From 08d6c3505122eda35537a69d2f3e549a4459ee05 Mon Sep 17 00:00:00 2001 From: Clemens Lang Date: Fri, 22 Jul 2022 18:01:52 +0200 Subject: [PATCH] FIPS self-test: RSA-OAEP, FFDHE2048, digest_sign Use RSA-OAEP in FIPS self-tests and support a fixed OAEP seed to make the test deterministic as required for a known-answer test. Switch the signature FIPS self-test to use the digest_sign and digest_verify provider functions using the EVP_DigestSign and EVP_DigestVerify APIs, as the existing signature self-test does not cover hash computation. Switch the existing Diffie-Hellman FIPS self-test to use FFDHE2048, a known safe prime from RFC 7919. Signed-off-by: Clemens Lang Resolves: rhbz#2102535 --- ...OAEP-in-KATs-support-fixed-OAEP-seed.patch | 367 +++++++++++++++++ ...gest_sign-digest_verify-in-self-test.patch | 307 ++++++++++++++ 0075-FIPS-Use-FFDHE2048-in-self-test.patch | 378 ++++++++++++++++++ openssl.spec | 14 +- 4 files changed, 1065 insertions(+), 1 deletion(-) create mode 100644 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch create mode 100644 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch create mode 100644 0075-FIPS-Use-FFDHE2048-in-self-test.patch diff --git a/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch b/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch new file mode 100644 index 0000000..27f86f5 --- /dev/null +++ b/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch @@ -0,0 +1,367 @@ +From 4a2239bd7d444c30c55b20ea8b4aeadafdfe1afd Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 22 Jul 2022 13:59:37 +0200 +Subject: [PATCH] FIPS: Use OAEP in KATs, support fixed OAEP seed + +Review by our lab for FIPS 140-3 certification expects the RSA +encryption and decryption tests to use a supported padding mode, not raw +RSA signatures. Switch to RSA-OAEP for the self tests to fulfill that. + +The FIPS 140-3 Implementation Guidance specifies in section 10.3.A +"Cryptographic Algorithm Self-Test Requirements" that a self-test may be +a known-answer test, a comparison test, or a fault-detection test. + +Comparison tests are not an option, because they would require +a separate implementation of RSA-OAEP, which we do not have. Fault +detection tests require implementing fault detection mechanisms into the +cryptographic algorithm implementation, we we also do not have. + +As a consequence, a known-answer test must be used to test RSA +encryption and decryption, but RSA encryption with OAEP padding is not +deterministic, and thus encryption will always yield different results +that could not be compared to known answers. For this reason, this +change explicitly sets the seed in OAEP (see RFC 8017 section 7.1.1), +which is the source of randomness for RSA-OAEP, to a fixed value. This +setting is only available during self-test execution, and the parameter +set using EVP_PKEY_CTX_set_params() will be ignored otherwise. + +Signed-off-by: Clemens Lang +--- + crypto/rsa/rsa_local.h | 8 ++ + crypto/rsa/rsa_oaep.c | 34 ++++++-- + include/openssl/core_names.h | 3 + + providers/fips/self_test_data.inc | 83 +++++++++++-------- + providers/fips/self_test_kats.c | 7 ++ + .../implementations/asymciphers/rsa_enc.c | 41 ++++++++- + 6 files changed, 133 insertions(+), 43 deletions(-) + +diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h +index ea70da05ad..dde57a1a0e 100644 +--- a/crypto/rsa/rsa_local.h ++++ b/crypto/rsa/rsa_local.h +@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to + int tlen, const unsigned char *from, + int flen); + ++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, ++ int plen, const EVP_MD *md, ++ const EVP_MD *mgf1md, ++ const char *redhat_st_seed); ++ + #endif /* OSSL_CRYPTO_RSA_LOCAL_H */ +diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c +index d9be1a4f98..b2f7f7dc4b 100644 +--- a/crypto/rsa/rsa_oaep.c ++++ b/crypto/rsa/rsa_oaep.c +@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, + param, plen, NULL, NULL); + } + ++#ifdef FIPS_MODULE ++extern int REDHAT_FIPS_asym_cipher_st; ++#endif /* FIPS_MODULE */ ++ + /* + * Perform the padding as per NIST 800-56B 7.2.2.3 + * from (K) is the key material. +@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, + * Step numbers are included here but not in the constant time inverse below + * to avoid complicating an already difficult enough function. + */ +-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, +- unsigned char *to, int tlen, +- const unsigned char *from, int flen, +- const unsigned char *param, +- int plen, const EVP_MD *md, +- const EVP_MD *mgf1md) ++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, ++ int plen, const EVP_MD *md, ++ const EVP_MD *mgf1md, ++ const char *redhat_st_seed) + { + int rv = 0; + int i, emlen = tlen - 1; +@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, + db[emlen - flen - mdlen - 1] = 0x01; + memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen); + /* step 3d: generate random byte string */ ++#ifdef FIPS_MODULE ++ if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) { ++ memcpy(seed, redhat_st_seed, mdlen); ++ } else ++#endif + if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0) + goto err; + +@@ -138,6 +148,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, + return rv; + } + ++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, ++ int plen, const EVP_MD *md, ++ const EVP_MD *mgf1md) ++{ ++ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from, ++ flen, param, plen, md, ++ mgf1md, NULL); ++} ++ + int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + const unsigned char *from, int flen, + const unsigned char *param, int plen, +diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h +index 59a6e79566..11216fb8f8 100644 +--- a/include/openssl/core_names.h ++++ b/include/openssl/core_names.h +@@ -469,6 +469,9 @@ extern "C" { + #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" + #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" + #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" ++#ifdef FIPS_MODULE ++#define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" ++#endif + + /* + * Encoder / decoder parameters +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index 4e30ec56dd..0103c87528 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -1294,9 +1294,22 @@ static const ST_KAT_PARAM rsa_priv_key[] = { + ST_KAT_PARAM_END() + }; + ++/*- ++ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the ++ * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient ++ * HP/UX PA-RISC compilers. ++ */ ++static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP; ++static const char oaep_fixed_seed[] = { ++ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25, ++ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab, ++ 0x2e, 0x4b, 0x2c, 0xe6 ++}; ++ + static const ST_KAT_PARAM rsa_enc_params[] = { +- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, +- OSSL_PKEY_RSA_PAD_MODE_NONE), ++ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep), ++ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, ++ oaep_fixed_seed), + ST_KAT_PARAM_END() + }; + +@@ -1335,43 +1348,43 @@ static const unsigned char rsa_expected_sig[256] = { + 0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6 + }; + +-static const unsigned char rsa_asym_plaintext_encrypt[256] = { ++static const unsigned char rsa_asym_plaintext_encrypt[208] = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, + }; + static const unsigned char rsa_asym_expected_encrypt[256] = { +- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b, +- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61, +- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c, +- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc, +- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0, +- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa, +- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a, +- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc, +- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35, +- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a, +- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd, +- 0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda, +- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18, +- 0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7, +- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39, +- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87, +- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21, +- 0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0, +- 0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8, +- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c, +- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa, +- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69, +- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52, +- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c, +- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6, +- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93, +- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d, +- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5, +- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9, +- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04, +- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa, +- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab, ++ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74, ++ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c, ++ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e, ++ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b, ++ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25, ++ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89, ++ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1, ++ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50, ++ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17, ++ 0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2, ++ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb, ++ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d, ++ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e, ++ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f, ++ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3, ++ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06, ++ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25, ++ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78, ++ 0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04, ++ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c, ++ 0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47, ++ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce, ++ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0, ++ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6, ++ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99, ++ 0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30, ++ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20, ++ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb, ++ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27, ++ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66, ++ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a, ++ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06 + }; + + #ifndef OPENSSL_NO_EC +diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c +index 064794d9bf..b6d5e8e134 100644 +--- a/providers/fips/self_test_kats.c ++++ b/providers/fips/self_test_kats.c +@@ -647,14 +647,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) + return ret; + } + ++int REDHAT_FIPS_asym_cipher_st = 0; ++ + static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) + { + int i, ret = 1; + ++ REDHAT_FIPS_asym_cipher_st = 1; ++ + for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) { + if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx)) + ret = 0; + } ++ ++ REDHAT_FIPS_asym_cipher_st = 0; ++ + return ret; + } + +diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c +index 00cf65fcd6..83be3d8ede 100644 +--- a/providers/implementations/asymciphers/rsa_enc.c ++++ b/providers/implementations/asymciphers/rsa_enc.c +@@ -30,6 +30,9 @@ + #include "prov/implementations.h" + #include "prov/providercommon.h" + #include "prov/securitycheck.h" ++#ifdef FIPS_MODULE ++# include "crypto/rsa/rsa_local.h" ++#endif + + #include + +@@ -75,6 +78,9 @@ typedef struct { + /* TLS padding */ + unsigned int client_version; + unsigned int alt_version; ++#ifdef FIPS_MODULE ++ char *redhat_st_oaep_seed; ++#endif /* FIPS_MODULE */ + } PROV_RSA_CTX; + + static void *rsa_newctx(void *provctx) +@@ -190,12 +196,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, + return 0; + } + ret = +- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf, ++#ifdef FIPS_MODULE ++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2( ++#else ++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex( ++#endif ++ prsactx->libctx, tbuf, + rsasize, in, inlen, + prsactx->oaep_label, + prsactx->oaep_labellen, + prsactx->oaep_md, +- prsactx->mgf1_md); ++ prsactx->mgf1_md ++#ifdef FIPS_MODULE ++ , prsactx->redhat_st_oaep_seed ++#endif ++ ); + + if (!ret) { + OPENSSL_free(tbuf); +@@ -326,6 +341,9 @@ static void rsa_freectx(void *vprsactx) + EVP_MD_free(prsactx->oaep_md); + EVP_MD_free(prsactx->mgf1_md); + OPENSSL_free(prsactx->oaep_label); ++#ifdef FIPS_MODULE ++ OPENSSL_free(prsactx->redhat_st_oaep_seed); ++#endif /* FIPS_MODULE */ + + OPENSSL_free(prsactx); + } +@@ -445,6 +463,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { + NULL, 0), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), ++#endif /* FIPS_MODULE */ + OSSL_PARAM_END + }; + +@@ -454,6 +475,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, + return known_gettable_ctx_params; + } + ++#ifdef FIPS_MODULE ++extern int REDHAT_FIPS_asym_cipher_st; ++#endif /* FIPS_MODULE */ ++ + static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; +@@ -563,6 +588,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + prsactx->oaep_labellen = tmp_labellen; + } + ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED); ++ if (p != NULL && REDHAT_FIPS_asym_cipher_st) { ++ void *tmp_oaep_seed = NULL; ++ ++ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL)) ++ return 0; ++ OPENSSL_free(prsactx->redhat_st_oaep_seed); ++ prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed; ++ } ++#endif /* FIPS_MODULE */ ++ + p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION); + if (p != NULL) { + unsigned int client_version; +-- +2.37.1 + diff --git a/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch b/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch new file mode 100644 index 0000000..1552d55 --- /dev/null +++ b/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch @@ -0,0 +1,307 @@ +From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 15 Jul 2022 17:45:40 +0200 +Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test + +In review for FIPS 140-3, the lack of a self-test for the digest_sign +and digest_verify provider functions was highlighted as a problem. NIST +no longer provides ACVP tests for the RSA SigVer primitive (see +https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3 +recommends the use of functions that compute the digest and signature +within the module, we have been advised in our module review that the +self tests should also use the combined digest and signature APIs, i.e. +the digest_sign and digest_verify provider functions. + +Modify the signature self-test to use these instead by switching to +EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to +crypto/evp/m_sigver.c to make these functions usable in the FIPS module. + +Signed-off-by: Clemens Lang +--- + crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------ + providers/fips/self_test_kats.c | 37 +++++++++++++++------------- + 2 files changed, 56 insertions(+), 24 deletions(-) + +diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c +index db1a1d7bc3..c94c3c53bd 100644 +--- a/crypto/evp/m_sigver.c ++++ b/crypto/evp/m_sigver.c +@@ -88,6 +88,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) + ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED); + return 0; + } ++#endif /* !defined(FIPS_MODULE) */ + + /* + * If we get the "NULL" md then the name comes back as "UNDEF". We want to use +@@ -130,8 +131,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + reinit = 0; + if (e == NULL) + ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props); ++#ifndef FIPS_MODULE + else + ctx->pctx = EVP_PKEY_CTX_new(pkey, e); ++#endif /* !defined(FIPS_MODULE) */ + } + if (ctx->pctx == NULL) + return 0; +@@ -139,8 +142,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + locpctx = ctx->pctx; + ERR_set_mark(); + ++#ifndef FIPS_MODULE + if (evp_pkey_ctx_is_legacy(locpctx)) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + + /* do not reinitialize if pkey is set or operation is different */ + if (reinit +@@ -225,8 +230,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + signature = + evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + supported_sig, locpctx->propquery); ++#ifndef FIPS_MODULE + if (signature == NULL) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + break; + } + if (signature == NULL) +@@ -310,6 +317,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props); + if (ctx->fetched_digest != NULL) { + ctx->digest = ctx->reqdigest = ctx->fetched_digest; ++#ifndef FIPS_MODULE + } else { + /* legacy engine support : remove the mark when this is deleted */ + ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname); +@@ -318,11 +326,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + goto err; + } ++#endif /* !defined(FIPS_MODULE) */ + } + (void)ERR_pop_to_mark(); + } + } + ++#ifndef FIPS_MODULE + if (ctx->reqdigest != NULL + && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) + && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) +@@ -334,6 +344,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + goto err; + } + } ++#endif /* !defined(FIPS_MODULE) */ + + if (ver) { + if (signature->digest_verify_init == NULL) { +@@ -366,6 +377,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + EVP_KEYMGMT_free(tmp_keymgmt); + return 0; + ++#ifndef FIPS_MODULE + legacy: + /* + * If we don't have the full support we need with provided methods, +@@ -437,6 +449,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + ctx->pctx->flag_call_digest_custom = 1; + + ret = 1; ++#endif /* !defined(FIPS_MODULE) */ + + end: + #ifndef FIPS_MODULE +@@ -479,7 +492,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1, + NULL); + } +-#endif /* FIPS_MDOE */ + + int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) + { +@@ -541,23 +553,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) + return EVP_DigestUpdate(ctx, data, dsize); + } + +-#ifndef FIPS_MODULE + int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, + size_t *siglen) + { +- int sctx = 0, r = 0; +- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx; ++ int r = 0; ++#ifndef FIPS_MODULE ++ int sctx = 0; ++ EVP_PKEY_CTX *dctx; ++#endif /* !defined(FIPS_MODULE) */ ++ EVP_PKEY_CTX *pctx = ctx->pctx; + ++#ifndef FIPS_MODULE + if (pctx == NULL + || pctx->operation != EVP_PKEY_OP_SIGNCTX + || pctx->op.sig.algctx == NULL + || pctx->op.sig.signature == NULL) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + + if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) + return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, + sigret, siglen, + (siglen == NULL) ? 0 : *siglen); ++#ifndef FIPS_MODULE + dctx = EVP_PKEY_CTX_dup(pctx); + if (dctx == NULL) + return 0; +@@ -566,8 +584,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, + sigret, siglen, + (siglen == NULL) ? 0 : *siglen); + EVP_PKEY_CTX_free(dctx); ++#endif /* defined(FIPS_MODULE) */ + return r; + ++#ifndef FIPS_MODULE + legacy: + if (pctx == NULL || pctx->pmeth == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +@@ -639,6 +659,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, + } + } + return 1; ++#endif /* !defined(FIPS_MODULE) */ + } + + int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, +@@ -669,21 +690,27 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, + int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, + size_t siglen) + { +- unsigned char md[EVP_MAX_MD_SIZE]; + int r = 0; ++#ifndef FIPS_MODULE ++ unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int mdlen = 0; + int vctx = 0; +- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx; ++ EVP_PKEY_CTX *dctx; ++#endif /* !defined(FIPS_MODULE) */ ++ EVP_PKEY_CTX *pctx = ctx->pctx; + ++#ifndef FIPS_MODULE + if (pctx == NULL + || pctx->operation != EVP_PKEY_OP_VERIFYCTX + || pctx->op.sig.algctx == NULL + || pctx->op.sig.signature == NULL) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) + return pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, + sig, siglen); ++#ifndef FIPS_MODULE + dctx = EVP_PKEY_CTX_dup(pctx); + if (dctx == NULL) + return 0; +@@ -691,8 +718,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, + r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx, + sig, siglen); + EVP_PKEY_CTX_free(dctx); ++#endif /* !defined(FIPS_MODULE) */ + return r; + ++#ifndef FIPS_MODULE + legacy: + if (pctx == NULL || pctx->pmeth == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +@@ -732,6 +761,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, + if (vctx || !r) + return r; + return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen); ++#endif /* !defined(FIPS_MODULE) */ + } + + int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, +@@ -757,4 +787,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, + return -1; + return EVP_DigestVerifyFinal(ctx, sigret, siglen); + } +-#endif /* FIPS_MODULE */ +diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c +index b6d5e8e134..77eec075e6 100644 +--- a/providers/fips/self_test_kats.c ++++ b/providers/fips/self_test_kats.c +@@ -444,11 +444,14 @@ static int self_test_sign(const ST_KAT_SIGN *t, + int ret = 0; + OSSL_PARAM *params = NULL, *params_sig = NULL; + OSSL_PARAM_BLD *bld = NULL; ++ EVP_MD *md = NULL; ++ EVP_MD_CTX *ctx = NULL; + EVP_PKEY_CTX *sctx = NULL, *kctx = NULL; + EVP_PKEY *pkey = NULL; +- unsigned char sig[256]; + BN_CTX *bnctx = NULL; + BIGNUM *K = NULL; ++ const char *msg = "Hello World!"; ++ unsigned char sig[256]; + size_t siglen = sizeof(sig); + static const unsigned char dgst[] = { + 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, +@@ -488,23 +491,22 @@ static int self_test_sign(const ST_KAT_SIGN *t, + || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) + goto err; + +- /* Create a EVP_PKEY_CTX to use for the signing operation */ +- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL); +- if (sctx == NULL +- || EVP_PKEY_sign_init(sctx) <= 0) +- goto err; +- +- /* set signature parameters */ +- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST, +- t->mdalgorithm, +- strlen(t->mdalgorithm) + 1)) +- goto err; ++ /* Create a EVP_MD_CTX to use for the signature operation, assign signature ++ * parameters and sign */ + params_sig = OSSL_PARAM_BLD_to_param(bld); +- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) ++ md = EVP_MD_fetch(libctx, "SHA256", NULL); ++ ctx = EVP_MD_CTX_new(); ++ if (md == NULL || ctx == NULL) ++ goto err; ++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); ++ if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0 ++ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0 ++ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0 ++ || EVP_MD_CTX_reset(ctx) <= 0) + goto err; + +- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0 +- || EVP_PKEY_verify_init(sctx) <= 0 ++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); ++ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0 + || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) + goto err; + +@@ -518,14 +520,15 @@ static int self_test_sign(const ST_KAT_SIGN *t, + goto err; + + OSSL_SELF_TEST_oncorrupt_byte(st, sig); +- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0) ++ if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0) + goto err; + ret = 1; + err: + BN_CTX_free(bnctx); + EVP_PKEY_free(pkey); ++ EVP_MD_free(md); ++ EVP_MD_CTX_free(ctx); + EVP_PKEY_CTX_free(kctx); +- EVP_PKEY_CTX_free(sctx); + OSSL_PARAM_free(params); + OSSL_PARAM_free(params_sig); + OSSL_PARAM_BLD_free(bld); +-- +2.37.1 + diff --git a/0075-FIPS-Use-FFDHE2048-in-self-test.patch b/0075-FIPS-Use-FFDHE2048-in-self-test.patch new file mode 100644 index 0000000..096e62d --- /dev/null +++ b/0075-FIPS-Use-FFDHE2048-in-self-test.patch @@ -0,0 +1,378 @@ +From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 22 Jul 2022 17:51:16 +0200 +Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test + +Signed-off-by: Clemens Lang +--- + providers/fips/self_test_data.inc | 342 +++++++++++++++--------------- + 1 file changed, 172 insertions(+), 170 deletions(-) + +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index a29cc650b5..1b5623833f 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] = + + #ifndef OPENSSL_NO_DH + /* DH KAT */ ++/* RFC7919 FFDHE2048 p */ + static const unsigned char dh_p[] = { +- 0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25, +- 0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0, +- 0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66, +- 0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b, +- 0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe, +- 0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce, +- 0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d, +- 0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d, +- 0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde, +- 0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb, +- 0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17, +- 0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0, +- 0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97, +- 0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9, +- 0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7, +- 0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1, +- 0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d, +- 0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82, +- 0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4, +- 0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c, +- 0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b, +- 0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50, +- 0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31, +- 0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44, +- 0xb9, 0x46, 0xfe, 0x9d, 0xf6, 0x77, 0xa0, 0xc5, +- 0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80, +- 0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12, +- 0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94, +- 0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7, +- 0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1, +- 0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d, +- 0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69 +-}; ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a, ++ 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1, ++ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, ++ 0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb, ++ 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9, ++ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, ++ 0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a, ++ 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61, ++ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, ++ 0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3, ++ 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35, ++ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, ++ 0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72, ++ 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35, ++ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, ++ 0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61, ++ 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb, ++ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, ++ 0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4, ++ 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19, ++ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, ++ 0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec, ++ 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61, ++ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, ++ 0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83, ++ 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73, ++ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, ++ 0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2, ++ 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa, ++ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff ++}; ++/* RFC7919 FFDHE2048 q */ + static const unsigned char dh_q[] = { +- 0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e, +- 0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83, +- 0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea, +- 0x11, 0xac, 0xb5, 0x7d +-}; ++ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d, ++ 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78, ++ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, ++ 0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd, ++ 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c, ++ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, ++ 0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd, ++ 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0, ++ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, ++ 0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79, ++ 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a, ++ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, ++ 0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39, ++ 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a, ++ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, ++ 0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0, ++ 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd, ++ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, ++ 0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa, ++ 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c, ++ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, ++ 0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76, ++ 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0, ++ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, ++ 0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1, ++ 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9, ++ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, ++ 0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9, ++ 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd, ++ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff ++}; ++/* RFC7919 FFDHE2048 g */ + static const unsigned char dh_g[] = { +- 0x5e, 0xf7, 0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39, +- 0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f, +- 0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0, +- 0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f, +- 0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f, +- 0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a, +- 0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4, +- 0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c, +- 0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20, +- 0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25, +- 0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53, +- 0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9, +- 0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc, +- 0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9, +- 0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43, +- 0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86, +- 0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16, +- 0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40, +- 0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23, +- 0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa, +- 0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6, +- 0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2, +- 0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61, +- 0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a, +- 0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef, +- 0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f, +- 0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3, +- 0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a, +- 0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4, +- 0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74, +- 0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4, +- 0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32 ++ 0x02 + }; + static const unsigned char dh_priv[] = { +- 0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a, +- 0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70, +- 0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15, +- 0x40, 0xb8, 0xfc, 0xe6 ++ 0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f, ++ 0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d, ++ 0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 0x8d, ++ 0x6c, 0xdc, 0x5d, 0x6e, 0x94 + }; + static const unsigned char dh_pub[] = { +- 0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04, +- 0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69, +- 0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59, +- 0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b, +- 0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c, +- 0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21, +- 0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06, +- 0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb, +- 0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2, +- 0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0, +- 0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83, +- 0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90, +- 0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2, +- 0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7, +- 0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0, +- 0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88, +- 0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb, +- 0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a, +- 0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97, +- 0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d, +- 0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf, +- 0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e, +- 0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f, +- 0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d, +- 0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1, +- 0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c, +- 0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47, +- 0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e, +- 0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f, +- 0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9, +- 0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c, +- 0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3 ++ 0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05, ++ 0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f, ++ 0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43, ++ 0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23, ++ 0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a, ++ 0x1a, 0x03, 0x9e, 0x5f, 0xd1, 0x4e, 0xa0, 0x0b, ++ 0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c, ++ 0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63, ++ 0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38, ++ 0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6, ++ 0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a, ++ 0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94, ++ 0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92, ++ 0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44, ++ 0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53, ++ 0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13, ++ 0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30, ++ 0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b, ++ 0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01, ++ 0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d, ++ 0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18, ++ 0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81, ++ 0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f, ++ 0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7, ++ 0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39, ++ 0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed, ++ 0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71, ++ 0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce, ++ 0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04, ++ 0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69, ++ 0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed, ++ 0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2, ++ 0x32 + }; + static const unsigned char dh_peer_pub[] = { +- 0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a, +- 0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d, +- 0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58, +- 0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32, +- 0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb, +- 0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0, +- 0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0, +- 0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc, +- 0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1, +- 0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e, +- 0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97, +- 0x70, 0x42, 0xc7, 0xe3, 0xd0, 0x44, 0x8f, 0x05, +- 0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3, +- 0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f, +- 0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7, +- 0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1, +- 0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96, +- 0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf, +- 0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22, +- 0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98, +- 0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42, +- 0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c, +- 0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde, +- 0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20, +- 0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22, +- 0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3, +- 0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3, +- 0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2, +- 0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00, +- 0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51, +- 0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f, +- 0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b ++ 0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79, ++ 0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda, ++ 0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29, ++ 0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84, ++ 0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57, ++ 0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5, ++ 0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68, ++ 0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c, ++ 0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6, ++ 0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20, ++ 0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d, ++ 0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3, ++ 0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a, ++ 0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77, ++ 0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73, ++ 0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53, ++ 0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1, ++ 0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05, ++ 0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 0x59, 0x7a, ++ 0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5, ++ 0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9, ++ 0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91, ++ 0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31, ++ 0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f, ++ 0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4, ++ 0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e, ++ 0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59, ++ 0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84, ++ 0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a, ++ 0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd, ++ 0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2, ++ 0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87, ++ 0x64 + }; + + static const unsigned char dh_secret_expected[] = { +- 0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a, +- 0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a, +- 0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c, +- 0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe, +- 0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2, +- 0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21, +- 0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53, +- 0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd, +- 0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87, +- 0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4, +- 0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d, +- 0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd, +- 0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33, +- 0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe, +- 0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a, +- 0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73, +- 0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad, +- 0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0, +- 0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79, +- 0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9, +- 0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2, +- 0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6, +- 0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae, +- 0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57, +- 0x0f, 0x18, 0xc8, 0x1f, 0x2b, 0xe5, 0xd0, 0x1a, +- 0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63, +- 0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9, +- 0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86, +- 0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5, +- 0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00, +- 0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52, +- 0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6 ++ 0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5, ++ 0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5, ++ 0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93, ++ 0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5, ++ 0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e, ++ 0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39, ++ 0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04, ++ 0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d, ++ 0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c, ++ 0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47, ++ 0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae, ++ 0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08, ++ 0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19, ++ 0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8, ++ 0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f, ++ 0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e, ++ 0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2, ++ 0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d, ++ 0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4, ++ 0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4, ++ 0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66, ++ 0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46, ++ 0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0, ++ 0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70, ++ 0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c, ++ 0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f, ++ 0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25, ++ 0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc, ++ 0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02, ++ 0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04, ++ 0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1, ++ 0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 0x0c, 0x89 + }; + + static const ST_KAT_PARAM dh_group[] = { +-- +2.35.3 + diff --git a/openssl.spec b/openssl.spec index 0ba4ba0..7b2a022 100644 --- a/openssl.spec +++ b/openssl.spec @@ -29,7 +29,7 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl Version: 3.0.1 -Release: 38%{?dist} +Release: 39%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -147,6 +147,12 @@ Patch71: 0071-AES-GCM-performance-optimization.patch # https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa # hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447 Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2102535 +Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2102535 +Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=2102535 +Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch License: ASL 2.0 URL: http://www.openssl.org/ @@ -477,6 +483,12 @@ install -m644 %{SOURCE9} \ %ldconfig_scriptlets libs %changelog +* Mon Aug 01 2022 Clemens Lang - 1:3.0.1-39 +- Use RSA-OAEP in FIPS RSA encryption/decryption FIPS self-test +- Use Use digest_sign & digest_verify in FIPS signature self test +- Use FFDHE2048 in Diffie-Hellman FIPS self-test + Resolves: rhbz#2102535 + * Thu Jul 14 2022 Clemens Lang - 1:3.0.1-38 - Fix segfault in EVP_PKEY_Q_keygen() when OpenSSL was not previously initialized.