diff --git a/.gitignore b/.gitignore index 5dbaaaf..e32873a 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/openssl-3.0.7.tar.gz +SOURCES/openssl-3.2.2.tar.gz diff --git a/.openssl.metadata b/.openssl.metadata index da37925..212f099 100644 --- a/.openssl.metadata +++ b/.openssl.metadata @@ -1 +1 @@ -f20736d6aae36bcbfa9aba0d358c71601833bf27 SOURCES/openssl-3.0.7.tar.gz +b12311372a0277ca0eb218a68a7fd9f5ce66d162 SOURCES/openssl-3.2.2.tar.gz diff --git a/SOURCES/0003-Do-not-install-html-docs.patch b/SOURCES/0003-Do-not-install-html-docs.patch index 66d62e0..6aabf8b 100644 --- a/SOURCES/0003-Do-not-install-html-docs.patch +++ b/SOURCES/0003-Do-not-install-html-docs.patch @@ -12,15 +12,15 @@ diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tm index 342e46d24d..9f369edf0e 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl -@@ -554,7 +554,7 @@ install_sw: install_dev install_engines install_modules install_runtime +@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime - uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev + uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries --install_docs: install_man_docs install_html_docs -+install_docs: install_man_docs +-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation ++install_docs: install_man_docs ## Install manpages - uninstall_docs: uninstall_man_docs uninstall_html_docs - $(RM) -r $(DESTDIR)$(DOCDIR) + uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation + $(RM) -r "$(DESTDIR)$(DOCDIR)" -- 2.26.2 diff --git a/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index 7a97dee..9decdce 100644 --- a/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/SOURCES/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch @@ -6,20 +6,19 @@ Subject: Add support for PROFILE=SYSTEM system default cipherlist (was openssl-1.1.1-system-cipherlist.patch) --- Configurations/unix-Makefile.tmpl | 5 ++ - Configure | 10 +++- + Configure | 11 +++- doc/man1/openssl-ciphers.pod.in | 9 ++++ include/openssl/ssl.h.in | 5 ++ - ssl/ssl_ciph.c | 88 +++++++++++++++++++++++++++---- + ssl/ssl_ciph.c | 86 +++++++++++++++++++++++++++---- ssl/ssl_lib.c | 4 +- test/cipherlist_test.c | 2 + - util/libcrypto.num | 1 + - 8 files changed, 110 insertions(+), 14 deletions(-) + 7 files changed, 109 insertions(+), 13 deletions(-) diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl index 9f369edf0e..c52389f831 100644 --- a/Configurations/unix-Makefile.tmpl +++ b/Configurations/unix-Makefile.tmpl -@@ -269,6 +269,10 @@ MANDIR=$(INSTALLTOP)/share/man +@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) HTMLDIR=$(DOCDIR)/html @@ -30,7 +29,7 @@ index 9f369edf0e..c52389f831 100644 # MANSUFFIX is for the benefit of anyone who may want to have a suffix # appended after the manpage file section number. "ssl" is popular, # resulting in files such as config.5ssl rather than config.5. -@@ -292,6 +296,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} +@@ -347,6 +351,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -} CPPFLAGS={- our $cppflags1 = join(" ", (map { "-D".$_} @{$config{CPPDEFINES}}), @@ -38,11 +37,54 @@ index 9f369edf0e..c52389f831 100644 (map { "-I".$_} @{$config{CPPINCLUDES}}), @{$config{CPPFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -} +diff --git a/Configure b/Configure +index cca1ac8d16..2ae1cd0bc2 100755 +--- a/Configure ++++ b/Configure +@@ -27,7 +27,7 @@ use OpenSSL::config; + my $orig_death_handler = $SIG{__DIE__}; + $SIG{__DIE__} = \&death_handler; + +-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; + + my $banner = <<"EOF"; + +@@ -61,6 +61,10 @@ EOF + # given with --prefix. + # This becomes the value of OPENSSLDIR in Makefile and in C. + # (Default: PREFIX/ssl) ++# ++# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM ++# cipher is specified (default). ++# + # --banner=".." Output specified text instead of default completion banner + # + # -w Don't wait after showing a Configure warning +@@ -394,6 +398,7 @@ $config{prefix}=""; + $config{openssldir}=""; + $config{processor}=""; + $config{libdir}=""; ++$config{system_ciphers_file}=""; + my $auto_threads=1; # enable threads automatically? true by default + my $default_ranlib; + +@@ -1047,6 +1052,10 @@ while (@argvcopy) + die "FIPS key too long (64 bytes max)\n" + if length $1 > 64; + } ++ elsif (/^--system-ciphers-file=(.*)$/) ++ { ++ $config{system_ciphers_file}=$1; ++ } + elsif (/^--banner=(.*)$/) + { + $banner = $1 . "\n"; diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in index b4ed3e51d5..2122e6bdfd 100644 --- a/doc/man1/openssl-ciphers.pod.in +++ b/doc/man1/openssl-ciphers.pod.in -@@ -187,6 +187,15 @@ As of OpenSSL 1.0.0, the B cipher suites are sensibly ordered by default. +@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B cipher suites are sensibly ordered by default. The cipher suites not enabled by B, currently B. @@ -78,7 +120,7 @@ diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c index b1d3f7919e..f7cc7fed48 100644 --- a/ssl/ssl_ciph.c +++ b/ssl/ssl_ciph.c -@@ -1411,6 +1411,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str) +@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str) return ret; } @@ -91,7 +133,7 @@ index b1d3f7919e..f7cc7fed48 100644 + const char *ciphers_path; + unsigned len, slen; + -+ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL) ++ if ((ciphers_path = secure_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL) + ciphers_path = SYSTEM_CIPHERS_FILE; + fp = fopen(ciphers_path, "r"); + if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) { @@ -153,19 +195,19 @@ index b1d3f7919e..f7cc7fed48 100644 if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) - return NULL; + goto err; - + if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) - return NULL; + goto err; /* * To reduce the work to do we only want to process the compiled -@@ -1456,7 +1513,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, - co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); - if (co_list == NULL) { - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); -- return NULL; /* Failure */ -+ goto err; +@@ -1499,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + if (num_of_ciphers > 0) { + co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); + if (co_list == NULL) +- return NULL; /* Failure */ ++ goto err; } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, @@ -179,12 +221,10 @@ index b1d3f7919e..f7cc7fed48 100644 } /* -@@ -1568,9 +1624,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, - num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; +@@ -1611,7 +1667,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); if (ca_list == NULL) { -- OPENSSL_free(co_list); - ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); + OPENSSL_free(co_list); - return NULL; /* Failure */ + goto err; } @@ -252,7 +292,7 @@ index d14d5819ba..48d491219a 100644 + SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert) || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); - goto err2; + goto err; diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c index 380f0727fc..6922a87c30 100644 --- a/test/cipherlist_test.c @@ -266,58 +306,7 @@ index 380f0727fc..6922a87c30 100644 +#endif ADD_TEST(test_default_cipherlist_explicit); ADD_TEST(test_default_cipherlist_clear); - return 1; -diff --git a/util/libcrypto.num b/util/libcrypto.num -index 404a706fab..e81fa9ec3e 100644 ---- a/util/libcrypto.num -+++ b/util/libcrypto.num -@@ -5282,3 +5282,4 @@ OSSL_DECODER_CTX_set_input_structure ? 3_0_0 EXIST::FUNCTION: - EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: - OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: - OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: -+ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: + ADD_TEST(test_stdname_cipherlist); -- 2.26.2 -diff -up openssl-3.0.0-beta1/Configure.sys-default openssl-3.0.0-beta1/Configure ---- openssl-3.0.0-beta1/Configure.sys-default 2021-06-29 11:47:58.978144386 +0200 -+++ openssl-3.0.0-beta1/Configure 2021-06-29 11:52:01.631126260 +0200 -@@ -27,7 +27,7 @@ use OpenSSL::config; - my $orig_death_handler = $SIG{__DIE__}; - $SIG{__DIE__} = \&death_handler; - --my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; -+my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; - - my $banner = <<"EOF"; - -@@ -61,6 +61,10 @@ EOF - # given with --prefix. - # This becomes the value of OPENSSLDIR in Makefile and in C. - # (Default: PREFIX/ssl) -+# -+# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM -+# cipher is specified (default). -+# - # --banner=".." Output specified text instead of default completion banner - # - # -w Don't wait after showing a Configure warning -@@ -385,6 +389,7 @@ $config{prefix}=""; - $config{openssldir}=""; - $config{processor}=""; - $config{libdir}=""; -+$config{system_ciphers_file}=""; - my $auto_threads=1; # enable threads automatically? true by default - my $default_ranlib; - -@@ -987,6 +992,10 @@ while (@argvcopy) - die "FIPS key too long (64 bytes max)\n" - if length $1 > 64; - } -+ elsif (/^--system-ciphers-file=(.*)$/) -+ { -+ $config{system_ciphers_file}=$1; -+ } - elsif (/^--banner=(.*)$/) - { - $banner = $1 . "\n"; diff --git a/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch b/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch index 30ff325..0848473 100644 --- a/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch +++ b/SOURCES/0009-Add-Kernel-FIPS-mode-flag-support.patch @@ -1,9 +1,25 @@ -diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha13/crypto/context.c ---- openssl-3.0.0-alpha13/crypto/context.c.kernel-fips 2021-03-16 00:09:55.814826432 +0100 -+++ openssl-3.0.0-alpha13/crypto/context.c 2021-03-16 00:15:55.129043811 +0100 -@@ -12,11 +12,46 @@ - #include "internal/provider.h" - #include "crypto/ctype.h" +From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:27 +0200 +Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch + +Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch +Patch-id: 9 +Patch-status: | + # Add check to see if fips flag is enabled in kernel +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++ + include/internal/provider.h | 3 +++ + 2 files changed, 39 insertions(+) + +diff --git a/crypto/context.c b/crypto/context.c +index e294ea1512..51002ba79a 100644 +--- a/crypto/context.c ++++ b/crypto/context.c +@@ -16,6 +16,41 @@ + #include "crypto/decoder.h" + #include "crypto/context.h" +# include +# include @@ -11,11 +27,6 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1 +# include +# include + - struct ossl_lib_ctx_onfree_list_st { - ossl_lib_ctx_onfree_fn *fn; - struct ossl_lib_ctx_onfree_list_st *next; - }; - +# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" + +static int kernel_fips_flag; @@ -25,7 +36,7 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1 + char buf[2] = "0"; + int fd; + -+ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { ++ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { + buf[0] = '1'; + } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { + while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; @@ -46,20 +57,21 @@ diff -up openssl-3.0.0-alpha13/crypto/context.c.kernel-fips openssl-3.0.0-alpha1 + + struct ossl_lib_ctx_st { - CRYPTO_RWLOCK *lock; - CRYPTO_EX_DATA data; -@@ -121,6 +170,7 @@ static CRYPTO_THREAD_LOCAL default_conte + CRYPTO_RWLOCK *lock, *rand_crngt_lock; + OSSL_EX_DATA_GLOBAL global; +@@ -336,6 +371,7 @@ static int default_context_inited = 0; DEFINE_RUN_ONCE_STATIC(default_context_do_init) { + read_kernel_fips_flag(); - return CRYPTO_THREAD_init_local(&default_context_thread_local, NULL) - && context_init(&default_context_int); - } -diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/include/internal/provider.h ---- openssl-3.0.1/include/internal/provider.h.embed-fips 2022-01-11 13:13:08.323238760 +0100 -+++ openssl-3.0.1/include/internal/provider.h 2022-01-11 13:13:43.522558909 +0100 -@@ -110,6 +110,9 @@ int ossl_provider_init_as_child(OSSL_LIB + if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)) + goto err; + +diff --git a/include/internal/provider.h b/include/internal/provider.h +index 18937f84c7..1446bf7afb 100644 +--- a/include/internal/provider.h ++++ b/include/internal/provider.h +@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx, const OSSL_DISPATCH *in); void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); @@ -69,3 +81,6 @@ diff -up openssl-3.0.1/include/internal/provider.h.embed-fips openssl-3.0.1/incl # ifdef __cplusplus } # endif +-- +2.41.0 + diff --git a/SOURCES/0010-Add-changes-to-ectest-and-eccurve.patch b/SOURCES/0010-Add-changes-to-ectest-and-eccurve.patch index aac242b..63a2ca2 100644 --- a/SOURCES/0010-Add-changes-to-ectest-and-eccurve.patch +++ b/SOURCES/0010-Add-changes-to-ectest-and-eccurve.patch @@ -1,10 +1,29 @@ -diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c ---- ./crypto/ec/ec_curve.c.remove-ec 2023-03-13 16:50:09.278933578 +0100 -+++ ./crypto/ec/ec_curve.c 2023-03-21 12:38:57.696531941 +0100 -@@ -32,38 +32,6 @@ typedef struct { +From 37fae351c6fef272baf383469181aecfcac87592 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:27 +0200 +Subject: [PATCH 10/35] 0010-Add-changes-to-ectest-and-eccurve.patch + +Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch +Patch-id: 10 +Patch-status: | + # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so + # that new modifications made to these files by upstream are not lost. +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + crypto/ec/ec_curve.c | 844 ------------------------------------------- + test/ectest.c | 174 +-------- + 2 files changed, 8 insertions(+), 1010 deletions(-) + +diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c +index b5b2f3342d..d32a768fe6 100644 +--- a/crypto/ec/ec_curve.c ++++ b/crypto/ec/ec_curve.c +@@ -30,38 +30,6 @@ typedef struct { + } EC_CURVE_DATA; + /* the nist prime curves */ - static const struct { - EC_CURVE_DATA h; +-static const struct { +- EC_CURVE_DATA h; - unsigned char data[20 + 24 * 6]; -} _EC_NIST_PRIME_192 = { - { @@ -35,11 +54,9 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c - } -}; - --static const struct { -- EC_CURVE_DATA h; + static const struct { + EC_CURVE_DATA h; unsigned char data[20 + 28 * 6]; - } _EC_NIST_PRIME_224 = { - { @@ -200,187 +168,6 @@ static const struct { } }; @@ -228,10 +245,12 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c static const struct { EC_CURVE_DATA h; unsigned char data[20 + 32 * 6]; -@@ -423,294 +210,6 @@ static const struct { +@@ -421,294 +208,6 @@ static const struct { + + #ifndef FIPS_MODULE /* the secg prime curves (minus the nist and x9.62 prime curves) */ - static const struct { - EC_CURVE_DATA h; +-static const struct { +- EC_CURVE_DATA h; - unsigned char data[20 + 14 * 6]; -} _EC_SECG_PRIME_112R1 = { - { @@ -518,11 +537,9 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c - } -}; - --static const struct { -- EC_CURVE_DATA h; + static const struct { + EC_CURVE_DATA h; unsigned char data[0 + 32 * 6]; - } _EC_SECG_PRIME_256K1 = { - { @@ -745,102 +244,6 @@ static const struct { } }; @@ -626,10 +643,12 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c #endif /* FIPS_MODULE */ #ifndef OPENSSL_NO_EC2M -@@ -2238,198 +1641,6 @@ static const struct { +@@ -2236,198 +1639,6 @@ static const struct { + */ + #ifndef FIPS_MODULE - static const struct { - EC_CURVE_DATA h; +-static const struct { +- EC_CURVE_DATA h; - unsigned char data[0 + 20 * 6]; -} _EC_brainpoolP160r1 = { - { @@ -820,12 +839,10 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c - } -}; - --static const struct { -- EC_CURVE_DATA h; + static const struct { + EC_CURVE_DATA h; unsigned char data[0 + 32 * 6]; - } _EC_brainpoolP256r1 = { - { -@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[ +@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[] = { "NIST/SECG curve over a 521 bit prime field"}, /* X9.62 curves */ @@ -834,7 +851,7 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, # if defined(ECP_NISTZ256_ASM) EC_GFp_nistz256_method, -@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[ +@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[] = { static const ec_list_element curve_list[] = { /* prime field curves */ /* secg curves */ @@ -860,7 +877,7 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, "NIST/SECG curve over a 224 bit prime field"}, -@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[ +@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[] = { # endif "NIST/SECG curve over a 521 bit prime field"}, /* X9.62 curves */ @@ -879,7 +896,7 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, # if defined(ECP_NISTZ256_ASM) EC_GFp_nistz256_method, -@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[ +@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[] = { {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, "X9.62 curve over a 163 bit binary field"}, # endif @@ -902,7 +919,7 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c # ifndef OPENSSL_NO_EC2M /* IPSec curves */ {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, -@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[ +@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[] = { "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, # endif /* brainpool curves */ @@ -921,9 +938,10 @@ diff -up ./crypto/ec/ec_curve.c.remove-ec ./crypto/ec/ec_curve.c {NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0, "RFC 5639 curve over a 256 bit prime field"}, {NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0, -diff -up ./test/ectest.c.remove-ec ./test/ectest.c ---- ./test/ectest.c.remove-ec 2023-03-13 18:39:30.544642912 +0100 -+++ ./test/ectest.c 2023-03-20 07:27:26.403212965 +0100 +diff --git a/test/ectest.c b/test/ectest.c +index afef85b0e6..4890b0555e 100644 +--- a/test/ectest.c ++++ b/test/ectest.c @@ -175,184 +175,26 @@ static int prime_field_tests(void) || !TEST_ptr(p = BN_new()) || !TEST_ptr(a = BN_new()) @@ -1117,11 +1135,14 @@ diff -up ./test/ectest.c.remove-ec ./test/ectest.c || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" @@ -3015,7 +2857,7 @@ int setup_tests(void) - return 0; ADD_TEST(parameter_test); + ADD_TEST(ossl_parameter_test); - ADD_TEST(cofactor_range_test); + /* ADD_TEST(cofactor_range_test); */ ADD_ALL_TESTS(cardinality_test, crv_len); ADD_TEST(prime_field_tests); #ifndef OPENSSL_NO_EC2M +-- +2.41.0 + diff --git a/SOURCES/0011-Remove-EC-curves.patch b/SOURCES/0011-Remove-EC-curves.patch index 3bc38cb..561714e 100644 --- a/SOURCES/0011-Remove-EC-curves.patch +++ b/SOURCES/0011-Remove-EC-curves.patch @@ -1,7 +1,25 @@ -diff -up ./apps/speed.c.ec-curves ./apps/speed.c ---- ./apps/speed.c.ec-curves 2023-03-14 04:44:12.545437892 +0100 -+++ ./apps/speed.c 2023-03-14 04:48:28.606729067 +0100 -@@ -366,7 +366,7 @@ static double ffdh_results[FFDH_NUM][1]; +From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 11:46:40 +0200 +Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch + +Patch-name: 0011-Remove-EC-curves.patch +Patch-id: 11 +Patch-status: | + # remove unsupported EC curves +--- + apps/speed.c | 8 +--- + crypto/evp/ec_support.c | 87 ------------------------------------ + test/acvp_test.inc | 9 ---- + test/ecdsatest.h | 17 ------- + test/recipes/15-test_genec.t | 27 ----------- + 5 files changed, 1 insertion(+), 147 deletions(-) + +diff --git a/apps/speed.c b/apps/speed.c +index cace25eda1..d527f12f18 100644 +--- a/apps/speed.c ++++ b/apps/speed.c +@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */ #endif /* OPENSSL_NO_DH */ enum ec_curves_t { @@ -10,7 +28,7 @@ diff -up ./apps/speed.c.ec-curves ./apps/speed.c #ifndef OPENSSL_NO_EC2M R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, -@@ -376,8 +376,6 @@ enum ec_curves_t { +@@ -395,8 +395,6 @@ enum ec_curves_t { }; /* list of ecdsa curves */ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { @@ -19,8 +37,8 @@ diff -up ./apps/speed.c.ec-curves ./apps/speed.c {"ecdsap224", R_EC_P224}, {"ecdsap256", R_EC_P256}, {"ecdsap384", R_EC_P384}, -@@ -404,8 +402,6 @@ static const OPT_PAIR ecdsa_choices[ECDS - enum { R_EC_X25519 = ECDSA_NUM, R_EC_X448, EC_NUM }; +@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { + }; /* list of ecdh curves, extension of |ecdsa_choices| list above */ static const OPT_PAIR ecdh_choices[EC_NUM] = { - {"ecdhp160", R_EC_P160}, @@ -28,7 +46,7 @@ diff -up ./apps/speed.c.ec-curves ./apps/speed.c {"ecdhp224", R_EC_P224}, {"ecdhp256", R_EC_P256}, {"ecdhp384", R_EC_P384}, -@@ -1422,8 +1418,6 @@ int speed_main(int argc, char **argv) +@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv) */ static const EC_CURVE ec_curves[EC_NUM] = { /* Prime Curves */ @@ -37,9 +55,10 @@ diff -up ./apps/speed.c.ec-curves ./apps/speed.c {"nistp224", NID_secp224r1, 224}, {"nistp256", NID_X9_62_prime256v1, 256}, {"nistp384", NID_secp384r1, 384}, -diff -up ./crypto/evp/ec_support.c.ec-curves ./crypto/evp/ec_support.c ---- ./crypto/evp/ec_support.c.ec-curves 2023-03-14 06:22:41.542310442 +0100 -+++ ./crypto/evp/ec_support.c 2023-03-21 11:24:18.378451683 +0100 +diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c +index 1ec10143d2..82b95294b4 100644 +--- a/crypto/evp/ec_support.c ++++ b/crypto/evp/ec_support.c @@ -20,89 +20,15 @@ typedef struct ec_name2nid_st { static const EC_NAME2NID curve_list[] = { /* prime field curves */ @@ -130,7 +149,7 @@ diff -up ./crypto/evp/ec_support.c.ec-curves ./crypto/evp/ec_support.c {"brainpoolP256r1", NID_brainpoolP256r1 }, {"brainpoolP256t1", NID_brainpoolP256t1 }, {"brainpoolP320r1", NID_brainpoolP320r1 }, -@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = +@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = { {"brainpoolP384t1", NID_brainpoolP384t1 }, {"brainpoolP512r1", NID_brainpoolP512r1 }, {"brainpoolP512t1", NID_brainpoolP512t1 }, @@ -139,13 +158,33 @@ diff -up ./crypto/evp/ec_support.c.ec-curves ./crypto/evp/ec_support.c }; const char *OSSL_EC_curve_nid2name(int nid) -diff -up ./test/acvp_test.inc.ec-curves ./test/acvp_test.inc ---- ./test/acvp_test.inc.ec-curves 2023-03-14 06:38:20.563712586 +0100 -+++ ./test/acvp_test.inc 2023-03-14 06:39:01.631080059 +0100 -@@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_ +@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name) + /* Functions to translate between common NIST curve names and NIDs */ + + static const EC_NAME2NID nist_curves[] = { +- {"B-163", NID_sect163r2}, +- {"B-233", NID_sect233r1}, +- {"B-283", NID_sect283r1}, +- {"B-409", NID_sect409r1}, +- {"B-571", NID_sect571r1}, +- {"K-163", NID_sect163k1}, +- {"K-233", NID_sect233k1}, +- {"K-283", NID_sect283k1}, +- {"K-409", NID_sect409k1}, +- {"K-571", NID_sect571k1}, +- {"P-192", NID_X9_62_prime192v1}, + {"P-224", NID_secp224r1}, + {"P-256", NID_X9_62_prime256v1}, + {"P-384", NID_secp384r1}, +diff --git a/test/acvp_test.inc b/test/acvp_test.inc +index ad11d3ae1e..894a0bff9d 100644 +--- a/test/acvp_test.inc ++++ b/test/acvp_test.inc +@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = { + 0xB1, 0xAC, }; static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { - { +- { - "SHA-1", - "P-192", - ITM(ecdsa_sigver_msg0), @@ -154,13 +193,13 @@ diff -up ./test/acvp_test.inc.ec-curves ./test/acvp_test.inc - ITM(ecdsa_sigver_s0), - PASS, - }, -- { + { "SHA2-512", "P-521", - ITM(ecdsa_sigver_msg1), -diff -up ./test/ecdsatest.h.ec-curves ./test/ecdsatest.h ---- ./test/ecdsatest.h.ec-curves 2023-03-14 04:49:16.148154472 +0100 -+++ ./test/ecdsatest.h 2023-03-14 04:51:01.376096037 +0100 +diff --git a/test/ecdsatest.h b/test/ecdsatest.h +index 63fe319025..06b5c0aac5 100644 +--- a/test/ecdsatest.h ++++ b/test/ecdsatest.h @@ -32,23 +32,6 @@ typedef struct { } ecdsa_cavs_kat_t; @@ -185,10 +224,11 @@ diff -up ./test/ecdsatest.h.ec-curves ./test/ecdsatest.h /* prime KATs from NIST CAVP */ {NID_secp224r1, NID_sha224, "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" -diff -up ./test/recipes/15-test_genec.t.ec-curves ./test/recipes/15-test_genec.t ---- ./test/recipes/15-test_genec.t.ec-curves 2023-03-14 04:51:45.215488277 +0100 -+++ ./test/recipes/15-test_genec.t 2023-03-21 11:26:58.613885435 +0100 -@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupport +diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t +index 2dfed387ca..c733b68f83 100644 +--- a/test/recipes/15-test_genec.t ++++ b/test/recipes/15-test_genec.t +@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build" if disabled("ec"); my @prime_curves = qw( @@ -234,24 +274,6 @@ diff -up ./test/recipes/15-test_genec.t.ec-curves ./test/recipes/15-test_genec.t P-224 P-256 P-384 -diff -up openssl-3.0.7/crypto/evp/ec_support.c.ec-remove openssl-3.0.7/crypto/evp/ec_support.c ---- openssl-3.0.7/crypto/evp/ec_support.c.ec-remove 2023-07-06 10:30:10.152621369 +0200 -+++ openssl-3.0.7/crypto/evp/ec_support.c 2023-07-06 10:34:00.557091758 +0200 -@@ -74,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *n - /* Functions to translate between common NIST curve names and NIDs */ - - static const EC_NAME2NID nist_curves[] = { -- {"B-163", NID_sect163r2}, -- {"B-233", NID_sect233r1}, -- {"B-283", NID_sect283r1}, -- {"B-409", NID_sect409r1}, -- {"B-571", NID_sect571r1}, -- {"K-163", NID_sect163k1}, -- {"K-233", NID_sect233k1}, -- {"K-283", NID_sect283k1}, -- {"K-409", NID_sect409k1}, -- {"K-571", NID_sect571k1}, -- {"P-192", NID_X9_62_prime192v1}, - {"P-224", NID_secp224r1}, - {"P-256", NID_X9_62_prime256v1}, - {"P-384", NID_secp384r1}, +-- +2.41.0 + diff --git a/SOURCES/0013-skipped-tests-EC-curves.patch b/SOURCES/0013-skipped-tests-EC-curves.patch index 0c81d4c..5bdef1e 100644 --- a/SOURCES/0013-skipped-tests-EC-curves.patch +++ b/SOURCES/0013-skipped-tests-EC-curves.patch @@ -21,11 +21,12 @@ diff -up ./test/recipes/65-test_cmp_protect.t.skip-tests ./test/recipes/65-test_ +plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test my @basic_cmd = ("cmp_protect_test", - data_file("server.pem"), -diff -up ./test/recipes/65-test_cmp_vfy.t.skip-tests ./test/recipes/65-test_cmp_vfy.t ---- ./test/recipes/65-test_cmp_vfy.t.skip-tests 2023-03-14 10:13:38.106296042 +0100 -+++ ./test/recipes/65-test_cmp_vfy.t 2023-03-14 10:16:56.496071178 +0100 -@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo + data_file("prot_RSA.pem"), +diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t +index f722800e27..26a01786bb 100644 +--- a/test/recipes/65-test_cmp_vfy.t ++++ b/test/recipes/65-test_cmp_vfy.t +@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build" plan skip_all => "This test is not supported in a no-ec build" if disabled("ec"); diff --git a/SOURCES/0031-tmp-Fix-test-names.patch b/SOURCES/0031-tmp-Fix-test-names.patch deleted file mode 100644 index 42b3c0a..0000000 --- a/SOURCES/0031-tmp-Fix-test-names.patch +++ /dev/null @@ -1,40 +0,0 @@ -diff -up openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit openssl-3.0.0/test/recipes/90-test_sslapi.t ---- openssl-3.0.0/test/recipes/90-test_sslapi.t.beldmit 2021-09-22 11:56:49.452507975 +0200 -+++ openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-09-22 11:57:19.371764742 +0200 -@@ -40,7 +40,7 @@ unless ($no_fips) { - "recipes", - "90-test_sslapi_data", - "dhparams.pem")])), -- "running sslapitest"); -+ "running sslapitest - FIPS"); - } - - unlink $tmpfilename; -diff --git a/test/sslapitest.c b/test/sslapitest.c -index e95d2657f46c..7af0eab3fce0 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -1158,6 +1158,11 @@ static int execute_test_ktls(int cis_ktls, int sis_ktls, - goto end; - } - -+ if (is_fips && strstr(cipher, "CHACHA") != NULL) { -+ testresult = TEST_skip("CHACHA is not supported in FIPS"); -+ goto end; -+ } -+ - /* Create a session based on SHA-256 */ - if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), - TLS_client_method(), -@@ -1292,6 +1297,11 @@ static int execute_test_ktls_sendfile(int tls_version, const char *cipher) - goto end; - } - -+ if (is_fips && strstr(cipher, "CHACHA") != NULL) { -+ testresult = TEST_skip("CHACHA is not supported in FIPS"); -+ goto end; -+ } -+ - /* Create a session based on SHA-256 */ - if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), - TLS_client_method(), diff --git a/SOURCES/0032-Force-fips.patch b/SOURCES/0032-Force-fips.patch index c8af196..985fadf 100644 --- a/SOURCES/0032-Force-fips.patch +++ b/SOURCES/0032-Force-fips.patch @@ -1,13 +1,21 @@ -#Note: provider_conf_activate() is introduced in downstream only. It is a rewrite -#(partial) of the function provider_conf_load() under the 'if (activate) section. -#If there is any change to this section, after deleting it in provider_conf_load() -#ensure that you also add those changes to the provider_conf_activate() function. -#additionally please add this check for cnf explicitly as shown below. -#'ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1;' -diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provider_conf.c ---- openssl-3.0.1/crypto/provider_conf.c.fipsact 2022-05-12 12:44:31.199034948 +0200 -+++ openssl-3.0.1/crypto/provider_conf.c 2022-05-12 12:49:17.468318373 +0200 -@@ -36,6 +36,8 @@ static int prov_already_activated(const +From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 11:59:02 +0200 +Subject: [PATCH 16/48] 0032-Force-fips.patch + +Patch-name: 0032-Force-fips.patch +Patch-id: 32 +Patch-status: | + # We load FIPS provider and set FIPS properties implicitly +--- + crypto/provider_conf.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c +index 058fb58837..5274265a70 100644 +--- a/crypto/provider_conf.c ++++ b/crypto/provider_conf.c +@@ -10,6 +10,8 @@ #include #include #include @@ -16,143 +24,25 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi #include #include #include -@@ -136,58 +136,18 @@ static int prov_already_activated(const - return 0; - } +@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, + if (path != NULL) + ossl_provider_set_module_path(prov, path); --static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, -- const char *value, const CONF *cnf) -+static int provider_conf_activate(OSSL_LIB_CTX *libctx,const char *name, -+ const char *value, const char *path, -+ int soft, const CONF *cnf) - { -- int i; -- STACK_OF(CONF_VALUE) *ecmds; -- int soft = 0; -- OSSL_PROVIDER *prov = NULL, *actual = NULL; -- const char *path = NULL; -- long activate = 0; - int ok = 0; -- -- name = skip_dot(name); -- OSSL_TRACE1(CONF, "Configuring provider %s\n", name); -- /* Value is a section containing PROVIDER commands */ -- ecmds = NCONF_get_section(cnf, value); -- -- if (!ecmds) { -- ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, -- "section=%s not found", value); -- return 0; -- } -- -- /* Find the needed data first */ -- for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { -- CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); -- const char *confname = skip_dot(ecmd->name); -- const char *confvalue = ecmd->value; -- -- OSSL_TRACE2(CONF, "Provider command: %s = %s\n", -- confname, confvalue); -- -- /* First handle some special pseudo confs */ -- -- /* Override provider name to use */ -- if (strcmp(confname, "identity") == 0) -- name = confvalue; -- else if (strcmp(confname, "soft_load") == 0) -- soft = 1; -- /* Load a dynamic PROVIDER */ -- else if (strcmp(confname, "module") == 0) -- path = confvalue; -- else if (strcmp(confname, "activate") == 0) -- activate = 1; -- } -- -- if (activate) { -- PROVIDER_CONF_GLOBAL *pcgbl -- = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, -- &provider_conf_ossl_ctx_method); -+ OSSL_PROVIDER *prov = NULL, *actual = NULL; -+ PROVIDER_CONF_GLOBAL *pcgbl -+ = ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_PROVIDER_CONF_INDEX, -+ &provider_conf_ossl_ctx_method); +- ok = provider_conf_params(prov, NULL, NULL, value, cnf); ++ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; - if (pcgbl == NULL || !CRYPTO_THREAD_write_lock(pcgbl->lock)) { -- ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); -+ ERR_raise(ERR_LIB_CRYPTO, ERR_R_INTERNAL_ERROR); - return 0; - } - if (!prov_already_activated(name, pcgbl->activated_providers)) { -@@ -216,7 +176,7 @@ static int provider_conf_load(OSSL_LIB_C - if (path != NULL) - ossl_provider_set_module_path(prov, path); + if (ok == 1) { + if (!ossl_provider_activate(prov, 1, 0)) { +@@ -268,6 +268,8 @@ static int provider_conf_activate(OSSL_L -- ok = provider_conf_params(prov, NULL, NULL, value, cnf); -+ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; + if (ok <= 0) + ossl_provider_free(prov); ++ } else { ++ ok = 1; + } + CRYPTO_THREAD_unlock(pcgbl->lock); - if (ok) { - if (!ossl_provider_activate(prov, 1, 0)) { -@@ -244,8 +204,59 @@ static int provider_conf_load(OSSL_LIB_C - } - if (!ok) - ossl_provider_free(prov); -+ } else { /* No reason to activate the provider twice, returning OK */ -+ ok = 1; - } - CRYPTO_THREAD_unlock(pcgbl->lock); -+ return ok; -+} -+ -+static int provider_conf_load(OSSL_LIB_CTX *libctx, const char *name, -+ const char *value, const CONF *cnf) -+{ -+ int i; -+ STACK_OF(CONF_VALUE) *ecmds; -+ int soft = 0; -+ const char *path = NULL; -+ long activate = 0; -+ int ok = 0; -+ -+ name = skip_dot(name); -+ OSSL_TRACE1(CONF, "Configuring provider %s\n", name); -+ /* Value is a section containing PROVIDER commands */ -+ ecmds = NCONF_get_section(cnf, value); -+ -+ if (!ecmds) { -+ ERR_raise_data(ERR_LIB_CRYPTO, CRYPTO_R_PROVIDER_SECTION_ERROR, -+ "section=%s not found", value); -+ return 0; -+ } -+ -+ /* Find the needed data first */ -+ for (i = 0; i < sk_CONF_VALUE_num(ecmds); i++) { -+ CONF_VALUE *ecmd = sk_CONF_VALUE_value(ecmds, i); -+ const char *confname = skip_dot(ecmd->name); -+ const char *confvalue = ecmd->value; -+ -+ OSSL_TRACE2(CONF, "Provider command: %s = %s\n", -+ confname, confvalue); -+ -+ /* First handle some special pseudo confs */ -+ -+ /* Override provider name to use */ -+ if (strcmp(confname, "identity") == 0) -+ name = confvalue; -+ else if (strcmp(confname, "soft_load") == 0) -+ soft = 1; -+ /* Load a dynamic PROVIDER */ -+ else if (strcmp(confname, "module") == 0) -+ path = confvalue; -+ else if (strcmp(confname, "activate") == 0) -+ activate = 1; -+ } -+ -+ if (activate) { -+ ok = provider_conf_activate(libctx, name, value, path, soft, cnf); - } else { - OSSL_PROVIDER_INFO entry; - -@@ -306,6 +317,33 @@ static int provider_conf_init(CONF_IMODU +@@ -309,6 +311,33 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf) return 0; } @@ -174,7 +64,7 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi + if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) + return 0; + } -+ /* provider_conf_load can return 1 even wwhen the test is failed so check explicitly */ ++ /* provider_conf_load can return 1 even when the test is failed so check explicitly */ + if (OSSL_PROVIDER_available(libctx, "fips") != 1) + return 0; + if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) @@ -186,3 +76,6 @@ diff -up openssl-3.0.1/crypto/provider_conf.c.fipsact openssl-3.0.1/crypto/provi return 1; } +-- +2.41.0 + diff --git a/SOURCES/0033-FIPS-embed-hmac.patch b/SOURCES/0033-FIPS-embed-hmac.patch index 484a75e..0bf3b2d 100644 --- a/SOURCES/0033-FIPS-embed-hmac.patch +++ b/SOURCES/0033-FIPS-embed-hmac.patch @@ -1,9 +1,34 @@ -diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/providers/fips/self_test.c ---- openssl-3.0.7/providers/fips/self_test.c.embed-hmac 2023-01-05 10:03:44.864869710 +0100 -+++ openssl-3.0.7/providers/fips/self_test.c 2023-01-05 10:15:17.041606472 +0100 -@@ -172,11 +172,27 @@ DEP_FINI_ATTRIBUTE void cleanup(void) +From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch + +Patch-name: 0033-FIPS-embed-hmac.patch +Patch-id: 33 +Patch-status: | + # # Embed HMAC into the fips.so + # Modify fips self test as per + # https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + providers/fips/self_test.c | 204 ++++++++++++++++++++++++-- + test/fipsmodule.cnf | 2 + + test/recipes/00-prep_fipsmodule_cnf.t | 2 +- + test/recipes/01-test_fipsmodule_cnf.t | 2 +- + test/recipes/03-test_fipsinstall.t | 2 +- + test/recipes/30-test_defltfips.t | 2 +- + test/recipes/80-test_ssl_new.t | 2 +- + test/recipes/90-test_sslapi.t | 2 +- + 8 files changed, 200 insertions(+), 18 deletions(-) + create mode 100644 test/fipsmodule.cnf + +diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c +index b8dc9817b2..28f536d13c 100644 +--- a/providers/fips/self_test.c ++++ b/providers/fips/self_test.c +@@ -230,11 +230,133 @@ err: + return ok; } - #endif +#define HMAC_LEN 32 +/* @@ -17,6 +42,7 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi * the result matches the expected value. * Return 1 if verified, or 0 if it fails. */ ++ +#ifndef __USE_GNU +#define __USE_GNU +#include @@ -25,11 +51,116 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi +#include +#endif +#include ++ ++static int verify_integrity_rodata(OSSL_CORE_BIO *bio, ++ OSSL_FUNC_BIO_read_ex_fn read_ex_cb, ++ unsigned char *expected, size_t expected_len, ++ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, ++ const char *event_type) ++{ ++ int ret = 0, status; ++ unsigned char out[MAX_MD_SIZE]; ++ unsigned char buf[INTEGRITY_BUF_SIZE]; ++ size_t bytes_read = 0, out_len = 0; ++ EVP_MAC *mac = NULL; ++ EVP_MAC_CTX *ctx = NULL; ++ OSSL_PARAM params[2], *p = params; ++ Dl_info info; ++ void *extra_info = NULL; ++ struct link_map *lm = NULL; ++ unsigned long paddr; ++ unsigned long off = 0; ++ ++ if (expected_len != HMAC_LEN) ++ goto err; ++ ++ if (!integrity_self_test(ev, libctx)) ++ goto err; ++ ++ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); ++ ++ if (!dladdr1 ((const void *)fips_hmac_container, ++ &info, &extra_info, RTLD_DL_LINKMAP)) ++ goto err; ++ lm = extra_info; ++ paddr = (unsigned long)fips_hmac_container - lm->l_addr; ++ ++ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); ++ if (mac == NULL) ++ goto err; ++ ctx = EVP_MAC_CTX_new(mac); ++ if (ctx == NULL) ++ goto err; ++ ++ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0); ++ *p = OSSL_PARAM_construct_end(); ++ ++ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) ++ goto err; ++ ++ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (off < paddr) { ++ int delta = paddr - off; ++ status = read_ex_cb(bio, buf, delta, &bytes_read); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ /* read away the buffer */ ++ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); ++ if (status != 1) ++ goto err; ++ ++ /* check that it is the expect bytes, no point in continuing otherwise */ ++ if (memcmp(expected, buf, HMAC_LEN) != 0) ++ goto err; ++ ++ /* replace in-file HMAC buffer with the original zeros */ ++ memset(buf, 0, HMAC_LEN); ++ if (!EVP_MAC_update(ctx, buf, HMAC_LEN)) ++ goto err; ++ off += HMAC_LEN; ++ ++ while (bytes_read > 0) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) ++ goto err; ++ ++ OSSL_SELF_TEST_oncorrupt_byte(ev, out); ++ if (expected_len != out_len ++ || memcmp(expected, out, out_len) != 0) ++ goto err; ++ ret = 1; ++err: ++ OPENSSL_cleanse(out, MAX_MD_SIZE); ++ OSSL_SELF_TEST_onend(ev, ret); ++ EVP_MAC_CTX_free(ctx); ++ EVP_MAC_free(mac); ++ return ret; ++} + static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, unsigned char *expected, size_t expected_len, OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, -@@ -189,9 +205,20 @@ static int verify_integrity(OSSL_CORE_BI +@@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex EVP_MAC *mac = NULL; EVP_MAC_CTX *ctx = NULL; OSSL_PARAM params[2], *p = params; @@ -39,6 +170,9 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi + unsigned long paddr; + unsigned long off = 0; + if (!integrity_self_test(ev, libctx)) + goto err; + OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); + if (!dladdr1 ((const void *)fips_hmac_container, @@ -50,7 +184,7 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); if (mac == NULL) goto err; -@@ -205,13 +233,42 @@ static int verify_integrity(OSSL_CORE_BI +@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) goto err; @@ -95,8 +229,16 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) goto err; -@@ -285,8 +342,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS - CRYPTO_THREAD_unlock(fips_state_lock); +@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + goto err; + ret = 1; + err: ++ OPENSSL_cleanse(out, sizeof(out)); + OSSL_SELF_TEST_onend(ev, ret); + EVP_MAC_CTX_free(ctx); + EVP_MAC_free(mac); +@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + return 0; } - if (st == NULL @@ -105,30 +247,77 @@ diff -up openssl-3.0.7/providers/fips/self_test.c.embed-hmac openssl-3.0.7/provi ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); goto end; } -@@ -305,8 +361,9 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS +@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) if (ev == NULL) goto end; - module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, - &checksum_len); -+ module_checksum = fips_hmac_container; -+ checksum_len = sizeof(fips_hmac_container); ++ if (st->module_checksum_data == NULL) { ++ module_checksum = fips_hmac_container; ++ checksum_len = sizeof(fips_hmac_container); ++ } else { ++ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, ++ &checksum_len); ++ } + if (module_checksum == NULL) { ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); goto end; -@@ -356,7 +413,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS - ok = 1; +@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb"); + + /* Always check the integrity of the fips module */ +- if (bio_module == NULL +- || !verify_integrity(bio_module, st->bio_read_ex_cb, +- module_checksum, checksum_len, st->libctx, +- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ if (bio_module == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); + goto end; + } +- ++ if (st->module_checksum_data == NULL) { ++ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, ++ st->libctx, ev, ++ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } else { ++ if (!verify_integrity(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, ++ st->libctx, ev, ++ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } + /* This will be NULL during installation - so the self test KATS will run */ + if (st->indicator_data != NULL) { + /* +@@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) end: + EVP_RAND_free(testrand); OSSL_SELF_TEST_free(ev); - OPENSSL_free(module_checksum); OPENSSL_free(indicator_checksum); if (st != NULL) { -diff -ruN openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t ---- openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200 -+++ openssl-3.0.0-xxx/test/recipes/00-prep_fipsmodule_cnf.t 2021-11-18 09:39:53.386817874 +0100 -@@ -20,7 +20,7 @@ +diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf +new file mode 100644 +index 0000000000..f05d0dedbe +--- /dev/null ++++ b/test/fipsmodule.cnf +@@ -0,0 +1,2 @@ ++[fips_sect] ++activate = 1 +diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t +index 4e3a6d85e8..e8255ba974 100644 +--- a/test/recipes/00-prep_fipsmodule_cnf.t ++++ b/test/recipes/00-prep_fipsmodule_cnf.t +@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); use platform; @@ -137,10 +326,11 @@ diff -ruN openssl-3.0.0/test/recipes/00-prep_fipsmodule_cnf.t openssl-3.0.0-xxx/ plan skip_all => "FIPS module config file only supported in a fips build" if $no_check; -diff -ruN openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t ---- openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t 2021-09-07 13:46:32.000000000 +0200 -+++ openssl-3.0.0-xxx/test/recipes/01-test_fipsmodule_cnf.t 2021-11-18 09:59:02.315619486 +0100 -@@ -23,7 +23,7 @@ +diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t +index ce594817d5..00cebacff8 100644 +--- a/test/recipes/01-test_fipsmodule_cnf.t ++++ b/test/recipes/01-test_fipsmodule_cnf.t +@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); use platform; @@ -149,34 +339,37 @@ diff -ruN openssl-3.0.0/test/recipes/01-test_fipsmodule_cnf.t openssl-3.0.0-xxx/ plan skip_all => "Test only supported in a fips build" if $no_check; plan tests => 1; -diff -ruN openssl-3.0.0/test/recipes/03-test_fipsinstall.t openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t ---- openssl-3.0.0/test/recipes/03-test_fipsinstall.t 2021-09-07 13:46:32.000000000 +0200 -+++ openssl-3.0.0-xxx/test/recipes/03-test_fipsinstall.t 2021-11-18 09:59:55.365072074 +0100 -@@ -22,7 +22,7 @@ +diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t +index b8b136d110..8242f4ebc3 100644 +--- a/test/recipes/03-test_fipsinstall.t ++++ b/test/recipes/03-test_fipsinstall.t +@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); use platform; -plan skip_all => "Test only supported in a fips build" if disabled("fips"); +plan skip_all => "Test only supported in a fips build" if 1; - plan tests => 29; - -diff -ruN openssl-3.0.0/test/recipes/30-test_defltfips.t openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t ---- openssl-3.0.0/test/recipes/30-test_defltfips.t 2021-09-07 13:46:32.000000000 +0200 -+++ openssl-3.0.0-xxx/test/recipes/30-test_defltfips.t 2021-11-18 10:22:54.179659682 +0100 -@@ -21,7 +21,7 @@ - use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); + # Compatible options for pedantic FIPS compliance + my @pedantic_okay = +diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t +index c8f145405b..56a2ec5dc4 100644 +--- a/test/recipes/30-test_defltfips.t ++++ b/test/recipes/30-test_defltfips.t +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "Configuration loading is turned off" + if disabled("autoload-config"); -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); plan tests => ($no_fips ? 1 : 5); -diff -ruN openssl-3.0.0/test/recipes/80-test_ssl_new.t openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t ---- openssl-3.0.0/test/recipes/80-test_ssl_new.t 2021-09-07 13:46:32.000000000 +0200 -+++ openssl-3.0.0-xxx/test/recipes/80-test_ssl_new.t 2021-11-18 10:18:53.391721164 +0100 -@@ -23,7 +23,7 @@ +diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t +index 195b85ea8c..92d48dbf7d 100644 +--- a/test/recipes/80-test_ssl_new.t ++++ b/test/recipes/80-test_ssl_new.t +@@ -27,7 +27,7 @@ setup("test_ssl_new"); use lib srctop_dir('Configurations'); use lib bldtop_dir('.'); @@ -185,20 +378,19 @@ diff -ruN openssl-3.0.0/test/recipes/80-test_ssl_new.t openssl-3.0.0-xxx/test/re $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); -diff -ruN openssl-3.0.0/test/recipes/90-test_sslapi.t openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t ---- openssl-3.0.0/test/recipes/90-test_sslapi.t 2021-11-18 10:32:17.734196705 +0100 -+++ openssl-3.0.0-xxx/test/recipes/90-test_sslapi.t 2021-11-18 10:18:30.695538445 +0100 -@@ -18,7 +18,7 @@ - use lib srctop_dir('Configurations'); - use lib bldtop_dir('.'); +diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t +index 18d9f3d204..71780d8caa 100644 +--- a/test/recipes/90-test_sslapi.t ++++ b/test/recipes/90-test_sslapi.t +@@ -17,7 +17,7 @@ setup("test_sslapi"); + setup("test_sslapi"); + } -my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); +my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + my $fipsmodcfg_filename = "fipsmodule.cnf"; + my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename); - plan skip_all => "No TLS/SSL protocols are supported by this OpenSSL build" - if alldisabled(grep { $_ ne "ssl3" } available_protocols("tls")); ---- /dev/null 2021-11-16 15:27:32.915000000 +0100 -+++ openssl-3.0.0/test/fipsmodule.cnf 2021-11-18 11:15:34.538060408 +0100 -@@ -0,0 +1,2 @@ -+[fips_sect] -+activate = 1 +-- +2.44.0 + diff --git a/SOURCES/0034.fipsinstall_disable.patch b/SOURCES/0034.fipsinstall_disable.patch index c4f9efd..f1d7b27 100644 --- a/SOURCES/0034.fipsinstall_disable.patch +++ b/SOURCES/0034.fipsinstall_disable.patch @@ -1,7 +1,27 @@ -diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c ---- openssl-3.0.0/apps/fipsinstall.c.xxx 2021-11-22 13:09:28.232560235 +0100 -+++ openssl-3.0.0/apps/fipsinstall.c 2021-11-22 13:12:22.272058910 +0100 -@@ -311,6 +311,9 @@ int fipsinstall_main(int argc, char **ar +From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:28 +0200 +Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch + +Patch-name: 0034.fipsinstall_disable.patch +Patch-id: 34 +Patch-status: | + # Comment out fipsinstall command-line utility +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + apps/fipsinstall.c | 3 + + doc/man1/openssl-fipsinstall.pod.in | 272 +--------------------------- + doc/man1/openssl.pod | 4 - + doc/man5/config.pod | 1 - + doc/man5/fips_config.pod | 104 +---------- + doc/man7/OSSL_PROVIDER-FIPS.pod | 1 - + 6 files changed, 10 insertions(+), 375 deletions(-) + +diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c +index e1ef645b60..db92cb5fb2 100644 +--- a/apps/fipsinstall.c ++++ b/apps/fipsinstall.c +@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **argv) EVP_MAC *mac = NULL; CONF *conf = NULL; @@ -11,160 +31,11 @@ diff -up openssl-3.0.0/apps/fipsinstall.c.xxx openssl-3.0.0/apps/fipsinstall.c if ((opts = sk_OPENSSL_STRING_new_null()) == NULL) goto end; -diff -up openssl-3.0.0/doc/man1/openssl.pod.xxx openssl-3.0.0/doc/man1/openssl.pod ---- openssl-3.0.0/doc/man1/openssl.pod.xxx 2021-11-22 13:18:51.081406990 +0100 -+++ openssl-3.0.0/doc/man1/openssl.pod 2021-11-22 13:19:02.897508738 +0100 -@@ -158,10 +158,6 @@ Engine (loadable module) information and - - Error Number to Error String Conversion. - --=item B -- --FIPS configuration installation. -- - =item B - - Generation of DSA Private Key from Parameters. Superseded by -diff -up openssl-3.0.0/doc/man5/config.pod.xxx openssl-3.0.0/doc/man5/config.pod ---- openssl-3.0.0/doc/man5/config.pod.xxx 2021-11-22 13:24:51.359509501 +0100 -+++ openssl-3.0.0/doc/man5/config.pod 2021-11-22 13:26:02.360121820 +0100 -@@ -573,7 +573,6 @@ configuration files using that syntax wi - =head1 SEE ALSO - - L, L, L, --L, - L, - L, - L, -diff -up openssl-3.0.0/doc/man5/fips_config.pod.xxx openssl-3.0.0/doc/man5/fips_config.pod ---- openssl-3.0.0/doc/man5/fips_config.pod.xxx 2021-11-22 13:21:13.812636065 +0100 -+++ openssl-3.0.0/doc/man5/fips_config.pod 2021-11-22 13:24:12.278172847 +0100 -@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration - - =head1 DESCRIPTION - --A separate configuration file, using the OpenSSL L syntax, --is used to hold information about the FIPS module. This includes a digest --of the shared library file, and status about the self-testing. --This data is used automatically by the module itself for two --purposes: -- --=over 4 -- --=item - Run the startup FIPS self-test known answer tests (KATS). -- --This is normally done once, at installation time, but may also be set up to --run each time the module is used. -- --=item - Verify the module's checksum. -- --This is done each time the module is used. -- --=back -- --This file is generated by the L program, and --used internally by the FIPS module during its initialization. -- --The following options are supported. They should all appear in a section --whose name is identified by the B option in the B --section, as described in L. -- --=over 4 -- --=item B -- --If present, the module is activated. The value assigned to this name is not --significant. -- --=item B -- --A version number for the fips install process. Should be 1. -- --=item B -- --The FIPS module normally enters an internal error mode if any self test fails. --Once this error mode is active, no services or cryptographic algorithms are --accessible from this point on. --Continuous tests are a subset of the self tests (e.g., a key pair test during key --generation, or the CRNG output test). --Setting this value to C<0> allows the error mode to not be triggered if any --continuous test fails. The default value of C<1> will trigger the error mode. --Regardless of the value, the operation (e.g., key generation) that called the --continuous test will return an error code if its continuous test fails. The --operation may then be retried if the error mode has not been triggered. -- --=item B -- --This indicates if run-time checks related to enforcement of security parameters --such as minimum security strength of keys and approved curve names are used. --A value of '1' will perform the checks, otherwise if the value is '0' the checks --are not performed and FIPS compliance must be done by procedures documented in --the relevant Security Policy. -- --=item B -- --The calculated MAC of the FIPS provider file. -- --=item B -- --An indicator that the self-tests were successfully run. --This should only be written after the module has --successfully passed its self tests during installation. --If this field is not present, then the self tests will run when the module --loads. -- --=item B -- --A MAC of the value of the B option, to prevent accidental --changes to that value. --It is written-to at the same time as B is updated. -- --=back -- --For example: -- -- [fips_sect] -- activate = 1 -- install-version = 1 -- conditional-errors = 1 -- security-checks = 1 -- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC -- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C -- install-status = INSTALL_SELF_TEST_KATS_RUN -- --=head1 NOTES -- --When using the FIPS provider, it is recommended that the --B option is enabled to prevent accidental use of --non-FIPS validated algorithms via broken or mistaken configuration. --See L. -- --=head1 SEE ALSO -- --L --L -+This command is disabled in Red Hat Enterprise Linux. The FIPS provider is -+automatically loaded when the system is booted in FIPS mode, or when the -+environment variable B is set. See the documentation -+for more information. - - =head1 COPYRIGHT - -diff -up openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod ---- openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod.xxx 2021-11-22 13:18:13.850086386 +0100 -+++ openssl-3.0.0/doc/man7/OSSL_PROVIDER-FIPS.pod 2021-11-22 13:18:24.607179038 +0100 -@@ -388,7 +388,6 @@ A simple self test callback is shown bel - - =head1 SEE ALSO - --L, - L, - L, - L, -diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in ---- openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac 2022-01-11 13:26:33.279906225 +0100 -+++ openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in 2022-01-11 13:33:18.757994419 +0100 -@@ -8,236 +8,11 @@ openssl-fipsinstall - perform FIPS confi +diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in +index b1768b7f91..b6b00e27d8 100644 +--- a/doc/man1/openssl-fipsinstall.pod.in ++++ b/doc/man1/openssl-fipsinstall.pod.in +@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation =head1 SYNOPSIS B @@ -179,14 +50,18 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3. -[B<-macopt> I:I] -[B<-noout>] -[B<-quiet>] +-[B<-pedantic>] -[B<-no_conditional_errors>] -[B<-no_security_checks>] +-[B<-ems_check>] +-[B<-no_drbg_truncated_digests>] -[B<-self_test_onload>] +-[B<-self_test_oninstall>] -[B<-corrupt_desc> I] -[B<-corrupt_type> I] -[B<-config> I] - - =head1 DESCRIPTION +- +-=head1 DESCRIPTION - -This command is used to generate a FIPS module configuration file. -This configuration file can be used each time a FIPS module is loaded @@ -315,6 +190,14 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3. - -Disable logging of the self tests. - +-=item B<-pedantic> +- +-Configure the module so that it is strictly FIPS compliant rather +-than being backwards compatible. This enables conditional errors, +-security checks etc. Note that any previous configuration options will +-be overwritten and any subsequent configuration options that violate +-FIPS compliance will result in an error. +- -=item B<-no_conditional_errors> - -Configure the module to not enter an error state if a conditional self test @@ -324,6 +207,20 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3. - -Configure the module to not perform run-time security checks as described above. - +-Enabling the configuration option "no-fips-securitychecks" provides another way to +-turn off the check at compile time. +- +-=item B<-ems_check> +- +-Configure the module to enable a run-time Extended Master Secret (EMS) check +-when using the TLS1_PRF KDF algorithm. This check is disabled by default. +-See RFC 7627 for information related to EMS. +- +-=item B<-no_drbg_truncated_digests> +- +-Configure the module to not allow truncated digests to be used with Hash and +-HMAC DRBGs. See FIPS 140-3 IG D.R for details. +- -=item B<-self_test_onload> - -Do not write the two fields related to the "test status indicator" and @@ -334,6 +231,14 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3. -could possibly then add the 2 fields into the configuration using some other -mechanism. - +-This is the default. +- +-=item B<-self_test_oninstall> +- +-The converse of B<-self_test_oninstall>. The two fields related to the +-"test status indicator" and "MAC status indicator" are written to the +-output configuration file. +- -=item B<-quiet> - -Do not output pass/fail messages. Implies B<-noout>. @@ -369,6 +274,11 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3. -For normal usage the base configuration file should use the default provider -when generating the fips configuration file. - +-The B<-self_test_oninstall> option was added and the +-B<-self_test_onload> option was made the default in OpenSSL 3.1. +- +-The command and all remaining options were added in OpenSSL 3.0. +- -=head1 EXAMPLES - -Calculate the mac of a FIPS module F and run a FIPS self test @@ -404,3 +314,160 @@ diff -up openssl-3.0.1/doc/man1/openssl-fipsinstall.pod.in.embed-hmac openssl-3. =head1 COPYRIGHT +diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod +index d9c22a580f..d5ec3b9a6a 100644 +--- a/doc/man1/openssl.pod ++++ b/doc/man1/openssl.pod +@@ -135,10 +135,6 @@ Engine (loadable module) information and manipulation. + + Error Number to Error String Conversion. + +-=item B +- +-FIPS configuration installation. +- + =item B + + Generation of DSA Private Key from Parameters. Superseded by +diff --git a/doc/man5/config.pod b/doc/man5/config.pod +index 714a10437b..bd05736220 100644 +--- a/doc/man5/config.pod ++++ b/doc/man5/config.pod +@@ -573,7 +573,6 @@ configuration files using that syntax will have to be modified. + =head1 SEE ALSO + + L, L, L, +-L, + L, + L, + L, +diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod +index 2255464304..1c15e32a5c 100644 +--- a/doc/man5/fips_config.pod ++++ b/doc/man5/fips_config.pod +@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration + + =head1 DESCRIPTION + +-A separate configuration file, using the OpenSSL L syntax, +-is used to hold information about the FIPS module. This includes a digest +-of the shared library file, and status about the self-testing. +-This data is used automatically by the module itself for two +-purposes: +- +-=over 4 +- +-=item - Run the startup FIPS self-test known answer tests (KATS). +- +-This is normally done once, at installation time, but may also be set up to +-run each time the module is used. +- +-=item - Verify the module's checksum. +- +-This is done each time the module is used. +- +-=back +- +-This file is generated by the L program, and +-used internally by the FIPS module during its initialization. +- +-The following options are supported. They should all appear in a section +-whose name is identified by the B option in the B +-section, as described in L. +- +-=over 4 +- +-=item B +- +-If present, the module is activated. The value assigned to this name is not +-significant. +- +-=item B +- +-A version number for the fips install process. Should be 1. +- +-=item B +- +-The FIPS module normally enters an internal error mode if any self test fails. +-Once this error mode is active, no services or cryptographic algorithms are +-accessible from this point on. +-Continuous tests are a subset of the self tests (e.g., a key pair test during key +-generation, or the CRNG output test). +-Setting this value to C<0> allows the error mode to not be triggered if any +-continuous test fails. The default value of C<1> will trigger the error mode. +-Regardless of the value, the operation (e.g., key generation) that called the +-continuous test will return an error code if its continuous test fails. The +-operation may then be retried if the error mode has not been triggered. +- +-=item B +- +-This indicates if run-time checks related to enforcement of security parameters +-such as minimum security strength of keys and approved curve names are used. +-A value of '1' will perform the checks, otherwise if the value is '0' the checks +-are not performed and FIPS compliance must be done by procedures documented in +-the relevant Security Policy. +- +-=item B +- +-The calculated MAC of the FIPS provider file. +- +-=item B +- +-An indicator that the self-tests were successfully run. +-This should only be written after the module has +-successfully passed its self tests during installation. +-If this field is not present, then the self tests will run when the module +-loads. +- +-=item B +- +-A MAC of the value of the B option, to prevent accidental +-changes to that value. +-It is written-to at the same time as B is updated. +- +-=back +- +-For example: +- +- [fips_sect] +- activate = 1 +- install-version = 1 +- conditional-errors = 1 +- security-checks = 1 +- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC +- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C +- install-status = INSTALL_SELF_TEST_KATS_RUN +- +-=head1 NOTES +- +-When using the FIPS provider, it is recommended that the +-B option is enabled to prevent accidental use of +-non-FIPS validated algorithms via broken or mistaken configuration. +-See L. +- +-=head1 SEE ALSO +- +-L +-L ++This command is disabled in Red Hat Enterprise Linux. The FIPS provider is ++automatically loaded when the system is booted in FIPS mode, or when the ++environment variable B is set. See the documentation ++for more information. + + =head1 HISTORY + +diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod +index 4f908888ba..ef00247770 100644 +--- a/doc/man7/OSSL_PROVIDER-FIPS.pod ++++ b/doc/man7/OSSL_PROVIDER-FIPS.pod +@@ -444,7 +444,6 @@ want to operate in a FIPS approved manner. The algorithms are: + + =head1 SEE ALSO + +-L, + L, + L, + L, +-- +2.41.0 + diff --git a/SOURCES/0044-FIPS-140-3-keychecks.patch b/SOURCES/0044-FIPS-140-3-keychecks.patch index 67cbd6d..3fedb4c 100644 --- a/SOURCES/0044-FIPS-140-3-keychecks.patch +++ b/SOURCES/0044-FIPS-140-3-keychecks.patch @@ -1,7 +1,26 @@ -diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c ---- openssl-3.0.1/crypto/dh/dh_key.c.fips3 2022-07-18 16:01:41.159543735 +0200 -+++ openssl-3.0.1/crypto/dh/dh_key.c 2022-07-18 16:24:30.251388248 +0200 -@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *k +From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 12:05:23 +0200 +Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch + +Patch-name: 0044-FIPS-140-3-keychecks.patch +Patch-id: 44 +Patch-status: | + # Extra public/private key checks required by FIPS-140-3 +--- + crypto/dh/dh_key.c | 26 ++++++++++ + .../implementations/exchange/ecdh_exch.c | 19 ++++++++ + providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++- + providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++ + .../implementations/signature/ecdsa_sig.c | 37 +++++++++++++-- + providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++-- + 6 files changed, 162 insertions(+), 9 deletions(-) + +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index 4e9705beef..83773cceea 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) BN_MONT_CTX *mont = NULL; BIGNUM *z = NULL, *pminus1; int ret = -1; @@ -11,7 +30,7 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *k +@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) return 0; } @@ -57,25 +76,11 @@ diff -up openssl-3.0.1/crypto/dh/dh_key.c.fips3 openssl-3.0.1/crypto/dh/dh_key.c dh->dirty_cnt++; ok = 1; err: -diff -up openssl-3.0.7/crypto/ec/ec_key.c.f188 openssl-3.0.7/crypto/ec/ec_key.c ---- openssl-3.0.7/crypto/ec/ec_key.c.f188 2023-11-08 10:58:05.910031253 +0100 -+++ openssl-3.0.7/crypto/ec/ec_key.c 2023-11-08 10:59:42.338526883 +0100 -@@ -326,6 +326,11 @@ static int ec_generate_key(EC_KEY *eckey - eckey->dirty_cnt++; - - #ifdef FIPS_MODULE -+ if (ossl_ec_key_public_check(eckey, ctx) <= 0) { -+ ERR_raise(ERR_LIB_EC, EC_R_INVALID_KEY); -+ goto err; -+ } -+ - pairwise_test = 1; - #endif /* FIPS_MODULE */ - -diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c ---- openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 2022-07-25 13:42:46.814952053 +0200 -+++ openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c 2022-07-25 13:52:12.292065706 +0200 -@@ -488,6 +488,25 @@ int ecdh_plain_derive(void *vpecdhctx, u +diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c +index 43caedb6df..73873f9758 100644 +--- a/providers/implementations/exchange/ecdh_exch.c ++++ b/providers/implementations/exchange/ecdh_exch.c +@@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret, } ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk); @@ -101,13 +106,14 @@ diff -up openssl-3.0.1/providers/implementations/exchange/ecdh_exch.c.fips3 open retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); -diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c ---- openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise 2023-02-20 11:44:18.451884117 +0100 -+++ openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c 2023-02-20 12:39:46.037063842 +0100 -@@ -982,8 +982,17 @@ struct ec_gen_ctx { - int selection; - int ecdh_mode; +diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c +index a37cbbdba8..bca3f3c674 100644 +--- a/providers/implementations/keymgmt/ec_kmgmt.c ++++ b/providers/implementations/keymgmt/ec_kmgmt.c +@@ -989,8 +989,17 @@ struct ec_gen_ctx { EC_GROUP *gen_group; + unsigned char *dhkem_ikm; + size_t dhkem_ikmlen; +#ifdef FIPS_MODULE + void *ecdsa_sig_ctx; +#endif @@ -122,9 +128,9 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope static void *ec_gen_init(void *provctx, int selection, const OSSL_PARAM params[]) { -@@ -1002,6 +1011,10 @@ static void *ec_gen_init(void *provctx, - OPENSSL_free(gctx); - gctx = NULL; +@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection, + gctx = NULL; + } } +#ifdef FIPS_MODULE + if (gctx != NULL) @@ -133,7 +139,7 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope return gctx; } -@@ -1272,6 +1285,12 @@ static void *ec_gen(void *genctx, OSSL_C +@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) if (gctx->ecdh_mode != -1) ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); @@ -145,8 +151,8 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope +#endif if (gctx->group_check != NULL) - ret = ret && ossl_ec_set_check_group_type_from_name(ec, gctx->group_check); -@@ -1341,7 +1359,10 @@ static void ec_gen_cleanup(void *genctx) + ret = ret && ossl_ec_set_check_group_type_from_name(ec, +@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx) if (gctx == NULL) return; @@ -155,12 +161,70 @@ diff -up openssl-3.0.7/providers/implementations/keymgmt/ec_kmgmt.c.pairwise ope + ecdsa_freectx(gctx->ecdsa_sig_ctx); + gctx->ecdsa_sig_ctx = NULL; +#endif + OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen); EC_GROUP_free(gctx->gen_group); BN_free(gctx->p); - BN_free(gctx->a); -diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c ---- openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise 2023-02-20 11:50:23.035194347 +0100 -+++ openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c 2023-02-20 12:19:10.809768979 +0100 +diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c +index 3ba12c4889..ff49f8fcd8 100644 +--- a/providers/implementations/keymgmt/rsa_kmgmt.c ++++ b/providers/implementations/keymgmt/rsa_kmgmt.c +@@ -434,6 +434,7 @@ struct rsa_gen_ctx { + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + /* ACVP test parameters */ + OSSL_PARAM *acvp_test_params; ++ void *prov_rsa_ctx; + #endif + }; + +@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb) + return gctx->cb(params, gctx->cbarg); + } + ++#ifdef FIPS_MODULE ++void *rsa_newctx(void *provctx, const char *propq); ++void rsa_freectx(void *vctx); ++int do_rsa_pct(void *, const char *, void *); ++#endif ++ + static void *gen_init(void *provctx, int selection, int rsa_type, + const OSSL_PARAM params[]) + { +@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type, + + if (!rsa_gen_set_params(gctx, params)) + goto err; ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL); ++#endif + return gctx; + + err: +@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) + + rsa = rsa_tmp; + rsa_tmp = NULL; ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) ++ abort(); ++#endif + err: + BN_GENCB_free(gencb); + RSA_free(rsa_tmp); +@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx) + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params); + gctx->acvp_test_params = NULL; ++ rsa_freectx(gctx->prov_rsa_ctx); ++ gctx->prov_rsa_ctx = NULL; + #endif + BN_clear_free(gctx->pub_exp); + OPENSSL_free(gctx); +diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c +index 865d49d100..ebeb30e002 100644 +--- a/providers/implementations/signature/ecdsa_sig.c ++++ b/providers/implementations/signature/ecdsa_sig.c @@ -32,7 +32,7 @@ #include "crypto/ec.h" #include "prov/der_ec.h" @@ -170,7 +234,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init; static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init; static OSSL_FUNC_signature_sign_fn ecdsa_sign; -@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_f +@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final; static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init; static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update; static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final; @@ -180,7 +244,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params; static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params; @@ -104,7 +104,7 @@ typedef struct { - #endif + unsigned int nonce_type; } PROV_ECDSA_CTX; -static void *ecdsa_newctx(void *provctx, const char *propq) @@ -188,7 +252,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise { PROV_ECDSA_CTX *ctx; -@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx +@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig, return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen); } @@ -197,7 +261,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise { PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; -@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ +@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx) return EVP_MD_settable_ctx_params(ctx->md); } @@ -233,66 +297,11 @@ diff -up openssl-3.0.7/providers/implementations/signature/ecdsa_sig.c.pairwise const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = { { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, -diff -up openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c ---- openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c.pairwise 2023-02-20 16:04:27.103364713 +0100 -+++ openssl-3.0.7/providers/implementations/keymgmt/rsa_kmgmt.c 2023-02-20 16:14:13.848119419 +0100 -@@ -434,6 +434,7 @@ struct rsa_gen_ctx { - #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) - /* ACVP test parameters */ - OSSL_PARAM *acvp_test_params; -+ void *prov_rsa_ctx; - #endif - }; - -@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GE - return gctx->cb(params, gctx->cbarg); - } - -+#ifdef FIPS_MODULE -+void *rsa_newctx(void *provctx, const char *propq); -+void rsa_freectx(void *vctx); -+int do_rsa_pct(void *, const char *, void *); -+#endif -+ - static void *gen_init(void *provctx, int selection, int rsa_type, - const OSSL_PARAM params[]) - { -@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int - - if (!rsa_gen_set_params(gctx, params)) - goto err; -+#ifdef FIPS_MODULE -+ if (gctx != NULL) -+ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL); -+#endif - return gctx; - - err: -@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_ - - rsa = rsa_tmp; - rsa_tmp = NULL; -+#ifdef FIPS_MODULE -+ /* Pairwise consistency test */ -+ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) -+ abort(); -+#endif - err: - BN_GENCB_free(gencb); - RSA_free(rsa_tmp); -@@ -645,6 +662,8 @@ static void rsa_gen_cleanup(void *genctx - #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) - ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params); - gctx->acvp_test_params = NULL; -+ rsa_freectx(gctx->prov_rsa_ctx); -+ gctx->prov_rsa_ctx = NULL; - #endif - BN_clear_free(gctx->pub_exp); - OPENSSL_free(gctx); -diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise openssl-3.0.7/providers/implementations/signature/rsa_sig.c ---- openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise 2023-02-20 16:04:22.548327811 +0100 -+++ openssl-3.0.7/providers/implementations/signature/rsa_sig.c 2023-02-20 16:17:50.064871695 +0100 -@@ -36,7 +36,7 @@ +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index cd5de6bd51..d4261e8f7d 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -34,7 +34,7 @@ #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 @@ -301,7 +310,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; -@@ -49,7 +49,7 @@ static OSSL_FUNC_signature_digest_sign_f +@@ -47,7 +47,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update; static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; @@ -310,7 +319,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; -@@ -172,7 +172,7 @@ static int rsa_check_parameters(PROV_RSA +@@ -170,7 +170,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) return 1; } @@ -319,7 +328,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op { PROV_RSA_CTX *prsactx = NULL; char *propq_copy = NULL; -@@ -990,7 +990,7 @@ int rsa_digest_verify_final(void *vprsac +@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen); } @@ -328,7 +337,7 @@ diff -up openssl-3.0.7/providers/implementations/signature/rsa_sig.c.pairwise op { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; -@@ -1504,6 +1504,45 @@ static const OSSL_PARAM *rsa_settable_ct +@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) return EVP_MD_settable_ctx_params(prsactx->md); } @@ -388,3 +397,6 @@ index e0d139d..35f23b2 100644 } } return ok; +-- +2.41.0 + diff --git a/SOURCES/0045-FIPS-services-minimize.patch b/SOURCES/0045-FIPS-services-minimize.patch index 2ba9aab..117e6b2 100644 --- a/SOURCES/0045-FIPS-services-minimize.patch +++ b/SOURCES/0045-FIPS-services-minimize.patch @@ -1,7 +1,68 @@ -diff -up openssl-3.0.1/providers/common/capabilities.c.fipsmin3 openssl-3.0.1/providers/common/capabilities.c ---- openssl-3.0.1/providers/common/capabilities.c.fipsmin3 2022-05-05 17:11:36.146638536 +0200 -+++ openssl-3.0.1/providers/common/capabilities.c 2022-05-05 17:12:00.138848787 +0200 -@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list +From e25b25227043a2b2cf156527c31d7686a4265bf3 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 20/49] 0045-FIPS-services-minimize.patch + +Patch-name: 0045-FIPS-services-minimize.patch +Patch-id: 45 +Patch-status: | + # # Minimize fips services +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + apps/ecparam.c | 7 +++ + apps/req.c | 2 +- + providers/common/capabilities.c | 2 +- + providers/fips/fipsprov.c | 44 +++++++++++-------- + providers/fips/self_test_data.inc | 9 +++- + providers/implementations/signature/rsa_sig.c | 26 +++++++++++ + ssl/ssl_ciph.c | 3 ++ + test/acvp_test.c | 2 + + test/endecode_test.c | 4 ++ + test/evp_libctx_test.c | 9 +++- + test/recipes/15-test_gendsa.t | 2 +- + test/recipes/20-test_cli_fips.t | 3 +- + test/recipes/30-test_evp.t | 20 ++++----- + .../30-test_evp_data/evpmac_common.txt | 22 ++++++++++ + test/recipes/80-test_cms.t | 22 +++++----- + test/recipes/80-test_ssl_old.t | 2 +- + 16 files changed, 128 insertions(+), 51 deletions(-) + +diff --git a/apps/ecparam.c b/apps/ecparam.c +index 71f93c4ca5..347bf62d5c 100644 +--- a/apps/ecparam.c ++++ b/apps/ecparam.c +@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out) + const char *comment = curves[n].comment; + const char *sname = OBJ_nid2sn(curves[n].nid); + ++ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1) ++ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1) ++ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1) ++ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1) ++ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL)) ++ continue; ++ + if (comment == NULL) + comment = "CURVE DESCRIPTION NOT AVAILABLE"; + if (sname == NULL) +diff --git a/apps/req.c b/apps/req.c +index 8995453dca..cb38e6aa64 100644 +--- a/apps/req.c ++++ b/apps/req.c +@@ -268,7 +268,7 @@ int req_main(int argc, char **argv) + unsigned long chtype = MBSTRING_ASC, reqflag = 0; + + #ifndef OPENSSL_NO_DES +- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); ++ cipher = (EVP_CIPHER *)EVP_aes_256_cbc(); + #endif + + opt_set_unknown_name("digest"); +diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c +index f7234615e4..0d4c0e3388 100644 +--- a/providers/common/capabilities.c ++++ b/providers/common/capabilities.c +@@ -189,9 +189,9 @@ static const OSSL_PARAM param_group_list[][10] = { TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25), TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26), TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27), @@ -9,22 +70,15 @@ diff -up openssl-3.0.1/providers/common/capabilities.c.fipsmin3 openssl-3.0.1/pr TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28), TLS_GROUP_ENTRY("x448", "X448", "X448", 29), +# endif - # endif /* OPENSSL_NO_EC */ - # ifndef OPENSSL_NO_DH - /* Security bit values for FFDHE groups are as per RFC 7919 */ -diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/providers/fips/fipsprov.c ---- openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 2022-05-05 11:42:58.596848856 +0200 -+++ openssl-3.0.1/providers/fips/fipsprov.c 2022-05-05 11:55:42.997562712 +0200 -@@ -54,7 +54,6 @@ static void fips_deinit_casecmp(void); - - #define ALGC(NAMES, FUNC, CHECK) { { NAMES, FIPS_DEFAULT_PROPERTIES, FUNC }, CHECK } - #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) -- - extern OSSL_FUNC_core_thread_start_fn *c_thread_start; - int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); - -@@ -191,13 +190,13 @@ static int fips_get_params(void *provctx - &fips_prov_ossl_ctx_method); + # ifndef FIPS_MODULE + TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30), + TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31), +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index 7ec409710b..ec5bdd5a69 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) + OSSL_LIB_CTX_FIPS_PROV_INDEX); p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); - if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) @@ -40,7 +94,7 @@ diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/provider return 0; p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) -@@ -281,10 +280,11 @@ static const OSSL_ALGORITHM fips_digests +@@ -298,10 +298,11 @@ static const OSSL_ALGORITHM fips_digests[] = { * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for * KMAC128 and KMAC256. */ @@ -54,19 +108,19 @@ diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/provider { NULL, NULL, NULL } }; -@@ -343,8 +343,9 @@ static const OSSL_ALGORITHM_CAPABLE fips +@@ -360,8 +361,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = { ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions, ossl_cipher_capable_aes_cbc_hmac_sha256), #ifndef OPENSSL_NO_DES -- ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), -- ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), +- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), +- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), + /* We don't certify 3DES in our FIPS provider */ -+ /* ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), -+ ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */ ++ /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), ++ UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */ #endif /* OPENSSL_NO_DES */ { { NULL, NULL, NULL }, NULL } }; -@@ -356,8 +357,9 @@ static const OSSL_ALGORITHM fips_macs[] +@@ -373,8 +375,9 @@ static const OSSL_ALGORITHM fips_macs[] = { #endif { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions }, { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions }, @@ -78,37 +132,39 @@ diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/provider { NULL, NULL, NULL } }; -@@ -392,8 +394,9 @@ static const OSSL_ALGORITHM fips_keyexch - #endif +@@ -410,8 +413,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = { #ifndef OPENSSL_NO_EC { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions }, + # ifndef OPENSSL_NO_ECX - { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, - { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions }, + /* We don't certify Edwards curves in our FIPS provider */ + /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, + { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/ + # endif #endif { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, - ossl_kdf_tls1_prf_keyexch_functions }, -@@ -403,12 +406,14 @@ static const OSSL_ALGORITHM fips_keyexch +@@ -422,14 +426,16 @@ static const OSSL_ALGORITHM fips_keyexch[] = { static const OSSL_ALGORITHM fips_signature[] = { #ifndef OPENSSL_NO_DSA - { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, + /* We don't certify DSA in our FIPS provider */ -+ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, */ ++ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/ #endif { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions }, #ifndef OPENSSL_NO_EC -- { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions }, -- { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, + # ifndef OPENSSL_NO_ECX +- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, + /* We don't certify Edwards curves in our FIPS provider */ -+ /* { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_signature_functions }, -+ { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_signature_functions }, */ ++ /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, + ossl_ed25519_signature_functions }, +- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, ++ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/ + # endif { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions }, #endif - { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, -@@ -438,8 +443,9 @@ static const OSSL_ALGORITHM fips_keymgmt +@@ -460,8 +466,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { PROV_DESCS_DHX }, #endif #ifndef OPENSSL_NO_DSA @@ -120,28 +176,29 @@ diff -up openssl-3.0.1/providers/fips/fipsprov.c.fipsmin2 openssl-3.0.1/provider #endif { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions, PROV_DESCS_RSA }, -@@ -448,14 +454,15 @@ static const OSSL_ALGORITHM fips_keymgmt - #ifndef OPENSSL_NO_EC +@@ -471,14 +478,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions, PROV_DESCS_EC }, + # ifndef OPENSSL_NO_ECX - { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, + /* We don't certify Edwards curves in our FIPS provider */ + /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, PROV_DESCS_X25519 }, { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions, PROV_DESCS_X448 }, - { PROV_NAMES_ED25519, FIPS_DEFAULT_PROPERTIES, ossl_ed25519_keymgmt_functions, + { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions, PROV_DESCS_ED25519 }, - { PROV_NAMES_ED448, FIPS_DEFAULT_PROPERTIES, ossl_ed448_keymgmt_functions, + { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions, - PROV_DESCS_ED448 }, + PROV_DESCS_ED448 }, */ + # endif #endif { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions, - PROV_DESCS_TLS1_PRF_SIGN }, -diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/providers/fips/self_test_data.inc ---- openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 2022-05-05 12:36:32.335069046 +0200 -+++ openssl-3.0.1/providers/fips/self_test_data.inc 2022-05-05 12:40:02.427966128 +0200 -@@ -171,6 +171,7 @@ static const ST_KAT_DIGEST st_kat_digest +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index 2057378d3d..4b80bb70b9 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] = /*- CIPHER TEST DATA */ /* DES3 test data */ @@ -149,7 +206,7 @@ diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/ static const unsigned char des_ede3_cbc_pt[] = { 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, -@@ -191,7 +192,7 @@ static const unsigned char des_ede3_cbc_ +@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ct[] = { 0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F, 0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7 }; @@ -158,23 +215,7 @@ diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/ /* AES-256 GCM test data */ static const unsigned char aes_256_gcm_key[] = { 0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c, -@@ -235,6 +236,7 @@ static const unsigned char aes_128_ecb_c - }; - - static const ST_KAT_CIPHER st_kat_cipher_tests[] = { -+#if 0 - #ifndef OPENSSL_NO_DES - { - { -@@ -248,6 +250,7 @@ static const ST_KAT_CIPHER st_kat_cipher - ITM(des_ede3_cbc_iv), - }, - #endif -+#endif - { - { - OSSL_SELF_TEST_DESC_CIPHER_AES_GCM, -@@ -1424,8 +1427,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[ +@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = { # endif /* OPENSSL_NO_EC2M */ #endif /* OPENSSL_NO_EC */ @@ -185,18 +226,15 @@ diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/ static const unsigned char dsa_p[] = { 0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23, 0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e, -@@ -1549,8 +1553,8 @@ static const ST_KAT_PARAM dsa_key[] = { - ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, dsa_priv), +@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = { ST_KAT_PARAM_END() }; --#endif /* OPENSSL_NO_DSA */ -- + #endif /* OPENSSL_NO_DSA */ +#endif -+#endif - static const ST_KAT_SIGN st_kat_sign_tests[] = { - { - OSSL_SELF_TEST_DESC_SIGN_RSA, -@@ -1583,6 +1587,7 @@ static const ST_KAT_SIGN st_kat_sign_tes + + /* Hash DRBG inputs for signature KATs */ + static const unsigned char sig_kat_entropyin[] = { +@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { }, # endif #endif /* OPENSSL_NO_EC */ @@ -204,500 +242,19 @@ diff -up openssl-3.0.1/providers/fips/self_test_data.inc.fipsmin3 openssl-3.0.1/ #ifndef OPENSSL_NO_DSA { OSSL_SELF_TEST_DESC_SIGN_DSA, -@@ -1595,6 +1600,7 @@ static const ST_KAT_SIGN st_kat_sign_tes - */ +@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { + ITM(dsa_expected_sig) }, #endif /* OPENSSL_NO_DSA */ +#endif }; static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = { -diff -up openssl-3.0.1/test/acvp_test.c.fipsmin2 openssl-3.0.1/test/acvp_test.c ---- openssl-3.0.1/test/acvp_test.c.fipsmin2 2022-05-05 11:42:58.597848865 +0200 -+++ openssl-3.0.1/test/acvp_test.c 2022-05-05 11:43:30.141126336 +0200 -@@ -1476,6 +1476,7 @@ int setup_tests(void) - OSSL_NELEM(dh_safe_prime_keyver_data)); - #endif /* OPENSSL_NO_DH */ - -+#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */ - #ifndef OPENSSL_NO_DSA - ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data)); - ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data)); -@@ -1483,6 +1484,7 @@ int setup_tests(void) - ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data)); - ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data)); - #endif /* OPENSSL_NO_DSA */ -+#endif - - #ifndef OPENSSL_NO_EC - ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data)); -diff -up openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 openssl-3.0.1/test/evp_libctx_test.c ---- openssl-3.0.1/test/evp_libctx_test.c.fipsmin3 2022-05-05 14:18:46.370911817 +0200 -+++ openssl-3.0.1/test/evp_libctx_test.c 2022-05-05 14:30:02.117911993 +0200 -@@ -21,6 +21,7 @@ - */ - #include "internal/deprecated.h" - #include -+#include - #include - #include - #include -@@ -725,8 +726,10 @@ int setup_tests(void) - if (!test_get_libctx(&libctx, &nullprov, config_file, &libprov, prov_name)) - return 0; - - #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH) -- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); -+ if (strcmp(prov_name, "fips") != 0) { -+ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); -+ } - #endif - #ifndef OPENSSL_NO_DH - ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3); -@@ -746,7 +750,9 @@ int setup_tests(void) - ADD_TEST(kem_invalid_keytype); - #endif - #ifndef OPENSSL_NO_DES -- ADD_TEST(test_cipher_tdes_randkey); -+ if (strcmp(prov_name, "fips") != 0) { -+ ADD_TEST(test_cipher_tdes_randkey); -+ } - #endif - return 1; - } -diff -up openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 openssl-3.0.1/test/recipes/15-test_gendsa.t ---- openssl-3.0.1/test/recipes/15-test_gendsa.t.fipsmin3 2022-05-05 13:46:00.631590335 +0200 -+++ openssl-3.0.1/test/recipes/15-test_gendsa.t 2022-05-05 13:46:06.999644496 +0200 -@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); - plan skip_all => "This test is unsupported in a no-dsa build" - if disabled("dsa"); - --my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); -+my $no_fips = 1; - - plan tests => - ($no_fips ? 0 : 2) # FIPS related tests -diff -up openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 openssl-3.0.1/test/recipes/20-test_cli_fips.t ---- openssl-3.0.1/test/recipes/20-test_cli_fips.t.fipsmin3 2022-05-05 13:47:55.217564900 +0200 -+++ openssl-3.0.1/test/recipes/20-test_cli_fips.t 2022-05-05 13:48:02.824629600 +0200 -@@ -207,8 +207,7 @@ SKIP: { - } - - SKIP : { -- skip "FIPS DSA tests because of no dsa in this build", 1 -- if disabled("dsa"); -+ skip "FIPS DSA tests because of no dsa in this build", 1; - - subtest DSA => sub { - my $testtext_prefix = 'DSA'; -diff -up openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_cms.t ---- openssl-3.0.1/test/recipes/80-test_cms.t.fipsmin3 2022-05-05 13:55:05.257292637 +0200 -+++ openssl-3.0.1/test/recipes/80-test_cms.t 2022-05-05 13:58:35.307150750 +0200 -@@ -95,7 +95,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content DER format, DSA key", -+ [ "signed content DER format, DSA key, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", - "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], - [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", -@@ -103,7 +103,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed detached content DER format, DSA key", -+ [ "signed detached content DER format, DSA key, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], - [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", -@@ -112,7 +112,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed detached content DER format, add RSA signer (with DSA existing)", -+ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], - [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER", -@@ -123,7 +123,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming BER format, DSA key", -+ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-nodetach", "-stream", - "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], -@@ -132,7 +132,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-nodetach", "-stream", - "-signer", $smrsa1, -@@ -145,7 +145,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", -+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-noattr", "-nodetach", "-stream", - "-signer", $smrsa1, -@@ -175,7 +175,7 @@ my @smime_pkcs7_tests = ( - \&zero_compare - ], - -- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", - "-signer", $smrsa1, - "-signer", catfile($smdir, "smrsa2.pem"), -@@ -187,7 +187,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, - "-signer", $smrsa1, - "-signer", catfile($smdir, "smrsa2.pem"), -@@ -247,7 +247,7 @@ my @smime_pkcs7_tests = ( - - my @smime_cms_tests = ( - -- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", -+ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", - "-nodetach", "-keyid", - "-signer", $smrsa1, -@@ -260,7 +260,7 @@ my @smime_cms_tests = ( - \&final_compare - ], - -- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", -+ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS", - [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", - "-signer", $smrsa1, - "-signer", catfile($smdir, "smrsa2.pem"), -@@ -370,7 +370,7 @@ my @smime_cms_tests = ( - \&final_compare - ], - -- [ "encrypted content test streaming PEM format, triple DES key", -+ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS", - [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", - "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", - "-stream", "-out", "{output}.cms" ], -diff -up openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp.t ---- openssl-3.0.1/test/recipes/30-test_evp.t.fipsmin3 2022-05-05 14:43:04.276857033 +0200 -+++ openssl-3.0.1/test/recipes/30-test_evp.t 2022-05-05 14:43:35.975138234 +0200 -@@ -43,7 +43,6 @@ my @files = qw( - evpciph_aes_cts.txt - evpciph_aes_wrap.txt - evpciph_aes_stitched.txt -- evpciph_des3_common.txt - evpkdf_hkdf.txt - evpkdf_pbkdf1.txt - evpkdf_pbkdf2.txt -@@ -66,12 +65,6 @@ push @files, qw( - evppkey_dh.txt - ) unless $no_dh; - push @files, qw( -- evpkdf_x942_des.txt -- evpmac_cmac_des.txt -- ) unless $no_des; --push @files, qw(evppkey_dsa.txt) unless $no_dsa; --push @files, qw(evppkey_ecx.txt) unless $no_ec; --push @files, qw( - evppkey_ecc.txt - evppkey_ecdh.txt - evppkey_ecdsa.txt -@@ -91,6 +84,7 @@ my @defltfiles = qw( - evpciph_cast5.txt - evpciph_chacha.txt - evpciph_des.txt -+ evpciph_des3_common.txt - evpciph_idea.txt - evpciph_rc2.txt - evpciph_rc4.txt -@@ -117,6 +111,12 @@ my @defltfiles = qw( - evppkey_kdf_tls1_prf.txt - evppkey_rsa.txt - ); -+push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa; -+push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec; -+push @defltfiles, qw( -+ evpkdf_x942_des.txt -+ evpmac_cmac_des.txt -+ ) unless $no_des; - push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; - push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; - -diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt ---- openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt.fipsmin3 2022-05-05 14:46:32.721700697 +0200 -+++ openssl-3.0.1/test/recipes/30-test_evp_data/evpmac_common.txt 2022-05-05 14:51:40.205418897 +0200 -@@ -328,6 +328,7 @@ Input = 68F2E77696CE7AE8E2CA4EC588E54100 - Output = 00BDA1B7E87608BCBF470F12157F4C07 - - -+Availablein = default - Title = KMAC Tests (From NIST) - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F -@@ -338,12 +339,14 @@ Ctrl = xof:0 - OutputSize = 32 - BlockSize = 168 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 - Custom = "My Tagged Application" - Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -351,6 +354,7 @@ Custom = "My Tagged Application" - Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230 - Ctrl = size:32 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -359,12 +363,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6 - OutputSize = 64 - BlockSize = 136 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 - Custom = "" - Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -374,12 +380,14 @@ Ctrl = size:64 - - Title = KMAC XOF Tests (From NIST) - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 - Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 - XOF = 1 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -387,6 +395,7 @@ Custom = "My Tagged Application" - Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C - XOF = 1 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -395,6 +404,7 @@ Output = 47026C7CD793084AA0283C253EF6584 - XOF = 1 - Ctrl = size:32 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -402,6 +412,7 @@ Custom = "My Tagged Application" - Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B - XOF = 1 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -409,6 +420,7 @@ Custom = "" - Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B - XOF = 1 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -419,6 +431,7 @@ XOF = 1 - - Title = KMAC long customisation string (from NIST ACVP) - -+Availablein = default - MAC = KMAC256 - Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 - Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D -@@ -429,12 +442,14 @@ XOF = 1 - - Title = KMAC XOF Tests via ctrl (From NIST) - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 - Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 - Ctrl = xof:1 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -442,6 +457,7 @@ Custom = "My Tagged Application" - Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C - Ctrl = xof:1 - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -450,6 +466,7 @@ Output = 47026C7CD793084AA0283C253EF6584 - Ctrl = xof:1 - Ctrl = size:32 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 00010203 -@@ -457,6 +474,7 @@ Custom = "My Tagged Application" - Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B - Ctrl = xof:1 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -464,6 +482,7 @@ Custom = "" - Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B - Ctrl = xof:1 - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -474,6 +493,7 @@ Ctrl = xof:1 - - Title = KMAC long customisation string via ctrl (from NIST ACVP) - -+Availablein = default - MAC = KMAC256 - Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 - Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D -@@ -484,6 +504,7 @@ Ctrl = xof:1 - - Title = KMAC long customisation string negative test - -+Availablein = default - MAC = KMAC128 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -@@ -492,6 +513,7 @@ Result = MAC_INIT_ERROR - - Title = KMAC output is too large - -+Availablein = default - MAC = KMAC256 - Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F - Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 -diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 openssl-3.0.1/test/recipes/80-test_ssl_old.t ---- openssl-3.0.1/test/recipes/80-test_ssl_old.t.fipsmin3 2022-05-05 16:02:59.745500635 +0200 -+++ openssl-3.0.1/test/recipes/80-test_ssl_old.t 2022-05-05 16:10:24.071348890 +0200 -@@ -426,7 +426,7 @@ sub testssl { - my @exkeys = (); - my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; - -- if (!$no_dsa) { -+ if (!$no_dsa && $provider ne "fips") { - push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; - } - -diff -up openssl-3.0.1/test/endecode_test.c.fipsmin3 openssl-3.0.1/test/endecode_test.c ---- openssl-3.0.1/test/endecode_test.c.fipsmin3 2022-05-06 16:25:57.296926271 +0200 -+++ openssl-3.0.1/test/endecode_test.c 2022-05-06 16:27:42.712850840 +0200 -@@ -1387,6 +1387,7 @@ int setup_tests(void) - * so no legacy tests. - */ - #endif -+ if (is_fips == 0) { - #ifndef OPENSSL_NO_DSA - ADD_TEST_SUITE(DSA); - ADD_TEST_SUITE_PARAMS(DSA); -@@ -1397,6 +1398,7 @@ int setup_tests(void) - ADD_TEST_SUITE_PROTECTED_PVK(DSA); - # endif - #endif -+ } - #ifndef OPENSSL_NO_EC - ADD_TEST_SUITE(EC); - ADD_TEST_SUITE_PARAMS(EC); -@@ -1411,10 +1413,12 @@ int setup_tests(void) - ADD_TEST_SUITE(ECExplicitTri2G); - ADD_TEST_SUITE_LEGACY(ECExplicitTri2G); - # endif -+ if (is_fips == 0) { - ADD_TEST_SUITE(ED25519); - ADD_TEST_SUITE(ED448); - ADD_TEST_SUITE(X25519); - ADD_TEST_SUITE(X448); -+ } - /* - * ED25519, ED448, X25519 and X448 have no support for - * PEM_write_bio_PrivateKey_traditional(), so no legacy tests. -diff -up openssl-3.0.1/apps/req.c.dfc openssl-3.0.1/apps/req.c ---- openssl-3.0.1/apps/req.c.dfc 2022-05-12 13:31:21.957638329 +0200 -+++ openssl-3.0.1/apps/req.c 2022-05-12 13:31:49.587984867 +0200 -@@ -266,7 +266,7 @@ int req_main(int argc, char **argv) - unsigned long chtype = MBSTRING_ASC, reqflag = 0; - - #ifndef OPENSSL_NO_DES -- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); -+ cipher = (EVP_CIPHER *)EVP_aes_256_cbc(); - #endif - - prog = opt_init(argc, argv, req_options); -diff -up openssl-3.0.1/apps/ecparam.c.fips_list_curves openssl-3.0.1/apps/ecparam.c ---- openssl-3.0.1/apps/ecparam.c.fips_list_curves 2022-05-19 11:46:22.682519422 +0200 -+++ openssl-3.0.1/apps/ecparam.c 2022-05-19 11:50:44.559828701 +0200 -@@ -79,6 +79,9 @@ static int list_builtin_curves(BIO *out) - const char *comment = curves[n].comment; - const char *sname = OBJ_nid2sn(curves[n].nid); - -+ if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL)) -+ continue; -+ - if (comment == NULL) - comment = "CURVE DESCRIPTION NOT AVAILABLE"; - if (sname == NULL) -diff -up openssl-3.0.1/ssl/ssl_ciph.c.nokrsa openssl-3.0.1/ssl/ssl_ciph.c ---- openssl-3.0.1/ssl/ssl_ciph.c.nokrsa 2022-05-19 13:32:32.536708638 +0200 -+++ openssl-3.0.1/ssl/ssl_ciph.c 2022-05-19 13:42:29.734002959 +0200 -@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx) - ctx->disabled_mkey_mask = 0; - ctx->disabled_auth_mask = 0; - -+ if (EVP_default_properties_is_fips_enabled(ctx->libctx)) -+ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK; -+ - /* - * We ignore any errors from the fetches below. They are expected to fail - * if theose algorithms are not available. -diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen openssl-3.0.1/providers/implementations/signature/rsa_sig.c ---- openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen 2022-05-23 14:58:07.764281242 +0200 -+++ openssl-3.0.1/providers/implementations/signature/rsa_sig.c 2022-05-23 15:10:29.327993616 +0200 -@@ -692,6 +692,19 @@ static int rsa_verify_recover(void *vprs +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index 22d93ead53..c1405f47ea 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -686,6 +686,19 @@ static int rsa_verify_recover(void *vprsactx, { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; int ret; @@ -717,7 +274,7 @@ diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen if (!ossl_prov_is_running()) return 0; -@@ -770,6 +770,19 @@ static int rsa_verify(void *vprsactx, co +@@ -774,6 +787,19 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, { PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; size_t rslen; @@ -737,19 +294,486 @@ diff -up openssl-3.0.1/providers/implementations/signature/rsa_sig.c.fipskeylen if (!ossl_prov_is_running()) return 0; -diff -up openssl-3.0.7/apps/ecparam.c.minfips openssl-3.0.7/apps/ecparam.c ---- openssl-3.0.7/apps/ecparam.c.minfips 2023-06-24 09:58:57.773344910 +0200 -+++ openssl-3.0.7/apps/ecparam.c 2023-06-26 09:18:06.843859405 +0200 -@@ -79,7 +79,11 @@ static int list_builtin_curves(BIO *out) - const char *comment = curves[n].comment; - const char *sname = OBJ_nid2sn(curves[n].nid); +diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c +index 33c23efb0d..113c204716 100644 +--- a/ssl/ssl_ciph.c ++++ b/ssl/ssl_ciph.c +@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx) + ctx->disabled_mkey_mask = 0; + ctx->disabled_auth_mask = 0; -- if ((curves[n].nid == NID_secp256k1) && EVP_default_properties_is_fips_enabled(NULL)) -+ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1) -+ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1) -+ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1) -+ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1) -+ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL)) - continue; ++ if (EVP_default_properties_is_fips_enabled(ctx->libctx)) ++ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK; ++ + /* + * We ignore any errors from the fetches below. They are expected to fail + * if these algorithms are not available. +diff --git a/test/acvp_test.c b/test/acvp_test.c +index 45509095af..4a67519bb4 100644 +--- a/test/acvp_test.c ++++ b/test/acvp_test.c +@@ -1478,6 +1478,7 @@ int setup_tests(void) + OSSL_NELEM(dh_safe_prime_keyver_data)); + #endif /* OPENSSL_NO_DH */ - if (comment == NULL) ++#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */ + #ifndef OPENSSL_NO_DSA + ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data)); + ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data)); +@@ -1485,6 +1486,7 @@ int setup_tests(void) + ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data)); + ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data)); + #endif /* OPENSSL_NO_DSA */ ++#endif + + #ifndef OPENSSL_NO_EC + ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data)); +diff --git a/test/endecode_test.c b/test/endecode_test.c +index b53b7b715b..885e49a47c 100644 +--- a/test/endecode_test.c ++++ b/test/endecode_test.c +@@ -1419,6 +1419,7 @@ int setup_tests(void) + * so no legacy tests. + */ + #endif ++ if (is_fips == 0) { + #ifndef OPENSSL_NO_DSA + ADD_TEST_SUITE(DSA); + ADD_TEST_SUITE_PARAMS(DSA); +@@ -1429,6 +1430,7 @@ int setup_tests(void) + ADD_TEST_SUITE_PROTECTED_PVK(DSA); + # endif + #endif ++ } + #ifndef OPENSSL_NO_EC + ADD_TEST_SUITE(EC); + ADD_TEST_SUITE_PARAMS(EC); +@@ -1443,10 +1445,12 @@ int setup_tests(void) + ADD_TEST_SUITE(ECExplicitTri2G); + ADD_TEST_SUITE_LEGACY(ECExplicitTri2G); + # endif ++ if (is_fips == 0) { + ADD_TEST_SUITE(ED25519); + ADD_TEST_SUITE(ED448); + ADD_TEST_SUITE(X25519); + ADD_TEST_SUITE(X448); ++ } + /* + * ED25519, ED448, X25519 and X448 have no support for + * PEM_write_bio_PrivateKey_traditional(), so no legacy tests. +diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c +index 2448c35a14..a7913cda4c 100644 +--- a/test/evp_libctx_test.c ++++ b/test/evp_libctx_test.c +@@ -21,6 +21,7 @@ + */ + #include "internal/deprecated.h" + #include ++#include + #include + #include + #include +@@ -726,7 +727,9 @@ int setup_tests(void) + return 0; + + #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH) +- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); ++ if (strcmp(prov_name, "fips") != 0) { ++ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); ++ } + #endif + #ifndef OPENSSL_NO_DH + ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3); +@@ -746,7 +749,9 @@ int setup_tests(void) + ADD_TEST(kem_invalid_keytype); + #endif + #ifndef OPENSSL_NO_DES +- ADD_TEST(test_cipher_tdes_randkey); ++ if (strcmp(prov_name, "fips") != 0) { ++ ADD_TEST(test_cipher_tdes_randkey); ++ } + #endif + return 1; + } +diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t +index 4bc460784b..93052eb3e7 100644 +--- a/test/recipes/15-test_gendsa.t ++++ b/test/recipes/15-test_gendsa.t +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "This test is unsupported in a no-dsa build" + if disabled("dsa"); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; + + plan tests => + ($no_fips ? 0 : 2) # FIPS related tests +diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t +index d4b4d4ca51..031814e8ff 100644 +--- a/test/recipes/20-test_cli_fips.t ++++ b/test/recipes/20-test_cli_fips.t +@@ -278,8 +278,7 @@ SKIP: { + } + + SKIP : { +- skip "FIPS DSA tests because of no dsa in this build", 1 +- if disabled("dsa"); ++ skip "FIPS DSA tests because of no dsa in this build", 1; + + subtest DSA => sub { + my $testtext_prefix = 'DSA'; +diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t +index eddca5c58e..36a192d041 100644 +--- a/test/recipes/30-test_evp.t ++++ b/test/recipes/30-test_evp.t +@@ -46,10 +46,8 @@ my @files = qw( + evpciph_aes_cts.txt + evpciph_aes_wrap.txt + evpciph_aes_stitched.txt +- evpciph_des3_common.txt + evpkdf_hkdf.txt + evpkdf_kbkdf_counter.txt +- evpkdf_kbkdf_kmac.txt + evpkdf_pbkdf1.txt + evpkdf_pbkdf2.txt + evpkdf_ss.txt +@@ -69,15 +67,6 @@ push @files, qw( + evppkey_ffdhe.txt + evppkey_dh.txt + ) unless $no_dh; +-push @files, qw( +- evpkdf_x942_des.txt +- evpmac_cmac_des.txt +- ) unless $no_des; +-push @files, qw(evppkey_dsa.txt) unless $no_dsa; +-push @files, qw( +- evppkey_ecx.txt +- evppkey_mismatch_ecx.txt +- ) unless $no_ecx; + push @files, qw( + evppkey_ecc.txt + evppkey_ecdh.txt +@@ -97,6 +86,7 @@ my @defltfiles = qw( + evpciph_cast5.txt + evpciph_chacha.txt + evpciph_des.txt ++ evpciph_des3_common.txt + evpciph_idea.txt + evpciph_rc2.txt + evpciph_rc4.txt +@@ -121,13 +111,19 @@ my @defltfiles = qw( + evpmd_whirlpool.txt + evppbe_scrypt.txt + evppbe_pkcs12.txt ++ evpkdf_kbkdf_kmac.txt + evppkey_kdf_scrypt.txt + evppkey_kdf_tls1_prf.txt + evppkey_rsa.txt + ); ++push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa; ++push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec; ++push @defltfiles, qw( ++ evpkdf_x942_des.txt ++ evpmac_cmac_des.txt ++ ) unless $no_des; + push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; + push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec; +-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa; + push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; + push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv; + push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv; +diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt +index e47023aae6..96a8febeef 100644 +--- a/test/recipes/30-test_evp_data/evpmac_common.txt ++++ b/test/recipes/30-test_evp_data/evpmac_common.txt +@@ -363,6 +363,7 @@ IV = 7AE8E2CA4EC500012E58495C + Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007 + Result = MAC_INIT_ERROR + ++Availablein = default + Title = KMAC Tests (From NIST) + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +@@ -373,12 +374,14 @@ Ctrl = xof:0 + OutputSize = 32 + BlockSize = 168 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Custom = "My Tagged Application" + Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -386,6 +389,7 @@ Custom = "My Tagged Application" + Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -394,12 +398,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC + OutputSize = 64 + BlockSize = 136 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 + Custom = "" + Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -409,12 +415,14 @@ Ctrl = size:64 + + Title = KMAC XOF Tests (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -422,6 +430,7 @@ Custom = "My Tagged Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -430,6 +439,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F + XOF = 1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -437,6 +447,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + XOF = 1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -444,6 +455,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + XOF = 1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -454,6 +466,7 @@ XOF = 1 + + Title = KMAC long customisation string (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -464,12 +477,14 @@ XOF = 1 + + Title = KMAC XOF Tests via ctrl (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -477,6 +492,7 @@ Custom = "My Tagged Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -485,6 +501,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F + Ctrl = xof:1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -492,6 +509,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -499,6 +517,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -509,6 +528,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string via ctrl (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -519,6 +539,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string negative test + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -527,6 +548,7 @@ Result = MAC_INIT_ERROR + + Title = KMAC output is too large + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index 6a9792128b..4e368c730b 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content DER format, DSA key", ++ [ "signed content DER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed detached content DER format, DSA key", ++ [ "signed detached content DER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed detached content DER format, add RSA signer (with DSA existing)", ++ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER", +@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, DSA key", ++ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], +@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-noattr", "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = ( + \&zero_compare + ], + +- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = ( + + my @smime_cms_tests = ( + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-keyid", + "-signer", $smrsa1, +@@ -263,7 +263,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -373,7 +373,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "encrypted content test streaming PEM format, triple DES key", ++ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", + "-stream", "-out", "{output}.cms" ], +diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t +index 50b74a1e29..e2dcb68fb5 100644 +--- a/test/recipes/80-test_ssl_old.t ++++ b/test/recipes/80-test_ssl_old.t +@@ -436,7 +436,7 @@ sub testssl { + my @exkeys = (); + my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; + +- if (!$no_dsa) { ++ if (!$no_dsa && $provider ne "fips") { + push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; + } + +-- +2.44.0 + diff --git a/SOURCES/0047-FIPS-early-KATS.patch b/SOURCES/0047-FIPS-early-KATS.patch index ef2d081..6dffded 100644 --- a/SOURCES/0047-FIPS-early-KATS.patch +++ b/SOURCES/0047-FIPS-early-KATS.patch @@ -1,7 +1,22 @@ -diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/providers/fips/self_test.c ---- openssl-3.0.1/providers/fips/self_test.c.earlykats 2022-01-19 13:10:00.635830783 +0100 -+++ openssl-3.0.1/providers/fips/self_test.c 2022-01-19 13:11:43.309342656 +0100 -@@ -362,6 +362,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS +From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 19 Oct 2023 13:12:40 +0200 +Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch + +Patch-name: 0047-FIPS-early-KATS.patch +Patch-id: 47 +Patch-status: | + # # Execute KATS before HMAC verification +From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 +--- + providers/fips/self_test.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c +index e3a629018a..3c09bd8638 100644 +--- a/providers/fips/self_test.c ++++ b/providers/fips/self_test.c +@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) if (ev == NULL) goto end; @@ -15,14 +30,13 @@ diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/provid + } + } + - module_checksum = fips_hmac_container; - checksum_len = sizeof(fips_hmac_container); - -@@ -411,18 +421,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS - kats_already_passed = 1; + if (st->module_checksum_data == NULL) { + module_checksum = fips_hmac_container; + checksum_len = sizeof(fips_hmac_container); +@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) } } -- + - /* - * Only runs the KAT's during installation OR on_demand(). - * NOTE: If the installation option 'self_test_onload' is chosen then this @@ -34,6 +48,10 @@ diff -up openssl-3.0.1/providers/fips/self_test.c.earlykats openssl-3.0.1/provid - goto end; - } - } - ok = 1; - end: - OSSL_SELF_TEST_free(ev); +- + /* Verify that the RNG has been restored properly */ + rng = ossl_rand_get0_private_noncreating(st->libctx); + if (rng != NULL) +-- +2.41.0 + diff --git a/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch b/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch index 4b6ecf2..4131512 100644 --- a/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch +++ b/SOURCES/0049-Selectively-disallow-SHA1-signatures.patch @@ -1,45 +1,20 @@ -From 243201772cc6d583fae9eba81cb2c2c7425bc564 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Mon, 21 Feb 2022 17:24:44 +0100 -Subject: Selectively disallow SHA1 signatures +From 4f9167db05cade673f98f1a00efd57136e97b460 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 22/49] 0049-Allow-disabling-of-SHA1-signatures.patch -For RHEL 9.0, we want to phase out SHA1. One of the steps to do that is -disabling SHA1 signatures. Introduce a new configuration option in the -alg_section named 'rh-allow-sha1-signatures'. This option defaults to -false. If set to false (or unset), any signature creation or -verification operations that involve SHA1 as digest will fail. - -This also affects TLS, where the signature_algorithms extension of any -ClientHello message sent by OpenSSL will no longer include signatures -with the SHA1 digest if rh-allow-sha1-signatures is false. For servers -that request a client certificate, the same also applies for -CertificateRequest messages sent by them. - -For signatures created using the EVP_PKEY API, this is a best-effort -check that will deny signatures in cases where the digest algorithm is -known. This means, for example, that that following steps will still -work: - - $> openssl dgst -sha1 -binary -out sha1 infile - $> openssl pkeyutl -inkey key.pem -sign -in sha1 -out sha1sig - $> openssl pkeyutl -inkey key.pem -verify -sigfile sha1sig -in sha1 - -whereas these will not: - - $> openssl dgst -sha1 -binary -out sha1 infile - $> openssl pkeyutl -inkey kem.pem -sign -in sha1 -out sha1sig -pkeyopt digest:sha1 - $> openssl pkeyutl -inkey kem.pem -verify -sigfile sha1sig -in sha1 -pkeyopt digest:sha1 - -This happens because in the first case, OpenSSL's signature -implementation does not know that it is signing a SHA1 hash (it could be -signing arbitrary data). - -Resolves: rhbz#2031742 +Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch +Patch-id: 49 +Patch-status: | + # # Selectively disallow SHA1 signatures rhbz#2070977 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - crypto/evp/evp_cnf.c | 13 ++++ - crypto/evp/m_sigver.c | 77 +++++++++++++++++++ + crypto/context.c | 14 ++++ + crypto/evp/evp_cnf.c | 13 +++ + crypto/evp/m_sigver.c | 79 +++++++++++++++++++ crypto/evp/pmeth_lib.c | 15 ++++ - doc/man5/config.pod | 11 +++ + doc/man5/config.pod | 13 +++ + include/crypto/context.h | 3 + include/internal/cryptlib.h | 3 +- include/internal/sslconf.h | 4 + providers/common/securitycheck.c | 20 +++++ @@ -49,8 +24,54 @@ Resolves: rhbz#2031742 providers/implementations/signature/rsa_sig.c | 20 ++++- ssl/t1_lib.c | 8 ++ util/libcrypto.num | 2 + - 13 files changed, 188 insertions(+), 9 deletions(-) + 15 files changed, 209 insertions(+), 9 deletions(-) +diff --git a/crypto/context.c b/crypto/context.c +index fb4816d89b..c04920fe14 100644 +--- a/crypto/context.c ++++ b/crypto/context.c +@@ -83,6 +83,8 @@ struct ossl_lib_ctx_st { + void *fips_prov; + #endif + ++ void *legacy_digest_signatures; ++ + unsigned int ischild:1; + }; + +@@ -223,6 +225,10 @@ static int context_init(OSSL_LIB_CTX *ctx) + goto err; + #endif + ++ ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx); ++ if (ctx->legacy_digest_signatures == NULL) ++ goto err; ++ + /* Low priority. */ + #ifndef FIPS_MODULE + ctx->child_provider = ossl_child_prov_ctx_new(ctx); +@@ -366,6 +372,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx) + } + #endif + ++ if (ctx->legacy_digest_signatures != NULL) { ++ ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures); ++ ctx->legacy_digest_signatures = NULL; ++ } ++ + /* Low priority. */ + #ifndef FIPS_MODULE + if (ctx->child_provider != NULL) { +@@ -663,6 +674,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index) + return ctx->fips_prov; + #endif + ++ case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX: ++ return ctx->legacy_digest_signatures; ++ + default: + return NULL; + } diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c index 0e7fe64cf9..b9d3b6d226 100644 --- a/crypto/evp/evp_cnf.c @@ -83,18 +104,20 @@ index 0e7fe64cf9..b9d3b6d226 100644 ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, "name=%s, value=%s", oval->name, oval->value); diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c -index 9188edbc21..db1a1d7bc3 100644 +index 3a979f4bd4..fd3a4b79df 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c -@@ -16,6 +16,71 @@ +@@ -15,6 +15,73 @@ + #include "internal/provider.h" #include "internal/numbers.h" /* includes SIZE_MAX */ #include "evp_local.h" - ++#include "crypto/context.h" ++ +typedef struct ossl_legacy_digest_signatures_st { + int allowed; +} OSSL_LEGACY_DIGEST_SIGNATURES; + -+static void ossl_ctx_legacy_digest_signatures_free(void *vldsigs) ++void ossl_ctx_legacy_digest_signatures_free(void *vldsigs) +{ + OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs; + @@ -103,27 +126,25 @@ index 9188edbc21..db1a1d7bc3 100644 + } +} + -+static void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx) ++void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx) +{ -+ return OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES)); ++ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES)); ++ /* Warning: This patch differs from the same patch in CentOS and RHEL here, ++ * because the default on Fedora is to allow SHA-1 and support disabling ++ * it, while CentOS/RHEL disable it by default and allow enabling it. */ ++ ldsigs->allowed = 0; ++ return ldsigs; +} + -+static const OSSL_LIB_CTX_METHOD ossl_ctx_legacy_digest_signatures_method = { -+ OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY, -+ ossl_ctx_legacy_digest_signatures_new, -+ ossl_ctx_legacy_digest_signatures_free, -+}; -+ +static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures( + OSSL_LIB_CTX *libctx, int loadconfig) +{ +#ifndef FIPS_MODULE + if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) -+ return 0; ++ return NULL; +#endif + -+ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES, -+ &ossl_ctx_legacy_digest_signatures_method); ++ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX); +} + +int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig) @@ -131,12 +152,15 @@ index 9188edbc21..db1a1d7bc3 100644 + OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs + = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); + -+#ifndef FIPS_MODULE -+ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL) ++ #ifndef FIPS_MODULE ++ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL) + /* used in tests */ -+ return 1; -+#endif ++ return 1; ++ #endif + ++ /* Warning: This patch differs from the same patch in CentOS and RHEL here, ++ * because the default on Fedora is to allow SHA-1 and support disabling ++ * it, while CentOS/RHEL disable it by default and allow enabling it. */ + return ldsigs != NULL ? ldsigs->allowed : 0; +} + @@ -154,11 +178,10 @@ index 9188edbc21..db1a1d7bc3 100644 + ldsigs->allowed = allow; + return 1; +} -+ + #ifndef FIPS_MODULE - static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) -@@ -258,6 +323,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -253,6 +320,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, } } @@ -178,7 +201,7 @@ index 9188edbc21..db1a1d7bc3 100644 if (signature->digest_verify_init == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c -index 2b9c6c2351..3c5a1e6f5d 100644 +index 268b1617e3..248f655d0f 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -33,6 +33,7 @@ @@ -189,7 +212,7 @@ index 2b9c6c2351..3c5a1e6f5d 100644 #include "evp_local.h" #ifndef FIPS_MODULE -@@ -946,6 +947,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, +@@ -951,6 +952,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, return -2; } @@ -211,7 +234,7 @@ index 2b9c6c2351..3c5a1e6f5d 100644 return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md)); diff --git a/doc/man5/config.pod b/doc/man5/config.pod -index 77a8055e81..aa1be5ca7f 100644 +index bd05736220..ed34ff4b9c 100644 --- a/doc/man5/config.pod +++ b/doc/man5/config.pod @@ -304,6 +304,17 @@ Within the algorithm properties section, the following names have meaning: @@ -232,20 +255,31 @@ index 77a8055e81..aa1be5ca7f 100644 =item B (deprecated) The value is a boolean that can be B or B. If the value is +diff --git a/include/crypto/context.h b/include/crypto/context.h +index 7369a730fb..55b74238c8 100644 +--- a/include/crypto/context.h ++++ b/include/crypto/context.h +@@ -46,3 +46,6 @@ void ossl_release_default_drbg_ctx(void); + #if defined(OPENSSL_THREADS) + void ossl_threads_ctx_free(void *); + #endif ++ ++void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *); ++void ossl_ctx_legacy_digest_signatures_free(void *); diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h -index 1291299b6e..e234341e6a 100644 +index 64851fd8ed..8e01a77ddc 100644 --- a/include/internal/cryptlib.h +++ b/include/internal/cryptlib.h -@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st { - # define OSSL_LIB_CTX_PROVIDER_CONF_INDEX 16 - # define OSSL_LIB_CTX_BIO_CORE_INDEX 17 +@@ -117,7 +117,8 @@ typedef struct ossl_ex_data_global_st { # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18 --# define OSSL_LIB_CTX_MAX_INDEXES 19 -+# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES 19 -+# define OSSL_LIB_CTX_MAX_INDEXES 20 + # define OSSL_LIB_CTX_THREAD_INDEX 19 + # define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20 +-# define OSSL_LIB_CTX_MAX_INDEXES 20 ++# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 21 ++# define OSSL_LIB_CTX_MAX_INDEXES 21 - # define OSSL_LIB_CTX_METHOD_LOW_PRIORITY -1 - # define OSSL_LIB_CTX_METHOD_DEFAULT_PRIORITY 0 + OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx); + int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx); diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h index fd7f7e3331..05464b0655 100644 --- a/include/internal/sslconf.h @@ -260,7 +294,7 @@ index fd7f7e3331..05464b0655 100644 + int loadconfig); #endif diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c -index 699ada7c52..e534ad0a5f 100644 +index 0d3acdbe56..fe694c4e96 100644 --- a/providers/common/securitycheck.c +++ b/providers/common/securitycheck.c @@ -19,6 +19,7 @@ @@ -271,7 +305,7 @@ index 699ada7c52..e534ad0a5f 100644 /* * FIPS requires a minimum security strength of 112 bits (for encryption or -@@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, +@@ -243,6 +244,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, mdnid = -1; /* disallowed by security checks */ } # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ @@ -288,7 +322,7 @@ index 699ada7c52..e534ad0a5f 100644 } diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c -index de7f0d3a0a..ce54a94fbc 100644 +index 246323493e..2ca7a59f39 100644 --- a/providers/common/securitycheck_default.c +++ b/providers/common/securitycheck_default.c @@ -15,6 +15,7 @@ @@ -299,7 +333,7 @@ index de7f0d3a0a..ce54a94fbc 100644 /* Disable the security checks in the default provider */ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) -@@ -23,9 +24,10 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) +@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) } int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, @@ -311,7 +345,7 @@ index de7f0d3a0a..ce54a94fbc 100644 static const OSSL_ITEM name_to_nid[] = { { NID_md5, OSSL_DIGEST_NAME_MD5 }, -@@ -36,8 +38,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, +@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 }, }; @@ -325,10 +359,10 @@ index de7f0d3a0a..ce54a94fbc 100644 return mdnid; } diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c -index 28fd7c498e..fa3822f39f 100644 +index b89a0f6836..e0c26a13e4 100644 --- a/providers/implementations/signature/dsa_sig.c +++ b/providers/implementations/signature/dsa_sig.c -@@ -124,12 +124,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, +@@ -125,12 +125,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, mdprops = ctx->propq; if (mdname != NULL) { @@ -350,10 +384,10 @@ index 28fd7c498e..fa3822f39f 100644 if (md == NULL || md_nid < 0) { if (md == NULL) diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c -index 865d49d100..99b228e82c 100644 +index f158105e71..62355b89fe 100644 --- a/providers/implementations/signature/ecdsa_sig.c +++ b/providers/implementations/signature/ecdsa_sig.c -@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, +@@ -247,7 +247,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, "%s could not be fetched", mdname); return 0; } @@ -366,10 +400,10 @@ index 865d49d100..99b228e82c 100644 sha1_allowed); if (md_nid < 0) { diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index 325e855333..bea397f0c1 100644 +index c1405f47ea..aeda1a7758 100644 --- a/providers/implementations/signature/rsa_sig.c +++ b/providers/implementations/signature/rsa_sig.c -@@ -26,6 +26,7 @@ +@@ -25,6 +25,7 @@ #include "internal/cryptlib.h" #include "internal/nelem.h" #include "internal/sizes.h" @@ -377,7 +411,7 @@ index 325e855333..bea397f0c1 100644 #include "crypto/rsa.h" #include "prov/providercommon.h" #include "prov/implementations.h" -@@ -34,6 +35,7 @@ +@@ -33,6 +34,7 @@ #include "prov/securitycheck.h" #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 @@ -385,7 +419,7 @@ index 325e855333..bea397f0c1 100644 OSSL_FUNC_signature_newctx_fn rsa_newctx; static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; -@@ -289,10 +291,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, +@@ -301,10 +303,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, if (mdname != NULL) { EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); @@ -403,7 +437,7 @@ index 325e855333..bea397f0c1 100644 if (md == NULL || md_nid <= 0 -@@ -1348,8 +1355,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) +@@ -1392,8 +1399,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) prsactx->pad_mode = pad_mode; if (prsactx->md == NULL && pmdname == NULL @@ -421,7 +455,7 @@ index 325e855333..bea397f0c1 100644 if (pmgf1mdname != NULL && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index fc32bb3556..4b74ee1a34 100644 +index 631e1fdef9..05dd7c5595 100644 --- a/ssl/t1_lib.c +++ b/ssl/t1_lib.c @@ -20,6 +20,7 @@ @@ -432,21 +466,23 @@ index fc32bb3556..4b74ee1a34 100644 #include "internal/nelem.h" #include "internal/sizes.h" #include "internal/tlsgroups.h" -@@ -1145,11 +1146,13 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) - = OPENSSL_malloc(sizeof(*lu) * OSSL_NELEM(sigalg_lookup_tbl)); +@@ -1506,6 +1507,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) + uint16_t *tls12_sigalgs_list = NULL; EVP_PKEY *tmpkey = EVP_PKEY_new(); int ret = 0; + int ldsigs_allowed; - if (cache == NULL || tmpkey == NULL) + if (ctx == NULL) + goto err; +@@ -1521,6 +1523,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) goto err; ERR_set_mark(); + ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0); + /* First fill cache and tls12_sigalgs list from legacy algorithm list */ for (i = 0, lu = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { - EVP_PKEY_CTX *pctx; -@@ -1169,6 +1172,11 @@ int ssl_setup_sig_algs(SSL_CTX *ctx) +@@ -1542,6 +1545,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) cache[i].enabled = 0; continue; } @@ -459,15 +495,15 @@ index fc32bb3556..4b74ee1a34 100644 if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { cache[i].enabled = 0; diff --git a/util/libcrypto.num b/util/libcrypto.num -index 10b4e57d79..2d3c363bb0 100644 +index ef97803327..8046454025 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num -@@ -5426,3 +5426,5 @@ ASN1_TIME_print_ex 5553 3_0_0 EXIST::FUNCTION: - OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: - OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: - ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: +@@ -5536,3 +5536,5 @@ X509_STORE_CTX_set_get_crl 5663 3_2_0 EXIST::FUNCTION: + X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: + OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: + BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK +ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: +ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: -- -2.35.1 +2.44.0 diff --git a/SOURCES/0051-Support-different-R_BITS-lengths-for-KBKDF.patch b/SOURCES/0051-Support-different-R_BITS-lengths-for-KBKDF.patch deleted file mode 100644 index c240628..0000000 --- a/SOURCES/0051-Support-different-R_BITS-lengths-for-KBKDF.patch +++ /dev/null @@ -1,2151 +0,0 @@ -From 0e9a265e42890699dfce82f1ff6905de6aafbd41 Mon Sep 17 00:00:00 2001 -From: Patrick Uiterwijk -Date: Thu, 18 Nov 2021 10:47:14 +0100 -Subject: [PATCH] Support different R_BITS lengths for KBKDF - -Reviewed-by: Tomas Mraz -Reviewed-by: Paul Dale -(Merged from https://github.com/openssl/openssl/pull/17063) ---- - doc/man7/EVP_KDF-KB.pod | 7 + - include/openssl/core_names.h | 1 + - providers/implementations/kdfs/kbkdf.c | 30 +- - test/evp_kdf_test.c | 47 +- - test/evp_test.c | 6 + - test/recipes/30-test_evp.t | 1 + - .../30-test_evp_data/evpkdf_kbkdf_counter.txt | 1843 +++++++++++++++++ - 7 files changed, 1924 insertions(+), 11 deletions(-) - create mode 100644 test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt - -diff --git a/doc/man7/EVP_KDF-KB.pod b/doc/man7/EVP_KDF-KB.pod -index d4fad66f7654..a67268afa7d5 100644 ---- a/doc/man7/EVP_KDF-KB.pod -+++ b/doc/man7/EVP_KDF-KB.pod -@@ -58,6 +58,13 @@ Set to B<0> to disable use of the optional Fixed Input data 'zero separator' - (see SP800-108) that is placed between the Label and Context. - The default value of B<1> will be used if unspecified. - -+=item "r" (B) -+ -+Set the fixed value 'r', indicating the length of the counter in bits. -+ -+Supported values are B<8>, B<16>, B<24>, and B<32>. -+The default value of B<32> will be used if unspecified. -+ - =back - - Depending on whether mac is CMAC or HMAC, either digest or cipher is required -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index b549dae9167c..78418dc6e0a2 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -217,6 +217,7 @@ extern "C" { - #define OSSL_KDF_PARAM_PKCS12_ID "id" /* int */ - #define OSSL_KDF_PARAM_KBKDF_USE_L "use-l" /* int */ - #define OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR "use-separator" /* int */ -+#define OSSL_KDF_PARAM_KBKDF_R "r" /* int */ - #define OSSL_KDF_PARAM_X942_ACVPINFO "acvp-info" - #define OSSL_KDF_PARAM_X942_PARTYUINFO "partyu-info" - #define OSSL_KDF_PARAM_X942_PARTYVINFO "partyv-info" -diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c -index 01f7f0d4fd2e..a81cc6e0c0d6 100644 ---- a/providers/implementations/kdfs/kbkdf.c -+++ b/providers/implementations/kdfs/kbkdf.c -@@ -60,6 +60,7 @@ typedef struct { - EVP_MAC_CTX *ctx_init; - - /* Names are lowercased versions of those found in SP800-108. */ -+ int r; - unsigned char *ki; - size_t ki_len; - unsigned char *label; -@@ -100,6 +101,7 @@ static uint32_t be32(uint32_t host) - - static void init(KBKDF *ctx) - { -+ ctx->r = 32; - ctx->use_l = 1; - ctx->use_separator = 1; - } -@@ -152,7 +154,7 @@ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv, - size_t iv_len, unsigned char *label, size_t label_len, - unsigned char *context, size_t context_len, - unsigned char *k_i, size_t h, uint32_t l, int has_separator, -- unsigned char *ko, size_t ko_len) -+ unsigned char *ko, size_t ko_len, int r) - { - int ret = 0; - EVP_MAC_CTX *ctx = NULL; -@@ -186,7 +188,7 @@ static int derive(EVP_MAC_CTX *ctx_init, kbkdf_mode mode, unsigned char *iv, - if (mode == FEEDBACK && !EVP_MAC_update(ctx, k_i, k_i_len)) - goto done; - -- if (!EVP_MAC_update(ctx, (unsigned char *)&i, 4) -+ if (!EVP_MAC_update(ctx, 4 - (r / 8) + (unsigned char *)&i, r / 8) - || !EVP_MAC_update(ctx, label, label_len) - || (has_separator && !EVP_MAC_update(ctx, &zero, 1)) - || !EVP_MAC_update(ctx, context, context_len) -@@ -217,6 +219,7 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, - unsigned char *k_i = NULL; - uint32_t l = 0; - size_t h = 0; -+ uint64_t counter_max; - - if (!ossl_prov_is_running() || !kbkdf_set_ctx_params(ctx, params)) - return 0; -@@ -248,6 +251,15 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, - goto done; - } - -+ if (ctx->mode == COUNTER) { -+ /* Fail if keylen is too large for r */ -+ counter_max = (uint64_t)1 << (uint64_t)ctx->r; -+ if ((uint64_t)(keylen / h) >= counter_max) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); -+ goto done; -+ } -+ } -+ - if (ctx->use_l != 0) - l = be32(keylen * 8); - -@@ -257,7 +269,7 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, - - ret = derive(ctx->ctx_init, ctx->mode, ctx->iv, ctx->iv_len, ctx->label, - ctx->label_len, ctx->context, ctx->context_len, k_i, h, l, -- ctx->use_separator, key, keylen); -+ ctx->use_separator, key, keylen, ctx->r); - done: - if (ret != 1) - OPENSSL_cleanse(key, keylen); -@@ -328,6 +340,17 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_l)) - return 0; - -+ p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KBKDF_R); -+ if (p != NULL) { -+ int new_r = 0; -+ -+ if (!OSSL_PARAM_get_int(p, &new_r)) -+ return 0; -+ if (new_r != 8 && new_r != 16 && new_r != 24 && new_r != 32) -+ return 0; -+ ctx->r = new_r; -+ } -+ - p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR); - if (p != NULL && !OSSL_PARAM_get_int(p, &ctx->use_separator)) - return 0; -@@ -354,6 +377,7 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, - OSSL_PARAM_utf8_string(OSSL_KDF_PARAM_PROPERTIES, NULL, 0), - OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_L, NULL), - OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_USE_SEPARATOR, NULL), -+ OSSL_PARAM_int(OSSL_KDF_PARAM_KBKDF_R, NULL), - OSSL_PARAM_END, - }; - return known_settable_ctx_params; -diff --git a/test/evp_kdf_test.c b/test/evp_kdf_test.c -index 7fde5ea4111c..173d8cb8b87b 100644 ---- a/test/evp_kdf_test.c -+++ b/test/evp_kdf_test.c -@@ -1068,9 +1068,9 @@ static int test_kdf_kbkdf_6803_256(void) - #endif - - static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char *key, -- size_t keylen, char *salt, char *info) -+ size_t keylen, char *salt, char *info, int *r) - { -- OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 7); -+ OSSL_PARAM *params = OPENSSL_malloc(sizeof(OSSL_PARAM) * 8); - OSSL_PARAM *p = params; - - if (params == NULL) -@@ -1088,6 +1088,8 @@ static OSSL_PARAM *construct_kbkdf_params(char *digest, char *mac, unsigned char - OSSL_KDF_PARAM_SALT, salt, strlen(salt)); - *p++ = OSSL_PARAM_construct_octet_string( - OSSL_KDF_PARAM_INFO, info, strlen(info)); -+ *p++ = OSSL_PARAM_construct_int( -+ OSSL_KDF_PARAM_KBKDF_R, r); - *p = OSSL_PARAM_construct_end(); - - return params; -@@ -1100,8 +1102,9 @@ static int test_kdf_kbkdf_invalid_digest(void) - OSSL_PARAM *params; - - static unsigned char key[] = {0x01}; -+ int r = 32; - -- params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test"); -+ params = construct_kbkdf_params("blah", "HMAC", key, 1, "prf", "test", &r); - if (!TEST_ptr(params)) - return 0; - -@@ -1122,8 +1125,9 @@ static int test_kdf_kbkdf_invalid_mac(void) - OSSL_PARAM *params; - - static unsigned char key[] = {0x01}; -+ int r = 32; - -- params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test"); -+ params = construct_kbkdf_params("sha256", "blah", key, 1, "prf", "test", &r); - if (!TEST_ptr(params)) - return 0; - -@@ -1137,6 +1141,30 @@ static int test_kdf_kbkdf_invalid_mac(void) - return ret; - } - -+static int test_kdf_kbkdf_invalid_r(void) -+{ -+ int ret; -+ EVP_KDF_CTX *kctx; -+ OSSL_PARAM *params; -+ -+ static unsigned char key[] = {0x01}; -+ int r = 31; -+ -+ params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r); -+ if (!TEST_ptr(params)) -+ return 0; -+ -+ /* Negative test case - derive should fail */ -+ kctx = get_kdfbyname("KBKDF"); -+ ret = TEST_ptr(kctx) -+ && TEST_false(EVP_KDF_CTX_set_params(kctx, params)); -+ -+ EVP_KDF_CTX_free(kctx); -+ OPENSSL_free(params); -+ return ret; -+} -+ -+ - static int test_kdf_kbkdf_empty_key(void) - { - int ret; -@@ -1145,8 +1173,9 @@ static int test_kdf_kbkdf_empty_key(void) - - static unsigned char key[] = {0x01}; - unsigned char result[32] = { 0 }; -+ int r = 32; - -- params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test"); -+ params = construct_kbkdf_params("sha256", "HMAC", key, 0, "prf", "test", &r); - if (!TEST_ptr(params)) - return 0; - -@@ -1169,8 +1198,9 @@ static int test_kdf_kbkdf_1byte_key(void) - - static unsigned char key[] = {0x01}; - unsigned char result[32] = { 0 }; -+ int r = 32; - -- params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test"); -+ params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r); - if (!TEST_ptr(params)) - return 0; - -@@ -1191,8 +1221,9 @@ static int test_kdf_kbkdf_zero_output_size(void) - - static unsigned char key[] = {0x01}; - unsigned char result[32] = { 0 }; -+ int r = 32; - -- params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test"); -+ params = construct_kbkdf_params("sha256", "HMAC", key, 1, "prf", "test", &r); - if (!TEST_ptr(params)) - return 0; - -@@ -1298,7 +1329,6 @@ static int test_kdf_kbkdf_8009_prf2(void) - * Test vector taken from - * https://csrc.nist.gov/CSRC/media/Projects/ - * Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip -- * Note: Only 32 bit counter is supported ([RLEN=32_BITS]) - */ - static int test_kdf_kbkdf_fixedinfo(void) - { -@@ -1628,6 +1658,7 @@ int setup_tests(void) - #endif - ADD_TEST(test_kdf_kbkdf_invalid_digest); - ADD_TEST(test_kdf_kbkdf_invalid_mac); -+ ADD_TEST(test_kdf_kbkdf_invalid_r); - ADD_TEST(test_kdf_kbkdf_zero_output_size); - ADD_TEST(test_kdf_kbkdf_empty_key); - ADD_TEST(test_kdf_kbkdf_1byte_key); -diff --git a/test/evp_test.c b/test/evp_test.c -index 70996195f0cb..6ae862b04403 100644 ---- a/test/evp_test.c -+++ b/test/evp_test.c -@@ -2639,6 +2639,12 @@ static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx, - TEST_info("skipping, '%s' is disabled", p); - t->skip = 1; - } -+ if (p != NULL -+ && (strcmp(name, "mac") == 0) -+ && is_mac_disabled(p)) { -+ TEST_info("skipping, '%s' is disabled", p); -+ t->skip = 1; -+ } - OPENSSL_free(name); - return 1; - } -diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t -index 7ae546e1d70c..7b976c0a1b5e 100644 ---- a/test/recipes/30-test_evp.t -+++ b/test/recipes/30-test_evp.t -@@ -45,6 +45,7 @@ my @files = qw( - evpciph_aes_wrap.txt - evpciph_aes_stitched.txt - evpkdf_hkdf.txt -+ evpkdf_kbkdf_counter.txt - evpkdf_pbkdf1.txt - evpkdf_pbkdf2.txt - evpkdf_ss.txt -diff --git a/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt -new file mode 100644 -index 000000000000..04ab8ff0fad7 ---- /dev/null -+++ b/test/recipes/30-test_evp_data/evpkdf_kbkdf_counter.txt -@@ -0,0 +1,1843 @@ -+# -+# Copyright 2021-2021 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+# Tests start with one of these keywords -+# Cipher Decrypt Derive Digest Encoding KDF MAC PBE -+# PrivPubKeyPair Sign Verify VerifyRecover -+# and continue until a blank line. Lines starting with a pound sign are ignored. -+ -+Title = KBKDF tests -+ -+# Test vectors taken from -+# https://csrc.nist.gov/CSRC/media/Projects/ -+# Cryptographic-Algorithm-Validation-Program/documents/KBKDF800-108/CounterMode.zip -+ -+ -+# [PRF=CMAC_AES128] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:dff1e50ac0b69dc40f1051d46c2b069c -+Ctrl.hexinfo = hexinfo:c16e6e02c5a3dcc8d78b9ac1306877761310455b4e41469951d9e6c2245a064b33fd8c3b01203a7824485bf0a64060c4648b707d2607935699316ea5 -+Output = 8be8f0869b3c0ba97b71863d1b9f7813 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:682e814d872397eba71170a693514904 -+Ctrl.hexinfo = hexinfo:e323cdfa7873a0d72cd86ffb4468744f097db60498f7d0e3a43bafd2d1af675e4a88338723b1236199705357c47bf1d89b2f4617a340980e6331625c -+Output = dac9b6ca405749cfb065a0f1e42c7c4224d3d5db32fdafe9dee6ca193316f2c7 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:7aa9973481d560f3be217ac3341144d8 -+Ctrl.hexinfo = hexinfo:46f88b5af7fb9e29262dd4e010143a0a9c465c627450ec74ab7251889529193e995c4b56ff55bc2fc8992a0df1ee8056f6816b7614fba4c12d3be1a5 -+Output = 1746ae4f09903f74bfbe1b8ae2b79d74576a3b09 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:e91e0d06ab23a4e495bbcc430efddcaf -+Ctrl.hexinfo = hexinfo:24acb8e9227b180f2ccebea48051cbdbcd1be2bf94400d1e92945fe9b887585a295f46c469036107697813a3e12c45ae2ffde9a940f8f8c181018a93 -+Output = e81ef2483729d4165aaa4866c17f26496e6c6924e2fe34f608efef0c35835f86df29a1e19ce166a8 -+ -+ -+# [PRF=CMAC_AES128] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:30ec5f6fa1def33cff008178c4454211 -+Ctrl.hexinfo = hexinfo:c95e7b1d4f2570259abfc05bb00730f0284c3bb9a61d07259848a1cb57c81d8a6c3382c500bf801dfc8f70726b082cf4c3fa34386c1e7bf0e5471438 -+Output = 00018fff9574994f5c4457f461c7a67e -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:145c9e9365041f075ebde8ce26aa2149 -+Ctrl.hexinfo = hexinfo:0d39b1c9c34d95b5b521971828c81d9f2dbdbc4af2ddd14f628721117e5c39faa030522b93cc07beb8f142fe36f674942453ec5518ca46c3e6842a73 -+Output = 8a204ce7eab882fae3e2b8317fe431dba16dabb8fe5235525e7b61135e1b3c16 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:6f3f8cbf40d2a694274cfa2eb2f265a3 -+Ctrl.hexinfo = hexinfo:e7b88baa4a2c22b3d78f41d509996c95468c8cb834b035dd5e09e0a455da254b8b5687a1433861751d2dd603f69b2d4ba4ae47776335d37c98b44b4b -+Output = d147f1c78121c583cbcb9d4b0d3767a357bd7232 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:5e534bea459e54c58a6942abfd4df8ab -+Ctrl.hexinfo = hexinfo:e9a5cc15d223aaa74abd122983b2a10512199b9cc87663fd8a62d417cef53770264fc51f683890fe42da2df7be0f60898c5b09d5c4932137b6b1e06e -+Output = 92480eb4860123ceda76f1e6bf2668520bea49ed72bb900ae50725bb8cfcdb733af1a9de71fe1af5 -+ -+ -+# [PRF=CMAC_AES128] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:ca1cf43e5ccd512cc719a2f9de41734c -+Ctrl.hexinfo = hexinfo:e3884ac963196f02ddd09fc04c20c88b60faa775b5ef6feb1faf8c5e098b5210e2b4e45d62cc0bf907fd68022ee7b15631b5c8daf903d99642c5b831 -+Output = 1cb2b12326cc5ec1eba248167f0efd58 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:1bfaf4cd6efd25a132e2a1d41b124465 -+Ctrl.hexinfo = hexinfo:b933cfbb223ea65ed0e8db822f83be64ee21d3b9ca1eb0bc32f9d77f145a3e4ed4e2cc72cb3d93ea44824ab81eefdf71bbdb62067e0eb34a79914e4f -+Output = 75f4d20c558d71646ec062d2ca75369a218cedb7104be3abf27026af003e98f3 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:80168f187848a68b0b82a7ef43b4eedc -+Ctrl.hexinfo = hexinfo:9357281df7665ae5ae961fe5f93a3124416cab3deb11583429c5e529af3fc71094aad560cbc279168fe1c3327787f91a414acfff063832bcd78ed1b5 -+Output = be4517c9e6de96929e655a08f5b6d5bb77364f85 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:26fa0e32e7e08f9b157ebae9f579710f -+Ctrl.hexinfo = hexinfo:ceab805efbe0c50a8aef62e59d95e7a54daa74ed86aa9b1ae8abf68b985b5af4b0ee150e83e6c063b59c7bf813ede9826af149237aed85b415898fa8 -+Output = f1d9138afcc3db6001eb54c4da567a5db3659fc0ed48e664a0408946bcee0742127c17cabf348c7a -+ -+ -+# [PRF=CMAC_AES128] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:c10b152e8c97b77e18704e0f0bd38305 -+Ctrl.hexinfo = hexinfo:98cd4cbbbebe15d17dc86e6dbad800a2dcbd64f7c7ad0e78e9cf94ffdba89d03e97eadf6c4f7b806caf52aa38f09d0eb71d71f497bcc6906b48d36c4 -+Output = 26faf61908ad9ee881b8305c221db53f -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:695f1b1a16c949cea51cdf2554ec9d42 -+Ctrl.hexinfo = hexinfo:4fce5942832a390aa1cbe8a0bf9d202cb799e986c9d6b51f45e4d597a6b57f06a4ebfec6467335d116b7f5f9c5b954062f661820f5db2a5bbb3e0625 -+Output = d34b601ec18c34dfa0f9e0b7523e218bdddb9befe8d08b6c0202d75ace0dba89 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:b523ae21fc36bc58cc46e5a3cda97493 -+Ctrl.hexinfo = hexinfo:8dbe6d4d9b09b2eabd165b6e6e97e3bc782f8335cb1ea04ad0403affd88a5071db5f36ce2e84ab296261730b2226a9189d867991fbd4ff86f43a3cfb -+Output = 530211df01975dd6c08064c34105f88a6007f2b2 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES128 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:b2fcf854b1029888aeb0274ca09bb21a -+Ctrl.hexinfo = hexinfo:a6b84baae7a6ceb1d63ed704757500c510c0a8bdc22d2f42af09f79c815f37f33b67dad0b30f428fc1e2d355f7f91f65acbedd2fdd5b8c38dd890407 -+Output = fe4c2c0242c5a295c008aeb87ae0815171de6173773292347f4f5ec07185c3f860b5667c199aad55 -+ -+ -+# [PRF=CMAC_AES192] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:53d1705caab7b06886e2dbb53eea349aa7419a034e2d92b9 -+Ctrl.hexinfo = hexinfo:b120f7ce30235784664deae3c40723ca0539b4521b9aece43501366cc5df1d9ea163c602702d0974665277c8a7f6a057733d66f928eb7548cf43e374 -+Output = eae32661a323f6d06d0116bb739bd76a -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:d10046bb18c3f363e87f4e57b961b294d4edf2ca91dc3e38 -+Ctrl.hexinfo = hexinfo:2d043069de979bffb1be38a3cef2869dc07d5d3e99bde2e2204f10138081743f423f0c0b1aec0735a25bc61a8e2936dec6a25bb0ae105ab46caf8a2a -+Output = 8991a58882a0488bb5478996f2893989adb66d08d5030ad90f6ce5fdfca7754b -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:bf0abb70098d6c203074f1bce3d7468116cd1e5e8e618f20 -+Ctrl.hexinfo = hexinfo:d9ce030a48668ada6c67a2ac163515ec22383c4b5332e18d06901bacbb63dd649c683cfd4fee2f33346817b23cb4c734060a1c727b0c72c12448f4f9 -+Output = ecd1eef152b5835376f1a4324cd968bcb0cf850a -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:8725918ca07ad8e108473e5ffdf43eb1cf5c44baf0bd1cec -+Ctrl.hexinfo = hexinfo:f4a57b84a881cf282aac5402cfa8fc4ede0db6f8e902d5c0c41c4712077306484e626e3ffc4129d9b43b46cbb6c53d2838a811dc8aedad7253cf94d4 -+Output = 5a795fd0d7661968c478860b526cca40eb8702083fdbff3ff8adfa697e795398ca7106bc950fbb45 -+ -+ -+# [PRF=CMAC_AES192] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:d7e8eefc503a39e70d931f16645958ad06fb789f0cbc518b -+Ctrl.hexinfo = hexinfo:b10ea2d67904a8b3b7ce5eef7d9ee49768e8deb3506ee74a2ad8dd8661146fde74137a8f6dfc69a370945d15335e0d6403fa029da19d34140c7e3da0 -+Output = 95278b8883852f6676c587507b0aa162 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:5e6695d7c3f5b156c7b457c8c2b801ba2ae30c9c8a36ee61 -+Ctrl.hexinfo = hexinfo:1406756f40efb8e29d5455d2da4bf1993b3c3901d67ec90934895f5de7845f573ae8a0dc8a6ad77d80da29e81329440d61d63dda8eaa7851bc7a172d -+Output = 72046d5eed909f6ab25810ead446ace7422fd87e6bd496ff2e84b115b8e0d27e -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:e3b88f40c9974410955820a8f8392701e9c67cc6efd3b0ff -+Ctrl.hexinfo = hexinfo:a520f36b6b60dfce34dc1d1f6b16132efa82566efa49f3140113fbc59e309c40db42962c06123721f122f433fa417ce3319bca9c58b4184fd8c7be8f -+Output = 134b6236a80c257591cc1437ab007b3fa4bd7191 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:51574d47f2f1d202a30252823b52ba7858b729d5ed4c92f7 -+Ctrl.hexinfo = hexinfo:0819c17dd3f9a68493a958c46152d04ba450043908a0016b99cc124d5e75b0d11e7c26f27365609c110eee7f8baa88a7d99fecc690e617150f93bd6c -+Output = c46db4cd822e9841408fba79932d6c748bc7ab17421ed1ad188aed327c2a0d694e380c0cade8b37f -+ -+ -+# [PRF=CMAC_AES192] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:f7c1e0682a12f1f17d23dc8af5c463b8aa28f87ed82fad22 -+Ctrl.hexinfo = hexinfo:890ec4966a8ac3fd635bd264a4c726c87341611c6e282766b7ffe621080d0c00ac9cf8e2784a80166303505f820b2a309e9c3a463d2e3fd4814e3af5 -+Output = a71b0cbe30331fdbb63f8d51249ae50b -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:3eeed1560e17aaffe9f6ca9d81815b89a6879a56ebe4182a -+Ctrl.hexinfo = hexinfo:a643378a557af69ce2c606bc623a04b568a848207534d25bfa22664f9148997a6b4c00f4624b5100b4eb01857240b119876c3a86c1e8b02335475939 -+Output = 8a1dc0f616353bf3ecf5553d7a7651e9ea6d884a32172d3391ad342bfaf60785 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:c984c3f65cdc32e7503678764a9e84292a1f50e335167a36 -+Ctrl.hexinfo = hexinfo:0061cd40f9eef84d6c8b04e0142d70aa50d4690e0a1de8e3ff5f5cea10cd2d28281eb1df90c519b8b51f7aa0d63a313ebbf80538b54dd11a66115be6 -+Output = afe93ae91930261344e30ef9e1718e76f74225d9 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:993305e59f34a94f62931fd7662bb5b73c77d8d4bc6a33ba -+Ctrl.hexinfo = hexinfo:fcceb2d7ac6a68717c2490ec95bebea484c4930d156683c43164dc53bff0bafcbfb31e920109927ef08e12f66f258b6f8ba284908faee7d3376e1bac -+Output = 40e358cfdeee0286d152fcb4626ff22e67eea3b65d8750a273001b67645804cbf613832201b0a9ba -+ -+ -+# [PRF=CMAC_AES192] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:f4267280cb8667c2cf82bb37f389da6391f58cc74deba0cc -+Ctrl.hexinfo = hexinfo:34abbc9f7b12622309a827de5abfdd51fb5bb824838fcde88ca7bc5f3953abdcb445147f13e809e294f75e6d4e3f13b66e47f2dfc881ed392e3a1bf6 -+Output = 2d1b4b5694b6741b2ed9c02c05474225 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:dc866a038c4f78f22d46caca65892bcdb15c1eb49b275827 -+Ctrl.hexinfo = hexinfo:b4a123bad4890c7a791f5e192bd8b6e9c8c3620329f99249f11e1eb517a5b27b9e5b047a6591b45f6fff53e6d04b32d82e052af2eb8519bd21c10f93 -+Output = 731a2e23ab2e58551490254041ee8fabd9c5a1918d76307f1048535be0763b20 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:dd5e0f1a30b0b722b00626ee663df29601af58082708e18c -+Ctrl.hexinfo = hexinfo:b7c6eb48c80b071080fd07a827d0bfdc781599862084f7ffd968a4cbff0be9a6adef5ea206aa8af4d8a85705953e33cd7c4cbb69969c73698f54c6b8 -+Output = 84e1ca286776cda0784c4fc48b054384ca565d17 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES192 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:d64c598436507f4d05d7ebe780092996f281901dc9c8612f -+Ctrl.hexinfo = hexinfo:0ea737cfca2560856917f3a2ff5e2175930d0719bba85a9c8d8cb311a0a1b8caf8ffe03e9a86ab17046670011c9fec5c5cd697d9cd931f615cdfe649 -+Output = 3c26968bd3997c653f79bb725c36d784b590d18a64678cf312abe8a57b2891c27282e37b6a49cd73 -+ -+ -+# [PRF=CMAC_AES256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:aeb7201d055f754212b3e497bd0b25789a49e51da9f363df414a0f80e6f4e42c -+Ctrl.hexinfo = hexinfo:11ec30761780d4c44acb1f26ca1eb770f87c0e74505e15b7e456b019ce0c38103c4d14afa1de71d340db51410596627512cf199fffa20ef8c5f4841e -+Output = 2a9e2fe078bd4f5d3076d14d46f39fb2 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:5402c978955128558789bee7b571465174a60582a7640037387f99ac16683173 -+Ctrl.hexinfo = hexinfo:5c7eb447481c2884a5398449eaecbb8b55f1f1981ba0fd187818d8b3581b430c3da52ab83d444e003625ff36fcbd160c67b18d85b6c9d00da1a15d15 -+Output = f22a4686abe599c2194d21fc9071ffceb023dd9b24c13f05a3d44cfc77fec44a -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:cac968a8ffd81c73948bdfb48bf8a29c1378517d3be294df9a8a80724075bdbd -+Ctrl.hexinfo = hexinfo:08817bcd560edf810aa004194c817e455fb66bbc3b84fef1d66df2d1cebb3403c24231fa822f130c5d8fe886217122dcab15cb725197bbcbeb8010f5 -+Output = 651c43e113b32026b204119af394301f0cb9831c -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:9debd1762a9643e967dbc174f2040e177b8053afb0829189a81fed94f8c365ee -+Ctrl.hexinfo = hexinfo:6c4e1e3fdd7f5c97d58bcdda792642cbd271d6968f6a8e368013d88763d0b306c832b7ab46b84d099596972d12220a4e9c81f82d6f5003d18b93c595 -+Output = 2518a44ea347e924b03a7b4c966ec4e4bd76c1456d09096be9387638c2737faeebba4e2b921b19db -+ -+ -+# [PRF=CMAC_AES256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:4df60800bf8e2f6055c5ad6be43ee3deb54e2a445bc88a576e111b9f7f66756f -+Ctrl.hexinfo = hexinfo:962adcaf12764c87dad298dbd9ae234b1ff37fed24baee0649562d466a80c0dcf0a65f04fe5b477fd00db6767199fa4d1b26c68158c8e656e740ab4d -+Output = eca99d4894cdda31fe355b82059a845c -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:4c30b96d9beff5cc3c37527694eeec8207fae2c13ef295556919a7a46e5b90c1 -+Ctrl.hexinfo = hexinfo:86e1ad34bd7a998281a822129a23102f799812864cf5349f3f21cec7729f83ad8c8aa6517fafcc9521cde887686629048159ed3f15c01408984f547e -+Output = 815fe232e0e89f7eeaa87c3ba5007694a43c1577657ccb3018076c5a5c035d95 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:e508ce78aca2cc50c80a6cbdb2b178f8ee5e315dad71ddfa700eb6cf503239b3 -+Ctrl.hexinfo = hexinfo:28c47ddd23d349e3b30bf97975c5fa591f2158e001dae3faa154d93c615c89fc7449c901a2585e618f68a0b2cbd3f35f53424d5ea015cbf7e8e09f68 -+Output = 6bc69b4c11aa7c04ac3c03baa44daeac4a047992 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:ee0a0f88b3b441826264de7a31b890a66edf7c2a28d0286eab285846b586fb8e -+Ctrl.hexinfo = hexinfo:1ea9771ab763056260d885073e80e835e20e5d7ca9659fdf5dd3b7f2ae6286608f8bc7a6728e41346c55544942b1bf06642fb6a6738fb5b7f0128f9c -+Output = 5484f170b6602b505e9e6ccffccf2262b55c3554728244bba94daff0adbc619400b33f38013a2293 -+ -+ -+# [PRF=CMAC_AES256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:1612a40daa7fce6c6788b3b71311188ffb850613fd81d0e87a891831348e2f28 -+Ctrl.hexinfo = hexinfo:1696438fcdf9a85284759b2604b64d7ea76199514709e711ecde5a505b5f27ae38d154aba14322481ddc9fd9169364b991460a0c9a05c7fcb2d099c9 -+Output = d101f4f2b5e239bae881cb488995bd52 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:77b50e24b859725d1cab531c885a6e60e7d5b0432f37408185ae688dffa5f6a5 -+Ctrl.hexinfo = hexinfo:0b2c907499cddaa1fcfb02002ab8b9756c5f1f9fea482d79b8a6aa9fa2fb48e69df94dca4cb6f2e90a462678279ddaacc482fdd76581996b43974a22 -+Output = c2a02b3743d506cdc1a41d4c2ae4c67610c5d607df0c26cbf7f4fe2198cb35f1 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:18a5c3e669967b42e9a29bad8fe86699f2b5d496ff767cd3171d1c7195ecef59 -+Ctrl.hexinfo = hexinfo:33231c50326592c25ec3eee2c61a3ad4c8a23c098dd83eafe5db411d0948eb122bb6eb7a1d04d2dbcd0b98d0b70b7ff305bb3ef6ac9d4e8e3f7ecd4f -+Output = e80afb5cd274cb5fa4952aa95177ae83337f4c8f -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:0b589e556b7583f0fa9144868603b59262f457dee1e887ffc0e39968218959b9 -+Ctrl.hexinfo = hexinfo:1b95b940e0b950a58f09ea09941b80852cb29838940bb146dc3db0ddcd87f72ee28813c09fcef773e95438c0ed3dbcf29e78de0c78377561c5869d5f -+Output = 260aef65eefd58816fe1a77120d047548b00c475c25178a2a33d4c801d49e8a0fb830513d0b3ff17 -+ -+ -+# [PRF=CMAC_AES256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:d0b1b3b70b2393c48ca05159e7e28cbeadea93f28a7cdae964e5136070c45d5c -+Ctrl.hexinfo = hexinfo:dd2f151a3f173492a6fbbb602189d51ddf8ef79fc8e96b8fcbe6dabe73a35b48104f9dff2d63d48786d2b3af177091d646a9efae005bdfacb61a1214 -+Output = 8c449fb474d1c1d4d2a33827103b656a -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:d54b6fd94f7cf98fd955517f937e9927f9536caebe148fba1818c1ba46bba3a4 -+Ctrl.hexinfo = hexinfo:94c4a0c69526196c1377cebf0a2ae0fb4b57797c61bea8eeb0518ca08652d14a5e1bd1b116b1794ac8a476acbdbbcd4f6142d7b8515bad09ec72f7af -+Output = 2e1efed4aef3fdd324e098c0a07c0d97f8fd2c748a996ce29861ca042474daea -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:99f212241a343c1c8c2104ca6d28062413d985c21e6bba27fde0c622e2e4e6b7 -+Ctrl.hexinfo = hexinfo:af8dc1cb7d1f82ca834628c20f0fc81920eb3ff3f75d3f4e3000593e9c15872479711d99d1b7be794f58d80a31bb112219dc16e6354111ab1161e21d -+Output = 7f778c625bf0d083169a51584f6683f24af7c35e -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.cipher = cipher:AES256 -+Ctrl.mac = mac:CMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:dabde95d751ff1c132bd49f80f4ee347bf39218cf8bfec61bc3ad865d9aa1182 -+Ctrl.hexinfo = hexinfo:55da554307ed756764d4e97febb77ce85391b53225ee09417ad57def48ead090e3d1e7c2ed04f02462a6324ea0163b18f86201c69db27fd50b4c42c5 -+Output = 5cc29221cfa6f3a4ded7afeef5a59c05bac787fc5e98a35ee0c96ba582b05c42f758966566084f69 -+ -+ -+# [PRF=HMAC_SHA1] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:00a39bd547fb88b2d98727cf64c195c61e1cad6c -+Ctrl.hexinfo = hexinfo:98132c1ffaf59ae5cbc0a3133d84c551bb97e0c75ecaddfc30056f6876f59803009bffc7d75c4ed46f40b8f80426750d15bc1ddb14ac5dcb69a68242 -+Output = 0611e1903609b47ad7a5fc2c82e47702 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:1ee222f5cdd60b0ae956eeeaa838c51bd767672c -+Ctrl.hexinfo = hexinfo:4b10500ba5c9391da83d2ef78d01bcdccda32ff6f242960323324474b9d0685d99dc9143ac6d667a5b46dcc89784b3a4af7a7684b01efee41b144f48 -+Output = 806e342013853083a3f7294c63a9ec9a6dba75b256c62fac1e480ef26276cd4b -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:0e71d9e9c9e951978ada75c831d627dd5d3b4c59 -+Ctrl.hexinfo = hexinfo:08b6f69698e8eb6c8c63953abd3538531d722cc4e9ca7ffcb68abba4dd4b027b3787efa107902ace8abb54549bede4ffdadabec3f282865b2166d46e -+Output = 86137b96ec15b7954fdc5df8d371ee2d8016e97a -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:f0e5ad280b3465e719afdf86377bbcda59f5c59b -+Ctrl.hexinfo = hexinfo:231b6d83f0194499f27848108fd1fcdcf9520e67522cf54486fb919a839532d165019388242ce373a89ce644d7818e7415f5730a0b743595ab19add4 -+Output = 9a9ddd19818bb085d24e48ee99d6e628235a422fb2ae383282b7bbbf0e5f5edf42d7237b8ed6aa1d -+ -+ -+# [PRF=HMAC_SHA1] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:a510fe5ad1640d345a6dbba65d629c2a2fedd1ae -+Ctrl.hexinfo = hexinfo:9953de43418a85aa8db2278a1e380e83fb1e47744d902e8f0d1b3053f185bbcc734d12f219576e75477d7f7b799b7afed1a4847730be8fd2ef3f342e -+Output = c00707a18c57acdb84f17ef05a322da2 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:abec6c894ae9df32e5afdf5d06a0434e8940ca71 -+Ctrl.hexinfo = hexinfo:9a6574a0ea1123ab9580906f8a2c4a0ecba9a8a84079c37a6e283ad4d4e957c3d16db66ae4be99e688b221c359a8dd2505868beb6a49fd7ce6c35df4 -+Output = 5b37675aec199c7d08435ef6321cf6235c12453a4530072d4a73ba0ad34634a5 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:df4e835a2f201a3d0f840eab38a18adf72adf9eb -+Ctrl.hexinfo = hexinfo:84c6ca541d24a8b419037b9657ee4e0d5ef96d8b198355940a30b09bf8784e81d3b93558de21c46f04aec4afd610c3b230d17473c80b47b5004955e7 -+Output = 1202915544844b1f913caab512c582735bf76fed -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:cbe1d2895640dcd1545e60e04ce9d995707ec539 -+Ctrl.hexinfo = hexinfo:c80d735ec5fd0bf811a4a71c55e99373f83f4111194ec24a8e9fe24ef03f56ed15b4e135e02488d96dba8c0d60c26592df55a492691cf3b7eced40d1 -+Output = 1fd5a183be95c2d909deed31d686417d5c08bb88e6f75b150df330c8e7703bb8ccdffacb3e9ee3ff -+ -+ -+# [PRF=HMAC_SHA1] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:928c170199473291bf719a1985a13673afb8f298 -+Ctrl.hexinfo = hexinfo:f54388503cde2bf544db4c9510ff7a2759ba9b4e66da3baf41c90ce796d5ea7045bc27424afb03e137abfafe95158954c832090abdba02d86bab569d -+Output = 8c01160c72c925178d616a5c953df0a7 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:df7ecebec20e14be6db5d46af2769fe4e4ed689c -+Ctrl.hexinfo = hexinfo:308ec6953d4945f075d37932d5dd335c7de0d2e7899a8321724a50b52240191fcdf991520c47a25b04ce6eecc835e4265b623c68d687afc615f74ae5 -+Output = c2129eeb33ee6783b6b187e5ae884f8f5bd78ca224e5e01c04a68ecef376ea38 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:2539c58bba8ae61be8b867b767ad698eb1f52a0b -+Ctrl.hexinfo = hexinfo:9f6de21c93176f8814e9290a40149f749f946d376eb65f888eddcc4a24a58dbdbb3222fb53487e0abb08efff6d6a43511b18c40f489abe4013647273 -+Output = 20bc5ab8c27dd3f6f6fa5485f2eed8bd8b8b3d35 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:66002f224106971edc62a7c6957931b2097aabc3 -+Ctrl.hexinfo = hexinfo:f5fe599fac3bac5b10a4296b0783e2fc78cb498347ff3f74e2d9d230dfb6653e1a274e7bc37f0319eac2b0b48533b7be9d3633eed32101837ee460ff -+Output = c195b9139fee020eda70b8a161aef28474977412c0612afafe23b16b1594871548b5889b38e0cf2a -+ -+ -+# [PRF=HMAC_SHA1] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:f7591733c856593565130975351954d0155abf3c -+Ctrl.hexinfo = hexinfo:8e347ef55d5f5e99eab6de706b51de7ce004f3882889e259ff4e5cff102167a5a4bd711578d4ce17dd9abe56e51c1f2df950e2fc812ec1b217ca08d6 -+Output = 34fe44b0d8c41b93f5fa64fb96f00e5b -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:c1efb8d25affc61ed060d994fcd5017c2adfc388 -+Ctrl.hexinfo = hexinfo:b92fc055057fec71b9c53e7c44872423a57ed186d6ba66d980fecd1253bf71479320b7bf38d505ef79ca4d62d78ca662642cdcedb99503ea04c1dbe8 -+Output = 8db784cf90b573b06f9b7c7dca63a1ea16d93ee7d70ff9d87fa2558e83dc4eaa -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:e02ba5d5c410e855bbd13f840124273e6b864237 -+Ctrl.hexinfo = hexinfo:b14e227b4438f973d671141c6246acdc794eee91bc7efd1d5ff02a7b8fb044009fb6f1f0f64f35365fb1098e1995a34f8b70a71ed0265ed17ae7ae40 -+Output = f077c2d5d36a658031c74ef5a66aa48b4456530a -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA1 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:693adb9037184627ad300f176985bd379f388a95 -+Ctrl.hexinfo = hexinfo:7f09570c2d9304ec743ab845a8761c126c18f5cf72358eada2b5d1deb43dc6a0f4ff8f933bef7af0bcfacb33fa07f8ca04a06afe231835d5075996be -+Output = 52f55f51010e9bd78e4f58cab274ecafa561bd4e0f20da84f0303a1e5ff9bebc514361ec6df5c77e -+ -+ -+# [PRF=HMAC_SHA224] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:7e2f7a5ab3e82ef927a005308456823da473787bf33d18a864aca63f -+Ctrl.hexinfo = hexinfo:b35695a6e23a765105b87756468d442a53a60cd4225186dc94221c06c5d6f1e98462135656ebca90468a939f29112b811413567d498df9867914d94c -+Output = 10ba5c6ea609da8fa8abe8be552c97a1 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:667f72fc660e32943de386af9670c78e975c838cae91dca97f4f8508 -+Ctrl.hexinfo = hexinfo:e713e8c38e92c8ba0f0791cc4a0d00c98d8dda8f3137a775104e7aa65b5f04fed12ee78a88262b2931717b7ac5624162fd5f0307f4faef038dcc210c -+Output = 835b343242a489249eec3cd56384ea2a5b295e29a4430fec2aae0c8b9fa36d20 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:3344fb80fd655b16f08c78150516cbbc009fbdf1b510905f9113d275 -+Ctrl.hexinfo = hexinfo:dc2aa42084d645baeb822c0c1d9b8e200737e9a2c7dcd922d8f056d6c02552295d95a488758919724207eebb4c21887f71b51a2a7ce98827cf7af4bb -+Output = e281d09a31c57d053f0c2f902792c8bbb9a0f443 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:eb9386450d7b2da5492da5b139cf4b0b951a5b0c7d40c22ae2c20677 -+Ctrl.hexinfo = hexinfo:bd8b73969e3e2d7a943b937c3bffe3a9199d1cf27e289bb10c3b88696a5ae36b3b868b4fc6a20ca93dd0b328f3351f71ce656bb558fa33c74741398d -+Output = bc902dfba79fb4084339b6666c7f72b9f47675229dc24ec61068bb05082717eead35647ff147d7de -+ -+ -+# [PRF=HMAC_SHA224] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:093b2ce84c6175d1723fbe94b9ee963b6251d018fcf8c05c2e3e9b0b -+Ctrl.hexinfo = hexinfo:083e114aca1f97166551b03f27b135c0c802294aa4845a46170b26ec0549cb59c70a85557a3fc3a37d23eed6947d50f10c15baf5c52a7b918ca80bf5 -+Output = 94ced61c3665616d4a368f83a7283648 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:ffb5c9d920522477cb2ecf16ae1e075587b7598348e019df85ca3d43 -+Ctrl.hexinfo = hexinfo:252743519ab4e03f8bb0ed137e2d315aac5010b951645c7626c6f5a77c4a6c4e0b0b4030abf937141f7142bcd702678b15d2d4e8850e0570ec782c79 -+Output = 3d1813da0322201ed45ac2aaf3542843913bb32fd832a33a5dc94bad964bfe56 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:7f0ea811340cddbbf261d0260b0c98dec790133cffd2b04b8f8be2b1 -+Ctrl.hexinfo = hexinfo:0a744543acddf7d8c0a205372a0450e32631a33bb89ad2e3bb2d9766c248ab755fec152a6da866ef50baeab607d88e5177042056970013aa18f9fb1e -+Output = e55120e7848cf61254159e79c2ac47a9a906a73c -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:6e237178c4884e13470b6b4848b40389d9856311735da4eefa2f6f38 -+Ctrl.hexinfo = hexinfo:9cd9f9ad88471668f3b25515851fff63d3a886b8c6cf371eae159bab58f997b83eda5815567a142c4264978d8f24d24fe2d513c0eeaff983b86fdbd8 -+Output = 1e6638ea717338cfeb7dea373785c3c763bd5e509358e4940e9a4e4fd0a3e0347973858bc20243b8 -+ -+ -+# [PRF=HMAC_SHA224] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:f09e65e8de7500847b43bd95e6c3506e01aadd484e9699b027897542 -+Ctrl.hexinfo = hexinfo:c20f6188517b2ca10086b9f7f8d6f2d38d66f24193c037008d035f361c6bd74db26aef588a87aa8a1c3cdad2ba0207f7e7b39def0df797c4cb3bf614 -+Output = 73d30c2af54744eb1efb70429f8e303a -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:6079eafeba179a915e194b14e12ffee1e2bad56a62077897a4654e4b -+Ctrl.hexinfo = hexinfo:87686603814d619107aabfab85b4c4fe38ae1a5c2a4d78df12119871b8a4f85d583e7d842ee15e7fe03f61dd02b10784838ed163dc67cca43586d628 -+Output = d888a21e1a698654fa46288509ae7a28dc7b05e6fc696a909451c2437097056b -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:2efe2905a1b7e1993da0316f2a747be1e91415ca1e6ad14d04341fee -+Ctrl.hexinfo = hexinfo:4d283c0f6d209379facd8a26aa889780863cf6a81893dc3bd2c928a7f8d922ced9c829bf627d2c556441d0d41a1eb00c0deea78349429de56a275f04 -+Output = ec162b6ff6413f5eae9336fd489fab538d042db8 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:0b15638489d3ac7729a7db82797754e7a7c8d52da0cf3638a27a1a9c -+Ctrl.hexinfo = hexinfo:90988848764dacc6eeba817e0b74086b1233bca9d573717b8e3dd3bd23a532aac7db8b196e4c4702f54cc71bb8882dc776b0317457803a632b429776 -+Output = 481293e1e621ad8bab5c9f5090594bb2507a1456ee8ffc30db159cb5b02d69110c3e5270880bf4a7 -+ -+ -+# [PRF=HMAC_SHA224] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:f5cb7cc6207f5920dd60155ddb68c3fbbdf5104365305d2c1abcd311 -+Ctrl.hexinfo = hexinfo:4e5ac7539803da89581ee088c7d10235a10536360054b72b8e9f18f77c25af01019b290656b60428024ce01fccf49022d831941407e6bd27ff9e2d28 -+Output = 0adbaab43edd532b560a322c84ac540e -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:992815121d88ffb26c337606723c02ef317713086e2cfbbd37e1a167 -+Ctrl.hexinfo = hexinfo:152d974eb2719b9027d32054a327312361125959df9d96a1832e2056c2571d4f1cf45f6e8f6544c87f15861cef627d2f16e9b0b4ab799bb3362f4aae -+Output = 475eda3a32d569932e043db64dbf0e9bb0945b54dcdfa203be1a28524c147075 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:2eabb6b922c24326ef9ae3c192dfd341caf57efe15dd649772a2ac3b -+Ctrl.hexinfo = hexinfo:c75f6f5a1561aab39ea0e22702a6cf7dba3ca4dd9f046bb0abea2d3284168fd9fb39ff725523a660d21f8c2ade03d18d4273c52fb6f22c9e39d6bc2e -+Output = ae50acebe308a1cf1747b9b178a0720748fa5fe5 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA224 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:9b75e7fa216c884037c7d6953092ed335c4efd88ca57a742d6ac3221 -+Ctrl.hexinfo = hexinfo:12bea97865df99315259ff620302432ecafc9dce2619e87dfb4979410456a524434315dd3920e2b1aa1c79d5e07132a758a7b7b71ef10bcf1bb877f3 -+Output = 60071bd0ceea0fe0f879223b940d3de7dde02ca6858f8450fb9c0032e49f968ef9cd9b5703163dbc -+ -+ -+# [PRF=HMAC_SHA256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:3edc6b5b8f7aadbd713732b482b8f979286e1ea3b8f8f99c30c884cfe3349b83 -+Ctrl.hexinfo = hexinfo:98e9988bb4cc8b34d7922e1c68ad692ba2a1d9ae15149571675f17a77ad49e80c8d2a85e831a26445b1f0ff44d7084a17206b4896c8112daad18605a -+Output = 6c037652990674a07844732d0ad985f9 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:f109513435d72f14863660dfc027118e47e13995ad44a02415c9c8f63d38675c -+Ctrl.hexinfo = hexinfo:53696208d6f42909136a575010e135e142e31f631d72386a631cc704e5ad4049a889422cd6da7f1805e59a273c6f4fa986bc3082952fca658979f1b0 -+Output = 1aaf080fd51b37585ea464a9c617bc3ab859cc78cbe1f2d5d557148ee36821a0 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:6ed1b41a1fc2ca8c7e09d5bccc410661683ec29d41a0fd01dd820a2e824ff672 -+Ctrl.hexinfo = hexinfo:f6dc72adbd8ad4ea91259b61237a042a02546f37d58d933d3efadc54a5e1936a8faf70c33e707c473125bd5006b7dfa6883c04bf27cf53010e1d10bc -+Output = 4090ee711fa361f03267a6ff2a5ace977c8c1db5 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:63a657fb6c5bacb9a124d3e7db8bbb7d42bfdfaf8f04cb6359cd888c70669652 -+Ctrl.hexinfo = hexinfo:2697b6ec112cab4d6f1714c991c17d44fb36a0b6ef0b0f5451619ab248950f56f403215c78711aa563683ced05be7246f32574fa294f162dbbeb3dee -+Output = 1992e75756fa64734d5caecc5f6420fcb28b8b90421eee97dc8b6140ce18518405688bea489d2aaa -+ -+ -+# [PRF=HMAC_SHA256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:743434c930fe923c350ec202bef28b768cd6062cf233324e21a86c31f9406583 -+Ctrl.hexinfo = hexinfo:9bdb8a454bd55ab30ced3fd420fde6d946252c875bfe986ed34927c7f7f0b106dab9cc85b4c702804965eb24c37ad883a8f695587a7b6094d3335bbc -+Output = 19c8a56db1d2a9afb793dc96fbde4c31 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:365592398d23d31f2cac8bf6211f1ad5f52608efcdc5997b144ea6ded3866cf6 -+Ctrl.hexinfo = hexinfo:07dce524556d3f68d2d91d4c15c9c6212635e0df1aef54938490db46f98737064d6a5624d7f938c263af01e632c45d9fe7a871b67f7d4bf110796eb4 -+Output = 5624c6911dc1b08e090c8c95347adf17895b696aae211932cde3ec8227fcbea8 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:c104e187e344668997b7bd9c8cdf097320518dd7dbcb541c414418b55b58cbb2 -+Ctrl.hexinfo = hexinfo:32f6bd59840c61909f2f92f98f54bd238083577e33c3d071c1abe4c694bd87c1ad235eb9a2d272b3dc67c955574d5e6cad84615120476d6e7e04f51f -+Output = 1b5d9e60aa909aeb973e76d9bf6be208327bb096 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:d4349c26108719debacc04e166a09063ffb5e17bcbaf8738dc2618aa7d1e97ae -+Ctrl.hexinfo = hexinfo:da1f5ed45ead428689b0ecca9dbc2569e76953cda0df085499cca6d5949d8995e1e42bbdc94b0dd78c164867c364a64c894de85294ad89d267ff443d -+Output = 00550ae0f29a2373269af175e7f829ec32c3d05099a39f8c0e02caa00b68afb7457669334383ffb2 -+ -+ -+# [PRF=HMAC_SHA256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:388e93e0273e62f086f52f6f5369d9e4626d143dce3b6afc7caf2c6e7344276b -+Ctrl.hexinfo = hexinfo:697bb34b3fbe6853864cac3e1bc6c8c44a4335565479403d949fcbb5e2c1795f9a3849df743389d1a99fe75ef566e6227c591104122a6477dd8e8c8e -+Output = d697442b3dd51f96cae949586357b9a6 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:f5207566ad012002ae6f2b501f0c24180228345889c20616d043b868a76d015a -+Ctrl.hexinfo = hexinfo:f36dbc8d1dfda60d4ba05214f8773aaa9f01944150bca68812d0d8deb5492f3f68f09809ba5e8b89e9dca86c70f6f353b3d5f49ef27e2fd01cfa911d -+Output = 0faed440796a0685a24a1c5e1cacde566c7a1a4189885229251c6308a53c3f6e -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:e2758918edcf15d957a556055602d283dbdf9c95b6025a3cddf1eeac1e0ac889 -+Ctrl.hexinfo = hexinfo:eda2f792580d6129b43e7b89c661786a29ab502ec6198f4a2bec6d0ffca1a75b8807d4313e7bf769a94fbf4b41c4cc309358a211105312c05818d8f3 -+Output = 67e3273b2cfa4c663377f5841606679aee420dce -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:c9063598d6cf8660300073b5c25603baf3ade910c182deea15d8107d6f6be295 -+Ctrl.hexinfo = hexinfo:22d27eec90c2dd4ae5cf4a705abecfd781b9051ba512b048ea9499364b791e9cdf63215db43680dacffe6f19d77fc93f8a46d84dd52146389d9ec308 -+Output = f3a5b521b435a8c83eaf2d264b5b1a6dcc32c21b4897511203f97f01f2a691eef080b4cd7ca4fc38 -+ -+ -+# [PRF=HMAC_SHA256] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:dd1d91b7d90b2bd3138533ce92b272fbf8a369316aefe242e659cc0ae238afe0 -+Ctrl.hexinfo = hexinfo:01322b96b30acd197979444e468e1c5c6859bf1b1cf951b7e725303e237e46b864a145fab25e517b08f8683d0315bb2911d80a0e8aba17f3b413faac -+Output = 10621342bfb0fd40046c0e29f2cfdbf0 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:e204d6d466aad507ffaf6d6dab0a5b26152c9e21e764370464e360c8fbc765c6 -+Ctrl.hexinfo = hexinfo:7b03b98d9f94b899e591f3ef264b71b193fba7043c7e953cde23bc5384bc1a6293580115fae3495fd845dadbd02bd6455cf48d0f62b33e62364a3a80 -+Output = 770dfab6a6a4a4bee0257ff335213f78d8287b4fd537d5c1fffa956910e7c779 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:dc60338d884eecb72975c603c27b360605011756c697c4fc388f5176ef81efb1 -+Ctrl.hexinfo = hexinfo:44d7aa08feba26093c14979c122c2437c3117b63b78841cd10a4bc5ed55c56586ad8986d55307dca1d198edcffbc516a8fbe6152aa428cdd800c062d -+Output = 29ac07dccf1f28d506cd623e6e3fc2fa255bd60b -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA256 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:c4bedbddb66493e7c7259a3bbbc25f8c7e0ca7fe284d92d431d9cd99a0d214ac -+Ctrl.hexinfo = hexinfo:1c69c54766791e315c2cc5c47ecd3ffab87d0d273dd920e70955814c220eacace6a5946542da3dfe24ff626b4897898cafb7db83bdff3c14fa46fd4b -+Output = 1da47638d6c9c4d04d74d4640bbd42ab814d9e8cc22f4326695239f96b0693f12d0dd1152cf44430 -+ -+ -+# [PRF=HMAC_SHA384] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:0be1999848a7a14a555649048fcadf2f644304d163190dc9b23a21b80e3c8c373515d6267d9c5cfd31b560ffd6a2cd5c -+Ctrl.hexinfo = hexinfo:11340cfbdb40f20f84cac4b8455bdd76c730adcecd0484af9011bacd46e22ff2d87755dfb4d5ba7217c37cb83259bdbe0983cc716adc2e6c826ed53c -+Output = c2ea7454de25afb27065f4676a392385 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:218f47301a3adf39a4e1ddc25a1df2b7db53d7780c207f47ab4cefcaa960ed82cb6cbc34b97b4c332d52ca81cc40cb9a -+Ctrl.hexinfo = hexinfo:60dcb116d7cfd3cca7315c9dc7e9650f886b67d9fbcd98c226239a0f66eff075da23c6cb750a2129ae71b9582934f57423a815249cac2c61f958b35d -+Output = 26b01d94c4dd51a9c8b54f78647257f9e937a8d67dffa78f85749cdfb22db620 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:426c4facbacecb654555bc9843f9864a53e14c9a5e19600abf57b03cf8b6f825f71191eaaf3cfd70961314acbf1e6e29 -+Ctrl.hexinfo = hexinfo:d224dc52dd16bde3391fab24fa875b695d63215e182efa970537904f4cd1d7f929f87c17fa97bd490f10cfc3bb80353ea4a4bb403f79e18677c39d29 -+Output = 431c73810e9fe4f4982202f55eb5f0212f302142 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:522a72c006a6b77911915c78952dd61848725a4b0789b2cfce3b29d947d9faa145417740c0365bd81a860a600012543b -+Ctrl.hexinfo = hexinfo:4a3cd102c4b95fe193660c4c174f02c725207449b785edb8fa8c4404f01a25bef3238637d3bae370758332c678deb578322e031ec3970876600196d2 -+Output = 2f5d52226949aecfe6359561a5fdd87a843457019e24faacacedd34177cda6cba18cc78cc8c78cef -+ -+ -+# [PRF=HMAC_SHA384] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:26ef897e4b617b597f766ec8d8ccf44c543e790a7d218f029dcb4a3695ae2caccce9d3e935f6741581f2f53e49cd46f8 -+Ctrl.hexinfo = hexinfo:bc2c728f9dc6db426dd4e85fdb493826a31fec0607644209f9bf2264b6401b5db3004c1a76aa08d93f08d3d9e2ba434b682e480004fb0d9271a8e8cd -+Output = a43d31f07f0ee484455ae11805803f60 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:269cce234dd4783067ceaa04a70deb1c9700acf705548495767c22f78493851ca9c699077a002874caacb760106016c6 -+Ctrl.hexinfo = hexinfo:f64bfb4bdaac81b5801d2f9f08bc2e4d009990b67290fd49b3730c3a145696447aceae6a82f7508a19c396a548c9c33d943dab82b2538c18b8eee871 -+Output = ab4182261c5d9c0d23a26477f14a507dd7f5e9550d04f48de29e644ed55f3406 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:ec71de96c9520386f9d11bebe474bae0c0549e2b2e8fda6b2336050ee3acbec38bc57d56e6422d3cd493ead69772a059 -+Ctrl.hexinfo = hexinfo:4313d1efba21dded84ce12bf80b1be54400619d3bb1987f18bf85400e335103969e77c819a5360cf1dd3f4addb6b8eec0199508c75adfe2cfc067dc8 -+Output = 8e37ecc86dcb5ee7cf48d8a07f06c47cdce624cc -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:afe2d3a4746792908aca8ece67ba8562382000b4e26122414b3ef2e120511bae68448955cf186be87caf69eaced47e87 -+Ctrl.hexinfo = hexinfo:1f6dd0b17fed7f479c4f62927291a95292a4e232441c30ffcaa1d347543e50db939360bb37976eacb911f76c38ad8cce12a0c263875bbcd7f6011ffd -+Output = 17b671ca433cea81384b03b69c26a55257085cdfa48e6d8529431464bd439a881de560294afb0073 -+ -+ -+# [PRF=HMAC_SHA384] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:4fab4f1e3512b5f443ec31d2f6425d5f0fc13a5f82c83f72788a48a1bd499495ff18fb7acc0d4c1666c99db12e28f725 -+Ctrl.hexinfo = hexinfo:f0f010f99fbd8ec1bd0f23cd12bb41b2b8acb8713bb031f927e439f616e6ae27aed3f5582f8206893deea1204df125cedce35ce2b01b32bcefb388fd -+Output = c3c263b5aa6d0cfe5304a7c9d21a44ba -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:af3cd100d14dcb5e63f8915eced4b59477936c48e0e2b9232449a97d53d3eddf9e00bf44a8f2370c38a13434c13e0977 -+Ctrl.hexinfo = hexinfo:81f178f11615309844af84e163ff694f1936f7528aba6f0e60d41b4afac87e9dd48fbb5aebe534733f576950484aab15b386b468a055a1e0be8982c0 -+Output = 0b52be4ebd8b2116df895a42317ac78808993673c99da6391f0eee13cc8470fa -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:fc3ba84439d8b7ead37ac6c825e088fc80152788bbc9c68569213dd6189d5fd552c37ab73b3d53ee9809a485194fb3cd -+Ctrl.hexinfo = hexinfo:df5728d5d146898b68d8713aa8053d03db52b7227d502d3effcd51a22d52ecd9175a4b01d2f27ecfc8abf02c1dd80f5c90a5e01396c1107dddb02226 -+Output = 87ff36ca26778fcaf4f9209d38095c55c40f5e22 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:08d867a61b13cd8c79d3a1cbec3493925ece900e06993063bc0dfe0247cd059ba50a5fb6afc65ac469793817a1f2dfee -+Ctrl.hexinfo = hexinfo:af0c83a659267869bd7cde387bf1c29c9c0ff3c6cabf512c73fd671748e4e9e49218de9350fc0dde27839eb1e2878f900689abeb7b540c70203e5a95 -+Output = 3fef69d875b9b6047c33f295619f6e7c7125c875d55409500100f71bee6551d511327fbde607ac41 -+ -+ -+# [PRF=HMAC_SHA384] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:216ed044769c4c3908188ece61601af8819c30f501d12995df608e06f5e0e607ab54f542ee2da41906dfdb4971f20f9d -+Ctrl.hexinfo = hexinfo:638e9506a2c7be69ea346b84629a010c0e225b7548f508162c89f29c1ddbfd70472c2b58e7dc8aa6a5b06602f1c8ed4948cda79c62708218e26ac0e2 -+Output = d4b144bb40c7cabed13963d7d4318e72 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:8fca201473433f2dc8f6ae51e48de1a5654ce687e711d2d65f0dc5da6fee9a6a3db9d8535d3e4455ab53d35850c88272 -+Ctrl.hexinfo = hexinfo:195bd88aa2d4211912334fe2fd9bd24522f7d9fb08e04747609bc34f2538089a9d28bbc70b2e1336c3643753cec6e5cd3f246caa915e3c3a6b94d3b6 -+Output = f51ac86b0f462388d189ed0197ef99c2ff3a65816d8442e5ea304397b98dd11f -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:bc3157b8932e88d1b1cf8e4622137010a242d3527b1d23d6d9c0db9cc9edfc20e5135de823977bf4defafae44d6cdab6 -+Ctrl.hexinfo = hexinfo:b42a8e43cc2d4e5c69ee5e4f6b19ff6b8071d26bab4dfe45650b92b1f47652d25162d4b61441d8448c54918ae568ae2fb53091c624dbfffacee51d88 -+Output = 91314bdf542162031643247d6507838eaba50f1a -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA384 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:582f968a54b8797b9ea8c655b42e397adb73d773b1984b1e1c429cd597b8015d2f91d59e4136a9d523bf6491a4733c7a -+Ctrl.hexinfo = hexinfo:e6d3c193eff34e34f8b7b00e66565aeb01f63206bb27e27aa281592afc06ae1ec5b7eb97a39684ce773d7c3528f2667c1f5d428406e78ce4cf39f652 -+Output = 691726c111e5030b5f9657069107861ecc18bc5835a814c3d2e5092c901cb1fb6c1a7cd3eb0be2a7 -+ -+ -+# [PRF=HMAC_SHA512] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=8_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:6ea2c385bb3e7bbafc2225cee1d3ee103ce300c1fdf033d0c1e99c57e6a596e037020838e857c0434040b58a5ca5410be672b888ef9955bdd54eb6a67416ff6a -+Ctrl.hexinfo = hexinfo:be119901ed8679b243508b97663f35da322774d7d2012d6557da6657c1176a115ebc73b0f1bfa1dba6b8c3b124f0a47cff2998b230c955b0ea809784 -+Output = e0755fa6f116ef7a8e8361f47fd57511 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:0ef984d7b4ee76f5c9e080b27f45ccab4ac2362c4cafa68198786b18e239d0f69ee62148373643ad9aa42474700348ef651fee9973130a42e76b7e7633eba1e9 -+Ctrl.hexinfo = hexinfo:56ece7c14c1fc5467f8316f3a931a7ddfa490969f442d7a132f3755809f6ca11dbc9c6493a541c244c32be6656e13ef2868cb79415b807b3882f00d2 -+Output = 19aa765affdd3cc7294b2c97e1bd5adc368523a3283c387d0719761e938f83db -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:a35728d4ec0d7e94019a45d52264e5cd63c7540c21e30a9882d8d531cbb510edaa78e42c03994c18d8efcf7f826a1a9fdbbbacc55c640e7b532cc08e0615a093 -+Ctrl.hexinfo = hexinfo:f501cc527bad6fe5d8e4f1f0f53d416ab17235f380f7e0d1c90dca18206af1fb1d977551e2e0e25c1fe41a8f825fbae2c07c94b768e98ad5ab8ddb2e -+Output = 54cf238101418ce050eee03aae0c39c4602ab838 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:8 -+Ctrl.hexkey = hexkey:baed493b0294c9a5dbbe4547a30f0602c6124cedb549b45cff0ee4f3689a7ae5b695e5ecdfebf611bba1174e5e3a8824383e555daef396dc58c2842f77d5a674 -+Ctrl.hexinfo = hexinfo:1371182cb0725416b1eccf4ac9fb20cf4e0f77e7d006a531e0ab2b2b46e0859473dad9dcae65ba5eb902228787dae19e735d002c919a4b74012f8904 -+Output = 09bb55c9f3cee604f4bc5544a802be8b02b34b99f7928ceee696221975f947905f1b5979d9d4c2a1 -+ -+ -+# [PRF=HMAC_SHA512] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=16_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:bb0c55c7201ceb2e1369a6c49e2cdc1ae5e4cd1d64638105072c3a9172b2fa6a127c4d6d55132585fb2644b5ae3cf9d347875e0d0bf80945eaabef3b4319605e -+Ctrl.hexinfo = hexinfo:89bf925033f00635c100e2c88a98ad9f08cd6a002b934617d4ebfffc0fe9bca1d19bd942da3704da127c7493cc62c67f507c415e4cb67d7d0be70005 -+Output = 05efd62522beb9bfff6492ecd24501a7 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:393eb889e9c2f251b95aa147d53e4cd029fd0391110be9c6b2f8ba32857864847c448a9a591686de88da7486d0a0f0f8c927560fa8f79c30e66a7efaacaa638f -+Ctrl.hexinfo = hexinfo:116bf7f9e5eb884c86cd0d3a2b33d41de7735677e6bd727e83fbde5c8113de56bf84c9f80610db760ae2df73f4f0db9df0cc1655ea9bc98bb06beeda -+Output = 212e4e4057a6871e166e7563205833bc7f01e86c724b6a61166d9311c55b5044 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:eeec4383a808fae57f24a7a5eb6157cca66483a613590c89ed39f59617ea97fcfa7cdfc83ba8140fa0d8542263d6423a9bcca70e11addb7a646f194ff0878cac -+Ctrl.hexinfo = hexinfo:b2565a20171eef1eaa04728e6c369405b251062bbd0a2b9171c8c6fedf0ff783691db787f153bbf5167301808f768a03df0deec99f2b9efb90cab571 -+Output = 4f31b7bcd54c74d8a7d31aca187b8736f0a59db7 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:16 -+Ctrl.hexkey = hexkey:62690d8ef259d175911d8eb52a331af29a8e3b797c4b315a67fa5cd1b00e585b2f7d97341284d0fcaa15a080732f7958e3b33e938e730623d1e651dbea9b2233 -+Ctrl.hexinfo = hexinfo:266535b58de26ed62f936bc7147c8c3b31ee0c1bb92c5ef63699ac7225e01cec5afd2e6e39cf095882324c7dc94b0daa2befc50f790da0547d7c6184 -+Output = 9336a88737d9ae01b5c43be5789c8545689557aad295ea3c03d2a2e0143603365fea1656175c20bf -+ -+ -+# [PRF=HMAC_SHA512] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=24_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:d10933b0683f6787c33eccea1c311b8444270504fb3980bfd56443ba4068722184c31541d9174f71068b7789440bc34cec456e115067f9c65a5f2883c6868204 -+Ctrl.hexinfo = hexinfo:dcb2ea8d715821d6393bd49a3e35f69a6c2519edb614f80fbc3f7ae1d65ff4a04c499e75d08819a09092ddaadba510e03cb2ac898804590dbd61fb7e -+Output = 876d73040d03d569e2fcae33b241d98e -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:44e6e9abd8572a19ba127dfa2ca6a1b53beaef8c19a1ec5b67f1f6f7919671cd80ade7ded7c0f096525936ef427b152339de915f024964ca9ea908a120e2553a -+Ctrl.hexinfo = hexinfo:c2884a0c3ea2ff5b0bc848698f49f2c59eff511d77caddba897dec7714a0984e54f330dd9e9fdca9c033dfbc36d3293eca0ce7601e316463966ad4fd -+Output = b294537440bec490953bf6e9a77c4510536916b84a5a2f45b5bf9f76666d8f12 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:a39131ca2f8df817ea2f155aac72d58a696d915b66b7cbe172a0f48a407aa8af0edbaea051eb027fe8fcc435cc7f160feeb57bd39a39d94104fe35167dac1aae -+Ctrl.hexinfo = hexinfo:52b6d1f6381fc3dd44baf1c9d36f0c313e58bf4fdb936b78103afdb90373079de90e4bb7d7089e65e0aef23f2a34df5198b8392aac705eb998c1f8cd -+Output = e707c910b4db3a648815fcad5ca7af18e5354c2e -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:24 -+Ctrl.hexkey = hexkey:af5a39f0303b11bca55584ce24162dabd1625aed14ce54f9e407866e03efb24b12a36e164f96faf36bc92a08acd194285107173fb84caef787672d6471028459 -+Ctrl.hexinfo = hexinfo:1cd84829b89d3149948967494aece985f1df3d7ec7735e8cc468bb3e6fdb50964d32dcde5521a82402577371047bf77e34714437e9d213561055b9db -+Output = a0e81b336a6f4ab395aada28314d8ba96b9216ae389b01aaec158e166239e554a217e69f603988fb -+ -+ -+# [PRF=HMAC_SHA512] -+# [CTRLOCATION=BEFORE_FIXED] -+# [RLEN=32_BITS] -+ -+# COUNT=0 -+# L = 128 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:dd5dbd45593ee2ac139748e7645b450f223d2ff297b73fd71cbcebe71d41653c950b88500de5322d99ef18dfdd30428294c4b3094f4c954334e593bd982ec614 -+Ctrl.hexinfo = hexinfo:b50b0c963c6b3034b8cf19cd3f5c4ebe4f4985af0c03e575db62e6fdf1ecfe4f28b95d7ce16df85843246e1557ce95bb26cc9a21974bbd2eb69e8355 -+Output = e5993bf9bd2aa1c45746042e12598155 -+ -+# COUNT=10 -+# L = 256 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:5be2bf7f5e2527e15fe65cde4507d98ba55457006867de9e4f36645bcff4ca38754f92898b1c5544718102593b8c26d45d1fceaea27d97ede9de8b9ebfe88093 -+Ctrl.hexinfo = hexinfo:004b13c1f628cb7a00d9498937bf437b71fe196cc916c47d298fa296c6b86188073543bbc66b7535eb17b5cf43c37944b6ca1225298a9e563413e5bb -+Output = cee0c11be2d8110b808f738523e718447d785878bbb783fb081a055160590072 -+ -+# COUNT=20 -+# L = 160 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:9dd03864a31aa4156ca7a12000f541680ce0a5f4775eef1088ac13368200b447a78d0bf14416a1d583c54b0f11200ff4a8983dd775ce9c0302d262483e300ae6 -+Ctrl.hexinfo = hexinfo:037369f142d669fca9e87e9f37ae8f2c8d506b753fdfe8a3b72f75cac1c50fa1f8620883b8dcb8dcc67adcc95e70aa624adb9fe1b2cb396692b0d2e8 -+Output = 96e8d1bc01dc95c0bf42c3c38fc54c090373ced4 -+ -+# COUNT=30 -+# L = 320 -+KDF = KBKDF -+Ctrl.mode = mode:COUNTER -+Ctrl.digest = digest:SHA512 -+Ctrl.mac = mac:HMAC -+Ctrl.use-l = use-l:0 -+Ctrl.use-separator = use-separator:0 -+Ctrl.r = r:32 -+Ctrl.hexkey = hexkey:a9f4a2c5af839867f5db5a1e520ab3cca72a166ca60de512fd7fe7e64cf94f92cf1d8b636175f293e003275e021018c3f0ede495997a505ec9a2afeb0495be57 -+Ctrl.hexinfo = hexinfo:8e9db3335779db688bcfe096668d9c3bc64e193e3529c430e68d09d56c837dd6c0f94678f121a68ee1feea4735da85a49d34a5290aa39f7b40de435f -+Output = 6db880daac98b078ee389a2164252ded61322d661e2b49247ea921e544675d8f17af2bf66dd40d81 -+ diff --git a/SOURCES/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch b/SOURCES/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch index 5208f40..14bacd4 100644 --- a/SOURCES/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch +++ b/SOURCES/0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch @@ -95,7 +95,7 @@ index 4b74ee1a34..5f089de107 100644 - */ - sigalgstr[0] = (sig >> 8) & 0xff; - sigalgstr[1] = sig & 0xff; -- secbits = sigalg_security_bits(s->ctx, lu); +- secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu); - if (secbits == 0 || - !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, - md != NULL ? EVP_MD_get_type(md) : NID_undef, @@ -104,8 +104,8 @@ index 4b74ee1a34..5f089de107 100644 - return 0; + + if (lu->hash == NID_sha1 -+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) -+ && SSL_get_security_level(s) < 3) { ++ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0) ++ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) { + /* when rh-allow-sha1-signatures = yes and security level <= 2, + * explicitly allow SHA1 for backwards compatibility */ + } else { @@ -115,7 +115,7 @@ index 4b74ee1a34..5f089de107 100644 + */ + sigalgstr[0] = (sig >> 8) & 0xff; + sigalgstr[1] = sig & 0xff; -+ secbits = sigalg_security_bits(s->ctx, lu); ++ secbits = sigalg_security_bits(s->session_ctx, lu); + if (secbits == 0 || + !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, + md != NULL ? EVP_MD_get_type(md) : NID_undef, @@ -131,15 +131,15 @@ index 4b74ee1a34..5f089de107 100644 } + if (lu->hash == NID_sha1 -+ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) -+ && SSL_get_security_level(s) < 3) { ++ && ossl_ctx_legacy_digest_signatures_allowed(s->session_ctx->libctx, 0) ++ && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) { + /* when rh-allow-sha1-signatures = yes and security level <= 2, + * explicitly allow SHA1 for backwards compatibility */ + return 1; + } + /* Finally see if security callback allows it */ - secbits = sigalg_security_bits(s->ctx, lu); + secbits = sigalg_security_bits(SSL_CONNECTION_GET_CTX(s), lu); sigalgstr[0] = (lu->sigalg >> 8) & 0xff; @@ -2977,6 +2994,8 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) { @@ -147,9 +147,9 @@ index 4b74ee1a34..5f089de107 100644 int secbits, nid, pknid; + OSSL_LIB_CTX *libctx = NULL; + + /* Don't check signature if self signed */ if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) - return 1; @@ -2985,6 +3004,25 @@ static int ssl_security_cert_sig(SSL *s, SSL_CTX *ctx, X509 *x, int op) /* If digest NID not defined use signature NID */ if (nid == NID_undef) @@ -159,21 +159,21 @@ index 4b74ee1a34..5f089de107 100644 + libctx = x->libctx; + else if (ctx && ctx->libctx) + libctx = ctx->libctx; -+ else if (s && s->ctx && s->ctx->libctx) -+ libctx = s->ctx->libctx; ++ else if (s && s->session_ctx && s->session_ctx->libctx) ++ libctx = s->session_ctx->libctx; + else + libctx = OSSL_LIB_CTX_get0_global_default(); + + if (nid == NID_sha1 + && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) -+ && ((s != NULL && SSL_get_security_level(s) < 3) ++ && ((s != NULL && SSL_get_security_level(SSL_CONNECTION_GET_SSL(s)) < 3) + || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 3) + )) + /* When rh-allow-sha1-signatures = yes and security level <= 2, + * explicitly allow SHA1 for backwards compatibility. */ + return 1; + - if (s) + if (s != NULL) return ssl_security(s, op, secbits, nid, x); else diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t @@ -184,8 +184,8 @@ index 700bbd849c..2de1d76b5e 100644 run(app([@args])); } --plan tests => 163; -+plan tests => 162; +-plan tests => 193; ++plan tests => 192; # Canonical success ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), @@ -203,4 +203,3 @@ index 700bbd849c..2de1d76b5e 100644 "PSS signature using SHA256 and auth level 2"); -- 2.35.1 - diff --git a/SOURCES/0056-strcasecmp.patch b/SOURCES/0056-strcasecmp.patch index 01ca25e..6b740ce 100644 --- a/SOURCES/0056-strcasecmp.patch +++ b/SOURCES/0056-strcasecmp.patch @@ -1,13 +1,12 @@ diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num --- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200 +++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200 -@@ -5425,6 +5425,8 @@ ASN1_item_d2i_ex - EVP_PKEY_CTX_get0_provider 5555 3_0_0 EXIST::FUNCTION: - OPENSSL_strcasecmp 5556 3_0_3 EXIST::FUNCTION: - OPENSSL_strncasecmp 5557 3_0_3 EXIST::FUNCTION: +@@ -5425,5 +5425,7 @@ ASN1_item_d2i_ex + X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: + OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: + BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK +OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION: +OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION: - ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c @@ -45,10 +44,10 @@ diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/ --- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100 +++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 2022-11-25 18:31:20.993392678 +0100 @@ -77,6 +80,7 @@ foreach my $libname (@libnames) { - s| .*||; - # Drop OpenSSL dynamic version information if there is any - s|\@\@.+$||; -+ s|\@.+$||; - # Return the result - $_ - } + s| .*||; + # Drop OpenSSL dynamic version information if there is any + s|\@\@.+$||; ++ s|\@.+$||; + # Return the result + $_ + } diff --git a/SOURCES/0058-FIPS-limit-rsa-encrypt.patch b/SOURCES/0058-FIPS-limit-rsa-encrypt.patch index b9cc3aa..c4f952b 100644 --- a/SOURCES/0058-FIPS-limit-rsa-encrypt.patch +++ b/SOURCES/0058-FIPS-limit-rsa-encrypt.patch @@ -1,6 +1,25 @@ -diff -up openssl-3.0.1/providers/common/securitycheck.c.rsaenc openssl-3.0.1/providers/common/securitycheck.c ---- openssl-3.0.1/providers/common/securitycheck.c.rsaenc 2022-06-24 17:14:33.634692729 +0200 -+++ openssl-3.0.1/providers/common/securitycheck.c 2022-06-24 17:16:08.966540605 +0200 +From 012e319b3d5b936a9208b1c75c13d9c4a2d0cc04 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 24/49] 0058-FIPS-limit-rsa-encrypt.patch + +Patch-name: 0058-FIPS-limit-rsa-encrypt.patch +Patch-id: 58 +Patch-status: | + # # https://bugzilla.redhat.com/show_bug.cgi?id=2053289 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + providers/common/securitycheck.c | 1 + + .../implementations/asymciphers/rsa_enc.c | 35 +++++ + .../30-test_evp_data/evppkey_rsa_common.txt | 140 +++++++++++++----- + test/recipes/80-test_cms.t | 5 +- + test/recipes/80-test_ssl_old.t | 27 +++- + 5 files changed, 168 insertions(+), 40 deletions(-) + +diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c +index fe694c4e96..f635b5aec8 100644 +--- a/providers/common/securitycheck.c ++++ b/providers/common/securitycheck.c @@ -27,6 +27,7 @@ * Set protect = 1 for encryption or signing operations, or 0 otherwise. See * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf. @@ -9,10 +28,11 @@ diff -up openssl-3.0.1/providers/common/securitycheck.c.rsaenc openssl-3.0.1/pro int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation) { int protect = 0; -diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c ---- openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pad 2022-05-02 16:04:47.000091901 +0200 -+++ openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c 2022-05-02 16:14:50.922443581 +0200 -@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsac +diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c +index 71bfa344d4..d548560f1f 100644 +--- a/providers/implementations/asymciphers/rsa_enc.c ++++ b/providers/implementations/asymciphers/rsa_enc.c +@@ -135,6 +135,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa, return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT); } @@ -30,7 +50,7 @@ diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pa static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, size_t outsize, const unsigned char *in, size_t inlen) { -@@ -141,6 +152,18 @@ static int rsa_encrypt(void *vprsactx, u +@@ -144,6 +155,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, if (!ossl_prov_is_running()) return 0; @@ -49,7 +69,7 @@ diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pa if (out == NULL) { size_t len = RSA_size(prsactx->rsa); -@@ -202,6 +220,18 @@ static int rsa_decrypt(void *vprsactx, u +@@ -206,6 +229,18 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, if (!ossl_prov_is_running()) return 0; @@ -68,75 +88,11 @@ diff -up openssl-3.0.1/providers/implementations/asymciphers/rsa_enc.c.no_bad_pa if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) { if (out == NULL) { *outlen = SSL_MAX_MASTER_KEY_LENGTH; -diff -up openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_cms.t ---- openssl-3.0.1/test/recipes/80-test_cms.t.no_bad_pad 2022-05-02 17:04:07.610782138 +0200 -+++ openssl-3.0.1/test/recipes/80-test_cms.t 2022-05-02 17:06:03.595814620 +0200 -@@ -232,7 +232,7 @@ my @smime_pkcs7_tests = ( - \&final_compare - ], - -- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients", -+ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS", - [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, - "-aes256", "-stream", "-out", "{output}.cms", - $smrsa1, -@@ -865,5 +865,8 @@ sub check_availability { - return "$tnam: skipped, DSA disabled\n" - if ($no_dsa && $tnam =~ / DSA/); - -+ return "$tnam: skipped, Red Hat FIPS\n" -+ if ($tnam =~ /no Red Hat FIPS/); -+ - return ""; - } -diff -up openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad openssl-3.0.1/test/recipes/80-test_ssl_old.t ---- openssl-3.0.1/test/recipes/80-test_ssl_old.t.no_bad_pad 2022-05-02 17:26:37.962838053 +0200 -+++ openssl-3.0.1/test/recipes/80-test_ssl_old.t 2022-05-02 17:34:20.297950449 +0200 -@@ -483,6 +483,18 @@ sub testssl { - # the default choice if TLSv1.3 enabled - my $flag = $protocol eq "-tls1_3" ? "" : $protocol; - my $ciphersuites = ""; -+ my %redhat_skip_cipher = map {$_ => 1} qw( -+AES256-GCM-SHA384:@SECLEVEL=0 -+AES256-CCM8:@SECLEVEL=0 -+AES256-CCM:@SECLEVEL=0 -+AES128-GCM-SHA256:@SECLEVEL=0 -+AES128-CCM8:@SECLEVEL=0 -+AES128-CCM:@SECLEVEL=0 -+AES256-SHA256:@SECLEVEL=0 -+AES128-SHA256:@SECLEVEL=0 -+AES256-SHA:@SECLEVEL=0 -+AES128-SHA:@SECLEVEL=0 -+ ); - foreach my $cipher (@{$ciphersuites{$protocol}}) { - if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { - note "*****SKIPPING $protocol $cipher"; -@@ -494,11 +506,16 @@ sub testssl { - } else { - $cipher = $cipher.':@SECLEVEL=0'; - } -- ok(run(test([@ssltest, @exkeys, "-cipher", -- $cipher, -- "-ciphersuites", $ciphersuites, -- $flag || ()])), -- "Testing $cipher"); -+ if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) { -+ note "*****SKIPPING $cipher in Red Hat FIPS mode"; -+ ok(1); -+ } else { -+ ok(run(test([@ssltest, @exkeys, "-cipher", -+ $cipher, -+ "-ciphersuites", $ciphersuites, -+ $flag || ()])), -+ "Testing $cipher"); -+ } - } - } - next if $protocol eq "-tls1_3"; -diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ---- openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fipskeylen 2022-06-16 14:26:19.383530498 +0200 -+++ openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2022-06-16 14:39:53.637777701 +0200 -@@ -263,12 +263,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974 +diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +index 76ddc1ec60..62d55308b0 100644 +--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -248,13 +248,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974002aa6e6160b481447c6819947c2d3b537a6e377 Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef # RSA decrypt @@ -146,12 +102,394 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 Output = "Hello World" - # Corrupted ciphertext + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 +Availablein = default + # Note: disable the Bleichenbacher workaround to see if it passes Decrypt = RSA-2048 - Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 + Ctrl = rsa_pkcs1_implicit_rejection:0 +@@ -262,7 +262,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C70 Output = "Hello World" -@@ -665,36 +666,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mN + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Corrupted ciphertext + # Note: output is generated synthethically by the Bleichenbacher workaround + Decrypt = RSA-2048 +@@ -270,7 +270,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C70 + Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Corrupted ciphertext + # Note: disable the Bleichenbacher workaround to see if it fails + Decrypt = RSA-2048 +@@ -345,82 +345,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC + # RSA decrypt + + # a random positive test case ++Availablein = default + Decrypt = RSA-2048-2 + Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066 + Output = "lorem ipsum dolor sit amet" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case decrypting to empty + Decrypt = RSA-2048-2 + Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7 + Output = + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # invalid decrypting to max length message + Decrypt = RSA-2048-2 + Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303 + Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 + # invalid decrypting to message with length specified by second to last value from PRF ++Availablein = default + Decrypt = RSA-2048-2 + Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354 + Output = 0f9b + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # invalid decrypting to message with length specified by third to last value from PRF + Decrypt = RSA-2048-2 + Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081 + Output = 4f02 + + # positive test with 11 byte long value ++Availablein = default + Decrypt = RSA-2048-2 + Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592 + Output = "lorem ipsum" + + # positive test with 11 byte long value and zero padded ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b + Output = "lorem ipsum" + + # positive test with 11 byte long value and zero truncated ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b + Output = "lorem ipsum" + + # positive test with 11 byte long value and double zero padded ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc + Output = "lorem ipsum" + + # positive test with 11 byte long value and double zero truncated ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc + Output = "lorem ipsum" + + # positive that generates a 0 byte long synthetic message internally ++Availablein = default + Decrypt = RSA-2048-2 + Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0 + Output = "lorem ipsum" + + # positive that generates a 245 byte long synthetic message internally ++Availablein = default + Decrypt = RSA-2048-2 + Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50 + Output = "lorem ipsum" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test that generates an 11 byte long message + Decrypt = RSA-2048-2 + Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2 + Output = af9ac70191c92413cb9f2d + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise correct plaintext, but with wrong first byte + # (0x01 instead of 0x00), generates a random 11 byte long plaintext + Decrypt = RSA-2048-2 +@@ -428,7 +436,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc + Output = a1f8c9255c35cfba403ccc + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise correct plaintext, but with wrong second byte + # (0x01 instead of 0x02), generates a random 11 byte long plaintext + Decrypt = RSA-2048-2 +@@ -436,7 +444,7 @@ Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d + Output = e6d700309ca0ed62452254 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with a zero byte in first byte of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -445,7 +453,7 @@ Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2a + Output = ba27b1842e7c21c0e7ef6a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with a zero byte removed from first byte of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -454,7 +462,7 @@ Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3 + Output = ba27b1842e7c21c0e7ef6a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with two zero bytes in first bytes of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -463,7 +471,7 @@ Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f + Output = d5cf555b1d6151029a429a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with two zero bytes removed from first bytes of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -472,7 +480,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c + Output = d5cf555b1d6151029a429a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # and invalid ciphertext, otherwise valid but starting with 000002, decrypts + # to random 11 byte long synthetic plaintext + Decrypt = RSA-2048-2 +@@ -480,7 +488,7 @@ Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802 + Output = 3d4a054d9358209e9cbbb9 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with otherwise valid padding but a zero byte in first byte + # of padding + Decrypt = RSA-2048-2 +@@ -488,7 +496,7 @@ Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a94 + Output = 1f037dd717b07d3e7f7359 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with otherwise valid padding but a zero byte at the eighth + # byte of padding + Decrypt = RSA-2048-2 +@@ -496,7 +504,7 @@ Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a9646 + Output = 63cb0bf65fc8255dd29e17 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with an otherwise valid plaintext but with missing separator + # byte + Decrypt = RSA-2048-2 +@@ -551,53 +559,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC + # RSA decrypt + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # malformed that generates length specified by 3rd last value from PRF + Decrypt = RSA-2049 + Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894 + Output = 42 + + # simple positive test case ++Availablein = default + Decrypt = RSA-2049 + Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967 + Output = "lorem ipsum" + + # positive test case with null padded ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 + Output = "lorem ipsum" + + # positive test case with null truncated ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 + Output = "lorem ipsum" + + # positive test case with double null padded ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 + Output = "lorem ipsum" + + # positive test case with double null truncated ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 + Output = "lorem ipsum" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates an 11 byte long message + Decrypt = RSA-2049 + Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca + Output = 1189b6f5498fd6df532b00 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) + Decrypt = RSA-2049 + Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff + Output = f6d0f5b78082fe61c04674 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) + Decrypt = RSA-2049 + Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3 +@@ -661,14 +674,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE= + PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid ciphertext that generates an empty synthetic one + Decrypt = RSA-3072 + Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59 + Output = + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid that has PRF output with a length one byte too long + # in the last value + Decrypt = RSA-3072 +@@ -676,46 +689,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa + Output = 56a3bea054e01338be9b7d7957539c + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid that generates a synthetic of maximum size + Decrypt = RSA-3072 + Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6 + Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04 + + # a positive test case that decrypts to 9 byte long value ++Availablein = default + Decrypt = RSA-3072 + Input = 6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde + Output = "forty two" + + # a positive test case with null padded ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 + Output = "forty two" + + # a positive test case with null truncated ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 + Output = "forty two" + + # a positive test case with double null padded ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 + Output = "forty two" + + # a positive test case with double null truncated ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 + Output = "forty two" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates a 9 byte long message + Decrypt = RSA-3072 + Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56 + Output = 257906ca6de8307728 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates a 9 byte long message based on + # second to last value from PRF + Decrypt = RSA-3072 +@@ -723,7 +741,7 @@ Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a0 + Output = 043383c929060374ed + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test that generates message based on 3rd last value from + # PRF + Decrypt = RSA-3072 +@@ -731,35 +749,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf48 + Output = 70263fa6050534b9e0 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) + Decrypt = RSA-3072 + Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62 + Output = 6d8d3a094ff3afff4c + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) + Decrypt = RSA-3072 + Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936 + Output = c6ae80ffa80bc184b0 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with zero byte in first byte of padding + Decrypt = RSA-3072 + Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0 + Output = a8a9301daa01bb25c7 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with zero byte in eight byte of padding + Decrypt = RSA-3072 + Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571 + Output = 6c716fe01d44398018 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with null separator missing + Decrypt = RSA-3072 + Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4 +@@ -1106,36 +1124,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2 h90qjKHS9PvY4Q== -----END PRIVATE KEY----- @@ -194,7 +532,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-1 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -719,36 +726,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64 +@@ -1160,36 +1184,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8 eG2e4XlBcKjI6A== -----END PRIVATE KEY----- @@ -237,7 +575,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-2 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -773,36 +786,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+W +@@ -1214,36 +1244,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z Ya4qnqZe1onjY5o= -----END PRIVATE KEY----- @@ -280,7 +618,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-3 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -827,36 +846,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/ +@@ -1268,36 +1304,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq aD0x7TDrmEvkEro= -----END PRIVATE KEY----- @@ -323,7 +661,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-4 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -881,36 +906,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/ +@@ -1322,36 +1364,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B MSwGUGLx60i3nRyDyw== -----END PRIVATE KEY----- @@ -366,7 +704,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-5 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -935,36 +966,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hq +@@ -1376,36 +1424,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC Yejn5Ly8mU2q+jBcRQ== -----END PRIVATE KEY----- @@ -409,7 +747,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-6 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -989,36 +1026,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4 +@@ -1430,36 +1484,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS FMlxv0gq65dqc3DC -----END PRIVATE KEY----- @@ -452,7 +790,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-7 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1043,36 +1086,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15E +@@ -1484,36 +1544,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM 2MiPa249Z+lh3Luj0A== -----END PRIVATE KEY----- @@ -495,7 +833,7 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-8 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 -@@ -1103,36 +1152,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSc +@@ -1544,36 +1610,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo tKo5Eb69iFQvBb4= -----END PRIVATE KEY----- @@ -538,3 +876,74 @@ diff -up openssl-3.0.1/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.fips Decrypt=RSA-OAEP-9 Ctrl = rsa_padding_mode:oaep Ctrl = rsa_mgf1_md:sha1 +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index 4e368c730b..879d5d76eb 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -235,7 +235,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients", ++ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS", + [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, + "-aes256", "-stream", "-out", "{output}.cms", + $smrsa1, +@@ -1118,6 +1118,9 @@ sub check_availability { + return "$tnam: skipped, DSA disabled\n" + if ($no_dsa && $tnam =~ / DSA/); + ++ return "$tnam: skipped, Red Hat FIPS\n" ++ if ($tnam =~ /no Red Hat FIPS/); ++ + return ""; + } + +diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t +index e2dcb68fb5..0775112b40 100644 +--- a/test/recipes/80-test_ssl_old.t ++++ b/test/recipes/80-test_ssl_old.t +@@ -493,6 +493,18 @@ sub testssl { + # the default choice if TLSv1.3 enabled + my $flag = $protocol eq "-tls1_3" ? "" : $protocol; + my $ciphersuites = ""; ++ my %redhat_skip_cipher = map {$_ => 1} qw( ++AES256-GCM-SHA384:@SECLEVEL=0 ++AES256-CCM8:@SECLEVEL=0 ++AES256-CCM:@SECLEVEL=0 ++AES128-GCM-SHA256:@SECLEVEL=0 ++AES128-CCM8:@SECLEVEL=0 ++AES128-CCM:@SECLEVEL=0 ++AES256-SHA256:@SECLEVEL=0 ++AES128-SHA256:@SECLEVEL=0 ++AES256-SHA:@SECLEVEL=0 ++AES128-SHA:@SECLEVEL=0 ++ ); + foreach my $cipher (@{$ciphersuites{$protocol}}) { + if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { + note "*****SKIPPING $protocol $cipher"; +@@ -504,11 +516,16 @@ sub testssl { + } else { + $cipher = $cipher.':@SECLEVEL=0'; + } +- ok(run(test([@ssltest, @exkeys, "-cipher", +- $cipher, +- "-ciphersuites", $ciphersuites, +- $flag || ()])), +- "Testing $cipher"); ++ if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) { ++ note "*****SKIPPING $cipher in Red Hat FIPS mode"; ++ ok(1); ++ } else { ++ ok(run(test([@ssltest, @exkeys, "-cipher", ++ $cipher, ++ "-ciphersuites", $ciphersuites, ++ $flag || ()])), ++ "Testing $cipher"); ++ } + } + } + next if $protocol eq "-tls1_3"; +-- +2.44.0 + diff --git a/SOURCES/0060-FIPS-KAT-signature-tests.patch b/SOURCES/0060-FIPS-KAT-signature-tests.patch deleted file mode 100644 index 184b150..0000000 --- a/SOURCES/0060-FIPS-KAT-signature-tests.patch +++ /dev/null @@ -1,420 +0,0 @@ -diff -up openssl-3.0.1/crypto/ec/ec_backend.c.fips_kat_signature openssl-3.0.1/crypto/ec/ec_backend.c ---- openssl-3.0.1/crypto/ec/ec_backend.c.fips_kat_signature 2022-04-04 15:49:24.786455707 +0200 -+++ openssl-3.0.1/crypto/ec/ec_backend.c 2022-04-04 16:06:13.250271963 +0200 -@@ -393,6 +393,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con - const OSSL_PARAM *param_priv_key = NULL, *param_pub_key = NULL; - BN_CTX *ctx = NULL; - BIGNUM *priv_key = NULL; -+#ifdef FIPS_MODULE -+ const OSSL_PARAM *param_sign_kat_k = NULL; -+ BIGNUM *sign_kat_k = NULL; -+#endif - unsigned char *pub_key = NULL; - size_t pub_key_len; - const EC_GROUP *ecg = NULL; -@@ -408,7 +412,10 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con - if (include_private) - param_priv_key = - OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_PRIV_KEY); -- -+#ifdef FIPS_MODULE -+ param_sign_kat_k = -+ OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K); -+#endif - ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(ec)); - if (ctx == NULL) - goto err; -@@ -481,6 +489,17 @@ int ossl_ec_key_fromdata(EC_KEY *ec, con - && !EC_KEY_set_public_key(ec, pub_point)) - goto err; - -+#ifdef FIPS_MODULE -+ if (param_sign_kat_k) { -+ if ((sign_kat_k = BN_secure_new()) == NULL) -+ goto err; -+ BN_set_flags(sign_kat_k, BN_FLG_CONSTTIME); -+ -+ if (!OSSL_PARAM_get_BN(param_sign_kat_k, &sign_kat_k)) -+ goto err; -+ ec->sign_kat_k = sign_kat_k; -+ } -+#endif - ok = 1; - - err: -diff -up openssl-3.0.1/crypto/ec/ecdsa_ossl.c.fips_kat_signature openssl-3.0.1/crypto/ec/ecdsa_ossl.c ---- openssl-3.0.1/crypto/ec/ecdsa_ossl.c.fips_kat_signature 2022-04-04 17:01:35.725323127 +0200 -+++ openssl-3.0.1/crypto/ec/ecdsa_ossl.c 2022-04-04 17:03:42.000427050 +0200 -@@ -20,6 +20,10 @@ - #include "crypto/bn.h" - #include "ec_local.h" - -+#ifdef FIPS_MODULE -+extern int REDHAT_FIPS_signature_st; -+#endif -+ - int ossl_ecdsa_sign_setup(EC_KEY *eckey, BN_CTX *ctx_in, BIGNUM **kinvp, - BIGNUM **rp) - { -@@ -126,6 +130,11 @@ static int ecdsa_sign_setup(EC_KEY *ecke - goto err; - - do { -+#ifdef FIPS_MODULE -+ if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) { -+ BN_copy(k, eckey->sign_kat_k); -+ } else { -+#endif - /* get random k */ - do { - if (dgst != NULL) { -@@ -141,7 +150,9 @@ static int ecdsa_sign_setup(EC_KEY *ecke - } - } - } while (BN_is_zero(k)); -- -+#ifdef FIPS_MODULE -+ } -+#endif - /* compute r the x-coordinate of generator * k */ - if (!EC_POINT_mul(group, tmp_point, k, NULL, NULL, ctx)) { - ERR_raise(ERR_LIB_EC, ERR_R_EC_LIB); -diff -up openssl-3.0.1/crypto/ec/ec_key.c.fips_kat_signature openssl-3.0.1/crypto/ec/ec_key.c ---- openssl-3.0.1/crypto/ec/ec_key.c.fips_kat_signature 2022-04-04 13:48:52.231172299 +0200 -+++ openssl-3.0.1/crypto/ec/ec_key.c 2022-04-04 14:00:35.077368605 +0200 -@@ -97,6 +97,9 @@ void EC_KEY_free(EC_KEY *r) - EC_GROUP_free(r->group); - EC_POINT_free(r->pub_key); - BN_clear_free(r->priv_key); -+#ifdef FIPS_MODULE -+ BN_clear_free(r->sign_kat_k); -+#endif - OPENSSL_free(r->propq); - - OPENSSL_clear_free((void *)r, sizeof(EC_KEY)); -diff -up openssl-3.0.1/crypto/ec/ec_local.h.fips_kat_signature openssl-3.0.1/crypto/ec/ec_local.h ---- openssl-3.0.1/crypto/ec/ec_local.h.fips_kat_signature 2022-04-04 13:46:57.576161867 +0200 -+++ openssl-3.0.1/crypto/ec/ec_local.h 2022-04-04 13:48:07.827780835 +0200 -@@ -298,6 +298,9 @@ struct ec_key_st { - #ifndef FIPS_MODULE - CRYPTO_EX_DATA ex_data; - #endif -+#ifdef FIPS_MODULE -+ BIGNUM *sign_kat_k; -+#endif - CRYPTO_RWLOCK *lock; - OSSL_LIB_CTX *libctx; - char *propq; -diff -up openssl-3.0.1/include/openssl/core_names.h.fips_kat_signature openssl-3.0.1/include/openssl/core_names.h ---- openssl-3.0.1/include/openssl/core_names.h.fips_kat_signature 2022-04-04 14:06:15.717370014 +0200 -+++ openssl-3.0.1/include/openssl/core_names.h 2022-04-04 14:07:35.376071229 +0200 -@@ -293,6 +293,7 @@ extern "C" { - #define OSSL_PKEY_PARAM_DIST_ID "distid" - #define OSSL_PKEY_PARAM_PUB_KEY "pub" - #define OSSL_PKEY_PARAM_PRIV_KEY "priv" -+#define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K "rh_sign_kat_k" - - /* Diffie-Hellman/DSA Parameters */ - #define OSSL_PKEY_PARAM_FFC_P "p" -diff -up openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.fips_kat_signature openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c ---- openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c.fips_kat_signature 2022-04-04 14:21:03.043180906 +0200 -+++ openssl-3.0.1/providers/implementations/keymgmt/ec_kmgmt.c 2022-04-04 14:38:33.949406645 +0200 -@@ -530,7 +530,8 @@ end: - # define EC_IMEXPORTABLE_PUBLIC_KEY \ - OSSL_PARAM_octet_string(OSSL_PKEY_PARAM_PUB_KEY, NULL, 0) - # define EC_IMEXPORTABLE_PRIVATE_KEY \ -- OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0) -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_PRIV_KEY, NULL, 0), \ -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, NULL, 0) - # define EC_IMEXPORTABLE_OTHER_PARAMETERS \ - OSSL_PARAM_int(OSSL_PKEY_PARAM_USE_COFACTOR_ECDH, NULL), \ - OSSL_PARAM_int(OSSL_PKEY_PARAM_EC_INCLUDE_PUBLIC, NULL) -diff -up openssl-3.0.1/providers/fips/self_test_kats.c.kat openssl-3.0.1/providers/fips/self_test_kats.c ---- openssl-3.0.1/providers/fips/self_test_kats.c.kat 2022-05-10 15:10:32.502185265 +0200 -+++ openssl-3.0.1/providers/fips/self_test_kats.c 2022-05-10 15:13:21.465653720 +0200 -@@ -17,6 +17,8 @@ - #include "self_test.h" - #include "self_test_data.inc" - -+int REDHAT_FIPS_signature_st = 0; -+ - static int self_test_digest(const ST_KAT_DIGEST *t, OSSL_SELF_TEST *st, - OSSL_LIB_CTX *libctx) - { -@@ -446,6 +448,7 @@ static int self_test_sign(const ST_KAT_S - EVP_PKEY *pkey = NULL; - unsigned char sig[256]; - BN_CTX *bnctx = NULL; -+ BIGNUM *K = NULL; - size_t siglen = sizeof(sig); - static const unsigned char dgst[] = { - 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, -@@ -462,6 +465,9 @@ static int self_test_sign(const ST_KAT_S - bnctx = BN_CTX_new_ex(libctx); - if (bnctx == NULL) - goto err; -+ K = BN_CTX_get(bnctx); -+ if (K == NULL || BN_bin2bn(dgst, sizeof(dgst), K) == NULL) -+ goto err; - - bld = OSSL_PARAM_BLD_new(); - if (bld == NULL) -@@ -469,6 +475,9 @@ static int self_test_sign(const ST_KAT_S - - if (!add_params(bld, t->key, bnctx)) - goto err; -+ /* set K for ECDSA KAT tests */ -+ if (!OSSL_PARAM_BLD_push_BN(bld, OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K, K)) -+ goto err; - params = OSSL_PARAM_BLD_to_param(bld); - - /* Create a EVP_PKEY_CTX to load the DSA key into */ -@@ -689,11 +698,13 @@ static int self_test_kas(OSSL_SELF_TEST - static int self_test_signatures(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) - { - int i, ret = 1; -+ REDHAT_FIPS_signature_st = 1; - - for (i = 0; i < (int)OSSL_NELEM(st_kat_sign_tests); ++i) { - if (!self_test_sign(&st_kat_sign_tests[i], st, libctx)) - ret = 0; - } -+ REDHAT_FIPS_signature_st = 0; - return ret; - } - -diff -up openssl-3.0.1/providers/fips/self_test_data.inc.kat openssl-3.0.1/providers/fips/self_test_data.inc ---- openssl-3.0.1/providers/fips/self_test_data.inc.kat 2022-05-16 17:37:34.962807400 +0200 -+++ openssl-3.0.1/providers/fips/self_test_data.inc 2022-05-16 17:48:10.709376779 +0200 -@@ -1399,7 +1399,151 @@ static const ST_KAT_PARAM ecdsa_prime_ke - ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv), - ST_KAT_PARAM_END() - }; -+static const unsigned char ec224r1_kat_sig[] = { -+0x30, 0x3c, 0x02, 0x1c, 0x2f, 0x24, 0x30, 0x96, 0x3b, 0x39, 0xe0, 0xab, 0xe2, 0x5a, 0x6f, 0xe0, -+0x40, 0x7e, 0x19, 0x30, 0x6e, 0x6a, 0xfd, 0x7a, 0x2b, 0x5d, 0xaa, 0xc2, 0x34, 0x6c, 0xc8, 0xce, -+0x02, 0x1c, 0x47, 0xe1, 0xac, 0xfd, 0xb4, 0xb8, 0x2b, 0x8c, 0x49, 0xb6, 0x36, 0xcd, 0xdd, 0x22, -+0x2a, 0x2d, 0x29, 0x64, 0x70, 0x61, 0xc3, 0x3e, 0x18, 0x51, 0xec, 0xf2, 0xad, 0x3c -+}; - -+static const char ecd_prime_curve_name384[] = "secp384r1"; -+/* -+priv: -+ 58:12:2b:94:be:29:23:13:83:f5:c4:20:e8:22:34: -+ 54:73:49:91:10:05:e9:10:e9:d7:2d:72:9c:5e:6a: -+ ba:8f:6d:d6:e4:a7:eb:e0:ae:e3:d4:c9:aa:33:87: -+ 4c:91:87 -+pub: -+ 04:d1:86:8b:f5:c4:a2:f7:a5:92:e6:85:2a:d2:92: -+ 81:97:0a:8d:fa:09:3f:84:6c:17:43:03:43:49:23: -+ 77:c4:31:f4:0a:a4:de:87:ac:5c:c0:d1:bc:e4:43: -+ 7f:8d:44:e1:3b:5f:bc:27:c8:79:0f:d0:31:9f:a7: -+ 6d:de:fb:f7:da:19:40:fd:aa:83:dc:69:ce:a6:f3: -+ 4d:65:20:1c:66:82:80:03:f7:7b:2e:f3:b3:7c:1f: -+ 11:f2:a3:bf:e8:0e:88 -+*/ -+static const unsigned char ecd_prime_priv384[] = { -+ 0x58, 0x12, 0x2b, 0x94, 0xbe, 0x29, 0x23, 0x13, 0x83, 0xf5, 0xc4, 0x20, 0xe8, 0x22, 0x34, -+ 0x54, 0x73, 0x49, 0x91, 0x10, 0x05, 0xe9, 0x10, 0xe9, 0xd7, 0x2d, 0x72, 0x9c, 0x5e, 0x6a, -+ 0xba, 0x8f, 0x6d, 0xd6, 0xe4, 0xa7, 0xeb, 0xe0, 0xae, 0xe3, 0xd4, 0xc9, 0xaa, 0x33, 0x87, -+ 0x4c, 0x91, 0x87 -+}; -+static const unsigned char ecd_prime_pub384[] = { -+ 0x04, 0xd1, 0x86, 0x8b, 0xf5, 0xc4, 0xa2, 0xf7, 0xa5, 0x92, 0xe6, 0x85, 0x2a, 0xd2, 0x92, -+ 0x81, 0x97, 0x0a, 0x8d, 0xfa, 0x09, 0x3f, 0x84, 0x6c, 0x17, 0x43, 0x03, 0x43, 0x49, 0x23, -+ 0x77, 0xc4, 0x31, 0xf4, 0x0a, 0xa4, 0xde, 0x87, 0xac, 0x5c, 0xc0, 0xd1, 0xbc, 0xe4, 0x43, -+ 0x7f, 0x8d, 0x44, 0xe1, 0x3b, 0x5f, 0xbc, 0x27, 0xc8, 0x79, 0x0f, 0xd0, 0x31, 0x9f, 0xa7, -+ 0x6d, 0xde, 0xfb, 0xf7, 0xda, 0x19, 0x40, 0xfd, 0xaa, 0x83, 0xdc, 0x69, 0xce, 0xa6, 0xf3, -+ 0x4d, 0x65, 0x20, 0x1c, 0x66, 0x82, 0x80, 0x03, 0xf7, 0x7b, 0x2e, 0xf3, 0xb3, 0x7c, 0x1f, -+ 0x11, 0xf2, 0xa3, 0xbf, 0xe8, 0x0e, 0x88 -+}; -+static const ST_KAT_PARAM ecdsa_prime_key384[] = { -+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name384), -+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub384), -+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv384), -+ ST_KAT_PARAM_END() -+}; -+static const unsigned char ec384r1_kat_sig[] = { -+0x30, 0x65, 0x02, 0x30, 0x1a, 0xd5, 0x57, 0x1b, 0x28, 0x0f, 0xf1, 0x68, 0x66, 0x68, 0x8a, 0x98, -+0xe3, 0x9c, 0xce, 0x7f, 0xa7, 0x68, 0xdc, 0x84, 0x5a, 0x65, 0xdc, 0x2b, 0x5d, 0x7e, 0xf3, 0x9b, -+0xa0, 0x40, 0xe8, 0x7a, 0x02, 0xc7, 0x82, 0xe0, 0x0c, 0x81, 0xa5, 0xda, 0x55, 0x27, 0xbf, 0x79, -+0xee, 0x72, 0xc2, 0x14, 0x02, 0x31, 0x00, 0xd1, 0x9d, 0x67, 0xda, 0x5a, 0xd2, 0x58, 0x68, 0xe7, -+0x71, 0x08, 0xb2, 0xa4, 0xe4, 0xe8, 0x74, 0xb4, 0x0a, 0x3d, 0x76, 0x49, 0x31, 0x17, 0x6e, 0x33, -+0x16, 0xf0, 0x00, 0x1f, 0x3c, 0x1f, 0xf9, 0x7c, 0xdb, 0x93, 0x49, 0x9c, 0x7d, 0xb3, 0xd3, 0x30, -+0x98, 0x81, 0x6f, 0xb0, 0xc9, 0x30, 0x2f -+}; -+static const char ecd_prime_curve_name521[] = "secp521r1"; -+/* -+priv: -+ 00:44:0f:96:31:a9:87:f2:5f:be:a0:bc:ef:0c:ae: -+ 58:cc:5f:f8:44:9e:89:86:7e:bf:db:ce:cb:0e:20: -+ 10:4a:11:ec:0b:51:1d:e4:91:ca:c6:40:fb:c6:69: -+ ad:68:33:9e:c8:f5:c4:c6:a5:93:a8:4d:a9:a9:a2: -+ af:fe:6d:cb:c2:3b -+pub: -+ 04:01:5f:58:a9:40:0c:ee:9b:ed:4a:f4:7a:3c:a3: -+ 89:c2:f3:7e:2c:f4:b5:53:80:ae:33:7d:36:d1:b5: -+ 18:bd:ef:a9:48:00:ea:88:ee:00:5c:ca:07:08:b5: -+ 67:4a:c3:2b:10:c6:07:b0:c2:45:37:b7:1d:e3:6c: -+ e1:bf:2c:44:18:4a:aa:01:af:75:40:6a:e3:f5:b2: -+ 7f:d1:9d:1b:8b:29:1f:91:4d:db:93:bf:bd:8c:b7: -+ 6a:8d:4b:2c:36:2a:6b:ab:54:9d:7b:31:99:a4:de: -+ c9:10:c4:f4:a3:f4:6d:94:97:62:16:a5:34:65:1f: -+ 42:cd:8b:9e:e6:db:14:5d:a9:8d:19:95:8d -+*/ -+static const unsigned char ecd_prime_priv521[] = { -+ 0x00, 0x44, 0x0f, 0x96, 0x31, 0xa9, 0x87, 0xf2, 0x5f, 0xbe, 0xa0, 0xbc, 0xef, 0x0c, 0xae, -+ 0x58, 0xcc, 0x5f, 0xf8, 0x44, 0x9e, 0x89, 0x86, 0x7e, 0xbf, 0xdb, 0xce, 0xcb, 0x0e, 0x20, -+ 0x10, 0x4a, 0x11, 0xec, 0x0b, 0x51, 0x1d, 0xe4, 0x91, 0xca, 0xc6, 0x40, 0xfb, 0xc6, 0x69, -+ 0xad, 0x68, 0x33, 0x9e, 0xc8, 0xf5, 0xc4, 0xc6, 0xa5, 0x93, 0xa8, 0x4d, 0xa9, 0xa9, 0xa2, -+ 0xaf, 0xfe, 0x6d, 0xcb, 0xc2, 0x3b -+}; -+static const unsigned char ecd_prime_pub521[] = { -+ 0x04, 0x01, 0x5f, 0x58, 0xa9, 0x40, 0x0c, 0xee, 0x9b, 0xed, 0x4a, 0xf4, 0x7a, 0x3c, 0xa3, -+ 0x89, 0xc2, 0xf3, 0x7e, 0x2c, 0xf4, 0xb5, 0x53, 0x80, 0xae, 0x33, 0x7d, 0x36, 0xd1, 0xb5, -+ 0x18, 0xbd, 0xef, 0xa9, 0x48, 0x00, 0xea, 0x88, 0xee, 0x00, 0x5c, 0xca, 0x07, 0x08, 0xb5, -+ 0x67, 0x4a, 0xc3, 0x2b, 0x10, 0xc6, 0x07, 0xb0, 0xc2, 0x45, 0x37, 0xb7, 0x1d, 0xe3, 0x6c, -+ 0xe1, 0xbf, 0x2c, 0x44, 0x18, 0x4a, 0xaa, 0x01, 0xaf, 0x75, 0x40, 0x6a, 0xe3, 0xf5, 0xb2, -+ 0x7f, 0xd1, 0x9d, 0x1b, 0x8b, 0x29, 0x1f, 0x91, 0x4d, 0xdb, 0x93, 0xbf, 0xbd, 0x8c, 0xb7, -+ 0x6a, 0x8d, 0x4b, 0x2c, 0x36, 0x2a, 0x6b, 0xab, 0x54, 0x9d, 0x7b, 0x31, 0x99, 0xa4, 0xde, -+ 0xc9, 0x10, 0xc4, 0xf4, 0xa3, 0xf4, 0x6d, 0x94, 0x97, 0x62, 0x16, 0xa5, 0x34, 0x65, 0x1f, -+ 0x42, 0xcd, 0x8b, 0x9e, 0xe6, 0xdb, 0x14, 0x5d, 0xa9, 0x8d, 0x19, 0x95, 0x8d -+}; -+static const ST_KAT_PARAM ecdsa_prime_key521[] = { -+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name521), -+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub521), -+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv521), -+ ST_KAT_PARAM_END() -+}; -+static const unsigned char ec521r1_kat_sig[] = { -+0x30, 0x81, 0x88, 0x02, 0x42, 0x00, 0xdf, 0x64, 0x9c, 0xc8, 0x5b, 0xdd, 0x0b, 0x7f, 0x69, 0x7e, -+0xdb, 0x83, 0x58, 0x67, 0x63, 0x43, 0xb7, 0xfa, 0x40, 0x29, 0xde, 0xb9, 0xde, 0xe9, 0x96, 0x65, -+0xe6, 0x8e, 0xf4, 0xeb, 0xd0, 0xe9, 0x6a, 0xd3, 0x27, 0x6c, 0x4d, 0x60, 0x47, 0x9c, 0x62, 0xb8, -+0x6c, 0xc1, 0x36, 0x19, 0x65, 0xff, 0xab, 0xcf, 0x24, 0xa3, 0xde, 0xd1, 0x4b, 0x1b, 0xdd, 0x89, -+0xcf, 0xf8, 0x72, 0x7b, 0x92, 0xbc, 0x02, 0x02, 0x42, 0x01, 0xf8, 0x07, 0x77, 0xb8, 0xcb, 0xa2, -+0xe2, 0x1f, 0x53, 0x9a, 0x7c, 0x16, 0xb5, 0x8e, 0xad, 0xe3, 0xc3, 0xac, 0xb7, 0xb2, 0x51, 0x8f, -+0xf9, 0x09, 0x65, 0x43, 0xf8, 0xd8, 0x3c, 0xe3, 0x5c, 0x4a, 0x5e, 0x3d, 0x6f, 0xb7, 0xbb, 0x5a, -+0x92, 0x69, 0xec, 0x71, 0xa2, 0x35, 0xe5, 0x29, 0x17, 0xaf, 0xc9, 0x69, 0xa7, 0xaa, 0x94, 0xf9, -+0xf9, 0x50, 0x87, 0x7b, 0x5d, 0x87, 0xe3, 0xd6, 0x3f, 0xb6, 0x6e -+}; -+static const char ecd_prime_curve_name256[] = "prime256v1"; -+/* -+priv: -+ 84:88:11:3f:a9:c9:9e:23:72:8b:40:cb:a2:b1:88: -+ 01:1e:92:48:af:13:2d:9b:33:8e:6d:43:40:30:c7: -+ 30:fa -+pub: -+ 04:22:58:b6:f9:01:3b:8c:a6:9b:9f:ae:75:fc:73: -+ cf:1b:f0:81:dc:55:a3:cc:5d:81:46:85:06:32:34: -+ 99:0d:c5:7e:a1:95:bb:21:73:33:40:4b:35:17:f6: -+ 8e:26:61:46:94:2c:4c:ac:9b:20:f8:08:72:25:74: -+ 98:66:c4:63:a6 -+*/ -+static const unsigned char ecd_prime_priv256[] = { -+ 0x84, 0x88, 0x11, 0x3f, 0xa9, 0xc9, 0x9e, 0x23, 0x72, 0x8b, 0x40, 0xcb, 0xa2, 0xb1, 0x88, -+ 0x01, 0x1e, 0x92, 0x48, 0xaf, 0x13, 0x2d, 0x9b, 0x33, 0x8e, 0x6d, 0x43, 0x40, 0x30, 0xc7, -+ 0x30, 0xfa -+}; -+static const unsigned char ecd_prime_pub256[] = { -+ 0x04, 0x22, 0x58, 0xb6, 0xf9, 0x01, 0x3b, 0x8c, 0xa6, 0x9b, 0x9f, 0xae, 0x75, 0xfc, 0x73, -+ 0xcf, 0x1b, 0xf0, 0x81, 0xdc, 0x55, 0xa3, 0xcc, 0x5d, 0x81, 0x46, 0x85, 0x06, 0x32, 0x34, -+ 0x99, 0x0d, 0xc5, 0x7e, 0xa1, 0x95, 0xbb, 0x21, 0x73, 0x33, 0x40, 0x4b, 0x35, 0x17, 0xf6, -+ 0x8e, 0x26, 0x61, 0x46, 0x94, 0x2c, 0x4c, 0xac, 0x9b, 0x20, 0xf8, 0x08, 0x72, 0x25, 0x74, -+ 0x98, 0x66, 0xc4, 0x63, 0xa6 -+}; -+static const ST_KAT_PARAM ecdsa_prime_key256[] = { -+ ST_KAT_PARAM_UTF8STRING(OSSL_PKEY_PARAM_GROUP_NAME, ecd_prime_curve_name256), -+ ST_KAT_PARAM_OCTET(OSSL_PKEY_PARAM_PUB_KEY, ecd_prime_pub256), -+ ST_KAT_PARAM_BIGNUM(OSSL_PKEY_PARAM_PRIV_KEY, ecd_prime_priv256), -+ ST_KAT_PARAM_END() -+}; -+static const unsigned char ec256v1_kat_sig[] = { -+0x30, 0x46, 0x02, 0x21, 0x00, 0xc9, 0x11, 0x27, 0x06, 0x51, 0x2b, 0x50, 0x8c, 0x6b, 0xc0, 0xa6, -+0x85, 0xaa, 0xf4, 0x66, 0x0d, 0xe4, 0x54, 0x0a, 0x10, 0xb6, 0x9f, 0x87, 0xfc, 0xa2, 0xbc, 0x8f, -+0x3c, 0x58, 0xb4, 0xe9, 0x41, 0x02, 0x21, 0x00, 0xc9, 0x72, 0x94, 0xa9, 0xdd, 0x52, 0xca, 0x21, -+0x82, 0x66, 0x7a, 0x68, 0xcb, 0x1e, 0x3b, 0x12, 0x71, 0x4d, 0x56, 0xb5, 0xb7, 0xdd, 0xca, 0x2b, -+0x18, 0xa3, 0xa7, 0x08, 0x0d, 0xfa, 0x9c, 0x66 -+}; - # ifndef OPENSSL_NO_EC2M - static const char ecd_bin_curve_name[] = "sect233r1"; - static const unsigned char ecd_bin_priv[] = { -@@ -1571,8 +1715,42 @@ static const ST_KAT_SIGN st_kat_sign_tes - ecdsa_prime_key, - /* - * The ECDSA signature changes each time due to it using a random k. -- * So there is no expected KAT for this case. -+ * We provide this value in our build -+ */ -+ ITM(ec224r1_kat_sig) -+ }, -+ { -+ OSSL_SELF_TEST_DESC_SIGN_ECDSA, -+ "EC", -+ "SHA-256", -+ ecdsa_prime_key384, -+ /* -+ * The ECDSA signature changes each time due to it using a random k. -+ * We provide this value in our build -+ */ -+ ITM(ec384r1_kat_sig) -+ }, -+ { -+ OSSL_SELF_TEST_DESC_SIGN_ECDSA, -+ "EC", -+ "SHA-256", -+ ecdsa_prime_key521, -+ /* -+ * The ECDSA signature changes each time due to it using a random k. -+ * We provide this value in our build -+ */ -+ ITM(ec521r1_kat_sig) -+ }, -+ { -+ OSSL_SELF_TEST_DESC_SIGN_ECDSA, -+ "EC", -+ "SHA-256", -+ ecdsa_prime_key256, -+ /* -+ * The ECDSA signature changes each time due to it using a random k. -+ * We provide this value in our build - */ -+ ITM(ec256v1_kat_sig) - }, - # ifndef OPENSSL_NO_EC2M - { -diff -up openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c.fipskat openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c ---- openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c.fipskat 2022-05-30 14:48:53.180999124 +0200 -+++ openssl-3.0.1/crypto/ec/ecp_s390x_nistp.c 2022-05-30 14:58:52.841286228 +0200 -@@ -44,6 +44,10 @@ - #define S390X_OFF_RN(n) (4 * n) - #define S390X_OFF_Y(n) (4 * n) - -+#ifdef FIPS_MODULE -+extern int REDHAT_FIPS_signature_st; -+#endif -+ - static int ec_GFp_s390x_nistp_mul(const EC_GROUP *group, EC_POINT *r, - const BIGNUM *scalar, - size_t num, const EC_POINT *points[], -@@ -183,11 +187,21 @@ static ECDSA_SIG *ecdsa_s390x_nistp_sign - * because kdsa instruction constructs an in-range, invertible nonce - * internally implementing counter-measures for RNG weakness. - */ -+#ifdef FIPS_MODULE -+ if (REDHAT_FIPS_signature_st && eckey->sign_kat_k != NULL) { -+ BN_bn2binpad(eckey->sign_kat_k, param + S390X_OFF_RN(len), len); -+ /* Turns KDSA internal nonce-generation off. */ -+ fc |= S390X_KDSA_D; -+ } else { -+#endif - if (RAND_priv_bytes_ex(eckey->libctx, param + S390X_OFF_RN(len), - (size_t)len, 0) != 1) { - ERR_raise(ERR_LIB_EC, EC_R_RANDOM_NUMBER_GENERATION_FAILED); - goto ret; - } -+#ifdef FIPS_MODULE -+ } -+#endif - } else { - /* Reconstruct k = (k^-1)^-1. */ - if (ossl_ec_group_do_inverse_ord(group, k, kinv, NULL) == 0 diff --git a/SOURCES/0062-fips-Expose-a-FIPS-indicator.patch b/SOURCES/0062-fips-Expose-a-FIPS-indicator.patch index d2e9b0a..f1ad59d 100644 --- a/SOURCES/0062-fips-Expose-a-FIPS-indicator.patch +++ b/SOURCES/0062-fips-Expose-a-FIPS-indicator.patch @@ -248,8 +248,8 @@ index de391ce067..1cfd71c5cf 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c @@ -23,6 +23,7 @@ - #include "prov/seeding.h" #include "self_test.h" + #include "crypto/context.h" #include "internal/core.h" +#include "indicator.h" diff --git a/SOURCES/0067-ppc64le-Montgomery-multiply.patch b/SOURCES/0067-ppc64le-Montgomery-multiply.patch deleted file mode 100644 index 36c0222..0000000 --- a/SOURCES/0067-ppc64le-Montgomery-multiply.patch +++ /dev/null @@ -1,703 +0,0 @@ -From 33ffd36afa7594aeb958a925f521cb287ca850c8 Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Mon, 27 Jun 2022 12:14:55 +1000 -Subject: [PATCH 1/2] Revert "Revert "bn: Add fixed length (n=6), unrolled PPC - Montgomery Multiplication"" - -This reverts commit 712d9cc90e355b2c98a959d4e9398610d2269c9e. ---- - crypto/bn/asm/ppc64-mont-fixed.pl | 581 ++++++++++++++++++++++++++++++ - crypto/bn/bn_ppc.c | 15 + - crypto/bn/build.info | 3 +- - 3 files changed, 598 insertions(+), 1 deletion(-) - -diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl -index e69de29bb2d1..0fb397bc5f12 100755 ---- a/crypto/bn/asm/ppc64-mont-fixed.pl -+++ b/crypto/bn/asm/ppc64-mont-fixed.pl -@@ -0,0 +1,581 @@ -+#! /usr/bin/env perl -+# Copyright 2021-2022 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+# ==================================================================== -+# Written by Amitay Isaacs , Martin Schwenke -+# & Alastair D'Silva for -+# the OpenSSL project. -+# ==================================================================== -+ -+# -+# Fixed length (n=6), unrolled PPC Montgomery Multiplication -+# -+ -+# 2021 -+# -+# Although this is a generic implementation for unrolling Montgomery -+# Multiplication for arbitrary values of n, this is currently only -+# used for n = 6 to improve the performance of ECC p384. -+# -+# Unrolling allows intermediate results to be stored in registers, -+# rather than on the stack, improving performance by ~7% compared to -+# the existing PPC assembly code. -+# -+# The ISA 3.0 implementation uses combination multiply/add -+# instructions (maddld, maddhdu) to improve performance by an -+# additional ~10% on Power 9. -+# -+# Finally, saving non-volatile registers into volatile vector -+# registers instead of onto the stack saves a little more. -+# -+# On a Power 9 machine we see an overall improvement of ~18%. -+# -+ -+use strict; -+use warnings; -+ -+my ($flavour, $output, $dir, $xlate); -+ -+# $output is the last argument if it looks like a file (it has an extension) -+# $flavour is the first argument if it doesn't look like a file -+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; -+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; -+ -+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or -+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or -+die "can't locate ppc-xlate.pl"; -+ -+open STDOUT,"| $^X $xlate $flavour \"$output\"" -+ or die "can't call $xlate: $!"; -+ -+if ($flavour !~ /64/) { -+ die "bad flavour ($flavour) - only ppc64 permitted"; -+} -+ -+my $SIZE_T= 8; -+ -+# Registers are global so the code is remotely readable -+ -+# Parameters for Montgomery multiplication -+my $sp = "r1"; -+my $toc = "r2"; -+my $rp = "r3"; -+my $ap = "r4"; -+my $bp = "r5"; -+my $np = "r6"; -+my $n0 = "r7"; -+my $num = "r8"; -+ -+my $i = "r9"; -+my $c0 = "r10"; -+my $bp0 = "r11"; -+my $bpi = "r11"; -+my $bpj = "r11"; -+my $tj = "r12"; -+my $apj = "r12"; -+my $npj = "r12"; -+my $lo = "r14"; -+my $c1 = "r14"; -+ -+# Non-volatile registers used for tp[i] -+# -+# 12 registers are available but the limit on unrolling is 10, -+# since registers from $tp[0] to $tp[$n+1] are used. -+my @tp = ("r20" .. "r31"); -+ -+# volatile VSRs for saving non-volatile GPRs - faster than stack -+my @vsrs = ("v32" .. "v46"); -+ -+package Mont; -+ -+sub new($$) -+{ -+ my ($class, $n) = @_; -+ -+ if ($n > 10) { -+ die "Can't unroll for BN length ${n} (maximum 10)" -+ } -+ -+ my $self = { -+ code => "", -+ n => $n, -+ }; -+ bless $self, $class; -+ -+ return $self; -+} -+ -+sub add_code($$) -+{ -+ my ($self, $c) = @_; -+ -+ $self->{code} .= $c; -+} -+ -+sub get_code($) -+{ -+ my ($self) = @_; -+ -+ return $self->{code}; -+} -+ -+sub get_function_name($) -+{ -+ my ($self) = @_; -+ -+ return "bn_mul_mont_fixed_n" . $self->{n}; -+} -+ -+sub get_label($$) -+{ -+ my ($self, $l) = @_; -+ -+ return "L" . $l . "_" . $self->{n}; -+} -+ -+sub get_labels($@) -+{ -+ my ($self, @labels) = @_; -+ -+ my %out = (); -+ -+ foreach my $l (@labels) { -+ $out{"$l"} = $self->get_label("$l"); -+ } -+ -+ return \%out; -+} -+ -+sub nl($) -+{ -+ my ($self) = @_; -+ -+ $self->add_code("\n"); -+} -+ -+sub copy_result($) -+{ -+ my ($self) = @_; -+ -+ my ($n) = $self->{n}; -+ -+ for (my $j = 0; $j < $n; $j++) { -+ $self->add_code(<<___); -+ std $tp[$j],`$j*$SIZE_T`($rp) -+___ -+ } -+ -+} -+ -+sub mul_mont_fixed($) -+{ -+ my ($self) = @_; -+ -+ my ($n) = $self->{n}; -+ my $fname = $self->get_function_name(); -+ my $label = $self->get_labels("outer", "enter", "sub", "copy", "end"); -+ -+ $self->add_code(<<___); -+ -+.globl .${fname} -+.align 5 -+.${fname}: -+ -+___ -+ -+ $self->save_registers(); -+ -+ $self->add_code(<<___); -+ ld $n0,0($n0) -+ -+ ld $bp0,0($bp) -+ -+ ld $apj,0($ap) -+___ -+ -+ $self->mul_c_0($tp[0], $apj, $bp0, $c0); -+ -+ for (my $j = 1; $j < $n - 1; $j++) { -+ $self->add_code(<<___); -+ ld $apj,`$j*$SIZE_T`($ap) -+___ -+ $self->mul($tp[$j], $apj, $bp0, $c0); -+ } -+ -+ $self->add_code(<<___); -+ ld $apj,`($n-1)*$SIZE_T`($ap) -+___ -+ -+ $self->mul_last($tp[$n-1], $tp[$n], $apj, $bp0, $c0); -+ -+ $self->add_code(<<___); -+ li $tp[$n+1],0 -+ -+___ -+ -+ $self->add_code(<<___); -+ li $i,0 -+ mtctr $num -+ b $label->{"enter"} -+ -+.align 4 -+$label->{"outer"}: -+ ldx $bpi,$bp,$i -+ -+ ld $apj,0($ap) -+___ -+ -+ $self->mul_add_c_0($tp[0], $tp[0], $apj, $bpi, $c0); -+ -+ for (my $j = 1; $j < $n; $j++) { -+ $self->add_code(<<___); -+ ld $apj,`$j*$SIZE_T`($ap) -+___ -+ $self->mul_add($tp[$j], $tp[$j], $apj, $bpi, $c0); -+ } -+ -+ $self->add_code(<<___); -+ addc $tp[$n],$tp[$n],$c0 -+ addze $tp[$n+1],$tp[$n+1] -+___ -+ -+ $self->add_code(<<___); -+.align 4 -+$label->{"enter"}: -+ mulld $bpi,$tp[0],$n0 -+ -+ ld $npj,0($np) -+___ -+ -+ $self->mul_add_c_0($lo, $tp[0], $bpi, $npj, $c0); -+ -+ for (my $j = 1; $j < $n; $j++) { -+ $self->add_code(<<___); -+ ld $npj,`$j*$SIZE_T`($np) -+___ -+ $self->mul_add($tp[$j-1], $tp[$j], $npj, $bpi, $c0); -+ } -+ -+ $self->add_code(<<___); -+ addc $tp[$n-1],$tp[$n],$c0 -+ addze $tp[$n],$tp[$n+1] -+ -+ addi $i,$i,$SIZE_T -+ bdnz $label->{"outer"} -+ -+ and. $tp[$n],$tp[$n],$tp[$n] -+ bne $label->{"sub"} -+ -+ cmpld $tp[$n-1],$npj -+ blt $label->{"copy"} -+ -+$label->{"sub"}: -+___ -+ -+ # -+ # Reduction -+ # -+ -+ $self->add_code(<<___); -+ ld $bpj,`0*$SIZE_T`($np) -+ subfc $c1,$bpj,$tp[0] -+ std $c1,`0*$SIZE_T`($rp) -+ -+___ -+ for (my $j = 1; $j < $n - 1; $j++) { -+ $self->add_code(<<___); -+ ld $bpj,`$j*$SIZE_T`($np) -+ subfe $c1,$bpj,$tp[$j] -+ std $c1,`$j*$SIZE_T`($rp) -+ -+___ -+ } -+ -+ $self->add_code(<<___); -+ subfe $c1,$npj,$tp[$n-1] -+ std $c1,`($n-1)*$SIZE_T`($rp) -+ -+___ -+ -+ $self->add_code(<<___); -+ addme. $tp[$n],$tp[$n] -+ beq $label->{"end"} -+ -+$label->{"copy"}: -+___ -+ -+ $self->copy_result(); -+ -+ $self->add_code(<<___); -+ -+$label->{"end"}: -+___ -+ -+ $self->restore_registers(); -+ -+ $self->add_code(<<___); -+ li r3,1 -+ blr -+.size .${fname},.-.${fname} -+___ -+ -+} -+ -+package Mont::GPR; -+ -+our @ISA = ('Mont'); -+ -+sub new($$) -+{ -+ my ($class, $n) = @_; -+ -+ return $class->SUPER::new($n); -+} -+ -+sub save_registers($) -+{ -+ my ($self) = @_; -+ -+ my $n = $self->{n}; -+ -+ $self->add_code(<<___); -+ std $lo,-8($sp) -+___ -+ -+ for (my $j = 0; $j <= $n+1; $j++) { -+ $self->{code}.=<<___; -+ std $tp[$j],-`($j+2)*8`($sp) -+___ -+ } -+ -+ $self->add_code(<<___); -+ -+___ -+} -+ -+sub restore_registers($) -+{ -+ my ($self) = @_; -+ -+ my $n = $self->{n}; -+ -+ $self->add_code(<<___); -+ ld $lo,-8($sp) -+___ -+ -+ for (my $j = 0; $j <= $n+1; $j++) { -+ $self->{code}.=<<___; -+ ld $tp[$j],-`($j+2)*8`($sp) -+___ -+ } -+ -+ $self->{code} .=<<___; -+ -+___ -+} -+ -+# Direct translation of C mul() -+sub mul($$$$$) -+{ -+ my ($self, $r, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ mulld $lo,$a,$w -+ addc $r,$lo,$c -+ mulhdu $c,$a,$w -+ addze $c,$c -+ -+___ -+} -+ -+# Like mul() but $c is ignored as an input - an optimisation to save a -+# preliminary instruction that would set input $c to 0 -+sub mul_c_0($$$$$) -+{ -+ my ($self, $r, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ mulld $r,$a,$w -+ mulhdu $c,$a,$w -+ -+___ -+} -+ -+# Like mul() but does not to the final addition of CA into $c - an -+# optimisation to save an instruction -+sub mul_last($$$$$$) -+{ -+ my ($self, $r1, $r2, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ mulld $lo,$a,$w -+ addc $r1,$lo,$c -+ mulhdu $c,$a,$w -+ -+ addze $r2,$c -+___ -+} -+ -+# Like C mul_add() but allow $r_out and $r_in to be different -+sub mul_add($$$$$$) -+{ -+ my ($self, $r_out, $r_in, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ mulld $lo,$a,$w -+ addc $lo,$lo,$c -+ mulhdu $c,$a,$w -+ addze $c,$c -+ addc $r_out,$r_in,$lo -+ addze $c,$c -+ -+___ -+} -+ -+# Like mul_add() but $c is ignored as an input - an optimisation to save a -+# preliminary instruction that would set input $c to 0 -+sub mul_add_c_0($$$$$$) -+{ -+ my ($self, $r_out, $r_in, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ mulld $lo,$a,$w -+ addc $r_out,$r_in,$lo -+ mulhdu $c,$a,$w -+ addze $c,$c -+ -+___ -+} -+ -+package Mont::GPR_300; -+ -+our @ISA = ('Mont::GPR'); -+ -+sub new($$) -+{ -+ my ($class, $n) = @_; -+ -+ my $mont = $class->SUPER::new($n); -+ -+ return $mont; -+} -+ -+sub get_function_name($) -+{ -+ my ($self) = @_; -+ -+ return "bn_mul_mont_300_fixed_n" . $self->{n}; -+} -+ -+sub get_label($$) -+{ -+ my ($self, $l) = @_; -+ -+ return "L" . $l . "_300_" . $self->{n}; -+} -+ -+# Direct translation of C mul() -+sub mul($$$$$) -+{ -+ my ($self, $r, $a, $w, $c, $last) = @_; -+ -+ $self->add_code(<<___); -+ maddld $r,$a,$w,$c -+ maddhdu $c,$a,$w,$c -+ -+___ -+} -+ -+# Save the last carry as the final entry -+sub mul_last($$$$$) -+{ -+ my ($self, $r1, $r2, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ maddld $r1,$a,$w,$c -+ maddhdu $r2,$a,$w,$c -+ -+___ -+} -+ -+# Like mul() but $c is ignored as an input - an optimisation to save a -+# preliminary instruction that would set input $c to 0 -+sub mul_c_0($$$$$) -+{ -+ my ($self, $r, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ mulld $r,$a,$w -+ mulhdu $c,$a,$w -+ -+___ -+} -+ -+# Like C mul_add() but allow $r_out and $r_in to be different -+sub mul_add($$$$$$) -+{ -+ my ($self, $r_out, $r_in, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ maddld $lo,$a,$w,$c -+ maddhdu $c,$a,$w,$c -+ addc $r_out,$r_in,$lo -+ addze $c,$c -+ -+___ -+} -+ -+# Like mul_add() but $c is ignored as an input - an optimisation to save a -+# preliminary instruction that would set input $c to 0 -+sub mul_add_c_0($$$$$$) -+{ -+ my ($self, $r_out, $r_in, $a, $w, $c) = @_; -+ -+ $self->add_code(<<___); -+ maddld $lo,$a,$w,$r_in -+ maddhdu $c,$a,$w,$r_in -+___ -+ -+ if ($r_out ne $lo) { -+ $self->add_code(<<___); -+ mr $r_out,$lo -+___ -+ } -+ -+ $self->nl(); -+} -+ -+ -+package main; -+ -+my $code; -+ -+$code.=<<___; -+.machine "any" -+.text -+___ -+ -+my $mont; -+ -+$mont = new Mont::GPR(6); -+$mont->mul_mont_fixed(); -+$code .= $mont->get_code(); -+ -+$mont = new Mont::GPR_300(6); -+$mont->mul_mont_fixed(); -+$code .= $mont->get_code(); -+ -+$code =~ s/\`([^\`]*)\`/eval $1/gem; -+ -+$code.=<<___; -+.asciz "Montgomery Multiplication for PPC by , " -+___ -+ -+print $code; -+close STDOUT or die "error closing STDOUT: $!"; -diff --git a/crypto/bn/bn_ppc.c b/crypto/bn/bn_ppc.c -index 3ee76ea96574..1e9421bee213 100644 ---- a/crypto/bn/bn_ppc.c -+++ b/crypto/bn/bn_ppc.c -@@ -19,6 +19,12 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, int num); - int bn_mul4x_mont_int(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - const BN_ULONG *np, const BN_ULONG *n0, int num); -+ int bn_mul_mont_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, -+ const BN_ULONG *bp, const BN_ULONG *np, -+ const BN_ULONG *n0, int num); -+ int bn_mul_mont_300_fixed_n6(BN_ULONG *rp, const BN_ULONG *ap, -+ const BN_ULONG *bp, const BN_ULONG *np, -+ const BN_ULONG *n0, int num); - - if (num < 4) - return 0; -@@ -34,5 +40,14 @@ int bn_mul_mont(BN_ULONG *rp, const BN_ULONG *ap, const BN_ULONG *bp, - * no opportunity to figure it out... - */ - -+#if defined(_ARCH_PPC64) && !defined(__ILP32__) -+ if (num == 6) { -+ if (OPENSSL_ppccap_P & PPC_MADD300) -+ return bn_mul_mont_300_fixed_n6(rp, ap, bp, np, n0, num); -+ else -+ return bn_mul_mont_fixed_n6(rp, ap, bp, np, n0, num); -+ } -+#endif -+ - return bn_mul_mont_int(rp, ap, bp, np, n0, num); - } -diff --git a/crypto/bn/build.info b/crypto/bn/build.info -index 4f8d0689b5ea..987a70ae263b 100644 ---- a/crypto/bn/build.info -+++ b/crypto/bn/build.info -@@ -79,7 +79,7 @@ IF[{- !$disabled{asm} -}] - - $BNASM_ppc32=bn_ppc.c bn-ppc.s ppc-mont.s - $BNDEF_ppc32=OPENSSL_BN_ASM_MONT -- $BNASM_ppc64=$BNASM_ppc32 -+ $BNASM_ppc64=$BNASM_ppc32 ppc64-mont-fixed.s - $BNDEF_ppc64=$BNDEF_ppc32 - - $BNASM_c64xplus=asm/bn-c64xplus.asm -@@ -173,6 +173,7 @@ GENERATE[parisc-mont.s]=asm/parisc-mont.pl - GENERATE[bn-ppc.s]=asm/ppc.pl - GENERATE[ppc-mont.s]=asm/ppc-mont.pl - GENERATE[ppc64-mont.s]=asm/ppc64-mont.pl -+GENERATE[ppc64-mont-fixed.s]=asm/ppc64-mont-fixed.pl - - GENERATE[alpha-mont.S]=asm/alpha-mont.pl - - -From 01ebad0d6e3a09bc9e32350b402901471610a3dc Mon Sep 17 00:00:00 2001 -From: Rohan McLure -Date: Thu, 30 Jun 2022 16:21:06 +1000 -Subject: [PATCH 2/2] Fix unrolled montgomery multiplication for POWER9 - -In the reference C implementation in bn_asm.c, tp[num + 1] contains the -carry bit for accumulations into tp[num]. tp[num + 1] is only ever -assigned, never itself incremented. ---- - crypto/bn/asm/ppc64-mont-fixed.pl | 6 ++++-- - 1 file changed, 4 insertions(+), 2 deletions(-) - -diff --git a/crypto/bn/asm/ppc64-mont-fixed.pl b/crypto/bn/asm/ppc64-mont-fixed.pl -index 0fb397bc5f12..e27d0ad93d85 100755 ---- a/crypto/bn/asm/ppc64-mont-fixed.pl -+++ b/crypto/bn/asm/ppc64-mont-fixed.pl -@@ -63,6 +63,7 @@ - # Registers are global so the code is remotely readable - - # Parameters for Montgomery multiplication -+my $ze = "r0"; - my $sp = "r1"; - my $toc = "r2"; - my $rp = "r3"; -@@ -192,6 +193,7 @@ ($) - $self->save_registers(); - - $self->add_code(<<___); -+ li $ze,0 - ld $n0,0($n0) - - ld $bp0,0($bp) -@@ -242,7 +244,7 @@ ($) - - $self->add_code(<<___); - addc $tp[$n],$tp[$n],$c0 -- addze $tp[$n+1],$tp[$n+1] -+ addze $tp[$n+1],$ze - ___ - - $self->add_code(<<___); -@@ -272,7 +274,7 @@ ($) - and. $tp[$n],$tp[$n],$tp[$n] - bne $label->{"sub"} - -- cmpld $tp[$n-1],$npj -+ cmpld $tp[$n-1],$npj - blt $label->{"copy"} - - $label->{"sub"}: diff --git a/SOURCES/0071-AES-GCM-performance-optimization.patch b/SOURCES/0071-AES-GCM-performance-optimization.patch deleted file mode 100644 index edf40ec..0000000 --- a/SOURCES/0071-AES-GCM-performance-optimization.patch +++ /dev/null @@ -1,1635 +0,0 @@ -Upstream-Status: Backport [https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c, https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd] -diff --git a/crypto/modes/asm/aes-gcm-ppc.pl b/crypto/modes/asm/aes-gcm-ppc.pl -new file mode 100644 -index 0000000..6624e6c ---- /dev/null -+++ b/crypto/modes/asm/aes-gcm-ppc.pl -@@ -0,0 +1,1438 @@ -+#! /usr/bin/env perl -+# Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. -+# Copyright 2021- IBM Inc. All rights reserved -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+# -+#=================================================================================== -+# Written by Danny Tsen for OpenSSL Project, -+# -+# GHASH is based on the Karatsuba multiplication method. -+# -+# Xi xor X1 -+# -+# X1 * H^4 + X2 * H^3 + x3 * H^2 + X4 * H = -+# (X1.h * H4.h + xX.l * H4.l + X1 * H4) + -+# (X2.h * H3.h + X2.l * H3.l + X2 * H3) + -+# (X3.h * H2.h + X3.l * H2.l + X3 * H2) + -+# (X4.h * H.h + X4.l * H.l + X4 * H) -+# -+# Xi = v0 -+# H Poly = v2 -+# Hash keys = v3 - v14 -+# ( H.l, H, H.h) -+# ( H^2.l, H^2, H^2.h) -+# ( H^3.l, H^3, H^3.h) -+# ( H^4.l, H^4, H^4.h) -+# -+# v30 is IV -+# v31 - counter 1 -+# -+# AES used, -+# vs0 - vs14 for round keys -+# v15, v16, v17, v18, v19, v20, v21, v22 for 8 blocks (encrypted) -+# -+# This implementation uses stitched AES-GCM approach to improve overall performance. -+# AES is implemented with 8x blocks and GHASH is using 2 4x blocks. -+# -+# Current large block (16384 bytes) performance per second with 128 bit key -- -+# -+# Encrypt Decrypt -+# Power10[le] (3.5GHz) 5.32G 5.26G -+# -+# =================================================================================== -+# -+# $output is the last argument if it looks like a file (it has an extension) -+# $flavour is the first argument if it doesn't look like a file -+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; -+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; -+ -+if ($flavour =~ /64/) { -+ $SIZE_T=8; -+ $LRSAVE=2*$SIZE_T; -+ $STU="stdu"; -+ $POP="ld"; -+ $PUSH="std"; -+ $UCMP="cmpld"; -+ $SHRI="srdi"; -+} elsif ($flavour =~ /32/) { -+ $SIZE_T=4; -+ $LRSAVE=$SIZE_T; -+ $STU="stwu"; -+ $POP="lwz"; -+ $PUSH="stw"; -+ $UCMP="cmplw"; -+ $SHRI="srwi"; -+} else { die "nonsense $flavour"; } -+ -+$sp="r1"; -+$FRAME=6*$SIZE_T+13*16; # 13*16 is for v20-v31 offload -+ -+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or -+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or -+die "can't locate ppc-xlate.pl"; -+ -+open STDOUT,"| $^X $xlate $flavour \"$output\"" -+ or die "can't call $xlate: $!"; -+ -+$code=<<___; -+.machine "any" -+.text -+ -+# 4x loops -+# v15 - v18 - input states -+# vs1 - vs9 - round keys -+# -+.macro Loop_aes_middle4x -+ xxlor 19+32, 1, 1 -+ xxlor 20+32, 2, 2 -+ xxlor 21+32, 3, 3 -+ xxlor 22+32, 4, 4 -+ -+ vcipher 15, 15, 19 -+ vcipher 16, 16, 19 -+ vcipher 17, 17, 19 -+ vcipher 18, 18, 19 -+ -+ vcipher 15, 15, 20 -+ vcipher 16, 16, 20 -+ vcipher 17, 17, 20 -+ vcipher 18, 18, 20 -+ -+ vcipher 15, 15, 21 -+ vcipher 16, 16, 21 -+ vcipher 17, 17, 21 -+ vcipher 18, 18, 21 -+ -+ vcipher 15, 15, 22 -+ vcipher 16, 16, 22 -+ vcipher 17, 17, 22 -+ vcipher 18, 18, 22 -+ -+ xxlor 19+32, 5, 5 -+ xxlor 20+32, 6, 6 -+ xxlor 21+32, 7, 7 -+ xxlor 22+32, 8, 8 -+ -+ vcipher 15, 15, 19 -+ vcipher 16, 16, 19 -+ vcipher 17, 17, 19 -+ vcipher 18, 18, 19 -+ -+ vcipher 15, 15, 20 -+ vcipher 16, 16, 20 -+ vcipher 17, 17, 20 -+ vcipher 18, 18, 20 -+ -+ vcipher 15, 15, 21 -+ vcipher 16, 16, 21 -+ vcipher 17, 17, 21 -+ vcipher 18, 18, 21 -+ -+ vcipher 15, 15, 22 -+ vcipher 16, 16, 22 -+ vcipher 17, 17, 22 -+ vcipher 18, 18, 22 -+ -+ xxlor 23+32, 9, 9 -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+.endm -+ -+# 8x loops -+# v15 - v22 - input states -+# vs1 - vs9 - round keys -+# -+.macro Loop_aes_middle8x -+ xxlor 23+32, 1, 1 -+ xxlor 24+32, 2, 2 -+ xxlor 25+32, 3, 3 -+ xxlor 26+32, 4, 4 -+ -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+ -+ vcipher 15, 15, 24 -+ vcipher 16, 16, 24 -+ vcipher 17, 17, 24 -+ vcipher 18, 18, 24 -+ vcipher 19, 19, 24 -+ vcipher 20, 20, 24 -+ vcipher 21, 21, 24 -+ vcipher 22, 22, 24 -+ -+ vcipher 15, 15, 25 -+ vcipher 16, 16, 25 -+ vcipher 17, 17, 25 -+ vcipher 18, 18, 25 -+ vcipher 19, 19, 25 -+ vcipher 20, 20, 25 -+ vcipher 21, 21, 25 -+ vcipher 22, 22, 25 -+ -+ vcipher 15, 15, 26 -+ vcipher 16, 16, 26 -+ vcipher 17, 17, 26 -+ vcipher 18, 18, 26 -+ vcipher 19, 19, 26 -+ vcipher 20, 20, 26 -+ vcipher 21, 21, 26 -+ vcipher 22, 22, 26 -+ -+ xxlor 23+32, 5, 5 -+ xxlor 24+32, 6, 6 -+ xxlor 25+32, 7, 7 -+ xxlor 26+32, 8, 8 -+ -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+ -+ vcipher 15, 15, 24 -+ vcipher 16, 16, 24 -+ vcipher 17, 17, 24 -+ vcipher 18, 18, 24 -+ vcipher 19, 19, 24 -+ vcipher 20, 20, 24 -+ vcipher 21, 21, 24 -+ vcipher 22, 22, 24 -+ -+ vcipher 15, 15, 25 -+ vcipher 16, 16, 25 -+ vcipher 17, 17, 25 -+ vcipher 18, 18, 25 -+ vcipher 19, 19, 25 -+ vcipher 20, 20, 25 -+ vcipher 21, 21, 25 -+ vcipher 22, 22, 25 -+ -+ vcipher 15, 15, 26 -+ vcipher 16, 16, 26 -+ vcipher 17, 17, 26 -+ vcipher 18, 18, 26 -+ vcipher 19, 19, 26 -+ vcipher 20, 20, 26 -+ vcipher 21, 21, 26 -+ vcipher 22, 22, 26 -+ -+ xxlor 23+32, 9, 9 -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+.endm -+ -+# -+# Compute 4x hash values based on Karatsuba method. -+# -+ppc_aes_gcm_ghash: -+ vxor 15, 15, 0 -+ -+ xxlxor 29, 29, 29 -+ -+ vpmsumd 23, 12, 15 # H4.L * X.L -+ vpmsumd 24, 9, 16 -+ vpmsumd 25, 6, 17 -+ vpmsumd 26, 3, 18 -+ -+ vxor 23, 23, 24 -+ vxor 23, 23, 25 -+ vxor 23, 23, 26 # L -+ -+ vpmsumd 24, 13, 15 # H4.L * X.H + H4.H * X.L -+ vpmsumd 25, 10, 16 # H3.L * X1.H + H3.H * X1.L -+ vpmsumd 26, 7, 17 -+ vpmsumd 27, 4, 18 -+ -+ vxor 24, 24, 25 -+ vxor 24, 24, 26 -+ vxor 24, 24, 27 # M -+ -+ # sum hash and reduction with H Poly -+ vpmsumd 28, 23, 2 # reduction -+ -+ xxlor 29+32, 29, 29 -+ vsldoi 26, 24, 29, 8 # mL -+ vsldoi 29, 29, 24, 8 # mH -+ vxor 23, 23, 26 # mL + L -+ -+ vsldoi 23, 23, 23, 8 # swap -+ vxor 23, 23, 28 -+ -+ vpmsumd 24, 14, 15 # H4.H * X.H -+ vpmsumd 25, 11, 16 -+ vpmsumd 26, 8, 17 -+ vpmsumd 27, 5, 18 -+ -+ vxor 24, 24, 25 -+ vxor 24, 24, 26 -+ vxor 24, 24, 27 -+ -+ vxor 24, 24, 29 -+ -+ # sum hash and reduction with H Poly -+ vsldoi 27, 23, 23, 8 # swap -+ vpmsumd 23, 23, 2 -+ vxor 27, 27, 24 -+ vxor 23, 23, 27 -+ -+ xxlor 32, 23+32, 23+32 # update hash -+ -+ blr -+ -+# -+# Combine two 4x ghash -+# v15 - v22 - input blocks -+# -+.macro ppc_aes_gcm_ghash2_4x -+ # first 4x hash -+ vxor 15, 15, 0 # Xi + X -+ -+ xxlxor 29, 29, 29 -+ -+ vpmsumd 23, 12, 15 # H4.L * X.L -+ vpmsumd 24, 9, 16 -+ vpmsumd 25, 6, 17 -+ vpmsumd 26, 3, 18 -+ -+ vxor 23, 23, 24 -+ vxor 23, 23, 25 -+ vxor 23, 23, 26 # L -+ -+ vpmsumd 24, 13, 15 # H4.L * X.H + H4.H * X.L -+ vpmsumd 25, 10, 16 # H3.L * X1.H + H3.H * X1.L -+ vpmsumd 26, 7, 17 -+ vpmsumd 27, 4, 18 -+ -+ vxor 24, 24, 25 -+ vxor 24, 24, 26 -+ -+ # sum hash and reduction with H Poly -+ vpmsumd 28, 23, 2 # reduction -+ -+ xxlor 29+32, 29, 29 -+ -+ vxor 24, 24, 27 # M -+ vsldoi 26, 24, 29, 8 # mL -+ vsldoi 29, 29, 24, 8 # mH -+ vxor 23, 23, 26 # mL + L -+ -+ vsldoi 23, 23, 23, 8 # swap -+ vxor 23, 23, 28 -+ -+ vpmsumd 24, 14, 15 # H4.H * X.H -+ vpmsumd 25, 11, 16 -+ vpmsumd 26, 8, 17 -+ vpmsumd 27, 5, 18 -+ -+ vxor 24, 24, 25 -+ vxor 24, 24, 26 -+ vxor 24, 24, 27 # H -+ -+ vxor 24, 24, 29 # H + mH -+ -+ # sum hash and reduction with H Poly -+ vsldoi 27, 23, 23, 8 # swap -+ vpmsumd 23, 23, 2 -+ vxor 27, 27, 24 -+ vxor 27, 23, 27 # 1st Xi -+ -+ # 2nd 4x hash -+ vpmsumd 24, 9, 20 -+ vpmsumd 25, 6, 21 -+ vpmsumd 26, 3, 22 -+ vxor 19, 19, 27 # Xi + X -+ vpmsumd 23, 12, 19 # H4.L * X.L -+ -+ vxor 23, 23, 24 -+ vxor 23, 23, 25 -+ vxor 23, 23, 26 # L -+ -+ vpmsumd 24, 13, 19 # H4.L * X.H + H4.H * X.L -+ vpmsumd 25, 10, 20 # H3.L * X1.H + H3.H * X1.L -+ vpmsumd 26, 7, 21 -+ vpmsumd 27, 4, 22 -+ -+ vxor 24, 24, 25 -+ vxor 24, 24, 26 -+ -+ # sum hash and reduction with H Poly -+ vpmsumd 28, 23, 2 # reduction -+ -+ xxlor 29+32, 29, 29 -+ -+ vxor 24, 24, 27 # M -+ vsldoi 26, 24, 29, 8 # mL -+ vsldoi 29, 29, 24, 8 # mH -+ vxor 23, 23, 26 # mL + L -+ -+ vsldoi 23, 23, 23, 8 # swap -+ vxor 23, 23, 28 -+ -+ vpmsumd 24, 14, 19 # H4.H * X.H -+ vpmsumd 25, 11, 20 -+ vpmsumd 26, 8, 21 -+ vpmsumd 27, 5, 22 -+ -+ vxor 24, 24, 25 -+ vxor 24, 24, 26 -+ vxor 24, 24, 27 # H -+ -+ vxor 24, 24, 29 # H + mH -+ -+ # sum hash and reduction with H Poly -+ vsldoi 27, 23, 23, 8 # swap -+ vpmsumd 23, 23, 2 -+ vxor 27, 27, 24 -+ vxor 23, 23, 27 -+ -+ xxlor 32, 23+32, 23+32 # update hash -+ -+.endm -+ -+# -+# Compute update single hash -+# -+.macro ppc_update_hash_1x -+ vxor 28, 28, 0 -+ -+ vxor 19, 19, 19 -+ -+ vpmsumd 22, 3, 28 # L -+ vpmsumd 23, 4, 28 # M -+ vpmsumd 24, 5, 28 # H -+ -+ vpmsumd 27, 22, 2 # reduction -+ -+ vsldoi 25, 23, 19, 8 # mL -+ vsldoi 26, 19, 23, 8 # mH -+ vxor 22, 22, 25 # LL + LL -+ vxor 24, 24, 26 # HH + HH -+ -+ vsldoi 22, 22, 22, 8 # swap -+ vxor 22, 22, 27 -+ -+ vsldoi 20, 22, 22, 8 # swap -+ vpmsumd 22, 22, 2 # reduction -+ vxor 20, 20, 24 -+ vxor 22, 22, 20 -+ -+ vmr 0, 22 # update hash -+ -+.endm -+ -+# -+# ppc_aes_gcm_encrypt (const void *inp, void *out, size_t len, -+# const AES_KEY *key, unsigned char iv[16], -+# void *Xip); -+# -+# r3 - inp -+# r4 - out -+# r5 - len -+# r6 - AES round keys -+# r7 - iv -+# r8 - Xi, HPoli, hash keys -+# -+.global ppc_aes_gcm_encrypt -+.align 5 -+ppc_aes_gcm_encrypt: -+_ppc_aes_gcm_encrypt: -+ -+ stdu 1,-512(1) -+ mflr 0 -+ -+ std 14,112(1) -+ std 15,120(1) -+ std 16,128(1) -+ std 17,136(1) -+ std 18,144(1) -+ std 19,152(1) -+ std 20,160(1) -+ std 21,168(1) -+ li 9, 256 -+ stvx 20, 9, 1 -+ addi 9, 9, 16 -+ stvx 21, 9, 1 -+ addi 9, 9, 16 -+ stvx 22, 9, 1 -+ addi 9, 9, 16 -+ stvx 23, 9, 1 -+ addi 9, 9, 16 -+ stvx 24, 9, 1 -+ addi 9, 9, 16 -+ stvx 25, 9, 1 -+ addi 9, 9, 16 -+ stvx 26, 9, 1 -+ addi 9, 9, 16 -+ stvx 27, 9, 1 -+ addi 9, 9, 16 -+ stvx 28, 9, 1 -+ addi 9, 9, 16 -+ stvx 29, 9, 1 -+ addi 9, 9, 16 -+ stvx 30, 9, 1 -+ addi 9, 9, 16 -+ stvx 31, 9, 1 -+ std 0, 528(1) -+ -+ # Load Xi -+ lxvb16x 32, 0, 8 # load Xi -+ -+ # load Hash - h^4, h^3, h^2, h -+ li 10, 32 -+ lxvd2x 2+32, 10, 8 # H Poli -+ li 10, 48 -+ lxvd2x 3+32, 10, 8 # Hl -+ li 10, 64 -+ lxvd2x 4+32, 10, 8 # H -+ li 10, 80 -+ lxvd2x 5+32, 10, 8 # Hh -+ -+ li 10, 96 -+ lxvd2x 6+32, 10, 8 # H^2l -+ li 10, 112 -+ lxvd2x 7+32, 10, 8 # H^2 -+ li 10, 128 -+ lxvd2x 8+32, 10, 8 # H^2h -+ -+ li 10, 144 -+ lxvd2x 9+32, 10, 8 # H^3l -+ li 10, 160 -+ lxvd2x 10+32, 10, 8 # H^3 -+ li 10, 176 -+ lxvd2x 11+32, 10, 8 # H^3h -+ -+ li 10, 192 -+ lxvd2x 12+32, 10, 8 # H^4l -+ li 10, 208 -+ lxvd2x 13+32, 10, 8 # H^4 -+ li 10, 224 -+ lxvd2x 14+32, 10, 8 # H^4h -+ -+ # initialize ICB: GHASH( IV ), IV - r7 -+ lxvb16x 30+32, 0, 7 # load IV - v30 -+ -+ mr 12, 5 # length -+ li 11, 0 # block index -+ -+ # counter 1 -+ vxor 31, 31, 31 -+ vspltisb 22, 1 -+ vsldoi 31, 31, 22,1 # counter 1 -+ -+ # load round key to VSR -+ lxv 0, 0(6) -+ lxv 1, 0x10(6) -+ lxv 2, 0x20(6) -+ lxv 3, 0x30(6) -+ lxv 4, 0x40(6) -+ lxv 5, 0x50(6) -+ lxv 6, 0x60(6) -+ lxv 7, 0x70(6) -+ lxv 8, 0x80(6) -+ lxv 9, 0x90(6) -+ lxv 10, 0xa0(6) -+ -+ # load rounds - 10 (128), 12 (192), 14 (256) -+ lwz 9,240(6) -+ -+ # -+ # vxor state, state, w # addroundkey -+ xxlor 32+29, 0, 0 -+ vxor 15, 30, 29 # IV + round key - add round key 0 -+ -+ cmpdi 9, 10 -+ beq Loop_aes_gcm_8x -+ -+ # load 2 more round keys (v11, v12) -+ lxv 11, 0xb0(6) -+ lxv 12, 0xc0(6) -+ -+ cmpdi 9, 12 -+ beq Loop_aes_gcm_8x -+ -+ # load 2 more round keys (v11, v12, v13, v14) -+ lxv 13, 0xd0(6) -+ lxv 14, 0xe0(6) -+ cmpdi 9, 14 -+ beq Loop_aes_gcm_8x -+ -+ b aes_gcm_out -+ -+.align 5 -+Loop_aes_gcm_8x: -+ mr 14, 3 -+ mr 9, 4 -+ -+ # n blocks -+ li 10, 128 -+ divdu 10, 5, 10 # n 128 bytes-blocks -+ cmpdi 10, 0 -+ beq Loop_last_block -+ -+ vaddudm 30, 30, 31 # IV + counter -+ vxor 16, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 17, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 18, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 19, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 20, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 21, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 22, 30, 29 -+ -+ mtctr 10 -+ -+ li 15, 16 -+ li 16, 32 -+ li 17, 48 -+ li 18, 64 -+ li 19, 80 -+ li 20, 96 -+ li 21, 112 -+ -+ lwz 10, 240(6) -+ -+Loop_8x_block: -+ -+ lxvb16x 15, 0, 14 # load block -+ lxvb16x 16, 15, 14 # load block -+ lxvb16x 17, 16, 14 # load block -+ lxvb16x 18, 17, 14 # load block -+ lxvb16x 19, 18, 14 # load block -+ lxvb16x 20, 19, 14 # load block -+ lxvb16x 21, 20, 14 # load block -+ lxvb16x 22, 21, 14 # load block -+ addi 14, 14, 128 -+ -+ Loop_aes_middle8x -+ -+ xxlor 23+32, 10, 10 -+ -+ cmpdi 10, 10 -+ beq Do_next_ghash -+ -+ # 192 bits -+ xxlor 24+32, 11, 11 -+ -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+ -+ vcipher 15, 15, 24 -+ vcipher 16, 16, 24 -+ vcipher 17, 17, 24 -+ vcipher 18, 18, 24 -+ vcipher 19, 19, 24 -+ vcipher 20, 20, 24 -+ vcipher 21, 21, 24 -+ vcipher 22, 22, 24 -+ -+ xxlor 23+32, 12, 12 -+ -+ cmpdi 10, 12 -+ beq Do_next_ghash -+ -+ # 256 bits -+ xxlor 24+32, 13, 13 -+ -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+ -+ vcipher 15, 15, 24 -+ vcipher 16, 16, 24 -+ vcipher 17, 17, 24 -+ vcipher 18, 18, 24 -+ vcipher 19, 19, 24 -+ vcipher 20, 20, 24 -+ vcipher 21, 21, 24 -+ vcipher 22, 22, 24 -+ -+ xxlor 23+32, 14, 14 -+ -+ cmpdi 10, 14 -+ beq Do_next_ghash -+ b aes_gcm_out -+ -+Do_next_ghash: -+ -+ # -+ # last round -+ vcipherlast 15, 15, 23 -+ vcipherlast 16, 16, 23 -+ -+ xxlxor 47, 47, 15 -+ stxvb16x 47, 0, 9 # store output -+ xxlxor 48, 48, 16 -+ stxvb16x 48, 15, 9 # store output -+ -+ vcipherlast 17, 17, 23 -+ vcipherlast 18, 18, 23 -+ -+ xxlxor 49, 49, 17 -+ stxvb16x 49, 16, 9 # store output -+ xxlxor 50, 50, 18 -+ stxvb16x 50, 17, 9 # store output -+ -+ vcipherlast 19, 19, 23 -+ vcipherlast 20, 20, 23 -+ -+ xxlxor 51, 51, 19 -+ stxvb16x 51, 18, 9 # store output -+ xxlxor 52, 52, 20 -+ stxvb16x 52, 19, 9 # store output -+ -+ vcipherlast 21, 21, 23 -+ vcipherlast 22, 22, 23 -+ -+ xxlxor 53, 53, 21 -+ stxvb16x 53, 20, 9 # store output -+ xxlxor 54, 54, 22 -+ stxvb16x 54, 21, 9 # store output -+ -+ addi 9, 9, 128 -+ -+ # ghash here -+ ppc_aes_gcm_ghash2_4x -+ -+ xxlor 27+32, 0, 0 -+ vaddudm 30, 30, 31 # IV + counter -+ vmr 29, 30 -+ vxor 15, 30, 27 # add round key -+ vaddudm 30, 30, 31 -+ vxor 16, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 17, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 18, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 19, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 20, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 21, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 22, 30, 27 -+ -+ addi 12, 12, -128 -+ addi 11, 11, 128 -+ -+ bdnz Loop_8x_block -+ -+ vmr 30, 29 -+ -+Loop_last_block: -+ cmpdi 12, 0 -+ beq aes_gcm_out -+ -+ # loop last few blocks -+ li 10, 16 -+ divdu 10, 12, 10 -+ -+ mtctr 10 -+ -+ lwz 10, 240(6) -+ -+ cmpdi 12, 16 -+ blt Final_block -+ -+.macro Loop_aes_middle_1x -+ xxlor 19+32, 1, 1 -+ xxlor 20+32, 2, 2 -+ xxlor 21+32, 3, 3 -+ xxlor 22+32, 4, 4 -+ -+ vcipher 15, 15, 19 -+ vcipher 15, 15, 20 -+ vcipher 15, 15, 21 -+ vcipher 15, 15, 22 -+ -+ xxlor 19+32, 5, 5 -+ xxlor 20+32, 6, 6 -+ xxlor 21+32, 7, 7 -+ xxlor 22+32, 8, 8 -+ -+ vcipher 15, 15, 19 -+ vcipher 15, 15, 20 -+ vcipher 15, 15, 21 -+ vcipher 15, 15, 22 -+ -+ xxlor 19+32, 9, 9 -+ vcipher 15, 15, 19 -+.endm -+ -+Next_rem_block: -+ lxvb16x 15, 0, 14 # load block -+ -+ Loop_aes_middle_1x -+ -+ xxlor 23+32, 10, 10 -+ -+ cmpdi 10, 10 -+ beq Do_next_1x -+ -+ # 192 bits -+ xxlor 24+32, 11, 11 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 12, 12 -+ -+ cmpdi 10, 12 -+ beq Do_next_1x -+ -+ # 256 bits -+ xxlor 24+32, 13, 13 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 14, 14 -+ -+ cmpdi 10, 14 -+ beq Do_next_1x -+ -+Do_next_1x: -+ vcipherlast 15, 15, 23 -+ -+ xxlxor 47, 47, 15 -+ stxvb16x 47, 0, 9 # store output -+ addi 14, 14, 16 -+ addi 9, 9, 16 -+ -+ vmr 28, 15 -+ ppc_update_hash_1x -+ -+ addi 12, 12, -16 -+ addi 11, 11, 16 -+ xxlor 19+32, 0, 0 -+ vaddudm 30, 30, 31 # IV + counter -+ vxor 15, 30, 19 # add round key -+ -+ bdnz Next_rem_block -+ -+ cmpdi 12, 0 -+ beq aes_gcm_out -+ -+Final_block: -+ Loop_aes_middle_1x -+ -+ xxlor 23+32, 10, 10 -+ -+ cmpdi 10, 10 -+ beq Do_final_1x -+ -+ # 192 bits -+ xxlor 24+32, 11, 11 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 12, 12 -+ -+ cmpdi 10, 12 -+ beq Do_final_1x -+ -+ # 256 bits -+ xxlor 24+32, 13, 13 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 14, 14 -+ -+ cmpdi 10, 14 -+ beq Do_final_1x -+ -+Do_final_1x: -+ vcipherlast 15, 15, 23 -+ -+ lxvb16x 15, 0, 14 # load last block -+ xxlxor 47, 47, 15 -+ -+ # create partial block mask -+ li 15, 16 -+ sub 15, 15, 12 # index to the mask -+ -+ vspltisb 16, -1 # first 16 bytes - 0xffff...ff -+ vspltisb 17, 0 # second 16 bytes - 0x0000...00 -+ li 10, 192 -+ stvx 16, 10, 1 -+ addi 10, 10, 16 -+ stvx 17, 10, 1 -+ -+ addi 10, 1, 192 -+ lxvb16x 16, 15, 10 # load partial block mask -+ xxland 47, 47, 16 -+ -+ vmr 28, 15 -+ ppc_update_hash_1x -+ -+ # * should store only the remaining bytes. -+ bl Write_partial_block -+ -+ b aes_gcm_out -+ -+# -+# Write partial block -+# r9 - output -+# r12 - remaining bytes -+# v15 - partial input data -+# -+Write_partial_block: -+ li 10, 192 -+ stxvb16x 15+32, 10, 1 # last block -+ -+ #add 10, 9, 11 # Output -+ addi 10, 9, -1 -+ addi 16, 1, 191 -+ -+ mtctr 12 # remaining bytes -+ li 15, 0 -+ -+Write_last_byte: -+ lbzu 14, 1(16) -+ stbu 14, 1(10) -+ bdnz Write_last_byte -+ blr -+ -+aes_gcm_out: -+ # out = state -+ stxvb16x 32, 0, 8 # write out Xi -+ add 3, 11, 12 # return count -+ -+ li 9, 256 -+ lvx 20, 9, 1 -+ addi 9, 9, 16 -+ lvx 21, 9, 1 -+ addi 9, 9, 16 -+ lvx 22, 9, 1 -+ addi 9, 9, 16 -+ lvx 23, 9, 1 -+ addi 9, 9, 16 -+ lvx 24, 9, 1 -+ addi 9, 9, 16 -+ lvx 25, 9, 1 -+ addi 9, 9, 16 -+ lvx 26, 9, 1 -+ addi 9, 9, 16 -+ lvx 27, 9, 1 -+ addi 9, 9, 16 -+ lvx 28, 9, 1 -+ addi 9, 9, 16 -+ lvx 29, 9, 1 -+ addi 9, 9, 16 -+ lvx 30, 9, 1 -+ addi 9, 9, 16 -+ lvx 31, 9, 1 -+ -+ ld 0, 528(1) -+ ld 14,112(1) -+ ld 15,120(1) -+ ld 16,128(1) -+ ld 17,136(1) -+ ld 18,144(1) -+ ld 19,152(1) -+ ld 20,160(1) -+ ld 21,168(1) -+ -+ mtlr 0 -+ addi 1, 1, 512 -+ blr -+ -+# -+# 8x Decrypt -+# -+.global ppc_aes_gcm_decrypt -+.align 5 -+ppc_aes_gcm_decrypt: -+_ppc_aes_gcm_decrypt: -+ -+ stdu 1,-512(1) -+ mflr 0 -+ -+ std 14,112(1) -+ std 15,120(1) -+ std 16,128(1) -+ std 17,136(1) -+ std 18,144(1) -+ std 19,152(1) -+ std 20,160(1) -+ std 21,168(1) -+ li 9, 256 -+ stvx 20, 9, 1 -+ addi 9, 9, 16 -+ stvx 21, 9, 1 -+ addi 9, 9, 16 -+ stvx 22, 9, 1 -+ addi 9, 9, 16 -+ stvx 23, 9, 1 -+ addi 9, 9, 16 -+ stvx 24, 9, 1 -+ addi 9, 9, 16 -+ stvx 25, 9, 1 -+ addi 9, 9, 16 -+ stvx 26, 9, 1 -+ addi 9, 9, 16 -+ stvx 27, 9, 1 -+ addi 9, 9, 16 -+ stvx 28, 9, 1 -+ addi 9, 9, 16 -+ stvx 29, 9, 1 -+ addi 9, 9, 16 -+ stvx 30, 9, 1 -+ addi 9, 9, 16 -+ stvx 31, 9, 1 -+ std 0, 528(1) -+ -+ # Load Xi -+ lxvb16x 32, 0, 8 # load Xi -+ -+ # load Hash - h^4, h^3, h^2, h -+ li 10, 32 -+ lxvd2x 2+32, 10, 8 # H Poli -+ li 10, 48 -+ lxvd2x 3+32, 10, 8 # Hl -+ li 10, 64 -+ lxvd2x 4+32, 10, 8 # H -+ li 10, 80 -+ lxvd2x 5+32, 10, 8 # Hh -+ -+ li 10, 96 -+ lxvd2x 6+32, 10, 8 # H^2l -+ li 10, 112 -+ lxvd2x 7+32, 10, 8 # H^2 -+ li 10, 128 -+ lxvd2x 8+32, 10, 8 # H^2h -+ -+ li 10, 144 -+ lxvd2x 9+32, 10, 8 # H^3l -+ li 10, 160 -+ lxvd2x 10+32, 10, 8 # H^3 -+ li 10, 176 -+ lxvd2x 11+32, 10, 8 # H^3h -+ -+ li 10, 192 -+ lxvd2x 12+32, 10, 8 # H^4l -+ li 10, 208 -+ lxvd2x 13+32, 10, 8 # H^4 -+ li 10, 224 -+ lxvd2x 14+32, 10, 8 # H^4h -+ -+ # initialize ICB: GHASH( IV ), IV - r7 -+ lxvb16x 30+32, 0, 7 # load IV - v30 -+ -+ mr 12, 5 # length -+ li 11, 0 # block index -+ -+ # counter 1 -+ vxor 31, 31, 31 -+ vspltisb 22, 1 -+ vsldoi 31, 31, 22,1 # counter 1 -+ -+ # load round key to VSR -+ lxv 0, 0(6) -+ lxv 1, 0x10(6) -+ lxv 2, 0x20(6) -+ lxv 3, 0x30(6) -+ lxv 4, 0x40(6) -+ lxv 5, 0x50(6) -+ lxv 6, 0x60(6) -+ lxv 7, 0x70(6) -+ lxv 8, 0x80(6) -+ lxv 9, 0x90(6) -+ lxv 10, 0xa0(6) -+ -+ # load rounds - 10 (128), 12 (192), 14 (256) -+ lwz 9,240(6) -+ -+ # -+ # vxor state, state, w # addroundkey -+ xxlor 32+29, 0, 0 -+ vxor 15, 30, 29 # IV + round key - add round key 0 -+ -+ cmpdi 9, 10 -+ beq Loop_aes_gcm_8x_dec -+ -+ # load 2 more round keys (v11, v12) -+ lxv 11, 0xb0(6) -+ lxv 12, 0xc0(6) -+ -+ cmpdi 9, 12 -+ beq Loop_aes_gcm_8x_dec -+ -+ # load 2 more round keys (v11, v12, v13, v14) -+ lxv 13, 0xd0(6) -+ lxv 14, 0xe0(6) -+ cmpdi 9, 14 -+ beq Loop_aes_gcm_8x_dec -+ -+ b aes_gcm_out -+ -+.align 5 -+Loop_aes_gcm_8x_dec: -+ mr 14, 3 -+ mr 9, 4 -+ -+ # n blocks -+ li 10, 128 -+ divdu 10, 5, 10 # n 128 bytes-blocks -+ cmpdi 10, 0 -+ beq Loop_last_block_dec -+ -+ vaddudm 30, 30, 31 # IV + counter -+ vxor 16, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 17, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 18, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 19, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 20, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 21, 30, 29 -+ vaddudm 30, 30, 31 -+ vxor 22, 30, 29 -+ -+ mtctr 10 -+ -+ li 15, 16 -+ li 16, 32 -+ li 17, 48 -+ li 18, 64 -+ li 19, 80 -+ li 20, 96 -+ li 21, 112 -+ -+ lwz 10, 240(6) -+ -+Loop_8x_block_dec: -+ -+ lxvb16x 15, 0, 14 # load block -+ lxvb16x 16, 15, 14 # load block -+ lxvb16x 17, 16, 14 # load block -+ lxvb16x 18, 17, 14 # load block -+ lxvb16x 19, 18, 14 # load block -+ lxvb16x 20, 19, 14 # load block -+ lxvb16x 21, 20, 14 # load block -+ lxvb16x 22, 21, 14 # load block -+ addi 14, 14, 128 -+ -+ Loop_aes_middle8x -+ -+ xxlor 23+32, 10, 10 -+ -+ cmpdi 10, 10 -+ beq Do_last_aes_dec -+ -+ # 192 bits -+ xxlor 24+32, 11, 11 -+ -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+ -+ vcipher 15, 15, 24 -+ vcipher 16, 16, 24 -+ vcipher 17, 17, 24 -+ vcipher 18, 18, 24 -+ vcipher 19, 19, 24 -+ vcipher 20, 20, 24 -+ vcipher 21, 21, 24 -+ vcipher 22, 22, 24 -+ -+ xxlor 23+32, 12, 12 -+ -+ cmpdi 10, 12 -+ beq Do_last_aes_dec -+ -+ # 256 bits -+ xxlor 24+32, 13, 13 -+ -+ vcipher 15, 15, 23 -+ vcipher 16, 16, 23 -+ vcipher 17, 17, 23 -+ vcipher 18, 18, 23 -+ vcipher 19, 19, 23 -+ vcipher 20, 20, 23 -+ vcipher 21, 21, 23 -+ vcipher 22, 22, 23 -+ -+ vcipher 15, 15, 24 -+ vcipher 16, 16, 24 -+ vcipher 17, 17, 24 -+ vcipher 18, 18, 24 -+ vcipher 19, 19, 24 -+ vcipher 20, 20, 24 -+ vcipher 21, 21, 24 -+ vcipher 22, 22, 24 -+ -+ xxlor 23+32, 14, 14 -+ -+ cmpdi 10, 14 -+ beq Do_last_aes_dec -+ b aes_gcm_out -+ -+Do_last_aes_dec: -+ -+ # -+ # last round -+ vcipherlast 15, 15, 23 -+ vcipherlast 16, 16, 23 -+ -+ xxlxor 47, 47, 15 -+ stxvb16x 47, 0, 9 # store output -+ xxlxor 48, 48, 16 -+ stxvb16x 48, 15, 9 # store output -+ -+ vcipherlast 17, 17, 23 -+ vcipherlast 18, 18, 23 -+ -+ xxlxor 49, 49, 17 -+ stxvb16x 49, 16, 9 # store output -+ xxlxor 50, 50, 18 -+ stxvb16x 50, 17, 9 # store output -+ -+ vcipherlast 19, 19, 23 -+ vcipherlast 20, 20, 23 -+ -+ xxlxor 51, 51, 19 -+ stxvb16x 51, 18, 9 # store output -+ xxlxor 52, 52, 20 -+ stxvb16x 52, 19, 9 # store output -+ -+ vcipherlast 21, 21, 23 -+ vcipherlast 22, 22, 23 -+ -+ xxlxor 53, 53, 21 -+ stxvb16x 53, 20, 9 # store output -+ xxlxor 54, 54, 22 -+ stxvb16x 54, 21, 9 # store output -+ -+ addi 9, 9, 128 -+ -+ xxlor 15+32, 15, 15 -+ xxlor 16+32, 16, 16 -+ xxlor 17+32, 17, 17 -+ xxlor 18+32, 18, 18 -+ xxlor 19+32, 19, 19 -+ xxlor 20+32, 20, 20 -+ xxlor 21+32, 21, 21 -+ xxlor 22+32, 22, 22 -+ -+ # ghash here -+ ppc_aes_gcm_ghash2_4x -+ -+ xxlor 27+32, 0, 0 -+ vaddudm 30, 30, 31 # IV + counter -+ vmr 29, 30 -+ vxor 15, 30, 27 # add round key -+ vaddudm 30, 30, 31 -+ vxor 16, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 17, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 18, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 19, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 20, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 21, 30, 27 -+ vaddudm 30, 30, 31 -+ vxor 22, 30, 27 -+ addi 12, 12, -128 -+ addi 11, 11, 128 -+ -+ bdnz Loop_8x_block_dec -+ -+ vmr 30, 29 -+ -+Loop_last_block_dec: -+ cmpdi 12, 0 -+ beq aes_gcm_out -+ -+ # loop last few blocks -+ li 10, 16 -+ divdu 10, 12, 10 -+ -+ mtctr 10 -+ -+ lwz 10,240(6) -+ -+ cmpdi 12, 16 -+ blt Final_block_dec -+ -+Next_rem_block_dec: -+ lxvb16x 15, 0, 14 # load block -+ -+ Loop_aes_middle_1x -+ -+ xxlor 23+32, 10, 10 -+ -+ cmpdi 10, 10 -+ beq Do_next_1x_dec -+ -+ # 192 bits -+ xxlor 24+32, 11, 11 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 12, 12 -+ -+ cmpdi 10, 12 -+ beq Do_next_1x_dec -+ -+ # 256 bits -+ xxlor 24+32, 13, 13 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 14, 14 -+ -+ cmpdi 10, 14 -+ beq Do_next_1x_dec -+ -+Do_next_1x_dec: -+ vcipherlast 15, 15, 23 -+ -+ xxlxor 47, 47, 15 -+ stxvb16x 47, 0, 9 # store output -+ addi 14, 14, 16 -+ addi 9, 9, 16 -+ -+ xxlor 28+32, 15, 15 -+ ppc_update_hash_1x -+ -+ addi 12, 12, -16 -+ addi 11, 11, 16 -+ xxlor 19+32, 0, 0 -+ vaddudm 30, 30, 31 # IV + counter -+ vxor 15, 30, 19 # add round key -+ -+ bdnz Next_rem_block_dec -+ -+ cmpdi 12, 0 -+ beq aes_gcm_out -+ -+Final_block_dec: -+ Loop_aes_middle_1x -+ -+ xxlor 23+32, 10, 10 -+ -+ cmpdi 10, 10 -+ beq Do_final_1x_dec -+ -+ # 192 bits -+ xxlor 24+32, 11, 11 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 12, 12 -+ -+ cmpdi 10, 12 -+ beq Do_final_1x_dec -+ -+ # 256 bits -+ xxlor 24+32, 13, 13 -+ -+ vcipher 15, 15, 23 -+ vcipher 15, 15, 24 -+ -+ xxlor 23+32, 14, 14 -+ -+ cmpdi 10, 14 -+ beq Do_final_1x_dec -+ -+Do_final_1x_dec: -+ vcipherlast 15, 15, 23 -+ -+ lxvb16x 15, 0, 14 # load block -+ xxlxor 47, 47, 15 -+ -+ # create partial block mask -+ li 15, 16 -+ sub 15, 15, 12 # index to the mask -+ -+ vspltisb 16, -1 # first 16 bytes - 0xffff...ff -+ vspltisb 17, 0 # second 16 bytes - 0x0000...00 -+ li 10, 192 -+ stvx 16, 10, 1 -+ addi 10, 10, 16 -+ stvx 17, 10, 1 -+ -+ addi 10, 1, 192 -+ lxvb16x 16, 15, 10 # load block mask -+ xxland 47, 47, 16 -+ -+ xxlor 28+32, 15, 15 -+ ppc_update_hash_1x -+ -+ # * should store only the remaining bytes. -+ bl Write_partial_block -+ -+ b aes_gcm_out -+ -+ -+___ -+ -+foreach (split("\n",$code)) { -+ s/\`([^\`]*)\`/eval $1/geo; -+ -+ if ($flavour =~ /le$/o) { # little-endian -+ s/le\?//o or -+ s/be\?/#be#/o; -+ } else { -+ s/le\?/#le#/o or -+ s/be\?//o; -+ } -+ print $_,"\n"; -+} -+ -+close STDOUT or die "error closing STDOUT: $!"; # enforce flush -diff --git a/crypto/modes/build.info b/crypto/modes/build.info -index 687e872..0ea122e 100644 ---- a/crypto/modes/build.info -+++ b/crypto/modes/build.info -@@ -32,7 +32,7 @@ IF[{- !$disabled{asm} -}] - $MODESASM_parisc20_64=$MODESASM_parisc11 - $MODESDEF_parisc20_64=$MODESDEF_parisc11 - -- $MODESASM_ppc32=ghashp8-ppc.s -+ $MODESASM_ppc32=ghashp8-ppc.s aes-gcm-ppc.s - $MODESDEF_ppc32= - $MODESASM_ppc64=$MODESASM_ppc32 - $MODESDEF_ppc64=$MODESDEF_ppc32 -@@ -71,6 +71,7 @@ INCLUDE[ghash-sparcv9.o]=.. - GENERATE[ghash-alpha.S]=asm/ghash-alpha.pl - GENERATE[ghash-parisc.s]=asm/ghash-parisc.pl - GENERATE[ghashp8-ppc.s]=asm/ghashp8-ppc.pl -+GENERATE[aes-gcm-ppc.s]=asm/aes-gcm-ppc.pl - GENERATE[ghash-armv4.S]=asm/ghash-armv4.pl - INCLUDE[ghash-armv4.o]=.. - GENERATE[ghashv8-armx.S]=asm/ghashv8-armx.pl -diff --git a/include/crypto/aes_platform.h b/include/crypto/aes_platform.h -index e95ad5a..0c281a3 100644 ---- a/include/crypto/aes_platform.h -+++ b/include/crypto/aes_platform.h -@@ -74,6 +74,26 @@ void AES_xts_decrypt(const unsigned char *inp, unsigned char *out, size_t len, - # define HWAES_ctr32_encrypt_blocks aes_p8_ctr32_encrypt_blocks - # define HWAES_xts_encrypt aes_p8_xts_encrypt - # define HWAES_xts_decrypt aes_p8_xts_decrypt -+# define PPC_AES_GCM_CAPABLE (OPENSSL_ppccap_P & PPC_MADD300) -+# define AES_GCM_ENC_BYTES 128 -+# define AES_GCM_DEC_BYTES 128 -+size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, -+ size_t len, const void *key, unsigned char ivec[16], -+ u64 *Xi); -+size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, -+ size_t len, const void *key, unsigned char ivec[16], -+ u64 *Xi); -+size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out, -+ size_t len, const void *key, -+ unsigned char ivec[16], u64 *Xi); -+size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out, -+ size_t len, const void *key, -+ unsigned char ivec[16], u64 *Xi); -+# define AES_gcm_encrypt ppc_aes_gcm_encrypt_wrap -+# define AES_gcm_decrypt ppc_aes_gcm_decrypt_wrap -+# define AES_GCM_ASM(gctx) ((gctx)->ctr==aes_p8_ctr32_encrypt_blocks && \ -+ (gctx)->gcm.ghash==gcm_ghash_p8) -+void gcm_ghash_p8(u64 Xi[2],const u128 Htable[16],const u8 *inp, size_t len); - # endif /* PPC */ - - # if (defined(__arm__) || defined(__arm) || defined(__aarch64__)) -diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw.c b/providers/implementations/ciphers/cipher_aes_gcm_hw.c -index 44fa9d4..789ec12 100644 ---- a/providers/implementations/ciphers/cipher_aes_gcm_hw.c -+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw.c -@@ -141,6 +141,8 @@ static const PROV_GCM_HW aes_gcm = { - # include "cipher_aes_gcm_hw_t4.inc" - #elif defined(AES_PMULL_CAPABLE) && defined(AES_GCM_ASM) - # include "cipher_aes_gcm_hw_armv8.inc" -+#elif defined(PPC_AES_GCM_CAPABLE) -+# include "cipher_aes_gcm_hw_ppc.inc" - #else - const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits) - { -diff --git a/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc b/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc -new file mode 100644 -index 0000000..4eed0f4 ---- /dev/null -+++ b/providers/implementations/ciphers/cipher_aes_gcm_hw_ppc.inc -@@ -0,0 +1,119 @@ -+/* -+ * Copyright 2001-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+/*- -+ * PPC support for AES GCM. -+ * This file is included by cipher_aes_gcm_hw.c -+ */ -+ -+static int aes_ppc_gcm_initkey(PROV_GCM_CTX *ctx, const unsigned char *key, -+ size_t keylen) -+{ -+ PROV_AES_GCM_CTX *actx = (PROV_AES_GCM_CTX *)ctx; -+ AES_KEY *ks = &actx->ks.ks; -+ -+ GCM_HW_SET_KEY_CTR_FN(ks, aes_p8_set_encrypt_key, aes_p8_encrypt, -+ aes_p8_ctr32_encrypt_blocks); -+ return 1; -+} -+ -+ -+extern size_t ppc_aes_gcm_encrypt(const unsigned char *in, unsigned char *out, size_t len, -+ const void *key, unsigned char ivec[16], u64 *Xi); -+extern size_t ppc_aes_gcm_decrypt(const unsigned char *in, unsigned char *out, size_t len, -+ const void *key, unsigned char ivec[16], u64 *Xi); -+ -+static inline u32 UTO32(unsigned char *buf) -+{ -+ return ((u32) buf[0] << 24) | ((u32) buf[1] << 16) | ((u32) buf[2] << 8) | ((u32) buf[3]); -+} -+ -+static inline u32 add32TOU(unsigned char buf[4], u32 n) -+{ -+ u32 r; -+ -+ r = UTO32(buf); -+ r += n; -+ buf[0] = (unsigned char) (r >> 24) & 0xFF; -+ buf[1] = (unsigned char) (r >> 16) & 0xFF; -+ buf[2] = (unsigned char) (r >> 8) & 0xFF; -+ buf[3] = (unsigned char) r & 0xFF; -+ return r; -+} -+ -+static size_t aes_p10_gcm_crypt(const unsigned char *in, unsigned char *out, size_t len, -+ const void *key, unsigned char ivec[16], u64 *Xi, int encrypt) -+{ -+ int s = 0; -+ int ndone = 0; -+ int ctr_reset = 0; -+ u64 blocks_unused; -+ u64 nb = len / 16; -+ u64 next_ctr = 0; -+ unsigned char ctr_saved[12]; -+ -+ memcpy(ctr_saved, ivec, 12); -+ -+ while (nb) { -+ blocks_unused = (u64) 0xffffffffU + 1 - (u64) UTO32 (ivec + 12); -+ if (nb > blocks_unused) { -+ len = blocks_unused * 16; -+ nb -= blocks_unused; -+ next_ctr = blocks_unused; -+ ctr_reset = 1; -+ } else { -+ len = nb * 16; -+ next_ctr = nb; -+ nb = 0; -+ } -+ -+ s = encrypt ? ppc_aes_gcm_encrypt(in, out, len, key, ivec, Xi) -+ : ppc_aes_gcm_decrypt(in, out, len, key, ivec, Xi); -+ -+ /* add counter to ivec */ -+ add32TOU(ivec + 12, (u32) next_ctr); -+ if (ctr_reset) { -+ ctr_reset = 0; -+ in += len; -+ out += len; -+ } -+ memcpy(ivec, ctr_saved, 12); -+ ndone += s; -+ } -+ -+ return ndone; -+} -+ -+size_t ppc_aes_gcm_encrypt_wrap(const unsigned char *in, unsigned char *out, size_t len, -+ const void *key, unsigned char ivec[16], u64 *Xi) -+{ -+ return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 1); -+} -+ -+size_t ppc_aes_gcm_decrypt_wrap(const unsigned char *in, unsigned char *out, size_t len, -+ const void *key, unsigned char ivec[16], u64 *Xi) -+{ -+ return aes_p10_gcm_crypt(in, out, len, key, ivec, Xi, 0); -+} -+ -+ -+static const PROV_GCM_HW aes_ppc_gcm = { -+ aes_ppc_gcm_initkey, -+ ossl_gcm_setiv, -+ ossl_gcm_aad_update, -+ generic_aes_gcm_cipher_update, -+ ossl_gcm_cipher_final, -+ ossl_gcm_one_shot -+}; -+ -+const PROV_GCM_HW *ossl_prov_aes_hw_gcm(size_t keybits) -+{ -+ return PPC_AES_GCM_CAPABLE ? &aes_ppc_gcm : &aes_gcm; -+} -+ diff --git a/SOURCES/0072-ChaCha20-performance-optimizations-for-ppc64le.patch b/SOURCES/0072-ChaCha20-performance-optimizations-for-ppc64le.patch deleted file mode 100644 index e5e7f9b..0000000 --- a/SOURCES/0072-ChaCha20-performance-optimizations-for-ppc64le.patch +++ /dev/null @@ -1,1493 +0,0 @@ -Upstream-Status: Backport [ - https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149, - https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa, - hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447 -] -diff --git a/crypto/chacha/asm/chachap10-ppc.pl b/crypto/chacha/asm/chachap10-ppc.pl -new file mode 100755 -index 0000000..36e9a8d ---- /dev/null -+++ b/crypto/chacha/asm/chachap10-ppc.pl -@@ -0,0 +1,1288 @@ -+#! /usr/bin/env perl -+# Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+# -+# ==================================================================== -+# Written by Andy Polyakov for the OpenSSL -+# project. The module is, however, dual licensed under OpenSSL and -+# CRYPTOGAMS licenses depending on where you obtain it. For further -+# details see http://www.openssl.org/~appro/cryptogams/. -+# ==================================================================== -+# -+# October 2015 -+# -+# ChaCha20 for PowerPC/AltiVec. -+# -+# June 2018 -+# -+# Add VSX 2.07 code path. Original 3xAltiVec+1xIALU is well-suited for -+# processors that can't issue more than one vector instruction per -+# cycle. But POWER8 (and POWER9) can issue a pair, and vector-only 4x -+# interleave would perform better. Incidentally PowerISA 2.07 (first -+# implemented by POWER8) defined new usable instructions, hence 4xVSX -+# code path... -+# -+# Performance in cycles per byte out of large buffer. -+# -+# IALU/gcc-4.x 3xAltiVec+1xIALU 4xVSX -+# -+# Freescale e300 13.6/+115% - - -+# PPC74x0/G4e 6.81/+310% 3.81 - -+# PPC970/G5 9.29/+160% ? - -+# POWER7 8.62/+61% 3.35 - -+# POWER8 8.70/+51% 2.91 2.09 -+# POWER9 8.80/+29% 4.44(*) 2.45(**) -+# -+# (*) this is trade-off result, it's possible to improve it, but -+# then it would negatively affect all others; -+# (**) POWER9 seems to be "allergic" to mixing vector and integer -+# instructions, which is why switch to vector-only code pays -+# off that much; -+ -+# $output is the last argument if it looks like a file (it has an extension) -+# $flavour is the first argument if it doesn't look like a file -+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; -+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; -+ -+if ($flavour =~ /64/) { -+ $SIZE_T =8; -+ $LRSAVE =2*$SIZE_T; -+ $STU ="stdu"; -+ $POP ="ld"; -+ $PUSH ="std"; -+ $UCMP ="cmpld"; -+} elsif ($flavour =~ /32/) { -+ $SIZE_T =4; -+ $LRSAVE =$SIZE_T; -+ $STU ="stwu"; -+ $POP ="lwz"; -+ $PUSH ="stw"; -+ $UCMP ="cmplw"; -+} else { die "nonsense $flavour"; } -+ -+$LITTLE_ENDIAN = ($flavour=~/le$/) ? 1 : 0; -+ -+$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; -+( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or -+( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or -+die "can't locate ppc-xlate.pl"; -+ -+open STDOUT,"| $^X $xlate $flavour \"$output\"" -+ or die "can't call $xlate: $!"; -+ -+$LOCALS=6*$SIZE_T; -+$FRAME=$LOCALS+64+18*$SIZE_T; # 64 is for local variables -+ -+sub AUTOLOAD() # thunk [simplified] x86-style perlasm -+{ my $opcode = $AUTOLOAD; $opcode =~ s/.*:://; $opcode =~ s/_/\./; -+ $code .= "\t$opcode\t".join(',',@_)."\n"; -+} -+ -+my $sp = "r1"; -+ -+my ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7)); -+ -+ -+{{{ -+my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, -+ $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3) = map("v$_",(0..15)); -+my @K = map("v$_",(16..19)); -+my $CTR = "v26"; -+my ($xt0,$xt1,$xt2,$xt3) = map("v$_",(27..30)); -+my ($sixteen,$twelve,$eight,$seven) = ($xt0,$xt1,$xt2,$xt3); -+my $beperm = "v31"; -+ -+my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10))); -+ -+my $FRAME=$LOCALS+64+7*16; # 7*16 is for v26-v31 offload -+ -+ -+sub VSX_lane_ROUND_4x { -+my ($a0,$b0,$c0,$d0)=@_; -+my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); -+my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); -+my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); -+my @x=map("\"v$_\"",(0..15)); -+ -+ ( -+ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", # Q1 -+ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", # Q2 -+ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", # Q3 -+ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", # Q4 -+ "&vxor (@x[$d0],@x[$d0],@x[$a0])", -+ "&vxor (@x[$d1],@x[$d1],@x[$a1])", -+ "&vxor (@x[$d2],@x[$d2],@x[$a2])", -+ "&vxor (@x[$d3],@x[$d3],@x[$a3])", -+ "&vrlw (@x[$d0],@x[$d0],'$sixteen')", -+ "&vrlw (@x[$d1],@x[$d1],'$sixteen')", -+ "&vrlw (@x[$d2],@x[$d2],'$sixteen')", -+ "&vrlw (@x[$d3],@x[$d3],'$sixteen')", -+ -+ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", -+ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", -+ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", -+ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", -+ "&vxor (@x[$b0],@x[$b0],@x[$c0])", -+ "&vxor (@x[$b1],@x[$b1],@x[$c1])", -+ "&vxor (@x[$b2],@x[$b2],@x[$c2])", -+ "&vxor (@x[$b3],@x[$b3],@x[$c3])", -+ "&vrlw (@x[$b0],@x[$b0],'$twelve')", -+ "&vrlw (@x[$b1],@x[$b1],'$twelve')", -+ "&vrlw (@x[$b2],@x[$b2],'$twelve')", -+ "&vrlw (@x[$b3],@x[$b3],'$twelve')", -+ -+ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", -+ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", -+ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", -+ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", -+ "&vxor (@x[$d0],@x[$d0],@x[$a0])", -+ "&vxor (@x[$d1],@x[$d1],@x[$a1])", -+ "&vxor (@x[$d2],@x[$d2],@x[$a2])", -+ "&vxor (@x[$d3],@x[$d3],@x[$a3])", -+ "&vrlw (@x[$d0],@x[$d0],'$eight')", -+ "&vrlw (@x[$d1],@x[$d1],'$eight')", -+ "&vrlw (@x[$d2],@x[$d2],'$eight')", -+ "&vrlw (@x[$d3],@x[$d3],'$eight')", -+ -+ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", -+ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", -+ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", -+ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", -+ "&vxor (@x[$b0],@x[$b0],@x[$c0])", -+ "&vxor (@x[$b1],@x[$b1],@x[$c1])", -+ "&vxor (@x[$b2],@x[$b2],@x[$c2])", -+ "&vxor (@x[$b3],@x[$b3],@x[$c3])", -+ "&vrlw (@x[$b0],@x[$b0],'$seven')", -+ "&vrlw (@x[$b1],@x[$b1],'$seven')", -+ "&vrlw (@x[$b2],@x[$b2],'$seven')", -+ "&vrlw (@x[$b3],@x[$b3],'$seven')" -+ ); -+} -+ -+$code.=<<___; -+ -+.globl .ChaCha20_ctr32_vsx_p10 -+.align 5 -+.ChaCha20_ctr32_vsx_p10: -+ ${UCMP}i $len,255 -+ bgt ChaCha20_ctr32_vsx_8x -+ $STU $sp,-$FRAME($sp) -+ mflr r0 -+ li r10,`15+$LOCALS+64` -+ li r11,`31+$LOCALS+64` -+ mfspr r12,256 -+ stvx v26,r10,$sp -+ addi r10,r10,32 -+ stvx v27,r11,$sp -+ addi r11,r11,32 -+ stvx v28,r10,$sp -+ addi r10,r10,32 -+ stvx v29,r11,$sp -+ addi r11,r11,32 -+ stvx v30,r10,$sp -+ stvx v31,r11,$sp -+ stw r12,`$FRAME-4`($sp) # save vrsave -+ li r12,-4096+63 -+ $PUSH r0, `$FRAME+$LRSAVE`($sp) -+ mtspr 256,r12 # preserve 29 AltiVec registers -+ -+ bl Lconsts # returns pointer Lsigma in r12 -+ lvx_4w @K[0],0,r12 # load sigma -+ addi r12,r12,0x70 -+ li $x10,16 -+ li $x20,32 -+ li $x30,48 -+ li r11,64 -+ -+ lvx_4w @K[1],0,$key # load key -+ lvx_4w @K[2],$x10,$key -+ lvx_4w @K[3],0,$ctr # load counter -+ -+ vxor $xt0,$xt0,$xt0 -+ lvx_4w $xt1,r11,r12 -+ vspltw $CTR,@K[3],0 -+ vsldoi @K[3],@K[3],$xt0,4 -+ vsldoi @K[3],$xt0,@K[3],12 # clear @K[3].word[0] -+ vadduwm $CTR,$CTR,$xt1 -+ -+ be?lvsl $beperm,0,$x10 # 0x00..0f -+ be?vspltisb $xt0,3 # 0x03..03 -+ be?vxor $beperm,$beperm,$xt0 # swap bytes within words -+ -+ li r0,10 # inner loop counter -+ mtctr r0 -+ b Loop_outer_vsx -+ -+.align 5 -+Loop_outer_vsx: -+ lvx $xa0,$x00,r12 # load [smashed] sigma -+ lvx $xa1,$x10,r12 -+ lvx $xa2,$x20,r12 -+ lvx $xa3,$x30,r12 -+ -+ vspltw $xb0,@K[1],0 # smash the key -+ vspltw $xb1,@K[1],1 -+ vspltw $xb2,@K[1],2 -+ vspltw $xb3,@K[1],3 -+ -+ vspltw $xc0,@K[2],0 -+ vspltw $xc1,@K[2],1 -+ vspltw $xc2,@K[2],2 -+ vspltw $xc3,@K[2],3 -+ -+ vmr $xd0,$CTR # smash the counter -+ vspltw $xd1,@K[3],1 -+ vspltw $xd2,@K[3],2 -+ vspltw $xd3,@K[3],3 -+ -+ vspltisw $sixteen,-16 # synthesize constants -+ vspltisw $twelve,12 -+ vspltisw $eight,8 -+ vspltisw $seven,7 -+ -+Loop_vsx_4x: -+___ -+ foreach (&VSX_lane_ROUND_4x(0, 4, 8,12)) { eval; } -+ foreach (&VSX_lane_ROUND_4x(0, 5,10,15)) { eval; } -+$code.=<<___; -+ -+ bdnz Loop_vsx_4x -+ -+ vadduwm $xd0,$xd0,$CTR -+ -+ vmrgew $xt0,$xa0,$xa1 # transpose data -+ vmrgew $xt1,$xa2,$xa3 -+ vmrgow $xa0,$xa0,$xa1 -+ vmrgow $xa2,$xa2,$xa3 -+ vmrgew $xt2,$xb0,$xb1 -+ vmrgew $xt3,$xb2,$xb3 -+ vpermdi $xa1,$xa0,$xa2,0b00 -+ vpermdi $xa3,$xa0,$xa2,0b11 -+ vpermdi $xa0,$xt0,$xt1,0b00 -+ vpermdi $xa2,$xt0,$xt1,0b11 -+ -+ vmrgow $xb0,$xb0,$xb1 -+ vmrgow $xb2,$xb2,$xb3 -+ vmrgew $xt0,$xc0,$xc1 -+ vmrgew $xt1,$xc2,$xc3 -+ vpermdi $xb1,$xb0,$xb2,0b00 -+ vpermdi $xb3,$xb0,$xb2,0b11 -+ vpermdi $xb0,$xt2,$xt3,0b00 -+ vpermdi $xb2,$xt2,$xt3,0b11 -+ -+ vmrgow $xc0,$xc0,$xc1 -+ vmrgow $xc2,$xc2,$xc3 -+ vmrgew $xt2,$xd0,$xd1 -+ vmrgew $xt3,$xd2,$xd3 -+ vpermdi $xc1,$xc0,$xc2,0b00 -+ vpermdi $xc3,$xc0,$xc2,0b11 -+ vpermdi $xc0,$xt0,$xt1,0b00 -+ vpermdi $xc2,$xt0,$xt1,0b11 -+ -+ vmrgow $xd0,$xd0,$xd1 -+ vmrgow $xd2,$xd2,$xd3 -+ vspltisw $xt0,4 -+ vadduwm $CTR,$CTR,$xt0 # next counter value -+ vpermdi $xd1,$xd0,$xd2,0b00 -+ vpermdi $xd3,$xd0,$xd2,0b11 -+ vpermdi $xd0,$xt2,$xt3,0b00 -+ vpermdi $xd2,$xt2,$xt3,0b11 -+ -+ vadduwm $xa0,$xa0,@K[0] -+ vadduwm $xb0,$xb0,@K[1] -+ vadduwm $xc0,$xc0,@K[2] -+ vadduwm $xd0,$xd0,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx -+ -+ vadduwm $xa0,$xa1,@K[0] -+ vadduwm $xb0,$xb1,@K[1] -+ vadduwm $xc0,$xc1,@K[2] -+ vadduwm $xd0,$xd1,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx -+ -+ vadduwm $xa0,$xa2,@K[0] -+ vadduwm $xb0,$xb2,@K[1] -+ vadduwm $xc0,$xc2,@K[2] -+ vadduwm $xd0,$xd2,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx -+ -+ vadduwm $xa0,$xa3,@K[0] -+ vadduwm $xb0,$xb3,@K[1] -+ vadduwm $xc0,$xc3,@K[2] -+ vadduwm $xd0,$xd3,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ mtctr r0 -+ bne Loop_outer_vsx -+ -+Ldone_vsx: -+ lwz r12,`$FRAME-4`($sp) # pull vrsave -+ li r10,`15+$LOCALS+64` -+ li r11,`31+$LOCALS+64` -+ $POP r0, `$FRAME+$LRSAVE`($sp) -+ mtspr 256,r12 # restore vrsave -+ lvx v26,r10,$sp -+ addi r10,r10,32 -+ lvx v27,r11,$sp -+ addi r11,r11,32 -+ lvx v28,r10,$sp -+ addi r10,r10,32 -+ lvx v29,r11,$sp -+ addi r11,r11,32 -+ lvx v30,r10,$sp -+ lvx v31,r11,$sp -+ mtlr r0 -+ addi $sp,$sp,$FRAME -+ blr -+ -+.align 4 -+Ltail_vsx: -+ addi r11,$sp,$LOCALS -+ mtctr $len -+ stvx_4w $xa0,$x00,r11 # offload block to stack -+ stvx_4w $xb0,$x10,r11 -+ stvx_4w $xc0,$x20,r11 -+ stvx_4w $xd0,$x30,r11 -+ subi r12,r11,1 # prepare for *++ptr -+ subi $inp,$inp,1 -+ subi $out,$out,1 -+ -+Loop_tail_vsx: -+ lbzu r6,1(r12) -+ lbzu r7,1($inp) -+ xor r6,r6,r7 -+ stbu r6,1($out) -+ bdnz Loop_tail_vsx -+ -+ stvx_4w $K[0],$x00,r11 # wipe copy of the block -+ stvx_4w $K[0],$x10,r11 -+ stvx_4w $K[0],$x20,r11 -+ stvx_4w $K[0],$x30,r11 -+ -+ b Ldone_vsx -+ .long 0 -+ .byte 0,12,0x04,1,0x80,0,5,0 -+ .long 0 -+.size .ChaCha20_ctr32_vsx_p10,.-.ChaCha20_ctr32_vsx_p10 -+___ -+}}} -+ -+##This is 8 block in parallel implementation. The heart of chacha round uses vector instruction that has access to -+# vsr[32+X]. To perform the 8 parallel block we tend to use all 32 register to hold the 8 block info. -+# WE need to store few register value on side, so we can use VSR{32+X} for few vector instructions used in round op and hold intermediate value. -+# WE use the VSR[0]-VSR[31] for holding intermediate value and perform 8 block in parallel. -+# -+{{{ -+#### ($out,$inp,$len,$key,$ctr) = map("r$_",(3..7)); -+my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3, -+ $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3, -+ $xa4,$xa5,$xa6,$xa7, $xb4,$xb5,$xb6,$xb7, -+ $xc4,$xc5,$xc6,$xc7, $xd4,$xd5,$xd6,$xd7) = map("v$_",(0..31)); -+my ($xcn4,$xcn5,$xcn6,$xcn7, $xdn4,$xdn5,$xdn6,$xdn7) = map("v$_",(8..15)); -+my ($xan0,$xbn0,$xcn0,$xdn0) = map("v$_",(0..3)); -+my @K = map("v$_",27,(24..26)); -+my ($xt0,$xt1,$xt2,$xt3,$xt4) = map("v$_",23,(28..31)); -+my $xr0 = "v4"; -+my $CTR0 = "v22"; -+my $CTR1 = "v5"; -+my $beperm = "v31"; -+my ($x00,$x10,$x20,$x30) = (0, map("r$_",(8..10))); -+my ($xv0,$xv1,$xv2,$xv3,$xv4,$xv5,$xv6,$xv7) = map("v$_",(0..7)); -+my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("v$_",(8..17)); -+my ($xv18,$xv19,$xv20,$xv21) = map("v$_",(18..21)); -+my ($xv22,$xv23,$xv24,$xv25,$xv26) = map("v$_",(22..26)); -+ -+my $FRAME=$LOCALS+64+9*16; # 8*16 is for v24-v31 offload -+ -+sub VSX_lane_ROUND_8x { -+my ($a0,$b0,$c0,$d0,$a4,$b4,$c4,$d4)=@_; -+my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0)); -+my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1)); -+my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2)); -+my ($a5,$b5,$c5,$d5)=map(($_&~3)+(($_+1)&3),($a4,$b4,$c4,$d4)); -+my ($a6,$b6,$c6,$d6)=map(($_&~3)+(($_+1)&3),($a5,$b5,$c5,$d5)); -+my ($a7,$b7,$c7,$d7)=map(($_&~3)+(($_+1)&3),($a6,$b6,$c6,$d6)); -+my ($xv8,$xv9,$xv10,$xv11,$xv12,$xv13,$xv14,$xv15,$xv16,$xv17) = map("\"v$_\"",(8..17)); -+my @x=map("\"v$_\"",(0..31)); -+ -+ ( -+ "&vxxlor ($xv15 ,@x[$c7],@x[$c7])", #copy v30 to v13 -+ "&vxxlorc (@x[$c7], $xv9,$xv9)", -+ -+ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", # Q1 -+ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", # Q2 -+ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", # Q3 -+ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", # Q4 -+ "&vadduwm (@x[$a4],@x[$a4],@x[$b4])", # Q1 -+ "&vadduwm (@x[$a5],@x[$a5],@x[$b5])", # Q2 -+ "&vadduwm (@x[$a6],@x[$a6],@x[$b6])", # Q3 -+ "&vadduwm (@x[$a7],@x[$a7],@x[$b7])", # Q4 -+ -+ "&vxor (@x[$d0],@x[$d0],@x[$a0])", -+ "&vxor (@x[$d1],@x[$d1],@x[$a1])", -+ "&vxor (@x[$d2],@x[$d2],@x[$a2])", -+ "&vxor (@x[$d3],@x[$d3],@x[$a3])", -+ "&vxor (@x[$d4],@x[$d4],@x[$a4])", -+ "&vxor (@x[$d5],@x[$d5],@x[$a5])", -+ "&vxor (@x[$d6],@x[$d6],@x[$a6])", -+ "&vxor (@x[$d7],@x[$d7],@x[$a7])", -+ -+ "&vrlw (@x[$d0],@x[$d0],@x[$c7])", -+ "&vrlw (@x[$d1],@x[$d1],@x[$c7])", -+ "&vrlw (@x[$d2],@x[$d2],@x[$c7])", -+ "&vrlw (@x[$d3],@x[$d3],@x[$c7])", -+ "&vrlw (@x[$d4],@x[$d4],@x[$c7])", -+ "&vrlw (@x[$d5],@x[$d5],@x[$c7])", -+ "&vrlw (@x[$d6],@x[$d6],@x[$c7])", -+ "&vrlw (@x[$d7],@x[$d7],@x[$c7])", -+ -+ "&vxxlor ($xv13 ,@x[$a7],@x[$a7])", -+ "&vxxlorc (@x[$c7], $xv15,$xv15)", -+ "&vxxlorc (@x[$a7], $xv10,$xv10)", -+ -+ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", -+ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", -+ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", -+ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", -+ "&vadduwm (@x[$c4],@x[$c4],@x[$d4])", -+ "&vadduwm (@x[$c5],@x[$c5],@x[$d5])", -+ "&vadduwm (@x[$c6],@x[$c6],@x[$d6])", -+ "&vadduwm (@x[$c7],@x[$c7],@x[$d7])", -+ -+ "&vxor (@x[$b0],@x[$b0],@x[$c0])", -+ "&vxor (@x[$b1],@x[$b1],@x[$c1])", -+ "&vxor (@x[$b2],@x[$b2],@x[$c2])", -+ "&vxor (@x[$b3],@x[$b3],@x[$c3])", -+ "&vxor (@x[$b4],@x[$b4],@x[$c4])", -+ "&vxor (@x[$b5],@x[$b5],@x[$c5])", -+ "&vxor (@x[$b6],@x[$b6],@x[$c6])", -+ "&vxor (@x[$b7],@x[$b7],@x[$c7])", -+ -+ "&vrlw (@x[$b0],@x[$b0],@x[$a7])", -+ "&vrlw (@x[$b1],@x[$b1],@x[$a7])", -+ "&vrlw (@x[$b2],@x[$b2],@x[$a7])", -+ "&vrlw (@x[$b3],@x[$b3],@x[$a7])", -+ "&vrlw (@x[$b4],@x[$b4],@x[$a7])", -+ "&vrlw (@x[$b5],@x[$b5],@x[$a7])", -+ "&vrlw (@x[$b6],@x[$b6],@x[$a7])", -+ "&vrlw (@x[$b7],@x[$b7],@x[$a7])", -+ -+ "&vxxlorc (@x[$a7], $xv13,$xv13)", -+ "&vxxlor ($xv15 ,@x[$c7],@x[$c7])", -+ "&vxxlorc (@x[$c7], $xv11,$xv11)", -+ -+ -+ "&vadduwm (@x[$a0],@x[$a0],@x[$b0])", -+ "&vadduwm (@x[$a1],@x[$a1],@x[$b1])", -+ "&vadduwm (@x[$a2],@x[$a2],@x[$b2])", -+ "&vadduwm (@x[$a3],@x[$a3],@x[$b3])", -+ "&vadduwm (@x[$a4],@x[$a4],@x[$b4])", -+ "&vadduwm (@x[$a5],@x[$a5],@x[$b5])", -+ "&vadduwm (@x[$a6],@x[$a6],@x[$b6])", -+ "&vadduwm (@x[$a7],@x[$a7],@x[$b7])", -+ -+ "&vxor (@x[$d0],@x[$d0],@x[$a0])", -+ "&vxor (@x[$d1],@x[$d1],@x[$a1])", -+ "&vxor (@x[$d2],@x[$d2],@x[$a2])", -+ "&vxor (@x[$d3],@x[$d3],@x[$a3])", -+ "&vxor (@x[$d4],@x[$d4],@x[$a4])", -+ "&vxor (@x[$d5],@x[$d5],@x[$a5])", -+ "&vxor (@x[$d6],@x[$d6],@x[$a6])", -+ "&vxor (@x[$d7],@x[$d7],@x[$a7])", -+ -+ "&vrlw (@x[$d0],@x[$d0],@x[$c7])", -+ "&vrlw (@x[$d1],@x[$d1],@x[$c7])", -+ "&vrlw (@x[$d2],@x[$d2],@x[$c7])", -+ "&vrlw (@x[$d3],@x[$d3],@x[$c7])", -+ "&vrlw (@x[$d4],@x[$d4],@x[$c7])", -+ "&vrlw (@x[$d5],@x[$d5],@x[$c7])", -+ "&vrlw (@x[$d6],@x[$d6],@x[$c7])", -+ "&vrlw (@x[$d7],@x[$d7],@x[$c7])", -+ -+ "&vxxlorc (@x[$c7], $xv15,$xv15)", -+ "&vxxlor ($xv13 ,@x[$a7],@x[$a7])", -+ "&vxxlorc (@x[$a7], $xv12,$xv12)", -+ -+ "&vadduwm (@x[$c0],@x[$c0],@x[$d0])", -+ "&vadduwm (@x[$c1],@x[$c1],@x[$d1])", -+ "&vadduwm (@x[$c2],@x[$c2],@x[$d2])", -+ "&vadduwm (@x[$c3],@x[$c3],@x[$d3])", -+ "&vadduwm (@x[$c4],@x[$c4],@x[$d4])", -+ "&vadduwm (@x[$c5],@x[$c5],@x[$d5])", -+ "&vadduwm (@x[$c6],@x[$c6],@x[$d6])", -+ "&vadduwm (@x[$c7],@x[$c7],@x[$d7])", -+ "&vxor (@x[$b0],@x[$b0],@x[$c0])", -+ "&vxor (@x[$b1],@x[$b1],@x[$c1])", -+ "&vxor (@x[$b2],@x[$b2],@x[$c2])", -+ "&vxor (@x[$b3],@x[$b3],@x[$c3])", -+ "&vxor (@x[$b4],@x[$b4],@x[$c4])", -+ "&vxor (@x[$b5],@x[$b5],@x[$c5])", -+ "&vxor (@x[$b6],@x[$b6],@x[$c6])", -+ "&vxor (@x[$b7],@x[$b7],@x[$c7])", -+ "&vrlw (@x[$b0],@x[$b0],@x[$a7])", -+ "&vrlw (@x[$b1],@x[$b1],@x[$a7])", -+ "&vrlw (@x[$b2],@x[$b2],@x[$a7])", -+ "&vrlw (@x[$b3],@x[$b3],@x[$a7])", -+ "&vrlw (@x[$b4],@x[$b4],@x[$a7])", -+ "&vrlw (@x[$b5],@x[$b5],@x[$a7])", -+ "&vrlw (@x[$b6],@x[$b6],@x[$a7])", -+ "&vrlw (@x[$b7],@x[$b7],@x[$a7])", -+ -+ "&vxxlorc (@x[$a7], $xv13,$xv13)", -+ ); -+} -+ -+$code.=<<___; -+ -+.globl .ChaCha20_ctr32_vsx_8x -+.align 5 -+.ChaCha20_ctr32_vsx_8x: -+ $STU $sp,-$FRAME($sp) -+ mflr r0 -+ li r10,`15+$LOCALS+64` -+ li r11,`31+$LOCALS+64` -+ mfspr r12,256 -+ stvx v24,r10,$sp -+ addi r10,r10,32 -+ stvx v25,r11,$sp -+ addi r11,r11,32 -+ stvx v26,r10,$sp -+ addi r10,r10,32 -+ stvx v27,r11,$sp -+ addi r11,r11,32 -+ stvx v28,r10,$sp -+ addi r10,r10,32 -+ stvx v29,r11,$sp -+ addi r11,r11,32 -+ stvx v30,r10,$sp -+ stvx v31,r11,$sp -+ stw r12,`$FRAME-4`($sp) # save vrsave -+ li r12,-4096+63 -+ $PUSH r0, `$FRAME+$LRSAVE`($sp) -+ mtspr 256,r12 # preserve 29 AltiVec registers -+ -+ bl Lconsts # returns pointer Lsigma in r12 -+ -+ lvx_4w @K[0],0,r12 # load sigma -+ addi r12,r12,0x70 -+ li $x10,16 -+ li $x20,32 -+ li $x30,48 -+ li r11,64 -+ -+ vspltisw $xa4,-16 # synthesize constants -+ vspltisw $xb4,12 # synthesize constants -+ vspltisw $xc4,8 # synthesize constants -+ vspltisw $xd4,7 # synthesize constants -+ -+ lvx $xa0,$x00,r12 # load [smashed] sigma -+ lvx $xa1,$x10,r12 -+ lvx $xa2,$x20,r12 -+ lvx $xa3,$x30,r12 -+ -+ vxxlor $xv9 ,$xa4,$xa4 #save shift val in vr9-12 -+ vxxlor $xv10 ,$xb4,$xb4 -+ vxxlor $xv11 ,$xc4,$xc4 -+ vxxlor $xv12 ,$xd4,$xd4 -+ vxxlor $xv22 ,$xa0,$xa0 #save sigma in vr22-25 -+ vxxlor $xv23 ,$xa1,$xa1 -+ vxxlor $xv24 ,$xa2,$xa2 -+ vxxlor $xv25 ,$xa3,$xa3 -+ -+ lvx_4w @K[1],0,$key # load key -+ lvx_4w @K[2],$x10,$key -+ lvx_4w @K[3],0,$ctr # load counter -+ vspltisw $xt3,4 -+ -+ -+ vxor $xt2,$xt2,$xt2 -+ lvx_4w $xt1,r11,r12 -+ vspltw $xa2,@K[3],0 #save the original count after spltw -+ vsldoi @K[3],@K[3],$xt2,4 -+ vsldoi @K[3],$xt2,@K[3],12 # clear @K[3].word[0] -+ vadduwm $xt1,$xa2,$xt1 -+ vadduwm $xt3,$xt1,$xt3 # next counter value -+ vspltw $xa0,@K[2],2 # save the K[2] spltw 2 and save v8. -+ -+ be?lvsl $beperm,0,$x10 # 0x00..0f -+ be?vspltisb $xt0,3 # 0x03..03 -+ be?vxor $beperm,$beperm,$xt0 # swap bytes within words -+ be?vxxlor $xv26 ,$beperm,$beperm -+ -+ vxxlor $xv0 ,@K[0],@K[0] # K0,k1,k2 to vr0,1,2 -+ vxxlor $xv1 ,@K[1],@K[1] -+ vxxlor $xv2 ,@K[2],@K[2] -+ vxxlor $xv3 ,@K[3],@K[3] -+ vxxlor $xv4 ,$xt1,$xt1 #CTR ->4, CTR+4-> 5 -+ vxxlor $xv5 ,$xt3,$xt3 -+ vxxlor $xv8 ,$xa0,$xa0 -+ -+ li r0,10 # inner loop counter -+ mtctr r0 -+ b Loop_outer_vsx_8x -+ -+.align 5 -+Loop_outer_vsx_8x: -+ vxxlorc $xa0,$xv22,$xv22 # load [smashed] sigma -+ vxxlorc $xa1,$xv23,$xv23 -+ vxxlorc $xa2,$xv24,$xv24 -+ vxxlorc $xa3,$xv25,$xv25 -+ vxxlorc $xa4,$xv22,$xv22 -+ vxxlorc $xa5,$xv23,$xv23 -+ vxxlorc $xa6,$xv24,$xv24 -+ vxxlorc $xa7,$xv25,$xv25 -+ -+ vspltw $xb0,@K[1],0 # smash the key -+ vspltw $xb1,@K[1],1 -+ vspltw $xb2,@K[1],2 -+ vspltw $xb3,@K[1],3 -+ vspltw $xb4,@K[1],0 # smash the key -+ vspltw $xb5,@K[1],1 -+ vspltw $xb6,@K[1],2 -+ vspltw $xb7,@K[1],3 -+ -+ vspltw $xc0,@K[2],0 -+ vspltw $xc1,@K[2],1 -+ vspltw $xc2,@K[2],2 -+ vspltw $xc3,@K[2],3 -+ vspltw $xc4,@K[2],0 -+ vspltw $xc7,@K[2],3 -+ vspltw $xc5,@K[2],1 -+ -+ vxxlorc $xd0,$xv4,$xv4 # smash the counter -+ vspltw $xd1,@K[3],1 -+ vspltw $xd2,@K[3],2 -+ vspltw $xd3,@K[3],3 -+ vxxlorc $xd4,$xv5,$xv5 # smash the counter -+ vspltw $xd5,@K[3],1 -+ vspltw $xd6,@K[3],2 -+ vspltw $xd7,@K[3],3 -+ vxxlorc $xc6,$xv8,$xv8 #copy of vlspt k[2],2 is in v8.v26 ->k[3] so need to wait until k3 is done -+ -+Loop_vsx_8x: -+___ -+ foreach (&VSX_lane_ROUND_8x(0,4, 8,12,16,20,24,28)) { eval; } -+ foreach (&VSX_lane_ROUND_8x(0,5,10,15,16,21,26,31)) { eval; } -+$code.=<<___; -+ -+ bdnz Loop_vsx_8x -+ vxxlor $xv13 ,$xd4,$xd4 # save the register vr24-31 -+ vxxlor $xv14 ,$xd5,$xd5 # -+ vxxlor $xv15 ,$xd6,$xd6 # -+ vxxlor $xv16 ,$xd7,$xd7 # -+ -+ vxxlor $xv18 ,$xc4,$xc4 # -+ vxxlor $xv19 ,$xc5,$xc5 # -+ vxxlor $xv20 ,$xc6,$xc6 # -+ vxxlor $xv21 ,$xc7,$xc7 # -+ -+ vxxlor $xv6 ,$xb6,$xb6 # save vr23, so we get 8 regs -+ vxxlor $xv7 ,$xb7,$xb7 # save vr23, so we get 8 regs -+ be?vxxlorc $beperm,$xv26,$xv26 # copy back the the beperm. -+ -+ vxxlorc @K[0],$xv0,$xv0 #27 -+ vxxlorc @K[1],$xv1,$xv1 #24 -+ vxxlorc @K[2],$xv2,$xv2 #25 -+ vxxlorc @K[3],$xv3,$xv3 #26 -+ vxxlorc $CTR0,$xv4,$xv4 -+###changing to vertical -+ -+ vmrgew $xt0,$xa0,$xa1 # transpose data -+ vmrgew $xt1,$xa2,$xa3 -+ vmrgow $xa0,$xa0,$xa1 -+ vmrgow $xa2,$xa2,$xa3 -+ -+ vmrgew $xt2,$xb0,$xb1 -+ vmrgew $xt3,$xb2,$xb3 -+ vmrgow $xb0,$xb0,$xb1 -+ vmrgow $xb2,$xb2,$xb3 -+ -+ vadduwm $xd0,$xd0,$CTR0 -+ -+ vpermdi $xa1,$xa0,$xa2,0b00 -+ vpermdi $xa3,$xa0,$xa2,0b11 -+ vpermdi $xa0,$xt0,$xt1,0b00 -+ vpermdi $xa2,$xt0,$xt1,0b11 -+ vpermdi $xb1,$xb0,$xb2,0b00 -+ vpermdi $xb3,$xb0,$xb2,0b11 -+ vpermdi $xb0,$xt2,$xt3,0b00 -+ vpermdi $xb2,$xt2,$xt3,0b11 -+ -+ vmrgew $xt0,$xc0,$xc1 -+ vmrgew $xt1,$xc2,$xc3 -+ vmrgow $xc0,$xc0,$xc1 -+ vmrgow $xc2,$xc2,$xc3 -+ vmrgew $xt2,$xd0,$xd1 -+ vmrgew $xt3,$xd2,$xd3 -+ vmrgow $xd0,$xd0,$xd1 -+ vmrgow $xd2,$xd2,$xd3 -+ -+ vpermdi $xc1,$xc0,$xc2,0b00 -+ vpermdi $xc3,$xc0,$xc2,0b11 -+ vpermdi $xc0,$xt0,$xt1,0b00 -+ vpermdi $xc2,$xt0,$xt1,0b11 -+ vpermdi $xd1,$xd0,$xd2,0b00 -+ vpermdi $xd3,$xd0,$xd2,0b11 -+ vpermdi $xd0,$xt2,$xt3,0b00 -+ vpermdi $xd2,$xt2,$xt3,0b11 -+ -+ vspltisw $xt0,8 -+ vadduwm $CTR0,$CTR0,$xt0 # next counter value -+ vxxlor $xv4 ,$CTR0,$CTR0 #CTR+4-> 5 -+ -+ vadduwm $xa0,$xa0,@K[0] -+ vadduwm $xb0,$xb0,@K[1] -+ vadduwm $xc0,$xc0,@K[2] -+ vadduwm $xd0,$xd0,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ vadduwm $xa0,$xa1,@K[0] -+ vadduwm $xb0,$xb1,@K[1] -+ vadduwm $xc0,$xc1,@K[2] -+ vadduwm $xd0,$xd1,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ vadduwm $xa0,$xa2,@K[0] -+ vadduwm $xb0,$xb2,@K[1] -+ vadduwm $xc0,$xc2,@K[2] -+ vadduwm $xd0,$xd2,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ vadduwm $xa0,$xa3,@K[0] -+ vadduwm $xb0,$xb3,@K[1] -+ vadduwm $xc0,$xc3,@K[2] -+ vadduwm $xd0,$xd3,@K[3] -+ -+ be?vperm $xa0,$xa0,$xa0,$beperm -+ be?vperm $xb0,$xb0,$xb0,$beperm -+ be?vperm $xc0,$xc0,$xc0,$beperm -+ be?vperm $xd0,$xd0,$xd0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x -+ -+ lvx_4w $xt0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xt0,$xt0,$xa0 -+ vxor $xt1,$xt1,$xb0 -+ vxor $xt2,$xt2,$xc0 -+ vxor $xt3,$xt3,$xd0 -+ -+ stvx_4w $xt0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+#blk4-7: 24:31 remain the same as we can use the same logic above . Reg a4-b7 remain same.Load c4,d7--> position 8-15.we can reuse vr24-31. -+#VR0-3 : are used to load temp value, vr4 --> as xr0 instead of xt0. -+ -+ vxxlorc $CTR1 ,$xv5,$xv5 -+ -+ vxxlorc $xcn4 ,$xv18,$xv18 -+ vxxlorc $xcn5 ,$xv19,$xv19 -+ vxxlorc $xcn6 ,$xv20,$xv20 -+ vxxlorc $xcn7 ,$xv21,$xv21 -+ -+ vxxlorc $xdn4 ,$xv13,$xv13 -+ vxxlorc $xdn5 ,$xv14,$xv14 -+ vxxlorc $xdn6 ,$xv15,$xv15 -+ vxxlorc $xdn7 ,$xv16,$xv16 -+ vadduwm $xdn4,$xdn4,$CTR1 -+ -+ vxxlorc $xb6 ,$xv6,$xv6 -+ vxxlorc $xb7 ,$xv7,$xv7 -+#use xa1->xr0, as xt0...in the block 4-7 -+ -+ vmrgew $xr0,$xa4,$xa5 # transpose data -+ vmrgew $xt1,$xa6,$xa7 -+ vmrgow $xa4,$xa4,$xa5 -+ vmrgow $xa6,$xa6,$xa7 -+ vmrgew $xt2,$xb4,$xb5 -+ vmrgew $xt3,$xb6,$xb7 -+ vmrgow $xb4,$xb4,$xb5 -+ vmrgow $xb6,$xb6,$xb7 -+ -+ vpermdi $xa5,$xa4,$xa6,0b00 -+ vpermdi $xa7,$xa4,$xa6,0b11 -+ vpermdi $xa4,$xr0,$xt1,0b00 -+ vpermdi $xa6,$xr0,$xt1,0b11 -+ vpermdi $xb5,$xb4,$xb6,0b00 -+ vpermdi $xb7,$xb4,$xb6,0b11 -+ vpermdi $xb4,$xt2,$xt3,0b00 -+ vpermdi $xb6,$xt2,$xt3,0b11 -+ -+ vmrgew $xr0,$xcn4,$xcn5 -+ vmrgew $xt1,$xcn6,$xcn7 -+ vmrgow $xcn4,$xcn4,$xcn5 -+ vmrgow $xcn6,$xcn6,$xcn7 -+ vmrgew $xt2,$xdn4,$xdn5 -+ vmrgew $xt3,$xdn6,$xdn7 -+ vmrgow $xdn4,$xdn4,$xdn5 -+ vmrgow $xdn6,$xdn6,$xdn7 -+ -+ vpermdi $xcn5,$xcn4,$xcn6,0b00 -+ vpermdi $xcn7,$xcn4,$xcn6,0b11 -+ vpermdi $xcn4,$xr0,$xt1,0b00 -+ vpermdi $xcn6,$xr0,$xt1,0b11 -+ vpermdi $xdn5,$xdn4,$xdn6,0b00 -+ vpermdi $xdn7,$xdn4,$xdn6,0b11 -+ vpermdi $xdn4,$xt2,$xt3,0b00 -+ vpermdi $xdn6,$xt2,$xt3,0b11 -+ -+ vspltisw $xr0,8 -+ vadduwm $CTR1,$CTR1,$xr0 # next counter value -+ vxxlor $xv5 ,$CTR1,$CTR1 #CTR+4-> 5 -+ -+ vadduwm $xan0,$xa4,@K[0] -+ vadduwm $xbn0,$xb4,@K[1] -+ vadduwm $xcn0,$xcn4,@K[2] -+ vadduwm $xdn0,$xdn4,@K[3] -+ -+ be?vperm $xan0,$xa4,$xa4,$beperm -+ be?vperm $xbn0,$xb4,$xb4,$beperm -+ be?vperm $xcn0,$xcn4,$xcn4,$beperm -+ be?vperm $xdn0,$xdn4,$xdn4,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x_1 -+ -+ lvx_4w $xr0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xr0,$xr0,$xan0 -+ vxor $xt1,$xt1,$xbn0 -+ vxor $xt2,$xt2,$xcn0 -+ vxor $xt3,$xt3,$xdn0 -+ -+ stvx_4w $xr0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ vadduwm $xan0,$xa5,@K[0] -+ vadduwm $xbn0,$xb5,@K[1] -+ vadduwm $xcn0,$xcn5,@K[2] -+ vadduwm $xdn0,$xdn5,@K[3] -+ -+ be?vperm $xan0,$xan0,$xan0,$beperm -+ be?vperm $xbn0,$xbn0,$xbn0,$beperm -+ be?vperm $xcn0,$xcn0,$xcn0,$beperm -+ be?vperm $xdn0,$xdn0,$xdn0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x_1 -+ -+ lvx_4w $xr0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xr0,$xr0,$xan0 -+ vxor $xt1,$xt1,$xbn0 -+ vxor $xt2,$xt2,$xcn0 -+ vxor $xt3,$xt3,$xdn0 -+ -+ stvx_4w $xr0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ vadduwm $xan0,$xa6,@K[0] -+ vadduwm $xbn0,$xb6,@K[1] -+ vadduwm $xcn0,$xcn6,@K[2] -+ vadduwm $xdn0,$xdn6,@K[3] -+ -+ be?vperm $xan0,$xan0,$xan0,$beperm -+ be?vperm $xbn0,$xbn0,$xbn0,$beperm -+ be?vperm $xcn0,$xcn0,$xcn0,$beperm -+ be?vperm $xdn0,$xdn0,$xdn0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x_1 -+ -+ lvx_4w $xr0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xr0,$xr0,$xan0 -+ vxor $xt1,$xt1,$xbn0 -+ vxor $xt2,$xt2,$xcn0 -+ vxor $xt3,$xt3,$xdn0 -+ -+ stvx_4w $xr0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ vadduwm $xan0,$xa7,@K[0] -+ vadduwm $xbn0,$xb7,@K[1] -+ vadduwm $xcn0,$xcn7,@K[2] -+ vadduwm $xdn0,$xdn7,@K[3] -+ -+ be?vperm $xan0,$xan0,$xan0,$beperm -+ be?vperm $xbn0,$xbn0,$xbn0,$beperm -+ be?vperm $xcn0,$xcn0,$xcn0,$beperm -+ be?vperm $xdn0,$xdn0,$xdn0,$beperm -+ -+ ${UCMP}i $len,0x40 -+ blt Ltail_vsx_8x_1 -+ -+ lvx_4w $xr0,$x00,$inp -+ lvx_4w $xt1,$x10,$inp -+ lvx_4w $xt2,$x20,$inp -+ lvx_4w $xt3,$x30,$inp -+ -+ vxor $xr0,$xr0,$xan0 -+ vxor $xt1,$xt1,$xbn0 -+ vxor $xt2,$xt2,$xcn0 -+ vxor $xt3,$xt3,$xdn0 -+ -+ stvx_4w $xr0,$x00,$out -+ stvx_4w $xt1,$x10,$out -+ addi $inp,$inp,0x40 -+ stvx_4w $xt2,$x20,$out -+ subi $len,$len,0x40 -+ stvx_4w $xt3,$x30,$out -+ addi $out,$out,0x40 -+ beq Ldone_vsx_8x -+ -+ mtctr r0 -+ bne Loop_outer_vsx_8x -+ -+Ldone_vsx_8x: -+ lwz r12,`$FRAME-4`($sp) # pull vrsave -+ li r10,`15+$LOCALS+64` -+ li r11,`31+$LOCALS+64` -+ $POP r0, `$FRAME+$LRSAVE`($sp) -+ mtspr 256,r12 # restore vrsave -+ lvx v24,r10,$sp -+ addi r10,r10,32 -+ lvx v25,r11,$sp -+ addi r11,r11,32 -+ lvx v26,r10,$sp -+ addi r10,r10,32 -+ lvx v27,r11,$sp -+ addi r11,r11,32 -+ lvx v28,r10,$sp -+ addi r10,r10,32 -+ lvx v29,r11,$sp -+ addi r11,r11,32 -+ lvx v30,r10,$sp -+ lvx v31,r11,$sp -+ mtlr r0 -+ addi $sp,$sp,$FRAME -+ blr -+ -+.align 4 -+Ltail_vsx_8x: -+ addi r11,$sp,$LOCALS -+ mtctr $len -+ stvx_4w $xa0,$x00,r11 # offload block to stack -+ stvx_4w $xb0,$x10,r11 -+ stvx_4w $xc0,$x20,r11 -+ stvx_4w $xd0,$x30,r11 -+ subi r12,r11,1 # prepare for *++ptr -+ subi $inp,$inp,1 -+ subi $out,$out,1 -+ bl Loop_tail_vsx_8x -+Ltail_vsx_8x_1: -+ addi r11,$sp,$LOCALS -+ mtctr $len -+ stvx_4w $xan0,$x00,r11 # offload block to stack -+ stvx_4w $xbn0,$x10,r11 -+ stvx_4w $xcn0,$x20,r11 -+ stvx_4w $xdn0,$x30,r11 -+ subi r12,r11,1 # prepare for *++ptr -+ subi $inp,$inp,1 -+ subi $out,$out,1 -+ bl Loop_tail_vsx_8x -+ -+Loop_tail_vsx_8x: -+ lbzu r6,1(r12) -+ lbzu r7,1($inp) -+ xor r6,r6,r7 -+ stbu r6,1($out) -+ bdnz Loop_tail_vsx_8x -+ -+ stvx_4w $K[0],$x00,r11 # wipe copy of the block -+ stvx_4w $K[0],$x10,r11 -+ stvx_4w $K[0],$x20,r11 -+ stvx_4w $K[0],$x30,r11 -+ -+ b Ldone_vsx_8x -+ .long 0 -+ .byte 0,12,0x04,1,0x80,0,5,0 -+ .long 0 -+.size .ChaCha20_ctr32_vsx_8x,.-.ChaCha20_ctr32_vsx_8x -+___ -+}}} -+ -+ -+$code.=<<___; -+.align 5 -+Lconsts: -+ mflr r0 -+ bcl 20,31,\$+4 -+ mflr r12 #vvvvv "distance between . and Lsigma -+ addi r12,r12,`64-8` -+ mtlr r0 -+ blr -+ .long 0 -+ .byte 0,12,0x14,0,0,0,0,0 -+ .space `64-9*4` -+Lsigma: -+ .long 0x61707865,0x3320646e,0x79622d32,0x6b206574 -+ .long 1,0,0,0 -+ .long 2,0,0,0 -+ .long 3,0,0,0 -+ .long 4,0,0,0 -+___ -+$code.=<<___ if ($LITTLE_ENDIAN); -+ .long 0x0e0f0c0d,0x0a0b0809,0x06070405,0x02030001 -+ .long 0x0d0e0f0c,0x090a0b08,0x05060704,0x01020300 -+___ -+$code.=<<___ if (!$LITTLE_ENDIAN); # flipped words -+ .long 0x02030001,0x06070405,0x0a0b0809,0x0e0f0c0d -+ .long 0x01020300,0x05060704,0x090a0b08,0x0d0e0f0c -+___ -+$code.=<<___; -+ .long 0x61707865,0x61707865,0x61707865,0x61707865 -+ .long 0x3320646e,0x3320646e,0x3320646e,0x3320646e -+ .long 0x79622d32,0x79622d32,0x79622d32,0x79622d32 -+ .long 0x6b206574,0x6b206574,0x6b206574,0x6b206574 -+ .long 0,1,2,3 -+ .long 0x03020100,0x07060504,0x0b0a0908,0x0f0e0d0c -+.asciz "ChaCha20 for PowerPC/AltiVec, CRYPTOGAMS by " -+.align 2 -+___ -+ -+foreach (split("\n",$code)) { -+ s/\`([^\`]*)\`/eval $1/ge; -+ -+ # instructions prefixed with '?' are endian-specific and need -+ # to be adjusted accordingly... -+ if ($flavour !~ /le$/) { # big-endian -+ s/be\?// or -+ s/le\?/#le#/ or -+ s/\?lvsr/lvsl/ or -+ s/\?lvsl/lvsr/ or -+ s/\?(vperm\s+v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+,\s*)(v[0-9]+)/$1$3$2$4/ or -+ s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 16-$3/; -+ } else { # little-endian -+ s/le\?// or -+ s/be\?/#be#/ or -+ s/\?([a-z]+)/$1/ or -+ s/vrldoi(\s+v[0-9]+,\s*)(v[0-9]+,)\s*([0-9]+)/vsldoi$1$2$2 $3/; -+ } -+ -+ print $_,"\n"; -+} -+ -+close STDOUT or die "error closing STDOUT: $!"; -diff --git a/crypto/chacha/build.info b/crypto/chacha/build.info -index c12cb9c..2a819b2 100644 ---- a/crypto/chacha/build.info -+++ b/crypto/chacha/build.info -@@ -12,7 +12,7 @@ IF[{- !$disabled{asm} -}] - $CHACHAASM_armv4=chacha-armv4.S - $CHACHAASM_aarch64=chacha-armv8.S - -- $CHACHAASM_ppc32=chacha_ppc.c chacha-ppc.s -+ $CHACHAASM_ppc32=chacha_ppc.c chacha-ppc.s chachap10-ppc.s - $CHACHAASM_ppc64=$CHACHAASM_ppc32 - - $CHACHAASM_c64xplus=chacha-c64xplus.s -@@ -29,6 +29,7 @@ SOURCE[../../libcrypto]=$CHACHAASM - GENERATE[chacha-x86.S]=asm/chacha-x86.pl - GENERATE[chacha-x86_64.s]=asm/chacha-x86_64.pl - GENERATE[chacha-ppc.s]=asm/chacha-ppc.pl -+GENERATE[chachap10-ppc.s]=asm/chachap10-ppc.pl - GENERATE[chacha-armv4.S]=asm/chacha-armv4.pl - INCLUDE[chacha-armv4.o]=.. - GENERATE[chacha-armv8.S]=asm/chacha-armv8.pl -diff --git a/crypto/chacha/chacha_ppc.c b/crypto/chacha/chacha_ppc.c -index 5319040..f99cca8 100644 ---- a/crypto/chacha/chacha_ppc.c -+++ b/crypto/chacha/chacha_ppc.c -@@ -23,13 +23,18 @@ void ChaCha20_ctr32_vmx(unsigned char *out, const unsigned char *inp, - void ChaCha20_ctr32_vsx(unsigned char *out, const unsigned char *inp, - size_t len, const unsigned int key[8], - const unsigned int counter[4]); -+void ChaCha20_ctr32_vsx_p10(unsigned char *out, const unsigned char *inp, -+ size_t len, const unsigned int key[8], -+ const unsigned int counter[4]); - void ChaCha20_ctr32(unsigned char *out, const unsigned char *inp, - size_t len, const unsigned int key[8], - const unsigned int counter[4]) - { -- OPENSSL_ppccap_P & PPC_CRYPTO207 -- ? ChaCha20_ctr32_vsx(out, inp, len, key, counter) -- : OPENSSL_ppccap_P & PPC_ALTIVEC -- ? ChaCha20_ctr32_vmx(out, inp, len, key, counter) -- : ChaCha20_ctr32_int(out, inp, len, key, counter); -+ OPENSSL_ppccap_P & PPC_BRD31 -+ ? ChaCha20_ctr32_vsx_p10(out, inp, len, key, counter) -+ :OPENSSL_ppccap_P & PPC_CRYPTO207 -+ ? ChaCha20_ctr32_vsx(out, inp, len, key, counter) -+ : OPENSSL_ppccap_P & PPC_ALTIVEC -+ ? ChaCha20_ctr32_vmx(out, inp, len, key, counter) -+ : ChaCha20_ctr32_int(out, inp, len, key, counter); - } -diff --git a/crypto/perlasm/ppc-xlate.pl b/crypto/perlasm/ppc-xlate.pl -index 2ee4440..4590340 100755 ---- a/crypto/perlasm/ppc-xlate.pl -+++ b/crypto/perlasm/ppc-xlate.pl -@@ -293,6 +293,14 @@ my $vpermdi = sub { # xxpermdi - $dm = oct($dm) if ($dm =~ /^0/); - " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|($dm<<8)|(10<<3)|7; - }; -+my $vxxlor = sub { # xxlor -+ my ($f, $vrt, $vra, $vrb) = @_; -+ " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|(146<<3)|6; -+}; -+my $vxxlorc = sub { # xxlor -+ my ($f, $vrt, $vra, $vrb) = @_; -+ " .long ".sprintf "0x%X",(60<<26)|($vrt<<21)|($vra<<16)|($vrb<<11)|(146<<3)|1; -+}; - - # PowerISA 2.07 stuff - sub vcrypto_op { -@@ -377,6 +385,15 @@ my $addex = sub { - }; - my $vmsumudm = sub { vfour_vsr(@_, 35); }; - -+# PowerISA 3.1 stuff -+my $brd = sub { -+ my ($f, $ra, $rs) = @_; -+ " .long ".sprintf "0x%X",(31<<26)|($rs<<21)|($ra<<16)|(187<<1); -+}; -+my $vsrq = sub { vcrypto_op(@_, 517); }; -+ -+ -+ - while($line=<>) { - - $line =~ s|[#!;].*$||; # get rid of asm-style comments... -diff --git a/crypto/ppccap.c b/crypto/ppccap.c -index 8bcfed2..664627c 100644 ---- a/crypto/ppccap.c -+++ b/crypto/ppccap.c -@@ -45,6 +45,7 @@ void OPENSSL_ppc64_probe(void); - void OPENSSL_altivec_probe(void); - void OPENSSL_crypto207_probe(void); - void OPENSSL_madd300_probe(void); -+void OPENSSL_brd31_probe(void); - - long OPENSSL_rdtsc_mftb(void); - long OPENSSL_rdtsc_mfspr268(void); -@@ -117,16 +118,21 @@ static unsigned long getauxval(unsigned long key) - #endif - - /* I wish was universally available */ --#define HWCAP 16 /* AT_HWCAP */ -+#ifndef AT_HWCAP -+# define AT_HWCAP 16 /* AT_HWCAP */ -+#endif - #define HWCAP_PPC64 (1U << 30) - #define HWCAP_ALTIVEC (1U << 28) - #define HWCAP_FPU (1U << 27) - #define HWCAP_POWER6_EXT (1U << 9) - #define HWCAP_VSX (1U << 7) - --#define HWCAP2 26 /* AT_HWCAP2 */ -+#ifndef AT_HWCAP2 -+# define AT_HWCAP2 26 /* AT_HWCAP2 */ -+#endif - #define HWCAP_VEC_CRYPTO (1U << 25) - #define HWCAP_ARCH_3_00 (1U << 23) -+#define HWCAP_ARCH_3_1 (1U << 18) - - # if defined(__GNUC__) && __GNUC__>=2 - __attribute__ ((constructor)) -@@ -187,6 +193,9 @@ void OPENSSL_cpuid_setup(void) - if (__power_set(0xffffffffU<<17)) /* POWER9 and later */ - OPENSSL_ppccap_P |= PPC_MADD300; - -+ if (__power_set(0xffffffffU<<18)) /* POWER10 and later */ -+ OPENSSL_ppccap_P |= PPC_BRD31; -+ - return; - # endif - #endif -@@ -215,8 +224,8 @@ void OPENSSL_cpuid_setup(void) - - #ifdef OSSL_IMPLEMENT_GETAUXVAL - { -- unsigned long hwcap = getauxval(HWCAP); -- unsigned long hwcap2 = getauxval(HWCAP2); -+ unsigned long hwcap = getauxval(AT_HWCAP); -+ unsigned long hwcap2 = getauxval(AT_HWCAP2); - - if (hwcap & HWCAP_FPU) { - OPENSSL_ppccap_P |= PPC_FPU; -@@ -242,6 +251,10 @@ void OPENSSL_cpuid_setup(void) - if (hwcap2 & HWCAP_ARCH_3_00) { - OPENSSL_ppccap_P |= PPC_MADD300; - } -+ -+ if (hwcap2 & HWCAP_ARCH_3_1) { -+ OPENSSL_ppccap_P |= PPC_BRD31; -+ } - } - #endif - -@@ -263,7 +276,7 @@ void OPENSSL_cpuid_setup(void) - sigaction(SIGILL, &ill_act, &ill_oact); - - #ifndef OSSL_IMPLEMENT_GETAUXVAL -- if (sigsetjmp(ill_jmp,1) == 0) { -+ if (sigsetjmp(ill_jmp, 1) == 0) { - OPENSSL_fpu_probe(); - OPENSSL_ppccap_P |= PPC_FPU; - -diff --git a/crypto/ppccpuid.pl b/crypto/ppccpuid.pl -index c6555df..706164a 100755 ---- a/crypto/ppccpuid.pl -+++ b/crypto/ppccpuid.pl -@@ -81,6 +81,17 @@ $code=<<___; - .long 0 - .byte 0,12,0x14,0,0,0,0,0 - -+.globl .OPENSSL_brd31_probe -+.align 4 -+.OPENSSL_brd31_probe: -+ xor r0,r0,r0 -+ brd r3,r0 -+ blr -+ .long 0 -+ .byte 0,12,0x14,0,0,0,0,0 -+.size .OPENSSL_brd31_probe,.-.OPENSSL_brd31_probe -+ -+ - .globl .OPENSSL_wipe_cpu - .align 4 - .OPENSSL_wipe_cpu: -diff --git a/include/crypto/ppc_arch.h b/include/crypto/ppc_arch.h -index 3b3ce4b..fcc846c 100644 ---- a/include/crypto/ppc_arch.h -+++ b/include/crypto/ppc_arch.h -@@ -24,5 +24,6 @@ extern unsigned int OPENSSL_ppccap_P; - # define PPC_MADD300 (1<<4) - # define PPC_MFTB (1<<5) - # define PPC_MFSPR268 (1<<6) -+# define PPC_BRD31 (1<<7) - - #endif diff --git a/SOURCES/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch b/SOURCES/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch index eeafbfa..726d320 100644 --- a/SOURCES/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch +++ b/SOURCES/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch @@ -29,11 +29,11 @@ Signed-off-by: Clemens Lang --- crypto/rsa/rsa_local.h | 8 ++ crypto/rsa/rsa_oaep.c | 34 ++++++-- - include/openssl/core_names.h | 3 + providers/fips/self_test_data.inc | 83 +++++++++++-------- providers/fips/self_test_kats.c | 7 ++ - .../implementations/asymciphers/rsa_enc.c | 41 ++++++++- - 6 files changed, 133 insertions(+), 43 deletions(-) + .../implementations/asymciphers/rsa_enc.c | 41 +++++++++- + util/perl/OpenSSL/paramnames.pm | 1 + + 6 files changed, 126 insertions(+), 44 deletions(-) diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h index ea70da05ad..dde57a1a0e 100644 @@ -118,20 +118,6 @@ index d9be1a4f98..b2f7f7dc4b 100644 int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, const unsigned char *from, int flen, const unsigned char *param, int plen, -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 59a6e79566..11216fb8f8 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -469,6 +469,9 @@ extern "C" { - #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" - #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" - #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" -+#ifdef FIPS_MODULE -+#define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" -+#endif - - /* - * Encoder / decoder parameters diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc index 4e30ec56dd..0103c87528 100644 --- a/providers/fips/self_test_data.inc @@ -291,11 +277,11 @@ index 00cf65fcd6..83be3d8ede 100644 +#ifdef FIPS_MODULE + char *redhat_st_oaep_seed; +#endif /* FIPS_MODULE */ + /* PKCS#1 v1.5 decryption mode */ + unsigned int implicit_rejection; } PROV_RSA_CTX; - - static void *rsa_newctx(void *provctx) @@ -190,12 +196,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, - return 0; + } } ret = - ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf, @@ -335,9 +321,9 @@ index 00cf65fcd6..83be3d8ede 100644 +#ifdef FIPS_MODULE + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), +#endif /* FIPS_MODULE */ + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), OSSL_PARAM_END }; - @@ -454,6 +475,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, return known_gettable_ctx_params; } @@ -368,6 +354,18 @@ index 00cf65fcd6..83be3d8ede 100644 p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION); if (p != NULL) { unsigned int client_version; +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index c37ed7815f..70f7c50fe4 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -401,6 +401,7 @@ my %params = ( + 'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version", + 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version", + 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", ++ 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed", + + # Encoder / decoder parameters + -- 2.37.1 diff --git a/SOURCES/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch b/SOURCES/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch index 0b6a9fb..7751f05 100644 --- a/SOURCES/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +++ b/SOURCES/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch @@ -1,32 +1,25 @@ -From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Fri, 15 Jul 2022 17:45:40 +0200 -Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test +From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:16 +0100 +Subject: [PATCH 28/49] + 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch -In review for FIPS 140-3, the lack of a self-test for the digest_sign -and digest_verify provider functions was highlighted as a problem. NIST -no longer provides ACVP tests for the RSA SigVer primitive (see -https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3 -recommends the use of functions that compute the digest and signature -within the module, we have been advised in our module review that the -self tests should also use the combined digest and signature APIs, i.e. -the digest_sign and digest_verify provider functions. - -Modify the signature self-test to use these instead by switching to -EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to -crypto/evp/m_sigver.c to make these functions usable in the FIPS module. - -Signed-off-by: Clemens Lang +Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +Patch-id: 74 +Patch-status: | + # [PATCH 29/46] + # 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce --- - crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------ - providers/fips/self_test_kats.c | 37 +++++++++++++++------------- - 2 files changed, 56 insertions(+), 24 deletions(-) + crypto/evp/m_sigver.c | 54 ++++++++++++++++++++++++++++----- + providers/fips/self_test_kats.c | 43 +++++++++++++++----------- + 2 files changed, 73 insertions(+), 24 deletions(-) diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c -index db1a1d7bc3..c94c3c53bd 100644 +index fd3a4b79df..3e9f33c26c 100644 --- a/crypto/evp/m_sigver.c +++ b/crypto/evp/m_sigver.c -@@ -88,6 +88,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) +@@ -90,6 +90,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED); return 0; } @@ -34,7 +27,7 @@ index db1a1d7bc3..c94c3c53bd 100644 /* * If we get the "NULL" md then the name comes back as "UNDEF". We want to use -@@ -130,8 +131,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -125,8 +126,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, reinit = 0; if (e == NULL) ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props); @@ -45,7 +38,7 @@ index db1a1d7bc3..c94c3c53bd 100644 } if (ctx->pctx == NULL) return 0; -@@ -139,8 +142,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -136,8 +139,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, locpctx = ctx->pctx; ERR_set_mark(); @@ -56,7 +49,7 @@ index db1a1d7bc3..c94c3c53bd 100644 /* do not reinitialize if pkey is set or operation is different */ if (reinit -@@ -225,8 +230,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -222,8 +227,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, signature = evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, supported_sig, locpctx->propquery); @@ -67,7 +60,7 @@ index db1a1d7bc3..c94c3c53bd 100644 break; } if (signature == NULL) -@@ -310,6 +317,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -307,6 +314,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props); if (ctx->fetched_digest != NULL) { ctx->digest = ctx->reqdigest = ctx->fetched_digest; @@ -75,7 +68,7 @@ index db1a1d7bc3..c94c3c53bd 100644 } else { /* legacy engine support : remove the mark when this is deleted */ ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname); -@@ -318,11 +326,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -315,11 +323,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); goto err; } @@ -89,7 +82,7 @@ index db1a1d7bc3..c94c3c53bd 100644 if (ctx->reqdigest != NULL && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) -@@ -334,6 +344,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -331,6 +341,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, goto err; } } @@ -97,7 +90,7 @@ index db1a1d7bc3..c94c3c53bd 100644 if (ver) { if (signature->digest_verify_init == NULL) { -@@ -366,6 +377,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -363,6 +374,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, EVP_KEYMGMT_free(tmp_keymgmt); return 0; @@ -105,7 +98,7 @@ index db1a1d7bc3..c94c3c53bd 100644 legacy: /* * If we don't have the full support we need with provided methods, -@@ -437,6 +449,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -434,6 +446,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, ctx->pctx->flag_call_digest_custom = 1; ret = 1; @@ -113,7 +106,7 @@ index db1a1d7bc3..c94c3c53bd 100644 end: #ifndef FIPS_MODULE -@@ -479,7 +492,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, +@@ -476,7 +489,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1, NULL); } @@ -121,7 +114,7 @@ index db1a1d7bc3..c94c3c53bd 100644 int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) { -@@ -541,23 +553,29 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) +@@ -548,24 +560,31 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) return EVP_DigestUpdate(ctx, data, dsize); } @@ -130,13 +123,19 @@ index db1a1d7bc3..c94c3c53bd 100644 size_t *siglen) { - int sctx = 0, r = 0; -- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx; +- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; + int r = 0; +#ifndef FIPS_MODULE + int sctx = 0; -+ EVP_PKEY_CTX *dctx; ++ EVP_PKEY_CTX *dctx = NULL; +#endif /* !defined(FIPS_MODULE) */ + EVP_PKEY_CTX *pctx = ctx->pctx; ++ + + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); + return 0; + } +#ifndef FIPS_MODULE if (pctx == NULL @@ -146,26 +145,26 @@ index db1a1d7bc3..c94c3c53bd 100644 goto legacy; +#endif /* !defined(FIPS_MODULE) */ - if (sigret == NULL || (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) - return pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, - sigret, siglen, - sigret == NULL ? 0 : *siglen); +#ifndef FIPS_MODULE - dctx = EVP_PKEY_CTX_dup(pctx); - if (dctx == NULL) - return 0; -@@ -566,8 +584,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, - sigret, siglen, - *siglen); - EVP_PKEY_CTX_free(dctx); -+#endif /* defined(FIPS_MODULE) */ + if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { + /* try dup */ + dctx = EVP_PKEY_CTX_dup(pctx); +@@ -580,7 +599,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, + else + EVP_PKEY_CTX_free(dctx); return r; ++#else ++ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, ++ sigret, siglen, ++ sigret == NULL ? 0 : *siglen); ++ return r; ++#endif /* !defined(FIPS_MODULE) */ +#ifndef FIPS_MODULE legacy: if (pctx == NULL || pctx->pmeth == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -@@ -639,6 +659,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, +@@ -653,6 +679,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, } } return 1; @@ -173,7 +172,7 @@ index db1a1d7bc3..c94c3c53bd 100644 } int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, -@@ -669,21 +690,27 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, +@@ -691,23 +718,30 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, size_t siglen) { @@ -183,10 +182,16 @@ index db1a1d7bc3..c94c3c53bd 100644 + unsigned char md[EVP_MAX_MD_SIZE]; unsigned int mdlen = 0; int vctx = 0; -- EVP_PKEY_CTX *dctx, *pctx = ctx->pctx; -+ EVP_PKEY_CTX *dctx; +- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; ++ EVP_PKEY_CTX *dctx = NULL; +#endif /* !defined(FIPS_MODULE) */ + EVP_PKEY_CTX *pctx = ctx->pctx; ++ + + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); + return 0; + } +#ifndef FIPS_MODULE if (pctx == NULL @@ -196,25 +201,25 @@ index db1a1d7bc3..c94c3c53bd 100644 goto legacy; +#endif /* !defined(FIPS_MODULE) */ - if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) != 0) - return pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, - sig, siglen); +#ifndef FIPS_MODULE - dctx = EVP_PKEY_CTX_dup(pctx); - if (dctx == NULL) - return 0; -@@ -691,8 +718,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, - r = dctx->op.sig.signature->digest_verify_final(dctx->op.sig.algctx, - sig, siglen); - EVP_PKEY_CTX_free(dctx); -+#endif /* !defined(FIPS_MODULE) */ + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { + /* try dup */ + dctx = EVP_PKEY_CTX_dup(pctx); +@@ -721,7 +755,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, + else + EVP_PKEY_CTX_free(dctx); return r; ++#else ++ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, ++ sig, siglen); ++ return r; ++#endif /* !defined(FIPS_MODULE) */ +#ifndef FIPS_MODULE legacy: if (pctx == NULL || pctx->pmeth == NULL) { ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -@@ -732,6 +761,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, +@@ -762,6 +802,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, if (vctx || !r) return r; return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen); @@ -222,16 +227,16 @@ index db1a1d7bc3..c94c3c53bd 100644 } int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, -@@ -757,4 +787,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, +@@ -794,4 +835,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, return -1; return EVP_DigestVerifyFinal(ctx, sigret, siglen); } -#endif /* FIPS_MODULE */ diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c -index b6d5e8e134..77eec075e6 100644 +index 4ea10670c0..5eb27c8ed2 100644 --- a/providers/fips/self_test_kats.c +++ b/providers/fips/self_test_kats.c -@@ -444,11 +444,14 @@ static int self_test_sign(const ST_KAT_SIGN *t, +@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_SIGN *t, int ret = 0; OSSL_PARAM *params = NULL, *params_sig = NULL; OSSL_PARAM_BLD *bld = NULL; @@ -241,13 +246,12 @@ index b6d5e8e134..77eec075e6 100644 EVP_PKEY *pkey = NULL; - unsigned char sig[256]; BN_CTX *bnctx = NULL; - BIGNUM *K = NULL; + const char *msg = "Hello World!"; + unsigned char sig[256]; size_t siglen = sizeof(sig); static const unsigned char dgst[] = { 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, -@@ -488,23 +491,26 @@ static int self_test_sign(const ST_KAT_SIGN *t, +@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_SIGN *t, || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) goto err; @@ -288,7 +292,7 @@ index b6d5e8e134..77eec075e6 100644 || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) goto err; -@@ -509,14 +510,17 @@ static int self_test_sign(const ST_KAT_SIGN *t, +@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_SIGN *t, goto err; OSSL_SELF_TEST_oncorrupt_byte(st, sig); @@ -309,5 +313,5 @@ index b6d5e8e134..77eec075e6 100644 OSSL_PARAM_free(params_sig); OSSL_PARAM_BLD_free(bld); -- -2.37.1 +2.44.0 diff --git a/SOURCES/0076-FIPS-140-3-DRBG.patch b/SOURCES/0076-FIPS-140-3-DRBG.patch index 4a276f7..591b49c 100644 --- a/SOURCES/0076-FIPS-140-3-DRBG.patch +++ b/SOURCES/0076-FIPS-140-3-DRBG.patch @@ -1,3 +1,79 @@ +diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c +--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200 ++++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200 +@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused + size_t entropy_available; + RAND_POOL *pool; + +- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); ++ /* ++ * OpenSSL still implements an internal entropy pool of ++ * some size that is hashed to get seed data. ++ * Note that this is a conditioning step for which SP800-90C requires ++ * 64 additional bits from the entropy source to claim the requested ++ * amount of entropy. ++ */ ++ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len); + if (pool == NULL) { + ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB); + return 0; +diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c +--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200 ++++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200 +@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG + * to the nearest byte. If the entropy is of less than full quality, + * the amount required should be scaled up appropriately here. + */ +- bytes_needed = (entropy + 7) / 8; ++ /* ++ * FIPS 140-3: the yet draft SP800-90C requires requested entropy ++ * + 128 bits during initial seeding ++ */ ++ bytes_needed = (entropy + 128 + 7) / 8; + if (bytes_needed < min_len) + bytes_needed = min_len; + if (bytes_needed > max_len) +diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c +--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200 ++++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200 +@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb + #endif + } + ++#ifdef FIPS_MODULE ++ prediction_resistance = 1; ++#endif + /* Reseed using our sources in addition */ + entropylen = get_entropy(drbg, &entropy, drbg->strength, + drbg->min_entropylen, drbg->max_entropylen, +@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d + reseed_required = 1; + } + if (drbg->parent != NULL +- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) ++ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { ++#ifdef FIPS_MODULE ++ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/ ++ drbg->parent_reseed_counter = get_parent_reseed_count(drbg); ++#else + reseed_required = 1; ++#endif ++ } + + if (reseed_required || prediction_resistance) { + if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL, +diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h +--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100 ++++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100 +@@ -38,7 +38,7 @@ + * + * The value is in bytes. + */ +-#define CRNGT_BUFSIZ 16 ++#define CRNGT_BUFSIZ 32 + + /* + * Maximum input size for the DRBG (entropy, nonce, personalization string) diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c --- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200 +++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200 @@ -9,8 +85,8 @@ diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsr +# include static uint64_t get_time_stamp(void); - static uint64_t get_timer_bits(void); -@@ -342,66 +342,8 @@ static ssize_t syscall_random(void *buf, + +@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen) * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion * between size_t and ssize_t is safe even without a range check. */ @@ -70,49 +146,40 @@ diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsr -# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \ - || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) - return getrandom(buf, buflen, 0); +-# elif defined(__wasi__) +- if (getentropy(buf, buflen) == 0) +- return (ssize_t)buflen; +- return -1; -# else - errno = ENOSYS; - return -1; -# endif -+ /* Red Hat uses downstream patch to always seed from getrandom() */ -+ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, buflen, GRND_RANDOM) : getrandom(buf, buflen, 0); ++ int realbuflen = buflen > 32 ? 32 : buflen; /* Red Hat uses downstream patch to always seed from getrandom() */ ++ return EVP_default_properties_is_fips_enabled(NULL) ? getrandom(buf, realbuflen, GRND_RANDOM) : getrandom(buf, buflen, 0); } # endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */ -diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c ---- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200 -+++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200 -@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb - #endif +diff -up openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx openssl-3.2.1/providers/implementations/rands/seed_src.c +--- openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx 2024-04-10 13:14:38.984033920 +0200 ++++ openssl-3.2.1/providers/implementations/rands/seed_src.c 2024-04-10 13:15:20.565045748 +0200 +@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed + return 0; } -+#ifdef FIPS_MODULE -+ prediction_resistance = 1; -+#endif - /* Reseed using our sources in addition */ - entropylen = get_entropy(drbg, &entropy, drbg->strength, - drbg->min_entropylen, drbg->max_entropylen, -@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d - reseed_required = 1; - } - if (drbg->parent != NULL -- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) -+ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { -+#ifdef FIPS_MODULE -+ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/ -+ drbg->parent_reseed_counter = get_parent_reseed_count(drbg); -+#else - reseed_required = 1; -+#endif -+ } - - if (reseed_required || prediction_resistance) { - if (!ossl_prov_drbg_reseed(drbg, prediction_resistance, NULL, 0, -diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c ---- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200 -+++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200 -@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused - size_t entropy_available; +- pool = ossl_rand_pool_new(strength, 1, outlen, outlen); ++ /* ++ * OpenSSL still implements an internal entropy pool of ++ * some size that is hashed to get seed data. ++ * Note that this is a conditioning step for which SP800-90C requires ++ * 64 additional bits from the entropy source to claim the requested ++ * amount of entropy. ++ */ ++ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen); + if (pool == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); + return 0; +@@ -189,7 +189,14 @@ static size_t seed_get_seed(void *vseed, + size_t i; RAND_POOL *pool; - pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); @@ -125,33 +192,107 @@ diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/ran + */ + pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len); if (pool == NULL) { - ERR_raise(ERR_LIB_RAND, ERR_R_MALLOC_FAILURE); + ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); return 0; -diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c ---- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200 -+++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200 -@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG - * to the nearest byte. If the entropy is of less than full quality, - * the amount required should be scaled up appropriately here. - */ -- bytes_needed = (entropy + 7) / 8; -+ /* -+ * FIPS 140-3: the yet draft SP800-90C requires requested entropy -+ * + 128 bits during initial seeding -+ */ -+ bytes_needed = (entropy + 128 + 7) / 8; - if (bytes_needed < min_len) - bytes_needed = min_len; - if (bytes_needed > max_len) -diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h ---- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100 -+++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100 -@@ -38,7 +38,7 @@ - * - * The value is in bytes. - */ --#define CRNGT_BUFSIZ 16 -+#define CRNGT_BUFSIZ 32 +diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c +index 14999540ab..b05b84717b 100644 +--- a/crypto/rand/rand_lib.c ++++ b/crypto/rand/rand_lib.c +@@ -11,6 +11,7 @@ + #define OPENSSL_SUPPRESS_DEPRECATED - /* - * Maximum input size for the DRBG (entropy, nonce, personalization string) + #include ++#include + #include + #include + #include "internal/cryptlib.h" +@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx) + return ret; + } + +-#ifndef FIPS_MODULE +- if (dgbl->seed == NULL) { +- ERR_set_mark(); +- dgbl->seed = rand_new_seed(ctx); +- ERR_pop_to_mark(); +- } +-#endif +- +- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed, ++ ret = dgbl->primary = rand_new_drbg(ctx, NULL, + PRIMARY_RESEED_INTERVAL, + PRIMARY_RESEED_TIME_INTERVAL, 1); + /* +@@ -766,7 +766,7 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_ + if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL + && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state)) + return NULL; +- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL, ++ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL, + SECONDARY_RESEED_TIME_INTERVAL, 0); + CRYPTO_THREAD_set_local(&dgbl->public, rand); + } +@@ -799,7 +799,7 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB + if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL + && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state)) + return NULL; +- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL, ++ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL, + SECONDARY_RESEED_TIME_INTERVAL, 0); + CRYPTO_THREAD_set_local(&dgbl->private, rand); + } +diff -up openssl-3.2.1/test/drbgtest.c.xxx openssl-3.2.1/test/drbgtest.c +--- openssl-3.2.1/test/drbgtest.c.xxx 2024-05-02 15:37:23.550979597 +0200 ++++ openssl-3.2.1/test/drbgtest.c 2024-05-02 15:45:37.189979881 +0200 +@@ -218,7 +218,7 @@ static int test_drbg_reseed(int expect_s + reseed_when = time(NULL); + + /* Generate random output from the public and private DRBG */ +- before_reseed = expect_primary_reseed == 1 ? reseed_when : 0; ++ before_reseed = 0; + if (!TEST_int_eq(rand_bytes((unsigned char*)public_random, + RANDOM_SIZE), expect_success) + || !TEST_int_eq(rand_priv_bytes((unsigned char*) private_random, +@@ -232,8 +232,8 @@ static int test_drbg_reseed(int expect_s + */ + + /* Test whether reseeding succeeded as expected */ +- if (!TEST_int_eq(state(primary), expected_state) +- || !TEST_int_eq(state(public), expected_state) ++ if (/*!TEST_int_eq(state(primary), expected_state) ++ ||*/ !TEST_int_eq(state(public), expected_state) + || !TEST_int_eq(state(private), expected_state)) + return 0; + +@@ -246,16 +246,16 @@ static int test_drbg_reseed(int expect_s + if (expect_public_reseed >= 0) { + /* Test whether public DRBG was reseeded as expected */ + if (!TEST_int_ge(reseed_counter(public), public_reseed) +- || !TEST_uint_ge(reseed_counter(public), +- reseed_counter(primary))) ++ /*|| !TEST_uint_ge(reseed_counter(public), ++ reseed_counter(primary))*/) + return 0; + } + + if (expect_private_reseed >= 0) { + /* Test whether public DRBG was reseeded as expected */ + if (!TEST_int_ge(reseed_counter(private), private_reseed) +- || !TEST_uint_ge(reseed_counter(private), +- reseed_counter(primary))) ++ /*|| !TEST_uint_ge(reseed_counter(private), ++ reseed_counter(primary))*/) + return 0; + } + +@@ -577,8 +577,8 @@ static int test_rand_reseed(void) + if (!TEST_ptr_ne(public, private) + || !TEST_ptr_ne(public, primary) + || !TEST_ptr_ne(private, primary) +- || !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary)) +- || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))) ++ /*|| !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary)) ++ || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))*/) + return 0; + + /* Disable CRNG testing for the primary DRBG */ diff --git a/SOURCES/0077-FIPS-140-3-zeroization.patch b/SOURCES/0077-FIPS-140-3-zeroization.patch index f6a50a5..f6ff517 100644 --- a/SOURCES/0077-FIPS-140-3-zeroization.patch +++ b/SOURCES/0077-FIPS-140-3-zeroization.patch @@ -20,8 +20,8 @@ diff -up openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero openssl-3.0.1/crypto/rsa/rs --- openssl-3.0.1/crypto/rsa/rsa_lib.c.fipszero 2022-08-05 13:08:31.875848536 +0200 +++ openssl-3.0.1/crypto/rsa/rsa_lib.c 2022-08-05 13:09:35.438416025 +0200 @@ -155,8 +155,8 @@ void RSA_free(RSA *r) - CRYPTO_THREAD_lock_free(r->lock); + CRYPTO_FREE_REF(&r->references); - BN_free(r->n); - BN_free(r->e); diff --git a/SOURCES/0078-KDF-Add-FIPS-indicators.patch b/SOURCES/0078-KDF-Add-FIPS-indicators.patch index 40e390a..17ff63e 100644 --- a/SOURCES/0078-KDF-Add-FIPS-indicators.patch +++ b/SOURCES/0078-KDF-Add-FIPS-indicators.patch @@ -42,15 +42,15 @@ Resolves: rhbz#2160733 rhbz#2164763 Related: rhbz#2114772 rhbz#2141695 --- include/crypto/evp.h | 7 ++ - include/openssl/core_names.h | 1 + include/openssl/kdf.h | 4 + providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++- providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++-- providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++- providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- - providers/implementations/kdfs/x942kdf.c | 67 ++++++++++++++- - 9 files changed, 488 insertions(+), 22 deletions(-) + providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++- + util/perl/OpenSSL/paramnames.pm | 1 + + 9 files changed, 487 insertions(+), 22 deletions(-) diff --git a/include/crypto/evp.h b/include/crypto/evp.h index e70d8e9e84..76fb990de4 100644 @@ -70,18 +70,6 @@ index e70d8e9e84..76fb990de4 100644 struct evp_kdf_st { OSSL_PROVIDER *prov; int name_id; -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 6bed5a8a67..680bfbc7cc 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -223,6 +223,7 @@ extern "C" { - #define OSSL_KDF_PARAM_X942_SUPP_PUBINFO "supp-pubinfo" - #define OSSL_KDF_PARAM_X942_SUPP_PRIVINFO "supp-privinfo" - #define OSSL_KDF_PARAM_X942_USE_KEYBITS "use-keybits" -+#define OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" - - /* Known KDF names */ - #define OSSL_KDF_NAME_HKDF "HKDF" diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h index 0983230a48..86171635ea 100644 --- a/include/openssl/kdf.h @@ -111,7 +99,7 @@ index dfa7786bde..f01e40ff5a 100644 static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; @@ -85,6 +86,10 @@ typedef struct { size_t data_len; - unsigned char info[HKDF_MAXBUF]; + unsigned char *info; size_t info_len; + int is_tls13; +#ifdef FIPS_MODULE @@ -132,7 +120,7 @@ index dfa7786bde..f01e40ff5a 100644 switch (ctx->mode) { case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: default: -@@ -332,15 +342,78 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) +@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void { KDF_HKDF *ctx = (KDF_HKDF *)vctx; OSSL_PARAM *p; @@ -141,15 +129,20 @@ index dfa7786bde..f01e40ff5a 100644 if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { size_t sz = kdf_hkdf_size(ctx); -- if (sz == 0) + any_valid = 1; -+ -+ if (sz == 0 || !OSSL_PARAM_set_size_t(p, sz)) + if (sz == 0) return 0; -- return OSSL_PARAM_set_size_t(p, sz); + return OSSL_PARAM_set_size_t(p, sz); + } + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) { ++ any_valid = 1; + if (ctx->info == NULL || ctx->info_len == 0) { + p->return_size = 0; + return 1; + } + return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len); } - return -2; -+ +#ifdef FIPS_MODULE + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) + != NULL) { @@ -215,9 +208,9 @@ index dfa7786bde..f01e40ff5a 100644 static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, @@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, - { static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), +#ifdef FIPS_MODULE + OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), +#endif /* defined(FIPS_MODULE) */ @@ -260,9 +253,9 @@ index dfa7786bde..f01e40ff5a 100644 const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { - { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, + { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, - { OSSL_FUNC_KDF_DERIVE, (void(*)(void))kdf_tls1_3_derive }, diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c index a542f84dfa..6b6dfb94ac 100644 --- a/providers/implementations/kdfs/kbkdf.c @@ -277,9 +270,9 @@ index a542f84dfa..6b6dfb94ac 100644 /* Names are lowercased versions of those found in SP800-108. */ int r; unsigned char *ki; -@@ -70,6 +73,9 @@ typedef struct { - size_t iv_len; +@@ -73,6 +76,9 @@ typedef struct { int use_l; + int is_kmac; int use_separator; +#ifdef FIPS_MODULE + int fips_indicator; @@ -296,7 +289,7 @@ index a542f84dfa..6b6dfb94ac 100644 OPENSSL_clear_free(ctx->label, ctx->label_len); OPENSSL_clear_free(ctx->ki, ctx->ki_len); @@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, - return 0; + goto done; } +#ifdef FIPS_MODULE @@ -308,7 +301,7 @@ index a542f84dfa..6b6dfb94ac 100644 if (h == 0) goto done; @@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - return 0; + } } + if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) @@ -512,10 +505,10 @@ diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/ index eb54972e1c..23865cd70f 100644 --- a/providers/implementations/kdfs/sskdf.c +++ b/providers/implementations/kdfs/sskdf.c -@@ -62,6 +62,10 @@ typedef struct { - unsigned char *salt; +@@ -64,6 +64,10 @@ typedef struct { size_t salt_len; size_t out_len; /* optional KMAC parameter */ + int is_kmac; + int is_x963kdf; +#ifdef FIPS_MODULE + int fips_indicator; @@ -528,9 +521,9 @@ index eb54972e1c..23865cd70f 100644 static OSSL_FUNC_kdf_newctx_fn sskdf_new; +static OSSL_FUNC_kdf_newctx_fn x963kdf_new; + static OSSL_FUNC_kdf_dupctx_fn sskdf_dup; static OSSL_FUNC_kdf_freectx_fn sskdf_free; static OSSL_FUNC_kdf_reset_fn sskdf_reset; - static OSSL_FUNC_kdf_derive_fn sskdf_derive; @@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx) return ctx; } @@ -666,9 +659,9 @@ index eb54972e1c..23865cd70f 100644 const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { - { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new }, + { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup }, { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, - { OSSL_FUNC_KDF_DERIVE, (void(*)(void))x963kdf_derive }, diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c index a4d64b9352..f6782a6ca2 100644 --- a/providers/implementations/kdfs/tls1_prf.c @@ -704,8 +697,8 @@ index a4d64b9352..f6782a6ca2 100644 + ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; +#endif /* defined(FIPS_MODULE) */ - return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, - ctx->sec, ctx->seclen, + /* + * The seed buffer is prepended with a label. @@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) } } @@ -794,7 +787,7 @@ diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementation index b1bc6f7e1b..8173fc2cc7 100644 --- a/providers/implementations/kdfs/x942kdf.c +++ b/providers/implementations/kdfs/x942kdf.c -@@ -13,10 +13,13 @@ +@@ -13,11 +13,13 @@ #include #include #include @@ -803,7 +796,7 @@ index b1bc6f7e1b..8173fc2cc7 100644 #include #include "internal/packet.h" #include "internal/der.h" -+#include "internal/nelem.h" + #include "internal/nelem.h" +#include "crypto/evp.h" #include "prov/provider_ctx.h" #include "prov/providercommon.h" @@ -901,6 +894,18 @@ index b1bc6f7e1b..8173fc2cc7 100644 OSSL_PARAM_END }; return known_gettable_ctx_params; +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index 70f7c50fe4..6618122417 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -183,6 +183,7 @@ my %params = ( + 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo", + 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo", + 'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits", ++ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", + 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy", + 'KDF_PARAM_HMACDRBG_NONCE' => "nonce", + 'KDF_PARAM_THREADS' => "threads", # uint32_t -- 2.39.2 diff --git a/SOURCES/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch b/SOURCES/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch index a5633d3..5903857 100644 --- a/SOURCES/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch +++ b/SOURCES/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch @@ -22,18 +22,18 @@ algorithms in the default provider. Signed-off-by: Clemens Lang --- - providers/implementations/rands/drbg_hash.c | 12 + - providers/implementations/rands/drbg_hmac.c | 12 + - test/recipes/30-test_evp_data/evprand.txt | 384 ++++++++++++++++++++ - 3 files changed, 408 insertions(+) + providers/implementations/rands/drbg_hash.c | 12 ++ + providers/implementations/rands/drbg_hmac.c | 12 ++ + test/recipes/30-test_evp_data/evprand.txt | 129 ++++++++++++++++++++ + 3 files changed, 153 insertions(+) diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c index 12faa993d0..5f9602cf84 100644 --- a/providers/implementations/rands/drbg_hash.c +++ b/providers/implementations/rands/drbg_hash.c @@ -471,6 +471,18 @@ static int drbg_hash_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - return 0; - } + if (!ossl_drbg_verify_digest(libctx, md)) + return 0; /* Error already raised for us */ +#ifdef FIPS_MODULE + if (!EVP_MD_is_a(md, SN_sha1) @@ -54,9 +54,9 @@ diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementat index ffeb70f8c3..79ed96a15a 100644 --- a/providers/implementations/rands/drbg_hmac.c +++ b/providers/implementations/rands/drbg_hmac.c -@@ -372,6 +372,18 @@ static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[]) - return 0; - } +@@ -367,6 +367,18 @@ static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + if (md != NULL && !ossl_drbg_verify_digest(libctx, md)) + return 0; /* Error already raised for us */ +#ifdef FIPS_MODULE + if (!EVP_MD_is_a(md, SN_sha1) @@ -77,3077 +77,1037 @@ diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_ev index 8cb70247a0..8a0a2dea15 100644 --- a/test/recipes/30-test_evp_data/evprand.txt +++ b/test/recipes/30-test_evp_data/evprand.txt -@@ -7483,6 +7483,7 @@ AdditionalInputA.14 = fc54b5339b37eb6889cfd7c185070bd0 - AdditionalInputB.14 = f6a783d6d42e5ad5abb0a996bddfa04c - Output.14 = 683faa732c4551604c8865b5f777571c7d3cf1a60124c59b91283da0cda9b21761d1c17c81856958c6d590436c73594bb36f46c2f89237d8c7a7ddd2c58394c983f8f6c000d77566f2a1d89bac054bdb +@@ -7388,6 +7388,7 @@ Nonce.14 = 7239f92b63fb3dbe + PersonalisationString.14 = 8d2e2ca3985bd2538a71f02cc3eb5568 + Output.14 = 0e4cb328c03faaedbec7215725851069bceae4332de6a70e3521dd065f2f7923485969571ebd7f24be460fd901c6b3e356da6ee5262ef2d76ad14eb0f697f8fb92af2f46630198c5f7018860886147b3 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-1 PredictionResistance = 0 -@@ -7533,6 +7534,7 @@ Entropy.14 = 08a325accfe119fa807a95e8cc2cd8ff041ccad8e2c4cf49 - Nonce.14 = c85baec1c2d1f3f189eecad5 - Output.14 = 2567712d6fd3b52364b508bb2e4ae18e34b155dbe99fef9acbe21346715d36c538dc380a5e5900e0ebde76c779006fabe2b3f171fa63fa0f5ba264748278549c9beb26db701c8fab7adfdf48eb63e48ca6f3be8f17131c5e9145f5dadb00fe666a651d2b1b9e785fd444b05d4efa8ccc +@@ -8659,6 +8660,7 @@ AdditionalInputA.14 = e5c633ca50dcd83e0a34d397df53f6d7a6f7170a3f81f0e6 + AdditionalInputB.14 = 5f0beb5a2d2968e83ba87c92bfa420fd6e8526fbbfdea128 + Output.14 = 8bec11df1022aa50d95daeaf23d78d6ee45c43c5768b90181e106c7df8ff333d7cb87ca1ab83f8742370db1c8c0c0c22f141ff4de33ae8bdb14fee7e6c069819320629c66d94c7c97ff52930a3c1dcd501b60f0f84bda4720ee187ae858a6e068326eda5809716e366d1b608c61b0100 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -7613,6 +7615,7 @@ AdditionalInputA.14 = ae701404440c584e27266a12318c1793b6a112d96e6a6749 - AdditionalInputB.14 = 53861747c9627e9244679d58e2dc8cfd8a72d1bab611dfd1 - Output.14 = 665481033912ca7d87caa56af2612338768b044953b02b9a50e0244bb805ca007648f71ccf923030e56baa13a88111fe211091a54744aa5d82abe97775878059dedc6272e7c7a5392d1fb443b770ee7f5dd05a3f2bba4cab1cf473d02648d4f8acce91ef167e3ac00c1c9324ca074486 +@@ -8709,6 +8711,7 @@ Entropy.14 = 1194beb668839c47c73e7516f9ba09d23dec3553b3b5532f75b260106dcc2abf + Nonce.14 = 3c8a77351e93065d584feeb08c8424a9 + Output.14 = fabd48bfcdd07968239fe538c2d8c9bde2e257b9b244078f39287c7ee90de167fff56a693c4e64f45081635511b5fd031c0270a31b4a014e44c0516a55ae72345aa11dffcda4ccf8cda50f6948d5ae425d8d53ad5c74cef1364277990156796e1c5dfa1ef095c0d8983477eb24241135760b02c86c86d4ec3627edac8c1a7e32 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -7678,6 +7681,7 @@ Nonce.14 = e41f19a969494a2293ad0542 - PersonalisationString.14 = f67bda6553b5e4b89e309cb48a336b78460aff498846c2e9 - Output.14 = 44d544ac910b7668ba9c5524e388957520fdbf11383808a5a8008d119aff7e1e2bbe63b4cbff19455f20f3dc79ab0a83dcf0e403728f2a2b2a9f3b98930d9f285641da3b6b9a9467b2701ce1ecac82bad8214bb618c40999f5023dc2d97dc1a53a0296d44f6fc9d49db00959c89e9f5e +@@ -8789,6 +8792,7 @@ AdditionalInputA.14 = 626385595bef7103af0af700e1df048d7572286af709289b7894d2ab09 + AdditionalInputB.14 = bfe8946dbf27d3a2127ec600351c3920d2531eb9419408233e0a888059b5eb68 + Output.14 = ee6d07661828213e6453d94faaf76345c70949eca4965714c350313b0bcd8e079e6a07f8b2f7a91bcb7ef39a61568fd1c40ab78f154b3582f830095d571de29f81f9565e46b560d34c32bff55341a991f8e863bd9242c7cdd366be12538bb6922f1abfa19e7998aac61d465fc46538ee9142acc66786f4516ef4105fe1d80372 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -7773,6 +7777,7 @@ AdditionalInputA.14 = 6a7418d4ffc40e11859f33189d5a8327042ec268b004ade8 - AdditionalInputB.14 = 97beb8c47434a23efe536287d776edda7ed7cae84c0c7e35 - Output.14 = 1fe94acb5f5cb7e4a8edf5be61673bdc066288538dbd0ac29ce2d43f7b890028e48131e6b3a7cfbb42772b63f2fac8c0472418653ee2ebcdfa5ec08683e7d4a9cb2c67cf7e22c2ddc779c6d9971b29347e6688113294c902a5d62c1fc35595e091cb10e5a895d7c3697056659ae457d1 +@@ -8854,6 +8858,7 @@ Nonce.14 = de2186bafa82b0d08a0b8215e3424512 + PersonalisationString.14 = d96db27febe22db935b117dc3068374e39c5b2119b497e3c1d858ef649e01de5 + Output.14 = d04435a8aab397cfcee5151f7aa24298ffc6eee4f577cda42d5e154b8d28cb2f0f945f11a15ed5b76486c88f03081cfd262d94a8e0b332e3c9c608461dcc8eba20d7db209810d25c226fda9fe218022a9b2c96876cb16c06c0553dd84ce57e20338c3d3e03c59ce22e668e25c2c50d5cc9afab91f50a28680964c2dacb9d2fb3 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -7823,6 +7828,7 @@ Entropy.14 = a71c303bf17e128c8e0aa07fb61ccc1f40fdb487a955fd95 - Nonce.14 = d3ca16fb12ae4709d411e5c5 - Output.14 = 61a51fe1eca4cf947bbf2a77d643e7963ca2c587e0eacc8f7fab3b3f0e166197a4d15184cec4f0858de2773d8becb339bbb18ab2c10c8b246ca66dce48e2a0938fe1ab122b4930d603b937491ddd3d10abac731957f2e1e030eef33f7f311ed782b06697914145e266d0b967914d638a +@@ -8949,6 +8954,7 @@ AdditionalInputA.14 = 5d9446eff72d59529a90b498d8f40983b3b2904f63664fc0aa1de8700d + AdditionalInputB.14 = e19707aafa391e8622539d52a05d930292bd0f7c17825dbed5fb7a2f8734081b + Output.14 = 6ce2ae37349cbef9ebd1f9b85485810a22d430d94abf66912dd7b6cc751400e777be2f1cebc19d65694a456b2c6429cefd95eb934030846708d50be3b274c2f7de299f3c311038491f271448c7d02ff51de048fa1184e8ee06b7b46a9f123daecbebae4a2183dc8eb6976abf0dae7cdbea6017cd1500f37dfadcce0c1956ea87 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -7903,6 +7909,7 @@ AdditionalInputA.14 = e098f0e076a3f40fd970f5d221944f0040ef4a18d88dbe6c - AdditionalInputB.14 = d7eb01dfd7c13fece92d35133c3be71efba145d7353c6d69 - Output.14 = f03074a219ef31d395451ebc8534e4f2cd2dbfebbd9257507979ecec79a5f76359f2d6b4653b31704ae5a49f884db91ac335ddc6d11768cac7850734e76734b63b71ff12f3f8d42cd404009e7f4b66bc0a639a9354ebd754c17f3cc65704e698d9bc0640919c386e96760f3c36d8789e +@@ -8999,6 +9005,7 @@ Entropy.14 = a7a1dbf7f828555610197e71e0ad563b8691589c5289ced03e9ef83b6f9ff938 + Nonce.14 = 4274788c5d80e26ec1ac3a57b9c7c0df + Output.14 = 5a907a26c1ef588219d4c69fcf4c5c283ab148a77588a40b323bd24e6dfb29551c4b6116c4d61349f5f8bd9ed497f38b239c37283902beb3c9700c768fa289ee4573f92316efb860a5ca4267b328f03c13138b774b4b9f7516003a699f7a0854a0efb045a5932753a771c2cc6119202b33336f10edb715bcce1d20ff503dda01 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -7968,6 +7975,7 @@ Nonce.14 = 838d1c69d8408cf0134f54e1 - PersonalisationString.14 = f08a964b386eeadc4bbe57164d3b3a0c7c0068c49c9bc5ad - Output.14 = d8af077476875fca2ef9f04013976c3c278d30592361b923bab2f7e3c8af4affac5408c390b4989da254eeb97ccdabf32f5e246739d0e532a6ea317e7dda02bae5051ca97a445f5e0696a041e5f9f2c077b26e575d749cae344859864aa00f262c1c41b2964b78f72f9cb98abce103f9 +@@ -9079,6 +9086,7 @@ AdditionalInputA.14 = de1bbca12357943b4489cc7209b3f063b51b91acc168ec5e0ad88048b6 + AdditionalInputB.14 = 6ddd9aba4f100ef902ba50adee53ef44a4f45564c13e774e69557e36a357e7cf + Output.14 = 544ec80a966644454886fb97a0f05eb6a4a25fcbce795b5e5b27ee06ba14b7de18dbf54f80a670b87c76c336ac9af16c8958ad6c1bde9a97aa4c1ab5823d24a53c64f6766ce6eb9b7085cf7282499c37fc1e2e825f53bc357bf36d5901e0ae93cd3bd821fa18b5aa17548560f7ad6ef38124814fccf9b2b89de61cfc27c7269b +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8063,6 +8071,7 @@ AdditionalInputA.14 = fa0823db6808a3de1a7dcc081c01cca840f68b005d473bfe - AdditionalInputB.14 = d3054fa2bdec7c63dc009ecccf25c1116380ac25f82a9085 - Output.14 = 556e90c95c1abcdde027fb2b88cf191f0686830ecf3fbf89de51c9bd735726131472a17f307263d57c03bd5ecd9ceba6cd5759b06594bf901418e2421fcef4b72678614079cdf4d25fa0b74985380552d2bbf478290445066e3f4a40a2e2b0792a685b769ffdb27721b1faa484e9c783 +@@ -9144,6 +9152,7 @@ Nonce.14 = ab7843b73ecb4858f2cc5e9dfca803ef + PersonalisationString.14 = dee559515084d8ac49c3803f09f3d5fed3b307946a2752c267677f22786a0125 + Output.14 = a12f5e8ea3bb174934c15e5d114ba615da33210c98c38d7fde4b5aef9aecdeaef311d929d7fece7fee11db67134c3326b413b8dc17766ba4fb881105db68688b148fd95d812f6538b14f25afaae84d39025336136d270bd643f2a6c7164930372fb1c8f4f0dab60283e9d8d3440ce8dc66761c5d5c4c13cc3a367feb4869b559 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8113,6 +8122,7 @@ Entropy.14 = 2a55ddbf673f4e12538e61cd2bfda6f0316277661f553c38 - Nonce.14 = a0c71049f5c75c23cc11c7ca - Output.14 = a88e6cc37617929bee1e14f74ee363d1e05fee618fc1eb1f8abaff42c571048032c84ef0ec7a6d8ad7e6c5a4a6e90d714d76643eca063287929032fe75a2b63fb1f83ab36a7fa12a12d7332459bba56b017654bc0fc29beae1897863a63276208f9d11a32780a627135b271efda4f4f0 +@@ -9239,6 +9248,7 @@ AdditionalInputA.14 = ead8c0dcf4ddc909aab96eadab509a46908ee5f090983af609f08d8a8b + AdditionalInputB.14 = f357bda8f2048929a4e31969ec978cc333d58b4fc09a8aa1b73ec9bdfaa1a8f6 + Output.14 = 901aabb3f065be08e2f8072d5d3ffcb28ab291420644e407e7a6a3346b75a5be535bdbdd5a8245998689450292df877233ef0783e0bd1765413193790995d884ffcb2c8dc35fe4cfc12def2f091866d735b1dcfc9d8d8c26903d50e9397b1bbd674bb81fc908361b2bddb68f02031d87588cc3e94210422674e93fea6a5329af +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8193,6 +8203,7 @@ AdditionalInputA.14 = 65e70309f7386d1a0aaa53da65263d5263bc5eaff0d5f3d8 - AdditionalInputB.14 = abb8cd0ce0560309d2424d2f3fdce7af085e6c14699b4799 - Output.14 = 8188a498ef9e0fd52a77c3a44f1c7edccf9248590aebc52cb9ba7b5cddffe867b26309f032a78c0ab751741fdd9bd77d4bd17be90dd045f6f8b45826c9900028f68138cf1ca8e18b253b8eb73ae04f2e156d51a792abdc6524e4f45e4ed0b06ab3b0c94bc5e1ed58f917c17f72161d31 +@@ -9289,6 +9299,7 @@ Entropy.14 = dfa94c198483c5daa046f1dd1e4e83f854fd6c5cbc3465f671bdfd36837779ab + Nonce.14 = 298de64bbd817d009a71c1424ae839f9 + Output.14 = bfb9a54ce31406a82608aebc826441f8f633813a0c3bad723b802f3e905a6ee3512ff3513062aea51f93be17aebf1cfcd81868e85db3db9aa98680f974001fda8fe6a644f5efbb9d6e52e99ff606ef1ed7cd3b17fa6c6844790ed58da6df61aba0c200d7dff943588f4520891798098bddc65797b2f99c05efa090c60dc48a4e +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8258,6 +8269,7 @@ Nonce.14 = 1ffb77244697c3d67a564d06 - PersonalisationString.14 = 62865bf0f5af2146440d74e5ac8787cbedc544de16db24f1 - Output.14 = 1a74f62cc6bb05ff956d1af526926b937a84352830a78c7ecd2ad9c39a796f29f640d188ded8bda0e66ba81c941fed5e82f3c78543d9fca14335459ad9d573362f6b5d69861cb94c0bb055723ba5416b1fe08e74f27f23cdec9db05b50b01a20f0337cafec896f5f7412e1dbe7307e0c +@@ -9369,6 +9380,7 @@ AdditionalInputA.14 = 066b072d48f6cc6bb00273e0bc0ebc086235fe79af1fbdb46318f56c62 + AdditionalInputB.14 = cfb58f59c6d56993b9f0b5ba1643554072cf4ae8013c236120044ae909083f5f + Output.14 = d5dd7f55ffa7d53fc0f679cddadeb869f39b29a6d394c9f1185b11ebefbcb43419c6a26ae3c9ab9d456e2cdba1aead05e67eabd3596526ee431ba7cab7f94838062fcec2363cf0e19849ffef30064263b3a059ce38aa02c2729bff5af9450e035161816724163906112205196c642bfd70f36abb4639fd6e4f7f6a879ebbcc62 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8353,6 +8365,7 @@ AdditionalInputA.14 = 1a6853817be281e26796430dc90f014f6fde64cbef16e58d - AdditionalInputB.14 = bdfa703974a758cd4eb00661e0f4663f4e574cc7be6906e9 - Output.14 = 23c9f591ec9abea9f9eb89ab8d705a1e570fd2888772db5d6fc6e418a34e32d78fe49be8d4d8288fa397b57afd49c07b715e276c68a2eb8f3e63f67de21d8ad23fbbdcfa03b201952fae49928ce4da66cb70638398bfdba4db7635c8c726a3cdac22c98ae776e881edd60b69f0b38e4c +@@ -9434,6 +9446,7 @@ Nonce.14 = ea7d3c3b8f6da0667d7f0d543c68d7d1 + PersonalisationString.14 = 86c20a7e794c887898d5bc00e98398276a4e3ad8d674fb808a63a44330490d2b + Output.14 = ee8e21ff48af611a17d33e130f4e4224330efcc1402b6d55aaf1f514553b880f18df68c0e4279854eb2e9b904c552f69f0e1badc347ebe336b70456f221e07a2fc78df72551d99df3755997029ee1461e2b6e396370096d7e8c2dfceb73214a72ae2b25ccc60b92dd71988eda811ceac4b7c335528249aaf82826a14c142007c +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8403,6 +8416,7 @@ Entropy.14 = 7c8a961f01c1888456ae6042caf338c3ab8b5be28b34d15b - Nonce.14 = 61edc22b49e518eaa9e4e04d - Output.14 = 9d2eb0a41f7b03ccae8e4e3c61628e6710f5999f3991f04ba90fb3007275d07ff169d325ab26f3446e585c2d454ff8f6cd4a520190afbc06f30ec9b49668b09de45a116b171c210f5f888cf3c273c803044b17a16b06b44bc39344f2b2acb2f21f4b0a7abafec8c8d406d26477db9b7b +@@ -9529,6 +9542,7 @@ AdditionalInputA.14 = ea12ddcafa4f578b8b43337508dd8627844d185b10af7de7e907d113c6 + AdditionalInputB.14 = 0cc670275cd2b0eac5df123eb1fd73c2f2b093b76806943918cf49930fa97515 + Output.14 = 88dc727007c0e03c8d27d00c87876f8990b271964a5275f636ecd7f18cac9c869e5f9df5fb2d34e7f89c2e9819af562a706a03d9be9318896f5ab16573aebbfd94a681cbf27e7202b8674437667893246c267785d0deca5033de88a61bf5158177391c2e3232ea6f812c468d5629ed9f89ad0bec0f6c7a469f56331f9eba1cd2 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8483,6 +8497,7 @@ AdditionalInputA.14 = 71b5b9e9b813b5f69e8fa9fa7f588217268581b7d135fd7b - AdditionalInputB.14 = e5b06d8f12539d36c665cf129c1c42e3b7e88edce1650870 - Output.14 = 64595391a02ff750b46418274b8366bbca0e9c52c95bbdfa65882b76395887a018faa276f3fd6c8dbccdb964755e36508897cdac977037d0978f2752d1dc68bde3ba1edc94787c1c8cfe42c2347052da30ba7f1e06b44c10805196e7bb048cf572fda62b4a28fc189702b1e575b008ef +@@ -9579,6 +9593,7 @@ Entropy.14 = 6b9f904ac4b16d36e06a1bddc501d7ef98d5685c1ceadd0a6e1622e0c1e73716 + Nonce.14 = 4a42f39e5a241a2b96db29055159c91f + Output.14 = 785014b0460831b7b67346c6997217b0f6c8e7313687ea6ff4d0b09a0786bd6ac362a0b1ddc6ab8c9c624625a379cbec7f11cf30ddab23cdec054b986175cdae0ca4ba4610e0711bc94e9ab706539d5fa2c1a4fd3cd49042696b58dce465f8e09a200e7d214cda357021c62248a01aeb95f8ffa8bd49d354fdccf4c71eec3491 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -8548,6 +8563,7 @@ Nonce.14 = a16783ada78fa029ca3fe31b - PersonalisationString.14 = b20dae78f254b07fe3eeb7c793334f3f432930353fe7f221 - Output.14 = 081803927779c7b2039681db542c965fe48dc3cfde712a361e77da9aaf9f21cf38e18b4e8e5ae5a365910ada327b05630abe87858163713fd8c2988975eca44ee3725370f1c68117e58c2164605524102f22f3ea55f21f7e8fccd9861c59973d71c0aaca574480be6ec8e1fb9a163680 +@@ -9659,6 +9674,7 @@ AdditionalInputA.14 = 147d51711ae8a420f165db0000d9d0cb9e9cd5447311eed43d7cc9217d + AdditionalInputB.14 = 2910968bb1976a1b8ced116e673f408da6fc563695c918ac0a230b0bb800c707 + Output.14 = 357a7269b30ca744e213d894f5c45d0db9fba897e0c863a56062f5018ad9be9f37b8d550014ed68f2c34bf5195c0b7460df171ff3bd4a590578670c92470d876c8de19d48a6d7fa15fc7996be78d3cc8a5c657439f4bb9865bd56e187d5df2531a405e3e0f4b87c611aa8e226b8b0266290f06f8062456a7a4bf0896e4ddd948 +Availablein = default RAND = HASH-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -9803,6 +9819,7 @@ AdditionalInputA.14 = 228522e58e65d50dfd176e8ff1749faa70fc2c82eda25b0748ddc5d41f - AdditionalInputB.14 = 7af60c47b4cd146a39887c9b812a1dd814d74c398609bbbfb57e73da9caff57a - Output.14 = 9528c88f0aea3fc03bb8a9061e159a06d78a2a654408808aa4d0e73ab1a51e5aa85e8bcae72d34784ff6f513193e183d556ddac5675314f2b5cfe392d1526056afe32d7c03e09ba2bdf3b10e228b0f600a61cccd9e7bf14dccf13b16a838e60909785307e6905d510d9888eaab169fa601558fc952aa8559d270ecd386d7fbd7 +@@ -10995,6 +11011,7 @@ AdditionalInputA.14 = 23e4e6b0e0c1b28a6f9731f8b09960ce7adac17527b3bbaca7c811daea + AdditionalInputB.14 = dc7fac6aeded9e17b5bb5e2bcad9424d42dc07e809da59d52caecba6e75ca457 + Output.14 = 5a42b35cf1b72d2520d92719a94ef1a7ca5b6d6c7eef2de25c8ea44c1fc3a9a5ff2128f47bbe58084a0c7a3fc790626eff5666b4c1e68fb2f53de3370b29c398d5067b255f5f7f29fdb0f8bc256ee3afbe78a33981626837c55f981e56eb2e1bdd89ca081e48f6da7ce6576fbd37dbd57a3f41cf410cb375614af239f2e10218e777fb97a55d9cc73243882b8d8d2a2c812fbdeaaed90b5bd71a274b4b171cd7e661912c9b3de1714a3fe4931d8fc7cb1c9f64f4e37d4e5dbc31602d2f8699e0 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -9853,6 +9870,7 @@ Entropy.14 = c0509068d88167921812103b67e734698d68718ecf42cd99e0f55836c162d450 - Nonce.14 = 71a50d2db258ea35ba69b5716bf68a14 - Output.14 = f66c05713ebe804b4273103997d260adbe8a7d0f6b2bb862b867ca59874ab9e0898102664af2a8db24a7ccb4637269ac67d5e834941303acab9076ebfa04cef64f73480afb6808f11e6ab1a9deae514f5db1c90c59ce988cc1d04012640a40173362de2689f88647268c665ca44f57534c9ad9b8316b9cd1d5a14942e94e90607acf6ad37a2398979e56e9c227c1803f90844d6140f10d0baf20dd789d808a647b4df54d2136d967461383dd4db9dc154dd89cd282a2766dd6086bf3825d095c +@@ -11045,6 +11062,7 @@ Entropy.14 = 471746177fa3ebbc1f1e06fa42d61d5d491abc82eb7d66e749b87d562a7eff34 + Nonce.14 = 42f8a1ee9b09940e9e1dc64f51a78b4b + Output.14 = 238c9889284139945e657d2c4312ee3ca2013de69be10bdc8b90d54867889f2c15c6cc933913457d4f5a00bd52b0216d90c56bcb341dde7496218861b083f80d8c933627e19b7bd8b73d6dda1bb0b2b0f1f90e2b453cd063938cec3a08f34e5581c1322329d87709e552a97e8a8c8e8e598a5c5cd6623ad1eb9f7ddd12739b1d157b1020cb8cef19402938d31b74e490c0ce75a9f57a17476df1cffa55de73bb8151071edf396c3b9e4607b07c7e2b45c249f5a8194cca1e97af78be47cec0ab0096cf588f3d4432393a8f5423a165d585e2e5f98fe47510d9415418aba28aab1193261036214c35d8ba04650b4539be6b9f7377e3c75ed236d0e69cce004906 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -9933,6 +9951,7 @@ AdditionalInputA.14 = 25d2ad9eecd3bb8bb60769942abd16edf0ba777f2541a4b0e80fdd70fc - AdditionalInputB.14 = 608c5789b5a2a6c11c7df095be8c81968c0bdbc6296026ab65195bdc5a297366 - Output.14 = e1c600294a86393b7067b6e77ca83e68d28a6b76f6f81007183be65a50fd2f1adf6eec5a64cc753c5bd0ebc12387bde8c6ec10e6ec7e603f09d4ae624cc5423b5bd53da4f0af064e14a7d176369f1726fdcf6468ee15ffd7db3be48d196601506c71e2f443a768e03ebc35245d254bb87a392508ab07c95bce84ba81058ca1545289c9d8142aa0858c9cd5ba54ee2bb75cebb5b74e0d099ee458752d11ed70122aed1254609a715ddf2720798c9194ae4a7424e2c518ce7a8277ec79da86263a +@@ -11125,6 +11143,7 @@ AdditionalInputA.14 = 4b69404b80b6f2fec36a7dff1b194a228761694129efa6c6b9a044f553 + AdditionalInputB.14 = 519c4cf1b30500f729e5426d76373c291e26cafceb594c10c96bdb9aef4b42fa + Output.14 = 53568141a5c09b6b02ac4ab674d341aa6300f8be93c0f36a7376a6850abfce068927510a1b98301aaa29252cfadfe5a2f241abc677e9e70fbca287c579acd276c2eec5c8b508f2b119a40164c6a12c0e0ca1d3d53595bbebe32fda2eef2b613329a614a28d3b374a7b031b49dba74b465a7db60a8dbdcc9e952ea143e9d5a3a651c1b0d6dad79341a7c3fd5816933f2579cc005f3c5655eb8d3f9d1e4562a756ecca3fc1d688c9824391ec8444c6024774a295c44c17fe592694dcf41f305f50a16e07fc28e247bb3d9dd0c52c6fde79df84c8d521606cec9a55f909691f5cfd797b69304dff5b60ac816b0d5046a47c2434127da1fbaa86d2844f5164a9dbdd +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -9998,6 +10017,7 @@ Nonce.14 = aadd62dbd7b34bf2021ea74a2788b17b - PersonalisationString.14 = cc3308e380672a955620fba59999ec4fcabf1b7f63089a124cc1f65d58b691e3 - Output.14 = 6c39f49bb51765dbae1de8325e7a6f8f8aec031dbdd94b83d5c4e062848eb4e01e3912784f817ee16f9c2dd0129eacd3f7b8d5bb4cf9a4a2ef823b0505c2ac8e4a1ec30812e98564aebaec14ff710a77c1904ab1fa3fef3c3d09f2d55b047a8db860322fab6d939093385838ec6d11667ca843f69268ba1fb7edc462fcc285adc9b4b97f0f717c28ac1b6f371d90baa86e8728051dfe9b68f15dd31a6da35194253545a5d667df6a1322f6b73ba661c7407608fa42e1b894bd1b6e7641749977 +@@ -11190,6 +11209,7 @@ Nonce.14 = 8680d7b3f0a8ae576bb0f75364b463ea + PersonalisationString.14 = c0bf8f2ca4efb48b8dca73ca7148da3cd5981c5a459be32db5a14fc7762c68d6 + Output.14 = 269b3b656e58f9aeed32c80700d9d1b863b0253b3b33155cc0849efbedfa51cff82262c9342cff7f1a7a58a5954fe66547baa1831fee55ae0d322674c6c784095f43b30c1887fb9fa5e7e7f1905da2808ab810ecd224ab403b6f562bac54e65cf7f0473991ce7d7cbc1a669a022fde3141a9880d974b7ede2fad24a3263570443cab0e8017d242fb4c2032dc8be56d8fc1e0e8f92254c7480e4941259ecc29ea47a1d11e074148b259ff95a94711d767f0655f1e0574dfdc4ae4f27b12015af86aefd36f6c10056c3d83e639e3641cdd8ba178f7779dcf502bab3d7588cffb72f6489981aaa7139c255df0e76bf6bba32e4f547327da4597745b15042869b2c2 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10093,6 +10113,7 @@ AdditionalInputA.14 = 0d81d8c5af9885d1b30d2174429bcc6979bdb2b82e6fd3ccdfe93f36fa - AdditionalInputB.14 = c63866629ed771e53d2fe2d5c21e98ebde295c3fc3896fb67279427c61a89eb7 - Output.14 = b369b226dd535dbdab45ff8f13735214f9abe6d11463a44804b838d2932112ce6799341505b7b5bab423a3794c37f383b06be1fe21f5c7da97b333a41fb67908dbeeb2450a3581ef71870c964c976f039ee856fa507e9de948c4c097a64070b23cfa09ab7506a8ec4fc38a38ce21fbee3f3c1ef3ab598f5da202f35b90f422af31688402509c38ac25359409d2b61958390d28ca2d8b5dea99ae26c90978f01d7a482c12e134a81de0bf6c9f39e32a8b597ec7b7a05a805ebc7ce260c381f189 +@@ -11285,6 +11305,7 @@ AdditionalInputA.14 = 64278bb6b8224b93c0b5339726fb752f6d81e85b204d76376d99779ff1 + AdditionalInputB.14 = 4995815c060c80e9bead55dfe823b869862bd0e5b4357afe810a53c68d4b0e7b + Output.14 = 9b4249e1e692153ecd20e968f86eb31bf9a22d3671d0ce9d3eea243bfc70890644a95d551cb9956cc3770e95c2f14ff154760cba1b24c51c41f7a961a4502aa053068751618eaaf743e0d37fd41ab4969444519c22c8fd96f9eb1be6ff3ae01a25abba84a259dad8bbc78f47dcab3ac2242e6974a56454999b4c59243102b731fc4bb4e01c92d36f232ca8cfe00fcbc0ac200c2e403d17d5d1dd3d6c2095ddd15ad58a070f18b69a5f5d3f240435d298bd48bd9be028ccaeb10997f88857a848882f51a193522bb0b979b37b5508775fe150cab8ce97c0760b7418b5bbe496562fe639540e77c1025c0e191fe000aa5d1e49bf02a5a3c6f46b40dd2c47786d45 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10143,6 +10164,7 @@ Entropy.14 = 5b50064163ae6238f462461472ad2ac9acc300316e140abd9cd6edb87b8ffa09 - Nonce.14 = 581d145675384210801d9c75d4d19624 - Output.14 = de0ace4f4a728c681a0b326298142fe79cbff2ce5230e6c1ca3e2808692d02e4845867763cb9e93acb983aa54659be6f9baf210048baf7ea4f062bd7e3d9a6d5e7dccf427422b9dd93d392ffc810dfe185bbee253c3208e22a83c9804501321c6cc0357d22859487a3eaba53444f4027843699d5a78214c431ea741bba73bd29550925443cfa5f494372bd0e482e3ab4eace1b60187b6db588c0d252c8da3e0d6dd3e475040817ca2c85b1149d8447a52c111f05d7c14a0f6b7b6ea4f60aed3e +@@ -11335,6 +11356,7 @@ Entropy.14 = 337373a24fe76f025575b3dbd7eeedd03d3459d6ef44cd53335a9c4963cc45de + Nonce.14 = ebbea7e8e1a3a45c58044b65ab7688b9 + Output.14 = 21ae4510a133fa0906c873eb73e00d777b68a45a1de8759b1497f5146f0c45cf612b02e972ec93ebccbb85c9adaf0f5942fcfbb3b808482f05497f2f4734dd6d42c8413e1bd1bad10463dd4b4cf29f1662c15efc6d24955b1e54a60508d9ed008c9d29f8a6bddfe564c21473271350137452f4601179af37e19d553ec738539cfd7a8df17f07e1f9db5df776256e3c00199997307de394a8ba41be2829defbd8105fcb3cda215219fecb607eb1e7137a29eef188ca7eb349d2d1fe27edc2526ccc6d8f1af7eec9c06910f3909907f966d5904b32577f2715cc32ac08f1b5e25a734716ffddf60c57d422b515ce817b605ead2f875db7a789e351b660704f0cbc +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10223,6 +10245,7 @@ AdditionalInputA.14 = 80bb70930ef2015949b53d787630f5de93d93f98c577ca4632266e1bb1 - AdditionalInputB.14 = b6afd2c00be2eaed5c1991909e89029db0b04598115fae5118cc215298e0528b - Output.14 = c20bd78d9c396fc8fb408361e1dd4827ed3231617a73cd8848e493927207ea23e6efecd4fae36aff74b5235067543c7eb44c290122f9167a0ec4c6a530ecb0936fd683fbd866b73afb712b2f20ccc981b3f70faec4f4fda62e956c7d04cf578b06259b0f3c044e6dc68baf91e6149efa70b2ad2b81c8e14d1a994887193e53bdb5986a23d0412e989c447689a71b283934e50c25e10bdef0b22ce7368840cf761e32aebc07d7b51da16dad4c332926a4cc9853ac8db36b4b01bb36746a28f527 +@@ -11415,6 +11437,7 @@ AdditionalInputA.14 = 771e91743429c40a2e3ececc9a3d73a92336c9c988c5d9dde47563b631 + AdditionalInputB.14 = ae1a58611aa54df3c655a1f20985552ed9e3610e92170a0de1a4573a5a1f93d7 + Output.14 = b2534bf690444513bdfecb35bd616b0de47b7cca7f8ab9c5e823b468da62855601b59c6bb75cf34fe3dbc7f795536b9619d243c0f6960895d6710130fbfda2a0bff803e856f1cf21a63e86e59be0d6da7516b697e9ff95c341913ff27c8abe10e6af1b7ad8dec9f7aab46b8d35c103f9bff3016b39ec24026a7b582f6e95261031f734e29a1b64c65639cf238381e5f7e31da624ad24290930501132c860118b6c59052aaa7cf982486219431311453a431a1cf50deaf068e2f9993c0ab851c9aec72be8f7c5c57ed03c488befe6ffc256efe6db52b7734c042b69a5ed74e2593c4788c5fa8a03a5017b927bb8f1c8262925d734c5604639a9b441187b0d95e3 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10288,6 +10311,7 @@ Nonce.14 = 3432a2e2263728e375ab973bb5842d40 - PersonalisationString.14 = ccfee35071757d5141f55a481b7c44a584c5e537c636d4d0ba10dc3c88adf6a2 - Output.14 = 72a77d1c5dea9d00c349d4e5a9e6dff63ef6cb80b7998ef62e7a1fdc2267057d07fafb993e8df868821c6cf76430f3b7ff24a527f7e41fda6d560a773d05bc003f7e1ed5085f6da3785dd999a4763894455febf7618750bad4e30d8f52f3a072af30d57df5afda08ae7cebdcb659e6cdeaff52b47d4dc571e28315ff0e38538baf436e02d157b64afc6d50e6a4c5842aff1e7573888c6ff9beaf4f91aed988f03032388940c4f54afda05bf55ef6fc8c673f01ab545838574f3bd4f22865cfd6 +@@ -11480,6 +11503,7 @@ Nonce.14 = 78e7f6e9e8e1511bc0ba7f230b65fe47 + PersonalisationString.14 = 37544eb1992fc569ff259946d639a00230ec1196c5565b8f9da62d9ce552e09a + Output.14 = 0ddbb84e21d4d7110b933bbeaddb35ad81dc1f331ac8293695b30924f2713eca6f93a13d520da4486f32a12412a927d00e3f27009a944056a5805b0e050f5bf6c6bd32c523c1d607d6e3e97b59fd059a610d664396f69961599ce7f0a0cbd1dcff15474ac267e36c0b871c559fd13b7ff0c3fcc11ff8dac26761a42697c3744981cc5c5ac10cd0f3b285c4ceb4a550ecead095f90fb6f53aa302218ede7ed5ae5deac91a83f957d15ee901746d11777b23c327ee811966690f5f253c7c314a2bf2bea73ca46c6c8cc332c3493f9d023029d762fc90e5dddbb838f2225c521f196332812570a17455b3db45306aa9100ca83185395435137a0b961531cbcafc03 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10383,6 +10407,7 @@ AdditionalInputA.14 = 0facad642bc0004f946e3fdd149a4c0e52475c9e832c85b228bff6f2a4 - AdditionalInputB.14 = 19d477a7dd45a0b733e6c301a4fd44ddf65d4fe0a0435b57e319e31de4797427 - Output.14 = 2a48844f6919ed43a2b0b64a1d28707fd3265b418e0673190b49a606358062c1a54a6071c845adc6ad74193d746668f890423ebb971a63cedae3241005432c8f3fa3fe7f98d5912da34dabcfeb17c03ee8881de7b2ef04fa2147b78532eb0ce7d9244d717697138f116341c7b9e99f15728207f6a73c651b8940582f9f926253420a853ae18132093183a6073e3bc85633b75e1c6cec9323ed4142d0c8ca0dd5ab2ff2e6b304ab8cfe4aa98ac64951d836e074169d375ebeae8498f11bd02c05 +@@ -11575,6 +11599,7 @@ AdditionalInputA.14 = 8dab17e96142c890eb16981b97364223e815130bdb0c0c284e50dd3349 + AdditionalInputB.14 = 1439e2d19a99703fc35607b5bde55331eca67b2b9a9f7587ddba0dd1fe690ab2 + Output.14 = aa088ba4682bd2285e90c7967a7b8a518e0ec45afd490d367022893e3822c09d967d06ff28748b5de3fb33b071b73c581bd893b6641a72cd5db35540b904eae19765cc121ca4dc9404530114c3369fa80d20dd63c8c09559c4be48aa26ca77b47579dc52fdf0eb2f2db84ab688b87f63097140aef65410fcd7a81c2bddb2c92f9d67b2e46647aadd9b85c9e17ff8b579cd672708282981ba54d854e7c9a1de66621845ae2d337a90025ccbdd1b0d695790b1f977b1e944bbc04d16a9a399628bfb33f98b40e13567514d8ce0b23340803718ea3da44fa84c923f2a85ba21495c2f9541cbe8cadc0b230b1b942e934eb4fe95c3754a77a09641ad730a550fc24e +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10433,6 +10458,7 @@ Entropy.14 = 3b6dde5f550d482d30eee2288bff802241ef20ec15696e614b7268f7c574eb1f - Nonce.14 = b8d8984703ca7f942951fca97129135a - Output.14 = 36d0cce70eb5aaccf9b172fccf68e01eb8ac8b1f2652cdd238f4b070c8f2d9a128418badb38d5d5fabe28b59d15cd432010716fa6a48071114b2168cd29028386171594291118e54fbf5b61ae3fbbf9a21ebe73a4aba482c7cdc5ea1a4f21a0f1b38812cefff9bae78c2b95f417dc0cda010079b637f825dcba059d154f5a53050db773250013a1f051de9f7882433d2054ef2adf9b7b57c67173c06ad16cac6bdf74a10bcc666f7d4a091a78131c5ed76fb733791278b6ee0f55302c4b122a4 +@@ -11625,6 +11650,7 @@ Entropy.14 = 5f72e390aa960846a0004d266e3741b6fe0aaac98d9d87b4cbaaa7a2af0d0bdf + Nonce.14 = 2074991cf0c22cd34b2de48ea1f9ec66 + Output.14 = 7bf54b69e455c7941e8e24ef59b5525dc1ed3b7f934333713b9dc305dcae2cd1b74648149e04bb4f4e00b110926a6bfead7adef954b6d7e180ff820192677efa3c0c8af6a3e201d8d555cc599cdd2626d8778ea2c7a2a8e0c99e719929ae9ac4fb9a7e5176da8987508d1152909f456a4ce9461188e264cda1c879af1a8cca6c182e73c164986cbf07f441756791fa1fae40b784800335d94b0b54135831044bf0cb5dbb5c0c71de6b6ae33d6b87782d34be3cbc2991ad109d6c0440916d91baf96c4375ecdc9f09dca79671a45309c408062cd08ee623c8de007cda3b3d110425d7e8fee13b2a14215033d9ea2397cc6b5c995f37273a00dbcdf9437bc77857 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10513,6 +10539,7 @@ AdditionalInputA.14 = c6a3bc83220c7708eb7fff5787ecba27e48c894e15302e0ee7f4e5f09b - AdditionalInputB.14 = 39b854a1c487e24e1ed58916d8012277fafd6e7b6175c4be43927cfac9958404 - Output.14 = f7d2f39a513f6c4eab993fa440b769ce09a15476e06ceda47969be05f53ec7f8409de284749cdcfac07fe7df66b1b6bd39389401909f3a84538d041e1c038a289869e51bce8bac13a0f786cb091628f0a3a7f7f9a2f620c98889688d46a2a037fbc1b2a4fff40800eaccf98a0bc1452ff1f53f040daa94e17dcd6acef97192c74075d064be5a97205ad97f693257d96c04e78654a694e90b80a5234a25d1c7ceef360d53e768067335097c4aa8f126a31882eff8e55cee05eba4b4325c203f4b +@@ -11705,6 +11731,7 @@ AdditionalInputA.14 = 97f8c1e98fd25289be846d80f667341a095dfbabd610c691ad6b2b901c + AdditionalInputB.14 = 136912d2805ab8ffcb4e7d6a81e37e14b7f7bb65dd0241d56f11d7c72dd5de1d + Output.14 = 2e1f4954107f3654f51024f032518ba91512c9d8005265ff35248487b8c87d8862b8caaae27898a22f9ba7a0297fc071ceb6a1612bb99c0f15210a11f5a0725158832996f15106a7c43a216f90501c0dfb36933be940a875d4f6b0e5c29edb01614a26cb3ff7b906762fd6435eb7cec8c88f5fd7c4d76fcb018c08987108117c95d4d35c1c59efc06358c7abe7a73012ae4440b2ec86c3664e5549b8b0a30d6c8538d6e5151f9c17f9ce026556508b8b3d926e4364839bb526a94c7d8abf4c1241cd844bc6227a01d024affaedd4701129fb0f9b5ae853c7085ca13ec78ffa3476ddb1c1e71942c351c3ce9a855ccfa4c3c7f92b59d5b67e8eab16b699b7ed5b +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10578,6 +10605,7 @@ Nonce.14 = a684932ea2337296cc3d150174a47ce0 - PersonalisationString.14 = b2c0af9038c2ef79ca8263a047bb9293a44ecdb457fb45945996157dcd199cec - Output.14 = 316fbc32ecc1dfa778b13921b1d624f9231c0ecca03e17fde750b1e31e76b1c330ea5bd62ca76150f231ac4aa96b06f845db2d03b65cdaba4c160b288a121eb144058f65a751e22151f91b90131e6756356e7f90d880ce754cf965f439189eb8bedf86c58e1fc2751e65637930c42552fdf81acfa1d4515ad49dc532b2a10b2b11209425ed1cf43c991b4a7c49bf6e701990fddc420608d74c3636829e4683c4e77a8151708d82ef8fb81b3655670fd4d242e357831bc091f30e6d139d5e5ba5 +@@ -11770,6 +11797,7 @@ Nonce.14 = fe9dfa1b683fa9cc70b7c7f8c81185b2 + PersonalisationString.14 = 7e86cf4111fbea8fa9b180a1bd9ff3e9d233304b1d293adffa49ce8e77f400ab + Output.14 = ca0a6268d034f6817edcb6875b4754b5e9b2061ce0bc2bcd27c28065d8258b40ae63bf6d1e15521196da0afea8139c10d7bf3b54694a82d24476c578991fce1371e40b78087d95b1117650af7134567513a017353bb4af85cdc98db757cec9f92df42b7323b1e5d05387debb02750683a5553bdfb5f9fa34e14d29e09ad18bc6ef2380c173a19631abde085369ff47fa8b4fdfebe13b95b90c6f5841fe5aa6334edcfae26c13cc5d14d17a02d684b64bd55841831bde4c75de7d49bdc1a405d4e3e0d327bec44644e972349a49cbd48a4d3b8e984f5847ffeba950fff55bba9b287d51d8475f7799752208da31d91853fe6d04d97ea2a33d53b07a4fc787be2a +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10673,6 +10701,7 @@ AdditionalInputA.14 = fa32817ad83c85b594976eafab28fe25c45aa74d0ab4750b33dbfd8836 - AdditionalInputB.14 = 2e5cb3c7c9503e019b3383eb6264d6000160c3c99ee5700e7a92433da1c01f56 - Output.14 = a7571c1afd3d1dc1d3b28dbab54fe3514a0ec74ccf999376a963a3820474cdd67b190551ad5b24f4376633b4964490f79a94059a55b967f8dbe58eb20d70f1fdac91565bd8daf5223abfa13b132a140acd33e36f29fe1b107f62e6c45a679247b80c0aa050f1c2d3195629baef7422b72fb3cfbb82a2e4dd1966b1cc27b8e6df1907fbd6320f25594e1eff912cd9685755473b908e06fd30c4359258be0580e6bb2f986b0450d53fdbfefc3bf06c0d80648800234100af755acec4f809c39f3e +@@ -11865,6 +11893,7 @@ AdditionalInputA.14 = 91e14e178a033e26e6f6a0b0f3890fa46f83731a14cf31445c51a92166 + AdditionalInputB.14 = 20299371a1de6f994260d1c59c1d3f731d8f70fea6e9389b3ede54d47594414d + Output.14 = 1b4efcce136b40bdc792d1607d4ab4fadc10d5e2b22eacca6f412d3aa1c60320bf825778e7ff8296db9ea360e068350f90d7d4947dc9a2e2a4074653458784059ceebf2a97db0e4a29f7c6107783fa3683b6846b8c8ce7161082405643bb84d602c6c36ca79b2b6562417f0d15f46a4fbdc445d50935f49eedf01bb131d104385369fdf88d91518618134a37c5bf73140400cced73795910ad0d2a89db2d79355ecedbcdabf135219d2afd7ac28cd7e45c6fd4e913ce5d464fd6de6e4c62b76ff86c28b0ab27a3c2622cacec075c790a7ff2f57f99ccb89c590a1dfb5a1862200c9cdf97f94eef18ddc85cf9830be662cec1885a629a6603add9396fb26341d9 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10723,6 +10752,7 @@ Entropy.14 = 1e1cde834393e00a2136b8924be5600c8bf59dc2d8a9eeae467ede71ee7b75af - Nonce.14 = b6035e96adcb7e8f2e17022e2e4f39ad - Output.14 = 9dde9f29034b6e784be24fe600c39b091568afb4c40c8e05b8b7dc36ca74a1bed38ab15643ca8c6da2f5aa4b7a6a5d5c9920cc31129c84e2fc9b865b3f30b698a143189a3f3b692b3e5641499c949e53e3619cb112f42046a18d5d12dfb3c6932a6a829d07deb17b799519b81e961ff293c0b2d24b629fe906166e330135e4ffd00609462f0f9b89a110084945243972486a0e1aedb2eceec02d402696c89abbc950dcaa72d7b0e00ed8e65c3e9eb1af7535de2da728f901650633242b3368c6 +@@ -11915,6 +11944,7 @@ Entropy.14 = c5ebb2ae08a03815e496c2db1e2a650b40893ea78fbd7ca8434edcde4432a43e + Nonce.14 = 0cede46aca7d2a60f2e98eb3c7d1dba7 + Output.14 = 6d8eeb5ba130de7dca993b44b46e08894fd84ab8c347992aeeac56ce5fb5f435bba92f1129aaf9b3035aa117301a1289acc222cdac043dac58b62567102dd5a57483d79fd703e188a0fe47254bb20b361281b5b8cedded86ba9b6d86deb30e539eb7ee007131ab2af99408f38ec7fd66bec4f1ed71251c149dbf8393b6dbe96cdeb9a3b5ee065ec8636444e72339ed2cb27fbbe5421f7f141940d6fa1cf570b8dd0393625ae16b10df2f1f6fe35dba15a732357dcdf4f56abcbb47a4640dcef618e27d049e27f2af7b8634faad00280e004cfe3f52d63185eccd6c4937a026830c38e1ed6aa9bfeaf739416706f63bb8b1475ac25d734db28e39163aa0c69c52 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10803,6 +10833,7 @@ AdditionalInputA.14 = 7112823304b16377182ff9aba920c97ec4d4f23cd472fa9954ded16495 - AdditionalInputB.14 = ba183a035635d9617bd71b59fccd561f1c78a7589c7fb3fedf41dc2e6d5015c9 - Output.14 = 94e577e5c4f66be345c6be7038b02fcfb4070d5bf74f8004b59c279cce961dcf5bfdce2f01e007790cf770587a68d0d24ef0fcd1a148fca6920e707289e58b81fa4a58b5a018a358d336a20daef30b2881844838e51c56f11533b25c77b9c6c6bb2c0657350f011b24db6c60a84232dbcd218a816563737585c1ca6152ff13304ca86dff20f9f9596aaa21448f2c6e620eee58f69338e3b675d29b478f34f0e60dfe7f12f02e6181d19185f7dc945210d86d31e85eae03161e947fec0f0fc91d +@@ -11995,6 +12025,7 @@ AdditionalInputA.14 = def9d8f7b18023b69c6cd4121c0adbc2a89b3ca37333d4523261d5eb20 + AdditionalInputB.14 = 06051dec796525094018b436605bd2ddd66359a2836a5996e8262bb7763fadc0 + Output.14 = 29e8184e37a5c26670bdc95c842c602ed8b0cf102ca144133e8cc841e1dc32fd038a72c26b8be8a568db60a4cfbd52b0d8b74cdf180a4931d6dd19a255104db105b3366d75e8f6afd0e5fab4dc14f6deac82e7703eb6a61f22b79bdad8ac7fab95a58a71f80fa510542615c305f7cbf84790060f17e7d78ab5d4b0ca34fad47133a0627b803c1caee3b97fe47626a8590672e2211f39cbe1b79d1999fb772b884122c8e50c59fdd3de13a53e805f40f8aa35501571a4c4cce79a8f738e60a43a11afdbed94e26f474ba5cd6ff5cdaf00d0fb84109aeb3510f1ea576c70ae78cdd0415a0521f3ff4083f9160011dcd6e2802cfbbbdfe9c4a3b114dd47b3a6cddb +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -10868,6 +10899,7 @@ Nonce.14 = 67f50628067bc401648926d7567711cb - PersonalisationString.14 = 5f8cb19e3c86b179ffb8812db791e8bbe6b0caff958715dd9e3368a2d48f65d7 - Output.14 = f178a20d27725759c839e7fabb63bd101c3352f582524ff088ccaf6f0546ecbd3d5165f1e3cacbb49ede115b8f6c8db3aa9720692efda124138d29eac17637b84977384fb88e81289ed5ec960e6e98fdc71d03ef0bbc05ac7682acdc62888b49fdbb442080687f902b5a313ac88d364b13871b20f684cf1acbfa229fa203607a0a37b4e1685d13a508da9f48dcd83f26751a2284044f93e18b2a206a1887d77c4b76e821952b376f19fcf53d83f704e3ec3b5c3cb4c390b213d57dbe4852914b +@@ -12060,6 +12091,7 @@ Nonce.14 = 7b9a876017e5e14bd6a19719c73035da + PersonalisationString.14 = eb97028b093f820b182384baafa56ecf196dc11ebc515a405ac24f73e465ae9a + Output.14 = 3791ee66e505257b0bebc4319897e80ea8a70577b8a85d809cc7e4c77a458e8517368e2eaa7c0623b91ab3ebc4de3240e00e5f0cd20524d73b8000f00a3cecf869bee26763db9689dfaad9b5f21e3975f750e0c6b694d7df35fea26b2ff3c2bc679b5ecaf129320dde8245677aab9fb54b8faa97d394adae687a35b00f026430ef29bc7226957dac5edbc4a70dc82fcac00bf89d97e11d2a3e6ecfc4af4536c329ed3f4dda201db47236b03f30daf71e6368a18ab6224a023fca2ead589d9ea165d66fbce2b37a630d18ef1c97a619cd8949f16f44a9bc0f5837737d7fa4355587af5ab452f53fb82dd8b8b4706cf04e77938d7e0c3a9744c353edd0c6931591 +Availablein = default RAND = HASH-DRBG - Digest = SHA-384 + Digest = SHA-512 PredictionResistance = 0 -@@ -12123,6 +12155,7 @@ AdditionalInputA.14 = 2cc9f137fcd8c2d526d70093fe11f90a0a36bc9764a4c5609072e181a2 - AdditionalInputB.14 = e40361245b91880e308fb777c28bbfaea5982e45fecb7757bb1c9de2df9dc612 - Output.14 = 66ad048b4d2d003223c64dd9827cc22ed3ec8fcb61209d199619177592e9b89226be30b1930bdd749f30ed09da52abaa2e599afaf91903e7a2b59ffb8fd470e6604485a27c200d375feff621118595a7a3057b7e31eadc0687b1008c3cb2c7435a5704b1a1a6a3487d60fd14793c31486af765ce2ce182de88112445dd5ff11b256cfda07018b95f97edbab4e4c39ca097c42f9dce80cd3f32677f3c224a86b315d02e377dca8f3785e9748ffdbe3fcaa3b0c6bf001b63b57426836358e9b315c6718e0b74fb82b9bf3df700a641ab9411d1b9fba42309a84bef67a14204f3160ed16a5497fe211aa1f5d3ae4b858b6d445f1d094543d0107ce04ef1d1ba33ab +@@ -31145,6 +31177,7 @@ Output.14 = 01f11971835819c1148aa079eea09fd5b1aa3ac6ba557ae3317b1a33f4505174cf9d -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -12173,6 +12206,7 @@ Entropy.14 = 42623115c0a43edeab391ee8ac84c2b3b1bebba8a6040cd1 - Nonce.14 = b79f5c377be52381210c1c2c - Output.14 = a59dcfa9585b1080cee51ee493fabc22394ccd0949e3a4d4e5b8d60e1137288d20f65e7f1ddc1345869e1af62562d6c11044bb65d11dc0071a04a2cd0eab76718ec9a67d4482acbc82ac27685b98c50064b41e120a35e5ca57ed1bed6963fdd03e26865ddd3217d67cdddbc990c5833c + Title = Hash DRBG No Reseed Tests (from NIST test vectors) +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12253,6 +12287,7 @@ AdditionalInputA.14 = 450a2109e7d83a3ab2e628ab35af4dce8ce7205de7c5f365 - AdditionalInputB.14 = 60d0ce5e11413c321535d849da56c3d9bf6222a3d2cf77e9 - Output.14 = 27397574a1ad91ef6f332c954c0d5802cb9c90926ab05c116586995bd795a2f1b4706487da86282e33d0b44dcb7a58c8c4a2874ed4646a1e963b7d26b62e0a5e0a5bb60ec6e07ea6b7b7fe1194c3ca4371736e595707ca7fb56bc924089e66b137c47f9dde74b5de3687aebc2f5c2a39 +@@ -31195,6 +31228,7 @@ Entropy.14 = 6fe9597b59903b1af4012a15368af7b1 + Nonce.14 = fd3e84b3a96caaff + Output.14 = 1eee4c786476d488e58d0e065bb025db548787fafbe757f29ee2bd4781cf69216091ba2b68919b54ad3070ac72a2342320eb1e697b9115acbe07e194d060562e4d0fd966ab29e2c5e560574b2dac04ce +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12318,6 +12353,7 @@ Nonce.14 = f2435f70e075f8044d4235cb - PersonalisationString.14 = 80fa0ec5a3a1b46cd639ae19c137239ba8113db33984c593 - Output.14 = e547f6d8cd665204f8ebf6d64ecaa23fcc59c1682eab3190bc76ad4981d68810833f1212965def4868883529c0bae4a2345da6a0e6a7e766d16022c6f371db8ad089d9227e3a85168d080c3ff2bdd604e7f8404a16268bd66d70f5fb164cee60f1af97bdb6e1d72059d7028a13ec83f5 +@@ -31275,6 +31309,7 @@ AdditionalInputA.14 = 93dc424bd0d266879601745a23317141 + AdditionalInputB.14 = a17321015d327c5dc0bc1e130aad81ee + Output.14 = f682834b5b492e09ff8e0f2c80683b032a3b262d16bc609c550dc0e74a4b7d8ebc0e3b8f2c9970d90aec9a82497dded20422b17b9e3cc3bca771cbe717ddaed5a7a6ae2601c7f765eaa719b71624e83b +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12413,6 +12449,7 @@ AdditionalInputA.14 = 81356bf7d3122bd65b5d96d2ca68875e1d77b36edb8e92b3 - AdditionalInputB.14 = 1f185d4aeca1d95ba4c8e7867df64296525e00db7da61e88 - Output.14 = 8032e92efc35ace508d8a10f36a6e7110cd0b087cf853409e83dbc554633380e9793b7657a23a931e34347fe0ba34c2abdef6a8505e44da62fee97a9543b9e6dd6538726ec2cc6f6d19382562a4a438a2b0756fa66b48628af292e2f53e49edfae3ccc48a95f24c940a90d1abfdd6d0b +@@ -31340,6 +31375,7 @@ Nonce.14 = fa9adae924417150 + PersonalisationString.14 = dbad22c389c527715d21a5bdf38c1fad + Output.14 = a18d57e672218956e6c8cb9901d02888f3587177c3e11e1a99ea72370347b953a9f122c9446dfa109723b27f36fbf15edf103a56741c24968592479cfe30bc0053fa7b9818e9debcc494db64d15d038b +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12463,6 +12500,7 @@ Entropy.14 = 3879ca720aaebb2a29c99c0aa21d63308b44677f2bbe6056 - Nonce.14 = 2642dd7030605b3608f4513e - Output.14 = b7ddc2d0295a550e44103ffe7e6e1771cd488fa2ea32b091076085284edb870220e02ba6facdf27d8b34209048d0aa4cce4556c074fc7ec2c3691b95aac3f47c3b42bee3c2e35da17b040188d47b7effef8ac471a669f29e6c4b97ff6836cb9fd8954f57309a97e9a697e061010525a1 +@@ -31435,6 +31471,7 @@ AdditionalInputA.14 = e488e16f48c61dd2152afe925eceee92 + AdditionalInputB.14 = 12c692abd90ab485f4d9499680a6893f + Output.14 = 8ba04617a135d8abe0c3c0a170e7472e7ed750eac706e5c3ed8305d6f6f8a1a53e0c52d4853b21ab8951e80970b426008ae11952ff364817b6856ef0810860dc65faea487b5d7c3f3d63fd443756d2a8 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12543,6 +12581,7 @@ AdditionalInputA.14 = 13998df6bfa51c2708775384f01cfe8f4755b6fe4b3c2fd8 - AdditionalInputB.14 = 8d25383b6d04285fb699c644bfc9b7fc72de41c733f35b27 - Output.14 = 3f408ca372917703ecb3449ea55de7a969a5ba184eee8f30fb19b99ae827c66b13f29d4d3a0236aefdaca63c28bb71595d3dc1fc20f1e7ba1b1c9bdb7c2122bd8e443b00b5339508c315ebbfc9bc3c7bebaaf83312325bae696a576b3c92931eef6b4eab6bd90c140295f47994ec6e34 +@@ -31485,6 +31522,7 @@ Entropy.14 = ceb354444d1a29c0c3e8a1cc24d02846 + Nonce.14 = 86d3fd9fc51f8b19 + Output.14 = 6f90ad611987a37bac54bea0782ac78215b7d17ecdd3991a81a36d0e263c6f0dda2c102cfba56b26c7b74b5dd2548be9bc81c7958e9d19821583c6f388132b9e19ae7609add9a296c1e92d66a2ef5464 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12608,6 +12647,7 @@ Nonce.14 = ddb5c0cd2b4b640898c2fd1a - PersonalisationString.14 = a096d62f947314691cfb647cc2f331af834cbcdd5918f099 - Output.14 = dc9175fb05854708739c3da005592ada29d408ed6162dd278ee457bd3304e4f7011355da2302df1d0d190ef846cadaccfa5325d3f71c407ab2434d65d815dafa6ca15f7e701a104225a839f2fa9874ad49bbdbee576b1bc71ace28c825095510890861c851bb79e2e2e922c3ac22fcde +@@ -31565,6 +31603,7 @@ AdditionalInputA.14 = 32d09b604a65dc8daa35cdc34141b751 + AdditionalInputB.14 = b8186a294c7824b7c550c1054badec00 + Output.14 = ae9a091cfafbf0e74c2be8ad4b984e824a24e65ba7610b0f3ab1750e2f12de1620db6bb8c493b3d8b06ab78e69cf2dffd73d4322a67ee7725aad84fb458b8f26cf04846850202e53c874213221e761e5 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12703,6 +12743,7 @@ AdditionalInputA.14 = 2bc060710fe3d92760adc274b878de0df82804e840cd098d - AdditionalInputB.14 = de879de9c03efe5a68a12da7a06003ffbbea0a9c53f5e0bb - Output.14 = 4968c67d2f830b591531d620b6c40de4e9a15dc97c70b8b059023033bea376953cc5fb415d823d55d5b02b17c2ac60a1c8ee7473d25e94888fae15c6a7770b75565fe505a117c734d0c7d0386cff907a893da3a83d45f51bec9d95670374524b4f59e45a04c88d1756ed854fa9f65693 +@@ -31630,6 +31669,7 @@ Nonce.14 = 8368ee0e29d35c67 + PersonalisationString.14 = f189a80d5619f53cce878ed57522a468 + Output.14 = aeac5933065c33ce2ace2531a193e367f73c83fc328f61ee2627f6f3841914c6b8a3ff767f96b3c3b685bac931af9ec10c6f3efe25b5109bb647b120e3a3f6971a4ec41f4ef0c7a900fdb09d7ff3b247 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12753,6 +12794,7 @@ Entropy.14 = 7ce7dd98c93953a8b60d395a68f03b8919931031e8f68bb9 - Nonce.14 = 1c217188f9c7980b8b03b41b - Output.14 = 58884a4316fe8104459bb339a4bac08d95461ad8e58f333eae5ceeecbf2d375e8fbb82eb1d29890ee0c56037bbbac8cd8e202d7ef05ed7126a15064699b9dfd4523782aabc6eaf21f1727d02c1311f5812c4b4294827a75f1cd6e6dcc73ba45ea8fc5f2647dff725f5fd9bc64d7b21ec +@@ -31725,6 +31765,7 @@ AdditionalInputA.14 = af578fbbb8a830947e9b4e2c9e729336 + AdditionalInputB.14 = 5a69864ca39da1ba4719dfe1dc850a4a + Output.14 = 8b846f03cb66f7e49fdddf7cc449a5f3f6ccdc17ae7e2265a5d0e39ea10fc3e6cffefc04147b773a1584e429fe99e885f278aff74a49d8c842e7ccd870f1330692fc9c4836dac5046c544be74652da26 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12833,6 +12875,7 @@ AdditionalInputA.14 = e73890b772747a356ee1527501410eb5cddef015a8d6fbd7 - AdditionalInputB.14 = 9145caf79d0b85bb7874c2dc82d52bcca68225a18de258cb - Output.14 = 4ce4c45336ed4bdf4004f326a049c195c26ff11aadde90d7d035ce277a5b158577a7e9971063ee9c0b5063ab1f20c90f619137c2f4713831d18f2237e1a3d522af9a585e5f43f07d911b8b977f6c644784c9c02238b9fcd0f663c8bc1913f783c200b388b4ecf30246c7120adf3db79b +@@ -31775,6 +31816,7 @@ Entropy.14 = b7ddb82f5664834b4fb17778d22e62f2 + Nonce.14 = 52461924becab175 + Output.14 = 8735d06e26814ee54b5daca4e1da3e321a5a19b062ec0c3afbe3b16f23332a687fadb29e65208130c3d667c075660ff70aea96430fee254c472686b8e82ca359a57bbdc3004bb3eb641c1f97e4b19e02 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12898,6 +12941,7 @@ Nonce.14 = 2b884a75ff571f92ba1eb965 - PersonalisationString.14 = 273f3885354c0a8296b0862e19157fbad69578ec121cecbb - Output.14 = b60362ddfbb4fc41f4f5ef353fc0fd8f31e139876a3af0e69f9049aca46a5989ee3a1ebb6cf14f525c3d8a944f4e88e030e020ef6551289c93f5c6ca2f6bc495cdf49ac91bb86e4766ccbace5f7aba008390d2b6dfd416d63ebfe07f5d583b8f9916ebb54620953d0b73c136de06f520 +@@ -31855,6 +31897,7 @@ AdditionalInputA.14 = 7725ef70592c362d70b088ed639f9d9b + AdditionalInputB.14 = 5ab2e0067c3b384e55a78492f0f6ed44 + Output.14 = ca095da39d9c21d7da073d9c95d2e415503b33c327d739f1838bbea4fc6f0254fdaf8ef6152e9263f46b864f39c7104d1d337d99fee588061152e623d7e00a27e03b5d16fe6e543453a31d4dafeda3b5 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -12993,6 +13037,7 @@ AdditionalInputA.14 = 69720682d68b7043c331b889ce6d3d83aa3d33846e9ddc86 - AdditionalInputB.14 = 350c63e7b01ecff4aa171f157c71f89a55637c2cac0253e8 - Output.14 = 63fc9293971bc8dc151bcc2df20e4b5c7604138e4df49fed323c9f1cdeade3d5d1c8bc89e507e5da1f38c1f76d968ee45ba53a3da35e693e00afd683817ee7da5cd2b0a657ac6cf95913c859c6b4a15449fe9045a3af03cc198cf10b2deb67c5c3e9cf9a40b8251de19c6cf3114bfe22 +@@ -31920,6 +31963,7 @@ Nonce.14 = 4e838a124e4b53df + PersonalisationString.14 = 163e393b290a4d390ab0beb392f52d26 + Output.14 = 76234afc296ea36a44254f999ac31fca258a24427cf4bfe2c54495fc41478ec4a00b540659b3b9461cc6188bc1f57c19ae414bd18aa81eca7b9d765a784f0ef24335e46c2c77b8dc915f5d12c26bc653 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -13043,6 +13088,7 @@ Entropy.14 = e03af342db03da30e2b0e5b8ed76c2562194417fbf6be645 - Nonce.14 = 6a9a5188dabd510894073f76 - Output.14 = 7963276f1054db251369a0b91d854fabaa3dd5b2343ef4306cf897bf964fc8b885908c4ada163b929a19c948ac89c8480170eb59b9a8d7d2d30ddfd1248e2c1795c69da81fe72d6361d34754f88eeffca2c31859bc8940d6662abe2622fdfcc28a1764355aaf46a2e00e50606af2b6be +@@ -32015,6 +32059,7 @@ AdditionalInputA.14 = 27486f8dae1b36462639ff7eee869a29 + AdditionalInputB.14 = d1bfc7eabd8eddf622297012169f351b + Output.14 = 4c893c3d1ed3a190fa88e159d6c99f26a02fb5fccb98bdef9fe43f1f492f490109224ba6c317db9569f618984409f2fb3db0b1e2cd4b95746f159cca76f1204f6d2a4c455c547a39a5f79fec95c8f4cd +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -13123,6 +13169,7 @@ AdditionalInputA.14 = 9b6c491387a2394b94bfa8b077cd43bac49117e94afb9616 - AdditionalInputB.14 = 7c04bea824d8aa7b19facfeb3a676eb51c31d7b92f0ca1ac - Output.14 = 332b884c8edcb260c535a218001d421e190d8b9c6b856fbc5a4ab45f92149487f8563138312a42487969370440675f5bc9b21a75d2a8386867fdf861c8650e26af47c5efd81d9fc39cbcd44ab0f4cb10325fed6f5b7ce5d8111ff71e5d78c7d1f53410e5ba492b9f68ca55325ea8b318 +@@ -32065,6 +32110,7 @@ Entropy.14 = f484b922f492d19b58407c242ab90e76 + Nonce.14 = 8952a0a4b666b0c8 + Output.14 = 2d77235fa273cab3c1bb176d44817cc25300b3f0172a0b5aaa66b282c015d426edec5f1ebbfc0269956b85994167992a71002586923ea234be6c5df09f47d89132e440827b89f7ff97e032b3f74fe32f +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -13188,6 +13235,7 @@ Nonce.14 = 9dcc6c4317ff492d0d7dec5b - PersonalisationString.14 = 7d30c5a4aa169c6dce156a8eaf000f9be0f8681e3282dbae - Output.14 = 550a9ad9e45ba359d463c1e084777bfb2ee25ff791070a87f01adc04cd1a7e9e6ef334e477fb5cadd82381e0add8a39ffc222150f17b8bb0d3b1cd80948c0a5ee09a84ccfff6c9ac33e6831d1a84182edac6bcc25fe357a708f78db9a88daf553914cdf0bc7a9b0527597f73707fec8e +@@ -32145,6 +32191,7 @@ AdditionalInputA.14 = 9e3ea6eac120d663e330d282ca9b9d7c + AdditionalInputB.14 = b8d71fce7779a9906b9790cd1d4e48d5 + Output.14 = 63d28a300a329ca202b98498c9f46912620bc85c246f034dca4186cd9b0e0810a363785878effde90aec8cb584862524eebf940c44fed21cb580d4115f3e0dda07e0e4a66689c2ff3e9b87edfaa4d051 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 0 -@@ -13283,6 +13331,7 @@ AdditionalInputA.14 = 1b8725447ec539ea4a13c47b323f1d6f435ba7e624dcf5af - AdditionalInputB.14 = 86d30af40a7a395764b8b69f2656954c7c3f1c30b2b703b0 - Output.14 = 2fb2f24b2c38f217232dc22ecc7380b8240b05d2c7bc0e3dfdad268c8c10912a92595d70dd98e7ecdbdc6d7bce6c72cdebd7e121d75de8b6795b660be9096a1f24a97e9c5344c35f04451dbd8d9808c7a84c6fbafab6d060026490d492060f052fbf21a3bfa2a8e4a40db58672ca52ce +@@ -32210,6 +32257,7 @@ Nonce.14 = 7239f92b63fb3dbe + PersonalisationString.14 = 8d2e2ca3985bd2538a71f02cc3eb5568 + Output.14 = 0e4cb328c03faaedbec7215725851069bceae4332de6a70e3521dd065f2f7923485969571ebd7f24be460fd901c6b3e356da6ee5262ef2d76ad14eb0f697f8fb92af2f46630198c5f7018860886147b3 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 0 -@@ -13333,6 +13382,7 @@ Entropy.14 = 9021c403eada5eac222dc48e1437b6de48ca31b9e7e76fc5f60653a3d901308a - Nonce.14 = 503b4bbc0ca538983285857a573f6166 - Output.14 = bca7456257568a178877bca602d331161828a4ed0758d1ec3febcc21717cc4142e5481dc9756c56099cb043130345689156cb96e1664ad007c461ef8b5b0fa7d18508541f528a43fe8c719f3a269ff2821ca655980579dfc2c794da673b8c9234d561b833855efc91b4747ea5135a1a05017543f5780f2cde8b472787173ec50 +@@ -33481,6 +33529,7 @@ AdditionalInputA.14 = e5c633ca50dcd83e0a34d397df53f6d7a6f7170a3f81f0e6 + AdditionalInputB.14 = 5f0beb5a2d2968e83ba87c92bfa420fd6e8526fbbfdea128 + Output.14 = 8bec11df1022aa50d95daeaf23d78d6ee45c43c5768b90181e106c7df8ff333d7cb87ca1ab83f8742370db1c8c0c0c22f141ff4de33ae8bdb14fee7e6c069819320629c66d94c7c97ff52930a3c1dcd501b60f0f84bda4720ee187ae858a6e068326eda5809716e366d1b608c61b0100 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13413,6 +13463,7 @@ AdditionalInputA.14 = 439ba9ee252edb11b09fd765266b220077ab641cd7ed42b7cedc96b399 - AdditionalInputB.14 = 18e1dab1f2af82b8912be6791b003d7b0d66ce76a78cc17b753055b7b48cd2e9 - Output.14 = 5af9e042af202c9584bb69cb54738c0352ef2c9b9483d6fc8efd525ca38e62f535f2ed5658770e8cc5d53d9f1964b8a55d871c78250851491441c924701a52175410f52b162ebfe3991a72472d8842248402a666d726ea71437fc4a521543a323d501a6942ec4b7fb77ce462face53a2ab9b1b9fcccfe2346adf36027c48293e +@@ -33531,6 +33580,7 @@ Entropy.14 = 1194beb668839c47c73e7516f9ba09d23dec3553b3b5532f75b260106dcc2abf + Nonce.14 = 3c8a77351e93065d584feeb08c8424a9 + Output.14 = fabd48bfcdd07968239fe538c2d8c9bde2e257b9b244078f39287c7ee90de167fff56a693c4e64f45081635511b5fd031c0270a31b4a014e44c0516a55ae72345aa11dffcda4ccf8cda50f6948d5ae425d8d53ad5c74cef1364277990156796e1c5dfa1ef095c0d8983477eb24241135760b02c86c86d4ec3627edac8c1a7e32 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13478,6 +13529,7 @@ Nonce.14 = ef68efad369ca5fe791ad438cf9dbbd2 - PersonalisationString.14 = 012ff5b08fe14fad65ebad5f15d74fd72d8577115e5e91262043e85a13a3043b - Output.14 = 1779c05411254dc5ff714eb56332cdf9a378a160bf0a20ca2da9e4c3b4e3c425d2f08dc969bd4924560c8caf9686b27720307af8246e6cef20fcbc00cb1f137b6efe9902f9944c1384bf917675a52b7b816795327afc4896182a78d4664b98196f89c466d5fe1e2a54122035863c8bd61461b2ef9e7b469492ff63364b013dfb +@@ -33611,6 +33661,7 @@ AdditionalInputA.14 = 626385595bef7103af0af700e1df048d7572286af709289b7894d2ab09 + AdditionalInputB.14 = bfe8946dbf27d3a2127ec600351c3920d2531eb9419408233e0a888059b5eb68 + Output.14 = ee6d07661828213e6453d94faaf76345c70949eca4965714c350313b0bcd8e079e6a07f8b2f7a91bcb7ef39a61568fd1c40ab78f154b3582f830095d571de29f81f9565e46b560d34c32bff55341a991f8e863bd9242c7cdd366be12538bb6922f1abfa19e7998aac61d465fc46538ee9142acc66786f4516ef4105fe1d80372 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13573,6 +13625,7 @@ AdditionalInputA.14 = 77d998ddfd7ab7577ca9f51d6cfbec955aaf9f88cbb3ae32db7f7c4609 - AdditionalInputB.14 = 9ebaa09e7057ad7cfbf02e8f3143ef7b7c1dd6158f641815ecdf8e4a65c17f19 - Output.14 = 161efdc30cdd124d4d6b3d43798dd79bac70f494c3ebaca111cfa3d9343bdb73ac0def00776486584f932cab74ee12a391cbf4890b10044f7de6c73f973e43837a43b7c47a1a9a36d7e62f9b7ce40064994a610b92d68c6d37aa5d9d92c3d858770ffb8fbd87324b49101bade3f2014bcae7deffc1e4f6a1a91ddfe7e6aa33cd +@@ -33676,6 +33727,7 @@ Nonce.14 = de2186bafa82b0d08a0b8215e3424512 + PersonalisationString.14 = d96db27febe22db935b117dc3068374e39c5b2119b497e3c1d858ef649e01de5 + Output.14 = d04435a8aab397cfcee5151f7aa24298ffc6eee4f577cda42d5e154b8d28cb2f0f945f11a15ed5b76486c88f03081cfd262d94a8e0b332e3c9c608461dcc8eba20d7db209810d25c226fda9fe218022a9b2c96876cb16c06c0553dd84ce57e20338c3d3e03c59ce22e668e25c2c50d5cc9afab91f50a28680964c2dacb9d2fb3 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13623,6 +13676,7 @@ Entropy.14 = 0653c409e957302f6eb62bbc4f42b30942ff7860e7c38dfb2fd26b164e83a713 - Nonce.14 = 273f7eab3dc9bf11216d5216bd12478d - Output.14 = 51dfe9851da8d7d5add3dae413d8bab8bc7d1fcecea00795ffadce047d5243ae36f29f3611fb8cb66e98717a98735384aa6a310696356cb48f4672b2ddccf86eb44777c1616338792629b6cc6ec2b66dbacc1a6b66bd9364914f1f43277f6f43e13145fcdb73a4aca6b784f9084d22c967033651da610e9a85b1eb7513683dc9 +@@ -33771,6 +33823,7 @@ AdditionalInputA.14 = 5d9446eff72d59529a90b498d8f40983b3b2904f63664fc0aa1de8700d + AdditionalInputB.14 = e19707aafa391e8622539d52a05d930292bd0f7c17825dbed5fb7a2f8734081b + Output.14 = 6ce2ae37349cbef9ebd1f9b85485810a22d430d94abf66912dd7b6cc751400e777be2f1cebc19d65694a456b2c6429cefd95eb934030846708d50be3b274c2f7de299f3c311038491f271448c7d02ff51de048fa1184e8ee06b7b46a9f123daecbebae4a2183dc8eb6976abf0dae7cdbea6017cd1500f37dfadcce0c1956ea87 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13703,6 +13757,7 @@ AdditionalInputA.14 = ca73cf447f2fc3984a9de0290fd9a984a8460ac715cddd9e8ed99aafd6 - AdditionalInputB.14 = 21dd9cb8e146954a9745fabe039f6f52ba8200f575e9bbe19c703b8864f34e93 - Output.14 = f1b153ae274a380c28668f1ee2c8c3a91f5380d41bd611d974e4e419a37debe664d0b706722184fd3e805f2ff05554bde7219023d1f62a52970aedf4d77e7b4604cac2a804e7b9353c087752f7f185991b10910724d0fd06dc6526d6102c8d0ee8c32f6692c2786d3b715bf3860539689e3f415855ddc37bbb6750972f3a45ca +@@ -33821,6 +33874,7 @@ Entropy.14 = a7a1dbf7f828555610197e71e0ad563b8691589c5289ced03e9ef83b6f9ff938 + Nonce.14 = 4274788c5d80e26ec1ac3a57b9c7c0df + Output.14 = 5a907a26c1ef588219d4c69fcf4c5c283ab148a77588a40b323bd24e6dfb29551c4b6116c4d61349f5f8bd9ed497f38b239c37283902beb3c9700c768fa289ee4573f92316efb860a5ca4267b328f03c13138b774b4b9f7516003a699f7a0854a0efb045a5932753a771c2cc6119202b33336f10edb715bcce1d20ff503dda01 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13768,6 +13823,7 @@ Nonce.14 = 10818cc50b58ccb660d65ff705041a37 - PersonalisationString.14 = 2756a89e79266d6d86bbd865708321f529b023d0cb5ee5d9888c37db33dd5164 - Output.14 = 7b3d778ee1623b08875305d5761ce2cf44ef1bab87c7d0f29c862c40d3da31240e7450d827909b6b131a9b0e9ad68d5c02caebf4f3b0b7d7ac1cc58e353ba68e7ac9eefc3de1310cf9bf5f4b854ef3fc36e940d4fc50072845a83c38a7d4372c191b900d11d11a907a50607c348951ccfeba4efc30377e4a965056e4e84eeb02 +@@ -33901,6 +33955,7 @@ AdditionalInputA.14 = de1bbca12357943b4489cc7209b3f063b51b91acc168ec5e0ad88048b6 + AdditionalInputB.14 = 6ddd9aba4f100ef902ba50adee53ef44a4f45564c13e774e69557e36a357e7cf + Output.14 = 544ec80a966644454886fb97a0f05eb6a4a25fcbce795b5e5b27ee06ba14b7de18dbf54f80a670b87c76c336ac9af16c8958ad6c1bde9a97aa4c1ab5823d24a53c64f6766ce6eb9b7085cf7282499c37fc1e2e825f53bc357bf36d5901e0ae93cd3bd821fa18b5aa17548560f7ad6ef38124814fccf9b2b89de61cfc27c7269b +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13863,6 +13919,7 @@ AdditionalInputA.14 = 764b81871036cf65802c4e9659e25b8039be84bad1b121b536d2ffc269 - AdditionalInputB.14 = 28d46df3c254e5cc199e14b45bb1e2f85a5da03f49dd76b5a16b76723d5b9855 - Output.14 = 94e1fa76f879eb9840cd50853565f43cd7b0545705bd9a35494668bef7d7e7085b48a455b38fcf10f145f28a599c58e2f88c2855f2437a17d7333d243a1c25b76bebc6a94f7abc3fabe4c78041d9b3eaf675c11970b14cfc6ff20c8b23852b2733ef8d8416a920617a9b271beeabdb0462e5d23fd68b56f58e3554e81493c5a5 +@@ -33966,6 +34021,7 @@ Nonce.14 = ab7843b73ecb4858f2cc5e9dfca803ef + PersonalisationString.14 = dee559515084d8ac49c3803f09f3d5fed3b307946a2752c267677f22786a0125 + Output.14 = a12f5e8ea3bb174934c15e5d114ba615da33210c98c38d7fde4b5aef9aecdeaef311d929d7fece7fee11db67134c3326b413b8dc17766ba4fb881105db68688b148fd95d812f6538b14f25afaae84d39025336136d270bd643f2a6c7164930372fb1c8f4f0dab60283e9d8d3440ce8dc66761c5d5c4c13cc3a367feb4869b559 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13913,6 +13970,7 @@ Entropy.14 = 3bb1f6cabc56a02643eb767cc6e5bb3a5bd765555e4e27159ec905012f58de22 - Nonce.14 = cc37cc9b20a2e4de0bdf8ccc3261eb90 - Output.14 = 28f20b9a94340aaa6ca98174b5929ce3329d81bebd67faf5e30d12f775748c34c848bcda26cac8b4a9b34c7c92c9984a6f5a85269583358e985c2b372a887f9e3f0f3920dd512def27d818522ed1a49e96d00a5aeb41bafd152144a8b6f93426e73d6e8ef7a8a5381bc464b24061080af02aac51fdc52f404e1349b7d04daef8 +@@ -34061,6 +34117,7 @@ AdditionalInputA.14 = ead8c0dcf4ddc909aab96eadab509a46908ee5f090983af609f08d8a8b + AdditionalInputB.14 = f357bda8f2048929a4e31969ec978cc333d58b4fc09a8aa1b73ec9bdfaa1a8f6 + Output.14 = 901aabb3f065be08e2f8072d5d3ffcb28ab291420644e407e7a6a3346b75a5be535bdbdd5a8245998689450292df877233ef0783e0bd1765413193790995d884ffcb2c8dc35fe4cfc12def2f091866d735b1dcfc9d8d8c26903d50e9397b1bbd674bb81fc908361b2bddb68f02031d87588cc3e94210422674e93fea6a5329af +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -13993,6 +14051,7 @@ AdditionalInputA.14 = 2be009fb81ff22c5c2e15c988cdac8f21a6f17a4277fb1df773bbbcc39 - AdditionalInputB.14 = 0c869f061049dbaea48af93272c5b321977659a79f8bf0a5c6d68b982ef44b88 - Output.14 = cd9e8213591ed7e30743ba0dbae5f08a4021845d961040c5188093d518c3135048ea8ff052fd66fa83bf98c06d39c6cb522dbc938b6824f51488197159666369e7a9444e04b7ce5832bd6db1b3cebf8c0f7bf865bfc3cf60d2a2c0ef06abf7737590fba097c29fed234369cf9f064b142ca30e3941093904945021372c20d90e +@@ -34111,6 +34168,7 @@ Entropy.14 = dfa94c198483c5daa046f1dd1e4e83f854fd6c5cbc3465f671bdfd36837779ab + Nonce.14 = 298de64bbd817d009a71c1424ae839f9 + Output.14 = bfb9a54ce31406a82608aebc826441f8f633813a0c3bad723b802f3e905a6ee3512ff3513062aea51f93be17aebf1cfcd81868e85db3db9aa98680f974001fda8fe6a644f5efbb9d6e52e99ff606ef1ed7cd3b17fa6c6844790ed58da6df61aba0c200d7dff943588f4520891798098bddc65797b2f99c05efa090c60dc48a4e +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -14058,6 +14117,7 @@ Nonce.14 = 704e8e29c7aac1d8cbe97bd7305f8cb3 - PersonalisationString.14 = 631c5d0240b8d9800211ee6c97a5ae77405a354ac25705f22d405e17a52109cb - Output.14 = 9ee855e661d4293fdd7353492c711b39625ead90849ae5808b1f67c55cabe17ae13f0f18c0954341d6a2d24b899785642c0b29bb1b81fe098a17f8701e8820cacf6c00a8dab2e96e7f8593e188aae48385ede7bb5ed5ffa3f19053663383d666d38eea377d121e0b55ee58ee8fbf1e49c42a4d3d48fb0c9247c6b94c6539f4cf +@@ -34191,6 +34249,7 @@ AdditionalInputA.14 = 066b072d48f6cc6bb00273e0bc0ebc086235fe79af1fbdb46318f56c62 + AdditionalInputB.14 = cfb58f59c6d56993b9f0b5ba1643554072cf4ae8013c236120044ae909083f5f + Output.14 = d5dd7f55ffa7d53fc0f679cddadeb869f39b29a6d394c9f1185b11ebefbcb43419c6a26ae3c9ab9d456e2cdba1aead05e67eabd3596526ee431ba7cab7f94838062fcec2363cf0e19849ffef30064263b3a059ce38aa02c2729bff5af9450e035161816724163906112205196c642bfd70f36abb4639fd6e4f7f6a879ebbcc62 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -14153,6 +14213,7 @@ AdditionalInputA.14 = cf6884bb4cf7c08ea954cc2d2389eaaaaaa3bf9ab1dd74372c20bb3e12 - AdditionalInputB.14 = 2b30cc597b280e704632ed1cd2bbbbba7a9953deaa809848eb937b6b1a44b91f - Output.14 = 4de8e3c529bda0753a9ba237633be4c844308c233d6e58995c339cc006c7d4789b5f1a6314637b9749621fae3982c5a748d58c080e12118d4442bb55732da53daeca71d3d033b10a2a807848babb822a346524b4a41e9d85941730b21c0e80a9871c9d9aab0e6d0269258b57fcbf7d703794bd2e5f3d7b3da9d3cf2dc2073653 +@@ -34256,6 +34315,7 @@ Nonce.14 = ea7d3c3b8f6da0667d7f0d543c68d7d1 + PersonalisationString.14 = 86c20a7e794c887898d5bc00e98398276a4e3ad8d674fb808a63a44330490d2b + Output.14 = ee8e21ff48af611a17d33e130f4e4224330efcc1402b6d55aaf1f514553b880f18df68c0e4279854eb2e9b904c552f69f0e1badc347ebe336b70456f221e07a2fc78df72551d99df3755997029ee1461e2b6e396370096d7e8c2dfceb73214a72ae2b25ccc60b92dd71988eda811ceac4b7c335528249aaf82826a14c142007c +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -14203,6 +14264,7 @@ Entropy.14 = 043872fa9f0c4d97e2c6824b778a4fb0debae214d3358a5aa01c0092c9dab6a1 - Nonce.14 = 0fc8d529a37083c2efe84aba8c8abbc0 - Output.14 = 22e8eb6b4d11657a66cba93f89b519bcce87a9bfa5ee22cd3cfef6180cb8ca842e8d408257b8140fabbf1dd65085ae62fb8b1d2a679dc0bb0a82ecd3b8bbc05782a20a6345554a1f5467e9811e0fce41a786c805ce2882f8b4d972b9a37eedbf828a381d34bab95efc47233846f8b5c701563033253323eda41effad5fe37d3a +@@ -34351,6 +34411,7 @@ AdditionalInputA.14 = ea12ddcafa4f578b8b43337508dd8627844d185b10af7de7e907d113c6 + AdditionalInputB.14 = 0cc670275cd2b0eac5df123eb1fd73c2f2b093b76806943918cf49930fa97515 + Output.14 = 88dc727007c0e03c8d27d00c87876f8990b271964a5275f636ecd7f18cac9c869e5f9df5fb2d34e7f89c2e9819af562a706a03d9be9318896f5ab16573aebbfd94a681cbf27e7202b8674437667893246c267785d0deca5033de88a61bf5158177391c2e3232ea6f812c468d5629ed9f89ad0bec0f6c7a469f56331f9eba1cd2 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -14283,6 +14345,7 @@ AdditionalInputA.14 = 585a4b6736338ba663522b438ab9255782c39b36e6b253186e821ae969 - AdditionalInputB.14 = 2581ca0314c9a224b09c0c2e677e1df1c215cae0760d3ba03d1053156e9c3155 - Output.14 = e244109b937e9a71caa70d627ec8280210c86676b4ea842c6a4569e5da0b25c1ab3794ade3344e2185641c77df4d3011962e8312aa7c2013e4373204d861e27e88ede82873d5d45ae5700ddf0ae7d523e96df236a249ffc6e009e231b77d64f07f395e57b19a4d2961a6046c910d0b8ac3d882129ec3e337be4cf2d9ef041a8f +@@ -34401,6 +34462,7 @@ Entropy.14 = 6b9f904ac4b16d36e06a1bddc501d7ef98d5685c1ceadd0a6e1622e0c1e73716 + Nonce.14 = 4a42f39e5a241a2b96db29055159c91f + Output.14 = 785014b0460831b7b67346c6997217b0f6c8e7313687ea6ff4d0b09a0786bd6ac362a0b1ddc6ab8c9c624625a379cbec7f11cf30ddab23cdec054b986175cdae0ca4ba4610e0711bc94e9ab706539d5fa2c1a4fd3cd49042696b58dce465f8e09a200e7d214cda357021c62248a01aeb95f8ffa8bd49d354fdccf4c71eec3491 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 + Digest = SHA-256 PredictionResistance = 0 -@@ -14348,6 +14411,7 @@ Nonce.14 = b2328815495d926dc8ff075d5834bc20 - PersonalisationString.14 = 4c539b94823c6c7883b071ac395203bfb5117b6f9d5db7cf4063132e6a2a3cb8 - Output.14 = 4f6035946d4305290485c7aea10bbceb99b841770dbf5529e31ad51b0ce138344ac0b193a5074234adab8887a51d9448a2cc637a543372ed93885975b8de342c6a12a1ca8f3d053ced1dd2c7d6a3fabf6ea7860071c035f0fd54ee5775ae3a5d457d4af9e034ed337d79e9fd52c2ad051388dda50aa78d37403f33d52d30f6be +@@ -34481,6 +34543,7 @@ AdditionalInputA.14 = 147d51711ae8a420f165db0000d9d0cb9e9cd5447311eed43d7cc9217d + AdditionalInputB.14 = 2910968bb1976a1b8ced116e673f408da6fc563695c918ac0a230b0bb800c707 + Output.14 = 357a7269b30ca744e213d894f5c45d0db9fba897e0c863a56062f5018ad9be9f37b8d550014ed68f2c34bf5195c0b7460df171ff3bd4a590578670c92470d876c8de19d48a6d7fa15fc7996be78d3cc8a5c657439f4bb9865bd56e187d5df2531a405e3e0f4b87c611aa8e226b8b0266290f06f8062456a7a4bf0896e4ddd948 +Availablein = default RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -15605,6 +15669,7 @@ AdditionalInputA.14 = c9a1481cd25c537ba57750d594afd25f - AdditionalInputB.14 = 51e29804f9d079f3074ec398320b2a70 - Output.14 = cb3cd4510de88f8081d8989c2679f76387b7d2cda286b75d659a3ab7c3b2ac77ea00366e7531c1c9f4f8e60c845c5d2a5e05fc999621d011deac3f28cb447a37c2ee815f7f5be3a571d153475d6497a3 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -15655,6 +15720,7 @@ Entropy.14 = 71acb71235e88e3aa6d8bbf27ccef8ef28043ebe8663f7bc - Nonce.14 = f49cb642b3d915cf03b90e65 - Output.14 = 144aeb56a11cb648b5ec7d40c2816e368426690db55b559f5633f856b79efe5f784944144756825b8fd7bf98beb758efe2ac1f650d54fc436a4bcd7dfaf3a66c192a7629eea8a357eef24b117a6e7d578797980eaefcf9a961452c4c1315119ca960ad08764fe76e2462ae1a191baeca - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -15735,6 +15801,7 @@ AdditionalInputA.14 = 03015311cddd0961ec7a74cb84d835c058a69b964f18a1c1 - AdditionalInputB.14 = 5e0d99e0e7c57769a43ea771c467fb5e2df6d06dae035fd6 - Output.14 = 72e8ca7666e440ac6a84ab6f7be7e00a536d77315b119b49e5544bf3ead564bd06740f09f6e20564542e0d597ac15a43b5fb5a0239a3362bc3a9efe1ce358ddd9d4f30b72e12ed9d78340c66b194beb4b12e973213931b9cfd0ccbdf540d2c36ce074e2beac7a4ddac59e06e4c7178d3 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -15800,6 +15867,7 @@ Nonce.14 = e8c5220ae48b0ca1412e9c74 - PersonalisationString.14 = a0a1d6d3887f7ff9f13c85d6ae5af2c840fd85989b7e50b3 - Output.14 = 14f629aee43f71b61d467ccc37de8eb6110ccdc65fff57ddd2e66707bb768e5de5df5467ccd55002815d306adc7b7d6b5d87c20d2922bf5fd3790282608457b69720be7d7affcdfecd173a741c7fc99f5f30f981b1bc102977a61f1515b923ba53cd87a37faaac12e0af613ba0972a0c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -15895,6 +15963,7 @@ AdditionalInputA.14 = 875e5bc9548917a82b6dc95200d92bf4218dba7ab316a5fe - AdditionalInputB.14 = 4d3f5678b00d47bb9d0936486de60407eaf1282fda99f595 - Output.14 = 90969961ef9283b9e600aead7985455e692db817165189665f498f219b1e5f277e586b237851305d5205548b565faeb02bb7b5f477c80ba94b0563e24d9309d2957a675848140f5601f698459db5899b20dda68f000ccb18dcd39dfae49955b8478fd50bb59d772045beb338622efa5a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -15945,6 +16014,7 @@ Entropy.14 = 30efbec33ef98a928e9441af3caabb34cdad892669e88130 - Nonce.14 = f77b7e0fcca6f8733e0bb0cc - Output.14 = 85f5368cb9f44474af6c4a159477c5cdd05eb0c0a37847bbb07e9a9c8f633ef2c3727d017f1bbfa89dba056062202f5824b3a493ab53a2a5fcf796d944577f1393d35f2a284453b2cbd8eaf35b9bae7b87c156cdf9cd0a2fc94ddb0d4842e3ab4b6c97089cac0e32bdeb32dd8233fd6e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16025,6 +16095,7 @@ AdditionalInputA.14 = 5c15fa9dc77d6fec5f7a4a3e4a315c05de2b5e46efe54934 - AdditionalInputB.14 = fb65ede490ee01a1c100ad5e23a20f91b45adf1ddc15c590 - Output.14 = 98cb3191831dc79334e8e37d5246600f822aaa40964b91f345b9df90929db1b7bdea96dae9aeb88d05fade5ae6c29aa8eeec7fdc96e654c5ea41ea01e3104ca4d287bb03005feab0bd1f85e556bb6bc46a2227b14fd94f9e6cfd0341cfce951851feb967968d6cc818f364345b715bbf - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16090,6 +16161,7 @@ Nonce.14 = 46f8ee037b927ec766de0aba - PersonalisationString.14 = e6299e0eb5826e498d873ac02892f01e02f6632101fcc090 - Output.14 = d86bfd8f9d80eda3bd43850ea6edab2ba4f69ac8eea623fd6bbd5c0c920620f8cc136b0170f0310a156271981a9cf7629e1b8f0759de1e99e20a0930ce3bb7dd2d88bc9172a56108cdd736dc529a6b99862bed7d543bdceeebf450020762652d520105f5c5cc3c9a6ebb64af2a7e82b0 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16185,6 +16257,7 @@ AdditionalInputA.14 = 82f895626afb606f335f5f050f0fdf3b45275e0b451774f2 - AdditionalInputB.14 = d423d43240cb6461402a7755f247573f24fab496e00b2e5d - Output.14 = b32c753900d4a0a0650d35d0fc918b3aa5f253d4381598ed475147f32c8b002bc08678e45bed1b9b519cb9729972886f85e581c75d3c2c9fd6ced929be29aa3befcd1d3fabefec590ca55612c1a0409446a01398d0e4775a548d118a32f29b0dc29530329d2a7656e5d3ef66db2b9726 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16235,6 +16308,7 @@ Entropy.14 = c617061099a17392c3092d27728b35e59eb45814e9df9fa5 - Nonce.14 = e1634c0d96cf91c53b063450 - Output.14 = f08234ed8621f1f551cf49ea60140313a71341f6886c484a06e74e64aba6f8ffc2cf1edd34cd93e836ab033fb0893e52e01da9b3104fe49584a45447c136222b1c1f1d3cf406a80ed9d782d2ae277790eefc5c06f954e654f7f283ddea79d2160cca1f63d0ad00eae9e882de34ba4083 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16315,6 +16389,7 @@ AdditionalInputA.14 = 857ce19dd6e8a45be185875f1a98911062045553e8d28ac2 - AdditionalInputB.14 = b5f1998f0fa38145edb86ae4d569ef4dc2e0aac0a815d3b1 - Output.14 = 8f0d978b24bae2a0665beaddfa61e8896ed7976432bc4f7c444699e30b8da1ecbab8990bab9d0d72ef6f6b0b27ede12dc171a43a14092d57e3999cee71b1356da5f29b17fec227ca2a4887bd990fa33e1e01c8a9f900ffbeb300cc5ce9d7d2e25a44fafc07e34acd61d425e0d36fb0f4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16380,6 +16455,7 @@ Nonce.14 = fc382061e29c4047c6f05dde - PersonalisationString.14 = 9b2eaa4c2a229cd2bc5de218aff95f6e5fbc7ef150bdb50a - Output.14 = ad49119d6b4f25ba34050920fc503d3d0d331ac2535d916a58d781317fcc2b1117618e9105ce192651ea9e19fa6756975d207c662f2b464416d849cb67b9af52abeb84f80863943af99c7916e78317a091ba90714ec8620f661b41d648c15c06e822329cd7f145446c5c3630a4243281 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16475,6 +16551,7 @@ AdditionalInputA.14 = c9aac7bd9f15385facc344dedcfa754bc9f4f30277a3555a - AdditionalInputB.14 = 42de701acf5622b30e7672bf7115043a9912c1758c1b316f - Output.14 = 972ccd5aa60966bac39aa9c891c7c513244efbfe3446fde6806cee991851f1e4b3d4a4a0c04b57242deb4f53d27040879562fc5b32621b46a642f3c84063c5195faf9b78ed92145821ae554d58325b03d60e11461adaa8ac87876559e1cbe47f7b5c33a8311294b0e54a44c97d4d2c9d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -16525,6 +16602,7 @@ Entropy.14 = 47f141d1d0142d53c10628d2d1dd77aafc11ffe45f29b126 - Nonce.14 = a1e958e036afd40059ce9639 - Output.14 = 2096935329ffd975154c38a2c22e30ef12b7acbacd39868032d6eb31a596e617fc7e05026b3dae231f256ea94dd4ea4f05734eaa7916be6f846b0304ff0de389f3390e51641103e7dedee99e56d9455c80a7e10edfd2147a50b3864b05443a1646fccde2197af1d1d72ae3c2d4594218 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 + Digest = SHA-256 PredictionResistance = 0 -@@ -16605,6 +16683,7 @@ AdditionalInputA.14 = 49a758a4e0a8ce69aa2e5f9b7940c6fbcbfc4fdc91165e4d - AdditionalInputB.14 = 9c8ebc02c3d92d33112a15747b6367b8d6db3447cb9be2af - Output.14 = 70cf10825dab6c1abcc1532a1b2bccd96f0638d02eedb40a7ebf97093f5d0295b6bc74d9e48290ab39260d684effcb401427a4ca62b971e5a31f06c14a9f8e3851c3e79dfe129ecf8a8e185ee58667e2b692474a0d5f0a39f9d794adf1cd71c1266563dde24dc944661acbf849fe69fa +@@ -34546,6 +34609,7 @@ Nonce.14 = 66ad2a0d5de624f3d709cc95e5c99220 + PersonalisationString.14 = 6f7f8f1ffdcf859adcf6020d5cffdd8e3e1bdcaef0b22e9e61384b888f1b3537 + Output.14 = 1bc4cd76787f031df8e4f592f56a845f7d8aa200aca0b910e68f149cde112d0f1e127faa7fae25ca4299eacf9e49e132f3e4083f1c5fb0304b714f06cea122bc1392cbe18289d2411ae08642a9196b654a8b177c127b9215f9df815eceb254b8d9b4f632d25d123ceec686124e58b3606ff1ce51fce0752f42232c03694a1d8a +Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 + RAND = HASH-DRBG + Digest = SHA-256 PredictionResistance = 0 -@@ -16670,6 +16749,7 @@ Nonce.14 = 82dfae196513724ae269204e - PersonalisationString.14 = 6e01d897ae919812b8408f82edffcfed8db6df2e2cbebd95 - Output.14 = 6e9bebf2e54d8da4e8ede97ce463239245ff1b021acf4441312ddba96d1f3d750bf2b9583a8aee76e2ee36a56d8e2fd4e11377d15ba3ad0876fd467c375a744240de0a7b38974e0e7b27c3917ce4e22f2bc78861f6f8b1fb42edbb1b0cb869fe5169527064cf2f38c0154082af5457bd +@@ -39331,6 +39395,7 @@ Output.14 = c731cc7b21c42730bd3cca61fc5250b507ad08b24ac471d526f2217f15dc4d1fea85 -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -17925,6 +18005,7 @@ AdditionalInputA.14 = 9ba9285889d50c27bdeb4a830a5b3120931a53980b30643557444718cb - AdditionalInputB.14 = 0f8716df331067b8ccf0e5b90ff79dd0f962acc69fc5f89c593bbb84e3501ae2 - Output.14 = 9d2c0053a0fd3f9be1fe33db214f6f2d54aca573e0642bd269f1b1ca23c42a1e85c73449830673cca14feab4d2686814edbd90c325e0fbcd5a2d7ca75334dbb113a13a0bb4e838f6724c74dddfca8c2bfb903c362d3ea82acd60d01749f6dc01fcd6708009a58ee9cc57a0d089095efae66aaea68ac247cf6aa8808d1038a109 + Title = HMAC DRBG No Reseed Tests (from NIST test vectors) +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -17975,6 +18056,7 @@ Entropy.14 = fd54cf77ed35022a3fd0dec88e58a207c8c069250066481388f12841d38ad985 - Nonce.14 = 91f9c02a1d205cdbcdf4d93054fde5f5 - Output.14 = f6d5bf594f44a1c7c9954ae498fe993f67f4e67ef4e349509719b7fd597311f2c123889203d90f147a242cfa863c691dc74cfe7027de25860c67d8ecd06bcd22dfec34f6b6c838e5aab34d89624378fb5598b9f30add2e10bdc439dcb1535878cec90a7cf7251675ccfb9ee37932b1a07cd9b523c07eff45a5e14d888be830c5ab06dcd5032278bf9627ff20dbec322e84038bac3b46229425e954283c4e061383ffe9b0558c59b1ece2a167a4ee27dd59afeeb16b38fbdb3c415f34b1c83a75 +@@ -39381,6 +39446,7 @@ Entropy.14 = 5d80883ce24feb3911fdeb8e730f9588 + Nonce.14 = 6a63c01478ecd62b + Output.14 = 9e351b853091add2047e9ea2da07d41fa4ace03db3d4a43217e802352f1c97382ed7afee5cb2cf5848a93ce0a25a28cdc8e96ccdf14875cb9f845790800d542bac81d0be53376385baa5e7cbe2c3b469 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18055,6 +18137,7 @@ AdditionalInputA.14 = 809639f48ebf6756a530e1b6aad2036082b07b13ed3c13e80dc2b6ea56 - AdditionalInputB.14 = 3395902e0004e584123bb6926f89954a5d03cc13c3c3e3b70fd0cbe975c339a7 - Output.14 = 4a5a29bf725c8240ae6558641a6b8f2e584db031ef158124c4d1041fe56988fdaee91ca13925fee6d5e5748b26cc0275d45ef35abb56ad12e65aa6fe1d28a198f5aa7938fca4794c1a35f9a60a37c7360baf860efd20398c72a36b3c4805c67a185e2f099f034b80d04008c54d6a6e7ec727b1cace12e0119c171a02515ab18ea3d0a3463622dd88027b40567be96e5c301469b47d83f5a2056d1dc9341e0de101d6d5f1b78c61cc4a6bfd6f9184ebde7a97ccf53d393f26fd2afcae5ebedb7e +@@ -39461,6 +39527,7 @@ AdditionalInputA.14 = 7206a271499fb2ef9087fb8843b1ed64 + AdditionalInputB.14 = f14b17febd813294b3c4b22b7bae71b0 + Output.14 = 49c35814f44b54bf13f0db52bd8a7651d060ddae0b6dde8edbeb003dbc30a7ffea1ea5b08ebe1d50b52410b972bec51fd174190671eecae201568b73deb0454194ef5c7b57b13320a0ac4dd60c04ae3b +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18120,6 +18203,7 @@ Nonce.14 = afafaf2ad7e6449308e176be01edbc59 - PersonalisationString.14 = ddb4ced192f52bdfa17aa82391f57142ac50e77f428fa191e298c23899611aad - Output.14 = b978826b890ce8a264bf1ad1c486aaf5a80aa407428c0201dd047fa1b26e9ea9ff25a9149215b04c2f32b65e007e0059a8efe11481926925061c748678835c0066f596352123f0b883e0c6ab027da2486244da5e6033953af9e41eec02f15bebdb4e1215d964905e67c9e3945ec8177b8c4869efc70a165719b8e1f153c41744d44d3c56a15822d522e69bd277c0c0435fa93e5e1bc49bc9d02aee058a01a04580a6cad821e9f85cf764fc70dfae494cbfa924eab0eff7842e3541bc29156f6b +@@ -39526,6 +39593,7 @@ Nonce.14 = 296bfe331b6578e6 + PersonalisationString.14 = 4fccbf2d3c73a8e1e92273a33e648eaa + Output.14 = 90dc6e1532022a9fe2161604fc79536b4afd9af06ab8adbb77f7490b355d0db3368d102d723a0d0f70d10475f9e99771fb774f7ad0ba7b5fe22a50bfda89e0215a014dc1f1605939590aa783360eb52e +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18215,6 +18299,7 @@ AdditionalInputA.14 = 9574ca51f21865c2fb0efc75cc9d90ec5e9c43104979cd64d00ea5544e - AdditionalInputB.14 = c0df840a18d7584b62c70b2f057bf824168edb673cb517cd9dac89a0fc80c9b4 - Output.14 = b31e50202f883a8563cf129a0d5f8a33abad79d8ec8a97167ed7fca778e5892480617cdf50b5e51547f7ec1bede35020a311572c61e33e9c82968e8f69586daea3dc19063bea56503f8ca482918d229949acd6f1c52cccdc5f7f4cd43602a72a5375f3aabfd2834ee0494823beada2daeccbed8d46984d1756fe2207ca92186b506115f6de7d840c0b3b658e4d422dbf07210f620c71545f74cdf39ff82de2b0b6b53fbfa0cf58014038184d34fc9617b71ccd22031b27a8fc5c7b338eeaf0fc +@@ -39621,6 +39689,7 @@ AdditionalInputA.14 = 4de6c923346d7adc16bbe89b9a184a79 + AdditionalInputB.14 = 9e9e3412635aec6fcfb9d00da0c49fb3 + Output.14 = 48ac8646b334e7434e5f73d60a8f6741e472baabe525257b78151c20872f331c169abe25faf800991f3d0a45c65e71261be0c8e14a1a8a6df9c6a80834a4f2237e23abd750f845ccbb4a46250ab1bb63 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18265,6 +18350,7 @@ Entropy.14 = 5f28c73baaabbc09e8260df3b3577c21f2f02be057bf49d2e73098ed5ff67f89 - Nonce.14 = 8c2f85b546903d8d4c10fe4549c3f673 - Output.14 = 1563c678f1b072813888970996af33c2a6b70b8dfd2e146c46df0616509382062fc9c72d223ebd555f4d8892aafd7b3b61619559fe3d3e7b5e83c07f422eeac912ca7d8858a2d25b966a8b34348b8ebcf44a4651edb9cf5a886e383b01423322ab3002edc8c936aef869d7638f38ca6688c308d2a17fea0ded21901d8e9f1ff8508762cb1dc7e700970938a0ece74c1c2d1801230ea785165d62a7ab0d6d59caf36b30be8e2e1f691210373b7a2866e32ba4b49b6a2f9cc9b80aa1340ef5c76f +@@ -39671,6 +39740,7 @@ Entropy.14 = f41d60edb7749acb68111045000ccef2 + Nonce.14 = bb5fb8962ca3002f + Output.14 = 262821119be1ee0bceedc1bcfd04f7fa2e199b2a7522c4a3a98c4174e0ac4ddcf7323dee2fcf9fbd2fe26c4fad347f7199be105730441f042865aeef50b89c00aa661361b6a1f20849bc7c70aa294543 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18345,6 +18431,7 @@ AdditionalInputA.14 = b5d9cb4b3709adf297462f1aa8875c9f84bc39e323b8fe1c0df269344e - AdditionalInputB.14 = 5e47728cc468e0d2c6b6a90a20f83a9f0565716af54844552988f1d8c3a83eb7 - Output.14 = 548c3496135ecfa1119098ea2d862d421af024a844c37a02142e2545e4ff1038f4b73c7f6b7d0fba8f92f292cf5ca8fd57dbe7ce129423e0ddeb1dffe89252dd6b50495c88f350bb77e08c8be409064f7e9cb751aeb779eae30b7c471dc41365f128d22474a7e90a9953e948642001f8e6ba8f91d250d8b4c6407892cd96b12e5d94e4d7608e6c11604357436c8d1cc07a21aeb58d396f413a31f72af1ac06864ba68c04e0c25971c1315f5a8c5c04fe252105fc822452d0cf66f86af13d613e +@@ -39751,6 +39821,7 @@ AdditionalInputA.14 = b4894bbb6435ffeb710bf5ae440bd744 + AdditionalInputB.14 = 689fb48c27983ededdd56d5a6b2c0345 + Output.14 = dfe8a9e17b938a1782fc3dba4f234dd9c9e36b67b28e1d901ca6b3628689aa4d2ae6b005ae3ce97e0d1e645da2710162294606ce51638b91e9c46d8f7f4f1a217e44c36b560f78b0541fececcf49b9b9 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18410,6 +18497,7 @@ Nonce.14 = d28f752f6e466e3fd9595fd380fa14b6 - PersonalisationString.14 = 232727310fdaac541b182497e5240dc2623a36b4efa7a912ab3ffaf9939c2336 - Output.14 = 3bc26201261930bf3dc164d25287e41efb47c07c8c5c0adf3e86613435df202116331cfccd4e07c9ef008c62d4199d937221a17dc97be2043270ecc605d3d48c609cbce3aecba3557dddb304f440250b2c9fd78838483e2d5a2b22015b97869b891f9e42afe21df5fbb8dfc9061468c70c63a14b6dcad9ccdeced41d021dc0ff47821415e8793d34377258d9d6629b9e396b9d6b8bb7fc22e03ecfd4890d16912001cb7ed002e33a595052ddf7b991c5607ab93c220b2122783d51a8372a223d +@@ -39816,6 +39887,7 @@ Nonce.14 = 3c9434b7d7e18472 + PersonalisationString.14 = 55bfc33da17f712877829b7f8a134e55 + Output.14 = 705950e4790ada95b99ace57e31115610ebc65d755fe587eae8fb1aeae463bea8b50a278f45e61d3433272ec31b0d48afcf219f5f4a0adb20537be9c7cb65911df28976aed4b4278cc524639a1ca5f40 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18505,6 +18593,7 @@ AdditionalInputA.14 = 50ceb01860d60ed119f101d5c573b5db00402dbb03885a09e8d326156f - AdditionalInputB.14 = 01e09092bc892916c29f7b515823f244d147d4b16976cebd6a76a37ef6e62998 - Output.14 = 6f1379c44d8131924c9a78286e80ebb34604ad78b531e795cc30c4f0aee422e4052f201ba226bc0c2aa3ec341fcbb5a87e24b91c36be7dda62addba6960df1289372e9677ce030555a9bd1691f559b8ff787dafa35cff5dfd66a2abd83f81552a82ba6ca7d21c438483e60fd77f93bc109f5be802035412c2af2873f5cb186b77dc055c0e0b27b16b1ef37de0b81fe63c4074a7cc8c3d27f71a992b5468351ef8b84a7b3e8f12458ff670d1381d879feeb1cd3b93436580c86bc2c33f27448d4 +@@ -39911,6 +39983,7 @@ AdditionalInputA.14 = 7ee4f3670c4671f128cbd743c408bdd1 + AdditionalInputB.14 = 38f8003e8fb8c119534a2c3400a87f8d + Output.14 = fedbb1636b83c5cc5379c9aa4d1319df6d30770e469c2f7bd65b4b74d9bc880d520e11b2c3642a7c4cb6d6138d1d92f716317dd762c0a841e56e7e0226971a7f470e918d44b4f374f9e7e3b5209516d3 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18555,6 +18644,7 @@ Entropy.14 = 57050c5fe58b2a2a0eba0d3b9c08a9b285e1180d2a297e0a9ad20740c6fa9f00 - Nonce.14 = fc309209936c569a1367d45b212a9a50 - Output.14 = 288668476b39814edbce5ed91951cec398ba2dc3bad76048df5fb1a2a680519c217ec4d57adc0251e1f8892a866b142e0953353bc2dd207aa2703f81814d26a60daedfe94d97de6043ed5f3bd957b7516681827f7a36d1b2a87b692c67aba050bc38b5e84f65f07d70cc34549f01aa390c5fc8dd01304fee7378e62549738e3f710ee6a4e32db3f472e1c2ef1e803e57a8ea992f389f0823c922bcea8b00ab844e071579170baae90839ffd5e00844ec343b02db090847cd323f8a68f0dce64e +@@ -39961,6 +40034,7 @@ Entropy.14 = 5b6aaaf5c4e5acdacd2c0c14648eeb3f + Nonce.14 = 353cc1174da7f766 + Output.14 = f7664dd99fb870dad1a45a4ddb870c9936fb42b3a063336e447f15703c5a95dd79eacd9f41cd0c1b4f2e1a45229aca140f463c1beab47aa0525e5bd6e1accf360bc8525430ba05fd14d1f008009fd586 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18635,6 +18725,7 @@ AdditionalInputA.14 = a633f5f05ed8b09b70683a9f9a8e998ebf843b68a039dc3aa40cf30a5f - AdditionalInputB.14 = 9a57c6be8c1d992bcbd599952bd94a755d7ad686698991d189afd11cb88b9f53 - Output.14 = ae0fd8a1bf6f2f53f9e81ecf6f40ff6a36fef58a3f157b6a435403e48da4e88cab7871bfe2233b92afd228bfe3117d7cff0798225a901663d51f0491109b9c631dd6d32c5bec2da321b8e64ebaced87a27f17f67082df944fa94acc6c557fa6816001642e38b7d776c631212b782f71aed6db760f90e0de8e81baaf4d419170362932e6c319dab948749b331aae41b4cb3267da37c9233c36d65d5482c8940387498453b226af485a37ea16bd9e4f938618f70aec97e8c1430a8d8b6aae396e9 +@@ -40041,6 +40115,7 @@ AdditionalInputA.14 = 4eb5c1192fa86b355237b5a8bd43ebf9 + AdditionalInputB.14 = 7323d1a6f983b7d16df6b0aa9d14adb4 + Output.14 = cd41a0d7371b2eeb790fa8335660385c418ba84507ba94d1d1015b3353cdcad556993c19388461fd2cce38cc9fbc00e707b18dea9d712ac0616b443b23aee8131c295a1a741ffde36b2032bdb8ae2f6f +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18700,6 +18791,7 @@ Nonce.14 = e1609138b91637917ec170fa3c3fb278 - PersonalisationString.14 = 230db2e57b87e910cbab26fbac7fa93a65c07c1ec004c74637e346c2db63288f - Output.14 = fa58f2e96776b4aa079dbfb49d81d8abfcc30d459caeb45dec4f1766fdc3b234d52cdc5337ea770e71a28cc42c82cbefce896d1fecea5a5290300208aa79b5ff97d2091498d749b66a9e5b2da7b774567ae9f83b87a8417b1bd089935e575b16618ffe8ec04b91fc9315968dc395fa2bb8776133d3ede95aa89ae675881b26ca831fa5fe6cba800d2fed1d509353e8cba6f007cf3c5e0b9424cc034e1c817d5f7326764f5ed1d17ddf8900977a0172dfab50bf4819a67e4c1af4704f59eda3bc +@@ -40106,6 +40181,7 @@ Nonce.14 = 9bee7502db25ae7f + PersonalisationString.14 = d0e8fa47aed6b67ca4e8e521f733921c + Output.14 = 3c649d295fd9b98082706f3f841f5275834143698c202da4c881c7d0a3c9995329a54d440fc4d21ab596e95e5b6651c6e7138b332c97ef771bc6e3b0b3fa09090ffb402ed1116d8395e5f1cfea3eae6b +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18795,6 +18887,7 @@ AdditionalInputA.14 = 32f618446311f03a0038dae07e85e19006a55b69501d764c241f683be5 - AdditionalInputB.14 = d64a97650e2f25362fd711c7abb5635672e16a02a1dd5ed8a181762e86f4f5be - Output.14 = 54ee53e6d18e974913ec235a37a706868f217af33b25e8e5369d90071be1d01035ca331b8514f3d6186a9ec62b1e7808b7fa22859eea21e4b8113ef770772561eff7f8b6ac22125d002f6ba9f53b235f7d85dd5b601787201ee1423de5d971b2e758b3955a048b50f118c01122a8e657f69a63843bea00a46c4fc2ebbae36adaebfe3e6c9b1c82e498d3fe48d332ac1bf31ab4c80830086c8ee4b1ea190f8e269f74cd760f5a29d244064d09c1bc30832482d5205e35604a388250a7a196ec74 +@@ -40201,6 +40277,7 @@ AdditionalInputA.14 = d56ade0d74ea34577eb12a899d18d382 + AdditionalInputB.14 = ea83bdba8490ffd136def5f7d9240c59 + Output.14 = cd3d8174d8af97387ff02707d2757ce685ffb5d8dd91d95b8af4a3a757f9321b0e908096cd1321de0599640b7d81f43606b12e029ae158ed568ce1db429be75285c655e15f88da859f09b4cd843a0b61 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18845,6 +18938,7 @@ Entropy.14 = 9168436a8600415b83062125de0ce6a998090216dea7374af08e6d3becba054b - Nonce.14 = 94206c91dcdf9c7c3f3571c703013419 - Output.14 = ef12bd2b6dea20cd197ea9eabd98eec1a2943619cd2a96dd16a6c5485435e00c59570ff14d7d9fc09c99ade0e5ec12a84c0a8ccd5677fa9b92295eb2a620e8a0400bc9ad8a1ac1aa4969d8d04b77ad59b81d95cad75358698107dc8a2ff42adbd679ab29cc29cd6ea756f4c4e60c271c3134c48b5d5aedecf011e73c2663ad1cafe57120cc70137370760c350f4e9c0b8e9b01c9acaaeb56094434f4f87c67a5b5f674783204ab0d0598c06f0802a05ec97073c005f3c9f772fe0bb449c1cad0 +@@ -40251,6 +40328,7 @@ Entropy.14 = 1c3fc8de26ddc78651c9c2e4ba874ee0 + Nonce.14 = ca6a2d3cc5495dd0 + Output.14 = d00ff8d3b8ca273cf7c3650e36c892018c0f765da45ab5b902c5accb30ffe01a99d3b86752195dc9aa1232fc852790ef51860fd114bdc78ae02acb5ab2021ec726829591d623b0b66329e641c1f915ce +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18925,6 +19019,7 @@ AdditionalInputA.14 = eb9e19bb6eb7b714dc4d56243897916364dae7bb3861a4697d7d3f2b14 - AdditionalInputB.14 = 156d12c7a1d0af2cb9f2d0610cedd9ed3b982e77bf4a9dc1ef0f71284b751ca4 - Output.14 = d3b0b0ac5150afdb3d9de12d2c8a7d45109436ed9c316aef1d1fc5bfba1cd37cd750841146dd08320539eb1678962e990f7b7662b44b918447e173672b873b8ab0348306cf6ae2bcc6756036870745436571763efde334dec5be7bb9920629a36cc5db66e8824695cabecb8bf092858e095a2a520eff140f483ec528131c850a8eaa48d8c997fbc810401ca378666d84020fd34af77fbe1152523e979560708fb15f3b7981e333ad4ee8c2fb6021a562f339616823cac5998cd919f82d43f41f +@@ -40331,6 +40409,7 @@ AdditionalInputA.14 = b180d77e0ef217268d2d4dc9d4a9532f + AdditionalInputB.14 = b192957f3e98f7595768d00834eee1d9 + Output.14 = 7d4791ccae7980ad19e5d8eb8932ea8ea1756710349ab8b771558cfe471a278dcc263b737486179a4ffad12d5311d23912c3a46f07152808d288be2dfd2b315fc4f6df6418029be52daed643dd3c6110 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -18990,6 +19085,7 @@ Nonce.14 = 733bf048e5b112426979a9879b6a0c10 - PersonalisationString.14 = 58d91008875f51d541c6fbd626a49a798dc51d9cf2e8588808e74953392800e7 - Output.14 = 1794335e21606d706dc89ace28c60a15c0c9f108f5ac882b103eb62e225de749285e5fb0be98a5bdc26e3c998ae418306380941d78acb7c81b91ef41cecab328332ac7404ace0ea858e7835534f778cab3e3e4eff043742e4f7d4d5725bcdca0b6be7ddbf79e57fcd1d5a4279f074a599abac2cd281ec6784e29d9399f5ffa8def3252acacc59844c0c24c20d029a89b4407e0b5cbe9a8d51241dd36bb82c400ec4571dd1baf831d58fed3dde4ac7f961be6ebc18af6bfa922a32b81ea11334a +@@ -40396,6 +40475,7 @@ Nonce.14 = 84f7310a7ab653e6 + PersonalisationString.14 = 0fb2233c2cea27d17b6dd93bc4621285 + Output.14 = a2f373a523ac9f2524b059d0c23bcaa905e15948c7ebf71b6e82150aef562dae4003c1a8a3748cfd553d9a51a8f9450b9d569d96d897fed50eee23978e49b364c64db63fac9dc0fe9e8b58836aa04a74 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-384 + Digest = SHA-1 PredictionResistance = 0 -@@ -20245,6 +20341,7 @@ AdditionalInputA.14 = 06df99a38f4222b9e7e1e3f4a6f488c1dfeafe847129d54c93bccb1649 - AdditionalInputB.14 = 3977a9671024bf0150752ba10c9f6432773bb71aaaa9d23d1ab72b90b7f0e088 - Output.14 = cd4fa86fb559475f4cf4a60f111d3d0f71646d3d25111889332f2451eda96390c607a0178e1e79e8124c7626ecaa9822495e5341dc6f24818f97951bb29434c7c48d05838fcf3b43b8314827d3acc8fbe2c4ae2ab066626c25c32a760002cb1d980169f7691bee5e329ff1ff4938d3bdaae583f3561499563198a5eb69e73f6b963a5d072d23e07b0ce48cd04b31f9ea349c2cae355ba478e26a5fa33d8f03af84235fb1743d30910f5557194e3609494019bd705f8cdbf3d1b4dafaa09c9d8037d2e0ba0f96948d4302e981162c34c12c2fabe1a42da517b7e5a1f796980371420cb305d0a316bee56767ce1aca9260231839b92fa26fd75846d9304427da27 +@@ -41667,6 +41747,7 @@ AdditionalInputA.14 = a58757b98280d90e84d6cf4e2fa89c01a9e6aad22d6cff0d + AdditionalInputB.14 = a3f5de1ec6d0ccd39fa153899f0c1a414106a2aa182acf31 + Output.14 = b1797707f1217d81c8463b44957df350dd139073b056c50d1c912fa111f9cb488bfb7d2ec6faebd078171cd6b71171ae33698ff96c7225d7fd36ddcfeb2630464974d12b3e03877bc73ce1a2f89aea7ff7ddc8ac85708b35dd94d3972875e2d3e7237ec33871e99301202b52e2ff89db +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20295,6 +20392,7 @@ Entropy.14 = 0cac1d970c06da6f224d49e5affec0fe338d0b375b66687b - Nonce.14 = 1fb1df257951ce8fc0cf12a5 - Output.14 = 7d6e2be5aa574b0edff39ea938e94143ed92b287262891dd2a6c9193b0237e8fbe10056e15785bd818e548452792a31c728acc14ce2bce9295d3776885018a57c8580a8e7df9a34ea960e0b39af4510711320528fa7a0badc6e25a0eead8cb091c404f626343c63d40044055ee9f9e35 +@@ -41717,6 +41798,7 @@ Entropy.14 = 451ed024bc4b95f1025b14ec3616f5e42e80824541dc795a2f07500f92adc665 + Nonce.14 = 2f28e6ee8de5879db1eccd58c994e5f0 + Output.14 = 3fb637085ab75f4e95655faae95885166a5fbb423bb03dbf0543be063bcd48799c4f05d4e522634d9275fe02e1edd920e26d9accd43709cb0d8f6e50aa54a5f3bdd618be23cf73ef736ed0ef7524b0d14d5bef8c8aec1cf1ed3e1c38a808b35e61a44078127c7cb3a8fd7addfa50fcf3ff3bc6d6bc355d5436fe9b71eb44f7fd +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20375,6 +20473,7 @@ AdditionalInputA.14 = 38ead8a466e462f5c0617822c23294cdba07a80fd51dc241 - AdditionalInputB.14 = cacc9efb209c71b123498182d25081aab8f0159bed1fc0c6 - Output.14 = c200766d5caf72e64a77a7fcae1ae3d14681e33767ba2ba7faca26209fdcb59c7202c381b18adba07ef0ceef443d9e1c5888366bfd953d614bb184370b45ea2b44a251e381fd2bdb80bf4bb8dfe011e1b143032bae9ce82c2869537e70d36622bf23476163a2dace9ba863a5f0e3d303 +@@ -41797,6 +41879,7 @@ AdditionalInputA.14 = 4f53db89b9ba7fc00767bc751fb8f3c103fe0f76acd6d5c7891ab15b2b + AdditionalInputB.14 = 582c2a7d34679088cca6bd28723c99aac07db46c332dc0153d1673256903b446 + Output.14 = 6311f4c0c4cd1f86bd48349abb9eb930d4f63df5e5f7217d1d1b91a71d8a6938b0ad2b3e897bd7e3d8703db125fab30e03464fad41e5ddf5bf9aeeb5161b244468cfb26a9d956931a5412c97d64188b0da1bd907819c686f39af82e91cfeef0cbffb5d1e229e383bed26d06412988640706815a6e820796876f416653e464961 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20440,6 +20539,7 @@ Nonce.14 = 7e2f3e4427d00de41ae92bf6 - PersonalisationString.14 = 2e8bc8edcdb3dfdd451542fbc68481b30964fdf8a6ca77cb - Output.14 = df949beb9b33d2c1522cf6fdb3206cb10b58411ba9e28a4096cda7662b69d23e0da2be9557b9a3b5a8d67db4d616ae9fda3a7e0a8516196568f7a81474c0264993b141f14066fbfc29da724e447f6e503385944e902510f0b3971f7bffc6a6a202ff88d8113bb222b104055f427fe770 +@@ -41862,6 +41945,7 @@ Nonce.14 = a59394e0af764e2f21cf751f623ffa6c + PersonalisationString.14 = eb8164b3bf6c1750a8de8528af16cffdf400856d82260acd5958894a98afeed5 + Output.14 = fc5701b508f0264f4fdb88414768e1afb0a5b445400dcfdeddd0eba67b4fea8c056d79a69fd050759fb3d626b29adb8438326fd583f1ba0475ce7707bd294ab01743d077605866425b1cbd0f6c7bba972b30fbe9fce0a719b044fcc1394354895a9f8304a2b5101909808ddfdf66df6237142b6566588e4e1e8949b90c27fc1f +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20535,6 +20635,7 @@ AdditionalInputA.14 = 23a781948449d82ee235d0495ca48d61aeb399d7e2ea68b8 - AdditionalInputB.14 = b52421e5b0e5281920da6975ee18d74ceebdd5d5de05c018 - Output.14 = c878a886e24e20a8b7e22e41ebb33a2b6e9a0168f4c72bebb78f0955c8449592e91c6a2f1ba5554c9459bf2702e67470c1df0b5125d651facc0a9339a2b7c921a51bc7203020f085c9231b3acd850ebfef0d0e13dc8bcfecf1f9853930ecd9b262cecaff0e2bed9e3b5b53343b733766 +@@ -41957,6 +42041,7 @@ AdditionalInputA.14 = 288e948a551284eb3cb23e26299955c2fb8f063c132a92683c1615ecae + AdditionalInputB.14 = d975b22f79e34acf5db25a2a167ef60a10682dd9964e15533d75f7fa9efc5dcb + Output.14 = ee8d707eea9bc7080d58768c8c64a991606bb808600cafab834db8bc884f866941b4a7eb8d0334d876c0f1151bccc7ce8970593dad0c1809075ce6dbca54c4d4667227331eeac97f83ccb76901762f153c5e8562a8ccf12c8a1f2f480ec6f1975ac097a49770219107d4edea54fb5ee23a8403874929d073d7ef0526a647011a +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20585,6 +20686,7 @@ Entropy.14 = 04c61e5cbd79804118267ee1c76db36b71b042bf60a1c891 - Nonce.14 = b833be09092d4755ee6118f6 - Output.14 = 0c4663313750b12daaeee80cb28f097cbe6f50df2022f9ff02a51fb373da42411c5856a136e9645e99e69aee273726d146e3ef4e546273eeca52b43c068887148b7197143f5b9a4c55d4b0544907ee9ad2f181d1b37742d1479d39e78e47505603550d2b28bc1d151a50bbac140988ec +@@ -42007,6 +42092,7 @@ Entropy.14 = 17da1efd3e5250dfde3ef1683bd9cf4d4432a2f223399664f7645763bebd5ebd + Nonce.14 = 0b160c67b97d5302972b5c517bed5a7c + Output.14 = 859bab959dd16f2cddb05376b3d3e46cd13c191c18203bf3c0bbd5803cc559aacce48d88564166fd5f43c22d08cda1acd8004f36915739796a39ca96f8e7def14b58a8ee55ff72de7e2e2727389e027657447e32e47d4ea2f0fda48e86046d111cc334bebf4ee1019199c94fdb26169661cec0b0c47176cb5fb7aed8ad35afb1 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20665,6 +20767,7 @@ AdditionalInputA.14 = fa3bc697a6bd8ce341735365ad6e214d1e53e8d6d0a2c206 - AdditionalInputB.14 = bea0650424d1f26e75a49ae2dc529f1fdc552e3a0aa50948 - Output.14 = 4a718257296a3a99f199a5a24decf8f3e6209a4a7fb0b24913393c8309826ffcd6c47208ea6879921424ca55e63a7e5bc63a030cc48be7648da78fc9f314dacb2b8568635e5b14a94bb06a709a2f023a86a871dfd708204c911d94ef3690b3634e58de03fb20091d628bec834a760dd4 +@@ -42087,6 +42173,7 @@ AdditionalInputA.14 = 50687524beffed38fe27963340483886645153311dbd4d10d86e7d6b26 + AdditionalInputB.14 = 1e3ebe4a54c3092d540ad2898ec3be1af84a1d515c013632402ffdeede7caa8b + Output.14 = 007139a46072d9dbb6589b8ecf5f287d3aebb13b480ffcd6e95f0b2f916cd99e75f30a21971298257a80c17e9e41f8e0874dc9da8f6c18007a6e4cd5971df083ae62bb7b9f1bd4926f17e5574535f6009c0068b4ea3a50e2ba6c6aa6c7729fbe8ba58b4b795740ff6ae2f3d6fbe3e06828080cd1dcfb11771ec98ad9e0bac0b7 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20730,6 +20833,7 @@ Nonce.14 = 4b729a67449bb5675a1f9d1f - PersonalisationString.14 = 9160b7c96fd367dd7d378e82be11ad1827c7661d76bc1fb4 - Output.14 = 1d7ab4500d99a18b8be2ffb8177c869059e25f1ffbddb36694fa8561da1d71f86a38accb1926339f6dff71ea8ed104c3518e62b00e520c51a096c1c62469e56b139e6384e982588e748a8074dccc51d558d944868e2b8e1dbd68bd83c663447590430ebe15c64aba4669d1a4a784d8c5 +@@ -42152,6 +42239,7 @@ Nonce.14 = 2b653a89e549e3b1ee7817f5864fa684 + PersonalisationString.14 = 814146b3b340e042557b0e8482fcc496a14c02d89195782679172e99654991ed + Output.14 = 3ea100cf50c25d7b2ef286b5fa0720f344de2d568979e7349befa23589083e835205cdf6a4670722fff04260e54618c9c00af75cc26eee665b64e7e628ec4c56a8086dcd583681170f60d565bd97d0f416e4c231e281081b0fcd16c8db63ea9029abbfcb068bf57a36364aa9e27603f447adf337baa35f049a129abdc899f808 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20825,6 +20929,7 @@ AdditionalInputA.14 = c375af43c11115e995f47212f81cf3cdca5801d184d82235 - AdditionalInputB.14 = d2eea45f69c6d82dc3a7bb3be69d595c86c5ea5b4aee6001 - Output.14 = 907452bdf42eb168195313eefd090a2fe1be8b668b8ec7153a4ed4c07e6979244282e976decef02ffd4fd92b0d7b90bfc453cfd81a823dc162dde29dfa926f20e395d7432e0aea61c72e05c1673180bee3b47fa171cfba98864fc2bf83878e37c7dc019d465788aa1500ab3db8997d3c +@@ -42247,6 +42335,7 @@ AdditionalInputA.14 = 95f6df9905b652de6d08399f61956acf943fe412bc71de60d6b69881f8 + AdditionalInputB.14 = 87b818568ed80f7c2e8f5b5d7be403f8badf9fa0e716aaf1d6409957b242aa07 + Output.14 = 45b5182f313a26008bb4ab82f68a12e7c783c243ba1ac6d8bfaed44ddddb607f964ace9c3505d59ef5a3691143a4845491661a1dff8ac4de2e56b54e263ac3aef86966fd656b5a65d4f3b89731d50fa919663bd5691678ee5f8f499e84b1822bd0b91409b62cf98c176df7e812513f3252d25d15fe13ef9f253af477d16bcfcd +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20875,6 +20980,7 @@ Entropy.14 = b37ca70fd13538ef74c5a3c7ef00a78705919446954ec43f - Nonce.14 = 3ecbdff8cf33b50788dba82f - Output.14 = 1bcbccc535fbdc8617575d46ea5a9cef2622995dee19aa4b998325dd8d0935957170f6b18219354cd2759ba53c9c1f380586070db0c89979a581ce1e00ce38855e123dc3a2dc9ce74bc3b6e27c9603fb87c09a1d90bb540d267d456f5457daf0920a13119a2b805f9b97b154f80f4bbf +@@ -42297,6 +42386,7 @@ Entropy.14 = 32695b2c55839eb3a048fabedcae1f23bf0c7206280ba4ba0d08b9bd9f119908 + Nonce.14 = 01f2a4cf8a9311abe5ecf58d6661dc5a + Output.14 = 4a4f44f418d585e03f508f2ff05345abffeafd75f610a957be7f3ccaae31ba28e69bf8ae441a405fdbc0ee761e39c76b69062f5a3866fc296be1ad306e6584ab2d250d717605c70a17c46a298f714e4e820c85a1fb84f4d61b9857a40c2902193ad703c78635a2791abe6abca6124229ed75827135c27f1a04d244e1d73ff059 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -20955,6 +21061,7 @@ AdditionalInputA.14 = 9fcab4a8d0d1036a6210d56a894f861fbfacd4b20c081f38 - AdditionalInputB.14 = e279bf650f812b8931662e59a0da7ab799c193da1f6eef1d - Output.14 = b3ec81a3cc8dfa4e1ea17d33566a4444bae9969244e7a8970eab02afc8797b5fc85b6614ab009625b81fbe078bfa4db78ced2d8b3f1e3342b477a3fb42cec7d44546585621bb8310075808aaddef32ede3e668e626711fdfaf2569721bf645edeaf74a9826aadf0a9cea9893aab4fe3c +@@ -42377,6 +42467,7 @@ AdditionalInputA.14 = 2e51dbbfda8c92f2c838bd85ca5dfd7f35504fae1ad438431b61c2f062 + AdditionalInputB.14 = 00f507a359585778988b6bb6b91f23d4ab29d2adbe632e4cd4646c8cd5f1b76a + Output.14 = b7adbbf07414551464711ad9a718315b0587db2782d34179b70b4c0e323a91ad9de40933023e3a6be71cd50dc58953ad1bf66354bc45dcd9ea23682d487b43903a8f426182536e170af8b04460c586d8ca56e4c307ab7116d8130634dc9a58e1c3077bbddd6bd58c8a0fb9b18c4b839aacf5fcd711c611db120e6a605745e86a +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -21020,6 +21127,7 @@ Nonce.14 = 98ec3ae036755323042c08da - PersonalisationString.14 = e6f24d96c8d11cc68e72f56ee7e345c5a0083509821fdf17 - Output.14 = f5a9d375a58d1b337d245d29b7a9e352cbb0fc950276e042d075a71f4bc43b65b063bff299c670adfc46db39c4303adbbfebcea1df964c27d33cbfe4d46567475abff4f357252ff7d05ed4ac34e6ed14c33c192909426654d604736f3bb0ba01aa5e0454d60dfe8aa5b2df3a52df22d4 +@@ -42442,6 +42533,7 @@ Nonce.14 = 3f9e88b93a6e69d070328c2c570c3be9 + PersonalisationString.14 = bbe702bbd2265e73aa073f47ce55fb65902abbe51635b414df688c60868546e1 + Output.14 = 0280555ba6b2379dce7cd56615d7d86feadb8ad995e2852a0607e663a34b1e0342c7bc649adcb204e271eeb87521591fad74b3bd841971cb100ae5f21599b732d8c5f9d578c1113da7034b580013720e62b1d013e28205d5024f8b1eb3219e6cf821792713354cf1349d32a64f32ecdbd7578c55e401fbea57f21ea3ebef0f9f +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -21115,6 +21223,7 @@ AdditionalInputA.14 = ec35738bedab1835d07ec7a6d9a5e6e0bf8a3283541b3216 - AdditionalInputB.14 = 689957f9c2c58f1ff34899bd0c295bbfacdd149ab378428a - Output.14 = 6eebecbac4dd64b170cf6aa84788f643755ad5c6c731b63bbba3b2bdc2694f1fd42fb077b4309a0cb09b5ed1107fee2379272351ca9221069530762e4c8ac4c142c30167a32ac2b82b728d57bef95d620cd1b7a2ab5c1a6fac2cc90e0f6cd003ef526485c8bf0dbc9baa7c1f0d6f763c +@@ -42537,6 +42629,7 @@ AdditionalInputA.14 = 38684dfa6edbd61e464e49f7d01932802a5a5d824db6b1df6087e84a8e + AdditionalInputB.14 = 4949b08a12656c497cc6760791982c0d4e674b0f8a14be730a91689ee77e981a + Output.14 = fda39bf8dc1aa785422281dec946bad99d5ead17cac55d47bdb9bd0a80a72f3c611f92bcf29e3e45475426a7a9f139b755f332cf75035b047697f4131c9bbc9ee825ede9a743b14f02dea122194405864aa2b538ed5cdf40ecf81e02bed1556ce0e7974548f050b084b8f3626c0fb2c7272d42cdcb039af4c7d957e285b53b5b +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -21165,6 +21274,7 @@ Entropy.14 = 2fe6d7ec78f76820cd88c41a5a958c399c7ad1619406caca - Nonce.14 = 1ed975755cad5e4c475c5945 - Output.14 = e34b31db083e58516cd60ead2e5b0d39e4a2bb47c2436531c0e700e484c27d3d233d10d1ea6c58148149751f24155fcd258f384d61000da88106a0205d693e4ddfbb5c35f101ff15e531e9ac4a988c16302a962146a3aba9af5c505697cf9aeb7bdb8c49c281458acc33ad4010122aa5 +@@ -42587,6 +42680,7 @@ Entropy.14 = 1006646f977b83f4d90870f24b3b72d0b4947037f7671a64ce3b52829506a519 + Nonce.14 = 5698d50f59c42b26339d218fc985a41d + Output.14 = 44ab1d22fd3a84f8847c33d0fb0aea66408d5181b8ea95416beddd9784d86d72d2851857b503253016036246cea11f2ad2bd18fe56508697a50b14e7c85bd9b002deadbce5ff9f72508b6ebce741dd7803a2d8633dbec235cccd37c089c9d747a52000ed4cc1dc8545ddb65e784a698bdc74a6ff4fd7b3dbed31a22f83b4fd8f +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -21245,6 +21355,7 @@ AdditionalInputA.14 = 17c87a351e940e261e8806e2548da44a751c550ff5f0257a - AdditionalInputB.14 = 7e3bb28f266786ae38c24876087fe35c7e43222382270380 - Output.14 = c943c9ff0cde86a62756465e6bf4fc9dc25447157537831c975782dad82f3e33e6e7790b41c158713b8978a6967bfadda9e15ef43922b3f93c8ccd0cfa834fbc6776f3c1b6369b4f25b1cd1189f8b8efc31be2dc151d3608eb2189a4f39c0f0a3deba00ffc97299c11c46885b424a7b2 +@@ -42667,6 +42761,7 @@ AdditionalInputA.14 = 8d72118578abbd90ddbe6115ab10b499afa26c2360eaf6fa118ba590ac + AdditionalInputB.14 = 6ca4d45fcbd0c7e964557b2bd7622a528b4722335b47383f7bca004b7cd5cf04 + Output.14 = 360d9ff3111c6b713fc641b571b582770991885f2fea806a485006a1b4f41ece4ce83dcabfd403edde77780c044c96e85ce5d1f1a368ad881a64be8c41e87f0a682ab67170ae05a24b08b4a9178d13ac9928ecb3b5e23e745d93aaa5f111c335c77cb9a5c3da8163cb428fef60da737b884105ae57616637b0e40bad9594bd51 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -21310,6 +21421,7 @@ Nonce.14 = 4fb71fac56d2aa35d7fa44d1 - PersonalisationString.14 = ad66fd02b6f6e30ce521ae0d783236c75cd3699696475ac7 - Output.14 = 4b2df98ad411407c1dff07b5c08e97ab501fc20ad191794dab73e9b4dce62470b3c70d75f07848f436f16a8c63ac31a75525bd928b5c76218099ec940e3ad193eecdbad834557e92602d7daa6e3eedcbccbc4d0829c8e1c7e59adb95ce928bb138870566eb27e4725191a9ebed50304c +@@ -42732,6 +42827,7 @@ Nonce.14 = 50f723edc4f658862758e149e7ae4f20 + PersonalisationString.14 = 39d43e627ab7c7a6d12fce4cd8c001678bfadd9d07d4086674e5d8bdef4ac62e + Output.14 = 02e68bf3f78812aa270619b307dc0e57b05b8310084ecd1914a67d93b77127e0b3ec40e359adc451eac8788ac708fde70575fc1b9bbfd291bf5b8d7bda7bcc23a0271ba0bb0e6d617132399bd6cedf5a9a683ea98b3b0dd3bc6d811e4f66c9ec751012992cf54e3ce474e09b31ba9c01ea231d4fa8f09441e204c4d3285c78d0 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-256 PredictionResistance = 0 -@@ -21405,6 +21517,7 @@ AdditionalInputA.14 = 30a66bba0f4d6c249e271de8927b6ba1e99fefbf3386934f - AdditionalInputB.14 = 1ebe06fd88f8f914ea8f590483994fbf227613e7f49ff18a - Output.14 = 38b4e2bf6aaf771df03b3bc37a959955dec83f07af4bcd995957a31991c5ee18b5bcb7754f3bf6293665dff2b4769d081d9be6393803e2c62a73ed8ce4adb17b36c1e0deb8ff6106308be9019cd179a92feeb184d93a9348d3b14a70bf13fd74d12cc427496803b7fc041f87c630756c +@@ -44003,6 +44099,7 @@ AdditionalInputA.14 = 73cd5580972f69bb4b0d0cd8915a5b594c3a9fa40b82d6b37446dff4c0 + AdditionalInputB.14 = 304c2001d8bfb9f1b23f3b336db9f5da17752cbaba782d8932d2641aab4c34b8 + Output.14 = 5771705c788e15fd5f656d4b5555d532ee4c48453be651a69c30fa706abe7719d9842028c667fab59aab97fe64a6140baa5d42dbfb7ecd58f2ce557a7b8b2c01669232e0b8bb0ddc6ef8dbe627ec5b370ec74553640982a14bd38ad9824b9651b717f8e90f539c42d04f7cff648c38b26abf38dd2a777348a4c2872f6551ef0f9e148bec810025779e7cbe1055cb0250a764fca5a1feba53bba64b7ea0c4dd3d56a7e6b4f8a157264e6666d356fe5a7a29fde7f4391662c4e69f471c21c6beeb +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21455,6 +21568,7 @@ Entropy.14 = 7f422e735bdf349e4f51787571ffe061ec7e9181fa0b6a342e36611da25c1a15 - Nonce.14 = b09d8dc6997bcb567cfd788d0e06483c - Output.14 = b83bb6e99b0a5237242711e27779d05d2157402856f9653542f1ce52b1a7463e13d5c92309a06d8a78773ad70504b64ff070c2e6afa4ec3662f2729cb7552235b79c18e08354e334474f238ee74feb7e892d5701543f418cd7f2f5533437d9901dcc54687816f16eb7341b1707c6310a2085dbf387044a78fed850b42fe9d8b4 +@@ -44053,6 +44150,7 @@ Entropy.14 = 2c13e44674e89aa105fc11b05e8526769a53ab0b4688f3d0d9cf23af4c8469bb + Nonce.14 = 700ac6a616c1d1bb7bd8ff7e96a4d250 + Output.14 = f778161306fc5f1d9e649b2a26983f31266a84bc79dd1b0016c8de53706f9812c4cebdbde78a3592bc7752303154acd7f4d27c2d5751fc7b1fee62677a71fc90e259dfb4b6a9c372515fac6efe01958d199888c360504ffa4c7cf4517918c430f5640fedc738e0cc1fcec33945a34a62ca61a71a9067298d34ac4a93751ddcd9a0f142748a1f0a81a948c6c6a16179e70b6f13633fd03b838da20f81450b4fdc1752e98e71296f1941ca58e71b73ea93e99a98f58d0892fa16de6a16c602036ac857dd75f9ac2c9185932103db5430e80cde9131e814a0bf3f3e7a2200a7152424472fd27f791a854f29aecc448f8d3fca3f93290266df3193d9e13e08907ab2 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21535,6 +21649,7 @@ AdditionalInputA.14 = 5722b092a5a0195f14b5f236885538cc7a514e997876c06f634926c695 - AdditionalInputB.14 = 6e4f341a0524dd1085aad0b6c956057893f737704ca2fd8eaae6231e9691688f - Output.14 = a757af53227bd8555853ee2e643256074be9904d2fabb0ca86a645b0ed1905731cfbfdb7eefc83938fb576d7e5da8135300f8e934dca521637ed10e5e791e18e82c48085f511476452237ceb930e0307e228886d36aeb83d8e25ba23b38dce6dbc335de90b63db4021d6ebba5dfb6d8044a2bb7bb20aca679cde16406c8c4746 +@@ -44133,6 +44231,7 @@ AdditionalInputA.14 = 6cfccdd8253cc5b284701ef8d16f8888f79100373a7df50f43a122591b + AdditionalInputB.14 = 5795ae5be47a7f793423820352505e3890bac3805c102020e48226deab70140a + Output.14 = 4a398c114f2e0ac330893d103b585cadcf9cd3b2ac7e46cde15b2f32cc4b9a7c7172b1a73f86d6d12d02973e561fa7f615e30195f7715022df75157f41dc7f9a50029350e308e3345c9ab2029bdc0f1b72c195db098c26c1ab1864224504c72f48a64d722e41b00707c7f2f6cdfe8634d06abe838c85b419c02bf419b88cde35324b1bfdaddff8b7e95f6af0e55b5ff3f5475feb354f2a7a490597b36080322265b213541682572616f3d3276c713a978259d607c6d69eec26d524ba38163a329103e39e3b0a8ec989eca74f287d6d39c7ceda4df8558faeb9d25149963430f33b108dc136a4f9bfa416b3ceaa6632cd5505fe14fb0d78cf15f2acfa03b9c307 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21600,6 +21715,7 @@ Nonce.14 = 06b7b75d18365f4957489a09204b2672 - PersonalisationString.14 = 9e32f001033eba3bede220d4f351ce110e6ee2eb0b099ce54f9606a21d80b1ea - Output.14 = 508333114a0abd5fe10327daa0f1342c66569d912a64d8ae89227d0d8ed5b4052cf84f0c38927d88dc0d7c476e747965adc9579a4603a36566a1730f55ed7b100c1695f060674484781682ee629167f7adce89885ff04d722d960d0297d2abf79bd3338126c2d356a91bfa588f80db7ea365bf181fa5370c478a04d05a515b78 +@@ -44198,6 +44297,7 @@ Nonce.14 = fff1f2e2ac117af8b2cb023f0dd6c6ea + PersonalisationString.14 = 0a4c2df69d6c69df0a9c58ab7c886ed9db294f5fe98eb066fde543b409ee91e0 + Output.14 = ae35e947a538e7da73f944b4dea689c064b144b753fe597369e58ec4868099c0f000995949e82dc3e5c00555a2cfe48c8a87e87ae5e7402e2b1679e413cc556f08796269ef3ea83d6a49116349a31710964fb2f936cccf249472eab3267cc1ca0073ff4d964eefc82dd1559c3737661f8b206757a64c756680fb7ab6be8cb433b93f21a04c1e99c777ac26c1f34918794085ee593ca27ae991c53d141e52f90e7872bbb036dce78e6a33e2d638360f9c15d5746d6ff13c1bcdff1cd01749fa51c3c72e68c0ce57423d4915abe84c15cfb3301d0c3b8ffc6a1962c1fd981790fa2a3da60d70e8e8557e4b2e7458ad85f5141ad46e1db751893e8327c8197571e8 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21695,6 +21811,7 @@ AdditionalInputA.14 = 5b2d2bf0653e3c075c469de5e2a093193e700abff9792a9f3bc0d143fb - AdditionalInputB.14 = 976c765df6b57f0eed8661587045826c329f4f1994020de30fdd835912f72fe0 - Output.14 = d8275a104f1dad7412637d12fabf9dd1b06592850cd48a3f38304789911efe8f08970b8f90fa021b04039cd3d1ca573c1586e7ef586f4c623dfc559efc0f2c89e4136b59f0f5706a74679d1c95886a5ad05b9a850043cdb19d806d617b2f640f715351cff6920c47f96a42b872a512a7b2e99e4d0c2230861b16f3b38deb9b58 +@@ -44293,6 +44393,7 @@ AdditionalInputA.14 = 2b2dbe3834d8be93f1396b19be83bd96823dd82740da71c5eeb7b21865 + AdditionalInputB.14 = 49c322fc1bec86d3e20628d9bdc1644e6f5e0237c7c694746bfee32a00145696 + Output.14 = 9110cec7d07e6e32724bf043e73021b3ca0e4516b619d036ac9a00914e12f01ece71989f55c1caccd542c60a9cccffb91e203fd39dca2d92c8eb03ee7ee88abf21dc6891de326c3190f25ee9ab44ca72d178db0f846969465b25a07dcc83777e6b63a7f9f1a8246dd31ce50cd9eb70e6e383c9ad4dae19f7cec8bfe079b36d309c28b10161c28b8d66c357c7ee01f07403a596366725fd5bd3a5de3cb40dcf60aac10635615b866ae633fbdb7ece41695d533757d9d16c6d44fd170fae77c15b7426ed6ec8c9d6e9245cd5e19e8dc3c8c7e671007ce8454413bd07407e8a2248bee95a7669db6ee47377b4490a6251abb60cd4e2e404ab88aa4948e71ecec50c +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21745,6 +21862,7 @@ Entropy.14 = df6edf960abe3aef5f50741907c0171906c0837ba3bfaa3a1044fcc4f19ed21f - Nonce.14 = ff2558bec3e5377c12697c908d629952 - Output.14 = 9d68c2674eac76f3ccabe1c6c0bad96d5fbdcb1629c939e397eefbcd2ec2f25803fbb9aa72db952f7fedcb290da99f34c0fdd637c37dde1446d475a61c38c3fc5c1ebf9541d136cb02a43b2646df7ee4bd0d9191157dac92a33f401f089ae15618624fc0baf707409aa2f80cd5d0676612c2667aa420acc6e016e6ba3f63c686 +@@ -44343,6 +44444,7 @@ Entropy.14 = 1436be35237c34bac5b5b36b24c998380883fb52621daa420112cb57bc84745c + Nonce.14 = ed884f91a94c1b0a51f316df776283af + Output.14 = c74ce568f0c465e79ef3700857cc8857b74ec8c075cada3f2698ff69569318b130b5b079ac5b69814d057097b0a107a546b011db601b2f7aa1708effd6479f383d7d484a5df76b63f1419eb360991475b2cd97590a1887487a76cd6fde7764cba5f101e4614c635ba7b1e18724a0a8fb39ca0948bffc441b6aa0216cf3c28ae6c06a24ad1bbe68970e06884d3b68325a3d7c1dce9a2fe87d565dccdcee7c62ed32b577763f510f0029a99530209628359bedf4bbfed1a13c222692d8cae60ca736df834a6e316db27642ed5839d2e11716a5c06e8d067e8548d7ac0687da801d292e2a6f414d7470d2e72261188347878d18e00fab3d4c15cb4c4a73cf963437 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21825,6 +21943,7 @@ AdditionalInputA.14 = 4bf2c816e2c3e9721d192a670153d620aded035ffa214cb0d7638432c3 - AdditionalInputB.14 = 06f515395ad7c3d025af7df781b49b62f068ec9398f6dab31ead6f917c663de0 - Output.14 = 1e70791e6a8ce753f959ab75d1225b44452ce7aed0fb53b56208b3f26419f004983c452d724c483b4f9b70d2d84734ce8ec0258d8edfac639b355204e14b5b7bc1d3aee6ddd9f5da54c6cb086d16ce381c2d5cefbceae3afd56c13441d80c7e6081aa68ff57f21d460370de9ae713c17ab14a81f0895e9e492af7c437d7a5799 +@@ -44423,6 +44525,7 @@ AdditionalInputA.14 = 48e994654ab1d109511a3b34f5fa9f12b8da17da510d7a71e3839ba86b + AdditionalInputB.14 = 949ee0617b277a3ddf4a51343104704775d91797be1826d78051496a87d9113d + Output.14 = c4bce916b00a8583ebe1e85feaa1f076315ec9433e18afa1252061a62fc7558491678cb31048e4b4551b697e8dcb58dff951337f0fb7a41546d9a7838a1da149cb44558d324eab9e7ae147e8ead666e3d4eabc9978626efc8710ba8b5eb485d5693e5d6cac36ddd3a1a878ffbc77e9ec5d333cdae2b5803dcbba70d4e0dc60366dae5cf25990f3ae6147c99ec6c998397a1ac02b1b6ef6867aa897ca90b7fb938e3ddeef57e40897a644a4f08e37c995210e00f07145d5b3620ce673072525f9f74adf79ad703c4a09adc6eadcf77e76c6b032270d4c68f01672decf9aa0e941086188304fc33a28f53bf121df747b7dfdc00ddfe68f6d06ab7e82295f70652e +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21890,6 +22009,7 @@ Nonce.14 = 2c4c4f3a953e551746f7e258821d24f6 - PersonalisationString.14 = 676a9304a3f744c62c7f5048f2137982c89860577cfcaf0d855514436ff8eff2 - Output.14 = 7bde8a5a34538655ab2ca26d0447eff3c6da298b3fa53ff0526eeeebaa4a876b60e47ca544ae30ccb00176ff84920bb4e4a4ebc3cf74b9cf8cd8ff9f7b11266a3c9bf918c458760bca6368ddfb3522edbc61ad14f2b638294e51d82e617d8c0c631aefbba50dbcd1a0a88963c3d63959909ce2cc669924d7163b01cac468c0d9 +@@ -44488,6 +44591,7 @@ Nonce.14 = 70916df78dd9ea799230435b3e48686b + PersonalisationString.14 = bf755696adb9c92839798798f836b063cbbe987f0163ef3f4a97222c888f5da0 + Output.14 = 411cd8e76e711447e8a93ca95aa3aac5e51f559d65a8385a15e71877ac8472a347d9d453bd6761655711ce2133900d28e41cfd1292d28848646e5cbdcac1e60e49e62aab169b1735e701e38d65ccc073f277972ca85444dea86c19c0c08317dbbeca4fbd5d4295c9da71b89623d0028cebf1ab68fd0aef5b37e76e2e0b3e7f72eee04c01b6afb180b1fa0c370975526b788ec4db076a16a798671451af3e20d323684e232a25d78aaa8ee43f734f1555bf0a324053c7c895dc3e098621e189962a914f486cd7a5ff330f39316afb762b1a06cf8b593ca00d7edf739e2e6827a7af662f33bb09fad09d6bdb3a565f2bd32512c79927d390c79a1cc6db968b13a0 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -21985,6 +22105,7 @@ AdditionalInputA.14 = c168776136197bc3877c824461994a4cb020b61ad1630bd8f38d0db211 - AdditionalInputB.14 = 4f54082a1b9e6cdc8599e1639865c00fd758f403adba5cb74a37e2b20f29b654 - Output.14 = b48984588cb54f78610e05c8a7ce12c630934f5ed2e4cee21e523fc65a7b8412189ac51823ecdf493844a859aa87f3e84645f22f0914245043f7b86287a85db97697bcc84684b072162c2fa636569df83fe85f1ae25204786bfdcf5eb85006d09a4d97b162248daa8ccbff9eca28b7bce9fdbddcb8679ba50b6648cb3bfe9af1 +@@ -44583,6 +44687,7 @@ AdditionalInputA.14 = 6f9f47857a60b6f3f9fe9a83ebcec5f16ca73e236d2af5b0daab45c0b9 + AdditionalInputB.14 = e6628fbe4a774bc5383218302b7c565da5a5bd9f19db6182b444af5ae5f62739 + Output.14 = d701c1824a82ff1803c4b59f490c3f37850ce85b5905059ac4484f5049f31772ab8401bc9b8fc1fd6ca06d01f01caecb3cbd914ea9574f497df0316a0d56e2830c8a908ba78d1dbe243d0fbc560c407052ec02e9c77f7b12264a46316a777955ae87a71f2da9cef2811f6328ccb288343abb65a36359c07122cb4e6639397829c48dbf8a821ddf00ddec2f294e48d05adfd0f7a706bfc337387bb7923641d08c288d23ed5a2a20f34684549f9f6b3d74ac0f04e10c7dec04aceac369f505d7ccacdf30ea0662cbab001740922e9ac32b6968e0c5a640345d1132e883e07fc82858980489893d0e38960883e989c41e72ee967c00b9a943f0666d1f5e93e848ef +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22035,6 +22156,7 @@ Entropy.14 = abc502a99b7c3cf14262f6b036925a9904105b019592a2a6be26d71fc42c7444 - Nonce.14 = 40a212f9e1a5aa54f2c7ed4ccf631c9a - Output.14 = 0e747d83e2104367beca697db9b6bb994061d82aae7b1564f6a0911a1f599084a7ca7c94e232908d41df93a6b416e76146a53b490afb552124fc0c2087cc45de96390565b58f913b5dddbc55dcdd2617ea27858ae7c7748b31d832fec0fafe84594ad7b693cf972daa9521ad4134867339536ed5cdf02a758e40d5d96802f4fa +@@ -44633,6 +44738,7 @@ Entropy.14 = f5ee32b61bd57a4a4d51309e846f636560a8bb2a576c65d37a3f715ff1878014 + Nonce.14 = c638557dae4f9ab6e078c61d54d0f566 + Output.14 = e929e6c5c4a629c49fbb8623aea903ea129bb6484ed542cf940dd97bedc292e8bce924ef0cc57fa9b50b17b82618a840375874735560aea57e4e9701e4ecd0e812d1bf9fdecf67f431e4d7f6f455dfe4bd3b9a1553c574b0bfbc933a31580319c97682dd990c7081b711c2fa67a4eb54472be39f634c5dd901848c012c309c43f34d189a72c219acf8ca393d3f2cb292d62bb4d5e88f2b6e5e0422dafeac17415af623473f26ec24e65082123db9b9c00dbce3ca1942269fdf66f14add6c486a00527a39b050c2f3a6bc461e750f6e33236de198742284998bff98b7b3f6566e66679b3d8a1e63561fb5f8228867b8ff92230a9f2a6b9427821b6d55a359994d +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22115,6 +22237,7 @@ AdditionalInputA.14 = 2a8cf10885a141125dae18c40f7bcb7e09c1b2726e22a7f776e4735279 - AdditionalInputB.14 = 7c2db5278d2336764d274bf9624db7eecad2db11c6622831e47338ea3ef02ad7 - Output.14 = 08ed2c3aa35812485ea8aa0b16149ee4f3207a0368be2035e202797939dd2a1c1db1ab244434edd783c7574bf48fc99f93827a1fee91cd1db1cad53512b6931d2d63018045b2a50a9b523a6ee212fbcb21ffa57ef998b4ce24e5f2f875a8ff3a45d8602cd56cfefd2f61f73d00dc33304a464f4fc1f7dd311b516a8da4e91151 +@@ -44713,6 +44819,7 @@ AdditionalInputA.14 = db7b290176b65f826aac2190a912672f8a9c97815706af33732f68b1f7 + AdditionalInputB.14 = 13425f17d8fbcca3b4d7793a53507a85813f6f50d3365d680c0620d5fe1bfc33 + Output.14 = 12d4cfe6574dddbf9de82b8a357bbd6e32a3addb7022c313ac401d0aecfbdfbc7229822f7db9012e8bb0e2907fd48d3eb435ef8368802e5eb948f1bd8d47569b694e23979652f6978b568d7e2288b596afbc67b6c1e0d662240356dc6257d9d273a9ca9f7dfc9bd4175a50ad5b328056c37046e734a76384d7418591a7604f332a457f2fbb277dce4fd2729fdd1319dc3a56b9901a50dc90feaf5969cd9e450bd8716e44253ca55c4e1dcf791658cc467cfba613c27a96f67bd68dd8ccf46bbca4294a0f548b919626d1712ed4290ec90c1098a082699450738d32a8c6516d83bd54a42413bc0ea0b37fe5d6b0663806df67f61d2c553aba3aed3f9aff111d2d +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22180,6 +22303,7 @@ Nonce.14 = d5aa1d24b7c7564f6836f626bcc6d32b - PersonalisationString.14 = 4ef1e00dcda9e893d066ce48cd291258a29e0a234796c30a6465079cbc3d3aa4 - Output.14 = 43da46cb7b737ff7617715e3a8aa4c42d8cf1b62f32ea97d035514a10798f5bcaab550eab684cfbd5c8d3e1ce6d9fb026812e647ae6a50d3d8da8e9e2f1d5f7fe550e7e0b88e146925f2aa64690e1a5a5de152f6421837c15337efa80fdedb0a4754268bb83fcf0281b05b3885dc64b87f1da61b1ab219779ef44a1399b992ac +@@ -44778,6 +44885,7 @@ Nonce.14 = c600da30d68cddd9b823433845111880 + PersonalisationString.14 = 8896ff67866ff1f59c8e5074d91e6b9112410c9b6a1eefbcf05a1b8c7123dc89 + Output.14 = ad8150de910a0bbdad0a674d032919ac3304d5977fc43ad5d5b1fa9be46f22e94f5c2747db228315b0d0505867fd97f9b1582f97b4693ed542c416df1847a85bcd4ad07d6348a4df78412e3df4e675def7f44b1895a8a2156c811040a46198a863c0107aebc3a426b4c2b9ac294b227d323879a70cdf7ceeee7f6f51f102c3ba4ae9a7343aff295b664c869f2c2d6e4396362fdae7d9b5eb0802f37ff7a3a7f1c944044b1bd9b21fbf23f191c6f538398164c2d1b67390e7b059b1c9f5bb031b89a23895ac65770182c8072fb0ad4a7be055d9a4653d08e6b22a61ebdfb66adec2629030f47aca70a06d68c9e1c041ceb2dc9bcd1ceaf61655ef7bbb1653f3d6 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22275,6 +22399,7 @@ AdditionalInputA.14 = f8dbd6a405435595b2520bec5026075514955a666e4ca34b7d0339b0a0 - AdditionalInputB.14 = d9536bdf1c3944d4d239b6dd13750c16a2780d943d4cb5fbbe418189a7d65432 - Output.14 = b5e12e5082c09fbdda81d1a2229ef9bd46db84e62ecbcd1a2c4e88557f8ed3b5af740fac2bddaaf441b66084ce2239adfc9d02f001cd23470535f13ee6ed73256adf902b359930093ffb293a7c007074582a356529ea3ed9a5ac0a1a3f62df5fe09d27f5a7ac6abdf1fbd5f5e5da70da5e3037fb062d0817b077b56457238108 +@@ -44873,6 +44981,7 @@ AdditionalInputA.14 = 4adc98c66aa72da2c63172aba2a6c59fb20aa7b195a0b79edc709bfa99 + AdditionalInputB.14 = 83485ecbf938b8035d047956a3a1bea5adb66c4a7a24b21dfce4269681c31bae + Output.14 = 6c69a58a3b27c73ac396840a93ff914219fa80241d39d65890ea612017d7b92b12062fbc0e3c39508c86023f7d70e9b156b4a766465c01c554acd6b5d78568d2087834b3b14f3fdc4d4b959e78ae2fa5298c87321b777afaea4a5c271a584a23a262f8b679cc8198ccd116c88dcf529a6677ebf5189d287f56eb445ad7313acce013b3fe49fb5212cdc3cf8c5ed15aa26b1135d7d9e0570719c4230c104a652fb36ffc57e219e735c03346d18eb57bcba813965bcb39b6a81da624838ba7b9a65d3b684a021f4071c66ce705974f2bd0ce1ad6727136d77529e3b400db0d14ffeabbac877cdf6a38ca66d83492a90482343a5a427ae8b8f77a2f724aa30c11b9 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22325,6 +22450,7 @@ Entropy.14 = d233eed6e4a43436e4418ac071bf9ec00d463d0568cfaf7b4174f96c1f6b8564 - Nonce.14 = ea8e646e88f7fd6c8e590155df15558d - Output.14 = 314dca793ee1eb0dbe48bedc324b557966ac7a17b900bc4167ab4b65fe6b34ae625c200c4e21428ed258fe28b99c31cc4e8f9eb93a793c3e33fb0b75a2595a3201d939dddfa27911ad6f731894e16692343f25de291da89570a257a95cccb42f7d9820afa9b35d16664f95a2099ac929683b7480a4d1e34291853047ced3302a +@@ -44923,6 +45032,7 @@ Entropy.14 = 60da58990a377a615436ef43b1199f88c7a4629653dde2350a4c5115c42e52f6 + Nonce.14 = 592033d0de138ae7082c03553e3bfdf9 + Output.14 = 7a770dbe8e1d3af1dae5b93acd9e6f1748a4a6a88229a875d23b37665e0cc96d888dfdc428a32cab378a9ebe22409709cd9d11f0c751c08d98eeac13b6f76f0f51ccea254cae23177c3aa207c59b5ce221b93442d037256d553275a6c4b5c83c1fe555a630e37d8277e02c050c19e145a71ec98b96ae3ae44c9ff87c4501c1ff7fd5231510ac9df623b3fb178e147f07d1fe02b48e877cba89a822c91b5af56b71d60116c49f80d87656144854909a7d718b5aa8f071f18357c2c9f9b6c0fac3195040f26b86aa936fd35ff37287aa140cd01ca6c5e577d815790d6fcb1a57569d23e801e2eb2b669ae7cf17d87f9ee66e0b515bcab09087e111da199b6a15b2 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22405,6 +22531,7 @@ AdditionalInputA.14 = 46cc09705223bd3c01fa037d9a19dd2465bc612f519e51d33fbc845742 - AdditionalInputB.14 = a9f78f79d034d46086bbe5c8883dc2a34a1a17414aad2c767a3b3f23dfc9b637 - Output.14 = 2674afd329d03ad3b1bb8157c3100a312e29bd72b55139c408afe7f2c9e6d53df2cb8b829b7351a80cca8f0b59d60f6454ba60b154f654a09aa82a63fb28ceab9435cb6022934a0599a4c3a005bccdaa8bdaf8246ca654692a6c038cc82fea477fabdf3d6a0975e952ce3feb7fe8c4510b8c5347b21da5431cfee69e9dd2d8c4 +@@ -45003,6 +45113,7 @@ AdditionalInputA.14 = 967911f9412d40f2c62e43f48ff965bb1579a2ace388c781e125fe70f4 + AdditionalInputB.14 = 052c401de1053b8dea309196bb8e326d4b643371976d1ff6be0a6ea4ad27e5e9 + Output.14 = f7e8cdc3f8d2796414b9c83486d746cb8b1675b37d0d7546392c59622c693045dbcb10e9343524a6e7a9cc757717af22ddb8127bcdfb29cb8da409bd69d42aed9708cb2f904dff562a695be004ab25d31b8485bdd677c96d156ce8037726519d1949cc15e91acfd1c7c0bd58058b72c7d340b2f0bb12115ef44af6d20ce5f429d681b614e06bcddbf8ba00b40732b4dd425d1a87b663afce0e9a87b942a543b055f00b2428de12464a1309fccd0a15d512691e3858666ea4dc6084283deb075877c0162dbaf8318c9cda01ca611d72fac0b386a753ef35f438757cdf732a61a1f6123d1de3f61eb072d022f56c679a86f7a05bd6fa420ba39ed2973d4007b9cc +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 0 -@@ -22470,6 +22597,7 @@ Nonce.14 = 4788964160bb81d6f6c2675008b05410 - PersonalisationString.14 = c56e284ac65798010eb7bd39ffdf49bc25fc2e663e90ff93f73c97e65ea82935 - Output.14 = 683493fb3c6ba0ae0c42009beb39fc37a9d235fb3fa00648ce4d60b4d6bdecdbaa1e2ca0c0fc80c53f6f8ceab31c3c42764b8f23c4cda91743be33e0a77fe5a4297701bdec6b2a5712e76c64bb8b7e03a257c140cd8aafef046b049303679a7904f029444d92d673107bdbf769fc1130429ff64b527b0ce2420e2c70e8998ee8 +@@ -45068,6 +45179,7 @@ Nonce.14 = 0a6bef6b736129740978e31c3fa279e8 + PersonalisationString.14 = a5ca2491479bda16341b2c14339a5307fc2e2f5df4fa625e0ea351a95a14f588 + Output.14 = df587647f8d440a6c8034e757cd47f28d0e58f8aad9a047cdc8a70a8b1cd0d8185240d47bc5d2f4657205ed218ec38307e68efad94714630cd490b939719a4a07ab994793112c021969a8c69872903315c74b00b677648673e5883b5f46e075550092914cfeab05454226ee3d2154698f368bfda0b8b99eff5d111c1649a0f7e67ec0f637c6d3466994d655066a95732590e521ca055b048dbafd219be1a04fcd047c3722c4adf29ebd8486e7171359292e11ac6b740b4d51093383d64d2a45e51115c689ae29357366f2013eb9b420c6bd069d22c2110182e842eccadae81797a5f57d9ff47311f094ea0a25d7e329fcccb93c28b92ed85ccc2d690a84f2b2a +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -32177,6 +32305,7 @@ AdditionalInputA.14 = fc54b5339b37eb6889cfd7c185070bd0 - AdditionalInputB.14 = f6a783d6d42e5ad5abb0a996bddfa04c - Output.14 = 683faa732c4551604c8865b5f777571c7d3cf1a60124c59b91283da0cda9b21761d1c17c81856958c6d590436c73594bb36f46c2f89237d8c7a7ddd2c58394c983f8f6c000d77566f2a1d89bac054bdb - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32227,6 +32356,7 @@ Entropy.14 = 08a325accfe119fa807a95e8cc2cd8ff041ccad8e2c4cf49 - Nonce.14 = c85baec1c2d1f3f189eecad5 - Output.14 = 2567712d6fd3b52364b508bb2e4ae18e34b155dbe99fef9acbe21346715d36c538dc380a5e5900e0ebde76c779006fabe2b3f171fa63fa0f5ba264748278549c9beb26db701c8fab7adfdf48eb63e48ca6f3be8f17131c5e9145f5dadb00fe666a651d2b1b9e785fd444b05d4efa8ccc - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32307,6 +32437,7 @@ AdditionalInputA.14 = ae701404440c584e27266a12318c1793b6a112d96e6a6749 - AdditionalInputB.14 = 53861747c9627e9244679d58e2dc8cfd8a72d1bab611dfd1 - Output.14 = 665481033912ca7d87caa56af2612338768b044953b02b9a50e0244bb805ca007648f71ccf923030e56baa13a88111fe211091a54744aa5d82abe97775878059dedc6272e7c7a5392d1fb443b770ee7f5dd05a3f2bba4cab1cf473d02648d4f8acce91ef167e3ac00c1c9324ca074486 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32372,6 +32503,7 @@ Nonce.14 = e41f19a969494a2293ad0542 - PersonalisationString.14 = f67bda6553b5e4b89e309cb48a336b78460aff498846c2e9 - Output.14 = 44d544ac910b7668ba9c5524e388957520fdbf11383808a5a8008d119aff7e1e2bbe63b4cbff19455f20f3dc79ab0a83dcf0e403728f2a2b2a9f3b98930d9f285641da3b6b9a9467b2701ce1ecac82bad8214bb618c40999f5023dc2d97dc1a53a0296d44f6fc9d49db00959c89e9f5e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32467,6 +32599,7 @@ AdditionalInputA.14 = 6a7418d4ffc40e11859f33189d5a8327042ec268b004ade8 - AdditionalInputB.14 = 97beb8c47434a23efe536287d776edda7ed7cae84c0c7e35 - Output.14 = 1fe94acb5f5cb7e4a8edf5be61673bdc066288538dbd0ac29ce2d43f7b890028e48131e6b3a7cfbb42772b63f2fac8c0472418653ee2ebcdfa5ec08683e7d4a9cb2c67cf7e22c2ddc779c6d9971b29347e6688113294c902a5d62c1fc35595e091cb10e5a895d7c3697056659ae457d1 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32517,6 +32650,7 @@ Entropy.14 = a71c303bf17e128c8e0aa07fb61ccc1f40fdb487a955fd95 - Nonce.14 = d3ca16fb12ae4709d411e5c5 - Output.14 = 61a51fe1eca4cf947bbf2a77d643e7963ca2c587e0eacc8f7fab3b3f0e166197a4d15184cec4f0858de2773d8becb339bbb18ab2c10c8b246ca66dce48e2a0938fe1ab122b4930d603b937491ddd3d10abac731957f2e1e030eef33f7f311ed782b06697914145e266d0b967914d638a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32597,6 +32731,7 @@ AdditionalInputA.14 = e098f0e076a3f40fd970f5d221944f0040ef4a18d88dbe6c - AdditionalInputB.14 = d7eb01dfd7c13fece92d35133c3be71efba145d7353c6d69 - Output.14 = f03074a219ef31d395451ebc8534e4f2cd2dbfebbd9257507979ecec79a5f76359f2d6b4653b31704ae5a49f884db91ac335ddc6d11768cac7850734e76734b63b71ff12f3f8d42cd404009e7f4b66bc0a639a9354ebd754c17f3cc65704e698d9bc0640919c386e96760f3c36d8789e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32662,6 +32797,7 @@ Nonce.14 = 838d1c69d8408cf0134f54e1 - PersonalisationString.14 = f08a964b386eeadc4bbe57164d3b3a0c7c0068c49c9bc5ad - Output.14 = d8af077476875fca2ef9f04013976c3c278d30592361b923bab2f7e3c8af4affac5408c390b4989da254eeb97ccdabf32f5e246739d0e532a6ea317e7dda02bae5051ca97a445f5e0696a041e5f9f2c077b26e575d749cae344859864aa00f262c1c41b2964b78f72f9cb98abce103f9 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32757,6 +32893,7 @@ AdditionalInputA.14 = fa0823db6808a3de1a7dcc081c01cca840f68b005d473bfe - AdditionalInputB.14 = d3054fa2bdec7c63dc009ecccf25c1116380ac25f82a9085 - Output.14 = 556e90c95c1abcdde027fb2b88cf191f0686830ecf3fbf89de51c9bd735726131472a17f307263d57c03bd5ecd9ceba6cd5759b06594bf901418e2421fcef4b72678614079cdf4d25fa0b74985380552d2bbf478290445066e3f4a40a2e2b0792a685b769ffdb27721b1faa484e9c783 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32807,6 +32944,7 @@ Entropy.14 = 2a55ddbf673f4e12538e61cd2bfda6f0316277661f553c38 - Nonce.14 = a0c71049f5c75c23cc11c7ca - Output.14 = a88e6cc37617929bee1e14f74ee363d1e05fee618fc1eb1f8abaff42c571048032c84ef0ec7a6d8ad7e6c5a4a6e90d714d76643eca063287929032fe75a2b63fb1f83ab36a7fa12a12d7332459bba56b017654bc0fc29beae1897863a63276208f9d11a32780a627135b271efda4f4f0 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32887,6 +33025,7 @@ AdditionalInputA.14 = 65e70309f7386d1a0aaa53da65263d5263bc5eaff0d5f3d8 - AdditionalInputB.14 = abb8cd0ce0560309d2424d2f3fdce7af085e6c14699b4799 - Output.14 = 8188a498ef9e0fd52a77c3a44f1c7edccf9248590aebc52cb9ba7b5cddffe867b26309f032a78c0ab751741fdd9bd77d4bd17be90dd045f6f8b45826c9900028f68138cf1ca8e18b253b8eb73ae04f2e156d51a792abdc6524e4f45e4ed0b06ab3b0c94bc5e1ed58f917c17f72161d31 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -32952,6 +33091,7 @@ Nonce.14 = 1ffb77244697c3d67a564d06 - PersonalisationString.14 = 62865bf0f5af2146440d74e5ac8787cbedc544de16db24f1 - Output.14 = 1a74f62cc6bb05ff956d1af526926b937a84352830a78c7ecd2ad9c39a796f29f640d188ded8bda0e66ba81c941fed5e82f3c78543d9fca14335459ad9d573362f6b5d69861cb94c0bb055723ba5416b1fe08e74f27f23cdec9db05b50b01a20f0337cafec896f5f7412e1dbe7307e0c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -33047,6 +33187,7 @@ AdditionalInputA.14 = 1a6853817be281e26796430dc90f014f6fde64cbef16e58d - AdditionalInputB.14 = bdfa703974a758cd4eb00661e0f4663f4e574cc7be6906e9 - Output.14 = 23c9f591ec9abea9f9eb89ab8d705a1e570fd2888772db5d6fc6e418a34e32d78fe49be8d4d8288fa397b57afd49c07b715e276c68a2eb8f3e63f67de21d8ad23fbbdcfa03b201952fae49928ce4da66cb70638398bfdba4db7635c8c726a3cdac22c98ae776e881edd60b69f0b38e4c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -33097,6 +33238,7 @@ Entropy.14 = 7c8a961f01c1888456ae6042caf338c3ab8b5be28b34d15b - Nonce.14 = 61edc22b49e518eaa9e4e04d - Output.14 = 9d2eb0a41f7b03ccae8e4e3c61628e6710f5999f3991f04ba90fb3007275d07ff169d325ab26f3446e585c2d454ff8f6cd4a520190afbc06f30ec9b49668b09de45a116b171c210f5f888cf3c273c803044b17a16b06b44bc39344f2b2acb2f21f4b0a7abafec8c8d406d26477db9b7b - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -33177,6 +33319,7 @@ AdditionalInputA.14 = 71b5b9e9b813b5f69e8fa9fa7f588217268581b7d135fd7b - AdditionalInputB.14 = e5b06d8f12539d36c665cf129c1c42e3b7e88edce1650870 - Output.14 = 64595391a02ff750b46418274b8366bbca0e9c52c95bbdfa65882b76395887a018faa276f3fd6c8dbccdb964755e36508897cdac977037d0978f2752d1dc68bde3ba1edc94787c1c8cfe42c2347052da30ba7f1e06b44c10805196e7bb048cf572fda62b4a28fc189702b1e575b008ef - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -33242,6 +33385,7 @@ Nonce.14 = a16783ada78fa029ca3fe31b - PersonalisationString.14 = b20dae78f254b07fe3eeb7c793334f3f432930353fe7f221 - Output.14 = 081803927779c7b2039681db542c965fe48dc3cfde712a361e77da9aaf9f21cf38e18b4e8e5ae5a365910ada327b05630abe87858163713fd8c2988975eca44ee3725370f1c68117e58c2164605524102f22f3ea55f21f7e8fccd9861c59973d71c0aaca574480be6ec8e1fb9a163680 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -34497,6 +34641,7 @@ AdditionalInputA.14 = 228522e58e65d50dfd176e8ff1749faa70fc2c82eda25b0748ddc5d41f - AdditionalInputB.14 = 7af60c47b4cd146a39887c9b812a1dd814d74c398609bbbfb57e73da9caff57a - Output.14 = 9528c88f0aea3fc03bb8a9061e159a06d78a2a654408808aa4d0e73ab1a51e5aa85e8bcae72d34784ff6f513193e183d556ddac5675314f2b5cfe392d1526056afe32d7c03e09ba2bdf3b10e228b0f600a61cccd9e7bf14dccf13b16a838e60909785307e6905d510d9888eaab169fa601558fc952aa8559d270ecd386d7fbd7 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34547,6 +34692,7 @@ Entropy.14 = c0509068d88167921812103b67e734698d68718ecf42cd99e0f55836c162d450 - Nonce.14 = 71a50d2db258ea35ba69b5716bf68a14 - Output.14 = f66c05713ebe804b4273103997d260adbe8a7d0f6b2bb862b867ca59874ab9e0898102664af2a8db24a7ccb4637269ac67d5e834941303acab9076ebfa04cef64f73480afb6808f11e6ab1a9deae514f5db1c90c59ce988cc1d04012640a40173362de2689f88647268c665ca44f57534c9ad9b8316b9cd1d5a14942e94e90607acf6ad37a2398979e56e9c227c1803f90844d6140f10d0baf20dd789d808a647b4df54d2136d967461383dd4db9dc154dd89cd282a2766dd6086bf3825d095c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34627,6 +34773,7 @@ AdditionalInputA.14 = 25d2ad9eecd3bb8bb60769942abd16edf0ba777f2541a4b0e80fdd70fc - AdditionalInputB.14 = 608c5789b5a2a6c11c7df095be8c81968c0bdbc6296026ab65195bdc5a297366 - Output.14 = e1c600294a86393b7067b6e77ca83e68d28a6b76f6f81007183be65a50fd2f1adf6eec5a64cc753c5bd0ebc12387bde8c6ec10e6ec7e603f09d4ae624cc5423b5bd53da4f0af064e14a7d176369f1726fdcf6468ee15ffd7db3be48d196601506c71e2f443a768e03ebc35245d254bb87a392508ab07c95bce84ba81058ca1545289c9d8142aa0858c9cd5ba54ee2bb75cebb5b74e0d099ee458752d11ed70122aed1254609a715ddf2720798c9194ae4a7424e2c518ce7a8277ec79da86263a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34692,6 +34839,7 @@ Nonce.14 = aadd62dbd7b34bf2021ea74a2788b17b - PersonalisationString.14 = cc3308e380672a955620fba59999ec4fcabf1b7f63089a124cc1f65d58b691e3 - Output.14 = 6c39f49bb51765dbae1de8325e7a6f8f8aec031dbdd94b83d5c4e062848eb4e01e3912784f817ee16f9c2dd0129eacd3f7b8d5bb4cf9a4a2ef823b0505c2ac8e4a1ec30812e98564aebaec14ff710a77c1904ab1fa3fef3c3d09f2d55b047a8db860322fab6d939093385838ec6d11667ca843f69268ba1fb7edc462fcc285adc9b4b97f0f717c28ac1b6f371d90baa86e8728051dfe9b68f15dd31a6da35194253545a5d667df6a1322f6b73ba661c7407608fa42e1b894bd1b6e7641749977 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34787,6 +34935,7 @@ AdditionalInputA.14 = 0d81d8c5af9885d1b30d2174429bcc6979bdb2b82e6fd3ccdfe93f36fa - AdditionalInputB.14 = c63866629ed771e53d2fe2d5c21e98ebde295c3fc3896fb67279427c61a89eb7 - Output.14 = b369b226dd535dbdab45ff8f13735214f9abe6d11463a44804b838d2932112ce6799341505b7b5bab423a3794c37f383b06be1fe21f5c7da97b333a41fb67908dbeeb2450a3581ef71870c964c976f039ee856fa507e9de948c4c097a64070b23cfa09ab7506a8ec4fc38a38ce21fbee3f3c1ef3ab598f5da202f35b90f422af31688402509c38ac25359409d2b61958390d28ca2d8b5dea99ae26c90978f01d7a482c12e134a81de0bf6c9f39e32a8b597ec7b7a05a805ebc7ce260c381f189 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34837,6 +34986,7 @@ Entropy.14 = 5b50064163ae6238f462461472ad2ac9acc300316e140abd9cd6edb87b8ffa09 - Nonce.14 = 581d145675384210801d9c75d4d19624 - Output.14 = de0ace4f4a728c681a0b326298142fe79cbff2ce5230e6c1ca3e2808692d02e4845867763cb9e93acb983aa54659be6f9baf210048baf7ea4f062bd7e3d9a6d5e7dccf427422b9dd93d392ffc810dfe185bbee253c3208e22a83c9804501321c6cc0357d22859487a3eaba53444f4027843699d5a78214c431ea741bba73bd29550925443cfa5f494372bd0e482e3ab4eace1b60187b6db588c0d252c8da3e0d6dd3e475040817ca2c85b1149d8447a52c111f05d7c14a0f6b7b6ea4f60aed3e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34917,6 +35067,7 @@ AdditionalInputA.14 = 80bb70930ef2015949b53d787630f5de93d93f98c577ca4632266e1bb1 - AdditionalInputB.14 = b6afd2c00be2eaed5c1991909e89029db0b04598115fae5118cc215298e0528b - Output.14 = c20bd78d9c396fc8fb408361e1dd4827ed3231617a73cd8848e493927207ea23e6efecd4fae36aff74b5235067543c7eb44c290122f9167a0ec4c6a530ecb0936fd683fbd866b73afb712b2f20ccc981b3f70faec4f4fda62e956c7d04cf578b06259b0f3c044e6dc68baf91e6149efa70b2ad2b81c8e14d1a994887193e53bdb5986a23d0412e989c447689a71b283934e50c25e10bdef0b22ce7368840cf761e32aebc07d7b51da16dad4c332926a4cc9853ac8db36b4b01bb36746a28f527 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -34982,6 +35133,7 @@ Nonce.14 = 3432a2e2263728e375ab973bb5842d40 - PersonalisationString.14 = ccfee35071757d5141f55a481b7c44a584c5e537c636d4d0ba10dc3c88adf6a2 - Output.14 = 72a77d1c5dea9d00c349d4e5a9e6dff63ef6cb80b7998ef62e7a1fdc2267057d07fafb993e8df868821c6cf76430f3b7ff24a527f7e41fda6d560a773d05bc003f7e1ed5085f6da3785dd999a4763894455febf7618750bad4e30d8f52f3a072af30d57df5afda08ae7cebdcb659e6cdeaff52b47d4dc571e28315ff0e38538baf436e02d157b64afc6d50e6a4c5842aff1e7573888c6ff9beaf4f91aed988f03032388940c4f54afda05bf55ef6fc8c673f01ab545838574f3bd4f22865cfd6 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35077,6 +35229,7 @@ AdditionalInputA.14 = 0facad642bc0004f946e3fdd149a4c0e52475c9e832c85b228bff6f2a4 - AdditionalInputB.14 = 19d477a7dd45a0b733e6c301a4fd44ddf65d4fe0a0435b57e319e31de4797427 - Output.14 = 2a48844f6919ed43a2b0b64a1d28707fd3265b418e0673190b49a606358062c1a54a6071c845adc6ad74193d746668f890423ebb971a63cedae3241005432c8f3fa3fe7f98d5912da34dabcfeb17c03ee8881de7b2ef04fa2147b78532eb0ce7d9244d717697138f116341c7b9e99f15728207f6a73c651b8940582f9f926253420a853ae18132093183a6073e3bc85633b75e1c6cec9323ed4142d0c8ca0dd5ab2ff2e6b304ab8cfe4aa98ac64951d836e074169d375ebeae8498f11bd02c05 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35127,6 +35280,7 @@ Entropy.14 = 3b6dde5f550d482d30eee2288bff802241ef20ec15696e614b7268f7c574eb1f - Nonce.14 = b8d8984703ca7f942951fca97129135a - Output.14 = 36d0cce70eb5aaccf9b172fccf68e01eb8ac8b1f2652cdd238f4b070c8f2d9a128418badb38d5d5fabe28b59d15cd432010716fa6a48071114b2168cd29028386171594291118e54fbf5b61ae3fbbf9a21ebe73a4aba482c7cdc5ea1a4f21a0f1b38812cefff9bae78c2b95f417dc0cda010079b637f825dcba059d154f5a53050db773250013a1f051de9f7882433d2054ef2adf9b7b57c67173c06ad16cac6bdf74a10bcc666f7d4a091a78131c5ed76fb733791278b6ee0f55302c4b122a4 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35207,6 +35361,7 @@ AdditionalInputA.14 = c6a3bc83220c7708eb7fff5787ecba27e48c894e15302e0ee7f4e5f09b - AdditionalInputB.14 = 39b854a1c487e24e1ed58916d8012277fafd6e7b6175c4be43927cfac9958404 - Output.14 = f7d2f39a513f6c4eab993fa440b769ce09a15476e06ceda47969be05f53ec7f8409de284749cdcfac07fe7df66b1b6bd39389401909f3a84538d041e1c038a289869e51bce8bac13a0f786cb091628f0a3a7f7f9a2f620c98889688d46a2a037fbc1b2a4fff40800eaccf98a0bc1452ff1f53f040daa94e17dcd6acef97192c74075d064be5a97205ad97f693257d96c04e78654a694e90b80a5234a25d1c7ceef360d53e768067335097c4aa8f126a31882eff8e55cee05eba4b4325c203f4b - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35272,6 +35427,7 @@ Nonce.14 = a684932ea2337296cc3d150174a47ce0 - PersonalisationString.14 = b2c0af9038c2ef79ca8263a047bb9293a44ecdb457fb45945996157dcd199cec - Output.14 = 316fbc32ecc1dfa778b13921b1d624f9231c0ecca03e17fde750b1e31e76b1c330ea5bd62ca76150f231ac4aa96b06f845db2d03b65cdaba4c160b288a121eb144058f65a751e22151f91b90131e6756356e7f90d880ce754cf965f439189eb8bedf86c58e1fc2751e65637930c42552fdf81acfa1d4515ad49dc532b2a10b2b11209425ed1cf43c991b4a7c49bf6e701990fddc420608d74c3636829e4683c4e77a8151708d82ef8fb81b3655670fd4d242e357831bc091f30e6d139d5e5ba5 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35367,6 +35523,7 @@ AdditionalInputA.14 = fa32817ad83c85b594976eafab28fe25c45aa74d0ab4750b33dbfd8836 - AdditionalInputB.14 = 2e5cb3c7c9503e019b3383eb6264d6000160c3c99ee5700e7a92433da1c01f56 - Output.14 = a7571c1afd3d1dc1d3b28dbab54fe3514a0ec74ccf999376a963a3820474cdd67b190551ad5b24f4376633b4964490f79a94059a55b967f8dbe58eb20d70f1fdac91565bd8daf5223abfa13b132a140acd33e36f29fe1b107f62e6c45a679247b80c0aa050f1c2d3195629baef7422b72fb3cfbb82a2e4dd1966b1cc27b8e6df1907fbd6320f25594e1eff912cd9685755473b908e06fd30c4359258be0580e6bb2f986b0450d53fdbfefc3bf06c0d80648800234100af755acec4f809c39f3e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35417,6 +35574,7 @@ Entropy.14 = 1e1cde834393e00a2136b8924be5600c8bf59dc2d8a9eeae467ede71ee7b75af - Nonce.14 = b6035e96adcb7e8f2e17022e2e4f39ad - Output.14 = 9dde9f29034b6e784be24fe600c39b091568afb4c40c8e05b8b7dc36ca74a1bed38ab15643ca8c6da2f5aa4b7a6a5d5c9920cc31129c84e2fc9b865b3f30b698a143189a3f3b692b3e5641499c949e53e3619cb112f42046a18d5d12dfb3c6932a6a829d07deb17b799519b81e961ff293c0b2d24b629fe906166e330135e4ffd00609462f0f9b89a110084945243972486a0e1aedb2eceec02d402696c89abbc950dcaa72d7b0e00ed8e65c3e9eb1af7535de2da728f901650633242b3368c6 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35497,6 +35655,7 @@ AdditionalInputA.14 = 7112823304b16377182ff9aba920c97ec4d4f23cd472fa9954ded16495 - AdditionalInputB.14 = ba183a035635d9617bd71b59fccd561f1c78a7589c7fb3fedf41dc2e6d5015c9 - Output.14 = 94e577e5c4f66be345c6be7038b02fcfb4070d5bf74f8004b59c279cce961dcf5bfdce2f01e007790cf770587a68d0d24ef0fcd1a148fca6920e707289e58b81fa4a58b5a018a358d336a20daef30b2881844838e51c56f11533b25c77b9c6c6bb2c0657350f011b24db6c60a84232dbcd218a816563737585c1ca6152ff13304ca86dff20f9f9596aaa21448f2c6e620eee58f69338e3b675d29b478f34f0e60dfe7f12f02e6181d19185f7dc945210d86d31e85eae03161e947fec0f0fc91d - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -35562,6 +35721,7 @@ Nonce.14 = 67f50628067bc401648926d7567711cb - PersonalisationString.14 = 5f8cb19e3c86b179ffb8812db791e8bbe6b0caff958715dd9e3368a2d48f65d7 - Output.14 = f178a20d27725759c839e7fabb63bd101c3352f582524ff088ccaf6f0546ecbd3d5165f1e3cacbb49ede115b8f6c8db3aa9720692efda124138d29eac17637b84977384fb88e81289ed5ec960e6e98fdc71d03ef0bbc05ac7682acdc62888b49fdbb442080687f902b5a313ac88d364b13871b20f684cf1acbfa229fa203607a0a37b4e1685d13a508da9f48dcd83f26751a2284044f93e18b2a206a1887d77c4b76e821952b376f19fcf53d83f704e3ec3b5c3cb4c390b213d57dbe4852914b - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -36817,6 +36977,7 @@ AdditionalInputA.14 = 2cc9f137fcd8c2d526d70093fe11f90a0a36bc9764a4c5609072e181a2 - AdditionalInputB.14 = e40361245b91880e308fb777c28bbfaea5982e45fecb7757bb1c9de2df9dc612 - Output.14 = 66ad048b4d2d003223c64dd9827cc22ed3ec8fcb61209d199619177592e9b89226be30b1930bdd749f30ed09da52abaa2e599afaf91903e7a2b59ffb8fd470e6604485a27c200d375feff621118595a7a3057b7e31eadc0687b1008c3cb2c7435a5704b1a1a6a3487d60fd14793c31486af765ce2ce182de88112445dd5ff11b256cfda07018b95f97edbab4e4c39ca097c42f9dce80cd3f32677f3c224a86b315d02e377dca8f3785e9748ffdbe3fcaa3b0c6bf001b63b57426836358e9b315c6718e0b74fb82b9bf3df700a641ab9411d1b9fba42309a84bef67a14204f3160ed16a5497fe211aa1f5d3ae4b858b6d445f1d094543d0107ce04ef1d1ba33ab - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -36867,6 +37028,7 @@ Entropy.14 = 42623115c0a43edeab391ee8ac84c2b3b1bebba8a6040cd1 - Nonce.14 = b79f5c377be52381210c1c2c - Output.14 = a59dcfa9585b1080cee51ee493fabc22394ccd0949e3a4d4e5b8d60e1137288d20f65e7f1ddc1345869e1af62562d6c11044bb65d11dc0071a04a2cd0eab76718ec9a67d4482acbc82ac27685b98c50064b41e120a35e5ca57ed1bed6963fdd03e26865ddd3217d67cdddbc990c5833c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -36947,6 +37109,7 @@ AdditionalInputA.14 = 450a2109e7d83a3ab2e628ab35af4dce8ce7205de7c5f365 - AdditionalInputB.14 = 60d0ce5e11413c321535d849da56c3d9bf6222a3d2cf77e9 - Output.14 = 27397574a1ad91ef6f332c954c0d5802cb9c90926ab05c116586995bd795a2f1b4706487da86282e33d0b44dcb7a58c8c4a2874ed4646a1e963b7d26b62e0a5e0a5bb60ec6e07ea6b7b7fe1194c3ca4371736e595707ca7fb56bc924089e66b137c47f9dde74b5de3687aebc2f5c2a39 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37012,6 +37175,7 @@ Nonce.14 = f2435f70e075f8044d4235cb - PersonalisationString.14 = 80fa0ec5a3a1b46cd639ae19c137239ba8113db33984c593 - Output.14 = e547f6d8cd665204f8ebf6d64ecaa23fcc59c1682eab3190bc76ad4981d68810833f1212965def4868883529c0bae4a2345da6a0e6a7e766d16022c6f371db8ad089d9227e3a85168d080c3ff2bdd604e7f8404a16268bd66d70f5fb164cee60f1af97bdb6e1d72059d7028a13ec83f5 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37107,6 +37271,7 @@ AdditionalInputA.14 = 81356bf7d3122bd65b5d96d2ca68875e1d77b36edb8e92b3 - AdditionalInputB.14 = 1f185d4aeca1d95ba4c8e7867df64296525e00db7da61e88 - Output.14 = 8032e92efc35ace508d8a10f36a6e7110cd0b087cf853409e83dbc554633380e9793b7657a23a931e34347fe0ba34c2abdef6a8505e44da62fee97a9543b9e6dd6538726ec2cc6f6d19382562a4a438a2b0756fa66b48628af292e2f53e49edfae3ccc48a95f24c940a90d1abfdd6d0b - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37157,6 +37322,7 @@ Entropy.14 = 3879ca720aaebb2a29c99c0aa21d63308b44677f2bbe6056 - Nonce.14 = 2642dd7030605b3608f4513e - Output.14 = b7ddc2d0295a550e44103ffe7e6e1771cd488fa2ea32b091076085284edb870220e02ba6facdf27d8b34209048d0aa4cce4556c074fc7ec2c3691b95aac3f47c3b42bee3c2e35da17b040188d47b7effef8ac471a669f29e6c4b97ff6836cb9fd8954f57309a97e9a697e061010525a1 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37237,6 +37403,7 @@ AdditionalInputA.14 = 13998df6bfa51c2708775384f01cfe8f4755b6fe4b3c2fd8 - AdditionalInputB.14 = 8d25383b6d04285fb699c644bfc9b7fc72de41c733f35b27 - Output.14 = 3f408ca372917703ecb3449ea55de7a969a5ba184eee8f30fb19b99ae827c66b13f29d4d3a0236aefdaca63c28bb71595d3dc1fc20f1e7ba1b1c9bdb7c2122bd8e443b00b5339508c315ebbfc9bc3c7bebaaf83312325bae696a576b3c92931eef6b4eab6bd90c140295f47994ec6e34 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37302,6 +37469,7 @@ Nonce.14 = ddb5c0cd2b4b640898c2fd1a - PersonalisationString.14 = a096d62f947314691cfb647cc2f331af834cbcdd5918f099 - Output.14 = dc9175fb05854708739c3da005592ada29d408ed6162dd278ee457bd3304e4f7011355da2302df1d0d190ef846cadaccfa5325d3f71c407ab2434d65d815dafa6ca15f7e701a104225a839f2fa9874ad49bbdbee576b1bc71ace28c825095510890861c851bb79e2e2e922c3ac22fcde - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37397,6 +37565,7 @@ AdditionalInputA.14 = 2bc060710fe3d92760adc274b878de0df82804e840cd098d - AdditionalInputB.14 = de879de9c03efe5a68a12da7a06003ffbbea0a9c53f5e0bb - Output.14 = 4968c67d2f830b591531d620b6c40de4e9a15dc97c70b8b059023033bea376953cc5fb415d823d55d5b02b17c2ac60a1c8ee7473d25e94888fae15c6a7770b75565fe505a117c734d0c7d0386cff907a893da3a83d45f51bec9d95670374524b4f59e45a04c88d1756ed854fa9f65693 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37447,6 +37616,7 @@ Entropy.14 = 7ce7dd98c93953a8b60d395a68f03b8919931031e8f68bb9 - Nonce.14 = 1c217188f9c7980b8b03b41b - Output.14 = 58884a4316fe8104459bb339a4bac08d95461ad8e58f333eae5ceeecbf2d375e8fbb82eb1d29890ee0c56037bbbac8cd8e202d7ef05ed7126a15064699b9dfd4523782aabc6eaf21f1727d02c1311f5812c4b4294827a75f1cd6e6dcc73ba45ea8fc5f2647dff725f5fd9bc64d7b21ec - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37527,6 +37697,7 @@ AdditionalInputA.14 = e73890b772747a356ee1527501410eb5cddef015a8d6fbd7 - AdditionalInputB.14 = 9145caf79d0b85bb7874c2dc82d52bcca68225a18de258cb - Output.14 = 4ce4c45336ed4bdf4004f326a049c195c26ff11aadde90d7d035ce277a5b158577a7e9971063ee9c0b5063ab1f20c90f619137c2f4713831d18f2237e1a3d522af9a585e5f43f07d911b8b977f6c644784c9c02238b9fcd0f663c8bc1913f783c200b388b4ecf30246c7120adf3db79b - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37592,6 +37763,7 @@ Nonce.14 = 2b884a75ff571f92ba1eb965 - PersonalisationString.14 = 273f3885354c0a8296b0862e19157fbad69578ec121cecbb - Output.14 = b60362ddfbb4fc41f4f5ef353fc0fd8f31e139876a3af0e69f9049aca46a5989ee3a1ebb6cf14f525c3d8a944f4e88e030e020ef6551289c93f5c6ca2f6bc495cdf49ac91bb86e4766ccbace5f7aba008390d2b6dfd416d63ebfe07f5d583b8f9916ebb54620953d0b73c136de06f520 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37687,6 +37859,7 @@ AdditionalInputA.14 = 69720682d68b7043c331b889ce6d3d83aa3d33846e9ddc86 - AdditionalInputB.14 = 350c63e7b01ecff4aa171f157c71f89a55637c2cac0253e8 - Output.14 = 63fc9293971bc8dc151bcc2df20e4b5c7604138e4df49fed323c9f1cdeade3d5d1c8bc89e507e5da1f38c1f76d968ee45ba53a3da35e693e00afd683817ee7da5cd2b0a657ac6cf95913c859c6b4a15449fe9045a3af03cc198cf10b2deb67c5c3e9cf9a40b8251de19c6cf3114bfe22 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37737,6 +37910,7 @@ Entropy.14 = e03af342db03da30e2b0e5b8ed76c2562194417fbf6be645 - Nonce.14 = 6a9a5188dabd510894073f76 - Output.14 = 7963276f1054db251369a0b91d854fabaa3dd5b2343ef4306cf897bf964fc8b885908c4ada163b929a19c948ac89c8480170eb59b9a8d7d2d30ddfd1248e2c1795c69da81fe72d6361d34754f88eeffca2c31859bc8940d6662abe2622fdfcc28a1764355aaf46a2e00e50606af2b6be - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37817,6 +37991,7 @@ AdditionalInputA.14 = 9b6c491387a2394b94bfa8b077cd43bac49117e94afb9616 - AdditionalInputB.14 = 7c04bea824d8aa7b19facfeb3a676eb51c31d7b92f0ca1ac - Output.14 = 332b884c8edcb260c535a218001d421e190d8b9c6b856fbc5a4ab45f92149487f8563138312a42487969370440675f5bc9b21a75d2a8386867fdf861c8650e26af47c5efd81d9fc39cbcd44ab0f4cb10325fed6f5b7ce5d8111ff71e5d78c7d1f53410e5ba492b9f68ca55325ea8b318 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -37882,6 +38057,7 @@ Nonce.14 = 9dcc6c4317ff492d0d7dec5b - PersonalisationString.14 = 7d30c5a4aa169c6dce156a8eaf000f9be0f8681e3282dbae - Output.14 = 550a9ad9e45ba359d463c1e084777bfb2ee25ff791070a87f01adc04cd1a7e9e6ef334e477fb5cadd82381e0add8a39ffc222150f17b8bb0d3b1cd80948c0a5ee09a84ccfff6c9ac33e6831d1a84182edac6bcc25fe357a708f78db9a88daf553914cdf0bc7a9b0527597f73707fec8e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 + Digest = SHA-512 PredictionResistance = 0 -@@ -37977,6 +38153,7 @@ AdditionalInputA.14 = 1b8725447ec539ea4a13c47b323f1d6f435ba7e624dcf5af - AdditionalInputB.14 = 86d30af40a7a395764b8b69f2656954c7c3f1c30b2b703b0 - Output.14 = 2fb2f24b2c38f217232dc22ecc7380b8240b05d2c7bc0e3dfdad268c8c10912a92595d70dd98e7ecdbdc6d7bce6c72cdebd7e121d75de8b6795b660be9096a1f24a97e9c5344c35f04451dbd8d9808c7a84c6fbafab6d060026490d492060f052fbf21a3bfa2a8e4a40db58672ca52ce +@@ -68233,6 +68345,7 @@ Output.14 = 6af689cec62a633492f6e24b754d38dd6ab0b556e91802d72f14dc8c0e9ff50df728 -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38027,6 +38204,7 @@ Entropy.14 = 9021c403eada5eac222dc48e1437b6de48ca31b9e7e76fc5f60653a3d901308a - Nonce.14 = 503b4bbc0ca538983285857a573f6166 - Output.14 = bca7456257568a178877bca602d331161828a4ed0758d1ec3febcc21717cc4142e5481dc9756c56099cb043130345689156cb96e1664ad007c461ef8b5b0fa7d18508541f528a43fe8c719f3a269ff2821ca655980579dfc2c794da673b8c9234d561b833855efc91b4747ea5135a1a05017543f5780f2cde8b472787173ec50 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38107,6 +38285,7 @@ AdditionalInputA.14 = 439ba9ee252edb11b09fd765266b220077ab641cd7ed42b7cedc96b399 - AdditionalInputB.14 = 18e1dab1f2af82b8912be6791b003d7b0d66ce76a78cc17b753055b7b48cd2e9 - Output.14 = 5af9e042af202c9584bb69cb54738c0352ef2c9b9483d6fc8efd525ca38e62f535f2ed5658770e8cc5d53d9f1964b8a55d871c78250851491441c924701a52175410f52b162ebfe3991a72472d8842248402a666d726ea71437fc4a521543a323d501a6942ec4b7fb77ce462face53a2ab9b1b9fcccfe2346adf36027c48293e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38172,6 +38351,7 @@ Nonce.14 = ef68efad369ca5fe791ad438cf9dbbd2 - PersonalisationString.14 = 012ff5b08fe14fad65ebad5f15d74fd72d8577115e5e91262043e85a13a3043b - Output.14 = 1779c05411254dc5ff714eb56332cdf9a378a160bf0a20ca2da9e4c3b4e3c425d2f08dc969bd4924560c8caf9686b27720307af8246e6cef20fcbc00cb1f137b6efe9902f9944c1384bf917675a52b7b816795327afc4896182a78d4664b98196f89c466d5fe1e2a54122035863c8bd61461b2ef9e7b469492ff63364b013dfb - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38267,6 +38447,7 @@ AdditionalInputA.14 = 77d998ddfd7ab7577ca9f51d6cfbec955aaf9f88cbb3ae32db7f7c4609 - AdditionalInputB.14 = 9ebaa09e7057ad7cfbf02e8f3143ef7b7c1dd6158f641815ecdf8e4a65c17f19 - Output.14 = 161efdc30cdd124d4d6b3d43798dd79bac70f494c3ebaca111cfa3d9343bdb73ac0def00776486584f932cab74ee12a391cbf4890b10044f7de6c73f973e43837a43b7c47a1a9a36d7e62f9b7ce40064994a610b92d68c6d37aa5d9d92c3d858770ffb8fbd87324b49101bade3f2014bcae7deffc1e4f6a1a91ddfe7e6aa33cd - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38317,6 +38498,7 @@ Entropy.14 = 0653c409e957302f6eb62bbc4f42b30942ff7860e7c38dfb2fd26b164e83a713 - Nonce.14 = 273f7eab3dc9bf11216d5216bd12478d - Output.14 = 51dfe9851da8d7d5add3dae413d8bab8bc7d1fcecea00795ffadce047d5243ae36f29f3611fb8cb66e98717a98735384aa6a310696356cb48f4672b2ddccf86eb44777c1616338792629b6cc6ec2b66dbacc1a6b66bd9364914f1f43277f6f43e13145fcdb73a4aca6b784f9084d22c967033651da610e9a85b1eb7513683dc9 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38397,6 +38579,7 @@ AdditionalInputA.14 = ca73cf447f2fc3984a9de0290fd9a984a8460ac715cddd9e8ed99aafd6 - AdditionalInputB.14 = 21dd9cb8e146954a9745fabe039f6f52ba8200f575e9bbe19c703b8864f34e93 - Output.14 = f1b153ae274a380c28668f1ee2c8c3a91f5380d41bd611d974e4e419a37debe664d0b706722184fd3e805f2ff05554bde7219023d1f62a52970aedf4d77e7b4604cac2a804e7b9353c087752f7f185991b10910724d0fd06dc6526d6102c8d0ee8c32f6692c2786d3b715bf3860539689e3f415855ddc37bbb6750972f3a45ca - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38462,6 +38645,7 @@ Nonce.14 = 10818cc50b58ccb660d65ff705041a37 - PersonalisationString.14 = 2756a89e79266d6d86bbd865708321f529b023d0cb5ee5d9888c37db33dd5164 - Output.14 = 7b3d778ee1623b08875305d5761ce2cf44ef1bab87c7d0f29c862c40d3da31240e7450d827909b6b131a9b0e9ad68d5c02caebf4f3b0b7d7ac1cc58e353ba68e7ac9eefc3de1310cf9bf5f4b854ef3fc36e940d4fc50072845a83c38a7d4372c191b900d11d11a907a50607c348951ccfeba4efc30377e4a965056e4e84eeb02 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38557,6 +38741,7 @@ AdditionalInputA.14 = 764b81871036cf65802c4e9659e25b8039be84bad1b121b536d2ffc269 - AdditionalInputB.14 = 28d46df3c254e5cc199e14b45bb1e2f85a5da03f49dd76b5a16b76723d5b9855 - Output.14 = 94e1fa76f879eb9840cd50853565f43cd7b0545705bd9a35494668bef7d7e7085b48a455b38fcf10f145f28a599c58e2f88c2855f2437a17d7333d243a1c25b76bebc6a94f7abc3fabe4c78041d9b3eaf675c11970b14cfc6ff20c8b23852b2733ef8d8416a920617a9b271beeabdb0462e5d23fd68b56f58e3554e81493c5a5 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38607,6 +38792,7 @@ Entropy.14 = 3bb1f6cabc56a02643eb767cc6e5bb3a5bd765555e4e27159ec905012f58de22 - Nonce.14 = cc37cc9b20a2e4de0bdf8ccc3261eb90 - Output.14 = 28f20b9a94340aaa6ca98174b5929ce3329d81bebd67faf5e30d12f775748c34c848bcda26cac8b4a9b34c7c92c9984a6f5a85269583358e985c2b372a887f9e3f0f3920dd512def27d818522ed1a49e96d00a5aeb41bafd152144a8b6f93426e73d6e8ef7a8a5381bc464b24061080af02aac51fdc52f404e1349b7d04daef8 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38687,6 +38873,7 @@ AdditionalInputA.14 = 2be009fb81ff22c5c2e15c988cdac8f21a6f17a4277fb1df773bbbcc39 - AdditionalInputB.14 = 0c869f061049dbaea48af93272c5b321977659a79f8bf0a5c6d68b982ef44b88 - Output.14 = cd9e8213591ed7e30743ba0dbae5f08a4021845d961040c5188093d518c3135048ea8ff052fd66fa83bf98c06d39c6cb522dbc938b6824f51488197159666369e7a9444e04b7ce5832bd6db1b3cebf8c0f7bf865bfc3cf60d2a2c0ef06abf7737590fba097c29fed234369cf9f064b142ca30e3941093904945021372c20d90e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38752,6 +38939,7 @@ Nonce.14 = 704e8e29c7aac1d8cbe97bd7305f8cb3 - PersonalisationString.14 = 631c5d0240b8d9800211ee6c97a5ae77405a354ac25705f22d405e17a52109cb - Output.14 = 9ee855e661d4293fdd7353492c711b39625ead90849ae5808b1f67c55cabe17ae13f0f18c0954341d6a2d24b899785642c0b29bb1b81fe098a17f8701e8820cacf6c00a8dab2e96e7f8593e188aae48385ede7bb5ed5ffa3f19053663383d666d38eea377d121e0b55ee58ee8fbf1e49c42a4d3d48fb0c9247c6b94c6539f4cf - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38847,6 +39035,7 @@ AdditionalInputA.14 = cf6884bb4cf7c08ea954cc2d2389eaaaaaa3bf9ab1dd74372c20bb3e12 - AdditionalInputB.14 = 2b30cc597b280e704632ed1cd2bbbbba7a9953deaa809848eb937b6b1a44b91f - Output.14 = 4de8e3c529bda0753a9ba237633be4c844308c233d6e58995c339cc006c7d4789b5f1a6314637b9749621fae3982c5a748d58c080e12118d4442bb55732da53daeca71d3d033b10a2a807848babb822a346524b4a41e9d85941730b21c0e80a9871c9d9aab0e6d0269258b57fcbf7d703794bd2e5f3d7b3da9d3cf2dc2073653 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38897,6 +39086,7 @@ Entropy.14 = 043872fa9f0c4d97e2c6824b778a4fb0debae214d3358a5aa01c0092c9dab6a1 - Nonce.14 = 0fc8d529a37083c2efe84aba8c8abbc0 - Output.14 = 22e8eb6b4d11657a66cba93f89b519bcce87a9bfa5ee22cd3cfef6180cb8ca842e8d408257b8140fabbf1dd65085ae62fb8b1d2a679dc0bb0a82ecd3b8bbc05782a20a6345554a1f5467e9811e0fce41a786c805ce2882f8b4d972b9a37eedbf828a381d34bab95efc47233846f8b5c701563033253323eda41effad5fe37d3a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -38977,6 +39167,7 @@ AdditionalInputA.14 = 585a4b6736338ba663522b438ab9255782c39b36e6b253186e821ae969 - AdditionalInputB.14 = 2581ca0314c9a224b09c0c2e677e1df1c215cae0760d3ba03d1053156e9c3155 - Output.14 = e244109b937e9a71caa70d627ec8280210c86676b4ea842c6a4569e5da0b25c1ab3794ade3344e2185641c77df4d3011962e8312aa7c2013e4373204d861e27e88ede82873d5d45ae5700ddf0ae7d523e96df236a249ffc6e009e231b77d64f07f395e57b19a4d2961a6046c910d0b8ac3d882129ec3e337be4cf2d9ef041a8f - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -39042,6 +39233,7 @@ Nonce.14 = b2328815495d926dc8ff075d5834bc20 - PersonalisationString.14 = 4c539b94823c6c7883b071ac395203bfb5117b6f9d5db7cf4063132e6a2a3cb8 - Output.14 = 4f6035946d4305290485c7aea10bbceb99b841770dbf5529e31ad51b0ce138344ac0b193a5074234adab8887a51d9448a2cc637a543372ed93885975b8de342c6a12a1ca8f3d053ced1dd2c7d6a3fabf6ea7860071c035f0fd54ee5775ae3a5d457d4af9e034ed337d79e9fd52c2ad051388dda50aa78d37403f33d52d30f6be - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -40299,6 +40491,7 @@ AdditionalInputA.14 = c9a1481cd25c537ba57750d594afd25f - AdditionalInputB.14 = 51e29804f9d079f3074ec398320b2a70 - Output.14 = cb3cd4510de88f8081d8989c2679f76387b7d2cda286b75d659a3ab7c3b2ac77ea00366e7531c1c9f4f8e60c845c5d2a5e05fc999621d011deac3f28cb447a37c2ee815f7f5be3a571d153475d6497a3 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40349,6 +40542,7 @@ Entropy.14 = 71acb71235e88e3aa6d8bbf27ccef8ef28043ebe8663f7bc - Nonce.14 = f49cb642b3d915cf03b90e65 - Output.14 = 144aeb56a11cb648b5ec7d40c2816e368426690db55b559f5633f856b79efe5f784944144756825b8fd7bf98beb758efe2ac1f650d54fc436a4bcd7dfaf3a66c192a7629eea8a357eef24b117a6e7d578797980eaefcf9a961452c4c1315119ca960ad08764fe76e2462ae1a191baeca - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40429,6 +40623,7 @@ AdditionalInputA.14 = 03015311cddd0961ec7a74cb84d835c058a69b964f18a1c1 - AdditionalInputB.14 = 5e0d99e0e7c57769a43ea771c467fb5e2df6d06dae035fd6 - Output.14 = 72e8ca7666e440ac6a84ab6f7be7e00a536d77315b119b49e5544bf3ead564bd06740f09f6e20564542e0d597ac15a43b5fb5a0239a3362bc3a9efe1ce358ddd9d4f30b72e12ed9d78340c66b194beb4b12e973213931b9cfd0ccbdf540d2c36ce074e2beac7a4ddac59e06e4c7178d3 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40494,6 +40689,7 @@ Nonce.14 = e8c5220ae48b0ca1412e9c74 - PersonalisationString.14 = a0a1d6d3887f7ff9f13c85d6ae5af2c840fd85989b7e50b3 - Output.14 = 14f629aee43f71b61d467ccc37de8eb6110ccdc65fff57ddd2e66707bb768e5de5df5467ccd55002815d306adc7b7d6b5d87c20d2922bf5fd3790282608457b69720be7d7affcdfecd173a741c7fc99f5f30f981b1bc102977a61f1515b923ba53cd87a37faaac12e0af613ba0972a0c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40589,6 +40785,7 @@ AdditionalInputA.14 = 875e5bc9548917a82b6dc95200d92bf4218dba7ab316a5fe - AdditionalInputB.14 = 4d3f5678b00d47bb9d0936486de60407eaf1282fda99f595 - Output.14 = 90969961ef9283b9e600aead7985455e692db817165189665f498f219b1e5f277e586b237851305d5205548b565faeb02bb7b5f477c80ba94b0563e24d9309d2957a675848140f5601f698459db5899b20dda68f000ccb18dcd39dfae49955b8478fd50bb59d772045beb338622efa5a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40639,6 +40836,7 @@ Entropy.14 = 30efbec33ef98a928e9441af3caabb34cdad892669e88130 - Nonce.14 = f77b7e0fcca6f8733e0bb0cc - Output.14 = 85f5368cb9f44474af6c4a159477c5cdd05eb0c0a37847bbb07e9a9c8f633ef2c3727d017f1bbfa89dba056062202f5824b3a493ab53a2a5fcf796d944577f1393d35f2a284453b2cbd8eaf35b9bae7b87c156cdf9cd0a2fc94ddb0d4842e3ab4b6c97089cac0e32bdeb32dd8233fd6e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40719,6 +40917,7 @@ AdditionalInputA.14 = 5c15fa9dc77d6fec5f7a4a3e4a315c05de2b5e46efe54934 - AdditionalInputB.14 = fb65ede490ee01a1c100ad5e23a20f91b45adf1ddc15c590 - Output.14 = 98cb3191831dc79334e8e37d5246600f822aaa40964b91f345b9df90929db1b7bdea96dae9aeb88d05fade5ae6c29aa8eeec7fdc96e654c5ea41ea01e3104ca4d287bb03005feab0bd1f85e556bb6bc46a2227b14fd94f9e6cfd0341cfce951851feb967968d6cc818f364345b715bbf - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40784,6 +40983,7 @@ Nonce.14 = 46f8ee037b927ec766de0aba - PersonalisationString.14 = e6299e0eb5826e498d873ac02892f01e02f6632101fcc090 - Output.14 = d86bfd8f9d80eda3bd43850ea6edab2ba4f69ac8eea623fd6bbd5c0c920620f8cc136b0170f0310a156271981a9cf7629e1b8f0759de1e99e20a0930ce3bb7dd2d88bc9172a56108cdd736dc529a6b99862bed7d543bdceeebf450020762652d520105f5c5cc3c9a6ebb64af2a7e82b0 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40879,6 +41079,7 @@ AdditionalInputA.14 = 82f895626afb606f335f5f050f0fdf3b45275e0b451774f2 - AdditionalInputB.14 = d423d43240cb6461402a7755f247573f24fab496e00b2e5d - Output.14 = b32c753900d4a0a0650d35d0fc918b3aa5f253d4381598ed475147f32c8b002bc08678e45bed1b9b519cb9729972886f85e581c75d3c2c9fd6ced929be29aa3befcd1d3fabefec590ca55612c1a0409446a01398d0e4775a548d118a32f29b0dc29530329d2a7656e5d3ef66db2b9726 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -40929,6 +41130,7 @@ Entropy.14 = c617061099a17392c3092d27728b35e59eb45814e9df9fa5 - Nonce.14 = e1634c0d96cf91c53b063450 - Output.14 = f08234ed8621f1f551cf49ea60140313a71341f6886c484a06e74e64aba6f8ffc2cf1edd34cd93e836ab033fb0893e52e01da9b3104fe49584a45447c136222b1c1f1d3cf406a80ed9d782d2ae277790eefc5c06f954e654f7f283ddea79d2160cca1f63d0ad00eae9e882de34ba4083 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -41009,6 +41211,7 @@ AdditionalInputA.14 = 857ce19dd6e8a45be185875f1a98911062045553e8d28ac2 - AdditionalInputB.14 = b5f1998f0fa38145edb86ae4d569ef4dc2e0aac0a815d3b1 - Output.14 = 8f0d978b24bae2a0665beaddfa61e8896ed7976432bc4f7c444699e30b8da1ecbab8990bab9d0d72ef6f6b0b27ede12dc171a43a14092d57e3999cee71b1356da5f29b17fec227ca2a4887bd990fa33e1e01c8a9f900ffbeb300cc5ce9d7d2e25a44fafc07e34acd61d425e0d36fb0f4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -41074,6 +41277,7 @@ Nonce.14 = fc382061e29c4047c6f05dde - PersonalisationString.14 = 9b2eaa4c2a229cd2bc5de218aff95f6e5fbc7ef150bdb50a - Output.14 = ad49119d6b4f25ba34050920fc503d3d0d331ac2535d916a58d781317fcc2b1117618e9105ce192651ea9e19fa6756975d207c662f2b464416d849cb67b9af52abeb84f80863943af99c7916e78317a091ba90714ec8620f661b41d648c15c06e822329cd7f145446c5c3630a4243281 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -41169,6 +41373,7 @@ AdditionalInputA.14 = c9aac7bd9f15385facc344dedcfa754bc9f4f30277a3555a - AdditionalInputB.14 = 42de701acf5622b30e7672bf7115043a9912c1758c1b316f - Output.14 = 972ccd5aa60966bac39aa9c891c7c513244efbfe3446fde6806cee991851f1e4b3d4a4a0c04b57242deb4f53d27040879562fc5b32621b46a642f3c84063c5195faf9b78ed92145821ae554d58325b03d60e11461adaa8ac87876559e1cbe47f7b5c33a8311294b0e54a44c97d4d2c9d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -41219,6 +41424,7 @@ Entropy.14 = 47f141d1d0142d53c10628d2d1dd77aafc11ffe45f29b126 - Nonce.14 = a1e958e036afd40059ce9639 - Output.14 = 2096935329ffd975154c38a2c22e30ef12b7acbacd39868032d6eb31a596e617fc7e05026b3dae231f256ea94dd4ea4f05734eaa7916be6f846b0304ff0de389f3390e51641103e7dedee99e56d9455c80a7e10edfd2147a50b3864b05443a1646fccde2197af1d1d72ae3c2d4594218 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -41299,6 +41505,7 @@ AdditionalInputA.14 = 49a758a4e0a8ce69aa2e5f9b7940c6fbcbfc4fdc91165e4d - AdditionalInputB.14 = 9c8ebc02c3d92d33112a15747b6367b8d6db3447cb9be2af - Output.14 = 70cf10825dab6c1abcc1532a1b2bccd96f0638d02eedb40a7ebf97093f5d0295b6bc74d9e48290ab39260d684effcb401427a4ca62b971e5a31f06c14a9f8e3851c3e79dfe129ecf8a8e185ee58667e2b692474a0d5f0a39f9d794adf1cd71c1266563dde24dc944661acbf849fe69fa - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -41364,6 +41571,7 @@ Nonce.14 = 82dfae196513724ae269204e - PersonalisationString.14 = 6e01d897ae919812b8408f82edffcfed8db6df2e2cbebd95 - Output.14 = 6e9bebf2e54d8da4e8ede97ce463239245ff1b021acf4441312ddba96d1f3d750bf2b9583a8aee76e2ee36a56d8e2fd4e11377d15ba3ad0876fd467c375a744240de0a7b38974e0e7b27c3917ce4e22f2bc78861f6f8b1fb42edbb1b0cb869fe5169527064cf2f38c0154082af5457bd - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 0 -@@ -42619,6 +42827,7 @@ AdditionalInputA.14 = 9ba9285889d50c27bdeb4a830a5b3120931a53980b30643557444718cb - AdditionalInputB.14 = 0f8716df331067b8ccf0e5b90ff79dd0f962acc69fc5f89c593bbb84e3501ae2 - Output.14 = 9d2c0053a0fd3f9be1fe33db214f6f2d54aca573e0642bd269f1b1ca23c42a1e85c73449830673cca14feab4d2686814edbd90c325e0fbcd5a2d7ca75334dbb113a13a0bb4e838f6724c74dddfca8c2bfb903c362d3ea82acd60d01749f6dc01fcd6708009a58ee9cc57a0d089095efae66aaea68ac247cf6aa8808d1038a109 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -42669,6 +42878,7 @@ Entropy.14 = fd54cf77ed35022a3fd0dec88e58a207c8c069250066481388f12841d38ad985 - Nonce.14 = 91f9c02a1d205cdbcdf4d93054fde5f5 - Output.14 = f6d5bf594f44a1c7c9954ae498fe993f67f4e67ef4e349509719b7fd597311f2c123889203d90f147a242cfa863c691dc74cfe7027de25860c67d8ecd06bcd22dfec34f6b6c838e5aab34d89624378fb5598b9f30add2e10bdc439dcb1535878cec90a7cf7251675ccfb9ee37932b1a07cd9b523c07eff45a5e14d888be830c5ab06dcd5032278bf9627ff20dbec322e84038bac3b46229425e954283c4e061383ffe9b0558c59b1ece2a167a4ee27dd59afeeb16b38fbdb3c415f34b1c83a75 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -42749,6 +42959,7 @@ AdditionalInputA.14 = 809639f48ebf6756a530e1b6aad2036082b07b13ed3c13e80dc2b6ea56 - AdditionalInputB.14 = 3395902e0004e584123bb6926f89954a5d03cc13c3c3e3b70fd0cbe975c339a7 - Output.14 = 4a5a29bf725c8240ae6558641a6b8f2e584db031ef158124c4d1041fe56988fdaee91ca13925fee6d5e5748b26cc0275d45ef35abb56ad12e65aa6fe1d28a198f5aa7938fca4794c1a35f9a60a37c7360baf860efd20398c72a36b3c4805c67a185e2f099f034b80d04008c54d6a6e7ec727b1cace12e0119c171a02515ab18ea3d0a3463622dd88027b40567be96e5c301469b47d83f5a2056d1dc9341e0de101d6d5f1b78c61cc4a6bfd6f9184ebde7a97ccf53d393f26fd2afcae5ebedb7e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -42814,6 +43025,7 @@ Nonce.14 = afafaf2ad7e6449308e176be01edbc59 - PersonalisationString.14 = ddb4ced192f52bdfa17aa82391f57142ac50e77f428fa191e298c23899611aad - Output.14 = b978826b890ce8a264bf1ad1c486aaf5a80aa407428c0201dd047fa1b26e9ea9ff25a9149215b04c2f32b65e007e0059a8efe11481926925061c748678835c0066f596352123f0b883e0c6ab027da2486244da5e6033953af9e41eec02f15bebdb4e1215d964905e67c9e3945ec8177b8c4869efc70a165719b8e1f153c41744d44d3c56a15822d522e69bd277c0c0435fa93e5e1bc49bc9d02aee058a01a04580a6cad821e9f85cf764fc70dfae494cbfa924eab0eff7842e3541bc29156f6b - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -42909,6 +43121,7 @@ AdditionalInputA.14 = 9574ca51f21865c2fb0efc75cc9d90ec5e9c43104979cd64d00ea5544e - AdditionalInputB.14 = c0df840a18d7584b62c70b2f057bf824168edb673cb517cd9dac89a0fc80c9b4 - Output.14 = b31e50202f883a8563cf129a0d5f8a33abad79d8ec8a97167ed7fca778e5892480617cdf50b5e51547f7ec1bede35020a311572c61e33e9c82968e8f69586daea3dc19063bea56503f8ca482918d229949acd6f1c52cccdc5f7f4cd43602a72a5375f3aabfd2834ee0494823beada2daeccbed8d46984d1756fe2207ca92186b506115f6de7d840c0b3b658e4d422dbf07210f620c71545f74cdf39ff82de2b0b6b53fbfa0cf58014038184d34fc9617b71ccd22031b27a8fc5c7b338eeaf0fc - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -42959,6 +43172,7 @@ Entropy.14 = 5f28c73baaabbc09e8260df3b3577c21f2f02be057bf49d2e73098ed5ff67f89 - Nonce.14 = 8c2f85b546903d8d4c10fe4549c3f673 - Output.14 = 1563c678f1b072813888970996af33c2a6b70b8dfd2e146c46df0616509382062fc9c72d223ebd555f4d8892aafd7b3b61619559fe3d3e7b5e83c07f422eeac912ca7d8858a2d25b966a8b34348b8ebcf44a4651edb9cf5a886e383b01423322ab3002edc8c936aef869d7638f38ca6688c308d2a17fea0ded21901d8e9f1ff8508762cb1dc7e700970938a0ece74c1c2d1801230ea785165d62a7ab0d6d59caf36b30be8e2e1f691210373b7a2866e32ba4b49b6a2f9cc9b80aa1340ef5c76f - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43039,6 +43253,7 @@ AdditionalInputA.14 = b5d9cb4b3709adf297462f1aa8875c9f84bc39e323b8fe1c0df269344e - AdditionalInputB.14 = 5e47728cc468e0d2c6b6a90a20f83a9f0565716af54844552988f1d8c3a83eb7 - Output.14 = 548c3496135ecfa1119098ea2d862d421af024a844c37a02142e2545e4ff1038f4b73c7f6b7d0fba8f92f292cf5ca8fd57dbe7ce129423e0ddeb1dffe89252dd6b50495c88f350bb77e08c8be409064f7e9cb751aeb779eae30b7c471dc41365f128d22474a7e90a9953e948642001f8e6ba8f91d250d8b4c6407892cd96b12e5d94e4d7608e6c11604357436c8d1cc07a21aeb58d396f413a31f72af1ac06864ba68c04e0c25971c1315f5a8c5c04fe252105fc822452d0cf66f86af13d613e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43104,6 +43319,7 @@ Nonce.14 = d28f752f6e466e3fd9595fd380fa14b6 - PersonalisationString.14 = 232727310fdaac541b182497e5240dc2623a36b4efa7a912ab3ffaf9939c2336 - Output.14 = 3bc26201261930bf3dc164d25287e41efb47c07c8c5c0adf3e86613435df202116331cfccd4e07c9ef008c62d4199d937221a17dc97be2043270ecc605d3d48c609cbce3aecba3557dddb304f440250b2c9fd78838483e2d5a2b22015b97869b891f9e42afe21df5fbb8dfc9061468c70c63a14b6dcad9ccdeced41d021dc0ff47821415e8793d34377258d9d6629b9e396b9d6b8bb7fc22e03ecfd4890d16912001cb7ed002e33a595052ddf7b991c5607ab93c220b2122783d51a8372a223d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43199,6 +43415,7 @@ AdditionalInputA.14 = 50ceb01860d60ed119f101d5c573b5db00402dbb03885a09e8d326156f - AdditionalInputB.14 = 01e09092bc892916c29f7b515823f244d147d4b16976cebd6a76a37ef6e62998 - Output.14 = 6f1379c44d8131924c9a78286e80ebb34604ad78b531e795cc30c4f0aee422e4052f201ba226bc0c2aa3ec341fcbb5a87e24b91c36be7dda62addba6960df1289372e9677ce030555a9bd1691f559b8ff787dafa35cff5dfd66a2abd83f81552a82ba6ca7d21c438483e60fd77f93bc109f5be802035412c2af2873f5cb186b77dc055c0e0b27b16b1ef37de0b81fe63c4074a7cc8c3d27f71a992b5468351ef8b84a7b3e8f12458ff670d1381d879feeb1cd3b93436580c86bc2c33f27448d4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43249,6 +43466,7 @@ Entropy.14 = 57050c5fe58b2a2a0eba0d3b9c08a9b285e1180d2a297e0a9ad20740c6fa9f00 - Nonce.14 = fc309209936c569a1367d45b212a9a50 - Output.14 = 288668476b39814edbce5ed91951cec398ba2dc3bad76048df5fb1a2a680519c217ec4d57adc0251e1f8892a866b142e0953353bc2dd207aa2703f81814d26a60daedfe94d97de6043ed5f3bd957b7516681827f7a36d1b2a87b692c67aba050bc38b5e84f65f07d70cc34549f01aa390c5fc8dd01304fee7378e62549738e3f710ee6a4e32db3f472e1c2ef1e803e57a8ea992f389f0823c922bcea8b00ab844e071579170baae90839ffd5e00844ec343b02db090847cd323f8a68f0dce64e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43329,6 +43547,7 @@ AdditionalInputA.14 = a633f5f05ed8b09b70683a9f9a8e998ebf843b68a039dc3aa40cf30a5f - AdditionalInputB.14 = 9a57c6be8c1d992bcbd599952bd94a755d7ad686698991d189afd11cb88b9f53 - Output.14 = ae0fd8a1bf6f2f53f9e81ecf6f40ff6a36fef58a3f157b6a435403e48da4e88cab7871bfe2233b92afd228bfe3117d7cff0798225a901663d51f0491109b9c631dd6d32c5bec2da321b8e64ebaced87a27f17f67082df944fa94acc6c557fa6816001642e38b7d776c631212b782f71aed6db760f90e0de8e81baaf4d419170362932e6c319dab948749b331aae41b4cb3267da37c9233c36d65d5482c8940387498453b226af485a37ea16bd9e4f938618f70aec97e8c1430a8d8b6aae396e9 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43394,6 +43613,7 @@ Nonce.14 = e1609138b91637917ec170fa3c3fb278 - PersonalisationString.14 = 230db2e57b87e910cbab26fbac7fa93a65c07c1ec004c74637e346c2db63288f - Output.14 = fa58f2e96776b4aa079dbfb49d81d8abfcc30d459caeb45dec4f1766fdc3b234d52cdc5337ea770e71a28cc42c82cbefce896d1fecea5a5290300208aa79b5ff97d2091498d749b66a9e5b2da7b774567ae9f83b87a8417b1bd089935e575b16618ffe8ec04b91fc9315968dc395fa2bb8776133d3ede95aa89ae675881b26ca831fa5fe6cba800d2fed1d509353e8cba6f007cf3c5e0b9424cc034e1c817d5f7326764f5ed1d17ddf8900977a0172dfab50bf4819a67e4c1af4704f59eda3bc - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43489,6 +43709,7 @@ AdditionalInputA.14 = 32f618446311f03a0038dae07e85e19006a55b69501d764c241f683be5 - AdditionalInputB.14 = d64a97650e2f25362fd711c7abb5635672e16a02a1dd5ed8a181762e86f4f5be - Output.14 = 54ee53e6d18e974913ec235a37a706868f217af33b25e8e5369d90071be1d01035ca331b8514f3d6186a9ec62b1e7808b7fa22859eea21e4b8113ef770772561eff7f8b6ac22125d002f6ba9f53b235f7d85dd5b601787201ee1423de5d971b2e758b3955a048b50f118c01122a8e657f69a63843bea00a46c4fc2ebbae36adaebfe3e6c9b1c82e498d3fe48d332ac1bf31ab4c80830086c8ee4b1ea190f8e269f74cd760f5a29d244064d09c1bc30832482d5205e35604a388250a7a196ec74 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43539,6 +43760,7 @@ Entropy.14 = 9168436a8600415b83062125de0ce6a998090216dea7374af08e6d3becba054b - Nonce.14 = 94206c91dcdf9c7c3f3571c703013419 - Output.14 = ef12bd2b6dea20cd197ea9eabd98eec1a2943619cd2a96dd16a6c5485435e00c59570ff14d7d9fc09c99ade0e5ec12a84c0a8ccd5677fa9b92295eb2a620e8a0400bc9ad8a1ac1aa4969d8d04b77ad59b81d95cad75358698107dc8a2ff42adbd679ab29cc29cd6ea756f4c4e60c271c3134c48b5d5aedecf011e73c2663ad1cafe57120cc70137370760c350f4e9c0b8e9b01c9acaaeb56094434f4f87c67a5b5f674783204ab0d0598c06f0802a05ec97073c005f3c9f772fe0bb449c1cad0 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43619,6 +43841,7 @@ AdditionalInputA.14 = eb9e19bb6eb7b714dc4d56243897916364dae7bb3861a4697d7d3f2b14 - AdditionalInputB.14 = 156d12c7a1d0af2cb9f2d0610cedd9ed3b982e77bf4a9dc1ef0f71284b751ca4 - Output.14 = d3b0b0ac5150afdb3d9de12d2c8a7d45109436ed9c316aef1d1fc5bfba1cd37cd750841146dd08320539eb1678962e990f7b7662b44b918447e173672b873b8ab0348306cf6ae2bcc6756036870745436571763efde334dec5be7bb9920629a36cc5db66e8824695cabecb8bf092858e095a2a520eff140f483ec528131c850a8eaa48d8c997fbc810401ca378666d84020fd34af77fbe1152523e979560708fb15f3b7981e333ad4ee8c2fb6021a562f339616823cac5998cd919f82d43f41f - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -43684,6 +43907,7 @@ Nonce.14 = 733bf048e5b112426979a9879b6a0c10 - PersonalisationString.14 = 58d91008875f51d541c6fbd626a49a798dc51d9cf2e8588808e74953392800e7 - Output.14 = 1794335e21606d706dc89ace28c60a15c0c9f108f5ac882b103eb62e225de749285e5fb0be98a5bdc26e3c998ae418306380941d78acb7c81b91ef41cecab328332ac7404ace0ea858e7835534f778cab3e3e4eff043742e4f7d4d5725bcdca0b6be7ddbf79e57fcd1d5a4279f074a599abac2cd281ec6784e29d9399f5ffa8def3252acacc59844c0c24c20d029a89b4407e0b5cbe9a8d51241dd36bb82c400ec4571dd1baf831d58fed3dde4ac7f961be6ebc18af6bfa922a32b81ea11334a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 0 -@@ -44939,6 +45163,7 @@ AdditionalInputA.14 = 06df99a38f4222b9e7e1e3f4a6f488c1dfeafe847129d54c93bccb1649 - AdditionalInputB.14 = 3977a9671024bf0150752ba10c9f6432773bb71aaaa9d23d1ab72b90b7f0e088 - Output.14 = cd4fa86fb559475f4cf4a60f111d3d0f71646d3d25111889332f2451eda96390c607a0178e1e79e8124c7626ecaa9822495e5341dc6f24818f97951bb29434c7c48d05838fcf3b43b8314827d3acc8fbe2c4ae2ab066626c25c32a760002cb1d980169f7691bee5e329ff1ff4938d3bdaae583f3561499563198a5eb69e73f6b963a5d072d23e07b0ce48cd04b31f9ea349c2cae355ba478e26a5fa33d8f03af84235fb1743d30910f5557194e3609494019bd705f8cdbf3d1b4dafaa09c9d8037d2e0ba0f96948d4302e981162c34c12c2fabe1a42da517b7e5a1f796980371420cb305d0a316bee56767ce1aca9260231839b92fa26fd75846d9304427da27 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -44989,6 +45214,7 @@ Entropy.14 = 0cac1d970c06da6f224d49e5affec0fe338d0b375b66687b - Nonce.14 = 1fb1df257951ce8fc0cf12a5 - Output.14 = 7d6e2be5aa574b0edff39ea938e94143ed92b287262891dd2a6c9193b0237e8fbe10056e15785bd818e548452792a31c728acc14ce2bce9295d3776885018a57c8580a8e7df9a34ea960e0b39af4510711320528fa7a0badc6e25a0eead8cb091c404f626343c63d40044055ee9f9e35 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45069,6 +45295,7 @@ AdditionalInputA.14 = 38ead8a466e462f5c0617822c23294cdba07a80fd51dc241 - AdditionalInputB.14 = cacc9efb209c71b123498182d25081aab8f0159bed1fc0c6 - Output.14 = c200766d5caf72e64a77a7fcae1ae3d14681e33767ba2ba7faca26209fdcb59c7202c381b18adba07ef0ceef443d9e1c5888366bfd953d614bb184370b45ea2b44a251e381fd2bdb80bf4bb8dfe011e1b143032bae9ce82c2869537e70d36622bf23476163a2dace9ba863a5f0e3d303 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45134,6 +45361,7 @@ Nonce.14 = 7e2f3e4427d00de41ae92bf6 - PersonalisationString.14 = 2e8bc8edcdb3dfdd451542fbc68481b30964fdf8a6ca77cb - Output.14 = df949beb9b33d2c1522cf6fdb3206cb10b58411ba9e28a4096cda7662b69d23e0da2be9557b9a3b5a8d67db4d616ae9fda3a7e0a8516196568f7a81474c0264993b141f14066fbfc29da724e447f6e503385944e902510f0b3971f7bffc6a6a202ff88d8113bb222b104055f427fe770 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45229,6 +45457,7 @@ AdditionalInputA.14 = 23a781948449d82ee235d0495ca48d61aeb399d7e2ea68b8 - AdditionalInputB.14 = b52421e5b0e5281920da6975ee18d74ceebdd5d5de05c018 - Output.14 = c878a886e24e20a8b7e22e41ebb33a2b6e9a0168f4c72bebb78f0955c8449592e91c6a2f1ba5554c9459bf2702e67470c1df0b5125d651facc0a9339a2b7c921a51bc7203020f085c9231b3acd850ebfef0d0e13dc8bcfecf1f9853930ecd9b262cecaff0e2bed9e3b5b53343b733766 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45279,6 +45508,7 @@ Entropy.14 = 04c61e5cbd79804118267ee1c76db36b71b042bf60a1c891 - Nonce.14 = b833be09092d4755ee6118f6 - Output.14 = 0c4663313750b12daaeee80cb28f097cbe6f50df2022f9ff02a51fb373da42411c5856a136e9645e99e69aee273726d146e3ef4e546273eeca52b43c068887148b7197143f5b9a4c55d4b0544907ee9ad2f181d1b37742d1479d39e78e47505603550d2b28bc1d151a50bbac140988ec - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45359,6 +45589,7 @@ AdditionalInputA.14 = fa3bc697a6bd8ce341735365ad6e214d1e53e8d6d0a2c206 - AdditionalInputB.14 = bea0650424d1f26e75a49ae2dc529f1fdc552e3a0aa50948 - Output.14 = 4a718257296a3a99f199a5a24decf8f3e6209a4a7fb0b24913393c8309826ffcd6c47208ea6879921424ca55e63a7e5bc63a030cc48be7648da78fc9f314dacb2b8568635e5b14a94bb06a709a2f023a86a871dfd708204c911d94ef3690b3634e58de03fb20091d628bec834a760dd4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45424,6 +45655,7 @@ Nonce.14 = 4b729a67449bb5675a1f9d1f - PersonalisationString.14 = 9160b7c96fd367dd7d378e82be11ad1827c7661d76bc1fb4 - Output.14 = 1d7ab4500d99a18b8be2ffb8177c869059e25f1ffbddb36694fa8561da1d71f86a38accb1926339f6dff71ea8ed104c3518e62b00e520c51a096c1c62469e56b139e6384e982588e748a8074dccc51d558d944868e2b8e1dbd68bd83c663447590430ebe15c64aba4669d1a4a784d8c5 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45519,6 +45751,7 @@ AdditionalInputA.14 = c375af43c11115e995f47212f81cf3cdca5801d184d82235 - AdditionalInputB.14 = d2eea45f69c6d82dc3a7bb3be69d595c86c5ea5b4aee6001 - Output.14 = 907452bdf42eb168195313eefd090a2fe1be8b668b8ec7153a4ed4c07e6979244282e976decef02ffd4fd92b0d7b90bfc453cfd81a823dc162dde29dfa926f20e395d7432e0aea61c72e05c1673180bee3b47fa171cfba98864fc2bf83878e37c7dc019d465788aa1500ab3db8997d3c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45569,6 +45802,7 @@ Entropy.14 = b37ca70fd13538ef74c5a3c7ef00a78705919446954ec43f - Nonce.14 = 3ecbdff8cf33b50788dba82f - Output.14 = 1bcbccc535fbdc8617575d46ea5a9cef2622995dee19aa4b998325dd8d0935957170f6b18219354cd2759ba53c9c1f380586070db0c89979a581ce1e00ce38855e123dc3a2dc9ce74bc3b6e27c9603fb87c09a1d90bb540d267d456f5457daf0920a13119a2b805f9b97b154f80f4bbf - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45649,6 +45883,7 @@ AdditionalInputA.14 = 9fcab4a8d0d1036a6210d56a894f861fbfacd4b20c081f38 - AdditionalInputB.14 = e279bf650f812b8931662e59a0da7ab799c193da1f6eef1d - Output.14 = b3ec81a3cc8dfa4e1ea17d33566a4444bae9969244e7a8970eab02afc8797b5fc85b6614ab009625b81fbe078bfa4db78ced2d8b3f1e3342b477a3fb42cec7d44546585621bb8310075808aaddef32ede3e668e626711fdfaf2569721bf645edeaf74a9826aadf0a9cea9893aab4fe3c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45714,6 +45949,7 @@ Nonce.14 = 98ec3ae036755323042c08da - PersonalisationString.14 = e6f24d96c8d11cc68e72f56ee7e345c5a0083509821fdf17 - Output.14 = f5a9d375a58d1b337d245d29b7a9e352cbb0fc950276e042d075a71f4bc43b65b063bff299c670adfc46db39c4303adbbfebcea1df964c27d33cbfe4d46567475abff4f357252ff7d05ed4ac34e6ed14c33c192909426654d604736f3bb0ba01aa5e0454d60dfe8aa5b2df3a52df22d4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45809,6 +46045,7 @@ AdditionalInputA.14 = ec35738bedab1835d07ec7a6d9a5e6e0bf8a3283541b3216 - AdditionalInputB.14 = 689957f9c2c58f1ff34899bd0c295bbfacdd149ab378428a - Output.14 = 6eebecbac4dd64b170cf6aa84788f643755ad5c6c731b63bbba3b2bdc2694f1fd42fb077b4309a0cb09b5ed1107fee2379272351ca9221069530762e4c8ac4c142c30167a32ac2b82b728d57bef95d620cd1b7a2ab5c1a6fac2cc90e0f6cd003ef526485c8bf0dbc9baa7c1f0d6f763c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45859,6 +46096,7 @@ Entropy.14 = 2fe6d7ec78f76820cd88c41a5a958c399c7ad1619406caca - Nonce.14 = 1ed975755cad5e4c475c5945 - Output.14 = e34b31db083e58516cd60ead2e5b0d39e4a2bb47c2436531c0e700e484c27d3d233d10d1ea6c58148149751f24155fcd258f384d61000da88106a0205d693e4ddfbb5c35f101ff15e531e9ac4a988c16302a962146a3aba9af5c505697cf9aeb7bdb8c49c281458acc33ad4010122aa5 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -45939,6 +46177,7 @@ AdditionalInputA.14 = 17c87a351e940e261e8806e2548da44a751c550ff5f0257a - AdditionalInputB.14 = 7e3bb28f266786ae38c24876087fe35c7e43222382270380 - Output.14 = c943c9ff0cde86a62756465e6bf4fc9dc25447157537831c975782dad82f3e33e6e7790b41c158713b8978a6967bfadda9e15ef43922b3f93c8ccd0cfa834fbc6776f3c1b6369b4f25b1cd1189f8b8efc31be2dc151d3608eb2189a4f39c0f0a3deba00ffc97299c11c46885b424a7b2 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -46004,6 +46243,7 @@ Nonce.14 = 4fb71fac56d2aa35d7fa44d1 - PersonalisationString.14 = ad66fd02b6f6e30ce521ae0d783236c75cd3699696475ac7 - Output.14 = 4b2df98ad411407c1dff07b5c08e97ab501fc20ad191794dab73e9b4dce62470b3c70d75f07848f436f16a8c63ac31a75525bd928b5c76218099ec940e3ad193eecdbad834557e92602d7daa6e3eedcbccbc4d0829c8e1c7e59adb95ce928bb138870566eb27e4725191a9ebed50304c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 0 -@@ -46099,6 +46339,7 @@ AdditionalInputA.14 = 30a66bba0f4d6c249e271de8927b6ba1e99fefbf3386934f - AdditionalInputB.14 = 1ebe06fd88f8f914ea8f590483994fbf227613e7f49ff18a - Output.14 = 38b4e2bf6aaf771df03b3bc37a959955dec83f07af4bcd995957a31991c5ee18b5bcb7754f3bf6293665dff2b4769d081d9be6393803e2c62a73ed8ce4adb17b36c1e0deb8ff6106308be9019cd179a92feeb184d93a9348d3b14a70bf13fd74d12cc427496803b7fc041f87c630756c - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46149,6 +46390,7 @@ Entropy.14 = 7f422e735bdf349e4f51787571ffe061ec7e9181fa0b6a342e36611da25c1a15 - Nonce.14 = b09d8dc6997bcb567cfd788d0e06483c - Output.14 = b83bb6e99b0a5237242711e27779d05d2157402856f9653542f1ce52b1a7463e13d5c92309a06d8a78773ad70504b64ff070c2e6afa4ec3662f2729cb7552235b79c18e08354e334474f238ee74feb7e892d5701543f418cd7f2f5533437d9901dcc54687816f16eb7341b1707c6310a2085dbf387044a78fed850b42fe9d8b4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46229,6 +46471,7 @@ AdditionalInputA.14 = 5722b092a5a0195f14b5f236885538cc7a514e997876c06f634926c695 - AdditionalInputB.14 = 6e4f341a0524dd1085aad0b6c956057893f737704ca2fd8eaae6231e9691688f - Output.14 = a757af53227bd8555853ee2e643256074be9904d2fabb0ca86a645b0ed1905731cfbfdb7eefc83938fb576d7e5da8135300f8e934dca521637ed10e5e791e18e82c48085f511476452237ceb930e0307e228886d36aeb83d8e25ba23b38dce6dbc335de90b63db4021d6ebba5dfb6d8044a2bb7bb20aca679cde16406c8c4746 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46294,6 +46537,7 @@ Nonce.14 = 06b7b75d18365f4957489a09204b2672 - PersonalisationString.14 = 9e32f001033eba3bede220d4f351ce110e6ee2eb0b099ce54f9606a21d80b1ea - Output.14 = 508333114a0abd5fe10327daa0f1342c66569d912a64d8ae89227d0d8ed5b4052cf84f0c38927d88dc0d7c476e747965adc9579a4603a36566a1730f55ed7b100c1695f060674484781682ee629167f7adce89885ff04d722d960d0297d2abf79bd3338126c2d356a91bfa588f80db7ea365bf181fa5370c478a04d05a515b78 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46389,6 +46633,7 @@ AdditionalInputA.14 = 5b2d2bf0653e3c075c469de5e2a093193e700abff9792a9f3bc0d143fb - AdditionalInputB.14 = 976c765df6b57f0eed8661587045826c329f4f1994020de30fdd835912f72fe0 - Output.14 = d8275a104f1dad7412637d12fabf9dd1b06592850cd48a3f38304789911efe8f08970b8f90fa021b04039cd3d1ca573c1586e7ef586f4c623dfc559efc0f2c89e4136b59f0f5706a74679d1c95886a5ad05b9a850043cdb19d806d617b2f640f715351cff6920c47f96a42b872a512a7b2e99e4d0c2230861b16f3b38deb9b58 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46439,6 +46684,7 @@ Entropy.14 = df6edf960abe3aef5f50741907c0171906c0837ba3bfaa3a1044fcc4f19ed21f - Nonce.14 = ff2558bec3e5377c12697c908d629952 - Output.14 = 9d68c2674eac76f3ccabe1c6c0bad96d5fbdcb1629c939e397eefbcd2ec2f25803fbb9aa72db952f7fedcb290da99f34c0fdd637c37dde1446d475a61c38c3fc5c1ebf9541d136cb02a43b2646df7ee4bd0d9191157dac92a33f401f089ae15618624fc0baf707409aa2f80cd5d0676612c2667aa420acc6e016e6ba3f63c686 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46519,6 +46765,7 @@ AdditionalInputA.14 = 4bf2c816e2c3e9721d192a670153d620aded035ffa214cb0d7638432c3 - AdditionalInputB.14 = 06f515395ad7c3d025af7df781b49b62f068ec9398f6dab31ead6f917c663de0 - Output.14 = 1e70791e6a8ce753f959ab75d1225b44452ce7aed0fb53b56208b3f26419f004983c452d724c483b4f9b70d2d84734ce8ec0258d8edfac639b355204e14b5b7bc1d3aee6ddd9f5da54c6cb086d16ce381c2d5cefbceae3afd56c13441d80c7e6081aa68ff57f21d460370de9ae713c17ab14a81f0895e9e492af7c437d7a5799 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46584,6 +46831,7 @@ Nonce.14 = 2c4c4f3a953e551746f7e258821d24f6 - PersonalisationString.14 = 676a9304a3f744c62c7f5048f2137982c89860577cfcaf0d855514436ff8eff2 - Output.14 = 7bde8a5a34538655ab2ca26d0447eff3c6da298b3fa53ff0526eeeebaa4a876b60e47ca544ae30ccb00176ff84920bb4e4a4ebc3cf74b9cf8cd8ff9f7b11266a3c9bf918c458760bca6368ddfb3522edbc61ad14f2b638294e51d82e617d8c0c631aefbba50dbcd1a0a88963c3d63959909ce2cc669924d7163b01cac468c0d9 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46679,6 +46927,7 @@ AdditionalInputA.14 = c168776136197bc3877c824461994a4cb020b61ad1630bd8f38d0db211 - AdditionalInputB.14 = 4f54082a1b9e6cdc8599e1639865c00fd758f403adba5cb74a37e2b20f29b654 - Output.14 = b48984588cb54f78610e05c8a7ce12c630934f5ed2e4cee21e523fc65a7b8412189ac51823ecdf493844a859aa87f3e84645f22f0914245043f7b86287a85db97697bcc84684b072162c2fa636569df83fe85f1ae25204786bfdcf5eb85006d09a4d97b162248daa8ccbff9eca28b7bce9fdbddcb8679ba50b6648cb3bfe9af1 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46729,6 +46978,7 @@ Entropy.14 = abc502a99b7c3cf14262f6b036925a9904105b019592a2a6be26d71fc42c7444 - Nonce.14 = 40a212f9e1a5aa54f2c7ed4ccf631c9a - Output.14 = 0e747d83e2104367beca697db9b6bb994061d82aae7b1564f6a0911a1f599084a7ca7c94e232908d41df93a6b416e76146a53b490afb552124fc0c2087cc45de96390565b58f913b5dddbc55dcdd2617ea27858ae7c7748b31d832fec0fafe84594ad7b693cf972daa9521ad4134867339536ed5cdf02a758e40d5d96802f4fa - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46809,6 +47059,7 @@ AdditionalInputA.14 = 2a8cf10885a141125dae18c40f7bcb7e09c1b2726e22a7f776e4735279 - AdditionalInputB.14 = 7c2db5278d2336764d274bf9624db7eecad2db11c6622831e47338ea3ef02ad7 - Output.14 = 08ed2c3aa35812485ea8aa0b16149ee4f3207a0368be2035e202797939dd2a1c1db1ab244434edd783c7574bf48fc99f93827a1fee91cd1db1cad53512b6931d2d63018045b2a50a9b523a6ee212fbcb21ffa57ef998b4ce24e5f2f875a8ff3a45d8602cd56cfefd2f61f73d00dc33304a464f4fc1f7dd311b516a8da4e91151 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46874,6 +47125,7 @@ Nonce.14 = d5aa1d24b7c7564f6836f626bcc6d32b - PersonalisationString.14 = 4ef1e00dcda9e893d066ce48cd291258a29e0a234796c30a6465079cbc3d3aa4 - Output.14 = 43da46cb7b737ff7617715e3a8aa4c42d8cf1b62f32ea97d035514a10798f5bcaab550eab684cfbd5c8d3e1ce6d9fb026812e647ae6a50d3d8da8e9e2f1d5f7fe550e7e0b88e146925f2aa64690e1a5a5de152f6421837c15337efa80fdedb0a4754268bb83fcf0281b05b3885dc64b87f1da61b1ab219779ef44a1399b992ac - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -46969,6 +47221,7 @@ AdditionalInputA.14 = f8dbd6a405435595b2520bec5026075514955a666e4ca34b7d0339b0a0 - AdditionalInputB.14 = d9536bdf1c3944d4d239b6dd13750c16a2780d943d4cb5fbbe418189a7d65432 - Output.14 = b5e12e5082c09fbdda81d1a2229ef9bd46db84e62ecbcd1a2c4e88557f8ed3b5af740fac2bddaaf441b66084ce2239adfc9d02f001cd23470535f13ee6ed73256adf902b359930093ffb293a7c007074582a356529ea3ed9a5ac0a1a3f62df5fe09d27f5a7ac6abdf1fbd5f5e5da70da5e3037fb062d0817b077b56457238108 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -47019,6 +47272,7 @@ Entropy.14 = d233eed6e4a43436e4418ac071bf9ec00d463d0568cfaf7b4174f96c1f6b8564 - Nonce.14 = ea8e646e88f7fd6c8e590155df15558d - Output.14 = 314dca793ee1eb0dbe48bedc324b557966ac7a17b900bc4167ab4b65fe6b34ae625c200c4e21428ed258fe28b99c31cc4e8f9eb93a793c3e33fb0b75a2595a3201d939dddfa27911ad6f731894e16692343f25de291da89570a257a95cccb42f7d9820afa9b35d16664f95a2099ac929683b7480a4d1e34291853047ced3302a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -47099,6 +47353,7 @@ AdditionalInputA.14 = 46cc09705223bd3c01fa037d9a19dd2465bc612f519e51d33fbc845742 - AdditionalInputB.14 = a9f78f79d034d46086bbe5c8883dc2a34a1a17414aad2c767a3b3f23dfc9b637 - Output.14 = 2674afd329d03ad3b1bb8157c3100a312e29bd72b55139c408afe7f2c9e6d53df2cb8b829b7351a80cca8f0b59d60f6454ba60b154f654a09aa82a63fb28ceab9435cb6022934a0599a4c3a005bccdaa8bdaf8246ca654692a6c038cc82fea477fabdf3d6a0975e952ce3feb7fe8c4510b8c5347b21da5431cfee69e9dd2d8c4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -47164,6 +47419,7 @@ Nonce.14 = 4788964160bb81d6f6c2675008b05410 - PersonalisationString.14 = c56e284ac65798010eb7bd39ffdf49bc25fc2e663e90ff93f73c97e65ea82935 - Output.14 = 683493fb3c6ba0ae0c42009beb39fc37a9d235fb3fa00648ce4d60b4d6bdecdbaa1e2ca0c0fc80c53f6f8ceab31c3c42764b8f23c4cda91743be33e0a77fe5a4297701bdec6b2a5712e76c64bb8b7e03a257c140cd8aafef046b049303679a7904f029444d92d673107bdbf769fc1130429ff64b527b0ce2420e2c70e8998ee8 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/256 - PredictionResistance = 0 -@@ -58071,6 +58327,7 @@ AdditionalInputB.14 = b07198a49bc854cfc9d6d7466fe24948 - EntropyPredictionResistanceB.14 = 7b558b48f3c891a77fed293881775118 - Output.14 = 878d26fb57589d42497b869564a1dac5adf1b83615f9ab9fc30b5140f79e3b7f525f1eff2e68002801939aa0728432efad829b5b12491404fb50f2584a3bdea8785e79390501978704a667ec5d04da56 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58151,6 +58408,7 @@ EntropyPredictionResistanceA.14 = e734a035d71399a60be221b8c383044fc83506429a7eaf - EntropyPredictionResistanceB.14 = 51325a5d10137cd3ef2c6cd2290593a73361b298b9fc0099 - Output.14 = 12b008fd1ebb36ee67678a8b90ebd4ae333451aac2961d2ecf0d3fe2321fa520543452505e1e6216921ac380ddd88c51fc8b6b873b77b73b38558163845e2bf67661c05896da0efbd6c0faf0e363103abce11ab27da19c21564d8ec067802a0000e61fc33f43c12b854b85d6166a3a3a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58261,6 +58519,7 @@ AdditionalInputB.14 = dc30a416e609cd52562109d22960e1295e3fc6eb66709704 - EntropyPredictionResistanceB.14 = 849864c63ae33d51a3b2e282325729df0d01b4b6efe4d2b0 - Output.14 = f2206a4e8008a5b32a3a3e271e9673031f536eda568fc2cf7013b4b342af76bf4ebdf867e7f2e2e89fbf2f63cb6e096671d360eb72223e96d9bacdc2195138770870557b88e770b7a439094e2eba6b529e54a25c75237c4b4fcbd06efa77f6174ba64071d2c3caf13fc1fad0c0cf005a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58356,6 +58615,7 @@ EntropyPredictionResistanceA.14 = e0b1ad06619cc7e6b06fa369846d0718061e4ac707d1a7 - EntropyPredictionResistanceB.14 = 2941e7b99738be35a340fbf29bb443547f3128e5435ae876 - Output.14 = 07a627ee351cd794c19148459821ee504770bfdc07399fede63f1e22c3d76a57ae1da3c66403d789a8f2f4a0f071dec3fa102bcaf791222d2b0de7cc5b9d8f59b6b23d441b006eec851856c8abb152b84828a88f06e1f4cb257dbe00ce4d4868532782b06da28f923bf8e3f38d4ba50a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58481,6 +58741,7 @@ AdditionalInputB.14 = ae204b086225c6659bd8c2487b1b91310c3d65c6a18a8081 - EntropyPredictionResistanceB.14 = f69f38c433c8f892d4aa3d1c7b97903711b6e0f5445ca61b - Output.14 = e4b3c801cee482f2d70a92fa7d4d2b9b19a1827287ea50698de61f82a095246dbc3abf102510c3fd413d6a8a9b9c88b186a177c14e013672fe3056722ee69fc3a49679f9d1cc0707ebb29297472343884dd6637bf094af5dd40bd1be4a269cf4fa65c163347ecd0fb6935eda690402ac - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58561,6 +58822,7 @@ EntropyPredictionResistanceA.14 = babb7e1e29089815ef8d794611a3164b54617f8edcae51 - EntropyPredictionResistanceB.14 = 06ab40819ac75f8609d7759fdecd3274d231781c939516ba - Output.14 = 80abf3d122e8917731a3ad6c8cc0495aa302d521384a155707f1302fd2c14ff9b8d6a12027b05cfb050fc45baee976715aa9cc606b943c785001c0431175278ed18d3b4c99bb7380598db4e9462e472ed9ede95c2e357f37152d1a76a60fbef4f97751fd111d9b965645de5c823d64bb - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58671,6 +58933,7 @@ AdditionalInputB.14 = 32460d6c3eb7912389edb486462038fe90505f7bd5d8e46d - EntropyPredictionResistanceB.14 = 31b1b8fd7753800a1d3c3849ccb22a7c28ea4cec21e71c91 - Output.14 = 77e3b89a60d91cfbbdac8215a3fcc000ae61a86016cefd998de3561ff76e188eda8910c08e964fdac58e3bb30f4af464b92812e15178a97d3215699f21b9775d3d4b11fb16541eeda2956937e43bd4e928f3856bced91c2e9a3c741f89894912cdec7acdb0652542fd08acb6d6ce2c66 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58766,6 +59029,7 @@ EntropyPredictionResistanceA.14 = 7a40b0bd455f5eed4ea7fef036c5b044425ef2138b18f1 - EntropyPredictionResistanceB.14 = 33bd20a02d78688da2b43f2222894d508f63851fa8217b6e - Output.14 = 1d0bcbbddc32be27ad0408c93d49f328832dd15beafaf969fa8f991b18faf1cf4cd1ae7103cf94135c1fa9beaef66f75d825cd9c3a16697337d746069a94aa8881e9ca841fc61fadc3701fec3fe65f750240c7da05884828ac3cb87289567c4e491ddb3f1ca5cdc08b5fcd3d8f91136a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58891,6 +59155,7 @@ AdditionalInputB.14 = 528bc69e8fc2c45ad8006dc7a865ca73c31a679adbcb0656 - EntropyPredictionResistanceB.14 = 97bbf5c91c830c627a1dfb629a0f40943655d70ef97fe922 - Output.14 = d9cafae3bfbcfe622c82f137700f959f79ea11d07631abc26beb2d846e375a2b21165db0c568e1ae54d03c26f0ecdfa2564bf5c3c6c902abba3b2ff994ce191caba7e89b129c303e5169f4ec2e415a90523efc792e6aa2caf5ef583d286285f7d4900d79fce6afdd184d9993f85cd6d6 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -58971,6 +59236,7 @@ EntropyPredictionResistanceA.14 = 58e89c98a93710a6856da202b373749dcf3f60c16fe067 - EntropyPredictionResistanceB.14 = bebbc0ee84a187340613ff138c5abc0aab2e86f57f337712 - Output.14 = 13949feb41c811c6894809f16ab5b34be3fe3753416a8fceb0c6de131167d0bf60409b753385307b71e2622a46a42f1561b4793c6f0394fda66115c95dce20753a9caec5aa5263f6581db8195bb7de7e4b13761fd43eff13741849b8556247f08a58c9b180269f213eba0476c7fd3394 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -59081,6 +59347,7 @@ AdditionalInputB.14 = 15f279e7677894af10821b9cc0ddc9238b318dc9020b05e5 - EntropyPredictionResistanceB.14 = 878d41b7c5951930acb26a23c06501b88d1474796e536225 - Output.14 = 8f96cd7a4e6363be72a9b45bdf8253fb47d0b50ddb3c5dfc8825f2c44366106b1094cc65d60d86542c25830a3d0f247326fbb941053df81a1d0789318563b870a81f9e554d8349b669f528d6889247d23896186c620b93b239c1d18861cfde3c123c80b4e9d5e338bd83bc2e97135ee2 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -59176,6 +59443,7 @@ EntropyPredictionResistanceA.14 = 62b1fbffc1d23ec871ec6c85c76f1bae9ec7b7cf85eeff - EntropyPredictionResistanceB.14 = ad80381072e85622e48978527ee673151fcc036c0096094e - Output.14 = c5d7cf9f1f83f497ef8c48eb81898ad1616c00cf2788a32c5878c3ea868eb3848cfc2961c8095f9c65052ba063707ea69f9d6ad9c4ac9858fb2470543dc4d2d2fb3eab11994e6ce387809c3e7595ede565ae549b25070f7ffdc630ee0ef8ac9835dbcc5cb5c9570143006ac691265a89 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -59301,6 +59569,7 @@ AdditionalInputB.14 = 6abc274f05fc74ffe1a0bac13cffb199eb87d66b385fb675 - EntropyPredictionResistanceB.14 = b3a9b4f5f51dc337d12d34dddf231ca21dd98f0775a53ae7 - Output.14 = 86732afa068efb5fdadf94ac34ec595eba831694cae1dc892e9c028ca78f950afbe78191457a115f3c444e5735bdbc40d787294de99043c96ce49176fd17d721f5b467943219437f3e1bea373fcad275e64bd35cd4aacd1f3c126bcb59b50d905bf40966dcbd474978abe1899bf0c4a7 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -59381,6 +59650,7 @@ EntropyPredictionResistanceA.14 = 058a109cc72dd766556a142a2d59acbc036cc86d476fb9 - EntropyPredictionResistanceB.14 = 97f27faad6528c42dcd97c1313c0e9043a043e0ab0b58395 - Output.14 = 3f5095a28e5674becd4b895d8918a36ba3cbf44f09c8c80b155f217e9b783b4ba99bf3ef183371bc3c5a654e3dc2346b605463abe63313cbf0919693965712366574e175d910e263f5086ee862672bd9c59a461f2d66a9b397570c86a09e2e4eab77aa139133789424482e94b9ba63d4 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -59491,6 +59761,7 @@ AdditionalInputB.14 = 3d9654ec477ddb9d1928cf286f599736d51eb35af1eb3738 - EntropyPredictionResistanceB.14 = b8de4fffb86a4c7af05d85f7855aec4c8b463676b9b9eca4 - Output.14 = 33f691da4b3f351aa15acebafdc181da1a57883f0ded8b7223ab9c1b80e913644f850e3511e901175c7be68c96dc2b6175f69ea91218bf09dfd8b91a79e7499c8386746c260f29a22c6a000659e8aeee4c83f1484d5c09677f15d3bc045a2ddbf0b72c179dfe260e5054a75fd11c6867 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -59586,6 +59857,7 @@ EntropyPredictionResistanceA.14 = 4afd7a280d8eb867f842e2e84f2c84d78749aa25c1201e - EntropyPredictionResistanceB.14 = 7d3e4a62634e7c6f74610ae4aacc62ca147fd1699c5b246e - Output.14 = 5c89bce4759878a3fe7b510c1b0c5ebfb2b085f89c3c4fa8cf6755cb51ba16dcc516402783d7870296f848bc285a5100a548e51cab01cd60638ecf2ecdf63f6d1c793aec14c4b179880687022acb9c90907e53fcede69d26f68a53815a6746c5bb80ecb22bc7d134da3412ba7c31477b - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -61351,6 +61623,7 @@ AdditionalInputB.14 = ced31f7e0dae5bb5c043e246b29473e2fd39512ead4569eee3e3803314 - EntropyPredictionResistanceB.14 = c73832534681ede37e03846d3c841767297d246c689241d2e775be7ec996293d - Output.14 = 60c234cfafb468033bf195e578ce266e1465326a96a9e03f8b893670ef62754d5e80d553a1f84950208b9343079f2ef856e9c570618597b5dc82a2daeaa3fd9b2fd2a0d71bc62935ccb83da0679805a0e31efee4f0e513b08317faca935e382948d272db763e6df32510ff1b99fff8c60eb0dd292ebcbbc80a016ed3b00e4eab - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -61431,6 +61704,7 @@ EntropyPredictionResistanceA.14 = a835812aff799db76764365d3cfce7a70d168ca8a363e7 - EntropyPredictionResistanceB.14 = 6cc406628d2fa0771f896079d052d057f60b334e620315f2cb3e658b1323e7ac - Output.14 = 36c2e433e06280c1219c2f2992985e74117d35aafbeefb6468d9576fc4a23f97f131874c0c4c18b9cc6028f881eb42f0e011f2c19bb60db5f5eb65114365c659790a3f423f986eb5ccec70118e48e7ecb40e40c31a6c4b8752e8fc841df65ee68c6343579bf95e10ff99486d9793eb6a92471622b3d60297d9b0faa9e7d925d3ec9cc05bc9853c18930a5f64a8aa9e139baa625665aacd443f1469d11a6c24a3e079b952cc8b5f75ddc9fb7d96b8b14cf255c2fe7619212f281364bcd8958bd2 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -61541,6 +61815,7 @@ AdditionalInputB.14 = d8e5e99dd1498f4cbf4224e4c7ac40aa7e077521ff5abfb836d8483d6a - EntropyPredictionResistanceB.14 = cc122d075bde2cb4ce5e48d72d5f6fb99529262118b01cca6639fff83adcb977 - Output.14 = bbc4a9e2c9ee0e3f1e55e77cbb8d0ff902bf5d6853a5aed3fc0de3275da712b031a723ce201448e3d15360e5471f11bbd30029c6574db47d9d3275a8559294695b4ab832d656defecc9d6086a01895f74f67ad0643e77cccf92ff358440f3efdca3cb816687e940b7e30bf50795f111175a7a564333b21b32a0b9d26b093c396dcdcf3203e8ecd902c3de0ab0c82ac4c1d68f77da85383e60b3ac403b8ea339a97088539aa0004e3a7fb39a827aa0d27eb308d8ae29c07cb5b0495cedb839863 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -61636,6 +61911,7 @@ EntropyPredictionResistanceA.14 = 54ca39bb5d569901c657e36d0a8e103551e25f9a3a40a3 - EntropyPredictionResistanceB.14 = 9c2962c0e03e96c94b9a616fdd52b1f04945597b372ed5c69469b29b3bfa71cc - Output.14 = 96cd0e64c1dfbf51e067b2eafd896d30580f46e29ecc1e51cc662e0acecad5529d2bb177d60c02e7cf415777a85feece50113942eed54a5b328cbc007a72a0db1500f17e5fa1cbd1231a8608dc25f64e1e078d7e0b4c49ba34e4659b9642f79acd108de0c92e52af86a4a82f23df12826f8f44a88cd99f576897896d17d7ab19ad02be4660b8a5840552cc73b5e24e76705485c70ca57b07eac35765ccc51d0795abc229aadc0101a056e047d7514c9d9294ef9458d5f7f5328673defb3c5aac - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -61761,6 +62037,7 @@ AdditionalInputB.14 = 9d015ac36aa25905ab1ad61c4c5ced15620306935c548b63f6274d0e69 - EntropyPredictionResistanceB.14 = 462b911da3ed588f1e57e952379c76f4c32b1db3f85fce3315904d38bdd5ca9d - Output.14 = 1beaa2df060fcbb134e8af0f7e1c4e6073fa23deac0a774825978a42083b18c559de8ddd6652dc89abfd8006ba18d9bb9f579f611fe02984870f160e4f4516d6a708253e3c57896a0c9491b7c218e4131d29d31ff331c411c157ba071289a0004d3ee5fc6bc0e8aaf4bb934f48521c5c30aea79fc752720c3cdf67517abae2b936a75b669edd0f86d0d9d01bfb91033c431a4f8c2822f4f055c39a8451c3169dd63597ed1710915d5ed1fb8af25e2db01fe1cf60b8ed59ff0af91282db367afb - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -61841,6 +62118,7 @@ EntropyPredictionResistanceA.14 = 523aa2f18ed872566ae4fa9061a83dbe1e213fe141e84d - EntropyPredictionResistanceB.14 = 101ca246a89f650b9f6e3282a908d51742e4f2b9a0fa987e9c8f8be89f3d7ce7 - Output.14 = 2a34c78d5ebc24dfb34250a1a2601f044e15969ea37e791110261f86d1c7e8c60b60cb4515649cb277526d4cca4bc6d31f14b42dc4da15044deb36cd9040a73e5f32806270cd503af2c7a6af85d2c9b91480df5677d9c2da368621dc7dbab8ca1ec634246fd55120058a7c0e16dc934e69fbe890a16a2b759b9d10c23fb57a188d906585c87c26a70cfa69aa7609c3a4226494b9498e6bafe0632ce06a82ee60b7bf275edc4ac862e3a2bc7683cd2258663d1cf2d0fa95ca75ee9dd85bcd42a0 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -61951,6 +62229,7 @@ AdditionalInputB.14 = af0921fd29ae0315837039a4ecd285de2d6e04f97bd6b18a480ff31c3e - EntropyPredictionResistanceB.14 = 028ae7d410cadffbb1a8dd1a26649c51abda3729d64ef24049157b8250c532fa - Output.14 = c4552eee3b4b58c5ac306a607e3047bedb0fc06f921f28f859324ffae46d95b5a235d32dbf68b6093498a02270ac6988c13467481553996e6ad080b5b7dee800807e9e8776d0f338fd2dcfa74716a9663c3984fff72167afdc5a5292a85663d1b243b96e7ea070021fce1f269de1f5ccb60c8f3755a7b7c9f36dd5fa5894ccb3838d568507a9bcc418a82eed820b6c35ee66c40ad9bc718ef73fd7f8c956cbcbc173b9ac0d7f3f40ff37da2d4572a8901d84c216e1ef2b90bd531aa9238af339 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62046,6 +62325,7 @@ EntropyPredictionResistanceA.14 = 0ef1d45b978c565be7e64b9e455e02636ce9d2981bab7d - EntropyPredictionResistanceB.14 = cfe1c350d349c38b6f4568e2f1ca53493be77597271ecedc5ed578abf1f94096 - Output.14 = 49c4c52a81741d2eb583eb6038c1c686b84ec9e8a882d1ef509777a5bb431eb9ae711412afd5ceaeea212c2dbbb17652881b20b2517f1b720eb528274f937b4c41c4991730bbc7979d305859fd1fed523af128347f9fb3e3df22afc4be9f43ab6c5529f720b766cb519700ac83e83668083199f02c5ec80d29621d6c41394a927839bcccd802fc00839923a482ab82061bc96798046c20a11429f266195820862b8e242b083b12567c17e0423d01a7f77f5d4d035eb75c797019d798b54148ec - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62171,6 +62451,7 @@ AdditionalInputB.14 = 64d3689e23425f428b99b64736cc26c475f72fbc564f86f99ec4e22440 - EntropyPredictionResistanceB.14 = 1dd8eded094fc0baea87df0317255fb06ca6e3470c9d1d52e5b238513ddf93ec - Output.14 = e52e2c91e99f31080afc7398ed67f4b7ca0b48e9db242815524b192c7bec24b4aa2aaa3449ed5c49053273b8f30773784c27355c238c7c3c8b8085a5b2917a46862fb0d7cb0b52d62e630f7fb55be54977a15d3e82ba09a7d26e270384ed5b0a381920ea2c9c6a2da7a123f811a066c81eb3b8b92d7bfd62007a19a13725566d35b0c811b4f4a951f3fa83cc7809c623c9af5317054ee1567109d3772965eb3cf6e2c399d89e5fd59c5aa1391d149a09d002ff7e6d1efbad2624c71d01ec184d - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62251,6 +62532,7 @@ EntropyPredictionResistanceA.14 = 32822d7374b2a24cc00a9217ff5dd17c6962d40d9c739d - EntropyPredictionResistanceB.14 = 98f2d35e46d162b562842886552bb854212fb652431058cc02e9963c07128406 - Output.14 = 73f40fdf6550d37fd7c9f64221e7d0447cdf6911e5aeb7b80ea6307a3f97b7d4d6e42eff11e8c53d18504a6b8c735d9d89c6e1f0fff47f2dc3ad823229cd0bb811c50aca7f3f8b7890df6da7ea279e3f0582a580ac18c3a42b10e5be088c90d3aced0418c6183b0ce11957052c9e48a8e30f12e1e5deaf68d29e4809e7fed178b541c80930b6b3b782121b99c41ccb98046147a6e08294e2f8a9a215ff77b4f6729a0585a554014c60b36ba29db8de4cb11f3e20b4bb2406d03f7f1d4601ea23 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62361,6 +62643,7 @@ AdditionalInputB.14 = 4d60a3f6c5fad0b57ee38f5ccc9c83843344dcce4f5dc056d813eb9fca - EntropyPredictionResistanceB.14 = 50915e1d171a23bb7328650449a6845c181ad304b5415e05e4bb8f6820a7adc9 - Output.14 = 08071e75400f6f225a1801359983a0fb4d6fdd1bc74f8a78d9f54b1027df0b4167acfbced55ad735a99ece966bd1e79a71ffb62c4526b8afe1a276976d9b3b765b9533f50e750651596ca53a24af1606a2cf6aab27ab3026437b7a03a0507c1913e6ae1718d6d69c7e09f808cf97c73a6195550a0f4cb426df27362b0f005226bd54e0df9c5e5038c75da6f8f77bd5fa35b9a3324b0aea322f5e48c203ee228483ac0f56a67dedcd1d706b8f0a69fa7946f1177a313241066b5324249faa7cf8 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62456,6 +62739,7 @@ EntropyPredictionResistanceA.14 = fd31acdbc71e112a4db2ceff387d4b6db1e7c714e89390 - EntropyPredictionResistanceB.14 = 754a7e0ea6eb9e18483e0ed7045ae6f7ccc6cc626ddc1cc2b317ee78782c6e19 - Output.14 = 978543a7389db3122a01947a9a8ede689a4fba9c0d72b74e1aec38ec6fda8e7b519e5ce91eee5c532c9df49c8a36a64818230c5535d262061e96cbdb9e7bef5d7330a2989c3d3012727a18d2c96931b66f48bb0bf6cefcf783c65b0e094e44b0227e3e898215aa3afa2a71dfd832c6e11b3522940cea0482b5f24a90d12e5aea53bad0d028abaa4c45c54828272a9ce543e8cd7ad10a3daf15055e3999e94a62a7281ddf1dff41ad3e30c19ab8c50c759607203ed67c153a33f52130670d1f1a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62581,6 +62865,7 @@ AdditionalInputB.14 = d56dffe6e68ff34c828ed6daa6957db8f8f1eb0683f6788ebc4d7ba42e - EntropyPredictionResistanceB.14 = caaee38a60aa69e7fbf710f0d03ac18ed70bf50590dc7854e2ba78edf2f6a826 - Output.14 = bd2334cb3356a211a759fbad57708e815889f3961b4c6a0f5475792d1f0db772af058bc44ab716d02f11e37bbc74f59ef046d01f99056eb4366435b23bcd92f5c761d22551e66ce180defd47fc43afc361bb2ec8a3c92727bd63329f1397bd5ac689709b529fafb7a8a70437790384213a3f1b27c6086fee25cbc3c0a2874c8a85dfe7022a5ca7365e9a715bd0904dfc999eba168466766316fd196a1fa139e37cfa30be486b0fa1ca03602becbbe97869535913b1f9e00b12f4f2085794c0d2 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62661,6 +62946,7 @@ EntropyPredictionResistanceA.14 = 957544da181d9451e52bad53ecc6e598e94e55434ba806 - EntropyPredictionResistanceB.14 = c8c9ed877603789c92d8dbcccd10bf34e26fd34804178db31a6ec0486fdf44a8 - Output.14 = 10e2ef2c3bf4836f072688eede8aad92da8ba7cc06bb2af2243fc2e7ccf9f9489a7ccfda36b2d91420df270ea9402b9716b95db186aa1859fa0e9a5cc389dbd7ad94490818fa34804a773d8dfe054cfa663267b8d21dd58cc199d7d3f7fa1abe54ef8d4cb2fb0f72a02537b0901c03b848c491784afd314d92b409b51a8ce88a3b7907e36170bcb1004a65c49785e9c14d6ad8871d6474d890b3f1599550d41c0b7a9b39c7e30a8932ce5a832137f77b97081088a8fce641e03875102e51b9da - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62771,6 +63057,7 @@ AdditionalInputB.14 = cb7cd7e4239a550b8f65366cbb39c50c551d83976a01ce82aba7517530 - EntropyPredictionResistanceB.14 = 2ff81fd74a033d6333f732f4cefbf021a90b42c9daa6830c2ab2899b64a05320 - Output.14 = 932fac5d00f0026d0c439912ea5714fbca4385d25e8a3dd42440087bc3114ae946f32c7d7a22a0a699ce8b840b6edf5975d70961cb91f8aacc3dd826dc6e88bc780eaff13c80abcc8461d6fbd53122fe8574295ee67a624108d4aba3cf333c58316ce811194c9db18b2c1d897f385a3d7732a86d867a361b9f7f502421f12f53e97f0ebed34e03039bc903c104025e2b0bfd76f1bc70597946f97c0815fd1b7043e007a3542d0c2a8250935d0e705e8854d4f2b991bd8e11b446e0bcbaa4d695 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -62866,6 +63153,7 @@ EntropyPredictionResistanceA.14 = 44d6b1c7d7e951ce59f1cd023717a4a06eb3b55e78e64f - EntropyPredictionResistanceB.14 = 6ce1aaedda5818985583c96218d19d63c23aaf9ab6614556a5d3df0c3c5a3fcd - Output.14 = a2a7bcb7752b27516c35c2a42c912462205c267120c0ae06e6413ec13a93563443a81f7f68694d8212237adfd474e765dd00c73a350d793202e6899492a135876d06eb30630527b2064c310bf65fe2f8bb0ecb53367658603775caf3c8fa9afbe38d09e67bfb73eee11f216e4619f2008c739d1637ecb046b459d5ce49defd273d0c238d0468742a023a00a50aaeab976b66abddca704ce7ccff7ed754cd0380c963b0e044b7477acb6bce83c4567638ae740e329c062bdfdfe5386a1958da8e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -64631,6 +64919,7 @@ AdditionalInputB.14 = cf2040e9046a69dd9638de941f0090b7535c51cfa9f1c7bb2a56a33232 - EntropyPredictionResistanceB.14 = b871611f8fcb8c860a72c4fd406d4939335a031e0de9f2d436d4736b6b060c2d - Output.14 = 2d990f0de43d3a4b2930542c27ad27458e8865ca6b8f27fd7a969cf4e2a0323e38fe6f505a2dba488ea6b04365209c6db786cbbf0a7c73b4fd56d24987719db0fdba1a3f07149521dcf5b7759c610da22d151057acefe70df1ccaeb67a975159b8996aca93d7a48096926db4381bbce481277d7ab27cbc0388f0b7cedbbfb8421cb1dc5f2a9c677f62acf96ab25e7e406ce82f5b96bcb471afbdf4b3f5a6fbcb8da45d2258e350e77d4633b0c1da691662dd869909dcfd7c8ed0f54ba7af0f9c038eb32d32b705e51b35bb3c2eeff010bb47ee326c2318b5bcda963c2dad419c5923e368d9b28f25b048a87bdba0a90d98c24c81b6dbde0f58054a41a8293a65 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -64711,6 +65000,7 @@ EntropyPredictionResistanceA.14 = c6e791bf03cb41dd67d8d0e6afc88cdb3243c6d8c99ec6 - EntropyPredictionResistanceB.14 = 4b107f56ea9cf896bc58a6409dfab2fa65adf930488f634e - Output.14 = 9c25b3a34af68768dc47e8521b70dd52bd3243c8c4ca911fc32b6a191e4abb7a56c2ae535ee17899ddd7d3011386c60d4dd1c7a0f3bbc27224e1471e061675d28d726a6463d45612b6b1913136be596255ee2f1cac4f24400bc50ed41a30e4c4dc1a32524617e51ce2fe41a829d164c4 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -64821,6 +65111,7 @@ AdditionalInputB.14 = 67333be1a1d8ccfeaf0bb6836abc101f9be86f6584168b71 - EntropyPredictionResistanceB.14 = bc9be23eb198d7a9c821bf848dc659b6c5c7b001b388078f - Output.14 = 9d45b149af6ddd8231aef5d6ac48dc80cea748f860edbb447c3e181be541c0cc384bd2b3d39a7dbda865cbae5da0e6e9e4230728a819e1dfb9b7ac9b6610ea5fc42554b357f4f4b2d48ece49fb86127d5669cb4d361be9fb22c658264a850bd927252ce83ad57e7373689acbb1b2c266 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -64916,6 +65207,7 @@ EntropyPredictionResistanceA.14 = 1faaa87f7d4767c15792faaeff52c850e7d1779819fbee - EntropyPredictionResistanceB.14 = 79cf8e36b1ea35077793e4dfe4e4cc736fc8071c72ec9ee3 - Output.14 = 356c2bc25223d3f536b075f7052d29e1f36c3dcef8b09811f3bcc18fcd78fb10115b6779bec0dfedf1563eb9024fd38e9083c1a7b748b05d61c99c14b7a57ebb121b5ca9a83e6bfbd4be01a24185de86a9baca5c9e8b1f59424bf77b9457e3829de9c44ab10c5966dc59ba5884493980 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65041,6 +65333,7 @@ AdditionalInputB.14 = 74b7046dee3b978038195a4ede2e8a0ffd3b8c490c4ea36f - EntropyPredictionResistanceB.14 = 52f143079094332e20460b6bd1b5a5872348ddd626053d3a - Output.14 = 58d2c19cd4ad3ebd48e3520d23395b4566e65981aebf6f143f46733d4fdf23e2fe0243674778fe5c5ad1fa4e9389305d3e7c1b99d7f7e163c9ef87a35d34732629ca8d87b7b8878ec95662dd9ccb43b0d2ccee2f4f3c4037925f264fa03b534da0751f45b2df1cb653c379cac512ee5d - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65121,6 +65414,7 @@ EntropyPredictionResistanceA.14 = 2520f0af49912e6973e81e5d3ea1b140664209e1050784 - EntropyPredictionResistanceB.14 = da19f29b28f43ff72e579a4a21d979dbf399f0123695227e - Output.14 = c79b9cb6955eaf7d0354ea81b1e54f3bb7855edea5040fa6ea2f18566210372f9f7b4d08208931c321ea09f44390dcb4939373e96fe3a417b2804b6af94aebc65fb31e7e9faa4113cb4bc1294fbfd19eb078eb300e599beb0a8afd05f10dcbbca84a27dc86a12a998a74d6f532f38e39 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65231,6 +65525,7 @@ AdditionalInputB.14 = 9b0214621496003a5e48ca25fb008bb7ac7cb9192ccabdd4 - EntropyPredictionResistanceB.14 = 9764e49ef04c1c164bec335e2ecd98ff0f8b7959c4af9ef0 - Output.14 = 8e4a6f42f812bcb71891f6abcb4c19f179f44d6d7ca0be8f84ea4de6227e31f60ba600c0dce0c0cdd6bba0deea6d860b3ee204be73421044cdeb59f3b42a5e4db94e2d06af91e1f2ccea73eeaea40262a5c74b7fe76979bf67510c86c4c5fc55569b6244fd15a49db2768c884102e106 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65326,6 +65621,7 @@ EntropyPredictionResistanceA.14 = 3e5b6735d467912273c38536f7a1be160b1edca1af6dc1 - EntropyPredictionResistanceB.14 = 0dec0880ce8e6ef894b9396ef56fd678435ed5b6b39d4918 - Output.14 = 5dbf5d3b2fe59054ab29bd747ac3dfc4026799f493b65a49a528bdd1dfe26ee50f7d8b4a69f96488095d09209f2657d98d2625adfb769188e5fcba1472d8364611e34dbce5160adb642bff5919b54e8ef3c6bf8de8fa0f651fed3878ecee371e312bf71688093a7a625239fb861cd8d8 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65451,6 +65747,7 @@ AdditionalInputB.14 = c7c8c48d9ab3014e6f94a3ce3e8df9768b3c60f478a5edbf - EntropyPredictionResistanceB.14 = 00b456fef04acd6dadb600fe9b2735a5d53dc58e9cd3f963 - Output.14 = 6c1d21ef77388dae905c338b72894c8fa3a066d6255e7760eeb307d264948f979a343a25209a3a7d1b6944d013b05142c3fdc155d63ccdf626437298d0a9f0715d6dfd81acc7e45129b6a3b442e8c36527470466f74712b03d03ff1f4cadfa8e2c348639d82919cc9a3e288fc15751c9 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65531,6 +65828,7 @@ EntropyPredictionResistanceA.14 = f9902e3d878151db3849537f186a7b2fcbcd10576aab5e - EntropyPredictionResistanceB.14 = 9787f601b4a6244569468fe586a67e2e7733ec0f1e2405ed - Output.14 = 8338c7e93fc15595aa5828c90f064f37221439c1e6d9c51a0986fe9f3e9b719f0a05c9dda87f3f88543b2ec0005ec343b62a3929ef720fb269e8dd1cdec36a8a2b867876752b8aa23d6878d0e9f3a27b06a7782a58ce68fe80cbfe6b5795e7da0c34499dd153b202c5432e37e03638f8 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65641,6 +65939,7 @@ AdditionalInputB.14 = 69b3ec5d555f1c338f45a72c56ba8f714894c069e47d329e - EntropyPredictionResistanceB.14 = 9a0350c1885b5f69fdd13e8324b8730f27c92dd96c87916c - Output.14 = b4a922cfedb084156cc73d5bacf1a78090935fb1a5368e02d1bfcd22ff497defc9784e16b14e19777c50f0db895c3a61fde6f97988315e427b4323c9c0ddee5eefe49677b37bbea5a6c9d43cd7c3279c7502154e8b551538e10c8bdd0cf35ac9379931f0bd7acfa82291702648612815 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65736,6 +66035,7 @@ EntropyPredictionResistanceA.14 = 80b2cc6b2d460340d5915e109e434d05ab4861378d65ea - EntropyPredictionResistanceB.14 = 42a0f1f0e9a911d0e12948a235d1a125e9462d5bcb605b98 - Output.14 = 38df6537e3bf2a8ce577da82336ccb234dcfa6fae8bec62c1ee38be0f9014f49695e4200389a55291a95b97ebd09ccb7c392320fda66797ab1979ed0ea56772456f36ee287bd683c190c438b1ee0c4c262ebc4b2e5d036b3f50f0630da695b271c3cf746162258a4920be29c25dcf201 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65861,6 +66161,7 @@ AdditionalInputB.14 = e201d55a78452ed3401d92c27247db4801b572b389b2fe61 - EntropyPredictionResistanceB.14 = d50ec469c29891aff7289644413e0bae6954075854c1e475 - Output.14 = 1bc3d11462d9e2ae029afa1b7db585d17c1de83fa1e7d7d9e9e7c015fd85a369edce029a3eb111dec4a2efda8e35bc5d412d31fe2d0d0a35f629609c2aaaaec7fba121a164f4ab20fd65b8bff2ca6f52f171ed2879f129b0bc2ba7dddb0c387a8748ddd2321681655cb2821523bb2510 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -65941,6 +66242,7 @@ EntropyPredictionResistanceA.14 = d6734f3b3b76bdd8715f1cbc24df30bc8062a0276d954d - EntropyPredictionResistanceB.14 = c6947a5c4932e357cd296aa8153614ceab7a6c479ba1cf30 - Output.14 = 19f1b2ab68854e65d92318b4e09c74a379c76c096ee460355a977ca08788a8ac83bbe817a8ae4eaaa795a09a49f572fdb471d8f5d2de060016b1b0422905af24018457acc9ded76b66d204ed5d1bb66d77270bc23ae5528a6a05aadd3eb1a194bfd42c88273def6fc24ef677d326c586 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -66051,6 +66353,7 @@ AdditionalInputB.14 = add443f0f3064aa799c6fcbc729416a494ace56d2a29eebd - EntropyPredictionResistanceB.14 = 19b708e95dfcfe56f171ddcc411c63bc2e742cb45873a019 - Output.14 = 29fcc98bb0b08c965dc5ec7de8dbf7a16d234eeaaa262f5ece8f2a1d843940bc663b4f892ca1481155573c4a6754f8b7b398fe12a81409ed7f6165bd16f2ac031d809e6535dcd3561586c038df4aa735c5efa36224b2235d05c12555151b1ddfc2121e806ddb484d19e9db631383e969 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -66146,6 +66449,7 @@ EntropyPredictionResistanceA.14 = d9b643ef8cb569c2eaeeacb3d8be9a0b2c93c60f8e1129 - EntropyPredictionResistanceB.14 = 213994f4f3e9382b9b6c0247e74a930043a563d0dc67d05c - Output.14 = 991659b877318d688fb40a862e4a089f74e60948f853ccc57588ca14a51c8a8af65c7c1e0a5fa1393a2f96d23cf0e6f829141cdbc4229c5576b07a915a59bcae554cc50e6f38264757e29117273792cd9ec6e89a82713db07af8562c24aa80e64f2723e8885ddf3435d96581881ccf9c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -66271,6 +66575,7 @@ AdditionalInputB.14 = a00aa12c4a26030b79897e04d0171bbce1cd7257e0cce379 - EntropyPredictionResistanceB.14 = aa9b3dba7376b0a21d34ee6ac8939a625dbfec172a108c4c - Output.14 = 54fb778fcfc5549e190271dc12389f42ea8128df55e6193e03073888b4be31e2d7a78845c47362c4e96b41fce503fb970f9176bdb9b5d664c386898a0e44ffe12f9480699b7d566d697a4f520268f62e460359a39d091f4c372ad33ef0eef58622f488c9348ab5fd693d4edece794b12 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66351,6 +66656,7 @@ EntropyPredictionResistanceA.14 = bc9fa0d6596cd2b1e020a0f23fadcdbd5ed8730e9187c5 - EntropyPredictionResistanceB.14 = 671405ac5614d316a8f289b50eeff5467be8960feccc46b7eda7d3038f09321a - Output.14 = c8784cdcf893010849f094a0de5d3325a69b425a8c7b788f96ed2d8209434f9731bec3c590e8982c22b46ab9f28d169933c1ca2c4e4b99a9bbbd74e2182097a7c0e29e84a63363eb3c0b7b9cd730cd0bde121006aa11542b968f4963e84830219c359771a3ab03298e5c0b8a207387668308e2158fd06add5309defc8cb2c0e8 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66461,6 +66767,7 @@ AdditionalInputB.14 = 7a63a39a4db6161824113f32ca5c4588edaefccb08894b2ba52b6659e0 - EntropyPredictionResistanceB.14 = c20c5ba1aea693d375097d19b3cfc2b06c9c876e980131387374899d4ab48385 - Output.14 = 818ab1aeac3dd58e54ab686b04e3686a37a1202a19979a3620d1aea5e425472af381677a363ae190acfdbb0372c7ea2d5248cf27b18327e13b91507fc28b9d3e804ca0e618d867b3d892173a19c5918326e6fda277d5a3a34bba1425f4a6c9543f66dec79bc909b3d082c6067df73966d1b8f8a16d07005732e0cc00f9b212a8 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66556,6 +66863,7 @@ EntropyPredictionResistanceA.14 = a21a3a1e4a6e4ff4c646ee1b19ae20f956cd174001cac1 - EntropyPredictionResistanceB.14 = 5f673e1dba2a9c526ebf62d4383da60fd194bee81d405dd719f0cdfd0624a79d - Output.14 = 718c2bd08da84f897864d2c2a91cab5e6b66251ce71886969271b3b88885cce8f01e2e0bbddb0f5826c68445c8d56964c7f2b641b7f8498dbc293875a422b65bb7aec20b154064b336ebb06dc861fa7e69d683dba33d8a6f71c2b2c76e030db66fcacead182c0f316395c3dd4586a38d56157d8b4138f3039acfaa599df1a096 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66681,6 +66989,7 @@ AdditionalInputB.14 = 4a5a23362f631c0b155fb802990f855d684a1d3f54073c7bef2515ee3c - EntropyPredictionResistanceB.14 = 73189d6afce0d5724c50cbe257a1494c7e78dd5b3d7509c5509d795d6abea851 - Output.14 = 8c64782c4b34cb5e2ac304ad773adc7a76ff2fe1f43202b01e28aed52ff96b651765d642d5313146f322f3cb067cc274918babc2b35255f048ee74b4c87a4e1c465e3e1098b1053747343123ae5ecb652520d0fb20db17379388249a2d92cabcea7140162f2d9cc17daf718eaaeb8e8a69197689ab206f68fc468982c8f89e73 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66761,6 +67070,7 @@ EntropyPredictionResistanceA.14 = e0975b46c5421742148647c5ea8ca534bf23b9cad38fdb - EntropyPredictionResistanceB.14 = 92632b542fbe20c00c8071037c15a2434cc23b3b6ba800dc9e419e105c1a4c4c - Output.14 = b457c370a8bd4451f4185f7c925b90365ecdf0cf1a4e809967ca9218fc7350447c32d25bb3ac36d8d0de69e2f8d6e7f0276cde6d9a615d5644654be11ccae2a556d331310494ecdb961468ed6283dfd9342be478f0e3d5bbcfcbfbfab86625a3fab5c43296bfe1fd9218ec5cac2da563adef29084fb7906a7284da44872a957a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66871,6 +67181,7 @@ AdditionalInputB.14 = 0eb21b9dd429b7ccf6183587400ff57ccb84e13513a553c83bd18695eb - EntropyPredictionResistanceB.14 = e65beb2bb257e5b9770af1404e58743540ce7d6338089906464de3350c481f59 - Output.14 = 30ad11bfc18d3fa9c7ca2adf01bca76f8f2513c2aab3e830b1ec8892cd6544ad9e25f2c8369a034a25962634fe86e833aa32baa24ea608c91818994601be78ab1fa772cd80b6eb3006c4c2d4b0b1268f7d8759b7e0193e15a69f7e13def2e4af35536d92c1b8dfe3b7ac72104543a8e99585bad53728899fc5cd4ffa509b4b79 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -66966,6 +67277,7 @@ EntropyPredictionResistanceA.14 = ca849cd2397ed598a1f4a5fe1ac34d9bd72ba79cf44b89 - EntropyPredictionResistanceB.14 = bf75a707fe7d86993dfa00386ce07f94898f484a9f936d47e4923bd6bd8e2121 - Output.14 = 63fd0934c1c510ed19955471552a645ebc7ffcb90ec904994fcbe89ad938ca0b6ac3c0bf958d453af8ef7b4cdfa1bf20a5e79a68d1801a91dbe63ca254d8088d7d508971d203fd9dd4fb4fdcd9e8f1f25e899912dee3f59ee1815efe0959c7e4ae06453ae9031a8cc94ae38d7d634fc46233ed8d11ea8e20e326841d3cb40680 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67091,6 +67403,7 @@ AdditionalInputB.14 = ca63db9ef242fc5132d291600fbfe99b72649a2c51080bf46501286c27 - EntropyPredictionResistanceB.14 = aa1d3e08e011aecbeb852bd054066d44b5f66a71682427d9a49deb6fd43ac6a3 - Output.14 = c44e0709fe70b56c0d612f354f796e33f6008e8dd9346ce75894e3a09186fe54b4a7988060e48488a329387bf1bbde11de1525f14caa0af8d6e4d4b32b5dce06d71b368d5cf181535557accfbd9ae55d4b844479a8c959fd0ef0739f1fcccfa2d4e053194b90b8ab9fa4135db408018c3d4895c44cfefc05951d1cffb8da24e5 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67171,6 +67484,7 @@ EntropyPredictionResistanceA.14 = 3b12c8af1e7f747f5307c4a0e7af0efa7a34039b4f2c5f - EntropyPredictionResistanceB.14 = 90e07e1b5ea4915b23d18d52dd1a5d79ed0feaaf4c3b9176ae92c85f28c5ef0a - Output.14 = 6c2ad7e3738c856374ab4b7a56ef4b3e1aea65f69fd6fffdc0fc06c585eeca2761fda70234b844b37ee8fdd43f8f58b5f73accc0943b8da2544f3a7ea7e7107786d9de4f457519fc80782d0ce64e5b33c82b6935f80d0e1e241ed1c119621d43ce1d18fc016b136ca1eb7907c6fdc14f77d807cd0ff1a1ffef73f6eab009b02c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67281,6 +67595,7 @@ AdditionalInputB.14 = 5138951ad6b555496eb1005bc403f5937dae4e05f1254d7ae2406a3f81 - EntropyPredictionResistanceB.14 = 9eaeba16579b23aa55adb7f2b33430e5f9006c6247944b16cca7f36ce6eb0cb2 - Output.14 = 60cb8d3a0d921d6895033f75330a82de2121abcc7f0ca1391687a510ee79c7e99154483f20ceee8cd85c6be7dabf93ca5c535b42980dbca8b308375f44ea3c1682d0edb7391e468898eca762b39b2ca5beeba498881e116e45429b49ae3936e1d11baace14b11c64aaa17f4c830ed62df0d66ccf0093c73f705e32067904ce8a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67376,6 +67691,7 @@ EntropyPredictionResistanceA.14 = 5dd6463be2b566208350dd70f0d7132cf2249ff1069c97 - EntropyPredictionResistanceB.14 = b59a5c1e855d888a76aef8a2bdc0e6701eb7cf7d6d0da08c9e9764ac31311d3b - Output.14 = 69fd03a37b267d6f2a9f338ba844a69f700089f3348c7dce12497ed6637e294b9b958ab36f85d986b1f311400d2e58bf5251cfda4c6e173e0a0eb0c25b529057e458951e8a9ca233f578ede226fcbc16fc95b9421f4db1b939e77110d1e7ba0d486aad8d62f0e417ef3a5f39145d05423113d8901493b866c3dff2a213ab8dff - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67501,6 +67817,7 @@ AdditionalInputB.14 = cba2a6a01cc09238e9a8e9fe56663a8eb4ebc186f4927042f7f19bc8e8 - EntropyPredictionResistanceB.14 = 4c691865c160d187f5c3654e3fa2eca8e818b2f6ead070dc69b2585d5d4589cf - Output.14 = 004e5ce98e6f7a64a98ae577c3c702b8aa489148edb61e57cbb980c2383723918bc380e07944049631a8f88044a7954570086cb972c6653ebfa49a5c174f8fbb788005aeb7bbfba2039eb495cad2c23836f94bb6029f3ae3dc2dd8525aef77614d3bf5ad62c48ac56c1cf1155653243d4d10da4c4ad9e8fde33802d46026212a - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67581,6 +67898,7 @@ EntropyPredictionResistanceA.14 = e67d0f28c142a83bab1572b0b44c83f0fd9ff3ccc2efbf - EntropyPredictionResistanceB.14 = 5b7ae1170e439d0f9b8d5279fb29da66fe280483e0dbfb6e289d63b80c0e9662 - Output.14 = 4168445948f0108eee7c346820bde513375c403736ac22b6b51a0237ce84c9f6ec3f85be5e5af9f1a23123692794704825c4e1935ccf790413725fc44ff64c457a58a700265c04dfd9674ecf952af9105b0b62e9f2867aa15cc18077063f1be603a4fdb0060a272aae224bacd1f45d172c8fe03ae1b4dc4616bb47be9ca6fb3c - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67691,6 +68009,7 @@ AdditionalInputB.14 = e5cbbe21f36bdb46d389a479bc23ed7162ccc9fd07e3c15b2af38da548 - EntropyPredictionResistanceB.14 = 524506ce82bc8e9813b12258b87eef1021c3df39de0b377529c3614a88a5ef9b - Output.14 = 942432679f040520258501966ea68fb5044cb44c4d02b0eee3041d3e43e3c283e76d4bab79305d16888b42581ee087dde5e2b0e2c3bfc7d1122c2fc450729343a45331df3cbf7b9a4253a5f8550d37672a73a75b3cc8abd68f98803643b6eb69ec95cf55c2cfa037b69523afdd045c740708f1f7403621c8074d497e0efe689e - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -67786,6 +68105,7 @@ EntropyPredictionResistanceA.14 = 711415888490d7ff523e9883f6bf0226dc6d446901fb41 - EntropyPredictionResistanceB.14 = e15d421f53c1c843c847b2abace780caad977a337d81469d973ddae6aecdd1a2 - Output.14 = 79071920bd431dc5156b6f03932ae2aa4dfa06a61994bd07ed65cea1ec8c08416c7ee5c045f0fc63b4ca237e85d29d8987b65f3e9ad22a984aad16676a9a0b50af959f19b57863c43fd316516cc7d8516bd4705193be20d3ffa42f843905ad64a5288c875f55a8996ecb239700136b6a57a43f2c6dcb11af5e8fba3597fd8870 - -+Availablein = default - RAND = HASH-DRBG - Digest = SHA-512/256 - PredictionResistance = 1 -@@ -69553,6 +69873,7 @@ AdditionalInputB.14 = a0ee5a3a9a8c5eccb62b9e7ed45d04d8 - EntropyPredictionResistanceB.14 = c588bc21bfe29ac749639bcce28f17fb - Output.14 = b519ee28f38bcc0305ac49eeaaf9f27eb6af797ac95e13431d1f5611e89930bb2c362a9abbf4fb8d89605e5db756fadaea2f36e953751006361b94f89c893e2505b77e41ba27eb9d56d9124111e7c12d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -69633,6 +69954,7 @@ EntropyPredictionResistanceA.14 = cdc10e50c630ccb235579a72b6eb4502fe146aabdab62a - EntropyPredictionResistanceB.14 = 5c820ea46bb9091054d75a892a83c3850da0a31c15e0d021 - Output.14 = e32c0798b2040620fbc5d2a44ec7fa8038444c1910fd4a24312c8c8eadb57a78606449cf05ac51a3bc4d58ce78742c1be3a0fab6e3f5ebc92b82b5d5d64ce29e8c2787ace0f4e718a7f6cb669a0a43ba1aee0d9aef55cb7c6f5dff57c8acfe883ffd8a496d44afe06803e4c9ff62df04 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -69743,6 +70065,7 @@ AdditionalInputB.14 = 4505c0664e59bb4388020470838bb098c4ae1338c268adf2 - EntropyPredictionResistanceB.14 = fc4ef2906cf36c6c8897b802200a83e60d16f7fb064abd2a - Output.14 = 4f9c3c60ee32042735cc539b9a23d04c2bc6bcd68db04a58240305f165bccebbb98e0f4796b283a0d78bdaccfcc8daf19f21a72945be07996bbb0b606643c7753f76ee6371292d3e681468b714e16bc32db14ad6d777677137ebd3731186ea72b840b8c4ae79ecb2c61352ea056d2d6a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -69838,6 +70161,7 @@ EntropyPredictionResistanceA.14 = 90e391a33dc21281372589e2a667cdbbe4267710d5244f - EntropyPredictionResistanceB.14 = 42c959b7272b39e5cdf67701d47665b61782541e94aa224f - Output.14 = 4402afee12048c1c6a44624d2df026798930ec732884899ffd20d17f1c8d7c221cf5edac8679a21ee11b177ecfd61927d4ccbb175ee6b49cc6f371450904c2666aaf2e6cb36cd55cae3af772beb80955cf67b4e8be1fce11250a39693ecb7f8ac05aa23b949ac74bc9a67060cd60cc77 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -69963,6 +70287,7 @@ AdditionalInputB.14 = 764705681b7781573af811fa7751dbc27d667af7a1e59dce - EntropyPredictionResistanceB.14 = 76a59ae38c88631a066fa85d24dfc9b2547caae598cd0fa7 - Output.14 = ba4a0583d8d6c5b4216a0875cfad594485858dc7f9ef265d4ed0c0f0fbfcaaf5ae318df2d7fc530301813d9f49826030625f7ea02d0630b3573c486b1fa0ef4269cbfb6fb86675c11fb7c0570cf7ff4fc7affdb00625ac453c23c229a4ea5f540c66f031ab3462f7d12659eec990501f - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70043,6 +70368,7 @@ EntropyPredictionResistanceA.14 = 85ef26b185a0aa99aa8761981cf02a634b62f47baccf27 - EntropyPredictionResistanceB.14 = 2e9d56a2fb6ca0bef9a286d23e7d38457790f97f2b7ea5fc - Output.14 = 5c7bb6bedc97cd38837beb0d963d76a953d4c53827e24ffeb278acce8350c43fa6e289672fe6452b769b921937ea8059cac8326332966d3490f57b8fa89aa86deeb3edcdc108d1899eaaa2d568d78e26b8ed674282ce16a0cc03f3c3b1da6d5c73afe8f392b32151e938d99c94bf8152 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70153,6 +70479,7 @@ AdditionalInputB.14 = a05a3af78f164652504f38cbb262a93f5fbe72c55e28aa55 - EntropyPredictionResistanceB.14 = 0dedd1d3b74beb9c3ed9a6af24ba4a8fab11aed95d829a11 - Output.14 = 4e6dc09aabcb0fdfded4f1d6ac2339add1b5d7528c3676203b09341a1cf70f0e838301f7a78dfe6960daa674517162f4819a37027845c260186325846604db350969ca2abbabf713159669260b80de6e42bc33a64c796280402da8b3c3bf6e8255a11b82b046f1b3800cad132c2c0cc6 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70248,6 +70575,7 @@ EntropyPredictionResistanceA.14 = e5f524fde813bd2478fee8dbbb6284f3863b43a8cdb2f8 - EntropyPredictionResistanceB.14 = 178f885705e506129a137c64daab8870149344d82990e454 - Output.14 = cc687b9fc638af68d71c2e12ff8727f2cb2eef42a888216af09167ee23f5b432ba896ccd508afae8670dac9fae348eff0f8db63c3fe86f6a1e2d97f9b11813a56ddc1d5c99cdf79afb5d281fd1682dfada3c608ac1cd8ed28e70e21d3ecf7c13c410e8e657d7d0714aabef78795e46d1 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70373,6 +70701,7 @@ AdditionalInputB.14 = 29729358e5e488ac8924536a8806d242952da8ade0d4e4ab - EntropyPredictionResistanceB.14 = 0a0148aa002eb800291d3bb5fedcc8a6b80897ce459710f5 - Output.14 = c97f446cd3d9c96f63782925178e879b3fdf0d46a2e67d2489a39c55ded3330d70a7be34128f3e8ea442989ba7ad90ccf7f66bfe1f7c1b17585cfb5786d764a44e39bc021e06a193254ec26b7b93e33fb883408756e651176a098a4b75b3ca48ffc4b66f0f5519592d529500dfb30287 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70453,6 +70782,7 @@ EntropyPredictionResistanceA.14 = 3ef188e76f0d26d790b51c9eea46b0a9d15fd631f044dc - EntropyPredictionResistanceB.14 = b2d0c40fc7c3e6fa3fa030d54f4548cc664ad604eb9ebf7a - Output.14 = 966790327a7fd7dad98fbfc5c86d8d678d28dccab766dbe0a10bf917b59e85cfafc1a948b0abcd89fe6cbd30352e8c672a849b2b6b598b495719303d17b22f879361078e1dfc13052879e7fb8613a0d5fe764377e98e8c4d41faf8aac94ebd299caea002a93f5e56b6a78e6869190c33 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70563,6 +70893,7 @@ AdditionalInputB.14 = b4c6dec979f2875bd6ab575c884b9c82a7f87b0e8536fc63 - EntropyPredictionResistanceB.14 = 812de24e2801b83b5938cf87ccd697d29e1e47dbb773e8ae - Output.14 = 42e656b2bd89c6b87eeeb4cbc88da7b7ea63f2d0e34ccfda69f1306982727b65248742030974bc2013af0fc0e04792ac57a6b33f7a0e1c106b4877abcc43649ea67c7706c2c6a32341ab03f35ef5429b634c546ad46e9f4ed65835246047ec510de96d544dcf5cfd5cf38b1191844699 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70658,6 +70989,7 @@ EntropyPredictionResistanceA.14 = f3519a57f18c23306e613cd6701a63b476750bc86a2c3e - EntropyPredictionResistanceB.14 = 970a0425e52d2ec2cfdaf196d46e132483021785e3be083d - Output.14 = 92e7614f08b0bd0356849559567fcc18f467f7ef0d31801c9d38d48adfb1a49d464abca4764e5a9da227d20dea34e9d05535de6daba95db7ae42ad94155f795c06ba3241e897ffdcdb1c0cb1ed2767bc8b1259359e70739b52f87c947fc0ed293990fc1a9d452c18afaf5586a7a4e828 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70783,6 +71115,7 @@ AdditionalInputB.14 = f7bd5c7a7e998407efc71f4bc2a6c811edf1687b019ceb9e - EntropyPredictionResistanceB.14 = 84f15292035fcbd61337c733fed157b3e7db3097c2a3bd9c - Output.14 = d59bde2388f07c18be829b8fd08376a93af24145700238175859ee3f89a7dba009c628d749c9ad72abfa3609dd0a5d38ef1abf261225b988db1d3d3183b5c5ffcc19303f4eea88df2df4b65df1ad28796e9ef1340731ad6c3bef33043c90880e3ed5b8b336d5d125b89df17028983f4d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70863,6 +71196,7 @@ EntropyPredictionResistanceA.14 = d16361e926630ea7eab852d3fbaacd4ed8bcd4437311da - EntropyPredictionResistanceB.14 = 15d2ef5b010ae9f49d738919580a99985fa6e749f4f25e4b - Output.14 = a34007c66a63071fd9b88fcac4e0438961458595c5fa9d39453af1a8260a5810461f55cc8bc9135b24713c82d9a8f7caa720ece42a7a94ba9142c7f25120f2cb57265a83e2a40129357234dff36f320935a2e88559a334e33044d6e6694a9485ffc243fde57a28958975d40342d17c0e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -70973,6 +71307,7 @@ AdditionalInputB.14 = 6a59ff9e4710c11794930434f5084196353fb44fd07b2e25 - EntropyPredictionResistanceB.14 = 7b9f7f89a03e06aaf45b165d68c6275db97352d04c8fc977 - Output.14 = 7f72c56664a786385db6206c39a8fcc6d2ad278abb7270961c79f17f3123b62ac1118a814fc8d22d2f2c0219cf12879bc688056f39d79849c6eb4f3bf2d48939372313d46c6f816205e71a162c8ac3373f39905c19b1003183a14f1a993851a2f9a961bcf3fdeb656d7190c7ed5348ba - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -71068,6 +71403,7 @@ EntropyPredictionResistanceA.14 = 40da9bf2a3adce3bed58d5ca64411ace999f0dd1be0849 - EntropyPredictionResistanceB.14 = caa117803af0fe7ded86e010dd37e4945fb8b32256663cfa - Output.14 = e1468e54df5d693ae5094982e155a74033e4079dd1086d45a91ee213b3ab4486640dac0342e6aa82f76569ae9d395f5161d82d27a7c6a8573e3f42e7c57ae6bed8a45a177dd35a999e322a3538a9b8cec51df28eac49ca8a7022200963aa0d4d66868c1cb8dd90a1564cbbf8bf26778f - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-224 - PredictionResistance = 1 -@@ -72833,6 +73169,7 @@ AdditionalInputB.14 = 666ab44b022bd295bb6b516390e14c1a7e746acb6437e33b203779116f - EntropyPredictionResistanceB.14 = fb25b91fb031adb53b1d175a68a9202abdd6b3da5d658b7d3d5e815e62d440a5 - Output.14 = b02cd3e20a39877aa2b5288236990b77e0e9e21987583fbabd6ddd9ae2c5316fa51602d06ae57a55a784dcb163504014a21a1ac2290b6232e8e97d186e6f6a8508f7eb6958a0ffff454f91e1c0b2831a594d31445918c92268b380c017f9911e81c82ae23449976252add67ea901463848696eb31453189fa88d2c999b6d9d81 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -72913,6 +73250,7 @@ EntropyPredictionResistanceA.14 = c5650c33f68b5d33502b1f55e06fe2c1169fb34688a092 - EntropyPredictionResistanceB.14 = 25be4cf15692e3e6ad0ab6ffb22cf3f77b00333517ecb2239c9b81e59a72d087 - Output.14 = 41f335cf727ffec9ebfe7cb348d11cdb4e5e49a9a047d8342a6656e5d235219a5d80715166698cc1f16e34f743811b820e6ea55c2bdd0db1b97ea2269fbf60c739feed818282f447bfe2bd0b9a7c479144f0016703aff450abbd87a50e5e5af0d2d9469175542737bd116de2a73acbb74d9f0077a227704f271fe0696f071914dcb9c0f0191fee35eb66248eb17991b538649457d5d5f9d4bb9cd81c33a14d2becce003c143c9cfe39ccac51048ef169f6a22143eca721d04f6e147749a44a75 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73023,6 +73361,7 @@ AdditionalInputB.14 = 301f91c659f73b618cb46a4343772f1eee9fb4949ec6328109823749bd - EntropyPredictionResistanceB.14 = 24a71d39e627d5efaa1e8f3e5f70114bb03b71ce54e4f8d34e838106b2467cca - Output.14 = 34c532082926e6d530b3a58282eb4666ac7374e8befaa4999dfc9f409e40ff966652295d2940db97061800583bc7d47b053553ad29c89ee61803c1089d30592270d2927031353592d4aa71f59a4bf3f2147cb406322367544c38fa5a3c8ccb534bd884355b06145db62161260162091c795874a2e99e01292a2e39e107738818a211750f858edbe0c2ea4734ad14f1c45bcc9f733f027616926558587f7332be55044dfd6fcdb628ff7d7d581820a217bc64aa092e450722686e0cb291eca45b - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73118,6 +73457,7 @@ EntropyPredictionResistanceA.14 = fd947b0a21e580e6c2dbfbd44d01f5fb4a51dcd2199df9 - EntropyPredictionResistanceB.14 = 815302e016aad33254d308c5457f368965c15b6204e191c2a252e4fe88dfb978 - Output.14 = 34f550231d31c1b3a3db331d341ada3b987120d94e431831eea67e8d208f9cf1800549d445fc7befbdcc2488cc7f4340560d574fcd2396e9ecc9a232f1015cfb26db451623fe47ec8bacee1756573e74e519adc62b23ce86fc191ea5e13da9c7a14496426c6c53dfa7c7ccdb67d6164dbe88cbbe7f48d4971993003ab24f3eff18bd52c2661992e8f8da93bfdd28f01fc32edb439ad130352463084041e9871c431ba26c676ecd7812991833113cbbe687651e93aeb22a6a44cffc7a3fb214b2 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73243,6 +73583,7 @@ AdditionalInputB.14 = 5a7434648de82a3552e12aff800093776ca3e86565b29c0b3ad6c0bc31 - EntropyPredictionResistanceB.14 = 2d6b77ff7e612c7c40cd5231eece4018c5b3c0d8181ab44703f7a04c0a1c7c5e - Output.14 = cfc79a89a0a55dc9c6c6eccdfab5a9935335e806b73bab7f5eff5f9fea6aa3f47bf31f06d987a94e2bc2a4a6144ebe94d6f5aa8fcaabbf86a37c8d412207864322d3057b89fef358740c5962cf9e7c37072847fcaa6db693a5238ef270e8414e2b29448bbcc37dceaa75479c2ac5fee2d6fe9ed68516f6dbd90135ddcae8a12d1c1595e0edc34ea2bf00bee7ae773c240c2bc1ed828b7ff91a676891173eec1dabeecb2184df9186c3bd833e349351481655bda91bc0f4e419fb78e426de6b39 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73323,6 +73664,7 @@ EntropyPredictionResistanceA.14 = 6cc5f9e579d80eb1e93876513892307c462383f1b5e591 - EntropyPredictionResistanceB.14 = 2672d3be2c1b741a8a60662e24e2bd6a674def98b16994189c08d7972d275f6b - Output.14 = e7f7f113778234b68dbef00b74b656a52eed3cf3aadab8e5d96d1daa5c253f5ffdcbddbc8dac0acf43a7e2a18303a6ca389db0bd0c5118a869e7e06115df5315ab9962a782281c5c46823d1067a8a5cef28c7ab7aaa70c069841875f02f294e557158da3adfc6c11407d5dc3c783332b4d3e25001b5b1e48dbb45a5ec0c8fbc0343f8d73963b7928e501f5dae8716746a835e121ac748243c90d3d3ba22e11cffd76f53a6e372546e0fd333e46df1056197e5a44a8b69e5b923637212635e6d4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73433,6 +73775,7 @@ AdditionalInputB.14 = c81910a207597a0657cb06cb89897f9ca67aaa5e3289159fab1f36cb2f - EntropyPredictionResistanceB.14 = 0fe27d8d5ab415f1332cf42f7a6eb23033a9c5eed085b3646ac3fd288de95b63 - Output.14 = 080c95ae4f89185591db9f06e68ec25774ebb1fe9e5cf9acb4a6190341d40c78c1b92dfcfc142bd8719da2d09d879875e5eae3a0f7e4030a61904e45dc5f059e550e85f4f2e081f2b7ff22c47eff29944d5f17396cd1712070a2e1c565253a032e15432489c093561ff61b2729ad785e7d3da276a860d40ffec5f766997260ca2f0bfac1a3d20da5602357d9b8c92c97f8830fc1c93ecc68ad2edf2a559a7f52325ee7c7f9c85205016af24e0833fbd54bac2f6bf42266d3b90c0431783b8a75 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73528,6 +73871,7 @@ EntropyPredictionResistanceA.14 = 0877707fdad56cc9c9de7e9fdb0c0314316ebd529920e9 - EntropyPredictionResistanceB.14 = 208e73cb7f1d5cedab1c8b3b53e0e8677e3ef4664cab9a305fec6dc0246256bd - Output.14 = 97d899881e4f6bd01a6030d211643b3c4d27dd7df30956495497b8748998c7bfd74373293f1c992ca303f0d59e46ca98f97acb101113bf97682ff75de95fcbd9c511f798ff76d7a17ded50948aa2ffa15013e1d486de1368c5ff009a2c0ad062fb9045f89d8867aaf8799089bc9b7eebd5a9069690076538a589483c7af29c48b6726982ccecce027b87b1ded6875015195c60604d2e564ee3014d9114f5a2d900829d449a69ae4dc23e5df063c103260163509bfc38690f8d274c620b53feba - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73653,6 +73997,7 @@ AdditionalInputB.14 = 30dd5a23a1cc9acb87060b151274df28882f3d442d1b9ee6ca58dc118f - EntropyPredictionResistanceB.14 = d980c14049c6d9e9bfa9340c92ba188091416e7eab2849f347f72840d79f9f59 - Output.14 = 97db825c1019bdd33f0f67b32adb6490a8f38e96fa34658f93edaf6d000ca806bbf7fe6af0b5b17c9e850a6dc41f8899355849f04e58ba0f75872021cfa7cc4410160324312fe8a7b6e9d8f42778a1b8496d9f0bb40eb336039ea3f762147fdef0d53603591b0fdb9f4d0b345c8f1cdbaecca96e5411a960933f52ba9b3457a0058ac464cb30118ce65f027e8a7584cf9eba11754ad3d26d3600a3af3bbaa9caff6ad4a28a8a76abff9c5d710530270cbd9972b90bc767ad7e76eca03dd13549 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73733,6 +74078,7 @@ EntropyPredictionResistanceA.14 = bd108a354d8b8448d8add8059b0c40ce026bbd85209c87 - EntropyPredictionResistanceB.14 = baddefae7c08ddd069296022aaedf0eb70e44df7a1aa04a030bca6cf9ad89211 - Output.14 = 8360787a7febcd2965a605f03a76a46bc3b842097936c0df13fb778feeeb3f7c12af610fc1d845ef71d5b4b834f1659004834c107e084de52e2303fd81930eec8aea7fa86893e58ae764f1894965b04bd8bb65a308e4f38d390ab11d93dc77c69e86650bdc20e7a3fc616a996f4a4bd5668d31c6155644867ad93e31f8d78f512a99b6b368350c53adc5de36fc13052e600dffeeaefd06b2a4b969782c046087ac07a4e02aa5302e499ac11e26116186f32d4169454eec4eb29f2e75e544a0e9 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73843,6 +74189,7 @@ AdditionalInputB.14 = 8316fb114ead33f4d6cf236cc711432f42a699c1c8207865428de36375 - EntropyPredictionResistanceB.14 = e4e9129ee1cc84738d8eb8db7404da8c0f9f16a5dfe1b2cd99ed2b08bfe635ad - Output.14 = 18daf46771e8acd38c2cb82aa837a239a145c48c303dc26feef47d5cd74b01cd53546fe54e300bd3212e1c13c1bf3a9d17165c89399539c07e30816ab1c7bd1b598e1b07cfd4ad0785cf6f6a5b835d8f212c825a4ed2d7821bb29255428c468c84ec2e609cfe23f79468f60b236ed228b5252a95bd4c0bfef62f2b640c7823e32d72e5f1bddd56835e0b8428ceafada24efe0de582678545de63cbdeee77d6b3929d83d9b5db2134349444926c6fdf2422c786a67e017a8f98659b9c80ce95ef - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -73938,6 +74285,7 @@ EntropyPredictionResistanceA.14 = 7a7721ea04f0e15f08ac5bc6f52ba3cc2c9f62f0bd8adb - EntropyPredictionResistanceB.14 = b38c8a67366b0aa435d71cb0050039a98447b1a40a0eeec63b33eb6b37e2edda - Output.14 = f5fd860edbe302d1448ff77d56b368c4eb156490aaf07a640a87a7036201fb816bf24066b7caa9cdd709da7234882939e717298193f9dcd634c8975dd95ab56c38e8407db56dd8713b0c85842f85516640d3faa7b5e12a390ddf0d4d80c96a407b9a2a4767fdcf9c37d504134dfe0a90c8b10ec9bbcdbc56e54180022461c69379c7aed3f5732e1e56d03d078bd8b6e7c621f518a631f0eb493d5b747877a9cfcd06e61674a2f5295a91830b5dae43e30c1e72fc8c91528acd13566b723acd6d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -74063,6 +74411,7 @@ AdditionalInputB.14 = 9fd99df9cba9f0cd2445ad2d4b2c6d34c112d882b7c364b1d52f47d880 - EntropyPredictionResistanceB.14 = 3c2b67fcb3929cbfe60ea272a0295c1a59c631ba2f9619c0c93337646731a8df - Output.14 = cb3c238037a3165f17d416dc04fa07a41eeb7041afb26f5d02de1ae45a9ddf37eef688c9c29ac05fa9dfc35947123cb3db0125f5bd5453f4e48a3b2cb027465ca74f9952456d3bb0efdbc047f96a201e78d813ee37e213240eac293479444723d63148333d93dd7cf81b2e19a7c6feb217c32b25a4cd184a8bf7c2aaac149744cc53134d38eb4a2bcdec0d69950171847fa97d0766a19c3f96e9076520d25b1741a9c4fa31bcfd6b3ad8e4aad6f0c33751d128b9bdf4975e0819985c3b00dcb0 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -74143,6 +74492,7 @@ EntropyPredictionResistanceA.14 = d5029f8d6b538542043669856f1f443d1b0cba26f5a075 - EntropyPredictionResistanceB.14 = e184b0afcf6bc3bf9c121b0df5aeb8f8fb94eeab939de04b5deea470ab94de15 - Output.14 = 86c8cd6a92b103b0d88e54be7d4c1a9f8e2ebfebeb66cd812298fcfef3a7eb84dd84d0683a12497716c4325e8105b39c9841dca2d60da1dc875b904839b18d1681805d058faa0ae897bdcea8528b8e99bc6899f96ce635f3176a645224d668afedaef3d65336b91c78cbb7f0a5090e95938e15f0e43d827bc22a4cc714aac95d69b90553b06a9f3a76cdc0e04d0f6e24a91ef5468bee2f77b631d5a5bd95d74eb91be516027c86a17240611746aa99c6c84003aad7b809c0ae72f221c564c8ca - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -74253,6 +74603,7 @@ AdditionalInputB.14 = 1161d440c1db4c8bbef4967dbb70d8054c1713dac5c1bf62866e1f0327 - EntropyPredictionResistanceB.14 = 5cf03ac2109ac324991b13b84b25d44bf6edd86f634a2358c3eccc9e3f477ee9 - Output.14 = e0793def2fb3674f7401517bc0645973b7f97091c3b96b3bdcebd96b882ed393ed38f7b7f5a6e381dad287f642c99e9cc6b6eb090092e468c96d743b20c7c71371a1c64637256d041211300213a9aa330c05e80db3456de1d55e6d7e3aa3d7a501450ec24c74da213b7184f4ee481c416f6b7e0877d947393921b72a6636d642c8d33b9e57a35efa2490d37f8fe584644e0c19a54941248fbbd2fa31310a4592926db7092f5e8b3ad1111454e04705f79e46f4f6e4d109f4c0fc67a253550bb4 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -74348,6 +74699,7 @@ EntropyPredictionResistanceA.14 = b35a6d3ba1b4b3d62389ff2dfe1a8a9ff527d4fd3b2cba - EntropyPredictionResistanceB.14 = 325043f919f312cac2102d97cdc26a58637120c01c09448be861dd97751e8672 - Output.14 = 32ccfedd45cd80172e146ce0982f6046a96735237e6df0033eb5d61d134383efe454da37a8ff31689613a808ef649f5eada3214ea50ff21b673bd407662006c157f98a36418bfe72493134f6d8e2b5276610d6626977cb725d43a526ab523ddb97ce76e6802c60da568402ed854bb9e1af9cc74f123493b19b765aed7dca28bfed8bfaa58601c1f2d1e1b782b83337cd42c0c304e7415da0ddffc9078d42fe6b59e5454dfcd71d59cdd453303018c28015d88c914b62d8c3fcb94eaf5654b02d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-384 - PredictionResistance = 1 -@@ -76113,6 +76465,7 @@ AdditionalInputB.14 = b969d2503e5dea21ce90fe8ce89cf9e6e9165313fbf44286ca91a689b4 - EntropyPredictionResistanceB.14 = 0735d5d8322df6f7568e2bb29a8d63461d8b28ed9af5f7323ab96292c31cb59f - Output.14 = 7ecd4eef593d3c8c2ad90851d17501e666cf22ade15471b3739882cfbf0b03acdb6b83288f22f4a6246fccb608c98cb906a5e9a42fdfbefa52e968e903d175b90f51369d21bd8f408a723768d6de02606a15f37e9a16469146de7340d8c6e58d293a2fce0de7217f7a16e9bb7000f54f35b5b58ab24c0dea43508f52a718eeb46be9618461afcbfc2ea4ad3a38ccb180db88a0fcdfb2d883f82e27fc119a249e668ced1e33dd66ba23ddd0ecef668e91d17654ba13dccb5f8b858f44171f4629ad4a91459b6c257eb20cfeb814e289518947d94f9827514aaad7036bc19cb0b73857b1d9ca3ef069d2d20eb5ada8505fcf404052d9889138cf51e137e70468f1 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76193,6 +76546,7 @@ EntropyPredictionResistanceA.14 = f80eee174bd5b1b8abdcbec30c62b3aa85ade4d9a43e2a - EntropyPredictionResistanceB.14 = a150d5528a5f79914074a783738af08eae5c95b49f407929 - Output.14 = 88ff82264427067d717027de8edc886c01c782379ccb937cd6434703d4f0ab13acb4142149372fffc793813733ebdc9058c85d900f4e442a2369c16057e4dec1a75f5c5858d2fd1d69a48227b293a953b24fe38adda48f080a9cc5666e299ce301d2f230ad5581fb05aa78a00dd35a9d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76303,6 +76657,7 @@ AdditionalInputB.14 = ee19a759562c231ecfc777c588087e790d5e170956b11c08 - EntropyPredictionResistanceB.14 = 4a004a5c4a0ec328a0ff26ac0aca82ce35ee9064add86094 - Output.14 = ae21ee878e4664c73f22e88ec4a646c0192b5c52a7bebb7b17a94a7c4630568b81da000983bf0d1a96e96432175a214ce7bc9332bb7e99f2a81e588ee4c1120c1eb22cc6b24a386ac5a11c4d63de4f20bfc8d9e4094613730f900ad7b54498954040a1fe7b53cd2a0989b3bf8946aa1e - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76398,6 +76753,7 @@ EntropyPredictionResistanceA.14 = 4f0d9e7c269ab360dbdf47e9ea7d655c204dce80082451 - EntropyPredictionResistanceB.14 = 8290ade448d2d83445b96ac682366659b228f952faa1f9a3 - Output.14 = 0d6bd0196ae2b3af4a750e4ea529b353979b30ab1bd05e96bf3c6f0c40b527ad07d90db5a1f392fef1d33bac5cc2a47cf4d9f20b8388a922d869f073e65ce6340cf30d45645a03a951dadbe81cffdcd145a32519658d0efe9f28175871b45cd6ca16e4efbd37802a1b88682819e5800a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76523,6 +76879,7 @@ AdditionalInputB.14 = 4e29e32346671af3b726d7030ccf470f72ca369687b489dc - EntropyPredictionResistanceB.14 = 21d5eebf3f54780f046fe2cffb2cc9b52eed850d1b44d675 - Output.14 = abc8ffaebfda52cf3a9bc037b965f9e97ba7aafbe1575efe8fa7182229d58a2d1282776225af0ea87dd79de7b210f654388c718f8dfe22aedbb4cfe92a964664904b960f2577f43f6c48783a8423788de7aa693ed859c8269e3c8b8b59eca1659c0473aae8b0a444d4aaff23991709cb - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76603,6 +76960,7 @@ EntropyPredictionResistanceA.14 = 02496883d50bc28e037a370890edab9be1a69e003e70a7 - EntropyPredictionResistanceB.14 = db072d2518f7b6b73292f7e167bec9cf5fcbeb265c316ae5 - Output.14 = cc01e951f15bdcfe94288a0de84ce187bad281683773f1b8341efecba656d62528ba91ca864c440b085be142dc565c1b7a326dfc9ac47a84623c2cff20b6c047d2f39e3db0b02fab4c1ac82e63bcc06b032c16f6e9ddd8c60f03f5b55cc40acb3b5e2de6ae3938f0e2fe21d72134346d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76713,6 +77071,7 @@ AdditionalInputB.14 = cad366cc562a45f74fda0bf6fd3eafc0f3dd59c666b33881 - EntropyPredictionResistanceB.14 = acbf8dcb97c61718c9cc8adeca8873e31b794086d7b84cc3 - Output.14 = a6ddaf00876c5bf50d7a2f5b986a770685f64ef54e2273c51ec1e594378fcd08f16316d1589f1c5948f524b3fd57d40b4ad732ae06f3bfb5359e6282105bc70fdddc9d1920c5092cabcf0c8ec14642d50be19de439ffafdedf3ec9e0672eb7754814eeea09430d65ba181525c616c31d - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76808,6 +77167,7 @@ EntropyPredictionResistanceA.14 = d1c3175c4853102ed4b306eea013cc448d325938c52940 - EntropyPredictionResistanceB.14 = c0139e13d5d7c5bbf9c2394973d00487d49d4241ae7e90cc - Output.14 = df70ba5809a640b8fa1ab712d6ea7048f8609944d63bf4fa958556ae020d95a9011ddf0041a75b708a372a486e9ca8e0d2c361e4f75171710ab42d49ba3c0b6dfc4b3614b3577ddca5adbfb2d096acc4a72bdf1c6113cf6f0bfb5e8f1d69ef0a4a4edae75ccafd614ae1e718f60e3196 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -76933,6 +77293,7 @@ AdditionalInputB.14 = a3c2f11654592e478c8ac1a1fce2224627ca37bd0efb44ab - EntropyPredictionResistanceB.14 = f986d7f33aad227e98d9087fe30c34f1c18b42f85d56b72c - Output.14 = b1fad8f7950787c949b41dbc5581069f0920058614c3ea7bf1edf3812027a4c989d8b029e08c4ee77c76c4457aaa3d89dc775c6c60bb125dfb969729fe669152a173256b4d2181e84bbc63bcad8ae645f4371682a39ae65d00f004e344ddff5374b257d8881f63d4ab960017258815c1 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77013,6 +77374,7 @@ EntropyPredictionResistanceA.14 = 42d19ff5c985c31c955a0aed5ed02581ffbf2a0ae62d78 - EntropyPredictionResistanceB.14 = 7f9af6a606c9b315c04faf5ce3c0412092edb19f9463784c - Output.14 = 219072e8b6d939f75ab90edc91ade50b8e40f2c1fae68aa5fb5bb297506ebc5f18d20492b55fd73ec118e6d74e4796c1dd28d50f903dca70960ba66b33b0a6c3d06e2ba79eada96b613324914b19224f0c710af7793722687f9d464093fc651a5d613b03c6d71bcad9bf2c74a4844718 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77123,6 +77485,7 @@ AdditionalInputB.14 = ecced4ace2d11cb2e02c253d81d15ecfaf555a51189d2051 - EntropyPredictionResistanceB.14 = cff57ef512d7da05e7ea7d197c797962099c64ad89f52a24 - Output.14 = 40f8480b22c24bde9c66f91761b1ecf25a6486024315b58028ddb8a88088f7deffc671a9465671c370f7877527e72c4259669890abc4efbdbb09550a84fa2f60a41d74c9d7960d5fa05e9f66ecd5ac344970aacc23ab1361d364eb697abfd6cd621773f4ea7ec2dc7795cc533abe664a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77218,6 +77581,7 @@ EntropyPredictionResistanceA.14 = 4de293b3ea5c26925d39d5376ed5fd43b9b775b80c6cac - EntropyPredictionResistanceB.14 = 4e7f27a772fb8de77031b24cc514c06086de59989856694c - Output.14 = c1ec91ec7585ffc05d765d0a9e30f62bcdc115426af9947eab68b6c9a88e6a11890704b623eb7acaec77bc6988da9246e10aa3eaf65380f3083bbecd4a41ccb09879ed9c46669a78102b7822b157d0d2a3bf09b452300ccac217db03b455382d8990e3bdd9a2a6461b19dfdfbad5910a - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77343,6 +77707,7 @@ AdditionalInputB.14 = b87bf3d164ac955913ae4a780ac654d9a67c37c8df1f79c7 - EntropyPredictionResistanceB.14 = e2b5224119118410592ae0b238dfd75ad576b3eaa1848313 - Output.14 = cbf31760cbefcebf50289b9ad8e9443cde14fd6beee80c0bae83cdf77deb6e9c77ddcd0316667373b28b9431857e6e7cdccd8b6906927f66b362452325339a035b23baca8ce1697663e4879cc2084fceed28e9bbb2dbb91f868ba7626f6b7e5ea87eaa48ca50f9b76ac2c74b39bc9a86 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77423,6 +77788,7 @@ EntropyPredictionResistanceA.14 = d931a0cbda3985a34b0a2eac42e9bc5ead10520de4e7d1 - EntropyPredictionResistanceB.14 = 518e2480b742f9c30098a6d543d1669678084b3208b5375b - Output.14 = ef57d91db4d94aef743f1528e0c27b69654e3a854fb7479d25a8796b06c85884f328db9a09deb9be55cdeb9cca2a5a00ba56e28d2fa0057ef1ccb00b22a0a747bf15e7b303b990bf2fc3903f96cc55e69d8808c9da93231e5e859f7ec9edc9961dfc9b30b30ce0f43a3d65da93a82377 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77533,6 +77899,7 @@ AdditionalInputB.14 = 51f6a64ad57705cbae6b92cdeb622a0701f5500e6ad7eb0a - EntropyPredictionResistanceB.14 = d5f8c2ba94bd849bd1434ff9d0b72517a7e6d381f13387a0 - Output.14 = 15d882c8ec0a8ff1544813ba2a6cebe81281117628fc4e79371b7e84027d0d9322a76e42c733c73ba90c4b204bbe329a4ff344c3fd8204e0c220154ca9cd04c80457cebc33f9466c33358fe1c05d49bf83d174f8abf530b46b701c0ba24b081dda46ae38f58815a996fe878fa6884845 - -+Availablein = default - RAND = HMAC-DRBG - Digest = SHA-512/224 - PredictionResistance = 1 -@@ -77628,6 +77995,7 @@ EntropyPredictionResistanceA.14 = 7ac8115615a29c535ce9b45d3e57d6f9ab0e6d4a021fe9 - EntropyPredictionResistanceB.14 = f6ab8840edeb3c20d7bddf7fdaa5c980c58bfd116551d1ae - Output.14 = a85a3ede0e85ce593be2a2a2c650d49a740e9b8f07c24348d2bd968c917d442ed8de8a0d8ec8ff09ff86e6f279159001382cdb92f4625d12365443881df226c9a3833ba051a92f29fb55b788ab4b2d01958b9c067b43bb86c4e547b24e609e0d86aa3b75ea8d73e2c90092a50bcc6ce9 + Title = HMAC DRBG Prediction Resistance Tests (from NIST test vectors) +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/224 + Digest = SHA-1 PredictionResistance = 1 -@@ -77753,6 +78121,7 @@ AdditionalInputB.14 = f0431c9d8925aaaf8f28d112773e5f5fed7feff633c9b056 - EntropyPredictionResistanceB.14 = 5e27635c34a1b793b2b1f23c9a72eb3e58c6ad63ac752dda - Output.14 = 20a84f074794921d7c1ba7463c4cd5f165ef6ff003555a69a71d529ea8177b3b4845898f031428b320b9dc59b16260d80baab34e7cc6daba5463cb496e4a6588ca5f3547412e63d36d560d9549f87a3ca346968f4dfdda3d0cf9b82384b3e830a8368c659c5aea26b03c4bbb8bbd3878 +@@ -68313,6 +68426,7 @@ EntropyPredictionResistanceA.14 = ae706e740dda50209b20acf90dfa8cec + EntropyPredictionResistanceB.14 = b4d4b4bc7cba4daa285ff88ce9e8d451 + Output.14 = 74acba48f0216087f18042ff14101707c27d281e5ddbc19c722bec3f77bf17ca31239382f4fc1d4dd0f44c296bc2f10f74864951f7da19a23e3e598ac43fb8bbdd1fca8047b98689ef1c05bc81102bb5 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -77833,6 +78202,7 @@ EntropyPredictionResistanceA.14 = 33fd3300d120786b2f756459b222b72728c1b2c53d09aa - EntropyPredictionResistanceB.14 = 96aa233b407f0cb14d6ecf2a243efcd7c1b7ed3fede97dfeb269cf8331189412 - Output.14 = 6a34b428c4ff416d3ae907318928663ac8683ef6328d37b19bd2c179aeb7e56a73c6ed096ebfeb85a263f2c868fb4a2d977d5d41fe12b135b1c9017555b36a9f6775a43c42be37a78eb067f520f091ccd94b38c62fa7d48c494b05b072fee34ba262a4fe1a70c98fea2fae40513723a52d6ea44f5fa168f4c03ae2c73d793ef0 +@@ -68423,6 +68537,7 @@ AdditionalInputB.14 = ccdb3f7d7f6a4d169f5f2e24ec481fcb + EntropyPredictionResistanceB.14 = be4a2c87c875be0e1be01aadf2efeef6 + Output.14 = bfcc8f2ece23d22545ec2176aabd083855923ca9a673b54b66a3e2562212aad3cc74c4c8976de259cc95a2f09a85b7acd1f18c343eff0368a80e73a547efdcd954816b38df1c19556d714897e317d69f +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -77943,6 +78313,7 @@ AdditionalInputB.14 = 2563ad078ad8eda919ed40a81b634073064c22f2b21926bbd9cc1d7c2a - EntropyPredictionResistanceB.14 = 45ddc44189bbcd60713c40e811d6b2acdd1659c670f715703f5b80eb4152311f - Output.14 = c2554fc1931b72acd98e4949707802ab471c4f2eb62813f87f137e698cf89a13fa7366a97b49587d9a0c4d42a62eb0bce27e2ce0e67324739c49eb180216beb51fc82d45b7900fa1c2d3db3a0c781ef93ee57f6a186a61e0f0fd25a8d8d2d9170bd18714cfc1a6e7fb6dc992579cfb0306de5b67c01522b3ea3955d63a775cce +@@ -68518,6 +68633,7 @@ EntropyPredictionResistanceA.14 = f324c09f96434ceea7e756fc2f55a0b3 + EntropyPredictionResistanceB.14 = f043b6e11fc2f671ec00f4d478b791c6 + Output.14 = 40e87b822b1000441884a38b8776baa69fbea99962571e8a20d8af012d50c8c211860ad579869ec880320ea8057d5cb0de9496ec57d8b594ca8be5b94219eaa800af7205f8a83b66c87e0fee9aa9732f +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78038,6 +78409,7 @@ EntropyPredictionResistanceA.14 = e43ba5b540971c4f02f0212bbc0ba521f3e64a627c1d0a - EntropyPredictionResistanceB.14 = 3ca4a33a72e7aed850e64984c28407327d94e6858a65d42b16f985d010b783bd - Output.14 = 2567b74d4d1eeceb6321817f5ada210954643e1212b766bf2eb84d2ce6231c58e346ed57824c409f3c73de40395608a7d3c52708f07ee7e721b7c42ccce5b0baae67364e1cffb7fb0e363eadf3415c99bdc7b730b8c66201da1f8a2290cbd6165912484def03a96b237b793b76b76043cf9fadcd5e66ea94e6110c4b2b025232 +@@ -68643,6 +68759,7 @@ AdditionalInputB.14 = 0d5a2183c9f9ca6941f6a617892f5e47 + EntropyPredictionResistanceB.14 = 998f9cde45b1dc22db6d2d7bfd4f3930 + Output.14 = 934fe82b0951b97dafc5ba16e87b0459691156b42ff2dbbbd8f6ed9b04be952af267c6a17fbfc86de91f9f07eed482a5362b176216a8963af485503ba93b2e82c03a3ee6225077d90cd961e24f6026f6 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78163,6 +78535,7 @@ AdditionalInputB.14 = 7978071c7a648cf7f02c9cdf544d6ff9dbe3c5636f73fe50deb7e89695 - EntropyPredictionResistanceB.14 = aaf9320ee7c103d51512232305aab44b946a73ddb13270f42903a37f84c9da01 - Output.14 = cf5ed4b6208a0db15373d472e240dee04a34e630000f9751cf8d3f15dd6a4fa3a4602ec539dbb1811978493f920e84b2e3ac78bcfd619b6c4e7e0072381a7bc150a91b31a0280dd843ca1c4332ba0757d6f6f0f2f830a623cb78011dec8c4d844f71427b09be4e9fdff4bc1cf3a72a773e06121cd8792232d387170a66ca384b +@@ -68723,6 +68840,7 @@ EntropyPredictionResistanceA.14 = 427b47ed008e489cfd06e1a6e0a9f07b + EntropyPredictionResistanceB.14 = e5ee8df96c0e929446502a4bbd23ab22 + Output.14 = a544ea7c3362570f48a42635f4b79f615d11a5d8a480d85ac71e4be90074fbd5e2d368d00755e95a262d79ed262003d3e2a26f82c37d091ae763a01fba08c87b3ec0ce817bbab8d1905f91f021b7d7d0 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78243,6 +78616,7 @@ EntropyPredictionResistanceA.14 = f124c88bad32cf4ff49ccc4271c7f4046f277c0b1fc73c - EntropyPredictionResistanceB.14 = c32b11359b7ed121c87b85716c2ce83aebdd46cd4c19168ad3930be351ea1ff9 - Output.14 = 9f382e0382f2e6b3ba85ace2cec7301ea6f7d0d3b0895937033df9f710471e468b8162492d18ab45ca809e8aa2f37c15ec599d4b2774947b90c269bc2f8553e639f21e1c371f7a49edb4cb4e51bd1e9fd7d66e3b313ce227373dd2548870378206b4b5fd0d22c48ce03a72003be53ec378d9eab25bc432c7a8bd0eed89adf941 +@@ -68833,6 +68951,7 @@ AdditionalInputB.14 = 3e95f86a7168410eac0c84995c187fd9 + EntropyPredictionResistanceB.14 = fd15dfdd8cfeeb7ce0c76f759dfd47df + Output.14 = 480d9cbbfa6c923866179318b293c52c9ad86c2ee27faa745873a77d0242afe669d1773fd9c17284097ee8e644aa054deefbb9c73732ba6b5004623df15edeb49ef2e1bc8dbe023f7104ea1395d9fd38 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78353,6 +78727,7 @@ AdditionalInputB.14 = df48314d76c0d698923dabd3d23024ac2aa5fd236ad3c6e3b4cf2244a8 - EntropyPredictionResistanceB.14 = 3387fb65c8c1dd5e3d4f64bebb45da1a7e288a22e16f2fbb882dc2f9534717e5 - Output.14 = 31998e0784579bc7aaf5130b747eb295a089a12c1844406aa18c06f19607a2e497adf5352e10c145b3cd2a2532389f771af3028042605f0abe705f8540561c4e376d405c6f2dc23b3d3fe0c14790beea99705e69fac2518154613680012c5a140d45fba7e381f55c61ec7f3850dc586bb1f3cf928685a9d60e06fd93eb1fd8cb +@@ -68928,6 +69047,7 @@ EntropyPredictionResistanceA.14 = 845decbe6e03e423b3660bfe7db383bf + EntropyPredictionResistanceB.14 = f4ee7409c076201255bc78ec82ca5530 + Output.14 = ac57a08b77c528b834df2757069b6330f05a9196fbbb17300f9c31ef596f551ecc56fa3256c0ab1534df4955f2da1e8d98026b7c5e07290faa5131a95d0fa35a56b075752656ab61a74f889fbb735c58 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78448,6 +78823,7 @@ EntropyPredictionResistanceA.14 = bf2e966737aaa8abbccaa45ac5371db4c4dd0bf2b3c9f1 - EntropyPredictionResistanceB.14 = f316f2613b068f607c2fb5218e037c5ab1d80b7d75fda419a7e0caedcfd7ce1a - Output.14 = 36e385da783dd146364fead3dc2dc71bdaa6d30c6ab5f94e007b1ced51b2f45947c57652e305204a0cad2ba7b43056461aed10132d89aea8f9ec7ccf0e7487aa2d97fc40f65b399df732b03f8e6834903c60e2e5d6f5ab1b3a034b3eaaa73936770324ea02bd2830e6b26e00d7b49022ce0454afcecbfb912511cd13090d9693 +@@ -69053,6 +69173,7 @@ AdditionalInputB.14 = 063e444dc2990f59e04839fd5e9eaeb6 + EntropyPredictionResistanceB.14 = e059229538a827fe9b7e5caa44fb1e3d + Output.14 = 62efebd7730c6999fd052b98e2bf26eebc96b617a03fe2f1aa7ea3be1aea833f705a3ef3776adc7578f5bb6955a60853ef267fbc18aa3d57b8e0d9134c81e8ffadd0c66d385e5d535d74a615fa896757 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78573,6 +78949,7 @@ AdditionalInputB.14 = b395f988467a2a5f4f3ddef792f16f2461886caf9d6f12c4d643d20775 - EntropyPredictionResistanceB.14 = 22f2693142e42848bf4c00f65337ec2405cd22bc06c6d035a5acec0a5b7d5d9a - Output.14 = 3edeba227da675e1b9e684317e54c4537691f9a412102a21e32e699ff0c6e95655d3342e94daf37dd08114d16b45328795e24d7381195711792226769975167ccdd10df89410e485c880865676a081ce6a61641fc805d6d06cb4aebbc731de0a7df69ed1107da07821d64e9f8bc124f094bb799fe50a001914a47221a45ca2c9 +@@ -69133,6 +69254,7 @@ EntropyPredictionResistanceA.14 = 74b72e7e1c5f16bf0389dafed9a86ae4 + EntropyPredictionResistanceB.14 = adef9418a342b4717e93df6450429a38 + Output.14 = eae51f34bfaa2970f41c3211ec228cfccc1d3c0fcc077d1d9ba159b3bac8685bc5783f61c67fdd4beca05dd4f14afcfc4d554ae75f73842637671102c3b81cabc9a0638cecad5a6615171be5265d5454 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78653,6 +79030,7 @@ EntropyPredictionResistanceA.14 = dac0795c36fd9cb6eff0cd7137190d573dde7148fc19c2 - EntropyPredictionResistanceB.14 = 1a29a4fb16a73c2c187c6d1b5a1a1394b63b6878abcfffeb94aab5dcd593037b - Output.14 = 835efa36b1ff38ed845f3c2e8f5ec0f89a60f7def6d36f8577192625fb89cb634be535a791e28b1c27320e40f594b1705e712e43856a1a5aba0e98b987fd1b5e6ca78458c98b3f8de449f4f23d0dbfe374e8241a2f12b6cdaeaa896b9953c32d756fc2b70e1edcde45aaab0df6e816fe0d04b2cec88ea159dadbae9b1eed3125 +@@ -69243,6 +69365,7 @@ AdditionalInputB.14 = 696d9380b814b456ca59ed58ea765400 + EntropyPredictionResistanceB.14 = d57fb196a634da13ba8695098ed79f9c + Output.14 = 069848aef419759b75896cd507a109f685228b5639470afeac0caa853f1c3dbe373f99db76bf06fe8bac356bedf6bf18787043970fb0a185c8a0a4d8482aa3059eeba0d244fc03c9b72857dc5188d44b +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78763,6 +79141,7 @@ AdditionalInputB.14 = a908058d07b69a7e7f53869d81128e47303fffa4f0400b3bee7acc4e45 - EntropyPredictionResistanceB.14 = 040c9859c26e54e9d5f92485888bb67acc5092ce679e6a54730ffebaa0fac226 - Output.14 = 3caf4baa5fab5bed4d50b0b4ace9c2ec8c21a1e952d81ebcf23a6cfbd177f53168a876f7e5b7d2c63cd7bba4a1b61b3ef59e1cf87b353ff64c7f798fb0c5d6e375fc1e8653f8d22be965abcc87f178e4023d1ef85baa278faa1eb205e4c05219222f543c5b9ac6a86b00071e34a7b2b9c6983f8ab6f187295f5095b801466a76 +@@ -69338,6 +69461,7 @@ EntropyPredictionResistanceA.14 = 015ef1f359f60a391b3720d578731070 + EntropyPredictionResistanceB.14 = 963736987090fe71e69b4a2480d9b314 + Output.14 = c75a102bea830a8a58d9a9a43cb03b21aea75d8d2a08c37aaae9180a5e1c78e5700b20a5fe1c7ef0a7e3d2adcf539c4c1357946a328a057e719b97d802b586910f804c166d4884d8bbb3bbc03074c53a +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78858,6 +79237,7 @@ EntropyPredictionResistanceA.14 = c689be45ecddc94daaf823c6ddd6491b028ace5c25c407 - EntropyPredictionResistanceB.14 = 2f81e665f02331531ca37635b8664ba5641b8a200031677aba00253f8f1fe035 - Output.14 = 9bfdeef565b0979be0f88e3b9e283433bd1fa2333662445302aa84332aa601a61a5b3d449eb5fe33db385254571eedff49b8d2f49ade41c12133263d447e7edf49998f5c05582504775f5b18bc7a0c075c6bfa4596178d95a019402937712afe69f3ad534fd44259312c63f1970b3d8bd404e758c9e884b19330350020896b37 +@@ -69463,6 +69587,7 @@ AdditionalInputB.14 = e0b7ad60c542e6c2b324652fd2d7cdc6 + EntropyPredictionResistanceB.14 = dc7ea852c3e5467977c7946e77223567 + Output.14 = 0e2e5f47ca8ce1c7fdae1b49d6bc8594da1458eb8dfb35e0602d3812df7532cf6213eba8e75302444529565c40d23d0a336c4cadde37f0def2c3d412984360b65c668ef43263fada16b28860f6ee6ceb +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -78983,6 +79363,7 @@ AdditionalInputB.14 = a63bd3ef8cfeca1e2552bc111786a992526802e51cd30f0e9e7b7a398a - EntropyPredictionResistanceB.14 = defd0a8320a31b94998e74e0e5e40422e80735b281b9901e9fd1c8ecc50ff2b3 - Output.14 = ffc830d5029f42c1c9aa10d6d90d94abf3bc39269bf4fc4a4ed14435a985cb14da64d79ad4d8951e582b0b793836ef3380dff4d063682a4e8ac8796ca74e74d3933e5111bb92d219b72b28f4198b23446e422aaa7f33ade182801506aec4293fd69c3fc86cf39297867d16b98738740f1b7465043e0eaf7480d1c328ce2b4cfc +@@ -69543,6 +69668,7 @@ EntropyPredictionResistanceA.14 = 4912a46c447c2de26dbbaec01817d2a6 + EntropyPredictionResistanceB.14 = c182dc35363cd7e04394c28030e6d6b9 + Output.14 = 976daafdf1dd5163e88a928d91933678cda9c8ef9a8251070ee8a6b42efda3c00a73303d0426da4a4af7c587174dce9936bfbb68a73979afee9f3a5b4fb4da2eb2b2f2f1c0948b63b45bf583412b2890 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -79063,6 +79444,7 @@ EntropyPredictionResistanceA.14 = 29fa15be2259b4b164b3d232809cd7eeb3c5c24aec81c7 - EntropyPredictionResistanceB.14 = babf7813c6a24d4e68e09025a0d3b0242e9a98779ecdcaa64baf1ef82e8d4a77 - Output.14 = e6528c03849f1535b6f443e30817d3deccc7ea4699fc88ec9d6f3e28e72cc4b199afa5db7ba2da1ffd1a1ce7aa1a15be4892d0d98e27332f6d45ed63a2636073d12b8a99089ac5b55c93aecdb5e584e32ec75e44390016421822158d3596daaca561245bf1b8740d1f3c885be5149505f9591b0679f9b88df45741b767f423ec +@@ -69653,6 +69779,7 @@ AdditionalInputB.14 = 8022a4985c745515682102a25b379301 + EntropyPredictionResistanceB.14 = 8cc2d8a789d343547ee48869f57ae225 + Output.14 = 5707c544445358767b1c4d6c319b6a8d9be38afbf945dd4e869e9136d63c9d74aa872139e8bdd374510ebcf8c36c39e45ff31596fa58721c2a089dea7b418b3f7a00d78c6ba531adbb59ae2ab44bb683 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -79173,6 +79555,7 @@ AdditionalInputB.14 = 711bf57411337724960392a9319e580c226abff909e28d4696fcf5f0e7 - EntropyPredictionResistanceB.14 = 9fac27583fbf9335c2a8d7f1edfb99b18ee5f8e58e537749fb674bcb46ef537a - Output.14 = ab08f911c4c87135c3f9de33cda823f91a1a8cdfd10f59b81f77dd2158890634f7c5373bc40e158a7881f62a18b0b553d3f075fb96112a04e39ad6918fb2f139ae6fe11856e6a0f17a2e1c0cf88ac49563c08ba5c9c48ad6a7a99825148132ccf3a9a46b92597d0a971f33e43c5a3746c0d8564e19d1681173f24e22fa54521a +@@ -69748,6 +69875,7 @@ EntropyPredictionResistanceA.14 = 701b8e70583effd1c4e901c50966127e + EntropyPredictionResistanceB.14 = 40e9ad701b63ee7bd6132d7f056a1f09 + Output.14 = a76b3e058ed1a8ca5860b15abe08a607894207d3d3be5bf6c3dc99c01523c85bf18927bc6d3f66cfef63a238aaef1ee87998100faabeef0d2518f3ccc0423d776a440ec9a87c5601fdf45c309c264dcd +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-1 PredictionResistance = 1 -@@ -79268,6 +79651,7 @@ EntropyPredictionResistanceA.14 = ed3bd1e78d7f3cadcf45170dcbb605913140f68bdf4e36 - EntropyPredictionResistanceB.14 = 214b7501096bf1d7605e9082a9238334ca15522cf2eed77bce6dd3872106dab3 - Output.14 = bdd8721d12e9cafb73070a13d70db1020e95cac5f93037716ae10045007f5ecb8ea90c529e9aa8b0f312a2f81a5086713509e7909bd7081d0c25a33971904e3b90b486c71e185c752311dfa309b53c8cccd9cde63868bced00af0113eeaa77395c717792373ea708973a2f084dfa050cfdd0e73a8c51cc25651cdf8b6b8b3a02 +@@ -76340,6 +76468,7 @@ EntropyPredictionResistanceA.14 = a918ec35414b0bf1d9ba3b80ef838e75b9504fb6b77e40 + EntropyPredictionResistanceB.14 = c25de5d8b1f17acb7303c4a652ea1bcf284bfdc08a12c40ece16e3125fc8757e + Output.14 = a3072880e72e76ec1e467d7c4f4ab8013eca926c96f075a0a25f5550931f4d6b3aff2057ae6fc1382d579e8963ee24459d76d7414d250aaf5b302a539775862e26596176de2891589defa7aa66f763126c7fb7ced0fa80f3f5e1f0d15295e6025fad617e554838876c8c8efb4bef1e1227a1c967afe99540c1992328a70798167eaea5a768f1f4395178dc914cde01b8e6b98266a66c5c079e19e5d3b6599c6dec24e8e155b310164299d1b4d31ab2e0c3b917b0cb627a4cc19c86061c74c849aab764feacd33de7472b7c4e1403cb38f8f1c3062e75966b2e2c0b2d7d966271f3d180440aa2ed2194bbf7d8b9415a5c5bb7f3df7cf2d02740cd4366ee3781a9 +Availablein = default RAND = HMAC-DRBG - Digest = SHA-512/256 + Digest = SHA-512 PredictionResistance = 1 -- 2.38.1 diff --git a/SOURCES/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch b/SOURCES/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch index 81a6544..b61bcb8 100644 --- a/SOURCES/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch +++ b/SOURCES/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch @@ -16,7 +16,6 @@ parameter. Signed-off-by: Clemens Lang --- include/crypto/evp.h | 7 +++++++ - include/openssl/core_names.h | 1 + include/openssl/evp.h | 3 +++ providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++ 4 files changed, 28 insertions(+) @@ -39,18 +38,6 @@ index 76fb990de4..1e2240516e 100644 struct evp_mac_st { OSSL_PROVIDER *prov; int name_id; -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index c019afbbb0..94fab83193 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -173,6 +173,7 @@ extern "C" { - #define OSSL_MAC_PARAM_SIZE "size" /* size_t */ - #define OSSL_MAC_PARAM_BLOCK_SIZE "block-size" /* size_t */ - #define OSSL_MAC_PARAM_TLS_DATA_SIZE "tls-data-size" /* size_t */ -+#define OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" - - /* Known MAC names */ - #define OSSL_MAC_NAME_BLAKE2BMAC "BLAKE2BMAC" diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 49e8e1df78..a5e78efd6e 100644 --- a/include/openssl/evp.h @@ -75,9 +62,9 @@ index 52ebb08b8f..cf5c3ecbe7 100644 +#include "crypto/evp.h" + + #include "internal/ssl3_cbc.h" + #include "prov/implementations.h" - #include "prov/provider_ctx.h" - #include "prov/provider_util.h" @@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl, static const OSSL_PARAM known_gettable_ctx_params[] = { OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), @@ -107,6 +94,30 @@ index 52ebb08b8f..cf5c3ecbe7 100644 return 1; } +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index 6618122417..8b2d430f17 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -137,12 +137,13 @@ my %params = ( + # If "engine",or "properties",are specified, they should always be paired + # with "cipher",or "digest". + +- 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string +- 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string +- 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string +- 'MAC_PARAM_SIZE' => "size", # size_t +- 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t +- 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t ++ 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string ++ 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string ++ 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string ++ 'MAC_PARAM_SIZE' => "size", # size_t ++ 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t ++ 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t ++ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t + + # KDF / PRF parameters + 'KDF_PARAM_SECRET' => "secret", # octet string -- 2.38.1 diff --git a/SOURCES/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch b/SOURCES/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch index 181fedd..3eb6755 100644 --- a/SOURCES/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch +++ b/SOURCES/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch @@ -52,7 +52,7 @@ index 2a0ae63acc..aa0adce5e6 100644 +#define KDF_PBKDF2_MIN_PASSWORD_LEN (8) static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new; - static OSSL_FUNC_kdf_freectx_fn kdf_pbkdf2_free; + static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup; @@ -186,9 +201,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[]) ctx->lower_bound_checks = pkcs5 == 0; } diff --git a/SOURCES/0088-signature-Add-indicator-for-PSS-salt-length.patch b/SOURCES/0088-signature-Add-indicator-for-PSS-salt-length.patch index 20024d3..edfd0b8 100644 --- a/SOURCES/0088-signature-Add-indicator-for-PSS-salt-length.patch +++ b/SOURCES/0088-signature-Add-indicator-for-PSS-salt-length.patch @@ -40,23 +40,11 @@ Dmitry Belyavskiy Signed-off-by: Clemens Lang --- - include/openssl/core_names.h | 1 + include/openssl/evp.h | 4 ++++ - providers/implementations/signature/rsa_sig.c | 18 ++++++++++++++++++ - 3 files changed, 23 insertions(+) + providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++ + util/perl/OpenSSL/paramnames.pm | 23 ++++++++++--------- + 3 files changed, 37 insertions(+), 11 deletions(-) -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 94fab83193..69c59f0b46 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -453,6 +453,7 @@ extern "C" { - #define OSSL_SIGNATURE_PARAM_MGF1_PROPERTIES \ - OSSL_PKEY_PARAM_MGF1_PROPERTIES - #define OSSL_SIGNATURE_PARAM_DIGEST_SIZE OSSL_PKEY_PARAM_DIGEST_SIZE -+#define OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" - - /* Asym cipher parameters */ - #define OSSL_ASYM_CIPHER_PARAM_DIGEST OSSL_PKEY_PARAM_DIGEST diff --git a/include/openssl/evp.h b/include/openssl/evp.h index a5e78efd6e..f239200465 100644 --- a/include/openssl/evp.h @@ -111,6 +99,40 @@ index 49e7f9158a..0c45008a00 100644 OSSL_PARAM_END }; +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index 8b2d430f17..a109e44521 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -377,17 +377,18 @@ my %params = ( + 'EXCHANGE_PARAM_KDF_UKM' => "kdf-ukm", + + # Signature parameters +- 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id", +- 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE', +- 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', +- 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES', +- 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen", +- 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST', +- 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES', +- 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE', +- 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type", +- 'SIGNATURE_PARAM_INSTANCE' => "instance", +- 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string", ++ 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id", ++ 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE', ++ 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', ++ 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES', ++ 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen", ++ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST', ++ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES', ++ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE', ++ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", ++ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type", ++ 'SIGNATURE_PARAM_INSTANCE' => "instance", ++ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string", + + # Asym cipher parameters + 'ASYM_CIPHER_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', -- 2.38.1 diff --git a/SOURCES/0089-PSS-salt-length-from-provider.patch b/SOURCES/0089-PSS-salt-length-from-provider.patch deleted file mode 100644 index 8e61747..0000000 --- a/SOURCES/0089-PSS-salt-length-from-provider.patch +++ /dev/null @@ -1,114 +0,0 @@ -From 0879fac692cb1bff0ec4c196cb364d970ad3ecec Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Mon, 21 Nov 2022 14:33:57 +0100 -Subject: [PATCH 2/3] Obtain PSS salt length from provider - -Rather than computing the PSS salt length again in core using -ossl_rsa_ctx_to_pss_string, which calls rsa_ctx_to_pss and computes the -salt length, obtain it from the provider using the -OSSL_SIGNATURE_PARAM_ALGORITHM_ID param to handle the case where the -interpretation of the magic constants in the provider differs from that -of OpenSSL core. - -Signed-off-by: Clemens Lang ---- - crypto/cms/cms_rsa.c | 19 +++++++++++++++---- - crypto/rsa/rsa_ameth.c | 34 +++++++++++++++++++++------------- - 2 files changed, 36 insertions(+), 17 deletions(-) - -diff --git a/crypto/cms/cms_rsa.c b/crypto/cms/cms_rsa.c -index 20ed816918..997567fdbf 100644 ---- a/crypto/cms/cms_rsa.c -+++ b/crypto/cms/cms_rsa.c -@@ -10,6 +10,7 @@ - #include - #include - #include -+#include - #include "crypto/asn1.h" - #include "crypto/rsa.h" - #include "cms_local.h" -@@ -191,7 +192,10 @@ static int rsa_cms_sign(CMS_SignerInfo *si) - int pad_mode = RSA_PKCS1_PADDING; - X509_ALGOR *alg; - EVP_PKEY_CTX *pkctx = CMS_SignerInfo_get0_pkey_ctx(si); -- ASN1_STRING *os = NULL; -+ unsigned char aid[128]; -+ const unsigned char *pp = aid; -+ size_t aid_len = 0; -+ OSSL_PARAM params[2]; - - CMS_SignerInfo_get0_algs(si, NULL, NULL, NULL, &alg); - if (pkctx != NULL) { -@@ -205,10 +209,17 @@ static int rsa_cms_sign(CMS_SignerInfo *si) - /* We don't support it */ - if (pad_mode != RSA_PKCS1_PSS_PADDING) - return 0; -- os = ossl_rsa_ctx_to_pss_string(pkctx); -- if (os == NULL) -+ -+ params[0] = OSSL_PARAM_construct_octet_string( -+ OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid)); -+ params[1] = OSSL_PARAM_construct_end(); -+ -+ if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0) -+ return 0; -+ if ((aid_len = params[0].return_size) == 0) -+ return 0; -+ if (d2i_X509_ALGOR(&alg, &pp, aid_len) == NULL) - return 0; -- X509_ALGOR_set0(alg, OBJ_nid2obj(EVP_PKEY_RSA_PSS), V_ASN1_SEQUENCE, os); - return 1; - } - -diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c -index c15554505b..61ec53d424 100644 ---- a/crypto/rsa/rsa_ameth.c -+++ b/crypto/rsa/rsa_ameth.c -@@ -637,22 +637,30 @@ static int rsa_item_sign(EVP_MD_CTX *ctx, const ASN1_ITEM *it, const void *asn, - if (pad_mode == RSA_PKCS1_PADDING) - return 2; - if (pad_mode == RSA_PKCS1_PSS_PADDING) { -- ASN1_STRING *os1 = NULL; -- os1 = ossl_rsa_ctx_to_pss_string(pkctx); -- if (!os1) -+ unsigned char aid[128]; -+ size_t aid_len = 0; -+ OSSL_PARAM params[2]; -+ -+ params[0] = OSSL_PARAM_construct_octet_string( -+ OSSL_SIGNATURE_PARAM_ALGORITHM_ID, aid, sizeof(aid)); -+ params[1] = OSSL_PARAM_construct_end(); -+ -+ if (EVP_PKEY_CTX_get_params(pkctx, params) <= 0) - return 0; -- /* Duplicate parameters if we have to */ -- if (alg2) { -- ASN1_STRING *os2 = ASN1_STRING_dup(os1); -- if (!os2) { -- ASN1_STRING_free(os1); -+ if ((aid_len = params[0].return_size) == 0) -+ return 0; -+ -+ if (alg1 != NULL) { -+ const unsigned char *pp = aid; -+ if (d2i_X509_ALGOR(&alg1, &pp, aid_len) == NULL) -+ return 0; -+ } -+ if (alg2 != NULL) { -+ const unsigned char *pp = aid; -+ if (d2i_X509_ALGOR(&alg2, &pp, aid_len) == NULL) - return 0; -- } -- X509_ALGOR_set0(alg2, OBJ_nid2obj(EVP_PKEY_RSA_PSS), -- V_ASN1_SEQUENCE, os2); - } -- X509_ALGOR_set0(alg1, OBJ_nid2obj(EVP_PKEY_RSA_PSS), -- V_ASN1_SEQUENCE, os1); -+ - return 3; - } - return 2; --- -2.38.1 - diff --git a/SOURCES/0090-signature-Clamp-PSS-salt-len-to-MD-len.patch b/SOURCES/0090-signature-Clamp-PSS-salt-len-to-MD-len.patch deleted file mode 100644 index efe7751..0000000 --- a/SOURCES/0090-signature-Clamp-PSS-salt-len-to-MD-len.patch +++ /dev/null @@ -1,338 +0,0 @@ -From 9cc914ff3e1fda124bdc76d72ebc9349ec19f8ae Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Fri, 18 Nov 2022 12:35:33 +0100 -Subject: [PATCH 3/3] signature: Clamp PSS salt len to MD len -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection -5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the -salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of -the hash function output block (in bytes)." - -Introduce a new option RSA_PSS_SALTLEN_AUTO_DIGEST_MAX and make it the -default. The new value will behave like RSA_PSS_SALTLEN_AUTO, but will -not use more than the digest legth when signing, so that FIPS 186-4 is -not violated. This value has two advantages when compared with -RSA_PSS_SALTLEN_DIGEST: (1) It will continue to do auto-detection when -verifying signatures for maximum compatibility, where -RSA_PSS_SALTLEN_DIGEST would fail for other digest sizes. (2) It will -work for combinations where the maximum salt length is smaller than the -digest size, which typically happens with large digest sizes (e.g., -SHA-512) and small RSA keys. - -Signed-off-by: Clemens Lang ---- - crypto/rsa/rsa_ameth.c | 18 ++++++++- - crypto/rsa/rsa_pss.c | 26 ++++++++++-- - doc/man3/EVP_PKEY_CTX_ctrl.pod | 11 ++++- - doc/man7/EVP_SIGNATURE-RSA.pod | 5 +++ - include/openssl/core_names.h | 1 + - include/openssl/rsa.h | 3 ++ - providers/implementations/signature/rsa_sig.c | 40 ++++++++++++++----- - test/recipes/25-test_req.t | 2 +- - 8 files changed, 87 insertions(+), 19 deletions(-) - -diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c -index 61ec53d424..e69a98d116 100644 ---- a/crypto/rsa/rsa_ameth.c -+++ b/crypto/rsa/rsa_ameth.c -@@ -450,6 +450,7 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) - const EVP_MD *sigmd, *mgf1md; - EVP_PKEY *pk = EVP_PKEY_CTX_get0_pkey(pkctx); - int saltlen; -+ int saltlenMax = -1; - - if (EVP_PKEY_CTX_get_signature_md(pkctx, &sigmd) <= 0) - return NULL; -@@ -457,14 +458,27 @@ static RSA_PSS_PARAMS *rsa_ctx_to_pss(EVP_PKEY_CTX *pkctx) - return NULL; - if (EVP_PKEY_CTX_get_rsa_pss_saltlen(pkctx, &saltlen) <= 0) - return NULL; -- if (saltlen == -1) { -+ if (saltlen == RSA_PSS_SALTLEN_DIGEST) { - saltlen = EVP_MD_get_size(sigmd); -- } else if (saltlen == -2 || saltlen == -3) { -+ } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { -+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", -+ * subsection 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in -+ * bytes) of the salt (sLen) shall satisfy 0 <= sLen <= hLen, where -+ * hLen is the length of the hash function output block (in bytes)." -+ * -+ * Provide a way to use at most the digest length, so that the default -+ * does not violate FIPS 186-4. */ -+ saltlen = RSA_PSS_SALTLEN_MAX; -+ saltlenMax = EVP_MD_get_size(sigmd); -+ } -+ if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) { - saltlen = EVP_PKEY_get_size(pk) - EVP_MD_get_size(sigmd) - 2; - if ((EVP_PKEY_get_bits(pk) & 0x7) == 1) - saltlen--; - if (saltlen < 0) - return NULL; -+ if (saltlenMax >= 0 && saltlen > saltlenMax) -+ saltlen = saltlenMax; - } - - return ossl_rsa_pss_params_create(sigmd, mgf1md, saltlen); -diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c -index 33874bfef8..430c36eb2a 100644 ---- a/crypto/rsa/rsa_pss.c -+++ b/crypto/rsa/rsa_pss.c -@@ -61,11 +61,12 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, - * -1 sLen == hLen - * -2 salt length is autorecovered from signature - * -3 salt length is maximized -+ * -4 salt length is autorecovered from signature - * -N reserved - */ - if (sLen == RSA_PSS_SALTLEN_DIGEST) { - sLen = hLen; -- } else if (sLen < RSA_PSS_SALTLEN_MAX) { -+ } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { - ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED); - goto err; - } -@@ -112,7 +113,9 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, - ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_RECOVERY_FAILED); - goto err; - } -- if (sLen != RSA_PSS_SALTLEN_AUTO && (maskedDBLen - i) != sLen) { -+ if (sLen != RSA_PSS_SALTLEN_AUTO -+ && sLen != RSA_PSS_SALTLEN_AUTO_DIGEST_MAX -+ && (maskedDBLen - i) != sLen) { - ERR_raise_data(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED, - "expected: %d retrieved: %d", sLen, - maskedDBLen - i); -@@ -160,6 +163,7 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, - int hLen, maskedDBLen, MSBits, emLen; - unsigned char *H, *salt = NULL, *p; - EVP_MD_CTX *ctx = NULL; -+ int sLenMax = -1; - - if (mgf1Hash == NULL) - mgf1Hash = Hash; -@@ -172,13 +176,25 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, - * -1 sLen == hLen - * -2 salt length is maximized - * -3 same as above (on signing) -+ * -4 salt length is min(hLen, maximum salt length) - * -N reserved - */ -+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection -+ * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the -+ * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of -+ * the hash function output block (in bytes)." -+ * -+ * Provide a way to use at most the digest length, so that the default does -+ * not violate FIPS 186-4. */ - if (sLen == RSA_PSS_SALTLEN_DIGEST) { - sLen = hLen; -- } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN) { -+ } else if (sLen == RSA_PSS_SALTLEN_MAX_SIGN -+ || sLen == RSA_PSS_SALTLEN_AUTO) { - sLen = RSA_PSS_SALTLEN_MAX; -- } else if (sLen < RSA_PSS_SALTLEN_MAX) { -+ } else if (sLen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { -+ sLen = RSA_PSS_SALTLEN_MAX; -+ sLenMax = hLen; -+ } else if (sLen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { - ERR_raise(ERR_LIB_RSA, RSA_R_SLEN_CHECK_FAILED); - goto err; - } -@@ -195,6 +211,8 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, - } - if (sLen == RSA_PSS_SALTLEN_MAX) { - sLen = emLen - hLen - 2; -+ if (sLenMax >= 0 && sLen > sLenMax) -+ sLen = sLenMax; - } else if (sLen > emLen - hLen - 2) { - ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_LARGE_FOR_KEY_SIZE); - goto err; -diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod -index 3075eaafd6..9b96f42dbc 100644 ---- a/doc/man3/EVP_PKEY_CTX_ctrl.pod -+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod -@@ -270,8 +270,8 @@ EVP_PKEY_CTX_get_rsa_padding() gets the RSA padding mode for I. - - EVP_PKEY_CTX_set_rsa_pss_saltlen() sets the RSA PSS salt length to I. - As its name implies it is only supported for PSS padding. If this function is --not called then the maximum salt length is used when signing and auto detection --when verifying. Three special values are supported: -+not called then the salt length is maximized up to the digest length when -+signing and auto detection when verifying. Four special values are supported: - - =over 4 - -@@ -289,6 +289,13 @@ causes the salt length to be automatically determined based on the - B block structure when verifying. When signing, it has the same - meaning as B. - -+=item B -+ -+causes the salt length to be automatically determined based on the B block -+structure when verifying, like B. When signing, the salt -+length is maximized up to a maximum of the digest length to comply with FIPS -+186-4 section 5.5. -+ - =back - - EVP_PKEY_CTX_get_rsa_pss_saltlen() gets the RSA PSS salt length for I. -diff --git a/doc/man7/EVP_SIGNATURE-RSA.pod b/doc/man7/EVP_SIGNATURE-RSA.pod -index 1ce32cc443..13d053e262 100644 ---- a/doc/man7/EVP_SIGNATURE-RSA.pod -+++ b/doc/man7/EVP_SIGNATURE-RSA.pod -@@ -68,6 +68,11 @@ Use the maximum salt length. - - Auto detect the salt length. - -+=item "auto-digestmax" (B) -+ -+Auto detect the salt length when verifying. Maximize the salt length up to the -+digest size when signing to comply with FIPS 186-4 section 5.5. -+ - =back - - =back -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 69c59f0b46..5779f41427 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -399,6 +399,7 @@ extern "C" { - #define OSSL_PKEY_RSA_PSS_SALT_LEN_DIGEST "digest" - #define OSSL_PKEY_RSA_PSS_SALT_LEN_MAX "max" - #define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO "auto" -+#define OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX "auto-digestmax" - - /* Key generation parameters */ - #define OSSL_PKEY_PARAM_RSA_BITS OSSL_PKEY_PARAM_BITS -diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h -index a55c9727c6..daf55bc6d4 100644 ---- a/include/openssl/rsa.h -+++ b/include/openssl/rsa.h -@@ -137,6 +137,9 @@ int EVP_PKEY_CTX_set_rsa_keygen_pubexp(EVP_PKEY_CTX *ctx, BIGNUM *pubexp); - # define RSA_PSS_SALTLEN_AUTO -2 - /* Set salt length to maximum possible */ - # define RSA_PSS_SALTLEN_MAX -3 -+/* Auto-detect on verify, set salt length to min(maximum possible, digest -+ * length) on sign */ -+# define RSA_PSS_SALTLEN_AUTO_DIGEST_MAX -4 - /* Old compatible max salt length for sign only */ - # define RSA_PSS_SALTLEN_MAX_SIGN -2 - -diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c -index 0c45008a00..1a787d77db 100644 ---- a/providers/implementations/signature/rsa_sig.c -+++ b/providers/implementations/signature/rsa_sig.c -@@ -191,8 +191,8 @@ static void *rsa_newctx(void *provctx, const char *propq) - prsactx->libctx = PROV_LIBCTX_OF(provctx); - prsactx->flag_allow_md = 1; - prsactx->propq = propq_copy; -- /* Maximum for sign, auto for verify */ -- prsactx->saltlen = RSA_PSS_SALTLEN_AUTO; -+ /* Maximum up to digest length for sign, auto for verify */ -+ prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; - prsactx->min_saltlen = -1; - return prsactx; - } -@@ -200,13 +200,27 @@ static void *rsa_newctx(void *provctx, const char *propq) - static int rsa_pss_compute_saltlen(PROV_RSA_CTX *ctx) - { - int saltlen = ctx->saltlen; -- -+ int saltlenMax = -1; -+ -+ /* FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection -+ * 5.5 "PKCS #1" says: "For RSASSA-PSS […] the length (in bytes) of the -+ * salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of -+ * the hash function output block (in bytes)." -+ * -+ * Provide a way to use at most the digest length, so that the default does -+ * not violate FIPS 186-4. */ - if (saltlen == RSA_PSS_SALTLEN_DIGEST) { - saltlen = EVP_MD_get_size(ctx->md); -- } else if (saltlen == RSA_PSS_SALTLEN_AUTO || saltlen == RSA_PSS_SALTLEN_MAX) { -+ } else if (saltlen == RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { -+ saltlen = RSA_PSS_SALTLEN_MAX; -+ saltlenMax = EVP_MD_get_size(ctx->md); -+ } -+ if (saltlen == RSA_PSS_SALTLEN_MAX || saltlen == RSA_PSS_SALTLEN_AUTO) { - saltlen = RSA_size(ctx->rsa) - EVP_MD_get_size(ctx->md) - 2; - if ((RSA_bits(ctx->rsa) & 0x7) == 1) - saltlen--; -+ if (saltlenMax >= 0 && saltlen > saltlenMax) -+ saltlen = saltlenMax; - } - if (saltlen < 0) { - ERR_raise(ERR_LIB_PROV, ERR_R_INTERNAL_ERROR); -@@ -411,8 +425,8 @@ static int rsa_signverify_init(void *vprsactx, void *vrsa, - - prsactx->operation = operation; - -- /* Maximum for sign, auto for verify */ -- prsactx->saltlen = RSA_PSS_SALTLEN_AUTO; -+ /* Maximize up to digest length for sign, auto for verify */ -+ prsactx->saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; - prsactx->min_saltlen = -1; - - switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { -@@ -1110,6 +1124,9 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) - case RSA_PSS_SALTLEN_AUTO: - value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO; - break; -+ case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: -+ value = OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX; -+ break; - default: - { - int len = BIO_snprintf(p->data, p->data_size, "%d", -@@ -1297,6 +1314,8 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) - saltlen = RSA_PSS_SALTLEN_MAX; - else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO) == 0) - saltlen = RSA_PSS_SALTLEN_AUTO; -+ else if (strcmp(p->data, OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX) == 0) -+ saltlen = RSA_PSS_SALTLEN_AUTO_DIGEST_MAX; - else - saltlen = atoi(p->data); - break; -@@ -1305,11 +1324,11 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) - } - - /* -- * RSA_PSS_SALTLEN_MAX seems curiously named in this check. -- * Contrary to what it's name suggests, it's the currently -- * lowest saltlen number possible. -+ * RSA_PSS_SALTLEN_AUTO_DIGEST_MAX seems curiously named in this check. -+ * Contrary to what it's name suggests, it's the currently lowest -+ * saltlen number possible. - */ -- if (saltlen < RSA_PSS_SALTLEN_MAX) { -+ if (saltlen < RSA_PSS_SALTLEN_AUTO_DIGEST_MAX) { - ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH); - return 0; - } -@@ -1317,6 +1336,7 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) - if (rsa_pss_restricted(prsactx)) { - switch (saltlen) { - case RSA_PSS_SALTLEN_AUTO: -+ case RSA_PSS_SALTLEN_AUTO_DIGEST_MAX: - if (prsactx->operation == EVP_PKEY_OP_VERIFY) { - ERR_raise_data(ERR_LIB_PROV, PROV_R_INVALID_SALT_LENGTH, - "Cannot use autodetected salt length"); -diff --git a/test/recipes/25-test_req.t b/test/recipes/25-test_req.t -index e615f1b338..35541aed12 100644 ---- a/test/recipes/25-test_req.t -+++ b/test/recipes/25-test_req.t -@@ -199,7 +199,7 @@ subtest "generating certificate requests with RSA-PSS" => sub { - ok(!run(app(["openssl", "req", - "-config", srctop_file("test", "test.cnf"), - "-new", "-out", "testreq-rsapss3.pem", "-utf8", -- "-sigopt", "rsa_pss_saltlen:-4", -+ "-sigopt", "rsa_pss_saltlen:-5", - "-key", srctop_file("test", "testrsapss.pem")])), - "Generating request with expected failure"); - --- -2.38.1 - diff --git a/SOURCES/0092-provider-improvements.patch b/SOURCES/0092-provider-improvements.patch deleted file mode 100644 index b850fc3..0000000 --- a/SOURCES/0092-provider-improvements.patch +++ /dev/null @@ -1,705 +0,0 @@ -From 98642df4ba886818900ab7e6b23703544e6addd4 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Thu, 10 Nov 2022 10:46:32 -0500 -Subject: [PATCH 1/3] Propagate selection all the way on key export - -EVP_PKEY_eq() is used to check, among other things, if a certificate -public key corresponds to a private key. When the private key belongs to -a provider that does not allow to export private keys this currently -fails as the internal functions used to import/export keys ignored the -selection given (which specifies that only the public key needs to be -considered) and instead tries to export everything. - -This patch allows to propagate the selection all the way down including -adding it in the cache so that a following operation actually looking -for other selection parameters does not mistakenly pick up an export -containing only partial information. - -Signed-off-by: Simo Sorce - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/19648) - -diff --git a/crypto/evp/keymgmt_lib.c b/crypto/evp/keymgmt_lib.c -index b06730dc7a..2d0238ee27 100644 ---- a/crypto/evp/keymgmt_lib.c -+++ b/crypto/evp/keymgmt_lib.c -@@ -93,7 +93,8 @@ int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, - export_cb, export_cbarg); - } - --void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) -+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, -+ int selection) - { - struct evp_keymgmt_util_try_import_data_st import_data; - OP_CACHE_ELEM *op; -@@ -127,7 +128,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) - */ - if (pk->dirty_cnt == pk->dirty_cnt_copy) { - /* If this key is already exported to |keymgmt|, no more to do */ -- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt); -+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection); - if (op != NULL && op->keymgmt != NULL) { - void *ret = op->keydata; - -@@ -157,13 +158,13 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) - /* Setup for the export callback */ - import_data.keydata = NULL; /* evp_keymgmt_util_try_import will create it */ - import_data.keymgmt = keymgmt; -- import_data.selection = OSSL_KEYMGMT_SELECT_ALL; -+ import_data.selection = selection; - - /* - * The export function calls the callback (evp_keymgmt_util_try_import), - * which does the import for us. If successful, we're done. - */ -- if (!evp_keymgmt_util_export(pk, OSSL_KEYMGMT_SELECT_ALL, -+ if (!evp_keymgmt_util_export(pk, selection, - &evp_keymgmt_util_try_import, &import_data)) - /* If there was an error, bail out */ - return NULL; -@@ -173,7 +174,7 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) - return NULL; - } - /* Check to make sure some other thread didn't get there first */ -- op = evp_keymgmt_util_find_operation_cache(pk, keymgmt); -+ op = evp_keymgmt_util_find_operation_cache(pk, keymgmt, selection); - if (op != NULL && op->keydata != NULL) { - void *ret = op->keydata; - -@@ -196,7 +197,8 @@ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt) - evp_keymgmt_util_clear_operation_cache(pk, 0); - - /* Add the new export to the operation cache */ -- if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata)) { -+ if (!evp_keymgmt_util_cache_keydata(pk, keymgmt, import_data.keydata, -+ selection)) { - CRYPTO_THREAD_unlock(pk->lock); - evp_keymgmt_freedata(keymgmt, import_data.keydata); - return NULL; -@@ -232,7 +234,8 @@ int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking) - } - - OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, -- EVP_KEYMGMT *keymgmt) -+ EVP_KEYMGMT *keymgmt, -+ int selection) - { - int i, end = sk_OP_CACHE_ELEM_num(pk->operation_cache); - OP_CACHE_ELEM *p; -@@ -243,14 +246,14 @@ OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, - */ - for (i = 0; i < end; i++) { - p = sk_OP_CACHE_ELEM_value(pk->operation_cache, i); -- if (keymgmt == p->keymgmt) -+ if (keymgmt == p->keymgmt && (p->selection & selection) == selection) - return p; - } - return NULL; - } - --int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, -- EVP_KEYMGMT *keymgmt, void *keydata) -+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, -+ void *keydata, int selection) - { - OP_CACHE_ELEM *p = NULL; - -@@ -266,6 +269,7 @@ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, - return 0; - p->keydata = keydata; - p->keymgmt = keymgmt; -+ p->selection = selection; - - if (!EVP_KEYMGMT_up_ref(keymgmt)) { - OPENSSL_free(p); -@@ -391,7 +395,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection) - ok = 1; - if (keydata1 != NULL) { - tmp_keydata = -- evp_keymgmt_util_export_to_provider(pk1, keymgmt2); -+ evp_keymgmt_util_export_to_provider(pk1, keymgmt2, -+ selection); - ok = (tmp_keydata != NULL); - } - if (ok) { -@@ -411,7 +416,8 @@ int evp_keymgmt_util_match(EVP_PKEY *pk1, EVP_PKEY *pk2, int selection) - ok = 1; - if (keydata2 != NULL) { - tmp_keydata = -- evp_keymgmt_util_export_to_provider(pk2, keymgmt1); -+ evp_keymgmt_util_export_to_provider(pk2, keymgmt1, -+ selection); - ok = (tmp_keydata != NULL); - } - if (ok) { -diff --git a/crypto/evp/p_lib.c b/crypto/evp/p_lib.c -index 70d17ec37e..905e9c9ce4 100644 ---- a/crypto/evp/p_lib.c -+++ b/crypto/evp/p_lib.c -@@ -1822,6 +1822,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, - { - EVP_KEYMGMT *allocated_keymgmt = NULL; - EVP_KEYMGMT *tmp_keymgmt = NULL; -+ int selection = OSSL_KEYMGMT_SELECT_ALL; - void *keydata = NULL; - int check; - -@@ -1883,7 +1884,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, - if (pk->ameth->dirty_cnt(pk) == pk->dirty_cnt_copy) { - if (!CRYPTO_THREAD_read_lock(pk->lock)) - goto end; -- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt); -+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, -+ selection); - - /* - * If |tmp_keymgmt| is present in the operation cache, it means -@@ -1938,7 +1940,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, - EVP_KEYMGMT_free(tmp_keymgmt); /* refcnt-- */ - - /* Check to make sure some other thread didn't get there first */ -- op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt); -+ op = evp_keymgmt_util_find_operation_cache(pk, tmp_keymgmt, selection); - if (op != NULL && op->keymgmt != NULL) { - void *tmp_keydata = op->keydata; - -@@ -1949,7 +1951,8 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, - } - - /* Add the new export to the operation cache */ -- if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata)) { -+ if (!evp_keymgmt_util_cache_keydata(pk, tmp_keymgmt, keydata, -+ selection)) { - CRYPTO_THREAD_unlock(pk->lock); - evp_keymgmt_freedata(tmp_keymgmt, keydata); - keydata = NULL; -@@ -1964,7 +1967,7 @@ void *evp_pkey_export_to_provider(EVP_PKEY *pk, OSSL_LIB_CTX *libctx, - } - #endif /* FIPS_MODULE */ - -- keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt); -+ keydata = evp_keymgmt_util_export_to_provider(pk, tmp_keymgmt, selection); - - end: - /* -diff --git a/include/crypto/evp.h b/include/crypto/evp.h -index f601b72807..dbbdcccbda 100644 ---- a/include/crypto/evp.h -+++ b/include/crypto/evp.h -@@ -589,6 +589,7 @@ int evp_cipher_asn1_to_param_ex(EVP_CIPHER_CTX *c, ASN1_TYPE *type, - typedef struct { - EVP_KEYMGMT *keymgmt; - void *keydata; -+ int selection; - } OP_CACHE_ELEM; - - DEFINE_STACK_OF(OP_CACHE_ELEM) -@@ -778,12 +779,14 @@ EVP_PKEY *evp_keymgmt_util_make_pkey(EVP_KEYMGMT *keymgmt, void *keydata); - - int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, - OSSL_CALLBACK *export_cb, void *export_cbarg); --void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); -+void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, -+ int selection); - OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, -- EVP_KEYMGMT *keymgmt); -+ EVP_KEYMGMT *keymgmt, -+ int selection); - int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); --int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, -- EVP_KEYMGMT *keymgmt, void *keydata); -+int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, -+ void *keydata, int selection); - void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); - void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, - int selection, const OSSL_PARAM params[]); --- -2.38.1 - -From 504427eb5f32108dd64ff7858012863fe47b369b Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Thu, 10 Nov 2022 16:58:28 -0500 -Subject: [PATCH 2/3] Update documentation for keymgmt export utils - -Change function prototypes and explain how to use the selection -argument. - -Signed-off-by: Simo Sorce - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/19648) - -diff --git a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod -index 1fee9f6ff9..7099e44964 100644 ---- a/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod -+++ b/doc/internal/man3/evp_keymgmt_util_export_to_provider.pod -@@ -20,12 +20,14 @@ OP_CACHE_ELEM - - int evp_keymgmt_util_export(const EVP_PKEY *pk, int selection, - OSSL_CALLBACK *export_cb, void *export_cbarg); -- void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt); -+ void *evp_keymgmt_util_export_to_provider(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, -+ int selection); - OP_CACHE_ELEM *evp_keymgmt_util_find_operation_cache(EVP_PKEY *pk, -- EVP_KEYMGMT *keymgmt); -+ EVP_KEYMGMT *keymgmt, -+ int selection); - int evp_keymgmt_util_clear_operation_cache(EVP_PKEY *pk, int locking); -- int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, -- EVP_KEYMGMT *keymgmt, void *keydata); -+ int evp_keymgmt_util_cache_keydata(EVP_PKEY *pk, EVP_KEYMGMT *keymgmt, -+ void *keydata, int selection); - void evp_keymgmt_util_cache_keyinfo(EVP_PKEY *pk); - void *evp_keymgmt_util_fromdata(EVP_PKEY *target, EVP_KEYMGMT *keymgmt, - int selection, const OSSL_PARAM params[]); -@@ -65,6 +67,11 @@ evp_keymgmt_util_fromdata() can be used to add key object data to a - given key I via a B interface. This is used as a - helper for L. - -+In all functions that take a I argument, the selection is used to -+constraint the information requested on export. It is also used in the cache -+so that key data is guaranteed to contain all the information requested in -+the selection. -+ - =head1 RETURN VALUES - - evp_keymgmt_export_to_provider() and evp_keymgmt_util_fromdata() --- -2.38.1 - -From e5202fbd461cb6c067874987998e91c6093e5267 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Fri, 11 Nov 2022 12:18:26 -0500 -Subject: [PATCH 3/3] Add test for EVP_PKEY_eq - -This tests that the comparison work even if a provider can only return -a public key. - -Signed-off-by: Simo Sorce - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/19648) - -diff --git a/test/fake_rsaprov.c b/test/fake_rsaprov.c -index d556551bb6..5e92e72d4b 100644 ---- a/test/fake_rsaprov.c -+++ b/test/fake_rsaprov.c -@@ -22,24 +22,34 @@ static OSSL_FUNC_keymgmt_has_fn fake_rsa_keymgmt_has; - static OSSL_FUNC_keymgmt_query_operation_name_fn fake_rsa_keymgmt_query; - static OSSL_FUNC_keymgmt_import_fn fake_rsa_keymgmt_import; - static OSSL_FUNC_keymgmt_import_types_fn fake_rsa_keymgmt_imptypes; -+static OSSL_FUNC_keymgmt_export_fn fake_rsa_keymgmt_export; -+static OSSL_FUNC_keymgmt_export_types_fn fake_rsa_keymgmt_exptypes; - static OSSL_FUNC_keymgmt_load_fn fake_rsa_keymgmt_load; - - static int has_selection; - static int imptypes_selection; -+static int exptypes_selection; - static int query_id; - -+struct fake_rsa_keydata { -+ int selection; -+ int status; -+}; -+ - static void *fake_rsa_keymgmt_new(void *provctx) - { -- unsigned char *keydata = OPENSSL_zalloc(1); -+ struct fake_rsa_keydata *key; - -- TEST_ptr(keydata); -+ if (!TEST_ptr(key = OPENSSL_zalloc(sizeof(struct fake_rsa_keydata)))) -+ return NULL; - - /* clear test globals */ - has_selection = 0; - imptypes_selection = 0; -+ exptypes_selection = 0; - query_id = 0; - -- return keydata; -+ return key; - } - - static void fake_rsa_keymgmt_free(void *keydata) -@@ -67,14 +77,104 @@ static const char *fake_rsa_keymgmt_query(int id) - static int fake_rsa_keymgmt_import(void *keydata, int selection, - const OSSL_PARAM *p) - { -- unsigned char *fake_rsa_key = keydata; -+ struct fake_rsa_keydata *fake_rsa_key = keydata; - - /* key was imported */ -- *fake_rsa_key = 1; -+ fake_rsa_key->status = 1; - - return 1; - } - -+static unsigned char fake_rsa_n[] = -+ "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F" -+ "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5" -+ "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93" -+ "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1" -+ "\xF5"; -+ -+static unsigned char fake_rsa_e[] = "\x11"; -+ -+static unsigned char fake_rsa_d[] = -+ "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44" -+ "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64" -+ "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9" -+ "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51"; -+ -+static unsigned char fake_rsa_p[] = -+ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" -+ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12" -+ "\x0D"; -+ -+static unsigned char fake_rsa_q[] = -+ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" -+ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" -+ "\x89"; -+ -+static unsigned char fake_rsa_dmp1[] = -+ "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF" -+ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05"; -+ -+static unsigned char fake_rsa_dmq1[] = -+ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99" -+ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D" -+ "\x51"; -+ -+static unsigned char fake_rsa_iqmp[] = -+ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8" -+ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26"; -+ -+OSSL_PARAM *fake_rsa_key_params(int priv) -+{ -+ if (priv) { -+ OSSL_PARAM params[] = { -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n, -+ sizeof(fake_rsa_n) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e, -+ sizeof(fake_rsa_e) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_D, fake_rsa_d, -+ sizeof(fake_rsa_d) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR1, fake_rsa_p, -+ sizeof(fake_rsa_p) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_FACTOR2, fake_rsa_q, -+ sizeof(fake_rsa_q) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT1, fake_rsa_dmp1, -+ sizeof(fake_rsa_dmp1) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_EXPONENT2, fake_rsa_dmq1, -+ sizeof(fake_rsa_dmq1) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_COEFFICIENT1, fake_rsa_iqmp, -+ sizeof(fake_rsa_iqmp) -1), -+ OSSL_PARAM_END -+ }; -+ return OSSL_PARAM_dup(params); -+ } else { -+ OSSL_PARAM params[] = { -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, fake_rsa_n, -+ sizeof(fake_rsa_n) -1), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, fake_rsa_e, -+ sizeof(fake_rsa_e) -1), -+ OSSL_PARAM_END -+ }; -+ return OSSL_PARAM_dup(params); -+ } -+} -+ -+static int fake_rsa_keymgmt_export(void *keydata, int selection, -+ OSSL_CALLBACK *param_callback, void *cbarg) -+{ -+ OSSL_PARAM *params = NULL; -+ int ret; -+ -+ if (selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY) -+ return 0; -+ -+ if (!TEST_ptr(params = fake_rsa_key_params(0))) -+ return 0; -+ -+ ret = param_callback(params, cbarg); -+ OSSL_PARAM_free(params); -+ return ret; -+} -+ - static const OSSL_PARAM fake_rsa_import_key_types[] = { - OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0), - OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0), -@@ -95,19 +195,33 @@ static const OSSL_PARAM *fake_rsa_keymgmt_imptypes(int selection) - return fake_rsa_import_key_types; - } - -+static const OSSL_PARAM fake_rsa_export_key_types[] = { -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_N, NULL, 0), -+ OSSL_PARAM_BN(OSSL_PKEY_PARAM_RSA_E, NULL, 0), -+ OSSL_PARAM_END -+}; -+ -+static const OSSL_PARAM *fake_rsa_keymgmt_exptypes(int selection) -+{ -+ /* record global for checking */ -+ exptypes_selection = selection; -+ -+ return fake_rsa_export_key_types; -+} -+ - static void *fake_rsa_keymgmt_load(const void *reference, size_t reference_sz) - { -- unsigned char *key = NULL; -+ struct fake_rsa_keydata *key = NULL; - -- if (reference_sz != sizeof(key)) -+ if (reference_sz != sizeof(*key)) - return NULL; - -- key = *(unsigned char **)reference; -- if (*key != 1) -+ key = *(struct fake_rsa_keydata **)reference; -+ if (key->status != 1) - return NULL; - - /* detach the reference */ -- *(unsigned char **)reference = NULL; -+ *(struct fake_rsa_keydata **)reference = NULL; - - return key; - } -@@ -129,7 +243,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) - { - unsigned char *gctx = genctx; - static const unsigned char inited[] = { 1 }; -- unsigned char *keydata; -+ struct fake_rsa_keydata *keydata; - - if (!TEST_ptr(gctx) - || !TEST_mem_eq(gctx, sizeof(*gctx), inited, sizeof(inited))) -@@ -138,7 +252,7 @@ static void *fake_rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) - if (!TEST_ptr(keydata = fake_rsa_keymgmt_new(NULL))) - return NULL; - -- *keydata = 2; -+ keydata->status = 2; - return keydata; - } - -@@ -156,6 +270,9 @@ static const OSSL_DISPATCH fake_rsa_keymgmt_funcs[] = { - { OSSL_FUNC_KEYMGMT_IMPORT, (void (*)(void))fake_rsa_keymgmt_import }, - { OSSL_FUNC_KEYMGMT_IMPORT_TYPES, - (void (*)(void))fake_rsa_keymgmt_imptypes }, -+ { OSSL_FUNC_KEYMGMT_EXPORT, (void (*)(void))fake_rsa_keymgmt_export }, -+ { OSSL_FUNC_KEYMGMT_EXPORT_TYPES, -+ (void (*)(void))fake_rsa_keymgmt_exptypes }, - { OSSL_FUNC_KEYMGMT_LOAD, (void (*)(void))fake_rsa_keymgmt_load }, - { OSSL_FUNC_KEYMGMT_GEN_INIT, (void (*)(void))fake_rsa_gen_init }, - { OSSL_FUNC_KEYMGMT_GEN, (void (*)(void))fake_rsa_gen }, -@@ -191,14 +308,14 @@ static int fake_rsa_sig_sign_init(void *ctx, void *provkey, - const OSSL_PARAM params[]) - { - unsigned char *sigctx = ctx; -- unsigned char *keydata = provkey; -+ struct fake_rsa_keydata *keydata = provkey; - - /* we must have a ctx */ - if (!TEST_ptr(sigctx)) - return 0; - - /* we must have some initialized key */ -- if (!TEST_ptr(keydata) || !TEST_int_gt(keydata[0], 0)) -+ if (!TEST_ptr(keydata) || !TEST_int_gt(keydata->status, 0)) - return 0; - - /* record that sign init was called */ -@@ -289,7 +406,7 @@ static int fake_rsa_st_load(void *loaderctx, - unsigned char *storectx = loaderctx; - OSSL_PARAM params[4]; - int object_type = OSSL_OBJECT_PKEY; -- void *key = NULL; -+ struct fake_rsa_keydata *key = NULL; - int rv = 0; - - switch (*storectx) { -@@ -307,7 +424,7 @@ static int fake_rsa_st_load(void *loaderctx, - /* The address of the key becomes the octet string */ - params[2] = - OSSL_PARAM_construct_octet_string(OSSL_OBJECT_PARAM_REFERENCE, -- &key, sizeof(key)); -+ &key, sizeof(*key)); - params[3] = OSSL_PARAM_construct_end(); - rv = object_cb(params, object_cbarg); - *storectx = 1; -diff --git a/test/fake_rsaprov.h b/test/fake_rsaprov.h -index 57de1ecf8d..190c46a285 100644 ---- a/test/fake_rsaprov.h -+++ b/test/fake_rsaprov.h -@@ -12,3 +12,4 @@ - /* Fake RSA provider implementation */ - OSSL_PROVIDER *fake_rsa_start(OSSL_LIB_CTX *libctx); - void fake_rsa_finish(OSSL_PROVIDER *p); -+OSSL_PARAM *fake_rsa_key_params(int priv); -diff --git a/test/provider_pkey_test.c b/test/provider_pkey_test.c -index 5c398398f4..3b190baa5e 100644 ---- a/test/provider_pkey_test.c -+++ b/test/provider_pkey_test.c -@@ -176,6 +176,67 @@ end: - return ret; - } - -+static int test_pkey_eq(void) -+{ -+ OSSL_PROVIDER *deflt = NULL; -+ OSSL_PROVIDER *fake_rsa = NULL; -+ EVP_PKEY *pkey_fake = NULL; -+ EVP_PKEY *pkey_dflt = NULL; -+ EVP_PKEY_CTX *ctx = NULL; -+ OSSL_PARAM *params = NULL; -+ int ret = 0; -+ -+ if (!TEST_ptr(fake_rsa = fake_rsa_start(libctx))) -+ return 0; -+ -+ if (!TEST_ptr(deflt = OSSL_PROVIDER_load(libctx, "default"))) -+ goto end; -+ -+ /* Construct a public key for fake-rsa */ -+ if (!TEST_ptr(params = fake_rsa_key_params(0)) -+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", -+ "provider=fake-rsa")) -+ || !TEST_true(EVP_PKEY_fromdata_init(ctx)) -+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_fake, EVP_PKEY_PUBLIC_KEY, -+ params)) -+ || !TEST_ptr(pkey_fake)) -+ goto end; -+ -+ EVP_PKEY_CTX_free(ctx); -+ ctx = NULL; -+ OSSL_PARAM_free(params); -+ params = NULL; -+ -+ /* Construct a public key for default */ -+ if (!TEST_ptr(params = fake_rsa_key_params(0)) -+ || !TEST_ptr(ctx = EVP_PKEY_CTX_new_from_name(libctx, "RSA", -+ "provider=default")) -+ || !TEST_true(EVP_PKEY_fromdata_init(ctx)) -+ || !TEST_true(EVP_PKEY_fromdata(ctx, &pkey_dflt, EVP_PKEY_PUBLIC_KEY, -+ params)) -+ || !TEST_ptr(pkey_dflt)) -+ goto end; -+ -+ EVP_PKEY_CTX_free(ctx); -+ ctx = NULL; -+ OSSL_PARAM_free(params); -+ params = NULL; -+ -+ /* now test for equality */ -+ if (!TEST_int_eq(EVP_PKEY_eq(pkey_fake, pkey_dflt), 1)) -+ goto end; -+ -+ ret = 1; -+end: -+ fake_rsa_finish(fake_rsa); -+ OSSL_PROVIDER_unload(deflt); -+ EVP_PKEY_CTX_free(ctx); -+ EVP_PKEY_free(pkey_fake); -+ EVP_PKEY_free(pkey_dflt); -+ OSSL_PARAM_free(params); -+ return ret; -+} -+ - static int test_pkey_store(int idx) - { - OSSL_PROVIDER *deflt = NULL; -@@ -235,6 +296,7 @@ int setup_tests(void) - - ADD_TEST(test_pkey_sig); - ADD_TEST(test_alternative_keygen_init); -+ ADD_TEST(test_pkey_eq); - ADD_ALL_TESTS(test_pkey_store, 2); - - return 1; --- -2.38.1 - -From 2fea56832780248af2aba2e4433ece2d18428515 Mon Sep 17 00:00:00 2001 -From: Simo Sorce -Date: Mon, 14 Nov 2022 10:25:15 -0500 -Subject: [PATCH] Drop explicit check for engines in opt_legacy_okay - -The providers indication should always indicate that this is not a -legacy request. -This makes a check for engines redundant as the default return is that -legacy is ok if there are no explicit providers. - -Fixes #19662 - -Signed-off-by: Simo Sorce - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/19671) ---- - apps/lib/apps.c | 8 -------- - test/recipes/20-test_legacy_okay.t | 23 +++++++++++++++++++++++ - 2 files changed, 23 insertions(+), 8 deletions(-) - create mode 100755 test/recipes/20-test_legacy_okay.t - -diff --git a/apps/lib/apps.c b/apps/lib/apps.c -index 3d52e030ab7e258f9cd983b2d9755d954cb3aee5..bbe0d009efb35fcf1a902c86cbddc61e657e57f1 100644 ---- a/apps/lib/apps.c -+++ b/apps/lib/apps.c -@@ -3405,14 +3405,6 @@ int opt_legacy_okay(void) - { - int provider_options = opt_provider_option_given(); - int libctx = app_get0_libctx() != NULL || app_get0_propq() != NULL; --#ifndef OPENSSL_NO_ENGINE -- ENGINE *e = ENGINE_get_first(); -- -- if (e != NULL) { -- ENGINE_free(e); -- return 1; -- } --#endif - /* - * Having a provider option specified or a custom library context or - * property query, is a sure sign we're not using legacy. -diff --git a/test/recipes/20-test_legacy_okay.t b/test/recipes/20-test_legacy_okay.t -new file mode 100755 -index 0000000000000000000000000000000000000000..183499f3fd93f97e8a4a30681a9f383d2f6e0c56 ---- /dev/null -+++ b/test/recipes/20-test_legacy_okay.t -@@ -0,0 +1,23 @@ -+#! /usr/bin/env perl -+# Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+use strict; -+use warnings; -+ -+use OpenSSL::Test; -+ -+setup("test_legacy"); -+ -+plan tests => 3; -+ -+ok(run(app(['openssl', 'rand', '-out', 'rand.txt', '256'])), "Generate random file"); -+ -+ok(run(app(['openssl', 'dgst', '-sha256', 'rand.txt'])), "Generate a digest"); -+ -+ok(!run(app(['openssl', 'dgst', '-sha256', '-propquery', 'foo=1', -+ 'rand.txt'])), "Fail to generate a digest"); --- -2.38.1 - diff --git a/SOURCES/0101-CVE-2022-4203-nc-match.patch b/SOURCES/0101-CVE-2022-4203-nc-match.patch deleted file mode 100644 index 860deac..0000000 --- a/SOURCES/0101-CVE-2022-4203-nc-match.patch +++ /dev/null @@ -1,281 +0,0 @@ -From c927a3492698c254637da836762f9b1f86cffabc Mon Sep 17 00:00:00 2001 -From: Viktor Dukhovni -Date: Tue, 13 Dec 2022 08:49:13 +0100 -Subject: [PATCH 01/18] Fix type confusion in nc_match_single() - -This function assumes that if the "gen" is an OtherName, then the "base" -is a rfc822Name constraint. This assumption is not true in all cases. -If the end-entity certificate contains an OtherName SAN of any type besides -SmtpUtf8Mailbox and the CA certificate contains a name constraint of -OtherName (of any type), then "nc_email_eai" will be invoked, with the -OTHERNAME "base" being incorrectly interpreted as a ASN1_IA5STRING. - -Reported by Corey Bonnell from Digicert. - -CVE-2022-4203 - -Reviewed-by: Paul Dale -Reviewed-by: Hugo Landau -Reviewed-by: Tomas Mraz ---- - crypto/x509/v3_ncons.c | 45 +++++++++++++++++++++++++++++------------- - 1 file changed, 31 insertions(+), 14 deletions(-) - -diff --git a/crypto/x509/v3_ncons.c b/crypto/x509/v3_ncons.c -index 70a7e8304e..5101598512 100644 ---- a/crypto/x509/v3_ncons.c -+++ b/crypto/x509/v3_ncons.c -@@ -31,7 +31,8 @@ static int do_i2r_name_constraints(const X509V3_EXT_METHOD *method, - static int print_nc_ipadd(BIO *bp, ASN1_OCTET_STRING *ip); - - static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc); --static int nc_match_single(GENERAL_NAME *sub, GENERAL_NAME *gen); -+static int nc_match_single(int effective_type, GENERAL_NAME *sub, -+ GENERAL_NAME *gen); - static int nc_dn(const X509_NAME *sub, const X509_NAME *nm); - static int nc_dns(ASN1_IA5STRING *sub, ASN1_IA5STRING *dns); - static int nc_email(ASN1_IA5STRING *sub, ASN1_IA5STRING *eml); -@@ -472,14 +473,17 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) - { - GENERAL_SUBTREE *sub; - int i, r, match = 0; -+ int effective_type = gen->type; -+ - /* - * We need to compare not gen->type field but an "effective" type because - * the otherName field may contain EAI email address treated specially - * according to RFC 8398, section 6 - */ -- int effective_type = ((gen->type == GEN_OTHERNAME) && -- (OBJ_obj2nid(gen->d.otherName->type_id) == -- NID_id_on_SmtpUTF8Mailbox)) ? GEN_EMAIL : gen->type; -+ if (effective_type == GEN_OTHERNAME && -+ (OBJ_obj2nid(gen->d.otherName->type_id) == NID_id_on_SmtpUTF8Mailbox)) { -+ effective_type = GEN_EMAIL; -+ } - - /* - * Permitted subtrees: if any subtrees exist of matching the type at -@@ -488,7 +492,10 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) - - for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->permittedSubtrees); i++) { - sub = sk_GENERAL_SUBTREE_value(nc->permittedSubtrees, i); -- if (effective_type != sub->base->type) -+ if (effective_type != sub->base->type -+ || (effective_type == GEN_OTHERNAME && -+ OBJ_cmp(gen->d.otherName->type_id, -+ sub->base->d.otherName->type_id) != 0)) - continue; - if (!nc_minmax_valid(sub)) - return X509_V_ERR_SUBTREE_MINMAX; -@@ -497,7 +504,7 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) - continue; - if (match == 0) - match = 1; -- r = nc_match_single(gen, sub->base); -+ r = nc_match_single(effective_type, gen, sub->base); - if (r == X509_V_OK) - match = 2; - else if (r != X509_V_ERR_PERMITTED_VIOLATION) -@@ -511,12 +518,15 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) - - for (i = 0; i < sk_GENERAL_SUBTREE_num(nc->excludedSubtrees); i++) { - sub = sk_GENERAL_SUBTREE_value(nc->excludedSubtrees, i); -- if (effective_type != sub->base->type) -+ if (effective_type != sub->base->type -+ || (effective_type == GEN_OTHERNAME && -+ OBJ_cmp(gen->d.otherName->type_id, -+ sub->base->d.otherName->type_id) != 0)) - continue; - if (!nc_minmax_valid(sub)) - return X509_V_ERR_SUBTREE_MINMAX; - -- r = nc_match_single(gen, sub->base); -+ r = nc_match_single(effective_type, gen, sub->base); - if (r == X509_V_OK) - return X509_V_ERR_EXCLUDED_VIOLATION; - else if (r != X509_V_ERR_PERMITTED_VIOLATION) -@@ -528,15 +538,22 @@ static int nc_match(GENERAL_NAME *gen, NAME_CONSTRAINTS *nc) - - } - --static int nc_match_single(GENERAL_NAME *gen, GENERAL_NAME *base) -+static int nc_match_single(int effective_type, GENERAL_NAME *gen, -+ GENERAL_NAME *base) - { - switch (gen->type) { - case GEN_OTHERNAME: -- /* -- * We are here only when we have SmtpUTF8 name, -- * so we match the value of othername with base->d.rfc822Name -- */ -- return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name); -+ switch (effective_type) { -+ case GEN_EMAIL: -+ /* -+ * We are here only when we have SmtpUTF8 name, -+ * so we match the value of othername with base->d.rfc822Name -+ */ -+ return nc_email_eai(gen->d.otherName->value, base->d.rfc822Name); -+ -+ default: -+ return X509_V_ERR_UNSUPPORTED_CONSTRAINT_TYPE; -+ } - - case GEN_DIRNAME: - return nc_dn(gen->d.directoryName, base->d.directoryName); --- -2.39.1 - -From fe6842f5a5dc2fb66da7fb24bf4343a3aeedd50a Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Tue, 13 Dec 2022 19:45:09 +0100 -Subject: [PATCH 02/18] Add testcase for nc_match_single type confusion - -Reviewed-by: Paul Dale -Reviewed-by: Hugo Landau ---- - test/certs/bad-othername-cert.pem | 20 ++++++++++++++++++++ - test/certs/nccaothername-cert.pem | 20 ++++++++++++++++++++ - test/certs/nccaothername-key.pem | 28 ++++++++++++++++++++++++++++ - test/certs/setup.sh | 11 +++++++++++ - test/recipes/25-test_verify.t | 5 ++++- - 5 files changed, 83 insertions(+), 1 deletion(-) - create mode 100644 test/certs/bad-othername-cert.pem - create mode 100644 test/certs/nccaothername-cert.pem - create mode 100644 test/certs/nccaothername-key.pem - -diff --git a/test/certs/bad-othername-cert.pem b/test/certs/bad-othername-cert.pem -new file mode 100644 -index 0000000000..cf279de5ea ---- /dev/null -+++ b/test/certs/bad-othername-cert.pem -@@ -0,0 +1,20 @@ -+-----BEGIN CERTIFICATE----- -+MIIDRDCCAiygAwIBAgIBAjANBgkqhkiG9w0BAQsFADAfMR0wGwYDVQQDDBRUZXN0 -+IE5DIENBIG90aGVybmFtZTAgFw0yMjEyMTMxODMzMTZaGA8yMTIyMTIxNDE4MzMx -+NlowMTEvMC0GA1UECgwmTkMgZW1haWwgaW4gb3RoZXJuYW1lIFRlc3QgQ2VydGlm -+aWNhdGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDPgeoakqHk1zYt -+JZpEC0qkJPU/X0lfI+6GY2LHFY9KOSFqqmTXxrUtjQc3SdpQvBZhPuMZ8p82Jid2 -+kkRHnWs0uqX9NtLO923yQalYvP6Mt3fokcYgw/C9b+I/q1PKUyN0kPB6McROguD5 -+Jz2DcEufJBhbpyay1bFjEI2DAQJKDP/U7uH0EA7kH/27UMk0vfvL5uVjDvlo8i6S -+Ul8+u0cDV5ZFJW2VAJKLU3wp6IY4fZl9UqkHZuRQpMJGqAjAleWOIEpyyvfGGh0b -+75n3GJ+4YZ7CIBEgY7K0nIbKxtcDZPvmtbYg3g1tkPMTHcodFT7yEdqkBTJ5AGL7 -+6U850OhjAgMBAAGjdzB1MB0GA1UdDgQWBBTBz0k+q6d4c3aM+s2IyOF/QP6zCTAf -+BgNVHSMEGDAWgBTwhghX7uNdMejZ3f4XorqOQoMqwTAJBgNVHRMEAjAAMCgGA1Ud -+EQQhMB+gHQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEB -+CwUAA4IBAQAhxbCEVH8pq0aUMaLWaodyXdCqA0AKTFG6Mz9Rpwn89OwC8FylTEru -+t+Bqx/ZuTo8YzON8h9m7DIrQIjZKDLW/g5YbvIsxIVV9gWhAGohdsIyMKRBepSmr -+NxJQkO74RLBTamfl0WUCVM4HqroflFjBBG67CTJaQ9cH9ug3TKxaXCK1L6iQAXtq -+enILGai98Byo0LCFH4MQOhmhV1BDT2boIG/iYb5VKCTSX25vhaF+PNBhUoysjW0O -+vhQX8vrw42QRr4Qi7VfUBXzrbRTzxjOc4yqki7h2DcEdpginqe+aGyaFY+H9m/ka -+1AR5KN8h5SYKltSXknjs0pp1w4k49aHl -+-----END CERTIFICATE----- -diff --git a/test/certs/nccaothername-cert.pem b/test/certs/nccaothername-cert.pem -new file mode 100644 -index 0000000000..f9b9b07b80 ---- /dev/null -+++ b/test/certs/nccaothername-cert.pem -@@ -0,0 +1,20 @@ -+-----BEGIN CERTIFICATE----- -+MIIDPjCCAiagAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -+IENBMCAXDTIyMTIxMzE4MTgwM1oYDzIxMjIxMjE0MTgxODAzWjAfMR0wGwYDVQQD -+DBRUZXN0IE5DIENBIG90aGVybmFtZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCC -+AQoCggEBAN0Dx+ei8CgtRKnDcYiLwX4vrA48at/o/zfX24X/WZZM1o9HUKo1FQBN -+vhESJu+gqPxuIePrk+/L25XdRqwCKk8wkWX0XIz18q5orOHUUFAWNK3g0FDj6N8H -+d8urNIbDJ44FCx+/0n8Ppiht/EYN3aVOW5enqbgZ+EEt+3AUG6ibieRdGri9g4oh -+IIx60MmVHLbuT/TcVZxaeWyTl6iWmsYosUyqlhTtu1uGtbVtkCAhBYloVvz4J5eA -+mVu/JuJbsNxbxVeO9Q8Kj6nb4jPPdGvZ3JPcabbWrz5LwaereBf5IPrXEVdQTlYB -+gI0pTz2CEDHSIrd7jzRUX/9EC2gMk6UCAwEAAaOBjzCBjDAPBgNVHRMBAf8EBTAD -+AQH/MAsGA1UdDwQEAwIBBjAdBgNVHQ4EFgQU8IYIV+7jXTHo2d3+F6K6jkKDKsEw -+HwYDVR0jBBgwFoAUjvUlrx6ba4Q9fICayVOcTXL3o1IwLAYDVR0eBCUwI6EhMB+g -+HQYIKwYBBQUHCAegEQwPZm9vQGV4YW1wbGUub3JnMA0GCSqGSIb3DQEBCwUAA4IB -+AQDPI5uZd8DhSNKMvYF5bxOshd6h6UJ7YzZS7K6fhiygltdqzkHQ/5+4yiuUkDe4 -+hOZlH8MCfXQy5jVZDTk24yNchpdfie5Bswn4SmQVQh3QyzOLxizoh0rLCf2PHueu -+dNVNhfiiJNJ5kd8MIuVG7CPK68dP0QrVR+DihROuJgvGB3ClKttLrgle19t4PFRR -+2wW6hJT9aXEjzLNyN1QFZKoShuiGX4xwjZh7VyKkV64p8hjojhcLk6dQkel+Jw4y -+OP26XbVfM8/6KG8f6WAZ8P0qJwHlhmi0EvRTnEpAM8WuenOeZH6ERZ9uZbRGh6xx -+LKQu2Aw2+bOEZ2vUtz0dBhX8 -+-----END CERTIFICATE----- -diff --git a/test/certs/nccaothername-key.pem b/test/certs/nccaothername-key.pem -new file mode 100644 -index 0000000000..d3e300ac2f ---- /dev/null -+++ b/test/certs/nccaothername-key.pem -@@ -0,0 +1,28 @@ -+-----BEGIN PRIVATE KEY----- -+MIIEvwIBADANBgkqhkiG9w0BAQEFAASCBKkwggSlAgEAAoIBAQDdA8fnovAoLUSp -+w3GIi8F+L6wOPGrf6P8319uF/1mWTNaPR1CqNRUATb4REibvoKj8biHj65Pvy9uV -+3UasAipPMJFl9FyM9fKuaKzh1FBQFjSt4NBQ4+jfB3fLqzSGwyeOBQsfv9J/D6Yo -+bfxGDd2lTluXp6m4GfhBLftwFBuom4nkXRq4vYOKISCMetDJlRy27k/03FWcWnls -+k5eolprGKLFMqpYU7btbhrW1bZAgIQWJaFb8+CeXgJlbvybiW7DcW8VXjvUPCo+p -+2+Izz3Rr2dyT3Gm21q8+S8Gnq3gX+SD61xFXUE5WAYCNKU89ghAx0iK3e480VF// -+RAtoDJOlAgMBAAECggEAMFSJlCyEFlER3Qq9asXe9eRgXEuXdmfZ2aEVIuf8M/sR -+B0tpxxKtCUA24j5FL+0CzxKZTCFBnDRIzCyTbf1aOa9t+CzXyUZmP3/p4EdgmabF -+dcl93FZ+X7kfF/VUGu0Vmv+c12BH3Fu0cs5cVohlMecg7diu6zCYok43F+L5ymRy -+2mTcKkGc0ShWizj8Z9R3WJGssZOlxbxa/Zr4rZwRC24UVhfN8AfGWYx/StyQPQIw -+gtbbtOmwbyredQmY4jwNqgrnfZS9bkWwJbRuCmD5l7lxubBgcHQpoM+DQVeOLZIq -+uksFXeNfal9G5Bo747MMzpD7dJMCGmX+gbMY5oZF+QKBgQDs2MbY4nbxi+fV+KuV -+zUvis8m8Lpzf3T6NLkgSkUPRN9tGr95iLIrB/bRPJg5Ne02q/cT7d86B9rpE42w7 -+eeIF9fANezX2AF8LUqNZhIR23J3tfB/eqGlJRZeMNia+lD09a7SWGwrS7sufY1I+ -+JQGcHx77ntt+eQT1MUJ1skF06QKBgQDu4z+TW4QIA5ItxIReVdcfh5e3xLkzDEVP -+3KNo9tpXxvPwqapdeBh6c9z4Lqe3MKr5UPlDvVW+o40t6OjKxDCXczB8+JAM0OyX -+8V+K3zXXUxRgieSd3oMncTylSWIvouPP3aW37B67TKdRlRHgaBrpJT2wdk3kYR4t -+62J1eDdjXQKBgQDMsY0pZI/nskJrar7geM1c4IU5Xg+2aj/lRFqFsYYrC1s3fEd2 -+EYjan6l1vi4eSLKXVTspGiIfsFzLrMGdpXjyLduJyzKXqTp7TrBebWkOUR0sYloo -+1OQprzuKskJJ81P6AVvRXw27vyW8Wtp5WwJJK5xbWq/YXj8qqagGkEiCAQKBgQCc -+RK3XAFurPmLGa7JHX5Hc/z8BKMAZo6JHrsZ6qFiGaRA0U1it0hz5JYfcFfECheSi -+ORUF+fn4PlbhPGXkFljPCbwjVBovOBA9CNl+J6u50pAW4r1ZhDB5gbqxSQLgtIaf -++JcqbFxiG6+sT36lNJS+BO2I3KrxhZJPaZY7z8szxQKBgQDRy70XzwOk8jXayiF2 -+ej2IN7Ow9cgSE4tLEwR/vCjxvOlWhA3jC3wxoggshGJkpbP3DqLkQtwQm0h1lM8J -+QNtFwKzjtpf//bTlfFq08/YxWimTPMqzcV2PgRacB8P3yf1r8T7M4fA5TORCDWpW -+5FtOCFEmwQHTR8lu4c63qfxkEQ== -+-----END PRIVATE KEY----- -diff --git a/test/certs/setup.sh b/test/certs/setup.sh -index b9766aab20..2240cd9df0 100755 ---- a/test/certs/setup.sh -+++ b/test/certs/setup.sh -@@ -388,6 +388,17 @@ REQMASK=MASK:0x800 ./mkcert.sh req badalt7-key "O = Bad NC Test Certificate 7" \ - "email.1 = good@good.org" "email.2 = any@good.com" \ - "IP = 127.0.0.1" "IP = 192.168.0.1" - -+# Certs for CVE-2022-4203 testcase -+ -+NC="excluded;otherName:SRVName;UTF8STRING:foo@example.org" ./mkcert.sh genca \ -+ "Test NC CA othername" nccaothername-key nccaothername-cert \ -+ root-key root-cert -+ -+./mkcert.sh req alt-email-key "O = NC email in othername Test Certificate" | \ -+ ./mkcert.sh geneealt bad-othername-key bad-othername-cert \ -+ nccaothername-key nccaothername-cert \ -+ "otherName.1 = SRVName;UTF8STRING:foo@example.org" -+ - # RSA-PSS signatures - # SHA1 - ./mkcert.sh genee PSS-SHA1 ee-key ee-pss-sha1-cert ca-key ca-cert \ -diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t -index 4613489f57..e6a2bca731 100644 ---- a/test/recipes/25-test_verify.t -+++ b/test/recipes/25-test_verify.t -@@ -29,7 +29,7 @@ sub verify { - run(app([@args])); - } - --plan tests => 162; -+plan tests => 163; - - # Canonical success - ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), -@@ -402,6 +402,9 @@ ok(!verify("badalt9-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), - ok(!verify("badalt10-cert", "", ["root-cert"], ["ncca1-cert", "ncca3-cert"], ), - "Name constraints nested DNS name excluded"); - -+ok(!verify("bad-othername-cert", "", ["root-cert"], ["nccaothername-cert"], ), -+ "CVE-2022-4203 type confusion test"); -+ - #Check that we get the expected failure return code - with({ exit_checker => sub { return shift == 2; } }, - sub { --- -2.39.1 - diff --git a/SOURCES/0102-CVE-2022-4304-RSA-time-oracle.patch b/SOURCES/0102-CVE-2022-4304-RSA-time-oracle.patch deleted file mode 100644 index a650715..0000000 --- a/SOURCES/0102-CVE-2022-4304-RSA-time-oracle.patch +++ /dev/null @@ -1,750 +0,0 @@ -From 8e257b86e5812c6e1cfa9e8e5f5660ac7bed899d Mon Sep 17 00:00:00 2001 -From: Dmitry Belyavskiy -Date: Fri, 20 Jan 2023 15:03:40 +0000 -Subject: [PATCH 03/18] Fix Timing Oracle in RSA decryption - -A timing based side channel exists in the OpenSSL RSA Decryption -implementation which could be sufficient to recover a plaintext across -a network in a Bleichenbacher style attack. To achieve a successful -decryption an attacker would have to be able to send a very large number -of trial messages for decryption. The vulnerability affects all RSA -padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. - -Patch written by Dmitry Belyavsky and Hubert Kario - -CVE-2022-4304 - -Reviewed-by: Matt Caswell -Reviewed-by: Tomas Mraz ---- - crypto/bn/bn_blind.c | 14 - - crypto/bn/bn_local.h | 14 + - crypto/bn/build.info | 2 +- - crypto/bn/rsa_sup_mul.c | 604 ++++++++++++++++++++++++++++++++++++++++ - crypto/rsa/rsa_ossl.c | 19 +- - include/crypto/bn.h | 6 + - 6 files changed, 638 insertions(+), 21 deletions(-) - create mode 100644 crypto/bn/rsa_sup_mul.c - -diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c -index 72457b34cf..6061ebb4c0 100644 ---- a/crypto/bn/bn_blind.c -+++ b/crypto/bn/bn_blind.c -@@ -13,20 +13,6 @@ - - #define BN_BLINDING_COUNTER 32 - --struct bn_blinding_st { -- BIGNUM *A; -- BIGNUM *Ai; -- BIGNUM *e; -- BIGNUM *mod; /* just a reference */ -- CRYPTO_THREAD_ID tid; -- int counter; -- unsigned long flags; -- BN_MONT_CTX *m_ctx; -- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -- CRYPTO_RWLOCK *lock; --}; -- - BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) - { - BN_BLINDING *ret = NULL; -diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h -index c9a7ecf298..8c428f919d 100644 ---- a/crypto/bn/bn_local.h -+++ b/crypto/bn/bn_local.h -@@ -290,6 +290,20 @@ struct bn_gencb_st { - } cb; - }; - -+struct bn_blinding_st { -+ BIGNUM *A; -+ BIGNUM *Ai; -+ BIGNUM *e; -+ BIGNUM *mod; /* just a reference */ -+ CRYPTO_THREAD_ID tid; -+ int counter; -+ unsigned long flags; -+ BN_MONT_CTX *m_ctx; -+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -+ CRYPTO_RWLOCK *lock; -+}; -+ - /*- - * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions - * -diff --git a/crypto/bn/build.info b/crypto/bn/build.info -index c4ba51b265..f4ff619239 100644 ---- a/crypto/bn/build.info -+++ b/crypto/bn/build.info -@@ -105,7 +105,7 @@ $COMMON=bn_add.c bn_div.c bn_exp.c bn_lib.c bn_ctx.c bn_mul.c \ - bn_mod.c bn_conv.c bn_rand.c bn_shift.c bn_word.c bn_blind.c \ - bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_sqr.c \ - bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ -- bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c -+ bn_intern.c bn_dh.c bn_rsa_fips186_4.c bn_const.c rsa_sup_mul.c - SOURCE[../../libcrypto]=$COMMON $BNASM bn_print.c bn_err.c bn_srp.c - DEFINE[../../libcrypto]=$BNDEF - IF[{- !$disabled{'deprecated-0.9.8'} -}] -diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c -new file mode 100644 -index 0000000000..0e0d02e194 ---- /dev/null -+++ b/crypto/bn/rsa_sup_mul.c -@@ -0,0 +1,604 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "internal/endian.h" -+#include "internal/numbers.h" -+#include "internal/constant_time.h" -+#include "bn_local.h" -+ -+# if BN_BYTES == 8 -+typedef uint64_t limb_t; -+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 -+typedef uint128_t limb2_t; -+# define HAVE_LIMB2_T -+# endif -+# define LIMB_BIT_SIZE 64 -+# define LIMB_BYTE_SIZE 8 -+# elif BN_BYTES == 4 -+typedef uint32_t limb_t; -+typedef uint64_t limb2_t; -+# define LIMB_BIT_SIZE 32 -+# define LIMB_BYTE_SIZE 4 -+# define HAVE_LIMB2_T -+# else -+# error "Not supported" -+# endif -+ -+/* -+ * For multiplication we're using schoolbook multiplication, -+ * so if we have two numbers, each with 6 "digits" (words) -+ * the multiplication is calculated as follows: -+ * A B C D E F -+ * x I J K L M N -+ * -------------- -+ * N*F -+ * N*E -+ * N*D -+ * N*C -+ * N*B -+ * N*A -+ * M*F -+ * M*E -+ * M*D -+ * M*C -+ * M*B -+ * M*A -+ * L*F -+ * L*E -+ * L*D -+ * L*C -+ * L*B -+ * L*A -+ * K*F -+ * K*E -+ * K*D -+ * K*C -+ * K*B -+ * K*A -+ * J*F -+ * J*E -+ * J*D -+ * J*C -+ * J*B -+ * J*A -+ * I*F -+ * I*E -+ * I*D -+ * I*C -+ * I*B -+ * + I*A -+ * ========================== -+ * N*B N*D N*F -+ * + N*A N*C N*E -+ * + M*B M*D M*F -+ * + M*A M*C M*E -+ * + L*B L*D L*F -+ * + L*A L*C L*E -+ * + K*B K*D K*F -+ * + K*A K*C K*E -+ * + J*B J*D J*F -+ * + J*A J*C J*E -+ * + I*B I*D I*F -+ * + I*A I*C I*E -+ * -+ * 1+1 1+3 1+5 -+ * 1+0 1+2 1+4 -+ * 0+1 0+3 0+5 -+ * 0+0 0+2 0+4 -+ * -+ * 0 1 2 3 4 5 6 -+ * which requires n^2 multiplications and 2n full length additions -+ * as we can keep every other result of limb multiplication in two separate -+ * limbs -+ */ -+ -+#if defined HAVE_LIMB2_T -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ limb2_t t; -+ /* -+ * this is idiomatic code to tell compiler to use the native mul -+ * those three lines will actually compile to single instruction -+ */ -+ -+ t = (limb2_t)a * b; -+ *hi = t >> LIMB_BIT_SIZE; -+ *lo = (limb_t)t; -+} -+#elif (BN_BYTES == 8) && (defined _MSC_VER) -+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ -+#pragma intrinsic(_umul128) -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ *lo = _umul128(a, b, hi); -+} -+#else -+/* -+ * if the compiler doesn't have either a 128bit data type nor a "return -+ * high 64 bits of multiplication" -+ */ -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ limb_t a_low = (limb_t)(uint32_t)a; -+ limb_t a_hi = a >> 32; -+ limb_t b_low = (limb_t)(uint32_t)b; -+ limb_t b_hi = b >> 32; -+ -+ limb_t p0 = a_low * b_low; -+ limb_t p1 = a_low * b_hi; -+ limb_t p2 = a_hi * b_low; -+ limb_t p3 = a_hi * b_hi; -+ -+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); -+ -+ *lo = p0 + (p1 << 32) + (p2 << 32); -+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; -+} -+#endif -+ -+/* add two limbs with carry in, return carry out */ -+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) -+{ -+ limb_t carry1, carry2, t; -+ /* -+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers -+ * use add with carry on assembly level -+ */ -+ -+ *ret = a + carry; -+ if (*ret < a) -+ carry1 = 1; -+ else -+ carry1 = 0; -+ -+ t = *ret; -+ *ret = t + b; -+ if (*ret < t) -+ carry2 = 1; -+ else -+ carry2 = 0; -+ -+ return carry1 + carry2; -+} -+ -+/* -+ * add two numbers of the same size, return overflow -+ * -+ * add a to b, place result in ret; all arrays need to be n limbs long -+ * return overflow from addition (0 or 1) -+ */ -+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ limb_t c = 0; -+ ossl_ssize_t i; -+ -+ for(i = n - 1; i > -1; i--) -+ c = _add_limb(&ret[i], a[i], b[i], c); -+ -+ return c; -+} -+ -+/* -+ * return number of limbs necessary for temporary values -+ * when multiplying numbers n limbs large -+ */ -+static ossl_inline size_t mul_limb_numb(size_t n) -+{ -+ return 2 * n * 2; -+} -+ -+/* -+ * multiply two numbers of the same size -+ * -+ * multiply a by b, place result in ret; a and b need to be n limbs long -+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs -+ * long -+ */ -+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) -+{ -+ limb_t *r_odd, *r_even; -+ size_t i, j, k; -+ -+ r_odd = tmp; -+ r_even = &tmp[2 * n]; -+ -+ memset(ret, 0, 2 * n * sizeof(limb_t)); -+ -+ for (i = 0; i < n; i++) { -+ for (k = 0; k < i + n + 1; k++) { -+ r_even[k] = 0; -+ r_odd[k] = 0; -+ } -+ for (j = 0; j < n; j++) { -+ /* -+ * place results from even and odd limbs in separate arrays so that -+ * we don't have to calculate overflow every time we get individual -+ * limb multiplication result -+ */ -+ if (j % 2 == 0) -+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); -+ else -+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); -+ } -+ /* -+ * skip the least significant limbs when adding multiples of -+ * more significant limbs (they're zero anyway) -+ */ -+ add(ret, ret, r_even, n + i + 1); -+ add(ret, ret, r_odd, n + i + 1); -+ } -+} -+ -+/* modifies the value in place by performing a right shift by one bit */ -+static ossl_inline void rshift1(limb_t *val, size_t n) -+{ -+ limb_t shift_in = 0, shift_out = 0; -+ size_t i; -+ -+ for (i = 0; i < n; i++) { -+ shift_out = val[i] & 1; -+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); -+ shift_in = shift_out; -+ } -+} -+ -+/* extend the LSB of flag to all bits of limb */ -+static ossl_inline limb_t mk_mask(limb_t flag) -+{ -+ flag |= flag << 1; -+ flag |= flag << 2; -+ flag |= flag << 4; -+ flag |= flag << 8; -+ flag |= flag << 16; -+#if (LIMB_BYTE_SIZE == 8) -+ flag |= flag << 32; -+#endif -+ return flag; -+} -+ -+/* -+ * copy from either a or b to ret based on flag -+ * when flag == 0, then copies from b -+ * when flag == 1, then copies from a -+ */ -+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ /* -+ * would be more efficient with non volatile mask, but then gcc -+ * generates code with jumps -+ */ -+ volatile limb_t mask; -+ size_t i; -+ -+ mask = mk_mask(flag); -+ for (i = 0; i < n; i++) { -+#if (LIMB_BYTE_SIZE == 8) -+ ret[i] = constant_time_select_64(mask, a[i], b[i]); -+#else -+ ret[i] = constant_time_select_32(mask, a[i], b[i]); -+#endif -+ } -+} -+ -+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) -+{ -+ limb_t borrow1, borrow2, t; -+ /* -+ * while it doesn't look constant-time, this is idiomatic code -+ * to tell compilers to use the carry bit from subtraction -+ */ -+ -+ *ret = a - borrow; -+ if (*ret > a) -+ borrow1 = 1; -+ else -+ borrow1 = 0; -+ -+ t = *ret; -+ *ret = t - b; -+ if (*ret > t) -+ borrow2 = 1; -+ else -+ borrow2 = 0; -+ -+ return borrow1 + borrow2; -+} -+ -+/* -+ * place the result of a - b into ret, return the borrow bit. -+ * All arrays need to be n limbs long -+ */ -+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ limb_t borrow = 0; -+ ossl_ssize_t i; -+ -+ for (i = n - 1; i > -1; i--) -+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow); -+ -+ return borrow; -+} -+ -+/* return the number of limbs necessary to allocate for the mod() tmp operand */ -+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) -+{ -+ return (anum + modnum) * 3; -+} -+ -+/* -+ * calculate a % mod, place the result in ret -+ * size of a is defined by anum, size of ret and mod is modnum, -+ * size of tmp is returned by mod_limb_numb() -+ */ -+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, -+ size_t modnum, limb_t *tmp) -+{ -+ limb_t *atmp, *modtmp, *rettmp; -+ limb_t res; -+ size_t i; -+ -+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); -+ -+ atmp = tmp; -+ modtmp = &tmp[anum + modnum]; -+ rettmp = &tmp[(anum + modnum) * 2]; -+ -+ for (i = modnum; i 0; i--, rp--) { -+ v = _mul_add_limb(rp, mod, modnum, rp[modnum-1] * ni0, tmp2); -+ v = v + carry + rp[-1]; -+ carry |= (v != rp[-1]); -+ carry &= (v <= rp[-1]); -+ rp[-1] = v; -+ } -+ -+ /* perform the final reduction by mod... */ -+ carry -= sub(ret, rp, mod, modnum); -+ -+ /* ...conditionally */ -+ cselect(carry, ret, rp, ret, modnum); -+} -+ -+/* allocated buffer should be freed afterwards */ -+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) -+{ -+ int i; -+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ limb_t *ptr = buf + (limbs - real_limbs); -+ -+ for (i = 0; i < real_limbs; i++) -+ ptr[i] = bn->d[real_limbs - i - 1]; -+} -+ -+#if LIMB_BYTE_SIZE == 8 -+static ossl_inline uint64_t be64(uint64_t host) -+{ -+ uint64_t big = 0; -+ DECLARE_IS_ENDIAN; -+ -+ if (!IS_LITTLE_ENDIAN) -+ return host; -+ -+ big |= (host & 0xff00000000000000) >> 56; -+ big |= (host & 0x00ff000000000000) >> 40; -+ big |= (host & 0x0000ff0000000000) >> 24; -+ big |= (host & 0x000000ff00000000) >> 8; -+ big |= (host & 0x00000000ff000000) << 8; -+ big |= (host & 0x0000000000ff0000) << 24; -+ big |= (host & 0x000000000000ff00) << 40; -+ big |= (host & 0x00000000000000ff) << 56; -+ return big; -+} -+ -+#else -+/* Not all platforms have htobe32(). */ -+static ossl_inline uint32_t be32(uint32_t host) -+{ -+ uint32_t big = 0; -+ DECLARE_IS_ENDIAN; -+ -+ if (!IS_LITTLE_ENDIAN) -+ return host; -+ -+ big |= (host & 0xff000000) >> 24; -+ big |= (host & 0x00ff0000) >> 8; -+ big |= (host & 0x0000ff00) << 8; -+ big |= (host & 0x000000ff) << 24; -+ return big; -+} -+#endif -+ -+/* -+ * We assume that intermediate, possible_arg2, blinding, and ctx are used -+ * similar to BN_BLINDING_invert_ex() arguments. -+ * to_mod is RSA modulus. -+ * buf and num is the serialization buffer and its length. -+ * -+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished -+ * we serialize the new structure instead of BIGNUMs taking endianness into account. -+ */ -+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -+ const BN_BLINDING *blinding, -+ const BIGNUM *possible_arg2, -+ const BIGNUM *to_mod, BN_CTX *ctx, -+ unsigned char *buf, int num) -+{ -+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; -+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; -+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; -+ size_t l_tmp_count = 0; -+ int ret = 0; -+ size_t i; -+ unsigned char *tmp; -+ const BIGNUM *arg1 = intermediate; -+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; -+ -+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ -+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; -+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); -+ -+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) -+ goto err; -+ -+ BN_to_limb(arg1, l_im, l_size); -+ BN_to_limb(arg2, l_mul, l_size); -+ BN_to_limb(to_mod, l_mod, l_mod_count); -+ -+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); -+ -+ if (blinding->m_ctx != NULL) { -+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? -+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); -+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -+ } else { -+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? -+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); -+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -+ } -+ -+ if ((l_ret == NULL) || (l_tmp == NULL)) -+ goto err; -+ -+ if (blinding->m_ctx != NULL) { -+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, -+ blinding->m_ctx->n0[0], l_tmp); -+ } else { -+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); -+ } -+ -+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ -+ if (num < BN_num_bytes(to_mod)) { -+ ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT); -+ goto err; -+ } -+ -+ memset(buf, 0, num); -+ tmp = buf + num - BN_num_bytes(to_mod); -+ for (i = 0; i < l_mod_count; i++) { -+#if LIMB_BYTE_SIZE == 8 -+ l_buf = be64(l_ret[i]); -+#else -+ l_buf = be32(l_ret[i]); -+#endif -+ if (i == 0) { -+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); -+ -+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); -+ tmp += delta; -+ } else { -+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); -+ tmp += LIMB_BYTE_SIZE; -+ } -+ } -+ ret = num; -+ -+ err: -+ OPENSSL_free(l_im); -+ OPENSSL_free(l_mul); -+ OPENSSL_free(l_mod); -+ OPENSSL_free(l_tmp); -+ OPENSSL_free(l_ret); -+ -+ return ret; -+} -diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c -index 381c659352..7e8b791fba 100644 ---- a/crypto/rsa/rsa_ossl.c -+++ b/crypto/rsa/rsa_ossl.c -@@ -469,13 +469,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BN_free(d); - } - -- if (blinding) -- if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) -+ if (blinding) { -+ /* -+ * ossl_bn_rsa_do_unblind() combines blinding inversion and -+ * 0-padded BN BE serialization -+ */ -+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, -+ buf, num); -+ if (j == 0) - goto err; -- -- j = BN_bn2binpad(ret, buf, num); -- if (j < 0) -- goto err; -+ } else { -+ j = BN_bn2binpad(ret, buf, num); -+ if (j < 0) -+ goto err; -+ } - - switch (padding) { - case RSA_PKCS1_PADDING: -diff --git a/include/crypto/bn.h b/include/crypto/bn.h -index cf69bea848..cd45654210 100644 ---- a/include/crypto/bn.h -+++ b/include/crypto/bn.h -@@ -114,4 +114,10 @@ OSSL_LIB_CTX *ossl_bn_get_libctx(BN_CTX *ctx); - - extern const BIGNUM ossl_bn_inv_sqrt_2; - -+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -+ const BN_BLINDING *blinding, -+ const BIGNUM *possible_arg2, -+ const BIGNUM *to_mod, BN_CTX *ctx, -+ unsigned char *buf, int num); -+ - #endif --- -2.39.1 - diff --git a/SOURCES/0103-CVE-2022-4450-pem-read-bio.patch b/SOURCES/0103-CVE-2022-4450-pem-read-bio.patch deleted file mode 100644 index 7d86395..0000000 --- a/SOURCES/0103-CVE-2022-4450-pem-read-bio.patch +++ /dev/null @@ -1,106 +0,0 @@ -From 63bcf189be73a9cc1264059bed6f57974be74a83 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 13 Dec 2022 14:54:55 +0000 -Subject: [PATCH 04/18] Avoid dangling ptrs in header and data params for - PEM_read_bio_ex - -In the event of a failure in PEM_read_bio_ex() we free the buffers we -allocated for the header and data buffers. However we were not clearing -the ptrs stored in *header and *data. Since, on success, the caller is -responsible for freeing these ptrs this can potentially lead to a double -free if the caller frees them even on failure. - -Thanks to Dawei Wang for reporting this issue. - -Based on a proposed patch by Kurt Roeckx. - -CVE-2022-4450 - -Reviewed-by: Paul Dale -Reviewed-by: Hugo Landau ---- - crypto/pem/pem_lib.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c -index f9ff80162a..85c47fb627 100644 ---- a/crypto/pem/pem_lib.c -+++ b/crypto/pem/pem_lib.c -@@ -989,7 +989,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, - - out_free: - pem_free(*header, flags, 0); -+ *header = NULL; - pem_free(*data, flags, 0); -+ *data = NULL; - end: - EVP_ENCODE_CTX_free(ctx); - pem_free(name, flags, 0); --- -2.39.1 - -From cbafa34b5a057794c5c08cd4657038e1f643c1ac Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 13 Dec 2022 15:02:26 +0000 -Subject: [PATCH 05/18] Add a test for CVE-2022-4450 - -Call PEM_read_bio_ex() and expect a failure. There should be no dangling -ptrs and therefore there should be no double free if we free the ptrs on -error. - -Reviewed-by: Paul Dale -Reviewed-by: Hugo Landau ---- - test/pemtest.c | 30 ++++++++++++++++++++++++++++++ - 1 file changed, 30 insertions(+) - -diff --git a/test/pemtest.c b/test/pemtest.c -index a8d2d49bb5..a5d28cb256 100644 ---- a/test/pemtest.c -+++ b/test/pemtest.c -@@ -96,6 +96,35 @@ static int test_cert_key_cert(void) - return 1; - } - -+static int test_empty_payload(void) -+{ -+ BIO *b; -+ static char *emptypay = -+ "-----BEGIN CERTIFICATE-----\n" -+ "-\n" /* Base64 EOF character */ -+ "-----END CERTIFICATE-----"; -+ char *name = NULL, *header = NULL; -+ unsigned char *data = NULL; -+ long len; -+ int ret = 0; -+ -+ b = BIO_new_mem_buf(emptypay, strlen(emptypay)); -+ if (!TEST_ptr(b)) -+ return 0; -+ -+ /* Expected to fail because the payload is empty */ -+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0))) -+ goto err; -+ -+ ret = 1; -+ err: -+ OPENSSL_free(name); -+ OPENSSL_free(header); -+ OPENSSL_free(data); -+ BIO_free(b); -+ return ret; -+} -+ - int setup_tests(void) - { - if (!TEST_ptr(pemfile = test_get_argument(0))) -@@ -103,5 +132,6 @@ int setup_tests(void) - ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data)); - ADD_TEST(test_invalid); - ADD_TEST(test_cert_key_cert); -+ ADD_TEST(test_empty_payload); - return 1; - } --- -2.39.1 - diff --git a/SOURCES/0104-CVE-2023-0215-UAF-bio.patch b/SOURCES/0104-CVE-2023-0215-UAF-bio.patch deleted file mode 100644 index 4140219..0000000 --- a/SOURCES/0104-CVE-2023-0215-UAF-bio.patch +++ /dev/null @@ -1,187 +0,0 @@ -From 8818064ce3c3c0f1b740a5aaba2a987e75bfbafd Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Wed, 14 Dec 2022 16:18:14 +0000 -Subject: [PATCH 06/18] Fix a UAF resulting from a bug in BIO_new_NDEF - -If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will -be part of an invalid BIO chain. This causes a "use after free" when the -BIO is eventually freed. - -Based on an original patch by Viktor Dukhovni and an idea from Theo -Buehler. - -Thanks to Octavio Galland for reporting this issue. - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz ---- - crypto/asn1/bio_ndef.c | 40 ++++++++++++++++++++++++++++++++-------- - 1 file changed, 32 insertions(+), 8 deletions(-) - -diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c -index d94e3a3644..b9df3a7a47 100644 ---- a/crypto/asn1/bio_ndef.c -+++ b/crypto/asn1/bio_ndef.c -@@ -49,13 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg); - static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, - void *parg); - --/* unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() */ -+/* -+ * On success, the returned BIO owns the input BIO as part of its BIO chain. -+ * On failure, NULL is returned and the input BIO is owned by the caller. -+ * -+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() -+ */ - BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - { - NDEF_SUPPORT *ndef_aux = NULL; - BIO *asn_bio = NULL; - const ASN1_AUX *aux = it->funcs; - ASN1_STREAM_ARG sarg; -+ BIO *pop_bio = NULL; - - if (!aux || !aux->asn1_cb) { - ERR_raise(ERR_LIB_ASN1, ASN1_R_STREAMING_NOT_SUPPORTED); -@@ -70,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - out = BIO_push(asn_bio, out); - if (out == NULL) - goto err; -+ pop_bio = asn_bio; - -- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); -- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); -+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0 -+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0 -+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0) -+ goto err; - - /* -- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure -- * needs. -+ * Now let the callback prepend any digest, cipher, etc., that the BIO's -+ * ASN1 structure needs. - */ - - sarg.out = out; - sarg.ndef_bio = NULL; - sarg.boundary = NULL; - -- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) -+ /* -+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the -+ * middle of some partially built, but not returned BIO chain. -+ */ -+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) { -+ /* -+ * ndef_aux is now owned by asn_bio so we must not free it in the err -+ * clean up block -+ */ -+ ndef_aux = NULL; - goto err; -+ } -+ -+ /* -+ * We must not fail now because the callback has prepended additional -+ * BIOs to the chain -+ */ - - ndef_aux->val = val; - ndef_aux->it = it; -@@ -92,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - ndef_aux->boundary = sarg.boundary; - ndef_aux->out = out; - -- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); -- - return sarg.ndef_bio; - - err: -+ /* BIO_pop() is NULL safe */ -+ (void)BIO_pop(pop_bio); - BIO_free(asn_bio); - OPENSSL_free(ndef_aux); - return NULL; --- -2.39.1 - -From f596ec8a6f9f5fcfa8e46a73b60f78a609725294 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Wed, 14 Dec 2022 17:15:18 +0000 -Subject: [PATCH 07/18] Check CMS failure during BIO setup with -stream is - handled correctly - -Test for the issue fixed in the previous commit - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz ---- - test/recipes/80-test_cms.t | 15 +++++++++++++-- - test/smime-certs/badrsa.pem | 18 ++++++++++++++++++ - 2 files changed, 31 insertions(+), 2 deletions(-) - create mode 100644 test/smime-certs/badrsa.pem - -diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index 610f1cbc51..fd53683e6b 100644 ---- a/test/recipes/80-test_cms.t -+++ b/test/recipes/80-test_cms.t -@@ -13,7 +13,7 @@ use warnings; - use POSIX; - use File::Spec::Functions qw/catfile/; - use File::Compare qw/compare_text compare/; --use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file/; -+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/; - - use OpenSSL::Test::Utils; - -@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) - - $no_rc2 = 1 if disabled("legacy"); - --plan tests => 12; -+plan tests => 13; - - ok(run(test(["pkcs7_test"])), "test pkcs7"); - -@@ -972,3 +972,14 @@ ok(!run(app(['openssl', 'cms', '-verify', - - return ""; - } -+ -+# Check that we get the expected failure return code -+with({ exit_checker => sub { return shift == 6; } }, -+ sub { -+ ok(run(app(['openssl', 'cms', '-encrypt', -+ '-in', srctop_file("test", "smcont.txt"), -+ '-stream', '-recip', -+ srctop_file("test/smime-certs", "badrsa.pem"), -+ ])), -+ "Check failure during BIO setup with -stream is handled correctly"); -+ }); -diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem -new file mode 100644 -index 0000000000..f824fc2267 ---- /dev/null -+++ b/test/smime-certs/badrsa.pem -@@ -0,0 +1,18 @@ -+-----BEGIN CERTIFICATE----- -+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD -+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY -+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN -+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw -+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A -+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s -+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0 -+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB -+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww -+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm -+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW -+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt -+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d -+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv -+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/ -+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg= -+-----END CERTIFICATE----- --- -2.39.1 - diff --git a/SOURCES/0105-CVE-2023-0216-pkcs7-deref.patch b/SOURCES/0105-CVE-2023-0216-pkcs7-deref.patch deleted file mode 100644 index bbcd594..0000000 --- a/SOURCES/0105-CVE-2023-0216-pkcs7-deref.patch +++ /dev/null @@ -1,110 +0,0 @@ -From 934a04f0e775309cadbef0aa6b9692e1b12a76c6 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Mon, 16 Jan 2023 19:45:23 +0100 -Subject: [PATCH 08/18] Do not dereference PKCS7 object data if not set - -Fixes CVE-2023-0216 - -Reviewed-by: Shane Lontis -Reviewed-by: Paul Dale ---- - crypto/pkcs7/pk7_lib.c | 16 ++++++++++++---- - 1 file changed, 12 insertions(+), 4 deletions(-) - -diff --git a/crypto/pkcs7/pk7_lib.c b/crypto/pkcs7/pk7_lib.c -index 753f1276e6..936e50da54 100644 ---- a/crypto/pkcs7/pk7_lib.c -+++ b/crypto/pkcs7/pk7_lib.c -@@ -414,6 +414,8 @@ PKCS7_SIGNER_INFO *PKCS7_add_signature(PKCS7 *p7, X509 *x509, EVP_PKEY *pkey, - - static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7) - { -+ if (p7->d.ptr == NULL) -+ return NULL; - if (PKCS7_type_is_signed(p7)) - return p7->d.sign->cert; - if (PKCS7_type_is_signedAndEnveloped(p7)) -@@ -423,6 +425,8 @@ static STACK_OF(X509) *pkcs7_get_signer_certs(const PKCS7 *p7) - - static STACK_OF(PKCS7_RECIP_INFO) *pkcs7_get_recipient_info(const PKCS7 *p7) - { -+ if (p7->d.ptr == NULL) -+ return NULL; - if (PKCS7_type_is_signedAndEnveloped(p7)) - return p7->d.signed_and_enveloped->recipientinfo; - if (PKCS7_type_is_enveloped(p7)) -@@ -440,13 +444,17 @@ void ossl_pkcs7_resolve_libctx(PKCS7 *p7) - const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); - OSSL_LIB_CTX *libctx = ossl_pkcs7_ctx_get0_libctx(ctx); - const char *propq = ossl_pkcs7_ctx_get0_propq(ctx); -- STACK_OF(PKCS7_RECIP_INFO) *rinfos = pkcs7_get_recipient_info(p7); -- STACK_OF(PKCS7_SIGNER_INFO) *sinfos = PKCS7_get_signer_info(p7); -- STACK_OF(X509) *certs = pkcs7_get_signer_certs(p7); -+ STACK_OF(PKCS7_RECIP_INFO) *rinfos; -+ STACK_OF(PKCS7_SIGNER_INFO) *sinfos; -+ STACK_OF(X509) *certs; - -- if (ctx == NULL) -+ if (ctx == NULL || p7->d.ptr == NULL) - return; - -+ rinfos = pkcs7_get_recipient_info(p7); -+ sinfos = PKCS7_get_signer_info(p7); -+ certs = pkcs7_get_signer_certs(p7); -+ - for (i = 0; i < sk_X509_num(certs); i++) - ossl_x509_set0_libctx(sk_X509_value(certs, i), libctx, propq); - --- -2.39.1 - -From 67813d8a4d110f4174bbd2fee8a2f15388e324b5 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Mon, 16 Jan 2023 19:56:20 +0100 -Subject: [PATCH 09/18] Add test for d2i_PKCS7 NULL dereference - -Reviewed-by: Shane Lontis -Reviewed-by: Paul Dale ---- - test/recipes/25-test_pkcs7.t | 7 +++++-- - test/recipes/25-test_pkcs7_data/malformed.pkcs7 | 3 +++ - 2 files changed, 8 insertions(+), 2 deletions(-) - create mode 100644 test/recipes/25-test_pkcs7_data/malformed.pkcs7 - -diff --git a/test/recipes/25-test_pkcs7.t b/test/recipes/25-test_pkcs7.t -index 37cd43dc6b..d61cd6abad 100644 ---- a/test/recipes/25-test_pkcs7.t -+++ b/test/recipes/25-test_pkcs7.t -@@ -11,11 +11,11 @@ use strict; - use warnings; - - use File::Spec; --use OpenSSL::Test qw/:DEFAULT srctop_file/; -+use OpenSSL::Test qw/:DEFAULT srctop_file data_file/; - - setup("test_pkcs7"); - --plan tests => 3; -+plan tests => 4; - - require_ok(srctop_file('test','recipes','tconversion.pl')); - -@@ -27,3 +27,6 @@ subtest 'pkcs7 conversions -- pkcs7d' => sub { - tconversion( -type => 'p7d', -in => srctop_file("test", "pkcs7-1.pem"), - -args => ["pkcs7"] ); - }; -+ -+my $malformed = data_file('malformed.pkcs7'); -+ok(run(app(["openssl", "pkcs7", "-in", $malformed]))); -diff --git a/test/recipes/25-test_pkcs7_data/malformed.pkcs7 b/test/recipes/25-test_pkcs7_data/malformed.pkcs7 -new file mode 100644 -index 0000000000..e30d1b582c ---- /dev/null -+++ b/test/recipes/25-test_pkcs7_data/malformed.pkcs7 -@@ -0,0 +1,3 @@ -+-----BEGIN PKCS7----- -+MAsGCSqGSIb3DQEHAg== -+-----END PKCS7----- --- -2.39.1 - diff --git a/SOURCES/0106-CVE-2023-0217-dsa.patch b/SOURCES/0106-CVE-2023-0217-dsa.patch deleted file mode 100644 index d2db996..0000000 --- a/SOURCES/0106-CVE-2023-0217-dsa.patch +++ /dev/null @@ -1,404 +0,0 @@ -From 23985bac83fd50c8e29431009302b5442f985096 Mon Sep 17 00:00:00 2001 -From: slontis -Date: Wed, 11 Jan 2023 11:05:04 +1000 -Subject: [PATCH 10/18] Fix NULL deference when validating FFC public key. - -Fixes CVE-2023-0217 - -When attempting to do a BN_Copy of params->p there was no NULL check. -Since BN_copy does not check for NULL this is a NULL reference. - -As an aside BN_cmp() does do a NULL check, so there are other checks -that fail because a NULL is passed. A more general check for NULL params -has been added for both FFC public and private key validation instead. - -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz ---- - crypto/ffc/ffc_key_validate.c | 9 +++++++++ - include/internal/ffc.h | 1 + - test/ffc_internal_test.c | 31 +++++++++++++++++++++++++++++++ - 3 files changed, 41 insertions(+) - -diff --git a/crypto/ffc/ffc_key_validate.c b/crypto/ffc/ffc_key_validate.c -index 9f6525a2c8..442303e4b3 100644 ---- a/crypto/ffc/ffc_key_validate.c -+++ b/crypto/ffc/ffc_key_validate.c -@@ -24,6 +24,11 @@ int ossl_ffc_validate_public_key_partial(const FFC_PARAMS *params, - BN_CTX *ctx = NULL; - - *ret = 0; -+ if (params == NULL || pub_key == NULL || params->p == NULL) { -+ *ret = FFC_ERROR_PASSED_NULL_PARAM; -+ return 0; -+ } -+ - ctx = BN_CTX_new_ex(NULL); - if (ctx == NULL) - goto err; -@@ -107,6 +112,10 @@ int ossl_ffc_validate_private_key(const BIGNUM *upper, const BIGNUM *priv, - - *ret = 0; - -+ if (priv == NULL || upper == NULL) { -+ *ret = FFC_ERROR_PASSED_NULL_PARAM; -+ goto err; -+ } - if (BN_cmp(priv, BN_value_one()) < 0) { - *ret |= FFC_ERROR_PRIVKEY_TOO_SMALL; - goto err; -diff --git a/include/internal/ffc.h b/include/internal/ffc.h -index 732514a6c2..b8b7140857 100644 ---- a/include/internal/ffc.h -+++ b/include/internal/ffc.h -@@ -76,6 +76,7 @@ - # define FFC_ERROR_NOT_SUITABLE_GENERATOR 0x08 - # define FFC_ERROR_PRIVKEY_TOO_SMALL 0x10 - # define FFC_ERROR_PRIVKEY_TOO_LARGE 0x20 -+# define FFC_ERROR_PASSED_NULL_PARAM 0x40 - - /* - * Finite field cryptography (FFC) domain parameters are used by DH and DSA. -diff --git a/test/ffc_internal_test.c b/test/ffc_internal_test.c -index 2c97293573..9f67bd29b9 100644 ---- a/test/ffc_internal_test.c -+++ b/test/ffc_internal_test.c -@@ -510,6 +510,27 @@ static int ffc_public_validate_test(void) - if (!TEST_true(ossl_ffc_validate_public_key(params, pub, &res))) - goto err; - -+ /* Fail if params is NULL */ -+ if (!TEST_false(ossl_ffc_validate_public_key(NULL, pub, &res))) -+ goto err; -+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) -+ goto err; -+ res = -1; -+ /* Fail if pubkey is NULL */ -+ if (!TEST_false(ossl_ffc_validate_public_key(params, NULL, &res))) -+ goto err; -+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) -+ goto err; -+ res = -1; -+ -+ BN_free(params->p); -+ params->p = NULL; -+ /* Fail if params->p is NULL */ -+ if (!TEST_false(ossl_ffc_validate_public_key(params, pub, &res))) -+ goto err; -+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) -+ goto err; -+ - ret = 1; - err: - DH_free(dh); -@@ -567,6 +588,16 @@ static int ffc_private_validate_test(void) - if (!TEST_true(ossl_ffc_validate_private_key(params->q, priv, &res))) - goto err; - -+ if (!TEST_false(ossl_ffc_validate_private_key(NULL, priv, &res))) -+ goto err; -+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) -+ goto err; -+ res = -1; -+ if (!TEST_false(ossl_ffc_validate_private_key(params->q, NULL, &res))) -+ goto err; -+ if (!TEST_int_eq(FFC_ERROR_PASSED_NULL_PARAM, res)) -+ goto err; -+ - ret = 1; - err: - DH_free(dh); --- -2.39.1 - -From c1b4467a7cc129a74fc5205b80a5c47556b99416 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Fri, 13 Jan 2023 17:57:59 +0100 -Subject: [PATCH 11/18] Prevent creating DSA and DH keys without parameters - through import - -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale ---- - providers/implementations/keymgmt/dh_kmgmt.c | 4 ++-- - providers/implementations/keymgmt/dsa_kmgmt.c | 5 +++-- - 2 files changed, 5 insertions(+), 4 deletions(-) - -diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c -index 58a5fd009f..c2d87b4a7f 100644 ---- a/providers/implementations/keymgmt/dh_kmgmt.c -+++ b/providers/implementations/keymgmt/dh_kmgmt.c -@@ -198,8 +198,8 @@ static int dh_import(void *keydata, int selection, const OSSL_PARAM params[]) - if ((selection & DH_POSSIBLE_SELECTIONS) == 0) - return 0; - -- if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) -- ok = ok && ossl_dh_params_fromdata(dh, params); -+ /* a key without parameters is meaningless */ -+ ok = ok && ossl_dh_params_fromdata(dh, params); - - if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { - int include_private = -diff --git a/providers/implementations/keymgmt/dsa_kmgmt.c b/providers/implementations/keymgmt/dsa_kmgmt.c -index 100e917167..881680c085 100644 ---- a/providers/implementations/keymgmt/dsa_kmgmt.c -+++ b/providers/implementations/keymgmt/dsa_kmgmt.c -@@ -199,8 +199,9 @@ static int dsa_import(void *keydata, int selection, const OSSL_PARAM params[]) - if ((selection & DSA_POSSIBLE_SELECTIONS) == 0) - return 0; - -- if ((selection & OSSL_KEYMGMT_SELECT_ALL_PARAMETERS) != 0) -- ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params); -+ /* a key without parameters is meaningless */ -+ ok = ok && ossl_dsa_ffc_params_fromdata(dsa, params); -+ - if ((selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0) { - int include_private = - selection & OSSL_KEYMGMT_SELECT_PRIVATE_KEY ? 1 : 0; --- -2.39.1 - -From fab4973801bdc11c29c4c8ccf65cf39cbc63ce9b Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Fri, 13 Jan 2023 17:59:52 +0100 -Subject: [PATCH 12/18] Do not create DSA keys without parameters by decoder - -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale ---- - crypto/x509/x_pubkey.c | 24 +++++++++++++++++++ - include/crypto/x509.h | 3 +++ - .../encode_decode/decode_der2key.c | 2 +- - 3 files changed, 28 insertions(+), 1 deletion(-) - -diff --git a/crypto/x509/x_pubkey.c b/crypto/x509/x_pubkey.c -index bc90ddd89b..77790faa1f 100644 ---- a/crypto/x509/x_pubkey.c -+++ b/crypto/x509/x_pubkey.c -@@ -745,6 +745,30 @@ DSA *d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length) - return key; - } - -+/* Called from decoders; disallows provided DSA keys without parameters. */ -+DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length) -+{ -+ DSA *key = NULL; -+ const unsigned char *data; -+ const BIGNUM *p, *q, *g; -+ -+ data = *pp; -+ key = d2i_DSA_PUBKEY(NULL, &data, length); -+ if (key == NULL) -+ return NULL; -+ DSA_get0_pqg(key, &p, &q, &g); -+ if (p == NULL || q == NULL || g == NULL) { -+ DSA_free(key); -+ return NULL; -+ } -+ *pp = data; -+ if (a != NULL) { -+ DSA_free(*a); -+ *a = key; -+ } -+ return key; -+} -+ - int i2d_DSA_PUBKEY(const DSA *a, unsigned char **pp) - { - EVP_PKEY *pktmp; -diff --git a/include/crypto/x509.h b/include/crypto/x509.h -index 1f00178e89..0c42730ee9 100644 ---- a/include/crypto/x509.h -+++ b/include/crypto/x509.h -@@ -339,6 +339,9 @@ void ossl_X509_PUBKEY_INTERNAL_free(X509_PUBKEY *xpub); - - RSA *ossl_d2i_RSA_PSS_PUBKEY(RSA **a, const unsigned char **pp, long length); - int ossl_i2d_RSA_PSS_PUBKEY(const RSA *a, unsigned char **pp); -+# ifndef OPENSSL_NO_DSA -+DSA *ossl_d2i_DSA_PUBKEY(DSA **a, const unsigned char **pp, long length); -+# endif /* OPENSSL_NO_DSA */ - # ifndef OPENSSL_NO_DH - DH *ossl_d2i_DH_PUBKEY(DH **a, const unsigned char **pp, long length); - int ossl_i2d_DH_PUBKEY(const DH *a, unsigned char **pp); -diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c -index ebc2d24833..d6ad738ef3 100644 ---- a/providers/implementations/encode_decode/decode_der2key.c -+++ b/providers/implementations/encode_decode/decode_der2key.c -@@ -374,7 +374,7 @@ static void *dsa_d2i_PKCS8(void **key, const unsigned char **der, long der_len, - (key_from_pkcs8_t *)ossl_dsa_key_from_pkcs8); - } - --# define dsa_d2i_PUBKEY (d2i_of_void *)d2i_DSA_PUBKEY -+# define dsa_d2i_PUBKEY (d2i_of_void *)ossl_d2i_DSA_PUBKEY - # define dsa_free (free_key_fn *)DSA_free - # define dsa_check NULL - --- -2.39.1 - -From 7e37185582995b35f885fec9dcc3670af9ffcbef Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Fri, 13 Jan 2023 18:46:15 +0100 -Subject: [PATCH 13/18] Add test for DSA pubkey without param import and check - -Reviewed-by: Matt Caswell -Reviewed-by: Paul Dale ---- - test/recipes/91-test_pkey_check.t | 48 ++++++++++++++---- - .../91-test_pkey_check_data/dsapub.pem | 12 +++++ - .../dsapub_noparam.der | Bin 0 -> 108 bytes - 3 files changed, 49 insertions(+), 11 deletions(-) - create mode 100644 test/recipes/91-test_pkey_check_data/dsapub.pem - create mode 100644 test/recipes/91-test_pkey_check_data/dsapub_noparam.der - -diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t -index 612a3e3d6c..015d7805db 100644 ---- a/test/recipes/91-test_pkey_check.t -+++ b/test/recipes/91-test_pkey_check.t -@@ -11,19 +11,24 @@ use strict; - use warnings; - - use File::Spec; --use OpenSSL::Test qw/:DEFAULT data_file/; -+use OpenSSL::Test qw/:DEFAULT data_file with/; - use OpenSSL::Test::Utils; - - sub pkey_check { - my $f = shift; -+ my $pubcheck = shift; -+ my @checkopt = ('-check'); - -- return run(app(['openssl', 'pkey', '-check', '-text', -+ @checkopt = ('-pubcheck', '-pubin') if $pubcheck; -+ -+ return run(app(['openssl', 'pkey', @checkopt, '-text', - '-in', $f])); - } - - sub check_key { - my $f = shift; - my $should_fail = shift; -+ my $pubcheck = shift; - my $str; - - -@@ -33,11 +38,10 @@ sub check_key { - $f = data_file($f); - - if ( -s $f ) { -- if ($should_fail) { -- ok(!pkey_check($f), $str); -- } else { -- ok(pkey_check($f), $str); -- } -+ with({ exit_checker => sub { return shift == $should_fail; } }, -+ sub { -+ ok(pkey_check($f, $pubcheck), $str); -+ }); - } else { - fail("Missing file $f"); - } -@@ -66,15 +70,37 @@ push(@positive_tests, ( - "dhpkey.pem" - )) unless disabled("dh"); - -+my @negative_pubtests = (); -+ -+push(@negative_pubtests, ( -+ "dsapub_noparam.der" -+ )) unless disabled("dsa"); -+ -+my @positive_pubtests = (); -+ -+push(@positive_pubtests, ( -+ "dsapub.pem" -+ )) unless disabled("dsa"); -+ - plan skip_all => "No tests within the current enabled feature set" -- unless @negative_tests && @positive_tests; -+ unless @negative_tests && @positive_tests -+ && @negative_pubtests && @positive_pubtests; - --plan tests => scalar(@negative_tests) + scalar(@positive_tests); -+plan tests => scalar(@negative_tests) + scalar(@positive_tests) -+ + scalar(@negative_pubtests) + scalar(@positive_pubtests); - - foreach my $t (@negative_tests) { -- check_key($t, 1); -+ check_key($t, 1, 0); - } - - foreach my $t (@positive_tests) { -- check_key($t, 0); -+ check_key($t, 0, 0); -+} -+ -+foreach my $t (@negative_pubtests) { -+ check_key($t, 1, 1); -+} -+ -+foreach my $t (@positive_pubtests) { -+ check_key($t, 0, 1); - } -diff --git a/test/recipes/91-test_pkey_check_data/dsapub.pem b/test/recipes/91-test_pkey_check_data/dsapub.pem -new file mode 100644 -index 0000000000..0ff4bd83ed ---- /dev/null -+++ b/test/recipes/91-test_pkey_check_data/dsapub.pem -@@ -0,0 +1,12 @@ -+-----BEGIN PUBLIC KEY----- -+MIIBvzCCATQGByqGSM44BAEwggEnAoGBAIjbXpOVVciVNuagg26annKkghIIZFI4 -+4WdMomnV+I/oXyxHbZTBBBpW9xy/E1+yMjbp4GmX+VxyDj3WxUWxXllzL+miEkzD -+9Xz638VzIBhjFbMvk1/N4kS4bKVUd9yk7HfvYzAdnRphk0WI+RoDiDrBNPPxSoQD -+CEWgvwgsLIDhAh0A6dbz1IQpQwGF4+Ca28x6OO+UfJJv3ggeZ++fNwKBgQCA9XKV -+lRrTY8ALBxS0KbZjpaIXuUj5nr3i1lIDyP3ISksDF0ekyLtn6eK9VijX6Pm65Np+ -+4ic9Nr5WKLKhPaUSpLNRx1gDqo3sd92hYgiEUifzEuhLYfK/CsgFED+l2hDXtJUq -+bISNSHVwI5lsyNXLu7HI1Fk8F5UO3LqsboFAngOBhAACgYATxFY89nEYcUhgHGgr -+YDHhXBQfMKnTKYdvon4DN7WQ9ip+t4VUsLpTD1ZE9zrM2R/B04+8C6KGoViwyeER -+kS4dxWOkX71x4X2DlNpYevcR53tNcTDqmMD7YKfDDmrb0lftMyfW8aESaiymVMys -+DRjhKHBjdo0rZeSM8DAk3ctrXA== -+-----END PUBLIC KEY----- -diff --git a/test/recipes/91-test_pkey_check_data/dsapub_noparam.der b/test/recipes/91-test_pkey_check_data/dsapub_noparam.der -new file mode 100644 -index 0000000000000000000000000000000000000000..b8135f1ca94da914b6829421e0c13f6daa731862 -GIT binary patch -literal 108 -zcmXpIGT>xm*J|@PXTieE%*wz71|F5F-Nv0Bz9(=Kufz - -literal 0 -HcmV?d00001 - --- -2.39.1 - -From 2ad9928170768653d19d81881deabc5f9c1665c0 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Fri, 3 Feb 2023 14:57:04 +0100 -Subject: [PATCH 18/18] Internaly declare the DSA type for no-deprecated builds - -Reviewed-by: Hugo Landau -Reviewed-by: Richard Levitte -(cherry picked from commit 7a21a1b5fa2dac438892cf3292d1f9c445d870d9) ---- - include/crypto/types.h | 3 +++ - 1 file changed, 3 insertions(+) - -diff --git a/include/crypto/types.h b/include/crypto/types.h -index 0d81404091..0a75f03a3f 100644 ---- a/include/crypto/types.h -+++ b/include/crypto/types.h -@@ -20,6 +20,9 @@ typedef struct rsa_meth_st RSA_METHOD; - typedef struct ec_key_st EC_KEY; - typedef struct ec_key_method_st EC_KEY_METHOD; - # endif -+# ifndef OPENSSL_NO_DSA -+typedef struct dsa_st DSA; -+# endif - # endif - - # ifndef OPENSSL_NO_EC --- -2.39.1 - diff --git a/SOURCES/0107-CVE-2023-0286-X400.patch b/SOURCES/0107-CVE-2023-0286-X400.patch deleted file mode 100644 index b3d7a15..0000000 --- a/SOURCES/0107-CVE-2023-0286-X400.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 2f7530077e0ef79d98718138716bc51ca0cad658 Mon Sep 17 00:00:00 2001 -From: Hugo Landau -Date: Tue, 17 Jan 2023 17:45:42 +0000 -Subject: [PATCH 14/18] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address - (3.0) - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz ---- - CHANGES.md | 19 +++++++++++++++++++ - crypto/x509/v3_genn.c | 2 +- - include/openssl/x509v3.h.in | 2 +- - test/v3nametest.c | 8 ++++++++ - 4 files changed, 29 insertions(+), 2 deletions(-) - -diff --git a/crypto/x509/v3_genn.c b/crypto/x509/v3_genn.c -index c0a7166cd0..1741c2d2f6 100644 ---- a/crypto/x509/v3_genn.c -+++ b/crypto/x509/v3_genn.c -@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) - return -1; - switch (a->type) { - case GEN_X400: -- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); -+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); - break; - - case GEN_EDIPARTY: -diff --git a/include/openssl/x509v3.h.in b/include/openssl/x509v3.h.in -index d00a66a343..c087e3cf92 100644 ---- a/include/openssl/x509v3.h.in -+++ b/include/openssl/x509v3.h.in -@@ -154,7 +154,7 @@ typedef struct GENERAL_NAME_st { - OTHERNAME *otherName; /* otherName */ - ASN1_IA5STRING *rfc822Name; - ASN1_IA5STRING *dNSName; -- ASN1_TYPE *x400Address; -+ ASN1_STRING *x400Address; - X509_NAME *directoryName; - EDIPARTYNAME *ediPartyName; - ASN1_IA5STRING *uniformResourceIdentifier; -diff --git a/test/v3nametest.c b/test/v3nametest.c -index 6d2e2f8e27..0341995dde 100644 ---- a/test/v3nametest.c -+++ b/test/v3nametest.c -@@ -644,6 +644,14 @@ static struct gennamedata { - 0xb7, 0x09, 0x02, 0x02 - }, - 15 -+ }, { -+ /* -+ * Regression test for CVE-2023-0286. -+ */ -+ { -+ 0xa3, 0x00 -+ }, -+ 2 - } - }; - --- -2.39.1 - diff --git a/SOURCES/0108-CVE-2023-0401-pkcs7-md.patch b/SOURCES/0108-CVE-2023-0401-pkcs7-md.patch deleted file mode 100644 index 7608f56..0000000 --- a/SOURCES/0108-CVE-2023-0401-pkcs7-md.patch +++ /dev/null @@ -1,150 +0,0 @@ -From d3b6dfd70db844c4499bec6ad6601623a565e674 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Wed, 18 Jan 2023 09:27:53 +0100 -Subject: [PATCH 15/18] pk7_doit.c: Check return of BIO_set_md() calls - -These calls invoke EVP_DigestInit() which can fail for digests -with implicit fetches. Subsequent EVP_DigestUpdate() from BIO_write() -or EVP_DigestFinal() from BIO_read() will segfault on NULL -dereference. This can be triggered by an attacker providing -PKCS7 data digested with MD4 for example if the legacy provider -is not loaded. - -If BIO_set_md() fails the md BIO cannot be used. - -CVE-2023-0401 - -Reviewed-by: Paul Dale -Reviewed-by: Dmitry Belyavskiy ---- - crypto/pkcs7/pk7_doit.c | 12 ++++++++++-- - 1 file changed, 10 insertions(+), 2 deletions(-) - -diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c -index bde9ac4787..5e562fbea5 100644 ---- a/crypto/pkcs7/pk7_doit.c -+++ b/crypto/pkcs7/pk7_doit.c -@@ -84,7 +84,11 @@ static int pkcs7_bio_add_digest(BIO **pbio, X509_ALGOR *alg, - } - (void)ERR_pop_to_mark(); - -- BIO_set_md(btmp, md); -+ if (BIO_set_md(btmp, md) <= 0) { -+ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB); -+ EVP_MD_free(fetched); -+ goto err; -+ } - EVP_MD_free(fetched); - if (*pbio == NULL) - *pbio = btmp; -@@ -522,7 +526,11 @@ BIO *PKCS7_dataDecode(PKCS7 *p7, EVP_PKEY *pkey, BIO *in_bio, X509 *pcert) - } - (void)ERR_pop_to_mark(); - -- BIO_set_md(btmp, md); -+ if (BIO_set_md(btmp, md) <= 0) { -+ EVP_MD_free(evp_md); -+ ERR_raise(ERR_LIB_PKCS7, ERR_R_BIO_LIB); -+ goto err; -+ } - EVP_MD_free(evp_md); - if (out == NULL) - out = btmp; --- -2.39.1 - -From a0f2359613f50b5ca6b74b78bf4b54d7dc925fd2 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Wed, 18 Jan 2023 17:07:24 +0100 -Subject: [PATCH 16/18] Add testcase for missing return check of BIO_set_md() - calls - -Reviewed-by: Paul Dale -Reviewed-by: Dmitry Belyavskiy ---- - test/recipes/80-test_cms.t | 15 ++++++++-- - test/recipes/80-test_cms_data/pkcs7-md4.pem | 32 +++++++++++++++++++++ - 2 files changed, 45 insertions(+), 2 deletions(-) - create mode 100644 test/recipes/80-test_cms_data/pkcs7-md4.pem - -diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index fd53683e6b..d45789de70 100644 ---- a/test/recipes/80-test_cms.t -+++ b/test/recipes/80-test_cms.t -@@ -13,7 +13,7 @@ use warnings; - use POSIX; - use File::Spec::Functions qw/catfile/; - use File::Compare qw/compare_text compare/; --use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with/; -+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file bldtop_dir bldtop_file with data_file/; - - use OpenSSL::Test::Utils; - -@@ -50,7 +50,7 @@ my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) - - $no_rc2 = 1 if disabled("legacy"); - --plan tests => 13; -+plan tests => 14; - - ok(run(test(["pkcs7_test"])), "test pkcs7"); - -@@ -941,6 +941,17 @@ subtest "CMS binary input tests\n" => sub { - "verify binary input with -binary missing -crlfeol"); - }; - -+# Test case for missing MD algorithm (must not segfault) -+ -+with({ exit_checker => sub { return shift == 4; } }, -+ sub { -+ ok(run(app(['openssl', 'smime', '-verify', '-noverify', -+ '-inform', 'PEM', -+ '-in', data_file("pkcs7-md4.pem"), -+ ])), -+ "Check failure of EVP_DigestInit is handled correctly"); -+ }); -+ - sub check_availability { - my $tnam = shift; - -diff --git a/test/recipes/80-test_cms_data/pkcs7-md4.pem b/test/recipes/80-test_cms_data/pkcs7-md4.pem -new file mode 100644 -index 0000000000..ecff611deb ---- /dev/null -+++ b/test/recipes/80-test_cms_data/pkcs7-md4.pem -@@ -0,0 +1,32 @@ -+-----BEGIN PKCS7----- -+MIIFhAYJKoZIhvcNAQcCoIIFdTCCBXECAQExDjAMBggqhkiG9w0CBAUAMB0GCSqG -+SIb3DQEHAaAQBA5UZXN0IGNvbnRlbnQNCqCCAyQwggMgMIICCKADAgECAgECMA0G -+CSqGSIb3DQEBCwUAMA0xCzAJBgNVBAMMAkNBMCAXDTE2MDExNTA4MTk0OVoYDzIx -+MTYwMTE2MDgxOTQ5WjAZMRcwFQYDVQQDDA5zZXJ2ZXIuZXhhbXBsZTCCASIwDQYJ -+KoZIhvcNAQEBBQADggEPADCCAQoCggEBAKj/iVhhha7e2ywP1XP74reoG3p1YCvU -+fTxzdrWu3pMvfySQbckc9Io4zZ+igBZWy7Qsu5PlFx//DcZD/jE0+CjYdemju4iC -+76Ny4lNiBUVN4DGX76qdENJYDZ4GnjK7GwhWXWUPP2aOwjagEf/AWTX9SRzdHEIz -+BniuBDgj5ed1Z9OUrVqpQB+sWRD1DMFkrUrExjVTs5ZqghsVi9GZq+Seb5Sq0pbl -+V/uMkWSKPCQWxtIZvoJgEztisO0+HbPK+WvfMbl6nktHaKcpxz9K4iIntO+QY9fv -+0HJJPlutuRvUK2+GaN3VcxK4Q8ncQQ+io0ZPi2eIhA9h/nk0H0qJH7cCAwEAAaN9 -+MHswHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4HmCKX4XOiMB8GA1UdIwQYMBaAFLQR -+M/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQCMAAwEwYDVR0lBAwwCgYIKwYBBQUH -+AwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1wbGUwDQYJKoZIhvcNAQELBQADggEB -+AEG0PE9hQuXlvtUULv9TQ2BXy9MmTjOk+dQwxDhAXYBYMUB6TygsqvPXwpDwz8MS -+EPGCRqh5cQwtPoElQRU1i4URgcQMZquXScwNFcvE6AATF/PdN/+mOwtqFrlpYfs3 -+IJIpYL6ViQg4n8pv+b/pCwMmhewQLwCGs9+omHNTOwKjEiVoNaprAfj5Lxt15fS2 -++zZW0mT9Y4kfEypetrqSAjh8CDK+vaQhkeKdDfJyBfjS4ALfxvCkT3mQnsWFJ9CU -+TVG3uw6ylSPT3wN3RE0Ofa4rI5PESogQsd/DgBc7dcDO3yoPKGjycR3/GJDqqCxC -+e9dr6FJEnDjaDf9zNWyTFHExggITMIICDwIBATASMA0xCzAJBgNVBAMMAkNBAgEC -+MAwGCCqGSIb3DQIEBQCggdQwGAYJKoZIhvcNAQkDMQsGCSqGSIb3DQEHATAcBgkq -+hkiG9w0BCQUxDxcNMjMwMTE4MTU0NzExWjAfBgkqhkiG9w0BCQQxEgQQRXO4TKpp -+RgA4XHb8bD1pczB5BgkqhkiG9w0BCQ8xbDBqMAsGCWCGSAFlAwQBKjALBglghkgB -+ZQMEARYwCwYJYIZIAWUDBAECMAoGCCqGSIb3DQMHMA4GCCqGSIb3DQMCAgIAgDAN -+BggqhkiG9w0DAgIBQDAHBgUrDgMCBzANBggqhkiG9w0DAgIBKDANBgkqhkiG9w0B -+AQEFAASCAQAe+xlm/TGg/s/7b0xBc3FFnmmUDEe7ljkehIx61OnBV9ZWA+LcBX/7 -+kmMSMdaHjRq4w8FmwBMLzn0ttXVqf0QuPbBF/E6X5EqK9lpOdkUQhNiN2v+ZfY6c -+lrH4ADsSD9D+UHw0sxo5KEF+PPuneUfYCJZosFUJosBbuSEXK0C9yfJoDKVE8Syp -+0vdqh73ogLeNgZLAUGSSB66OmHDxwgAj4qPAv6FHFBy1Xs4uFZER5vniYrH9OrAk -+Z6XdvzDoYZC4XcGMDtcOpOM6D4owqy5svHPDw8wIlM4GVhrTw7CQmuBz5uRNnf6a -+ZK3jZIxG1hr/INaNWheHoPIhPblYaVc6 -+-----END PKCS7----- --- -2.39.1 - diff --git a/SOURCES/0109-fips-Zeroize-out-in-fips-selftest.patch b/SOURCES/0109-fips-Zeroize-out-in-fips-selftest.patch deleted file mode 100644 index 3cd48df..0000000 --- a/SOURCES/0109-fips-Zeroize-out-in-fips-selftest.patch +++ /dev/null @@ -1,26 +0,0 @@ -From 9dbc6069665690bd238caa7622647ea8ac94124f Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Mon, 13 Feb 2023 11:01:44 +0100 -Subject: fips: Zeroize `out` in fips selftest - -Signed-off-by: Clemens Lang -Resolves: rhbz#2169314 ---- - providers/fips/self_test.c | 1 + - 1 file changed, 1 insertion(+) - -diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c -index 80d048a847..11a989209c 100644 ---- a/providers/fips/self_test.c -+++ b/providers/fips/self_test.c -@@ -221,6 +221,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex - goto err; - ret = 1; - err: -+ OPENSSL_cleanse(out, sizeof(out)); - OSSL_SELF_TEST_onend(ev, ret); - EVP_MAC_CTX_free(ctx); - EVP_MAC_free(mac); --- -2.39.1 - diff --git a/SOURCES/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch b/SOURCES/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch index 5cb8ce4..4d80b9c 100644 --- a/SOURCES/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch +++ b/SOURCES/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch @@ -12,24 +12,12 @@ internally at its entirety randomly." Resolves: rhbz#2168289 Signed-off-by: Clemens Lang --- - include/openssl/core_names.h | 1 + include/openssl/evp.h | 4 +++ .../implementations/ciphers/ciphercommon.c | 4 +++ .../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++ - 4 files changed, 34 insertions(+) + util/perl/OpenSSL/paramnames.pm | 5 ++-- + 4 files changed, 36 insertions(+), 2 deletions(-) -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 680bfbc7cc..832502a034 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -97,6 +97,7 @@ extern "C" { - #define OSSL_CIPHER_PARAM_CTS_MODE "cts_mode" /* utf8_string */ - /* For passing the AlgorithmIdentifier parameter in DER form */ - #define OSSL_CIPHER_PARAM_ALGORITHM_ID_PARAMS "alg_id_param" /* octet_string */ -+#define OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */ - - #define OSSL_CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT \ - "tls1multi_maxsndfrag" /* uint */ diff --git a/include/openssl/evp.h b/include/openssl/evp.h index 49e8e1df78..ec2ba46fbd 100644 --- a/include/openssl/evp.h @@ -44,7 +32,7 @@ index 49e8e1df78..ec2ba46fbd 100644 + __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, const unsigned char *key, const unsigned char *iv); - /*__owur*/ int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, + __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c index fa383165d8..716add7339 100644 --- a/providers/implementations/ciphers/ciphercommon.c @@ -64,9 +52,9 @@ diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/im index ed95c97ff4..db7910eb0e 100644 --- a/providers/implementations/ciphers/ciphercommon_gcm.c +++ b/providers/implementations/ciphers/ciphercommon_gcm.c -@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) - || !getivgen(ctx, p->data, p->data_size)) - return 0; +@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) + break; + } } + + /* We would usually hide this under #ifdef FIPS_MODULE, but @@ -96,6 +84,22 @@ index ed95c97ff4..db7910eb0e 100644 return 1; } +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index a109e44521..64e9809387 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -101,8 +101,9 @@ my %params = ( + 'CIPHER_PARAM_SPEED' => "speed", # uint + 'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string + # For passing the AlgorithmIdentifier parameter in DER form +- 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string +- 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string ++ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string ++ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int ++ 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string + + 'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint + 'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE' => "tls1multi_maxbufsz", # size_t -- 2.39.1 diff --git a/SOURCES/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch b/SOURCES/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch deleted file mode 100644 index 3868089..0000000 --- a/SOURCES/0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch +++ /dev/null @@ -1,82 +0,0 @@ -From 56090fca0a0c8b6cf1782aced0a02349358aae7d Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Fri, 3 Mar 2023 12:22:03 +0100 -Subject: [PATCH 1/2] fips: Use salt >= 16 bytes in PBKDF2 selftest - -NIST SP 800-132 [1] section 5.1 says "[t]he length of the -randomly-generated portion of the salt shall be at least -128 bits", which implies that the salt for PBKDF2 must be at least 16 -bytes long (see also Appendix A.2.1). - -The FIPS 140-3 IG [2] section 10.3.A requires that "the lengths and the -properties of the Password and Salt parameters, as well as the desired -length of the Master Key used in a CAST shall be among those supported -by the module in the approved mode." - -As a consequence, the salt length in the self test must be at least 16 -bytes long for FIPS 140-3 compliance. Switch the self test to use the -only test vector from RFC 6070 that uses salt that is long enough to -fulfil this requirement. Since RFC 6070 does not provide expected -results for PBKDF2 with HMAC-SHA256, use the output from [3], which was -generated with python cryptography, which was tested against the RFC -6070 vectors with HMAC-SHA1. - - [1]: https://doi.org/10.6028/NIST.SP.800-132 - [2]: https://csrc.nist.gov/CSRC/media/Projects/cryptographic-module-validation-program/documents/fips%20140-3/FIPS%20140-3%20IG.pdf - [3]: https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md - -Signed-off-by: Clemens Lang - -Reviewed-by: Paul Dale -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/20429) - -(cherry picked from commit 451cb23c41c90d5a02902b3a77551aa9ee1c6956) ---- - providers/fips/self_test_data.inc | 22 ++++++++++++++++------ - 1 file changed, 16 insertions(+), 6 deletions(-) - -diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc -index 8ae8cd6f4a..03adf28f3c 100644 ---- a/providers/fips/self_test_data.inc -+++ b/providers/fips/self_test_data.inc -@@ -361,19 +361,29 @@ static const ST_KAT_PARAM x963kdf_params[] = { - }; - - static const char pbkdf2_digest[] = "SHA256"; -+/* -+ * Input parameters from RFC 6070, vector 5 (because it is the only one with -+ * a salt >= 16 bytes, which NIST SP 800-132 section 5.1 requires). The -+ * expected output is taken from -+ * https://github.com/brycx/Test-Vector-Generation/blob/master/PBKDF2/pbkdf2-hmac-sha2-test-vectors.md, -+ * which ran these test vectors with SHA-256. -+ */ - static const unsigned char pbkdf2_password[] = { -- 0x70, 0x61, 0x73, 0x73, 0x00, 0x77, 0x6f, 0x72, -- 0x64 -+ 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64, 0x50, 0x41, 0x53, 0x53, -+ 0x57, 0x4f, 0x52, 0x44, 0x70, 0x61, 0x73, 0x73, 0x77, 0x6f, 0x72, 0x64 - }; - static const unsigned char pbkdf2_salt[] = { -- 0x73, 0x61, 0x00, 0x6c, 0x74 -+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, -+ 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, -+ 0x73, 0x61, 0x6c, 0x74, 0x53, 0x41, 0x4c, 0x54, 0x73, 0x61, 0x6c, 0x74 - }; - static const unsigned char pbkdf2_expected[] = { -- 0x89, 0xb6, 0x9d, 0x05, 0x16, 0xf8, 0x29, 0x89, -- 0x3c, 0x69, 0x62, 0x26, 0x65, 0x0a, 0x86, 0x87, -+ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, 0x32, 0xd8, 0x14, 0xb8, -+ 0x11, 0x6e, 0x84, 0xcf, 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18, -+ 0x1c - }; - static int pbkdf2_iterations = 4096; --static int pbkdf2_pkcs5 = 1; -+static int pbkdf2_pkcs5 = 0; - static const ST_KAT_PARAM pbkdf2_params[] = { - ST_KAT_PARAM_UTF8STRING(OSSL_KDF_PARAM_DIGEST, pbkdf2_digest), - ST_KAT_PARAM_OCTET(OSSL_KDF_PARAM_PASSWORD, pbkdf2_password), --- -2.39.2 - diff --git a/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch index e8777f3..2dc304c 100644 --- a/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch +++ b/SOURCES/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch @@ -21,32 +21,12 @@ Resolves: rhbz#2179331 Resolves: RHEL-14083 Signed-off-by: Clemens Lang --- - include/openssl/core_names.h | 2 ++ include/openssl/evp.h | 4 +++ - .../implementations/asymciphers/rsa_enc.c | 19 ++++++++++++ - providers/implementations/kem/rsa_kem.c | 29 ++++++++++++++++++- - 4 files changed, 53 insertions(+), 1 deletion(-) + .../implementations/asymciphers/rsa_enc.c | 22 ++++++++++++++ + providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++- + util/perl/OpenSSL/paramnames.pm | 6 ++-- + 4 files changed, 59 insertions(+), 3 deletions(-) -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 832502a034..e15d208421 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -477,6 +477,7 @@ extern "C" { - #ifdef FIPS_MODULE - #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" - #endif -+#define OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" - - /* - * Encoder / decoder parameters -@@ -511,6 +512,7 @@ extern "C" { - - /* KEM parameters */ - #define OSSL_KEM_PARAM_OPERATION "operation" -+#define OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR "redhat-fips-indicator" /* int */ - - /* OSSL_KEM_PARAM_OPERATION values */ - #define OSSL_KEM_PARAM_OPERATION_RSASVE "RSASVE" diff --git a/include/openssl/evp.h b/include/openssl/evp.h index ec2ba46fbd..3803b03422 100644 --- a/include/openssl/evp.h @@ -66,22 +46,25 @@ diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/impleme index 568452ec56..2e7ea632d7 100644 --- a/providers/implementations/asymciphers/rsa_enc.c +++ b/providers/implementations/asymciphers/rsa_enc.c -@@ -452,6 +452,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) - if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) +@@ -462,6 +462,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection)) return 0; +#ifdef FIPS_MODULE + p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); + if (p != NULL) { ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; ++ + /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key + * confirmation (section 6.4.2.3.2), or assurance from a trusted third + * party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but + * explicit key confirmation is not implemented here and cannot be + * implemented without protocol changes, and the FIPS provider does not + * implement trusted third party validation, since it relies on its -+ * callers to do that. A request for guidance sent to NIST resulted in -+ * further clarification which allows OpenSSL to claim RSA-OAEP. */ -+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; ++ * callers to do that. We must thus mark RSA-OAEP as unapproved until ++ * we have received clarification from NIST on how library modules such ++ * as OpenSSL should implement TTP validation. */ ++ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + + if (!OSSL_PARAM_set_int(p, fips_indicator)) + return 0; @@ -97,13 +80,13 @@ index 568452ec56..2e7ea632d7 100644 OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), + OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), #endif /* FIPS_MODULE */ + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), OSSL_PARAM_END - }; diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c index 882cf16125..b4cc0f9237 100644 --- a/providers/implementations/kem/rsa_kem.c +++ b/providers/implementations/kem/rsa_kem.c -@@ -151,11 +151,38 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, +@@ -151,11 +151,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params) { PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx; @@ -123,9 +106,10 @@ index 882cf16125..b4cc0f9237 100644 + * explicit key confirmation is not implemented here and cannot be + * implemented without protocol changes, and the FIPS provider does not + * implement trusted third party validation, since it relies on its -+ * callers to do that. A request for guidance sent to NIST resulted in -+ * further clarification which allows OpenSSL to claim RSASVE. */ -+ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; ++ * callers to do that. We must thus mark RSASVE unapproved until we ++ * have received clarification from NIST on how library modules such as ++ * OpenSSL should implement TTP validation. */ ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + + if (!OSSL_PARAM_set_int(p, fips_indicator)) + return 0; @@ -143,6 +127,30 @@ index 882cf16125..b4cc0f9237 100644 OSSL_PARAM_END }; +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index 64e9809387..45ab0c8dc4 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -406,6 +406,7 @@ my %params = ( + 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version", + 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", + 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed", ++ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", + + # Encoder / decoder parameters + +@@ -438,8 +439,9 @@ my %params = ( + 'SIGNATURE_PARAM_KAT' => "kat", + + # KEM parameters +- 'KEM_PARAM_OPERATION' => "operation", +- 'KEM_PARAM_IKME' => "ikme", ++ 'KEM_PARAM_OPERATION' => "operation", ++ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", ++ 'KEM_PARAM_IKME' => "ikme", + + # Capabilities + -- 2.39.2 diff --git a/SOURCES/0114-FIPS-enforce-EMS-support.patch b/SOURCES/0114-FIPS-enforce-EMS-support.patch index d10901f..fd1e90e 100644 --- a/SOURCES/0114-FIPS-enforce-EMS-support.patch +++ b/SOURCES/0114-FIPS-enforce-EMS-support.patch @@ -1,44 +1,72 @@ -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index e90e5dc03339..f391e756475c 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -1006,6 +1006,7 @@ PROV_R_BN_ERROR:160:bn error - PROV_R_CIPHER_OPERATION_FAILED:102:cipher operation failed - PROV_R_DERIVATION_FUNCTION_INIT_FAILED:205:derivation function init failed - PROV_R_DIGEST_NOT_ALLOWED:174:digest not allowed -+PROV_R_EMS_NOT_ENABLED:233:ems not enabled - PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK:186:entropy source strength too weak - PROV_R_ERROR_INSTANTIATING_DRBG:188:error instantiating drbg - PROV_R_ERROR_RETRIEVING_ENTROPY:189:error retrieving entropy -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index 173a81d28bbe..5e5be567a578 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -21,11 +21,12 @@ extern "C" { - #define OSSL_PROV_PARAM_CORE_MODULE_FILENAME "module-filename" /* utf8_ptr */ +From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 16:40:56 +0200 +Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch + +Patch-name: 0114-FIPS-enforce-EMS-support.patch +Patch-id: 114 +Patch-status: | + # We believe that some changes present in CentOS are not necessary + # because ustream has a check for FIPS version +--- + doc/man3/SSL_CONF_cmd.pod | 3 +++ + doc/man5/fips_config.pod | 13 +++++++++++ + include/openssl/fips_names.h | 8 +++++++ + include/openssl/ssl.h.in | 1 + + providers/fips/fipsprov.c | 2 +- + providers/implementations/kdfs/tls1_prf.c | 22 +++++++++++++++++++ + ssl/ssl_conf.c | 1 + + ssl/statem/extensions_srvr.c | 8 ++++++- + ssl/t1_enc.c | 11 ++++++++-- + .../30-test_evp_data/evpkdf_tls12_prf.txt | 10 +++++++++ + test/sslapitest.c | 2 +- + 11 files changed, 76 insertions(+), 5 deletions(-) + +diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod +index ae6ca43282..b83c04a308 100644 +--- a/doc/man3/SSL_CONF_cmd.pod ++++ b/doc/man3/SSL_CONF_cmd.pod +@@ -524,6 +524,9 @@ B: use extended master secret extension, enabled by + default. Inverse of B: that is, + B<-ExtendedMasterSecret> is the same as setting B. - /* Well known parameter names that Providers can define */ --#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */ --#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */ --#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */ --#define OSSL_PROV_PARAM_STATUS "status" /* uint */ --#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */ -+#define OSSL_PROV_PARAM_NAME "name" /* utf8_ptr */ -+#define OSSL_PROV_PARAM_VERSION "version" /* utf8_ptr */ -+#define OSSL_PROV_PARAM_BUILDINFO "buildinfo" /* utf8_ptr */ -+#define OSSL_PROV_PARAM_STATUS "status" /* uint */ -+#define OSSL_PROV_PARAM_SECURITY_CHECKS "security-checks" /* uint */ -+#define OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" /* uint */ ++B: allow establishing connections without EMS in FIPS mode. ++This is a RedHat-based OS specific option, and normally it should be set up via crypto policies. ++ + B: use CA names extension, enabled by + default. Inverse of B: that is, + B<-CANames> is the same as setting B. +diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod +index 1c15e32a5c..f2cedaf88d 100644 +--- a/doc/man5/fips_config.pod ++++ b/doc/man5/fips_config.pod +@@ -15,6 +15,19 @@ for more information. - /* Self test callback parameters */ - #define OSSL_PROV_PARAM_SELF_TEST_PHASE "st-phase" /* utf8_string */ + This functionality was added in OpenSSL 3.0. + ++Red Hat Enterprise Linux uses a supplementary config for FIPS module located in ++OpenSSL configuration directory and managed by crypto policies. If present, it ++should have format ++ ++ [fips_sect] ++ tls1-prf-ems-check = 0 ++ activate = 1 ++ ++The B option specifies whether FIPS module will require the ++presence of extended master secret or not. ++ ++The B option enforces FIPS provider activation. ++ + =head1 COPYRIGHT + + Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h -index 0fdf5440c7cb..3f29369b3f92 100644 +index 5c77f6d691..8cdd5a6bf7 100644 --- a/include/openssl/fips_names.h +++ b/include/openssl/fips_names.h -@@ -53,6 +53,14 @@ extern "C" { +@@ -70,6 +70,14 @@ extern "C" { */ - # define OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS "security-checks" + # define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md" +/* + * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed. @@ -51,228 +79,46 @@ index 0fdf5440c7cb..3f29369b3f92 100644 # ifdef __cplusplus } # endif -diff --git a/include/openssl/proverr.h b/include/openssl/proverr.h -index 3685430f5d3e..bf4dc135f592 100644 ---- a/include/openssl/proverr.h -+++ b/include/openssl/proverr.h -@@ -32,6 +32,7 @@ - # define PROV_R_CIPHER_OPERATION_FAILED 102 - # define PROV_R_DERIVATION_FUNCTION_INIT_FAILED 205 - # define PROV_R_DIGEST_NOT_ALLOWED 174 -+# define PROV_R_EMS_NOT_ENABLED 233 - # define PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK 186 - # define PROV_R_ERROR_INSTANTIATING_DRBG 188 - # define PROV_R_ERROR_RETRIEVING_ENTROPY 189 -diff --git a/providers/common/include/prov/securitycheck.h b/providers/common/include/prov/securitycheck.h -index 4a7f85f71186..62e60cc0103f 100644 ---- a/providers/common/include/prov/securitycheck.h -+++ b/providers/common/include/prov/securitycheck.h -@@ -28,3 +28,4 @@ int ossl_digest_get_approved_nid(const EVP_MD *md); - int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, - int sha1_allowed); - int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx); -+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx); -diff --git a/providers/common/provider_err.c b/providers/common/provider_err.c -index f6144072aa04..954aabe80cfc 100644 ---- a/providers/common/provider_err.c -+++ b/providers/common/provider_err.c -@@ -33,6 +33,7 @@ static const ERR_STRING_DATA PROV_str_reasons[] = { - "derivation function init failed"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_DIGEST_NOT_ALLOWED), - "digest not allowed"}, -+ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_EMS_NOT_ENABLED), "ems not enabled"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ENTROPY_SOURCE_STRENGTH_TOO_WEAK), - "entropy source strength too weak"}, - {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_ERROR_INSTANTIATING_DRBG), -diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c -index de7f0d3a0a57..63c875ecd0b7 100644 ---- a/providers/common/securitycheck_default.c -+++ b/providers/common/securitycheck_default.c -@@ -22,6 +22,12 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) - return 0; - } - -+/* Disable the ems check in the default provider */ -+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) -+{ -+ return 0; -+} -+ - int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, - int sha1_allowed) - { -diff --git a/providers/common/securitycheck_fips.c b/providers/common/securitycheck_fips.c -index b7659bd395c3..2bc8a5992685 100644 ---- a/providers/common/securitycheck_fips.c -+++ b/providers/common/securitycheck_fips.c -@@ -20,6 +20,7 @@ - #include "prov/securitycheck.h" - - int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); -+int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx); - - int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) - { -@@ -30,6 +31,11 @@ int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) - #endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ - } - -+int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) -+{ -+ return FIPS_tls_prf_ems_check(libctx); -+} -+ - int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, - int sha1_allowed) - { +diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in +index 0b6de603e2..26a69ca282 100644 +--- a/include/openssl/ssl.h.in ++++ b/include/openssl/ssl.h.in +@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); + * interoperability with CryptoPro CSP 3.x + */ + # define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) ++# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48) + /* + * Disable RFC8879 certificate compression + * SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates, diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c -index b86b27d236f3..b881f46f36ad 100644 +index 5ff9872bd8..eb9653a9df 100644 --- a/providers/fips/fipsprov.c +++ b/providers/fips/fipsprov.c -@@ -47,6 +47,7 @@ static OSSL_FUNC_provider_query_operation_fn fips_query; - #define ALG(NAMES, FUNC) ALGC(NAMES, FUNC, NULL) - extern OSSL_FUNC_core_thread_start_fn *c_thread_start; - int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx); -+int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx); - - /* - * Should these function pointers be stored in the provider side provctx? Could -@@ -82,7 +83,9 @@ typedef struct fips_global_st { - const OSSL_CORE_HANDLE *handle; - SELF_TEST_POST_PARAMS selftest_params; - int fips_security_checks; -+ int fips_tls1_prf_ems_check; - const char *fips_security_check_option; -+ const char *fips_tls1_prf_ems_check_option; - } FIPS_GLOBAL; - - static void *fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) -@@ -94,6 +97,9 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) - fgbl->fips_security_checks = 1; - fgbl->fips_security_check_option = "1"; - -+ fgbl->fips_tls1_prf_ems_check = 1; /* Enabled by default */ -+ fgbl->fips_tls1_prf_ems_check_option = "1"; -+ +@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) + if (fgbl == NULL) + return NULL; + init_fips_option(&fgbl->fips_security_checks, 1); +- init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */ ++ init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */ + init_fips_option(&fgbl->fips_restricted_drgb_digests, 0); return fgbl; } - -@@ -109,6 +115,7 @@ static const OSSL_PARAM fips_param_types[] = { - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_BUILDINFO, OSSL_PARAM_UTF8_PTR, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_STATUS, OSSL_PARAM_INTEGER, NULL, 0), - OSSL_PARAM_DEFN(OSSL_PROV_PARAM_SECURITY_CHECKS, OSSL_PARAM_INTEGER, NULL, 0), -+ OSSL_PARAM_DEFN(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, OSSL_PARAM_INTEGER, NULL, 0), - OSSL_PARAM_END - }; - -@@ -119,9 +126,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) - * NOTE: inside core_get_params() these will be loaded from config items - * stored inside prov->parameters (except for - * OSSL_PROV_PARAM_CORE_MODULE_FILENAME). -- * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS is not a self test parameter. -+ * OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS and -+ * OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK are not self test parameters. - */ -- OSSL_PARAM core_params[8], *p = core_params; -+ OSSL_PARAM core_params[9], *p = core_params; - - *p++ = OSSL_PARAM_construct_utf8_ptr( - OSSL_PROV_PARAM_CORE_MODULE_FILENAME, -@@ -151,6 +159,10 @@ static int fips_get_params_from_core(FIPS_GLOBAL *fgbl) - OSSL_PROV_FIPS_PARAM_SECURITY_CHECKS, - (char **)&fgbl->fips_security_check_option, - sizeof(fgbl->fips_security_check_option)); -+ *p++ = OSSL_PARAM_construct_utf8_ptr( -+ OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK, -+ (char **)&fgbl->fips_tls1_prf_ems_check_option, -+ sizeof(fgbl->fips_tls1_prf_ems_check_option)); - *p = OSSL_PARAM_construct_end(); - - if (!c_get_params(fgbl->handle, core_params)) { -@@ -187,6 +199,9 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) - p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_SECURITY_CHECKS); - if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_security_checks)) - return 0; -+ p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK); -+ if (p != NULL && !OSSL_PARAM_set_int(p, fgbl->fips_tls1_prf_ems_check)) -+ return 0; - return 1; - } - -@@ -703,6 +718,11 @@ int OSSL_provider_init_int(const OSSL_CORE_HANDLE *handle, - && strcmp(fgbl->fips_security_check_option, "0") == 0) - fgbl->fips_security_checks = 0; - -+ /* Disable the ems check if it's disabled in the fips config file. */ -+ if (fgbl->fips_tls1_prf_ems_check_option != NULL -+ && strcmp(fgbl->fips_tls1_prf_ems_check_option, "0") == 0) -+ fgbl->fips_tls1_prf_ems_check = 0; -+ - ossl_prov_cache_exported_algorithms(fips_ciphers, exported_fips_ciphers); - - if (!SELF_TEST_post(&fgbl->selftest_params, 0)) { -@@ -898,6 +918,15 @@ int FIPS_security_check_enabled(OSSL_LIB_CTX *libctx) - return fgbl->fips_security_checks; - } - -+int FIPS_tls_prf_ems_check(OSSL_LIB_CTX *libctx) -+{ -+ FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(libctx, -+ OSSL_LIB_CTX_FIPS_PROV_INDEX, -+ &fips_prov_ossl_ctx_method); -+ -+ return fgbl->fips_tls1_prf_ems_check; -+} -+ - void OSSL_SELF_TEST_get_callback(OSSL_LIB_CTX *libctx, OSSL_CALLBACK **cb, - void **cbarg) - { diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c -index 8a3807308408..2c2dbf31cc0b 100644 +index 25a6c79a2e..79bc7a9719 100644 --- a/providers/implementations/kdfs/tls1_prf.c +++ b/providers/implementations/kdfs/tls1_prf.c -@@ -45,6 +45,13 @@ - * A(0) = seed - * A(i) = HMAC_(secret, A(i-1)) - */ -+ -+/* -+ * Low level APIs (such as DH) are deprecated for public use, but still ok for -+ * internal use. -+ */ -+#include "internal/deprecated.h" -+ - #include - #include - #include -@@ -60,6 +67,7 @@ - #include "prov/providercommon.h" - #include "prov/implementations.h" - #include "prov/provider_util.h" -+#include "prov/securitycheck.h" - #include "e_os.h" - - static OSSL_FUNC_kdf_newctx_fn kdf_tls1_prf_new; -@@ -78,6 +86,8 @@ static int tls1_prf_alg(EVP_MAC_CTX *mdctx, EVP_MAC_CTX *sha1ctx, - unsigned char *out, size_t olen); - - #define TLS1_PRF_MAXBUF 1024 -+#define TLS_MD_MASTER_SECRET_CONST "\x6d\x61\x73\x74\x65\x72\x20\x73\x65\x63\x72\x65\x74" -+#define TLS_MD_MASTER_SECRET_CONST_SIZE 13 - - /* TLS KDF kdf context structure */ - typedef struct { -@@ -160,6 +170,7 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, - const OSSL_PARAM params[]) +@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx) + static void kdf_tls1_prf_free(void *vctx) { TLS1_PRF *ctx = (TLS1_PRF *)vctx; + OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); - if (!ossl_prov_is_running() || !kdf_tls1_prf_set_ctx_params(ctx, params)) - return 0; -@@ -181,6 +192,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, - ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; - #endif /* defined(FIPS_MODULE) */ + if (ctx != NULL) { + kdf_tls1_prf_reset(ctx); +@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + } + } + /* + * The seed buffer is prepended with a label. @@ -298,136 +144,49 @@ index 8a3807308408..2c2dbf31cc0b 100644 return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, ctx->sec, ctx->seclen, ctx->seed, ctx->seedlen, -diff --git a/test/sslapitest.c b/test/sslapitest.c -index 3a8242d2d8c8..b0fbb504689e 100644 ---- a/test/sslapitest.c -+++ b/test/sslapitest.c -@@ -99,6 +99,7 @@ static char *tmpfilename = NULL; - static char *dhfile = NULL; +diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c +index 5146cedb96..086db98c33 100644 +--- a/ssl/ssl_conf.c ++++ b/ssl/ssl_conf.c +@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) + SSL_FLAG_TBL("ClientRenegotiation", + SSL_OP_ALLOW_CLIENT_RENEGOTIATION), + SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), ++ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS), + SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), + SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), + SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), +diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c +index 00b1ee531e..22cdabb308 100644 +--- a/ssl/statem/extensions_srvr.c ++++ b/ssl/statem/extensions_srvr.c +@@ -11,6 +11,7 @@ + #include "../ssl_local.h" + #include "statem_local.h" + #include "internal/cryptlib.h" ++#include - static int is_fips = 0; -+static int fips_ems_check = 0; + #define COOKIE_STATE_FORMAT_VERSION 1 - #define LOG_BUFFER_SIZE 2048 - static char server_log_buffer[LOG_BUFFER_SIZE + 1] = {0}; -@@ -796,7 +797,7 @@ static int test_no_ems(void) +@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, + unsigned int context, + X509 *x, size_t chainidx) { - SSL_CTX *cctx = NULL, *sctx = NULL; - SSL *clientssl = NULL, *serverssl = NULL; -- int testresult = 0; -+ int testresult = 0, status; - - if (!create_ssl_ctx_pair(libctx, TLS_server_method(), TLS_client_method(), - TLS1_VERSION, TLS1_2_VERSION, -@@ -812,19 +813,25 @@ static int test_no_ems(void) - goto end; - } - -- if (!create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE)) { -- printf("Creating SSL connection failed\n"); -- goto end; -- } -- -- if (SSL_get_extms_support(serverssl)) { -- printf("Server reports Extended Master Secret support\n"); -- goto end; -- } -- -- if (SSL_get_extms_support(clientssl)) { -- printf("Client reports Extended Master Secret support\n"); -- goto end; -+ status = create_ssl_connection(serverssl, clientssl, SSL_ERROR_NONE); -+ if (fips_ems_check) { -+ if (status == 1) { -+ printf("When FIPS uses the EMS check a connection that doesnt use EMS should fail\n"); -+ goto end; -+ } -+ } else { -+ if (!status) { -+ printf("Creating SSL connection failed\n"); -+ goto end; -+ } -+ if (SSL_get_extms_support(serverssl)) { -+ printf("Server reports Extended Master Secret support\n"); -+ goto end; -+ } -+ if (SSL_get_extms_support(clientssl)) { -+ printf("Client reports Extended Master Secret support\n"); -+ goto end; -+ } - } - testresult = 1; - -@@ -10740,9 +10747,24 @@ int setup_tests(void) - && !TEST_false(OSSL_PROVIDER_available(libctx, "default"))) - return 0; - -- if (strcmp(modulename, "fips") == 0) -+ if (strcmp(modulename, "fips") == 0) { -+ OSSL_PROVIDER *prov = NULL; -+ OSSL_PARAM params[2]; -+ - is_fips = 1; - -+ prov = OSSL_PROVIDER_load(libctx, "fips"); -+ if (prov != NULL) { -+ /* Query the fips provider to check if the check ems option is enabled */ -+ params[0] = -+ OSSL_PARAM_construct_int(OSSL_PROV_PARAM_TLS1_PRF_EMS_CHECK, -+ &fips_ems_check); -+ params[1] = OSSL_PARAM_construct_end(); -+ OSSL_PROVIDER_get_params(prov, params); -+ OSSL_PROVIDER_unload(prov); +- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) ++ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) { ++ if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) { ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); ++ return EXT_RETURN_FAIL; + } + return EXT_RETURN_NOT_SENT; + } -+ - /* - * We add, but don't load the test "tls-provider". We'll load it when we - * need it. -@@ -10816,6 +10838,12 @@ int setup_tests(void) - if (privkey8192 == NULL) - goto err; -+ if (fips_ems_check) { -+#ifndef OPENSSL_NO_TLS1_2 -+ ADD_TEST(test_no_ems); -+#endif -+ return 1; -+ } - #if !defined(OPENSSL_NO_KTLS) && !defined(OPENSSL_NO_SOCK) - # if !defined(OPENSSL_NO_TLS1_2) || !defined(OSSL_NO_USABLE_TLS1_3) - ADD_ALL_TESTS(test_ktls, NUM_KTLS_TEST_CIPHERS * 4); -diff -up openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt ---- openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt.xxx 2023-04-17 13:04:21.078501747 +0200 -+++ openssl-3.0.7/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt 2023-04-17 13:11:03.189059638 +0200 -@@ -13,6 +13,7 @@ - - Title = TLS12 PRF tests (from NIST test vectors) - -+Availablein = default - KDF = TLS1-PRF - Ctrl.digest = digest:SHA256 - Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc -@@ -21,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3 - Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce - Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf - -+Availablein = fips -+KDF = TLS1-PRF -+Ctrl.digest = digest:SHA256 -+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc -+Ctrl.label = seed:master secret -+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c -+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce -+Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf -+Result = KDF_DERIVE_ERROR -+ - KDF = TLS1-PRF - Ctrl.digest = digest:SHA256 - Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf -diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c ---- openssl-3.0.7/ssl/t1_enc.c.noems 2023-05-05 11:15:57.934415272 +0200 -+++ openssl-3.0.7/ssl/t1_enc.c 2023-05-05 11:39:03.578163778 +0200 + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) + || !WPACKET_put_bytes_u16(pkt, 0)) { +diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c +index 91238e6457..e8ad8ecd9e 100644 +--- a/ssl/t1_enc.c ++++ b/ssl/t1_enc.c @@ -20,6 +20,7 @@ #include #include @@ -435,7 +194,7 @@ diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c +#include /* seed1 through seed5 are concatenated */ - static int tls1_PRF(SSL *s, + static int tls1_PRF(SSL_CONNECTION *s, @@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s, } @@ -453,87 +212,40 @@ diff -up openssl-3.0.7/ssl/t1_enc.c.noems openssl-3.0.7/ssl/t1_enc.c else ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); EVP_KDF_CTX_free(kctx); -diff -up openssl-3.0.7/ssl/statem/extensions_srvr.c.noems openssl-3.0.7/ssl/statem/extensions_srvr.c ---- openssl-3.0.7/ssl/statem/extensions_srvr.c.noems 2023-05-05 17:14:04.663800271 +0200 -+++ openssl-3.0.7/ssl/statem/extensions_srvr.c 2023-05-05 17:20:33.764599507 +0200 -@@ -11,6 +11,7 @@ - #include "../ssl_local.h" - #include "statem_local.h" - #include "internal/cryptlib.h" -+#include +diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +index 44040ff66b..deb6bf3fcb 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c + Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce + Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf - #define COOKIE_STATE_FORMAT_VERSION 1 - -@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s - EXT_RETURN tls_construct_stoc_ems(SSL *s, WPACKET *pkt, unsigned int context, - X509 *x, size_t chainidx) - { -- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) -+ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) { -+ if (FIPS_mode() && !(SSL_get_options(s) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) { -+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); -+ return EXT_RETURN_FAIL; -+ } - return EXT_RETURN_NOT_SENT; -+ } - - if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) - || !WPACKET_put_bytes_u16(pkt, 0)) { -diff -up openssl-3.0.7/include/openssl/ssl.h.in.fipsems openssl-3.0.7/include/openssl/ssl.h.in ---- openssl-3.0.7/include/openssl/ssl.h.in.fipsems 2023-07-11 12:35:27.951610366 +0200 -+++ openssl-3.0.7/include/openssl/ssl.h.in 2023-07-11 12:36:25.234754680 +0200 -@@ -412,6 +412,7 @@ typedef int (*SSL_async_callback_fn)(SSL - * interoperability with CryptoPro CSP 3.x - */ - # define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) -+# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48) - - /* - * Option "collections." -diff -up openssl-3.0.7/ssl/ssl_conf.c.fipsems openssl-3.0.7/ssl/ssl_conf.c ---- openssl-3.0.7/ssl/ssl_conf.c.fipsems 2023-07-11 12:36:51.465278672 +0200 -+++ openssl-3.0.7/ssl/ssl_conf.c 2023-07-11 12:44:53.365675720 +0200 -@@ -387,6 +387,7 @@ static const ssl_conf_cmd_tbl ssl_conf_c - SSL_FLAG_TBL("ClientRenegotiation", - SSL_OP_ALLOW_CLIENT_RENEGOTIATION), - SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), -+ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_RH_PERMIT_NOEMS_FIPS), - SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), - SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), - SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), -diff -up openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod ---- openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod.fipsems 2023-07-12 13:54:22.508235187 +0200 -+++ openssl-3.0.7/doc/man3/SSL_CONF_cmd.pod 2023-07-12 13:56:51.089613902 +0200 -@@ -524,6 +524,9 @@ B: use extended ma - default. Inverse of B: that is, - B<-ExtendedMasterSecret> is the same as setting B. - -+B: allow establishing connections without EMS in FIPS mode. -+This is a RedHat-based OS specific option, and normally it should be set up via crypto policies. ++Availablein = fips ++KDF = TLS1-PRF ++Ctrl.digest = digest:SHA256 ++Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc ++Ctrl.label = seed:master secret ++Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c ++Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce ++Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf ++Result = KDF_DERIVE_ERROR + - B: use CA names extension, enabled by - default. Inverse of B: that is, - B<-CANames> is the same as setting B. -diff -up openssl-3.0.7/doc/man5/fips_config.pod.fipsems openssl-3.0.7/doc/man5/fips_config.pod ---- openssl-3.0.7/doc/man5/fips_config.pod.fipsems 2023-07-12 15:39:57.732206731 +0200 -+++ openssl-3.0.7/doc/man5/fips_config.pod 2023-07-12 15:53:45.722885419 +0200 -@@ -11,6 +11,19 @@ automatically loaded when the system is - environment variable B is set. See the documentation - for more information. + FIPSversion = <=3.1.0 + KDF = TLS1-PRF + Ctrl.digest = digest:SHA256 +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 169e3c7466..e67b5bb44c 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void) + STACK_OF(X509) *server_chain; + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; +- int testresult = 0; ++ int testresult = 0, status; -+Red Hat Enterprise Linux uses a supplementary config for FIPS module located in -+OpenSSL configuration directory and managed by crypto policies. If present, it -+should have format -+ -+ [fips_sect] -+ tls1-prf-ems-check = 0 -+ activate = 1 -+ -+The B option specifies whether FIPS module will require the -+presence of extended master secret or not. -+ -+The B option enforces FIPS provider activation. -+ - =head1 COPYRIGHT - - Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, +-- +2.41.0 + diff --git a/SOURCES/0115-CVE-2023-0464.patch b/SOURCES/0115-CVE-2023-0464.patch deleted file mode 100644 index 97f3b6d..0000000 --- a/SOURCES/0115-CVE-2023-0464.patch +++ /dev/null @@ -1,195 +0,0 @@ -diff --git a/crypto/x509/pcy_local.h b/crypto/x509/pcy_local.h -index 18b53cc09e..cba107ca03 100644 ---- a/crypto/x509/pcy_local.h -+++ b/crypto/x509/pcy_local.h -@@ -111,6 +111,11 @@ struct X509_POLICY_LEVEL_st { - }; - - struct X509_POLICY_TREE_st { -+ /* The number of nodes in the tree */ -+ size_t node_count; -+ /* The maximum number of nodes in the tree */ -+ size_t node_maximum; -+ - /* This is the tree 'level' data */ - X509_POLICY_LEVEL *levels; - int nlevel; -@@ -157,7 +162,8 @@ X509_POLICY_NODE *ossl_policy_tree_find_sk(STACK_OF(X509_POLICY_NODE) *sk, - X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree); -+ X509_POLICY_TREE *tree, -+ int extra_data); - void ossl_policy_node_free(X509_POLICY_NODE *node); - int ossl_policy_node_match(const X509_POLICY_LEVEL *lvl, - const X509_POLICY_NODE *node, const ASN1_OBJECT *oid); -diff --git a/crypto/x509/pcy_node.c b/crypto/x509/pcy_node.c -index 9d9a7ea179..450f95a655 100644 ---- a/crypto/x509/pcy_node.c -+++ b/crypto/x509/pcy_node.c -@@ -59,10 +59,15 @@ X509_POLICY_NODE *ossl_policy_level_find_node(const X509_POLICY_LEVEL *level, - X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - X509_POLICY_DATA *data, - X509_POLICY_NODE *parent, -- X509_POLICY_TREE *tree) -+ X509_POLICY_TREE *tree, -+ int extra_data) - { - X509_POLICY_NODE *node; - -+ /* Verify that the tree isn't too large. This mitigates CVE-2023-0464 */ -+ if (tree->node_maximum > 0 && tree->node_count >= tree->node_maximum) -+ return NULL; -+ - node = OPENSSL_zalloc(sizeof(*node)); - if (node == NULL) { - ERR_raise(ERR_LIB_X509V3, ERR_R_MALLOC_FAILURE); -@@ -70,7 +75,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - } - node->data = data; - node->parent = parent; -- if (level) { -+ if (level != NULL) { - if (OBJ_obj2nid(data->valid_policy) == NID_any_policy) { - if (level->anyPolicy) - goto node_error; -@@ -90,7 +95,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - } - } - -- if (tree) { -+ if (extra_data) { - if (tree->extra_data == NULL) - tree->extra_data = sk_X509_POLICY_DATA_new_null(); - if (tree->extra_data == NULL){ -@@ -103,6 +108,7 @@ X509_POLICY_NODE *ossl_policy_level_add_node(X509_POLICY_LEVEL *level, - } - } - -+ tree->node_count++; - if (parent) - parent->nchild++; - -diff --git a/crypto/x509/pcy_tree.c b/crypto/x509/pcy_tree.c -index fa45da5117..f953a05a41 100644 ---- a/crypto/x509/pcy_tree.c -+++ b/crypto/x509/pcy_tree.c -@@ -14,6 +14,17 @@ - - #include "pcy_local.h" - -+/* -+ * If the maximum number of nodes in the policy tree isn't defined, set it to -+ * a generous default of 1000 nodes. -+ * -+ * Defining this to be zero means unlimited policy tree growth which opens the -+ * door on CVE-2023-0464. -+ */ -+#ifndef OPENSSL_POLICY_TREE_NODES_MAX -+# define OPENSSL_POLICY_TREE_NODES_MAX 1000 -+#endif -+ - static void expected_print(BIO *channel, - X509_POLICY_LEVEL *lev, X509_POLICY_NODE *node, - int indent) -@@ -163,6 +174,9 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - return X509_PCY_TREE_INTERNAL; - } - -+ /* Limit the growth of the tree to mitigate CVE-2023-0464 */ -+ tree->node_maximum = OPENSSL_POLICY_TREE_NODES_MAX; -+ - /* - * http://tools.ietf.org/html/rfc5280#section-6.1.2, figure 3. - * -@@ -180,7 +194,7 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - if ((data = ossl_policy_data_new(NULL, - OBJ_nid2obj(NID_any_policy), 0)) == NULL) - goto bad_tree; -- if (ossl_policy_level_add_node(level, data, NULL, tree) == NULL) { -+ if (ossl_policy_level_add_node(level, data, NULL, tree, 1) == NULL) { - ossl_policy_data_free(data); - goto bad_tree; - } -@@ -239,7 +253,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs, - * Return value: 1 on success, 0 otherwise - */ - static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, -- X509_POLICY_DATA *data) -+ X509_POLICY_DATA *data, -+ X509_POLICY_TREE *tree) - { - X509_POLICY_LEVEL *last = curr - 1; - int i, matched = 0; -@@ -249,13 +264,13 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_NODE *node = sk_X509_POLICY_NODE_value(last->nodes, i); - - if (ossl_policy_node_match(last, node, data->valid_policy)) { -- if (ossl_policy_level_add_node(curr, data, node, NULL) == NULL) -+ if (ossl_policy_level_add_node(curr, data, node, tree, 0) == NULL) - return 0; - matched = 1; - } - } - if (!matched && last->anyPolicy) { -- if (ossl_policy_level_add_node(curr, data, last->anyPolicy, NULL) == NULL) -+ if (ossl_policy_level_add_node(curr, data, last->anyPolicy, tree, 0) == NULL) - return 0; - } - return 1; -@@ -268,7 +283,8 @@ static int tree_link_matching_nodes(X509_POLICY_LEVEL *curr, - * Return value: 1 on success, 0 otherwise. - */ - static int tree_link_nodes(X509_POLICY_LEVEL *curr, -- const X509_POLICY_CACHE *cache) -+ const X509_POLICY_CACHE *cache, -+ X509_POLICY_TREE *tree) - { - int i; - -@@ -276,7 +292,7 @@ static int tree_link_nodes(X509_POLICY_LEVEL *curr, - X509_POLICY_DATA *data = sk_X509_POLICY_DATA_value(cache->data, i); - - /* Look for matching nodes in previous level */ -- if (!tree_link_matching_nodes(curr, data)) -+ if (!tree_link_matching_nodes(curr, data, tree)) - return 0; - } - return 1; -@@ -307,7 +323,7 @@ static int tree_add_unmatched(X509_POLICY_LEVEL *curr, - /* Curr may not have anyPolicy */ - data->qualifier_set = cache->anyPolicy->qualifier_set; - data->flags |= POLICY_DATA_FLAG_SHARED_QUALIFIERS; -- if (ossl_policy_level_add_node(curr, data, node, tree) == NULL) { -+ if (ossl_policy_level_add_node(curr, data, node, tree, 1) == NULL) { - ossl_policy_data_free(data); - return 0; - } -@@ -370,7 +386,7 @@ static int tree_link_any(X509_POLICY_LEVEL *curr, - /* Finally add link to anyPolicy */ - if (last->anyPolicy && - ossl_policy_level_add_node(curr, cache->anyPolicy, -- last->anyPolicy, NULL) == NULL) -+ last->anyPolicy, tree, 0) == NULL) - return 0; - return 1; - } -@@ -553,7 +569,7 @@ static int tree_calculate_user_set(X509_POLICY_TREE *tree, - extra->flags = POLICY_DATA_FLAG_SHARED_QUALIFIERS - | POLICY_DATA_FLAG_EXTRA_NODE; - node = ossl_policy_level_add_node(NULL, extra, anyPolicy->parent, -- tree); -+ tree, 1); - } - if (!tree->user_policies) { - tree->user_policies = sk_X509_POLICY_NODE_new_null(); -@@ -580,7 +596,7 @@ static int tree_evaluate(X509_POLICY_TREE *tree) - - for (i = 1; i < tree->nlevel; i++, curr++) { - cache = ossl_policy_cache_set(curr->cert); -- if (!tree_link_nodes(curr, cache)) -+ if (!tree_link_nodes(curr, cache, tree)) - return X509_PCY_TREE_INTERNAL; - - if (!(curr->flags & X509_V_FLAG_INHIBIT_ANY) diff --git a/SOURCES/0115-skip-quic-pairwise.patch b/SOURCES/0115-skip-quic-pairwise.patch new file mode 100644 index 0000000..90f8cb8 --- /dev/null +++ b/SOURCES/0115-skip-quic-pairwise.patch @@ -0,0 +1,85 @@ +From ec8e4e25cc5e5c67313c5fd6af94fa248685c3d1 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Thu, 7 Mar 2024 17:37:09 +0100 +Subject: [PATCH 45/49] 0115-skip-quic-pairwise.patch + +Patch-name: 0115-skip-quic-pairwise.patch +Patch-id: 115 +Patch-status: | + # skip quic and pairwise tests temporarily +--- + test/quicapitest.c | 4 +++- + test/recipes/01-test_symbol_presence.t | 1 + + test/recipes/30-test_pairwise_fail.t | 10 ++++++++-- + 3 files changed, 12 insertions(+), 3 deletions(-) + +diff --git a/test/quicapitest.c b/test/quicapitest.c +index 41cf0fc7a8..0fb7492700 100644 +--- a/test/quicapitest.c ++++ b/test/quicapitest.c +@@ -2139,7 +2139,9 @@ int setup_tests(void) + ADD_TEST(test_cipher_find); + ADD_TEST(test_version); + #if defined(DO_SSL_TRACE_TEST) +- ADD_TEST(test_ssl_trace); ++ if (is_fips == 0) { ++ ADD_TEST(test_ssl_trace); ++ } + #endif + ADD_TEST(test_quic_forbidden_apis_ctx); + ADD_TEST(test_quic_forbidden_apis); +diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t +index c837d48fb4..6291c08c49 100644 +--- a/test/recipes/30-test_pairwise_fail.t ++++ b/test/recipes/30-test_pairwise_fail.t +@@ -9,7 +9,7 @@ + use strict; + use warnings; + +-use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file); ++use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file with); + use OpenSSL::Test::Utils; + + BEGIN { +@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config" + SKIP: { + skip "Skip RSA test because of no rsa in this build", 1 + if disabled("rsa"); ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "rsa"])), + "fips provider rsa keygen pairwise failure test"); ++ }); + } + + SKIP: { + skip "Skip EC test because of no ec in this build", 2 + if disabled("ec"); ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "ec"])), + "fips provider ec keygen pairwise failure test"); ++ }); + + skip "FIPS provider version is too old", 1 + if !$fips_exit; ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "eckat"])), + "fips provider ec keygen kat failure test"); ++ }); + } + + SKIP: { + skip "Skip DSA tests because of no dsa in this build", 2 +- if disabled("dsa"); ++ if 1; #if disabled("dsa"); + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])), + "fips provider dsa keygen pairwise failure test"); +-- +2.44.0 + diff --git a/SOURCES/0116-CVE-2023-0465.patch b/SOURCES/0116-CVE-2023-0465.patch deleted file mode 100644 index 3a9acb5..0000000 --- a/SOURCES/0116-CVE-2023-0465.patch +++ /dev/null @@ -1,179 +0,0 @@ -diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c -index 9384f1da9b..a0282c3ef1 100644 ---- a/crypto/x509/x509_vfy.c -+++ b/crypto/x509/x509_vfy.c -@@ -1654,15 +1654,23 @@ static int check_policy(X509_STORE_CTX *ctx) - goto memerr; - /* Invalid or inconsistent extensions */ - if (ret == X509_PCY_TREE_INVALID) { -- int i; -+ int i, cbcalled = 0; - - /* Locate certificates with bad extensions and notify callback. */ -- for (i = 1; i < sk_X509_num(ctx->chain); i++) { -+ for (i = 0; i < sk_X509_num(ctx->chain); i++) { - X509 *x = sk_X509_value(ctx->chain, i); - -+ if ((x->ex_flags & EXFLAG_INVALID_POLICY) != 0) -+ cbcalled = 1; - CB_FAIL_IF((x->ex_flags & EXFLAG_INVALID_POLICY) != 0, - ctx, x, i, X509_V_ERR_INVALID_POLICY_EXTENSION); - } -+ if (!cbcalled) { -+ /* Should not be able to get here */ -+ ERR_raise(ERR_LIB_X509, ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ /* The callback ignored the error so we return success */ - return 1; - } - if (ret == X509_PCY_TREE_FAILURE) { -diff --git a/test/certs/ca-pol-cert.pem b/test/certs/ca-pol-cert.pem -new file mode 100644 -index 0000000000..244af3292b ---- /dev/null -+++ b/test/certs/ca-pol-cert.pem -@@ -0,0 +1,19 @@ -+-----BEGIN CERTIFICATE----- -+MIIDFzCCAf+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290 -+IENBMCAXDTIzMDMwODEyMjMxNloYDzIxMjMwMzA5MTIyMzE2WjANMQswCQYDVQQD -+DAJDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJadpD0ASxxfxsvd -+j9IxsogVzMSGLFziaYuE9KejU9+R479RifvwfBANO62sNWJ19X//9G5UjwWmkiOz -+n1k50DkYsBBA3mJzik6wjt/c58lBIlSEgAgpvDU8ht8w3t20JP9+YqXAeugqFj/W -+l9rFQtsvaWSRywjXVlp5fxuEQelNnXcJEKhsKTNExsBUZebo4/J1BWpklWzA9P0l -+YW5INvDAAwcF1nzlEf0Y6Eot03IMNyg2MTE4hehxjdgCSci8GYnFirE/ojXqqpAc -+ZGh7r2dqWgZUD1Dh+bT2vjrUzj8eTH3GdzI+oljt29102JIUaqj3yzRYkah8FLF9 -+CLNNsUcCAwEAAaN7MHkwDwYDVR0TAQH/BAUwAwEB/zALBgNVHQ8EBAMCAQYwHQYD -+VR0OBBYEFLQRM/HX4l73U54gIhBPhga/H8leMB8GA1UdIwQYMBaAFI71Ja8em2uE -+PXyAmslTnE1y96NSMBkGA1UdIAQSMBAwDgYMKwYBBAGBgVy8+0cBMA0GCSqGSIb3 -+DQEBCwUAA4IBAQBbE+MO9mewWIUY2kt85yhl0oZtvVxbn9K2Hty59ItwJGRNfzx7 -+Ge7KgawkvNzMOXmj6qf8TpbJnf41ZLWdRyVZBVyIwrAKIVw1VxfGh8aEifHKN97H -+unZkBPcUkAhUJSiC1BOD/euaMYqOi8QwiI702Q6q1NBY1/UKnV/ZIBLecnqfj9vZ -+7T0wKxrwGYBztP4pNcxCmBoD9Dg+Dx3ZElo0WXyO4SOh/BgrsKJHKyhbuTpjrI/g -+DhcINRp6+lIzuFBtJ67+YXnAEspb3lKMk0YL/LXrCNF2scdmNfOPwHi+OKBqt69C -+9FJyWFEMxx2qm/ENE9sbOswgJRnKkaAqHBHx -+-----END CERTIFICATE----- -diff --git a/test/certs/ee-cert-policies-bad.pem b/test/certs/ee-cert-policies-bad.pem -new file mode 100644 -index 0000000000..0fcd6372b3 ---- /dev/null -+++ b/test/certs/ee-cert-policies-bad.pem -@@ -0,0 +1,20 @@ -+-----BEGIN CERTIFICATE----- -+MIIDTTCCAjWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg -+Fw0yMzAzMDgxMjIzMzJaGA8yMTIzMDMwOTEyMjMzMlowGTEXMBUGA1UEAwwOc2Vy -+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY -+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT -+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l -+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 -+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 -+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn -+iIQPYf55NB9KiR+3AgMBAAGjgakwgaYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H -+mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC -+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w -+bGUwKQYDVR0gBCIwIDAOBgwrBgEEAYGBXLz7RwEwDgYMKwYBBAGBgVy8+0cBMA0G -+CSqGSIb3DQEBCwUAA4IBAQArwtwNO++7kStcJeMg3ekz2D/m/8UEjTA1rknBjQiQ -+P0FK7tNeRqus9i8PxthNWk+biRayvDzaGIBV7igpDBPfXemDgmW9Adc4MKyiQDfs -+YfkHi3xJKvsK2fQmyCs2InVDaKpVAkNFcgAW8nSOhGliqIxLb0EOLoLNwaktou0N -+XQHmRzY8S7aIr8K9Qo9y/+MLar+PS4h8l6FkLLkTICiFzE4/wje5S3NckAnadRJa -+QpjwM2S6NuA+tYWuOcN//r7BSpW/AZKanYWPzHMrKlqCh+9o7sthPd72+hObG9kx -+wSGdzfStNK1I1zM5LiI08WtXCvR6AfLANTo2x1AYhSxF -+-----END CERTIFICATE----- -diff --git a/test/certs/ee-cert-policies.pem b/test/certs/ee-cert-policies.pem -new file mode 100644 -index 0000000000..2f06d7433f ---- /dev/null -+++ b/test/certs/ee-cert-policies.pem -@@ -0,0 +1,20 @@ -+-----BEGIN CERTIFICATE----- -+MIIDPTCCAiWgAwIBAgIBAjANBgkqhkiG9w0BAQsFADANMQswCQYDVQQDDAJDQTAg -+Fw0yMzAzMDgxMjIzMjNaGA8yMTIzMDMwOTEyMjMyM1owGTEXMBUGA1UEAwwOc2Vy -+dmVyLmV4YW1wbGUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCo/4lY -+YYWu3tssD9Vz++K3qBt6dWAr1H08c3a1rt6TL38kkG3JHPSKOM2fooAWVsu0LLuT -+5Rcf/w3GQ/4xNPgo2HXpo7uIgu+jcuJTYgVFTeAxl++qnRDSWA2eBp4yuxsIVl1l -+Dz9mjsI2oBH/wFk1/Ukc3RxCMwZ4rgQ4I+XndWfTlK1aqUAfrFkQ9QzBZK1KxMY1 -+U7OWaoIbFYvRmavknm+UqtKW5Vf7jJFkijwkFsbSGb6CYBM7YrDtPh2zyvlr3zG5 -+ep5LR2inKcc/SuIiJ7TvkGPX79ByST5brbkb1Ctvhmjd1XMSuEPJ3EEPoqNGT4tn -+iIQPYf55NB9KiR+3AgMBAAGjgZkwgZYwHQYDVR0OBBYEFOeb4iqtimw6y3ZR5Y4H -+mCKX4XOiMB8GA1UdIwQYMBaAFLQRM/HX4l73U54gIhBPhga/H8leMAkGA1UdEwQC -+MAAwEwYDVR0lBAwwCgYIKwYBBQUHAwEwGQYDVR0RBBIwEIIOc2VydmVyLmV4YW1w -+bGUwGQYDVR0gBBIwEDAOBgwrBgEEAYGBXLz7RwEwDQYJKoZIhvcNAQELBQADggEB -+AGbWslmAAdMX3+5ChcnFrX+NqDGoyhb3PTgWdtlQB5qtWdIt4rSxN50OcQxFTX0D -+QOBabSzR0DDKrgfBe4waL19WsdEvR9GyO4M7ASze/A3IEZue9C9k0n7Vq8zDaAZl -+CiR/Zqo9nAOuhKHMgmC/NjUlX7STv5pJVgc4SH8VEKmSRZDmNihaOalUtK5X8/Oa -+dawKxsZcaP5IKnOEPPKjtVNJxBu5CXywJHsO0GcoDEnEx1/NLdFoJ6WFw8NuTyDK -+NGLq2MHEdyKaigHQlptEs9bXyu9McJjzbx0uXj3BenRULASreccFej0L1RU6jDlk -+D3brBn24UISaFRZoB7jsjok= -+-----END CERTIFICATE----- -diff --git a/test/certs/mkcert.sh b/test/certs/mkcert.sh -index c3f7ac14b5..a57d9f38dc 100755 ---- a/test/certs/mkcert.sh -+++ b/test/certs/mkcert.sh -@@ -119,11 +119,12 @@ genca() { - local OPTIND=1 - local purpose= - -- while getopts p: o -+ while getopts p:c: o - do - case $o in - p) purpose="$OPTARG";; -- *) echo "Usage: $0 genca [-p EKU] cn keyname certname cakeyname cacertname" >&2 -+ c) certpol="$OPTARG";; -+ *) echo "Usage: $0 genca [-p EKU][-c policyoid] cn keyname certname cakeyname cacertname" >&2 - return 1;; - esac - done -@@ -146,6 +147,10 @@ genca() { - if [ -n "$NC" ]; then - exts=$(printf "%s\nnameConstraints = %s\n" "$exts" "$NC") - fi -+ if [ -n "$certpol" ]; then -+ exts=$(printf "%s\ncertificatePolicies = %s\n" "$exts" "$certpol") -+ fi -+ - csr=$(req "$key" "CN = $cn") || return 1 - echo "$csr" | - cert "$cert" "$exts" -CA "${cacert}.pem" -CAkey "${cakey}.pem" \ -diff --git a/test/certs/setup.sh b/test/certs/setup.sh -index 2240cd9df0..76ceadc7d8 100755 ---- a/test/certs/setup.sh -+++ b/test/certs/setup.sh -@@ -440,3 +440,9 @@ OPENSSL_SIGALG=ED448 OPENSSL_KEYALG=ed448 ./mkcert.sh genee ed448 \ - - # critical id-pkix-ocsp-no-check extension - ./mkcert.sh geneeextra server.example ee-key ee-cert-ocsp-nocheck ca-key ca-cert "1.3.6.1.5.5.7.48.1.5=critical,DER:05:00" -+ -+# certificatePolicies extension -+./mkcert.sh genca -c "1.3.6.1.4.1.16604.998855.1" "CA" ca-key ca-pol-cert root-key root-cert -+./mkcert.sh geneeextra server.example ee-key ee-cert-policies ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1" -+# We can create a cert with a duplicate policy oid - but its actually invalid! -+./mkcert.sh geneeextra server.example ee-key ee-cert-policies-bad ca-key ca-cert "certificatePolicies=1.3.6.1.4.1.16604.998855.1,1.3.6.1.4.1.16604.998855.1" -diff --git a/test/recipes/25-test_verify.t b/test/recipes/25-test_verify.t -index 2a4c36e86d..818c9ac50d 100644 ---- a/test/recipes/25-test_verify.t -+++ b/test/recipes/25-test_verify.t -@@ -29,7 +29,7 @@ sub verify { - run(app([@args])); - } - --plan tests => 163; -+plan tests => 165; - - # Canonical success - ok(verify("ee-cert", "sslserver", ["root-cert"], ["ca-cert"]), -@@ -516,3 +516,14 @@ SKIP: { - ok(run(app([ qw(openssl verify -trusted), $rsapluscert_file, $cert_file ])), - 'Mixed key + cert file test'); - } -+ -+# Certificate Policies -+ok(verify("ee-cert-policies", "", ["root-cert"], ["ca-pol-cert"], -+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", -+ "-explicit_policy"), -+ "Certificate policy"); -+ -+ok(!verify("ee-cert-policies-bad", "", ["root-cert"], ["ca-pol-cert"], -+ "-policy_check", "-policy", "1.3.6.1.4.1.16604.998855.1", -+ "-explicit_policy"), -+ "Bad certificate policy"); diff --git a/SOURCES/0116-version-aliasing.patch b/SOURCES/0116-version-aliasing.patch new file mode 100644 index 0000000..73f7981 --- /dev/null +++ b/SOURCES/0116-version-aliasing.patch @@ -0,0 +1,84 @@ +From a2673b5e2e95bcf54a1746bfd409cca688275e75 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:17 +0100 +Subject: [PATCH 46/49] 0116-version-aliasing.patch + +Patch-name: 0116-version-aliasing.patch +Patch-id: 116 +Patch-status: | + # Add version aliasing due to + # https://github.com/openssl/openssl/issues/23534 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + crypto/evp/digest.c | 7 ++++++- + crypto/evp/evp_enc.c | 7 ++++++- + test/recipes/01-test_symbol_presence.t | 1 + + util/libcrypto.num | 2 ++ + 4 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c +index 42331703da..3a280acc0e 100644 +--- a/crypto/evp/digest.c ++++ b/crypto/evp/digest.c +@@ -553,7 +553,12 @@ legacy: + return ret; + } + +-EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in) ++EVP_MD_CTX ++#if !defined(FIPS_MODULE) ++__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"), ++ symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0"))) ++#endif ++*EVP_MD_CTX_dup(const EVP_MD_CTX *in) + { + EVP_MD_CTX *out = EVP_MD_CTX_new(); + +diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c +index e9faf31057..5a29b8dbb7 100644 +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -1444,7 +1444,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) + #endif /* FIPS_MODULE */ + } + +-EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in) ++EVP_CIPHER_CTX ++#if !defined(FIPS_MODULE) ++__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"), ++ symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0"))) ++#endif ++*EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in) + { + EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new(); + +diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t +index 222b1886ae..7e2f65cccb 100644 +--- a/test/recipes/01-test_symbol_presence.t ++++ b/test/recipes/01-test_symbol_presence.t +@@ -185,6 +185,8 @@ foreach (sort keys %stlibname) { + } + } + my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols; ++@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates; ++@duplicates = grep {($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp") } @duplicates; + if (@duplicates) { + note "Duplicates:"; + note join('\n', @duplicates); +diff --git a/util/libcrypto.num b/util/libcrypto.num +index 8046454025..068e9904e2 100644 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -5435,7 +5435,9 @@ X509_PUBKEY_set0_public_key 5562 3_2_0 EXIST::FUNCTION: + OSSL_STACK_OF_X509_free 5563 3_2_0 EXIST::FUNCTION: + OSSL_trace_string 5564 3_2_0 EXIST::FUNCTION: + EVP_MD_CTX_dup 5565 3_2_0 EXIST::FUNCTION: ++EVP_MD_CTX_dup ? 3_1_0 EXIST::FUNCTION: + EVP_CIPHER_CTX_dup 5566 3_2_0 EXIST::FUNCTION: ++EVP_CIPHER_CTX_dup ? 3_1_0 EXIST::FUNCTION: + BN_signed_bin2bn 5567 3_2_0 EXIST::FUNCTION: + BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION: + BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION: +-- +2.44.0 + diff --git a/SOURCES/0117-CVE-2023-0466.patch b/SOURCES/0117-CVE-2023-0466.patch deleted file mode 100644 index ef06edf..0000000 --- a/SOURCES/0117-CVE-2023-0466.patch +++ /dev/null @@ -1,27 +0,0 @@ -diff --git a/doc/man3/X509_VERIFY_PARAM_set_flags.pod b/doc/man3/X509_VERIFY_PARAM_set_flags.pod -index 75a1677022..43c1900bca 100644 ---- a/doc/man3/X509_VERIFY_PARAM_set_flags.pod -+++ b/doc/man3/X509_VERIFY_PARAM_set_flags.pod -@@ -98,8 +98,9 @@ B. - X509_VERIFY_PARAM_set_time() sets the verification time in B to - B. Normally the current time is used. - --X509_VERIFY_PARAM_add0_policy() enables policy checking (it is disabled --by default) and adds B to the acceptable policy set. -+X509_VERIFY_PARAM_add0_policy() adds B to the acceptable policy set. -+Contrary to preexisting documentation of this function it does not enable -+policy checking. - - X509_VERIFY_PARAM_set1_policies() enables policy checking (it is disabled - by default) and sets the acceptable policy set to B. Any existing -@@ -400,6 +401,10 @@ The X509_VERIFY_PARAM_get_hostflags() function was added in OpenSSL 1.1.0i. - The X509_VERIFY_PARAM_get0_host(), X509_VERIFY_PARAM_get0_email(), - and X509_VERIFY_PARAM_get1_ip_asc() functions were added in OpenSSL 3.0. - -+The function X509_VERIFY_PARAM_add0_policy() was historically documented as -+enabling policy checking however the implementation has never done this. -+The documentation was changed to align with the implementation. -+ - =head1 COPYRIGHT - - Copyright 2009-2022 The OpenSSL Project Authors. All Rights Reserved. diff --git a/SOURCES/0117-ignore-unknown-sigalgorithms-groups.patch b/SOURCES/0117-ignore-unknown-sigalgorithms-groups.patch new file mode 100644 index 0000000..dd40e11 --- /dev/null +++ b/SOURCES/0117-ignore-unknown-sigalgorithms-groups.patch @@ -0,0 +1,318 @@ +From 242c746690dd1d0e500fa554c60536877d77776d Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 14 Dec 2023 17:08:56 +0100 +Subject: [PATCH 47/49] 0117-ignore-unknown-sigalgorithms-groups.patch + +Patch-name: 0117-ignore-unknown-sigalgorithms-groups.patch +Patch-id: 117 +Patch-status: | + # https://github.com/openssl/openssl/issues/23050 +--- + CHANGES.md | 13 +++++++ + doc/man3/SSL_CTX_set1_curves.pod | 6 ++- + doc/man3/SSL_CTX_set1_sigalgs.pod | 11 +++++- + ssl/t1_lib.c | 56 +++++++++++++++++++++------- + test/sslapitest.c | 61 +++++++++++++++++++++++++++++++ + 5 files changed, 132 insertions(+), 15 deletions(-) + +diff --git a/CHANGES.md b/CHANGES.md +index ca29762ac2..4e21d0ddf9 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -27,6 +27,19 @@ OpenSSL 3.2 + + ### Changes between 3.2.0 and 3.2.1 [30 Jan 2024] + ++ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms ++ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and ++ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are ++ ignored and the configuration will still be used. ++ ++ Similarly unknown entries that start with `?` character in a TLS ++ Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored ++ and the configuration will still be used. ++ ++ In both cases if the resulting list is empty, an error is returned. ++ ++ *Tomáš Mráz* ++ + * A file in PKCS12 format can contain certificates and keys and may come from + an untrusted source. The PKCS12 specification allows certain fields to be + NULL, but OpenSSL did not correctly check for this case. A fix has been +diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod +index c26ef00306..f0566e148e 100644 +--- a/doc/man3/SSL_CTX_set1_curves.pod ++++ b/doc/man3/SSL_CTX_set1_curves.pod +@@ -58,7 +58,8 @@ string B. The string is a colon separated list of group names, for example + are B, B, B, B, B, B, + B, B, B, B, + B, B and B. Support for other groups may be +-added by external providers. ++added by external providers. If a group name is preceded with the C ++character, it will be ignored if an implementation is missing. + + SSL_set1_groups() and SSL_set1_groups_list() are similar except they set + supported groups for the SSL structure B. +@@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group + functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function + was added in OpenSSL 3.0.0. + ++Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and ++SSL_set1_groups_list() was added in OpenSSL 3.3. ++ + =head1 COPYRIGHT + + Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. +diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod +index eb31006346..5b7de7d956 100644 +--- a/doc/man3/SSL_CTX_set1_sigalgs.pod ++++ b/doc/man3/SSL_CTX_set1_sigalgs.pod +@@ -33,7 +33,9 @@ signature algorithms for B or B. The B parameter + must be a null terminated string consisting of a colon separated list of + elements, where each element is either a combination of a public key + algorithm and a digest separated by B<+>, or a TLS 1.3-style named +-SignatureScheme such as rsa_pss_pss_sha256. ++SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded ++with the C character, it will be ignored if an implementation is missing. ++ + + SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(), + SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set +@@ -106,6 +108,13 @@ using a string: + L, L, + L + ++=head1 HISTORY ++ ++Support for ignoring unknown signature algorithms in ++SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(), ++SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() ++was added in OpenSSL 3.3. ++ + =head1 COPYRIGHT + + Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. +diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index 056aae3863..fe680449c5 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -1052,9 +1052,15 @@ static int gid_cb(const char *elem, int len, void *arg) + size_t i; + uint16_t gid = 0; + char etmp[GROUP_NAME_BUFFER_LENGTH]; ++ int ignore_unknown = 0; + + if (elem == NULL) + return 0; ++ if (elem[0] == '?') { ++ ignore_unknown = 1; ++ ++elem; ++ --len; ++ } + if (garg->gidcnt == garg->gidmax) { + uint16_t *tmp = + OPENSSL_realloc(garg->gid_arr, +@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg) + + gid = tls1_group_name2id(garg->ctx, etmp); + if (gid == 0) { +- ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, +- "group '%s' cannot be set", etmp); +- return 0; ++ /* Unknown group - ignore, if ignore_unknown */ ++ return ignore_unknown; + } + for (i = 0; i < garg->gidcnt; i++) +- if (garg->gid_arr[i] == gid) +- return 0; ++ if (garg->gid_arr[i] == gid) { ++ /* Duplicate group - ignore */ ++ return 1; ++ } + garg->gid_arr[garg->gidcnt++] = gid; + return 1; + } +@@ -1097,6 +1104,11 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, + gcb.ctx = ctx; + if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb)) + goto end; ++ if (gcb.gidcnt == 0) { ++ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, ++ "No valid groups in '%s'", str); ++ goto end; ++ } + if (pext == NULL) { + ret = 1; + goto end; +@@ -2905,8 +2917,15 @@ static int sig_cb(const char *elem, int len, void *arg) + const SIGALG_LOOKUP *s; + char etmp[TLS_MAX_SIGSTRING_LEN], *p; + int sig_alg = NID_undef, hash_alg = NID_undef; ++ int ignore_unknown = 0; ++ + if (elem == NULL) + return 0; ++ if (elem[0] == '?') { ++ ignore_unknown = 1; ++ ++elem; ++ --len; ++ } + if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT) + return 0; + if (len > (int)(sizeof(etmp) - 1)) +@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg) + break; + } + } +- if (i == OSSL_NELEM(sigalg_lookup_tbl)) +- return 0; ++ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { ++ /* Ignore unknown algorithms if ignore_unknown */ ++ return ignore_unknown; ++ } + } + } else { + *p = 0; +@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg) + return 0; + get_sigorhash(&sig_alg, &hash_alg, etmp); + get_sigorhash(&sig_alg, &hash_alg, p); +- if (sig_alg == NID_undef || hash_alg == NID_undef) +- return 0; ++ if (sig_alg == NID_undef || hash_alg == NID_undef) { ++ /* Ignore unknown algorithms if ignore_unknown */ ++ return ignore_unknown; ++ } + for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); + i++, s++) { + if (s->hash == hash_alg && s->sig == sig_alg) { +@@ -2949,15 +2972,17 @@ static int sig_cb(const char *elem, int len, void *arg) + break; + } + } +- if (i == OSSL_NELEM(sigalg_lookup_tbl)) +- return 0; ++ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { ++ /* Ignore unknown algorithms if ignore_unknown */ ++ return ignore_unknown; ++ } + } + +- /* Reject duplicates */ ++ /* Ignore duplicates */ + for (i = 0; i < sarg->sigalgcnt - 1; i++) { + if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) { + sarg->sigalgcnt--; +- return 0; ++ return 1; + } + } + return 1; +@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client) + } + if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) + return 0; ++ if (sig.sigalgcnt == 0) { ++ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, ++ "No valid signature algorithms in '%s'", str); ++ return 0; ++ } + if (c == NULL) + return 1; + return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 1c14f93ed1..184a0f1055 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -39,6 +39,7 @@ + #include "testutil.h" + #include "testutil/output.h" + #include "internal/nelem.h" ++#include "internal/tlsgroups.h" + #include "internal/ktls.h" + #include "../ssl/ssl_local.h" + #include "../ssl/record/methods/recmethod_local.h" +@@ -3147,6 +3148,7 @@ static const sigalgs_list testsigalgs[] = { + {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0}, + # endif + {NULL, 0, "RSA+SHA256", 1, 1}, ++ {NULL, 0, "RSA+SHA256:?Invalid", 1, 1}, + # ifndef OPENSSL_NO_EC + {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1}, + {NULL, 0, "ECDSA+SHA512", 1, 0}, +@@ -9276,6 +9278,64 @@ static int test_servername(int tst) + return testresult; + } + ++static int test_unknown_sigalgs_groups(void) ++{ ++ int ret = 0; ++ SSL_CTX *ctx = NULL; ++ ++ if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) ++ goto end; ++ ++ if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx, ++ "RSA+SHA256:?nonexistent:?RSA+SHA512"), ++ 0)) ++ goto end; ++ if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2) ++ || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256) ++ || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512)) ++ goto end; ++ ++ if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx, ++ "RSA+SHA256:?nonexistent:?RSA+SHA512"), ++ 0)) ++ goto end; ++ if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2) ++ || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256) ++ || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512)) ++ goto end; ++ ++ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, ++ "nonexistent"), ++ 0)) ++ goto end; ++ ++ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, ++ "?nonexistent1:?nonexistent2:?nonexistent3"), ++ 0)) ++ goto end; ++ ++#ifndef OPENSSL_NO_EC ++ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, ++ "P-256:nonexistent"), ++ 0)) ++ goto end; ++ ++ if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, ++ "P-384:?nonexistent:?P-521"), ++ 0)) ++ goto end; ++ if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2) ++ || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1) ++ || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1)) ++ goto end; ++#endif ++ ++ ret = 1; ++ end: ++ SSL_CTX_free(ctx); ++ return ret; ++} ++ + #if !defined(OPENSSL_NO_EC) \ + && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) + /* +@@ -11519,6 +11579,7 @@ int setup_tests(void) + ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data)); + #endif + ADD_ALL_TESTS(test_servername, 10); ++ ADD_TEST(test_unknown_sigalgs_groups); + #if !defined(OPENSSL_NO_EC) \ + && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) + ADD_ALL_TESTS(test_sigalgs_available, 6); +-- +2.44.0 + diff --git a/SOURCES/0118-CVE-2023-1255.patch b/SOURCES/0118-CVE-2023-1255.patch deleted file mode 100644 index 91efb20..0000000 --- a/SOURCES/0118-CVE-2023-1255.patch +++ /dev/null @@ -1,20 +0,0 @@ ---- a/crypto/aes/asm/aesv8-armx.pl -+++ b/crypto/aes/asm/aesv8-armx.pl -@@ -3353,7 +3353,7 @@ $code.=<<___ if ($flavour =~ /64/); - .align 4 - .Lxts_dec_tail4x: - add $inp,$inp,#16 -- vld1.32 {$dat0},[$inp],#16 -+ tst $tailcnt,#0xf - veor $tmp1,$dat1,$tmp0 - vst1.8 {$tmp1},[$out],#16 - veor $tmp2,$dat2,$tmp2 -@@ -3362,6 +3362,8 @@ $code.=<<___ if ($flavour =~ /64/); - veor $tmp4,$dat4,$tmp4 - vst1.8 {$tmp3-$tmp4},[$out],#32 - -+ b.eq .Lxts_dec_abort -+ vld1.32 {$dat0},[$inp],#16 - b .Lxts_done - .align 4 - .Lxts_outer_dec_tail: diff --git a/SOURCES/0120-RSA-PKCS15-implicit-rejection.patch b/SOURCES/0120-RSA-PKCS15-implicit-rejection.patch deleted file mode 100644 index 3cb36bb..0000000 --- a/SOURCES/0120-RSA-PKCS15-implicit-rejection.patch +++ /dev/null @@ -1,1354 +0,0 @@ -diff --git a/crypto/cms/cms_env.c b/crypto/cms/cms_env.c -index d25504a03f7..c55511011f6 100644 ---- a/crypto/cms/cms_env.c -+++ b/crypto/cms/cms_env.c -@@ -608,6 +608,13 @@ static int cms_RecipientInfo_ktri_decrypt(CMS_ContentInfo *cms, - if (!ossl_cms_env_asn1_ctrl(ri, 1)) - goto err; - -+ if (EVP_PKEY_is_a(pkey, "RSA")) -+ /* upper layer CMS code incorrectly assumes that a successful RSA -+ * decryption means that the key matches ciphertext (which never -+ * was the case, implicit rejection or not), so to make it work -+ * disable implicit rejection for RSA keys */ -+ EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0"); -+ - if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, - ktri->encryptedKey->data, - ktri->encryptedKey->length) <= 0) -diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c -index 56ed5ea6d68..f64c1fcb2ac 100644 ---- a/crypto/evp/ctrl_params_translate.c -+++ b/crypto/evp/ctrl_params_translate.c -@@ -2201,6 +2201,12 @@ static const struct translation_st evp_pkey_ctx_translations[] = { - EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL, - OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_STRING, NULL }, - -+ { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, -+ EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL, -+ "rsa_pkcs1_implicit_rejection", -+ OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, OSSL_PARAM_UNSIGNED_INTEGER, -+ NULL }, -+ - { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN, - EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL, - OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, -diff --git a/crypto/pkcs7/pk7_doit.c b/crypto/pkcs7/pk7_doit.c -index 31b368bda3b..8a46ab471df 100644 ---- a/crypto/pkcs7/pk7_doit.c -+++ b/crypto/pkcs7/pk7_doit.c -@@ -163,6 +163,13 @@ static int pkcs7_decrypt_rinfo(unsigned char **pek, int *peklen, - if (EVP_PKEY_decrypt_init(pctx) <= 0) - goto err; - -+ if (EVP_PKEY_is_a(pkey, "RSA")) -+ /* upper layer pkcs7 code incorrectly assumes that a successful RSA -+ * decryption means that the key matches ciphertext (which never -+ * was the case, implicit rejection or not), so to make it work -+ * disable implicit rejection for RSA keys */ -+ EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); -+ - if (EVP_PKEY_decrypt(pctx, NULL, &eklen, - ri->enc_key->data, ri->enc_key->length) <= 0) - goto err; -diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c -index 54e2a1c61ca..094a6632b66 100644 ---- a/crypto/rsa/rsa_ossl.c -+++ b/crypto/rsa/rsa_ossl.c -@@ -17,6 +17,9 @@ - #include "crypto/bn.h" - #include "rsa_local.h" - #include "internal/constant_time.h" -+#include -+#include -+#include - - static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding); -@@ -372,8 +375,13 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BIGNUM *f, *ret; - int j, num = 0, r = -1; - unsigned char *buf = NULL; -+ unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0}; -+ HMAC_CTX *hmac = NULL; -+ unsigned int md_len = SHA256_DIGEST_LENGTH; -+ unsigned char kdk[SHA256_DIGEST_LENGTH] = {0}; - BN_CTX *ctx = NULL; - int local_blinding = 0; -+ EVP_MD *md = NULL; - /* - * Used only if the blinding structure is shared. A non-NULL unblind - * instructs rsa_blinding_convert() and rsa_blinding_invert() to store -@@ -382,6 +390,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BIGNUM *unblind = NULL; - BN_BLINDING *blinding = NULL; - -+ /* -+ * we need the value of the private exponent to perform implicit rejection -+ */ -+ if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING)) -+ padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; -+ - if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) - goto err; - BN_CTX_start(ctx); -@@ -405,6 +419,11 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - goto err; - } - -+ if (flen < 1) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL); -+ goto err; -+ } -+ - /* make data into a big number */ - if (BN_bin2bn(from, (int)flen, f) == NULL) - goto err; -@@ -471,6 +490,81 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BN_free(d); - } - -+ /* -+ * derive the Key Derivation Key from private exponent and public -+ * ciphertext -+ */ -+ if (padding == RSA_PKCS1_PADDING) { -+ /* -+ * because we use d as a handle to rsa->d we need to keep it local and -+ * free before any further use of rsa->d -+ */ -+ BIGNUM *d = BN_new(); -+ if (d == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); -+ goto err; -+ } -+ if (rsa->d == NULL) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY); -+ BN_free(d); -+ goto err; -+ } -+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); -+ if (BN_bn2binpad(d, buf, num) < 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ BN_free(d); -+ goto err; -+ } -+ BN_free(d); -+ -+ /* -+ * we use hardcoded hash so that migrating between versions that use -+ * different hash doesn't provide a Bleichenbacher oracle: -+ * if the attacker can see that different versions return different -+ * messages for the same ciphertext, they'll know that the message is -+ * syntethically generated, which means that the padding check failed -+ */ -+ md = EVP_MD_fetch(rsa->libctx, "sha256", NULL); -+ if (md == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ hmac = HMAC_CTX_new(); -+ if (hmac == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); -+ goto err; -+ } -+ -+ if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ if (flen < num) { -+ memset(buf, 0, num - flen); -+ if (HMAC_Update(hmac, buf, num - flen) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ } -+ if (HMAC_Update(hmac, from, flen) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ md_len = SHA256_DIGEST_LENGTH; -+ if (HMAC_Final(hmac, kdk, &md_len) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ } -+ - if (blinding) { - /* - * ossl_bn_rsa_do_unblind() combines blinding inversion and -@@ -471,9 +545,12 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - } - - switch (padding) { -- case RSA_PKCS1_PADDING: -+ case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING: - r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); - break; -+ case RSA_PKCS1_PADDING: -+ r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk); -+ break; - case RSA_PKCS1_OAEP_PADDING: - r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); - break; -@@ -500,6 +597,8 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - #endif - - err: -+ HMAC_CTX_free(hmac); -+ EVP_MD_free(md); - BN_CTX_end(ctx); - BN_CTX_free(ctx); - OPENSSL_clear_free(buf, num); -diff --git a/crypto/rsa/rsa_pk1.c b/crypto/rsa/rsa_pk1.c -index 5f72fe1735d..04fb0e4ed5e 100644 ---- a/crypto/rsa/rsa_pk1.c -+++ b/crypto/rsa/rsa_pk1.c -@@ -21,10 +21,14 @@ - #include - /* Just for the SSL_MAX_MASTER_KEY_LENGTH value */ - #include -+#include -+#include -+#include - #include "internal/cryptlib.h" - #include "crypto/rsa.h" - #include "rsa_local.h" - -+ - int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, - const unsigned char *from, int flen) - { -@@ -271,6 +275,254 @@ int RSA_padding_check_PKCS1_type_2(unsigned char *to, int tlen, - return constant_time_select_int(good, mlen, -1); - } - -+ -+static int ossl_rsa_prf(OSSL_LIB_CTX *ctx, -+ unsigned char *to, int tlen, -+ const char *label, int llen, -+ const unsigned char *kdk, -+ uint16_t bitlen) -+{ -+ int pos; -+ int ret = -1; -+ uint16_t iter = 0; -+ unsigned char be_iter[sizeof(iter)]; -+ unsigned char be_bitlen[sizeof(bitlen)]; -+ HMAC_CTX *hmac = NULL; -+ EVP_MD *md = NULL; -+ unsigned char hmac_out[SHA256_DIGEST_LENGTH]; -+ unsigned int md_len; -+ -+ if (tlen * 8 != bitlen) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ return ret; -+ } -+ -+ be_bitlen[0] = (bitlen >> 8) & 0xff; -+ be_bitlen[1] = bitlen & 0xff; -+ -+ hmac = HMAC_CTX_new(); -+ if (hmac == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ /* -+ * we use hardcoded hash so that migrating between versions that use -+ * different hash doesn't provide a Bleichenbacher oracle: -+ * if the attacker can see that different versions return different -+ * messages for the same ciphertext, they'll know that the message is -+ * syntethically generated, which means that the padding check failed -+ */ -+ md = EVP_MD_fetch(ctx, "sha256", NULL); -+ if (md == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ if (HMAC_Init_ex(hmac, kdk, SHA256_DIGEST_LENGTH, md, NULL) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ for (pos = 0; pos < tlen; pos += SHA256_DIGEST_LENGTH, iter++) { -+ if (HMAC_Init_ex(hmac, NULL, 0, NULL, NULL) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ be_iter[0] = (iter >> 8) & 0xff; -+ be_iter[1] = iter & 0xff; -+ -+ if (HMAC_Update(hmac, be_iter, sizeof(be_iter)) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ if (HMAC_Update(hmac, (unsigned char *)label, llen) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ if (HMAC_Update(hmac, be_bitlen, sizeof(be_bitlen)) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ -+ /* -+ * HMAC_Final requires the output buffer to fit the whole MAC -+ * value, so we need to use the intermediate buffer for the last -+ * unaligned block -+ */ -+ md_len = SHA256_DIGEST_LENGTH; -+ if (pos + SHA256_DIGEST_LENGTH > tlen) { -+ if (HMAC_Final(hmac, hmac_out, &md_len) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ memcpy(to + pos, hmac_out, tlen - pos); -+ } else { -+ if (HMAC_Final(hmac, to + pos, &md_len) <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ goto err; -+ } -+ } -+ } -+ -+ ret = 0; -+ -+err: -+ HMAC_CTX_free(hmac); -+ EVP_MD_free(md); -+ return ret; -+} -+ -+/* -+ * ossl_rsa_padding_check_PKCS1_type_2() checks and removes the PKCS#1 type 2 -+ * padding from a decrypted RSA message. Unlike the -+ * RSA_padding_check_PKCS1_type_2() it will not return an error in case it -+ * detects a padding error, rather it will return a deterministically generated -+ * random message. In other words it will perform an implicit rejection -+ * of an invalid padding. This means that the returned value does not indicate -+ * if the padding of the encrypted message was correct or not, making -+ * side channel attacks like the ones described by Bleichenbacher impossible -+ * without access to the full decrypted value and a brute-force search of -+ * remaining padding bytes -+ */ -+int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, -+ unsigned char *to, int tlen, -+ const unsigned char *from, int flen, -+ int num, unsigned char *kdk) -+{ -+/* -+ * We need to generate a random length for the synthethic message, to avoid -+ * bias towards zero and avoid non-constant timeness of DIV, we prepare -+ * 128 values to check if they are not too large for the used key size, -+ * and use 0 in case none of them are small enough, as 2^-128 is a good enough -+ * safety margin -+ */ -+#define MAX_LEN_GEN_TRIES 128 -+ unsigned char *synthetic = NULL; -+ int synthethic_length; -+ uint16_t len_candidate; -+ unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)]; -+ uint16_t len_mask; -+ uint16_t max_sep_offset; -+ int synth_msg_index = 0; -+ int ret = -1; -+ int i, j; -+ unsigned int good, found_zero_byte; -+ int zero_index = 0, msg_index; -+ -+ /* -+ * If these checks fail then either the message in publicly invalid, or -+ * we've been called incorrectly. We can fail immediately. -+ * Since this code is called only internally by openssl, those are just -+ * sanity checks -+ */ -+ if (num != flen || tlen <= 0 || flen <= 0) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ return -1; -+ } -+ -+ /* Generate a random message to return in case the padding checks fail */ -+ synthetic = OPENSSL_malloc(flen); -+ if (synthetic == NULL) { -+ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); -+ return -1; -+ } -+ -+ if (ossl_rsa_prf(ctx, synthetic, flen, "message", 7, kdk, flen * 8) < 0) -+ goto err; -+ -+ /* decide how long the random message should be */ -+ if (ossl_rsa_prf(ctx, candidate_lengths, sizeof(candidate_lengths), -+ "length", 6, kdk, -+ MAX_LEN_GEN_TRIES * sizeof(len_candidate) * 8) < 0) -+ goto err; -+ -+ /* -+ * max message size is the size of the modulus size less 2 bytes for -+ * version and padding type and a minimum of 8 bytes padding -+ */ -+ len_mask = max_sep_offset = flen - 2 - 8; -+ /* -+ * we want a mask so lets propagate the high bit to all positions less -+ * significant than it -+ */ -+ len_mask |= len_mask >> 1; -+ len_mask |= len_mask >> 2; -+ len_mask |= len_mask >> 4; -+ len_mask |= len_mask >> 8; -+ -+ synthethic_length = 0; -+ for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate); -+ i += sizeof(len_candidate)) { -+ len_candidate = (candidate_lengths[i] << 8) | candidate_lengths[i + 1]; -+ len_candidate &= len_mask; -+ -+ synthethic_length = constant_time_select_int( -+ constant_time_lt(len_candidate, max_sep_offset), -+ len_candidate, synthethic_length); -+ } -+ -+ synth_msg_index = flen - synthethic_length; -+ -+ /* we have alternative message ready, check the real one */ -+ good = constant_time_is_zero(from[0]); -+ good &= constant_time_eq(from[1], 2); -+ -+ /* then look for the padding|message separator (the first zero byte) */ -+ found_zero_byte = 0; -+ for (i = 2; i < flen; i++) { -+ unsigned int equals0 = constant_time_is_zero(from[i]); -+ zero_index = constant_time_select_int(~found_zero_byte & equals0, -+ i, zero_index); -+ found_zero_byte |= equals0; -+ } -+ -+ /* -+ * padding must be at least 8 bytes long, and it starts two bytes into -+ * |from|. If we never found a 0-byte, then |zero_index| is 0 and the check -+ * also fails. -+ */ -+ good &= constant_time_ge(zero_index, 2 + 8); -+ -+ /* -+ * Skip the zero byte. This is incorrect if we never found a zero-byte -+ * but in this case we also do not copy the message out. -+ */ -+ msg_index = zero_index + 1; -+ -+ /* -+ * old code returned an error in case the decrypted message wouldn't fit -+ * into the |to|, since that would leak information, return the synthethic -+ * message instead -+ */ -+ good &= constant_time_ge(tlen, num - msg_index); -+ -+ msg_index = constant_time_select_int(good, msg_index, synth_msg_index); -+ -+ /* -+ * since at this point the |msg_index| does not provide the signal -+ * indicating if the padding check failed or not, we don't have to worry -+ * about leaking the length of returned message, we still need to ensure -+ * that we read contents of both buffers so that cache accesses don't leak -+ * the value of |good| -+ */ -+ for (i = msg_index, j = 0; i < flen && j < tlen; i++, j++) -+ to[j] = constant_time_select_8(good, from[i], synthetic[i]); -+ ret = j; -+ -+err: -+ /* -+ * the only time ret < 0 is when the ciphertext is publicly invalid -+ * or we were called with invalid parameters, so we don't have to perform -+ * a side-channel secure raising of the error -+ */ -+ if (ret < 0) -+ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); -+ OPENSSL_free(synthetic); -+ return ret; -+} -+ - /* - * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2 - * padding from a decrypted RSA message in a TLS signature. The result is stored -diff --git a/crypto/rsa/rsa_pmeth.c b/crypto/rsa/rsa_pmeth.c -index 8b35e5c3c6d..c67b20baf56 100644 ---- a/crypto/rsa/rsa_pmeth.c -+++ b/crypto/rsa/rsa_pmeth.c -@@ -52,6 +52,8 @@ typedef struct { - /* OAEP label */ - unsigned char *oaep_label; - size_t oaep_labellen; -+ /* if to use implicit rejection in PKCS#1 v1.5 decryption */ -+ int implicit_rejection; - } RSA_PKEY_CTX; - - /* True if PSS parameters are restricted */ -@@ -72,6 +74,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *ctx) - /* Maximum for sign, auto for verify */ - rctx->saltlen = RSA_PSS_SALTLEN_AUTO; - rctx->min_saltlen = -1; -+ rctx->implicit_rejection = 1; - ctx->data = rctx; - ctx->keygen_info = rctx->gentmp; - ctx->keygen_info_count = 2; -@@ -97,6 +100,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *dst, const EVP_PKEY_CTX *src) - dctx->md = sctx->md; - dctx->mgf1md = sctx->mgf1md; - dctx->saltlen = sctx->saltlen; -+ dctx->implicit_rejection = sctx->implicit_rejection; - if (sctx->oaep_label) { - OPENSSL_free(dctx->oaep_label); - dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen); -@@ -345,6 +349,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, - const unsigned char *in, size_t inlen) - { - int ret; -+ int pad_mode; - RSA_PKEY_CTX *rctx = ctx->data; - /* - * Discard const. Its marked as const because this may be a cached copy of -@@ -365,7 +370,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX *ctx, - rctx->oaep_labellen, - rctx->md, rctx->mgf1md); - } else { -- ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode); -+ if (rctx->pad_mode == RSA_PKCS1_PADDING && -+ rctx->implicit_rejection == 0) -+ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; -+ else -+ pad_mode = rctx->pad_mode; -+ ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode); - } - *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); - ret = constant_time_select_int(constant_time_msb(ret), ret, 1); -@@ -585,6 +595,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) - *(unsigned char **)p2 = rctx->oaep_label; - return rctx->oaep_labellen; - -+ case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION: -+ if (rctx->pad_mode != RSA_PKCS1_PADDING) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE); -+ return -2; -+ } -+ rctx->implicit_rejection = p1; -+ return 1; -+ - case EVP_PKEY_CTRL_DIGESTINIT: - case EVP_PKEY_CTRL_PKCS7_SIGN: - #ifndef OPENSSL_NO_CMS -diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in -index b0054ead66f..dd878297987 100644 ---- a/doc/man1/openssl-pkeyutl.pod.in -+++ b/doc/man1/openssl-pkeyutl.pod.in -@@ -240,6 +240,11 @@ signed or verified directly instead of using a B structure. If a - digest is set then the a B structure is used and its the length - must correspond to the digest type. - -+Note, for B padding, as a protection against Bleichenbacher attack, -+the decryption will not fail in case of padding check failures. Use B -+and manual inspection of the decrypted message to verify if the decrypted -+value has correct PKCS#1 v1.5 padding. -+ - For B mode only encryption and decryption is supported. - - For B if the digest type is set it is used to format the block data -@@ -267,6 +272,16 @@ explicitly set in PSS mode then the signing digest is used. - Sets the digest used for the OAEP hash function. If not explicitly set then - SHA1 is used. - -+=item BI -+ -+Disables (when set to 0) or enables (when set to 1) the use of implicit -+rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a -+protection against Bleichenbacher attack, the library will generate a -+deterministic random plaintext that it will return to the caller in case -+of padding check failure. -+When disabled, it's the callers' responsibility to handle the returned -+errors in a side-channel free manner. -+ - =back - - =head1 RSA-PSS ALGORITHM -diff --git a/doc/man1/openssl-rsautl.pod.in b/doc/man1/openssl-rsautl.pod.in -index 186e49e5e49..eab34979de3 100644 ---- a/doc/man1/openssl-rsautl.pod.in -+++ b/doc/man1/openssl-rsautl.pod.in -@@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the default), PKCS#1 OAEP, - ANSI X9.31, or no padding, respectively. - For signatures, only B<-pkcs> and B<-raw> can be used. - -+Note: because of protection against Bleichenbacher attacks, decryption -+using PKCS#1 v1.5 mode will not return errors in case padding check failed. -+Use B<-raw> and inspect the returned value manually to check if the -+padding is correct. -+ - =item B<-hexdump> - - Hex dump the output data. -diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod -index 9b96f42dbc9..f7957e95f7f 100644 ---- a/doc/man3/EVP_PKEY_CTX_ctrl.pod -+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod -@@ -393,6 +393,15 @@ this behaviour should be tolerated then - OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual - negotiated protocol version. Otherwise it should be left unset. - -+Similarly to the B above, since OpenSSL version -+3.1.0, the use of B will return a randomly generated message -+instead of padding errors in case padding checks fail. Applications that -+want to remain secure while using earlier versions of OpenSSL, still need to -+handle both the error code from the RSA decryption operation and the -+returned message in a side channel secure manner. -+This protection against Bleichenbacher attacks can be disabled by setting -+the OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION (an unsigned integer) to 0. -+ - =head2 DSA parameters - - EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA -diff --git a/doc/man3/EVP_PKEY_decrypt.pod b/doc/man3/EVP_PKEY_decrypt.pod -index 0cd1a6548d0..462265c5a67 100644 ---- a/doc/man3/EVP_PKEY_decrypt.pod -+++ b/doc/man3/EVP_PKEY_decrypt.pod -@@ -51,6 +51,18 @@ return 1 for success and 0 or a negative value for failure. In particular a - return value of -2 indicates the operation is not supported by the public key - algorithm. - -+=head1 WARNINGS -+ -+In OpenSSL versions before 3.1.0, when used in PKCS#1 v1.5 padding, -+both the return value from the EVP_PKEY_decrypt() and the B provided -+information useful in mounting a Bleichenbacher attack against the -+used private key. They had to processed in a side-channel free way. -+ -+Since version 3.1.0, the EVP_PKEY_decrypt() method when used with PKCS#1 -+v1.5 padding doesn't return an error in case it detects an error in padding, -+instead it returns a pseudo-randomly generated message, removing the need -+of side-channel secure code from applications using OpenSSL. -+ - =head1 EXAMPLES - - Decrypt data using OAEP (for RSA keys): -diff --git a/doc/man3/RSA_padding_add_PKCS1_type_1.pod b/doc/man3/RSA_padding_add_PKCS1_type_1.pod -index 9f7025c4975..36ae18563f2 100644 ---- a/doc/man3/RSA_padding_add_PKCS1_type_1.pod -+++ b/doc/man3/RSA_padding_add_PKCS1_type_1.pod -@@ -121,8 +121,8 @@ L. - - =head1 WARNINGS - --The result of RSA_padding_check_PKCS1_type_2() is a very sensitive --information which can potentially be used to mount a Bleichenbacher -+The result of RSA_padding_check_PKCS1_type_2() is exactly the -+information which is used to mount a classical Bleichenbacher - padding oracle attack. This is an inherent weakness in the PKCS #1 - v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not - possible, the result of RSA_padding_check_PKCS1_type_2() should be -@@ -137,6 +137,9 @@ as this would create a small timing side channel which could be - used to mount a Bleichenbacher attack against any padding mode - including PKCS1_OAEP. - -+You should prefer the use of EVP PKEY APIs for PKCS#1 v1.5 decryption -+as they implement the necessary workarounds internally. -+ - =head1 SEE ALSO - - L, -diff --git a/doc/man3/RSA_public_encrypt.pod b/doc/man3/RSA_public_encrypt.pod -index 1d38073aead..bd3f835ac6d 100644 ---- a/doc/man3/RSA_public_encrypt.pod -+++ b/doc/man3/RSA_public_encrypt.pod -@@ -52,8 +52,8 @@ Encrypting user data directly with RSA is insecure. - - =back - --B must not be more than RSA_size(B) - 11 for the PKCS #1 v1.5 --based padding modes, not more than RSA_size(B) - 42 for -+When encrypting B must not be more than RSA_size(B) - 11 for the -+PKCS #1 v1.5 based padding modes, not more than RSA_size(B) - 42 for - RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B) for RSA_NO_PADDING. - When a padding mode other than RSA_NO_PADDING is in use, then - RSA_public_encrypt() will include some random bytes into the ciphertext -@@ -92,6 +92,13 @@ which can potentially be used to mount a Bleichenbacher padding oracle - attack. This is an inherent weakness in the PKCS #1 v1.5 padding - design. Prefer RSA_PKCS1_OAEP_PADDING. - -+In OpenSSL before version 3.1.0, both the return value and the length of -+returned value could be used to mount the Bleichenbacher attack. -+Since version 3.1.0, OpenSSL does not return an error in case of padding -+checks failed. Instead it generates a random message based on used private -+key and provided ciphertext so that application code doesn't have to implement -+a side-channel secure error handling. -+ - =head1 CONFORMING TO - - SSL, PKCS #1 v2.0 -diff --git a/doc/man7/provider-asym_cipher.pod b/doc/man7/provider-asym_cipher.pod -index ac3f6271969..cb770c9e857 100644 ---- a/doc/man7/provider-asym_cipher.pod -+++ b/doc/man7/provider-asym_cipher.pod -@@ -235,6 +235,15 @@ The TLS protocol version first requested by the client. - The negotiated TLS protocol version. See - B on the page L. - -+=item "implicit-rejection" (B) -+ -+Gets of sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5 -+decryption. When set (non zero value), the decryption API will return -+a deterministically random value if the PKCS#1 v1.5 padding check fails. -+This makes explotation of the Bleichenbacher significantly harder, even -+if the code using the RSA decryption API is not implemented in side-channel -+free manner. Set by default. -+ - =back - - OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params() -diff --git a/include/crypto/rsa.h b/include/crypto/rsa.h -index 949873d0ee3..f267e5d9d1c 100644 ---- a/include/crypto/rsa.h -+++ b/include/crypto/rsa.h -@@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, const X509_ALGOR *alg); - RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, - OSSL_LIB_CTX *libctx, const char *propq); - -+int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, -+ unsigned char *to, int tlen, -+ const unsigned char *from, int flen, -+ int num, unsigned char *kdk); - int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned char *to, - size_t tlen, - const unsigned char *from, -diff --git a/include/openssl/core_names.h b/include/openssl/core_names.h -index e6c4758a33e..6e4a4f8539d 100644 ---- a/include/openssl/core_names.h -+++ b/include/openssl/core_names.h -@@ -302,6 +302,7 @@ extern "C" { - #define OSSL_PKEY_PARAM_DIST_ID "distid" - #define OSSL_PKEY_PARAM_PUB_KEY "pub" - #define OSSL_PKEY_PARAM_PRIV_KEY "priv" -+#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection" - #define OSSL_PKEY_PARAM_REDHAT_SIGN_KAT_K "rh_sign_kat_k" - - /* Diffie-Hellman/DSA Parameters */ -@@ -482,6 +483,7 @@ extern "C" { - #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" - #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" - #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" -+#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION "implicit-rejection" - #ifdef FIPS_MODULE - #define OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED "redhat-kat-oaep-seed" - #endif -diff --git a/include/openssl/rsa.h b/include/openssl/rsa.h -index bce21258227..167427d3c48 100644 ---- a/include/openssl/rsa.h -+++ b/include/openssl/rsa.h -@@ -189,6 +189,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); - - # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES (EVP_PKEY_ALG_CTRL + 13) - -+# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14) -+ - # define RSA_PKCS1_PADDING 1 - # define RSA_NO_PADDING 3 - # define RSA_PKCS1_OAEP_PADDING 4 -@@ -198,6 +200,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP_PKEY_CTX *ctx, unsigned char **label); - # define RSA_PKCS1_PSS_PADDING 6 - # define RSA_PKCS1_WITH_TLS_PADDING 7 - -+/* internal RSA_ only */ -+# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8 -+ - # define RSA_PKCS1_PADDING_SIZE 11 - - # define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg) -diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c -index 3d331ea8dfd..fbafb84f8cb 100644 ---- a/providers/implementations/asymciphers/rsa_enc.c -+++ b/providers/implementations/asymciphers/rsa_enc.c -@@ -75,6 +75,8 @@ typedef struct { - /* TLS padding */ - unsigned int client_version; - unsigned int alt_version; -+ /* PKCS#1 v1.5 decryption mode */ -+ unsigned int implicit_rejection; - #ifdef FIPS_MODULE - char *redhat_st_oaep_seed; - #endif /* FIPS_MODULE */ -@@ -107,6 +109,7 @@ static int rsa_init(void *vprsactx, void *vrsa, const OSSL_PARAM params[], - RSA_free(prsactx->rsa); - prsactx->rsa = vrsa; - prsactx->operation = operation; -+ prsactx->implicit_rejection = 1; - - switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { - case RSA_FLAG_TYPE_RSA: -@@ -195,6 +198,7 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, - { - PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; - int ret; -+ int pad_mode; - size_t len = RSA_size(prsactx->rsa); - - if (!ossl_prov_is_running()) -@@ -270,8 +274,12 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen, - } - OPENSSL_free(tbuf); - } else { -- ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, -- prsactx->pad_mode); -+ if ((prsactx->implicit_rejection == 0) && -+ (prsactx->pad_mode == RSA_PKCS1_PADDING)) -+ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; -+ else -+ pad_mode = prsactx->pad_mode; -+ ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, pad_mode); - } - *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); - ret = constant_time_select_int(constant_time_msb(ret), 0, 1); -@@ -395,6 +403,10 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) - } - #endif /* defined(FIPS_MODULE) */ - -+ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION); -+ if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection)) -+ return 0; -+ - return 1; - } - -@@ -406,6 +418,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { - NULL, 0), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), -+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), - #ifdef FIPS_MODULE - OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), - OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), -@@ -543,6 +556,14 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) - return 0; - prsactx->alt_version = alt_version; - } -+ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION); -+ if (p != NULL) { -+ unsigned int implicit_rejection; -+ -+ if (!OSSL_PARAM_get_uint(p, &implicit_rejection)) -+ return 0; -+ prsactx->implicit_rejection = implicit_rejection; -+ } - - return 1; - } -@@ -555,6 +576,7 @@ static const OSSL_PARAM known_settable_ctx_params[] = { - OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, NULL, 0), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), - OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), -+ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), - OSSL_PARAM_END - }; - -diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -index b8d8bb2993e..a3d01eec457 100644 ---- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -+++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt -@@ -253,9 +253,25 @@ Decrypt = RSA-2048 - Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 - Output = "Hello World" - -+Availablein = default -+# Note: disable the Bleichenbacher workaround to see if it passes -+Decrypt = RSA-2048 -+Ctrl = rsa_pkcs1_implicit_rejection:0 -+Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 -+Output = "Hello World" -+ -+Availablein = default -+# Corrupted ciphertext -+# Note: output is generated synthethically by the Bleichenbacher workaround -+Decrypt = RSA-2048 -+Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 -+Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff -+ - # Corrupted ciphertext - Availablein = default -+# Note: disable the Bleichenbacher workaround to see if it fails - Decrypt = RSA-2048 -+Ctrl = rsa_pkcs1_implicit_rejection:0 - Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 - Output = "Hello World" - Result = KEYOP_ERROR -@@ -277,6 +297,462 @@ Derive = RSA-2048 - Result = KEYOP_INIT_ERROR - Reason = operation not supported for this keytype - -+# Test vectors for the Bleichenbacher workaround -+ -+PrivateKey = RSA-2048-2 -+-----BEGIN RSA PRIVATE KEY----- -+MIIEowIBAAKCAQEAyMyDlxQJjaVsqiNkD5PciZfBY3KWj8Gwxt9RE8HJTosh5IrS -+KX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjOjRQclJBetK0wZjmkkgZTS25/JgdC -+Ppff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7SSmBfVEWZkQKH6y3ogj16hZZEK3Y -+o/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVOyHUipMApePlomYC/+/ZJwwfoGBm/ -++IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1a9PC6lRl3/oUWJKSqdiiStJr5+4F -+EHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGnaQIDAQABAoIBABRVAQ4PLVh2Y6Zm -+pv8czbvw7dgQBkbQKgI5IpCJksStOeVWWSlybvZQjDpxFY7wtv91HTnQdYC7LS8G -+MhBELQYD/1DbvXs1/iybsZpHoa+FpMJJAeAsqLWLeRmyDt8yqs+/Ua20vEthubfp -+aMqk1XD3DvGNgGMiiJPkfUOe/KeTJZvPLNEIo9hojN8HjnrHmZafIznSwfUiuWlo -+RimpM7quwmgWJeq4T05W9ER+nYj7mhmc9xAj4OJXsURBszyE07xnyoAx0mEmGBA6 -+egpAhEJi912IkM1hblH5A1SI/W4Jnej/bWWk/xGCVIB8n1jS+7qLoVHcjGi+NJyX -+eiBOBMECgYEA+PWta6gokxvqRZuKP23AQdI0gkCcJXHpY/MfdIYColY3GziD7UWe -+z5cFJkWe3RbgVSL1pF2UdRsuwtrycsf4gWpSwA0YCAFxY02omdeXMiL1G5N2MFSG -+lqn32MJKWUl8HvzUVc+5fuhtK200lyszL9owPwSZm062tcwLsz53Yd0CgYEAznou -+O0mpC5YzChLcaCvfvfuujdbcA7YUeu+9V1dD8PbaTYYjUGG3Gv2crS00Al5WrIaw -+93Q+s14ay8ojeJVCRGW3Bu0iF15XGMjHC2cD6o9rUQ+UW+SOWja7PDyRcytYnfwF -+1y2AkDGURSvaITSGR+xylD8RqEbmL66+jrU2sP0CgYB2/hXxiuI5zfHfa0RcpLxr -+uWjXiMIZM6T13NKAAz1nEgYswIpt8gTB+9C+RjB0Q+bdSmRWN1Qp1OA4yiVvrxyb -+3pHGsXt2+BmV+RxIy768e/DjSUwINZ5OjNalh9e5bWIh/X4PtcVXXwgu5XdpeYBx -+sru0oyI4FRtHMUu2VHkDEQKBgQCZiEiwVUmaEAnLx9KUs2sf/fICDm5zZAU+lN4a -+AA3JNAWH9+JydvaM32CNdTtjN3sDtvQITSwCfEs4lgpiM7qe2XOLdvEOp1vkVgeL -+9wH2fMaz8/3BhuZDNsdrNy6AkQ7ICwrcwj0C+5rhBIaigkgHW06n5W3fzziC5FFW -+FHGikQKBgGQ790ZCn32DZnoGUwITR++/wF5jUfghqd67YODszeUAWtnp7DHlWPfp -+LCkyjnRWnXzvfHTKvCs1XtQBoaCRS048uwZITlgZYFEWntFMqi76bqBE4FTSYUTM -+FinFUBBVigThM/RLfCRNrCW/kTxXuJDuSfVIJZzWNAT+9oWdz5da -+-----END RSA PRIVATE KEY----- -+ -+# corresponding public key -+PublicKey = RSA-2048-2-PUBLIC -+-----BEGIN PUBLIC KEY----- -+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMyDlxQJjaVsqiNkD5Pc -+iZfBY3KWj8Gwxt9RE8HJTosh5IrSKX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjO -+jRQclJBetK0wZjmkkgZTS25/JgdCPpff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7 -+SSmBfVEWZkQKH6y3ogj16hZZEK3Yo/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVO -+yHUipMApePlomYC/+/ZJwwfoGBm/+IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1 -+a9PC6lRl3/oUWJKSqdiiStJr5+4FEHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGn -+aQIDAQAB -+-----END PUBLIC KEY----- -+ -+PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC -+ -+# RSA decrypt -+ -+# a random positive test case -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066 -+Output = "lorem ipsum dolor sit amet" -+ -+Availablein = default -+# a random negative test case decrypting to empty -+Decrypt = RSA-2048-2 -+Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7 -+Output = -+ -+Availablein = default -+# invalid decrypting to max length message -+Decrypt = RSA-2048-2 -+Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303 -+Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 -+ -+Availablein = default -+# invalid decrypting to message with length specified by second to last value from PRF -+Decrypt = RSA-2048-2 -+Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354 -+Output = 0f9b -+ -+Availablein = default -+# invalid decrypting to message with length specified by third to last value from PRF -+Decrypt = RSA-2048-2 -+Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081 -+Output = 4f02 -+ -+# positive test with 11 byte long value -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592 -+Output = "lorem ipsum" -+ -+# positive test with 11 byte long value and zero padded ciphertext -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b -+Output = "lorem ipsum" -+ -+# positive test with 11 byte long value and zero truncated ciphertext -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b -+Output = "lorem ipsum" -+ -+# positive test with 11 byte long value and double zero padded ciphertext -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc -+Output = "lorem ipsum" -+ -+# positive test with 11 byte long value and double zero truncated ciphertext -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc -+Output = "lorem ipsum" -+ -+# positive that generates a 0 byte long synthethic message internally -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0 -+Output = "lorem ipsum" -+ -+# positive that generates a 245 byte long synthethic message internally -+Availablein = default -+Decrypt = RSA-2048-2 -+Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50 -+Output = "lorem ipsum" -+ -+Availablein = default -+# a random negative test that generates an 11 byte long message -+Decrypt = RSA-2048-2 -+Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2 -+Output = af9ac70191c92413cb9f2d -+ -+Availablein = default -+# an otherwise correct plaintext, but with wrong first byte -+# (0x01 instead of 0x00), generates a random 11 byte long plaintext -+Decrypt = RSA-2048-2 -+Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc3039906ff3aac904af32ec798fd65f3ad1afa2e69400e7c1de81f5728f3b3291f38263bc7a90a0563e43ce7a0d4ee9c0d8a716621ca5d3d081188769ce1b131af7d35b13dea99153579c86db31fe07d5a2c14d621b77854e48a8df41b5798563af489a291e417b6a334c63222627376118c02c53b6e86310f728734ffc86ef9d7c8bf56c0c841b24b82b59f51aee4526ba1c4268506d301e4ebc498c6aebb6fd5258c876bf900bac8ca4d309dd522f6a6343599a8bc3760f422c10c72d0ad527ce4af1874124ace3d99bb74db8d69d2528db22c3a37644640f95c05f -+Output = a1f8c9255c35cfba403ccc -+ -+Availablein = default -+# an otherwise correct plaintext, but with wrong second byte -+# (0x01 instead of 0x02), generates a random 11 byte long plaintext -+Decrypt = RSA-2048-2 -+Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d2bac96bf00d6592ea7cdc3341610c8fb07e527e5e2d20cfaf2c7f23e375431f45e998929a02f25fd95354c33838090bca838502259e92d86d568bc2cdb132fab2a399593ca60a015dc2bb1afcd64fef8a3834e17e5358d822980dc446e845b3ab4702b1ee41fe5db716d92348d5091c15d35a110555a35deb4650a5a1d2c98025d42d4544f8b32aa6a5e02dc02deaed9a7313b73b49b0d4772a3768b0ea0db5846ace6569cae677bf67fb0acf3c255dc01ec8400c963b6e49b1067728b4e563d7e1e1515664347b92ee64db7efb5452357a02fff7fcb7437abc2e579 -+Output = e6d700309ca0ed62452254 -+ -+Availablein = default -+# an invalid ciphertext, with a zero byte in first byte of -+# ciphertext, decrypts to a random 11 byte long synthethic -+# plaintext -+Decrypt = RSA-2048-2 -+Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 -+Output = ba27b1842e7c21c0e7ef6a -+ -+Availablein = default -+# an invalid ciphertext, with a zero byte removed from first byte of -+# ciphertext, decrypts to a random 11 byte long synthethic -+# plaintext -+Decrypt = RSA-2048-2 -+Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 -+Output = ba27b1842e7c21c0e7ef6a -+ -+Availablein = default -+# an invalid ciphertext, with two zero bytes in first bytes of -+# ciphertext, decrypts to a random 11 byte long synthethic -+# plaintext -+Decrypt = RSA-2048-2 -+Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 -+Output = d5cf555b1d6151029a429a -+ -+Availablein = default -+# an invalid ciphertext, with two zero bytes removed from first bytes of -+# ciphertext, decrypts to a random 11 byte long synthethic -+# plaintext -+Decrypt = RSA-2048-2 -+Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 -+Output = d5cf555b1d6151029a429a -+ -+Availablein = default -+# and invalid ciphertext, otherwise valid but starting with 000002, decrypts -+# to random 11 byte long synthethic plaintext -+Decrypt = RSA-2048-2 -+Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802f8e9a17c4cb3cd3a84041891471b10ca1fcfb5d041d34c82e6d0011cf4dc76b90e9c2e0743590579d55bcd7857057152c4a8040361343d1d22ba677d62b011407c652e234b1d663af25e2386251d7409190f19fc8ec3f9374fdf1254633874ce2ec2bff40ad0cb473f9761ec7b68da45a4bd5e33f5d7dac9b9a20821df9406b653f78a95a6c0ea0a4d57f867e4db22c17bf9a12c150f809a7b72b6db86c22a8732241ebf3c6a4f2cf82671d917aba8bc61052b40ccddd743a94ea9b538175106201971cca9d136d25081739aaf6cd18b2aecf9ad320ea3f89502f955 -+Output = 3d4a054d9358209e9cbbb9 -+ -+Availablein = default -+# negative test with otherwise valid padding but a zero byte in first byte -+# of padding -+Decrypt = RSA-2048-2 -+Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a940037ac516b0d6412ba44ec6b4f268a55ef1c5ffbf18a2f4e3522bb7b6ed89774b79bffa22f7d3102165565642de0d43a955e96a1f2e80e5430671d7266eb4f905dc8ff5e106dc5588e5b0289e49a4913940e392a97062616d2bda38155471b7d360cfb94681c702f60ed2d4de614ea72bf1c53160e63179f6c5b897b59492bee219108309f0b7b8cb2b136c346a5e98b8b4b8415fb1d713bae067911e3057f1c335b4b7e39101eafd5d28f0189037e4334f4fdb9038427b1d119a6702aa8233319cc97d496cc289ae8c956ddc84042659a2d43d6aa22f12b81ab884e -+Output = 1f037dd717b07d3e7f7359 -+ -+Availablein = default -+# negative test with otherwise valid padding but a zero byte at the eigth -+# byte of padding -+Decrypt = RSA-2048-2 -+Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a96460e745024436470ed85e94297b283537d52189c406a3f533cb405cc6a9dba46b482ce98b6e3dd52d8fce2237425617e38c11fbc46b61897ef200d01e4f25f5f6c4c5b38cd0de38ba11908b86595a8036a08a42a3d05b79600a97ac18ba368a08d6cf6ccb624f6e8002afc75599fba4de3d4f3ba7d208391ebe8d21f8282b18e2c10869eb2702e68f9176b42b0ddc9d763f0c86ba0ff92c957aaeab76d9ab8da52ea297ec11d92d770146faa1b300e0f91ef969b53e7d2907ffc984e9a9c9d11fb7d6cba91972059b46506b035efec6575c46d7114a6b935864858445f -+Output = 63cb0bf65fc8255dd29e17 -+ -+Availablein = default -+# negative test with an otherwise valid plaintext but with missing separator -+# byte -+Decrypt = RSA-2048-2 -+Input = 3d1b97e7aa34eaf1f4fc171ceb11dcfffd9a46a5b6961205b10b302818c1fcc9f4ec78bf18ea0cee7e9fa5b16fb4c611463b368b3312ac11cf9c06b7cf72b54e284848a508d3f02328c62c2999d0fb60929f81783c7a256891bc2ff4d91df2af96a24fc5701a1823af939ce6dbdc510608e3d41eec172ad2d51b9fc61b4217c923cadcf5bac321355ef8be5e5f090cdc2bd0c697d9058247db3ad613fdce87d2955a6d1c948a5160f93da21f731d74137f5d1f53a1923adb513d2e6e1589d44cc079f4c6ddd471d38ac82d20d8b1d21f8d65f3b6907086809f4123e08d86fb38729585de026a485d8f0e703fd4772f6668febf67df947b82195fa3867e3a3065 -+Output = 6f09a0b62699337c497b0b -+ -+# Test vectors for the Bleichenbacher workaround (2049 bit key size) -+ -+PrivateKey = RSA-2049 -+-----BEGIN RSA PRIVATE KEY----- -+MIIEpQIBAAKCAQEBVfiJVWoXdfHHp3hqULGLwoyemG7eVmfKs5uEEk6Q66dcHbCD -+rD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjIXeD+dX9uSbue1EfmAkMIANuwTOsi -+5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePfYkZQCUYx8h6v0vtbyRX/BDeazRES -+9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+UFVTQRwRnUFw89UHqCJffyfQAzssp -+j/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/krw6A+qFdsQX8kAHteT3UBEFtUTen6 -+3N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQlwIDAQABAoIBAQEZwrP1CnrWFSZ5 -+1/9RCVisLYym8AKFkvMy1VoWc2F4qOZ/F+cFzjAOPodUclEAYBP5dNCj20nvNEyl -+omo0wEUHBNDkIuDOI6aUJcFf77bybhBu7/ZMyLnXRC5NpOjIUAjq6zZYWaIpT6OT -+e8Jr5WMy59geLBYO9jXMUoqnvlXmM6cj28Hha6KeUrKa7y+eVlT9wGZrsPwlSsvo -+DmOHTw9fAgeC48nc/CUg0MnEp7Y05FA/u0k+Gq/us/iL16EzmHJdrm/jmed1zV1M -+8J/IODR8TJjasaSIPM5iBRNhWvqhCmM2jm17ed9BZqsWJznvUVpEAu4eBgHFpVvH -+HfDjDt+BAoGBAYj2k2DwHhjZot4pUlPSUsMeRHbOpf97+EE99/3jVlI83JdoBfhP -+wN3sdw3wbO0GXIETSHVLNGrxaXVod/07PVaGgsh4fQsxTvasZ9ZegTM5i2Kgg8D4 -+dlxa1A1agfm73OJSftfpUAjLECnLTKvR+em+38KGyWVSJV2n6rGSF473AoGBAN7H -+zxHa3oOkxD0vgBl/If1dRv1XtDH0T+gaHeN/agkf/ARk7ZcdyFCINa3mzF9Wbzll -+YTqLNnmMkubiP1LvkH6VZ+NBvrxTNxiWJfu+qx87ez+S/7JoHm71p4SowtePfC2J -+qqok0s7b0GaBz+ZcNse/o8W6E1FiIi71wukUyYNhAoGAEgk/OnPK7dkPYKME5FQC -++HGrMsjJVbCa9GOjvkNw8tVYSpq7q2n9sDHqRPmEBl0EYehAqyGIhmAONxVUbIsL -+ha0m04y0MI9S0H+ZRH2R8IfzndNAONsuk46XrQU6cfvtZ3Xh3IcY5U5sr35lRn2c -+ut3H52XIWJ4smN/cJcpOyoECgYEAjM5hNHnPlgj392wkXPkbtJXWHp3mSISQVLTd -+G0MW8/mBQg3AlXi/eRb+RpHPrppk5jQLhgMjRSPyXXe2amb8PuWTqfGN6l32PtX3 -+3+udILpppb71Wf+w7JTbcl9v9uq7o9SVR8DKdPA+AeweSQ0TmqCnlHuNZizOSjwP -+G16GF0ECgYEA+ZWbNMS8qM5IiHgbMbHptdit9dDT4+1UXoNn0/hUW6ZEMriHMDXv -+iBwrzeANGAn5LEDYeDe1xPms9Is2uNxTpZVhpFZSNALR6Po68wDlTJG2PmzuBv5t -+5mbzkpWCoD4fRU53ifsHgaTW+7Um74gWIf0erNIUZuTN2YrtEPTnb3k= -+-----END RSA PRIVATE KEY----- -+ -+# corresponding public key -+PublicKey = RSA-2049-PUBLIC -+-----BEGIN PUBLIC KEY----- -+MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEBVfiJVWoXdfHHp3hqULGL -+woyemG7eVmfKs5uEEk6Q66dcHbCDrD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjI -+XeD+dX9uSbue1EfmAkMIANuwTOsi5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePf -+YkZQCUYx8h6v0vtbyRX/BDeazRES9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+U -+FVTQRwRnUFw89UHqCJffyfQAzsspj/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/kr -+w6A+qFdsQX8kAHteT3UBEFtUTen63N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQ -+lwIDAQAB -+-----END PUBLIC KEY----- -+ -+PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC -+ -+# RSA decrypt -+ -+Availablein = default -+# malformed that generates length specified by 3rd last value from PRF -+Decrypt = RSA-2049 -+Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894 -+Output = 42 -+ -+# simple positive test case -+Availablein = default -+Decrypt = RSA-2049 -+Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967 -+Output = "lorem ipsum" -+ -+# positive test case with null padded ciphertext -+Availablein = default -+Decrypt = RSA-2049 -+Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 -+Output = "lorem ipsum" -+ -+# positive test case with null truncated ciphertext -+Availablein = default -+Decrypt = RSA-2049 -+Input = 02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 -+Output = "lorem ipsum" -+ -+# positive test case with double null padded ciphertext -+Availablein = default -+Decrypt = RSA-2049 -+Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 -+Output = "lorem ipsum" -+ -+# positive test case with double null truncated ciphertext -+Availablein = default -+Decrypt = RSA-2049 -+Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 -+Output = "lorem ipsum" -+ -+Availablein = default -+# a random negative test case that generates an 11 byte long message -+Decrypt = RSA-2049 -+Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca -+Output = 1189b6f5498fd6df532b00 -+ -+Availablein = default -+# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) -+Decrypt = RSA-2049 -+Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff -+Output = f6d0f5b78082fe61c04674 -+ -+Availablein = default -+# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) -+Decrypt = RSA-2049 -+Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3 -+Output = 1ab287fcef3ff17067914d -+ -+# RSA decrypt with 3072 bit keys -+PrivateKey = RSA-3072 -+-----BEGIN RSA PRIVATE KEY----- -+MIIG5AIBAAKCAYEAr9ccqtXp9bjGw2cHCkfxnX5mrt4YpbJ0H7PE0zQ0VgaSotkJ -+72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjdvwDdu+OG0zuNDiKxtEk23EiYcbhS -+N7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni5QyIPH16wQ7Wp02ayQ35EpkFoX1K -+CHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3VxUosvFxargW1uygcnveqYBZMpcw64 -+wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx7S/IPlcZnP5ZCLEAh+J/vZfSwkIU -+YZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+vEN0V6VI3gMfVrlgJStUlqQY7TDP5 -+XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/gaEJANFIIOuAGvTxpZbEuc6aUx/P -+ilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDkooCElYcob01/JWzoXl61Z5sdrMH5 -+CVZJty5foHKusAN5AgMBAAECggGAJRfqyzr+9L/65gOY35lXpdKhVKgzaNjhWEKy -+9Z7gn3kZe9LvHprdr4eG9rQSdEdAXjBCsh8vULeqc3cWgMO7y2wiWl1f9rVsRxwY -+gqCjOwrxZaPtbCSdx3g+a8dYrDfmVy0z/jJQeO2VJlDy65YEkC75mlEaERnRPE/J -+pDoXXc37+xoUAP4XCTtpzTzbiV9lQy6iGV+QURxzNrWKaF2s/y2vTF6S5WWxZlrm -+DlErqplluAjV/xGc63zWksv5IAZ6+s2An2a+cG2iaBCseQ2xVslI5v5YG8mEkVf0 -+2kk/OmSwxuEZ4DGxB/hDbOKRYLRYuPnxCV/esZJjOE/1OHVXvE8QtANN6EFwO60s -+HnacI4U+tjCjbRBh3UbipruvdDqX8LMsNvUMGjci3vOjlNkcLgeL8J15Xs3l5WuC -+Avl0Am91/FbpoN1qiPLny3jvEpjMbGUgfKRb03GIgHtPzbHmDdjluFZI+376i2/d -+RI85dBqNmAn+Fjrz3kW6wkpahByBAoHBAOSj2DDXPosxxoLidP/J/RKsMT0t0FE9 -+UFcNt+tHYv6hk+e7VAuUqUpd3XQqz3P13rnK4xvSOsVguyeU/WgmH4ID9XGSgpBP -+Rh6s7izn4KAJeqfI26vTPxvyaZEqB4JxT6k7SerENus95zSn1v/f2MLBQ16EP8cJ -++QSOVCoZfEhUK+srherQ9eZKpj0OwBUrP4VhLdymv96r8xddWX1AVj4OBi2RywKI -+gAgv6fjwkb292jFu6x6FjKRNKwKK6c3jqQKBwQDE4c0Oz0KYYV4feJun3iL9UJSv -+StGsKVDuljA4WiBAmigMZTii/u0DFEjibiLWcJOnH53HTr0avA6c6D1nCwJ2qxyF -+rHNN2L+cdMx/7L1zLR11+InvRgpIGbpeGwHeIzJVUYG3b6llRJMZimBvAMr9ipM1 -+bkVvIjt1G9W1ypeuKzm6d/t8F0yC7AIYZWDV4nvxiiY8whLZzGawHR2iZz8pfUwb -+7URbTvxdsGE27Kq9gstU0PzEJpnU1goCJ7/gA1ECgcBA8w5B6ZM5xV0H5z6nPwDm -+IgYmw/HucgV1hU8exfuoK8wxQvTACW4B0yJKkrK11T1899aGG7VYRn9D4j4OLO48 -+Z9V8esseJXbc1fEezovvymGOci984xiFXtqAQzk44+lmQJJh33VeZApe2eLocvVH -+ddEmc1kOuJWFpszf3LeCcG69cnKrXsrLrZ8Frz//g3aa9B0sFi5hGeWHWJxISVN2 -+c1Nr9IN/57i/GqVTcztjdCAcdM7Tr8phDg7OvRlnxGkCgcEAuYhMFBuulyiSaTff -+/3ZvJKYOJ45rPkEFGoD/2ercn+RlvyCYGcoAEjnIYVEGlWwrSH+b0NlbjVkQsD6O -+to8CeE/RpgqX8hFCqC7NE/RFp8cpDyXy3j/zqnRMUyhCP1KNuScBBZs9V8gikxv6 -+ukBWCk3PYbeTySHKRBbB8vmCrMfhM96jaBIQsQO1CcZnVceDo1/bnsAIwaREVMxr -+Q8LmG7QOx/Z0x1MMsUFoqzilwccC09/JgxMZPh+h+Nv6jiCxAoHBAOEqQgFAfSdR -+ya60LLH55q803NRFMamuKiPbVJLzwiKfbjOiiopmQOS/LxxqIzeMXlYV4OsSvxTo -+G7mcTOFRtU5hKCK+t8qeQQpa/dsMpiHllwArnRyBjIVgL5lFKRpHUGLsavU/T1IH -+mtgaxZo32dXvcAh1+ndCHVBwbHTOF4conA+g+Usp4bZSSWn5nU4oIizvSVpG7SGe -+0GngdxH9Usdqbvzcip1EKeHRTZrHIEYmB+x0LaRIB3dwZNidK3TkKw== -+-----END RSA PRIVATE KEY----- -+ -+PublicKey = RSA-3072-PUBLIC -+-----BEGIN PUBLIC KEY----- -+MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAr9ccqtXp9bjGw2cHCkfx -+nX5mrt4YpbJ0H7PE0zQ0VgaSotkJ72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjd -+vwDdu+OG0zuNDiKxtEk23EiYcbhSN7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni -+5QyIPH16wQ7Wp02ayQ35EpkFoX1KCHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3Vx -+UosvFxargW1uygcnveqYBZMpcw64wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx -+7S/IPlcZnP5ZCLEAh+J/vZfSwkIUYZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+v -+EN0V6VI3gMfVrlgJStUlqQY7TDP5XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/ -+gaEJANFIIOuAGvTxpZbEuc6aUx/PilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDk -+ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE= -+-----END PUBLIC KEY----- -+ -+PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC -+ -+Availablein = default -+# a random invalid ciphertext that generates an empty synthethic one -+Decrypt = RSA-3072 -+Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59 -+Output = -+ -+Availablein = default -+# a random invalid that has PRF output with a length one byte too long -+# in the last value -+Decrypt = RSA-3072 -+Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa28b791188374b61916dbc11339bf14b06f5f3f68c206c5607380e13da3129bfb744157e1527dd6fdf6651248b028a496ae1b97702d44706043cdaa7a59c0f41367303f21f268968bf3bd2904db3ae5239b55f8b438d93d7db9d1666c071c0857e2ec37757463769c54e51f052b2a71b04c2869e9e7049a1037b8429206c99726f07289bac18363e7eb2a5b417f47c37a55090cda676517b3549c873f2fe95da9681752ec9864b069089a2ed2f340c8b04ee00079055a817a3355b46ac7dc00d17f4504ccfbcfcadb0c04cb6b22069e179385ae1eafabad5521bac2b8a8ee1dfff59a22eb3fdacfc87175d10d7894cfd869d056057dd9944b869c1784fcc27f731bc46171d39570fbffbadf082d33f6352ecf44aca8d9478e53f5a5b7c852b401e8f5f74da49da91e65bdc97765a9523b7a0885a6f8afe5759d58009fbfa837472a968e6ae92026a5e0202a395483095302d6c3985b5f5831c521a271 -+Output = 56a3bea054e01338be9b7d7957539c -+ -+Availablein = default -+# a random invalid that generates a synthethic of maximum size -+Decrypt = RSA-3072 -+Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6 -+Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04 -+ -+# a positive test case that decrypts to 9 byte long value -+Availablein = default -+Decrypt = RSA-3072 -+Input = 6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde -+Output = "forty two" -+ -+# a positive test case with null padded ciphertext -+Availablein = default -+Decrypt = RSA-3072 -+Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 -+Output = "forty two" -+ -+# a positive test case with null truncated ciphertext -+Availablein = default -+Decrypt = RSA-3072 -+Input = f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 -+Output = "forty two" -+ -+# a positive test case with double null padded ciphertext -+Availablein = default -+Decrypt = RSA-3072 -+Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 -+Output = "forty two" -+ -+# a positive test case with double null truncated ciphertext -+Availablein = default -+Decrypt = RSA-3072 -+Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 -+Output = "forty two" -+ -+Availablein = default -+# a random negative test case that generates a 9 byte long message -+Decrypt = RSA-3072 -+Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56 -+Output = 257906ca6de8307728 -+ -+Availablein = default -+# a random negative test case that generates a 9 byte long message based on -+# second to last value from PRF -+Decrypt = RSA-3072 -+Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a03a2c10eb624a63322d854da195c017b76fea83e274fa371834dcd2f3b7accf433fc212ad76c0bac366e1ed32e25b279f94129be7c64d6e162adc08ccebc0cfe8e926f01c33ab9c065f0e0ac83ae5137a4cb66702615ad68a35707d8676d2740d7c1a954680c83980e19778ed11eed3a7c2dbdfc461a9bbef671c1bc00c882d361d29d5f80c42bdf5efec886c34138f83369c6933b2ac4e93e764265351b4a0083f040e14f511f09b22f96566138864e4e6ff24da4810095da98e0585410951538ced2f757a277ff8e17172f06572c9024eeae503f176fd46eb6c5cd9ba07af11cde31dccac12eb3a4249a7bfd3b19797ad1656984bfcbf6f74e8f99d8f1ac420811f3d166d87f935ef15ae858cf9e72c8e2b547bf16c3fb09a8c9bf88fd2e5d38bf24ed610896131a84df76b9f920fe76d71fff938e9199f3b8cd0c11fd0201f9139d7673a871a9e7d4adc3bbe360c8813617cd60a90128fbe34c9d5 -+Output = 043383c929060374ed -+ -+Availablein = default -+# a random negative test that generates message based on 3rd last value from -+# PRF -+Decrypt = RSA-3072 -+Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf4868174a91d7601a82975d2255190d28b869141d7c395f0b8c4e2be2b2c1b4ffc12ce749a6f6803d4cfe7fba0a8d6949c04151f981c0d84592aa2ff25d1bd3ce5d10cb03daca6b496c6ad40d30bfa8acdfd02cdb9326c4bdd93b949c9dc46caa8f0e5f429785bce64136a429a3695ee674b647452bea1b0c6de9c5f1e8760d5ef6d5a9cfff40457b023d3c233c1dcb323e7808103e73963b2eafc928c9eeb0ee3294955415c1ddd9a1bb7e138fecd79a3cb89c57bd2305524624814aaf0fd1acbf379f7f5b39421f12f115ba488d380586095bb53f174fae424fa4c8e3b299709cd344b9f949b1ab57f1c645d7ed3c8f81d5594197355029fee8960970ff59710dc0e5eb50ea6f4c3938e3f89ed7933023a2c2ddffaba07be147f686828bd7d520f300507ed6e71bdaee05570b27bc92741108ac2eb433f028e138dd6d63067bc206ea2d826a7f41c0d613daed020f0f30f4e272e9618e0a8c39018a83 -+Output = 70263fa6050534b9e0 -+ -+Availablein = default -+# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) -+Decrypt = RSA-3072 -+Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62 -+Output = 6d8d3a094ff3afff4c -+ -+Availablein = default -+# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) -+Decrypt = RSA-3072 -+Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936 -+Output = c6ae80ffa80bc184b0 -+ -+Availablein = default -+# an otherwise valid plaintext, but with zero byte in first byte of padding -+Decrypt = RSA-3072 -+Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0 -+Output = a8a9301daa01bb25c7 -+ -+Availablein = default -+# an otherwise valid plaintext, but with zero byte in eight byte of padding -+Decrypt = RSA-3072 -+Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571 -+Output = 6c716fe01d44398018 -+ -+Availablein = default -+# an otherwise valid plaintext, but with null separator missing -+Decrypt = RSA-3072 -+Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4 -+Output = aa2de6cde4e2442884 -+ - # RSA PSS key tests - - # PSS only key, no parameter restrictions diff --git a/SOURCES/0122-CVE-2023-2650.patch b/SOURCES/0122-CVE-2023-2650.patch deleted file mode 100644 index ba56969..0000000 --- a/SOURCES/0122-CVE-2023-2650.patch +++ /dev/null @@ -1,30 +0,0 @@ -diff --git a/crypto/objects/obj_dat.c b/crypto/objects/obj_dat.c -index 01cde00e98..c0e55197a0 100644 ---- a/crypto/objects/obj_dat.c -+++ b/crypto/objects/obj_dat.c -@@ -443,6 +443,25 @@ int OBJ_obj2txt(char *buf, int buf_len, const ASN1_OBJECT *a, int no_name) - first = 1; - bl = NULL; - -+ /* -+ * RFC 2578 (STD 58) says this about OBJECT IDENTIFIERs: -+ * -+ * > 3.5. OBJECT IDENTIFIER values -+ * > -+ * > An OBJECT IDENTIFIER value is an ordered list of non-negative -+ * > numbers. For the SMIv2, each number in the list is referred to as a -+ * > sub-identifier, there are at most 128 sub-identifiers in a value, -+ * > and each sub-identifier has a maximum value of 2^32-1 (4294967295 -+ * > decimal). -+ * -+ * So a legitimate OID according to this RFC is at most (32 * 128 / 7), -+ * i.e. 586 bytes long. -+ * -+ * Ref: https://datatracker.ietf.org/doc/html/rfc2578#section-3.5 -+ */ -+ if (len > 586) -+ goto err; -+ - while (len > 0) { - l = 0; - use_bn = 0; diff --git a/SOURCES/0122-TMP-KTLS-test-skip.patch b/SOURCES/0122-TMP-KTLS-test-skip.patch new file mode 100644 index 0000000..f037ee3 --- /dev/null +++ b/SOURCES/0122-TMP-KTLS-test-skip.patch @@ -0,0 +1,16 @@ +diff -up openssl-3.2.1/test/sslapitest.c.xxx openssl-3.2.1/test/sslapitest.c +--- openssl-3.2.1/test/sslapitest.c.xxx 2024-04-15 10:14:47.292448045 +0200 ++++ openssl-3.2.1/test/sslapitest.c 2024-04-15 10:15:23.428396994 +0200 +@@ -1020,9 +1020,10 @@ static int execute_test_large_message(co + /* sock must be connected */ + static int ktls_chk_platform(int sock) + { +- if (!ktls_enable(sock)) ++/* if (!ktls_enable(sock)) + return 0; +- return 1; ++ return 1; */ ++ return 0; + } + + static int ping_pong_query(SSL *clientssl, SSL *serverssl) diff --git a/SOURCES/0123-ibmca-atexit-crash.patch b/SOURCES/0123-ibmca-atexit-crash.patch deleted file mode 100644 index 893e598..0000000 --- a/SOURCES/0123-ibmca-atexit-crash.patch +++ /dev/null @@ -1,244 +0,0 @@ -diff --git a/crypto/context.c b/crypto/context.c -index bdfc4d02a3f0..548665fba265 100644 ---- a/crypto/context.c -+++ b/crypto/context.c -@@ -15,6 +15,7 @@ - #include "internal/bio.h" - #include "internal/provider.h" - #include "crypto/ctype.h" -+#include "crypto/rand.h" - - # include - # include -@@ -271,6 +272,20 @@ OSSL_LIB_CTX *OSSL_LIB_CTX_set0_default(OSSL_LIB_CTX *libctx) - - return NULL; - } -+ -+void ossl_release_default_drbg_ctx(void) -+{ -+ int dynidx = default_context_int.dyn_indexes[OSSL_LIB_CTX_DRBG_INDEX]; -+ -+ /* early release of the DRBG in global default libctx, no locking */ -+ if (dynidx != -1) { -+ void *data; -+ -+ data = CRYPTO_get_ex_data(&default_context_int.data, dynidx); -+ ossl_rand_ctx_free(data); -+ CRYPTO_set_ex_data(&default_context_int.data, dynidx, NULL); -+ } -+} - #endif - - OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx) -diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c -index c453d3226133..f341d915db76 100644 ---- a/crypto/rand/rand_lib.c -+++ b/crypto/rand/rand_lib.c -@@ -96,6 +96,7 @@ void ossl_rand_cleanup_int(void) - CRYPTO_THREAD_lock_free(rand_meth_lock); - rand_meth_lock = NULL; - # endif -+ ossl_release_default_drbg_ctx(); - rand_inited = 0; - } - -@@ -469,7 +470,7 @@ static void *rand_ossl_ctx_new(OSSL_LIB_CTX *libctx) - return NULL; - } - --static void rand_ossl_ctx_free(void *vdgbl) -+void ossl_rand_ctx_free(void *vdgbl) - { - RAND_GLOBAL *dgbl = vdgbl; - -@@ -494,7 +495,7 @@ static void rand_ossl_ctx_free(void *vdgbl) - static const OSSL_LIB_CTX_METHOD rand_drbg_ossl_ctx_method = { - OSSL_LIB_CTX_METHOD_PRIORITY_2, - rand_ossl_ctx_new, -- rand_ossl_ctx_free, -+ ossl_rand_ctx_free, - }; - - static RAND_GLOBAL *rand_get_global(OSSL_LIB_CTX *libctx) -diff --git a/engines/e_dasync.c b/engines/e_dasync.c -index 5a303a9f8528..7974106ae219 100644 ---- a/engines/e_dasync.c -+++ b/engines/e_dasync.c -@@ -139,6 +139,14 @@ static int dasync_aes128_cbc_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, size_t inl); - static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx); - -+static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, -+ void *ptr); -+static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, -+ const unsigned char *iv, int enc); -+static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, size_t inl); -+static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx); -+ - static int dasync_aes128_cbc_hmac_sha1_ctrl(EVP_CIPHER_CTX *ctx, int type, - int arg, void *ptr); - static int dasync_aes128_cbc_hmac_sha1_init_key(EVP_CIPHER_CTX *ctx, -@@ -171,6 +179,12 @@ static const EVP_CIPHER *dasync_aes_128_cbc(void) - return _hidden_aes_128_cbc; - } - -+static EVP_CIPHER *_hidden_aes_256_ctr = NULL; -+static const EVP_CIPHER *dasync_aes_256_ctr(void) -+{ -+ return _hidden_aes_256_ctr; -+} -+ - /* - * Holds the EVP_CIPHER object for aes_128_cbc_hmac_sha1 in this engine. Set up - * once only during engine bind and can then be reused many times. -@@ -192,8 +206,10 @@ static const EVP_CIPHER *dasync_aes_128_cbc_hmac_sha1(void) - static void destroy_ciphers(void) - { - EVP_CIPHER_meth_free(_hidden_aes_128_cbc); -+ EVP_CIPHER_meth_free(_hidden_aes_256_ctr); - EVP_CIPHER_meth_free(_hidden_aes_128_cbc_hmac_sha1); - _hidden_aes_128_cbc = NULL; -+ _hidden_aes_256_ctr = NULL; - _hidden_aes_128_cbc_hmac_sha1 = NULL; - } - -@@ -202,6 +218,7 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, - - static int dasync_cipher_nids[] = { - NID_aes_128_cbc, -+ NID_aes_256_ctr, - NID_aes_128_cbc_hmac_sha1, - 0 - }; -@@ -284,6 +301,30 @@ static int bind_dasync(ENGINE *e) - _hidden_aes_128_cbc = NULL; - } - -+ _hidden_aes_256_ctr = EVP_CIPHER_meth_new(NID_aes_256_ctr, -+ 1 /* block size */, -+ 32 /* key len */); -+ if (_hidden_aes_256_ctr == NULL -+ || !EVP_CIPHER_meth_set_iv_length(_hidden_aes_256_ctr,16) -+ || !EVP_CIPHER_meth_set_flags(_hidden_aes_256_ctr, -+ EVP_CIPH_FLAG_DEFAULT_ASN1 -+ | EVP_CIPH_CTR_MODE -+ | EVP_CIPH_FLAG_PIPELINE -+ | EVP_CIPH_CUSTOM_COPY) -+ || !EVP_CIPHER_meth_set_init(_hidden_aes_256_ctr, -+ dasync_aes256_init_key) -+ || !EVP_CIPHER_meth_set_do_cipher(_hidden_aes_256_ctr, -+ dasync_aes256_ctr_cipher) -+ || !EVP_CIPHER_meth_set_cleanup(_hidden_aes_256_ctr, -+ dasync_aes256_ctr_cleanup) -+ || !EVP_CIPHER_meth_set_ctrl(_hidden_aes_256_ctr, -+ dasync_aes256_ctr_ctrl) -+ || !EVP_CIPHER_meth_set_impl_ctx_size(_hidden_aes_256_ctr, -+ sizeof(struct dasync_pipeline_ctx))) { -+ EVP_CIPHER_meth_free(_hidden_aes_256_ctr); -+ _hidden_aes_256_ctr = NULL; -+ } -+ - _hidden_aes_128_cbc_hmac_sha1 = EVP_CIPHER_meth_new( - NID_aes_128_cbc_hmac_sha1, - 16 /* block size */, -@@ -445,6 +486,9 @@ static int dasync_ciphers(ENGINE *e, const EVP_CIPHER **cipher, - case NID_aes_128_cbc: - *cipher = dasync_aes_128_cbc(); - break; -+ case NID_aes_256_ctr: -+ *cipher = dasync_aes_256_ctr(); -+ break; - case NID_aes_128_cbc_hmac_sha1: - *cipher = dasync_aes_128_cbc_hmac_sha1(); - break; -@@ -779,6 +823,29 @@ static int dasync_aes128_cbc_cleanup(EVP_CIPHER_CTX *ctx) - return dasync_cipher_cleanup_helper(ctx, EVP_aes_128_cbc()); - } - -+static int dasync_aes256_ctr_ctrl(EVP_CIPHER_CTX *ctx, int type, int arg, -+ void *ptr) -+{ -+ return dasync_cipher_ctrl_helper(ctx, type, arg, ptr, 0, EVP_aes_256_ctr()); -+} -+ -+static int dasync_aes256_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, -+ const unsigned char *iv, int enc) -+{ -+ return dasync_cipher_init_key_helper(ctx, key, iv, enc, EVP_aes_256_ctr()); -+} -+ -+static int dasync_aes256_ctr_cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, -+ const unsigned char *in, size_t inl) -+{ -+ return dasync_cipher_helper(ctx, out, in, inl, EVP_aes_256_ctr()); -+} -+ -+static int dasync_aes256_ctr_cleanup(EVP_CIPHER_CTX *ctx) -+{ -+ return dasync_cipher_cleanup_helper(ctx, EVP_aes_256_ctr()); -+} -+ - - /* - * AES128 CBC HMAC SHA1 Implementation -diff --git a/include/crypto/rand.h b/include/crypto/rand.h -index 6a71a339c812..165deaf95c5e 100644 ---- a/include/crypto/rand.h -+++ b/include/crypto/rand.h -@@ -125,4 +125,5 @@ void ossl_rand_cleanup_nonce(ossl_unused const OSSL_CORE_HANDLE *handle, - size_t ossl_pool_acquire_entropy(RAND_POOL *pool); - int ossl_pool_add_nonce_data(RAND_POOL *pool); - -+void ossl_rand_ctx_free(void *vdgbl); - #endif -diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h -index 1291299b6e50..934d4b089c20 100644 ---- a/include/internal/cryptlib.h -+++ b/include/internal/cryptlib.h -@@ -199,6 +199,8 @@ int ossl_lib_ctx_run_once(OSSL_LIB_CTX *ctx, unsigned int idx, - int ossl_lib_ctx_onfree(OSSL_LIB_CTX *ctx, ossl_lib_ctx_onfree_fn onfreefn); - const char *ossl_lib_ctx_get_descriptor(OSSL_LIB_CTX *libctx); - -+void ossl_release_default_drbg_ctx(void); -+ - OSSL_LIB_CTX *ossl_crypto_ex_data_get_ossl_lib_ctx(const CRYPTO_EX_DATA *ad); - int ossl_crypto_new_ex_data_ex(OSSL_LIB_CTX *ctx, int class_index, void *obj, - CRYPTO_EX_DATA *ad); -diff --git a/test/recipes/05-test_rand.t b/test/recipes/05-test_rand.t -index 4da1e64cb6da..3f352db9df3a 100644 ---- a/test/recipes/05-test_rand.t -+++ b/test/recipes/05-test_rand.t -@@ -11,9 +11,30 @@ use warnings; - use OpenSSL::Test; - use OpenSSL::Test::Utils; - --plan tests => 3; -+plan tests => 5; - setup("test_rand"); - - ok(run(test(["rand_test"]))); - ok(run(test(["drbgtest"]))); - ok(run(test(["rand_status_test"]))); -+ -+SKIP: { -+ skip "engine is not supported by this OpenSSL build", 2 -+ if disabled("engine") || disabled("dynamic-engine"); -+ -+ my $success; -+ my @randdata; -+ my $expected = '0102030405060708090a0b0c0d0e0f10'; -+ -+ @randdata = run(app(['openssl', 'rand', '-engine', 'ossltest', '-hex', '16' ]), -+ capture => 1, statusvar => \$success); -+ chomp(@randdata); -+ ok($success and $randdata[0] eq $expected, -+ "rand with ossltest: Check rand output is as expected"); -+ -+ @randdata = run(app(['openssl', 'rand', '-engine', 'dasync', '-hex', '16' ]), -+ capture => 1, statusvar => \$success); -+ chomp(@randdata); -+ ok($success and length($randdata[0]) == 32, -+ "rand with dasync: Check rand output is of expected length"); -+} diff --git a/SOURCES/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch b/SOURCES/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch new file mode 100644 index 0000000..85f97c6 --- /dev/null +++ b/SOURCES/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch @@ -0,0 +1,62 @@ +From a4daab0c29bce044d385bdeada177a88c32cba4c Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 17 Jun 2024 16:48:26 +0200 +Subject: [PATCH] Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older + providers + +If there is no get_ctx_params() implemented in the key exchange +provider implementation the fallback will not work. Instead +check the gettable_ctx_params() to see if the fallback should be +performed. + +Fixes #24611 + +Reviewed-by: Paul Dale +Reviewed-by: Tom Cosgrove +(Merged from https://github.com/openssl/openssl/pull/24661) + +(cherry picked from commit 663dbc9c9c897392a9f9d18aa9a8400ca024dc5d) +--- + crypto/evp/pmeth_lib.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c +index 2caff2cd6d..d15e43be05 100644 +--- a/crypto/evp/pmeth_lib.c ++++ b/crypto/evp/pmeth_lib.c +@@ -1026,6 +1026,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + int datalen) + { + OSSL_PARAM os_params[2]; ++ const OSSL_PARAM *gettables; + unsigned char *info = NULL; + size_t info_len = 0; + size_t info_alloc = 0; +@@ -1049,6 +1050,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + return 1; + } + ++ /* Check for older provider that doesn't support getting this parameter */ ++ gettables = EVP_PKEY_CTX_gettable_params(ctx); ++ if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL) ++ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, ++ data, datalen); ++ + /* Get the original value length */ + os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0); + os_params[1] = OSSL_PARAM_construct_end(); +@@ -1056,9 +1063,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + if (!EVP_PKEY_CTX_get_params(ctx, os_params)) + return 0; + +- /* Older provider that doesn't support getting this parameter */ ++ /* This should not happen but check to be sure. */ + if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED) +- return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen); ++ return 0; + + info_alloc = os_params[0].return_size + datalen; + if (info_alloc == 0) +-- +2.45.1 + diff --git a/SOURCES/0124-Fix-SSL_select_next_proto.patch b/SOURCES/0124-Fix-SSL_select_next_proto.patch new file mode 100644 index 0000000..6458067 --- /dev/null +++ b/SOURCES/0124-Fix-SSL_select_next_proto.patch @@ -0,0 +1,109 @@ +From 99fb785a5f85315b95288921a321a935ea29a51e Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 11:14:33 +0100 +Subject: [PATCH 01/10] Fix SSL_select_next_proto + +Ensure that the provided client list is non-NULL and starts with a valid +entry. When called from the ALPN callback the client list should already +have been validated by OpenSSL so this should not cause a problem. When +called from the NPN callback the client list is locally configured and +will not have already been validated. Therefore SSL_select_next_proto +should not assume that it is correctly formatted. + +We implement stricter checking of the client protocol list. We also do the +same for the server list while we are about it. + +CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++------------------- + 1 file changed, 40 insertions(+), 23 deletions(-) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 016135fe18..cf52b317cf 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, + unsigned int server_len, + const unsigned char *client, unsigned int client_len) + { +- unsigned int i, j; +- const unsigned char *result; +- int status = OPENSSL_NPN_UNSUPPORTED; ++ PACKET cpkt, csubpkt, spkt, ssubpkt; ++ ++ if (!PACKET_buf_init(&cpkt, client, client_len) ++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) ++ || PACKET_remaining(&csubpkt) == 0) { ++ *out = NULL; ++ *outlen = 0; ++ return OPENSSL_NPN_NO_OVERLAP; ++ } ++ ++ /* ++ * Set the default opportunistic protocol. Will be overwritten if we find ++ * a match. ++ */ ++ *out = (unsigned char *)PACKET_data(&csubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&csubpkt); + + /* + * For each protocol in server preference order, see if we support it. + */ +- for (i = 0; i < server_len;) { +- for (j = 0; j < client_len;) { +- if (server[i] == client[j] && +- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { +- /* We found a match */ +- result = &server[i]; +- status = OPENSSL_NPN_NEGOTIATED; +- goto found; ++ if (PACKET_buf_init(&spkt, server, server_len)) { ++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { ++ if (PACKET_remaining(&ssubpkt) == 0) ++ continue; /* Invalid - ignore it */ ++ if (PACKET_buf_init(&cpkt, client, client_len)) { ++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { ++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), ++ PACKET_remaining(&ssubpkt))) { ++ /* We found a match */ ++ *out = (unsigned char *)PACKET_data(&ssubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); ++ return OPENSSL_NPN_NEGOTIATED; ++ } ++ } ++ /* Ignore spurious trailing bytes in the client list */ ++ } else { ++ /* This should never happen */ ++ return OPENSSL_NPN_NO_OVERLAP; + } +- j += client[j]; +- j++; + } +- i += server[i]; +- i++; ++ /* Ignore spurious trailing bytes in the server list */ + } + +- /* There's no overlap between our protocols and the server's list. */ +- result = client; +- status = OPENSSL_NPN_NO_OVERLAP; +- +- found: +- *out = (unsigned char *)result + 1; +- *outlen = result[0]; +- return status; ++ /* ++ * There's no overlap between our protocols and the server's list. We use ++ * the default opportunistic protocol selected earlier ++ */ ++ return OPENSSL_NPN_NO_OVERLAP; + } + + #ifndef OPENSSL_NO_NEXTPROTONEG +-- +2.46.0 + diff --git a/SOURCES/0125-CVE-2023-2975.patch b/SOURCES/0125-CVE-2023-2975.patch deleted file mode 100644 index 4717087..0000000 --- a/SOURCES/0125-CVE-2023-2975.patch +++ /dev/null @@ -1,30 +0,0 @@ -diff --git a/providers/implementations/ciphers/cipher_aes_siv.c b/providers/implementations/ciphers/cipher_aes_siv.c -index 45010b90db..b396c8651a 100644 ---- a/providers/implementations/ciphers/cipher_aes_siv.c -+++ b/providers/implementations/ciphers/cipher_aes_siv.c -@@ -120,14 +120,18 @@ static int siv_cipher(void *vctx, unsigned char *out, size_t *outl, - if (!ossl_prov_is_running()) - return 0; - -- if (inl == 0) { -- *outl = 0; -- return 1; -- } -+ /* Ignore just empty encryption/decryption call and not AAD. */ -+ if (out != NULL) { -+ if (inl == 0) { -+ if (outl != NULL) -+ *outl = 0; -+ return 1; -+ } - -- if (outsize < inl) { -- ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); -- return 0; -+ if (outsize < inl) { -+ ERR_raise(ERR_LIB_PROV, PROV_R_OUTPUT_BUFFER_TOO_SMALL); -+ return 0; -+ } - } - - if (ctx->hw->cipher(ctx, out, in, inl) <= 0) diff --git a/SOURCES/0125-More-correctly-handle-a-selected_len-of-0-when-proce.patch b/SOURCES/0125-More-correctly-handle-a-selected_len-of-0-when-proce.patch new file mode 100644 index 0000000..29d22c6 --- /dev/null +++ b/SOURCES/0125-More-correctly-handle-a-selected_len-of-0-when-proce.patch @@ -0,0 +1,39 @@ +From 015255851371757d54c2560643eb3b3a88123cf1 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 11:18:27 +0100 +Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when + processing NPN + +In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but +the selected_len is 0 we should fail. Previously this would fail with an +internal_error alert because calling OPENSSL_malloc(selected_len) will +return NULL when selected_len is 0. We make this error detection more +explicit and return a handshake failure alert. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + ssl/statem/extensions_clnt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c +index 381a6c9d7b..1ab3c13d57 100644 +--- a/ssl/statem/extensions_clnt.c ++++ b/ssl/statem/extensions_clnt.c +@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, + if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s), + &selected, &selected_len, + PACKET_data(pkt), PACKET_remaining(pkt), +- sctx->ext.npn_select_cb_arg) != +- SSL_TLSEXT_ERR_OK) { ++ sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK ++ || selected_len == 0) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); + return 0; + } +-- +2.46.0 + diff --git a/SOURCES/0126-CVE-2023-3446.patch b/SOURCES/0126-CVE-2023-3446.patch deleted file mode 100644 index 38132cf..0000000 --- a/SOURCES/0126-CVE-2023-3446.patch +++ /dev/null @@ -1,74 +0,0 @@ -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 0b391910d6..84a926998e 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -152,6 +152,12 @@ int DH_check(const DH *dh, int *ret) - if (nid != NID_undef) - return 1; - -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -+ return 0; -+ } -+ - if (!DH_check_params(dh, ret)) - return 0; - -diff --git a/include/openssl/dh.h b/include/openssl/dh.h -index b97871eca7..36420f51d8 100644 ---- a/include/openssl/dh.h -+++ b/include/openssl/dh.h -@@ -89,7 +89,11 @@ int EVP_PKEY_CTX_get0_dh_kdf_ukm(EVP_PKEY_CTX *ctx, unsigned char **ukm); - # include - - # ifndef OPENSSL_DH_MAX_MODULUS_BITS --# define OPENSSL_DH_MAX_MODULUS_BITS 10000 -+# define OPENSSL_DH_MAX_MODULUS_BITS 10000 -+# endif -+ -+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS -+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768 - # endif - - # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 -diff --git a/test/dhtest.c b/test/dhtest.c -index 7b587f3cfa..f8dd8f3aa7 100644 ---- a/test/dhtest.c -+++ b/test/dhtest.c -@@ -73,7 +73,7 @@ static int dh_test(void) - goto err1; - - /* check fails, because p is way too small */ -- if (!DH_check(dh, &i)) -+ if (!TEST_true(DH_check(dh, &i))) - goto err2; - i ^= DH_MODULUS_TOO_SMALL; - if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) -@@ -124,6 +124,17 @@ static int dh_test(void) - /* We'll have a stale error on the queue from the above test so clear it */ - ERR_clear_error(); - -+ /* Modulus of size: dh check max modulus bits + 1 */ -+ if (!TEST_true(BN_set_word(p, 1)) -+ || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS))) -+ goto err3; -+ -+ /* -+ * We expect no checks at all for an excessively large modulus -+ */ -+ if (!TEST_false(DH_check(dh, &i))) -+ goto err3; -+ - /* - * II) key generation - */ -@@ -138,7 +149,7 @@ static int dh_test(void) - goto err3; - - /* ... and check whether it is valid */ -- if (!DH_check(a, &i)) -+ if (!TEST_true(DH_check(a, &i))) - goto err3; - if (!TEST_false(i & DH_CHECK_P_NOT_PRIME) - || !TEST_false(i & DH_CHECK_P_NOT_SAFE_PRIME) diff --git a/SOURCES/0126-Use-correctly-formatted-ALPN-data-in-tserver.patch b/SOURCES/0126-Use-correctly-formatted-ALPN-data-in-tserver.patch new file mode 100644 index 0000000..028732f --- /dev/null +++ b/SOURCES/0126-Use-correctly-formatted-ALPN-data-in-tserver.patch @@ -0,0 +1,34 @@ +From 6cc511826f09e513b4ec066d9b95acaf4f86d991 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 11:22:13 +0100 +Subject: [PATCH 03/10] Use correctly formatted ALPN data in tserver + +The QUIC test server was using incorrectly formatted ALPN data. With the +previous implementation of SSL_select_next_proto this went unnoticed. With +the new stricter implemenation it was failing. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + ssl/quic/quic_tserver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c +index 86187d06ff..15694e723f 100644 +--- a/ssl/quic/quic_tserver.c ++++ b/ssl/quic/quic_tserver.c +@@ -58,7 +58,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out, + + if (srv->args.alpn == NULL) { + alpn = alpndeflt; +- alpnlen = sizeof(alpn); ++ alpnlen = sizeof(alpndeflt); + } else { + alpn = srv->args.alpn; + alpnlen = srv->args.alpnlen; +-- +2.46.0 + diff --git a/SOURCES/0127-CVE-2023-3817.patch b/SOURCES/0127-CVE-2023-3817.patch deleted file mode 100644 index 5fc72e7..0000000 --- a/SOURCES/0127-CVE-2023-3817.patch +++ /dev/null @@ -1,57 +0,0 @@ -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index aef6f9b1b7..fbe2797569 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -143,7 +143,7 @@ int DH_check(const DH *dh, int *ret) - #ifdef FIPS_MODULE - return DH_check_params(dh, ret); - #else -- int ok = 0, r; -+ int ok = 0, r, q_good = 0; - BN_CTX *ctx = NULL; - BIGNUM *t1 = NULL, *t2 = NULL; - int nid = DH_get_nid((DH *)dh); -@@ -172,6 +172,13 @@ int DH_check(const DH *dh, int *ret) - goto err; - - if (dh->params.q != NULL) { -+ if (BN_ucmp(dh->params.p, dh->params.q) > 0) -+ q_good = 1; -+ else -+ *ret |= DH_CHECK_INVALID_Q_VALUE; -+ } -+ -+ if (q_good) { - if (BN_cmp(dh->params.g, BN_value_one()) <= 0) - *ret |= DH_NOT_SUITABLE_GENERATOR; - else if (BN_cmp(dh->params.g, dh->params.p) >= 0) -diff --git a/test/dhtest.c b/test/dhtest.c -index f8dd8f3aa7..d02b3b7c58 100644 ---- a/test/dhtest.c -+++ b/test/dhtest.c -@@ -124,6 +124,15 @@ static int dh_test(void) - /* We'll have a stale error on the queue from the above test so clear it */ - ERR_clear_error(); - -+ if (!TEST_ptr(BN_copy(q, p)) || !TEST_true(BN_add(q, q, BN_value_one()))) -+ goto err3; -+ -+ if (!TEST_true(DH_check(dh, &i))) -+ goto err3; -+ if (!TEST_true(i & DH_CHECK_INVALID_Q_VALUE) -+ || !TEST_false(i & DH_CHECK_Q_NOT_PRIME)) -+ goto err3; -+ - /* Modulus of size: dh check max modulus bits + 1 */ - if (!TEST_true(BN_set_word(p, 1)) - || !TEST_true(BN_lshift(p, p, OPENSSL_DH_CHECK_MAX_MODULUS_BITS))) -@@ -135,6 +144,9 @@ static int dh_test(void) - if (!TEST_false(DH_check(dh, &i))) - goto err3; - -+ /* We'll have a stale error on the queue from the above test so clear it */ -+ ERR_clear_error(); -+ - /* - * II) key generation - */ diff --git a/SOURCES/0127-Clarify-the-SSL_select_next_proto-documentation.patch b/SOURCES/0127-Clarify-the-SSL_select_next_proto-documentation.patch new file mode 100644 index 0000000..34e6261 --- /dev/null +++ b/SOURCES/0127-Clarify-the-SSL_select_next_proto-documentation.patch @@ -0,0 +1,78 @@ +From 8e81c57adbbf703dfb63955f65599765fdacc741 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 11:46:38 +0100 +Subject: [PATCH 04/10] Clarify the SSL_select_next_proto() documentation + +We clarify the input preconditions and the expected behaviour in the event +of no overlap. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod +index 05fee2fbec..79e1a252f6 100644 +--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod ++++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod +@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated + SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to + set the list of protocols available to be negotiated. The B must be in + protocol-list format, described below. The length of B is specified in +-B. ++B. Setting B to 0 clears any existing list of ALPN ++protocols and no ALPN extension will be sent to the server. + + SSL_CTX_set_alpn_select_cb() sets the application callback B used by a + server to select which protocol to use for the incoming connection. When B +@@ -73,9 +74,16 @@ B and B, B must be in the protocol-list format + described below. The first item in the B, B list that + matches an item in the B, B list is selected, and returned + in B, B. The B value will point into either B or +-B, so it should be copied immediately. If no match is found, the first +-item in B, B is returned in B, B. This +-function can also be used in the NPN callback. ++B, so it should be copied immediately. The client list must include at ++least one valid (nonempty) protocol entry in the list. ++ ++The SSL_select_next_proto() helper function can be useful from either the ALPN ++callback or the NPN callback (described below). If no match is found, the first ++item in B, B is returned in B, B and ++B is returned. This can be useful when implementating ++the NPN callback. In the ALPN case, the value returned in B and B ++must be ignored if B has been returned from ++SSL_select_next_proto(). + + SSL_CTX_set_next_proto_select_cb() sets a callback B that is called when a + client needs to select a protocol from the server's provided list, and a +@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B). + The length of the protocol name must be written into B. The + server's advertised protocols are provided in B and B. The + callback can assume that B is syntactically valid. The client must +-select a protocol. It is fatal to the connection if this callback returns +-a value other than B. The B parameter is the pointer +-set via SSL_CTX_set_next_proto_select_cb(). ++select a protocol (although it may be an empty, zero length protocol). It is ++fatal to the connection if this callback returns a value other than ++B or if the zero length protocol is selected. The B ++parameter is the pointer set via SSL_CTX_set_next_proto_select_cb(). + + SSL_CTX_set_next_protos_advertised_cb() sets a callback B that is called + when a TLS server needs a list of supported protocols for Next Protocol +@@ -154,7 +163,8 @@ A match was found and is returned in B, B. + =item OPENSSL_NPN_NO_OVERLAP + + No match was found. The first item in B, B is returned in +-B, B. ++B, B (or B and 0 in the case where the first entry in ++B is invalid). + + =back + +-- +2.46.0 + diff --git a/SOURCES/0128-Add-a-test-for-SSL_select_next_proto.patch b/SOURCES/0128-Add-a-test-for-SSL_select_next_proto.patch new file mode 100644 index 0000000..ccf1577 --- /dev/null +++ b/SOURCES/0128-Add-a-test-for-SSL_select_next_proto.patch @@ -0,0 +1,172 @@ +From add5c52a25c549cec4a730cdf96e2252f0a1862d Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 16:35:16 +0100 +Subject: [PATCH 05/10] Add a test for SSL_select_next_proto + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 137 insertions(+) + +diff --git a/test/sslapitest.c b/test/sslapitest.c +index ce163322cd..15cb9060cb 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -11741,6 +11741,142 @@ static int test_multi_resume(int idx) + return testresult; + } + ++static struct next_proto_st { ++ int serverlen; ++ unsigned char server[40]; ++ int clientlen; ++ unsigned char client[40]; ++ int expected_ret; ++ size_t selectedlen; ++ unsigned char selected[40]; ++} next_proto_tests[] = { ++ { ++ 4, { 3, 'a', 'b', 'c' }, ++ 4, { 3, 'a', 'b', 'c' }, ++ OPENSSL_NPN_NEGOTIATED, ++ 3, { 'a', 'b', 'c' } ++ }, ++ { ++ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' }, ++ 4, { 3, 'a', 'b', 'c' }, ++ OPENSSL_NPN_NEGOTIATED, ++ 3, { 'a', 'b', 'c' } ++ }, ++ { ++ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', }, ++ 4, { 3, 'a', 'b', 'c' }, ++ OPENSSL_NPN_NEGOTIATED, ++ 3, { 'a', 'b', 'c' } ++ }, ++ { ++ 4, { 3, 'a', 'b', 'c' }, ++ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', }, ++ OPENSSL_NPN_NEGOTIATED, ++ 3, { 'a', 'b', 'c' } ++ }, ++ { ++ 4, { 3, 'a', 'b', 'c' }, ++ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'}, ++ OPENSSL_NPN_NEGOTIATED, ++ 3, { 'a', 'b', 'c' } ++ }, ++ { ++ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' }, ++ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'}, ++ OPENSSL_NPN_NEGOTIATED, ++ 3, { 'a', 'b', 'c' } ++ }, ++ { ++ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' }, ++ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'}, ++ OPENSSL_NPN_NEGOTIATED, ++ 3, { 'a', 'b', 'c' } ++ }, ++ { ++ 4, { 3, 'b', 'c', 'd' }, ++ 4, { 3, 'a', 'b', 'c' }, ++ OPENSSL_NPN_NO_OVERLAP, ++ 3, { 'a', 'b', 'c' } ++ }, ++ { ++ 0, { 0 }, ++ 4, { 3, 'a', 'b', 'c' }, ++ OPENSSL_NPN_NO_OVERLAP, ++ 3, { 'a', 'b', 'c' } ++ }, ++ { ++ -1, { 0 }, ++ 4, { 3, 'a', 'b', 'c' }, ++ OPENSSL_NPN_NO_OVERLAP, ++ 3, { 'a', 'b', 'c' } ++ }, ++ { ++ 4, { 3, 'a', 'b', 'c' }, ++ 0, { 0 }, ++ OPENSSL_NPN_NO_OVERLAP, ++ 0, { 0 } ++ }, ++ { ++ 4, { 3, 'a', 'b', 'c' }, ++ -1, { 0 }, ++ OPENSSL_NPN_NO_OVERLAP, ++ 0, { 0 } ++ }, ++ { ++ 3, { 3, 'a', 'b', 'c' }, ++ 4, { 3, 'a', 'b', 'c' }, ++ OPENSSL_NPN_NO_OVERLAP, ++ 3, { 'a', 'b', 'c' } ++ }, ++ { ++ 4, { 3, 'a', 'b', 'c' }, ++ 3, { 3, 'a', 'b', 'c' }, ++ OPENSSL_NPN_NO_OVERLAP, ++ 0, { 0 } ++ } ++}; ++ ++static int test_select_next_proto(int idx) ++{ ++ struct next_proto_st *np = &next_proto_tests[idx]; ++ int ret = 0; ++ unsigned char *out, *client, *server; ++ unsigned char outlen; ++ unsigned int clientlen, serverlen; ++ ++ if (np->clientlen == -1) { ++ client = NULL; ++ clientlen = 0; ++ } else { ++ client = np->client; ++ clientlen = (unsigned int)np->clientlen; ++ } ++ if (np->serverlen == -1) { ++ server = NULL; ++ serverlen = 0; ++ } else { ++ server = np->server; ++ serverlen = (unsigned int)np->serverlen; ++ } ++ ++ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen, ++ client, clientlen), ++ np->expected_ret)) ++ goto err; ++ ++ if (np->selectedlen == 0) { ++ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0)) ++ goto err; ++ } else { ++ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen)) ++ goto err; ++ } ++ ++ ret = 1; ++ err: ++ return ret; ++} ++ + OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") + + int setup_tests(void) +@@ -12053,6 +12189,7 @@ int setup_tests(void) + ADD_ALL_TESTS(test_handshake_retry, 16); + ADD_TEST(test_data_retry); + ADD_ALL_TESTS(test_multi_resume, 5); ++ ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests)); + return 1; + + err: +-- +2.46.0 + diff --git a/SOURCES/0128-CVE-2023-5363.patch b/SOURCES/0128-CVE-2023-5363.patch deleted file mode 100644 index 8610da0..0000000 --- a/SOURCES/0128-CVE-2023-5363.patch +++ /dev/null @@ -1,318 +0,0 @@ -diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c -index d2ed3fd378..6a819590e6 100644 ---- a/crypto/evp/evp_enc.c -+++ b/crypto/evp/evp_enc.c -@@ -223,6 +223,42 @@ static int evp_cipher_init_internal(EVP_CIPHER_CTX *ctx, - return 0; - } - -+#ifndef FIPS_MODULE -+ /* -+ * Fix for CVE-2023-5363 -+ * Passing in a size as part of the init call takes effect late -+ * so, force such to occur before the initialisation. -+ * -+ * The FIPS provider's internal library context is used in a manner -+ * such that this is not an issue. -+ */ -+ if (params != NULL) { -+ OSSL_PARAM param_lens[3] = { OSSL_PARAM_END, OSSL_PARAM_END, -+ OSSL_PARAM_END }; -+ OSSL_PARAM *q = param_lens; -+ const OSSL_PARAM *p; -+ -+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_KEYLEN); -+ if (p != NULL) -+ memcpy(q++, p, sizeof(*q)); -+ -+ /* -+ * Note that OSSL_CIPHER_PARAM_AEAD_IVLEN is a synomym for -+ * OSSL_CIPHER_PARAM_IVLEN so both are covered here. -+ */ -+ p = OSSL_PARAM_locate_const(params, OSSL_CIPHER_PARAM_IVLEN); -+ if (p != NULL) -+ memcpy(q++, p, sizeof(*q)); -+ -+ if (q != param_lens) { -+ if (!EVP_CIPHER_CTX_set_params(ctx, param_lens)) { -+ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH); -+ return 0; -+ } -+ } -+ } -+#endif -+ - if (enc) { - if (ctx->cipher->einit == NULL) { - ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); -diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c -index cfffa21350..2318bf6a68 100644 ---- a/test/evp_extra_test.c -+++ b/test/evp_extra_test.c -@@ -4851,6 +4851,253 @@ static int test_ecx_not_private_key(int tst) - return options; - } - -+static int aes_gcm_encrypt(const unsigned char *gcm_key, size_t gcm_key_s, -+ const unsigned char *gcm_iv, size_t gcm_ivlen, -+ const unsigned char *gcm_pt, size_t gcm_pt_s, -+ const unsigned char *gcm_aad, size_t gcm_aad_s, -+ const unsigned char *gcm_ct, size_t gcm_ct_s, -+ const unsigned char *gcm_tag, size_t gcm_tag_s) -+{ -+ int ret = 0; -+ EVP_CIPHER_CTX *ctx; -+ EVP_CIPHER *cipher = NULL; -+ int outlen, tmplen; -+ unsigned char outbuf[1024]; -+ unsigned char outtag[16]; -+ OSSL_PARAM params[2] = { -+ OSSL_PARAM_END, OSSL_PARAM_END -+ }; -+ -+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) -+ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", ""))) -+ goto err; -+ -+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, -+ &gcm_ivlen); -+ -+ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params)) -+ || (gcm_aad != NULL -+ && !TEST_true(EVP_EncryptUpdate(ctx, NULL, &outlen, -+ gcm_aad, gcm_aad_s))) -+ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen, -+ gcm_pt, gcm_pt_s)) -+ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen))) -+ goto err; -+ -+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, -+ outtag, sizeof(outtag)); -+ -+ if (!TEST_true(EVP_CIPHER_CTX_get_params(ctx, params)) -+ || !TEST_mem_eq(outbuf, outlen, gcm_ct, gcm_ct_s) -+ || !TEST_mem_eq(outtag, gcm_tag_s, gcm_tag, gcm_tag_s)) -+ goto err; -+ -+ ret = 1; -+err: -+ EVP_CIPHER_free(cipher); -+ EVP_CIPHER_CTX_free(ctx); -+ -+ return ret; -+} -+ -+static int aes_gcm_decrypt(const unsigned char *gcm_key, size_t gcm_key_s, -+ const unsigned char *gcm_iv, size_t gcm_ivlen, -+ const unsigned char *gcm_pt, size_t gcm_pt_s, -+ const unsigned char *gcm_aad, size_t gcm_aad_s, -+ const unsigned char *gcm_ct, size_t gcm_ct_s, -+ const unsigned char *gcm_tag, size_t gcm_tag_s) -+{ -+ int ret = 0; -+ EVP_CIPHER_CTX *ctx; -+ EVP_CIPHER *cipher = NULL; -+ int outlen; -+ unsigned char outbuf[1024]; -+ OSSL_PARAM params[2] = { -+ OSSL_PARAM_END, OSSL_PARAM_END -+ }; -+ -+ if ((ctx = EVP_CIPHER_CTX_new()) == NULL) -+ goto err; -+ -+ if ((cipher = EVP_CIPHER_fetch(testctx, "AES-256-GCM", "")) == NULL) -+ goto err; -+ -+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_AEAD_IVLEN, -+ &gcm_ivlen); -+ -+ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, gcm_key, gcm_iv, params)) -+ || (gcm_aad != NULL -+ && !TEST_true(EVP_DecryptUpdate(ctx, NULL, &outlen, -+ gcm_aad, gcm_aad_s))) -+ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen, -+ gcm_ct, gcm_ct_s)) -+ || !TEST_mem_eq(outbuf, outlen, gcm_pt, gcm_pt_s)) -+ goto err; -+ -+ params[0] = OSSL_PARAM_construct_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, -+ (void*)gcm_tag, gcm_tag_s); -+ -+ if (!TEST_true(EVP_CIPHER_CTX_set_params(ctx, params)) -+ ||!TEST_true(EVP_DecryptFinal_ex(ctx, outbuf, &outlen))) -+ goto err; -+ -+ ret = 1; -+err: -+ EVP_CIPHER_free(cipher); -+ EVP_CIPHER_CTX_free(ctx); -+ -+ return ret; -+} -+ -+static int test_aes_gcm_ivlen_change_cve_2023_5363(void) -+{ -+ /* AES-GCM test data obtained from NIST public test vectors */ -+ static const unsigned char gcm_key[] = { -+ 0xd0, 0xc2, 0x67, 0xc1, 0x9f, 0x30, 0xd8, 0x0b, 0x89, 0x14, 0xbb, 0xbf, -+ 0xb7, 0x2f, 0x73, 0xb8, 0xd3, 0xcd, 0x5f, 0x6a, 0x78, 0x70, 0x15, 0x84, -+ 0x8a, 0x7b, 0x30, 0xe3, 0x8f, 0x16, 0xf1, 0x8b, -+ }; -+ static const unsigned char gcm_iv[] = { -+ 0xb6, 0xdc, 0xda, 0x95, 0xac, 0x99, 0x77, 0x76, 0x25, 0xae, 0x87, 0xf8, -+ 0xa3, 0xa9, 0xdd, 0x64, 0xd7, 0x9b, 0xbd, 0x5f, 0x4a, 0x0e, 0x54, 0xca, -+ 0x1a, 0x9f, 0xa2, 0xe3, 0xf4, 0x5f, 0x5f, 0xc2, 0xce, 0xa7, 0xb6, 0x14, -+ 0x12, 0x6f, 0xf0, 0xaf, 0xfd, 0x3e, 0x17, 0x35, 0x6e, 0xa0, 0x16, 0x09, -+ 0xdd, 0xa1, 0x3f, 0xd8, 0xdd, 0xf3, 0xdf, 0x4f, 0xcb, 0x18, 0x49, 0xb8, -+ 0xb3, 0x69, 0x2c, 0x5d, 0x4f, 0xad, 0x30, 0x91, 0x08, 0xbc, 0xbe, 0x24, -+ 0x01, 0x0f, 0xbe, 0x9c, 0xfb, 0x4f, 0x5d, 0x19, 0x7f, 0x4c, 0x53, 0xb0, -+ 0x95, 0x90, 0xac, 0x7b, 0x1f, 0x7b, 0xa0, 0x99, 0xe1, 0xf3, 0x48, 0x54, -+ 0xd0, 0xfc, 0xa9, 0xcc, 0x91, 0xf8, 0x1f, 0x9b, 0x6c, 0x9a, 0xe0, 0xdc, -+ 0x63, 0xea, 0x7d, 0x2a, 0x4a, 0x7d, 0xa5, 0xed, 0x68, 0x57, 0x27, 0x6b, -+ 0x68, 0xe0, 0xf2, 0xb8, 0x51, 0x50, 0x8d, 0x3d, -+ }; -+ static const unsigned char gcm_pt[] = { -+ 0xb8, 0xb6, 0x88, 0x36, 0x44, 0xe2, 0x34, 0xdf, 0x24, 0x32, 0x91, 0x07, -+ 0x4f, 0xe3, 0x6f, 0x81, -+ }; -+ static const unsigned char gcm_ct[] = { -+ 0xff, 0x4f, 0xb3, 0xf3, 0xf9, 0xa2, 0x51, 0xd4, 0x82, 0xc2, 0xbe, 0xf3, -+ 0xe2, 0xd0, 0xec, 0xed, -+ }; -+ static const unsigned char gcm_tag[] = { -+ 0xbd, 0x06, 0x38, 0x09, 0xf7, 0xe1, 0xc4, 0x72, 0x0e, 0xf2, 0xea, 0x63, -+ 0xdb, 0x99, 0x6c, 0x21, -+ }; -+ -+ return aes_gcm_encrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv), -+ gcm_pt, sizeof(gcm_pt), NULL, 0, -+ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag)) -+ && aes_gcm_decrypt(gcm_key, sizeof(gcm_key), gcm_iv, sizeof(gcm_iv), -+ gcm_pt, sizeof(gcm_pt), NULL, 0, -+ gcm_ct, sizeof(gcm_ct), gcm_tag, sizeof(gcm_tag)); -+} -+ -+#ifndef OPENSSL_NO_RC4 -+static int rc4_encrypt(const unsigned char *rc4_key, size_t rc4_key_s, -+ const unsigned char *rc4_pt, size_t rc4_pt_s, -+ const unsigned char *rc4_ct, size_t rc4_ct_s) -+{ -+ int ret = 0; -+ EVP_CIPHER_CTX *ctx; -+ EVP_CIPHER *cipher = NULL; -+ int outlen, tmplen; -+ unsigned char outbuf[1024]; -+ OSSL_PARAM params[2] = { -+ OSSL_PARAM_END, OSSL_PARAM_END -+ }; -+ -+ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) -+ || !TEST_ptr(cipher = EVP_CIPHER_fetch(testctx, "RC4", ""))) -+ goto err; -+ -+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, -+ &rc4_key_s); -+ -+ if (!TEST_true(EVP_EncryptInit_ex2(ctx, cipher, rc4_key, NULL, params)) -+ || !TEST_true(EVP_EncryptUpdate(ctx, outbuf, &outlen, -+ rc4_pt, rc4_pt_s)) -+ || !TEST_true(EVP_EncryptFinal_ex(ctx, outbuf, &tmplen))) -+ goto err; -+ -+ if (!TEST_mem_eq(outbuf, outlen, rc4_ct, rc4_ct_s)) -+ goto err; -+ -+ ret = 1; -+err: -+ EVP_CIPHER_free(cipher); -+ EVP_CIPHER_CTX_free(ctx); -+ -+ return ret; -+} -+ -+static int rc4_decrypt(const unsigned char *rc4_key, size_t rc4_key_s, -+ const unsigned char *rc4_pt, size_t rc4_pt_s, -+ const unsigned char *rc4_ct, size_t rc4_ct_s) -+{ -+ int ret = 0; -+ EVP_CIPHER_CTX *ctx; -+ EVP_CIPHER *cipher = NULL; -+ int outlen; -+ unsigned char outbuf[1024]; -+ OSSL_PARAM params[2] = { -+ OSSL_PARAM_END, OSSL_PARAM_END -+ }; -+ -+ if ((ctx = EVP_CIPHER_CTX_new()) == NULL) -+ goto err; -+ -+ if ((cipher = EVP_CIPHER_fetch(testctx, "RC4", "")) == NULL) -+ goto err; -+ -+ params[0] = OSSL_PARAM_construct_size_t(OSSL_CIPHER_PARAM_KEYLEN, -+ &rc4_key_s); -+ -+ if (!TEST_true(EVP_DecryptInit_ex2(ctx, cipher, rc4_key, NULL, params)) -+ || !TEST_true(EVP_DecryptUpdate(ctx, outbuf, &outlen, -+ rc4_ct, rc4_ct_s)) -+ || !TEST_mem_eq(outbuf, outlen, rc4_pt, rc4_pt_s)) -+ goto err; -+ -+ ret = 1; -+err: -+ EVP_CIPHER_free(cipher); -+ EVP_CIPHER_CTX_free(ctx); -+ -+ return ret; -+} -+ -+static int test_aes_rc4_keylen_change_cve_2023_5363(void) -+{ -+ /* RC4 test data obtained from RFC 6229 */ -+ static const struct { -+ unsigned char key[5]; -+ unsigned char padding[11]; -+ } rc4_key = { -+ { /* Five bytes of key material */ -+ 0x83, 0x32, 0x22, 0x77, 0x2a, -+ }, -+ { /* Random padding to 16 bytes */ -+ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, 0xaa, 0x32, 0x91 -+ } -+ }; -+ static const unsigned char rc4_pt[] = { -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, -+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 -+ }; -+ static const unsigned char rc4_ct[] = { -+ 0x80, 0xad, 0x97, 0xbd, 0xc9, 0x73, 0xdf, 0x8a, -+ 0x2e, 0x87, 0x9e, 0x92, 0xa4, 0x97, 0xef, 0xda -+ }; -+ -+ if (lgcyprov == NULL) -+ return TEST_skip("Test requires legacy provider to be loaded"); -+ -+ return rc4_encrypt(rc4_key.key, sizeof(rc4_key.key), -+ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct)) -+ && rc4_decrypt(rc4_key.key, sizeof(rc4_key.key), -+ rc4_pt, sizeof(rc4_pt), rc4_ct, sizeof(rc4_ct)); -+} -+#endif -+ - int setup_tests(void) - { - OPTION_CHOICE o; -@@ -4994,6 +5241,12 @@ int setup_tests(void) - - ADD_ALL_TESTS(test_ecx_short_keys, OSSL_NELEM(ecxnids)); - -+ /* Test cases for CVE-2023-5363 */ -+ ADD_TEST(test_aes_gcm_ivlen_change_cve_2023_5363); -+#ifndef OPENSSL_NO_RC4 -+ ADD_TEST(test_aes_rc4_keylen_change_cve_2023_5363); -+#endif -+ - return 1; - } - diff --git a/SOURCES/0129-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch b/SOURCES/0129-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch new file mode 100644 index 0000000..ae383c8 --- /dev/null +++ b/SOURCES/0129-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch @@ -0,0 +1,1169 @@ +From 7ea1f6a85b299b976cb3f756b2a7f0153f31b2b6 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 4 Jun 2024 15:47:32 +0100 +Subject: [PATCH 06/10] Allow an empty NPN/ALPN protocol list in the tests + +Allow ourselves to configure an empty NPN/ALPN protocol list and test what +happens if we do. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + test/helpers/handshake.c | 6 + + test/ssl-tests/08-npn.cnf | 553 +++++++++++++++++++--------------- + test/ssl-tests/08-npn.cnf.in | 35 +++ + test/ssl-tests/09-alpn.cnf | 66 +++- + test/ssl-tests/09-alpn.cnf.in | 33 ++ + 5 files changed, 449 insertions(+), 244 deletions(-) + +diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c +index e0422469e4..6b1629b942 100644 +--- a/test/helpers/handshake.c ++++ b/test/helpers/handshake.c +@@ -348,6 +348,12 @@ static int parse_protos(const char *protos, unsigned char **out, size_t *outlen) + + len = strlen(protos); + ++ if (len == 0) { ++ *out = NULL; ++ *outlen = 0; ++ return 1; ++ } ++ + /* Should never have reuse. */ + if (!TEST_ptr_null(*out) + /* Test values are small, so we omit length limit checks. */ +diff --git a/test/ssl-tests/08-npn.cnf b/test/ssl-tests/08-npn.cnf +index f38b3f6975..1931d02de4 100644 +--- a/test/ssl-tests/08-npn.cnf ++++ b/test/ssl-tests/08-npn.cnf +@@ -1,6 +1,6 @@ + # Generated with generate_ssl_tests.pl + +-num_tests = 20 ++num_tests = 22 + + test-0 = 0-npn-simple + test-1 = 1-npn-client-finds-match +@@ -8,20 +8,22 @@ test-2 = 2-npn-client-honours-server-pref + test-3 = 3-npn-client-first-pref-on-mismatch + test-4 = 4-npn-no-server-support + test-5 = 5-npn-no-client-support +-test-6 = 6-npn-with-sni-no-context-switch +-test-7 = 7-npn-with-sni-context-switch +-test-8 = 8-npn-selected-sni-server-supports-npn +-test-9 = 9-npn-selected-sni-server-does-not-support-npn +-test-10 = 10-alpn-preferred-over-npn +-test-11 = 11-sni-npn-preferred-over-alpn +-test-12 = 12-npn-simple-resumption +-test-13 = 13-npn-server-switch-resumption +-test-14 = 14-npn-client-switch-resumption +-test-15 = 15-npn-client-first-pref-on-mismatch-resumption +-test-16 = 16-npn-no-server-support-resumption +-test-17 = 17-npn-no-client-support-resumption +-test-18 = 18-alpn-preferred-over-npn-resumption +-test-19 = 19-npn-used-if-alpn-not-supported-resumption ++test-6 = 6-npn-empty-client-list ++test-7 = 7-npn-empty-server-list ++test-8 = 8-npn-with-sni-no-context-switch ++test-9 = 9-npn-with-sni-context-switch ++test-10 = 10-npn-selected-sni-server-supports-npn ++test-11 = 11-npn-selected-sni-server-does-not-support-npn ++test-12 = 12-alpn-preferred-over-npn ++test-13 = 13-sni-npn-preferred-over-alpn ++test-14 = 14-npn-simple-resumption ++test-15 = 15-npn-server-switch-resumption ++test-16 = 16-npn-client-switch-resumption ++test-17 = 17-npn-client-first-pref-on-mismatch-resumption ++test-18 = 18-npn-no-server-support-resumption ++test-19 = 19-npn-no-client-support-resumption ++test-20 = 20-alpn-preferred-over-npn-resumption ++test-21 = 21-npn-used-if-alpn-not-supported-resumption + # =========================================================== + + [0-npn-simple] +@@ -206,253 +208,318 @@ NPNProtocols = foo + + # =========================================================== + +-[6-npn-with-sni-no-context-switch] +-ssl_conf = 6-npn-with-sni-no-context-switch-ssl ++[6-npn-empty-client-list] ++ssl_conf = 6-npn-empty-client-list-ssl + +-[6-npn-with-sni-no-context-switch-ssl] +-server = 6-npn-with-sni-no-context-switch-server +-client = 6-npn-with-sni-no-context-switch-client +-server2 = 6-npn-with-sni-no-context-switch-server2 ++[6-npn-empty-client-list-ssl] ++server = 6-npn-empty-client-list-server ++client = 6-npn-empty-client-list-client + +-[6-npn-with-sni-no-context-switch-server] ++[6-npn-empty-client-list-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[6-npn-with-sni-no-context-switch-server2] ++[6-npn-empty-client-list-client] ++CipherString = DEFAULT ++MaxProtocol = TLSv1.2 ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-6] ++ExpectedClientAlert = HandshakeFailure ++ExpectedResult = ClientFail ++server = 6-npn-empty-client-list-server-extra ++client = 6-npn-empty-client-list-client-extra ++ ++[6-npn-empty-client-list-server-extra] ++NPNProtocols = foo ++ ++[6-npn-empty-client-list-client-extra] ++NPNProtocols = ++ ++ ++# =========================================================== ++ ++[7-npn-empty-server-list] ++ssl_conf = 7-npn-empty-server-list-ssl ++ ++[7-npn-empty-server-list-ssl] ++server = 7-npn-empty-server-list-server ++client = 7-npn-empty-server-list-client ++ ++[7-npn-empty-server-list-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[6-npn-with-sni-no-context-switch-client] ++[7-npn-empty-server-list-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-6] ++[test-7] ++ExpectedNPNProtocol = foo ++server = 7-npn-empty-server-list-server-extra ++client = 7-npn-empty-server-list-client-extra ++ ++[7-npn-empty-server-list-server-extra] ++NPNProtocols = ++ ++[7-npn-empty-server-list-client-extra] ++NPNProtocols = foo ++ ++ ++# =========================================================== ++ ++[8-npn-with-sni-no-context-switch] ++ssl_conf = 8-npn-with-sni-no-context-switch-ssl ++ ++[8-npn-with-sni-no-context-switch-ssl] ++server = 8-npn-with-sni-no-context-switch-server ++client = 8-npn-with-sni-no-context-switch-client ++server2 = 8-npn-with-sni-no-context-switch-server2 ++ ++[8-npn-with-sni-no-context-switch-server] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[8-npn-with-sni-no-context-switch-server2] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[8-npn-with-sni-no-context-switch-client] ++CipherString = DEFAULT ++MaxProtocol = TLSv1.2 ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-8] + ExpectedNPNProtocol = foo + ExpectedServerName = server1 +-server = 6-npn-with-sni-no-context-switch-server-extra +-server2 = 6-npn-with-sni-no-context-switch-server2-extra +-client = 6-npn-with-sni-no-context-switch-client-extra ++server = 8-npn-with-sni-no-context-switch-server-extra ++server2 = 8-npn-with-sni-no-context-switch-server2-extra ++client = 8-npn-with-sni-no-context-switch-client-extra + +-[6-npn-with-sni-no-context-switch-server-extra] ++[8-npn-with-sni-no-context-switch-server-extra] + NPNProtocols = foo + ServerNameCallback = IgnoreMismatch + +-[6-npn-with-sni-no-context-switch-server2-extra] ++[8-npn-with-sni-no-context-switch-server2-extra] + NPNProtocols = bar + +-[6-npn-with-sni-no-context-switch-client-extra] ++[8-npn-with-sni-no-context-switch-client-extra] + NPNProtocols = foo,bar + ServerName = server1 + + + # =========================================================== + +-[7-npn-with-sni-context-switch] +-ssl_conf = 7-npn-with-sni-context-switch-ssl ++[9-npn-with-sni-context-switch] ++ssl_conf = 9-npn-with-sni-context-switch-ssl + +-[7-npn-with-sni-context-switch-ssl] +-server = 7-npn-with-sni-context-switch-server +-client = 7-npn-with-sni-context-switch-client +-server2 = 7-npn-with-sni-context-switch-server2 ++[9-npn-with-sni-context-switch-ssl] ++server = 9-npn-with-sni-context-switch-server ++client = 9-npn-with-sni-context-switch-client ++server2 = 9-npn-with-sni-context-switch-server2 + +-[7-npn-with-sni-context-switch-server] ++[9-npn-with-sni-context-switch-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[7-npn-with-sni-context-switch-server2] ++[9-npn-with-sni-context-switch-server2] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[7-npn-with-sni-context-switch-client] ++[9-npn-with-sni-context-switch-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-7] ++[test-9] + ExpectedNPNProtocol = bar + ExpectedServerName = server2 +-server = 7-npn-with-sni-context-switch-server-extra +-server2 = 7-npn-with-sni-context-switch-server2-extra +-client = 7-npn-with-sni-context-switch-client-extra ++server = 9-npn-with-sni-context-switch-server-extra ++server2 = 9-npn-with-sni-context-switch-server2-extra ++client = 9-npn-with-sni-context-switch-client-extra + +-[7-npn-with-sni-context-switch-server-extra] ++[9-npn-with-sni-context-switch-server-extra] + NPNProtocols = foo + ServerNameCallback = IgnoreMismatch + +-[7-npn-with-sni-context-switch-server2-extra] ++[9-npn-with-sni-context-switch-server2-extra] + NPNProtocols = bar + +-[7-npn-with-sni-context-switch-client-extra] ++[9-npn-with-sni-context-switch-client-extra] + NPNProtocols = foo,bar + ServerName = server2 + + + # =========================================================== + +-[8-npn-selected-sni-server-supports-npn] +-ssl_conf = 8-npn-selected-sni-server-supports-npn-ssl ++[10-npn-selected-sni-server-supports-npn] ++ssl_conf = 10-npn-selected-sni-server-supports-npn-ssl + +-[8-npn-selected-sni-server-supports-npn-ssl] +-server = 8-npn-selected-sni-server-supports-npn-server +-client = 8-npn-selected-sni-server-supports-npn-client +-server2 = 8-npn-selected-sni-server-supports-npn-server2 ++[10-npn-selected-sni-server-supports-npn-ssl] ++server = 10-npn-selected-sni-server-supports-npn-server ++client = 10-npn-selected-sni-server-supports-npn-client ++server2 = 10-npn-selected-sni-server-supports-npn-server2 + +-[8-npn-selected-sni-server-supports-npn-server] ++[10-npn-selected-sni-server-supports-npn-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[8-npn-selected-sni-server-supports-npn-server2] ++[10-npn-selected-sni-server-supports-npn-server2] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[8-npn-selected-sni-server-supports-npn-client] ++[10-npn-selected-sni-server-supports-npn-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-8] ++[test-10] + ExpectedNPNProtocol = bar + ExpectedServerName = server2 +-server = 8-npn-selected-sni-server-supports-npn-server-extra +-server2 = 8-npn-selected-sni-server-supports-npn-server2-extra +-client = 8-npn-selected-sni-server-supports-npn-client-extra ++server = 10-npn-selected-sni-server-supports-npn-server-extra ++server2 = 10-npn-selected-sni-server-supports-npn-server2-extra ++client = 10-npn-selected-sni-server-supports-npn-client-extra + +-[8-npn-selected-sni-server-supports-npn-server-extra] ++[10-npn-selected-sni-server-supports-npn-server-extra] + ServerNameCallback = IgnoreMismatch + +-[8-npn-selected-sni-server-supports-npn-server2-extra] ++[10-npn-selected-sni-server-supports-npn-server2-extra] + NPNProtocols = bar + +-[8-npn-selected-sni-server-supports-npn-client-extra] ++[10-npn-selected-sni-server-supports-npn-client-extra] + NPNProtocols = foo,bar + ServerName = server2 + + + # =========================================================== + +-[9-npn-selected-sni-server-does-not-support-npn] +-ssl_conf = 9-npn-selected-sni-server-does-not-support-npn-ssl ++[11-npn-selected-sni-server-does-not-support-npn] ++ssl_conf = 11-npn-selected-sni-server-does-not-support-npn-ssl + +-[9-npn-selected-sni-server-does-not-support-npn-ssl] +-server = 9-npn-selected-sni-server-does-not-support-npn-server +-client = 9-npn-selected-sni-server-does-not-support-npn-client +-server2 = 9-npn-selected-sni-server-does-not-support-npn-server2 ++[11-npn-selected-sni-server-does-not-support-npn-ssl] ++server = 11-npn-selected-sni-server-does-not-support-npn-server ++client = 11-npn-selected-sni-server-does-not-support-npn-client ++server2 = 11-npn-selected-sni-server-does-not-support-npn-server2 + +-[9-npn-selected-sni-server-does-not-support-npn-server] ++[11-npn-selected-sni-server-does-not-support-npn-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[9-npn-selected-sni-server-does-not-support-npn-server2] ++[11-npn-selected-sni-server-does-not-support-npn-server2] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[9-npn-selected-sni-server-does-not-support-npn-client] ++[11-npn-selected-sni-server-does-not-support-npn-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-9] ++[test-11] + ExpectedServerName = server2 +-server = 9-npn-selected-sni-server-does-not-support-npn-server-extra +-client = 9-npn-selected-sni-server-does-not-support-npn-client-extra ++server = 11-npn-selected-sni-server-does-not-support-npn-server-extra ++client = 11-npn-selected-sni-server-does-not-support-npn-client-extra + +-[9-npn-selected-sni-server-does-not-support-npn-server-extra] ++[11-npn-selected-sni-server-does-not-support-npn-server-extra] + NPNProtocols = bar + ServerNameCallback = IgnoreMismatch + +-[9-npn-selected-sni-server-does-not-support-npn-client-extra] ++[11-npn-selected-sni-server-does-not-support-npn-client-extra] + NPNProtocols = foo,bar + ServerName = server2 + + + # =========================================================== + +-[10-alpn-preferred-over-npn] +-ssl_conf = 10-alpn-preferred-over-npn-ssl ++[12-alpn-preferred-over-npn] ++ssl_conf = 12-alpn-preferred-over-npn-ssl + +-[10-alpn-preferred-over-npn-ssl] +-server = 10-alpn-preferred-over-npn-server +-client = 10-alpn-preferred-over-npn-client ++[12-alpn-preferred-over-npn-ssl] ++server = 12-alpn-preferred-over-npn-server ++client = 12-alpn-preferred-over-npn-client + +-[10-alpn-preferred-over-npn-server] ++[12-alpn-preferred-over-npn-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[10-alpn-preferred-over-npn-client] ++[12-alpn-preferred-over-npn-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-10] ++[test-12] + ExpectedALPNProtocol = foo +-server = 10-alpn-preferred-over-npn-server-extra +-client = 10-alpn-preferred-over-npn-client-extra ++server = 12-alpn-preferred-over-npn-server-extra ++client = 12-alpn-preferred-over-npn-client-extra + +-[10-alpn-preferred-over-npn-server-extra] ++[12-alpn-preferred-over-npn-server-extra] + ALPNProtocols = foo + NPNProtocols = bar + +-[10-alpn-preferred-over-npn-client-extra] ++[12-alpn-preferred-over-npn-client-extra] + ALPNProtocols = foo + NPNProtocols = bar + + + # =========================================================== + +-[11-sni-npn-preferred-over-alpn] +-ssl_conf = 11-sni-npn-preferred-over-alpn-ssl ++[13-sni-npn-preferred-over-alpn] ++ssl_conf = 13-sni-npn-preferred-over-alpn-ssl + +-[11-sni-npn-preferred-over-alpn-ssl] +-server = 11-sni-npn-preferred-over-alpn-server +-client = 11-sni-npn-preferred-over-alpn-client +-server2 = 11-sni-npn-preferred-over-alpn-server2 ++[13-sni-npn-preferred-over-alpn-ssl] ++server = 13-sni-npn-preferred-over-alpn-server ++client = 13-sni-npn-preferred-over-alpn-client ++server2 = 13-sni-npn-preferred-over-alpn-server2 + +-[11-sni-npn-preferred-over-alpn-server] ++[13-sni-npn-preferred-over-alpn-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[11-sni-npn-preferred-over-alpn-server2] ++[13-sni-npn-preferred-over-alpn-server2] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[11-sni-npn-preferred-over-alpn-client] ++[13-sni-npn-preferred-over-alpn-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-11] ++[test-13] + ExpectedNPNProtocol = bar + ExpectedServerName = server2 +-server = 11-sni-npn-preferred-over-alpn-server-extra +-server2 = 11-sni-npn-preferred-over-alpn-server2-extra +-client = 11-sni-npn-preferred-over-alpn-client-extra ++server = 13-sni-npn-preferred-over-alpn-server-extra ++server2 = 13-sni-npn-preferred-over-alpn-server2-extra ++client = 13-sni-npn-preferred-over-alpn-client-extra + +-[11-sni-npn-preferred-over-alpn-server-extra] ++[13-sni-npn-preferred-over-alpn-server-extra] + ALPNProtocols = foo + ServerNameCallback = IgnoreMismatch + +-[11-sni-npn-preferred-over-alpn-server2-extra] ++[13-sni-npn-preferred-over-alpn-server2-extra] + NPNProtocols = bar + +-[11-sni-npn-preferred-over-alpn-client-extra] ++[13-sni-npn-preferred-over-alpn-client-extra] + ALPNProtocols = foo + NPNProtocols = bar + ServerName = server2 +@@ -460,356 +527,356 @@ ServerName = server2 + + # =========================================================== + +-[12-npn-simple-resumption] +-ssl_conf = 12-npn-simple-resumption-ssl ++[14-npn-simple-resumption] ++ssl_conf = 14-npn-simple-resumption-ssl + +-[12-npn-simple-resumption-ssl] +-server = 12-npn-simple-resumption-server +-client = 12-npn-simple-resumption-client +-resume-server = 12-npn-simple-resumption-server +-resume-client = 12-npn-simple-resumption-client ++[14-npn-simple-resumption-ssl] ++server = 14-npn-simple-resumption-server ++client = 14-npn-simple-resumption-client ++resume-server = 14-npn-simple-resumption-server ++resume-client = 14-npn-simple-resumption-client + +-[12-npn-simple-resumption-server] ++[14-npn-simple-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[12-npn-simple-resumption-client] ++[14-npn-simple-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-12] ++[test-14] + ExpectedNPNProtocol = foo + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 12-npn-simple-resumption-server-extra +-resume-server = 12-npn-simple-resumption-server-extra +-client = 12-npn-simple-resumption-client-extra +-resume-client = 12-npn-simple-resumption-client-extra ++server = 14-npn-simple-resumption-server-extra ++resume-server = 14-npn-simple-resumption-server-extra ++client = 14-npn-simple-resumption-client-extra ++resume-client = 14-npn-simple-resumption-client-extra + +-[12-npn-simple-resumption-server-extra] ++[14-npn-simple-resumption-server-extra] + NPNProtocols = foo + +-[12-npn-simple-resumption-client-extra] ++[14-npn-simple-resumption-client-extra] + NPNProtocols = foo + + + # =========================================================== + +-[13-npn-server-switch-resumption] +-ssl_conf = 13-npn-server-switch-resumption-ssl ++[15-npn-server-switch-resumption] ++ssl_conf = 15-npn-server-switch-resumption-ssl + +-[13-npn-server-switch-resumption-ssl] +-server = 13-npn-server-switch-resumption-server +-client = 13-npn-server-switch-resumption-client +-resume-server = 13-npn-server-switch-resumption-resume-server +-resume-client = 13-npn-server-switch-resumption-client ++[15-npn-server-switch-resumption-ssl] ++server = 15-npn-server-switch-resumption-server ++client = 15-npn-server-switch-resumption-client ++resume-server = 15-npn-server-switch-resumption-resume-server ++resume-client = 15-npn-server-switch-resumption-client + +-[13-npn-server-switch-resumption-server] ++[15-npn-server-switch-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[13-npn-server-switch-resumption-resume-server] ++[15-npn-server-switch-resumption-resume-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[13-npn-server-switch-resumption-client] ++[15-npn-server-switch-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-13] ++[test-15] + ExpectedNPNProtocol = baz + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 13-npn-server-switch-resumption-server-extra +-resume-server = 13-npn-server-switch-resumption-resume-server-extra +-client = 13-npn-server-switch-resumption-client-extra +-resume-client = 13-npn-server-switch-resumption-client-extra ++server = 15-npn-server-switch-resumption-server-extra ++resume-server = 15-npn-server-switch-resumption-resume-server-extra ++client = 15-npn-server-switch-resumption-client-extra ++resume-client = 15-npn-server-switch-resumption-client-extra + +-[13-npn-server-switch-resumption-server-extra] ++[15-npn-server-switch-resumption-server-extra] + NPNProtocols = bar,foo + +-[13-npn-server-switch-resumption-resume-server-extra] ++[15-npn-server-switch-resumption-resume-server-extra] + NPNProtocols = baz,foo + +-[13-npn-server-switch-resumption-client-extra] ++[15-npn-server-switch-resumption-client-extra] + NPNProtocols = foo,bar,baz + + + # =========================================================== + +-[14-npn-client-switch-resumption] +-ssl_conf = 14-npn-client-switch-resumption-ssl ++[16-npn-client-switch-resumption] ++ssl_conf = 16-npn-client-switch-resumption-ssl + +-[14-npn-client-switch-resumption-ssl] +-server = 14-npn-client-switch-resumption-server +-client = 14-npn-client-switch-resumption-client +-resume-server = 14-npn-client-switch-resumption-server +-resume-client = 14-npn-client-switch-resumption-resume-client ++[16-npn-client-switch-resumption-ssl] ++server = 16-npn-client-switch-resumption-server ++client = 16-npn-client-switch-resumption-client ++resume-server = 16-npn-client-switch-resumption-server ++resume-client = 16-npn-client-switch-resumption-resume-client + +-[14-npn-client-switch-resumption-server] ++[16-npn-client-switch-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[14-npn-client-switch-resumption-client] ++[16-npn-client-switch-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[14-npn-client-switch-resumption-resume-client] ++[16-npn-client-switch-resumption-resume-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-14] ++[test-16] + ExpectedNPNProtocol = bar + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 14-npn-client-switch-resumption-server-extra +-resume-server = 14-npn-client-switch-resumption-server-extra +-client = 14-npn-client-switch-resumption-client-extra +-resume-client = 14-npn-client-switch-resumption-resume-client-extra ++server = 16-npn-client-switch-resumption-server-extra ++resume-server = 16-npn-client-switch-resumption-server-extra ++client = 16-npn-client-switch-resumption-client-extra ++resume-client = 16-npn-client-switch-resumption-resume-client-extra + +-[14-npn-client-switch-resumption-server-extra] ++[16-npn-client-switch-resumption-server-extra] + NPNProtocols = foo,bar,baz + +-[14-npn-client-switch-resumption-client-extra] ++[16-npn-client-switch-resumption-client-extra] + NPNProtocols = foo,baz + +-[14-npn-client-switch-resumption-resume-client-extra] ++[16-npn-client-switch-resumption-resume-client-extra] + NPNProtocols = bar,baz + + + # =========================================================== + +-[15-npn-client-first-pref-on-mismatch-resumption] +-ssl_conf = 15-npn-client-first-pref-on-mismatch-resumption-ssl ++[17-npn-client-first-pref-on-mismatch-resumption] ++ssl_conf = 17-npn-client-first-pref-on-mismatch-resumption-ssl + +-[15-npn-client-first-pref-on-mismatch-resumption-ssl] +-server = 15-npn-client-first-pref-on-mismatch-resumption-server +-client = 15-npn-client-first-pref-on-mismatch-resumption-client +-resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server +-resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client ++[17-npn-client-first-pref-on-mismatch-resumption-ssl] ++server = 17-npn-client-first-pref-on-mismatch-resumption-server ++client = 17-npn-client-first-pref-on-mismatch-resumption-client ++resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server ++resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client + +-[15-npn-client-first-pref-on-mismatch-resumption-server] ++[17-npn-client-first-pref-on-mismatch-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[15-npn-client-first-pref-on-mismatch-resumption-resume-server] ++[17-npn-client-first-pref-on-mismatch-resumption-resume-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[15-npn-client-first-pref-on-mismatch-resumption-client] ++[17-npn-client-first-pref-on-mismatch-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-15] ++[test-17] + ExpectedNPNProtocol = foo + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 15-npn-client-first-pref-on-mismatch-resumption-server-extra +-resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra +-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra +-resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra ++server = 17-npn-client-first-pref-on-mismatch-resumption-server-extra ++resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra ++client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra ++resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra + +-[15-npn-client-first-pref-on-mismatch-resumption-server-extra] ++[17-npn-client-first-pref-on-mismatch-resumption-server-extra] + NPNProtocols = bar + +-[15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra] ++[17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra] + NPNProtocols = baz + +-[15-npn-client-first-pref-on-mismatch-resumption-client-extra] ++[17-npn-client-first-pref-on-mismatch-resumption-client-extra] + NPNProtocols = foo,bar + + + # =========================================================== + +-[16-npn-no-server-support-resumption] +-ssl_conf = 16-npn-no-server-support-resumption-ssl ++[18-npn-no-server-support-resumption] ++ssl_conf = 18-npn-no-server-support-resumption-ssl + +-[16-npn-no-server-support-resumption-ssl] +-server = 16-npn-no-server-support-resumption-server +-client = 16-npn-no-server-support-resumption-client +-resume-server = 16-npn-no-server-support-resumption-resume-server +-resume-client = 16-npn-no-server-support-resumption-client ++[18-npn-no-server-support-resumption-ssl] ++server = 18-npn-no-server-support-resumption-server ++client = 18-npn-no-server-support-resumption-client ++resume-server = 18-npn-no-server-support-resumption-resume-server ++resume-client = 18-npn-no-server-support-resumption-client + +-[16-npn-no-server-support-resumption-server] ++[18-npn-no-server-support-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[16-npn-no-server-support-resumption-resume-server] ++[18-npn-no-server-support-resumption-resume-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[16-npn-no-server-support-resumption-client] ++[18-npn-no-server-support-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-16] ++[test-18] + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 16-npn-no-server-support-resumption-server-extra +-client = 16-npn-no-server-support-resumption-client-extra +-resume-client = 16-npn-no-server-support-resumption-client-extra ++server = 18-npn-no-server-support-resumption-server-extra ++client = 18-npn-no-server-support-resumption-client-extra ++resume-client = 18-npn-no-server-support-resumption-client-extra + +-[16-npn-no-server-support-resumption-server-extra] ++[18-npn-no-server-support-resumption-server-extra] + NPNProtocols = foo + +-[16-npn-no-server-support-resumption-client-extra] ++[18-npn-no-server-support-resumption-client-extra] + NPNProtocols = foo + + + # =========================================================== + +-[17-npn-no-client-support-resumption] +-ssl_conf = 17-npn-no-client-support-resumption-ssl ++[19-npn-no-client-support-resumption] ++ssl_conf = 19-npn-no-client-support-resumption-ssl + +-[17-npn-no-client-support-resumption-ssl] +-server = 17-npn-no-client-support-resumption-server +-client = 17-npn-no-client-support-resumption-client +-resume-server = 17-npn-no-client-support-resumption-server +-resume-client = 17-npn-no-client-support-resumption-resume-client ++[19-npn-no-client-support-resumption-ssl] ++server = 19-npn-no-client-support-resumption-server ++client = 19-npn-no-client-support-resumption-client ++resume-server = 19-npn-no-client-support-resumption-server ++resume-client = 19-npn-no-client-support-resumption-resume-client + +-[17-npn-no-client-support-resumption-server] ++[19-npn-no-client-support-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[17-npn-no-client-support-resumption-client] ++[19-npn-no-client-support-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[17-npn-no-client-support-resumption-resume-client] ++[19-npn-no-client-support-resumption-resume-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-17] ++[test-19] + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 17-npn-no-client-support-resumption-server-extra +-resume-server = 17-npn-no-client-support-resumption-server-extra +-client = 17-npn-no-client-support-resumption-client-extra ++server = 19-npn-no-client-support-resumption-server-extra ++resume-server = 19-npn-no-client-support-resumption-server-extra ++client = 19-npn-no-client-support-resumption-client-extra + +-[17-npn-no-client-support-resumption-server-extra] ++[19-npn-no-client-support-resumption-server-extra] + NPNProtocols = foo + +-[17-npn-no-client-support-resumption-client-extra] ++[19-npn-no-client-support-resumption-client-extra] + NPNProtocols = foo + + + # =========================================================== + +-[18-alpn-preferred-over-npn-resumption] +-ssl_conf = 18-alpn-preferred-over-npn-resumption-ssl ++[20-alpn-preferred-over-npn-resumption] ++ssl_conf = 20-alpn-preferred-over-npn-resumption-ssl + +-[18-alpn-preferred-over-npn-resumption-ssl] +-server = 18-alpn-preferred-over-npn-resumption-server +-client = 18-alpn-preferred-over-npn-resumption-client +-resume-server = 18-alpn-preferred-over-npn-resumption-resume-server +-resume-client = 18-alpn-preferred-over-npn-resumption-client ++[20-alpn-preferred-over-npn-resumption-ssl] ++server = 20-alpn-preferred-over-npn-resumption-server ++client = 20-alpn-preferred-over-npn-resumption-client ++resume-server = 20-alpn-preferred-over-npn-resumption-resume-server ++resume-client = 20-alpn-preferred-over-npn-resumption-client + +-[18-alpn-preferred-over-npn-resumption-server] ++[20-alpn-preferred-over-npn-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[18-alpn-preferred-over-npn-resumption-resume-server] ++[20-alpn-preferred-over-npn-resumption-resume-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[18-alpn-preferred-over-npn-resumption-client] ++[20-alpn-preferred-over-npn-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-18] ++[test-20] + ExpectedALPNProtocol = foo + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 18-alpn-preferred-over-npn-resumption-server-extra +-resume-server = 18-alpn-preferred-over-npn-resumption-resume-server-extra +-client = 18-alpn-preferred-over-npn-resumption-client-extra +-resume-client = 18-alpn-preferred-over-npn-resumption-client-extra ++server = 20-alpn-preferred-over-npn-resumption-server-extra ++resume-server = 20-alpn-preferred-over-npn-resumption-resume-server-extra ++client = 20-alpn-preferred-over-npn-resumption-client-extra ++resume-client = 20-alpn-preferred-over-npn-resumption-client-extra + +-[18-alpn-preferred-over-npn-resumption-server-extra] ++[20-alpn-preferred-over-npn-resumption-server-extra] + NPNProtocols = bar + +-[18-alpn-preferred-over-npn-resumption-resume-server-extra] ++[20-alpn-preferred-over-npn-resumption-resume-server-extra] + ALPNProtocols = foo + NPNProtocols = baz + +-[18-alpn-preferred-over-npn-resumption-client-extra] ++[20-alpn-preferred-over-npn-resumption-client-extra] + ALPNProtocols = foo + NPNProtocols = bar,baz + + + # =========================================================== + +-[19-npn-used-if-alpn-not-supported-resumption] +-ssl_conf = 19-npn-used-if-alpn-not-supported-resumption-ssl ++[21-npn-used-if-alpn-not-supported-resumption] ++ssl_conf = 21-npn-used-if-alpn-not-supported-resumption-ssl + +-[19-npn-used-if-alpn-not-supported-resumption-ssl] +-server = 19-npn-used-if-alpn-not-supported-resumption-server +-client = 19-npn-used-if-alpn-not-supported-resumption-client +-resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server +-resume-client = 19-npn-used-if-alpn-not-supported-resumption-client ++[21-npn-used-if-alpn-not-supported-resumption-ssl] ++server = 21-npn-used-if-alpn-not-supported-resumption-server ++client = 21-npn-used-if-alpn-not-supported-resumption-client ++resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server ++resume-client = 21-npn-used-if-alpn-not-supported-resumption-client + +-[19-npn-used-if-alpn-not-supported-resumption-server] ++[21-npn-used-if-alpn-not-supported-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[19-npn-used-if-alpn-not-supported-resumption-resume-server] ++[21-npn-used-if-alpn-not-supported-resumption-resume-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[19-npn-used-if-alpn-not-supported-resumption-client] ++[21-npn-used-if-alpn-not-supported-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-19] ++[test-21] + ExpectedNPNProtocol = baz + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 19-npn-used-if-alpn-not-supported-resumption-server-extra +-resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server-extra +-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra +-resume-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra ++server = 21-npn-used-if-alpn-not-supported-resumption-server-extra ++resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server-extra ++client = 21-npn-used-if-alpn-not-supported-resumption-client-extra ++resume-client = 21-npn-used-if-alpn-not-supported-resumption-client-extra + +-[19-npn-used-if-alpn-not-supported-resumption-server-extra] ++[21-npn-used-if-alpn-not-supported-resumption-server-extra] + ALPNProtocols = foo + NPNProtocols = bar + +-[19-npn-used-if-alpn-not-supported-resumption-resume-server-extra] ++[21-npn-used-if-alpn-not-supported-resumption-resume-server-extra] + NPNProtocols = baz + +-[19-npn-used-if-alpn-not-supported-resumption-client-extra] ++[21-npn-used-if-alpn-not-supported-resumption-client-extra] + ALPNProtocols = foo + NPNProtocols = bar,baz + +diff --git a/test/ssl-tests/08-npn.cnf.in b/test/ssl-tests/08-npn.cnf.in +index 30783e45eb..1dc2704bdb 100644 +--- a/test/ssl-tests/08-npn.cnf.in ++++ b/test/ssl-tests/08-npn.cnf.in +@@ -110,6 +110,41 @@ our @tests = ( + "ExpectedNPNProtocol" => undef, + }, + }, ++ { ++ name => "npn-empty-client-list", ++ server => { ++ extra => { ++ "NPNProtocols" => "foo", ++ }, ++ }, ++ client => { ++ extra => { ++ "NPNProtocols" => "", ++ }, ++ "MaxProtocol" => "TLSv1.2" ++ }, ++ test => { ++ "ExpectedResult" => "ClientFail", ++ "ExpectedClientAlert" => "HandshakeFailure" ++ }, ++ }, ++ { ++ name => "npn-empty-server-list", ++ server => { ++ extra => { ++ "NPNProtocols" => "", ++ }, ++ }, ++ client => { ++ extra => { ++ "NPNProtocols" => "foo", ++ }, ++ "MaxProtocol" => "TLSv1.2" ++ }, ++ test => { ++ "ExpectedNPNProtocol" => "foo" ++ }, ++ }, + { + name => "npn-with-sni-no-context-switch", + server => { +diff --git a/test/ssl-tests/09-alpn.cnf b/test/ssl-tests/09-alpn.cnf +index e7e6cb9534..dd668739ab 100644 +--- a/test/ssl-tests/09-alpn.cnf ++++ b/test/ssl-tests/09-alpn.cnf +@@ -1,6 +1,6 @@ + # Generated with generate_ssl_tests.pl + +-num_tests = 16 ++num_tests = 18 + + test-0 = 0-alpn-simple + test-1 = 1-alpn-server-finds-match +@@ -18,6 +18,8 @@ test-12 = 12-alpn-client-switch-resumption + test-13 = 13-alpn-alert-on-mismatch-resumption + test-14 = 14-alpn-no-server-support-resumption + test-15 = 15-alpn-no-client-support-resumption ++test-16 = 16-alpn-empty-client-list ++test-17 = 17-alpn-empty-server-list + # =========================================================== + + [0-alpn-simple] +@@ -617,3 +619,65 @@ ALPNProtocols = foo + ALPNProtocols = foo + + ++# =========================================================== ++ ++[16-alpn-empty-client-list] ++ssl_conf = 16-alpn-empty-client-list-ssl ++ ++[16-alpn-empty-client-list-ssl] ++server = 16-alpn-empty-client-list-server ++client = 16-alpn-empty-client-list-client ++ ++[16-alpn-empty-client-list-server] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[16-alpn-empty-client-list-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-16] ++server = 16-alpn-empty-client-list-server-extra ++client = 16-alpn-empty-client-list-client-extra ++ ++[16-alpn-empty-client-list-server-extra] ++ALPNProtocols = foo ++ ++[16-alpn-empty-client-list-client-extra] ++ALPNProtocols = ++ ++ ++# =========================================================== ++ ++[17-alpn-empty-server-list] ++ssl_conf = 17-alpn-empty-server-list-ssl ++ ++[17-alpn-empty-server-list-ssl] ++server = 17-alpn-empty-server-list-server ++client = 17-alpn-empty-server-list-client ++ ++[17-alpn-empty-server-list-server] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[17-alpn-empty-server-list-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-17] ++ExpectedResult = ServerFail ++ExpectedServerAlert = NoApplicationProtocol ++server = 17-alpn-empty-server-list-server-extra ++client = 17-alpn-empty-server-list-client-extra ++ ++[17-alpn-empty-server-list-server-extra] ++ALPNProtocols = ++ ++[17-alpn-empty-server-list-client-extra] ++ALPNProtocols = foo ++ ++ +diff --git a/test/ssl-tests/09-alpn.cnf.in b/test/ssl-tests/09-alpn.cnf.in +index 81330756c6..322b7096a6 100644 +--- a/test/ssl-tests/09-alpn.cnf.in ++++ b/test/ssl-tests/09-alpn.cnf.in +@@ -322,4 +322,37 @@ our @tests = ( + "ExpectedALPNProtocol" => undef, + }, + }, ++ { ++ name => "alpn-empty-client-list", ++ server => { ++ extra => { ++ "ALPNProtocols" => "foo", ++ }, ++ }, ++ client => { ++ extra => { ++ "ALPNProtocols" => "", ++ }, ++ }, ++ test => { ++ "ExpectedALPNProtocol" => undef, ++ }, ++ }, ++ { ++ name => "alpn-empty-server-list", ++ server => { ++ extra => { ++ "ALPNProtocols" => "", ++ }, ++ }, ++ client => { ++ extra => { ++ "ALPNProtocols" => "foo", ++ }, ++ }, ++ test => { ++ "ExpectedResult" => "ServerFail", ++ "ExpectedServerAlert" => "NoApplicationProtocol", ++ }, ++ }, + ); +-- +2.46.0 + diff --git a/SOURCES/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch b/SOURCES/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch deleted file mode 100644 index 8ee8793..0000000 --- a/SOURCES/0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch +++ /dev/null @@ -1,49 +0,0 @@ -From 0d873f9f647764df147d818a6e998b1c318bac31 Mon Sep 17 00:00:00 2001 -From: Clemens Lang -Date: Mon, 16 Oct 2023 15:30:26 +0200 -Subject: [PATCH] rsa: Add SP800-56Br2 6.4.1.2.1 (3.c) check - -The code did not yet check that the length of the RSA key is positive -and even. - -Signed-off-by: Clemens Lang -Upstream-Status: Backport [8b268541d9aabee51699aef22963407362830ef9] ---- - crypto/rsa/rsa_sp800_56b_check.c | 5 +++++ - test/rsa_sp800_56b_test.c | 4 ++++ - 2 files changed, 9 insertions(+) - -diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c -index fc8f19b487..e6b79e953d 100644 ---- a/crypto/rsa/rsa_sp800_56b_check.c -+++ b/crypto/rsa/rsa_sp800_56b_check.c -@@ -403,6 +403,11 @@ int ossl_rsa_sp800_56b_check_keypair(const RSA *rsa, const BIGNUM *efixed, - ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR); - return 0; - } -+ /* (Step 3.c): check that the modulus length is a positive even integer */ -+ if (nbits <= 0 || (nbits & 0x1)) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR); -+ return 0; -+ } - - ctx = BN_CTX_new_ex(rsa->libctx); - if (ctx == NULL) -diff --git a/test/rsa_sp800_56b_test.c b/test/rsa_sp800_56b_test.c -index 7660019f47..aa58bbbe6c 100644 ---- a/test/rsa_sp800_56b_test.c -+++ b/test/rsa_sp800_56b_test.c -@@ -458,6 +458,10 @@ static int test_invalid_keypair(void) - && TEST_true(BN_add_word(n, 1)) - && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2048)) - && TEST_true(BN_sub_word(n, 1)) -+ /* check that validation fails if len(n) is not even */ -+ && TEST_true(BN_lshift1(n, n)) -+ && TEST_false(ossl_rsa_sp800_56b_check_keypair(key, NULL, -1, 2049)) -+ && TEST_true(BN_rshift1(n, n)) - /* check p */ - && TEST_true(BN_sub_word(p, 2)) - && TEST_true(BN_mul(n, p, q, ctx)) --- -2.41.0 - diff --git a/SOURCES/0130-CVE-2023-5678.patch b/SOURCES/0130-CVE-2023-5678.patch deleted file mode 100644 index aa98d3b..0000000 --- a/SOURCES/0130-CVE-2023-5678.patch +++ /dev/null @@ -1,143 +0,0 @@ -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 7ba2beae7f..e20eb62081 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) - */ - int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) - { -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); -+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; -+ return 0; -+ } -+ -+ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) { -+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; -+ return 1; -+ } -+ - return ossl_ffc_validate_public_key(&dh->params, pub_key, ret); - } - -diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c -index 4152397426..f76ac0dd14 100644 ---- a/crypto/dh/dh_err.c -+++ b/crypto/dh/dh_err.c -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), - "parameter encoding error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), - "unable to check generator"}, -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index d84ea99241..afc49f5cdc 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - goto err; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ goto err; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -@@ -267,6 +273,12 @@ static int generate_key(DH *dh) - return 0; - } - -+ if (dh->params.q != NULL -+ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); -+ return 0; -+ } -+ - if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { - ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); - return 0; -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index e51504b7ab..36de321b74 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -500,6 +500,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set - DH_R_NO_PRIVATE_VALUE:100:no private value - DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error - DH_R_PEER_KEY_ERROR:111:peer key error -+DH_R_Q_TOO_LARGE:130:q too large - DH_R_SHARED_INFO_ERROR:113:shared info error - DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator - DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters -diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h -index bb24d131eb..519327f795 100644 ---- a/include/crypto/dherr.h -+++ b/include/crypto/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -diff --git a/include/openssl/dh.h b/include/openssl/dh.h -index 6533260f20..50e0cf54be 100644 ---- a/include/openssl/dh.h -+++ b/include/openssl/dh.h -@@ -141,7 +141,7 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_GENERATOR_3 3 - # define DH_GENERATOR_5 5 - --/* DH_check error codes */ -+/* DH_check error codes, some of them shared with DH_check_pub_key */ - /* - * NB: These values must align with the equivalently named macros in - * internal/ffc.h. -@@ -151,10 +151,10 @@ DECLARE_ASN1_ITEM(DHparams) - # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 - # define DH_NOT_SUITABLE_GENERATOR 0x08 - # define DH_CHECK_Q_NOT_PRIME 0x10 --# define DH_CHECK_INVALID_Q_VALUE 0x20 -+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ - # define DH_CHECK_INVALID_J_VALUE 0x40 - # define DH_MODULUS_TOO_SMALL 0x80 --# define DH_MODULUS_TOO_LARGE 0x100 -+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ - - /* DH_check_pub_key error codes */ - # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 -diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h -index 5d2a762a96..074a70145f 100644 ---- a/include/openssl/dherr.h -+++ b/include/openssl/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -50,6 +50,7 @@ - # define DH_R_NO_PRIVATE_VALUE 100 - # define DH_R_PARAMETER_ENCODING_ERROR 105 - # define DH_R_PEER_KEY_ERROR 111 -+# define DH_R_Q_TOO_LARGE 130 - # define DH_R_SHARED_INFO_ERROR 113 - # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 - diff --git a/SOURCES/0130-Correct-return-values-for-tls_construct_stoc_next_pr.patch b/SOURCES/0130-Correct-return-values-for-tls_construct_stoc_next_pr.patch new file mode 100644 index 0000000..97c28ee --- /dev/null +++ b/SOURCES/0130-Correct-return-values-for-tls_construct_stoc_next_pr.patch @@ -0,0 +1,39 @@ +From 53f5677f358c4a4f69830d944ea40e71950673b8 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 21 Jun 2024 10:41:55 +0100 +Subject: [PATCH 07/10] Correct return values for + tls_construct_stoc_next_proto_neg + +Return EXT_RETURN_NOT_SENT in the event that we don't send the extension, +rather than EXT_RETURN_SENT. This actually makes no difference at all to +the current control flow since this return value is ignored in this case +anyway. But lets make it correct anyway. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + ssl/statem/extensions_srvr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c +index 800654450e..66ed7dacf2 100644 +--- a/ssl/statem/extensions_srvr.c ++++ b/ssl/statem/extensions_srvr.c +@@ -1501,9 +1501,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt, + return EXT_RETURN_FAIL; + } + s->s3.npn_seen = 1; ++ return EXT_RETURN_SENT; + } + +- return EXT_RETURN_SENT; ++ return EXT_RETURN_NOT_SENT; + } + #endif + +-- +2.46.0 + diff --git a/SOURCES/0131-Add-ALPN-validation-in-the-client.patch b/SOURCES/0131-Add-ALPN-validation-in-the-client.patch new file mode 100644 index 0000000..1406860 --- /dev/null +++ b/SOURCES/0131-Add-ALPN-validation-in-the-client.patch @@ -0,0 +1,62 @@ +From 195e15421df113d7283aab2ccff8b8fb06df5465 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 21 Jun 2024 11:51:54 +0100 +Subject: [PATCH 08/10] Add ALPN validation in the client + +The ALPN protocol selected by the server must be one that we originally +advertised. We should verify that it is. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c +index 1ab3c13d57..ff9c009ee5 100644 +--- a/ssl/statem/extensions_clnt.c ++++ b/ssl/statem/extensions_clnt.c +@@ -1590,6 +1590,8 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) + { + size_t len; ++ PACKET confpkt, protpkt; ++ int valid = 0; + + /* We must have requested it. */ + if (!s->s3.alpn_sent) { +@@ -1608,6 +1610,28 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); + return 0; + } ++ ++ /* It must be a protocol that we sent */ ++ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) { ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) { ++ if (PACKET_remaining(&protpkt) != len) ++ continue; ++ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) { ++ /* Valid protocol found */ ++ valid = 1; ++ break; ++ } ++ } ++ ++ if (!valid) { ++ /* The protocol sent from the server does not match one we advertised */ ++ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); ++ return 0; ++ } ++ + OPENSSL_free(s->s3.alpn_selected); + s->s3.alpn_selected = OPENSSL_malloc(len); + if (s->s3.alpn_selected == NULL) { +-- +2.46.0 + diff --git a/SOURCES/0131-sslgroups-memleak.patch b/SOURCES/0131-sslgroups-memleak.patch deleted file mode 100644 index f292790..0000000 --- a/SOURCES/0131-sslgroups-memleak.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c -index 51c2283db915d..0928a30c2d37b 100644 ---- a/ssl/t1_lib.c -+++ b/ssl/t1_lib.c -@@ -765,6 +765,7 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, - tmparr = OPENSSL_memdup(gcb.gid_arr, gcb.gidcnt * sizeof(*tmparr)); - if (tmparr == NULL) - goto end; -+ OPENSSL_free(*pext); - *pext = tmparr; - *pextlen = gcb.gidcnt; - ret = 1; diff --git a/SOURCES/0132-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch b/SOURCES/0132-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch new file mode 100644 index 0000000..135fa25 --- /dev/null +++ b/SOURCES/0132-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch @@ -0,0 +1,267 @@ +From 7c95191434415d1c9b7fe9b130df13cce630b6b5 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 21 Jun 2024 10:09:41 +0100 +Subject: [PATCH 09/10] Add explicit testing of ALN and NPN in sslapitest + +We already had some tests elsewhere - but this extends that testing with +additional tests. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 229 insertions(+) + +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 15cb9060cb..7a55a2b721 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -11877,6 +11877,231 @@ static int test_select_next_proto(int idx) + return ret; + } + ++static const unsigned char fooprot[] = {3, 'f', 'o', 'o' }; ++static const unsigned char barprot[] = {3, 'b', 'a', 'r' }; ++ ++#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) ++static int npn_advert_cb(SSL *ssl, const unsigned char **out, ++ unsigned int *outlen, void *arg) ++{ ++ int *idx = (int *)arg; ++ ++ switch (*idx) { ++ default: ++ case 0: ++ *out = fooprot; ++ *outlen = sizeof(fooprot); ++ return SSL_TLSEXT_ERR_OK; ++ ++ case 1: ++ *outlen = 0; ++ return SSL_TLSEXT_ERR_OK; ++ ++ case 2: ++ return SSL_TLSEXT_ERR_NOACK; ++ } ++} ++ ++static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen, ++ const unsigned char *in, unsigned int inlen, void *arg) ++{ ++ int *idx = (int *)arg; ++ ++ switch (*idx) { ++ case 0: ++ case 1: ++ *out = (unsigned char *)(fooprot + 1); ++ *outlen = *fooprot; ++ return SSL_TLSEXT_ERR_OK; ++ ++ case 3: ++ *out = (unsigned char *)(barprot + 1); ++ *outlen = *barprot; ++ return SSL_TLSEXT_ERR_OK; ++ ++ case 4: ++ *outlen = 0; ++ return SSL_TLSEXT_ERR_OK; ++ ++ default: ++ case 2: ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++} ++ ++/* ++ * Test the NPN callbacks ++ * Test 0: advert = foo, select = foo ++ * Test 1: advert = , select = foo ++ * Test 2: no advert ++ * Test 3: advert = foo, select = bar ++ * Test 4: advert = foo, select = (should fail) ++ */ ++static int test_npn(int idx) ++{ ++ SSL_CTX *sctx = NULL, *cctx = NULL; ++ SSL *serverssl = NULL, *clientssl = NULL; ++ int testresult = 0; ++ ++ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), ++ TLS_client_method(), 0, TLS1_2_VERSION, ++ &sctx, &cctx, cert, privkey))) ++ goto end; ++ ++ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx); ++ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx); ++ ++ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, ++ NULL))) ++ goto end; ++ ++ if (idx == 4) { ++ /* We don't allow empty selection of NPN, so this should fail */ ++ if (!TEST_false(create_ssl_connection(serverssl, clientssl, ++ SSL_ERROR_NONE))) ++ goto end; ++ } else { ++ const unsigned char *prot; ++ unsigned int protlen; ++ ++ if (!TEST_true(create_ssl_connection(serverssl, clientssl, ++ SSL_ERROR_NONE))) ++ goto end; ++ ++ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen); ++ switch (idx) { ++ case 0: ++ case 1: ++ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot)) ++ goto end; ++ break; ++ case 2: ++ if (!TEST_uint_eq(protlen, 0)) ++ goto end; ++ break; ++ case 3: ++ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot)) ++ goto end; ++ break; ++ default: ++ TEST_error("Should not get here"); ++ goto end; ++ } ++ } ++ ++ testresult = 1; ++ end: ++ SSL_free(serverssl); ++ SSL_free(clientssl); ++ SSL_CTX_free(sctx); ++ SSL_CTX_free(cctx); ++ ++ return testresult; ++} ++#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */ ++ ++static int alpn_select_cb2(SSL *ssl, const unsigned char **out, ++ unsigned char *outlen, const unsigned char *in, ++ unsigned int inlen, void *arg) ++{ ++ int *idx = (int *)arg; ++ ++ switch (*idx) { ++ case 0: ++ *out = (unsigned char *)(fooprot + 1); ++ *outlen = *fooprot; ++ return SSL_TLSEXT_ERR_OK; ++ ++ case 2: ++ *out = (unsigned char *)(barprot + 1); ++ *outlen = *barprot; ++ return SSL_TLSEXT_ERR_OK; ++ ++ case 3: ++ *outlen = 0; ++ return SSL_TLSEXT_ERR_OK; ++ ++ default: ++ case 1: ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ return 0; ++} ++ ++/* ++ * Test the ALPN callbacks ++ * Test 0: client = foo, select = foo ++ * Test 1: client = , select = none ++ * Test 2: client = foo, select = bar (should fail) ++ * Test 3: client = foo, select = (should fail) ++ */ ++static int test_alpn(int idx) ++{ ++ SSL_CTX *sctx = NULL, *cctx = NULL; ++ SSL *serverssl = NULL, *clientssl = NULL; ++ int testresult = 0; ++ const unsigned char *prots = fooprot; ++ unsigned int protslen = sizeof(fooprot); ++ ++ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), ++ TLS_client_method(), 0, 0, ++ &sctx, &cctx, cert, privkey))) ++ goto end; ++ ++ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx); ++ ++ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, ++ NULL))) ++ goto end; ++ ++ if (idx == 1) { ++ prots = NULL; ++ protslen = 0; ++ } ++ ++ /* SSL_set_alpn_protos returns 0 for success! */ ++ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen))) ++ goto end; ++ ++ if (idx == 2 || idx == 3) { ++ /* We don't allow empty selection of NPN, so this should fail */ ++ if (!TEST_false(create_ssl_connection(serverssl, clientssl, ++ SSL_ERROR_NONE))) ++ goto end; ++ } else { ++ const unsigned char *prot; ++ unsigned int protlen; ++ ++ if (!TEST_true(create_ssl_connection(serverssl, clientssl, ++ SSL_ERROR_NONE))) ++ goto end; ++ ++ SSL_get0_alpn_selected(clientssl, &prot, &protlen); ++ switch (idx) { ++ case 0: ++ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot)) ++ goto end; ++ break; ++ case 1: ++ if (!TEST_uint_eq(protlen, 0)) ++ goto end; ++ break; ++ default: ++ TEST_error("Should not get here"); ++ goto end; ++ } ++ } ++ ++ testresult = 1; ++ end: ++ SSL_free(serverssl); ++ SSL_free(clientssl); ++ SSL_CTX_free(sctx); ++ SSL_CTX_free(cctx); ++ ++ return testresult; ++} ++ + OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") + + int setup_tests(void) +@@ -12190,6 +12415,10 @@ int setup_tests(void) + ADD_TEST(test_data_retry); + ADD_ALL_TESTS(test_multi_resume, 5); + ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests)); ++#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) ++ ADD_ALL_TESTS(test_npn, 5); ++#endif ++ ADD_ALL_TESTS(test_alpn, 4); + return 1; + + err: +-- +2.46.0 + diff --git a/SOURCES/0132-CVE-2023-6129.patch b/SOURCES/0132-CVE-2023-6129.patch deleted file mode 100644 index 05e7300..0000000 --- a/SOURCES/0132-CVE-2023-6129.patch +++ /dev/null @@ -1,86 +0,0 @@ -diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl -index 9f86134d923fb..2e601bb9c24be 100755 ---- a/crypto/poly1305/asm/poly1305-ppc.pl -+++ b/crypto/poly1305/asm/poly1305-ppc.pl -@@ -744,7 +744,7 @@ - my $LOCALS= 6*$SIZE_T; - my $VSXFRAME = $LOCALS + 6*$SIZE_T; - $VSXFRAME += 128; # local variables -- $VSXFRAME += 13*16; # v20-v31 offload -+ $VSXFRAME += 12*16; # v20-v31 offload - - my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0; - -@@ -919,12 +919,12 @@ - addi r11,r11,32 - stvx v22,r10,$sp - addi r10,r10,32 -- stvx v23,r10,$sp -- addi r10,r10,32 -- stvx v24,r11,$sp -+ stvx v23,r11,$sp - addi r11,r11,32 -- stvx v25,r10,$sp -+ stvx v24,r10,$sp - addi r10,r10,32 -+ stvx v25,r11,$sp -+ addi r11,r11,32 - stvx v26,r10,$sp - addi r10,r10,32 - stvx v27,r11,$sp -@@ -1153,12 +1153,12 @@ - addi r11,r11,32 - stvx v22,r10,$sp - addi r10,r10,32 -- stvx v23,r10,$sp -- addi r10,r10,32 -- stvx v24,r11,$sp -+ stvx v23,r11,$sp - addi r11,r11,32 -- stvx v25,r10,$sp -+ stvx v24,r10,$sp - addi r10,r10,32 -+ stvx v25,r11,$sp -+ addi r11,r11,32 - stvx v26,r10,$sp - addi r10,r10,32 - stvx v27,r11,$sp -@@ -1899,26 +1899,26 @@ - mtspr 256,r12 # restore vrsave - lvx v20,r10,$sp - addi r10,r10,32 -- lvx v21,r10,$sp -- addi r10,r10,32 -- lvx v22,r11,$sp -+ lvx v21,r11,$sp - addi r11,r11,32 -- lvx v23,r10,$sp -+ lvx v22,r10,$sp - addi r10,r10,32 -- lvx v24,r11,$sp -+ lvx v23,r11,$sp - addi r11,r11,32 -- lvx v25,r10,$sp -+ lvx v24,r10,$sp - addi r10,r10,32 -- lvx v26,r11,$sp -+ lvx v25,r11,$sp - addi r11,r11,32 -- lvx v27,r10,$sp -+ lvx v26,r10,$sp - addi r10,r10,32 -- lvx v28,r11,$sp -+ lvx v27,r11,$sp - addi r11,r11,32 -- lvx v29,r10,$sp -+ lvx v28,r10,$sp - addi r10,r10,32 -- lvx v30,r11,$sp -- lvx v31,r10,$sp -+ lvx v29,r11,$sp -+ addi r11,r11,32 -+ lvx v30,r10,$sp -+ lvx v31,r11,$sp - $POP r27,`$VSXFRAME-$SIZE_T*5`($sp) - $POP r28,`$VSXFRAME-$SIZE_T*4`($sp) - $POP r29,`$VSXFRAME-$SIZE_T*3`($sp) diff --git a/SOURCES/0133-Add-a-test-for-an-empty-NextProto-message.patch b/SOURCES/0133-Add-a-test-for-an-empty-NextProto-message.patch new file mode 100644 index 0000000..923ec66 --- /dev/null +++ b/SOURCES/0133-Add-a-test-for-an-empty-NextProto-message.patch @@ -0,0 +1,199 @@ +From 301b870546d1c7b2d8f0d66e04a2596142f0399f Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 21 Jun 2024 14:29:26 +0100 +Subject: [PATCH 10/10] Add a test for an empty NextProto message + +It is valid according to the spec for a NextProto message to have no +protocols listed in it. The OpenSSL implementation however does not allow +us to create such a message. In order to check that we work as expected +when communicating with a client that does generate such messages we have +to use a TLSProxy test. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + test/recipes/70-test_npn.t | 73 +++++++++++++++++++++++++++++++++ + util/perl/TLSProxy/Message.pm | 9 ++++ + util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++ + util/perl/TLSProxy/Proxy.pm | 1 + + 4 files changed, 137 insertions(+) + create mode 100644 test/recipes/70-test_npn.t + create mode 100644 util/perl/TLSProxy/NextProto.pm + +diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t +new file mode 100644 +index 0000000000..f82e71af6a +--- /dev/null ++++ b/test/recipes/70-test_npn.t +@@ -0,0 +1,73 @@ ++#! /usr/bin/env perl ++# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++use strict; ++use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/; ++use OpenSSL::Test::Utils; ++ ++use TLSProxy::Proxy; ++ ++my $test_name = "test_npn"; ++setup($test_name); ++ ++plan skip_all => "TLSProxy isn't usable on $^O" ++ if $^O =~ /^(VMS)$/; ++ ++plan skip_all => "$test_name needs the dynamic engine feature enabled" ++ if disabled("engine") || disabled("dynamic-engine"); ++ ++plan skip_all => "$test_name needs the sock feature enabled" ++ if disabled("sock"); ++ ++plan skip_all => "$test_name needs NPN enabled" ++ if disabled("nextprotoneg"); ++ ++plan skip_all => "$test_name needs TLSv1.2 enabled" ++ if disabled("tls1_2"); ++ ++my $proxy = TLSProxy::Proxy->new( ++ undef, ++ cmdstr(app(["openssl"]), display => 1), ++ srctop_file("apps", "server.pem"), ++ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ++); ++ ++$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; ++plan tests => 1; ++ ++my $npnseen = 0; ++ ++# Test 1: Check sending an empty NextProto message from the client works. This is ++# valid as per the spec, but OpenSSL does not allow you to send it. ++# Therefore we must be prepared to receive such a message but we cannot ++# generate it except via TLSProxy ++$proxy->clear(); ++$proxy->filter(\&npn_filter); ++$proxy->clientflags("-nextprotoneg foo -no_tls1_3"); ++$proxy->serverflags("-nextprotoneg foo"); ++$proxy->start(); ++ok($npnseen && TLSProxy::Message->success(), "Empty NPN message"); ++ ++sub npn_filter ++{ ++ my $proxy = shift; ++ my $message; ++ ++ # The NextProto message always appears in flight 2 ++ return if $proxy->flight != 2; ++ ++ foreach my $message (@{$proxy->message_list}) { ++ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) { ++ # Our TLSproxy NextProto message support doesn't support parsing of ++ # the message. If we repack it just creates an empty NextProto ++ # message - which is exactly the scenario we want to test here. ++ $message->repack(); ++ $npnseen = 1; ++ } ++ } ++} +diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm +index ce22187569..fb41b2ffc8 100644 +--- a/util/perl/TLSProxy/Message.pm ++++ b/util/perl/TLSProxy/Message.pm +@@ -384,6 +384,15 @@ sub create_message + [@message_frag_lens] + ); + $message->parse(); ++ } elsif ($mt == MT_NEXT_PROTO) { ++ $message = TLSProxy::NextProto->new( ++ $server, ++ $data, ++ [@message_rec_list], ++ $startoffset, ++ [@message_frag_lens] ++ ); ++ $message->parse(); + } else { + #Unknown message type + $message = TLSProxy::Message->new( +diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm +new file mode 100644 +index 0000000000..0e18347546 +--- /dev/null ++++ b/util/perl/TLSProxy/NextProto.pm +@@ -0,0 +1,54 @@ ++# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++use strict; ++ ++package TLSProxy::NextProto; ++ ++use vars '@ISA'; ++push @ISA, 'TLSProxy::Message'; ++ ++sub new ++{ ++ my $class = shift; ++ my ($server, ++ $data, ++ $records, ++ $startoffset, ++ $message_frag_lens) = @_; ++ ++ my $self = $class->SUPER::new( ++ $server, ++ TLSProxy::Message::MT_NEXT_PROTO, ++ $data, ++ $records, ++ $startoffset, ++ $message_frag_lens); ++ ++ return $self; ++} ++ ++sub parse ++{ ++ # We don't support parsing at the moment ++} ++ ++# This is supposed to reconstruct the on-the-wire message data following changes. ++# For now though since we don't support parsing we just create an empty NextProto ++# message - this capability is used in test_npn ++sub set_message_contents ++{ ++ my $self = shift; ++ my $data; ++ ++ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00); ++ $self->data($data); ++} ++1; +diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm +index 3de10eccb9..b707722b6b 100644 +--- a/util/perl/TLSProxy/Proxy.pm ++++ b/util/perl/TLSProxy/Proxy.pm +@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest; + use TLSProxy::CertificateVerify; + use TLSProxy::ServerKeyExchange; + use TLSProxy::NewSessionTicket; ++use TLSProxy::NextProto; + + my $have_IPv6; + my $IP_factory; +-- +2.46.0 + diff --git a/SOURCES/0133-CVE-2023-6237.patch b/SOURCES/0133-CVE-2023-6237.patch deleted file mode 100644 index a6f7a9a..0000000 --- a/SOURCES/0133-CVE-2023-6237.patch +++ /dev/null @@ -1,93 +0,0 @@ -diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c -index fc8f19b48770b..bcbdd24fb8199 100644 ---- a/crypto/rsa/rsa_sp800_56b_check.c -+++ b/crypto/rsa/rsa_sp800_56b_check.c -@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) - return 0; - - nbits = BN_num_bits(rsa->n); -+ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) { -+ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); -+ return 0; -+ } -+ - #ifdef FIPS_MODULE - /* - * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1) -@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) - goto err; - } - -- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status); -+ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */ -+ ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status); - #ifdef FIPS_MODULE - if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { - #else -diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t -index dc7cc64533af2..f8088df14d36c 100644 ---- a/test/recipes/91-test_pkey_check.t -+++ b/test/recipes/91-test_pkey_check.t -@@ -70,7 +70,7 @@ push(@positive_tests, ( - "dhpkey.pem" - )) unless disabled("dh"); - --my @negative_pubtests = (); -+my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key - - push(@negative_pubtests, ( - "dsapub_noparam.der" -diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem -new file mode 100644 -index 0000000000000..9a2eaedaf1b22 ---- /dev/null -+++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem -@@ -0,0 +1,48 @@ -+-----BEGIN PUBLIC KEY----- -+MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR -+B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph -+gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2 -+GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/ -+XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj -+b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2 -+gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq -+TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1 -+vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0 -+V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j -+/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH -+SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa -+PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y -+Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu -+C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J -+xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo -+F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id -+aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB -+nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi -+R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7 -+kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN -+mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux -+AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O -+f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi -+ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH -+UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx -+wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP -+fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4 -+y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS -+Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL -+HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ -+eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ -+EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz -+chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq -+4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW -+gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC -+A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK -+FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys -+26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC -+xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J -+pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+ -+k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa -+2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q -+Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb -+77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID -+AQAB -+-----END PUBLIC KEY----- diff --git a/SOURCES/0134-engine-based-ECDHE-kex.patch b/SOURCES/0134-engine-based-ECDHE-kex.patch deleted file mode 100644 index fee56f7..0000000 --- a/SOURCES/0134-engine-based-ECDHE-kex.patch +++ /dev/null @@ -1,47 +0,0 @@ -diff --git a/crypto/evp/ctrl_params_translate.c b/crypto/evp/ctrl_params_translate.c -index 448a3c3043c1c..9010fa6c4638c 100644 ---- a/crypto/evp/ctrl_params_translate.c -+++ b/crypto/evp/ctrl_params_translate.c -@@ -1134,6 +1134,7 @@ static int fix_ec_paramgen_curve_nid(enum state state, - const struct translation_st *translation, - struct translation_ctx_st *ctx) - { -+ char *p2 = NULL; - int ret; - - if ((ret = default_check(state, translation, ctx)) <= 0) -@@ -1146,13 +1147,25 @@ static int fix_ec_paramgen_curve_nid(enum state state, - if (state == PRE_CTRL_TO_PARAMS) { - ctx->p2 = (char *)OBJ_nid2sn(ctx->p1); - ctx->p1 = 0; -+ } else if (state == PRE_PARAMS_TO_CTRL) { -+ /* -+ * We're translating from params to ctrl and setting the curve name. -+ * The ctrl function needs it to be a NID, but meanwhile, we need -+ * space to get the curve name from the param. |ctx->name_buf| is -+ * sufficient for that. -+ * The double indirection is necessary for default_fixup_args()'s -+ * call of OSSL_PARAM_get_utf8_string() to be done correctly. -+ */ -+ p2 = ctx->name_buf; -+ ctx->p2 = &p2; -+ ctx->sz = sizeof(ctx->name_buf); - } - - if ((ret = default_fixup_args(state, translation, ctx)) <= 0) - return ret; - - if (state == PRE_PARAMS_TO_CTRL) { -- ctx->p1 = OBJ_sn2nid(ctx->p2); -+ ctx->p1 = OBJ_sn2nid(p2); - ctx->p2 = NULL; - } - -@@ -2789,6 +2802,7 @@ static int evp_pkey_ctx_setget_params_to_ctrl(EVP_PKEY_CTX *pctx, - if (translation->fixup_args != NULL) - fixup = translation->fixup_args; - ctx.action_type = translation->action_type; -+ ctx.ctrl_cmd = translation->ctrl_num; - } - ctx.pctx = pctx; - ctx.params = params; diff --git a/SOURCES/0135-CVE-2024-0727.patch b/SOURCES/0135-CVE-2024-0727.patch deleted file mode 100644 index ddebf85..0000000 --- a/SOURCES/0135-CVE-2024-0727.patch +++ /dev/null @@ -1,178 +0,0 @@ -diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c -index 6fd4184af5a52..80ce31b3bca66 100644 ---- a/crypto/pkcs12/p12_add.c -+++ b/crypto/pkcs12/p12_add.c -@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ -+ if (p7->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); - } - -@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, - { - if (!PKCS7_type_is_encrypted(p7)) - return NULL; -+ -+ if (p7->d.encrypted == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm, - ASN1_ITEM_rptr(PKCS12_SAFEBAGS), - pass, passlen, -@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) - ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); - return NULL; - } -+ -+ if (p12->authsafes->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return NULL; -+ } -+ - p7s = ASN1_item_unpack(p12->authsafes->d.data, - ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); - if (p7s != NULL) { -diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c -index 67a885a45f89e..68ff54d0e90ee 100644 ---- a/crypto/pkcs12/p12_mutl.c -+++ b/crypto/pkcs12/p12_mutl.c -@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, - return 0; - } - -+ if (p12->authsafes->d.data == NULL) { -+ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); -+ return 0; -+ } -+ - salt = p12->mac->salt->data; - saltlen = p12->mac->salt->length; - if (p12->mac->iter == NULL) -diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c -index 62230bc6187ff..1e5b5495991a4 100644 ---- a/crypto/pkcs12/p12_npas.c -+++ b/crypto/pkcs12/p12_npas.c -@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) - bags = PKCS12_unpack_p7data(p7); - } else if (bagnid == NID_pkcs7_encrypted) { - bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); -- if (!alg_get(p7->d.encrypted->enc_data->algorithm, -- &pbe_nid, &pbe_iter, &pbe_saltlen)) -+ if (p7->d.encrypted == NULL -+ || !alg_get(p7->d.encrypted->enc_data->algorithm, -+ &pbe_nid, &pbe_iter, &pbe_saltlen)) - goto err; - } else { - continue; -diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c -index 49a0da5f819c4..8228315eeaa3a 100644 ---- a/crypto/pkcs7/pk7_mime.c -+++ b/crypto/pkcs7/pk7_mime.c -@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) - int ctype_nid = OBJ_obj2nid(p7->type); - const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); - -- if (ctype_nid == NID_pkcs7_signed) -+ if (ctype_nid == NID_pkcs7_signed) { -+ if (p7->d.sign == NULL) -+ return 0; - mdalgs = p7->d.sign->md_algs; -- else -+ } else { - mdalgs = NULL; -+ } - - flags ^= SMIME_OLDMIME; - -diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t -index 1f0cb4d501488..b2c376249646d 100644 ---- a/test/recipes/80-test_pkcs12.t -+++ b/test/recipes/80-test_pkcs12.t -@@ -9,7 +9,7 @@ - use strict; - use warnings; - --use OpenSSL::Test qw/:DEFAULT srctop_file/; -+use OpenSSL::Test qw/:DEFAULT srctop_file with/; - use OpenSSL::Test::Utils; - - use Encode; -@@ -54,7 +54,7 @@ if (eval { require Win32::API; 1; }) { - } - $ENV{OPENSSL_WIN32_UTF8}=1; - --plan tests => 13; -+plan tests => 17; - - # Test different PKCS#12 formats - ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats"); -@@ -148,4 +148,25 @@ ok(grep(/subject=CN = server.example/, @pkcs12info) == 1, - # Test that the expected friendly name is present in the output - ok(grep(/testname/, @pkcs12info) == 1, "test friendly name in output"); - -+# Test some bad pkcs12 files -+my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12"); -+my $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12"); -+my $bad3 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad3.p12"); -+ -+with({ exit_checker => sub { return shift == 1; } }, -+ sub { -+ ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:"])), -+ "test bad pkcs12 file 1"); -+ -+ ok(run(app(["openssl", "pkcs12", "-in", $bad1, "-password", "pass:", -+ "-nomacver"])), -+ "test bad pkcs12 file 1 (nomacver)"); -+ -+ ok(run(app(["openssl", "pkcs12", "-in", $bad2, "-password", "pass:"])), -+ "test bad pkcs12 file 2"); -+ -+ ok(run(app(["openssl", "pkcs12", "-in", $bad3, "-password", "pass:"])), -+ "test bad pkcs12 file 3"); -+ }); -+ - SetConsoleOutputCP($savedcp) if (defined($savedcp)); -diff --git a/test/recipes/80-test_pkcs12_data/bad1.p12 b/test/recipes/80-test_pkcs12_data/bad1.p12 -new file mode 100644 -index 0000000000000000000000000000000000000000..8f3387c7e356e4aa374729f3f3939343557b9c09 -GIT binary patch -literal 85 -zcmV-b0IL5mQvv}4Fbf6=Duzgg_YDCD0Wd)@F)$4V31Egu0c8UO0s#d81R(r{)waiY -rfR=Py6XX#<$m7-wj)xrauuD`}hF=Ng9=0`~S~)@=J%OiUaM0Oze6 -AD*ylh - -literal 0 -HcmV?d00001 - -diff --git a/test/recipes/80-test_pkcs12_data/bad3.p12 b/test/recipes/80-test_pkcs12_data/bad3.p12 -new file mode 100644 -index 0000000000000000000000000000000000000000..ef86a1d86fb0bc09471ca2596d82e7d521d973a4 -GIT binary patch -literal 104 -zcmXp=V`5}BkYnT2YV&CO&dbQoxImDF-+oA$5$MVJL*60=F*5iN*C_e&wD%dwCM*q{=+OBX|Z+F7XSHN#>B+I003La -BAqM~e - -literal 0 -HcmV?d00001 - diff --git a/SPECS/openssl.spec b/SPECS/openssl.spec index fa2eb97..32a20f8 100644 --- a/SPECS/openssl.spec +++ b/SPECS/openssl.spec @@ -28,8 +28,8 @@ print(string.sub(hash, 0, 16)) Summary: Utilities from the general purpose cryptography library with TLS implementation Name: openssl -Version: 3.0.7 -Release: 28%{?dist} +Version: 3.2.2 +Release: 6%{?dist} Epoch: 1 # We have to remove certain patented algorithms from the openssl source # tarball with the hobble-openssl script which is included below. @@ -74,8 +74,6 @@ Patch12: 0012-Disable-explicit-ec.patch Patch13: 0013-skipped-tests-EC-curves.patch # Instructions to load legacy provider in openssl.cnf Patch24: 0024-load-legacy-prov.patch -# Tmp: test name change -Patch31: 0031-tmp-Fix-test-names.patch # We load FIPS provider and set FIPS properties implicitly Patch32: 0032-Force-fips.patch # Embed HMAC into the fips.so @@ -94,8 +92,6 @@ Patch47: 0047-FIPS-early-KATS.patch Patch49: 0049-Selectively-disallow-SHA1-signatures.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2049265 Patch50: 0050-FIPS-enable-pkcs12-mac.patch -# Backport of patch for RHEL for Edge rhbz #2027261 -Patch51: 0051-Support-different-R_BITS-lengths-for-KBKDF.patch # Allow SHA1 in seclevel 2 if rh-allow-sha1-signatures = yes Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch # Originally from https://github.com/openssl/openssl/pull/18103 @@ -106,21 +102,9 @@ Patch52: 0052-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch Patch56: 0056-strcasecmp.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2053289 Patch58: 0058-FIPS-limit-rsa-encrypt.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2069235 -Patch60: 0060-FIPS-KAT-signature-tests.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2087147 Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch Patch62: 0062-fips-Expose-a-FIPS-indicator.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2130708 -# https://github.com/openssl/openssl/pull/18883 -Patch67: 0067-ppc64le-Montgomery-multiply.patch -# https://github.com/openssl/openssl/commit/44a563dde1584cd9284e80b6e45ee5019be8d36c -# https://github.com/openssl/openssl/commit/345c99b6654b8313c792d54f829943068911ddbd -Patch71: 0071-AES-GCM-performance-optimization.patch -# https://github.com/openssl/openssl/commit/f596bbe4da779b56eea34d96168b557d78e1149 -# https://github.com/openssl/openssl/commit/7e1f3ffcc5bc15fb9a12b9e3bb202f544c6ed5aa -# hunks in crypto/ppccap.c from https://github.com/openssl/openssl/commit/f5485b97b6c9977c0d39c7669b9f97a879312447 -Patch72: 0072-ChaCha20-performance-optimizations-for-ppc64le.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 @@ -149,72 +133,43 @@ Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch Patch85: 0085-FIPS-RSA-disable-shake.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2142087 Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2142087 -Patch89: 0089-PSS-salt-length-from-provider.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2142087 -Patch90: 0090-signature-Clamp-PSS-salt-len-to-MD-len.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2144561 Patch91: 0091-FIPS-RSA-encapsulate.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2142517 -Patch92: 0092-provider-improvements.patch # FIPS-95 Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch -# OpenSSL 3.0.8 CVEs -Patch101: 0101-CVE-2022-4203-nc-match.patch -Patch102: 0102-CVE-2022-4304-RSA-time-oracle.patch -Patch103: 0103-CVE-2022-4450-pem-read-bio.patch -Patch104: 0104-CVE-2023-0215-UAF-bio.patch -Patch105: 0105-CVE-2023-0216-pkcs7-deref.patch -Patch106: 0106-CVE-2023-0217-dsa.patch -Patch107: 0107-CVE-2023-0286-X400.patch -Patch108: 0108-CVE-2023-0401-pkcs7-md.patch - -# https://bugzilla.redhat.com/show_bug.cgi?id=2169314 -Patch109: 0109-fips-Zeroize-out-in-fips-selftest.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2168289 Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch -# https://bugzilla.redhat.com/show_bug.cgi?id=2175145 -Patch111: 0111-fips-Use-salt-16-bytes-in-PBKDF2-selftest.patch Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2179331 Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2157951 Patch114: 0114-FIPS-enforce-EMS-support.patch +# skip quic and pairwise tests temporarily +Patch115: 0115-skip-quic-pairwise.patch +# Add version aliasing due to +# https://github.com/openssl/openssl/issues/23534 +Patch116: 0116-version-aliasing.patch +# https://github.com/openssl/openssl/issues/23050 +Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch -# X.509 policies minor CVEs -Patch115: 0115-CVE-2023-0464.patch -Patch116: 0116-CVE-2023-0465.patch -Patch117: 0117-CVE-2023-0466.patch -# AES-XTS CVE -Patch118: 0118-CVE-2023-1255.patch - -#https://github.com/openssl/openssl/pull/13817 -#https://bugzilla.redhat.com/show_bug.cgi?id=2153471 -Patch120: 0120-RSA-PKCS15-implicit-rejection.patch # https://bugzilla.redhat.com/show_bug.cgi?id=2160797 Patch121: 0121-FIPS-cms-defaults.patch -Patch122: 0122-CVE-2023-2650.patch -# https://github.com/openssl/openssl/pull/19386 -Patch123: 0123-ibmca-atexit-crash.patch -Patch125: 0125-CVE-2023-2975.patch -Patch126: 0126-CVE-2023-3446.patch -Patch127: 0127-CVE-2023-3817.patch -Patch128: 0128-CVE-2023-5363.patch -# https://github.com/openssl/openssl/pull/22403 -Patch129: 0129-rsa-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch -Patch130: 0130-CVE-2023-5678.patch -# https://github.com/openssl/openssl/pull/20317 -Patch131: 0131-sslgroups-memleak.patch -# https://github.com/openssl/openssl/commit/050d26383d4e264966fb83428e72d5d48f402d35 -Patch132: 0132-CVE-2023-6129.patch -# https://github.com/openssl/openssl/commit/18c02492138d1eb8b6548cb26e7b625fb2414a2a -Patch133: 0133-CVE-2023-6237.patch -# https://github.com/openssl/openssl/pull/20780 -Patch134: 0134-engine-based-ECDHE-kex.patch -# https://github.com/openssl/openssl/pull/23362 -Patch135: 0135-CVE-2024-0727.patch -# https://github.com/openssl/openssl/commit/05f360d9e849a1b277db628f1f13083a7f8dd04f +# KTLS regression, temporary skip tests +Patch122: 0122-TMP-KTLS-test-skip.patch +# HKDF regression with older provider implementations +Patch123: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch +# https://github.com/openssl/openssl/pull/24717 +Patch124: 0124-Fix-SSL_select_next_proto.patch +Patch125: 0125-More-correctly-handle-a-selected_len-of-0-when-proce.patch +Patch126: 0126-Use-correctly-formatted-ALPN-data-in-tserver.patch +Patch127: 0127-Clarify-the-SSL_select_next_proto-documentation.patch +Patch128: 0128-Add-a-test-for-SSL_select_next_proto.patch +Patch129: 0129-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch +Patch130: 0130-Correct-return-values-for-tls_construct_stoc_next_pr.patch +Patch131: 0131-Add-ALPN-validation-in-the-client.patch +Patch132: 0132-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch +Patch133: 0133-Add-a-test-for-an-empty-NextProto-message.patch Patch136: 0136-CVE-2024-6119.patch License: ASL 2.0 @@ -555,9 +510,41 @@ ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysco %ldconfig_scriptlets libs %changelog -* Tue Sep 03 2024 Dmitry Belyavskiy - 1:3.0.7-28 -- Patch for CVE-2024-6119 - Resolves: RHEL-55340 +* Thu Sep 05 2024 Dmitry Belyavskiy - 1:3.2.2-6 +- rebuilt + Related: RHEL-55339 + +* Wed Sep 04 2024 Dmitry Belyavskiy - 1:3.2.2-5 +- Fix CVE-2024-6119: Possible denial of service in X.509 name checks + Resolves: RHEL-55339 + +* Wed Aug 21 2024 Clemens Lang - 1:3.2.2-4 +- Fix CVE-2024-5535: SSL_select_next_proto buffer overread + Resolves: RHEL-45657 + +* Sat Jun 22 2024 Daiki Ueno - 1:3.2.2-3 +- Replace HKDF backward compatibility patch with the official one + Related: RHEL-40823 + +* Wed Jun 12 2024 Daiki Ueno - 1:3.2.2-2 +- Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers + Resolves: RHEL-40823 + +* Wed Jun 05 2024 Dmitry Belyavskiy - 1:3.2.2-1 +- Rebase to OpenSSL 3.2.2. Fixes CVE-2024-2511, CVE-2024-4603, CVE-2024-4741, + and Minerva attack. + Resolves: RHEL-32148 + Resolves: RHEL-36792 + Resolves: RHEL-38514 + Resolves: RHEL-39111 + +* Thu May 23 2024 Dmitry Belyavskiy - 1:3.2.1-2 +- Update RNG changing for FIPS purpose + Resolves: RHEL-35380 + +* Wed Apr 03 2024 Dmitry Belyavskiy - 1:3.2.1-1 +- Rebasing OpenSSL to 3.2.1 + Resolves: RHEL-26271 * Wed Feb 21 2024 Dmitry Belyavskiy - 1:3.0.7-27 - Use certified FIPS module instead of freshly built one in Red Hat distribution