tls1_set_sigalgs_list(CERT *c, const char *str, int client); ++__owur int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client); + __owur int tls1_set_raw_sigalgs(CERT *c, const uint16_t *psigs, size_t salglen, + int client); + __owur int tls1_set_sigalgs(CERT *c, const int *salg, size_t salglen, +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index fe680449c5..87f2ae7000 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -716,6 +716,7 @@ int ssl_load_sigalgs(SSL_CTX *ctx) + + /* now populate ctx->ssl_cert_info */ + if (ctx->sigalg_list_len > 0) { ++ OPENSSL_free(ctx->ssl_cert_info); + ctx->ssl_cert_info = OPENSSL_zalloc(sizeof(lu) * ctx->sigalg_list_len); + if (ctx->ssl_cert_info == NULL) + return 0; +@@ -2889,6 +2890,7 @@ typedef struct { + size_t sigalgcnt; + /* TLSEXT_SIGALG_XXX values */ + uint16_t sigalgs[TLS_MAX_SIGALGCNT]; ++ SSL_CTX *ctx; + } sig_cb_st; + + static void get_sigorhash(int *psig, int *phash, const char *str) +@@ -2913,7 +2915,8 @@ static void get_sigorhash(int *psig, int *phash, const char *str) + static int sig_cb(const char *elem, int len, void *arg) + { + sig_cb_st *sarg = arg; +- size_t i; ++ size_t i = 0; ++ int load_success = 0; + const SIGALG_LOOKUP *s; + char etmp[TLS_MAX_SIGSTRING_LEN], *p; + int sig_alg = NID_undef, hash_alg = NID_undef; +@@ -2943,17 +2946,36 @@ 
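Review bot: The added `OPENSSL_free(ctx->ssl_cert_info)` in ssl_load_sigalgs releases an array owned by the SSL_CTX on every call, and the sig_cb hunk at `@@ -2943,17 +2946,36 @@` calls ssl_load_sigalgs once for each list element that has no `+`. Through ssl3_ctrl the context passed down is `s->ctx`, so setting a signature-algorithm list on one connection frees and reallocates state on the shared SSL_CTX. If another connection reads `ssl_cert_info` at that moment this would be a use-after-free, though these hunks show no reader or lock to confirm it either way. Loading once outside the callback avoids the repeated free and the per-element provider walk, e.g. in tls1_set_sigalgs_list before `CONF_parse_list`: `if (ctx != NULL) sig.loaded = ssl_load_sigalgs(ctx);`, where `loaded` is a new `sig_cb_st` field that sig_cb tests instead of `load_success`. The bodies of ssl_load_sigalgs and sig_cb continue outside the hunks.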
static int sig_cb(const char *elem, int len, void *arg) + * in the table. + */ + if (p == NULL) { +- for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); +- i++, s++) { +- if (s->name != NULL && strcmp(etmp, s->name) == 0) { +- sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; +- break; +- } ++ /* Load provider sigalgs */ ++ if (sarg->ctx) { ++ load_success = ssl_load_sigalgs(sarg->ctx); + } +- if (i == OSSL_NELEM(sigalg_lookup_tbl)) { +- /* Ignore unknown algorithms if ignore_unknown */ +- return ignore_unknown; ++ if (load_success) { ++ /* Check if a provider supports the sigalg */ ++ for (i = 0; i < sarg->ctx->sigalg_list_len; i++) { ++ if (sarg->ctx->sigalg_list[i].sigalg_name != NULL ++ && strcmp(etmp, ++ sarg->ctx->sigalg_list[i].sigalg_name) == 0) { ++ sarg->sigalgs[sarg->sigalgcnt++] = ++ sarg->ctx->sigalg_list[i].code_point; ++ break; ++ } ++ } + } ++ /* Check the built-in sigalgs */ ++ if (!sarg->ctx || !load_success || i == sarg->ctx->sigalg_list_len) { ++ for (i = 0, s = sigalg_lookup_tbl; ++ i < OSSL_NELEM(sigalg_lookup_tbl); i++, s++) { ++ if (s->name != NULL && strcmp(etmp, s->name) == 0) { ++ sarg->sigalgs[sarg->sigalgcnt++] = s->sigalg; ++ break; ++ } ++ } ++ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { ++ /* Ignore unknown algorithms if ignore_unknown */ ++ return ignore_unknown; ++ } ++ } + } else { + *p = 0; + p++; +@@ -2992,10 +3014,11 @@ static int sig_cb(const char *elem, int len, void *arg) + * Set supported signature algorithms based on a colon separated list of the + * form sig+hash e.g. RSA+SHA512:DSA+SHA512 + */ +-int tls1_set_sigalgs_list(CERT *c, const char *str, int client) ++int tls1_set_sigalgs_list(SSL_CTX *ctx, CERT *c, const char *str, int client) + { + sig_cb_st sig; + sig.sigalgcnt = 0; ++ sig.ctx = ctx; + if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) + return 0; + if (sig.sigalgcnt == 0) { +-- +2.44.0 + 
diff --git a/0120-RSA-PKCS15-implicit-rejection.patch b/0120-RSA-PKCS15-implicit-rejection.patch
deleted file mode 100644
index 3cb36bb..0000000
--- a/0120-RSA-PKCS15-implicit-rejection.patch
+++ /dev/null
@@ -1,1354 +0,0 @@ -diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c -index d25504a03f7..c55511011f6 100644 ---- a/crypto/cms/cms_env.c -+++ b/crypto/cms/cms_env.c -@@ -608,6 +608,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, - if (!ossl_cms_env_asn1_ctrl(ri, 1)) - goto err; - -+ if (EVP_PKEY_is_a(pkey, "RSA")) -+ /* upper layer CMS code incorrectly assumes that a successful RSA -+ * decryption means that the key matches ciphertext (which never -+ * was the case, implicit rejection or not), so to make it work -+ * disable implicit rejection for RSA keys */ -+ EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0"); -+ - if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, - ktri->encryptedKey->data, - ktri->encryptedKey->length) <= 0) -diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c -index 56ed5ea6d68..f64c1fcb2ac 100644 ---- a/crypto/evp/ctrl_params_translate.c -+++ b/crypto/evp/ctrl_params_translate.c -@@ -2201,6 +2201,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = { - EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL, - OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL }, - -+ { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, -+ EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL, -+ "rsa_pkcs1_implicit_rejection", -+ OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, OSSL_PARAM_UNSIGNED_INTEGER, -+ NULL }, -+ - { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN, - EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL, - OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, -diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c -index 31b368bda3b..8a46ab471df 100644 ---- a/crypto/pkcs7/pk7_doit.c -+++ b/crypto/pkcs7/pk7_doit.c -@@ -163,6 +163,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, - if (EVP_PKEY_decrypt_init(pctx) <= 0) - goto err; - -+ if (EVP_PKEY_is_a(pkey, "RSA")) -+ /* upper layer pkcs7 code incorrectly assumes that a successful RSA 
-+ * decryption means that the key matches ciphertext (which never -+ * was the case, implicit rejection or not), so to make it work -+ * disable implicit rejection for RSA keys */ -+ EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); -+ - if (EVP_PKEY_decrypt(pctx, NULL, &eklen, - ri->enc_key->data, ri->enc_key->length) <= 0) - goto err; -diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c -index 54e2a1c61ca..094a6632b66 100644 ---- a/crypto/rsa/rsa_ossl.c -+++ b/crypto/rsa/rsa_ossl.c -@@ -17,6 +17,9 @@ - #include "crypto/bn.h" - #include "rsa_local.h" - #include "internal/constant_time.h" -+#include -+#include -+#include - - static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding); -@@ -372,8 +375,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BIGNUM *f, *ret; - int j, num = 0, r = -1; - unsigned char *buf = NULL; -+ unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0}; -+ HMAC_CTX *hmac = NULL; -+ unsigned int md_len = SHA256_DIGEST_LENGTH; -+ unsigned char kdk[SHA256_DIGEST_LENGTH] = {0}; - BN_CTX *ctx = NULL; - int local_blinding = 0; -+ EVP_MD *md = NULL; - /* - * Used only if the blinding structure is shared. 
A non-NULL unblind - * instructs rsa_blinding_convert() and rsa_blinding_invert() to store -@@ -382,6 +390,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BIGNUM *unblind = NULL; - BN_BLINDING *blinding = NULL; - -+ /* -+ * we need the value of the private exponent to perform implicit rejection -+ */ -+ if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING)) -+ padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; -+ - if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) - goto err; - BN_CTX_start(ctx); -@@ -405,6 +419,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - goto err; - } - -+ if (flen < 1) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL); -+ goto err; -+ } -+ - /* make data into a big number */ - if (BN_bin2bn(from, (int)flen, f) == NULL) - goto err; -@@ -471,6 +490,81 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BN_free(d); - } - -+ /* -+ * derive the Key Derivation Key from private exponent and public -+ * ciphertext -+ */ -+ if (padding == RSA_PKCS1_PADDING) { -+ /* -+ * because we use d as a handle to rsa->d we need to keep it local and -+ * free before any further use of rsa->d -+ */ -+ BIGNUM *d = BN_new(); -+ if (d == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); -+ goto err; -+ } -+ if (rsa->d == NULL) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY); -+ BN_free(d); -+ goto err; -+ } -+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); -+ if (BN_bn2binpad(d, buf, num) < 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ BN_free(d); -+ goto err; -+ } -+ BN_free(d); -+ -+ /* -+ * we use hardcoded hash so that migrating between versions that use -+ * different hash doesn't provide a Bleichenbacher oracle: -+ * if the attacker can see that different versions return different -+ * messages for the same ciphertext, they'll know that the message is -+ * syntethically generated, which means that the padding check failed -+ */ -+ md = 
EVP_MD_fetch(rsa->libctx, "sha256", NULL); -+ if (md == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ hmac = HMAC_CTX_new(); -+ if (hmac == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); -+ goto err; -+ } -+ -+ if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ if (flen < num) { -+ memset(buf, 0, num - flen); -+ if (HMAC_Update(hmac, buf, num - flen) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ } -+ if (HMAC_Update(hmac, from, flen) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ md_len = SHA256_DIGEST_LENGTH; -+ if (HMAC_Final(hmac, kdk, &md_len) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ } -+ - if (blinding) { - /* - * ossl_bn_rsa_do_unblind() combines blinding inversion and -@@ -471,9 +545,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - } - - switch (padding) { -- case RSA_PKCS1_PADDING: -+ case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING: - r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); - break; -+ case RSA_PKCS1_PADDING: -+ r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk); -+ break; - case RSA_PKCS1_OAEP_PADDING: - r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); - break; -@@ -500,6 +597,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - #endif - - err: -+ HMAC_CTX_free(hmac); -+ EVP_MD_free(md); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - OPENSSL_clear_free(buf, num); -diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c -index 5f72fe1735d..04fb0e4ed5e 100644 ---- a/crypto/rsa/rsa_pk1.c -+++ b/crypto/rsa/rsa_pk1.c -@@ -21,10 +21,14 @@ - #include - /* Just for the SSL_MAX_MASTER_KEY_LENGTH 
value */
- #include
-+#include
-+#include
-+#include
- #include "internal/cryptlib.h"
- #include "crypto/rsa.h"
- #include "rsa_local.h"
-
-+
- int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen,
- const unsigned char *from, int flen)
- {
-@@ -271,6 +275,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen,
- return constant_time_select_int(good, mlen, -1);
- }
-
-+
-+static int ossl_rsa_prf(OSSL_LIB_CTX *ctx,
-+ unsigned char *to, int tlen,
-+ const char *label, int llen,
-+ const unsigned char *kdk,
-+ uint16_t bitlen)
-+{
-+ int pos;
-+ int ret = -1;
-+ uint16_t iter = 0;
-+ unsigned char be_iter[sizeof(iter)];
-+ unsigned char be_bitlen[sizeof(bitlen)];
-+ HMAC_CTX *hmac = NULL;
-+ EVP_MD *md = NULL;
-+ unsigned char hmac_out[SHA256_DIGEST_LENGTH];
-+ unsigned int md_len;
-+
-+ if (tlen * 8 != bitlen) {
-+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+ return ret;
-+ }
-+
-+ be_bitlen[0] = (bitlen >> 8) & 0xff;
-+ be_bitlen[1] = bitlen & 0xff;
-+
-+ hmac = HMAC_CTX_new();
-+ if (hmac == NULL) {
-+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+
-+ /*
-+ * we use hardcoded hash so that migrating between versions that use
-+ * different hash doesn't provide a Bleichenbacher oracle:
-+ * if the attacker can see that different versions return different
-+ * messages for the same ciphertext, they'll know that the message is
-+ * syntethically generated, which means that the padding check failed
-+ */
-+ md = EVP_MD_fetch(ctx, "sha256", NULL);
-+ if (md == NULL) {
-+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+
-+ if (HMAC_Init_ex(hmac, kdk, SHA256_DIGEST_LENGTH, md, NULL) <= 0) {
-+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+
-+ for (pos = 0; pos < tlen; pos += SHA256_DIGEST_LENGTH, iter++) {
-+ if (HMAC_Init_ex(hmac, NULL, 0, NULL, NULL) <= 0) {
-+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+
-+ be_iter[0] = (iter >> 8) & 0xff;
-+ be_iter[1] = iter &
0xff;
-+
-+ if (HMAC_Update(hmac, be_iter, sizeof(be_iter)) <= 0) {
-+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+ if (HMAC_Update(hmac, (unsigned char *)label, llen) <= 0) {
-+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+ if (HMAC_Update(hmac, be_bitlen, sizeof(be_bitlen)) <= 0) {
-+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+
-+ /*
-+ * HMAC_Final requires the output buffer to fit the whole MAC
-+ * value, so we need to use the intermediate buffer for the last
-+ * unaligned block
-+ */
-+ md_len = SHA256_DIGEST_LENGTH;
-+ if (pos + SHA256_DIGEST_LENGTH > tlen) {
-+ if (HMAC_Final(hmac, hmac_out, &md_len) <= 0) {
-+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+ memcpy(to + pos, hmac_out, tlen - pos);
-+ } else {
-+ if (HMAC_Final(hmac, to + pos, &md_len) <= 0) {
-+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+ goto err;
-+ }
-+ }
-+ }
-+
-+ ret = 0;
-+
-+err:
-+ HMAC_CTX_free(hmac);
-+ EVP_MD_free(md);
-+ return ret;
-+}
-+
-+/*
-+ * ossl_rsa_padding_check_PKCS1_type_2() checks and removes the PKCS#1 type 2
-+ * padding from a decrypted RSA message. Unlike the
-+ * RSA_padding_check_PKCS1_type_2() it will not return an error in case it
-+ * detects a padding error, rather it will return a deterministically generated
-+ * random message. In other words it will perform an implicit rejection
-+ * of an invalid padding.
This means that the returned value does not indicate
-+ * if the padding of the encrypted message was correct or not, making
-+ * side channel attacks like the ones described by Bleichenbacher impossible
-+ * without access to the full decrypted value and a brute-force search of
-+ * remaining padding bytes
-+ */
-+int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx,
-+ unsigned char *to, int tlen,
-+ const unsigned char *from, int flen,
-+ int num, unsigned char *kdk)
-+{
-+/*
-+ * We need to generate a random length for the synthethic message, to avoid
-+ * bias towards zero and avoid non-constant timeness of DIV, we prepare
-+ * 128 values to check if they are not too large for the used key size,
-+ * and use 0 in case none of them are small enough, as 2^-128 is a good enough
-+ * safety margin
-+ */
-+#define MAX_LEN_GEN_TRIES 128
-+ unsigned char *synthetic = NULL;
-+ int synthethic_length;
-+ uint16_t len_candidate;
-+ unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)];
-+ uint16_t len_mask;
-+ uint16_t max_sep_offset;
-+ int synth_msg_index = 0;
-+ int ret = -1;
-+ int i, j;
-+ unsigned int good, found_zero_byte;
-+ int zero_index = 0, msg_index;
-+
-+ /*
-+ * If these checks fail then either the message in publicly invalid, or
-+ * we've been called incorrectly. We can fail immediately.
-+ * Since this code is called only internally by openssl, those are just
-+ * sanity checks
-+ */
-+ if (num != flen || tlen <= 0 || flen <= 0) {
-+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+ return -1;
-+ }
-+
-+ /* Generate a random message to return in case the padding checks fail */
-+ synthetic = OPENSSL_malloc(flen);
-+ if (synthetic == NULL) {
-+ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE);
-+ return -1;
-+ }
-+
-+ if (ossl_rsa_prf(ctx, synthetic, flen, "message", 7, kdk, flen * 8) < 0)
-+ goto err;
-+
-+ /* decide how long the random message should be */
-+ if (ossl_rsa_prf(ctx, candidate_lengths, sizeof(candidate_lengths),
-+ "length", 6, kdk,
-+ MAX_LEN_GEN_TRIES * sizeof(len_candidate) * 8) < 0)
-+ goto err;
-+
-+ /*
-+ * max message size is the size of the modulus size less 2 bytes for
-+ * version and padding type and a minimum of 8 bytes padding
-+ */
-+ len_mask = max_sep_offset = flen - 2 - 8;
-+ /*
-+ * we want a mask so lets propagate the high bit to all positions less
-+ * significant than it
-+ */
-+ len_mask |= len_mask >> 1;
-+ len_mask |= len_mask >> 2;
-+ len_mask |= len_mask >> 4;
-+ len_mask |= len_mask >> 8;
-+
-+ synthethic_length = 0;
-+ for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate);
-+ i += sizeof(len_candidate)) {
-+ len_candidate = (candidate_lengths[i] << 8) | candidate_lengths[i + 1];
-+ len_candidate &= len_mask;
-+
-+ synthethic_length = constant_time_select_int(
-+ constant_time_lt(len_candidate, max_sep_offset),
-+ len_candidate, synthethic_length);
-+ }
-+
-+ synth_msg_index = flen - synthethic_length;
-+
-+ /* we have alternative message ready, check the real one */
-+ good = constant_time_is_zero(from[0]);
-+ good &= constant_time_eq(from[1], 2);
-+
-+ /* then look for the padding|message separator (the first zero byte) */
-+ found_zero_byte = 0;
-+ for (i = 2; i < flen; i++) {
-+ unsigned int equals0 = constant_time_is_zero(from[i]);
-+ zero_index = constant_time_select_int(~found_zero_byte &
equals0,
-+ i, zero_index);
-+ found_zero_byte |= equals0;
-+ }
-+
-+ /*
-+ * padding must be at least 8 bytes long, and it starts two bytes into
-+ * |from|. If we never found a 0-byte, then |zero_index| is 0 and the check
-+ * also fails.
-+ */
-+ good &= constant_time_ge(zero_index, 2 + 8);
-+
-+ /*
-+ * Skip the zero byte. This is incorrect if we never found a zero-byte
-+ * but in this case we also do not copy the message out.
-+ */
-+ msg_index = zero_index + 1;
-+
-+ /*
-+ * old code returned an error in case the decrypted message wouldn't fit
-+ * into the |to|, since that would leak information, return the synthethic
-+ * message instead
-+ */
-+ good &= constant_time_ge(tlen, num - msg_index);
-+
-+ msg_index = constant_time_select_int(good, msg_index, synth_msg_index);
-+
-+ /*
-+ * since at this point the |msg_index| does not provide the signal
-+ * indicating if the padding check failed or not, we don't have to worry
-+ * about leaking the length of returned message, we still need to ensure
-+ * that we read contents of both buffers so that cache accesses don't leak
-+ * the value of |good|
-+ */
-+ for (i = msg_index, j = 0; i < flen && j < tlen; i++, j++)
-+ to[j] = constant_time_select_8(good, from[i], synthetic[i]);
-+ ret = j;
-+
-+err:
-+ /*
-+ * the only time ret < 0 is when the ciphertext is publicly invalid
-+ * or we were called with invalid parameters, so we don't have to perform
-+ * a side-channel secure raising of the error
-+ */
-+ if (ret < 0)
-+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR);
-+ OPENSSL_free(synthetic);
-+ return ret;
-+}
-+
- /*
- * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2
- * padding from a decrypted RSA message in a TLS signature.
The result is stored
-diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c
-index 8b35e5c3c6d..c67b20baf56 100644
---- a/crypto/rsa/rsa_pmeth.c
-+++ b/crypto/rsa/rsa_pmeth.c
-@@ -52,6 +52,8 @@ typedef struct {
- /* OAEP label */
- unsigned char *oaep_label;
- size_t oaep_labellen;
-+ /* if to use implicit rejection in PKCS#1 v1.5 decryption */
-+ int implicit_rejection;
- } RSA_PKEY_CTX;
-
- /* True if PSS parameters are restricted */
-@@ -72,6 +74,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx)
- /* Maximum for sign, auto for verify */
- rctx->saltlen = RSA_PSS_SALTLEN_AUTO;
- rctx->min_saltlen = -1;
-+ rctx->implicit_rejection = 1;
- ctx->data = rctx;
- ctx->keygen_info = rctx->gentmp;
- ctx->keygen_info_count = 2;
-@@ -97,6 +100,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src)
- dctx->md = sctx->md;
- dctx->mgf1md = sctx->mgf1md;
- dctx->saltlen = sctx->saltlen;
-+ dctx->implicit_rejection = sctx->implicit_rejection;
- if (sctx->oaep_label) {
- OPENSSL_free(dctx->oaep_label);
- dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen);
-@@ -345,6 +349,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx,
- const unsigned char *in, size_t inlen)
- {
- int ret;
-+ int pad_mode;
- RSA_PKEY_CTX *rctx = ctx->data;
- /*
- * Discard const.
Its marked as const because this may be a cached copy of -@@ -365,7 +370,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, - rctx->oaep_labellen, - rctx->md, rctx->mgf1md); - } else { -- ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode); -+ if (rctx->pad_mode == RSA_PKCS1_PADDING && -+ rctx->implicit_rejection == 0) -+ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; -+ else -+ pad_mode = rctx->pad_mode; -+ ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode); - } - *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); - ret = constant_time_select_int(constant_time_msb(ret), ret, 1); -@@ -585,6 +595,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) - *(unsigned char **)p2 = rctx->oaep_label; - return rctx->oaep_labellen; - -+ case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION: -+ if (rctx->pad_mode != RSA_PKCS1_PADDING) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE); -+ return -2; -+ } -+ rctx->implicit_rejection = p1; -+ return 1; -+ - case EVP_PKEY_CTRL_DIGESTINIT: - case EVP_PKEY_CTRL_PKCS7_SIGN: - #ifndef OPENSSL_NO_CMS -diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in -index b0054ead66f..dd878297987 100644 ---- a/doc/man1/openssl-pkeyutl.pod.in -+++ b/doc/man1/openssl-pkeyutl.pod.in -@@ -240,6 +240,11 @@ signed or verified directly instead of using a B structure. If a - digest is set then the a B structure is used and its the length - must correspond to the digest type. - -+Note, for B padding, as a protection against Bleichenbacher attack, -+the decryption will not fail in case of padding check failures. Use B -+and manual inspection of the decrypted message to verify if the decrypted -+value has correct PKCS#1 v1.5 padding. -+ - For B mode only encryption and decryption is supported. - - For B if the digest type is set it is used to format the block data -@@ -267,6 +272,16 @@ explicitly set in PSS mode then the signing digest is used. 
- Sets the digest used for the OAEP hash function. If not explicitly set then - SHA1 is used. - -+=item BI -+ -+Disables (when set to 0) or enables (when set to 1) the use of implicit -+rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a -+protection against Bleichenbacher attack, the library will generate a -+deterministic random plaintext that it will return to the caller in case -+of padding check failure. -+When disabled, it's the callers' responsibility to handle the returned -+errors in a side-channel free manner. -+ - =back - - =head1 RSA-PSS ALGORITHM -diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in -index 186e49e5e49..eab34979de3 100644 ---- a/doc/man1/openssl-rsautl.pod.in -+++ b/doc/man1/openssl-rsautl.pod.in -@@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP, - ANSI X9.31, or no padding, respectively. - For signatures, only B<-pkcs> and B<-raw> can be used. - -+Note: because of protection against Bleichenbacher attacks, decryption -+using PKCS#1 v1.5 mode will not return errors in case padding check failed. -+Use B<-raw> and inspect the returned value manually to check if the -+padding is correct. -+ - =item B<-hexdump> - - Hex dump the output data. -diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod -index 9b96f42dbc9..f7957e95f7f 100644 ---- a/doc/man3/EVP_PKEY_CTX_ctrl.pod -+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod -@@ -393,6 +393,15 @@ this behaviour should be tolerated then - OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual - negotiated protocol version. Otherwise it should be left unset. - -+Similarly to the B above, since OpenSSL version -+3.1.0, the use of B will return a randomly generated message -+instead of padding errors in case padding checks fail. 
Applications that -+want to remain secure while using earlier versions of OpenSSL, still need to -+handle both the error code from the RSA decryption operation and the -+returned message in a side channel secure manner. -+This protection against Bleichenbacher attacks can be disabled by setting -+the OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION (an unsigned integer) to 0. -+ - =head2 DSA parameters - - EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA -diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod -index 0cd1a6548d0..462265c5a67 100644 ---- a/doc/man3/EVP_PKEY_decrypt.pod -+++ b/doc/man3/EVP_PKEY_decrypt.pod -@@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for failure. In particular a - return value of -2 indicates the operation is not supported by the public key - algorithm. - -+=head1 WARNINGS -+ -+In OpenSSL versions before 3.1.0, when used in PKCS#1 v1.5 padding, -+both the return value from the EVP_PKEY_decrypt() and the B provided -+information useful in mounting a Bleichenbacher attack against the -+used private key. They had to processed in a side-channel free way. -+ -+Since version 3.1.0, the EVP_PKEY_decrypt() method when used with PKCS#1 -+v1.5 padding doesn't return an error in case it detects an error in padding, -+instead it returns a pseudo-randomly generated message, removing the need -+of side-channel secure code from applications using OpenSSL. -+ - =head1 EXAMPLES - - Decrypt data using OAEP (for RSA keys): -diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod -index 9f7025c4975..36ae18563f2 100644 ---- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod -+++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod -@@ -121,8 +121,8 @@ L. 
- - =head1 WARNINGS - --The result of RSA_padding_check_PKCS1_type_2() is a very sensitive --information which can potentially be used to mount a Bleichenbacher -+The result of RSA_padding_check_PKCS1_type_2() is exactly the -+information which is used to mount a classical Bleichenbacher - padding oracle attack. This is an inherent weakness in the PKCS #1 - v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not - possible, the result of RSA_padding_check_PKCS1_type_2() should be -@@ -137,6 +137,9 @@ as this would create a small timing side channel which could be - used to mount a Bleichenbacher attack against any padding mode - including PKCS1_OAEP. - -+You should prefer the use of EVP PKEY APIs for PKCS#1 v1.5 decryption -+as they implement the necessary workarounds internally. -+ - =head1 SEE ALSO - - L, -diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod -index 1d38073aead..bd3f835ac6d 100644 ---- a/doc/man3/RSA_public_encrypt.pod -+++ b/doc/man3/RSA_public_encrypt.pod -@@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure. - - =back - --B must not be more than RSA_size(B) - 11 for the PKCS #1 v1.5 --based padding modes, not more than RSA_size(B) - 42 for -+When encrypting B must not be more than RSA_size(B) - 11 for the -+PKCS #1 v1.5 based padding modes, not more than RSA_size(B) - 42 for - RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B) for RSA_NO_PADDING. - When a padding mode other than RSA_NO_PADDING is in use, then - RSA_public_encrypt() will include some random bytes into the ciphertext -@@ -92,6 +92,13 @@ which can potentially be used to mount a Bleichenbacher padding oracle - attack. This is an inherent weakness in the PKCS #1 v1.5 padding - design. Prefer RSA_PKCS1_OAEP_PADDING. - -+In OpenSSL before version 3.1.0, both the return value and the length of -+returned value could be used to mount the Bleichenbacher attack. 
-+Since version 3.1.0, OpenSSL does not return an error in case of padding -+checks failed. Instead it generates a random message based on used private -+key and provided ciphertext so that application code doesn't have to implement -+a side-channel secure error handling. -+ - =head1 CONFORMING TO - - SSL, PKCS #1 v2.0 -diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod -index ac3f6271969..cb770c9e857 100644 ---- a/doc/man7/provider-asym_cipher.pod -+++ b/doc/man7/provider-asym_cipher.pod -@@ -235,6 +235,15 @@ The TLS protocol version first requested by the client. - The negotiated TLS protocol version. See - B on the page L. - -+=item "implicit-rejection" (B) -+ -+Gets of sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5 -+decryption. When set (non zero value), the decryption API will return -+a deterministically random value if the PKCS#1 v1.5 padding check fails. -+This makes explotation of the Bleichenbacher significantly harder, even -+if the code using the RSA decryption API is not implemented in side-channel -+free manner. Set by default. 
-+ - =back - - OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params() -diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h -index 949873d0ee3..f267e5d9d1c 100644 ---- a/include/crypto/rsa.h -+++ b/include/crypto/rsa.h -@@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg); - RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, - OSSL_LIB_CTX *libctx, const char *propq); - -+int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, -+ unsigned char *to, int tlen, -+ const unsigned char *from, int flen, -+ int num, unsigned char *kdk); - int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned char *to, - size_t tlen, - const unsigned char *from, -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index e6c4758a33e..6e4a4f8539d 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -302,6 +302,7 @@ extern "C" { - #define OSSL_PKEY_PARAM_DIST_ID "distid" - #define OSSL_PKEY_PARAM_PUB_KEY "pub" - #define OSSL_PKEY_PARAM_PRIV_KEY "priv" -+#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection" - #define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K "rh_sign_kat_k" - - /* Diffie-Hellman/DSA Parameters */ -@@ -482,6 +483,7 @@ extern "C" { - #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" - #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" - #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" -+#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION "implicit-rejection" - #ifdef FIPS_MODULE - #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" - #endif -diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h -index bce21258227..167427d3c48 100644 ---- a/include/openssl/rsa.h -+++ b/include/openssl/rsa.h -@@ -189,6 +189,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); - - # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES 
(EVP_PKEY_ALG_CTRL + 13)
-
-+# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14)
-+
- # define RSA_PKCS1_PADDING 1
- # define RSA_NO_PADDING 3
- # define RSA_PKCS1_OAEP_PADDING 4
-@@ -198,6 +200,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label);
- # define RSA_PKCS1_PSS_PADDING 6
- # define RSA_PKCS1_WITH_TLS_PADDING 7
-
-+/* internal RSA_ only */
-+# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8
-+
- # define RSA_PKCS1_PADDING_SIZE 11
-
- # define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg)
-diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
-index 3d331ea8dfd..fbafb84f8cb 100644
---- a/providers/implementations/asymciphers/rsa_enc.c
-+++ b/providers/implementations/asymciphers/rsa_enc.c
-@@ -75,6 +75,8 @@ typedef struct {
- /* TLS padding */
- unsigned int client_version;
- unsigned int alt_version;
-+ /* PKCS#1 v1.5 decryption mode */
-+ unsigned int implicit_rejection;
- #ifdef FIPS_MODULE
- char *redhat_st_oaep_seed;
- #endif /* FIPS_MODULE */
-@@ -107,6 +109,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[],
- RSA_free(prsactx->rsa);
- prsactx->rsa = vrsa;
- prsactx->operation = operation;
-+ prsactx->implicit_rejection = 1;
-
- switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) {
- case RSA_FLAG_TYPE_RSA:
-@@ -195,6 +198,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
- {
- PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx;
- int ret;
-+ int pad_mode;
- size_t len = RSA_size(prsactx->rsa);
-
- if (!ossl_prov_is_running())
-@@ -270,8 +274,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
- }
- OPENSSL_free(tbuf);
- } else {
-- ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa,
-- prsactx->pad_mode);
-+ if ((prsactx->implicit_rejection == 0) &&
-+ (prsactx->pad_mode == RSA_PKCS1_PADDING))
-+ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING;
-+
else
-+ pad_mode = prsactx->pad_mode;
-+ ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, pad_mode);
- }
- *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret);
- ret = constant_time_select_int(constant_time_msb(ret), 0, 1);
-@@ -395,6 +403,10 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params)
- }
- #endif /* defined(FIPS_MODULE) */
-
-+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION);
-+ if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection))
-+ return 0;
-+
- return 1;
- }
-
-@@ -406,6 +418,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = {
- NULL, 0),
- OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
- OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
-+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
- #ifdef FIPS_MODULE
- OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0),
- OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL),
-@@ -543,6 +556,14 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[])
- return 0;
- prsactx->alt_version = alt_version;
- }
-+ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION);
-+ if (p != NULL) {
-+ unsigned int implicit_rejection;
-+
-+ if (!OSSL_PARAM_get_uint(p, &implicit_rejection))
-+ return 0;
-+ prsactx->implicit_rejection = implicit_rejection;
-+ }
-
- return 1;
- }
-@@ -555,6 +576,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = {
- OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, NULL, 0),
- OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL),
- OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL),
-+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL),
- OSSL_PARAM_END
- };
-
-diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
-index
b8d8bb2993e..a3d01eec457 100644 ---- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -@@ -253,9 +253,25 @@ Decrypt = RSA-2048 - Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 - Output = "Hello World" - -+Availablein = default -+# Note: disable the Bleichenbacher workaround to see if it passes -+Decrypt = RSA-2048 -+Ctrl = rsa_pkcs1_implicit_rejection:0 -+Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 -+Output = "Hello World" -+ -+Availablein = default -+# Corrupted ciphertext -+# Note: output is generated synthethically by the Bleichenbacher workaround -+Decrypt = RSA-2048 -+Input = 
550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 -+Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff -+ - # Corrupted ciphertext - Availablein = default -+# Note: disable the Bleichenbacher workaround to see if it fails - Decrypt = RSA-2048 -+Ctrl = rsa_pkcs1_implicit_rejection:0 - Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 - Output = "Hello World" - Result = KEYOP_ERROR -@@ -277,6 +297,462 @@ Derive = RSA-2048 - Result = KEYOP_INIT_ERROR - Reason = operation not supported for this keytype - -+# Test vectors for the Bleichenbacher workaround -+ -+PrivateKey = RSA-2048-2 -+-----BEGIN RSA PRIVATE KEY----- -+MIIEowIBAAKCAQEAyMyDlxQJjaVsqiNkD5PciZfBY3KWj8Gwxt9RE8HJTosh5IrS -+KX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjOjRQclJBetK0wZjmkkgZTS25/JgdC -+Ppff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7SSmBfVEWZkQKH6y3ogj16hZZEK3Y -+o/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVOyHUipMApePlomYC/+/ZJwwfoGBm/ 
-++IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1a9PC6lRl3/oUWJKSqdiiStJr5+4F -+EHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGnaQIDAQABAoIBABRVAQ4PLVh2Y6Zm -+pv8czbvw7dgQBkbQKgI5IpCJksStOeVWWSlybvZQjDpxFY7wtv91HTnQdYC7LS8G -+MhBELQYD/1DbvXs1/iybsZpHoa+FpMJJAeAsqLWLeRmyDt8yqs+/Ua20vEthubfp -+aMqk1XD3DvGNgGMiiJPkfUOe/KeTJZvPLNEIo9hojN8HjnrHmZafIznSwfUiuWlo -+RimpM7quwmgWJeq4T05W9ER+nYj7mhmc9xAj4OJXsURBszyE07xnyoAx0mEmGBA6 -+egpAhEJi912IkM1hblH5A1SI/W4Jnej/bWWk/xGCVIB8n1jS+7qLoVHcjGi+NJyX -+eiBOBMECgYEA+PWta6gokxvqRZuKP23AQdI0gkCcJXHpY/MfdIYColY3GziD7UWe -+z5cFJkWe3RbgVSL1pF2UdRsuwtrycsf4gWpSwA0YCAFxY02omdeXMiL1G5N2MFSG -+lqn32MJKWUl8HvzUVc+5fuhtK200lyszL9owPwSZm062tcwLsz53Yd0CgYEAznou -+O0mpC5YzChLcaCvfvfuujdbcA7YUeu+9V1dD8PbaTYYjUGG3Gv2crS00Al5WrIaw -+93Q+s14ay8ojeJVCRGW3Bu0iF15XGMjHC2cD6o9rUQ+UW+SOWja7PDyRcytYnfwF -+1y2AkDGURSvaITSGR+xylD8RqEbmL66+jrU2sP0CgYB2/hXxiuI5zfHfa0RcpLxr -+uWjXiMIZM6T13NKAAz1nEgYswIpt8gTB+9C+RjB0Q+bdSmRWN1Qp1OA4yiVvrxyb -+3pHGsXt2+BmV+RxIy768e/DjSUwINZ5OjNalh9e5bWIh/X4PtcVXXwgu5XdpeYBx -+sru0oyI4FRtHMUu2VHkDEQKBgQCZiEiwVUmaEAnLx9KUs2sf/fICDm5zZAU+lN4a -+AA3JNAWH9+JydvaM32CNdTtjN3sDtvQITSwCfEs4lgpiM7qe2XOLdvEOp1vkVgeL -+9wH2fMaz8/3BhuZDNsdrNy6AkQ7ICwrcwj0C+5rhBIaigkgHW06n5W3fzziC5FFW -+FHGikQKBgGQ790ZCn32DZnoGUwITR++/wF5jUfghqd67YODszeUAWtnp7DHlWPfp -+LCkyjnRWnXzvfHTKvCs1XtQBoaCRS048uwZITlgZYFEWntFMqi76bqBE4FTSYUTM -+FinFUBBVigThM/RLfCRNrCW/kTxXuJDuSfVIJZzWNAT+9oWdz5da -+-----END RSA PRIVATE KEY----- -+ -+# corresponding public key -+PublicKey = RSA-2048-2-PUBLIC -+-----BEGIN PUBLIC KEY----- -+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMyDlxQJjaVsqiNkD5Pc -+iZfBY3KWj8Gwxt9RE8HJTosh5IrSKX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjO -+jRQclJBetK0wZjmkkgZTS25/JgdCPpff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7 -+SSmBfVEWZkQKH6y3ogj16hZZEK3Yo/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVO -+yHUipMApePlomYC/+/ZJwwfoGBm/+IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1 -+a9PC6lRl3/oUWJKSqdiiStJr5+4FEHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGn -+aQIDAQAB -+-----END PUBLIC KEY----- -+ -+PrivPubKeyPair = 
RSA-2048-2:RSA-2048-2-PUBLIC -+ -+# RSA decrypt -+ -+# a random positive test case -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066 -+Output = "lorem ipsum dolor sit amet" -+ -+Availablein = default -+# a random negative test case decrypting to empty -+Decrypt = RSA-2048-2 -+Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7 -+Output = -+ -+Availablein = default -+# invalid decrypting to max length message -+Decrypt = RSA-2048-2 -+Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303 -+Output = 
22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 -+ -+Availablein = default -+# invalid decrypting to message with length specified by second to last value from PRF -+Decrypt = RSA-2048-2 -+Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354 -+Output = 0f9b -+ -+Availablein = default -+# invalid decrypting to message with length specified by third to last value from PRF -+Decrypt = RSA-2048-2 -+Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081 -+Output = 4f02 -+ -+# positive test with 11 byte long value -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 
6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592 -+Output = "lorem ipsum" -+ -+# positive test with 11 byte long value and zero padded ciphertext -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b -+Output = "lorem ipsum" -+ -+# positive test with 11 byte long value and zero truncated ciphertext -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b -+Output = "lorem ipsum" -+ -+# positive test with 11 byte long value and double zero padded ciphertext -+Availablein = default -+Decrypt = RSA-2048-2 
-+Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
-+Output = "lorem ipsum"
-+
-+# positive test with 11 byte long value and double zero truncated ciphertext
-+Availablein = default
-+Decrypt = RSA-2048-2
-+Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc
-+Output = "lorem ipsum"
-+
-+# positive that generates a 0 byte long synthethic message internally
-+Availablein = default
-+Decrypt = RSA-2048-2
-+Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0
-+Output = "lorem ipsum"
-+
-+# positive that generates a 245 byte long synthethic message internally
-+Availablein = default
-+Decrypt = RSA-2048-2 -+Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50 -+Output = "lorem ipsum" -+ -+Availablein = default -+# a random negative test that generates an 11 byte long message -+Decrypt = RSA-2048-2 -+Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2 -+Output = af9ac70191c92413cb9f2d -+ -+Availablein = default -+# an otherwise correct plaintext, but with wrong first byte -+# (0x01 instead of 0x00), generates a random 11 byte long plaintext -+Decrypt = RSA-2048-2 -+Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc3039906ff3aac904af32ec798fd65f3ad1afa2e69400e7c1de81f5728f3b3291f38263bc7a90a0563e43ce7a0d4ee9c0d8a716621ca5d3d081188769ce1b131af7d35b13dea99153579c86db31fe07d5a2c14d621b77854e48a8df41b5798563af489a291e417b6a334c63222627376118c02c53b6e86310f728734ffc86ef9d7c8bf56c0c841b24b82b59f51aee4526ba1c4268506d301e4ebc498c6aebb6fd5258c876bf900bac8ca4d309dd522f6a6343599a8bc3760f422c10c72d0ad527ce4af1874124ace3d99bb74db8d69d2528db22c3a37644640f95c05f -+Output = a1f8c9255c35cfba403ccc -+ -+Availablein 
= default -+# an otherwise correct plaintext, but with wrong second byte -+# (0x01 instead of 0x02), generates a random 11 byte long plaintext -+Decrypt = RSA-2048-2 -+Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d2bac96bf00d6592ea7cdc3341610c8fb07e527e5e2d20cfaf2c7f23e375431f45e998929a02f25fd95354c33838090bca838502259e92d86d568bc2cdb132fab2a399593ca60a015dc2bb1afcd64fef8a3834e17e5358d822980dc446e845b3ab4702b1ee41fe5db716d92348d5091c15d35a110555a35deb4650a5a1d2c98025d42d4544f8b32aa6a5e02dc02deaed9a7313b73b49b0d4772a3768b0ea0db5846ace6569cae677bf67fb0acf3c255dc01ec8400c963b6e49b1067728b4e563d7e1e1515664347b92ee64db7efb5452357a02fff7fcb7437abc2e579 -+Output = e6d700309ca0ed62452254 -+ -+Availablein = default -+# an invalid ciphertext, with a zero byte in first byte of -+# ciphertext, decrypts to a random 11 byte long synthethic -+# plaintext -+Decrypt = RSA-2048-2 -+Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 -+Output = ba27b1842e7c21c0e7ef6a -+ -+Availablein = default -+# an invalid ciphertext, with a zero byte removed from first byte of -+# ciphertext, decrypts to a random 11 byte long synthethic -+# plaintext -+Decrypt = RSA-2048-2 -+Input = 
96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 -+Output = ba27b1842e7c21c0e7ef6a -+ -+Availablein = default -+# an invalid ciphertext, with two zero bytes in first bytes of -+# ciphertext, decrypts to a random 11 byte long synthethic -+# plaintext -+Decrypt = RSA-2048-2 -+Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 -+Output = d5cf555b1d6151029a429a -+ -+Availablein = default -+# an invalid ciphertext, with two zero bytes removed from first bytes of -+# ciphertext, decrypts to a random 11 byte long synthethic -+# plaintext -+Decrypt = RSA-2048-2 -+Input = 
587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 -+Output = d5cf555b1d6151029a429a -+ -+Availablein = default -+# and invalid ciphertext, otherwise valid but starting with 000002, decrypts -+# to random 11 byte long synthethic plaintext -+Decrypt = RSA-2048-2 -+Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802f8e9a17c4cb3cd3a84041891471b10ca1fcfb5d041d34c82e6d0011cf4dc76b90e9c2e0743590579d55bcd7857057152c4a8040361343d1d22ba677d62b011407c652e234b1d663af25e2386251d7409190f19fc8ec3f9374fdf1254633874ce2ec2bff40ad0cb473f9761ec7b68da45a4bd5e33f5d7dac9b9a20821df9406b653f78a95a6c0ea0a4d57f867e4db22c17bf9a12c150f809a7b72b6db86c22a8732241ebf3c6a4f2cf82671d917aba8bc61052b40ccddd743a94ea9b538175106201971cca9d136d25081739aaf6cd18b2aecf9ad320ea3f89502f955 -+Output = 3d4a054d9358209e9cbbb9 -+ -+Availablein = default -+# negative test with otherwise valid padding but a zero byte in first byte -+# of padding -+Decrypt = RSA-2048-2 -+Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a940037ac516b0d6412ba44ec6b4f268a55ef1c5ffbf18a2f4e3522bb7b6ed89774b79bffa22f7d3102165565642de0d43a955e96a1f2e80e5430671d7266eb4f905dc8ff5e106dc5588e5b0289e49a4913940e392a97062616d2bda38155471b7d360cfb94681c702f60ed2d4de614ea72bf1c53160e63179f6c5b897b59492bee219108309f0b7b8cb2b136c346a5e98b8b4b8415fb1d713bae067911e3057f1c335b4b7e39101eafd5d28f0189037e4334f4fdb9038427b1d119a6702aa8233319cc97d496cc289ae8c956ddc84042659a2d43d6aa22f12b81ab884e -+Output = 1f037dd717b07d3e7f7359 -+ -+Availablein = 
default -+# negative test with otherwise valid padding but a zero byte at the eigth -+# byte of padding -+Decrypt = RSA-2048-2 -+Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a96460e745024436470ed85e94297b283537d52189c406a3f533cb405cc6a9dba46b482ce98b6e3dd52d8fce2237425617e38c11fbc46b61897ef200d01e4f25f5f6c4c5b38cd0de38ba11908b86595a8036a08a42a3d05b79600a97ac18ba368a08d6cf6ccb624f6e8002afc75599fba4de3d4f3ba7d208391ebe8d21f8282b18e2c10869eb2702e68f9176b42b0ddc9d763f0c86ba0ff92c957aaeab76d9ab8da52ea297ec11d92d770146faa1b300e0f91ef969b53e7d2907ffc984e9a9c9d11fb7d6cba91972059b46506b035efec6575c46d7114a6b935864858445f -+Output = 63cb0bf65fc8255dd29e17 -+ -+Availablein = default -+# negative test with an otherwise valid plaintext but with missing separator -+# byte -+Decrypt = RSA-2048-2 -+Input = 3d1b97e7aa34eaf1f4fc171ceb11dcfffd9a46a5b6961205b10b302818c1fcc9f4ec78bf18ea0cee7e9fa5b16fb4c611463b368b3312ac11cf9c06b7cf72b54e284848a508d3f02328c62c2999d0fb60929f81783c7a256891bc2ff4d91df2af96a24fc5701a1823af939ce6dbdc510608e3d41eec172ad2d51b9fc61b4217c923cadcf5bac321355ef8be5e5f090cdc2bd0c697d9058247db3ad613fdce87d2955a6d1c948a5160f93da21f731d74137f5d1f53a1923adb513d2e6e1589d44cc079f4c6ddd471d38ac82d20d8b1d21f8d65f3b6907086809f4123e08d86fb38729585de026a485d8f0e703fd4772f6668febf67df947b82195fa3867e3a3065 -+Output = 6f09a0b62699337c497b0b -+ -+# Test vectors for the Bleichenbacher workaround (2049 bit key size) -+ -+PrivateKey = RSA-2049 -+-----BEGIN RSA PRIVATE KEY----- -+MIIEpQIBAAKCAQEBVfiJVWoXdfHHp3hqULGLwoyemG7eVmfKs5uEEk6Q66dcHbCD -+rD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjIXeD+dX9uSbue1EfmAkMIANuwTOsi -+5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePfYkZQCUYx8h6v0vtbyRX/BDeazRES -+9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+UFVTQRwRnUFw89UHqCJffyfQAzssp -+j/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/krw6A+qFdsQX8kAHteT3UBEFtUTen6 -+3N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQlwIDAQABAoIBAQEZwrP1CnrWFSZ5 -+1/9RCVisLYym8AKFkvMy1VoWc2F4qOZ/F+cFzjAOPodUclEAYBP5dNCj20nvNEyl 
-+omo0wEUHBNDkIuDOI6aUJcFf77bybhBu7/ZMyLnXRC5NpOjIUAjq6zZYWaIpT6OT
-+e8Jr5WMy59geLBYO9jXMUoqnvlXmM6cj28Hha6KeUrKa7y+eVlT9wGZrsPwlSsvo
-+DmOHTw9fAgeC48nc/CUg0MnEp7Y05FA/u0k+Gq/us/iL16EzmHJdrm/jmed1zV1M
-+8J/IODR8TJjasaSIPM5iBRNhWvqhCmM2jm17ed9BZqsWJznvUVpEAu4eBgHFpVvH
-+HfDjDt+BAoGBAYj2k2DwHhjZot4pUlPSUsMeRHbOpf97+EE99/3jVlI83JdoBfhP
-+wN3sdw3wbO0GXIETSHVLNGrxaXVod/07PVaGgsh4fQsxTvasZ9ZegTM5i2Kgg8D4
-+dlxa1A1agfm73OJSftfpUAjLECnLTKvR+em+38KGyWVSJV2n6rGSF473AoGBAN7H
-+zxHa3oOkxD0vgBl/If1dRv1XtDH0T+gaHeN/agkf/ARk7ZcdyFCINa3mzF9Wbzll
-+YTqLNnmMkubiP1LvkH6VZ+NBvrxTNxiWJfu+qx87ez+S/7JoHm71p4SowtePfC2J
-+qqok0s7b0GaBz+ZcNse/o8W6E1FiIi71wukUyYNhAoGAEgk/OnPK7dkPYKME5FQC
-++HGrMsjJVbCa9GOjvkNw8tVYSpq7q2n9sDHqRPmEBl0EYehAqyGIhmAONxVUbIsL
-+ha0m04y0MI9S0H+ZRH2R8IfzndNAONsuk46XrQU6cfvtZ3Xh3IcY5U5sr35lRn2c
-+ut3H52XIWJ4smN/cJcpOyoECgYEAjM5hNHnPlgj392wkXPkbtJXWHp3mSISQVLTd
-+G0MW8/mBQg3AlXi/eRb+RpHPrppk5jQLhgMjRSPyXXe2amb8PuWTqfGN6l32PtX3
-+3+udILpppb71Wf+w7JTbcl9v9uq7o9SVR8DKdPA+AeweSQ0TmqCnlHuNZizOSjwP
-+G16GF0ECgYEA+ZWbNMS8qM5IiHgbMbHptdit9dDT4+1UXoNn0/hUW6ZEMriHMDXv
-+iBwrzeANGAn5LEDYeDe1xPms9Is2uNxTpZVhpFZSNALR6Po68wDlTJG2PmzuBv5t
-+5mbzkpWCoD4fRU53ifsHgaTW+7Um74gWIf0erNIUZuTN2YrtEPTnb3k=
-+-----END RSA PRIVATE KEY-----
-+
-+# corresponding public key
-+PublicKey = RSA-2049-PUBLIC
-+-----BEGIN PUBLIC KEY-----
-+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEBVfiJVWoXdfHHp3hqULGL
-+woyemG7eVmfKs5uEEk6Q66dcHbCDrD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjI
-+XeD+dX9uSbue1EfmAkMIANuwTOsi5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePf
-+YkZQCUYx8h6v0vtbyRX/BDeazRES9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+U
-+FVTQRwRnUFw89UHqCJffyfQAzsspj/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/kr
-+w6A+qFdsQX8kAHteT3UBEFtUTen63N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQ
-+lwIDAQAB
-+-----END PUBLIC KEY-----
-+
-+PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC
-+
-+# RSA decrypt
-+
-+Availablein = default
-+# malformed that generates length specified by 3rd last value from PRF
-+Decrypt = RSA-2049
-+Input = 
00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894 -+Output = 42 -+ -+# simple positive test case -+Availablein = default -+Decrypt = RSA-2049 -+Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967 -+Output = "lorem ipsum" -+ -+# positive test case with null padded ciphertext -+Availablein = default -+Decrypt = RSA-2049 -+Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 -+Output = "lorem ipsum" -+ -+# positive test case with null truncated ciphertext -+Availablein = default -+Decrypt = RSA-2049 -+Input = 
02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 -+Output = "lorem ipsum" -+ -+# positive test case with double null padded ciphertext -+Availablein = default -+Decrypt = RSA-2049 -+Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 -+Output = "lorem ipsum" -+ -+# positive test case with double null truncated ciphertext -+Availablein = default -+Decrypt = RSA-2049 -+Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 -+Output = "lorem ipsum" -+ -+Availablein = default -+# a random negative test case that generates an 11 byte long message -+Decrypt = RSA-2049 -+Input = 
00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca -+Output = 1189b6f5498fd6df532b00 -+ -+Availablein = default -+# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) -+Decrypt = RSA-2049 -+Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff -+Output = f6d0f5b78082fe61c04674 -+ -+Availablein = default -+# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) -+Decrypt = RSA-2049 -+Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3 -+Output = 1ab287fcef3ff17067914d -+ -+# RSA decrypt with 3072 bit keys -+PrivateKey = RSA-3072 
-+-----BEGIN RSA PRIVATE KEY-----
-+MIIG5AIBAAKCAYEAr9ccqtXp9bjGw2cHCkfxnX5mrt4YpbJ0H7PE0zQ0VgaSotkJ
-+72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjdvwDdu+OG0zuNDiKxtEk23EiYcbhS
-+N7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni5QyIPH16wQ7Wp02ayQ35EpkFoX1K
-+CHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3VxUosvFxargW1uygcnveqYBZMpcw64
-+wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx7S/IPlcZnP5ZCLEAh+J/vZfSwkIU
-+YZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+vEN0V6VI3gMfVrlgJStUlqQY7TDP5
-+XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/gaEJANFIIOuAGvTxpZbEuc6aUx/P
-+ilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDkooCElYcob01/JWzoXl61Z5sdrMH5
-+CVZJty5foHKusAN5AgMBAAECggGAJRfqyzr+9L/65gOY35lXpdKhVKgzaNjhWEKy
-+9Z7gn3kZe9LvHprdr4eG9rQSdEdAXjBCsh8vULeqc3cWgMO7y2wiWl1f9rVsRxwY
-+gqCjOwrxZaPtbCSdx3g+a8dYrDfmVy0z/jJQeO2VJlDy65YEkC75mlEaERnRPE/J
-+pDoXXc37+xoUAP4XCTtpzTzbiV9lQy6iGV+QURxzNrWKaF2s/y2vTF6S5WWxZlrm
-+DlErqplluAjV/xGc63zWksv5IAZ6+s2An2a+cG2iaBCseQ2xVslI5v5YG8mEkVf0
-+2kk/OmSwxuEZ4DGxB/hDbOKRYLRYuPnxCV/esZJjOE/1OHVXvE8QtANN6EFwO60s
-+HnacI4U+tjCjbRBh3UbipruvdDqX8LMsNvUMGjci3vOjlNkcLgeL8J15Xs3l5WuC
-+Avl0Am91/FbpoN1qiPLny3jvEpjMbGUgfKRb03GIgHtPzbHmDdjluFZI+376i2/d
-+RI85dBqNmAn+Fjrz3kW6wkpahByBAoHBAOSj2DDXPosxxoLidP/J/RKsMT0t0FE9
-+UFcNt+tHYv6hk+e7VAuUqUpd3XQqz3P13rnK4xvSOsVguyeU/WgmH4ID9XGSgpBP
-+Rh6s7izn4KAJeqfI26vTPxvyaZEqB4JxT6k7SerENus95zSn1v/f2MLBQ16EP8cJ
-++QSOVCoZfEhUK+srherQ9eZKpj0OwBUrP4VhLdymv96r8xddWX1AVj4OBi2RywKI
-+gAgv6fjwkb292jFu6x6FjKRNKwKK6c3jqQKBwQDE4c0Oz0KYYV4feJun3iL9UJSv
-+StGsKVDuljA4WiBAmigMZTii/u0DFEjibiLWcJOnH53HTr0avA6c6D1nCwJ2qxyF
-+rHNN2L+cdMx/7L1zLR11+InvRgpIGbpeGwHeIzJVUYG3b6llRJMZimBvAMr9ipM1
-+bkVvIjt1G9W1ypeuKzm6d/t8F0yC7AIYZWDV4nvxiiY8whLZzGawHR2iZz8pfUwb
-+7URbTvxdsGE27Kq9gstU0PzEJpnU1goCJ7/gA1ECgcBA8w5B6ZM5xV0H5z6nPwDm
-+IgYmw/HucgV1hU8exfuoK8wxQvTACW4B0yJKkrK11T1899aGG7VYRn9D4j4OLO48
-+Z9V8esseJXbc1fEezovvymGOci984xiFXtqAQzk44+lmQJJh33VeZApe2eLocvVH
-+ddEmc1kOuJWFpszf3LeCcG69cnKrXsrLrZ8Frz//g3aa9B0sFi5hGeWHWJxISVN2
-+c1Nr9IN/57i/GqVTcztjdCAcdM7Tr8phDg7OvRlnxGkCgcEAuYhMFBuulyiSaTff
-+/3ZvJKYOJ45rPkEFGoD/2ercn+RlvyCYGcoAEjnIYVEGlWwrSH+b0NlbjVkQsD6O
-+to8CeE/RpgqX8hFCqC7NE/RFp8cpDyXy3j/zqnRMUyhCP1KNuScBBZs9V8gikxv6
-+ukBWCk3PYbeTySHKRBbB8vmCrMfhM96jaBIQsQO1CcZnVceDo1/bnsAIwaREVMxr
-+Q8LmG7QOx/Z0x1MMsUFoqzilwccC09/JgxMZPh+h+Nv6jiCxAoHBAOEqQgFAfSdR
-+ya60LLH55q803NRFMamuKiPbVJLzwiKfbjOiiopmQOS/LxxqIzeMXlYV4OsSvxTo
-+G7mcTOFRtU5hKCK+t8qeQQpa/dsMpiHllwArnRyBjIVgL5lFKRpHUGLsavU/T1IH
-+mtgaxZo32dXvcAh1+ndCHVBwbHTOF4conA+g+Usp4bZSSWn5nU4oIizvSVpG7SGe
-+0GngdxH9Usdqbvzcip1EKeHRTZrHIEYmB+x0LaRIB3dwZNidK3TkKw==
-+-----END RSA PRIVATE KEY-----
-+
-+PublicKey = RSA-3072-PUBLIC
-+-----BEGIN PUBLIC KEY-----
-+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAr9ccqtXp9bjGw2cHCkfx
-+nX5mrt4YpbJ0H7PE0zQ0VgaSotkJ72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjd
-+vwDdu+OG0zuNDiKxtEk23EiYcbhSN7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni
-+5QyIPH16wQ7Wp02ayQ35EpkFoX1KCHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3Vx
-+UosvFxargW1uygcnveqYBZMpcw64wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx
-+7S/IPlcZnP5ZCLEAh+J/vZfSwkIUYZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+v
-+EN0V6VI3gMfVrlgJStUlqQY7TDP5XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/
-+gaEJANFIIOuAGvTxpZbEuc6aUx/PilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDk
-+ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE=
-+-----END PUBLIC KEY-----
-+
-+PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC
-+
-+Availablein = default
-+# a random invalid ciphertext that generates an empty synthethic one
-+Decrypt = RSA-3072
-+Input = 
5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59 -+Output = -+ -+Availablein = default -+# a random invalid that has PRF output with a length one byte too long -+# in the last value -+Decrypt = RSA-3072 -+Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa28b791188374b61916dbc11339bf14b06f5f3f68c206c5607380e13da3129bfb744157e1527dd6fdf6651248b028a496ae1b97702d44706043cdaa7a59c0f41367303f21f268968bf3bd2904db3ae5239b55f8b438d93d7db9d1666c071c0857e2ec37757463769c54e51f052b2a71b04c2869e9e7049a1037b8429206c99726f07289bac18363e7eb2a5b417f47c37a55090cda676517b3549c873f2fe95da9681752ec9864b069089a2ed2f340c8b04ee00079055a817a3355b46ac7dc00d17f4504ccfbcfcadb0c04cb6b22069e179385ae1eafabad5521bac2b8a8ee1dfff59a22eb3fdacfc87175d10d7894cfd869d056057dd9944b869c1784fcc27f731bc46171d39570fbffbadf082d33f6352ecf44aca8d9478e53f5a5b7c852b401e8f5f74da49da91e65bdc97765a9523b7a0885a6f8afe5759d58009fbfa837472a968e6ae92026a5e0202a395483095302d6c3985b5f5831c521a271 -+Output = 56a3bea054e01338be9b7d7957539c -+ -+Availablein = default -+# a random invalid that generates a synthethic of maximum size -+Decrypt = RSA-3072 -+Input = 
1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6 -+Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04 -+ -+# a positive test case that decrypts to 9 byte long value -+Availablein = default -+Decrypt = RSA-3072 -+Input = 
6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde -+Output = "forty two" -+ -+# a positive test case with null padded ciphertext -+Availablein = default -+Decrypt = RSA-3072 -+Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 -+Output = "forty two" -+ -+# a positive test case with null truncated ciphertext -+Availablein = default -+Decrypt = RSA-3072 -+Input = 
f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 -+Output = "forty two" -+ -+# a positive test case with double null padded ciphertext -+Availablein = default -+Decrypt = RSA-3072 -+Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 -+Output = "forty two" -+ -+# a positive test case with double null truncated ciphertext -+Availablein = default -+Decrypt = RSA-3072 -+Input = 
1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 -+Output = "forty two" -+ -+Availablein = default -+# a random negative test case that generates a 9 byte long message -+Decrypt = RSA-3072 -+Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56 -+Output = 257906ca6de8307728 -+ -+Availablein = default -+# a random negative test case that generates a 9 byte long message based on -+# second to last value from PRF -+Decrypt = RSA-3072 -+Input = 
758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a03a2c10eb624a63322d854da195c017b76fea83e274fa371834dcd2f3b7accf433fc212ad76c0bac366e1ed32e25b279f94129be7c64d6e162adc08ccebc0cfe8e926f01c33ab9c065f0e0ac83ae5137a4cb66702615ad68a35707d8676d2740d7c1a954680c83980e19778ed11eed3a7c2dbdfc461a9bbef671c1bc00c882d361d29d5f80c42bdf5efec886c34138f83369c6933b2ac4e93e764265351b4a0083f040e14f511f09b22f96566138864e4e6ff24da4810095da98e0585410951538ced2f757a277ff8e17172f06572c9024eeae503f176fd46eb6c5cd9ba07af11cde31dccac12eb3a4249a7bfd3b19797ad1656984bfcbf6f74e8f99d8f1ac420811f3d166d87f935ef15ae858cf9e72c8e2b547bf16c3fb09a8c9bf88fd2e5d38bf24ed610896131a84df76b9f920fe76d71fff938e9199f3b8cd0c11fd0201f9139d7673a871a9e7d4adc3bbe360c8813617cd60a90128fbe34c9d5 -+Output = 043383c929060374ed -+ -+Availablein = default -+# a random negative test that generates message based on 3rd last value from -+# PRF -+Decrypt = RSA-3072 -+Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf4868174a91d7601a82975d2255190d28b869141d7c395f0b8c4e2be2b2c1b4ffc12ce749a6f6803d4cfe7fba0a8d6949c04151f981c0d84592aa2ff25d1bd3ce5d10cb03daca6b496c6ad40d30bfa8acdfd02cdb9326c4bdd93b949c9dc46caa8f0e5f429785bce64136a429a3695ee674b647452bea1b0c6de9c5f1e8760d5ef6d5a9cfff40457b023d3c233c1dcb323e7808103e73963b2eafc928c9eeb0ee3294955415c1ddd9a1bb7e138fecd79a3cb89c57bd2305524624814aaf0fd1acbf379f7f5b39421f12f115ba488d380586095bb53f174fae424fa4c8e3b299709cd344b9f949b1ab57f1c645d7ed3c8f81d5594197355029fee8960970ff59710dc0e5eb50ea6f4c3938e3f89ed7933023a2c2ddffaba07be147f686828bd7d520f300507ed6e71bdaee05570b27bc92741108ac2eb433f028e138dd6d63067bc206ea2d826a7f41c0d613daed020f0f30f4e272e9618e0a8c39018a83 -+Output = 70263fa6050534b9e0 -+ -+Availablein = default -+# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) -+Decrypt = RSA-3072 -+Input = 
6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62 -+Output = 6d8d3a094ff3afff4c -+ -+Availablein = default -+# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) -+Decrypt = RSA-3072 -+Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936 -+Output = c6ae80ffa80bc184b0 -+ -+Availablein = default -+# an otherwise valid plaintext, but with zero byte in first byte of padding -+Decrypt = RSA-3072 -+Input = 
8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0 -+Output = a8a9301daa01bb25c7 -+ -+Availablein = default -+# an otherwise valid plaintext, but with zero byte in eight byte of padding -+Decrypt = RSA-3072 -+Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571 -+Output = 6c716fe01d44398018 -+ -+Availablein = default -+# an otherwise valid plaintext, but with null separator missing -+Decrypt = RSA-3072 -+Input = 
a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4 -+Output = aa2de6cde4e2442884 -+ - # RSA PSS key tests - - # PSS only key, no parameter restrictions diff --git a/0122-CVE-2023-2650.patch b/0122-CVE-2023-2650.patch deleted file mode 100644 index ba56969..0000000 --- a/0122-CVE-2023-2650.patch +++ /dev/null 
@@ -1,30 +0,0 @@
-diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c
-index 01cde00e98..c0e55197a0 100644
---- a/crypto/objects/obj_dat.c
-+++ b/crypto/objects/obj_dat.c
-@@ -443,6 +443,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name)
- first = 1;
- bl = NULL;
-
-+ /*
-+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs:
-+ *
-+ * > 3.5. OBJECT IDENTIFIER values
-+ * >
-+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative
-+ * > numbers. For the SMIv2, each number in the list is referred to as a
-+ * > sub-identifier, there are at most 128 sub-identifiers in a value,
-+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295
-+ * > decimal).
-+ *
-+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7),
-+ * i.e. 586 bytes long.
-+ *
-+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5
-+ */
-+ if (len > 586)
-+ goto err;
-+
- while (len > 0) {
- l = 0;
- use_bn = 0;
diff --git a/0122-TMP-KTLS-test-skip.patch b/0122-TMP-KTLS-test-skip.patch
new file mode 100644
index 0000000..f037ee3
--- /dev/null
+++ b/0122-TMP-KTLS-test-skip.patch
@@ -0,0 +1,16 @@
+diff -up openssl-3.2.1/test/sslapitest.c.xxx openssl-3.2.1/test/sslapitest.c
+--- openssl-3.2.1/test/sslapitest.c.xxx 2024-04-15 10:14:47.292448045 +0200
++++ openssl-3.2.1/test/sslapitest.c 2024-04-15 10:15:23.428396994 +0200
+@@ -1020,9 +1020,10 @@ static int execute_test_large_message(co
+ /* sock must be connected */
+ static int ktls_chk_platform(int sock)
+ {
+- if (!ktls_enable(sock))
++/* if (!ktls_enable(sock))
+ return 0;
+- return 1;
++ return 1; */
++ return 0;
+ }
+
+ static int ping_pong_query(SSL *clientssl, SSL *serverssl)
diff --git a/0123-ibmca-atexit-crash.patch b/0123-ibmca-atexit-crash.patch
deleted file mode 100644
index 893e598..0000000
--- a/0123-ibmca-atexit-crash.patch
+++ /dev/null
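Review bot: `ktls_chk_platform()` in the added 0122-TMP-KTLS-test-skip.patch now returns 0 unconditionally, so any test in sslapitest.c that gates on it (the callers are outside the hunk, presumably all KTLS cases) is skipped and the kernel-TLS record path is packaged without regression coverage, yet nothing in the patch says why or until when. I would record that next to the change, e.g. `/* TMP: KTLS tests skipped in this build, see <tracking-id placeholder>; restore the ktls_enable() check once resolved */`, and add `(void)sock;` since the parameter is no longer used. Wrapping the old body in `/* ... */` is also fragile because C comments do not nest; `#if 0` / `#endif` around the original three lines keeps them intact and easier to revert.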
@@ -1,244 +0,0 @@ -diff --git a/crypto/context.c b/crypto/context.c -index bdfc4d02a3f0..548665fba265 100644 ---- a/crypto/context.c -+++ b/crypto/context.c -@@ -15,6 +15,7 @@ - #include "internal/bio.h" - #include "internal/provider.h" - #include "crypto/ctype.h" -+#include "crypto/rand.h" - - # include - # include -@@ -271,6 +272,20 @@ OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx) - - return NULL; - } -+ -+void ossl_release_default_drbg_ctx(void) -+{ -+ int dynidx = default_context_int.dyn_indexes[OSSL_LIB_CTX_DRBG_INDEX]; -+ -+ /* early release of the DRBG in global default libctx, no locking */ -+ if (dynidx != -1) { -+ void *data; -+ -+ data = CRYPTO_get_ex_data(&default_context_int.data, dynidx); -+ ossl_rand_ctx_free(data); -+ CRYPTO_set_ex_data(&default_context_int.data, dynidx, NULL); -+ } -+} - #endif - - OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx) -diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c -index c453d3226133..f341d915db76 100644 ---- a/crypto/rand/rand_lib.c -+++ b/crypto/rand/rand_lib.c -@@ -96,6 +96,7 @@ void ossl_rand_cleanup_int(void) - CRYPTO_THREAD_lock_free(rand_meth_lock); - rand_meth_lock = NULL; - # endif -+ ossl_release_default_drbg_ctx(); - rand_inited = 0; - } - -@@ -469,7 +470,7 @@ static void *rand_ossl_ctx_new(OSSL_LIB_CTX *libctx) - return NULL; - } - --static void rand_ossl_ctx_free(void *vdgbl) -+void ossl_rand_ctx_free(void *vdgbl) - { - RAND_GLOBAL *dgbl = vdgbl; - -@@ -494,7 +495,7 @@ static void rand_ossl_ctx_free(void *vdgbl) - static const OSSL_LIB_CTX_METHOD rand_drbg_ossl_ctx_method = { - OSSL_LIB_CTX_METHOD_PRIORITY_2, - rand_ossl_ctx_new, -- rand_ossl_ctx_free, -+ ossl_rand_ctx_free, - }; - - static RAND_GLOBAL *rand_get_global(OSSL_LIB_CTX *libctx) -diff --git a/engines/e_dasync.c b/engines/e_dasync.c -index 5a303a9f8528..7974106ae219 100644 ---- a/engines/e_dasync.c -+++ b/engines/e_dasync.c -@@ -139,6 +139,14 @@ static int dasync_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, 
unsigned char *out, - const unsigned char *in, size_t inl); - static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx); - -+static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, -+ void *ptr); -+static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, -+ const unsigned char *iv, int enc); -+static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, size_t inl); -+static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx); -+ - static int dasync_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, - int arg, void *ptr); - static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, -@@ -171,6 +179,12 @@ static const EVP_CIPHER *dasync_aes_128_cbc(void) - return _hidden_aes_128_cbc; - } - -+static EVP_CIPHER *_hidden_aes_256_ctr = NULL; -+static const EVP_CIPHER *dasync_aes_256_ctr(void) -+{ -+ return _hidden_aes_256_ctr; -+} -+ - /* - * Holds the EVP_CIPHER object for aes_128_cbc_hmac_sha1 in this engine. Set up - * once only during engine bind and can then be reused many times. 
-@@ -192,8 +206,10 @@ static const EVP_CIPHER *dasync_aes_128_cbc_hmac_sha1(void) - static void destroy_ciphers(void) - { - EVP_CIPHER_meth_free(_hidden_aes_128_cbc); -+ EVP_CIPHER_meth_free(_hidden_aes_256_ctr); - EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1); - _hidden_aes_128_cbc = NULL; -+ _hidden_aes_256_ctr = NULL; - _hidden_aes_128_cbc_hmac_sha1 = NULL; - } - -@@ -202,6 +218,7 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, - - static int dasync_cipher_nids[] = { - NID_aes_128_cbc, -+ NID_aes_256_ctr, - NID_aes_128_cbc_hmac_sha1, - 0 - }; -@@ -284,6 +301,30 @@ static int bind_dasync(ENGINE *e) - _hidden_aes_128_cbc = NULL; - } - -+ _hidden_aes_256_ctr = EVP_CIPHER_meth_new(NID_aes_256_ctr, -+ 1 /* block size */, -+ 32 /* key len */); -+ if (_hidden_aes_256_ctr == NULL -+ || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_256_ctr,16) -+ || !EVP_CIPHER_meth_set_flags(_hidden_aes_256_ctr, -+ EVP_CIPH_FLAG_DEFAULT_ASN1 -+ | EVP_CIPH_CTR_MODE -+ | EVP_CIPH_FLAG_PIPELINE -+ | EVP_CIPH_CUSTOM_COPY) -+ || !EVP_CIPHER_meth_set_init(_hidden_aes_256_ctr, -+ dasync_aes256_init_key) -+ || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_256_ctr, -+ dasync_aes256_ctr_cipher) -+ || !EVP_CIPHER_meth_set_cleanup(_hidden_aes_256_ctr, -+ dasync_aes256_ctr_cleanup) -+ || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_256_ctr, -+ dasync_aes256_ctr_ctrl) -+ || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_256_ctr, -+ sizeof(struct dasync_pipeline_ctx))) { -+ EVP_CIPHER_meth_free(_hidden_aes_256_ctr); -+ _hidden_aes_256_ctr = NULL; -+ } -+ - _hidden_aes_128_cbc_hmac_sha1 = EVP_CIPHER_meth_new( - NID_aes_128_cbc_hmac_sha1, - 16 /* block size */, -@@ -445,6 +486,9 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, - case NID_aes_128_cbc: - *cipher = dasync_aes_128_cbc(); - break; -+ case NID_aes_256_ctr: -+ *cipher = dasync_aes_256_ctr(); -+ break; - case NID_aes_128_cbc_hmac_sha1: - *cipher = dasync_aes_128_cbc_hmac_sha1(); - break; -@@ -779,6 +823,29 @@ 
static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx) - return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc()); - } - -+static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, -+ void *ptr) -+{ -+ return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 0, EVP_aes_256_ctr()); -+} -+ -+static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, -+ const unsigned char *iv, int enc) -+{ -+ return dasync_cipher_init_key_helper(ctx, key, iv, enc, EVP_aes_256_ctr()); -+} -+ -+static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, size_t inl) -+{ -+ return dasync_cipher_helper(ctx, out, in, inl, EVP_aes_256_ctr()); -+} -+ -+static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx) -+{ -+ return dasync_cipher_cleanup_helper(ctx, EVP_aes_256_ctr()); -+} -+ - - /* - * AES128 CBC HMAC SHA1 Implementation -diff --git a/include/crypto/rand.h b/include/crypto/rand.h -index 6a71a339c812..165deaf95c5e 100644 ---- a/include/crypto/rand.h -+++ b/include/crypto/rand.h -@@ -125,4 +125,5 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle, - size_t ossl_pool_acquire_entropy(RAND_POOL *pool); - int ossl_pool_add_nonce_data(RAND_POOL *pool); - -+void ossl_rand_ctx_free(void *vdgbl); - #endif -diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h -index 1291299b6e50..934d4b089c20 100644 ---- a/include/internal/cryptlib.h -+++ b/include/internal/cryptlib.h -@@ -199,6 +199,8 @@ int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx, - int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn); - const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx); - -+void ossl_release_default_drbg_ctx(void); -+ - OSSL_LIB_CTX *ossl_crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad); - int ossl_crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj, - CRYPTO_EX_DATA *ad); -diff --git a/test/recipes/05-test_rand.t 
b/test/recipes/05-test_rand.t -index 4da1e64cb6da..3f352db9df3a 100644 ---- a/test/recipes/05-test_rand.t -+++ b/test/recipes/05-test_rand.t -@@ -11,9 +11,30 @@ use warnings; - use OpenSSL::Test; - use OpenSSL::Test::Utils; - --plan tests => 3; -+plan tests => 5; - setup("test_rand"); - - ok(run(test(["rand_test"]))); - ok(run(test(["drbgtest"]))); - ok(run(test(["rand_status_test"]))); -+ -+SKIP: { -+ skip "engine is not supported by this OpenSSL build", 2 -+ if disabled("engine") || disabled("dynamic-engine"); -+ -+ my $success; -+ my @randdata; -+ my $expected = '0102030405060708090a0b0c0d0e0f10'; -+ -+ @randdata = run(app(['openssl', 'rand', '-engine', 'ossltest', '-hex', '16' ]), -+ capture => 1, statusvar => \$success); -+ chomp(@randdata); -+ ok($success and $randdata[0] eq $expected, -+ "rand with ossltest: Check rand output is as expected"); -+ -+ @randdata = run(app(['openssl', 'rand', '-engine', 'dasync', '-hex', '16' ]), -+ capture => 1, statusvar => \$success); -+ chomp(@randdata); -+ ok($success and length($randdata[0]) == 32, -+ "rand with dasync: Check rand output is of expected length"); -+} diff --git a/0125-CVE-2023-2975.patch b/0125-CVE-2023-2975.patch deleted file mode 100644 index 4717087..0000000 --- a/0125-CVE-2023-2975.patch +++ /dev/null 
@@ -1,30 +0,0 @@
-diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c
-index 45010b90db..b396c8651a 100644
---- a/providers/implementations/ciphers/cipher_aes_siv.c
-+++ b/providers/implementations/ciphers/cipher_aes_siv.c
-@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl,
- if (!ossl_prov_is_running())
- return 0;
-
-- if (inl == 0) {
-- *outl = 0;
-- return 1;
-- }
-+ /* Ignore just empty encryption/decryption call and not AAD. */
-+ if (out != NULL) {
-+ if (inl == 0) {
-+ if (outl != NULL)
-+ *outl = 0;
-+ return 1;
-+ }
-
-- if (outsize < inl) {
-- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-- return 0;
-+ if (outsize < inl) {
-+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL);
-+ return 0;
-+ }
- }
-
- if (ctx->hw->cipher(ctx, out, in, inl) <= 0)
diff --git a/0126-CVE-2023-3446.patch b/0126-CVE-2023-3446.patch
deleted file mode 100644
index 38132cf..0000000
--- a/0126-CVE-2023-3446.patch
+++ /dev/null
@@ -1,74 +0,0 @@
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index 0b391910d6..84a926998e 100644
---- a/crypto/dh/dh_check.c
-+++ b/crypto/dh/dh_check.c
-@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret)
- if (nid != NID_undef)
- return 1;
-
-+ /* Don't do any checks at all with an excessively large modulus */
-+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) {
-+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE);
-+ return 0;
-+ }
-+
- if (!DH_check_params(dh, ret))
- return 0;
-
-diff --git a/include/openssl/dh.h b/include/openssl/dh.h
-index b97871eca7..36420f51d8 100644
---- a/include/openssl/dh.h
-+++ b/include/openssl/dh.h
-@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm);
- # include
-
- # ifndef OPENSSL_DH_MAX_MODULUS_BITS
--# define OPENSSL_DH_MAX_MODULUS_BITS 10000
-+# define OPENSSL_DH_MAX_MODULUS_BITS 10000
-+# endif
-+
-+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS
-+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768
- # endif
-
- # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
-diff --git a/test/dhtest.c b/test/dhtest.c
-index 7b587f3cfa..f8dd8f3aa7 100644
---- a/test/dhtest.c
-+++ b/test/dhtest.c
-@@ -73,7 +73,7 @@ static int dh_test(void)
- goto err1;
-
- /* check fails, because p is way too small */
-- if (!DH_check(dh, &i))
-+ if (!TEST_true(DH_check(dh, &i)))
- goto err2;
- i ^= DH_MODULUS_TOO_SMALL;
- if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
-@@ -124,6 +124,17 @@ static int dh_test(void)
- /* We'll have a stale error on the queue from the above test so clear it */
- ERR_clear_error();
-
-+ /* Modulus of size: dh check max modulus bits + 1 */
-+ if (!TEST_true(BN_set_word(p, 1))
-+ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
-+ goto err3;
-+
-+ /*
-+ * We expect no checks at all for an excessively large modulus
-+ */
-+ if (!TEST_false(DH_check(dh, &i)))
-+ goto err3;
-+
- /*
- * II) key generation
- */
-@@ -138,7 +149,7 @@ static int dh_test(void)
- goto err3;
-
- /* ... and check whether it is valid */
-- if (!DH_check(a, &i))
-+ if (!TEST_true(DH_check(a, &i)))
- goto err3;
- if (!TEST_false(i & DH_CHECK_P_NOT_PRIME)
- || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME)
diff --git a/0127-CVE-2023-3817.patch b/0127-CVE-2023-3817.patch
deleted file mode 100644
index 5fc72e7..0000000
--- a/0127-CVE-2023-3817.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c
-index aef6f9b1b7..fbe2797569 100644
---- a/crypto/dh/dh_check.c
-+++ b/crypto/dh/dh_check.c
-@@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret)
- #ifdef FIPS_MODULE
- return DH_check_params(dh, ret);
- #else
-- int ok = 0, r;
-+ int ok = 0, r, q_good = 0;
- BN_CTX *ctx = NULL;
- BIGNUM *t1 = NULL, *t2 = NULL;
- int nid = DH_get_nid((DH *)dh);
-@@ -172,6 +172,13 @@ int DH_check(const DH *dh, int *ret)
- goto err;
-
- if (dh->params.q != NULL) {
-+ if (BN_ucmp(dh->params.p, dh->params.q) > 0)
-+ q_good = 1;
-+ else
-+ *ret |= DH_CHECK_INVALID_Q_VALUE;
-+ }
-+
-+ if (q_good) {
- if (BN_cmp(dh->params.g, BN_value_one()) <= 0)
- *ret |= DH_NOT_SUITABLE_GENERATOR;
- else if (BN_cmp(dh->params.g, dh->params.p) >= 0)
-diff --git a/test/dhtest.c b/test/dhtest.c
-index f8dd8f3aa7..d02b3b7c58 100644
---- a/test/dhtest.c
-+++ b/test/dhtest.c
-@@ -124,6 +124,15 @@ static int dh_test(void)
- /* We'll have a stale error on the queue from the above test so clear it */
- ERR_clear_error();
-
-+ if (!TEST_ptr(BN_copy(q, p)) || !TEST_true(BN_add(q, q, BN_value_one())))
-+ goto err3;
-+
-+ if (!TEST_true(DH_check(dh, &i)))
-+ goto err3;
-+ if (!TEST_true(i & DH_CHECK_INVALID_Q_VALUE)
-+ || !TEST_false(i & DH_CHECK_Q_NOT_PRIME))
-+ goto err3;
-+
- /* Modulus of size: dh check max modulus bits + 1 */
- if (!TEST_true(BN_set_word(p, 1))
- || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS)))
-@@ -135,6 +144,9 @@ static int dh_test(void)
- if (!TEST_false(DH_check(dh, &i)))
- goto err3;
-
-+ /* We'll have a stale error on the queue from the above test so clear it */
-+ ERR_clear_error();
-+
- /*
- * II) key generation
- */
diff --git a/0128-CVE-2023-5363.patch b/0128-CVE-2023-5363.patch
deleted file mode 100644
index 8610da0..0000000
--- a/0128-CVE-2023-5363.patch
+++ /dev/null
@@ -1,318 +0,0 @@ -diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c -index d2ed3fd378..6a819590e6 100644 ---- a/crypto/evp/evp_enc.c -+++ b/crypto/evp/evp_enc.c -@@ -223,6 +223,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, - return 0; - } - -+#ifndef FIPS_MODULE -+ /* -+ * Fix for CVE-2023-5363 -+ * Passing in a size as part of the init call takes effect late -+ * so, force such to occur before the initialisation. -+ * -+ * The FIPS provider's internal library context is used in a manner -+ * such that this is not an issue. -+ */ -+ if (params != NULL) { -+ OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END, -+ OSSL_PARAM_END }; -+ OSSL_PARAM *q = param_lens; -+ const OSSL_PARAM *p; -+ -+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); -+ if (p != NULL) -+ memcpy(q++, p, sizeof(*q)); -+ -+ /* -+ * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for -+ * OSSL_CIPHER_PARAM_IVLEN so both are covered here. -+ */ -+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN); -+ if (p != NULL) -+ memcpy(q++, p, sizeof(*q)); -+ -+ if (q != param_lens) { -+ if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) { -+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH); -+ return 0; -+ } -+ } -+ } -+#endif -+ - if (enc) { - if (ctx->cipher->einit == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c -index cfffa21350..2318bf6a68 100644 ---- a/test/evp_extra_test.c -+++ b/test/evp_extra_test.c -@@ -4851,6 +4851,253 @@ static int test_ecx_not_private_key(int tst) - return options; - } - -+static int aes_gcm_encrypt(const unsigned char *gcm_key, size_t gcm_key_s, -+ const unsigned char *gcm_iv, size_t gcm_ivlen, -+ const unsigned char *gcm_pt, size_t gcm_pt_s, -+ const unsigned char *gcm_aad, size_t gcm_aad_s, -+ const unsigned char *gcm_ct, size_t gcm_ct_s, -+ const unsigned char *gcm_tag, size_t gcm_tag_s) -+{ -+ int ret = 0; -+ EVP_CIPHER_CTX *ctx; -+ EVP_CIPHER 
*cipher = NULL; -+ int outlen, tmplen; -+ unsigned char outbuf[1024]; -+ unsigned char outtag[16]; -+ OSSL_PARAM params[2] = { -+ OSSL_PARAM_END, OSSL_PARAM_END -+ }; -+ -+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) -+ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", ""))) -+ goto err; -+ -+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, -+ &gcm_ivlen); -+ -+ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params)) -+ || (gcm_aad != NULL -+ && !TEST_true(EVP_EncryptUpdate(ctx, NULL, &outlen, -+ gcm_aad, gcm_aad_s))) -+ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen, -+ gcm_pt, gcm_pt_s)) -+ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen))) -+ goto err; -+ -+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, -+ outtag, sizeof(outtag)); -+ -+ if (!TEST_true(EVP_CIPHER_CTX_get_params(ctx, params)) -+ || !TEST_mem_eq(outbuf, outlen, gcm_ct, gcm_ct_s) -+ || !TEST_mem_eq(outtag, gcm_tag_s, gcm_tag, gcm_tag_s)) -+ goto err; -+ -+ ret = 1; -+err: -+ EVP_CIPHER_free(cipher); -+ EVP_CIPHER_CTX_free(ctx); -+ -+ return ret; -+} -+ -+static int aes_gcm_decrypt(const unsigned char *gcm_key, size_t gcm_key_s, -+ const unsigned char *gcm_iv, size_t gcm_ivlen, -+ const unsigned char *gcm_pt, size_t gcm_pt_s, -+ const unsigned char *gcm_aad, size_t gcm_aad_s, -+ const unsigned char *gcm_ct, size_t gcm_ct_s, -+ const unsigned char *gcm_tag, size_t gcm_tag_s) -+{ -+ int ret = 0; -+ EVP_CIPHER_CTX *ctx; -+ EVP_CIPHER *cipher = NULL; -+ int outlen; -+ unsigned char outbuf[1024]; -+ OSSL_PARAM params[2] = { -+ OSSL_PARAM_END, OSSL_PARAM_END -+ }; -+ -+ if ((ctx = EVP_CIPHER_CTX_new()) == NULL) -+ goto err; -+ -+ if ((cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")) == NULL) -+ goto err; -+ -+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, -+ &gcm_ivlen); -+ -+ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params)) -+ || (gcm_aad != NULL -+ && 
!TEST_true(EVP_DecryptUpdate(ctx, NULL, &outlen, -+ gcm_aad, gcm_aad_s))) -+ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen, -+ gcm_ct, gcm_ct_s)) -+ || !TEST_mem_eq(outbuf, outlen, gcm_pt, gcm_pt_s)) -+ goto err; -+ -+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, -+ (void*)gcm_tag, gcm_tag_s); -+ -+ if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params)) -+ ||!TEST_true(EVP_DecryptFinal_ex(ctx, outbuf, &outlen))) -+ goto err; -+ -+ ret = 1; -+err: -+ EVP_CIPHER_free(cipher); -+ EVP_CIPHER_CTX_free(ctx); -+ -+ return ret; -+} -+ -+static int test_aes_gcm_ivlen_change_cve_2023_5363(void) -+{ -+ /* AES-GCM test data obtained from NIST public test vectors */ -+ static const unsigned char gcm_key[] = { -+ 0xd0, 0xc2, 0x67, 0xc1, 0x9f, 0x30, 0xd8, 0x0b, 0x89, 0x14, 0xbb, 0xbf, -+ 0xb7, 0x2f, 0x73, 0xb8, 0xd3, 0xcd, 0x5f, 0x6a, 0x78, 0x70, 0x15, 0x84, -+ 0x8a, 0x7b, 0x30, 0xe3, 0x8f, 0x16, 0xf1, 0x8b, -+ }; -+ static const unsigned char gcm_iv[] = { -+ 0xb6, 0xdc, 0xda, 0x95, 0xac, 0x99, 0x77, 0x76, 0x25, 0xae, 0x87, 0xf8, -+ 0xa3, 0xa9, 0xdd, 0x64, 0xd7, 0x9b, 0xbd, 0x5f, 0x4a, 0x0e, 0x54, 0xca, -+ 0x1a, 0x9f, 0xa2, 0xe3, 0xf4, 0x5f, 0x5f, 0xc2, 0xce, 0xa7, 0xb6, 0x14, -+ 0x12, 0x6f, 0xf0, 0xaf, 0xfd, 0x3e, 0x17, 0x35, 0x6e, 0xa0, 0x16, 0x09, -+ 0xdd, 0xa1, 0x3f, 0xd8, 0xdd, 0xf3, 0xdf, 0x4f, 0xcb, 0x18, 0x49, 0xb8, -+ 0xb3, 0x69, 0x2c, 0x5d, 0x4f, 0xad, 0x30, 0x91, 0x08, 0xbc, 0xbe, 0x24, -+ 0x01, 0x0f, 0xbe, 0x9c, 0xfb, 0x4f, 0x5d, 0x19, 0x7f, 0x4c, 0x53, 0xb0, -+ 0x95, 0x90, 0xac, 0x7b, 0x1f, 0x7b, 0xa0, 0x99, 0xe1, 0xf3, 0x48, 0x54, -+ 0xd0, 0xfc, 0xa9, 0xcc, 0x91, 0xf8, 0x1f, 0x9b, 0x6c, 0x9a, 0xe0, 0xdc, -+ 0x63, 0xea, 0x7d, 0x2a, 0x4a, 0x7d, 0xa5, 0xed, 0x68, 0x57, 0x27, 0x6b, -+ 0x68, 0xe0, 0xf2, 0xb8, 0x51, 0x50, 0x8d, 0x3d, -+ }; -+ static const unsigned char gcm_pt[] = { -+ 0xb8, 0xb6, 0x88, 0x36, 0x44, 0xe2, 0x34, 0xdf, 0x24, 0x32, 0x91, 0x07, -+ 0x4f, 0xe3, 0x6f, 0x81, -+ }; -+ static const unsigned char gcm_ct[] = { -+ 
0xff, 0x4f, 0xb3, 0xf3, 0xf9, 0xa2, 0x51, 0xd4, 0x82, 0xc2, 0xbe, 0xf3, -+ 0xe2, 0xd0, 0xec, 0xed, -+ }; -+ static const unsigned char gcm_tag[] = { -+ 0xbd, 0x06, 0x38, 0x09, 0xf7, 0xe1, 0xc4, 0x72, 0x0e, 0xf2, 0xea, 0x63, -+ 0xdb, 0x99, 0x6c, 0x21, -+ }; -+ -+ return aes_gcm_encrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv), -+ gcm_pt, sizeof(gcm_pt), NULL, 0, -+ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag)) -+ && aes_gcm_decrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv), -+ gcm_pt, sizeof(gcm_pt), NULL, 0, -+ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag)); -+} -+ -+#ifndef OPENSSL_NO_RC4 -+static int rc4_encrypt(const unsigned char *rc4_key, size_t rc4_key_s, -+ const unsigned char *rc4_pt, size_t rc4_pt_s, -+ const unsigned char *rc4_ct, size_t rc4_ct_s) -+{ -+ int ret = 0; -+ EVP_CIPHER_CTX *ctx; -+ EVP_CIPHER *cipher = NULL; -+ int outlen, tmplen; -+ unsigned char outbuf[1024]; -+ OSSL_PARAM params[2] = { -+ OSSL_PARAM_END, OSSL_PARAM_END -+ }; -+ -+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) -+ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "RC4", ""))) -+ goto err; -+ -+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, -+ &rc4_key_s); -+ -+ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, rc4_key, NULL, params)) -+ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen, -+ rc4_pt, rc4_pt_s)) -+ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen))) -+ goto err; -+ -+ if (!TEST_mem_eq(outbuf, outlen, rc4_ct, rc4_ct_s)) -+ goto err; -+ -+ ret = 1; -+err: -+ EVP_CIPHER_free(cipher); -+ EVP_CIPHER_CTX_free(ctx); -+ -+ return ret; -+} -+ -+static int rc4_decrypt(const unsigned char *rc4_key, size_t rc4_key_s, -+ const unsigned char *rc4_pt, size_t rc4_pt_s, -+ const unsigned char *rc4_ct, size_t rc4_ct_s) -+{ -+ int ret = 0; -+ EVP_CIPHER_CTX *ctx; -+ EVP_CIPHER *cipher = NULL; -+ int outlen; -+ unsigned char outbuf[1024]; -+ OSSL_PARAM params[2] = { -+ OSSL_PARAM_END, OSSL_PARAM_END -+ }; -+ -+ if ((ctx = 
EVP_CIPHER_CTX_new()) == NULL) -+ goto err; -+ -+ if ((cipher = EVP_CIPHER_fetch(testctx, "RC4", "")) == NULL) -+ goto err; -+ -+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, -+ &rc4_key_s); -+ -+ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, rc4_key, NULL, params)) -+ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen, -+ rc4_ct, rc4_ct_s)) -+ || !TEST_mem_eq(outbuf, outlen, rc4_pt, rc4_pt_s)) -+ goto err; -+ -+ ret = 1; -+err: -+ EVP_CIPHER_free(cipher); -+ EVP_CIPHER_CTX_free(ctx); -+ -+ return ret; -+} -+ -+static int test_aes_rc4_keylen_change_cve_2023_5363(void) -+{ -+ /* RC4 test data obtained from RFC 6229 */ -+ static const struct { -+ unsigned char key[5]; -+ unsigned char padding[11]; -+ } rc4_key = { -+ { /* Five bytes of key material */ -+ 0x83, 0x32, 0x22, 0x77, 0x2a, -+ }, -+ { /* Random padding to 16 bytes */ -+ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, 0xaa, 0x32, 0x91 -+ } -+ }; -+ static const unsigned char rc4_pt[] = { -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -+ }; -+ static const unsigned char rc4_ct[] = { -+ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, -+ 0x2e, 0x87, 0x9e, 0x92, 0xa4, 0x97, 0xef, 0xda -+ }; -+ -+ if (lgcyprov == NULL) -+ return TEST_skip("Test requires legacy provider to be loaded"); -+ -+ return rc4_encrypt(rc4_key.key, sizeof(rc4_key.key), -+ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct)) -+ && rc4_decrypt(rc4_key.key, sizeof(rc4_key.key), -+ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct)); -+} -+#endif -+ - int setup_tests(void) - { - OPTION_CHOICE o; -@@ -4994,6 +5241,12 @@ int setup_tests(void) - - ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids)); - -+ /* Test cases for CVE-2023-5363 */ -+ ADD_TEST(test_aes_gcm_ivlen_change_cve_2023_5363); -+#ifndef OPENSSL_NO_RC4 -+ ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363); -+#endif -+ - return 1; - } - 
diff --git a/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch b/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch deleted file mode 100644 index 8ee8793..0000000 --- a/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch +++ /dev/null 
@@ -1,49 +0,0 @@
-From 0d873f9f647764df147d818a6e998b1c318bac31 Mon Sep 17 00:00:00 2001
-From: Clemens Lang
-Date: Mon, 16 Oct 2023 15:30:26 +0200
-Subject: [PATCH] rsa: Add SP800-56Br2 6.4.1.2.1 (3.c) check
-
-The code did not yet check that the length of the RSA key is positive
-and even.
-
-Signed-off-by: Clemens Lang
-Upstream-Status: Backport [8b268541d9aabee51699aef22963407362830ef9]
----
- crypto/rsa/rsa_sp800_56b_check.c | 5 +++++
- test/rsa_sp800_56b_test.c | 4 ++++
- 2 files changed, 9 insertions(+)
-
-diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c
-index fc8f19b487..e6b79e953d 100644
---- a/crypto/rsa/rsa_sp800_56b_check.c
-+++ b/crypto/rsa/rsa_sp800_56b_check.c
-@@ -403,6 +403,11 @@ int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed,
- ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
- return 0;
- }
-+ /* (Step 3.c): check that the modulus length is a positive even integer */
-+ if (nbits <= 0 || (nbits & 0x1)) {
-+ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR);
-+ return 0;
-+ }
-
- ctx = BN_CTX_new_ex(rsa->libctx);
- if (ctx == NULL)
-diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c
-index 7660019f47..aa58bbbe6c 100644
---- a/test/rsa_sp800_56b_test.c
-+++ b/test/rsa_sp800_56b_test.c
-@@ -458,6 +458,10 @@ static int test_invalid_keypair(void)
- && TEST_true(BN_add_word(n, 1))
- && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048))
- && TEST_true(BN_sub_word(n, 1))
-+ /* check that validation fails if len(n) is not even */
-+ && TEST_true(BN_lshift1(n, n))
-+ && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2049))
-+ && TEST_true(BN_rshift1(n, n))
- /* check p */
- && TEST_true(BN_sub_word(p, 2))
- && TEST_true(BN_mul(n, p, q, ctx))
---
-2.41.0
-
diff --git a/0130-CVE-2023-5678.patch b/0130-CVE-2023-5678.patch
deleted file mode 100644
index aa98d3b..0000000
--- a/0130-CVE-2023-5678.patch
+++ /dev/null
@@ -1,143 +0,0 @@ -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 7ba2beae7f..e20eb62081 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) - */ - int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) - { -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; -+ return 0; -+ } -+ -+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) { -+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; -+ return 1; -+ } -+ - return ossl_ffc_validate_public_key(&dh->params, pub_key, ret); - } - -diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c -index 4152397426..f76ac0dd14 100644 ---- a/crypto/dh/dh_err.c -+++ b/crypto/dh/dh_err.c -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. 
You can obtain a copy -@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), - "parameter encoding error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), - "unable to check generator"}, -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index d84ea99241..afc49f5cdc 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - goto err; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ goto err; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -@@ -267,6 +273,12 @@ static int generate_key(DH *dh) - return 0; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ return 0; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index e51504b7ab..36de321b74 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set - DH_R_NO_PRIVATE_VALUE:100:no private value - DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error - DH_R_PEER_KEY_ERROR:111:peer key error -+DH_R_Q_TOO_LARGE:130:q too large - DH_R_SHARED_INFO_ERROR:113:shared info error - DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator - DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters -diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h -index 
bb24d131eb..519327f795 100644 ---- a/include/crypto/dherr.h -+++ b/include/crypto/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -diff --git a/include/openssl/dh.h b/include/openssl/dh.h -index 6533260f20..50e0cf54be 100644 ---- a/include/openssl/dh.h -+++ b/include/openssl/dh.h -@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_GENERATOR_3 3 - # define DH_GENERATOR_5 5 - --/* DH_check error codes */ -+/* DH_check error codes, some of them shared with DH_check_pub_key */ - /* - * NB: These values must align with the equivalently named macros in - * internal/ffc.h. -@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 - # define DH_NOT_SUITABLE_GENERATOR 0x08 - # define DH_CHECK_Q_NOT_PRIME 0x10 --# define DH_CHECK_INVALID_Q_VALUE 0x20 -+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ - # define DH_CHECK_INVALID_J_VALUE 0x40 - # define DH_MODULUS_TOO_SMALL 0x80 --# define DH_MODULUS_TOO_LARGE 0x100 -+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ - - /* DH_check_pub_key error codes */ - # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 -diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h -index 5d2a762a96..074a70145f 100644 ---- a/include/openssl/dherr.h -+++ b/include/openssl/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. 
You can obtain a copy -@@ -50,6 +50,7 @@ - # define DH_R_NO_PRIVATE_VALUE 100 - # define DH_R_PARAMETER_ENCODING_ERROR 105 - # define DH_R_PEER_KEY_ERROR 111 -+# define DH_R_Q_TOO_LARGE 130 - # define DH_R_SHARED_INFO_ERROR 113 - # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 - diff --git a/0131-sslgroups-memleak.patch b/0131-sslgroups-memleak.patch deleted file mode 100644 index f292790..0000000 --- a/0131-sslgroups-memleak.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index 51c2283db915d..0928a30c2d37b 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -765,6 +765,7 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, - tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); - if (tmparr == NULL) - goto end; -+ OPENSSL_free(*pext); - *pext = tmparr; - *pextlen = gcb.gidcnt; - ret = 1; diff --git a/0132-CVE-2023-6129.patch b/0132-CVE-2023-6129.patch deleted file mode 100644 index 05e7300..0000000 --- a/0132-CVE-2023-6129.patch +++ /dev/null 
@@ -1,86 +0,0 @@ -diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl -index 9f86134d923fb..2e601bb9c24be 100755 ---- a/crypto/poly1305/asm/poly1305-ppc.pl -+++ b/crypto/poly1305/asm/poly1305-ppc.pl -@@ -744,7 +744,7 @@ - my $LOCALS= 6*$SIZE_T; - my $VSXFRAME = $LOCALS + 6*$SIZE_T; - $VSXFRAME += 128; # local variables -- $VSXFRAME += 13*16; # v20-v31 offload -+ $VSXFRAME += 12*16; # v20-v31 offload - - my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0; - -@@ -919,12 +919,12 @@ - addi r11,r11,32 - stvx v22,r10,$sp - addi r10,r10,32 -- stvx v23,r10,$sp -- addi r10,r10,32 -- stvx v24,r11,$sp -+ stvx v23,r11,$sp - addi r11,r11,32 -- stvx v25,r10,$sp -+ stvx v24,r10,$sp - addi r10,r10,32 -+ stvx v25,r11,$sp -+ addi r11,r11,32 - stvx v26,r10,$sp - addi r10,r10,32 - stvx v27,r11,$sp -@@ -1153,12 +1153,12 @@ - addi r11,r11,32 - stvx v22,r10,$sp - addi r10,r10,32 -- stvx v23,r10,$sp -- addi r10,r10,32 -- stvx v24,r11,$sp -+ stvx v23,r11,$sp - addi r11,r11,32 -- stvx v25,r10,$sp -+ stvx v24,r10,$sp - addi r10,r10,32 -+ stvx v25,r11,$sp -+ addi r11,r11,32 - stvx v26,r10,$sp - addi r10,r10,32 - stvx v27,r11,$sp -@@ -1899,26 +1899,26 @@ - mtspr 256,r12 # restore vrsave - lvx v20,r10,$sp - addi r10,r10,32 -- lvx v21,r10,$sp -- addi r10,r10,32 -- lvx v22,r11,$sp -+ lvx v21,r11,$sp - addi r11,r11,32 -- lvx v23,r10,$sp -+ lvx v22,r10,$sp - addi r10,r10,32 -- lvx v24,r11,$sp -+ lvx v23,r11,$sp - addi r11,r11,32 -- lvx v25,r10,$sp -+ lvx v24,r10,$sp - addi r10,r10,32 -- lvx v26,r11,$sp -+ lvx v25,r11,$sp - addi r11,r11,32 -- lvx v27,r10,$sp -+ lvx v26,r10,$sp - addi r10,r10,32 -- lvx v28,r11,$sp -+ lvx v27,r11,$sp - addi r11,r11,32 -- lvx v29,r10,$sp -+ lvx v28,r10,$sp - addi r10,r10,32 -- lvx v30,r11,$sp -- lvx v31,r10,$sp -+ lvx v29,r11,$sp -+ addi r11,r11,32 -+ lvx v30,r10,$sp -+ lvx v31,r11,$sp - $POP r27,`$VSXFRAME-$SIZE_T*5`($sp) - $POP r28,`$VSXFRAME-$SIZE_T*4`($sp) - $POP r29,`$VSXFRAME-$SIZE_T*3`($sp) 
diff --git a/0133-CVE-2023-6237.patch b/0133-CVE-2023-6237.patch
deleted file mode 100644
index a6f7a9a..0000000
--- a/0133-CVE-2023-6237.patch
+++ /dev/null
@@ -1,93 +0,0 @@ -diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c -index fc8f19b48770b..bcbdd24fb8199 100644 ---- a/crypto/rsa/rsa_sp800_56b_check.c -+++ b/crypto/rsa/rsa_sp800_56b_check.c -@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) - return 0; - - nbits = BN_num_bits(rsa->n); -+ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); -+ return 0; -+ } -+ - #ifdef FIPS_MODULE - /* - * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1) -@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) - goto err; - } - -- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status); -+ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */ -+ ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status); - #ifdef FIPS_MODULE - if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { - #else -diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t -index dc7cc64533af2..f8088df14d36c 100644 ---- a/test/recipes/91-test_pkey_check.t -+++ b/test/recipes/91-test_pkey_check.t -@@ -70,7 +70,7 @@ push(@positive_tests, ( - "dhpkey.pem" - )) unless disabled("dh"); - --my @negative_pubtests = (); -+my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key - - push(@negative_pubtests, ( - "dsapub_noparam.der" -diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem -new file mode 100644 -index 0000000000000..9a2eaedaf1b22 ---- /dev/null -+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem -@@ -0,0 +1,48 @@ -+-----BEGIN PUBLIC KEY----- -+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR -+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph -+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2 -+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/ 
-+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj -+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2 -+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq -+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1 -+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0 -+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j -+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH -+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa -+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y -+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu -+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J -+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo -+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id -+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB -+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi -+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7 -+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN -+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux -+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O -+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi -+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH -+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx -+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP -+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4 -+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS -+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL -+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ -+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ -+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz 
-+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq -+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW -+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC -+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK -+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys -+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC -+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J -+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+ -+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa -+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q -+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb -+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID -+AQAB -+-----END PUBLIC KEY----- diff --git a/0134-engine-based-ECDHE-kex.patch b/0134-engine-based-ECDHE-kex.patch deleted file mode 100644 index fee56f7..0000000 --- a/0134-engine-based-ECDHE-kex.patch +++ /dev/null 
@@ -1,47 +0,0 @@
-diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c
-index 448a3c3043c1c..9010fa6c4638c 100644
---- a/crypto/evp/ctrl_params_translate.c
-+++ b/crypto/evp/ctrl_params_translate.c
-@@ -1134,6 +1134,7 @@ static int fix_ec_paramgen_curve_nid(enum state state,
- const struct translation_st *translation,
- struct translation_ctx_st *ctx)
- {
-+ char *p2 = NULL;
- int ret;
-
- if ((ret = default_check(state, translation, ctx)) <= 0)
-@@ -1146,13 +1147,25 @@ static int fix_ec_paramgen_curve_nid(enum state state,
- if (state == PRE_CTRL_TO_PARAMS) {
- ctx->p2 = (char *)OBJ_nid2sn(ctx->p1);
- ctx->p1 = 0;
-+ } else if (state == PRE_PARAMS_TO_CTRL) {
-+ /*
-+ * We're translating from params to ctrl and setting the curve name.
-+ * The ctrl function needs it to be a NID, but meanwhile, we need
-+ * space to get the curve name from the param. |ctx->name_buf| is
-+ * sufficient for that.
-+ * The double indirection is necessary for default_fixup_args()'s
-+ * call of OSSL_PARAM_get_utf8_string() to be done correctly.
-+ */
-+ p2 = ctx->name_buf;
-+ ctx->p2 = &p2;
-+ ctx->sz = sizeof(ctx->name_buf);
- }
-
- if ((ret = default_fixup_args(state, translation, ctx)) <= 0)
- return ret;
-
- if (state == PRE_PARAMS_TO_CTRL) {
-- ctx->p1 = OBJ_sn2nid(ctx->p2);
-+ ctx->p1 = OBJ_sn2nid(p2);
- ctx->p2 = NULL;
- }
-
-@@ -2789,6 +2802,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx,
- if (translation->fixup_args != NULL)
- fixup = translation->fixup_args;
- ctx.action_type = translation->action_type;
-+ ctx.ctrl_cmd = translation->ctrl_num;
- }
- ctx.pctx = pctx;
- ctx.params = params;
diff --git a/0135-CVE-2024-0727.patch b/0135-CVE-2024-0727.patch
deleted file mode 100644
index ddebf85..0000000
--- a/0135-CVE-2024-0727.patch
+++ /dev/null
@@ -1,178 +0,0 @@ -diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c -index 6fd4184af5a52..80ce31b3bca66 100644 ---- a/crypto/pkcs12/p12_add.c -+++ b/crypto/pkcs12/p12_add.c -@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ -+ if (p7->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); - } - -@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, - { - if (!PKCS7_type_is_encrypted(p7)) - return NULL; -+ -+ if (p7->d.encrypted == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm, - ASN1_ITEM_rptr(PKCS12_SAFEBAGS), - pass, passlen, -@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ -+ if (p12->authsafes->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - p7s = ASN1_item_unpack(p12->authsafes->d.data, - ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); - if (p7s != NULL) { -diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c -index 67a885a45f89e..68ff54d0e90ee 100644 ---- a/crypto/pkcs12/p12_mutl.c -+++ b/crypto/pkcs12/p12_mutl.c -@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, - return 0; - } - -+ if (p12->authsafes->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return 0; -+ } -+ - salt = p12->mac->salt->data; - saltlen = p12->mac->salt->length; - if (p12->mac->iter == NULL) -diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c -index 62230bc6187ff..1e5b5495991a4 100644 ---- a/crypto/pkcs12/p12_npas.c -+++ b/crypto/pkcs12/p12_npas.c -@@ -77,8 +77,9 
@@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) - bags = PKCS12_unpack_p7data(p7); - } else if (bagnid == NID_pkcs7_encrypted) { - bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); -- if (!alg_get(p7->d.encrypted->enc_data->algorithm, -- &pbe_nid, &pbe_iter, &pbe_saltlen)) -+ if (p7->d.encrypted == NULL -+ || !alg_get(p7->d.encrypted->enc_data->algorithm, -+ &pbe_nid, &pbe_iter, &pbe_saltlen)) - goto err; - } else { - continue; -diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c -index 49a0da5f819c4..8228315eeaa3a 100644 ---- a/crypto/pkcs7/pk7_mime.c -+++ b/crypto/pkcs7/pk7_mime.c -@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) - int ctype_nid = OBJ_obj2nid(p7->type); - const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); - -- if (ctype_nid == NID_pkcs7_signed) -+ if (ctype_nid == NID_pkcs7_signed) { -+ if (p7->d.sign == NULL) -+ return 0; - mdalgs = p7->d.sign->md_algs; -- else -+ } else { - mdalgs = NULL; -+ } - - flags ^= SMIME_OLDMIME; - -diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t -index 1f0cb4d501488..b2c376249646d 100644 ---- a/test/recipes/80-test_pkcs12.t -+++ b/test/recipes/80-test_pkcs12.t -@@ -9,7 +9,7 @@ - use strict; - use warnings; - --use OpenSSL::Test qw/:DEFAULT srctop_file/; -+use OpenSSL::Test qw/:DEFAULT srctop_file with/; - use OpenSSL::Test::Utils; - - use Encode; -@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) { - } - $ENV{OPENSSL_WIN32_UTF8}=1; - --plan tests => 13; -+plan tests => 17; - - # Test different PKCS#12 formats - ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats"); -@@ -148,4 +148,25 @@ ok(grep(/subject=CN = server.example/, @pkcs12info) == 1, - # Test that the expected friendly name is present in the output - ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output"); - -+# Test some bad pkcs12 files -+my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12"); -+my $bad2 = 
srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12"); -+my $bad3 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad3.p12"); -+ -+with({ exit_checker => sub { return shift == 1; } }, -+ sub { -+ ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:"])), -+ "test bad pkcs12 file 1"); -+ -+ ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:", -+ "-nomacver"])), -+ "test bad pkcs12 file 1 (nomacver)"); -+ -+ ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:"])), -+ "test bad pkcs12 file 2"); -+ -+ ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:"])), -+ "test bad pkcs12 file 3"); -+ }); -+ - SetConsoleOutputCP($savedcp) if (defined($savedcp)); -diff --git a/test/recipes/80-test_pkcs12_data/bad1.p12 b/test/recipes/80-test_pkcs12_data/bad1.p12 -new file mode 100644 -index 0000000000000000000000000000000000000000..8f3387c7e356e4aa374729f3f3939343557b9c09 -GIT binary patch -literal 85 -zcmV-b0IL5mQvv}4Fbf6=Duzgg_YDCD0Wd)@F)$4V31Egu0c8UO0s#d81R(r{)waiY -rfR=Py6XX#<$m7-wj)xrauuD`}hF=Ng9=0`~S~)@=J%OiUaM0Oze6 -AD*ylh - -literal 0 -HcmV?d00001 - -diff --git a/test/recipes/80-test_pkcs12_data/bad3.p12 b/test/recipes/80-test_pkcs12_data/bad3.p12 -new file mode 100644 -index 0000000000000000000000000000000000000000..ef86a1d86fb0bc09471ca2596d82e7d521d973a4 -GIT binary patch -literal 104 -zcmXp=V`5}BkYnT2YV&CO&dbQoxImDF-+oA$5$MVJL*60=F*5iN*C_e&wD%dwCM*q{=+OBX|Z+F7XSHN#>B+I003La -BAqM~e - -literal 0 -HcmV?d00001 - diff --git a/openssl.spec b/openssl.spec index 944551b..d3e478f 100644 --- a/openssl.spec +++ b/openssl.spec @@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 3.0.7 -Release: 27%{?dist} +Version: 3.2.1 +Release: 1%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. 
@@ -74,8 +74,6 @@ Patch12: 0012-Disable-explicit-ec.patch
 Patch13: 0013-skipped-tests-EC-curves.patch
 # Instructions to load legacy provider in openssl.cnf
 Patch24: 0024-load-legacy-prov.patch
-# Tmp: test name change
-Patch31: 0031-tmp-Fix-test-names.patch
 # We load FIPS provider and set FIPS properties implicitly
 Patch32: 0032-Force-fips.patch
 # Embed HMAC into the fips.so
@@ -94,8 +92,6 @@ Patch47: 0047-FIPS-early-KATS.patch
 Patch49: 0049-Selectively-disallow-SHA1-signatures.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2049265
 Patch50: 0050-FIPS-enable-pkcs12-mac.patch
-# Backport of patch for RHEL for Edge rhbz #2027261
-Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch
 # Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes
 Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
 # Originally from https://github.com/openssl/openssl/pull/18103
@@ -106,21 +102,9 @@ Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch
 Patch56: 0056-strcasecmp.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
 Patch58: 0058-FIPS-limit-rsa-encrypt.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2069235
-Patch60: 0060-FIPS-KAT-signature-tests.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2087147
 Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
 Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
-# https://bugzilla.redhat.com/show_bug.cgi?id=2130708
-# https://github.com/openssl/openssl/pull/18883
-Patch67: 0067-ppc64le-Montgomery-multiply.patch
-# https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c
-# https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd
-Patch71: 0071-AES-GCM-performance-optimization.patch
-# https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149
-# https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa
-# hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447
-Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
 Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
@@ -149,71 +133,34 @@ Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch Patch85: 0085-FIPS-RSA-disable-shake.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2142087 Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2142087 -Patch89: 0089-PSS-salt-length-from-provider.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2142087 -Patch90: 0090-signature-Clamp-PSS-salt-len-to-MD-len.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2144561 Patch91: 0091-FIPS-RSA-encapsulate.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2142517 -Patch92: 0092-provider-improvements.patch # FIPS-95 Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch -# OpenSSL 3.0.8 CVEs -Patch101: 0101-CVE-2022-4203-nc-match.patch -Patch102: 0102-CVE-2022-4304-RSA-time-oracle.patch -Patch103: 0103-CVE-2022-4450-pem-read-bio.patch -Patch104: 0104-CVE-2023-0215-UAF-bio.patch -Patch105: 0105-CVE-2023-0216-pkcs7-deref.patch -Patch106: 0106-CVE-2023-0217-dsa.patch -Patch107: 0107-CVE-2023-0286-X400.patch -Patch108: 0108-CVE-2023-0401-pkcs7-md.patch - -# https://bugzilla.redhat.com/show_bug.cgi?id=2169314 -Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2168289 Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2175145 -Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2179331 Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2157951 Patch114: 0114-FIPS-enforce-EMS-support.patch +# skip quic and pairwise tests temporarily +Patch115: 0115-skip-quic-pairwise.patch +# Add version aliasing due to +# https://github.com/openssl/openssl/issues/23534 +Patch116: 0116-version-aliasing.patch +# 
https://github.com/openssl/openssl/issues/23050 +Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch +# https://github.com/openssl/openssl/issues/23770 +Patch118: 0118-no-crl-memleak.patch +# https://github.com/openssl/openssl/issues/22779 +Patch119: 0119-provider-sigalgs-in-signaturealgorithms-conf.patch -# X.509 policies minor CVEs -Patch115: 0115-CVE-2023-0464.patch -Patch116: 0116-CVE-2023-0465.patch -Patch117: 0117-CVE-2023-0466.patch -# AES-XTS CVE -Patch118: 0118-CVE-2023-1255.patch - -#https://github.com/openssl/openssl/pull/13817 -#https://bugzilla.redhat.com/show_bug.cgi?id=2153471 -Patch120: 0120-RSA-PKCS15-implicit-rejection.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2160797 Patch121: 0121-FIPS-cms-defaults.patch -Patch122: 0122-CVE-2023-2650.patch -# https://github.com/openssl/openssl/pull/19386 -Patch123: 0123-ibmca-atexit-crash.patch -Patch125: 0125-CVE-2023-2975.patch -Patch126: 0126-CVE-2023-3446.patch -Patch127: 0127-CVE-2023-3817.patch -Patch128: 0128-CVE-2023-5363.patch -# https://github.com/openssl/openssl/pull/22403 -Patch129: 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch -Patch130: 0130-CVE-2023-5678.patch -# https://github.com/openssl/openssl/pull/20317 -Patch131: 0131-sslgroups-memleak.patch -# https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35 -Patch132: 0132-CVE-2023-6129.patch -# https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a -Patch133: 0133-CVE-2023-6237.patch -# https://github.com/openssl/openssl/pull/20780 -Patch134: 0134-engine-based-ECDHE-kex.patch -# https://github.com/openssl/openssl/pull/23362 -Patch135: 0135-CVE-2024-0727.patch +# KTLS regression, temporary skip tests +Patch122: 0122-TMP-KTLS-test-skip.patch License: ASL 2.0 URL: http://www.openssl.org/ 
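Review bot: The two added test-skip patches, `Patch115: 0115-skip-quic-pairwise.patch` and `Patch122: 0122-TMP-KTLS-test-skip.patch`, are justified only by the words "temporarily" and "temporary" in their comments, whereas the neighbouring Patch116 to Patch119 each cite an upstream issue. Skipped tests in a crypto library tend to stay skipped unnoticed, so each comment should name a tracking reference and the condition for dropping the patch, for example `# KTLS regression, temporary skip tests; drop once <TRACKING-ISSUE-URL placeholder> is resolved`. The same hunk also removes every downstream CVE backport (0101 through 0135-CVE-2024-0727) along with 0120-RSA-PKCS15-implicit-rejection. Presumably the 3.2.1 tarball already carries those fixes, but nothing in the commit shows it, so a changelog or commit-message line confirming each dropped fix against the upstream release notes would make the rebase auditable.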
@@ -553,6 +500,10 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog +* Wed Apr 03 2024 Dmitry Belyavskiy - 1:3.2.1-1 +- Rebasing OpenSSL to 3.2.1 + Resolves: RHEL-26271 + * Wed Feb 21 2024 Dmitry Belyavskiy - 1:3.0.7-27 - Use certified FIPS module instead of freshly built one in Red Hat distribution Related: RHEL-23474 diff --git a/sources b/sources index eb19998..21d66d1 100644 --- a/sources +++ b/sources @@ -1 +1 @@ -SHA512 (openssl-3.0.7.tar.gz) = 6c2bcd1cd4b499e074e006150dda906980df505679d8e9d988ae93aa61ee6f8c23c0fa369e2edc1e1a743d7bec133044af11d5ed57633b631ae479feb59e3424 +SHA512 (openssl-3.2.1.tar.gz) = 29ea75964f78ef5bbe5783ed60d32917408ae4cb7d4aecdbbf2280bfdbc260c7cbabbc03bd179fc994fbee85cebc7213eeb5bfcde5c22db5e83edf2cebe7113f