From b876ef4126a1f94f55e1161919d78f50ceca4fb7 Mon Sep 17 00:00:00 2001 
From: eabdullin Date: Wed, 20 Nov 2024 13:46:01 +0000 Subject: [PATCH] import RHEL 10 Beta openssl-3.2.2-12.el10 --- .gitignore | 2 +- .openssl.metadata | 1 - 0001-Aarch64-and-ppc64le-use-lib64.patch | 33 + ...eneral-default-values-in-openssl.cnf.patch | 31 +- 0003-Do-not-install-html-docs.patch | 30 + ...ault-paths-for-the-CA-directory-tree.patch | 78 + 0005-apps-ca-fix-md-option-help-text.patch | 28 + ...e-verification-with-totally-unsafe-h.patch | 29 + ...PROFILE-SYSTEM-system-default-cipher.patch | 196 +- 0008-Add-FIPS_mode-compatibility-macro.patch | 83 + 0009-Add-Kernel-FIPS-mode-flag-support.patch | 86 + 0010-Add-changes-to-ectest-and-eccurve.patch | 1148 ++ 0011-Remove-EC-curves.patch | 279 + 0012-Disable-explicit-ec.patch | 235 + 0013-skipped-tests-EC-curves.patch | 58 + 0024-load-legacy-prov.patch | 95 + 0025-for-tests.patch | 18 + 0032-Force-fips.patch | 81 + 0033-FIPS-embed-hmac.patch | 396 + 0034.fipsinstall_disable.patch | 473 + 0035-speed-skip-unavailable-dgst.patch | 31 + 0044-FIPS-140-3-keychecks.patch | 404 + 0045-FIPS-services-minimize.patch | 792 ++ 0047-FIPS-early-KATS.patch | 57 + 0049-Allow-disabling-of-SHA1-signatures.patch | 510 + 0056-strcasecmp.patch | 53 + 0058-FIPS-limit-rsa-encrypt.patch | 965 ++ ...nature-verification-in-FIPS-provider.patch | 570 + 0062-fips-Expose-a-FIPS-indicator.patch | 466 + ...OAEP-in-KATs-support-fixed-OAEP-seed.patch | 347 + ...gest_sign-digest_verify-in-self-test.patch | 408 + 0075-FIPS-Use-FFDHE2048-in-self-test.patch | 378 + 0076-FIPS-140-3-DRBG.patch | 317 + 0077-FIPS-140-3-zeroization.patch | 102 + 0078-KDF-Add-FIPS-indicators.patch | 911 ++ ...-truncated-hashes-SHA-3-in-FIPS-prov.patch | 1102 ++ ...-Remove-X9.31-padding-from-FIPS-prov.patch | 273 + ...plicit-FIPS-indicator-for-key-length.patch | 114 + ...t-minimum-password-length-of-8-bytes.patch | 69 + 0085-FIPS-RSA-disable-shake.patch | 101 + ...re-Add-indicator-for-PSS-salt-length.patch | 102 + 0091-FIPS-RSA-encapsulate.patch | 47 + 
...S-186-4-type-parameters-in-FIPS-mode.patch | 330 + ...t-explicit-FIPS-indicator-for-IV-gen.patch | 98 + ...cator-if-pkcs5-param-disabled-checks.patch | 75 + ...hers-kem-Add-explicit-FIPS-indicator.patch | 140 + 0114-FIPS-enforce-EMS-support.patch | 251 + 0115-skip-quic-pairwise.patch | 85 + 0116-version-aliasing.patch | 84 + ...-ignore-unknown-sigalgorithms-groups.patch | 318 + 0121-FIPS-cms-defaults.patch | 65 + 0122-TMP-KTLS-test-skip.patch | 16 + ...kward-compatibility-with-older-provi.patch | 62 + 0124-PBMAC1-PKCS12-FIPS-support.patch | 1525 ++ 0125-PBMAC1-PKCS12-FIPS-default.patch | 21 + 0126-pkeyutl-encap.patch | 430 + ...eedup-SSL_add_cert_subjects_to_stack.patch | 201 + 0128-SAST-findings.patch | 24 + 0129-Fix-SSL_select_next_proto.patch | 109 + ...andle-a-selected_len-of-0-when-proce.patch | 39 + ...ectly-formatted-ALPN-data-in-tserver.patch | 34 + ...-SSL_select_next_proto-documentation.patch | 78 + ...Add-a-test-for-SSL_select_next_proto.patch | 172 + ...-NPN-ALPN-protocol-list-in-the-tests.patch | 1169 ++ ...alues-for-tls_construct_stoc_next_pr.patch | 39 + 0136-Add-ALPN-validation-in-the-client.patch | 62 + ...testing-of-ALN-and-NPN-in-sslapitest.patch | 267 + ...-test-for-an-empty-NextProto-message.patch | 199 + 0139-CVE-2024-6119.patch | 233 + ...kefile.certificate => Makefile.certificate | 0 SOURCES/README.FIPS | 72 - SOURCES/ec_curve.c | 582 - SOURCES/ectest.c | 1546 -- SOURCES/hobble-openssl | 40 - SOURCES/openssl-1.1.1-addrconfig.patch | 31 - SOURCES/openssl-1.1.1-alpn-cb.patch | 27 - SOURCES/openssl-1.1.1-apps-dgst.patch | 12 - SOURCES/openssl-1.1.1-arm-update.patch | 3706 ----- SOURCES/openssl-1.1.1-build.patch | 40 - ...enssl-1.1.1-cleanup-peer-point-reneg.patch | 36 - SOURCES/openssl-1.1.1-conf-paths.patch | 56 - SOURCES/openssl-1.1.1-cve-2022-0778.patch | 179 - SOURCES/openssl-1.1.1-cve-2022-1292.patch | 74 - SOURCES/openssl-1.1.1-cve-2022-2068.patch | 255 - SOURCES/openssl-1.1.1-cve-2022-2097.patch | 152 - 
...enssl-1.1.1-cve-2022-4304-RSA-oracle.patch | 805 -- .../openssl-1.1.1-cve-2022-4450-PEM-bio.patch | 103 - .../openssl-1.1.1-cve-2023-0215-BIO-UAF.patch | 186 - .../openssl-1.1.1-cve-2023-0286-X400.patch | 63 - SOURCES/openssl-1.1.1-cve-2023-3446.patch | 127 - SOURCES/openssl-1.1.1-cve-2023-3817.patch | 60 - SOURCES/openssl-1.1.1-cve-2023-5678.patch | 154 - .../openssl-1.1.1-detected-addr-ipv6.patch | 34 - SOURCES/openssl-1.1.1-ec-curves.patch | 266 - SOURCES/openssl-1.1.1-edk2-build.patch | 57 - SOURCES/openssl-1.1.1-evp-kdf.patch | 5238 ------- SOURCES/openssl-1.1.1-fips-crng-test.patch | 408 - SOURCES/openssl-1.1.1-fips-curves.patch | 200 - SOURCES/openssl-1.1.1-fips-dh.patch | 2730 ---- .../openssl-1.1.1-fips-drbg-selftest.patch | 587 - SOURCES/openssl-1.1.1-fips-post-rand.patch | 189 - SOURCES/openssl-1.1.1-fips.patch | 11626 ---------------- ...nssl-1.1.1-fix-ssl-select-next-proto.patch | 255 - SOURCES/openssl-1.1.1-intel-cet.patch | 500 - SOURCES/openssl-1.1.1-kdf-selftest.patch | 456 - SOURCES/openssl-1.1.1-krb5-kdf.patch | 3030 ---- SOURCES/openssl-1.1.1-man-rename.patch | 19 - SOURCES/openssl-1.1.1-no-brainpool.patch | 112 - SOURCES/openssl-1.1.1-no-html.patch | 12 - SOURCES/openssl-1.1.1-no-weak-verify.patch | 26 - ...enssl-1.1.1-pkcs1-implicit-rejection.patch | 1141 -- SOURCES/openssl-1.1.1-read-buff.patch | 319 - .../openssl-1.1.1-replace-expired-certs.patch | 1176 -- SOURCES/openssl-1.1.1-rewire-fips-drbg.patch | 170 - SOURCES/openssl-1.1.1-s390x-aes-tests.patch | 497 - SOURCES/openssl-1.1.1-s390x-aes.patch | 381 - SOURCES/openssl-1.1.1-s390x-ecc.patch | 2306 --- SOURCES/openssl-1.1.1-s390x-update.patch | 5502 -------- SOURCES/openssl-1.1.1-seclevel.patch | 160 - SOURCES/openssl-1.1.1-servername-cb.patch | 108 - SOURCES/openssl-1.1.1-ssh-kdf.patch | 5612 -------- SOURCES/openssl-1.1.1-sslv3-keep-abi.patch | 72 - SOURCES/openssl-1.1.1-tls13-curves.patch | 43 - SOURCES/openssl-1.1.1-ts-sha256-default.patch | 70 - 
.../openssl-1.1.1-version-add-engines.patch | 38 - SOURCES/openssl-1.1.1-version-override.patch | 12 - SOURCES/openssl-1.1.1-weak-ciphers.patch | 57 - SOURCES/opensslconf-new.h | 47 - SPECS/openssl.spec | 2278 --- ...nf-new-warning.h => configuration-prefix.h | 2 +- configuration-switch.h | 47 + genpatches | 26 + SOURCES/make-dummy-cert => make-dummy-cert | 0 openssl.rpmlintrc | 9 + openssl.spec | 748 + SOURCES/renew-dummy-cert => renew-dummy-cert | 0 sources | 1 + 137 files changed, 18354 insertions(+), 54144 deletions(-) delete mode 100644 .openssl.metadata create mode 100644 0001-Aarch64-and-ppc64le-use-lib64.patch rename SOURCES/openssl-1.1.1-defaults.patch => 0002-Use-more-general-default-values-in-openssl.cnf.patch (66%) create mode 100644 0003-Do-not-install-html-docs.patch create mode 100644 0004-Override-default-paths-for-the-CA-directory-tree.patch create mode 100644 0005-apps-ca-fix-md-option-help-text.patch create mode 100644 0006-Disable-signature-verification-with-totally-unsafe-h.patch rename SOURCES/openssl-1.1.1-system-cipherlist.patch => 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch (55%) create mode 100644 0008-Add-FIPS_mode-compatibility-macro.patch create mode 100644 0009-Add-Kernel-FIPS-mode-flag-support.patch create mode 100644 0010-Add-changes-to-ectest-and-eccurve.patch create mode 100644 0011-Remove-EC-curves.patch create mode 100644 0012-Disable-explicit-ec.patch create mode 100644 0013-skipped-tests-EC-curves.patch create mode 100644 0024-load-legacy-prov.patch create mode 100644 0025-for-tests.patch create mode 100644 0032-Force-fips.patch create mode 100644 0033-FIPS-embed-hmac.patch create mode 100644 0034.fipsinstall_disable.patch create mode 100644 0035-speed-skip-unavailable-dgst.patch create mode 100644 0044-FIPS-140-3-keychecks.patch create mode 100644 0045-FIPS-services-minimize.patch create mode 100644 0047-FIPS-early-KATS.patch create mode 100644 0049-Allow-disabling-of-SHA1-signatures.patch create mode 
100644 0056-strcasecmp.patch create mode 100644 0058-FIPS-limit-rsa-encrypt.patch create mode 100644 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch create mode 100644 0062-fips-Expose-a-FIPS-indicator.patch create mode 100644 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch create mode 100644 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch create mode 100644 0075-FIPS-Use-FFDHE2048-in-self-test.patch create mode 100644 0076-FIPS-140-3-DRBG.patch create mode 100644 0077-FIPS-140-3-zeroization.patch create mode 100644 0078-KDF-Add-FIPS-indicators.patch create mode 100644 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch create mode 100644 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch create mode 100644 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch create mode 100644 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch create mode 100644 0085-FIPS-RSA-disable-shake.patch create mode 100644 0088-signature-Add-indicator-for-PSS-salt-length.patch create mode 100644 0091-FIPS-RSA-encapsulate.patch create mode 100644 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch create mode 100644 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch create mode 100644 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch create mode 100644 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch create mode 100644 0114-FIPS-enforce-EMS-support.patch create mode 100644 0115-skip-quic-pairwise.patch create mode 100644 0116-version-aliasing.patch create mode 100644 0117-ignore-unknown-sigalgorithms-groups.patch create mode 100644 0121-FIPS-cms-defaults.patch create mode 100644 0122-TMP-KTLS-test-skip.patch create mode 100644 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch create mode 100644 0124-PBMAC1-PKCS12-FIPS-support.patch create mode 100644 0125-PBMAC1-PKCS12-FIPS-default.patch create mode 100644 0126-pkeyutl-encap.patch create mode 100644 
0127-speedup-SSL_add_cert_subjects_to_stack.patch create mode 100644 0128-SAST-findings.patch create mode 100644 0129-Fix-SSL_select_next_proto.patch create mode 100644 0130-More-correctly-handle-a-selected_len-of-0-when-proce.patch create mode 100644 0131-Use-correctly-formatted-ALPN-data-in-tserver.patch create mode 100644 0132-Clarify-the-SSL_select_next_proto-documentation.patch create mode 100644 0133-Add-a-test-for-SSL_select_next_proto.patch create mode 100644 0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch create mode 100644 0135-Correct-return-values-for-tls_construct_stoc_next_pr.patch create mode 100644 0136-Add-ALPN-validation-in-the-client.patch create mode 100644 0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch create mode 100644 0138-Add-a-test-for-an-empty-NextProto-message.patch create mode 100644 0139-CVE-2024-6119.patch rename SOURCES/Makefile.certificate => Makefile.certificate (100%) delete mode 100644 SOURCES/README.FIPS delete mode 100644 SOURCES/ec_curve.c delete mode 100644 SOURCES/ectest.c delete mode 100755 SOURCES/hobble-openssl delete mode 100644 SOURCES/openssl-1.1.1-addrconfig.patch delete mode 100644 SOURCES/openssl-1.1.1-alpn-cb.patch delete mode 100644 SOURCES/openssl-1.1.1-apps-dgst.patch delete mode 100644 SOURCES/openssl-1.1.1-arm-update.patch delete mode 100644 SOURCES/openssl-1.1.1-build.patch delete mode 100644 SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch delete mode 100644 SOURCES/openssl-1.1.1-conf-paths.patch delete mode 100644 SOURCES/openssl-1.1.1-cve-2022-0778.patch delete mode 100644 SOURCES/openssl-1.1.1-cve-2022-1292.patch delete mode 100644 SOURCES/openssl-1.1.1-cve-2022-2068.patch delete mode 100644 SOURCES/openssl-1.1.1-cve-2022-2097.patch delete mode 100644 SOURCES/openssl-1.1.1-cve-2022-4304-RSA-oracle.patch delete mode 100644 SOURCES/openssl-1.1.1-cve-2022-4450-PEM-bio.patch delete mode 100644 SOURCES/openssl-1.1.1-cve-2023-0215-BIO-UAF.patch delete mode 100644 
SOURCES/openssl-1.1.1-cve-2023-0286-X400.patch delete mode 100644 SOURCES/openssl-1.1.1-cve-2023-3446.patch delete mode 100644 SOURCES/openssl-1.1.1-cve-2023-3817.patch delete mode 100644 SOURCES/openssl-1.1.1-cve-2023-5678.patch delete mode 100644 SOURCES/openssl-1.1.1-detected-addr-ipv6.patch delete mode 100644 SOURCES/openssl-1.1.1-ec-curves.patch delete mode 100644 SOURCES/openssl-1.1.1-edk2-build.patch delete mode 100644 SOURCES/openssl-1.1.1-evp-kdf.patch delete mode 100644 SOURCES/openssl-1.1.1-fips-crng-test.patch delete mode 100644 SOURCES/openssl-1.1.1-fips-curves.patch delete mode 100644 SOURCES/openssl-1.1.1-fips-dh.patch delete mode 100644 SOURCES/openssl-1.1.1-fips-drbg-selftest.patch delete mode 100644 SOURCES/openssl-1.1.1-fips-post-rand.patch delete mode 100644 SOURCES/openssl-1.1.1-fips.patch delete mode 100644 SOURCES/openssl-1.1.1-fix-ssl-select-next-proto.patch delete mode 100644 SOURCES/openssl-1.1.1-intel-cet.patch delete mode 100644 SOURCES/openssl-1.1.1-kdf-selftest.patch delete mode 100644 SOURCES/openssl-1.1.1-krb5-kdf.patch delete mode 100644 SOURCES/openssl-1.1.1-man-rename.patch delete mode 100644 SOURCES/openssl-1.1.1-no-brainpool.patch delete mode 100644 SOURCES/openssl-1.1.1-no-html.patch delete mode 100644 SOURCES/openssl-1.1.1-no-weak-verify.patch delete mode 100644 SOURCES/openssl-1.1.1-pkcs1-implicit-rejection.patch delete mode 100644 SOURCES/openssl-1.1.1-read-buff.patch delete mode 100644 SOURCES/openssl-1.1.1-replace-expired-certs.patch delete mode 100644 SOURCES/openssl-1.1.1-rewire-fips-drbg.patch delete mode 100644 SOURCES/openssl-1.1.1-s390x-aes-tests.patch delete mode 100644 SOURCES/openssl-1.1.1-s390x-aes.patch delete mode 100644 SOURCES/openssl-1.1.1-s390x-ecc.patch delete mode 100644 SOURCES/openssl-1.1.1-s390x-update.patch delete mode 100644 SOURCES/openssl-1.1.1-seclevel.patch delete mode 100644 SOURCES/openssl-1.1.1-servername-cb.patch delete mode 100644 SOURCES/openssl-1.1.1-ssh-kdf.patch delete mode 100644 
SOURCES/openssl-1.1.1-sslv3-keep-abi.patch delete mode 100644 SOURCES/openssl-1.1.1-tls13-curves.patch delete mode 100644 SOURCES/openssl-1.1.1-ts-sha256-default.patch delete mode 100644 SOURCES/openssl-1.1.1-version-add-engines.patch delete mode 100644 SOURCES/openssl-1.1.1-version-override.patch delete mode 100644 SOURCES/openssl-1.1.1-weak-ciphers.patch delete mode 100644 SOURCES/opensslconf-new.h delete mode 100644 SPECS/openssl.spec rename SOURCES/opensslconf-new-warning.h => configuration-prefix.h (80%) create mode 100644 configuration-switch.h create mode 100755 genpatches rename SOURCES/make-dummy-cert => make-dummy-cert (100%) create mode 100644 openssl.rpmlintrc create mode 100644 openssl.spec rename SOURCES/renew-dummy-cert => renew-dummy-cert (100%) create mode 100644 sources
diff --git a/.gitignore b/.gitignore
index 2911f54..dafbcd4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/openssl-1.1.1k-hobbled.tar.xz
+openssl-3.2.2.tar.gz
diff --git a/.openssl.metadata b/.openssl.metadata
deleted file mode 100644
index dc703be..0000000
--- a/.openssl.metadata
+++ /dev/null
@@ -1 +0,0 @@
-6fde639a66329f2cd9135eb192f2228f2a402c0e SOURCES/openssl-1.1.1k-hobbled.tar.xz
diff --git a/0001-Aarch64-and-ppc64le-use-lib64.patch b/0001-Aarch64-and-ppc64le-use-lib64.patch
new file mode 100644
index 0000000..e5d23ba
--- /dev/null
+++ b/0001-Aarch64-and-ppc64le-use-lib64.patch
@@ -0,0 +1,33 @@
+From 603a35802319c0459737e3f067369ceb990fe2e6 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Thu, 24 Sep 2020 09:01:41 +0200
+Subject: Aarch64 and ppc64le use lib64
+
+(Was openssl-1.1.1-build.patch)
+---
+ Configurations/10-main.conf | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/Configurations/10-main.conf b/Configurations/10-main.conf
+index d7580bf3e1..a7dbfd7f40 100644
+--- a/Configurations/10-main.conf
++++ b/Configurations/10-main.conf
+@@ -723,6 +723,7 @@ my %targets = (
+ lib_cppflags => add("-DL_ENDIAN"),
+ asm_arch => 'ppc64',
+ perlasm_scheme => "linux64le",
++ multilib => "64",
+ },
+
+ "linux-armv4" => {
+@@ -765,6 +766,7 @@ my %targets = (
+ inherit_from => [ "linux-generic64" ],
+ asm_arch => 'aarch64',
+ perlasm_scheme => "linux64",
++ multilib => "64",
+ },
+ "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
+ inherit_from => [ "linux-generic32" ],
+--
+2.26.2
+
diff --git a/SOURCES/openssl-1.1.1-defaults.patch b/0002-Use-more-general-default-values-in-openssl.cnf.patch
similarity index 66%
rename from SOURCES/openssl-1.1.1-defaults.patch
rename to 0002-Use-more-general-default-values-in-openssl.cnf.patch
index 291ed88..83ed599 100644
--- a/SOURCES/openssl-1.1.1-defaults.patch
+++ b/0002-Use-more-general-default-values-in-openssl.cnf.patch
@@ -1,7 +1,21 @@ -diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cnf ---- openssl-1.1.1a/apps/openssl.cnf.defaults 2018-11-20 14:35:37.000000000 +0100 -+++ openssl-1.1.1a/apps/openssl.cnf 2019-01-15 13:56:50.841719776 +0100 -@@ -74,7 +74,7 @@ cert_opt = ca_default # Certificate fi +From 41df9ae215cee9574e17e6f887c96a7c97d588f5 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 24 Sep 2020 09:03:40 +0200 +Subject: Use more general default values in openssl.cnf + +Also set sha256 as default hash, although that should not be +necessary anymore. + +(was openssl-1.1.1-defaults.patch) +--- + apps/openssl.cnf | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git a/apps/openssl.cnf b/apps/openssl.cnf +index 97567a67be..eb25a0ac48 100644 +--- a/apps/openssl.cnf ++++ b/apps/openssl.cnf +@@ -104,7 +104,7 @@ cert_opt = ca_default # Certificate field options default_days = 365 # how long to certify for default_crl_days= 30 # how long before next CRL @@ -10,7 +24,7 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn preserve = no # keep passed DN ordering # A few difference way of specifying how similar the request should look -@@ -106,6 +106,7 @@ emailAddress = optional +@@ -136,6 +136,7 @@ emailAddress = optional #################################################################### [ req ] default_bits = 2048 @@ -18,7 +32,7 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn default_keyfile = privkey.pem distinguished_name = req_distinguished_name attributes = req_attributes -@@ -128,17 +129,18 @@ string_mask = utf8only +@@ -158,17 +159,18 @@ string_mask = utf8only [ req_distinguished_name ] countryName = Country Name (2 letter code) 
@@ -40,7 +54,7 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn # we can do this but it is not needed normally :-) #1.organizationName = Second Organization Name (eg, company) -@@ -147,7 +149,7 @@ localityName = Locality Name (eg, city +@@ -177,7 +179,7 @@ localityName = Locality Name (eg, city) organizationalUnitName = Organizational Unit Name (eg, section) #organizationalUnitName_default = @@ -49,3 +63,6 @@ diff -up openssl-1.1.1a/apps/openssl.cnf.defaults openssl-1.1.1a/apps/openssl.cn commonName_max = 64 emailAddress = Email Address +-- +2.26.2 + diff --git a/0003-Do-not-install-html-docs.patch b/0003-Do-not-install-html-docs.patch new file mode 100644 index 0000000..6be6e68 --- /dev/null +++ b/0003-Do-not-install-html-docs.patch @@ -0,0 +1,30 @@ +From a3e7963320ba44e96a60b389fccb8e1cccc30674 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 19 Oct 2023 13:12:39 +0200 +Subject: [PATCH 03/46] 0003-Do-not-install-html-docs.patch + +Patch-name: 0003-Do-not-install-html-docs.patch +Patch-id: 3 +Patch-status: | + # # Do not install html docs +From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 +--- + Configurations/unix-Makefile.tmpl | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl +index a48fae5fb8..56b42926e7 100644 +--- a/Configurations/unix-Makefile.tmpl ++++ b/Configurations/unix-Makefile.tmpl +@@ -611,7 +611,7 @@ install_sw: install_dev install_engines install_modules install_runtime + + uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries + +-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation ++install_docs: install_man_docs ## Install manpages + + uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation + $(RM) -r "$(DESTDIR)$(DOCDIR)" +-- +2.41.0 + 
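Review bot: In 0003-Do-not-install-html-docs.patch the `install_docs` target loses `install_html_docs`, but the `uninstall_docs` target two lines below still depends on `uninstall_html_docs` and keeps the comment "Uninstall manpages and HTML documentation", so install and uninstall no longer describe the same set of files. That is harmless at runtime (uninstalling never-installed HTML docs is a no-op) but reads as an oversight; either change it to `uninstall_docs: uninstall_man_docs ## Uninstall manpages` or note in `Patch-status` that uninstall is deliberately left untouched.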
diff --git a/0004-Override-default-paths-for-the-CA-directory-tree.patch b/0004-Override-default-paths-for-the-CA-directory-tree.patch
new file mode 100644
index 0000000..9ba7947
--- /dev/null
+++ b/0004-Override-default-paths-for-the-CA-directory-tree.patch
@@ -0,0 +1,78 @@ +From 7a65ee33793fa8a28c0dfc94e6872ce92f408b15 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:27 +0200 +Subject: [PATCH 04/35] + 0004-Override-default-paths-for-the-CA-directory-tree.patch + +Patch-name: 0004-Override-default-paths-for-the-CA-directory-tree.patch +Patch-id: 4 +Patch-status: | + # Override default paths for the CA directory tree +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + apps/CA.pl.in | 2 +- + apps/openssl.cnf | 20 ++++++++++++++++++-- + 2 files changed, 19 insertions(+), 3 deletions(-) + +diff --git a/apps/CA.pl.in b/apps/CA.pl.in +index c0afb96716..d6a5fabd16 100644 +--- a/apps/CA.pl.in ++++ b/apps/CA.pl.in +@@ -29,7 +29,7 @@ my $X509 = "$openssl x509"; + my $PKCS12 = "$openssl pkcs12"; + + # Default values for various configuration settings. +-my $CATOP = "./demoCA"; ++my $CATOP = "/etc/pki/CA"; + my $CAKEY = "cakey.pem"; + my $CAREQ = "careq.pem"; + my $CACERT = "cacert.pem"; +diff -up openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls openssl-3.0.0-alpha16/apps/openssl.cnf +--- openssl-3.0.0-alpha16/apps/openssl.cnf.default-tls 2021-07-06 13:41:39.204978272 +0200 ++++ openssl-3.0.0-alpha16/apps/openssl.cnf 2021-07-06 13:49:50.362857683 +0200 +@@ -53,6 +53,13 @@ tsa_policy3 = 1.2.3.4.5.7 + + [openssl_init] + providers = provider_sect ++# Load default TLS policy configuration ++ssl_conf = ssl_module ++alg_section = evp_properties ++ ++[ evp_properties ] ++#This section is intentionally added empty here ++#to be tuned on particular systems + + # List of providers to load + [provider_sect] +@@ -64,6 +66,13 @@ default = default_sect + [default_sect] + # activate = 1 + ++[ ssl_module ] ++ ++system_default = crypto_policy ++ ++[ crypto_policy ] ++ ++.include = /etc/crypto-policies/back-ends/opensslcnf.config + + #################################################################### + [ ca ] +@@ -72,7 +81,7 @@ default_ca = CA_default # The default c + 
#################################################################### + [ CA_default ] + +-dir = ./demoCA # Where everything is kept ++dir = /etc/pki/CA # Where everything is kept + certs = $dir/certs # Where the issued certs are kept + crl_dir = $dir/crl # Where the issued crl are kept + database = $dir/index.txt # database index file. +@@ -304,7 +313,7 @@ default_tsa = tsa_config1 # the default + [ tsa_config1 ] + + # These are used by the TSA reply generation only. +-dir = ./demoCA # TSA root directory ++dir = /etc/pki/CA # TSA root directory + serial = $dir/tsaserial # The current serial number (mandatory) + crypto_device = builtin # OpenSSL engine to use for signing + signer_cert = $dir/tsacert.pem # The TSA signing certificate diff --git a/0005-apps-ca-fix-md-option-help-text.patch b/0005-apps-ca-fix-md-option-help-text.patch new file mode 100644 index 0000000..1fed4c4 --- /dev/null +++ b/0005-apps-ca-fix-md-option-help-text.patch @@ -0,0 +1,28 @@ +From 3d8fa9859501b07e02b76b5577e2915d5851e927 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 24 Sep 2020 09:27:18 +0200 +Subject: apps/ca: fix md option help text + +upstreamable + +(was openssl-1.1.1-apps-dgst.patch) +--- + apps/ca.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/apps/ca.c b/apps/ca.c +index 0f21b4fa1c..3d4b2c1673 100755 +--- a/apps/ca.c ++++ b/apps/ca.c +@@ -209,7 +209,7 @@ const OPTIONS ca_options[] = { + {"noemailDN", OPT_NOEMAILDN, '-', "Don't add the EMAIL field to the DN"}, + + OPT_SECTION("Signing"), +- {"md", OPT_MD, 's', "Digest to use, such as sha256"}, ++ {"md", OPT_MD, 's', "Digest to use, such as sha256; see openssl help for list"}, + {"keyfile", OPT_KEYFILE, 's', "The CA private key"}, + {"keyform", OPT_KEYFORM, 'f', + "Private key file format (ENGINE, other values ignored)"}, +-- +2.26.2 + 
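Review bot: The new `[ crypto_policy ]` section pulls the system-wide policy in with `.include = /etc/crypto-policies/back-ends/opensslcnf.config`, but nothing in the patch says what is expected when that file is missing or unreadable; if OpenSSL's `.include` skips an absent file rather than failing the config load, `system_default = crypto_policy` is silently empty and the library falls back to its built-in defaults instead of the hardened system policy, which is the one failure mode this mechanism exists to prevent. Stating that in the patch description, e.g. `# crypto-policies must be installed; a missing include leaves ssl_module without a system_default`, and confirming the spec declares that dependency would close the gap. A smaller point: the openssl.cnf part of this patch still carries a timestamped `diff -up openssl-3.0.0-alpha16/...` header while the CA.pl.in part is git-format, and unlike its siblings the file has no `--`/version trailer; regenerating it through `genpatches` (listed in the diffstat) would make the series uniform.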
diff --git a/0006-Disable-signature-verification-with-totally-unsafe-h.patch b/0006-Disable-signature-verification-with-totally-unsafe-h.patch
new file mode 100644
index 0000000..f9dd2dd
--- /dev/null
+++ b/0006-Disable-signature-verification-with-totally-unsafe-h.patch
@@ -0,0 +1,29 @@
+From 3f9deff30ae6efbfe979043b00cdf649b39793c0 Mon Sep 17 00:00:00 2001
+From: Tomas Mraz
+Date: Thu, 24 Sep 2020 09:51:34 +0200
+Subject: Disable signature verification with totally unsafe hash algorithms
+
+(was openssl-1.1.1-no-weak-verify.patch)
+---
+ crypto/asn1/a_verify.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/crypto/asn1/a_verify.c b/crypto/asn1/a_verify.c
+index b7eed914b0..af62f0ef08 100644
+--- a/crypto/asn1/a_verify.c
++++ b/crypto/asn1/a_verify.c
+@@ -152,6 +152,11 @@ int ASN1_item_verify_ctx(const ASN1_ITEM *it, const X509_ALGOR *alg,
+ ERR_raise(ERR_LIB_ASN1, ERR_R_EVP_LIB);
+ if (ret <= 1)
+ goto err;
++ } else if ((mdnid == NID_md5
++ && ossl_safe_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) ||
++ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) {
++ ERR_raise(ERR_LIB_ASN1, ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM);
++ goto err;
+ } else {
+ const EVP_MD *type = NULL;
+
+--
+2.26.2
+
diff --git a/SOURCES/openssl-1.1.1-system-cipherlist.patch b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
similarity index 55%
rename from SOURCES/openssl-1.1.1-system-cipherlist.patch
rename to 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
index a70f20b..5189459 100644
--- a/SOURCES/openssl-1.1.1-system-cipherlist.patch
+++ b/0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
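Review bot: The rejected-digest branch raises `ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM` for MD2, MD4, MD5 and SHA-0, but these digests are known and merely disallowed by policy, so whoever triages the resulting verification failure will read "unknown message digest algorithm" and go looking for a missing provider instead of a weak-hash signature. A comment above the branch, `/* known but policy-disabled digests: rejected on purpose, not unrecognised */`, or a dedicated reason code if one is acceptable downstream, would make the failure self-explaining. The `OPENSSL_ENABLE_MD5_VERIFY` override is read through `ossl_safe_getenv` (which presumably ignores the environment in privileged processes), but the diffstat shows only `crypto/asn1/a_verify.c` changing, so the variable is undocumented; it should at least be named in the patch description together with the fact that it re-enables MD5 only, never MD2/MD4/SHA-0.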
@@ -1,7 +1,29 @@ -diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist openssl-1.1.1c/Configurations/unix-Makefile.tmpl ---- openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist 2019-05-29 15:42:27.951329271 +0200 -+++ openssl-1.1.1c/Configurations/unix-Makefile.tmpl 2019-05-29 15:42:27.974328867 +0200 -@@ -180,6 +180,10 @@ MANDIR=$(INSTALLTOP)/share/man +From 8be4ef77c64fcada41041c00e02c34b07658ba66 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:14 +0100 +Subject: [PATCH 07/49] + 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch + +Patch-name: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +Patch-id: 7 +Patch-status: | + # # Add support for PROFILE=SYSTEM system default cipherlist +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + Configurations/unix-Makefile.tmpl | 5 ++ + Configure | 11 +++- + doc/man1/openssl-ciphers.pod.in | 9 ++++ + include/openssl/ssl.h.in | 5 ++ + ssl/ssl_ciph.c | 86 +++++++++++++++++++++++++++---- + ssl/ssl_lib.c | 4 +- + test/cipherlist_test.c | 2 + + 7 files changed, 109 insertions(+), 13 deletions(-) + +diff --git a/Configurations/unix-Makefile.tmpl b/Configurations/unix-Makefile.tmpl +index 5d61ce9550..e9fba957f1 100644 +--- a/Configurations/unix-Makefile.tmpl ++++ b/Configurations/unix-Makefile.tmpl +@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) HTMLDIR=$(DOCDIR)/html 
@@ -12,7 +34,7 @@ diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist open # MANSUFFIX is for the benefit of anyone who may want to have a suffix # appended after the manpage file section number. "ssl" is popular, # resulting in files such as config.5ssl rather than config.5. -@@ -203,6 +207,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} +@@ -347,6 +351,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -} CPPFLAGS={- our $cppflags1 = join(" ", (map { "-D".$_} @{$config{CPPDEFINES}}), 
@@ -20,29 +42,31 @@ diff -up openssl-1.1.1c/Configurations/unix-Makefile.tmpl.system-cipherlist open (map { "-I".$_} @{$config{CPPINCLUDES}}), @{$config{CPPFLAGS}}) -} CFLAGS={- join(' ', @{$config{CFLAGS}}) -} -diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure ---- openssl-1.1.1c/Configure.system-cipherlist 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/Configure 2019-05-29 15:45:10.465469533 +0200 -@@ -24,7 +24,7 @@ use OpenSSL::Glob; +diff --git a/Configure b/Configure +index cca1ac8d16..2ae1cd0bc2 100755 +--- a/Configure ++++ b/Configure +@@ -27,7 +27,7 @@ use OpenSSL::config; my $orig_death_handler = $SIG{__DIE__}; $SIG{__DIE__} = \&death_handler; --my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; -+my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; +-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] 
[-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; - # Options: - # -@@ -41,6 +41,9 @@ my $usage="Usage: Configure [no- + my $banner = <<"EOF"; + +@@ -61,6 +61,10 @@ EOF + # given with --prefix. # This becomes the value of OPENSSLDIR in Makefile and in C. # (Default: PREFIX/ssl) - # ++# +# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM +# cipher is specified (default). +# - # --cross-compile-prefix Add specified prefix to binutils components. + # --banner=".." Output specified text instead of default completion banner # - # --api One of 0.9.8, 1.0.0 or 1.1.0. Do not compile support for -@@ -295,6 +298,7 @@ $config{prefix}=""; + # -w Don't wait after showing a Configure warning +@@ -394,6 +398,7 @@ $config{prefix}=""; $config{openssldir}=""; $config{processor}=""; $config{libdir}=""; 
@@ -50,30 +74,22 @@ diff -up openssl-1.1.1c/Configure.system-cipherlist openssl-1.1.1c/Configure my $auto_threads=1; # enable threads automatically? true by default my $default_ranlib; -@@ -824,6 +828,10 @@ while (@argvcopy) - push @seed_sources, $x; - } +@@ -1047,6 +1052,10 @@ while (@argvcopy) + die "FIPS key too long (64 bytes max)\n" + if length $1 > 64; } + elsif (/^--system-ciphers-file=(.*)$/) + { + $config{system_ciphers_file}=$1; + } - elsif (/^--cross-compile-prefix=(.*)$/) + elsif (/^--banner=(.*)$/) { - $user{CROSS_COMPILE}=$1; -@@ -1016,6 +1024,8 @@ if ($target eq "HASH") { - exit 0; - } - -+chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/; -+ - print "Configuring OpenSSL version $config{version} ($config{version_num}) "; - print "for $target\n"; - -diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/doc/man1/ciphers.pod ---- openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/doc/man1/ciphers.pod 2019-05-29 15:42:27.975328849 +0200 -@@ -182,6 +182,15 @@ As of OpenSSL 1.0.0, the B cipher s + $banner = $1 . "\n"; +diff --git a/doc/man1/openssl-ciphers.pod.in b/doc/man1/openssl-ciphers.pod.in +index d4df30686f..cec4835268 100644 +--- a/doc/man1/openssl-ciphers.pod.in ++++ b/doc/man1/openssl-ciphers.pod.in +@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B cipher suites are sensibly ordered by default. The cipher suites not enabled by B, currently B. 
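Review bot: The rebased Configure hunk drops the trailing-slash normalisation that the 1.1.1 version of this patch carried, `chop $config{system_ciphers_file} if $config{system_ciphers_file} =~ /\/$/;`, and adds nothing in its place, so a `--system-ciphers-file=<path>/` value would now be embedded verbatim in SYSTEM_CIPHERS_FILE. If 3.2's Configure normalises the path elsewhere that is fine, but it is not visible in this hunk and the `Patch-status` text does not mention the drop; either restore the line after the `$config{system_ciphers_file}=$1;` assignment or say in the description why it is no longer needed.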
@@ -89,34 +105,27 @@ diff -up openssl-1.1.1c/doc/man1/ciphers.pod.system-cipherlist openssl-1.1.1c/do =item B "High" encryption cipher suites. This currently means those with key lengths -diff -up openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist openssl-1.1.1c/include/openssl/ssl.h ---- openssl-1.1.1c/include/openssl/ssl.h.system-cipherlist 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/include/openssl/ssl.h 2019-05-29 15:42:27.975328849 +0200 -@@ -186,6 +186,11 @@ extern "C" { +diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in +index 9f91039f8a..fc34d4ca61 100644 +--- a/include/openssl/ssl.h.in ++++ b/include/openssl/ssl.h.in +@@ -209,6 +209,11 @@ extern "C" { * throwing out anonymous and unencrypted ciphersuites! (The latter are not * actually enabled by ALL, but "ALL:RSA" would enable some of them.) */ +# ifdef SYSTEM_CIPHERS_FILE +# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM" +# else -+# define SSL_SYSTEM_DEFAULT_CIPHER_LIST SSL_DEFAULT_CIPHER_LIST ++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list() +# endif /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ # define SSL_SENT_SHUTDOWN 1 -diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ciph.c ---- openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/ssl/ssl_ciph.c 2019-05-29 15:42:27.976328831 +0200 -@@ -9,6 +9,8 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE - #include - #include - #include -@@ -1399,6 +1401,53 @@ int SSL_set_ciphersuites(SSL *s, const c +diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c +index 8360991ce4..33c23efb0d 100644 +--- a/ssl/ssl_ciph.c ++++ b/ssl/ssl_ciph.c +@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const char *str) return ret; } 
@@ -167,19 +176,19 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ +} +#endif + - STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(const SSL_METHOD *ssl_method, + STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, STACK_OF(SSL_CIPHER) *tls13_ciphersuites, STACK_OF(SSL_CIPHER) **cipher_list, -@@ -1412,15 +1461,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - const char *rule_p; +@@ -1469,15 +1516,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; const SSL_CIPHER **ca_list = NULL; + const SSL_METHOD *ssl_method = ctx->method; +#ifdef SYSTEM_CIPHERS_FILE + char *new_rules = NULL; + + if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) { + char *p = rule_str + 14; -+ ++ + new_rules = load_system_str(p); + rule_str = new_rules; + } 
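Review bot: The PROFILE=SYSTEM detection added to ssl_create_cipher_list() hard-codes the keyword length as `14` in both the strncmp() call and the `rule_str + 14` offset, so the two can drift apart if the keyword is ever touched; `strncmp(rule_str, "PROFILE=SYSTEM", sizeof("PROFILE=SYSTEM") - 1)` with the same expression for the offset keeps both tied to the literal. Because it is a prefix match, a string such as `PROFILE=SYSTEMX` is also routed to load_system_str() with `X` as its argument; whether that is rejected depends on load_system_str(), which is outside this hunk, and deserves a comment either way. If rule_str keeps upstream's `const char *` type, `char *p = rule_str + 14;` discards the qualifier and should be `const char *p`. Note also that when load_system_str() returns NULL (presumably on a missing or unreadable system ciphers file) rule_str becomes NULL and the NULL check in the following hunk fails the whole call, i.e. SSL_CTX_new() fails closed instead of falling back to the compiled-in default list; that is a defensible policy, but it should be stated in a comment above this block. The body of ssl_create_cipher_list() continues outside this hunk.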
@@ -191,23 +200,23 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) - return NULL; + goto err; - #ifndef OPENSSL_NO_EC + if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) - return NULL; + goto err; - #endif /* -@@ -1443,7 +1502,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ - co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); - if (co_list == NULL) { - SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); -- return NULL; /* Failure */ -+ goto err; + * To reduce the work to do we only want to process the compiled +@@ -1499,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + if (num_of_ciphers > 0) { + co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); + if (co_list == NULL) +- return NULL; /* Failure */ ++ goto err; } ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, -@@ -1509,8 +1568,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1565,8 +1622,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, * in force within each class */ if (!ssl_cipher_strength_sort(&head, &tail)) { 
@@ -217,18 +226,17 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ } /* -@@ -1555,9 +1613,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1611,8 +1667,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); if (ca_list == NULL) { - OPENSSL_free(co_list); - SSLerr(SSL_F_SSL_CREATE_CIPHER_LIST, ERR_R_MALLOC_FAILURE); - return NULL; /* Failure */ + goto err; } ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, disabled_mkey, disabled_auth, disabled_enc, -@@ -1583,8 +1640,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1637,8 +1693,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, OPENSSL_free(ca_list); /* Not needed anymore */ if (!ok) { /* Rule processing failure */ @@ -238,7 +246,7 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ } /* -@@ -1592,14 +1648,18 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ +@@ -1646,10 +1701,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, * if we cannot get one. */ if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { @@ -253,13 +261,8 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ + /* Add TLSv1.3 ciphers first - we always prefer those if possible */ for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { - if (!sk_SSL_CIPHER_push(cipherstack, - sk_SSL_CIPHER_value(tls13_ciphersuites, i))) { -+ OPENSSL_free(co_list); - sk_SSL_CIPHER_free(cipherstack); - return NULL; - } -@@ -1631,6 +1691,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); +@@ -1701,6 +1759,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, *cipher_list = cipherstack; return cipherstack; 
@@ -274,31 +277,33 @@ diff -up openssl-1.1.1c/ssl/ssl_ciph.c.system-cipherlist openssl-1.1.1c/ssl/ssl_ } char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) -diff -up openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist openssl-1.1.1c/ssl/ssl_lib.c ---- openssl-1.1.1c/ssl/ssl_lib.c.system-cipherlist 2019-05-29 15:42:27.970328937 +0200 -+++ openssl-1.1.1c/ssl/ssl_lib.c 2019-05-29 15:42:27.977328814 +0200 -@@ -662,7 +662,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index cf59d2dfa5..1329841aaf 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -700,7 +700,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx, const SSL_METHOD *meth) ctx->tls13_ciphersuites, &(ctx->cipher_list), &(ctx->cipher_list_by_id), -- SSL_DEFAULT_CIPHER_LIST, ctx->cert); +- OSSL_default_cipher_list(), ctx->cert); + SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert); if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { - SSLerr(SSL_F_SSL_CTX_SET_SSL_VERSION, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); + ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); return 0; -@@ -2954,7 +2954,7 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m - if (!ssl_create_cipher_list(ret->method, +@@ -3966,7 +3966,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *libctx, const char *propq, + if (!ssl_create_cipher_list(ret, ret->tls13_ciphersuites, &ret->cipher_list, &ret->cipher_list_by_id, -- SSL_DEFAULT_CIPHER_LIST, ret->cert) +- OSSL_default_cipher_list(), ret->cert) + SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert) || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_LIBRARY_HAS_NO_CIPHERS); - goto err2; -diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/test/cipherlist_test.c ---- openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist 2019-05-28 15:12:21.000000000 +0200 -+++ openssl-1.1.1c/test/cipherlist_test.c 2019-05-29 15:42:27.977328814 +0200 -@@ -251,7 +251,9 @@ end: + ERR_raise(ERR_LIB_SSL, 
SSL_R_LIBRARY_HAS_NO_CIPHERS); + goto err; +diff --git a/test/cipherlist_test.c b/test/cipherlist_test.c +index c46e431b00..19d05e860b 100644 +--- a/test/cipherlist_test.c ++++ b/test/cipherlist_test.c +@@ -261,7 +261,9 @@ end: int setup_tests(void) { @@ -307,4 +312,7 @@ diff -up openssl-1.1.1c/test/cipherlist_test.c.system-cipherlist openssl-1.1.1c/ +#endif ADD_TEST(test_default_cipherlist_explicit); ADD_TEST(test_default_cipherlist_clear); - return 1; + ADD_TEST(test_stdname_cipherlist); +-- +2.44.0 + diff --git a/0008-Add-FIPS_mode-compatibility-macro.patch b/0008-Add-FIPS_mode-compatibility-macro.patch new file mode 100644 index 0000000..c05aa79 --- /dev/null +++ b/0008-Add-FIPS_mode-compatibility-macro.patch 
@@ -0,0 +1,83 @@
+From 8e29a10b39a649d751870eb1fd1b8c388e66acc3 Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Mon, 31 Jul 2023 09:41:27 +0200
+Subject: [PATCH 08/35] 0008-Add-FIPS_mode-compatibility-macro.patch
+
+Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch
+Patch-id: 8
+Patch-status: |
+ # Add FIPS_mode() compatibility macro
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ include/openssl/fips.h | 26 ++++++++++++++++++++++++++
+ test/property_test.c | 14 ++++++++++++++
+ 2 files changed, 40 insertions(+)
+ create mode 100644 include/openssl/fips.h
+
+diff --git a/include/openssl/fips.h b/include/openssl/fips.h
+new file mode 100644
+index 0000000000..4162cbf88e
+--- /dev/null
++++ b/include/openssl/fips.h
+@@ -0,0 +1,26 @@
++/*
++ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
++ *
++ * Licensed under the Apache License 2.0 (the "License"). You may not use
++ * this file except in compliance with the License. You can obtain a copy
++ * in the file LICENSE in the source distribution or at
++ * https://www.openssl.org/source/license.html
++ */
++
++#ifndef OPENSSL_FIPS_H
++# define OPENSSL_FIPS_H
++# pragma once
++
++# include
++# include
++
++# ifdef __cplusplus
++extern "C" {
++# endif
++
++# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL)
++
++# ifdef __cplusplus
++}
++# endif
++#endif
+diff --git a/test/property_test.c b/test/property_test.c
+index 45b1db3e85..8894c1c1cb 100644
+--- a/test/property_test.c
++++ b/test/property_test.c
+@@ -677,6 +677,19 @@ static int test_property_list_to_string(int i)
+ return ret;
+ }
+
++#include
++static int test_downstream_FIPS_mode(void)
++{
++ int ret = 0;
++
++ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes"))
++ && TEST_true(FIPS_mode())
++ && TEST_true(EVP_set_default_properties(NULL, "fips=no"))
++ && TEST_false(FIPS_mode());
++
++ return ret;
++}
++
+ int setup_tests(void)
+ {
+ ADD_TEST(test_property_string);
+@@ -690,6 +703,7 @@ int setup_tests(void)
+ ADD_TEST(test_property);
+ ADD_TEST(test_query_cache_stochastic);
+ ADD_TEST(test_fips_mode);
++ ADD_TEST(test_downstream_FIPS_mode);
+ ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests));
+ return 1;
+ }
+--
+2.41.0
+
diff --git a/0009-Add-Kernel-FIPS-mode-flag-support.patch b/0009-Add-Kernel-FIPS-mode-flag-support.patch
new file mode 100644
index 0000000..0848473
--- /dev/null
+++ b/0009-Add-Kernel-FIPS-mode-flag-support.patch
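Review bot: The `FIPS_mode()` compatibility macro in include/openssl/fips.h reports only whether the default library context's default property query carries `fips=yes` (`EVP_default_properties_is_fips_enabled(NULL)`), which is a much weaker statement than the 1.x FIPS_mode() it imitates: it does not confirm that the FIPS provider is loaded or that its self-tests passed, and it says nothing about algorithms fetched from a non-default OSSL_LIB_CTX or with an explicit property query. The header should say so, e.g. `/* Compatibility shim: true iff the default libctx's property query requests fips=yes; it does not check that the FIPS provider is loaded or usable, and ignores non-default library contexts. */`. The accompanying test_downstream_FIPS_mode() leaves `fips=no` as the process-wide default property query when it returns instead of restoring the previous value, which can influence tests that run later in the same process; restoring it at the end of the test is worth considering. The new file also carries an upstream "OpenSSL Project Authors 2016-2020" copyright header although it is a downstream addition.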
@@ -0,0 +1,86 @@
+From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Mon, 31 Jul 2023 09:41:27 +0200
+Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch
+
+Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch
+Patch-id: 9
+Patch-status: |
+ # Add check to see if fips flag is enabled in kernel
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++
+ include/internal/provider.h | 3 +++
+ 2 files changed, 39 insertions(+)
+
+diff --git a/crypto/context.c b/crypto/context.c
+index e294ea1512..51002ba79a 100644
+--- a/crypto/context.c
++++ b/crypto/context.c
+@@ -16,6 +16,41 @@
+ #include "crypto/decoder.h"
+ #include "crypto/context.h"
+
++# include
++# include
++# include
++# include
++# include
++
++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
++
++static int kernel_fips_flag;
++
++static void read_kernel_fips_flag(void)
++{
++ char buf[2] = "0";
++ int fd;
++
++ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
++ buf[0] = '1';
++ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
++ close(fd);
++ }
++
++ if (buf[0] == '1') {
++ kernel_fips_flag = 1;
++ }
++
++ return;
++}
++
++int ossl_get_kernel_fips_flag()
++{
++ return kernel_fips_flag;
++}
++
++
+ struct ossl_lib_ctx_st {
+ CRYPTO_RWLOCK *lock, *rand_crngt_lock;
+ OSSL_EX_DATA_GLOBAL global;
+@@ -336,6 +371,7 @@ static int default_context_inited = 0;
+
+DEFINE_RUN_ONCE_STATIC(default_context_do_init)
+{
++ read_kernel_fips_flag();
+ if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL))
+ goto err;
+
+diff --git a/include/internal/provider.h b/include/internal/provider.h
+index 18937f84c7..1446bf7afb 100644
+--- a/include/internal/provider.h
++++ b/include/internal/provider.h
+@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB_CTX *ctx,
+ const OSSL_DISPATCH *in);
+ void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx);
+
++/* FIPS flag access */
++int ossl_get_kernel_fips_flag(void);
++
+ # ifdef __cplusplus
+ }
+ # endif
+--
+2.41.0
+
diff --git a/0010-Add-changes-to-ectest-and-eccurve.patch b/0010-Add-changes-to-ectest-and-eccurve.patch
new file mode 100644
index 0000000..63a2ca2
--- /dev/null
+++ b/0010-Add-changes-to-ectest-and-eccurve.patch
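Review bot: read_kernel_fips_flag() in crypto/context.c fails open: if open() on /proc/sys/crypto/fips_enabled fails (masked /proc in a container, an LSM denial), if read() fails with anything other than EINTR, or if it returns zero bytes, buf keeps its initial "0" and the library silently behaves as non-FIPS on a FIPS-enabled host with no error recorded anywhere. That may be the intended policy, but it is a security-relevant decision and deserves a comment on the function, e.g. `/* Any failure to read the kernel flag is treated as "not FIPS"; OPENSSL_FORCE_FIPS_MODE can only force it on, nothing can force it off. */`. The definition `int ossl_get_kernel_fips_flag()` uses an old-style empty parameter list while the header in the same patch declares it as `(void)`; make the definition `int ossl_get_kernel_fips_flag(void)`. Two further points inferred from this hunk alone are worth stating near the #define: secure_getenv() is a glibc extension that normally requires _GNU_SOURCE, which the hunk does not show being defined, and the flag is sampled exactly once from default_context_do_init(), so a change to the kernel flag after the first library context is created is never observed.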
@@ -0,0 +1,1148 @@ +From 37fae351c6fef272baf383469181aecfcac87592 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:27 +0200 +Subject: [PATCH 10/35] 0010-Add-changes-to-ectest-and-eccurve.patch + +Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch +Patch-id: 10 +Patch-status: | + # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so + # that new modifications made to these files by upstream are not lost. +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + crypto/ec/ec_curve.c | 844 ------------------------------------------- + test/ectest.c | 174 +-------- + 2 files changed, 8 insertions(+), 1010 deletions(-) + +diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c +index b5b2f3342d..d32a768fe6 100644 +--- a/crypto/ec/ec_curve.c ++++ b/crypto/ec/ec_curve.c +@@ -30,38 +30,6 @@ typedef struct { + } EC_CURVE_DATA; + + /* the nist prime curves */ +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 24 * 6]; +-} _EC_NIST_PRIME_192 = { +- { +- NID_X9_62_prime_field, 20, 24, 1 +- }, +- { +- /* seed */ +- 0x30, 0x45, 0xAE, 0x6F, 0xC8, 0x42, 0x2F, 0x64, 0xED, 0x57, 0x95, 0x28, +- 0xD3, 0x81, 0x20, 0xEA, 0xE1, 0x21, 0x96, 0xD5, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x64, 0x21, 0x05, 0x19, 0xE5, 0x9C, 0x80, 0xE7, 0x0F, 0xA7, 0xE9, 0xAB, +- 0x72, 0x24, 0x30, 0x49, 0xFE, 0xB8, 0xDE, 0xEC, 0xC1, 0x46, 0xB9, 0xB1, +- /* x */ +- 0x18, 0x8D, 0xA8, 0x0E, 0xB0, 0x30, 0x90, 0xF6, 0x7C, 0xBF, 0x20, 0xEB, +- 0x43, 0xA1, 0x88, 0x00, 0xF4, 0xFF, 0x0A, 0xFD, 0x82, 0xFF, 0x10, 0x12, +- /* y */ +- 0x07, 0x19, 0x2b, 0x95, 0xff, 0xc8, 0xda, 0x78, 0x63, 0x10, 0x11, 0xed, +- 0x6b, 0x24, 0xcd, 0xd5, 0x73, 0xf9, 
0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x99, 0xDE, 0xF8, 0x36, 0x14, 0x6B, 0xC9, 0xB1, 0xB4, 0xD2, 0x28, 0x31 +- } +-}; +- + static const struct { + EC_CURVE_DATA h; + unsigned char data[20 + 28 * 6]; +@@ -200,187 +168,6 @@ static const struct { + } + }; + +-# ifndef FIPS_MODULE +-/* the x9.62 prime curves (minus the nist prime curves) */ +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 24 * 6]; +-} _EC_X9_62_PRIME_192V2 = { +- { +- NID_X9_62_prime_field, 20, 24, 1 +- }, +- { +- /* seed */ +- 0x31, 0xA9, 0x2E, 0xE2, 0x02, 0x9F, 0xD1, 0x0D, 0x90, 0x1B, 0x11, 0x3E, +- 0x99, 0x07, 0x10, 0xF0, 0xD2, 0x1A, 0xC6, 0xB6, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0xCC, 0x22, 0xD6, 0xDF, 0xB9, 0x5C, 0x6B, 0x25, 0xE4, 0x9C, 0x0D, 0x63, +- 0x64, 0xA4, 0xE5, 0x98, 0x0C, 0x39, 0x3A, 0xA2, 0x16, 0x68, 0xD9, 0x53, +- /* x */ +- 0xEE, 0xA2, 0xBA, 0xE7, 0xE1, 0x49, 0x78, 0x42, 0xF2, 0xDE, 0x77, 0x69, +- 0xCF, 0xE9, 0xC9, 0x89, 0xC0, 0x72, 0xAD, 0x69, 0x6F, 0x48, 0x03, 0x4A, +- /* y */ +- 0x65, 0x74, 0xd1, 0x1d, 0x69, 0xb6, 0xec, 0x7a, 0x67, 0x2b, 0xb8, 0x2a, +- 0x08, 0x3d, 0xf2, 0xf2, 0xb0, 0x84, 0x7d, 0xe9, 0x70, 0xb2, 0xde, 0x15, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, +- 0x5F, 0xB1, 0xA7, 0x24, 0xDC, 0x80, 0x41, 0x86, 0x48, 0xD8, 0xDD, 0x31 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 24 * 6]; +-} _EC_X9_62_PRIME_192V3 = { +- { +- NID_X9_62_prime_field, 20, 24, 1 +- }, +- { +- /* seed */ +- 0xC4, 0x69, 0x68, 0x44, 0x35, 0xDE, 0xB3, 0x78, 0xC4, 0xB6, 0x5C, 0xA9, +- 0x59, 0x1E, 0x2A, 0x57, 0x63, 
0x05, 0x9A, 0x2E, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x22, 0x12, 0x3D, 0xC2, 0x39, 0x5A, 0x05, 0xCA, 0xA7, 0x42, 0x3D, 0xAE, +- 0xCC, 0xC9, 0x47, 0x60, 0xA7, 0xD4, 0x62, 0x25, 0x6B, 0xD5, 0x69, 0x16, +- /* x */ +- 0x7D, 0x29, 0x77, 0x81, 0x00, 0xC6, 0x5A, 0x1D, 0xA1, 0x78, 0x37, 0x16, +- 0x58, 0x8D, 0xCE, 0x2B, 0x8B, 0x4A, 0xEE, 0x8E, 0x22, 0x8F, 0x18, 0x96, +- /* y */ +- 0x38, 0xa9, 0x0f, 0x22, 0x63, 0x73, 0x37, 0x33, 0x4b, 0x49, 0xdc, 0xb6, +- 0x6a, 0x6d, 0xc8, 0xf9, 0x97, 0x8a, 0xca, 0x76, 0x48, 0xa9, 0x43, 0xb0, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7A, 0x62, 0xD0, 0x31, 0xC8, 0x3F, 0x42, 0x94, 0xF6, 0x40, 0xEC, 0x13 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 30 * 6]; +-} _EC_X9_62_PRIME_239V1 = { +- { +- NID_X9_62_prime_field, 20, 30, 1 +- }, +- { +- /* seed */ +- 0xE4, 0x3B, 0xB4, 0x60, 0xF0, 0xB8, 0x0C, 0xC0, 0xC0, 0xB0, 0x75, 0x79, +- 0x8E, 0x94, 0x80, 0x60, 0xF8, 0x32, 0x1B, 0x7D, +- /* p */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x6B, 0x01, 0x6C, 0x3B, 0xDC, 0xF1, 0x89, 0x41, 0xD0, 0xD6, 0x54, 0x92, +- 0x14, 0x75, 0xCA, 0x71, 0xA9, 0xDB, 0x2F, 0xB2, 0x7D, 0x1D, 0x37, 0x79, +- 0x61, 0x85, 0xC2, 0x94, 0x2C, 0x0A, +- /* x */ +- 0x0F, 0xFA, 0x96, 0x3C, 0xDC, 0xA8, 0x81, 0x6C, 0xCC, 0x33, 0xB8, 0x64, +- 0x2B, 
0xED, 0xF9, 0x05, 0xC3, 0xD3, 0x58, 0x57, 0x3D, 0x3F, 0x27, 0xFB, +- 0xBD, 0x3B, 0x3C, 0xB9, 0xAA, 0xAF, +- /* y */ +- 0x7d, 0xeb, 0xe8, 0xe4, 0xe9, 0x0a, 0x5d, 0xae, 0x6e, 0x40, 0x54, 0xca, +- 0x53, 0x0b, 0xa0, 0x46, 0x54, 0xb3, 0x68, 0x18, 0xce, 0x22, 0x6b, 0x39, +- 0xfc, 0xcb, 0x7b, 0x02, 0xf1, 0xae, +- /* order */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0x9E, 0x5E, 0x9A, 0x9F, 0x5D, 0x90, 0x71, 0xFB, 0xD1, +- 0x52, 0x26, 0x88, 0x90, 0x9D, 0x0B +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 30 * 6]; +-} _EC_X9_62_PRIME_239V2 = { +- { +- NID_X9_62_prime_field, 20, 30, 1 +- }, +- { +- /* seed */ +- 0xE8, 0xB4, 0x01, 0x16, 0x04, 0x09, 0x53, 0x03, 0xCA, 0x3B, 0x80, 0x99, +- 0x98, 0x2B, 0xE0, 0x9F, 0xCB, 0x9A, 0xE6, 0x16, +- /* p */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x61, 0x7F, 0xAB, 0x68, 0x32, 0x57, 0x6C, 0xBB, 0xFE, 0xD5, 0x0D, 0x99, +- 0xF0, 0x24, 0x9C, 0x3F, 0xEE, 0x58, 0xB9, 0x4B, 0xA0, 0x03, 0x8C, 0x7A, +- 0xE8, 0x4C, 0x8C, 0x83, 0x2F, 0x2C, +- /* x */ +- 0x38, 0xAF, 0x09, 0xD9, 0x87, 0x27, 0x70, 0x51, 0x20, 0xC9, 0x21, 0xBB, +- 0x5E, 0x9E, 0x26, 0x29, 0x6A, 0x3C, 0xDC, 0xF2, 0xF3, 0x57, 0x57, 0xA0, +- 0xEA, 0xFD, 0x87, 0xB8, 0x30, 0xE7, +- /* y */ +- 0x5b, 0x01, 0x25, 0xe4, 0xdb, 0xea, 0x0e, 0xc7, 0x20, 0x6d, 0xa0, 0xfc, +- 0x01, 0xd9, 0xb0, 0x81, 0x32, 0x9f, 0xb5, 0x55, 0xde, 0x6e, 0xf4, 0x60, +- 0x23, 0x7d, 0xff, 0x8b, 0xe4, 0xba, +- /* order */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x80, 0x00, 0x00, 0xCF, 0xA7, 0xE8, 0x59, 0x43, 0x77, 0xD4, 0x14, 0xC0, +- 0x38, 
0x21, 0xBC, 0x58, 0x20, 0x63 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 30 * 6]; +-} _EC_X9_62_PRIME_239V3 = { +- { +- NID_X9_62_prime_field, 20, 30, 1 +- }, +- { +- /* seed */ +- 0x7D, 0x73, 0x74, 0x16, 0x8F, 0xFE, 0x34, 0x71, 0xB6, 0x0A, 0x85, 0x76, +- 0x86, 0xA1, 0x94, 0x75, 0xD3, 0xBF, 0xA2, 0xFF, +- /* p */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x25, 0x57, 0x05, 0xFA, 0x2A, 0x30, 0x66, 0x54, 0xB1, 0xF4, 0xCB, 0x03, +- 0xD6, 0xA7, 0x50, 0xA3, 0x0C, 0x25, 0x01, 0x02, 0xD4, 0x98, 0x87, 0x17, +- 0xD9, 0xBA, 0x15, 0xAB, 0x6D, 0x3E, +- /* x */ +- 0x67, 0x68, 0xAE, 0x8E, 0x18, 0xBB, 0x92, 0xCF, 0xCF, 0x00, 0x5C, 0x94, +- 0x9A, 0xA2, 0xC6, 0xD9, 0x48, 0x53, 0xD0, 0xE6, 0x60, 0xBB, 0xF8, 0x54, +- 0xB1, 0xC9, 0x50, 0x5F, 0xE9, 0x5A, +- /* y */ +- 0x16, 0x07, 0xe6, 0x89, 0x8f, 0x39, 0x0c, 0x06, 0xbc, 0x1d, 0x55, 0x2b, +- 0xad, 0x22, 0x6f, 0x3b, 0x6f, 0xcf, 0xe4, 0x8b, 0x6e, 0x81, 0x84, 0x99, +- 0xaf, 0x18, 0xe3, 0xed, 0x6c, 0xf3, +- /* order */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0x97, 0x5D, 0xEB, 0x41, 0xB3, 0xA6, 0x05, 0x7C, 0x3C, +- 0x43, 0x21, 0x46, 0x52, 0x65, 0x51 +- } +-}; +-#endif /* FIPS_MODULE */ +- + static const struct { + EC_CURVE_DATA h; + unsigned char data[20 + 32 * 6]; +@@ -421,294 +208,6 @@ static const struct { + + #ifndef FIPS_MODULE + /* the secg prime curves (minus the nist and x9.62 prime curves) */ +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 14 * 6]; +-} _EC_SECG_PRIME_112R1 = { +- { +- NID_X9_62_prime_field, 20, 14, 1 +- }, +- { +- /* seed */ +- 0x00, 0xF5, 0x0B, 
0x02, 0x8E, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, +- 0x51, 0x75, 0x29, 0x04, 0x72, 0x78, 0x3F, 0xB1, +- /* p */ +- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, +- 0x20, 0x8B, +- /* a */ +- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, +- 0x20, 0x88, +- /* b */ +- 0x65, 0x9E, 0xF8, 0xBA, 0x04, 0x39, 0x16, 0xEE, 0xDE, 0x89, 0x11, 0x70, +- 0x2B, 0x22, +- /* x */ +- 0x09, 0x48, 0x72, 0x39, 0x99, 0x5A, 0x5E, 0xE7, 0x6B, 0x55, 0xF9, 0xC2, +- 0xF0, 0x98, +- /* y */ +- 0xa8, 0x9c, 0xe5, 0xaf, 0x87, 0x24, 0xc0, 0xa2, 0x3e, 0x0e, 0x0f, 0xf7, +- 0x75, 0x00, +- /* order */ +- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x76, 0x28, 0xDF, 0xAC, 0x65, +- 0x61, 0xC5 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 14 * 6]; +-} _EC_SECG_PRIME_112R2 = { +- { +- NID_X9_62_prime_field, 20, 14, 4 +- }, +- { +- /* seed */ +- 0x00, 0x27, 0x57, 0xA1, 0x11, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, +- 0x51, 0x75, 0x53, 0x16, 0xC0, 0x5E, 0x0B, 0xD4, +- /* p */ +- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, +- 0x20, 0x8B, +- /* a */ +- 0x61, 0x27, 0xC2, 0x4C, 0x05, 0xF3, 0x8A, 0x0A, 0xAA, 0xF6, 0x5C, 0x0E, +- 0xF0, 0x2C, +- /* b */ +- 0x51, 0xDE, 0xF1, 0x81, 0x5D, 0xB5, 0xED, 0x74, 0xFC, 0xC3, 0x4C, 0x85, +- 0xD7, 0x09, +- /* x */ +- 0x4B, 0xA3, 0x0A, 0xB5, 0xE8, 0x92, 0xB4, 0xE1, 0x64, 0x9D, 0xD0, 0x92, +- 0x86, 0x43, +- /* y */ +- 0xad, 0xcd, 0x46, 0xf5, 0x88, 0x2e, 0x37, 0x47, 0xde, 0xf3, 0x6e, 0x95, +- 0x6e, 0x97, +- /* order */ +- 0x36, 0xDF, 0x0A, 0xAF, 0xD8, 0xB8, 0xD7, 0x59, 0x7C, 0xA1, 0x05, 0x20, +- 0xD0, 0x4B +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 16 * 6]; +-} _EC_SECG_PRIME_128R1 = { +- { +- NID_X9_62_prime_field, 20, 16, 1 +- }, +- { +- /* seed */ +- 0x00, 0x0E, 0x0D, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, +- 0x0C, 0xC0, 0x3A, 0x44, 0x73, 0xD0, 0x36, 0x79, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0xE8, 0x75, 0x79, 0xC1, 0x10, 0x79, 0xF4, 0x3D, 0xD8, 0x24, 0x99, 0x3C, +- 0x2C, 0xEE, 0x5E, 0xD3, +- /* x */ +- 0x16, 0x1F, 0xF7, 0x52, 0x8B, 0x89, 0x9B, 0x2D, 0x0C, 0x28, 0x60, 0x7C, +- 0xA5, 0x2C, 0x5B, 0x86, +- /* y */ +- 0xcf, 0x5a, 0xc8, 0x39, 0x5b, 0xaf, 0xeb, 0x13, 0xc0, 0x2d, 0xa2, 0x92, +- 0xdd, 0xed, 0x7a, 0x83, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x75, 0xA3, 0x0D, 0x1B, +- 0x90, 0x38, 0xA1, 0x15 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 16 * 6]; +-} _EC_SECG_PRIME_128R2 = { +- { +- NID_X9_62_prime_field, 20, 16, 4 +- }, +- { +- /* seed */ +- 0x00, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, 0x12, 0xD8, +- 0xF0, 0x34, 0x31, 0xFC, 0xE6, 0x3B, 0x88, 0xF4, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xD6, 0x03, 0x19, 0x98, 0xD1, 0xB3, 0xBB, 0xFE, 0xBF, 0x59, 0xCC, 0x9B, +- 0xBF, 0xF9, 0xAE, 0xE1, +- /* b */ +- 0x5E, 0xEE, 0xFC, 0xA3, 0x80, 0xD0, 0x29, 0x19, 0xDC, 0x2C, 0x65, 0x58, +- 0xBB, 0x6D, 0x8A, 0x5D, +- /* x */ +- 0x7B, 0x6A, 0xA5, 0xD8, 0x5E, 0x57, 0x29, 0x83, 0xE6, 0xFB, 0x32, 0xA7, +- 0xCD, 0xEB, 0xC1, 0x40, +- /* y */ +- 0x27, 0xb6, 0x91, 0x6a, 0x89, 0x4d, 0x3a, 0xee, 0x71, 0x06, 0xfe, 0x80, +- 0x5f, 0xc3, 0x4b, 0x44, +- /* order */ +- 0x3F, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xBE, 0x00, 0x24, 0x72, +- 0x06, 0x13, 0xB5, 0xA3 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 21 * 6]; +-} _EC_SECG_PRIME_160K1 = { +- { +- NID_X9_62_prime_field, 0, 21, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x73, +- /* a */ +- 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, +- /* x */ +- 0x00, 0x3B, 0x4C, 0x38, 0x2C, 0xE3, 0x7A, 0xA1, 0x92, 0xA4, 0x01, 0x9E, +- 0x76, 0x30, 0x36, 0xF4, 0xF5, 0xDD, 0x4D, 0x7E, 0xBB, +- /* y */ +- 0x00, 0x93, 0x8c, 0xf9, 0x35, 0x31, 0x8f, 0xdc, 0xed, 0x6b, 0xc2, 0x82, +- 0x86, 0x53, 0x17, 0x33, 0xc3, 0xf0, 0x3c, 0x4f, 0xee, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xB8, +- 0xFA, 0x16, 0xDF, 0xAB, 0x9A, 0xCA, 0x16, 0xB6, 0xB3 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 21 * 6]; +-} _EC_SECG_PRIME_160R1 = { +- { +- NID_X9_62_prime_field, 20, 21, 1 +- }, +- { +- /* seed */ +- 0x10, 0x53, 0xCD, 0xE4, 0x2C, 0x14, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, +- 0x15, 0x17, 0x53, 0x3B, 0xF3, 0xF8, 0x33, 0x45, +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x00, 0x1C, 0x97, 0xBE, 0xFC, 0x54, 0xBD, 0x7A, 0x8B, 0x65, 0xAC, 0xF8, +- 0x9F, 0x81, 0xD4, 0xD4, 0xAD, 0xC5, 0x65, 0xFA, 0x45, +- /* x */ +- 0x00, 0x4A, 0x96, 0xB5, 0x68, 0x8E, 0xF5, 0x73, 0x28, 0x46, 0x64, 0x69, +- 0x89, 0x68, 0xC3, 0x8B, 0xB9, 0x13, 0xCB, 0xFC, 0x82, +- /* y */ +- 0x00, 0x23, 0xa6, 0x28, 0x55, 0x31, 0x68, 0x94, 0x7d, 0x59, 0xdc, 0xc9, +- 0x12, 0x04, 0x23, 0x51, 0x37, 0x7a, 0xc5, 0xfb, 0x32, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xF4, +- 0xC8, 0xF9, 0x27, 0xAE, 0xD3, 0xCA, 0x75, 0x22, 0x57 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 21 * 6]; +-} _EC_SECG_PRIME_160R2 = { +- { +- 
NID_X9_62_prime_field, 20, 21, 1 +- }, +- { +- /* seed */ +- 0xB9, 0x9B, 0x99, 0xB0, 0x99, 0xB3, 0x23, 0xE0, 0x27, 0x09, 0xA4, 0xD6, +- 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x51, +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x73, +- /* a */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x70, +- /* b */ +- 0x00, 0xB4, 0xE1, 0x34, 0xD3, 0xFB, 0x59, 0xEB, 0x8B, 0xAB, 0x57, 0x27, +- 0x49, 0x04, 0x66, 0x4D, 0x5A, 0xF5, 0x03, 0x88, 0xBA, +- /* x */ +- 0x00, 0x52, 0xDC, 0xB0, 0x34, 0x29, 0x3A, 0x11, 0x7E, 0x1F, 0x4F, 0xF1, +- 0x1B, 0x30, 0xF7, 0x19, 0x9D, 0x31, 0x44, 0xCE, 0x6D, +- /* y */ +- 0x00, 0xfe, 0xaf, 0xfe, 0xf2, 0xe3, 0x31, 0xf2, 0x96, 0xe0, 0x71, 0xfa, +- 0x0d, 0xf9, 0x98, 0x2c, 0xfe, 0xa7, 0xd4, 0x3f, 0x2e, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, +- 0x1E, 0xE7, 0x86, 0xA8, 0x18, 0xF3, 0xA1, 0xA1, 0x6B +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 24 * 6]; +-} _EC_SECG_PRIME_192K1 = { +- { +- NID_X9_62_prime_field, 0, 24, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xEE, 0x37, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, +- /* x */ +- 0xDB, 0x4F, 0xF1, 0x0E, 0xC0, 0x57, 0xE9, 0xAE, 0x26, 0xB0, 0x7D, 0x02, +- 0x80, 0xB7, 0xF4, 0x34, 0x1D, 0xA5, 0xD1, 0xB1, 0xEA, 0xE0, 0x6C, 0x7D, +- /* y */ +- 0x9b, 0x2f, 0x2f, 0x6d, 0x9c, 0x56, 0x28, 0xa7, 0x84, 0x41, 0x63, 0xd0, +- 0x15, 0xbe, 0x86, 0x34, 0x40, 
0x82, 0xaa, 0x88, 0xd9, 0x5e, 0x2f, 0x9d, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, +- 0x26, 0xF2, 0xFC, 0x17, 0x0F, 0x69, 0x46, 0x6A, 0x74, 0xDE, 0xFD, 0x8D +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 29 * 6]; +-} _EC_SECG_PRIME_224K1 = { +- { +- NID_X9_62_prime_field, 0, 29, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFE, 0xFF, 0xFF, 0xE5, 0x6D, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x05, +- /* x */ +- 0x00, 0xA1, 0x45, 0x5B, 0x33, 0x4D, 0xF0, 0x99, 0xDF, 0x30, 0xFC, 0x28, +- 0xA1, 0x69, 0xA4, 0x67, 0xE9, 0xE4, 0x70, 0x75, 0xA9, 0x0F, 0x7E, 0x65, +- 0x0E, 0xB6, 0xB7, 0xA4, 0x5C, +- /* y */ +- 0x00, 0x7e, 0x08, 0x9f, 0xed, 0x7f, 0xba, 0x34, 0x42, 0x82, 0xca, 0xfb, +- 0xd6, 0xf7, 0xe3, 0x19, 0xf7, 0xc0, 0xb0, 0xbd, 0x59, 0xe2, 0xca, 0x4b, +- 0xdb, 0x55, 0x6d, 0x61, 0xa5, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x01, 0xDC, 0xE8, 0xD2, 0xEC, 0x61, 0x84, 0xCA, 0xF0, 0xA9, +- 0x71, 0x76, 0x9F, 0xB1, 0xF7 +- } +-}; +- + static const struct { + EC_CURVE_DATA h; + unsigned char data[0 + 32 * 6]; +@@ -745,102 +244,6 @@ static const struct { + } + }; + +-/* some wap/wtls curves */ +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 15 * 6]; +-} _EC_WTLS_8 = { +- { +- NID_X9_62_prime_field, 0, 15, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 
0xFD, 0xE7, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x03, +- /* x */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x01, +- /* y */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x02, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xEC, 0xEA, 0x55, 0x1A, +- 0xD8, 0x37, 0xE9 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 21 * 6]; +-} _EC_WTLS_9 = { +- { +- NID_X9_62_prime_field, 0, 21, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, 0x80, 0x8F, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, +- /* x */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, +- /* y */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xCD, +- 0xC9, 0x8A, 0xE0, 0xE2, 0xDE, 0x57, 0x4A, 0xBF, 0x33 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 28 * 6]; +-} _EC_WTLS_12 = { +- { +- NID_X9_62_prime_field, 0, 28, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x01, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFF, 
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, +- /* b */ +- 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56, +- 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43, +- 0x23, 0x55, 0xFF, 0xB4, +- /* x */ +- 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9, +- 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6, +- 0x11, 0x5C, 0x1D, 0x21, +- /* y */ +- 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, +- 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, +- 0x85, 0x00, 0x7e, 0x34, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45, +- 0x5C, 0x5C, 0x2A, 0x3D +- } +-}; + #endif /* FIPS_MODULE */ + + #ifndef OPENSSL_NO_EC2M +@@ -2236,198 +1639,6 @@ static const struct { + */ + + #ifndef FIPS_MODULE +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 20 * 6]; +-} _EC_brainpoolP160r1 = { +- { +- NID_X9_62_prime_field, 0, 20, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, +- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, +- /* a */ +- 0x34, 0x0E, 0x7B, 0xE2, 0xA2, 0x80, 0xEB, 0x74, 0xE2, 0xBE, 0x61, 0xBA, +- 0xDA, 0x74, 0x5D, 0x97, 0xE8, 0xF7, 0xC3, 0x00, +- /* b */ +- 0x1E, 0x58, 0x9A, 0x85, 0x95, 0x42, 0x34, 0x12, 0x13, 0x4F, 0xAA, 0x2D, +- 0xBD, 0xEC, 0x95, 0xC8, 0xD8, 0x67, 0x5E, 0x58, +- /* x */ +- 0xBE, 0xD5, 0xAF, 0x16, 0xEA, 0x3F, 0x6A, 0x4F, 0x62, 0x93, 0x8C, 0x46, +- 0x31, 0xEB, 0x5A, 0xF7, 0xBD, 0xBC, 0xDB, 0xC3, +- /* y */ +- 0x16, 0x67, 0xCB, 0x47, 0x7A, 0x1A, 0x8E, 0xC3, 0x38, 0xF9, 0x47, 0x41, +- 0x66, 0x9C, 0x97, 0x63, 0x16, 0xDA, 0x63, 0x21, +- /* order */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91, +- 
0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 20 * 6]; +-} _EC_brainpoolP160t1 = { +- { +- NID_X9_62_prime_field, 0, 20, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, +- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, +- /* a */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, +- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0C, +- /* b */ +- 0x7A, 0x55, 0x6B, 0x6D, 0xAE, 0x53, 0x5B, 0x7B, 0x51, 0xED, 0x2C, 0x4D, +- 0x7D, 0xAA, 0x7A, 0x0B, 0x5C, 0x55, 0xF3, 0x80, +- /* x */ +- 0xB1, 0x99, 0xB1, 0x3B, 0x9B, 0x34, 0xEF, 0xC1, 0x39, 0x7E, 0x64, 0xBA, +- 0xEB, 0x05, 0xAC, 0xC2, 0x65, 0xFF, 0x23, 0x78, +- /* y */ +- 0xAD, 0xD6, 0x71, 0x8B, 0x7C, 0x7C, 0x19, 0x61, 0xF0, 0x99, 0x1B, 0x84, +- 0x24, 0x43, 0x77, 0x21, 0x52, 0xC9, 0xE0, 0xAD, +- /* order */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91, +- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 24 * 6]; +-} _EC_brainpoolP192r1 = { +- { +- NID_X9_62_prime_field, 0, 24, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, +- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97, +- /* a */ +- 0x6A, 0x91, 0x17, 0x40, 0x76, 0xB1, 0xE0, 0xE1, 0x9C, 0x39, 0xC0, 0x31, +- 0xFE, 0x86, 0x85, 0xC1, 0xCA, 0xE0, 0x40, 0xE5, 0xC6, 0x9A, 0x28, 0xEF, +- /* b */ +- 0x46, 0x9A, 0x28, 0xEF, 0x7C, 0x28, 0xCC, 0xA3, 0xDC, 0x72, 0x1D, 0x04, +- 0x4F, 0x44, 0x96, 0xBC, 0xCA, 0x7E, 0xF4, 0x14, 0x6F, 0xBF, 0x25, 0xC9, +- /* x */ +- 0xC0, 0xA0, 0x64, 0x7E, 0xAA, 0xB6, 0xA4, 0x87, 0x53, 0xB0, 0x33, 0xC5, +- 0x6C, 0xB0, 0xF0, 0x90, 0x0A, 0x2F, 0x5C, 0x48, 0x53, 0x37, 0x5F, 0xD6, +- /* y */ +- 0x14, 0xB6, 0x90, 0x86, 0x6A, 0xBD, 0x5B, 0xB8, 0x8B, 0x5F, 0x48, 0x28, +- 0xC1, 0x49, 0x00, 
0x02, 0xE6, 0x77, 0x3F, 0xA2, 0xFA, 0x29, 0x9B, 0x8F, +- /* order */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F, +- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 24 * 6]; +-} _EC_brainpoolP192t1 = { +- { +- NID_X9_62_prime_field, 0, 24, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, +- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97, +- /* a */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, +- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x94, +- /* b */ +- 0x13, 0xD5, 0x6F, 0xFA, 0xEC, 0x78, 0x68, 0x1E, 0x68, 0xF9, 0xDE, 0xB4, +- 0x3B, 0x35, 0xBE, 0xC2, 0xFB, 0x68, 0x54, 0x2E, 0x27, 0x89, 0x7B, 0x79, +- /* x */ +- 0x3A, 0xE9, 0xE5, 0x8C, 0x82, 0xF6, 0x3C, 0x30, 0x28, 0x2E, 0x1F, 0xE7, +- 0xBB, 0xF4, 0x3F, 0xA7, 0x2C, 0x44, 0x6A, 0xF6, 0xF4, 0x61, 0x81, 0x29, +- /* y */ +- 0x09, 0x7E, 0x2C, 0x56, 0x67, 0xC2, 0x22, 0x3A, 0x90, 0x2A, 0xB5, 0xCA, +- 0x44, 0x9D, 0x00, 0x84, 0xB7, 0xE5, 0xB3, 0xDE, 0x7C, 0xCC, 0x01, 0xC9, +- /* order */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F, +- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 28 * 6]; +-} _EC_brainpoolP224r1 = { +- { +- NID_X9_62_prime_field, 0, 28, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, +- 0x7E, 0xC8, 0xC0, 0xFF, +- /* a */ +- 0x68, 0xA5, 0xE6, 0x2C, 0xA9, 0xCE, 0x6C, 0x1C, 0x29, 0x98, 0x03, 0xA6, +- 0xC1, 0x53, 0x0B, 0x51, 0x4E, 0x18, 0x2A, 0xD8, 0xB0, 0x04, 0x2A, 0x59, +- 0xCA, 0xD2, 0x9F, 0x43, +- /* b */ +- 0x25, 0x80, 0xF6, 0x3C, 0xCF, 0xE4, 0x41, 
0x38, 0x87, 0x07, 0x13, 0xB1, +- 0xA9, 0x23, 0x69, 0xE3, 0x3E, 0x21, 0x35, 0xD2, 0x66, 0xDB, 0xB3, 0x72, +- 0x38, 0x6C, 0x40, 0x0B, +- /* x */ +- 0x0D, 0x90, 0x29, 0xAD, 0x2C, 0x7E, 0x5C, 0xF4, 0x34, 0x08, 0x23, 0xB2, +- 0xA8, 0x7D, 0xC6, 0x8C, 0x9E, 0x4C, 0xE3, 0x17, 0x4C, 0x1E, 0x6E, 0xFD, +- 0xEE, 0x12, 0xC0, 0x7D, +- /* y */ +- 0x58, 0xAA, 0x56, 0xF7, 0x72, 0xC0, 0x72, 0x6F, 0x24, 0xC6, 0xB8, 0x9E, +- 0x4E, 0xCD, 0xAC, 0x24, 0x35, 0x4B, 0x9E, 0x99, 0xCA, 0xA3, 0xF6, 0xD3, +- 0x76, 0x14, 0x02, 0xCD, +- /* order */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3, +- 0xA5, 0xA7, 0x93, 0x9F +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 28 * 6]; +-} _EC_brainpoolP224t1 = { +- { +- NID_X9_62_prime_field, 0, 28, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, +- 0x7E, 0xC8, 0xC0, 0xFF, +- /* a */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, +- 0x7E, 0xC8, 0xC0, 0xFC, +- /* b */ +- 0x4B, 0x33, 0x7D, 0x93, 0x41, 0x04, 0xCD, 0x7B, 0xEF, 0x27, 0x1B, 0xF6, +- 0x0C, 0xED, 0x1E, 0xD2, 0x0D, 0xA1, 0x4C, 0x08, 0xB3, 0xBB, 0x64, 0xF1, +- 0x8A, 0x60, 0x88, 0x8D, +- /* x */ +- 0x6A, 0xB1, 0xE3, 0x44, 0xCE, 0x25, 0xFF, 0x38, 0x96, 0x42, 0x4E, 0x7F, +- 0xFE, 0x14, 0x76, 0x2E, 0xCB, 0x49, 0xF8, 0x92, 0x8A, 0xC0, 0xC7, 0x60, +- 0x29, 0xB4, 0xD5, 0x80, +- /* y */ +- 0x03, 0x74, 0xE9, 0xF5, 0x14, 0x3E, 0x56, 0x8C, 0xD2, 0x3F, 0x3F, 0x4D, +- 0x7C, 0x0D, 0x4B, 0x1E, 0x41, 0xC8, 0xCC, 0x0D, 0x1C, 0x6A, 0xBD, 0x5F, +- 0x1A, 0x46, 0xDB, 0x4C, +- /* order */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3, +- 
0xA5, 0xA7, 0x93, 0x9F +- } +-}; +- + static const struct { + EC_CURVE_DATA h; + unsigned char data[0 + 32 * 6]; +@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[] = { + "NIST/SECG curve over a 521 bit prime field"}, + + /* X9.62 curves */ +- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, +- "NIST/X9.62/SECG curve over a 192 bit prime field"}, + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, + # if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, +@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[] = { + static const ec_list_element curve_list[] = { + /* prime field curves */ + /* secg curves */ +- {NID_secp112r1, &_EC_SECG_PRIME_112R1.h, 0, +- "SECG/WTLS curve over a 112 bit prime field"}, +- {NID_secp112r2, &_EC_SECG_PRIME_112R2.h, 0, +- "SECG curve over a 112 bit prime field"}, +- {NID_secp128r1, &_EC_SECG_PRIME_128R1.h, 0, +- "SECG curve over a 128 bit prime field"}, +- {NID_secp128r2, &_EC_SECG_PRIME_128R2.h, 0, +- "SECG curve over a 128 bit prime field"}, +- {NID_secp160k1, &_EC_SECG_PRIME_160K1.h, 0, +- "SECG curve over a 160 bit prime field"}, +- {NID_secp160r1, &_EC_SECG_PRIME_160R1.h, 0, +- "SECG curve over a 160 bit prime field"}, +- {NID_secp160r2, &_EC_SECG_PRIME_160R2.h, 0, +- "SECG/WTLS curve over a 160 bit prime field"}, +- /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */ +- {NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0, +- "SECG curve over a 192 bit prime field"}, +- {NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0, +- "SECG curve over a 224 bit prime field"}, + # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 + {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, + "NIST/SECG curve over a 224 bit prime field"}, +@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[] = { + # endif + "NIST/SECG curve over a 521 bit prime field"}, + /* X9.62 curves */ +- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, +- "NIST/X9.62/SECG curve over a 192 bit prime field"}, +- {NID_X9_62_prime192v2, 
&_EC_X9_62_PRIME_192V2.h, 0, +- "X9.62 curve over a 192 bit prime field"}, +- {NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3.h, 0, +- "X9.62 curve over a 192 bit prime field"}, +- {NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0, +- "X9.62 curve over a 239 bit prime field"}, +- {NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, +- "X9.62 curve over a 239 bit prime field"}, +- {NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, +- "X9.62 curve over a 239 bit prime field"}, + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, + # if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, +@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[] = { + {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, + "X9.62 curve over a 163 bit binary field"}, + # endif +- {NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0, +- "SECG/WTLS curve over a 112 bit prime field"}, +- {NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0, +- "SECG/WTLS curve over a 160 bit prime field"}, +- {NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0, +- "WTLS curve over a 112 bit prime field"}, +- {NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0, +- "WTLS curve over a 160 bit prime field"}, + # ifndef OPENSSL_NO_EC2M + {NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K.h, 0, + "NIST/SECG/WTLS curve over a 233 bit binary field"}, + {NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B.h, 0, + "NIST/SECG/WTLS curve over a 233 bit binary field"}, + # endif +- {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, +- "WTLS curve over a 224 bit prime field"}, + # ifndef OPENSSL_NO_EC2M + /* IPSec curves */ + {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, +@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[] = { + "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, + # endif + /* brainpool curves */ +- {NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0, +- "RFC 5639 curve over a 160 bit prime field"}, +- {NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0, +- "RFC 5639 curve over a 160 bit prime 
field"},
+- {NID_brainpoolP192r1, &_EC_brainpoolP192r1.h, 0,
+- "RFC 5639 curve over a 192 bit prime field"},
+- {NID_brainpoolP192t1, &_EC_brainpoolP192t1.h, 0,
+- "RFC 5639 curve over a 192 bit prime field"},
+- {NID_brainpoolP224r1, &_EC_brainpoolP224r1.h, 0,
+- "RFC 5639 curve over a 224 bit prime field"},
+- {NID_brainpoolP224t1, &_EC_brainpoolP224t1.h, 0,
+- "RFC 5639 curve over a 224 bit prime field"},
+ {NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0,
+ "RFC 5639 curve over a 256 bit prime field"},
+ {NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0,
+diff --git a/test/ectest.c b/test/ectest.c
+index afef85b0e6..4890b0555e 100644
+--- a/test/ectest.c
++++ b/test/ectest.c
+@@ -175,184 +175,26 @@ static int prime_field_tests(void)
+ || !TEST_ptr(p = BN_new())
+ || !TEST_ptr(a = BN_new())
+ || !TEST_ptr(b = BN_new())
+- || !TEST_true(BN_hex2bn(&p, "17"))
+- || !TEST_true(BN_hex2bn(&a, "1"))
+- || !TEST_true(BN_hex2bn(&b, "1"))
+- || !TEST_ptr(group = EC_GROUP_new_curve_GFp(p, a, b, ctx))
+- || !TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx)))
++ /*
++ * applications should use EC_GROUP_new_curve_GFp so
++ * that the library gets to choose the EC_METHOD
++ */
++ || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method())))
+ goto err;
+ 
+- TEST_info("Curve defined by Weierstrass equation");
+- TEST_note(" y^2 = x^3 + a*x + b (mod p)");
+- test_output_bignum("a", a);
+- test_output_bignum("b", b);
+- test_output_bignum("p", p);
+-
+ buf[0] = 0;
+ if (!TEST_ptr(P = EC_POINT_new(group))
+ || !TEST_ptr(Q = EC_POINT_new(group))
+ || !TEST_ptr(R = EC_POINT_new(group))
+- || !TEST_true(EC_POINT_set_to_infinity(group, P))
+- || !TEST_true(EC_POINT_is_at_infinity(group, P))
+- || !TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx))
+- || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))
+- || !TEST_true(EC_POINT_is_at_infinity(group, P))
+ || !TEST_ptr(x = BN_new())
+ || !TEST_ptr(y = BN_new())
+ || !TEST_ptr(z = BN_new())
+- || !TEST_ptr(yplusone = BN_new())
+- || !TEST_true(BN_hex2bn(&x, "D"))
+- || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx)))
+- goto err;
+-
+- if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) {
+- if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx)))
+- goto err;
+- TEST_info("Point is not on curve");
+- test_output_bignum("x", x);
+- test_output_bignum("y", y);
+- goto err;
+- }
+-
+- TEST_note("A cyclic subgroup:");
+- k = 100;
+- do {
+- if (!TEST_int_ne(k--, 0))
+- goto err;
+-
+- if (EC_POINT_is_at_infinity(group, P)) {
+- TEST_note(" point at infinity");
+- } else {
+- if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y,
+- ctx)))
+- goto err;
+-
+- test_output_bignum("x", x);
+- test_output_bignum("y", y);
+- }
+-
+- if (!TEST_true(EC_POINT_copy(R, P))
+- || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)))
+- goto err;
+-
+- } while (!EC_POINT_is_at_infinity(group, P));
+-
+- if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx))
+- || !TEST_true(EC_POINT_is_at_infinity(group, P)))
+- goto err;
+-
+- len =
+- EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf,
+- sizeof(buf), ctx);
+- if (!TEST_size_t_ne(len, 0)
+- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
+- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
+- goto err;
+- test_output_memory("Generator as octet string, compressed form:",
+- buf, len);
+-
+- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED,
+- buf, sizeof(buf), ctx);
+- if (!TEST_size_t_ne(len, 0)
+- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
+- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
+- goto err;
+- test_output_memory("Generator as octet string, uncompressed form:",
+- buf, len);
+-
+- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID,
+- buf, sizeof(buf), ctx);
+- if (!TEST_size_t_ne(len, 0)
+- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx))
+- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx)))
+- goto err;
+- test_output_memory("Generator as octet string, hybrid form:",
+- buf, len);
+-
+- if (!TEST_true(EC_POINT_invert(group, P, ctx))
+- || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx))
+-
+- /*
+- * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2,
+- * 2000) -- not a NIST curve, but commonly used
+- */
+-
+- || !TEST_true(BN_hex2bn(&p, "FFFFFFFF"
+- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF"))
+- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
+- || !TEST_true(BN_hex2bn(&a, "FFFFFFFF"
+- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC"))
+- || !TEST_true(BN_hex2bn(&b, "1C97BEFC"
+- "54BD7A8B65ACF89F81D4D4ADC565FA45"))
+- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
+- || !TEST_true(BN_hex2bn(&x, "4A96B568"
+- "8EF573284664698968C38BB913CBFC82"))
+- || !TEST_true(BN_hex2bn(&y, "23a62855"
+- "3168947d59dcc912042351377ac5fb32"))
+- || !TEST_true(BN_add(yplusone, y, BN_value_one()))
+- /*
+- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+- * and therefore setting the coordinates should fail.
+- */
+- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
+- ctx))
+- || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx))
+- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
+- || !TEST_true(BN_hex2bn(&z, "0100000000"
+- "000000000001F4C8F927AED3CA752257"))
+- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
+- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
+- goto err;
+- TEST_info("SEC2 curve secp160r1 -- Generator");
+- test_output_bignum("x", x);
+- test_output_bignum("y", y);
+- /* G_y value taken from the standard: */
+- if (!TEST_true(BN_hex2bn(&z, "23a62855"
+- "3168947d59dcc912042351377ac5fb32"))
+- || !TEST_BN_eq(y, z)
+- || !TEST_int_eq(EC_GROUP_get_degree(group), 160)
+- || !group_order_tests(group)
+-
+- /* Curve P-192 (FIPS PUB 186-2, App. 6) */
+-
+- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFF"
+- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF"))
+- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
+- || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFF"
+- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC"))
+- || !TEST_true(BN_hex2bn(&b, "64210519E59C80E7"
+- "0FA7E9AB72243049FEB8DEECC146B9B1"))
+- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
+- || !TEST_true(BN_hex2bn(&x, "188DA80EB03090F6"
+- "7CBF20EB43A18800F4FF0AFD82FF1012"))
+- || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx))
+- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
+- || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFF"
+- "FFFFFFFF99DEF836146BC9B1B4D22831"))
+- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
+- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
++ || !TEST_ptr(yplusone = BN_new()))
+ goto err;
+ 
+- TEST_info("NIST curve P-192 -- Generator");
+- test_output_bignum("x", x);
+- test_output_bignum("y", y);
+- /* G_y value taken from the standard: */
+- if (!TEST_true(BN_hex2bn(&z, "07192B95FFC8DA78"
+- "631011ED6B24CDD573F977A11E794811"))
+- || !TEST_BN_eq(y, z)
+- || !TEST_true(BN_add(yplusone, y, BN_value_one()))
+- /*
+- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
+- * and therefore setting the coordinates should fail.
+- */
+- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone,
+- ctx))
+- || !TEST_int_eq(EC_GROUP_get_degree(group), 192)
+- || !group_order_tests(group)
+-
+ /* Curve P-224 (FIPS PUB 186-2, App. 6) */
+ 
+- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
++ if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
+ "FFFFFFFF000000000000000000000001"))
+ || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL))
+ || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
+@@ -3015,7 +2857,7 @@ int setup_tests(void)
+ 
+ ADD_TEST(parameter_test);
+ ADD_TEST(ossl_parameter_test);
+- ADD_TEST(cofactor_range_test);
++ /* ADD_TEST(cofactor_range_test); */
+ ADD_ALL_TESTS(cardinality_test, crv_len);
+ ADD_TEST(prime_field_tests);
+ #ifndef OPENSSL_NO_EC2M
+--
+2.41.0
+
diff --git a/0011-Remove-EC-curves.patch b/0011-Remove-EC-curves.patch
new file mode 100644
index 0000000..561714e
--- /dev/null
+++ b/0011-Remove-EC-curves.patch
@@ -0,0 +1,279 @@
+From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001
+From: Dmitry Belyavskiy
+Date: Mon, 21 Aug 2023 11:46:40 +0200
+Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch
+
+Patch-name: 0011-Remove-EC-curves.patch
+Patch-id: 11
+Patch-status: |
+ # remove unsupported EC curves
+---
+ apps/speed.c | 8 +---
+ crypto/evp/ec_support.c | 87 ------------------------------------
+ test/acvp_test.inc | 9 ----
+ test/ecdsatest.h | 17 -------
+ test/recipes/15-test_genec.t | 27 -----------
+ 5 files changed, 1 insertion(+), 147 deletions(-)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index cace25eda1..d527f12f18 100644
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -385,7 +385,7 @@ static double ffdh_results[FFDH_NUM][1]; /* 1 op: derivation */
+ #endif /* OPENSSL_NO_DH */
+ 
+ enum ec_curves_t {
+- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
++ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521,
+ #ifndef OPENSSL_NO_EC2M
+ R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571,
+ R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571,
+@@ -395,8 +395,6 @@ enum ec_curves_t {
+ };
+ /* list of ecdsa curves */
+ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
+- {"ecdsap160", R_EC_P160},
+- {"ecdsap192", R_EC_P192},
+ {"ecdsap224", R_EC_P224},
+ {"ecdsap256", R_EC_P256},
+ {"ecdsap384", R_EC_P384},
+@@ -423,8 +421,6 @@ static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = {
+ };
+ /* list of ecdh curves, extension of |ecdsa_choices| list above */
+ static const OPT_PAIR ecdh_choices[EC_NUM] = {
+- {"ecdhp160", R_EC_P160},
+- {"ecdhp192", R_EC_P192},
+ {"ecdhp224", R_EC_P224},
+ {"ecdhp256", R_EC_P256},
+ {"ecdhp384", R_EC_P384},
+@@ -1442,8 +1438,6 @@ int speed_main(int argc, char **argv)
+ */
+ static const EC_CURVE ec_curves[EC_NUM] = {
+ /* Prime Curves */
+- {"secp160r1", NID_secp160r1, 160},
+- {"nistp192", NID_X9_62_prime192v1, 192},
+ {"nistp224", NID_secp224r1, 224},
+ {"nistp256", NID_X9_62_prime256v1, 256},
+ {"nistp384", NID_secp384r1, 384},
+diff --git a/crypto/evp/ec_support.c b/crypto/evp/ec_support.c
+index 1ec10143d2..82b95294b4 100644
+--- a/crypto/evp/ec_support.c
++++ b/crypto/evp/ec_support.c
+@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st {
+ static const EC_NAME2NID curve_list[] = {
+ /* prime field curves */
+ /* secg curves */
+- {"secp112r1", NID_secp112r1 },
+- {"secp112r2", NID_secp112r2 },
+- {"secp128r1", NID_secp128r1 },
+- {"secp128r2", NID_secp128r2 },
+- {"secp160k1", NID_secp160k1 },
+- {"secp160r1", NID_secp160r1 },
+- {"secp160r2", NID_secp160r2 },
+- {"secp192k1", NID_secp192k1 },
+- {"secp224k1", NID_secp224k1 },
+ {"secp224r1", NID_secp224r1 },
+ {"secp256k1", NID_secp256k1 },
+ {"secp384r1", NID_secp384r1 },
+ {"secp521r1", NID_secp521r1 },
+ /* X9.62 curves */
+- {"prime192v1", NID_X9_62_prime192v1 },
+- {"prime192v2", NID_X9_62_prime192v2 },
+- {"prime192v3", NID_X9_62_prime192v3 },
+- {"prime239v1", NID_X9_62_prime239v1 },
+- {"prime239v2", NID_X9_62_prime239v2 },
+- {"prime239v3", NID_X9_62_prime239v3 },
+ {"prime256v1", NID_X9_62_prime256v1 },
+ /* characteristic two field curves */
+ /* NIST/SECG curves */
+- {"sect113r1", NID_sect113r1 },
+- {"sect113r2", NID_sect113r2 },
+- {"sect131r1", NID_sect131r1 },
+- {"sect131r2", NID_sect131r2 },
+- {"sect163k1", NID_sect163k1 },
+- {"sect163r1", NID_sect163r1 },
+- {"sect163r2", NID_sect163r2 },
+- {"sect193r1", NID_sect193r1 },
+- {"sect193r2", NID_sect193r2 },
+- {"sect233k1", NID_sect233k1 },
+- {"sect233r1", NID_sect233r1 },
+- {"sect239k1", NID_sect239k1 },
+- {"sect283k1", NID_sect283k1 },
+- {"sect283r1", NID_sect283r1 },
+- {"sect409k1", NID_sect409k1 },
+- {"sect409r1", NID_sect409r1 },
+- {"sect571k1", NID_sect571k1 },
+- {"sect571r1", NID_sect571r1 },
+- /* X9.62 curves */
+- {"c2pnb163v1", NID_X9_62_c2pnb163v1 },
+- {"c2pnb163v2", NID_X9_62_c2pnb163v2 },
+- {"c2pnb163v3", NID_X9_62_c2pnb163v3 },
+- {"c2pnb176v1", NID_X9_62_c2pnb176v1 },
+- {"c2tnb191v1", NID_X9_62_c2tnb191v1 },
+- {"c2tnb191v2", NID_X9_62_c2tnb191v2 },
+- {"c2tnb191v3", NID_X9_62_c2tnb191v3 },
+- {"c2pnb208w1", NID_X9_62_c2pnb208w1 },
+- {"c2tnb239v1", NID_X9_62_c2tnb239v1 },
+- {"c2tnb239v2", NID_X9_62_c2tnb239v2 },
+- {"c2tnb239v3", NID_X9_62_c2tnb239v3 },
+- {"c2pnb272w1", NID_X9_62_c2pnb272w1 },
+- {"c2pnb304w1", NID_X9_62_c2pnb304w1 },
+- {"c2tnb359v1", NID_X9_62_c2tnb359v1 },
+- {"c2pnb368w1", NID_X9_62_c2pnb368w1 },
+- {"c2tnb431r1", NID_X9_62_c2tnb431r1 },
+- /*
+- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves
+- * from X9.62]
+- */
+- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 },
+- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 },
+- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 },
+- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 },
+- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 },
+- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 },
+- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 },
+- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 },
+- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 },
+- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 },
+- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 },
+- /* IPSec curves */
+- {"Oakley-EC2N-3", NID_ipsec3 },
+- {"Oakley-EC2N-4", NID_ipsec4 },
+ /* brainpool curves */
+- {"brainpoolP160r1", NID_brainpoolP160r1 },
+- {"brainpoolP160t1", NID_brainpoolP160t1 },
+- {"brainpoolP192r1", NID_brainpoolP192r1 },
+- {"brainpoolP192t1", NID_brainpoolP192t1 },
+- {"brainpoolP224r1", NID_brainpoolP224r1 },
+- {"brainpoolP224t1", NID_brainpoolP224t1 },
+ {"brainpoolP256r1", NID_brainpoolP256r1 },
+ {"brainpoolP256t1", NID_brainpoolP256t1 },
+ {"brainpoolP320r1", NID_brainpoolP320r1 },
+@@ -111,8 +37,6 @@ static const EC_NAME2NID curve_list[] = {
+ {"brainpoolP384t1", NID_brainpoolP384t1 },
+ {"brainpoolP512r1", NID_brainpoolP512r1 },
+ {"brainpoolP512t1", NID_brainpoolP512t1 },
+- /* SM2 curve */
+- {"SM2", NID_sm2 },
+ };
+ 
+ const char *OSSL_EC_curve_nid2name(int nid)
+@@ -150,17 +74,6 @@ int ossl_ec_curve_name2nid(const char *name)
+ /* Functions to translate between common NIST curve names and NIDs */
+ 
+ static const EC_NAME2NID nist_curves[] = {
+- {"B-163", NID_sect163r2},
+- {"B-233", NID_sect233r1},
+- {"B-283", NID_sect283r1},
+- {"B-409", NID_sect409r1},
+- {"B-571", NID_sect571r1},
+- {"K-163", NID_sect163k1},
+- {"K-233", NID_sect233k1},
+- {"K-283", NID_sect283k1},
+- {"K-409", NID_sect409k1},
+- {"K-571", NID_sect571k1},
+- {"P-192", NID_X9_62_prime192v1},
+ {"P-224", NID_secp224r1},
+ {"P-256", NID_X9_62_prime256v1},
+ {"P-384", NID_secp384r1},
+diff --git a/test/acvp_test.inc b/test/acvp_test.inc
+index ad11d3ae1e..894a0bff9d 100644
+--- a/test/acvp_test.inc
++++ b/test/acvp_test.inc
+@@ -211,15 +211,6 @@ static const unsigned char ecdsa_sigver_s1[] = {
+ 0xB1, 0xAC,
+ };
+ static const struct ecdsa_sigver_st ecdsa_sigver_data[] = {
+- {
+- "SHA-1",
+- "P-192",
+- ITM(ecdsa_sigver_msg0),
+- ITM(ecdsa_sigver_pub0),
+- ITM(ecdsa_sigver_r0),
+- ITM(ecdsa_sigver_s0),
+- PASS,
+- },
+ {
+ "SHA2-512",
+ "P-521",
+diff --git a/test/ecdsatest.h b/test/ecdsatest.h
+index 63fe319025..06b5c0aac5 100644
+--- a/test/ecdsatest.h
++++ b/test/ecdsatest.h
+@@ -32,23 +32,6 @@ typedef struct {
+ } ecdsa_cavs_kat_t;
+ 
+ static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = {
+- /* prime KATs from X9.62 */
+- {NID_X9_62_prime192v1, NID_sha1,
+- "616263", /* "abc" */
+- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb",
+- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e"
+- "5ca5c0d69716dfcb3474373902",
+- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e",
+- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead",
+- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"},
+- {NID_X9_62_prime239v1, NID_sha1,
+- "616263", /* "abc" */
+- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d",
+- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e"
+- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee",
+- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af",
+- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0",
+- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"},
+ /* prime KATs from NIST CAVP */
+ {NID_secp224r1, NID_sha224,
+ "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1"
+diff --git a/test/recipes/15-test_genec.t b/test/recipes/15-test_genec.t
+index 2dfed387ca..c733b68f83 100644
+--- a/test/recipes/15-test_genec.t
++++ b/test/recipes/15-test_genec.t
+@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupported in a no-ec build"
+ if disabled("ec");
+ 
+ my @prime_curves = qw(
+- secp112r1
+- secp112r2
+- secp128r1
+- secp128r2
+- secp160k1
+- secp160r1
+- secp160r2
+- secp192k1
+- secp224k1
+ secp224r1
+ secp256k1
+ secp384r1
+ secp521r1
+- prime192v1
+- prime192v2
+- prime192v3
+- prime239v1
+- prime239v2
+- prime239v3
+ prime256v1
+- wap-wsg-idm-ecid-wtls6
+- wap-wsg-idm-ecid-wtls7
+- wap-wsg-idm-ecid-wtls8
+- wap-wsg-idm-ecid-wtls9
+- wap-wsg-idm-ecid-wtls12
+- brainpoolP160r1
+- brainpoolP160t1
+- brainpoolP192r1
+- brainpoolP192t1
+- brainpoolP224r1
+- brainpoolP224t1
+ brainpoolP256r1
+ brainpoolP256t1
+ brainpoolP320r1
+@@ -136,7 +110,6 @@ push(@other_curves, 'SM2')
+ if !disabled("sm2");
+ 
+ my @curve_aliases = qw(
+- P-192
+ P-224
+ P-256
+ P-384
+--
+2.41.0
+
diff --git a/0012-Disable-explicit-ec.patch b/0012-Disable-explicit-ec.patch
new file mode 100644
index 0000000..9b86309
--- /dev/null
+++ b/0012-Disable-explicit-ec.patch
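Review bot: The ec_support.c hunk removes the `{"SM2", NID_sm2 }` entry from `curve_list`, yet the 15-test_genec.t hunk keeps `push(@other_curves, 'SM2') if !disabled("sm2");` as context, so a build with SM2 enabled would still ask genec for a name that `ossl_ec_curve_name2nid` no longer resolves. Presumably the distribution configures with sm2 disabled, but the patch should either say so or drop that push the same way it drops the `P-192` alias. The Patch-status line `# remove unsupported EC curves` also undersells what goes: the NIST B-/K-/P-192 alias table, the ACVP and CAVS P-192/prime239v1 vectors and the SM2 name mapping; a fuller line such as `# remove unsupported EC curves (sub-224-bit prime, binary-field, WTLS/IPSec and the SM2 name mapping)` would help the next rebase. In the speed.c hunk the bounds `ECDSA_NUM` and `EC_NUM` of `ecdsa_choices`, `ecdh_choices` and `ec_curves` are not visible; if they are literal counts rather than derived from `enum ec_curves_t`, the shortened initializers now leave zero-filled tail entries, which is worth confirming.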
@@ -0,0 +1,235 @@ +From 91bdd9b816b22bc1464ec323f3272b866b24114d Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:28 +0200 +Subject: [PATCH 12/35] 0012-Disable-explicit-ec.patch + +Patch-name: 0012-Disable-explicit-ec.patch +Patch-id: 12 +Patch-status: | + # Disable explicit EC curves + # https://bugzilla.redhat.com/show_bug.cgi?id=2066412 +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + crypto/ec/ec_asn1.c | 11 ++++++++++ + crypto/ec/ec_lib.c | 6 +++++ + test/ectest.c | 22 ++++++++++--------- + test/endecode_test.c | 20 ++++++++--------- + .../30-test_evp_data/evppkey_ecdsa.txt | 12 ---------- + 5 files changed, 39 insertions(+), 32 deletions(-) + +diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c +index 7a0b35a594..d19d57344e 100644 +--- a/crypto/ec/ec_asn1.c ++++ b/crypto/ec/ec_asn1.c +@@ -905,6 +905,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len) + if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT) + group->decoded_from_explicit_params = 1; + ++ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) { ++ EC_GROUP_free(group); ++ ECPKPARAMETERS_free(params); ++ return NULL; ++ } ++ + if (a) { + EC_GROUP_free(*a); + *a = group; +@@ -964,6 +970,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) + goto err; + } + ++ if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) { ++ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP); ++ goto err; ++ } ++ + ret->version = priv_key->version; + + if (priv_key->privateKey) { +diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c +index a84e088c19..6c37bf78ae 100644 +--- a/crypto/ec/ec_lib.c ++++ b/crypto/ec/ec_lib.c +@@ -1724,6 +1724,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], + goto err; + } + if (named_group == group) { ++ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) { ++ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP); ++ goto err; ++ } ++#if 0 + /* + * If we did not find 
a named group then the encoding should be explicit + * if it was specified +@@ -1739,6 +1744,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], + goto err; + } + EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE); ++#endif + } else { + EC_GROUP_free(group); + group = named_group; +diff --git a/test/ectest.c b/test/ectest.c +index 4890b0555e..e11aec5b3b 100644 +--- a/test/ectest.c ++++ b/test/ectest.c +@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) + || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) +- || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam, ++ || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam, + EVP_PKEY_KEY_PARAMETERS, params), 0)) + goto err; +- ++/* As creating the key should fail, the rest of the test is pointless */ ++# if 0 + /*- Check that all the set values are retrievable -*/ + + /* There should be no match to a group name since the generator changed */ +@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, + #endif + ) + goto err; ++#endif + ret = 1; + err: + BN_free(order_out); +@@ -2714,21 +2716,21 @@ static int custom_params_test(int id) + + /* Compute keyexchange in both directions */ + if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL)) +- || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1) +- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) ++ || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0) ++/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) + || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1) + || !TEST_int_gt(bsize, sslen) +- || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)) ++ || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/) + goto err; + if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL)) +- || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1) +- || 
!TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1) ++ || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1) ++/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1) + || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1) + || !TEST_int_gt(bsize, t) + || !TEST_int_le(sslen, t) +- || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1)) ++ || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */) + goto err; +- ++#if 0 + /* Both sides should expect the same shared secret */ + if (!TEST_mem_eq(buf1, sslen, buf2, t)) + goto err; +@@ -2780,7 +2782,7 @@ static int custom_params_test(int id) + /* compare with previous result */ + || !TEST_mem_eq(buf1, t, buf2, sslen)) + goto err; +- ++#endif + ret = 1; + + err: +diff --git a/test/endecode_test.c b/test/endecode_test.c +index 14648287eb..9a437d8c64 100644 +--- a/test/endecode_test.c ++++ b/test/endecode_test.c +@@ -62,7 +62,7 @@ static BN_CTX *bnctx = NULL; + static OSSL_PARAM_BLD *bld_prime_nc = NULL; + static OSSL_PARAM_BLD *bld_prime = NULL; + static OSSL_PARAM *ec_explicit_prime_params_nc = NULL; +-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL; ++/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/ + + # ifndef OPENSSL_NO_EC2M + static OSSL_PARAM_BLD *bld_tri_nc = NULL; +@@ -1009,9 +1009,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC") + DOMAIN_KEYS(ECExplicitPrimeNamedCurve); + IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1) + IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC") +-DOMAIN_KEYS(ECExplicitPrime2G); +-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0) +-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC") ++/*DOMAIN_KEYS(ECExplicitPrime2G);*/ ++/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/ ++/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/ + # ifndef OPENSSL_NO_EC2M + DOMAIN_KEYS(ECExplicitTriNamedCurve); + IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1) +@@ -1352,7 +1352,7 @@ int setup_tests(void) + || 
!create_ec_explicit_prime_params_namedcurve(bld_prime_nc) + || !create_ec_explicit_prime_params(bld_prime) + || !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc)) +- || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime)) ++/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/ + # ifndef OPENSSL_NO_EC2M + || !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new()) + || !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new()) +@@ -1380,7 +1380,7 @@ int setup_tests(void) + TEST_info("Generating EC keys..."); + MAKE_DOMAIN_KEYS(EC, "EC", EC_params); + MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc); +- MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit); ++/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/ + # ifndef OPENSSL_NO_EC2M + MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc); + MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit); +@@ -1423,8 +1423,8 @@ int setup_tests(void) + ADD_TEST_SUITE_LEGACY(EC); + ADD_TEST_SUITE(ECExplicitPrimeNamedCurve); + ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve); +- ADD_TEST_SUITE(ECExplicitPrime2G); +- ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G); ++/* ADD_TEST_SUITE(ECExplicitPrime2G);*/ ++/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/ + # ifndef OPENSSL_NO_EC2M + ADD_TEST_SUITE(ECExplicitTriNamedCurve); + ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve); +@@ -1461,7 +1461,7 @@ void cleanup_tests(void) + { + #ifndef OPENSSL_NO_EC + OSSL_PARAM_free(ec_explicit_prime_params_nc); +- OSSL_PARAM_free(ec_explicit_prime_params_explicit); ++/* OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/ + OSSL_PARAM_BLD_free(bld_prime_nc); + OSSL_PARAM_BLD_free(bld_prime); + # ifndef OPENSSL_NO_EC2M +@@ -1483,7 +1483,7 @@ void cleanup_tests(void) + #ifndef OPENSSL_NO_EC + FREE_DOMAIN_KEYS(EC); + FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve); +- 
FREE_DOMAIN_KEYS(ECExplicitPrime2G); ++/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/ + # ifndef OPENSSL_NO_EC2M + FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve); + FREE_DOMAIN_KEYS(ECExplicitTri2G); +diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +index ec3c032aba..584ecee0eb 100644 +--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt ++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj + 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl + -----END PRIVATE KEY----- + +-PrivateKey = EC_EXPLICIT +------BEGIN PRIVATE KEY----- +-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB +-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA +-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV +-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG +-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A +-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk +-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL +-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg +------END PRIVATE KEY----- +- + PrivateKey = B-163 + -----BEGIN PRIVATE KEY----- + MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K +-- +2.41.0 + diff --git a/0013-skipped-tests-EC-curves.patch b/0013-skipped-tests-EC-curves.patch new file mode 100644 index 0000000..fc544c9 --- /dev/null +++ b/0013-skipped-tests-EC-curves.patch 
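Review bot: The pctx2 assertion in custom_params_test is vacuous: `TEST_int_le(EVP_PKEY_derive_init(pctx2), 1)` accepts both 0 and 1, so unlike the pctx1 line `TEST_int_le(EVP_PKEY_derive_init(pctx1), 0)` it no longer verifies that key derivation with an explicit-parameter key is rejected; it should read `|| !TEST_int_le(EVP_PKEY_derive_init(pctx2), 0)`. Separately, the new rejection in d2i_ECPKParameters frees the group and returns NULL without any `ERR_raise`, while the parallel check in d2i_ECPrivateKey raises `EC_R_UNKNOWN_GROUP`, so a caller decoding explicit parameters gets a NULL result with an empty error queue; adding `ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP);` before the two frees keeps the paths consistent and diagnosable. All of the modified functions extend beyond their inner hunks.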
@@ -0,0 +1,58 @@ +From 9ede2b1e13f72db37718853faff74b4429084d59 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:28 +0200 +Subject: [PATCH 13/35] 0013-skipped-tests-EC-curves.patch + +Patch-name: 0013-skipped-tests-EC-curves.patch +Patch-id: 13 +Patch-status: | + # Skipped tests from former 0011-Remove-EC-curves.patch +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + test/recipes/15-test_ec.t | 2 +- + test/recipes/65-test_cmp_protect.t | 2 +- + test/recipes/65-test_cmp_vfy.t | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +diff --git a/test/recipes/15-test_ec.t b/test/recipes/15-test_ec.t +index 0638d626e7..c0efd77649 100644 +--- a/test/recipes/15-test_ec.t ++++ b/test/recipes/15-test_ec.t +@@ -90,7 +90,7 @@ subtest 'Ed448 conversions -- public key' => sub { + + subtest 'Check loading of fips and non-fips keys' => sub { + plan skip_all => "FIPS is disabled" +- if $no_fips; ++ if 1; #Red Hat specific, original value is $no_fips; + + plan tests => 2; + +diff --git a/test/recipes/65-test_cmp_protect.t b/test/recipes/65-test_cmp_protect.t +index 631603df7c..4cb2ffebbc 100644 +--- a/test/recipes/65-test_cmp_protect.t ++++ b/test/recipes/65-test_cmp_protect.t +@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build" + plan skip_all => "This test is not supported in a shared library build on Windows" + if $^O eq 'MSWin32' && !disabled("shared"); + +-plan tests => 2 + ($no_fips ? 0 : 1); #fips test ++plan skip_all => 2 + ($no_fips ? 
0 : 1); #fips test + + my @basic_cmd = ("cmp_protect_test", + data_file("prot_RSA.pem"), +diff --git a/test/recipes/65-test_cmp_vfy.t b/test/recipes/65-test_cmp_vfy.t +index f722800e27..26a01786bb 100644 +--- a/test/recipes/65-test_cmp_vfy.t ++++ b/test/recipes/65-test_cmp_vfy.t +@@ -27,7 +27,7 @@ plan skip_all => "This test is not supported in a no-cmp build" + plan skip_all => "This test is not supported in a no-ec build" + if disabled("ec"); + +-plan tests => 2 + ($no_fips ? 0 : 1); #fips test ++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test + + my @basic_cmd = ("cmp_vfy_test", + data_file("server.crt"), data_file("client.crt"), +-- +2.41.0 + diff --git a/0024-load-legacy-prov.patch b/0024-load-legacy-prov.patch new file mode 100644 index 0000000..1a65417 --- /dev/null +++ b/0024-load-legacy-prov.patch 
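Review bot: Turning `plan tests => 2 + ($no_fips ? 0 : 1); #fips test` into `plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test` in both 65-test_cmp_protect.t and 65-test_cmp_vfy.t skips the entire recipe with the numeric "reason" 2 or 3, so the non-FIPS CMP protection and verification tests no longer run at all, not just the FIPS case. If the intent, per the patch description, is only to drop the cases that depend on the removed curves or on FIPS, keeping `plan tests => 2;` and skipping the affected subtest would preserve that coverage. Failing that, the reason should be a string that explains the skip, e.g. `plan skip_all => "Red Hat: depends on EC curves removed by 0011";`, so the TAP output records why the suite is absent.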
@@ -0,0 +1,95 @@ +From 69636828729ecc287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:28 +0200 +Subject: [PATCH 14/35] 0024-load-legacy-prov.patch + +Patch-name: 0024-load-legacy-prov.patch +Patch-id: 24 +Patch-status: | + # Instructions to load legacy provider in openssl.cnf +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + apps/openssl.cnf | 37 +++++++++++++++---------------------- + doc/man5/config.pod | 8 ++++++++ + 2 files changed, 23 insertions(+), 22 deletions(-) + +diff -up openssl-3.0.0/apps/openssl.cnf.legacy-prov openssl-3.0.0/apps/openssl.cnf +--- openssl-3.0.0/apps/openssl.cnf.legacy-prov 2021-09-09 12:06:40.895793297 +0200 ++++ openssl-3.0.0/apps/openssl.cnf 2021-09-09 12:12:33.947482500 +0200 +@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1 + tsa_policy2 = 1.2.3.4.5.6 + tsa_policy3 = 1.2.3.4.5.7 + +-# For FIPS +-# Optionally include a file that is generated by the OpenSSL fipsinstall +-# application. This file contains configuration data required by the OpenSSL +-# fips provider. It contains a named section e.g. [fips_sect] which is +-# referenced from the [provider_sect] below. +-# Refer to the OpenSSL security policy for more information. +-# .include fipsmodule.cnf +- + [openssl_init] + providers = provider_sect + # Load default TLS policy configuration +@@ -42,23 +42,27 @@ [ evp_properties ] + #This section is intentionally added empty here + #to be tuned on particular systems + +-# List of providers to load +-[provider_sect] +-default = default_sect +-# The fips section name should match the section name inside the +-# included fipsmodule.cnf. +-# fips = fips_sect ++# Uncomment the sections that start with ## below to enable the legacy provider. 
++# Loading the legacy provider enables support for the following algorithms: ++# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160 ++# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED ++# Key Derivation Function (KDF): PBKDF1 ++# In general it is not recommended to use the above mentioned algorithms for ++# security critical operations, as they are cryptographically weak or vulnerable ++# to side-channel attacks and as such have been deprecated. + +-# If no providers are activated explicitly, the default one is activated implicitly. +-# See man 7 OSSL_PROVIDER-default for more details. +-# +-# If you add a section explicitly activating any other provider(s), you most +-# probably need to explicitly activate the default provider, otherwise it +-# becomes unavailable in openssl. As a consequence applications depending on +-# OpenSSL may not work correctly which could lead to significant system +-# problems including inability to remotely access the system. +-[default_sect] +-# activate = 1 ++[provider_sect] ++default = default_sect ++##legacy = legacy_sect ++## ++[default_sect] ++activate = 1 ++ ++##[legacy_sect] ++##activate = 1 ++ ++#Place the third party provider configuration files into this folder ++.include /etc/pki/tls/openssl.d + + [ ssl_module ] + +diff -up openssl-3.0.0/doc/man5/config.pod.legacy-prov openssl-3.0.0/doc/man5/config.pod +--- openssl-3.0.0/doc/man5/config.pod.legacy-prov 2021-09-09 12:09:38.079040853 +0200 ++++ openssl-3.0.0/doc/man5/config.pod 2021-09-09 12:11:56.646224876 +0200 +@@ -273,6 +273,14 @@ significant. + All parameters in the section as well as sub-sections are made + available to the provider. + ++=head3 Loading the legacy provider ++ ++Uncomment the sections that start with ## in openssl.cnf ++to enable the legacy provider. 
++Note: In general it is not recommended to use the above mentioned algorithms for
++security critical operations, as they are cryptographically weak or vulnerable
++to side-channel attacks and as such have been deprecated.
++
+ =head3 Default provider and its activation
+ 
+ If no providers are activated explicitly, the default one is activated implicitly.
diff --git a/0025-for-tests.patch b/0025-for-tests.patch
new file mode 100644
index 0000000..aef200b
--- /dev/null
+++ b/0025-for-tests.patch
@@ -0,0 +1,18 @@
+diff -up openssl-3.0.0/apps/openssl.cnf.xxx openssl-3.0.0/apps/openssl.cnf
+--- openssl-3.0.0/apps/openssl.cnf.xxx 2021-11-23 16:29:50.618691603 +0100
++++ openssl-3.0.0/apps/openssl.cnf 2021-11-23 16:28:16.872882099 +0100
+@@ -55,11 +55,11 @@ providers = provider_sect
+ # to side-channel attacks and as such have been deprecated.
+ 
+ [provider_sect]
+-default = default_sect
++##default = default_sect
+ ##legacy = legacy_sect
+ ##
+-[default_sect]
+-activate = 1
++##[default_sect]
++##activate = 1
+ 
+ ##[legacy_sect]
+ ##activate = 1
diff --git a/0032-Force-fips.patch b/0032-Force-fips.patch
new file mode 100644
index 0000000..985fadf
--- /dev/null
+++ b/0032-Force-fips.patch
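Review bot: The config.pod addition says "the above mentioned algorithms", but nothing above it in config.pod names an algorithm; the list (MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160, Blowfish, CAST, DES, IDEA, RC2, RC4, RC5, SEED, PBKDF1) exists only in the openssl.cnf comment, so the note should carry the list or point to it, e.g. `Note: the algorithms the legacy provider adds (listed in the legacy provider comment in openssl.cnf) are cryptographically weak or vulnerable to side-channel attacks and should not be used for security critical operations.` The new `.include /etc/pki/tls/openssl.d` pulls every `.cnf`/`.conf` file in that directory, provider activation included, into the configuration of every process that loads the default config, so a comment beside it stating that the directory and its files must be root-owned and not writable by other users would tell administrators what the directive trusts; the hunk does not create the directory, and how a missing directory is handled at load time should be confirmed. Both openssl.cnf hunks are headed `@@ -42,…`, which cannot both be correct for the same file, so the patch presumably applies through offset search; regenerating the hunk headers would make it less fragile.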
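Review bot: After this change `[provider_sect]` holds only `##` comment lines, so the test configuration depends on the default provider being activated implicitly, and the upstream comment that explained this ("If you add a section explicitly activating any other provider(s), you most probably need to explicitly activate the default provider, otherwise it becomes unavailable") was deleted by the preceding 0024 patch. A one-line comment above `##default = default_sect` such as `# the default provider is activated implicitly only while no provider is listed here; if you uncomment ##legacy you must also uncomment default and [default_sect]` would keep someone who enables the legacy provider alone from losing the default provider. The same caveat applies to the `##legacy` lines that 0024 ships in openssl.cnf without it.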
@@ -0,0 +1,81 @@ +From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 11:59:02 +0200 +Subject: [PATCH 16/48] 0032-Force-fips.patch + +Patch-name: 0032-Force-fips.patch +Patch-id: 32 +Patch-status: | + # We load FIPS provider and set FIPS properties implicitly +--- + crypto/provider_conf.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +diff --git a/crypto/provider_conf.c b/crypto/provider_conf.c +index 058fb58837..5274265a70 100644 +--- a/crypto/provider_conf.c ++++ b/crypto/provider_conf.c +@@ -10,6 +10,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -169,7 +171,7 @@ static int provider_conf_activate(OSSL_LIB_CTX *libctx, const char *name, + if (path != NULL) + ossl_provider_set_module_path(prov, path); + +- ok = provider_conf_params(prov, NULL, NULL, value, cnf); ++ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; + + if (ok == 1) { + if (!ossl_provider_activate(prov, 1, 0)) { +@@ -268,6 +268,8 @@ static int provider_conf_activate(OSSL_L + + if (ok <= 0) + ossl_provider_free(prov); ++ } else { ++ ok = 1; + } + CRYPTO_THREAD_unlock(pcgbl->lock); + +@@ -309,6 +311,33 @@ static int provider_conf_init(CONF_IMODULE *md, const CONF *cnf) + return 0; + } + ++ if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */ ++ OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf); ++# define FIPS_LOCAL_CONF OPENSSLDIR "/fips_local.cnf" ++ ++ if (access(FIPS_LOCAL_CONF, R_OK) == 0) { ++ CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default()); ++ if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0) ++ return 0; ++ ++ if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) { ++ NCONF_free(fips_conf); ++ return 0; ++ } ++ NCONF_free(fips_conf); ++ } else { ++ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) ++ return 0; ++ } ++ /* provider_conf_load can return 
1 even when the test is failed so check explicitly */ ++ if (OSSL_PROVIDER_available(libctx, "fips") != 1) ++ return 0; ++ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) ++ return 0; ++ if (EVP_default_properties_enable_fips(libctx, 1) != 1) ++ return 0; ++ } ++ + return 1; + } + +-- +2.41.0 + diff --git a/0033-FIPS-embed-hmac.patch b/0033-FIPS-embed-hmac.patch new file mode 100644 index 0000000..0bf3b2d --- /dev/null +++ b/0033-FIPS-embed-hmac.patch 
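Review bot: In the new kernel-FIPS branch of provider_conf_init, the result of `NCONF_new_ex` is passed to `NCONF_load` without a NULL check, and when `NCONF_load` fails the function returns 0 without freeing `fips_conf`, so the failure path both dereferences an unchecked allocation and leaks the CONF. Both early returns in that branch need the allocation checked and released, as below; the later `provider_conf_load` failure already frees it. provider_conf_init begins before the shown hunk.
```c
        if (access(FIPS_LOCAL_CONF, R_OK) == 0) {
            CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default());

            if (fips_conf == NULL)
                return 0;
            if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0) {
                NCONF_free(fips_conf);
                return 0;
            }
            /* … unchanged: provider_conf_load(libctx, "fips", "fips_sect", fips_conf) and NCONF_free … */
```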
@@ -0,0 +1,396 @@ +From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch + +Patch-name: 0033-FIPS-embed-hmac.patch +Patch-id: 33 +Patch-status: | + # # Embed HMAC into the fips.so + # Modify fips self test as per + # https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + providers/fips/self_test.c | 204 ++++++++++++++++++++++++-- + test/fipsmodule.cnf | 2 + + test/recipes/00-prep_fipsmodule_cnf.t | 2 +- + test/recipes/01-test_fipsmodule_cnf.t | 2 +- + test/recipes/03-test_fipsinstall.t | 2 +- + test/recipes/30-test_defltfips.t | 2 +- + test/recipes/80-test_ssl_new.t | 2 +- + test/recipes/90-test_sslapi.t | 2 +- + 8 files changed, 200 insertions(+), 18 deletions(-) + create mode 100644 test/fipsmodule.cnf + +diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c +index b8dc9817b2..28f536d13c 100644 +--- a/providers/fips/self_test.c ++++ b/providers/fips/self_test.c +@@ -230,11 +230,133 @@ err: + return ok; + } + ++#define HMAC_LEN 32 ++/* ++ * The __attribute__ ensures we've created the .rodata1 section ++ * static ensures it's zero filled ++*/ ++static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0}; ++ + /* + * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify + * the result matches the expected value. + * Return 1 if verified, or 0 if it fails. 
+ */ ++ ++#ifndef __USE_GNU ++#define __USE_GNU ++#include ++#undef __USE_GNU ++#else ++#include ++#endif ++#include ++ ++static int verify_integrity_rodata(OSSL_CORE_BIO *bio, ++ OSSL_FUNC_BIO_read_ex_fn read_ex_cb, ++ unsigned char *expected, size_t expected_len, ++ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, ++ const char *event_type) ++{ ++ int ret = 0, status; ++ unsigned char out[MAX_MD_SIZE]; ++ unsigned char buf[INTEGRITY_BUF_SIZE]; ++ size_t bytes_read = 0, out_len = 0; ++ EVP_MAC *mac = NULL; ++ EVP_MAC_CTX *ctx = NULL; ++ OSSL_PARAM params[2], *p = params; ++ Dl_info info; ++ void *extra_info = NULL; ++ struct link_map *lm = NULL; ++ unsigned long paddr; ++ unsigned long off = 0; ++ ++ if (expected_len != HMAC_LEN) ++ goto err; ++ ++ if (!integrity_self_test(ev, libctx)) ++ goto err; ++ ++ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); ++ ++ if (!dladdr1 ((const void *)fips_hmac_container, ++ &info, &extra_info, RTLD_DL_LINKMAP)) ++ goto err; ++ lm = extra_info; ++ paddr = (unsigned long)fips_hmac_container - lm->l_addr; ++ ++ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); ++ if (mac == NULL) ++ goto err; ++ ctx = EVP_MAC_CTX_new(mac); ++ if (ctx == NULL) ++ goto err; ++ ++ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0); ++ *p = OSSL_PARAM_construct_end(); ++ ++ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) ++ goto err; ++ ++ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (off < paddr) { ++ int delta = paddr - off; ++ status = read_ex_cb(bio, buf, delta, &bytes_read); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ /* read away the buffer */ ++ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); ++ if (status != 1) ++ goto err; ++ 
++ /* check that it is the expect bytes, no point in continuing otherwise */ ++ if (memcmp(expected, buf, HMAC_LEN) != 0) ++ goto err; ++ ++ /* replace in-file HMAC buffer with the original zeros */ ++ memset(buf, 0, HMAC_LEN); ++ if (!EVP_MAC_update(ctx, buf, HMAC_LEN)) ++ goto err; ++ off += HMAC_LEN; ++ ++ while (bytes_read > 0) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) ++ goto err; ++ ++ OSSL_SELF_TEST_oncorrupt_byte(ev, out); ++ if (expected_len != out_len ++ || memcmp(expected, out, out_len) != 0) ++ goto err; ++ ret = 1; ++err: ++ OPENSSL_cleanse(out, MAX_MD_SIZE); ++ OSSL_SELF_TEST_onend(ev, ret); ++ EVP_MAC_CTX_free(ctx); ++ EVP_MAC_free(mac); ++ return ret; ++} ++ + static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, + unsigned char *expected, size_t expected_len, + OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, +@@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + EVP_MAC *mac = NULL; + EVP_MAC_CTX *ctx = NULL; + OSSL_PARAM params[2], *p = params; ++ Dl_info info; ++ void *extra_info = NULL; ++ struct link_map *lm = NULL; ++ unsigned long paddr; ++ unsigned long off = 0; + + if (!integrity_self_test(ev, libctx)) + goto err; + + OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); + ++ if (!dladdr1 ((const void *)fips_hmac_container, ++ &info, &extra_info, RTLD_DL_LINKMAP)) ++ goto err; ++ lm = extra_info; ++ paddr = (unsigned long)fips_hmac_container - lm->l_addr; ++ + mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); + if (mac == NULL) + goto err; +@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) + goto err; + +- while (1) { +- status = 
read_ex_cb(bio, buf, sizeof(buf), &bytes_read); ++ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); + if (status != 1) + break; + if (!EVP_MAC_update(ctx, buf, bytes_read)) + goto err; ++ off += bytes_read; + } ++ ++ if (off + INTEGRITY_BUF_SIZE > paddr) { ++ int delta = paddr - off; ++ status = read_ex_cb(bio, buf, delta, &bytes_read); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ ++ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); ++ memset(buf, 0, HMAC_LEN); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ while (bytes_read > 0) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ + if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) + goto err; + +@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex + goto err; + ret = 1; + err: ++ OPENSSL_cleanse(out, sizeof(out)); + OSSL_SELF_TEST_onend(ev, ret); + EVP_MAC_CTX_free(ctx); + EVP_MAC_free(mac); +@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + return 0; + } + +- if (st == NULL +- || st->module_checksum_data == NULL) { ++ if (st == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); + goto end; + } +@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + if (ev == NULL) + goto end; + +- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, +- &checksum_len); ++ if (st->module_checksum_data == NULL) { ++ module_checksum = fips_hmac_container; ++ checksum_len = sizeof(fips_hmac_container); ++ } else { ++ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, ++ &checksum_len); ++ } ++ + if (module_checksum == NULL) { + 
ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); + goto end; +@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb"); + + /* Always check the integrity of the fips module */ +- if (bio_module == NULL +- || !verify_integrity(bio_module, st->bio_read_ex_cb, +- module_checksum, checksum_len, st->libctx, +- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ if (bio_module == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); + goto end; + } +- ++ if (st->module_checksum_data == NULL) { ++ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, ++ st->libctx, ev, ++ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } else { ++ if (!verify_integrity(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, ++ st->libctx, ev, ++ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } + /* This will be NULL during installation - so the self test KATS will run */ + if (st->indicator_data != NULL) { + /* +@@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test) + end: + EVP_RAND_free(testrand); + OSSL_SELF_TEST_free(ev); +- OPENSSL_free(module_checksum); + OPENSSL_free(indicator_checksum); + + if (st != NULL) { +diff --git a/test/fipsmodule.cnf b/test/fipsmodule.cnf +new file mode 100644 +index 0000000000..f05d0dedbe +--- /dev/null ++++ b/test/fipsmodule.cnf +@@ -0,0 +1,2 @@ ++[fips_sect] ++activate = 1 +diff --git a/test/recipes/00-prep_fipsmodule_cnf.t b/test/recipes/00-prep_fipsmodule_cnf.t +index 4e3a6d85e8..e8255ba974 100644 +--- a/test/recipes/00-prep_fipsmodule_cnf.t ++++ b/test/recipes/00-prep_fipsmodule_cnf.t +@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + +-my $no_check = 
disabled("fips"); ++my $no_check = 1; + plan skip_all => "FIPS module config file only supported in a fips build" + if $no_check; + +diff --git a/test/recipes/01-test_fipsmodule_cnf.t b/test/recipes/01-test_fipsmodule_cnf.t +index ce594817d5..00cebacff8 100644 +--- a/test/recipes/01-test_fipsmodule_cnf.t ++++ b/test/recipes/01-test_fipsmodule_cnf.t +@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + +-my $no_check = disabled("fips"); ++my $no_check = 1; + plan skip_all => "Test only supported in a fips build" + if $no_check; + plan tests => 1; +diff --git a/test/recipes/03-test_fipsinstall.t b/test/recipes/03-test_fipsinstall.t +index b8b136d110..8242f4ebc3 100644 +--- a/test/recipes/03-test_fipsinstall.t ++++ b/test/recipes/03-test_fipsinstall.t +@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + +-plan skip_all => "Test only supported in a fips build" if disabled("fips"); ++plan skip_all => "Test only supported in a fips build" if 1; + + # Compatible options for pedantic FIPS compliance + my @pedantic_okay = +diff --git a/test/recipes/30-test_defltfips.t b/test/recipes/30-test_defltfips.t +index c8f145405b..56a2ec5dc4 100644 +--- a/test/recipes/30-test_defltfips.t ++++ b/test/recipes/30-test_defltfips.t +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "Configuration loading is turned off" + if disabled("autoload-config"); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + + plan tests => + ($no_fips ? 
1 : 5); +diff --git a/test/recipes/80-test_ssl_new.t b/test/recipes/80-test_ssl_new.t +index 195b85ea8c..92d48dbf7d 100644 +--- a/test/recipes/80-test_ssl_new.t ++++ b/test/recipes/80-test_ssl_new.t +@@ -27,7 +27,7 @@ setup("test_ssl_new"); + use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + + $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); + +diff --git a/test/recipes/90-test_sslapi.t b/test/recipes/90-test_sslapi.t +index 18d9f3d204..71780d8caa 100644 +--- a/test/recipes/90-test_sslapi.t ++++ b/test/recipes/90-test_sslapi.t +@@ -17,7 +17,7 @@ setup("test_sslapi"); + setup("test_sslapi"); + } + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + my $fipsmodcfg_filename = "fipsmodule.cnf"; + my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename); + +-- +2.44.0 + diff --git a/0034.fipsinstall_disable.patch b/0034.fipsinstall_disable.patch new file mode 100644 index 0000000..f1d7b27 --- /dev/null +++ b/0034.fipsinstall_disable.patch 
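Review bot: Dropping `OPENSSL_free(module_checksum);` from the `end:` label of SELF_TEST_post leaks the buffer that `OPENSSL_hexstr2buf` allocates whenever `st->module_checksum_data` is non-NULL; only the embedded-container case must skip the free, so the cleanup should become `if (st->module_checksum_data != NULL) OPENSSL_free(module_checksum);`. Pointing the non-const `module_checksum` at the `static const` `fips_hmac_container` also discards the qualifier, so an explicit cast with a comment, or a separate const pointer, would stop that warning from masking an accidental write later. In verify_integrity_rodata and verify_integrity, `paddr = (unsigned long)fips_hmac_container - lm->l_addr` is used as the file offset of the container, which holds only when the ELF segment containing `.rodata1` has equal p_offset and p_vaddr; nothing checks this, so a comment in verify_integrity_rodata such as `/* assumes the segment holding .rodata1 is mapped with p_offset == p_vaddr; the memcmp against the file bytes below catches a layout mismatch */` would document the linker-layout dependency the self-test relies on. verify_integrity and SELF_TEST_post are only partly visible in their inner hunks.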
@@ -0,0 +1,473 @@ +From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:28 +0200 +Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch + +Patch-name: 0034.fipsinstall_disable.patch +Patch-id: 34 +Patch-status: | + # Comment out fipsinstall command-line utility +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + apps/fipsinstall.c | 3 + + doc/man1/openssl-fipsinstall.pod.in | 272 +--------------------------- + doc/man1/openssl.pod | 4 - + doc/man5/config.pod | 1 - + doc/man5/fips_config.pod | 104 +---------- + doc/man7/OSSL_PROVIDER-FIPS.pod | 1 - + 6 files changed, 10 insertions(+), 375 deletions(-) + +diff --git a/apps/fipsinstall.c b/apps/fipsinstall.c +index e1ef645b60..db92cb5fb2 100644 +--- a/apps/fipsinstall.c ++++ b/apps/fipsinstall.c +@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **argv) + EVP_MAC *mac = NULL; + CONF *conf = NULL; + ++ BIO_printf(bio_err, "This command is not enabled in the Red Hat Enterprise Linux OpenSSL build, please consult Red Hat documentation to learn how to enable FIPS mode\n"); ++ return 1; ++ + if ((opts = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + +diff --git a/doc/man1/openssl-fipsinstall.pod.in b/doc/man1/openssl-fipsinstall.pod.in +index b1768b7f91..b6b00e27d8 100644 +--- a/doc/man1/openssl-fipsinstall.pod.in ++++ b/doc/man1/openssl-fipsinstall.pod.in +@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS configuration installation + =head1 SYNOPSIS + + B +-[B<-help>] +-[B<-in> I] +-[B<-out> I] +-[B<-module> I] +-[B<-provider_name> I] +-[B<-section_name> I] +-[B<-verify>] +-[B<-mac_name> I] +-[B<-macopt> I:I] +-[B<-noout>] +-[B<-quiet>] +-[B<-pedantic>] +-[B<-no_conditional_errors>] +-[B<-no_security_checks>] +-[B<-ems_check>] +-[B<-no_drbg_truncated_digests>] +-[B<-self_test_onload>] +-[B<-self_test_oninstall>] +-[B<-corrupt_desc> I] +-[B<-corrupt_type> I] +-[B<-config> I] +- +-=head1 DESCRIPTION +- +-This command is used 
to generate a FIPS module configuration file. +-This configuration file can be used each time a FIPS module is loaded +-in order to pass data to the FIPS module self tests. The FIPS module always +-verifies its MAC, but optionally only needs to run the KAT's once, +-at installation. +- +-The generated configuration file consists of: +- +-=over 4 +- +-=item - A MAC of the FIPS module file. +- +-=item - A test status indicator. +- +-This indicates if the Known Answer Self Tests (KAT's) have successfully run. +- +-=item - A MAC of the status indicator. +- +-=item - A control for conditional self tests errors. +- +-By default if a continuous test (e.g a key pair test) fails then the FIPS module +-will enter an error state, and no services or cryptographic algorithms will be +-able to be accessed after this point. +-The default value of '1' will cause the fips module error state to be entered. +-If the value is '0' then the module error state will not be entered. +-Regardless of whether the error state is entered or not, the current operation +-(e.g. key generation) will return an error. The user is responsible for retrying +-the operation if the module error state is not entered. +- +-=item - A control to indicate whether run-time security checks are done. +- +-This indicates if run-time checks related to enforcement of security parameters +-such as minimum security strength of keys and approved curve names are used. +-The default value of '1' will perform the checks. +-If the value is '0' the checks are not performed and FIPS compliance must +-be done by procedures documented in the relevant Security Policy. +- +-=back +- +-This file is described in L. +- +-=head1 OPTIONS +- +-=over 4 +- +-=item B<-help> +- +-Print a usage message. +- +-=item B<-module> I +- +-Filename of the FIPS module to perform an integrity check on. +-The path provided in the filename is used to load the module when it is +-activated, and this overrides the environment variable B. 
+- +-=item B<-out> I +- +-Filename to output the configuration data to; the default is standard output. +- +-=item B<-in> I +- +-Input filename to load configuration data from. +-Must be used if the B<-verify> option is specified. +- +-=item B<-verify> +- +-Verify that the input configuration file contains the correct information. +- +-=item B<-provider_name> I +- +-Name of the provider inside the configuration file. +-The default value is C. +- +-=item B<-section_name> I +- +-Name of the section inside the configuration file. +-The default value is C. +- +-=item B<-mac_name> I +- +-Specifies the name of a supported MAC algorithm which will be used. +-The MAC mechanisms that are available will depend on the options +-used when building OpenSSL. +-To see the list of supported MAC's use the command +-C. The default is B. +- +-=item B<-macopt> I:I +- +-Passes options to the MAC algorithm. +-A comprehensive list of controls can be found in the EVP_MAC implementation +-documentation. +-Common control strings used for this command are: +- +-=over 4 +- +-=item B:I +- +-Specifies the MAC key as an alphanumeric string (use if the key contains +-printable characters only). +-The string length must conform to any restrictions of the MAC algorithm. +-A key must be specified for every MAC algorithm. +-If no key is provided, the default that was specified when OpenSSL was +-configured is used. +- +-=item B:I +- +-Specifies the MAC key in hexadecimal form (two hex digits per byte). +-The key length must conform to any restrictions of the MAC algorithm. +-A key must be specified for every MAC algorithm. +-If no key is provided, the default that was specified when OpenSSL was +-configured is used. +- +-=item B:I +- +-Used by HMAC as an alphanumeric string (use if the key contains printable +-characters only). +-The string length must conform to any restrictions of the MAC algorithm. +-To see the list of supported digests, use the command +-C. +-The default digest is SHA-256. 
+- +-=back +- +-=item B<-noout> +- +-Disable logging of the self tests. +- +-=item B<-pedantic> +- +-Configure the module so that it is strictly FIPS compliant rather +-than being backwards compatible. This enables conditional errors, +-security checks etc. Note that any previous configuration options will +-be overwritten and any subsequent configuration options that violate +-FIPS compliance will result in an error. +- +-=item B<-no_conditional_errors> +- +-Configure the module to not enter an error state if a conditional self test +-fails as described above. +- +-=item B<-no_security_checks> +- +-Configure the module to not perform run-time security checks as described above. +- +-Enabling the configuration option "no-fips-securitychecks" provides another way to +-turn off the check at compile time. +- +-=item B<-ems_check> +- +-Configure the module to enable a run-time Extended Master Secret (EMS) check +-when using the TLS1_PRF KDF algorithm. This check is disabled by default. +-See RFC 7627 for information related to EMS. +- +-=item B<-no_drbg_truncated_digests> +- +-Configure the module to not allow truncated digests to be used with Hash and +-HMAC DRBGs. See FIPS 140-3 IG D.R for details. +- +-=item B<-self_test_onload> +- +-Do not write the two fields related to the "test status indicator" and +-"MAC status indicator" to the output configuration file. Without these fields +-the self tests KATS will run each time the module is loaded. This option could be +-used for cross compiling, since the self tests need to run at least once on each +-target machine. Once the self tests have run on the target machine the user +-could possibly then add the 2 fields into the configuration using some other +-mechanism. +- +-This is the default. +- +-=item B<-self_test_oninstall> +- +-The converse of B<-self_test_oninstall>. The two fields related to the +-"test status indicator" and "MAC status indicator" are written to the +-output configuration file. 
+- +-=item B<-quiet> +- +-Do not output pass/fail messages. Implies B<-noout>. +- +-=item B<-corrupt_desc> I, +-B<-corrupt_type> I +- +-The corrupt options can be used to test failure of one or more self tests by +-name. +-Either option or both may be used to select the tests to corrupt. +-Refer to the entries for B and B in L for +-values that can be used. +- +-=item B<-config> I +- +-Test that a FIPS provider can be loaded from the specified configuration file. +-A previous call to this application needs to generate the extra configuration +-data that is included by the base C configuration file. +-See L for further information on how to set up a provider section. +-All other options are ignored if '-config' is used. +- +-=back +- +-=head1 NOTES +- +-Self tests results are logged by default if the options B<-quiet> and B<-noout> +-are not specified, or if either of the options B<-corrupt_desc> or +-B<-corrupt_type> are used. +-If the base configuration file is set up to autoload the fips module, then the +-fips module will be loaded and self tested BEFORE the fipsinstall application +-has a chance to set up its own self test callback. As a result of this the self +-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored. +-For normal usage the base configuration file should use the default provider +-when generating the fips configuration file. +- +-The B<-self_test_oninstall> option was added and the +-B<-self_test_onload> option was made the default in OpenSSL 3.1. +- +-The command and all remaining options were added in OpenSSL 3.0. 
+- +-=head1 EXAMPLES +- +-Calculate the mac of a FIPS module F and run a FIPS self test +-for the module, and save the F configuration file: +- +- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips +- +-Verify that the configuration file F contains the correct info: +- +- openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify +- +-Corrupt any self tests which have the description C: +- +- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \ +- -corrupt_desc 'SHA1' +- +-Validate that the fips module can be loaded from a base configuration file: +- +- export OPENSSL_CONF_INCLUDE= +- export OPENSSL_MODULES= +- openssl fipsinstall -config' 'default.cnf' +- +- +-=head1 SEE ALSO +- +-L, +-L, +-L, +-L ++This command is disabled. ++Please consult Red Hat Enterprise Linux documentation to learn how to correctly ++enable FIPS mode on Red Hat Enterprise + + =head1 COPYRIGHT + +diff --git a/doc/man1/openssl.pod b/doc/man1/openssl.pod +index d9c22a580f..d5ec3b9a6a 100644 +--- a/doc/man1/openssl.pod ++++ b/doc/man1/openssl.pod +@@ -135,10 +135,6 @@ Engine (loadable module) information and manipulation. + + Error Number to Error String Conversion. + +-=item B +- +-FIPS configuration installation. +- + =item B + + Generation of DSA Private Key from Parameters. Superseded by +diff --git a/doc/man5/config.pod b/doc/man5/config.pod +index 714a10437b..bd05736220 100644 +--- a/doc/man5/config.pod ++++ b/doc/man5/config.pod +@@ -573,7 +573,6 @@ configuration files using that syntax will have to be modified. + =head1 SEE ALSO + + L, L, L, +-L, + L, + L, + L, +diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod +index 2255464304..1c15e32a5c 100644 +--- a/doc/man5/fips_config.pod ++++ b/doc/man5/fips_config.pod +@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration + + =head1 DESCRIPTION + +-A separate configuration file, using the OpenSSL L syntax, +-is used to hold information about the FIPS module. 
This includes a digest +-of the shared library file, and status about the self-testing. +-This data is used automatically by the module itself for two +-purposes: +- +-=over 4 +- +-=item - Run the startup FIPS self-test known answer tests (KATS). +- +-This is normally done once, at installation time, but may also be set up to +-run each time the module is used. +- +-=item - Verify the module's checksum. +- +-This is done each time the module is used. +- +-=back +- +-This file is generated by the L program, and +-used internally by the FIPS module during its initialization. +- +-The following options are supported. They should all appear in a section +-whose name is identified by the B option in the B +-section, as described in L. +- +-=over 4 +- +-=item B +- +-If present, the module is activated. The value assigned to this name is not +-significant. +- +-=item B +- +-A version number for the fips install process. Should be 1. +- +-=item B +- +-The FIPS module normally enters an internal error mode if any self test fails. +-Once this error mode is active, no services or cryptographic algorithms are +-accessible from this point on. +-Continuous tests are a subset of the self tests (e.g., a key pair test during key +-generation, or the CRNG output test). +-Setting this value to C<0> allows the error mode to not be triggered if any +-continuous test fails. The default value of C<1> will trigger the error mode. +-Regardless of the value, the operation (e.g., key generation) that called the +-continuous test will return an error code if its continuous test fails. The +-operation may then be retried if the error mode has not been triggered. +- +-=item B +- +-This indicates if run-time checks related to enforcement of security parameters +-such as minimum security strength of keys and approved curve names are used. 
+-A value of '1' will perform the checks, otherwise if the value is '0' the checks +-are not performed and FIPS compliance must be done by procedures documented in +-the relevant Security Policy. +- +-=item B +- +-The calculated MAC of the FIPS provider file. +- +-=item B +- +-An indicator that the self-tests were successfully run. +-This should only be written after the module has +-successfully passed its self tests during installation. +-If this field is not present, then the self tests will run when the module +-loads. +- +-=item B +- +-A MAC of the value of the B option, to prevent accidental +-changes to that value. +-It is written-to at the same time as B is updated. +- +-=back +- +-For example: +- +- [fips_sect] +- activate = 1 +- install-version = 1 +- conditional-errors = 1 +- security-checks = 1 +- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC +- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C +- install-status = INSTALL_SELF_TEST_KATS_RUN +- +-=head1 NOTES +- +-When using the FIPS provider, it is recommended that the +-B option is enabled to prevent accidental use of +-non-FIPS validated algorithms via broken or mistaken configuration. +-See L. +- +-=head1 SEE ALSO +- +-L +-L ++This command is disabled in Red Hat Enterprise Linux. The FIPS provider is ++automatically loaded when the system is booted in FIPS mode, or when the ++environment variable B is set. See the documentation ++for more information. + + =head1 HISTORY + +diff --git a/doc/man7/OSSL_PROVIDER-FIPS.pod b/doc/man7/OSSL_PROVIDER-FIPS.pod +index 4f908888ba..ef00247770 100644 +--- a/doc/man7/OSSL_PROVIDER-FIPS.pod ++++ b/doc/man7/OSSL_PROVIDER-FIPS.pod +@@ -444,7 +444,6 @@ want to operate in a FIPS approved manner. The algorithms are: + + =head1 SEE ALSO + +-L, + L, + L, + L, +-- +2.41.0 + diff --git a/0035-speed-skip-unavailable-dgst.patch b/0035-speed-skip-unavailable-dgst.patch new file mode 100644 index 0000000..d52d5e1 --- /dev/null 
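Review bot: The replacement text in doc/man1/openssl-fipsinstall.pod.in is cut short: `++enable FIPS mode on Red Hat Enterprise` ends mid-name with no full stop, so the rendered page reads as an unfinished sentence and should say `enable FIPS mode on Red Hat Enterprise Linux.`. The new doc/man5/fips_config.pod text opens with `This command is disabled in Red Hat Enterprise Linux.`, but fips_config(5) documents a configuration-file format rather than a command, so the sentence should describe the file, e.g. `The fipsinstall-generated configuration file is not used in Red Hat Enterprise Linux.`. In apps/fipsinstall.c the added `BIO_printf`/`return 1` sits after the local declarations but before any option parsing, so presumably even `openssl fipsinstall -help` prints the error and exits non-zero; a comment above it such as `/* RHEL: FIPS mode is enabled system-wide; this utility is intentionally disabled and the code below is unreachable */` would tell readers the dead code is deliberate rather than a merge accident. fipsinstall_main's body continues outside the hunk.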
+++ b/0035-speed-skip-unavailable-dgst.patch
@@ -0,0 +1,31 @@
+From 213f38dc580d39f2cb46592b5e6db585fc6a650f Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Mon, 31 Jul 2023 09:41:28 +0200
+Subject: [PATCH 19/35] 0035-speed-skip-unavailable-dgst.patch
+
+Patch-name: 0035-speed-skip-unavailable-dgst.patch
+Patch-id: 35
+Patch-status: |
+ # Skip unavailable algorithms running `openssl speed`
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ apps/speed.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/apps/speed.c b/apps/speed.c
+index d527f12f18..2ff3eb53bd 100644
+--- a/apps/speed.c
++++ b/apps/speed.c
+@@ -610,6 +610,9 @@ static int EVP_MAC_loop(int algindex, void *args)
+ for (count = 0; COND(c[algindex][testnum]); count++) {
+ size_t outl;
+
++ if (mctx == NULL)
++ return -1;
++
+ if (!EVP_MAC_init(mctx, NULL, 0, NULL)
+ || !EVP_MAC_update(mctx, buf, lengths[testnum])
+ || !EVP_MAC_final(mctx, mac, &outl, sizeof(mac)))
+--
+2.41.0
+
diff --git a/0044-FIPS-140-3-keychecks.patch b/0044-FIPS-140-3-keychecks.patch
new file mode 100644
index 0000000..e9012e4
--- /dev/null
+++ b/0044-FIPS-140-3-keychecks.patch
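Review bot: The added `if (mctx == NULL) return -1;` is placed inside the `for (count = 0; ...)` loop in EVP_MAC_loop, so a loop-invariant check is re-evaluated on every iteration and the function only bails out after the loop has been entered; moving the two lines immediately above the `for` line checks once and keeps the loop body limited to the MAC calls. The bare `-1` also differs from whatever the existing EVP_MAC_init failure path returns, which is not visible here, so a one-line comment such as `/* MAC algorithm unavailable in this provider (e.g. under FIPS): skip it instead of dereferencing NULL */` would make the intent and the distinct return value clear. EVP_MAC_loop's definition and the origin of `mctx` are outside the hunk.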
@@ -0,0 +1,404 @@ +From b300beb172d5813b01b93bfd62fe191f8187fe1e Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 12:05:23 +0200 +Subject: [PATCH 20/48] 0044-FIPS-140-3-keychecks.patch + +Patch-name: 0044-FIPS-140-3-keychecks.patch +Patch-id: 44 +Patch-status: | + # Extra public/private key checks required by FIPS-140-3 +--- + crypto/dh/dh_key.c | 26 ++++++++++ + .../implementations/exchange/ecdh_exch.c | 19 ++++++++ + providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++- + providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++ + .../implementations/signature/ecdsa_sig.c | 37 +++++++++++++-- + providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++-- + 6 files changed, 162 insertions(+), 9 deletions(-) + +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index 4e9705beef..83773cceea 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) + BN_MONT_CTX *mont = NULL; + BIGNUM *z = NULL, *pminus1; + int ret = -1; ++#ifdef FIPS_MODULE ++ int validate = 0; ++#endif + + if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); +@@ -54,6 +57,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) + return 0; + } + ++#ifdef FIPS_MODULE ++ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) { ++ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID); ++ return 0; ++ } ++#endif ++ + ctx = BN_CTX_new_ex(dh->libctx); + if (ctx == NULL) + goto err; +@@ -262,6 +272,9 @@ static int generate_key(DH *dh) + #endif + BN_CTX *ctx = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL; ++#ifdef FIPS_MODULE ++ int validate = 0; ++#endif + + if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); +@@ -354,8 +367,21 @@ static int generate_key(DH *dh) + if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key)) + goto 
err; + ++#ifdef FIPS_MODULE ++ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) { ++ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID); ++ goto err; ++ } ++#endif ++ + dh->pub_key = pub_key; + dh->priv_key = priv_key; ++#ifdef FIPS_MODULE ++ if (ossl_dh_check_pairwise(dh) <= 0) { ++ abort(); ++ } ++#endif ++ + dh->dirty_cnt++; + ok = 1; + err: +diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c +index 43caedb6df..73873f9758 100644 +--- a/providers/implementations/exchange/ecdh_exch.c ++++ b/providers/implementations/exchange/ecdh_exch.c +@@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret, + } + + ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk); ++#ifdef FIPS_MODULE ++ { ++ BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk)); ++ int check = 0; ++ ++ if (bn_ctx == NULL) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); ++ goto end; ++ } ++ ++ check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx); ++ BN_CTX_free(bn_ctx); ++ ++ if (check <= 0) { ++ ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY); ++ goto end; ++ } ++ } ++#endif + + retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); + +diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c +index a37cbbdba8..bca3f3c674 100644 +--- a/providers/implementations/keymgmt/ec_kmgmt.c ++++ b/providers/implementations/keymgmt/ec_kmgmt.c +@@ -989,8 +989,17 @@ struct ec_gen_ctx { + EC_GROUP *gen_group; + unsigned char *dhkem_ikm; + size_t dhkem_ikmlen; ++#ifdef FIPS_MODULE ++ void *ecdsa_sig_ctx; ++#endif + }; + ++#ifdef FIPS_MODULE ++void *ecdsa_newctx(void *provctx, const char *propq); ++void ecdsa_freectx(void *vctx); ++int do_ec_pct(void *, const char *, void *); ++#endif ++ + static void *ec_gen_init(void *provctx, int selection, + const OSSL_PARAM params[]) + { +@@ -1009,6 +1018,10 @@ static void *ec_gen_init(void *provctx, int selection, + gctx = NULL; + } + 
} ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL); ++#endif + return gctx; + } + +@@ -1279,6 +1292,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) + + if (gctx->ecdh_mode != -1) + ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0 ++ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1) ++ abort(); ++#endif + + if (gctx->group_check != NULL) + ret = ret && ossl_ec_set_check_group_type_from_name(ec, +@@ -1348,7 +1367,10 @@ static void ec_gen_cleanup(void *genctx) + + if (gctx == NULL) + return; +- ++#ifdef FIPS_MODULE ++ ecdsa_freectx(gctx->ecdsa_sig_ctx); ++ gctx->ecdsa_sig_ctx = NULL; ++#endif + OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen); + EC_GROUP_free(gctx->gen_group); + BN_free(gctx->p); +diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c +index 3ba12c4889..ff49f8fcd8 100644 +--- a/providers/implementations/keymgmt/rsa_kmgmt.c ++++ b/providers/implementations/keymgmt/rsa_kmgmt.c +@@ -434,6 +434,7 @@ struct rsa_gen_ctx { + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + /* ACVP test parameters */ + OSSL_PARAM *acvp_test_params; ++ void *prov_rsa_ctx; + #endif + }; + +@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb) + return gctx->cb(params, gctx->cbarg); + } + ++#ifdef FIPS_MODULE ++void *rsa_newctx(void *provctx, const char *propq); ++void rsa_freectx(void *vctx); ++int do_rsa_pct(void *, const char *, void *); ++#endif ++ + static void *gen_init(void *provctx, int selection, int rsa_type, + const OSSL_PARAM params[]) + { +@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type, + + if (!rsa_gen_set_params(gctx, params)) + goto err; ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL); 
++#endif + return gctx; + + err: +@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) + + rsa = rsa_tmp; + rsa_tmp = NULL; ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) ++ abort(); ++#endif + err: + BN_GENCB_free(gencb); + RSA_free(rsa_tmp); +@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx) + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params); + gctx->acvp_test_params = NULL; ++ rsa_freectx(gctx->prov_rsa_ctx); ++ gctx->prov_rsa_ctx = NULL; + #endif + BN_clear_free(gctx->pub_exp); + OPENSSL_free(gctx); +diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c +index 865d49d100..ebeb30e002 100644 +--- a/providers/implementations/signature/ecdsa_sig.c ++++ b/providers/implementations/signature/ecdsa_sig.c +@@ -32,7 +32,7 @@ + #include "crypto/ec.h" + #include "prov/der_ec.h" + +-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx; ++OSSL_FUNC_signature_newctx_fn ecdsa_newctx; + static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init; + static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init; + static OSSL_FUNC_signature_sign_fn ecdsa_sign; +@@ -43,7 +43,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final; + static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init; + static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update; + static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final; +-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx; ++OSSL_FUNC_signature_freectx_fn ecdsa_freectx; + static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx; + static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params; + static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params; +@@ -104,7 +104,7 @@ typedef struct { + unsigned int 
nonce_type; + } PROV_ECDSA_CTX; + +-static void *ecdsa_newctx(void *provctx, const char *propq) ++void *ecdsa_newctx(void *provctx, const char *propq) + { + PROV_ECDSA_CTX *ctx; + +@@ -370,7 +370,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig, + return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen); + } + +-static void ecdsa_freectx(void *vctx) ++void ecdsa_freectx(void *vctx) + { + PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; + +@@ -581,6 +581,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx) + return EVP_MD_settable_ctx_params(ctx->md); + } + ++#ifdef FIPS_MODULE ++int do_ec_pct(void *vctx, const char *mdname, void *ec) ++{ ++ static const unsigned char data[32]; ++ unsigned char sigbuf[256]; ++ size_t siglen = sizeof(sigbuf); ++ ++ if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) ++ return 0; ++ ++ return 1; ++} ++#endif ++ + const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index cd5de6bd51..d4261e8f7d 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -34,7 +34,7 @@ + + #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 + +-static OSSL_FUNC_signature_newctx_fn rsa_newctx; ++OSSL_FUNC_signature_newctx_fn rsa_newctx; + static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; + 
static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; + static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; +@@ -47,7 +47,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; + static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; + static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update; + static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; +-static OSSL_FUNC_signature_freectx_fn rsa_freectx; ++OSSL_FUNC_signature_freectx_fn rsa_freectx; + static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; + static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; + static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; +@@ -170,7 +170,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) + return 1; + } + +-static void *rsa_newctx(void *provctx, const char *propq) ++void *rsa_newctx(void *provctx, const char *propq) + { + PROV_RSA_CTX *prsactx = NULL; + char *propq_copy = NULL; +@@ -977,7 +977,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, + return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen); + } + +-static void rsa_freectx(void *vprsactx) ++void rsa_freectx(void *vprsactx) + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + +@@ -1455,6 +1455,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) + return EVP_MD_settable_ctx_params(prsactx->md); + } + ++#ifdef FIPS_MODULE ++int do_rsa_pct(void *vctx, const char *mdname, void *rsa) ++{ ++ static const unsigned char data[32]; ++ unsigned char *sigbuf = NULL; ++ size_t siglen = 0; ++ int ret = 0; ++ ++ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0) ++ return 0; ++ ++ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0) ++ return 0; ++ ++ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL) ++ return 0; ++ ++ if 
(rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0) ++ goto err; ++ ++ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) ++ goto err; ++ ret = 1; ++ ++ err: ++ OPENSSL_free(sigbuf); ++ return ret; ++} ++#endif ++ + const OSSL_DISPATCH ossl_rsa_signature_functions[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, +-- +2.41.0 +diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +index e0d139d..35f23b2 100644 +--- a/crypto/rsa/rsa_gen.c ++++ b/crypto/rsa/rsa_gen.c +@@ -463,6 +463,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes, + rsa->dmp1 = NULL; + rsa->dmq1 = NULL; + rsa->iqmp = NULL; ++#ifdef FIPS_MODULE ++ abort(); ++#endif /* defined(FIPS_MODULE) */ + } + } + return ok; +-- +2.41.0 + diff --git a/0045-FIPS-services-minimize.patch b/0045-FIPS-services-minimize.patch new file mode 100644 index 0000000..befa23b --- /dev/null +++ b/0045-FIPS-services-minimize.patch 
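Review bot: The new `prov_rsa_ctx` field in rsa_kmgmt.c's `struct rsa_gen_ctx` is declared under `#if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS)` and freed in rsa_gen_cleanup under that same condition, yet gen_init and rsa_gen reference it under plain `#ifdef FIPS_MODULE`, so a FIPS build configured with OPENSSL_NO_ACVP_TESTS would not compile; the field and the `rsa_freectx(gctx->prov_rsa_ctx);` call belong in their own `#ifdef FIPS_MODULE` block. In both ec_gen_init and gen_init the result of `ecdsa_newctx`/`rsa_newctx` is stored without a NULL check, so if context creation fails the later `do_ec_pct`/`do_rsa_pct` call fails at its first `*_digest_sign_init` and key generation reaches `abort()` for an allocation failure rather than a genuine pairwise-consistency failure; gen_init should instead fail (in rsa_kmgmt.c, `goto err`) when the PCT context cannot be created. The crypto/rsa/rsa_gen.c hunk is appended after the `-- ` / `2.41.0` signature trailer and is absent from the patch's diffstat (`6 files changed`), which makes the description misleading and, depending on the tool applying the patch, risks that hunk being dropped; the patch should be regenerated so the hunk precedes the trailer. The functions ec_gen_init, gen_init, ec_gen, rsa_gen and rsa_keygen all start outside their hunks.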
@@ -0,0 +1,792 @@ +From a9dc983f82cabe29d6b48f3af3e30e26074ce5cf Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 12:55:57 +0200 +Subject: [PATCH 21/48] 0045-FIPS-services-minimize.patch + +Patch-name: 0045-FIPS-services-minimize.patch +Patch-id: 45 +Patch-status: | + # Minimize fips services +--- + apps/ecparam.c | 7 +++ + apps/req.c | 2 +- + providers/common/capabilities.c | 2 +- + providers/fips/fipsprov.c | 44 +++++++++++-------- + providers/fips/self_test_data.inc | 9 +++- + providers/implementations/signature/rsa_sig.c | 26 +++++++++++ + ssl/ssl_ciph.c | 3 ++ + test/acvp_test.c | 2 + + test/endecode_test.c | 4 ++ + test/evp_libctx_test.c | 9 +++- + test/recipes/15-test_gendsa.t | 2 +- + test/recipes/20-test_cli_fips.t | 3 +- + test/recipes/30-test_evp.t | 16 +++---- + .../30-test_evp_data/evpmac_common.txt | 22 ++++++++++ + test/recipes/80-test_cms.t | 22 +++++----- + test/recipes/80-test_ssl_old.t | 2 +- + 16 files changed, 128 insertions(+), 47 deletions(-) + +diff --git a/apps/ecparam.c b/apps/ecparam.c +index 9e9ad13683..9c66cf2434 100644 +--- a/apps/ecparam.c ++++ b/apps/ecparam.c +@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out) + const char *comment = curves[n].comment; + const char *sname = OBJ_nid2sn(curves[n].nid); + ++ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1) ++ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1) ++ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1) ++ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1) ++ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL)) ++ continue; ++ + if (comment == NULL) + comment = "CURVE DESCRIPTION NOT AVAILABLE"; + if (sname == NULL) +diff --git a/apps/req.c b/apps/req.c +index 23757044ab..5916914978 100644 +--- a/apps/req.c ++++ b/apps/req.c +@@ -266,7 +266,7 @@ int req_main(int argc, char 
**argv) + unsigned long chtype = MBSTRING_ASC, reqflag = 0; + + #ifndef OPENSSL_NO_DES +- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); ++ cipher = (EVP_CIPHER *)EVP_aes_256_cbc(); + #endif + + opt_set_unknown_name("digest"); +diff --git a/providers/common/capabilities.c b/providers/common/capabilities.c +index ed37e76969..eb836dfa6a 100644 +--- a/providers/common/capabilities.c ++++ b/providers/common/capabilities.c +@@ -186,9 +186,9 @@ static const OSSL_PARAM param_group_list[][10] = { + TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25), + TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26), + TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27), +-# endif + TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28), + TLS_GROUP_ENTRY("x448", "X448", "X448", 29), ++# endif + # ifndef FIPS_MODULE + TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30), + TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31), +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index 518226dfc6..29438faea8 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -199,13 +199,13 @@ static int fips_get_params(void *provctx, OSSL_PARAM params[]) + OSSL_LIB_CTX_FIPS_PROV_INDEX); + + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider")) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR)) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION)) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR)) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, REDHAT_FIPS_VERSION)) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); + 
if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) +@@ -298,10 +298,11 @@ static const OSSL_ALGORITHM fips_digests[] = { + * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for + * KMAC128 and KMAC256. + */ +- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, ++ /* We don't certify KECCAK in our FIPS provider */ ++ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, + ossl_keccak_kmac_128_functions }, + { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES, +- ossl_keccak_kmac_256_functions }, ++ ossl_keccak_kmac_256_functions }, */ + { NULL, NULL, NULL } + }; + +@@ -360,8 +361,9 @@ static const OSSL_ALGORITHM_CAPABLE fips_ciphers[] = { + ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions, + ossl_cipher_capable_aes_cbc_hmac_sha256), + #ifndef OPENSSL_NO_DES +- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), +- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), ++ /* We don't certify 3DES in our FIPS provider */ ++ /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), ++ UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */ + #endif /* OPENSSL_NO_DES */ + { { NULL, NULL, NULL }, NULL } + }; +@@ -373,8 +375,9 @@ static const OSSL_ALGORITHM fips_macs[] = { + #endif + { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions }, + { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions }, +- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, +- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, ++ /* We don't certify KMAC in our FIPS provider */ ++ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, ++ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */ + { NULL, NULL, NULL } + }; + +@@ -409,8 +412,9 @@ static const OSSL_ALGORITHM fips_keyexch[] = { + #ifndef OPENSSL_NO_EC + { PROV_NAMES_ECDH, 
FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions }, + # ifndef OPENSSL_NO_ECX +- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, +- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions }, ++ /* We don't certify Edwards curves in our FIPS provider */ ++ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, ++ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/ + # endif + #endif + { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, +@@ -456,8 +462,9 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { + PROV_DESCS_DHX }, + #endif + #ifndef OPENSSL_NO_DSA +- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, +- PROV_DESCS_DSA }, ++ /* We don't certify DSA in our FIPS provider */ ++ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, ++ PROV_DESCS_DSA }, */ + #endif + { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions, + PROV_DESCS_RSA }, +@@ -466,14 +473,15 @@ static const OSSL_ALGORITHM fips_keymgmt[] = { + { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions, + PROV_DESCS_EC }, + # ifndef OPENSSL_NO_ECX +- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, ++ /* We don't certify Edwards curves in our FIPS provider */ ++ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, + PROV_DESCS_X25519 }, + { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions, + PROV_DESCS_X448 }, + { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions, + PROV_DESCS_ED25519 }, + { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions, +- PROV_DESCS_ED448 }, ++ PROV_DESCS_ED448 }, */ + # endif + #endif + { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions, +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index 2057378d3d..4b80bb70b9 100644 +--- 
a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest_tests[] = + /*- CIPHER TEST DATA */ + + /* DES3 test data */ ++#if 0 + static const unsigned char des_ede3_cbc_pt[] = { + 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, + 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, +@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ct[] = { + 0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F, + 0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7 + }; +- ++#endif + /* AES-256 GCM test data */ + static const unsigned char aes_256_gcm_key[] = { + 0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c, +@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[] = { + # endif /* OPENSSL_NO_EC2M */ + #endif /* OPENSSL_NO_EC */ + +-#ifndef OPENSSL_NO_DSA + /* dsa 2048 */ ++#if 0 ++#ifndef OPENSSL_NO_DSA + static const unsigned char dsa_p[] = { + 0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23, + 0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e, +@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = { + ST_KAT_PARAM_END() + }; + #endif /* OPENSSL_NO_DSA */ ++#endif + + /* Hash DRBG inputs for signature KATs */ + static const unsigned char sig_kat_entropyin[] = { +@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { + }, + # endif + #endif /* OPENSSL_NO_EC */ ++#if 0 + #ifndef OPENSSL_NO_DSA + { + OSSL_SELF_TEST_DESC_SIGN_DSA, +@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tests[] = { + ITM(dsa_expected_sig) + }, + #endif /* OPENSSL_NO_DSA */ ++#endif + }; + + static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = { +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index d4261e8f7d..2a5504d104 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -689,6 +689,19 @@ static int rsa_verify_recover(void *vprsactx, + { + PROV_RSA_CTX *prsactx = 
(PROV_RSA_CTX *)vprsactx; + int ret; ++# ifdef FIPS_MODULE ++ size_t rsabits = RSA_bits(prsactx->rsa); ++ ++ if (rsabits < 2048) { ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ } ++# endif + + if (!ossl_prov_is_running()) + return 0; +@@ -777,6 +790,19 @@ static int rsa_verify(void *vprsactx, const unsigned char *sig, size_t siglen, + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + size_t rslen; ++# ifdef FIPS_MODULE ++ size_t rsabits = RSA_bits(prsactx->rsa); ++ ++ if (rsabits < 2048) { ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ } ++# endif + + if (!ossl_prov_is_running()) + return 0; +diff --git a/ssl/ssl_ciph.c b/ssl/ssl_ciph.c +index a5e60e8839..f9af07d12b 100644 +--- a/ssl/ssl_ciph.c ++++ b/ssl/ssl_ciph.c +@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx) + ctx->disabled_mkey_mask = 0; + ctx->disabled_auth_mask = 0; + ++ if (EVP_default_properties_is_fips_enabled(ctx->libctx)) ++ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK; ++ + /* + * We ignore any errors from the fetches below. They are expected to fail + * if these algorithms are not available. 
+diff --git a/test/acvp_test.c b/test/acvp_test.c +index fee880d441..13d7a0ea8b 100644 +--- a/test/acvp_test.c ++++ b/test/acvp_test.c +@@ -1476,6 +1476,7 @@ int setup_tests(void) + OSSL_NELEM(dh_safe_prime_keyver_data)); + #endif /* OPENSSL_NO_DH */ + ++#if 0 /* Red Hat FIPS provider doesn't have fips=yes property on DSA */ + #ifndef OPENSSL_NO_DSA + ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data)); + ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data)); +@@ -1483,6 +1484,7 @@ int setup_tests(void) + ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data)); + ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data)); + #endif /* OPENSSL_NO_DSA */ ++#endif + + #ifndef OPENSSL_NO_EC + ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data)); +diff --git a/test/endecode_test.c b/test/endecode_test.c +index 9a437d8c64..53385028fc 100644 +--- a/test/endecode_test.c ++++ b/test/endecode_test.c +@@ -1407,6 +1407,7 @@ int setup_tests(void) + * so no legacy tests. + */ + #endif ++ if (is_fips == 0) { + #ifndef OPENSSL_NO_DSA + ADD_TEST_SUITE(DSA); + ADD_TEST_SUITE_PARAMS(DSA); +@@ -1417,6 +1418,7 @@ int setup_tests(void) + ADD_TEST_SUITE_PROTECTED_PVK(DSA); + # endif + #endif ++ } + #ifndef OPENSSL_NO_EC + ADD_TEST_SUITE(EC); + ADD_TEST_SUITE_PARAMS(EC); +@@ -1431,10 +1433,12 @@ int setup_tests(void) + ADD_TEST_SUITE(ECExplicitTri2G); + ADD_TEST_SUITE_LEGACY(ECExplicitTri2G); + # endif ++ if (is_fips == 0) { + ADD_TEST_SUITE(ED25519); + ADD_TEST_SUITE(ED448); + ADD_TEST_SUITE(X25519); + ADD_TEST_SUITE(X448); ++ } + /* + * ED25519, ED448, X25519 and X448 have no support for + * PEM_write_bio_PrivateKey_traditional(), so no legacy tests. 
+diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c +index 2448c35a14..a7913cda4c 100644 +--- a/test/evp_libctx_test.c ++++ b/test/evp_libctx_test.c +@@ -21,6 +21,7 @@ + */ + #include "internal/deprecated.h" + #include ++#include + #include + #include + #include +@@ -726,7 +727,9 @@ int setup_tests(void) + return 0; + + #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH) +- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); ++ if (strcmp(prov_name, "fips") != 0) { ++ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); ++ } + #endif + #ifndef OPENSSL_NO_DH + ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3); +@@ -746,7 +749,9 @@ int setup_tests(void) + ADD_TEST(kem_invalid_keytype); + #endif + #ifndef OPENSSL_NO_DES +- ADD_TEST(test_cipher_tdes_randkey); ++ if (strcmp(prov_name, "fips") != 0) { ++ ADD_TEST(test_cipher_tdes_randkey); ++ } + #endif + return 1; + } +diff --git a/test/recipes/15-test_gendsa.t b/test/recipes/15-test_gendsa.t +index b495b08bda..69bd299521 100644 +--- a/test/recipes/15-test_gendsa.t ++++ b/test/recipes/15-test_gendsa.t +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "This test is unsupported in a no-dsa build" + if disabled("dsa"); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; + + plan tests => + ($no_fips ? 
0 : 2) # FIPS related tests +diff --git a/test/recipes/20-test_cli_fips.t b/test/recipes/20-test_cli_fips.t +index 6d3c5ba1bb..2ba47b5fca 100644 +--- a/test/recipes/20-test_cli_fips.t ++++ b/test/recipes/20-test_cli_fips.t +@@ -273,8 +273,7 @@ SKIP: { + } + + SKIP : { +- skip "FIPS DSA tests because of no dsa in this build", 1 +- if disabled("dsa"); ++ skip "FIPS DSA tests because of no dsa in this build", 1; + + subtest DSA => sub { + my $testtext_prefix = 'DSA'; +diff --git a/test/recipes/30-test_evp.t b/test/recipes/30-test_evp.t +index 9d7040ced2..f8beb538d4 100644 +--- a/test/recipes/30-test_evp.t ++++ b/test/recipes/30-test_evp.t +@@ -42,10 +42,8 @@ my @files = qw( + evpciph_aes_cts.txt + evpciph_aes_wrap.txt + evpciph_aes_stitched.txt +- evpciph_des3_common.txt + evpkdf_hkdf.txt + evpkdf_kbkdf_counter.txt +- evpkdf_kbkdf_kmac.txt + evpkdf_pbkdf1.txt + evpkdf_pbkdf2.txt + evpkdf_ss.txt +@@ -91,6 +83,7 @@ my @defltfiles = qw( + evpciph_cast5.txt + evpciph_chacha.txt + evpciph_des.txt ++ evpciph_des3_common.txt + evpciph_idea.txt + evpciph_rc2.txt + evpciph_rc4.txt +@@ -114,10 +107,17 @@ my @defltfiles = qw( + evpmd_whirlpool.txt + evppbe_scrypt.txt + evppbe_pkcs12.txt ++ evpkdf_kbkdf_kmac.txt + evppkey_kdf_scrypt.txt + evppkey_kdf_tls1_prf.txt + evppkey_rsa.txt + ); ++push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa; ++push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec; ++push @defltfiles, qw( ++ evpkdf_x942_des.txt ++ evpmac_cmac_des.txt ++ ) unless $no_des; + push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; + push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec; + push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa; +diff --git a/test/recipes/30-test_evp_data/evpmac_common.txt b/test/recipes/30-test_evp_data/evpmac_common.txt +index 93195df97c..315413cd9b 100644 +--- a/test/recipes/30-test_evp_data/evpmac_common.txt ++++ b/test/recipes/30-test_evp_data/evpmac_common.txt +@@ -340,6 +340,7 @@ IV = 7AE8E2CA4EC500012E58495C + 
Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007 + Result = MAC_INIT_ERROR + ++Availablein = default + Title = KMAC Tests (From NIST) + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +@@ -350,12 +351,14 @@ Ctrl = xof:0 + OutputSize = 32 + BlockSize = 168 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Custom = "My Tagged Application" + Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -363,6 +366,7 @@ Custom = "My Tagged Application" + Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -371,12 +375,14 @@ Output = 20C570C31346F703C9AC36C61C03CB64C3970D0CFC787E9B79599D273A68D2F7F69D4CC + OutputSize = 64 + BlockSize = 136 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 + Custom = "" + Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -386,12 +392,14 @@ Ctrl = size:64 + + Title = KMAC XOF Tests (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -399,6 +407,7 @@ Custom = "My Tagged Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -407,6 +416,7 @@ Output = 47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F + XOF = 1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -414,6 +424,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + XOF = 1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -421,6 +432,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + XOF = 1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 
000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -431,6 +443,7 @@ XOF = 1 + + Title = KMAC long customisation string (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -441,12 +454,14 @@ XOF = 1 + + Title = KMAC XOF Tests via ctrl (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -454,6 +469,7 @@ Custom = "My Tagged Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -462,6 +478,7 @@ Output = 
47026C7CD793084AA0283C253EF658490C0DB61438B8326FE9BDDF281B83AE0F + Ctrl = xof:1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -469,6 +486,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -476,6 +494,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -486,6 +505,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string via ctrl (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 
9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -496,6 +516,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string negative test + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -504,6 +525,7 @@ Result = MAC_INIT_ERROR + + Title = KMAC output is too large + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index 40dd585c18..cbec426137 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content DER format, DSA key", ++ [ "signed content DER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-signer", catfile($smdir, 
"smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed detached content DER format, DSA key", ++ [ "signed detached content DER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed detached content DER format, add RSA signer (with DSA existing)", ++ [ "signed detached content DER format, add RSA signer (with DSA existing), no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER", +@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, DSA key", ++ [ "signed content test streaming BER format, DSA key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], +@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", 
$smcont, "-outform", "DER", + "-noattr", "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = ( + \&zero_compare + ], + +- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -248,7 +248,7 @@ my @smime_pkcs7_tests = ( + + my @smime_cms_tests = ( + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-keyid", + "-signer", $smrsa1, +@@ -261,7 +261,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no Red Hat FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -371,7 +371,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "encrypted content test streaming PEM format, triple DES key", ++ [ "encrypted content test streaming PEM format, triple DES key, no Red Hat FIPS", + [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", + "-stream", "-out", "{output}.cms" ], +diff --git 
a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t +index 50b74a1e29..e2dcb68fb5 100644 +--- a/test/recipes/80-test_ssl_old.t ++++ b/test/recipes/80-test_ssl_old.t +@@ -436,7 +436,7 @@ sub testssl { + my @exkeys = (); + my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; + +- if (!$no_dsa) { ++ if (!$no_dsa && $provider ne "fips") { + push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; + } + +-- +2.41.0 + +diff -up openssl-3.2.0/test/recipes/30-test_evp.t.patch openssl-3.2.0/test/recipes/30-test_evp.t +--- openssl-3.2.0/test/recipes/30-test_evp.t.patch 2023-12-06 15:33:27.843751147 +0100 ++++ openssl-3.2.0/test/recipes/30-test_evp.t 2023-12-06 15:34:27.585351920 +0100 +@@ -70,15 +70,6 @@ push @files, qw( + evppkey_dh.txt + ) unless $no_dh; + push @files, qw( +- evpkdf_x942_des.txt +- evpmac_cmac_des.txt +- ) unless $no_des; +-push @files, qw(evppkey_dsa.txt) unless $no_dsa; +-push @files, qw( +- evppkey_ecx.txt +- evppkey_mismatch_ecx.txt +- ) unless $no_ecx; +-push @files, qw( + evppkey_ecc.txt + evppkey_ecdh.txt + evppkey_ecdsa.txt +diff -up openssl-3.2.0/providers/fips/fipsprov.c.patch-fips openssl-3.2.0/providers/fips/fipsprov.c +--- openssl-3.2.0/providers/fips/fipsprov.c.patch-fips 2023-12-06 15:49:08.711198219 +0100 ++++ openssl-3.2.0/providers/fips/fipsprov.c 2023-12-06 15:55:42.362078721 +0100 +@@ -426,14 +426,16 @@ static const OSSL_ALGORITHM fips_keyexch + + static const OSSL_ALGORITHM fips_signature[] = { + #ifndef OPENSSL_NO_DSA +- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, ++ /* We don't certify DSA in our FIPS provider */ ++ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/ + #endif + { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions }, + #ifndef OPENSSL_NO_EC + # ifndef OPENSSL_NO_ECX +- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ++ /* We don't certify Edwards curves in our FIPS provider */ ++ /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, + 
ossl_ed25519_signature_functions }, +- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, ++ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/ + # endif + { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions }, + #endif +diff -up openssl-3.2.0/test/recipes/30-test_evp.t.fips-min openssl-3.2.0/test/recipes/30-test_evp.t +--- openssl-3.2.0/test/recipes/30-test_evp.t.fips-min 2024-02-01 11:00:56.823687618 +0100 ++++ openssl-3.2.0/test/recipes/30-test_evp.t 2024-02-01 11:01:20.131934678 +0100 +@@ -124,7 +124,6 @@ push @defltfiles, qw( + ) unless $no_des; + push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; + push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec; +-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa; + push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; + push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv; + push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv; diff --git a/0047-FIPS-early-KATS.patch b/0047-FIPS-early-KATS.patch new file mode 100644 index 0000000..6dffded --- /dev/null +++ b/0047-FIPS-early-KATS.patch 
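Review bot: The FIPS key-length gate that rsa_sig.c adds to rsa_verify_recover and rsa_verify is the same `# ifdef FIPS_MODULE` block pasted twice, and neither copy explains why 1024/1280/1536/1792-bit moduli are accepted for verification while every other size below 2048 is refused; a single static helper with that rationale, called from both functions, would keep the two from drifting apart and document the allowlist where it lives. The gate also runs ahead of the `ossl_prov_is_running()` check, so a key-length error is raised even when the provider is not running, which is the opposite order from the surrounding code. Separately, fipsprov.c now returns "Red Hat Enterprise Linux 9 - OpenSSL FIPS Provider" for OSSL_PROV_PARAM_NAME although this commit imports the el10 package; please verify that string is intended, since it is what OSSL_PROVIDER_get_params reports to callers. Both rsa_verify_recover and rsa_verify start and end outside the hunk.
```c
# ifdef FIPS_MODULE
/*
 * FIPS verification-only key-size policy: moduli of at least 2048 bits are
 * always accepted; below that only the listed legacy sizes are, and any
 * other size is rejected with PROV_R_INVALID_KEY_LENGTH.
 */
static int rsa_fips_verify_keybits_ok(const PROV_RSA_CTX *prsactx)
{
    size_t rsabits = RSA_bits(prsactx->rsa);

    if (rsabits >= 2048
        || rsabits == 1024 || rsabits == 1280
        || rsabits == 1536 || rsabits == 1792)
        return 1;
    ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH);
    return 0;
}
# endif

static int rsa_verify_recover(void *vprsactx,
    /* … unchanged: remaining parameters and locals … */
# ifdef FIPS_MODULE
    if (!rsa_fips_verify_keybits_ok(prsactx))
        return 0;
# endif
    /* … unchanged: rest of rsa_verify_recover; the same two-line call replaces the block in rsa_verify … */
```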
@@ -0,0 +1,57 @@
+From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Thu, 19 Oct 2023 13:12:40 +0200
+Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch
+
+Patch-name: 0047-FIPS-early-KATS.patch
+Patch-id: 47
+Patch-status: |
+ # # Execute KATS before HMAC verification
+From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911
+---
+ providers/fips/self_test.c | 22 ++++++++++------------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/providers/fips/self_test.c b/providers/fips/self_test.c
+index e3a629018a..3c09bd8638 100644
+--- a/providers/fips/self_test.c
++++ b/providers/fips/self_test.c
+@@ -401,6 +401,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+ if (ev == NULL)
+ goto end;
+
++ /*
++ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements
++ */
++ if (kats_already_passed == 0) {
++ if (!SELF_TEST_kats(ev, st->libctx)) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
++ goto end;
++ }
++ }
++
+ if (st->module_checksum_data == NULL) {
+ module_checksum = fips_hmac_container;
+ checksum_len = sizeof(fips_hmac_container);
+@@ -451,18 +461,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS *st, int on_demand_test)
+ }
+ }
+
+- /*
+- * Only runs the KAT's during installation OR on_demand().
+- * NOTE: If the installation option 'self_test_onload' is chosen then this
+- * path will always be run, since kats_already_passed will always be 0.
+- */
+- if (on_demand_test || kats_already_passed == 0) {
+- if (!SELF_TEST_kats(ev, st->libctx)) {
+- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE);
+- goto end;
+- }
+- }
+-
+ /* Verify that the RNG has been restored properly */
+ rng = ossl_rand_get0_private_noncreating(st->libctx);
+ if (rng != NULL)
+--
+2.41.0
+
diff --git a/0049-Allow-disabling-of-SHA1-signatures.patch b/0049-Allow-disabling-of-SHA1-signatures.patch
new file mode 100644
index 0000000..487d1d9
--- /dev/null
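Review bot: The guard added at the top of the hunk, `if (kats_already_passed == 0)`, drops the `on_demand_test ||` half of the condition it replaces further down, so an operator-initiated self-test (on_demand_test != 0) after a successful start-up no longer re-executes the KATs unless kats_already_passed is reset on that path somewhere outside this hunk. FIPS 140-3 on-demand self-tests are meant to re-run the algorithm self-tests, so keep `if (on_demand_test || kats_already_passed == 0) {` in the new position unless the build guarantees kats_already_passed is always 0 here. The new comment only says the order follows "FIPS-140-3 requirements"; spell the rule out, e.g. `/* FIPS 140-3: the algorithm self-tests, including the CAST of the HMAC used by the integrity test, must pass before the software integrity test runs. */`, and confirm the wording against the module's security policy. SELF_TEST_post begins and ends outside the hunk.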
+++ b/0049-Allow-disabling-of-SHA1-signatures.patch 
@@ -0,0 +1,510 @@ +From 2e8388e06eafb703aeb315498915bf079561bdb5 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 13:07:07 +0200 +Subject: [PATCH 23/48] 0049-Allow-disabling-of-SHA1-signatures.patch + +Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch +Patch-id: 49 +Patch-status: | + # Selectively disallow SHA1 signatures rhbz#2070977 +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + crypto/context.c | 14 ++++ + crypto/evp/evp_cnf.c | 13 +++ + crypto/evp/m_sigver.c | 79 +++++++++++++++++++ + crypto/evp/pmeth_lib.c | 15 ++++ + doc/man5/config.pod | 13 +++ + include/crypto/context.h | 3 + + include/internal/cryptlib.h | 3 +- + include/internal/sslconf.h | 4 + + providers/common/securitycheck.c | 20 +++++ + providers/common/securitycheck_default.c | 9 ++- + providers/implementations/signature/dsa_sig.c | 11 ++- + .../implementations/signature/ecdsa_sig.c | 4 + + providers/implementations/signature/rsa_sig.c | 20 ++++- + ssl/t1_lib.c | 8 ++ + util/libcrypto.num | 2 + + 15 files changed, 209 insertions(+), 9 deletions(-) + +diff --git a/crypto/context.c b/crypto/context.c +index 51002ba79a..e697974c9d 100644 +--- a/crypto/context.c ++++ b/crypto/context.c +@@ -78,6 +78,8 @@ struct ossl_lib_ctx_st { + void *fips_prov; + #endif + ++ void *legacy_digest_signatures; ++ + unsigned int ischild:1; + }; + +@@ -206,6 +208,10 @@ static int context_init(OSSL_LIB_CTX *ctx) + goto err; + #endif + ++ ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx); ++ if (ctx->legacy_digest_signatures == NULL) ++ goto err; ++ + /* Low priority. */ + #ifndef FIPS_MODULE + ctx->child_provider = ossl_child_prov_ctx_new(ctx); +@@ -334,6 +340,11 @@ static void context_deinit_objs(OSSL_LIB_CTX *ctx) + } + #endif + ++ if (ctx->legacy_digest_signatures != NULL) { ++ ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures); ++ ctx->legacy_digest_signatures = NULL; ++ } ++ + /* Low priority. 
*/ + #ifndef FIPS_MODULE + if (ctx->child_provider != NULL) { +@@ -625,6 +636,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX *ctx, int index) + return ctx->fips_prov; + #endif + ++ case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX: ++ return ctx->legacy_digest_signatures; ++ + default: + return NULL; + } +diff --git a/crypto/evp/evp_cnf.c b/crypto/evp/evp_cnf.c +index 0e7fe64cf9..b9d3b6d226 100644 +--- a/crypto/evp/evp_cnf.c ++++ b/crypto/evp/evp_cnf.c +@@ -10,6 +10,7 @@ + #include + #include + #include "internal/cryptlib.h" ++#include "internal/sslconf.h" + #include + #include + #include +@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE *md, const CONF *cnf) + ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); + return 0; + } ++ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) { ++ int m; ++ ++ /* Detailed error already reported. */ ++ if (!X509V3_get_value_bool(oval, &m)) ++ return 0; ++ ++ if (!ossl_ctx_legacy_digest_signatures_allowed_set( ++ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); ++ return 0; ++ } + } else { + ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, + "name=%s, value=%s", oval->name, oval->value); +diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c +index 630d339c35..6e4e9f5ae7 100644 +--- a/crypto/evp/m_sigver.c ++++ b/crypto/evp/m_sigver.c +@@ -15,6 +15,73 @@ + #include "internal/provider.h" + #include "internal/numbers.h" /* includes SIZE_MAX */ + #include "evp_local.h" ++#include "crypto/context.h" ++ ++typedef struct ossl_legacy_digest_signatures_st { ++ int allowed; ++} OSSL_LEGACY_DIGEST_SIGNATURES; ++ ++void ossl_ctx_legacy_digest_signatures_free(void *vldsigs) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs; ++ ++ if (ldsigs != NULL) { ++ OPENSSL_free(ldsigs); ++ } ++} ++ ++void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = 
OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES)); ++ /* Warning: This patch differs from the same patch in CentOS and RHEL here, ++ * because the default on Fedora is to allow SHA-1 and support disabling ++ * it, while CentOS/RHEL disable it by default and allow enabling it. */ ++ ldsigs->allowed = 0; ++ return ldsigs; ++} ++ ++static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures( ++ OSSL_LIB_CTX *libctx, int loadconfig) ++{ ++#ifndef FIPS_MODULE ++ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) ++ return NULL; ++#endif ++ ++ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX); ++} ++ ++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs ++ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); ++ ++ #ifndef FIPS_MODULE ++ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL) ++ /* used in tests */ ++ return 1; ++ #endif ++ ++ /* Warning: This patch differs from the same patch in CentOS and RHEL here, ++ * because the default on Fedora is to allow SHA-1 and support disabling ++ * it, while CentOS/RHEL disable it by default and allow enabling it. */ ++ return ldsigs != NULL ? 
ldsigs->allowed : 0; ++} ++ ++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, ++ int loadconfig) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs ++ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); ++ ++ if (ldsigs == NULL) { ++ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ ++ ldsigs->allowed = allow; ++ return 1; ++} + + #ifndef FIPS_MODULE + +@@ -251,6 +318,18 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + } + } + ++ if (ctx->reqdigest != NULL ++ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) ++ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) ++ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) { ++ int mdnid = EVP_MD_nid(ctx->reqdigest); ++ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0) ++ && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST); ++ goto err; ++ } ++ } ++ + if (ver) { + if (signature->digest_verify_init == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c +index ce6e1a1ccb..003926247b 100644 +--- a/crypto/evp/pmeth_lib.c ++++ b/crypto/evp/pmeth_lib.c +@@ -33,6 +33,7 @@ + #include "internal/ffc.h" + #include "internal/numbers.h" + #include "internal/provider.h" ++#include "internal/sslconf.h" + #include "evp_local.h" + + #ifndef FIPS_MODULE +@@ -958,6 +959,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_CTX *ctx, const EVP_MD *md, + return -2; + } + ++ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) ++ && md != NULL ++ && ctx->pkey != NULL ++ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac) ++ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf) ++ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) { ++ int mdnid = EVP_MD_nid(md); ++ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1) ++ && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST); ++ return -1; ++ } ++ } ++ + if (fallback) + return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, 
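Review bot: ossl_ctx_legacy_digest_signatures_new() dereferences the OPENSSL_zalloc() result without a NULL check (`ldsigs->allowed = 0;`), so an allocation failure during context_init becomes a NULL write instead of the `goto err` that the caller in context.c is prepared for; add `if (ldsigs == NULL) return NULL;` before the assignment. The OPENSSL_ENABLE_SHA1_SIGNATURES override in ossl_ctx_legacy_digest_signatures_allowed() is labelled "used in tests" but is compiled into the production library, so any process whose environment an attacker can influence can re-enable SHA-1 signatures and the TLS sigalgs that depend on it; ossl_safe_getenv() appears to protect only set-uid/set-gid binaries, so either gate the override behind a build-time macro or document it next to rh-allow-sha1-signatures in config.pod. The "This patch differs ... Fedora" comment is repeated twice and describes the other distribution's default; one comment stating that this build ships with `allowed = 0` (SHA-1 signatures refused unless enabled) is clearer.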
(void *)(md)); + +diff --git a/doc/man5/config.pod b/doc/man5/config.pod +index bd05736220..ed34ff4b9c 100644 +--- a/doc/man5/config.pod ++++ b/doc/man5/config.pod +@@ -304,6 +304,19 @@ Within the algorithm properties section, the following names have meaning: + The value may be anything that is acceptable as a property query + string for EVP_set_default_properties(). + ++=item B ++ ++The value is a boolean that can be B or B. If the value is not set, ++it behaves as if it was set to B. ++ ++When set to B, any attempt to create or verify a signature with a SHA1 ++digest will fail. To test whether your software will work with future versions ++of OpenSSL, set this option to B. This setting also affects TLS, where ++signature algorithms that use SHA1 as digest will no longer be supported if ++this option is set to B. Because TLS 1.1 or lower use MD5-SHA1 as ++pseudorandom function (PRF) to derive key material, disabling ++B requires the use of TLS 1.2 or newer. ++ + =item B (deprecated) + + The value is a boolean that can be B or B. 
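Review bot: The exemption list (`EVP_PKEY_is_a(..., SN_hmac)`, `SN_tls1_prf`, `SN_hkdf`) and the `NID_sha1 || NID_md5_sha1` test added to evp_pkey_ctx_set_md duplicate the block this same patch adds to do_sigver_init in m_sigver.c; two hand-copied versions of a security policy drift, so move the test into one internal helper and call it from both places. The block is also skipped when `ctx->pkey == NULL`; whether a digest can be set on a key-less signature context is not visible from here, but if it can, enforcement then depends on the provider's setup_md, which this patch changes only for the in-tree providers. evp_pkey_ctx_set_md starts before this hunk.

```c
/* Policy: refuse SHA-1 and MD5-SHA1 as signature digests unless
 * rh-allow-sha1-signatures (or the test-only env override) allows them.
 * MAC and KDF "keys" use the digest for another purpose and are exempt. */
int ossl_legacy_digest_signature_blocked(OSSL_LIB_CTX *libctx,
                                         const EVP_PKEY *pkey, const EVP_MD *md)
{
    int mdnid;

    if (md == NULL || pkey == NULL
        || EVP_PKEY_is_a(pkey, SN_hmac)
        || EVP_PKEY_is_a(pkey, SN_tls1_prf)
        || EVP_PKEY_is_a(pkey, SN_hkdf))
        return 0;
    mdnid = EVP_MD_nid(md);
    return (mdnid == NID_sha1 || mdnid == NID_md5_sha1)
        && !ossl_ctx_legacy_digest_signatures_allowed(libctx, 0);
}

/* … unchanged: evp_pkey_ctx_set_md prologue … */
    if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx)
        && ossl_legacy_digest_signature_blocked(ctx->libctx, ctx->pkey, md)) {
        ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST);
        return -1;
    }
```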
If the value is +diff --git a/include/crypto/context.h b/include/crypto/context.h +index cc06c71be8..e9f74a414d 100644 +--- a/include/crypto/context.h ++++ b/include/crypto/context.h +@@ -39,3 +39,6 @@ void ossl_rand_crng_ctx_free(void *); + #if defined(OPENSSL_THREADS) + void ossl_threads_ctx_free(void *); + #endif ++ ++void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *); ++void ossl_ctx_legacy_digest_signatures_free(void *); +diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h +index ac50eb3bbd..3b115cc7df 100644 +--- a/include/internal/cryptlib.h ++++ b/include/internal/cryptlib.h +@@ -168,7 +168,8 @@ typedef struct ossl_ex_data_global_st { + # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18 + # define OSSL_LIB_CTX_THREAD_INDEX 19 + # define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20 +-# define OSSL_LIB_CTX_MAX_INDEXES 20 ++# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 21 ++# define OSSL_LIB_CTX_MAX_INDEXES 21 + + OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx); + int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx); +diff --git a/include/internal/sslconf.h b/include/internal/sslconf.h +index fd7f7e3331..05464b0655 100644 +--- a/include/internal/sslconf.h ++++ b/include/internal/sslconf.h +@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, size_t *idx); + void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr, + char **arg); + ++/* Methods to support disabling all signatures with legacy digests */ ++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig); ++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, ++ int loadconfig); + #endif +diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c +index 699ada7c52..e534ad0a5f 100644 +--- a/providers/common/securitycheck.c ++++ b/providers/common/securitycheck.c +@@ -19,6 +19,7 @@ + #include + #include + #include "prov/securitycheck.h" ++#include "internal/sslconf.h" + + /* + * 
FIPS requires a minimum security strength of 112 bits (for encryption or +@@ -235,6 +236,15 @@ int ossl_digest_get_approved_nid_with_sha1(OSSL_LIB_CTX *ctx, const EVP_MD *md, + mdnid = -1; /* disallowed by security checks */ + } + # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ ++ ++#ifndef FIPS_MODULE ++ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) ++ /* SHA1 is globally disabled, check whether we want to locally allow ++ * it. */ ++ if (mdnid == NID_sha1 && !sha1_allowed) ++ mdnid = -1; ++#endif ++ + return mdnid; + } + +diff --git a/providers/common/securitycheck_default.c b/providers/common/securitycheck_default.c +index 246323493e..2ca7a59f39 100644 +--- a/providers/common/securitycheck_default.c ++++ b/providers/common/securitycheck_default.c +@@ -15,6 +15,7 @@ + #include + #include "prov/securitycheck.h" + #include "internal/nelem.h" ++#include "internal/sslconf.h" + + /* Disable the security checks in the default provider */ + int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) +@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL_LIB_CTX *libctx) + } + + int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, +- ossl_unused int sha1_allowed) ++ int sha1_allowed) + { + int mdnid; ++ int ldsigs_allowed; + + static const OSSL_ITEM name_to_nid[] = { + { NID_md5, OSSL_DIGEST_NAME_MD5 }, +@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, + { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 }, + }; + +- mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1); ++ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0); ++ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed); + if (mdnid == NID_undef) + mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); ++ if (mdnid == NID_md5_sha1 && !ldsigs_allowed) ++ mdnid = -1; + return mdnid; + } +diff --git a/providers/implementations/signature/dsa_sig.c 
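Review bot: The new non-FIPS block nests two brace-less ifs, `if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0))` followed by `if (mdnid == NID_sha1 && !sha1_allowed)`, which is easy to misread when the next person adds a statement; fold it into one condition, `if (mdnid == NID_sha1 && !sha1_allowed && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) mdnid = -1;`, which is equivalent and also skips the context lookup for every non-SHA-1 digest. The comment reads backwards for this build, where SHA-1 is refused by default and the option enables it; `/* Outside FIPS: map SHA-1 to -1 unless the caller or rh-allow-sha1-signatures allows it */` describes what the code does. ossl_digest_get_approved_nid_with_sha1() begins before this hunk.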
b/providers/implementations/signature/dsa_sig.c +index 70d0ea5d24..3c482e0181 100644 +--- a/providers/implementations/signature/dsa_sig.c ++++ b/providers/implementations/signature/dsa_sig.c +@@ -123,12 +123,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, + mdprops = ctx->propq; + + if (mdname != NULL) { +- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); + WPACKET pkt; + EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); +- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, +- sha1_allowed); ++ int md_nid; + size_t mdname_len = strlen(mdname); ++#ifdef FIPS_MODULE ++ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); ++#else ++ int sha1_allowed = 0; ++#endif ++ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, ++ sha1_allowed); + + if (md == NULL || md_nid < 0) { + if (md == NULL) +diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c +index ebeb30e002..c874f87bd5 100644 +--- a/providers/implementations/signature/ecdsa_sig.c ++++ b/providers/implementations/signature/ecdsa_sig.c +@@ -237,7 +237,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, + "%s could not be fetched", mdname); + return 0; + } ++#ifdef FIPS_MODULE + sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); ++#else ++ sha1_allowed = 0; ++#endif + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); + if (md_nid < 0) { +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index 2a5504d104..5f3a029566 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -25,6 +25,7 @@ + #include "internal/cryptlib.h" + #include "internal/nelem.h" + #include "internal/sizes.h" ++#include "internal/sslconf.h" + #include "crypto/rsa.h" + #include "prov/providercommon.h" + #include "prov/implementations.h" +@@ -33,6 +34,7 @@ + #include 
"prov/securitycheck.h" + + #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 ++#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256 + + OSSL_FUNC_signature_newctx_fn rsa_newctx; + static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; +@@ -302,10 +304,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, + + if (mdname != NULL) { + EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); ++ int md_nid; ++ size_t mdname_len = strlen(mdname); ++#ifdef FIPS_MODULE + int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); +- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, ++#else ++ int sha1_allowed = 0; ++#endif ++ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, + sha1_allowed); +- size_t mdname_len = strlen(mdname); + + if (md == NULL + || md_nid <= 0 +@@ -1396,8 +1403,15 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + prsactx->pad_mode = pad_mode; + + if (prsactx->md == NULL && pmdname == NULL +- && pad_mode == RSA_PKCS1_PSS_PADDING) ++ && pad_mode == RSA_PKCS1_PSS_PADDING) { + pmdname = RSA_DEFAULT_DIGEST_NAME; ++#ifndef FIPS_MODULE ++ if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { ++ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; ++ } ++#endif ++ } ++ + + if (pmgf1mdname != NULL + && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) +diff --git a/util/libcrypto.num b/util/libcrypto.num +index 9cb8a4dda2..feb660d030 100644 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -5436,3 +5436,5 @@ EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION: + X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: + OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: + BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK ++ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: ++ossl_ctx_legacy_digest_signatures_allowed_set ? 
3_0_1 EXIST::FUNCTION: +-- +2.41.0 + +diff -up openssl-3.2.0/ssl/t1_lib.c.patch-sha1 openssl-3.2.0/ssl/t1_lib.c +--- openssl-3.2.0/ssl/t1_lib.c.patch-sha1 2023-12-08 13:01:44.752501257 +0100 ++++ openssl-3.2.0/ssl/t1_lib.c 2023-12-08 13:04:18.969899853 +0100 +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include "internal/sslconf.h" + #include "internal/nelem.h" + #include "internal/sizes.h" + #include "internal/tlsgroups.h" +@@ -1506,6 +1507,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) + uint16_t *tls12_sigalgs_list = NULL; + EVP_PKEY *tmpkey = EVP_PKEY_new(); + int ret = 0; ++ int ldsigs_allowed; + + if (ctx == NULL) + goto err; +@@ -1521,6 +1523,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) + goto err; + + ERR_set_mark(); ++ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0); + /* First fill cache and tls12_sigalgs list from legacy algorithm list */ + for (i = 0, lu = sigalg_lookup_tbl; + i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { +@@ -1542,6 +1545,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) + cache[i].enabled = 0; + continue; + } ++ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) ++ && !ldsigs_allowed) { ++ cache[i].enabled = 0; ++ continue; ++ } + + if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { + cache[i].enabled = 0; diff --git a/0056-strcasecmp.patch b/0056-strcasecmp.patch new file mode 100644 index 0000000..6b740ce --- /dev/null +++ b/0056-strcasecmp.patch 
@@ -0,0 +1,53 @@
+diff -up openssl-3.0.3/util/libcrypto.num.locale openssl-3.0.3/util/libcrypto.num
+--- openssl-3.0.3/util/libcrypto.num.locale 2022-06-01 12:35:52.667498724 +0200
++++ openssl-3.0.3/util/libcrypto.num 2022-06-01 12:36:08.112633093 +0200
+@@ -5425,5 +5425,7 @@ ASN1_item_d2i_ex
+ X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION:
+ OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION:
+ BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK
++OPENSSL_strcasecmp ? 3_0_1 EXIST::FUNCTION:
++OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION:
+ ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION:
+diff -up openssl-3.0.7/crypto/o_str.c.cmp openssl-3.0.7/crypto/o_str.c
+--- openssl-3.0.7/crypto/o_str.c.cmp 2022-11-25 12:50:22.449760653 +0100
++++ openssl-3.0.7/crypto/o_str.c 2022-11-25 12:51:19.416350584 +0100
+@@ -342,7 +342,12 @@ int openssl_strerror_r(int errnum, char
+ #endif
+ }
+
+-int OPENSSL_strcasecmp(const char *s1, const char *s2)
++int
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++__attribute__ ((symver ("OPENSSL_strcasecmp@@OPENSSL_3.0.3"),
++ symver ("OPENSSL_strcasecmp@OPENSSL_3.0.1")))
++#endif
++OPENSSL_strcasecmp(const char *s1, const char *s2)
+ {
+ int t;
+
+@@ -352,7 +354,12 @@ int OPENSSL_strcasecmp(const char *s1, c
+ return t;
+ }
+
+-int OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
++int
++#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)
++__attribute__ ((symver ("OPENSSL_strncasecmp@@OPENSSL_3.0.3"),
++ symver ("OPENSSL_strncasecmp@OPENSSL_3.0.1")))
++#endif
++OPENSSL_strncasecmp(const char *s1, const char *s2, size_t n)
+ {
+ int t;
+ size_t i;
+diff -up openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp openssl-3.0.7/test/recipes/01-test_symbol_presence.t
+--- openssl-3.0.7/test/recipes/01-test_symbol_presence.t.cmp 2022-11-25 18:19:05.669769076 +0100
++++ openssl-3.0.7/test/recipes/01-test_symbol_presence.t 
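Review bot: The `__attribute__ ((symver (...)))` placed on OPENSSL_strcasecmp is guarded only by `!defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI)`, not by compiler support, so a build of this tree with a compiler that lacks the attribute (it appeared in GCC 10; clang support is not something I would assume) fails on this declaration; guard it with `#if !defined(FIPS_MODULE) && !defined(OPENSSL_SYS_UEFI) && defined(__has_attribute)` and `#if __has_attribute(symver)`, or at least `__GNUC__ >= 10`. The attribute references version nodes OPENSSL_3.0.1 and OPENSSL_3.0.3 that must exist in the linker version script, which this patch does not touch; a one-line comment naming where those nodes come from (presumably the generated version script fed by the `3_0_1` column in libcrypto.num) would save the next person the search. The same attribute block is repeated on OPENSSL_strncasecmp in the next hunk, so a small macro such as `OSSL_COMPAT_SYMVER(name)` would keep the two in step.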
2022-11-25 18:31:20.993392678 +0100
+@@ -77,6 +80,7 @@ foreach my $libname (@libnames) {
+ s| .*||;
+ # Drop OpenSSL dynamic version information if there is any
+ s|\@\@.+$||;
++ s|\@.+$||;
+ # Return the result
+ $_
+ }
diff --git a/0058-FIPS-limit-rsa-encrypt.patch b/0058-FIPS-limit-rsa-encrypt.patch
new file mode 100644
index 0000000..5d3ef9c
--- /dev/null
+++ b/0058-FIPS-limit-rsa-encrypt.patch
@@ -0,0 +1,965 @@
+From 56511d480823bedafce604374fa3b15d3b3ffd6b Mon Sep 17 00:00:00 2001
+From: rpm-build
+Date: Mon, 31 Jul 2023 09:41:28 +0200
+Subject: [PATCH 26/48] 0058-FIPS-limit-rsa-encrypt.patch
+
+Patch-name: 0058-FIPS-limit-rsa-encrypt.patch
+Patch-id: 58
+Patch-status: |
+ # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
+From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd
+---
+ providers/common/securitycheck.c | 1 +
+ .../implementations/asymciphers/rsa_enc.c | 35 +++++++++++
+ .../30-test_evp_data/evppkey_rsa_common.txt | 58 ++++++++++++++++++-
+ test/recipes/80-test_cms.t | 5 +-
+ test/recipes/80-test_ssl_old.t | 27 +++++++--
+ 5 files changed, 118 insertions(+), 8 deletions(-)
+
+diff --git a/providers/common/securitycheck.c b/providers/common/securitycheck.c
+index e534ad0a5f..c017c658e5 100644
+--- a/providers/common/securitycheck.c
++++ b/providers/common/securitycheck.c
+@@ -27,6 +27,7 @@
+ * Set protect = 1 for encryption or signing operations, or 0 otherwise. See
+ * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf.
+ */
++/* Red Hat build implements some extra limitations in providers/implementations/asymciphers/rsa_enc.c */
+ int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation)
+ {
+ int protect = 0;
+diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c
+index d865968058..872967bcb3 100644
+--- a/providers/implementations/asymciphers/rsa_enc.c
++++ b/providers/implementations/asymciphers/rsa_enc.c
+@@ -132,6 +132,17 @@ static int rsa_decrypt_init(void *vprsactx, void *vrsa,
+ return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT);
+ }
+
++# ifdef FIPS_MODULE
++static int fips_padding_allowed(const PROV_RSA_CTX *prsactx)
++{
++ if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING
++ || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING)
++ return 0;
++
++ return 1;
++}
++# endif
++
+ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+ size_t outsize, const unsigned char *in, size_t inlen)
+ {
+@@ -141,6 +152,18 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+ if (!ossl_prov_is_running())
+ return 0;
+
++# ifdef FIPS_MODULE
++ if (fips_padding_allowed(prsactx) == 0) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
++ return 0;
++ }
++
++ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++ return 0;
++ }
++# endif
++
+ if (out == NULL) {
+ size_t len = RSA_size(prsactx->rsa);
+
+@@ -204,6 +227,18 @@ static int rsa_decrypt(void *vprsactx, unsigned char *out, size_t *outlen,
+ if (!ossl_prov_is_running())
+ return 0;
+
++# ifdef FIPS_MODULE
++ if (fips_padding_allowed(prsactx) == 0) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
++ return 0;
++ }
++
++ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
++ return 0;
++ }
++# 
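Review bot: fips_padding_allowed() is a deny-list: `RSA_PKCS1_PADDING`, `RSA_NO_PADDING` and `RSA_PKCS1_WITH_TLS_PADDING` are refused and every other pad_mode value passes, so any padding constant that rsa_set_ctx_params accepts today or after a future rebase is approved by default. Since OAEP is the only mode this check intends to keep for encryption and decryption, write it as an allow-list that fails closed, `return prsactx->pad_mode == RSA_PKCS1_OAEP_PADDING;`. The function also needs a header comment naming the rule it enforces, e.g. `/* Red Hat FIPS policy (rhbz#2053289): in the FIPS module RSA encrypt/decrypt is limited to OAEP; PKCS#1 v1.5, raw and TLS padding are rejected. */`. The indented `# ifdef FIPS_MODULE` is the spelling this tree uses for nested preprocessor conditionals; at file scope `#ifdef FIPS_MODULE` is the consistent form unless this definition sits inside another `#if`, which is not visible here.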
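Review bot: The two FIPS_MODULE checks added to rsa_encrypt are repeated verbatim in rsa_decrypt in the next hunk, so the two operations can diverge the next time one of them is edited; factor them into one helper next to fips_padding_allowed and call it from both. Placing the checks ahead of the `out == NULL` branch means even the output-length query fails on a disallowed padding or short key, which is the right fail-closed behaviour but deserves a one-line comment because callers commonly probe the size first. The modulus-size test overlaps the ossl_rsa_check_key() path that the securitycheck.c comment in this same patch points to; if rsa_init already runs that check (not visible here) the second test is harmless redundancy, but the two should then raise the same error reason. rsa_encrypt continues past the hunk.

```c
# ifdef FIPS_MODULE
/* Shared by rsa_encrypt() and rsa_decrypt(): refuse non-OAEP padding and
 * keys below the FIPS minimum modulus size; raises the error reason itself. */
static int fips_rsa_op_checks(const PROV_RSA_CTX *prsactx)
{
    if (!fips_padding_allowed(prsactx)) {
        ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE);
        return 0;
    }
    if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {
        ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH);
        return 0;
    }
    return 1;
}
# endif

/* … unchanged: rsa_encrypt() prologue up to the ossl_prov_is_running() test … */
# ifdef FIPS_MODULE
    /* Fail closed before the length query so a disallowed setup never reports a size. */
    if (!fips_rsa_op_checks(prsactx))
        return 0;
# endif
```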
endif ++ + if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) { + if (out == NULL) { + *outlen = SSL_MAX_MASTER_KEY_LENGTH; +diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +index 8680797b90..95d5d51102 100644 +--- a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -619,36 +619,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mNXb79cyY+NygUJ0OBgWbtfdY2 + h90qjKHS9PvY4Q== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a + Output=6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44 + Output=750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb + Output=d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = 
rsa_mgf1_md:sha1 + Input=45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755 + Output=52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439 + Output=8da89fd9e5f974a29feffb462b49180f6cf9e802 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -673,36 +679,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64e2EbcTLLfqc1bCMVHB53UVB8 + eG2e4XlBcKjI6A== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0181af8922b9fcb4d79d92ebe19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e + Output=8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7 + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245 + Output=2d + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053 + Output=74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641 + Output=a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec + Output=2ef2b066f854c33f3bdcbb5994a435e73d6c6c + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -727,36 +739,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+WJ9N6z/c8J3nmNLsmARwsj38z + Ya4qnqZe1onjY5o= + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80 + Output=087820b569e8fa8d + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5 + Output=4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04 + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a + Output=d94cd0e08fa404ed89 + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0 + Output=6cc641b6b61e6f963974dad23a9013284ef1 + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60 + Output=df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223 + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -781,36 +799,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/kSbj6XloJ5qGWywrQmUkz8Uq + aD0x7TDrmEvkEro= + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8 + Output=4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2 + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e + Output=b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8 + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0301f935e9c47abcb48acbbe09895d9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065 + Output=bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99 + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4 + Output=fb2ef112f5e766eb94019297934794f7be2f6fc1c58e + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2 + Output=28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284 + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -835,36 +859,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/GOeBWKNKXF1fhgoPbAQHGn0B + MSwGUGLx60i3nRyDyw== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5 + Output=af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8 + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad + Output=a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399 + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967 + 
Output=308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7 + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf + Output=15c5b9ee1185 + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723 + Output=21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -889,36 +919,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hqziQG4iyeBY3bSuVAYnri/bCC + Yejn5Ly8mU2q+jBcRQ== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3 + Output=4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4 + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f + Output=5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7 + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65 + Output=b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8 + Output=684e3038c5c041f7 + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab + Output=32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693 + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -943,36 +979,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4ohPIOWIGzfukQi8Y1vYdvLXS + FMlxv0gq65dqc3DC + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = 
rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1 + Output=47aae909 + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6 + Output=1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7 + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b + Output=d976fc + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac + Output=d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478 + Output=bb47231ca5ea1d3ad46c99345d9a8a61 + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -997,36 +1039,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15EtXgyL2QF1iEdoZUZZmqof9xM + 2MiPa249Z+lh3Luj0A== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61 + Output=050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967 + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d + Output=4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f + Output=8604ac56328c1ab5ad917861 + ++Availablein = default + Decrypt=RSA-OAEP-8 
+ Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0 + Output=fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2 + Output=4a5f4914bee25de3c69341de07 + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -1057,36 +1105,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSckFlJCf6zfby2VL63Jo7IAeWo + tKo5Eb69iFQvBb4= + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72 + Output=f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6 + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8 + Output=81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659 + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3 + Output=fd326429df9b890e09b54b18b8f34f1e24 + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858 + Output=f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + 
Input=232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e
+ Output=53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d
+
++Availablein = default
+ Decrypt=RSA-OAEP-9
+ Ctrl = rsa_padding_mode:oaep
+ Ctrl = rsa_mgf1_md:sha1
+diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t
+index cbec426137..9ba7fbeed2 100644
+--- a/test/recipes/80-test_cms.t
++++ b/test/recipes/80-test_cms.t
+@@ -233,7 +233,7 @@ my @smime_pkcs7_tests = (
+ \&final_compare
+ ],
+
+- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients",
++ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no Red Hat FIPS",
+ [ "{cmd1}", @prov, "-encrypt", "-in", $smcont,
+ "-aes256", "-stream", "-out", "{output}.cms",
+ $smrsa1,
+@@ -1022,6 +1022,9 @@ sub check_availability {
+ return "$tnam: skipped, DSA disabled\n"
+ if ($no_dsa && $tnam =~ / DSA/);
+
++ return "$tnam: skipped, Red Hat FIPS\n"
++ if ($tnam =~ /no Red Hat FIPS/);
++
+ return "";
+ }
+
+diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t
+index e2dcb68fb5..0775112b40 100644
+--- a/test/recipes/80-test_ssl_old.t
++++ b/test/recipes/80-test_ssl_old.t
+@@ -493,6 +493,18 @@ sub testssl {
+ # the default choice if TLSv1.3 enabled
+ my $flag = $protocol eq "-tls1_3" ?
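Review bot: In the 80-test_cms.t `@@ -1022` hunk the new `return "$tnam: skipped, Red Hat FIPS\n" if ($tnam =~ /no Red Hat FIPS/);` skips the marked test unconditionally, whereas the DSA branch right above it is gated on `$no_dsa`; the renamed 3-recipient AES-256 enveloped test is therefore never executed, even when this recipe runs against the default provider, so its coverage is silently lost rather than restricted to FIPS builds. The guard should be conditioned on the recipe actually running the FIPS provider, e.g. `if (!$no_fips && $tnam =~ /no Red Hat FIPS/);` — assuming `$no_fips` is the flag this file already uses; it is not visible in the hunk, so confirm. The `no Red Hat FIPS` marker in the test title also states no reason; a comment next to the new return explaining what the Red Hat FIPS provider rejects in this case would help the next maintainer. `check_availability` starts outside the hunk.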
"" : $protocol;
+ my $ciphersuites = "";
++ my %redhat_skip_cipher = map {$_ => 1} qw(
++AES256-GCM-SHA384:@SECLEVEL=0
++AES256-CCM8:@SECLEVEL=0
++AES256-CCM:@SECLEVEL=0
++AES128-GCM-SHA256:@SECLEVEL=0
++AES128-CCM8:@SECLEVEL=0
++AES128-CCM:@SECLEVEL=0
++AES256-SHA256:@SECLEVEL=0
++AES128-SHA256:@SECLEVEL=0
++AES256-SHA:@SECLEVEL=0
++AES128-SHA:@SECLEVEL=0
++ );
+ foreach my $cipher (@{$ciphersuites{$protocol}}) {
+ if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) {
+ note "*****SKIPPING $protocol $cipher";
+@@ -504,11 +516,16 @@ sub testssl {
+ } else {
+ $cipher = $cipher.':@SECLEVEL=0';
+ }
+- ok(run(test([@ssltest, @exkeys, "-cipher",
+- $cipher,
+- "-ciphersuites", $ciphersuites,
+- $flag || ()])),
+- "Testing $cipher");
++ if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher}) {
++ note "*****SKIPPING $cipher in Red Hat FIPS mode";
++ ok(1);
++ } else {
++ ok(run(test([@ssltest, @exkeys, "-cipher",
++ $cipher,
++ "-ciphersuites", $ciphersuites,
++ $flag || ()])),
++ "Testing $cipher");
++ }
+ }
+ }
+ next if $protocol eq "-tls1_3";
+--
+2.41.0
+
+diff -up openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.patch-58 openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt
+--- openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.patch-58 2023-12-11 19:15:32.167790754 +0100
++++ openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2023-12-11 21:16:08.390089120 +0100
+@@ -248,7 +248,7 @@ Input = 64b0e9f9892371110c40ba5739dc0974
+ Output = 
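Review bot: `ok(1)` in the new `if ($provider eq "fips" && exists $redhat_skip_cipher{$cipher})` branch of the `@@ -504` hunk reports an untested cipher as a passing test, so the TAP output cannot distinguish "excluded under Red Hat FIPS" from "negotiated and verified", and a mistaken entry in the skip list would never surface; `skip "$cipher not available in Red Hat FIPS mode", 1` inside a `SKIP:` block (or at least `pass("SKIPPED $cipher in Red Hat FIPS mode")`) keeps the reason in the result. The lookup also relies on `$cipher` having been suffixed with `:@SECLEVEL=0` by the `else` branch immediately above, since every key in `%redhat_skip_cipher` (added in the `@@ -493` hunk) carries that suffix; if the other branch of that `if` (outside the hunk) appends something different, those ciphers will silently not be skipped — worth confirming. A comment on the hash stating why these ten suites are excluded would help, e.g. `# RSA key-transport (non-forward-secret) AES suites; not offered by the Red Hat FIPS provider`, hedged because the hunk shows only the names. `$provider` is not declared in the visible lines, so I assume it is a `testssl` argument; `testssl` begins outside the hunk.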
0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + + # RSA decrypt +- ++Availablein = default + Decrypt = RSA-2048 + Input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utput = "Hello World" +@@ -270,7 +270,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235 + Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Corrupted ciphertext + # Note: disable the Bleichenbacher workaround to see if it fails + Decrypt = RSA-2048 +diff -up openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.only-default openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +--- openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.only-default 2024-02-01 15:09:31.498568631 +0100 ++++ openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2024-02-01 15:14:45.858384004 +0100 +@@ -365,28 +365,28 @@ Input = 8bfe264e85d3bdeaa6b8851b8e3b956e + Output = "lorem ipsum dolor sit amet" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case decrypting to empty + Decrypt = RSA-2048-2 + Input = 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 + Output = + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + 
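Review bot: The comment `# The old FIPS provider doesn't include the workaround (#13817)` is kept above the spot in the `@@ -270` hunk where `FIPSversion = >=3.2.0` becomes `Availablein = default`, but it now describes a guard that no longer exists: the new directive removes this Bleichenbacher implicit-rejection case from the FIPS provider run altogether instead of requiring a recent FIPS provider. The same stale comment survives in every `FIPSversion` hunk of the two `.only-default` diffs below. If the Red Hat FIPS provider still performs PKCS#1 v1.5 decryption, the regression coverage of the implicit-rejection countermeasure in that provider is now gone, and the data file should say which it is; either drop the comment or replace it with the real reason, e.g. `# Default provider only: the Red Hat FIPS provider does not perform PKCS#1 v1.5 decryption` once confirmed. Separately, this patch carries three `diff -up` sections against the same `evppkey_rsa_common.txt`, generated on different dates; regenerating them as one diff would avoid the fragile chained offsets.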
# invalid decrypting to max length message + Decrypt = RSA-2048-2 + Input = 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 + Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 + # invalid decrypting to message with length specified by second to last value from PRF ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = 0f9b + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # invalid decrypting to message with length specified by third to last value from PRF + Decrypt = RSA-2048-2 + Input = 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 +@@ -428,14 +428,14 @@ Input = 1ea0b50ca65203d0a09280d39704b24f + Output = "lorem ipsum" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test that generates an 11 byte long message + Decrypt = RSA-2048-2 + Input = 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 + Output = af9ac70191c92413cb9f2d + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise correct plaintext, but with wrong first byte + # (0x01 instead of 0x00), generates a random 11 byte long plaintext + Decrypt = RSA-2048-2 +@@ -443,7 +443,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be5 + Output = a1f8c9255c35cfba403ccc + + # The 
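Review bot: In the "length specified by second to last value from PRF" case of the `@@ -365` hunk the replacement `+Availablein = default` is placed after the case's descriptive comment, whereas every other case in this hunk and in the neighbouring hunks puts it before that comment, exactly where the removed `FIPSversion` line stood. As far as I can tell the evp_test parser is indifferent to comment placement, so this is a style point, but the inconsistency makes the repeated three-line pattern harder to scan and to grep. Move the directive up so each case reads guard-comment, `Availablein = default`, case comment, `Decrypt = RSA-2048-2`.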
old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an otherwise correct plaintext, but with wrong second byte
+ # (0x01 instead of 0x02), generates a random 11 byte long plaintext
+ Decrypt = RSA-2048-2
+@@ -451,7 +451,7 @@ Input = 782c2b59a21a511243820acedd567c13
+ Output = e6d700309ca0ed62452254
+
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an invalid ciphertext, with a zero byte in first byte of
+ # ciphertext, decrypts to a random 11 byte long synthetic
+ # plaintext
+@@ -460,7 +460,7 @@ Input = 0096136621faf36d5290b16bd26295de
+ Output = ba27b1842e7c21c0e7ef6a
+
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an invalid ciphertext, with a zero byte removed from first byte of
+ # ciphertext, decrypts to a random 11 byte long synthetic
+ # plaintext
+@@ -469,7 +469,7 @@ Input = 96136621faf36d5290b16bd26295de27
+ Output = ba27b1842e7c21c0e7ef6a
+
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an invalid ciphertext, with two zero bytes in first bytes of
+ # ciphertext, decrypts to a random 11 byte long synthetic
+ # plaintext
+@@ -478,7 +478,7 @@ Input = 0000587cccc6b264bdfe0dc2149a9880
+ Output = d5cf555b1d6151029a429a
+
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # an invalid ciphertext, with two zero bytes removed from first bytes of
+ # ciphertext, decrypts to a random 11 byte long synthetic
+ # plaintext
+@@ -487,7 +487,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa
+ Output = d5cf555b1d6151029a429a
+
+ # The old FIPS provider doesn't include the workaround (#13817)
+-FIPSversion = >=3.2.0
++Availablein = default
+ # and invalid ciphertext, otherwise valid but starting with 000002, decrypts
+ # to random 11 byte long 
synthetic plaintext + Decrypt = RSA-2048-2 +@@ -495,7 +495,7 @@ Input = 1786550ce8d8433052e01ecba8b76d30 + Output = 3d4a054d9358209e9cbbb9 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with otherwise valid padding but a zero byte in first byte + # of padding + Decrypt = RSA-2048-2 +@@ -503,7 +503,7 @@ Input = 179598823812d2c58a7eb50521150a48 + Output = 1f037dd717b07d3e7f7359 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with otherwise valid padding but a zero byte at the eighth + # byte of padding + Decrypt = RSA-2048-2 +@@ -511,7 +511,7 @@ Input = a7a340675a82c30e22219a55bc07cdf3 + Output = 63cb0bf65fc8255dd29e17 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with an otherwise valid plaintext but with missing separator + # byte + Decrypt = RSA-2048-2 +@@ -566,53 +566,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLI + # RSA decrypt + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # malformed that generates length specified by 3rd last value from PRF + Decrypt = RSA-2049 + Input = 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 + Output = 42 + + # simple positive test case ++Availablein = default + Decrypt = RSA-2049 + Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967 + 
Output = "lorem ipsum" + + # positive test case with null padded ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 + Output = "lorem ipsum" + + # positive test case with null truncated ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 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 + Output = "lorem ipsum" + + # positive test case with double null padded ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 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 + Output = "lorem ipsum" + + # positive test case with double null truncated ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 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 + Output = "lorem ipsum" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates an 11 byte long message + Decrypt = RSA-2049 + Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca + Output = 
1189b6f5498fd6df532b00 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) + Decrypt = RSA-2049 + Input = 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 + Output = f6d0f5b78082fe61c04674 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) + Decrypt = RSA-2049 + Input = 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 +diff -up openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.only-default openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +--- openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt.only-default 2024-02-01 15:22:09.981463726 +0100 ++++ openssl-3.2.0/test/recipes/30-test_evp_data/evppkey_rsa_common.txt 2024-02-01 15:28:41.789966051 +0100 +@@ -269,7 +269,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235 + Output = "Hello World" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Note: disable the Bleichenbacher workaround to see if it passes + Decrypt = RSA-2048 + Ctrl = rsa_pkcs1_implicit_rejection:0 +@@ -277,7 +277,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235 + Output = "Hello World" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Corrupted ciphertext + # Note: output is generated synthethically by the Bleichenbacher workaround + Decrypt = RSA-2048 +@@ -360,6 +360,7 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-P + # RSA decrypt + + # a random positive test case ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum dolor sit amet" +@@ -393,36 +394,43 @@ Input = 1690ebcceece2ce024f382e467cf8510 + 
Output = 4f02 + + # positive test with 11 byte long value ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # positive test with 11 byte long value and zero padded ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # positive test with 11 byte long value and zero truncated ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b + Output = "lorem ipsum" + + # positive test with 11 byte long value and double zero padded ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc + Output = "lorem ipsum" + + # positive test with 11 byte long value and double zero truncated ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # positive that generates a 0 byte 
long synthetic message internally ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" + + # positive that generates a 245 byte long synthetic message internally ++Availablein = default + Decrypt = RSA-2048-2 + Input = 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 + Output = "lorem ipsum" +@@ -681,14 +690,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKu + PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid ciphertext that generates an empty synthetic one + Decrypt = RSA-3072 + Input = 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 + Output = + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid that has PRF output with a length one byte too long + # in the last value + Decrypt = RSA-3072 +@@ -696,46 +705,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d8 + Output = 56a3bea054e01338be9b7d7957539c + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid that generates a synthetic of maximum size + Decrypt = RSA-3072 + Input = 
1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6 + Output = 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 + + # a positive test case that decrypts to 9 byte long value ++Availablein = default + Decrypt = RSA-3072 + Input = 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 + Output = "forty two" + + # a positive test case with null padded ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 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 + Output = "forty two" + + # a positive test case with null truncated ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 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 + Output = "forty two" + + # a positive test case with double null padded ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 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 + Output = "forty two" + + # a positive test case with double null truncated ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 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 + Output = "forty two" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates a 9 byte long message + Decrypt = 
RSA-3072 + Input = 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 + Output = 257906ca6de8307728 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates a 9 byte long message based on + # second to last value from PRF + Decrypt = RSA-3072 +@@ -743,7 +757,7 @@ Input = 758c215aa6acd61248062b88284bf43c + Output = 043383c929060374ed + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test that generates message based on 3rd last value from + # PRF + Decrypt = RSA-3072 +@@ -751,35 +765,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4 + Output = 70263fa6050534b9e0 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) + Decrypt = RSA-3072 + Input = 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 + Output = 6d8d3a094ff3afff4c + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) + Decrypt = RSA-3072 + Input = 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 + Output = c6ae80ffa80bc184b0 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with zero byte in first byte of padding + Decrypt = RSA-3072 + Input = 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 + Output = a8a9301daa01bb25c7 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with zero byte in eight byte of padding + Decrypt = RSA-3072 + Input = 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 + Output = 
6c716fe01d44398018 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with null separator missing + Decrypt = RSA-3072 + Input = 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 diff --git a/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch b/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch new file mode 100644 index 0000000..9991c5c --- /dev/null +++ b/0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch 
@@ -0,0 +1,570 @@ +From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Wed, 18 May 2022 17:25:59 +0200 +Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider + +For RHEL, we already disable SHA-1 signatures by default in the default +provider, so it is unexpected that the FIPS provider would have a more +lenient configuration in this regard. Additionally, we do not think +continuing to accept SHA-1 signatures is a good idea due to the +published chosen-prefix collision attacks. + +As a consequence, disable verification of SHA-1 signatures in the FIPS +provider. + +This requires adjusting a few tests that would otherwise fail: +- 30-test_acvp: Remove the test vectors that use SHA-1. +- 30-test_evp: Mark tests in evppkey_rsa_common.txt and + evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default", + which will not run them when the FIPS provider is enabled. +- 80-test_cms: Re-create all certificates in test/smime-certificates + with SHA256 signatures while keeping the same private keys. These + certificates were signed with SHA-1 and thus fail verification in the + FIPS provider. + Fix some other tests by explicitly running them in the default + provider, where SHA-1 is available. +- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with + the FIPS provider. 
+ +Signed-off-by: Clemens Lang +--- + providers/implementations/signature/dsa_sig.c | 4 -- + .../implementations/signature/ecdsa_sig.c | 4 -- + providers/implementations/signature/rsa_sig.c | 8 +-- + test/acvp_test.inc | 20 ------- + .../30-test_evp_data/evppkey_ecdsa.txt | 7 +++ + .../30-test_evp_data/evppkey_rsa_common.txt | 51 +++++++++++++++- + test/recipes/80-test_cms.t | 4 +- + test/recipes/80-test_ssl_old.t | 4 ++ + test/smime-certs/smdh.pem | 18 +++--- + test/smime-certs/smdsa1.pem | 60 +++++++++---------- + test/smime-certs/smdsa2.pem | 60 +++++++++---------- + test/smime-certs/smdsa3.pem | 60 +++++++++---------- + test/smime-certs/smec1.pem | 30 +++++----- + test/smime-certs/smec2.pem | 30 +++++----- + test/smime-certs/smec3.pem | 30 +++++----- + test/smime-certs/smroot.pem | 38 ++++++------ + test/smime-certs/smrsa1.pem | 38 ++++++------ + test/smime-certs/smrsa2.pem | 38 ++++++------ + test/smime-certs/smrsa3.pem | 38 ++++++------ + 19 files changed, 286 insertions(+), 256 deletions(-) + +diff --git a/providers/implementations/signature/dsa_sig.c b/providers/implementations/signature/dsa_sig.c +index fa3822f39f..c365d7b13a 100644 +--- a/providers/implementations/signature/dsa_sig.c ++++ b/providers/implementations/signature/dsa_sig.c +@@ -128,11 +128,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ctx, + EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); + int md_nid; + size_t mdname_len = strlen(mdname); +-#ifdef FIPS_MODULE +- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); +-#else + int sha1_allowed = 0; +-#endif + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); + +diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c +index 99b228e82c..44a22832ec 100644 +--- a/providers/implementations/signature/ecdsa_sig.c ++++ b/providers/implementations/signature/ecdsa_sig.c +@@ -237,11 +237,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX *ctx, const char *mdname, + 
"%s could not be fetched", mdname); + return 0; + } +-#ifdef FIPS_MODULE +- sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); +-#else + sha1_allowed = 0; +-#endif + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); + if (md_nid < 0) { +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index f66d7705c3..34f45175e8 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -292,11 +292,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ctx, const char *mdname, + EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); + int md_nid; + size_t mdname_len = strlen(mdname); +-#ifdef FIPS_MODULE +- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); +-#else + int sha1_allowed = 0; +-#endif + md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, + sha1_allowed); + +@@ -1355,8 +1351,10 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + + if (prsactx->md == NULL && pmdname == NULL + && pad_mode == RSA_PKCS1_PSS_PADDING) { ++#ifdef FIPS_MODULE ++ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; ++#else + pmdname = RSA_DEFAULT_DIGEST_NAME; +-#ifndef FIPS_MODULE + if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { + pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; + } +diff --git a/test/acvp_test.inc b/test/acvp_test.inc +index ad11d3ae1e..73b24bdb0c 100644 +--- a/test/acvp_test.inc ++++ b/test/acvp_test.inc +@@ -1841,17 +1841,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = { + NO_PSS_SALT_LEN, + FAIL + }, +- { +- "x931", +- 3072, +- "SHA1", +- ITM(rsa_sigverx931_0_msg), +- ITM(rsa_sigverx931_0_n), +- ITM(rsa_sigverx931_0_e), +- ITM(rsa_sigverx931_0_sig), +- NO_PSS_SALT_LEN, +- PASS +- }, + { + "x931", + 3072, +diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +index f36982845d..51e507a61c 100644 +--- 
a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt ++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC + + Title = ECDSA tests + ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 + + # Digest too long ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF12345" +@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e + Result = VERIFY_ERROR + + # Digest too short ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF123" +@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e + Result = VERIFY_ERROR + + # Digest invalid ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1235" +@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e + Result = VERIFY_ERROR + + # Invalid signature ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e + Result = VERIFY_ERROR + + # BER signature ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000 + Result = VERIFY_ERROR + ++Availablein = default + Verify = P-256-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +diff --git a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +index b8d8bb2993..8dd566067b 100644 +--- 
a/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ b/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -96,6 +96,7 @@ NDL6WCBbets= + + Title = RSA tests + ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224 + Input = "0123456789ABCDEF123456789ABC" + Output = 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 + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:SHA1 + Input = 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 + Output = "0123456789ABCDEF1234" + + # Leading zero in the signature ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:SHA1 + Input = 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 + Result = KEYOP_ERROR + + # Mismatched digest ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1233" +@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2 + Result = VERIFY_ERROR + + # Corrupted signature ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1233" +@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2 + Result = VERIFY_ERROR + + # parameter is not NULLt ++Availablein = default + Verify 
= RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" +@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1bcbe85311096a7b9e4799cedfb2351ce0ab7fe4e7 + Result = VERIFY_ERROR + + # embedded digest too long ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" + Output = 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 + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:sha1 + Input = 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 + Result = KEYOP_ERROR + + # embedded digest too short ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" + Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:sha1 + Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d + Result = KEYOP_ERROR + + # Garbage after DigestInfo ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" 
+ Output = 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 + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:sha1 + Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274 + Result = KEYOP_ERROR + + # invalid tag for parameter ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" +@@ -195,6 +209,7 @@ Result = VERIFY_ERROR + + # Verify using public key + ++Availablein = default + Verify = RSA-2048-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -370,6 +385,8 @@ Input="0123456789ABCDEF0123456789ABCDEF" + Output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erify using salt length auto detect ++# In the FIPS provider on RHEL-9, the default digest for PSS signatures is SHA-256 ++Availablein = default + Verify = RSA-2048-PUBLIC + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:auto +@@ -404,6 +421,10 @@ Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DD + Result = VERIFY_ERROR + + # Verify using default parameters, explicitly setting parameters ++# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which ++# RHEL-9 does not support in FIPS mode; all these tests are thus marked ++# Availablein = default. 
++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:20 +@@ -412,6 +433,7 @@ Input="0123456789ABCDEF0123" + Output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erify explicitly setting parameters "digest" salt length ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:digest +@@ -420,18 +442,21 @@ Input="0123456789ABCDEF0123" + Output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erify using salt length larger than minimum ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_pss_saltlen:30 + Input="0123456789ABCDEF0123" + Output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erify using maximum salt length ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_pss_saltlen:max + Input="0123456789ABCDEF0123" + Output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ttempt to change salt length below minimum ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_pss_saltlen:0 + Result = PKEY_CTRL_ERROR +@@ -439,21 +464,25 @@ Result = PKEY_CTRL_ERROR + # Attempt to change padding mode + # Note this used to return PKEY_CTRL_INVALID + # but it is limited because setparams only returns 0 or 1. 
++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_padding_mode:pkcs1 + Result = PKEY_CTRL_ERROR + + # Attempt to change digest ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = digest:sha256 + Result = PKEY_CTRL_ERROR + + # Invalid key: rejected when we try to init ++Availablein = default + Verify = RSA-PSS-BAD + Result = KEYOP_INIT_ERROR + Reason = invalid salt length + + # Invalid key: rejected when we try to init ++Availablein = default + Verify = RSA-PSS-BAD2 + Result = KEYOP_INIT_ERROR + Reason = invalid salt length +@@ -472,36 +501,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEFrMLT8Ms18pKA4Thrb2TE7yLh + 4fINDOjP+yJJvZohNwIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e + Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd + Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843 + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=0652ec67bcee30f9d2699122b91c19abdba89f91 + Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1 + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = 
rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=39c21c4cceda9c1adf839c744e1212a6437575ec + Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87 + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=36dae913b77bd17cae6e7b09453d24544cebb33c + Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -517,36 +552,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+ESArV6D5KYZBKTySPs5cCc1fh + 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ== + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0 + Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=2dac956d53964748ac364d06595827c6b4f143cd + 
Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958 + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298 + Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e + Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a + 
Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -564,36 +605,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5kGWC7IsXS9WNXR89dnxhNyGu + BQIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4 + Output=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 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=b503319399277fd6c1c8f1033cbf04199ea21716 + Output=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 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=50aaede8536b2c307208b275a67ae2df196c7628 + Output=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 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294 + Output=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 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=fad3902c9750622a2bc672622c48270cc57d3ea8 + Output=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 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -1329,11 +1376,13 @@ Title = RSA FIPS tests + + # FIPS tests + +-# Verifying with SHA1 is permitted in fips mode for older applications ++# Verifying with SHA1 is not permitted on RHEL-9 in FIPS mode 
++Availablein = fips + DigestVerify = SHA1 + Key = RSA-2048 + Input = "Hello " + Output = 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 ++Result = DIGESTVERIFYINIT_ERROR + + # Verifying with a 1024 bit key is permitted in fips mode for older applications + DigestVerify = SHA256 +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index 48a92f735d..34afe91b88 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -162,7 +162,7 @@ my @smime_pkcs7_tests = ( + [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1", + "-certfile", $smroot, + "-signer", $smrsa1, "-out", "{output}.cms" ], +- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", ++ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", + "-CAfile", $smroot, "-out", "{output}.txt" ], + \&final_compare + ], +@@ -170,7 +170,7 @@ my @smime_pkcs7_tests = ( + [ "signed zero-length content S/MIME format, RSA key SHA1", + [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1", + "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ], +- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", ++ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", + "-CAfile", $smroot, "-out", "{output}.txt" ], + \&zero_compare + ], +diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t +index 8c52b637fc..ff75c5b6ec 100644 +--- a/test/recipes/80-test_ssl_old.t ++++ b/test/recipes/80-test_ssl_old.t +@@ -394,6 +394,9 @@ sub testssl { + 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); + } + ++ SKIP: { ++ skip "SSLv3 is not supported by the FIPS provider", 4 ++ if $provider eq "fips"; + ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), + 'test sslv2/sslv3 with server authentication'); + ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), +@@ -402,6 +405,7 @@ sub testssl { + 'test sslv2/sslv3 with both client and server authentication via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", 
"-server_auth", "-client_auth", "-app_verify", @CA])), + 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); ++ } + + SKIP: { + skip "No IPv4 available on this machine", 4 diff --git a/0062-fips-Expose-a-FIPS-indicator.patch b/0062-fips-Expose-a-FIPS-indicator.patch new file mode 100644 index 0000000..f1ad59d --- /dev/null +++ b/0062-fips-Expose-a-FIPS-indicator.patch 
@@ -0,0 +1,466 @@ +From e3d6fca1af033d00c47bcd8f9ba28fcf1aa476aa Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Tue, 7 Jun 2022 12:02:49 +0200 +Subject: [PATCH] fips: Expose a FIPS indicator + +FIPS 140-3 requires us to indicate whether an operation was using +approved services or not. The FIPS 140-3 implementation guidelines +provide two basic approaches to doing this: implicit indicators, and +explicit indicators. + +Implicit indicators are basically the concept of "if the operation +passes, it was approved". We were originally aiming for implicit +indicators in our copy of OpenSSL. However, this proved to be a problem, +because we wanted to certify a signature service, and FIPS 140-3 +requires that a signature service computes the digest to be signed +within the boundaries of the FIPS module. Since we were planning to +certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify +would have to be blocked. Unfortunately, EVP_SignFinal uses +EVP_PKEY_sign internally, but outside of fips.so and thus outside of the +FIPS module boundary. This means that using implicit indicators in +combination with certifying only fips.so would require us to block both +EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used +by most users of OpenSSL for signatures. + +EVP_DigestSign would be acceptable, but has only been added in 3.0 and +is thus not yet widely used. + +As a consequence, we've decided to introduce explicit indicators so that +EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but +FIPS-aware applications can query the explicit indicator to check +whether the operation was approved. + +To avoid affecting the ABI and public API too much, this is implemented +as an exported symbol in fips.so and a private header, so applications +that wish to use this will have to dlopen(3) fips.so, locate the +function using dlsym(3), and then call it. 
These applications will have +to build against the private header in order to use the returned +pointer. + +Modify util/mkdef.pl to support exposing a symbol only for a specific +provider identified by its name and path. + +Signed-off-by: Clemens Lang +--- + doc/build.info | 6 ++ + doc/man7/fips_module_indicators.pod | 154 ++++++++++++++++++++++++++++ + providers/fips/fipsprov.c | 71 +++++++++++++ + providers/fips/indicator.h | 66 ++++++++++++ + util/mkdef.pl | 25 ++++- + util/providers.num | 1 + + 6 files changed, 322 insertions(+), 1 deletion(-) + create mode 100644 doc/man7/fips_module_indicators.pod + create mode 100644 providers/fips/indicator.h + +diff --git a/doc/build.info b/doc/build.info +index b0aa4297a4..af235113bb 100644 +--- a/doc/build.info ++++ b/doc/build.info +@@ -4389,6 +4389,10 @@ DEPEND[html/man7/fips_module.html]=man7/fips_module.pod + GENERATE[html/man7/fips_module.html]=man7/fips_module.pod + DEPEND[man/man7/fips_module.7]=man7/fips_module.pod + GENERATE[man/man7/fips_module.7]=man7/fips_module.pod ++DEPEND[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod ++GENERATE[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod ++DEPEND[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod ++GENERATE[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod + DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod + GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod + DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod +@@ -4631,6 +4635,7 @@ html/man7/ct.html \ + html/man7/des_modes.html \ + html/man7/evp.html \ + html/man7/fips_module.html \ ++html/man7/fips_module_indicators.html \ + html/man7/life_cycle-cipher.html \ + html/man7/life_cycle-digest.html \ + html/man7/life_cycle-kdf.html \ +@@ -4754,6 +4759,7 @@ man/man7/ct.7 \ + man/man7/des_modes.7 \ + man/man7/evp.7 \ + man/man7/fips_module.7 \ ++man/man7/fips_module_indicators.7 \ + 
man/man7/life_cycle-cipher.7 \ + man/man7/life_cycle-digest.7 \ + man/man7/life_cycle-kdf.7 \ +diff --git a/doc/man7/fips_module_indicators.pod b/doc/man7/fips_module_indicators.pod +new file mode 100644 +index 0000000000..23db2b395c +--- /dev/null ++++ b/doc/man7/fips_module_indicators.pod +@@ -0,0 +1,154 @@ ++=pod ++ ++=head1 NAME ++ ++fips_module_indicators - Red Hat OpenSSL FIPS module indicators guide ++ ++=head1 DESCRIPTION ++ ++This guide documents how the Red Hat Enterprise Linux 9 OpenSSL FIPS provider ++implements Approved Security Service Indicators according to the FIPS 140-3 ++Implementation Guidelines, section 2.4.C. See ++L ++for the FIPS 140-3 Implementation Guidelines. ++ ++For all approved services except signatures, the Red Hat OpenSSL FIPS provider ++uses the return code as the indicator as understood by FIPS 140-3. That means ++that every operation that succeeds denotes use of an approved security service. ++Operations that do not succeed may not have been approved security services, or ++may have been used incorrectly. ++ ++For signatures, an explicit indicator API is available to determine whether ++a selected operation is an approved security service, in combination with the ++return code of the operation. For a signature operation to be approved, the ++explicit indicator must claim it as approved, and it must succeed. ++ ++=head2 Querying the explicit indicator ++ ++The Red Hat OpenSSL FIPS provider exports a symbol named ++I that provides information on which signature ++operations are approved security functions. To use this function, either link ++against I directly, or load it at runtime using dlopen(3) and ++dlsym(3). 
++ ++ #include ++ #include "providers/fips/indicator.h" ++ ++ void *provider = dlopen("/usr/lib64/ossl-modules/fips.so", RTLD_LAZY); ++ if (provider == NULL) { ++ fprintf(stderr, "%s\n", dlerror()); ++ // handle error ++ } ++ ++ const OSSL_RH_FIPSINDICATOR_ALORITHM *(*redhat_ossl_query_fipsindicator)(int) \ ++ = dlsym(provider, "redhat_ossl_query_fipsindicator"); ++ if (redhat_ossl_query_fipsindicator == NULL) { ++ fprintf(stderr, "%s\n", dlerror()); ++ fprintf(stderr, "Does your copy of fips.so have the required Red Hat" ++ " patches?\n"); ++ // handle error ++ } ++ ++Note that this uses the I header, which is not ++public. Install the I package from the I ++repository using I and include ++I in the compiler's include path. ++ ++I expects an operation ID as its only ++argument. Currently, the only supported operation ID is I to ++obtain the indicators for signature operations. On success, the return value is ++a pointer to an array of Is. On failure, NULL is ++returned. The last entry in the array is indicated by I being ++NULL. ++ ++ typedef struct ossl_rh_fipsindicator_algorithm_st { ++ const char *algorithm_names; /* key */ ++ const char *property_definition; /* key */ ++ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators; ++ } OSSL_RH_FIPSINDICATOR_ALGORITHM; ++ ++ typedef struct ossl_rh_fipsindicator_dispatch_st { ++ int function_id; ++ int approved; ++ } OSSL_RH_FIPSINDICATOR_DISPATCH; ++ ++The I field is a colon-separated list of algorithm names from ++one of the I constants, e.g., I. strtok(3) can ++be used to locate the appropriate entry. 
See the example below, where ++I contains the algorithm name to search for: ++ ++ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicator_dispatch = NULL; ++ const OSSL_RH_FIPSINDICATOR_ALGORITHM *indicator = ++ redhat_ossl_query_fipsindicator(operation_id); ++ if (indicator == NULL) { ++ fprintf(stderr, "No indicator for operation, probably using implicit" ++ " indicators.\n"); ++ // handle error ++ } ++ ++ for (; indicator->algorithm_names != NULL; ++indicator) { ++ char *algorithm_names = strdup(indicator->algorithm_names); ++ if (algorithm_names == NULL) { ++ perror("strdup(3)"); ++ // handle error ++ } ++ ++ const char *algorithm_name = strtok(algorithm_names, ":"); ++ for (; algorithm_name != NULL; algorithm_name = strtok(NULL, ":")) { ++ if (strcasecmp(algorithm_name, algorithm) == 0) { ++ indicator_dispatch = indicator->indicators; ++ free(algorithm_names); ++ algorithm_names = NULL; ++ break; ++ } ++ } ++ free(algorithm_names); ++ } ++ if (indicator_dispatch == NULL) { ++ fprintf(stderr, "No indicator for algorithm %s.\n", algorithm); ++ // handle error ++ } ++ ++If an appropriate I array is available for the ++given algorithm name, it maps function IDs to their approval status. The last ++entry is indicated by a zero I. I is ++I if the operation is an approved security ++service, or part of an approved security service, or ++I otherwise. Any other value is invalid. ++Function IDs are I constants from I, ++e.g., I or I. 
++ ++Assuming I is the function in question, the following code can be ++used to query the approval status: ++ ++ for (; indicator_dispatch->function_id != 0; ++indicator_dispatch) { ++ if (indicator_dispatch->function_id == function_id) { ++ switch (indicator_dispatch->approved) { ++ case OSSL_RH_FIPSINDICATOR_APPROVED: ++ // approved security service ++ break; ++ case OSSL_RH_FIPSINDICATOR_UNAPPROVED: ++ // unapproved security service ++ break; ++ default: ++ // invalid result ++ break; ++ } ++ break; ++ } ++ } ++ ++=head1 SEE ALSO ++ ++L, L ++ ++=head1 COPYRIGHT ++ ++Copyright 2022 Red Hat, Inc. All Rights Reserved. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index de391ce067..1cfd71c5cf 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -23,6 +23,7 @@ + #include "self_test.h" + #include "crypto/context.h" + #include "internal/core.h" ++#include "indicator.h" + + static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes"; + static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no"; +@@ -425,6 +426,68 @@ static const OSSL_ALGORITHM fips_signature[] = { + { NULL, NULL, NULL } + }; + ++static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_rsa_signature_indicators[] = { ++ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { 
OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED } ++}; ++ ++static const OSSL_RH_FIPSINDICATOR_DISPATCH redhat_ecdsa_signature_indicators[] = { ++ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_RH_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { 
OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_RH_FIPSINDICATOR_APPROVED }, ++ { 0, OSSL_RH_FIPSINDICATOR_UNAPPROVED } ++}; ++ ++static const OSSL_RH_FIPSINDICATOR_ALGORITHM redhat_indicator_fips_signature[] = { ++ { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ++ redhat_rsa_signature_indicators }, ++#ifndef OPENSSL_NO_EC ++ { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ++ redhat_ecdsa_signature_indicators }, ++#endif ++ { NULL, NULL, NULL } ++}; ++ + static const OSSL_ALGORITHM fips_asym_cipher[] = { + { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions }, + { NULL, NULL, NULL } +@@ -527,6 +590,14 @@ static void fips_deinit_casecmp(void) { + return NULL; + } + ++const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id) { ++ switch (operation_id) { ++ case OSSL_OP_SIGNATURE: ++ return redhat_indicator_fips_signature; ++ } ++ return NULL; ++} ++ + static void fips_teardown(void *provctx) + { + OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx)); +diff --git a/providers/fips/indicator.h b/providers/fips/indicator.h +new 
file mode 100644 +index 0000000000..b323efe44c +--- /dev/null ++++ b/providers/fips/indicator.h +@@ -0,0 +1,66 @@ ++/* ++ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#ifndef OPENSSL_FIPS_INDICATOR_H ++# define OPENSSL_FIPS_INDICATOR_H ++# pragma once ++ ++# ifdef __cplusplus ++extern "C" { ++# endif ++ ++# define OSSL_RH_FIPSINDICATOR_UNAPPROVED (0) ++# define OSSL_RH_FIPSINDICATOR_APPROVED (1) ++ ++/* ++ * FIPS indicator dispatch table element. function_id numbers and the ++ * functions are defined in core_dispatch.h, see macros with ++ * 'OSSL_CORE_MAKE_FUNC' in their names. ++ * ++ * An array of these is always terminated by function_id == 0 ++ */ ++typedef struct ossl_rh_fipsindicator_dispatch_st { ++ int function_id; ++ int approved; ++} OSSL_RH_FIPSINDICATOR_DISPATCH; ++ ++/* ++ * Type to tie together algorithm names, property definition string and the ++ * algorithm implementation's FIPS indicator status in the form of a FIPS ++ * indicator dispatch table. ++ * ++ * An array of these is always terminated by algorithm_names == NULL ++ */ ++typedef struct ossl_rh_fipsindicator_algorithm_st { ++ const char *algorithm_names; /* key */ ++ const char *property_definition; /* key */ ++ const OSSL_RH_FIPSINDICATOR_DISPATCH *indicators; ++} OSSL_RH_FIPSINDICATOR_ALGORITHM; ++ ++/** ++ * Query FIPS indicator status for the given operation. Possible values for ++ * 'operation_id' are currently only OSSL_OP_SIGNATURE, as all other algorithms ++ * use implicit indicators. The return value is an array of ++ * OSSL_RH_FIPSINDICATOR_ALGORITHMs, terminated by an entry with ++ * algorithm_names == NULL. 
'algorithm_names' is a colon-separated list of ++ * algorithm names, 'property_definition' a comma-separated list of properties, ++ * and 'indicators' is a list of OSSL_RH_FIPSINDICATOR_DISPATCH structs. This ++ * list is terminated by function_id == 0. 'function_id' is one of the ++ * OSSL_FUNC_* constants, e.g., OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL. ++ * ++ * If there is no entry in the returned struct for the given operation_id, ++ * algorithm name, or function_id, the algorithm is unapproved. ++ */ ++const OSSL_RH_FIPSINDICATOR_ALGORITHM *redhat_ossl_query_fipsindicator(int operation_id); ++ ++# ifdef __cplusplus ++} ++# endif ++ ++#endif +diff --git a/util/mkdef.pl b/util/mkdef.pl +index a1c76f7c97..eda39b71ee 100755 +--- a/util/mkdef.pl ++++ b/util/mkdef.pl +@@ -149,7 +149,8 @@ $ordinal_opts{filter} = + return + $item->exists() + && platform_filter($item) +- && feature_filter($item); ++ && feature_filter($item) ++ && fips_filter($item, $name); + }; + my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file); + +@@ -205,6 +206,28 @@ sub feature_filter { + return $verdict; + } + ++sub fips_filter { ++ my $item = shift; ++ my $name = uc(shift); ++ my @features = ( $item->features() ); ++ ++ # True if no features are defined ++ return 1 if scalar @features == 0; ++ ++ my @matches = grep(/^ONLY_.*$/, @features); ++ if (@matches) { ++ # There is at least one only_* flag on this symbol, check if any of ++ # them match the name ++ for (@matches) { ++ if ($_ eq "ONLY_${name}") { ++ return 1; ++ } ++ } ++ return 0; ++ } ++ return 1; ++} ++ + sub sorter_unix { + my $by_name = OpenSSL::Ordinals::by_name(); + my %weight = ( +diff --git a/util/providers.num b/util/providers.num +index 4e2fa81b98..77879d0e5f 100644 +--- a/util/providers.num ++++ b/util/providers.num +@@ -1 +1,2 @@ + OSSL_provider_init 1 * EXIST::FUNCTION: ++redhat_ossl_query_fipsindicator 1 * EXIST::FUNCTION:ONLY_PROVIDERS/FIPS +-- +2.35.3 + 
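Review bot: The dlsym example in fips_module_indicators.pod declares the function pointer with a type that does not exist, `const OSSL_RH_FIPSINDICATOR_ALORITHM *(*redhat_ossl_query_fipsindicator)(int)`; providers/fips/indicator.h defines `OSSL_RH_FIPSINDICATOR_ALGORITHM`, so the example fails to compile when copied, which matters for a page whose whole purpose is to show FIPS-aware applications how to call this symbol. The lookup loop on the same page keeps iterating after a match, so a later table entry whose name list also matches would silently overwrite `indicator_dispatch`; adding `if (indicator_dispatch != NULL) break;` after the inner loop makes the first-match rule explicit. The fail-closed rule ("no entry for the operation, algorithm or function_id means unapproved") is stated only in the header comment of indicator.h; the pod's "Querying the explicit indicator" section should repeat it, since that is what callers actually read. The tables in fipsprov.c are static per function ID and say nothing about key size or digest, so the pod's sentence that the indicator must be combined with the operation's return code is the load-bearing caveat and deserves its own emphasized paragraph rather than a clause. Separately, indicator.h carries a "2019-2021 The OpenSSL Project Authors" copyright while the pod says "2022 Red Hat"; the header is new Red Hat code and the two should agree.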
diff --git a/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch b/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch new file mode 100644 index 0000000..6f5fef2 --- /dev/null +++ b/0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch 
@@ -0,0 +1,347 @@ +From abeda0b0475adb0d4f89b0c97cfc349779915bbf Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:28 +0200 +Subject: [PATCH 29/35] + 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch + +Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch +Patch-id: 73 +Patch-status: | + # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + crypto/rsa/rsa_local.h | 8 ++ + crypto/rsa/rsa_oaep.c | 34 ++++++-- + include/openssl/core_names.h | 3 + + providers/fips/self_test_data.inc | 79 ++++++++++--------- + providers/fips/self_test_kats.c | 7 ++ + .../implementations/asymciphers/rsa_enc.c | 41 +++++++++- + 6 files changed, 128 insertions(+), 44 deletions(-) + +diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h +index ea70da05ad..dde57a1a0e 100644 +--- a/crypto/rsa/rsa_local.h ++++ b/crypto/rsa/rsa_local.h +@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to + int tlen, const unsigned char *from, + int flen); + ++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, ++ int plen, const EVP_MD *md, ++ const EVP_MD *mgf1md, ++ const char *redhat_st_seed); ++ + #endif /* OSSL_CRYPTO_RSA_LOCAL_H */ +diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c +index d9be1a4f98..b2f7f7dc4b 100644 +--- a/crypto/rsa/rsa_oaep.c ++++ b/crypto/rsa/rsa_oaep.c +@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, + param, plen, NULL, NULL); + } + ++#ifdef FIPS_MODULE ++extern int REDHAT_FIPS_asym_cipher_st; ++#endif /* FIPS_MODULE */ ++ + /* + * Perform the padding as per NIST 800-56B 7.2.2.3 + * from (K) is the key material. 
+@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, + * Step numbers are included here but not in the constant time inverse below + * to avoid complicating an already difficult enough function. + */ +-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, +- unsigned char *to, int tlen, +- const unsigned char *from, int flen, +- const unsigned char *param, +- int plen, const EVP_MD *md, +- const EVP_MD *mgf1md) ++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, ++ int plen, const EVP_MD *md, ++ const EVP_MD *mgf1md, ++ const char *redhat_st_seed) + { + int rv = 0; + int i, emlen = tlen - 1; +@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, + db[emlen - flen - mdlen - 1] = 0x01; + memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen); + /* step 3d: generate random byte string */ ++#ifdef FIPS_MODULE ++ if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) { ++ memcpy(seed, redhat_st_seed, mdlen); ++ } else ++#endif + if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0) + goto err; + +@@ -138,6 +148,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, + return rv; + } + ++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, ++ int plen, const EVP_MD *md, ++ const EVP_MD *mgf1md) ++{ ++ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from, ++ flen, param, plen, md, ++ mgf1md, NULL); ++} ++ + int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + const unsigned char *from, int flen, + const unsigned char *param, int plen, +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index e0fdc0daa4..aa2012c04a 100644 +--- a/providers/fips/self_test_data.inc ++++ 
b/providers/fips/self_test_data.inc +@@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = { + }; + + /*- +- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the ++ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the + * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient + * HP/UX PA-RISC compilers. + */ +-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE; ++static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP; ++static const char oaep_fixed_seed[] = { ++ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25, ++ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab, ++ 0x2e, 0x4b, 0x2c, 0xe6 ++}; + + static const ST_KAT_PARAM rsa_enc_params[] = { +- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none), ++ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep), ++ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, ++ oaep_fixed_seed), + ST_KAT_PARAM_END() + }; + +@@ -1342,43 +1349,43 @@ static const unsigned char rsa_expected_sig[256] = { + 0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6 + }; + +-static const unsigned char rsa_asym_plaintext_encrypt[256] = { ++static const unsigned char rsa_asym_plaintext_encrypt[208] = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, + }; + static const unsigned char rsa_asym_expected_encrypt[256] = { +- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b, +- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61, +- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c, +- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc, +- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0, +- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa, +- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a, +- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc, +- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35, +- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a, +- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd, +- 0x1e, 
0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda, +- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18, +- 0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7, +- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39, +- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87, +- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21, +- 0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0, +- 0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8, +- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c, +- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa, +- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69, +- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52, +- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c, +- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6, +- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93, +- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d, +- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5, +- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9, +- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04, +- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa, +- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab, ++ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74, ++ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c, ++ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e, ++ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b, ++ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25, ++ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89, ++ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1, ++ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50, ++ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17, ++ 0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2, ++ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb, ++ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d, ++ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e, ++ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f, ++ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3, ++ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06, ++ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25, ++ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78, ++ 0xb3, 0xe3, 
0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04, ++ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c, ++ 0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47, ++ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce, ++ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0, ++ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6, ++ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99, ++ 0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30, ++ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20, ++ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb, ++ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27, ++ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66, ++ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a, ++ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06 + }; + + #ifndef OPENSSL_NO_EC +diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c +index 74ee25dcb6..a9bc8be7fa 100644 +--- a/providers/fips/self_test_kats.c ++++ b/providers/fips/self_test_kats.c +@@ -641,14 +641,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) + return ret; + } + ++int REDHAT_FIPS_asym_cipher_st = 0; ++ + static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) + { + int i, ret = 1; + ++ REDHAT_FIPS_asym_cipher_st = 1; ++ + for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) { + if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx)) + ret = 0; + } ++ ++ REDHAT_FIPS_asym_cipher_st = 0; ++ + return ret; + } + +diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c +index 9cd8904131..40de5ce8fa 100644 +--- a/providers/implementations/asymciphers/rsa_enc.c ++++ b/providers/implementations/asymciphers/rsa_enc.c +@@ -30,6 +30,9 @@ + #include "prov/implementations.h" + #include "prov/providercommon.h" + #include "prov/securitycheck.h" ++#ifdef FIPS_MODULE ++# include "crypto/rsa/rsa_local.h" ++#endif + + #include + +@@ -75,6 +78,9 @@ typedef struct { + /* TLS padding */ + unsigned int client_version; + unsigned 
int alt_version; ++#ifdef FIPS_MODULE ++ char *redhat_st_oaep_seed; ++#endif /* FIPS_MODULE */ + /* PKCS#1 v1.5 decryption mode */ + unsigned int implicit_rejection; + } PROV_RSA_CTX; +@@ -192,12 +198,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, + } + } + ret = +- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf, ++#ifdef FIPS_MODULE ++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2( ++#else ++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex( ++#endif ++ prsactx->libctx, tbuf, + rsasize, in, inlen, + prsactx->oaep_label, + prsactx->oaep_labellen, + prsactx->oaep_md, +- prsactx->mgf1_md); ++ prsactx->mgf1_md ++#ifdef FIPS_MODULE ++ , prsactx->redhat_st_oaep_seed ++#endif ++ ); + + if (!ret) { + OPENSSL_free(tbuf); +@@ -328,6 +343,9 @@ static void rsa_freectx(void *vprsactx) + EVP_MD_free(prsactx->oaep_md); + EVP_MD_free(prsactx->mgf1_md); + OPENSSL_free(prsactx->oaep_label); ++#ifdef FIPS_MODULE ++ OPENSSL_free(prsactx->redhat_st_oaep_seed); ++#endif /* FIPS_MODULE */ + + OPENSSL_free(prsactx); + } +@@ -447,6 +465,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { + NULL, 0), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), ++#endif /* FIPS_MODULE */ + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), + OSSL_PARAM_END + }; +@@ -456,6 +477,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, + return known_gettable_ctx_params; + } + ++#ifdef FIPS_MODULE ++extern int REDHAT_FIPS_asym_cipher_st; ++#endif /* FIPS_MODULE */ ++ + static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; +@@ -567,6 +592,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + prsactx->oaep_labellen = tmp_labellen; + 
} + ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED); ++ if (p != NULL && REDHAT_FIPS_asym_cipher_st) { ++ void *tmp_oaep_seed = NULL; ++ ++ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL)) ++ return 0; ++ OPENSSL_free(prsactx->redhat_st_oaep_seed); ++ prsactx->redhat_st_oaep_seed = (char *)tmp_oaep_seed; ++ } ++#endif /* FIPS_MODULE */ ++ + p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION); + if (p != NULL) { + unsigned int client_version; +-- +2.41.0 + +diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.patch-config openssl-3.2.0/util/perl/OpenSSL/paramnames.pm +--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.patch-config 2023-12-14 13:48:23.398025507 +0100 ++++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2023-12-14 14:24:49.519488385 +0100 +@@ -401,6 +401,7 @@ my %params = ( + 'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version", + 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version", + 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", ++ 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed", + + # Encoder / decoder parameters + diff --git a/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch b/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch new file mode 100644 index 0000000..e41fadd --- /dev/null +++ b/0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch 
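Review bot: In ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2 the fixed-seed branch does `memcpy(seed, redhat_st_seed, mdlen)` with no length for the seed: rsa_set_ctx_params discards the octet string's length (`OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL)`) and PROV_RSA_CTX stores only a `char *`, so the copy trusts that whatever was supplied is at least as long as the OAEP digest output. The KAT's `oaep_fixed_seed` is 20 bytes, which matches the default SHA-1 OAEP digest, but a future change of the KAT digest, or a shorter seed set through the parameter, reads past the buffer silently; store the length next to the pointer, pass it into `_ex2`, and fail before the copy, as sketched below. The `REDHAT_FIPS_asym_cipher_st` gate keeps the deterministic seed out of normal operation, but it is a plain global int toggled around the self-test with no synchronization, so an on-demand self-test running concurrently with application RSA-OAEP encryption is a window that should at least be documented in a comment at its definition in self_test_kats.c. The new parameter is appended to known_gettable_ctx_params although it is only handled in rsa_set_ctx_params (the settable table is not touched), and rsa_dupctx is not updated either; if it copies the struct wholesale as upstream's does, the seed pointer would be shared and freed twice by rsa_freectx, though both of those functions lie outside this hunk. Cosmetically, the identifier `OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED` misspells OAEP and is now baked into paramnames.pm, so it is worth fixing before it ships.

```c
int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx,
                                             unsigned char *to, int tlen,
                                             const unsigned char *from, int flen,
                                             const unsigned char *param,
                                             int plen, const EVP_MD *md,
                                             const EVP_MD *mgf1md,
                                             const char *redhat_st_seed,
                                             size_t redhat_st_seedlen)
{
    /* … unchanged: length checks and DB construction … */
#ifdef FIPS_MODULE
    if (redhat_st_seed != NULL && REDHAT_FIPS_asym_cipher_st) {
        /* KAT-only path: the supplied seed must cover the whole digest length */
        if (redhat_st_seedlen < (size_t)mdlen)
            goto err;
        memcpy(seed, redhat_st_seed, mdlen);
    } else
#endif
    if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0)
        goto err;
    /* … unchanged: MGF1 masking and output … */
```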
@@ -0,0 +1,408 @@ +From 97ac06e5a8e3a8699279c06eeb64c8e958bad7bd Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 15 Jul 2022 17:45:40 +0200 +Subject: [PATCH] FIPS: Use digest_sign & digest_verify in self test + +In review for FIPS 140-3, the lack of a self-test for the digest_sign +and digest_verify provider functions was highlighted as a problem. NIST +no longer provides ACVP tests for the RSA SigVer primitive (see +https://github.com/usnistgov/ACVP/issues/1347). Because FIPS 140-3 +recommends the use of functions that compute the digest and signature +within the module, we have been advised in our module review that the +self tests should also use the combined digest and signature APIs, i.e. +the digest_sign and digest_verify provider functions. + +Modify the signature self-test to use these instead by switching to +EVP_DigestSign and EVP_DigestVerify. This requires adding more ifdefs to +crypto/evp/m_sigver.c to make these functions usable in the FIPS module. + +Signed-off-by: Clemens Lang +--- + crypto/evp/m_sigver.c | 43 +++++++++++++++++++++++++++------ + providers/fips/self_test_kats.c | 37 +++++++++++++++------------- + 2 files changed, 56 insertions(+), 24 deletions(-) + +diff --git a/crypto/evp/m_sigver.c b/crypto/evp/m_sigver.c +index db1a1d7bc3..c94c3c53bd 100644 +--- a/crypto/evp/m_sigver.c ++++ b/crypto/evp/m_sigver.c +@@ -88,6 +88,7 @@ static int update(EVP_MD_CTX *ctx, const void *data, size_t datalen) + ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED); + return 0; + } ++#endif /* !defined(FIPS_MODULE) */ + + /* + * If we get the "NULL" md then the name comes back as "UNDEF". 
We want to use +@@ -130,8 +131,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + reinit = 0; + if (e == NULL) + ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props); ++#ifndef FIPS_MODULE + else + ctx->pctx = EVP_PKEY_CTX_new(pkey, e); ++#endif /* !defined(FIPS_MODULE) */ + } + if (ctx->pctx == NULL) + return 0; +@@ -139,8 +142,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + locpctx = ctx->pctx; + ERR_set_mark(); + ++#ifndef FIPS_MODULE + if (evp_pkey_ctx_is_legacy(locpctx)) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + + /* do not reinitialize if pkey is set or operation is different */ + if (reinit +@@ -225,8 +230,10 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + signature = + evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + supported_sig, locpctx->propquery); ++#ifndef FIPS_MODULE + if (signature == NULL) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + break; + } + if (signature == NULL) +@@ -310,6 +317,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props); + if (ctx->fetched_digest != NULL) { + ctx->digest = ctx->reqdigest = ctx->fetched_digest; ++#ifndef FIPS_MODULE + } else { + /* legacy engine support : remove the mark when this is deleted */ + ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname); +@@ -318,11 +326,13 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + goto err; + } ++#endif /* !defined(FIPS_MODULE) */ + } + (void)ERR_pop_to_mark(); + } + } + ++#ifndef FIPS_MODULE + if (ctx->reqdigest != NULL + && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) + && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) +@@ -334,6 +344,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + goto err; + } + } ++#endif /* !defined(FIPS_MODULE) */ + + if (ver) { + if (signature->digest_verify_init == NULL) { +@@ 
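Review bot: In the FIPS build the whole `} else {` branch is compiled out, so when `EVP_MD_fetch(locpctx->libctx, mdname, props)` returns NULL do_sigver_init no longer raises `EVP_R_INITIALIZATION_ERROR` and continues with `ctx->digest` unset; in the non-FIPS build that error is reached only through the legacy `EVP_get_digestbyname` fallback this hunk excludes. Unless a later check outside the hunk rejects a NULL digest, the FIPS side needs its own failure path rather than inheriting none; an `#else` arm as below keeps the brace structure intact. do_sigver_init starts and ends outside this hunk.
```c
#ifndef FIPS_MODULE
            } else {
                /* … unchanged: legacy engine lookup and error … */
            }
#else
            } else {
                /* no legacy fallback in the FIPS module: an unfetchable digest is fatal */
                ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
                goto err;
            }
#endif /* !defined(FIPS_MODULE) */
```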
-366,6 +377,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + EVP_KEYMGMT_free(tmp_keymgmt); + return 0; + ++#ifndef FIPS_MODULE + legacy: + /* + * If we don't have the full support we need with provided methods, +@@ -437,6 +449,7 @@ static int do_sigver_init(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + ctx->pctx->flag_call_digest_custom = 1; + + ret = 1; ++#endif /* !defined(FIPS_MODULE) */ + + end: + #ifndef FIPS_MODULE +@@ -479,7 +492,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx, EVP_PKEY_CTX **pctx, + return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1, + NULL); + } +-#endif /* FIPS_MDOE */ + + int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) + { +@@ -639,6 +659,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, + } + } + return 1; ++#endif /* !defined(FIPS_MODULE) */ + } + + int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, +@@ -732,6 +761,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, + if (vctx || !r) + return r; + return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen); ++#endif /* !defined(FIPS_MODULE) */ + } + + int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, +@@ -757,4 +787,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, + return -1; + return EVP_DigestVerifyFinal(ctx, sigret, siglen); + } +-#endif /* FIPS_MODULE */ +diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c +index b6d5e8e134..77eec075e6 100644 +--- a/providers/fips/self_test_kats.c ++++ b/providers/fips/self_test_kats.c +@@ -444,10 +444,13 @@ static int self_test_sign(const ST_KAT_SIGN *t, + int ret = 0; + OSSL_PARAM *params = NULL, *params_sig = NULL; + OSSL_PARAM_BLD *bld = NULL; ++ EVP_MD *md = NULL; ++ EVP_MD_CTX *ctx = NULL; + EVP_PKEY_CTX *sctx = NULL, *kctx = NULL; + EVP_PKEY *pkey = NULL; +- unsigned char sig[256]; + BN_CTX *bnctx = NULL; ++ const char *msg = "Hello World!"; ++ unsigned char 
sig[256]; + size_t siglen = sizeof(sig); + static const unsigned char dgst[] = { + 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, +@@ -488,23 +491,26 @@ static int self_test_sign(const ST_KAT_SIGN *t, + || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) + goto err; + +- /* Create a EVP_PKEY_CTX to use for the signing operation */ +- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL); +- if (sctx == NULL +- || EVP_PKEY_sign_init(sctx) <= 0) +- goto err; +- +- /* set signature parameters */ +- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST, +- t->mdalgorithm, +- strlen(t->mdalgorithm) + 1)) +- goto err; ++ /* Create a EVP_MD_CTX to use for the signature operation, assign signature ++ * parameters and sign */ + params_sig = OSSL_PARAM_BLD_to_param(bld); +- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) ++ md = EVP_MD_fetch(libctx, "SHA256", NULL); ++ ctx = EVP_MD_CTX_new(); ++ if (md == NULL || ctx == NULL) ++ goto err; ++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); ++ if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0 ++ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0 ++ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0 ++ || EVP_MD_CTX_reset(ctx) <= 0) + goto err; + +- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0 +- || EVP_PKEY_verify_init(sctx) <= 0 ++ /* sctx is not freed automatically inside the FIPS module */ ++ EVP_PKEY_CTX_free(sctx); ++ sctx = NULL; ++ ++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); ++ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0 + || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) + goto err; + +@@ -509,14 +510,17 @@ static int self_test_sign(const ST_KAT_SIGN *t, + goto err; + + OSSL_SELF_TEST_oncorrupt_byte(st, sig); +- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0) ++ if (EVP_DigestVerify(ctx, sig, siglen, (const 
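Review bot: `static const unsigned char dgst[]` stays in self_test_sign although both of its uses, `EVP_PKEY_sign(... dgst, sizeof(dgst))` and `EVP_PKEY_verify(... dgst, sizeof(dgst))`, are removed by this patch in favour of signing `msg` through EVP_DigestSign; unless it is still read somewhere between the hunks it is now dead data that `-Wunused-const-variable` will flag. Its first bytes look like the SHA-256 of `"Hello World!"`, so either drop it, or keep it with a comment `/* SHA-256("Hello World!"), kept for reference; the KAT now hashes msg itself */` so the next reader does not assume it is still wired in. self_test_sign starts before this hunk.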
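Review bot: `EVP_MD_fetch(libctx, "SHA256", NULL)` hard-codes the digest, while the removed `OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST, t->mdalgorithm, ...)` was the only place the KAT table's `mdalgorithm` field was honoured, so any sign KAT entry that names another digest is now silently run with SHA-256 and a wrong table entry would not be noticed. Use the table value, `md = EVP_MD_fetch(libctx, t->mdalgorithm, NULL);`, so the test still pins what the data says. With that push gone, the `params_sig` handed to `EVP_PKEY_CTX_set_params(sctx, params_sig)` appears to carry only whatever was pushed earlier for the key (not visible here); if nothing signature-related is left in it, the two set_params calls can go. The repeated `EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT)` after `EVP_MD_CTX_reset` deserves a comment such as `/* reset clears the flags; set them again before the verify init */`, presuming that is why it is repeated.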
unsigned char *)msg, strlen(msg)) <= 0) + goto err; + ret = 1; + err: + BN_CTX_free(bnctx); + EVP_PKEY_free(pkey); +- EVP_PKEY_CTX_free(kctx); ++ EVP_MD_free(md); ++ EVP_MD_CTX_free(ctx); ++ /* sctx is not freed automatically inside the FIPS module */ + EVP_PKEY_CTX_free(sctx); ++ EVP_PKEY_CTX_free(kctx); + OSSL_PARAM_free(params); + OSSL_PARAM_free(params_sig); + OSSL_PARAM_BLD_free(bld); +-- +2.37.1 + +diff -up openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch openssl-3.2.0/crypto/evp/m_sigver.c +--- openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch 2024-01-04 11:44:18.761559765 +0100 ++++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-01-04 11:51:18.297195401 +0100 +@@ -560,26 +560,33 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c + return EVP_DigestUpdate(ctx, data, dsize); + } + +-#ifndef FIPS_MODULE + int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, + size_t *siglen) + { +- int sctx = 0, r = 0; +- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; ++ int r = 0; ++#ifndef FIPS_MODULE ++ int sctx = 0; ++ EVP_PKEY_CTX *dctx = NULL; ++#endif /* !defined(FIPS_MODULE) */ ++ EVP_PKEY_CTX *pctx = ctx->pctx; ++ + + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); + return 0; + } + ++#ifndef FIPS_MODULE + if (pctx == NULL + || pctx->operation != EVP_PKEY_OP_SIGNCTX + || pctx->op.sig.algctx == NULL + || pctx->op.sig.signature == NULL) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + + if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { + /* try dup */ ++#ifndef FIPS_MODULE + dctx = EVP_PKEY_CTX_dup(pctx); + if (dctx != NULL) + pctx = dctx; +@@ -591,8 +598,10 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; + else + EVP_PKEY_CTX_free(dctx); ++#endif /* !defined(FIPS_MODULE) */ + return r; + ++#ifndef FIPS_MODULE + legacy: + if (pctx == NULL || pctx->pmeth == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +@@ -704,25 +713,32 @@ int 
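Review bot: The cleanup order in `err:`, `EVP_MD_CTX_free(ctx)` followed by `EVP_PKEY_CTX_free(sctx)`, is correct only if freeing the MD context in the FIPS build really leaves `ctx->pctx` alone, which the comment asserts but nothing in the hunk enforces; in a non-FIPS build the same sequence is a double free, and the explicit `EVP_PKEY_CTX_free(sctx)` after `EVP_MD_CTX_reset` in the previous hunk relies on the same property. Setting `EVP_MD_CTX_FLAG_KEEP_PKEY_CTX` together with the other flags would make the hand-off explicit in either build, provided EVP_MD_CTX_reset honours it in the FIPS module; otherwise expand the comment to name the `#ifndef FIPS_MODULE` in the MD-context reset that this ordering depends on, so a later change there does not silently turn this into a double free. self_test_sign starts before this hunk.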
EVP_DigestSign(EVP_MD_CTX *ctx, unsi + int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, + size_t siglen) + { +- unsigned char md[EVP_MAX_MD_SIZE]; + int r = 0; ++#ifndef FIPS_MODULE ++ unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int mdlen = 0; + int vctx = 0; +- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; ++ EVP_PKEY_CTX *dctx = NULL; ++#endif /* !defined(FIPS_MODULE) */ ++ EVP_PKEY_CTX *pctx = ctx->pctx; ++ + + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); + return 0; + } + ++#ifndef FIPS_MODULE + if (pctx == NULL + || pctx->operation != EVP_PKEY_OP_VERIFYCTX + || pctx->op.sig.algctx == NULL + || pctx->op.sig.signature == NULL) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { + /* try dup */ ++#ifndef FIPS_MODULE + dctx = EVP_PKEY_CTX_dup(pctx); + if (dctx != NULL) + pctx = dctx; +@@ -733,8 +749,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct + ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; + else + EVP_PKEY_CTX_free(dctx); ++#endif /* !defined(FIPS_MODULE) */ + return r; + ++#ifndef FIPS_MODULE + legacy: + if (pctx == NULL || pctx->pmeth == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +diff -up openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch openssl-3.2.0/crypto/evp/m_sigver.c +--- openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch 2024-01-04 12:39:26.858137284 +0100 ++++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-01-04 12:40:28.201680446 +0100 +@@ -736,9 +736,9 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct + goto legacy; + #endif /* !defined(FIPS_MODULE) */ + ++#ifndef FIPS_MODULE + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { + /* try dup */ +-#ifndef FIPS_MODULE + dctx = EVP_PKEY_CTX_dup(pctx); + if (dctx != NULL) + pctx = dctx; +diff -up openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch openssl-3.2.0/crypto/evp/m_sigver.c +--- openssl-3.2.0/crypto/evp/m_sigver.c.digest-sign-patch 2024-01-04 
12:55:41.172653897 +0100 ++++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-01-04 12:56:23.562017396 +0100 +@@ -584,9 +584,9 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + goto legacy; + #endif /* !defined(FIPS_MODULE) */ + ++#ifndef FIPS_MODULE + if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { + /* try dup */ +-#ifndef FIPS_MODULE + dctx = EVP_PKEY_CTX_dup(pctx); + if (dctx != NULL) + pctx = dctx; +diff -up openssl-3.2.0/crypto/evp/m_sigver.c.fips-new openssl-3.2.0/crypto/evp/m_sigver.c +--- openssl-3.2.0/crypto/evp/m_sigver.c.fips-new 2024-01-30 23:50:10.115710238 +0100 ++++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-01-31 00:04:31.448164500 +0100 +@@ -598,7 +598,11 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; + else + EVP_PKEY_CTX_free(dctx); ++ return r; + #endif /* !defined(FIPS_MODULE) */ ++ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, ++ sigret, siglen, ++ sigret == NULL ? 0 : *siglen); + return r; + + #ifndef FIPS_MODULE +@@ -749,7 +753,10 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct + ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; + else + EVP_PKEY_CTX_free(dctx); ++ return r; + #endif /* !defined(FIPS_MODULE) */ ++ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, ++ sig, siglen); + return r; + + #ifndef FIPS_MODULE +diff -up openssl-3.2.0/crypto/evp/m_sigver.c.fix-ifdef openssl-3.2.0/crypto/evp/m_sigver.c +--- openssl-3.2.0/crypto/evp/m_sigver.c.fix-ifdef 2024-02-01 09:23:07.877696442 +0100 ++++ openssl-3.2.0/crypto/evp/m_sigver.c 2024-02-01 09:25:30.857169997 +0100 +@@ -599,11 +599,12 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + else + EVP_PKEY_CTX_free(dctx); + return r; +-#endif /* !defined(FIPS_MODULE) */ ++#else + r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, + sigret, siglen, + sigret == NULL ? 
0 : *siglen); + return r; ++#endif /* !defined(FIPS_MODULE) */ + + #ifndef FIPS_MODULE + legacy: +@@ -754,10 +755,11 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct + else + EVP_PKEY_CTX_free(dctx); + return r; +-#endif /* !defined(FIPS_MODULE) */ ++#else + r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, + sig, siglen); + return r; ++#endif /* !defined(FIPS_MODULE) */ + + #ifndef FIPS_MODULE + legacy: diff --git a/0075-FIPS-Use-FFDHE2048-in-self-test.patch b/0075-FIPS-Use-FFDHE2048-in-self-test.patch new file mode 100644 index 0000000..096e62d --- /dev/null +++ b/0075-FIPS-Use-FFDHE2048-in-self-test.patch 
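Review bot: The FIPS branch of `EVP_DigestSignFinal` calls `pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, ...)` with no guard, because the `pctx == NULL || pctx->operation != EVP_PKEY_OP_SIGNCTX || pctx->op.sig.algctx == NULL || pctx->op.sig.signature == NULL` check is compiled out together with the `goto legacy` it feeds (earlier hunk of this same series); a Final without a preceding Init, or after a failed one, dereferences NULL in the FIPS module where the non-FIPS build reports an error. The same branch never sets `EVP_MD_CTX_FLAG_FINALISED`, so the `EVP_R_FINAL_ERROR` check at the top of the function cannot fire for a second Final on a FIPS context, unlike the non-FIPS path that sets the flag after a non-dup finalisation. The `EVP_DigestVerifyFinal` branch in the second hunk has both gaps too. A sketch for the sign side follows; mirror it for verify with `EVP_PKEY_OP_VERIFYCTX` and `digest_verify_final`.
```c
#else
    /* no legacy fallback in the FIPS module: fail instead of dereferencing */
    if (pctx == NULL
            || pctx->operation != EVP_PKEY_OP_SIGNCTX
            || pctx->op.sig.algctx == NULL
            || pctx->op.sig.signature == NULL
            || pctx->op.sig.signature->digest_sign_final == NULL) {
        ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR);
        return 0;
    }
    r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx,
                                                  sigret, siglen,
                                                  sigret == NULL ? 0 : *siglen);
    if (sigret != NULL)
        ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; /* as on the non-FIPS path */
    return r;
#endif /* !defined(FIPS_MODULE) */
```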
@@ -0,0 +1,378 @@ +From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 22 Jul 2022 17:51:16 +0200 +Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test + +Signed-off-by: Clemens Lang +--- + providers/fips/self_test_data.inc | 342 +++++++++++++++--------------- + 1 file changed, 172 insertions(+), 170 deletions(-) + +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index a29cc650b5..1b5623833f 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] = + + #ifndef OPENSSL_NO_DH + /* DH KAT */ ++/* RFC7919 FFDHE2048 p */ + static const unsigned char dh_p[] = { +- 0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25, +- 0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0, +- 0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66, +- 0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b, +- 0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe, +- 0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce, +- 0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d, +- 0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d, +- 0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde, +- 0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb, +- 0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17, +- 0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0, +- 0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97, +- 0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9, +- 0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7, +- 0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1, +- 0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d, +- 0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82, +- 0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4, +- 0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c, +- 0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b, +- 0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50, +- 0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31, +- 0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44, +- 0xb9, 0x46, 0xfe, 
0x9d, 0xf6, 0x77, 0xa0, 0xc5, +- 0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80, +- 0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12, +- 0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94, +- 0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7, +- 0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1, +- 0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d, +- 0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69 +-}; ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a, ++ 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1, ++ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, ++ 0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb, ++ 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9, ++ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, ++ 0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a, ++ 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61, ++ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, ++ 0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3, ++ 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35, ++ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, ++ 0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72, ++ 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35, ++ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, ++ 0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61, ++ 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb, ++ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, ++ 0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4, ++ 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19, ++ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, ++ 0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec, ++ 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61, ++ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, ++ 0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83, ++ 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73, ++ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, ++ 0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2, ++ 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa, ++ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, ++ 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff, 0xff, 0xff ++}; ++/* RFC7919 FFDHE2048 q */ + static const unsigned char dh_q[] = { +- 0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e, +- 0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83, +- 0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea, +- 0x11, 0xac, 0xb5, 0x7d +-}; ++ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d, ++ 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78, ++ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, ++ 0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd, ++ 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c, ++ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, ++ 0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd, ++ 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0, ++ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, ++ 0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79, ++ 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a, ++ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, ++ 0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39, ++ 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a, ++ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, ++ 0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0, ++ 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd, ++ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, ++ 0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa, ++ 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c, ++ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, ++ 0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76, ++ 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0, ++ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, ++ 0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1, ++ 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9, ++ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, ++ 0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9, ++ 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd, ++ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff ++}; ++/* RFC7919 FFDHE2048 g */ + static const unsigned char dh_g[] = { +- 0x5e, 0xf7, 
0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39, +- 0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f, +- 0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0, +- 0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f, +- 0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f, +- 0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a, +- 0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4, +- 0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c, +- 0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20, +- 0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25, +- 0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53, +- 0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9, +- 0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc, +- 0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9, +- 0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43, +- 0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86, +- 0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16, +- 0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40, +- 0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23, +- 0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa, +- 0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6, +- 0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2, +- 0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61, +- 0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a, +- 0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef, +- 0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f, +- 0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3, +- 0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a, +- 0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4, +- 0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74, +- 0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4, +- 0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32 ++ 0x02 + }; + static const unsigned char dh_priv[] = { +- 0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a, +- 0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70, +- 0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15, +- 0x40, 0xb8, 0xfc, 0xe6 ++ 0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f, ++ 0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d, ++ 0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 
0x8d, ++ 0x6c, 0xdc, 0x5d, 0x6e, 0x94 + }; + static const unsigned char dh_pub[] = { +- 0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04, +- 0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69, +- 0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59, +- 0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b, +- 0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c, +- 0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21, +- 0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06, +- 0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb, +- 0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2, +- 0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0, +- 0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83, +- 0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90, +- 0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2, +- 0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7, +- 0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0, +- 0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88, +- 0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb, +- 0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a, +- 0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97, +- 0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d, +- 0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf, +- 0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e, +- 0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f, +- 0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d, +- 0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1, +- 0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c, +- 0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47, +- 0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e, +- 0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f, +- 0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9, +- 0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c, +- 0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3 ++ 0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05, ++ 0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f, ++ 0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43, ++ 0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23, ++ 0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a, ++ 0x1a, 0x03, 0x9e, 0x5f, 
0xd1, 0x4e, 0xa0, 0x0b, ++ 0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c, ++ 0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63, ++ 0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38, ++ 0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6, ++ 0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a, ++ 0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94, ++ 0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92, ++ 0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44, ++ 0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53, ++ 0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13, ++ 0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30, ++ 0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b, ++ 0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01, ++ 0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d, ++ 0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18, ++ 0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81, ++ 0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f, ++ 0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7, ++ 0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39, ++ 0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed, ++ 0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71, ++ 0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce, ++ 0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04, ++ 0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69, ++ 0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed, ++ 0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2, ++ 0x32 + }; + static const unsigned char dh_peer_pub[] = { +- 0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a, +- 0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d, +- 0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58, +- 0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32, +- 0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb, +- 0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0, +- 0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0, +- 0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc, +- 0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1, +- 0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e, +- 0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97, +- 0x70, 0x42, 0xc7, 0xe3, 
0xd0, 0x44, 0x8f, 0x05, +- 0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3, +- 0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f, +- 0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7, +- 0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1, +- 0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96, +- 0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf, +- 0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22, +- 0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98, +- 0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42, +- 0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c, +- 0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde, +- 0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20, +- 0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22, +- 0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3, +- 0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3, +- 0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2, +- 0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00, +- 0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51, +- 0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f, +- 0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b ++ 0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79, ++ 0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda, ++ 0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29, ++ 0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84, ++ 0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57, ++ 0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5, ++ 0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68, ++ 0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c, ++ 0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6, ++ 0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20, ++ 0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d, ++ 0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3, ++ 0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a, ++ 0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77, ++ 0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73, ++ 0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53, ++ 0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1, ++ 0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05, ++ 0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 
0x59, 0x7a, ++ 0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5, ++ 0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9, ++ 0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91, ++ 0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31, ++ 0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f, ++ 0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4, ++ 0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e, ++ 0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59, ++ 0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84, ++ 0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a, ++ 0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd, ++ 0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2, ++ 0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87, ++ 0x64 + }; + + static const unsigned char dh_secret_expected[] = { +- 0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a, +- 0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a, +- 0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c, +- 0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe, +- 0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2, +- 0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21, +- 0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53, +- 0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd, +- 0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87, +- 0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4, +- 0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d, +- 0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd, +- 0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33, +- 0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe, +- 0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a, +- 0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73, +- 0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad, +- 0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0, +- 0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79, +- 0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9, +- 0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2, +- 0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6, +- 0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae, +- 0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57, +- 0x0f, 0x18, 0xc8, 0x1f, 
0x2b, 0xe5, 0xd0, 0x1a, +- 0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63, +- 0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9, +- 0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86, +- 0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5, +- 0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00, +- 0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52, +- 0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6 ++ 0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5, ++ 0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5, ++ 0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93, ++ 0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5, ++ 0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e, ++ 0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39, ++ 0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04, ++ 0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d, ++ 0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c, ++ 0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47, ++ 0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae, ++ 0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08, ++ 0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19, ++ 0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8, ++ 0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f, ++ 0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e, ++ 0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2, ++ 0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d, ++ 0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4, ++ 0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4, ++ 0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66, ++ 0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46, ++ 0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0, ++ 0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70, ++ 0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c, ++ 0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f, ++ 0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25, ++ 0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc, ++ 0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02, ++ 0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04, ++ 0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1, ++ 0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 
0x0c, 0x89 + }; + + static const ST_KAT_PARAM dh_group[] = { +-- +2.35.3 + diff --git a/0076-FIPS-140-3-DRBG.patch b/0076-FIPS-140-3-DRBG.patch new file mode 100644 index 0000000..23084f0 --- /dev/null +++ b/0076-FIPS-140-3-DRBG.patch 
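Review bot: The replacement vectors carry no provenance: the comments identify p, q and g as RFC 7919 FFDHE2048, but nothing records how `dh_priv`, `dh_pub`, `dh_peer_pub` and `dh_secret_expected` were produced or cross-checked, and for a FIPS power-up KAT that is exactly what the next person regenerating the table needs. Add a comment above `dh_priv` naming the tool and command used and the independent implementation the shared secret was compared against, e.g. `/* Key pairs and shared secret generated with <command> on ffdhe2048 and cross-checked against <implementation>; regenerate all four together */`, filled in with the real details. `dh_pub` and `dh_peer_pub` also appear to be 257 bytes with a leading `0x00`, which looks like the sign byte of an ASN.1/BN dump rather than the fixed 256-byte form used for `dh_p`; BN parsing tolerates it, but trimming it keeps the arrays at the group size and avoids the question. The hunk's closing context (`dh_group[]`) continues outside the hunk.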
@@ -0,0 +1,317 @@ +From 0329eb6523363705946887d4f145dd77c741ae4a Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:16 +0100 +Subject: [PATCH 30/49] 0076-FIPS-140-3-DRBG.patch + +Patch-name: 0076-FIPS-140-3-DRBG.patch +Patch-id: 76 +Patch-status: | + # # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM) + # # https://bugzilla.redhat.com/show_bug.cgi?id=2102541 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + crypto/rand/prov_seed.c | 9 ++- + providers/implementations/rands/crngt.c | 6 +- + providers/implementations/rands/drbg.c | 11 ++- + providers/implementations/rands/drbg_local.h | 2 +- + .../implementations/rands/seeding/rand_unix.c | 68 ++----------------- + 5 files changed, 28 insertions(+), 68 deletions(-) + +diff -up openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand openssl-3.0.1/crypto/rand/prov_seed.c +--- openssl-3.0.1/crypto/rand/prov_seed.c.fipsrand 2022-08-04 12:17:52.148556301 +0200 ++++ openssl-3.0.1/crypto/rand/prov_seed.c 2022-08-04 12:19:41.783533552 +0200 +@@ -20,7 +20,14 @@ size_t ossl_rand_get_entropy(ossl_unused + size_t entropy_available; + RAND_POOL *pool; + +- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); ++ /* ++ * OpenSSL still implements an internal entropy pool of ++ * some size that is hashed to get seed data. ++ * Note that this is a conditioning step for which SP800-90C requires ++ * 64 additional bits from the entropy source to claim the requested ++ * amount of entropy. 
++ */ ++ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len); + if (pool == NULL) { + ERR_raise(ERR_LIB_RAND, ERR_R_RAND_LIB); + return 0; +diff -up openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand openssl-3.0.1/providers/implementations/rands/crngt.c +--- openssl-3.0.1/providers/implementations/rands/crngt.c.fipsrand 2022-08-04 11:56:10.100950299 +0200 ++++ openssl-3.0.1/providers/implementations/rands/crngt.c 2022-08-04 11:59:11.241564925 +0200 +@@ -139,7 +139,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG + * to the nearest byte. If the entropy is of less than full quality, + * the amount required should be scaled up appropriately here. + */ +- bytes_needed = (entropy + 7) / 8; ++ /* ++ * FIPS 140-3: the yet draft SP800-90C requires requested entropy ++ * + 128 bits during initial seeding ++ */ ++ bytes_needed = (entropy + 128 + 7) / 8; + if (bytes_needed < min_len) + bytes_needed = min_len; + if (bytes_needed > max_len) +diff -up openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand openssl-3.0.1/providers/implementations/rands/drbg.c +--- openssl-3.0.1/providers/implementations/rands/drbg.c.fipsrand 2022-08-03 12:14:39.409370134 +0200 ++++ openssl-3.0.1/providers/implementations/rands/drbg.c 2022-08-03 12:19:06.320700346 +0200 +@@ -575,6 +575,9 @@ int ossl_prov_drbg_reseed(PROV_DRBG *drb + #endif + } + ++#ifdef FIPS_MODULE ++ prediction_resistance = 1; ++#endif + /* Reseed using our sources in addition */ + entropylen = get_entropy(drbg, &entropy, drbg->strength, + drbg->min_entropylen, drbg->max_entropylen, +@@ -669,8 +669,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d + reseed_required = 1; + } + if (drbg->parent != NULL +- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) ++ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { ++#ifdef FIPS_MODULE ++ /* Red Hat patches provide chain reseeding when necessary so just sync counters*/ ++ drbg->parent_reseed_counter = get_parent_reseed_count(drbg); 
++#else + reseed_required = 1; ++#endif ++ } + + if (reseed_required || prediction_resistance) { + if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL, +diff -up openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg openssl-3.0.7/providers/implementations/rands/drbg_local.h +--- openssl-3.0.7/providers/implementations/rands/drbg_local.h.drbg 2023-03-13 12:17:47.705538612 +0100 ++++ openssl-3.0.7/providers/implementations/rands/drbg_local.h 2023-03-13 12:18:03.060702092 +0100 +@@ -38,7 +38,7 @@ + * + * The value is in bytes. + */ +-#define CRNGT_BUFSIZ 16 ++#define CRNGT_BUFSIZ 32 + + /* + * Maximum input size for the DRBG (entropy, nonce, personalization string) +diff -up openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c +--- openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c.fipsrand 2022-08-03 11:09:01.301637515 +0200 ++++ openssl-3.0.1/providers/implementations/rands/seeding/rand_unix.c 2022-08-03 11:13:00.058688605 +0200 +@@ -48,6 +48,8 @@ + # include + # include + # include ++# include ++# include + + static uint64_t get_time_stamp(void); + +@@ -339,70 +341,8 @@ static ssize_t syscall_random(void *buf, size_t buflen) + * which is way below the OSSL_SSIZE_MAX limit. Therefore sign conversion + * between size_t and ssize_t is safe even without a range check. + */ +- +- /* +- * Do runtime detection to find getentropy(). +- * +- * Known OSs that should support this: +- * - Darwin since 16 (OSX 10.12, IOS 10.0). +- * - Solaris since 11.3 +- * - OpenBSD since 5.6 +- * - Linux since 3.17 with glibc 2.25 +- * - FreeBSD since 12.0 (1200061) +- * +- * Note: Sometimes getentropy() can be provided but not implemented +- * internally. 
So we need to check errno for ENOSYS +- */ +-# if !defined(__DragonFly__) && !defined(__NetBSD__) +-# if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) +- extern int getentropy(void *buffer, size_t length) __attribute__((weak)); +- +- if (getentropy != NULL) { +- if (getentropy(buf, buflen) == 0) +- return (ssize_t)buflen; +- if (errno != ENOSYS) +- return -1; +- } +-# elif defined(OPENSSL_APPLE_CRYPTO_RANDOM) +- +- if (CCRandomGenerateBytes(buf, buflen) == kCCSuccess) +- return (ssize_t)buflen; +- +- return -1; +-# else +- union { +- void *p; +- int (*f)(void *buffer, size_t length); +- } p_getentropy; +- +- /* +- * We could cache the result of the lookup, but we normally don't +- * call this function often. +- */ +- ERR_set_mark(); +- p_getentropy.p = DSO_global_lookup("getentropy"); +- ERR_pop_to_mark(); +- if (p_getentropy.p != NULL) +- return p_getentropy.f(buf, buflen) == 0 ? (ssize_t)buflen : -1; +-# endif +-# endif /* !__DragonFly__ */ +- +- /* Linux supports this since version 3.17 */ +-# if defined(__linux) && defined(__NR_getrandom) +- return syscall(__NR_getrandom, buf, buflen, 0); +-# elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) +- return sysctl_random(buf, buflen); +-# elif (defined(__DragonFly__) && __DragonFly_version >= 500700) \ +- || (defined(__NetBSD__) && __NetBSD_Version >= 1000000000) +- return getrandom(buf, buflen, 0); +-# elif defined(__wasi__) +- if (getentropy(buf, buflen) == 0) +- return (ssize_t)buflen; +- return -1; +-# else +- errno = ENOSYS; +- return -1; +-# endif ++ int realbuflen = buflen > 32 ? 32 : buflen; /* Red Hat uses downstream patch to always seed from getrandom() */ ++ return EVP_default_properties_is_fips_enabled(NULL) ? 
getrandom(buf, realbuflen, GRND_RANDOM) : getrandom(buf, buflen, 0); + } + # endif /* defined(OPENSSL_RAND_SEED_GETRANDOM) */ + +diff -up openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx openssl-3.2.1/providers/implementations/rands/seed_src.c +--- openssl-3.2.1/providers/implementations/rands/seed_src.c.xxx 2024-04-10 13:14:38.984033920 +0200 ++++ openssl-3.2.1/providers/implementations/rands/seed_src.c 2024-04-10 13:15:20.565045748 +0200 +@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed + return 0; + } + +- pool = ossl_rand_pool_new(strength, 1, outlen, outlen); ++ /* ++ * OpenSSL still implements an internal entropy pool of ++ * some size that is hashed to get seed data. ++ * Note that this is a conditioning step for which SP800-90C requires ++ * 64 additional bits from the entropy source to claim the requested ++ * amount of entropy. ++ */ ++ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen); + if (pool == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); + return 0; +@@ -189,7 +189,14 @@ static size_t seed_get_seed(void *vseed, + size_t i; + RAND_POOL *pool; + +- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); ++ /* ++ * OpenSSL still implements an internal entropy pool of ++ * some size that is hashed to get seed data. ++ * Note that this is a conditioning step for which SP800-90C requires ++ * 64 additional bits from the entropy source to claim the requested ++ * amount of entropy. 
++ */ ++ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len); + if (pool == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); + return 0; +diff --git a/crypto/rand/rand_lib.c b/crypto/rand/rand_lib.c +index 14999540ab..b05b84717b 100644 +--- a/crypto/rand/rand_lib.c ++++ b/crypto/rand/rand_lib.c +@@ -11,6 +11,7 @@ + #define OPENSSL_SUPPRESS_DEPRECATED + + #include ++#include + #include + #include + #include "internal/cryptlib.h" +@@ -723,15 +723,7 @@ EVP_RAND_CTX *RAND_get0_primary(OSSL_LIB_CTX *ctx) + return ret; + } + +-#ifndef FIPS_MODULE +- if (dgbl->seed == NULL) { +- ERR_set_mark(); +- dgbl->seed = rand_new_seed(ctx); +- ERR_pop_to_mark(); +- } +-#endif +- +- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed, ++ ret = dgbl->primary = rand_new_drbg(ctx, NULL, + PRIMARY_RESEED_INTERVAL, + PRIMARY_RESEED_TIME_INTERVAL, 1); + /* +@@ -766,7 +766,7 @@ EVP_RAND_CTX *RAND_get0_public(OSSL_LIB_ + if (CRYPTO_THREAD_get_local(&dgbl->private) == NULL + && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state)) + return NULL; +- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL, ++ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL, + SECONDARY_RESEED_TIME_INTERVAL, 0); + CRYPTO_THREAD_set_local(&dgbl->public, rand); + } +@@ -799,7 +799,7 @@ EVP_RAND_CTX *RAND_get0_private(OSSL_LIB + if (CRYPTO_THREAD_get_local(&dgbl->public) == NULL + && !ossl_init_thread_start(NULL, ctx, rand_delete_thread_state)) + return NULL; +- rand = rand_new_drbg(ctx, primary, SECONDARY_RESEED_INTERVAL, ++ rand = rand_new_drbg(ctx, NULL, SECONDARY_RESEED_INTERVAL, + SECONDARY_RESEED_TIME_INTERVAL, 0); + CRYPTO_THREAD_set_local(&dgbl->private, rand); + } +diff -up openssl-3.2.1/test/drbgtest.c.xxx openssl-3.2.1/test/drbgtest.c +--- openssl-3.2.1/test/drbgtest.c.xxx 2024-05-02 15:37:23.550979597 +0200 ++++ openssl-3.2.1/test/drbgtest.c 2024-05-02 15:45:37.189979881 +0200 +@@ -218,7 +218,7 @@ static int test_drbg_reseed(int expect_s + reseed_when = time(NULL); + + 
/* Generate random output from the public and private DRBG */ +- before_reseed = expect_primary_reseed == 1 ? reseed_when : 0; ++ before_reseed = 0; + if (!TEST_int_eq(rand_bytes((unsigned char*)public_random, + RANDOM_SIZE), expect_success) + || !TEST_int_eq(rand_priv_bytes((unsigned char*) private_random, +@@ -232,8 +232,8 @@ static int test_drbg_reseed(int expect_s + */ + + /* Test whether reseeding succeeded as expected */ +- if (!TEST_int_eq(state(primary), expected_state) +- || !TEST_int_eq(state(public), expected_state) ++ if (/*!TEST_int_eq(state(primary), expected_state) ++ ||*/ !TEST_int_eq(state(public), expected_state) + || !TEST_int_eq(state(private), expected_state)) + return 0; + +@@ -246,16 +246,16 @@ static int test_drbg_reseed(int expect_s + if (expect_public_reseed >= 0) { + /* Test whether public DRBG was reseeded as expected */ + if (!TEST_int_ge(reseed_counter(public), public_reseed) +- || !TEST_uint_ge(reseed_counter(public), +- reseed_counter(primary))) ++ /*|| !TEST_uint_ge(reseed_counter(public), ++ reseed_counter(primary))*/) + return 0; + } + + if (expect_private_reseed >= 0) { + /* Test whether public DRBG was reseeded as expected */ + if (!TEST_int_ge(reseed_counter(private), private_reseed) +- || !TEST_uint_ge(reseed_counter(private), +- reseed_counter(primary))) ++ /*|| !TEST_uint_ge(reseed_counter(private), ++ reseed_counter(primary))*/) + return 0; + } + +@@ -577,8 +577,8 @@ static int test_rand_reseed(void) + if (!TEST_ptr_ne(public, private) + || !TEST_ptr_ne(public, primary) + || !TEST_ptr_ne(private, primary) +- || !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary)) +- || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))) ++ /*|| !TEST_ptr_eq(prov_rand(public)->parent, prov_rand(primary)) ++ || !TEST_ptr_eq(prov_rand(private)->parent, prov_rand(primary))*/) + return 0; + + /* Disable CRNG testing for the primary DRBG */ 
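Review bot: In the rand_unix.c hunk, `int realbuflen = buflen > 32 ? 32 : buflen;` narrows a `size_t` into an `int` and then, when FIPS is enabled, hands at most 32 bytes back per call regardless of `buflen`, so the function now depends on its caller looping over short reads (and on handling `-1`/`EINTR` from a blocking `GRND_RANDOM` read); that caller is outside the hunk, so I could not confirm it does, and `syscall_random` itself begins before the hunk. Keeping the original type and recording the cap would make the contract visible at the call site: `size_t realbuflen = buflen > 32 ? 32 : buflen; /* FIPS path: at most 32 bytes per call, callers must loop on short reads */`. `EVP_default_properties_is_fips_enabled(NULL)` also consults only the default library context rather than the context being seeded, which is presumably intended for a system-wide FIPS switch but deserves a comment. The two added `# include` lines appear with their header names missing in this rendering, so they could not be checked.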
diff --git a/0077-FIPS-140-3-zeroization.patch b/0077-FIPS-140-3-zeroization.patch
new file mode 100644
index 0000000..692bebc
--- /dev/null
+++ b/0077-FIPS-140-3-zeroization.patch
@@ -0,0 +1,102 @@ +From 9c667a7ba589329f3a777b012bf69a0db7f7eda9 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:29 +0200 +Subject: [PATCH 33/35] 0077-FIPS-140-3-zeroization.patch + +Patch-name: 0077-FIPS-140-3-zeroization.patch +Patch-id: 77 +Patch-status: | + # https://bugzilla.redhat.com/show_bug.cgi?id=2102542 +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + crypto/ec/ec_lib.c | 4 ++++ + crypto/ffc/ffc_params.c | 8 ++++---- + crypto/rsa/rsa_lib.c | 4 ++-- + providers/implementations/kdfs/hkdf.c | 2 +- + providers/implementations/kdfs/pbkdf2.c | 2 +- + 5 files changed, 12 insertions(+), 8 deletions(-) + +diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c +index 6c37bf78ae..cfbc3c3c1d 100644 +--- a/crypto/ec/ec_lib.c ++++ b/crypto/ec/ec_lib.c +@@ -744,12 +744,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *group) + + void EC_POINT_free(EC_POINT *point) + { ++#ifdef FIPS_MODULE ++ EC_POINT_clear_free(point); ++#else + if (point == NULL) + return; + + if (point->meth->point_finish != 0) + point->meth->point_finish(point); + OPENSSL_free(point); ++#endif + } + + void EC_POINT_clear_free(EC_POINT *point) +diff --git a/crypto/ffc/ffc_params.c b/crypto/ffc/ffc_params.c +index 3536efd1ad..f3c164b8fc 100644 +--- a/crypto/ffc/ffc_params.c ++++ b/crypto/ffc/ffc_params.c +@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *params) + + void ossl_ffc_params_cleanup(FFC_PARAMS *params) + { +- BN_free(params->p); +- BN_free(params->q); +- BN_free(params->g); +- BN_free(params->j); ++ BN_clear_free(params->p); ++ BN_clear_free(params->q); ++ BN_clear_free(params->g); ++ BN_clear_free(params->j); + OPENSSL_free(params->seed); + ossl_ffc_params_init(params); + } +diff --git a/crypto/rsa/rsa_lib.c b/crypto/rsa/rsa_lib.c +index 9588a75964..76b4aac6fc 100644 +--- a/crypto/rsa/rsa_lib.c ++++ b/crypto/rsa/rsa_lib.c +@@ -155,8 +155,8 @@ void RSA_free(RSA *r) + CRYPTO_THREAD_lock_free(r->lock); + CRYPTO_FREE_REF(&r->references); + +- 
BN_free(r->n);
+- BN_free(r->e);
++ BN_clear_free(r->n);
++ BN_clear_free(r->e);
+ BN_clear_free(r->d);
+ BN_clear_free(r->p);
+ BN_clear_free(r->q);
+diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c
+index daa619b8af..5304baa6c9 100644
+--- a/providers/implementations/kdfs/hkdf.c
++++ b/providers/implementations/kdfs/hkdf.c
+@@ -118,7 +118,7 @@ static void kdf_hkdf_reset(void *vctx)
+ void *provctx = ctx->provctx;
+
+ ossl_prov_digest_reset(&ctx->digest);
+- OPENSSL_free(ctx->salt);
++ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
+ OPENSSL_free(ctx->prefix);
+ OPENSSL_free(ctx->label);
+ OPENSSL_clear_free(ctx->data, ctx->data_len);
+diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c
+index 5c3e7b95ce..349c3dd657 100644
+--- a/providers/implementations/kdfs/pbkdf2.c
++++ b/providers/implementations/kdfs/pbkdf2.c
+@@ -92,7 +92,7 @@ static void *kdf_pbkdf2_new(void *provctx)
+ static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx)
+ {
+ ossl_prov_digest_reset(&ctx->digest);
+- OPENSSL_free(ctx->salt);
++ OPENSSL_clear_free(ctx->salt, ctx->salt_len);
+ OPENSSL_clear_free(ctx->pass, ctx->pass_len);
+ memset(ctx, 0, sizeof(*ctx));
+ }
+--
+2.41.0
+
diff --git a/0078-KDF-Add-FIPS-indicators.patch b/0078-KDF-Add-FIPS-indicators.patch
new file mode 100644
index 0000000..17ff63e
--- /dev/null
+++ b/0078-KDF-Add-FIPS-indicators.patch
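Review bot: The new `#ifdef FIPS_MODULE` branch in `EC_POINT_free` (ec_lib.c hunk) carries no comment saying why the FIPS build diverges from the plain-free path, and the patch header only cites a bug number, so a maintainer reading ec_lib.c alone cannot tell this is a FIPS 140-3 zeroisation requirement rather than a fix for leaked private data. A one-line comment above the `#ifdef`, `/* FIPS_MODULE: zeroise the point before release (FIPS 140-3 zeroisation requirement) */`, would keep the rationale with the code. The same gap applies to which fields are clear-freed versus plain-freed elsewhere in the patch: `params->seed` in `ossl_ffc_params_cleanup` and `ctx->prefix`/`ctx->label` in `kdf_hkdf_reset` keep `OPENSSL_free` while their neighbours switch to `*_clear_free`, which is presumably deliberate because those values are not secret, but nothing records that. The `BN_clear_free(r->n)`/`BN_clear_free(r->e)` change in `RSA_free` likewise zeroises public values; harmless, but a short note that this is for uniformity would stop a later reader from "optimising" it back.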
@@ -0,0 +1,911 @@ +From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Thu, 11 Aug 2022 09:27:12 +0200 +Subject: KDF: Add FIPS indicators + +FIPS requires a number of restrictions on the parameters of the various +key derivation functions implemented in OpenSSL. The KDFs that use +digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG +C.C). Additionally, some application-specific KDFs have further +restrictions defined in SP 800-135r1. + +Generally, all KDFs shall use a key-derivation key length of at least +112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF +to generate and output length of less than 112 bits will also set the +indicator to unapproved. + +Add explicit indicators to all KDFs usable in FIPS mode except for +PBKDF2 (which has its specific FIPS limits already implemented). The +indicator can be queried using EVP_KDF_CTX_get_params() after setting +the required parameters and keys for the KDF. + +Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the +truncated variants -224 and -384) and SHA3 (-256 and -512, and the +truncated versions -224 and -384), as well as SHAKE-128 and -256. + +The SHAKE functions are generally not allowed in KDFs. 
For the rest, the +support matrix is: + + KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated +========================================================================== +KBKDF | x | x | x | x | x +HKDF | x | x | x | x | x +TLS1PRF | | SHA-{256,384,512} only | | +SSHKDF | x | x | x | | +SSKDF | x | x | x | x | x +X9.63KDF | | x | x | x | x +X9.42-ASN1 | x | x | x | x | x +TLS1.3PRF | | SHA-{256,384} only | | + +Signed-off-by: Clemens Lang +Resolves: rhbz#2160733 rhbz#2164763 +Related: rhbz#2114772 rhbz#2141695 +--- + include/crypto/evp.h | 7 ++ + include/openssl/kdf.h | 4 + + providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++- + providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++-- + providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++- + providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- + providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- + providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++- + util/perl/OpenSSL/paramnames.pm | 1 + + 9 files changed, 487 insertions(+), 22 deletions(-) + +diff --git a/include/crypto/evp.h b/include/crypto/evp.h +index e70d8e9e84..76fb990de4 100644 +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h +@@ -219,6 +219,13 @@ struct evp_mac_st { + OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params; + }; + ++#ifdef FIPS_MODULE ++/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving ++ * Additional Keys from a Cryptographic Key, "[t]he length of the ++ * key-derivation key [i.e., the input key] shall be at least 112 bits". 
*/ ++# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8) ++#endif ++ + struct evp_kdf_st { + OSSL_PROVIDER *prov; + int name_id; +diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h +index 0983230a48..86171635ea 100644 +--- a/include/openssl/kdf.h ++++ b/include/openssl/kdf.h +@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf, + # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 + # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2 + ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 + #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 + #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 +diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c +index dfa7786bde..f01e40ff5a 100644 +--- a/providers/implementations/kdfs/hkdf.c ++++ b/providers/implementations/kdfs/hkdf.c +@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; + static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params; + static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; + static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params; ++static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new; + static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive; + static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params; + static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; +@@ -85,6 +86,10 @@ typedef struct { + size_t data_len; + unsigned char *info; + size_t info_len; ++ int is_tls13; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_HKDF; + + static void *kdf_hkdf_new(void *provctx) +@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = 
EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + switch (ctx->mode) { + case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: + default: +@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void + { + KDF_HKDF *ctx = (KDF_HKDF *)vctx; + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { + size_t sz = kdf_hkdf_size(ctx); + ++ any_valid = 1; + if (sz == 0) + return 0; + return OSSL_PARAM_set_size_t(p, sz); + } + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) { ++ any_valid = 1; + if (ctx->info == NULL || ctx->info_len == 0) { + p->return_size = 0; + return 1; + } + return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len); + } +- return -2; ++#ifdef FIPS_MODULE ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) ++ != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. 
*/ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (ctx->is_tls13) { ++ if (md != NULL ++ && !EVP_MD_is_a(md, "SHA2-256") ++ && !EVP_MD_is_a(md, "SHA2-384")) { ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic ++ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3 ++ * key derivation function documented in Section 7.1 of RFC ++ * 8446. This is considered an approved CVL because the ++ * underlying functions performed within the TLS 1.3 KDF map to ++ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3 ++ * Option #3), SP 800-56Crev2, and SP 800-108." ++ * ++ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */ ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } else { ++ if (md != NULL ++ && (EVP_MD_is_a(md, "SHAKE-128") || ++ EVP_MD_is_a(md, "SHAKE-256"))) { ++ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1, ++ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because ++ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the ++ * standalone algorithms." 
*/ ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, + return ret; + } + ++static void *kdf_tls1_3_new(void *provctx) ++{ ++ KDF_HKDF *hkdf = kdf_hkdf_new(provctx); ++ ++ if (hkdf != NULL) ++ hkdf->is_tls13 = 1; ++ ++ return hkdf; ++} ++ ++ + static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) + { +@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + switch (ctx->mode) { + default: + return 0; +@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, + } + + const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { +- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, ++ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, + { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, + { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, +diff --git a/providers/implementations/kdfs/kbkdf.c 
b/providers/implementations/kdfs/kbkdf.c +index a542f84dfa..6b6dfb94ac 100644 +--- a/providers/implementations/kdfs/kbkdf.c ++++ b/providers/implementations/kdfs/kbkdf.c +@@ -59,6 +59,9 @@ typedef struct { + kbkdf_mode mode; + EVP_MAC_CTX *ctx_init; + ++ /* HMAC digest algorithm, if any; used to compute FIPS indicator */ ++ PROV_DIGEST digest; ++ + /* Names are lowercased versions of those found in SP800-108. */ + int r; + unsigned char *ki; +@@ -73,6 +76,9 @@ typedef struct { + int use_l; + int is_kmac; + int use_separator; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KBKDF; + + /* Definitions needed for typechecking. */ +@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx) + void *provctx = ctx->provctx; + + EVP_MAC_CTX_free(ctx->ctx_init); ++ ossl_prov_digest_reset(&ctx->digest); + OPENSSL_clear_free(ctx->context, ctx->context_len); + OPENSSL_clear_free(ctx->label, ctx->label_len); + OPENSSL_clear_free(ctx->ki, ctx->ki_len); +@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, + goto done; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init); + if (h == 0) + goto done; +@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + } + } + ++ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) ++ return 0; ++ + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE); + if (p != NULL + && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) { +@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, + static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + + p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE); +- if (p 
== NULL) ++ if (p != NULL) { ++ any_valid = 1; ++ ++ /* KBKDF can produce results as large as you like. */ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ KBKDF *ctx = (KBKDF *)vctx; ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." Note that the digest is only used when the MAC ++ * algorithm is HMAC. 
*/ ++ if (ctx->ctx_init != NULL ++ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) { ++ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); ++ if (md != NULL ++ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) + return -2; + +- /* KBKDF can produce results as large as you like. */ +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); ++ return 1; + } + + static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) + { +- static const OSSL_PARAM known_gettable_ctx_params[] = +- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END }; ++ static const OSSL_PARAM known_gettable_ctx_params[] = { ++ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ ++ OSSL_PARAM_END ++ }; + return known_gettable_ctx_params; + } + +diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c +index c592ba72f1..4a52b38266 100644 +--- a/providers/implementations/kdfs/sshkdf.c ++++ b/providers/implementations/kdfs/sshkdf.c +@@ -48,6 +48,9 @@ typedef struct { + char type; /* X */ + unsigned char *session_id; + size_t session_id_len; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_SSHKDF; + + static void *kdf_sshkdf_new(void *provctx) +@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen, + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE); + return 0; + } ++ ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + return SSHKDF(md, ctx->key, ctx->key_len, + ctx->xcghash, ctx->xcghash_len, + 
ctx->session_id, ctx->session_id_len, +@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx, + static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ KDF_SSHKDF *ctx = vctx; ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. 
*/ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." ++ * ++ * Additionally, SP 800-135r1 section 5.2 specifies that the hash ++ * function used in SSHKDF "is one of the hash functions specified in ++ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2. ++ * */ ++ if (ctx->digest.md != NULL ++ && !EVP_MD_is_a(ctx->digest.md, "SHA-1") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c +index eb54972e1c..23865cd70f 100644 +--- a/providers/implementations/kdfs/sskdf.c ++++ b/providers/implementations/kdfs/sskdf.c +@@ -64,6 +64,10 @@ typedef struct { + size_t salt_len; + size_t out_len; /* optional KMAC parameter */ + int is_kmac; ++ int is_x963kdf; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_SSKDF; + + 
#define SSKDF_MAX_INLEN (1<<30) +@@ -73,6 +77,7 @@ typedef struct { + static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 }; + + static OSSL_FUNC_kdf_newctx_fn sskdf_new; ++static OSSL_FUNC_kdf_newctx_fn x963kdf_new; + static OSSL_FUNC_kdf_dupctx_fn sskdf_dup; + static OSSL_FUNC_kdf_freectx_fn sskdf_free; + static OSSL_FUNC_kdf_reset_fn sskdf_reset; +@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx) + return ctx; + } + ++static void *x963kdf_new(void *provctx) ++{ ++ KDF_SSKDF *ctx = sskdf_new(provctx); ++ ++ if (ctx) ++ ctx->is_x963kdf = 1; ++ ++ return ctx; ++} ++ + static void sskdf_reset(void *vctx) + { + KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; +@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, + } + md = ossl_prov_digest_md(&ctx->digest); + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + if (ctx->macctx != NULL) { + /* H(x) = KMAC or H(x) = HMAC */ + int ret; +@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len, + ctx->info, ctx->info_len, 1, key, keylen); + } +@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ ++ ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx))) ++ return 0; ++ } + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx)); +- return -2; ++#ifdef FIPS_MODULE 
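Review bot: `ctx->is_x963kdf = 1` is set only in x963kdf_new, yet the X9.63 dispatch table still routes OSSL_FUNC_KDF_DUPCTX to sskdf_dup and OSSL_FUNC_KDF_RESET to sskdf_reset, both outside this hunk. If sskdf_dup copies members individually (it already has to carry `is_kmac`) and sskdf_reset ends with a whole-struct memset the way kdf_tls1_prf_reset does in this series, a duplicated or reset X9.63 context silently loses the flag, the SHA-1 check in sskdf_get_ctx_params no longer applies, and the indicator reports APPROVED. Suggest `dest->is_x963kdf = src->is_x963kdf;` in sskdf_dup and saving the flag into a local before the memset in sskdf_reset and restoring it afterwards, with a test that duplicates and resets an X9.63 context and checks the indicator.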
++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." */ ++ if (ctx->macctx == NULL ++ || (ctx->macctx != NULL && ++ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) { ++ if (ctx->digest.md != NULL ++ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") || ++ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions ++ * should only be used for 80-bit key agreement, but FIPS 140-3 ++ * requires a security strength of 112 bits, so SHA-1 cannot be ++ * used with X9.63. 
See the discussion in ++ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395. ++ */ ++ if (ctx->is_x963kdf ++ && ctx->digest.md != NULL ++ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = { + }; + + const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { +- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new }, ++ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup }, + { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, + { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, +diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c +index a4d64b9352..f6782a6ca2 100644 +--- a/providers/implementations/kdfs/tls1_prf.c ++++ b/providers/implementations/kdfs/tls1_prf.c +@@ -93,6 +93,13 @@ typedef struct { + /* Buffer of concatenated seed data */ + unsigned char seed[TLS1_PRF_MAXBUF]; + size_t seedlen; ++ ++ /* MAC digest algorithm; used to compute FIPS indicator */ ++ PROV_DIGEST digest; ++ ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } TLS1_PRF; + + static void *kdf_tls1_prf_new(void *provctx) +@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx) + EVP_MAC_CTX_free(ctx->P_sha1); + 
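Review bot: The condition guarding the SHAKE and SHA-1 checks in sskdf_get_ctx_params, `ctx->macctx == NULL || (ctx->macctx != NULL && EVP_MAC_is_a(...))`, repeats the null test: the right operand of `||` is only evaluated when `ctx->macctx` is non-NULL, so `if (ctx->macctx == NULL || EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC)) {` is equivalent and easier to read. A one-line comment such as `/* KMAC mode is exempt: the hash restrictions below concern the H(x) digest, which KMAC does not use */` above it would record why the KMAC case is skipped, which the hunk currently leaves to the reader; the exemption itself is presumably intentional but is not explained anywhere in the hunk.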
OPENSSL_clear_free(ctx->sec, ctx->seclen); + OPENSSL_cleanse(ctx->seed, ctx->seedlen); ++ ossl_prov_digest_reset(&ctx->digest); + memset(ctx, 0, sizeof(*ctx)); + ctx->provctx = provctx; + } +@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ + + /* + * The seed buffer is prepended with a label. +@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + } + } + ++ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) ++ return 0; ++ + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) { + OPENSSL_clear_free(ctx->sec, ctx->seclen); + ctx->sec = NULL; +@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params( + static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++#ifdef FIPS_MODULE ++ TLS1_PRF *ctx = vctx; ++#endif /* defined(FIPS_MODULE) */ ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ ++ ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". 
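Review bot: kdf_tls1_prf_set_ctx_params now loads `ctx->digest` from the params solely so that kdf_tls1_prf_get_ctx_params can inspect it, but kdf_tls1_prf_dup (outside the hunk) is not touched by this patch. If dup builds the copy via kdf_tls1_prf_new and copies members one by one, the duplicate's `digest.md` stays NULL and the `ctx->digest.md != NULL && ...` test in get_ctx_params is skipped for it, so a copied context configured with a non-approved digest would report APPROVED. Suggest `if (!ossl_prov_digest_copy(&dest->digest, &src->digest)) goto err;` in dup and a test asserting that the indicator survives EVP_KDF_CTX_dup. The matching free path should also release the digest; if kdf_tls1_prf_free goes through kdf_tls1_prf_reset, the `ossl_prov_digest_reset` added here already covers it.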
*/ ++ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3) ++ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */ ++ if (ctx->digest.md != NULL ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( +@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c +index b1bc6f7e1b..8173fc2cc7 100644 +--- a/providers/implementations/kdfs/x942kdf.c ++++ 
b/providers/implementations/kdfs/x942kdf.c +@@ -13,11 +13,13 @@ + #include + #include + #include ++#include + #include + #include + #include "internal/packet.h" + #include "internal/der.h" + #include "internal/nelem.h" ++#include "crypto/evp.h" + #include "prov/provider_ctx.h" + #include "prov/providercommon.h" + #include "prov/implementations.h" +@@ -47,6 +50,9 @@ typedef struct { + const unsigned char *cek_oid; + size_t cek_oid_len; + int use_keybits; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_X942; + + /* +@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen, + ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING); + return 0; + } ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ + ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, + der, der_len, ctr, key, keylen); + OPENSSL_free(der); +@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + KDF_X942 *ctx = (KDF_X942 *)vctx; + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)); +- return -2; ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx))) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". 
*/ ++ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." */ ++ if (ctx->digest.md != NULL ++ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") || ++ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) { ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, 0), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index 70f7c50fe4..6618122417 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -183,6 +183,7 @@ my %params 
= ( + 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo", + 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo", + 'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits", ++ 'KDF_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", + 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy", + 'KDF_PARAM_HMACDRBG_NONCE' => "nonce", + 'KDF_PARAM_THREADS' => "threads", # uint32_t +-- +2.39.2 + diff --git a/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch b/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch new file mode 100644 index 0000000..4308f5e --- /dev/null +++ b/0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch 
@@ -0,0 +1,1102 @@ +From 936e081bd752ca0a883568aaf3b5752c9eaccb12 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 15:38:21 +0200 +Subject: [PATCH 36/48] + 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch + +Patch-name: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch +Patch-id: 80 +Patch-status: | + # We believe that some changes present in CentOS are not necessary + # because ustream has a check for FIPS version +--- + providers/implementations/rands/drbg_hash.c | 12 ++ + providers/implementations/rands/drbg_hmac.c | 12 ++ + test/recipes/30-test_evp_data/evprand.txt | 129 ++++++++++++++++++++ + 3 files changed, 153 insertions(+) + +diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c +index fb824abfa6..b90fee6dec 100644 +--- a/providers/implementations/rands/drbg_hash.c ++++ b/providers/implementations/rands/drbg_hash.c +@@ -471,6 +471,18 @@ static int drbg_hash_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + if (!ossl_drbg_verify_digest(libctx, md)) + return 0; /* Error already raised for us */ + ++#ifdef FIPS_MODULE ++ if (!EVP_MD_is_a(md, SN_sha1) ++ && !EVP_MD_is_a(md, SN_sha256) ++ && !EVP_MD_is_a(md, SN_sha512)) { ++ ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, ++ "%s is not an acceptable hash function for an SP 800-90A" ++ " DRBG according to FIPS 140-3 IG, section D.R", ++ EVP_MD_get0_name(md)); ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ + /* These are taken from SP 800-90 10.1 Table 2 */ + hash->blocklen = EVP_MD_get_size(md); + /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */ +diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c +index 664a074639..cbd4d0f519 100644 +--- a/providers/implementations/rands/drbg_hmac.c ++++ b/providers/implementations/rands/drbg_hmac.c +@@ -367,6 +367,18 @@ static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + if (md != NULL && 
!ossl_drbg_verify_digest(libctx, md)) + return 0; /* Error already raised for us */ + ++#ifdef FIPS_MODULE ++ if (!EVP_MD_is_a(md, SN_sha1) ++ && !EVP_MD_is_a(md, SN_sha256) ++ && !EVP_MD_is_a(md, SN_sha512)) { ++ ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, ++ "%s is not an acceptable hash function for an SP 800-90A" ++ " DRBG according to FIPS 140-3 IG, section D.R", ++ EVP_MD_get0_name(md)); ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ + if (!ossl_prov_macctx_load_from_params(&hmac->ctx, params, + NULL, NULL, NULL, libctx)) + return 0; +diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_evp_data/evprand.txt +index 0e2ee82c58..7a17e7b3e1 100644 +--- a/test/recipes/30-test_evp_data/evprand.txt ++++ b/test/recipes/30-test_evp_data/evprand.txt +@@ -7388,6 +7388,7 @@ Nonce.14 = 7239f92b63fb3dbe + PersonalisationString.14 = 8d2e2ca3985bd2538a71f02cc3eb5568 + Output.14 = 0e4cb328c03faaedbec7215725851069bceae4332de6a70e3521dd065f2f7923485969571ebd7f24be460fd901c6b3e356da6ee5262ef2d76ad14eb0f697f8fb92af2f46630198c5f7018860886147b3 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -8659,6 +8660,7 @@ AdditionalInputA.14 = e5c633ca50dcd83e0a34d397df53f6d7a6f7170a3f81f0e6 + AdditionalInputB.14 = 5f0beb5a2d2968e83ba87c92bfa420fd6e8526fbbfdea128 + Output.14 = 8bec11df1022aa50d95daeaf23d78d6ee45c43c5768b90181e106c7df8ff333d7cb87ca1ab83f8742370db1c8c0c0c22f141ff4de33ae8bdb14fee7e6c069819320629c66d94c7c97ff52930a3c1dcd501b60f0f84bda4720ee187ae858a6e068326eda5809716e366d1b608c61b0100 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -8709,6 +8711,7 @@ Entropy.14 = 1194beb668839c47c73e7516f9ba09d23dec3553b3b5532f75b260106dcc2abf + Nonce.14 = 3c8a77351e93065d584feeb08c8424a9 + Output.14 = 
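Review bot: The new FIPS_MODULE digest check in drbg_hmac_set_ctx_params runs even when `md` is NULL, although the line directly above it explicitly tolerates that case (`if (md != NULL && !ossl_drbg_verify_digest(libctx, md))`), i.e. a parameter set that carries no digest. As far as I recall EVP_MD_is_a rejects a NULL md by returning 0, so every `!EVP_MD_is_a` is true, the block raises PROV_R_DIGEST_NOT_ALLOWED and returns 0 for a digest-less call, and `EVP_MD_get0_name(md)` is evaluated with a NULL argument while formatting the error. The guard should read `if (md != NULL && !EVP_MD_is_a(md, SN_sha1)`. The drbg_hash hunk above appears to sit inside a branch that already requires md != NULL (its ossl_drbg_verify_digest call is unconditional), but that enclosing `if` lies outside the hunk and is worth confirming before leaving it unguarded.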
fabd48bfcdd07968239fe538c2d8c9bde2e257b9b244078f39287c7ee90de167fff56a693c4e64f45081635511b5fd031c0270a31b4a014e44c0516a55ae72345aa11dffcda4ccf8cda50f6948d5ae425d8d53ad5c74cef1364277990156796e1c5dfa1ef095c0d8983477eb24241135760b02c86c86d4ec3627edac8c1a7e32 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -8789,6 +8792,7 @@ AdditionalInputA.14 = 626385595bef7103af0af700e1df048d7572286af709289b7894d2ab09 + AdditionalInputB.14 = bfe8946dbf27d3a2127ec600351c3920d2531eb9419408233e0a888059b5eb68 + Output.14 = ee6d07661828213e6453d94faaf76345c70949eca4965714c350313b0bcd8e079e6a07f8b2f7a91bcb7ef39a61568fd1c40ab78f154b3582f830095d571de29f81f9565e46b560d34c32bff55341a991f8e863bd9242c7cdd366be12538bb6922f1abfa19e7998aac61d465fc46538ee9142acc66786f4516ef4105fe1d80372 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -8854,6 +8858,7 @@ Nonce.14 = de2186bafa82b0d08a0b8215e3424512 + PersonalisationString.14 = d96db27febe22db935b117dc3068374e39c5b2119b497e3c1d858ef649e01de5 + Output.14 = d04435a8aab397cfcee5151f7aa24298ffc6eee4f577cda42d5e154b8d28cb2f0f945f11a15ed5b76486c88f03081cfd262d94a8e0b332e3c9c608461dcc8eba20d7db209810d25c226fda9fe218022a9b2c96876cb16c06c0553dd84ce57e20338c3d3e03c59ce22e668e25c2c50d5cc9afab91f50a28680964c2dacb9d2fb3 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -8949,6 +8954,7 @@ AdditionalInputA.14 = 5d9446eff72d59529a90b498d8f40983b3b2904f63664fc0aa1de8700d + AdditionalInputB.14 = e19707aafa391e8622539d52a05d930292bd0f7c17825dbed5fb7a2f8734081b + Output.14 = 6ce2ae37349cbef9ebd1f9b85485810a22d430d94abf66912dd7b6cc751400e777be2f1cebc19d65694a456b2c6429cefd95eb934030846708d50be3b274c2f7de299f3c311038491f271448c7d02ff51de048fa1184e8ee06b7b46a9f123daecbebae4a2183dc8eb6976abf0dae7cdbea6017cd1500f37dfadcce0c1956ea87 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -8999,6 
+9005,7 @@ Entropy.14 = a7a1dbf7f828555610197e71e0ad563b8691589c5289ced03e9ef83b6f9ff938 + Nonce.14 = 4274788c5d80e26ec1ac3a57b9c7c0df + Output.14 = 5a907a26c1ef588219d4c69fcf4c5c283ab148a77588a40b323bd24e6dfb29551c4b6116c4d61349f5f8bd9ed497f38b239c37283902beb3c9700c768fa289ee4573f92316efb860a5ca4267b328f03c13138b774b4b9f7516003a699f7a0854a0efb045a5932753a771c2cc6119202b33336f10edb715bcce1d20ff503dda01 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9079,6 +9086,7 @@ AdditionalInputA.14 = de1bbca12357943b4489cc7209b3f063b51b91acc168ec5e0ad88048b6 + AdditionalInputB.14 = 6ddd9aba4f100ef902ba50adee53ef44a4f45564c13e774e69557e36a357e7cf + Output.14 = 544ec80a966644454886fb97a0f05eb6a4a25fcbce795b5e5b27ee06ba14b7de18dbf54f80a670b87c76c336ac9af16c8958ad6c1bde9a97aa4c1ab5823d24a53c64f6766ce6eb9b7085cf7282499c37fc1e2e825f53bc357bf36d5901e0ae93cd3bd821fa18b5aa17548560f7ad6ef38124814fccf9b2b89de61cfc27c7269b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9144,6 +9152,7 @@ Nonce.14 = ab7843b73ecb4858f2cc5e9dfca803ef + PersonalisationString.14 = dee559515084d8ac49c3803f09f3d5fed3b307946a2752c267677f22786a0125 + Output.14 = a12f5e8ea3bb174934c15e5d114ba615da33210c98c38d7fde4b5aef9aecdeaef311d929d7fece7fee11db67134c3326b413b8dc17766ba4fb881105db68688b148fd95d812f6538b14f25afaae84d39025336136d270bd643f2a6c7164930372fb1c8f4f0dab60283e9d8d3440ce8dc66761c5d5c4c13cc3a367feb4869b559 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9239,6 +9248,7 @@ AdditionalInputA.14 = ead8c0dcf4ddc909aab96eadab509a46908ee5f090983af609f08d8a8b + AdditionalInputB.14 = f357bda8f2048929a4e31969ec978cc333d58b4fc09a8aa1b73ec9bdfaa1a8f6 + Output.14 = 
901aabb3f065be08e2f8072d5d3ffcb28ab291420644e407e7a6a3346b75a5be535bdbdd5a8245998689450292df877233ef0783e0bd1765413193790995d884ffcb2c8dc35fe4cfc12def2f091866d735b1dcfc9d8d8c26903d50e9397b1bbd674bb81fc908361b2bddb68f02031d87588cc3e94210422674e93fea6a5329af + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9289,6 +9299,7 @@ Entropy.14 = dfa94c198483c5daa046f1dd1e4e83f854fd6c5cbc3465f671bdfd36837779ab + Nonce.14 = 298de64bbd817d009a71c1424ae839f9 + Output.14 = bfb9a54ce31406a82608aebc826441f8f633813a0c3bad723b802f3e905a6ee3512ff3513062aea51f93be17aebf1cfcd81868e85db3db9aa98680f974001fda8fe6a644f5efbb9d6e52e99ff606ef1ed7cd3b17fa6c6844790ed58da6df61aba0c200d7dff943588f4520891798098bddc65797b2f99c05efa090c60dc48a4e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9369,6 +9380,7 @@ AdditionalInputA.14 = 066b072d48f6cc6bb00273e0bc0ebc086235fe79af1fbdb46318f56c62 + AdditionalInputB.14 = cfb58f59c6d56993b9f0b5ba1643554072cf4ae8013c236120044ae909083f5f + Output.14 = d5dd7f55ffa7d53fc0f679cddadeb869f39b29a6d394c9f1185b11ebefbcb43419c6a26ae3c9ab9d456e2cdba1aead05e67eabd3596526ee431ba7cab7f94838062fcec2363cf0e19849ffef30064263b3a059ce38aa02c2729bff5af9450e035161816724163906112205196c642bfd70f36abb4639fd6e4f7f6a879ebbcc62 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9434,6 +9446,7 @@ Nonce.14 = ea7d3c3b8f6da0667d7f0d543c68d7d1 + PersonalisationString.14 = 86c20a7e794c887898d5bc00e98398276a4e3ad8d674fb808a63a44330490d2b + Output.14 = ee8e21ff48af611a17d33e130f4e4224330efcc1402b6d55aaf1f514553b880f18df68c0e4279854eb2e9b904c552f69f0e1badc347ebe336b70456f221e07a2fc78df72551d99df3755997029ee1461e2b6e396370096d7e8c2dfceb73214a72ae2b25ccc60b92dd71988eda811ceac4b7c335528249aaf82826a14c142007c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9529,6 +9542,7 @@ AdditionalInputA.14 = 
ea12ddcafa4f578b8b43337508dd8627844d185b10af7de7e907d113c6 + AdditionalInputB.14 = 0cc670275cd2b0eac5df123eb1fd73c2f2b093b76806943918cf49930fa97515 + Output.14 = 88dc727007c0e03c8d27d00c87876f8990b271964a5275f636ecd7f18cac9c869e5f9df5fb2d34e7f89c2e9819af562a706a03d9be9318896f5ab16573aebbfd94a681cbf27e7202b8674437667893246c267785d0deca5033de88a61bf5158177391c2e3232ea6f812c468d5629ed9f89ad0bec0f6c7a469f56331f9eba1cd2 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9579,6 +9593,7 @@ Entropy.14 = 6b9f904ac4b16d36e06a1bddc501d7ef98d5685c1ceadd0a6e1622e0c1e73716 + Nonce.14 = 4a42f39e5a241a2b96db29055159c91f + Output.14 = 785014b0460831b7b67346c6997217b0f6c8e7313687ea6ff4d0b09a0786bd6ac362a0b1ddc6ab8c9c624625a379cbec7f11cf30ddab23cdec054b986175cdae0ca4ba4610e0711bc94e9ab706539d5fa2c1a4fd3cd49042696b58dce465f8e09a200e7d214cda357021c62248a01aeb95f8ffa8bd49d354fdccf4c71eec3491 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9659,6 +9674,7 @@ AdditionalInputA.14 = 147d51711ae8a420f165db0000d9d0cb9e9cd5447311eed43d7cc9217d + AdditionalInputB.14 = 2910968bb1976a1b8ced116e673f408da6fc563695c918ac0a230b0bb800c707 + Output.14 = 357a7269b30ca744e213d894f5c45d0db9fba897e0c863a56062f5018ad9be9f37b8d550014ed68f2c34bf5195c0b7460df171ff3bd4a590578670c92470d876c8de19d48a6d7fa15fc7996be78d3cc8a5c657439f4bb9865bd56e187d5df2531a405e3e0f4b87c611aa8e226b8b0266290f06f8062456a7a4bf0896e4ddd948 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -10995,6 +11011,7 @@ AdditionalInputA.14 = 23e4e6b0e0c1b28a6f9731f8b09960ce7adac17527b3bbaca7c811daea + AdditionalInputB.14 = dc7fac6aeded9e17b5bb5e2bcad9424d42dc07e809da59d52caecba6e75ca457 + Output.14 = 
5a42b35cf1b72d2520d92719a94ef1a7ca5b6d6c7eef2de25c8ea44c1fc3a9a5ff2128f47bbe58084a0c7a3fc790626eff5666b4c1e68fb2f53de3370b29c398d5067b255f5f7f29fdb0f8bc256ee3afbe78a33981626837c55f981e56eb2e1bdd89ca081e48f6da7ce6576fbd37dbd57a3f41cf410cb375614af239f2e10218e777fb97a55d9cc73243882b8d8d2a2c812fbdeaaed90b5bd71a274b4b171cd7e661912c9b3de1714a3fe4931d8fc7cb1c9f64f4e37d4e5dbc31602d2f8699e0 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11045,6 +11062,7 @@ Entropy.14 = 471746177fa3ebbc1f1e06fa42d61d5d491abc82eb7d66e749b87d562a7eff34 + Nonce.14 = 42f8a1ee9b09940e9e1dc64f51a78b4b + Output.14 = 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 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11125,6 +11143,7 @@ AdditionalInputA.14 = 4b69404b80b6f2fec36a7dff1b194a228761694129efa6c6b9a044f553 + AdditionalInputB.14 = 519c4cf1b30500f729e5426d76373c291e26cafceb594c10c96bdb9aef4b42fa + Output.14 = 53568141a5c09b6b02ac4ab674d341aa6300f8be93c0f36a7376a6850abfce068927510a1b98301aaa29252cfadfe5a2f241abc677e9e70fbca287c579acd276c2eec5c8b508f2b119a40164c6a12c0e0ca1d3d53595bbebe32fda2eef2b613329a614a28d3b374a7b031b49dba74b465a7db60a8dbdcc9e952ea143e9d5a3a651c1b0d6dad79341a7c3fd5816933f2579cc005f3c5655eb8d3f9d1e4562a756ecca3fc1d688c9824391ec8444c6024774a295c44c17fe592694dcf41f305f50a16e07fc28e247bb3d9dd0c52c6fde79df84c8d521606cec9a55f909691f5cfd797b69304dff5b60ac816b0d5046a47c2434127da1fbaa86d2844f5164a9dbdd + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11190,6 +11209,7 @@ Nonce.14 = 8680d7b3f0a8ae576bb0f75364b463ea + PersonalisationString.14 = c0bf8f2ca4efb48b8dca73ca7148da3cd5981c5a459be32db5a14fc7762c68d6 + Output.14 = 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 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11285,6 +11305,7 @@ AdditionalInputA.14 = 
64278bb6b8224b93c0b5339726fb752f6d81e85b204d76376d99779ff1 + AdditionalInputB.14 = 4995815c060c80e9bead55dfe823b869862bd0e5b4357afe810a53c68d4b0e7b + Output.14 = 9b4249e1e692153ecd20e968f86eb31bf9a22d3671d0ce9d3eea243bfc70890644a95d551cb9956cc3770e95c2f14ff154760cba1b24c51c41f7a961a4502aa053068751618eaaf743e0d37fd41ab4969444519c22c8fd96f9eb1be6ff3ae01a25abba84a259dad8bbc78f47dcab3ac2242e6974a56454999b4c59243102b731fc4bb4e01c92d36f232ca8cfe00fcbc0ac200c2e403d17d5d1dd3d6c2095ddd15ad58a070f18b69a5f5d3f240435d298bd48bd9be028ccaeb10997f88857a848882f51a193522bb0b979b37b5508775fe150cab8ce97c0760b7418b5bbe496562fe639540e77c1025c0e191fe000aa5d1e49bf02a5a3c6f46b40dd2c47786d45 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11335,6 +11356,7 @@ Entropy.14 = 337373a24fe76f025575b3dbd7eeedd03d3459d6ef44cd53335a9c4963cc45de + Nonce.14 = ebbea7e8e1a3a45c58044b65ab7688b9 + Output.14 = 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 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11415,6 +11437,7 @@ AdditionalInputA.14 = 771e91743429c40a2e3ececc9a3d73a92336c9c988c5d9dde47563b631 + AdditionalInputB.14 = ae1a58611aa54df3c655a1f20985552ed9e3610e92170a0de1a4573a5a1f93d7 + Output.14 = b2534bf690444513bdfecb35bd616b0de47b7cca7f8ab9c5e823b468da62855601b59c6bb75cf34fe3dbc7f795536b9619d243c0f6960895d6710130fbfda2a0bff803e856f1cf21a63e86e59be0d6da7516b697e9ff95c341913ff27c8abe10e6af1b7ad8dec9f7aab46b8d35c103f9bff3016b39ec24026a7b582f6e95261031f734e29a1b64c65639cf238381e5f7e31da624ad24290930501132c860118b6c59052aaa7cf982486219431311453a431a1cf50deaf068e2f9993c0ab851c9aec72be8f7c5c57ed03c488befe6ffc256efe6db52b7734c042b69a5ed74e2593c4788c5fa8a03a5017b927bb8f1c8262925d734c5604639a9b441187b0d95e3 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11480,6 +11503,7 @@ Nonce.14 = 78e7f6e9e8e1511bc0ba7f230b65fe47 + PersonalisationString.14 = 
37544eb1992fc569ff259946d639a00230ec1196c5565b8f9da62d9ce552e09a + Output.14 = 0ddbb84e21d4d7110b933bbeaddb35ad81dc1f331ac8293695b30924f2713eca6f93a13d520da4486f32a12412a927d00e3f27009a944056a5805b0e050f5bf6c6bd32c523c1d607d6e3e97b59fd059a610d664396f69961599ce7f0a0cbd1dcff15474ac267e36c0b871c559fd13b7ff0c3fcc11ff8dac26761a42697c3744981cc5c5ac10cd0f3b285c4ceb4a550ecead095f90fb6f53aa302218ede7ed5ae5deac91a83f957d15ee901746d11777b23c327ee811966690f5f253c7c314a2bf2bea73ca46c6c8cc332c3493f9d023029d762fc90e5dddbb838f2225c521f196332812570a17455b3db45306aa9100ca83185395435137a0b961531cbcafc03 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11575,6 +11599,7 @@ AdditionalInputA.14 = 8dab17e96142c890eb16981b97364223e815130bdb0c0c284e50dd3349 + AdditionalInputB.14 = 1439e2d19a99703fc35607b5bde55331eca67b2b9a9f7587ddba0dd1fe690ab2 + Output.14 = aa088ba4682bd2285e90c7967a7b8a518e0ec45afd490d367022893e3822c09d967d06ff28748b5de3fb33b071b73c581bd893b6641a72cd5db35540b904eae19765cc121ca4dc9404530114c3369fa80d20dd63c8c09559c4be48aa26ca77b47579dc52fdf0eb2f2db84ab688b87f63097140aef65410fcd7a81c2bddb2c92f9d67b2e46647aadd9b85c9e17ff8b579cd672708282981ba54d854e7c9a1de66621845ae2d337a90025ccbdd1b0d695790b1f977b1e944bbc04d16a9a399628bfb33f98b40e13567514d8ce0b23340803718ea3da44fa84c923f2a85ba21495c2f9541cbe8cadc0b230b1b942e934eb4fe95c3754a77a09641ad730a550fc24e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11625,6 +11650,7 @@ Entropy.14 = 5f72e390aa960846a0004d266e3741b6fe0aaac98d9d87b4cbaaa7a2af0d0bdf + Nonce.14 = 2074991cf0c22cd34b2de48ea1f9ec66 + Output.14 = 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 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11705,6 +11731,7 @@ AdditionalInputA.14 = 97f8c1e98fd25289be846d80f667341a095dfbabd610c691ad6b2b901c + AdditionalInputB.14 = 136912d2805ab8ffcb4e7d6a81e37e14b7f7bb65dd0241d56f11d7c72dd5de1d 
+ Output.14 = 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 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11770,6 +11797,7 @@ Nonce.14 = fe9dfa1b683fa9cc70b7c7f8c81185b2 + PersonalisationString.14 = 7e86cf4111fbea8fa9b180a1bd9ff3e9d233304b1d293adffa49ce8e77f400ab + Output.14 = ca0a6268d034f6817edcb6875b4754b5e9b2061ce0bc2bcd27c28065d8258b40ae63bf6d1e15521196da0afea8139c10d7bf3b54694a82d24476c578991fce1371e40b78087d95b1117650af7134567513a017353bb4af85cdc98db757cec9f92df42b7323b1e5d05387debb02750683a5553bdfb5f9fa34e14d29e09ad18bc6ef2380c173a19631abde085369ff47fa8b4fdfebe13b95b90c6f5841fe5aa6334edcfae26c13cc5d14d17a02d684b64bd55841831bde4c75de7d49bdc1a405d4e3e0d327bec44644e972349a49cbd48a4d3b8e984f5847ffeba950fff55bba9b287d51d8475f7799752208da31d91853fe6d04d97ea2a33d53b07a4fc787be2a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11865,6 +11893,7 @@ AdditionalInputA.14 = 91e14e178a033e26e6f6a0b0f3890fa46f83731a14cf31445c51a92166 + AdditionalInputB.14 = 20299371a1de6f994260d1c59c1d3f731d8f70fea6e9389b3ede54d47594414d + Output.14 = 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 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11915,6 +11944,7 @@ Entropy.14 = c5ebb2ae08a03815e496c2db1e2a650b40893ea78fbd7ca8434edcde4432a43e + Nonce.14 = 0cede46aca7d2a60f2e98eb3c7d1dba7 + Output.14 = 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 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11995,6 +12025,7 @@ AdditionalInputA.14 = def9d8f7b18023b69c6cd4121c0adbc2a89b3ca37333d4523261d5eb20 + AdditionalInputB.14 = 06051dec796525094018b436605bd2ddd66359a2836a5996e8262bb7763fadc0 + Output.14 = 
29e8184e37a5c26670bdc95c842c602ed8b0cf102ca144133e8cc841e1dc32fd038a72c26b8be8a568db60a4cfbd52b0d8b74cdf180a4931d6dd19a255104db105b3366d75e8f6afd0e5fab4dc14f6deac82e7703eb6a61f22b79bdad8ac7fab95a58a71f80fa510542615c305f7cbf84790060f17e7d78ab5d4b0ca34fad47133a0627b803c1caee3b97fe47626a8590672e2211f39cbe1b79d1999fb772b884122c8e50c59fdd3de13a53e805f40f8aa35501571a4c4cce79a8f738e60a43a11afdbed94e26f474ba5cd6ff5cdaf00d0fb84109aeb3510f1ea576c70ae78cdd0415a0521f3ff4083f9160011dcd6e2802cfbbbdfe9c4a3b114dd47b3a6cddb + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -12060,6 +12091,7 @@ Nonce.14 = 7b9a876017e5e14bd6a19719c73035da + PersonalisationString.14 = eb97028b093f820b182384baafa56ecf196dc11ebc515a405ac24f73e465ae9a + Output.14 = 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 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -31145,6 +31177,7 @@ Output.14 = 01f11971835819c1148aa079eea09fd5b1aa3ac6ba557ae3317b1a33f4505174cf9d + + Title = Hash DRBG No Reseed Tests (from NIST test vectors) + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31195,6 +31228,7 @@ Entropy.14 = 6fe9597b59903b1af4012a15368af7b1 + Nonce.14 = fd3e84b3a96caaff + Output.14 = 1eee4c786476d488e58d0e065bb025db548787fafbe757f29ee2bd4781cf69216091ba2b68919b54ad3070ac72a2342320eb1e697b9115acbe07e194d060562e4d0fd966ab29e2c5e560574b2dac04ce + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31275,6 +31309,7 @@ AdditionalInputA.14 = 93dc424bd0d266879601745a23317141 + AdditionalInputB.14 = a17321015d327c5dc0bc1e130aad81ee + Output.14 = f682834b5b492e09ff8e0f2c80683b032a3b262d16bc609c550dc0e74a4b7d8ebc0e3b8f2c9970d90aec9a82497dded20422b17b9e3cc3bca771cbe717ddaed5a7a6ae2601c7f765eaa719b71624e83b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31340,6 +31375,7 @@ Nonce.14 = 
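Review bot: The `Availablein = default` line added before the `RAND = HASH-DRBG` / `Digest = SHA-1` block under "Hash DRBG No Reseed Tests (from NIST test vectors)" carries no comment, so a reader of the data file cannot tell why these vectors are now restricted to the default provider and no longer exercised against the FIPS provider. As I read the keyword, every no-reseed Hash-DRBG block visible in this chunk gets the same annotation, which removes this file's DRBG coverage of the FIPS provider in one sweep; if that is deliberate because the FIPS provider's DRBG configuration in this build does not accept the `PredictionResistance = 0` setup these vectors use, that reason belongs next to the annotation rather than only in the patch history. I would add, directly above the `Title =` line, `# No-reseed vectors are run against the default provider only; the FIPS provider in this build does not run them because <name the actual reason>`, with the reason filled in rather than left to the reader. It is also worth confirming separately that the FIPS provider's DRBGs remain covered by known-answer tests elsewhere, since that cannot be seen from this hunk.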
fa9adae924417150 + PersonalisationString.14 = dbad22c389c527715d21a5bdf38c1fad + Output.14 = a18d57e672218956e6c8cb9901d02888f3587177c3e11e1a99ea72370347b953a9f122c9446dfa109723b27f36fbf15edf103a56741c24968592479cfe30bc0053fa7b9818e9debcc494db64d15d038b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31435,6 +31471,7 @@ AdditionalInputA.14 = e488e16f48c61dd2152afe925eceee92 + AdditionalInputB.14 = 12c692abd90ab485f4d9499680a6893f + Output.14 = 8ba04617a135d8abe0c3c0a170e7472e7ed750eac706e5c3ed8305d6f6f8a1a53e0c52d4853b21ab8951e80970b426008ae11952ff364817b6856ef0810860dc65faea487b5d7c3f3d63fd443756d2a8 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31485,6 +31522,7 @@ Entropy.14 = ceb354444d1a29c0c3e8a1cc24d02846 + Nonce.14 = 86d3fd9fc51f8b19 + Output.14 = 6f90ad611987a37bac54bea0782ac78215b7d17ecdd3991a81a36d0e263c6f0dda2c102cfba56b26c7b74b5dd2548be9bc81c7958e9d19821583c6f388132b9e19ae7609add9a296c1e92d66a2ef5464 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31565,6 +31603,7 @@ AdditionalInputA.14 = 32d09b604a65dc8daa35cdc34141b751 + AdditionalInputB.14 = b8186a294c7824b7c550c1054badec00 + Output.14 = ae9a091cfafbf0e74c2be8ad4b984e824a24e65ba7610b0f3ab1750e2f12de1620db6bb8c493b3d8b06ab78e69cf2dffd73d4322a67ee7725aad84fb458b8f26cf04846850202e53c874213221e761e5 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31630,6 +31669,7 @@ Nonce.14 = 8368ee0e29d35c67 + PersonalisationString.14 = f189a80d5619f53cce878ed57522a468 + Output.14 = aeac5933065c33ce2ace2531a193e367f73c83fc328f61ee2627f6f3841914c6b8a3ff767f96b3c3b685bac931af9ec10c6f3efe25b5109bb647b120e3a3f6971a4ec41f4ef0c7a900fdb09d7ff3b247 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31725,6 +31765,7 @@ AdditionalInputA.14 = af578fbbb8a830947e9b4e2c9e729336 + AdditionalInputB.14 = 
5a69864ca39da1ba4719dfe1dc850a4a + Output.14 = 8b846f03cb66f7e49fdddf7cc449a5f3f6ccdc17ae7e2265a5d0e39ea10fc3e6cffefc04147b773a1584e429fe99e885f278aff74a49d8c842e7ccd870f1330692fc9c4836dac5046c544be74652da26 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31775,6 +31816,7 @@ Entropy.14 = b7ddb82f5664834b4fb17778d22e62f2 + Nonce.14 = 52461924becab175 + Output.14 = 8735d06e26814ee54b5daca4e1da3e321a5a19b062ec0c3afbe3b16f23332a687fadb29e65208130c3d667c075660ff70aea96430fee254c472686b8e82ca359a57bbdc3004bb3eb641c1f97e4b19e02 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31855,6 +31897,7 @@ AdditionalInputA.14 = 7725ef70592c362d70b088ed639f9d9b + AdditionalInputB.14 = 5ab2e0067c3b384e55a78492f0f6ed44 + Output.14 = ca095da39d9c21d7da073d9c95d2e415503b33c327d739f1838bbea4fc6f0254fdaf8ef6152e9263f46b864f39c7104d1d337d99fee588061152e623d7e00a27e03b5d16fe6e543453a31d4dafeda3b5 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31920,6 +31963,7 @@ Nonce.14 = 4e838a124e4b53df + PersonalisationString.14 = 163e393b290a4d390ab0beb392f52d26 + Output.14 = 76234afc296ea36a44254f999ac31fca258a24427cf4bfe2c54495fc41478ec4a00b540659b3b9461cc6188bc1f57c19ae414bd18aa81eca7b9d765a784f0ef24335e46c2c77b8dc915f5d12c26bc653 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -32015,6 +32059,7 @@ AdditionalInputA.14 = 27486f8dae1b36462639ff7eee869a29 + AdditionalInputB.14 = d1bfc7eabd8eddf622297012169f351b + Output.14 = 4c893c3d1ed3a190fa88e159d6c99f26a02fb5fccb98bdef9fe43f1f492f490109224ba6c317db9569f618984409f2fb3db0b1e2cd4b95746f159cca76f1204f6d2a4c455c547a39a5f79fec95c8f4cd + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -32065,6 +32110,7 @@ Entropy.14 = f484b922f492d19b58407c242ab90e76 + Nonce.14 = 8952a0a4b666b0c8 + Output.14 = 
2d77235fa273cab3c1bb176d44817cc25300b3f0172a0b5aaa66b282c015d426edec5f1ebbfc0269956b85994167992a71002586923ea234be6c5df09f47d89132e440827b89f7ff97e032b3f74fe32f + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -32145,6 +32191,7 @@ AdditionalInputA.14 = 9e3ea6eac120d663e330d282ca9b9d7c + AdditionalInputB.14 = b8d71fce7779a9906b9790cd1d4e48d5 + Output.14 = 63d28a300a329ca202b98498c9f46912620bc85c246f034dca4186cd9b0e0810a363785878effde90aec8cb584862524eebf940c44fed21cb580d4115f3e0dda07e0e4a66689c2ff3e9b87edfaa4d051 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -32210,6 +32257,7 @@ Nonce.14 = 7239f92b63fb3dbe + PersonalisationString.14 = 8d2e2ca3985bd2538a71f02cc3eb5568 + Output.14 = 0e4cb328c03faaedbec7215725851069bceae4332de6a70e3521dd065f2f7923485969571ebd7f24be460fd901c6b3e356da6ee5262ef2d76ad14eb0f697f8fb92af2f46630198c5f7018860886147b3 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -33481,6 +33529,7 @@ AdditionalInputA.14 = e5c633ca50dcd83e0a34d397df53f6d7a6f7170a3f81f0e6 + AdditionalInputB.14 = 5f0beb5a2d2968e83ba87c92bfa420fd6e8526fbbfdea128 + Output.14 = 8bec11df1022aa50d95daeaf23d78d6ee45c43c5768b90181e106c7df8ff333d7cb87ca1ab83f8742370db1c8c0c0c22f141ff4de33ae8bdb14fee7e6c069819320629c66d94c7c97ff52930a3c1dcd501b60f0f84bda4720ee187ae858a6e068326eda5809716e366d1b608c61b0100 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -33531,6 +33580,7 @@ Entropy.14 = 1194beb668839c47c73e7516f9ba09d23dec3553b3b5532f75b260106dcc2abf + Nonce.14 = 3c8a77351e93065d584feeb08c8424a9 + Output.14 = fabd48bfcdd07968239fe538c2d8c9bde2e257b9b244078f39287c7ee90de167fff56a693c4e64f45081635511b5fd031c0270a31b4a014e44c0516a55ae72345aa11dffcda4ccf8cda50f6948d5ae425d8d53ad5c74cef1364277990156796e1c5dfa1ef095c0d8983477eb24241135760b02c86c86d4ec3627edac8c1a7e32 + ++Availablein = default + RAND = HASH-DRBG + 
Digest = SHA-256 + PredictionResistance = 0 +@@ -33611,6 +33661,7 @@ AdditionalInputA.14 = 626385595bef7103af0af700e1df048d7572286af709289b7894d2ab09 + AdditionalInputB.14 = bfe8946dbf27d3a2127ec600351c3920d2531eb9419408233e0a888059b5eb68 + Output.14 = ee6d07661828213e6453d94faaf76345c70949eca4965714c350313b0bcd8e079e6a07f8b2f7a91bcb7ef39a61568fd1c40ab78f154b3582f830095d571de29f81f9565e46b560d34c32bff55341a991f8e863bd9242c7cdd366be12538bb6922f1abfa19e7998aac61d465fc46538ee9142acc66786f4516ef4105fe1d80372 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -33676,6 +33727,7 @@ Nonce.14 = de2186bafa82b0d08a0b8215e3424512 + PersonalisationString.14 = d96db27febe22db935b117dc3068374e39c5b2119b497e3c1d858ef649e01de5 + Output.14 = d04435a8aab397cfcee5151f7aa24298ffc6eee4f577cda42d5e154b8d28cb2f0f945f11a15ed5b76486c88f03081cfd262d94a8e0b332e3c9c608461dcc8eba20d7db209810d25c226fda9fe218022a9b2c96876cb16c06c0553dd84ce57e20338c3d3e03c59ce22e668e25c2c50d5cc9afab91f50a28680964c2dacb9d2fb3 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -33771,6 +33823,7 @@ AdditionalInputA.14 = 5d9446eff72d59529a90b498d8f40983b3b2904f63664fc0aa1de8700d + AdditionalInputB.14 = e19707aafa391e8622539d52a05d930292bd0f7c17825dbed5fb7a2f8734081b + Output.14 = 6ce2ae37349cbef9ebd1f9b85485810a22d430d94abf66912dd7b6cc751400e777be2f1cebc19d65694a456b2c6429cefd95eb934030846708d50be3b274c2f7de299f3c311038491f271448c7d02ff51de048fa1184e8ee06b7b46a9f123daecbebae4a2183dc8eb6976abf0dae7cdbea6017cd1500f37dfadcce0c1956ea87 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -33821,6 +33874,7 @@ Entropy.14 = a7a1dbf7f828555610197e71e0ad563b8691589c5289ced03e9ef83b6f9ff938 + Nonce.14 = 4274788c5d80e26ec1ac3a57b9c7c0df + Output.14 = 
5a907a26c1ef588219d4c69fcf4c5c283ab148a77588a40b323bd24e6dfb29551c4b6116c4d61349f5f8bd9ed497f38b239c37283902beb3c9700c768fa289ee4573f92316efb860a5ca4267b328f03c13138b774b4b9f7516003a699f7a0854a0efb045a5932753a771c2cc6119202b33336f10edb715bcce1d20ff503dda01 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -33901,6 +33955,7 @@ AdditionalInputA.14 = de1bbca12357943b4489cc7209b3f063b51b91acc168ec5e0ad88048b6 + AdditionalInputB.14 = 6ddd9aba4f100ef902ba50adee53ef44a4f45564c13e774e69557e36a357e7cf + Output.14 = 544ec80a966644454886fb97a0f05eb6a4a25fcbce795b5e5b27ee06ba14b7de18dbf54f80a670b87c76c336ac9af16c8958ad6c1bde9a97aa4c1ab5823d24a53c64f6766ce6eb9b7085cf7282499c37fc1e2e825f53bc357bf36d5901e0ae93cd3bd821fa18b5aa17548560f7ad6ef38124814fccf9b2b89de61cfc27c7269b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -33966,6 +34021,7 @@ Nonce.14 = ab7843b73ecb4858f2cc5e9dfca803ef + PersonalisationString.14 = dee559515084d8ac49c3803f09f3d5fed3b307946a2752c267677f22786a0125 + Output.14 = a12f5e8ea3bb174934c15e5d114ba615da33210c98c38d7fde4b5aef9aecdeaef311d929d7fece7fee11db67134c3326b413b8dc17766ba4fb881105db68688b148fd95d812f6538b14f25afaae84d39025336136d270bd643f2a6c7164930372fb1c8f4f0dab60283e9d8d3440ce8dc66761c5d5c4c13cc3a367feb4869b559 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34061,6 +34117,7 @@ AdditionalInputA.14 = ead8c0dcf4ddc909aab96eadab509a46908ee5f090983af609f08d8a8b + AdditionalInputB.14 = f357bda8f2048929a4e31969ec978cc333d58b4fc09a8aa1b73ec9bdfaa1a8f6 + Output.14 = 901aabb3f065be08e2f8072d5d3ffcb28ab291420644e407e7a6a3346b75a5be535bdbdd5a8245998689450292df877233ef0783e0bd1765413193790995d884ffcb2c8dc35fe4cfc12def2f091866d735b1dcfc9d8d8c26903d50e9397b1bbd674bb81fc908361b2bddb68f02031d87588cc3e94210422674e93fea6a5329af + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34111,6 
+34168,7 @@ Entropy.14 = dfa94c198483c5daa046f1dd1e4e83f854fd6c5cbc3465f671bdfd36837779ab + Nonce.14 = 298de64bbd817d009a71c1424ae839f9 + Output.14 = bfb9a54ce31406a82608aebc826441f8f633813a0c3bad723b802f3e905a6ee3512ff3513062aea51f93be17aebf1cfcd81868e85db3db9aa98680f974001fda8fe6a644f5efbb9d6e52e99ff606ef1ed7cd3b17fa6c6844790ed58da6df61aba0c200d7dff943588f4520891798098bddc65797b2f99c05efa090c60dc48a4e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34191,6 +34249,7 @@ AdditionalInputA.14 = 066b072d48f6cc6bb00273e0bc0ebc086235fe79af1fbdb46318f56c62 + AdditionalInputB.14 = cfb58f59c6d56993b9f0b5ba1643554072cf4ae8013c236120044ae909083f5f + Output.14 = d5dd7f55ffa7d53fc0f679cddadeb869f39b29a6d394c9f1185b11ebefbcb43419c6a26ae3c9ab9d456e2cdba1aead05e67eabd3596526ee431ba7cab7f94838062fcec2363cf0e19849ffef30064263b3a059ce38aa02c2729bff5af9450e035161816724163906112205196c642bfd70f36abb4639fd6e4f7f6a879ebbcc62 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34256,6 +34315,7 @@ Nonce.14 = ea7d3c3b8f6da0667d7f0d543c68d7d1 + PersonalisationString.14 = 86c20a7e794c887898d5bc00e98398276a4e3ad8d674fb808a63a44330490d2b + Output.14 = ee8e21ff48af611a17d33e130f4e4224330efcc1402b6d55aaf1f514553b880f18df68c0e4279854eb2e9b904c552f69f0e1badc347ebe336b70456f221e07a2fc78df72551d99df3755997029ee1461e2b6e396370096d7e8c2dfceb73214a72ae2b25ccc60b92dd71988eda811ceac4b7c335528249aaf82826a14c142007c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34351,6 +34411,7 @@ AdditionalInputA.14 = ea12ddcafa4f578b8b43337508dd8627844d185b10af7de7e907d113c6 + AdditionalInputB.14 = 0cc670275cd2b0eac5df123eb1fd73c2f2b093b76806943918cf49930fa97515 + Output.14 = 
88dc727007c0e03c8d27d00c87876f8990b271964a5275f636ecd7f18cac9c869e5f9df5fb2d34e7f89c2e9819af562a706a03d9be9318896f5ab16573aebbfd94a681cbf27e7202b8674437667893246c267785d0deca5033de88a61bf5158177391c2e3232ea6f812c468d5629ed9f89ad0bec0f6c7a469f56331f9eba1cd2 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34401,6 +34462,7 @@ Entropy.14 = 6b9f904ac4b16d36e06a1bddc501d7ef98d5685c1ceadd0a6e1622e0c1e73716 + Nonce.14 = 4a42f39e5a241a2b96db29055159c91f + Output.14 = 785014b0460831b7b67346c6997217b0f6c8e7313687ea6ff4d0b09a0786bd6ac362a0b1ddc6ab8c9c624625a379cbec7f11cf30ddab23cdec054b986175cdae0ca4ba4610e0711bc94e9ab706539d5fa2c1a4fd3cd49042696b58dce465f8e09a200e7d214cda357021c62248a01aeb95f8ffa8bd49d354fdccf4c71eec3491 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34481,6 +34543,7 @@ AdditionalInputA.14 = 147d51711ae8a420f165db0000d9d0cb9e9cd5447311eed43d7cc9217d + AdditionalInputB.14 = 2910968bb1976a1b8ced116e673f408da6fc563695c918ac0a230b0bb800c707 + Output.14 = 357a7269b30ca744e213d894f5c45d0db9fba897e0c863a56062f5018ad9be9f37b8d550014ed68f2c34bf5195c0b7460df171ff3bd4a590578670c92470d876c8de19d48a6d7fa15fc7996be78d3cc8a5c657439f4bb9865bd56e187d5df2531a405e3e0f4b87c611aa8e226b8b0266290f06f8062456a7a4bf0896e4ddd948 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34546,6 +34609,7 @@ Nonce.14 = 66ad2a0d5de624f3d709cc95e5c99220 + PersonalisationString.14 = 6f7f8f1ffdcf859adcf6020d5cffdd8e3e1bdcaef0b22e9e61384b888f1b3537 + Output.14 = 1bc4cd76787f031df8e4f592f56a845f7d8aa200aca0b910e68f149cde112d0f1e127faa7fae25ca4299eacf9e49e132f3e4083f1c5fb0304b714f06cea122bc1392cbe18289d2411ae08642a9196b654a8b177c127b9215f9df815eceb254b8d9b4f632d25d123ceec686124e58b3606ff1ce51fce0752f42232c03694a1d8a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -39331,6 +39395,7 @@ Output.14 = 
c731cc7b21c42730bd3cca61fc5250b507ad08b24ac471d526f2217f15dc4d1fea85 + + Title = HMAC DRBG No Reseed Tests (from NIST test vectors) + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39381,6 +39446,7 @@ Entropy.14 = 5d80883ce24feb3911fdeb8e730f9588 + Nonce.14 = 6a63c01478ecd62b + Output.14 = 9e351b853091add2047e9ea2da07d41fa4ace03db3d4a43217e802352f1c97382ed7afee5cb2cf5848a93ce0a25a28cdc8e96ccdf14875cb9f845790800d542bac81d0be53376385baa5e7cbe2c3b469 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39461,6 +39527,7 @@ AdditionalInputA.14 = 7206a271499fb2ef9087fb8843b1ed64 + AdditionalInputB.14 = f14b17febd813294b3c4b22b7bae71b0 + Output.14 = 49c35814f44b54bf13f0db52bd8a7651d060ddae0b6dde8edbeb003dbc30a7ffea1ea5b08ebe1d50b52410b972bec51fd174190671eecae201568b73deb0454194ef5c7b57b13320a0ac4dd60c04ae3b + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39526,6 +39593,7 @@ Nonce.14 = 296bfe331b6578e6 + PersonalisationString.14 = 4fccbf2d3c73a8e1e92273a33e648eaa + Output.14 = 90dc6e1532022a9fe2161604fc79536b4afd9af06ab8adbb77f7490b355d0db3368d102d723a0d0f70d10475f9e99771fb774f7ad0ba7b5fe22a50bfda89e0215a014dc1f1605939590aa783360eb52e + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39621,6 +39689,7 @@ AdditionalInputA.14 = 4de6c923346d7adc16bbe89b9a184a79 + AdditionalInputB.14 = 9e9e3412635aec6fcfb9d00da0c49fb3 + Output.14 = 48ac8646b334e7434e5f73d60a8f6741e472baabe525257b78151c20872f331c169abe25faf800991f3d0a45c65e71261be0c8e14a1a8a6df9c6a80834a4f2237e23abd750f845ccbb4a46250ab1bb63 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39671,6 +39740,7 @@ Entropy.14 = f41d60edb7749acb68111045000ccef2 + Nonce.14 = bb5fb8962ca3002f + Output.14 = 
262821119be1ee0bceedc1bcfd04f7fa2e199b2a7522c4a3a98c4174e0ac4ddcf7323dee2fcf9fbd2fe26c4fad347f7199be105730441f042865aeef50b89c00aa661361b6a1f20849bc7c70aa294543 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39751,6 +39821,7 @@ AdditionalInputA.14 = b4894bbb6435ffeb710bf5ae440bd744 + AdditionalInputB.14 = 689fb48c27983ededdd56d5a6b2c0345 + Output.14 = dfe8a9e17b938a1782fc3dba4f234dd9c9e36b67b28e1d901ca6b3628689aa4d2ae6b005ae3ce97e0d1e645da2710162294606ce51638b91e9c46d8f7f4f1a217e44c36b560f78b0541fececcf49b9b9 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39816,6 +39887,7 @@ Nonce.14 = 3c9434b7d7e18472 + PersonalisationString.14 = 55bfc33da17f712877829b7f8a134e55 + Output.14 = 705950e4790ada95b99ace57e31115610ebc65d755fe587eae8fb1aeae463bea8b50a278f45e61d3433272ec31b0d48afcf219f5f4a0adb20537be9c7cb65911df28976aed4b4278cc524639a1ca5f40 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39911,6 +39983,7 @@ AdditionalInputA.14 = 7ee4f3670c4671f128cbd743c408bdd1 + AdditionalInputB.14 = 38f8003e8fb8c119534a2c3400a87f8d + Output.14 = fedbb1636b83c5cc5379c9aa4d1319df6d30770e469c2f7bd65b4b74d9bc880d520e11b2c3642a7c4cb6d6138d1d92f716317dd762c0a841e56e7e0226971a7f470e918d44b4f374f9e7e3b5209516d3 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39961,6 +40034,7 @@ Entropy.14 = 5b6aaaf5c4e5acdacd2c0c14648eeb3f + Nonce.14 = 353cc1174da7f766 + Output.14 = f7664dd99fb870dad1a45a4ddb870c9936fb42b3a063336e447f15703c5a95dd79eacd9f41cd0c1b4f2e1a45229aca140f463c1beab47aa0525e5bd6e1accf360bc8525430ba05fd14d1f008009fd586 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -40041,6 +40115,7 @@ AdditionalInputA.14 = 4eb5c1192fa86b355237b5a8bd43ebf9 + AdditionalInputB.14 = 7323d1a6f983b7d16df6b0aa9d14adb4 + Output.14 = 
cd41a0d7371b2eeb790fa8335660385c418ba84507ba94d1d1015b3353cdcad556993c19388461fd2cce38cc9fbc00e707b18dea9d712ac0616b443b23aee8131c295a1a741ffde36b2032bdb8ae2f6f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -40106,6 +40181,7 @@ Nonce.14 = 9bee7502db25ae7f + PersonalisationString.14 = d0e8fa47aed6b67ca4e8e521f733921c + Output.14 = 3c649d295fd9b98082706f3f841f5275834143698c202da4c881c7d0a3c9995329a54d440fc4d21ab596e95e5b6651c6e7138b332c97ef771bc6e3b0b3fa09090ffb402ed1116d8395e5f1cfea3eae6b + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -40201,6 +40277,7 @@ AdditionalInputA.14 = d56ade0d74ea34577eb12a899d18d382 + AdditionalInputB.14 = ea83bdba8490ffd136def5f7d9240c59 + Output.14 = cd3d8174d8af97387ff02707d2757ce685ffb5d8dd91d95b8af4a3a757f9321b0e908096cd1321de0599640b7d81f43606b12e029ae158ed568ce1db429be75285c655e15f88da859f09b4cd843a0b61 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -40251,6 +40328,7 @@ Entropy.14 = 1c3fc8de26ddc78651c9c2e4ba874ee0 + Nonce.14 = ca6a2d3cc5495dd0 + Output.14 = d00ff8d3b8ca273cf7c3650e36c892018c0f765da45ab5b902c5accb30ffe01a99d3b86752195dc9aa1232fc852790ef51860fd114bdc78ae02acb5ab2021ec726829591d623b0b66329e641c1f915ce + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -40331,6 +40409,7 @@ AdditionalInputA.14 = b180d77e0ef217268d2d4dc9d4a9532f + AdditionalInputB.14 = b192957f3e98f7595768d00834eee1d9 + Output.14 = 7d4791ccae7980ad19e5d8eb8932ea8ea1756710349ab8b771558cfe471a278dcc263b737486179a4ffad12d5311d23912c3a46f07152808d288be2dfd2b315fc4f6df6418029be52daed643dd3c6110 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -40396,6 +40475,7 @@ Nonce.14 = 84f7310a7ab653e6 + PersonalisationString.14 = 0fb2233c2cea27d17b6dd93bc4621285 + Output.14 = 
a2f373a523ac9f2524b059d0c23bcaa905e15948c7ebf71b6e82150aef562dae4003c1a8a3748cfd553d9a51a8f9450b9d569d96d897fed50eee23978e49b364c64db63fac9dc0fe9e8b58836aa04a74 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -41667,6 +41747,7 @@ AdditionalInputA.14 = a58757b98280d90e84d6cf4e2fa89c01a9e6aad22d6cff0d + AdditionalInputB.14 = a3f5de1ec6d0ccd39fa153899f0c1a414106a2aa182acf31 + Output.14 = b1797707f1217d81c8463b44957df350dd139073b056c50d1c912fa111f9cb488bfb7d2ec6faebd078171cd6b71171ae33698ff96c7225d7fd36ddcfeb2630464974d12b3e03877bc73ce1a2f89aea7ff7ddc8ac85708b35dd94d3972875e2d3e7237ec33871e99301202b52e2ff89db + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -41717,6 +41798,7 @@ Entropy.14 = 451ed024bc4b95f1025b14ec3616f5e42e80824541dc795a2f07500f92adc665 + Nonce.14 = 2f28e6ee8de5879db1eccd58c994e5f0 + Output.14 = 3fb637085ab75f4e95655faae95885166a5fbb423bb03dbf0543be063bcd48799c4f05d4e522634d9275fe02e1edd920e26d9accd43709cb0d8f6e50aa54a5f3bdd618be23cf73ef736ed0ef7524b0d14d5bef8c8aec1cf1ed3e1c38a808b35e61a44078127c7cb3a8fd7addfa50fcf3ff3bc6d6bc355d5436fe9b71eb44f7fd + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -41797,6 +41879,7 @@ AdditionalInputA.14 = 4f53db89b9ba7fc00767bc751fb8f3c103fe0f76acd6d5c7891ab15b2b + AdditionalInputB.14 = 582c2a7d34679088cca6bd28723c99aac07db46c332dc0153d1673256903b446 + Output.14 = 6311f4c0c4cd1f86bd48349abb9eb930d4f63df5e5f7217d1d1b91a71d8a6938b0ad2b3e897bd7e3d8703db125fab30e03464fad41e5ddf5bf9aeeb5161b244468cfb26a9d956931a5412c97d64188b0da1bd907819c686f39af82e91cfeef0cbffb5d1e229e383bed26d06412988640706815a6e820796876f416653e464961 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -41862,6 +41945,7 @@ Nonce.14 = a59394e0af764e2f21cf751f623ffa6c + PersonalisationString.14 = eb8164b3bf6c1750a8de8528af16cffdf400856d82260acd5958894a98afeed5 + Output.14 = 
fc5701b508f0264f4fdb88414768e1afb0a5b445400dcfdeddd0eba67b4fea8c056d79a69fd050759fb3d626b29adb8438326fd583f1ba0475ce7707bd294ab01743d077605866425b1cbd0f6c7bba972b30fbe9fce0a719b044fcc1394354895a9f8304a2b5101909808ddfdf66df6237142b6566588e4e1e8949b90c27fc1f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -41957,6 +42041,7 @@ AdditionalInputA.14 = 288e948a551284eb3cb23e26299955c2fb8f063c132a92683c1615ecae + AdditionalInputB.14 = d975b22f79e34acf5db25a2a167ef60a10682dd9964e15533d75f7fa9efc5dcb + Output.14 = ee8d707eea9bc7080d58768c8c64a991606bb808600cafab834db8bc884f866941b4a7eb8d0334d876c0f1151bccc7ce8970593dad0c1809075ce6dbca54c4d4667227331eeac97f83ccb76901762f153c5e8562a8ccf12c8a1f2f480ec6f1975ac097a49770219107d4edea54fb5ee23a8403874929d073d7ef0526a647011a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42007,6 +42092,7 @@ Entropy.14 = 17da1efd3e5250dfde3ef1683bd9cf4d4432a2f223399664f7645763bebd5ebd + Nonce.14 = 0b160c67b97d5302972b5c517bed5a7c + Output.14 = 859bab959dd16f2cddb05376b3d3e46cd13c191c18203bf3c0bbd5803cc559aacce48d88564166fd5f43c22d08cda1acd8004f36915739796a39ca96f8e7def14b58a8ee55ff72de7e2e2727389e027657447e32e47d4ea2f0fda48e86046d111cc334bebf4ee1019199c94fdb26169661cec0b0c47176cb5fb7aed8ad35afb1 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42087,6 +42173,7 @@ AdditionalInputA.14 = 50687524beffed38fe27963340483886645153311dbd4d10d86e7d6b26 + AdditionalInputB.14 = 1e3ebe4a54c3092d540ad2898ec3be1af84a1d515c013632402ffdeede7caa8b + Output.14 = 007139a46072d9dbb6589b8ecf5f287d3aebb13b480ffcd6e95f0b2f916cd99e75f30a21971298257a80c17e9e41f8e0874dc9da8f6c18007a6e4cd5971df083ae62bb7b9f1bd4926f17e5574535f6009c0068b4ea3a50e2ba6c6aa6c7729fbe8ba58b4b795740ff6ae2f3d6fbe3e06828080cd1dcfb11771ec98ad9e0bac0b7 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42152,6 +42239,7 @@ 
Nonce.14 = 2b653a89e549e3b1ee7817f5864fa684 + PersonalisationString.14 = 814146b3b340e042557b0e8482fcc496a14c02d89195782679172e99654991ed + Output.14 = 3ea100cf50c25d7b2ef286b5fa0720f344de2d568979e7349befa23589083e835205cdf6a4670722fff04260e54618c9c00af75cc26eee665b64e7e628ec4c56a8086dcd583681170f60d565bd97d0f416e4c231e281081b0fcd16c8db63ea9029abbfcb068bf57a36364aa9e27603f447adf337baa35f049a129abdc899f808 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42247,6 +42335,7 @@ AdditionalInputA.14 = 95f6df9905b652de6d08399f61956acf943fe412bc71de60d6b69881f8 + AdditionalInputB.14 = 87b818568ed80f7c2e8f5b5d7be403f8badf9fa0e716aaf1d6409957b242aa07 + Output.14 = 45b5182f313a26008bb4ab82f68a12e7c783c243ba1ac6d8bfaed44ddddb607f964ace9c3505d59ef5a3691143a4845491661a1dff8ac4de2e56b54e263ac3aef86966fd656b5a65d4f3b89731d50fa919663bd5691678ee5f8f499e84b1822bd0b91409b62cf98c176df7e812513f3252d25d15fe13ef9f253af477d16bcfcd + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42297,6 +42386,7 @@ Entropy.14 = 32695b2c55839eb3a048fabedcae1f23bf0c7206280ba4ba0d08b9bd9f119908 + Nonce.14 = 01f2a4cf8a9311abe5ecf58d6661dc5a + Output.14 = 4a4f44f418d585e03f508f2ff05345abffeafd75f610a957be7f3ccaae31ba28e69bf8ae441a405fdbc0ee761e39c76b69062f5a3866fc296be1ad306e6584ab2d250d717605c70a17c46a298f714e4e820c85a1fb84f4d61b9857a40c2902193ad703c78635a2791abe6abca6124229ed75827135c27f1a04d244e1d73ff059 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42377,6 +42467,7 @@ AdditionalInputA.14 = 2e51dbbfda8c92f2c838bd85ca5dfd7f35504fae1ad438431b61c2f062 + AdditionalInputB.14 = 00f507a359585778988b6bb6b91f23d4ab29d2adbe632e4cd4646c8cd5f1b76a + Output.14 = 
b7adbbf07414551464711ad9a718315b0587db2782d34179b70b4c0e323a91ad9de40933023e3a6be71cd50dc58953ad1bf66354bc45dcd9ea23682d487b43903a8f426182536e170af8b04460c586d8ca56e4c307ab7116d8130634dc9a58e1c3077bbddd6bd58c8a0fb9b18c4b839aacf5fcd711c611db120e6a605745e86a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42442,6 +42533,7 @@ Nonce.14 = 3f9e88b93a6e69d070328c2c570c3be9 + PersonalisationString.14 = bbe702bbd2265e73aa073f47ce55fb65902abbe51635b414df688c60868546e1 + Output.14 = 0280555ba6b2379dce7cd56615d7d86feadb8ad995e2852a0607e663a34b1e0342c7bc649adcb204e271eeb87521591fad74b3bd841971cb100ae5f21599b732d8c5f9d578c1113da7034b580013720e62b1d013e28205d5024f8b1eb3219e6cf821792713354cf1349d32a64f32ecdbd7578c55e401fbea57f21ea3ebef0f9f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42537,6 +42629,7 @@ AdditionalInputA.14 = 38684dfa6edbd61e464e49f7d01932802a5a5d824db6b1df6087e84a8e + AdditionalInputB.14 = 4949b08a12656c497cc6760791982c0d4e674b0f8a14be730a91689ee77e981a + Output.14 = fda39bf8dc1aa785422281dec946bad99d5ead17cac55d47bdb9bd0a80a72f3c611f92bcf29e3e45475426a7a9f139b755f332cf75035b047697f4131c9bbc9ee825ede9a743b14f02dea122194405864aa2b538ed5cdf40ecf81e02bed1556ce0e7974548f050b084b8f3626c0fb2c7272d42cdcb039af4c7d957e285b53b5b + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42587,6 +42680,7 @@ Entropy.14 = 1006646f977b83f4d90870f24b3b72d0b4947037f7671a64ce3b52829506a519 + Nonce.14 = 5698d50f59c42b26339d218fc985a41d + Output.14 = 44ab1d22fd3a84f8847c33d0fb0aea66408d5181b8ea95416beddd9784d86d72d2851857b503253016036246cea11f2ad2bd18fe56508697a50b14e7c85bd9b002deadbce5ff9f72508b6ebce741dd7803a2d8633dbec235cccd37c089c9d747a52000ed4cc1dc8545ddb65e784a698bdc74a6ff4fd7b3dbed31a22f83b4fd8f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42667,6 +42761,7 @@ AdditionalInputA.14 = 
8d72118578abbd90ddbe6115ab10b499afa26c2360eaf6fa118ba590ac + AdditionalInputB.14 = 6ca4d45fcbd0c7e964557b2bd7622a528b4722335b47383f7bca004b7cd5cf04 + Output.14 = 360d9ff3111c6b713fc641b571b582770991885f2fea806a485006a1b4f41ece4ce83dcabfd403edde77780c044c96e85ce5d1f1a368ad881a64be8c41e87f0a682ab67170ae05a24b08b4a9178d13ac9928ecb3b5e23e745d93aaa5f111c335c77cb9a5c3da8163cb428fef60da737b884105ae57616637b0e40bad9594bd51 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42732,6 +42827,7 @@ Nonce.14 = 50f723edc4f658862758e149e7ae4f20 + PersonalisationString.14 = 39d43e627ab7c7a6d12fce4cd8c001678bfadd9d07d4086674e5d8bdef4ac62e + Output.14 = 02e68bf3f78812aa270619b307dc0e57b05b8310084ecd1914a67d93b77127e0b3ec40e359adc451eac8788ac708fde70575fc1b9bbfd291bf5b8d7bda7bcc23a0271ba0bb0e6d617132399bd6cedf5a9a683ea98b3b0dd3bc6d811e4f66c9ec751012992cf54e3ce474e09b31ba9c01ea231d4fa8f09441e204c4d3285c78d0 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -44003,6 +44099,7 @@ AdditionalInputA.14 = 73cd5580972f69bb4b0d0cd8915a5b594c3a9fa40b82d6b37446dff4c0 + AdditionalInputB.14 = 304c2001d8bfb9f1b23f3b336db9f5da17752cbaba782d8932d2641aab4c34b8 + Output.14 = 5771705c788e15fd5f656d4b5555d532ee4c48453be651a69c30fa706abe7719d9842028c667fab59aab97fe64a6140baa5d42dbfb7ecd58f2ce557a7b8b2c01669232e0b8bb0ddc6ef8dbe627ec5b370ec74553640982a14bd38ad9824b9651b717f8e90f539c42d04f7cff648c38b26abf38dd2a777348a4c2872f6551ef0f9e148bec810025779e7cbe1055cb0250a764fca5a1feba53bba64b7ea0c4dd3d56a7e6b4f8a157264e6666d356fe5a7a29fde7f4391662c4e69f471c21c6beeb + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44053,6 +44150,7 @@ Entropy.14 = 2c13e44674e89aa105fc11b05e8526769a53ab0b4688f3d0d9cf23af4c8469bb + Nonce.14 = 700ac6a616c1d1bb7bd8ff7e96a4d250 + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = 
SHA-512 + PredictionResistance = 0 +@@ -44133,6 +44231,7 @@ AdditionalInputA.14 = 6cfccdd8253cc5b284701ef8d16f8888f79100373a7df50f43a122591b + AdditionalInputB.14 = 5795ae5be47a7f793423820352505e3890bac3805c102020e48226deab70140a + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44198,6 +44297,7 @@ Nonce.14 = fff1f2e2ac117af8b2cb023f0dd6c6ea + PersonalisationString.14 = 0a4c2df69d6c69df0a9c58ab7c886ed9db294f5fe98eb066fde543b409ee91e0 + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44293,6 +44393,7 @@ AdditionalInputA.14 = 2b2dbe3834d8be93f1396b19be83bd96823dd82740da71c5eeb7b21865 + AdditionalInputB.14 = 49c322fc1bec86d3e20628d9bdc1644e6f5e0237c7c694746bfee32a00145696 + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44343,6 +44444,7 @@ Entropy.14 = 1436be35237c34bac5b5b36b24c998380883fb52621daa420112cb57bc84745c + Nonce.14 = ed884f91a94c1b0a51f316df776283af + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44423,6 +44525,7 @@ AdditionalInputA.14 = 48e994654ab1d109511a3b34f5fa9f12b8da17da510d7a71e3839ba86b + AdditionalInputB.14 = 949ee0617b277a3ddf4a51343104704775d91797be1826d78051496a87d9113d + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44488,6 +44591,7 @@ Nonce.14 = 70916df78dd9ea799230435b3e48686b + PersonalisationString.14 = bf755696adb9c92839798798f836b063cbbe987f0163ef3f4a97222c888f5da0 + Output.14 = 
411cd8e76e711447e8a93ca95aa3aac5e51f559d65a8385a15e71877ac8472a347d9d453bd6761655711ce2133900d28e41cfd1292d28848646e5cbdcac1e60e49e62aab169b1735e701e38d65ccc073f277972ca85444dea86c19c0c08317dbbeca4fbd5d4295c9da71b89623d0028cebf1ab68fd0aef5b37e76e2e0b3e7f72eee04c01b6afb180b1fa0c370975526b788ec4db076a16a798671451af3e20d323684e232a25d78aaa8ee43f734f1555bf0a324053c7c895dc3e098621e189962a914f486cd7a5ff330f39316afb762b1a06cf8b593ca00d7edf739e2e6827a7af662f33bb09fad09d6bdb3a565f2bd32512c79927d390c79a1cc6db968b13a0 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44583,6 +44687,7 @@ AdditionalInputA.14 = 6f9f47857a60b6f3f9fe9a83ebcec5f16ca73e236d2af5b0daab45c0b9 + AdditionalInputB.14 = e6628fbe4a774bc5383218302b7c565da5a5bd9f19db6182b444af5ae5f62739 + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44633,6 +44738,7 @@ Entropy.14 = f5ee32b61bd57a4a4d51309e846f636560a8bb2a576c65d37a3f715ff1878014 + Nonce.14 = c638557dae4f9ab6e078c61d54d0f566 + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44713,6 +44819,7 @@ AdditionalInputA.14 = db7b290176b65f826aac2190a912672f8a9c97815706af33732f68b1f7 + AdditionalInputB.14 = 13425f17d8fbcca3b4d7793a53507a85813f6f50d3365d680c0620d5fe1bfc33 + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44778,6 +44885,7 @@ Nonce.14 = c600da30d68cddd9b823433845111880 + PersonalisationString.14 = 8896ff67866ff1f59c8e5074d91e6b9112410c9b6a1eefbcf05a1b8c7123dc89 + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44873,6 +44981,7 @@ AdditionalInputA.14 = 
4adc98c66aa72da2c63172aba2a6c59fb20aa7b195a0b79edc709bfa99 + AdditionalInputB.14 = 83485ecbf938b8035d047956a3a1bea5adb66c4a7a24b21dfce4269681c31bae + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44923,6 +45032,7 @@ Entropy.14 = 60da58990a377a615436ef43b1199f88c7a4629653dde2350a4c5115c42e52f6 + Nonce.14 = 592033d0de138ae7082c03553e3bfdf9 + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -45003,6 +45113,7 @@ AdditionalInputA.14 = 967911f9412d40f2c62e43f48ff965bb1579a2ace388c781e125fe70f4 + AdditionalInputB.14 = 052c401de1053b8dea309196bb8e326d4b643371976d1ff6be0a6ea4ad27e5e9 + Output.14 = f7e8cdc3f8d2796414b9c83486d746cb8b1675b37d0d7546392c59622c693045dbcb10e9343524a6e7a9cc757717af22ddb8127bcdfb29cb8da409bd69d42aed9708cb2f904dff562a695be004ab25d31b8485bdd677c96d156ce8037726519d1949cc15e91acfd1c7c0bd58058b72c7d340b2f0bb12115ef44af6d20ce5f429d681b614e06bcddbf8ba00b40732b4dd425d1a87b663afce0e9a87b942a543b055f00b2428de12464a1309fccd0a15d512691e3858666ea4dc6084283deb075877c0162dbaf8318c9cda01ca611d72fac0b386a753ef35f438757cdf732a61a1f6123d1de3f61eb072d022f56c679a86f7a05bd6fa420ba39ed2973d4007b9cc + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -45068,6 +45179,7 @@ Nonce.14 = 0a6bef6b736129740978e31c3fa279e8 + PersonalisationString.14 = a5ca2491479bda16341b2c14339a5307fc2e2f5df4fa625e0ea351a95a14f588 + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -68233,6 +68345,7 @@ Output.14 = 6af689cec62a633492f6e24b754d38dd6ab0b556e91802d72f14dc8c0e9ff50df728 + + Title = HMAC DRBG Prediction Resistance Tests (from NIST test vectors) + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + 
PredictionResistance = 1 +@@ -68313,6 +68426,7 @@ EntropyPredictionResistanceA.14 = ae706e740dda50209b20acf90dfa8cec + EntropyPredictionResistanceB.14 = b4d4b4bc7cba4daa285ff88ce9e8d451 + Output.14 = 74acba48f0216087f18042ff14101707c27d281e5ddbc19c722bec3f77bf17ca31239382f4fc1d4dd0f44c296bc2f10f74864951f7da19a23e3e598ac43fb8bbdd1fca8047b98689ef1c05bc81102bb5 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -68423,6 +68537,7 @@ AdditionalInputB.14 = ccdb3f7d7f6a4d169f5f2e24ec481fcb + EntropyPredictionResistanceB.14 = be4a2c87c875be0e1be01aadf2efeef6 + Output.14 = bfcc8f2ece23d22545ec2176aabd083855923ca9a673b54b66a3e2562212aad3cc74c4c8976de259cc95a2f09a85b7acd1f18c343eff0368a80e73a547efdcd954816b38df1c19556d714897e317d69f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -68518,6 +68633,7 @@ EntropyPredictionResistanceA.14 = f324c09f96434ceea7e756fc2f55a0b3 + EntropyPredictionResistanceB.14 = f043b6e11fc2f671ec00f4d478b791c6 + Output.14 = 40e87b822b1000441884a38b8776baa69fbea99962571e8a20d8af012d50c8c211860ad579869ec880320ea8057d5cb0de9496ec57d8b594ca8be5b94219eaa800af7205f8a83b66c87e0fee9aa9732f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -68643,6 +68759,7 @@ AdditionalInputB.14 = 0d5a2183c9f9ca6941f6a617892f5e47 + EntropyPredictionResistanceB.14 = 998f9cde45b1dc22db6d2d7bfd4f3930 + Output.14 = 934fe82b0951b97dafc5ba16e87b0459691156b42ff2dbbbd8f6ed9b04be952af267c6a17fbfc86de91f9f07eed482a5362b176216a8963af485503ba93b2e82c03a3ee6225077d90cd961e24f6026f6 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -68723,6 +68840,7 @@ EntropyPredictionResistanceA.14 = 427b47ed008e489cfd06e1a6e0a9f07b + EntropyPredictionResistanceB.14 = e5ee8df96c0e929446502a4bbd23ab22 + Output.14 = 
a544ea7c3362570f48a42635f4b79f615d11a5d8a480d85ac71e4be90074fbd5e2d368d00755e95a262d79ed262003d3e2a26f82c37d091ae763a01fba08c87b3ec0ce817bbab8d1905f91f021b7d7d0 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -68833,6 +68951,7 @@ AdditionalInputB.14 = 3e95f86a7168410eac0c84995c187fd9 + EntropyPredictionResistanceB.14 = fd15dfdd8cfeeb7ce0c76f759dfd47df + Output.14 = 480d9cbbfa6c923866179318b293c52c9ad86c2ee27faa745873a77d0242afe669d1773fd9c17284097ee8e644aa054deefbb9c73732ba6b5004623df15edeb49ef2e1bc8dbe023f7104ea1395d9fd38 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -68928,6 +69047,7 @@ EntropyPredictionResistanceA.14 = 845decbe6e03e423b3660bfe7db383bf + EntropyPredictionResistanceB.14 = f4ee7409c076201255bc78ec82ca5530 + Output.14 = ac57a08b77c528b834df2757069b6330f05a9196fbbb17300f9c31ef596f551ecc56fa3256c0ab1534df4955f2da1e8d98026b7c5e07290faa5131a95d0fa35a56b075752656ab61a74f889fbb735c58 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69053,6 +69173,7 @@ AdditionalInputB.14 = 063e444dc2990f59e04839fd5e9eaeb6 + EntropyPredictionResistanceB.14 = e059229538a827fe9b7e5caa44fb1e3d + Output.14 = 62efebd7730c6999fd052b98e2bf26eebc96b617a03fe2f1aa7ea3be1aea833f705a3ef3776adc7578f5bb6955a60853ef267fbc18aa3d57b8e0d9134c81e8ffadd0c66d385e5d535d74a615fa896757 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69133,6 +69254,7 @@ EntropyPredictionResistanceA.14 = 74b72e7e1c5f16bf0389dafed9a86ae4 + EntropyPredictionResistanceB.14 = adef9418a342b4717e93df6450429a38 + Output.14 = eae51f34bfaa2970f41c3211ec228cfccc1d3c0fcc077d1d9ba159b3bac8685bc5783f61c67fdd4beca05dd4f14afcfc4d554ae75f73842637671102c3b81cabc9a0638cecad5a6615171be5265d5454 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69243,6 +69365,7 @@ AdditionalInputB.14 = 
696d9380b814b456ca59ed58ea765400 + EntropyPredictionResistanceB.14 = d57fb196a634da13ba8695098ed79f9c + Output.14 = 069848aef419759b75896cd507a109f685228b5639470afeac0caa853f1c3dbe373f99db76bf06fe8bac356bedf6bf18787043970fb0a185c8a0a4d8482aa3059eeba0d244fc03c9b72857dc5188d44b + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69338,6 +69461,7 @@ EntropyPredictionResistanceA.14 = 015ef1f359f60a391b3720d578731070 + EntropyPredictionResistanceB.14 = 963736987090fe71e69b4a2480d9b314 + Output.14 = c75a102bea830a8a58d9a9a43cb03b21aea75d8d2a08c37aaae9180a5e1c78e5700b20a5fe1c7ef0a7e3d2adcf539c4c1357946a328a057e719b97d802b586910f804c166d4884d8bbb3bbc03074c53a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69463,6 +69587,7 @@ AdditionalInputB.14 = e0b7ad60c542e6c2b324652fd2d7cdc6 + EntropyPredictionResistanceB.14 = dc7ea852c3e5467977c7946e77223567 + Output.14 = 0e2e5f47ca8ce1c7fdae1b49d6bc8594da1458eb8dfb35e0602d3812df7532cf6213eba8e75302444529565c40d23d0a336c4cadde37f0def2c3d412984360b65c668ef43263fada16b28860f6ee6ceb + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69543,6 +69668,7 @@ EntropyPredictionResistanceA.14 = 4912a46c447c2de26dbbaec01817d2a6 + EntropyPredictionResistanceB.14 = c182dc35363cd7e04394c28030e6d6b9 + Output.14 = 976daafdf1dd5163e88a928d91933678cda9c8ef9a8251070ee8a6b42efda3c00a73303d0426da4a4af7c587174dce9936bfbb68a73979afee9f3a5b4fb4da2eb2b2f2f1c0948b63b45bf583412b2890 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69653,6 +69779,7 @@ AdditionalInputB.14 = 8022a4985c745515682102a25b379301 + EntropyPredictionResistanceB.14 = 8cc2d8a789d343547ee48869f57ae225 + Output.14 = 5707c544445358767b1c4d6c319b6a8d9be38afbf945dd4e869e9136d63c9d74aa872139e8bdd374510ebcf8c36c39e45ff31596fa58721c2a089dea7b418b3f7a00d78c6ba531adbb59ae2ab44bb683 + ++Availablein = default + RAND = HMAC-DRBG + 
Digest = SHA-1 + PredictionResistance = 1 +@@ -69748,6 +69875,7 @@ EntropyPredictionResistanceA.14 = 701b8e70583effd1c4e901c50966127e + EntropyPredictionResistanceB.14 = 40e9ad701b63ee7bd6132d7f056a1f09 + Output.14 = a76b3e058ed1a8ca5860b15abe08a607894207d3d3be5bf6c3dc99c01523c85bf18927bc6d3f66cfef63a238aaef1ee87998100faabeef0d2518f3ccc0423d776a440ec9a87c5601fdf45c309c264dcd + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -76340,6 +76468,7 @@ EntropyPredictionResistanceA.14 = a918ec35414b0bf1d9ba3b80ef838e75b9504fb6b77e40 + EntropyPredictionResistanceB.14 = c25de5d8b1f17acb7303c4a652ea1bcf284bfdc08a12c40ece16e3125fc8757e + Output.14 = 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 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 1 +-- +2.41.0 + diff --git a/0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch b/0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch new file mode 100644 index 0000000..01fa935 --- /dev/null +++ b/0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch 
@@ -0,0 +1,273 @@ +From 930e7acf7dd225102b6e88d23f5e2a3f4acea9fa Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 15:43:57 +0200 +Subject: [PATCH 37/48] + 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch + +Patch-name: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch +Patch-id: 81 +--- + providers/implementations/signature/rsa_sig.c | 6 + + test/acvp_test.inc | 214 ------------------ + 2 files changed, 6 insertions(+), 214 deletions(-) + +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index 63ee11e566..cfaa4841cb 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -1279,7 +1279,13 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + err_extra_text = "No padding not allowed with RSA-PSS"; + goto cont; + case RSA_X931_PADDING: ++#ifndef FIPS_MODULE + err_extra_text = "X.931 padding not allowed with RSA-PSS"; ++#else /* !defined(FIPS_MODULE) */ ++ err_extra_text = "X.931 padding no longer allowed in FIPS mode," ++ " since it was removed from FIPS 186-5"; ++ goto bad_pad; ++#endif /* !defined(FIPS_MODULE) */ + cont: + if (RSA_test_flags(prsactx->rsa, + RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA) +diff --git a/test/acvp_test.inc b/test/acvp_test.inc +index 73b24bdb0c..96a72073f9 100644 +--- a/test/acvp_test.inc ++++ b/test/acvp_test.inc +@@ -1204,13 +1204,6 @@ static const struct rsa_siggen_st rsa_siggen_data[] = { + ITM(rsa_siggen0_msg), + NO_PSS_SALT_LEN, + }, +- { +- "x931", +- 2048, +- "SHA384", +- ITM(rsa_siggen0_msg), +- NO_PSS_SALT_LEN, +- }, + { + "pss", + 2048, +@@ -1622,202 +1615,6 @@ static const unsigned char rsa_sigverpss_1_sig[] = { + 0x5c, 0xea, 0x8a, 0x92, 0x31, 0xd2, 0x11, 0x4b, + }; + +-static const unsigned char rsa_sigverx931_0_n[] = { +- 0xa0, 0x16, 0x14, 0x80, 0x8b, 0x17, 0x2b, 0xad, +- 0xd7, 0x07, 0x31, 0x6d, 0xfc, 0xba, 0x25, 0x83, +- 0x09, 0xa0, 0xf7, 0x71, 
0xc6, 0x06, 0x22, 0x87, +- 0xd6, 0xbd, 0x13, 0xd9, 0xfe, 0x7c, 0xf7, 0xe6, +- 0x48, 0xdb, 0x27, 0xd8, 0xa5, 0x49, 0x8e, 0x8c, +- 0xea, 0xbe, 0xe0, 0x04, 0x6f, 0x3d, 0x3b, 0x73, +- 0xdc, 0xc5, 0xd4, 0xdc, 0x85, 0xef, 0xea, 0x10, +- 0x46, 0xf3, 0x88, 0xb9, 0x93, 0xbc, 0xa0, 0xb6, +- 0x06, 0x02, 0x82, 0xb4, 0x2d, 0x54, 0xec, 0x79, +- 0x50, 0x8a, 0xfc, 0xfa, 0x62, 0x45, 0xbb, 0xd7, +- 0x26, 0xcd, 0x88, 0xfa, 0xe8, 0x0f, 0x26, 0x5b, +- 0x1f, 0x21, 0x3f, 0x3b, 0x5d, 0x98, 0x3f, 0x02, +- 0x8c, 0xa1, 0xbf, 0xc0, 0x70, 0x4d, 0xd1, 0x41, +- 0xfd, 0xb9, 0x55, 0x12, 0x90, 0xc8, 0x6e, 0x0f, +- 0x19, 0xa8, 0x5c, 0x31, 0xd6, 0x16, 0x0e, 0xdf, +- 0x08, 0x84, 0xcd, 0x4b, 0xfd, 0x28, 0x8d, 0x7d, +- 0x6e, 0xea, 0xc7, 0x95, 0x4a, 0xc3, 0x84, 0x54, +- 0x7f, 0xb0, 0x20, 0x29, 0x96, 0x39, 0x4c, 0x3e, +- 0x85, 0xec, 0x22, 0xdd, 0xb9, 0x14, 0xbb, 0x04, +- 0x2f, 0x4c, 0x0c, 0xe3, 0xfa, 0xae, 0x47, 0x79, +- 0x59, 0x8e, 0x4e, 0x7d, 0x4a, 0x17, 0xae, 0x16, +- 0x38, 0x66, 0x4e, 0xff, 0x45, 0x7f, 0xac, 0x5e, +- 0x75, 0x9f, 0x51, 0x18, 0xe6, 0xad, 0x6b, 0x8b, +- 0x3d, 0x08, 0x4d, 0x9a, 0xd2, 0x11, 0xba, 0xa8, +- 0xc3, 0xb5, 0x17, 0xb5, 0xdf, 0xe7, 0x39, 0x89, +- 0x27, 0x7b, 0xeb, 0xf4, 0xe5, 0x7e, 0xa9, 0x7b, +- 0x39, 0x40, 0x6f, 0xe4, 0x82, 0x14, 0x3d, 0x62, +- 0xb6, 0xd4, 0x43, 0xd0, 0x0a, 0x2f, 0xc1, 0x73, +- 0x3d, 0x99, 0x37, 0xbe, 0x62, 0x13, 0x6a, 0x8b, +- 0xeb, 0xc5, 0x64, 0xd5, 0x2a, 0x8b, 0x4f, 0x7f, +- 0x82, 0x48, 0x69, 0x3e, 0x08, 0x1b, 0xb5, 0x77, +- 0xd3, 0xdc, 0x1b, 0x2c, 0xe5, 0x59, 0xf6, 0x33, +- 0x47, 0xa0, 0x0f, 0xff, 0x8a, 0x6a, 0x1d, 0x66, +- 0x24, 0x67, 0x36, 0x7d, 0x21, 0xda, 0xc1, 0xd4, +- 0x11, 0x6c, 0xe8, 0x5f, 0xd7, 0x8a, 0x53, 0x5c, +- 0xb2, 0xe2, 0xf9, 0x14, 0x29, 0x0f, 0xcf, 0x28, +- 0x32, 0x4f, 0xc6, 0x17, 0xf6, 0xbc, 0x0e, 0xb8, +- 0x99, 0x7c, 0x14, 0xa3, 0x40, 0x3f, 0xf3, 0xe4, +- 0x31, 0xbe, 0x54, 0x64, 0x5a, 0xad, 0x1d, 0xb0, +- 0x37, 0xcc, 0xd9, 0x0b, 0xa4, 0xbc, 0xe0, 0x07, +- 0x37, 0xd1, 0xe1, 0x65, 0xc6, 0x53, 0xfe, 0x60, +- 0x6a, 0x64, 0xa4, 0x01, 0x00, 
0xf3, 0x5b, 0x9a, +- 0x28, 0x61, 0xde, 0x7a, 0xd7, 0x0d, 0x56, 0x1e, +- 0x4d, 0xa8, 0x6a, 0xb5, 0xf2, 0x86, 0x2a, 0x4e, +- 0xaa, 0x37, 0x23, 0x5a, 0x3b, 0x69, 0x66, 0x81, +- 0xc8, 0x8e, 0x1b, 0x31, 0x0f, 0x28, 0x31, 0x9a, +- 0x2d, 0xe5, 0x79, 0xcc, 0xa4, 0xca, 0x60, 0x45, +- 0xf7, 0x83, 0x73, 0x5a, 0x01, 0x29, 0xda, 0xf7, +- +-}; +-static const unsigned char rsa_sigverx931_0_e[] = { +- 0x01, 0x00, 0x01, +-}; +-static const unsigned char rsa_sigverx931_0_msg[] = { +- 0x82, 0x2e, 0x41, 0x70, 0x9d, 0x1f, 0xe9, 0x47, +- 0xec, 0xf1, 0x79, 0xcc, 0x05, 0xef, 0xdb, 0xcd, +- 0xca, 0x8b, 0x8e, 0x61, 0x45, 0xad, 0xa6, 0xd9, +- 0xd7, 0x4b, 0x15, 0xf4, 0x92, 0x3a, 0x2a, 0x52, +- 0xe3, 0x44, 0x57, 0x2b, 0x74, 0x7a, 0x37, 0x41, +- 0x50, 0xcb, 0xcf, 0x13, 0x49, 0xd6, 0x15, 0x54, +- 0x97, 0xfd, 0xae, 0x9b, 0xc1, 0xbb, 0xfc, 0x5c, +- 0xc1, 0x37, 0x58, 0x17, 0x63, 0x19, 0x9c, 0xcf, +- 0xee, 0x9c, 0xe5, 0xbe, 0x06, 0xe4, 0x97, 0x47, +- 0xd1, 0x93, 0xa1, 0x2c, 0x59, 0x97, 0x02, 0x01, +- 0x31, 0x45, 0x8c, 0xe1, 0x5c, 0xac, 0xe7, 0x5f, +- 0x6a, 0x23, 0xda, 0xbf, 0xe4, 0x25, 0xc6, 0x67, +- 0xea, 0x5f, 0x73, 0x90, 0x1b, 0x06, 0x0f, 0x41, +- 0xb5, 0x6e, 0x74, 0x7e, 0xfd, 0xd9, 0xaa, 0xbd, +- 0xe2, 0x8d, 0xad, 0x99, 0xdd, 0x29, 0x70, 0xca, +- 0x1b, 0x38, 0x21, 0x55, 0xde, 0x07, 0xaf, 0x00, +- +-}; +-static const unsigned char rsa_sigverx931_0_sig[] = { +- 0x29, 0xa9, 0x3a, 0x8e, 0x9e, 0x90, 0x1b, 0xdb, +- 0xaf, 0x0b, 0x47, 0x5b, 0xb5, 0xc3, 0x8c, 0xc3, +- 0x70, 0xbe, 0x73, 0xf9, 0x65, 0x8e, 0xc6, 0x1e, +- 0x95, 0x0b, 0xdb, 0x24, 0x76, 0x79, 0xf1, 0x00, +- 0x71, 0xcd, 0xc5, 0x6a, 0x7b, 0xd2, 0x8b, 0x18, +- 0xc4, 0xdd, 0xf1, 0x2a, 0x31, 0x04, 0x3f, 0xfc, +- 0x36, 0x06, 0x20, 0x71, 0x3d, 0x62, 0xf2, 0xb5, +- 0x79, 0x0a, 0xd5, 0xd2, 0x81, 0xf1, 0xb1, 0x4f, +- 0x9a, 0x17, 0xe8, 0x67, 0x64, 0x48, 0x09, 0x75, +- 0xff, 0x2d, 0xee, 0x36, 0xca, 0xca, 0x1d, 0x74, +- 0x99, 0xbe, 0x5c, 0x94, 0x31, 0xcc, 0x12, 0xf4, +- 0x59, 0x7e, 0x17, 0x00, 0x4f, 0x7b, 0xa4, 0xb1, +- 0xda, 0xdb, 0x3e, 0xa4, 0x34, 0x10, 
0x4a, 0x19, +- 0x0a, 0xd2, 0xa7, 0xa0, 0xc5, 0xe6, 0xef, 0x82, +- 0xd4, 0x2e, 0x21, 0xbe, 0x15, 0x73, 0xac, 0xef, +- 0x05, 0xdb, 0x6a, 0x8a, 0x1a, 0xcb, 0x8e, 0xa5, +- 0xee, 0xfb, 0x28, 0xbf, 0x96, 0xa4, 0x2b, 0xd2, +- 0x85, 0x2b, 0x20, 0xc3, 0xaf, 0x9a, 0x32, 0x04, +- 0xa0, 0x49, 0x24, 0x47, 0xd0, 0x09, 0xf7, 0xcf, +- 0x73, 0xb6, 0xf6, 0x70, 0xda, 0x3b, 0xf8, 0x5a, +- 0x28, 0x2e, 0x14, 0x6c, 0x52, 0xbd, 0x2a, 0x7c, +- 0x8e, 0xc1, 0xa8, 0x0e, 0xb1, 0x1e, 0x6b, 0x8d, +- 0x76, 0xea, 0x70, 0x81, 0xa0, 0x02, 0x63, 0x74, +- 0xbc, 0x7e, 0xb9, 0xac, 0x0e, 0x7b, 0x1b, 0x75, +- 0x82, 0xe2, 0x98, 0x4e, 0x24, 0x55, 0xd4, 0xbd, +- 0x14, 0xde, 0x58, 0x56, 0x3a, 0x5d, 0x4e, 0x57, +- 0x0d, 0x54, 0x74, 0xe8, 0x86, 0x8c, 0xcb, 0x07, +- 0x9f, 0x0b, 0xfb, 0xc2, 0x08, 0x5c, 0xd7, 0x05, +- 0x3b, 0xc8, 0xd2, 0x15, 0x68, 0x8f, 0x3d, 0x3c, +- 0x4e, 0x85, 0xa9, 0x25, 0x6f, 0xf5, 0x2e, 0xca, +- 0xca, 0xa8, 0x27, 0x89, 0x61, 0x4e, 0x1f, 0x57, +- 0x2d, 0x99, 0x10, 0x3f, 0xbc, 0x9e, 0x96, 0x5e, +- 0x2f, 0x0a, 0x25, 0xa7, 0x5c, 0xea, 0x65, 0x2a, +- 0x22, 0x35, 0xa3, 0xf9, 0x13, 0x89, 0x05, 0x2e, +- 0x19, 0x73, 0x1d, 0x70, 0x74, 0x98, 0x15, 0x4b, +- 0xab, 0x56, 0x52, 0xe0, 0x01, 0x42, 0x95, 0x6a, +- 0x46, 0x2c, 0x78, 0xff, 0x26, 0xbc, 0x48, 0x10, +- 0x38, 0x25, 0xab, 0x32, 0x7c, 0x79, 0x7c, 0x5d, +- 0x6f, 0x45, 0x54, 0x74, 0x2d, 0x93, 0x56, 0x52, +- 0x11, 0x34, 0x1e, 0xe3, 0x4b, 0x6a, 0x17, 0x4f, +- 0x37, 0x14, 0x75, 0xac, 0xa3, 0xa1, 0xca, 0xda, +- 0x38, 0x06, 0xa9, 0x78, 0xb9, 0x5d, 0xd0, 0x59, +- 0x1b, 0x5d, 0x1e, 0xc2, 0x0b, 0xfb, 0x39, 0x37, +- 0x44, 0x85, 0xb6, 0x36, 0x06, 0x95, 0xbc, 0x15, +- 0x35, 0xb9, 0xe6, 0x27, 0x42, 0xe3, 0xc8, 0xec, +- 0x30, 0x37, 0x20, 0x26, 0x9a, 0x11, 0x61, 0xc0, +- 0xdb, 0xb2, 0x5a, 0x26, 0x78, 0x27, 0xb9, 0x13, +- 0xc9, 0x1a, 0xa7, 0x67, 0x93, 0xe8, 0xbe, 0xcb, +-}; +- +-#define rsa_sigverx931_1_n rsa_sigverx931_0_n +-#define rsa_sigverx931_1_e rsa_sigverx931_0_e +-static const unsigned char rsa_sigverx931_1_msg[] = { +- 0x79, 0x02, 0xb9, 0xd2, 0x3e, 0x84, 
0x02, 0xc8, +- 0x2a, 0x94, 0x92, 0x14, 0x8d, 0xd5, 0xd3, 0x8d, +- 0xb2, 0xf6, 0x00, 0x8b, 0x61, 0x2c, 0xd2, 0xf9, +- 0xa8, 0xe0, 0x5d, 0xac, 0xdc, 0xa5, 0x34, 0xf3, +- 0xda, 0x6c, 0xd4, 0x70, 0x92, 0xfb, 0x40, 0x26, +- 0xc7, 0x9b, 0xe8, 0xd2, 0x10, 0x11, 0xcf, 0x7f, +- 0x23, 0xd0, 0xed, 0x55, 0x52, 0x6d, 0xd3, 0xb2, +- 0x56, 0x53, 0x8d, 0x7c, 0x4c, 0xb8, 0xcc, 0xb5, +- 0xfd, 0xd0, 0x45, 0x4f, 0x62, 0x40, 0x54, 0x42, +- 0x68, 0xd5, 0xe5, 0xdd, 0xf0, 0x76, 0x94, 0x59, +- 0x1a, 0x57, 0x13, 0xb4, 0xc3, 0x70, 0xcc, 0xbd, +- 0x4c, 0x2e, 0xc8, 0x6b, 0x9d, 0x68, 0xd0, 0x72, +- 0x6a, 0x94, 0xd2, 0x18, 0xb5, 0x3b, 0x86, 0x45, +- 0x95, 0xaa, 0x50, 0xda, 0x35, 0xeb, 0x69, 0x44, +- 0x1f, 0xf3, 0x3a, 0x51, 0xbb, 0x1d, 0x08, 0x42, +- 0x12, 0xd7, 0xd6, 0x21, 0xd8, 0x9b, 0x87, 0x55, +-}; +- +-static const unsigned char rsa_sigverx931_1_sig[] = { +- 0x3b, 0xba, 0xb3, 0xb1, 0xb2, 0x6a, 0x29, 0xb5, +- 0xf9, 0x94, 0xf1, 0x00, 0x5c, 0x16, 0x67, 0x67, +- 0x73, 0xd3, 0xde, 0x7e, 0x07, 0xfa, 0xaa, 0x95, +- 0xeb, 0x5a, 0x55, 0xdc, 0xb2, 0xa9, 0x70, 0x5a, +- 0xee, 0x8f, 0x8d, 0x69, 0x85, 0x2b, 0x00, 0xe3, +- 0xdc, 0xe2, 0x73, 0x9b, 0x68, 0xeb, 0x93, 0x69, +- 0x08, 0x03, 0x17, 0xd6, 0x50, 0x21, 0x14, 0x23, +- 0x8c, 0xe6, 0x54, 0x3a, 0xd9, 0xfc, 0x8b, 0x14, +- 0x81, 0xb1, 0x8b, 0x9d, 0xd2, 0xbe, 0x58, 0x75, +- 0x94, 0x74, 0x93, 0xc9, 0xbb, 0x4e, 0xf6, 0x1f, +- 0x73, 0x7d, 0x1a, 0x5f, 0xbd, 0xbf, 0x59, 0x37, +- 0x5b, 0x98, 0x54, 0xad, 0x3a, 0xef, 0xa0, 0xef, +- 0xcb, 0xc3, 0xe8, 0x84, 0xd8, 0x3d, 0xf5, 0x60, +- 0xb8, 0xc3, 0x8d, 0x1e, 0x78, 0xa0, 0x91, 0x94, +- 0xb7, 0xd7, 0xb1, 0xd4, 0xe2, 0xee, 0x81, 0x93, +- 0xfc, 0x41, 0xf0, 0x31, 0xbb, 0x03, 0x52, 0xde, +- 0x80, 0x20, 0x3a, 0x68, 0xe6, 0xc5, 0x50, 0x1b, +- 0x08, 0x3f, 0x40, 0xde, 0xb3, 0xe5, 0x81, 0x99, +- 0x7f, 0xdb, 0xb6, 0x5d, 0x61, 0x27, 0xd4, 0xfb, +- 0xcd, 0xc5, 0x7a, 0xea, 0xde, 0x7a, 0x66, 0xef, +- 0x55, 0x3f, 0x85, 0xea, 0x84, 0xc5, 0x0a, 0xf6, +- 0x3c, 0x40, 0x38, 0xf7, 0x6c, 0x66, 0xe5, 0xbe, +- 0x61, 0x41, 0xd3, 0xb1, 0x08, 
0xe1, 0xb4, 0xf9, +- 0x6e, 0xf6, 0x0e, 0x4a, 0x72, 0x6c, 0x61, 0x63, +- 0x3e, 0x41, 0x33, 0x94, 0xd6, 0x27, 0xa4, 0xd9, +- 0x3a, 0x20, 0x2b, 0x39, 0xea, 0xe5, 0x82, 0x48, +- 0xd6, 0x5b, 0x58, 0x85, 0x44, 0xb0, 0xd2, 0xfd, +- 0xfb, 0x3e, 0xeb, 0x78, 0xac, 0xbc, 0xba, 0x16, +- 0x92, 0x0e, 0x20, 0xc1, 0xb2, 0xd1, 0x92, 0xa8, +- 0x00, 0x88, 0xc0, 0x41, 0x46, 0x38, 0xb6, 0x54, +- 0x70, 0x0c, 0x00, 0x62, 0x97, 0x6a, 0x8e, 0x66, +- 0x5a, 0xa1, 0x6c, 0xf7, 0x6d, 0xc2, 0x27, 0x56, +- 0x60, 0x5b, 0x0c, 0x52, 0xac, 0x5c, 0xae, 0x99, +- 0x55, 0x11, 0x62, 0x52, 0x09, 0x48, 0x53, 0x90, +- 0x3c, 0x0b, 0xd4, 0xdc, 0x7b, 0xe3, 0x4c, 0xe3, +- 0xa8, 0x6d, 0xc5, 0xdf, 0xc1, 0x5c, 0x59, 0x25, +- 0x99, 0x30, 0xde, 0x57, 0x6a, 0x84, 0x25, 0x34, +- 0x3e, 0x64, 0x11, 0xdb, 0x7a, 0x82, 0x8e, 0x70, +- 0xd2, 0x5c, 0x0e, 0x81, 0xa0, 0x24, 0x53, 0x75, +- 0x98, 0xd6, 0x10, 0x01, 0x6a, 0x14, 0xed, 0xc3, +- 0x6f, 0xc4, 0x18, 0xb8, 0xd2, 0x9f, 0x59, 0x53, +- 0x81, 0x3a, 0x86, 0x31, 0xfc, 0x9e, 0xbf, 0x6c, +- 0x52, 0x93, 0x86, 0x9c, 0xaa, 0x6c, 0x6f, 0x07, +- 0x8a, 0x40, 0x33, 0x64, 0xb2, 0x70, 0x48, 0x85, +- 0x05, 0x59, 0x65, 0x2d, 0x6b, 0x9a, 0xad, 0xab, +- 0x20, 0x7e, 0x02, 0x6d, 0xde, 0xcf, 0x22, 0x0b, +- 0xea, 0x6e, 0xbd, 0x1c, 0x39, 0x3a, 0xfd, 0xa4, +- 0xde, 0x54, 0xae, 0xde, 0x5e, 0xf7, 0xb0, 0x6d, +-}; +- + static const struct rsa_sigver_st rsa_sigver_data[] = { + { + "pkcs1", /* pkcs1v1.5 */ +@@ -1841,17 +1638,6 @@ static const struct rsa_sigver_st rsa_sigver_data[] = { + NO_PSS_SALT_LEN, + FAIL + }, +- { +- "x931", +- 3072, +- "SHA256", +- ITM(rsa_sigverx931_1_msg), +- ITM(rsa_sigverx931_1_n), +- ITM(rsa_sigverx931_1_e), +- ITM(rsa_sigverx931_1_sig), +- NO_PSS_SALT_LEN, +- FAIL +- }, + { + "pss", + 4096, +-- +2.41.0 + diff --git a/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch b/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch new file mode 100644 index 0000000..68953fb --- /dev/null +++ b/0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch 
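Review bot: The FIPS branch added to the RSA_X931_PADDING case in rsa_set_ctx_params (`goto bad_pad` under `#else`) is covered only by deleting the x931 vectors from rsa_siggen_data and rsa_sigver_data in acvp_test.inc, so nothing left in the test data asserts that selecting X9.31 padding now fails in the FIPS provider; a negative case that sets the x931 pad mode and expects the error would guard the new behavior against regression. The `bad_pad` label is not in the hunk, so it is presumably an existing label in rsa_set_ctx_params shared with the other rejected padding modes; worth confirming it does not skip cleanup that the `cont:` path performs. A short comment at the `#else`, e.g. `/* FIPS 186-5 dropped X9.31; reject it for every key type, not only RSA-PSS */`, would explain why this branch bypasses the `cont:` key-type check. rsa_set_ctx_params starts and ends outside the hunk.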
@@ -0,0 +1,114 @@ +From 8e388e194e665286a8996d7d5926bab5c1a6b4f9 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 15:46:40 +0200 +Subject: [PATCH 38/48] + 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch + +Patch-name: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch +Patch-id: 83 +--- + include/crypto/evp.h | 7 +++++++ + include/openssl/evp.h | 3 +++ + providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++ + 4 files changed, 28 insertions(+) + +diff --git a/include/crypto/evp.h b/include/crypto/evp.h +index aa07153441..a13127bd59 100644 +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h +@@ -196,6 +196,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_method(void); + const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void); + const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void); + ++#ifdef FIPS_MODULE ++/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key ++ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for ++ * HMAC verification. 
*/ ++# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8) ++#endif ++ + struct evp_mac_st { + OSSL_PROVIDER *prov; + int name_id; +diff --git a/include/openssl/evp.h b/include/openssl/evp.h +index 86f4e22c70..615857caf5 100644 +--- a/include/openssl/evp.h ++++ b/include/openssl/evp.h +@@ -1194,6 +1194,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx, + void *arg); + + /* MAC stuff */ ++# define EVP_MAC_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 + + EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm, + const char *properties); +diff --git a/providers/implementations/macs/hmac_prov.c b/providers/implementations/macs/hmac_prov.c +index 52ebb08b8f..cf5c3ecbe7 100644 +--- a/providers/implementations/macs/hmac_prov.c ++++ b/providers/implementations/macs/hmac_prov.c +@@ -21,6 +21,8 @@ + #include + #include + ++#include "crypto/evp.h" ++ + #include "internal/ssl3_cbc.h" + + #include "prov/implementations.h" +@@ -244,6 +246,9 @@ static int hmac_final(void *vmacctx, unsigned char *out, size_t *outl, + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), + OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx, +@@ -265,6 +270,18 @@ static int hmac_get_ctx_params(void *vmacctx, OSSL_PARAM params[]) + && !OSSL_PARAM_set_int(p, hmac_block_size(macctx))) + return 0; + ++#ifdef FIPS_MODULE ++ if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_REDHAT_FIPS_INDICATOR)) != NULL) { ++ int fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_APPROVED; ++ /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms ++ * specifies key lengths < 112 bytes are disallowed for HMAC generation ++ * and legacy use for 
HMAC verification. */ ++ if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_MAC_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ return OSSL_PARAM_set_int(p, fips_indicator); ++ } ++#endif /* defined(FIPS_MODULE) */ ++ + return 1; + } + +-- +2.41.0 + +diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.hmac-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm +--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.hmac-patch 2024-01-02 12:18:16.909596613 +0100 ++++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:20:18.465886160 +0100 +@@ -137,12 +137,13 @@ my %params = ( + # If "engine",or "properties",are specified, they should always be paired + # with "cipher",or "digest". + +- 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string +- 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string +- 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string +- 'MAC_PARAM_SIZE' => "size", # size_t +- 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t +- 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t ++ 'MAC_PARAM_CIPHER' => '*ALG_PARAM_CIPHER', # utf8 string ++ 'MAC_PARAM_DIGEST' => '*ALG_PARAM_DIGEST', # utf8 string ++ 'MAC_PARAM_PROPERTIES' => '*ALG_PARAM_PROPERTIES', # utf8 string ++ 'MAC_PARAM_SIZE' => "size", # size_t ++ 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t ++ 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t ++ 'MAC_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # size_t + + # KDF / PRF parameters + 'KDF_PARAM_SECRET' => "secret", # octet string diff --git a/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch b/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch new file mode 100644 index 0000000..bf94740 --- /dev/null +++ b/0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch 
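Review bot: The comment added in both include/crypto/evp.h and hmac_prov.c says "key lengths < 112 bytes", but the macro is `(112 / 8)` (14 bytes) and SP 800-131Ar2 Table 9 states the bound in bits, so the text should read `key lengths < 112 bits`. In the paramnames.pm hunk `MAC_PARAM_REDHAT_FIPS_INDICATOR` is annotated `# size_t`, while hmac_prov.c declares it with `OSSL_PARAM_int` and fills it with `OSSL_PARAM_set_int`; the annotation should be `# int` so the generated name table matches the provider's type. The diffstat claims `4 files changed` yet lists three, and the paramnames.pm change is appended after the `-- 2.41.0` signature as a separate `diff -up` hunk, so regenerating the file as one consistent git-format patch would avoid tooling that stops at the signature silently dropping it. hmac_get_ctx_params begins outside the hunk.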
@@ -0,0 +1,69 @@ +From 915990e450e769e370fcacbfd8ed58ab6afaf2bf Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 15:47:55 +0200 +Subject: [PATCH 39/48] + 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch + +Patch-name: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch +Patch-id: 84 +--- + providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++- + 1 file changed, 26 insertions(+), 1 deletion(-) + +diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c +index 349c3dd657..11820d1e69 100644 +--- a/providers/implementations/kdfs/pbkdf2.c ++++ b/providers/implementations/kdfs/pbkdf2.c +@@ -35,6 +35,21 @@ + #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF + #define KDF_PBKDF2_MIN_ITERATIONS 1000 + #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8) ++/* The Implementation Guidance for FIPS 140-3 says in section D.N ++ * "Password-Based Key Derivation for Storage Applications" that "the vendor ++ * shall document in the module’s Security Policy the length of ++ * a password/passphrase used in key derivation and establish an upper bound ++ * for the probability of having this parameter guessed at random. This ++ * probability shall take into account not only the length of the ++ * password/passphrase, but also the difficulty of guessing it. The decision on ++ * the minimum length of a password used for key derivation is the vendor’s, ++ * but the vendor shall at a minimum informally justify the decision." ++ * ++ * We are choosing a minimum password length of 8 bytes, because NIST's ACVP ++ * testing uses passwords as short as 8 bytes, and requiring longer passwords ++ * combined with an implicit indicator (i.e., returning an error) would cause ++ * the module to fail ACVP testing. 
*/ ++#define KDF_PBKDF2_MIN_PASSWORD_LEN (8) + + static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new; + static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup; +@@ -219,9 +234,15 @@ static int kdf_pbkdf2_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + ctx->lower_bound_checks = pkcs5 == 0; + } + +- if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) ++ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) { ++ if (ctx->lower_bound_checks != 0 ++ && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } + if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p)) + return 0; ++ } + + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) { + if (ctx->lower_bound_checks != 0 +@@ -331,6 +352,10 @@ static int pbkdf2_derive(const char *pass, size_t passlen, + } + + if (lower_bound_checks) { ++ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } + if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) { + ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); + return 0; +-- +2.41.0 + diff --git a/0085-FIPS-RSA-disable-shake.patch b/0085-FIPS-RSA-disable-shake.patch new file mode 100644 index 0000000..9ae7a99 --- /dev/null +++ b/0085-FIPS-RSA-disable-shake.patch 
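Review bot: The early rejection added in kdf_pbkdf2_set_ctx_params depends on ctx->lower_bound_checks, which the same function derives from the PKCS5 param just above (`ctx->lower_bound_checks = pkcs5 == 0;`), so a password stored while PKCS5 is 1 and a later call switching PKCS5 to 0 is caught only by the second check in pbkdf2_derive. That derive-time check is the right authoritative one, but a comment at the set_ctx_params site, e.g. `/* Early check only; pbkdf2_derive re-checks because lower_bound_checks may change later */`, would mark the duplication as intentional. Both sites raise PROV_R_INVALID_KEY_LENGTH for a short password, which reads as a derived-key-size problem; if a more specific reason code is available it would make the failure easier to diagnose for callers. Both enclosing functions begin and end outside the hunk.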
@@ -0,0 +1,101 @@ +From 2306fde5556cbcb875d095c09fed01a0f16fe7ec Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 15:51:55 +0200 +Subject: [PATCH 40/48] 0085-FIPS-RSA-disable-shake.patch + +Patch-name: 0085-FIPS-RSA-disable-shake.patch +Patch-id: 85 +--- + crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++ + crypto/rsa/rsa_pss.c | 16 ++++++++++++++++ + 2 files changed, 44 insertions(+) + +diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c +index b2f7f7dc4b..af2b0b026c 100644 +--- a/crypto/rsa/rsa_oaep.c ++++ b/crypto/rsa/rsa_oaep.c +@@ -78,9 +78,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, + return 0; + #endif + } ++ ++#ifdef FIPS_MODULE ++ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); ++ return 0; ++ } ++#endif + if (mgf1md == NULL) + mgf1md = md; + ++#ifdef FIPS_MODULE ++ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); ++ return 0; ++ } ++#endif ++ + mdlen = EVP_MD_get_size(md); + if (mdlen <= 0) { + ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH); +@@ -203,9 +217,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + #endif + } + ++#ifdef FIPS_MODULE ++ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); ++ return -1; ++ } ++#endif ++ + if (mgf1md == NULL) + mgf1md = md; + ++#ifdef FIPS_MODULE ++ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); ++ return -1; ++ } ++#endif ++ + mdlen = EVP_MD_get_size(md); + + if (tlen <= 0 || flen <= 0) +diff --git a/crypto/rsa/rsa_pss.c b/crypto/rsa/rsa_pss.c +index bb46ec64c7..c0fdf232da 100644 +--- a/crypto/rsa/rsa_pss.c ++++ b/crypto/rsa/rsa_pss.c +@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, const unsigned char *mHash, + if 
(mgf1Hash == NULL) + mgf1Hash = Hash; + ++#ifdef FIPS_MODULE ++ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256")) ++ goto err; ++ ++ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256")) ++ goto err; ++#endif ++ + hLen = EVP_MD_get_size(Hash); + if (hLen < 0) + goto err; +@@ -168,6 +176,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA *rsa, unsigned char *EM, + if (mgf1Hash == NULL) + mgf1Hash = Hash; + ++#ifdef FIPS_MODULE ++ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256")) ++ goto err; ++ ++ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256")) ++ goto err; ++#endif ++ + hLen = EVP_MD_get_size(Hash); + if (hLen < 0) + goto err; +-- +2.41.0 + diff --git a/0088-signature-Add-indicator-for-PSS-salt-length.patch b/0088-signature-Add-indicator-for-PSS-salt-length.patch new file mode 100644 index 0000000..9cef315 --- /dev/null +++ b/0088-signature-Add-indicator-for-PSS-salt-length.patch 
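Review bot: The SHAKE rejections added to `RSA_verify_PKCS1_PSS_mgf1` and `RSA_padding_add_PKCS1_PSS_mgf1` in rsa_pss.c `goto err` without raising anything, whereas the matching checks in rsa_oaep.c raise `RSA_R_DIGEST_NOT_ALLOWED`; unless the `err:` label (outside the hunk) raises, a FIPS caller gets a failed PSS operation with an empty error queue and cannot distinguish "digest not allowed" from an allocation failure. Add `ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED);` before each of the four new `goto err` lines. The same two-name test is now written eight times across the two files; a `static int md_is_shake(const EVP_MD *md)` helper returning `EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")` would keep the excluded-XOF list in one place per file. All four enclosing functions start before and end after their hunks.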
@@ -0,0 +1,102 @@ +From 98ee6faef3da1439c04f11cd2796132d27d1e607 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 15:58:07 +0200 +Subject: [PATCH 41/48] 0088-signature-Add-indicator-for-PSS-salt-length.patch + +Patch-name: 0088-signature-Add-indicator-for-PSS-salt-length.patch +Patch-id: 88 +--- + include/openssl/evp.h | 4 ++++ + providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++++ + 3 files changed, 26 insertions(+) + +diff --git a/include/openssl/evp.h b/include/openssl/evp.h +index 615857caf5..05f2d0f75a 100644 +--- a/include/openssl/evp.h ++++ b/include/openssl/evp.h +@@ -799,6 +799,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CTX *ctx, unsigned char *outm, + __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, + int *outl); + ++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, + EVP_PKEY *pkey); + __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index cfaa4841cb..851671cfb1 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -1173,6 +1173,24 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + } + } + ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_APPROVED; ++ if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { ++ if (prsactx->md == NULL) { ++ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED; ++ } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) { ++ fips_indicator = 
EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } else if (prsactx->pad_mode == RSA_NO_PADDING) { ++ if (prsactx->md == NULL) /* Should always be the case */ ++ fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ return OSSL_PARAM_set_int(p, fips_indicator); ++ } ++#endif ++ + return 1; + } + +@@ -1182,6 +1200,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif + OSSL_PARAM_END + }; + +-- +2.41.0 + +diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.salt-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm +--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.salt-patch 2024-01-02 12:23:57.106998142 +0100 ++++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:26:29.687472015 +0100 +@@ -377,17 +377,18 @@ my %params = ( + 'EXCHANGE_PARAM_KDF_UKM' => "kdf-ukm", + + # Signature parameters +- 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id", +- 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE', +- 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', +- 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES', +- 'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen", +- 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST', +- 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES', +- 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE', +- 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type", +- 'SIGNATURE_PARAM_INSTANCE' => "instance", +- 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string", ++ 'SIGNATURE_PARAM_ALGORITHM_ID' => "algorithm-id", ++ 'SIGNATURE_PARAM_PAD_MODE' => '*PKEY_PARAM_PAD_MODE', ++ 'SIGNATURE_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', ++ 'SIGNATURE_PARAM_PROPERTIES' => '*PKEY_PARAM_PROPERTIES', ++ 
'SIGNATURE_PARAM_PSS_SALTLEN' => "saltlen", ++ 'SIGNATURE_PARAM_MGF1_DIGEST' => '*PKEY_PARAM_MGF1_DIGEST', ++ 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES', ++ 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE', ++ 'SIGNATURE_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", ++ 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type", ++ 'SIGNATURE_PARAM_INSTANCE' => "instance", ++ 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string", + + # Asym cipher parameters + 'ASYM_CIPHER_PARAM_DIGEST' => '*PKEY_PARAM_DIGEST', diff --git a/0091-FIPS-RSA-encapsulate.patch b/0091-FIPS-RSA-encapsulate.patch new file mode 100644 index 0000000..69c8546 --- /dev/null +++ b/0091-FIPS-RSA-encapsulate.patch 
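Review bot: The PSS branch of the new indicator in `rsa_get_ctx_params` compares `rsa_pss_compute_saltlen(prsactx)` and `EVP_MD_get_size(prsactx->md)` directly, so a negative or zero return from either (upstream's `rsa_pss_compute_saltlen` returns -1 and raises when the salt length cannot be derived; neither function is visible in the hunk) makes the `>` false and the context is reported APPROVED. A failed lookup is not evidence of approval and should yield UNDETERMINED; the rewrite below captures both values first and checks them. If `rsa_pss_compute_saltlen` does raise on failure, calling it from a read-only getter also leaves an entry on the error queue, which deserves a comment or an `ERR_set_mark()`/`ERR_pop_to_mark()` pair around the call. `rsa_get_ctx_params` starts before the hunk.
```c
        if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) {
            if (prsactx->md == NULL) {
                fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED;
            } else {
                int saltlen = rsa_pss_compute_saltlen(prsactx);
                int mdsize = EVP_MD_get_size(prsactx->md);

                /* A failed salt/digest size lookup must not read as approval. */
                if (saltlen < 0 || mdsize <= 0)
                    fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_UNDETERMINED;
                else if (saltlen > mdsize)
                    fips_indicator = EVP_SIGNATURE_REDHAT_FIPS_INDICATOR_NOT_APPROVED;
            }
        }
        /* … unchanged: RSA_NO_PADDING branch and OSSL_PARAM_set_int … */
```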
@@ -0,0 +1,47 @@ +From afab56d09edb525dd794fcb2ae2295ab7f39400a Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 16:01:48 +0200 +Subject: [PATCH 42/48] 0091-FIPS-RSA-encapsulate.patch + +Patch-name: 0091-FIPS-RSA-encapsulate.patch +Patch-id: 91 +--- + providers/implementations/kem/rsa_kem.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c +index 365ae3d7d6..8a6f585d0b 100644 +--- a/providers/implementations/kem/rsa_kem.c ++++ b/providers/implementations/kem/rsa_kem.c +@@ -265,6 +265,14 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx, + *secretlen = nlen; + return 1; + } ++ ++#ifdef FIPS_MODULE ++ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); ++ return 0; ++ } ++#endif ++ + /* + * Step (2): Generate a random byte string z of nlen bytes where + * 1 < z < n - 1 +@@ -308,6 +316,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx, + return 1; + } + ++#ifdef FIPS_MODULE ++ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); ++ return 0; ++ } ++#endif ++ + /* Step (2): check the input ciphertext 'inlen' matches the nlen */ + if (inlen != nlen) { + ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); +-- +2.41.0 + diff --git a/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch b/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch new file mode 100644 index 0000000..c92d417 --- /dev/null +++ b/0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch 
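Review bot: The new minimum-size checks in `rsasve_generate` and `rsasve_recover` compare the byte length `nlen` with `OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8`, but `nlen` is the RSA byte size, which rounds up: a 2041- to 2047-bit modulus has the same byte length as a 2048-bit one and passes the check. Compare bits instead, `if (RSA_bits(rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) {`, using whichever RSA object `nlen` was derived from above the hunk. Both checks sit after the early `return 1` size-query path, so a buffer-size query on a too-small key still succeeds and the rejection only surfaces on the real call; that is acceptable but worth a one-line comment. Both functions start before and end after the hunk.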
@@ -0,0 +1,330 @@ +From 590babb35e3aa399c889282747965e301333a656 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 16:07:18 +0200 +Subject: [PATCH 43/48] + 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch + +Patch-name: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch +Patch-id: 93 +--- + crypto/dh/dh_backend.c | 10 ++++ + crypto/dh/dh_check.c | 12 ++-- + crypto/dh/dh_gen.c | 12 +++- + crypto/dh/dh_key.c | 13 ++-- + crypto/dh/dh_pmeth.c | 10 +++- + providers/implementations/keymgmt/dh_kmgmt.c | 5 ++ + test/endecode_test.c | 4 +- + test/evp_libctx_test.c | 2 +- + test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++ + test/helpers/predefined_dhparams.h | 1 + + test/recipes/80-test_cms.t | 4 +- + test/recipes/80-test_ssl_old.t | 3 + + 12 files changed, 118 insertions(+), 20 deletions(-) + +diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c +index 726843fd30..24c65ca84f 100644 +--- a/crypto/dh/dh_backend.c ++++ b/crypto/dh/dh_backend.c +@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[]) + if (!dh_ffc_params_fromdata(dh, params)) + return 0; + ++#ifdef FIPS_MODULE ++ if (!ossl_dh_is_named_safe_prime_group(dh)) { ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required validation routines" ++ " were removed from FIPS 186-5"); ++ return 0; ++ } ++#endif ++ + param_priv_len = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN); + if (param_priv_len != NULL +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index 0b391910d6..75581ca347 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret) + nid = DH_get_nid((DH *)dh); + if (nid != NID_undef) + return 1; ++ + /* +- * OR +- * (2b) FFC domain params conform to FIPS-186-4 explicit domain param +- * validity tests. 
++ * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode. + */ +- return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params, +- FFC_PARAM_TYPE_DH, ret, NULL); ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required validation routines were" ++ " removed from FIPS 186-5"); ++ return 0; + } + #else + int DH_check_params(const DH *dh, int *ret) +diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c +index 204662a81c..9961f21920 100644 +--- a/crypto/dh/dh_gen.c ++++ b/crypto/dh/dh_gen.c +@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, + int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, + BN_GENCB *cb) + { +- int ret, res; ++ int ret = 0; + + #ifndef FIPS_MODULE ++ int res; ++ + if (type == DH_PARAMGEN_TYPE_FIPS_186_2) + ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, + pbits, qbits, &res, cb); + else +-#endif + ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, + pbits, qbits, &res, cb); ++#else ++ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */ ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required generation routines were" ++ " removed from FIPS 186-5"); ++#endif + if (ret > 0) + dh->dirty_cnt++; + return ret; +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index 83773cceea..7e988368d3 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -321,8 +321,12 @@ static int generate_key(DH *dh) + goto err; + } else { + #ifdef FIPS_MODULE +- if (dh->params.q == NULL) +- goto err; ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer" ++ " allowed in FIPS mode, since the required" ++ " generation routines were removed from FIPS" ++ " 
186-5"); ++ goto err; + #else + if (dh->params.q == NULL) { + /* secret exponent length, must satisfy 2^(l-1) <= p */ +@@ -343,9 +347,7 @@ static int generate_key(DH *dh) + if (!BN_clear_bit(priv_key, 0)) + goto err; + } +- } else +-#endif +- { ++ } else { + /* Do a partial check for invalid p, q, g */ + if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, NULL)) +@@ -361,6 +363,7 @@ static int generate_key(DH *dh) + priv_key)) + goto err; + } ++#endif + } + } + +diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c +index f201eede0d..30f90d15be 100644 +--- a/crypto/dh/dh_pmeth.c ++++ b/crypto/dh/dh_pmeth.c +@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx, + prime_len, subprime_len, &res, + pcb); + else +-# endif +- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */ +- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2) + rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params, + FFC_PARAM_TYPE_DH, + prime_len, subprime_len, &res, + pcb); ++# else ++ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */ ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required generation routines were" ++ " removed from FIPS 186-5"); ++# endif + if (rv <= 0) { + DH_free(ret); + return NULL; +diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c +index 9a7dde7c66..b3e7bca5ac 100644 +--- a/providers/implementations/keymgmt/dh_kmgmt.c ++++ b/providers/implementations/keymgmt/dh_kmgmt.c +@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype) + if ((selection & DH_POSSIBLE_SELECTIONS) == 0) + return 1; /* nothing to validate */ + ++#ifdef FIPS_MODULE ++ /* In FIPS provider, always check the domain parameters to disallow ++ * operations on keys with FIPS 186-4 params. 
*/ ++ selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS; ++#endif + if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { + /* + * Both of these functions check parameters. DH_check_params_ex() +diff --git a/test/endecode_test.c b/test/endecode_test.c +index 53385028fc..169f3ccd73 100644 +--- a/test/endecode_test.c ++++ b/test/endecode_test.c +@@ -84,10 +84,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams) + * for testing only. Use a minimum key size of 2048 for security purposes. + */ + if (strcmp(type, "DH") == 0) +- return get_dh512(keyctx); ++ return get_dh2048(keyctx); + + if (strcmp(type, "X9.42 DH") == 0) +- return get_dhx512(keyctx); ++ return get_dhx_ffdhe2048(keyctx); + # endif + + /* +diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c +index a7913cda4c..96a35ac1cc 100644 +--- a/test/evp_libctx_test.c ++++ b/test/evp_libctx_test.c +@@ -189,7 +189,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn) + + if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL)) + || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0) +- || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected)) ++ || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected)) + goto err; + + if (expected) { +diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c +index 4bdadc4143..e5186e4b4a 100644 +--- a/test/helpers/predefined_dhparams.c ++++ b/test/helpers/predefined_dhparams.c +@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx) + dhx512_q, sizeof(dhx512_q)); + } + ++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx) ++{ ++ /* This is RFC 7919 ffdhe2048, since Red Hat removes support for ++ * non-well-known groups in FIPS mode. 
*/ ++ static unsigned char dhx_p[] = { ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58, ++ 0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1, ++ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41, ++ 0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9, ++ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02, ++ 0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61, ++ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55, ++ 0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35, ++ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda, ++ 0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35, ++ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82, ++ 0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb, ++ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3, ++ 0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19, ++ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1, ++ 0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61, ++ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32, ++ 0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73, ++ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83, ++ 0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa, ++ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff ++ }; ++ static unsigned char dhx_g[] = { ++ 0x02 ++ }; ++ static unsigned char dhx_q[] = { ++ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c, ++ 0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78, ++ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20, ++ 0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 
0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c, ++ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01, ++ 0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0, ++ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa, ++ 0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a, ++ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed, ++ 0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a, ++ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1, ++ 0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd, ++ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51, ++ 0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c, ++ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70, ++ 0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0, ++ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19, ++ 0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9, ++ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1, ++ 0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd, ++ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff ++ }; ++ ++ return get_dh_from_pg(libctx, "X9.42 DH", ++ dhx_p, sizeof(dhx_p), ++ dhx_g, sizeof(dhx_g), ++ dhx_q, sizeof(dhx_q)); ++} ++ + EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx) + { + static unsigned char dh1024_p[] = { +diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h +index f0e8709062..2ff6d6e721 100644 +--- a/test/helpers/predefined_dhparams.h ++++ b/test/helpers/predefined_dhparams.h +@@ -12,6 +12,7 @@ + #ifndef OPENSSL_NO_DH + EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx); ++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX 
*libct); + EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx); +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index 2a459856f0..afac836fa3 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -627,10 +627,10 @@ my @smime_cms_param_tests = ( + ], + + [ "enveloped content test streaming S/MIME format, X9.42 DH", +- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, ++ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, + "-stream", "-out", "{output}.cms", + "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], +- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), ++ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), + "-in", "{output}.cms", "-out", "{output}.txt" ], + \&final_compare + ] +diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t +index 527abcea6e..e1d38b1e62 100644 +--- a/test/recipes/80-test_ssl_old.t ++++ b/test/recipes/80-test_ssl_old.t +@@ -390,6 +390,9 @@ sub testssl { + skip "skipping dhe1024dsa test", 1 + if ($no_dh); + ++ skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1 ++ if $provider eq "fips"; ++ + ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), + 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); + } +-- +2.41.0 + diff --git a/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch b/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch new file mode 100644 index 0000000..fcd53e6 --- /dev/null +++ b/0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch 
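Review bot: In the `ffc_params_generate` hunk of dh_pmeth.c the FIPS `#else` branch only raises an error and then falls through to `if (rv <= 0)`; unless `rv` is initialised at its declaration, which is above the hunk, that reads an unset variable. Adding `rv = 0;` after the `ERR_raise_data` in that branch makes the failure explicit regardless of the declaration and matches what dh_gen.c now does with `int ret = 0;`. The "FIPS 186-4 type domain parameters no longer allowed in FIPS mode" message is written five times with two wordings ("validation routines" vs "generation routines"); one internal helper such as `ossl_dh_fips_reject_non_named_group(void)` that raises `DH_R_BAD_FFC_PARAMETERS` with a single text would keep reason code and wording aligned. In dh_kmgmt.c the forced `selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS` silently turns a keypair-only validation into a parameter validation, which is worth stating in the comment as intentional, together with the fact that `ossl_dh_params_fromdata` already rejects such keys at import. `ffc_params_generate`, `generate_key` and `dh_validate` all start and end outside their hunks.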
@@ -0,0 +1,98 @@ +From 5db03a4d024f1e396ff54d38ac70d9890b034074 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 16:10:11 +0200 +Subject: [PATCH 45/48] + 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch + +Patch-name: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch +Patch-id: 110 +--- + include/openssl/evp.h | 4 +++ + .../implementations/ciphers/ciphercommon.c | 4 +++ + .../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++ + 4 files changed, 34 insertions(+) + +diff --git a/include/openssl/evp.h b/include/openssl/evp.h +index 05f2d0f75a..f1a33ff6f2 100644 +--- a/include/openssl/evp.h ++++ b/include/openssl/evp.h +@@ -748,6 +748,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER_CTX *ctx, int flags); + void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags); + int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags); + ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, + const unsigned char *key, const unsigned char *iv); + __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, +diff --git a/providers/implementations/ciphers/ciphercommon.c b/providers/implementations/ciphers/ciphercommon.c +index fa383165d8..716add7339 100644 +--- a/providers/implementations/ciphers/ciphercommon.c ++++ b/providers/implementations/ciphers/ciphercommon.c +@@ -149,6 +149,10 @@ static const OSSL_PARAM cipher_aead_known_gettable_ctx_params[] = { + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), + OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0), ++ /* normally we would hide this under an #ifdef FIPS_MODULE, but that does ++ * not work in ciphercommon.c because it is compiled only once into ++ * libcommon.a */ ++ 
OSSL_PARAM_int(OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), + OSSL_PARAM_END + }; + const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params( +diff --git a/providers/implementations/ciphers/ciphercommon_gcm.c b/providers/implementations/ciphers/ciphercommon_gcm.c +index ed95c97ff4..db7910eb0e 100644 +--- a/providers/implementations/ciphers/ciphercommon_gcm.c ++++ b/providers/implementations/ciphers/ciphercommon_gcm.c +@@ -224,6 +224,31 @@ int ossl_gcm_get_ctx_params(void *vctx, OSSL_PARAM params[]) + break; + } + } ++ ++ /* We would usually hide this under #ifdef FIPS_MODULE, but ++ * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do ++ * not work here. */ ++ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section C.H requires guarantees about the ++ * uniqueness of key/iv pairs, and proposes a few approaches to ensure ++ * this. This provides an indicator for option 2 "The IV may be ++ * generated internally at its entirety randomly." Note that one of the ++ * conditions of this option is that "The IV length shall be at least ++ * 96 bits (per SP 800-38D)." We do not specically check for this ++ * condition here, because gcm_iv_generate will fail in this case. 
*/ ++ if (ctx->enc && !ctx->iv_gen_rand) ++ fips_indicator = EVP_CIPHER_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); ++ return 0; ++ } ++ } ++ + return 1; + } + +-- +2.41.0 + +diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.ivgen-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm +--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.ivgen-patch 2024-01-02 12:29:45.119433637 +0100 ++++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:33:09.146723045 +0100 +@@ -101,8 +101,9 @@ my %params = ( + 'CIPHER_PARAM_SPEED' => "speed", # uint + 'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string + # For passing the AlgorithmIdentifier parameter in DER form +- 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string +- 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string ++ 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string ++ 'CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", # int ++ 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string + + 'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint + 'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_BUFSIZE' => "tls1multi_maxbufsz", # size_t diff --git a/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch b/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch new file mode 100644 index 0000000..aec08c9 --- /dev/null +++ b/0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch 
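Review bot: `OSSL_CIPHER_PARAM_REDHAT_FIPS_INDICATOR` is added to the shared `cipher_aead_known_gettable_ctx_params` list in ciphercommon.c, which every AEAD mode advertises, but only `ossl_gcm_get_ctx_params` ever fills it in; for the other AEAD ciphers a caller that locates the param gets a success return while the integer is never written, so the caller's variable keeps whatever it held before. Either move the entry to a GCM-specific gettable list or have the other AEAD getters set `EVP_CIPHER_REDHAT_FIPS_INDICATOR_UNDETERMINED` explicitly. Because the file is compiled once without `FIPS_MODULE`, the default provider's GCM also answers APPROVED; the comment should state that the value is only meaningful on a context fetched from the FIPS provider. The `!ctx->iv_gen_rand` test marks any externally supplied encryption IV as NOT_APPROVED, which is the strict reading of IG C.H; whether the TLS1 IV-generation path sets `iv_gen_rand` is not visible here and should be confirmed and documented next to the test. `ossl_gcm_get_ctx_params` starts before the hunk.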
@@ -0,0 +1,75 @@ +From 48c763ed9cc889806bc01222382ce6f918a408a2 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 16:12:33 +0200 +Subject: [PATCH 46/48] + 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch + +Patch-name: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch +Patch-id: 112 +--- + providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++-- + 1 file changed, 37 insertions(+), 3 deletions(-) + +diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c +index 11820d1e69..bae2238ab5 100644 +--- a/providers/implementations/kdfs/pbkdf2.c ++++ b/providers/implementations/kdfs/pbkdf2.c +@@ -284,11 +284,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx, + + static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { ++#ifdef FIPS_MODULE ++ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ ++ ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR)) ++ != NULL) { ++ int fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ /* The lower_bound_checks parameter enables checks required by FIPS. If ++ * those checks are disabled, the PBKDF2 implementation will also ++ * support non-approved parameters (e.g., salt lengths < 16 bytes, see ++ * NIST SP 800-132 section 5.1). 
*/ ++ if (!ctx->lower_bound_checks) ++ fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ ++ any_valid = 1; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, +@@ -296,6 +327,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +-- +2.41.0 + diff --git a/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch new file mode 100644 index 0000000..7a2e1f3 --- /dev/null +++ b/0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch 
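Review bot: The indicator in `kdf_pbkdf2_get_ctx_params` is a snapshot of `ctx->lower_bound_checks`, which a later PKCS5 parameter can flip, and it says nothing about the password, salt, iteration count or key length themselves; those are only enforced in `pbkdf2_derive` when the flag is set. A comment such as `/* Reflects the PKCS5 setting at query time; query after the last set_ctx_params call or after derive. */` above the `#ifdef FIPS_MODULE` block would stop callers from caching the value too early. `ctx` is dereferenced inside the FIPS block without the `if (ctx == NULL) return 0;` guard that `rsakem_get_ctx_params` in this series uses; add it at the top of that block. `kdf_pbkdf2_gettable_ctx_params` ends outside the hunk.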
@@ -0,0 +1,140 @@ +From 136988155862ce2b45683ef8045e7a8cdd11e215 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 16:13:46 +0200 +Subject: [PATCH 47/48] 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch + +Patch-name: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch +Patch-id: 113 +--- + include/openssl/core_names.h | 2 ++ + include/openssl/evp.h | 4 +++ + .../implementations/asymciphers/rsa_enc.c | 22 ++++++++++++++ + providers/implementations/kem/rsa_kem.c | 30 ++++++++++++++++++- + 4 files changed, 57 insertions(+), 1 deletion(-) + +diff --git a/include/openssl/evp.h b/include/openssl/evp.h +index f1a33ff6f2..dadbf46a5a 100644 +--- a/include/openssl/evp.h ++++ b/include/openssl/evp.h +@@ -1767,6 +1767,10 @@ OSSL_DEPRECATEDIN_3_0 size_t EVP_PKEY_meth_get_count(void); + OSSL_DEPRECATEDIN_3_0 const EVP_PKEY_METHOD *EVP_PKEY_meth_get0(size_t idx); + # endif + ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED 1 ++# define EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED 2 ++ + EVP_KEYMGMT *EVP_KEYMGMT_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, + const char *properties); + int EVP_KEYMGMT_up_ref(EVP_KEYMGMT *keymgmt); +diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c +index d169bfd396..bd4dcb4e27 100644 +--- a/providers/implementations/asymciphers/rsa_enc.c ++++ b/providers/implementations/asymciphers/rsa_enc.c +@@ -466,6 +466,27 @@ static int rsa_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection)) + return 0; + ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED; ++ ++ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key ++ * confirmation (section 6.4.2.3.2), or assurance from a trusted third ++ * 
party (section 6.4.2.3.1) for the KTS-OAEP key transport scheme, but ++ * explicit key confirmation is not implemented here and cannot be ++ * implemented without protocol changes, and the FIPS provider does not ++ * implement trusted third party validation, since it relies on its ++ * callers to do that. We must thus mark RSA-OAEP as unapproved until ++ * we have received clarification from NIST on how library modules such ++ * as OpenSSL should implement TTP validation. */ ++ fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ + return 1; + } + +@@ -480,6 +501,7 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), + #ifdef FIPS_MODULE + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED, NULL, 0), ++ OSSL_PARAM_int(OSSL_ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR, NULL), + #endif /* FIPS_MODULE */ + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), + OSSL_PARAM_END +diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c +index 8a6f585d0b..f4b7415074 100644 +--- a/providers/implementations/kem/rsa_kem.c ++++ b/providers/implementations/kem/rsa_kem.c +@@ -152,11 +152,39 @@ static int rsakem_decapsulate_init(void *vprsactx, void *vrsa, + static int rsakem_get_ctx_params(void *vprsactx, OSSL_PARAM *params) + { + PROV_RSA_CTX *ctx = (PROV_RSA_CTX *)vprsactx; ++#ifdef FIPS_MODULE ++ OSSL_PARAM *p; ++#endif /* defined(FIPS_MODULE) */ ++ ++ if (ctx == NULL) ++ return 0; ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR); ++ if (p != NULL) { ++ /* NIST SP 800-56Br2 section 6.4.2.1 requires either explicit key ++ * confirmation (section 6.4.2.3.2), or assurance from a trusted third ++ * party (section 6.4.2.3.1) for key agreement or key transport, but ++ * explicit key 
confirmation is not implemented here and cannot be ++ * implemented without protocol changes, and the FIPS provider does not ++ * implement trusted third party validation, since it relies on its ++ * callers to do that. We must thus mark RSASVE unapproved until we ++ * have received clarification from NIST on how library modules such as ++ * OpenSSL should implement TTP validation. */ ++ int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ + +- return ctx != NULL; ++ return 1; + } + + static const OSSL_PARAM known_gettable_rsakem_ctx_params[] = { ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KEM_PARAM_REDHAT_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + +-- +2.41.0 + +diff -up openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.kem-patch openssl-3.2.0/util/perl/OpenSSL/paramnames.pm +--- openssl-3.2.0/util/perl/OpenSSL/paramnames.pm.kem-patch 2024-01-02 12:49:04.598756268 +0100 ++++ openssl-3.2.0/util/perl/OpenSSL/paramnames.pm 2024-01-02 12:53:16.466464414 +0100 +@@ -406,6 +406,7 @@ my %params = ( + 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version", + 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", + 'ASYM_CIPHER_PARAM_REDHAT_KAT_OEAP_SEED' => "redhat-kat-oaep-seed", ++ 'ASYM_CIPHER_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", + + # Encoder / decoder parameters + +@@ -438,8 +439,9 @@ my %params = ( + 'SIGNATURE_PARAM_KAT' => "kat", + + # KEM parameters +- 'KEM_PARAM_OPERATION' => "operation", +- 'KEM_PARAM_IKME' => "ikme", ++ 'KEM_PARAM_OPERATION' => "operation", ++ 'KEM_PARAM_REDHAT_FIPS_INDICATOR' => "redhat-fips-indicator", ++ 'KEM_PARAM_IKME' => "ikme", + + # Capabilities + diff --git a/0114-FIPS-enforce-EMS-support.patch b/0114-FIPS-enforce-EMS-support.patch new file mode 100644 index 0000000..fd1e90e --- /dev/null +++ b/0114-FIPS-enforce-EMS-support.patch 
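Review bot: In the rsa_enc.c hunk `fips_indicator` is initialised to `EVP_PKEY_REDHAT_FIPS_INDICATOR_APPROVED` and then unconditionally overwritten with NOT_APPROVED, so the initialiser is dead and hints at a conditional that does not exist; the rsa_kem.c hunk in the same patch writes `int fips_indicator = EVP_PKEY_REDHAT_FIPS_INDICATOR_NOT_APPROVED;` directly and rsa_enc.c should match. The paramnames.pm piece is appended after the `-- ` / `2.41.0` signature of the git-format patch; patch(1) applies it, but a tool that stops at the signature would silently drop the new parameter names, so it is worth confirming the build's patch tool. The diffstat lists include/openssl/core_names.h but no hunk for it appears, presumably because the names are generated from paramnames.pm; if so the diffstat is stale.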
@@ -0,0 +1,251 @@ +From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 16:40:56 +0200 +Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch + +Patch-name: 0114-FIPS-enforce-EMS-support.patch +Patch-id: 114 +Patch-status: | + # We believe that some changes present in CentOS are not necessary + # because ustream has a check for FIPS version +--- + doc/man3/SSL_CONF_cmd.pod | 3 +++ + doc/man5/fips_config.pod | 13 +++++++++++ + include/openssl/fips_names.h | 8 +++++++ + include/openssl/ssl.h.in | 1 + + providers/fips/fipsprov.c | 2 +- + providers/implementations/kdfs/tls1_prf.c | 22 +++++++++++++++++++ + ssl/ssl_conf.c | 1 + + ssl/statem/extensions_srvr.c | 8 ++++++- + ssl/t1_enc.c | 11 ++++++++-- + .../30-test_evp_data/evpkdf_tls12_prf.txt | 10 +++++++++ + test/sslapitest.c | 2 +- + 11 files changed, 76 insertions(+), 5 deletions(-) + +diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod +index ae6ca43282..b83c04a308 100644 +--- a/doc/man3/SSL_CONF_cmd.pod ++++ b/doc/man3/SSL_CONF_cmd.pod +@@ -524,6 +524,9 @@ B: use extended master secret extension, enabled by + default. Inverse of B: that is, + B<-ExtendedMasterSecret> is the same as setting B. + ++B: allow establishing connections without EMS in FIPS mode. ++This is a RedHat-based OS specific option, and normally it should be set up via crypto policies. ++ + B: use CA names extension, enabled by + default. Inverse of B: that is, + B<-CANames> is the same as setting B. +diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod +index 1c15e32a5c..f2cedaf88d 100644 +--- a/doc/man5/fips_config.pod ++++ b/doc/man5/fips_config.pod +@@ -15,6 +15,19 @@ for more information. + + This functionality was added in OpenSSL 3.0. + ++Red Hat Enterprise Linux uses a supplementary config for FIPS module located in ++OpenSSL configuration directory and managed by crypto policies. 
If present, it ++should have format ++ ++ [fips_sect] ++ tls1-prf-ems-check = 0 ++ activate = 1 ++ ++The B option specifies whether FIPS module will require the ++presence of extended master secret or not. ++ ++The B option enforces FIPS provider activation. ++ + =head1 COPYRIGHT + + Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h +index 5c77f6d691..8cdd5a6bf7 100644 +--- a/include/openssl/fips_names.h ++++ b/include/openssl/fips_names.h +@@ -70,6 +70,14 @@ extern "C" { + */ + # define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md" + ++/* ++ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed. ++ * This is disabled by default. ++ * ++ * Type: OSSL_PARAM_UTF8_STRING ++ */ ++# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" ++ + # ifdef __cplusplus + } + # endif +diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in +index 0b6de603e2..26a69ca282 100644 +--- a/include/openssl/ssl.h.in ++++ b/include/openssl/ssl.h.in +@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); + * interoperability with CryptoPro CSP 3.x + */ + # define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) ++# define SSL_OP_RH_PERMIT_NOEMS_FIPS SSL_OP_BIT(48) + /* + * Disable RFC8879 certificate compression + * SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates, +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index 5ff9872bd8..eb9653a9df 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) + if (fgbl == NULL) + return NULL; + init_fips_option(&fgbl->fips_security_checks, 1); +- init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */ ++ init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */ + 
init_fips_option(&fgbl->fips_restricted_drgb_digests, 0); + return fgbl; + } +diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c +index 25a6c79a2e..79bc7a9719 100644 +--- a/providers/implementations/kdfs/tls1_prf.c ++++ b/providers/implementations/kdfs/tls1_prf.c +@@ -131,6 +131,7 @@ static void *kdf_tls1_prf_new(void *provctx) + static void kdf_tls1_prf_free(void *vctx) + { + TLS1_PRF *ctx = (TLS1_PRF *)vctx; ++ OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx); + + if (ctx != NULL) { + kdf_tls1_prf_reset(ctx); +@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + } + } + ++ /* ++ * The seed buffer is prepended with a label. ++ * If EMS mode is enforced then the label "master secret" is not allowed, ++ * We do the check this way since the PRF is used for other purposes, as well ++ * as "extended master secret". ++ */ ++#ifdef FIPS_MODULE ++ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, ++ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) ++ ctx->fips_indicator = EVP_KDF_REDHAT_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ if (ossl_tls1_prf_ems_check_enabled(libctx)) { ++ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, ++ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED); ++ return 0; ++ } ++ } ++ + return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, + ctx->sec, ctx->seclen, + ctx->seed, ctx->seedlen, +diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c +index 5146cedb96..086db98c33 100644 +--- a/ssl/ssl_conf.c ++++ b/ssl/ssl_conf.c +@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) + SSL_FLAG_TBL("ClientRenegotiation", + SSL_OP_ALLOW_CLIENT_RENEGOTIATION), + SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), ++ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", 
SSL_OP_RH_PERMIT_NOEMS_FIPS), + SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), + SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), + SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), +diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c +index 00b1ee531e..22cdabb308 100644 +--- a/ssl/statem/extensions_srvr.c ++++ b/ssl/statem/extensions_srvr.c +@@ -11,6 +11,7 @@ + #include "../ssl_local.h" + #include "statem_local.h" + #include "internal/cryptlib.h" ++#include + + #define COOKIE_STATE_FORMAT_VERSION 1 + +@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, + unsigned int context, + X509 *x, size_t chainidx) + { +- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) ++ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) { ++ if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_RH_PERMIT_NOEMS_FIPS) ) { ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); ++ return EXT_RETURN_FAIL; ++ } + return EXT_RETURN_NOT_SENT; ++ } + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) + || !WPACKET_put_bytes_u16(pkt, 0)) { +diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c +index 91238e6457..e8ad8ecd9e 100644 +--- a/ssl/t1_enc.c ++++ b/ssl/t1_enc.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + /* seed1 through seed5 are concatenated */ + static int tls1_PRF(SSL_CONNECTION *s, +@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s, + } + + err: +- if (fatal) +- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ if (fatal) { ++ /* The calls to this function are local so it's safe to implement the check */ ++ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); ++ else ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ } + else + ERR_raise(ERR_LIB_SSL, 
ERR_R_INTERNAL_ERROR); + EVP_KDF_CTX_free(kctx); +diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +index 44040ff66b..deb6bf3fcb 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c + Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce + Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf + ++Availablein = fips ++KDF = TLS1-PRF ++Ctrl.digest = digest:SHA256 ++Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc ++Ctrl.label = seed:master secret ++Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c ++Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce ++Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf ++Result = KDF_DERIVE_ERROR ++ + FIPSversion = <=3.1.0 + KDF = TLS1-PRF + Ctrl.digest = digest:SHA256 +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 169e3c7466..e67b5bb44c 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void) + STACK_OF(X509) *server_chain; + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; +- int testresult = 0; ++ int testresult = 0, status; + + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, +-- +2.41.0 + diff --git a/0115-skip-quic-pairwise.patch b/0115-skip-quic-pairwise.patch new file mode 100644 index 0000000..98bfae5 --- /dev/null +++ b/0115-skip-quic-pairwise.patch 
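Review bot: The tls1_prf.c hunk adds `OSSL_LIB_CTX *libctx = PROV_LIBCTX_OF(ctx->provctx);` to kdf_tls1_prf_free before its `if (ctx != NULL)` guard, so a NULL vctx now dereferences, and `libctx` is never used in that function; the line appears to have landed in the wrong hunk and should be removed from kdf_tls1_prf_free (the derive hunk uses `libctx`, but this chunk does not show where it is declared there). The new comment in fips_names.h says the EMS check `is disabled by default`, while the fipsprov.c hunk of the same patch changes the default to `init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */`; the header comment should read `This is enabled by default in this build.` The extensions_srvr.c and t1_enc.c checks key off the global `FIPS_mode()` rather than the connection's library context, so a non-default libctx running the FIPS provider would presumably not be enforced; if that scope is intended, a one-line comment stating it would avoid surprise.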
@@ -0,0 +1,85 @@ +From 42ed594a3a905830374fb65cced431748f8c639c Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Thu, 4 Apr 2024 11:50:58 +0200 +Subject: [PATCH 45/50] 0115-skip-quic-pairwise.patch + +Patch-name: 0115-skip-quic-pairwise.patch +Patch-id: 115 +Patch-status: | + # Amend tests according to Fedora/RHEL code +--- + test/quicapitest.c | 4 +++- + test/recipes/01-test_symbol_presence.t | 1 + + test/recipes/30-test_pairwise_fail.t | 13 +++++++++++-- + 3 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/test/quicapitest.c b/test/quicapitest.c +index 41cf0fc7a8..0fb7492700 100644 +--- a/test/quicapitest.c ++++ b/test/quicapitest.c +@@ -2139,7 +2139,9 @@ int setup_tests(void) + ADD_TEST(test_cipher_find); + ADD_TEST(test_version); + #if defined(DO_SSL_TRACE_TEST) +- ADD_TEST(test_ssl_trace); ++ if (is_fips == 0) { ++ ADD_TEST(test_ssl_trace); ++ } + #endif + ADD_TEST(test_quic_forbidden_apis_ctx); + ADD_TEST(test_quic_forbidden_apis); +diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t +index c837d48fb4..f06ef04b1a 100644 +--- a/test/recipes/30-test_pairwise_fail.t ++++ b/test/recipes/30-test_pairwise_fail.t +@@ -9,7 +9,7 @@ + use strict; + use warnings; + +-use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file); ++use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file with); + use OpenSSL::Test::Utils; + + BEGIN { +@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), + SKIP: { + skip "Skip RSA test because of no rsa in this build", 1 + if disabled("rsa"); ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "rsa"])), + "fips provider rsa keygen pairwise failure test"); ++ }); + } + + SKIP: { + skip "Skip EC test because of no ec in this build", 2 + if disabled("ec"); ++ with({ exit_checker => sub {my $val = shift; return $val == 
134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "ec"])), + "fips provider ec keygen pairwise failure test"); ++ }); + + skip "FIPS provider version is too old", 1 + if !$fips_exit; ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "eckat"])), + "fips provider ec keygen kat failure test"); ++ }); + } + + SKIP: { + skip "Skip DSA tests because of no dsa in this build", 2 +- if disabled("dsa"); ++ if 1; #if disabled("dsa"); + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])), + "fips provider dsa keygen pairwise failure test"); +-- +2.44.0 + diff --git a/0116-version-aliasing.patch b/0116-version-aliasing.patch new file mode 100644 index 0000000..73f7981 --- /dev/null +++ b/0116-version-aliasing.patch 
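Review bot: The `skip ... if 1; #if disabled("dsa");` change in 30-test_pairwise_fail.t switches the DSA pairwise tests off unconditionally with no recorded reason; a comment such as `# DSA keygen is not available in this FIPS provider build, so the pairwise failure test cannot run` would explain the dead condition. The exit checker `return $val == 134;` assumes an abort exits with 128+SIGABRT, which holds on Linux under the usual shells but is not portable; if these recipes only run on RHEL that is acceptable, but it deserves a comment. The diffstat lists test/recipes/01-test_symbol_presence.t although no hunk for it appears in the patch body.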
@@ -0,0 +1,84 @@ +From a2673b5e2e95bcf54a1746bfd409cca688275e75 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:17 +0100 +Subject: [PATCH 46/49] 0116-version-aliasing.patch + +Patch-name: 0116-version-aliasing.patch +Patch-id: 116 +Patch-status: | + # Add version aliasing due to + # https://github.com/openssl/openssl/issues/23534 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + crypto/evp/digest.c | 7 ++++++- + crypto/evp/evp_enc.c | 7 ++++++- + test/recipes/01-test_symbol_presence.t | 1 + + util/libcrypto.num | 2 ++ + 4 files changed, 15 insertions(+), 2 deletions(-) + +diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c +index 42331703da..3a280acc0e 100644 +--- a/crypto/evp/digest.c ++++ b/crypto/evp/digest.c +@@ -553,7 +553,12 @@ legacy: + return ret; + } + +-EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in) ++EVP_MD_CTX ++#if !defined(FIPS_MODULE) ++__attribute__ ((symver ("EVP_MD_CTX_dup@@OPENSSL_3.1.0"), ++ symver ("EVP_MD_CTX_dup@OPENSSL_3.2.0"))) ++#endif ++*EVP_MD_CTX_dup(const EVP_MD_CTX *in) + { + EVP_MD_CTX *out = EVP_MD_CTX_new(); + +diff --git a/crypto/evp/evp_enc.c b/crypto/evp/evp_enc.c +index e9faf31057..5a29b8dbb7 100644 +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -1444,7 +1444,12 @@ int EVP_CIPHER_CTX_rand_key(EVP_CIPHER_CTX *ctx, unsigned char *key) + #endif /* FIPS_MODULE */ + } + +-EVP_CIPHER_CTX *EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in) ++EVP_CIPHER_CTX ++#if !defined(FIPS_MODULE) ++__attribute__ ((symver ("EVP_CIPHER_CTX_dup@@OPENSSL_3.1.0"), ++ symver ("EVP_CIPHER_CTX_dup@OPENSSL_3.2.0"))) ++#endif ++*EVP_CIPHER_CTX_dup(const EVP_CIPHER_CTX *in) + { + EVP_CIPHER_CTX *out = EVP_CIPHER_CTX_new(); + +diff --git a/test/recipes/01-test_symbol_presence.t b/test/recipes/01-test_symbol_presence.t +index 222b1886ae..7e2f65cccb 100644 +--- a/test/recipes/01-test_symbol_presence.t ++++ b/test/recipes/01-test_symbol_presence.t +@@ -185,6 +185,8 @@ foreach (sort keys %stlibname) { + } + 
} + my @duplicates = sort grep { $symbols{$_} > 1 } keys %symbols; ++@duplicates = grep {($_ ne "OPENSSL_ia32cap_P") && ($_ ne "EVP_CIPHER_CTX_dup") && ($_ ne "EVP_MD_CTX_dup") } @duplicates; ++@duplicates = grep {($_ ne "OPENSSL_strcasecmp") && ($_ ne "OPENSSL_strncasecmp") } @duplicates; + if (@duplicates) { + note "Duplicates:"; + note join('\n', @duplicates); +diff --git a/util/libcrypto.num b/util/libcrypto.num +index 8046454025..068e9904e2 100644 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -5435,7 +5435,9 @@ X509_PUBKEY_set0_public_key 5562 3_2_0 EXIST::FUNCTION: + OSSL_STACK_OF_X509_free 5563 3_2_0 EXIST::FUNCTION: + OSSL_trace_string 5564 3_2_0 EXIST::FUNCTION: + EVP_MD_CTX_dup 5565 3_2_0 EXIST::FUNCTION: ++EVP_MD_CTX_dup ? 3_1_0 EXIST::FUNCTION: + EVP_CIPHER_CTX_dup 5566 3_2_0 EXIST::FUNCTION: ++EVP_CIPHER_CTX_dup ? 3_1_0 EXIST::FUNCTION: + BN_signed_bin2bn 5567 3_2_0 EXIST::FUNCTION: + BN_signed_bn2bin 5568 3_2_0 EXIST::FUNCTION: + BN_signed_lebin2bn 5569 3_2_0 EXIST::FUNCTION: +-- +2.44.0 + diff --git a/0117-ignore-unknown-sigalgorithms-groups.patch b/0117-ignore-unknown-sigalgorithms-groups.patch new file mode 100644 index 0000000..dd40e11 --- /dev/null +++ b/0117-ignore-unknown-sigalgorithms-groups.patch 
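Review bot: The `__attribute__ ((symver (...)))` annotations on EVP_MD_CTX_dup and EVP_CIPHER_CTX_dup are gated only on `!defined(FIPS_MODULE)`, but as far as I know the symver attribute requires GCC 10 or later on an ELF target and is rejected by other compilers, so a clang or non-Linux build of this tree would fail; guarding with `#if !defined(FIPS_MODULE) && defined(__GNUC__) && __GNUC__ >= 10` would keep the alias where it works and fall back cleanly elsewhere. A short comment above the attribute pointing at the upstream issue named in Patch-status would also tell the next maintainer why 3.1.0 versions are emitted for 3.2.0 symbols. The 01-test_symbol_presence.t hunk additionally exempts OPENSSL_strcasecmp and OPENSSL_strncasecmp, which looks unrelated to version aliasing; if it belongs to the strcasecmp patch it would be clearer there.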
@@ -0,0 +1,318 @@ +From 242c746690dd1d0e500fa554c60536877d77776d Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 14 Dec 2023 17:08:56 +0100 +Subject: [PATCH 47/49] 0117-ignore-unknown-sigalgorithms-groups.patch + +Patch-name: 0117-ignore-unknown-sigalgorithms-groups.patch +Patch-id: 117 +Patch-status: | + # https://github.com/openssl/openssl/issues/23050 +--- + CHANGES.md | 13 +++++++ + doc/man3/SSL_CTX_set1_curves.pod | 6 ++- + doc/man3/SSL_CTX_set1_sigalgs.pod | 11 +++++- + ssl/t1_lib.c | 56 +++++++++++++++++++++------- + test/sslapitest.c | 61 +++++++++++++++++++++++++++++++ + 5 files changed, 132 insertions(+), 15 deletions(-) + +diff --git a/CHANGES.md b/CHANGES.md +index ca29762ac2..4e21d0ddf9 100644 +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -27,6 +27,19 @@ OpenSSL 3.2 + + ### Changes between 3.2.0 and 3.2.1 [30 Jan 2024] + ++ * Unknown entries in TLS SignatureAlgorithms, ClientSignatureAlgorithms ++ config options and the respective calls to SSL[_CTX]_set1_sigalgs() and ++ SSL[_CTX]_set1_client_sigalgs() that start with `?` character are ++ ignored and the configuration will still be used. ++ ++ Similarly unknown entries that start with `?` character in a TLS ++ Groups config option or set with SSL[_CTX]_set1_groups_list() are ignored ++ and the configuration will still be used. ++ ++ In both cases if the resulting list is empty, an error is returned. ++ ++ *Tomáš Mráz* ++ + * A file in PKCS12 format can contain certificates and keys and may come from + an untrusted source. The PKCS12 specification allows certain fields to be + NULL, but OpenSSL did not correctly check for this case. A fix has been +diff --git a/doc/man3/SSL_CTX_set1_curves.pod b/doc/man3/SSL_CTX_set1_curves.pod +index c26ef00306..f0566e148e 100644 +--- a/doc/man3/SSL_CTX_set1_curves.pod ++++ b/doc/man3/SSL_CTX_set1_curves.pod +@@ -58,7 +58,8 @@ string B. The string is a colon separated list of group names, for example + are B, B, B, B, B, B, + B, B, B, B, + B, B and B. 
Support for other groups may be +-added by external providers. ++added by external providers. If a group name is preceded with the C ++character, it will be ignored if an implementation is missing. + + SSL_set1_groups() and SSL_set1_groups_list() are similar except they set + supported groups for the SSL structure B. +@@ -142,6 +143,9 @@ The curve functions were added in OpenSSL 1.0.2. The equivalent group + functions were added in OpenSSL 1.1.1. The SSL_get_negotiated_group() function + was added in OpenSSL 3.0.0. + ++Support for ignoring unknown groups in SSL_CTX_set1_groups_list() and ++SSL_set1_groups_list() was added in OpenSSL 3.3. ++ + =head1 COPYRIGHT + + Copyright 2013-2022 The OpenSSL Project Authors. All Rights Reserved. +diff --git a/doc/man3/SSL_CTX_set1_sigalgs.pod b/doc/man3/SSL_CTX_set1_sigalgs.pod +index eb31006346..5b7de7d956 100644 +--- a/doc/man3/SSL_CTX_set1_sigalgs.pod ++++ b/doc/man3/SSL_CTX_set1_sigalgs.pod +@@ -33,7 +33,9 @@ signature algorithms for B or B. The B parameter + must be a null terminated string consisting of a colon separated list of + elements, where each element is either a combination of a public key + algorithm and a digest separated by B<+>, or a TLS 1.3-style named +-SignatureScheme such as rsa_pss_pss_sha256. ++SignatureScheme such as rsa_pss_pss_sha256. If a list entry is preceded ++with the C character, it will be ignored if an implementation is missing. ++ + + SSL_CTX_set1_client_sigalgs(), SSL_set1_client_sigalgs(), + SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() set +@@ -106,6 +108,13 @@ using a string: + L, L, + L + ++=head1 HISTORY ++ ++Support for ignoring unknown signature algorithms in ++SSL_CTX_set1_sigalgs_list(), SSL_set1_sigalgs_list(), ++SSL_CTX_set1_client_sigalgs_list() and SSL_set1_client_sigalgs_list() ++was added in OpenSSL 3.3. ++ + =head1 COPYRIGHT + + Copyright 2015-2018 The OpenSSL Project Authors. All Rights Reserved. 
+diff --git a/ssl/t1_lib.c b/ssl/t1_lib.c +index 056aae3863..fe680449c5 100644 +--- a/ssl/t1_lib.c ++++ b/ssl/t1_lib.c +@@ -1052,9 +1052,15 @@ static int gid_cb(const char *elem, int len, void *arg) + size_t i; + uint16_t gid = 0; + char etmp[GROUP_NAME_BUFFER_LENGTH]; ++ int ignore_unknown = 0; + + if (elem == NULL) + return 0; ++ if (elem[0] == '?') { ++ ignore_unknown = 1; ++ ++elem; ++ --len; ++ } + if (garg->gidcnt == garg->gidmax) { + uint16_t *tmp = + OPENSSL_realloc(garg->gid_arr, +@@ -1070,13 +1076,14 @@ static int gid_cb(const char *elem, int len, void *arg) + + gid = tls1_group_name2id(garg->ctx, etmp); + if (gid == 0) { +- ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, +- "group '%s' cannot be set", etmp); +- return 0; ++ /* Unknown group - ignore, if ignore_unknown */ ++ return ignore_unknown; + } + for (i = 0; i < garg->gidcnt; i++) +- if (garg->gid_arr[i] == gid) +- return 0; ++ if (garg->gid_arr[i] == gid) { ++ /* Duplicate group - ignore */ ++ return 1; ++ } + garg->gid_arr[garg->gidcnt++] = gid; + return 1; + } +@@ -1097,6 +1104,11 @@ int tls1_set_groups_list(SSL_CTX *ctx, uint16_t **pext, size_t *pextlen, + gcb.ctx = ctx; + if (!CONF_parse_list(str, ':', 1, gid_cb, &gcb)) + goto end; ++ if (gcb.gidcnt == 0) { ++ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, ++ "No valid groups in '%s'", str); ++ goto end; ++ } + if (pext == NULL) { + ret = 1; + goto end; +@@ -2905,8 +2917,15 @@ static int sig_cb(const char *elem, int len, void *arg) + const SIGALG_LOOKUP *s; + char etmp[TLS_MAX_SIGSTRING_LEN], *p; + int sig_alg = NID_undef, hash_alg = NID_undef; ++ int ignore_unknown = 0; ++ + if (elem == NULL) + return 0; ++ if (elem[0] == '?') { ++ ignore_unknown = 1; ++ ++elem; ++ --len; ++ } + if (sarg->sigalgcnt == TLS_MAX_SIGALGCNT) + return 0; + if (len > (int)(sizeof(etmp) - 1)) +@@ -2931,8 +2950,10 @@ static int sig_cb(const char *elem, int len, void *arg) + break; + } + } +- if (i == OSSL_NELEM(sigalg_lookup_tbl)) +- return 0; 
++ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { ++ /* Ignore unknown algorithms if ignore_unknown */ ++ return ignore_unknown; ++ } + } + } else { + *p = 0; +@@ -2940,8 +2961,10 @@ static int sig_cb(const char *elem, int len, void *arg) + return 0; + get_sigorhash(&sig_alg, &hash_alg, etmp); + get_sigorhash(&sig_alg, &hash_alg, p); +- if (sig_alg == NID_undef || hash_alg == NID_undef) +- return 0; ++ if (sig_alg == NID_undef || hash_alg == NID_undef) { ++ /* Ignore unknown algorithms if ignore_unknown */ ++ return ignore_unknown; ++ } + for (i = 0, s = sigalg_lookup_tbl; i < OSSL_NELEM(sigalg_lookup_tbl); + i++, s++) { + if (s->hash == hash_alg && s->sig == sig_alg) { +@@ -2949,15 +2972,17 @@ static int sig_cb(const char *elem, int len, void *arg) + break; + } + } +- if (i == OSSL_NELEM(sigalg_lookup_tbl)) +- return 0; ++ if (i == OSSL_NELEM(sigalg_lookup_tbl)) { ++ /* Ignore unknown algorithms if ignore_unknown */ ++ return ignore_unknown; ++ } + } + +- /* Reject duplicates */ ++ /* Ignore duplicates */ + for (i = 0; i < sarg->sigalgcnt - 1; i++) { + if (sarg->sigalgs[i] == sarg->sigalgs[sarg->sigalgcnt - 1]) { + sarg->sigalgcnt--; +- return 0; ++ return 1; + } + } + return 1; +@@ -2973,6 +2998,11 @@ int tls1_set_sigalgs_list(CERT *c, const char *str, int client) + } + if (!CONF_parse_list(str, ':', 1, sig_cb, &sig)) + return 0; ++ if (sig.sigalgcnt == 0) { ++ ERR_raise_data(ERR_LIB_SSL, ERR_R_PASSED_INVALID_ARGUMENT, ++ "No valid signature algorithms in '%s'", str); ++ return 0; ++ } + if (c == NULL) + return 1; + return tls1_set_raw_sigalgs(c, sig.sigalgs, sig.sigalgcnt, client); +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 1c14f93ed1..184a0f1055 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -39,6 +39,7 @@ + #include "testutil.h" + #include "testutil/output.h" + #include "internal/nelem.h" ++#include "internal/tlsgroups.h" + #include "internal/ktls.h" + #include "../ssl/ssl_local.h" + #include "../ssl/record/methods/recmethod_local.h" 
+@@ -3147,6 +3148,7 @@ static const sigalgs_list testsigalgs[] = { + {validlist3, OSSL_NELEM(validlist3), NULL, 1, 0}, + # endif + {NULL, 0, "RSA+SHA256", 1, 1}, ++ {NULL, 0, "RSA+SHA256:?Invalid", 1, 1}, + # ifndef OPENSSL_NO_EC + {NULL, 0, "RSA+SHA256:ECDSA+SHA512", 1, 1}, + {NULL, 0, "ECDSA+SHA512", 1, 0}, +@@ -9276,6 +9278,64 @@ static int test_servername(int tst) + return testresult; + } + ++static int test_unknown_sigalgs_groups(void) ++{ ++ int ret = 0; ++ SSL_CTX *ctx = NULL; ++ ++ if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) ++ goto end; ++ ++ if (!TEST_int_gt(SSL_CTX_set1_sigalgs_list(ctx, ++ "RSA+SHA256:?nonexistent:?RSA+SHA512"), ++ 0)) ++ goto end; ++ if (!TEST_size_t_eq(ctx->cert->conf_sigalgslen, 2) ++ || !TEST_int_eq(ctx->cert->conf_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256) ++ || !TEST_int_eq(ctx->cert->conf_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512)) ++ goto end; ++ ++ if (!TEST_int_gt(SSL_CTX_set1_client_sigalgs_list(ctx, ++ "RSA+SHA256:?nonexistent:?RSA+SHA512"), ++ 0)) ++ goto end; ++ if (!TEST_size_t_eq(ctx->cert->client_sigalgslen, 2) ++ || !TEST_int_eq(ctx->cert->client_sigalgs[0], TLSEXT_SIGALG_rsa_pkcs1_sha256) ++ || !TEST_int_eq(ctx->cert->client_sigalgs[1], TLSEXT_SIGALG_rsa_pkcs1_sha512)) ++ goto end; ++ ++ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, ++ "nonexistent"), ++ 0)) ++ goto end; ++ ++ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, ++ "?nonexistent1:?nonexistent2:?nonexistent3"), ++ 0)) ++ goto end; ++ ++#ifndef OPENSSL_NO_EC ++ if (!TEST_int_le(SSL_CTX_set1_groups_list(ctx, ++ "P-256:nonexistent"), ++ 0)) ++ goto end; ++ ++ if (!TEST_int_gt(SSL_CTX_set1_groups_list(ctx, ++ "P-384:?nonexistent:?P-521"), ++ 0)) ++ goto end; ++ if (!TEST_size_t_eq(ctx->ext.supportedgroups_len, 2) ++ || !TEST_int_eq(ctx->ext.supportedgroups[0], OSSL_TLS_GROUP_ID_secp384r1) ++ || !TEST_int_eq(ctx->ext.supportedgroups[1], OSSL_TLS_GROUP_ID_secp521r1)) ++ goto end; ++#endif ++ ++ ret = 1; ++ end: ++ SSL_CTX_free(ctx); 
++ return ret; ++} ++ + #if !defined(OPENSSL_NO_EC) \ + && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) + /* +@@ -11519,6 +11579,7 @@ int setup_tests(void) + ADD_ALL_TESTS(test_multiblock_write, OSSL_NELEM(multiblock_cipherlist_data)); + #endif + ADD_ALL_TESTS(test_servername, 10); ++ ADD_TEST(test_unknown_sigalgs_groups); + #if !defined(OPENSSL_NO_EC) \ + && (!defined(OSSL_NO_USABLE_TLS1_3) || !defined(OPENSSL_NO_TLS1_2)) + ADD_ALL_TESTS(test_sigalgs_available, 6); +-- +2.44.0 + diff --git a/0121-FIPS-cms-defaults.patch b/0121-FIPS-cms-defaults.patch new file mode 100644 index 0000000..7598512 --- /dev/null +++ b/0121-FIPS-cms-defaults.patch 
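Review bot: The duplicate handling in sig_cb changes from rejecting a repeated entry (`return 0`) to silently accepting it (`return 1`), and gid_cb does the same for groups; that is a behaviour change independent of the `?` prefix and is not mentioned in the CHANGES.md entry or the pod updates, so the entry should add that duplicate entries are now ignored rather than rejected. The HISTORY sections added to the two pod files say the feature `was added in OpenSSL 3.3` while CHANGES.md places it under 3.2.1; in a 3.2.2 build one of these will mislead a reader and they should agree. Both callbacks start inside their hunks but their tails run outside them.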
@@ -0,0 +1,65 @@ +diff -up openssl-3.0.7/apps/cms.c.fips_cms openssl-3.0.7/apps/cms.c +--- openssl-3.0.7/apps/cms.c.fips_cms 2023-05-18 14:03:56.360555106 +0200 ++++ openssl-3.0.7/apps/cms.c 2023-05-18 14:13:33.765183185 +0200 +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + static int save_certs(char *signerfile, STACK_OF(X509) *signers); + static int cms_cb(int ok, X509_STORE_CTX *ctx); +@@ -810,12 +811,16 @@ int cms_main(int argc, char **argv) + + if (operation == SMIME_ENCRYPT) { + if (!cipher) { ++ if (FIPS_mode()) { ++ cipher = (EVP_CIPHER *)EVP_aes_128_cbc(); ++ } else { + #ifndef OPENSSL_NO_DES +- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); ++ cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); + #else +- BIO_printf(bio_err, "No cipher selected\n"); +- goto end; ++ BIO_printf(bio_err, "No cipher selected\n"); ++ goto end; + #endif ++ } + } + + if (secret_key && !secret_keyid) { +diff -up openssl-3.0.7/crypto/cms/cms_env.c.fips_cms openssl-3.0.7/crypto/cms/cms_env.c +--- openssl-3.0.7/crypto/cms/cms_env.c.fips_cms 2023-05-22 10:06:50.276528155 +0200 ++++ openssl-3.0.7/crypto/cms/cms_env.c 2023-05-22 10:08:58.406073945 +0200 +@@ -14,6 +14,7 @@ + #include + #include + #include ++#include + #include "internal/sizes.h" + #include "crypto/asn1.h" + #include "crypto/evp.h" +@@ -321,6 +321,10 @@ static int cms_RecipientInfo_ktri_init(C + return 0; + if (EVP_PKEY_encrypt_init(ktri->pctx) <= 0) + return 0; ++ if (FIPS_mode()) { ++ if (EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_padding_mode", "oaep") <= 0) ++ return 0; ++ } + } else if (!ossl_cms_env_asn1_ctrl(ri, 0)) + return 0; + return 1; +@@ -484,6 +489,11 @@ static int cms_RecipientInfo_ktri_encryp + + if (EVP_PKEY_encrypt_init(pctx) <= 0) + goto err; ++ ++ if (FIPS_mode()) { ++ if (EVP_PKEY_CTX_ctrl_str(pctx, "rsa_padding_mode", "oaep") <= 0) ++ goto err; ++ } + } + + if (EVP_PKEY_encrypt(pctx, NULL, &eklen, ec->key, ec->keylen) <= 0) 
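Review bot: The `EVP_PKEY_CTX_ctrl_str(..., "rsa_padding_mode", "oaep")` added in cms_RecipientInfo_ktri_init and again in cms_RecipientInfo_ktri_encrypt is applied to every key-transport context whenever FIPS_mode() is true, with no check of the key type, so a non-RSA ktri key, if one can reach these paths, would fail on an unknown ctrl rather than with a clear message; the key type is not visible in the hunk, so this is inferred. Neither site says why the padding is forced; a one-line comment such as `/* In FIPS mode RSA PKCS#1 v1.5 key transport is not approved: force OAEP */` at both sites would record the intent for the next rebase. The same four lines are duplicated in the two functions and could be one small static helper taking the EVP_PKEY_CTX, which also keeps the two sites from drifting apart. On this page the added `#include` line in apps/cms.c has lost its header name, so which header supplies FIPS_mode() cannot be confirmed from the hunk. Both enclosing functions start and end outside the inner hunks.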
diff --git a/0122-TMP-KTLS-test-skip.patch b/0122-TMP-KTLS-test-skip.patch new file mode 100644 index 0000000..f037ee3 --- /dev/null +++ b/0122-TMP-KTLS-test-skip.patch @@ -0,0 +1,16 @@ +diff -up openssl-3.2.1/test/sslapitest.c.xxx openssl-3.2.1/test/sslapitest.c +--- openssl-3.2.1/test/sslapitest.c.xxx 2024-04-15 10:14:47.292448045 +0200 ++++ openssl-3.2.1/test/sslapitest.c 2024-04-15 10:15:23.428396994 +0200 +@@ -1020,9 +1020,10 @@ static int execute_test_large_message(co + /* sock must be connected */ + static int ktls_chk_platform(int sock) + { +- if (!ktls_enable(sock)) ++/* if (!ktls_enable(sock)) + return 0; +- return 1; ++ return 1; */ ++ return 0; + } + + static int ping_pong_query(SSL *clientssl, SSL *serverssl) diff --git a/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch b/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch new file mode 100644 index 0000000..85f97c6 --- /dev/null +++ b/0123-kdf-Preserve-backward-compatibility-with-older-provi.patch 
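Review bot: Commenting out the body of ktls_chk_platform with a block comment leaves `sock` unused and keeps dead code in the tree; a temporary skip should instead drop the two lines, add `(void)sock;`, and say why, e.g. `/* KTLS platform check disabled in this build pending <TRACKING-ID> */`, so the skip is not carried forward silently when the patch set is refreshed. The now-unused parameter may also trip -Wunused-parameter under stricter warning flags, though the build flags are not visible here. The function is entirely inside the hunk.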
@@ -0,0 +1,62 @@ +From a4daab0c29bce044d385bdeada177a88c32cba4c Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 17 Jun 2024 16:48:26 +0200 +Subject: [PATCH] Fix regression of EVP_PKEY_CTX_add1_hkdf_info() with older + providers + +If there is no get_ctx_params() implemented in the key exchange +provider implementation the fallback will not work. Instead +check the gettable_ctx_params() to see if the fallback should be +performed. + +Fixes #24611 + +Reviewed-by: Paul Dale +Reviewed-by: Tom Cosgrove +(Merged from https://github.com/openssl/openssl/pull/24661) + +(cherry picked from commit 663dbc9c9c897392a9f9d18aa9a8400ca024dc5d) +--- + crypto/evp/pmeth_lib.c | 11 +++++++++-- + 1 file changed, 9 insertions(+), 2 deletions(-) + +diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c +index 2caff2cd6d..d15e43be05 100644 +--- a/crypto/evp/pmeth_lib.c ++++ b/crypto/evp/pmeth_lib.c +@@ -1026,6 +1026,7 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + int datalen) + { + OSSL_PARAM os_params[2]; ++ const OSSL_PARAM *gettables; + unsigned char *info = NULL; + size_t info_len = 0; + size_t info_alloc = 0; +@@ -1049,6 +1050,12 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + return 1; + } + ++ /* Check for older provider that doesn't support getting this parameter */ ++ gettables = EVP_PKEY_CTX_gettable_params(ctx); ++ if (gettables == NULL || OSSL_PARAM_locate_const(gettables, param) == NULL) ++ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, ++ data, datalen); ++ + /* Get the original value length */ + os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0); + os_params[1] = OSSL_PARAM_construct_end(); +@@ -1056,9 +1063,9 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + if (!EVP_PKEY_CTX_get_params(ctx, os_params)) + return 0; + +- /* Older provider that doesn't support getting this parameter */ ++ /* This should not happen but check to be 
sure. */ + if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED) +- return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen); ++ return 0; + + info_alloc = os_params[0].return_size + datalen; + if (info_alloc == 0) +-- +2.45.1 + diff --git a/0124-PBMAC1-PKCS12-FIPS-support.patch b/0124-PBMAC1-PKCS12-FIPS-support.patch new file mode 100644 index 0000000..6e1cc96 --- /dev/null +++ b/0124-PBMAC1-PKCS12-FIPS-support.patch 
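Review bot: The changed `return 0;` for the OSSL_PARAM_UNMODIFIED case fails without putting anything on the error queue, so a caller that lands in this "should not happen" path gets a 0 with an empty error stack and nothing to diagnose; `ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR);` before the return would fix that. The new gettables check earlier in the same hunk is the right place for the legacy-provider fallback, but its comment could mention that a NULL gettables array is also treated as "older provider", since that is what the condition does. evp_pkey_ctx_add1_octet_string starts and ends outside the hunk.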
@@ -0,0 +1,1525 @@ +From d959252c47af0eb0dd55bc032606901fedaf029b Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Fri, 7 Jun 2024 14:37:57 +0200 +Subject: [PATCH 1/4] Implementation of the RFC 9579, PBMAC1 in PKCS#12 + +--- + apps/pkcs12.c | 63 ++++++-- + crypto/asn1/p5_pbev2.c | 7 + + crypto/evp/digest.c | 54 +++++++ + crypto/pkcs12/p12_mutl.c | 296 ++++++++++++++++++++++++++++++++---- + include/crypto/evp.h | 3 + + include/openssl/pkcs12.h.in | 3 + + include/openssl/x509.h.in | 15 +- + 7 files changed, 394 insertions(+), 47 deletions(-) + +diff --git a/apps/pkcs12.c b/apps/pkcs12.c +index 54323a9713393..cbe133742a8be 100644 +--- a/apps/pkcs12.c ++++ b/apps/pkcs12.c +@@ -70,7 +70,7 @@ typedef enum OPTION_choice { + OPT_NAME, OPT_CSP, OPT_CANAME, + OPT_IN, OPT_OUT, OPT_PASSIN, OPT_PASSOUT, OPT_PASSWORD, OPT_CAPATH, + OPT_CAFILE, OPT_CASTORE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NOCASTORE, OPT_ENGINE, +- OPT_R_ENUM, OPT_PROV_ENUM, OPT_JDKTRUST, ++ OPT_R_ENUM, OPT_PROV_ENUM, OPT_JDKTRUST, OPT_PBMAC1_PBKDF2, OPT_PBMAC1_PBKDF2_MD, + #ifndef OPENSSL_NO_DES + OPT_LEGACY_ALG + #endif +@@ -147,6 +147,8 @@ const OPTIONS pkcs12_options[] = { + #endif + {"macalg", OPT_MACALG, 's', + "Digest algorithm to use in MAC (default SHA256)"}, ++ {"pbmac1_pbkdf2", OPT_PBMAC1_PBKDF2, '-', "Use PBMAC1 with PBKDF2 instead of MAC"}, ++ {"pbmac1_pbkdf2_md", OPT_PBMAC1_PBKDF2_MD, 's', "Digest to use for PBMAC1 KDF (default SHA256)"}, + {"iter", OPT_ITER, 'p', "Specify the iteration count for encryption and MAC"}, + {"noiter", OPT_NOITER, '-', "Don't use encryption iteration"}, + {"nomaciter", OPT_NOMACITER, '-', "Don't use MAC iteration)"}, +@@ -170,14 +172,14 @@ int pkcs12_main(int argc, char **argv) + int use_legacy = 0; + #endif + /* use library defaults for the iter, maciter, cert, and key PBE */ +- int iter = 0, maciter = 0; ++ int iter = 0, maciter = 0, pbmac1_pbkdf2 = 0; + int macsaltlen = PKCS12_SALT_LEN; + int cert_pbe = NID_undef; + int key_pbe = NID_undef; + int ret = 1, 
macver = 1, add_lmk = 0, private = 0; + int noprompt = 0; + char *passinarg = NULL, *passoutarg = NULL, *passarg = NULL; +- char *passin = NULL, *passout = NULL, *macalg = NULL; ++ char *passin = NULL, *passout = NULL, *macalg = NULL, *pbmac1_pbkdf2_md = NULL; + char *cpass = NULL, *mpass = NULL, *badpass = NULL; + const char *CApath = NULL, *CAfile = NULL, *CAstore = NULL, *prog; + int noCApath = 0, noCAfile = 0, noCAstore = 0; +@@ -283,6 +285,12 @@ int pkcs12_main(int argc, char **argv) + case OPT_MACALG: + macalg = opt_arg(); + break; ++ case OPT_PBMAC1_PBKDF2: ++ pbmac1_pbkdf2 = 1; ++ break; ++ case OPT_PBMAC1_PBKDF2_MD: ++ pbmac1_pbkdf2_md = opt_arg(); ++ break; + case OPT_CERTPBE: + if (!set_pbe(&cert_pbe, opt_arg())) + goto opthelp; +@@ -700,10 +708,20 @@ int pkcs12_main(int argc, char **argv) + } + + if (maciter != -1) { +- if (!PKCS12_set_mac(p12, mpass, -1, NULL, macsaltlen, maciter, macmd)) { +- BIO_printf(bio_err, "Error creating PKCS12 MAC; no PKCS12KDF support?\n"); +- BIO_printf(bio_err, "Use -nomac if MAC not required and PKCS12KDF support not available.\n"); +- goto export_end; ++ if (pbmac1_pbkdf2 == 1) { ++ if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL, ++ macsaltlen, maciter, ++ macmd, pbmac1_pbkdf2_md)) { ++ BIO_printf(bio_err, "Error creating PBMAC1\n"); ++ goto export_end; ++ } ++ } else { ++ if (!PKCS12_set_mac(p12, mpass, -1, NULL, macsaltlen, maciter, macmd)) { ++ BIO_printf(bio_err, "Error creating PKCS12 MAC; no PKCS12KDF support?\n"); ++ BIO_printf(bio_err, ++ "Use -nomac or -pbmac1_pbkdf2 if PKCS12KDF support not available\n"); ++ goto export_end; ++ } + } + } + assert(private); +@@ -774,23 +792,54 @@ int pkcs12_main(int argc, char **argv) + X509_ALGOR_get0(&macobj, NULL, NULL, macalgid); + BIO_puts(bio_err, "MAC: "); + i2a_ASN1_OBJECT(bio_err, macobj); +- BIO_printf(bio_err, ", Iteration %ld\n", +- tmaciter != NULL ? ASN1_INTEGER_get(tmaciter) : 1L); +- BIO_printf(bio_err, "MAC length: %ld, salt length: %ld\n", +- tmac != NULL ? 
ASN1_STRING_length(tmac) : 0L, +- tsalt != NULL ? ASN1_STRING_length(tsalt) : 0L); ++ if (OBJ_obj2nid(macobj) == NID_pbmac1) { ++ PBKDF2PARAM *pbkdf2_param = PBMAC1_get1_pbkdf2_param(macalgid); ++ ++ if (pbkdf2_param == NULL) { ++ BIO_printf(bio_err, ", Unsupported KDF or params for PBMAC1\n"); ++ } else { ++ const ASN1_OBJECT *prfobj; ++ ++ BIO_printf(bio_err, " using PBKDF2, Iteration %ld\n", ++ ASN1_INTEGER_get(pbkdf2_param->iter)); ++ BIO_printf(bio_err, "Key length: %ld, Salt length: %d\n", ++ ASN1_INTEGER_get(pbkdf2_param->keylength), ++ ASN1_STRING_length(pbkdf2_param->salt->value.octet_string)); ++ X509_ALGOR_get0(&prfobj, NULL, NULL, pbkdf2_param->prf); ++ BIO_printf(bio_err, "PBKDF2 PRF: "); ++ i2a_ASN1_OBJECT(bio_err, prfobj); ++ BIO_printf(bio_err, "\n"); ++ } ++ PBKDF2PARAM_free(pbkdf2_param); ++ } else { ++ BIO_printf(bio_err, ", Iteration %ld\n", ++ tmaciter != NULL ? ASN1_INTEGER_get(tmaciter) : 1L); ++ BIO_printf(bio_err, "MAC length: %ld, salt length: %ld\n", ++ tmac != NULL ? ASN1_STRING_length(tmac) : 0L, ++ tsalt != NULL ? 
ASN1_STRING_length(tsalt) : 0L); ++ } + } ++ + if (macver) { +- EVP_KDF *pkcs12kdf; ++ const X509_ALGOR *macalgid; ++ const ASN1_OBJECT *macobj; + +- pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF", +- app_get0_propq()); +- if (pkcs12kdf == NULL) { +- BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n"); +- BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n"); +- goto end; ++ PKCS12_get0_mac(NULL, &macalgid, NULL, NULL, p12); ++ X509_ALGOR_get0(&macobj, NULL, NULL, macalgid); ++ ++ if (OBJ_obj2nid(macobj) != NID_pbmac1) { ++ EVP_KDF *pkcs12kdf; ++ ++ pkcs12kdf = EVP_KDF_fetch(app_get0_libctx(), "PKCS12KDF", ++ app_get0_propq()); ++ if (pkcs12kdf == NULL) { ++ BIO_printf(bio_err, "Error verifying PKCS12 MAC; no PKCS12KDF support.\n"); ++ BIO_printf(bio_err, "Use -nomacver if MAC verification is not required.\n"); ++ goto end; ++ } ++ EVP_KDF_free(pkcs12kdf); + } +- EVP_KDF_free(pkcs12kdf); ++ + /* If we enter empty password try no password first */ + if (!mpass[0] && PKCS12_verify_mac(p12, NULL, 0)) { + /* If mac and crypto pass the same set it to NULL too */ +diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c +index 8575d05bf6d5a..c22cc6b77075d 100644 +--- a/crypto/asn1/p5_pbev2.c ++++ b/crypto/asn1/p5_pbev2.c +@@ -35,6 +35,13 @@ ASN1_SEQUENCE(PBKDF2PARAM) = { + + IMPLEMENT_ASN1_FUNCTIONS(PBKDF2PARAM) + ++ASN1_SEQUENCE(PBMAC1PARAM) = { ++ ASN1_SIMPLE(PBMAC1PARAM, keyDerivationFunc, X509_ALGOR), ++ ASN1_SIMPLE(PBMAC1PARAM, messageAuthScheme, X509_ALGOR) ++} ASN1_SEQUENCE_END(PBMAC1PARAM) ++ ++IMPLEMENT_ASN1_FUNCTIONS(PBMAC1PARAM) ++ + /* + * Return an algorithm identifier for a PKCS#5 v2.0 PBE algorithm: yes I know + * this is horrible! 
Extended version to allow application supplied PRF NID +diff --git a/crypto/evp/digest.c b/crypto/evp/digest.c +index 18a64329b7a35..a74e2fa42c5bb 100644 +--- a/crypto/evp/digest.c ++++ b/crypto/evp/digest.c +@@ -20,6 +20,7 @@ + #include + #include + #include "internal/cryptlib.h" ++#include "internal/nelem.h" + #include "internal/provider.h" + #include "internal/core.h" + #include "crypto/evp.h" +@@ -1185,3 +1186,56 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX *libctx, + (void (*)(void *, void *))fn, arg, + evp_md_from_algorithm, evp_md_up_ref, evp_md_free); + } ++ ++typedef struct { ++ int md_nid; ++ int hmac_nid; ++} ossl_hmacmd_pair; ++ ++static const ossl_hmacmd_pair ossl_hmacmd_pairs[] = { ++ {NID_sha1, NID_hmacWithSHA1}, ++ {NID_md5, NID_hmacWithMD5}, ++ {NID_sha224, NID_hmacWithSHA224}, ++ {NID_sha256, NID_hmacWithSHA256}, ++ {NID_sha384, NID_hmacWithSHA384}, ++ {NID_sha512, NID_hmacWithSHA512}, ++ {NID_id_GostR3411_94, NID_id_HMACGostR3411_94}, ++ {NID_id_GostR3411_2012_256, NID_id_tc26_hmac_gost_3411_2012_256}, ++ {NID_id_GostR3411_2012_512, NID_id_tc26_hmac_gost_3411_2012_512}, ++ {NID_sha3_224, NID_hmac_sha3_224}, ++ {NID_sha3_256, NID_hmac_sha3_256}, ++ {NID_sha3_384, NID_hmac_sha3_384}, ++ {NID_sha3_512, NID_hmac_sha3_512}, ++ {NID_sha512_224, NID_hmacWithSHA512_224}, ++ {NID_sha512_256, NID_hmacWithSHA512_256} ++}; ++ ++int ossl_hmac2mdnid(int hmac_nid) ++{ ++ int md_nid = NID_undef; ++ size_t i; ++ ++ for (i = 0; i < OSSL_NELEM(ossl_hmacmd_pairs); i++) { ++ if (ossl_hmacmd_pairs[i].hmac_nid == hmac_nid) { ++ md_nid = ossl_hmacmd_pairs[i].md_nid; ++ break; ++ } ++ } ++ ++ return md_nid; ++} ++ ++int ossl_md2hmacnid(int md_nid) ++{ ++ int hmac_nid = NID_undef; ++ size_t i; ++ ++ for (i = 0; i < OSSL_NELEM(ossl_hmacmd_pairs); i++) { ++ if (ossl_hmacmd_pairs[i].md_nid == md_nid) { ++ hmac_nid = ossl_hmacmd_pairs[i].hmac_nid; ++ break; ++ } ++ } ++ ++ return hmac_nid; ++} +diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c +index 
4091e61d9dd06..d410978a49e1e 100644 +--- a/crypto/pkcs12/p12_mutl.c ++++ b/crypto/pkcs12/p12_mutl.c +@@ -15,12 +15,19 @@ + + #include + #include "internal/cryptlib.h" ++#include "crypto/evp.h" + #include + #include + #include + #include + #include "p12_local.h" + ++static int pkcs12_pbmac1_pbkdf2_key_gen(const char *pass, int passlen, ++ unsigned char *salt, int saltlen, ++ int id, int iter, int keylen, ++ unsigned char *out, ++ const EVP_MD *md_type); ++ + int PKCS12_mac_present(const PKCS12 *p12) + { + return p12->mac ? 1 : 0; +@@ -72,9 +79,76 @@ static int pkcs12_gen_gost_mac_key(const char *pass, int passlen, + return 1; + } + +-/* Generate a MAC */ ++PBKDF2PARAM *PBMAC1_get1_pbkdf2_param(const X509_ALGOR *macalg) ++{ ++ PBMAC1PARAM *param = NULL; ++ PBKDF2PARAM *pbkdf2_param = NULL; ++ const ASN1_OBJECT *kdf_oid; ++ ++ param = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBMAC1PARAM), macalg->parameter); ++ if (param == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_INVALID_ARGUMENT); ++ return NULL; ++ } ++ ++ X509_ALGOR_get0(&kdf_oid, NULL, NULL, param->keyDerivationFunc); ++ if (OBJ_obj2nid(kdf_oid) != NID_id_pbkdf2) { ++ ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_INVALID_ARGUMENT); ++ PBMAC1PARAM_free(param); ++ return NULL; ++ } ++ ++ pbkdf2_param = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBKDF2PARAM), ++ param->keyDerivationFunc->parameter); ++ PBMAC1PARAM_free(param); ++ ++ return pbkdf2_param; ++} ++ ++static int PBMAC1_PBKDF2_HMAC(OSSL_LIB_CTX *ctx, const char *propq, ++ const char *pass, int passlen, ++ const X509_ALGOR *macalg, unsigned char *key) ++{ ++ PBKDF2PARAM *pbkdf2_param = NULL; ++ const ASN1_OBJECT *kdf_hmac_oid; ++ int ret = -1; ++ int keylen = 0; ++ EVP_MD *kdf_md = NULL; ++ const ASN1_OCTET_STRING *pbkdf2_salt = NULL; ++ ++ pbkdf2_param = PBMAC1_get1_pbkdf2_param(macalg); ++ if (pbkdf2_param == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, ERR_R_UNSUPPORTED); ++ goto err; ++ } ++ keylen = ASN1_INTEGER_get(pbkdf2_param->keylength); ++ pbkdf2_salt = 
pbkdf2_param->salt->value.octet_string; ++ X509_ALGOR_get0(&kdf_hmac_oid, NULL, NULL, pbkdf2_param->prf); ++ ++ kdf_md = EVP_MD_fetch(ctx, OBJ_nid2sn(ossl_hmac2mdnid(OBJ_obj2nid(kdf_hmac_oid))), propq); ++ if (kdf_md == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, ERR_R_FETCH_FAILED); ++ goto err; ++ } ++ ++ if (PKCS5_PBKDF2_HMAC(pass, passlen, pbkdf2_salt->data, pbkdf2_salt->length, ++ ASN1_INTEGER_get(pbkdf2_param->iter), kdf_md, keylen, key) <= 0) { ++ ERR_raise(ERR_LIB_PKCS12, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ret = keylen; ++ ++ err: ++ EVP_MD_free(kdf_md); ++ PBKDF2PARAM_free(pbkdf2_param); ++ ++ return ret; ++} ++ ++/* Generate a MAC, also used for verification */ + static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, + unsigned char *mac, unsigned int *maclen, ++ int pbmac1_md_nid, int pbmac1_kdf_nid, + int (*pkcs12_key_gen)(const char *pass, int passlen, + unsigned char *salt, int slen, + int id, int iter, int n, +@@ -88,8 +162,8 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, + unsigned char key[EVP_MAX_MD_SIZE], *salt; + int saltlen, iter; + char md_name[80]; +- int md_size = 0; +- int md_nid; ++ int keylen = 0; ++ int md_nid = NID_undef; + const X509_ALGOR *macalg; + const ASN1_OBJECT *macoid; + +@@ -111,9 +185,13 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, + iter = ASN1_INTEGER_get(p12->mac->iter); + X509_SIG_get0(p12->mac->dinfo, &macalg, NULL); + X509_ALGOR_get0(&macoid, NULL, NULL, macalg); +- if (OBJ_obj2txt(md_name, sizeof(md_name), macoid, 0) < 0) +- return 0; +- ++ if (OBJ_obj2nid(macoid) == NID_pbmac1) { ++ if (OBJ_obj2txt(md_name, sizeof(md_name), OBJ_nid2obj(pbmac1_md_nid), 0) < 0) ++ return 0; ++ } else { ++ if (OBJ_obj2txt(md_name, sizeof(md_name), macoid, 0) < 0) ++ return 0; ++ } + (void)ERR_set_mark(); + md = md_fetch = EVP_MD_fetch(p12->authsafes->ctx.libctx, md_name, + p12->authsafes->ctx.propq); +@@ -127,40 +205,61 @@ static int pkcs12_gen_mac(PKCS12 *p12, const 
char *pass, int passlen, + } + (void)ERR_pop_to_mark(); + +- md_size = EVP_MD_get_size(md); ++ keylen = EVP_MD_get_size(md); + md_nid = EVP_MD_get_type(md); +- if (md_size < 0) ++ if (keylen < 0) + goto err; +- if ((md_nid == NID_id_GostR3411_94 +- || md_nid == NID_id_GostR3411_2012_256 +- || md_nid == NID_id_GostR3411_2012_512) +- && ossl_safe_getenv("LEGACY_GOST_PKCS12") == NULL) { +- md_size = TK26_MAC_KEY_LEN; ++ ++ /* For PBMAC1 we use a special keygen callback if not provided (e.g. on verification) */ ++ if (pbmac1_md_nid != NID_undef && pkcs12_key_gen == NULL) { ++ keylen = PBMAC1_PBKDF2_HMAC(p12->authsafes->ctx.libctx, p12->authsafes->ctx.propq, ++ pass, passlen, macalg, key); ++ if (keylen < 0) ++ goto err; ++ } else if ((md_nid == NID_id_GostR3411_94 ++ || md_nid == NID_id_GostR3411_2012_256 ++ || md_nid == NID_id_GostR3411_2012_512) ++ && ossl_safe_getenv("LEGACY_GOST_PKCS12") == NULL) { ++ keylen = TK26_MAC_KEY_LEN; + if (!pkcs12_gen_gost_mac_key(pass, passlen, salt, saltlen, iter, +- md_size, key, md)) { ++ keylen, key, md)) { + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_KEY_GEN_ERROR); + goto err; + } + } else { ++ EVP_MD *hmac_md = (EVP_MD *)md; ++ int fetched = 0; ++ ++ if (pbmac1_kdf_nid != NID_undef) { ++ char hmac_md_name[128]; ++ ++ if (OBJ_obj2txt(hmac_md_name, sizeof(hmac_md_name), OBJ_nid2obj(pbmac1_kdf_nid), 0) < 0) ++ goto err; ++ hmac_md = EVP_MD_fetch(NULL, hmac_md_name, NULL); ++ fetched = 1; ++ } + if (pkcs12_key_gen != NULL) { +- if (!(*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_MAC_ID, +- iter, md_size, key, md)) { ++ int res = (*pkcs12_key_gen)(pass, passlen, salt, saltlen, PKCS12_MAC_ID, ++ iter, keylen, key, hmac_md); ++ ++ if (fetched) ++ EVP_MD_free(hmac_md); ++ if (res != 1) { + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_KEY_GEN_ERROR); + goto err; + } + } else { + /* Default to UTF-8 password */ + if (!PKCS12_key_gen_utf8_ex(pass, passlen, salt, saltlen, PKCS12_MAC_ID, +- iter, md_size, key, md, +- p12->authsafes->ctx.libctx, +- 
p12->authsafes->ctx.propq)) { ++ iter, keylen, key, md, ++ p12->authsafes->ctx.libctx, p12->authsafes->ctx.propq)) { + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_KEY_GEN_ERROR); + goto err; + } + } + } + if ((hmac = HMAC_CTX_new()) == NULL +- || !HMAC_Init_ex(hmac, key, md_size, md, NULL) ++ || !HMAC_Init_ex(hmac, key, keylen, md, NULL) + || !HMAC_Update(hmac, p12->authsafes->d.data->data, + p12->authsafes->d.data->length) + || !HMAC_Final(hmac, mac, maclen)) { +@@ -178,7 +277,7 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, + int PKCS12_gen_mac(PKCS12 *p12, const char *pass, int passlen, + unsigned char *mac, unsigned int *maclen) + { +- return pkcs12_gen_mac(p12, pass, passlen, mac, maclen, NULL); ++ return pkcs12_gen_mac(p12, pass, passlen, mac, maclen, NID_undef, NID_undef, NULL); + } + + /* Verify the mac */ +@@ -187,14 +286,40 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) + unsigned char mac[EVP_MAX_MD_SIZE]; + unsigned int maclen; + const ASN1_OCTET_STRING *macoct; ++ const X509_ALGOR *macalg; ++ const ASN1_OBJECT *macoid; + + if (p12->mac == NULL) { + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_ABSENT); + return 0; + } +- if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen, NULL)) { +- ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_GENERATION_ERROR); +- return 0; ++ ++ X509_SIG_get0(p12->mac->dinfo, &macalg, NULL); ++ X509_ALGOR_get0(&macoid, NULL, NULL, macalg); ++ if (OBJ_obj2nid(macoid) == NID_pbmac1) { ++ PBMAC1PARAM *param = NULL; ++ const ASN1_OBJECT *hmac_oid; ++ int md_nid = NID_undef; ++ ++ param = ASN1_TYPE_unpack_sequence(ASN1_ITEM_rptr(PBMAC1PARAM), macalg->parameter); ++ if (param == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, ERR_R_UNSUPPORTED); ++ return 0; ++ } ++ X509_ALGOR_get0(&hmac_oid, NULL, NULL, param->messageAuthScheme); ++ md_nid = ossl_hmac2mdnid(OBJ_obj2nid(hmac_oid)); ++ ++ if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen, md_nid, NID_undef, NULL)) { ++ ERR_raise(ERR_LIB_PKCS12, 
PKCS12_R_MAC_GENERATION_ERROR); ++ PBMAC1PARAM_free(param); ++ return 0; ++ } ++ PBMAC1PARAM_free(param); ++ } else { ++ if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen, NID_undef, NID_undef, NULL)) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_GENERATION_ERROR); ++ return 0; ++ } + } + X509_SIG_get0(p12->mac->dinfo, NULL, &macoct); + if ((maclen != (unsigned int)ASN1_STRING_length(macoct)) +@@ -205,7 +330,6 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen) + } + + /* Set a mac */ +- + int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, + unsigned char *salt, int saltlen, int iter, + const EVP_MD *md_type) +@@ -226,7 +350,7 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, + /* + * Note that output mac is forced to UTF-8... + */ +- if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen, NULL)) { ++ if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen, NID_undef, NID_undef, NULL)) { + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_GENERATION_ERROR); + return 0; + } +@@ -238,9 +362,18 @@ int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, + return 1; + } + +-/* Set up a mac structure */ +-int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, +- const EVP_MD *md_type) ++static int pkcs12_pbmac1_pbkdf2_key_gen(const char *pass, int passlen, ++ unsigned char *salt, int saltlen, ++ int id, int iter, int keylen, ++ unsigned char *out, ++ const EVP_MD *md_type) ++{ ++ return PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, iter, ++ md_type, keylen, out); ++} ++ ++static int pkcs12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, ++ int nid) + { + X509_ALGOR *macalg; + +@@ -274,11 +407,112 @@ int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, + memcpy(p12->mac->salt->data, salt, saltlen); + } + X509_SIG_getm(p12->mac->dinfo, &macalg, NULL); +- if (!X509_ALGOR_set0(macalg, OBJ_nid2obj(EVP_MD_get_type(md_type)), +- V_ASN1_NULL, NULL)) { ++ if 
(!X509_ALGOR_set0(macalg, OBJ_nid2obj(nid), V_ASN1_NULL, NULL)) { + ERR_raise(ERR_LIB_PKCS12, ERR_R_ASN1_LIB); + return 0; + } + + return 1; + } ++ ++/* Set up a mac structure */ ++int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, int saltlen, ++ const EVP_MD *md_type) ++{ ++ return pkcs12_setup_mac(p12, iter, salt, saltlen, EVP_MD_get_type(md_type)); ++} ++ ++int PKCS12_set_pbmac1_pbkdf2(PKCS12 *p12, const char *pass, int passlen, ++ unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *md_type, const char *prf_md_name) ++{ ++ unsigned char mac[EVP_MAX_MD_SIZE]; ++ unsigned int maclen; ++ ASN1_OCTET_STRING *macoct; ++ X509_ALGOR *alg = NULL; ++ int ret = 0; ++ int prf_md_nid = NID_undef, prf_nid = NID_undef, hmac_nid; ++ unsigned char *known_salt = NULL; ++ int keylen = 0; ++ PBMAC1PARAM *param = NULL; ++ X509_ALGOR *hmac_alg = NULL, *macalg = NULL; ++ ++ if (md_type == NULL) ++ /* No need to do a fetch as the md_type is used only to get a NID */ ++ md_type = EVP_sha256(); ++ ++ if (prf_md_name == NULL) ++ prf_md_nid = EVP_MD_get_type(md_type); ++ else ++ prf_md_nid = OBJ_txt2nid(prf_md_name); ++ ++ if (iter == 0) ++ iter = PKCS12_DEFAULT_ITER; ++ ++ keylen = EVP_MD_get_size(md_type); ++ ++ prf_nid = ossl_md2hmacnid(prf_md_nid); ++ hmac_nid = ossl_md2hmacnid(EVP_MD_get_type(md_type)); ++ ++ if (prf_nid == NID_undef || hmac_nid == NID_undef) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM); ++ goto err; ++ } ++ ++ if (salt == NULL) { ++ known_salt = OPENSSL_malloc(saltlen); ++ if (known_salt == NULL) ++ goto err; ++ ++ if (RAND_bytes_ex(NULL, known_salt, saltlen, 0) <= 0) { ++ ERR_raise(ERR_LIB_PKCS12, ERR_R_RAND_LIB); ++ goto err; ++ } ++ } ++ ++ param = PBMAC1PARAM_new(); ++ hmac_alg = X509_ALGOR_new(); ++ alg = PKCS5_pbkdf2_set(iter, salt ? salt : known_salt, saltlen, prf_nid, keylen); ++ if (param == NULL || hmac_alg == NULL || alg == NULL) ++ goto err; ++ ++ if (pkcs12_setup_mac(p12, iter, salt ? 
salt : known_salt, saltlen, ++ NID_pbmac1) == PKCS12_ERROR) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_SETUP_ERROR); ++ goto err; ++ } ++ ++ if (!X509_ALGOR_set0(hmac_alg, OBJ_nid2obj(hmac_nid), V_ASN1_NULL, NULL)) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_SETUP_ERROR); ++ goto err; ++ } ++ ++ X509_ALGOR_free(param->keyDerivationFunc); ++ X509_ALGOR_free(param->messageAuthScheme); ++ param->keyDerivationFunc = alg; ++ param->messageAuthScheme = hmac_alg; ++ ++ X509_SIG_getm(p12->mac->dinfo, &macalg, &macoct); ++ if (!ASN1_TYPE_pack_sequence(ASN1_ITEM_rptr(PBMAC1PARAM), param, &macalg->parameter)) ++ goto err; ++ ++ /* ++ * Note that output mac is forced to UTF-8... ++ */ ++ if (!pkcs12_gen_mac(p12, pass, passlen, mac, &maclen, ++ EVP_MD_get_type(md_type), prf_md_nid, ++ pkcs12_pbmac1_pbkdf2_key_gen)) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_GENERATION_ERROR); ++ goto err; ++ } ++ if (!ASN1_OCTET_STRING_set(macoct, mac, maclen)) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_MAC_STRING_SET_ERROR); ++ goto err; ++ } ++ ret = 1; ++ ++ err: ++ PBMAC1PARAM_free(param); ++ OPENSSL_free(known_salt); ++ return ret; ++} +diff --git a/include/crypto/evp.h b/include/crypto/evp.h +index 32c60f223c78c..72d9995e8f0f4 100644 +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h +@@ -964,4 +964,7 @@ int evp_pkey_decrypt_alloc(EVP_PKEY_CTX *ctx, unsigned char **outp, + size_t *outlenp, size_t expected_outlen, + const unsigned char *in, size_t inlen); + ++int ossl_md2hmacnid(int mdnid); ++int ossl_hmac2mdnid(int hmac_nid); ++ + #endif /* OSSL_CRYPTO_EVP_H */ +diff --git a/include/openssl/pkcs12.h.in b/include/openssl/pkcs12.h.in +index 35759d4deadc3..ab62207e49b55 100644 +--- a/include/openssl/pkcs12.h.in ++++ b/include/openssl/pkcs12.h.in +@@ -269,6 +269,9 @@ int PKCS12_verify_mac(PKCS12 *p12, const char *pass, int passlen); + int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, + unsigned char *salt, int saltlen, int iter, + const EVP_MD *md_type); ++int 
PKCS12_set_pbmac1_pbkdf2(PKCS12 *p12, const char *pass, int passlen, ++ unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *md_type, const char *prf_md_name); + int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, + int saltlen, const EVP_MD *md_type); + unsigned char *OPENSSL_asc2uni(const char *asc, int asclen, +diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in +index 99bc4aab29133..b7f080a5360db 100644 +--- a/include/openssl/x509.h.in ++++ b/include/openssl/x509.h.in +@@ -279,7 +279,12 @@ typedef struct PBKDF2PARAM_st { + X509_ALGOR *prf; + } PBKDF2PARAM; + +-#ifndef OPENSSL_NO_SCRYPT ++typedef struct { ++ X509_ALGOR *keyDerivationFunc; ++ X509_ALGOR *messageAuthScheme; ++} PBMAC1PARAM; ++ ++# ifndef OPENSSL_NO_SCRYPT + typedef struct SCRYPT_PARAMS_st { + ASN1_OCTET_STRING *salt; + ASN1_INTEGER *costParameter; +@@ -287,7 +292,7 @@ typedef struct SCRYPT_PARAMS_st { + ASN1_INTEGER *parallelizationParameter; + ASN1_INTEGER *keyLength; + } SCRYPT_PARAMS; +-#endif ++# endif + + #ifdef __cplusplus + } +@@ -1023,9 +1028,10 @@ X509 *X509_find_by_subject(STACK_OF(X509) *sk, const X509_NAME *name); + DECLARE_ASN1_FUNCTIONS(PBEPARAM) + DECLARE_ASN1_FUNCTIONS(PBE2PARAM) + DECLARE_ASN1_FUNCTIONS(PBKDF2PARAM) +-#ifndef OPENSSL_NO_SCRYPT ++DECLARE_ASN1_FUNCTIONS(PBMAC1PARAM) ++# ifndef OPENSSL_NO_SCRYPT + DECLARE_ASN1_FUNCTIONS(SCRYPT_PARAMS) +-#endif ++# endif + + int PKCS5_pbe_set0_algor(X509_ALGOR *algor, int alg, int iter, + const unsigned char *salt, int saltlen); +@@ -1062,6 +1068,7 @@ X509_ALGOR *PKCS5_pbkdf2_set_ex(int iter, unsigned char *salt, int saltlen, + int prf_nid, int keylen, + OSSL_LIB_CTX *libctx); + ++PBKDF2PARAM *PBMAC1_get1_pbkdf2_param(const X509_ALGOR *macalg); + /* PKCS#8 utilities */ + + DECLARE_ASN1_FUNCTIONS(PKCS8_PRIV_KEY_INFO) + +From 29d98a8287d217b2232344056934d3cd2c6f44a3 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Fri, 7 Jun 2024 14:38:40 +0200 +Subject: [PATCH 2/4] Implementation of the RFC 
9579, PBMAC1 in PKCS#12 - + documentation + +--- + doc/man1/openssl-pkcs12.pod.in | 11 +++++++ + doc/man3/PBMAC1_get1_pbkdf2_param.pod | 46 +++++++++++++++++++++++++++ + doc/man3/PKCS12_gen_mac.pod | 37 ++++++++++++++++----- + doc/man3/X509_dup.pod | 3 ++ + doc/man3/d2i_X509.pod | 2 ++ + util/missingcrypto.txt | 1 - + util/missingcrypto111.txt | 1 - + 7 files changed, 91 insertions(+), 10 deletions(-) + create mode 100644 doc/man3/PBMAC1_get1_pbkdf2_param.pod + +diff --git a/doc/man1/openssl-pkcs12.pod.in b/doc/man1/openssl-pkcs12.pod.in +index 665b22bb644ac..020543cd5c895 100644 +--- a/doc/man1/openssl-pkcs12.pod.in ++++ b/doc/man1/openssl-pkcs12.pod.in +@@ -62,6 +62,8 @@ PKCS#12 output (export) options: + [B<-certpbe> I] + [B<-descert>] + [B<-macalg> I] ++[B<-pbmac1_pbkdf2>] ++[B<-pbmac1_pbkdf2_md> I] + [B<-iter> I] + [B<-noiter>] + [B<-nomaciter>] +@@ -345,6 +347,15 @@ then both, the private key and the certificates are encrypted using triple DES. + + Specify the MAC digest algorithm. If not included SHA256 will be used. + ++=item B<-pbmac1_pbkdf2> ++ ++Use PBMAC1 with PBKDF2 for MAC protection of the PKCS#12 file. ++ ++=item B<-pbmac1_pbkdf2_md> I ++ ++Specify the PBKDF2 KDF digest algorithm. If not specified, SHA256 will be used. ++Unless C<-pbmac1_pbkdf2> is specified, this parameter is ignored. ++ + =item B<-iter> I + + This option specifies the iteration count for the encryption key and MAC. The +diff --git a/doc/man3/PBMAC1_get1_pbkdf2_param.pod b/doc/man3/PBMAC1_get1_pbkdf2_param.pod +new file mode 100644 +index 0000000000000..415c3cd214a2e +--- /dev/null ++++ b/doc/man3/PBMAC1_get1_pbkdf2_param.pod +@@ -0,0 +1,46 @@ ++=pod ++ ++=head1 NAME ++ ++PBMAC1_get1_pbkdf2_param - Function to manipulate a PBMAC1 ++MAC structure ++ ++=head1 SYNOPSIS ++ ++ #include ++ ++ PBKDF2PARAM *PBMAC1_get1_pbkdf2_param(const X509_ALGOR *macalg); ++ ++=head1 DESCRIPTION ++ ++PBMAC1_get1_pbkdf2_param() retrieves a B structure from an ++I structure. 
++ ++=head1 RETURN VALUES ++ ++PBMAC1_get1_pbkdf2_param() returns NULL in case when PBMAC1 uses an algorithm ++apart from B or when passed incorrect parameters and a pointer to ++B structure otherwise. ++ ++=head1 CONFORMING TO ++ ++IETF RFC 9579 (L) ++ ++=head1 SEE ALSO ++ ++L ++ ++=head1 HISTORY ++ ++The I function was added in OpenSSL 3.4. ++ ++=head1 COPYRIGHT ++ ++Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +diff --git a/doc/man3/PKCS12_gen_mac.pod b/doc/man3/PKCS12_gen_mac.pod +index a72df145fedd7..ebeee98f04e68 100644 +--- a/doc/man3/PKCS12_gen_mac.pod ++++ b/doc/man3/PKCS12_gen_mac.pod +@@ -3,7 +3,8 @@ + =head1 NAME + + PKCS12_gen_mac, PKCS12_setup_mac, PKCS12_set_mac, +-PKCS12_verify_mac - Functions to create and manipulate a PKCS#12 structure ++PKCS12_set_pbmac1_pbkdf2, PKCS12_verify_mac, PKCS12_get0_mac - ++Functions to create and manipulate a PKCS#12 MAC structure + + =head1 SYNOPSIS + +@@ -15,9 +16,19 @@ PKCS12_verify_mac - Functions to create and manipulate a PKCS#12 structure + int PKCS12_set_mac(PKCS12 *p12, const char *pass, int passlen, + unsigned char *salt, int saltlen, int iter, + const EVP_MD *md_type); ++ int PKCS12_set_pbmac1_pbkdf2(PKCS12 *p12, const char *pass, int passlen, ++ unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *md_type, ++ const char *prf_md_name); + int PKCS12_setup_mac(PKCS12 *p12, int iter, unsigned char *salt, + int saltlen, const EVP_MD *md_type); + ++ void PKCS12_get0_mac(const ASN1_OCTET_STRING **pmac, ++ const X509_ALGOR **pmacalg, ++ const ASN1_OCTET_STRING **psalt, ++ const ASN1_INTEGER **piter, ++ const PKCS12 *p12); ++ + =head1 DESCRIPTION + + PKCS12_gen_mac() generates an HMAC over the entire PKCS#12 object using the +@@ -31,10 +42,15 @@ PKCS12_setup_mac() sets 
the MAC part of the PKCS#12 structure with the supplied + parameters. + + PKCS12_set_mac() sets the MAC and MAC parameters into the PKCS#12 object. ++PKCS12_set_pbmac1_pbkdf2() sets the MAC and MAC parameters into the PKCS#12 ++object when B with PBKDF2 is used for protection of the PKCS#12 object. + + I is the passphrase to use in the HMAC. I is the salt value to use, +-I is the iteration count and I is the message digest +-function to use. ++I is the iteration count and I is the message digest function to ++use. I specifies the digest used for the PBKDF2 in PBMAC1 KDF. ++ ++PKCS12_get0_mac() retrieves any included MAC value, B object, ++I, and I count from the PKCS12 object. + + =head1 NOTES + +@@ -43,17 +59,18 @@ If I is NULL then a suitable salt will be generated and used. + If I is 1 then an iteration count will be omitted from the PKCS#12 + structure. + +-PKCS12_gen_mac(), PKCS12_verify_mac() and PKCS12_set_mac() make assumptions +-regarding the encoding of the given passphrase. See L +-for more information. ++PKCS12_gen_mac(), PKCS12_verify_mac(), PKCS12_set_mac() and ++PKCS12_set_pbmac1_pbkdf2() make assumptions regarding the encoding of the ++given passphrase. See L for more information. + + =head1 RETURN VALUES + +-All functions return 1 on success and 0 if an error occurred. ++All functions returning an integer return 1 on success and 0 if an error occurred. + + =head1 CONFORMING TO + + IETF RFC 7292 (L) ++IETF RFC 9579 (L) + + =head1 SEE ALSO + +@@ -62,9 +79,13 @@ L, + L, + L + ++=head1 HISTORY ++ ++The I function was added in OpenSSL 3.4. ++ + =head1 COPYRIGHT + +-Copyright 2021-2023 The OpenSSL Project Authors. All Rights Reserved. ++Copyright 2021-2024 The OpenSSL Project Authors. All Rights Reserved. + + Licensed under the Apache License 2.0 (the "License"). You may not use + this file except in compliance with the License. 
You can obtain a copy +diff --git a/doc/man3/X509_dup.pod b/doc/man3/X509_dup.pod +index fc93494a76617..81ea2275d7414 100644 +--- a/doc/man3/X509_dup.pod ++++ b/doc/man3/X509_dup.pod +@@ -218,6 +218,9 @@ PBEPARAM_free, + PBEPARAM_new, + PBKDF2PARAM_free, + PBKDF2PARAM_new, ++PBMAC1PARAM_free, ++PBMAC1PARAM_it, ++PBMAC1PARAM_new, + PKCS12_BAGS_free, + PKCS12_BAGS_new, + PKCS12_MAC_DATA_free, +diff --git a/doc/man3/d2i_X509.pod b/doc/man3/d2i_X509.pod +index 75b37e5544396..3615bcaafe7c0 100644 +--- a/doc/man3/d2i_X509.pod ++++ b/doc/man3/d2i_X509.pod +@@ -115,6 +115,7 @@ d2i_OTHERNAME, + d2i_PBE2PARAM, + d2i_PBEPARAM, + d2i_PBKDF2PARAM, ++d2i_PBMAC1PARAM, + d2i_PKCS12, + d2i_PKCS12_BAGS, + d2i_PKCS12_MAC_DATA, +@@ -300,6 +301,7 @@ i2d_OTHERNAME, + i2d_PBE2PARAM, + i2d_PBEPARAM, + i2d_PBKDF2PARAM, ++i2d_PBMAC1PARAM, + i2d_PKCS12, + i2d_PKCS12_BAGS, + i2d_PKCS12_MAC_DATA, +diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt +index b7d5091b31912..a56491d0f8b94 100644 +--- a/util/missingcrypto.txt ++++ b/util/missingcrypto.txt +@@ -749,7 +749,6 @@ PKCS12_MAC_DATA_it(3) + PKCS12_PBE_add(3) + PKCS12_SAFEBAGS_it(3) + PKCS12_SAFEBAG_it(3) +-PKCS12_get0_mac(3) + PKCS12_get_attr(3) + PKCS12_it(3) + PKCS12_item_pack_safebag(3) +diff --git a/util/missingcrypto111.txt b/util/missingcrypto111.txt +index 0386701ad1e32..f3402ada7e60f 100644 +--- a/util/missingcrypto111.txt ++++ b/util/missingcrypto111.txt +@@ -1027,7 +1027,6 @@ PKCS12_add_safe(3) + PKCS12_add_safes(3) + PKCS12_decrypt_skey(3) + PKCS12_gen_mac(3) +-PKCS12_get0_mac(3) + PKCS12_get_attr(3) + PKCS12_get_attr_gen(3) + PKCS12_get_friendlyname(3) + +From 7257898633703d5841aefa7fb4f9d192430fdad8 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Thu, 6 Jun 2024 13:07:48 +0200 +Subject: [PATCH 3/4] Make update + +--- + doc/build.info | 6 ++++++ + util/libcrypto.num | 7 +++++++ + 2 files changed, 13 insertions(+) + +diff --git a/doc/build.info b/doc/build.info +index d47371e88aa9f..60a5d9b86bd5c 100644 +--- 
a/doc/build.info ++++ b/doc/build.info +@@ -1847,6 +1847,10 @@ DEPEND[html/man3/OpenSSL_version.html]=man3/OpenSSL_version.pod + GENERATE[html/man3/OpenSSL_version.html]=man3/OpenSSL_version.pod + DEPEND[man/man3/OpenSSL_version.3]=man3/OpenSSL_version.pod + GENERATE[man/man3/OpenSSL_version.3]=man3/OpenSSL_version.pod ++DEPEND[html/man3/PBMAC1_get1_pbkdf2_param.html]=man3/PBMAC1_get1_pbkdf2_param.pod ++GENERATE[html/man3/PBMAC1_get1_pbkdf2_param.html]=man3/PBMAC1_get1_pbkdf2_param.pod ++DEPEND[man/man3/PBMAC1_get1_pbkdf2_param.3]=man3/PBMAC1_get1_pbkdf2_param.pod ++GENERATE[man/man3/PBMAC1_get1_pbkdf2_param.3]=man3/PBMAC1_get1_pbkdf2_param.pod + DEPEND[html/man3/PEM_X509_INFO_read_bio_ex.html]=man3/PEM_X509_INFO_read_bio_ex.pod + GENERATE[html/man3/PEM_X509_INFO_read_bio_ex.html]=man3/PEM_X509_INFO_read_bio_ex.pod + DEPEND[man/man3/PEM_X509_INFO_read_bio_ex.3]=man3/PEM_X509_INFO_read_bio_ex.pod +@@ -3453,6 +3457,7 @@ html/man3/OSSL_trace_get_category_num.html \ + html/man3/OSSL_trace_set_channel.html \ + html/man3/OpenSSL_add_all_algorithms.html \ + html/man3/OpenSSL_version.html \ ++html/man3/PBMAC1_get1_pbkdf2_param.html \ + html/man3/PEM_X509_INFO_read_bio_ex.html \ + html/man3/PEM_bytes_read_bio.html \ + html/man3/PEM_read.html \ +@@ -4113,6 +4118,7 @@ man/man3/OSSL_trace_get_category_num.3 \ + man/man3/OSSL_trace_set_channel.3 \ + man/man3/OpenSSL_add_all_algorithms.3 \ + man/man3/OpenSSL_version.3 \ ++man/man3/PBMAC1_get1_pbkdf2_param.3 \ + man/man3/PEM_X509_INFO_read_bio_ex.3 \ + man/man3/PEM_bytes_read_bio.3 \ + man/man3/PEM_read.3 \ +diff --git a/util/libcrypto.num b/util/libcrypto.num +index 7f958a4fa31db..ef11c0302e396 100644 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -5664,3 +5664,10 @@ OSSL_IETF_ATTR_SYNTAX_get_value_num ? 3_4_0 EXIST::FUNCTION: + OPENSSL_strncasecmp ? 3_0_1 EXIST::FUNCTION: + ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: + ossl_ctx_legacy_digest_signatures_allowed_set ? 
3_0_1 EXIST::FUNCTION: ++PKCS12_set_pbmac1_pbkdf2 ? 3_4_0 EXIST::FUNCTION: ++PBMAC1_get1_pbkdf2_param ? 3_4_0 EXIST::FUNCTION: ++d2i_PBMAC1PARAM ? 3_4_0 EXIST::FUNCTION: ++i2d_PBMAC1PARAM ? 3_4_0 EXIST::FUNCTION: ++PBMAC1PARAM_free ? 3_4_0 EXIST::FUNCTION: ++PBMAC1PARAM_new ? 3_4_0 EXIST::FUNCTION: ++PBMAC1PARAM_it ? 3_4_0 EXIST::FUNCTION: + +From 97fbb9437163fb5114da40250b7ace83748a2e81 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Thu, 6 Jun 2024 17:01:45 +0200 +Subject: [PATCH 4/4] Test vectors from rfc9579 and creation tests + +--- + test/recipes/80-test_pkcs12.t | 55 +++++++++++++++++- + .../pbmac1_256_256.bad-iter.p12 | Bin 0 -> 2703 bytes + .../pbmac1_256_256.bad-salt.p12 | Bin 0 -> 2702 bytes + .../pbmac1_256_256.good.p12 | Bin 0 -> 2702 bytes + .../pbmac1_256_256.no-len.p12 | Bin 0 -> 2700 bytes + .../pbmac1_512_256.good.p12 | Bin 0 -> 2702 bytes + .../pbmac1_512_512.good.p12 | Bin 0 -> 2736 bytes + 7 files changed, 54 insertions(+), 1 deletion(-) + create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12 + create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt.p12 + create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.good.p12 + create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-len.p12 + create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_512_256.good.p12 + create mode 100644 test/recipes/80-test_pkcs12_data/pbmac1_512_512.good.p12 + +diff --git a/test/recipes/80-test_pkcs12.t b/test/recipes/80-test_pkcs12.t +index 999129a03074d..c14ef94998cde 100644 +--- a/test/recipes/80-test_pkcs12.t ++++ b/test/recipes/80-test_pkcs12.t +@@ -9,7 +9,7 @@ + use strict; + use warnings; + +-use OpenSSL::Test qw/:DEFAULT srctop_file with/; ++use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_dir with/; + use OpenSSL::Test::Utils; + + use Encode; +@@ -54,7 +54,9 @@ if (eval { require Win32::API; 1; }) { + } + $ENV{OPENSSL_WIN32_UTF8}=1; + +-plan tests => 31; ++my $no_fips = 
disabled('fips') || ($ENV{NO_FIPS} // 0); ++ ++plan tests => $no_fips ? 45 : 51; + + # Test different PKCS#12 formats + ok(run(test(["pkcs12_format_test"])), "test pkcs12 formats"); +@@ -170,6 +170,80 @@ ok(grep(/Trusted key usage (Oracle)/, @pkcs12info) == 0, + ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_outerr6_empty"); + } + ++my %pbmac1_tests = ( ++ pbmac1_defaults => {args => [], lookup => "hmacWithSHA256"}, ++ pbmac1_nondefaults => {args => ["-pbmac1_pbkdf2_md", "sha512", "-macalg", "sha384"], lookup => "hmacWithSHA512"}, ++); ++ ++for my $instance (sort keys %pbmac1_tests) { ++ my $extra_args = $pbmac1_tests{$instance}{args}; ++ my $lookup = $pbmac1_tests{$instance}{lookup}; ++ # Test export of PEM file with both cert and key, with password. ++ { ++ my $pbmac1_id = $instance; ++ ok(run(app(["openssl", "pkcs12", "-export", "-pbmac1_pbkdf2", ++ "-inkey", srctop_file(@path, "cert-key-cert.pem"), ++ "-in", srctop_file(@path, "cert-key-cert.pem"), ++ "-passout", "pass:1234", ++ @$extra_args, ++ "-out", "$pbmac1_id.p12"], stderr => "${pbmac1_id}_err.txt")), ++ "test_export_pkcs12_${pbmac1_id}"); ++ open DATA, "${pbmac1_id}_err.txt"; ++ my @match = grep /:error:/, ; ++ close DATA; ++ ok(scalar @match > 0 ? 0 : 1, "test_export_pkcs12_${pbmac1_id}_err.empty"); ++ ++ ok(run(app(["openssl", "pkcs12", "-in", "$pbmac1_id.p12", "-info", "-noout", ++ "-passin", "pass:1234"], stderr => "${pbmac1_id}_info.txt")), ++ "test_export_pkcs12_${pbmac1_id}_info"); ++ open DATA, "${pbmac1_id}_info.txt"; ++ my @match = grep /$lookup/, ; ++ close DATA; ++ ok(scalar @match > 0 ? 
1 : 0, "test_export_pkcs12_${pbmac1_id}_info"); ++ } ++} ++ ++# Test pbmac1 pkcs12 good files, RFC 9579 ++for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_512.good.p12") ++{ ++ my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file); ++ ok(run(app(["openssl", "pkcs12", "-in", $path, "-password", "pass:1234", "-noenc"])), ++ "test pbmac1 pkcs12 file $file"); ++} ++ ++unless ($no_fips) { ++ my $provpath = bldtop_dir("providers"); ++ my $provconf = srctop_file("test", "fips-and-base.cnf"); ++ my $provname = 'fips'; ++ my @prov = ("-provider-path", $provpath, ++ "-provider", $provname); ++ local $ENV{OPENSSL_CONF} = $provconf; ++ ++# Test pbmac1 pkcs12 good files, RFC 9579 ++ for my $file ("pbmac1_256_256.good.p12", "pbmac1_512_256.good.p12", "pbmac1_512_512.good.p12") ++ { ++ my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file); ++ ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-password", "pass:1234", "-noenc"])), ++ "test pbmac1 pkcs12 file $file"); ++ ++ ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-info", "-noout", ++ "-passin", "pass:1234"], stderr => "${file}_info.txt")), ++ "test_export_pkcs12_${file}_info"); ++ } ++} ++ ++# Test pbmac1 pkcs12 bad files, RFC 9579 ++for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12", "pbmac1_256_256.no-len.p12") ++{ ++ my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file); ++ with({ exit_checker => sub { return shift == 1; } }, ++ sub { ++ ok(run(app(["openssl", "pkcs12", "-in", $path, "-password", "pass:1234", "-noenc"])), ++ "test pbmac1 pkcs12 bad file $file"); ++ } ++ ); ++} ++ + # Test some bad pkcs12 files + my $bad1 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad1.p12"); + my $bad2 = srctop_file("test", "recipes", "80-test_pkcs12_data", "bad2.p12"); +diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-iter.p12 
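Review bot: The FIPS block re-runs only the three good RFC 9579 vectors under `@prov`; the bad-iter, bad-salt and no-len vectors are exercised only with the default provider, so a verification regression specific to the FIPS provider's PBKDF2/HMAC path would still pass this recipe. Duplicate the rejection loop inside the `unless ($no_fips)` block with `@prov` inserted and raise the plan to `$no_fips ? 45 : 54`. Separately, in `pbmac1_nondefaults` the grep for `hmacWithSHA512` pins only the PBKDF2 PRF; nothing asserts that `-macalg sha384` took effect, so a second lookup for the MAC digest would close that gap (the exact `-info` wording is not visible here). The second `my @match` in the same block masks the first and will warn under `use warnings`; reuse the variable or scope each in its own block.
```perl
    # … unchanged: good-vector loop under the FIPS provider …
    for my $file ("pbmac1_256_256.bad-iter.p12", "pbmac1_256_256.bad-salt.p12", "pbmac1_256_256.no-len.p12")
    {
        my $path = srctop_file("test", "recipes", "80-test_pkcs12_data", $file);
        with({ exit_checker => sub { return shift == 1; } },
             sub {
                 ok(run(app(["openssl", "pkcs12", @prov, "-in", $path, "-password", "pass:1234", "-noenc"])),
                    "test pbmac1 pkcs12 bad file $file (fips)");
             });
    }
```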
+new file mode 100644 +index 0000000000000000000000000000000000000000..9957d473c433bc9fb9572ecf51332a7f325fe36f +GIT binary patch +literal 2703 +zcmai$c{J1u8^_I<8ABNB4Pk6UgnstR*kkNVmbleK_MOQV5{B$bZuZ@TE(Q%DI~6Sy +za_>;K?Awg&gK)d&eNUbD{pbGioacPM-{+j?zt8ysc%~FEh#tT*L1Bzi@rLpHEFcC@ +z37&Bef@j+hBY7)1Ad8U9Q_fZY!PWdV!<$)A!L;D^99D!DhE +zeQE;1U^pGX41@pY8<-JF2ME9z9peo_uJjO)6ojpI>t?AXtBj{Jv>|^u>h6bVJpBw; +z+#a^-mWMrkMYg}Jfxic~-vQC^Kt6wiU3a5|Vneevb2UJ$z)2qnB(3bX+ki6$-vZY@ +z_jNXQZTo6cC8;EgG@yE-_xV79ZGQJ%I{69AF&s=P;{7m`BV^eD>hi8QDGbWW=k(N~ +z?rwAx=6c3#F>pv2L4VOaP$r$r8H)wPkN!jmp#f9wlbG_*(`oK#@rheWABcv-oOfog +zZYz%aTa??GYAh^>vo?%Ytn1k}?VQgy3?$BA43ITPmqN=#z7%|ZuMyYTsb!MrPNefm +zZqFRZBncUQLYTJFRO5#Vm}Abxr(6e>cmXMQ`{e6;(W1HbvJy+6ch6Ew4a%-^T)$S! +zZ-KnuFs_#(<>qmAQHUMRgA=lor{8J5+lgi3=XMhrn{rQ)Q8o{i>As;dbVXX%-pF_* +zZzgS@b5K1fKeg-SDJdp=IfDL64sDgQcs97g>-}r5xM&}z?CAJ5DfWlrG{Vclzf>dn +zo{V*Ewz$6%Lf?^0e0Q>3DIInhuW#>Yl@qx8n7!wUPXuV11Kb@ccR{%DDS;0qHY>mu +zu-vr2t#J+HN=T``{Vnn9R#VlV+Ii{wMEM1hhXQ^ve5Zr$o3Kq}n^%2LkRM1kp&yyN +zAIuV?4KWFhmGbLG$uK=egKjkyGTp!b68!4=amq-$qDri1b;qV9YFJH~WOizc9I_%J +z44_J>+hGh!f}QMW!}Tr^@1zS%n5t6Ov;=QmkAqZ|PFXjGT~H>*Zg3m@=;#5|xjVXa +z=7!*1ZMuW{7jRvPZEBWku= +z>pX3o*5O*R8WWG=%h|0czJp%Kpab&Azs(Zn5^hkb3c)52sAW^j`(JBf2EO(u;};5! 
+zJ78c=pipR;Q`}}oNj`E?>xmo1c;h+*jm-F +zvGHxT@3QKop@A(X%GI?VH>66GGkfm!BX8F_RG=h|*OTP)9Z`1b7<0OAi@nQHs^*85 +zy*k?D(T_YY`YGM_^c@Sl@gz6Yg;Gw|Vky;(_%~Rln$h^CvdyVE;n0ScW(%D_2ZaT( +z<3JvG*k_Ou-4q$NEa0%}?T(4#q1{(hydmIOYF_cub5Cw@>J!^KG*=9kyF|@s=|27Q +zk5EesrnuH`ef-b#>n}vJP!(M)-5U9(H%wuaT-Hq#?`FZSaO8=JSxam?LFa7UX-&BK +zIDm)7{outv0D=ZX@KD@$+xPo;!p{7cP0UOn@b^&eyD9T;z_IRE*SwPN?f9?2sdG23 +zR1)>R-S`UQdvhgZ6oQ8g4M@YO8nkG!jk}taE%TK@@R2z0qnt?s#hH5~A7!4`E7*MW!m9T778sjy_p@|)v(>Z)=gcJcZLp?ECAhRQ*>te0UgO>T +z2!WGkqg5>=c`{xYLI9e=7GvIPcLnpC&fKx}N>j5dT@r0A!A+m^|pCwV%3}UgTlK*(`F{ +zPE_J;HRlt|ru*VW!Bh<_#<*>;Jv5N5(AdP?(m~9_6tWxOYfDd`22P^04U&R2Zr$>- +z+S}&in23Z+TUPeaSFchSdhOE0HWRA57_5a4k<9K1n4QJ6@Ttyv(<|-^FIfAs){oKH +zqoB1uud(vU?4o(Mh)@Yne2`GvO5mxWbYq0!lNT2Fo9>2DjQiZ4nM|rNda1}rV7|GK^jbT#JYRA%BE6nLJBS9BEd(yLu>AqCaWH~S=o;Yl +zic31awmQ +z51!~>BfRljLJY^Qp!I#PjtaOIPDWYp+$&mbuVGcU)QqmMx@9N@lGwtF9@~Xn-;x*U +zRR}CmP}b3UWSLQx=yn#R!-^im4P0K}(>&NwVZrb@W~U1o6fNJ0i`^IUgM;lg5T9HE +zUp?nq!(DFHFFOZ^v`yg@3Tp0oG-OAq7r%L2@%9|U=R!)c$gbRS?~&Uuhq2aMJ4bF) +zf9njx1D3ZECBTEZrI0V={tmq_rW~!5r`TA@z92xfYOR#%H)xcyAYVzqvpW-~s7ggZ +zV|Wf(Fi+sk3X;)Gv!LJ@2C>OTp;CMfZI^QGP_q1}y?ib7d!@%IEYg|Tz27j)$Y$y3 +z`4@4b-II|shmwgiM~Bgiiypp>)Nf4n-UjRgh-0>@+qtPVBd)8s%)CyCu8_8O6#0mT +zf%CXFZHEb(A-2~HXCGkoY3Frim&%;~856h40r_N$o~%%u3OU(#^nHpCJf&869MoR0 +zqP7On(hy;EhPkfH46;KSkjHL35~I4ooaATVlj8K4mFeX(d6hS_vW^&Q1gR$l#1FOJ +zP3WkyRW%X8xE`;1+p8FC`VJL(1*uzfeD%;{Gp$p1BKOFmMcJo#Y&Mx?ruFQNH{1^7 +zOHZfkTqNCL8+mP1emzme1_TNP`D>}n-%12coa(BwP0IT9FXEZ1t{DyZoYPX;)PLp^dR +zK=cP-8M) +zf3265`=`i(z#yUj>vI3o>>xtn<-Ye+$zWwI^q_2ul78QG*>lf;C9Y5z5p$iWB-kVb +QZf;>CWNWRj_YbE31}omyrT_o{ + +literal 0 +HcmV?d00001 + +diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.bad-salt.p12 +new file mode 100644 +index 0000000000000000000000000000000000000000..fef1e51f71c94240b8d5e375b3e5273a7cb54be5 +GIT binary patch +literal 2702 +zcmai$cQo4z8^xrY#+` 
+zsC%QWRa;5aj(vO2`=0i^??3mC=RD{8{XXYB|9#FEz%!(PL9_s#0Scp+OfXE?X9CfI +zO7Zl25Ip@BfTyPbc!Q@&82E%CpMi~4*-@x=x8h{^0@0?%=a;JrWBq6NzTQ|xqnPt3Pp-qLOF?ZhM@U*k% +z8S;f2Y&sjIWE-ljnY#hYDxCPff~cAMW*cxt}-Y;CpLL2`8~mKlp|`+ +zVO#NIfJLR9srurg7<1Ej)w-T-%g)6@!yv*e+5k~^q#IT){H5sgJN5YPZcURUPXdi! +zN@w;^Hc`;<6N_m(RV87hh%xp;Lh5x;sSl8PXF$HOA0?7+FDt$bdiyl3%%I$X{ra_f +zJ`2RXrjL55k{(`MOM+~0Zmgi4Jnc^Foo);RAE$@##I$FsjIw!{Ot0hRk*m@=_D065 +z1+(e<9K&kCg=sx6&WN!QE0MHc@~B@qO6EeUeBQnCiO2c5Fw!CwRHFuyuQ7&RbJ5UBeuS)evzOVc5rXBoRm=UlL}s>=o~+5 +z;7ZH>w)!=YdqryP?c=0xTP-zzY87Pe6XX|(UJCf7h@CFhVn7Q`eZPV#0iQikCX3UsTbnBm^N7vPuIPg2J^6)(qm*LH1MB1ct~iDqZEh!HCS +zivd(AZ9AM!NuZkzWw_oW?3*mbfUYTXPfzsK@j6Jm+%4-tw+qTf+YN7{9vo#rU3+n5 +zvyK9Hv}g`0NA_53jmR_9k;_gERIxH8D-D?j$#GKkq575igo26mtuVg~ +zGDsY2l^9*E^X2>0K>0{pzxF_tt9z$axmMf^J6RHZ(xN+Bw%mTH@ym<=bJ%nxmQOGw +z{(z1#kxZs$Pji|XCHu)qt|x7j;Efv~^oce)=aynrS{KfxKLOty_<)g}W>R~>&)Tkv +ziA(6PeVfxD4Gn5DQLe4`a+EAp&hEQAh`3$vRD~2jSx=TPbVk~#q0MP}E%vU&sF)vG +z_G@dA#y@aBA0+qQ)psuP#S=Y{Qe_;>C6X#x39m5>b>j&w<(t#cf0>fi)_eBn +zA7Pdj4Ds#91AI^Q8>Mhe6h${nk7nMP4O197pLr9>vstt&6n$!9))v=Uq0QBBRu^IZ +z5x_&^fAHcT06{|_cqsO}?f-qeVdwtKCPoGj_L8EU{nVCi;PV<2bp?&S?k(E@@7*8Hki{T6W!VwY`WM~uJLSs +zfWV1!I28*C?yOf&q;ef)*q>6*lozg4rs>VMY-wLJ>nPM6xF}#_)8C&%VxR4zHplY7 +z&g4k?J9OzW$4XKG6wbv6o}**G7S@V&J$r}HfH})RM4pJKJm`bM)Nz}^}vK#1cOG}#$PNuO9mV`BL-SV;8 +z+va7TjD|~FR`=1?ekIfO+og+cCf4@QSqmK^7(ElwJ4@*i)7_1xS3MV>GY{mfpP(>D +z!D|CP6O~iB4;MTl!^FMu!GayDL1zNe&5?$WpIhK>cpApg?{j{1Z%B9`i$^O~`h2A7 +zFc!~-gk(m4b+Ns~QBKNW4!}#U6&Nne}zu +zVCmmIHHD4zx=e0W6gNCRT}`>)yw~CT=@+pIzGn)jH|qxU^6pFqE}rL8c2$i|t`3;} +zBX(lwi}BcaxlEcdYWblN|3Ygq@s(CsWue4oWM(6sRxlMTTMX#7vHk(EaWaBU>KNel +zN=m!FwL4RvX%O~MxS$fx3(h=xfw95%Q|04?@q@*z(%-RiHWk~c_k}_;c{_;43BNbK +zs!;%!ypwQcYS1Vv>u8aCwo5lhvu5n)jNN<_=-haJgX|{epA>}Ly4r>qeI-%l9zuo<(Q$-*MMz^<%G57c79sjnEO|3c0spzPiV(mvV3II +z&_!&AmeVBF5YumlwGXuVwDYRE=kk2OITMfSA^8-GzML@ZWm1a&_`6g;cxt`SM^IynL8BdRfNvN6Nf{u&Gc@a$^0XWHf6t(iMbS}*>*0+*PKoy +z-6t~*ZW5lbje-sepPq_JHyvuU>)D(vp 
+zmZFk4%`!FtN#jzg-76#o5in2U9)&z)xzS*!j>cZUTI%tJeG=nm-4jj4+gh9GjP%JN +z0g)eorRS9U1#-U6^%--@hOGy5lJh|xqas0@H(eZv0{j7^ABRw8Kn;-oDH#C-1a59& +zBWP=_ulEmE!63o^>vI3o>>z>>mHu~CNML16)Ua%ulK#L<`7`gp9+tpJq5r+oPI{IQar@!yJZdr(R^P9KNApO`$IsP03$%+r(^{9AaFGT*QT>i +zZ2%YyrvVsY@c(=R(?e+hei*%DyaC9S76L*+SnIZKmRT@MdpbiK3r3>uzK_P!&Tz)< +zVXJR@*wI$y_{r$|d0+<|SQ^vi3O3lZH%iy7sWzsr`YbDO()$XMM$VgUz!`&Yg==2; +zHXFOTZJ$ISm4=cAl}~j)AIP)L@4n3-KZZGmfl0+Y?}u{*EjmHn-c_eXf!PHdo*I!4CEAmwhqTtgpPB+pJpd@SOz{WH{tOq_Y`R*vk>W?8<&T#N@?2}8m;8d +zr0sJIsRkCLcE30y#e^+~(|*aNe&r~c4XW~b_sT0S+Q%s;I=&sn_CSnU@nYyNFn +z5V)&Jb5J?F$6{l+K206I>`+e?D^s*om##;RkqL)tSLWjL$J4e>vjkfdM|$ds>K#^E +zPnxE+IF~HP#iDp~cdJSw&m(cJp(*V>rDZ@td1qXDM@ +z(rAms$V#m@-=})YN7}m8hbrg0c3PBb#7%J%C4nc+IwNIEZI>FpObalFOjY9e1cTxZ +z=ok~$*Qr@kT&9LeKC-B_#ElZXQ9Xn{!CL#=Vw7^r{JFFz;9LD4urgCjsxSCi+f=Zz +z@$EKmv+Jdx0jpl1M91FeiBsZjF83%I-N;xzBHI|`vEWWvXb81c~r16F6LKo1v&cw3g +zKpuS1ub&d#92vUI@9@>z9TUe*y|18fgWt2vtm=j5p6ue(C)PD+o+vDDiIUmcbN1&S +zAr|Hgac#%_d{6ZnB%_%q3N99IO}x_^Cb0E9=1nBeX5p?-KzE1OGjXTEwOnR7#${VDZKY5q!Os_tC#mew`X_5z*$ivrfxeSO(v_L)vQWe#WJPbddO%C0O +zO1z`ue2Uq0U%Vucs)ofFwGVZK1h5tv8M|9Jh_?NVt>*p_jJi>pESZZJOw2LQOZFmCzxA(LDjPvzQh()zx5f)qUYPbAR^Q2^xD8 +zxZ3YEUOAalJnt4BBJPO~6l`A!I1`X+3O9KC+#G+?-5`p7pX;M*ef&ciJVv3?>mya0 +zv1leJC?oQ#lg%ZLa&kIz=tbe-BUzW{PL4zSL=}H6^{bCpA+J<9wezMHx*0O3*Vc3b +zrG9tU5H{59G`?L?RR8#NCHXjIqk&E{kP4P50(4qg|A1IK7{VsB_3^qT +zrJdi}9I4OLiF@eifD-o$jy$^lF@biI +zvEH?c*SD5fMq*dcdcO8!{H{flQC2(miobT$GOJpsM^{}~5$u(1;Tfq+Q$Y8k_C&?qGV-ctXk5ff)ff&!p6 +zGKVOfui(iJlvYnOU&ql6VUrC*P`nQ9I(fE889wA*fd=}W;-eHMsjQs7W6Uz5MQVEf +zd7MbkWaP}DMB>cRVf5mnhi?<*n4!U2pKXxkgthukUTW>A>sMS>ewTQ6aQoYJx$wrp +zi@0`8hY6|yw$Bu2=WqFG=M|y*@|@o}V>iN}T(Ws@b_nh=IoWsYU5XDprB3K0sH1R2 +zWfh{KCQR=Pb6uGkVuLgyPTaV~$Fzeu$WOtiB^fa*)63`b2{*H|kLYU!D5r(Q_jTUQ +z=&16qD#8MBycVynG#2dDFkA(R2=q5e$<~_y + +literal 0 +HcmV?d00001 + +diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-len.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_256_256.no-len.p12 +new file mode 100644 +index 
0000000000000000000000000000000000000000..35ebe05d177f7d745251e2fce3ebb4f23e0ebd09 +GIT binary patch +literal 2700 +zcmai$cQ71^7RK$`T}$+Gm0-0cYF59jURE#BuVfLuv(bVGmgqv<=$){+SY-*KlY|r! +z#Jx+RMXxLRB6xZ8-X!nMdo%ZsGiT2CojK>f-+TxxO%f15iNMl;A=F|C`U%H$04hKk +zmih>UrQSnesYwVd$oZ!QDZ_#+ze{F70LAyF|I+~=Y<~=3I)ouY^yf&6;08feacsLT +zzI8!BAd~_@3xWRY8;}}If#88qJ0<7?+$cc+F%V<@-tBU8dPy%AaC6~U^!*PpSju_U +z_#<@99Zx&T>f8V+y#P=2kRwBLhD_lOlh#hzwiVgh#7&Q39ZL96Nl?#yyN_@|VcVe^ +zSHCXAZSLDA;|OKpgkhx%ozEw-j7x{_GKo(iP7y#t3Fn8=JU;VoK(9~rMR9OWA&Zwf +z>2RmJINvLFkBV8u0Q`&Ei2~tj-eep?`0P&xJ|x1J?IN}+>~fARMtJ&8@&~;B7|Xo{ +z`+d2o0JADvW7XwlVfyBY>Mb4X)`M$>`a$@4lpd_^OgpSX;7ifx_p0$dJ?chD9(W4h +zl&y;$ytw7Nd?m|$vy|gQ5y*@I|IY@ +zg8B4gmJyZU!nEF(mxS1ewMfb@dE^b2(uI&}@At30<70fCb7K-Z#h4xmlPh12{G}Ad +z^>ng#x836vAM&1P(z}Z_oJ9BytgfAtMPAV16Q+I}-$=k5Gq5j8TAaVQsgesWw7|m{ +zxYl~SuX+>UR+(CR_gm7}z1EsPH3~A1@iNN4`pCo+oLFJyPyehk$I9?Z`gz@mU7gr7xy@ +z-hubN2E|F$=n;dp!S)<^RMD}4EL<*cp(fcNHbKOls@_;kD40y&yU6BilOOAAz^ipx +zYBsgZX|k?bObSPHHyO?E8D=X1TZA(|un}Ggz(MUs3bpl~4q{~r+5HcOV0Y^stKlN&TgftoPH?g)8aJ~>Ef0dNg-go)u +zA7SQZH1QqZ2DzWp&>-CMZkc8nq0`SiPR&fTIz{-_HhllHi-N=^2L%en~D +zDFhZA|AQC*1Q0j`gau>1%YNU>3v%V(Y@($B0Kc2k-$lv41CHg8ikeNKkJH}*r@_Mz +zCokx8x8)Ve@Ai7=1PBWn9hQKSRLL86c}HDJ_Z +z_Tkz%l(qWkjaC{OC^9r=8=~v=VXW&2$(v6Z+@VhwOLXm^vFc`0y2-iw +z5d{ +z(LNXRbQDy=9M?}-yRl6*V4E(qn^@aRWyyaEqxDEc9jv5B%=R=I+juO$pdZZHI!B_< +zf;R`fC#z<1OP1Ut!$iEW!F-+TL6^J|Es^?9UzlNUd+0|~AG1xlH6%Qi!lLA=yr;-o +zw8irwA(>Gd&eqpiDu@~M;nxI4&!k;nI6I9T +zOZ@JkE?}V3ZFHxyxZ&x=ddj1gqfVbszX(@yKbO7muN&0KyFVSc%*w6cq8ycs3z+{S +zc5?WO;rK*_WSSvzwZwpDsjZmsS|hBgP;@skvyn<8m<*IEMrgM){sFRbG=NNN>0xzB +z%eudIIFX;L;g66pL8Ts7oj7#@V}tExDkks~C(Bu7zhk7WD)&<#@rPz|brK8{es6qT +zBMU5jFX}?qpjKYq*(&|~kZOTq)6mxmv->vCsqxXywyUsT(mfb|DK9v{lR?x~SZs)6 +zT}mz)4+B7U^o}`M5(!m_9OB`j*NLBFZa?EW&gZU#Igj8XtWMT?02Tp@)nQT@LKGPp +zPjzorzVTmW7>ip+>iXGF@VFJvL|Yy_DB0+$qgOFki>bD_qb~*!*~1E++lJoSlMxt@ +z4JwmW&{ThHo>h_L&JNe4M^0jfZ!B}Eog66Ap}3rKGx_vN*6zi}9rO7^fp)44pIn1p 
+zJ!jp-+-TFSxC#Yz&SGSX>K=GD=SHiPzIjsp_A1rq;_Xs_L+Q1FGxsrOL-n_|PHe^j +zmRb5IbZc&2pOGz|ji4TxEgJ?oD69adHUN +zu|-(XQYB|ju%ueL**1o11f60KCdTF1shw{Nm*R#W6{;iO%Rfn_lgQ2;_=Z}8wMon^ +zy@(g=n~9n~6-}ByJB?Xc@$_pUeWPjg(PJ8BIA^T6o1a!U?zVx+F6a^I4efllEfd*1 +zd=1m7;W$m!M-P}_>;f%59lXZ%DlP_GF>=QZ%cPj~=Y(Mti79>)?^AuDsrCF*fUcr- +z`@I{j?NR8=0}|KH*m)=p=FL2+B1xz~P|3Rx1K51d#aI-Wu!VoL~RKU#aPxSA{M*ucpt;un1#F +zN{O=! +wg4}<_IuKt(mEQv;B2YmcIU?0AuRAzb@!TtLl{HLKz*I9j88QQc{^zZK0K6{N*8l(j + +literal 0 +HcmV?d00001 + +diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_512_256.good.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_512_256.good.p12 +new file mode 100644 +index 0000000000000000000000000000000000000000..e8d4899691bfec94614bf1614c0e9d45b902cf24 +GIT binary patch +literal 2702 +zcmai$XHXM}7KKSjLJPg9krp5dtO*HCK!hMlfKXgfI#LZaQi2reL5lP$MT%7EC6I^; +zC`DLA7DP4z(iA~@4~T#+JMWFY_iKOLxpU6BGxy&&2Tf*=0|J=QWOguwO*UFLdXE#p +z0(eAb+Xa!?w$Nm@H8dII@GF8mB7;nhEn^^n>3He>N&slHp90K@)wmrh*}zO_5eS=Iv@YNlGYB9H;<3c(p-6ScN9EXskqoP5qi{0w +z47G^^7Gd+bc<}~Fgv7UOY||$9Vx7GWFqBwZz(2@Li=v*KZ6RzFhbL%5y>@HX*g|fK +zCFqY*(F=sh(a;N)GHI#~25yMcT_{*a)IDT;VNko2^?scCxtKjyLprQ(YXAh}L#%n( +zTQrhNI76$_g!lGcpUJy)#$0n;G6ZQ#gO>#8w>!LU{(S-z=WV6_Pg +zU*q$mxw1C5Ex$SI=B3N?jdOchd{4fgVv=pT4ZoVk9Z8}FNHUvYc4BhvoTUsI8L^sL +zopiZ;y2XdHfUO!V-Ar5BROQO(-K1jGZ7ZwQ!@L!*8;l#mKUQ?Yzp@bGbDg|ELDX}Q&X!Y4%3b*7*VHf%9yZv!SWi>t>qm6DRrsYEr;&BPo!3}4V@ +zk?AMeU*?oAW{xGA$SE*L7`tfRwiT#@v9gqOtDkqwN;#{ly0J}Nt?hZV1xAlN*4&`O +zo9da~^}MoxyT7Vk-92 +z`Y3n;E-oE~9xR#>@)u0sn#CVfstkUtzoh@2+a05kV*_uuuYEzSeI1hbS)7*QO!P~C +zUpz75Z=$s3)O#=QnbMzDER&L`hq$60tR+pC63&E_?TS#3G2b&kyp{F7S&&35;>&M5 +zoi(MtRe^Tbu7XhXI68w9sOH1As}p-duSoG*Qkw>vkUeG2mDftlHA~m$ge}onp(n8m +zjgL*GaTIZ6RA)2QALINZPma#jy)Ibw&1Y%$yleTJY&G+3C7q8dc)f9RLJ&!BHfys` +zaK2_A6@J2!er@{0=ws8BH6wK-N)Zh+u50iiFvMOD3ykZI*xk+il9(tg0csxxoP57w +znjV%tW3PLyr +zEqvBZD*alJHx#UUSUudi^LW71U$8h1Dw(>yN;V%GV;T|#h&eWq{{|fGcn3K57F4v8+{vgq3Oh~ZrmcEST-O8z4%K1s}M;tPIc +zvuMYpV5W+0Rp}Q}bxD!pJEs=sD=OV!n^Ee3qTtk`$Aw(zo%z>QnV?T|U!r)o;7w81 +zU8CuN( 
+zJMm~CzxWw161M$eue=Jp=M_L1i0#Y2MGA8K()rh?vW>%30k;T}1? +z73pvY=|4vmbzqOSv-E$-F!*{oNrwn~$f41DUk0TThvqA(==BjI2KmgHnSx1=#&OijuHpX8vmIu1PgNf;+T-W%LX3WP +z&{M@dfCZ%)WLtc}A*y(c^jYJ2tcE(uY+ewf71epylo^X+N#8rQb|Ue`>HI&+qd)mi +zId1=z#p>EI>l<)+iMA|za=3;zliQfPg_;_ezGxi5rM!wx@zl36fR6R;pK9|{zggX* +zI6Wwgv1upQj4OReh2&+=-Pn==w3ffs-CqWjKex5G188Rqb`XY6^RUk$`=4$`8sPh}=d +zv}X!M)}HY<>H3J5M?xOCT|9W&eD}BTmWQhLCqxa48DSh-kzZRxQ+j6ECqPlX{Qmc^GC9chTwY@c+_gztryy>w&dM=$U8i>Kpbf+D} +z?Vt}#Da&gwKZZJZ)>~u*r}KQ-=}o7F^3P&hdJSmW%72t?l7+Ayu%T4Lc{nj}7&S;y +zz22p-cu4Wo2I^8oDFG?Hj(rdN$71iy?jf1LKBnw%CeB1cCTX{@H=Qu31p;5@G-X&J +z1vYRNT{O^EkvCH4zO*k_)-C*YZk?&YXgTvRv&{EHw)K<0LYMb)dxsMdr7y};se-ZX +zj`eRLC6ZHm$aFaJ&TF0w;}^q&d-N7Xu0&R=9n)a$X>W)J+jk6IL8~=YwI;Vo$o%nPP#DS +zOsjaY(w>~gaR7Bor+MVily= +VW!Nl&SdEOYi{CK0av2B!{0(@<()a)X + +literal 0 +HcmV?d00001 + +diff --git a/test/recipes/80-test_pkcs12_data/pbmac1_512_512.good.p12 b/test/recipes/80-test_pkcs12_data/pbmac1_512_512.good.p12 +new file mode 100644 +index 0000000000000000000000000000000000000000..64e14341a10d04e7e98cf83dbb2b6409ae1fd72f +GIT binary patch +literal 2736 +zcmai$c{J3I8pdbF48|5&vqjlrhOaf*e~6LnON7GM*TRf3A}0Gbexk{eEm_A}b`r8> +zuMmwr#kJMgD&qQ`dr#f}?jP@Y&+|O*Iq!d;^8f?}G6YNm5Ex*zaLE`{%mFi)4xCSb +z??VZ2DnNj50R*V?pNKY}0JS)^Odw#;=|cTUz`%{)0>%tn11|lMOaMQWo?KOURPZ9w +z69S?|M>=i!$5!lE!;5%1$L!@f+eA>5>rmGyl-<5gfLWQhjpo01c7G3*uvx%W?sgue{9RT|s4#R>C6J%Edk<=-uq-d@r!ROUg)X-ILGkK7})ZpGl# +z6-*+R=UWkb{1Uk*#E0!_e;YnW&+pQ^eq4sI$Ww|Hv(}0#a +zKlQ^+B%Z=t5EUDbniPw$^O<*tICAC6KObyy_!1pUMJP=_w3MQ_L}_KLa~I$j`nTT} +zHKwJ_EiYl2+#BDc^{A=46L)q=)y5g6&!p^&Vq?l?HW_g0&*yWG8)~BcGLmG2_zkpD +zuJoXL67oBKU=FvPnif~prLZ59aGj)q&F+Tb8c-j#f&RP0OKAu!zYnC!R&k()qJN1D +zH)n{YHF**!la_j>+`ZaK*3+)|hY9ao;2E{SU;60toCXNT@qDh`ml?gc_3=eV{?51F +z=U0+nWJ9&68P5wsaB~Oh{Ml7-lZyT?nz7-@3_Pa$cFyfOH{VqUHj`A%$91}J$gqD1T>EH^|xG)1&ISL#*ZFlj`&Q|`X@`eO}%)v57KM?!MyKQ +zXc{9i<$mE}VxakYPTQpB%tY3V*Dl{DW5lfc_V}%EtVn1p7nY~{N*8NuoyQ_$)ws86do%hBVb(F1bVEvsA9>F&O 
+zRQs=KLrclFky%8f;cM0HkAnqrG!8bmFh0|w6SSh^JAOInR!2Krmr4GHh^F&q&BF29 +z*|eckw27|l!`5RThgUd3i2XeIHB||T+HmQF1 +zPDP#z=8kjer&j+4rM{T~`6CS-p+%{%^hoip*Obdm#BNa17XnqR4f#}AZEEru&#GzO +zS(|OatP(Y7WaOUxEG~h6fN5pGvEXc-|1Te>L%`F|$k|~yrON}$Q~GV(GItZZR5rtq +zx@@Va4Xu+B1WTkJN6(5zi^HOIP318BM~CGBgDH4 +zLaK$Ks@QD9D>chzYe`t>NjjE`cuObjo}66SL50g8p9$Sm^^tns +z;0_RAQNMZd4}f48C;@i&)b>3cPg=(RvWbZS3^@&DPfg_i15SP5i)Nv}TDSi%aONt8 +z`B0c7FBPnYhe9LB8cKkUDN;BJQl}W&QaCv2Pc-)0f6CFEbAOdK&Ob3`Zm!y`U3A_z +zODU+hSBxYWL41$n&+28lD!q0TwRAFBNsli%CnzuIPE_J$DjM&>bE7k^auH?~miFK) +zIqaBwg7QmEwp)ZSN6kj5jefLN-FgZBcH76~>AGKHJauJBXEOUCn_uh{(n3he>JRLQ +zR|B-g%xs4l(>}LpgECD!Tqrr!Vx|{2qiD6Sg)V5%4}U+mVekZjH08N`i}}Fy*3^0# +zKz&<(b0knfLr)75aA8X|3pbq_oeCq8e7yiN*S+Qd)>ig&jMwh9R+b7e+Im__SSes+ +zMDA};&vN=jlrY*Ehga$F@lBOSQ_Yyhk>Pz>=S5R8vmJc)scR +z=#Y@?kRW+Jndd2|TkldK}))zdux@RmaSl_TDG0?o5 +zMMh%2IT4G9~=#_+fE&WM@d6`gnk`K +z4ZAPu-T)R`7#!}|D~Z^i8YP*nzuQ&$t^)ex^SI)5bkOl@$Ch5et(hmU_H$6{=rd(= +zH*9Taf@8>5lz@Cc`s0rbN|)&x9;{@sX6g>J>@7D0-tggLsaChE +zzWcuCVOajxbVG+ly{x;j!jR)mBkL?no4>)=YitX8aX)SOTr(yPVoxrI*RR#up7#Q5 +z!0saXlgee#J^Ms>kaU^#^Pe+9Tw>CWyg)zG{L3(N9jlQ$s~q?b%j!`e#kFy^z8iAp +zQ|IfPf8O6EM%?ua$)DxW{I#W1QaAd&_M^8%JCiVwCzS=o!;k(}DaOl#W09 +zSk4>aZ7zFHy<|Igb>#!~?A4PQWj>6QxLJ@Kj1CZPTN_dw)mu~-BUvZrsoc9C#w#ld +zT>K4KIHxQZl%o^f%#yHeHs^H6%z +z8T%F9D?MlaAu9x|^*?Qn@wCnT>2{|Isuci|f7PzcNM|bXivb;s8AAv{)-jC$Rb~R?lGFsEHIm`3Psh-q4iM{;+CGg!1m8_f06hv5BRSmBm$E2pIft +D?Q7k< + +literal 0 +HcmV?d00001 + diff --git a/0125-PBMAC1-PKCS12-FIPS-default.patch b/0125-PBMAC1-PKCS12-FIPS-default.patch new file mode 100644 index 0000000..f7257ea --- /dev/null +++ b/0125-PBMAC1-PKCS12-FIPS-default.patch 
@@ -0,0 +1,21 @@
+diff -up openssl-3.2.2/apps/pkcs12.c.xxx openssl-3.2.2/apps/pkcs12.c
+--- openssl-3.2.2/apps/pkcs12.c.xxx 2024-08-14 11:24:41.164589397 +0200
++++ openssl-3.2.2/apps/pkcs12.c 2024-08-14 11:28:21.071004221 +0200
+@@ -17,6 +17,7 @@
+ #include
+ #include
+ #include
++#include
+ #include
+ #include
+ #include
+@@ -708,6 +709,9 @@ int pkcs12_main(int argc, char **argv)
+ }
+ 
+ if (maciter != -1) {
++ if (EVP_default_properties_is_fips_enabled(NULL))
++ pbmac1_pbkdf2 = 1;
++
+ if (pbmac1_pbkdf2 == 1) {
++ if (!PKCS12_set_pbmac1_pbkdf2(p12, mpass, -1, NULL,
+ macsaltlen, maciter,
diff --git a/0126-pkeyutl-encap.patch b/0126-pkeyutl-encap.patch
new file mode 100644
index 0000000..8f82cce
--- /dev/null
+++ b/0126-pkeyutl-encap.patch
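Review bot: The added `if (EVP_default_properties_is_fips_enabled(NULL)) pbmac1_pbkdf2 = 1;` in the `maciter != -1` branch silently overrides whatever MAC scheme the user selected and carries no comment stating the policy; add `/* FIPS 140-3 does not approve the RFC 7292 PKCS#12 KDF for the MAC key, so force PBMAC1 with PBKDF2 (RFC 9579) */` above it and consider a `BIO_printf(bio_err, "Using PBMAC1 for the PKCS#12 MAC in FIPS mode\n");` so the switch is visible to the operator. The query is made on the default library context (`NULL`); if `pkcs12_main` runs its objects under an application-supplied library context, as the apps framework commonly does, the check should presumably target that context instead — confirm against the rest of the function. Note also that this keys on the `fips=yes` default property rather than on whether the FIPS provider is loaded, so (inferred) `-provider fips` without a matching default property still yields a legacy-KDF MAC; the `-pbmac1_pbkdf2` man page text should say which setting triggers the PBMAC1 default. `pkcs12_main` begins and ends outside the hunk.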
@@ -0,0 +1,430 @@ +From 77a0eabe15b9c8c0fb5fde27f6ce1c593c278e20 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Wed, 7 Aug 2024 17:17:18 +0200 +Subject: [PATCH 1/3] Support of en/decapsulation in the pkeyutl command + +--- + apps/pkeyutl.c | 83 +++++++++++++++++++++++++++++++++++++++++--------- + 1 file changed, 69 insertions(+), 14 deletions(-) + +diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c +index b5390c64c2a81..a14ad88217823 100644 +--- a/apps/pkeyutl.c ++++ b/apps/pkeyutl.c +@@ -24,7 +24,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, + const char *keyfile, int keyform, int key_type, + char *passinarg, int pkey_op, ENGINE *e, + const int impl, int rawin, EVP_PKEY **ppkey, +- EVP_MD_CTX *mctx, const char *digestname, ++ EVP_MD_CTX *mctx, const char *digestname, const char *kemop, + OSSL_LIB_CTX *libctx, const char *propq); + + static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file, +@@ -32,7 +32,8 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file, + + static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, + unsigned char *out, size_t *poutlen, +- const unsigned char *in, size_t inlen); ++ const unsigned char *in, size_t inlen, ++ unsigned char *secret, size_t *psecretlen); + + static int do_raw_keyop(int pkey_op, EVP_MD_CTX *mctx, + EVP_PKEY *pkey, BIO *in, +@@ -47,6 +48,7 @@ typedef enum OPTION_choice { + OPT_DERIVE, OPT_SIGFILE, OPT_INKEY, OPT_PEERKEY, OPT_PASSIN, + OPT_PEERFORM, OPT_KEYFORM, OPT_PKEYOPT, OPT_PKEYOPT_PASSIN, OPT_KDF, + OPT_KDFLEN, OPT_R_ENUM, OPT_PROV_ENUM, ++ OPT_DECAP, OPT_ENCAP, OPT_SECOUT, OPT_KEMOP, + OPT_CONFIG, + OPT_RAWIN, OPT_DIGEST + } OPTION_CHOICE; +@@ -64,6 +66,8 @@ const OPTIONS pkeyutl_options[] = { + {"encrypt", OPT_ENCRYPT, '-', "Encrypt input data with public key"}, + {"decrypt", OPT_DECRYPT, '-', "Decrypt input data with private key"}, + {"derive", OPT_DERIVE, '-', "Derive shared secret"}, ++ {"decap", OPT_DECAP, '-', "Decapsulate shared secret"}, ++ 
{"encap", OPT_ENCAP, '-', "Encapsulate shared secret"}, + OPT_CONFIG_OPTION, + + OPT_SECTION("Input"), +@@ -81,12 +85,13 @@ const OPTIONS pkeyutl_options[] = { + + OPT_SECTION("Output"), + {"out", OPT_OUT, '>', "Output file - default stdout"}, ++ {"secret", OPT_SECOUT, '>', "File to store secret on encapsulation"}, + {"asn1parse", OPT_ASN1PARSE, '-', "asn1parse the output data"}, + {"hexdump", OPT_HEXDUMP, '-', "Hex dump output"}, + {"verifyrecover", OPT_VERIFYRECOVER, '-', + "Verify with public key, recover original data"}, + +- OPT_SECTION("Signing/Derivation"), ++ OPT_SECTION("Signing/Derivation/Encapsulation"), + {"digest", OPT_DIGEST, 's', + "Specify the digest algorithm when signing the raw input data"}, + {"pkeyopt", OPT_PKEYOPT, 's', "Public key options as opt:value"}, +@@ -94,6 +99,7 @@ const OPTIONS pkeyutl_options[] = { + "Public key option that is read as a passphrase argument opt:passphrase"}, + {"kdf", OPT_KDF, 's', "Use KDF algorithm"}, + {"kdflen", OPT_KDFLEN, 'p', "KDF algorithm output length"}, ++ {"kemop", OPT_KEMOP, 's', "KEM operation specific to the key algorithm"}, + + OPT_R_OPTIONS, + OPT_PROV_OPTIONS, +@@ -103,23 +109,23 @@ const OPTIONS pkeyutl_options[] = { + int pkeyutl_main(int argc, char **argv) + { + CONF *conf = NULL; +- BIO *in = NULL, *out = NULL; ++ BIO *in = NULL, *out = NULL, *secout = NULL; + ENGINE *e = NULL; + EVP_PKEY_CTX *ctx = NULL; + EVP_PKEY *pkey = NULL; +- char *infile = NULL, *outfile = NULL, *sigfile = NULL, *passinarg = NULL; ++ char *infile = NULL, *outfile = NULL, *secoutfile = NULL, *sigfile = NULL, *passinarg = NULL; + char hexdump = 0, asn1parse = 0, rev = 0, *prog; +- unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL; ++ unsigned char *buf_in = NULL, *buf_out = NULL, *sig = NULL, *secret = NULL; + OPTION_CHOICE o; + int buf_inlen = 0, siglen = -1; + int keyform = FORMAT_UNDEF, peerform = FORMAT_UNDEF; + int keysize = -1, pkey_op = EVP_PKEY_OP_SIGN, key_type = KEY_PRIVKEY; + int engine_impl = 0; + int 
ret = 1, rv = -1; +- size_t buf_outlen; ++ size_t buf_outlen = 0, secretlen = 0; + const char *inkey = NULL; + const char *peerkey = NULL; +- const char *kdfalg = NULL, *digestname = NULL; ++ const char *kdfalg = NULL, *digestname = NULL, *kemop = NULL; + int kdflen = 0; + STACK_OF(OPENSSL_STRING) *pkeyopts = NULL; + STACK_OF(OPENSSL_STRING) *pkeyopts_passin = NULL; +@@ -147,6 +153,9 @@ int pkeyutl_main(int argc, char **argv) + case OPT_OUT: + outfile = opt_arg(); + break; ++ case OPT_SECOUT: ++ secoutfile = opt_arg(); ++ break; + case OPT_SIGFILE: + sigfile = opt_arg(); + break; +@@ -216,6 +225,15 @@ int pkeyutl_main(int argc, char **argv) + case OPT_DERIVE: + pkey_op = EVP_PKEY_OP_DERIVE; + break; ++ case OPT_DECAP: ++ pkey_op = EVP_PKEY_OP_DECAPSULATE; ++ break; ++ case OPT_ENCAP: ++ pkey_op = EVP_PKEY_OP_ENCAPSULATE; ++ break; ++ case OPT_KEMOP: ++ kemop = opt_arg(); ++ break; + case OPT_KDF: + pkey_op = EVP_PKEY_OP_DERIVE; + key_type = KEY_NONE; +@@ -303,7 +321,7 @@ int pkeyutl_main(int argc, char **argv) + } + ctx = init_ctx(kdfalg, &keysize, inkey, keyform, key_type, + passinarg, pkey_op, e, engine_impl, rawin, &pkey, +- mctx, digestname, libctx, app_get0_propq()); ++ mctx, digestname, kemop, libctx, app_get0_propq()); + if (ctx == NULL) { + BIO_printf(bio_err, "%s: Error initializing context\n", prog); + goto end; +@@ -387,7 +405,7 @@ int pkeyutl_main(int argc, char **argv) + goto end; + } + +- if (pkey_op != EVP_PKEY_OP_DERIVE) { ++ if (pkey_op != EVP_PKEY_OP_DERIVE && pkey_op != EVP_PKEY_OP_ENCAPSULATE) { + in = bio_open_default(infile, 'r', FORMAT_BINARY); + if (infile != NULL) { + struct stat st; +@@ -402,6 +420,16 @@ int pkeyutl_main(int argc, char **argv) + if (out == NULL) + goto end; + ++ if (pkey_op == EVP_PKEY_OP_ENCAPSULATE) { ++ if (secoutfile == NULL) { ++ BIO_printf(bio_err, "Encapsulation requires '-secret' argument\n"); ++ goto end; ++ } ++ secout = bio_open_default(secoutfile, 'w', FORMAT_BINARY); ++ if (secout == NULL) ++ goto end; ++ } ++ 
+ if (sigfile != NULL) { + BIO *sigbio = BIO_new_file(sigfile, "rb"); + +@@ -473,13 +501,15 @@ int pkeyutl_main(int argc, char **argv) + rv = 1; + } else { + rv = do_keyop(ctx, pkey_op, NULL, (size_t *)&buf_outlen, +- buf_in, (size_t)buf_inlen); ++ buf_in, (size_t)buf_inlen, NULL, (size_t *)&secretlen); + } + if (rv > 0 && buf_outlen != 0) { + buf_out = app_malloc(buf_outlen, "buffer output"); ++ if (secretlen > 0) ++ secret = app_malloc(secretlen, "secret output"); + rv = do_keyop(ctx, pkey_op, + buf_out, (size_t *)&buf_outlen, +- buf_in, (size_t)buf_inlen); ++ buf_in, (size_t)buf_inlen, secret, (size_t *)&secretlen); + } + } + if (rv <= 0) { +@@ -500,6 +530,8 @@ int pkeyutl_main(int argc, char **argv) + } else { + BIO_write(out, buf_out, buf_outlen); + } ++ if (secretlen > 0) ++ BIO_write(secout, secret, secretlen); + + end: + if (ret != 0) +@@ -510,9 +542,11 @@ int pkeyutl_main(int argc, char **argv) + release_engine(e); + BIO_free(in); + BIO_free_all(out); ++ BIO_free_all(secout); + OPENSSL_free(buf_in); + OPENSSL_free(buf_out); + OPENSSL_free(sig); ++ OPENSSL_free(secret); + sk_OPENSSL_STRING_free(pkeyopts); + sk_OPENSSL_STRING_free(pkeyopts_passin); + NCONF_free(conf); +@@ -524,7 +558,7 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, + char *passinarg, int pkey_op, ENGINE *e, + const int engine_impl, int rawin, + EVP_PKEY **ppkey, EVP_MD_CTX *mctx, const char *digestname, +- OSSL_LIB_CTX *libctx, const char *propq) ++ const char *kemop, OSSL_LIB_CTX *libctx, const char *propq) + { + EVP_PKEY *pkey = NULL; + EVP_PKEY_CTX *ctx = NULL; +@@ -642,6 +676,18 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize, + case EVP_PKEY_OP_DERIVE: + rv = EVP_PKEY_derive_init(ctx); + break; ++ ++ case EVP_PKEY_OP_ENCAPSULATE: ++ rv = EVP_PKEY_encapsulate_init(ctx, NULL); ++ if (rv > 0 && kemop != NULL) ++ rv = EVP_PKEY_CTX_set_kem_op(ctx, kemop); ++ break; ++ ++ case EVP_PKEY_OP_DECAPSULATE: ++ rv = EVP_PKEY_decapsulate_init(ctx, NULL); ++ if 
(rv > 0 && kemop != NULL) ++ rv = EVP_PKEY_CTX_set_kem_op(ctx, kemop); ++ break; + } + } + +@@ -679,7 +725,8 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file, + + static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, + unsigned char *out, size_t *poutlen, +- const unsigned char *in, size_t inlen) ++ const unsigned char *in, size_t inlen, ++ unsigned char *secret, size_t *pseclen) + { + int rv = 0; + switch (pkey_op) { +@@ -703,6 +750,14 @@ static int do_keyop(EVP_PKEY_CTX *ctx, int pkey_op, + rv = EVP_PKEY_derive(ctx, out, poutlen); + break; + ++ case EVP_PKEY_OP_ENCAPSULATE: ++ rv = EVP_PKEY_encapsulate(ctx, out, poutlen, secret, pseclen); ++ break; ++ ++ case EVP_PKEY_OP_DECAPSULATE: ++ rv = EVP_PKEY_decapsulate(ctx, out, poutlen, in, inlen); ++ break; ++ + } + return rv; + } + +From 1598da873df55887c2d878549f74b7aaed6d5fde Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Wed, 7 Aug 2024 17:50:51 +0200 +Subject: [PATCH 2/3] Encap/decap in pkeyutl - documentation + +--- + doc/man1/openssl-pkeyutl.pod.in | 33 +++++++++++++++++++++++++++++++++ + 1 file changed, 33 insertions(+) + +diff --git a/doc/man1/openssl-pkeyutl.pod.in b/doc/man1/openssl-pkeyutl.pod.in +index 50c2030aa353c..9de50dd6cee8f 100644 +--- a/doc/man1/openssl-pkeyutl.pod.in ++++ b/doc/man1/openssl-pkeyutl.pod.in +@@ -13,6 +13,7 @@ B B + [B<-rawin>] + [B<-digest> I] + [B<-out> I] ++[B<-secret> I] + [B<-sigfile> I] + [B<-inkey> I|I] + [B<-keyform> B|B|B|B] +@@ -28,8 +29,11 @@ B B + [B<-encrypt>] + [B<-decrypt>] + [B<-derive>] ++[B<-encap>] ++[B<-decap>] + [B<-kdf> I] + [B<-kdflen> I] ++[B<-kemop> I] + [B<-pkeyopt> I:I] + [B<-pkeyopt_passin> I[:I]] + [B<-hexdump>] +@@ -79,6 +83,10 @@ then the B<-rawin> option must be also specified. + Specifies the output filename to write to or standard output by + default. + ++=item B<-secret> I ++ ++Specifies the output filename to write the secret to on I<-encap>. 
++ + =item B<-sigfile> I + + Signature file, required for B<-verify> operations only +@@ -147,6 +155,31 @@ Decrypt the input data using a private key. + + Derive a shared secret using the peer key. + ++=item B<-encap> ++ ++Encapsulate a generated secret using a private key. ++The encapsulated result (binary data) is written to standard output by default, ++or else to the file specified with I<-out>. ++The I<-secret> option must also be provided to specify the output file for the ++secret value generated in the encapsulation process. ++ ++=item B<-decap> ++ ++Decapsulate the secret using a private key. ++The result (binary data) is written to standard output by default, or else to ++the file specified with I<-out>. ++ ++=item B<-kemop> I ++ ++This option is used for I<-encap>/I<-decap> commands and specifies the KEM ++operation specific for the key algorithm when there is no default KEM ++operation. ++If the algorithm has the default KEM operation, this option can be omitted. ++ ++See L and algorithm-specific KEM documentation e.g. ++L, L, L, and ++L. ++ + =item B<-kdf> I + + Use key derivation function I. 
The supported algorithms are + +From 1fe7d5b3d96e2ce1e822a4e6e042959af55b0145 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Thu, 8 Aug 2024 13:45:19 +0200 +Subject: [PATCH 3/3] Encap/decap in pkeyutl - tests + +--- + test/decap_out.bin | 3 +++ + test/encap_out.bin | 4 ++++ + test/encap_secret.bin | 3 +++ + test/recipes/20-test_pkeyutl.t | 34 ++++++++++++++++++++++++++++++++-- + 4 files changed, 42 insertions(+), 2 deletions(-) + create mode 100644 test/decap_out.bin + create mode 100644 test/encap_out.bin + create mode 100644 test/encap_secret.bin + +diff --git a/test/decap_out.bin b/test/decap_out.bin +new file mode 100644 +index 0000000000000..b94441ed1c002 +--- /dev/null ++++ b/test/decap_out.bin +@@ -0,0 +1,3 @@ ++6žW«¡ŠòÌn‘©ú;’ù¡ÃÄmç Ä¥ÉB[HãÕË#äÓ‡(™‡hŽ] :\³PŸ›xñe¡ƒŽbòé)G¿fõÈ"¨ýË­fË ÊýJÝ)ïþÜì {ªHm‚\P ú+¸PÞ¸%èÄ/jÏ™%ç؆È<_æ~– ++K—JEhßù‡©lEa¼:¢(Ÿå/\Ñ®Íb€Ã®©Ê ×È-g,AYœ‹4 ++lÚtÚN­)~\HU4y០}qJŸ€ ”t# ¦}.™üTÅý”?ÚØÏŠÐÿcD=üLõ¨nmv{—éÅ¿Ô‹È£® +\ No newline at end of file +diff --git a/test/encap_out.bin b/test/encap_out.bin +new file mode 100644 +index 0000000000000..024fc40550f15 +--- /dev/null ++++ b/test/encap_out.bin +@@ -0,0 +1,4 @@ ++¼:÷Ùy‚ĉ5°ã ÿÙ[Û2ê<¾ê?«î±qÕª1·µŒ¸ºæÝ>YÎM寬3PÝ ++ìÛO’2rÈÙŠíùAd" Gç„m‡2mÏÄ7x•Ñhú7-ÿ@:?NµÇrSê‹œKÁ¡žè`«t¥ÉŸªÓxié头' Mhøñ‘˜3rÞÚƒ–Sd¦ðO±£ãHT„F§þ ++®‹kZ'xšFÛKùx”q"ÐÒúl@04E‰†ÌûŽ;c¾iA}U÷ÆŒ P6ýk0–‰ó%DôòLÄ.U– aO¨(LIý®QÇç¢ÏA ++Œ[´uÔžØ4s$¨†Ò%tÕB +\ No newline at end of file +diff --git a/test/encap_secret.bin b/test/encap_secret.bin +new file mode 100644 +index 0000000000000..b94441ed1c002 +--- /dev/null ++++ b/test/encap_secret.bin +@@ -0,0 +1,3 @@ ++6žW«¡ŠòÌn‘©ú;’ù¡ÃÄmç Ä¥ÉB[HãÕË#äÓ‡(™‡hŽ] :\³PŸ›xñe¡ƒŽbòé)G¿fõÈ"¨ýË­fË ÊýJÝ)ïþÜì {ªHm‚\P ú+¸PÞ¸%èÄ/jÏ™%ç؆È<_æ~– ++K—JEhßù‡©lEa¼:¢(Ÿå/\Ñ®Íb€Ã®©Ê ×È-g,AYœ‹4 ++lÚtÚN­)~\HU4y០}qJŸ€ ”t# ¦}.™üTÅý”?ÚØÏŠÐÿcD=üLõ¨nmv{—éÅ¿Ô‹È£® +\ No newline at end of file +diff --git a/test/recipes/20-test_pkeyutl.t b/test/recipes/20-test_pkeyutl.t +index 76e4f0a869459..e9472a21352e2 100644 +--- 
a/test/recipes/20-test_pkeyutl.t ++++ b/test/recipes/20-test_pkeyutl.t +@@ -13,11 +13,11 @@ use File::Spec; + use File::Basename; + use OpenSSL::Test qw/:DEFAULT srctop_file ok_nofips/; + use OpenSSL::Test::Utils; +-use File::Compare qw/compare_text/; ++use File::Compare qw/compare_text compare/; + + setup("test_pkeyutl"); + +-plan tests => 14; ++plan tests => 19; + + # For the tests below we use the cert itself as the TBS file + +@@ -200,3 +200,33 @@ SKIP: { + "-rawin"); + }; + } ++ ++#Encap/decap tests ++# openssl pkeyutl -encap -pubin -inkey rsa_pub.pem -secret secret.bin -out encap_out.bin ++# openssl pkeyutl -decap -inkey rsa_priv.pem -in encap_out.bin -out decap_out.bin ++# decap_out is equal to secret ++SKIP: { ++ skip "RSA is not supported by this OpenSSL build", 3 ++ if disabled("rsa"); ++ ++ # Self-compat ++ ok(run(app(([ 'openssl', 'pkeyutl', '-encap', '-pubin', '-kemop', 'RSASVE', ++ '-inkey', srctop_file('test', 'testrsa2048pub.pem'), ++ '-out', 'encap_out.bin', '-secret', 'secret.bin']))), ++ "RSA pubkey encapsulation"); ++ ok(run(app(([ 'openssl', 'pkeyutl', '-decap', '-kemop', 'RSASVE', ++ '-inkey', srctop_file('test', 'testrsa2048.pem'), ++ '-in', 'encap_out.bin', '-out', 'decap_out.bin']))), ++ "RSA pubkey decapsulation"); ++ is(compare("secret.bin", "decap_out.bin"), 0, "Secret is correctly decapsulated"); ++ ++ # Pregenerated ++ ok(run(app(([ 'openssl', 'pkeyutl', '-decap', '-kemop', 'RSASVE', ++ '-inkey', srctop_file('test', 'testrsa2048.pem'), ++ '-in', srctop_file('test', 'encap_out.bin'), '-out', 'decap_out_etl.bin']))), ++ "RSA pubkey decapsulation - pregenerated"); ++ ++ is(compare(srctop_file('test', 'encap_secret.bin'), "decap_out_etl.bin"), 0, ++ "Secret is correctly decapsulated - pregenerated"); ++} ++ diff --git a/0127-speedup-SSL_add_cert_subjects_to_stack.patch b/0127-speedup-SSL_add_cert_subjects_to_stack.patch new file mode 100644 index 0000000..a6bd503 --- /dev/null +++ b/0127-speedup-SSL_add_cert_subjects_to_stack.patch 
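Review bot: In pkeyutl_main the new `BIO_write(secout, secret, secretlen)` return value is ignored, so a failed or short write of the shared secret (disk full, unwritable path) still exits successfully after the encapsulated ciphertext has already been written to `-out`, leaving the caller with a ciphertext whose secret was never persisted. Assuming `ret` has been cleared to 0 on success by that point (the `if (ret != 0)` at `end:` suggests so), I would write `if (secretlen > 0 && BIO_write(secout, secret, secretlen) != (int)secretlen) { BIO_printf(bio_err, "Error writing secret\n"); ret = 1; }`. Because this file now holds a raw shared secret, it is worth confirming that bio_open_default creates it with a restrictive mode rather than the umask default, and stating that in the `-secret` man-page entry. Separately, the `-encap` man-page entry says "using a private key", but encapsulation uses the recipient's public key, as the test's `-pubin` shows; it should read `Encapsulate a generated secret using a public key.`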
@@ -0,0 +1,201 @@ +From e2e469593a15681983d16e36d856bf8fb7de8589 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Wed, 31 Jul 2024 12:45:11 +0200 +Subject: [PATCH] Speed up SSL_add_{file,dir}_cert_subjects_to_stack +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The X509_NAME comparison function converts its arguments to DER using +i2d_X509_NAME before comparing the results using memcmp(). For every +invocation of the comparison function (of which there are many when +loading many certificates), it allocates two buffers of the appropriate +size for the DER encoding. + +Switching to static buffers (possibly of X509_NAME_MAX size as defined +in crypto/x509/x_name.c) would not work with multithreaded use, e.g., +when two threads sort two separate STACK_OF(X509_NAME)s at the same +time. A suitable re-usable buffer could have been added to the +STACK_OF(X509_NAME) if sk_X509_NAME_compfunc did have a void* argument, +or a pointer to the STACK_OF(X509_NAME) – but it does not. + +Instead, copy the solution chosen in SSL_load_client_CA_file() by +filling an LHASH_OF(X509_NAME) with all existing names in the stack and +using that to deduplicate, rather than relying on sk_X509_NAME_find(), +which ends up being very slow. + +Adjust SSL_add_dir_cert_subjects_to_stack() to keep a local +LHASH_OF(X509_NAME)s over the complete directory it is processing. + +In a small benchmark that calls SSL_add_dir_cert_subjects_to_stack() +twice, once on a directory with one entry, and once with a directory +with 1000 certificates, and repeats this in a loop 10 times, this change +yields a speed-up of 5.32: + +| Benchmark 1: ./bench 10 dir-1 dir-1000 +| Time (mean ± σ): 6.685 s ± 0.017 s [User: 6.402 s, System: 0.231 s] +| Range (min … max): 6.658 s … 6.711 s 10 runs +| +| Benchmark 2: LD_LIBRARY_PATH=. 
./bench 10 dir-1 dir-1000 +| Time (mean ± σ): 1.256 s ± 0.013 s [User: 1.034 s, System: 0.212 s] +| Range (min … max): 1.244 s … 1.286 s 10 runs +| +| Summary +| LD_LIBRARY_PATH=. ./bench 10 dir-1 dir-1000 ran +| 5.32 ± 0.06 times faster than ./bench 10 dir-1 dir-1000 + +In the worst case scenario where many entries are added to a stack that +is then repeatedly used to add more certificates, and with a larger test +size, the speedup is still very significant. With 15000 certificates, +a single pass to load them, followed by attempting to load a subset of +1000 of these 15000 certificates, followed by a single certificate, the +new approach is ~85 times faster: + +| Benchmark 1: ./bench 1 dir-15000 dir-1000 dir-1 +| Time (mean ± σ): 176.295 s ± 4.147 s [User: 174.593 s, System: 0.448 s] +| Range (min … max): 173.774 s … 185.594 s 10 runs +| +| Benchmark 2: LD_LIBRARY_PATH=. ./bench 1 dir-15000 dir-1000 dir-1 +| Time (mean ± σ): 2.087 s ± 0.034 s [User: 1.679 s, System: 0.393 s] +| Range (min … max): 2.057 s … 2.167 s 10 runs +| +| Summary +| LD_LIBRARY_PATH=. 
./bench 1 dir-15000 dir-1000 dir-1 ran +| 84.48 ± 2.42 times faster than ./bench 1 dir-15000 dir-1000 dir-1 + +Signed-off-by: Clemens Lang +--- + ssl/ssl_cert.c | 74 ++++++++++++++++++++++++++++++++++++++++++++------ + 1 file changed, 65 insertions(+), 9 deletions(-) + +diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c +index 0ff407bf55edc..5e5ffe39d0655 100644 +--- a/ssl/ssl_cert.c ++++ b/ssl/ssl_cert.c +@@ -813,16 +813,14 @@ STACK_OF(X509_NAME) *SSL_load_client_CA_file(const char *file) + return SSL_load_client_CA_file_ex(file, NULL, NULL); + } + +-int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, +- const char *file) ++static int add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, ++ const char *file, ++ LHASH_OF(X509_NAME) *name_hash) + { + BIO *in; + X509 *x = NULL; + X509_NAME *xn = NULL; + int ret = 1; +- int (*oldcmp) (const X509_NAME *const *a, const X509_NAME *const *b); +- +- oldcmp = sk_X509_NAME_set_cmp_func(stack, xname_sk_cmp); + + in = BIO_new(BIO_s_file()); + +@@ -842,12 +840,15 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, + xn = X509_NAME_dup(xn); + if (xn == NULL) + goto err; +- if (sk_X509_NAME_find(stack, xn) >= 0) { ++ if (lh_X509_NAME_retrieve(name_hash, xn) != NULL) { + /* Duplicate. 
*/ + X509_NAME_free(xn); + } else if (!sk_X509_NAME_push(stack, xn)) { + X509_NAME_free(xn); + goto err; ++ } else { ++ /* Successful insert, add to hash table */ ++ lh_X509_NAME_insert(name_hash, xn); + } + } + +@@ -859,7 +860,42 @@ int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, + done: + BIO_free(in); + X509_free(x); +- (void)sk_X509_NAME_set_cmp_func(stack, oldcmp); ++ return ret; ++} ++ ++int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, ++ const char *file) ++{ ++ X509_NAME *xn = NULL; ++ int ret = 1; ++ int idx = 0; ++ int num = 0; ++ LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp); ++ ++ if (name_hash == NULL) { ++ ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); ++ goto err; ++ } ++ ++ /* ++ * Pre-populate the lhash with the existing entries of the stack, since ++ * using the LHASH_OF is much faster for duplicate checking. That's because ++ * xname_cmp converts the X509_NAMEs to DER involving a memory allocation ++ * for every single invocation of the comparison function. ++ */ ++ num = sk_X509_NAME_num(stack); ++ for (idx = 0; idx < num; idx++) { ++ xn = sk_X509_NAME_value(stack, idx); ++ lh_X509_NAME_insert(name_hash, xn); ++ } ++ ++ ret = add_file_cert_subjects_to_stack(stack, file, name_hash); ++ goto done; ++ ++ err: ++ ret = 0; ++ done: ++ lh_X509_NAME_free(name_hash); + return ret; + } + +@@ -869,8 +905,27 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, + OPENSSL_DIR_CTX *d = NULL; + const char *filename; + int ret = 0; ++ X509_NAME *xn = NULL; ++ int idx = 0; ++ int num = 0; ++ LHASH_OF(X509_NAME) *name_hash = lh_X509_NAME_new(xname_hash, xname_cmp); ++ ++ if (name_hash == NULL) { ++ ERR_raise(ERR_LIB_SSL, ERR_R_CRYPTO_LIB); ++ goto err; ++ } + +- /* Note that a side effect is that the CAs will be sorted by name */ ++ /* ++ * Pre-populate the lhash with the existing entries of the stack, since ++ * using the LHASH_OF is much faster for duplicate checking. 
That's because ++ * xname_cmp converts the X509_NAMEs to DER involving a memory allocation ++ * for every single invocation of the comparison function. ++ */ ++ num = sk_X509_NAME_num(stack); ++ for (idx = 0; idx < num; idx++) { ++ xn = sk_X509_NAME_value(stack, idx); ++ lh_X509_NAME_insert(name_hash, xn); ++ } + + while ((filename = OPENSSL_DIR_read(&d, dir))) { + char buf[1024]; +@@ -899,7 +954,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, + #endif + if (r <= 0 || r >= (int)sizeof(buf)) + goto err; +- if (!SSL_add_file_cert_subjects_to_stack(stack, buf)) ++ if (!add_file_cert_subjects_to_stack(stack, buf, name_hash)) + goto err; + } + +@@ -915,6 +970,7 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack, + err: + if (d) + OPENSSL_DIR_end(&d); ++ lh_X509_NAME_free(name_hash); + + return ret; + } diff --git a/0128-SAST-findings.patch b/0128-SAST-findings.patch new file mode 100644 index 0000000..77cb8e9 --- /dev/null +++ b/0128-SAST-findings.patch 
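Review bot: All three `lh_X509_NAME_insert(name_hash, xn)` calls (the two pre-population loops and the one in add_file_cert_subjects_to_stack) ignore the result; OPENSSL_LH_insert returns NULL both for a fresh key and for an allocation failure, which is only distinguishable via the lhash error flag. On a failed insert the name stays on the stack but not in the hash, so later duplicates are no longer detected — not a memory-safety issue, but a silent deviation from the dedup behaviour the old sk_X509_NAME_find path guaranteed; `if (lh_X509_NAME_insert(name_hash, xn) == NULL && lh_X509_NAME_error(name_hash)) goto err;` at each site would surface it (the stack already owns `xn`, so no extra free is needed). The removed "CAs will be sorted by name" comment reflects a real behaviour change: without `sk_X509_NAME_set_cmp_func(stack, xname_sk_cmp)` the stack is no longer sorted or searchable via sk_X509_NAME_find, so the SSL_add_file_cert_subjects_to_stack man page should state that entries are kept in insertion order, if it does not already.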
@@ -0,0 +1,24 @@
+diff -up openssl-3.2.2/crypto/rsa/rsa_oaep.c.xxx openssl-3.2.2/crypto/rsa/rsa_oaep.c
+--- openssl-3.2.2/crypto/rsa/rsa_oaep.c.xxx 2024-08-14 14:22:48.733407808 +0200
++++ openssl-3.2.2/crypto/rsa/rsa_oaep.c 2024-08-14 14:23:32.994483135 +0200
+@@ -233,7 +233,7 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un
+
+ mdlen = EVP_MD_get_size(md);
+
+- if (tlen <= 0 || flen <= 0)
++ if (tlen <= 0 || flen <= 0 || mdlen <= 0)
+ return -1;
+ /*
+ * |num| is the length of the modulus; |flen| is the length of the
+diff -up openssl-3.2.2/crypto/x509/pcy_tree.c.xxx openssl-3.2.2/crypto/x509/pcy_tree.c
+--- openssl-3.2.2/crypto/x509/pcy_tree.c.xxx 2024-08-14 14:14:13.144850097 +0200
++++ openssl-3.2.2/crypto/x509/pcy_tree.c 2024-08-14 14:14:53.213826481 +0200
+@@ -110,6 +110,8 @@ static int tree_init(X509_POLICY_TREE **ptree, STACK_OF(X509) *certs,
+
+ *ptree = NULL;
+
++ if (n < 0)
++ return X509_PCY_TREE_INTERNAL;
+ /* Can't do anything with just a trust anchor */
+ if (n == 0)
+ return X509_PCY_TREE_EMPTY;
diff --git a/0129-Fix-SSL_select_next_proto.patch b/0129-Fix-SSL_select_next_proto.patch
new file mode 100644
index 0000000..6458067
--- /dev/null
+++ b/0129-Fix-SSL_select_next_proto.patch
@@ -0,0 +1,109 @@ +From 99fb785a5f85315b95288921a321a935ea29a51e Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 11:14:33 +0100 +Subject: [PATCH 01/10] Fix SSL_select_next_proto + +Ensure that the provided client list is non-NULL and starts with a valid +entry. When called from the ALPN callback the client list should already +have been validated by OpenSSL so this should not cause a problem. When +called from the NPN callback the client list is locally configured and +will not have already been validated. Therefore SSL_select_next_proto +should not assume that it is correctly formatted. + +We implement stricter checking of the client protocol list. We also do the +same for the server list while we are about it. + +CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++------------------- + 1 file changed, 40 insertions(+), 23 deletions(-) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 016135fe18..cf52b317cf 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -3518,37 +3518,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, + unsigned int server_len, + const unsigned char *client, unsigned int client_len) + { +- unsigned int i, j; +- const unsigned char *result; +- int status = OPENSSL_NPN_UNSUPPORTED; ++ PACKET cpkt, csubpkt, spkt, ssubpkt; ++ ++ if (!PACKET_buf_init(&cpkt, client, client_len) ++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) ++ || PACKET_remaining(&csubpkt) == 0) { ++ *out = NULL; ++ *outlen = 0; ++ return OPENSSL_NPN_NO_OVERLAP; ++ } ++ ++ /* ++ * Set the default opportunistic protocol. Will be overwritten if we find ++ * a match. ++ */ ++ *out = (unsigned char *)PACKET_data(&csubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&csubpkt); + + /* + * For each protocol in server preference order, see if we support it. 
+ */ +- for (i = 0; i < server_len;) { +- for (j = 0; j < client_len;) { +- if (server[i] == client[j] && +- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { +- /* We found a match */ +- result = &server[i]; +- status = OPENSSL_NPN_NEGOTIATED; +- goto found; ++ if (PACKET_buf_init(&spkt, server, server_len)) { ++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { ++ if (PACKET_remaining(&ssubpkt) == 0) ++ continue; /* Invalid - ignore it */ ++ if (PACKET_buf_init(&cpkt, client, client_len)) { ++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { ++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), ++ PACKET_remaining(&ssubpkt))) { ++ /* We found a match */ ++ *out = (unsigned char *)PACKET_data(&ssubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); ++ return OPENSSL_NPN_NEGOTIATED; ++ } ++ } ++ /* Ignore spurious trailing bytes in the client list */ ++ } else { ++ /* This should never happen */ ++ return OPENSSL_NPN_NO_OVERLAP; + } +- j += client[j]; +- j++; + } +- i += server[i]; +- i++; ++ /* Ignore spurious trailing bytes in the server list */ + } + +- /* There's no overlap between our protocols and the server's list. */ +- result = client; +- status = OPENSSL_NPN_NO_OVERLAP; +- +- found: +- *out = (unsigned char *)result + 1; +- *outlen = result[0]; +- return status; ++ /* ++ * There's no overlap between our protocols and the server's list. We use ++ * the default opportunistic protocol selected earlier ++ */ ++ return OPENSSL_NPN_NO_OVERLAP; + } + + #ifndef OPENSSL_NO_NEXTPROTONEG +-- +2.46.0 + diff --git a/0130-More-correctly-handle-a-selected_len-of-0-when-proce.patch b/0130-More-correctly-handle-a-selected_len-of-0-when-proce.patch new file mode 100644 index 0000000..29d22c6 --- /dev/null +++ b/0130-More-correctly-handle-a-selected_len-of-0-when-proce.patch 
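Review bot: The two `(unsigned char)PACKET_remaining(...)` narrowing casts into `*outlen` are lossless only because each sub-packet was produced by `PACKET_get_length_prefixed_1`, which bounds it to 255 bytes; that invariant is not stated, and a later switch to a 2-byte prefix would truncate silently. A comment at the first cast, `/* 1-byte length prefix: remaining <= 255, so the narrowing cast is lossless */`, would pin it. It would also help to note beside the "default opportunistic protocol" assignment that an ALPN caller must ignore `*out` when OPENSSL_NPN_NO_OVERLAP is returned, since it then points into the client's own list rather than a server-offered protocol.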
@@ -0,0 +1,39 @@ +From 015255851371757d54c2560643eb3b3a88123cf1 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 11:18:27 +0100 +Subject: [PATCH 02/10] More correctly handle a selected_len of 0 when + processing NPN + +In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but +the selected_len is 0 we should fail. Previously this would fail with an +internal_error alert because calling OPENSSL_malloc(selected_len) will +return NULL when selected_len is 0. We make this error detection more +explicit and return a handshake failure alert. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + ssl/statem/extensions_clnt.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c +index 381a6c9d7b..1ab3c13d57 100644 +--- a/ssl/statem/extensions_clnt.c ++++ b/ssl/statem/extensions_clnt.c +@@ -1560,8 +1560,8 @@ int tls_parse_stoc_npn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, + if (sctx->ext.npn_select_cb(SSL_CONNECTION_GET_SSL(s), + &selected, &selected_len, + PACKET_data(pkt), PACKET_remaining(pkt), +- sctx->ext.npn_select_cb_arg) != +- SSL_TLSEXT_ERR_OK) { ++ sctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK ++ || selected_len == 0) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); + return 0; + } +-- +2.46.0 + diff --git a/0131-Use-correctly-formatted-ALPN-data-in-tserver.patch b/0131-Use-correctly-formatted-ALPN-data-in-tserver.patch new file mode 100644 index 0000000..028732f --- /dev/null +++ b/0131-Use-correctly-formatted-ALPN-data-in-tserver.patch 
@@ -0,0 +1,34 @@ +From 6cc511826f09e513b4ec066d9b95acaf4f86d991 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 11:22:13 +0100 +Subject: [PATCH 03/10] Use correctly formatted ALPN data in tserver + +The QUIC test server was using incorrectly formatted ALPN data. With the +previous implementation of SSL_select_next_proto this went unnoticed. With +the new stricter implemenation it was failing. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + ssl/quic/quic_tserver.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/ssl/quic/quic_tserver.c b/ssl/quic/quic_tserver.c +index 86187d06ff..15694e723f 100644 +--- a/ssl/quic/quic_tserver.c ++++ b/ssl/quic/quic_tserver.c +@@ -58,7 +58,7 @@ static int alpn_select_cb(SSL *ssl, const unsigned char **out, + + if (srv->args.alpn == NULL) { + alpn = alpndeflt; +- alpnlen = sizeof(alpn); ++ alpnlen = sizeof(alpndeflt); + } else { + alpn = srv->args.alpn; + alpnlen = srv->args.alpnlen; +-- +2.46.0 + diff --git a/0132-Clarify-the-SSL_select_next_proto-documentation.patch b/0132-Clarify-the-SSL_select_next_proto-documentation.patch new file mode 100644 index 0000000..34e6261 --- /dev/null +++ b/0132-Clarify-the-SSL_select_next_proto-documentation.patch 
@@ -0,0 +1,78 @@
+From 8e81c57adbbf703dfb63955f65599765fdacc741 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Fri, 31 May 2024 11:46:38 +0100
+Subject: [PATCH 04/10] Clarify the SSL_select_next_proto() documentation
+
+We clarify the input preconditions and the expected behaviour in the event
+of no overlap.
+
+Follow on from CVE-2024-5535
+
+Reviewed-by: Neil Horman
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/24717)
+---
+ doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++--------
+ 1 file changed, 18 insertions(+), 8 deletions(-)
+
+diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
+index 05fee2fbec..79e1a252f6 100644
+--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod
++++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod
+@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated
+ SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to
+ set the list of protocols available to be negotiated. The B must be in
+ protocol-list format, described below. The length of B is specified in
+-B.
++B. Setting B to 0 clears any existing list of ALPN
++protocols and no ALPN extension will be sent to the server.
+
+ SSL_CTX_set_alpn_select_cb() sets the application callback B used by a
+ server to select which protocol to use for the incoming connection. When B
+@@ -73,9 +74,16 @@ B and B, B must be in the protocol-list format
+ described below. The first item in the B, B list that
+ matches an item in the B, B list is selected, and returned
+ in B, B. The B value will point into either B or
+-B, so it should be copied immediately. If no match is found, the first
+-item in B, B is returned in B, B. This
+-function can also be used in the NPN callback.
++B, so it should be copied immediately. The client list must include at
++least one valid (nonempty) protocol entry in the list.
++
++The SSL_select_next_proto() helper function can be useful from either the ALPN
++callback or the NPN callback (described below). If no match is found, the first
++item in B, B is returned in B, B and
++B is returned. This can be useful when implementating
++the NPN callback. In the ALPN case, the value returned in B and B
++must be ignored if B has been returned from
++SSL_select_next_proto().
+
+ SSL_CTX_set_next_proto_select_cb() sets a callback B that is called when a
+ client needs to select a protocol from the server's provided list, and a
+@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B).
+ The length of the protocol name must be written into B. The
+ server's advertised protocols are provided in B and B. The
+ callback can assume that B is syntactically valid. The client must
+-select a protocol. It is fatal to the connection if this callback returns
+-a value other than B. The B parameter is the pointer
+-set via SSL_CTX_set_next_proto_select_cb().
++select a protocol (although it may be an empty, zero length protocol). It is
++fatal to the connection if this callback returns a value other than
++B or if the zero length protocol is selected. The B
++parameter is the pointer set via SSL_CTX_set_next_proto_select_cb().
+
+ SSL_CTX_set_next_protos_advertised_cb() sets a callback B that is called
+ when a TLS server needs a list of supported protocols for Next Protocol
+@@ -154,7 +163,8 @@ A match was found and is returned in B, B.
+ =item OPENSSL_NPN_NO_OVERLAP
+
+ No match was found. The first item in B, B is returned in
+-B, B.
++B, B (or B and 0 in the case where the first entry in
++B is invalid).
+
+ =back
+
+--
+2.46.0
+
diff --git a/0133-Add-a-test-for-SSL_select_next_proto.patch b/0133-Add-a-test-for-SSL_select_next_proto.patch
new file mode 100644
index 0000000..ccf1577
--- /dev/null
+++ b/0133-Add-a-test-for-SSL_select_next_proto.patch
@@ -0,0 +1,172 @@
+From add5c52a25c549cec4a730cdf96e2252f0a1862d Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Fri, 31 May 2024 16:35:16 +0100
+Subject: [PATCH 05/10] Add a test for SSL_select_next_proto
+
+Follow on from CVE-2024-5535
+
+Reviewed-by: Neil Horman
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/24717)
+---
+ test/sslapitest.c | 137 ++++++++++++++++++++++++++++++++++++++++++++++
+ 1 file changed, 137 insertions(+)
+
+diff --git a/test/sslapitest.c b/test/sslapitest.c
+index ce163322cd..15cb9060cb 100644
+--- a/test/sslapitest.c
++++ b/test/sslapitest.c
+@@ -11741,6 +11741,142 @@ static int test_multi_resume(int idx)
+ return testresult;
+ }
+
++static struct next_proto_st {
++ int serverlen;
++ unsigned char server[40];
++ int clientlen;
++ unsigned char client[40];
++ int expected_ret;
++ size_t selectedlen;
++ unsigned char selected[40];
++} next_proto_tests[] = {
++ {
++ 4, { 3, 'a', 'b', 'c' },
++ 4, { 3, 'a', 'b', 'c' },
++ OPENSSL_NPN_NEGOTIATED,
++ 3, { 'a', 'b', 'c' }
++ },
++ {
++ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b' },
++ 4, { 3, 'a', 'b', 'c' },
++ OPENSSL_NPN_NEGOTIATED,
++ 3, { 'a', 'b', 'c' }
++ },
++ {
++ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c', },
++ 4, { 3, 'a', 'b', 'c' },
++ OPENSSL_NPN_NEGOTIATED,
++ 3, { 'a', 'b', 'c' }
++ },
++ {
++ 4, { 3, 'a', 'b', 'c' },
++ 7, { 3, 'a', 'b', 'c', 2, 'a', 'b', },
++ OPENSSL_NPN_NEGOTIATED,
++ 3, { 'a', 'b', 'c' }
++ },
++ {
++ 4, { 3, 'a', 'b', 'c' },
++ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
++ OPENSSL_NPN_NEGOTIATED,
++ 3, { 'a', 'b', 'c' }
++ },
++ {
++ 7, { 2, 'b', 'c', 3, 'a', 'b', 'c' },
++ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
++ OPENSSL_NPN_NEGOTIATED,
++ 3, { 'a', 'b', 'c' }
++ },
++ {
++ 10, { 2, 'b', 'c', 3, 'a', 'b', 'c', 2, 'a', 'b' },
++ 7, { 2, 'a', 'b', 3, 'a', 'b', 'c'},
++ OPENSSL_NPN_NEGOTIATED,
++ 3, { 'a', 'b', 'c' }
++ },
++ {
++ 4, { 3, 'b', 'c', 'd' },
++ 4, { 3, 'a', 'b', 'c' },
++ OPENSSL_NPN_NO_OVERLAP,
++ 3, { 'a', 'b', 'c' }
++ },
++ {
++ 
0, { 0 },
++ 4, { 3, 'a', 'b', 'c' },
++ OPENSSL_NPN_NO_OVERLAP,
++ 3, { 'a', 'b', 'c' }
++ },
++ {
++ -1, { 0 },
++ 4, { 3, 'a', 'b', 'c' },
++ OPENSSL_NPN_NO_OVERLAP,
++ 3, { 'a', 'b', 'c' }
++ },
++ {
++ 4, { 3, 'a', 'b', 'c' },
++ 0, { 0 },
++ OPENSSL_NPN_NO_OVERLAP,
++ 0, { 0 }
++ },
++ {
++ 4, { 3, 'a', 'b', 'c' },
++ -1, { 0 },
++ OPENSSL_NPN_NO_OVERLAP,
++ 0, { 0 }
++ },
++ {
++ 3, { 3, 'a', 'b', 'c' },
++ 4, { 3, 'a', 'b', 'c' },
++ OPENSSL_NPN_NO_OVERLAP,
++ 3, { 'a', 'b', 'c' }
++ },
++ {
++ 4, { 3, 'a', 'b', 'c' },
++ 3, { 3, 'a', 'b', 'c' },
++ OPENSSL_NPN_NO_OVERLAP,
++ 0, { 0 }
++ }
++};
++
++static int test_select_next_proto(int idx)
++{
++ struct next_proto_st *np = &next_proto_tests[idx];
++ int ret = 0;
++ unsigned char *out, *client, *server;
++ unsigned char outlen;
++ unsigned int clientlen, serverlen;
++
++ if (np->clientlen == -1) {
++ client = NULL;
++ clientlen = 0;
++ } else {
++ client = np->client;
++ clientlen = (unsigned int)np->clientlen;
++ }
++ if (np->serverlen == -1) {
++ server = NULL;
++ serverlen = 0;
++ } else {
++ server = np->server;
++ serverlen = (unsigned int)np->serverlen;
++ }
++
++ if (!TEST_int_eq(SSL_select_next_proto(&out, &outlen, server, serverlen,
++ client, clientlen),
++ np->expected_ret))
++ goto err;
++
++ if (np->selectedlen == 0) {
++ if (!TEST_ptr_null(out) || !TEST_uchar_eq(outlen, 0))
++ goto err;
++ } else {
++ if (!TEST_mem_eq(out, outlen, np->selected, np->selectedlen))
++ goto err;
++ }
++
++ ret = 1;
++ err:
++ return ret;
++}
++
+ OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n")
+
+ int setup_tests(void)
+@@ -12053,6 +12189,7 @@ int setup_tests(void)
+ ADD_ALL_TESTS(test_handshake_retry, 16);
+ ADD_TEST(test_data_retry);
+ ADD_ALL_TESTS(test_multi_resume, 5);
++ ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests));
+ return 1;
+
+ err:
+--
+2.46.0
+
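Review bot: The next_proto_tests table covers NULL, empty and truncated lists, but it has no row where the client list is well-formed yet its first entry is a zero-length protocol, which the companion documentation change in this series describes as returning NULL and 0 with OPENSSL_NPN_NO_OVERLAP; a row such as `{ 4, { 3, 'a', 'b', 'c' }, 1, { 0 }, OPENSSL_NPN_NO_OVERLAP, 0, { 0 } }` would pin that path, with the expected values taken from that documentation text rather than from code visible here, so they should be confirmed against the implementation. The rows also carry no comment saying what each one targets (server preference order, client first preference on mismatch, truncated length prefix, NULL versus empty list), so a one-line `/* ... */` above each row, or at least above the NO_OVERLAP rows with malformed input, would make a future failure readable without decoding the byte arrays. The table and test_select_next_proto are both fully within this hunk; setup_tests is not.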
diff --git a/0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch b/0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
new file mode 100644
index 0000000..ae383c8
--- /dev/null
+++ b/0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
@@ -0,0 +1,1169 @@
+From 7ea1f6a85b299b976cb3f756b2a7f0153f31b2b6 Mon Sep 17 00:00:00 2001
+From: Matt Caswell
+Date: Tue, 4 Jun 2024 15:47:32 +0100
+Subject: [PATCH 06/10] Allow an empty NPN/ALPN protocol list in the tests
+
+Allow ourselves to configure an empty NPN/ALPN protocol list and test what
+happens if we do.
+
+Follow on from CVE-2024-5535
+
+Reviewed-by: Neil Horman
+Reviewed-by: Tomas Mraz
+(Merged from https://github.com/openssl/openssl/pull/24717)
+---
+ test/helpers/handshake.c | 6 +
+ test/ssl-tests/08-npn.cnf | 553 +++++++++++++++++++---------------
+ test/ssl-tests/08-npn.cnf.in | 35 +++
+ test/ssl-tests/09-alpn.cnf | 66 +++-
+ test/ssl-tests/09-alpn.cnf.in | 33 ++
+ 5 files changed, 449 insertions(+), 244 deletions(-)
+
+diff --git a/test/helpers/handshake.c b/test/helpers/handshake.c
+index e0422469e4..6b1629b942 100644
+--- a/test/helpers/handshake.c
++++ b/test/helpers/handshake.c
+@@ -348,6 +348,12 @@ static int parse_protos(const char *protos, unsigned char **out, size_t *outlen)
+
+ len = strlen(protos);
+
++ if (len == 0) {
++ *out = NULL;
++ *outlen = 0;
++ return 1;
++ }
++
+ /* Should never have reuse. */
+ if (!TEST_ptr_null(*out)
+ /* Test values are small, so we omit length limit checks.
*/ +diff --git a/test/ssl-tests/08-npn.cnf b/test/ssl-tests/08-npn.cnf +index f38b3f6975..1931d02de4 100644 +--- a/test/ssl-tests/08-npn.cnf ++++ b/test/ssl-tests/08-npn.cnf +@@ -1,6 +1,6 @@ + # Generated with generate_ssl_tests.pl + +-num_tests = 20 ++num_tests = 22 + + test-0 = 0-npn-simple + test-1 = 1-npn-client-finds-match +@@ -8,20 +8,22 @@ test-2 = 2-npn-client-honours-server-pref + test-3 = 3-npn-client-first-pref-on-mismatch + test-4 = 4-npn-no-server-support + test-5 = 5-npn-no-client-support +-test-6 = 6-npn-with-sni-no-context-switch +-test-7 = 7-npn-with-sni-context-switch +-test-8 = 8-npn-selected-sni-server-supports-npn +-test-9 = 9-npn-selected-sni-server-does-not-support-npn +-test-10 = 10-alpn-preferred-over-npn +-test-11 = 11-sni-npn-preferred-over-alpn +-test-12 = 12-npn-simple-resumption +-test-13 = 13-npn-server-switch-resumption +-test-14 = 14-npn-client-switch-resumption +-test-15 = 15-npn-client-first-pref-on-mismatch-resumption +-test-16 = 16-npn-no-server-support-resumption +-test-17 = 17-npn-no-client-support-resumption +-test-18 = 18-alpn-preferred-over-npn-resumption +-test-19 = 19-npn-used-if-alpn-not-supported-resumption ++test-6 = 6-npn-empty-client-list ++test-7 = 7-npn-empty-server-list ++test-8 = 8-npn-with-sni-no-context-switch ++test-9 = 9-npn-with-sni-context-switch ++test-10 = 10-npn-selected-sni-server-supports-npn ++test-11 = 11-npn-selected-sni-server-does-not-support-npn ++test-12 = 12-alpn-preferred-over-npn ++test-13 = 13-sni-npn-preferred-over-alpn ++test-14 = 14-npn-simple-resumption ++test-15 = 15-npn-server-switch-resumption ++test-16 = 16-npn-client-switch-resumption ++test-17 = 17-npn-client-first-pref-on-mismatch-resumption ++test-18 = 18-npn-no-server-support-resumption ++test-19 = 19-npn-no-client-support-resumption ++test-20 = 20-alpn-preferred-over-npn-resumption ++test-21 = 21-npn-used-if-alpn-not-supported-resumption + # =========================================================== + + [0-npn-simple] +@@ 
-206,253 +208,318 @@ NPNProtocols = foo + + # =========================================================== + +-[6-npn-with-sni-no-context-switch] +-ssl_conf = 6-npn-with-sni-no-context-switch-ssl ++[6-npn-empty-client-list] ++ssl_conf = 6-npn-empty-client-list-ssl + +-[6-npn-with-sni-no-context-switch-ssl] +-server = 6-npn-with-sni-no-context-switch-server +-client = 6-npn-with-sni-no-context-switch-client +-server2 = 6-npn-with-sni-no-context-switch-server2 ++[6-npn-empty-client-list-ssl] ++server = 6-npn-empty-client-list-server ++client = 6-npn-empty-client-list-client + +-[6-npn-with-sni-no-context-switch-server] ++[6-npn-empty-client-list-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[6-npn-with-sni-no-context-switch-server2] ++[6-npn-empty-client-list-client] ++CipherString = DEFAULT ++MaxProtocol = TLSv1.2 ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-6] ++ExpectedClientAlert = HandshakeFailure ++ExpectedResult = ClientFail ++server = 6-npn-empty-client-list-server-extra ++client = 6-npn-empty-client-list-client-extra ++ ++[6-npn-empty-client-list-server-extra] ++NPNProtocols = foo ++ ++[6-npn-empty-client-list-client-extra] ++NPNProtocols = ++ ++ ++# =========================================================== ++ ++[7-npn-empty-server-list] ++ssl_conf = 7-npn-empty-server-list-ssl ++ ++[7-npn-empty-server-list-ssl] ++server = 7-npn-empty-server-list-server ++client = 7-npn-empty-server-list-client ++ ++[7-npn-empty-server-list-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[6-npn-with-sni-no-context-switch-client] ++[7-npn-empty-server-list-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-6] ++[test-7] ++ExpectedNPNProtocol = foo ++server = 
7-npn-empty-server-list-server-extra ++client = 7-npn-empty-server-list-client-extra ++ ++[7-npn-empty-server-list-server-extra] ++NPNProtocols = ++ ++[7-npn-empty-server-list-client-extra] ++NPNProtocols = foo ++ ++ ++# =========================================================== ++ ++[8-npn-with-sni-no-context-switch] ++ssl_conf = 8-npn-with-sni-no-context-switch-ssl ++ ++[8-npn-with-sni-no-context-switch-ssl] ++server = 8-npn-with-sni-no-context-switch-server ++client = 8-npn-with-sni-no-context-switch-client ++server2 = 8-npn-with-sni-no-context-switch-server2 ++ ++[8-npn-with-sni-no-context-switch-server] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[8-npn-with-sni-no-context-switch-server2] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[8-npn-with-sni-no-context-switch-client] ++CipherString = DEFAULT ++MaxProtocol = TLSv1.2 ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-8] + ExpectedNPNProtocol = foo + ExpectedServerName = server1 +-server = 6-npn-with-sni-no-context-switch-server-extra +-server2 = 6-npn-with-sni-no-context-switch-server2-extra +-client = 6-npn-with-sni-no-context-switch-client-extra ++server = 8-npn-with-sni-no-context-switch-server-extra ++server2 = 8-npn-with-sni-no-context-switch-server2-extra ++client = 8-npn-with-sni-no-context-switch-client-extra + +-[6-npn-with-sni-no-context-switch-server-extra] ++[8-npn-with-sni-no-context-switch-server-extra] + NPNProtocols = foo + ServerNameCallback = IgnoreMismatch + +-[6-npn-with-sni-no-context-switch-server2-extra] ++[8-npn-with-sni-no-context-switch-server2-extra] + NPNProtocols = bar + +-[6-npn-with-sni-no-context-switch-client-extra] ++[8-npn-with-sni-no-context-switch-client-extra] + NPNProtocols = foo,bar + ServerName = server1 + + + # 
=========================================================== + +-[7-npn-with-sni-context-switch] +-ssl_conf = 7-npn-with-sni-context-switch-ssl ++[9-npn-with-sni-context-switch] ++ssl_conf = 9-npn-with-sni-context-switch-ssl + +-[7-npn-with-sni-context-switch-ssl] +-server = 7-npn-with-sni-context-switch-server +-client = 7-npn-with-sni-context-switch-client +-server2 = 7-npn-with-sni-context-switch-server2 ++[9-npn-with-sni-context-switch-ssl] ++server = 9-npn-with-sni-context-switch-server ++client = 9-npn-with-sni-context-switch-client ++server2 = 9-npn-with-sni-context-switch-server2 + +-[7-npn-with-sni-context-switch-server] ++[9-npn-with-sni-context-switch-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[7-npn-with-sni-context-switch-server2] ++[9-npn-with-sni-context-switch-server2] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[7-npn-with-sni-context-switch-client] ++[9-npn-with-sni-context-switch-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-7] ++[test-9] + ExpectedNPNProtocol = bar + ExpectedServerName = server2 +-server = 7-npn-with-sni-context-switch-server-extra +-server2 = 7-npn-with-sni-context-switch-server2-extra +-client = 7-npn-with-sni-context-switch-client-extra ++server = 9-npn-with-sni-context-switch-server-extra ++server2 = 9-npn-with-sni-context-switch-server2-extra ++client = 9-npn-with-sni-context-switch-client-extra + +-[7-npn-with-sni-context-switch-server-extra] ++[9-npn-with-sni-context-switch-server-extra] + NPNProtocols = foo + ServerNameCallback = IgnoreMismatch + +-[7-npn-with-sni-context-switch-server2-extra] ++[9-npn-with-sni-context-switch-server2-extra] + NPNProtocols = bar + +-[7-npn-with-sni-context-switch-client-extra] 
++[9-npn-with-sni-context-switch-client-extra] + NPNProtocols = foo,bar + ServerName = server2 + + + # =========================================================== + +-[8-npn-selected-sni-server-supports-npn] +-ssl_conf = 8-npn-selected-sni-server-supports-npn-ssl ++[10-npn-selected-sni-server-supports-npn] ++ssl_conf = 10-npn-selected-sni-server-supports-npn-ssl + +-[8-npn-selected-sni-server-supports-npn-ssl] +-server = 8-npn-selected-sni-server-supports-npn-server +-client = 8-npn-selected-sni-server-supports-npn-client +-server2 = 8-npn-selected-sni-server-supports-npn-server2 ++[10-npn-selected-sni-server-supports-npn-ssl] ++server = 10-npn-selected-sni-server-supports-npn-server ++client = 10-npn-selected-sni-server-supports-npn-client ++server2 = 10-npn-selected-sni-server-supports-npn-server2 + +-[8-npn-selected-sni-server-supports-npn-server] ++[10-npn-selected-sni-server-supports-npn-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[8-npn-selected-sni-server-supports-npn-server2] ++[10-npn-selected-sni-server-supports-npn-server2] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[8-npn-selected-sni-server-supports-npn-client] ++[10-npn-selected-sni-server-supports-npn-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-8] ++[test-10] + ExpectedNPNProtocol = bar + ExpectedServerName = server2 +-server = 8-npn-selected-sni-server-supports-npn-server-extra +-server2 = 8-npn-selected-sni-server-supports-npn-server2-extra +-client = 8-npn-selected-sni-server-supports-npn-client-extra ++server = 10-npn-selected-sni-server-supports-npn-server-extra ++server2 = 10-npn-selected-sni-server-supports-npn-server2-extra ++client = 10-npn-selected-sni-server-supports-npn-client-extra + 
+-[8-npn-selected-sni-server-supports-npn-server-extra] ++[10-npn-selected-sni-server-supports-npn-server-extra] + ServerNameCallback = IgnoreMismatch + +-[8-npn-selected-sni-server-supports-npn-server2-extra] ++[10-npn-selected-sni-server-supports-npn-server2-extra] + NPNProtocols = bar + +-[8-npn-selected-sni-server-supports-npn-client-extra] ++[10-npn-selected-sni-server-supports-npn-client-extra] + NPNProtocols = foo,bar + ServerName = server2 + + + # =========================================================== + +-[9-npn-selected-sni-server-does-not-support-npn] +-ssl_conf = 9-npn-selected-sni-server-does-not-support-npn-ssl ++[11-npn-selected-sni-server-does-not-support-npn] ++ssl_conf = 11-npn-selected-sni-server-does-not-support-npn-ssl + +-[9-npn-selected-sni-server-does-not-support-npn-ssl] +-server = 9-npn-selected-sni-server-does-not-support-npn-server +-client = 9-npn-selected-sni-server-does-not-support-npn-client +-server2 = 9-npn-selected-sni-server-does-not-support-npn-server2 ++[11-npn-selected-sni-server-does-not-support-npn-ssl] ++server = 11-npn-selected-sni-server-does-not-support-npn-server ++client = 11-npn-selected-sni-server-does-not-support-npn-client ++server2 = 11-npn-selected-sni-server-does-not-support-npn-server2 + +-[9-npn-selected-sni-server-does-not-support-npn-server] ++[11-npn-selected-sni-server-does-not-support-npn-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[9-npn-selected-sni-server-does-not-support-npn-server2] ++[11-npn-selected-sni-server-does-not-support-npn-server2] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[9-npn-selected-sni-server-does-not-support-npn-client] ++[11-npn-selected-sni-server-does-not-support-npn-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode 
= Peer + +-[test-9] ++[test-11] + ExpectedServerName = server2 +-server = 9-npn-selected-sni-server-does-not-support-npn-server-extra +-client = 9-npn-selected-sni-server-does-not-support-npn-client-extra ++server = 11-npn-selected-sni-server-does-not-support-npn-server-extra ++client = 11-npn-selected-sni-server-does-not-support-npn-client-extra + +-[9-npn-selected-sni-server-does-not-support-npn-server-extra] ++[11-npn-selected-sni-server-does-not-support-npn-server-extra] + NPNProtocols = bar + ServerNameCallback = IgnoreMismatch + +-[9-npn-selected-sni-server-does-not-support-npn-client-extra] ++[11-npn-selected-sni-server-does-not-support-npn-client-extra] + NPNProtocols = foo,bar + ServerName = server2 + + + # =========================================================== + +-[10-alpn-preferred-over-npn] +-ssl_conf = 10-alpn-preferred-over-npn-ssl ++[12-alpn-preferred-over-npn] ++ssl_conf = 12-alpn-preferred-over-npn-ssl + +-[10-alpn-preferred-over-npn-ssl] +-server = 10-alpn-preferred-over-npn-server +-client = 10-alpn-preferred-over-npn-client ++[12-alpn-preferred-over-npn-ssl] ++server = 12-alpn-preferred-over-npn-server ++client = 12-alpn-preferred-over-npn-client + +-[10-alpn-preferred-over-npn-server] ++[12-alpn-preferred-over-npn-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[10-alpn-preferred-over-npn-client] ++[12-alpn-preferred-over-npn-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-10] ++[test-12] + ExpectedALPNProtocol = foo +-server = 10-alpn-preferred-over-npn-server-extra +-client = 10-alpn-preferred-over-npn-client-extra ++server = 12-alpn-preferred-over-npn-server-extra ++client = 12-alpn-preferred-over-npn-client-extra + +-[10-alpn-preferred-over-npn-server-extra] ++[12-alpn-preferred-over-npn-server-extra] + ALPNProtocols = foo + NPNProtocols = bar + 
+-[10-alpn-preferred-over-npn-client-extra] ++[12-alpn-preferred-over-npn-client-extra] + ALPNProtocols = foo + NPNProtocols = bar + + + # =========================================================== + +-[11-sni-npn-preferred-over-alpn] +-ssl_conf = 11-sni-npn-preferred-over-alpn-ssl ++[13-sni-npn-preferred-over-alpn] ++ssl_conf = 13-sni-npn-preferred-over-alpn-ssl + +-[11-sni-npn-preferred-over-alpn-ssl] +-server = 11-sni-npn-preferred-over-alpn-server +-client = 11-sni-npn-preferred-over-alpn-client +-server2 = 11-sni-npn-preferred-over-alpn-server2 ++[13-sni-npn-preferred-over-alpn-ssl] ++server = 13-sni-npn-preferred-over-alpn-server ++client = 13-sni-npn-preferred-over-alpn-client ++server2 = 13-sni-npn-preferred-over-alpn-server2 + +-[11-sni-npn-preferred-over-alpn-server] ++[13-sni-npn-preferred-over-alpn-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[11-sni-npn-preferred-over-alpn-server2] ++[13-sni-npn-preferred-over-alpn-server2] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[11-sni-npn-preferred-over-alpn-client] ++[13-sni-npn-preferred-over-alpn-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-11] ++[test-13] + ExpectedNPNProtocol = bar + ExpectedServerName = server2 +-server = 11-sni-npn-preferred-over-alpn-server-extra +-server2 = 11-sni-npn-preferred-over-alpn-server2-extra +-client = 11-sni-npn-preferred-over-alpn-client-extra ++server = 13-sni-npn-preferred-over-alpn-server-extra ++server2 = 13-sni-npn-preferred-over-alpn-server2-extra ++client = 13-sni-npn-preferred-over-alpn-client-extra + +-[11-sni-npn-preferred-over-alpn-server-extra] ++[13-sni-npn-preferred-over-alpn-server-extra] + ALPNProtocols = foo + ServerNameCallback = IgnoreMismatch + 
+-[11-sni-npn-preferred-over-alpn-server2-extra] ++[13-sni-npn-preferred-over-alpn-server2-extra] + NPNProtocols = bar + +-[11-sni-npn-preferred-over-alpn-client-extra] ++[13-sni-npn-preferred-over-alpn-client-extra] + ALPNProtocols = foo + NPNProtocols = bar + ServerName = server2 +@@ -460,356 +527,356 @@ ServerName = server2 + + # =========================================================== + +-[12-npn-simple-resumption] +-ssl_conf = 12-npn-simple-resumption-ssl ++[14-npn-simple-resumption] ++ssl_conf = 14-npn-simple-resumption-ssl + +-[12-npn-simple-resumption-ssl] +-server = 12-npn-simple-resumption-server +-client = 12-npn-simple-resumption-client +-resume-server = 12-npn-simple-resumption-server +-resume-client = 12-npn-simple-resumption-client ++[14-npn-simple-resumption-ssl] ++server = 14-npn-simple-resumption-server ++client = 14-npn-simple-resumption-client ++resume-server = 14-npn-simple-resumption-server ++resume-client = 14-npn-simple-resumption-client + +-[12-npn-simple-resumption-server] ++[14-npn-simple-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[12-npn-simple-resumption-client] ++[14-npn-simple-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-12] ++[test-14] + ExpectedNPNProtocol = foo + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 12-npn-simple-resumption-server-extra +-resume-server = 12-npn-simple-resumption-server-extra +-client = 12-npn-simple-resumption-client-extra +-resume-client = 12-npn-simple-resumption-client-extra ++server = 14-npn-simple-resumption-server-extra ++resume-server = 14-npn-simple-resumption-server-extra ++client = 14-npn-simple-resumption-client-extra ++resume-client = 14-npn-simple-resumption-client-extra + +-[12-npn-simple-resumption-server-extra] ++[14-npn-simple-resumption-server-extra] + 
NPNProtocols = foo + +-[12-npn-simple-resumption-client-extra] ++[14-npn-simple-resumption-client-extra] + NPNProtocols = foo + + + # =========================================================== + +-[13-npn-server-switch-resumption] +-ssl_conf = 13-npn-server-switch-resumption-ssl ++[15-npn-server-switch-resumption] ++ssl_conf = 15-npn-server-switch-resumption-ssl + +-[13-npn-server-switch-resumption-ssl] +-server = 13-npn-server-switch-resumption-server +-client = 13-npn-server-switch-resumption-client +-resume-server = 13-npn-server-switch-resumption-resume-server +-resume-client = 13-npn-server-switch-resumption-client ++[15-npn-server-switch-resumption-ssl] ++server = 15-npn-server-switch-resumption-server ++client = 15-npn-server-switch-resumption-client ++resume-server = 15-npn-server-switch-resumption-resume-server ++resume-client = 15-npn-server-switch-resumption-client + +-[13-npn-server-switch-resumption-server] ++[15-npn-server-switch-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[13-npn-server-switch-resumption-resume-server] ++[15-npn-server-switch-resumption-resume-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[13-npn-server-switch-resumption-client] ++[15-npn-server-switch-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-13] ++[test-15] + ExpectedNPNProtocol = baz + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 13-npn-server-switch-resumption-server-extra +-resume-server = 13-npn-server-switch-resumption-resume-server-extra +-client = 13-npn-server-switch-resumption-client-extra +-resume-client = 13-npn-server-switch-resumption-client-extra ++server = 15-npn-server-switch-resumption-server-extra ++resume-server = 
15-npn-server-switch-resumption-resume-server-extra ++client = 15-npn-server-switch-resumption-client-extra ++resume-client = 15-npn-server-switch-resumption-client-extra + +-[13-npn-server-switch-resumption-server-extra] ++[15-npn-server-switch-resumption-server-extra] + NPNProtocols = bar,foo + +-[13-npn-server-switch-resumption-resume-server-extra] ++[15-npn-server-switch-resumption-resume-server-extra] + NPNProtocols = baz,foo + +-[13-npn-server-switch-resumption-client-extra] ++[15-npn-server-switch-resumption-client-extra] + NPNProtocols = foo,bar,baz + + + # =========================================================== + +-[14-npn-client-switch-resumption] +-ssl_conf = 14-npn-client-switch-resumption-ssl ++[16-npn-client-switch-resumption] ++ssl_conf = 16-npn-client-switch-resumption-ssl + +-[14-npn-client-switch-resumption-ssl] +-server = 14-npn-client-switch-resumption-server +-client = 14-npn-client-switch-resumption-client +-resume-server = 14-npn-client-switch-resumption-server +-resume-client = 14-npn-client-switch-resumption-resume-client ++[16-npn-client-switch-resumption-ssl] ++server = 16-npn-client-switch-resumption-server ++client = 16-npn-client-switch-resumption-client ++resume-server = 16-npn-client-switch-resumption-server ++resume-client = 16-npn-client-switch-resumption-resume-client + +-[14-npn-client-switch-resumption-server] ++[16-npn-client-switch-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[14-npn-client-switch-resumption-client] ++[16-npn-client-switch-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[14-npn-client-switch-resumption-resume-client] ++[16-npn-client-switch-resumption-resume-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-14] 
++[test-16] + ExpectedNPNProtocol = bar + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 14-npn-client-switch-resumption-server-extra +-resume-server = 14-npn-client-switch-resumption-server-extra +-client = 14-npn-client-switch-resumption-client-extra +-resume-client = 14-npn-client-switch-resumption-resume-client-extra ++server = 16-npn-client-switch-resumption-server-extra ++resume-server = 16-npn-client-switch-resumption-server-extra ++client = 16-npn-client-switch-resumption-client-extra ++resume-client = 16-npn-client-switch-resumption-resume-client-extra + +-[14-npn-client-switch-resumption-server-extra] ++[16-npn-client-switch-resumption-server-extra] + NPNProtocols = foo,bar,baz + +-[14-npn-client-switch-resumption-client-extra] ++[16-npn-client-switch-resumption-client-extra] + NPNProtocols = foo,baz + +-[14-npn-client-switch-resumption-resume-client-extra] ++[16-npn-client-switch-resumption-resume-client-extra] + NPNProtocols = bar,baz + + + # =========================================================== + +-[15-npn-client-first-pref-on-mismatch-resumption] +-ssl_conf = 15-npn-client-first-pref-on-mismatch-resumption-ssl ++[17-npn-client-first-pref-on-mismatch-resumption] ++ssl_conf = 17-npn-client-first-pref-on-mismatch-resumption-ssl + +-[15-npn-client-first-pref-on-mismatch-resumption-ssl] +-server = 15-npn-client-first-pref-on-mismatch-resumption-server +-client = 15-npn-client-first-pref-on-mismatch-resumption-client +-resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server +-resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client ++[17-npn-client-first-pref-on-mismatch-resumption-ssl] ++server = 17-npn-client-first-pref-on-mismatch-resumption-server ++client = 17-npn-client-first-pref-on-mismatch-resumption-client ++resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server ++resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client + 
+-[15-npn-client-first-pref-on-mismatch-resumption-server] ++[17-npn-client-first-pref-on-mismatch-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[15-npn-client-first-pref-on-mismatch-resumption-resume-server] ++[17-npn-client-first-pref-on-mismatch-resumption-resume-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[15-npn-client-first-pref-on-mismatch-resumption-client] ++[17-npn-client-first-pref-on-mismatch-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-15] ++[test-17] + ExpectedNPNProtocol = foo + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 15-npn-client-first-pref-on-mismatch-resumption-server-extra +-resume-server = 15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra +-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra +-resume-client = 15-npn-client-first-pref-on-mismatch-resumption-client-extra ++server = 17-npn-client-first-pref-on-mismatch-resumption-server-extra ++resume-server = 17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra ++client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra ++resume-client = 17-npn-client-first-pref-on-mismatch-resumption-client-extra + +-[15-npn-client-first-pref-on-mismatch-resumption-server-extra] ++[17-npn-client-first-pref-on-mismatch-resumption-server-extra] + NPNProtocols = bar + +-[15-npn-client-first-pref-on-mismatch-resumption-resume-server-extra] ++[17-npn-client-first-pref-on-mismatch-resumption-resume-server-extra] + NPNProtocols = baz + +-[15-npn-client-first-pref-on-mismatch-resumption-client-extra] ++[17-npn-client-first-pref-on-mismatch-resumption-client-extra] + NPNProtocols = foo,bar + + + # 
=========================================================== + +-[16-npn-no-server-support-resumption] +-ssl_conf = 16-npn-no-server-support-resumption-ssl ++[18-npn-no-server-support-resumption] ++ssl_conf = 18-npn-no-server-support-resumption-ssl + +-[16-npn-no-server-support-resumption-ssl] +-server = 16-npn-no-server-support-resumption-server +-client = 16-npn-no-server-support-resumption-client +-resume-server = 16-npn-no-server-support-resumption-resume-server +-resume-client = 16-npn-no-server-support-resumption-client ++[18-npn-no-server-support-resumption-ssl] ++server = 18-npn-no-server-support-resumption-server ++client = 18-npn-no-server-support-resumption-client ++resume-server = 18-npn-no-server-support-resumption-resume-server ++resume-client = 18-npn-no-server-support-resumption-client + +-[16-npn-no-server-support-resumption-server] ++[18-npn-no-server-support-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[16-npn-no-server-support-resumption-resume-server] ++[18-npn-no-server-support-resumption-resume-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[16-npn-no-server-support-resumption-client] ++[18-npn-no-server-support-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-16] ++[test-18] + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 16-npn-no-server-support-resumption-server-extra +-client = 16-npn-no-server-support-resumption-client-extra +-resume-client = 16-npn-no-server-support-resumption-client-extra ++server = 18-npn-no-server-support-resumption-server-extra ++client = 18-npn-no-server-support-resumption-client-extra ++resume-client = 18-npn-no-server-support-resumption-client-extra + 
+-[16-npn-no-server-support-resumption-server-extra] ++[18-npn-no-server-support-resumption-server-extra] + NPNProtocols = foo + +-[16-npn-no-server-support-resumption-client-extra] ++[18-npn-no-server-support-resumption-client-extra] + NPNProtocols = foo + + + # =========================================================== + +-[17-npn-no-client-support-resumption] +-ssl_conf = 17-npn-no-client-support-resumption-ssl ++[19-npn-no-client-support-resumption] ++ssl_conf = 19-npn-no-client-support-resumption-ssl + +-[17-npn-no-client-support-resumption-ssl] +-server = 17-npn-no-client-support-resumption-server +-client = 17-npn-no-client-support-resumption-client +-resume-server = 17-npn-no-client-support-resumption-server +-resume-client = 17-npn-no-client-support-resumption-resume-client ++[19-npn-no-client-support-resumption-ssl] ++server = 19-npn-no-client-support-resumption-server ++client = 19-npn-no-client-support-resumption-client ++resume-server = 19-npn-no-client-support-resumption-server ++resume-client = 19-npn-no-client-support-resumption-resume-client + +-[17-npn-no-client-support-resumption-server] ++[19-npn-no-client-support-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[17-npn-no-client-support-resumption-client] ++[19-npn-no-client-support-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[17-npn-no-client-support-resumption-resume-client] ++[19-npn-no-client-support-resumption-resume-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-17] ++[test-19] + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 17-npn-no-client-support-resumption-server-extra +-resume-server = 17-npn-no-client-support-resumption-server-extra +-client = 
17-npn-no-client-support-resumption-client-extra ++server = 19-npn-no-client-support-resumption-server-extra ++resume-server = 19-npn-no-client-support-resumption-server-extra ++client = 19-npn-no-client-support-resumption-client-extra + +-[17-npn-no-client-support-resumption-server-extra] ++[19-npn-no-client-support-resumption-server-extra] + NPNProtocols = foo + +-[17-npn-no-client-support-resumption-client-extra] ++[19-npn-no-client-support-resumption-client-extra] + NPNProtocols = foo + + + # =========================================================== + +-[18-alpn-preferred-over-npn-resumption] +-ssl_conf = 18-alpn-preferred-over-npn-resumption-ssl ++[20-alpn-preferred-over-npn-resumption] ++ssl_conf = 20-alpn-preferred-over-npn-resumption-ssl + +-[18-alpn-preferred-over-npn-resumption-ssl] +-server = 18-alpn-preferred-over-npn-resumption-server +-client = 18-alpn-preferred-over-npn-resumption-client +-resume-server = 18-alpn-preferred-over-npn-resumption-resume-server +-resume-client = 18-alpn-preferred-over-npn-resumption-client ++[20-alpn-preferred-over-npn-resumption-ssl] ++server = 20-alpn-preferred-over-npn-resumption-server ++client = 20-alpn-preferred-over-npn-resumption-client ++resume-server = 20-alpn-preferred-over-npn-resumption-resume-server ++resume-client = 20-alpn-preferred-over-npn-resumption-client + +-[18-alpn-preferred-over-npn-resumption-server] ++[20-alpn-preferred-over-npn-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[18-alpn-preferred-over-npn-resumption-resume-server] ++[20-alpn-preferred-over-npn-resumption-resume-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[18-alpn-preferred-over-npn-resumption-client] ++[20-alpn-preferred-over-npn-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = 
${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-18] ++[test-20] + ExpectedALPNProtocol = foo + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 18-alpn-preferred-over-npn-resumption-server-extra +-resume-server = 18-alpn-preferred-over-npn-resumption-resume-server-extra +-client = 18-alpn-preferred-over-npn-resumption-client-extra +-resume-client = 18-alpn-preferred-over-npn-resumption-client-extra ++server = 20-alpn-preferred-over-npn-resumption-server-extra ++resume-server = 20-alpn-preferred-over-npn-resumption-resume-server-extra ++client = 20-alpn-preferred-over-npn-resumption-client-extra ++resume-client = 20-alpn-preferred-over-npn-resumption-client-extra + +-[18-alpn-preferred-over-npn-resumption-server-extra] ++[20-alpn-preferred-over-npn-resumption-server-extra] + NPNProtocols = bar + +-[18-alpn-preferred-over-npn-resumption-resume-server-extra] ++[20-alpn-preferred-over-npn-resumption-resume-server-extra] + ALPNProtocols = foo + NPNProtocols = baz + +-[18-alpn-preferred-over-npn-resumption-client-extra] ++[20-alpn-preferred-over-npn-resumption-client-extra] + ALPNProtocols = foo + NPNProtocols = bar,baz + + + # =========================================================== + +-[19-npn-used-if-alpn-not-supported-resumption] +-ssl_conf = 19-npn-used-if-alpn-not-supported-resumption-ssl ++[21-npn-used-if-alpn-not-supported-resumption] ++ssl_conf = 21-npn-used-if-alpn-not-supported-resumption-ssl + +-[19-npn-used-if-alpn-not-supported-resumption-ssl] +-server = 19-npn-used-if-alpn-not-supported-resumption-server +-client = 19-npn-used-if-alpn-not-supported-resumption-client +-resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server +-resume-client = 19-npn-used-if-alpn-not-supported-resumption-client ++[21-npn-used-if-alpn-not-supported-resumption-ssl] ++server = 21-npn-used-if-alpn-not-supported-resumption-server ++client = 21-npn-used-if-alpn-not-supported-resumption-client ++resume-server = 
21-npn-used-if-alpn-not-supported-resumption-resume-server ++resume-client = 21-npn-used-if-alpn-not-supported-resumption-client + +-[19-npn-used-if-alpn-not-supported-resumption-server] ++[21-npn-used-if-alpn-not-supported-resumption-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[19-npn-used-if-alpn-not-supported-resumption-resume-server] ++[21-npn-used-if-alpn-not-supported-resumption-resume-server] + Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem + CipherString = DEFAULT + PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem + +-[19-npn-used-if-alpn-not-supported-resumption-client] ++[21-npn-used-if-alpn-not-supported-resumption-client] + CipherString = DEFAULT + MaxProtocol = TLSv1.2 + VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem + VerifyMode = Peer + +-[test-19] ++[test-21] + ExpectedNPNProtocol = baz + HandshakeMode = Resume + ResumptionExpected = Yes +-server = 19-npn-used-if-alpn-not-supported-resumption-server-extra +-resume-server = 19-npn-used-if-alpn-not-supported-resumption-resume-server-extra +-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra +-resume-client = 19-npn-used-if-alpn-not-supported-resumption-client-extra ++server = 21-npn-used-if-alpn-not-supported-resumption-server-extra ++resume-server = 21-npn-used-if-alpn-not-supported-resumption-resume-server-extra ++client = 21-npn-used-if-alpn-not-supported-resumption-client-extra ++resume-client = 21-npn-used-if-alpn-not-supported-resumption-client-extra + +-[19-npn-used-if-alpn-not-supported-resumption-server-extra] ++[21-npn-used-if-alpn-not-supported-resumption-server-extra] + ALPNProtocols = foo + NPNProtocols = bar + +-[19-npn-used-if-alpn-not-supported-resumption-resume-server-extra] ++[21-npn-used-if-alpn-not-supported-resumption-resume-server-extra] + NPNProtocols = baz + +-[19-npn-used-if-alpn-not-supported-resumption-client-extra] 
++[21-npn-used-if-alpn-not-supported-resumption-client-extra] + ALPNProtocols = foo + NPNProtocols = bar,baz + +diff --git a/test/ssl-tests/08-npn.cnf.in b/test/ssl-tests/08-npn.cnf.in +index 30783e45eb..1dc2704bdb 100644 +--- a/test/ssl-tests/08-npn.cnf.in ++++ b/test/ssl-tests/08-npn.cnf.in +@@ -110,6 +110,41 @@ our @tests = ( + "ExpectedNPNProtocol" => undef, + }, + }, ++ { ++ name => "npn-empty-client-list", ++ server => { ++ extra => { ++ "NPNProtocols" => "foo", ++ }, ++ }, ++ client => { ++ extra => { ++ "NPNProtocols" => "", ++ }, ++ "MaxProtocol" => "TLSv1.2" ++ }, ++ test => { ++ "ExpectedResult" => "ClientFail", ++ "ExpectedClientAlert" => "HandshakeFailure" ++ }, ++ }, ++ { ++ name => "npn-empty-server-list", ++ server => { ++ extra => { ++ "NPNProtocols" => "", ++ }, ++ }, ++ client => { ++ extra => { ++ "NPNProtocols" => "foo", ++ }, ++ "MaxProtocol" => "TLSv1.2" ++ }, ++ test => { ++ "ExpectedNPNProtocol" => "foo" ++ }, ++ }, + { + name => "npn-with-sni-no-context-switch", + server => { +diff --git a/test/ssl-tests/09-alpn.cnf b/test/ssl-tests/09-alpn.cnf +index e7e6cb9534..dd668739ab 100644 +--- a/test/ssl-tests/09-alpn.cnf ++++ b/test/ssl-tests/09-alpn.cnf +@@ -1,6 +1,6 @@ + # Generated with generate_ssl_tests.pl + +-num_tests = 16 ++num_tests = 18 + + test-0 = 0-alpn-simple + test-1 = 1-alpn-server-finds-match +@@ -18,6 +18,8 @@ test-12 = 12-alpn-client-switch-resumption + test-13 = 13-alpn-alert-on-mismatch-resumption + test-14 = 14-alpn-no-server-support-resumption + test-15 = 15-alpn-no-client-support-resumption ++test-16 = 16-alpn-empty-client-list ++test-17 = 17-alpn-empty-server-list + # =========================================================== + + [0-alpn-simple] +@@ -617,3 +619,65 @@ ALPNProtocols = foo + ALPNProtocols = foo + + ++# =========================================================== ++ ++[16-alpn-empty-client-list] ++ssl_conf = 16-alpn-empty-client-list-ssl ++ ++[16-alpn-empty-client-list-ssl] ++server = 
16-alpn-empty-client-list-server ++client = 16-alpn-empty-client-list-client ++ ++[16-alpn-empty-client-list-server] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[16-alpn-empty-client-list-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-16] ++server = 16-alpn-empty-client-list-server-extra ++client = 16-alpn-empty-client-list-client-extra ++ ++[16-alpn-empty-client-list-server-extra] ++ALPNProtocols = foo ++ ++[16-alpn-empty-client-list-client-extra] ++ALPNProtocols = ++ ++ ++# =========================================================== ++ ++[17-alpn-empty-server-list] ++ssl_conf = 17-alpn-empty-server-list-ssl ++ ++[17-alpn-empty-server-list-ssl] ++server = 17-alpn-empty-server-list-server ++client = 17-alpn-empty-server-list-client ++ ++[17-alpn-empty-server-list-server] ++Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem ++CipherString = DEFAULT ++PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem ++ ++[17-alpn-empty-server-list-client] ++CipherString = DEFAULT ++VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem ++VerifyMode = Peer ++ ++[test-17] ++ExpectedResult = ServerFail ++ExpectedServerAlert = NoApplicationProtocol ++server = 17-alpn-empty-server-list-server-extra ++client = 17-alpn-empty-server-list-client-extra ++ ++[17-alpn-empty-server-list-server-extra] ++ALPNProtocols = ++ ++[17-alpn-empty-server-list-client-extra] ++ALPNProtocols = foo ++ ++ +diff --git a/test/ssl-tests/09-alpn.cnf.in b/test/ssl-tests/09-alpn.cnf.in +index 81330756c6..322b7096a6 100644 +--- a/test/ssl-tests/09-alpn.cnf.in ++++ b/test/ssl-tests/09-alpn.cnf.in +@@ -322,4 +322,37 @@ our @tests = ( + "ExpectedALPNProtocol" => undef, + }, + }, ++ { ++ name => "alpn-empty-client-list", ++ server => { ++ extra => { ++ "ALPNProtocols" => "foo", ++ }, ++ }, ++ client => { ++ extra => { ++ "ALPNProtocols" => "", ++ }, ++ }, ++ test 
=> { ++ "ExpectedALPNProtocol" => undef, ++ }, ++ }, ++ { ++ name => "alpn-empty-server-list", ++ server => { ++ extra => { ++ "ALPNProtocols" => "", ++ }, ++ }, ++ client => { ++ extra => { ++ "ALPNProtocols" => "foo", ++ }, ++ }, ++ test => { ++ "ExpectedResult" => "ServerFail", ++ "ExpectedServerAlert" => "NoApplicationProtocol", ++ }, ++ }, + ); +-- +2.46.0 + diff --git a/0135-Correct-return-values-for-tls_construct_stoc_next_pr.patch b/0135-Correct-return-values-for-tls_construct_stoc_next_pr.patch new file mode 100644 index 0000000..97c28ee --- /dev/null +++ b/0135-Correct-return-values-for-tls_construct_stoc_next_pr.patch @@ -0,0 +1,39 @@ +From 53f5677f358c4a4f69830d944ea40e71950673b8 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 21 Jun 2024 10:41:55 +0100 +Subject: [PATCH 07/10] Correct return values for + tls_construct_stoc_next_proto_neg + +Return EXT_RETURN_NOT_SENT in the event that we don't send the extension, +rather than EXT_RETURN_SENT. This actually makes no difference at all to +the current control flow since this return value is ignored in this case +anyway. But lets make it correct anyway. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + ssl/statem/extensions_srvr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c +index 800654450e..66ed7dacf2 100644 +--- a/ssl/statem/extensions_srvr.c ++++ b/ssl/statem/extensions_srvr.c +@@ -1501,9 +1501,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL_CONNECTION *s, WPACKET *pkt, + return EXT_RETURN_FAIL; + } + s->s3.npn_seen = 1; ++ return EXT_RETURN_SENT; + } + +- return EXT_RETURN_SENT; ++ return EXT_RETURN_NOT_SENT; + } + #endif + +-- +2.46.0 + diff --git a/0136-Add-ALPN-validation-in-the-client.patch b/0136-Add-ALPN-validation-in-the-client.patch new file mode 100644 index 0000000..1406860 --- /dev/null 
+++ b/0136-Add-ALPN-validation-in-the-client.patch @@ -0,0 +1,62 @@ +From 195e15421df113d7283aab2ccff8b8fb06df5465 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 21 Jun 2024 11:51:54 +0100 +Subject: [PATCH 08/10] Add ALPN validation in the client + +The ALPN protocol selected by the server must be one that we originally +advertised. We should verify that it is. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c +index 1ab3c13d57..ff9c009ee5 100644 +--- a/ssl/statem/extensions_clnt.c ++++ b/ssl/statem/extensions_clnt.c +@@ -1590,6 +1590,8 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, + X509 *x, size_t chainidx) + { + size_t len; ++ PACKET confpkt, protpkt; ++ int valid = 0; + + /* We must have requested it. */ + if (!s->s3.alpn_sent) { +@@ -1608,6 +1610,28 @@ int tls_parse_stoc_alpn(SSL_CONNECTION *s, PACKET *pkt, unsigned int context, + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); + return 0; + } ++ ++ /* It must be a protocol that we sent */ ++ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) { ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) { ++ if (PACKET_remaining(&protpkt) != len) ++ continue; ++ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) { ++ /* Valid protocol found */ ++ valid = 1; ++ break; ++ } ++ } ++ ++ if (!valid) { ++ /* The protocol sent from the server does not match one we advertised */ ++ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); ++ return 0; ++ } ++ + OPENSSL_free(s->s3.alpn_selected); + s->s3.alpn_selected = OPENSSL_malloc(len); + if (s->s3.alpn_selected == NULL) { +-- +2.46.0 + 
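Review bot: The new `!valid` branch in tls_parse_stoc_alpn raises SSL_AD_DECODE_ERROR, but the extension decoded cleanly and the problem is its content (a protocol the client never offered), for which SSL_AD_ILLEGAL_PARAMETER is the more usual alert; consider `SSLfatal(s, SSL_AD_ILLEGAL_PARAMETER, SSL_R_BAD_EXTENSION);` there, noting RFC 7301 only prescribes the server-side no_application_protocol alert, so this is a judgement call. The scan over `s->ext.alpn` stops silently at the first element `PACKET_get_length_prefixed_1` cannot read, so any malformed tail in the locally configured list would make later protocols unmatchable; presumably the setters validate that list on input, and a comment such as `/* s->ext.alpn is validated when set, so a short read here just means end of list */` would record that reliance. tls_parse_stoc_alpn begins and ends outside the hunk.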
diff --git a/0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch b/0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch new file mode 100644 index 0000000..135fa25 --- /dev/null +++ b/0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch 
@@ -0,0 +1,267 @@ +From 7c95191434415d1c9b7fe9b130df13cce630b6b5 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 21 Jun 2024 10:09:41 +0100 +Subject: [PATCH 09/10] Add explicit testing of ALN and NPN in sslapitest + +We already had some tests elsewhere - but this extends that testing with +additional tests. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + test/sslapitest.c | 229 ++++++++++++++++++++++++++++++++++++++++++++++ + 1 file changed, 229 insertions(+) + +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 15cb9060cb..7a55a2b721 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -11877,6 +11877,231 @@ static int test_select_next_proto(int idx) + return ret; + } + ++static const unsigned char fooprot[] = {3, 'f', 'o', 'o' }; ++static const unsigned char barprot[] = {3, 'b', 'a', 'r' }; ++ ++#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) ++static int npn_advert_cb(SSL *ssl, const unsigned char **out, ++ unsigned int *outlen, void *arg) ++{ ++ int *idx = (int *)arg; ++ ++ switch (*idx) { ++ default: ++ case 0: ++ *out = fooprot; ++ *outlen = sizeof(fooprot); ++ return SSL_TLSEXT_ERR_OK; ++ ++ case 1: ++ *outlen = 0; ++ return SSL_TLSEXT_ERR_OK; ++ ++ case 2: ++ return SSL_TLSEXT_ERR_NOACK; ++ } ++} ++ ++static int npn_select_cb(SSL *s, unsigned char **out, unsigned char *outlen, ++ const unsigned char *in, unsigned int inlen, void *arg) ++{ ++ int *idx = (int *)arg; ++ ++ switch (*idx) { ++ case 0: ++ case 1: ++ *out = (unsigned char *)(fooprot + 1); ++ *outlen = *fooprot; ++ return SSL_TLSEXT_ERR_OK; ++ ++ case 3: ++ *out = (unsigned char *)(barprot + 1); ++ *outlen = *barprot; ++ return SSL_TLSEXT_ERR_OK; ++ ++ case 4: ++ *outlen = 0; ++ return SSL_TLSEXT_ERR_OK; ++ ++ default: ++ case 2: ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++} ++ ++/* ++ * Test the NPN callbacks ++ * Test 0: advert = foo, select = foo 
++ * Test 1: advert = , select = foo ++ * Test 2: no advert ++ * Test 3: advert = foo, select = bar ++ * Test 4: advert = foo, select = (should fail) ++ */ ++static int test_npn(int idx) ++{ ++ SSL_CTX *sctx = NULL, *cctx = NULL; ++ SSL *serverssl = NULL, *clientssl = NULL; ++ int testresult = 0; ++ ++ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), ++ TLS_client_method(), 0, TLS1_2_VERSION, ++ &sctx, &cctx, cert, privkey))) ++ goto end; ++ ++ SSL_CTX_set_next_protos_advertised_cb(sctx, npn_advert_cb, &idx); ++ SSL_CTX_set_next_proto_select_cb(cctx, npn_select_cb, &idx); ++ ++ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, ++ NULL))) ++ goto end; ++ ++ if (idx == 4) { ++ /* We don't allow empty selection of NPN, so this should fail */ ++ if (!TEST_false(create_ssl_connection(serverssl, clientssl, ++ SSL_ERROR_NONE))) ++ goto end; ++ } else { ++ const unsigned char *prot; ++ unsigned int protlen; ++ ++ if (!TEST_true(create_ssl_connection(serverssl, clientssl, ++ SSL_ERROR_NONE))) ++ goto end; ++ ++ SSL_get0_next_proto_negotiated(serverssl, &prot, &protlen); ++ switch (idx) { ++ case 0: ++ case 1: ++ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot)) ++ goto end; ++ break; ++ case 2: ++ if (!TEST_uint_eq(protlen, 0)) ++ goto end; ++ break; ++ case 3: ++ if (!TEST_mem_eq(prot, protlen, barprot + 1, *barprot)) ++ goto end; ++ break; ++ default: ++ TEST_error("Should not get here"); ++ goto end; ++ } ++ } ++ ++ testresult = 1; ++ end: ++ SSL_free(serverssl); ++ SSL_free(clientssl); ++ SSL_CTX_free(sctx); ++ SSL_CTX_free(cctx); ++ ++ return testresult; ++} ++#endif /* !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) */ ++ ++static int alpn_select_cb2(SSL *ssl, const unsigned char **out, ++ unsigned char *outlen, const unsigned char *in, ++ unsigned int inlen, void *arg) ++{ ++ int *idx = (int *)arg; ++ ++ switch (*idx) { ++ case 0: ++ *out = (unsigned char *)(fooprot + 1); ++ *outlen = *fooprot; ++ return 
SSL_TLSEXT_ERR_OK; ++ ++ case 2: ++ *out = (unsigned char *)(barprot + 1); ++ *outlen = *barprot; ++ return SSL_TLSEXT_ERR_OK; ++ ++ case 3: ++ *outlen = 0; ++ return SSL_TLSEXT_ERR_OK; ++ ++ default: ++ case 1: ++ return SSL_TLSEXT_ERR_ALERT_FATAL; ++ } ++ return 0; ++} ++ ++/* ++ * Test the ALPN callbacks ++ * Test 0: client = foo, select = foo ++ * Test 1: client = , select = none ++ * Test 2: client = foo, select = bar (should fail) ++ * Test 3: client = foo, select = (should fail) ++ */ ++static int test_alpn(int idx) ++{ ++ SSL_CTX *sctx = NULL, *cctx = NULL; ++ SSL *serverssl = NULL, *clientssl = NULL; ++ int testresult = 0; ++ const unsigned char *prots = fooprot; ++ unsigned int protslen = sizeof(fooprot); ++ ++ if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), ++ TLS_client_method(), 0, 0, ++ &sctx, &cctx, cert, privkey))) ++ goto end; ++ ++ SSL_CTX_set_alpn_select_cb(sctx, alpn_select_cb2, &idx); ++ ++ if (!TEST_true(create_ssl_objects(sctx, cctx, &serverssl, &clientssl, NULL, ++ NULL))) ++ goto end; ++ ++ if (idx == 1) { ++ prots = NULL; ++ protslen = 0; ++ } ++ ++ /* SSL_set_alpn_protos returns 0 for success! 
*/ ++ if (!TEST_false(SSL_set_alpn_protos(clientssl, prots, protslen))) ++ goto end; ++ ++ if (idx == 2 || idx == 3) { ++ /* We don't allow empty selection of NPN, so this should fail */ ++ if (!TEST_false(create_ssl_connection(serverssl, clientssl, ++ SSL_ERROR_NONE))) ++ goto end; ++ } else { ++ const unsigned char *prot; ++ unsigned int protlen; ++ ++ if (!TEST_true(create_ssl_connection(serverssl, clientssl, ++ SSL_ERROR_NONE))) ++ goto end; ++ ++ SSL_get0_alpn_selected(clientssl, &prot, &protlen); ++ switch (idx) { ++ case 0: ++ if (!TEST_mem_eq(prot, protlen, fooprot + 1, *fooprot)) ++ goto end; ++ break; ++ case 1: ++ if (!TEST_uint_eq(protlen, 0)) ++ goto end; ++ break; ++ default: ++ TEST_error("Should not get here"); ++ goto end; ++ } ++ } ++ ++ testresult = 1; ++ end: ++ SSL_free(serverssl); ++ SSL_free(clientssl); ++ SSL_CTX_free(sctx); ++ SSL_CTX_free(cctx); ++ ++ return testresult; ++} ++ + OPT_TEST_DECLARE_USAGE("certfile privkeyfile srpvfile tmpfile provider config dhfile\n") + + int setup_tests(void) +@@ -12190,6 +12415,10 @@ int setup_tests(void) + ADD_TEST(test_data_retry); + ADD_ALL_TESTS(test_multi_resume, 5); + ADD_ALL_TESTS(test_select_next_proto, OSSL_NELEM(next_proto_tests)); ++#if !defined(OPENSSL_NO_TLS1_2) && !defined(OPENSSL_NO_NEXTPROTONEG) ++ ADD_ALL_TESTS(test_npn, 5); ++#endif ++ ADD_ALL_TESTS(test_alpn, 4); + return 1; + + err: +-- +2.46.0 + diff --git a/0138-Add-a-test-for-an-empty-NextProto-message.patch b/0138-Add-a-test-for-an-empty-NextProto-message.patch new file mode 100644 index 0000000..923ec66 --- /dev/null +++ b/0138-Add-a-test-for-an-empty-NextProto-message.patch 
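Review bot: The comment in test_alpn guarding the `idx == 2 || idx == 3` branch, `/* We don't allow empty selection of NPN, so this should fail */`, was copied from test_npn and misdescribes these cases: idx 2 is a server selecting a protocol the client never offered and idx 3 an empty selection, both for ALPN. Suggest `/* Selecting a protocol the client did not offer (2) or an empty one (3) must fail the handshake */`. In alpn_select_cb2 the trailing `return 0;` after the switch is unreachable because every arm, including `default`, returns; it should be dropped or justified with a comment. The helpers create_ssl_ctx_pair and create_ssl_connection are defined outside the hunk.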
@@ -0,0 +1,199 @@ +From 301b870546d1c7b2d8f0d66e04a2596142f0399f Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 21 Jun 2024 14:29:26 +0100 +Subject: [PATCH 10/10] Add a test for an empty NextProto message + +It is valid according to the spec for a NextProto message to have no +protocols listed in it. The OpenSSL implementation however does not allow +us to create such a message. In order to check that we work as expected +when communicating with a client that does generate such messages we have +to use a TLSProxy test. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24717) +--- + test/recipes/70-test_npn.t | 73 +++++++++++++++++++++++++++++++++ + util/perl/TLSProxy/Message.pm | 9 ++++ + util/perl/TLSProxy/NextProto.pm | 54 ++++++++++++++++++++++++ + util/perl/TLSProxy/Proxy.pm | 1 + + 4 files changed, 137 insertions(+) + create mode 100644 test/recipes/70-test_npn.t + create mode 100644 util/perl/TLSProxy/NextProto.pm + +diff --git a/test/recipes/70-test_npn.t b/test/recipes/70-test_npn.t +new file mode 100644 +index 0000000000..f82e71af6a +--- /dev/null ++++ b/test/recipes/70-test_npn.t +@@ -0,0 +1,73 @@ ++#! /usr/bin/env perl ++# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. 
You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++use strict; ++use OpenSSL::Test qw/:DEFAULT cmdstr srctop_file/; ++use OpenSSL::Test::Utils; ++ ++use TLSProxy::Proxy; ++ ++my $test_name = "test_npn"; ++setup($test_name); ++ ++plan skip_all => "TLSProxy isn't usable on $^O" ++ if $^O =~ /^(VMS)$/; ++ ++plan skip_all => "$test_name needs the dynamic engine feature enabled" ++ if disabled("engine") || disabled("dynamic-engine"); ++ ++plan skip_all => "$test_name needs the sock feature enabled" ++ if disabled("sock"); ++ ++plan skip_all => "$test_name needs NPN enabled" ++ if disabled("nextprotoneg"); ++ ++plan skip_all => "$test_name needs TLSv1.2 enabled" ++ if disabled("tls1_2"); ++ ++my $proxy = TLSProxy::Proxy->new( ++ undef, ++ cmdstr(app(["openssl"]), display => 1), ++ srctop_file("apps", "server.pem"), ++ (!$ENV{HARNESS_ACTIVE} || $ENV{HARNESS_VERBOSE}) ++); ++ ++$proxy->start() or plan skip_all => "Unable to start up Proxy for tests"; ++plan tests => 1; ++ ++my $npnseen = 0; ++ ++# Test 1: Check sending an empty NextProto message from the client works. This is ++# valid as per the spec, but OpenSSL does not allow you to send it. ++# Therefore we must be prepared to receive such a message but we cannot ++# generate it except via TLSProxy ++$proxy->clear(); ++$proxy->filter(\&npn_filter); ++$proxy->clientflags("-nextprotoneg foo -no_tls1_3"); ++$proxy->serverflags("-nextprotoneg foo"); ++$proxy->start(); ++ok($npnseen && TLSProxy::Message->success(), "Empty NPN message"); ++ ++sub npn_filter ++{ ++ my $proxy = shift; ++ my $message; ++ ++ # The NextProto message always appears in flight 2 ++ return if $proxy->flight != 2; ++ ++ foreach my $message (@{$proxy->message_list}) { ++ if ($message->mt == TLSProxy::Message::MT_NEXT_PROTO) { ++ # Our TLSproxy NextProto message support doesn't support parsing of ++ # the message. 
If we repack it just creates an empty NextProto ++ # message - which is exactly the scenario we want to test here. ++ $message->repack(); ++ $npnseen = 1; ++ } ++ } ++} +diff --git a/util/perl/TLSProxy/Message.pm b/util/perl/TLSProxy/Message.pm +index ce22187569..fb41b2ffc8 100644 +--- a/util/perl/TLSProxy/Message.pm ++++ b/util/perl/TLSProxy/Message.pm +@@ -384,6 +384,15 @@ sub create_message + [@message_frag_lens] + ); + $message->parse(); ++ } elsif ($mt == MT_NEXT_PROTO) { ++ $message = TLSProxy::NextProto->new( ++ $server, ++ $data, ++ [@message_rec_list], ++ $startoffset, ++ [@message_frag_lens] ++ ); ++ $message->parse(); + } else { + #Unknown message type + $message = TLSProxy::Message->new( +diff --git a/util/perl/TLSProxy/NextProto.pm b/util/perl/TLSProxy/NextProto.pm +new file mode 100644 +index 0000000000..0e18347546 +--- /dev/null ++++ b/util/perl/TLSProxy/NextProto.pm +@@ -0,0 +1,54 @@ ++# Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++use strict; ++ ++package TLSProxy::NextProto; ++ ++use vars '@ISA'; ++push @ISA, 'TLSProxy::Message'; ++ ++sub new ++{ ++ my $class = shift; ++ my ($server, ++ $data, ++ $records, ++ $startoffset, ++ $message_frag_lens) = @_; ++ ++ my $self = $class->SUPER::new( ++ $server, ++ TLSProxy::Message::MT_NEXT_PROTO, ++ $data, ++ $records, ++ $startoffset, ++ $message_frag_lens); ++ ++ return $self; ++} ++ ++sub parse ++{ ++ # We don't support parsing at the moment ++} ++ ++# This is supposed to reconstruct the on-the-wire message data following changes. 
++# For now though since we don't support parsing we just create an empty NextProto ++# message - this capability is used in test_npn ++sub set_message_contents ++{ ++ my $self = shift; ++ my $data; ++ ++ $data = pack("C32", 0x00, 0x1e, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, ++ 0x00, 0x00, 0x00); ++ $self->data($data); ++} ++1; +diff --git a/util/perl/TLSProxy/Proxy.pm b/util/perl/TLSProxy/Proxy.pm +index 3de10eccb9..b707722b6b 100644 +--- a/util/perl/TLSProxy/Proxy.pm ++++ b/util/perl/TLSProxy/Proxy.pm +@@ -23,6 +23,7 @@ use TLSProxy::CertificateRequest; + use TLSProxy::CertificateVerify; + use TLSProxy::ServerKeyExchange; + use TLSProxy::NewSessionTicket; ++use TLSProxy::NextProto; + + my $have_IPv6; + my $IP_factory; +-- +2.46.0 + diff --git a/0139-CVE-2024-6119.patch b/0139-CVE-2024-6119.patch new file mode 100644 index 0000000..a39106a --- /dev/null +++ b/0139-CVE-2024-6119.patch 
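Review bot: set_message_contents in NextProto.pm builds the replacement message from 32 undocumented bytes; a comment explaining them would let a reader verify the encoding without re-deriving it, e.g. `# selected_protocol = "" (len 0x00); padding_len = 32 - ((0 + 2) % 32) = 0x1e zero bytes, per the NPN draft`. In 70-test_npn.t, npn_filter declares `my $message;` and then shadows it with `foreach my $message`, so the outer declaration is dead and should be removed. Note also that `$npnseen` only records that a NextProto message was observed, so the acceptance of the repacked empty message rests entirely on `TLSProxy::Message->success()`; a one-line comment on the `ok(...)` line saying so would make the test's intent explicit.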
@@ -0,0 +1,233 @@ +diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c +index 1a18174995..a09414c972 100644 +--- a/crypto/x509/v3_utl.c ++++ b/crypto/x509/v3_utl.c +@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, + ASN1_STRING *cstr; + + gen = sk_GENERAL_NAME_value(gens, i); +- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) { +- if (OBJ_obj2nid(gen->d.otherName->type_id) == +- NID_id_on_SmtpUTF8Mailbox) { +- san_present = 1; +- +- /* +- * If it is not a UTF8String then that is unexpected and we +- * treat it as no match +- */ +- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) { +- cstr = gen->d.otherName->value->value.utf8string; +- +- /* Positive on success, negative on error! */ +- if ((rv = do_check_string(cstr, 0, equal, flags, +- chk, chklen, peername)) != 0) +- break; +- } +- } else ++ switch (gen->type) { ++ default: ++ continue; ++ case GEN_OTHERNAME: ++ switch (OBJ_obj2nid(gen->d.otherName->type_id)) { ++ default: + continue; +- } else { +- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME)) ++ case NID_id_on_SmtpUTF8Mailbox: ++ /*- ++ * https://datatracker.ietf.org/doc/html/rfc8398#section-3 ++ * ++ * Due to name constraint compatibility reasons described ++ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT ++ * be used unless the local-part of the email address ++ * contains non-ASCII characters. When the local-part is ++ * ASCII, rfc822Name subjectAltName MUST be used instead ++ * of SmtpUTF8Mailbox. This is compatible with legacy ++ * software that supports only rfc822Name (and not ++ * SmtpUTF8Mailbox). [...] ++ * ++ * SmtpUTF8Mailbox is encoded as UTF8String. ++ * ++ * If it is not a UTF8String then that is unexpected, and ++ * we ignore the invalid SAN (neither set san_present nor ++ * consider it a candidate for equality). 
This does mean ++ * that the subject CN may be considered, as would be the ++ * case when the malformed SmtpUtf8Mailbox SAN is instead ++ * simply absent. ++ * ++ * When CN-ID matching is not desirable, applications can ++ * choose to turn it off, doing so is at this time a best ++ * practice. ++ */ ++ if (check_type != GEN_EMAIL ++ || gen->d.otherName->value->type != V_ASN1_UTF8STRING) ++ continue; ++ alt_type = 0; ++ cstr = gen->d.otherName->value->value.utf8string; ++ break; ++ } ++ break; ++ case GEN_EMAIL: ++ if (check_type != GEN_EMAIL) + continue; +- } +- san_present = 1; +- if (check_type == GEN_EMAIL) + cstr = gen->d.rfc822Name; +- else if (check_type == GEN_DNS) ++ break; ++ case GEN_DNS: ++ if (check_type != GEN_DNS) ++ continue; + cstr = gen->d.dNSName; +- else ++ break; ++ case GEN_IPADD: ++ if (check_type != GEN_IPADD) ++ continue; + cstr = gen->d.iPAddress; ++ break; ++ } ++ san_present = 1; + /* Positive on success, negative on error! */ + if ((rv = do_check_string(cstr, alt_type, equal, flags, + chk, chklen, peername)) != 0) +diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t +index 522982ddfb..e18735d89a 100644 +--- a/test/recipes/25-test_eai_data.t ++++ b/test/recipes/25-test_eai_data.t +@@ -21,16 +21,18 @@ setup("test_eai_data"); + #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem + #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem + +-plan tests => 12; ++plan tests => 16; + + require_ok(srctop_file('test','recipes','tconversion.pl')); + my $folder = "test/recipes/25-test_eai_data"; + + my $ascii_pem = srctop_file($folder, "ascii_leaf.pem"); + my $utf8_pem = srctop_file($folder, "utf8_leaf.pem"); ++my $kdc_pem = srctop_file($folder, "kdc-cert.pem"); + + my $ascii_chain_pem = srctop_file($folder, 
"ascii_chain.pem"); + my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem"); ++my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem"); + + my $out; + my $outcnt = 0; +@@ -56,10 +58,18 @@ SKIP: { + + ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem]))); + ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem]))); ++ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem]))); + + ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem]))); + ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem]))); + ++# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated). ++ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); ++# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated). ++ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); ++# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String. 
++ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); ++ + #Check that we get the expected failure return code + with({ exit_checker => sub { return shift == 2; } }, + sub { +diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem +new file mode 100644 +index 0000000000..e8a2c6f55d +--- /dev/null ++++ b/test/recipes/25-test_eai_data/kdc-cert.pem +@@ -0,0 +1,21 @@ ++-----BEGIN CERTIFICATE----- ++MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290 ++MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU ++RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+ ++6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry ++BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8 ++vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx ++Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT ++7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9 ++3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj ++te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG ++AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU ++RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA ++ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA ++T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb ++iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU ++UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1 ++El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9 ++0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI ++oDQ9fKfUOAmUFth2/R/eGA== ++-----END CERTIFICATE----- +diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem +new file mode 100644 +index 0000000000..a74c96bf31 +--- /dev/null ++++ 
b/test/recipes/25-test_eai_data/kdc-root-cert.pem +@@ -0,0 +1,16 @@ ++-----BEGIN CERTIFICATE----- ++MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS ++b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD ++DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj ++61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0 ++qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK ++MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS ++dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj ++3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7 ++pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI ++lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT ++Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl ++KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW ++7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS ++vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8 ++-----END CERTIFICATE----- +diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh +new file mode 100755 +index 0000000000..7a8dbc719f +--- /dev/null ++++ b/test/recipes/25-test_eai_data/kdc.sh +@@ -0,0 +1,41 @@ ++#! /usr/bin/env bash ++ ++# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and ++# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS ++# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should ++# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox` ++# should likewise lead to ASAN issues with email name checks. 
++ ++rm -f root-key.pem root-cert.pem ++openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \ ++ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem ++ ++exts=$( ++ printf "%s\n%s\n%s\n%s = " \ ++ "subjectKeyIdentifier = hash" \ ++ "authorityKeyIdentifier = keyid" \ ++ "basicConstraints = CA:false" \ ++ "subjectAltName" ++ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name" ++ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com" ++ printf "%s, " "email:joe@example.com" ++ printf "%s\n" "DNS:mx1.example.com" ++ printf "[kdc_princ_name]\n" ++ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n" ++ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n" ++ printf "[kdc_principal_seq]\n" ++ printf "name_type = EXP:0, INTEGER:1\n" ++ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n" ++ printf "[kdc_principal_components]\n" ++ printf "princ1 = GeneralString:krbtgt\n" ++ printf "princ2 = GeneralString:TEST.EXAMPLE\n" ++ ) ++ ++printf "%s\n" "$exts" ++ ++openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \ ++ -subj "/CN=TEST.EXAMPLE" | ++ openssl x509 -req -out kdc-cert.pem \ ++ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \ ++ -set_serial 2 -days 36524 \ ++ -extfile <(printf "%s\n" "$exts") diff --git a/SOURCES/Makefile.certificate b/Makefile.certificate similarity index 100% rename from SOURCES/Makefile.certificate rename to Makefile.certificate diff --git a/SOURCES/README.FIPS b/SOURCES/README.FIPS deleted file mode 100644 index a36c547..0000000 --- a/SOURCES/README.FIPS +++ /dev/null 
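Review bot: In the v3_utl.c part of this patch, `alt_type = 0;` in the NID_id_on_SmtpUTF8Mailbox case assigns a variable declared before the SAN loop and never restores it, so once an SmtpUTF8Mailbox SAN has been visited without matching, every later rfc822Name SAN in the same certificate reaches do_check_string() with cmp_type 0 rather than the alt_type value set earlier in the function; the removed code passed the literal 0 only for that single call. Whether the looser comparison for later entries is intended cannot be told from the hunk, and the enclosing do_x509_check() starts and ends outside it. A per-iteration copy avoids the carry-over: `int cmp_type = alt_type;` at the top of the loop body, `cmp_type = 0;` in the SmtpUTF8Mailbox case, and `do_check_string(cstr, cmp_type, equal, flags, chk, chklen, peername)` at the shared call. Separately, kdc.sh runs `rm -f root-key.pem root-cert.pem` but the script writes kdc-root-key.pem and kdc-root-cert.pem, so that cleanup line names files it never creates; `rm -f kdc-root-key.pem kdc-root-cert.pem` is presumably what was meant.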
@@ -1,72 +0,0 @@ -User guide for the FIPS Red Hat Enterprise Linux - OpenSSL Module -================================================================= - -This package contains libraries which comprise the FIPS 140-2 -Red Hat Enterprise Linux - OPENSSL Module. - -The module files -================ -/usr/lib[64]/libcrypto.so.1.1.0 -/usr/lib[64]/libssl.so.1.1.0 -/usr/lib[64]/.libcrypto.so.1.1.0.hmac -/usr/lib[64]/.libssl.so.1.1.0.hmac - -Dependencies -============ - -The approved mode of operation requires kernel with /dev/urandom RNG running -with properties as defined in the security policy of the module. This is -provided by kernel packages with validated Red Hat Enterprise Linux Kernel -Crytographic Module. - -Installation -============ - -The RPM package of the module can be installed by standard tools recommended -for installation of RPM packages on the Red Hat Enterprise Linux system (yum, -rpm, RHN remote management tool). - -The RPM package dracut-fips must be installed for the approved mode of -operation. - -Usage and API -============= - -The module respects kernel command line FIPS setting. If the kernel command -line contains option fips=1 the module will initialize in the FIPS approved -mode of operation automatically. To allow for the automatic initialization the -application using the module has to call one of the following API calls: - -- void OPENSSL_init_library(void) - this will do only a basic initialization -of the library and does initialization of the FIPS approved mode without setting -up EVP API with supported algorithms. - -- void OPENSSL_add_all_algorithms(void) - this API function calls -OPENSSL_init() implicitly and also adds all approved algorithms to the EVP API -in the approved mode - -- void SSL_library_init(void) - it calls OPENSSL_init() implicitly and also -adds algorithms which are necessary for TLS protocol support and initializes -the SSL library. 
- -To explicitely put the library to the approved mode the application can call -the following function: - -- int FIPS_mode_set(int on) - if called with 1 as a parameter it will switch -the library from the non-approved to the approved mode. If any of the selftests -and integrity verification tests fail, the library is put into the error state -and 0 is returned. If they succeed the return value is 1. - -To query the module whether it is in the approved mode or not: - -- int FIPS_mode(void) - returns 1 if the module is in the approved mode, -0 otherwise. - -To query whether the module is in the error state: - -- int FIPS_selftest_failed(void) - returns 1 if the module is in the error -state, 0 otherwise. - -To zeroize the FIPS RNG key and internal state the application calls: - -- void RAND_cleanup(void) diff --git a/SOURCES/ec_curve.c b/SOURCES/ec_curve.c deleted file mode 100644 index 9171ed4..0000000 --- a/SOURCES/ec_curve.c +++ /dev/null 
@@ -1,582 +0,0 @@ -/* - * Copyright 2002-2019 The OpenSSL Project Authors. All Rights Reserved. - * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - -#include -#include "ec_local.h" -#include -#include -#include -#include "internal/nelem.h" - -typedef struct { - int field_type, /* either NID_X9_62_prime_field or - * NID_X9_62_characteristic_two_field */ - seed_len, param_len; - unsigned int cofactor; /* promoted to BN_ULONG */ -} EC_CURVE_DATA; - -/* the nist prime curves */ -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 28 * 6]; -} _EC_NIST_PRIME_224 = { - { - NID_X9_62_prime_field, 20, 28, 1 - }, - { - /* seed */ - 0xBD, 0x71, 0x34, 0x47, 0x99, 0xD5, 0xC7, 0xFC, 0xDC, 0x45, 0xB5, 0x9F, - 0xA3, 0xB9, 0xAB, 0x8F, 0x6A, 0x94, 0x8B, 0xC5, - /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x01, - /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, - /* b */ - 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56, - 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43, - 0x23, 0x55, 0xFF, 0xB4, - /* x */ - 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9, - 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6, - 0x11, 0x5C, 0x1D, 0x21, - /* y */ - 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, - 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, - 0x85, 0x00, 0x7e, 0x34, - /* order */ - 0xFF, 0xFF, 
0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45, - 0x5C, 0x5C, 0x2A, 0x3D - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 48 * 6]; -} _EC_NIST_PRIME_384 = { - { - NID_X9_62_prime_field, 20, 48, 1 - }, - { - /* seed */ - 0xA3, 0x35, 0x92, 0x6A, 0xA3, 0x19, 0xA2, 0x7A, 0x1D, 0x00, 0x89, 0x6A, - 0x67, 0x73, 0xA4, 0x82, 0x7A, 0xCD, 0xAC, 0x73, - /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC, - /* b */ - 0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B, - 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12, - 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, - 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF, - /* x */ - 0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E, - 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98, - 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, - 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7, - /* y */ - 0x36, 0x17, 0xde, 0x4a, 0x96, 0x26, 0x2c, 0x6f, 0x5d, 0x9e, 0x98, 0xbf, - 0x92, 0x92, 0xdc, 0x29, 0xf8, 0xf4, 0x1d, 0xbd, 0x28, 0x9a, 0x14, 0x7c, - 0xe9, 0xda, 0x31, 0x13, 0xb5, 0xf0, 0xb8, 0xc0, 0x0a, 0x60, 0xb1, 0xce, - 0x1d, 0x7e, 0x81, 0x9d, 0x7a, 0x43, 0x1d, 0x7c, 0x90, 0xea, 0x0e, 0x5f, - /* order 
*/ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xC7, 0x63, 0x4D, 0x81, 0xF4, 0x37, 0x2D, 0xDF, 0x58, 0x1A, 0x0D, 0xB2, - 0x48, 0xB0, 0xA7, 0x7A, 0xEC, 0xEC, 0x19, 0x6A, 0xCC, 0xC5, 0x29, 0x73 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 66 * 6]; -} _EC_NIST_PRIME_521 = { - { - NID_X9_62_prime_field, 20, 66, 1 - }, - { - /* seed */ - 0xD0, 0x9E, 0x88, 0x00, 0x29, 0x1C, 0xB8, 0x53, 0x96, 0xCC, 0x67, 0x17, - 0x39, 0x32, 0x84, 0xAA, 0xA0, 0xDA, 0x64, 0xBA, - /* p */ - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - /* a */ - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, - /* b */ - 0x00, 0x51, 0x95, 0x3E, 0xB9, 0x61, 0x8E, 0x1C, 0x9A, 0x1F, 0x92, 0x9A, - 0x21, 0xA0, 0xB6, 0x85, 0x40, 0xEE, 0xA2, 0xDA, 0x72, 0x5B, 0x99, 0xB3, - 0x15, 0xF3, 0xB8, 0xB4, 0x89, 0x91, 0x8E, 0xF1, 0x09, 0xE1, 0x56, 0x19, - 0x39, 0x51, 0xEC, 0x7E, 0x93, 0x7B, 0x16, 0x52, 0xC0, 0xBD, 0x3B, 0xB1, - 0xBF, 0x07, 0x35, 0x73, 0xDF, 0x88, 0x3D, 0x2C, 0x34, 0xF1, 0xEF, 0x45, - 0x1F, 0xD4, 0x6B, 0x50, 0x3F, 0x00, - /* x */ - 0x00, 0xC6, 0x85, 0x8E, 0x06, 0xB7, 0x04, 0x04, 0xE9, 0xCD, 0x9E, 0x3E, - 0xCB, 0x66, 0x23, 0x95, 0xB4, 0x42, 0x9C, 0x64, 0x81, 0x39, 
0x05, 0x3F, - 0xB5, 0x21, 0xF8, 0x28, 0xAF, 0x60, 0x6B, 0x4D, 0x3D, 0xBA, 0xA1, 0x4B, - 0x5E, 0x77, 0xEF, 0xE7, 0x59, 0x28, 0xFE, 0x1D, 0xC1, 0x27, 0xA2, 0xFF, - 0xA8, 0xDE, 0x33, 0x48, 0xB3, 0xC1, 0x85, 0x6A, 0x42, 0x9B, 0xF9, 0x7E, - 0x7E, 0x31, 0xC2, 0xE5, 0xBD, 0x66, - /* y */ - 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, - 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, - 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, - 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, - 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, - 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50, - /* order */ - 0x01, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFA, 0x51, 0x86, - 0x87, 0x83, 0xBF, 0x2F, 0x96, 0x6B, 0x7F, 0xCC, 0x01, 0x48, 0xF7, 0x09, - 0xA5, 0xD0, 0x3B, 0xB5, 0xC9, 0xB8, 0x89, 0x9C, 0x47, 0xAE, 0xBB, 0x6F, - 0xB7, 0x1E, 0x91, 0x38, 0x64, 0x09 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[20 + 32 * 6]; -} _EC_X9_62_PRIME_256V1 = { - { - NID_X9_62_prime_field, 20, 32, 1 - }, - { - /* seed */ - 0xC4, 0x9D, 0x36, 0x08, 0x86, 0xE7, 0x04, 0x93, 0x6A, 0x66, 0x78, 0xE1, - 0x13, 0x9D, 0x26, 0xB7, 0x81, 0x9F, 0x7E, 0x90, - /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - /* a */ - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, - /* b */ - 0x5A, 0xC6, 0x35, 0xD8, 0xAA, 0x3A, 0x93, 0xE7, 0xB3, 0xEB, 0xBD, 0x55, - 0x76, 0x98, 0x86, 0xBC, 0x65, 0x1D, 0x06, 0xB0, 0xCC, 0x53, 0xB0, 0xF6, - 0x3B, 0xCE, 
0x3C, 0x3E, 0x27, 0xD2, 0x60, 0x4B, - /* x */ - 0x6B, 0x17, 0xD1, 0xF2, 0xE1, 0x2C, 0x42, 0x47, 0xF8, 0xBC, 0xE6, 0xE5, - 0x63, 0xA4, 0x40, 0xF2, 0x77, 0x03, 0x7D, 0x81, 0x2D, 0xEB, 0x33, 0xA0, - 0xF4, 0xA1, 0x39, 0x45, 0xD8, 0x98, 0xC2, 0x96, - /* y */ - 0x4f, 0xe3, 0x42, 0xe2, 0xfe, 0x1a, 0x7f, 0x9b, 0x8e, 0xe7, 0xeb, 0x4a, - 0x7c, 0x0f, 0x9e, 0x16, 0x2b, 0xce, 0x33, 0x57, 0x6b, 0x31, 0x5e, 0xce, - 0xcb, 0xb6, 0x40, 0x68, 0x37, 0xbf, 0x51, 0xf5, - /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xBC, 0xE6, 0xFA, 0xAD, 0xA7, 0x17, 0x9E, 0x84, - 0xF3, 0xB9, 0xCA, 0xC2, 0xFC, 0x63, 0x25, 0x51 - } -}; - -static const struct { - EC_CURVE_DATA h; - unsigned char data[0 + 32 * 6]; -} _EC_SECG_PRIME_256K1 = { - { - NID_X9_62_prime_field, 0, 32, 1 - }, - { - /* no seed */ - /* p */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFC, 0x2F, - /* a */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - /* b */ - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, - /* x */ - 0x79, 0xBE, 0x66, 0x7E, 0xF9, 0xDC, 0xBB, 0xAC, 0x55, 0xA0, 0x62, 0x95, - 0xCE, 0x87, 0x0B, 0x07, 0x02, 0x9B, 0xFC, 0xDB, 0x2D, 0xCE, 0x28, 0xD9, - 0x59, 0xF2, 0x81, 0x5B, 0x16, 0xF8, 0x17, 0x98, - /* y */ - 0x48, 0x3a, 0xda, 0x77, 0x26, 0xa3, 0xc4, 0x65, 0x5d, 0xa4, 0xfb, 0xfc, - 0x0e, 0x11, 0x08, 0xa8, 0xfd, 0x17, 0xb4, 0x48, 0xa6, 0x85, 0x54, 0x19, - 0x9c, 0x47, 0xd0, 0x8f, 0xfb, 0x10, 0xd4, 0xb8, - /* order */ - 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, - 0xFF, 0xFF, 0xFF, 0xFE, 0xBA, 
0xAE, 0xDC, 0xE6, 0xAF, 0x48, 0xA0, 0x3B, - 0xBF, 0xD2, 0x5E, 0x8C, 0xD0, 0x36, 0x41, 0x41 - } -}; - -typedef struct _ec_list_element_st { - int nid; - const EC_CURVE_DATA *data; - const EC_METHOD *(*meth) (void); - const char *comment; -} ec_list_element; - -static const ec_list_element curve_list[] = { - /* prime field curves */ - /* secg curves */ -#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 - {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, - "NIST/SECG curve over a 224 bit prime field"}, -#else - {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, - "NIST/SECG curve over a 224 bit prime field"}, -#endif - {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, - "SECG curve over a 256 bit prime field"}, - /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ - {NID_secp384r1, &_EC_NIST_PRIME_384.h, 0, - "NIST/SECG curve over a 384 bit prime field"}, -#ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 - {NID_secp521r1, &_EC_NIST_PRIME_521.h, EC_GFp_nistp521_method, - "NIST/SECG curve over a 521 bit prime field"}, -#else - {NID_secp521r1, &_EC_NIST_PRIME_521.h, 0, - "NIST/SECG curve over a 521 bit prime field"}, -#endif - /* X9.62 curves */ - {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, -#if defined(ECP_NISTZ256_ASM) - EC_GFp_nistz256_method, -#elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) - EC_GFp_nistp256_method, -#else - 0, -#endif - "X9.62/SECG curve over a 256 bit prime field"}, -}; - -#define curve_list_length OSSL_NELEM(curve_list) - -static EC_GROUP *ec_group_new_from_data(const ec_list_element curve) -{ - EC_GROUP *group = NULL; - EC_POINT *P = NULL; - BN_CTX *ctx = NULL; - BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL, *order = - NULL; - int ok = 0; - int seed_len, param_len; - const EC_METHOD *meth; - const EC_CURVE_DATA *data; - const unsigned char *params; - - /* If no curve data curve method must handle everything */ - if (curve.data == NULL) - return EC_GROUP_new(curve.meth != NULL ? 
curve.meth() : NULL); - - if ((ctx = BN_CTX_new()) == NULL) { - ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_MALLOC_FAILURE); - goto err; - } - - data = curve.data; - seed_len = data->seed_len; - param_len = data->param_len; - params = (const unsigned char *)(data + 1); /* skip header */ - params += seed_len; /* skip seed */ - - if ((p = BN_bin2bn(params + 0 * param_len, param_len, NULL)) == NULL - || (a = BN_bin2bn(params + 1 * param_len, param_len, NULL)) == NULL - || (b = BN_bin2bn(params + 2 * param_len, param_len, NULL)) == NULL) { - ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB); - goto err; - } - - if (curve.meth != 0) { - meth = curve.meth(); - if (((group = EC_GROUP_new(meth)) == NULL) || - (!(group->meth->group_set_curve(group, p, a, b, ctx)))) { - ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); - goto err; - } - } else if (data->field_type == NID_X9_62_prime_field) { - if ((group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) == NULL) { - ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); - goto err; - } - } -#ifndef OPENSSL_NO_EC2M - else { /* field_type == - * NID_X9_62_characteristic_two_field */ - - if ((group = EC_GROUP_new_curve_GF2m(p, a, b, ctx)) == NULL) { - ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); - goto err; - } - } -#endif - - EC_GROUP_set_curve_name(group, curve.nid); - - if ((P = EC_POINT_new(group)) == NULL) { - ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); - goto err; - } - - if ((x = BN_bin2bn(params + 3 * param_len, param_len, NULL)) == NULL - || (y = BN_bin2bn(params + 4 * param_len, param_len, NULL)) == NULL) { - ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB); - goto err; - } - if (!EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) { - ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); - goto err; - } - if ((order = BN_bin2bn(params + 5 * param_len, param_len, NULL)) == NULL - || !BN_set_word(x, (BN_ULONG)data->cofactor)) { - ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_BN_LIB); - goto err; - } - if 
(!EC_GROUP_set_generator(group, P, order, x)) { - ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); - goto err; - } - if (seed_len) { - if (!EC_GROUP_set_seed(group, params - seed_len, seed_len)) { - ECerr(EC_F_EC_GROUP_NEW_FROM_DATA, ERR_R_EC_LIB); - goto err; - } - } - ok = 1; - err: - if (!ok) { - EC_GROUP_free(group); - group = NULL; - } - EC_POINT_free(P); - BN_CTX_free(ctx); - BN_free(p); - BN_free(a); - BN_free(b); - BN_free(order); - BN_free(x); - BN_free(y); - return group; -} - -EC_GROUP *EC_GROUP_new_by_curve_name(int nid) -{ - size_t i; - EC_GROUP *ret = NULL; - - if (nid <= 0) - return NULL; - - for (i = 0; i < curve_list_length; i++) - if (curve_list[i].nid == nid) { - ret = ec_group_new_from_data(curve_list[i]); - break; - } - - if (ret == NULL) { - ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_UNKNOWN_GROUP); - return NULL; - } - - return ret; -} - -size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems) -{ - size_t i, min; - - if (r == NULL || nitems == 0) - return curve_list_length; - - min = nitems < curve_list_length ? 
nitems : curve_list_length; - - for (i = 0; i < min; i++) { - r[i].nid = curve_list[i].nid; - r[i].comment = curve_list[i].comment; - } - - return curve_list_length; -} - -/* Functions to translate between common NIST curve names and NIDs */ - -typedef struct { - const char *name; /* NIST Name of curve */ - int nid; /* Curve NID */ -} EC_NIST_NAME; - -static EC_NIST_NAME nist_curves[] = { - {"B-163", NID_sect163r2}, - {"B-233", NID_sect233r1}, - {"B-283", NID_sect283r1}, - {"B-409", NID_sect409r1}, - {"B-571", NID_sect571r1}, - {"K-163", NID_sect163k1}, - {"K-233", NID_sect233k1}, - {"K-283", NID_sect283k1}, - {"K-409", NID_sect409k1}, - {"K-571", NID_sect571k1}, - {"P-192", NID_X9_62_prime192v1}, - {"P-224", NID_secp224r1}, - {"P-256", NID_X9_62_prime256v1}, - {"P-384", NID_secp384r1}, - {"P-521", NID_secp521r1} -}; - -const char *EC_curve_nid2nist(int nid) -{ - size_t i; - for (i = 0; i < OSSL_NELEM(nist_curves); i++) { - if (nist_curves[i].nid == nid) - return nist_curves[i].name; - } - return NULL; -} - -int EC_curve_nist2nid(const char *name) -{ - size_t i; - for (i = 0; i < OSSL_NELEM(nist_curves); i++) { - if (strcmp(nist_curves[i].name, name) == 0) - return nist_curves[i].nid; - } - return NID_undef; -} - -#define NUM_BN_FIELDS 6 -/* - * Validates EC domain parameter data for known named curves. - * This can be used when a curve is loaded explicitly (without a curve - * name) or to validate that domain parameters have not been modified. - * - * Returns: The nid associated with the found named curve, or NID_undef - * if not found. If there was an error it returns -1. 
- */ -int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx) -{ - int ret = -1, nid, len, field_type, param_len; - size_t i, seed_len; - const unsigned char *seed, *params_seed, *params; - unsigned char *param_bytes = NULL; - const EC_CURVE_DATA *data; - const EC_POINT *generator = NULL; - const EC_METHOD *meth; - const BIGNUM *cofactor = NULL; - /* An array of BIGNUMs for (p, a, b, x, y, order) */ - BIGNUM *bn[NUM_BN_FIELDS] = {NULL, NULL, NULL, NULL, NULL, NULL}; - - meth = EC_GROUP_method_of(group); - if (meth == NULL) - return -1; - /* Use the optional named curve nid as a search field */ - nid = EC_GROUP_get_curve_name(group); - field_type = EC_METHOD_get_field_type(meth); - seed_len = EC_GROUP_get_seed_len(group); - seed = EC_GROUP_get0_seed(group); - cofactor = EC_GROUP_get0_cofactor(group); - - BN_CTX_start(ctx); - - /* - * The built-in curves contains data fields (p, a, b, x, y, order) that are - * all zero-padded to be the same size. The size of the padding is - * determined by either the number of bytes in the field modulus (p) or the - * EC group order, whichever is larger. - */ - param_len = BN_num_bytes(group->order); - len = BN_num_bytes(group->field); - if (len > param_len) - param_len = len; - - /* Allocate space to store the padded data for (p, a, b, x, y, order) */ - param_bytes = OPENSSL_malloc(param_len * NUM_BN_FIELDS); - if (param_bytes == NULL) - goto end; - - /* Create the bignums */ - for (i = 0; i < NUM_BN_FIELDS; ++i) { - if ((bn[i] = BN_CTX_get(ctx)) == NULL) - goto end; - } - /* - * Fill in the bn array with the same values as the internal curves - * i.e. the values are p, a, b, x, y, order. 
- */ - /* Get p, a & b */ - if (!(EC_GROUP_get_curve(group, bn[0], bn[1], bn[2], ctx) - && ((generator = EC_GROUP_get0_generator(group)) != NULL) - /* Get x & y */ - && EC_POINT_get_affine_coordinates(group, generator, bn[3], bn[4], ctx) - /* Get order */ - && EC_GROUP_get_order(group, bn[5], ctx))) - goto end; - - /* - * Convert the bignum array to bytes that are joined together to form - * a single buffer that contains data for all fields. - * (p, a, b, x, y, order) are all zero padded to be the same size. - */ - for (i = 0; i < NUM_BN_FIELDS; ++i) { - if (BN_bn2binpad(bn[i], ¶m_bytes[i*param_len], param_len) <= 0) - goto end; - } - - for (i = 0; i < curve_list_length; i++) { - const ec_list_element curve = curve_list[i]; - - data = curve.data; - /* Get the raw order byte data */ - params_seed = (const unsigned char *)(data + 1); /* skip header */ - params = params_seed + data->seed_len; - - /* Look for unique fields in the fixed curve data */ - if (data->field_type == field_type - && param_len == data->param_len - && (nid <= 0 || nid == curve.nid) - /* check the optional cofactor (ignore if its zero) */ - && (BN_is_zero(cofactor) - || BN_is_word(cofactor, (const BN_ULONG)curve.data->cofactor)) - /* Check the optional seed (ignore if its not set) */ - && (data->seed_len == 0 || seed_len == 0 - || ((size_t)data->seed_len == seed_len - && memcmp(params_seed, seed, seed_len) == 0)) - /* Check that the groups params match the built-in curve params */ - && memcmp(param_bytes, params, param_len * NUM_BN_FIELDS) - == 0) { - ret = curve.nid; - goto end; - } - } - /* Gets here if the group was not found */ - ret = NID_undef; -end: - OPENSSL_free(param_bytes); - BN_CTX_end(ctx); - return ret; -} diff --git a/SOURCES/ectest.c b/SOURCES/ectest.c deleted file mode 100644 index e4fd45b..0000000 --- a/SOURCES/ectest.c +++ /dev/null 
@@ -1,1546 +0,0 @@
-/*
- * Copyright 2001-2020 The OpenSSL Project Authors. All Rights Reserved.
- * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
- * in the file LICENSE in the source distribution or at
- * https://www.openssl.org/source/license.html
- */
-
-#include "internal/nelem.h"
-#include "testutil.h"
-
-#ifndef OPENSSL_NO_EC
-# include
-# ifndef OPENSSL_NO_ENGINE
-# include
-# endif
-# include
-# include
-# include
-# include
-# include
-# include
-
-static size_t crv_len = 0;
-static EC_builtin_curve *curves = NULL;
-
-/* test multiplication with group order, long and negative scalars */
-static int group_order_tests(EC_GROUP *group)
-{
- BIGNUM *n1 = NULL, *n2 = NULL, *order = NULL;
- EC_POINT *P = NULL, *Q = NULL, *R = NULL, *S = NULL;
- const EC_POINT *G = NULL;
- BN_CTX *ctx = NULL;
- int i = 0, r = 0;
-
- if (!TEST_ptr(n1 = BN_new())
- || !TEST_ptr(n2 = BN_new())
- || !TEST_ptr(order = BN_new())
- || !TEST_ptr(ctx = BN_CTX_new())
- || !TEST_ptr(G = EC_GROUP_get0_generator(group))
- || !TEST_ptr(P = EC_POINT_new(group))
- || !TEST_ptr(Q = EC_POINT_new(group))
- || !TEST_ptr(R = EC_POINT_new(group))
- || !TEST_ptr(S = EC_POINT_new(group)))
- goto err;
-
- if (!TEST_true(EC_GROUP_get_order(group, order, ctx))
- || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
- || !TEST_true(EC_POINT_is_at_infinity(group, Q))
- || !TEST_true(EC_GROUP_precompute_mult(group, ctx))
- || !TEST_true(EC_POINT_mul(group, Q, order, NULL, NULL, ctx))
- || !TEST_true(EC_POINT_is_at_infinity(group, Q))
- || !TEST_true(EC_POINT_copy(P, G))
- || !TEST_true(BN_one(n1))
- || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
- || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
- || !TEST_true(BN_sub(n1, order, n1))
- || !TEST_true(EC_POINT_mul(group, Q, n1, NULL, NULL, ctx))
- || !TEST_true(EC_POINT_invert(group, Q, ctx))
- || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
- goto err;
-
- for (i = 1; i <= 2; i++) {
- const BIGNUM *scalars[6];
- const EC_POINT *points[6];
-
- if (!TEST_true(BN_set_word(n1, i))
- /*
- * If i == 1, P will be the predefined generator for which
- * EC_GROUP_precompute_mult has set up precomputation.
- */
- || !TEST_true(EC_POINT_mul(group, P, n1, NULL, NULL, ctx))
- || (i == 1 && !TEST_int_eq(0, EC_POINT_cmp(group, P, G, ctx)))
- || !TEST_true(BN_one(n1))
- /* n1 = 1 - order */
- || !TEST_true(BN_sub(n1, n1, order))
- || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n1, ctx))
- || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
-
- /* n2 = 1 + order */
- || !TEST_true(BN_add(n2, order, BN_value_one()))
- || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
- || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx))
-
- /* n2 = (1 - order) * (1 + order) = 1 - order^2 */
- || !TEST_true(BN_mul(n2, n1, n2, ctx))
- || !TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
- || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, ctx)))
- goto err;
-
- /* n2 = order^2 - 1 */
- BN_set_negative(n2, 0);
- if (!TEST_true(EC_POINT_mul(group, Q, NULL, P, n2, ctx))
- /* Add P to verify the result. */
- || !TEST_true(EC_POINT_add(group, Q, Q, P, ctx))
- || !TEST_true(EC_POINT_is_at_infinity(group, Q))
-
- /* Exercise EC_POINTs_mul, including corner cases. */
- || !TEST_false(EC_POINT_is_at_infinity(group, P)))
- goto err;
-
- scalars[0] = scalars[1] = BN_value_one();
- points[0] = points[1] = P;
-
- if (!TEST_true(EC_POINTs_mul(group, R, NULL, 2, points, scalars, ctx))
- || !TEST_true(EC_POINT_dbl(group, S, points[0], ctx))
- || !TEST_int_eq(0, EC_POINT_cmp(group, R, S, ctx)))
- goto err;
-
- scalars[0] = n1;
- points[0] = Q; /* => infinity */
- scalars[1] = n2;
- points[1] = P; /* => -P */
- scalars[2] = n1;
- points[2] = Q; /* => infinity */
- scalars[3] = n2;
- points[3] = Q; /* => infinity */
- scalars[4] = n1;
- points[4] = P; /* => P */
- scalars[5] = n2;
- points[5] = Q; /* => infinity */
- if (!TEST_true(EC_POINTs_mul(group, P, NULL, 6, points, scalars, ctx))
- || !TEST_true(EC_POINT_is_at_infinity(group, P)))
- goto err;
- }
-
- r = 1;
-err:
- if (r == 0 && i != 0)
- TEST_info(i == 1 ? "allowing precomputation" :
- "without precomputation");
- EC_POINT_free(P);
- EC_POINT_free(Q);
- EC_POINT_free(R);
- EC_POINT_free(S);
- BN_free(n1);
- BN_free(n2);
- BN_free(order);
- BN_CTX_free(ctx);
- return r;
-}
-
-static int prime_field_tests(void)
-{
- BN_CTX *ctx = NULL;
- BIGNUM *p = NULL, *a = NULL, *b = NULL, *scalar3 = NULL;
- EC_GROUP *group = NULL, *tmp = NULL;
- EC_GROUP *P_160 = NULL, *P_192 = NULL, *P_224 = NULL,
- *P_256 = NULL, *P_384 = NULL, *P_521 = NULL;
- EC_POINT *P = NULL, *Q = NULL, *R = NULL;
- BIGNUM *x = NULL, *y = NULL, *z = NULL, *yplusone = NULL;
- const EC_POINT *points[4];
- const BIGNUM *scalars[4];
- unsigned char buf[100];
- size_t len, r = 0;
- int k;
-
- if (!TEST_ptr(ctx = BN_CTX_new())
- || !TEST_ptr(p = BN_new())
- || !TEST_ptr(a = BN_new())
- || !TEST_ptr(b = BN_new())
- /*
- * applications should use EC_GROUP_new_curve_GFp so
- * that the library gets to choose the EC_METHOD
- */
- || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))
- || !TEST_ptr(tmp = EC_GROUP_new(EC_GROUP_method_of(group)))
- || !TEST_true(EC_GROUP_copy(tmp, group)))
- goto err;
- EC_GROUP_free(group);
- group = tmp;
- tmp = NULL;
-
- buf[0] = 0;
- if (!TEST_ptr(P = EC_POINT_new(group))
- || !TEST_ptr(Q = EC_POINT_new(group))
- || !TEST_ptr(R = EC_POINT_new(group))
- || !TEST_ptr(x = BN_new())
- || !TEST_ptr(y = BN_new())
- || !TEST_ptr(z = BN_new())
- || !TEST_ptr(yplusone = BN_new()))
- goto err;
-
- /* Curve P-224 (FIPS PUB 186-2, App. 6) */
-
- if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFF000000000000000000000001"))
- || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL))
- || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE"))
- || !TEST_true(BN_hex2bn(&b, "B4050A850C04B3ABF5413256"
- "5044B0B7D7BFD8BA270B39432355FFB4"))
- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx))
- || !TEST_true(BN_hex2bn(&x, "B70E0CBD6BB4BF7F321390B9"
- "4A03C1D356C21122343280D6115C1D21"))
- || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx))
- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0)
- || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFF"
- "FFFF16A2E0B8F03E13DD29455C5C2A3D"))
- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one()))
- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx)))
- goto err;
-
- TEST_info("NIST curve P-224 -- Generator");
- test_output_bignum("x", x);
- test_output_bignum("y", y);
- /* G_y value taken from the standard: */
- if (!TEST_true(BN_hex2bn(&z, "BD376388B5F723FB4C22DFE6"
- "CD4375A05A07476444D5819985007E34"))
- || !TEST_BN_eq(y, z)
- || !TEST_true(BN_add(yplusone, y, BN_value_one()))
- /*
- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not,
- * and therefore setting the coordinates should fail.
- */ - || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, - ctx)) - || !TEST_int_eq(EC_GROUP_get_degree(group), 224) - || !group_order_tests(group) - || !TEST_ptr(P_224 = EC_GROUP_new(EC_GROUP_method_of(group))) - || !TEST_true(EC_GROUP_copy(P_224, group)) - - /* Curve P-256 (FIPS PUB 186-2, App. 6) */ - - || !TEST_true(BN_hex2bn(&p, "FFFFFFFF000000010000000000000000" - "00000000FFFFFFFFFFFFFFFFFFFFFFFF")) - || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, "FFFFFFFF000000010000000000000000" - "00000000FFFFFFFFFFFFFFFFFFFFFFFC")) - || !TEST_true(BN_hex2bn(&b, "5AC635D8AA3A93E7B3EBBD55769886BC" - "651D06B0CC53B0F63BCE3C3E27D2604B")) - || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) - - || !TEST_true(BN_hex2bn(&x, "6B17D1F2E12C4247F8BCE6E563A440F2" - "77037D812DEB33A0F4A13945D898C296")) - || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(BN_hex2bn(&z, "FFFFFFFF00000000FFFFFFFFFFFFFFFF" - "BCE6FAADA7179E84F3B9CAC2FC632551")) - || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) - || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) - goto err; - - TEST_info("NIST curve P-256 -- Generator"); - test_output_bignum("x", x); - test_output_bignum("y", y); - /* G_y value taken from the standard: */ - if (!TEST_true(BN_hex2bn(&z, "4FE342E2FE1A7F9B8EE7EB4A7C0F9E16" - "2BCE33576B315ECECBB6406837BF51F5")) - || !TEST_BN_eq(y, z) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. 
- */ - || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, - ctx)) - || !TEST_int_eq(EC_GROUP_get_degree(group), 256) - || !group_order_tests(group) - || !TEST_ptr(P_256 = EC_GROUP_new(EC_GROUP_method_of(group))) - || !TEST_true(EC_GROUP_copy(P_256, group)) - - /* Curve P-384 (FIPS PUB 186-2, App. 6) */ - - || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" - "FFFFFFFF0000000000000000FFFFFFFF")) - || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFE" - "FFFFFFFF0000000000000000FFFFFFFC")) - || !TEST_true(BN_hex2bn(&b, "B3312FA7E23EE7E4988E056BE3F82D19" - "181D9C6EFE8141120314088F5013875A" - "C656398D8A2ED19D2A85C8EDD3EC2AEF")) - || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) - - || !TEST_true(BN_hex2bn(&x, "AA87CA22BE8B05378EB1C71EF320AD74" - "6E1D3B628BA79B9859F741E082542A38" - "5502F25DBF55296C3A545E3872760AB7")) - || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFC7634D81F4372DDF" - "581A0DB248B0A77AECEC196ACCC52973")) - || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) - || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) - goto err; - - TEST_info("NIST curve P-384 -- Generator"); - test_output_bignum("x", x); - test_output_bignum("y", y); - /* G_y value taken from the standard: */ - if (!TEST_true(BN_hex2bn(&z, "3617DE4A96262C6F5D9E98BF9292DC29" - "F8F41DBD289A147CE9DA3113B5F0B8C0" - "0A60B1CE1D7E819D7A431D7C90EA0E5F")) - || !TEST_BN_eq(y, z) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. 
- */ - || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, - ctx)) - || !TEST_int_eq(EC_GROUP_get_degree(group), 384) - || !group_order_tests(group) - || !TEST_ptr(P_384 = EC_GROUP_new(EC_GROUP_method_of(group))) - || !TEST_true(EC_GROUP_copy(P_384, group)) - - /* Curve P-521 (FIPS PUB 186-2, App. 6) */ - || !TEST_true(BN_hex2bn(&p, "1FF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF")) - || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, "1FF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFC")) - || !TEST_true(BN_hex2bn(&b, "051" - "953EB9618E1C9A1F929A21A0B68540EE" - "A2DA725B99B315F3B8B489918EF109E1" - "56193951EC7E937B1652C0BD3BB1BF07" - "3573DF883D2C34F1EF451FD46B503F00")) - || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) - || !TEST_true(BN_hex2bn(&x, "C6" - "858E06B70404E9CD9E3ECB662395B442" - "9C648139053FB521F828AF606B4D3DBA" - "A14B5E77EFE75928FE1DC127A2FFA8DE" - "3348B3C1856A429BF97E7E31C2E5BD66")) - || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 0, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(BN_hex2bn(&z, "1FF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFA" - "51868783BF2F966B7FCC0148F709A5D0" - "3BB5C9B8899C47AEBB6FB71E91386409")) - || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) - || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) - goto err; - - TEST_info("NIST curve P-521 -- Generator"); - test_output_bignum("x", x); - test_output_bignum("y", y); - /* G_y value taken from the standard: */ - if (!TEST_true(BN_hex2bn(&z, "118" - "39296A789A3BC0045C8A5FB42C7D1BD9" - "98F54449579B446817AFBD17273E662C" - "97EE72995EF42640C550B9013FAD0761" - "353C7086A272C24088BE94769FD16650")) 
- || !TEST_BN_eq(y, z) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. - */ - || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, - ctx)) - || !TEST_int_eq(EC_GROUP_get_degree(group), 521) - || !group_order_tests(group) - || !TEST_ptr(P_521 = EC_GROUP_new(EC_GROUP_method_of(group))) - || !TEST_true(EC_GROUP_copy(P_521, group)) - - /* more tests using the last curve */ - - /* Restore the point that got mangled in the (x, y + 1) test. */ - || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) - || !TEST_true(EC_POINT_copy(Q, P)) - || !TEST_false(EC_POINT_is_at_infinity(group, Q)) - || !TEST_true(EC_POINT_dbl(group, P, P, ctx)) - || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) - || !TEST_true(EC_POINT_invert(group, Q, ctx)) /* P = -2Q */ - || !TEST_true(EC_POINT_add(group, R, P, Q, ctx)) - || !TEST_true(EC_POINT_add(group, R, R, Q, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, R)) /* R = P + 2Q */ - || !TEST_false(EC_POINT_is_at_infinity(group, Q))) - goto err; - points[0] = Q; - points[1] = Q; - points[2] = Q; - points[3] = Q; - - if (!TEST_true(EC_GROUP_get_order(group, z, ctx)) - || !TEST_true(BN_add(y, z, BN_value_one())) - || !TEST_BN_even(y) - || !TEST_true(BN_rshift1(y, y))) - goto err; - scalars[0] = y; /* (group order + 1)/2, so y*Q + y*Q = Q */ - scalars[1] = y; - - TEST_note("combined multiplication ..."); - - /* z is still the group order */ - if (!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) - || !TEST_true(EC_POINTs_mul(group, R, z, 2, points, scalars, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(group, R, Q, ctx)) - || !TEST_true(BN_rand(y, BN_num_bits(y), 0, 0)) - || !TEST_true(BN_add(z, z, y))) - goto err; - BN_set_negative(z, 1); - scalars[0] = y; - scalars[1] = z; /* z = -(order + y) */ - - if 
(!TEST_true(EC_POINTs_mul(group, P, NULL, 2, points, scalars, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, P)) - || !TEST_true(BN_rand(x, BN_num_bits(y) - 1, 0, 0)) - || !TEST_true(BN_add(z, x, y))) - goto err; - BN_set_negative(z, 1); - scalars[0] = x; - scalars[1] = y; - scalars[2] = z; /* z = -(x+y) */ - - if (!TEST_ptr(scalar3 = BN_new())) - goto err; - BN_zero(scalar3); - scalars[3] = scalar3; - - if (!TEST_true(EC_POINTs_mul(group, P, NULL, 4, points, scalars, ctx)) - || !TEST_true(EC_POINT_is_at_infinity(group, P))) - goto err; - - TEST_note(" ok\n"); - - - r = 1; -err: - BN_CTX_free(ctx); - BN_free(p); - BN_free(a); - BN_free(b); - EC_GROUP_free(group); - EC_GROUP_free(tmp); - EC_POINT_free(P); - EC_POINT_free(Q); - EC_POINT_free(R); - BN_free(x); - BN_free(y); - BN_free(z); - BN_free(yplusone); - BN_free(scalar3); - - EC_GROUP_free(P_224); - EC_GROUP_free(P_256); - EC_GROUP_free(P_384); - EC_GROUP_free(P_521); - return r; -} - -static int internal_curve_test(int n) -{ - EC_GROUP *group = NULL; - int nid = curves[n].nid; - - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) { - TEST_info("EC_GROUP_new_curve_name() failed with curve %s\n", - OBJ_nid2sn(nid)); - return 0; - } - if (!TEST_true(EC_GROUP_check(group, NULL))) { - TEST_info("EC_GROUP_check() failed with curve %s\n", OBJ_nid2sn(nid)); - EC_GROUP_free(group); - return 0; - } - EC_GROUP_free(group); - return 1; -} - -static int internal_curve_test_method(int n) -{ - int r, nid = curves[n].nid; - EC_GROUP *group; - - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))) { - TEST_info("Curve %s failed\n", OBJ_nid2sn(nid)); - return 0; - } - r = group_order_tests(group); - EC_GROUP_free(group); - return r; -} - -# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 -/* - * nistp_test_params contains magic numbers for testing our optimized - * implementations of several NIST curves with characteristic > 3. 
- */ -struct nistp_test_params { - const EC_METHOD *(*meth) (void); - int degree; - /* - * Qx, Qy and D are taken from - * http://csrc.nist.gov/groups/ST/toolkit/documents/Examples/ECDSA_Prime.pdf - * Otherwise, values are standard curve parameters from FIPS 180-3 - */ - const char *p, *a, *b, *Qx, *Qy, *Gx, *Gy, *order, *d; -}; - -static const struct nistp_test_params nistp_tests_params[] = { - { - /* P-224 */ - EC_GFp_nistp224_method, - 224, - /* p */ - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF000000000000000000000001", - /* a */ - "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFFFFFFFFFE", - /* b */ - "B4050A850C04B3ABF54132565044B0B7D7BFD8BA270B39432355FFB4", - /* Qx */ - "E84FB0B8E7000CB657D7973CF6B42ED78B301674276DF744AF130B3E", - /* Qy */ - "4376675C6FC5612C21A0FF2D2A89D2987DF7A2BC52183B5982298555", - /* Gx */ - "B70E0CBD6BB4BF7F321390B94A03C1D356C21122343280D6115C1D21", - /* Gy */ - "BD376388B5F723FB4C22DFE6CD4375A05A07476444D5819985007E34", - /* order */ - "FFFFFFFFFFFFFFFFFFFFFFFFFFFF16A2E0B8F03E13DD29455C5C2A3D", - /* d */ - "3F0C488E987C80BE0FEE521F8D90BE6034EC69AE11CA72AA777481E8", - }, - { - /* P-256 */ - EC_GFp_nistp256_method, - 256, - /* p */ - "ffffffff00000001000000000000000000000000ffffffffffffffffffffffff", - /* a */ - "ffffffff00000001000000000000000000000000fffffffffffffffffffffffc", - /* b */ - "5ac635d8aa3a93e7b3ebbd55769886bc651d06b0cc53b0f63bce3c3e27d2604b", - /* Qx */ - "b7e08afdfe94bad3f1dc8c734798ba1c62b3a0ad1e9ea2a38201cd0889bc7a19", - /* Qy */ - "3603f747959dbf7a4bb226e41928729063adc7ae43529e61b563bbc606cc5e09", - /* Gx */ - "6b17d1f2e12c4247f8bce6e563a440f277037d812deb33a0f4a13945d898c296", - /* Gy */ - "4fe342e2fe1a7f9b8ee7eb4a7c0f9e162bce33576b315ececbb6406837bf51f5", - /* order */ - "ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551", - /* d */ - "c477f9f65c22cce20657faa5b2d1d8122336f851a508a1ed04e479c34985bf96", - }, - { - /* P-521 */ - EC_GFp_nistp521_method, - 521, - /* p */ - "1ff" - 
"ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff", - /* a */ - "1ff" - "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffc", - /* b */ - "051" - "953eb9618e1c9a1f929a21a0b68540eea2da725b99b315f3b8b489918ef109e1" - "56193951ec7e937b1652c0bd3bb1bf073573df883d2c34f1ef451fd46b503f00", - /* Qx */ - "0098" - "e91eef9a68452822309c52fab453f5f117c1da8ed796b255e9ab8f6410cca16e" - "59df403a6bdc6ca467a37056b1e54b3005d8ac030decfeb68df18b171885d5c4", - /* Qy */ - "0164" - "350c321aecfc1cca1ba4364c9b15656150b4b78d6a48d7d28e7f31985ef17be8" - "554376b72900712c4b83ad668327231526e313f5f092999a4632fd50d946bc2e", - /* Gx */ - "c6" - "858e06b70404e9cd9e3ecb662395b4429c648139053fb521f828af606b4d3dba" - "a14b5e77efe75928fe1dc127a2ffa8de3348b3c1856a429bf97e7e31c2e5bd66", - /* Gy */ - "118" - "39296a789a3bc0045c8a5fb42c7d1bd998f54449579b446817afbd17273e662c" - "97ee72995ef42640c550b9013fad0761353c7086a272c24088be94769fd16650", - /* order */ - "1ff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa" - "51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409", - /* d */ - "0100" - "085f47b8e1b8b11b7eb33028c0b2888e304bfc98501955b45bba1478dc184eee" - "df09b86a5f7c21994406072787205e69a63709fe35aa93ba333514b24f961722", - }, -}; - -static int nistp_single_test(int idx) -{ - const struct nistp_test_params *test = nistp_tests_params + idx; - BN_CTX *ctx = NULL; - BIGNUM *p = NULL, *a = NULL, *b = NULL, *x = NULL, *y = NULL; - BIGNUM *n = NULL, *m = NULL, *order = NULL, *yplusone = NULL; - EC_GROUP *NISTP = NULL; - EC_POINT *G = NULL, *P = NULL, *Q = NULL, *Q_CHECK = NULL; - int r = 0; - - TEST_note("NIST curve P-%d (optimised implementation):", - test->degree); - if (!TEST_ptr(ctx = BN_CTX_new()) - || !TEST_ptr(p = BN_new()) - || !TEST_ptr(a = BN_new()) - || !TEST_ptr(b = BN_new()) - || !TEST_ptr(x = 
BN_new()) - || !TEST_ptr(y = BN_new()) - || !TEST_ptr(m = BN_new()) - || !TEST_ptr(n = BN_new()) - || !TEST_ptr(order = BN_new()) - || !TEST_ptr(yplusone = BN_new()) - - || !TEST_ptr(NISTP = EC_GROUP_new(test->meth())) - || !TEST_true(BN_hex2bn(&p, test->p)) - || !TEST_int_eq(1, BN_is_prime_ex(p, BN_prime_checks, ctx, NULL)) - || !TEST_true(BN_hex2bn(&a, test->a)) - || !TEST_true(BN_hex2bn(&b, test->b)) - || !TEST_true(EC_GROUP_set_curve(NISTP, p, a, b, ctx)) - || !TEST_ptr(G = EC_POINT_new(NISTP)) - || !TEST_ptr(P = EC_POINT_new(NISTP)) - || !TEST_ptr(Q = EC_POINT_new(NISTP)) - || !TEST_ptr(Q_CHECK = EC_POINT_new(NISTP)) - || !TEST_true(BN_hex2bn(&x, test->Qx)) - || !TEST_true(BN_hex2bn(&y, test->Qy)) - || !TEST_true(BN_add(yplusone, y, BN_value_one())) - /* - * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, - * and therefore setting the coordinates should fail. - */ - || !TEST_false(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, - yplusone, ctx)) - || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, Q_CHECK, x, y, - ctx)) - || !TEST_true(BN_hex2bn(&x, test->Gx)) - || !TEST_true(BN_hex2bn(&y, test->Gy)) - || !TEST_true(EC_POINT_set_affine_coordinates(NISTP, G, x, y, ctx)) - || !TEST_true(BN_hex2bn(&order, test->order)) - || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one())) - || !TEST_int_eq(EC_GROUP_get_degree(NISTP), test->degree)) - goto err; - - TEST_note("NIST test vectors ... 
"); - if (!TEST_true(BN_hex2bn(&n, test->d))) - goto err; - /* fixed point multiplication */ - EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - /* random point multiplication */ - EC_POINT_mul(NISTP, Q, NULL, G, n, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - - /* set generator to P = 2*G, where G is the standard generator */ - || !TEST_true(EC_POINT_dbl(NISTP, P, G, ctx)) - || !TEST_true(EC_GROUP_set_generator(NISTP, P, order, BN_value_one())) - /* set the scalar to m=n/2, where n is the NIST test scalar */ - || !TEST_true(BN_rshift(m, n, 1))) - goto err; - - /* test the non-standard generator */ - /* fixed point multiplication */ - EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - /* random point multiplication */ - EC_POINT_mul(NISTP, Q, NULL, P, m, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - - /* - * We have not performed precomputation so have_precompute mult should be - * false - */ - || !TEST_false(EC_GROUP_have_precompute_mult(NISTP)) - - /* now repeat all tests with precomputation */ - || !TEST_true(EC_GROUP_precompute_mult(NISTP, ctx)) - || !TEST_true(EC_GROUP_have_precompute_mult(NISTP))) - goto err; - - /* fixed point multiplication */ - EC_POINT_mul(NISTP, Q, m, NULL, NULL, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - /* random point multiplication */ - EC_POINT_mul(NISTP, Q, NULL, P, m, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx)) - - /* reset generator */ - || !TEST_true(EC_GROUP_set_generator(NISTP, G, order, BN_value_one()))) - goto err; - /* fixed point multiplication */ - EC_POINT_mul(NISTP, Q, n, NULL, NULL, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, Q_CHECK, ctx))) - goto err; - /* random point multiplication */ - EC_POINT_mul(NISTP, Q, NULL, G, n, ctx); - if (!TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, 
Q_CHECK, ctx))) - goto err; - - /* regression test for felem_neg bug */ - if (!TEST_true(BN_set_word(m, 32)) - || !TEST_true(BN_set_word(n, 31)) - || !TEST_true(EC_POINT_copy(P, G)) - || !TEST_true(EC_POINT_invert(NISTP, P, ctx)) - || !TEST_true(EC_POINT_mul(NISTP, Q, m, P, n, ctx)) - || !TEST_int_eq(0, EC_POINT_cmp(NISTP, Q, G, ctx))) - goto err; - - r = group_order_tests(NISTP); -err: - EC_GROUP_free(NISTP); - EC_POINT_free(G); - EC_POINT_free(P); - EC_POINT_free(Q); - EC_POINT_free(Q_CHECK); - BN_free(n); - BN_free(m); - BN_free(p); - BN_free(a); - BN_free(b); - BN_free(x); - BN_free(y); - BN_free(order); - BN_free(yplusone); - BN_CTX_free(ctx); - return r; -} - -/* - * Tests a point known to cause an incorrect underflow in an old version of - * ecp_nist521.c - */ -static int underflow_test(void) -{ - BN_CTX *ctx = NULL; - EC_GROUP *grp = NULL; - EC_POINT *P = NULL, *Q = NULL, *R = NULL; - BIGNUM *x1 = NULL, *y1 = NULL, *z1 = NULL, *x2 = NULL, *y2 = NULL; - BIGNUM *k = NULL; - int testresult = 0; - const char *x1str = - "1534f0077fffffe87e9adcfe000000000000000000003e05a21d2400002e031b1f4" - "b80000c6fafa4f3c1288798d624a247b5e2ffffffffffffffefe099241900004"; - const char *p521m1 = - "1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff" - "fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffe"; - - ctx = BN_CTX_new(); - if (!TEST_ptr(ctx)) - return 0; - - BN_CTX_start(ctx); - x1 = BN_CTX_get(ctx); - y1 = BN_CTX_get(ctx); - z1 = BN_CTX_get(ctx); - x2 = BN_CTX_get(ctx); - y2 = BN_CTX_get(ctx); - k = BN_CTX_get(ctx); - if (!TEST_ptr(k)) - goto err; - - grp = EC_GROUP_new_by_curve_name(NID_secp521r1); - P = EC_POINT_new(grp); - Q = EC_POINT_new(grp); - R = EC_POINT_new(grp); - if (!TEST_ptr(grp) || !TEST_ptr(P) || !TEST_ptr(Q) || !TEST_ptr(R)) - goto err; - - if (!TEST_int_gt(BN_hex2bn(&x1, x1str), 0) - || !TEST_int_gt(BN_hex2bn(&y1, p521m1), 0) - || !TEST_int_gt(BN_hex2bn(&z1, p521m1), 0) - || !TEST_int_gt(BN_hex2bn(&k, "02"), 0) - || 
!TEST_true(EC_POINT_set_Jprojective_coordinates_GFp(grp, P, x1, - y1, z1, ctx)) - || !TEST_true(EC_POINT_mul(grp, Q, NULL, P, k, ctx)) - || !TEST_true(EC_POINT_get_affine_coordinates(grp, Q, x1, y1, ctx)) - || !TEST_true(EC_POINT_dbl(grp, R, P, ctx)) - || !TEST_true(EC_POINT_get_affine_coordinates(grp, R, x2, y2, ctx))) - goto err; - - if (!TEST_int_eq(BN_cmp(x1, x2), 0) - || !TEST_int_eq(BN_cmp(y1, y2), 0)) - goto err; - - testresult = 1; - - err: - BN_CTX_end(ctx); - EC_POINT_free(P); - EC_POINT_free(Q); - EC_POINT_free(R); - EC_GROUP_free(grp); - BN_CTX_free(ctx); - - return testresult; -} -# endif - -static const unsigned char p521_named[] = { - 0x06, 0x05, 0x2b, 0x81, 0x04, 0x00, 0x23, -}; - -static const unsigned char p521_explicit[] = { - 0x30, 0x82, 0x01, 0xc3, 0x02, 0x01, 0x01, 0x30, 0x4d, 0x06, 0x07, 0x2a, - 0x86, 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x42, 0x01, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0x30, 0x81, 0x9f, 0x04, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xfc, 0x04, 0x42, 0x00, 0x51, 0x95, 0x3e, 0xb9, 0x61, 0x8e, 0x1c, 0x9a, - 0x1f, 0x92, 0x9a, 0x21, 0xa0, 0xb6, 0x85, 0x40, 0xee, 0xa2, 0xda, 0x72, - 0x5b, 0x99, 0xb3, 0x15, 0xf3, 0xb8, 0xb4, 0x89, 0x91, 0x8e, 0xf1, 0x09, - 0xe1, 0x56, 0x19, 0x39, 0x51, 0xec, 0x7e, 0x93, 0x7b, 0x16, 
0x52, 0xc0, - 0xbd, 0x3b, 0xb1, 0xbf, 0x07, 0x35, 0x73, 0xdf, 0x88, 0x3d, 0x2c, 0x34, - 0xf1, 0xef, 0x45, 0x1f, 0xd4, 0x6b, 0x50, 0x3f, 0x00, 0x03, 0x15, 0x00, - 0xd0, 0x9e, 0x88, 0x00, 0x29, 0x1c, 0xb8, 0x53, 0x96, 0xcc, 0x67, 0x17, - 0x39, 0x32, 0x84, 0xaa, 0xa0, 0xda, 0x64, 0xba, 0x04, 0x81, 0x85, 0x04, - 0x00, 0xc6, 0x85, 0x8e, 0x06, 0xb7, 0x04, 0x04, 0xe9, 0xcd, 0x9e, 0x3e, - 0xcb, 0x66, 0x23, 0x95, 0xb4, 0x42, 0x9c, 0x64, 0x81, 0x39, 0x05, 0x3f, - 0xb5, 0x21, 0xf8, 0x28, 0xaf, 0x60, 0x6b, 0x4d, 0x3d, 0xba, 0xa1, 0x4b, - 0x5e, 0x77, 0xef, 0xe7, 0x59, 0x28, 0xfe, 0x1d, 0xc1, 0x27, 0xa2, 0xff, - 0xa8, 0xde, 0x33, 0x48, 0xb3, 0xc1, 0x85, 0x6a, 0x42, 0x9b, 0xf9, 0x7e, - 0x7e, 0x31, 0xc2, 0xe5, 0xbd, 0x66, 0x01, 0x18, 0x39, 0x29, 0x6a, 0x78, - 0x9a, 0x3b, 0xc0, 0x04, 0x5c, 0x8a, 0x5f, 0xb4, 0x2c, 0x7d, 0x1b, 0xd9, - 0x98, 0xf5, 0x44, 0x49, 0x57, 0x9b, 0x44, 0x68, 0x17, 0xaf, 0xbd, 0x17, - 0x27, 0x3e, 0x66, 0x2c, 0x97, 0xee, 0x72, 0x99, 0x5e, 0xf4, 0x26, 0x40, - 0xc5, 0x50, 0xb9, 0x01, 0x3f, 0xad, 0x07, 0x61, 0x35, 0x3c, 0x70, 0x86, - 0xa2, 0x72, 0xc2, 0x40, 0x88, 0xbe, 0x94, 0x76, 0x9f, 0xd1, 0x66, 0x50, - 0x02, 0x42, 0x01, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, - 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xfa, - 0x51, 0x86, 0x87, 0x83, 0xbf, 0x2f, 0x96, 0x6b, 0x7f, 0xcc, 0x01, 0x48, - 0xf7, 0x09, 0xa5, 0xd0, 0x3b, 0xb5, 0xc9, 0xb8, 0x89, 0x9c, 0x47, 0xae, - 0xbb, 0x6f, 0xb7, 0x1e, 0x91, 0x38, 0x64, 0x09, 0x02, 0x01, 0x01, -}; - -/* - * Sometime we cannot compare nids for equality, as the built-in curve table - * includes aliases with different names for the same curve. - * - * This function returns TRUE (1) if the checked nids are identical, or if they - * alias to the same curve. FALSE (0) otherwise. 
- */ -static ossl_inline -int are_ec_nids_compatible(int n1d, int n2d) -{ - int ret = 0; - switch (n1d) { -# ifndef OPENSSL_NO_EC2M - case NID_sect113r1: - case NID_wap_wsg_idm_ecid_wtls4: - ret = (n2d == NID_sect113r1 || n2d == NID_wap_wsg_idm_ecid_wtls4); - break; - case NID_sect163k1: - case NID_wap_wsg_idm_ecid_wtls3: - ret = (n2d == NID_sect163k1 || n2d == NID_wap_wsg_idm_ecid_wtls3); - break; - case NID_sect233k1: - case NID_wap_wsg_idm_ecid_wtls10: - ret = (n2d == NID_sect233k1 || n2d == NID_wap_wsg_idm_ecid_wtls10); - break; - case NID_sect233r1: - case NID_wap_wsg_idm_ecid_wtls11: - ret = (n2d == NID_sect233r1 || n2d == NID_wap_wsg_idm_ecid_wtls11); - break; - case NID_X9_62_c2pnb163v1: - case NID_wap_wsg_idm_ecid_wtls5: - ret = (n2d == NID_X9_62_c2pnb163v1 - || n2d == NID_wap_wsg_idm_ecid_wtls5); - break; -# endif /* OPENSSL_NO_EC2M */ - case NID_secp112r1: - case NID_wap_wsg_idm_ecid_wtls6: - ret = (n2d == NID_secp112r1 || n2d == NID_wap_wsg_idm_ecid_wtls6); - break; - case NID_secp160r2: - case NID_wap_wsg_idm_ecid_wtls7: - ret = (n2d == NID_secp160r2 || n2d == NID_wap_wsg_idm_ecid_wtls7); - break; -# ifdef OPENSSL_NO_EC_NISTP_64_GCC_128 - case NID_secp224r1: - case NID_wap_wsg_idm_ecid_wtls12: - ret = (n2d == NID_secp224r1 || n2d == NID_wap_wsg_idm_ecid_wtls12); - break; -# else - /* - * For SEC P-224 we want to ensure that the SECP nid is returned, as - * that is associated with a specialized method. - */ - case NID_wap_wsg_idm_ecid_wtls12: - ret = (n2d == NID_secp224r1); - break; -# endif /* def(OPENSSL_NO_EC_NISTP_64_GCC_128) */ - - default: - ret = (n1d == n2d); - } - return ret; -} - -/* - * This checks that EC_GROUP_bew_from_ecparameters() returns a "named" - * EC_GROUP for built-in curves. - * - * Note that it is possible to retrieve an alternative alias that does not match - * the original nid. - * - * Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. 
- */ -static int check_named_curve_from_ecparameters(int id) -{ - int ret = 0, nid, tnid; - EC_GROUP *group = NULL, *tgroup = NULL, *tmpg = NULL; - const EC_POINT *group_gen = NULL; - EC_POINT *other_gen = NULL; - BIGNUM *group_cofactor = NULL, *other_cofactor = NULL; - BIGNUM *other_gen_x = NULL, *other_gen_y = NULL; - const BIGNUM *group_order = NULL; - BIGNUM *other_order = NULL; - BN_CTX *bn_ctx = NULL; - static const unsigned char invalid_seed[] = "THIS IS NOT A VALID SEED"; - static size_t invalid_seed_len = sizeof(invalid_seed); - ECPARAMETERS *params = NULL, *other_params = NULL; - EC_GROUP *g_ary[8] = {NULL}; - EC_GROUP **g_next = &g_ary[0]; - ECPARAMETERS *p_ary[8] = {NULL}; - ECPARAMETERS **p_next = &p_ary[0]; - - /* Do some setup */ - nid = curves[id].nid; - TEST_note("Curve %s", OBJ_nid2sn(nid)); - if (!TEST_ptr(bn_ctx = BN_CTX_new())) - return ret; - BN_CTX_start(bn_ctx); - - if (/* Allocations */ - !TEST_ptr(group_cofactor = BN_CTX_get(bn_ctx)) - || !TEST_ptr(other_gen_x = BN_CTX_get(bn_ctx)) - || !TEST_ptr(other_gen_y = BN_CTX_get(bn_ctx)) - || !TEST_ptr(other_order = BN_CTX_get(bn_ctx)) - || !TEST_ptr(other_cofactor = BN_CTX_get(bn_ctx)) - /* Generate reference group and params */ - || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)) - || !TEST_ptr(params = EC_GROUP_get_ecparameters(group, NULL)) - || !TEST_ptr(group_gen = EC_GROUP_get0_generator(group)) - || !TEST_ptr(group_order = EC_GROUP_get0_order(group)) - || !TEST_true(EC_GROUP_get_cofactor(group, group_cofactor, NULL)) - /* compute `other_*` values */ - || !TEST_ptr(tmpg = EC_GROUP_dup(group)) - || !TEST_ptr(other_gen = EC_POINT_dup(group_gen, group)) - || !TEST_true(EC_POINT_add(group, other_gen, group_gen, group_gen, NULL)) - || !TEST_true(EC_POINT_get_affine_coordinates(group, other_gen, - other_gen_x, other_gen_y, bn_ctx)) - || !TEST_true(BN_copy(other_order, group_order)) - || !TEST_true(BN_add_word(other_order, 1)) - || !TEST_true(BN_copy(other_cofactor, group_cofactor)) - || 
!TEST_true(BN_add_word(other_cofactor, 1))) - goto err; - - EC_POINT_free(other_gen); - other_gen = NULL; - - if (!TEST_ptr(other_gen = EC_POINT_new(tmpg)) - || !TEST_true(EC_POINT_set_affine_coordinates(tmpg, other_gen, - other_gen_x, other_gen_y, - bn_ctx))) - goto err; - - /* - * ########################### - * # Actual tests start here # - * ########################### - */ - - /* - * Creating a group from built-in explicit parameters returns a - * "named" EC_GROUP - */ - if (!TEST_ptr(tgroup = *g_next++ = EC_GROUP_new_from_ecparameters(params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef)) - goto err; - /* - * We cannot always guarantee the names match, as the built-in table - * contains aliases for the same curve with different names. - */ - if (!TEST_true(are_ec_nids_compatible(nid, tnid))) { - TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); - goto err; - } - /* Ensure that the OPENSSL_EC_EXPLICIT_CURVE ASN1 flag is set. */ - if (!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), OPENSSL_EC_EXPLICIT_CURVE)) - goto err; - - /* - * An invalid seed in the parameters should be ignored: expect a "named" - * group. - */ - if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, invalid_seed, invalid_seed_len), - invalid_seed_len) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE)) { - TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); - goto err; - } - - /* - * A null seed in the parameters should be ignored, as it is optional: - * expect a "named" group. 
- */ - if (!TEST_int_eq(EC_GROUP_set_seed(tmpg, NULL, 0), 1) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE)) { - TEST_info("nid = %s, tnid = %s", OBJ_nid2sn(nid), OBJ_nid2sn(tnid)); - goto err; - } - - /* - * Check that changing any of the generator parameters does not yield a - * match with the built-in curves - */ - if (/* Other gen, same group order & cofactor */ - !TEST_true(EC_GROUP_set_generator(tmpg, other_gen, group_order, - group_cofactor)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - /* Same gen & cofactor, different order */ - || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, other_order, - group_cofactor)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_eq((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - /* The order is not an optional field, so this should fail */ - || !TEST_false(EC_GROUP_set_generator(tmpg, group_gen, NULL, - group_cofactor)) - /* Check that a wrong cofactor is ignored, and we still match */ - || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, - other_cofactor)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || 
!TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE) - /* Check that if the cofactor is not set then it still matches */ - || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, - NULL)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE) - /* check that restoring the generator passes */ - || !TEST_true(EC_GROUP_set_generator(tmpg, group_gen, group_order, - group_cofactor)) - || !TEST_ptr(other_params = *p_next++ = - EC_GROUP_get_ecparameters(tmpg, NULL)) - || !TEST_ptr(tgroup = *g_next++ = - EC_GROUP_new_from_ecparameters(other_params)) - || !TEST_int_ne((tnid = EC_GROUP_get_curve_name(tgroup)), NID_undef) - || !TEST_true(are_ec_nids_compatible(nid, tnid)) - || !TEST_int_eq(EC_GROUP_get_asn1_flag(tgroup), - OPENSSL_EC_EXPLICIT_CURVE)) - goto err; - - ret = 1; -err: - for (g_next = &g_ary[0]; g_next < g_ary + OSSL_NELEM(g_ary); g_next++) - EC_GROUP_free(*g_next); - for (p_next = &p_ary[0]; p_next < p_ary + OSSL_NELEM(g_ary); p_next++) - ECPARAMETERS_free(*p_next); - ECPARAMETERS_free(params); - EC_POINT_free(other_gen); - EC_GROUP_free(tmpg); - EC_GROUP_free(group); - BN_CTX_end(bn_ctx); - BN_CTX_free(bn_ctx); - return ret; -} - -static int parameter_test(void) -{ - EC_GROUP *group = NULL, *group2 = NULL; - ECPARAMETERS *ecparameters = NULL; - unsigned char *buf = NULL; - int r = 0, len; - - /* must use a curve without a special group method */ - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp256k1)) - || !TEST_ptr(ecparameters = EC_GROUP_get_ecparameters(group, NULL)) - || !TEST_ptr(group2 = EC_GROUP_new_from_ecparameters(ecparameters)) - || !TEST_int_eq(EC_GROUP_cmp(group, group2, NULL), 0)) - goto err; - - 
EC_GROUP_free(group); - group = NULL; - - /* Test the named curve encoding, which should be default. */ - if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(NID_secp521r1)) - || !TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0) - || !TEST_mem_eq(buf, len, p521_named, sizeof(p521_named))) - goto err; - - OPENSSL_free(buf); - buf = NULL; - - /* - * Test the explicit encoding. P-521 requires correctly zero-padding the - * curve coefficients. - */ - EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE); - if (!TEST_true((len = i2d_ECPKParameters(group, &buf)) >= 0) - || !TEST_mem_eq(buf, len, p521_explicit, sizeof(p521_explicit))) - goto err; - - r = 1; -err: - EC_GROUP_free(group); - EC_GROUP_free(group2); - ECPARAMETERS_free(ecparameters); - OPENSSL_free(buf); - return r; -} - -/*- - * random 256-bit explicit parameters curve, cofactor absent - * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit) - * cofactor: 0x12bc94785251297abfafddf1565100da (125 bit) - */ -static const unsigned char params_cf_pass[] = { - 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xe5, 0x00, 0x1f, 0xc5, - 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d, - 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93, - 0x44, 0x88, 0xe6, 0x91, 0x30, 0x44, 0x04, 0x20, 0xe5, 0x00, 0x1f, 0xc5, - 0xca, 0x71, 0x9d, 0x8e, 0xf7, 0x07, 0x4b, 0x48, 0x37, 0xf9, 0x33, 0x2d, - 0x71, 0xbf, 0x79, 0xe7, 0xdc, 0x91, 0xc2, 0xff, 0xb6, 0x7b, 0xc3, 0x93, - 0x44, 0x88, 0xe6, 0x8e, 0x04, 0x20, 0x18, 0x8c, 0x59, 0x57, 0xc4, 0xbc, - 0x85, 0x57, 0xc3, 0x66, 0x9f, 0x89, 0xd5, 0x92, 0x0d, 0x7e, 0x42, 0x27, - 0x07, 0x64, 0xaa, 0x26, 0xed, 0x89, 0xc4, 0x09, 0x05, 0x4d, 0xc7, 0x23, - 0x47, 0xda, 0x04, 0x41, 0x04, 0x1b, 0x6b, 0x41, 0x0b, 0xf9, 0xfb, 0x77, - 0xfd, 0x50, 0xb7, 0x3e, 0x23, 0xa3, 0xec, 0x9a, 0x3b, 0x09, 0x31, 0x6b, - 0xfa, 0xf6, 0xce, 0x1f, 0xff, 0xeb, 0x57, 0x93, 0x24, 0x70, 0xf3, 0xf4, - 
0xba, 0x7e, 0xfa, 0x86, 0x6e, 0x19, 0x89, 0xe3, 0x55, 0x6d, 0x5a, 0xe9, - 0xc0, 0x3d, 0xbc, 0xfb, 0xaf, 0xad, 0xd4, 0x7e, 0xa6, 0xe5, 0xfa, 0x1a, - 0x58, 0x07, 0x9e, 0x8f, 0x0d, 0x3b, 0xf7, 0x38, 0xca, 0x02, 0x11, 0x0c, - 0x38, 0xd9, 0x6a, 0x9f, 0x89, 0x2b, 0x88, 0x77, 0x2e, 0xc2, 0xe3, 0x96, - 0x14, 0xa8, 0x2f, 0x4f -}; - -/*- - * random 256-bit explicit parameters curve, cofactor absent - * order: 0x045a75c0c17228ebd9b169a10e34a22101 (131 bit) - * cofactor: 0x2e134b4ede82649f67a2e559d361e5fe (126 bit) - */ -static const unsigned char params_cf_fail[] = { - 0x30, 0x81, 0xcd, 0x02, 0x01, 0x01, 0x30, 0x2c, 0x06, 0x07, 0x2a, 0x86, - 0x48, 0xce, 0x3d, 0x01, 0x01, 0x02, 0x21, 0x00, 0xc8, 0x95, 0x27, 0x37, - 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b, - 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0, - 0x33, 0xc2, 0xea, 0x13, 0x30, 0x44, 0x04, 0x20, 0xc8, 0x95, 0x27, 0x37, - 0xe8, 0xe1, 0xfd, 0xcc, 0xf9, 0x6e, 0x0c, 0xa6, 0x21, 0xc1, 0x7d, 0x6b, - 0x9d, 0x44, 0x42, 0xea, 0x73, 0x4e, 0x04, 0xb6, 0xac, 0x62, 0x50, 0xd0, - 0x33, 0xc2, 0xea, 0x10, 0x04, 0x20, 0xbf, 0xa6, 0xa8, 0x05, 0x1d, 0x09, - 0xac, 0x70, 0x39, 0xbb, 0x4d, 0xb2, 0x90, 0x8a, 0x15, 0x41, 0x14, 0x1d, - 0x11, 0x86, 0x9f, 0x13, 0xa2, 0x63, 0x1a, 0xda, 0x95, 0x22, 0x4d, 0x02, - 0x15, 0x0a, 0x04, 0x41, 0x04, 0xaf, 0x16, 0x71, 0xf9, 0xc4, 0xc8, 0x59, - 0x1d, 0xa3, 0x6f, 0xe7, 0xc3, 0x57, 0xa1, 0xfa, 0x9f, 0x49, 0x7c, 0x11, - 0x27, 0x05, 0xa0, 0x7f, 0xff, 0xf9, 0xe0, 0xe7, 0x92, 0xdd, 0x9c, 0x24, - 0x8e, 0xc7, 0xb9, 0x52, 0x71, 0x3f, 0xbc, 0x7f, 0x6a, 0x9f, 0x35, 0x70, - 0xe1, 0x27, 0xd5, 0x35, 0x8a, 0x13, 0xfa, 0xa8, 0x33, 0x3e, 0xd4, 0x73, - 0x1c, 0x14, 0x58, 0x9e, 0xc7, 0x0a, 0x87, 0x65, 0x8d, 0x02, 0x11, 0x04, - 0x5a, 0x75, 0xc0, 0xc1, 0x72, 0x28, 0xeb, 0xd9, 0xb1, 0x69, 0xa1, 0x0e, - 0x34, 0xa2, 0x21, 0x01 -}; - -/*- - * Test two random 256-bit explicit parameters curves with absent cofactor. 
- * The two curves are chosen to roughly straddle the bounds at which the lib
- * can compute the cofactor automatically, roughly 4*sqrt(p). So test that:
- *
- * - params_cf_pass: order is sufficiently close to p to compute cofactor
- * - params_cf_fail: order is too far away from p to compute cofactor
- *
- * For standards-compliant curves, cofactor is chosen as small as possible.
- * So you can see neither of these curves are fit for cryptographic use.
- *
- * Some standards even mandate an upper bound on the cofactor, e.g. SECG1 v2:
- * h <= 2**(t/8) where t is the security level of the curve, for which the lib
- * will always succeed in computing the cofactor. Neither of these curves
- * conform to that -- this is just robustness testing.
- */
-static int cofactor_range_test(void)
-{
- EC_GROUP *group = NULL;
- BIGNUM *cf = NULL;
- int ret = 0;
- const unsigned char *b1 = (const unsigned char *)params_cf_fail;
- const unsigned char *b2 = (const unsigned char *)params_cf_pass;
-
- if (!TEST_ptr(group = d2i_ECPKParameters(NULL, &b1, sizeof(params_cf_fail)))
- || !TEST_BN_eq_zero(EC_GROUP_get0_cofactor(group))
- || !TEST_ptr(group = d2i_ECPKParameters(&group, &b2,
- sizeof(params_cf_pass)))
- || !TEST_int_gt(BN_hex2bn(&cf, "12bc94785251297abfafddf1565100da"), 0)
- || !TEST_BN_eq(cf, EC_GROUP_get0_cofactor(group)))
- goto err;
- ret = 1;
- err:
- BN_free(cf);
- EC_GROUP_free(group);
- return ret;
-}
-
-/*-
- * For named curves, test that:
- * - the lib correctly computes the cofactor if passed a NULL or zero cofactor
- * - a nonsensical cofactor throws an error (negative test)
- * - nonsensical orders throw errors (negative tests)
- */
-static int cardinality_test(int n)
-{
- int ret = 0;
- int nid = curves[n].nid;
- BN_CTX *ctx = NULL;
- EC_GROUP *g1 = NULL, *g2 = NULL;
- EC_POINT *g2_gen = NULL;
- BIGNUM *g1_p = NULL, *g1_a = NULL, *g1_b = NULL, *g1_x = NULL, *g1_y = NULL,
- *g1_order = NULL, *g1_cf = NULL, *g2_cf = NULL;
-
- TEST_info("Curve %s cardinality test", OBJ_nid2sn(nid));
-
- if (!TEST_ptr(ctx = BN_CTX_new())
- || !TEST_ptr(g1 = EC_GROUP_new_by_curve_name(nid))
- || !TEST_ptr(g2 = EC_GROUP_new(EC_GROUP_method_of(g1)))) {
- EC_GROUP_free(g1);
- EC_GROUP_free(g2);
- BN_CTX_free(ctx);
- return 0;
- }
-
- BN_CTX_start(ctx);
- g1_p = BN_CTX_get(ctx);
- g1_a = BN_CTX_get(ctx);
- g1_b = BN_CTX_get(ctx);
- g1_x = BN_CTX_get(ctx);
- g1_y = BN_CTX_get(ctx);
- g1_order = BN_CTX_get(ctx);
- g1_cf = BN_CTX_get(ctx);
-
- if (!TEST_ptr(g2_cf = BN_CTX_get(ctx))
- /* pull out the explicit curve parameters */
- || !TEST_true(EC_GROUP_get_curve(g1, g1_p, g1_a, g1_b, ctx))
- || !TEST_true(EC_POINT_get_affine_coordinates(g1,
- EC_GROUP_get0_generator(g1), g1_x, g1_y, ctx))
- || !TEST_true(BN_copy(g1_order, EC_GROUP_get0_order(g1)))
- || !TEST_true(EC_GROUP_get_cofactor(g1, g1_cf, ctx))
- /* construct g2 manually with g1 parameters */
- || !TEST_true(EC_GROUP_set_curve(g2, g1_p, g1_a, g1_b, ctx))
- || !TEST_ptr(g2_gen = EC_POINT_new(g2))
- || !TEST_true(EC_POINT_set_affine_coordinates(g2, g2_gen, g1_x, g1_y, ctx))
- /* pass NULL cofactor: lib should compute it */
- || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
- || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
- || !TEST_BN_eq(g1_cf, g2_cf)
- /* pass zero cofactor: lib should compute it */
- || !TEST_true(BN_set_word(g2_cf, 0))
- || !TEST_true(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
- || !TEST_true(EC_GROUP_get_cofactor(g2, g2_cf, ctx))
- || !TEST_BN_eq(g1_cf, g2_cf)
- /* negative test for invalid cofactor */
- || !TEST_true(BN_set_word(g2_cf, 0))
- || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
- || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, g2_cf))
- /* negative test for NULL order */
- || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, NULL, NULL))
- /* negative test for zero order */
- || !TEST_true(BN_set_word(g1_order, 0))
- || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
- /* negative test for negative order */
- || !TEST_true(BN_set_word(g2_cf, 0))
- || !TEST_true(BN_sub(g2_cf, g2_cf, BN_value_one()))
- || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL))
- /* negative test for too large order */
- || !TEST_true(BN_lshift(g1_order, g1_p, 2))
- || !TEST_false(EC_GROUP_set_generator(g2, g2_gen, g1_order, NULL)))
- goto err;
- ret = 1;
- err:
- EC_POINT_free(g2_gen);
- EC_GROUP_free(g1);
- EC_GROUP_free(g2);
- BN_CTX_end(ctx);
- BN_CTX_free(ctx);
- return ret;
-}
-
-/*
- * Helper for ec_point_hex2point_test
- *
- * Self-tests EC_POINT_point2hex() against EC_POINT_hex2point() for the given
- * (group,P) pair.
- *
- * If P is NULL use point at infinity.
- */
-static ossl_inline
-int ec_point_hex2point_test_helper(const EC_GROUP *group, const EC_POINT *P,
- point_conversion_form_t form,
- BN_CTX *bnctx)
-{
- int ret = 0;
- EC_POINT *Q = NULL, *Pinf = NULL;
- char *hex = NULL;
-
- if (P == NULL) {
- /* If P is NULL use point at infinity. */
- if (!TEST_ptr(Pinf = EC_POINT_new(group))
- || !TEST_true(EC_POINT_set_to_infinity(group, Pinf)))
- goto err;
- P = Pinf;
- }
-
- if (!TEST_ptr(hex = EC_POINT_point2hex(group, P, form, bnctx))
- || !TEST_ptr(Q = EC_POINT_hex2point(group, hex, NULL, bnctx))
- || !TEST_int_eq(0, EC_POINT_cmp(group, Q, P, bnctx)))
- goto err;
-
- /*
- * The next check is most likely superfluous, as EC_POINT_cmp should already
- * cover this.
- * Nonetheless it increases the test coverage for EC_POINT_is_at_infinity,
- * so we include it anyway!
- */
- if (Pinf != NULL
- && !TEST_true(EC_POINT_is_at_infinity(group, Q)))
- goto err;
-
- ret = 1;
-
- err:
- EC_POINT_free(Pinf);
- OPENSSL_free(hex);
- EC_POINT_free(Q);
-
- return ret;
-}
-
-/*
- * This test self-validates EC_POINT_hex2point() and EC_POINT_point2hex()
- */
-static int ec_point_hex2point_test(int id)
-{
- int ret = 0, nid;
- EC_GROUP *group = NULL;
- const EC_POINT *G = NULL;
- EC_POINT *P = NULL;
- BN_CTX * bnctx = NULL;
-
- /* Do some setup */
- nid = curves[id].nid;
- if (!TEST_ptr(bnctx = BN_CTX_new())
- || !TEST_ptr(group = EC_GROUP_new_by_curve_name(nid))
- || !TEST_ptr(G = EC_GROUP_get0_generator(group))
- || !TEST_ptr(P = EC_POINT_dup(G, group)))
- goto err;
-
- if (!TEST_true(ec_point_hex2point_test_helper(group, P,
- POINT_CONVERSION_COMPRESSED,
- bnctx))
- || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
- POINT_CONVERSION_COMPRESSED,
- bnctx))
- || !TEST_true(ec_point_hex2point_test_helper(group, P,
- POINT_CONVERSION_UNCOMPRESSED,
- bnctx))
- || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
- POINT_CONVERSION_UNCOMPRESSED,
- bnctx))
- || !TEST_true(ec_point_hex2point_test_helper(group, P,
- POINT_CONVERSION_HYBRID,
- bnctx))
- || !TEST_true(ec_point_hex2point_test_helper(group, NULL,
- POINT_CONVERSION_HYBRID,
- bnctx)))
- goto err;
-
- ret = 1;
-
- err:
- EC_POINT_free(P);
- EC_GROUP_free(group);
- BN_CTX_free(bnctx);
-
- return ret;
-}
-
-/*
- * check the EC_METHOD respects the supplied EC_GROUP_set_generator G
- */
-static int custom_generator_test(int id)
-{
- int ret = 0, nid, bsize;
- EC_GROUP *group = NULL;
- EC_POINT *G2 = NULL, *Q1 = NULL, *Q2 = NULL;
- BN_CTX *ctx = NULL;
- BIGNUM *k = NULL;
- unsigned char *b1 = NULL, *b2 = NULL;
-
- /* Do some setup */
- nid = curves[id].nid;
- TEST_note("Curve %s", OBJ_nid2sn(nid));
- if (!TEST_ptr(ctx = BN_CTX_new()))
- return 0;
-
- BN_CTX_start(ctx);
-
- if (!TEST_ptr(group = EC_GROUP_new_by_curve_name(nid)))
- goto err;
-
- /* expected byte length of encoded points */
- bsize = (EC_GROUP_get_degree(group) + 7) / 8;
- bsize = 2 * bsize + 1;
-
- if (!TEST_ptr(k = BN_CTX_get(ctx))
- /* fetch a testing scalar k != 0,1 */
- || !TEST_true(BN_rand(k, EC_GROUP_order_bits(group) - 1,
- BN_RAND_TOP_ONE, BN_RAND_BOTTOM_ANY))
- /* make k even */
- || !TEST_true(BN_clear_bit(k, 0))
- || !TEST_ptr(G2 = EC_POINT_new(group))
- || !TEST_ptr(Q1 = EC_POINT_new(group))
- /* Q1 := kG */
- || !TEST_true(EC_POINT_mul(group, Q1, k, NULL, NULL, ctx))
- /* pull out the bytes of that */
- || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
- POINT_CONVERSION_UNCOMPRESSED, NULL,
- 0, ctx), bsize)
- || !TEST_ptr(b1 = OPENSSL_malloc(bsize))
- || !TEST_int_eq(EC_POINT_point2oct(group, Q1,
- POINT_CONVERSION_UNCOMPRESSED, b1,
- bsize, ctx), bsize)
- /* new generator is G2 := 2G */
- || !TEST_true(EC_POINT_dbl(group, G2, EC_GROUP_get0_generator(group),
- ctx))
- || !TEST_true(EC_GROUP_set_generator(group, G2,
- EC_GROUP_get0_order(group),
- EC_GROUP_get0_cofactor(group)))
- || !TEST_ptr(Q2 = EC_POINT_new(group))
- || !TEST_true(BN_rshift1(k, k))
- /* Q2 := k/2 G2 */
- || !TEST_true(EC_POINT_mul(group, Q2, k, NULL, NULL, ctx))
- || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
- POINT_CONVERSION_UNCOMPRESSED, NULL,
- 0, ctx), bsize)
- || !TEST_ptr(b2 = OPENSSL_malloc(bsize))
- || !TEST_int_eq(EC_POINT_point2oct(group, Q2,
- POINT_CONVERSION_UNCOMPRESSED, b2,
- bsize, ctx), bsize)
- /* Q1 = kG = k/2 G2 = Q2 should hold */
- || !TEST_int_eq(CRYPTO_memcmp(b1, b2, bsize), 0))
- goto err;
-
- ret = 1;
-
- err:
- BN_CTX_end(ctx);
- EC_POINT_free(Q1);
- EC_POINT_free(Q2);
- EC_POINT_free(G2);
- EC_GROUP_free(group);
- BN_CTX_free(ctx);
- OPENSSL_free(b1);
- OPENSSL_free(b2);
-
- return ret;
-}
-
-#endif /* OPENSSL_NO_EC */
-
-int setup_tests(void)
-{
-#ifndef OPENSSL_NO_EC
- crv_len = EC_get_builtin_curves(NULL, 0);
- if (!TEST_ptr(curves = OPENSSL_malloc(sizeof(*curves) * crv_len))
- || !TEST_true(EC_get_builtin_curves(curves, crv_len)))
- return 0;
-
- ADD_TEST(parameter_test);
- ADD_TEST(cofactor_range_test);
- ADD_ALL_TESTS(cardinality_test, crv_len);
- ADD_TEST(prime_field_tests);
-# ifndef OPENSSL_NO_EC2M
- ADD_TEST(char2_field_tests);
- ADD_ALL_TESTS(char2_curve_test, OSSL_NELEM(char2_curve_tests));
-# endif
-# ifndef OPENSSL_NO_EC_NISTP_64_GCC_128
- ADD_ALL_TESTS(nistp_single_test, OSSL_NELEM(nistp_tests_params));
- ADD_TEST(underflow_test);
-# endif
- ADD_ALL_TESTS(internal_curve_test, crv_len);
- ADD_ALL_TESTS(internal_curve_test_method, crv_len);
-
- ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len);
- ADD_ALL_TESTS(ec_point_hex2point_test, crv_len);
- ADD_ALL_TESTS(custom_generator_test, crv_len);
-#endif /* OPENSSL_NO_EC */
- return 1;
-}
-
-void cleanup_tests(void)
-{
-#ifndef OPENSSL_NO_EC
- OPENSSL_free(curves);
-#endif
-}
diff --git a/SOURCES/hobble-openssl b/SOURCES/hobble-openssl
deleted file mode 100755
index 9a23ca6..0000000
--- a/SOURCES/hobble-openssl
+++ /dev/null
@@ -1,40 +0,0 @@
-#!/bin/sh
-
-# Quit out if anything fails.
-set -e
-
-# Clean out patent-or-otherwise-encumbered code.
-# MDC-2: 4,908,861 13/03/2007 - expired, we do not remove it but do not enable it anyway
-# IDEA: 5,214,703 07/01/2012 - expired, we do not remove it anymore
-# RC5: 5,724,428 01/11/2015 - expired, we do not remove it anymore
-# EC: ????????? ??/??/2020
-# SRP: ????????? ??/??/2017 - expired, we do not remove it anymore
-
-# Remove assembler portions of IDEA, MDC2, and RC5.
-# (find crypto/rc5/asm -type f | xargs -r rm -fv)
-
-for c in `find crypto/bn -name "*gf2m.c"`; do
- echo Destroying $c
- > $c
-done
-
-for c in `find crypto/ec -name "ec2*.c" -o -name "ec_curve.c"`; do
- echo Destroying $c
- > $c
-done
-
-for c in `find test -name "ectest.c"`; do
- echo Destroying $c
- > $c
-done
-
-for h in `find crypto ssl apps test -name "*.h"` ; do
- echo Removing EC2M references from $h
- cat $h | \
- awk 'BEGIN {ech=1;} \
- /^#[ \t]*ifndef.*NO_EC2M/ {ech--; next;} \
- /^#[ \t]*if/ {if(ech < 1) ech--;} \
- {if(ech>0) {;print $0};} \
- /^#[ \t]*endif/ {if(ech < 1) ech++;}' > $h.hobbled && \
- mv $h.hobbled $h
-done
diff --git a/SOURCES/openssl-1.1.1-addrconfig.patch b/SOURCES/openssl-1.1.1-addrconfig.patch
deleted file mode 100644
index 64c3f6c..0000000
--- a/SOURCES/openssl-1.1.1-addrconfig.patch
+++ /dev/null
@@ -1,31 +0,0 @@
-From a3f4cd5019b60649f6eb216ebe99caa43cd96f8e Mon Sep 17 00:00:00 2001
-From: Daiki Ueno
-Date: Mon, 26 Apr 2021 14:40:17 +0200
-Subject: [PATCH] BIO_lookup_ex: use AI_ADDRCONFIG only if explicit host name
- is given
-
-The flag only affects which record types are queried (A or AAAA, or
-both), and when node is NULL, it prevents getaddrinfo returning the
-right address associated with the loopback interface.
-
-Signed-off-by: Daiki Ueno
----
- crypto/bio/b_addr.c | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/crypto/bio/b_addr.c b/crypto/bio/b_addr.c
-index b023bbda40..ea15601f3d 100644
---- a/crypto/bio/b_addr.c
-+++ b/crypto/bio/b_addr.c
-@@ -689,7 +689,7 @@ int BIO_lookup_ex(const char *host, const char *service, int lookup_type,
- hints.ai_protocol = protocol;
- # ifdef AI_ADDRCONFIG
- # ifdef AF_UNSPEC
-- if (family == AF_UNSPEC)
-+ if (host != NULL && family == AF_UNSPEC)
- # endif
- hints.ai_flags |= AI_ADDRCONFIG;
- # endif
---
-2.30.2
-
diff --git a/SOURCES/openssl-1.1.1-alpn-cb.patch b/SOURCES/openssl-1.1.1-alpn-cb.patch
deleted file mode 100644
index 465f7b8..0000000
--- a/SOURCES/openssl-1.1.1-alpn-cb.patch
+++ /dev/null
@@ -1,27 +0,0 @@
-commit 9e885a707d604e9528b5491b78fb9c00f41193fc
-Author: Tomas Mraz
-Date: Thu Mar 26 15:59:00 2020 +0100
-
- s_server: Properly indicate ALPN protocol mismatch
-
- Return SSL_TLSEXT_ERR_ALERT_FATAL from alpn_select_cb so that
- an alert is sent to the client on ALPN protocol mismatch.
-
- Fixes: #2708
-
- Reviewed-by: Matt Caswell
- (Merged from https://github.com/openssl/openssl/pull/11415)
-
-diff --git a/apps/s_server.c b/apps/s_server.c
-index bcc83e562c..591c6c19c5 100644
---- a/apps/s_server.c
-+++ b/apps/s_server.c
-@@ -707,7 +707,7 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
- if (SSL_select_next_proto
- ((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
- inlen) != OPENSSL_NPN_NEGOTIATED) {
-- return SSL_TLSEXT_ERR_NOACK;
-+ return SSL_TLSEXT_ERR_ALERT_FATAL;
- }
-
- if (!s_quiet) {
diff --git a/SOURCES/openssl-1.1.1-apps-dgst.patch b/SOURCES/openssl-1.1.1-apps-dgst.patch
deleted file mode 100644
index 655b6e2..0000000
--- a/SOURCES/openssl-1.1.1-apps-dgst.patch
+++ /dev/null
@@ -1,12 +0,0 @@
-diff -up openssl-1.1.1b/apps/ca.c.dgst openssl-1.1.1b/apps/ca.c
---- openssl-1.1.1b/apps/ca.c.dgst 2019-02-26 15:15:30.000000000 +0100
-+++ openssl-1.1.1b/apps/ca.c 2019-03-15 15:53:46.622267688 +0100
-@@ -169,7 +169,7 @@ const OPTIONS ca_options[] = {
- {"enddate", OPT_ENDDATE, 's',
- "YYMMDDHHMMSSZ cert notAfter (overrides -days)"},
- {"days", OPT_DAYS, 'p', "Number of days to certify the cert for"},
-- {"md", OPT_MD, 's', "md to use; one of md2, md5, sha or sha1"},
-+ {"md", OPT_MD, 's', "md to use; see openssl help for list"},
- {"policy", OPT_POLICY, 's', "The CA 'policy' to support"},
- {"keyfile", OPT_KEYFILE, 's', "Private key"},
- {"keyform", OPT_KEYFORM, 'f', "Private key file format (PEM or ENGINE)"},
diff --git a/SOURCES/openssl-1.1.1-arm-update.patch b/SOURCES/openssl-1.1.1-arm-update.patch
deleted file mode 100644
index 2b8c549..0000000
--- a/SOURCES/openssl-1.1.1-arm-update.patch
+++ /dev/null
@@ -1,3706 +0,0 @@ -diff -up openssl-1.1.1i/crypto/aes/asm/aesv8-armx.pl.arm-update openssl-1.1.1i/crypto/aes/asm/aesv8-armx.pl ---- openssl-1.1.1i/crypto/aes/asm/aesv8-armx.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 -+++ openssl-1.1.1i/crypto/aes/asm/aesv8-armx.pl 2020-12-09 10:39:50.645705385 +0100 -@@ -27,44 +27,72 @@ - # CBC encrypt case. On Cortex-A57 parallelizable mode performance - # seems to be limited by sheer amount of NEON instructions... - # -+# April 2019 -+# -+# Key to performance of parallelize-able modes is round instruction -+# interleaving. But which factor to use? There is optimal one for -+# each combination of instruction latency and issue rate, beyond -+# which increasing interleave factor doesn't pay off. While on cons -+# side we have code size increase and resource waste on platforms for -+# which interleave factor is too high. In other words you want it to -+# be just right. So far interleave factor of 3x was serving well all -+# platforms. But for ThunderX2 optimal interleave factor was measured -+# to be 5x... 
-+# - # Performance in cycles per byte processed with 128-bit key: - # - # CBC enc CBC dec CTR - # Apple A7 2.39 1.20 1.20 --# Cortex-A53 1.32 1.29 1.46 --# Cortex-A57(*) 1.95 0.85 0.93 --# Denver 1.96 0.86 0.80 --# Mongoose 1.33 1.20 1.20 --# Kryo 1.26 0.94 1.00 -+# Cortex-A53 1.32 1.17/1.29(**) 1.36/1.46 -+# Cortex-A57(*) 1.95 0.82/0.85 0.89/0.93 -+# Cortex-A72 1.33 0.85/0.88 0.92/0.96 -+# Denver 1.96 0.65/0.86 0.76/0.80 -+# Mongoose 1.33 1.23/1.20 1.30/1.20 -+# Kryo 1.26 0.87/0.94 1.00/1.00 -+# ThunderX2 5.95 1.25 1.30 - # - # (*) original 3.64/1.34/1.32 results were for r0p0 revision - # and are still same even for updated module; -+# (**) numbers after slash are for 32-bit code, which is 3x- -+# interleaved; - --$flavour = shift; --$output = shift; -+# $output is the last argument if it looks like a file (it has an extension) -+# $flavour is the first argument if it doesn't look like a file -+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef; -+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? shift : undef; - - $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; - ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or - ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or - die "can't locate arm-xlate.pl"; - --open OUT,"| \"$^X\" $xlate $flavour $output"; -+open OUT,"| \"$^X\" $xlate $flavour \"$output\"" -+ or die "can't call $xlate: $!"; - *STDOUT=*OUT; - - $prefix="aes_v8"; - -+$_byte = ($flavour =~ /win/ ? 
"DCB" : ".byte"); -+ - $code=<<___; - #include "arm_arch.h" - - #if __ARM_MAX_ARCH__>=7 --.text - ___ --$code.=".arch armv8-a+crypto\n" if ($flavour =~ /64/); -+$code.=".arch armv8-a+crypto\n.text\n" if ($flavour =~ /64/); - $code.=<<___ if ($flavour !~ /64/); - .arch armv7-a // don't confuse not-so-latest binutils with argv8 :-) - .fpu neon -+#ifdef __thumb2__ -+.syntax unified -+.thumb -+# define INST(a,b,c,d) $_byte c,d|0xc,a,b -+#else - .code 32 --#undef __thumb2__ -+# define INST(a,b,c,d) $_byte a,b,c,d -+#endif -+ -+.text - ___ - - # Assembler mnemonics are an eclectic mix of 32- and 64-bit syntax, -@@ -361,6 +389,836 @@ ___ - &gen_block("en"); - &gen_block("de"); - }}} -+ -+# Performance in cycles per byte. -+# Processed with AES-ECB different key size. -+# It shows the value before and after optimization as below: -+# (before/after): -+# -+# AES-128-ECB AES-192-ECB AES-256-ECB -+# Cortex-A57 1.85/0.82 2.16/0.96 2.47/1.10 -+# Cortex-A72 1.64/0.85 1.82/0.99 2.13/1.14 -+ -+# Optimization is implemented by loop unrolling and interleaving. -+# Commonly, we choose the unrolling factor as 5, if the input -+# data size smaller than 5 blocks, but not smaller than 3 blocks, -+# choose 3 as the unrolling factor. -+# If the input data size dsize >= 5*16 bytes, then take 5 blocks -+# as one iteration, every loop the left size lsize -= 5*16. -+# If 5*16 > lsize >= 3*16 bytes, take 3 blocks as one iteration, -+# every loop lsize -=3*16. -+# If lsize < 3*16 bytes, treat them as the tail, interleave the -+# two blocks AES instructions. -+# There is one special case, if the original input data size dsize -+# = 16 bytes, we will treat it seperately to improve the -+# performance: one independent code block without LR, FP load and -+# store, just looks like what the original ECB implementation does. 
-+ -+{{{ -+my ($inp,$out,$len,$key)=map("x$_",(0..3)); -+my ($enc,$rounds,$cnt,$key_,$step)=("w4","w5","w6","x7","x8"); -+my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$tmp2,$rndlast)=map("q$_",(0..7)); -+ -+my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1); -+ -+### q7 last round key -+### q10-q15 q7 Last 7 round keys -+### q8-q9 preloaded round keys except last 7 keys for big size -+### q5, q6, q8-q9 preloaded round keys except last 7 keys for only 16 byte -+ -+{ -+my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9)); -+ -+my ($dat3,$in3,$tmp3); # used only in 64-bit mode -+my ($dat4,$in4,$tmp4); -+if ($flavour =~ /64/) { -+ ($dat2,$dat3,$dat4,$in2,$in3,$in4,$tmp3,$tmp4)=map("q$_",(16..23)); -+} -+ -+$code.=<<___; -+.globl ${prefix}_ecb_encrypt -+.type ${prefix}_ecb_encrypt,%function -+.align 5 -+${prefix}_ecb_encrypt: -+___ -+$code.=<<___ if ($flavour =~ /64/); -+ subs $len,$len,#16 -+ // Original input data size bigger than 16, jump to big size processing. -+ b.ne .Lecb_big_size -+ vld1.8 {$dat0},[$inp] -+ cmp $enc,#0 // en- or decrypting? -+ ldr $rounds,[$key,#240] -+ vld1.32 {q5-q6},[$key],#32 // load key schedule... -+ -+ b.eq .Lecb_small_dec -+ aese $dat0,q5 -+ aesmc $dat0,$dat0 -+ vld1.32 {q8-q9},[$key],#32 // load key schedule... -+ aese $dat0,q6 -+ aesmc $dat0,$dat0 -+ subs $rounds,$rounds,#10 // if rounds==10, jump to aes-128-ecb processing -+ b.eq .Lecb_128_enc -+.Lecb_round_loop: -+ aese $dat0,q8 -+ aesmc $dat0,$dat0 -+ vld1.32 {q8},[$key],#16 // load key schedule... -+ aese $dat0,q9 -+ aesmc $dat0,$dat0 -+ vld1.32 {q9},[$key],#16 // load key schedule... -+ subs $rounds,$rounds,#2 // bias -+ b.gt .Lecb_round_loop -+.Lecb_128_enc: -+ vld1.32 {q10-q11},[$key],#32 // load key schedule... -+ aese $dat0,q8 -+ aesmc $dat0,$dat0 -+ aese $dat0,q9 -+ aesmc $dat0,$dat0 -+ vld1.32 {q12-q13},[$key],#32 // load key schedule... -+ aese $dat0,q10 -+ aesmc $dat0,$dat0 -+ aese $dat0,q11 -+ aesmc $dat0,$dat0 -+ vld1.32 {q14-q15},[$key],#32 // load key schedule... 
-+ aese $dat0,q12 -+ aesmc $dat0,$dat0 -+ aese $dat0,q13 -+ aesmc $dat0,$dat0 -+ vld1.32 {$rndlast},[$key] -+ aese $dat0,q14 -+ aesmc $dat0,$dat0 -+ aese $dat0,q15 -+ veor $dat0,$dat0,$rndlast -+ vst1.8 {$dat0},[$out] -+ b .Lecb_Final_abort -+.Lecb_small_dec: -+ aesd $dat0,q5 -+ aesimc $dat0,$dat0 -+ vld1.32 {q8-q9},[$key],#32 // load key schedule... -+ aesd $dat0,q6 -+ aesimc $dat0,$dat0 -+ subs $rounds,$rounds,#10 // bias -+ b.eq .Lecb_128_dec -+.Lecb_dec_round_loop: -+ aesd $dat0,q8 -+ aesimc $dat0,$dat0 -+ vld1.32 {q8},[$key],#16 // load key schedule... -+ aesd $dat0,q9 -+ aesimc $dat0,$dat0 -+ vld1.32 {q9},[$key],#16 // load key schedule... -+ subs $rounds,$rounds,#2 // bias -+ b.gt .Lecb_dec_round_loop -+.Lecb_128_dec: -+ vld1.32 {q10-q11},[$key],#32 // load key schedule... -+ aesd $dat0,q8 -+ aesimc $dat0,$dat0 -+ aesd $dat0,q9 -+ aesimc $dat0,$dat0 -+ vld1.32 {q12-q13},[$key],#32 // load key schedule... -+ aesd $dat0,q10 -+ aesimc $dat0,$dat0 -+ aesd $dat0,q11 -+ aesimc $dat0,$dat0 -+ vld1.32 {q14-q15},[$key],#32 // load key schedule... -+ aesd $dat0,q12 -+ aesimc $dat0,$dat0 -+ aesd $dat0,q13 -+ aesimc $dat0,$dat0 -+ vld1.32 {$rndlast},[$key] -+ aesd $dat0,q14 -+ aesimc $dat0,$dat0 -+ aesd $dat0,q15 -+ veor $dat0,$dat0,$rndlast -+ vst1.8 {$dat0},[$out] -+ b .Lecb_Final_abort -+.Lecb_big_size: -+___ -+$code.=<<___ if ($flavour =~ /64/); -+ stp x29,x30,[sp,#-16]! -+ add x29,sp,#0 -+___ -+$code.=<<___ if ($flavour !~ /64/); -+ mov ip,sp -+ stmdb sp!,{r4-r8,lr} -+ vstmdb sp!,{d8-d15} @ ABI specification says so -+ ldmia ip,{r4-r5} @ load remaining args -+ subs $len,$len,#16 -+___ -+$code.=<<___; -+ mov $step,#16 -+ b.lo .Lecb_done -+ cclr $step,eq -+ -+ cmp $enc,#0 // en- or decrypting? -+ ldr $rounds,[$key,#240] -+ and $len,$len,#-16 -+ vld1.8 {$dat},[$inp],$step -+ -+ vld1.32 {q8-q9},[$key] // load key schedule... 
-+ sub $rounds,$rounds,#6
-+ add $key_,$key,x5,lsl#4 // pointer to last 7 round keys
-+ sub $rounds,$rounds,#2
-+ vld1.32 {q10-q11},[$key_],#32
-+ vld1.32 {q12-q13},[$key_],#32
-+ vld1.32 {q14-q15},[$key_],#32
-+ vld1.32 {$rndlast},[$key_]
-+
-+ add $key_,$key,#32
-+ mov $cnt,$rounds
-+ b.eq .Lecb_dec
-+
-+ vld1.8 {$dat1},[$inp],#16
-+ subs $len,$len,#32 // bias
-+ add $cnt,$rounds,#2
-+ vorr $in1,$dat1,$dat1
-+ vorr $dat2,$dat1,$dat1
-+ vorr $dat1,$dat,$dat
-+ b.lo .Lecb_enc_tail
-+
-+ vorr $dat1,$in1,$in1
-+ vld1.8 {$dat2},[$inp],#16
-+___
-+$code.=<<___ if ($flavour =~ /64/);
-+ cmp $len,#32
-+ b.lo .Loop3x_ecb_enc
-+
-+ vld1.8 {$dat3},[$inp],#16
-+ vld1.8 {$dat4},[$inp],#16
-+ sub $len,$len,#32 // bias
-+ mov $cnt,$rounds
-+
-+.Loop5x_ecb_enc:
-+ aese $dat0,q8
-+ aesmc $dat0,$dat0
-+ aese $dat1,q8
-+ aesmc $dat1,$dat1
-+ aese $dat2,q8
-+ aesmc $dat2,$dat2
-+ aese $dat3,q8
-+ aesmc $dat3,$dat3
-+ aese $dat4,q8
-+ aesmc $dat4,$dat4
-+ vld1.32 {q8},[$key_],#16
-+ subs $cnt,$cnt,#2
-+ aese $dat0,q9
-+ aesmc $dat0,$dat0
-+ aese $dat1,q9
-+ aesmc $dat1,$dat1
-+ aese $dat2,q9
-+ aesmc $dat2,$dat2
-+ aese $dat3,q9
-+ aesmc $dat3,$dat3
-+ aese $dat4,q9
-+ aesmc $dat4,$dat4
-+ vld1.32 {q9},[$key_],#16
-+ b.gt .Loop5x_ecb_enc
-+
-+ aese $dat0,q8
-+ aesmc $dat0,$dat0
-+ aese $dat1,q8
-+ aesmc $dat1,$dat1
-+ aese $dat2,q8
-+ aesmc $dat2,$dat2
-+ aese $dat3,q8
-+ aesmc $dat3,$dat3
-+ aese $dat4,q8
-+ aesmc $dat4,$dat4
-+ cmp $len,#0x40 // because .Lecb_enc_tail4x
-+ sub $len,$len,#0x50
-+
-+ aese $dat0,q9
-+ aesmc $dat0,$dat0
-+ aese $dat1,q9
-+ aesmc $dat1,$dat1
-+ aese $dat2,q9
-+ aesmc $dat2,$dat2
-+ aese $dat3,q9
-+ aesmc $dat3,$dat3
-+ aese $dat4,q9
-+ aesmc $dat4,$dat4
-+ csel x6,xzr,$len,gt // borrow x6, $cnt, "gt" is not typo
-+ mov $key_,$key
-+
-+ aese $dat0,q10
-+ aesmc $dat0,$dat0
-+ aese $dat1,q10
-+ aesmc $dat1,$dat1
-+ aese $dat2,q10
-+ aesmc $dat2,$dat2
-+ aese $dat3,q10
-+ aesmc $dat3,$dat3
-+ aese $dat4,q10
-+ aesmc $dat4,$dat4
-+ add $inp,$inp,x6 // $inp 
is adjusted in such way that
-+ // at exit from the loop $dat1-$dat4
-+ // are loaded with last "words"
-+ add x6,$len,#0x60 // because .Lecb_enc_tail4x
-+
-+ aese $dat0,q11
-+ aesmc $dat0,$dat0
-+ aese $dat1,q11
-+ aesmc $dat1,$dat1
-+ aese $dat2,q11
-+ aesmc $dat2,$dat2
-+ aese $dat3,q11
-+ aesmc $dat3,$dat3
-+ aese $dat4,q11
-+ aesmc $dat4,$dat4
-+
-+ aese $dat0,q12
-+ aesmc $dat0,$dat0
-+ aese $dat1,q12
-+ aesmc $dat1,$dat1
-+ aese $dat2,q12
-+ aesmc $dat2,$dat2
-+ aese $dat3,q12
-+ aesmc $dat3,$dat3
-+ aese $dat4,q12
-+ aesmc $dat4,$dat4
-+
-+ aese $dat0,q13
-+ aesmc $dat0,$dat0
-+ aese $dat1,q13
-+ aesmc $dat1,$dat1
-+ aese $dat2,q13
-+ aesmc $dat2,$dat2
-+ aese $dat3,q13
-+ aesmc $dat3,$dat3
-+ aese $dat4,q13
-+ aesmc $dat4,$dat4
-+
-+ aese $dat0,q14
-+ aesmc $dat0,$dat0
-+ aese $dat1,q14
-+ aesmc $dat1,$dat1
-+ aese $dat2,q14
-+ aesmc $dat2,$dat2
-+ aese $dat3,q14
-+ aesmc $dat3,$dat3
-+ aese $dat4,q14
-+ aesmc $dat4,$dat4
-+
-+ aese $dat0,q15
-+ vld1.8 {$in0},[$inp],#16
-+ aese $dat1,q15
-+ vld1.8 {$in1},[$inp],#16
-+ aese $dat2,q15
-+ vld1.8 {$in2},[$inp],#16
-+ aese $dat3,q15
-+ vld1.8 {$in3},[$inp],#16
-+ aese $dat4,q15
-+ vld1.8 {$in4},[$inp],#16
-+ cbz x6,.Lecb_enc_tail4x
-+ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
-+ veor $tmp0,$rndlast,$dat0
-+ vorr $dat0,$in0,$in0
-+ veor $tmp1,$rndlast,$dat1
-+ vorr $dat1,$in1,$in1
-+ veor $tmp2,$rndlast,$dat2
-+ vorr $dat2,$in2,$in2
-+ veor $tmp3,$rndlast,$dat3
-+ vorr $dat3,$in3,$in3
-+ veor $tmp4,$rndlast,$dat4
-+ vst1.8 {$tmp0},[$out],#16
-+ vorr $dat4,$in4,$in4
-+ vst1.8 {$tmp1},[$out],#16
-+ mov $cnt,$rounds
-+ vst1.8 {$tmp2},[$out],#16
-+ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
-+ vst1.8 {$tmp3},[$out],#16
-+ vst1.8 {$tmp4},[$out],#16
-+ b.hs .Loop5x_ecb_enc
-+
-+ add $len,$len,#0x50
-+ cbz $len,.Lecb_done
-+
-+ add $cnt,$rounds,#2
-+ subs $len,$len,#0x30
-+ vorr $dat0,$in2,$in2
-+ vorr $dat1,$in3,$in3
-+ vorr $dat2,$in4,$in4
-+ b.lo .Lecb_enc_tail
-+
-+ b .Loop3x_ecb_enc
-+
-+.align 4
-+.Lecb_enc_tail4x:
-+ veor $tmp1,$rndlast,$dat1
-+ veor $tmp2,$rndlast,$dat2
-+ veor $tmp3,$rndlast,$dat3
-+ veor $tmp4,$rndlast,$dat4
-+ vst1.8 {$tmp1},[$out],#16
-+ vst1.8 {$tmp2},[$out],#16
-+ vst1.8 {$tmp3},[$out],#16
-+ vst1.8 {$tmp4},[$out],#16
-+
-+ b .Lecb_done
-+.align 4
-+___
-+$code.=<<___;
-+.Loop3x_ecb_enc:
-+ aese $dat0,q8
-+ aesmc $dat0,$dat0
-+ aese $dat1,q8
-+ aesmc $dat1,$dat1
-+ aese $dat2,q8
-+ aesmc $dat2,$dat2
-+ vld1.32 {q8},[$key_],#16
-+ subs $cnt,$cnt,#2
-+ aese $dat0,q9
-+ aesmc $dat0,$dat0
-+ aese $dat1,q9
-+ aesmc $dat1,$dat1
-+ aese $dat2,q9
-+ aesmc $dat2,$dat2
-+ vld1.32 {q9},[$key_],#16
-+ b.gt .Loop3x_ecb_enc
-+
-+ aese $dat0,q8
-+ aesmc $dat0,$dat0
-+ aese $dat1,q8
-+ aesmc $dat1,$dat1
-+ aese $dat2,q8
-+ aesmc $dat2,$dat2
-+ subs $len,$len,#0x30
-+ mov.lo x6,$len // x6, $cnt, is zero at this point
-+ aese $dat0,q9
-+ aesmc $dat0,$dat0
-+ aese $dat1,q9
-+ aesmc $dat1,$dat1
-+ aese $dat2,q9
-+ aesmc $dat2,$dat2
-+ add $inp,$inp,x6 // $inp is adjusted in such way that
-+ // at exit from the loop $dat1-$dat2
-+ // are loaded with last "words"
-+ mov $key_,$key
-+ aese $dat0,q12
-+ aesmc $dat0,$dat0
-+ aese $dat1,q12
-+ aesmc $dat1,$dat1
-+ aese $dat2,q12
-+ aesmc $dat2,$dat2
-+ vld1.8 {$in0},[$inp],#16
-+ aese $dat0,q13
-+ aesmc $dat0,$dat0
-+ aese $dat1,q13
-+ aesmc $dat1,$dat1
-+ aese $dat2,q13
-+ aesmc $dat2,$dat2
-+ vld1.8 {$in1},[$inp],#16
-+ aese $dat0,q14
-+ aesmc $dat0,$dat0
-+ aese $dat1,q14
-+ aesmc $dat1,$dat1
-+ aese $dat2,q14
-+ aesmc $dat2,$dat2
-+ vld1.8 {$in2},[$inp],#16
-+ aese $dat0,q15
-+ aese $dat1,q15
-+ aese $dat2,q15
-+ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
-+ add $cnt,$rounds,#2
-+ veor $tmp0,$rndlast,$dat0
-+ veor $tmp1,$rndlast,$dat1
-+ veor $dat2,$dat2,$rndlast
-+ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
-+ vst1.8 {$tmp0},[$out],#16
-+ vorr $dat0,$in0,$in0
-+ vst1.8 {$tmp1},[$out],#16
-+ vorr $dat1,$in1,$in1
-+ vst1.8 {$dat2},[$out],#16
-+ vorr $dat2,$in2,$in2
-+ b.hs .Loop3x_ecb_enc
-+
-+ cmn $len,#0x30
-+ b.eq .Lecb_done
-+ nop
-+
-+.Lecb_enc_tail:
-+ aese $dat1,q8
-+ aesmc $dat1,$dat1
-+ aese $dat2,q8
-+ aesmc $dat2,$dat2
-+ vld1.32 {q8},[$key_],#16
-+ subs $cnt,$cnt,#2
-+ aese $dat1,q9
-+ aesmc $dat1,$dat1
-+ aese $dat2,q9
-+ aesmc $dat2,$dat2
-+ vld1.32 {q9},[$key_],#16
-+ b.gt .Lecb_enc_tail
-+
-+ aese $dat1,q8
-+ aesmc $dat1,$dat1
-+ aese $dat2,q8
-+ aesmc $dat2,$dat2
-+ aese $dat1,q9
-+ aesmc $dat1,$dat1
-+ aese $dat2,q9
-+ aesmc $dat2,$dat2
-+ aese $dat1,q12
-+ aesmc $dat1,$dat1
-+ aese $dat2,q12
-+ aesmc $dat2,$dat2
-+ cmn $len,#0x20
-+ aese $dat1,q13
-+ aesmc $dat1,$dat1
-+ aese $dat2,q13
-+ aesmc $dat2,$dat2
-+ aese $dat1,q14
-+ aesmc $dat1,$dat1
-+ aese $dat2,q14
-+ aesmc $dat2,$dat2
-+ aese $dat1,q15
-+ aese $dat2,q15
-+ b.eq .Lecb_enc_one
-+ veor $tmp1,$rndlast,$dat1
-+ veor $tmp2,$rndlast,$dat2
-+ vst1.8 {$tmp1},[$out],#16
-+ vst1.8 {$tmp2},[$out],#16
-+ b .Lecb_done
-+
-+.Lecb_enc_one:
-+ veor $tmp1,$rndlast,$dat2
-+ vst1.8 {$tmp1},[$out],#16
-+ b .Lecb_done
-+___
-+
-+$code.=<<___;
-+.align 5
-+.Lecb_dec:
-+ vld1.8 {$dat1},[$inp],#16
-+ subs $len,$len,#32 // bias
-+ add $cnt,$rounds,#2
-+ vorr $in1,$dat1,$dat1
-+ vorr $dat2,$dat1,$dat1
-+ vorr $dat1,$dat,$dat
-+ b.lo .Lecb_dec_tail
-+
-+ vorr $dat1,$in1,$in1
-+ vld1.8 {$dat2},[$inp],#16
-+___
-+$code.=<<___ if ($flavour =~ /64/);
-+ cmp $len,#32
-+ b.lo .Loop3x_ecb_dec
-+
-+ vld1.8 {$dat3},[$inp],#16
-+ vld1.8 {$dat4},[$inp],#16
-+ sub $len,$len,#32 // bias
-+ mov $cnt,$rounds
-+
-+.Loop5x_ecb_dec:
-+ aesd $dat0,q8
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q8
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q8
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q8
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q8
-+ aesimc $dat4,$dat4
-+ vld1.32 {q8},[$key_],#16
-+ subs $cnt,$cnt,#2
-+ aesd $dat0,q9
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q9
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q9
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q9
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q9
-+ aesimc $dat4,$dat4
-+ vld1.32 {q9},[$key_],#16
-+ b.gt 
.Loop5x_ecb_dec
-+
-+ aesd $dat0,q8
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q8
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q8
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q8
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q8
-+ aesimc $dat4,$dat4
-+ cmp $len,#0x40 // because .Lecb_tail4x
-+ sub $len,$len,#0x50
-+
-+ aesd $dat0,q9
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q9
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q9
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q9
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q9
-+ aesimc $dat4,$dat4
-+ csel x6,xzr,$len,gt // borrow x6, $cnt, "gt" is not typo
-+ mov $key_,$key
-+
-+ aesd $dat0,q10
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q10
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q10
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q10
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q10
-+ aesimc $dat4,$dat4
-+ add $inp,$inp,x6 // $inp is adjusted in such way that
-+ // at exit from the loop $dat1-$dat4
-+ // are loaded with last "words"
-+ add x6,$len,#0x60 // because .Lecb_tail4x
-+
-+ aesd $dat0,q11
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q11
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q11
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q11
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q11
-+ aesimc $dat4,$dat4
-+
-+ aesd $dat0,q12
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q12
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q12
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q12
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q12
-+ aesimc $dat4,$dat4
-+
-+ aesd $dat0,q13
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q13
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q13
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q13
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q13
-+ aesimc $dat4,$dat4
-+
-+ aesd $dat0,q14
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q14
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q14
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q14
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q14
-+ aesimc $dat4,$dat4
-+
-+ aesd $dat0,q15
-+ vld1.8 {$in0},[$inp],#16
-+ aesd $dat1,q15
-+ vld1.8 {$in1},[$inp],#16
-+ aesd $dat2,q15
-+ vld1.8 {$in2},[$inp],#16
-+ aesd $dat3,q15
-+ vld1.8 {$in3},[$inp],#16
-+ aesd $dat4,q15
-+ vld1.8 {$in4},[$inp],#16
-+ cbz 
x6,.Lecb_tail4x
-+ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
-+ veor $tmp0,$rndlast,$dat0
-+ vorr $dat0,$in0,$in0
-+ veor $tmp1,$rndlast,$dat1
-+ vorr $dat1,$in1,$in1
-+ veor $tmp2,$rndlast,$dat2
-+ vorr $dat2,$in2,$in2
-+ veor $tmp3,$rndlast,$dat3
-+ vorr $dat3,$in3,$in3
-+ veor $tmp4,$rndlast,$dat4
-+ vst1.8 {$tmp0},[$out],#16
-+ vorr $dat4,$in4,$in4
-+ vst1.8 {$tmp1},[$out],#16
-+ mov $cnt,$rounds
-+ vst1.8 {$tmp2},[$out],#16
-+ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
-+ vst1.8 {$tmp3},[$out],#16
-+ vst1.8 {$tmp4},[$out],#16
-+ b.hs .Loop5x_ecb_dec
-+
-+ add $len,$len,#0x50
-+ cbz $len,.Lecb_done
-+
-+ add $cnt,$rounds,#2
-+ subs $len,$len,#0x30
-+ vorr $dat0,$in2,$in2
-+ vorr $dat1,$in3,$in3
-+ vorr $dat2,$in4,$in4
-+ b.lo .Lecb_dec_tail
-+
-+ b .Loop3x_ecb_dec
-+
-+.align 4
-+.Lecb_tail4x:
-+ veor $tmp1,$rndlast,$dat1
-+ veor $tmp2,$rndlast,$dat2
-+ veor $tmp3,$rndlast,$dat3
-+ veor $tmp4,$rndlast,$dat4
-+ vst1.8 {$tmp1},[$out],#16
-+ vst1.8 {$tmp2},[$out],#16
-+ vst1.8 {$tmp3},[$out],#16
-+ vst1.8 {$tmp4},[$out],#16
-+
-+ b .Lecb_done
-+.align 4
-+___
-+$code.=<<___;
-+.Loop3x_ecb_dec:
-+ aesd $dat0,q8
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q8
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q8
-+ aesimc $dat2,$dat2
-+ vld1.32 {q8},[$key_],#16
-+ subs $cnt,$cnt,#2
-+ aesd $dat0,q9
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q9
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q9
-+ aesimc $dat2,$dat2
-+ vld1.32 {q9},[$key_],#16
-+ b.gt .Loop3x_ecb_dec
-+
-+ aesd $dat0,q8
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q8
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q8
-+ aesimc $dat2,$dat2
-+ subs $len,$len,#0x30
-+ mov.lo x6,$len // x6, $cnt, is zero at this point
-+ aesd $dat0,q9
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q9
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q9
-+ aesimc $dat2,$dat2
-+ add $inp,$inp,x6 // $inp is adjusted in such way that
-+ // at exit from the loop $dat1-$dat2
-+ // are loaded with last "words"
-+ mov $key_,$key
-+ aesd $dat0,q12
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q12
-+ aesimc 
$dat1,$dat1
-+ aesd $dat2,q12
-+ aesimc $dat2,$dat2
-+ vld1.8 {$in0},[$inp],#16
-+ aesd $dat0,q13
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q13
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q13
-+ aesimc $dat2,$dat2
-+ vld1.8 {$in1},[$inp],#16
-+ aesd $dat0,q14
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q14
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q14
-+ aesimc $dat2,$dat2
-+ vld1.8 {$in2},[$inp],#16
-+ aesd $dat0,q15
-+ aesd $dat1,q15
-+ aesd $dat2,q15
-+ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
-+ add $cnt,$rounds,#2
-+ veor $tmp0,$rndlast,$dat0
-+ veor $tmp1,$rndlast,$dat1
-+ veor $dat2,$dat2,$rndlast
-+ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
-+ vst1.8 {$tmp0},[$out],#16
-+ vorr $dat0,$in0,$in0
-+ vst1.8 {$tmp1},[$out],#16
-+ vorr $dat1,$in1,$in1
-+ vst1.8 {$dat2},[$out],#16
-+ vorr $dat2,$in2,$in2
-+ b.hs .Loop3x_ecb_dec
-+
-+ cmn $len,#0x30
-+ b.eq .Lecb_done
-+ nop
-+
-+.Lecb_dec_tail:
-+ aesd $dat1,q8
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q8
-+ aesimc $dat2,$dat2
-+ vld1.32 {q8},[$key_],#16
-+ subs $cnt,$cnt,#2
-+ aesd $dat1,q9
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q9
-+ aesimc $dat2,$dat2
-+ vld1.32 {q9},[$key_],#16
-+ b.gt .Lecb_dec_tail
-+
-+ aesd $dat1,q8
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q8
-+ aesimc $dat2,$dat2
-+ aesd $dat1,q9
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q9
-+ aesimc $dat2,$dat2
-+ aesd $dat1,q12
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q12
-+ aesimc $dat2,$dat2
-+ cmn $len,#0x20
-+ aesd $dat1,q13
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q13
-+ aesimc $dat2,$dat2
-+ aesd $dat1,q14
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q14
-+ aesimc $dat2,$dat2
-+ aesd $dat1,q15
-+ aesd $dat2,q15
-+ b.eq .Lecb_dec_one
-+ veor $tmp1,$rndlast,$dat1
-+ veor $tmp2,$rndlast,$dat2
-+ vst1.8 {$tmp1},[$out],#16
-+ vst1.8 {$tmp2},[$out],#16
-+ b .Lecb_done
-+
-+.Lecb_dec_one:
-+ veor $tmp1,$rndlast,$dat2
-+ vst1.8 {$tmp1},[$out],#16
-+
-+.Lecb_done:
-+___
-+}
-+$code.=<<___ if ($flavour !~ /64/);
-+ vldmia sp!,{d8-d15}
-+ ldmia sp!,{r4-r8,pc}
-+___
-+$code.=<<___ if ($flavour =~ /64/);
-+ 
ldr x29,[sp],#16
-+___
-+$code.=<<___ if ($flavour =~ /64/);
-+.Lecb_Final_abort:
-+ ret
-+___
-+$code.=<<___;
-+.size ${prefix}_ecb_encrypt,.-${prefix}_ecb_encrypt
-+___
-+}}}
- {{{
- my ($inp,$out,$len,$key,$ivp)=map("x$_",(0..4)); my $enc="w5";
- my ($rounds,$cnt,$key_,$step,$step1)=($enc,"w6","x7","x8","x12");
-@@ -519,6 +1377,13 @@ $code.=<<___;
- ___
- {
- my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
-+
-+my ($dat3,$in3,$tmp3); # used only in 64-bit mode
-+my ($dat4,$in4,$tmp4);
-+if ($flavour =~ /64/) {
-+ ($dat2,$dat3,$dat4,$in2,$in3,$in4,$tmp3,$tmp4)=map("q$_",(16..23));
-+}
-+
- $code.=<<___;
- .align 5
- .Lcbc_dec:
-@@ -535,7 +1400,196 @@ $code.=<<___;
- vorr $in0,$dat,$dat
- vorr $in1,$dat1,$dat1
- vorr $in2,$dat2,$dat2
-+___
-+$code.=<<___ if ($flavour =~ /64/);
-+ cmp $len,#32
-+ b.lo .Loop3x_cbc_dec
-+
-+ vld1.8 {$dat3},[$inp],#16
-+ vld1.8 {$dat4},[$inp],#16
-+ sub $len,$len,#32 // bias
-+ mov $cnt,$rounds
-+ vorr $in3,$dat3,$dat3
-+ vorr $in4,$dat4,$dat4
-+
-+.Loop5x_cbc_dec:
-+ aesd $dat0,q8
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q8
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q8
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q8
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q8
-+ aesimc $dat4,$dat4
-+ vld1.32 {q8},[$key_],#16
-+ subs $cnt,$cnt,#2
-+ aesd $dat0,q9
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q9
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q9
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q9
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q9
-+ aesimc $dat4,$dat4
-+ vld1.32 {q9},[$key_],#16
-+ b.gt .Loop5x_cbc_dec
-+
-+ aesd $dat0,q8
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q8
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q8
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q8
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q8
-+ aesimc $dat4,$dat4
-+ cmp $len,#0x40 // because .Lcbc_tail4x
-+ sub $len,$len,#0x50
-+
-+ aesd $dat0,q9
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q9
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q9
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q9
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q9
-+ aesimc $dat4,$dat4
-+ csel x6,xzr,$len,gt // borrow x6, 
$cnt, "gt" is not typo
-+ mov $key_,$key
-+
-+ aesd $dat0,q10
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q10
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q10
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q10
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q10
-+ aesimc $dat4,$dat4
-+ add $inp,$inp,x6 // $inp is adjusted in such way that
-+ // at exit from the loop $dat1-$dat4
-+ // are loaded with last "words"
-+ add x6,$len,#0x60 // because .Lcbc_tail4x
-+
-+ aesd $dat0,q11
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q11
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q11
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q11
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q11
-+ aesimc $dat4,$dat4
-+
-+ aesd $dat0,q12
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q12
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q12
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q12
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q12
-+ aesimc $dat4,$dat4
-+
-+ aesd $dat0,q13
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q13
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q13
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q13
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q13
-+ aesimc $dat4,$dat4
-+
-+ aesd $dat0,q14
-+ aesimc $dat0,$dat0
-+ aesd $dat1,q14
-+ aesimc $dat1,$dat1
-+ aesd $dat2,q14
-+ aesimc $dat2,$dat2
-+ aesd $dat3,q14
-+ aesimc $dat3,$dat3
-+ aesd $dat4,q14
-+ aesimc $dat4,$dat4
- 
-+ veor $tmp0,$ivec,$rndlast
-+ aesd $dat0,q15
-+ veor $tmp1,$in0,$rndlast
-+ vld1.8 {$in0},[$inp],#16
-+ aesd $dat1,q15
-+ veor $tmp2,$in1,$rndlast
-+ vld1.8 {$in1},[$inp],#16
-+ aesd $dat2,q15
-+ veor $tmp3,$in2,$rndlast
-+ vld1.8 {$in2},[$inp],#16
-+ aesd $dat3,q15
-+ veor $tmp4,$in3,$rndlast
-+ vld1.8 {$in3},[$inp],#16
-+ aesd $dat4,q15
-+ vorr $ivec,$in4,$in4
-+ vld1.8 {$in4},[$inp],#16
-+ cbz x6,.Lcbc_tail4x
-+ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
-+ veor $tmp0,$tmp0,$dat0
-+ vorr $dat0,$in0,$in0
-+ veor $tmp1,$tmp1,$dat1
-+ vorr $dat1,$in1,$in1
-+ veor $tmp2,$tmp2,$dat2
-+ vorr $dat2,$in2,$in2
-+ veor $tmp3,$tmp3,$dat3
-+ vorr $dat3,$in3,$in3
-+ veor $tmp4,$tmp4,$dat4
-+ vst1.8 {$tmp0},[$out],#16
-+ vorr $dat4,$in4,$in4
-+ vst1.8 
{$tmp1},[$out],#16
-+ mov $cnt,$rounds
-+ vst1.8 {$tmp2},[$out],#16
-+ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
-+ vst1.8 {$tmp3},[$out],#16
-+ vst1.8 {$tmp4},[$out],#16
-+ b.hs .Loop5x_cbc_dec
-+
-+ add $len,$len,#0x50
-+ cbz $len,.Lcbc_done
-+
-+ add $cnt,$rounds,#2
-+ subs $len,$len,#0x30
-+ vorr $dat0,$in2,$in2
-+ vorr $in0,$in2,$in2
-+ vorr $dat1,$in3,$in3
-+ vorr $in1,$in3,$in3
-+ vorr $dat2,$in4,$in4
-+ vorr $in2,$in4,$in4
-+ b.lo .Lcbc_dec_tail
-+
-+ b .Loop3x_cbc_dec
-+
-+.align 4
-+.Lcbc_tail4x:
-+ veor $tmp1,$tmp0,$dat1
-+ veor $tmp2,$tmp2,$dat2
-+ veor $tmp3,$tmp3,$dat3
-+ veor $tmp4,$tmp4,$dat4
-+ vst1.8 {$tmp1},[$out],#16
-+ vst1.8 {$tmp2},[$out],#16
-+ vst1.8 {$tmp3},[$out],#16
-+ vst1.8 {$tmp4},[$out],#16
-+
-+ b .Lcbc_done
-+.align 4
-+___
-+$code.=<<___;
- .Loop3x_cbc_dec:
- aesd $dat0,q8
- aesimc $dat0,$dat0
-@@ -696,6 +1750,9 @@ my $step="x12"; # aliases with $tctr2
- my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$ivec,$rndlast)=map("q$_",(0..7));
- my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
- 
-+# used only in 64-bit mode... 
-+my ($dat3,$dat4,$in3,$in4)=map("q$_",(16..23));
-+
- my ($dat,$tmp)=($dat0,$tmp0);
- 
- ### q8-q15 preloaded key schedule
-@@ -751,6 +1808,175 @@ $code.=<<___;
- vmov.32 ${ivec}[3],$tctr2
- sub $len,$len,#3 // bias
- vorr $dat2,$ivec,$ivec
-+___
-+$code.=<<___ if ($flavour =~ /64/);
-+ cmp $len,#2
-+ b.lo .Loop3x_ctr32
-+
-+ add w13,$ctr,#1
-+ add w14,$ctr,#2
-+ vorr $dat3,$dat0,$dat0
-+ rev w13,w13
-+ vorr $dat4,$dat0,$dat0
-+ rev w14,w14
-+ vmov.32 ${dat3}[3],w13
-+ sub $len,$len,#2 // bias
-+ vmov.32 ${dat4}[3],w14
-+ add $ctr,$ctr,#2
-+ b .Loop5x_ctr32
-+
-+.align 4
-+.Loop5x_ctr32:
-+ aese $dat0,q8
-+ aesmc $dat0,$dat0
-+ aese $dat1,q8
-+ aesmc $dat1,$dat1
-+ aese $dat2,q8
-+ aesmc $dat2,$dat2
-+ aese $dat3,q8
-+ aesmc $dat3,$dat3
-+ aese $dat4,q8
-+ aesmc $dat4,$dat4
-+ vld1.32 {q8},[$key_],#16
-+ subs $cnt,$cnt,#2
-+ aese $dat0,q9
-+ aesmc $dat0,$dat0
-+ aese $dat1,q9
-+ aesmc $dat1,$dat1
-+ aese $dat2,q9
-+ aesmc $dat2,$dat2
-+ aese $dat3,q9
-+ aesmc $dat3,$dat3
-+ aese $dat4,q9
-+ aesmc $dat4,$dat4
-+ vld1.32 {q9},[$key_],#16
-+ b.gt .Loop5x_ctr32
-+
-+ mov $key_,$key
-+ aese $dat0,q8
-+ aesmc $dat0,$dat0
-+ aese $dat1,q8
-+ aesmc $dat1,$dat1
-+ aese $dat2,q8
-+ aesmc $dat2,$dat2
-+ aese $dat3,q8
-+ aesmc $dat3,$dat3
-+ aese $dat4,q8
-+ aesmc $dat4,$dat4
-+ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0]
-+
-+ aese $dat0,q9
-+ aesmc $dat0,$dat0
-+ aese $dat1,q9
-+ aesmc $dat1,$dat1
-+ aese $dat2,q9
-+ aesmc $dat2,$dat2
-+ aese $dat3,q9
-+ aesmc $dat3,$dat3
-+ aese $dat4,q9
-+ aesmc $dat4,$dat4
-+ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1]
-+
-+ aese $dat0,q12
-+ aesmc $dat0,$dat0
-+ add $tctr0,$ctr,#1
-+ add $tctr1,$ctr,#2
-+ aese $dat1,q12
-+ aesmc $dat1,$dat1
-+ add $tctr2,$ctr,#3
-+ add w13,$ctr,#4
-+ aese $dat2,q12
-+ aesmc $dat2,$dat2
-+ add w14,$ctr,#5
-+ rev $tctr0,$tctr0
-+ aese $dat3,q12
-+ aesmc $dat3,$dat3
-+ rev $tctr1,$tctr1
-+ rev $tctr2,$tctr2
-+ aese $dat4,q12
-+ aesmc $dat4,$dat4
-+ rev w13,w13
-+ rev w14,w14
-+
-+ aese $dat0,q13 
-+ aesmc $dat0,$dat0
-+ aese $dat1,q13
-+ aesmc $dat1,$dat1
-+ aese $dat2,q13
-+ aesmc $dat2,$dat2
-+ aese $dat3,q13
-+ aesmc $dat3,$dat3
-+ aese $dat4,q13
-+ aesmc $dat4,$dat4
-+
-+ aese $dat0,q14
-+ aesmc $dat0,$dat0
-+ vld1.8 {$in0},[$inp],#16
-+ aese $dat1,q14
-+ aesmc $dat1,$dat1
-+ vld1.8 {$in1},[$inp],#16
-+ aese $dat2,q14
-+ aesmc $dat2,$dat2
-+ vld1.8 {$in2},[$inp],#16
-+ aese $dat3,q14
-+ aesmc $dat3,$dat3
-+ vld1.8 {$in3},[$inp],#16
-+ aese $dat4,q14
-+ aesmc $dat4,$dat4
-+ vld1.8 {$in4},[$inp],#16
-+
-+ aese $dat0,q15
-+ veor $in0,$in0,$rndlast
-+ aese $dat1,q15
-+ veor $in1,$in1,$rndlast
-+ aese $dat2,q15
-+ veor $in2,$in2,$rndlast
-+ aese $dat3,q15
-+ veor $in3,$in3,$rndlast
-+ aese $dat4,q15
-+ veor $in4,$in4,$rndlast
-+
-+ veor $in0,$in0,$dat0
-+ vorr $dat0,$ivec,$ivec
-+ veor $in1,$in1,$dat1
-+ vorr $dat1,$ivec,$ivec
-+ veor $in2,$in2,$dat2
-+ vorr $dat2,$ivec,$ivec
-+ veor $in3,$in3,$dat3
-+ vorr $dat3,$ivec,$ivec
-+ veor $in4,$in4,$dat4
-+ vorr $dat4,$ivec,$ivec
-+
-+ vst1.8 {$in0},[$out],#16
-+ vmov.32 ${dat0}[3],$tctr0
-+ vst1.8 {$in1},[$out],#16
-+ vmov.32 ${dat1}[3],$tctr1
-+ vst1.8 {$in2},[$out],#16
-+ vmov.32 ${dat2}[3],$tctr2
-+ vst1.8 {$in3},[$out],#16
-+ vmov.32 ${dat3}[3],w13
-+ vst1.8 {$in4},[$out],#16
-+ vmov.32 ${dat4}[3],w14
-+
-+ mov $cnt,$rounds
-+ cbz $len,.Lctr32_done
-+
-+ add $ctr,$ctr,#5
-+ subs $len,$len,#5
-+ b.hs .Loop5x_ctr32
-+
-+ add $len,$len,#5
-+ sub $ctr,$ctr,#5
-+
-+ cmp $len,#2
-+ mov $step,#16
-+ cclr $step,lo
-+ b.ls .Lctr32_tail
-+
-+ sub $len,$len,#3 // bias
-+ add $ctr,$ctr,#3
-+___
-+$code.=<<___;
- b .Loop3x_ctr32
- 
- .align 4
-@@ -905,6 +2131,1432 @@ $code.=<<___;
- .size ${prefix}_ctr32_encrypt_blocks,.-${prefix}_ctr32_encrypt_blocks
- ___
- }}}
-+# Performance in cycles per byte.
-+# Processed with AES-XTS different key size. 
-+# It shows the value before and after optimization as below:
-+# (before/after):
-+#
-+# AES-128-XTS AES-256-XTS
-+# Cortex-A57 3.36/1.09 4.02/1.37
-+# Cortex-A72 3.03/1.02 3.28/1.33
-+
-+# Optimization is implemented by loop unrolling and interleaving.
-+# Commonly, we choose the unrolling factor as 5, if the input
-+# data size smaller than 5 blocks, but not smaller than 3 blocks,
-+# choose 3 as the unrolling factor.
-+# If the input data size dsize >= 5*16 bytes, then take 5 blocks
-+# as one iteration, every loop the left size lsize -= 5*16.
-+# If lsize < 5*16 bytes, treat them as the tail. Note: left 4*16 bytes
-+# will be processed specially, which be integrated into the 5*16 bytes
-+# loop to improve the efficiency.
-+# There is one special case, if the original input data size dsize
-+# = 16 bytes, we will treat it seperately to improve the
-+# performance: one independent code block without LR, FP load and
-+# store.
-+# Encryption will process the (length -tailcnt) bytes as mentioned
-+# previously, then encrypt the composite block as last second
-+# cipher block.
-+# Decryption will process the (length -tailcnt -1) bytes as mentioned
-+# previously, then decrypt the last second cipher block to get the
-+# last plain block(tail), decrypt the composite block as last second
-+# plain text block. 
-+
-+{{{
-+my ($inp,$out,$len,$key1,$key2,$ivp)=map("x$_",(0..5));
-+my ($rounds0,$rounds,$key_,$step,$ivl,$ivh)=("w5","w6","x7","x8","x9","x10");
-+my ($tmpoutp,$loutp,$l2outp,$tmpinp)=("x13","w14","w15","x20");
-+my ($tailcnt,$midnum,$midnumx,$constnum,$constnumx)=("x21","w22","x22","w19","x19");
-+my ($xoffset,$tmpmx,$tmpmw)=("x6","x11","w11");
-+my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$tmp2,$rndlast)=map("q$_",(0..7));
-+my ($iv0,$iv1,$iv2,$iv3,$iv4)=("v6.16b","v8.16b","v9.16b","v10.16b","v11.16b");
-+my ($ivd00,$ivd01,$ivd20,$ivd21)=("d6","v6.d[1]","d9","v9.d[1]");
-+my ($ivd10,$ivd11,$ivd30,$ivd31,$ivd40,$ivd41)=("d8","v8.d[1]","d10","v10.d[1]","d11","v11.d[1]");
-+
-+my ($tmpin)=("v26.16b");
-+my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
-+
-+# q7 last round key
-+# q10-q15, q7 Last 7 round keys
-+# q8-q9 preloaded round keys except last 7 keys for big size
-+# q20, q21, q8-q9 preloaded round keys except last 7 keys for only 16 byte
-+
-+
-+my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
-+
-+my ($dat3,$in3,$tmp3); # used only in 64-bit mode
-+my ($dat4,$in4,$tmp4);
-+if ($flavour =~ /64/) {
-+ ($dat2,$dat3,$dat4,$in2,$in3,$in4,$tmp3,$tmp4)=map("q$_",(16..23));
-+}
-+
-+$code.=<<___ if ($flavour =~ /64/);
-+.globl ${prefix}_xts_encrypt
-+.type ${prefix}_xts_encrypt,%function
-+.align 5
-+${prefix}_xts_encrypt:
-+___
-+$code.=<<___ if ($flavour =~ /64/);
-+ cmp $len,#16
-+ // Original input data size bigger than 16, jump to big size processing.
-+ b.ne .Lxts_enc_big_size
-+ // Encrypt the iv with key2, as the first XEX iv. 
-+ ldr $rounds,[$key2,#240]
-+ vld1.8 {$dat},[$key2],#16
-+ vld1.8 {$iv0},[$ivp]
-+ sub $rounds,$rounds,#2
-+ vld1.8 {$dat1},[$key2],#16
-+
-+.Loop_enc_iv_enc:
-+ aese $iv0,$dat
-+ aesmc $iv0,$iv0
-+ vld1.32 {$dat},[$key2],#16
-+ subs $rounds,$rounds,#2
-+ aese $iv0,$dat1
-+ aesmc $iv0,$iv0
-+ vld1.32 {$dat1},[$key2],#16
-+ b.gt .Loop_enc_iv_enc
-+
-+ aese $iv0,$dat
-+ aesmc $iv0,$iv0
-+ vld1.32 {$dat},[$key2]
-+ aese $iv0,$dat1
-+ veor $iv0,$iv0,$dat
-+
-+ vld1.8 {$dat0},[$inp]
-+ veor $dat0,$iv0,$dat0
-+
-+ ldr $rounds,[$key1,#240]
-+ vld1.32 {q20-q21},[$key1],#32 // load key schedule...
-+
-+ aese $dat0,q20
-+ aesmc $dat0,$dat0
-+ vld1.32 {q8-q9},[$key1],#32 // load key schedule...
-+ aese $dat0,q21
-+ aesmc $dat0,$dat0
-+ subs $rounds,$rounds,#10 // if rounds==10, jump to aes-128-xts processing
-+ b.eq .Lxts_128_enc
-+.Lxts_enc_round_loop:
-+ aese $dat0,q8
-+ aesmc $dat0,$dat0
-+ vld1.32 {q8},[$key1],#16 // load key schedule...
-+ aese $dat0,q9
-+ aesmc $dat0,$dat0
-+ vld1.32 {q9},[$key1],#16 // load key schedule...
-+ subs $rounds,$rounds,#2 // bias
-+ b.gt .Lxts_enc_round_loop
-+.Lxts_128_enc:
-+ vld1.32 {q10-q11},[$key1],#32 // load key schedule...
-+ aese $dat0,q8
-+ aesmc $dat0,$dat0
-+ aese $dat0,q9
-+ aesmc $dat0,$dat0
-+ vld1.32 {q12-q13},[$key1],#32 // load key schedule...
-+ aese $dat0,q10
-+ aesmc $dat0,$dat0
-+ aese $dat0,q11
-+ aesmc $dat0,$dat0
-+ vld1.32 {q14-q15},[$key1],#32 // load key schedule...
-+ aese $dat0,q12
-+ aesmc $dat0,$dat0
-+ aese $dat0,q13
-+ aesmc $dat0,$dat0
-+ vld1.32 {$rndlast},[$key1]
-+ aese $dat0,q14
-+ aesmc $dat0,$dat0
-+ aese $dat0,q15
-+ veor $dat0,$dat0,$rndlast
-+ veor $dat0,$dat0,$iv0
-+ vst1.8 {$dat0},[$out]
-+ b .Lxts_enc_final_abort
-+
-+.align 4
-+.Lxts_enc_big_size:
-+___
-+$code.=<<___ if ($flavour =~ /64/);
-+ stp $constnumx,$tmpinp,[sp,#-64]!
-+ stp $tailcnt,$midnumx,[sp,#48]
-+ stp $ivd10,$ivd20,[sp,#32]
-+ stp $ivd30,$ivd40,[sp,#16]
-+
-+ // tailcnt store the tail value of length%16. 
-+ and $tailcnt,$len,#0xf
-+ and $len,$len,#-16
-+ subs $len,$len,#16
-+ mov $step,#16
-+ b.lo .Lxts_abort
-+ csel $step,xzr,$step,eq
-+
-+ // Firstly, encrypt the iv with key2, as the first iv of XEX.
-+ ldr $rounds,[$key2,#240]
-+ vld1.32 {$dat},[$key2],#16
-+ vld1.8 {$iv0},[$ivp]
-+ sub $rounds,$rounds,#2
-+ vld1.32 {$dat1},[$key2],#16
-+
-+.Loop_iv_enc:
-+ aese $iv0,$dat
-+ aesmc $iv0,$iv0
-+ vld1.32 {$dat},[$key2],#16
-+ subs $rounds,$rounds,#2
-+ aese $iv0,$dat1
-+ aesmc $iv0,$iv0
-+ vld1.32 {$dat1},[$key2],#16
-+ b.gt .Loop_iv_enc
-+
-+ aese $iv0,$dat
-+ aesmc $iv0,$iv0
-+ vld1.32 {$dat},[$key2]
-+ aese $iv0,$dat1
-+ veor $iv0,$iv0,$dat
-+
-+ // The iv for second block
-+ // $ivl- iv(low), $ivh - iv(high)
-+ // the five ivs stored into, $iv0,$iv1,$iv2,$iv3,$iv4
-+ fmov $ivl,$ivd00
-+ fmov $ivh,$ivd01
-+ mov $constnum,#0x87
-+ extr $midnumx,$ivh,$ivh,#32
-+ extr $ivh,$ivh,$ivl,#63
-+ and $tmpmw,$constnum,$midnum,asr#31
-+ eor $ivl,$tmpmx,$ivl,lsl#1
-+ fmov $ivd10,$ivl
-+ fmov $ivd11,$ivh
-+
-+ ldr $rounds0,[$key1,#240] // next starting point
-+ vld1.8 {$dat},[$inp],$step
-+
-+ vld1.32 {q8-q9},[$key1] // load key schedule... 
-+ sub $rounds0,$rounds0,#6
-+ add $key_,$key1,$ivp,lsl#4 // pointer to last 7 round keys
-+ sub $rounds0,$rounds0,#2
-+ vld1.32 {q10-q11},[$key_],#32
-+ vld1.32 {q12-q13},[$key_],#32
-+ vld1.32 {q14-q15},[$key_],#32
-+ vld1.32 {$rndlast},[$key_]
-+
-+ add $key_,$key1,#32
-+ mov $rounds,$rounds0
-+
-+ // Encryption
-+.Lxts_enc:
-+ vld1.8 {$dat2},[$inp],#16
-+ subs $len,$len,#32 // bias
-+ add $rounds,$rounds0,#2
-+ vorr $in1,$dat,$dat
-+ vorr $dat1,$dat,$dat
-+ vorr $in3,$dat,$dat
-+ vorr $in2,$dat2,$dat2
-+ vorr $in4,$dat2,$dat2
-+ b.lo .Lxts_inner_enc_tail
-+ veor $dat,$dat,$iv0 // before encryption, xor with iv
-+ veor $dat2,$dat2,$iv1
-+
-+ // The iv for third block
-+ extr $midnumx,$ivh,$ivh,#32
-+ extr $ivh,$ivh,$ivl,#63
-+ and $tmpmw,$constnum,$midnum,asr#31
-+ eor $ivl,$tmpmx,$ivl,lsl#1
-+ fmov $ivd20,$ivl
-+ fmov $ivd21,$ivh
-+
-+
-+ vorr $dat1,$dat2,$dat2
-+ vld1.8 {$dat2},[$inp],#16
-+ vorr $in0,$dat,$dat
-+ vorr $in1,$dat1,$dat1
-+ veor $in2,$dat2,$iv2 // the third block
-+ veor $dat2,$dat2,$iv2
-+ cmp $len,#32
-+ b.lo .Lxts_outer_enc_tail
-+
-+ // The iv for fourth block
-+ extr $midnumx,$ivh,$ivh,#32
-+ extr $ivh,$ivh,$ivl,#63
-+ and $tmpmw,$constnum,$midnum,asr#31
-+ eor $ivl,$tmpmx,$ivl,lsl#1
-+ fmov $ivd30,$ivl
-+ fmov $ivd31,$ivh
-+
-+ vld1.8 {$dat3},[$inp],#16
-+ // The iv for fifth block
-+ extr $midnumx,$ivh,$ivh,#32
-+ extr $ivh,$ivh,$ivl,#63
-+ and $tmpmw,$constnum,$midnum,asr#31
-+ eor $ivl,$tmpmx,$ivl,lsl#1
-+ fmov $ivd40,$ivl
-+ fmov $ivd41,$ivh
-+
-+ vld1.8 {$dat4},[$inp],#16
-+ veor $dat3,$dat3,$iv3 // the fourth block
-+ veor $dat4,$dat4,$iv4
-+ sub $len,$len,#32 // bias
-+ mov $rounds,$rounds0
-+ b .Loop5x_xts_enc
-+
-+.align 4
-+.Loop5x_xts_enc:
-+ aese $dat0,q8
-+ aesmc $dat0,$dat0
-+ aese $dat1,q8
-+ aesmc $dat1,$dat1
-+ aese $dat2,q8
-+ aesmc $dat2,$dat2
-+ aese $dat3,q8
-+ aesmc $dat3,$dat3
-+ aese $dat4,q8
-+ aesmc $dat4,$dat4
-+ vld1.32 {q8},[$key_],#16
-+ subs $rounds,$rounds,#2
-+ aese $dat0,q9
-+ aesmc $dat0,$dat0
-+ aese 
$dat1,q9
-+ aesmc $dat1,$dat1
-+ aese $dat2,q9
-+ aesmc $dat2,$dat2
-+ aese $dat3,q9
-+ aesmc $dat3,$dat3
-+ aese $dat4,q9
-+ aesmc $dat4,$dat4
-+ vld1.32 {q9},[$key_],#16
-+ b.gt .Loop5x_xts_enc
-+
-+ aese $dat0,q8
-+ aesmc $dat0,$dat0
-+ aese $dat1,q8
-+ aesmc $dat1,$dat1
-+ aese $dat2,q8
-+ aesmc $dat2,$dat2
-+ aese $dat3,q8
-+ aesmc $dat3,$dat3
-+ aese $dat4,q8
-+ aesmc $dat4,$dat4
-+ subs $len,$len,#0x50 // because .Lxts_enc_tail4x
-+
-+ aese $dat0,q9
-+ aesmc $dat0,$dat0
-+ aese $dat1,q9
-+ aesmc $dat1,$dat1
-+ aese $dat2,q9
-+ aesmc $dat2,$dat2
-+ aese $dat3,q9
-+ aesmc $dat3,$dat3
-+ aese $dat4,q9
-+ aesmc $dat4,$dat4
-+ csel $xoffset,xzr,$len,gt // borrow x6, w6, "gt" is not typo
-+ mov $key_,$key1
-+
-+ aese $dat0,q10
-+ aesmc $dat0,$dat0
-+ aese $dat1,q10
-+ aesmc $dat1,$dat1
-+ aese $dat2,q10
-+ aesmc $dat2,$dat2
-+ aese $dat3,q10
-+ aesmc $dat3,$dat3
-+ aese $dat4,q10
-+ aesmc $dat4,$dat4
-+ add $inp,$inp,$xoffset // x0 is adjusted in such way that
-+ // at exit from the loop v1.16b-v26.16b
-+ // are loaded with last "words"
-+ add $xoffset,$len,#0x60 // because .Lxts_enc_tail4x
-+
-+ aese $dat0,q11
-+ aesmc $dat0,$dat0
-+ aese $dat1,q11
-+ aesmc $dat1,$dat1
-+ aese $dat2,q11
-+ aesmc $dat2,$dat2
-+ aese $dat3,q11
-+ aesmc $dat3,$dat3
-+ aese $dat4,q11
-+ aesmc $dat4,$dat4
-+
-+ aese $dat0,q12
-+ aesmc $dat0,$dat0
-+ aese $dat1,q12
-+ aesmc $dat1,$dat1
-+ aese $dat2,q12
-+ aesmc $dat2,$dat2
-+ aese $dat3,q12
-+ aesmc $dat3,$dat3
-+ aese $dat4,q12
-+ aesmc $dat4,$dat4
-+
-+ aese $dat0,q13
-+ aesmc $dat0,$dat0
-+ aese $dat1,q13
-+ aesmc $dat1,$dat1
-+ aese $dat2,q13
-+ aesmc $dat2,$dat2
-+ aese $dat3,q13
-+ aesmc $dat3,$dat3
-+ aese $dat4,q13
-+ aesmc $dat4,$dat4
-+
-+ aese $dat0,q14
-+ aesmc $dat0,$dat0
-+ aese $dat1,q14
-+ aesmc $dat1,$dat1
-+ aese $dat2,q14
-+ aesmc $dat2,$dat2
-+ aese $dat3,q14
-+ aesmc $dat3,$dat3
-+ aese $dat4,q14
-+ aesmc $dat4,$dat4
-+
-+ veor $tmp0,$rndlast,$iv0
-+ aese $dat0,q15
-+ // The iv for first block of one iteration
-+ 
extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr#31 -+ eor $ivl,$tmpmx,$ivl,lsl#1 -+ fmov $ivd00,$ivl -+ fmov $ivd01,$ivh -+ veor $tmp1,$rndlast,$iv1 -+ vld1.8 {$in0},[$inp],#16 -+ aese $dat1,q15 -+ // The iv for second block -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr#31 -+ eor $ivl,$tmpmx,$ivl,lsl#1 -+ fmov $ivd10,$ivl -+ fmov $ivd11,$ivh -+ veor $tmp2,$rndlast,$iv2 -+ vld1.8 {$in1},[$inp],#16 -+ aese $dat2,q15 -+ // The iv for third block -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr#31 -+ eor $ivl,$tmpmx,$ivl,lsl#1 -+ fmov $ivd20,$ivl -+ fmov $ivd21,$ivh -+ veor $tmp3,$rndlast,$iv3 -+ vld1.8 {$in2},[$inp],#16 -+ aese $dat3,q15 -+ // The iv for fourth block -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr#31 -+ eor $ivl,$tmpmx,$ivl,lsl#1 -+ fmov $ivd30,$ivl -+ fmov $ivd31,$ivh -+ veor $tmp4,$rndlast,$iv4 -+ vld1.8 {$in3},[$inp],#16 -+ aese $dat4,q15 -+ -+ // The iv for fifth block -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd40,$ivl -+ fmov $ivd41,$ivh -+ -+ vld1.8 {$in4},[$inp],#16 -+ cbz $xoffset,.Lxts_enc_tail4x -+ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] -+ veor $tmp0,$tmp0,$dat0 -+ veor $dat0,$in0,$iv0 -+ veor $tmp1,$tmp1,$dat1 -+ veor $dat1,$in1,$iv1 -+ veor $tmp2,$tmp2,$dat2 -+ veor $dat2,$in2,$iv2 -+ veor $tmp3,$tmp3,$dat3 -+ veor $dat3,$in3,$iv3 -+ veor $tmp4,$tmp4,$dat4 -+ vst1.8 {$tmp0},[$out],#16 -+ veor $dat4,$in4,$iv4 -+ vst1.8 {$tmp1},[$out],#16 -+ mov $rounds,$rounds0 -+ vst1.8 {$tmp2},[$out],#16 -+ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] -+ vst1.8 {$tmp3},[$out],#16 -+ vst1.8 {$tmp4},[$out],#16 -+ b.hs .Loop5x_xts_enc -+ -+ -+ // If left 4 blocks, borrow the five block's processing. 
-+ cmn $len,#0x10 -+ b.ne .Loop5x_enc_after -+ vorr $iv4,$iv3,$iv3 -+ vorr $iv3,$iv2,$iv2 -+ vorr $iv2,$iv1,$iv1 -+ vorr $iv1,$iv0,$iv0 -+ fmov $ivl,$ivd40 -+ fmov $ivh,$ivd41 -+ veor $dat0,$iv0,$in0 -+ veor $dat1,$iv1,$in1 -+ veor $dat2,$in2,$iv2 -+ veor $dat3,$in3,$iv3 -+ veor $dat4,$in4,$iv4 -+ b.eq .Loop5x_xts_enc -+ -+.Loop5x_enc_after: -+ add $len,$len,#0x50 -+ cbz $len,.Lxts_enc_done -+ -+ add $rounds,$rounds0,#2 -+ subs $len,$len,#0x30 -+ b.lo .Lxts_inner_enc_tail -+ -+ veor $dat0,$iv0,$in2 -+ veor $dat1,$iv1,$in3 -+ veor $dat2,$in4,$iv2 -+ b .Lxts_outer_enc_tail -+ -+.align 4 -+.Lxts_enc_tail4x: -+ add $inp,$inp,#16 -+ veor $tmp1,$dat1,$tmp1 -+ vst1.8 {$tmp1},[$out],#16 -+ veor $tmp2,$dat2,$tmp2 -+ vst1.8 {$tmp2},[$out],#16 -+ veor $tmp3,$dat3,$tmp3 -+ veor $tmp4,$dat4,$tmp4 -+ vst1.8 {$tmp3-$tmp4},[$out],#32 -+ -+ b .Lxts_enc_done -+.align 4 -+.Lxts_outer_enc_tail: -+ aese $dat0,q8 -+ aesmc $dat0,$dat0 -+ aese $dat1,q8 -+ aesmc $dat1,$dat1 -+ aese $dat2,q8 -+ aesmc $dat2,$dat2 -+ vld1.32 {q8},[$key_],#16 -+ subs $rounds,$rounds,#2 -+ aese $dat0,q9 -+ aesmc $dat0,$dat0 -+ aese $dat1,q9 -+ aesmc $dat1,$dat1 -+ aese $dat2,q9 -+ aesmc $dat2,$dat2 -+ vld1.32 {q9},[$key_],#16 -+ b.gt .Lxts_outer_enc_tail -+ -+ aese $dat0,q8 -+ aesmc $dat0,$dat0 -+ aese $dat1,q8 -+ aesmc $dat1,$dat1 -+ aese $dat2,q8 -+ aesmc $dat2,$dat2 -+ veor $tmp0,$iv0,$rndlast -+ subs $len,$len,#0x30 -+ // The iv for first block -+ fmov $ivl,$ivd20 -+ fmov $ivh,$ivd21 -+ //mov $constnum,#0x87 -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr#31 -+ eor $ivl,$tmpmx,$ivl,lsl#1 -+ fmov $ivd00,$ivl -+ fmov $ivd01,$ivh -+ veor $tmp1,$iv1,$rndlast -+ csel $xoffset,$len,$xoffset,lo // x6, w6, is zero at this point -+ aese $dat0,q9 -+ aesmc $dat0,$dat0 -+ aese $dat1,q9 -+ aesmc $dat1,$dat1 -+ aese $dat2,q9 -+ aesmc $dat2,$dat2 -+ veor $tmp2,$iv2,$rndlast -+ -+ add $xoffset,$xoffset,#0x20 -+ add $inp,$inp,$xoffset -+ mov $key_,$key1 -+ -+ aese $dat0,q12 -+ 
aesmc $dat0,$dat0 -+ aese $dat1,q12 -+ aesmc $dat1,$dat1 -+ aese $dat2,q12 -+ aesmc $dat2,$dat2 -+ aese $dat0,q13 -+ aesmc $dat0,$dat0 -+ aese $dat1,q13 -+ aesmc $dat1,$dat1 -+ aese $dat2,q13 -+ aesmc $dat2,$dat2 -+ aese $dat0,q14 -+ aesmc $dat0,$dat0 -+ aese $dat1,q14 -+ aesmc $dat1,$dat1 -+ aese $dat2,q14 -+ aesmc $dat2,$dat2 -+ aese $dat0,q15 -+ aese $dat1,q15 -+ aese $dat2,q15 -+ vld1.8 {$in2},[$inp],#16 -+ add $rounds,$rounds0,#2 -+ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] -+ veor $tmp0,$tmp0,$dat0 -+ veor $tmp1,$tmp1,$dat1 -+ veor $dat2,$dat2,$tmp2 -+ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] -+ vst1.8 {$tmp0},[$out],#16 -+ vst1.8 {$tmp1},[$out],#16 -+ vst1.8 {$dat2},[$out],#16 -+ cmn $len,#0x30 -+ b.eq .Lxts_enc_done -+.Lxts_encxor_one: -+ vorr $in3,$in1,$in1 -+ vorr $in4,$in2,$in2 -+ nop -+ -+.Lxts_inner_enc_tail: -+ cmn $len,#0x10 -+ veor $dat1,$in3,$iv0 -+ veor $dat2,$in4,$iv1 -+ b.eq .Lxts_enc_tail_loop -+ veor $dat2,$in4,$iv0 -+.Lxts_enc_tail_loop: -+ aese $dat1,q8 -+ aesmc $dat1,$dat1 -+ aese $dat2,q8 -+ aesmc $dat2,$dat2 -+ vld1.32 {q8},[$key_],#16 -+ subs $rounds,$rounds,#2 -+ aese $dat1,q9 -+ aesmc $dat1,$dat1 -+ aese $dat2,q9 -+ aesmc $dat2,$dat2 -+ vld1.32 {q9},[$key_],#16 -+ b.gt .Lxts_enc_tail_loop -+ -+ aese $dat1,q8 -+ aesmc $dat1,$dat1 -+ aese $dat2,q8 -+ aesmc $dat2,$dat2 -+ aese $dat1,q9 -+ aesmc $dat1,$dat1 -+ aese $dat2,q9 -+ aesmc $dat2,$dat2 -+ aese $dat1,q12 -+ aesmc $dat1,$dat1 -+ aese $dat2,q12 -+ aesmc $dat2,$dat2 -+ cmn $len,#0x20 -+ aese $dat1,q13 -+ aesmc $dat1,$dat1 -+ aese $dat2,q13 -+ aesmc $dat2,$dat2 -+ veor $tmp1,$iv0,$rndlast -+ aese $dat1,q14 -+ aesmc $dat1,$dat1 -+ aese $dat2,q14 -+ aesmc $dat2,$dat2 -+ veor $tmp2,$iv1,$rndlast -+ aese $dat1,q15 -+ aese $dat2,q15 -+ b.eq .Lxts_enc_one -+ veor $tmp1,$tmp1,$dat1 -+ vst1.8 {$tmp1},[$out],#16 -+ veor $tmp2,$tmp2,$dat2 -+ vorr $iv0,$iv1,$iv1 -+ vst1.8 {$tmp2},[$out],#16 -+ fmov $ivl,$ivd10 -+ fmov $ivh,$ivd11 -+ mov $constnum,#0x87 -+ extr 
$midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd00,$ivl -+ fmov $ivd01,$ivh -+ b .Lxts_enc_done -+ -+.Lxts_enc_one: -+ veor $tmp1,$tmp1,$dat2 -+ vorr $iv0,$iv0,$iv0 -+ vst1.8 {$tmp1},[$out],#16 -+ fmov $ivl,$ivd00 -+ fmov $ivh,$ivd01 -+ mov $constnum,#0x87 -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd00,$ivl -+ fmov $ivd01,$ivh -+ b .Lxts_enc_done -+.align 5 -+.Lxts_enc_done: -+ // Process the tail block with cipher stealing. -+ tst $tailcnt,#0xf -+ b.eq .Lxts_abort -+ -+ mov $tmpinp,$inp -+ mov $tmpoutp,$out -+ sub $out,$out,#16 -+.composite_enc_loop: -+ subs $tailcnt,$tailcnt,#1 -+ ldrb $l2outp,[$out,$tailcnt] -+ ldrb $loutp,[$tmpinp,$tailcnt] -+ strb $l2outp,[$tmpoutp,$tailcnt] -+ strb $loutp,[$out,$tailcnt] -+ b.gt .composite_enc_loop -+.Lxts_enc_load_done: -+ vld1.8 {$tmpin},[$out] -+ veor $tmpin,$tmpin,$iv0 -+ -+ // Encrypt the composite block to get the last second encrypted text block -+ ldr $rounds,[$key1,#240] // load key schedule... -+ vld1.8 {$dat},[$key1],#16 -+ sub $rounds,$rounds,#2 -+ vld1.8 {$dat1},[$key1],#16 // load key schedule... 
-+.Loop_final_enc:
-+ aese $tmpin,$dat0
-+ aesmc $tmpin,$tmpin
-+ vld1.32 {$dat0},[$key1],#16
-+ subs $rounds,$rounds,#2
-+ aese $tmpin,$dat1
-+ aesmc $tmpin,$tmpin
-+ vld1.32 {$dat1},[$key1],#16
-+ b.gt .Loop_final_enc
-+
-+ aese $tmpin,$dat0
-+ aesmc $tmpin,$tmpin
-+ vld1.32 {$dat0},[$key1]
-+ aese $tmpin,$dat1
-+ veor $tmpin,$tmpin,$dat0
-+ veor $tmpin,$tmpin,$iv0
-+ vst1.8 {$tmpin},[$out]
-+
-+.Lxts_abort:
-+ ldp $tailcnt,$midnumx,[sp,#48]
-+ ldp $ivd10,$ivd20,[sp,#32]
-+ ldp $ivd30,$ivd40,[sp,#16]
-+ ldp $constnumx,$tmpinp,[sp],#64
-+.Lxts_enc_final_abort:
-+ ret
-+.size ${prefix}_xts_encrypt,.-${prefix}_xts_encrypt
-+___
-+
-+}}}
-+{{{
-+my ($inp,$out,$len,$key1,$key2,$ivp)=map("x$_",(0..5));
-+my ($rounds0,$rounds,$key_,$step,$ivl,$ivh)=("w5","w6","x7","x8","x9","x10");
-+my ($tmpoutp,$loutp,$l2outp,$tmpinp)=("x13","w14","w15","x20");
-+my ($tailcnt,$midnum,$midnumx,$constnum,$constnumx)=("x21","w22","x22","w19","x19");
-+my ($xoffset,$tmpmx,$tmpmw)=("x6","x11","w11");
-+my ($dat0,$dat1,$in0,$in1,$tmp0,$tmp1,$tmp2,$rndlast)=map("q$_",(0..7));
-+my ($iv0,$iv1,$iv2,$iv3,$iv4,$tmpin)=("v6.16b","v8.16b","v9.16b","v10.16b","v11.16b","v26.16b");
-+my ($ivd00,$ivd01,$ivd20,$ivd21)=("d6","v6.d[1]","d9","v9.d[1]");
-+my ($ivd10,$ivd11,$ivd30,$ivd31,$ivd40,$ivd41)=("d8","v8.d[1]","d10","v10.d[1]","d11","v11.d[1]");
-+
-+my ($dat,$tmp,$rndzero_n_last)=($dat0,$tmp0,$tmp1);
-+
-+# q7 last round key
-+# q10-q15, q7 Last 7 round keys
-+# q8-q9 preloaded round keys except last 7 keys for big size
-+# q20, q21, q8-q9 preloaded round keys except last 7 keys for only 16 byte
-+
-+{
-+my ($dat2,$in2,$tmp2)=map("q$_",(10,11,9));
-+
-+my ($dat3,$in3,$tmp3); # used only in 64-bit mode
-+my ($dat4,$in4,$tmp4);
-+if ($flavour =~ /64/) {
-+ ($dat2,$dat3,$dat4,$in2,$in3,$in4,$tmp3,$tmp4)=map("q$_",(16..23));
-+}
-+
-+$code.=<<___ if ($flavour =~ /64/);
-+.globl ${prefix}_xts_decrypt
-+.type ${prefix}_xts_decrypt,%function
-+.align 5
-+${prefix}_xts_decrypt:
-+___
-+$code.=<<___ if 
($flavour =~ /64/); -+ cmp $len,#16 -+ // Original input data size bigger than 16, jump to big size processing. -+ b.ne .Lxts_dec_big_size -+ // Encrypt the iv with key2, as the first XEX iv. -+ ldr $rounds,[$key2,#240] -+ vld1.8 {$dat},[$key2],#16 -+ vld1.8 {$iv0},[$ivp] -+ sub $rounds,$rounds,#2 -+ vld1.8 {$dat1},[$key2],#16 -+ -+.Loop_dec_small_iv_enc: -+ aese $iv0,$dat -+ aesmc $iv0,$iv0 -+ vld1.32 {$dat},[$key2],#16 -+ subs $rounds,$rounds,#2 -+ aese $iv0,$dat1 -+ aesmc $iv0,$iv0 -+ vld1.32 {$dat1},[$key2],#16 -+ b.gt .Loop_dec_small_iv_enc -+ -+ aese $iv0,$dat -+ aesmc $iv0,$iv0 -+ vld1.32 {$dat},[$key2] -+ aese $iv0,$dat1 -+ veor $iv0,$iv0,$dat -+ -+ vld1.8 {$dat0},[$inp] -+ veor $dat0,$iv0,$dat0 -+ -+ ldr $rounds,[$key1,#240] -+ vld1.32 {q20-q21},[$key1],#32 // load key schedule... -+ -+ aesd $dat0,q20 -+ aesimc $dat0,$dat0 -+ vld1.32 {q8-q9},[$key1],#32 // load key schedule... -+ aesd $dat0,q21 -+ aesimc $dat0,$dat0 -+ subs $rounds,$rounds,#10 // bias -+ b.eq .Lxts_128_dec -+.Lxts_dec_round_loop: -+ aesd $dat0,q8 -+ aesimc $dat0,$dat0 -+ vld1.32 {q8},[$key1],#16 // load key schedule... -+ aesd $dat0,q9 -+ aesimc $dat0,$dat0 -+ vld1.32 {q9},[$key1],#16 // load key schedule... -+ subs $rounds,$rounds,#2 // bias -+ b.gt .Lxts_dec_round_loop -+.Lxts_128_dec: -+ vld1.32 {q10-q11},[$key1],#32 // load key schedule... -+ aesd $dat0,q8 -+ aesimc $dat0,$dat0 -+ aesd $dat0,q9 -+ aesimc $dat0,$dat0 -+ vld1.32 {q12-q13},[$key1],#32 // load key schedule... -+ aesd $dat0,q10 -+ aesimc $dat0,$dat0 -+ aesd $dat0,q11 -+ aesimc $dat0,$dat0 -+ vld1.32 {q14-q15},[$key1],#32 // load key schedule... -+ aesd $dat0,q12 -+ aesimc $dat0,$dat0 -+ aesd $dat0,q13 -+ aesimc $dat0,$dat0 -+ vld1.32 {$rndlast},[$key1] -+ aesd $dat0,q14 -+ aesimc $dat0,$dat0 -+ aesd $dat0,q15 -+ veor $dat0,$dat0,$rndlast -+ veor $dat0,$iv0,$dat0 -+ vst1.8 {$dat0},[$out] -+ b .Lxts_dec_final_abort -+.Lxts_dec_big_size: -+___ -+$code.=<<___ if ($flavour =~ /64/); -+ stp $constnumx,$tmpinp,[sp,#-64]! 
-+ stp $tailcnt,$midnumx,[sp,#48] -+ stp $ivd10,$ivd20,[sp,#32] -+ stp $ivd30,$ivd40,[sp,#16] -+ -+ and $tailcnt,$len,#0xf -+ and $len,$len,#-16 -+ subs $len,$len,#16 -+ mov $step,#16 -+ b.lo .Lxts_dec_abort -+ -+ // Encrypt the iv with key2, as the first XEX iv -+ ldr $rounds,[$key2,#240] -+ vld1.8 {$dat},[$key2],#16 -+ vld1.8 {$iv0},[$ivp] -+ sub $rounds,$rounds,#2 -+ vld1.8 {$dat1},[$key2],#16 -+ -+.Loop_dec_iv_enc: -+ aese $iv0,$dat -+ aesmc $iv0,$iv0 -+ vld1.32 {$dat},[$key2],#16 -+ subs $rounds,$rounds,#2 -+ aese $iv0,$dat1 -+ aesmc $iv0,$iv0 -+ vld1.32 {$dat1},[$key2],#16 -+ b.gt .Loop_dec_iv_enc -+ -+ aese $iv0,$dat -+ aesmc $iv0,$iv0 -+ vld1.32 {$dat},[$key2] -+ aese $iv0,$dat1 -+ veor $iv0,$iv0,$dat -+ -+ // The iv for second block -+ // $ivl- iv(low), $ivh - iv(high) -+ // the five ivs stored into, $iv0,$iv1,$iv2,$iv3,$iv4 -+ fmov $ivl,$ivd00 -+ fmov $ivh,$ivd01 -+ mov $constnum,#0x87 -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd10,$ivl -+ fmov $ivd11,$ivh -+ -+ ldr $rounds0,[$key1,#240] // load rounds number -+ -+ // The iv for third block -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd20,$ivl -+ fmov $ivd21,$ivh -+ -+ vld1.32 {q8-q9},[$key1] // load key schedule... -+ sub $rounds0,$rounds0,#6 -+ add $key_,$key1,$ivp,lsl#4 // pointer to last 7 round keys -+ sub $rounds0,$rounds0,#2 -+ vld1.32 {q10-q11},[$key_],#32 // load key schedule... 
-+ vld1.32 {q12-q13},[$key_],#32 -+ vld1.32 {q14-q15},[$key_],#32 -+ vld1.32 {$rndlast},[$key_] -+ -+ // The iv for fourth block -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd30,$ivl -+ fmov $ivd31,$ivh -+ -+ add $key_,$key1,#32 -+ mov $rounds,$rounds0 -+ b .Lxts_dec -+ -+ // Decryption -+.align 5 -+.Lxts_dec: -+ tst $tailcnt,#0xf -+ b.eq .Lxts_dec_begin -+ subs $len,$len,#16 -+ csel $step,xzr,$step,eq -+ vld1.8 {$dat},[$inp],#16 -+ b.lo .Lxts_done -+ sub $inp,$inp,#16 -+.Lxts_dec_begin: -+ vld1.8 {$dat},[$inp],$step -+ subs $len,$len,#32 // bias -+ add $rounds,$rounds0,#2 -+ vorr $in1,$dat,$dat -+ vorr $dat1,$dat,$dat -+ vorr $in3,$dat,$dat -+ vld1.8 {$dat2},[$inp],#16 -+ vorr $in2,$dat2,$dat2 -+ vorr $in4,$dat2,$dat2 -+ b.lo .Lxts_inner_dec_tail -+ veor $dat,$dat,$iv0 // before decryt, xor with iv -+ veor $dat2,$dat2,$iv1 -+ -+ vorr $dat1,$dat2,$dat2 -+ vld1.8 {$dat2},[$inp],#16 -+ vorr $in0,$dat,$dat -+ vorr $in1,$dat1,$dat1 -+ veor $in2,$dat2,$iv2 // third block xox with third iv -+ veor $dat2,$dat2,$iv2 -+ cmp $len,#32 -+ b.lo .Lxts_outer_dec_tail -+ -+ vld1.8 {$dat3},[$inp],#16 -+ -+ // The iv for fifth block -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd40,$ivl -+ fmov $ivd41,$ivh -+ -+ vld1.8 {$dat4},[$inp],#16 -+ veor $dat3,$dat3,$iv3 // the fourth block -+ veor $dat4,$dat4,$iv4 -+ sub $len,$len,#32 // bias -+ mov $rounds,$rounds0 -+ b .Loop5x_xts_dec -+ -+.align 4 -+.Loop5x_xts_dec: -+ aesd $dat0,q8 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q8 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q8 -+ aesimc $dat2,$dat2 -+ aesd $dat3,q8 -+ aesimc $dat3,$dat3 -+ aesd $dat4,q8 -+ aesimc $dat4,$dat4 -+ vld1.32 {q8},[$key_],#16 // load key schedule... 
-+ subs $rounds,$rounds,#2 -+ aesd $dat0,q9 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q9 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q9 -+ aesimc $dat2,$dat2 -+ aesd $dat3,q9 -+ aesimc $dat3,$dat3 -+ aesd $dat4,q9 -+ aesimc $dat4,$dat4 -+ vld1.32 {q9},[$key_],#16 // load key schedule... -+ b.gt .Loop5x_xts_dec -+ -+ aesd $dat0,q8 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q8 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q8 -+ aesimc $dat2,$dat2 -+ aesd $dat3,q8 -+ aesimc $dat3,$dat3 -+ aesd $dat4,q8 -+ aesimc $dat4,$dat4 -+ subs $len,$len,#0x50 // because .Lxts_dec_tail4x -+ -+ aesd $dat0,q9 -+ aesimc $dat0,$dat -+ aesd $dat1,q9 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q9 -+ aesimc $dat2,$dat2 -+ aesd $dat3,q9 -+ aesimc $dat3,$dat3 -+ aesd $dat4,q9 -+ aesimc $dat4,$dat4 -+ csel $xoffset,xzr,$len,gt // borrow x6, w6, "gt" is not typo -+ mov $key_,$key1 -+ -+ aesd $dat0,q10 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q10 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q10 -+ aesimc $dat2,$dat2 -+ aesd $dat3,q10 -+ aesimc $dat3,$dat3 -+ aesd $dat4,q10 -+ aesimc $dat4,$dat4 -+ add $inp,$inp,$xoffset // x0 is adjusted in such way that -+ // at exit from the loop v1.16b-v26.16b -+ // are loaded with last "words" -+ add $xoffset,$len,#0x60 // because .Lxts_dec_tail4x -+ -+ aesd $dat0,q11 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q11 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q11 -+ aesimc $dat2,$dat2 -+ aesd $dat3,q11 -+ aesimc $dat3,$dat3 -+ aesd $dat4,q11 -+ aesimc $dat4,$dat4 -+ -+ aesd $dat0,q12 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q12 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q12 -+ aesimc $dat2,$dat2 -+ aesd $dat3,q12 -+ aesimc $dat3,$dat3 -+ aesd $dat4,q12 -+ aesimc $dat4,$dat4 -+ -+ aesd $dat0,q13 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q13 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q13 -+ aesimc $dat2,$dat2 -+ aesd $dat3,q13 -+ aesimc $dat3,$dat3 -+ aesd $dat4,q13 -+ aesimc $dat4,$dat4 -+ -+ aesd $dat0,q14 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q14 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q14 -+ aesimc $dat2,$dat2 -+ aesd $dat3,q14 -+ aesimc $dat3,$dat3 -+ 
aesd $dat4,q14 -+ aesimc $dat4,$dat4 -+ -+ veor $tmp0,$rndlast,$iv0 -+ aesd $dat0,q15 -+ // The iv for first block of next iteration. -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd00,$ivl -+ fmov $ivd01,$ivh -+ veor $tmp1,$rndlast,$iv1 -+ vld1.8 {$in0},[$inp],#16 -+ aesd $dat1,q15 -+ // The iv for second block -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd10,$ivl -+ fmov $ivd11,$ivh -+ veor $tmp2,$rndlast,$iv2 -+ vld1.8 {$in1},[$inp],#16 -+ aesd $dat2,q15 -+ // The iv for third block -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd20,$ivl -+ fmov $ivd21,$ivh -+ veor $tmp3,$rndlast,$iv3 -+ vld1.8 {$in2},[$inp],#16 -+ aesd $dat3,q15 -+ // The iv for fourth block -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd30,$ivl -+ fmov $ivd31,$ivh -+ veor $tmp4,$rndlast,$iv4 -+ vld1.8 {$in3},[$inp],#16 -+ aesd $dat4,q15 -+ -+ // The iv for fifth block -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd40,$ivl -+ fmov $ivd41,$ivh -+ -+ vld1.8 {$in4},[$inp],#16 -+ cbz $xoffset,.Lxts_dec_tail4x -+ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] -+ veor $tmp0,$tmp0,$dat0 -+ veor $dat0,$in0,$iv0 -+ veor $tmp1,$tmp1,$dat1 -+ veor $dat1,$in1,$iv1 -+ veor $tmp2,$tmp2,$dat2 -+ veor $dat2,$in2,$iv2 -+ veor $tmp3,$tmp3,$dat3 -+ veor $dat3,$in3,$iv3 -+ veor $tmp4,$tmp4,$dat4 -+ vst1.8 {$tmp0},[$out],#16 -+ veor $dat4,$in4,$iv4 -+ vst1.8 {$tmp1},[$out],#16 -+ mov $rounds,$rounds0 -+ vst1.8 {$tmp2},[$out],#16 -+ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] -+ vst1.8 {$tmp3},[$out],#16 -+ vst1.8 {$tmp4},[$out],#16 -+ b.hs 
.Loop5x_xts_dec -+ -+ cmn $len,#0x10 -+ b.ne .Loop5x_dec_after -+ // If x2($len) equal to -0x10, the left blocks is 4. -+ // After specially processing, utilize the five blocks processing again. -+ // It will use the following IVs: $iv0,$iv0,$iv1,$iv2,$iv3. -+ vorr $iv4,$iv3,$iv3 -+ vorr $iv3,$iv2,$iv2 -+ vorr $iv2,$iv1,$iv1 -+ vorr $iv1,$iv0,$iv0 -+ fmov $ivl,$ivd40 -+ fmov $ivh,$ivd41 -+ veor $dat0,$iv0,$in0 -+ veor $dat1,$iv1,$in1 -+ veor $dat2,$in2,$iv2 -+ veor $dat3,$in3,$iv3 -+ veor $dat4,$in4,$iv4 -+ b.eq .Loop5x_xts_dec -+ -+.Loop5x_dec_after: -+ add $len,$len,#0x50 -+ cbz $len,.Lxts_done -+ -+ add $rounds,$rounds0,#2 -+ subs $len,$len,#0x30 -+ b.lo .Lxts_inner_dec_tail -+ -+ veor $dat0,$iv0,$in2 -+ veor $dat1,$iv1,$in3 -+ veor $dat2,$in4,$iv2 -+ b .Lxts_outer_dec_tail -+ -+.align 4 -+.Lxts_dec_tail4x: -+ add $inp,$inp,#16 -+ vld1.32 {$dat0},[$inp],#16 -+ veor $tmp1,$dat1,$tmp0 -+ vst1.8 {$tmp1},[$out],#16 -+ veor $tmp2,$dat2,$tmp2 -+ vst1.8 {$tmp2},[$out],#16 -+ veor $tmp3,$dat3,$tmp3 -+ veor $tmp4,$dat4,$tmp4 -+ vst1.8 {$tmp3-$tmp4},[$out],#32 -+ -+ b .Lxts_done -+.align 4 -+.Lxts_outer_dec_tail: -+ aesd $dat0,q8 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q8 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q8 -+ aesimc $dat2,$dat2 -+ vld1.32 {q8},[$key_],#16 -+ subs $rounds,$rounds,#2 -+ aesd $dat0,q9 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q9 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q9 -+ aesimc $dat2,$dat2 -+ vld1.32 {q9},[$key_],#16 -+ b.gt .Lxts_outer_dec_tail -+ -+ aesd $dat0,q8 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q8 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q8 -+ aesimc $dat2,$dat2 -+ veor $tmp0,$iv0,$rndlast -+ subs $len,$len,#0x30 -+ // The iv for first block -+ fmov $ivl,$ivd20 -+ fmov $ivh,$ivd21 -+ mov $constnum,#0x87 -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd00,$ivl -+ fmov $ivd01,$ivh -+ veor $tmp1,$iv1,$rndlast -+ csel $xoffset,$len,$xoffset,lo // x6, w6, is zero at this point 
-+ aesd $dat0,q9 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q9 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q9 -+ aesimc $dat2,$dat2 -+ veor $tmp2,$iv2,$rndlast -+ // The iv for second block -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd10,$ivl -+ fmov $ivd11,$ivh -+ -+ add $xoffset,$xoffset,#0x20 -+ add $inp,$inp,$xoffset // $inp is adjusted to the last data -+ -+ mov $key_,$key1 -+ -+ // The iv for third block -+ extr $midnumx,$ivh,$ivh,#32 -+ extr $ivh,$ivh,$ivl,#63 -+ and $tmpmw,$constnum,$midnum,asr #31 -+ eor $ivl,$tmpmx,$ivl,lsl #1 -+ fmov $ivd20,$ivl -+ fmov $ivd21,$ivh -+ -+ aesd $dat0,q12 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q12 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q12 -+ aesimc $dat2,$dat2 -+ aesd $dat0,q13 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q13 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q13 -+ aesimc $dat2,$dat2 -+ aesd $dat0,q14 -+ aesimc $dat0,$dat0 -+ aesd $dat1,q14 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q14 -+ aesimc $dat2,$dat2 -+ vld1.8 {$in2},[$inp],#16 -+ aesd $dat0,q15 -+ aesd $dat1,q15 -+ aesd $dat2,q15 -+ vld1.32 {q8},[$key_],#16 // re-pre-load rndkey[0] -+ add $rounds,$rounds0,#2 -+ veor $tmp0,$tmp0,$dat0 -+ veor $tmp1,$tmp1,$dat1 -+ veor $dat2,$dat2,$tmp2 -+ vld1.32 {q9},[$key_],#16 // re-pre-load rndkey[1] -+ vst1.8 {$tmp0},[$out],#16 -+ vst1.8 {$tmp1},[$out],#16 -+ vst1.8 {$dat2},[$out],#16 -+ -+ cmn $len,#0x30 -+ add $len,$len,#0x30 -+ b.eq .Lxts_done -+ sub $len,$len,#0x30 -+ vorr $in3,$in1,$in1 -+ vorr $in4,$in2,$in2 -+ nop -+ -+.Lxts_inner_dec_tail: -+ // $len == -0x10 means two blocks left. 
-+ cmn $len,#0x10 -+ veor $dat1,$in3,$iv0 -+ veor $dat2,$in4,$iv1 -+ b.eq .Lxts_dec_tail_loop -+ veor $dat2,$in4,$iv0 -+.Lxts_dec_tail_loop: -+ aesd $dat1,q8 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q8 -+ aesimc $dat2,$dat2 -+ vld1.32 {q8},[$key_],#16 -+ subs $rounds,$rounds,#2 -+ aesd $dat1,q9 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q9 -+ aesimc $dat2,$dat2 -+ vld1.32 {q9},[$key_],#16 -+ b.gt .Lxts_dec_tail_loop -+ -+ aesd $dat1,q8 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q8 -+ aesimc $dat2,$dat2 -+ aesd $dat1,q9 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q9 -+ aesimc $dat2,$dat2 -+ aesd $dat1,q12 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q12 -+ aesimc $dat2,$dat2 -+ cmn $len,#0x20 -+ aesd $dat1,q13 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q13 -+ aesimc $dat2,$dat2 -+ veor $tmp1,$iv0,$rndlast -+ aesd $dat1,q14 -+ aesimc $dat1,$dat1 -+ aesd $dat2,q14 -+ aesimc $dat2,$dat2 -+ veor $tmp2,$iv1,$rndlast -+ aesd $dat1,q15 -+ aesd $dat2,q15 -+ b.eq .Lxts_dec_one -+ veor $tmp1,$tmp1,$dat1 -+ veor $tmp2,$tmp2,$dat2 -+ vorr $iv0,$iv2,$iv2 -+ vorr $iv1,$iv3,$iv3 -+ vst1.8 {$tmp1},[$out],#16 -+ vst1.8 {$tmp2},[$out],#16 -+ add $len,$len,#16 -+ b .Lxts_done -+ -+.Lxts_dec_one: -+ veor $tmp1,$tmp1,$dat2 -+ vorr $iv0,$iv1,$iv1 -+ vorr $iv1,$iv2,$iv2 -+ vst1.8 {$tmp1},[$out],#16 -+ add $len,$len,#32 -+ -+.Lxts_done: -+ tst $tailcnt,#0xf -+ b.eq .Lxts_dec_abort -+ // Processing the last two blocks with cipher stealing. -+ mov x7,x3 -+ cbnz x2,.Lxts_dec_1st_done -+ vld1.32 {$dat0},[$inp],#16 -+ -+ // Decrypt the last secod block to get the last plain text block -+.Lxts_dec_1st_done: -+ eor $tmpin,$dat0,$iv1 -+ ldr $rounds,[$key1,#240] -+ vld1.32 {$dat0},[$key1],#16 -+ sub $rounds,$rounds,#2 -+ vld1.32 {$dat1},[$key1],#16 -+.Loop_final_2nd_dec: -+ aesd $tmpin,$dat0 -+ aesimc $tmpin,$tmpin -+ vld1.32 {$dat0},[$key1],#16 // load key schedule... -+ subs $rounds,$rounds,#2 -+ aesd $tmpin,$dat1 -+ aesimc $tmpin,$tmpin -+ vld1.32 {$dat1},[$key1],#16 // load key schedule... 
-+ b.gt .Loop_final_2nd_dec
-+
-+ aesd $tmpin,$dat0
-+ aesimc $tmpin,$tmpin
-+ vld1.32 {$dat0},[$key1]
-+ aesd $tmpin,$dat1
-+ veor $tmpin,$tmpin,$dat0
-+ veor $tmpin,$tmpin,$iv1
-+ vst1.8 {$tmpin},[$out]
-+
-+ mov $tmpinp,$inp
-+ add $tmpoutp,$out,#16
-+
-+ // Composite the tailcnt "16 byte not aligned block" into the last second plain blocks
-+ // to get the last encrypted block.
-+.composite_dec_loop:
-+ subs $tailcnt,$tailcnt,#1
-+ ldrb $l2outp,[$out,$tailcnt]
-+ ldrb $loutp,[$tmpinp,$tailcnt]
-+ strb $l2outp,[$tmpoutp,$tailcnt]
-+ strb $loutp,[$out,$tailcnt]
-+ b.gt .composite_dec_loop
-+.Lxts_dec_load_done:
-+ vld1.8 {$tmpin},[$out]
-+ veor $tmpin,$tmpin,$iv0
-+
-+ // Decrypt the composite block to get the last second plain text block
-+ ldr $rounds,[$key_,#240]
-+ vld1.8 {$dat},[$key_],#16
-+ sub $rounds,$rounds,#2
-+ vld1.8 {$dat1},[$key_],#16
-+.Loop_final_dec:
-+ aesd $tmpin,$dat0
-+ aesimc $tmpin,$tmpin
-+ vld1.32 {$dat0},[$key_],#16 // load key schedule...
-+ subs $rounds,$rounds,#2
-+ aesd $tmpin,$dat1
-+ aesimc $tmpin,$tmpin
-+ vld1.32 {$dat1},[$key_],#16 // load key schedule...
-+ b.gt .Loop_final_dec
-+
-+ aesd $tmpin,$dat0
-+ aesimc $tmpin,$tmpin
-+ vld1.32 {$dat0},[$key_]
-+ aesd $tmpin,$dat1
-+ veor $tmpin,$tmpin,$dat0
-+ veor $tmpin,$tmpin,$iv0
-+ vst1.8 {$tmpin},[$out]
-+
-+.Lxts_dec_abort:
-+ ldp $tailcnt,$midnumx,[sp,#48]
-+ ldp $ivd10,$ivd20,[sp,#32]
-+ ldp $ivd30,$ivd40,[sp,#16]
-+ ldp $constnumx,$tmpinp,[sp],#64
-+
-+.Lxts_dec_final_abort:
-+ ret
-+.size ${prefix}_xts_decrypt,.-${prefix}_xts_decrypt
-+___
-+}
-+}}}
- $code.=<<___;
- #endif
- ___
-@@ -963,7 +3615,7 @@ if ($flavour =~ /64/) { ######## 64-bi
- # since ARMv7 instructions are always encoded little-endian.
- # correct solution is to use .inst directive, but older
- # assemblers don't implement it:-(
-- sprintf ".byte\t0x%02x,0x%02x,0x%02x,0x%02x\t@ %s %s",
-+ sprintf "INST(0x%02x,0x%02x,0x%02x,0x%02x)\t@ %s %s",
- $word&0xff,($word>>8)&0xff,
- ($word>>16)&0xff,($word>>24)&0xff,
- $mnemonic,$arg;
-@@ -1004,14 +3656,17 @@ if ($flavour =~ /64/) { ######## 64-bi
- s/\],#[0-9]+/]!/o;
- 
- s/[v]?(aes\w+)\s+([qv].*)/unaes($1,$2)/geo or
-- s/cclr\s+([^,]+),\s*([a-z]+)/mov$2 $1,#0/o or
-+ s/cclr\s+([^,]+),\s*([a-z]+)/mov.$2 $1,#0/o or
- s/vtbl\.8\s+(.*)/unvtbl($1)/geo or
- s/vdup\.32\s+(.*)/unvdup32($1)/geo or
- s/vmov\.32\s+(.*)/unvmov32($1)/geo or
- s/^(\s+)b\./$1b/o or
-- s/^(\s+)mov\./$1mov/o or
- s/^(\s+)ret/$1bx\tlr/o;
- 
-+ if (s/^(\s+)mov\.([a-z]+)/$1mov$2/) {
-+ print " it $2\n";
-+ }
-+
- print $_,"\n";
- }
- }
-diff -up openssl-1.1.1i/crypto/aes/asm/vpaes-armv8.pl.arm-update openssl-1.1.1i/crypto/aes/asm/vpaes-armv8.pl
---- openssl-1.1.1i/crypto/aes/asm/vpaes-armv8.pl.arm-update 2020-12-08 14:20:59.000000000 +0100
-+++ openssl-1.1.1i/crypto/aes/asm/vpaes-armv8.pl 2020-12-09 10:37:38.405558929 +0100
-@@ -30,6 +30,7 @@
- # Denver(***) 16.6(**) 15.1/17.8(**) [8.80/9.93 ]
- # Apple A7(***) 22.7(**) 10.9/14.3 [8.45/10.0 ]
- # Mongoose(***) 26.3(**) 21.0/25.0(**) [13.3/16.8 ]
-+# ThunderX2(***) 39.4(**) 33.8/48.6(**)
- #
- # (*) ECB denotes approximate result for parallelizable modes
- # such as CBC decrypt, CTR, etc.;
-diff -up openssl-1.1.1i/crypto/chacha/asm/chacha-armv8.pl.arm-update openssl-1.1.1i/crypto/chacha/asm/chacha-armv8.pl
---- openssl-1.1.1i/crypto/chacha/asm/chacha-armv8.pl.arm-update 2020-12-08 14:20:59.000000000 +0100
-+++ openssl-1.1.1i/crypto/chacha/asm/chacha-armv8.pl 2020-12-09 10:40:57.922288627 +0100
-@@ -18,32 +18,44 @@
- #
- # ChaCha20 for ARMv8.
- #
-+# April 2019
-+#
-+# Replace 3xNEON+1xIALU code path with 4+1. 4+1 is actually fastest
-+# option on most(*), but not all, processors, yet 6+2 is retained.
-+# This is because penalties are considered tolerable in comparison to
-+# improvement on processors where 6+2 helps. Most notably +37% on
-+# ThunderX2. It's server-oriented processor which will have to serve
-+# as many requests as possible. While others are mostly clients, when
-+# performance doesn't have to be absolute top-notch, just fast enough,
-+# as majority of time is spent "entertaining" relatively slow human.
-+#
- # Performance in cycles per byte out of large buffer.
- #
--# IALU/gcc-4.9 3xNEON+1xIALU 6xNEON+2xIALU
-+# IALU/gcc-4.9 4xNEON+1xIALU 6xNEON+2xIALU
- #
--# Apple A7 5.50/+49% 3.33 1.70
--# Cortex-A53 8.40/+80% 4.72 4.72(*)
--# Cortex-A57 8.06/+43% 4.90 4.43(**)
--# Denver 4.50/+82% 2.63 2.67(*)
--# X-Gene 9.50/+46% 8.82 8.89(*)
--# Mongoose 8.00/+44% 3.64 3.25
--# Kryo 8.17/+50% 4.83 4.65
-+# Apple A7 5.50/+49% 2.72 1.60
-+# Cortex-A53 8.40/+80% 4.06 4.45(*)
-+# Cortex-A57 8.06/+43% 4.15 4.40(*)
-+# Denver 4.50/+82% 2.30 2.70(*)
-+# X-Gene 9.50/+46% 8.20 8.90(*)
-+# Mongoose 8.00/+44% 2.74 3.12(*)
-+# Kryo 8.17/+50% 4.47 4.65(*)
-+# ThunderX2 7.22/+48% 5.64 4.10
- #
--# (*) it's expected that doubling interleave factor doesn't help
--# all processors, only those with higher NEON latency and
--# higher instruction issue rate;
--# (**) expected improvement was actually higher;
-+# (*) slower than 4+1:-(
- 
--$flavour=shift;
--$output=shift;
-+# $output is the last argument if it looks like a file (it has an extension)
-+# $flavour is the first argument if it doesn't look like a file
-+$output = $#ARGV >= 0 && $ARGV[$#ARGV] =~ m|\.\w+$| ? pop : undef;
-+$flavour = $#ARGV >= 0 && $ARGV[0] !~ m|\.| ? 
shift : undef;
- 
- $0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1;
- ( $xlate="${dir}arm-xlate.pl" and -f $xlate ) or
- ( $xlate="${dir}../../perlasm/arm-xlate.pl" and -f $xlate) or
- die "can't locate arm-xlate.pl";
- 
--open OUT,"| \"$^X\" $xlate $flavour $output";
-+open OUT,"| \"$^X\" $xlate $flavour \"$output\""
-+ or die "can't call $xlate: $!";
- *STDOUT=*OUT;
- 
- sub AUTOLOAD() # thunk [simplified] x86-style perlasm
-@@ -120,42 +132,37 @@ my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)
- }
- 
- $code.=<<___;
--#include "arm_arch.h"
--
--.text
--
-+#ifndef __KERNEL__
-+# include "arm_arch.h"
- .extern OPENSSL_armcap_P
- .hidden OPENSSL_armcap_P
-+#endif
-+
-+.text
- 
- .align 5
- .Lsigma:
- .quad 0x3320646e61707865,0x6b20657479622d32 // endian-neutral
- .Lone:
--.long 1,0,0,0
--.LOPENSSL_armcap_P:
--#ifdef __ILP32__
--.long OPENSSL_armcap_P-.
--#else
--.quad OPENSSL_armcap_P-.
--#endif
--.asciz "ChaCha20 for ARMv8, CRYPTOGAMS by "
-+.long 1,2,3,4
-+.Lrot24:
-+.long 0x02010003,0x06050407,0x0a09080b,0x0e0d0c0f
-+.asciz "ChaCha20 for ARMv8, CRYPTOGAMS by \@dot-asm"
- 
- .globl ChaCha20_ctr32
- .type ChaCha20_ctr32,%function
- .align 5
- ChaCha20_ctr32:
- cbz $len,.Labort
-- adr @x[0],.LOPENSSL_armcap_P
- cmp $len,#192
- b.lo .Lshort
--#ifdef __ILP32__
-- ldrsw @x[1],[@x[0]]
--#else
-- ldr @x[1],[@x[0]]
--#endif
-- ldr w17,[@x[1],@x[0]]
-+
-+#ifndef __KERNEL__
-+ adrp x17,OPENSSL_armcap_P
-+ ldr w17,[x17,#:lo12:OPENSSL_armcap_P]
- tst w17,#ARMV7_NEON
-- b.ne ChaCha20_neon
-+ b.ne .LChaCha20_neon
-+#endif
- 
- .Lshort:
- .inst 0xd503233f // paciasp
-@@ -174,7 +181,7 @@ ChaCha20_ctr32:
- ldp @d[2],@d[3],[$key] // load key
- ldp @d[4],@d[5],[$key,#16]
- ldp @d[6],@d[7],[$ctr] // load counter
--#ifdef __ARMEB__
-+#ifdef __AARCH64EB__
- ror @d[2],@d[2],#32
- ror @d[3],@d[3],#32
- ror @d[4],@d[4],#32
-@@ -243,7 +250,7 @@ $code.=<<___;
- add @x[14],@x[14],@x[15],lsl#32
- ldp @x[13],@x[15],[$inp,#48]
- add $inp,$inp,#64
--#ifdef __ARMEB__
-+#ifdef __AARCH64EB__
- rev @x[0],@x[0]
- rev 
@x[2],@x[2]
- rev @x[4],@x[4]
-@@ -300,7 +307,7 @@ $code.=<<___;
- add @x[10],@x[10],@x[11],lsl#32
- add @x[12],@x[12],@x[13],lsl#32
- add @x[14],@x[14],@x[15],lsl#32
--#ifdef __ARMEB__
-+#ifdef __AARCH64EB__
- rev @x[0],@x[0]
- rev @x[2],@x[2]
- rev @x[4],@x[4]
-@@ -341,46 +348,91 @@ $code.=<<___;
- ___
- 
- {{{
--my ($A0,$B0,$C0,$D0,$A1,$B1,$C1,$D1,$A2,$B2,$C2,$D2,$T0,$T1,$T2,$T3) =
-- map("v$_.4s",(0..7,16..23));
--my (@K)=map("v$_.4s",(24..30));
--my $ONE="v31.4s";
-+my @K = map("v$_.4s",(0..3));
-+my ($xt0,$xt1,$xt2,$xt3, $CTR,$ROT24) = map("v$_.4s",(4..9));
-+my @X = map("v$_.4s",(16,20,24,28, 17,21,25,29, 18,22,26,30, 19,23,27,31));
-+my ($xa0,$xa1,$xa2,$xa3, $xb0,$xb1,$xb2,$xb3,
-+ $xc0,$xc1,$xc2,$xc3, $xd0,$xd1,$xd2,$xd3) = @X;
- 
--sub NEONROUND {
--my $odd = pop;
--my ($a,$b,$c,$d,$t)=@_;
-+sub NEON_lane_ROUND {
-+my ($a0,$b0,$c0,$d0)=@_;
-+my ($a1,$b1,$c1,$d1)=map(($_&~3)+(($_+1)&3),($a0,$b0,$c0,$d0));
-+my ($a2,$b2,$c2,$d2)=map(($_&~3)+(($_+1)&3),($a1,$b1,$c1,$d1));
-+my ($a3,$b3,$c3,$d3)=map(($_&~3)+(($_+1)&3),($a2,$b2,$c2,$d2));
-+my @x=map("'$_'",@X);
- 
- (
-- "&add ('$a','$a','$b')",
-- "&eor ('$d','$d','$a')",
-- "&rev32_16 ('$d','$d')", # vrot ($d,16)
--
-- "&add ('$c','$c','$d')",
-- "&eor ('$t','$b','$c')",
-- "&ushr ('$b','$t',20)",
-- "&sli ('$b','$t',12)",
--
-- "&add ('$a','$a','$b')",
-- "&eor ('$t','$d','$a')",
-- "&ushr ('$d','$t',24)",
-- "&sli ('$d','$t',8)",
--
-- "&add ('$c','$c','$d')",
-- "&eor ('$t','$b','$c')",
-- "&ushr ('$b','$t',25)",
-- "&sli ('$b','$t',7)",
--
-- "&ext ('$c','$c','$c',8)",
-- "&ext ('$d','$d','$d',$odd?4:12)",
-- "&ext ('$b','$b','$b',$odd?12:4)"
-+ "&add (@x[$a0],@x[$a0],@x[$b0])", # Q1
-+ "&add (@x[$a1],@x[$a1],@x[$b1])", # Q2
-+ "&add (@x[$a2],@x[$a2],@x[$b2])", # Q3
-+ "&add (@x[$a3],@x[$a3],@x[$b3])", # Q4
-+ "&eor (@x[$d0],@x[$d0],@x[$a0])",
-+ "&eor (@x[$d1],@x[$d1],@x[$a1])",
-+ "&eor (@x[$d2],@x[$d2],@x[$a2])",
-+ "&eor (@x[$d3],@x[$d3],@x[$a3])",
-+ "&rev32_16 (@x[$d0],@x[$d0])",
-+ "&rev32_16 
(@x[$d1],@x[$d1])",
-+ "&rev32_16 (@x[$d2],@x[$d2])",
-+ "&rev32_16 (@x[$d3],@x[$d3])",
-+
-+ "&add (@x[$c0],@x[$c0],@x[$d0])",
-+ "&add (@x[$c1],@x[$c1],@x[$d1])",
-+ "&add (@x[$c2],@x[$c2],@x[$d2])",
-+ "&add (@x[$c3],@x[$c3],@x[$d3])",
-+ "&eor ('$xt0',@x[$b0],@x[$c0])",
-+ "&eor ('$xt1',@x[$b1],@x[$c1])",
-+ "&eor ('$xt2',@x[$b2],@x[$c2])",
-+ "&eor ('$xt3',@x[$b3],@x[$c3])",
-+ "&ushr (@x[$b0],'$xt0',20)",
-+ "&ushr (@x[$b1],'$xt1',20)",
-+ "&ushr (@x[$b2],'$xt2',20)",
-+ "&ushr (@x[$b3],'$xt3',20)",
-+ "&sli (@x[$b0],'$xt0',12)",
-+ "&sli (@x[$b1],'$xt1',12)",
-+ "&sli (@x[$b2],'$xt2',12)",
-+ "&sli (@x[$b3],'$xt3',12)",
-+
-+ "&add (@x[$a0],@x[$a0],@x[$b0])",
-+ "&add (@x[$a1],@x[$a1],@x[$b1])",
-+ "&add (@x[$a2],@x[$a2],@x[$b2])",
-+ "&add (@x[$a3],@x[$a3],@x[$b3])",
-+ "&eor ('$xt0',@x[$d0],@x[$a0])",
-+ "&eor ('$xt1',@x[$d1],@x[$a1])",
-+ "&eor ('$xt2',@x[$d2],@x[$a2])",
-+ "&eor ('$xt3',@x[$d3],@x[$a3])",
-+ "&tbl (@x[$d0],'{$xt0}','$ROT24')",
-+ "&tbl (@x[$d1],'{$xt1}','$ROT24')",
-+ "&tbl (@x[$d2],'{$xt2}','$ROT24')",
-+ "&tbl (@x[$d3],'{$xt3}','$ROT24')",
-+
-+ "&add (@x[$c0],@x[$c0],@x[$d0])",
-+ "&add (@x[$c1],@x[$c1],@x[$d1])",
-+ "&add (@x[$c2],@x[$c2],@x[$d2])",
-+ "&add (@x[$c3],@x[$c3],@x[$d3])",
-+ "&eor ('$xt0',@x[$b0],@x[$c0])",
-+ "&eor ('$xt1',@x[$b1],@x[$c1])",
-+ "&eor ('$xt2',@x[$b2],@x[$c2])",
-+ "&eor ('$xt3',@x[$b3],@x[$c3])",
-+ "&ushr (@x[$b0],'$xt0',25)",
-+ "&ushr (@x[$b1],'$xt1',25)",
-+ "&ushr (@x[$b2],'$xt2',25)",
-+ "&ushr (@x[$b3],'$xt3',25)",
-+ "&sli (@x[$b0],'$xt0',7)",
-+ "&sli (@x[$b1],'$xt1',7)",
-+ "&sli (@x[$b2],'$xt2',7)",
-+ "&sli (@x[$b3],'$xt3',7)"
- );
- }
- 
- $code.=<<___;
- 
-+#ifdef __KERNEL__
-+.globl ChaCha20_neon
-+#endif
- .type ChaCha20_neon,%function
- .align 5
- ChaCha20_neon:
-+.LChaCha20_neon:
- .inst 0xd503233f // paciasp
- stp x29,x30,[sp,#-96]!
- add x29,sp,#0 -@@ -403,8 +455,9 @@ ChaCha20_neon: - ld1 {@K[1],@K[2]},[$key] - ldp @d[6],@d[7],[$ctr] // load counter - ld1 {@K[3]},[$ctr] -- ld1 {$ONE},[@x[0]] --#ifdef __ARMEB__ -+ stp d8,d9,[sp] // meet ABI requirements -+ ld1 {$CTR,$ROT24},[@x[0]] -+#ifdef __AARCH64EB__ - rev64 @K[0],@K[0] - ror @d[2],@d[2],#32 - ror @d[3],@d[3],#32 -@@ -413,115 +466,129 @@ ChaCha20_neon: - ror @d[6],@d[6],#32 - ror @d[7],@d[7],#32 - #endif -- add @K[3],@K[3],$ONE // += 1 -- add @K[4],@K[3],$ONE -- add @K[5],@K[4],$ONE -- shl $ONE,$ONE,#2 // 1 -> 4 - - .Loop_outer_neon: -- mov.32 @x[0],@d[0] // unpack key block -- lsr @x[1],@d[0],#32 -- mov $A0,@K[0] -- mov.32 @x[2],@d[1] -- lsr @x[3],@d[1],#32 -- mov $A1,@K[0] -- mov.32 @x[4],@d[2] -- lsr @x[5],@d[2],#32 -- mov $A2,@K[0] -- mov.32 @x[6],@d[3] -- mov $B0,@K[1] -- lsr @x[7],@d[3],#32 -- mov $B1,@K[1] -- mov.32 @x[8],@d[4] -- mov $B2,@K[1] -- lsr @x[9],@d[4],#32 -- mov $D0,@K[3] -- mov.32 @x[10],@d[5] -- mov $D1,@K[4] -- lsr @x[11],@d[5],#32 -- mov $D2,@K[5] -- mov.32 @x[12],@d[6] -- mov $C0,@K[2] -- lsr @x[13],@d[6],#32 -- mov $C1,@K[2] -- mov.32 @x[14],@d[7] -- mov $C2,@K[2] -- lsr @x[15],@d[7],#32 -+ dup $xa0,@{K[0]}[0] // unpack key block -+ mov.32 @x[0],@d[0] -+ dup $xa1,@{K[0]}[1] -+ lsr @x[1],@d[0],#32 -+ dup $xa2,@{K[0]}[2] -+ mov.32 @x[2],@d[1] -+ dup $xa3,@{K[0]}[3] -+ lsr @x[3],@d[1],#32 -+ dup $xb0,@{K[1]}[0] -+ mov.32 @x[4],@d[2] -+ dup $xb1,@{K[1]}[1] -+ lsr @x[5],@d[2],#32 -+ dup $xb2,@{K[1]}[2] -+ mov.32 @x[6],@d[3] -+ dup $xb3,@{K[1]}[3] -+ lsr @x[7],@d[3],#32 -+ dup $xd0,@{K[3]}[0] -+ mov.32 @x[8],@d[4] -+ dup $xd1,@{K[3]}[1] -+ lsr @x[9],@d[4],#32 -+ dup $xd2,@{K[3]}[2] -+ mov.32 @x[10],@d[5] -+ dup $xd3,@{K[3]}[3] -+ lsr @x[11],@d[5],#32 -+ add $xd0,$xd0,$CTR -+ mov.32 @x[12],@d[6] -+ dup $xc0,@{K[2]}[0] -+ lsr @x[13],@d[6],#32 -+ dup $xc1,@{K[2]}[1] -+ mov.32 @x[14],@d[7] -+ dup $xc2,@{K[2]}[2] -+ lsr @x[15],@d[7],#32 -+ dup $xc3,@{K[2]}[3] - - mov $ctr,#10 -- subs $len,$len,#256 -+ subs $len,$len,#320 - 
.Loop_neon: - sub $ctr,$ctr,#1 - ___ -- my @thread0=&NEONROUND($A0,$B0,$C0,$D0,$T0,0); -- my @thread1=&NEONROUND($A1,$B1,$C1,$D1,$T1,0); -- my @thread2=&NEONROUND($A2,$B2,$C2,$D2,$T2,0); -- my @thread3=&ROUND(0,4,8,12); -- -- foreach (@thread0) { -- eval; eval(shift(@thread3)); -- eval(shift(@thread1)); eval(shift(@thread3)); -- eval(shift(@thread2)); eval(shift(@thread3)); -- } -- -- @thread0=&NEONROUND($A0,$B0,$C0,$D0,$T0,1); -- @thread1=&NEONROUND($A1,$B1,$C1,$D1,$T1,1); -- @thread2=&NEONROUND($A2,$B2,$C2,$D2,$T2,1); -- @thread3=&ROUND(0,5,10,15); -+ my @plus_one=&ROUND(0,4,8,12); -+ foreach (&NEON_lane_ROUND(0,4,8,12)) { eval; eval(shift(@plus_one)); } - -- foreach (@thread0) { -- eval; eval(shift(@thread3)); -- eval(shift(@thread1)); eval(shift(@thread3)); -- eval(shift(@thread2)); eval(shift(@thread3)); -- } -+ @plus_one=&ROUND(0,5,10,15); -+ foreach (&NEON_lane_ROUND(0,5,10,15)) { eval; eval(shift(@plus_one)); } - $code.=<<___; - cbnz $ctr,.Loop_neon - -- add.32 @x[0],@x[0],@d[0] // accumulate key block -- add $A0,$A0,@K[0] -- add @x[1],@x[1],@d[0],lsr#32 -- add $A1,$A1,@K[0] -- add.32 @x[2],@x[2],@d[1] -- add $A2,$A2,@K[0] -- add @x[3],@x[3],@d[1],lsr#32 -- add $C0,$C0,@K[2] -- add.32 @x[4],@x[4],@d[2] -- add $C1,$C1,@K[2] -- add @x[5],@x[5],@d[2],lsr#32 -- add $C2,$C2,@K[2] -- add.32 @x[6],@x[6],@d[3] -- add $D0,$D0,@K[3] -- add @x[7],@x[7],@d[3],lsr#32 -- add.32 @x[8],@x[8],@d[4] -- add $D1,$D1,@K[4] -- add @x[9],@x[9],@d[4],lsr#32 -- add.32 @x[10],@x[10],@d[5] -- add $D2,$D2,@K[5] -- add @x[11],@x[11],@d[5],lsr#32 -- add.32 @x[12],@x[12],@d[6] -- add $B0,$B0,@K[1] -- add @x[13],@x[13],@d[6],lsr#32 -- add.32 @x[14],@x[14],@d[7] -- add $B1,$B1,@K[1] -- add @x[15],@x[15],@d[7],lsr#32 -- add $B2,$B2,@K[1] -+ add $xd0,$xd0,$CTR -+ -+ zip1 $xt0,$xa0,$xa1 // transpose data -+ zip1 $xt1,$xa2,$xa3 -+ zip2 $xt2,$xa0,$xa1 -+ zip2 $xt3,$xa2,$xa3 -+ zip1.64 $xa0,$xt0,$xt1 -+ zip2.64 $xa1,$xt0,$xt1 -+ zip1.64 $xa2,$xt2,$xt3 -+ zip2.64 $xa3,$xt2,$xt3 -+ -+ zip1 
$xt0,$xb0,$xb1 -+ zip1 $xt1,$xb2,$xb3 -+ zip2 $xt2,$xb0,$xb1 -+ zip2 $xt3,$xb2,$xb3 -+ zip1.64 $xb0,$xt0,$xt1 -+ zip2.64 $xb1,$xt0,$xt1 -+ zip1.64 $xb2,$xt2,$xt3 -+ zip2.64 $xb3,$xt2,$xt3 -+ -+ zip1 $xt0,$xc0,$xc1 -+ add.32 @x[0],@x[0],@d[0] // accumulate key block -+ zip1 $xt1,$xc2,$xc3 -+ add @x[1],@x[1],@d[0],lsr#32 -+ zip2 $xt2,$xc0,$xc1 -+ add.32 @x[2],@x[2],@d[1] -+ zip2 $xt3,$xc2,$xc3 -+ add @x[3],@x[3],@d[1],lsr#32 -+ zip1.64 $xc0,$xt0,$xt1 -+ add.32 @x[4],@x[4],@d[2] -+ zip2.64 $xc1,$xt0,$xt1 -+ add @x[5],@x[5],@d[2],lsr#32 -+ zip1.64 $xc2,$xt2,$xt3 -+ add.32 @x[6],@x[6],@d[3] -+ zip2.64 $xc3,$xt2,$xt3 -+ add @x[7],@x[7],@d[3],lsr#32 -+ -+ zip1 $xt0,$xd0,$xd1 -+ add.32 @x[8],@x[8],@d[4] -+ zip1 $xt1,$xd2,$xd3 -+ add @x[9],@x[9],@d[4],lsr#32 -+ zip2 $xt2,$xd0,$xd1 -+ add.32 @x[10],@x[10],@d[5] -+ zip2 $xt3,$xd2,$xd3 -+ add @x[11],@x[11],@d[5],lsr#32 -+ zip1.64 $xd0,$xt0,$xt1 -+ add.32 @x[12],@x[12],@d[6] -+ zip2.64 $xd1,$xt0,$xt1 -+ add @x[13],@x[13],@d[6],lsr#32 -+ zip1.64 $xd2,$xt2,$xt3 -+ add.32 @x[14],@x[14],@d[7] -+ zip2.64 $xd3,$xt2,$xt3 -+ add @x[15],@x[15],@d[7],lsr#32 - - b.lo .Ltail_neon - - add @x[0],@x[0],@x[1],lsl#32 // pack - add @x[2],@x[2],@x[3],lsl#32 - ldp @x[1],@x[3],[$inp,#0] // load input -+ add $xa0,$xa0,@K[0] // accumulate key block - add @x[4],@x[4],@x[5],lsl#32 - add @x[6],@x[6],@x[7],lsl#32 - ldp @x[5],@x[7],[$inp,#16] -+ add $xb0,$xb0,@K[1] - add @x[8],@x[8],@x[9],lsl#32 - add @x[10],@x[10],@x[11],lsl#32 - ldp @x[9],@x[11],[$inp,#32] -+ add $xc0,$xc0,@K[2] - add @x[12],@x[12],@x[13],lsl#32 - add @x[14],@x[14],@x[15],lsl#32 - ldp @x[13],@x[15],[$inp,#48] -+ add $xd0,$xd0,@K[3] - add $inp,$inp,#64 --#ifdef __ARMEB__ -+#ifdef __AARCH64EB__ - rev @x[0],@x[0] - rev @x[2],@x[2] - rev @x[4],@x[4] -@@ -531,48 +598,68 @@ $code.=<<___; - rev @x[12],@x[12] - rev @x[14],@x[14] - #endif -- ld1.8 {$T0-$T3},[$inp],#64 -+ ld1.8 {$xt0-$xt3},[$inp],#64 - eor @x[0],@x[0],@x[1] -+ add $xa1,$xa1,@K[0] - eor @x[2],@x[2],@x[3] -+ add $xb1,$xb1,@K[1] - 
eor @x[4],@x[4],@x[5] -+ add $xc1,$xc1,@K[2] - eor @x[6],@x[6],@x[7] -+ add $xd1,$xd1,@K[3] - eor @x[8],@x[8],@x[9] -- eor $A0,$A0,$T0 -+ eor $xa0,$xa0,$xt0 -+ movi $xt0,#5 - eor @x[10],@x[10],@x[11] -- eor $B0,$B0,$T1 -+ eor $xb0,$xb0,$xt1 - eor @x[12],@x[12],@x[13] -- eor $C0,$C0,$T2 -+ eor $xc0,$xc0,$xt2 - eor @x[14],@x[14],@x[15] -- eor $D0,$D0,$T3 -- ld1.8 {$T0-$T3},[$inp],#64 -+ eor $xd0,$xd0,$xt3 -+ add $CTR,$CTR,$xt0 // += 5 -+ ld1.8 {$xt0-$xt3},[$inp],#64 - - stp @x[0],@x[2],[$out,#0] // store output -- add @d[6],@d[6],#4 // increment counter -+ add @d[6],@d[6],#5 // increment counter - stp @x[4],@x[6],[$out,#16] -- add @K[3],@K[3],$ONE // += 4 - stp @x[8],@x[10],[$out,#32] -- add @K[4],@K[4],$ONE - stp @x[12],@x[14],[$out,#48] -- add @K[5],@K[5],$ONE - add $out,$out,#64 - -- st1.8 {$A0-$D0},[$out],#64 -- ld1.8 {$A0-$D0},[$inp],#64 -- -- eor $A1,$A1,$T0 -- eor $B1,$B1,$T1 -- eor $C1,$C1,$T2 -- eor $D1,$D1,$T3 -- st1.8 {$A1-$D1},[$out],#64 -- -- eor $A2,$A2,$A0 -- eor $B2,$B2,$B0 -- eor $C2,$C2,$C0 -- eor $D2,$D2,$D0 -- st1.8 {$A2-$D2},[$out],#64 -+ st1.8 {$xa0-$xd0},[$out],#64 -+ add $xa2,$xa2,@K[0] -+ add $xb2,$xb2,@K[1] -+ add $xc2,$xc2,@K[2] -+ add $xd2,$xd2,@K[3] -+ ld1.8 {$xa0-$xd0},[$inp],#64 -+ -+ eor $xa1,$xa1,$xt0 -+ eor $xb1,$xb1,$xt1 -+ eor $xc1,$xc1,$xt2 -+ eor $xd1,$xd1,$xt3 -+ st1.8 {$xa1-$xd1},[$out],#64 -+ add $xa3,$xa3,@K[0] -+ add $xb3,$xb3,@K[1] -+ add $xc3,$xc3,@K[2] -+ add $xd3,$xd3,@K[3] -+ ld1.8 {$xa1-$xd1},[$inp],#64 -+ -+ eor $xa2,$xa2,$xa0 -+ eor $xb2,$xb2,$xb0 -+ eor $xc2,$xc2,$xc0 -+ eor $xd2,$xd2,$xd0 -+ st1.8 {$xa2-$xd2},[$out],#64 -+ -+ eor $xa3,$xa3,$xa1 -+ eor $xb3,$xb3,$xb1 -+ eor $xc3,$xc3,$xc1 -+ eor $xd3,$xd3,$xd1 -+ st1.8 {$xa3-$xd3},[$out],#64 - - b.hi .Loop_outer_neon - -+ ldp d8,d9,[sp] // meet ABI requirements -+ - ldp x19,x20,[x29,#16] - add sp,sp,#64 - ldp x21,x22,[x29,#32] -@@ -583,8 +670,10 @@ $code.=<<___; - .inst 0xd50323bf // autiasp - ret - -+.align 4 - .Ltail_neon: -- add $len,$len,#256 -+ add 
$len,$len,#320 -+ ldp d8,d9,[sp] // meet ABI requirements - cmp $len,#64 - b.lo .Less_than_64 - -@@ -601,7 +690,7 @@ $code.=<<___; - add @x[14],@x[14],@x[15],lsl#32 - ldp @x[13],@x[15],[$inp,#48] - add $inp,$inp,#64 --#ifdef __ARMEB__ -+#ifdef __AARCH64EB__ - rev @x[0],@x[0] - rev @x[2],@x[2] - rev @x[4],@x[4] -@@ -621,48 +710,68 @@ $code.=<<___; - eor @x[14],@x[14],@x[15] - - stp @x[0],@x[2],[$out,#0] // store output -- add @d[6],@d[6],#4 // increment counter -+ add $xa0,$xa0,@K[0] // accumulate key block - stp @x[4],@x[6],[$out,#16] -+ add $xb0,$xb0,@K[1] - stp @x[8],@x[10],[$out,#32] -+ add $xc0,$xc0,@K[2] - stp @x[12],@x[14],[$out,#48] -+ add $xd0,$xd0,@K[3] - add $out,$out,#64 - b.eq .Ldone_neon - sub $len,$len,#64 - cmp $len,#64 -- b.lo .Less_than_128 -+ b.lo .Last_neon - -- ld1.8 {$T0-$T3},[$inp],#64 -- eor $A0,$A0,$T0 -- eor $B0,$B0,$T1 -- eor $C0,$C0,$T2 -- eor $D0,$D0,$T3 -- st1.8 {$A0-$D0},[$out],#64 -+ ld1.8 {$xt0-$xt3},[$inp],#64 -+ eor $xa0,$xa0,$xt0 -+ eor $xb0,$xb0,$xt1 -+ eor $xc0,$xc0,$xt2 -+ eor $xd0,$xd0,$xt3 -+ st1.8 {$xa0-$xd0},[$out],#64 - b.eq .Ldone_neon -+ -+ add $xa0,$xa1,@K[0] -+ add $xb0,$xb1,@K[1] - sub $len,$len,#64 -+ add $xc0,$xc1,@K[2] - cmp $len,#64 -- b.lo .Less_than_192 -+ add $xd0,$xd1,@K[3] -+ b.lo .Last_neon - -- ld1.8 {$T0-$T3},[$inp],#64 -- eor $A1,$A1,$T0 -- eor $B1,$B1,$T1 -- eor $C1,$C1,$T2 -- eor $D1,$D1,$T3 -- st1.8 {$A1-$D1},[$out],#64 -+ ld1.8 {$xt0-$xt3},[$inp],#64 -+ eor $xa1,$xa0,$xt0 -+ eor $xb1,$xb0,$xt1 -+ eor $xc1,$xc0,$xt2 -+ eor $xd1,$xd0,$xt3 -+ st1.8 {$xa1-$xd1},[$out],#64 - b.eq .Ldone_neon -+ -+ add $xa0,$xa2,@K[0] -+ add $xb0,$xb2,@K[1] - sub $len,$len,#64 -+ add $xc0,$xc2,@K[2] -+ cmp $len,#64 -+ add $xd0,$xd2,@K[3] -+ b.lo .Last_neon - -- st1.8 {$A2-$D2},[sp] -- b .Last_neon -+ ld1.8 {$xt0-$xt3},[$inp],#64 -+ eor $xa2,$xa0,$xt0 -+ eor $xb2,$xb0,$xt1 -+ eor $xc2,$xc0,$xt2 -+ eor $xd2,$xd0,$xt3 -+ st1.8 {$xa2-$xd2},[$out],#64 -+ b.eq .Ldone_neon - --.Less_than_128: -- st1.8 {$A0-$D0},[sp] -- b 
.Last_neon --.Less_than_192: -- st1.8 {$A1-$D1},[sp] -- b .Last_neon -+ add $xa0,$xa3,@K[0] -+ add $xb0,$xb3,@K[1] -+ add $xc0,$xc3,@K[2] -+ add $xd0,$xd3,@K[3] -+ sub $len,$len,#64 - --.align 4 - .Last_neon: -+ st1.8 {$xa0-$xd0},[sp] -+ - sub $out,$out,#1 - add $inp,$inp,$len - add $out,$out,$len -@@ -695,9 +804,41 @@ $code.=<<___; - .size ChaCha20_neon,.-ChaCha20_neon - ___ - { -+my @K = map("v$_.4s",(0..6)); - my ($T0,$T1,$T2,$T3,$T4,$T5)=@K; - my ($A0,$B0,$C0,$D0,$A1,$B1,$C1,$D1,$A2,$B2,$C2,$D2, -- $A3,$B3,$C3,$D3,$A4,$B4,$C4,$D4,$A5,$B5,$C5,$D5) = map("v$_.4s",(0..23)); -+ $A3,$B3,$C3,$D3,$A4,$B4,$C4,$D4,$A5,$B5,$C5,$D5) = map("v$_.4s",(8..31)); -+my $rot24 = @K[6]; -+my $ONE = "v7.4s"; -+ -+sub NEONROUND { -+my $odd = pop; -+my ($a,$b,$c,$d,$t)=@_; -+ -+ ( -+ "&add ('$a','$a','$b')", -+ "&eor ('$d','$d','$a')", -+ "&rev32_16 ('$d','$d')", # vrot ($d,16) -+ -+ "&add ('$c','$c','$d')", -+ "&eor ('$t','$b','$c')", -+ "&ushr ('$b','$t',20)", -+ "&sli ('$b','$t',12)", -+ -+ "&add ('$a','$a','$b')", -+ "&eor ('$d','$d','$a')", -+ "&tbl ('$d','{$d}','$rot24')", -+ -+ "&add ('$c','$c','$d')", -+ "&eor ('$t','$b','$c')", -+ "&ushr ('$b','$t',25)", -+ "&sli ('$b','$t',7)", -+ -+ "&ext ('$c','$c','$c',8)", -+ "&ext ('$d','$d','$d',$odd?4:12)", -+ "&ext ('$b','$b','$b',$odd?12:4)" -+ ); -+} - - $code.=<<___; - .type ChaCha20_512_neon,%function -@@ -717,6 +858,7 @@ ChaCha20_512_neon: - .L512_or_more_neon: - sub sp,sp,#128+64 - -+ eor $ONE,$ONE,$ONE - ldp @d[0],@d[1],[@x[0]] // load sigma - ld1 {@K[0]},[@x[0]],#16 - ldp @d[2],@d[3],[$key] // load key -@@ -724,8 +866,9 @@ ChaCha20_512_neon: - ld1 {@K[1],@K[2]},[$key] - ldp @d[6],@d[7],[$ctr] // load counter - ld1 {@K[3]},[$ctr] -- ld1 {$ONE},[@x[0]] --#ifdef __ARMEB__ -+ ld1 {$ONE}[0],[@x[0]] -+ add $key,@x[0],#16 // .Lrot24 -+#ifdef __AARCH64EB__ - rev64 @K[0],@K[0] - ror @d[2],@d[2],#32 - ror @d[3],@d[3],#32 -@@ -792,9 +935,10 @@ ChaCha20_512_neon: - mov $C4,@K[2] - stp @K[3],@K[4],[sp,#48] // off-load key block, variable 
part - mov $C5,@K[2] -- str @K[5],[sp,#80] -+ stp @K[5],@K[6],[sp,#80] - - mov $ctr,#5 -+ ld1 {$rot24},[$key] - subs $len,$len,#512 - .Loop_upper_neon: - sub $ctr,$ctr,#1 -@@ -867,7 +1011,7 @@ $code.=<<___; - add @x[14],@x[14],@x[15],lsl#32 - ldp @x[13],@x[15],[$inp,#48] - add $inp,$inp,#64 --#ifdef __ARMEB__ -+#ifdef __AARCH64EB__ - rev @x[0],@x[0] - rev @x[2],@x[2] - rev @x[4],@x[4] -@@ -956,6 +1100,7 @@ $code.=<<___; - add.32 @x[2],@x[2],@d[1] - ldp @K[4],@K[5],[sp,#64] - add @x[3],@x[3],@d[1],lsr#32 -+ ldr @K[6],[sp,#96] - add $A0,$A0,@K[0] - add.32 @x[4],@x[4],@d[2] - add $A1,$A1,@K[0] -@@ -1008,7 +1153,7 @@ $code.=<<___; - add $inp,$inp,#64 - add $B5,$B5,@K[1] - --#ifdef __ARMEB__ -+#ifdef __AARCH64EB__ - rev @x[0],@x[0] - rev @x[2],@x[2] - rev @x[4],@x[4] -@@ -1086,26 +1231,26 @@ $code.=<<___; - b.hs .Loop_outer_512_neon - - adds $len,$len,#512 -- ushr $A0,$ONE,#2 // 4 -> 1 -+ ushr $ONE,$ONE,#1 // 4 -> 2 - -- ldp d8,d9,[sp,#128+0] // meet ABI requirements - ldp d10,d11,[sp,#128+16] - ldp d12,d13,[sp,#128+32] - ldp d14,d15,[sp,#128+48] - -- stp @K[0],$ONE,[sp,#0] // wipe off-load area -- stp @K[0],$ONE,[sp,#32] -- stp @K[0],$ONE,[sp,#64] -+ stp @K[0],@K[0],[sp,#0] // wipe off-load area -+ stp @K[0],@K[0],[sp,#32] -+ stp @K[0],@K[0],[sp,#64] - - b.eq .Ldone_512_neon - -+ sub $key,$key,#16 // .Lone - cmp $len,#192 -- sub @K[3],@K[3],$A0 // -= 1 -- sub @K[4],@K[4],$A0 -- sub @K[5],@K[5],$A0 - add sp,sp,#128 -+ sub @K[3],@K[3],$ONE // -= 2 -+ ld1 {$CTR,$ROT24},[$key] - b.hs .Loop_outer_neon - -+ ldp d8,d9,[sp,#0] // meet ABI requirements - eor @K[1],@K[1],@K[1] - eor @K[2],@K[2],@K[2] - eor @K[3],@K[3],@K[3] -@@ -1115,6 +1260,7 @@ $code.=<<___; - b .Loop_outer - - .Ldone_512_neon: -+ ldp d8,d9,[sp,#128+0] // meet ABI requirements - ldp x19,x20,[x29,#16] - add sp,sp,#128+64 - ldp x21,x22,[x29,#32] -@@ -1133,9 +1279,11 @@ foreach (split("\n",$code)) { - s/\`([^\`]*)\`/eval $1/geo; - - (s/\b([a-z]+)\.32\b/$1/ and (s/x([0-9]+)/w$1/g or 1)) or -- (m/\b(eor|ext|mov)\b/ 
and (s/\.4s/\.16b/g or 1)) or -+ (m/\b(eor|ext|mov|tbl)\b/ and (s/\.4s/\.16b/g or 1)) or - (s/\b((?:ld|st)1)\.8\b/$1/ and (s/\.4s/\.16b/g or 1)) or - (m/\b(ld|st)[rp]\b/ and (s/v([0-9]+)\.4s/q$1/g or 1)) or -+ (m/\b(dup|ld1)\b/ and (s/\.4(s}?\[[0-3]\])/.$1/g or 1)) or -+ (s/\b(zip[12])\.64\b/$1/ and (s/\.4s/\.2d/g or 1)) or - (s/\brev32\.16\b/rev32/ and (s/\.4s/\.8h/g or 1)); - - #s/\bq([0-9]+)#(lo|hi)/sprintf "d%d",2*$1+($2 eq "hi")/geo; -diff -up openssl-1.1.1i/crypto/modes/asm/ghashv8-armx.pl.arm-update openssl-1.1.1i/crypto/modes/asm/ghashv8-armx.pl ---- openssl-1.1.1i/crypto/modes/asm/ghashv8-armx.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 -+++ openssl-1.1.1i/crypto/modes/asm/ghashv8-armx.pl 2020-12-09 10:37:38.408558954 +0100 -@@ -42,6 +42,7 @@ - # Denver 0.51 0.65 6.02 - # Mongoose 0.65 1.10 8.06 - # Kryo 0.76 1.16 8.00 -+# ThunderX2 1.05 - # - # (*) presented for reference/comparison purposes; - -diff -up openssl-1.1.1i/crypto/poly1305/asm/poly1305-armv8.pl.arm-update openssl-1.1.1i/crypto/poly1305/asm/poly1305-armv8.pl ---- openssl-1.1.1i/crypto/poly1305/asm/poly1305-armv8.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 -+++ openssl-1.1.1i/crypto/poly1305/asm/poly1305-armv8.pl 2020-12-09 10:37:38.408558954 +0100 -@@ -29,6 +29,7 @@ - # X-Gene 2.13/+68% 2.27 - # Mongoose 1.77/+75% 1.12 - # Kryo 2.70/+55% 1.13 -+# ThunderX2 1.17/+95% 1.36 - # - # (*) estimate based on resources availability is less than 1.0, - # i.e. measured result is worse than expected, presumably binary -diff -up openssl-1.1.1i/crypto/sha/asm/keccak1600-armv8.pl.arm-update openssl-1.1.1i/crypto/sha/asm/keccak1600-armv8.pl ---- openssl-1.1.1i/crypto/sha/asm/keccak1600-armv8.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 -+++ openssl-1.1.1i/crypto/sha/asm/keccak1600-armv8.pl 2020-12-09 10:37:38.408558954 +0100 -@@ -51,6 +51,7 @@ - # Kryo 12 - # Denver 7.8 - # Apple A7 7.2 -+# ThunderX2 9.7 - # - # (*) Corresponds to SHA3-256. 
No improvement coefficients are listed - # because they vary too much from compiler to compiler. Newer -diff -up openssl-1.1.1i/crypto/sha/asm/sha1-armv8.pl.arm-update openssl-1.1.1i/crypto/sha/asm/sha1-armv8.pl ---- openssl-1.1.1i/crypto/sha/asm/sha1-armv8.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 -+++ openssl-1.1.1i/crypto/sha/asm/sha1-armv8.pl 2020-12-09 10:37:38.408558954 +0100 -@@ -27,6 +27,7 @@ - # X-Gene 8.80 (+200%) - # Mongoose 2.05 6.50 (+160%) - # Kryo 1.88 8.00 (+90%) -+# ThunderX2 2.64 6.36 (+150%) - # - # (*) Software results are presented mostly for reference purposes. - # (**) Keep in mind that Denver relies on binary translation, which -diff -up openssl-1.1.1i/crypto/sha/asm/sha512-armv8.pl.arm-update openssl-1.1.1i/crypto/sha/asm/sha512-armv8.pl ---- openssl-1.1.1i/crypto/sha/asm/sha512-armv8.pl.arm-update 2020-12-08 14:20:59.000000000 +0100 -+++ openssl-1.1.1i/crypto/sha/asm/sha512-armv8.pl 2020-12-09 10:37:38.408558954 +0100 -@@ -28,6 +28,7 @@ - # X-Gene 20.0 (+100%) 12.8 (+300%(***)) - # Mongoose 2.36 13.0 (+50%) 8.36 (+33%) - # Kryo 1.92 17.4 (+30%) 11.2 (+8%) -+# ThunderX2 2.54 13.2 (+40%) 8.40 (+18%) - # - # (*) Software SHA256 results are of lesser relevance, presented - # mostly for informational purposes. diff --git a/SOURCES/openssl-1.1.1-build.patch b/SOURCES/openssl-1.1.1-build.patch deleted file mode 100644 index c0ef62b..0000000 --- a/SOURCES/openssl-1.1.1-build.patch +++ /dev/null 
@@ -1,40 +0,0 @@
-diff -up openssl-1.1.1f/Configurations/10-main.conf.build openssl-1.1.1f/Configurations/10-main.conf
---- openssl-1.1.1f/Configurations/10-main.conf.build 2020-03-31 14:17:45.000000000 +0200
-+++ openssl-1.1.1f/Configurations/10-main.conf 2020-04-07 16:42:10.920546387 +0200
-@@ -678,6 +678,7 @@ my %targets = (
- cxxflags => add("-m64"),
- lib_cppflags => add("-DL_ENDIAN"),
- perlasm_scheme => "linux64le",
-+ multilib => "64",
- },
- 
- "linux-armv4" => {
-@@ -718,6 +719,7 @@ my %targets = (
- "linux-aarch64" => {
- inherit_from => [ "linux-generic64", asm("aarch64_asm") ],
- perlasm_scheme => "linux64",
-+ multilib => "64",
- },
- "linux-arm64ilp32" => { # https://wiki.linaro.org/Platform/arm64-ilp32
- inherit_from => [ "linux-generic32", asm("aarch64_asm") ],
-diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build openssl-1.1.1f/Configurations/unix-Makefile.tmpl
---- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.build 2020-04-07 16:42:10.920546387 +0200
-+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:44:23.539142108 +0200
-@@ -823,7 +823,7 @@ uninstall_runtime_libs:
- install_man_docs:
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(ECHO) "*** Installing manpages"
-- $(PERL) $(SRCDIR)/util/process_docs.pl \
-+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- "--destdir=$(DESTDIR)$(MANDIR)" --type=man --suffix=$(MANSUFFIX)
- 
- uninstall_man_docs:
-@@ -835,7 +835,7 @@ uninstall_man_docs:
- install_html_docs:
- @[ -n "$(INSTALLTOP)" ] || (echo INSTALLTOP should not be empty; exit 1)
- @$(ECHO) "*** Installing HTML manpages"
-- $(PERL) $(SRCDIR)/util/process_docs.pl \
-+ TZ=UTC $(PERL) $(SRCDIR)/util/process_docs.pl \
- "--destdir=$(DESTDIR)$(HTMLDIR)" --type=html
- 
- uninstall_html_docs:
diff --git a/SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch b/SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch
deleted file mode 100644
index 8ea99e0..0000000
--- a/SOURCES/openssl-1.1.1-cleanup-peer-point-reneg.patch
+++ /dev/null
@@ -1,36 +0,0 @@
-diff -up openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg openssl-1.1.1k/ssl/statem/extensions.c
---- openssl-1.1.1k/ssl/statem/extensions.c.cleanup-reneg 2021-03-25 14:28:38.000000000 +0100
-+++ openssl-1.1.1k/ssl/statem/extensions.c 2021-06-24 16:16:19.526181743 +0200
-@@ -42,6 +42,7 @@ static int tls_parse_certificate_authori
- #ifndef OPENSSL_NO_SRP
- static int init_srp(SSL *s, unsigned int context);
- #endif
-+static int init_ec_point_formats(SSL *s, unsigned int context);
- static int init_etm(SSL *s, unsigned int context);
- static int init_ems(SSL *s, unsigned int context);
- static int final_ems(SSL *s, unsigned int context, int sent);
-@@ -158,7 +159,7 @@ static const EXTENSION_DEFINITION ext_de
- TLSEXT_TYPE_ec_point_formats,
- SSL_EXT_CLIENT_HELLO | SSL_EXT_TLS1_2_SERVER_HELLO
- | SSL_EXT_TLS1_2_AND_BELOW_ONLY,
-- NULL, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
-+ init_ec_point_formats, tls_parse_ctos_ec_pt_formats, tls_parse_stoc_ec_pt_formats,
- tls_construct_stoc_ec_pt_formats, tls_construct_ctos_ec_pt_formats,
- final_ec_pt_formats
- },
-@@ -1164,6 +1165,15 @@ static int init_srp(SSL *s, unsigned int
- }
- #endif
- 
-+static int init_ec_point_formats(SSL *s, unsigned int context)
-+{
-+ OPENSSL_free(s->ext.peer_ecpointformats);
-+ s->ext.peer_ecpointformats = NULL;
-+ s->ext.peer_ecpointformats_len = 0;
-+
-+ return 1;
-+}
-+
- static int init_etm(SSL *s, unsigned int context)
- {
- s->ext.use_etm = 0;
diff --git a/SOURCES/openssl-1.1.1-conf-paths.patch b/SOURCES/openssl-1.1.1-conf-paths.patch
deleted file mode 100644
index 1b02c2f..0000000
--- a/SOURCES/openssl-1.1.1-conf-paths.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-diff -up openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths openssl-1.1.1-pre8/apps/CA.pl.in
---- openssl-1.1.1-pre8/apps/CA.pl.in.conf-paths 2018-06-20 16:48:09.000000000 +0200
-+++ openssl-1.1.1-pre8/apps/CA.pl.in 2018-07-25 17:26:58.388624296 +0200
-@@ -33,7 +33,7 @@ my $X509 = "$openssl x509";
- my $PKCS12 = "$openssl pkcs12";
- 
- # default openssl.cnf file has setup as per the following
--my $CATOP = "./demoCA";
-+my $CATOP = "/etc/pki/CA";
- my $CAKEY = "cakey.pem";
- my $CAREQ = "careq.pem";
- my $CACERT = "cacert.pem";
-diff -up openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths openssl-1.1.1-pre8/apps/openssl.cnf
---- openssl-1.1.1-pre8/apps/openssl.cnf.conf-paths 2018-07-25 17:26:58.378624057 +0200
-+++ openssl-1.1.1-pre8/apps/openssl.cnf 2018-07-27 13:20:08.198513471 +0200
-@@ -23,6 +23,22 @@ oid_section = new_oids
- # (Alternatively, use a configuration file that has only
- # X.509v3 extensions in its main [= default] section.)
- 
-+# Load default TLS policy configuration
-+
-+openssl_conf = default_modules
-+
-+[ default_modules ]
-+
-+ssl_conf = ssl_module
-+
-+[ ssl_module ]
-+
-+system_default = crypto_policy
-+
-+[ crypto_policy ]
-+
-+.include /etc/crypto-policies/back-ends/opensslcnf.config
-+
- [ new_oids ]
- 
- # We can add new OIDs in here for use by 'ca', 'req' and 'ts'.
-@@ -43,7 +59,7 @@ default_ca = CA_default # The default c
- ####################################################################
- [ CA_default ]
- 
--dir = ./demoCA # Where everything is kept
-+dir = /etc/pki/CA # Where everything is kept
- certs = $dir/certs # Where the issued certs are kept
- crl_dir = $dir/crl # Where the issued crl are kept
- database = $dir/index.txt # database index file.
-@@ -329,7 +345,7 @@ default_tsa = tsa_config1 # the default
- [ tsa_config1 ]
- 
- # These are used by the TSA reply generation only.
--dir = ./demoCA # TSA root directory
-+dir = /etc/pki/CA # TSA root directory
- serial = $dir/tsaserial # The current serial number (mandatory)
- crypto_device = builtin # OpenSSL engine to use for signing
- signer_cert = $dir/tsacert.pem # The TSA signing certificate
diff --git a/SOURCES/openssl-1.1.1-cve-2022-0778.patch b/SOURCES/openssl-1.1.1-cve-2022-0778.patch
deleted file mode 100644
index 4e62b3f..0000000
--- a/SOURCES/openssl-1.1.1-cve-2022-0778.patch
+++ /dev/null
@@ -1,179 +0,0 @@
-From 3118eb64934499d93db3230748a452351d1d9a65 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Mon, 28 Feb 2022 18:26:21 +0100
-Subject: [PATCH] Fix possible infinite loop in BN_mod_sqrt()
-
-The calculation in some cases does not finish for non-prime p.
-
-This fixes CVE-2022-0778.
-
-Based on patch by David Benjamin .
-
-Reviewed-by: Paul Dale
-Reviewed-by: Matt Caswell
----
- crypto/bn/bn_sqrt.c | 30 ++++++++++++++++++------------
- 1 file changed, 18 insertions(+), 12 deletions(-)
-
-From b5fcb7e133725b8b2eb66f63f5142710ed63a6d1 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Mon, 28 Feb 2022 18:26:30 +0100
-Subject: [PATCH] Add documentation of BN_mod_sqrt()
-
-Reviewed-by: Paul Dale
-Reviewed-by: Matt Caswell
----
- doc/man3/BN_add.pod | 15 +++++++++++++--
- 1 file changed, 13 insertions(+), 2 deletions(-)
-
-From 3ef5c3034e5c545f34d6929568f3f2b10ac4bdf0 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Mon, 28 Feb 2022 18:26:35 +0100
-Subject: [PATCH] Add a negative testcase for BN_mod_sqrt
-
-Reviewed-by: Paul Dale
-Reviewed-by: Matt Caswell
----
- test/bntest.c | 11 ++++++++++-
- test/recipes/10-test_bn_data/bnmod.txt | 12 ++++++++++++
- 2 files changed, 22 insertions(+), 1 deletion(-)
-
-diff --git a/crypto/bn/bn_sqrt.c b/crypto/bn/bn_sqrt.c
-index 1723d5ded5a8..53b0f559855c 100644
---- a/crypto/bn/bn_sqrt.c
-+++ b/crypto/bn/bn_sqrt.c
-@@ -14,7 +14,8 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx)
- /*
- * Returns 'ret' such that ret^2 == a (mod p), using the Tonelli/Shanks
- * algorithm (cf. Henri Cohen, "A Course in Algebraic Computational Number
-- * Theory", algorithm 1.5.1). 'p' must be prime!
-+ * Theory", algorithm 1.5.1). 'p' must be prime, otherwise an error or
-+ * an incorrect "result" will be returned.
- */ - { - BIGNUM *ret = in; -@@ -301,18 +302,23 @@ BIGNUM *BN_mod_sqrt(BIGNUM *in, const BIGNUM *a, const BIGNUM *p, BN_CTX *ctx) - goto vrfy; - } - -- /* find smallest i such that b^(2^i) = 1 */ -- i = 1; -- if (!BN_mod_sqr(t, b, p, ctx)) -- goto end; -- while (!BN_is_one(t)) { -- i++; -- if (i == e) { -- BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); -- goto end; -+ /* Find the smallest i, 0 < i < e, such that b^(2^i) = 1. */ -+ for (i = 1; i < e; i++) { -+ if (i == 1) { -+ if (!BN_mod_sqr(t, b, p, ctx)) -+ goto end; -+ -+ } else { -+ if (!BN_mod_mul(t, t, t, p, ctx)) -+ goto end; - } -- if (!BN_mod_mul(t, t, t, p, ctx)) -- goto end; -+ if (BN_is_one(t)) -+ break; -+ } -+ /* If not found, a is not a square or p is not prime. */ -+ if (i >= e) { -+ BNerr(BN_F_BN_MOD_SQRT, BN_R_NOT_A_SQUARE); -+ goto end; - } - - /* t := y^2^(e - i - 1) */ -diff --git a/doc/man3/BN_add.pod b/doc/man3/BN_add.pod -index dccd4790ede7..1f5e37a4d183 100644 ---- a/doc/man3/BN_add.pod -+++ b/doc/man3/BN_add.pod -@@ -3,7 +3,7 @@ - =head1 NAME - - BN_add, BN_sub, BN_mul, BN_sqr, BN_div, BN_mod, BN_nnmod, BN_mod_add, --BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_exp, BN_mod_exp, BN_gcd - -+BN_mod_sub, BN_mod_mul, BN_mod_sqr, BN_mod_sqrt, BN_exp, BN_mod_exp, BN_gcd - - arithmetic operations on BIGNUMs - - =head1 SYNOPSIS -@@ -36,6 +36,8 @@ arithmetic operations on BIGNUMs - - int BN_mod_sqr(BIGNUM *r, BIGNUM *a, const BIGNUM *m, BN_CTX *ctx); - -+ BIGNUM *BN_mod_sqrt(BIGNUM *in, BIGNUM *a, const BIGNUM *p, BN_CTX *ctx); -+ - int BN_exp(BIGNUM *r, BIGNUM *a, BIGNUM *p, BN_CTX *ctx); - - int BN_mod_exp(BIGNUM *r, BIGNUM *a, const BIGNUM *p, -@@ -87,6 +89,12 @@ L. - BN_mod_sqr() takes the square of I modulo B and places the - result in I. - -+BN_mod_sqrt() returns the modular square root of I such that -+C. The modulus I

must be a -+prime, otherwise an error or an incorrect "result" will be returned. -+The result is stored into I which can be NULL. The result will be -+newly allocated in that case. -+ - BN_exp() raises I to the I

-th power and places the result in I - (C). This function is faster than repeated applications of - BN_mul(). -@@ -108,7 +116,10 @@ the arguments. - - =head1 RETURN VALUES - --For all functions, 1 is returned for success, 0 on error. The return -+The BN_mod_sqrt() returns the result (possibly incorrect if I

is -+not a prime), or NULL. -+ -+For all remaining functions, 1 is returned for success, 0 on error. The return - value should always be checked (e.g., C). - The error codes can be obtained by L. - -diff --git a/test/bntest.c b/test/bntest.c -index 390dd800733e..1cab660bcafb 100644 ---- a/test/bntest.c -+++ b/test/bntest.c -@@ -1729,8 +1729,17 @@ static int file_modsqrt(STANZA *s) - || !TEST_ptr(ret2 = BN_new())) - goto err; - -+ if (BN_is_negative(mod_sqrt)) { -+ /* A negative testcase */ -+ if (!TEST_ptr_null(BN_mod_sqrt(ret, a, p, ctx))) -+ goto err; -+ -+ st = 1; -+ goto err; -+ } -+ - /* There are two possible answers. */ -- if (!TEST_true(BN_mod_sqrt(ret, a, p, ctx)) -+ if (!TEST_ptr(BN_mod_sqrt(ret, a, p, ctx)) - || !TEST_true(BN_sub(ret2, p, ret))) - goto err; - -diff --git a/test/recipes/10-test_bn_data/bnmod.txt b/test/recipes/10-test_bn_data/bnmod.txt -index 5ea4d031f271..e28cc6bfb02e 100644 ---- a/test/recipes/10-test_bn_data/bnmod.txt -+++ b/test/recipes/10-test_bn_data/bnmod.txt -@@ -2799,3 +2799,15 @@ P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f - ModSqrt = a1d52989f12f204d3d2167d9b1e6c8a6174c0c786a979a5952383b7b8bd186 - A = 2eee37cf06228a387788188e650bc6d8a2ff402931443f69156a29155eca07dcb45f3aac238d92943c0c25c896098716baa433f25bd696a142f5a69d5d937e81 - P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f -+ -+# Negative testcases for BN_mod_sqrt() -+ -+# This one triggers an infinite loop with unfixed implementation -+# It should just fail. -+ModSqrt = -1 -+A = 20a7ee -+P = 460201 -+ -+ModSqrt = -1 -+A = 65bebdb00a96fc814ec44b81f98b59fba3c30203928fa5214c51e0a97091645280c947b005847f239758482b9bfc45b066fde340d1fe32fc9c1bf02e1b2d0ed -+P = 9df9d6cc20b8540411af4e5357ef2b0353cb1f2ab5ffc3e246b41c32f71e951f diff --git a/SOURCES/openssl-1.1.1-cve-2022-1292.patch b/SOURCES/openssl-1.1.1-cve-2022-1292.patch deleted file mode 100644 index f628110..0000000 --- a/SOURCES/openssl-1.1.1-cve-2022-1292.patch +++ /dev/null 
@@ -1,74 +0,0 @@
-From e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23 Mon Sep 17 00:00:00 2001
-From: Tomas Mraz
-Date: Tue, 26 Apr 2022 12:40:24 +0200
-Subject: [PATCH] c_rehash: Do not use shell to invoke openssl
- 
-Except on VMS where it is safe.
- 
-This fixes CVE-2022-1292.
- 
-Reviewed-by: Matthias St. Pierre
-Reviewed-by: Matt Caswell
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/e5fd1728ef4c7a5bf7c7a7163ca60370460a6e23]
----
- tools/c_rehash.in | 29 +++++++++++++++++++++++++----
- 1 file changed, 25 insertions(+), 4 deletions(-)
- 
-diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index fa7c6c9fef91..83c1cc80e08a 100644
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -152,6 +152,23 @@ sub check_file {
- return ($is_cert, $is_crl);
- }
- 
-+sub compute_hash {
-+ my $fh;
-+ if ( $^O eq "VMS" ) {
-+ # VMS uses the open through shell
-+ # The file names are safe there and list form is unsupported
-+ if (!open($fh, "-|", join(' ', @_))) {
-+ print STDERR "Cannot compute hash on '$fname'\n";
-+ return;
-+ }
-+ } else {
-+ if (!open($fh, "-|", @_)) {
-+ print STDERR "Cannot compute hash on '$fname'\n";
-+ return;
-+ }
-+ }
-+ return (<$fh>, <$fh>);
-+}
- 
- # Link a certificate to its subject name hash value, each hash is of
- # the form . where n is an integer. If the hash value already exists
-@@ -161,10 +178,12 @@ sub check_file {
- 
- sub link_hash_cert {
- my $fname = $_[0];
-- $fname =~ s/\"/\\\"/g;
-- my ($hash, $fprint) = `"$openssl" x509 $x509hash -fingerprint -noout -in "$fname"`;
-+ my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
- chomp $hash;
- chomp $fprint;
-+ return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
-@@ -202,10 +221,12 @@ sub link_hash_cert {
- 
- sub link_hash_crl {
- my $fname = $_[0];
-- $fname =~ s/'/'\\''/g;
-- my ($hash, $fprint) = `"$openssl" crl $crlhash -fingerprint -noout -in '$fname'`;
-+ my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
- chomp $hash;
- chomp $fprint;
-+ return if !$hash;
- $fprint =~ s/^.*=//;
- $fprint =~ tr/://d;
- my $suffix = 0;
diff --git a/SOURCES/openssl-1.1.1-cve-2022-2068.patch b/SOURCES/openssl-1.1.1-cve-2022-2068.patch
deleted file mode 100644
index a3f9f5a..0000000
--- a/SOURCES/openssl-1.1.1-cve-2022-2068.patch
+++ /dev/null
@@ -1,255 +0,0 @@
-From 9639817dac8bbbaa64d09efad7464ccc405527c7 Mon Sep 17 00:00:00 2001
-From: Daniel Fiala
-Date: Sun, 29 May 2022 20:11:24 +0200
-Subject: [PATCH] Fix file operations in c_rehash.
- 
-CVE-2022-2068
- 
-Reviewed-by: Matt Caswell
-Reviewed-by: Richard Levitte
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9639817dac8bbbaa64d09efad7464ccc405527c7]
----
- tools/c_rehash.in | 216 +++++++++++++++++++++++-----------------------
- 1 file changed, 107 insertions(+), 109 deletions(-)
- 
-diff --git a/tools/c_rehash.in b/tools/c_rehash.in
-index cfd18f5da110..9d2a6f6db73b 100644
---- a/tools/c_rehash.in
-+++ b/tools/c_rehash.in
-@@ -104,52 +104,78 @@ foreach (@dirlist) {
- }
- exit($errorcount);
- 
-+sub copy_file {
-+ my ($src_fname, $dst_fname) = @_;
-+
-+ if (open(my $in, "<", $src_fname)) {
-+ if (open(my $out, ">", $dst_fname)) {
-+ print $out $_ while (<$in>);
-+ close $out;
-+ } else {
-+ warn "Cannot open $dst_fname for write, $!";
-+ }
-+ close $in;
-+ } else {
-+ warn "Cannot open $src_fname for read, $!";
-+ }
-+}
-+
- sub hash_dir {
-- my %hashlist;
-- print "Doing $_[0]\n";
-- chdir $_[0];
-- opendir(DIR, ".");
-- my @flist = sort readdir(DIR);
-- closedir DIR;
-- if ( $removelinks ) {
-- # Delete any existing symbolic links
-- foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
-- if (-l $_) {
-- print "unlink $_" if $verbose;
-- unlink $_ || warn "Can't unlink $_, $!\n";
-- }
-- }
-- }
-- FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
-- # Check to see if certificates and/or CRLs present.
-- my ($cert, $crl) = check_file($fname);
-- if (!$cert && !$crl) {
-- print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
-- next;
-- }
-- link_hash_cert($fname) if ($cert);
-- link_hash_crl($fname) if ($crl);
-- }
-+ my $dir = shift;
-+ my %hashlist;
-+
-+ print "Doing $dir\n";
-+
-+ if (!chdir $dir) {
-+ print STDERR "WARNING: Cannot chdir to '$dir', $!\n";
-+ return;
-+ }
-+
-+ opendir(DIR, ".") || print STDERR "WARNING: Cannot opendir '.', $!\n";
-+ my @flist = sort readdir(DIR);
-+ closedir DIR;
-+ if ( $removelinks ) {
-+ # Delete any existing symbolic links
-+ foreach (grep {/^[\da-f]+\.r{0,1}\d+$/} @flist) {
-+ if (-l $_) {
-+ print "unlink $_\n" if $verbose;
-+ unlink $_ || warn "Can't unlink $_, $!\n";
-+ }
-+ }
-+ }
-+ FILE: foreach $fname (grep {/\.(pem)|(crt)|(cer)|(crl)$/} @flist) {
-+ # Check to see if certificates and/or CRLs present.
-+ my ($cert, $crl) = check_file($fname);
-+ if (!$cert && !$crl) {
-+ print STDERR "WARNING: $fname does not contain a certificate or CRL: skipping\n";
-+ next;
-+ }
-+ link_hash_cert($fname) if ($cert);
-+ link_hash_crl($fname) if ($crl);
-+ }
-+
-+ chdir $pwd;
- }
- 
- sub check_file {
-- my ($is_cert, $is_crl) = (0,0);
-- my $fname = $_[0];
-- open IN, $fname;
-- while() {
-- if (/^-----BEGIN (.*)-----/) {
-- my $hdr = $1;
-- if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
-- $is_cert = 1;
-- last if ($is_crl);
-- } elsif ($hdr eq "X509 CRL") {
-- $is_crl = 1;
-- last if ($is_cert);
-- }
-- }
-- }
-- close IN;
-- return ($is_cert, $is_crl);
-+ my ($is_cert, $is_crl) = (0,0);
-+ my $fname = $_[0];
-+
-+ open(my $in, "<", $fname);
-+ while(<$in>) {
-+ if (/^-----BEGIN (.*)-----/) {
-+ my $hdr = $1;
-+ if ($hdr =~ /^(X509 |TRUSTED |)CERTIFICATE$/) {
-+ $is_cert = 1;
-+ last if ($is_crl);
-+ } elsif ($hdr eq "X509 CRL") {
-+ $is_crl = 1;
-+ last if ($is_cert);
-+ }
-+ }
-+ }
-+ close $in;
-+ return ($is_cert, $is_crl);
- }
- 
- sub compute_hash {
-@@ -177,76 +203,48 @@ sub compute_hash {
- # certificate fingerprints
- 
- sub link_hash_cert {
-- my $fname = $_[0];
-- my ($hash, $fprint) = compute_hash($openssl, "x509", $x509hash,
-- "-fingerprint", "-noout",
-- "-in", $fname);
-- chomp $hash;
-- chomp $fprint;
-- return if !$hash;
-- $fprint =~ s/^.*=//;
-- $fprint =~ tr/://d;
-- my $suffix = 0;
-- # Search for an unused hash filename
-- while(exists $hashlist{"$hash.$suffix"}) {
-- # Hash matches: if fingerprint matches its a duplicate cert
-- if ($hashlist{"$hash.$suffix"} eq $fprint) {
-- print STDERR "WARNING: Skipping duplicate certificate $fname\n";
-- return;
-- }
-- $suffix++;
-- }
-- $hash .= ".$suffix";
-- if ($symlink_exists) {
-- print "link $fname -> $hash\n" if $verbose;
-- symlink $fname, $hash || warn "Can't symlink, $!";
-- } else {
-- print "copy $fname -> $hash\n" if $verbose;
-- if (open($in, "<", $fname)) {
-- if (open($out,">", $hash)) {
-- print $out $_ while (<$in>);
-- close $out;
-- } else {
-- warn "can't open $hash for write, $!";
-- }
-- close $in;
-- } else {
-- warn "can't open $fname for read, $!";
-- }
-- }
-- $hashlist{$hash} = $fprint;
-+ link_hash($_[0], 'cert');
- }
- 
- # Same as above except for a CRL. CRL links are of the form .r
- 
- sub link_hash_crl {
-- my $fname = $_[0];
-- my ($hash, $fprint) = compute_hash($openssl, "crl", $crlhash,
-- "-fingerprint", "-noout",
-- "-in", $fname);
-- chomp $hash;
-- chomp $fprint;
-- return if !$hash;
-- $fprint =~ s/^.*=//;
-- $fprint =~ tr/://d;
-- my $suffix = 0;
-- # Search for an unused hash filename
-- while(exists $hashlist{"$hash.r$suffix"}) {
-- # Hash matches: if fingerprint matches its a duplicate cert
-- if ($hashlist{"$hash.r$suffix"} eq $fprint) {
-- print STDERR "WARNING: Skipping duplicate CRL $fname\n";
-- return;
-- }
-- $suffix++;
-- }
-- $hash .= ".r$suffix";
-- if ($symlink_exists) {
-- print "link $fname -> $hash\n" if $verbose;
-- symlink $fname, $hash || warn "Can't symlink, $!";
-- } else {
-- print "cp $fname -> $hash\n" if $verbose;
-- system ("cp", $fname, $hash);
-- warn "Can't copy, $!" if ($? >> 8) != 0;
-- }
-- $hashlist{$hash} = $fprint;
-+ link_hash($_[0], 'crl');
-+}
-+
-+sub link_hash {
-+ my ($fname, $type) = @_;
-+ my $is_cert = $type eq 'cert';
-+
-+ my ($hash, $fprint) = compute_hash($openssl,
-+ $is_cert ? "x509" : "crl",
-+ $is_cert ? $x509hash : $crlhash,
-+ "-fingerprint", "-noout",
-+ "-in", $fname);
-+ chomp $hash;
-+ chomp $fprint;
-+ return if !$hash;
-+ $fprint =~ s/^.*=//;
-+ $fprint =~ tr/://d;
-+ my $suffix = 0;
-+ # Search for an unused hash filename
-+ my $crlmark = $is_cert ? "" : "r";
-+ while(exists $hashlist{"$hash.$crlmark$suffix"}) {
-+ # Hash matches: if fingerprint matches its a duplicate cert
-+ if ($hashlist{"$hash.$crlmark$suffix"} eq $fprint) {
-+ my $what = $is_cert ? 'certificate' : 'CRL';
-+ print STDERR "WARNING: Skipping duplicate $what $fname\n";
-+ return;
-+ }
-+ $suffix++;
-+ }
-+ $hash .= ".$crlmark$suffix";
-+ if ($symlink_exists) {
-+ print "link $fname -> $hash\n" if $verbose;
-+ symlink $fname, $hash || warn "Can't symlink, $!";
-+ } else {
-+ print "copy $fname -> $hash\n" if $verbose;
-+ copy_file($fname, $hash);
-+ }
-+ $hashlist{$hash} = $fprint;
- }
diff --git a/SOURCES/openssl-1.1.1-cve-2022-2097.patch b/SOURCES/openssl-1.1.1-cve-2022-2097.patch
deleted file mode 100644
index ade404d..0000000
--- a/SOURCES/openssl-1.1.1-cve-2022-2097.patch
+++ /dev/null
@@ -1,152 +0,0 @@
-From 919925673d6c9cfed3c1085497f5dfbbed5fc431 Mon Sep 17 00:00:00 2001
-From: Alex Chernyakhovsky
-Date: Thu, 16 Jun 2022 12:00:22 +1000
-Subject: [PATCH] Fix AES OCB encrypt/decrypt for x86 AES-NI
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
- 
-aesni_ocb_encrypt and aesni_ocb_decrypt operate by having a fast-path
-that performs operations on 6 16-byte blocks concurrently (the
-"grandloop") and then proceeds to handle the "short" tail (which can
-be anywhere from 0 to 5 blocks) that remain.
- 
-As part of initialization, the assembly initializes $len to the true
-length, less 96 bytes and converts it to a pointer so that the $inp
-can be compared to it. Each iteration of "grandloop" checks to see if
-there's a full 96-byte chunk to process, and if so, continues. Once
-this has been exhausted, it falls through to "short", which handles
-the remaining zero to five blocks.
- 
-Unfortunately, the jump at the end of "grandloop" had a fencepost
-error, doing a `jb` ("jump below") rather than `jbe` (jump below or
-equal). This should be `jbe`, as $inp is pointing to the *end* of the
-chunk currently being handled. If $inp == $len, that means that
-there's a whole 96-byte chunk waiting to be handled. If $inp > $len,
-then there's 5 or fewer 16-byte blocks left to be handled, and the
-fall-through is intended.
- 
-The net effect of `jb` instead of `jbe` is that the last 16-byte block
-of the last 96-byte chunk was completely omitted. The contents of
-`out` in this position were never written to. Additionally, since
-those bytes were never processed, the authentication tag generated is
-also incorrect.
- 
-The same fencepost error, and identical logic, exists in both
-aesni_ocb_encrypt and aesni_ocb_decrypt.
- 
-This addresses CVE-2022-2097.
- 
-Co-authored-by: Alejandro Sedeño
-Co-authored-by: David Benjamin
- 
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/919925673d6c9cfed3c1085497f5dfbbed5fc431]
----
- crypto/aes/asm/aesni-x86.pl | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
- 
-diff --git a/crypto/aes/asm/aesni-x86.pl b/crypto/aes/asm/aesni-x86.pl
-index fe2b26542ab6..812758e02e04 100644
---- a/crypto/aes/asm/aesni-x86.pl
-+++ b/crypto/aes/asm/aesni-x86.pl
-@@ -2027,7 +2027,7 @@ sub aesni_generate6
- &movdqu (&QWP(-16*2,$out,$inp),$inout4);
- &movdqu (&QWP(-16*1,$out,$inp),$inout5);
- &cmp ($inp,$len); # done yet?
-- &jb (&label("grandloop"));
-+ &jbe (&label("grandloop"));
- 
- &set_label("short");
- &add ($len,16*6);
-@@ -2453,7 +2453,7 @@ sub aesni_generate6
- &pxor ($rndkey1,$inout5);
- &movdqu (&QWP(-16*1,$out,$inp),$inout5);
- &cmp ($inp,$len); # done yet?
-- &jb (&label("grandloop"));
-+ &jbe (&label("grandloop"));
- 
- &set_label("short");
- &add ($len,16*6);
-From 9131afdca30b6d1650af9ea6179569a80ab8cb06 Mon Sep 17 00:00:00 2001
-From: Alex Chernyakhovsky
-Date: Thu, 16 Jun 2022 12:02:37 +1000
-Subject: [PATCH] AES OCB test vectors
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
- 
-Add test vectors for AES OCB for x86 AES-NI multiple of 96 byte issue.
- 
-Co-authored-by: Alejandro Sedeño
-Co-authored-by: David Benjamin
- 
-Reviewed-by: Paul Dale
-Reviewed-by: Tomas Mraz
-Upstream-Status: Backport [https://github.com/openssl/openssl/commit/9131afdca30b6d1650af9ea6179569a80ab8cb06]
----
- test/recipes/30-test_evp_data/evpciph.txt | 50 +++++++++++++++++++++++
- 1 file changed, 50 insertions(+)
- 
-diff --git a/test/recipes/30-test_evp_data/evpciph.txt b/test/recipes/30-test_evp_data/evpciph.txt
-index 1c02ea1e9c2d..e12670d9a4b4 100644
---- a/test/recipes/30-test_evp_data/evpciph.txt
-+++ b/test/recipes/30-test_evp_data/evpciph.txt
-@@ -1188,6 +1188,56 @@ Ciphertext = 09A4FD29DE949D9A9AA9924248422097AD4883B4713E6C214FF6567ADA08A967B21
- Operation = DECRYPT
- Result = CIPHERFINAL_ERROR
- 
-+#Test vectors generated to validate aesni_ocb_encrypt on x86
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = C14DFF7D62A13C4A3422456207453190
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B819333
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = D47D84F6FF912C79B6A4223AB9BE2DB8
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC204
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = 41970D13737B7BD1B5FBF49ED4412CA5
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = BE0228651ED4E48A11BDED68D953F3A0
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = 17BC6E10B16E5FDC52836E7D589518C7
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = E84AAC18666116990A3A37B3A5FC55BD
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED
-+
-+Cipher = aes-128-ocb
-+Key = 000102030405060708090A0B0C0D0E0F
-+IV = 000000000001020304050607
-+Tag = 3E5EA7EE064FE83B313E28D411E91EAD
-+Plaintext = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F7071000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D
-+Ciphertext = F5186C9CC3506386919B6FD9443956E05B203313F8AB35E916AB36932EBDDCD2945901BABE7CF29404929F322F954C916065FABF8F1E52F4BD7C538C0F96899519DBC6BC504D837D8EBD1436B45D33F528CB642FA2EB2C403FE604C12B8193332374120A78A1171D23ED9E9CB1ADC20412C017AD0CA498827C768DDD99B26E91EDB8681700FF30366F07AEDE8CEACC1F39BE69B91BC808FA7A193F7EEA43137B11CF99263D693AEBDF8ADE1A1D838DED48D9E09F452F8E6FBEB76A3DED47611C
-+
- Title = AES XTS test vectors from IEEE Std 1619-2007
- 
- # Using the same key twice for encryption is always banned.
diff --git a/SOURCES/openssl-1.1.1-cve-2022-4304-RSA-oracle.patch b/SOURCES/openssl-1.1.1-cve-2022-4304-RSA-oracle.patch
deleted file mode 100644
index 9a888a6..0000000
--- a/SOURCES/openssl-1.1.1-cve-2022-4304-RSA-oracle.patch
+++ /dev/null
@@ -1,805 +0,0 @@ -From 43d8f88511991533f53680a751e9326999a6a31f Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Fri, 20 Jan 2023 15:26:54 +0000 -Subject: [PATCH 1/6] Fix Timing Oracle in RSA decryption - -A timing based side channel exists in the OpenSSL RSA Decryption -implementation which could be sufficient to recover a plaintext across -a network in a Bleichenbacher style attack. To achieve a successful -decryption an attacker would have to be able to send a very large number -of trial messages for decryption. The vulnerability affects all RSA -padding modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. - -Patch written by Dmitry Belyavsky and Hubert Kario - -CVE-2022-4304 - -Reviewed-by: Dmitry Belyavskiy -Reviewed-by: Tomas Mraz ---- - crypto/bn/bn_blind.c | 14 - - crypto/bn/bn_err.c | 2 + - crypto/bn/bn_local.h | 14 + - crypto/bn/build.info | 3 +- - crypto/bn/rsa_sup_mul.c | 614 ++++++++++++++++++++++++++++++++++++++++ - crypto/err/openssl.txt | 3 +- - crypto/rsa/rsa_ossl.c | 17 +- - include/crypto/bn.h | 5 + - include/openssl/bnerr.h | 1 + - 9 files changed, 653 insertions(+), 20 deletions(-) - create mode 100644 crypto/bn/rsa_sup_mul.c - -diff --git a/crypto/bn/bn_blind.c b/crypto/bn/bn_blind.c -index 76fc7ebcff..6e9d239321 100644 ---- a/crypto/bn/bn_blind.c -+++ b/crypto/bn/bn_blind.c -@@ -13,20 +13,6 @@ - - #define BN_BLINDING_COUNTER 32 - --struct bn_blinding_st { -- BIGNUM *A; -- BIGNUM *Ai; -- BIGNUM *e; -- BIGNUM *mod; /* just a reference */ -- CRYPTO_THREAD_ID tid; -- int counter; -- unsigned long flags; -- BN_MONT_CTX *m_ctx; -- int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -- const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -- CRYPTO_RWLOCK *lock; --}; -- - BN_BLINDING *BN_BLINDING_new(const BIGNUM *A, const BIGNUM *Ai, BIGNUM *mod) - { - BN_BLINDING *ret = NULL; -diff --git a/crypto/bn/bn_err.c b/crypto/bn/bn_err.c -index dd87c152cf..3dd8d9a568 100644 ---- a/crypto/bn/bn_err.c -+++ b/crypto/bn/bn_err.c -@@ -73,6 +73,8 @@ static 
const ERR_STRING_DATA BN_str_functs[] = { - {ERR_PACK(ERR_LIB_BN, BN_F_BN_SET_WORDS, 0), "bn_set_words"}, - {ERR_PACK(ERR_LIB_BN, BN_F_BN_STACK_PUSH, 0), "BN_STACK_push"}, - {ERR_PACK(ERR_LIB_BN, BN_F_BN_USUB, 0), "BN_usub"}, -+ {ERR_PACK(ERR_LIB_BN, BN_F_OSSL_BN_RSA_DO_UNBLIND, 0), -+ "ossl_bn_rsa_do_unblind"}, - {0, NULL} - }; - -diff --git a/crypto/bn/bn_local.h b/crypto/bn/bn_local.h -index 62a969b134..4d8cb64675 100644 ---- a/crypto/bn/bn_local.h -+++ b/crypto/bn/bn_local.h -@@ -283,6 +283,20 @@ struct bn_gencb_st { - } cb; - }; - -+struct bn_blinding_st { -+ BIGNUM *A; -+ BIGNUM *Ai; -+ BIGNUM *e; -+ BIGNUM *mod; /* just a reference */ -+ CRYPTO_THREAD_ID tid; -+ int counter; -+ unsigned long flags; -+ BN_MONT_CTX *m_ctx; -+ int (*bn_mod_exp) (BIGNUM *r, const BIGNUM *a, const BIGNUM *p, -+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *m_ctx); -+ CRYPTO_RWLOCK *lock; -+}; -+ - /*- - * BN_window_bits_for_exponent_size -- macro for sliding window mod_exp functions - * -diff --git a/crypto/bn/build.info b/crypto/bn/build.info -index b9ed5322fa..c9fe2fdada 100644 ---- a/crypto/bn/build.info -+++ b/crypto/bn/build.info -@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\ - bn_kron.c bn_sqrt.c bn_gcd.c bn_prime.c bn_err.c bn_sqr.c \ - {- $target{bn_asm_src} -} \ - bn_recp.c bn_mont.c bn_mpi.c bn_exp2.c bn_gf2m.c bn_nist.c \ -- bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c -+ bn_depr.c bn_const.c bn_x931p.c bn_intern.c bn_dh.c bn_srp.c \ -+ rsa_sup_mul.c - - INCLUDE[bn_exp.o]=.. 
- -diff --git a/crypto/bn/rsa_sup_mul.c b/crypto/bn/rsa_sup_mul.c -new file mode 100644 -index 0000000000..acafefd5fe ---- /dev/null -+++ b/crypto/bn/rsa_sup_mul.c -@@ -0,0 +1,614 @@ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "internal/numbers.h" -+#include "internal/constant_time.h" -+#include "bn_local.h" -+ -+# if BN_BYTES == 8 -+typedef uint64_t limb_t; -+# if defined(__SIZEOF_INT128__) && __SIZEOF_INT128__ == 16 -+/* nonstandard; implemented by gcc on 64-bit platforms */ -+typedef __uint128_t limb2_t; -+# define HAVE_LIMB2_T -+# endif -+# define LIMB_BIT_SIZE 64 -+# define LIMB_BYTE_SIZE 8 -+# elif BN_BYTES == 4 -+typedef uint32_t limb_t; -+typedef uint64_t limb2_t; -+# define LIMB_BIT_SIZE 32 -+# define LIMB_BYTE_SIZE 4 -+# define HAVE_LIMB2_T -+# else -+# error "Not supported" -+# endif -+ -+/* -+ * For multiplication we're using schoolbook multiplication, -+ * so if we have two numbers, each with 6 "digits" (words) -+ * the multiplication is calculated as follows: -+ * A B C D E F -+ * x I J K L M N -+ * -------------- -+ * N*F -+ * N*E -+ * N*D -+ * N*C -+ * N*B -+ * N*A -+ * M*F -+ * M*E -+ * M*D -+ * M*C -+ * M*B -+ * M*A -+ * L*F -+ * L*E -+ * L*D -+ * L*C -+ * L*B -+ * L*A -+ * K*F -+ * K*E -+ * K*D -+ * K*C -+ * K*B -+ * K*A -+ * J*F -+ * J*E -+ * J*D -+ * J*C -+ * J*B -+ * J*A -+ * I*F -+ * I*E -+ * I*D -+ * I*C -+ * I*B -+ * + I*A -+ * ========================== -+ * N*B N*D N*F -+ * + N*A N*C N*E -+ * + M*B M*D M*F -+ * + M*A M*C M*E -+ * + L*B L*D L*F -+ * + L*A L*C L*E -+ * + K*B K*D K*F -+ * + K*A K*C K*E -+ * + J*B J*D J*F -+ * + J*A J*C J*E -+ * + I*B I*D I*F -+ * + I*A I*C I*E -+ * -+ * 1+1 1+3 1+5 -+ * 1+0 1+2 1+4 -+ * 0+1 0+3 0+5 -+ * 0+0 0+2 0+4 -+ * -+ * 0 1 2 3 4 5 6 -+ * which requires n^2 multiplications and 2n full length additions -+ * as we can keep every other result of limb multiplication in two separate -+ * limbs -+ */ -+ -+#if defined HAVE_LIMB2_T -+static ossl_inline void 
_mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ limb2_t t; -+ /* -+ * this is idiomatic code to tell compiler to use the native mul -+ * those three lines will actually compile to single instruction -+ */ -+ -+ t = (limb2_t)a * b; -+ *hi = t >> LIMB_BIT_SIZE; -+ *lo = (limb_t)t; -+} -+#elif (BN_BYTES == 8) && (defined _MSC_VER) -+/* https://learn.microsoft.com/en-us/cpp/intrinsics/umul128?view=msvc-170 */ -+#pragma intrinsic(_umul128) -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ *lo = _umul128(a, b, hi); -+} -+#else -+/* -+ * if the compiler doesn't have either a 128bit data type nor a "return -+ * high 64 bits of multiplication" -+ */ -+static ossl_inline void _mul_limb(limb_t *hi, limb_t *lo, limb_t a, limb_t b) -+{ -+ limb_t a_low = (limb_t)(uint32_t)a; -+ limb_t a_hi = a >> 32; -+ limb_t b_low = (limb_t)(uint32_t)b; -+ limb_t b_hi = b >> 32; -+ -+ limb_t p0 = a_low * b_low; -+ limb_t p1 = a_low * b_hi; -+ limb_t p2 = a_hi * b_low; -+ limb_t p3 = a_hi * b_hi; -+ -+ uint32_t cy = (uint32_t)(((p0 >> 32) + (uint32_t)p1 + (uint32_t)p2) >> 32); -+ -+ *lo = p0 + (p1 << 32) + (p2 << 32); -+ *hi = p3 + (p1 >> 32) + (p2 >> 32) + cy; -+} -+#endif -+ -+/* add two limbs with carry in, return carry out */ -+static ossl_inline limb_t _add_limb(limb_t *ret, limb_t a, limb_t b, limb_t carry) -+{ -+ limb_t carry1, carry2, t; -+ /* -+ * `c = a + b; if (c < a)` is idiomatic code that makes compilers -+ * use add with carry on assembly level -+ */ -+ -+ *ret = a + carry; -+ if (*ret < a) -+ carry1 = 1; -+ else -+ carry1 = 0; -+ -+ t = *ret; -+ *ret = t + b; -+ if (*ret < t) -+ carry2 = 1; -+ else -+ carry2 = 0; -+ -+ return carry1 + carry2; -+} -+ -+/* -+ * add two numbers of the same size, return overflow -+ * -+ * add a to b, place result in ret; all arrays need to be n limbs long -+ * return overflow from addition (0 or 1) -+ */ -+static ossl_inline limb_t add(limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ limb_t c = 0; 
-+ ossl_ssize_t i; -+ -+ for(i = n - 1; i > -1; i--) -+ c = _add_limb(&ret[i], a[i], b[i], c); -+ -+ return c; -+} -+ -+/* -+ * return number of limbs necessary for temporary values -+ * when multiplying numbers n limbs large -+ */ -+static ossl_inline size_t mul_limb_numb(size_t n) -+{ -+ return 2 * n * 2; -+} -+ -+/* -+ * multiply two numbers of the same size -+ * -+ * multiply a by b, place result in ret; a and b need to be n limbs long -+ * ret needs to be 2*n limbs long, tmp needs to be mul_limb_numb(n) limbs -+ * long -+ */ -+static void limb_mul(limb_t *ret, limb_t *a, limb_t *b, size_t n, limb_t *tmp) -+{ -+ limb_t *r_odd, *r_even; -+ size_t i, j, k; -+ -+ r_odd = tmp; -+ r_even = &tmp[2 * n]; -+ -+ memset(ret, 0, 2 * n * sizeof(limb_t)); -+ -+ for (i = 0; i < n; i++) { -+ for (k = 0; k < i + n + 1; k++) { -+ r_even[k] = 0; -+ r_odd[k] = 0; -+ } -+ for (j = 0; j < n; j++) { -+ /* -+ * place results from even and odd limbs in separate arrays so that -+ * we don't have to calculate overflow every time we get individual -+ * limb multiplication result -+ */ -+ if (j % 2 == 0) -+ _mul_limb(&r_even[i + j], &r_even[i + j + 1], a[i], b[j]); -+ else -+ _mul_limb(&r_odd[i + j], &r_odd[i + j + 1], a[i], b[j]); -+ } -+ /* -+ * skip the least significant limbs when adding multiples of -+ * more significant limbs (they're zero anyway) -+ */ -+ add(ret, ret, r_even, n + i + 1); -+ add(ret, ret, r_odd, n + i + 1); -+ } -+} -+ -+/* modifies the value in place by performing a right shift by one bit */ -+static ossl_inline void rshift1(limb_t *val, size_t n) -+{ -+ limb_t shift_in = 0, shift_out = 0; -+ size_t i; -+ -+ for (i = 0; i < n; i++) { -+ shift_out = val[i] & 1; -+ val[i] = shift_in << (LIMB_BIT_SIZE - 1) | (val[i] >> 1); -+ shift_in = shift_out; -+ } -+} -+ -+/* extend the LSB of flag to all bits of limb */ -+static ossl_inline limb_t mk_mask(limb_t flag) -+{ -+ flag |= flag << 1; -+ flag |= flag << 2; -+ flag |= flag << 4; -+ flag |= flag << 8; -+ flag |= flag << 
16; -+#if (LIMB_BYTE_SIZE == 8) -+ flag |= flag << 32; -+#endif -+ return flag; -+} -+ -+/* -+ * copy from either a or b to ret based on flag -+ * when flag == 0, then copies from b -+ * when flag == 1, then copies from a -+ */ -+static ossl_inline void cselect(limb_t flag, limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ /* -+ * would be more efficient with non volatile mask, but then gcc -+ * generates code with jumps -+ */ -+ volatile limb_t mask; -+ size_t i; -+ -+ mask = mk_mask(flag); -+ for (i = 0; i < n; i++) { -+#if (LIMB_BYTE_SIZE == 8) -+ ret[i] = constant_time_select_64(mask, a[i], b[i]); -+#else -+ ret[i] = constant_time_select_32(mask, a[i], b[i]); -+#endif -+ } -+} -+ -+static limb_t _sub_limb(limb_t *ret, limb_t a, limb_t b, limb_t borrow) -+{ -+ limb_t borrow1, borrow2, t; -+ /* -+ * while it doesn't look constant-time, this is idiomatic code -+ * to tell compilers to use the carry bit from subtraction -+ */ -+ -+ *ret = a - borrow; -+ if (*ret > a) -+ borrow1 = 1; -+ else -+ borrow1 = 0; -+ -+ t = *ret; -+ *ret = t - b; -+ if (*ret > t) -+ borrow2 = 1; -+ else -+ borrow2 = 0; -+ -+ return borrow1 + borrow2; -+} -+ -+/* -+ * place the result of a - b into ret, return the borrow bit. 
-+ * All arrays need to be n limbs long -+ */ -+static limb_t sub(limb_t *ret, limb_t *a, limb_t *b, size_t n) -+{ -+ limb_t borrow = 0; -+ ossl_ssize_t i; -+ -+ for (i = n - 1; i > -1; i--) -+ borrow = _sub_limb(&ret[i], a[i], b[i], borrow); -+ -+ return borrow; -+} -+ -+/* return the number of limbs necessary to allocate for the mod() tmp operand */ -+static ossl_inline size_t mod_limb_numb(size_t anum, size_t modnum) -+{ -+ return (anum + modnum) * 3; -+} -+ -+/* -+ * calculate a % mod, place the result in ret -+ * size of a is defined by anum, size of ret and mod is modnum, -+ * size of tmp is returned by mod_limb_numb() -+ */ -+static void mod(limb_t *ret, limb_t *a, size_t anum, limb_t *mod, -+ size_t modnum, limb_t *tmp) -+{ -+ limb_t *atmp, *modtmp, *rettmp; -+ limb_t res; -+ size_t i; -+ -+ memset(tmp, 0, mod_limb_numb(anum, modnum) * LIMB_BYTE_SIZE); -+ -+ atmp = tmp; -+ modtmp = &tmp[anum + modnum]; -+ rettmp = &tmp[(anum + modnum) * 2]; -+ -+ for (i = modnum; i 0; i--, rp--) { -+ v = _mul_add_limb(rp, mod, modnum, rp[modnum - 1] * ni0, tmp2); -+ v = v + carry + rp[-1]; -+ carry |= (v != rp[-1]); -+ carry &= (v <= rp[-1]); -+ rp[-1] = v; -+ } -+ -+ /* perform the final reduction by mod... 
*/ -+ carry -= sub(ret, rp, mod, modnum); -+ -+ /* ...conditionally */ -+ cselect(carry, ret, rp, ret, modnum); -+} -+ -+/* allocated buffer should be freed afterwards */ -+static void BN_to_limb(const BIGNUM *bn, limb_t *buf, size_t limbs) -+{ -+ int i; -+ int real_limbs = (BN_num_bytes(bn) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ limb_t *ptr = buf + (limbs - real_limbs); -+ -+ for (i = 0; i < real_limbs; i++) -+ ptr[i] = bn->d[real_limbs - i - 1]; -+} -+ -+#if LIMB_BYTE_SIZE == 8 -+static ossl_inline uint64_t be64(uint64_t host) -+{ -+ const union { -+ long one; -+ char little; -+ } is_endian = { 1 }; -+ -+ if (is_endian.little) { -+ uint64_t big = 0; -+ -+ big |= (host & 0xff00000000000000) >> 56; -+ big |= (host & 0x00ff000000000000) >> 40; -+ big |= (host & 0x0000ff0000000000) >> 24; -+ big |= (host & 0x000000ff00000000) >> 8; -+ big |= (host & 0x00000000ff000000) << 8; -+ big |= (host & 0x0000000000ff0000) << 24; -+ big |= (host & 0x000000000000ff00) << 40; -+ big |= (host & 0x00000000000000ff) << 56; -+ return big; -+ } else { -+ return host; -+ } -+} -+ -+#else -+/* Not all platforms have htobe32(). */ -+static ossl_inline uint32_t be32(uint32_t host) -+{ -+ const union { -+ long one; -+ char little; -+ } is_endian = { 1 }; -+ -+ if (is_endian.little) { -+ uint32_t big = 0; -+ -+ big |= (host & 0xff000000) >> 24; -+ big |= (host & 0x00ff0000) >> 8; -+ big |= (host & 0x0000ff00) << 8; -+ big |= (host & 0x000000ff) << 24; -+ return big; -+ } else { -+ return host; -+ } -+} -+#endif -+ -+/* -+ * We assume that intermediate, possible_arg2, blinding, and ctx are used -+ * similar to BN_BLINDING_invert_ex() arguments. -+ * to_mod is RSA modulus. -+ * buf and num is the serialization buffer and its length. -+ * -+ * Here we use classic/Montgomery multiplication and modulo. After the calculation finished -+ * we serialize the new structure instead of BIGNUMs taking endianness into account. 
-+ */ -+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -+ const BN_BLINDING *blinding, -+ const BIGNUM *possible_arg2, -+ const BIGNUM *to_mod, BN_CTX *ctx, -+ unsigned char *buf, int num) -+{ -+ limb_t *l_im = NULL, *l_mul = NULL, *l_mod = NULL; -+ limb_t *l_ret = NULL, *l_tmp = NULL, l_buf; -+ size_t l_im_count = 0, l_mul_count = 0, l_size = 0, l_mod_count = 0; -+ size_t l_tmp_count = 0; -+ int ret = 0; -+ size_t i; -+ unsigned char *tmp; -+ const BIGNUM *arg1 = intermediate; -+ const BIGNUM *arg2 = (possible_arg2 == NULL) ? blinding->Ai : possible_arg2; -+ -+ l_im_count = (BN_num_bytes(arg1) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ l_mul_count = (BN_num_bytes(arg2) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ l_mod_count = (BN_num_bytes(to_mod) + LIMB_BYTE_SIZE - 1) / LIMB_BYTE_SIZE; -+ -+ l_size = l_im_count > l_mul_count ? l_im_count : l_mul_count; -+ l_im = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -+ l_mul = OPENSSL_zalloc(l_size * LIMB_BYTE_SIZE); -+ l_mod = OPENSSL_zalloc(l_mod_count * LIMB_BYTE_SIZE); -+ -+ if ((l_im == NULL) || (l_mul == NULL) || (l_mod == NULL)) -+ goto err; -+ -+ BN_to_limb(arg1, l_im, l_size); -+ BN_to_limb(arg2, l_mul, l_size); -+ BN_to_limb(to_mod, l_mod, l_mod_count); -+ -+ l_ret = OPENSSL_malloc(2 * l_size * LIMB_BYTE_SIZE); -+ -+ if (blinding->m_ctx != NULL) { -+ l_tmp_count = mul_limb_numb(l_size) > mod_montgomery_limb_numb(l_mod_count) ? -+ mul_limb_numb(l_size) : mod_montgomery_limb_numb(l_mod_count); -+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -+ } else { -+ l_tmp_count = mul_limb_numb(l_size) > mod_limb_numb(2 * l_size, l_mod_count) ? 
-+ mul_limb_numb(l_size) : mod_limb_numb(2 * l_size, l_mod_count); -+ l_tmp = OPENSSL_malloc(l_tmp_count * LIMB_BYTE_SIZE); -+ } -+ -+ if ((l_ret == NULL) || (l_tmp == NULL)) -+ goto err; -+ -+ if (blinding->m_ctx != NULL) { -+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -+ mod_montgomery(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, -+ blinding->m_ctx->n0[0], l_tmp); -+ } else { -+ limb_mul(l_ret, l_im, l_mul, l_size, l_tmp); -+ mod(l_ret, l_ret, 2 * l_size, l_mod, l_mod_count, l_tmp); -+ } -+ -+ /* modulus size in bytes can be equal to num but after limbs conversion it becomes bigger */ -+ if (num < BN_num_bytes(to_mod)) { -+ BNerr(BN_F_OSSL_BN_RSA_DO_UNBLIND, ERR_R_PASSED_INVALID_ARGUMENT); -+ goto err; -+ } -+ -+ memset(buf, 0, num); -+ tmp = buf + num - BN_num_bytes(to_mod); -+ for (i = 0; i < l_mod_count; i++) { -+#if LIMB_BYTE_SIZE == 8 -+ l_buf = be64(l_ret[i]); -+#else -+ l_buf = be32(l_ret[i]); -+#endif -+ if (i == 0) { -+ int delta = LIMB_BYTE_SIZE - ((l_mod_count * LIMB_BYTE_SIZE) - num); -+ -+ memcpy(tmp, ((char *)&l_buf) + LIMB_BYTE_SIZE - delta, delta); -+ tmp += delta; -+ } else { -+ memcpy(tmp, &l_buf, LIMB_BYTE_SIZE); -+ tmp += LIMB_BYTE_SIZE; -+ } -+ } -+ ret = num; -+ -+ err: -+ OPENSSL_free(l_im); -+ OPENSSL_free(l_mul); -+ OPENSSL_free(l_mod); -+ OPENSSL_free(l_tmp); -+ OPENSSL_free(l_ret); -+ -+ return ret; -+} -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index 9f91a4a811..ba3a46d5b9 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -1,4 +1,4 @@ --# Copyright 1999-2021 The OpenSSL Project Authors. All Rights Reserved. -+# Copyright 1999-2023 The OpenSSL Project Authors. All Rights Reserved. - # - # Licensed under the OpenSSL license (the "License"). You may not use - # this file except in compliance with the License. 
You can obtain a copy -@@ -232,6 +232,7 @@ BN_F_BN_RSHIFT:146:BN_rshift - BN_F_BN_SET_WORDS:144:bn_set_words - BN_F_BN_STACK_PUSH:148:BN_STACK_push - BN_F_BN_USUB:115:BN_usub -+BN_F_OSSL_BN_RSA_DO_UNBLIND:151:ossl_bn_rsa_do_unblind - BUF_F_BUF_MEM_GROW:100:BUF_MEM_grow - BUF_F_BUF_MEM_GROW_CLEAN:105:BUF_MEM_grow_clean - BUF_F_BUF_MEM_NEW:101:BUF_MEM_new -diff --git a/crypto/rsa/rsa_ossl.c b/crypto/rsa/rsa_ossl.c -index b52a66f6a6..6c3c0cf78d 100644 ---- a/crypto/rsa/rsa_ossl.c -+++ b/crypto/rsa/rsa_ossl.c -@@ -465,11 +465,20 @@ static int rsa_ossl_private_decrypt(int flen, const unsigned char *from, - BN_free(d); - } - -- if (blinding) -- if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) -+ if (blinding) { -+ /* -+ * ossl_bn_rsa_do_unblind() combines blinding inversion and -+ * 0-padded BN BE serialization -+ */ -+ j = ossl_bn_rsa_do_unblind(ret, blinding, unblind, rsa->n, ctx, -+ buf, num); -+ if (j == 0) - goto err; -- -- j = BN_bn2binpad(ret, buf, num); -+ } else { -+ j = BN_bn2binpad(ret, buf, num); -+ if (j < 0) -+ goto err; -+ } - - switch (padding) { - case RSA_PKCS1_PADDING: -diff --git a/include/crypto/bn.h b/include/crypto/bn.h -index 60afda1dad..b5f36fb25a 100644 ---- a/include/crypto/bn.h -+++ b/include/crypto/bn.h -@@ -86,5 +86,10 @@ int bn_lshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); - int bn_rshift_fixed_top(BIGNUM *r, const BIGNUM *a, int n); - int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, - const BIGNUM *d, BN_CTX *ctx); -+int ossl_bn_rsa_do_unblind(const BIGNUM *intermediate, -+ const BN_BLINDING *blinding, -+ const BIGNUM *possible_arg2, -+ const BIGNUM *to_mod, BN_CTX *ctx, -+ unsigned char *buf, int num); - - #endif -diff --git a/include/openssl/bnerr.h b/include/openssl/bnerr.h -index 9f3c7cfaab..a0752cea52 100644 ---- a/include/openssl/bnerr.h -+++ b/include/openssl/bnerr.h -@@ -72,6 +72,7 @@ int ERR_load_BN_strings(void); - # define BN_F_BN_SET_WORDS 144 - # define BN_F_BN_STACK_PUSH 148 - # define BN_F_BN_USUB 
115 -+# define BN_F_OSSL_BN_RSA_DO_UNBLIND 151 - - /* - * BN reason codes. --- -2.39.1 - diff --git a/SOURCES/openssl-1.1.1-cve-2022-4450-PEM-bio.patch b/SOURCES/openssl-1.1.1-cve-2022-4450-PEM-bio.patch deleted file mode 100644 index c2e9f22..0000000 --- a/SOURCES/openssl-1.1.1-cve-2022-4450-PEM-bio.patch +++ /dev/null 
@@ -1,103 +0,0 @@ -From bbcf509bd046b34cca19c766bbddc31683d0858b Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 13 Dec 2022 14:54:55 +0000 -Subject: [PATCH 2/6] Avoid dangling ptrs in header and data params for - PEM_read_bio_ex - -In the event of a failure in PEM_read_bio_ex() we free the buffers we -allocated for the header and data buffers. However we were not clearing -the ptrs stored in *header and *data. Since, on success, the caller is -responsible for freeing these ptrs this can potentially lead to a double -free if the caller frees them even on failure. - -Thanks to Dawei Wang for reporting this issue. - -Based on a proposed patch by Kurt Roeckx. - -CVE-2022-4450 - -Reviewed-by: Paul Dale -Reviewed-by: Hugo Landau ---- - crypto/pem/pem_lib.c | 2 ++ - 1 file changed, 2 insertions(+) - -diff --git a/crypto/pem/pem_lib.c b/crypto/pem/pem_lib.c -index d416d939ea..328c30cdbb 100644 ---- a/crypto/pem/pem_lib.c -+++ b/crypto/pem/pem_lib.c -@@ -957,7 +957,9 @@ int PEM_read_bio_ex(BIO *bp, char **name_out, char **header, - *data = pem_malloc(len, flags); - if (*header == NULL || *data == NULL) { - pem_free(*header, flags, 0); -+ *header = NULL; - pem_free(*data, flags, 0); -+ *data = NULL; - goto end; - } - BIO_read(headerB, *header, headerlen); --- -2.39.1 - -From 2bd611267868a008afa576846ba71566bd0d4d15 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Tue, 13 Dec 2022 15:02:26 +0000 -Subject: [PATCH 3/6] Add a test for CVE-2022-4450 - -Call PEM_read_bio_ex() and expect a failure. There should be no dangling -ptrs and therefore there should be no double free if we free the ptrs on -error. 
- -Reviewed-by: Paul Dale -Reviewed-by: Hugo Landau ---- - test/pemtest.c | 30 ++++++++++++++++++++++++++++++ - 1 file changed, 30 insertions(+) - -diff --git a/test/pemtest.c b/test/pemtest.c -index 3203d976be..edeb0a1205 100644 ---- a/test/pemtest.c -+++ b/test/pemtest.c -@@ -83,9 +83,39 @@ static int test_invalid(void) - return 1; - } - -+static int test_empty_payload(void) -+{ -+ BIO *b; -+ static char *emptypay = -+ "-----BEGIN CERTIFICATE-----\n" -+ "-\n" /* Base64 EOF character */ -+ "-----END CERTIFICATE-----"; -+ char *name = NULL, *header = NULL; -+ unsigned char *data = NULL; -+ long len; -+ int ret = 0; -+ -+ b = BIO_new_mem_buf(emptypay, strlen(emptypay)); -+ if (!TEST_ptr(b)) -+ return 0; -+ -+ /* Expected to fail because the payload is empty */ -+ if (!TEST_false(PEM_read_bio_ex(b, &name, &header, &data, &len, 0))) -+ goto err; -+ -+ ret = 1; -+ err: -+ OPENSSL_free(name); -+ OPENSSL_free(header); -+ OPENSSL_free(data); -+ BIO_free(b); -+ return ret; -+} -+ - int setup_tests(void) - { - ADD_ALL_TESTS(test_b64, OSSL_NELEM(b64_pem_data)); - ADD_TEST(test_invalid); -+ ADD_TEST(test_empty_payload); - return 1; - } --- -2.39.1 - diff --git a/SOURCES/openssl-1.1.1-cve-2023-0215-BIO-UAF.patch b/SOURCES/openssl-1.1.1-cve-2023-0215-BIO-UAF.patch deleted file mode 100644 index 7b8fdb5..0000000 --- a/SOURCES/openssl-1.1.1-cve-2023-0215-BIO-UAF.patch +++ /dev/null 
@@ -1,186 +0,0 @@ -From c3829dd8825c654652201e16f8a0a0c46ee3f344 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Wed, 14 Dec 2022 16:18:14 +0000 -Subject: [PATCH 4/6] Fix a UAF resulting from a bug in BIO_new_NDEF - -If the aux->asn1_cb() call fails in BIO_new_NDEF then the "out" BIO will -be part of an invalid BIO chain. This causes a "use after free" when the -BIO is eventually freed. - -Based on an original patch by Viktor Dukhovni and an idea from Theo -Buehler. - -Thanks to Octavio Galland for reporting this issue. - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz ---- - crypto/asn1/bio_ndef.c | 39 ++++++++++++++++++++++++++++++++------- - 1 file changed, 32 insertions(+), 7 deletions(-) - -diff --git a/crypto/asn1/bio_ndef.c b/crypto/asn1/bio_ndef.c -index 760e4846a4..f8d4b1b9aa 100644 ---- a/crypto/asn1/bio_ndef.c -+++ b/crypto/asn1/bio_ndef.c -@@ -49,12 +49,19 @@ static int ndef_suffix(BIO *b, unsigned char **pbuf, int *plen, void *parg); - static int ndef_suffix_free(BIO *b, unsigned char **pbuf, int *plen, - void *parg); - -+/* -+ * On success, the returned BIO owns the input BIO as part of its BIO chain. -+ * On failure, NULL is returned and the input BIO is owned by the caller. 
-+ * -+ * Unfortunately cannot constify this due to CMS_stream() and PKCS7_stream() -+ */ - BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - { - NDEF_SUPPORT *ndef_aux = NULL; - BIO *asn_bio = NULL; - const ASN1_AUX *aux = it->funcs; - ASN1_STREAM_ARG sarg; -+ BIO *pop_bio = NULL; - - if (!aux || !aux->asn1_cb) { - ASN1err(ASN1_F_BIO_NEW_NDEF, ASN1_R_STREAMING_NOT_SUPPORTED); -@@ -69,21 +76,39 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - out = BIO_push(asn_bio, out); - if (out == NULL) - goto err; -+ pop_bio = asn_bio; - -- BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free); -- BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free); -+ if (BIO_asn1_set_prefix(asn_bio, ndef_prefix, ndef_prefix_free) <= 0 -+ || BIO_asn1_set_suffix(asn_bio, ndef_suffix, ndef_suffix_free) <= 0 -+ || BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux) <= 0) -+ goto err; - - /* -- * Now let callback prepends any digest, cipher etc BIOs ASN1 structure -- * needs. -+ * Now let the callback prepend any digest, cipher, etc., that the BIO's -+ * ASN1 structure needs. - */ - - sarg.out = out; - sarg.ndef_bio = NULL; - sarg.boundary = NULL; - -- if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) -+ /* -+ * The asn1_cb(), must not have mutated asn_bio on error, leaving it in the -+ * middle of some partially built, but not returned BIO chain. 
-+ */ -+ if (aux->asn1_cb(ASN1_OP_STREAM_PRE, &val, it, &sarg) <= 0) { -+ /* -+ * ndef_aux is now owned by asn_bio so we must not free it in the err -+ * clean up block -+ */ -+ ndef_aux = NULL; - goto err; -+ } -+ -+ /* -+ * We must not fail now because the callback has prepended additional -+ * BIOs to the chain -+ */ - - ndef_aux->val = val; - ndef_aux->it = it; -@@ -91,11 +116,11 @@ BIO *BIO_new_NDEF(BIO *out, ASN1_VALUE *val, const ASN1_ITEM *it) - ndef_aux->boundary = sarg.boundary; - ndef_aux->out = out; - -- BIO_ctrl(asn_bio, BIO_C_SET_EX_ARG, 0, ndef_aux); -- - return sarg.ndef_bio; - - err: -+ /* BIO_pop() is NULL safe */ -+ (void)BIO_pop(pop_bio); - BIO_free(asn_bio); - OPENSSL_free(ndef_aux); - return NULL; --- -2.39.1 - -From f040f2577891d2bdb7610566c172233844cf673a Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Wed, 14 Dec 2022 17:15:18 +0000 -Subject: [PATCH 5/6] Check CMS failure during BIO setup with -stream is - handled correctly - -Test for the issue fixed in the previous commit - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz ---- - test/recipes/80-test_cms.t | 15 +++++++++++++-- - test/smime-certs/badrsa.pem | 18 ++++++++++++++++++ - 2 files changed, 31 insertions(+), 2 deletions(-) - create mode 100644 test/smime-certs/badrsa.pem - -diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t -index 5dc6a3aebe..ec11bfc253 100644 ---- a/test/recipes/80-test_cms.t -+++ b/test/recipes/80-test_cms.t -@@ -13,7 +13,7 @@ use warnings; - use POSIX; - use File::Spec::Functions qw/catfile/; - use File::Compare qw/compare_text/; --use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file/; -+use OpenSSL::Test qw/:DEFAULT srctop_dir srctop_file with/; - use OpenSSL::Test::Utils; - - setup("test_cms"); -@@ -27,7 +27,7 @@ my $smcont = srctop_file("test", "smcont.txt"); - my ($no_des, $no_dh, $no_dsa, $no_ec, $no_ec2m, $no_rc2, $no_zlib) - = disabled qw/des dh dsa ec ec2m rc2 zlib/; - --plan tests => 6; -+plan tests => 7; - - my @smime_pkcs7_tests 
= ( - -@@ -584,3 +584,14 @@ sub check_availability { - - return ""; - } -+ -+# Check that we get the expected failure return code -+with({ exit_checker => sub { return shift == 6; } }, -+ sub { -+ ok(run(app(['openssl', 'cms', '-encrypt', -+ '-in', srctop_file("test", "smcont.txt"), -+ '-stream', '-recip', -+ srctop_file("test/smime-certs", "badrsa.pem"), -+ ])), -+ "Check failure during BIO setup with -stream is handled correctly"); -+ }); -diff --git a/test/smime-certs/badrsa.pem b/test/smime-certs/badrsa.pem -new file mode 100644 -index 0000000000..f824fc2267 ---- /dev/null -+++ b/test/smime-certs/badrsa.pem -@@ -0,0 +1,18 @@ -+-----BEGIN CERTIFICATE----- -+MIIDbTCCAlWgAwIBAgIToTV4Z0iuK08vZP20oTh//hC8BDANBgkqhkiG9w0BAQ0FADAtMSswKQYD -+VfcDEyJTYW1wbGUgTEFNUFMgQ2VydGlmaWNhdGUgQXV0aG9yaXR5MCAXDTE5MTEyMDA2NTQxOFoY -+DzIwNTIwOTI3MDY1NDE4WjAZMRcwFQYDVQQDEw5BbGljZSBMb3ZlbGFjZTCCASIwDQYJKoZIhvcN -+AQEBBQADggEPADCCAQoCggEBALT0iehYOBY+TZp/T5K2KNI05Hwr+E3wP6XTvyi6WWyTgBK9LCOw -+I2juwdRrjFBmXkk7pWpjXwsA3A5GOtz0FpfgyC7OxsVcF7q4WHWZWleYXFKlQHJD73nQwXP968+A -+/3rBX7PhO0DBbZnfitOLPgPEwjTtdg0VQQ6Wz+CRQ/YbHPKaw7aRphZO63dKvIKp4cQVtkWQHi6s -+yTjGsgkLcLNau5LZDQUdsGV+SAo3nBdWCRYV+I65x8Kf4hCxqqmjV3d/2NKRu0BXnDe/N+iDz3X0 -+zEoj0fqXgq4SWcC0nsG1lyyXt1TL270I6ATKRGJWiQVCCpDtc0NT6vdJ45bCSxgCAwEAAaOBlzCB -+lDAMBgNVHRMBAf8EAjAAMB4GA1UdEQQXMBWBE2FsaWNlQHNtaW1lLmV4YW1wbGUwEwYDVR0lBAww -+CgYIKwYBBQUHAwQwDwYDVR0PAQH/BAUDAwfAADAdBgNVHQ4EFgQUu/bMsi0dBhIcl64papAQ0yBm -+ZnMwHwYDVR0jBBgwFoAUeF8OWnjYa+RUcD2z3ez38fL6wEcwDQYJKoZIhvcNAQENBQADggEBABbW -+eonR6TMTckehDKNOabwaCIcekahAIL6l9tTzUX5ew6ufiAPlC6I/zQlmUaU0iSyFDG1NW14kNbFt -+5CAokyLhMtE4ASHBIHbiOp/ZSbUBTVYJZB61ot7w1/ol5QECSs08b8zrxIncf+t2DHGuVEy/Qq1d -+rBz8d4ay8zpqAE1tUyL5Da6ZiKUfWwZQXSI/JlbjQFzYQqTRDnzHWrg1xPeMTO1P2/cplFaseTiv -+yk4cYwOp/W9UAWymOZXF8WcJYCIUXkdcG/nEZxr057KlScrJmFXOoh7Y+8ON4iWYYcAfiNgpUFo/ -+j8BAwrKKaFvdlZS9k1Ypb2+UQY75mKJE9Bg= -+-----END CERTIFICATE----- --- -2.39.1 - 
diff --git a/SOURCES/openssl-1.1.1-cve-2023-0286-X400.patch b/SOURCES/openssl-1.1.1-cve-2023-0286-X400.patch deleted file mode 100644 index 170699e..0000000 --- a/SOURCES/openssl-1.1.1-cve-2023-0286-X400.patch +++ /dev/null @@ -1,63 +0,0 @@ -From 2c6c9d439b484e1ba9830d8454a34fa4f80fdfe9 Mon Sep 17 00:00:00 2001 -From: Hugo Landau -Date: Tue, 17 Jan 2023 17:45:42 +0000 -Subject: [PATCH 6/6] CVE-2023-0286: Fix GENERAL_NAME_cmp for x400Address - (1.1.1) - -Reviewed-by: Paul Dale -Reviewed-by: Tomas Mraz ---- - CHANGES | 18 +++++++++++++++++- - crypto/x509v3/v3_genn.c | 2 +- - include/openssl/x509v3.h | 2 +- - test/v3nametest.c | 8 ++++++++ - 4 files changed, 27 insertions(+), 3 deletions(-) - -diff --git a/crypto/x509v3/v3_genn.c b/crypto/x509v3/v3_genn.c -index 87a5eff47c..e54ddc55c9 100644 ---- a/crypto/x509v3/v3_genn.c -+++ b/crypto/x509v3/v3_genn.c -@@ -98,7 +98,7 @@ int GENERAL_NAME_cmp(GENERAL_NAME *a, GENERAL_NAME *b) - return -1; - switch (a->type) { - case GEN_X400: -- result = ASN1_TYPE_cmp(a->d.x400Address, b->d.x400Address); -+ result = ASN1_STRING_cmp(a->d.x400Address, b->d.x400Address); - break; - - case GEN_EDIPARTY: -diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h -index 90fa3592ce..e61c0f29d4 100644 ---- a/include/openssl/x509v3.h -+++ b/include/openssl/x509v3.h -@@ -136,7 +136,7 @@ typedef struct GENERAL_NAME_st { - OTHERNAME *otherName; /* otherName */ - ASN1_IA5STRING *rfc822Name; - ASN1_IA5STRING *dNSName; -- ASN1_TYPE *x400Address; -+ ASN1_STRING *x400Address; - X509_NAME *directoryName; - EDIPARTYNAME *ediPartyName; - ASN1_IA5STRING *uniformResourceIdentifier; -diff --git a/test/v3nametest.c b/test/v3nametest.c -index d1852190b8..37819da8fd 100644 ---- a/test/v3nametest.c -+++ b/test/v3nametest.c -@@ -646,6 +646,14 @@ static struct gennamedata { - 0xb7, 0x09, 0x02, 0x02 - }, - 15 -+ }, { -+ /* -+ * Regression test for CVE-2023-0286. -+ */ -+ { -+ 0xa3, 0x00 -+ }, -+ 2 - } - }; - --- -2.39.1 - 
diff --git a/SOURCES/openssl-1.1.1-cve-2023-3446.patch b/SOURCES/openssl-1.1.1-cve-2023-3446.patch deleted file mode 100644 index 43695b0..0000000 --- a/SOURCES/openssl-1.1.1-cve-2023-3446.patch +++ /dev/null 
@@ -1,127 +0,0 @@ -From 8780a896543a654e757db1b9396383f9d8095528 Mon Sep 17 00:00:00 2001 -From: Matt Caswell -Date: Thu, 6 Jul 2023 16:36:35 +0100 -Subject: [PATCH] Fix DH_check() excessive time with over sized modulus - -The DH_check() function checks numerous aspects of the key or parameters -that have been supplied. Some of those checks use the supplied modulus -value even if it is excessively large. - -There is already a maximum DH modulus size (10,000 bits) over which -OpenSSL will not generate or derive keys. DH_check() will however still -perform various tests for validity on such a large modulus. We introduce a -new maximum (32,768) over which DH_check() will just fail. - -An application that calls DH_check() and supplies a key or parameters -obtained from an untrusted source could be vulnerable to a Denial of -Service attack. - -The function DH_check() is itself called by a number of other OpenSSL -functions. An application calling any of those other functions may -similarly be affected. The other functions affected by this are -DH_check_ex() and EVP_PKEY_param_check(). 
- -CVE-2023-3446 - -Reviewed-by: Paul Dale -Reviewed-by: Tom Cosgrove -Reviewed-by: Bernd Edlinger -Reviewed-by: Tomas Mraz -(Merged from https://github.com/openssl/openssl/pull/21452) - -Upstream-Status: Backport [8780a896543a654e757db1b9396383f9d8095528] ---- - crypto/dh/dh_check.c | 6 ++++++ - crypto/dh/dh_err.c | 3 ++- - crypto/err/openssl.txt | 3 ++- - include/openssl/dh.h | 3 +++ - include/openssl/dherr.h | 3 ++- - 5 files changed, 15 insertions(+), 3 deletions(-) - -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 4ac169e75c..e5f9dd5030 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -101,6 +101,12 @@ int DH_check(const DH *dh, int *ret) - BN_CTX *ctx = NULL; - BIGNUM *t1 = NULL, *t2 = NULL; - -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE); -+ return 0; -+ } -+ - if (!DH_check_params(dh, ret)) - return 0; - -diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c -index 7285587b4a..92800d3fcc 100644 ---- a/crypto/dh/dh_err.c -+++ b/crypto/dh/dh_err.c -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. 
You can obtain a copy -@@ -18,6 +18,7 @@ static const ERR_STRING_DATA DH_str_functs[] = { - {ERR_PACK(ERR_LIB_DH, DH_F_DHPARAMS_PRINT_FP, 0), "DHparams_print_fp"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_BUILTIN_GENPARAMS, 0), - "dh_builtin_genparams"}, -+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK, 0), "DH_check"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_EX, 0), "DH_check_ex"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PARAMS_EX, 0), "DH_check_params_ex"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_CHECK_PUB_KEY_EX, 0), "DH_check_pub_key_ex"}, -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index 9f91a4a811..c0a3cd720b 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -402,6 +402,7 @@ CT_F_SCT_SET_VERSION:104:SCT_set_version - DH_F_COMPUTE_KEY:102:compute_key - DH_F_DHPARAMS_PRINT_FP:101:DHparams_print_fp - DH_F_DH_BUILTIN_GENPARAMS:106:dh_builtin_genparams -+DH_F_DH_CHECK:126:DH_check - DH_F_DH_CHECK_EX:121:DH_check_ex - DH_F_DH_CHECK_PARAMS_EX:122:DH_check_params_ex - DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pub_key_ex -diff --git a/include/openssl/dh.h b/include/openssl/dh.h -index 3527540cdd..892e31559d 100644 ---- a/include/openssl/dh.h -+++ b/include/openssl/dh.h -@@ -29,6 +29,9 @@ extern "C" { - # ifndef OPENSSL_DH_MAX_MODULUS_BITS - # define OPENSSL_DH_MAX_MODULUS_BITS 10000 - # endif -+# ifndef OPENSSL_DH_CHECK_MAX_MODULUS_BITS -+# define OPENSSL_DH_CHECK_MAX_MODULUS_BITS 32768 -+# endif - - # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024 - # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048 - -diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h -index 916b3bed0b..528c819856 100644 ---- a/include/openssl/dherr.h -+++ b/include/openssl/dherr.h -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). 
You may not use - * this file except in compliance with the License. You can obtain a copy -@@ -30,6 +30,7 @@ int ERR_load_DH_strings(void); - # define DH_F_COMPUTE_KEY 102 - # define DH_F_DHPARAMS_PRINT_FP 101 - # define DH_F_DH_BUILTIN_GENPARAMS 106 -+# define DH_F_DH_CHECK 126 - # define DH_F_DH_CHECK_EX 121 - # define DH_F_DH_CHECK_PARAMS_EX 122 - # define DH_F_DH_CHECK_PUB_KEY_EX 123 --- -2.41.0 - diff --git a/SOURCES/openssl-1.1.1-cve-2023-3817.patch b/SOURCES/openssl-1.1.1-cve-2023-3817.patch deleted file mode 100644 index 453e2b3..0000000 --- a/SOURCES/openssl-1.1.1-cve-2023-3817.patch +++ /dev/null 
@@ -1,60 +0,0 @@ -From 91ddeba0f2269b017dc06c46c993a788974b1aa5 Mon Sep 17 00:00:00 2001 -From: Tomas Mraz -Date: Fri, 21 Jul 2023 11:39:41 +0200 -Subject: [PATCH] DH_check(): Do not try checking q properties if it is - obviously invalid - -If |q| >= |p| then the q value is obviously wrong as q -is supposed to be a prime divisor of p-1. - -We check if p is overly large so this added test implies that -q is not large either when performing subsequent tests using that -q value. - -Otherwise if it is too large these additional checks of the q value -such as the primality test can then trigger DoS by doing overly long -computations. - -Fixes CVE-2023-3817 - -Reviewed-by: Paul Dale -Reviewed-by: Matt Caswell -(Merged from https://github.com/openssl/openssl/pull/21551) - -Upstream-Status: Backport [91ddeba0f2269b017dc06c46c993a788974b1aa5] ---- - crypto/dh/dh_check.c | 11 +++++++++-- - 1 file changed, 9 insertions(+), 2 deletions(-) - -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index 2001d2e7cb..9ae96991eb 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -105,7 +105,7 @@ int DH_check_ex(const DH *dh) - /* Note: according to documentation - this only checks the params */ - int DH_check(const DH *dh, int *ret) - { -- int ok = 0, r; -+ int ok = 0, r, q_good = 0; - BN_CTX *ctx = NULL; - BIGNUM *t1 = NULL, *t2 = NULL; - -@@ -130,7 +130,14 @@ int DH_check(const DH *dh, int *ret) - if (t2 == NULL) - goto err; - -- if (dh->q) { -+ if (dh->q != NULL) { -+ if (BN_ucmp(dh->p, dh->q) > 0) -+ q_good = 1; -+ else -+ *ret |= DH_CHECK_INVALID_Q_VALUE; -+ } -+ -+ if (q_good) { - if (BN_cmp(dh->g, BN_value_one()) <= 0) - *ret |= DH_NOT_SUITABLE_GENERATOR; - else if (BN_cmp(dh->g, dh->p) >= 0) --- -2.41.0 - diff --git a/SOURCES/openssl-1.1.1-cve-2023-5678.patch b/SOURCES/openssl-1.1.1-cve-2023-5678.patch deleted file mode 100644 index 869437f..0000000 --- a/SOURCES/openssl-1.1.1-cve-2023-5678.patch +++ /dev/null 
@@ -1,154 +0,0 @@ -From 0814467cc1b6a2839877277d3efa69cdd4582dd7 Mon Sep 17 00:00:00 2001 -From: Richard Levitte -Date: Fri, 20 Oct 2023 09:18:19 +0200 -Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet - -We already check for an excessively large P in DH_generate_key(), but not in -DH_check_pub_key(), and none of them check for an excessively large Q. - -This change adds all the missing excessive size checks of P and Q. - -It's to be noted that behaviours surrounding excessively sized P and Q -differ. DH_check() raises an error on the excessively sized P, but only -sets a flag for the excessively sized Q. This behaviour is mimicked in -DH_check_pub_key(). - -Reviewed-by: Tomas Mraz -Reviewed-by: Matt Caswell -Reviewed-by: Hugo Landau -(Merged from https://github.com/openssl/openssl/pull/22518) - -(cherry picked from commit ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6) -Backported-by: Clemens Lang ---- - crypto/dh/dh_check.c | 17 +++++++++++++++++ - crypto/dh/dh_err.c | 1 + - crypto/dh/dh_key.c | 10 ++++++++++ - crypto/err/openssl.txt | 1 + - include/openssl/dh.h | 6 ++++-- - include/openssl/dherr.h | 1 + - 6 files changed, 34 insertions(+), 2 deletions(-) - -diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c -index ae1b03bc92..424a3bb4cd 100644 ---- a/crypto/dh/dh_check.c -+++ b/crypto/dh/dh_check.c -@@ -198,10 +198,27 @@ int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) - BN_CTX *ctx = NULL; - - *ret = 0; -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; - BN_CTX_start(ctx); -+ -+ /* Don't do any checks at all with an excessively large modulus */ -+ if (BN_num_bits(dh->p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { -+ DHerr(DH_F_DH_CHECK, DH_R_MODULUS_TOO_LARGE); -+ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; -+ goto err; -+ } -+ if (dh->q != NULL && BN_ucmp(dh->p, dh->q) < 0) { -+ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; -+ /* This may look strange here, but returning 1 after setting ret 
is -+ * correct. See also the behavior of the pub_key^q == 1 mod p check -+ * further down, which behaves in the same way. */ -+ ok = 1; -+ goto err; -+ } -+ - tmp = BN_CTX_get(ctx); - if (tmp == NULL || !BN_set_word(tmp, 1)) - goto err; -diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c -index 92800d3fcc..b3b1e7a706 100644 ---- a/crypto/dh/dh_err.c -+++ b/crypto/dh/dh_err.c -@@ -87,6 +87,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), - "parameter encoding error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), - "unable to check generator"}, -diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c -index 117f2fa883..9f5e6f6d4c 100644 ---- a/crypto/dh/dh_key.c -+++ b/crypto/dh/dh_key.c -@@ -140,6 +140,11 @@ static int generate_key(DH *dh) - return 0; - } - -+ if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ DHerr(DH_F_GENERATE_KEY, DH_R_Q_TOO_LARGE); -+ return 0; -+ } -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto err; -@@ -250,6 +255,12 @@ static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) - DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); - goto err; - } -+ -+ if (dh->q != NULL && BN_num_bits(dh->q) > OPENSSL_DH_MAX_MODULUS_BITS) { -+ DHerr(DH_F_COMPUTE_KEY, DH_R_Q_TOO_LARGE); -+ goto err; -+ } -+ - #ifdef OPENSSL_FIPS - if (FIPS_mode() - && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { -diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt -index c0a3cd720b..5e0ff47516 100644 ---- a/crypto/err/openssl.txt -+++ b/crypto/err/openssl.txt -@@ -2151,6 +2151,7 @@DH_R_NO_PARAMETERS_SET:107:no parameters set - DH_R_NO_PRIVATE_VALUE:100:no private value - DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error - 
DH_R_PEER_KEY_ERROR:111:peer key error -+DH_R_Q_TOO_LARGE:130:q too large - DH_R_SHARED_INFO_ERROR:113:shared info error - DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator - DSA_R_BAD_Q_VALUE:102:bad q value -diff --git a/include/openssl/dh.h b/include/openssl/dh.h -index 6c6ff3636a..b7df43b44f 100644 ---- a/include/openssl/dh.h -+++ b/include/openssl/dh.h -@@ -72,14 +72,16 @@ DECLARE_ASN1_ITEM(DHparams) - /* #define DH_GENERATOR_3 3 */ - # define DH_GENERATOR_5 5 - --/* DH_check error codes */ -+/* DH_check error codes, some of them shared with DH_check_pub_key */ - # define DH_CHECK_P_NOT_PRIME 0x01 - # define DH_CHECK_P_NOT_SAFE_PRIME 0x02 - # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 - # define DH_NOT_SUITABLE_GENERATOR 0x08 - # define DH_CHECK_Q_NOT_PRIME 0x10 --# define DH_CHECK_INVALID_Q_VALUE 0x20 -+# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ - # define DH_CHECK_INVALID_J_VALUE 0x40 -+/* DH_MODULUS_TOO_SMALL is 0x80 upstream */ -+# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ - - /* DH_check_pub_key error codes */ - # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 -diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h -index 528c819856..d66c35aa8e 100644 ---- a/include/openssl/dherr.h -+++ b/include/openssl/dherr.h -@@ -87,6 +87,7 @@ int ERR_load_DH_strings(void); - # define DH_R_NON_FIPS_METHOD 202 - # define DH_R_PARAMETER_ENCODING_ERROR 105 - # define DH_R_PEER_KEY_ERROR 111 -+# define DH_R_Q_TOO_LARGE 130 - # define DH_R_SHARED_INFO_ERROR 113 - # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 - --- -2.41.0 - diff --git a/SOURCES/openssl-1.1.1-detected-addr-ipv6.patch b/SOURCES/openssl-1.1.1-detected-addr-ipv6.patch deleted file mode 100644 index d477e5d..0000000 --- a/SOURCES/openssl-1.1.1-detected-addr-ipv6.patch +++ /dev/null 
@@ -1,34 +0,0 @@ -diff -up openssl-1.1.1k/apps/s_socket.c.addr-ipv6 openssl-1.1.1k/apps/s_socket.c ---- openssl-1.1.1k/apps/s_socket.c.addr-ipv6 2021-07-16 15:14:08.491986682 +0200 -+++ openssl-1.1.1k/apps/s_socket.c 2021-07-16 15:23:21.271329197 +0200 -@@ -214,6 +214,8 @@ int do_server(int *accept_sock, const ch - const BIO_ADDRINFO *next; - int sock_family, sock_type, sock_protocol, sock_port; - const BIO_ADDR *sock_address; -+ int sock_family_fallback = AF_UNSPEC; -+ const BIO_ADDR *sock_address_fallback = NULL; - int sock_options = BIO_SOCK_REUSEADDR; - int ret = 0; - -@@ -244,6 +246,10 @@ int do_server(int *accept_sock, const ch - && BIO_ADDRINFO_protocol(next) == sock_protocol) { - if (sock_family == AF_INET - && BIO_ADDRINFO_family(next) == AF_INET6) { -+ /* In case AF_INET6 is returned but not supported by the -+ * kernel, retry with the first detected address family */ -+ sock_family_fallback = sock_family; -+ sock_address_fallback = sock_address; - sock_family = AF_INET6; - sock_address = BIO_ADDRINFO_address(next); - } else if (sock_family == AF_INET6 -@@ -253,6 +259,10 @@ int do_server(int *accept_sock, const ch - } - - asock = BIO_socket(sock_family, sock_type, sock_protocol, 0); -+ if (asock == INVALID_SOCKET && sock_family_fallback != AF_UNSPEC) { -+ asock = BIO_socket(sock_family_fallback, sock_type, sock_protocol, 0); -+ sock_address = sock_address_fallback; -+ } - if (asock == INVALID_SOCKET - || !BIO_listen(asock, sock_address, sock_options)) { - BIO_ADDRINFO_free(res); diff --git a/SOURCES/openssl-1.1.1-ec-curves.patch b/SOURCES/openssl-1.1.1-ec-curves.patch deleted file mode 100644 index 27f23ca..0000000 --- a/SOURCES/openssl-1.1.1-ec-curves.patch +++ /dev/null 
@@ -1,266 +0,0 @@ -diff -up openssl-1.1.1h/apps/speed.c.curves openssl-1.1.1h/apps/speed.c ---- openssl-1.1.1h/apps/speed.c.curves 2020-09-22 14:55:07.000000000 +0200 -+++ openssl-1.1.1h/apps/speed.c 2020-11-06 13:27:15.659288431 +0100 -@@ -490,90 +490,30 @@ static double rsa_results[RSA_NUM][2]; - #endif /* OPENSSL_NO_RSA */ - - enum { -- R_EC_P160, -- R_EC_P192, - R_EC_P224, - R_EC_P256, - R_EC_P384, - R_EC_P521, --#ifndef OPENSSL_NO_EC2M -- R_EC_K163, -- R_EC_K233, -- R_EC_K283, -- R_EC_K409, -- R_EC_K571, -- R_EC_B163, -- R_EC_B233, -- R_EC_B283, -- R_EC_B409, -- R_EC_B571, --#endif -- R_EC_BRP256R1, -- R_EC_BRP256T1, -- R_EC_BRP384R1, -- R_EC_BRP384T1, -- R_EC_BRP512R1, -- R_EC_BRP512T1, - R_EC_X25519, - R_EC_X448 - }; - - #ifndef OPENSSL_NO_EC - static OPT_PAIR ecdsa_choices[] = { -- {"ecdsap160", R_EC_P160}, -- {"ecdsap192", R_EC_P192}, - {"ecdsap224", R_EC_P224}, - {"ecdsap256", R_EC_P256}, - {"ecdsap384", R_EC_P384}, - {"ecdsap521", R_EC_P521}, --# ifndef OPENSSL_NO_EC2M -- {"ecdsak163", R_EC_K163}, -- {"ecdsak233", R_EC_K233}, -- {"ecdsak283", R_EC_K283}, -- {"ecdsak409", R_EC_K409}, -- {"ecdsak571", R_EC_K571}, -- {"ecdsab163", R_EC_B163}, -- {"ecdsab233", R_EC_B233}, -- {"ecdsab283", R_EC_B283}, -- {"ecdsab409", R_EC_B409}, -- {"ecdsab571", R_EC_B571}, --# endif -- {"ecdsabrp256r1", R_EC_BRP256R1}, -- {"ecdsabrp256t1", R_EC_BRP256T1}, -- {"ecdsabrp384r1", R_EC_BRP384R1}, -- {"ecdsabrp384t1", R_EC_BRP384T1}, -- {"ecdsabrp512r1", R_EC_BRP512R1}, -- {"ecdsabrp512t1", R_EC_BRP512T1} - }; - # define ECDSA_NUM OSSL_NELEM(ecdsa_choices) - - static double ecdsa_results[ECDSA_NUM][2]; /* 2 ops: sign then verify */ - - static const OPT_PAIR ecdh_choices[] = { -- {"ecdhp160", R_EC_P160}, -- {"ecdhp192", R_EC_P192}, - {"ecdhp224", R_EC_P224}, - {"ecdhp256", R_EC_P256}, - {"ecdhp384", R_EC_P384}, - {"ecdhp521", R_EC_P521}, --# ifndef OPENSSL_NO_EC2M -- {"ecdhk163", R_EC_K163}, -- {"ecdhk233", R_EC_K233}, -- {"ecdhk283", R_EC_K283}, -- {"ecdhk409", R_EC_K409}, -- 
{"ecdhk571", R_EC_K571}, -- {"ecdhb163", R_EC_B163}, -- {"ecdhb233", R_EC_B233}, -- {"ecdhb283", R_EC_B283}, -- {"ecdhb409", R_EC_B409}, -- {"ecdhb571", R_EC_B571}, --# endif -- {"ecdhbrp256r1", R_EC_BRP256R1}, -- {"ecdhbrp256t1", R_EC_BRP256T1}, -- {"ecdhbrp384r1", R_EC_BRP384R1}, -- {"ecdhbrp384t1", R_EC_BRP384T1}, -- {"ecdhbrp512r1", R_EC_BRP512R1}, -- {"ecdhbrp512t1", R_EC_BRP512T1}, - {"ecdhx25519", R_EC_X25519}, - {"ecdhx448", R_EC_X448} - }; -@@ -1502,31 +1442,10 @@ int speed_main(int argc, char **argv) - unsigned int bits; - } test_curves[] = { - /* Prime Curves */ -- {"secp160r1", NID_secp160r1, 160}, -- {"nistp192", NID_X9_62_prime192v1, 192}, - {"nistp224", NID_secp224r1, 224}, - {"nistp256", NID_X9_62_prime256v1, 256}, - {"nistp384", NID_secp384r1, 384}, - {"nistp521", NID_secp521r1, 521}, --# ifndef OPENSSL_NO_EC2M -- /* Binary Curves */ -- {"nistk163", NID_sect163k1, 163}, -- {"nistk233", NID_sect233k1, 233}, -- {"nistk283", NID_sect283k1, 283}, -- {"nistk409", NID_sect409k1, 409}, -- {"nistk571", NID_sect571k1, 571}, -- {"nistb163", NID_sect163r2, 163}, -- {"nistb233", NID_sect233r1, 233}, -- {"nistb283", NID_sect283r1, 283}, -- {"nistb409", NID_sect409r1, 409}, -- {"nistb571", NID_sect571r1, 571}, --# endif -- {"brainpoolP256r1", NID_brainpoolP256r1, 256}, -- {"brainpoolP256t1", NID_brainpoolP256t1, 256}, -- {"brainpoolP384r1", NID_brainpoolP384r1, 384}, -- {"brainpoolP384t1", NID_brainpoolP384t1, 384}, -- {"brainpoolP512r1", NID_brainpoolP512r1, 512}, -- {"brainpoolP512t1", NID_brainpoolP512t1, 512}, - /* Other and ECDH only ones */ - {"X25519", NID_X25519, 253}, - {"X448", NID_X448, 448} -@@ -2026,9 +1945,9 @@ int speed_main(int argc, char **argv) - # endif - - # ifndef OPENSSL_NO_EC -- ecdsa_c[R_EC_P160][0] = count / 1000; -- ecdsa_c[R_EC_P160][1] = count / 1000 / 2; -- for (i = R_EC_P192; i <= R_EC_P521; i++) { -+ ecdsa_c[R_EC_P224][0] = count / 1000; -+ ecdsa_c[R_EC_P224][1] = count / 1000 / 2; -+ for (i = R_EC_P256; i <= R_EC_P521; i++) { - 
ecdsa_c[i][0] = ecdsa_c[i - 1][0] / 2; - ecdsa_c[i][1] = ecdsa_c[i - 1][1] / 2; - if (ecdsa_doit[i] <= 1 && ecdsa_c[i][0] == 0) -@@ -2040,7 +1959,7 @@ int speed_main(int argc, char **argv) - } - } - } --# ifndef OPENSSL_NO_EC2M -+# if 0 - ecdsa_c[R_EC_K163][0] = count / 1000; - ecdsa_c[R_EC_K163][1] = count / 1000 / 2; - for (i = R_EC_K233; i <= R_EC_K571; i++) { -@@ -2071,8 +1990,8 @@ int speed_main(int argc, char **argv) - } - # endif - -- ecdh_c[R_EC_P160][0] = count / 1000; -- for (i = R_EC_P192; i <= R_EC_P521; i++) { -+ ecdh_c[R_EC_P224][0] = count / 1000; -+ for (i = R_EC_P256; i <= R_EC_P521; i++) { - ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; - if (ecdh_doit[i] <= 1 && ecdh_c[i][0] == 0) - ecdh_doit[i] = 0; -@@ -2082,7 +2001,7 @@ int speed_main(int argc, char **argv) - } - } - } --# ifndef OPENSSL_NO_EC2M -+# if 0 - ecdh_c[R_EC_K163][0] = count / 1000; - for (i = R_EC_K233; i <= R_EC_K571; i++) { - ecdh_c[i][0] = ecdh_c[i - 1][0] / 2; -diff -up openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves openssl-1.1.1h/crypto/ec/ecp_smpl.c ---- openssl-1.1.1h/crypto/ec/ecp_smpl.c.curves 2020-09-22 14:55:07.000000000 +0200 -+++ openssl-1.1.1h/crypto/ec/ecp_smpl.c 2020-11-06 13:27:15.659288431 +0100 -@@ -145,6 +145,11 @@ int ec_GFp_simple_group_set_curve(EC_GRO - return 0; - } - -+ if (BN_num_bits(p) < 224) { -+ ECerr(EC_F_EC_GFP_SIMPLE_GROUP_SET_CURVE, EC_R_UNSUPPORTED_FIELD); -+ return 0; -+ } -+ - if (ctx == NULL) { - ctx = new_ctx = BN_CTX_new(); - if (ctx == NULL) -diff -up openssl-1.1.1h/test/ecdsatest.h.curves openssl-1.1.1h/test/ecdsatest.h ---- openssl-1.1.1h/test/ecdsatest.h.curves 2020-11-06 13:27:15.627288114 +0100 -+++ openssl-1.1.1h/test/ecdsatest.h 2020-11-06 13:27:15.660288441 +0100 -@@ -32,23 +32,6 @@ typedef struct { - } ecdsa_cavs_kat_t; - - static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { -- /* prime KATs from X9.62 */ -- {NID_X9_62_prime192v1, NID_sha1, -- "616263", /* "abc" */ -- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", -- 
"0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" -- "5ca5c0d69716dfcb3474373902", -- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", -- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", -- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, -- {NID_X9_62_prime239v1, NID_sha1, -- "616263", /* "abc" */ -- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", -- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" -- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", -- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", -- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", -- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, - /* prime KATs from NIST CAVP */ - {NID_secp224r1, NID_sha224, - "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" ---- openssl-1.1.1h/test/recipes/15-test_genec.t.ec-curves 2020-11-06 13:58:36.402895540 +0100 -+++ openssl-1.1.1h/test/recipes/15-test_genec.t 2020-11-06 13:59:38.508484498 +0100 -@@ -20,45 +20,11 @@ plan skip_all => "This test is unsupport - if disabled("ec"); - - my @prime_curves = qw( -- secp112r1 -- secp112r2 -- secp128r1 -- secp128r2 -- secp160k1 -- secp160r1 -- secp160r2 -- secp192k1 -- secp224k1 - secp224r1 - secp256k1 - secp384r1 - secp521r1 -- prime192v1 -- prime192v2 -- prime192v3 -- prime239v1 -- prime239v2 -- prime239v3 - prime256v1 -- wap-wsg-idm-ecid-wtls6 -- wap-wsg-idm-ecid-wtls7 -- wap-wsg-idm-ecid-wtls8 -- wap-wsg-idm-ecid-wtls9 -- wap-wsg-idm-ecid-wtls12 -- brainpoolP160r1 -- brainpoolP160t1 -- brainpoolP192r1 -- brainpoolP192t1 -- brainpoolP224r1 -- brainpoolP224t1 -- brainpoolP256r1 -- brainpoolP256t1 -- brainpoolP320r1 -- brainpoolP320t1 -- brainpoolP384r1 -- brainpoolP384t1 -- brainpoolP512r1 -- brainpoolP512t1 - ); - - my @binary_curves = qw( -@@ -115,7 +81,6 @@ push(@other_curves, 'SM2') - if !disabled("sm2"); - - my @curve_aliases = qw( -- P-192 - P-224 - P-256 - P-384 
diff --git a/SOURCES/openssl-1.1.1-edk2-build.patch b/SOURCES/openssl-1.1.1-edk2-build.patch
deleted file mode 100644
index b13708e..0000000
--- a/SOURCES/openssl-1.1.1-edk2-build.patch
+++ /dev/null
@@ -1,57 +0,0 @@
-diff -up openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build openssl-1.1.1g/crypto/evp/pkey_kdf.c
---- openssl-1.1.1g/crypto/evp/pkey_kdf.c.edk2-build 2020-05-18 12:55:53.299548432 +0200
-+++ openssl-1.1.1g/crypto/evp/pkey_kdf.c 2020-05-18 12:55:53.340548788 +0200
-@@ -12,6 +12,7 @@
- #include
- #include
- #include
-+#include "internal/numbers.h"
- #include "crypto/evp.h"
- 
- static int pkey_kdf_init(EVP_PKEY_CTX *ctx)
-diff -up openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build openssl-1.1.1g/crypto/kdf/hkdf.c
---- openssl-1.1.1g/crypto/kdf/hkdf.c.edk2-build 2020-05-18 12:55:53.340548788 +0200
-+++ openssl-1.1.1g/crypto/kdf/hkdf.c 2020-05-18 12:57:18.648288904 +0200
-@@ -13,6 +13,7 @@
- #include
- #include
- #include
-+#include "internal/numbers.h"
- #include "internal/cryptlib.h"
- #include "crypto/evp.h"
- #include "kdf_local.h"
-diff -up openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build openssl-1.1.1g/crypto/rand/rand_unix.c
---- openssl-1.1.1g/crypto/rand/rand_unix.c.edk2-build 2020-05-18 12:56:05.646655554 +0200
-+++ openssl-1.1.1g/crypto/rand/rand_unix.c 2020-05-18 12:58:51.088090896 +0200
-@@ -20,7 +20,7 @@
- #include "crypto/fips.h"
- #include
- #include "internal/dso.h"
--#ifdef __linux
-+#if defined(__linux) && !defined(OPENSSL_SYS_UEFI)
- # include
- # include
- # ifdef DEVRANDOM_WAIT
-diff -up openssl-1.1.1g/include/crypto/fips.h.edk2-build openssl-1.1.1g/include/crypto/fips.h
---- openssl-1.1.1g/include/crypto/fips.h.edk2-build 2020-05-18 12:55:53.296548406 +0200
-+++ openssl-1.1.1g/include/crypto/fips.h 2020-05-18 12:55:53.340548788 +0200
-@@ -50,10 +50,6 @@
- #include
- #include
- 
--#ifndef OPENSSL_FIPS
--# error FIPS is disabled.
--#endif
--
- #ifdef OPENSSL_FIPS
- 
- int FIPS_module_mode_set(int onoff);
-@@ -97,4 +93,8 @@ void fips_set_selftest_fail(void);
- 
- void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
- 
-+#else
-+
-+# define fips_in_post() 0
-+
- #endif
diff --git a/SOURCES/openssl-1.1.1-evp-kdf.patch b/SOURCES/openssl-1.1.1-evp-kdf.patch
deleted file mode 100644
index 6145753..0000000
--- a/SOURCES/openssl-1.1.1-evp-kdf.patch
+++ /dev/null
@@ -1,5238 +0,0 @@ -diff -up openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf openssl-1.1.1j/crypto/err/openssl.txt ---- openssl-1.1.1j/crypto/err/openssl.txt.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/err/openssl.txt 2021-03-03 14:10:13.729466935 +0100 -@@ -748,6 +748,9 @@ EVP_F_EVP_DIGESTINIT_EX:128:EVP_DigestIn - EVP_F_EVP_ENCRYPTDECRYPTUPDATE:219:evp_EncryptDecryptUpdate - EVP_F_EVP_ENCRYPTFINAL_EX:127:EVP_EncryptFinal_ex - EVP_F_EVP_ENCRYPTUPDATE:167:EVP_EncryptUpdate -+EVP_F_EVP_KDF_CTRL:224:EVP_KDF_ctrl -+EVP_F_EVP_KDF_CTRL_STR:225:EVP_KDF_ctrl_str -+EVP_F_EVP_KDF_CTX_NEW_ID:226:EVP_KDF_CTX_new_id - EVP_F_EVP_MD_CTX_COPY_EX:110:EVP_MD_CTX_copy_ex - EVP_F_EVP_MD_SIZE:162:EVP_MD_size - EVP_F_EVP_OPENINIT:102:EVP_OpenInit -@@ -810,12 +813,31 @@ EVP_F_PKCS5_PBE_KEYIVGEN:117:PKCS5_PBE_k - EVP_F_PKCS5_V2_PBE_KEYIVGEN:118:PKCS5_v2_PBE_keyivgen - EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN:164:PKCS5_v2_PBKDF2_keyivgen - EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN:180:PKCS5_v2_scrypt_keyivgen -+EVP_F_PKEY_KDF_CTRL:227:pkey_kdf_ctrl - EVP_F_PKEY_SET_TYPE:158:pkey_set_type - EVP_F_RC2_MAGIC_TO_METH:109:rc2_magic_to_meth - EVP_F_RC5_CTRL:125:rc5_ctrl - EVP_F_R_32_12_16_INIT_KEY:242:r_32_12_16_init_key - EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_gcm_ctrl -+EVP_F_SCRYPT_ALG:228:scrypt_alg - EVP_F_UPDATE:173:update -+KDF_F_HKDF_EXTRACT:112:HKDF_Extract -+KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive -+KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new -+KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size -+KDF_F_KDF_MD2CTRL:116:kdf_md2ctrl -+KDF_F_KDF_PBKDF2_CTRL_STR:117:kdf_pbkdf2_ctrl_str -+KDF_F_KDF_PBKDF2_DERIVE:118:kdf_pbkdf2_derive -+KDF_F_KDF_PBKDF2_NEW:119:kdf_pbkdf2_new -+KDF_F_KDF_SCRYPT_CTRL_STR:120:kdf_scrypt_ctrl_str -+KDF_F_KDF_SCRYPT_CTRL_UINT32:121:kdf_scrypt_ctrl_uint32 -+KDF_F_KDF_SCRYPT_CTRL_UINT64:122:kdf_scrypt_ctrl_uint64 -+KDF_F_KDF_SCRYPT_DERIVE:123:kdf_scrypt_derive -+KDF_F_KDF_SCRYPT_NEW:124:kdf_scrypt_new -+KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str 
-+KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive -+KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new -+KDF_F_PBKDF2_SET_MEMBUF:128:pbkdf2_set_membuf - KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str - KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive - KDF_F_PKEY_HKDF_INIT:108:pkey_hkdf_init -@@ -827,6 +849,7 @@ KDF_F_PKEY_SCRYPT_SET_MEMBUF:107:pkey_sc - KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tls1_prf_ctrl_str - KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive - KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init -+KDF_F_SCRYPT_SET_MEMBUF:129:scrypt_set_membuf - KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg - OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object - OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid -@@ -2284,6 +2307,7 @@ EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_K - operation not supported for this keytype - EVP_R_OPERATON_NOT_INITIALIZED:151:operaton not initialized - EVP_R_OUTPUT_WOULD_OVERFLOW:184:output would overflow -+EVP_R_PARAMETER_TOO_LARGE:187:parameter too large - EVP_R_PARTIALLY_OVERLAPPING:162:partially overlapping buffers - EVP_R_PBKDF2_ERROR:181:pbkdf2 error - EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED:179:\ -@@ -2320,6 +2344,7 @@ KDF_R_MISSING_SEED:106:missing seed - KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type - KDF_R_VALUE_ERROR:108:value error - KDF_R_VALUE_MISSING:102:value missing -+KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size - OBJ_R_OID_EXISTS:102:oid exists - OBJ_R_UNKNOWN_NID:101:unknown nid - OCSP_R_CERTIFICATE_VERIFY_ERROR:101:certificate verify error -diff -up openssl-1.1.1j/crypto/evp/build.info.evp-kdf openssl-1.1.1j/crypto/evp/build.info ---- openssl-1.1.1j/crypto/evp/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/build.info 2021-03-03 14:08:02.490294839 +0100 -@@ -9,7 +9,8 @@ SOURCE[../../libcrypto]=\ - p_open.c p_seal.c p_sign.c p_verify.c p_lib.c p_enc.c p_dec.c \ - bio_md.c bio_b64.c bio_enc.c evp_err.c e_null.c \ - c_allc.c c_alld.c evp_lib.c bio_ok.c \ -- evp_pkey.c evp_pbe.c p5_crpt.c 
p5_crpt2.c pbe_scrypt.c \ -+ evp_pkey.c kdf_lib.c evp_pbe.c p5_crpt.c p5_crpt2.c pbe_scrypt.c \ -+ pkey_kdf.c \ - e_old.c pmeth_lib.c pmeth_fn.c pmeth_gn.c m_sigver.c \ - e_aes_cbc_hmac_sha1.c e_aes_cbc_hmac_sha256.c e_rc4_hmac_md5.c \ - e_chacha20_poly1305.c cmeth_lib.c -diff -up openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c.evp-kdf openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c ---- openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/e_chacha20_poly1305.c 2021-03-03 14:08:02.490294839 +0100 -@@ -14,9 +14,9 @@ - - # include - # include --# include "evp_local.h" - # include "crypto/evp.h" - # include "crypto/chacha.h" -+# include "evp_local.h" - - typedef struct { - union { -diff -up openssl-1.1.1j/crypto/evp/encode.c.evp-kdf openssl-1.1.1j/crypto/evp/encode.c ---- openssl-1.1.1j/crypto/evp/encode.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/encode.c 2021-03-03 14:08:02.491294847 +0100 -@@ -11,8 +11,8 @@ - #include - #include "internal/cryptlib.h" - #include --#include "evp_local.h" - #include "crypto/evp.h" -+#include "evp_local.h" - - static unsigned char conv_ascii2bin(unsigned char a, - const unsigned char *table); -diff -up openssl-1.1.1j/crypto/evp/evp_err.c.evp-kdf openssl-1.1.1j/crypto/evp/evp_err.c ---- openssl-1.1.1j/crypto/evp/evp_err.c.evp-kdf 2021-03-03 14:08:02.469294651 +0100 -+++ openssl-1.1.1j/crypto/evp/evp_err.c 2021-03-03 14:12:08.272351600 +0100 -@@ -60,6 +60,9 @@ static const ERR_STRING_DATA EVP_str_fun - {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTFINAL_EX, 0), - "EVP_EncryptFinal_ex"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_ENCRYPTUPDATE, 0), "EVP_EncryptUpdate"}, -+ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTRL, 0), "EVP_KDF_ctrl"}, -+ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTRL_STR, 0), "EVP_KDF_ctrl_str"}, -+ {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_KDF_CTX_NEW_ID, 0), "EVP_KDF_CTX_new_id"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_CTX_COPY_EX, 0), 
"EVP_MD_CTX_copy_ex"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_MD_SIZE, 0), "EVP_MD_size"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_EVP_OPENINIT, 0), "EVP_OpenInit"}, -@@ -151,12 +154,14 @@ static const ERR_STRING_DATA EVP_str_fun - "PKCS5_v2_PBKDF2_keyivgen"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN, 0), - "PKCS5_v2_scrypt_keyivgen"}, -+ {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_KDF_CTRL, 0), "pkey_kdf_ctrl"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_PKEY_SET_TYPE, 0), "pkey_set_type"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_RC2_MAGIC_TO_METH, 0), "rc2_magic_to_meth"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_RC5_CTRL, 0), "rc5_ctrl"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_R_32_12_16_INIT_KEY, 0), - "r_32_12_16_init_key"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_S390X_AES_GCM_CTRL, 0), "s390x_aes_gcm_ctrl"}, -+ {ERR_PACK(ERR_LIB_EVP, EVP_F_SCRYPT_ALG, 0), "scrypt_alg"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_UPDATE, 0), "update"}, - {0, NULL} - }; -@@ -243,6 +248,8 @@ static const ERR_STRING_DATA EVP_str_rea - "operaton not initialized"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_OUTPUT_WOULD_OVERFLOW), - "output would overflow"}, -+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARAMETER_TOO_LARGE), -+ "parameter too large"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PARTIALLY_OVERLAPPING), - "partially overlapping buffers"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PBKDF2_ERROR), "pbkdf2 error"}, -diff -up openssl-1.1.1j/crypto/evp/evp_local.h.evp-kdf openssl-1.1.1j/crypto/evp/evp_local.h ---- openssl-1.1.1j/crypto/evp/evp_local.h.evp-kdf 2021-03-03 14:08:02.362293695 +0100 -+++ openssl-1.1.1j/crypto/evp/evp_local.h 2021-03-03 14:08:02.491294847 +0100 -@@ -41,6 +41,11 @@ struct evp_cipher_ctx_st { - unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ - } /* EVP_CIPHER_CTX */ ; - -+struct evp_kdf_ctx_st { -+ const EVP_KDF_METHOD *kmeth; -+ EVP_KDF_IMPL *impl; /* Algorithm-specific data */ -+} /* EVP_KDF_CTX */ ; -+ - int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, - int passlen, ASN1_TYPE *param, - const EVP_CIPHER *c, 
const EVP_MD *md, -diff -up openssl-1.1.1j/crypto/evp/evp_pbe.c.evp-kdf openssl-1.1.1j/crypto/evp/evp_pbe.c ---- openssl-1.1.1j/crypto/evp/evp_pbe.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/evp_pbe.c 2021-03-03 14:08:02.491294847 +0100 -@@ -12,6 +12,7 @@ - #include - #include - #include -+#include "crypto/evp.h" - #include "evp_local.h" - - /* Password based encryption (PBE) functions */ -diff -up openssl-1.1.1j/crypto/evp/kdf_lib.c.evp-kdf openssl-1.1.1j/crypto/evp/kdf_lib.c ---- openssl-1.1.1j/crypto/evp/kdf_lib.c.evp-kdf 2021-03-03 14:08:02.491294847 +0100 -+++ openssl-1.1.1j/crypto/evp/kdf_lib.c 2021-03-03 14:08:02.491294847 +0100 -@@ -0,0 +1,165 @@ -+/* -+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include -+#include -+#include "internal/cryptlib.h" -+#include -+#include -+#include -+#include -+#include "crypto/asn1.h" -+#include "crypto/evp.h" -+#include "internal/numbers.h" -+#include "evp_local.h" -+ -+typedef int sk_cmp_fn_type(const char *const *a, const char *const *b); -+ -+/* This array needs to be in order of NIDs */ -+static const EVP_KDF_METHOD *standard_methods[] = { -+ &pbkdf2_kdf_meth, -+#ifndef OPENSSL_NO_SCRYPT -+ &scrypt_kdf_meth, -+#endif -+ &tls1_prf_kdf_meth, -+ &hkdf_kdf_meth -+}; -+ -+DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *, -+ kmeth); -+ -+static int kmeth_cmp(const EVP_KDF_METHOD *const *a, -+ const EVP_KDF_METHOD *const *b) -+{ -+ return ((*a)->type - (*b)->type); -+} -+ -+IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *, -+ kmeth); -+ -+static const EVP_KDF_METHOD 
*kdf_meth_find(int type) -+{ -+ EVP_KDF_METHOD tmp; -+ const EVP_KDF_METHOD *t = &tmp, **ret; -+ -+ tmp.type = type; -+ ret = OBJ_bsearch_kmeth(&t, standard_methods, -+ OSSL_NELEM(standard_methods)); -+ if (ret == NULL || *ret == NULL) -+ return NULL; -+ -+ return *ret; -+} -+ -+EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id) -+{ -+ EVP_KDF_CTX *ret; -+ const EVP_KDF_METHOD *kmeth; -+ -+ kmeth = kdf_meth_find(id); -+ if (kmeth == NULL) { -+ EVPerr(EVP_F_EVP_KDF_CTX_NEW_ID, EVP_R_UNSUPPORTED_ALGORITHM); -+ return NULL; -+ } -+ -+ ret = OPENSSL_zalloc(sizeof(*ret)); -+ if (ret == NULL) { -+ EVPerr(EVP_F_EVP_KDF_CTX_NEW_ID, ERR_R_MALLOC_FAILURE); -+ return NULL; -+ } -+ -+ if (kmeth->new != NULL && (ret->impl = kmeth->new()) == NULL) { -+ EVP_KDF_CTX_free(ret); -+ return NULL; -+ } -+ -+ ret->kmeth = kmeth; -+ return ret; -+} -+ -+void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx) -+{ -+ if (ctx == NULL) -+ return; -+ -+ ctx->kmeth->free(ctx->impl); -+ OPENSSL_free(ctx); -+} -+ -+void EVP_KDF_reset(EVP_KDF_CTX *ctx) -+{ -+ if (ctx == NULL) -+ return; -+ -+ if (ctx->kmeth->reset != NULL) -+ ctx->kmeth->reset(ctx->impl); -+} -+ -+int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...) 
-+{ -+ int ret; -+ va_list args; -+ -+ va_start(args, cmd); -+ ret = EVP_KDF_vctrl(ctx, cmd, args); -+ va_end(args); -+ -+ if (ret == -2) -+ EVPerr(EVP_F_EVP_KDF_CTRL, EVP_R_COMMAND_NOT_SUPPORTED); -+ -+ return ret; -+} -+ -+int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args) -+{ -+ if (ctx == NULL) -+ return 0; -+ -+ return ctx->kmeth->ctrl(ctx->impl, cmd, args); -+} -+ -+int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value) -+{ -+ int ret; -+ -+ if (ctx == NULL) -+ return 0; -+ -+ if (ctx->kmeth->ctrl_str == NULL) { -+ EVPerr(EVP_F_EVP_KDF_CTRL_STR, EVP_R_COMMAND_NOT_SUPPORTED); -+ return -2; -+ } -+ -+ ret = ctx->kmeth->ctrl_str(ctx->impl, type, value); -+ if (ret == -2) -+ EVPerr(EVP_F_EVP_KDF_CTRL_STR, EVP_R_COMMAND_NOT_SUPPORTED); -+ -+ return ret; -+} -+ -+size_t EVP_KDF_size(EVP_KDF_CTX *ctx) -+{ -+ if (ctx == NULL) -+ return 0; -+ -+ if (ctx->kmeth->size == NULL) -+ return SIZE_MAX; -+ -+ return ctx->kmeth->size(ctx->impl); -+} -+ -+int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen) -+{ -+ if (ctx == NULL) -+ return 0; -+ -+ return ctx->kmeth->derive(ctx->impl, key, keylen); -+} -+ -diff -up openssl-1.1.1j/crypto/evp/p5_crpt2.c.evp-kdf openssl-1.1.1j/crypto/evp/p5_crpt2.c ---- openssl-1.1.1j/crypto/evp/p5_crpt2.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/p5_crpt2.c 2021-03-03 14:08:02.491294847 +0100 -@@ -1,5 +1,5 @@ - /* -- * Copyright 1999-2016 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1999-2018 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. 
You can obtain a copy -@@ -10,105 +10,51 @@ - #include - #include - #include "internal/cryptlib.h" --# include --# include --# include --# include "evp_local.h" -+#include -+#include -+#include -+#include -+#include "crypto/evp.h" -+#include "evp_local.h" - - /* set this to print out info about the keygen algorithm */ - /* #define OPENSSL_DEBUG_PKCS5V2 */ - --# ifdef OPENSSL_DEBUG_PKCS5V2 -+#ifdef OPENSSL_DEBUG_PKCS5V2 - static void h__dump(const unsigned char *p, int len); --# endif -- --/* -- * This is an implementation of PKCS#5 v2.0 password based encryption key -- * derivation function PBKDF2. SHA1 version verified against test vectors -- * posted by Peter Gutmann to the PKCS-TNG mailing list. -- */ -+#endif - - int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, - const unsigned char *salt, int saltlen, int iter, - const EVP_MD *digest, int keylen, unsigned char *out) - { - const char *empty = ""; -- unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4]; -- int cplen, j, k, tkeylen, mdlen; -- unsigned long i = 1; -- HMAC_CTX *hctx_tpl = NULL, *hctx = NULL; -- -- mdlen = EVP_MD_size(digest); -- if (mdlen < 0) -- return 0; -+ int rv = 1; -+ EVP_KDF_CTX *kctx; - -- hctx_tpl = HMAC_CTX_new(); -- if (hctx_tpl == NULL) -- return 0; -- p = out; -- tkeylen = keylen; -+ /* Keep documented behaviour. */ - if (pass == NULL) { - pass = empty; - passlen = 0; - } else if (passlen == -1) { - passlen = strlen(pass); - } -- if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL)) { -- HMAC_CTX_free(hctx_tpl); -- return 0; -- } -- hctx = HMAC_CTX_new(); -- if (hctx == NULL) { -- HMAC_CTX_free(hctx_tpl); -+ if (salt == NULL && saltlen == 0) -+ salt = (unsigned char *)empty; -+ -+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2); -+ if (kctx == NULL) - return 0; -- } -- while (tkeylen) { -- if (tkeylen > mdlen) -- cplen = mdlen; -- else -- cplen = tkeylen; -- /* -- * We are unlikely to ever use more than 256 blocks (5120 bits!) but -- * just in case... 
-- */ -- itmp[0] = (unsigned char)((i >> 24) & 0xff); -- itmp[1] = (unsigned char)((i >> 16) & 0xff); -- itmp[2] = (unsigned char)((i >> 8) & 0xff); -- itmp[3] = (unsigned char)(i & 0xff); -- if (!HMAC_CTX_copy(hctx, hctx_tpl)) { -- HMAC_CTX_free(hctx); -- HMAC_CTX_free(hctx_tpl); -- return 0; -- } -- if (!HMAC_Update(hctx, salt, saltlen) -- || !HMAC_Update(hctx, itmp, 4) -- || !HMAC_Final(hctx, digtmp, NULL)) { -- HMAC_CTX_free(hctx); -- HMAC_CTX_free(hctx_tpl); -- return 0; -- } -- memcpy(p, digtmp, cplen); -- for (j = 1; j < iter; j++) { -- if (!HMAC_CTX_copy(hctx, hctx_tpl)) { -- HMAC_CTX_free(hctx); -- HMAC_CTX_free(hctx_tpl); -- return 0; -- } -- if (!HMAC_Update(hctx, digtmp, mdlen) -- || !HMAC_Final(hctx, digtmp, NULL)) { -- HMAC_CTX_free(hctx); -- HMAC_CTX_free(hctx_tpl); -- return 0; -- } -- for (k = 0; k < cplen; k++) -- p[k] ^= digtmp[k]; -- } -- tkeylen -= cplen; -- i++; -- p += cplen; -- } -- HMAC_CTX_free(hctx); -- HMAC_CTX_free(hctx_tpl); -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1 -+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, -+ salt, (size_t)saltlen) != 1 -+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, iter) != 1 -+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, digest) != 1 -+ || EVP_KDF_derive(kctx, out, keylen) != 1) -+ rv = 0; -+ -+ EVP_KDF_CTX_free(kctx); -+ - # ifdef OPENSSL_DEBUG_PKCS5V2 - fprintf(stderr, "Password:\n"); - h__dump(pass, passlen); -@@ -118,7 +64,7 @@ int PKCS5_PBKDF2_HMAC(const char *pass, - fprintf(stderr, "Key:\n"); - h__dump(out, keylen); - # endif -- return 1; -+ return rv; - } - - int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, -diff -up openssl-1.1.1j/crypto/evp/pbe_scrypt.c.evp-kdf openssl-1.1.1j/crypto/evp/pbe_scrypt.c ---- openssl-1.1.1j/crypto/evp/pbe_scrypt.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/pbe_scrypt.c 2021-03-03 14:08:02.491294847 +0100 -@@ -7,135 +7,12 @@ - * https://www.openssl.org/source/license.html - */ - --#include 
--#include --#include - #include - #include --#include "internal/numbers.h" -+#include - - #ifndef OPENSSL_NO_SCRYPT - --#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) --static void salsa208_word_specification(uint32_t inout[16]) --{ -- int i; -- uint32_t x[16]; -- memcpy(x, inout, sizeof(x)); -- for (i = 8; i > 0; i -= 2) { -- x[4] ^= R(x[0] + x[12], 7); -- x[8] ^= R(x[4] + x[0], 9); -- x[12] ^= R(x[8] + x[4], 13); -- x[0] ^= R(x[12] + x[8], 18); -- x[9] ^= R(x[5] + x[1], 7); -- x[13] ^= R(x[9] + x[5], 9); -- x[1] ^= R(x[13] + x[9], 13); -- x[5] ^= R(x[1] + x[13], 18); -- x[14] ^= R(x[10] + x[6], 7); -- x[2] ^= R(x[14] + x[10], 9); -- x[6] ^= R(x[2] + x[14], 13); -- x[10] ^= R(x[6] + x[2], 18); -- x[3] ^= R(x[15] + x[11], 7); -- x[7] ^= R(x[3] + x[15], 9); -- x[11] ^= R(x[7] + x[3], 13); -- x[15] ^= R(x[11] + x[7], 18); -- x[1] ^= R(x[0] + x[3], 7); -- x[2] ^= R(x[1] + x[0], 9); -- x[3] ^= R(x[2] + x[1], 13); -- x[0] ^= R(x[3] + x[2], 18); -- x[6] ^= R(x[5] + x[4], 7); -- x[7] ^= R(x[6] + x[5], 9); -- x[4] ^= R(x[7] + x[6], 13); -- x[5] ^= R(x[4] + x[7], 18); -- x[11] ^= R(x[10] + x[9], 7); -- x[8] ^= R(x[11] + x[10], 9); -- x[9] ^= R(x[8] + x[11], 13); -- x[10] ^= R(x[9] + x[8], 18); -- x[12] ^= R(x[15] + x[14], 7); -- x[13] ^= R(x[12] + x[15], 9); -- x[14] ^= R(x[13] + x[12], 13); -- x[15] ^= R(x[14] + x[13], 18); -- } -- for (i = 0; i < 16; ++i) -- inout[i] += x[i]; -- OPENSSL_cleanse(x, sizeof(x)); --} -- --static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r) --{ -- uint64_t i, j; -- uint32_t X[16], *pB; -- -- memcpy(X, B + (r * 2 - 1) * 16, sizeof(X)); -- pB = B; -- for (i = 0; i < r * 2; i++) { -- for (j = 0; j < 16; j++) -- X[j] ^= *pB++; -- salsa208_word_specification(X); -- memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X)); -- } -- OPENSSL_cleanse(X, sizeof(X)); --} -- --static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N, -- uint32_t *X, uint32_t *T, uint32_t *V) --{ -- unsigned char *pB; -- uint32_t *pV; -- uint64_t i, 
k; -- -- /* Convert from little endian input */ -- for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) { -- *pV = *pB++; -- *pV |= *pB++ << 8; -- *pV |= *pB++ << 16; -- *pV |= (uint32_t)*pB++ << 24; -- } -- -- for (i = 1; i < N; i++, pV += 32 * r) -- scryptBlockMix(pV, pV - 32 * r, r); -- -- scryptBlockMix(X, V + (N - 1) * 32 * r, r); -- -- for (i = 0; i < N; i++) { -- uint32_t j; -- j = X[16 * (2 * r - 1)] % N; -- pV = V + 32 * r * j; -- for (k = 0; k < 32 * r; k++) -- T[k] = X[k] ^ *pV++; -- scryptBlockMix(X, T, r); -- } -- /* Convert output to little endian */ -- for (i = 0, pB = B; i < 32 * r; i++) { -- uint32_t xtmp = X[i]; -- *pB++ = xtmp & 0xff; -- *pB++ = (xtmp >> 8) & 0xff; -- *pB++ = (xtmp >> 16) & 0xff; -- *pB++ = (xtmp >> 24) & 0xff; -- } --} -- --#ifndef SIZE_MAX --# define SIZE_MAX ((size_t)-1) --#endif -- --/* -- * Maximum power of two that will fit in uint64_t: this should work on -- * most (all?) platforms. -- */ -- --#define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1) -- --/* -- * Maximum value of p * r: -- * p <= ((2^32-1) * hLen) / MFLen => -- * p <= ((2^32-1) * 32) / (128 * r) => -- * p * r <= (2^30-1) -- * -- */ -- --#define SCRYPT_PR_MAX ((1 << 30) - 1) -- - /* - * Maximum permitted memory allow this to be overridden with Configuration - * option: e.g. -DSCRYPT_MAX_MEM=0 for maximum possible. 
-@@ -160,107 +37,43 @@ int EVP_PBE_scrypt(const char *pass, siz - uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, - unsigned char *key, size_t keylen) - { -- int rv = 0; -- unsigned char *B; -- uint32_t *X, *V, *T; -- uint64_t i, Blen, Vlen; -- -- /* Sanity check parameters */ -- /* initial check, r,p must be non zero, N >= 2 and a power of 2 */ -- if (r == 0 || p == 0 || N < 2 || (N & (N - 1))) -- return 0; -- /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ -- if (p > SCRYPT_PR_MAX / r) { -- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -- return 0; -- } -- -- /* -- * Need to check N: if 2^(128 * r / 8) overflows limit this is -- * automatically satisfied since N <= UINT64_MAX. -- */ -- -- if (16 * r <= LOG2_UINT64_MAX) { -- if (N >= (((uint64_t)1) << (16 * r))) { -- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -- return 0; -- } -- } -+ const char *empty = ""; -+ int rv = 1; -+ EVP_KDF_CTX *kctx; - -- /* Memory checks: check total allocated buffer size fits in uint64_t */ -- -- /* -- * B size in section 5 step 1.S -- * Note: we know p * 128 * r < UINT64_MAX because we already checked -- * p * r < SCRYPT_PR_MAX -- */ -- Blen = p * 128 * r; -- /* -- * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would -- * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.] -- */ -- if (Blen > INT_MAX) { -- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -+ if (r > UINT32_MAX || p > UINT32_MAX) { -+ EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PARAMETER_TOO_LARGE); - return 0; - } - -- /* -- * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t -- * This is combined size V, X and T (section 4) -- */ -- i = UINT64_MAX / (32 * sizeof(uint32_t)); -- if (N + 2 > i / r) { -- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -- return 0; -+ /* Maintain existing behaviour. 
*/ -+ if (pass == NULL) { -+ pass = empty; -+ passlen = 0; - } -- Vlen = 32 * r * (N + 2) * sizeof(uint32_t); -- -- /* check total allocated size fits in uint64_t */ -- if (Blen > UINT64_MAX - Vlen) { -- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -- return 0; -+ if (salt == NULL) { -+ salt = (const unsigned char *)empty; -+ saltlen = 0; - } -- - if (maxmem == 0) - maxmem = SCRYPT_MAX_MEM; - -- /* Check that the maximum memory doesn't exceed a size_t limits */ -- if (maxmem > SIZE_MAX) -- maxmem = SIZE_MAX; -- -- if (Blen + Vlen > maxmem) { -- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_MEMORY_LIMIT_EXCEEDED); -+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT); -+ if (kctx == NULL) - return 0; -- } - -- /* If no key return to indicate parameters are OK */ -- if (key == NULL) -- return 1; -- -- B = OPENSSL_malloc((size_t)(Blen + Vlen)); -- if (B == NULL) { -- EVPerr(EVP_F_EVP_PBE_SCRYPT, ERR_R_MALLOC_FAILURE); -- return 0; -- } -- X = (uint32_t *)(B + Blen); -- T = X + 32 * r; -- V = T + 32 * r; -- if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(), -- (int)Blen, B) == 0) -- goto err; -- -- for (i = 0; i < p; i++) -- scryptROMix(B + 128 * r * i, r, N, X, T, V); -- -- if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(), -- keylen, key) == 0) -- goto err; -- rv = 1; -- err: -- if (rv == 0) -- EVPerr(EVP_F_EVP_PBE_SCRYPT, EVP_R_PBKDF2_ERROR); -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1 -+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, -+ salt, (size_t)saltlen) != 1 -+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, N) != 1 -+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)r) != 1 -+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)p) != 1 -+ || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES, maxmem) != 1 -+ || EVP_KDF_derive(kctx, key, keylen) != 1) -+ rv = 0; - -- OPENSSL_clear_free(B, (size_t)(Blen + Vlen)); -+ EVP_KDF_CTX_free(kctx); - return rv; - } -+ - #endif -diff -up 
openssl-1.1.1j/crypto/evp/pkey_kdf.c.evp-kdf openssl-1.1.1j/crypto/evp/pkey_kdf.c ---- openssl-1.1.1j/crypto/evp/pkey_kdf.c.evp-kdf 2021-03-03 14:08:02.491294847 +0100 -+++ openssl-1.1.1j/crypto/evp/pkey_kdf.c 2021-03-03 14:08:02.491294847 +0100 -@@ -0,0 +1,255 @@ -+/* -+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include -+#include -+#include -+#include -+#include "crypto/evp.h" -+ -+static int pkey_kdf_init(EVP_PKEY_CTX *ctx) -+{ -+ EVP_KDF_CTX *kctx; -+ -+ kctx = EVP_KDF_CTX_new_id(ctx->pmeth->pkey_id); -+ if (kctx == NULL) -+ return 0; -+ -+ ctx->data = kctx; -+ return 1; -+} -+ -+static void pkey_kdf_cleanup(EVP_PKEY_CTX *ctx) -+{ -+ EVP_KDF_CTX *kctx = ctx->data; -+ -+ EVP_KDF_CTX_free(kctx); -+} -+ -+static int pkey_kdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) -+{ -+ EVP_KDF_CTX *kctx = ctx->data; -+ uint64_t u64_value; -+ int cmd; -+ int ret; -+ -+ switch (type) { -+ case EVP_PKEY_CTRL_PASS: -+ cmd = EVP_KDF_CTRL_SET_PASS; -+ break; -+ case EVP_PKEY_CTRL_HKDF_SALT: -+ case EVP_PKEY_CTRL_SCRYPT_SALT: -+ cmd = EVP_KDF_CTRL_SET_SALT; -+ break; -+ case EVP_PKEY_CTRL_TLS_MD: -+ case EVP_PKEY_CTRL_HKDF_MD: -+ cmd = EVP_KDF_CTRL_SET_MD; -+ break; -+ case EVP_PKEY_CTRL_TLS_SECRET: -+ cmd = EVP_KDF_CTRL_SET_TLS_SECRET; -+ ret = EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_RESET_TLS_SEED); -+ if (ret < 1) -+ return ret; -+ break; -+ case EVP_PKEY_CTRL_TLS_SEED: -+ cmd = EVP_KDF_CTRL_ADD_TLS_SEED; -+ break; -+ case EVP_PKEY_CTRL_HKDF_KEY: -+ cmd = EVP_KDF_CTRL_SET_KEY; -+ break; -+ case EVP_PKEY_CTRL_HKDF_INFO: -+ cmd = EVP_KDF_CTRL_ADD_HKDF_INFO; -+ break; -+ case EVP_PKEY_CTRL_HKDF_MODE: -+ cmd = 
EVP_KDF_CTRL_SET_HKDF_MODE; -+ break; -+ case EVP_PKEY_CTRL_SCRYPT_N: -+ cmd = EVP_KDF_CTRL_SET_SCRYPT_N; -+ break; -+ case EVP_PKEY_CTRL_SCRYPT_R: -+ cmd = EVP_KDF_CTRL_SET_SCRYPT_R; -+ break; -+ case EVP_PKEY_CTRL_SCRYPT_P: -+ cmd = EVP_KDF_CTRL_SET_SCRYPT_P; -+ break; -+ case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES: -+ cmd = EVP_KDF_CTRL_SET_MAXMEM_BYTES; -+ break; -+ default: -+ return -2; -+ } -+ -+ switch (cmd) { -+ case EVP_KDF_CTRL_SET_PASS: -+ case EVP_KDF_CTRL_SET_SALT: -+ case EVP_KDF_CTRL_SET_KEY: -+ case EVP_KDF_CTRL_SET_TLS_SECRET: -+ case EVP_KDF_CTRL_ADD_TLS_SEED: -+ case EVP_KDF_CTRL_ADD_HKDF_INFO: -+ return EVP_KDF_ctrl(kctx, cmd, (const unsigned char *)p2, (size_t)p1); -+ -+ case EVP_KDF_CTRL_SET_MD: -+ return EVP_KDF_ctrl(kctx, cmd, (const EVP_MD *)p2); -+ -+ case EVP_KDF_CTRL_SET_HKDF_MODE: -+ return EVP_KDF_ctrl(kctx, cmd, (int)p1); -+ -+ case EVP_KDF_CTRL_SET_SCRYPT_R: -+ case EVP_KDF_CTRL_SET_SCRYPT_P: -+ u64_value = *(uint64_t *)p2; -+ if (u64_value > UINT32_MAX) { -+ EVPerr(EVP_F_PKEY_KDF_CTRL, EVP_R_PARAMETER_TOO_LARGE); -+ return 0; -+ } -+ -+ return EVP_KDF_ctrl(kctx, cmd, (uint32_t)u64_value); -+ -+ case EVP_KDF_CTRL_SET_SCRYPT_N: -+ case EVP_KDF_CTRL_SET_MAXMEM_BYTES: -+ return EVP_KDF_ctrl(kctx, cmd, *(uint64_t *)p2); -+ -+ default: -+ return 0; -+ } -+} -+ -+static int pkey_kdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, -+ const char *value) -+{ -+ EVP_KDF_CTX *kctx = ctx->data; -+ -+ if (strcmp(type, "md") == 0) -+ return EVP_KDF_ctrl_str(kctx, "digest", value); -+ return EVP_KDF_ctrl_str(kctx, type, value); -+} -+ -+static int pkey_kdf_derive_init(EVP_PKEY_CTX *ctx) -+{ -+ EVP_KDF_CTX *kctx = ctx->data; -+ -+ EVP_KDF_reset(kctx); -+ return 1; -+} -+ -+/* -+ * For fixed-output algorithms the keylen parameter is an "out" parameter -+ * otherwise it is an "in" parameter. 
-+ */ -+static int pkey_kdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, -+ size_t *keylen) -+{ -+ EVP_KDF_CTX *kctx = ctx->data; -+ size_t outlen = EVP_KDF_size(kctx); -+ -+ if (outlen == 0 || outlen == SIZE_MAX) { -+ /* Variable-output algorithm */ -+ if (key == NULL) -+ return 0; -+ } else { -+ /* Fixed-output algorithm */ -+ *keylen = outlen; -+ if (key == NULL) -+ return 1; -+ } -+ return EVP_KDF_derive(kctx, key, *keylen); -+} -+ -+#ifndef OPENSSL_NO_SCRYPT -+const EVP_PKEY_METHOD scrypt_pkey_meth = { -+ EVP_PKEY_SCRYPT, -+ 0, -+ pkey_kdf_init, -+ 0, -+ pkey_kdf_cleanup, -+ -+ 0, 0, -+ 0, 0, -+ -+ 0, -+ 0, -+ -+ 0, -+ 0, -+ -+ 0, 0, -+ -+ 0, 0, 0, 0, -+ -+ 0, 0, -+ -+ 0, 0, -+ -+ pkey_kdf_derive_init, -+ pkey_kdf_derive, -+ pkey_kdf_ctrl, -+ pkey_kdf_ctrl_str -+}; -+#endif -+ -+const EVP_PKEY_METHOD tls1_prf_pkey_meth = { -+ EVP_PKEY_TLS1_PRF, -+ EVP_PKEY_FLAG_FIPS, -+ pkey_kdf_init, -+ 0, -+ pkey_kdf_cleanup, -+ -+ 0, 0, -+ 0, 0, -+ -+ 0, -+ 0, -+ -+ 0, -+ 0, -+ -+ 0, 0, -+ -+ 0, 0, 0, 0, -+ -+ 0, 0, -+ -+ 0, 0, -+ -+ pkey_kdf_derive_init, -+ pkey_kdf_derive, -+ pkey_kdf_ctrl, -+ pkey_kdf_ctrl_str -+}; -+ -+const EVP_PKEY_METHOD hkdf_pkey_meth = { -+ EVP_PKEY_HKDF, -+ EVP_PKEY_FLAG_FIPS, -+ pkey_kdf_init, -+ 0, -+ pkey_kdf_cleanup, -+ -+ 0, 0, -+ 0, 0, -+ -+ 0, -+ 0, -+ -+ 0, -+ 0, -+ -+ 0, 0, -+ -+ 0, 0, 0, 0, -+ -+ 0, 0, -+ -+ 0, 0, -+ -+ pkey_kdf_derive_init, -+ pkey_kdf_derive, -+ pkey_kdf_ctrl, -+ pkey_kdf_ctrl_str -+}; -+ -diff -up openssl-1.1.1j/crypto/kdf/build.info.evp-kdf openssl-1.1.1j/crypto/kdf/build.info ---- openssl-1.1.1j/crypto/kdf/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/kdf/build.info 2021-03-03 14:08:02.491294847 +0100 -@@ -1,3 +1,3 @@ - LIBS=../../libcrypto - SOURCE[../../libcrypto]=\ -- tls1_prf.c kdf_err.c hkdf.c scrypt.c -+ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c -diff -up openssl-1.1.1j/crypto/kdf/hkdf.c.evp-kdf openssl-1.1.1j/crypto/kdf/hkdf.c ---- 
openssl-1.1.1j/crypto/kdf/hkdf.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/kdf/hkdf.c 2021-03-03 14:08:02.492294856 +0100 -@@ -8,32 +8,33 @@ - */ - - #include -+#include - #include - #include - #include - #include - #include "internal/cryptlib.h" - #include "crypto/evp.h" -+#include "kdf_local.h" - - #define HKDF_MAXBUF 1024 - --static unsigned char *HKDF(const EVP_MD *evp_md, -- const unsigned char *salt, size_t salt_len, -- const unsigned char *key, size_t key_len, -- const unsigned char *info, size_t info_len, -- unsigned char *okm, size_t okm_len); -- --static unsigned char *HKDF_Extract(const EVP_MD *evp_md, -- const unsigned char *salt, size_t salt_len, -- const unsigned char *key, size_t key_len, -- unsigned char *prk, size_t *prk_len); -- --static unsigned char *HKDF_Expand(const EVP_MD *evp_md, -- const unsigned char *prk, size_t prk_len, -- const unsigned char *info, size_t info_len, -- unsigned char *okm, size_t okm_len); -+static void kdf_hkdf_reset(EVP_KDF_IMPL *impl); -+static int HKDF(const EVP_MD *evp_md, -+ const unsigned char *salt, size_t salt_len, -+ const unsigned char *key, size_t key_len, -+ const unsigned char *info, size_t info_len, -+ unsigned char *okm, size_t okm_len); -+static int HKDF_Extract(const EVP_MD *evp_md, -+ const unsigned char *salt, size_t salt_len, -+ const unsigned char *key, size_t key_len, -+ unsigned char *prk, size_t prk_len); -+static int HKDF_Expand(const EVP_MD *evp_md, -+ const unsigned char *prk, size_t prk_len, -+ const unsigned char *info, size_t info_len, -+ unsigned char *okm, size_t okm_len); - --typedef struct { -+struct evp_kdf_impl_st { - int mode; - const EVP_MD *md; - unsigned char *salt; -@@ -42,230 +43,208 @@ typedef struct { - size_t key_len; - unsigned char info[HKDF_MAXBUF]; - size_t info_len; --} HKDF_PKEY_CTX; -+}; - --static int pkey_hkdf_init(EVP_PKEY_CTX *ctx) -+static EVP_KDF_IMPL *kdf_hkdf_new(void) - { -- HKDF_PKEY_CTX *kctx; -- -- if ((kctx = 
OPENSSL_zalloc(sizeof(*kctx))) == NULL) { -- KDFerr(KDF_F_PKEY_HKDF_INIT, ERR_R_MALLOC_FAILURE); -- return 0; -- } -+ EVP_KDF_IMPL *impl; - -- ctx->data = kctx; -+ if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL) -+ KDFerr(KDF_F_KDF_HKDF_NEW, ERR_R_MALLOC_FAILURE); -+ return impl; -+} - -- return 1; -+static void kdf_hkdf_free(EVP_KDF_IMPL *impl) -+{ -+ kdf_hkdf_reset(impl); -+ OPENSSL_free(impl); - } - --static void pkey_hkdf_cleanup(EVP_PKEY_CTX *ctx) -+static void kdf_hkdf_reset(EVP_KDF_IMPL *impl) - { -- HKDF_PKEY_CTX *kctx = ctx->data; -- OPENSSL_clear_free(kctx->salt, kctx->salt_len); -- OPENSSL_clear_free(kctx->key, kctx->key_len); -- OPENSSL_cleanse(kctx->info, kctx->info_len); -- OPENSSL_free(kctx); -+ OPENSSL_free(impl->salt); -+ OPENSSL_clear_free(impl->key, impl->key_len); -+ OPENSSL_cleanse(impl->info, impl->info_len); -+ memset(impl, 0, sizeof(*impl)); - } - --static int pkey_hkdf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) -+static int kdf_hkdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) - { -- HKDF_PKEY_CTX *kctx = ctx->data; -+ const unsigned char *p; -+ size_t len; -+ const EVP_MD *md; - -- switch (type) { -- case EVP_PKEY_CTRL_HKDF_MD: -- if (p2 == NULL) -+ switch (cmd) { -+ case EVP_KDF_CTRL_SET_MD: -+ md = va_arg(args, const EVP_MD *); -+ if (md == NULL) - return 0; - -- kctx->md = p2; -+ impl->md = md; - return 1; - -- case EVP_PKEY_CTRL_HKDF_MODE: -- kctx->mode = p1; -+ case EVP_KDF_CTRL_SET_HKDF_MODE: -+ impl->mode = va_arg(args, int); - return 1; - -- case EVP_PKEY_CTRL_HKDF_SALT: -- if (p1 == 0 || p2 == NULL) -+ case EVP_KDF_CTRL_SET_SALT: -+ p = va_arg(args, const unsigned char *); -+ len = va_arg(args, size_t); -+ if (len == 0 || p == NULL) - return 1; - -- if (p1 < 0) -+ OPENSSL_free(impl->salt); -+ impl->salt = OPENSSL_memdup(p, len); -+ if (impl->salt == NULL) - return 0; - -- if (kctx->salt != NULL) -- OPENSSL_clear_free(kctx->salt, kctx->salt_len); -- -- kctx->salt = OPENSSL_memdup(p2, p1); -- if (kctx->salt == NULL) 
-- return 0; -- -- kctx->salt_len = p1; -+ impl->salt_len = len; - return 1; - -- case EVP_PKEY_CTRL_HKDF_KEY: -- if (p1 < 0) -+ case EVP_KDF_CTRL_SET_KEY: -+ p = va_arg(args, const unsigned char *); -+ len = va_arg(args, size_t); -+ OPENSSL_clear_free(impl->key, impl->key_len); -+ impl->key = OPENSSL_memdup(p, len); -+ if (impl->key == NULL) - return 0; - -- if (kctx->key != NULL) -- OPENSSL_clear_free(kctx->key, kctx->key_len); -- -- kctx->key = OPENSSL_memdup(p2, p1); -- if (kctx->key == NULL) -- return 0; -+ impl->key_len = len; -+ return 1; - -- kctx->key_len = p1; -+ case EVP_KDF_CTRL_RESET_HKDF_INFO: -+ OPENSSL_cleanse(impl->info, impl->info_len); -+ impl->info_len = 0; - return 1; - -- case EVP_PKEY_CTRL_HKDF_INFO: -- if (p1 == 0 || p2 == NULL) -+ case EVP_KDF_CTRL_ADD_HKDF_INFO: -+ p = va_arg(args, const unsigned char *); -+ len = va_arg(args, size_t); -+ if (len == 0 || p == NULL) - return 1; - -- if (p1 < 0 || p1 > (int)(HKDF_MAXBUF - kctx->info_len)) -+ if (len > (HKDF_MAXBUF - impl->info_len)) - return 0; - -- memcpy(kctx->info + kctx->info_len, p2, p1); -- kctx->info_len += p1; -+ memcpy(impl->info + impl->info_len, p, len); -+ impl->info_len += len; - return 1; - - default: - return -2; -- - } - } - --static int pkey_hkdf_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, -- const char *value) -+static int kdf_hkdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type, -+ const char *value) - { - if (strcmp(type, "mode") == 0) { - int mode; - - if (strcmp(value, "EXTRACT_AND_EXPAND") == 0) -- mode = EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND; -+ mode = EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND; - else if (strcmp(value, "EXTRACT_ONLY") == 0) -- mode = EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY; -+ mode = EVP_KDF_HKDF_MODE_EXTRACT_ONLY; - else if (strcmp(value, "EXPAND_ONLY") == 0) -- mode = EVP_PKEY_HKDEF_MODE_EXPAND_ONLY; -+ mode = EVP_KDF_HKDF_MODE_EXPAND_ONLY; - else - return 0; - -- return EVP_PKEY_CTX_hkdf_mode(ctx, mode); -+ return call_ctrl(kdf_hkdf_ctrl, impl, 
EVP_KDF_CTRL_SET_HKDF_MODE, mode); - } - -- if (strcmp(type, "md") == 0) -- return EVP_PKEY_CTX_md(ctx, EVP_PKEY_OP_DERIVE, -- EVP_PKEY_CTRL_HKDF_MD, value); -+ if (strcmp(type, "digest") == 0) -+ return kdf_md2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); - - if (strcmp(type, "salt") == 0) -- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value); -+ return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value); - - if (strcmp(type, "hexsalt") == 0) -- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_SALT, value); -+ return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_SALT, value); - - if (strcmp(type, "key") == 0) -- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value); -+ return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value); - - if (strcmp(type, "hexkey") == 0) -- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_KEY, value); -+ return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_SET_KEY, value); - - if (strcmp(type, "info") == 0) -- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value); -+ return kdf_str2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO, -+ value); - - if (strcmp(type, "hexinfo") == 0) -- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_HKDF_INFO, value); -+ return kdf_hex2ctrl(impl, kdf_hkdf_ctrl, EVP_KDF_CTRL_ADD_HKDF_INFO, -+ value); - -- KDFerr(KDF_F_PKEY_HKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); - return -2; - } - --static int pkey_hkdf_derive_init(EVP_PKEY_CTX *ctx) -+static size_t kdf_hkdf_size(EVP_KDF_IMPL *impl) - { -- HKDF_PKEY_CTX *kctx = ctx->data; -+ if (impl->mode != EVP_KDF_HKDF_MODE_EXTRACT_ONLY) -+ return SIZE_MAX; - -- OPENSSL_clear_free(kctx->key, kctx->key_len); -- OPENSSL_clear_free(kctx->salt, kctx->salt_len); -- OPENSSL_cleanse(kctx->info, kctx->info_len); -- memset(kctx, 0, sizeof(*kctx)); -- -- return 1; -+ if (impl->md == NULL) { -+ KDFerr(KDF_F_KDF_HKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST); -+ return 0; -+ } -+ return 
EVP_MD_size(impl->md); - } - --static int pkey_hkdf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, -- size_t *keylen) -+static int kdf_hkdf_derive(EVP_KDF_IMPL *impl, unsigned char *key, -+ size_t keylen) - { -- HKDF_PKEY_CTX *kctx = ctx->data; -- -- if (kctx->md == NULL) { -- KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); -+ if (impl->md == NULL) { -+ KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); - return 0; - } -- if (kctx->key == NULL) { -- KDFerr(KDF_F_PKEY_HKDF_DERIVE, KDF_R_MISSING_KEY); -+ if (impl->key == NULL) { -+ KDFerr(KDF_F_KDF_HKDF_DERIVE, KDF_R_MISSING_KEY); - return 0; - } - -- switch (kctx->mode) { -- case EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND: -- return HKDF(kctx->md, kctx->salt, kctx->salt_len, kctx->key, -- kctx->key_len, kctx->info, kctx->info_len, key, -- *keylen) != NULL; -- -- case EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY: -- if (key == NULL) { -- *keylen = EVP_MD_size(kctx->md); -- return 1; -- } -- return HKDF_Extract(kctx->md, kctx->salt, kctx->salt_len, kctx->key, -- kctx->key_len, key, keylen) != NULL; -- -- case EVP_PKEY_HKDEF_MODE_EXPAND_ONLY: -- return HKDF_Expand(kctx->md, kctx->key, kctx->key_len, kctx->info, -- kctx->info_len, key, *keylen) != NULL; -+ switch (impl->mode) { -+ case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: -+ return HKDF(impl->md, impl->salt, impl->salt_len, impl->key, -+ impl->key_len, impl->info, impl->info_len, key, -+ keylen); -+ -+ case EVP_KDF_HKDF_MODE_EXTRACT_ONLY: -+ return HKDF_Extract(impl->md, impl->salt, impl->salt_len, impl->key, -+ impl->key_len, key, keylen); -+ -+ case EVP_KDF_HKDF_MODE_EXPAND_ONLY: -+ return HKDF_Expand(impl->md, impl->key, impl->key_len, impl->info, -+ impl->info_len, key, keylen); - - default: - return 0; - } - } - --const EVP_PKEY_METHOD hkdf_pkey_meth = { -- EVP_PKEY_HKDF, -- 0, -- pkey_hkdf_init, -- 0, -- pkey_hkdf_cleanup, -- -- 0, 0, -- 0, 0, -- -- 0, -- 0, -- -- 0, -- 0, -- -- 0, 0, -- -- 0, 0, 0, 0, -- -- 0, 0, -- -- 0, 0, -- -- pkey_hkdf_derive_init, 
-- pkey_hkdf_derive, -- pkey_hkdf_ctrl, -- pkey_hkdf_ctrl_str -+const EVP_KDF_METHOD hkdf_kdf_meth = { -+ EVP_KDF_HKDF, -+ kdf_hkdf_new, -+ kdf_hkdf_free, -+ kdf_hkdf_reset, -+ kdf_hkdf_ctrl, -+ kdf_hkdf_ctrl_str, -+ kdf_hkdf_size, -+ kdf_hkdf_derive - }; - --static unsigned char *HKDF(const EVP_MD *evp_md, -- const unsigned char *salt, size_t salt_len, -- const unsigned char *key, size_t key_len, -- const unsigned char *info, size_t info_len, -- unsigned char *okm, size_t okm_len) -+static int HKDF(const EVP_MD *evp_md, -+ const unsigned char *salt, size_t salt_len, -+ const unsigned char *key, size_t key_len, -+ const unsigned char *info, size_t info_len, -+ unsigned char *okm, size_t okm_len) - { - unsigned char prk[EVP_MAX_MD_SIZE]; -- unsigned char *ret; -- size_t prk_len; -+ int ret; -+ size_t prk_len = EVP_MD_size(evp_md); - -- if (!HKDF_Extract(evp_md, salt, salt_len, key, key_len, prk, &prk_len)) -- return NULL; -+ if (!HKDF_Extract(evp_md, salt, salt_len, key, key_len, prk, prk_len)) -+ return 0; - - ret = HKDF_Expand(evp_md, prk, prk_len, info, info_len, okm, okm_len); - OPENSSL_cleanse(prk, sizeof(prk)); -@@ -273,43 +252,38 @@ static unsigned char *HKDF(const EVP_MD - return ret; - } - --static unsigned char *HKDF_Extract(const EVP_MD *evp_md, -- const unsigned char *salt, size_t salt_len, -- const unsigned char *key, size_t key_len, -- unsigned char *prk, size_t *prk_len) -+static int HKDF_Extract(const EVP_MD *evp_md, -+ const unsigned char *salt, size_t salt_len, -+ const unsigned char *key, size_t key_len, -+ unsigned char *prk, size_t prk_len) - { -- unsigned int tmp_len; -- -- if (!HMAC(evp_md, salt, salt_len, key, key_len, prk, &tmp_len)) -- return NULL; -- -- *prk_len = tmp_len; -- return prk; -+ if (prk_len != (size_t)EVP_MD_size(evp_md)) { -+ KDFerr(KDF_F_HKDF_EXTRACT, KDF_R_WRONG_OUTPUT_BUFFER_SIZE); -+ return 0; -+ } -+ return HMAC(evp_md, salt, salt_len, key, key_len, prk, NULL) != NULL; - } - --static unsigned char *HKDF_Expand(const 
EVP_MD *evp_md, -- const unsigned char *prk, size_t prk_len, -- const unsigned char *info, size_t info_len, -- unsigned char *okm, size_t okm_len) -+static int HKDF_Expand(const EVP_MD *evp_md, -+ const unsigned char *prk, size_t prk_len, -+ const unsigned char *info, size_t info_len, -+ unsigned char *okm, size_t okm_len) - { - HMAC_CTX *hmac; -- unsigned char *ret = NULL; -- -+ int ret = 0; - unsigned int i; -- - unsigned char prev[EVP_MAX_MD_SIZE]; -- - size_t done_len = 0, dig_len = EVP_MD_size(evp_md); -- - size_t n = okm_len / dig_len; -+ - if (okm_len % dig_len) - n++; - - if (n > 255 || okm == NULL) -- return NULL; -+ return 0; - - if ((hmac = HMAC_CTX_new()) == NULL) -- return NULL; -+ return 0; - - if (!HMAC_Init_ex(hmac, prk, prk_len, evp_md, NULL)) - goto err; -@@ -343,7 +317,7 @@ static unsigned char *HKDF_Expand(const - - done_len += copy_len; - } -- ret = okm; -+ ret = 1; - - err: - OPENSSL_cleanse(prev, sizeof(prev)); -diff -up openssl-1.1.1j/crypto/kdf/kdf_err.c.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_err.c ---- openssl-1.1.1j/crypto/kdf/kdf_err.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/kdf/kdf_err.c 2021-03-03 14:08:02.492294856 +0100 -@@ -1,6 +1,6 @@ - /* - * Generated by util/mkerr.pl DO NOT EDIT -- * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. - * - * Licensed under the OpenSSL license (the "License"). You may not use - * this file except in compliance with the License. 
You can obtain a copy -@@ -14,6 +14,29 @@ - #ifndef OPENSSL_NO_ERR - - static const ERR_STRING_DATA KDF_str_functs[] = { -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_HKDF_EXTRACT, 0), "HKDF_Extract"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_DERIVE, 0), "kdf_hkdf_derive"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_NEW, 0), "kdf_hkdf_new"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_SIZE, 0), "kdf_hkdf_size"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_MD2CTRL, 0), "kdf_md2ctrl"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_CTRL_STR, 0), -+ "kdf_pbkdf2_ctrl_str"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_DERIVE, 0), "kdf_pbkdf2_derive"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_PBKDF2_NEW, 0), "kdf_pbkdf2_new"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_STR, 0), -+ "kdf_scrypt_ctrl_str"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_UINT32, 0), -+ "kdf_scrypt_ctrl_uint32"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_CTRL_UINT64, 0), -+ "kdf_scrypt_ctrl_uint64"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_DERIVE, 0), "kdf_scrypt_derive"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_SCRYPT_NEW, 0), "kdf_scrypt_new"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_CTRL_STR, 0), -+ "kdf_tls1_prf_ctrl_str"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_DERIVE, 0), -+ "kdf_tls1_prf_derive"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_NEW, 0), "kdf_tls1_prf_new"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_PBKDF2_SET_MEMBUF, 0), "pbkdf2_set_membuf"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_CTRL_STR, 0), "pkey_hkdf_ctrl_str"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_DERIVE, 0), "pkey_hkdf_derive"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_INIT, 0), "pkey_hkdf_init"}, -@@ -30,6 +53,7 @@ static const ERR_STRING_DATA KDF_str_fun - {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_DERIVE, 0), - "pkey_tls1_prf_derive"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_INIT, 0), "pkey_tls1_prf_init"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_SCRYPT_SET_MEMBUF, 0), "scrypt_set_membuf"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_TLS1_PRF_ALG, 0), 
"tls1_prf_alg"}, - {0, NULL} - }; -@@ -50,6 +74,8 @@ static const ERR_STRING_DATA KDF_str_rea - "unknown parameter type"}, - {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_ERROR), "value error"}, - {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_MISSING), "value missing"}, -+ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_OUTPUT_BUFFER_SIZE), -+ "wrong output buffer size"}, - {0, NULL} - }; - -diff -up openssl-1.1.1j/crypto/kdf/kdf_local.h.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_local.h ---- openssl-1.1.1j/crypto/kdf/kdf_local.h.evp-kdf 2021-03-03 14:08:02.492294856 +0100 -+++ openssl-1.1.1j/crypto/kdf/kdf_local.h 2021-03-03 14:08:02.492294856 +0100 -@@ -0,0 +1,22 @@ -+/* -+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+int call_ctrl(int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), -+ EVP_KDF_IMPL *impl, int cmd, ...); -+int kdf_str2ctrl(EVP_KDF_IMPL *impl, -+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), -+ int cmd, const char *str); -+int kdf_hex2ctrl(EVP_KDF_IMPL *impl, -+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), -+ int cmd, const char *hex); -+int kdf_md2ctrl(EVP_KDF_IMPL *impl, -+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), -+ int cmd, const char *md_name); -+ -diff -up openssl-1.1.1j/crypto/kdf/kdf_util.c.evp-kdf openssl-1.1.1j/crypto/kdf/kdf_util.c ---- openssl-1.1.1j/crypto/kdf/kdf_util.c.evp-kdf 2021-03-03 14:08:02.492294856 +0100 -+++ openssl-1.1.1j/crypto/kdf/kdf_util.c 2021-03-03 14:08:02.492294856 +0100 -@@ -0,0 +1,73 @@ -+/* -+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. 
-+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include -+#include -+#include -+#include -+#include "internal/cryptlib.h" -+#include "crypto/evp.h" -+#include "internal/numbers.h" -+#include "kdf_local.h" -+ -+int call_ctrl(int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), -+ EVP_KDF_IMPL *impl, int cmd, ...) -+{ -+ int ret; -+ va_list args; -+ -+ va_start(args, cmd); -+ ret = ctrl(impl, cmd, args); -+ va_end(args); -+ -+ return ret; -+} -+ -+/* Utility functions to send a string or hex string to a ctrl */ -+ -+int kdf_str2ctrl(EVP_KDF_IMPL *impl, -+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), -+ int cmd, const char *str) -+{ -+ return call_ctrl(ctrl, impl, cmd, (const unsigned char *)str, strlen(str)); -+} -+ -+int kdf_hex2ctrl(EVP_KDF_IMPL *impl, -+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), -+ int cmd, const char *hex) -+{ -+ unsigned char *bin; -+ long binlen; -+ int ret = -1; -+ -+ bin = OPENSSL_hexstr2buf(hex, &binlen); -+ if (bin == NULL) -+ return 0; -+ -+ if (binlen <= INT_MAX) -+ ret = call_ctrl(ctrl, impl, cmd, bin, (size_t)binlen); -+ OPENSSL_free(bin); -+ return ret; -+} -+ -+/* Pass a message digest to a ctrl */ -+int kdf_md2ctrl(EVP_KDF_IMPL *impl, -+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), -+ int cmd, const char *md_name) -+{ -+ const EVP_MD *md; -+ -+ if (md_name == NULL || (md = EVP_get_digestbyname(md_name)) == NULL) { -+ KDFerr(KDF_F_KDF_MD2CTRL, KDF_R_INVALID_DIGEST); -+ return 0; -+ } -+ return call_ctrl(ctrl, impl, cmd, md); -+} -+ -diff -up openssl-1.1.1j/crypto/kdf/pbkdf2.c.evp-kdf openssl-1.1.1j/crypto/kdf/pbkdf2.c ---- openssl-1.1.1j/crypto/kdf/pbkdf2.c.evp-kdf 2021-03-03 14:08:02.492294856 +0100 -+++ openssl-1.1.1j/crypto/kdf/pbkdf2.c 2021-03-03 14:08:02.492294856 
+0100 -@@ -0,0 +1,264 @@ -+/* -+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include "internal/cryptlib.h" -+#include "crypto/evp.h" -+#include "kdf_local.h" -+ -+static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl); -+static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl); -+static int pkcs5_pbkdf2_alg(const char *pass, size_t passlen, -+ const unsigned char *salt, int saltlen, int iter, -+ const EVP_MD *digest, unsigned char *key, -+ size_t keylen); -+ -+struct evp_kdf_impl_st { -+ unsigned char *pass; -+ size_t pass_len; -+ unsigned char *salt; -+ size_t salt_len; -+ int iter; -+ const EVP_MD *md; -+}; -+ -+static EVP_KDF_IMPL *kdf_pbkdf2_new(void) -+{ -+ EVP_KDF_IMPL *impl; -+ -+ impl = OPENSSL_zalloc(sizeof(*impl)); -+ if (impl == NULL) { -+ KDFerr(KDF_F_KDF_PBKDF2_NEW, ERR_R_MALLOC_FAILURE); -+ return NULL; -+ } -+ kdf_pbkdf2_init(impl); -+ return impl; -+} -+ -+static void kdf_pbkdf2_free(EVP_KDF_IMPL *impl) -+{ -+ kdf_pbkdf2_reset(impl); -+ OPENSSL_free(impl); -+} -+ -+static void kdf_pbkdf2_reset(EVP_KDF_IMPL *impl) -+{ -+ OPENSSL_free(impl->salt); -+ OPENSSL_clear_free(impl->pass, impl->pass_len); -+ memset(impl, 0, sizeof(*impl)); -+ kdf_pbkdf2_init(impl); -+} -+ -+static void kdf_pbkdf2_init(EVP_KDF_IMPL *impl) -+{ -+ impl->iter = PKCS5_DEFAULT_ITER; -+ impl->md = EVP_sha1(); -+} -+ -+static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, -+ const unsigned char *new_buffer, -+ size_t new_buflen) -+{ -+ if (new_buffer == NULL) -+ return 1; -+ -+ OPENSSL_clear_free(*buffer, *buflen); -+ -+ if (new_buflen > 0) { -+ *buffer = OPENSSL_memdup(new_buffer, new_buflen); -+ } else { -+ *buffer = 
OPENSSL_malloc(1); -+ } -+ if (*buffer == NULL) { -+ KDFerr(KDF_F_PBKDF2_SET_MEMBUF, ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ -+ *buflen = new_buflen; -+ return 1; -+} -+ -+static int kdf_pbkdf2_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) -+{ -+ int iter; -+ const unsigned char *p; -+ size_t len; -+ const EVP_MD *md; -+ -+ switch (cmd) { -+ case EVP_KDF_CTRL_SET_PASS: -+ p = va_arg(args, const unsigned char *); -+ len = va_arg(args, size_t); -+ return pbkdf2_set_membuf(&impl->pass, &impl->pass_len, p, len); -+ -+ case EVP_KDF_CTRL_SET_SALT: -+ p = va_arg(args, const unsigned char *); -+ len = va_arg(args, size_t); -+ return pbkdf2_set_membuf(&impl->salt, &impl->salt_len, p, len); -+ -+ case EVP_KDF_CTRL_SET_ITER: -+ iter = va_arg(args, int); -+ if (iter < 1) -+ return 0; -+ -+ impl->iter = iter; -+ return 1; -+ -+ case EVP_KDF_CTRL_SET_MD: -+ md = va_arg(args, const EVP_MD *); -+ if (md == NULL) -+ return 0; -+ -+ impl->md = md; -+ return 1; -+ -+ default: -+ return -2; -+ } -+} -+ -+static int kdf_pbkdf2_ctrl_str(EVP_KDF_IMPL *impl, const char *type, -+ const char *value) -+{ -+ if (value == NULL) { -+ KDFerr(KDF_F_KDF_PBKDF2_CTRL_STR, KDF_R_VALUE_MISSING); -+ return 0; -+ } -+ -+ if (strcmp(type, "pass") == 0) -+ return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS, -+ value); -+ -+ if (strcmp(type, "hexpass") == 0) -+ return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_PASS, -+ value); -+ -+ if (strcmp(type, "salt") == 0) -+ return kdf_str2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT, -+ value); -+ -+ if (strcmp(type, "hexsalt") == 0) -+ return kdf_hex2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_SALT, -+ value); -+ -+ if (strcmp(type, "iter") == 0) -+ return call_ctrl(kdf_pbkdf2_ctrl, impl, EVP_KDF_CTRL_SET_ITER, -+ atoi(value)); -+ -+ if (strcmp(type, "digest") == 0) -+ return kdf_md2ctrl(impl, kdf_pbkdf2_ctrl, EVP_KDF_CTRL_SET_MD, value); -+ -+ return -2; -+} -+ -+static int kdf_pbkdf2_derive(EVP_KDF_IMPL *impl, unsigned char 
*key, -+ size_t keylen) -+{ -+ if (impl->pass == NULL) { -+ KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_PASS); -+ return 0; -+ } -+ -+ if (impl->salt == NULL) { -+ KDFerr(KDF_F_KDF_PBKDF2_DERIVE, KDF_R_MISSING_SALT); -+ return 0; -+ } -+ -+ return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len, -+ impl->salt, impl->salt_len, impl->iter, -+ impl->md, key, keylen); -+} -+ -+const EVP_KDF_METHOD pbkdf2_kdf_meth = { -+ EVP_KDF_PBKDF2, -+ kdf_pbkdf2_new, -+ kdf_pbkdf2_free, -+ kdf_pbkdf2_reset, -+ kdf_pbkdf2_ctrl, -+ kdf_pbkdf2_ctrl_str, -+ NULL, -+ kdf_pbkdf2_derive -+}; -+ -+/* -+ * This is an implementation of PKCS#5 v2.0 password based encryption key -+ * derivation function PBKDF2. SHA1 version verified against test vectors -+ * posted by Peter Gutmann to the PKCS-TNG mailing list. -+ */ -+ -+static int pkcs5_pbkdf2_alg(const char *pass, size_t passlen, -+ const unsigned char *salt, int saltlen, int iter, -+ const EVP_MD *digest, unsigned char *key, -+ size_t keylen) -+{ -+ int ret = 0; -+ unsigned char digtmp[EVP_MAX_MD_SIZE], *p, itmp[4]; -+ int cplen, j, k, tkeylen, mdlen; -+ unsigned long i = 1; -+ HMAC_CTX *hctx_tpl = NULL, *hctx = NULL; -+ -+ mdlen = EVP_MD_size(digest); -+ if (mdlen < 0) -+ return 0; -+ -+ hctx_tpl = HMAC_CTX_new(); -+ if (hctx_tpl == NULL) -+ return 0; -+ p = key; -+ tkeylen = keylen; -+ if (!HMAC_Init_ex(hctx_tpl, pass, passlen, digest, NULL)) -+ goto err; -+ hctx = HMAC_CTX_new(); -+ if (hctx == NULL) -+ goto err; -+ while (tkeylen) { -+ if (tkeylen > mdlen) -+ cplen = mdlen; -+ else -+ cplen = tkeylen; -+ /* -+ * We are unlikely to ever use more than 256 blocks (5120 bits!) but -+ * just in case... 
-+ */ -+ itmp[0] = (unsigned char)((i >> 24) & 0xff); -+ itmp[1] = (unsigned char)((i >> 16) & 0xff); -+ itmp[2] = (unsigned char)((i >> 8) & 0xff); -+ itmp[3] = (unsigned char)(i & 0xff); -+ if (!HMAC_CTX_copy(hctx, hctx_tpl)) -+ goto err; -+ if (!HMAC_Update(hctx, salt, saltlen) -+ || !HMAC_Update(hctx, itmp, 4) -+ || !HMAC_Final(hctx, digtmp, NULL)) -+ goto err; -+ memcpy(p, digtmp, cplen); -+ for (j = 1; j < iter; j++) { -+ if (!HMAC_CTX_copy(hctx, hctx_tpl)) -+ goto err; -+ if (!HMAC_Update(hctx, digtmp, mdlen) -+ || !HMAC_Final(hctx, digtmp, NULL)) -+ goto err; -+ for (k = 0; k < cplen; k++) -+ p[k] ^= digtmp[k]; -+ } -+ tkeylen -= cplen; -+ i++; -+ p += cplen; -+ } -+ ret = 1; -+ -+err: -+ HMAC_CTX_free(hctx); -+ HMAC_CTX_free(hctx_tpl); -+ return ret; -+} -diff -up openssl-1.1.1j/crypto/kdf/scrypt.c.evp-kdf openssl-1.1.1j/crypto/kdf/scrypt.c ---- openssl-1.1.1j/crypto/kdf/scrypt.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/kdf/scrypt.c 2021-03-03 14:08:02.492294856 +0100 -@@ -8,25 +8,35 @@ - */ - - #include -+#include - #include - #include - #include - #include --#include "internal/cryptlib.h" -+#include - #include "crypto/evp.h" -+#include "internal/numbers.h" -+#include "kdf_local.h" - - #ifndef OPENSSL_NO_SCRYPT - -+static void kdf_scrypt_reset(EVP_KDF_IMPL *impl); -+static void kdf_scrypt_init(EVP_KDF_IMPL *impl); - static int atou64(const char *nptr, uint64_t *result); -+static int scrypt_alg(const char *pass, size_t passlen, -+ const unsigned char *salt, size_t saltlen, -+ uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, -+ unsigned char *key, size_t keylen); - --typedef struct { -+struct evp_kdf_impl_st { - unsigned char *pass; - size_t pass_len; - unsigned char *salt; - size_t salt_len; -- uint64_t N, r, p; -+ uint64_t N; -+ uint32_t r, p; - uint64_t maxmem_bytes; --} SCRYPT_PKEY_CTX; -+}; - - /* Custom uint64_t parser since we do not have strtoull */ - static int atou64(const char *nptr, uint64_t *result) -@@ -53,51 
+63,53 @@ static int atou64(const char *nptr, uint - return 1; - } - --static int pkey_scrypt_init(EVP_PKEY_CTX *ctx) -+static EVP_KDF_IMPL *kdf_scrypt_new(void) - { -- SCRYPT_PKEY_CTX *kctx; -+ EVP_KDF_IMPL *impl; - -- kctx = OPENSSL_zalloc(sizeof(*kctx)); -- if (kctx == NULL) { -- KDFerr(KDF_F_PKEY_SCRYPT_INIT, ERR_R_MALLOC_FAILURE); -- return 0; -+ impl = OPENSSL_zalloc(sizeof(*impl)); -+ if (impl == NULL) { -+ KDFerr(KDF_F_KDF_SCRYPT_NEW, ERR_R_MALLOC_FAILURE); -+ return NULL; - } -+ kdf_scrypt_init(impl); -+ return impl; -+} - -- /* Default values are the most conservative recommendation given in the -- * original paper of C. Percival. Derivation uses roughly 1 GiB of memory -- * for this parameter choice (approx. 128 * r * (N + p) bytes). -- */ -- kctx->N = 1 << 20; -- kctx->r = 8; -- kctx->p = 1; -- kctx->maxmem_bytes = 1025 * 1024 * 1024; -- -- ctx->data = kctx; -- -- return 1; -+static void kdf_scrypt_free(EVP_KDF_IMPL *impl) -+{ -+ kdf_scrypt_reset(impl); -+ OPENSSL_free(impl); - } - --static void pkey_scrypt_cleanup(EVP_PKEY_CTX *ctx) -+static void kdf_scrypt_reset(EVP_KDF_IMPL *impl) - { -- SCRYPT_PKEY_CTX *kctx = ctx->data; -+ OPENSSL_free(impl->salt); -+ OPENSSL_clear_free(impl->pass, impl->pass_len); -+ memset(impl, 0, sizeof(*impl)); -+ kdf_scrypt_init(impl); -+} - -- OPENSSL_clear_free(kctx->salt, kctx->salt_len); -- OPENSSL_clear_free(kctx->pass, kctx->pass_len); -- OPENSSL_free(kctx); -+static void kdf_scrypt_init(EVP_KDF_IMPL *impl) -+{ -+ /* Default values are the most conservative recommendation given in the -+ * original paper of C. Percival. Derivation uses roughly 1 GiB of memory -+ * for this parameter choice (approx. 128 * r * N * p bytes). 
-+ */ -+ impl->N = 1 << 20; -+ impl->r = 8; -+ impl->p = 1; -+ impl->maxmem_bytes = 1025 * 1024 * 1024; - } - --static int pkey_scrypt_set_membuf(unsigned char **buffer, size_t *buflen, -- const unsigned char *new_buffer, -- const int new_buflen) -+static int scrypt_set_membuf(unsigned char **buffer, size_t *buflen, -+ const unsigned char *new_buffer, -+ size_t new_buflen) - { - if (new_buffer == NULL) - return 1; - -- if (new_buflen < 0) -- return 0; -- -- if (*buffer != NULL) -- OPENSSL_clear_free(*buffer, *buflen); -+ OPENSSL_clear_free(*buffer, *buflen); - - if (new_buflen > 0) { - *buffer = OPENSSL_memdup(new_buffer, new_buflen); -@@ -105,7 +117,7 @@ static int pkey_scrypt_set_membuf(unsign - *buffer = OPENSSL_malloc(1); - } - if (*buffer == NULL) { -- KDFerr(KDF_F_PKEY_SCRYPT_SET_MEMBUF, ERR_R_MALLOC_FAILURE); -+ KDFerr(KDF_F_SCRYPT_SET_MEMBUF, ERR_R_MALLOC_FAILURE); - return 0; - } - -@@ -118,149 +130,378 @@ static int is_power_of_two(uint64_t valu - return (value != 0) && ((value & (value - 1)) == 0); - } - --static int pkey_scrypt_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) -+static int kdf_scrypt_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) - { -- SCRYPT_PKEY_CTX *kctx = ctx->data; - uint64_t u64_value; -+ uint32_t value; -+ const unsigned char *p; -+ size_t len; -+ -+ switch (cmd) { -+ case EVP_KDF_CTRL_SET_PASS: -+ p = va_arg(args, const unsigned char *); -+ len = va_arg(args, size_t); -+ return scrypt_set_membuf(&impl->pass, &impl->pass_len, p, len); -+ -+ case EVP_KDF_CTRL_SET_SALT: -+ p = va_arg(args, const unsigned char *); -+ len = va_arg(args, size_t); -+ return scrypt_set_membuf(&impl->salt, &impl->salt_len, p, len); - -- switch (type) { -- case EVP_PKEY_CTRL_PASS: -- return pkey_scrypt_set_membuf(&kctx->pass, &kctx->pass_len, p2, p1); -- -- case EVP_PKEY_CTRL_SCRYPT_SALT: -- return pkey_scrypt_set_membuf(&kctx->salt, &kctx->salt_len, p2, p1); -- -- case EVP_PKEY_CTRL_SCRYPT_N: -- u64_value = *((uint64_t *)p2); -+ case 
EVP_KDF_CTRL_SET_SCRYPT_N: -+ u64_value = va_arg(args, uint64_t); - if ((u64_value <= 1) || !is_power_of_two(u64_value)) - return 0; -- kctx->N = u64_value; -+ -+ impl->N = u64_value; - return 1; - -- case EVP_PKEY_CTRL_SCRYPT_R: -- u64_value = *((uint64_t *)p2); -- if (u64_value < 1) -+ case EVP_KDF_CTRL_SET_SCRYPT_R: -+ value = va_arg(args, uint32_t); -+ if (value < 1) - return 0; -- kctx->r = u64_value; -+ -+ impl->r = value; - return 1; - -- case EVP_PKEY_CTRL_SCRYPT_P: -- u64_value = *((uint64_t *)p2); -- if (u64_value < 1) -+ case EVP_KDF_CTRL_SET_SCRYPT_P: -+ value = va_arg(args, uint32_t); -+ if (value < 1) - return 0; -- kctx->p = u64_value; -+ -+ impl->p = value; - return 1; - -- case EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES: -- u64_value = *((uint64_t *)p2); -+ case EVP_KDF_CTRL_SET_MAXMEM_BYTES: -+ u64_value = va_arg(args, uint64_t); - if (u64_value < 1) - return 0; -- kctx->maxmem_bytes = u64_value; -+ -+ impl->maxmem_bytes = u64_value; - return 1; - - default: - return -2; -+ } -+} - -+static int kdf_scrypt_ctrl_uint32(EVP_KDF_IMPL *impl, int cmd, -+ const char *value) -+{ -+ int int_value = atoi(value); -+ -+ if (int_value < 0 || (uint64_t)int_value > UINT32_MAX) { -+ KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT32, KDF_R_VALUE_ERROR); -+ return 0; - } -+ return call_ctrl(kdf_scrypt_ctrl, impl, cmd, (uint32_t)int_value); - } - --static int pkey_scrypt_ctrl_uint64(EVP_PKEY_CTX *ctx, int type, -- const char *value) -+static int kdf_scrypt_ctrl_uint64(EVP_KDF_IMPL *impl, int cmd, -+ const char *value) - { -- uint64_t int_value; -+ uint64_t u64_value; - -- if (!atou64(value, &int_value)) { -- KDFerr(KDF_F_PKEY_SCRYPT_CTRL_UINT64, KDF_R_VALUE_ERROR); -+ if (!atou64(value, &u64_value)) { -+ KDFerr(KDF_F_KDF_SCRYPT_CTRL_UINT64, KDF_R_VALUE_ERROR); - return 0; - } -- return pkey_scrypt_ctrl(ctx, type, 0, &int_value); -+ return call_ctrl(kdf_scrypt_ctrl, impl, cmd, u64_value); - } - --static int pkey_scrypt_ctrl_str(EVP_PKEY_CTX *ctx, const char *type, -- const char *value) 
-+static int kdf_scrypt_ctrl_str(EVP_KDF_IMPL *impl, const char *type, -+ const char *value) - { - if (value == NULL) { -- KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR, KDF_R_VALUE_MISSING); -+ KDFerr(KDF_F_KDF_SCRYPT_CTRL_STR, KDF_R_VALUE_MISSING); - return 0; - } - - if (strcmp(type, "pass") == 0) -- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_PASS, value); -+ return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS, -+ value); - - if (strcmp(type, "hexpass") == 0) -- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_PASS, value); -+ return kdf_hex2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_PASS, -+ value); - - if (strcmp(type, "salt") == 0) -- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_SCRYPT_SALT, value); -+ return kdf_str2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_SALT, -+ value); - - if (strcmp(type, "hexsalt") == 0) -- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_SCRYPT_SALT, value); -+ return kdf_hex2ctrl(impl, kdf_scrypt_ctrl, EVP_KDF_CTRL_SET_SALT, -+ value); - - if (strcmp(type, "N") == 0) -- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_N, value); -+ return kdf_scrypt_ctrl_uint64(impl, EVP_KDF_CTRL_SET_SCRYPT_N, value); - - if (strcmp(type, "r") == 0) -- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_R, value); -+ return kdf_scrypt_ctrl_uint32(impl, EVP_KDF_CTRL_SET_SCRYPT_R, value); - - if (strcmp(type, "p") == 0) -- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_P, value); -+ return kdf_scrypt_ctrl_uint32(impl, EVP_KDF_CTRL_SET_SCRYPT_P, value); - - if (strcmp(type, "maxmem_bytes") == 0) -- return pkey_scrypt_ctrl_uint64(ctx, EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES, -- value); -+ return kdf_scrypt_ctrl_uint64(impl, EVP_KDF_CTRL_SET_MAXMEM_BYTES, -+ value); - -- KDFerr(KDF_F_PKEY_SCRYPT_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); - return -2; - } - --static int pkey_scrypt_derive(EVP_PKEY_CTX *ctx, unsigned char *key, -- size_t *keylen) -+static int kdf_scrypt_derive(EVP_KDF_IMPL *impl, unsigned char *key, -+ size_t 
keylen) - { -- SCRYPT_PKEY_CTX *kctx = ctx->data; -- -- if (kctx->pass == NULL) { -- KDFerr(KDF_F_PKEY_SCRYPT_DERIVE, KDF_R_MISSING_PASS); -+ if (impl->pass == NULL) { -+ KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSING_PASS); - return 0; - } - -- if (kctx->salt == NULL) { -- KDFerr(KDF_F_PKEY_SCRYPT_DERIVE, KDF_R_MISSING_SALT); -+ if (impl->salt == NULL) { -+ KDFerr(KDF_F_KDF_SCRYPT_DERIVE, KDF_R_MISSING_SALT); - return 0; - } - -- return EVP_PBE_scrypt((char *)kctx->pass, kctx->pass_len, kctx->salt, -- kctx->salt_len, kctx->N, kctx->r, kctx->p, -- kctx->maxmem_bytes, key, *keylen); -+ return scrypt_alg((char *)impl->pass, impl->pass_len, impl->salt, -+ impl->salt_len, impl->N, impl->r, impl->p, -+ impl->maxmem_bytes, key, keylen); - } - --const EVP_PKEY_METHOD scrypt_pkey_meth = { -- EVP_PKEY_SCRYPT, -- 0, -- pkey_scrypt_init, -- 0, -- pkey_scrypt_cleanup, -+const EVP_KDF_METHOD scrypt_kdf_meth = { -+ EVP_KDF_SCRYPT, -+ kdf_scrypt_new, -+ kdf_scrypt_free, -+ kdf_scrypt_reset, -+ kdf_scrypt_ctrl, -+ kdf_scrypt_ctrl_str, -+ NULL, -+ kdf_scrypt_derive -+}; - -- 0, 0, -- 0, 0, -+#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) -+static void salsa208_word_specification(uint32_t inout[16]) -+{ -+ int i; -+ uint32_t x[16]; - -- 0, -- 0, -+ memcpy(x, inout, sizeof(x)); -+ for (i = 8; i > 0; i -= 2) { -+ x[4] ^= R(x[0] + x[12], 7); -+ x[8] ^= R(x[4] + x[0], 9); -+ x[12] ^= R(x[8] + x[4], 13); -+ x[0] ^= R(x[12] + x[8], 18); -+ x[9] ^= R(x[5] + x[1], 7); -+ x[13] ^= R(x[9] + x[5], 9); -+ x[1] ^= R(x[13] + x[9], 13); -+ x[5] ^= R(x[1] + x[13], 18); -+ x[14] ^= R(x[10] + x[6], 7); -+ x[2] ^= R(x[14] + x[10], 9); -+ x[6] ^= R(x[2] + x[14], 13); -+ x[10] ^= R(x[6] + x[2], 18); -+ x[3] ^= R(x[15] + x[11], 7); -+ x[7] ^= R(x[3] + x[15], 9); -+ x[11] ^= R(x[7] + x[3], 13); -+ x[15] ^= R(x[11] + x[7], 18); -+ x[1] ^= R(x[0] + x[3], 7); -+ x[2] ^= R(x[1] + x[0], 9); -+ x[3] ^= R(x[2] + x[1], 13); -+ x[0] ^= R(x[3] + x[2], 18); -+ x[6] ^= R(x[5] + x[4], 7); -+ x[7] ^= R(x[6] + x[5], 
9); -+ x[4] ^= R(x[7] + x[6], 13); -+ x[5] ^= R(x[4] + x[7], 18); -+ x[11] ^= R(x[10] + x[9], 7); -+ x[8] ^= R(x[11] + x[10], 9); -+ x[9] ^= R(x[8] + x[11], 13); -+ x[10] ^= R(x[9] + x[8], 18); -+ x[12] ^= R(x[15] + x[14], 7); -+ x[13] ^= R(x[12] + x[15], 9); -+ x[14] ^= R(x[13] + x[12], 13); -+ x[15] ^= R(x[14] + x[13], 18); -+ } -+ for (i = 0; i < 16; ++i) -+ inout[i] += x[i]; -+ OPENSSL_cleanse(x, sizeof(x)); -+} - -- 0, -- 0, -+static void scryptBlockMix(uint32_t *B_, uint32_t *B, uint64_t r) -+{ -+ uint64_t i, j; -+ uint32_t X[16], *pB; - -- 0, 0, -+ memcpy(X, B + (r * 2 - 1) * 16, sizeof(X)); -+ pB = B; -+ for (i = 0; i < r * 2; i++) { -+ for (j = 0; j < 16; j++) -+ X[j] ^= *pB++; -+ salsa208_word_specification(X); -+ memcpy(B_ + (i / 2 + (i & 1) * r) * 16, X, sizeof(X)); -+ } -+ OPENSSL_cleanse(X, sizeof(X)); -+} - -- 0, 0, 0, 0, -+static void scryptROMix(unsigned char *B, uint64_t r, uint64_t N, -+ uint32_t *X, uint32_t *T, uint32_t *V) -+{ -+ unsigned char *pB; -+ uint32_t *pV; -+ uint64_t i, k; -+ -+ /* Convert from little endian input */ -+ for (pV = V, i = 0, pB = B; i < 32 * r; i++, pV++) { -+ *pV = *pB++; -+ *pV |= *pB++ << 8; -+ *pV |= *pB++ << 16; -+ *pV |= (uint32_t)*pB++ << 24; -+ } - -- 0, 0, -+ for (i = 1; i < N; i++, pV += 32 * r) -+ scryptBlockMix(pV, pV - 32 * r, r); - -- 0, 0, -+ scryptBlockMix(X, V + (N - 1) * 32 * r, r); - -- 0, -- pkey_scrypt_derive, -- pkey_scrypt_ctrl, -- pkey_scrypt_ctrl_str --}; -+ for (i = 0; i < N; i++) { -+ uint32_t j; -+ j = X[16 * (2 * r - 1)] % N; -+ pV = V + 32 * r * j; -+ for (k = 0; k < 32 * r; k++) -+ T[k] = X[k] ^ *pV++; -+ scryptBlockMix(X, T, r); -+ } -+ /* Convert output to little endian */ -+ for (i = 0, pB = B; i < 32 * r; i++) { -+ uint32_t xtmp = X[i]; -+ *pB++ = xtmp & 0xff; -+ *pB++ = (xtmp >> 8) & 0xff; -+ *pB++ = (xtmp >> 16) & 0xff; -+ *pB++ = (xtmp >> 24) & 0xff; -+ } -+} -+ -+#ifndef SIZE_MAX -+# define SIZE_MAX ((size_t)-1) -+#endif -+ -+/* -+ * Maximum power of two that will fit in uint64_t: 
this should work on -+ * most (all?) platforms. -+ */ -+ -+#define LOG2_UINT64_MAX (sizeof(uint64_t) * 8 - 1) -+ -+/* -+ * Maximum value of p * r: -+ * p <= ((2^32-1) * hLen) / MFLen => -+ * p <= ((2^32-1) * 32) / (128 * r) => -+ * p * r <= (2^30-1) -+ */ -+ -+#define SCRYPT_PR_MAX ((1 << 30) - 1) -+ -+static int scrypt_alg(const char *pass, size_t passlen, -+ const unsigned char *salt, size_t saltlen, -+ uint64_t N, uint64_t r, uint64_t p, uint64_t maxmem, -+ unsigned char *key, size_t keylen) -+{ -+ int rv = 0; -+ unsigned char *B; -+ uint32_t *X, *V, *T; -+ uint64_t i, Blen, Vlen; -+ -+ /* Sanity check parameters */ -+ /* initial check, r,p must be non zero, N >= 2 and a power of 2 */ -+ if (r == 0 || p == 0 || N < 2 || (N & (N - 1))) -+ return 0; -+ /* Check p * r < SCRYPT_PR_MAX avoiding overflow */ -+ if (p > SCRYPT_PR_MAX / r) { -+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); -+ return 0; -+ } -+ -+ /* -+ * Need to check N: if 2^(128 * r / 8) overflows limit this is -+ * automatically satisfied since N <= UINT64_MAX. -+ */ -+ -+ if (16 * r <= LOG2_UINT64_MAX) { -+ if (N >= (((uint64_t)1) << (16 * r))) { -+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); -+ return 0; -+ } -+ } -+ -+ /* Memory checks: check total allocated buffer size fits in uint64_t */ -+ -+ /* -+ * B size in section 5 step 1.S -+ * Note: we know p * 128 * r < UINT64_MAX because we already checked -+ * p * r < SCRYPT_PR_MAX -+ */ -+ Blen = p * 128 * r; -+ /* -+ * Yet we pass it as integer to PKCS5_PBKDF2_HMAC... [This would -+ * have to be revised when/if PKCS5_PBKDF2_HMAC accepts size_t.] 
-+ */ -+ if (Blen > INT_MAX) { -+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); -+ return 0; -+ } -+ -+ /* -+ * Check 32 * r * (N + 2) * sizeof(uint32_t) fits in uint64_t -+ * This is combined size V, X and T (section 4) -+ */ -+ i = UINT64_MAX / (32 * sizeof(uint32_t)); -+ if (N + 2 > i / r) { -+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); -+ return 0; -+ } -+ Vlen = 32 * r * (N + 2) * sizeof(uint32_t); -+ -+ /* check total allocated size fits in uint64_t */ -+ if (Blen > UINT64_MAX - Vlen) { -+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); -+ return 0; -+ } -+ -+ /* Check that the maximum memory doesn't exceed a size_t limits */ -+ if (maxmem > SIZE_MAX) -+ maxmem = SIZE_MAX; -+ -+ if (Blen + Vlen > maxmem) { -+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_MEMORY_LIMIT_EXCEEDED); -+ return 0; -+ } -+ -+ /* If no key return to indicate parameters are OK */ -+ if (key == NULL) -+ return 1; -+ -+ B = OPENSSL_malloc((size_t)(Blen + Vlen)); -+ if (B == NULL) { -+ EVPerr(EVP_F_SCRYPT_ALG, ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ X = (uint32_t *)(B + Blen); -+ T = X + 32 * r; -+ V = T + 32 * r; -+ if (PKCS5_PBKDF2_HMAC(pass, passlen, salt, saltlen, 1, EVP_sha256(), -+ (int)Blen, B) == 0) -+ goto err; -+ -+ for (i = 0; i < p; i++) -+ scryptROMix(B + 128 * r * i, r, N, X, T, V); -+ -+ if (PKCS5_PBKDF2_HMAC(pass, passlen, B, (int)Blen, 1, EVP_sha256(), -+ keylen, key) == 0) -+ goto err; -+ rv = 1; -+ err: -+ if (rv == 0) -+ EVPerr(EVP_F_SCRYPT_ALG, EVP_R_PBKDF2_ERROR); -+ -+ OPENSSL_clear_free(B, (size_t)(Blen + Vlen)); -+ return rv; -+} - - #endif -diff -up openssl-1.1.1j/crypto/kdf/tls1_prf.c.evp-kdf openssl-1.1.1j/crypto/kdf/tls1_prf.c ---- openssl-1.1.1j/crypto/kdf/tls1_prf.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/kdf/tls1_prf.c 2021-03-03 14:08:02.492294856 +0100 -@@ -8,11 +8,15 @@ - */ - - #include -+#include -+#include - #include "internal/cryptlib.h" - #include - #include - #include "crypto/evp.h" -+#include 
"kdf_local.h" - -+static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl); - static int tls1_prf_alg(const EVP_MD *md, - const unsigned char *sec, size_t slen, - const unsigned char *seed, size_t seed_len, -@@ -20,9 +24,9 @@ static int tls1_prf_alg(const EVP_MD *md - - #define TLS1_PRF_MAXBUF 1024 - --/* TLS KDF pkey context structure */ -+/* TLS KDF kdf context structure */ - --typedef struct { -+struct evp_kdf_impl_st { - /* Digest to use for PRF */ - const EVP_MD *md; - /* Secret value to use for PRF */ -@@ -31,145 +35,137 @@ typedef struct { - /* Buffer of concatenated seed data */ - unsigned char seed[TLS1_PRF_MAXBUF]; - size_t seedlen; --} TLS1_PRF_PKEY_CTX; -+}; - --static int pkey_tls1_prf_init(EVP_PKEY_CTX *ctx) -+static EVP_KDF_IMPL *kdf_tls1_prf_new(void) - { -- TLS1_PRF_PKEY_CTX *kctx; -+ EVP_KDF_IMPL *impl; - -- if ((kctx = OPENSSL_zalloc(sizeof(*kctx))) == NULL) { -- KDFerr(KDF_F_PKEY_TLS1_PRF_INIT, ERR_R_MALLOC_FAILURE); -- return 0; -- } -- ctx->data = kctx; -+ if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL) -+ KDFerr(KDF_F_KDF_TLS1_PRF_NEW, ERR_R_MALLOC_FAILURE); -+ return impl; -+} - -- return 1; -+static void kdf_tls1_prf_free(EVP_KDF_IMPL *impl) -+{ -+ kdf_tls1_prf_reset(impl); -+ OPENSSL_free(impl); - } - --static void pkey_tls1_prf_cleanup(EVP_PKEY_CTX *ctx) -+static void kdf_tls1_prf_reset(EVP_KDF_IMPL *impl) - { -- TLS1_PRF_PKEY_CTX *kctx = ctx->data; -- OPENSSL_clear_free(kctx->sec, kctx->seclen); -- OPENSSL_cleanse(kctx->seed, kctx->seedlen); -- OPENSSL_free(kctx); -+ OPENSSL_clear_free(impl->sec, impl->seclen); -+ OPENSSL_cleanse(impl->seed, impl->seedlen); -+ memset(impl, 0, sizeof(*impl)); - } - --static int pkey_tls1_prf_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) -+static int kdf_tls1_prf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) - { -- TLS1_PRF_PKEY_CTX *kctx = ctx->data; -- switch (type) { -- case EVP_PKEY_CTRL_TLS_MD: -- kctx->md = p2; -- return 1; -+ const unsigned char *p; -+ size_t len; -+ const EVP_MD *md; - -- 
case EVP_PKEY_CTRL_TLS_SECRET: -- if (p1 < 0) -+ switch (cmd) { -+ case EVP_KDF_CTRL_SET_MD: -+ md = va_arg(args, const EVP_MD *); -+ if (md == NULL) - return 0; -- if (kctx->sec != NULL) -- OPENSSL_clear_free(kctx->sec, kctx->seclen); -- OPENSSL_cleanse(kctx->seed, kctx->seedlen); -- kctx->seedlen = 0; -- kctx->sec = OPENSSL_memdup(p2, p1); -- if (kctx->sec == NULL) -+ -+ impl->md = md; -+ return 1; -+ -+ case EVP_KDF_CTRL_SET_TLS_SECRET: -+ p = va_arg(args, const unsigned char *); -+ len = va_arg(args, size_t); -+ OPENSSL_clear_free(impl->sec, impl->seclen); -+ impl->sec = OPENSSL_memdup(p, len); -+ if (impl->sec == NULL) - return 0; -- kctx->seclen = p1; -+ -+ impl->seclen = len; -+ return 1; -+ -+ case EVP_KDF_CTRL_RESET_TLS_SEED: -+ OPENSSL_cleanse(impl->seed, impl->seedlen); -+ impl->seedlen = 0; - return 1; - -- case EVP_PKEY_CTRL_TLS_SEED: -- if (p1 == 0 || p2 == NULL) -+ case EVP_KDF_CTRL_ADD_TLS_SEED: -+ p = va_arg(args, const unsigned char *); -+ len = va_arg(args, size_t); -+ if (len == 0 || p == NULL) - return 1; -- if (p1 < 0 || p1 > (int)(TLS1_PRF_MAXBUF - kctx->seedlen)) -+ -+ if (len > (TLS1_PRF_MAXBUF - impl->seedlen)) - return 0; -- memcpy(kctx->seed + kctx->seedlen, p2, p1); -- kctx->seedlen += p1; -+ -+ memcpy(impl->seed + impl->seedlen, p, len); -+ impl->seedlen += len; - return 1; - - default: - return -2; -- - } - } - --static int pkey_tls1_prf_ctrl_str(EVP_PKEY_CTX *ctx, -- const char *type, const char *value) -+static int kdf_tls1_prf_ctrl_str(EVP_KDF_IMPL *impl, -+ const char *type, const char *value) - { - if (value == NULL) { -- KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING); -+ KDFerr(KDF_F_KDF_TLS1_PRF_CTRL_STR, KDF_R_VALUE_MISSING); - return 0; - } -- if (strcmp(type, "md") == 0) { -- TLS1_PRF_PKEY_CTX *kctx = ctx->data; -+ if (strcmp(type, "digest") == 0) -+ return kdf_md2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_SET_MD, value); - -- const EVP_MD *md = EVP_get_digestbyname(value); -- if (md == NULL) { -- 
KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_INVALID_DIGEST); -- return 0; -- } -- kctx->md = md; -- return 1; -- } - if (strcmp(type, "secret") == 0) -- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value); -+ return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl, -+ EVP_KDF_CTRL_SET_TLS_SECRET, value); -+ - if (strcmp(type, "hexsecret") == 0) -- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SECRET, value); -+ return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl, -+ EVP_KDF_CTRL_SET_TLS_SECRET, value); -+ - if (strcmp(type, "seed") == 0) -- return EVP_PKEY_CTX_str2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value); -+ return kdf_str2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED, -+ value); -+ - if (strcmp(type, "hexseed") == 0) -- return EVP_PKEY_CTX_hex2ctrl(ctx, EVP_PKEY_CTRL_TLS_SEED, value); -+ return kdf_hex2ctrl(impl, kdf_tls1_prf_ctrl, EVP_KDF_CTRL_ADD_TLS_SEED, -+ value); - -- KDFerr(KDF_F_PKEY_TLS1_PRF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); - return -2; - } - --static int pkey_tls1_prf_derive(EVP_PKEY_CTX *ctx, unsigned char *key, -- size_t *keylen) -+static int kdf_tls1_prf_derive(EVP_KDF_IMPL *impl, unsigned char *key, -+ size_t keylen) - { -- TLS1_PRF_PKEY_CTX *kctx = ctx->data; -- if (kctx->md == NULL) { -- KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); -+ if (impl->md == NULL) { -+ KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); - return 0; - } -- if (kctx->sec == NULL) { -- KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_SECRET); -+ if (impl->sec == NULL) { -+ KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SECRET); - return 0; - } -- if (kctx->seedlen == 0) { -- KDFerr(KDF_F_PKEY_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED); -+ if (impl->seedlen == 0) { -+ KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED); - return 0; - } -- return tls1_prf_alg(kctx->md, kctx->sec, kctx->seclen, -- kctx->seed, kctx->seedlen, -- key, *keylen); -+ return tls1_prf_alg(impl->md, impl->sec, impl->seclen, -+ impl->seed, impl->seedlen, -+ 
key, keylen); - } - --const EVP_PKEY_METHOD tls1_prf_pkey_meth = { -- EVP_PKEY_TLS1_PRF, -- 0, -- pkey_tls1_prf_init, -- 0, -- pkey_tls1_prf_cleanup, -- -- 0, 0, -- 0, 0, -- -- 0, -- 0, -- -- 0, -- 0, -- -- 0, 0, -- -- 0, 0, 0, 0, -- -- 0, 0, -- -- 0, 0, -- -- 0, -- pkey_tls1_prf_derive, -- pkey_tls1_prf_ctrl, -- pkey_tls1_prf_ctrl_str -+const EVP_KDF_METHOD tls1_prf_kdf_meth = { -+ EVP_KDF_TLS1_PRF, -+ kdf_tls1_prf_new, -+ kdf_tls1_prf_free, -+ kdf_tls1_prf_reset, -+ kdf_tls1_prf_ctrl, -+ kdf_tls1_prf_ctrl_str, -+ NULL, -+ kdf_tls1_prf_derive - }; - - static int tls1_prf_P_hash(const EVP_MD *md, -@@ -249,12 +245,11 @@ static int tls1_prf_alg(const EVP_MD *md - const unsigned char *seed, size_t seed_len, - unsigned char *out, size_t olen) - { -- - if (EVP_MD_type(md) == NID_md5_sha1) { - size_t i; - unsigned char *tmp; - if (!tls1_prf_P_hash(EVP_md5(), sec, slen/2 + (slen & 1), -- seed, seed_len, out, olen)) -+ seed, seed_len, out, olen)) - return 0; - - if ((tmp = OPENSSL_malloc(olen)) == NULL) { -@@ -262,7 +257,7 @@ static int tls1_prf_alg(const EVP_MD *md - return 0; - } - if (!tls1_prf_P_hash(EVP_sha1(), sec + slen/2, slen/2 + (slen & 1), -- seed, seed_len, tmp, olen)) { -+ seed, seed_len, tmp, olen)) { - OPENSSL_clear_free(tmp, olen); - return 0; - } -diff -up openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod.evp-kdf openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod ---- openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod.evp-kdf 2021-03-03 14:08:02.492294856 +0100 -+++ openssl-1.1.1j/doc/man3/EVP_KDF_CTX.pod 2021-03-03 14:08:02.492294856 +0100 -@@ -0,0 +1,217 @@ -+=pod -+ -+=head1 NAME -+ -+EVP_KDF_CTX, EVP_KDF_CTX_new_id, EVP_KDF_CTX_free, EVP_KDF_reset, -+EVP_KDF_ctrl, EVP_KDF_vctrl, EVP_KDF_ctrl_str, EVP_KDF_size, -+EVP_KDF_derive - EVP KDF routines -+ -+=head1 SYNOPSIS -+ -+ #include -+ -+ typedef struct evp_kdf_ctx_st EVP_KDF_CTX; -+ -+ EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id); -+ void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx); -+ void EVP_KDF_reset(EVP_KDF_CTX *ctx); -+ int 
EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...); -+ int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args); -+ int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value); -+ size_t EVP_KDF_size(EVP_KDF_CTX *ctx); -+ int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen); -+ -+=head1 DESCRIPTION -+ -+The EVP KDF routines are a high level interface to Key Derivation Function -+algorithms and should be used instead of algorithm-specific functions. -+ -+After creating a C for the required algorithm using -+EVP_KDF_CTX_new_id(), inputs to the algorithm are supplied using calls to -+EVP_KDF_ctrl(), EVP_KDF_vctrl() or EVP_KDF_ctrl_str() before calling -+EVP_KDF_derive() to derive the key. -+ -+=head2 Types -+ -+B is a context type that holds the algorithm inputs. -+ -+=head2 Context manipulation functions -+ -+EVP_KDF_CTX_new_id() creates a KDF context for the algorithm identified by the -+specified NID. -+ -+EVP_KDF_CTX_free() frees up the context C. If C is C, nothing -+is done. -+ -+=head2 Computing functions -+ -+EVP_KDF_reset() resets the context to the default state as if the context -+had just been created. -+ -+EVP_KDF_ctrl() is used to provide inputs to the KDF algorithm prior to -+EVP_KDF_derive() being called. The inputs that may be provided will vary -+depending on the KDF algorithm or its implementation. This functions takes -+variable arguments, the exact expected arguments depend on C. -+See L below for a description of standard controls. -+ -+EVP_KDF_vctrl() is the variant of EVP_KDF_ctrl() that takes a C -+argument instead of variadic arguments. -+ -+EVP_KDF_ctrl_str() allows an application to send an algorithm specific control -+operation to a context C in string form. This is intended to be used for -+options specified on the command line or in text files. -+ -+EVP_KDF_size() returns the output size if the algorithm produces a fixed amount -+of output and C otherwise. If an error occurs then 0 is returned. 
-+For some algorithms an error may result if input parameters necessary to -+calculate a fixed output size have not yet been supplied. -+ -+EVP_KDF_derive() derives C bytes of key material and places it in the -+C buffer. If the algorithm produces a fixed amount of output then an -+error will occur unless the C parameter is equal to that output size, -+as returned by EVP_KDF_size(). -+ -+=head1 CONTROLS -+ -+The standard controls are: -+ -+=over 4 -+ -+=item B -+ -+This control expects two arguments: C, C -+ -+Some KDF implementations require a password. For those KDF implementations -+that support it, this control sets the password. -+ -+EVP_KDF_ctrl_str() takes two type strings for this control: -+ -+=over 4 -+ -+=item "pass" -+ -+The value string is used as is. -+ -+=item "hexpass" -+ -+The value string is expected to be a hexadecimal number, which will be -+decoded before being passed on as the control value. -+ -+=back -+ -+=item B -+ -+This control expects two arguments: C, C -+ -+Some KDF implementations can take a salt. For those KDF implementations that -+support it, this control sets the salt. -+ -+The default value, if any, is implementation dependent. -+ -+EVP_KDF_ctrl_str() takes two type strings for this control: -+ -+=over 4 -+ -+=item "salt" -+ -+The value string is used as is. -+ -+=item "hexsalt" -+ -+The value string is expected to be a hexadecimal number, which will be -+decoded before being passed on as the control value. -+ -+=back -+ -+=item B -+ -+This control expects one argument: C -+ -+Some KDF implementations require an iteration count. For those KDF implementations that support it, this control sets the iteration count. -+ -+The default value, if any, is implementation dependent. -+ -+EVP_KDF_ctrl_str() type string: "iter" -+ -+The value string is expected to be a decimal number. 
-+ -+=item B -+ -+This control expects one argument: C -+ -+For MAC implementations that use a message digest as an underlying computation -+algorithm, this control set what the digest algorithm should be. -+ -+EVP_KDF_ctrl_str() type string: "md" -+ -+The value string is expected to be the name of a digest. -+ -+=item B -+ -+This control expects two arguments: C, C -+ -+Some KDF implementations require a key. For those KDF implementations that -+support it, this control sets the key. -+ -+EVP_KDF_ctrl_str() takes two type strings for this control: -+ -+=over 4 -+ -+=item "key" -+ -+The value string is used as is. -+ -+=item "hexkey" -+ -+The value string is expected to be a hexadecimal number, which will be -+decoded before being passed on as the control value. -+ -+=back -+ -+=item B -+ -+This control expects one argument: C -+ -+Memory-hard password-based KDF algorithms, such as scrypt, use an amount of -+memory that depends on the load factors provided as input. For those KDF -+implementations that support it, this control sets an upper limit on the amount -+of memory that may be consumed while performing a key derivation. If this -+memory usage limit is exceeded because the load factors are chosen too high, -+the key derivation will fail. -+ -+The default value is implementation dependent. -+ -+EVP_KDF_ctrl_str() type string: "maxmem_bytes" -+ -+The value string is expected to be a decimal number. -+ -+=back -+ -+=head1 RETURN VALUES -+ -+EVP_KDF_CTX_new_id() returns either the newly allocated C -+structure or C if an error occurred. -+ -+EVP_KDF_CTX_free() and EVP_KDF_reset() do not return a value. -+ -+EVP_KDF_size() returns the output size. C is returned to indicate -+that the algorithm produces a variable amount of output; 0 to indicate failure. -+ -+The remaining functions return 1 for success and 0 or a negative value for -+failure. In particular, a return value of -2 indicates the operation is not -+supported by the KDF algorithm. 
-+ -+=head1 SEE ALSO -+ -+L -+ -+=head1 COPYRIGHT -+ -+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. -+ -+Licensed under the Apache License 2.0 (the "License"). You may not use -+this file except in compliance with the License. You can obtain a copy -+in the file LICENSE in the source distribution or at -+L. -+ -+=cut -diff -up openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod ---- openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100 -+++ openssl-1.1.1j/doc/man7/EVP_KDF_HKDF.pod 2021-03-03 14:08:02.493294865 +0100 -@@ -0,0 +1,180 @@ -+=pod -+ -+=head1 NAME -+ -+EVP_KDF_HKDF - The HKDF EVP_KDF implementation -+ -+=head1 DESCRIPTION -+ -+Support for computing the B KDF through the B API. -+ -+The EVP_KDF_HKDF algorithm implements the HKDF key derivation function. -+HKDF follows the "extract-then-expand" paradigm, where the KDF logically -+consists of two modules. The first stage takes the input keying material -+and "extracts" from it a fixed-length pseudorandom key K. The second stage -+"expands" the key K into several additional pseudorandom keys (the output -+of the KDF). -+ -+=head2 Numeric identity -+ -+B is the numeric identity for this implementation; it -+can be used with the EVP_KDF_CTX_new_id() function. -+ -+=head2 Supported controls -+ -+The supported controls are: -+ -+=over 4 -+ -+=item B -+ -+=item B -+ -+=item B -+ -+These controls work as described in L. -+ -+=item B -+ -+This control does not expect any arguments. -+ -+Resets the context info buffer to zero length. -+ -+=item B -+ -+This control expects two arguments: C, C -+ -+Sets the info value to the first B bytes of the buffer B. If a -+value is already set, the contents of the buffer are appended to the existing -+value. -+ -+The total length of the context info buffer cannot exceed 1024 bytes; -+this should be more than enough for any normal use of HKDF. 
-+
-+EVP_KDF_ctrl_str() takes two type strings for this control:
-+
-+=over 4
-+
-+=item "info"
-+
-+The value string is used as is.
-+
-+=item "hexinfo"
-+
-+The value string is expected to be a hexadecimal number, which will be
-+decoded before being passed on as the control value.
-+
-+=back
-+
-+=item B
-+
-+This control expects one argument: C
-+
-+Sets the mode for the HKDF operation. There are three modes that are currently
-+defined:
-+
-+=over 4
-+
-+=item EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND
-+
-+This is the default mode. Calling L on an EVP_KDF_CTX set
-+up for HKDF will perform an extract followed by an expand operation in one go.
-+The derived key returned will be the result after the expand operation. The
-+intermediate fixed-length pseudorandom key K is not returned.
-+
-+In this mode the digest, key, salt and info values must be set before a key is
-+derived otherwise an error will occur.
-+
-+=item EVP_KDF_HKDF_MODE_EXTRACT_ONLY
-+
-+In this mode calling L will just perform the extract
-+operation. The value returned will be the intermediate fixed-length pseudorandom
-+key K. The C parameter must match the size of K, which can be looked
-+up by calling EVP_KDF_size() after setting the mode and digest.
-+
-+The digest, key and salt values must be set before a key is derived otherwise
-+an error will occur.
-+
-+=item EVP_KDF_HKDF_MODE_EXPAND_ONLY
-+
-+In this mode calling L will just perform the expand
-+operation. The input key should be set to the intermediate fixed-length
-+pseudorandom key K returned from a previous extract operation.
-+
-+The digest, key and info values must be set before a key is derived otherwise
-+an error will occur.
-+
-+=back
-+
-+EVP_KDF_ctrl_str() type string: "mode"
-+
-+The value string is expected to be one of: "EXTRACT_AND_EXPAND", "EXTRACT_ONLY"
-+or "EXPAND_ONLY".
-+
-+=back
-+
-+=head1 NOTES
-+
-+A context for HKDF can be obtained by calling:
-+
-+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF);
-+
-+The output length of an HKDF expand operation is specified via the C
-+parameter to the L function. When using
-+EVP_KDF_HKDF_MODE_EXTRACT_ONLY the C parameter must equal the size of
-+the intermediate fixed-length pseudorandom key otherwise an error will occur.
-+For that mode, the fixed output size can be looked up by calling EVP_KDF_size()
-+after setting the mode and digest on the C.
-+
-+=head1 EXAMPLE
-+
-+This example derives 10 bytes using SHA-256 with the secret key "secret",
-+salt value "salt" and info value "label":
-+
-+ EVP_KDF_CTX *kctx;
-+ unsigned char out[10];
-+
-+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF);
-+
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+ error("EVP_KDF_CTRL_SET_MD");
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
-+ error("EVP_KDF_CTRL_SET_SALT");
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {
-+ error("EVP_KDF_CTRL_SET_KEY");
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, "label", (size_t)5) <= 0) {
-+ error("EVP_KDF_CTRL_ADD_HKDF_INFO");
-+ }
-+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+ error("EVP_KDF_derive");
-+ }
-+
-+ EVP_KDF_CTX_free(kctx);
-+
-+=head1 CONFORMING TO
-+
-+RFC 5869
-+
-+=head1 SEE ALSO
-+
-+L,
-+L,
-+L,
-+L,
-+L,
-+L,
-+L
-+
-+=head1 COPYRIGHT
-+
-+Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
-+
-+Licensed under the Apache License 2.0 (the "License"). You may not use
-+this file except in compliance with the License. You can obtain a copy
-+in the file LICENSE in the source distribution or at
-+L.
-+
-+=cut
-diff -up openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod
---- openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100
-+++ openssl-1.1.1j/doc/man7/EVP_KDF_PBKDF2.pod 2021-03-03 14:08:02.493294865 +0100
-@@ -0,0 +1,78 @@
-+=pod
-+
-+=head1 NAME
-+
-+EVP_KDF_PBKDF2 - The PBKDF2 EVP_KDF implementation
-+
-+=head1 DESCRIPTION
-+
-+Support for computing the B password-based KDF through the B
-+API.
-+
-+The EVP_KDF_PBKDF2 algorithm implements the PBKDF2 password-based key
-+derivation function, as described in RFC 2898; it derives a key from a password
-+using a salt and iteration count.
-+
-+=head2 Numeric identity
-+
-+B is the numeric identity for this implementation; it
-+can be used with the EVP_KDF_CTX_new_id() function.
-+
-+=head2 Supported controls
-+
-+The supported controls are:
-+
-+=over 4
-+
-+=item B
-+
-+=item B
-+
-+=item B
-+
-+=item B
-+
-+These controls work as described in L.
-+
-+B is the iteration count and its value should be greater than or equal to
-+1. RFC 2898 suggests an iteration count of at least 1000. The default value is
-+2048. Any B less than 1 is treated as a single iteration.
-+
-+=back
-+
-+=head1 NOTES
-+
-+A typical application of this algorithm is to derive keying material for an
-+encryption algorithm from a password in the B, a salt in B,
-+and an iteration count.
-+
-+Increasing the B parameter slows down the algorithm which makes it
-+harder for an attacker to perform a brute force attack using a large number
-+of candidate passwords.
-+
-+No assumption is made regarding the given password; it is simply treated as a
-+byte sequence.
-+
-+=head1 CONFORMING TO
-+
-+RFC 2898
-+
-+=head1 SEE ALSO
-+
-+L,
-+L,
-+L,
-+L,
-+L,
-+L
-+
-+=head1 COPYRIGHT
-+
-+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
-+
-+Licensed under the Apache License 2.0 (the "License"). You may not use
-+this file except in compliance with the License. You can obtain a copy
-+in the file LICENSE in the source distribution or at
-+L.
-+
-+=cut
-diff -up openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod
---- openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100
-+++ openssl-1.1.1j/doc/man7/EVP_KDF_SCRYPT.pod 2021-03-03 14:08:02.493294865 +0100
-@@ -0,0 +1,149 @@
-+=pod
-+
-+=head1 NAME
-+
-+EVP_KDF_SCRYPT - The scrypt EVP_KDF implementation
-+
-+=head1 DESCRIPTION
-+
-+Support for computing the B password-based KDF through the B
-+API.
-+
-+The EVP_KDF_SCRYPT algorithm implements the scrypt password-based key
-+derivation function, as described in RFC 7914. It is memory-hard in the sense
-+that it deliberately requires a significant amount of RAM for efficient
-+computation. The intention of this is to render brute forcing of passwords on
-+systems that lack large amounts of main memory (such as GPUs or ASICs)
-+computationally infeasible.
-+
-+scrypt provides three work factors that can be customized: N, r and p. N, which
-+has to be a positive power of two, is the general work factor and scales CPU
-+time in an approximately linear fashion. r is the block size of the internally
-+used hash function and p is the parallelization factor. Both r and p need to be
-+greater than zero. The amount of RAM that scrypt requires for its computation
-+is roughly (128 * N * r * p) bytes.
-+
-+In the original paper of Colin Percival ("Stronger Key Derivation via
-+Sequential Memory-Hard Functions", 2009), the suggested values that give a
-+computation time of less than 5 seconds on a 2.5 GHz Intel Core 2 Duo are N =
-+2^20 = 1048576, r = 8, p = 1. Consequently, the required amount of memory for
-+this computation is roughly 1 GiB. On a more recent CPU (Intel i7-5930K at 3.5
-+GHz), this computation takes about 3 seconds. When N, r or p are not specified,
-+they default to 1048576, 8, and 1, respectively. The maximum amount of RAM that
-+may be used by scrypt defaults to 1025 MiB.
-+
-+=head2 Numeric identity
-+
-+B is the numeric identity for this implementation; it
-+can be used with the EVP_KDF_CTX_new_id() function.
-+
-+=head2 Supported controls
-+
-+The supported controls are:
-+
-+=over 4
-+
-+=item B
-+
-+=item B
-+
-+These controls work as described in L.
-+
-+=item B
-+
-+=item B
-+
-+=item B
-+
-+B expects one argument: C
-+
-+B expects one argument: C
-+
-+B expects one argument: C
-+
-+These controls configure the scrypt work factors N, r and p.
-+
-+EVP_KDF_ctrl_str() type strings: "N", "r" and "p", respectively.
-+
-+The corresponding value strings are expected to be decimal numbers.
-+
-+=back
-+
-+=head1 NOTES
-+
-+A context for scrypt can be obtained by calling:
-+
-+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT);
-+
-+The output length of an scrypt key derivation is specified via the
-+B parameter to the L function.
-+
-+=head1 EXAMPLE
-+
-+This example derives a 64-byte long test vector using scrypt with the password
-+"password", salt "NaCl" and N = 1024, r = 8, p = 16.
-+
-+ EVP_KDF_CTX *kctx;
-+ unsigned char out[64];
-+
-+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT);
-+
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
-+ error("EVP_KDF_CTRL_SET_PASS");
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl", (size_t)4) <= 0) {
-+ error("EVP_KDF_CTRL_SET_SALT");
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, (uint64_t)1024) <= 0) {
-+ error("EVP_KDF_CTRL_SET_SCRYPT_N");
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)8) <= 0) {
-+ error("EVP_KDF_CTRL_SET_SCRYPT_R");
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)16) <= 0) {
-+ error("EVP_KDF_CTRL_SET_SCRYPT_P");
-+ }
-+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+ error("EVP_KDF_derive");
-+ }
-+
-+ {
-+ const unsigned char expected[sizeof(out)] = {
-+ 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
-+ 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
-+ 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
-+ 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
-+ 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
-+ 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
-+ 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
-+ 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
-+ };
-+
-+ assert(!memcmp(out, expected, sizeof(out)));
-+ }
-+
-+ EVP_KDF_CTX_free(kctx);
-+
-+=head1 CONFORMING TO
-+
-+RFC 7914
-+
-+=head1 SEE ALSO
-+
-+L,
-+L,
-+L,
-+L,
-+L,
-+L
-+
-+=head1 COPYRIGHT
-+
-+Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
-+
-+Licensed under the OpenSSL license (the "License"). You may not use
-+this file except in compliance with the License. You can obtain a copy
-+in the file LICENSE in the source distribution or at
-+L.
-+
-+=cut
-diff -up openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod
---- openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod.evp-kdf 2021-03-03 14:08:02.493294865 +0100
-+++ openssl-1.1.1j/doc/man7/EVP_KDF_TLS1_PRF.pod 2021-03-03 14:08:02.493294865 +0100
-@@ -0,0 +1,142 @@
-+=pod
-+
-+=head1 NAME
-+
-+EVP_KDF_TLS1_PRF - The TLS1 PRF EVP_KDF implementation
-+
-+=head1 DESCRIPTION
-+
-+Support for computing the B PRF through the B API.
-+
-+The EVP_KDF_TLS1_PRF algorithm implements the PRF used by TLS versions up to
-+and including TLS 1.2.
-+
-+=head2 Numeric identity
-+
-+B is the numeric identity for this implementation; it
-+can be used with the EVP_KDF_CTX_new_id() function.
-+
-+=head2 Supported controls
-+
-+The supported controls are:
-+
-+=over 4
-+
-+=item B
-+
-+This control works as described in L.
-+
-+The C control is used to set the message digest associated
-+with the TLS PRF. EVP_md5_sha1() is treated as a special case which uses the
-+PRF algorithm using both B and B as used in TLS 1.0 and 1.1.
-+
-+=item B
-+
-+This control expects two arguments: C, C
-+
-+Sets the secret value of the TLS PRF to B bytes of the buffer B.
-+Any existing secret value is replaced.
-+
-+EVP_KDF_ctrl_str() takes two type strings for this control:
-+
-+=over 4
-+
-+=item "secret"
-+
-+The value string is used as is.
-+
-+=item "hexsecret"
-+
-+The value string is expected to be a hexadecimal number, which will be
-+decoded before being passed on as the control value.
-+
-+=back
-+
-+=item B
-+
-+This control does not expect any arguments.
-+
-+Resets the context seed buffer to zero length.
-+
-+=item B
-+
-+This control expects two arguments: C, C
-+
-+Sets the seed to B bytes of B. If a seed is already set it is
-+appended to the existing value.
-+
-+The total length of the context seed buffer cannot exceed 1024 bytes;
-+this should be more than enough for any normal use of the TLS PRF.
-+
-+EVP_KDF_ctrl_str() takes two type strings for this control:
-+
-+=over 4
-+
-+=item "seed"
-+
-+The value string is used as is.
-+
-+=item "hexseed"
-+
-+The value string is expected to be a hexadecimal number, which will be
-+decoded before being passed on as the control value.
-+
-+=back
-+
-+=back
-+
-+=head1 NOTES
-+
-+A context for the TLS PRF can be obtained by calling:
-+
-+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF, NULL);
-+
-+The digest, secret value and seed must be set before a key is derived otherwise
-+an error will occur.
-+
-+The output length of the PRF is specified by the C parameter to the
-+EVP_KDF_derive() function.
-+
-+=head1 EXAMPLE
-+
-+This example derives 10 bytes using SHA-256 with the secret key "secret"
-+and seed value "seed":
-+
-+ EVP_KDF_CTX *kctx;
-+ unsigned char out[10];
-+
-+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF);
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+ error("EVP_KDF_CTRL_SET_MD");
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
-+ "secret", (size_t)6) <= 0) {
-+ error("EVP_KDF_CTRL_SET_TLS_SECRET");
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) {
-+ error("EVP_KDF_CTRL_ADD_TLS_SEED");
-+ }
-+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+ error("EVP_KDF_derive");
-+ }
-+ EVP_KDF_CTX_free(kctx);
-+
-+=head1 SEE ALSO
-+
-+L,
-+L,
-+L,
-+L,
-+L,
-+L
-+
-+=head1 COPYRIGHT
-+
-+Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
-+
-+Licensed under the Apache License 2.0 (the "License"). You may not use
-+this file except in compliance with the License. You can obtain a copy
-+in the file LICENSE in the source distribution or at
-+L.
-+
-+=cut
-diff -up openssl-1.1.1j/include/crypto/evp.h.evp-kdf openssl-1.1.1j/include/crypto/evp.h
---- openssl-1.1.1j/include/crypto/evp.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/crypto/evp.h 2021-03-03 14:08:02.493294865 +0100
-@@ -112,6 +112,24 @@ extern const EVP_PKEY_METHOD hkdf_pkey_m
- extern const EVP_PKEY_METHOD poly1305_pkey_meth;
- extern const EVP_PKEY_METHOD siphash_pkey_meth;
-
-+/* struct evp_kdf_impl_st is defined by the implementation */
-+typedef struct evp_kdf_impl_st EVP_KDF_IMPL;
-+typedef struct {
-+ int type;
-+ EVP_KDF_IMPL *(*new) (void);
-+ void (*free) (EVP_KDF_IMPL *impl);
-+ void (*reset) (EVP_KDF_IMPL *impl);
-+ int (*ctrl) (EVP_KDF_IMPL *impl, int cmd, va_list args);
-+ int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value);
-+ size_t (*size) (EVP_KDF_IMPL *impl);
-+ int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen);
-+} EVP_KDF_METHOD;
-+
-+extern const EVP_KDF_METHOD pbkdf2_kdf_meth;
-+extern const EVP_KDF_METHOD scrypt_kdf_meth;
-+extern const EVP_KDF_METHOD tls1_prf_kdf_meth;
-+extern const EVP_KDF_METHOD hkdf_kdf_meth;
-+
- struct evp_md_st {
- int type;
- int pkey_type;
-diff -up openssl-1.1.1j/include/openssl/evperr.h.evp-kdf openssl-1.1.1j/include/openssl/evperr.h
---- openssl-1.1.1j/include/openssl/evperr.h.evp-kdf 2021-03-03 14:08:02.477294722 +0100
-+++ openssl-1.1.1j/include/openssl/evperr.h 2021-03-03 14:13:37.587003722 +0100
-@@ -56,6 +56,9 @@ int ERR_load_EVP_strings(void);
- # define EVP_F_EVP_ENCRYPTDECRYPTUPDATE 219
- # define EVP_F_EVP_ENCRYPTFINAL_EX 127
- # define EVP_F_EVP_ENCRYPTUPDATE 167
-+# define EVP_F_EVP_KDF_CTRL 224
-+# define EVP_F_EVP_KDF_CTRL_STR 225
-+# define EVP_F_EVP_KDF_CTX_NEW_ID 226
- # define EVP_F_EVP_MD_CTX_COPY_EX 110
- # define EVP_F_EVP_MD_SIZE 162
- # define EVP_F_EVP_OPENINIT 102
-@@ -118,11 +121,13 @@ int ERR_load_EVP_strings(void);
- # define EVP_F_PKCS5_V2_PBE_KEYIVGEN 118
- # define EVP_F_PKCS5_V2_PBKDF2_KEYIVGEN 164
- # define EVP_F_PKCS5_V2_SCRYPT_KEYIVGEN 180
-+# define EVP_F_PKEY_KDF_CTRL 227
- # define EVP_F_PKEY_SET_TYPE 158
- # define EVP_F_RC2_MAGIC_TO_METH 109
- # define EVP_F_RC5_CTRL 125
- # define EVP_F_R_32_12_16_INIT_KEY 242
- # define EVP_F_S390X_AES_GCM_CTRL 201
-+# define EVP_F_SCRYPT_ALG 228
- # define EVP_F_UPDATE 173
-
- /*
-@@ -179,6 +184,7 @@ int ERR_load_EVP_strings(void);
- # define EVP_R_ONLY_ONESHOT_SUPPORTED 177
- # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150
- # define EVP_R_OPERATON_NOT_INITIALIZED 151
-+# define EVP_R_PARAMETER_TOO_LARGE 187
- # define EVP_R_OUTPUT_WOULD_OVERFLOW 184
- # define EVP_R_PARTIALLY_OVERLAPPING 162
- # define EVP_R_PBKDF2_ERROR 181
-diff -up openssl-1.1.1j/include/openssl/kdferr.h.evp-kdf openssl-1.1.1j/include/openssl/kdferr.h
---- openssl-1.1.1j/include/openssl/kdferr.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/openssl/kdferr.h 2021-03-03 14:08:02.493294865 +0100
-@@ -23,6 +23,23 @@ int ERR_load_KDF_strings(void);
- /*
- * KDF function codes.
- */
-+# define KDF_F_HKDF_EXTRACT 112
-+# define KDF_F_KDF_HKDF_DERIVE 113
-+# define KDF_F_KDF_HKDF_NEW 114
-+# define KDF_F_KDF_HKDF_SIZE 115
-+# define KDF_F_KDF_MD2CTRL 116
-+# define KDF_F_KDF_PBKDF2_CTRL_STR 117
-+# define KDF_F_KDF_PBKDF2_DERIVE 118
-+# define KDF_F_KDF_PBKDF2_NEW 119
-+# define KDF_F_KDF_SCRYPT_CTRL_STR 120
-+# define KDF_F_KDF_SCRYPT_CTRL_UINT32 121
-+# define KDF_F_KDF_SCRYPT_CTRL_UINT64 122
-+# define KDF_F_KDF_SCRYPT_DERIVE 123
-+# define KDF_F_KDF_SCRYPT_NEW 124
-+# define KDF_F_KDF_TLS1_PRF_CTRL_STR 125
-+# define KDF_F_KDF_TLS1_PRF_DERIVE 126
-+# define KDF_F_KDF_TLS1_PRF_NEW 127
-+# define KDF_F_PBKDF2_SET_MEMBUF 128
- # define KDF_F_PKEY_HKDF_CTRL_STR 103
- # define KDF_F_PKEY_HKDF_DERIVE 102
- # define KDF_F_PKEY_HKDF_INIT 108
-@@ -34,6 +51,7 @@ int ERR_load_KDF_strings(void);
- # define KDF_F_PKEY_TLS1_PRF_CTRL_STR 100
- # define KDF_F_PKEY_TLS1_PRF_DERIVE 101
- # define KDF_F_PKEY_TLS1_PRF_INIT 110
-+# define KDF_F_SCRYPT_SET_MEMBUF 129
- # define KDF_F_TLS1_PRF_ALG 111
-
- /*
-@@ -51,5 +69,6 @@ int ERR_load_KDF_strings(void);
- # define KDF_R_UNKNOWN_PARAMETER_TYPE 103
- # define KDF_R_VALUE_ERROR 108
- # define KDF_R_VALUE_MISSING 102
-+# define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112
-
- #endif
-diff -up openssl-1.1.1j/include/openssl/kdf.h.evp-kdf openssl-1.1.1j/include/openssl/kdf.h
---- openssl-1.1.1j/include/openssl/kdf.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/openssl/kdf.h 2021-03-03 14:08:02.493294865 +0100
-@@ -10,10 +10,50 @@
- #ifndef HEADER_KDF_H
- # define HEADER_KDF_H
-
-+# include
- # include
--#ifdef __cplusplus
-+# ifdef __cplusplus
- extern "C" {
--#endif
-+# endif
-+
-+# define EVP_KDF_PBKDF2 NID_id_pbkdf2
-+# define EVP_KDF_SCRYPT NID_id_scrypt
-+# define EVP_KDF_TLS1_PRF NID_tls1_prf
-+# define EVP_KDF_HKDF NID_hkdf
-+
-+EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id);
-+void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx);
-+
-+void EVP_KDF_reset(EVP_KDF_CTX *ctx);
-+int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...);
-+int EVP_KDF_vctrl(EVP_KDF_CTX *ctx, int cmd, va_list args);
-+int EVP_KDF_ctrl_str(EVP_KDF_CTX *ctx, const char *type, const char *value);
-+size_t EVP_KDF_size(EVP_KDF_CTX *ctx);
-+int EVP_KDF_derive(EVP_KDF_CTX *ctx, unsigned char *key, size_t keylen);
-+
-+
-+# define EVP_KDF_CTRL_SET_PASS 0x01 /* unsigned char *, size_t */
-+# define EVP_KDF_CTRL_SET_SALT 0x02 /* unsigned char *, size_t */
-+# define EVP_KDF_CTRL_SET_ITER 0x03 /* int */
-+# define EVP_KDF_CTRL_SET_MD 0x04 /* EVP_MD * */
-+# define EVP_KDF_CTRL_SET_KEY 0x05 /* unsigned char *, size_t */
-+# define EVP_KDF_CTRL_SET_MAXMEM_BYTES 0x06 /* uint64_t */
-+# define EVP_KDF_CTRL_SET_TLS_SECRET 0x07 /* unsigned char *, size_t */
-+# define EVP_KDF_CTRL_RESET_TLS_SEED 0x08
-+# define EVP_KDF_CTRL_ADD_TLS_SEED 0x09 /* unsigned char *, size_t */
-+# define EVP_KDF_CTRL_RESET_HKDF_INFO 0x0a
-+# define EVP_KDF_CTRL_ADD_HKDF_INFO 0x0b /* unsigned char *, size_t */
-+# define EVP_KDF_CTRL_SET_HKDF_MODE 0x0c /* int */
-+# define EVP_KDF_CTRL_SET_SCRYPT_N 0x0d /* uint64_t */
-+# define EVP_KDF_CTRL_SET_SCRYPT_R 0x0e /* uint32_t */
-+# define EVP_KDF_CTRL_SET_SCRYPT_P 0x0f /* uint32_t */
-+
-+# define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 0
-+# define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
-+# define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2
-+
-+
-+/**** The legacy PKEY-based KDF API follows. ****/
-
- # define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL)
- # define EVP_PKEY_CTRL_TLS_SECRET (EVP_PKEY_ALG_CTRL + 1)
-@@ -30,9 +70,12 @@ extern "C" {
- # define EVP_PKEY_CTRL_SCRYPT_P (EVP_PKEY_ALG_CTRL + 12)
- # define EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES (EVP_PKEY_ALG_CTRL + 13)
-
--# define EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND 0
--# define EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY 1
--# define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY 2
-+# define EVP_PKEY_HKDEF_MODE_EXTRACT_AND_EXPAND \
-+ EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND
-+# define EVP_PKEY_HKDEF_MODE_EXTRACT_ONLY \
-+ EVP_KDF_HKDF_MODE_EXTRACT_ONLY
-+# define EVP_PKEY_HKDEF_MODE_EXPAND_ONLY \
-+ EVP_KDF_HKDF_MODE_EXPAND_ONLY
-
- # define EVP_PKEY_CTX_set_tls1_prf_md(pctx, md) \
- EVP_PKEY_CTX_ctrl(pctx, -1, EVP_PKEY_OP_DERIVE, \
-@@ -91,7 +134,7 @@ extern "C" {
- EVP_PKEY_CTRL_SCRYPT_MAXMEM_BYTES, maxmem_bytes)
-
-
--# ifdef __cplusplus
-+# ifdef __cplusplus
- }
- # endif
- #endif
-diff -up openssl-1.1.1j/include/openssl/ossl_typ.h.evp-kdf openssl-1.1.1j/include/openssl/ossl_typ.h
---- openssl-1.1.1j/include/openssl/ossl_typ.h.evp-kdf 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/openssl/ossl_typ.h 2021-03-03 14:08:02.493294865 +0100
-@@ -97,6 +97,8 @@ typedef struct evp_pkey_asn1_method_st E
- typedef struct evp_pkey_method_st EVP_PKEY_METHOD;
- typedef struct evp_pkey_ctx_st EVP_PKEY_CTX;
-
-+typedef struct evp_kdf_ctx_st EVP_KDF_CTX;
-+
- typedef struct evp_Encode_Ctx_st EVP_ENCODE_CTX;
-
- typedef struct hmac_ctx_st HMAC_CTX;
-diff -up openssl-1.1.1j/test/build.info.evp-kdf openssl-1.1.1j/test/build.info
---- openssl-1.1.1j/test/build.info.evp-kdf 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/test/build.info 2021-03-03 14:08:02.493294865 +0100
-@@ -44,7 +44,8 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
- ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
- bio_callback_test bio_memleak_test \
- bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
-- pkey_meth_test pkey_meth_kdf_test uitest cipherbytes_test \
-+ pkey_meth_test pkey_meth_kdf_test evp_kdf_test uitest \
-+ cipherbytes_test \
- asn1_encode_test asn1_decode_test asn1_string_table_test \
- x509_time_test x509_dup_cert_test x509_check_cert_pkey_test \
- recordlentest drbgtest sslbuffertest \
-@@ -336,6 +337,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I
- INCLUDE[pkey_meth_kdf_test]=../include
- DEPEND[pkey_meth_kdf_test]=../libcrypto libtestutil.a
-
-+ SOURCE[evp_kdf_test]=evp_kdf_test.c
-+ INCLUDE[evp_kdf_test]=../include
-+ DEPEND[evp_kdf_test]=../libcrypto libtestutil.a
-+
- SOURCE[x509_time_test]=x509_time_test.c
- INCLUDE[x509_time_test]=../include
- DEPEND[x509_time_test]=../libcrypto libtestutil.a
-diff -up openssl-1.1.1j/test/evp_kdf_test.c.evp-kdf openssl-1.1.1j/test/evp_kdf_test.c
---- openssl-1.1.1j/test/evp_kdf_test.c.evp-kdf 2021-03-03 14:08:02.494294874 +0100
-+++ openssl-1.1.1j/test/evp_kdf_test.c 2021-03-03 14:08:02.494294874 +0100
-@@ -0,0 +1,237 @@
-+/*
-+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved.
-+ *
-+ * Licensed under the Apache License 2.0 (the "License"). You may not use
-+ * this file except in compliance with the License. You can obtain a copy
-+ * in the file LICENSE in the source distribution or at
-+ * https://www.openssl.org/source/license.html
-+ */
-+
-+/* Tests of the EVP_KDF_CTX APIs */
-+
-+#include
-+#include
-+
-+#include
-+#include
-+#include "testutil.h"
-+
-+static int test_kdf_tls1_prf(void)
-+{
-+ int ret = 0;
-+ EVP_KDF_CTX *kctx;
-+ unsigned char out[16];
-+
-+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL) {
-+ TEST_error("EVP_KDF_TLS1_PRF");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_MD");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET,
-+ "secret", (size_t)6) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_TLS_SECRET");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_ADD_TLS_SEED");
-+ goto err;
-+ }
-+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+ TEST_error("EVP_KDF_derive");
-+ goto err;
-+ }
-+
-+ {
-+ const unsigned char expected[sizeof(out)] = {
-+ 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0,
-+ 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
-+ };
-+ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
-+ goto err;
-+ }
-+ }
-+ ret = 1;
-+err:
-+ EVP_KDF_CTX_free(kctx);
-+ return ret;
-+}
-+
-+static int test_kdf_hkdf(void)
-+{
-+ int ret = 0;
-+ EVP_KDF_CTX *kctx;
-+ unsigned char out[10];
-+
-+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF)) == NULL) {
-+ TEST_error("EVP_KDF_HKDF");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_MD");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_SALT");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KEY");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO,
-+ "label", (size_t)5) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_ADD_HKDF_INFO");
-+ goto err;
-+ }
-+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+ TEST_error("EVP_KDF_derive");
-+ goto err;
-+ }
-+
-+ {
-+ const unsigned char expected[sizeof(out)] = {
-+ 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13
-+ };
-+ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
-+ goto err;
-+ }
-+ }
-+ ret = 1;
-+err:
-+ EVP_KDF_CTX_free(kctx);
-+ return ret;
-+}
-+
-+static int test_kdf_pbkdf2(void)
-+{
-+ int ret = 0;
-+ EVP_KDF_CTX *kctx;
-+ unsigned char out[32];
-+
-+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) {
-+ TEST_error("EVP_KDF_PBKDF2");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_PASS");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_SALT");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_ITER");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_MD");
-+ goto err;
-+ }
-+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+ TEST_error("EVP_KDF_derive");
-+ goto err;
-+ }
-+
-+ {
-+ const unsigned char expected[sizeof(out)] = {
-+ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3,
-+ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0,
-+ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf,
-+ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43
-+ };
-+ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
-+ goto err;
-+ }
-+ }
-+ ret = 1;
-+err:
-+ EVP_KDF_CTX_free(kctx);
-+ return ret;
-+}
-+
-+#ifndef OPENSSL_NO_SCRYPT
-+static int test_kdf_scrypt(void)
-+{
-+ int ret = 0;
-+ EVP_KDF_CTX *kctx;
-+ unsigned char out[64];
-+
-+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_SCRYPT)) == NULL) {
-+ TEST_error("EVP_KDF_SCRYPT");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_PASS");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "NaCl", (size_t)4) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_SALT");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_N, (uint64_t)1024) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_SCRYPT_N");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_R, (uint32_t)8) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_SCRYPT_R");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SCRYPT_P, (uint32_t)16) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_SCRYPT_P");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES, (uint64_t)16) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_MAXMEM_BYTES");
-+ goto err;
-+ }
-+ if (EVP_KDF_derive(kctx, out, sizeof(out)) > 0) {
-+ TEST_error("EVP_KDF_derive should have failed");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MAXMEM_BYTES,
-+ (uint64_t)(10 * 1024 * 1024)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_MAXMEM_BYTES");
-+ goto err;
-+ }
-+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+ TEST_error("EVP_KDF_derive");
-+ goto err;
-+ }
-+
-+ {
-+ const unsigned char expected[sizeof(out)] = {
-+ 0xfd, 0xba, 0xbe, 0x1c, 0x9d, 0x34, 0x72, 0x00,
-+ 0x78, 0x56, 0xe7, 0x19, 0x0d, 0x01, 0xe9, 0xfe,
-+ 0x7c, 0x6a, 0xd7, 0xcb, 0xc8, 0x23, 0x78, 0x30,
-+ 0xe7, 0x73, 0x76, 0x63, 0x4b, 0x37, 0x31, 0x62,
-+ 0x2e, 0xaf, 0x30, 0xd9, 0x2e, 0x22, 0xa3, 0x88,
-+ 0x6f, 0xf1, 0x09, 0x27, 0x9d, 0x98, 0x30, 0xda,
-+ 0xc7, 0x27, 0xaf, 0xb9, 0x4a, 0x83, 0xee, 0x6d,
-+ 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40
-+ };
-+ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
-+ goto err;
-+ }
-+ }
-+ ret = 1;
-+err:
-+ EVP_KDF_CTX_free(kctx);
-+ return ret;
-+}
-+#endif
-+
-+int setup_tests(void)
-+{
-+ ADD_TEST(test_kdf_tls1_prf);
-+ ADD_TEST(test_kdf_hkdf);
-+ ADD_TEST(test_kdf_pbkdf2);
-+#ifndef OPENSSL_NO_SCRYPT
-+ ADD_TEST(test_kdf_scrypt);
-+#endif
-+ return 1;
-+}
-diff -up openssl-1.1.1j/test/evp_test.c.evp-kdf openssl-1.1.1j/test/evp_test.c
---- openssl-1.1.1j/test/evp_test.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/test/evp_test.c 2021-03-03 14:08:02.494294874 +0100
-@@ -1705,13 +1705,14 @@ static const EVP_TEST_METHOD encode_test
- encode_test_run,
- };
-
-+
- /**
- *** KDF TESTS
- **/
-
- typedef struct kdf_data_st {
- /* Context for this operation */
-- EVP_PKEY_CTX *ctx;
-+ EVP_KDF_CTX *ctx;
- /* Expected output */
- unsigned char *output;
- size_t output_len;
-@@ -1738,16 +1739,11 @@ static int kdf_test_init(EVP_TEST *t, co
-
- if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata))))
- return 0;
-- kdata->ctx = EVP_PKEY_CTX_new_id(kdf_nid, NULL);
-+ kdata->ctx = EVP_KDF_CTX_new_id(kdf_nid);
- if (kdata->ctx == NULL) {
- OPENSSL_free(kdata);
- return 0;
- }
-- if (EVP_PKEY_derive_init(kdata->ctx) <= 0) {
-- EVP_PKEY_CTX_free(kdata->ctx);
-- OPENSSL_free(kdata);
-- return 0;
-- }
- t->data = kdata;
- return 1;
- }
-@@ -1756,7 +1752,42 @@ static void kdf_test_cleanup(EVP_TEST *t
- {
- KDF_DATA *kdata = t->data;
- OPENSSL_free(kdata->output);
-- EVP_PKEY_CTX_free(kdata->ctx);
-+ EVP_KDF_CTX_free(kdata->ctx);
-+}
-+
-+static int kdf_test_ctrl(EVP_TEST *t, EVP_KDF_CTX *kctx,
-+ const char *value)
-+{
-+ int rv;
-+ char *p, *tmpval;
-+
-+ if (!TEST_ptr(tmpval = OPENSSL_strdup(value)))
-+ return 0;
-+ p = strchr(tmpval, ':');
-+ if (p != NULL)
-+ *p++ = '\0';
-+ rv = EVP_KDF_ctrl_str(kctx, tmpval, p);
-+ if (rv == -2) {
-+ t->err = "KDF_CTRL_INVALID";
-+ rv = 1;
-+ } else if (p != NULL && rv <= 0) {
-+ /* If p has an OID and lookup fails assume disabled algorithm */
-+ int nid = OBJ_sn2nid(p);
-+
-+ if (nid == NID_undef)
-+ nid = OBJ_ln2nid(p);
-+ if (nid != NID_undef
-+ && EVP_get_digestbynid(nid) == NULL
-+ && EVP_get_cipherbynid(nid) == NULL) {
-+ t->skip = 1;
-+ rv = 1;
-+ } else {
-+ t->err = "KDF_CTRL_ERROR";
-+ rv = 1;
-+ }
-+ }
-+ OPENSSL_free(tmpval);
-+ return rv > 0;
- }
-
- static int kdf_test_parse(EVP_TEST *t,
-@@ -1767,7 +1798,7 @@ static int kdf_test_parse(EVP_TEST *t,
- if (strcmp(keyword, "Output") == 0)
- return parse_bin(value, &kdata->output, &kdata->output_len);
- if (strncmp(keyword, "Ctrl", 4) == 0)
-- return pkey_test_ctrl(t, kdata->ctx, value);
-+ return kdf_test_ctrl(t, kdata->ctx, value);
- return 0;
- }
-
-@@ -1781,7 +1812,7 @@ static int kdf_test_run(EVP_TEST *t)
- t->err = "INTERNAL_ERROR";
- goto err;
- }
-- if (EVP_PKEY_derive(expected->ctx, got, &got_len) <= 0) {
-+ if (EVP_KDF_derive(expected->ctx, got, got_len) <= 0) {
- t->err = "KDF_DERIVE_ERROR";
- goto err;
- }
-@@ -1807,6 +1838,106 @@ static const EVP_TEST_METHOD kdf_test_me
-
-
- /**
-+*** PKEY KDF TESTS
-+**/
-+
-+typedef struct pkey_kdf_data_st {
-+ /* Context for this operation */
-+ EVP_PKEY_CTX *ctx;
-+ /* Expected output */
-+ unsigned char *output;
-+ size_t output_len;
-+} PKEY_KDF_DATA;
-+
-+/*
-+ * Perform public key operation setup: lookup key, allocated ctx and call
-+ * the appropriate initialisation function
-+ */
-+static int pkey_kdf_test_init(EVP_TEST *t, const char *name)
-+{
-+ PKEY_KDF_DATA *kdata;
-+ int kdf_nid = OBJ_sn2nid(name);
-+
-+#ifdef OPENSSL_NO_SCRYPT
-+ if (strcmp(name, "scrypt") == 0) {
-+ t->skip = 1;
-+ return 1;
-+ }
-+#endif
-+
-+ if (kdf_nid == NID_undef)
-+ kdf_nid = OBJ_ln2nid(name);
-+
-+ if (!TEST_ptr(kdata = OPENSSL_zalloc(sizeof(*kdata))))
-+ return 0;
-+ kdata->ctx = EVP_PKEY_CTX_new_id(kdf_nid, NULL);
-+ if (kdata->ctx == NULL) {
-+ OPENSSL_free(kdata);
-+ return 0;
-+ }
-+ if (EVP_PKEY_derive_init(kdata->ctx) <= 0) {
-+ EVP_PKEY_CTX_free(kdata->ctx);
-+ OPENSSL_free(kdata);
-+ return 0;
-+ }
-+ t->data = kdata;
-+ return 1;
-+}
-+
-+static void pkey_kdf_test_cleanup(EVP_TEST *t)
-+{
-+ PKEY_KDF_DATA *kdata = t->data;
-+ OPENSSL_free(kdata->output);
-+ EVP_PKEY_CTX_free(kdata->ctx);
-+}
-+
-+static int pkey_kdf_test_parse(EVP_TEST *t,
-+ const char *keyword, const char *value)
-+{
-+ PKEY_KDF_DATA *kdata = t->data;
-+
-+ if (strcmp(keyword, "Output") == 0)
-+ return parse_bin(value, &kdata->output, &kdata->output_len);
-+ if (strncmp(keyword, "Ctrl", 4) == 0)
-+ return pkey_test_ctrl(t, kdata->ctx, value);
-+ return 0;
-+}
-+
-+static int pkey_kdf_test_run(EVP_TEST *t)
-+{
-+ PKEY_KDF_DATA *expected = t->data;
-+ unsigned char *got = NULL;
-+ size_t got_len = expected->output_len;
-+
-+ if (!TEST_ptr(got = OPENSSL_malloc(got_len))) {
-+ t->err = "INTERNAL_ERROR";
-+ goto err;
-+ }
-+ if (EVP_PKEY_derive(expected->ctx, got, &got_len) <= 0) {
-+ t->err = "KDF_DERIVE_ERROR";
-+ goto err;
-+ }
-+ if (!TEST_mem_eq(expected->output, expected->output_len, got, got_len)) {
-+ t->err = "KDF_MISMATCH";
-+ goto err;
-+ }
-+ t->err = NULL;
-+
-+ err:
-+ OPENSSL_free(got);
-+ return 1;
-+}
-+
-+static const EVP_TEST_METHOD pkey_kdf_test_method = {
-+ "PKEYKDF",
-+ pkey_kdf_test_init,
-+ pkey_kdf_test_cleanup,
-+ pkey_kdf_test_parse,
-+ pkey_kdf_test_run
-+};
-+
-+
-+/**
- *** KEYPAIR TESTS
- **/
-
-@@ -2310,6 +2441,7 @@ static const EVP_TEST_METHOD *evp_test_l
- &digestverify_test_method,
- &encode_test_method,
- &kdf_test_method,
-+ &pkey_kdf_test_method,
- &keypair_test_method,
- &keygen_test_method,
- &mac_test_method,
-diff -up openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf openssl-1.1.1j/test/pkey_meth_kdf_test.c
---- openssl-1.1.1j/test/pkey_meth_kdf_test.c.evp-kdf 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/test/pkey_meth_kdf_test.c 2021-03-03 14:08:02.494294874 +0100
-@@ -1,5 +1,5 @@
- /*
-- * Copyright 2017-2018 The OpenSSL Project Authors. All Rights Reserved.
-+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved.
- *
- * Licensed under the OpenSSL license (the "License"). You may not use
- * this file except in compliance with the License. You can obtain a copy
-@@ -18,30 +18,34 @@
-
- static int test_kdf_tls1_prf(void)
- {
-+ int ret = 0;
- EVP_PKEY_CTX *pctx;
- unsigned char out[16];
- size_t outlen = sizeof(out);
-- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL);
-
-+ if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_TLS1_PRF, NULL)) == NULL) {
-+ TEST_error("EVP_PKEY_TLS1_PRF");
-+ goto err;
-+ }
- if (EVP_PKEY_derive_init(pctx) <= 0) {
- TEST_error("EVP_PKEY_derive_init");
-- return 0;
-+ goto err;
- }
- if (EVP_PKEY_CTX_set_tls1_prf_md(pctx, EVP_sha256()) <= 0) {
- TEST_error("EVP_PKEY_CTX_set_tls1_prf_md");
-- return 0;
-+ goto err;
- }
- if (EVP_PKEY_CTX_set1_tls1_prf_secret(pctx, "secret", 6) <= 0) {
- TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret");
-- return 0;
-+ goto err;
- }
- if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, "seed", 4) <= 0) {
- TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed");
-- return 0;
-+ goto err;
- }
- if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) {
- TEST_error("EVP_PKEY_derive");
-- return 0;
-+ goto err;
- }
-
- {
-@@ -50,43 +54,49 @@ static int test_kdf_tls1_prf(void)
- 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc
- };
- if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) {
-- return 0;
-+ goto err;
- }
- }
-+ ret = 1;
-+err:
- EVP_PKEY_CTX_free(pctx);
-- return 1;
-+ return ret;
- }
-
- static int test_kdf_hkdf(void)
- {
-+ int ret = 0;
- EVP_PKEY_CTX *pctx;
- unsigned char out[10];
- size_t outlen = sizeof(out);
-- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL);
-
-+ if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_HKDF, NULL)) == NULL) {
-+ TEST_error("EVP_PKEY_HKDF");
-+ goto err;
-+ }
- if (EVP_PKEY_derive_init(pctx) <= 0) {
- TEST_error("EVP_PKEY_derive_init");
-- return 0;
-+ goto err;
- }
- if (EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()) <= 0) {
- TEST_error("EVP_PKEY_CTX_set_hkdf_md");
-- return 0;
-+ goto err;
- }
- if (EVP_PKEY_CTX_set1_hkdf_salt(pctx, "salt", 4) <= 0) {
- TEST_error("EVP_PKEY_CTX_set1_hkdf_salt");
-- return 0;
-+ goto err;
- }
- if
(EVP_PKEY_CTX_set1_hkdf_key(pctx, "secret", 6) <= 0) { - TEST_error("EVP_PKEY_CTX_set1_hkdf_key"); -- return 0; -+ goto err; - } - if (EVP_PKEY_CTX_add1_hkdf_info(pctx, "label", 5) <= 0) { - TEST_error("EVP_PKEY_CTX_set1_hkdf_info"); -- return 0; -+ goto err; - } - if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { - TEST_error("EVP_PKEY_derive"); -- return 0; -+ goto err; - } - - { -@@ -94,60 +104,66 @@ static int test_kdf_hkdf(void) - 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13 - }; - if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) { -- return 0; -+ goto err; - } - } -+ ret = 1; -+err: - EVP_PKEY_CTX_free(pctx); -- return 1; -+ return ret; - } - - #ifndef OPENSSL_NO_SCRYPT - static int test_kdf_scrypt(void) - { -+ int ret = 0; - EVP_PKEY_CTX *pctx; - unsigned char out[64]; - size_t outlen = sizeof(out); -- pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL); - -+ if ((pctx = EVP_PKEY_CTX_new_id(EVP_PKEY_SCRYPT, NULL)) == NULL) { -+ TEST_error("EVP_PKEY_SCRYPT"); -+ goto err; -+ } - if (EVP_PKEY_derive_init(pctx) <= 0) { - TEST_error("EVP_PKEY_derive_init"); -- return 0; -+ goto err; - } - if (EVP_PKEY_CTX_set1_pbe_pass(pctx, "password", 8) <= 0) { - TEST_error("EVP_PKEY_CTX_set1_pbe_pass"); -- return 0; -+ goto err; - } - if (EVP_PKEY_CTX_set1_scrypt_salt(pctx, "NaCl", 4) <= 0) { - TEST_error("EVP_PKEY_CTX_set1_scrypt_salt"); -- return 0; -+ goto err; - } - if (EVP_PKEY_CTX_set_scrypt_N(pctx, 1024) <= 0) { - TEST_error("EVP_PKEY_CTX_set_scrypt_N"); -- return 0; -+ goto err; - } - if (EVP_PKEY_CTX_set_scrypt_r(pctx, 8) <= 0) { - TEST_error("EVP_PKEY_CTX_set_scrypt_r"); -- return 0; -+ goto err; - } - if (EVP_PKEY_CTX_set_scrypt_p(pctx, 16) <= 0) { - TEST_error("EVP_PKEY_CTX_set_scrypt_p"); -- return 0; -+ goto err; - } - if (EVP_PKEY_CTX_set_scrypt_maxmem_bytes(pctx, 16) <= 0) { - TEST_error("EVP_PKEY_CTX_set_maxmem_bytes"); -- return 0; -+ goto err; - } - if (EVP_PKEY_derive(pctx, out, &outlen) > 0) { - TEST_error("EVP_PKEY_derive should 
have failed"); -- return 0; -+ goto err; - } - if (EVP_PKEY_CTX_set_scrypt_maxmem_bytes(pctx, 10 * 1024 * 1024) <= 0) { - TEST_error("EVP_PKEY_CTX_set_maxmem_bytes"); -- return 0; -+ goto err; - } - if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { - TEST_error("EVP_PKEY_derive"); -- return 0; -+ goto err; - } - - { -@@ -162,11 +178,13 @@ static int test_kdf_scrypt(void) - 0x83, 0x60, 0xcb, 0xdf, 0xa2, 0xcc, 0x06, 0x40 - }; - if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected))) { -- return 0; -+ goto err; - } - } -+ ret = 1; -+err: - EVP_PKEY_CTX_free(pctx); -- return 1; -+ return ret; - } - #endif - -diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt ---- openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpkdf.txt 2021-03-03 14:08:02.494294874 +0100 -@@ -1,5 +1,5 @@ - # --# Copyright 2001-2017 The OpenSSL Project Authors. All Rights Reserved. -+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. - # - # Licensed under the OpenSSL license (the "License"). You may not use - # this file except in compliance with the License. 
You can obtain a copy -@@ -15,7 +15,7 @@ - Title = TLS1 PRF tests (from NIST test vectors) - - KDF=TLS1-PRF --Ctrl.md = md:MD5-SHA1 -+Ctrl.digest = digest:MD5-SHA1 - Ctrl.Secret = hexsecret:bded7fa5c1699c010be23dd06ada3a48349f21e5f86263d512c0c5cc379f0e780ec55d9844b2f1db02a96453513568d0 - Ctrl.label = seed:master secret - Ctrl.client_random = hexseed:e5acaf549cd25c22d964c0d930fa4b5261d2507fad84c33715b7b9a864020693 -@@ -23,7 +23,7 @@ Ctrl.server_random = hexseed:135e4d557fd - Output = 2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62 - - KDF=TLS1-PRF --Ctrl.md = md:MD5-SHA1 -+Ctrl.digest = digest:MD5-SHA1 - Ctrl.Secret = hexsecret:2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62 - Ctrl.label = seed:key expansion - Ctrl.server_random = hexseed:67267e650eb32444119d222a368c191af3082888dc35afe8368e638c828874be -@@ -31,7 +31,7 @@ Ctrl.client_random = hexseed:d58a7b1cd4f - Output = 3088825988e77fce68d19f756e18e43eb7fe672433504feaf99b3c503d9091b164f166db301d70c9fc0870b4a94563907bee1a61fb786cb717576890bcc51cb9ead97e01d0a2fea99c953377b195205ff07b369589178796edc963fd80fdbe518a2fc1c35c18ae8d - - KDF=TLS1-PRF --Ctrl.md = md:SHA256 -+Ctrl.digest = digest:SHA256 - Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc - Ctrl.label = seed:master secret - Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c -@@ -39,7 +39,7 @@ Ctrl.server_random = hexseed:f6c9575ed7d - Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf - - KDF=TLS1-PRF --Ctrl.md = md:SHA256 -+Ctrl.digest = digest:SHA256 - Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf - Ctrl.label = seed:key expansion - Ctrl.server_random = 
hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868 -@@ -48,7 +48,7 @@ Output = d06139889fffac1e3a71865f504aa5d - - # As above but use long name for KDF - KDF=tls1-prf --Ctrl.md = md:SHA256 -+Ctrl.digest = digest:SHA256 - Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf - Ctrl.label = seed:key expansion - Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868 -@@ -64,7 +64,7 @@ Result = KDF_DERIVE_ERROR - - # Missing secret. - KDF=TLS1-PRF --Ctrl.md = md:MD5-SHA1 -+Ctrl.digest = digest:MD5-SHA1 - Ctrl.Seed = hexseed:02 - Output = 03 - Result = KDF_DERIVE_ERROR -@@ -72,7 +72,7 @@ Result = KDF_DERIVE_ERROR - Title = HKDF tests (from RFC5869 test vectors) - - KDF = HKDF --Ctrl.md = md:SHA256 -+Ctrl.digest = digest:SHA256 - Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b - Ctrl.salt = hexsalt:000102030405060708090a0b0c - Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 -@@ -80,20 +80,20 @@ Output = 3cb25f25faacd57a90434f64d0362f2 - - KDF = HKDF - Ctrl.mode = mode:EXTRACT_ONLY --Ctrl.md = md:SHA256 -+Ctrl.digest = digest:SHA256 - Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b - Ctrl.salt = hexsalt:000102030405060708090a0b0c - Output = 077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5 - - KDF = HKDF - Ctrl.mode = mode:EXPAND_ONLY --Ctrl.md = md:SHA256 -+Ctrl.digest = digest:SHA256 - Ctrl.IKM = hexkey:077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5 - Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 - Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865 - - KDF = HKDF --Ctrl.md = md:SHA256 -+Ctrl.digest = digest:SHA256 - Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f - Ctrl.salt = 
hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf - Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff -@@ -101,20 +101,20 @@ Output = b11e398dc80327a1c8e7f78c596a493 - - KDF = HKDF - Ctrl.mode = mode:EXTRACT_ONLY --Ctrl.md = md:SHA256 -+Ctrl.digest = digest:SHA256 - Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f - Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf - Output = 06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244 - - KDF = HKDF - Ctrl.mode = mode:EXPAND_ONLY --Ctrl.md = md:SHA256 -+Ctrl.digest = digest:SHA256 - Ctrl.IKM = hexkey:06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244 - Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff - Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87 - - KDF = HKDF --Ctrl.md = md:SHA256 -+Ctrl.digest = digest:SHA256 - Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b - Ctrl.salt = salt: - Ctrl.info = info: -@@ -122,7 +122,7 @@ Output = 8da4e775a563c18f715f802a063c5a3 - - KDF = HKDF - Ctrl.mode = mode:EXTRACT_ONLY --Ctrl.md = md:SHA256 -+Ctrl.digest = digest:SHA256 - Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b - Ctrl.salt = salt: - Ctrl.info = info: -@@ -130,13 +130,13 @@ Output = 19ef24a32c717b167f33a91d6f648bd 
- - KDF = HKDF - Ctrl.mode = mode:EXPAND_ONLY --Ctrl.md = md:SHA256 -+Ctrl.digest = digest:SHA256 - Ctrl.IKM = hexkey:19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04 - Ctrl.info = info: - Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8 - - KDF = HKDF --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b - Ctrl.salt = hexsalt:000102030405060708090a0b0c - Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 -@@ -144,20 +144,20 @@ Output = 085a01ea1b10f36933068b56efa5ad8 - - KDF = HKDF - Ctrl.mode = mode:EXTRACT_ONLY --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b - Ctrl.salt = hexsalt:000102030405060708090a0b0c - Output = 9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243 - - KDF = HKDF - Ctrl.mode = mode:EXPAND_ONLY --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = hexkey:9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243 - Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 - Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896 - - KDF = HKDF --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f - Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf - Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff -@@ -165,20 +165,20 @@ Output = 0bd770a74d1160f7c9f12cd5912a06e - - KDF = HKDF - Ctrl.mode = mode:EXTRACT_ONLY --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = 
hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f - Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf - Output = 8adae09a2a307059478d309b26c4115a224cfaf6 - - KDF = HKDF - Ctrl.mode = mode:EXPAND_ONLY --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = hexkey:8adae09a2a307059478d309b26c4115a224cfaf6 - Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff - Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4 - - KDF = HKDF --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b - Ctrl.salt = salt: - Ctrl.info = info: -@@ -186,20 +186,20 @@ Output = 0ac1af7002b3d761d1e55298da9d050 - - KDF = HKDF - Ctrl.mode = mode:EXTRACT_ONLY --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b - Ctrl.salt = salt: - Output = da8c8a73c7fa77288ec6f5e7c297786aa0d32d01 - - KDF = HKDF - Ctrl.mode = mode:EXPAND_ONLY --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = hexkey:da8c8a73c7fa77288ec6f5e7c297786aa0d32d01 - Ctrl.info = info: - Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918 - - KDF = HKDF --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c - Ctrl.salt = salt: - Ctrl.info = info: -@@ -207,14 +207,14 @@ Output = 2c91117204d745f3500d636a62f64f0 - - KDF = HKDF - Ctrl.mode = mode:EXTRACT_ONLY --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = 
hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c - Ctrl.salt = salt: - Output = 2adccada18779e7c2077ad2eb19d3f3e731385dd - - KDF = HKDF - Ctrl.mode = mode:EXPAND_ONLY --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = hexkey:2adccada18779e7c2077ad2eb19d3f3e731385dd - Ctrl.info = info: - Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 -@@ -227,27 +227,27 @@ Output = 00 - Result = KDF_DERIVE_ERROR - - KDF = HKDF --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.salt = salt: - Ctrl.info = info: - Output = 00 - Result = KDF_DERIVE_ERROR - - KDF = HKDF --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c - Ctrl.info = info: - Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 - - KDF = HKDF --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c - Ctrl.salt = salt: - Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 - - KDF = HKDF - Ctrl.mode = mode:EXTRACT_AND_EXPAND --Ctrl.md = md:SHA1 -+Ctrl.digest = digest:SHA1 - Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c - Ctrl.salt = salt: - Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 -@@ -303,3 +303,133 @@ Ctrl.r = r:8 - Ctrl.p = p:1 - Result = INTERNAL_ERROR - -+Title = PBKDF2 tests -+ -+KDF = PBKDF2 -+Ctrl.pass = pass:password -+Ctrl.salt = salt:salt -+Ctrl.iter = iter:1 -+Ctrl.digest = digest:sha1 -+Output = 0c60c80f961f0e71f3a9b524af6012062fe037a6 -+ -+KDF = PBKDF2 -+Ctrl.pass = pass:password -+Ctrl.salt = salt:salt -+Ctrl.iter = iter:1 -+Ctrl.digest = digest:sha256 -+Output = 120fb6cffcf8b32c43e7225256c4f837a86548c92ccc35480805987cb70be17b -+ -+KDF = PBKDF2 -+Ctrl.pass = pass:password -+Ctrl.salt = salt:salt -+Ctrl.iter = iter:1 -+Ctrl.digest = digest:sha512 -+Output = 
867f70cf1ade02cff3752599a3a53dc4af34c7a669815ae5d513554e1c8cf252c02d470a285a0501bad999bfe943c08f050235d7d68b1da55e63f73b60a57fce -+ -+KDF = PBKDF2 -+Ctrl.pass = pass:password -+Ctrl.salt = salt:salt -+Ctrl.iter = iter:2 -+Ctrl.digest = digest:sha1 -+Output = ea6c014dc72d6f8ccd1ed92ace1d41f0d8de8957 -+ -+KDF = PBKDF2 -+Ctrl.pass = pass:password -+Ctrl.salt = salt:salt -+Ctrl.iter = iter:2 -+Ctrl.digest = digest:sha256 -+Output = ae4d0c95af6b46d32d0adff928f06dd02a303f8ef3c251dfd6e2d85a95474c43 -+ -+KDF = PBKDF2 -+Ctrl.pass = pass:password -+Ctrl.salt = salt:salt -+Ctrl.iter = iter:2 -+Ctrl.digest = digest:sha512 -+Output = e1d9c16aa681708a45f5c7c4e215ceb66e011a2e9f0040713f18aefdb866d53cf76cab2868a39b9f7840edce4fef5a82be67335c77a6068e04112754f27ccf4e -+ -+KDF = PBKDF2 -+Ctrl.pass = pass:password -+Ctrl.salt = salt:salt -+Ctrl.iter = iter:4096 -+Ctrl.digest = digest:sha1 -+Output = 4b007901b765489abead49d926f721d065a429c1 -+ -+KDF = PBKDF2 -+Ctrl.pass = pass:password -+Ctrl.salt = salt:salt -+Ctrl.iter = iter:4096 -+Ctrl.digest = digest:sha256 -+Output = c5e478d59288c841aa530db6845c4c8d962893a001ce4e11a4963873aa98134a -+ -+KDF = PBKDF2 -+Ctrl.pass = pass:password -+Ctrl.salt = salt:salt -+Ctrl.iter = iter:4096 -+Ctrl.digest = digest:sha512 -+Output = d197b1b33db0143e018b12f3d1d1479e6cdebdcc97c5c0f87f6902e072f457b5143f30602641b3d55cd335988cb36b84376060ecd532e039b742a239434af2d5 -+ -+KDF = PBKDF2 -+Ctrl.pass = pass:passwordPASSWORDpassword -+Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt -+Ctrl.iter = iter:4096 -+Ctrl.digest = digest:sha1 -+Output = 3d2eec4fe41c849b80c8d83662c0e44a8b291a964cf2f07038 -+ -+KDF = PBKDF2 -+Ctrl.pass = pass:passwordPASSWORDpassword -+Ctrl.salt = salt:saltSALTsaltSALTsaltSALTsaltSALTsalt -+Ctrl.iter = iter:4096 -+Ctrl.digest = digest:sha256 -+Output = 348c89dbcbd32b2f32d814b8116e84cf2b17347ebc1800181c4e2a1fb8dd53e1c635518c7dac47e9 -+ -+KDF = PBKDF2 -+Ctrl.pass = pass:passwordPASSWORDpassword -+Ctrl.salt = 
salt:saltSALTsaltSALTsaltSALTsaltSALTsalt -+Ctrl.iter = iter:4096 -+Ctrl.digest = digest:sha512 -+Output = 8c0511f4c6e597c6ac6315d8f0362e225f3c501495ba23b868c005174dc4ee71115b59f9e60cd9532fa33e0f75aefe30225c583a186cd82bd4daea9724a3d3b8 -+ -+KDF = PBKDF2 -+Ctrl.hexpass = hexpass:7061737300776f7264 -+Ctrl.hexsalt = hexsalt:7361006c74 -+Ctrl.iter = iter:4096 -+Ctrl.digest = digest:sha1 -+Output = 56fa6aa75548099dcc37d7f03425e0c3 -+ -+KDF = PBKDF2 -+Ctrl.hexpass = hexpass:7061737300776f7264 -+Ctrl.hexsalt = hexsalt:7361006c74 -+Ctrl.iter = iter:4096 -+Ctrl.digest = digest:sha256 -+Output = 89b69d0516f829893c696226650a8687 -+ -+KDF = PBKDF2 -+Ctrl.hexpass = hexpass:7061737300776f7264 -+Ctrl.hexsalt = hexsalt:7361006c74 -+Ctrl.iter = iter:4096 -+Ctrl.digest = digest:sha512 -+Output = 9d9e9c4cd21fe4be24d5b8244c759665 -+ -+Title = PBKDF2 tests for empty inputs -+ -+KDF = PBKDF2 -+Ctrl.pass = pass: -+Ctrl.salt = salt:salt -+Ctrl.iter = iter:1 -+Ctrl.digest = digest:sha1 -+Output = a33dddc30478185515311f8752895d36ea4363a2 -+ -+KDF = PBKDF2 -+Ctrl.pass = pass: -+Ctrl.salt = salt:salt -+Ctrl.iter = iter:1 -+Ctrl.digest = digest:sha256 -+Output = f135c27993baf98773c5cdb40a5706ce6a345cde -+ -+KDF = PBKDF2 -+Ctrl.pass = pass: -+Ctrl.salt = salt:salt -+Ctrl.iter = iter:1 -+Ctrl.digest = digest:sha512 -+Output = 00ef42cdbfc98d29db20976608e455567fdddf14 -+ -diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt ---- openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt.evp-kdf 2021-03-03 14:08:02.494294874 +0100 -+++ openssl-1.1.1j/test/recipes/30-test_evp_data/evppkey_kdf.txt 2021-03-03 14:08:02.494294874 +0100 -@@ -0,0 +1,305 @@ -+# -+# Copyright 2001-2018 The OpenSSL Project Authors. All Rights Reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. 
You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+# Tests start with one of these keywords -+# Cipher Decrypt Derive Digest Encoding KDF PKEYKDF MAC PBE -+# PrivPubKeyPair Sign Verify VerifyRecover -+# and continue until a blank line. Lines starting with a pound sign, -+# like this prolog, are ignored. -+ -+Title = TLS1 PRF tests (from NIST test vectors) -+ -+PKEYKDF=TLS1-PRF -+Ctrl.md = md:MD5-SHA1 -+Ctrl.Secret = hexsecret:bded7fa5c1699c010be23dd06ada3a48349f21e5f86263d512c0c5cc379f0e780ec55d9844b2f1db02a96453513568d0 -+Ctrl.label = seed:master secret -+Ctrl.client_random = hexseed:e5acaf549cd25c22d964c0d930fa4b5261d2507fad84c33715b7b9a864020693 -+Ctrl.server_random = hexseed:135e4d557fdf3aa6406d82975d5c606a9734c9334b42136e96990fbd5358cdb2 -+Output = 2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62 -+ -+PKEYKDF=TLS1-PRF -+Ctrl.md = md:MD5-SHA1 -+Ctrl.Secret = hexsecret:2f6962dfbc744c4b2138bb6b3d33054c5ecc14f24851d9896395a44ab3964efc2090c5bf51a0891209f46c1e1e998f62 -+Ctrl.label = seed:key expansion -+Ctrl.server_random = hexseed:67267e650eb32444119d222a368c191af3082888dc35afe8368e638c828874be -+Ctrl.client_random = hexseed:d58a7b1cd4fedaa232159df652ce188f9d997e061b9bf48e83b62990440931f6 -+Output = 3088825988e77fce68d19f756e18e43eb7fe672433504feaf99b3c503d9091b164f166db301d70c9fc0870b4a94563907bee1a61fb786cb717576890bcc51cb9ead97e01d0a2fea99c953377b195205ff07b369589178796edc963fd80fdbe518a2fc1c35c18ae8d -+ -+PKEYKDF=TLS1-PRF -+Ctrl.md = md:SHA256 -+Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc -+Ctrl.label = seed:master secret -+Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c -+Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce -+Output = 
202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf -+ -+PKEYKDF=TLS1-PRF -+Ctrl.md = md:SHA256 -+Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf -+Ctrl.label = seed:key expansion -+Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868 -+Ctrl.client_random = hexseed:62e1fd91f23f558a605f28478c58cf72637b89784d959df7e946d3f07bd1b616 -+Output = d06139889fffac1e3a71865f504aa5d0d2a2e89506c6f2279b670c3e1b74f531016a2530c51a3a0f7e1d6590d0f0566b2f387f8d11fd4f731cdd572d2eae927f6f2f81410b25e6960be68985add6c38445ad9f8c64bf8068bf9a6679485d966f1ad6f68b43495b10a683755ea2b858d70ccac7ec8b053c6bd41ca299d4e51928 -+ -+# As above but use long name for KDF -+PKEYKDF=tls1-prf -+Ctrl.md = md:SHA256 -+Ctrl.Secret = hexsecret:202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf -+Ctrl.label = seed:key expansion -+Ctrl.server_random = hexseed:ae6c806f8ad4d80784549dff28a4b58fd837681a51d928c3e30ee5ff14f39868 -+Ctrl.client_random = hexseed:62e1fd91f23f558a605f28478c58cf72637b89784d959df7e946d3f07bd1b616 -+Output = d06139889fffac1e3a71865f504aa5d0d2a2e89506c6f2279b670c3e1b74f531016a2530c51a3a0f7e1d6590d0f0566b2f387f8d11fd4f731cdd572d2eae927f6f2f81410b25e6960be68985add6c38445ad9f8c64bf8068bf9a6679485d966f1ad6f68b43495b10a683755ea2b858d70ccac7ec8b053c6bd41ca299d4e51928 -+ -+# Missing digest. -+PKEYKDF=TLS1-PRF -+Ctrl.Secret = hexsecret:01 -+Ctrl.Seed = hexseed:02 -+Output = 03 -+Result = KDF_DERIVE_ERROR -+ -+# Missing secret. 
-+PKEYKDF=TLS1-PRF -+Ctrl.md = md:MD5-SHA1 -+Ctrl.Seed = hexseed:02 -+Output = 03 -+Result = KDF_DERIVE_ERROR -+ -+Title = HKDF tests (from RFC5869 test vectors) -+ -+PKEYKDF = HKDF -+Ctrl.md = md:SHA256 -+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b -+Ctrl.salt = hexsalt:000102030405060708090a0b0c -+Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 -+Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865 -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXTRACT_ONLY -+Ctrl.md = md:SHA256 -+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b -+Ctrl.salt = hexsalt:000102030405060708090a0b0c -+Output = 077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5 -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXPAND_ONLY -+Ctrl.md = md:SHA256 -+Ctrl.IKM = hexkey:077709362c2e32df0ddc3f0dc47bba6390b6c73bb50f9c3122ec844ad7c2b3e5 -+Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 -+Output = 3cb25f25faacd57a90434f64d0362f2a2d2d0a90cf1a5a4c5db02d56ecc4c5bf34007208d5b887185865 -+ -+PKEYKDF = HKDF -+Ctrl.md = md:SHA256 -+Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f -+Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf -+Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff -+Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87 -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXTRACT_ONLY -+Ctrl.md = md:SHA256 -+Ctrl.IKM = 
hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f -+Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf -+Output = 06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244 -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXPAND_ONLY -+Ctrl.md = md:SHA256 -+Ctrl.IKM = hexkey:06a6b88c5853361a06104c9ceb35b45cef760014904671014a193f40c15fc244 -+Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff -+Output = b11e398dc80327a1c8e7f78c596a49344f012eda2d4efad8a050cc4c19afa97c59045a99cac7827271cb41c65e590e09da3275600c2f09b8367793a9aca3db71cc30c58179ec3e87c14c01d5c1f3434f1d87 -+ -+PKEYKDF = HKDF -+Ctrl.md = md:SHA256 -+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b -+Ctrl.salt = salt: -+Ctrl.info = info: -+Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8 -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXTRACT_ONLY -+Ctrl.md = md:SHA256 -+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b -+Ctrl.salt = salt: -+Ctrl.info = info: -+Output = 19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04 -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXPAND_ONLY -+Ctrl.md = md:SHA256 -+Ctrl.IKM = hexkey:19ef24a32c717b167f33a91d6f648bdf96596776afdb6377ac434c1c293ccb04 -+Ctrl.info = info: -+Output = 8da4e775a563c18f715f802a063c5a31b8a11f5c5ee1879ec3454e5f3c738d2d9d201395faa4b61a96c8 -+ -+PKEYKDF = HKDF -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b -+Ctrl.salt = hexsalt:000102030405060708090a0b0c -+Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 -+Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896 -+ -+PKEYKDF 
= HKDF -+Ctrl.mode = mode:EXTRACT_ONLY -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b -+Ctrl.salt = hexsalt:000102030405060708090a0b0c -+Output = 9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243 -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXPAND_ONLY -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:9b6c18c432a7bf8f0e71c8eb88f4b30baa2ba243 -+Ctrl.info = hexinfo:f0f1f2f3f4f5f6f7f8f9 -+Output = 085a01ea1b10f36933068b56efa5ad81a4f14b822f5b091568a9cdd4f155fda2c22e422478d305f3f896 -+ -+PKEYKDF = HKDF -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f -+Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf -+Ctrl.info = hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff -+Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4 -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXTRACT_ONLY -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f202122232425262728292a2b2c2d2e2f303132333435363738393a3b3c3d3e3f404142434445464748494a4b4c4d4e4f -+Ctrl.salt = hexsalt:606162636465666768696a6b6c6d6e6f707172737475767778797a7b7c7d7e7f808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9fa0a1a2a3a4a5a6a7a8a9aaabacadaeaf -+Output = 8adae09a2a307059478d309b26c4115a224cfaf6 -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXPAND_ONLY -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:8adae09a2a307059478d309b26c4115a224cfaf6 -+Ctrl.info = 
hexinfo:b0b1b2b3b4b5b6b7b8b9babbbcbdbebfc0c1c2c3c4c5c6c7c8c9cacbcccdcecfd0d1d2d3d4d5d6d7d8d9dadbdcdddedfe0e1e2e3e4e5e6e7e8e9eaebecedeeeff0f1f2f3f4f5f6f7f8f9fafbfcfdfeff -+Output = 0bd770a74d1160f7c9f12cd5912a06ebff6adcae899d92191fe4305673ba2ffe8fa3f1a4e5ad79f3f334b3b202b2173c486ea37ce3d397ed034c7f9dfeb15c5e927336d0441f4c4300e2cff0d0900b52d3b4 -+ -+PKEYKDF = HKDF -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b -+Ctrl.salt = salt: -+Ctrl.info = info: -+Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918 -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXTRACT_ONLY -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b -+Ctrl.salt = salt: -+Output = da8c8a73c7fa77288ec6f5e7c297786aa0d32d01 -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXPAND_ONLY -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:da8c8a73c7fa77288ec6f5e7c297786aa0d32d01 -+Ctrl.info = info: -+Output = 0ac1af7002b3d761d1e55298da9d0506b9ae52057220a306e07b6b87e8df21d0ea00033de03984d34918 -+ -+PKEYKDF = HKDF -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c -+Ctrl.salt = salt: -+Ctrl.info = info: -+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXTRACT_ONLY -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c -+Ctrl.salt = salt: -+Output = 2adccada18779e7c2077ad2eb19d3f3e731385dd -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXPAND_ONLY -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:2adccada18779e7c2077ad2eb19d3f3e731385dd -+Ctrl.info = info: -+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 -+ -+PKEYKDF = HKDF -+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c -+Ctrl.salt = salt: -+Ctrl.info = info: -+Output = 00 -+Result = KDF_DERIVE_ERROR -+ -+PKEYKDF = HKDF -+Ctrl.md = md:SHA1 -+Ctrl.salt = salt: -+Ctrl.info = info: -+Output = 
00 -+Result = KDF_DERIVE_ERROR -+ -+PKEYKDF = HKDF -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c -+Ctrl.info = info: -+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 -+ -+PKEYKDF = HKDF -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c -+Ctrl.salt = salt: -+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 -+ -+PKEYKDF = HKDF -+Ctrl.mode = mode:EXTRACT_AND_EXPAND -+Ctrl.md = md:SHA1 -+Ctrl.IKM = hexkey:0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c0c -+Ctrl.salt = salt: -+Output = 2c91117204d745f3500d636a62f64f0ab3bae548aa53d423b0d1f27ebba6f5e5673a081d70cce7acfc48 -+ -+Title = id-scrypt tests (from draft-josefsson-id-scrypt-kdf-03 and others) -+ -+PKEYKDF = scrypt -+Ctrl.pass = pass: -+Ctrl.salt = salt: -+Ctrl.N = N:16 -+Ctrl.r = r:1 -+Ctrl.p = p:1 -+Output = 77d6576238657b203b19ca42c18a0497f16b4844e3074ae8dfdffa3fede21442fcd0069ded0948f8326a753a0fc81f17e8d3e0fb2e0d3628cf35e20c38d18906 -+ -+PKEYKDF = scrypt -+Ctrl.pass = pass:password -+Ctrl.salt = salt:NaCl -+Ctrl.N = N:1024 -+Ctrl.r = r:8 -+Ctrl.p = p:16 -+Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640 -+ -+PKEYKDF = scrypt -+Ctrl.hexpass = hexpass:70617373776f7264 -+Ctrl.salt = salt:NaCl -+Ctrl.N = N:1024 -+Ctrl.r = r:8 -+Ctrl.p = p:16 -+Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640 -+ -+PKEYKDF = scrypt -+Ctrl.pass = pass:password -+Ctrl.hexsalt = hexsalt:4e61436c -+Ctrl.N = N:1024 -+Ctrl.r = r:8 -+Ctrl.p = p:16 -+Output = fdbabe1c9d3472007856e7190d01e9fe7c6ad7cbc8237830e77376634b3731622eaf30d92e22a3886ff109279d9830dac727afb94a83ee6d8360cbdfa2cc0640 -+ -+PKEYKDF = scrypt -+Ctrl.pass = pass:pleaseletmein -+Ctrl.salt = salt:SodiumChloride -+Ctrl.N = N:16384 -+Ctrl.r = r:8 
-+Ctrl.p = p:1 -+Output = 7023bdcb3afd7348461c06cd81fd38ebfda8fbba904f8e3ea9b543f6545da1f2d5432955613f0fcf62d49705242a9af9e61e85dc0d651e40dfcf017b45575887 -+ -+# Out of memory -+PKEYKDF = scrypt -+Ctrl.pass = pass:pleaseletmein -+Ctrl.salt = salt:SodiumChloride -+Ctrl.N = N:1048576 -+Ctrl.r = r:8 -+Ctrl.p = p:1 -+Result = INTERNAL_ERROR -+ -diff -up openssl-1.1.1j/test/recipes/30-test_evp_kdf.t.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp_kdf.t ---- openssl-1.1.1j/test/recipes/30-test_evp_kdf.t.evp-kdf 2021-03-03 14:08:02.494294874 +0100 -+++ openssl-1.1.1j/test/recipes/30-test_evp_kdf.t 2021-03-03 14:08:02.494294874 +0100 -@@ -0,0 +1,13 @@ -+#! /usr/bin/env perl -+# Copyright 2018 The OpenSSL Project Authors. All Rights Reserved. -+# Copyright (c) 2018, Oracle and/or its affiliates. All rights reserved. -+# -+# Licensed under the Apache License 2.0 (the "License"). You may not use -+# this file except in compliance with the License. You can obtain a copy -+# in the file LICENSE in the source distribution or at -+# https://www.openssl.org/source/license.html -+ -+ -+use OpenSSL::Test::Simple; -+ -+simple_test("test_evp_kdf", "evp_kdf_test"); -diff -up openssl-1.1.1j/test/recipes/30-test_evp.t.evp-kdf openssl-1.1.1j/test/recipes/30-test_evp.t ---- openssl-1.1.1j/test/recipes/30-test_evp.t.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/test/recipes/30-test_evp.t 2021-03-03 14:08:02.495294883 +0100 -@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT data_file/ - setup("test_evp"); - - my @files = ( "evpciph.txt", "evpdigest.txt", "evpencod.txt", "evpkdf.txt", -- "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt", -+ "evppkey_kdf.txt", "evpmac.txt", "evppbe.txt", "evppkey.txt", "evppkey_ecc.txt", - "evpcase.txt", "evpccmcavs.txt" ); - - plan tests => scalar(@files); -diff -up openssl-1.1.1j/util/libcrypto.num.evp-kdf openssl-1.1.1j/util/libcrypto.num ---- openssl-1.1.1j/util/libcrypto.num.evp-kdf 2021-03-03 14:08:02.481294758 +0100 -+++ 
openssl-1.1.1j/util/libcrypto.num 2021-03-03 14:08:02.495294883 +0100 -@@ -4626,3 +4626,11 @@ FIPS_drbg_get_strength - FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: - FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: - FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: -+EVP_KDF_CTX_new_id 6590 1_1_1b EXIST::FUNCTION: -+EVP_KDF_CTX_free 6591 1_1_1b EXIST::FUNCTION: -+EVP_KDF_reset 6592 1_1_1b EXIST::FUNCTION: -+EVP_KDF_ctrl 6593 1_1_1b EXIST::FUNCTION: -+EVP_KDF_vctrl 6594 1_1_1b EXIST::FUNCTION: -+EVP_KDF_ctrl_str 6595 1_1_1b EXIST::FUNCTION: -+EVP_KDF_size 6596 1_1_1b EXIST::FUNCTION: -+EVP_KDF_derive 6597 1_1_1b EXIST::FUNCTION: -diff -up openssl-1.1.1j/util/private.num.evp-kdf openssl-1.1.1j/util/private.num ---- openssl-1.1.1j/util/private.num.evp-kdf 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/util/private.num 2021-03-03 14:08:02.495294883 +0100 -@@ -21,6 +21,7 @@ CRYPTO_EX_dup - CRYPTO_EX_free datatype - CRYPTO_EX_new datatype - DTLS_timer_cb datatype -+EVP_KDF_CTX datatype - EVP_PKEY_gen_cb datatype - EVP_PKEY_METHOD datatype - EVP_PKEY_ASN1_METHOD datatype diff --git a/SOURCES/openssl-1.1.1-fips-crng-test.patch b/SOURCES/openssl-1.1.1-fips-crng-test.patch deleted file mode 100644 index 267a3ea..0000000 --- a/SOURCES/openssl-1.1.1-fips-crng-test.patch +++ /dev/null 
@@ -1,408 +0,0 @@ -diff -up openssl-1.1.1g/crypto/rand/build.info.crng-test openssl-1.1.1g/crypto/rand/build.info ---- openssl-1.1.1g/crypto/rand/build.info.crng-test 2020-04-23 13:30:45.863389837 +0200 -+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:31:55.847069892 +0200 -@@ -1,6 +1,6 @@ - LIBS=../../libcrypto - SOURCE[../../libcrypto]=\ -- randfile.c rand_lib.c rand_err.c rand_egd.c \ -+ randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \ - rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c - - INCLUDE[drbg_ctr.o]=../modes -diff -up openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test openssl-1.1.1g/crypto/rand/drbg_lib.c ---- openssl-1.1.1g/crypto/rand/drbg_lib.c.crng-test 2020-04-23 13:30:45.818390686 +0200 -+++ openssl-1.1.1g/crypto/rand/drbg_lib.c 2020-04-23 13:30:45.864389819 +0200 -@@ -67,7 +67,7 @@ static CRYPTO_THREAD_LOCAL private_drbg; - - - /* NIST SP 800-90A DRBG recommends the use of a personalization string. */ --static const char ossl_pers_string[] = "OpenSSL NIST SP 800-90A DRBG"; -+static const char ossl_pers_string[] = DRBG_DEFAULT_PERS_STRING; - - static CRYPTO_ONCE rand_drbg_init = CRYPTO_ONCE_STATIC_INIT; - -@@ -201,8 +201,13 @@ static RAND_DRBG *rand_drbg_new(int secu - drbg->parent = parent; - - if (parent == NULL) { -+#ifdef OPENSSL_FIPS -+ drbg->get_entropy = rand_crngt_get_entropy; -+ drbg->cleanup_entropy = rand_crngt_cleanup_entropy; -+#else - drbg->get_entropy = rand_drbg_get_entropy; - drbg->cleanup_entropy = rand_drbg_cleanup_entropy; -+#endif - #ifndef RAND_DRBG_GET_RANDOM_NONCE - drbg->get_nonce = rand_drbg_get_nonce; - drbg->cleanup_nonce = rand_drbg_cleanup_nonce; -diff -up openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test openssl-1.1.1g/crypto/rand/rand_crng_test.c ---- openssl-1.1.1g/crypto/rand/rand_crng_test.c.crng-test 2020-04-23 13:30:45.864389819 +0200 -+++ openssl-1.1.1g/crypto/rand/rand_crng_test.c 2020-04-23 13:30:45.864389819 +0200 -@@ -0,0 +1,118 @@ -+/* -+ * Copyright 2019 The OpenSSL Project 
Authors. All Rights Reserved. -+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+/* -+ * Implementation of the FIPS 140-2 section 4.9.2 Conditional Tests. -+ */ -+ -+#include -+#include -+#include "crypto/rand.h" -+#include "internal/thread_once.h" -+#include "rand_local.h" -+ -+static RAND_POOL *crngt_pool; -+static unsigned char crngt_prev[EVP_MAX_MD_SIZE]; -+ -+int (*crngt_get_entropy)(unsigned char *, unsigned char *, unsigned int *) -+ = &rand_crngt_get_entropy_cb; -+ -+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md, -+ unsigned int *md_size) -+{ -+ int r; -+ size_t n; -+ unsigned char *p; -+ -+ n = rand_pool_acquire_entropy(crngt_pool); -+ if (n >= CRNGT_BUFSIZ) { -+ p = rand_pool_detach(crngt_pool); -+ r = EVP_Digest(p, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL); -+ if (r != 0) -+ memcpy(buf, p, CRNGT_BUFSIZ); -+ rand_pool_reattach(crngt_pool, p); -+ return r; -+ } -+ return 0; -+} -+ -+void rand_crngt_cleanup(void) -+{ -+ rand_pool_free(crngt_pool); -+ crngt_pool = NULL; -+} -+ -+int rand_crngt_init(void) -+{ -+ unsigned char buf[CRNGT_BUFSIZ]; -+ -+ if ((crngt_pool = rand_pool_new(0, 1, CRNGT_BUFSIZ, CRNGT_BUFSIZ)) == NULL) -+ return 0; -+ if (crngt_get_entropy(buf, crngt_prev, NULL)) { -+ OPENSSL_cleanse(buf, sizeof(buf)); -+ return 1; -+ } -+ rand_crngt_cleanup(); -+ return 0; -+} -+ -+static CRYPTO_ONCE rand_crngt_init_flag = CRYPTO_ONCE_STATIC_INIT; -+DEFINE_RUN_ONCE_STATIC(do_rand_crngt_init) -+{ -+ return OPENSSL_init_crypto(0, NULL) -+ && rand_crngt_init() -+ && OPENSSL_atexit(&rand_crngt_cleanup); -+} -+ -+int rand_crngt_single_init(void) -+{ -+ return RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init); -+} -+ -+size_t 
rand_crngt_get_entropy(RAND_DRBG *drbg, -+ unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len, -+ int prediction_resistance) -+{ -+ unsigned char buf[CRNGT_BUFSIZ], md[EVP_MAX_MD_SIZE]; -+ unsigned int sz; -+ RAND_POOL *pool; -+ size_t q, r = 0, s, t = 0; -+ int attempts = 3; -+ -+ if (!RUN_ONCE(&rand_crngt_init_flag, do_rand_crngt_init)) -+ return 0; -+ -+ if ((pool = rand_pool_new(entropy, 1, min_len, max_len)) == NULL) -+ return 0; -+ -+ while ((q = rand_pool_bytes_needed(pool, 1)) > 0 && attempts-- > 0) { -+ s = q > sizeof(buf) ? sizeof(buf) : q; -+ if (!crngt_get_entropy(buf, md, &sz) -+ || memcmp(crngt_prev, md, sz) == 0 -+ || !rand_pool_add(pool, buf, s, s * 8)) -+ goto err; -+ memcpy(crngt_prev, md, sz); -+ t += s; -+ attempts++; -+ } -+ r = t; -+ *pout = rand_pool_detach(pool); -+err: -+ OPENSSL_cleanse(buf, sizeof(buf)); -+ rand_pool_free(pool); -+ return r; -+} -+ -+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg, -+ unsigned char *out, size_t outlen) -+{ -+ OPENSSL_secure_clear_free(out, outlen); -+} -diff -up openssl-1.1.1g/crypto/rand/rand_local.h.crng-test openssl-1.1.1g/crypto/rand/rand_local.h ---- openssl-1.1.1g/crypto/rand/rand_local.h.crng-test 2020-04-23 13:30:45.470397250 +0200 -+++ openssl-1.1.1g/crypto/rand/rand_local.h 2020-04-23 13:30:45.864389819 +0200 -@@ -33,7 +33,15 @@ - # define MASTER_RESEED_TIME_INTERVAL (60*60) /* 1 hour */ - # define SLAVE_RESEED_TIME_INTERVAL (7*60) /* 7 minutes */ - -- -+/* -+ * The number of bytes that constitutes an atomic lump of entropy with respect -+ * to the FIPS 140-2 section 4.9.2 Conditional Tests. The size is somewhat -+ * arbitrary, the smaller the value, the less entropy is consumed on first -+ * read but the higher the probability of the test failing by accident. -+ * -+ * The value is in bytes. 
-+ */ -+#define CRNGT_BUFSIZ 16 - - /* - * Maximum input size for the DRBG (entropy, nonce, personalization string) -@@ -44,6 +52,8 @@ - */ - # define DRBG_MAX_LENGTH INT32_MAX - -+/* The default nonce */ -+# define DRBG_DEFAULT_PERS_STRING "OpenSSL NIST SP 800-90A DRBG" - - /* - * Maximum allocation size for RANDOM_POOL buffers -@@ -296,4 +306,22 @@ int rand_drbg_enable_locking(RAND_DRBG * - /* initializes the AES-CTR DRBG implementation */ - int drbg_ctr_init(RAND_DRBG *drbg); - -+/* -+ * Entropy call back for the FIPS 140-2 section 4.9.2 Conditional Tests. -+ * These need to be exposed for the unit tests. -+ */ -+int rand_crngt_get_entropy_cb(unsigned char *buf, unsigned char *md, -+ unsigned int *md_size); -+extern int (*crngt_get_entropy)(unsigned char *buf, unsigned char *md, -+ unsigned int *md_size); -+int rand_crngt_init(void); -+void rand_crngt_cleanup(void); -+ -+/* -+ * Expose the run once initialisation function for the unit tests because. -+ * they need to restart from scratch to validate the first block is skipped -+ * properly. -+ */ -+int rand_crngt_single_init(void); -+ - #endif -diff -up openssl-1.1.1g/include/crypto/rand.h.crng-test openssl-1.1.1g/include/crypto/rand.h ---- openssl-1.1.1g/include/crypto/rand.h.crng-test 2020-04-23 13:30:45.824390573 +0200 -+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:30:45.864389819 +0200 -@@ -49,6 +49,14 @@ size_t rand_drbg_get_additional_data(RAN - - void rand_drbg_cleanup_additional_data(RAND_POOL *pool, unsigned char *out); - -+/* CRNG test entropy filter callbacks. 
*/ -+size_t rand_crngt_get_entropy(RAND_DRBG *drbg, -+ unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len, -+ int prediction_resistance); -+void rand_crngt_cleanup_entropy(RAND_DRBG *drbg, -+ unsigned char *out, size_t outlen); -+ - /* - * RAND_POOL functions - */ -diff -up openssl-1.1.1g/test/drbgtest.c.crng-test openssl-1.1.1g/test/drbgtest.c ---- openssl-1.1.1g/test/drbgtest.c.crng-test 2020-04-21 14:22:39.000000000 +0200 -+++ openssl-1.1.1g/test/drbgtest.c 2020-04-23 13:30:45.865389800 +0200 -@@ -150,6 +150,31 @@ static size_t kat_nonce(RAND_DRBG *drbg, - return t->noncelen; - } - -+ /* -+ * Disable CRNG testing if it is enabled. -+ * If the DRBG is ready or in an error state, this means an instantiate cycle -+ * for which the default personalisation string is used. -+ */ -+static int disable_crngt(RAND_DRBG *drbg) -+{ -+ static const char pers[] = DRBG_DEFAULT_PERS_STRING; -+ const int instantiate = drbg->state != DRBG_UNINITIALISED; -+ -+ if (drbg->get_entropy != rand_crngt_get_entropy) -+ return 1; -+ -+ if ((instantiate && !RAND_DRBG_uninstantiate(drbg)) -+ || !TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_drbg_get_entropy, -+ &rand_drbg_cleanup_entropy, -+ &rand_drbg_get_nonce, -+ &rand_drbg_cleanup_nonce)) -+ || (instantiate -+ && !RAND_DRBG_instantiate(drbg, (const unsigned char *)pers, -+ sizeof(pers) - 1))) -+ return 0; -+ return 1; -+} -+ - static int uninstantiate(RAND_DRBG *drbg) - { - int ret = drbg == NULL ? 
1 : RAND_DRBG_uninstantiate(drbg); -@@ -175,7 +200,8 @@ static int single_kat(DRBG_SELFTEST_DATA - if (!TEST_ptr(drbg = RAND_DRBG_new(td->nid, td->flags, NULL))) - return 0; - if (!TEST_true(RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, -- kat_nonce, NULL))) { -+ kat_nonce, NULL)) -+ || !TEST_true(disable_crngt(drbg))) { - failures++; - goto err; - } -@@ -293,7 +319,8 @@ static int error_check(DRBG_SELFTEST_DAT - unsigned int reseed_counter_tmp; - int ret = 0; - -- if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL))) -+ if (!TEST_ptr(drbg = RAND_DRBG_new(0, 0, NULL)) -+ || !TEST_true(disable_crngt(drbg))) - goto err; - - /* -@@ -740,6 +767,10 @@ static int test_rand_drbg_reseed(void) - || !TEST_ptr_eq(private->parent, master)) - return 0; - -+ /* Disable CRNG testing for the master DRBG */ -+ if (!TEST_true(disable_crngt(master))) -+ return 0; -+ - /* uninstantiate the three global DRBGs */ - RAND_DRBG_uninstantiate(private); - RAND_DRBG_uninstantiate(public); -@@ -964,7 +995,8 @@ static int test_rand_seed(void) - size_t rand_buflen; - size_t required_seed_buflen = 0; - -- if (!TEST_ptr(master = RAND_DRBG_get0_master())) -+ if (!TEST_ptr(master = RAND_DRBG_get0_master()) -+ || !TEST_true(disable_crngt(master))) - return 0; - - #ifdef OPENSSL_RAND_SEED_NONE -@@ -1013,6 +1045,95 @@ static int test_rand_add(void) - return 1; - } - -+/* -+ * A list of the FIPS DRGB types. 
-+ */ -+static const struct s_drgb_types { -+ int nid; -+ int flags; -+} drgb_types[] = { -+ { NID_aes_128_ctr, 0 }, -+ { NID_aes_192_ctr, 0 }, -+ { NID_aes_256_ctr, 0 }, -+}; -+ -+/* Six cases for each covers seed sizes up to 32 bytes */ -+static const size_t crngt_num_cases = 6; -+ -+static size_t crngt_case, crngt_idx; -+ -+static int crngt_entropy_cb(unsigned char *buf, unsigned char *md, -+ unsigned int *md_size) -+{ -+ size_t i, z; -+ -+ if (!TEST_int_lt(crngt_idx, crngt_num_cases)) -+ return 0; -+ /* Generate a block of unique data unless this is the duplication point */ -+ z = crngt_idx++; -+ if (z > 0 && crngt_case == z) -+ z--; -+ for (i = 0; i < CRNGT_BUFSIZ; i++) -+ buf[i] = (unsigned char)(i + 'A' + z); -+ return EVP_Digest(buf, CRNGT_BUFSIZ, md, md_size, EVP_sha256(), NULL); -+} -+ -+static int test_crngt(int n) -+{ -+ const struct s_drgb_types *dt = drgb_types + n / crngt_num_cases; -+ RAND_DRBG *drbg = NULL; -+ unsigned char buff[100]; -+ size_t ent; -+ int res = 0; -+ int expect; -+ -+ if (!TEST_true(rand_crngt_single_init())) -+ return 0; -+ rand_crngt_cleanup(); -+ -+ if (!TEST_ptr(drbg = RAND_DRBG_new(dt->nid, dt->flags, NULL))) -+ return 0; -+ ent = (drbg->min_entropylen + CRNGT_BUFSIZ - 1) / CRNGT_BUFSIZ; -+ crngt_case = n % crngt_num_cases; -+ crngt_idx = 0; -+ crngt_get_entropy = &crngt_entropy_cb; -+ if (!TEST_true(rand_crngt_init())) -+ goto err; -+#ifndef OPENSSL_FIPS -+ if (!TEST_true(RAND_DRBG_set_callbacks(drbg, &rand_crngt_get_entropy, -+ &rand_crngt_cleanup_entropy, -+ &rand_drbg_get_nonce, -+ &rand_drbg_cleanup_nonce))) -+ goto err; -+#endif -+ expect = crngt_case == 0 || crngt_case > ent; -+ if (!TEST_int_eq(RAND_DRBG_instantiate(drbg, NULL, 0), expect)) -+ goto err; -+ if (!expect) -+ goto fin; -+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))) -+ goto err; -+ -+ expect = crngt_case == 0 || crngt_case > 2 * ent; -+ if (!TEST_int_eq(RAND_DRBG_reseed(drbg, NULL, 0, 0), expect)) -+ goto err; -+ if (!expect) 
-+ goto fin; -+ if (!TEST_true(RAND_DRBG_generate(drbg, buff, sizeof(buff), 0, NULL, 0))) -+ goto err; -+ -+fin: -+ res = 1; -+err: -+ if (!res) -+ TEST_note("DRBG %zd case %zd block %zd", n / crngt_num_cases, -+ crngt_case, crngt_idx); -+ uninstantiate(drbg); -+ RAND_DRBG_free(drbg); -+ crngt_get_entropy = &rand_crngt_get_entropy_cb; -+ return res; -+} -+ - int setup_tests(void) - { - app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); -@@ -1025,5 +1146,6 @@ int setup_tests(void) - #if defined(OPENSSL_THREADS) - ADD_TEST(test_multi_thread); - #endif -+ ADD_ALL_TESTS(test_crngt, crngt_num_cases * OSSL_NELEM(drgb_types)); - return 1; - } diff --git a/SOURCES/openssl-1.1.1-fips-curves.patch b/SOURCES/openssl-1.1.1-fips-curves.patch deleted file mode 100644 index 33e9fc5..0000000 --- a/SOURCES/openssl-1.1.1-fips-curves.patch +++ /dev/null 
@@ -1,200 +0,0 @@ -diff -up openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves openssl-1.1.1g/crypto/ec/ec_curve.c ---- openssl-1.1.1g/crypto/ec/ec_curve.c.fips-curves 2020-05-18 12:59:54.839643980 +0200 -+++ openssl-1.1.1g/crypto/ec/ec_curve.c 2020-05-18 12:59:54.852644093 +0200 -@@ -13,6 +13,7 @@ - #include - #include - #include -+#include - #include "internal/nelem.h" - - typedef struct { -@@ -237,6 +238,7 @@ static const struct { - - typedef struct _ec_list_element_st { - int nid; -+ int fips_allowed; - const EC_CURVE_DATA *data; - const EC_METHOD *(*meth) (void); - const char *comment; -@@ -246,23 +248,23 @@ static const ec_list_element curve_list[ - /* prime field curves */ - /* secg curves */ - #ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 -- {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, -+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, - "NIST/SECG curve over a 224 bit prime field"}, - #else -- {NID_secp224r1, &_EC_NIST_PRIME_224.h, 0, -+ {NID_secp224r1, 1, &_EC_NIST_PRIME_224.h, 0, - "NIST/SECG curve over a 224 bit prime field"}, - #endif -- {NID_secp256k1, &_EC_SECG_PRIME_256K1.h, 0, -+ {NID_secp256k1, 0, &_EC_SECG_PRIME_256K1.h, 0, - "SECG curve over a 256 bit prime field"}, - /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ -- {NID_secp384r1, &_EC_NIST_PRIME_384.h, -+ {NID_secp384r1, 1, &_EC_NIST_PRIME_384.h, - # if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp384_method, - # else - 0, - # endif - "NIST/SECG curve over a 384 bit prime field"}, -- {NID_secp521r1, &_EC_NIST_PRIME_521.h, -+ {NID_secp521r1, 1, &_EC_NIST_PRIME_521.h, - # if defined(S390X_EC_ASM) - EC_GFp_s390x_nistp521_method, - # elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) -@@ -272,7 +274,7 @@ static const ec_list_element curve_list[ - # endif - "NIST/SECG curve over a 521 bit prime field"}, - /* X9.62 curves */ -- {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, -+ {NID_X9_62_prime256v1, 1, &_EC_X9_62_PRIME_256V1.h, - #if 
defined(ECP_NISTZ256_ASM) - EC_GFp_nistz256_method, - # elif defined(S390X_EC_ASM) -@@ -404,6 +406,10 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int - - for (i = 0; i < curve_list_length; i++) - if (curve_list[i].nid == nid) { -+ if (!curve_list[i].fips_allowed && FIPS_mode()) { -+ ECerr(EC_F_EC_GROUP_NEW_BY_CURVE_NAME, EC_R_NOT_A_NIST_PRIME); -+ return NULL; -+ } - ret = ec_group_new_from_data(curve_list[i]); - break; - } -@@ -418,19 +424,31 @@ EC_GROUP *EC_GROUP_new_by_curve_name(int - - size_t EC_get_builtin_curves(EC_builtin_curve *r, size_t nitems) - { -- size_t i, min; -+ size_t i, j, num; -+ int fips_mode = FIPS_mode(); - -- if (r == NULL || nitems == 0) -- return curve_list_length; -+ num = curve_list_length; -+ if (fips_mode) -+ for (i = 0; i < curve_list_length; i++) { -+ if (!curve_list[i].fips_allowed) -+ --num; -+ } - -- min = nitems < curve_list_length ? nitems : curve_list_length; -+ if (r == NULL || nitems == 0) { -+ return num; -+ } - -- for (i = 0; i < min; i++) { -- r[i].nid = curve_list[i].nid; -- r[i].comment = curve_list[i].comment; -+ for (i = 0, j = 0; i < curve_list_length; i++) { -+ if (j >= nitems) -+ break; -+ if (!fips_mode || curve_list[i].fips_allowed) { -+ r[j].nid = curve_list[i].nid; -+ r[j].comment = curve_list[i].comment; -+ ++j; -+ } - } - -- return curve_list_length; -+ return num; - } - - /* Functions to translate between common NIST curve names and NIDs */ -diff -up openssl-1.1.1g/ssl/t1_lib.c.fips-curves openssl-1.1.1g/ssl/t1_lib.c ---- openssl-1.1.1g/ssl/t1_lib.c.fips-curves 2020-05-18 12:59:54.797643616 +0200 -+++ openssl-1.1.1g/ssl/t1_lib.c 2020-05-18 13:03:54.748725463 +0200 -@@ -678,6 +678,36 @@ static const uint16_t tls12_sigalgs[] = - #endif - }; - -+static const uint16_t tls12_fips_sigalgs[] = { -+#ifndef OPENSSL_NO_EC -+ TLSEXT_SIGALG_ecdsa_secp256r1_sha256, -+ TLSEXT_SIGALG_ecdsa_secp384r1_sha384, -+ TLSEXT_SIGALG_ecdsa_secp521r1_sha512, -+#endif -+ -+ TLSEXT_SIGALG_rsa_pss_pss_sha256, -+ 
TLSEXT_SIGALG_rsa_pss_pss_sha384, -+ TLSEXT_SIGALG_rsa_pss_pss_sha512, -+ TLSEXT_SIGALG_rsa_pss_rsae_sha256, -+ TLSEXT_SIGALG_rsa_pss_rsae_sha384, -+ TLSEXT_SIGALG_rsa_pss_rsae_sha512, -+ -+ TLSEXT_SIGALG_rsa_pkcs1_sha256, -+ TLSEXT_SIGALG_rsa_pkcs1_sha384, -+ TLSEXT_SIGALG_rsa_pkcs1_sha512, -+ -+#ifndef OPENSSL_NO_EC -+ TLSEXT_SIGALG_ecdsa_sha224, -+#endif -+ TLSEXT_SIGALG_rsa_pkcs1_sha224, -+#ifndef OPENSSL_NO_DSA -+ TLSEXT_SIGALG_dsa_sha224, -+ TLSEXT_SIGALG_dsa_sha256, -+ TLSEXT_SIGALG_dsa_sha384, -+ TLSEXT_SIGALG_dsa_sha512, -+#endif -+}; -+ - #ifndef OPENSSL_NO_EC - static const uint16_t suiteb_sigalgs[] = { - TLSEXT_SIGALG_ecdsa_secp256r1_sha256, -@@ -894,6 +924,8 @@ static const SIGALG_LOOKUP *tls1_get_leg - } - if (idx < 0 || idx >= (int)OSSL_NELEM(tls_default_sigalg)) - return NULL; -+ if (FIPS_mode()) /* We do not allow legacy SHA1 signatures in FIPS mode */ -+ return NULL; - if (SSL_USE_SIGALGS(s) || idx != SSL_PKEY_RSA) { - const SIGALG_LOOKUP *lu = tls1_lookup_sigalg(tls_default_sigalg[idx]); - -@@ -954,6 +986,9 @@ size_t tls12_get_psigalgs(SSL *s, int se - } else if (s->cert->conf_sigalgs) { - *psigs = s->cert->conf_sigalgs; - return s->cert->conf_sigalgslen; -+ } else if (FIPS_mode()) { -+ *psigs = tls12_fips_sigalgs; -+ return OSSL_NELEM(tls12_fips_sigalgs); - } else { - *psigs = tls12_sigalgs; - return OSSL_NELEM(tls12_sigalgs); -@@ -973,6 +1008,9 @@ int tls_check_sigalg_curve(const SSL *s, - if (s->cert->conf_sigalgs) { - sigs = s->cert->conf_sigalgs; - siglen = s->cert->conf_sigalgslen; -+ } else if (FIPS_mode()) { -+ sigs = tls12_fips_sigalgs; -+ siglen = OSSL_NELEM(tls12_fips_sigalgs); - } else { - sigs = tls12_sigalgs; - siglen = OSSL_NELEM(tls12_sigalgs); -@@ -1617,6 +1655,8 @@ static int tls12_sigalg_allowed(const SS - if (lu->sig == NID_id_GostR3410_2012_256 - || lu->sig == NID_id_GostR3410_2012_512 - || lu->sig == NID_id_GostR3410_2001) { -+ if (FIPS_mode()) -+ return 0; - /* We never allow GOST sig algs on the server with TLSv1.3 */ - if 
(s->server && SSL_IS_TLS13(s)) - return 0; -@@ -2842,6 +2882,13 @@ int tls_choose_sigalg(SSL *s, int fatale - const uint16_t *sent_sigs; - size_t sent_sigslen; - -+ if (fatalerrs && FIPS_mode()) { -+ /* There are no suitable legacy algorithms in FIPS mode */ -+ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, -+ SSL_F_TLS_CHOOSE_SIGALG, -+ SSL_R_NO_SUITABLE_SIGNATURE_ALGORITHM); -+ return 0; -+ } - if ((lu = tls1_get_legacy_sigalg(s, -1)) == NULL) { - if (!fatalerrs) - return 1; diff --git a/SOURCES/openssl-1.1.1-fips-dh.patch b/SOURCES/openssl-1.1.1-fips-dh.patch deleted file mode 100644 index e1c739b..0000000 --- a/SOURCES/openssl-1.1.1-fips-dh.patch +++ /dev/null 
@@ -1,2730 +0,0 @@ -diff -up openssl-1.1.1j/crypto/bn/bn_const.c.fips-dh openssl-1.1.1j/crypto/bn/bn_const.c ---- openssl-1.1.1j/crypto/bn/bn_const.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/bn/bn_const.c 2021-03-03 14:23:27.403092418 +0100 -@@ -1,13 +1,17 @@ - /* -- * Copyright 2005-2016 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2005-2020 The OpenSSL Project Authors. All Rights Reserved. - * -- * Licensed under the OpenSSL license (the "License"). You may not use -+ * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html - */ - - #include -+#include "crypto/bn_dh.h" -+ -+#define COPY_BN(dst, src) (dst != NULL) ? BN_copy(dst, &src) : BN_dup(&src) -+ - - /*- - * "First Oakley Default Group" from RFC2409, section 6.1. -@@ -80,33 +84,7 @@ BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM - - BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn) - { -- static const unsigned char RFC3526_PRIME_1536[] = { -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, -- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, -- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, -- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, -- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, -- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, -- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, -- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, -- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, -- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, -- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, -- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, -- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, -- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, -- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, -- 0x98, 0xDA, 0x48, 0x36, 0x1C, 
0x55, 0xD3, 0x9A, -- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, -- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, -- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, -- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, -- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, -- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x23, 0x73, 0x27, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- }; -- return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), bn); -+ return COPY_BN(bn, _bignum_modp_1536_p); - } - - /*- -@@ -119,41 +97,7 @@ BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM - - BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn) - { -- static const unsigned char RFC3526_PRIME_2048[] = { -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, -- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, -- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, -- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, -- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, -- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, -- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, -- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, -- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, -- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, -- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, -- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, -- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, -- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, -- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, -- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, -- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, -- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, -- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, -- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, -- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, -- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, -- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, -- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, -- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 
0xA2, 0x8F, -- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, -- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, -- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, -- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, -- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- }; -- return BN_bin2bn(RFC3526_PRIME_2048, sizeof(RFC3526_PRIME_2048), bn); -+ return COPY_BN(bn, _bignum_modp_2048_p); - } - - /*- -@@ -166,57 +110,7 @@ BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM - - BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn) - { -- static const unsigned char RFC3526_PRIME_3072[] = { -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, -- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, -- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, -- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, -- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, -- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, -- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, -- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, -- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, -- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, -- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, -- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, -- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, -- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, -- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, -- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, -- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, -- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, -- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, -- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, -- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, -- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, -- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, -- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, -- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, -- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 
0xC9, -- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, -- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, -- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, -- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, -- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, -- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, -- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, -- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, -- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, -- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, -- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, -- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, -- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, -- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, -- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, -- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, -- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, -- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, -- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, -- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- }; -- return BN_bin2bn(RFC3526_PRIME_3072, sizeof(RFC3526_PRIME_3072), bn); -+ return COPY_BN(bn, _bignum_modp_3072_p); - } - - /*- -@@ -229,73 +123,7 @@ BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM - - BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn) - { -- static const unsigned char RFC3526_PRIME_4096[] = { -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, -- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, -- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, -- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, -- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, -- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, -- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, -- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, -- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, -- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, -- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, -- 
0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, -- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, -- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, -- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, -- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, -- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, -- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, -- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, -- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, -- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, -- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, -- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, -- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, -- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, -- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, -- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, -- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, -- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, -- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, -- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, -- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, -- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, -- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, -- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, -- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, -- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, -- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, -- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, -- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, -- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, -- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, -- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, -- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, -- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, -- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, -- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, -- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, -- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, -- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, -- 0x25, 
0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, -- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, -- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, -- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, -- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, -- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, -- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, -- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, -- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, -- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, -- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, -- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- }; -- return BN_bin2bn(RFC3526_PRIME_4096, sizeof(RFC3526_PRIME_4096), bn); -+ return COPY_BN(bn, _bignum_modp_4096_p); - } - - /*- -@@ -308,105 +136,7 @@ BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM - - BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn) - { -- static const unsigned char RFC3526_PRIME_6144[] = { -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, -- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, -- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, -- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, -- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, -- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, -- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, -- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, -- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, -- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, -- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, -- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, -- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, -- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, -- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, -- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, -- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, -- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, -- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, -- 0x9E, 0xD5, 
0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, -- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, -- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, -- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, -- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, -- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, -- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, -- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, -- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, -- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, -- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, -- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, -- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, -- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, -- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, -- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, -- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, -- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, -- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, -- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, -- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, -- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, -- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, -- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, -- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, -- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, -- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, -- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, -- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, -- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, -- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, -- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, -- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, -- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, -- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, -- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, -- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, -- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, -- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, -- 0xD0, 0x06, 0x91, 
0x27, 0xD5, 0xB0, 0x5A, 0xA9, -- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, -- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, -- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, -- 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, -- 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE, -- 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, -- 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, -- 0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE, -- 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, -- 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, -- 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED, -- 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, -- 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, -- 0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42, -- 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF, -- 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, -- 0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03, -- 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, -- 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, -- 0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E, -- 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, -- 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, -- 0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5, -- 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, -- 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, -- 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0, -- 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, -- 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, -- 0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0, -- 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, -- 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, -- 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68, -- 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, -- 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, -- 0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xCC, 0x40, 0x24, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- }; -- return BN_bin2bn(RFC3526_PRIME_6144, sizeof(RFC3526_PRIME_6144), bn); -+ return COPY_BN(bn, _bignum_modp_6144_p); - } - - 
/*- -@@ -419,135 +149,5 @@ BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM - - BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn) - { -- static const unsigned char RFC3526_PRIME_8192[] = { -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, -- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, -- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, -- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, -- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, -- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, -- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, -- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, -- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, -- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, -- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, -- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, -- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, -- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, -- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, -- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, -- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, -- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, -- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, -- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, -- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, -- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, -- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, -- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, -- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, -- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, -- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, -- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, -- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, -- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, -- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, -- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, -- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, -- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, -- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 
0xE1, 0xE4, 0xC7, -- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, -- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, -- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, -- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, -- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, -- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, -- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, -- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, -- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, -- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, -- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, -- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, -- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, -- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, -- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, -- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, -- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, -- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, -- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, -- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, -- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, -- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, -- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, -- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, -- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, -- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, -- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, -- 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, -- 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE, -- 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, -- 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, -- 0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE, -- 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, -- 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, -- 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED, -- 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, -- 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, -- 0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42, -- 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 
0xD2, 0xBF, -- 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, -- 0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03, -- 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, -- 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, -- 0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E, -- 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, -- 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, -- 0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5, -- 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, -- 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, -- 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0, -- 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, -- 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, -- 0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0, -- 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, -- 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, -- 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68, -- 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, -- 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, -- 0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xBE, 0x11, 0x59, -- 0x74, 0xA3, 0x92, 0x6F, 0x12, 0xFE, 0xE5, 0xE4, -- 0x38, 0x77, 0x7C, 0xB6, 0xA9, 0x32, 0xDF, 0x8C, -- 0xD8, 0xBE, 0xC4, 0xD0, 0x73, 0xB9, 0x31, 0xBA, -- 0x3B, 0xC8, 0x32, 0xB6, 0x8D, 0x9D, 0xD3, 0x00, -- 0x74, 0x1F, 0xA7, 0xBF, 0x8A, 0xFC, 0x47, 0xED, -- 0x25, 0x76, 0xF6, 0x93, 0x6B, 0xA4, 0x24, 0x66, -- 0x3A, 0xAB, 0x63, 0x9C, 0x5A, 0xE4, 0xF5, 0x68, -- 0x34, 0x23, 0xB4, 0x74, 0x2B, 0xF1, 0xC9, 0x78, -- 0x23, 0x8F, 0x16, 0xCB, 0xE3, 0x9D, 0x65, 0x2D, -- 0xE3, 0xFD, 0xB8, 0xBE, 0xFC, 0x84, 0x8A, 0xD9, -- 0x22, 0x22, 0x2E, 0x04, 0xA4, 0x03, 0x7C, 0x07, -- 0x13, 0xEB, 0x57, 0xA8, 0x1A, 0x23, 0xF0, 0xC7, -- 0x34, 0x73, 0xFC, 0x64, 0x6C, 0xEA, 0x30, 0x6B, -- 0x4B, 0xCB, 0xC8, 0x86, 0x2F, 0x83, 0x85, 0xDD, -- 0xFA, 0x9D, 0x4B, 0x7F, 0xA2, 0xC0, 0x87, 0xE8, -- 0x79, 0x68, 0x33, 0x03, 0xED, 0x5B, 0xDD, 0x3A, -- 0x06, 0x2B, 0x3C, 0xF5, 0xB3, 0xA2, 0x78, 0xA6, -- 0x6D, 0x2A, 0x13, 0xF8, 0x3F, 0x44, 0xF8, 0x2D, -- 0xDF, 0x31, 0x0E, 0xE0, 0x74, 0xAB, 0x6A, 
0x36, -- 0x45, 0x97, 0xE8, 0x99, 0xA0, 0x25, 0x5D, 0xC1, -- 0x64, 0xF3, 0x1C, 0xC5, 0x08, 0x46, 0x85, 0x1D, -- 0xF9, 0xAB, 0x48, 0x19, 0x5D, 0xED, 0x7E, 0xA1, -- 0xB1, 0xD5, 0x10, 0xBD, 0x7E, 0xE7, 0x4D, 0x73, -- 0xFA, 0xF3, 0x6B, 0xC3, 0x1E, 0xCF, 0xA2, 0x68, -- 0x35, 0x90, 0x46, 0xF4, 0xEB, 0x87, 0x9F, 0x92, -- 0x40, 0x09, 0x43, 0x8B, 0x48, 0x1C, 0x6C, 0xD7, -- 0x88, 0x9A, 0x00, 0x2E, 0xD5, 0xEE, 0x38, 0x2B, -- 0xC9, 0x19, 0x0D, 0xA6, 0xFC, 0x02, 0x6E, 0x47, -- 0x95, 0x58, 0xE4, 0x47, 0x56, 0x77, 0xE9, 0xAA, -- 0x9E, 0x30, 0x50, 0xE2, 0x76, 0x56, 0x94, 0xDF, -- 0xC8, 0x1F, 0x56, 0xE8, 0x80, 0xB9, 0x6E, 0x71, -- 0x60, 0xC9, 0x80, 0xDD, 0x98, 0xED, 0xD3, 0xDF, -- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, -- }; -- return BN_bin2bn(RFC3526_PRIME_8192, sizeof(RFC3526_PRIME_8192), bn); -+ return COPY_BN(bn, _bignum_modp_8192_p); - } -diff -up openssl-1.1.1j/crypto/bn/bn_dh.c.fips-dh openssl-1.1.1j/crypto/bn/bn_dh.c ---- openssl-1.1.1j/crypto/bn/bn_dh.c.fips-dh 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/bn/bn_dh.c 2021-03-03 14:23:27.404092427 +0100 -@@ -1,7 +1,7 @@ - /* -- * Copyright 2014-2017 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2014-2020 The OpenSSL Project Authors. All Rights Reserved. - * -- * Licensed under the OpenSSL license (the "License"). You may not use -+ * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. 
You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html -@@ -11,474 +11,995 @@ - #include "internal/nelem.h" - - #ifndef OPENSSL_NO_DH --#include --#include "crypto/bn_dh.h" --/* DH parameters from RFC5114 */ -+# include -+# include "crypto/bn_dh.h" - - # if BN_BITS2 == 64 --static const BN_ULONG dh1024_160_p[] = { -- 0xDF1FB2BC2E4A4371ULL, 0xE68CFDA76D4DA708ULL, 0x45BF37DF365C1A65ULL, -- 0xA151AF5F0DC8B4BDULL, 0xFAA31A4FF55BCCC0ULL, 0x4EFFD6FAE5644738ULL, -- 0x98488E9C219A7372ULL, 0xACCBDD7D90C4BD70ULL, 0x24975C3CD49B83BFULL, -- 0x13ECB4AEA9061123ULL, 0x9838EF1E2EE652C0ULL, 0x6073E28675A23D18ULL, -- 0x9A6A9DCA52D23B61ULL, 0x52C99FBCFB06A3C6ULL, 0xDE92DE5EAE5D54ECULL, -- 0xB10B8F96A080E01DULL --}; -- --static const BN_ULONG dh1024_160_g[] = { -- 0x855E6EEB22B3B2E5ULL, 0x858F4DCEF97C2A24ULL, 0x2D779D5918D08BC8ULL, -- 0xD662A4D18E73AFA3ULL, 0x1DBF0A0169B6A28AULL, 0xA6A24C087A091F53ULL, -- 0x909D0D2263F80A76ULL, 0xD7FBD7D3B9A92EE1ULL, 0x5E91547F9E2749F4ULL, -- 0x160217B4B01B886AULL, 0x777E690F5504F213ULL, 0x266FEA1E5C41564BULL, -- 0xD6406CFF14266D31ULL, 0xF8104DD258AC507FULL, 0x6765A442EFB99905ULL, -- 0xA4D1CBD5C3FD3412ULL --}; -- --static const BN_ULONG dh1024_160_q[] = { -- 0x64B7CB9D49462353ULL, 0x81A8DF278ABA4E7DULL, 0x00000000F518AA87ULL --}; -- --static const BN_ULONG dh2048_224_p[] = { -- 0x0AC4DFFE0C10E64FULL, 0xCF9DE5384E71B81CULL, 0x7EF363E2FFA31F71ULL, -- 0xE3FB73C16B8E75B9ULL, 0xC9B53DCF4BA80A29ULL, 0x23F10B0E16E79763ULL, -- 0xC52172E413042E9BULL, 0xBE60E69CC928B2B9ULL, 0x80CD86A1B9E587E8ULL, -- 0x315D75E198C641A4ULL, 0xCDF93ACC44328387ULL, 0x15987D9ADC0A486DULL, -- 0x7310F7121FD5A074ULL, 0x278273C7DE31EFDCULL, 0x1602E714415D9330ULL, -- 0x81286130BC8985DBULL, 0xB3BF8A3170918836ULL, 0x6A00E0A0B9C49708ULL, -- 0xC6BA0B2C8BBC27BEULL, 0xC9F98D11ED34DBF6ULL, 0x7AD5B7D0B6C12207ULL, -- 0xD91E8FEF55B7394BULL, 0x9037C9EDEFDA4DF8ULL, 0x6D3F8152AD6AC212ULL, -- 0x1DE6B85A1274A0A6ULL, 
0xEB3D688A309C180EULL, 0xAF9A3C407BA1DF15ULL, -- 0xE6FA141DF95A56DBULL, 0xB54B1597B61D0A75ULL, 0xA20D64E5683B9FD1ULL, -- 0xD660FAA79559C51FULL, 0xAD107E1E9123A9D0ULL --}; -- --static const BN_ULONG dh2048_224_g[] = { -- 0x84B890D3191F2BFAULL, 0x81BC087F2A7065B3ULL, 0x19C418E1F6EC0179ULL, -- 0x7B5A0F1C71CFFF4CULL, 0xEDFE72FE9B6AA4BDULL, 0x81E1BCFE94B30269ULL, -- 0x566AFBB48D6C0191ULL, 0xB539CCE3409D13CDULL, 0x6AA21E7F5F2FF381ULL, -- 0xD9E263E4770589EFULL, 0x10E183EDD19963DDULL, 0xB70A8137150B8EEBULL, -- 0x051AE3D428C8F8ACULL, 0xBB77A86F0C1AB15BULL, 0x6E3025E316A330EFULL, -- 0x19529A45D6F83456ULL, 0xF180EB34118E98D1ULL, 0xB5F6C6B250717CBEULL, -- 0x09939D54DA7460CDULL, 0xE247150422EA1ED4ULL, 0xB8A762D0521BC98AULL, -- 0xF4D027275AC1348BULL, 0xC17669101999024AULL, 0xBE5E9001A8D66AD7ULL, -- 0xC57DB17C620A8652ULL, 0xAB739D7700C29F52ULL, 0xDD921F01A70C4AFAULL, -- 0xA6824A4E10B9A6F0ULL, 0x74866A08CFE4FFE3ULL, 0x6CDEBE7B89998CAFULL, -- 0x9DF30B5C8FFDAC50ULL, 0xAC4032EF4F2D9AE3ULL --}; -- --static const BN_ULONG dh2048_224_q[] = { -- 0xBF389A99B36371EBULL, 0x1F80535A4738CEBCULL, 0xC58D93FE99717710ULL, -- 0x00000000801C0D34ULL --}; -- --static const BN_ULONG dh2048_256_p[] = { -- 0xDB094AE91E1A1597ULL, 0x693877FAD7EF09CAULL, 0x6116D2276E11715FULL, -- 0xA4B54330C198AF12ULL, 0x75F26375D7014103ULL, 0xC3A3960A54E710C3ULL, -- 0xDED4010ABD0BE621ULL, 0xC0B857F689962856ULL, 0xB3CA3F7971506026ULL, -- 0x1CCACB83E6B486F6ULL, 0x67E144E514056425ULL, 0xF6A167B5A41825D9ULL, -- 0x3AD8347796524D8EULL, 0xF13C6D9A51BFA4ABULL, 0x2D52526735488A0EULL, -- 0xB63ACAE1CAA6B790ULL, 0x4FDB70C581B23F76ULL, 0xBC39A0BF12307F5CULL, -- 0xB941F54EB1E59BB8ULL, 0x6C5BFC11D45F9088ULL, 0x22E0B1EF4275BF7BULL, -- 0x91F9E6725B4758C0ULL, 0x5A8A9D306BCF67EDULL, 0x209E0C6497517ABDULL, -- 0x3BF4296D830E9A7CULL, 0x16C3D91134096FAAULL, 0xFAF7DF4561B2AA30ULL, -- 0xE00DF8F1D61957D4ULL, 0x5D2CEED4435E3B00ULL, 0x8CEEF608660DD0F2ULL, -- 0xFFBBD19C65195999ULL, 0x87A8E61DB4B6663CULL --}; -+# define BN_DEF(lo, hi) (BN_ULONG)hi << 
32 | lo -+# else -+# define BN_DEF(lo, hi) lo, hi -+# endif - --static const BN_ULONG dh2048_256_g[] = { -- 0x664B4C0F6CC41659ULL, 0x5E2327CFEF98C582ULL, 0xD647D148D4795451ULL, -- 0x2F63078490F00EF8ULL, 0x184B523D1DB246C3ULL, 0xC7891428CDC67EB6ULL, -- 0x7FD028370DF92B52ULL, 0xB3353BBB64E0EC37ULL, 0xECD06E1557CD0915ULL, -- 0xB7D2BBD2DF016199ULL, 0xC8484B1E052588B9ULL, 0xDB2A3B7313D3FE14ULL, -- 0xD052B985D182EA0AULL, 0xA4BD1BFFE83B9C80ULL, 0xDFC967C1FB3F2E55ULL, -- 0xB5045AF2767164E1ULL, 0x1D14348F6F2F9193ULL, 0x64E67982428EBC83ULL, -- 0x8AC376D282D6ED38ULL, 0x777DE62AAAB8A862ULL, 0xDDF463E5E9EC144BULL, -- 0x0196F931C77A57F2ULL, 0xA55AE31341000A65ULL, 0x901228F8C28CBB18ULL, -- 0xBC3773BF7E8C6F62ULL, 0xBE3A6C1B0C6B47B1ULL, 0xFF4FED4AAC0BB555ULL, -- 0x10DBC15077BE463FULL, 0x07F4793A1A0BA125ULL, 0x4CA7B18F21EF2054ULL, -- 0x2E77506660EDBD48ULL, 0x3FB32C9B73134D0BULL --}; -+/* DH parameters from RFC3526 */ - --static const BN_ULONG dh2048_256_q[] = { -- 0xA308B0FE64F5FBD3ULL, 0x99B1A47D1EB3750BULL, 0xB447997640129DA2ULL, -- 0x8CF83642A709A097ULL -+/* -+ * "1536-bit MODP Group" from RFC3526, Section 2. -+ * -+ * The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } -+ * -+ * RFC3526 specifies a generator of 2. -+ * RFC2312 specifies a generator of 22. 
-+ */ -+static const BN_ULONG modp_1536_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCA237327, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_1536_q[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6511B993, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF) - }; - --/* Primes from RFC 7919 */ --static const BN_ULONG ffdhe2048_p[] = { -- 0xFFFFFFFFFFFFFFFFULL, 0x886B423861285C97ULL, 0xC6F34A26C1B2EFFAULL, -- 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, -- 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 
0xC03404CD28342F61ULL, -- 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, -- 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, -- 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, -- 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, -- 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, -- 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, -- 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, -- 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL -+/*- -+ * "2048-bit MODP Group" from RFC3526, Section 3. -+ * -+ * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_2048_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x8AACAA68, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_2048_q[] = { -+ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), 
BN_DEF(0x45565534, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), - }; - --static const BN_ULONG ffdhe3072_p[] = { -- 0xFFFFFFFFFFFFFFFFULL, 0x25E41D2B66C62E37ULL, 0x3C1B20EE3FD59D7CULL, -- 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, -- 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, -- 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, -- 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, -- 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, -- 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, -- 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, -- 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, -- 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, -- 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, -- 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, -- 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 
0x2433F51F5F066ED0ULL, -- 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, -- 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, -- 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL -+/*- -+ * "3072-bit MODP Group" from RFC3526, Section 4. -+ * -+ * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_3072_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xA93AD2CA, 0x4B82D120), -+ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), -+ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), -+ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), -+ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), -+ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), -+ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), -+ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), -+ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 
0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_3072_q[] = { -+ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x549D6965, 0x25C16890), -+ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), -+ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), -+ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), -+ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), -+ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), -+ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), -+ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), -+ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), - }; - --static const BN_ULONG ffdhe4096_p[] = { -- 0xFFFFFFFFFFFFFFFFULL, 0xC68A007E5E655F6AULL, 0x4DB5A851F44182E1ULL, -- 0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL, -- 0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL, 
0x6DC778F971AD0038ULL, -- 0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL, -- 0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL, -- 0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL, -- 0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, -- 0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, -- 0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, -- 0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, -- 0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, -- 0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, -- 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, -- 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, -- 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, -- 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, -- 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, -- 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, -- 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, -- 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, -- 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, -- 0xFFFFFFFFFFFFFFFFULL -+/*- -+ * "4096-bit MODP Group" from RFC3526, Section 5. -+ * -+ * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } -+ * -+ * RFC3526 specifies a generator of 2. 
-+ */ -+static const BN_ULONG modp_4096_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x34063199, 0x4DF435C9), -+ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), -+ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), -+ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), -+ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), -+ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), -+ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), -+ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), -+ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), -+ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), -+ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), -+ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), -+ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), -+ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), -+ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), -+ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), -+ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ 
BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_4096_q[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x9A0318CC, 0xA6FA1AE4), -+ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), -+ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), -+ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), -+ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), -+ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), -+ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), -+ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), -+ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), -+ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), -+ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), -+ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), -+ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), -+ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), -+ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), -+ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), -+ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 
0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), - }; - --static const BN_ULONG ffdhe6144_p[] = { -- 0xFFFFFFFFFFFFFFFFULL, 0xA40E329CD0E40E65ULL, 0xA41D570D7938DAD4ULL, -- 0x62A69526D43161C1ULL, 0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL, -- 0xEC9D1810C6272B04ULL, 0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL, -- 0x505DC82DB854338AULL, 0x62292C311562A846ULL, 0xD72B03746AE77F5EULL, -- 0xF9C9091B462D538CULL, 0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL, -- 0xEEAAC0232A281BF6ULL, 0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL, -- 0x587E38DA0077D9B4ULL, 0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL, -- 0xA00EF092350511E3ULL, 0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL, -- 0x388147FB4CFDB477ULL, 0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL, -- 0xB38E8C334C701C3AULL, 0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL, -- 0x23BA4442CAF53EA6ULL, 0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL, -- 0xC68A007E5E0DD902ULL, 0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL, -- 0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL, -- 0x092999A333CB8B7AULL, 0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL, -- 0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL, -- 0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL, -- 0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL, -- 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, -- 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, -- 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, -- 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, -- 
0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, -- 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, -- 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, -- 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, -- 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, -- 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, -- 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, -- 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, -- 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, -- 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, -- 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL -+/*- -+ * "6144-bit MODP Group" from RFC3526, Section 6. -+ * -+ * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_6144_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6DCC4024, 0xE694F91E), -+ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), -+ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), -+ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), -+ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), -+ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), -+ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), -+ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), -+ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), -+ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), -+ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), -+ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), -+ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), -+ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), -+ BN_DEF(0x413001AE, 0xE5DB382F), 
BN_DEF(0xAD9E530E, 0xF8FF9406), -+ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), -+ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), -+ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), -+ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), -+ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), -+ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), -+ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), -+ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), -+ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), -+ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), -+ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), -+ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), -+ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), -+ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), -+ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), -+ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), -+ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), -+ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 
0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_6144_q[] = { -+ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x36E62012, 0x734A7C8F), -+ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), -+ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), -+ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), -+ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), -+ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), -+ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), -+ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), -+ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), -+ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), -+ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), -+ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), -+ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), -+ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), -+ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), -+ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), -+ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), -+ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), -+ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), -+ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), -+ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), -+ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), -+ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), -+ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), -+ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), -+ 
BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), -+ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), -+ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), -+ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), -+ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), -+ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), -+ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), -+ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), - }; - --static const BN_ULONG ffdhe8192_p[] = { -- 0xFFFFFFFFFFFFFFFFULL, 0xD68C8BB7C5C6424CULL, 0x011E2A94838FF88CULL, -- 0x0822E506A9F4614EULL, 0x97D11D49F7A8443DULL, 0xA6BBFDE530677F0DULL, -- 0x2F741EF8C1FE86FEULL, 0xFAFABE1C5D71A87EULL, 0xDED2FBABFBE58A30ULL, -- 0xB6855DFE72B0A66EULL, 0x1EFC8CE0BA8A4FE8ULL, 0x83F81D4A3F2FA457ULL, -- 0xA1FE3075A577E231ULL, 0xD5B8019488D9C0A0ULL, 0x624816CDAD9A95F9ULL, -- 0x99E9E31650C1217BULL, 0x51AA691E0E423CFCULL, 
0x1C217E6C3826E52CULL, -- 0x51A8A93109703FEEULL, 0xBB7099876A460E74ULL, 0x541FC68C9C86B022ULL, -- 0x59160CC046FD8251ULL, 0x2846C0BA35C35F5CULL, 0x54504AC78B758282ULL, -- 0x29388839D2AF05E4ULL, 0xCB2C0F1CC01BD702ULL, 0x555B2F747C932665ULL, -- 0x86B63142A3AB8829ULL, 0x0B8CC3BDF64B10EFULL, 0x687FEB69EDD1CC5EULL, -- 0xFDB23FCEC9509D43ULL, 0x1E425A31D951AE64ULL, 0x36AD004CF600C838ULL, -- 0xA40E329CCFF46AAAULL, 0xA41D570D7938DAD4ULL, 0x62A69526D43161C1ULL, -- 0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL, 0xEC9D1810C6272B04ULL, -- 0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL, 0x505DC82DB854338AULL, -- 0x62292C311562A846ULL, 0xD72B03746AE77F5EULL, 0xF9C9091B462D538CULL, -- 0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL, 0xEEAAC0232A281BF6ULL, -- 0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL, 0x587E38DA0077D9B4ULL, -- 0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL, 0xA00EF092350511E3ULL, -- 0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL, 0x388147FB4CFDB477ULL, -- 0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL, 0xB38E8C334C701C3AULL, -- 0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL, 0x23BA4442CAF53EA6ULL, -- 0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL, 0xC68A007E5E0DD902ULL, -- 0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL, -- 0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL, -- 0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL, -- 0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL, -- 0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL, -- 0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL, -- 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL, -- 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL, -- 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL, -- 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL, -- 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL, -- 0xC58EF1837D1683B2ULL, 
0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, -- 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, -- 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, -- 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, -- 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, -- 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, -- 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, -- 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, -- 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, -- 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL -+/* -+ * "8192-bit MODP Group" from RFC3526, Section 7. -+ * -+ * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_8192_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x98EDD3DF, 0x60C980DD), -+ BN_DEF(0x80B96E71, 0xC81F56E8), BN_DEF(0x765694DF, 0x9E3050E2), -+ BN_DEF(0x5677E9AA, 0x9558E447), BN_DEF(0xFC026E47, 0xC9190DA6), -+ BN_DEF(0xD5EE382B, 0x889A002E), BN_DEF(0x481C6CD7, 0x4009438B), -+ BN_DEF(0xEB879F92, 0x359046F4), BN_DEF(0x1ECFA268, 0xFAF36BC3), -+ BN_DEF(0x7EE74D73, 0xB1D510BD), BN_DEF(0x5DED7EA1, 0xF9AB4819), -+ BN_DEF(0x0846851D, 0x64F31CC5), BN_DEF(0xA0255DC1, 0x4597E899), -+ BN_DEF(0x74AB6A36, 0xDF310EE0), BN_DEF(0x3F44F82D, 0x6D2A13F8), -+ BN_DEF(0xB3A278A6, 0x062B3CF5), BN_DEF(0xED5BDD3A, 0x79683303), -+ BN_DEF(0xA2C087E8, 0xFA9D4B7F), BN_DEF(0x2F8385DD, 0x4BCBC886), -+ BN_DEF(0x6CEA306B, 0x3473FC64), BN_DEF(0x1A23F0C7, 0x13EB57A8), -+ BN_DEF(0xA4037C07, 0x22222E04), BN_DEF(0xFC848AD9, 0xE3FDB8BE), -+ BN_DEF(0xE39D652D, 0x238F16CB), BN_DEF(0x2BF1C978, 0x3423B474), -+ BN_DEF(0x5AE4F568, 0x3AAB639C), BN_DEF(0x6BA42466, 0x2576F693), -+ BN_DEF(0x8AFC47ED, 0x741FA7BF), BN_DEF(0x8D9DD300, 0x3BC832B6), -+ BN_DEF(0x73B931BA, 0xD8BEC4D0), BN_DEF(0xA932DF8C, 0x38777CB6), -+ BN_DEF(0x12FEE5E4, 
0x74A3926F), BN_DEF(0x6DBE1159, 0xE694F91E), -+ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), -+ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), -+ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), -+ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), -+ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), -+ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), -+ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), -+ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), -+ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), -+ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), -+ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), -+ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), -+ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), -+ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406), -+ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), -+ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), -+ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), -+ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), -+ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), -+ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), -+ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), -+ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), -+ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), -+ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), -+ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), -+ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), -+ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), -+ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), -+ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), -+ 
BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), -+ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), -+ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_8192_q[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCC76E9EF, 0xB064C06E), -+ BN_DEF(0x405CB738, 0xE40FAB74), BN_DEF(0x3B2B4A6F, 0x4F182871), -+ BN_DEF(0xAB3BF4D5, 0xCAAC7223), BN_DEF(0x7E013723, 0xE48C86D3), -+ BN_DEF(0x6AF71C15, 0xC44D0017), BN_DEF(0xA40E366B, 0x2004A1C5), -+ BN_DEF(0x75C3CFC9, 0x1AC8237A), BN_DEF(0x8F67D134, 0xFD79B5E1), -+ BN_DEF(0xBF73A6B9, 0xD8EA885E), BN_DEF(0xAEF6BF50, 0xFCD5A40C), -+ BN_DEF(0x8423428E, 0xB2798E62), BN_DEF(0xD012AEE0, 0x22CBF44C), -+ BN_DEF(0x3A55B51B, 0xEF988770), BN_DEF(0x1FA27C16, 0x369509FC), -+ BN_DEF(0xD9D13C53, 0x03159E7A), BN_DEF(0xF6ADEE9D, 0x3CB41981), -+ BN_DEF(0xD16043F4, 0xFD4EA5BF), BN_DEF(0x17C1C2EE, 0xA5E5E443), -+ BN_DEF(0x36751835, 0x9A39FE32), BN_DEF(0x0D11F863, 
0x89F5ABD4), -+ BN_DEF(0x5201BE03, 0x91111702), BN_DEF(0x7E42456C, 0xF1FEDC5F), -+ BN_DEF(0xF1CEB296, 0x11C78B65), BN_DEF(0x15F8E4BC, 0x1A11DA3A), -+ BN_DEF(0x2D727AB4, 0x1D55B1CE), BN_DEF(0xB5D21233, 0x92BB7B49), -+ BN_DEF(0xC57E23F6, 0x3A0FD3DF), BN_DEF(0x46CEE980, 0x1DE4195B), -+ BN_DEF(0x39DC98DD, 0x6C5F6268), BN_DEF(0x54996FC6, 0x1C3BBE5B), -+ BN_DEF(0x897F72F2, 0xBA51C937), BN_DEF(0x36DF08AC, 0x734A7C8F), -+ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), -+ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), -+ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), -+ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), -+ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), -+ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), -+ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), -+ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), -+ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), -+ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), -+ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), -+ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), -+ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), -+ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), -+ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), -+ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), -+ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), -+ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), -+ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), -+ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), -+ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), -+ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), -+ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), -+ BN_DEF(0x53C3F36B, 0x8D391E09), 
BN_DEF(0x54908400, 0x25C16890), -+ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), -+ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), -+ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), -+ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), -+ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), -+ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), -+ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), -+ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), - }; - --# elif BN_BITS2 == 32 -- -+/* DH parameters from RFC5114 */ - static const BN_ULONG dh1024_160_p[] = { -- 0x2E4A4371, 0xDF1FB2BC, 0x6D4DA708, 0xE68CFDA7, 0x365C1A65, 0x45BF37DF, -- 0x0DC8B4BD, 0xA151AF5F, 0xF55BCCC0, 0xFAA31A4F, 0xE5644738, 0x4EFFD6FA, -- 0x219A7372, 0x98488E9C, 0x90C4BD70, 0xACCBDD7D, 0xD49B83BF, 0x24975C3C, -- 0xA9061123, 0x13ECB4AE, 0x2EE652C0, 0x9838EF1E, 0x75A23D18, 0x6073E286, -- 0x52D23B61, 
0x9A6A9DCA, 0xFB06A3C6, 0x52C99FBC, 0xAE5D54EC, 0xDE92DE5E, -- 0xA080E01D, 0xB10B8F96 -+ BN_DEF(0x2E4A4371, 0xDF1FB2BC), BN_DEF(0x6D4DA708, 0xE68CFDA7), -+ BN_DEF(0x365C1A65, 0x45BF37DF), BN_DEF(0x0DC8B4BD, 0xA151AF5F), -+ BN_DEF(0xF55BCCC0, 0xFAA31A4F), BN_DEF(0xE5644738, 0x4EFFD6FA), -+ BN_DEF(0x219A7372, 0x98488E9C), BN_DEF(0x90C4BD70, 0xACCBDD7D), -+ BN_DEF(0xD49B83BF, 0x24975C3C), BN_DEF(0xA9061123, 0x13ECB4AE), -+ BN_DEF(0x2EE652C0, 0x9838EF1E), BN_DEF(0x75A23D18, 0x6073E286), -+ BN_DEF(0x52D23B61, 0x9A6A9DCA), BN_DEF(0xFB06A3C6, 0x52C99FBC), -+ BN_DEF(0xAE5D54EC, 0xDE92DE5E), BN_DEF(0xA080E01D, 0xB10B8F96) - }; -- --static const BN_ULONG dh1024_160_g[] = { -- 0x22B3B2E5, 0x855E6EEB, 0xF97C2A24, 0x858F4DCE, 0x18D08BC8, 0x2D779D59, -- 0x8E73AFA3, 0xD662A4D1, 0x69B6A28A, 0x1DBF0A01, 0x7A091F53, 0xA6A24C08, -- 0x63F80A76, 0x909D0D22, 0xB9A92EE1, 0xD7FBD7D3, 0x9E2749F4, 0x5E91547F, -- 0xB01B886A, 0x160217B4, 0x5504F213, 0x777E690F, 0x5C41564B, 0x266FEA1E, -- 0x14266D31, 0xD6406CFF, 0x58AC507F, 0xF8104DD2, 0xEFB99905, 0x6765A442, -- 0xC3FD3412, 0xA4D1CBD5 --}; -- - static const BN_ULONG dh1024_160_q[] = { -- 0x49462353, 0x64B7CB9D, 0x8ABA4E7D, 0x81A8DF27, 0xF518AA87 -+ BN_DEF(0x49462353, 0x64B7CB9D), BN_DEF(0x8ABA4E7D, 0x81A8DF27), -+ (BN_ULONG)0xF518AA87 - }; -- --static const BN_ULONG dh2048_224_p[] = { -- 0x0C10E64F, 0x0AC4DFFE, 0x4E71B81C, 0xCF9DE538, 0xFFA31F71, 0x7EF363E2, -- 0x6B8E75B9, 0xE3FB73C1, 0x4BA80A29, 0xC9B53DCF, 0x16E79763, 0x23F10B0E, -- 0x13042E9B, 0xC52172E4, 0xC928B2B9, 0xBE60E69C, 0xB9E587E8, 0x80CD86A1, -- 0x98C641A4, 0x315D75E1, 0x44328387, 0xCDF93ACC, 0xDC0A486D, 0x15987D9A, -- 0x1FD5A074, 0x7310F712, 0xDE31EFDC, 0x278273C7, 0x415D9330, 0x1602E714, -- 0xBC8985DB, 0x81286130, 0x70918836, 0xB3BF8A31, 0xB9C49708, 0x6A00E0A0, -- 0x8BBC27BE, 0xC6BA0B2C, 0xED34DBF6, 0xC9F98D11, 0xB6C12207, 0x7AD5B7D0, -- 0x55B7394B, 0xD91E8FEF, 0xEFDA4DF8, 0x9037C9ED, 0xAD6AC212, 0x6D3F8152, -- 0x1274A0A6, 0x1DE6B85A, 0x309C180E, 0xEB3D688A, 0x7BA1DF15, 
0xAF9A3C40, -- 0xF95A56DB, 0xE6FA141D, 0xB61D0A75, 0xB54B1597, 0x683B9FD1, 0xA20D64E5, -- 0x9559C51F, 0xD660FAA7, 0x9123A9D0, 0xAD107E1E -+static const BN_ULONG dh1024_160_g[] = { -+ BN_DEF(0x22B3B2E5, 0x855E6EEB), BN_DEF(0xF97C2A24, 0x858F4DCE), -+ BN_DEF(0x18D08BC8, 0x2D779D59), BN_DEF(0x8E73AFA3, 0xD662A4D1), -+ BN_DEF(0x69B6A28A, 0x1DBF0A01), BN_DEF(0x7A091F53, 0xA6A24C08), -+ BN_DEF(0x63F80A76, 0x909D0D22), BN_DEF(0xB9A92EE1, 0xD7FBD7D3), -+ BN_DEF(0x9E2749F4, 0x5E91547F), BN_DEF(0xB01B886A, 0x160217B4), -+ BN_DEF(0x5504F213, 0x777E690F), BN_DEF(0x5C41564B, 0x266FEA1E), -+ BN_DEF(0x14266D31, 0xD6406CFF), BN_DEF(0x58AC507F, 0xF8104DD2), -+ BN_DEF(0xEFB99905, 0x6765A442), BN_DEF(0xC3FD3412, 0xA4D1CBD5) - }; - --static const BN_ULONG dh2048_224_g[] = { -- 0x191F2BFA, 0x84B890D3, 0x2A7065B3, 0x81BC087F, 0xF6EC0179, 0x19C418E1, -- 0x71CFFF4C, 0x7B5A0F1C, 0x9B6AA4BD, 0xEDFE72FE, 0x94B30269, 0x81E1BCFE, -- 0x8D6C0191, 0x566AFBB4, 0x409D13CD, 0xB539CCE3, 0x5F2FF381, 0x6AA21E7F, -- 0x770589EF, 0xD9E263E4, 0xD19963DD, 0x10E183ED, 0x150B8EEB, 0xB70A8137, -- 0x28C8F8AC, 0x051AE3D4, 0x0C1AB15B, 0xBB77A86F, 0x16A330EF, 0x6E3025E3, -- 0xD6F83456, 0x19529A45, 0x118E98D1, 0xF180EB34, 0x50717CBE, 0xB5F6C6B2, -- 0xDA7460CD, 0x09939D54, 0x22EA1ED4, 0xE2471504, 0x521BC98A, 0xB8A762D0, -- 0x5AC1348B, 0xF4D02727, 0x1999024A, 0xC1766910, 0xA8D66AD7, 0xBE5E9001, -- 0x620A8652, 0xC57DB17C, 0x00C29F52, 0xAB739D77, 0xA70C4AFA, 0xDD921F01, -- 0x10B9A6F0, 0xA6824A4E, 0xCFE4FFE3, 0x74866A08, 0x89998CAF, 0x6CDEBE7B, -- 0x8FFDAC50, 0x9DF30B5C, 0x4F2D9AE3, 0xAC4032EF -+static const BN_ULONG dh2048_224_p[] = { -+ BN_DEF(0x0C10E64F, 0x0AC4DFFE), BN_DEF(0x4E71B81C, 0xCF9DE538), -+ BN_DEF(0xFFA31F71, 0x7EF363E2), BN_DEF(0x6B8E75B9, 0xE3FB73C1), -+ BN_DEF(0x4BA80A29, 0xC9B53DCF), BN_DEF(0x16E79763, 0x23F10B0E), -+ BN_DEF(0x13042E9B, 0xC52172E4), BN_DEF(0xC928B2B9, 0xBE60E69C), -+ BN_DEF(0xB9E587E8, 0x80CD86A1), BN_DEF(0x98C641A4, 0x315D75E1), -+ BN_DEF(0x44328387, 0xCDF93ACC), BN_DEF(0xDC0A486D, 
0x15987D9A), -+ BN_DEF(0x1FD5A074, 0x7310F712), BN_DEF(0xDE31EFDC, 0x278273C7), -+ BN_DEF(0x415D9330, 0x1602E714), BN_DEF(0xBC8985DB, 0x81286130), -+ BN_DEF(0x70918836, 0xB3BF8A31), BN_DEF(0xB9C49708, 0x6A00E0A0), -+ BN_DEF(0x8BBC27BE, 0xC6BA0B2C), BN_DEF(0xED34DBF6, 0xC9F98D11), -+ BN_DEF(0xB6C12207, 0x7AD5B7D0), BN_DEF(0x55B7394B, 0xD91E8FEF), -+ BN_DEF(0xEFDA4DF8, 0x9037C9ED), BN_DEF(0xAD6AC212, 0x6D3F8152), -+ BN_DEF(0x1274A0A6, 0x1DE6B85A), BN_DEF(0x309C180E, 0xEB3D688A), -+ BN_DEF(0x7BA1DF15, 0xAF9A3C40), BN_DEF(0xF95A56DB, 0xE6FA141D), -+ BN_DEF(0xB61D0A75, 0xB54B1597), BN_DEF(0x683B9FD1, 0xA20D64E5), -+ BN_DEF(0x9559C51F, 0xD660FAA7), BN_DEF(0x9123A9D0, 0xAD107E1E) - }; -- - static const BN_ULONG dh2048_224_q[] = { -- 0xB36371EB, 0xBF389A99, 0x4738CEBC, 0x1F80535A, 0x99717710, 0xC58D93FE, -- 0x801C0D34 -+ BN_DEF(0xB36371EB, 0xBF389A99), BN_DEF(0x4738CEBC, 0x1F80535A), -+ BN_DEF(0x99717710, 0xC58D93FE), (BN_ULONG)0x801C0D34 - }; -- --static const BN_ULONG dh2048_256_p[] = { -- 0x1E1A1597, 0xDB094AE9, 0xD7EF09CA, 0x693877FA, 0x6E11715F, 0x6116D227, -- 0xC198AF12, 0xA4B54330, 0xD7014103, 0x75F26375, 0x54E710C3, 0xC3A3960A, -- 0xBD0BE621, 0xDED4010A, 0x89962856, 0xC0B857F6, 0x71506026, 0xB3CA3F79, -- 0xE6B486F6, 0x1CCACB83, 0x14056425, 0x67E144E5, 0xA41825D9, 0xF6A167B5, -- 0x96524D8E, 0x3AD83477, 0x51BFA4AB, 0xF13C6D9A, 0x35488A0E, 0x2D525267, -- 0xCAA6B790, 0xB63ACAE1, 0x81B23F76, 0x4FDB70C5, 0x12307F5C, 0xBC39A0BF, -- 0xB1E59BB8, 0xB941F54E, 0xD45F9088, 0x6C5BFC11, 0x4275BF7B, 0x22E0B1EF, -- 0x5B4758C0, 0x91F9E672, 0x6BCF67ED, 0x5A8A9D30, 0x97517ABD, 0x209E0C64, -- 0x830E9A7C, 0x3BF4296D, 0x34096FAA, 0x16C3D911, 0x61B2AA30, 0xFAF7DF45, -- 0xD61957D4, 0xE00DF8F1, 0x435E3B00, 0x5D2CEED4, 0x660DD0F2, 0x8CEEF608, -- 0x65195999, 0xFFBBD19C, 0xB4B6663C, 0x87A8E61D -+static const BN_ULONG dh2048_224_g[] = { -+ BN_DEF(0x191F2BFA, 0x84B890D3), BN_DEF(0x2A7065B3, 0x81BC087F), -+ BN_DEF(0xF6EC0179, 0x19C418E1), BN_DEF(0x71CFFF4C, 0x7B5A0F1C), -+ BN_DEF(0x9B6AA4BD, 
0xEDFE72FE), BN_DEF(0x94B30269, 0x81E1BCFE), -+ BN_DEF(0x8D6C0191, 0x566AFBB4), BN_DEF(0x409D13CD, 0xB539CCE3), -+ BN_DEF(0x5F2FF381, 0x6AA21E7F), BN_DEF(0x770589EF, 0xD9E263E4), -+ BN_DEF(0xD19963DD, 0x10E183ED), BN_DEF(0x150B8EEB, 0xB70A8137), -+ BN_DEF(0x28C8F8AC, 0x051AE3D4), BN_DEF(0x0C1AB15B, 0xBB77A86F), -+ BN_DEF(0x16A330EF, 0x6E3025E3), BN_DEF(0xD6F83456, 0x19529A45), -+ BN_DEF(0x118E98D1, 0xF180EB34), BN_DEF(0x50717CBE, 0xB5F6C6B2), -+ BN_DEF(0xDA7460CD, 0x09939D54), BN_DEF(0x22EA1ED4, 0xE2471504), -+ BN_DEF(0x521BC98A, 0xB8A762D0), BN_DEF(0x5AC1348B, 0xF4D02727), -+ BN_DEF(0x1999024A, 0xC1766910), BN_DEF(0xA8D66AD7, 0xBE5E9001), -+ BN_DEF(0x620A8652, 0xC57DB17C), BN_DEF(0x00C29F52, 0xAB739D77), -+ BN_DEF(0xA70C4AFA, 0xDD921F01), BN_DEF(0x10B9A6F0, 0xA6824A4E), -+ BN_DEF(0xCFE4FFE3, 0x74866A08), BN_DEF(0x89998CAF, 0x6CDEBE7B), -+ BN_DEF(0x8FFDAC50, 0x9DF30B5C), BN_DEF(0x4F2D9AE3, 0xAC4032EF) - }; - --static const BN_ULONG dh2048_256_g[] = { -- 0x6CC41659, 0x664B4C0F, 0xEF98C582, 0x5E2327CF, 0xD4795451, 0xD647D148, -- 0x90F00EF8, 0x2F630784, 0x1DB246C3, 0x184B523D, 0xCDC67EB6, 0xC7891428, -- 0x0DF92B52, 0x7FD02837, 0x64E0EC37, 0xB3353BBB, 0x57CD0915, 0xECD06E15, -- 0xDF016199, 0xB7D2BBD2, 0x052588B9, 0xC8484B1E, 0x13D3FE14, 0xDB2A3B73, -- 0xD182EA0A, 0xD052B985, 0xE83B9C80, 0xA4BD1BFF, 0xFB3F2E55, 0xDFC967C1, -- 0x767164E1, 0xB5045AF2, 0x6F2F9193, 0x1D14348F, 0x428EBC83, 0x64E67982, -- 0x82D6ED38, 0x8AC376D2, 0xAAB8A862, 0x777DE62A, 0xE9EC144B, 0xDDF463E5, -- 0xC77A57F2, 0x0196F931, 0x41000A65, 0xA55AE313, 0xC28CBB18, 0x901228F8, -- 0x7E8C6F62, 0xBC3773BF, 0x0C6B47B1, 0xBE3A6C1B, 0xAC0BB555, 0xFF4FED4A, -- 0x77BE463F, 0x10DBC150, 0x1A0BA125, 0x07F4793A, 0x21EF2054, 0x4CA7B18F, -- 0x60EDBD48, 0x2E775066, 0x73134D0B, 0x3FB32C9B -+static const BN_ULONG dh2048_256_p[] = { -+ BN_DEF(0x1E1A1597, 0xDB094AE9), BN_DEF(0xD7EF09CA, 0x693877FA), -+ BN_DEF(0x6E11715F, 0x6116D227), BN_DEF(0xC198AF12, 0xA4B54330), -+ BN_DEF(0xD7014103, 0x75F26375), BN_DEF(0x54E710C3, 
0xC3A3960A), -+ BN_DEF(0xBD0BE621, 0xDED4010A), BN_DEF(0x89962856, 0xC0B857F6), -+ BN_DEF(0x71506026, 0xB3CA3F79), BN_DEF(0xE6B486F6, 0x1CCACB83), -+ BN_DEF(0x14056425, 0x67E144E5), BN_DEF(0xA41825D9, 0xF6A167B5), -+ BN_DEF(0x96524D8E, 0x3AD83477), BN_DEF(0x51BFA4AB, 0xF13C6D9A), -+ BN_DEF(0x35488A0E, 0x2D525267), BN_DEF(0xCAA6B790, 0xB63ACAE1), -+ BN_DEF(0x81B23F76, 0x4FDB70C5), BN_DEF(0x12307F5C, 0xBC39A0BF), -+ BN_DEF(0xB1E59BB8, 0xB941F54E), BN_DEF(0xD45F9088, 0x6C5BFC11), -+ BN_DEF(0x4275BF7B, 0x22E0B1EF), BN_DEF(0x5B4758C0, 0x91F9E672), -+ BN_DEF(0x6BCF67ED, 0x5A8A9D30), BN_DEF(0x97517ABD, 0x209E0C64), -+ BN_DEF(0x830E9A7C, 0x3BF4296D), BN_DEF(0x34096FAA, 0x16C3D911), -+ BN_DEF(0x61B2AA30, 0xFAF7DF45), BN_DEF(0xD61957D4, 0xE00DF8F1), -+ BN_DEF(0x435E3B00, 0x5D2CEED4), BN_DEF(0x660DD0F2, 0x8CEEF608), -+ BN_DEF(0x65195999, 0xFFBBD19C), BN_DEF(0xB4B6663C, 0x87A8E61D) - }; -- - static const BN_ULONG dh2048_256_q[] = { -- 0x64F5FBD3, 0xA308B0FE, 0x1EB3750B, 0x99B1A47D, 0x40129DA2, 0xB4479976, -- 0xA709A097, 0x8CF83642 -+ BN_DEF(0x64F5FBD3, 0xA308B0FE), BN_DEF(0x1EB3750B, 0x99B1A47D), -+ BN_DEF(0x40129DA2, 0xB4479976), BN_DEF(0xA709A097, 0x8CF83642) -+}; -+static const BN_ULONG dh2048_256_g[] = { -+ BN_DEF(0x6CC41659, 0x664B4C0F), BN_DEF(0xEF98C582, 0x5E2327CF), -+ BN_DEF(0xD4795451, 0xD647D148), BN_DEF(0x90F00EF8, 0x2F630784), -+ BN_DEF(0x1DB246C3, 0x184B523D), BN_DEF(0xCDC67EB6, 0xC7891428), -+ BN_DEF(0x0DF92B52, 0x7FD02837), BN_DEF(0x64E0EC37, 0xB3353BBB), -+ BN_DEF(0x57CD0915, 0xECD06E15), BN_DEF(0xDF016199, 0xB7D2BBD2), -+ BN_DEF(0x052588B9, 0xC8484B1E), BN_DEF(0x13D3FE14, 0xDB2A3B73), -+ BN_DEF(0xD182EA0A, 0xD052B985), BN_DEF(0xE83B9C80, 0xA4BD1BFF), -+ BN_DEF(0xFB3F2E55, 0xDFC967C1), BN_DEF(0x767164E1, 0xB5045AF2), -+ BN_DEF(0x6F2F9193, 0x1D14348F), BN_DEF(0x428EBC83, 0x64E67982), -+ BN_DEF(0x82D6ED38, 0x8AC376D2), BN_DEF(0xAAB8A862, 0x777DE62A), -+ BN_DEF(0xE9EC144B, 0xDDF463E5), BN_DEF(0xC77A57F2, 0x0196F931), -+ BN_DEF(0x41000A65, 0xA55AE313), 
BN_DEF(0xC28CBB18, 0x901228F8), -+ BN_DEF(0x7E8C6F62, 0xBC3773BF), BN_DEF(0x0C6B47B1, 0xBE3A6C1B), -+ BN_DEF(0xAC0BB555, 0xFF4FED4A), BN_DEF(0x77BE463F, 0x10DBC150), -+ BN_DEF(0x1A0BA125, 0x07F4793A), BN_DEF(0x21EF2054, 0x4CA7B18F), -+ BN_DEF(0x60EDBD48, 0x2E775066), BN_DEF(0x73134D0B, 0x3FB32C9B) - }; - - /* Primes from RFC 7919 */ -- - static const BN_ULONG ffdhe2048_p[] = { -- 0xFFFFFFFF, 0xFFFFFFFF, 0x61285C97, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, -- 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, -- 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, -- 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, -- 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, -- 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, -- 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, -- 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, -- 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, -- 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, -- 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x61285C97, 0x886B4238), -+ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), -+ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), -+ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), -+ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), -+ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), -+ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), -+ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), -+ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), -+ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), -+ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), -+ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), -+ 
BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), -+ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), -+ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), -+ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG ffdhe2048_q[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x30942E4B, 0x4435A11C), -+ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), -+ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), -+ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), -+ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), -+ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), -+ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), -+ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), -+ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), -+ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), -+ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), -+ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), -+ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), -+ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), -+ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), -+ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), - }; - - static const BN_ULONG ffdhe3072_p[] = { -- 0xFFFFFFFF, 0xFFFFFFFF, 0x66C62E37, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, -- 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, -- 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, -- 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, -- 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, -- 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, -- 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, -- 0x4C6FAD73, 
0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, -- 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, -- 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, -- 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, -- 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, -- 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, -- 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, -- 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, -- 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x66C62E37, 0x25E41D2B), -+ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), -+ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), -+ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), -+ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), -+ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), -+ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), -+ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), -+ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), -+ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), -+ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), -+ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), -+ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), -+ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), -+ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), -+ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), -+ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), -+ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), -+ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), -+ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), 
-+ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), -+ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), -+ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), -+ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG ffdhe3072_q[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xB363171B, 0x12F20E95), -+ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), -+ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), -+ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), -+ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), -+ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), -+ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), -+ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), -+ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), -+ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), -+ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), -+ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), -+ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), -+ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), -+ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), -+ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), -+ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), -+ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), -+ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), -+ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), -+ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), -+ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), -+ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), -+ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), - }; - - static const BN_ULONG ffdhe4096_p[] = { -- 
0xFFFFFFFF, 0xFFFFFFFF, 0x5E655F6A, 0xC68A007E, 0xF44182E1, 0x4DB5A851, -- 0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9, -- 0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9, -- 0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886, -- 0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42, -- 0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B, -- 0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, -- 0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, -- 0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, -- 0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, -- 0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, -- 0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, -- 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, -- 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, -- 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, -- 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, -- 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, -- 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, -- 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, -- 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, -- 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, -- 0xFFFFFFFF, 0xFFFFFFFF -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x5E655F6A, 0xC68A007E), -+ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), -+ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), -+ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), -+ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), -+ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), 
-+ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), -+ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), -+ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), -+ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), -+ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), -+ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), -+ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), -+ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), -+ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), -+ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), -+ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), -+ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), -+ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), -+ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), -+ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), -+ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), -+ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), -+ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), -+ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), -+ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), -+ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), -+ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), -+ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), -+ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), -+ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), -+ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG ffdhe4096_q[] = { -+ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x2F32AFB5, 0xE345003F), -+ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), -+ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 
0x15276754), -+ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), -+ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), -+ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), -+ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), -+ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), -+ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), -+ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), -+ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), -+ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), -+ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), -+ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), -+ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), -+ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), -+ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), -+ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), -+ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), -+ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), -+ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), -+ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), -+ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), -+ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), -+ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), -+ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), -+ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), -+ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), -+ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), -+ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), -+ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), -+ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), - }; - - static const BN_ULONG 
ffdhe6144_p[] = { -- 0xFFFFFFFF, 0xFFFFFFFF, 0xD0E40E65, 0xA40E329C, 0x7938DAD4, 0xA41D570D, -- 0xD43161C1, 0x62A69526, 0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9, -- 0xC6272B04, 0xEC9D1810, 0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 0xE49F5235, -- 0xB854338A, 0x505DC82D, 0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374, -- 0x462D538C, 0xF9C9091B, 0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1, -- 0x2A281BF6, 0xEEAAC023, 0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B, -- 0x0077D9B4, 0x587E38DA, 0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF, -- 0x350511E3, 0xA00EF092, 0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7, -- 0x4CFDB477, 0x388147FB, 0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657, -- 0x4C701C3A, 0xB38E8C33, 0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432, -- 0xCAF53EA6, 0x23BA4442, 0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6, -- 0x5E0DD902, 0xC68A007E, 0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A, -- 0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D, -- 0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A, -- 0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5, -- 0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4, -- 0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, -- 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, -- 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, -- 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, -- 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, -- 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, -- 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, -- 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, -- 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, -- 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, -- 0xB2C8E3FB, 0xD108A94B, 
0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, -- 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, -- 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, -- 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, -- 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, -- 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xD0E40E65, 0xA40E329C), -+ BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526), -+ BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9), -+ BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5), -+ BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D), -+ BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374), -+ BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58), -+ BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023), -+ BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B), -+ BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C), -+ BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 0xA00EF092), -+ BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7), -+ BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E), -+ BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33), -+ BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432), -+ BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C), -+ BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E), -+ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), -+ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), -+ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), -+ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), -+ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), -+ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), -+ BN_DEF(0xD69F6D18, 0xAC7D5F42), 
BN_DEF(0xE58857B6, 0x7930E9E4), -+ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), -+ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), -+ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), -+ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), -+ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), -+ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), -+ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), -+ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), -+ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), -+ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), -+ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), -+ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), -+ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), -+ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), -+ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), -+ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), -+ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), -+ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), -+ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), -+ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), -+ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), -+ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), -+ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), -+ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG ffdhe6144_q[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x68720732, 0x5207194E), -+ BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93), -+ BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC), -+ BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA), -+ BN_DEF(0xE4ADC88B, 
0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416), -+ BN_DEF(0x8AB15423, 0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA), -+ BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC), -+ BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011), -+ BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725), -+ BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6), -+ BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849), -+ BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB), -+ BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F), -+ BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619), -+ BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19), -+ BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96), -+ BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F), -+ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), -+ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), -+ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), -+ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), -+ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), -+ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), -+ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), -+ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), -+ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), -+ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), -+ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), -+ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), -+ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), -+ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), -+ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), -+ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), -+ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), -+ 
BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), -+ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), -+ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), -+ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), -+ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), -+ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), -+ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), -+ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), -+ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), -+ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), -+ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), -+ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), -+ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), -+ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), - }; - - static const BN_ULONG ffdhe8192_p[] = { -- 0xFFFFFFFF, 0xFFFFFFFF, 0xC5C6424C, 0xD68C8BB7, 0x838FF88C, 0x011E2A94, -- 0xA9F4614E, 0x0822E506, 0xF7A8443D, 0x97D11D49, 0x30677F0D, 0xA6BBFDE5, -- 0xC1FE86FE, 0x2F741EF8, 0x5D71A87E, 0xFAFABE1C, 0xFBE58A30, 0xDED2FBAB, -- 0x72B0A66E, 0xB6855DFE, 0xBA8A4FE8, 0x1EFC8CE0, 0x3F2FA457, 0x83F81D4A, -- 0xA577E231, 0xA1FE3075, 0x88D9C0A0, 0xD5B80194, 0xAD9A95F9, 0x624816CD, -- 0x50C1217B, 0x99E9E316, 0x0E423CFC, 0x51AA691E, 0x3826E52C, 0x1C217E6C, -- 0x09703FEE, 0x51A8A931, 0x6A460E74, 0xBB709987, 0x9C86B022, 0x541FC68C, -- 0x46FD8251, 0x59160CC0, 0x35C35F5C, 0x2846C0BA, 0x8B758282, 0x54504AC7, -- 0xD2AF05E4, 0x29388839, 0xC01BD702, 0xCB2C0F1C, 0x7C932665, 0x555B2F74, -- 0xA3AB8829, 0x86B63142, 0xF64B10EF, 0x0B8CC3BD, 0xEDD1CC5E, 0x687FEB69, -- 0xC9509D43, 0xFDB23FCE, 0xD951AE64, 0x1E425A31, 0xF600C838, 0x36AD004C, -- 0xCFF46AAA, 0xA40E329C, 0x7938DAD4, 0xA41D570D, 0xD43161C1, 0x62A69526, -- 0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9, 0xC6272B04, 0xEC9D1810, -- 0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 
0xE49F5235, 0xB854338A, 0x505DC82D, -- 0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374, 0x462D538C, 0xF9C9091B, -- 0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1, 0x2A281BF6, 0xEEAAC023, -- 0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B, 0x0077D9B4, 0x587E38DA, -- 0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF, 0x350511E3, 0xA00EF092, -- 0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7, 0x4CFDB477, 0x388147FB, -- 0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657, 0x4C701C3A, 0xB38E8C33, -- 0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432, 0xCAF53EA6, 0x23BA4442, -- 0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6, 0x5E0DD902, 0xC68A007E, -- 0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD, -- 0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3, -- 0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01, -- 0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D, -- 0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3, -- 0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B, -- 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5, -- 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452, -- 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA, -- 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE, -- 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, -- 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, -- 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, -- 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, -- 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, -- 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, -- 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, -- 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, -- 
0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, -- 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, -- 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xC5C6424C, 0xD68C8BB7), -+ BN_DEF(0x838FF88C, 0x011E2A94), BN_DEF(0xA9F4614E, 0x0822E506), -+ BN_DEF(0xF7A8443D, 0x97D11D49), BN_DEF(0x30677F0D, 0xA6BBFDE5), -+ BN_DEF(0xC1FE86FE, 0x2F741EF8), BN_DEF(0x5D71A87E, 0xFAFABE1C), -+ BN_DEF(0xFBE58A30, 0xDED2FBAB), BN_DEF(0x72B0A66E, 0xB6855DFE), -+ BN_DEF(0xBA8A4FE8, 0x1EFC8CE0), BN_DEF(0x3F2FA457, 0x83F81D4A), -+ BN_DEF(0xA577E231, 0xA1FE3075), BN_DEF(0x88D9C0A0, 0xD5B80194), -+ BN_DEF(0xAD9A95F9, 0x624816CD), BN_DEF(0x50C1217B, 0x99E9E316), -+ BN_DEF(0x0E423CFC, 0x51AA691E), BN_DEF(0x3826E52C, 0x1C217E6C), -+ BN_DEF(0x09703FEE, 0x51A8A931), BN_DEF(0x6A460E74, 0xBB709987), -+ BN_DEF(0x9C86B022, 0x541FC68C), BN_DEF(0x46FD8251, 0x59160CC0), -+ BN_DEF(0x35C35F5C, 0x2846C0BA), BN_DEF(0x8B758282, 0x54504AC7), -+ BN_DEF(0xD2AF05E4, 0x29388839), BN_DEF(0xC01BD702, 0xCB2C0F1C), -+ BN_DEF(0x7C932665, 0x555B2F74), BN_DEF(0xA3AB8829, 0x86B63142), -+ BN_DEF(0xF64B10EF, 0x0B8CC3BD), BN_DEF(0xEDD1CC5E, 0x687FEB69), -+ BN_DEF(0xC9509D43, 0xFDB23FCE), BN_DEF(0xD951AE64, 0x1E425A31), -+ BN_DEF(0xF600C838, 0x36AD004C), BN_DEF(0xCFF46AAA, 0xA40E329C), -+ BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526), -+ BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9), -+ BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5), -+ BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D), -+ BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374), -+ BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58), -+ BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023), -+ BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B), -+ BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C), -+ BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 
0xA00EF092), -+ BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7), -+ BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E), -+ BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33), -+ BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432), -+ BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C), -+ BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E), -+ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), -+ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), -+ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), -+ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), -+ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), -+ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), -+ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), -+ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), -+ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), -+ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), -+ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), -+ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), -+ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), -+ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), -+ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), -+ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), -+ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), -+ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), -+ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), -+ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), -+ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), -+ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), -+ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), -+ BN_DEF(0x483A797A, 0x30ACCA4F), 
BN_DEF(0x36ADE735, 0x1DF158A1), -+ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), -+ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), -+ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), -+ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), -+ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), -+ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), -+ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG ffdhe8192_q[] = { -+ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0xE2E32126, 0x6B4645DB), -+ BN_DEF(0x41C7FC46, 0x008F154A), BN_DEF(0x54FA30A7, 0x84117283), -+ BN_DEF(0xFBD4221E, 0xCBE88EA4), BN_DEF(0x9833BF86, 0x535DFEF2), -+ BN_DEF(0x60FF437F, 0x17BA0F7C), BN_DEF(0x2EB8D43F, 0x7D7D5F0E), -+ BN_DEF(0xFDF2C518, 0x6F697DD5), BN_DEF(0x39585337, 0x5B42AEFF), -+ BN_DEF(0x5D4527F4, 0x8F7E4670), BN_DEF(0x1F97D22B, 0xC1FC0EA5), -+ BN_DEF(0xD2BBF118, 0x50FF183A), BN_DEF(0x446CE050, 0xEADC00CA), -+ BN_DEF(0xD6CD4AFC, 0xB1240B66), BN_DEF(0x286090BD, 0x4CF4F18B), -+ BN_DEF(0x07211E7E, 0x28D5348F), BN_DEF(0x1C137296, 0x0E10BF36), -+ BN_DEF(0x84B81FF7, 0x28D45498), BN_DEF(0xB523073A, 0x5DB84CC3), -+ BN_DEF(0x4E435811, 0xAA0FE346), BN_DEF(0x237EC128, 0x2C8B0660), -+ BN_DEF(0x1AE1AFAE, 0x1423605D), BN_DEF(0xC5BAC141, 0x2A282563), -+ BN_DEF(0xE95782F2, 0x149C441C), BN_DEF(0x600DEB81, 0xE596078E), -+ BN_DEF(0x3E499332, 0xAAAD97BA), BN_DEF(0x51D5C414, 0xC35B18A1), -+ BN_DEF(0xFB258877, 0x05C661DE), BN_DEF(0xF6E8E62F, 0xB43FF5B4), -+ BN_DEF(0x64A84EA1, 0x7ED91FE7), BN_DEF(0xECA8D732, 0x0F212D18), -+ BN_DEF(0x7B00641C, 0x1B568026), BN_DEF(0x67FA3555, 0x5207194E), -+ BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93), -+ BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC), -+ BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA), -+ BN_DEF(0xE4ADC88B, 0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416), -+ BN_DEF(0x8AB15423, 
0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA), -+ BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC), -+ BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011), -+ BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725), -+ BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6), -+ BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849), -+ BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB), -+ BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F), -+ BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619), -+ BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19), -+ BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96), -+ BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F), -+ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), -+ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), -+ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), -+ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), -+ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), -+ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), -+ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), -+ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), -+ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), -+ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), -+ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), -+ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), -+ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), -+ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), -+ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), -+ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), -+ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), -+ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), -+ 
BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E),
-+ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70),
-+ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3),
-+ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B),
-+ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1),
-+ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50),
-+ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638),
-+ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA),
-+ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A),
-+ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1),
-+ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20),
-+ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10),
-+ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF),
- };
- 
--# else
--# error "unsupported BN_BITS2"
--# endif
--
- 
- /* Macro to make a BIGNUM from static data */
- 
- # define make_dh_bn(x) extern const BIGNUM _bignum_##x; \
-@@ -489,24 +1010,42 @@ static const BN_ULONG ffdhe8192_p[] = {
- 
- static const BN_ULONG value_2 = 2;
- 
--const BIGNUM _bignum_const_2 =
-- { (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA };
-+const BIGNUM _bignum_const_2 = {
-+ (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA
-+};
- 
- make_dh_bn(dh1024_160_p)
--make_dh_bn(dh1024_160_g)
- make_dh_bn(dh1024_160_q)
-+make_dh_bn(dh1024_160_g)
- make_dh_bn(dh2048_224_p)
--make_dh_bn(dh2048_224_g)
- make_dh_bn(dh2048_224_q)
-+make_dh_bn(dh2048_224_g)
- make_dh_bn(dh2048_256_p)
--make_dh_bn(dh2048_256_g)
- make_dh_bn(dh2048_256_q)
-+make_dh_bn(dh2048_256_g)
- 
- make_dh_bn(ffdhe2048_p)
-+make_dh_bn(ffdhe2048_q)
- make_dh_bn(ffdhe3072_p)
-+make_dh_bn(ffdhe3072_q)
- make_dh_bn(ffdhe4096_p)
-+make_dh_bn(ffdhe4096_q)
- make_dh_bn(ffdhe6144_p)
-+make_dh_bn(ffdhe6144_q)
- make_dh_bn(ffdhe8192_p)
-+make_dh_bn(ffdhe8192_q)
- 
-+make_dh_bn(modp_1536_p)
-+make_dh_bn(modp_1536_q)
-+make_dh_bn(modp_2048_p)
-+make_dh_bn(modp_2048_q)
-+make_dh_bn(modp_3072_p)
-+make_dh_bn(modp_3072_q)
-+make_dh_bn(modp_4096_p)
-+make_dh_bn(modp_4096_q)
-+make_dh_bn(modp_6144_p)
-+make_dh_bn(modp_6144_q)
-+make_dh_bn(modp_8192_p)
-+make_dh_bn(modp_8192_q)
- 
--#endif
-+#endif /* OPENSSL_NO_DH */
-diff -up openssl-1.1.1j/crypto/dh/dh_check.c.fips-dh openssl-1.1.1j/crypto/dh/dh_check.c
---- openssl-1.1.1j/crypto/dh/dh_check.c.fips-dh 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/crypto/dh/dh_check.c 2021-03-03 14:23:27.404092427 +0100
-@@ -10,6 +10,7 @@
- #include
- #include "internal/cryptlib.h"
- #include
-+#include
- #include "dh_local.h"
- 
- # define DH_NUMBER_ITERATIONS_FOR_PRIME 64
-@@ -41,6 +42,12 @@ int DH_check_params(const DH *dh, int *r
- BIGNUM *tmp = NULL;
- BN_CTX *ctx = NULL;
- 
-+ if (FIPS_mode()) {
-+ int nid = dh->nid == NID_undef ? DH_get_nid(dh) : dh->nid;
-+
-+ return nid != NID_undef;
-+ }
-+
- *ret = 0;
- ctx = BN_CTX_new();
- if (ctx == NULL)
-@@ -95,6 +102,7 @@ int DH_check_ex(const DH *dh)
- return errflags == 0;
- }
- 
-+/* Note: according to documentation - this only checks the params */
- int DH_check(const DH *dh, int *ret)
- {
- int ok = 0, r;
-@@ -104,6 +112,9 @@ int DH_check(const DH *dh, int *ret)
- if (!DH_check_params(dh, ret))
- return 0;
- 
-+ if (FIPS_mode()) /* we allow only well-known params */
-+ return 1;
-+
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
-@@ -177,7 +188,7 @@ int DH_check_pub_key_ex(const DH *dh, co
- return errflags == 0;
- }
- 
--int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
-+static int dh_check_pub_key_int(const DH *dh, const BIGNUM *q, const BIGNUM *pub_key, int *ret)
- {
- int ok = 0;
- BIGNUM *tmp = NULL;
-@@ -198,9 +209,9 @@ int DH_check_pub_key(const DH *dh, const
- if (BN_cmp(pub_key, tmp) >= 0)
- *ret |= DH_CHECK_PUBKEY_TOO_LARGE;
- 
-- if (dh->q != NULL) {
-+ if (q != NULL) {
- /* Check pub_key^q == 1 mod p */
-- if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx))
-+ if (!BN_mod_exp(tmp,
pub_key, q, dh->p, ctx))
- goto err;
- if (!BN_is_one(tmp))
- *ret |= DH_CHECK_PUBKEY_INVALID;
-@@ -212,3 +223,23 @@ int DH_check_pub_key(const DH *dh, const
- BN_CTX_free(ctx);
- return ok;
- }
-+
-+int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret)
-+{
-+ return dh_check_pub_key_int(dh, dh->q, pub_key, ret);
-+}
-+
-+int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret)
-+{
-+ BIGNUM *q = dh->q;
-+
-+ if (q == NULL) {
-+ if (dh_get_known_q(dh, &q) == 0) {
-+ *ret |= DH_CHECK_INVALID_Q_VALUE;
-+ return 0;
-+ }
-+ }
-+
-+ return dh_check_pub_key_int(dh, q, pub_key, ret);
-+}
-+
-diff -up openssl-1.1.1j/crypto/dh/dh_gen.c.fips-dh openssl-1.1.1j/crypto/dh/dh_gen.c
---- openssl-1.1.1j/crypto/dh/dh_gen.c.fips-dh 2021-03-03 14:23:27.338091859 +0100
-+++ openssl-1.1.1j/crypto/dh/dh_gen.c 2021-03-03 14:23:27.404092427 +0100
-@@ -27,8 +27,7 @@ int DH_generate_parameters_ex(DH *ret, i
- BN_GENCB *cb)
- {
- #ifdef OPENSSL_FIPS
-- if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD)
-- && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) {
-+ if (FIPS_mode()) {
- DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD);
- return 0;
- }
-@@ -75,18 +74,6 @@ static int dh_builtin_genparams(DH *ret,
- int g, ok = -1;
- BN_CTX *ctx = NULL;
- 
--#ifdef OPENSSL_FIPS
-- if (FIPS_selftest_failed()) {
-- FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED);
-- return 0;
-- }
--
-- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) {
-- DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL);
-- goto err;
-- }
--#endif
--
- ctx = BN_CTX_new();
- if (ctx == NULL)
- goto err;
-diff -up openssl-1.1.1j/crypto/dh/dh_key.c.fips-dh openssl-1.1.1j/crypto/dh/dh_key.c
---- openssl-1.1.1j/crypto/dh/dh_key.c.fips-dh 2021-03-03 14:23:27.338091859 +0100
-+++ openssl-1.1.1j/crypto/dh/dh_key.c 2021-03-03 14:51:36.235296236 +0100
-@@ -120,10 +120,18 @@ static int generate_key(DH *dh)
- BIGNUM *pub_key = NULL, *priv_key = NULL;
- 
- 
#ifdef OPENSSL_FIPS
-- if (FIPS_mode()
-- && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) {
-- DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
-- return 0;
-+ if (FIPS_mode()) {
-+ if (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS) {
-+ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL);
-+ return 0;
-+ }
-+ if (dh->nid == NID_undef)
-+ dh_cache_nid(dh);
-+ if (dh->nid == NID_undef || dh->length > BN_num_bits(dh->p) - 2
-+ || dh->length < 224) {
-+ DHerr(DH_F_GENERATE_KEY, DH_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
- }
- #endif
- 
-@@ -159,7 +167,15 @@ static int generate_key(DH *dh)
- }
- 
- if (generate_new_key) {
-- if (dh->q) {
-+ if (FIPS_mode()) {
-+ do {
-+ if (!BN_priv_rand(priv_key, dh->length, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY))
-+ goto err;
-+ if (!BN_add_word(priv_key, 1))
-+ goto err;
-+ }
-+ while (BN_num_bits(priv_key) > dh->length);
-+ } else if (dh->q) {
- do {
- if (!BN_priv_rand_range(priv_key, dh->q))
- goto err;
-@@ -195,6 +211,15 @@ static int generate_key(DH *dh)
- }
- /* We MUST free prk before any further use of priv_key */
- BN_clear_free(prk);
-+
-+ if (FIPS_mode()) {
-+ int check_result;
-+
-+ if (!dh_check_pub_key_full(dh, pub_key, &check_result) || check_result) {
-+ DHerr(DH_F_GENERATE_KEY, DH_R_INVALID_PUBKEY);
-+ goto err;
-+ }
-+ }
- }
- 
- dh->pub_key = pub_key;
-@@ -217,6 +242,7 @@ static int compute_key(unsigned char *ke
- BN_CTX *ctx = NULL;
- BN_MONT_CTX *mont = NULL;
- BIGNUM *tmp;
-+ BIGNUM *p1;
- int ret = -1;
- int check_result;
- 
-@@ -263,6 +289,18 @@ static int compute_key(unsigned char *ke
- DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
- goto err;
- }
-+
-+ if (BN_is_zero(tmp) || BN_is_one(tmp) || BN_is_negative(tmp)) {
-+ DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
-+ goto err;
-+ }
-+
-+ if ((p1 = BN_CTX_get(ctx)) == NULL
-+ || !BN_sub(p1, dh->p, BN_value_one())
-+ || BN_cmp(p1, tmp) <= 0) {
-+ DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB);
-+ goto err;
-+ }
- 
- ret = BN_bn2binpad(tmp, key, BN_num_bytes(dh->p));
- 
err:
-diff -up openssl-1.1.1j/crypto/dh/dh_lib.c.fips-dh openssl-1.1.1j/crypto/dh/dh_lib.c
---- openssl-1.1.1j/crypto/dh/dh_lib.c.fips-dh 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/crypto/dh/dh_lib.c 2021-03-03 14:23:27.405092436 +0100
-@@ -8,6 +8,7 @@
- */
- 
- #include
-+#include
- #include "internal/cryptlib.h"
- #include "internal/refcount.h"
- #include
-@@ -86,6 +87,8 @@ DH *DH_new_method(ENGINE *engine)
- goto err;
- }
- 
-+ ret->nid = NID_undef;
-+
- return ret;
- 
- err:
-@@ -205,7 +208,10 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU
- dh->g = g;
- }
- 
-- if (q != NULL) {
-+ dh->nid = NID_undef;
-+ dh_cache_nid(dh);
-+
-+ if (q != NULL && dh->nid == NID_undef) {
- dh->length = BN_num_bits(q);
- }
- 
-diff -up openssl-1.1.1j/crypto/dh/dh_local.h.fips-dh openssl-1.1.1j/crypto/dh/dh_local.h
---- openssl-1.1.1j/crypto/dh/dh_local.h.fips-dh 2021-03-03 14:23:27.202090689 +0100
-+++ openssl-1.1.1j/crypto/dh/dh_local.h 2021-03-03 14:23:27.405092436 +0100
-@@ -35,6 +35,7 @@ struct dh_st {
- const DH_METHOD *meth;
- ENGINE *engine;
- CRYPTO_RWLOCK *lock;
-+ int nid;
- };
- 
- struct dh_method {
-@@ -55,3 +56,10 @@ struct dh_method {
- int (*generate_params) (DH *dh, int prime_len, int generator,
- BN_GENCB *cb);
- };
-+
-+void dh_cache_nid(DH *dh);
-+/* Obtain known q value based on nid or p */
-+int dh_get_known_q(const DH *dh, BIGNUM **q);
-+/* FIPS mode only check which requires nid set and looks up q based on it. 
*/
-+int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret);
-+
-diff -up openssl-1.1.1j/crypto/dh/dh_rfc7919.c.fips-dh openssl-1.1.1j/crypto/dh/dh_rfc7919.c
---- openssl-1.1.1j/crypto/dh/dh_rfc7919.c.fips-dh 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/crypto/dh/dh_rfc7919.c 2021-03-03 14:23:27.405092436 +0100
-@@ -7,6 +7,8 @@
- * https://www.openssl.org/source/license.html
- */
- 
-+/* DH parameters from RFC7919 and RFC3526 */
-+
- #include
- #include "internal/cryptlib.h"
- #include "dh_local.h"
-@@ -14,14 +16,19 @@
- #include
- #include "crypto/bn_dh.h"
- 
--static DH *dh_param_init(const BIGNUM *p, int32_t nbits)
-+static DH *dh_param_init(int nid, const BIGNUM *p, const BIGNUM *q, int32_t nbits)
- {
- DH *dh = DH_new();
- if (dh == NULL)
- return NULL;
- dh->p = (BIGNUM *)p;
-+ /*
-+ * We do not set q as it would enable the inefficient and
-+ * unnecessary pubkey modular exponentiation check.
-+ */
- dh->g = (BIGNUM *)&_bignum_const_2;
- dh->length = nbits;
-+ dh->nid = nid;
- return dh;
- }
- 
-@@ -29,46 +36,121 @@ DH *DH_new_by_nid(int nid)
- {
- switch (nid) {
- case NID_ffdhe2048:
-- return dh_param_init(&_bignum_ffdhe2048_p, 225);
-+ return dh_param_init(nid, &_bignum_ffdhe2048_p, &_bignum_ffdhe2048_q, 225);
- case NID_ffdhe3072:
-- return dh_param_init(&_bignum_ffdhe3072_p, 275);
-+ return dh_param_init(nid, &_bignum_ffdhe3072_p, &_bignum_ffdhe3072_q, 275);
- case NID_ffdhe4096:
-- return dh_param_init(&_bignum_ffdhe4096_p, 325);
-+ return dh_param_init(nid, &_bignum_ffdhe4096_p, &_bignum_ffdhe4096_q, 325);
- case NID_ffdhe6144:
-- return dh_param_init(&_bignum_ffdhe6144_p, 375);
-+ return dh_param_init(nid, &_bignum_ffdhe6144_p, &_bignum_ffdhe6144_q, 375);
- case NID_ffdhe8192:
-- return dh_param_init(&_bignum_ffdhe8192_p, 400);
-+ return dh_param_init(nid, &_bignum_ffdhe8192_p, &_bignum_ffdhe8192_q, 400);
-+ case NID_modp_2048:
-+ return dh_param_init(nid, &_bignum_modp_2048_p, &_bignum_modp_2048_q, 225);
-+ case 
NID_modp_3072:
-+ return dh_param_init(nid, &_bignum_modp_3072_p, &_bignum_modp_3072_q, 275);
-+ case NID_modp_4096:
-+ return dh_param_init(nid, &_bignum_modp_4096_p, &_bignum_modp_4096_q, 325);
-+ case NID_modp_6144:
-+ return dh_param_init(nid, &_bignum_modp_6144_p, &_bignum_modp_6144_q, 375);
-+ case NID_modp_8192:
-+ return dh_param_init(nid, &_bignum_modp_8192_p, &_bignum_modp_8192_q, 400);
-+ case NID_modp_1536:
-+ if (!FIPS_mode())
-+ return dh_param_init(nid, &_bignum_modp_1536_p, &_bignum_modp_1536_q, 175);
-+ /* fallthrough */
- default:
- DHerr(DH_F_DH_NEW_BY_NID, DH_R_INVALID_PARAMETER_NID);
- return NULL;
- }
- }
- 
--int DH_get_nid(const DH *dh)
-+static int dh_match_group(const DH *dh, BIGNUM **qout, int *lout)
- {
- int nid;
-+ const BIGNUM *q;
-+ int length;
- 
- if (BN_get_word(dh->g) != 2)
- return NID_undef;
-- if (!BN_cmp(dh->p, &_bignum_ffdhe2048_p))
-+
-+ if (dh->nid == NID_ffdhe2048 || !BN_cmp(dh->p, &_bignum_ffdhe2048_p)) {
- nid = NID_ffdhe2048;
-- else if (!BN_cmp(dh->p, &_bignum_ffdhe3072_p))
-+ q = &_bignum_ffdhe2048_q;
-+ length = 225;
-+ } else if (dh->nid == NID_ffdhe3072 || !BN_cmp(dh->p, &_bignum_ffdhe3072_p)) {
- nid = NID_ffdhe3072;
-- else if (!BN_cmp(dh->p, &_bignum_ffdhe4096_p))
-+ q = &_bignum_ffdhe3072_q;
-+ length = 275;
-+ } else if (dh->nid == NID_ffdhe4096 || !BN_cmp(dh->p, &_bignum_ffdhe4096_p)) {
- nid = NID_ffdhe4096;
-- else if (!BN_cmp(dh->p, &_bignum_ffdhe6144_p))
-+ q = &_bignum_ffdhe4096_q;
-+ length = 325;
-+ } else if (dh->nid == NID_ffdhe6144 || !BN_cmp(dh->p, &_bignum_ffdhe6144_p)) {
- nid = NID_ffdhe6144;
-- else if (!BN_cmp(dh->p, &_bignum_ffdhe8192_p))
-+ q = &_bignum_ffdhe6144_q;
-+ length = 375;
-+ } else if (dh->nid == NID_ffdhe8192 || !BN_cmp(dh->p, &_bignum_ffdhe8192_p)) {
- nid = NID_ffdhe8192;
-- else
-+ q = &_bignum_ffdhe8192_q;
-+ length = 400;
-+ } else if (dh->nid == NID_modp_2048 || !BN_cmp(dh->p, &_bignum_modp_2048_p)) {
-+ nid = NID_modp_2048;
-+ q = &_bignum_modp_2048_q;
-+ length = 225;
-+ } 
else if (dh->nid == NID_modp_3072 || !BN_cmp(dh->p, &_bignum_modp_3072_p)) {
-+ nid = NID_modp_3072;
-+ q = &_bignum_modp_3072_q;
-+ length = 275;
-+ } else if (dh->nid == NID_modp_4096 || !BN_cmp(dh->p, &_bignum_modp_4096_p)) {
-+ nid = NID_modp_4096;
-+ q = &_bignum_modp_4096_q;
-+ length = 325;
-+ } else if (dh->nid == NID_modp_6144 || !BN_cmp(dh->p, &_bignum_modp_6144_p)) {
-+ nid = NID_modp_6144;
-+ q = &_bignum_modp_6144_q;
-+ length = 375;
-+ } else if (dh->nid == NID_modp_8192 || !BN_cmp(dh->p, &_bignum_modp_8192_p)) {
-+ nid = NID_modp_8192;
-+ q = &_bignum_modp_8192_q;
-+ length = 400;
-+ } else if (!FIPS_mode() && (dh->nid == NID_modp_1536 || !BN_cmp(dh->p, &_bignum_modp_1536_p))) {
-+ nid = NID_modp_1536;
-+ q = &_bignum_modp_1536_q;
-+ length = 175;
-+ } else {
- return NID_undef;
-+ }
-+
- if (dh->q != NULL) {
-- BIGNUM *q = BN_dup(dh->p);
-+ /* Check that q matches the known q. */
-+ if (BN_cmp(dh->q, q))
-+ return NID_undef;
-+ } else if (qout != NULL) {
-+ *qout = (BIGNUM *)q;
-+ }
- 
-- /* Check q = p * 2 + 1 we already know q is odd, so just shift right */
-- if (q == NULL || !BN_rshift1(q, q) || !BN_cmp(dh->q, q))
-- nid = NID_undef;
-- BN_free(q);
-+ if (lout != NULL) {
-+ *lout = length;
- }
- return nid;
- }
-+
-+int DH_get_nid(const DH *dh)
-+{
-+ if (dh->nid != NID_undef) {
-+ return dh->nid;
-+ }
-+ return dh_match_group(dh, NULL, NULL);
-+}
-+
-+void dh_cache_nid(DH *dh)
-+{
-+ dh->nid = dh_match_group(dh, NULL, &dh->length);
-+}
-+
-+int dh_get_known_q(const DH *dh, BIGNUM **q)
-+{
-+ return dh_match_group(dh, q, NULL) != NID_undef;
-+}
-+
-diff -up openssl-1.1.1j/crypto/ec/ec_key.c.fips-dh openssl-1.1.1j/crypto/ec/ec_key.c
---- openssl-1.1.1j/crypto/ec/ec_key.c.fips-dh 2021-03-03 14:23:27.339091868 +0100
-+++ openssl-1.1.1j/crypto/ec/ec_key.c 2021-03-03 14:23:27.405092436 +0100
-@@ -281,9 +281,18 @@ int ec_key_simple_generate_key(EC_KEY *e
- if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx))
- goto err;
- 
-- 
eckey->priv_key = priv_key;
- eckey->pub_key = pub_key;
- 
-+ if (FIPS_mode()) {
-+ eckey->priv_key = NULL;
-+ if (EC_KEY_check_key(eckey) <= 0) {
-+ eckey->pub_key = NULL;
-+ goto err;
-+ }
-+ }
-+
-+ eckey->priv_key = priv_key;
-+
- ok = 1;
- 
- err:
-@@ -297,8 +306,23 @@ int ec_key_simple_generate_key(EC_KEY *e
- 
- int ec_key_simple_generate_public_key(EC_KEY *eckey)
- {
-- return EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL,
-+ BIGNUM *priv_key;
-+ int ret = EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL,
- NULL, NULL);
-+
-+ if (ret <= 0 || !FIPS_mode())
-+ return ret;
-+
-+ /* no need to perform private key test, temporarily hide it */
-+ priv_key = eckey->priv_key;
-+ eckey->priv_key = NULL;
-+ ret = EC_KEY_check_key(eckey);
-+ eckey->priv_key = priv_key;
-+
-+ if (ret <= 0)
-+ EC_POINT_set_to_infinity(eckey->group, eckey->pub_key);
-+
-+ return ret;
- }
- 
- int EC_KEY_check_key(const EC_KEY *eckey)
-diff -up openssl-1.1.1j/crypto/evp/p_lib.c.fips-dh openssl-1.1.1j/crypto/evp/p_lib.c
---- openssl-1.1.1j/crypto/evp/p_lib.c.fips-dh 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/crypto/evp/p_lib.c 2021-03-03 14:23:27.405092436 +0100
-@@ -540,7 +540,8 @@ EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *p
- 
- int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key)
- {
-- int type = DH_get0_q(key) == NULL ? EVP_PKEY_DH : EVP_PKEY_DHX;
-+ int type = DH_get0_q(key) == NULL || DH_get_nid(key) != NID_undef ? 
-+ EVP_PKEY_DH : EVP_PKEY_DHX;
- int ret = EVP_PKEY_assign(pkey, type, key);
- 
- if (ret)
-diff -up openssl-1.1.1j/crypto/objects/obj_dat.h.fips-dh openssl-1.1.1j/crypto/objects/obj_dat.h
---- openssl-1.1.1j/crypto/objects/obj_dat.h.fips-dh 2021-03-03 14:23:27.394092341 +0100
-+++ openssl-1.1.1j/crypto/objects/obj_dat.h 2021-03-03 14:23:27.406092444 +0100
-@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = {
- 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */
- };
- 
--#define NUM_NID 1199
-+#define NUM_NID 1205
- static const ASN1_OBJECT nid_objs[NUM_NID] = {
- {"UNDEF", "undefined", NID_undef},
- {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]},
-@@ -2279,9 +2279,15 @@ static const ASN1_OBJECT nid_objs[NUM_NI
- {"KBKDF", "kbkdf", NID_kbkdf},
- {"KRB5KDF", "krb5kdf", NID_krb5kdf},
- {"SSKDF", "sskdf", NID_sskdf},
-+ {"modp_1536", "modp_1536", NID_modp_1536},
-+ {"modp_2048", "modp_2048", NID_modp_2048},
-+ {"modp_3072", "modp_3072", NID_modp_3072},
-+ {"modp_4096", "modp_4096", NID_modp_4096},
-+ {"modp_6144", "modp_6144", NID_modp_6144},
-+ {"modp_8192", "modp_8192", NID_modp_8192},
- };
- 
--#define NUM_SN 1190
-+#define NUM_SN 1196
- static const unsigned int sn_objs[NUM_SN] = {
- 364, /* "AD_DVCS" */
- 419, /* "AES-128-CBC" */
-@@ -3127,6 +3133,12 @@ static const unsigned int sn_objs[NUM_SN
- 506, /* "mime-mhs-bodies" */
- 505, /* "mime-mhs-headings" */
- 488, /* "mobileTelephoneNumber" */
-+ 1199, /* "modp_1536" */
-+ 1200, /* "modp_2048" */
-+ 1201, /* "modp_3072" */
-+ 1202, /* "modp_4096" */
-+ 1203, /* "modp_6144" */
-+ 1204, /* "modp_8192" */
- 136, /* "msCTLSign" */
- 135, /* "msCodeCom" */
- 134, /* "msCodeInd" */
-@@ -3475,7 +3487,7 @@ static const unsigned int sn_objs[NUM_SN
- 1093, /* "x509ExtAdmission" */
- };
- 
--#define NUM_LN 1190
-+#define NUM_LN 1196
- static const unsigned int ln_objs[NUM_LN] = {
- 363, /* "AD Time Stamping" */
- 405, /* "ANSI X9.62" */
-@@ -4313,6 +4325,12 @@ static const 
unsigned int ln_objs[NUM_LN - 506, /* "mime-mhs-bodies" */ - 505, /* "mime-mhs-headings" */ - 488, /* "mobileTelephoneNumber" */ -+ 1199, /* "modp_1536" */ -+ 1200, /* "modp_2048" */ -+ 1201, /* "modp_3072" */ -+ 1202, /* "modp_4096" */ -+ 1203, /* "modp_6144" */ -+ 1204, /* "modp_8192" */ - 481, /* "nSRecord" */ - 173, /* "name" */ - 681, /* "onBasis" */ -diff -up openssl-1.1.1j/crypto/objects/objects.txt.fips-dh openssl-1.1.1j/crypto/objects/objects.txt ---- openssl-1.1.1j/crypto/objects/objects.txt.fips-dh 2021-03-03 14:23:27.395092350 +0100 -+++ openssl-1.1.1j/crypto/objects/objects.txt 2021-03-03 14:23:27.406092444 +0100 -@@ -1657,6 +1657,13 @@ id-pkinit 5 : pkInit - : ffdhe4096 - : ffdhe6144 - : ffdhe8192 -+# NIDs for RFC3526 DH parameters -+ : modp_1536 -+ : modp_2048 -+ : modp_3072 -+ : modp_4096 -+ : modp_6144 -+ : modp_8192 - - # OIDs for DSTU-4145/DSTU-7564 (http://zakon2.rada.gov.ua/laws/show/z0423-17) - -diff -up openssl-1.1.1j/crypto/objects/obj_mac.num.fips-dh openssl-1.1.1j/crypto/objects/obj_mac.num ---- openssl-1.1.1j/crypto/objects/obj_mac.num.fips-dh 2021-03-03 14:23:27.395092350 +0100 -+++ openssl-1.1.1j/crypto/objects/obj_mac.num 2021-03-03 14:23:27.406092444 +0100 -@@ -1196,3 +1196,9 @@ sshkdf 1195 - kbkdf 1196 - krb5kdf 1197 - sskdf 1198 -+modp_1536 1199 -+modp_2048 1200 -+modp_3072 1201 -+modp_4096 1202 -+modp_6144 1203 -+modp_8192 1204 -diff -up openssl-1.1.1j/doc/man3/DH_new_by_nid.pod.fips-dh openssl-1.1.1j/doc/man3/DH_new_by_nid.pod ---- openssl-1.1.1j/doc/man3/DH_new_by_nid.pod.fips-dh 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/doc/man3/DH_new_by_nid.pod 2021-03-03 14:23:27.406092444 +0100 -@@ -8,13 +8,15 @@ DH_new_by_nid, DH_get_nid - get or find - - #include - DH *DH_new_by_nid(int nid); -- int *DH_get_nid(const DH *dh); -+ int DH_get_nid(const DH *dh); - - =head1 DESCRIPTION - - DH_new_by_nid() creates and returns a DH structure containing named parameters - B. Currently B must be B, B, --B, B or B. 
-+B, B, B, -+B, B, B, -+B, B or B. - - DH_get_nid() determines if the parameters contained in B match - any named set. It returns the NID corresponding to the matching parameters or -diff -up openssl-1.1.1j/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh openssl-1.1.1j/doc/man3/EVP_PKEY_CTX_ctrl.pod ---- openssl-1.1.1j/doc/man3/EVP_PKEY_CTX_ctrl.pod.fips-dh 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/doc/man3/EVP_PKEY_CTX_ctrl.pod 2021-03-03 14:23:27.406092444 +0100 -@@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets - If B is zero (the default) then no padding is performed. - - EVP_PKEY_CTX_set_dh_nid() sets the DH parameters to values corresponding to --B as defined in RFC7919. The B parameter must be B, --B, B, B, B --or B to clear the stored value. This macro can be called during --parameter or key generation. -+I as defined in RFC7919 or RFC3526. The I parameter must be -+B, B, B, B, -+B, B, B, B, -+B, B, B or B to clear -+the stored value. This macro can be called during parameter or key generation. - The nid parameter and the rfc5114 parameter are mutually exclusive. - - The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are -diff -up openssl-1.1.1j/include/crypto/bn_dh.h.fips-dh openssl-1.1.1j/include/crypto/bn_dh.h ---- openssl-1.1.1j/include/crypto/bn_dh.h.fips-dh 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/include/crypto/bn_dh.h 2021-03-03 14:23:27.406092444 +0100 -@@ -1,7 +1,7 @@ - /* -- * Copyright 2015-2016 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved. - * -- * Licensed under the OpenSSL license (the "License"). You may not use -+ * Licensed under the Apache License 2.0 (the "License"). You may not use - * this file except in compliance with the License. 
You can obtain a copy - * in the file LICENSE in the source distribution or at - * https://www.openssl.org/source/license.html -@@ -9,16 +9,35 @@ - - #define declare_dh_bn(x) \ - extern const BIGNUM _bignum_dh##x##_p; \ -+ extern const BIGNUM _bignum_dh##x##_q; \ - extern const BIGNUM _bignum_dh##x##_g; \ -- extern const BIGNUM _bignum_dh##x##_q; - - declare_dh_bn(1024_160) - declare_dh_bn(2048_224) - declare_dh_bn(2048_256) - -+extern const BIGNUM _bignum_const_2; -+ - extern const BIGNUM _bignum_ffdhe2048_p; - extern const BIGNUM _bignum_ffdhe3072_p; - extern const BIGNUM _bignum_ffdhe4096_p; - extern const BIGNUM _bignum_ffdhe6144_p; - extern const BIGNUM _bignum_ffdhe8192_p; --extern const BIGNUM _bignum_const_2; -+extern const BIGNUM _bignum_ffdhe2048_q; -+extern const BIGNUM _bignum_ffdhe3072_q; -+extern const BIGNUM _bignum_ffdhe4096_q; -+extern const BIGNUM _bignum_ffdhe6144_q; -+extern const BIGNUM _bignum_ffdhe8192_q; -+ -+extern const BIGNUM _bignum_modp_1536_p; -+extern const BIGNUM _bignum_modp_2048_p; -+extern const BIGNUM _bignum_modp_3072_p; -+extern const BIGNUM _bignum_modp_4096_p; -+extern const BIGNUM _bignum_modp_6144_p; -+extern const BIGNUM _bignum_modp_8192_p; -+extern const BIGNUM _bignum_modp_1536_q; -+extern const BIGNUM _bignum_modp_2048_q; -+extern const BIGNUM _bignum_modp_3072_q; -+extern const BIGNUM _bignum_modp_4096_q; -+extern const BIGNUM _bignum_modp_6144_q; -+extern const BIGNUM _bignum_modp_8192_q; -diff -up openssl-1.1.1j/include/openssl/obj_mac.h.fips-dh openssl-1.1.1j/include/openssl/obj_mac.h ---- openssl-1.1.1j/include/openssl/obj_mac.h.fips-dh 2021-03-03 14:23:27.396092358 +0100 -+++ openssl-1.1.1j/include/openssl/obj_mac.h 2021-03-03 14:23:27.407092453 +0100 -@@ -5115,6 +5115,24 @@ - #define SN_ffdhe8192 "ffdhe8192" - #define NID_ffdhe8192 1130 - -+#define SN_modp_1536 "modp_1536" -+#define NID_modp_1536 1199 -+ -+#define SN_modp_2048 "modp_2048" -+#define NID_modp_2048 1200 -+ -+#define SN_modp_3072 "modp_3072" 
-+#define NID_modp_3072 1201 -+ -+#define SN_modp_4096 "modp_4096" -+#define NID_modp_4096 1202 -+ -+#define SN_modp_6144 "modp_6144" -+#define NID_modp_6144 1203 -+ -+#define SN_modp_8192 "modp_8192" -+#define NID_modp_8192 1204 -+ - #define SN_ISO_UA "ISO-UA" - #define NID_ISO_UA 1150 - #define OBJ_ISO_UA OBJ_member_body,804L -diff -up openssl-1.1.1j/ssl/s3_lib.c.fips-dh openssl-1.1.1j/ssl/s3_lib.c ---- openssl-1.1.1j/ssl/s3_lib.c.fips-dh 2021-03-03 14:23:27.354091997 +0100 -+++ openssl-1.1.1j/ssl/s3_lib.c 2021-03-03 14:23:27.407092453 +0100 -@@ -4849,13 +4849,51 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey - EVP_PKEY *ssl_dh_to_pkey(DH *dh) - { - EVP_PKEY *ret; -+ DH *dhp = NULL; -+ - if (dh == NULL) - return NULL; -+ -+ if (FIPS_mode() && DH_get_nid(dh) == NID_undef) { -+ int bits = DH_bits(dh); -+ BIGNUM *p, *g; -+ -+ dhp = DH_new(); -+ if (dhp == NULL) -+ return NULL; -+ g = BN_new(); -+ if (g == NULL || !BN_set_word(g, 2)) { -+ DH_free(dhp); -+ BN_free(g); -+ return NULL; -+ } -+ -+ if (bits >= 7000) -+ p = BN_get_rfc3526_prime_8192(NULL); -+ else if (bits >= 5000) -+ p = BN_get_rfc3526_prime_6144(NULL); -+ else if (bits >= 3800) -+ p = BN_get_rfc3526_prime_4096(NULL); -+ else if (bits >= 2500) -+ p = BN_get_rfc3526_prime_3072(NULL); -+ else -+ p = BN_get_rfc3526_prime_2048(NULL); -+ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { -+ DH_free(dhp); -+ BN_free(p); -+ BN_free(g); -+ return NULL; -+ } -+ dh = dhp; -+ } -+ - ret = EVP_PKEY_new(); - if (EVP_PKEY_set1_DH(ret, dh) <= 0) { -+ DH_free(dhp); - EVP_PKEY_free(ret); - return NULL; - } -+ DH_free(dhp); - return ret; - } - #endif -diff -up openssl-1.1.1j/ssl/t1_lib.c.fips-dh openssl-1.1.1j/ssl/t1_lib.c ---- openssl-1.1.1j/ssl/t1_lib.c.fips-dh 2021-03-03 14:23:27.401092401 +0100 -+++ openssl-1.1.1j/ssl/t1_lib.c 2021-03-03 14:23:27.407092453 +0100 -@@ -2542,7 +2542,7 @@ DH *ssl_get_auto_dh(SSL *s) - p = BN_get_rfc3526_prime_4096(NULL); - else if (dh_secbits >= 128) - p = BN_get_rfc3526_prime_3072(NULL); -- 
else if (dh_secbits >= 112) -+ else if (dh_secbits >= 112 || FIPS_mode()) - p = BN_get_rfc3526_prime_2048(NULL); - else - p = BN_get_rfc2409_prime_1024(NULL); diff --git a/SOURCES/openssl-1.1.1-fips-drbg-selftest.patch b/SOURCES/openssl-1.1.1-fips-drbg-selftest.patch deleted file mode 100644 index b800c06..0000000 --- a/SOURCES/openssl-1.1.1-fips-drbg-selftest.patch +++ /dev/null 
@@ -1,587 +0,0 @@ -diff -up openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest openssl-1.1.1g/crypto/fips/fips_post.c ---- openssl-1.1.1g/crypto/fips/fips_post.c.drbg-selftest 2020-04-23 13:33:12.500624151 +0200 -+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-04-23 13:33:12.618621925 +0200 -@@ -67,12 +67,18 @@ - - # include - # include "crypto/fips.h" -+# include "crypto/rand.h" - # include "fips_locl.h" - - /* Run all selftests */ - int FIPS_selftest(void) - { - int rv = 1; -+ if (!rand_drbg_selftest()) { -+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_TEST_FAILURE); -+ ERR_add_error_data(2, "Type=", "rand_drbg_selftest"); -+ rv = 0; -+ } - if (!FIPS_selftest_drbg()) - rv = 0; - if (!FIPS_selftest_sha1()) -diff -up openssl-1.1.1g/crypto/rand/build.info.drbg-selftest openssl-1.1.1g/crypto/rand/build.info ---- openssl-1.1.1g/crypto/rand/build.info.drbg-selftest 2020-04-23 13:33:12.619621907 +0200 -+++ openssl-1.1.1g/crypto/rand/build.info 2020-04-23 13:34:10.857523497 +0200 -@@ -1,6 +1,6 @@ - LIBS=../../libcrypto - SOURCE[../../libcrypto]=\ - randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \ -- rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c -+ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c - - INCLUDE[drbg_ctr.o]=../modes -diff -up openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest openssl-1.1.1g/crypto/rand/drbg_selftest.c ---- openssl-1.1.1g/crypto/rand/drbg_selftest.c.drbg-selftest 2020-04-23 13:33:12.619621907 +0200 -+++ openssl-1.1.1g/crypto/rand/drbg_selftest.c 2020-04-23 13:33:12.619621907 +0200 -@@ -0,0 +1,537 @@ -+/* -+ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the OpenSSL license (the "License"). You may not use -+ * this file except in compliance with the License. 
You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include -+#include -+#include "internal/nelem.h" -+#include -+#include -+#include -+#include -+#include "internal/thread_once.h" -+#include "crypto/rand.h" -+ -+typedef struct test_ctx_st { -+ const unsigned char *entropy; -+ size_t entropylen; -+ int entropycnt; -+ const unsigned char *nonce; -+ size_t noncelen; -+ int noncecnt; -+} TEST_CTX; -+ -+static int app_data_index = -1; -+static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT; -+DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init) -+{ -+ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); -+ -+ return 1; -+} -+ -+enum drbg_kat_type { -+ NO_RESEED, -+ PR_FALSE, -+ PR_TRUE -+}; -+ -+enum drbg_df { -+ USE_DF, -+ NO_DF, -+ NA -+}; -+ -+struct drbg_kat_no_reseed { -+ size_t count; -+ const unsigned char *entropyin; -+ const unsigned char *nonce; -+ const unsigned char *persstr; -+ const unsigned char *addin1; -+ const unsigned char *addin2; -+ const unsigned char *retbytes; -+}; -+ -+struct drbg_kat_pr_false { -+ size_t count; -+ const unsigned char *entropyin; -+ const unsigned char *nonce; -+ const unsigned char *persstr; -+ const unsigned char *entropyinreseed; -+ const unsigned char *addinreseed; -+ const unsigned char *addin1; -+ const unsigned char *addin2; -+ const unsigned char *retbytes; -+}; -+ -+struct drbg_kat_pr_true { -+ size_t count; -+ const unsigned char *entropyin; -+ const unsigned char *nonce; -+ const unsigned char *persstr; -+ const unsigned char *entropyinpr1; -+ const unsigned char *addin1; -+ const unsigned char *entropyinpr2; -+ const unsigned char *addin2; -+ const unsigned char *retbytes; -+}; -+ -+struct drbg_kat { -+ enum drbg_kat_type type; -+ enum drbg_df df; -+ int nid; -+ -+ size_t entropyinlen; -+ size_t noncelen; -+ size_t persstrlen; -+ size_t addinlen; -+ size_t retbyteslen; -+ -+ const void *t; -+}; -+ -+/* -+ * 
Excerpt from test/drbg_cavs_data.c -+ * DRBG test vectors from: -+ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/ -+ */ -+ -+static const unsigned char kat1308_entropyin[] = { -+ 0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c, -+ 0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7, -+ 0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97, -+ 0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52, -+}; -+static const unsigned char kat1308_nonce[] = {0}; -+static const unsigned char kat1308_persstr[] = { -+ 0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2, -+ 0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39, -+ 0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45, -+ 0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3, -+}; -+static const unsigned char kat1308_addin0[] = { -+ 0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e, -+ 0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a, -+ 0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a, -+ 0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c, -+}; -+static const unsigned char kat1308_addin1[] = { -+ 0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19, -+ 0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a, -+ 0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e, -+ 0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4, -+}; -+static const unsigned char kat1308_retbits[] = { -+ 0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2, -+ 0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92, -+ 0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f, -+ 0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63, -+ 0x3e, 0xde, 
0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53, -+ 0x26, 0x32, 0xd0, 0xb8, -+}; -+static const struct drbg_kat_no_reseed kat1308_t = { -+ 2, kat1308_entropyin, kat1308_nonce, kat1308_persstr, -+ kat1308_addin0, kat1308_addin1, kat1308_retbits -+}; -+static const struct drbg_kat kat1308 = { -+ NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t -+}; -+ -+static const unsigned char kat1465_entropyin[] = { -+ 0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64, -+ 0x87, 0xbe, 0xaa, 0xc0, -+}; -+static const unsigned char kat1465_nonce[] = { -+ 0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85, -+}; -+static const unsigned char kat1465_persstr[] = {0}; -+static const unsigned char kat1465_entropyinreseed[] = { -+ 0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5, -+ 0x1f, 0x4b, 0x7b, 0x51, -+}; -+static const unsigned char kat1465_addinreseed[] = { -+ 0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12, -+ 0x61, 0x9f, 0x26, 0x5f, -+}; -+static const unsigned char kat1465_addin0[] = { -+ 0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6, -+ 0x10, 0x5a, 0x73, 0x9c, -+}; -+static const unsigned char kat1465_addin1[] = { -+ 0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18, -+ 0x47, 0x99, 0x1f, 0xeb, -+}; -+static const unsigned char kat1465_retbits[] = { -+ 0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d, -+ 0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb, -+ 0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52, -+ 0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e, -+ 0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41, -+ 0x58, 0xdb, 0x27, 0xba, -+}; -+static const struct drbg_kat_pr_false kat1465_t = { -+ 9, kat1465_entropyin, kat1465_nonce, kat1465_persstr, -+ kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0, -+ kat1465_addin1, 
kat1465_retbits -+}; -+static const struct drbg_kat kat1465 = { -+ PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t -+}; -+ -+static const unsigned char kat3146_entropyin[] = { -+ 0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3, -+ 0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4, -+}; -+static const unsigned char kat3146_nonce[] = { -+ 0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3, -+ 0x50, 0x86, 0xca, 0xca, -+}; -+static const unsigned char kat3146_persstr[] = {0}; -+static const unsigned char kat3146_entropyinpr1[] = { -+ 0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda, -+ 0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15, -+}; -+static const unsigned char kat3146_addinpr1[] = { -+ 0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1, -+ 0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90, -+ 0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99, -+}; -+static const unsigned char kat3146_entropyinpr2[] = { -+ 0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7, -+ 0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34, -+}; -+static const unsigned char kat3146_addinpr2[] = { -+ 0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c, -+ 0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3, -+ 0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6, -+}; -+static const unsigned char kat3146_retbits[] = { -+ 0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f, -+ 0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28, -+ 0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76, -+ 0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87, -+ 0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45, -+ 0xd4, 0x30, 0x73, 0xbb, -+}; -+static const struct drbg_kat_pr_true 
kat3146_t = { -+ 10, kat3146_entropyin, kat3146_nonce, kat3146_persstr, -+ kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2, -+ kat3146_addinpr2, kat3146_retbits -+}; -+static const struct drbg_kat kat3146 = { -+ PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t -+}; -+ -+static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 }; -+ -+static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test); -+ -+static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len, -+ int prediction_resistance) -+{ -+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); -+ -+ t->entropycnt++; -+ *pout = (unsigned char *)t->entropy; -+ return t->entropylen; -+} -+ -+static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len) -+{ -+ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); -+ -+ t->noncecnt++; -+ *pout = (unsigned char *)t->nonce; -+ return t->noncelen; -+} -+ -+/* -+ * Do a single NO_RESEED KAT: -+ * -+ * Instantiate -+ * Generate Random Bits (pr=false) -+ * Generate Random Bits (pr=false) -+ * Uninstantiate -+ * -+ * Return 0 on failure. 
-+ */ -+static int single_kat_no_reseed(const struct drbg_kat *td) -+{ -+ struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t; -+ RAND_DRBG *drbg = NULL; -+ unsigned char *buff = NULL; -+ unsigned int flags = 0; -+ int failures = 0; -+ TEST_CTX t; -+ -+ if (td->df != USE_DF) -+ flags |= RAND_DRBG_FLAG_CTR_NO_DF; -+ -+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) -+ return 0; -+ -+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, -+ kat_nonce, NULL)) { -+ failures++; -+ goto err; -+ } -+ memset(&t, 0, sizeof(t)); -+ t.entropy = data->entropyin; -+ t.entropylen = td->entropyinlen; -+ t.nonce = data->nonce; -+ t.noncelen = td->noncelen; -+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); -+ -+ buff = OPENSSL_malloc(td->retbyteslen); -+ if (buff == NULL) { -+ failures++; -+ goto err; -+ } -+ -+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen) -+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, -+ data->addin1, td->addinlen) -+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, -+ data->addin2, td->addinlen) -+ || memcmp(data->retbytes, buff, -+ td->retbyteslen) != 0) -+ failures++; -+ -+err: -+ OPENSSL_free(buff); -+ RAND_DRBG_uninstantiate(drbg); -+ RAND_DRBG_free(drbg); -+ return failures == 0; -+} -+ -+/*- -+ * Do a single PR_FALSE KAT: -+ * -+ * Instantiate -+ * Reseed -+ * Generate Random Bits (pr=false) -+ * Generate Random Bits (pr=false) -+ * Uninstantiate -+ * -+ * Return 0 on failure. 
-+ */ -+static int single_kat_pr_false(const struct drbg_kat *td) -+{ -+ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t; -+ RAND_DRBG *drbg = NULL; -+ unsigned char *buff = NULL; -+ unsigned int flags = 0; -+ int failures = 0; -+ TEST_CTX t; -+ -+ if (td->df != USE_DF) -+ flags |= RAND_DRBG_FLAG_CTR_NO_DF; -+ -+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) -+ return 0; -+ -+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, -+ kat_nonce, NULL)) { -+ failures++; -+ goto err; -+ } -+ memset(&t, 0, sizeof(t)); -+ t.entropy = data->entropyin; -+ t.entropylen = td->entropyinlen; -+ t.nonce = data->nonce; -+ t.noncelen = td->noncelen; -+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); -+ -+ buff = OPENSSL_malloc(td->retbyteslen); -+ if (buff == NULL) { -+ failures++; -+ goto err; -+ } -+ -+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) -+ failures++; -+ -+ t.entropy = data->entropyinreseed; -+ t.entropylen = td->entropyinlen; -+ -+ if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0) -+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, -+ data->addin1, td->addinlen) -+ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, -+ data->addin2, td->addinlen) -+ || memcmp(data->retbytes, buff, -+ td->retbyteslen) != 0) -+ failures++; -+ -+err: -+ OPENSSL_free(buff); -+ RAND_DRBG_uninstantiate(drbg); -+ RAND_DRBG_free(drbg); -+ return failures == 0; -+} -+ -+/*- -+ * Do a single PR_TRUE KAT: -+ * -+ * Instantiate -+ * Generate Random Bits (pr=true) -+ * Generate Random Bits (pr=true) -+ * Uninstantiate -+ * -+ * Return 0 on failure. 
-+ */ -+static int single_kat_pr_true(const struct drbg_kat *td) -+{ -+ struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t; -+ RAND_DRBG *drbg = NULL; -+ unsigned char *buff = NULL; -+ unsigned int flags = 0; -+ int failures = 0; -+ TEST_CTX t; -+ -+ if (td->df != USE_DF) -+ flags |= RAND_DRBG_FLAG_CTR_NO_DF; -+ -+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) -+ return 0; -+ -+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, -+ kat_nonce, NULL)) { -+ failures++; -+ goto err; -+ } -+ memset(&t, 0, sizeof(t)); -+ t.nonce = data->nonce; -+ t.noncelen = td->noncelen; -+ t.entropy = data->entropyin; -+ t.entropylen = td->entropyinlen; -+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); -+ -+ buff = OPENSSL_malloc(td->retbyteslen); -+ if (buff == NULL) { -+ failures++; -+ goto err; -+ } -+ -+ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) -+ failures++; -+ -+ t.entropy = data->entropyinpr1; -+ t.entropylen = td->entropyinlen; -+ -+ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1, -+ data->addin1, td->addinlen)) -+ failures++; -+ -+ t.entropy = data->entropyinpr2; -+ t.entropylen = td->entropyinlen; -+ -+ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1, -+ data->addin2, td->addinlen) -+ || memcmp(data->retbytes, buff, -+ td->retbyteslen) != 0) -+ failures++; -+ -+err: -+ OPENSSL_free(buff); -+ RAND_DRBG_uninstantiate(drbg); -+ RAND_DRBG_free(drbg); -+ return failures == 0; -+} -+ -+static int test_kats(int i) -+{ -+ const struct drbg_kat *td = drbg_test[i]; -+ int rv = 0; -+ -+ switch (td->type) { -+ case NO_RESEED: -+ if (!single_kat_no_reseed(td)) -+ goto err; -+ break; -+ case PR_FALSE: -+ if (!single_kat_pr_false(td)) -+ goto err; -+ break; -+ case PR_TRUE: -+ if (!single_kat_pr_true(td)) -+ goto err; -+ break; -+ default: /* cant happen */ -+ goto err; -+ } -+ rv = 1; -+err: -+ return rv; -+} -+ -+/*- -+ * Do one expected-error test: -+ * -+ * Instantiate with no entropy supplied -+ * -+ * Return 0 on 
failure. -+ */ -+static int test_drbg_sanity(const struct drbg_kat *td) -+{ -+ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t; -+ RAND_DRBG *drbg = NULL; -+ unsigned int flags = 0; -+ int failures = 0; -+ TEST_CTX t; -+ -+ if (td->df != USE_DF) -+ flags |= RAND_DRBG_FLAG_CTR_NO_DF; -+ -+ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) -+ return 0; -+ -+ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, -+ kat_nonce, NULL)) { -+ failures++; -+ goto err; -+ } -+ memset(&t, 0, sizeof(t)); -+ t.entropy = data->entropyin; -+ t.entropylen = 0; /* No entropy */ -+ t.nonce = data->nonce; -+ t.noncelen = td->noncelen; -+ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); -+ -+ ERR_set_mark(); -+ /* This must fail. */ -+ if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) -+ failures++; -+ RAND_DRBG_uninstantiate(drbg); -+ ERR_pop_to_mark(); -+ -+err: -+ RAND_DRBG_free(drbg); -+ return failures == 0; -+} -+ -+ -+int rand_drbg_selftest(void) -+{ -+ int i; -+ -+ if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init)) -+ return 0; -+ -+ for (i = 0; i < drbg_test_nelem; i++) { -+ if (test_kats(i) <= 0) -+ return 0; -+ } -+ -+ if (test_drbg_sanity(&kat1465) <= 0) -+ return 0; -+ -+ return 1; -+} -diff -up openssl-1.1.1g/include/crypto/rand.h.drbg-selftest openssl-1.1.1g/include/crypto/rand.h ---- openssl-1.1.1g/include/crypto/rand.h.drbg-selftest 2020-04-23 13:33:12.587622510 +0200 -+++ openssl-1.1.1g/include/crypto/rand.h 2020-04-23 13:33:12.619621907 +0200 -@@ -140,4 +140,9 @@ void rand_pool_cleanup(void); - */ - void rand_pool_keep_random_devices_open(int keep); - -+/* -+ * Perform the DRBG KAT selftests -+ */ -+int rand_drbg_selftest(void); -+ - #endif diff --git a/SOURCES/openssl-1.1.1-fips-post-rand.patch b/SOURCES/openssl-1.1.1-fips-post-rand.patch deleted file mode 100644 index 027dc55..0000000 --- a/SOURCES/openssl-1.1.1-fips-post-rand.patch +++ /dev/null 
@@ -1,189 +0,0 @@ -diff -up openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand openssl-1.1.1i/crypto/fips/fips.c ---- openssl-1.1.1i/crypto/fips/fips.c.fips-post-rand 2020-12-09 10:26:41.634106328 +0100 -+++ openssl-1.1.1i/crypto/fips/fips.c 2020-12-09 10:26:41.652106475 +0100 -@@ -68,6 +68,7 @@ - - # include - # include "internal/thread_once.h" -+# include "crypto/rand.h" - - # ifndef PATH_MAX - # define PATH_MAX 1024 -@@ -76,6 +77,7 @@ - static int fips_selftest_fail = 0; - static int fips_mode = 0; - static int fips_started = 0; -+static int fips_post = 0; - - static int fips_is_owning_thread(void); - static int fips_set_owning_thread(void); -@@ -158,6 +160,11 @@ void fips_set_selftest_fail(void) - fips_selftest_fail = 1; - } - -+int fips_in_post(void) -+{ -+ return fips_post; -+} -+ - /* we implement what libfipscheck does ourselves */ - - static int -@@ -445,6 +452,8 @@ int FIPS_module_mode_set(int onoff) - } - # endif - -+ fips_post = 1; -+ - if (!FIPS_selftest()) { - fips_selftest_fail = 1; - ret = 0; -@@ -459,7 +468,12 @@ int FIPS_module_mode_set(int onoff) - goto end; - } - -+ fips_post = 0; -+ - fips_set_mode(onoff); -+ /* force RNG reseed with entropy from getrandom() on next call */ -+ rand_force_reseed(); -+ - ret = 1; - goto end; - } -diff -up openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand openssl-1.1.1i/crypto/rand/drbg_lib.c ---- openssl-1.1.1i/crypto/rand/drbg_lib.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100 -+++ openssl-1.1.1i/crypto/rand/drbg_lib.c 2020-12-09 10:26:41.652106475 +0100 -@@ -1005,6 +1005,20 @@ size_t rand_drbg_seedlen(RAND_DRBG *drbg - return min_entropy > min_entropylen ? 
min_entropy : min_entropylen; - } - -+void rand_force_reseed(void) -+{ -+ RAND_DRBG *drbg; -+ -+ drbg = RAND_DRBG_get0_master(); -+ drbg->fork_id = 0; -+ -+ drbg = RAND_DRBG_get0_private(); -+ drbg->fork_id = 0; -+ -+ drbg = RAND_DRBG_get0_public(); -+ drbg->fork_id = 0; -+} -+ - /* Implements the default OpenSSL RAND_add() method */ - static int drbg_add(const void *buf, int num, double randomness) - { -diff -up openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand openssl-1.1.1i/crypto/rand/rand_unix.c ---- openssl-1.1.1i/crypto/rand/rand_unix.c.fips-post-rand 2020-12-08 14:20:59.000000000 +0100 -+++ openssl-1.1.1i/crypto/rand/rand_unix.c 2020-12-09 10:36:59.531221903 +0100 -@@ -17,10 +17,12 @@ - #include - #include "rand_local.h" - #include "crypto/rand.h" -+#include "crypto/fips.h" - #include - #include "internal/dso.h" - #ifdef __linux - # include -+# include - # ifdef DEVRANDOM_WAIT - # include - # include -@@ -344,7 +346,7 @@ static ssize_t sysctl_random(char *buf, - * syscall_random(): Try to get random data using a system call - * returns the number of bytes returned in buf, or < 0 on error. - */ --static ssize_t syscall_random(void *buf, size_t buflen) -+static ssize_t syscall_random(void *buf, size_t buflen, int nonblock) - { - /* - * Note: 'buflen' equals the size of the buffer which is used by the -@@ -369,6 +371,7 @@ static ssize_t syscall_random(void *buf, - * Note: Sometimes getentropy() can be provided but not implemented - * internally. So we need to check errno for ENOSYS - */ -+# if 0 - # if defined(__GNUC__) && __GNUC__>=2 && defined(__ELF__) && !defined(__hpux) - extern int getentropy(void *buffer, size_t length) __attribute__((weak)); - -@@ -394,10 +397,10 @@ static ssize_t syscall_random(void *buf, - if (p_getentropy.p != NULL) - return p_getentropy.f(buf, buflen) == 0 ? 
(ssize_t)buflen : -1; - # endif -- -+# endif - /* Linux supports this since version 3.17 */ --# if defined(__linux) && defined(__NR_getrandom) -- return syscall(__NR_getrandom, buf, buflen, 0); -+# if defined(__linux) && defined(SYS_getrandom) -+ return syscall(SYS_getrandom, buf, buflen, nonblock?GRND_NONBLOCK:0); - # elif (defined(__FreeBSD__) || defined(__NetBSD__)) && defined(KERN_ARND) - return sysctl_random(buf, buflen); - # else -@@ -633,6 +636,9 @@ size_t rand_pool_acquire_entropy(RAND_PO - size_t entropy_available; - - # if defined(OPENSSL_RAND_SEED_GETRANDOM) -+ int in_post; -+ -+ for (in_post = fips_in_post(); in_post >= 0; --in_post) { - { - size_t bytes_needed; - unsigned char *buffer; -@@ -643,7 +649,7 @@ size_t rand_pool_acquire_entropy(RAND_PO - bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); - while (bytes_needed != 0 && attempts-- > 0) { - buffer = rand_pool_add_begin(pool, bytes_needed); -- bytes = syscall_random(buffer, bytes_needed); -+ bytes = syscall_random(buffer, bytes_needed, in_post); - if (bytes > 0) { - rand_pool_add_end(pool, bytes, 8 * bytes); - bytes_needed -= bytes; -@@ -678,8 +684,10 @@ size_t rand_pool_acquire_entropy(RAND_PO - int attempts = 3; - const int fd = get_random_device(i); - -- if (fd == -1) -+ if (fd == -1) { -+ OPENSSL_showfatal("Random device %s cannot be opened.\n", random_device_paths[i]); - continue; -+ } - - while (bytes_needed != 0 && attempts-- > 0) { - buffer = rand_pool_add_begin(pool, bytes_needed); -@@ -742,7 +750,9 @@ size_t rand_pool_acquire_entropy(RAND_PO - return entropy_available; - } - # endif -- -+# ifdef OPENSSL_RAND_SEED_GETRANDOM -+ } -+# endif - return rand_pool_entropy_available(pool); - # endif - } -diff -up openssl-1.1.1i/include/crypto/fips.h.fips-post-rand openssl-1.1.1i/include/crypto/fips.h ---- openssl-1.1.1i/include/crypto/fips.h.fips-post-rand 2020-12-09 10:26:41.639106369 +0100 -+++ openssl-1.1.1i/include/crypto/fips.h 2020-12-09 10:26:41.657106516 +0100 -@@ -77,6 
+77,8 @@ int FIPS_selftest_hmac(void); - int FIPS_selftest_drbg(void); - int FIPS_selftest_cmac(void); - -+int fips_in_post(void); -+ - int fips_pkey_signature_test(EVP_PKEY *pkey, - const unsigned char *tbs, int tbslen, - const unsigned char *kat, -diff -up openssl-1.1.1i/include/crypto/rand.h.fips-post-rand openssl-1.1.1i/include/crypto/rand.h ---- openssl-1.1.1i/include/crypto/rand.h.fips-post-rand 2020-12-08 14:20:59.000000000 +0100 -+++ openssl-1.1.1i/include/crypto/rand.h 2020-12-09 10:26:41.657106516 +0100 -@@ -24,6 +24,7 @@ - typedef struct rand_pool_st RAND_POOL; - - void rand_cleanup_int(void); -+void rand_force_reseed(void); - void rand_drbg_cleanup_int(void); - void drbg_delete_thread_state(void); - diff --git a/SOURCES/openssl-1.1.1-fips.patch b/SOURCES/openssl-1.1.1-fips.patch deleted file mode 100644 index 6ab63f1..0000000 --- a/SOURCES/openssl-1.1.1-fips.patch +++ /dev/null 
@@ -1,11626 +0,0 @@ -diff -up openssl-1.1.1j/apps/pkcs12.c.fips openssl-1.1.1j/apps/pkcs12.c ---- openssl-1.1.1j/apps/pkcs12.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/apps/pkcs12.c 2021-03-03 12:57:42.194734484 +0100 -@@ -123,7 +123,7 @@ int pkcs12_main(int argc, char **argv) - int export_cert = 0, options = 0, chain = 0, twopass = 0, keytype = 0; - int iter = PKCS12_DEFAULT_ITER, maciter = PKCS12_DEFAULT_ITER; - #ifndef OPENSSL_NO_RC2 -- int cert_pbe = NID_pbe_WithSHA1And40BitRC2_CBC; -+ int cert_pbe = FIPS_mode() ? NID_pbe_WithSHA1And3_Key_TripleDES_CBC : NID_pbe_WithSHA1And40BitRC2_CBC; - #else - int cert_pbe = NID_pbe_WithSHA1And3_Key_TripleDES_CBC; - #endif -diff -up openssl-1.1.1j/apps/speed.c.fips openssl-1.1.1j/apps/speed.c ---- openssl-1.1.1j/apps/speed.c.fips 2021-03-03 12:57:42.185734409 +0100 -+++ openssl-1.1.1j/apps/speed.c 2021-03-03 12:57:42.195734492 +0100 -@@ -1593,7 +1593,8 @@ int speed_main(int argc, char **argv) - continue; - if (strcmp(*argv, "rsa") == 0) { - for (loop = 0; loop < OSSL_NELEM(rsa_doit); loop++) -- rsa_doit[loop] = 1; -+ if (!FIPS_mode() || loop != R_RSA_512) -+ rsa_doit[loop] = 1; - continue; - } - if (found(*argv, rsa_choices, &i)) { -@@ -1603,7 +1604,9 @@ int speed_main(int argc, char **argv) - #endif - #ifndef OPENSSL_NO_DSA - if (strcmp(*argv, "dsa") == 0) { -- dsa_doit[R_DSA_512] = dsa_doit[R_DSA_1024] = -+ if (!FIPS_mode()) -+ dsa_doit[R_DSA_512] = 1; -+ dsa_doit[R_DSA_1024] = - dsa_doit[R_DSA_2048] = 1; - continue; - } -@@ -1634,19 +1637,21 @@ int speed_main(int argc, char **argv) - } - if (strcmp(*argv, "ecdh") == 0) { - for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) -- ecdh_doit[loop] = 1; -+ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448)) -+ ecdh_doit[loop] = 1; - continue; - } - if (found(*argv, ecdh_choices, &i)) { -- ecdh_doit[i] = 2; -+ if(!FIPS_mode() || (i != R_EC_X25519 && i != R_EC_X448)) -+ ecdh_doit[i] = 2; - continue; - } -- if (strcmp(*argv, "eddsa") == 0) { -+ if 
(!FIPS_mode() && strcmp(*argv, "eddsa") == 0) { - for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) - eddsa_doit[loop] = 1; - continue; - } -- if (found(*argv, eddsa_choices, &i)) { -+ if (!FIPS_mode() && found(*argv, eddsa_choices, &i)) { - eddsa_doit[i] = 2; - continue; - } -@@ -1735,23 +1740,31 @@ int speed_main(int argc, char **argv) - /* No parameters; turn on everything. */ - if ((argc == 0) && !doit[D_EVP]) { - for (i = 0; i < ALGOR_NUM; i++) -- if (i != D_EVP) -+ if (i != D_EVP && -+ (!FIPS_mode() || (i != D_WHIRLPOOL && -+ i != D_MD2 && i != D_MD4 && -+ i != D_MD5 && i != D_MDC2 && -+ i != D_RMD160))) - doit[i] = 1; - #ifndef OPENSSL_NO_RSA - for (i = 0; i < RSA_NUM; i++) -- rsa_doit[i] = 1; -+ if (!FIPS_mode() || i != R_RSA_512) -+ rsa_doit[i] = 1; - #endif - #ifndef OPENSSL_NO_DSA - for (i = 0; i < DSA_NUM; i++) -- dsa_doit[i] = 1; -+ if (!FIPS_mode() || i != R_DSA_512) -+ dsa_doit[i] = 1; - #endif - #ifndef OPENSSL_NO_EC - for (loop = 0; loop < OSSL_NELEM(ecdsa_doit); loop++) - ecdsa_doit[loop] = 1; - for (loop = 0; loop < OSSL_NELEM(ecdh_doit); loop++) -- ecdh_doit[loop] = 1; -- for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) -- eddsa_doit[loop] = 1; -+ if(!FIPS_mode() || (loop != R_EC_X25519 && loop != R_EC_X448)) -+ ecdh_doit[loop] = 1; -+ if (!FIPS_mode()) -+ for (loop = 0; loop < OSSL_NELEM(eddsa_doit); loop++) -+ eddsa_doit[loop] = 1; - #endif - } - for (i = 0; i < ALGOR_NUM; i++) -@@ -1799,30 +1812,46 @@ int speed_main(int argc, char **argv) - AES_set_encrypt_key(key24, 192, &aes_ks2); - AES_set_encrypt_key(key32, 256, &aes_ks3); - #ifndef OPENSSL_NO_CAMELLIA -- Camellia_set_key(key16, 128, &camellia_ks1); -- Camellia_set_key(ckey24, 192, &camellia_ks2); -- Camellia_set_key(ckey32, 256, &camellia_ks3); -+ if (doit[D_CBC_128_CML] || doit[D_CBC_192_CML] || doit[D_CBC_256_CML]) { -+ Camellia_set_key(key16, 128, &camellia_ks1); -+ Camellia_set_key(ckey24, 192, &camellia_ks2); -+ Camellia_set_key(ckey32, 256, &camellia_ks3); -+ } - #endif - 
#ifndef OPENSSL_NO_IDEA -- IDEA_set_encrypt_key(key16, &idea_ks); -+ if (doit[D_CBC_IDEA]) { -+ IDEA_set_encrypt_key(key16, &idea_ks); -+ } - #endif - #ifndef OPENSSL_NO_SEED -- SEED_set_key(key16, &seed_ks); -+ if (doit[D_CBC_SEED]) { -+ SEED_set_key(key16, &seed_ks); -+ } - #endif - #ifndef OPENSSL_NO_RC4 -- RC4_set_key(&rc4_ks, 16, key16); -+ if (doit[D_RC4]) { -+ RC4_set_key(&rc4_ks, 16, key16); -+ } - #endif - #ifndef OPENSSL_NO_RC2 -- RC2_set_key(&rc2_ks, 16, key16, 128); -+ if (doit[D_CBC_RC2]) { -+ RC2_set_key(&rc2_ks, 16, key16, 128); -+ } - #endif - #ifndef OPENSSL_NO_RC5 -- RC5_32_set_key(&rc5_ks, 16, key16, 12); -+ if (doit[D_CBC_RC5]) { -+ RC5_32_set_key(&rc5_ks, 16, key16, 12); -+ } - #endif - #ifndef OPENSSL_NO_BF -- BF_set_key(&bf_ks, 16, key16); -+ if (doit[D_CBC_BF]) { -+ BF_set_key(&bf_ks, 16, key16); -+ } - #endif - #ifndef OPENSSL_NO_CAST -- CAST_set_key(&cast_ks, 16, key16); -+ if (doit[D_CBC_CAST]) { -+ CAST_set_key(&cast_ks, 16, key16); -+ } - #endif - #ifndef SIGALRM - # ifndef OPENSSL_NO_DES -@@ -2120,6 +2149,7 @@ int speed_main(int argc, char **argv) - - for (i = 0; i < loopargs_len; i++) { - loopargs[i].hctx = HMAC_CTX_new(); -+ HMAC_CTX_set_flags(loopargs[i].hctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW); - if (loopargs[i].hctx == NULL) { - BIO_printf(bio_err, "HMAC malloc failure, exiting..."); - exit(1); -diff -up openssl-1.1.1j/Configure.fips openssl-1.1.1j/Configure ---- openssl-1.1.1j/Configure.fips 2021-03-03 12:57:42.192734467 +0100 -+++ openssl-1.1.1j/Configure 2021-03-03 12:57:42.195734492 +0100 -@@ -329,7 +329,7 @@ $config{sdirs} = [ - "md2", "md4", "md5", "sha", "mdc2", "hmac", "ripemd", "whrlpool", "poly1305", "blake2", "siphash", "sm3", - "des", "aes", "rc2", "rc4", "rc5", "idea", "aria", "bf", "cast", "camellia", "seed", "sm4", "chacha", "modes", - "bn", "ec", "rsa", "dsa", "dh", "sm2", "dso", "engine", -- "buffer", "bio", "stack", "lhash", "rand", "err", -+ "buffer", "bio", "stack", "lhash", "rand", "err", "fips", - "evp", "asn1", 
"pem", "x509", "x509v3", "conf", "txt_db", "pkcs7", "pkcs12", "comp", "ocsp", "ui", - "cms", "ts", "srp", "cmac", "ct", "async", "kdf", "store" - ]; -diff -up openssl-1.1.1j/crypto/cmac/cm_pmeth.c.fips openssl-1.1.1j/crypto/cmac/cm_pmeth.c ---- openssl-1.1.1j/crypto/cmac/cm_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/cmac/cm_pmeth.c 2021-03-03 12:57:42.195734492 +0100 -@@ -129,7 +129,7 @@ static int pkey_cmac_ctrl_str(EVP_PKEY_C - - const EVP_PKEY_METHOD cmac_pkey_meth = { - EVP_PKEY_CMAC, -- EVP_PKEY_FLAG_SIGCTX_CUSTOM, -+ EVP_PKEY_FLAG_SIGCTX_CUSTOM | EVP_PKEY_FLAG_FIPS, - pkey_cmac_init, - pkey_cmac_copy, - pkey_cmac_cleanup, -diff -up openssl-1.1.1j/crypto/dh/dh_err.c.fips openssl-1.1.1j/crypto/dh/dh_err.c ---- openssl-1.1.1j/crypto/dh/dh_err.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/dh/dh_err.c 2021-03-03 12:57:42.195734492 +0100 -@@ -25,6 +25,9 @@ static const ERR_STRING_DATA DH_str_func - {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_PEERKEY, 0), "dh_cms_set_peerkey"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0), - "dh_cms_set_shared_info"}, -+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_COMPUTE_KEY, 0), "DH_compute_key"}, -+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_KEY, 0), "DH_generate_key"}, -+ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), "DH_generate_parameters_ex"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"}, - {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"}, -@@ -72,12 +75,14 @@ static const ERR_STRING_DATA DH_str_reas - {ERR_PACK(ERR_LIB_DH, 0, DH_R_INVALID_PUBKEY), "invalid public key"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_KDF_PARAMETER_ERROR), "kdf parameter error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEYS_NOT_SET), "keys not set"}, -+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEY_SIZE_TOO_SMALL), "key size too small"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"}, - 
{ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR), - "not suitable generator"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"}, -+ {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non FIPS method"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), - "parameter encoding error"}, - {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, -diff -up openssl-1.1.1j/crypto/dh/dh_gen.c.fips openssl-1.1.1j/crypto/dh/dh_gen.c ---- openssl-1.1.1j/crypto/dh/dh_gen.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/dh/dh_gen.c 2021-03-03 12:57:42.195734492 +0100 -@@ -16,6 +16,9 @@ - #include "internal/cryptlib.h" - #include - #include "dh_local.h" -+#ifdef OPENSSL_FIPS -+# include -+#endif - - static int dh_builtin_genparams(DH *ret, int prime_len, int generator, - BN_GENCB *cb); -@@ -23,6 +26,13 @@ static int dh_builtin_genparams(DH *ret, - int DH_generate_parameters_ex(DH *ret, int prime_len, int generator, - BN_GENCB *cb) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD) -+ && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) { -+ DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD); -+ return 0; -+ } -+#endif - if (ret->meth->generate_params) - return ret->meth->generate_params(ret, prime_len, generator, cb); - return dh_builtin_genparams(ret, prime_len, generator, cb); -@@ -65,6 +75,18 @@ static int dh_builtin_genparams(DH *ret, - int g, ok = -1; - BN_CTX *ctx = NULL; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+ -+ if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) { -+ DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); -+ goto err; -+ } -+#endif -+ - ctx = BN_CTX_new(); - if (ctx == NULL) - goto 
err; -diff -up openssl-1.1.1j/crypto/dh/dh_key.c.fips openssl-1.1.1j/crypto/dh/dh_key.c ---- openssl-1.1.1j/crypto/dh/dh_key.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/dh/dh_key.c 2021-03-03 13:02:45.963247596 +0100 -@@ -11,6 +11,9 @@ - #include "internal/cryptlib.h" - #include "dh_local.h" - #include "crypto/bn.h" -+#ifdef OPENSSL_FIPS -+# include -+#endif - - static int generate_key(DH *dh); - static int compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh); -@@ -34,6 +37,13 @@ int DH_compute_key(unsigned char *key, c - int ret = 0, i; - volatile size_t npad = 0, mask = 1; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) -+ && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) { -+ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD); -+ return 0; -+ } -+#endif - /* compute the key; ret is constant unless compute_key is external */ - if ((ret = dh->meth->compute_key(key, pub_key, dh)) <= 0) - return ret; -@@ -109,6 +119,14 @@ static int generate_key(DH *dh) - BN_MONT_CTX *mont = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() -+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { -+ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); -+ return 0; -+ } -+#endif -+ - if (BN_num_bits(dh->p) > OPENSSL_DH_MAX_MODULUS_BITS) { - DHerr(DH_F_GENERATE_KEY, DH_R_MODULUS_TOO_LARGE); - return 0; -@@ -206,6 +224,13 @@ static int compute_key(unsigned char *ke - DHerr(DH_F_COMPUTE_KEY, DH_R_MODULUS_TOO_LARGE); - goto err; - } -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() -+ && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { -+ DHerr(DH_F_COMPUTE_KEY, DH_R_KEY_SIZE_TOO_SMALL); -+ goto err; -+ } -+#endif - - ctx = BN_CTX_new(); - if (ctx == NULL) -@@ -255,6 +280,9 @@ static int dh_bn_mod_exp(const DH *dh, B - - static int dh_init(DH *dh) - { -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - dh->flags |= DH_FLAG_CACHE_MONT_P; - return 1; - } -diff -up 
openssl-1.1.1j/crypto/dh/dh_pmeth.c.fips openssl-1.1.1j/crypto/dh/dh_pmeth.c ---- openssl-1.1.1j/crypto/dh/dh_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/dh/dh_pmeth.c 2021-03-03 12:57:42.196734500 +0100 -@@ -480,7 +480,7 @@ static int pkey_dh_derive(EVP_PKEY_CTX * - - const EVP_PKEY_METHOD dh_pkey_meth = { - EVP_PKEY_DH, -- 0, -+ EVP_PKEY_FLAG_FIPS, - pkey_dh_init, - pkey_dh_copy, - pkey_dh_cleanup, -@@ -514,7 +514,7 @@ const EVP_PKEY_METHOD dh_pkey_meth = { - - const EVP_PKEY_METHOD dhx_pkey_meth = { - EVP_PKEY_DHX, -- 0, -+ EVP_PKEY_FLAG_FIPS, - pkey_dh_init, - pkey_dh_copy, - pkey_dh_cleanup, -diff -up openssl-1.1.1j/crypto/dsa/dsa_err.c.fips openssl-1.1.1j/crypto/dsa/dsa_err.c ---- openssl-1.1.1j/crypto/dsa/dsa_err.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/dsa/dsa_err.c 2021-03-03 12:57:42.196734500 +0100 -@@ -16,12 +16,15 @@ - static const ERR_STRING_DATA DSA_str_functs[] = { - {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT, 0), "DSAparams_print"}, - {ERR_PACK(ERR_LIB_DSA, DSA_F_DSAPARAMS_PRINT_FP, 0), "DSAparams_print_fp"}, -+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_KEYGEN, 0), "dsa_builtin_keygen"}, - {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN, 0), - "dsa_builtin_paramgen"}, - {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_BUILTIN_PARAMGEN2, 0), - "dsa_builtin_paramgen2"}, - {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"}, - {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"}, -+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_KEY, 0), "DSA_generate_key"}, -+ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), "DSA_generate_parameters_ex"}, - {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"}, - {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"}, - {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"}, -@@ -51,11 +54,14 @@ static const ERR_STRING_DATA DSA_str_rea - {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_DIGEST_TYPE), - "invalid 
digest type"}, - {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_INVALID_PARAMETERS), "invalid parameters"}, -+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_INVALID), "key size invalid"}, -+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_KEY_SIZE_TOO_SMALL), "key size too small"}, - {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PARAMETERS), "missing parameters"}, - {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY), - "missing private key"}, - {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, - {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"}, -+ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"}, - {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), - "parameter encoding error"}, - {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, -diff -up openssl-1.1.1j/crypto/dsa/dsa_gen.c.fips openssl-1.1.1j/crypto/dsa/dsa_gen.c ---- openssl-1.1.1j/crypto/dsa/dsa_gen.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/dsa/dsa_gen.c 2021-03-03 12:57:42.196734500 +0100 -@@ -22,12 +22,22 @@ - #include - #include - #include "dsa_local.h" -+#ifdef OPENSSL_FIPS -+# include -+#endif - - int DSA_generate_parameters_ex(DSA *ret, int bits, - const unsigned char *seed_in, int seed_len, - int *counter_ret, unsigned long *h_ret, - BN_GENCB *cb) - { -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(ret->meth->flags & DSA_FLAG_FIPS_METHOD) -+ && !(ret->flags & DSA_FLAG_NON_FIPS_ALLOW)) { -+ DSAerr(DSA_F_DSA_GENERATE_PARAMETERS_EX, DSA_R_NON_FIPS_DSA_METHOD); -+ return 0; -+ } -+# endif - if (ret->meth->dsa_paramgen) - return ret->meth->dsa_paramgen(ret, bits, seed_in, seed_len, - counter_ret, h_ret, cb); -@@ -35,9 +45,15 @@ int DSA_generate_parameters_ex(DSA *ret, - const EVP_MD *evpmd = bits >= 2048 ? 
EVP_sha256() : EVP_sha1(); - size_t qbits = EVP_MD_size(evpmd) * 8; - -+# ifdef OPENSSL_FIPS -+ return dsa_builtin_paramgen2(ret, bits, qbits, evpmd, -+ seed_in, seed_len, -1, NULL, counter_ret, -+ h_ret, cb); -+# else - return dsa_builtin_paramgen(ret, bits, qbits, evpmd, - seed_in, seed_len, NULL, counter_ret, - h_ret, cb); -+# endif - } - } - -@@ -309,7 +325,7 @@ int dsa_builtin_paramgen2(DSA *ret, size - int *counter_ret, unsigned long *h_ret, - BN_GENCB *cb) - { -- int ok = -1; -+ int ok = 0; - unsigned char *seed = NULL, *seed_tmp = NULL; - unsigned char md[EVP_MAX_MD_SIZE]; - int mdsize; -@@ -332,6 +348,20 @@ int dsa_builtin_paramgen2(DSA *ret, size - goto err; - } - -+# ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_DSA_BUILTIN_PARAMGEN2, FIPS_R_FIPS_SELFTEST_FAILED); -+ goto err; -+ } -+ -+ if (FIPS_mode() && -+ (L != 2048 || N != 224) && (L != 2048 || N != 256) && -+ (L != 3072 || N != 256)) { -+ DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_KEY_SIZE_INVALID); -+ goto err; -+ } -+# endif -+ - if (evpmd == NULL) { - if (N == 160) - evpmd = EVP_sha1(); -@@ -432,9 +462,10 @@ int dsa_builtin_paramgen2(DSA *ret, size - goto err; - /* Provided seed didn't produce a prime: error */ - if (seed_in) { -- ok = 0; -- DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_Q_NOT_PRIME); -- goto err; -+ /* Different seed_out will indicate that seed_in -+ * did not generate primes. 
-+ */ -+ seed_in = NULL; - } - - /* do a callback call */ -@@ -520,11 +551,14 @@ int dsa_builtin_paramgen2(DSA *ret, size - if (counter >= (int)(4 * L)) - break; - } -+#if 0 -+ /* Cannot happen */ - if (seed_in) { - ok = 0; - DSAerr(DSA_F_DSA_BUILTIN_PARAMGEN2, DSA_R_INVALID_PARAMETERS); - goto err; - } -+#endif - } - end: - if (!BN_GENCB_call(cb, 2, 1)) -@@ -595,7 +629,7 @@ int dsa_builtin_paramgen2(DSA *ret, size - BN_free(ret->g); - ret->g = BN_dup(g); - if (ret->p == NULL || ret->q == NULL || ret->g == NULL) { -- ok = -1; -+ ok = 0; - goto err; - } - if (counter_ret != NULL) -@@ -612,3 +646,53 @@ int dsa_builtin_paramgen2(DSA *ret, size - EVP_MD_CTX_free(mctx); - return ok; - } -+ -+#ifdef OPENSSL_FIPS -+ -+int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N, -+ const EVP_MD *evpmd, const unsigned char *seed_in, -+ size_t seed_len, int idx, unsigned char *seed_out, -+ int *counter_ret, unsigned long *h_ret, -+ BN_GENCB *cb) -+{ -+ return dsa_builtin_paramgen2(ret, L, N, evpmd, seed_in, seed_len, -+ idx, seed_out, counter_ret, h_ret, cb); -+} -+ -+int FIPS_dsa_paramgen_check_g(DSA *dsa) -+{ -+ BN_CTX *ctx; -+ BIGNUM *tmp; -+ BN_MONT_CTX *mont = NULL; -+ int rv = -1; -+ -+ ctx = BN_CTX_new(); -+ if (ctx == NULL) -+ return -1; -+ if (BN_cmp(dsa->g, BN_value_one()) <= 0) -+ return 0; -+ if (BN_cmp(dsa->g, dsa->p) >= 0) -+ return 0; -+ BN_CTX_start(ctx); -+ tmp = BN_CTX_get(ctx); -+ if (tmp == NULL) -+ goto err; -+ if ((mont=BN_MONT_CTX_new()) == NULL) -+ goto err; -+ if (!BN_MONT_CTX_set(mont,dsa->p,ctx)) -+ goto err; -+ /* Work out g^q mod p */ -+ if (!BN_mod_exp_mont(tmp,dsa->g,dsa->q, dsa->p, ctx, mont)) -+ goto err; -+ if (!BN_cmp(tmp, BN_value_one())) -+ rv = 1; -+ else -+ rv = 0; -+ err: -+ BN_CTX_end(ctx); -+ BN_MONT_CTX_free(mont); -+ BN_CTX_free(ctx); -+ return rv; -+} -+ -+#endif -diff -up openssl-1.1.1j/crypto/dsa/dsa_key.c.fips openssl-1.1.1j/crypto/dsa/dsa_key.c ---- openssl-1.1.1j/crypto/dsa/dsa_key.c.fips 2021-02-16 16:24:01.000000000 +0100 
-+++ openssl-1.1.1j/crypto/dsa/dsa_key.c 2021-03-03 12:57:42.196734500 +0100 -@@ -13,10 +13,49 @@ - #include - #include "dsa_local.h" - -+#ifdef OPENSSL_FIPS -+# include -+# include "crypto/fips.h" -+ -+static int fips_check_dsa(DSA *dsa) -+{ -+ EVP_PKEY *pk; -+ unsigned char tbs[] = "DSA Pairwise Check Data"; -+ int ret = 0; -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_set1_DSA(pk, dsa); -+ -+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) -+ ret = 1; -+ -+ err: -+ if (ret == 0) { -+ FIPSerr(FIPS_F_FIPS_CHECK_DSA, FIPS_R_PAIRWISE_TEST_FAILED); -+ fips_set_selftest_fail(); -+ } -+ -+ if (pk) -+ EVP_PKEY_free(pk); -+ -+ return ret; -+} -+ -+#endif -+ - static int dsa_builtin_keygen(DSA *dsa); - - int DSA_generate_key(DSA *dsa) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(dsa->meth->flags & DSA_FLAG_FIPS_METHOD) -+ && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW)) { -+ DSAerr(DSA_F_DSA_GENERATE_KEY, DSA_R_NON_FIPS_DSA_METHOD); -+ return 0; -+ } -+#endif - if (dsa->meth->dsa_keygen) - return dsa->meth->dsa_keygen(dsa); - return dsa_builtin_keygen(dsa); -@@ -28,6 +67,14 @@ static int dsa_builtin_keygen(DSA *dsa) - BN_CTX *ctx = NULL; - BIGNUM *pub_key = NULL, *priv_key = NULL; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN)) { -+ DSAerr(DSA_F_DSA_BUILTIN_KEYGEN, DSA_R_KEY_SIZE_TOO_SMALL); -+ goto err; -+ } -+#endif -+ - if ((ctx = BN_CTX_new()) == NULL) - goto err; - -@@ -65,6 +112,13 @@ static int dsa_builtin_keygen(DSA *dsa) - - dsa->priv_key = priv_key; - dsa->pub_key = pub_key; -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !fips_check_dsa(dsa)) { -+ dsa->pub_key = NULL; -+ dsa->priv_key = NULL; -+ goto err; -+ } -+#endif - ok = 1; - - err: -diff -up openssl-1.1.1j/crypto/dsa/dsa_ossl.c.fips openssl-1.1.1j/crypto/dsa/dsa_ossl.c ---- openssl-1.1.1j/crypto/dsa/dsa_ossl.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ 
openssl-1.1.1j/crypto/dsa/dsa_ossl.c 2021-03-03 12:57:42.196734500 +0100 -@@ -14,6 +14,9 @@ - #include - #include "dsa_local.h" - #include -+#ifdef OPENSSL_FIPS -+# include -+#endif - - static DSA_SIG *dsa_do_sign(const unsigned char *dgst, int dlen, DSA *dsa); - static int dsa_sign_setup_no_digest(DSA *dsa, BN_CTX *ctx_in, BIGNUM **kinvp, -@@ -77,6 +80,19 @@ static DSA_SIG *dsa_do_sign(const unsign - goto err; - } - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_DSA_DO_SIGN, FIPS_R_FIPS_SELFTEST_FAILED); -+ return NULL; -+ } -+ -+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { -+ DSAerr(DSA_F_DSA_DO_SIGN, DSA_R_KEY_SIZE_TOO_SMALL); -+ return NULL; -+ } -+#endif -+ - ret = DSA_SIG_new(); - if (ret == NULL) - goto err; -@@ -315,6 +331,18 @@ static int dsa_do_verify(const unsigned - DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_BAD_Q_VALUE); - return -1; - } -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_DSA_DO_VERIFY, FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+ -+ if (FIPS_mode() && !(dsa->flags & DSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(dsa->p) < OPENSSL_DSA_FIPS_MIN_MODULUS_BITS)) { -+ DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+#endif - - if (BN_num_bits(dsa->p) > OPENSSL_DSA_MAX_MODULUS_BITS) { - DSAerr(DSA_F_DSA_DO_VERIFY, DSA_R_MODULUS_TOO_LARGE); -@@ -403,6 +431,9 @@ static int dsa_do_verify(const unsigned - - static int dsa_init(DSA *dsa) - { -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - dsa->flags |= DSA_FLAG_CACHE_MONT_P; - return 1; - } -diff -up openssl-1.1.1j/crypto/dsa/dsa_pmeth.c.fips openssl-1.1.1j/crypto/dsa/dsa_pmeth.c ---- openssl-1.1.1j/crypto/dsa/dsa_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/dsa/dsa_pmeth.c 2021-03-03 12:57:42.196734500 +0100 -@@ -211,8 +211,8 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT - BN_GENCB_free(pcb); - return 0; - } 
-- ret = dsa_builtin_paramgen(dsa, dctx->nbits, dctx->qbits, dctx->pmd, -- NULL, 0, NULL, NULL, NULL, pcb); -+ ret = dsa_builtin_paramgen2(dsa, dctx->nbits, dctx->qbits, dctx->pmd, -+ NULL, 0, -1, NULL, NULL, NULL, pcb); - BN_GENCB_free(pcb); - if (ret) - EVP_PKEY_assign_DSA(pkey, dsa); -@@ -241,7 +241,7 @@ static int pkey_dsa_keygen(EVP_PKEY_CTX - - const EVP_PKEY_METHOD dsa_pkey_meth = { - EVP_PKEY_DSA, -- EVP_PKEY_FLAG_AUTOARGLEN, -+ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, - pkey_dsa_init, - pkey_dsa_copy, - pkey_dsa_cleanup, -diff -up openssl-1.1.1j/crypto/ec/ecdh_ossl.c.fips openssl-1.1.1j/crypto/ec/ecdh_ossl.c ---- openssl-1.1.1j/crypto/ec/ecdh_ossl.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/ec/ecdh_ossl.c 2021-03-03 12:57:42.196734500 +0100 -@@ -19,9 +19,20 @@ - #include - #include "ec_local.h" - -+#ifdef OPENSSL_FIPS -+# include -+#endif -+ - int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen, - const EC_POINT *pub_key, const EC_KEY *ecdh) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+#endif -+ - if (ecdh->group->meth->ecdh_compute_key == NULL) { - ECerr(EC_F_OSSL_ECDH_COMPUTE_KEY, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH); - return 0; -diff -up openssl-1.1.1j/crypto/ec/ecdsa_ossl.c.fips openssl-1.1.1j/crypto/ec/ecdsa_ossl.c ---- openssl-1.1.1j/crypto/ec/ecdsa_ossl.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/ec/ecdsa_ossl.c 2021-03-03 12:57:42.196734500 +0100 -@@ -14,6 +14,10 @@ - #include "crypto/bn.h" - #include "ec_local.h" - -+#ifdef OPENSSL_FIPS -+# include -+#endif -+ - int ossl_ecdsa_sign(int type, const unsigned char *dgst, int dlen, - unsigned char *sig, unsigned int *siglen, - const BIGNUM *kinv, const BIGNUM *r, EC_KEY *eckey) -@@ -163,6 +167,13 @@ ECDSA_SIG *ossl_ecdsa_sign_sig(const uns - ECDSA_SIG *ret; - const BIGNUM *priv_key; - -+#ifdef OPENSSL_FIPS -+ if 
(FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED); -+ return NULL; -+ } -+#endif -+ - group = EC_KEY_get0_group(eckey); - priv_key = EC_KEY_get0_private_key(eckey); - -@@ -325,6 +336,13 @@ int ossl_ecdsa_verify_sig(const unsigned - const EC_GROUP *group; - const EC_POINT *pub_key; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+#endif -+ - /* check input values */ - if (eckey == NULL || (group = EC_KEY_get0_group(eckey)) == NULL || - (pub_key = EC_KEY_get0_public_key(eckey)) == NULL || sig == NULL) { -diff -up openssl-1.1.1j/crypto/ec/ec_key.c.fips openssl-1.1.1j/crypto/ec/ec_key.c ---- openssl-1.1.1j/crypto/ec/ec_key.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/ec/ec_key.c 2021-03-03 12:57:42.196734500 +0100 -@@ -179,14 +179,62 @@ ENGINE *EC_KEY_get0_engine(const EC_KEY - return eckey->engine; - } - -+#ifdef OPENSSL_FIPS -+ -+# include -+# include "crypto/fips.h" -+ -+static int fips_check_ec(EC_KEY *key) -+{ -+ EVP_PKEY *pk; -+ unsigned char tbs[] = "ECDSA Pairwise Check Data"; -+ int ret = 0; -+ -+ if (!EC_KEY_can_sign(key)) /* no test for non-signing keys */ -+ return 1; -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_set1_EC_KEY(pk, key); -+ -+ if (fips_pkey_signature_test(pk, tbs, -1, NULL, 0, NULL, 0, NULL)) -+ ret = 1; -+ -+ err: -+ if (ret == 0) { -+ FIPSerr(FIPS_F_FIPS_CHECK_EC, FIPS_R_PAIRWISE_TEST_FAILED); -+ fips_set_selftest_fail(); -+ } -+ if (pk) -+ EVP_PKEY_free(pk); -+ return ret; -+} -+ -+#endif -+ - int EC_KEY_generate_key(EC_KEY *eckey) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_NOT_INITIALIZED); -+ return 0; -+ } -+#endif - if (eckey == NULL || eckey->group == NULL) { - ECerr(EC_F_EC_KEY_GENERATE_KEY, ERR_R_PASSED_NULL_PARAMETER); - return 0; - } -- if (eckey->meth->keygen != NULL) -- return 
eckey->meth->keygen(eckey); -+ if (eckey->meth->keygen != NULL) { -+ int rv = eckey->meth->keygen(eckey); -+ -+#ifdef OPENSSL_FIPS -+ if (rv > 0 && FIPS_mode()) { -+ rv = fips_check_ec(eckey); -+ } -+#endif -+ return rv; -+ } - ECerr(EC_F_EC_KEY_GENERATE_KEY, EC_R_OPERATION_NOT_SUPPORTED); - return 0; - } -diff -up openssl-1.1.1j/crypto/ec/ec_pmeth.c.fips openssl-1.1.1j/crypto/ec/ec_pmeth.c ---- openssl-1.1.1j/crypto/ec/ec_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/ec/ec_pmeth.c 2021-03-03 12:57:42.197734509 +0100 -@@ -438,7 +438,7 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * - - const EVP_PKEY_METHOD ec_pkey_meth = { - EVP_PKEY_EC, -- 0, -+ EVP_PKEY_FLAG_FIPS, - pkey_ec_init, - pkey_ec_copy, - pkey_ec_cleanup, -diff -up openssl-1.1.1j/crypto/evp/digest.c.fips openssl-1.1.1j/crypto/evp/digest.c ---- openssl-1.1.1j/crypto/evp/digest.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/digest.c 2021-03-03 12:57:42.197734509 +0100 -@@ -14,6 +14,9 @@ - #include - #include "crypto/evp.h" - #include "evp_local.h" -+#ifdef OPENSSL_FIPS -+# include -+#endif - - /* This call frees resources associated with the context */ - int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) -@@ -66,6 +69,12 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons - int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) - { - EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+#endif - #ifndef OPENSSL_NO_ENGINE - /* - * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so -@@ -119,6 +128,15 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c - } - #endif - if (ctx->digest != type) { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (!(type->flags & EVP_MD_FLAG_FIPS) -+ && !(ctx->flags & EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)) { -+ EVPerr(EVP_F_EVP_DIGESTINIT_EX, EVP_R_DISABLED_FOR_FIPS); -+ return 0; -+ 
} -+ } -+#endif - if (ctx->digest && ctx->digest->ctx_size) { - OPENSSL_clear_free(ctx->md_data, ctx->digest->ctx_size); - ctx->md_data = NULL; -@@ -150,6 +168,10 @@ int EVP_DigestInit_ex(EVP_MD_CTX *ctx, c - - int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *data, size_t count) - { -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif -+ - if (count == 0) - return 1; - -@@ -170,6 +192,9 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, - { - int ret; - -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - OPENSSL_assert(ctx->digest->md_size <= EVP_MAX_MD_SIZE); - ret = ctx->digest->final(ctx, md); - if (size != NULL) -diff -up openssl-1.1.1j/crypto/evp/e_aes.c.fips openssl-1.1.1j/crypto/evp/e_aes.c ---- openssl-1.1.1j/crypto/evp/e_aes.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/e_aes.c 2021-03-03 12:57:42.197734509 +0100 -@@ -397,7 +397,7 @@ static int aesni_xts_init_key(EVP_CIPHER - * This addresses Rogaway's vulnerability. - * See comment in aes_xts_init_key() below. - */ -- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { -+ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) { - EVPerr(EVP_F_AESNI_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); - return 0; - } -@@ -817,7 +817,7 @@ static int aes_t4_xts_init_key(EVP_CIPHE - * This addresses Rogaway's vulnerability. - * See comment in aes_xts_init_key() below. 
- */ -- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { -+ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) { - EVPerr(EVP_F_AES_T4_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); - return 0; - } -@@ -2833,9 +2833,9 @@ static int aes_ctr_cipher(EVP_CIPHER_CTX - return 1; - } - --BLOCK_CIPHER_generic_pack(NID_aes, 128, 0) -- BLOCK_CIPHER_generic_pack(NID_aes, 192, 0) -- BLOCK_CIPHER_generic_pack(NID_aes, 256, 0) -+BLOCK_CIPHER_generic_pack(NID_aes, 128, EVP_CIPH_FLAG_FIPS) -+ BLOCK_CIPHER_generic_pack(NID_aes, 192, EVP_CIPH_FLAG_FIPS) -+ BLOCK_CIPHER_generic_pack(NID_aes, 256, EVP_CIPH_FLAG_FIPS) - - static int aes_gcm_cleanup(EVP_CIPHER_CTX *c) - { -@@ -2869,6 +2869,11 @@ static int aes_gcm_ctrl(EVP_CIPHER_CTX * - case EVP_CTRL_AEAD_SET_IVLEN: - if (arg <= 0) - return 0; -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(c->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) -+ && arg < 12) -+ return 0; -+# endif - /* Allocate memory for IV if needed */ - if ((arg > EVP_MAX_IV_LENGTH) && (arg > gctx->ivlen)) { - if (gctx->iv != c->iv) -@@ -3318,11 +3323,14 @@ static int aes_gcm_cipher(EVP_CIPHER_CTX - | EVP_CIPH_CUSTOM_COPY | EVP_CIPH_CUSTOM_IV_LENGTH) - - BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, gcm, GCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | -+ CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, gcm, GCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | -+ CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, gcm, GCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | -+ CUSTOM_FLAGS) - - static int aes_xts_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) - { -@@ -3380,7 +3388,7 @@ static int aes_xts_init_key(EVP_CIPHER_C - * BEFORE using the keys in the XTS-AES algorithm to process - * data with them." 
- */ -- if (enc && CRYPTO_memcmp(key, key + bytes, bytes) == 0) { -+ if (CRYPTO_memcmp(key, key + bytes, bytes) == 0) { - EVPerr(EVP_F_AES_XTS_INIT_KEY, EVP_R_XTS_DUPLICATED_KEYS); - return 0; - } -@@ -3484,6 +3492,14 @@ static int aes_xts_cipher(EVP_CIPHER_CTX - return 0; - if (!out || !in || len < AES_BLOCK_SIZE) - return 0; -+# ifdef OPENSSL_FIPS -+ /* Requirement of SP800-38E */ -+ if (FIPS_mode() && !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW) && -+ (len > (1UL << 20) * 16)) { -+ EVPerr(EVP_F_AES_XTS_CIPHER, EVP_R_TOO_LARGE); -+ return 0; -+ } -+# endif - if (xctx->stream) - (*xctx->stream) (in, out, len, - xctx->xts.key1, xctx->xts.key2, -@@ -3501,8 +3517,10 @@ static int aes_xts_cipher(EVP_CIPHER_CTX - | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_CTRL_INIT \ - | EVP_CIPH_CUSTOM_COPY) - --BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, XTS_FLAGS) -- BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, XTS_FLAGS) -+BLOCK_CIPHER_custom(NID_aes, 128, 1, 16, xts, XTS, -+ EVP_CIPH_FLAG_FIPS | XTS_FLAGS) -+ BLOCK_CIPHER_custom(NID_aes, 256, 1, 16, xts, XTS, -+ EVP_CIPH_FLAG_FIPS | XTS_FLAGS) - - static int aes_ccm_ctrl(EVP_CIPHER_CTX *c, int type, int arg, void *ptr) - { -@@ -3772,11 +3790,11 @@ static int aes_ccm_cipher(EVP_CIPHER_CTX - #define aes_ccm_cleanup NULL - - BLOCK_CIPHER_custom(NID_aes, 128, 1, 12, ccm, CCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 192, 1, 12, ccm, CCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) - BLOCK_CIPHER_custom(NID_aes, 256, 1, 12, ccm, CCM, -- EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) -+ EVP_CIPH_FLAG_FIPS | EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) - - typedef struct { - union { -@@ -3869,7 +3887,7 @@ static int aes_wrap_cipher(EVP_CIPHER_CT - return rv ? 
(int)rv : -1; - } - --#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE \ -+#define WRAP_FLAGS (EVP_CIPH_WRAP_MODE | EVP_CIPH_FLAG_FIPS \ - | EVP_CIPH_CUSTOM_IV | EVP_CIPH_FLAG_CUSTOM_CIPHER \ - | EVP_CIPH_ALWAYS_CALL_INIT | EVP_CIPH_FLAG_DEFAULT_ASN1) - -diff -up openssl-1.1.1j/crypto/evp/e_des3.c.fips openssl-1.1.1j/crypto/evp/e_des3.c ---- openssl-1.1.1j/crypto/evp/e_des3.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/e_des3.c 2021-03-03 12:57:42.197734509 +0100 -@@ -211,16 +211,19 @@ BLOCK_CIPHER_defs(des_ede, DES_EDE_KEY, - # define des_ede3_cbc_cipher des_ede_cbc_cipher - # define des_ede3_ecb_cipher des_ede_ecb_cipher - BLOCK_CIPHER_defs(des_ede3, DES_EDE_KEY, NID_des_ede3, 8, 24, 8, 64, -- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, -- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) -+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | -+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, NULL, -+ des3_ctrl) - - BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 1, -- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, -- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) -+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | -+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, -+ NULL, des3_ctrl) - - BLOCK_CIPHER_def_cfb(des_ede3, DES_EDE_KEY, NID_des_ede3, 24, 8, 8, -- EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_DEFAULT_ASN1, -- des_ede3_init_key, NULL, NULL, NULL, des3_ctrl) -+ EVP_CIPH_RAND_KEY | EVP_CIPH_FLAG_FIPS | -+ EVP_CIPH_FLAG_DEFAULT_ASN1, des_ede3_init_key, NULL, NULL, -+ NULL, des3_ctrl) - - static int des_ede_init_key(EVP_CIPHER_CTX *ctx, const unsigned char *key, - const unsigned char *iv, int enc) -diff -up openssl-1.1.1j/crypto/evp/e_null.c.fips openssl-1.1.1j/crypto/evp/e_null.c ---- openssl-1.1.1j/crypto/evp/e_null.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/e_null.c 2021-03-03 12:57:42.197734509 +0100 -@@ -19,7 +19,8 @@ static int null_cipher(EVP_CIPHER_CTX *c - const unsigned char *in, size_t 
inl); - static const EVP_CIPHER n_cipher = { - NID_undef, -- 1, 0, 0, 0, -+ 1, 0, 0, -+ EVP_CIPH_FLAG_FIPS, - null_init_key, - null_cipher, - NULL, -diff -up openssl-1.1.1j/crypto/evp/evp_enc.c.fips openssl-1.1.1j/crypto/evp/evp_enc.c ---- openssl-1.1.1j/crypto/evp/evp_enc.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/evp_enc.c 2021-03-03 12:57:42.197734509 +0100 -@@ -18,9 +18,18 @@ - #include - #include "crypto/evp.h" - #include "evp_local.h" -+#ifdef OPENSSL_FIPS -+# include -+#endif - - int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX *c) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_EVP_CIPHER_CTX_RESET, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+#endif - if (c == NULL) - return 1; - if (c->cipher != NULL) { -@@ -40,6 +49,12 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX - - EVP_CIPHER_CTX *EVP_CIPHER_CTX_new(void) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_EVP_CIPHER_CTX_NEW, FIPS_R_FIPS_SELFTEST_FAILED); -+ return NULL; -+ } -+#endif - return OPENSSL_zalloc(sizeof(EVP_CIPHER_CTX)); - } - -@@ -68,6 +83,12 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct - enc = 1; - ctx->encrypt = enc; - } -+#ifdef OPENSSL_FIPS -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_EVP_CIPHERINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+#endif - #ifndef OPENSSL_NO_ENGINE - /* - * Whether it's nice or not, "Inits" can be used on "Final"'d contexts so -@@ -137,7 +158,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct - } - ctx->key_len = cipher->key_len; - /* Preserve wrap enable flag, zero everything else */ -- ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW; -+ ctx->flags &= EVP_CIPHER_CTX_FLAG_WRAP_ALLOW | EVP_CIPH_FLAG_NON_FIPS_ALLOW; - if (ctx->cipher->flags & EVP_CIPH_CTRL_INIT) { - if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_INIT, 0, NULL)) { - ctx->cipher = NULL; -@@ -196,6 +217,18 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct - return 0; - } - } -+#ifdef OPENSSL_FIPS -+ /* After 'key' is set no 
further parameters changes are permissible. -+ * So only check for non FIPS enabling at this point. -+ */ -+ if (key && FIPS_mode()) { -+ if (!(ctx->cipher->flags & EVP_CIPH_FLAG_FIPS) -+ & !(ctx->flags & EVP_CIPH_FLAG_NON_FIPS_ALLOW)) { -+ EVPerr(EVP_F_EVP_CIPHERINIT_EX, EVP_R_DISABLED_FOR_FIPS); -+ return 0; -+ } -+ } -+#endif - - if (key || (ctx->cipher->flags & EVP_CIPH_ALWAYS_CALL_INIT)) { - if (!ctx->cipher->init(ctx, key, iv, enc)) -diff -up openssl-1.1.1j/crypto/evp/evp_err.c.fips openssl-1.1.1j/crypto/evp/evp_err.c ---- openssl-1.1.1j/crypto/evp/evp_err.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/evp_err.c 2021-03-03 12:57:42.198734517 +0100 -@@ -23,6 +23,7 @@ static const ERR_STRING_DATA EVP_str_fun - {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_T4_XTS_INIT_KEY, 0), - "aes_t4_xts_init_key"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_WRAP_CIPHER, 0), "aes_wrap_cipher"}, -+ {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_CIPHER, 0), "aes_xts_cipher"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_AES_XTS_INIT_KEY, 0), "aes_xts_init_key"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_ALG_MODULE_INIT, 0), "alg_module_init"}, - {ERR_PACK(ERR_LIB_EVP, EVP_F_ARIA_CCM_INIT_KEY, 0), "aria_ccm_init_key"}, -@@ -186,6 +187,7 @@ static const ERR_STRING_DATA EVP_str_rea - "different key types"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS), - "different parameters"}, -+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION), - "error loading section"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE), -@@ -251,6 +253,7 @@ static const ERR_STRING_DATA EVP_str_rea - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PRIVATE_KEY_ENCODE_ERROR), - "private key encode error"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_PUBLIC_KEY_NOT_RSA), "public key not rsa"}, -+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_TOO_LARGE), "too large"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_CIPHER), "unknown cipher"}, - {ERR_PACK(ERR_LIB_EVP, 0, 
EVP_R_UNKNOWN_DIGEST), "unknown digest"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_UNKNOWN_OPTION), "unknown option"}, -@@ -276,6 +279,8 @@ static const ERR_STRING_DATA EVP_str_rea - "wrap mode not allowed"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH), - "wrong final block length"}, -+ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE), -+ "xts data unit is too large"}, - {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), - "xts duplicated keys"}, - {0, NULL} -diff -up openssl-1.1.1j/crypto/evp/evp_lib.c.fips openssl-1.1.1j/crypto/evp/evp_lib.c ---- openssl-1.1.1j/crypto/evp/evp_lib.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/evp_lib.c 2021-03-03 12:57:42.198734517 +0100 -@@ -192,6 +192,9 @@ int EVP_CIPHER_impl_ctx_size(const EVP_C - int EVP_Cipher(EVP_CIPHER_CTX *ctx, unsigned char *out, - const unsigned char *in, unsigned int inl) - { -+#ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+#endif - return ctx->cipher->do_cipher(ctx, out, in, inl); - } - -diff -up openssl-1.1.1j/crypto/evp/m_sha1.c.fips openssl-1.1.1j/crypto/evp/m_sha1.c ---- openssl-1.1.1j/crypto/evp/m_sha1.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/m_sha1.c 2021-03-03 12:57:42.198734517 +0100 -@@ -95,7 +95,7 @@ static const EVP_MD sha1_md = { - NID_sha1, - NID_sha1WithRSAEncryption, - SHA_DIGEST_LENGTH, -- EVP_MD_FLAG_DIGALGID_ABSENT, -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, - init, - update, - final, -@@ -145,7 +145,7 @@ static const EVP_MD sha224_md = { - NID_sha224, - NID_sha224WithRSAEncryption, - SHA224_DIGEST_LENGTH, -- EVP_MD_FLAG_DIGALGID_ABSENT, -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, - init224, - update224, - final224, -@@ -164,7 +164,7 @@ static const EVP_MD sha256_md = { - NID_sha256, - NID_sha256WithRSAEncryption, - SHA256_DIGEST_LENGTH, -- EVP_MD_FLAG_DIGALGID_ABSENT, -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, - init256, - update256, - final256, -@@ -224,7 +224,7 @@ static 
const EVP_MD sha512_224_md = { - NID_sha512_224, - NID_sha512_224WithRSAEncryption, - SHA224_DIGEST_LENGTH, -- EVP_MD_FLAG_DIGALGID_ABSENT, -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, - init512_224, - update512, - final512, -@@ -243,7 +243,7 @@ static const EVP_MD sha512_256_md = { - NID_sha512_256, - NID_sha512_256WithRSAEncryption, - SHA256_DIGEST_LENGTH, -- EVP_MD_FLAG_DIGALGID_ABSENT, -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, - init512_256, - update512, - final512, -@@ -262,7 +262,7 @@ static const EVP_MD sha384_md = { - NID_sha384, - NID_sha384WithRSAEncryption, - SHA384_DIGEST_LENGTH, -- EVP_MD_FLAG_DIGALGID_ABSENT, -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, - init384, - update384, - final384, -@@ -281,7 +281,7 @@ static const EVP_MD sha512_md = { - NID_sha512, - NID_sha512WithRSAEncryption, - SHA512_DIGEST_LENGTH, -- EVP_MD_FLAG_DIGALGID_ABSENT, -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, - init512, - update512, - final512, -diff -up openssl-1.1.1j/crypto/evp/m_sha3.c.fips openssl-1.1.1j/crypto/evp/m_sha3.c ---- openssl-1.1.1j/crypto/evp/m_sha3.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/m_sha3.c 2021-03-03 12:57:42.198734517 +0100 -@@ -295,7 +295,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) - NID_sha3_##bitlen, \ - NID_RSA_SHA3_##bitlen, \ - bitlen / 8, \ -- EVP_MD_FLAG_DIGALGID_ABSENT, \ -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \ - s390x_sha3_init, \ - s390x_sha3_update, \ - s390x_sha3_final, \ -@@ -308,7 +308,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) - NID_sha3_##bitlen, \ - NID_RSA_SHA3_##bitlen, \ - bitlen / 8, \ -- EVP_MD_FLAG_DIGALGID_ABSENT, \ -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \ - sha3_init, \ - sha3_update, \ - sha3_final, \ -@@ -329,7 +329,7 @@ const EVP_MD *EVP_shake##bitlen(void) - NID_shake##bitlen, \ - 0, \ - bitlen / 8, \ -- EVP_MD_FLAG_XOF, \ -+ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \ - s390x_shake_init, \ - s390x_sha3_update, \ - s390x_shake_final, \ -@@ 
-343,7 +343,7 @@ const EVP_MD *EVP_shake##bitlen(void) - NID_shake##bitlen, \ - 0, \ - bitlen / 8, \ -- EVP_MD_FLAG_XOF, \ -+ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \ - shake_init, \ - sha3_update, \ - sha3_final, \ -@@ -367,7 +367,7 @@ const EVP_MD *EVP_sha3_##bitlen(void) - NID_sha3_##bitlen, \ - NID_RSA_SHA3_##bitlen, \ - bitlen / 8, \ -- EVP_MD_FLAG_DIGALGID_ABSENT, \ -+ EVP_MD_FLAG_DIGALGID_ABSENT | EVP_MD_FLAG_FIPS, \ - sha3_init, \ - sha3_update, \ - sha3_final, \ -@@ -386,7 +386,7 @@ const EVP_MD *EVP_shake##bitlen(void) - NID_shake##bitlen, \ - 0, \ - bitlen / 8, \ -- EVP_MD_FLAG_XOF, \ -+ EVP_MD_FLAG_XOF | EVP_MD_FLAG_FIPS, \ - shake_init, \ - sha3_update, \ - sha3_final, \ -diff -up openssl-1.1.1j/crypto/evp/pmeth_lib.c.fips openssl-1.1.1j/crypto/evp/pmeth_lib.c ---- openssl-1.1.1j/crypto/evp/pmeth_lib.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/evp/pmeth_lib.c 2021-03-03 12:57:42.198734517 +0100 -@@ -131,7 +131,15 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE - pmeth = ENGINE_get_pkey_meth(e, id); - else - #endif -+ { - pmeth = EVP_PKEY_meth_find(id); -+#ifdef OPENSSL_FIPS -+ if (pmeth && !(pmeth->flags & EVP_PKEY_FLAG_FIPS) && FIPS_mode()) { -+ EVPerr(EVP_F_INT_CTX_NEW, EVP_R_DISABLED_FOR_FIPS); -+ return NULL; -+ } -+#endif -+ } - - if (pmeth == NULL) { - #ifndef OPENSSL_NO_ENGINE -diff -up openssl-1.1.1j/crypto/fips/build.info.fips openssl-1.1.1j/crypto/fips/build.info ---- openssl-1.1.1j/crypto/fips/build.info.fips 2021-03-03 12:57:42.198734517 +0100 -+++ openssl-1.1.1j/crypto/fips/build.info 2021-03-03 12:57:42.198734517 +0100 -@@ -0,0 +1,15 @@ -+LIBS=../../libcrypto -+SOURCE[../../libcrypto]=\ -+ fips_aes_selftest.c fips_des_selftest.c fips_hmac_selftest.c \ -+ fips_rsa_selftest.c fips_sha_selftest.c fips.c fips_dsa_selftest.c \ -+ fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ -+ fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ -+ fips_cmac_selftest.c fips_ecdh_selftest.c 
fips_ecdsa_selftest.c \
-+ fips_dh_selftest.c fips_ers.c
-+
-+PROGRAMS_NO_INST=\
-+ fips_standalone_hmac
-+
-+SOURCE[fips_standalone_hmac]=fips_standalone_hmac.c
-+INCLUDE[fips_standalone_hmac]=../../include
-+DEPEND[fips_standalone_hmac]=../../libcrypto
-diff -up openssl-1.1.1j/crypto/fips/fips_aes_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_aes_selftest.c
---- openssl-1.1.1j/crypto/fips/fips_aes_selftest.c.fips 2021-03-03 12:57:42.198734517 +0100
-+++ openssl-1.1.1j/crypto/fips/fips_aes_selftest.c 2021-03-03 12:57:42.198734517 +0100
-@@ -0,0 +1,372 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. 
Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * -+ */ -+ -+#include -+#include -+#ifdef OPENSSL_FIPS -+# include -+# include "crypto/fips.h" -+#endif -+ -+#ifdef OPENSSL_FIPS -+static const struct { -+ const unsigned char key[16]; -+ const unsigned char plaintext[16]; -+ const unsigned char ciphertext[16]; -+} tests[] = { -+ { -+ { -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, -+ 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F}, { -+ 0x00, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, -+ 0x88, 0x99, 0xAA, 0xBB, 0xCC, 0xDD, 0xEE, 0xFF}, { -+0x69, 0xC4, 0xE0, 0xD8, 0x6A, 0x7B, 0x04, 0x30, -+ 0xD8, 0xCD, 0xB7, 0x80, 0x70, 0xB4, 0xC5, 0x5A},},}; -+ -+int FIPS_selftest_aes() -+{ -+ int n; -+ int ret = 0; -+ EVP_CIPHER_CTX *ctx; -+ -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ -+ for (n = 0; n < 1; ++n) { -+ unsigned char key[16]; -+ -+ memcpy(key, tests[n].key, sizeof(key)); -+ if (fips_cipher_test(ctx, EVP_aes_128_ecb(), -+ key, NULL, -+ tests[n].plaintext, -+ tests[n].ciphertext, 16) <= 0) -+ goto err; -+ } -+ ret = 1; -+ err: -+ EVP_CIPHER_CTX_free(ctx); -+ if (ret == 0) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES, FIPS_R_SELFTEST_FAILED); -+ return ret; -+} -+ -+/* AES-CCM test data from NIST public test vectors */ -+ -+static const unsigned char ccm_key[] = { -+ 0xce, 0xb0, 0x09, 0xae, 0xa4, 0x45, 0x44, 0x51, 0xfe, 0xad, 0xf0, 0xe6, -+ 0xb3, 0x6f, 0x45, 0x55, 0x5d, 0xd0, 0x47, 0x23, 0xba, 0xa4, 0x48, 0xe8 -+}; -+ -+static const unsigned char ccm_nonce[] = { -+ 0x76, 0x40, 0x43, 0xc4, 0x94, 0x60, 0xb7 -+}; -+ -+static const unsigned char ccm_adata[] = { -+ 0x6e, 0x80, 0xdd, 0x7f, 0x1b, 0xad, 0xf3, 0xa1, 0xc9, 0xab, 0x25, 0xc7, -+ 0x5f, 0x10, 0xbd, 0xe7, 0x8c, 0x23, 0xfa, 0x0e, 0xb8, 0xf9, 0xaa, 0xa5, -+ 0x3a, 0xde, 0xfb, 0xf4, 0xcb, 0xf7, 0x8f, 0xe4 -+}; -+ -+static const unsigned char ccm_pt[] = { -+ 0xc8, 0xd2, 0x75, 0xf9, 0x19, 0xe1, 0x7d, 0x7f, 0xe6, 0x9c, 0x2a, 0x1f, -+ 0x58, 0x93, 0x9d, 0xfe, 0x4d, 0x40, 0x37, 0x91, 0xb5, 0xdf, 0x13, 0x10 -+}; -+ -+static const unsigned char ccm_ct[] = { 
-+ 0x8a, 0x0f, 0x3d, 0x82, 0x29, 0xe4, 0x8e, 0x74, 0x87, 0xfd, 0x95, 0xa2, -+ 0x8a, 0xd3, 0x92, 0xc8, 0x0b, 0x36, 0x81, 0xd4, 0xfb, 0xc7, 0xbb, 0xfd -+}; -+ -+static const unsigned char ccm_tag[] = { -+ 0x2d, 0xd6, 0xef, 0x1c, 0x45, 0xd4, 0xcc, 0xb7, 0x23, 0xdc, 0x07, 0x44, -+ 0x14, 0xdb, 0x50, 0x6d -+}; -+ -+int FIPS_selftest_aes_ccm(void) -+{ -+ int ret = 0; -+ unsigned char out[128], tag[16]; -+ EVP_CIPHER_CTX *ctx; -+ -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ -+ memset(out, 0, sizeof(out)); -+ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 1)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, -+ sizeof(ccm_nonce), NULL)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, -+ sizeof(ccm_tag), NULL)) -+ goto err; -+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 1)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_pt)) != sizeof(ccm_pt)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0) -+ goto err; -+ if (EVP_Cipher(ctx, out, ccm_pt, sizeof(ccm_pt)) != sizeof(ccm_ct)) -+ goto err; -+ -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_GET_TAG, 16, tag)) -+ goto err; -+ if (memcmp(tag, ccm_tag, sizeof(ccm_tag)) -+ || memcmp(out, ccm_ct, sizeof(ccm_ct))) -+ goto err; -+ -+ memset(out, 0, sizeof(out)); -+ -+ if (!EVP_CipherInit_ex(ctx, EVP_aes_192_ccm(), NULL, NULL, NULL, 0)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_IVLEN, -+ sizeof(ccm_nonce), NULL)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_CCM_SET_TAG, 16, tag)) -+ goto err; -+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, ccm_key, ccm_nonce, 0)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, NULL, sizeof(ccm_ct)) != sizeof(ccm_ct)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, ccm_adata, sizeof(ccm_adata)) < 0) -+ goto err; -+ if (EVP_Cipher(ctx, out, ccm_ct, sizeof(ccm_ct)) != sizeof(ccm_pt)) -+ goto err; -+ -+ if (memcmp(out, ccm_pt, sizeof(ccm_pt))) -+ goto err; -+ -+ 
ret = 1; -+ -+ err: -+ EVP_CIPHER_CTX_free(ctx); -+ -+ if (ret == 0) { -+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_CCM, FIPS_R_SELFTEST_FAILED); -+ return 0; -+ } else -+ return ret; -+ -+} -+ -+/* AES-GCM test data from NIST public test vectors */ -+ -+static const unsigned char gcm_key[] = { -+ 0xee, 0xbc, 0x1f, 0x57, 0x48, 0x7f, 0x51, 0x92, 0x1c, 0x04, 0x65, 0x66, -+ 0x5f, 0x8a, 0xe6, 0xd1, 0x65, 0x8b, 0xb2, 0x6d, 0xe6, 0xf8, 0xa0, 0x69, -+ 0xa3, 0x52, 0x02, 0x93, 0xa5, 0x72, 0x07, 0x8f -+}; -+ -+static const unsigned char gcm_iv[] = { -+ 0x99, 0xaa, 0x3e, 0x68, 0xed, 0x81, 0x73, 0xa0, 0xee, 0xd0, 0x66, 0x84 -+}; -+ -+static const unsigned char gcm_pt[] = { -+ 0xf5, 0x6e, 0x87, 0x05, 0x5b, 0xc3, 0x2d, 0x0e, 0xeb, 0x31, 0xb2, 0xea, -+ 0xcc, 0x2b, 0xf2, 0xa5 -+}; -+ -+static const unsigned char gcm_aad[] = { -+ 0x4d, 0x23, 0xc3, 0xce, 0xc3, 0x34, 0xb4, 0x9b, 0xdb, 0x37, 0x0c, 0x43, -+ 0x7f, 0xec, 0x78, 0xde -+}; -+ -+static const unsigned char gcm_ct[] = { -+ 0xf7, 0x26, 0x44, 0x13, 0xa8, 0x4c, 0x0e, 0x7c, 0xd5, 0x36, 0x86, 0x7e, -+ 0xb9, 0xf2, 0x17, 0x36 -+}; -+ -+static const unsigned char gcm_tag[] = { -+ 0x67, 0xba, 0x05, 0x10, 0x26, 0x2a, 0xe4, 0x87, 0xd7, 0x37, 0xee, 0x62, -+ 0x98, 0xf7, 0x7e, 0x0c -+}; -+ -+int FIPS_selftest_aes_gcm(void) -+{ -+ int ret = 0; -+ unsigned char out[128], tag[16]; -+ EVP_CIPHER_CTX *ctx; -+ -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ -+ memset(out, 0, sizeof(out)); -+ memset(tag, 0, sizeof(tag)); -+ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 1)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, -+ sizeof(gcm_iv), NULL)) -+ goto err; -+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 1)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) -+ goto err; -+ if (EVP_Cipher(ctx, out, gcm_pt, sizeof(gcm_pt)) != sizeof(gcm_ct)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0) -+ goto err; -+ -+ if (!EVP_CIPHER_CTX_ctrl(ctx, 
EVP_CTRL_GCM_GET_TAG, 16, tag)) -+ goto err; -+ -+ if (memcmp(tag, gcm_tag, 16) || memcmp(out, gcm_ct, 16)) -+ goto err; -+ -+ memset(out, 0, sizeof(out)); -+ -+ if (!EVP_CipherInit_ex(ctx, EVP_aes_256_gcm(), NULL, NULL, NULL, 0)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_IVLEN, -+ sizeof(gcm_iv), NULL)) -+ goto err; -+ if (!EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_GCM_SET_TAG, 16, tag)) -+ goto err; -+ if (!EVP_CipherInit_ex(ctx, NULL, NULL, gcm_key, gcm_iv, 0)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, gcm_aad, sizeof(gcm_aad)) < 0) -+ goto err; -+ if (EVP_Cipher(ctx, out, gcm_ct, sizeof(gcm_ct)) != sizeof(gcm_pt)) -+ goto err; -+ if (EVP_Cipher(ctx, NULL, NULL, 0) < 0) -+ goto err; -+ -+ if (memcmp(out, gcm_pt, 16)) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ EVP_CIPHER_CTX_free(ctx); -+ -+ if (ret == 0) { -+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_GCM, FIPS_R_SELFTEST_FAILED); -+ return 0; -+ } else -+ return ret; -+ -+} -+ -+static const unsigned char XTS_128_key[] = { -+ 0xa1, 0xb9, 0x0c, 0xba, 0x3f, 0x06, 0xac, 0x35, 0x3b, 0x2c, 0x34, 0x38, -+ 0x76, 0x08, 0x17, 0x62, 0x09, 0x09, 0x23, 0x02, 0x6e, 0x91, 0x77, 0x18, -+ 0x15, 0xf2, 0x9d, 0xab, 0x01, 0x93, 0x2f, 0x2f -+}; -+ -+static const unsigned char XTS_128_i[] = { -+ 0x4f, 0xae, 0xf7, 0x11, 0x7c, 0xda, 0x59, 0xc6, 0x6e, 0x4b, 0x92, 0x01, -+ 0x3e, 0x76, 0x8a, 0xd5 -+}; -+ -+static const unsigned char XTS_128_pt[] = { -+ 0xeb, 0xab, 0xce, 0x95, 0xb1, 0x4d, 0x3c, 0x8d, 0x6f, 0xb3, 0x50, 0x39, -+ 0x07, 0x90, 0x31, 0x1c -+}; -+ -+static const unsigned char XTS_128_ct[] = { -+ 0x77, 0x8a, 0xe8, 0xb4, 0x3c, 0xb9, 0x8d, 0x5a, 0x82, 0x50, 0x81, 0xd5, -+ 0xbe, 0x47, 0x1c, 0x63 -+}; -+ -+static const unsigned char XTS_256_key[] = { -+ 0x1e, 0xa6, 0x61, 0xc5, 0x8d, 0x94, 0x3a, 0x0e, 0x48, 0x01, 0xe4, 0x2f, -+ 0x4b, 0x09, 0x47, 0x14, 0x9e, 0x7f, 0x9f, 0x8e, 0x3e, 0x68, 0xd0, 0xc7, -+ 0x50, 0x52, 0x10, 0xbd, 0x31, 0x1a, 0x0e, 0x7c, 0xd6, 0xe1, 0x3f, 0xfd, -+ 0xf2, 0x41, 0x8d, 0x8d, 0x19, 0x11, 0xc0, 0x04, 0xcd, 
0xa5, 0x8d, 0xa3, -+ 0xd6, 0x19, 0xb7, 0xe2, 0xb9, 0x14, 0x1e, 0x58, 0x31, 0x8e, 0xea, 0x39, -+ 0x2c, 0xf4, 0x1b, 0x08 -+}; -+ -+static const unsigned char XTS_256_i[] = { -+ 0xad, 0xf8, 0xd9, 0x26, 0x27, 0x46, 0x4a, 0xd2, 0xf0, 0x42, 0x8e, 0x84, -+ 0xa9, 0xf8, 0x75, 0x64 -+}; -+ -+static const unsigned char XTS_256_pt[] = { -+ 0x2e, 0xed, 0xea, 0x52, 0xcd, 0x82, 0x15, 0xe1, 0xac, 0xc6, 0x47, 0xe8, -+ 0x10, 0xbb, 0xc3, 0x64, 0x2e, 0x87, 0x28, 0x7f, 0x8d, 0x2e, 0x57, 0xe3, -+ 0x6c, 0x0a, 0x24, 0xfb, 0xc1, 0x2a, 0x20, 0x2e -+}; -+ -+static const unsigned char XTS_256_ct[] = { -+ 0xcb, 0xaa, 0xd0, 0xe2, 0xf6, 0xce, 0xa3, 0xf5, 0x0b, 0x37, 0xf9, 0x34, -+ 0xd4, 0x6a, 0x9b, 0x13, 0x0b, 0x9d, 0x54, 0xf0, 0x7e, 0x34, 0xf3, 0x6a, -+ 0xf7, 0x93, 0xe8, 0x6f, 0x73, 0xc6, 0xd7, 0xdb -+}; -+ -+int FIPS_selftest_aes_xts() -+{ -+ int ret = 1; -+ EVP_CIPHER_CTX *ctx; -+ -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ -+ if (fips_cipher_test(ctx, EVP_aes_128_xts(), -+ XTS_128_key, XTS_128_i, XTS_128_pt, XTS_128_ct, -+ sizeof(XTS_128_pt)) <= 0) -+ ret = 0; -+ -+ if (fips_cipher_test(ctx, EVP_aes_256_xts(), -+ XTS_256_key, XTS_256_i, XTS_256_pt, XTS_256_ct, -+ sizeof(XTS_256_pt)) <= 0) -+ ret = 0; -+ -+ EVP_CIPHER_CTX_free(ctx); -+ -+ err: -+ if (ret == 0) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_AES_XTS, FIPS_R_SELFTEST_FAILED); -+ return ret; -+} -+ -+#endif -diff -up openssl-1.1.1j/crypto/fips/fips.c.fips openssl-1.1.1j/crypto/fips/fips.c ---- openssl-1.1.1j/crypto/fips/fips.c.fips 2021-03-03 12:57:42.198734517 +0100 -+++ openssl-1.1.1j/crypto/fips/fips.c 2021-03-03 12:57:42.198734517 +0100 -@@ -0,0 +1,526 @@ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. 
Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#define _GNU_SOURCE -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "fips_locl.h" -+ -+#ifdef OPENSSL_FIPS -+ -+# include -+# include "internal/thread_once.h" -+ -+# ifndef PATH_MAX -+# define PATH_MAX 1024 -+# endif -+ -+static int fips_selftest_fail = 0; -+static int fips_mode = 0; -+static int fips_started = 0; -+ -+static int fips_is_owning_thread(void); -+static int fips_set_owning_thread(void); -+static int fips_clear_owning_thread(void); -+ -+static CRYPTO_RWLOCK *fips_lock = NULL; -+static CRYPTO_RWLOCK *fips_owning_lock = NULL; -+static CRYPTO_ONCE fips_lock_init = CRYPTO_ONCE_STATIC_INIT; -+ -+DEFINE_RUN_ONCE_STATIC(do_fips_lock_init) -+{ -+ fips_lock = CRYPTO_THREAD_lock_new(); -+ fips_owning_lock = CRYPTO_THREAD_lock_new(); -+ return fips_lock != NULL && fips_owning_lock != NULL; -+} -+ -+# define fips_w_lock() CRYPTO_THREAD_write_lock(fips_lock) -+# define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock) -+# define fips_r_lock() CRYPTO_THREAD_read_lock(fips_lock) -+# define fips_r_unlock() CRYPTO_THREAD_unlock(fips_lock) -+ -+static void fips_set_mode(int onoff) -+{ -+ int owning_thread = fips_is_owning_thread(); -+ -+ if (fips_started) { -+ if (!owning_thread) -+ fips_w_lock(); -+ fips_mode = onoff; -+ if (!owning_thread) -+ fips_w_unlock(); -+ } -+} -+ -+int FIPS_module_mode(void) 
-+{ -+ int ret = 0; -+ int owning_thread = fips_is_owning_thread(); -+ -+ if (fips_started) { -+ if (!owning_thread) -+ fips_r_lock(); -+ ret = fips_mode; -+ if (!owning_thread) -+ fips_r_unlock(); -+ } -+ return ret; -+} -+ -+/* just a compat symbol - return NULL */ -+int FIPS_selftest_failed(void) -+{ -+ int ret = 0; -+ if (fips_started) { -+ int owning_thread = fips_is_owning_thread(); -+ -+ if (!owning_thread) -+ fips_r_lock(); -+ ret = fips_selftest_fail; -+ if (!owning_thread) -+ fips_r_unlock(); -+ } -+ return ret; -+} -+ -+/* Selftest failure fatal exit routine. This will be called -+ * during *any* cryptographic operation. It has the minimum -+ * overhead possible to avoid too big a performance hit. -+ */ -+ -+void FIPS_selftest_check(void) -+{ -+ if (fips_selftest_fail) { -+ OpenSSLDie(__FILE__, __LINE__, "FATAL FIPS SELFTEST FAILURE"); -+ } -+} -+ -+void fips_set_selftest_fail(void) -+{ -+ fips_selftest_fail = 1; -+} -+ -+/* we implement what libfipscheck does ourselves */ -+ -+static int -+get_library_path(const char *libname, const char *symbolname, char *path, -+ size_t pathlen) -+{ -+ Dl_info info; -+ void *dl, *sym; -+ int rv = -1; -+ -+ dl = dlopen(libname, RTLD_LAZY); -+ if (dl == NULL) { -+ return -1; -+ } -+ -+ sym = dlsym(dl, symbolname); -+ -+ if (sym != NULL && dladdr(sym, &info)) { -+ strncpy(path, info.dli_fname, pathlen - 1); -+ path[pathlen - 1] = '\0'; -+ rv = 0; -+ } -+ -+ dlclose(dl); -+ -+ return rv; -+} -+ -+static const char conv[] = "0123456789abcdef"; -+ -+static char *bin2hex(void *buf, size_t len) -+{ -+ char *hex, *p; -+ unsigned char *src = buf; -+ -+ hex = malloc(len * 2 + 1); -+ if (hex == NULL) -+ return NULL; -+ -+ p = hex; -+ -+ while (len > 0) { -+ unsigned c; -+ -+ c = *src; -+ src++; -+ -+ *p = conv[c >> 4]; -+ ++p; -+ *p = conv[c & 0x0f]; -+ ++p; -+ --len; -+ } -+ *p = '\0'; -+ return hex; -+} -+ -+# define HMAC_PREFIX "." 
-+# ifndef HMAC_SUFFIX
-+# define HMAC_SUFFIX ".hmac"
-+# endif
-+# define READ_BUFFER_LENGTH 16384
-+
-+static char *make_hmac_path(const char *origpath)
-+{
-+ char *path, *p;
-+ const char *fn;
-+
-+ path =
-+ malloc(sizeof(HMAC_PREFIX) + sizeof(HMAC_SUFFIX) + strlen(origpath));
-+ if (path == NULL) {
-+ return NULL;
-+ }
-+
-+ fn = strrchr(origpath, '/');
-+ if (fn == NULL) {
-+ fn = origpath;
-+ } else {
-+ ++fn;
-+ }
-+
-+ strncpy(path, origpath, fn - origpath);
-+ p = path + (fn - origpath);
-+ p = stpcpy(p, HMAC_PREFIX);
-+ p = stpcpy(p, fn);
-+ p = stpcpy(p, HMAC_SUFFIX);
-+
-+ return path;
-+}
-+
-+static const char hmackey[] = "orboDeJITITejsirpADONivirpUkvarP";
-+
-+static int compute_file_hmac(const char *path, void **buf, size_t *hmaclen)
-+{
-+ FILE *f = NULL;
-+ int rv = -1;
-+ unsigned char rbuf[READ_BUFFER_LENGTH];
-+ size_t len;
-+ unsigned int hlen;
-+ HMAC_CTX *c;
-+
-+ c = HMAC_CTX_new();
-+ if (c == NULL)
-+ return rv;
-+
-+ f = fopen(path, "r");
-+
-+ if (f == NULL) {
-+ goto end;
-+ }
-+
-+ if (HMAC_Init_ex(c, hmackey, sizeof(hmackey) - 1, EVP_sha256(), NULL) <= 0) {
-+ goto end;
-+ }
-+
-+ while ((len = fread(rbuf, 1, sizeof(rbuf), f)) != 0) {
-+ if (HMAC_Update(c, rbuf, len) <= 0) {
-+ goto end;
-+ }
-+ }
-+
-+ len = sizeof(rbuf);
-+ /* reuse rbuf for hmac */
-+ if (HMAC_Final(c, rbuf, &hlen) <= 0) {
-+ goto end;
-+ }
-+
-+ *buf = malloc(hlen);
-+ if (*buf == NULL) {
-+ goto end;
-+ }
-+
-+ *hmaclen = hlen;
-+
-+ memcpy(*buf, rbuf, hlen);
-+
-+ rv = 0;
-+ end:
-+ HMAC_CTX_free(c);
-+
-+ if (f)
-+ fclose(f);
-+
-+ return rv;
-+}
-+
-+static int FIPSCHECK_verify(const char *path)
-+{
-+ int rv = 0;
-+ FILE *hf;
-+ char *hmacpath, *p;
-+ char *hmac = NULL;
-+ size_t n;
-+
-+ hmacpath = make_hmac_path(path);
-+ if (hmacpath == NULL)
-+ return 0;
-+
-+ hf = fopen(hmacpath, "r");
-+ if (hf == NULL) {
-+ free(hmacpath);
-+ return 0;
-+ }
-+
-+ if (getline(&hmac, &n, hf) > 0) {
-+ void *buf;
-+ size_t hmaclen;
-+ char *hex;
-+
-+ if ((p =
strchr(hmac, '\n')) != NULL)
-+ *p = '\0';
-+
-+ if (compute_file_hmac(path, &buf, &hmaclen) < 0) {
-+ rv = -4;
-+ goto end;
-+ }
-+
-+ if ((hex = bin2hex(buf, hmaclen)) == NULL) {
-+ free(buf);
-+ rv = -5;
-+ goto end;
-+ }
-+
-+ if (strcmp(hex, hmac) != 0) {
-+ rv = -1;
-+ }
-+ free(buf);
-+ free(hex);
-+ } else {
-+ rv = -1;
-+ }
-+
-+ end:
-+ free(hmac);
-+ free(hmacpath);
-+ fclose(hf);
-+
-+ if (rv < 0)
-+ return 0;
-+
-+ /* check successful */
-+ return 1;
-+}
-+
-+static int verify_checksums(void)
-+{
-+ int rv;
-+ char path[PATH_MAX + 1];
-+ char *p;
-+
-+ /* we need to avoid dlopening libssl, assume both libcrypto and libssl
-+ are in the same directory */
-+
-+ rv = get_library_path("libcrypto.so." SHLIB_VERSION_NUMBER,
-+ "FIPS_mode_set", path, sizeof(path));
-+ if (rv < 0)
-+ return 0;
-+
-+ rv = FIPSCHECK_verify(path);
-+ if (!rv)
-+ return 0;
-+
-+ /* replace libcrypto with libssl */
-+ while ((p = strstr(path, "libcrypto.so")) != NULL) {
-+ p = stpcpy(p, "libssl");
-+ memmove(p, p + 3, strlen(p + 2));
-+ }
-+
-+ rv = FIPSCHECK_verify(path);
-+ if (!rv)
-+ return 0;
-+ return 1;
-+}
-+
-+# ifndef FIPS_MODULE_PATH
-+# define FIPS_MODULE_PATH "/etc/system-fips"
-+# endif
-+
-+int FIPS_module_installed(void)
-+{
-+ int rv;
-+ rv = access(FIPS_MODULE_PATH, F_OK);
-+ if (rv < 0 && errno != ENOENT)
-+ rv = 0;
-+
-+ /* Installed == true */
-+ return !rv || FIPS_module_mode();
-+}
-+
-+int FIPS_module_mode_set(int onoff)
-+{
-+ int ret = 0;
-+
-+ if (!RUN_ONCE(&fips_lock_init, do_fips_lock_init))
-+ return 0;
-+
-+ fips_w_lock();
-+ fips_started = 1;
-+ fips_set_owning_thread();
-+
-+ if (onoff) {
-+
-+ fips_selftest_fail = 0;
-+
-+ /* Don't go into FIPS mode twice, just so we can do automagic
-+ seeding */
-+ if (FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_FIPS_MODE_ALREADY_SET);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+# ifdef OPENSSL_IA32_SSE2
-+ {
-+ extern unsigned int OPENSSL_ia32cap_P[2];
-+ if
((OPENSSL_ia32cap_P[0] & (1 << 25 | 1 << 26)) !=
-+ (1 << 25 | 1 << 26)) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_UNSUPPORTED_PLATFORM);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+ }
-+# endif
-+
-+ if (!FIPS_selftest()) {
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+ if (!verify_checksums()) {
-+ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET,
-+ FIPS_R_FINGERPRINT_DOES_NOT_MATCH);
-+ fips_selftest_fail = 1;
-+ ret = 0;
-+ goto end;
-+ }
-+
-+ fips_set_mode(onoff);
-+ ret = 1;
-+ goto end;
-+ }
-+ fips_set_mode(0);
-+ fips_selftest_fail = 0;
-+ ret = 1;
-+ end:
-+ fips_clear_owning_thread();
-+ fips_w_unlock();
-+ return ret;
-+}
-+
-+static CRYPTO_THREAD_ID fips_threadid;
-+static int fips_thread_set = 0;
-+
-+static int fips_is_owning_thread(void)
-+{
-+ int ret = 0;
-+
-+ if (fips_started) {
-+ CRYPTO_THREAD_read_lock(fips_owning_lock);
-+ if (fips_thread_set) {
-+ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
-+ if (CRYPTO_THREAD_compare_id(fips_threadid, cur))
-+ ret = 1;
-+ }
-+ CRYPTO_THREAD_unlock(fips_owning_lock);
-+ }
-+ return ret;
-+}
-+
-+int fips_set_owning_thread(void)
-+{
-+ int ret = 0;
-+
-+ if (fips_started) {
-+ CRYPTO_THREAD_write_lock(fips_owning_lock);
-+ if (!fips_thread_set) {
-+ fips_threadid = CRYPTO_THREAD_get_current_id();
-+ ret = 1;
-+ fips_thread_set = 1;
-+ }
-+ CRYPTO_THREAD_unlock(fips_owning_lock);
-+ }
-+ return ret;
-+}
-+
-+int fips_clear_owning_thread(void)
-+{
-+ int ret = 0;
-+
-+ if (fips_started) {
-+ CRYPTO_THREAD_write_lock(fips_owning_lock);
-+ if (fips_thread_set) {
-+ CRYPTO_THREAD_ID cur = CRYPTO_THREAD_get_current_id();
-+ if (CRYPTO_THREAD_compare_id(fips_threadid, cur))
-+ fips_thread_set = 0;
-+ }
-+ CRYPTO_THREAD_unlock(fips_owning_lock);
-+ }
-+ return ret;
-+}
-+
-+#endif
-diff -up openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c
---- openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c.fips 2021-03-03
12:57:42.199734525 +0100 -+++ openssl-1.1.1j/crypto/fips/fips_cmac_selftest.c 2021-03-03 12:57:42.199734525 +0100 -@@ -0,0 +1,161 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#include -+#include "crypto/fips.h" -+#include -+#include "fips_locl.h" -+ -+#ifdef OPENSSL_FIPS -+typedef struct { -+ int nid; -+ const unsigned char key[EVP_MAX_KEY_LENGTH]; -+ size_t keysize; -+ const unsigned char msg[64]; -+ size_t msgsize; -+ const unsigned char mac[32]; -+ size_t macsize; -+} CMAC_KAT; -+ -+/* from http://csrc.nist.gov/publications/nistpubs/800-38B/SP_800-38B.pdf */ -+static const CMAC_KAT vector[] = { -+ {NID_aes_128_cbc, /* Count = 32 from CMACGenAES128.txt */ -+ {0x77, 0xa7, 0x7f, 0xaf, 0x29, 0x0c, 0x1f, 0xa3, -+ 0x0c, 0x68, 0x3d, 0xf1, 0x6b, 0xa7, 0xa7, 0x7b,}, 128, -+ {0x02, 0x06, 0x83, 0xe1, 0xf0, 0x39, 0x2f, 0x4c, -+ 0xac, 0x54, 0x31, 0x8b, 0x60, 0x29, 0x25, 0x9e, -+ 0x9c, 0x55, 0x3d, 0xbc, 0x4b, 0x6a, 0xd9, 0x98, -+ 0xe6, 0x4d, 0x58, 0xe4, 0xe7, 0xdc, 0x2e, 0x13,}, 256, -+ {0xfb, 0xfe, 0xa4, 0x1b,}, 32}, -+ {NID_aes_192_cbc, /* Count = 23 from CMACGenAES192.txt */ -+ {0x7b, 0x32, 0x39, 0x13, 0x69, 0xaa, 0x4c, 0xa9, -+ 0x75, 0x58, 0x09, 0x5b, 0xe3, 0xc3, 0xec, 0x86, -+ 0x2b, 0xd0, 0x57, 0xce, 0xf1, 0xe3, 0x2d, 0x62,}, 192, -+ {0x0}, 0, -+ {0xe4, 0xd9, 0x34, 0x0b, 0x03, 0xe6, 0x7d, 0xef, -+ 0xd4, 0x96, 0x9c, 0xc1, 0xed, 0x37, 0x35, 0xe6,}, 128, -+ }, -+ {NID_aes_256_cbc, /* Count = 33 from CMACGenAES256.txt */ -+ {0x0b, 0x12, 0x2a, 0xc8, 0xf3, 0x4e, 0xd1, 0xfe, -+ 0x08, 0x2a, 0x36, 0x25, 0xd1, 0x57, 0x56, 0x14, -+ 0x54, 0x16, 0x7a, 0xc1, 0x45, 0xa1, 
0x0b, 0xbf, -+ 0x77, 0xc6, 0xa7, 0x05, 0x96, 0xd5, 0x74, 0xf1,}, 256, -+ {0x49, 0x8b, 0x53, 0xfd, 0xec, 0x87, 0xed, 0xcb, -+ 0xf0, 0x70, 0x97, 0xdc, 0xcd, 0xe9, 0x3a, 0x08, -+ 0x4b, 0xad, 0x75, 0x01, 0xa2, 0x24, 0xe3, 0x88, -+ 0xdf, 0x34, 0x9c, 0xe1, 0x89, 0x59, 0xfe, 0x84, -+ 0x85, 0xf8, 0xad, 0x15, 0x37, 0xf0, 0xd8, 0x96, -+ 0xea, 0x73, 0xbe, 0xdc, 0x72, 0x14, 0x71, 0x3f,}, 384, -+ {0xf6, 0x2c, 0x46, 0x32, 0x9b,}, 40, -+ }, -+ {NID_des_ede3_cbc, /* Count = 41 from CMACGenTDES3.req */ -+ {0x89, 0xbc, 0xd9, 0x52, 0xa8, 0xc8, 0xab, 0x37, -+ 0x1a, 0xf4, 0x8a, 0xc7, 0xd0, 0x70, 0x85, 0xd5, -+ 0xef, 0xf7, 0x02, 0xe6, 0xd6, 0x2c, 0xdc, 0x23,}, 192, -+ {0xfa, 0x62, 0x0c, 0x1b, 0xbe, 0x97, 0x31, 0x9e, -+ 0x9a, 0x0c, 0xf0, 0x49, 0x21, 0x21, 0xf7, 0xa2, -+ 0x0e, 0xb0, 0x8a, 0x6a, 0x70, 0x9d, 0xcb, 0xd0, -+ 0x0a, 0xaf, 0x38, 0xe4, 0xf9, 0x9e, 0x75, 0x4e,}, 256, -+ {0x8f, 0x49, 0xa1, 0xb7, 0xd6, 0xaa, 0x22, 0x58,}, 64, -+ }, -+}; -+ -+int FIPS_selftest_cmac() -+{ -+ size_t n, outlen; -+ unsigned char out[32]; -+ const EVP_CIPHER *cipher; -+ CMAC_CTX *ctx = CMAC_CTX_new(); -+ const CMAC_KAT *t; -+ int rv = 1; -+ -+ if (ctx == NULL) { -+ rv = -1; -+ goto err; -+ } -+ -+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { -+ cipher = EVP_get_cipherbynid(t->nid); -+ if (!cipher) { -+ rv = -1; -+ goto err; -+ } -+ if (!CMAC_Init(ctx, t->key, t->keysize / 8, cipher, 0)) { -+ rv = -1; -+ goto err; -+ } -+ if (!CMAC_Update(ctx, t->msg, t->msgsize / 8)) { -+ rv = -1; -+ goto err; -+ } -+ -+ if (!CMAC_Final(ctx, out, &outlen)) { -+ rv = -1; -+ goto err; -+ } -+ -+ if (outlen < t->macsize / 8 || memcmp(out, t->mac, t->macsize / 8)) { -+ rv = 0; -+ } -+ } -+ -+ err: -+ CMAC_CTX_free(ctx); -+ -+ if (rv == -1) { -+ rv = 0; -+ } -+ if (!rv) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_CMAC, FIPS_R_SELFTEST_FAILED); -+ -+ return rv; -+} -+#endif -diff -up openssl-1.1.1j/crypto/fips/fips_des_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_des_selftest.c ---- 
openssl-1.1.1j/crypto/fips/fips_des_selftest.c.fips 2021-03-03 12:57:42.199734525 +0100 -+++ openssl-1.1.1j/crypto/fips/fips_des_selftest.c 2021-03-03 12:57:42.199734525 +0100 -@@ -0,0 +1,103 @@ -+/* ==================================================================== -+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. 
Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ *
-+ */
-+
-+#include
-+#include
-+#ifdef OPENSSL_FIPS
-+# include
-+# include "crypto/fips.h"
-+#endif
-+#include
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const struct {
-+ const unsigned char key[24];
-+ const unsigned char plaintext[8];
-+ const unsigned char ciphertext[8];
-+} tests3[] = {
-+ {
-+ {
-+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
-+ 0xFE, 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10,
-+ 0x12, 0x34, 0x56, 0x78, 0x9a, 0xbc, 0xde, 0xf0}, {
-+ 0x8f, 0x8f, 0xbf, 0x9b, 0x5d, 0x48, 0xb4, 0x1c}, {
-+ 0x59, 0x8c, 0xe5, 0xd3, 0x6c, 0xa2, 0xea, 0x1b},}, {
-+ {
-+ 0xDC, 0xBA, 0x98, 0x76, 0x54, 0x32, 0x10, 0xFE,
-+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF,
-+ 0xED, 0x39, 0xD9, 0x50, 0xFA, 0x74, 0xBC, 0xC4}, {
-+ 0x01, 0x23, 0x45, 0x67, 0x89, 0xAB, 0xCD, 0xEF}, {
-+0x11, 0x25, 0xb0, 0x35, 0xbe, 0xa0, 0x82, 0x86},},};
-+
-+int FIPS_selftest_des()
-+{
-+ int n, ret = 0;
-+ EVP_CIPHER_CTX *ctx;
-+
-+ ctx = EVP_CIPHER_CTX_new();
-+ if (ctx == NULL)
-+ goto err;
-+
-+ /* Encrypt/decrypt with 3DES and compare to known answers */
-+ for (n = 0; n < 2; ++n) {
-+ if (!fips_cipher_test(ctx, EVP_des_ede3_ecb(),
-+ tests3[n].key, NULL,
-+ tests3[n].plaintext, tests3[n].ciphertext, 8))
-+ goto err;
-+ }
-+ ret = 1;
-+ err:
-+ EVP_CIPHER_CTX_free(ctx);
-+ if (ret == 0)
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_DES, FIPS_R_SELFTEST_FAILED);
-+
-+ return ret;
-+}
-+#endif
-diff -up openssl-1.1.1j/crypto/fips/fips_dh_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_dh_selftest.c
---- openssl-1.1.1j/crypto/fips/fips_dh_selftest.c.fips 2021-03-03 12:57:42.199734525 +0100
-+++ openssl-1.1.1j/crypto/fips/fips_dh_selftest.c 2021-03-03 12:57:42.199734525 +0100
-@@ -0,0 +1,196 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ * Copyright (c) 2013 Red Hat, Inc.
-+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "fips_locl.h" -+ -+#ifdef OPENSSL_FIPS -+ -+static unsigned char dh_test_2048_p[] = { -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xAD, 0xF8, -+ 0x54, 0x58, 0xA2, 0xBB, 0x4A, 0x9A, 0xAF, 0xDC, 0x56, 0x20, -+ 0x27, 0x3D, 0x3C, 0xF1, 0xD8, 0xB9, 0xC5, 0x83, 0xCE, 0x2D, -+ 0x36, 0x95, 0xA9, 0xE1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xFB, -+ 0xCC, 0x93, 0x9D, 0xCE, 0x24, 0x9B, 0x3E, 0xF9, 0x7D, 0x2F, -+ 0xE3, 0x63, 0x63, 0x0C, 0x75, 0xD8, 0xF6, 0x81, 0xB2, 0x02, -+ 0xAE, 0xC4, 0x61, 0x7A, 0xD3, 0xDF, 0x1E, 0xD5, 0xD5, 0xFD, -+ 0x65, 0x61, 0x24, 0x33, 0xF5, 0x1F, 0x5F, 0x06, 0x6E, 0xD0, -+ 0x85, 0x63, 0x65, 0x55, 0x3D, 0xED, 0x1A, 0xF3, 0xB5, 0x57, -+ 0x13, 0x5E, 0x7F, 0x57, 0xC9, 0x35, 0x98, 0x4F, 0x0C, 0x70, -+ 0xE0, 0xE6, 0x8B, 0x77, 0xE2, 0xA6, 0x89, 0xDA, 0xF3, 0xEF, -+ 0xE8, 0x72, 0x1D, 0xF1, 0x58, 0xA1, 0x36, 0xAD, 0xE7, 0x35, -+ 0x30, 0xAC, 0xCA, 0x4F, 0x48, 0x3A, 0x79, 0x7A, 0xBC, 0x0A, -+ 0xB1, 0x82, 0xB3, 0x24, 0xFB, 0x61, 0xD1, 0x08, 0xA9, 0x4B, -+ 0xB2, 0xC8, 0xE3, 0xFB, 0xB9, 0x6A, 0xDA, 0xB7, 0x60, 0xD7, -+ 0xF4, 0x68, 0x1D, 0x4F, 0x42, 0xA3, 0xDE, 0x39, 0x4D, 0xF4, -+ 0xAE, 0x56, 0xED, 0xE7, 0x63, 0x72, 0xBB, 0x19, 0x0B, 0x07, -+ 0xA7, 0xC8, 0xEE, 0x0A, 0x6D, 0x70, 0x9E, 0x02, 0xFC, 0xE1, -+ 0xCD, 0xF7, 0xE2, 0xEC, 0xC0, 0x34, 0x04, 0xCD, 0x28, 0x34, -+ 0x2F, 0x61, 0x91, 0x72, 0xFE, 0x9C, 0xE9, 0x85, 0x83, 
0xFF, -+ 0x8E, 0x4F, 0x12, 0x32, 0xEE, 0xF2, 0x81, 0x83, 0xC3, 0xFE, -+ 0x3B, 0x1B, 0x4C, 0x6F, 0xAD, 0x73, 0x3B, 0xB5, 0xFC, 0xBC, -+ 0x2E, 0xC2, 0x20, 0x05, 0xC5, 0x8E, 0xF1, 0x83, 0x7D, 0x16, -+ 0x83, 0xB2, 0xC6, 0xF3, 0x4A, 0x26, 0xC1, 0xB2, 0xEF, 0xFA, -+ 0x88, 0x6B, 0x42, 0x38, 0x61, 0x28, 0x5C, 0x97, 0xFF, 0xFF, -+ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF -+}; -+ -+ -+static const unsigned char dh_test_2048_g[] = { -+ 0x02 -+}; -+ -+static const unsigned char dh_test_2048_pub_key[] = { -+0x89, 0x25, 0x56, 0x5f, 0x4e, 0x17, 0x00, 0xa4, 0x32, 0x83, 0x71, 0x70, 0x87, 0xd7, -+0x14, 0x1d, 0x6d, 0xde, 0x0d, 0x44, 0x33, 0x8d, 0x6d, 0xb4, 0xa9, 0x2c, 0xf8, 0x3c, 0x21, -+0x41, 0xb4, 0x64, 0x70, 0x10, 0x85, 0x11, 0x28, 0x82, 0xd8, 0x9f, 0x4a, 0x51, 0xb8, 0x3e, -+0x06, 0x60, 0xdd, 0x28, 0x3b, 0x24, 0xf2, 0xba, 0x69, 0xee, 0x52, 0x64, 0x31, 0x98, 0x31, -+0x5a, 0x54, 0xdb, 0xd9, 0x44, 0x44, 0x91, 0x49, 0xfd, 0x6b, 0x69, 0x58, 0x06, 0x1c, 0x52, -+0xa9, 0x4f, 0xca, 0x3f, 0xdb, 0xcf, 0x3a, 0xff, 0xda, 0xea, 0x85, 0xdf, 0x49, 0x64, 0x7b, -+0xfe, 0xdb, 0x60, 0x60, 0xfd, 0x47, 0xb0, 0xef, 0xc3, 0x2d, 0x36, 0x70, 0x19, 0x35, 0xf9, -+0xc7, 0x10, 0xf6, 0xe2, 0xbc, 0x20, 0xa3, 0x13, 0x8d, 0x61, 0xee, 0x56, 0x64, 0x29, 0xb4, -+0xab, 0xca, 0x41, 0xc1, 0xd7, 0x76, 0x7e, 0xcd, 0x9d, 0x67, 0x39, 0xb4, 0x57, 0x0c, 0xb2, -+0x42, 0x07, 0xe8, 0x8a, 0x21, 0x47, 0x3d, 0xa2, 0x3a, 0x97, 0xf1, 0xc9, 0x4e, 0x67, 0xaf, -+0x7f, 0x74, 0x34, 0x60, 0xf4, 0xcf, 0xe4, 0x66, 0x1e, 0xb4, 0x95, 0xaf, 0x66, 0x97, 0x44, -+0xdf, 0x70, 0xb5, 0x08, 0xc7, 0x4d, 0x66, 0x1f, 0x95, 0x6b, 0x7b, 0x93, 0xe2, 0x31, 0x9f, -+0x69, 0xe9, 0x56, 0xaa, 0xac, 0xf1, 0x52, 0x25, 0xb7, 0x67, 0x94, 0xaf, 0x1c, 0x65, 0x8f, -+0xca, 0x7a, 0xf6, 0x68, 0x60, 0xc9, 0x54, 0xd4, 0x9a, 0x51, 0x6e, 0x18, 0x64, 0xb9, 0x5d, -+0xed, 0xe4, 0x23, 0x68, 0xf3, 0x01, 0x6b, 0xf5, 0xd4, 0xd1, 0x83, 0x81, 0x33, 0xe5, 0x55, -+0x5a, 0x28, 0x60, 0xfb, 0xa1, 0x21, 0xf9, 0x2b, 0x60, 0xa5, 0x2c, 0x30, 0x07, 0x8c, 0x04, -+0x5b, 0xdb, 0xca, 0x6e, 0x1f, 0x81, 
0x6d, 0x33, 0x35, 0x04, 0x70, 0x9e, 0x7f, 0x3c, 0xba, -+0x77, 0xc6 -+}; -+ -+static const unsigned char dh_test_2048_priv_key[] = { -+0x6d, 0x76, 0xeb, 0xc3, 0x39, 0xcd, 0xf7, 0x22, 0xb1, 0x63, 0xb5, 0x06, 0xb4, 0xa5, 0xdf, -+0x9d, 0x1d, 0xcf, 0x22, 0x59, 0xe3, 0x38, 0x5b, 0xb5, 0x4f, 0xbb, 0x82, 0xf4, 0x4d, 0xd0, -+0x9e, 0x2e, 0x91, 0x2c, 0x05, 0xfb, 0x5c, 0x4a, 0x9f, 0x81, 0x93, 0x4f, 0x93, 0x92, 0x0b, -+0xaa, 0xcd, 0x47, 0x78, 0x16, 0xcb, 0xe2, 0x11, 0x92, 0x18, 0x6a, 0x6a, 0xc9, 0x59, 0x22, -+0xb0, 0x2a, 0x61, 0x6b, 0xa7, 0xee, 0xcb, 0x00, 0x30, 0x43, 0xe9, 0x6e, 0xa0, 0x42, 0x3f, -+0xf0, 0xda, 0xda, 0xd1, 0x77, 0x1b, 0x71, 0x81, 0x60, 0x30, 0x03, 0xcb, 0x6d, 0xd7, 0xdf, -+0xc5, 0x79, 0x79, 0xad, 0x31, 0x33, 0x4a, 0xc7, 0xd3, 0xf4, 0x4a, 0x9e, 0xa8, 0xfd, 0x29, -+0xb0, 0xb6, 0x63, 0x3e, 0x1f, 0x75, 0x3e, 0x8b, 0x83, 0xbf, 0xa0, 0xb2, 0x61, 0x37, 0x8e, -+0xe5, 0x1a, 0xd6, 0xdc, 0xed, 0xf8, 0x71, 0xb5, 0x94, 0x08, 0x26, 0xc0, 0xa8, 0x50, 0xa4, -+0x7c, 0x04, 0xdc, 0x72, 0x95, 0xbf, 0xf0, 0x68, 0x62, 0xeb, 0x8c, 0x0a, 0x14, 0xc8, 0xad, -+0x81, 0x18, 0x52, 0x76, 0x94, 0xb2, 0xae, 0x51, 0xaa, 0xb1, 0x6c, 0xcd, 0xfa, 0x49, 0x2d, -+0x2a, 0x0d, 0x64, 0x9f, 0x51, 0x28, 0xd4, 0x41, 0xf1, 0xd2, 0x1b, 0xd5, 0xda, 0x82, 0x21, -+0x31, 0x94, 0xc4, 0x1e, 0xdc, 0x86, 0xf4, 0x47, 0xee, 0xab, 0x3e, 0x08, 0x8d, 0x51, 0xd9, -+0xbe, 0xec, 0x1e, 0x23, 0x30, 0x9c, 0xe9, 0xc1, 0x46, 0x8a, 0x2b, 0xa3, 0x11, 0x18, 0x94, -+0x2d, 0x6e, 0x92, 0xb6, 0x50, 0x9d, 0x8e, 0x8c, 0xcb, 0x78, 0x5a, 0x84, 0xca, 0xbf, 0x6d, -+0x83, 0x71, 0xa0, 0xe0, 0x19, 0x5a, 0x58, 0x37, 0x4c, 0x0e, 0x29, 0x62, 0x66, 0xb8, 0x25, -+0x30, 0x36, 0x6a, 0xe7, 0x06, 0x2d, 0xfd, 0xa3, 0x9b, 0xb8, 0xd7, 0x4b, 0xca, 0x82, 0xdb, -+0xcb -+}; -+ -+int FIPS_selftest_dh() -+{ -+ DH *dh = NULL; -+ int ret = 0; -+ void *pub_key_bin = NULL; -+ int len; -+ BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL; -+ const BIGNUM *pub_key; -+ -+ fips_load_key_component(p, dh_test_2048); -+ fips_load_key_component(g, 
dh_test_2048); -+ /* note that the private key is much shorter than normally used -+ * but still g ** priv_key > p -+ */ -+ fips_load_key_component(priv_key, dh_test_2048); -+ if ((tmp_pub_key = BN_new()) == NULL) -+ goto err; -+ -+ dh = DH_new(); -+ -+ if (dh == NULL) -+ goto err; -+ -+ DH_set0_pqg(dh, p, NULL, g); -+ DH_set0_key(dh, tmp_pub_key, priv_key); -+ -+ if (DH_generate_key(dh) <= 0) -+ goto err; -+ -+ DH_get0_key(dh, &pub_key, NULL); -+ -+ if (pub_key == NULL) -+ goto err; -+ -+ len = BN_num_bytes(pub_key); -+ if ((pub_key_bin = OPENSSL_malloc(len)) == NULL) -+ goto err; -+ BN_bn2bin(pub_key, pub_key_bin); -+ -+ if (len != sizeof(dh_test_2048_pub_key) || -+ memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0) -+ goto err; -+ -+ ret = 1; -+ -+ err: -+ if (dh) -+ DH_free(dh); -+ else { -+ BN_free(p); -+ BN_free(g); -+ BN_free(priv_key); -+ BN_free(tmp_pub_key); -+ } -+ -+ OPENSSL_free(pub_key_bin); -+ return ret; -+} -+#endif -diff -up openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c ---- openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c.fips 2021-03-03 12:57:42.199734525 +0100 -+++ openssl-1.1.1j/crypto/fips/fips_drbg_ctr.c 2021-03-03 12:57:42.199734525 +0100 -@@ -0,0 +1,406 @@ -+/* fips/rand/fips_drbg_ctr.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. 
Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * ====================================================================
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include "fips_rand_lcl.h"
-+
-+static void inc_128(DRBG_CTR_CTX * cctx)
-+{
-+ int i;
-+ unsigned char c;
-+ unsigned char *p = cctx->V + 15;
-+ for (i = 0; i < 16; i++) {
-+ c = *p;
-+ c++;
-+ *p = c;
-+ if (c)
-+ return;
-+ p--;
-+ }
-+}
-+
-+static void ctr_XOR(DRBG_CTR_CTX * cctx, const unsigned char *in,
-+ size_t inlen)
-+{
-+ size_t i, n;
-+ /* Any zero padding will have no effect on the result as we
-+ * are XORing. So just process however much input we have.
-+ */
-+
-+ if (!in || !inlen)
-+ return;
-+
-+ if (inlen < cctx->keylen)
-+ n = inlen;
-+ else
-+ n = cctx->keylen;
-+
-+ for (i = 0; i < n; i++)
-+ cctx->K[i] ^= in[i];
-+ if (inlen <= cctx->keylen)
-+ return;
-+
-+ n = inlen - cctx->keylen;
-+ /* Should never happen */
-+ if (n > 16)
-+ n = 16;
-+ for (i = 0; i < 16; i++)
-+ cctx->V[i] ^= in[i + cctx->keylen];
-+}
-+
-+/* Process a complete block using BCC algorithm of SPP 800-90 10.4.3 */
-+
-+static void ctr_BCC_block(DRBG_CTR_CTX * cctx, unsigned char *out,
-+ const unsigned char *in)
-+{
-+ int i;
-+ for (i = 0; i < 16; i++)
-+ out[i] ^= in[i];
-+ AES_encrypt(out, out, &cctx->df_ks);
-+#if 0
-+ fprintf(stderr, "BCC in+out\n");
-+ BIO_dump_fp(stderr, in, 16);
-+ BIO_dump_fp(stderr, out, 16);
-+#endif
-+}
-+
-+/* Handle several BCC operations for as much data as we need for K and X */
-+static void ctr_BCC_blocks(DRBG_CTR_CTX * cctx, const unsigned char *in)
-+{
-+ ctr_BCC_block(cctx, cctx->KX, in);
-+ ctr_BCC_block(cctx, cctx->KX + 16, in);
-+ if (cctx->keylen != 16)
-+ ctr_BCC_block(cctx, cctx->KX + 32, in);
-+}
-+
-+/* Initialise BCC blocks: these have the value 0,1,2 in leftmost positions:
-+ * see 10.4.2 stage 7.
-+ */
-+static void ctr_BCC_init(DRBG_CTR_CTX * cctx)
-+{
-+ memset(cctx->KX, 0, 48);
-+ memset(cctx->bltmp, 0, 16);
-+ ctr_BCC_block(cctx, cctx->KX, cctx->bltmp);
-+ cctx->bltmp[3] = 1;
-+ ctr_BCC_block(cctx, cctx->KX + 16, cctx->bltmp);
-+ if (cctx->keylen != 16) {
-+ cctx->bltmp[3] = 2;
-+ ctr_BCC_block(cctx, cctx->KX + 32, cctx->bltmp);
-+ }
-+}
-+
-+/* Process several blocks into BCC algorithm, some possibly partial */
-+static void ctr_BCC_update(DRBG_CTR_CTX * cctx,
-+ const unsigned char *in, size_t inlen)
-+{
-+ if (!in || !inlen)
-+ return;
-+ /* If we have partial block handle it first */
-+ if (cctx->bltmp_pos) {
-+ size_t left = 16 - cctx->bltmp_pos;
-+ /* If we now have a complete block process it */
-+ if (inlen >= left) {
-+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, left);
-+ ctr_BCC_blocks(cctx, cctx->bltmp);
-+ cctx->bltmp_pos = 0;
-+ inlen -= left;
-+ in += left;
-+ }
-+ }
-+ /* Process zero or more complete blocks */
-+ while (inlen >= 16) {
-+ ctr_BCC_blocks(cctx, in);
-+ in += 16;
-+ inlen -= 16;
-+ }
-+ /* Copy any remaining partial block to the temporary buffer */
-+ if (inlen > 0) {
-+ memcpy(cctx->bltmp + cctx->bltmp_pos, in, inlen);
-+ cctx->bltmp_pos += inlen;
-+ }
-+}
-+
-+static void ctr_BCC_final(DRBG_CTR_CTX * cctx)
-+{
-+ if (cctx->bltmp_pos) {
-+ memset(cctx->bltmp + cctx->bltmp_pos, 0, 16 - cctx->bltmp_pos);
-+ ctr_BCC_blocks(cctx, cctx->bltmp);
-+ }
-+}
-+
-+static void ctr_df(DRBG_CTR_CTX * cctx,
-+ const unsigned char *in1, size_t in1len,
-+ const unsigned char *in2, size_t in2len,
-+ const unsigned char *in3, size_t in3len)
-+{
-+ size_t inlen;
-+ unsigned char *p = cctx->bltmp;
-+ static unsigned char c80 = 0x80;
-+
-+ ctr_BCC_init(cctx);
-+ if (!in1)
-+ in1len = 0;
-+ if (!in2)
-+ in2len = 0;
-+ if (!in3)
-+ in3len = 0;
-+ inlen = in1len + in2len + in3len;
-+ /* Initialise L||N in temporary block */
-+ *p++ = (inlen >> 24) & 0xff;
-+ *p++ = (inlen >> 16) & 0xff;
-+ *p++ = (inlen >> 8) & 0xff;
-+ *p++ = inlen & 0xff;
-+ /* NB
keylen is at most 32 bytes */
-+ *p++ = 0;
-+ *p++ = 0;
-+ *p++ = 0;
-+ *p = (unsigned char)((cctx->keylen + 16) & 0xff);
-+ cctx->bltmp_pos = 8;
-+ ctr_BCC_update(cctx, in1, in1len);
-+ ctr_BCC_update(cctx, in2, in2len);
-+ ctr_BCC_update(cctx, in3, in3len);
-+ ctr_BCC_update(cctx, &c80, 1);
-+ ctr_BCC_final(cctx);
-+ /* Set up key K */
-+ AES_set_encrypt_key(cctx->KX, cctx->keylen * 8, &cctx->df_kxks);
-+ /* X follows key K */
-+ AES_encrypt(cctx->KX + cctx->keylen, cctx->KX, &cctx->df_kxks);
-+ AES_encrypt(cctx->KX, cctx->KX + 16, &cctx->df_kxks);
-+ if (cctx->keylen != 16)
-+ AES_encrypt(cctx->KX + 16, cctx->KX + 32, &cctx->df_kxks);
-+#if 0
-+ fprintf(stderr, "Output of ctr_df:\n");
-+ BIO_dump_fp(stderr, cctx->KX, cctx->keylen + 16);
-+#endif
-+}
-+
-+/* NB the no-df Update in SP800-90 specifies a constant input length
-+ * of seedlen, however other uses of this algorithm pad the input with
-+ * zeroes if necessary and have up to two parameters XORed together,
-+ * handle both cases in this function instead.
-+ */ -+ -+static void ctr_Update(DRBG_CTX *dctx, -+ const unsigned char *in1, size_t in1len, -+ const unsigned char *in2, size_t in2len, -+ const unsigned char *nonce, size_t noncelen) -+{ -+ DRBG_CTR_CTX *cctx = &dctx->d.ctr; -+ /* ks is already setup for correct key */ -+ inc_128(cctx); -+ AES_encrypt(cctx->V, cctx->K, &cctx->ks); -+ /* If keylen longer than 128 bits need extra encrypt */ -+ if (cctx->keylen != 16) { -+ inc_128(cctx); -+ AES_encrypt(cctx->V, cctx->K + 16, &cctx->ks); -+ } -+ inc_128(cctx); -+ AES_encrypt(cctx->V, cctx->V, &cctx->ks); -+ /* If 192 bit key part of V is on end of K */ -+ if (cctx->keylen == 24) { -+ memcpy(cctx->V + 8, cctx->V, 8); -+ memcpy(cctx->V, cctx->K + 24, 8); -+ } -+ -+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { -+ /* If no input reuse existing derived value */ -+ if (in1 || nonce || in2) -+ ctr_df(cctx, in1, in1len, nonce, noncelen, in2, in2len); -+ /* If this a reuse input in1len != 0 */ -+ if (in1len) -+ ctr_XOR(cctx, cctx->KX, dctx->seedlen); -+ } else { -+ ctr_XOR(cctx, in1, in1len); -+ ctr_XOR(cctx, in2, in2len); -+ } -+ -+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); -+#if 0 -+ fprintf(stderr, "K+V after update is:\n"); -+ BIO_dump_fp(stderr, cctx->K, cctx->keylen); -+ BIO_dump_fp(stderr, cctx->V, 16); -+#endif -+} -+ -+static int drbg_ctr_instantiate(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t entlen, -+ const unsigned char *nonce, size_t noncelen, -+ const unsigned char *pers, size_t perslen) -+{ -+ DRBG_CTR_CTX *cctx = &dctx->d.ctr; -+ memset(cctx->K, 0, sizeof(cctx->K)); -+ memset(cctx->V, 0, sizeof(cctx->V)); -+ AES_set_encrypt_key(cctx->K, dctx->strength, &cctx->ks); -+ ctr_Update(dctx, ent, entlen, pers, perslen, nonce, noncelen); -+ return 1; -+} -+ -+static int drbg_ctr_reseed(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t entlen, -+ const unsigned char *adin, size_t adinlen) -+{ -+ ctr_Update(dctx, ent, entlen, adin, adinlen, NULL, 0); -+ return 1; -+} -+ -+static int 
drbg_ctr_generate(DRBG_CTX *dctx, -+ unsigned char *out, size_t outlen, -+ const unsigned char *adin, size_t adinlen) -+{ -+ DRBG_CTR_CTX *cctx = &dctx->d.ctr; -+ if (adin && adinlen) { -+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0); -+ /* This means we reuse derived value */ -+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { -+ adin = NULL; -+ adinlen = 1; -+ } -+ } else -+ adinlen = 0; -+ -+ for (;;) { -+ inc_128(cctx); -+ if (outlen < 16) { -+ /* Use K as temp space as it will be updated */ -+ AES_encrypt(cctx->V, cctx->K, &cctx->ks); -+ memcpy(out, cctx->K, outlen); -+ break; -+ } -+ AES_encrypt(cctx->V, out, &cctx->ks); -+ out += 16; -+ outlen -= 16; -+ if (outlen == 0) -+ break; -+ } -+ -+ ctr_Update(dctx, adin, adinlen, NULL, 0, NULL, 0); -+ -+ return 1; -+ -+} -+ -+static int drbg_ctr_uninstantiate(DRBG_CTX *dctx) -+{ -+ memset(&dctx->d.ctr, 0, sizeof(DRBG_CTR_CTX)); -+ return 1; -+} -+ -+int fips_drbg_ctr_init(DRBG_CTX *dctx) -+{ -+ DRBG_CTR_CTX *cctx = &dctx->d.ctr; -+ -+ size_t keylen; -+ -+ switch (dctx->type) { -+ case NID_aes_128_ctr: -+ keylen = 16; -+ break; -+ -+ case NID_aes_192_ctr: -+ keylen = 24; -+ break; -+ -+ case NID_aes_256_ctr: -+ keylen = 32; -+ break; -+ -+ default: -+ return -2; -+ } -+ -+ dctx->instantiate = drbg_ctr_instantiate; -+ dctx->reseed = drbg_ctr_reseed; -+ dctx->generate = drbg_ctr_generate; -+ dctx->uninstantiate = drbg_ctr_uninstantiate; -+ -+ cctx->keylen = keylen; -+ dctx->strength = keylen * 8; -+ dctx->blocklength = 16; -+ dctx->seedlen = keylen + 16; -+ -+ if (dctx->xflags & DRBG_FLAG_CTR_USE_DF) { -+ /* df initialisation */ -+ static unsigned char df_key[32] = { -+ 0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, -+ 0x08, 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, -+ 0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, -+ 0x18, 0x19, 0x1a, 0x1b, 0x1c, 0x1d, 0x1e, 0x1f -+ }; -+ /* Set key schedule for df_key */ -+ AES_set_encrypt_key(df_key, dctx->strength, &cctx->df_ks); -+ -+ dctx->min_entropy = cctx->keylen; -+ 
dctx->max_entropy = DRBG_MAX_LENGTH; -+ dctx->min_nonce = dctx->min_entropy / 2; -+ dctx->max_nonce = DRBG_MAX_LENGTH; -+ dctx->max_pers = DRBG_MAX_LENGTH; -+ dctx->max_adin = DRBG_MAX_LENGTH; -+ } else { -+ dctx->min_entropy = dctx->seedlen; -+ dctx->max_entropy = dctx->seedlen; -+ /* Nonce not used */ -+ dctx->min_nonce = 0; -+ dctx->max_nonce = 0; -+ dctx->max_pers = dctx->seedlen; -+ dctx->max_adin = dctx->seedlen; -+ } -+ -+ dctx->max_request = 1 << 16; -+ dctx->reseed_interval = 1 << 24; -+ -+ return 1; -+} -diff -up openssl-1.1.1j/crypto/fips/fips_drbg_hash.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_hash.c ---- openssl-1.1.1j/crypto/fips/fips_drbg_hash.c.fips 2021-03-03 12:57:42.199734525 +0100 -+++ openssl-1.1.1j/crypto/fips/fips_drbg_hash.c 2021-03-03 12:57:42.199734525 +0100 -@@ -0,0 +1,354 @@ -+/* fips/rand/fips_drbg_hash.c */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. 
The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * ==================================================================== -+ */ -+ -+#define OPENSSL_FIPSAPI -+ -+#include -+#include -+#include -+#include -+#include "crypto/fips.h" -+#include -+#include "fips_rand_lcl.h" -+ -+/* This is Hash_df from SP 800-90 10.4.1 */ -+ -+static int hash_df(DRBG_CTX *dctx, unsigned char *out, -+ const unsigned char *in1, size_t in1len, -+ const unsigned char *in2, size_t in2len, -+ const unsigned char *in3, size_t in3len, -+ const unsigned char *in4, size_t in4len) -+{ -+ EVP_MD_CTX *mctx = dctx->d.hash.mctx; -+ unsigned char *vtmp = dctx->d.hash.vtmp; -+ unsigned char tmp[6]; -+ /* Standard only ever needs seedlen bytes which is always less than -+ * maximum permitted so no need to check length. -+ */ -+ size_t outlen = dctx->seedlen; -+ tmp[0] = 1; -+ tmp[1] = ((outlen * 8) >> 24) & 0xff; -+ tmp[2] = ((outlen * 8) >> 16) & 0xff; -+ tmp[3] = ((outlen * 8) >> 8) & 0xff; -+ tmp[4] = (outlen * 8) & 0xff; -+ if (!in1) { -+ tmp[5] = (unsigned char)in1len; -+ in1 = tmp + 5; -+ in1len = 1; -+ } -+ for (;;) { -+ if (!FIPS_digestinit(mctx, dctx->d.hash.md)) -+ return 0; -+ if (!FIPS_digestupdate(mctx, tmp, 5)) -+ return 0; -+ if (in1 && !FIPS_digestupdate(mctx, in1, in1len)) -+ return 0; -+ if (in2 && !FIPS_digestupdate(mctx, in2, in2len)) -+ return 0; -+ if (in3 && !FIPS_digestupdate(mctx, in3, in3len)) -+ return 0; -+ if (in4 && !FIPS_digestupdate(mctx, in4, in4len)) -+ return 0; -+ if (outlen < dctx->blocklength) { -+ if (!FIPS_digestfinal(mctx, vtmp, NULL)) -+ return 0; -+ memcpy(out, vtmp, outlen); -+ OPENSSL_cleanse(vtmp, dctx->blocklength); -+ return 1; -+ } else if (!FIPS_digestfinal(mctx, out, NULL)) -+ return 0; -+ -+ outlen -= dctx->blocklength; -+ if (outlen == 0) -+ return 1; -+ tmp[0]++; -+ out += dctx->blocklength; -+ } -+} -+ -+/* Add an unsigned buffer to the buf value, storing the result in buf. For -+ * this algorithm the length of input never exceeds the seed length. 
-+ */ -+ -+static void ctx_add_buf(DRBG_CTX *dctx, unsigned char *buf, -+ unsigned char *in, size_t inlen) -+{ -+ size_t i = inlen; -+ const unsigned char *q; -+ unsigned char c, *p; -+ p = buf + dctx->seedlen; -+ q = in + inlen; -+ -+ OPENSSL_assert(i <= dctx->seedlen); -+ -+ /* Special case: zero length, just increment buffer */ -+ if (i) -+ c = 0; -+ else -+ c = 1; -+ -+ while (i) { -+ int r; -+ p--; -+ q--; -+ r = *p + *q + c; -+ /* Carry */ -+ if (r > 0xff) -+ c = 1; -+ else -+ c = 0; -+ *p = r & 0xff; -+ i--; -+ } -+ -+ i = dctx->seedlen - inlen; -+ -+ /* If not adding whole buffer handle final carries */ -+ if (c && i) { -+ do { -+ p--; -+ c = *p; -+ c++; -+ *p = c; -+ if (c) -+ return; -+ } while (i--); -+ } -+} -+ -+/* Finalise and add hash to V */ -+ -+static int ctx_add_md(DRBG_CTX *dctx) -+{ -+ if (!FIPS_digestfinal(dctx->d.hash.mctx, dctx->d.hash.vtmp, NULL)) -+ return 0; -+ ctx_add_buf(dctx, dctx->d.hash.V, dctx->d.hash.vtmp, dctx->blocklength); -+ return 1; -+} -+ -+static int hash_gen(DRBG_CTX *dctx, unsigned char *out, size_t outlen) -+{ -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ if (outlen == 0) -+ return 1; -+ memcpy(hctx->vtmp, hctx->V, dctx->seedlen); -+ for (;;) { -+ FIPS_digestinit(hctx->mctx, hctx->md); -+ FIPS_digestupdate(hctx->mctx, hctx->vtmp, dctx->seedlen); -+ if (outlen < dctx->blocklength) { -+ FIPS_digestfinal(hctx->mctx, hctx->vtmp, NULL); -+ memcpy(out, hctx->vtmp, outlen); -+ return 1; -+ } else { -+ FIPS_digestfinal(hctx->mctx, out, NULL); -+ outlen -= dctx->blocklength; -+ if (outlen == 0) -+ return 1; -+ out += dctx->blocklength; -+ } -+ ctx_add_buf(dctx, hctx->vtmp, NULL, 0); -+ } -+} -+ -+static int drbg_hash_instantiate(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t ent_len, -+ const unsigned char *nonce, size_t nonce_len, -+ const unsigned char *pstr, size_t pstr_len) -+{ -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ if (!hash_df(dctx, hctx->V, -+ ent, ent_len, nonce, nonce_len, pstr, pstr_len, NULL, 0)) -+ return 0; -+ 
if (!hash_df(dctx, hctx->C, -+ NULL, 0, hctx->V, dctx->seedlen, NULL, 0, NULL, 0)) -+ return 0; -+ -+#ifdef HASH_DRBG_TRACE -+ fprintf(stderr, "V+C after instantiate:\n"); -+ hexprint(stderr, hctx->V, dctx->seedlen); -+ hexprint(stderr, hctx->C, dctx->seedlen); -+#endif -+ return 1; -+} -+ -+static int drbg_hash_reseed(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t ent_len, -+ const unsigned char *adin, size_t adin_len) -+{ -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ /* V about to be updated so use C as output instead */ -+ if (!hash_df(dctx, hctx->C, -+ NULL, 1, hctx->V, dctx->seedlen, -+ ent, ent_len, adin, adin_len)) -+ return 0; -+ memcpy(hctx->V, hctx->C, dctx->seedlen); -+ if (!hash_df(dctx, hctx->C, NULL, 0, -+ hctx->V, dctx->seedlen, NULL, 0, NULL, 0)) -+ return 0; -+#ifdef HASH_DRBG_TRACE -+ fprintf(stderr, "V+C after reseed:\n"); -+ hexprint(stderr, hctx->V, dctx->seedlen); -+ hexprint(stderr, hctx->C, dctx->seedlen); -+#endif -+ return 1; -+} -+ -+static int drbg_hash_generate(DRBG_CTX *dctx, -+ unsigned char *out, size_t outlen, -+ const unsigned char *adin, size_t adin_len) -+{ -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ EVP_MD_CTX *mctx = hctx->mctx; -+ unsigned char tmp[4]; -+ if (adin && adin_len) { -+ tmp[0] = 2; -+ if (!FIPS_digestinit(mctx, hctx->md)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, tmp, 1)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, adin, adin_len)) -+ return 0; -+ if (!ctx_add_md(dctx)) -+ return 0; -+ } -+ if (!hash_gen(dctx, out, outlen)) -+ return 0; -+ -+ tmp[0] = 3; -+ if (!FIPS_digestinit(mctx, hctx->md)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, tmp, 1)) -+ return 0; -+ if (!EVP_DigestUpdate(mctx, hctx->V, dctx->seedlen)) -+ return 0; -+ -+ if (!ctx_add_md(dctx)) -+ return 0; -+ -+ ctx_add_buf(dctx, hctx->V, hctx->C, dctx->seedlen); -+ -+ tmp[0] = (dctx->reseed_counter >> 24) & 0xff; -+ tmp[1] = (dctx->reseed_counter >> 16) & 0xff; -+ tmp[2] = 
(dctx->reseed_counter >> 8) & 0xff; -+ tmp[3] = dctx->reseed_counter & 0xff; -+ ctx_add_buf(dctx, hctx->V, tmp, 4); -+#ifdef HASH_DRBG_TRACE -+ fprintf(stderr, "V+C after generate:\n"); -+ hexprint(stderr, hctx->V, dctx->seedlen); -+ hexprint(stderr, hctx->C, dctx->seedlen); -+#endif -+ return 1; -+} -+ -+static int drbg_hash_uninstantiate(DRBG_CTX *dctx) -+{ -+ EVP_MD_CTX_free(dctx->d.hash.mctx); -+ OPENSSL_cleanse(&dctx->d.hash, sizeof(DRBG_HASH_CTX)); -+ return 1; -+} -+ -+int fips_drbg_hash_init(DRBG_CTX *dctx) -+{ -+ const EVP_MD *md; -+ DRBG_HASH_CTX *hctx = &dctx->d.hash; -+ md = EVP_get_digestbynid(dctx->type); -+ if (!md) -+ return -2; -+ switch (dctx->type) { -+ case NID_sha1: -+ dctx->strength = 128; -+ break; -+ -+ case NID_sha224: -+ dctx->strength = 192; -+ break; -+ -+ default: -+ dctx->strength = 256; -+ break; -+ } -+ -+ dctx->instantiate = drbg_hash_instantiate; -+ dctx->reseed = drbg_hash_reseed; -+ dctx->generate = drbg_hash_generate; -+ dctx->uninstantiate = drbg_hash_uninstantiate; -+ -+ dctx->d.hash.md = md; -+ hctx->mctx = EVP_MD_CTX_new(); -+ if (hctx->mctx == NULL) -+ return -1; -+ -+ /* These are taken from SP 800-90 10.1 table 2 */ -+ -+ dctx->blocklength = EVP_MD_size(md); -+ if (dctx->blocklength > 32) -+ dctx->seedlen = 111; -+ else -+ dctx->seedlen = 55; -+ -+ dctx->min_entropy = dctx->strength / 8; -+ dctx->max_entropy = DRBG_MAX_LENGTH; -+ -+ dctx->min_nonce = dctx->min_entropy / 2; -+ dctx->max_nonce = DRBG_MAX_LENGTH; -+ -+ dctx->max_pers = DRBG_MAX_LENGTH; -+ dctx->max_adin = DRBG_MAX_LENGTH; -+ -+ dctx->max_request = 1 << 16; -+ dctx->reseed_interval = 1 << 24; -+ -+ return 1; -+} -diff -up openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c ---- openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c.fips 2021-03-03 12:57:42.199734525 +0100 -+++ openssl-1.1.1j/crypto/fips/fips_drbg_hmac.c 2021-03-03 12:57:42.199734525 +0100 -@@ -0,0 +1,262 @@ -+/* fips/rand/fips_drbg_hmac.c */ -+/* Written by Dr 
Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include "fips_rand_lcl.h" -+ -+static int drbg_hmac_update(DRBG_CTX *dctx, -+ const unsigned char *in1, size_t in1len, -+ const unsigned char *in2, size_t in2len, -+ const unsigned char *in3, size_t in3len) -+{ -+ static unsigned char c0 = 0, c1 = 1; -+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; -+ HMAC_CTX *hctx = hmac->hctx; -+ -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) -+ return 0; -+ if (!HMAC_Update(hctx, &c0, 1)) -+ return 0; -+ if (in1len && !HMAC_Update(hctx, in1, in1len)) -+ return 0; -+ if (in2len && !HMAC_Update(hctx, in2, in2len)) -+ return 0; -+ if (in3len && !HMAC_Update(hctx, in3, in3len)) -+ return 0; -+ -+ if (!HMAC_Final(hctx, hmac->K, NULL)) -+ return 0; -+ -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) -+ return 0; -+ -+ if (!HMAC_Final(hctx, hmac->V, NULL)) -+ return 0; -+ -+ if (!in1len && !in2len && !in3len) -+ return 1; -+ -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) -+ return 0; -+ if (!HMAC_Update(hctx, &c1, 1)) -+ return 0; -+ if (in1len && 
!HMAC_Update(hctx, in1, in1len)) -+ return 0; -+ if (in2len && !HMAC_Update(hctx, in2, in2len)) -+ return 0; -+ if (in3len && !HMAC_Update(hctx, in3, in3len)) -+ return 0; -+ -+ if (!HMAC_Final(hctx, hmac->K, NULL)) -+ return 0; -+ -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; -+ if (!HMAC_Update(hctx, hmac->V, dctx->blocklength)) -+ return 0; -+ -+ if (!HMAC_Final(hctx, hmac->V, NULL)) -+ return 0; -+ -+ return 1; -+ -+} -+ -+static int drbg_hmac_instantiate(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t ent_len, -+ const unsigned char *nonce, size_t nonce_len, -+ const unsigned char *pstr, size_t pstr_len) -+{ -+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; -+ memset(hmac->K, 0, dctx->blocklength); -+ memset(hmac->V, 1, dctx->blocklength); -+ if (!drbg_hmac_update(dctx, -+ ent, ent_len, nonce, nonce_len, pstr, pstr_len)) -+ return 0; -+ -+#ifdef HMAC_DRBG_TRACE -+ fprintf(stderr, "K+V after instantiate:\n"); -+ hexprint(stderr, hmac->K, hmac->blocklength); -+ hexprint(stderr, hmac->V, hmac->blocklength); -+#endif -+ return 1; -+} -+ -+static int drbg_hmac_reseed(DRBG_CTX *dctx, -+ const unsigned char *ent, size_t ent_len, -+ const unsigned char *adin, size_t adin_len) -+{ -+ if (!drbg_hmac_update(dctx, ent, ent_len, adin, adin_len, NULL, 0)) -+ return 0; -+ -+#ifdef HMAC_DRBG_TRACE -+ { -+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; -+ fprintf(stderr, "K+V after reseed:\n"); -+ hexprint(stderr, hmac->K, hmac->blocklength); -+ hexprint(stderr, hmac->V, hmac->blocklength); -+ } -+#endif -+ return 1; -+} -+ -+static int drbg_hmac_generate(DRBG_CTX *dctx, -+ unsigned char *out, size_t outlen, -+ const unsigned char *adin, size_t adin_len) -+{ -+ DRBG_HMAC_CTX *hmac = &dctx->d.hmac; -+ HMAC_CTX *hctx = hmac->hctx; -+ const unsigned char *Vtmp = hmac->V; -+ if (adin_len && !drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0)) -+ return 0; -+ for (;;) { -+ if (!HMAC_Init_ex(hctx, hmac->K, dctx->blocklength, hmac->md, NULL)) -+ return 0; 
-+ if (!HMAC_Update(hctx, Vtmp, dctx->blocklength)) -+ return 0; -+ if (outlen > dctx->blocklength) { -+ if (!HMAC_Final(hctx, out, NULL)) -+ return 0; -+ Vtmp = out; -+ } else { -+ if (!HMAC_Final(hctx, hmac->V, NULL)) -+ return 0; -+ memcpy(out, hmac->V, outlen); -+ break; -+ } -+ out += dctx->blocklength; -+ outlen -= dctx->blocklength; -+ } -+ if (!drbg_hmac_update(dctx, adin, adin_len, NULL, 0, NULL, 0)) -+ return 0; -+ -+ return 1; -+} -+ -+static int drbg_hmac_uninstantiate(DRBG_CTX *dctx) -+{ -+ HMAC_CTX_free(dctx->d.hmac.hctx); -+ OPENSSL_cleanse(&dctx->d.hmac, sizeof(DRBG_HMAC_CTX)); -+ return 1; -+} -+ -+int fips_drbg_hmac_init(DRBG_CTX *dctx) -+{ -+ const EVP_MD *md = NULL; -+ DRBG_HMAC_CTX *hctx = &dctx->d.hmac; -+ dctx->strength = 256; -+ switch (dctx->type) { -+ case NID_hmacWithSHA1: -+ md = EVP_sha1(); -+ dctx->strength = 128; -+ break; -+ -+ case NID_hmacWithSHA224: -+ md = EVP_sha224(); -+ dctx->strength = 192; -+ break; -+ -+ case NID_hmacWithSHA256: -+ md = EVP_sha256(); -+ break; -+ -+ case NID_hmacWithSHA384: -+ md = EVP_sha384(); -+ break; -+ -+ case NID_hmacWithSHA512: -+ md = EVP_sha512(); -+ break; -+ -+ default: -+ dctx->strength = 0; -+ return -2; -+ } -+ dctx->instantiate = drbg_hmac_instantiate; -+ dctx->reseed = drbg_hmac_reseed; -+ dctx->generate = drbg_hmac_generate; -+ dctx->uninstantiate = drbg_hmac_uninstantiate; -+ hctx->hctx = HMAC_CTX_new(); -+ if (hctx->hctx == NULL) -+ return -1; -+ hctx->md = md; -+ dctx->blocklength = M_EVP_MD_size(md); -+ dctx->seedlen = M_EVP_MD_size(md); -+ -+ dctx->min_entropy = dctx->strength / 8; -+ dctx->max_entropy = DRBG_MAX_LENGTH; -+ -+ dctx->min_nonce = dctx->min_entropy / 2; -+ dctx->max_nonce = DRBG_MAX_LENGTH; -+ -+ dctx->max_pers = DRBG_MAX_LENGTH; -+ dctx->max_adin = DRBG_MAX_LENGTH; -+ -+ dctx->max_request = 1 << 16; -+ dctx->reseed_interval = 1 << 24; -+ -+ return 1; -+} -diff -up openssl-1.1.1j/crypto/fips/fips_drbg_lib.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_lib.c ---- 
openssl-1.1.1j/crypto/fips/fips_drbg_lib.c.fips 2021-03-03 12:57:42.199734525 +0100 -+++ openssl-1.1.1j/crypto/fips/fips_drbg_lib.c 2021-03-03 12:57:42.199734525 +0100 -@@ -0,0 +1,528 @@ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. 
Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * ==================================================================== -+ */ -+ -+#include -+#include -+#include -+#include -+#include "crypto/fips.h" -+#include -+#include "fips_locl.h" -+#include "fips_rand_lcl.h" -+ -+/* Support framework for SP800-90 DRBGs */ -+ -+int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags) -+{ -+ int rv; -+ memset(dctx, 0, sizeof(DRBG_CTX)); -+ dctx->status = DRBG_STATUS_UNINITIALISED; -+ dctx->xflags = flags; -+ dctx->type = type; -+ -+ dctx->iflags = 0; -+ dctx->entropy_blocklen = 0; -+ dctx->health_check_cnt = 0; -+ dctx->health_check_interval = DRBG_HEALTH_INTERVAL; -+ -+ rv = fips_drbg_hash_init(dctx); -+ -+ if (rv == -2) -+ rv = fips_drbg_ctr_init(dctx); -+ if (rv == -2) -+ rv = fips_drbg_hmac_init(dctx); -+ -+ if (rv <= 0) { -+ if (rv == -2) -+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_UNSUPPORTED_DRBG_TYPE); -+ else -+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_ERROR_INITIALISING_DRBG); -+ } -+ -+ /* If not in test mode run selftests on DRBG of the same type */ -+ -+ if (!(dctx->xflags & DRBG_FLAG_TEST)) { -+ if (!FIPS_drbg_health_check(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_INIT, FIPS_R_SELFTEST_FAILURE); -+ return 0; -+ } -+ } -+ -+ return rv; -+} -+ -+DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags) -+{ -+ DRBG_CTX *dctx; -+ dctx = OPENSSL_malloc(sizeof(DRBG_CTX)); -+ if (!dctx) { -+ FIPSerr(FIPS_F_FIPS_DRBG_NEW, ERR_R_MALLOC_FAILURE); -+ return NULL; -+ } -+ -+ if (type == 0) { -+ memset(dctx, 0, sizeof(DRBG_CTX)); -+ dctx->type = 0; -+ dctx->status = DRBG_STATUS_UNINITIALISED; -+ return dctx; -+ } -+ -+ if (FIPS_drbg_init(dctx, type, flags) <= 0) { -+ OPENSSL_free(dctx); -+ return NULL; -+ } -+ -+ return dctx; -+} -+ -+void FIPS_drbg_free(DRBG_CTX *dctx) -+{ -+ if (dctx->uninstantiate) -+ dctx->uninstantiate(dctx); -+ /* Don't free up default DRBG */ -+ if (dctx == FIPS_get_default_drbg()) { -+ memset(dctx, 0, sizeof(DRBG_CTX)); -+ dctx->type = 0; -+ dctx->status = DRBG_STATUS_UNINITIALISED; -+ } else { -+ 
OPENSSL_cleanse(&dctx->d, sizeof(dctx->d)); -+ OPENSSL_free(dctx); -+ } -+} -+ -+static size_t fips_get_entropy(DRBG_CTX *dctx, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len) -+{ -+ unsigned char *tout, *p; -+ size_t bl = dctx->entropy_blocklen, rv; -+ if (!dctx->get_entropy) -+ return 0; -+ if (dctx->xflags & DRBG_FLAG_TEST || !bl) -+ return dctx->get_entropy(dctx, pout, entropy, min_len, max_len); -+ rv = dctx->get_entropy(dctx, &tout, entropy + bl, -+ min_len + bl, max_len + bl); -+ if (tout == NULL) -+ return 0; -+ *pout = tout + bl; -+ if (rv < (min_len + bl) || (rv % bl)) -+ return 0; -+ /* Compare consecutive blocks for continuous PRNG test */ -+ for (p = tout; p < tout + rv - bl; p += bl) { -+ if (!memcmp(p, p + bl, bl)) { -+ FIPSerr(FIPS_F_FIPS_GET_ENTROPY, FIPS_R_ENTROPY_SOURCE_STUCK); -+ return 0; -+ } -+ } -+ rv -= bl; -+ if (rv > max_len) -+ return max_len; -+ return rv; -+} -+ -+static void fips_cleanup_entropy(DRBG_CTX *dctx, -+ unsigned char *out, size_t olen) -+{ -+ size_t bl; -+ if (dctx->xflags & DRBG_FLAG_TEST) -+ bl = 0; -+ else -+ bl = dctx->entropy_blocklen; -+ /* Call cleanup with original arguments */ -+ dctx->cleanup_entropy(dctx, out - bl, olen + bl); -+} -+ -+int FIPS_drbg_instantiate(DRBG_CTX *dctx, -+ const unsigned char *pers, size_t perslen) -+{ -+ size_t entlen = 0, noncelen = 0; -+ unsigned char *nonce = NULL, *entropy = NULL; -+ -+#if 0 -+ /* Put here so error script picks them up */ -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, -+ FIPS_R_PERSONALISATION_STRING_TOO_LONG); -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_IN_ERROR_STATE); -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ALREADY_INSTANTIATED); -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_ENTROPY); -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_ERROR_RETRIEVING_NONCE); -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_INSTANTIATE_ERROR); -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, FIPS_R_DRBG_NOT_INITIALISED); -+#endif -+ -+ int r = 0; 
-+ -+ if (perslen > dctx->max_pers) { -+ r = FIPS_R_PERSONALISATION_STRING_TOO_LONG; -+ goto end; -+ } -+ -+ if (!dctx->instantiate) { -+ r = FIPS_R_DRBG_NOT_INITIALISED; -+ goto end; -+ } -+ -+ if (dctx->status != DRBG_STATUS_UNINITIALISED) { -+ if (dctx->status == DRBG_STATUS_ERROR) -+ r = FIPS_R_IN_ERROR_STATE; -+ else -+ r = FIPS_R_ALREADY_INSTANTIATED; -+ goto end; -+ } -+ -+ dctx->status = DRBG_STATUS_ERROR; -+ -+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength, -+ dctx->min_entropy, dctx->max_entropy); -+ -+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { -+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY; -+ goto end; -+ } -+ -+ if (dctx->max_nonce > 0 && dctx->get_nonce) { -+ noncelen = dctx->get_nonce(dctx, &nonce, -+ dctx->strength / 2, -+ dctx->min_nonce, dctx->max_nonce); -+ -+ if (noncelen < dctx->min_nonce || noncelen > dctx->max_nonce) { -+ r = FIPS_R_ERROR_RETRIEVING_NONCE; -+ goto end; -+ } -+ -+ } -+ -+ if (!dctx->instantiate(dctx, -+ entropy, entlen, nonce, noncelen, pers, perslen)) { -+ r = FIPS_R_ERROR_INSTANTIATING_DRBG; -+ goto end; -+ } -+ -+ dctx->status = DRBG_STATUS_READY; -+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) -+ dctx->reseed_counter = 1; -+ -+ end: -+ -+ if (entropy && dctx->cleanup_entropy) -+ fips_cleanup_entropy(dctx, entropy, entlen); -+ -+ if (nonce && dctx->cleanup_nonce) -+ dctx->cleanup_nonce(dctx, nonce, noncelen); -+ -+ if (dctx->status == DRBG_STATUS_READY) -+ return 1; -+ -+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR)) -+ FIPSerr(FIPS_F_FIPS_DRBG_INSTANTIATE, r); -+ -+ return 0; -+ -+} -+ -+static int drbg_reseed(DRBG_CTX *dctx, -+ const unsigned char *adin, size_t adinlen, int hcheck) -+{ -+ unsigned char *entropy = NULL; -+ size_t entlen = 0; -+ int r = 0; -+ -+#if 0 -+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_NOT_INSTANTIATED); -+ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG); -+#endif -+ if (dctx->status != DRBG_STATUS_READY -+ && dctx->status != DRBG_STATUS_RESEED) { -+ if (dctx->status == 
DRBG_STATUS_ERROR) -+ r = FIPS_R_IN_ERROR_STATE; -+ else if (dctx->status == DRBG_STATUS_UNINITIALISED) -+ r = FIPS_R_NOT_INSTANTIATED; -+ goto end; -+ } -+ -+ if (!adin) -+ adinlen = 0; -+ else if (adinlen > dctx->max_adin) { -+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG; -+ goto end; -+ } -+ -+ dctx->status = DRBG_STATUS_ERROR; -+ /* Peform health check on all reseed operations if not a prediction -+ * resistance request and not in test mode. -+ */ -+ if (hcheck && !(dctx->xflags & DRBG_FLAG_TEST)) { -+ if (!FIPS_drbg_health_check(dctx)) { -+ r = FIPS_R_SELFTEST_FAILURE; -+ goto end; -+ } -+ } -+ -+ entlen = fips_get_entropy(dctx, &entropy, dctx->strength, -+ dctx->min_entropy, dctx->max_entropy); -+ -+ if (entlen < dctx->min_entropy || entlen > dctx->max_entropy) { -+ r = FIPS_R_ERROR_RETRIEVING_ENTROPY; -+ goto end; -+ } -+ -+ if (!dctx->reseed(dctx, entropy, entlen, adin, adinlen)) -+ goto end; -+ -+ dctx->status = DRBG_STATUS_READY; -+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) -+ dctx->reseed_counter = 1; -+ end: -+ -+ if (entropy && dctx->cleanup_entropy) -+ fips_cleanup_entropy(dctx, entropy, entlen); -+ -+ if (dctx->status == DRBG_STATUS_READY) -+ return 1; -+ -+ if (r && !(dctx->iflags & DRBG_FLAG_NOERR)) -+ FIPSerr(FIPS_F_DRBG_RESEED, r); -+ -+ return 0; -+} -+ -+int FIPS_drbg_reseed(DRBG_CTX *dctx, -+ const unsigned char *adin, size_t adinlen) -+{ -+ return drbg_reseed(dctx, adin, adinlen, 1); -+} -+ -+static int fips_drbg_check(DRBG_CTX *dctx) -+{ -+ if (dctx->xflags & DRBG_FLAG_TEST) -+ return 1; -+ dctx->health_check_cnt++; -+ if (dctx->health_check_cnt >= dctx->health_check_interval) { -+ if (!FIPS_drbg_health_check(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_CHECK, FIPS_R_SELFTEST_FAILURE); -+ return 0; -+ } -+ } -+ return 1; -+} -+ -+int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen, -+ int prediction_resistance, -+ const unsigned char *adin, size_t adinlen) -+{ -+ int r = 0; -+ -+ if (FIPS_selftest_failed()) { -+ 
FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ if (!fips_drbg_check(dctx))
-+ return 0;
-+
-+ if (dctx->status != DRBG_STATUS_READY
-+ && dctx->status != DRBG_STATUS_RESEED) {
-+ if (dctx->status == DRBG_STATUS_ERROR)
-+ r = FIPS_R_IN_ERROR_STATE;
-+ else if (dctx->status == DRBG_STATUS_UNINITIALISED)
-+ r = FIPS_R_NOT_INSTANTIATED;
-+ goto end;
-+ }
-+
-+ if (outlen > dctx->max_request) {
-+ r = FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG;
-+ return 0;
-+ }
-+
-+ if (adinlen > dctx->max_adin) {
-+ r = FIPS_R_ADDITIONAL_INPUT_TOO_LONG;
-+ goto end;
-+ }
-+
-+ if (dctx->iflags & DRBG_CUSTOM_RESEED)
-+ dctx->generate(dctx, NULL, outlen, NULL, 0);
-+ else if (dctx->reseed_counter >= dctx->reseed_interval)
-+ dctx->status = DRBG_STATUS_RESEED;
-+
-+ if (dctx->status == DRBG_STATUS_RESEED || prediction_resistance) {
-+ /* If prediction resistance request don't do health check */
-+ int hcheck = prediction_resistance ? 0 : 1;
-+
-+ if (!drbg_reseed(dctx, adin, adinlen, hcheck)) {
-+ r = FIPS_R_RESEED_ERROR;
-+ goto end;
-+ }
-+ adin = NULL;
-+ adinlen = 0;
-+ }
-+
-+ if (!dctx->generate(dctx, out, outlen, adin, adinlen)) {
-+ r = FIPS_R_GENERATE_ERROR;
-+ dctx->status = DRBG_STATUS_ERROR;
-+ goto end;
-+ }
-+ if (!(dctx->iflags & DRBG_CUSTOM_RESEED)) {
-+ if (dctx->reseed_counter >= dctx->reseed_interval)
-+ dctx->status = DRBG_STATUS_RESEED;
-+ else
-+ dctx->reseed_counter++;
-+ }
-+
-+ end:
-+ if (r) {
-+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, r);
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+int FIPS_drbg_uninstantiate(DRBG_CTX *dctx)
-+{
-+ int rv;
-+ if (!dctx->uninstantiate)
-+ rv = 1;
-+ else
-+ rv = dctx->uninstantiate(dctx);
-+ /* Although we'd like to cleanse here we can't because we have to
-+ * test the uninstantiate really zeroes the data.
-+ */
-+ memset(&dctx->d, 0, sizeof(dctx->d));
-+ dctx->status = DRBG_STATUS_UNINITIALISED;
-+ /* If method has problems uninstantiating, return error */
-+ return rv;
-+}
-+
-+int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_entropy) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy,
-+ size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_entropy) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ size_t entropy_blocklen,
-+ size_t (*get_nonce) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy, size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_nonce) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen))
-+{
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ return 0;
-+ dctx->entropy_blocklen = entropy_blocklen;
-+ dctx->get_entropy = get_entropy;
-+ dctx->cleanup_entropy = cleanup_entropy;
-+ dctx->get_nonce = get_nonce;
-+ dctx->cleanup_nonce = cleanup_nonce;
-+ return 1;
-+}
-+
-+int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_adin) (DRBG_CTX *ctx,
-+ unsigned char **pout),
-+ void (*cleanup_adin) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ int (*rand_seed_cb) (DRBG_CTX *ctx,
-+ const void *buf,
-+ int num),
-+ int (*rand_add_cb) (DRBG_CTX *ctx,
-+ const void *buf, int num,
-+ double entropy))
-+{
-+ if (dctx->status != DRBG_STATUS_UNINITIALISED)
-+ return 0;
-+ dctx->get_adin = get_adin;
-+ dctx->cleanup_adin = cleanup_adin;
-+ dctx->rand_seed_cb = rand_seed_cb;
-+ dctx->rand_add_cb = rand_add_cb;
-+ return 1;
-+}
-+
-+void *FIPS_drbg_get_app_data(DRBG_CTX *dctx)
-+{
-+ return dctx->app_data;
-+}
-+
-+void FIPS_drbg_set_app_data(DRBG_CTX *dctx, void *app_data)
-+{
-+ dctx->app_data = app_data;
-+}
-+
-+size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx)
-+{
-+ return dctx->blocklength;
-+}
-+
-+int FIPS_drbg_get_strength(DRBG_CTX *dctx)
-+{
-+ return dctx->strength;
-+}
-+
-+void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval)
-+{
-+ dctx->health_check_interval = interval;
-+}
-+
-+
-+void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval)
-+{
-+ dctx->reseed_interval = interval;
-+}
-+
-+void FIPS_drbg_stick(int onoff)
-+{
-+ /* Just backwards compatibility API call with no effect. */
-+}
-diff -up openssl-1.1.1j/crypto/fips/fips_drbg_rand.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_rand.c
---- openssl-1.1.1j/crypto/fips/fips_drbg_rand.c.fips 2021-03-03 12:57:42.199734525 +0100
-+++ openssl-1.1.1j/crypto/fips/fips_drbg_rand.c 2021-03-03 12:57:42.199734525 +0100
-@@ -0,0 +1,185 @@
-+/* fips/rand/fips_drbg_rand.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5.
Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ */ -+ -+#include -+#include -+#include "internal/thread_once.h" -+#include -+#include -+#include -+#include -+#include "fips_rand_lcl.h" -+ -+/* Mapping of SP800-90 DRBGs to OpenSSL RAND_METHOD */ -+ -+/* Since we only have one global PRNG used at any time in OpenSSL use a global -+ * variable to store context. 
-+ */
-+
-+static DRBG_CTX ossl_dctx;
-+
-+static CRYPTO_RWLOCK *fips_rand_lock = NULL;
-+static CRYPTO_ONCE fips_rand_lock_init = CRYPTO_ONCE_STATIC_INIT;
-+
-+DEFINE_RUN_ONCE_STATIC(do_fips_rand_lock_init)
-+{
-+ fips_rand_lock = CRYPTO_THREAD_lock_new();
-+ return fips_rand_lock != NULL;
-+}
-+
-+DRBG_CTX *FIPS_get_default_drbg(void)
-+{
-+ if (!RUN_ONCE(&fips_rand_lock_init, do_fips_rand_lock_init))
-+ return NULL;
-+ return &ossl_dctx;
-+}
-+
-+static int fips_drbg_bytes(unsigned char *out, int count)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int rv = 0;
-+ unsigned char *adin = NULL;
-+ size_t adinlen = 0;
-+ CRYPTO_THREAD_write_lock(fips_rand_lock);
-+ do {
-+ size_t rcnt;
-+ if (count > (int)dctx->max_request)
-+ rcnt = dctx->max_request;
-+ else
-+ rcnt = count;
-+ if (dctx->get_adin) {
-+ adinlen = dctx->get_adin(dctx, &adin);
-+ if (adinlen && !adin) {
-+ FIPSerr(FIPS_F_FIPS_DRBG_BYTES,
-+ FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT);
-+ goto err;
-+ }
-+ }
-+ rv = FIPS_drbg_generate(dctx, out, rcnt, 0, adin, adinlen);
-+ if (adin) {
-+ if (dctx->cleanup_adin)
-+ dctx->cleanup_adin(dctx, adin, adinlen);
-+ adin = NULL;
-+ }
-+ if (!rv)
-+ goto err;
-+ out += rcnt;
-+ count -= rcnt;
-+ }
-+ while (count);
-+ rv = 1;
-+ err:
-+ CRYPTO_THREAD_unlock(fips_rand_lock);
-+ return rv;
-+}
-+
-+static int fips_drbg_pseudo(unsigned char *out, int count)
-+{
-+ if (fips_drbg_bytes(out, count) <= 0)
-+ return -1;
-+ return 1;
-+}
-+
-+static int fips_drbg_status(void)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int rv;
-+ CRYPTO_THREAD_read_lock(fips_rand_lock);
-+ rv = dctx->status == DRBG_STATUS_READY ?
1 : 0;
-+ CRYPTO_THREAD_unlock(fips_rand_lock);
-+ return rv;
-+}
-+
-+static void fips_drbg_cleanup(void)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ CRYPTO_THREAD_write_lock(fips_rand_lock);
-+ FIPS_drbg_uninstantiate(dctx);
-+ CRYPTO_THREAD_unlock(fips_rand_lock);
-+}
-+
-+static int fips_drbg_seed(const void *seed, int seedlen)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int ret = 1;
-+ CRYPTO_THREAD_write_lock(fips_rand_lock);
-+ if (dctx->rand_seed_cb)
-+ ret = dctx->rand_seed_cb(dctx, seed, seedlen);
-+ CRYPTO_THREAD_unlock(fips_rand_lock);
-+ return ret;
-+}
-+
-+static int fips_drbg_add(const void *seed, int seedlen, double add_entropy)
-+{
-+ DRBG_CTX *dctx = &ossl_dctx;
-+ int ret = 1;
-+ CRYPTO_THREAD_write_lock(fips_rand_lock);
-+ if (dctx->rand_add_cb)
-+ ret = dctx->rand_add_cb(dctx, seed, seedlen, add_entropy);
-+ CRYPTO_THREAD_unlock(fips_rand_lock);
-+ return ret;
-+}
-+
-+static const RAND_METHOD rand_drbg_meth = {
-+ fips_drbg_seed,
-+ fips_drbg_bytes,
-+ fips_drbg_cleanup,
-+ fips_drbg_add,
-+ fips_drbg_pseudo,
-+ fips_drbg_status
-+};
-+
-+const RAND_METHOD *FIPS_drbg_method(void)
-+{
-+ return &rand_drbg_meth;
-+}
-diff -up openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c
---- openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c.fips 2021-03-03 12:57:42.200734534 +0100
-+++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.c 2021-03-03 12:57:42.200734534 +0100
-@@ -0,0 +1,828 @@
-+/* fips/rand/fips_drbg_selftest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1.
Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ */ -+ -+#include -+#include -+#include -+#include -+#include -+#include "fips_rand_lcl.h" -+#include "fips_locl.h" -+ -+#include "fips_drbg_selftest.h" -+ -+typedef struct { -+ int post; -+ int nid; -+ unsigned int flags; -+ -+ /* KAT data for no PR */ -+ const unsigned char *ent; -+ size_t entlen; -+ const unsigned char *nonce; -+ size_t noncelen; -+ const unsigned char *pers; -+ size_t perslen; -+ const unsigned char *adin; -+ size_t adinlen; -+ const unsigned char *entreseed; -+ size_t entreseedlen; -+ const unsigned char *adinreseed; -+ size_t adinreseedlen; -+ const unsigned char *adin2; -+ size_t adin2len; -+ const unsigned char *kat; -+ size_t katlen; -+ const unsigned char *kat2; -+ size_t kat2len; -+ -+ /* KAT data for PR */ -+ const unsigned char *ent_pr; -+ size_t entlen_pr; -+ const unsigned char *nonce_pr; -+ size_t noncelen_pr; -+ const unsigned char *pers_pr; -+ size_t perslen_pr; -+ const unsigned char *adin_pr; -+ size_t adinlen_pr; -+ const unsigned char *entpr_pr; -+ size_t entprlen_pr; -+ const unsigned char *ading_pr; -+ size_t adinglen_pr; -+ const unsigned char *entg_pr; -+ size_t entglen_pr; -+ const unsigned char *kat_pr; -+ size_t katlen_pr; -+ const unsigned char *kat2_pr; -+ size_t kat2len_pr; -+ -+} DRBG_SELFTEST_DATA; -+ -+#define make_drbg_test_data(nid, flag, pr, p) {p, nid, flag | DRBG_FLAG_TEST, \ -+ 
pr##_entropyinput, sizeof(pr##_entropyinput), \ -+ pr##_nonce, sizeof(pr##_nonce), \ -+ pr##_personalizationstring, sizeof(pr##_personalizationstring), \ -+ pr##_additionalinput, sizeof(pr##_additionalinput), \ -+ pr##_entropyinputreseed, sizeof(pr##_entropyinputreseed), \ -+ pr##_additionalinputreseed, sizeof(pr##_additionalinputreseed), \ -+ pr##_additionalinput2, sizeof(pr##_additionalinput2), \ -+ pr##_int_returnedbits, sizeof(pr##_int_returnedbits), \ -+ pr##_returnedbits, sizeof(pr##_returnedbits), \ -+ pr##_pr_entropyinput, sizeof(pr##_pr_entropyinput), \ -+ pr##_pr_nonce, sizeof(pr##_pr_nonce), \ -+ pr##_pr_personalizationstring, sizeof(pr##_pr_personalizationstring), \ -+ pr##_pr_additionalinput, sizeof(pr##_pr_additionalinput), \ -+ pr##_pr_entropyinputpr, sizeof(pr##_pr_entropyinputpr), \ -+ pr##_pr_additionalinput2, sizeof(pr##_pr_additionalinput2), \ -+ pr##_pr_entropyinputpr2, sizeof(pr##_pr_entropyinputpr2), \ -+ pr##_pr_int_returnedbits, sizeof(pr##_pr_int_returnedbits), \ -+ pr##_pr_returnedbits, sizeof(pr##_pr_returnedbits), \ -+ } -+ -+#define make_drbg_test_data_df(nid, pr, p) \ -+ make_drbg_test_data(nid, DRBG_FLAG_CTR_USE_DF, pr, p) -+ -+#define make_drbg_test_data_ec(curve, md, pr, p) \ -+ make_drbg_test_data((curve << 16) | md , 0, pr, p) -+ -+static DRBG_SELFTEST_DATA drbg_test[] = { -+ make_drbg_test_data_df(NID_aes_128_ctr, aes_128_use_df, 0), -+ make_drbg_test_data_df(NID_aes_192_ctr, aes_192_use_df, 0), -+ make_drbg_test_data_df(NID_aes_256_ctr, aes_256_use_df, 1), -+ make_drbg_test_data(NID_aes_128_ctr, 0, aes_128_no_df, 0), -+ make_drbg_test_data(NID_aes_192_ctr, 0, aes_192_no_df, 0), -+ make_drbg_test_data(NID_aes_256_ctr, 0, aes_256_no_df, 1), -+ make_drbg_test_data(NID_sha1, 0, sha1, 0), -+ make_drbg_test_data(NID_sha224, 0, sha224, 0), -+ make_drbg_test_data(NID_sha256, 0, sha256, 1), -+ make_drbg_test_data(NID_sha384, 0, sha384, 0), -+ make_drbg_test_data(NID_sha512, 0, sha512, 0), -+ make_drbg_test_data(NID_hmacWithSHA1, 0, 
hmac_sha1, 0), -+ make_drbg_test_data(NID_hmacWithSHA224, 0, hmac_sha224, 0), -+ make_drbg_test_data(NID_hmacWithSHA256, 0, hmac_sha256, 1), -+ make_drbg_test_data(NID_hmacWithSHA384, 0, hmac_sha384, 0), -+ make_drbg_test_data(NID_hmacWithSHA512, 0, hmac_sha512, 0), -+ {0, 0, 0} -+}; -+ -+typedef struct { -+ const unsigned char *ent; -+ size_t entlen; -+ int entcnt; -+ const unsigned char *nonce; -+ size_t noncelen; -+ int noncecnt; -+} TEST_ENT; -+ -+static size_t test_entropy(DRBG_CTX *dctx, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len) -+{ -+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx); -+ *pout = (unsigned char *)t->ent; -+ t->entcnt++; -+ return t->entlen; -+} -+ -+static size_t test_nonce(DRBG_CTX *dctx, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len) -+{ -+ TEST_ENT *t = FIPS_drbg_get_app_data(dctx); -+ *pout = (unsigned char *)t->nonce; -+ t->noncecnt++; -+ return t->noncelen; -+} -+ -+static int fips_drbg_single_kat(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, -+ int quick) -+{ -+ TEST_ENT t; -+ int rv = 0; -+ size_t adinlen; -+ unsigned char randout[1024]; -+ -+ /* Initial test without PR */ -+ -+ /* Instantiate DRBG with test entropy, nonce and personalisation -+ * string. -+ */ -+ -+ if (!FIPS_drbg_init(dctx, td->nid, td->flags)) -+ return 0; -+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) -+ return 0; -+ -+ FIPS_drbg_set_app_data(dctx, &t); -+ -+ t.ent = td->ent; -+ t.entlen = td->entlen; -+ t.nonce = td->nonce; -+ t.noncelen = td->noncelen; -+ t.entcnt = 0; -+ t.noncecnt = 0; -+ -+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen)) -+ goto err; -+ -+ /* Note for CTR without DF some additional input values -+ * ignore bytes after the keylength: so reduce adinlen -+ * to half to ensure invalid data is fed in. 
-+ */ -+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags)) -+ adinlen = td->adinlen / 2; -+ else -+ adinlen = td->adinlen; -+ -+ /* Generate with no PR and verify output matches expected data */ -+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, td->adin, adinlen)) -+ goto err; -+ -+ if (memcmp(randout, td->kat, td->katlen)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST1_FAILURE); -+ goto err2; -+ } -+ /* If abbreviated POST end of test */ -+ if (quick) { -+ rv = 1; -+ goto err; -+ } -+ /* Reseed DRBG with test entropy and additional input */ -+ t.ent = td->entreseed; -+ t.entlen = td->entreseedlen; -+ -+ if (!FIPS_drbg_reseed(dctx, td->adinreseed, td->adinreseedlen)) -+ goto err; -+ -+ /* Generate with no PR and verify output matches expected data */ -+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len, 0, -+ td->adin2, td->adin2len)) -+ goto err; -+ -+ if (memcmp(randout, td->kat2, td->kat2len)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_NOPR_TEST2_FAILURE); -+ goto err2; -+ } -+ -+ FIPS_drbg_uninstantiate(dctx); -+ -+ /* Now test with PR */ -+ -+ /* Instantiate DRBG with test entropy, nonce and personalisation -+ * string. -+ */ -+ if (!FIPS_drbg_init(dctx, td->nid, td->flags)) -+ return 0; -+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) -+ return 0; -+ -+ FIPS_drbg_set_app_data(dctx, &t); -+ -+ t.ent = td->ent_pr; -+ t.entlen = td->entlen_pr; -+ t.nonce = td->nonce_pr; -+ t.noncelen = td->noncelen_pr; -+ t.entcnt = 0; -+ t.noncecnt = 0; -+ -+ if (!FIPS_drbg_instantiate(dctx, td->pers_pr, td->perslen_pr)) -+ goto err; -+ -+ /* Now generate with PR: we need to supply entropy as this will -+ * perform a reseed operation. Check output matches expected value. -+ */ -+ -+ t.ent = td->entpr_pr; -+ t.entlen = td->entprlen_pr; -+ -+ /* Note for CTR without DF some additional input values -+ * ignore bytes after the keylength: so reduce adinlen -+ * to half to ensure invalid data is fed in. 
-+ */ -+ if (!fips_post_corrupt(FIPS_TEST_DRBG, dctx->type, &dctx->iflags)) -+ adinlen = td->adinlen_pr / 2; -+ else -+ adinlen = td->adinlen_pr; -+ if (!FIPS_drbg_generate(dctx, randout, td->katlen_pr, 1, -+ td->adin_pr, adinlen)) -+ goto err; -+ -+ if (memcmp(randout, td->kat_pr, td->katlen_pr)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST1_FAILURE); -+ goto err2; -+ } -+ -+ /* Now generate again with PR: supply new entropy again. -+ * Check output matches expected value. -+ */ -+ -+ t.ent = td->entg_pr; -+ t.entlen = td->entglen_pr; -+ -+ if (!FIPS_drbg_generate(dctx, randout, td->kat2len_pr, 1, -+ td->ading_pr, td->adinglen_pr)) -+ goto err; -+ -+ if (memcmp(randout, td->kat2_pr, td->kat2len_pr)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_PR_TEST2_FAILURE); -+ goto err2; -+ } -+ /* All OK, test complete */ -+ rv = 1; -+ -+ err: -+ if (rv == 0) -+ FIPSerr(FIPS_F_FIPS_DRBG_SINGLE_KAT, FIPS_R_SELFTEST_FAILED); -+ err2: -+ FIPS_drbg_uninstantiate(dctx); -+ -+ return rv; -+ -+} -+ -+/* Initialise a DRBG based on selftest data */ -+ -+static int do_drbg_init(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, TEST_ENT * t) -+{ -+ -+ if (!FIPS_drbg_init(dctx, td->nid, td->flags)) -+ return 0; -+ -+ if (!FIPS_drbg_set_callbacks(dctx, test_entropy, 0, 0, test_nonce, 0)) -+ return 0; -+ -+ FIPS_drbg_set_app_data(dctx, t); -+ -+ t->ent = td->ent; -+ t->entlen = td->entlen; -+ t->nonce = td->nonce; -+ t->noncelen = td->noncelen; -+ t->entcnt = 0; -+ t->noncecnt = 0; -+ return 1; -+} -+ -+/* Initialise and instantiate DRBG based on selftest data */ -+static int do_drbg_instantiate(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td, -+ TEST_ENT * t) -+{ -+ if (!do_drbg_init(dctx, td, t)) -+ return 0; -+ if (!FIPS_drbg_instantiate(dctx, td->pers, td->perslen)) -+ return 0; -+ -+ return 1; -+} -+ -+/* This function performs extensive error checking as required by SP800-90. -+ * Induce several failure modes and check an error condition is set. 
-+ * This function along with fips_drbg_single_kat peforms the health checking -+ * operation. -+ */ -+ -+static int fips_drbg_error_check(DRBG_CTX *dctx, DRBG_SELFTEST_DATA * td) -+{ -+ unsigned char randout[1024]; -+ TEST_ENT t; -+ size_t i; -+ unsigned int reseed_counter_tmp; -+ unsigned char *p = (unsigned char *)dctx; -+ -+ /* Initialise DRBG */ -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ /* Don't report induced errors */ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ /* Personalisation string tests */ -+ -+ /* Test detection of too large personlisation string */ -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, dctx->max_pers + 1) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_PERSONALISATION_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ /* Entropy source tests */ -+ -+ /* Test entropy source failure detecion: i.e. returns no data */ -+ -+ t.entlen = 0; -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ /* Try to generate output from uninstantiated DRBG */ -+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, td->adinlen)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_GENERATE_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ /* Test insufficient entropy */ -+ -+ t.entlen = dctx->min_entropy - 1; -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Test too much entropy */ 
-+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.entlen = dctx->max_entropy + 1; -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Nonce tests */ -+ -+ /* Test too small nonce */ -+ -+ if (dctx->min_nonce) { -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.noncelen = dctx->min_nonce - 1; -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_NONCE_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ } -+ -+ /* Test too large nonce */ -+ -+ if (dctx->max_nonce) { -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.noncelen = dctx->max_nonce + 1; -+ -+ if (FIPS_drbg_instantiate(dctx, td->pers, td->perslen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_NONCE_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ } -+ -+ /* Instantiate with valid data. 
*/ -+ if (!do_drbg_instantiate(dctx, td, &t)) -+ goto err; -+ -+ /* Check generation is now OK */ -+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, td->adinlen)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ /* Request too much data for one request */ -+ if (FIPS_drbg_generate(dctx, randout, dctx->max_request + 1, 0, -+ td->adin, td->adinlen)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ /* Try too large additional input */ -+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, dctx->max_adin + 1)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ /* Check prediction resistance request fails if entropy source -+ * failure. -+ */ -+ -+ t.entlen = 0; -+ -+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1, -+ td->adin, td->adinlen)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Instantiate again with valid data */ -+ -+ if (!do_drbg_instantiate(dctx, td, &t)) -+ goto err; -+ /* Test reseed counter works */ -+ /* Save initial reseed counter */ -+ reseed_counter_tmp = dctx->reseed_counter; -+ /* Set reseed counter to beyond interval */ -+ dctx->reseed_counter = dctx->reseed_interval; -+ -+ /* Generate output and check entropy has been requested for reseed */ -+ t.entcnt = 0; -+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, td->adinlen)) -+ goto err; -+ if (t.entcnt != 1) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED); -+ goto err; -+ } -+ /* Check reseed counter has been reset */ -+ if (dctx->reseed_counter != reseed_counter_tmp + 1) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR); -+ 
goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Check prediction resistance request fails if entropy source -+ * failure. -+ */ -+ -+ t.entlen = 0; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ if (FIPS_drbg_generate(dctx, randout, td->katlen, 1, -+ td->adin, td->adinlen)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ if (!do_drbg_instantiate(dctx, td, &t)) -+ goto err; -+ /* Test reseed counter works */ -+ /* Save initial reseed counter */ -+ reseed_counter_tmp = dctx->reseed_counter; -+ /* Set reseed counter to beyond interval */ -+ dctx->reseed_counter = dctx->reseed_interval; -+ -+ /* Generate output and check entropy has been requested for reseed */ -+ t.entcnt = 0; -+ if (!FIPS_drbg_generate(dctx, randout, td->katlen, 0, -+ td->adin, td->adinlen)) -+ goto err; -+ if (t.entcnt != 1) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED); -+ goto err; -+ } -+ /* Check reseed counter has been reset */ -+ if (dctx->reseed_counter != reseed_counter_tmp + 1) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_RESEED_COUNTER_ERROR); -+ goto err; -+ } -+ -+ dctx->iflags &= ~DRBG_FLAG_NOERR; -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Explicit reseed tests */ -+ -+ /* Test explicit reseed with too large additional input */ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ if (FIPS_drbg_reseed(dctx, td->adin, dctx->max_adin + 1) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED); -+ goto err; -+ } 
-+ -+ /* Test explicit reseed with entropy source failure */ -+ -+ t.entlen = 0; -+ -+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Test explicit reseed with too much entropy */ -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.entlen = dctx->max_entropy + 1; -+ -+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ /* Test explicit reseed with too little entropy */ -+ -+ if (!do_drbg_init(dctx, td, &t)) -+ goto err; -+ -+ dctx->iflags |= DRBG_FLAG_NOERR; -+ -+ t.entlen = dctx->min_entropy - 1; -+ -+ if (FIPS_drbg_reseed(dctx, td->adin, td->adinlen) > 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_ENTROPY_ERROR_UNDETECTED); -+ goto err; -+ } -+ -+ if (!FIPS_drbg_uninstantiate(dctx)) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_UNINSTANTIATE_ERROR); -+ goto err; -+ } -+ -+ p = (unsigned char *)&dctx->d; -+ /* Standard says we have to check uninstantiate really zeroes -+ * the data... -+ */ -+ for (i = 0; i < sizeof(dctx->d); i++) { -+ if (*p != 0) { -+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, -+ FIPS_R_UNINSTANTIATE_ZEROISE_ERROR); -+ goto err; -+ } -+ p++; -+ } -+ -+ return 1; -+ -+ err: -+ /* A real error as opposed to an induced one: underlying function will -+ * indicate the error. 
-+ */
-+ if (!(dctx->iflags & DRBG_FLAG_NOERR))
-+ FIPSerr(FIPS_F_FIPS_DRBG_ERROR_CHECK, FIPS_R_FUNCTION_ERROR);
-+ FIPS_drbg_uninstantiate(dctx);
-+ return 0;
-+
-+}
-+
-+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags)
-+{
-+ DRBG_SELFTEST_DATA *td;
-+ flags |= DRBG_FLAG_TEST;
-+ for (td = drbg_test; td->nid != 0; td++) {
-+ if (td->nid == nid && td->flags == flags) {
-+ if (!fips_drbg_single_kat(dctx, td, 0))
-+ return 0;
-+ return fips_drbg_error_check(dctx, td);
-+ }
-+ }
-+ return 0;
-+}
-+
-+int FIPS_drbg_health_check(DRBG_CTX *dctx)
-+{
-+ int rv;
-+ DRBG_CTX *tctx = NULL;
-+ tctx = FIPS_drbg_new(0, 0);
-+ fips_post_started(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ if (!tctx)
-+ return 0;
-+ rv = fips_drbg_kat(tctx, dctx->type, dctx->xflags);
-+ if (tctx)
-+ FIPS_drbg_free(tctx);
-+ if (rv)
-+ fips_post_success(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ else
-+ fips_post_failed(FIPS_TEST_DRBG, dctx->type, &dctx->xflags);
-+ if (!rv)
-+ dctx->status = DRBG_STATUS_ERROR;
-+ else
-+ dctx->health_check_cnt = 0;
-+ return rv;
-+}
-+
-+int FIPS_selftest_drbg(void)
-+{
-+ DRBG_CTX *dctx;
-+ DRBG_SELFTEST_DATA *td;
-+ int rv = 1;
-+ dctx = FIPS_drbg_new(0, 0);
-+ if (!dctx)
-+ return 0;
-+ for (td = drbg_test; td->nid != 0; td++) {
-+ if (td->post != 1)
-+ continue;
-+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 1;
-+ if (!fips_drbg_single_kat(dctx, td, 1)) {
-+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags);
-+ rv = 0;
-+ continue;
-+ }
-+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 0;
-+ }
-+ FIPS_drbg_free(dctx);
-+ return rv;
-+}
-+
-+int FIPS_selftest_drbg_all(void)
-+{
-+ DRBG_CTX *dctx;
-+ DRBG_SELFTEST_DATA *td;
-+ int rv = 1;
-+ dctx = FIPS_drbg_new(0, 0);
-+ if (!dctx)
-+ return 0;
-+ for (td = drbg_test; td->nid != 0; td++) {
-+ if (!fips_post_started(FIPS_TEST_DRBG, td->nid, &td->flags))
-+ return 1;
-+ if (!fips_drbg_single_kat(dctx, td, 0)) {
-+
fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); -+ rv = 0; -+ continue; -+ } -+ if (!fips_drbg_error_check(dctx, td)) { -+ fips_post_failed(FIPS_TEST_DRBG, td->nid, &td->flags); -+ rv = 0; -+ continue; -+ } -+ if (!fips_post_success(FIPS_TEST_DRBG, td->nid, &td->flags)) -+ return 0; -+ } -+ FIPS_drbg_free(dctx); -+ return rv; -+} -diff -up openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h.fips openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h ---- openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h.fips 2021-03-03 12:57:42.200734534 +0100 -+++ openssl-1.1.1j/crypto/fips/fips_drbg_selftest.h 2021-03-03 12:57:42.200734534 +0100 -@@ -0,0 +1,1791 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core.org. -+ * -+ * 5. 
Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * -+ */ -+ -+/* Selftest and health check data for the SP800-90 DRBG */ -+ -+#define __fips_constseg -+ -+/* AES-128 use df PR */ -+__fips_constseg static const unsigned char aes_128_use_df_pr_entropyinput[] = { -+ 0x61, 0x52, 0x7c, 0xe3, 0x23, 0x7d, 0x0a, 0x07, 0x10, 0x0c, 0x50, 0x33, -+ 0xc8, 0xdb, 0xff, 0x12 -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_pr_nonce[] = { -+ 0x51, 0x0d, 0x85, 0x77, 0xed, 0x22, 0x97, 0x28 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_personalizationstring[] = { -+ 0x59, 0x9f, 0xbb, 0xcd, 0xd5, 0x25, 0x69, 0xb5, 0xcb, 0xb5, 0x03, 0xfe, -+ 0xd7, 0xd7, 0x01, 0x67 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_additionalinput[] = { -+ 0xef, 0x88, 0x76, 0x01, 0xaf, 0x3c, 0xfe, 0x8b, 0xaf, 0x26, 0x06, 0x9e, -+ 0x9a, 0x47, 0x08, 0x76 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_entropyinputpr[] = { -+ 0xe2, 0x76, 0xf9, 0xf6, 0x3a, 0xba, 0x10, 0x9f, 0xbf, 0x47, 0x0e, 0x51, -+ 0x09, 0xfb, 0xa3, 0xb6 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_int_returnedbits[] = { -+ 0xd4, 0x98, 0x8a, 0x46, 0x80, 0x4c, 0xdb, 0xa3, 0x59, 0x02, 0x57, 0x52, -+ 0x66, 0x1c, 0xea, 0x5b -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_additionalinput2[] = { -+ 0x88, 0x8c, 0x91, 0xd6, 0xbe, 0x56, 0x6e, 0x08, 0x9a, 0x62, 0x2b, 0x11, -+ 0x3f, 0x5e, 0x31, 0x06 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_pr_entropyinputpr2[] = { -+ 0xc0, 0x5c, 0x6b, 0x98, 0x01, 0x0d, 0x58, 0x18, 0x51, 0x18, 0x96, 0xae, -+ 0xa7, 0xe3, 0xa8, 0x67 -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_pr_returnedbits[] = { -+ 0xcf, 0x01, 0xac, 0x22, 0x31, 0x06, 0x8e, 0xfc, 0xce, 0x56, 0xea, 0x24, -+ 0x0f, 0x38, 0x43, 0xc6 -+}; -+ -+/* AES-128 use df No PR */ -+__fips_constseg static const unsigned char aes_128_use_df_entropyinput[] = { -+ 0x1f, 0x8e, 0x34, 0x82, 0x0c, 0xb7, 0xbe, 0xc5, 
0x01, 0x3e, 0xd0, 0xa3, -+ 0x9d, 0x7d, 0x1c, 0x9b -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_nonce[] = { -+ 0xd5, 0x4d, 0xbd, 0x4a, 0x93, 0x7f, 0xb8, 0x96 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_personalizationstring[] = { -+ 0xab, 0xd6, 0x3f, 0x04, 0xfe, 0x27, 0x6b, 0x2d, 0xd7, 0xc3, 0x1c, 0xf3, -+ 0x38, 0x66, 0xba, 0x1b -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_additionalinput[] = { -+ 0xfe, 0xf4, 0x09, 0xa8, 0xb7, 0x73, 0x27, 0x9c, 0x5f, 0xa7, 0xea, 0x46, -+ 0xb5, 0xe2, 0xb2, 0x41 -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_int_returnedbits[] = { -+ 0x42, 0xe4, 0x4e, 0x7b, 0x27, 0xdd, 0xcb, 0xbc, 0x0a, 0xcf, 0xa6, 0x67, -+ 0xe7, 0x57, 0x11, 0xb4 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_entropyinputreseed[] = { -+ 0x14, 0x26, 0x69, 0xd9, 0xf3, 0x65, 0x03, 0xd6, 0x6b, 0xb9, 0x44, 0x0b, -+ 0xc7, 0xc4, 0x9e, 0x39 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_use_df_additionalinputreseed[] = { -+ 0x55, 0x2e, 0x60, 0x9a, 0x05, 0x72, 0x8a, 0xa8, 0xef, 0x22, 0x81, 0x5a, -+ 0xc8, 0x93, 0xfa, 0x84 -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_additionalinput2[] = { -+ 0x3c, 0x40, 0xc8, 0xc4, 0x16, 0x0c, 0x21, 0xa4, 0x37, 0x2c, 0x8f, 0xa5, -+ 0x06, 0x0c, 0x15, 0x2c -+}; -+ -+__fips_constseg static const unsigned char aes_128_use_df_returnedbits[] = { -+ 0xe1, 0x3e, 0x99, 0x98, 0x86, 0x67, 0x0b, 0x63, 0x7b, 0xbe, 0x3f, 0x88, -+ 0x46, 0x81, 0xc7, 0x19 -+}; -+ -+/* AES-192 use df PR */ -+__fips_constseg static const unsigned char aes_192_use_df_pr_entropyinput[] = { -+ 0x2b, 0x4e, 0x8b, 0xe1, 0xf1, 0x34, 0x80, 0x56, 0x81, 0xf9, 0x74, 0xec, -+ 0x17, 0x44, 0x2a, 0xf1, 0x14, 0xb0, 0xbf, 0x97, 0x39, 0xb7, 0x04, 0x7d -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_pr_nonce[] = { -+ 0xd6, 0x9d, 0xeb, 0x14, 0x4e, 0x6c, 0x30, 0x1e, 0x39, 0x55, 0x73, 0xd0, -+ 0xd1, 0x80, 0x78, 0xfa -+}; -+ 
-+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_personalizationstring[] = { -+ 0xfc, 0x43, 0x4a, 0xf8, 0x9a, 0x55, 0xb3, 0x53, 0x83, 0xe2, 0x18, 0x16, -+ 0x0c, 0xdc, 0xcd, 0x5e, 0x4f, 0xa0, 0x03, 0x01, 0x2b, 0x9f, 0xe4, 0xd5, -+ 0x7d, 0x49, 0xf0, 0x41, 0x9e, 0x3d, 0x99, 0x04 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_additionalinput[] = { -+ 0x5e, 0x9f, 0x49, 0x6f, 0x21, 0x8b, 0x1d, 0x32, 0xd5, 0x84, 0x5c, 0xac, -+ 0xaf, 0xdf, 0xe4, 0x79, 0x9e, 0xaf, 0xa9, 0x82, 0xd0, 0xf8, 0x4f, 0xcb, -+ 0x69, 0x10, 0x0a, 0x7e, 0x81, 0x57, 0xb5, 0x36 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_entropyinputpr[] = { -+ 0xd4, 0x81, 0x0c, 0xd7, 0x66, 0x39, 0xec, 0x42, 0x53, 0x87, 0x41, 0xa5, -+ 0x1e, 0x7d, 0x80, 0x91, 0x8e, 0xbb, 0xed, 0xac, 0x14, 0x02, 0x1a, 0xd5 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_int_returnedbits[] = { -+ 0xdf, 0x1d, 0x39, 0x45, 0x7c, 0x9b, 0xc6, 0x2b, 0x7d, 0x8c, 0x93, 0xe9, -+ 0x19, 0x30, 0x6b, 0x67 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_additionalinput2[] = { -+ 0x00, 0x71, 0x27, 0x4e, 0xd3, 0x14, 0xf1, 0x20, 0x7f, 0x4a, 0x41, 0x32, -+ 0x2a, 0x97, 0x11, 0x43, 0x8f, 0x4a, 0x15, 0x7b, 0x9b, 0x51, 0x79, 0xda, -+ 0x49, 0x3d, 0xde, 0xe8, 0xbc, 0x93, 0x91, 0x99 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_pr_entropyinputpr2[] = { -+ 0x90, 0xee, 0x76, 0xa1, 0x45, 0x8d, 0xb7, 0x40, 0xb0, 0x11, 0xbf, 0xd0, -+ 0x65, 0xd7, 0x3c, 0x7c, 0x4f, 0x20, 0x3f, 0x4e, 0x11, 0x9d, 0xb3, 0x5e -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_pr_returnedbits[] = { -+ 0x24, 0x3b, 0x20, 0xa4, 0x37, 0x66, 0xba, 0x72, 0x39, 0x3f, 0xcf, 0x3c, -+ 0x7e, 0x1a, 0x2b, 0x83 -+}; -+ -+/* AES-192 use df No PR */ -+__fips_constseg static const unsigned char aes_192_use_df_entropyinput[] = { -+ 0x8d, 0x74, 0xa4, 0x50, 0x1a, 0x02, 0x68, 0x0c, 0x2a, 0x69, 0xc4, 0x82, -+ 0x3b, 0xbb, 0xda, 0x0e, 0x7f, 0x77, 
0xa3, 0x17, 0x78, 0x57, 0xb2, 0x7b -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_nonce[] = { -+ 0x75, 0xd5, 0x1f, 0xac, 0xa4, 0x8d, 0x42, 0x78, 0xd7, 0x69, 0x86, 0x9d, -+ 0x77, 0xd7, 0x41, 0x0e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_personalizationstring[] = { -+ 0x4e, 0x33, 0x41, 0x3c, 0x9c, 0xc2, 0xd2, 0x53, 0xaf, 0x90, 0xea, 0xcf, -+ 0x19, 0x50, 0x1e, 0xe6, 0x6f, 0x63, 0xc8, 0x32, 0x22, 0xdc, 0x07, 0x65, -+ 0x9c, 0xd3, 0xf8, 0x30, 0x9e, 0xed, 0x35, 0x70 -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_additionalinput[] = { -+ 0x5d, 0x8b, 0x8c, 0xc1, 0xdf, 0x0e, 0x02, 0x78, 0xfb, 0x19, 0xb8, 0x69, -+ 0x78, 0x4e, 0x9c, 0x52, 0xbc, 0xc7, 0x20, 0xc9, 0xe6, 0x5e, 0x77, 0x22, -+ 0x28, 0x3d, 0x0c, 0x9e, 0x68, 0xa8, 0x45, 0xd7 -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_int_returnedbits[] = { -+ 0xd5, 0xe7, 0x08, 0xc5, 0x19, 0x99, 0xd5, 0x31, 0x03, 0x0a, 0x74, 0xb6, -+ 0xb7, 0xed, 0xe9, 0xea -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_entropyinputreseed[] = { -+ 0x9c, 0x26, 0xda, 0xf1, 0xac, 0xd9, 0x5a, 0xd6, 0xa8, 0x65, 0xf5, 0x02, -+ 0x8f, 0xdc, 0xa2, 0x09, 0x54, 0xa6, 0xe2, 0xa4, 0xde, 0x32, 0xe0, 0x01 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_use_df_additionalinputreseed[] = { -+ 0x9b, 0x90, 0xb0, 0x3a, 0x0e, 0x3a, 0x80, 0x07, 0x4a, 0xf4, 0xda, 0x76, -+ 0x28, 0x30, 0x3c, 0xee, 0x54, 0x1b, 0x94, 0x59, 0x51, 0x43, 0x56, 0x77, -+ 0xaf, 0x88, 0xdd, 0x63, 0x89, 0x47, 0x06, 0x65 -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_additionalinput2[] = { -+ 0x3c, 0x11, 0x64, 0x7a, 0x96, 0xf5, 0xd8, 0xb8, 0xae, 0xd6, 0x70, 0x4e, -+ 0x16, 0x96, 0xde, 0xe9, 0x62, 0xbc, 0xee, 0x28, 0x2f, 0x26, 0xa6, 0xf0, -+ 0x56, 0xef, 0xa3, 0xf1, 0x6b, 0xa1, 0xb1, 0x77 -+}; -+ -+__fips_constseg static const unsigned char aes_192_use_df_returnedbits[] = { -+ 0x0b, 0xe2, 0x56, 0x03, 0x1e, 0xdb, 0x2c, 0x6d, 0x7f, 0x1b, 0x15, 0x58, -+ 
0x1a, 0xf9, 0x13, 0x28 -+}; -+ -+/* AES-256 use df PR */ -+__fips_constseg static const unsigned char aes_256_use_df_pr_entropyinput[] = { -+ 0x61, 0x68, 0xfc, 0x1a, 0xf0, 0xb5, 0x95, 0x6b, 0x85, 0x09, 0x9b, 0x74, -+ 0x3f, 0x13, 0x78, 0x49, 0x3b, 0x85, 0xec, 0x93, 0x13, 0x3b, 0xa9, 0x4f, -+ 0x96, 0xab, 0x2c, 0xe4, 0xc8, 0x8f, 0xdd, 0x6a -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_pr_nonce[] = { -+ 0xad, 0xd2, 0xbb, 0xba, 0xb7, 0x65, 0x89, 0xc3, 0x21, 0x6c, 0x55, 0x33, -+ 0x2b, 0x36, 0xff, 0xa4 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_personalizationstring[] = { -+ 0x6e, 0xca, 0xe7, 0x20, 0x72, 0xd3, 0x84, 0x5a, 0x32, 0xd3, 0x4b, 0x24, -+ 0x72, 0xc4, 0x63, 0x2b, 0x9d, 0x12, 0x24, 0x0c, 0x23, 0x26, 0x8e, 0x83, -+ 0x16, 0x37, 0x0b, 0xd1, 0x06, 0x4f, 0x68, 0x6d -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_additionalinput[] = { -+ 0x7e, 0x08, 0x4a, 0xbb, 0xe3, 0x21, 0x7c, 0xc9, 0x23, 0xd2, 0xf8, 0xb0, -+ 0x73, 0x98, 0xba, 0x84, 0x74, 0x23, 0xab, 0x06, 0x8a, 0xe2, 0x22, 0xd3, -+ 0x7b, 0xce, 0x9b, 0xd2, 0x4a, 0x76, 0xb8, 0xde -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_entropyinputpr[] = { -+ 0x0b, 0x23, 0xaf, 0xdf, 0xf1, 0x62, 0xd7, 0xd3, 0x43, 0x97, 0xf8, 0x77, -+ 0x04, 0xa8, 0x42, 0x20, 0xbd, 0xf6, 0x0f, 0xc1, 0x17, 0x2f, 0x9f, 0x54, -+ 0xbb, 0x56, 0x17, 0x86, 0x68, 0x0e, 0xba, 0xa9 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_int_returnedbits[] = { -+ 0x31, 0x8e, 0xad, 0xaf, 0x40, 0xeb, 0x6b, 0x74, 0x31, 0x46, 0x80, 0xc7, -+ 0x17, 0xab, 0x3c, 0x7a -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_pr_additionalinput2[] = { -+ 0x94, 0x6b, 0xc9, 0x9f, 0xab, 0x8d, 0xc5, 0xec, 0x71, 0x88, 0x1d, 0x00, -+ 0x8c, 0x89, 0x68, 0xe4, 0xc8, 0x07, 0x77, 0x36, 0x17, 0x6d, 0x79, 0x78, -+ 0xc7, 0x06, 0x4e, 0x99, 0x04, 0x28, 0x29, 0xc3 -+}; -+ -+__fips_constseg -+ static const unsigned char 
aes_256_use_df_pr_entropyinputpr2[] = { -+ 0xbf, 0x6c, 0x59, 0x2a, 0x0d, 0x44, 0x0f, 0xae, 0x9a, 0x5e, 0x03, 0x73, -+ 0xd8, 0xa6, 0xe1, 0xcf, 0x25, 0x61, 0x38, 0x24, 0x86, 0x9e, 0x53, 0xe8, -+ 0xa4, 0xdf, 0x56, 0xf4, 0x06, 0x07, 0x9c, 0x0f -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_pr_returnedbits[] = { -+ 0x22, 0x4a, 0xb4, 0xb8, 0xb6, 0xee, 0x7d, 0xb1, 0x9e, 0xc9, 0xf9, 0xa0, -+ 0xd9, 0xe2, 0x97, 0x00 -+}; -+ -+/* AES-256 use df No PR */ -+__fips_constseg static const unsigned char aes_256_use_df_entropyinput[] = { -+ 0xa5, 0x3e, 0x37, 0x10, 0x17, 0x43, 0x91, 0x93, 0x59, 0x1e, 0x47, 0x50, -+ 0x87, 0xaa, 0xdd, 0xd5, 0xc1, 0xc3, 0x86, 0xcd, 0xca, 0x0d, 0xdb, 0x68, -+ 0xe0, 0x02, 0xd8, 0x0f, 0xdc, 0x40, 0x1a, 0x47 -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_nonce[] = { -+ 0xa9, 0x4d, 0xa5, 0x5a, 0xfd, 0xc5, 0x0c, 0xe5, 0x1c, 0x9a, 0x3b, 0x8a, -+ 0x4c, 0x44, 0x84, 0x40 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_personalizationstring[] = { -+ 0x8b, 0x52, 0xa2, 0x4a, 0x93, 0xc3, 0x4e, 0xa7, 0x1e, 0x1c, 0xa7, 0x05, -+ 0xeb, 0x82, 0x9b, 0xa6, 0x5d, 0xe4, 0xd4, 0xe0, 0x7f, 0xa3, 0xd8, 0x6b, -+ 0x37, 0x84, 0x5f, 0xf1, 0xc7, 0xd5, 0xf6, 0xd2 -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_additionalinput[] = { -+ 0x20, 0xf4, 0x22, 0xed, 0xf8, 0x5c, 0xa1, 0x6a, 0x01, 0xcf, 0xbe, 0x5f, -+ 0x8d, 0x6c, 0x94, 0x7f, 0xae, 0x12, 0xa8, 0x57, 0xdb, 0x2a, 0xa9, 0xbf, -+ 0xc7, 0xb3, 0x65, 0x81, 0x80, 0x8d, 0x0d, 0x46 -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_int_returnedbits[] = { -+ 0x4e, 0x44, 0xfd, 0xf3, 0x9e, 0x29, 0xa2, 0xb8, 0x0f, 0x5d, 0x6c, 0xe1, -+ 0x28, 0x0c, 0x3b, 0xc1 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_entropyinputreseed[] = { -+ 0xdd, 0x40, 0xe5, 0x98, 0x7b, 0x27, 0x16, 0x73, 0x15, 0x68, 0xd2, 0x76, -+ 0xbf, 0x0c, 0x67, 0x15, 0x75, 0x79, 0x03, 0xd3, 0xde, 0xde, 0x91, 0x46, -+ 0x42, 0xdd, 0xd4, 0x67, 0xc8, 0x79, 0xc8, 
0x1e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_use_df_additionalinputreseed[] = { -+ 0x7f, 0xd8, 0x1f, 0xbd, 0x2a, 0xb5, 0x1c, 0x11, 0x5d, 0x83, 0x4e, 0x99, -+ 0xf6, 0x5c, 0xa5, 0x40, 0x20, 0xed, 0x38, 0x8e, 0xd5, 0x9e, 0xe0, 0x75, -+ 0x93, 0xfe, 0x12, 0x5e, 0x5d, 0x73, 0xfb, 0x75 -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_additionalinput2[] = { -+ 0xcd, 0x2c, 0xff, 0x14, 0x69, 0x3e, 0x4c, 0x9e, 0xfd, 0xfe, 0x26, 0x0d, -+ 0xe9, 0x86, 0x00, 0x49, 0x30, 0xba, 0xb1, 0xc6, 0x50, 0x57, 0x77, 0x2a, -+ 0x62, 0x39, 0x2c, 0x3b, 0x74, 0xeb, 0xc9, 0x0d -+}; -+ -+__fips_constseg static const unsigned char aes_256_use_df_returnedbits[] = { -+ 0x4f, 0x78, 0xbe, 0xb9, 0x4d, 0x97, 0x8c, 0xe9, 0xd0, 0x97, 0xfe, 0xad, -+ 0xfa, 0xfd, 0x35, 0x5e -+}; -+ -+/* AES-128 no df PR */ -+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinput[] = { -+ 0x9a, 0x25, 0x65, 0x10, 0x67, 0xd5, 0xb6, 0x6b, 0x70, 0xa1, 0xb3, 0xa4, -+ 0x43, 0x95, 0x80, 0xc0, 0x84, 0x0a, 0x79, 0xb0, 0x88, 0x74, 0xf2, 0xbf, -+ 0x31, 0x6c, 0x33, 0x38, 0x0b, 0x00, 0xb2, 0x5a -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_pr_nonce[] = { -+ 0x78, 0x47, 0x6b, 0xf7, 0x90, 0x8e, 0x87, 0xf1 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_personalizationstring[] = { -+ 0xf7, 0x22, 0x1d, 0x3a, 0xbe, 0x1d, 0xca, 0x32, 0x1b, 0xbd, 0x87, 0x0c, -+ 0x51, 0x24, 0x19, 0xee, 0xa3, 0x23, 0x09, 0x63, 0x33, 0x3d, 0xa8, 0x0c, -+ 0x1c, 0xfa, 0x42, 0x89, 0xcc, 0x6f, 0xa0, 0xa8 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_additionalinput[] = { -+ 0xc9, 0xe0, 0x80, 0xbf, 0x8c, 0x45, 0x58, 0x39, 0xff, 0x00, 0xab, 0x02, -+ 0x4c, 0x3e, 0x3a, 0x95, 0x9b, 0x80, 0xa8, 0x21, 0x2a, 0xee, 0xba, 0x73, -+ 0xb1, 0xd9, 0xcf, 0x28, 0xf6, 0x8f, 0x9b, 0x12 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_pr_entropyinputpr[] = { -+ 0x4c, 0xa8, 0xc5, 0xf0, 0x59, 0x9e, 0xa6, 0x8d, 0x26, 0x53, 0xd7, 0x8a, -+ 0xa9, 
0xd8, 0xf7, 0xed, 0xb2, 0xf9, 0x12, 0x42, 0xe1, 0xe5, 0xbd, 0xe7, -+ 0xe7, 0x1d, 0x74, 0x99, 0x00, 0x9d, 0x31, 0x3e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_int_returnedbits[] = { -+ 0xe2, 0xac, 0x20, 0xf0, 0x80, 0xe7, 0xbc, 0x7e, 0x9c, 0x7b, 0x65, 0x71, -+ 0xaf, 0x19, 0x32, 0x16 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_additionalinput2[] = { -+ 0x32, 0x7f, 0x38, 0x8b, 0x73, 0x0a, 0x78, 0x83, 0xdc, 0x30, 0xbe, 0x9f, -+ 0x10, 0x1f, 0xf5, 0x1f, 0xca, 0x00, 0xb5, 0x0d, 0xd6, 0x9d, 0x60, 0x83, -+ 0x51, 0x54, 0x7d, 0x38, 0x23, 0x3a, 0x52, 0x50 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_pr_entropyinputpr2[] = { -+ 0x18, 0x61, 0x53, 0x56, 0xed, 0xed, 0xd7, 0x20, 0xfb, 0x71, 0x04, 0x7a, -+ 0xb2, 0xac, 0xc1, 0x28, 0xcd, 0xf2, 0xc2, 0xfc, 0xaa, 0xb1, 0x06, 0x07, -+ 0xe9, 0x46, 0x95, 0x02, 0x48, 0x01, 0x78, 0xf9 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_pr_returnedbits[] = { -+ 0x29, 0xc8, 0x1b, 0x15, 0xb1, 0xd1, 0xc2, 0xf6, 0x71, 0x86, 0x68, 0x33, -+ 0x57, 0x82, 0x33, 0xaf -+}; -+ -+/* AES-128 no df No PR */ -+__fips_constseg static const unsigned char aes_128_no_df_entropyinput[] = { -+ 0xc9, 0xc5, 0x79, 0xbc, 0xe8, 0xc5, 0x19, 0xd8, 0xbc, 0x66, 0x73, 0x67, -+ 0xf6, 0xd3, 0x72, 0xaa, 0xa6, 0x16, 0xb8, 0x50, 0xb7, 0x47, 0x3a, 0x42, -+ 0xab, 0xf4, 0x16, 0xb2, 0x96, 0xd2, 0xb6, 0x60 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_nonce[] = { -+ 0x5f, 0xbf, 0x97, 0x0c, 0x4b, 0xa4, 0x87, 0x13 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_personalizationstring[] = { -+ 0xce, 0xfb, 0x7b, 0x3f, 0xd4, 0x6b, 0x29, 0x0d, 0x69, 0x06, 0xff, 0xbb, -+ 0xf2, 0xe5, 0xc6, 0x6c, 0x0a, 0x10, 0xa0, 0xcf, 0x1a, 0x48, 0xc7, 0x8b, -+ 0x3c, 0x16, 0x88, 0xed, 0x50, 0x13, 0x81, 0xce -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_additionalinput[] = { -+ 0x4b, 0x22, 0x46, 0x18, 0x02, 0x7b, 0xd2, 0x1b, 0x22, 0x42, 0x7c, 0x37, 
-+ 0xd9, 0xf6, 0xe8, 0x9b, 0x12, 0x30, 0x5f, 0xe9, 0x90, 0xe8, 0x08, 0x24, -+ 0x4f, 0x06, 0x66, 0xdb, 0x19, 0x2b, 0x13, 0x95 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_int_returnedbits[] = { -+ 0x2e, 0x96, 0x70, 0x64, 0xfa, 0xdf, 0xdf, 0x57, 0xb5, 0x82, 0xee, 0xd6, -+ 0xed, 0x3e, 0x65, 0xc2 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_entropyinputreseed[] = { -+ 0x26, 0xc0, 0x72, 0x16, 0x3a, 0x4b, 0xb7, 0x99, 0xd4, 0x07, 0xaf, 0x66, -+ 0x62, 0x36, 0x96, 0xa4, 0x51, 0x17, 0xfa, 0x07, 0x8b, 0x17, 0x5e, 0xa1, -+ 0x2f, 0x3c, 0x10, 0xe7, 0x90, 0xd0, 0x46, 0x00 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_128_no_df_additionalinputreseed[] = { -+ 0x83, 0x39, 0x37, 0x7b, 0x02, 0x06, 0xd2, 0x12, 0x13, 0x8d, 0x8b, 0xf2, -+ 0xf0, 0xf6, 0x26, 0xeb, 0xa4, 0x22, 0x7b, 0xc2, 0xe7, 0xba, 0x79, 0xe4, -+ 0x3b, 0x77, 0x5d, 0x4d, 0x47, 0xb2, 0x2d, 0xb4 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_additionalinput2[] = { -+ 0x0b, 0xb9, 0x67, 0x37, 0xdb, 0x83, 0xdf, 0xca, 0x81, 0x8b, 0xf9, 0x3f, -+ 0xf1, 0x11, 0x1b, 0x2f, 0xf0, 0x61, 0xa6, 0xdf, 0xba, 0xa3, 0xb1, 0xac, -+ 0xd3, 0xe6, 0x09, 0xb8, 0x2c, 0x6a, 0x67, 0xd6 -+}; -+ -+__fips_constseg static const unsigned char aes_128_no_df_returnedbits[] = { -+ 0x1e, 0xa7, 0xa4, 0xe4, 0xe1, 0xa6, 0x7c, 0x69, 0x9a, 0x44, 0x6c, 0x36, -+ 0x81, 0x37, 0x19, 0xd4 -+}; -+ -+/* AES-192 no df PR */ -+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinput[] = { -+ 0x9d, 0x2c, 0xd2, 0x55, 0x66, 0xea, 0xe0, 0xbe, 0x18, 0xb7, 0x76, 0xe7, -+ 0x73, 0x35, 0xd8, 0x1f, 0xad, 0x3a, 0xe3, 0x81, 0x0e, 0x92, 0xd0, 0x61, -+ 0xc9, 0x12, 0x26, 0xf6, 0x1c, 0xdf, 0xfe, 0x47, 0xaa, 0xfe, 0x7d, 0x5a, -+ 0x17, 0x1f, 0x8d, 0x9a -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_pr_nonce[] = { -+ 0x44, 0x82, 0xed, 0xe8, 0x4c, 0x28, 0x5a, 0x14, 0xff, 0x88, 0x8d, 0x19, -+ 0x61, 0x5c, 0xee, 0x0f -+}; -+ -+__fips_constseg -+ static const unsigned char 
aes_192_no_df_pr_personalizationstring[] = { -+ 0x47, 0xd7, 0x9b, 0x99, 0xaa, 0xcb, 0xe7, 0xd2, 0x57, 0x66, 0x2c, 0xe1, -+ 0x78, 0xd6, 0x2c, 0xea, 0xa3, 0x23, 0x5f, 0x2a, 0xc1, 0x3a, 0xf0, 0xa4, -+ 0x20, 0x3b, 0xfa, 0x07, 0xd5, 0x05, 0x02, 0xe4, 0x57, 0x01, 0xb6, 0x10, -+ 0x57, 0x2e, 0xe7, 0x55 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_pr_additionalinput[] = { -+ 0x4b, 0x74, 0x0b, 0x40, 0xce, 0x6b, 0xc2, 0x6a, 0x24, 0xb4, 0xf3, 0xad, -+ 0x7a, 0xa5, 0x7a, 0xa2, 0x15, 0xe2, 0xc8, 0x61, 0x15, 0xc6, 0xb7, 0x85, -+ 0x69, 0x11, 0xad, 0x7b, 0x14, 0xd2, 0xf6, 0x12, 0xa1, 0x95, 0x5d, 0x3f, -+ 0xe2, 0xd0, 0x0c, 0x2f -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_pr_entropyinputpr[] = { -+ 0x0c, 0x9c, 0xad, 0x05, 0xee, 0xae, 0x48, 0x23, 0x89, 0x59, 0xa1, 0x94, -+ 0xd7, 0xd8, 0x75, 0xd5, 0x54, 0x93, 0xc7, 0x4a, 0xd9, 0x26, 0xde, 0xeb, -+ 0xba, 0xb0, 0x7e, 0x30, 0x1d, 0x5f, 0x69, 0x40, 0x9c, 0x3b, 0x17, 0x58, -+ 0x1d, 0x30, 0xb3, 0x78 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_pr_int_returnedbits[] = { -+ 0xf7, 0x93, 0xb0, 0x6d, 0x77, 0x83, 0xd5, 0x38, 0x01, 0xe1, 0x52, 0x40, -+ 0x7e, 0x3e, 0x0c, 0x26 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_pr_additionalinput2[] = { -+ 0xbc, 0x4b, 0x37, 0x44, 0x1c, 0xc5, 0x45, 0x5f, 0x8f, 0x51, 0x62, 0x8a, -+ 0x85, 0x30, 0x1d, 0x7c, 0xe4, 0xcf, 0xf7, 0x44, 0xce, 0x32, 0x3e, 0x57, -+ 0x95, 0xa4, 0x2a, 0xdf, 0xfd, 0x9e, 0x38, 0x41, 0xb3, 0xf6, 0xc5, 0xee, -+ 0x0c, 0x4b, 0xee, 0x6e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_pr_entropyinputpr2[] = { -+ 0xec, 0xaf, 0xf6, 0x4f, 0xb1, 0xa0, 0x54, 0xb5, 0x5b, 0xe3, 0x46, 0xb0, -+ 0x76, 0x5a, 0x7c, 0x3f, 0x7b, 0x94, 0x69, 0x21, 0x51, 0x02, 0xe5, 0x9f, -+ 0x04, 0x59, 0x02, 0x98, 0xc6, 0x43, 0x2c, 0xcc, 0x26, 0x4c, 0x87, 0x6b, -+ 0x8e, 0x0a, 0x83, 0xdf -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_pr_returnedbits[] = { -+ 0x74, 0x45, 0xfb, 0x53, 0x84, 
0x96, 0xbe, 0xff, 0x15, 0xcc, 0x41, 0x91, -+ 0xb9, 0xa1, 0x21, 0x68 -+}; -+ -+/* AES-192 no df No PR */ -+__fips_constseg static const unsigned char aes_192_no_df_entropyinput[] = { -+ 0x3c, 0x7d, 0xb5, 0xe0, 0x54, 0xd9, 0x6e, 0x8c, 0xa9, 0x86, 0xce, 0x4e, -+ 0x6b, 0xaf, 0xeb, 0x2f, 0xe7, 0x75, 0xe0, 0x8b, 0xa4, 0x3b, 0x07, 0xfe, -+ 0xbe, 0x33, 0x75, 0x93, 0x80, 0x27, 0xb5, 0x29, 0x47, 0x8b, 0xc7, 0x28, -+ 0x94, 0xc3, 0x59, 0x63 -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_nonce[] = { -+ 0x43, 0xf1, 0x7d, 0xb8, 0xc3, 0xfe, 0xd0, 0x23, 0x6b, 0xb4, 0x92, 0xdb, -+ 0x29, 0xfd, 0x45, 0x71 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_personalizationstring[] = { -+ 0x9f, 0x24, 0x29, 0x99, 0x9e, 0x01, 0xab, 0xe9, 0x19, 0xd8, 0x23, 0x08, -+ 0xb7, 0xd6, 0x7e, 0x8c, 0xc0, 0x9e, 0x7f, 0x6e, 0x5b, 0x33, 0x20, 0x96, -+ 0x0b, 0x23, 0x2c, 0xa5, 0x6a, 0xf8, 0x1b, 0x04, 0x26, 0xdb, 0x2e, 0x2b, -+ 0x3b, 0x88, 0xce, 0x35 -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_additionalinput[] = { -+ 0x94, 0xe9, 0x7c, 0x3d, 0xa7, 0xdb, 0x60, 0x83, 0x1f, 0x98, 0x3f, 0x0b, -+ 0x88, 0x59, 0x57, 0x51, 0x88, 0x9f, 0x76, 0x49, 0x9f, 0xa6, 0xda, 0x71, -+ 0x1d, 0x0d, 0x47, 0x16, 0x63, 0xc5, 0x68, 0xe4, 0x5d, 0x39, 0x69, 0xb3, -+ 0x3e, 0xbe, 0xd4, 0x8e -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_int_returnedbits[] = { -+ 0xf9, 0xd7, 0xad, 0x69, 0xab, 0x8f, 0x23, 0x56, 0x70, 0x17, 0x4f, 0x2a, -+ 0x45, 0xe7, 0x4a, 0xc5 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_entropyinputreseed[] = { -+ 0xa6, 0x71, 0x6a, 0x3d, 0xba, 0xd1, 0xe8, 0x66, 0xa6, 0xef, 0xb2, 0x0e, -+ 0xa8, 0x9c, 0xaa, 0x4e, 0xaf, 0x17, 0x89, 0x50, 0x00, 0xda, 0xa1, 0xb1, -+ 0x0b, 0xa4, 0xd9, 0x35, 0x89, 0xc8, 0xe5, 0xb0, 0xd9, 0xb7, 0xc4, 0x33, -+ 0x9b, 0xcb, 0x7e, 0x75 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_192_no_df_additionalinputreseed[] = { -+ 0x27, 0x21, 0xfc, 0xc2, 0xbd, 0xf3, 0x3c, 0xce, 0xc3, 0xca, 
0xc1, 0x01, -+ 0xe0, 0xff, 0x93, 0x12, 0x7d, 0x54, 0x42, 0xe3, 0x9f, 0x03, 0xdf, 0x27, -+ 0x04, 0x07, 0x3c, 0x53, 0x7f, 0xa8, 0x66, 0xc8, 0x97, 0x4b, 0x61, 0x40, -+ 0x5d, 0x7a, 0x25, 0x79 -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_additionalinput2[] = { -+ 0x2d, 0x8e, 0x16, 0x5d, 0x0b, 0x9f, 0xeb, 0xaa, 0xd6, 0xec, 0x28, 0x71, -+ 0x7c, 0x0b, 0xc1, 0x1d, 0xd4, 0x44, 0x19, 0x47, 0xfd, 0x1d, 0x7c, 0xe5, -+ 0xf3, 0x27, 0xe1, 0xb6, 0x72, 0x0a, 0xe0, 0xec, 0x0e, 0xcd, 0xef, 0x1a, -+ 0x91, 0x6a, 0xe3, 0x5f -+}; -+ -+__fips_constseg static const unsigned char aes_192_no_df_returnedbits[] = { -+ 0xe5, 0xda, 0xb8, 0xe0, 0x63, 0x59, 0x5a, 0xcc, 0x3d, 0xdc, 0x9f, 0xe8, -+ 0x66, 0x67, 0x2c, 0x92 -+}; -+ -+/* AES-256 no df PR */ -+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinput[] = { -+ 0x15, 0xc7, 0x5d, 0xcb, 0x41, 0x4b, 0x16, 0x01, 0x3a, 0xd1, 0x44, 0xe8, -+ 0x22, 0x32, 0xc6, 0x9c, 0x3f, 0xe7, 0x43, 0xf5, 0x9a, 0xd3, 0xea, 0xf2, -+ 0xd7, 0x4e, 0x6e, 0x6a, 0x55, 0x73, 0x40, 0xef, 0x89, 0xad, 0x0d, 0x03, -+ 0x96, 0x7e, 0x78, 0x81, 0x2f, 0x91, 0x1b, 0x44, 0xb0, 0x02, 0xba, 0x1c -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_pr_nonce[] = { -+ 0xdc, 0xe4, 0xd4, 0x27, 0x7a, 0x90, 0xd7, 0x99, 0x43, 0xa1, 0x3c, 0x30, -+ 0xcc, 0x4b, 0xee, 0x2e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_personalizationstring[] = { -+ 0xe3, 0xe6, 0xb9, 0x11, 0xe4, 0x7a, 0xa4, 0x40, 0x6b, 0xf8, 0x73, 0xf7, -+ 0x7e, 0xec, 0xc7, 0xb9, 0x97, 0xbf, 0xf8, 0x25, 0x7b, 0xbe, 0x11, 0x9b, -+ 0x5b, 0x6a, 0x0c, 0x2e, 0x2b, 0x01, 0x51, 0xcd, 0x41, 0x4b, 0x6b, 0xac, -+ 0x31, 0xa8, 0x0b, 0xf7, 0xe6, 0x59, 0x42, 0xb8, 0x03, 0x0c, 0xf8, 0x06 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_additionalinput[] = { -+ 0x6a, 0x9f, 0x00, 0x91, 0xae, 0xfe, 0xcf, 0x84, 0x99, 0xce, 0xb1, 0x40, -+ 0x6d, 0x5d, 0x33, 0x28, 0x84, 0xf4, 0x8c, 0x63, 0x4c, 0x7e, 0xbd, 0x2c, -+ 0x80, 0x76, 0xee, 0x5a, 0xaa, 0x15, 
0x07, 0x31, 0xd8, 0xbb, 0x8c, 0x69, -+ 0x9d, 0x9d, 0xbc, 0x7e, 0x49, 0xae, 0xec, 0x39, 0x6b, 0xd1, 0x1f, 0x7e -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_pr_entropyinputpr[] = { -+ 0xf3, 0xb9, 0x75, 0x9c, 0xbd, 0x88, 0xea, 0xa2, 0x50, 0xad, 0xd6, 0x16, -+ 0x1a, 0x12, 0x3c, 0x86, 0x68, 0xaf, 0x6f, 0xbe, 0x19, 0xf2, 0xee, 0xcc, -+ 0xa5, 0x70, 0x84, 0x53, 0x50, 0xcb, 0x9f, 0x14, 0xa9, 0xe5, 0xee, 0xb9, -+ 0x48, 0x45, 0x40, 0xe2, 0xc7, 0xc9, 0x9a, 0x74, 0xff, 0x8c, 0x99, 0x1f -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_int_returnedbits[] = { -+ 0x2e, 0xf2, 0x45, 0x4c, 0x62, 0x2e, 0x0a, 0xb9, 0x6b, 0xa2, 0xfd, 0x56, -+ 0x79, 0x60, 0x93, 0xcf -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_additionalinput2[] = { -+ 0xaf, 0x69, 0x20, 0xe9, 0x3b, 0x37, 0x9d, 0x3f, 0xb4, 0x80, 0x02, 0x7a, -+ 0x25, 0x7d, 0xb8, 0xde, 0x71, 0xc5, 0x06, 0x0c, 0xb4, 0xe2, 0x8f, 0x35, -+ 0xd8, 0x14, 0x0d, 0x7f, 0x76, 0x63, 0x4e, 0xb5, 0xee, 0xe9, 0x6f, 0x34, -+ 0xc7, 0x5f, 0x56, 0x14, 0x4a, 0xe8, 0x73, 0x95, 0x5b, 0x1c, 0xb9, 0xcb -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_pr_entropyinputpr2[] = { -+ 0xe5, 0xb0, 0x2e, 0x7e, 0x52, 0x30, 0xe3, 0x63, 0x82, 0xb6, 0x44, 0xd3, -+ 0x25, 0x19, 0x05, 0x24, 0x9a, 0x9f, 0x5f, 0x27, 0x6a, 0x29, 0xab, 0xfa, -+ 0x07, 0xa2, 0x42, 0x0f, 0xc5, 0xa8, 0x94, 0x7c, 0x17, 0x7b, 0x85, 0x83, -+ 0x0c, 0x25, 0x0e, 0x63, 0x0b, 0xe9, 0x12, 0x60, 0xcd, 0xef, 0x80, 0x0f -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_pr_returnedbits[] = { -+ 0x5e, 0xf2, 0x26, 0xef, 0x9f, 0x58, 0x5d, 0xd5, 0x4a, 0x10, 0xfe, 0xa7, -+ 0x2d, 0x5f, 0x4a, 0x46 -+}; -+ -+/* AES-256 no df No PR */ -+__fips_constseg static const unsigned char aes_256_no_df_entropyinput[] = { -+ 0xfb, 0xcf, 0x1b, 0x61, 0x16, 0x89, 0x78, 0x23, 0xf5, 0xd8, 0x96, 0xe3, -+ 0x4e, 0x64, 0x0b, 0x29, 0x9a, 0x3f, 0xf8, 0xa5, 0xed, 0xf2, 0xfe, 0xdb, -+ 0x16, 0xca, 0x7f, 0x10, 0xfa, 0x5e, 0x18, 0x76, 0x2c, 
0x63, 0x5e, 0x96, -+ 0xcf, 0xb3, 0xd6, 0xfc, 0xaf, 0x99, 0x39, 0x28, 0x9c, 0x61, 0xe8, 0xb3 -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_nonce[] = { -+ 0x12, 0x96, 0xf0, 0x52, 0xf3, 0x8d, 0x81, 0xcf, 0xde, 0x86, 0xf2, 0x99, -+ 0x43, 0x96, 0xb9, 0xf0 -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_personalizationstring[] = { -+ 0x63, 0x0d, 0x78, 0xf5, 0x90, 0x8e, 0x32, 0x47, 0xb0, 0x4d, 0x37, 0x60, -+ 0x09, 0x96, 0xbc, 0xbf, 0x97, 0x7a, 0x62, 0x14, 0x45, 0xbd, 0x8d, 0xcc, -+ 0x69, 0xfb, 0x03, 0xe1, 0x80, 0x1c, 0xc7, 0xe2, 0x2a, 0xf9, 0x37, 0x3f, -+ 0x66, 0x4d, 0x62, 0xd9, 0x10, 0xe0, 0xad, 0xc8, 0x9a, 0xf0, 0xa8, 0x6d -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_additionalinput[] = { -+ 0x36, 0xc6, 0x13, 0x60, 0xbb, 0x14, 0xad, 0x22, 0xb0, 0x38, 0xac, 0xa6, -+ 0x18, 0x16, 0x93, 0x25, 0x86, 0xb7, 0xdc, 0xdc, 0x36, 0x98, 0x2b, 0xf9, -+ 0x68, 0x33, 0xd3, 0xc6, 0xff, 0xce, 0x8d, 0x15, 0x59, 0x82, 0x76, 0xed, -+ 0x6f, 0x8d, 0x49, 0x74, 0x2f, 0xda, 0xdc, 0x1f, 0x17, 0xd0, 0xde, 0x17 -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_int_returnedbits[] = { -+ 0x16, 0x2f, 0x8e, 0x3f, 0x21, 0x7a, 0x1c, 0x20, 0x56, 0xd1, 0x92, 0xf6, -+ 0xd2, 0x25, 0x75, 0x0e -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_entropyinputreseed[] = { -+ 0x91, 0x79, 0x76, 0xee, 0xe0, 0xcf, 0x9e, 0xc2, 0xd5, 0xd4, 0x23, 0x9b, -+ 0x12, 0x8c, 0x7e, 0x0a, 0xb7, 0xd2, 0x8b, 0xd6, 0x7c, 0xa3, 0xc6, 0xe5, -+ 0x0e, 0xaa, 0xc7, 0x6b, 0xae, 0x0d, 0xfa, 0x53, 0x06, 0x79, 0xa1, 0xed, -+ 0x4d, 0x6a, 0x0e, 0xd8, 0x9d, 0xbe, 0x1b, 0x31, 0x93, 0x7b, 0xec, 0xfb -+}; -+ -+__fips_constseg -+ static const unsigned char aes_256_no_df_additionalinputreseed[] = { -+ 0xd2, 0x46, 0x50, 0x22, 0x10, 0x14, 0x63, 0xf7, 0xea, 0x0f, 0xb9, 0x7e, -+ 0x0d, 0xe1, 0x94, 0x07, 0xaf, 0x09, 0x44, 0x31, 0xea, 0x64, 0xa4, 0x18, -+ 0x5b, 0xf9, 0xd8, 0xc2, 0xfa, 0x03, 0x47, 0xc5, 0x39, 0x43, 0xd5, 0x3b, -+ 0x62, 0x86, 0x64, 0xea, 0x2c, 
0x73, 0x8c, 0xae, 0x9d, 0x98, 0x98, 0x29 -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_additionalinput2[] = { -+ 0x8c, 0xab, 0x18, 0xf8, 0xc3, 0xec, 0x18, 0x5c, 0xb3, 0x1e, 0x9d, 0xbe, -+ 0x3f, 0x03, 0xb4, 0x00, 0x98, 0x9d, 0xae, 0xeb, 0xf4, 0x94, 0xf8, 0x42, -+ 0x8f, 0xe3, 0x39, 0x07, 0xe1, 0xc9, 0xad, 0x0b, 0x1f, 0xed, 0xc0, 0xba, -+ 0xf6, 0xd1, 0xec, 0x27, 0x86, 0x7b, 0xd6, 0x55, 0x9b, 0x60, 0xa5, 0xc6 -+}; -+ -+__fips_constseg static const unsigned char aes_256_no_df_returnedbits[] = { -+ 0xef, 0xd2, 0xd8, 0x5c, 0xdc, 0x62, 0x25, 0x9f, 0xaa, 0x1e, 0x2c, 0x67, -+ 0xf6, 0x02, 0x32, 0xe2 -+}; -+ -+/* SHA-1 PR */ -+__fips_constseg static const unsigned char sha1_pr_entropyinput[] = { -+ 0xd2, 0x36, 0xa5, 0x27, 0x31, 0x73, 0xdd, 0x11, 0x4f, 0x93, 0xbd, 0xe2, -+ 0x31, 0xa5, 0x91, 0x13 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_nonce[] = { -+ 0xb5, 0xb3, 0x60, 0xef, 0xf7, 0x63, 0x31, 0xf3 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_personalizationstring[] = { -+ 0xd4, 0xbb, 0x02, 0x10, 0xb2, 0x71, 0xdb, 0x81, 0xd6, 0xf0, 0x42, 0x60, -+ 0xda, 0xea, 0x77, 0x52 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_additionalinput[] = { -+ 0x4d, 0xd2, 0x6c, 0x87, 0xfb, 0x2c, 0x4f, 0xa6, 0x8d, 0x16, 0x63, 0x22, -+ 0x6a, 0x51, 0xe3, 0xf8 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_entropyinputpr[] = { -+ 0xc9, 0x83, 0x9e, 0x16, 0xf6, 0x1c, 0x0f, 0xb2, 0xec, 0x60, 0x31, 0xa9, -+ 0xcb, 0xa9, 0x36, 0x7a -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_int_returnedbits[] = { -+ 0xa8, 0x13, 0x4f, 0xf4, 0x31, 0x02, 0x44, 0xe3, 0xd3, 0x3d, 0x61, 0x9e, -+ 0xe5, 0xc6, 0x3e, 0x89, 0xb5, 0x9b, 0x0f, 0x35 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_additionalinput2[] = { -+ 0xf9, 0xe8, 0xd2, 0x72, 0x13, 0x34, 0x95, 0x6f, 0x15, 0x49, 0x47, 0x99, -+ 0x16, 0x03, 0x19, 0x47 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_entropyinputpr2[] = { -+ 0x4e, 0x8c, 0x49, 0x9b, 
0x4a, 0x5c, 0x9b, 0x9c, 0x3a, 0xee, 0xfb, 0xd2, -+ 0xae, 0xcd, 0x8c, 0xc4 -+}; -+ -+__fips_constseg static const unsigned char sha1_pr_returnedbits[] = { -+ 0x50, 0xb4, 0xb4, 0xcd, 0x68, 0x57, 0xfc, 0x2e, 0xc1, 0x52, 0xcc, 0xf6, -+ 0x68, 0xa4, 0x81, 0xed, 0x7e, 0xe4, 0x1d, 0x87 -+}; -+ -+/* SHA-1 No PR */ -+__fips_constseg static const unsigned char sha1_entropyinput[] = { -+ 0xa9, 0x47, 0x1b, 0x29, 0x2d, 0x1c, 0x05, 0xdf, 0x76, 0xd0, 0x62, 0xf9, -+ 0xe2, 0x7f, 0x4c, 0x7b -+}; -+ -+__fips_constseg static const unsigned char sha1_nonce[] = { -+ 0x53, 0x23, 0x24, 0xe3, 0xec, 0x0c, 0x54, 0x14 -+}; -+ -+__fips_constseg static const unsigned char sha1_personalizationstring[] = { -+ 0x7a, 0x87, 0xa1, 0xac, 0x1c, 0xfd, 0xab, 0xae, 0xf7, 0xd6, 0xfb, 0x76, -+ 0x28, 0xec, 0x6d, 0xca -+}; -+ -+__fips_constseg static const unsigned char sha1_additionalinput[] = { -+ 0xfc, 0x92, 0x35, 0xd6, 0x7e, 0xb7, 0x24, 0x65, 0xfd, 0x12, 0x27, 0x35, -+ 0xc0, 0x72, 0xca, 0x28 -+}; -+ -+__fips_constseg static const unsigned char sha1_int_returnedbits[] = { -+ 0x57, 0x88, 0x82, 0xe5, 0x25, 0xa5, 0x2c, 0x4a, 0x06, 0x20, 0x6c, 0x72, -+ 0x55, 0x61, 0xdd, 0x90, 0x71, 0x9f, 0x95, 0xea -+}; -+ -+__fips_constseg static const unsigned char sha1_entropyinputreseed[] = { -+ 0x69, 0xa5, 0x40, 0x62, 0x98, 0x47, 0x56, 0x73, 0x4a, 0x8f, 0x60, 0x96, -+ 0xd6, 0x99, 0x27, 0xed -+}; -+ -+__fips_constseg static const unsigned char sha1_additionalinputreseed[] = { -+ 0xe5, 0x40, 0x4e, 0xbd, 0x50, 0x00, 0xf5, 0x15, 0xa6, 0xee, 0x45, 0xda, -+ 0x84, 0x3d, 0xd4, 0xc0 -+}; -+ -+__fips_constseg static const unsigned char sha1_additionalinput2[] = { -+ 0x11, 0x51, 0x14, 0xf0, 0x09, 0x1b, 0x4e, 0x56, 0x0d, 0xe9, 0xf6, 0x1e, -+ 0x52, 0x65, 0xcd, 0x96 -+}; -+ -+__fips_constseg static const unsigned char sha1_returnedbits[] = { -+ 0xa1, 0x9c, 0x94, 0x6e, 0x29, 0xe1, 0x33, 0x0d, 0x32, 0xd6, 0xaa, 0xce, -+ 0x71, 0x3f, 0x52, 0x72, 0x8b, 0x42, 0xa8, 0xd7 -+}; -+ -+/* SHA-224 PR */ -+__fips_constseg static const unsigned char 
sha224_pr_entropyinput[] = { -+ 0x12, 0x69, 0x32, 0x4f, 0x83, 0xa6, 0xf5, 0x14, 0xe3, 0x49, 0x3e, 0x75, -+ 0x3e, 0xde, 0xad, 0xa1, 0x29, 0xc3, 0xf3, 0x19, 0x20, 0xb5, 0x4c, 0xd9 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_nonce[] = { -+ 0x6a, 0x78, 0xd0, 0xeb, 0xbb, 0x5a, 0xf0, 0xee, 0xe8, 0xc3, 0xba, 0x71 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_personalizationstring[] = { -+ 0xd5, 0xb8, 0xb6, 0xbc, 0xc1, 0x5b, 0x60, 0x31, 0x3c, 0xf5, 0xe5, 0xc0, -+ 0x8e, 0x52, 0x7a, 0xbd, 0xea, 0x47, 0xa9, 0x5f, 0x8f, 0xf9, 0x8b, 0xae -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_additionalinput[] = { -+ 0x1f, 0x55, 0xec, 0xae, 0x16, 0x12, 0x84, 0xba, 0x84, 0x16, 0x19, 0x88, -+ 0x8e, 0xb8, 0x33, 0x25, 0x54, 0xff, 0xca, 0x79, 0xaf, 0x07, 0x25, 0x50 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_entropyinputpr[] = { -+ 0x92, 0xa3, 0x32, 0xa8, 0x9a, 0x0a, 0x58, 0x7c, 0x1d, 0x5a, 0x7e, 0xe1, -+ 0xb2, 0x73, 0xab, 0x0e, 0x16, 0x79, 0x23, 0xd3, 0x29, 0x89, 0x81, 0xe1 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_int_returnedbits[] = { -+ 0xf3, 0x38, 0x91, 0x40, 0x37, 0x7a, 0x51, 0x72, 0x42, 0x74, 0x78, 0x0a, -+ 0x69, 0xfd, 0xa6, 0x44, 0x43, 0x45, 0x6c, 0x0c, 0x5a, 0x19, 0xff, 0xf1, -+ 0x54, 0x60, 0xee, 0x6a -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_additionalinput2[] = { -+ 0x75, 0xf3, 0x04, 0x25, 0xdd, 0x36, 0xa8, 0x37, 0x46, 0xae, 0x0c, 0x52, -+ 0x05, 0x79, 0x4c, 0x26, 0xdb, 0xe9, 0x71, 0x16, 0x4c, 0x0a, 0xf2, 0x60 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_entropyinputpr2[] = { -+ 0xea, 0xc5, 0x03, 0x0a, 0x4f, 0xb0, 0x38, 0x8d, 0x23, 0xd4, 0xc8, 0x77, -+ 0xe2, 0x6d, 0x9c, 0x0b, 0x44, 0xf7, 0x2d, 0x5b, 0xbf, 0x5d, 0x2a, 0x11 -+}; -+ -+__fips_constseg static const unsigned char sha224_pr_returnedbits[] = { -+ 0x60, 0x50, 0x2b, 0xe7, 0x86, 0xd8, 0x26, 0x73, 0xe3, 0x1d, 0x95, 0x20, -+ 0xb3, 0x2c, 0x32, 0x1c, 0xf5, 0xce, 0x57, 0xa6, 0x67, 0x2b, 0xdc, 0x4e, -+ 
0xdd, 0x11, 0x4c, 0xc4 -+}; -+ -+/* SHA-224 No PR */ -+__fips_constseg static const unsigned char sha224_entropyinput[] = { -+ 0xb2, 0x1c, 0x77, 0x4d, 0xf6, 0xd3, 0xb6, 0x40, 0xb7, 0x30, 0x3e, 0x29, -+ 0xb0, 0x85, 0x1c, 0xbe, 0x4a, 0xea, 0x6b, 0x5a, 0xb5, 0x8a, 0x97, 0xeb -+}; -+ -+__fips_constseg static const unsigned char sha224_nonce[] = { -+ 0x42, 0x02, 0x0a, 0x1c, 0x98, 0x9a, 0x77, 0x9e, 0x9f, 0x80, 0xba, 0xe0 -+}; -+ -+__fips_constseg static const unsigned char sha224_personalizationstring[] = { -+ 0x98, 0xb8, 0x04, 0x41, 0xfc, 0xc1, 0x5d, 0xc5, 0xe9, 0xb9, 0x08, 0xda, -+ 0xf9, 0xfa, 0x0d, 0x90, 0xce, 0xdf, 0x1d, 0x10, 0xa9, 0x8d, 0x50, 0x0c -+}; -+ -+__fips_constseg static const unsigned char sha224_additionalinput[] = { -+ 0x9a, 0x8d, 0x39, 0x49, 0x42, 0xd5, 0x0b, 0xae, 0xe1, 0xaf, 0xb7, 0x00, -+ 0x02, 0xfa, 0x96, 0xb1, 0xa5, 0x1d, 0x2d, 0x25, 0x78, 0xee, 0x83, 0x3f -+}; -+ -+__fips_constseg static const unsigned char sha224_int_returnedbits[] = { -+ 0xe4, 0xf5, 0x53, 0x79, 0x5a, 0x97, 0x58, 0x06, 0x08, 0xba, 0x7b, 0xfa, -+ 0xf0, 0x83, 0x05, 0x8c, 0x22, 0xc0, 0xc9, 0xdb, 0x15, 0xe7, 0xde, 0x20, -+ 0x55, 0x22, 0x9a, 0xad -+}; -+ -+__fips_constseg static const unsigned char sha224_entropyinputreseed[] = { -+ 0x67, 0x09, 0x48, 0xaa, 0x07, 0x16, 0x99, 0x89, 0x7f, 0x6d, 0xa0, 0xe5, -+ 0x8f, 0xdf, 0xbc, 0xdb, 0xfe, 0xe5, 0x6c, 0x7a, 0x95, 0x4a, 0x66, 0x17 -+}; -+ -+__fips_constseg static const unsigned char sha224_additionalinputreseed[] = { -+ 0x0f, 0x4b, 0x1c, 0x6f, 0xb7, 0xe3, 0x47, 0xe5, 0x5d, 0x7d, 0x38, 0xd6, -+ 0x28, 0x9b, 0xeb, 0x55, 0x63, 0x09, 0x3e, 0x7c, 0x56, 0xea, 0xf8, 0x19 -+}; -+ -+__fips_constseg static const unsigned char sha224_additionalinput2[] = { -+ 0x2d, 0x26, 0x7c, 0x37, 0xe4, 0x7a, 0x28, 0x5e, 0x5a, 0x3c, 0xaf, 0x3d, -+ 0x5a, 0x8e, 0x55, 0xa2, 0x1a, 0x6e, 0xc0, 0xe5, 0xf6, 0x21, 0xd3, 0xf6 -+}; -+ -+__fips_constseg static const unsigned char sha224_returnedbits[] = { -+ 0x4d, 0x83, 0x35, 0xdf, 0x67, 0xa9, 0xfc, 0x17, 0xda, 0x70, 0xcc, 
0x8b, -+ 0x7f, 0x77, 0xae, 0xa2, 0x5f, 0xb9, 0x7e, 0x74, 0x4c, 0x26, 0xc1, 0x7a, -+ 0x3b, 0xa7, 0x5c, 0x93 -+}; -+ -+/* SHA-256 PR */ -+__fips_constseg static const unsigned char sha256_pr_entropyinput[] = { -+ 0xce, 0x49, 0x00, 0x7a, 0x56, 0xe3, 0x67, 0x8f, 0xe1, 0xb6, 0xa7, 0xd4, -+ 0x4f, 0x08, 0x7a, 0x1b, 0x01, 0xf4, 0xfa, 0x6b, 0xef, 0xb7, 0xe5, 0xeb, -+ 0x07, 0x3d, 0x11, 0x0d, 0xc8, 0xea, 0x2b, 0xfe -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_nonce[] = { -+ 0x73, 0x41, 0xc8, 0x92, 0x94, 0xe2, 0xc5, 0x5f, 0x93, 0xfd, 0x39, 0x5d, -+ 0x2b, 0x91, 0x4d, 0x38 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_personalizationstring[] = { -+ 0x50, 0x6d, 0x01, 0x01, 0x07, 0x5a, 0x80, 0x35, 0x7a, 0x56, 0x1a, 0x56, -+ 0x2f, 0x9a, 0x0b, 0x35, 0xb2, 0xb1, 0xc9, 0xe5, 0xca, 0x69, 0x61, 0x48, -+ 0xff, 0xfb, 0x0f, 0xd9, 0x4b, 0x79, 0x1d, 0xba -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_additionalinput[] = { -+ 0x20, 0xb8, 0xdf, 0x44, 0x77, 0x5a, 0xb8, 0xd3, 0xbf, 0xf6, 0xcf, 0xac, -+ 0x5e, 0xa6, 0x96, 0x62, 0x73, 0x44, 0x40, 0x4a, 0x30, 0xfb, 0x38, 0xa5, -+ 0x7b, 0x0d, 0xe4, 0x0d, 0xc6, 0xe4, 0x9a, 0x1f -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_entropyinputpr[] = { -+ 0x04, 0xc4, 0x65, 0xf4, 0xd3, 0xbf, 0x83, 0x4b, 0xab, 0xc8, 0x41, 0xa8, -+ 0xc2, 0xe0, 0x44, 0x63, 0x77, 0x4c, 0x6f, 0x6c, 0x49, 0x46, 0xff, 0x94, -+ 0x17, 0xea, 0xe6, 0x1a, 0x9d, 0x5e, 0x66, 0x78 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_int_returnedbits[] = { -+ 0x07, 0x4d, 0xac, 0x9b, 0x86, 0xca, 0x4a, 0xaa, 0x6e, 0x7a, 0x03, 0xa2, -+ 0x5d, 0x10, 0xea, 0x0b, 0xf9, 0x83, 0xcc, 0xd1, 0xfc, 0xe2, 0x07, 0xc7, -+ 0x06, 0x34, 0x60, 0x6f, 0x83, 0x94, 0x99, 0x76 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_additionalinput2[] = { -+ 0x89, 0x4e, 0x45, 0x8c, 0x11, 0xf9, 0xbc, 0x5b, 0xac, 0x74, 0x8b, 0x4b, -+ 0x5f, 0xf7, 0x19, 0xf3, 0xf5, 0x24, 0x54, 0x14, 0xd1, 0x15, 0xb1, 0x43, -+ 0x12, 0xa4, 0x5f, 0xd4, 0xec, 
0xfc, 0xcd, 0x09 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_entropyinputpr2[] = { -+ 0x0e, 0xeb, 0x1f, 0xd7, 0xfc, 0xd1, 0x9d, 0xd4, 0x05, 0x36, 0x8b, 0xb2, -+ 0xfb, 0xe4, 0xf4, 0x51, 0x0c, 0x87, 0x9b, 0x02, 0x44, 0xd5, 0x92, 0x4d, -+ 0x44, 0xfe, 0x1a, 0x03, 0x43, 0x56, 0xbd, 0x86 -+}; -+ -+__fips_constseg static const unsigned char sha256_pr_returnedbits[] = { -+ 0x02, 0xaa, 0xb6, 0x1d, 0x7e, 0x2a, 0x40, 0x03, 0x69, 0x2d, 0x49, 0xa3, -+ 0x41, 0xe7, 0x44, 0x0b, 0xaf, 0x7b, 0x85, 0xe4, 0x5f, 0x53, 0x3b, 0x64, -+ 0xbc, 0x89, 0xc8, 0x82, 0xd4, 0x78, 0x37, 0xa2 -+}; -+ -+/* SHA-256 No PR */ -+__fips_constseg static const unsigned char sha256_entropyinput[] = { -+ 0x5b, 0x1b, 0xec, 0x4d, 0xa9, 0x38, 0x74, 0x5a, 0x34, 0x0b, 0x7b, 0xc5, -+ 0xe5, 0xd7, 0x66, 0x7c, 0xbc, 0x82, 0xb9, 0x0e, 0x2d, 0x1f, 0x92, 0xd7, -+ 0xc1, 0xbc, 0x67, 0x69, 0xec, 0x6b, 0x03, 0x3c -+}; -+ -+__fips_constseg static const unsigned char sha256_nonce[] = { -+ 0xa4, 0x0c, 0xd8, 0x9c, 0x61, 0xd8, 0xc3, 0x54, 0xfe, 0x53, 0xc9, 0xe5, -+ 0x5d, 0x6f, 0x6d, 0x35 -+}; -+ -+__fips_constseg static const unsigned char sha256_personalizationstring[] = { -+ 0x22, 0x5e, 0x62, 0x93, 0x42, 0x83, 0x78, 0x24, 0xd8, 0x40, 0x8c, 0xde, -+ 0x6f, 0xf9, 0xa4, 0x7a, 0xc5, 0xa7, 0x3b, 0x88, 0xa3, 0xee, 0x42, 0x20, -+ 0xfd, 0x61, 0x56, 0xc6, 0x4c, 0x13, 0x41, 0x9c -+}; -+ -+__fips_constseg static const unsigned char sha256_additionalinput[] = { -+ 0xbf, 0x74, 0x5b, 0xf6, 0xc5, 0x64, 0x5e, 0x99, 0x34, 0x8f, 0xbc, 0xa4, -+ 0xe2, 0xbd, 0xd8, 0x85, 0x26, 0x37, 0xea, 0xba, 0x4f, 0xf2, 0x9a, 0x9a, -+ 0x66, 0xfc, 0xdf, 0x63, 0x26, 0x26, 0x19, 0x87 -+}; -+ -+__fips_constseg static const unsigned char sha256_int_returnedbits[] = { -+ 0xb3, 0xc6, 0x07, 0x07, 0xd6, 0x75, 0xf6, 0x2b, 0xd6, 0x21, 0x96, 0xf1, -+ 0xae, 0xdb, 0x2b, 0xac, 0x25, 0x2a, 0xae, 0xae, 0x41, 0x72, 0x03, 0x5e, -+ 0xbf, 0xd3, 0x64, 0xbc, 0x59, 0xf9, 0xc0, 0x76 -+}; -+ -+__fips_constseg static const unsigned char sha256_entropyinputreseed[] = { -+ 
0xbf, 0x20, 0x33, 0x56, 0x29, 0xa8, 0x37, 0x04, 0x1f, 0x78, 0x34, 0x3d, -+ 0x81, 0x2a, 0xc9, 0x86, 0xc6, 0x7a, 0x2f, 0x88, 0x5e, 0xd5, 0xbe, 0x34, -+ 0x46, 0x20, 0xa4, 0x35, 0xeb, 0xc7, 0xe2, 0x9d -+}; -+ -+__fips_constseg static const unsigned char sha256_additionalinputreseed[] = { -+ 0x9b, 0xae, 0x2d, 0x2d, 0x61, 0xa4, 0x89, 0xeb, 0x43, 0x46, 0xa7, 0xda, -+ 0xef, 0x40, 0xca, 0x4a, 0x99, 0x11, 0x41, 0xdc, 0x5c, 0x94, 0xe9, 0xac, -+ 0xd4, 0xd0, 0xe6, 0xbd, 0xfb, 0x03, 0x9c, 0xa8 -+}; -+ -+__fips_constseg static const unsigned char sha256_additionalinput2[] = { -+ 0x23, 0xaa, 0x0c, 0xbd, 0x28, 0x33, 0xe2, 0x51, 0xfc, 0x71, 0xd2, 0x15, -+ 0x1f, 0x76, 0xfd, 0x0d, 0xe0, 0xb7, 0xb5, 0x84, 0x75, 0x5b, 0xbe, 0xf3, -+ 0x5c, 0xca, 0xc5, 0x30, 0xf2, 0x75, 0x1f, 0xda -+}; -+ -+__fips_constseg static const unsigned char sha256_returnedbits[] = { -+ 0x90, 0x3c, 0xc1, 0x10, 0x8c, 0x12, 0x01, 0xc6, 0xa6, 0x3a, 0x0f, 0x4d, -+ 0xb6, 0x3a, 0x4f, 0x41, 0x9c, 0x61, 0x75, 0x84, 0xe9, 0x74, 0x75, 0xfd, -+ 0xfe, 0xf2, 0x1f, 0x43, 0xd8, 0x5e, 0x24, 0xa3 -+}; -+ -+/* SHA-384 PR */ -+__fips_constseg static const unsigned char sha384_pr_entropyinput[] = { -+ 0x71, 0x9d, 0xb2, 0x5a, 0x71, 0x6d, 0x04, 0xe9, 0x1e, 0xc7, 0x92, 0x24, -+ 0x6e, 0x12, 0x33, 0xa9, 0x52, 0x64, 0x31, 0xef, 0x71, 0xeb, 0x22, 0x55, -+ 0x28, 0x97, 0x06, 0x6a, 0xc0, 0x0c, 0xa0, 0x7e -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_nonce[] = { -+ 0xf5, 0x0d, 0xfa, 0xb0, 0xec, 0x6a, 0x7c, 0xd6, 0xbd, 0x9b, 0x05, 0xfd, -+ 0x38, 0x3e, 0x2e, 0x56 -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_personalizationstring[] = { -+ 0x74, 0xac, 0x7e, 0x6d, 0xb1, 0xa4, 0xe7, 0x21, 0xd1, 0x1e, 0x6e, 0x96, -+ 0x6d, 0x4d, 0x53, 0x46, 0x82, 0x96, 0x6e, 0xcf, 0xaa, 0x81, 0x8d, 0x7d, -+ 0x9e, 0xe1, 0x0f, 0x15, 0xea, 0x41, 0xbf, 0xe3 -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_additionalinput[] = { -+ 0xda, 0x95, 0xd4, 0xd0, 0xb8, 0x11, 0xd3, 0x49, 0x27, 0x5d, 0xa9, 0x39, -+ 0x68, 0xf3, 0xa8, 
0xe9, 0x5d, 0x19, 0x8a, 0x2b, 0x66, 0xe8, 0x69, 0x06, -+ 0x7c, 0x9e, 0x03, 0xa1, 0x8b, 0x26, 0x2d, 0x6e -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_entropyinputpr[] = { -+ 0x49, 0xdf, 0x44, 0x00, 0xe4, 0x1c, 0x75, 0x0b, 0x26, 0x5a, 0x59, 0x64, -+ 0x1f, 0x4e, 0xb1, 0xb2, 0x13, 0xf1, 0x22, 0x4e, 0xb4, 0x6d, 0x9a, 0xcc, -+ 0xa0, 0x48, 0xe6, 0xcf, 0x1d, 0xd1, 0x92, 0x0d -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_int_returnedbits[] = { -+ 0xc8, 0x52, 0xae, 0xbf, 0x04, 0x3c, 0x27, 0xb7, 0x78, 0x18, 0xaa, 0x8f, -+ 0xff, 0xcf, 0xa4, 0xf1, 0xcc, 0xe7, 0x68, 0xfa, 0x22, 0xa2, 0x13, 0x45, -+ 0xe8, 0xdd, 0x87, 0xe6, 0xf2, 0x6e, 0xdd, 0xc7, 0x52, 0x90, 0x9f, 0x7b, -+ 0xfa, 0x61, 0x2d, 0x9d, 0x9e, 0xcf, 0x98, 0xac, 0x52, 0x40, 0xce, 0xaf -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_additionalinput2[] = { -+ 0x61, 0x7c, 0x03, 0x9a, 0x3e, 0x50, 0x57, 0x60, 0xc5, 0x83, 0xc9, 0xb2, -+ 0xd1, 0x87, 0x85, 0x66, 0x92, 0x5d, 0x84, 0x0e, 0x53, 0xfb, 0x70, 0x03, -+ 0x72, 0xfd, 0xba, 0xae, 0x9c, 0x8f, 0xf8, 0x18 -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_entropyinputpr2[] = { -+ 0xf8, 0xeb, 0x89, 0xb1, 0x8d, 0x78, 0xbe, 0x21, 0xe0, 0xbb, 0x9d, 0xb7, -+ 0x95, 0x0e, 0xd9, 0x46, 0x0c, 0x8c, 0xe2, 0x63, 0xb7, 0x9d, 0x67, 0x90, -+ 0xbd, 0xc7, 0x0b, 0xa5, 0xce, 0xb2, 0x65, 0x81 -+}; -+ -+__fips_constseg static const unsigned char sha384_pr_returnedbits[] = { -+ 0xe6, 0x9f, 0xfe, 0x68, 0xd6, 0xb5, 0x79, 0xf1, 0x06, 0x5f, 0xa3, 0xbb, -+ 0x23, 0x85, 0xd8, 0xf0, 0x29, 0x5a, 0x68, 0x9e, 0xf5, 0xf4, 0xa6, 0x12, -+ 0xe0, 0x9a, 0xe2, 0xac, 0x00, 0x1d, 0x98, 0x26, 0xfc, 0x53, 0x95, 0x53, -+ 0xe4, 0x3e, 0x17, 0xd5, 0x08, 0x0b, 0x70, 0x3d, 0x67, 0x99, 0xac, 0x66 -+}; -+ -+/* SHA-384 No PR */ -+__fips_constseg static const unsigned char sha384_entropyinput[] = { -+ 0x07, 0x15, 0x27, 0x2a, 0xaf, 0x74, 0x24, 0x37, 0xbc, 0xd5, 0x14, 0x69, -+ 0xce, 0x11, 0xff, 0xa2, 0x6b, 0xb8, 0x05, 0x67, 0x34, 0xf8, 0xbd, 0x6d, -+ 0x6a, 0xcc, 0xcd, 
0x60, 0xa3, 0x68, 0xca, 0xf4 -+}; -+ -+__fips_constseg static const unsigned char sha384_nonce[] = { -+ 0x70, 0x17, 0xc2, 0x5b, 0x5d, 0x22, 0x0b, 0x06, 0x15, 0x54, 0x78, 0x77, -+ 0x44, 0xaf, 0x2f, 0x09 -+}; -+ -+__fips_constseg static const unsigned char sha384_personalizationstring[] = { -+ 0x89, 0x39, 0x28, 0xb0, 0x60, 0xeb, 0x3d, 0xdc, 0x55, 0x75, 0x86, 0xeb, -+ 0xae, 0xa2, 0x8f, 0xbc, 0x1b, 0x75, 0xd4, 0xe1, 0x0f, 0xaa, 0x38, 0xca, -+ 0x62, 0x8b, 0xcb, 0x2c, 0x26, 0xf6, 0xbc, 0xb1 -+}; -+ -+__fips_constseg static const unsigned char sha384_additionalinput[] = { -+ 0x30, 0x2b, 0x42, 0x35, 0xef, 0xda, 0x40, 0x55, 0x28, 0xc6, 0x95, 0xfb, -+ 0x54, 0x01, 0x62, 0xd7, 0x87, 0x14, 0x48, 0x6d, 0x90, 0x4c, 0xa9, 0x02, -+ 0x54, 0x40, 0x22, 0xc8, 0x66, 0xa5, 0x48, 0x48 -+}; -+ -+__fips_constseg static const unsigned char sha384_int_returnedbits[] = { -+ 0x82, 0xc4, 0xa1, 0x9c, 0x21, 0xd2, 0xe7, 0xa5, 0xa6, 0xf6, 0x5f, 0x04, -+ 0x5c, 0xc7, 0x31, 0x9d, 0x8d, 0x59, 0x74, 0x50, 0x19, 0x89, 0x2f, 0x63, -+ 0xd5, 0xb7, 0x7e, 0xeb, 0x15, 0xe3, 0x70, 0x83, 0xa1, 0x24, 0x59, 0xfa, -+ 0x2c, 0x56, 0xf6, 0x88, 0x3a, 0x92, 0x93, 0xa1, 0xfb, 0x79, 0xc1, 0x7a -+}; -+ -+__fips_constseg static const unsigned char sha384_entropyinputreseed[] = { -+ 0x39, 0xa6, 0xe8, 0x5c, 0x82, 0x17, 0x71, 0x26, 0x57, 0x4f, 0x9f, 0xc2, -+ 0x55, 0xff, 0x5c, 0x9b, 0x53, 0x1a, 0xd1, 0x5f, 0xbc, 0x62, 0xe4, 0x27, -+ 0x2d, 0x32, 0xf0, 0xe4, 0x52, 0x8c, 0xc5, 0x0c -+}; -+ -+__fips_constseg static const unsigned char sha384_additionalinputreseed[] = { -+ 0x8d, 0xcb, 0x8d, 0xce, 0x08, 0xea, 0x80, 0xe8, 0x9b, 0x61, 0xa8, 0x0f, -+ 0xaf, 0x49, 0x20, 0x9e, 0x74, 0xcb, 0x57, 0x80, 0x42, 0xb0, 0x84, 0x5e, -+ 0x30, 0x2a, 0x67, 0x08, 0xf4, 0xe3, 0x40, 0x22 -+}; -+ -+__fips_constseg static const unsigned char sha384_additionalinput2[] = { -+ 0x7c, 0x8f, 0xc2, 0xae, 0x22, 0x4a, 0xd6, 0xf6, 0x05, 0xa4, 0x7a, 0xea, -+ 0xbb, 0x25, 0xd0, 0xb7, 0x5a, 0xd6, 0xcf, 0x9d, 0xf3, 0x6c, 0xe2, 0xb2, -+ 0x4e, 0xb4, 0xbd, 0xf4, 0xe5, 0x40, 
0x80, 0x94 -+}; -+ -+__fips_constseg static const unsigned char sha384_returnedbits[] = { -+ 0x9e, 0x7e, 0xfb, 0x59, 0xbb, 0xaa, 0x3c, 0xf7, 0xe1, 0xf8, 0x76, 0xdd, -+ 0x63, 0x5f, 0xaf, 0x23, 0xd6, 0x64, 0x61, 0xc0, 0x9a, 0x09, 0x47, 0xc9, -+ 0x33, 0xdf, 0x6d, 0x55, 0x91, 0x34, 0x79, 0x70, 0xc4, 0x99, 0x6e, 0x54, -+ 0x09, 0x64, 0x21, 0x1a, 0xbd, 0x1e, 0x80, 0x40, 0x34, 0xad, 0xfa, 0xd7 -+}; -+ -+/* SHA-512 PR */ -+__fips_constseg static const unsigned char sha512_pr_entropyinput[] = { -+ 0x13, 0xf7, 0x61, 0x75, 0x65, 0x28, 0xa2, 0x59, 0x13, 0x5a, 0x4a, 0x4f, -+ 0x56, 0x60, 0x8c, 0x53, 0x7d, 0xb0, 0xbd, 0x06, 0x4f, 0xed, 0xcc, 0xd2, -+ 0xa2, 0xb5, 0xfd, 0x5b, 0x3a, 0xab, 0xec, 0x28 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_nonce[] = { -+ 0xbe, 0xa3, 0x91, 0x93, 0x1d, 0xc3, 0x31, 0x3a, 0x23, 0x33, 0x50, 0x67, -+ 0x88, 0xc7, 0xa2, 0xc4 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_personalizationstring[] = { -+ 0x1f, 0x59, 0x4d, 0x7b, 0xe6, 0x46, 0x91, 0x48, 0xc1, 0x25, 0xfa, 0xff, -+ 0x89, 0x12, 0x77, 0x35, 0xdf, 0x3e, 0xf4, 0x80, 0x5f, 0xd9, 0xb0, 0x07, -+ 0x22, 0x41, 0xdd, 0x48, 0x78, 0x6b, 0x77, 0x2b -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_additionalinput[] = { -+ 0x30, 0xff, 0x63, 0x6f, 0xac, 0xd9, 0x84, 0x39, 0x6f, 0xe4, 0x99, 0xce, -+ 0x91, 0x7d, 0x7e, 0xc8, 0x58, 0xf2, 0x12, 0xc3, 0xb6, 0xad, 0xda, 0x22, -+ 0x04, 0xa0, 0xd2, 0x21, 0xfe, 0xf2, 0x95, 0x1d -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_entropyinputpr[] = { -+ 0x64, 0x54, 0x13, 0xec, 0x4f, 0x77, 0xda, 0xb2, 0x92, 0x2e, 0x52, 0x80, -+ 0x11, 0x10, 0xc2, 0xf8, 0xe6, 0xa7, 0xcd, 0x4b, 0xfc, 0x32, 0x2e, 0x9e, -+ 0xeb, 0xbb, 0xb1, 0xbf, 0x15, 0x5c, 0x73, 0x08 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_int_returnedbits[] = { -+ 0xef, 0x1e, 0xdc, 0x0a, 0xa4, 0x36, 0x91, 0x9c, 0x3d, 0x27, 0x97, 0x50, -+ 0x8d, 0x36, 0x29, 0x8d, 0xce, 0x6a, 0x0c, 0xf7, 0x21, 0xc0, 0x91, 0xae, -+ 0x0c, 0x96, 0x72, 0xbd, 0x52, 
0x81, 0x58, 0xfc, 0x6d, 0xe5, 0xf7, 0xa5, -+ 0xfd, 0x5d, 0xa7, 0x58, 0x68, 0xc8, 0x99, 0x58, 0x8e, 0xc8, 0xce, 0x95, -+ 0x01, 0x7d, 0xff, 0xa4, 0xc8, 0xf7, 0x63, 0xfe, 0x5f, 0x69, 0x83, 0x53, -+ 0xe2, 0xc6, 0x8b, 0xc3 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_additionalinput2[] = { -+ 0xe6, 0x9b, 0xc4, 0x88, 0x34, 0xca, 0xea, 0x29, 0x2f, 0x98, 0x05, 0xa4, -+ 0xd3, 0xc0, 0x7b, 0x11, 0xe8, 0xbb, 0x75, 0xf2, 0xbd, 0x29, 0xb7, 0x40, -+ 0x25, 0x7f, 0xc1, 0xb7, 0xb1, 0xf1, 0x25, 0x61 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_entropyinputpr2[] = { -+ 0x23, 0x6d, 0xff, 0xde, 0xfb, 0xd1, 0xba, 0x33, 0x18, 0xe6, 0xbe, 0xb5, -+ 0x48, 0x77, 0x6d, 0x7f, 0xa7, 0xe1, 0x4d, 0x48, 0x1e, 0x3c, 0xa7, 0x34, -+ 0x1a, 0xc8, 0x60, 0xdb, 0x8f, 0x99, 0x15, 0x99 -+}; -+ -+__fips_constseg static const unsigned char sha512_pr_returnedbits[] = { -+ 0x70, 0x27, 0x31, 0xdb, 0x92, 0x70, 0x21, 0xfe, 0x16, 0xb6, 0xc8, 0x51, -+ 0x34, 0x87, 0x65, 0xd0, 0x4e, 0xfd, 0xfe, 0x68, 0xec, 0xac, 0xdc, 0x93, -+ 0x41, 0x38, 0x92, 0x90, 0xb4, 0x94, 0xf9, 0x0d, 0xa4, 0xf7, 0x4e, 0x80, -+ 0x92, 0x67, 0x48, 0x40, 0xa7, 0x08, 0xc7, 0xbc, 0x66, 0x00, 0xfd, 0xf7, -+ 0x4c, 0x8b, 0x17, 0x6e, 0xd1, 0x8f, 0x9b, 0xf3, 0x6f, 0xf6, 0x34, 0xdd, -+ 0x67, 0xf7, 0x68, 0xdd -+}; -+ -+/* SHA-512 No PR */ -+__fips_constseg static const unsigned char sha512_entropyinput[] = { -+ 0xb6, 0x0b, 0xb7, 0xbc, 0x84, 0x56, 0xf6, 0x12, 0xaf, 0x45, 0x67, 0x17, -+ 0x7c, 0xd1, 0xb2, 0x78, 0x2b, 0xa0, 0xf2, 0xbe, 0xb6, 0x6d, 0x8b, 0x56, -+ 0xc6, 0xbc, 0x4d, 0xe1, 0xf7, 0xbe, 0xce, 0xbd -+}; -+ -+__fips_constseg static const unsigned char sha512_nonce[] = { -+ 0x9d, 0xed, 0xc0, 0xe5, 0x5a, 0x98, 0x6a, 0xcb, 0x51, 0x7d, 0x76, 0x31, -+ 0x5a, 0x64, 0xf0, 0xf7 -+}; -+ -+__fips_constseg static const unsigned char sha512_personalizationstring[] = { -+ 0xc2, 0x6d, 0xa3, 0xc3, 0x06, 0x74, 0xe5, 0x01, 0x5c, 0x10, 0x17, 0xc7, -+ 0xaf, 0x83, 0x9d, 0x59, 0x8d, 0x2d, 0x29, 0x38, 0xc5, 0x59, 0x70, 0x8b, -+ 0x46, 0x48, 
0x2d, 0xcf, 0x36, 0x7d, 0x59, 0xc0 -+}; -+ -+__fips_constseg static const unsigned char sha512_additionalinput[] = { -+ 0xec, 0x8c, 0xd4, 0xf7, 0x61, 0x6e, 0x0d, 0x95, 0x79, 0xb7, 0x28, 0xad, -+ 0x5f, 0x69, 0x74, 0x5f, 0x2d, 0x36, 0x06, 0x8a, 0x6b, 0xac, 0x54, 0x97, -+ 0xc4, 0xa1, 0x12, 0x85, 0x0a, 0xdf, 0x4b, 0x34 -+}; -+ -+__fips_constseg static const unsigned char sha512_int_returnedbits[] = { -+ 0x84, 0x2f, 0x1f, 0x68, 0x6a, 0xa3, 0xad, 0x1e, 0xfb, 0xf4, 0x15, 0xbd, -+ 0xde, 0x38, 0xd4, 0x30, 0x80, 0x51, 0xe9, 0xd3, 0xc7, 0x20, 0x88, 0xe9, -+ 0xf5, 0xcc, 0xdf, 0x57, 0x5c, 0x47, 0x2f, 0x57, 0x3c, 0x5f, 0x13, 0x56, -+ 0xcc, 0xc5, 0x4f, 0x84, 0xf8, 0x10, 0x41, 0xd5, 0x7e, 0x58, 0x6e, 0x19, -+ 0x19, 0x9e, 0xaf, 0xc2, 0x22, 0x58, 0x41, 0x50, 0x79, 0xc2, 0xd8, 0x04, -+ 0x28, 0xd4, 0x39, 0x9a -+}; -+ -+__fips_constseg static const unsigned char sha512_entropyinputreseed[] = { -+ 0xfa, 0x7f, 0x46, 0x51, 0x83, 0x62, 0x98, 0x16, 0x9a, 0x19, 0xa2, 0x49, -+ 0xa9, 0xe6, 0x4a, 0xd8, 0x85, 0xe7, 0xd4, 0x3b, 0x2c, 0x82, 0xc5, 0x82, -+ 0xbf, 0x11, 0xf9, 0x9e, 0xbc, 0xd0, 0x01, 0xee -+}; -+ -+__fips_constseg static const unsigned char sha512_additionalinputreseed[] = { -+ 0xb9, 0x12, 0xe0, 0x4f, 0xf7, 0xa7, 0xc4, 0xd8, 0xd0, 0x8e, 0x99, 0x29, -+ 0x7c, 0x9a, 0xe9, 0xcf, 0xc4, 0x6c, 0xf8, 0xc3, 0xa7, 0x41, 0x83, 0xd6, -+ 0x2e, 0xfa, 0xb8, 0x5e, 0x8e, 0x6b, 0x78, 0x20 -+}; -+ -+__fips_constseg static const unsigned char sha512_additionalinput2[] = { -+ 0xd7, 0x07, 0x52, 0xb9, 0x83, 0x2c, 0x03, 0x71, 0xee, 0xc9, 0xc0, 0x85, -+ 0xe1, 0x57, 0xb2, 0xcd, 0x3a, 0xf0, 0xc9, 0x34, 0x24, 0x41, 0x1c, 0x42, -+ 0x99, 0xb2, 0x84, 0xe9, 0x17, 0xd2, 0x76, 0x92 -+}; -+ -+__fips_constseg static const unsigned char sha512_returnedbits[] = { -+ 0x36, 0x17, 0x5d, 0x98, 0x2b, 0x65, 0x25, 0x8e, 0xc8, 0x29, 0xdf, 0x27, -+ 0x05, 0x36, 0x26, 0x12, 0x8a, 0x68, 0x74, 0x27, 0x37, 0xd4, 0x7f, 0x32, -+ 0xb1, 0x12, 0xd6, 0x85, 0x83, 0xeb, 0x2e, 0xa0, 0xed, 0x4b, 0xb5, 0x7b, -+ 0x6f, 0x39, 0x3c, 0x71, 0x77, 0x02, 
0x12, 0xcc, 0x2c, 0x3a, 0x8e, 0x63, -+ 0xdf, 0x4a, 0xbd, 0x6f, 0x6e, 0x2e, 0xed, 0x0a, 0x85, 0xa5, 0x2f, 0xa2, -+ 0x68, 0xde, 0x42, 0xb5 -+}; -+ -+/* HMAC SHA-1 PR */ -+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinput[] = { -+ 0x26, 0x5f, 0x36, 0x14, 0xff, 0x3d, 0x83, 0xfa, 0x73, 0x5e, 0x75, 0xdc, -+ 0x2c, 0x18, 0x17, 0x1b -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_nonce[] = { -+ 0xc8, 0xe3, 0x57, 0xa5, 0x7b, 0x74, 0x86, 0x6e -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha1_pr_personalizationstring[] = { -+ 0x6e, 0xdb, 0x0d, 0xfe, 0x7d, 0xac, 0x79, 0xd0, 0xa5, 0x3a, 0x48, 0x85, -+ 0x80, 0xe2, 0x7f, 0x2a -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput[] = { -+ 0x31, 0xcd, 0x5e, 0x43, 0xdc, 0xfb, 0x7a, 0x79, 0xca, 0x88, 0xde, 0x1f, -+ 0xd7, 0xbb, 0x42, 0x09 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr[] = { -+ 0x7c, 0x23, 0x95, 0x38, 0x00, 0x95, 0xc1, 0x78, 0x1f, 0x8f, 0xd7, 0x63, -+ 0x23, 0x87, 0x2a, 0xed -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_int_returnedbits[] = { -+ 0xbb, 0x34, 0xe7, 0x93, 0xa3, 0x02, 0x2c, 0x4a, 0xd0, 0x89, 0xda, 0x7f, -+ 0xed, 0xf4, 0x4c, 0xde, 0x17, 0xec, 0xe5, 0x6c -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_additionalinput2[] = { -+ 0x49, 0xbc, 0x2d, 0x2c, 0xb7, 0x32, 0xcb, 0x20, 0xdf, 0xf5, 0x77, 0x58, -+ 0xa0, 0x4b, 0x93, 0x6e -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_entropyinputpr2[] = { -+ 0x3c, 0xaa, 0xb0, 0x21, 0x42, 0xb0, 0xdd, 0x34, 0xf0, 0x16, 0x7f, 0x0c, -+ 0x0f, 0xff, 0x2e, 0xaf -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_pr_returnedbits[] = { -+ 0x8e, 0xcb, 0xa3, 0x64, 0xb2, 0xb8, 0x33, 0x6c, 0x64, 0x3b, 0x78, 0x16, -+ 0x99, 0x35, 0xc8, 0x30, 0xcb, 0x3e, 0xa0, 0xd8 -+}; -+ -+/* HMAC SHA-1 No PR */ -+__fips_constseg static const unsigned char hmac_sha1_entropyinput[] = { -+ 0x32, 0x9a, 0x2a, 0x87, 0x7b, 0x89, 
0x7c, 0xf6, 0xcb, 0x95, 0xd5, 0x40, -+ 0x17, 0xfe, 0x47, 0x70 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_nonce[] = { -+ 0x16, 0xd8, 0xe0, 0xc7, 0x52, 0xcf, 0x4a, 0x25 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_personalizationstring[] = { -+ 0x35, 0x35, 0xa9, 0xa5, 0x40, 0xbe, 0x9b, 0xd1, 0x56, 0xdd, 0x44, 0x00, -+ 0x72, 0xf7, 0xd3, 0x5e -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_additionalinput[] = { -+ 0x1b, 0x2c, 0x84, 0x2d, 0x4a, 0x89, 0x8f, 0x69, 0x19, 0xf1, 0xf3, 0xdb, -+ 0xbb, 0xe3, 0xaa, 0xea -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_int_returnedbits[] = { -+ 0xcf, 0xfa, 0x7d, 0x72, 0x0f, 0xe6, 0xc7, 0x96, 0xa0, 0x69, 0x31, 0x11, -+ 0x9b, 0x0b, 0x1a, 0x20, 0x1f, 0x3f, 0xaa, 0xd1 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_entropyinputreseed[] = { -+ 0x90, 0x75, 0x15, 0x04, 0x95, 0xf1, 0xba, 0x81, 0x0c, 0x37, 0x94, 0x6f, -+ 0x86, 0x52, 0x6d, 0x9c -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_additionalinputreseed[] = { -+ 0x5b, 0x40, 0xba, 0x5f, 0x17, 0x70, 0xf0, 0x4b, 0xdf, 0xc9, 0x97, 0x92, -+ 0x79, 0xc5, 0x82, 0x28 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_additionalinput2[] = { -+ 0x97, 0xc8, 0x80, 0x90, 0xb3, 0xaa, 0x6e, 0x60, 0xea, 0x83, 0x7a, 0xe3, -+ 0x8a, 0xca, 0xa4, 0x7f -+}; -+ -+__fips_constseg static const unsigned char hmac_sha1_returnedbits[] = { -+ 0x90, 0xbd, 0x05, 0x56, 0x6d, 0xb5, 0x22, 0xd5, 0xb9, 0x5a, 0x29, 0x2d, -+ 0xe9, 0x0b, 0xe1, 0xac, 0xde, 0x27, 0x0b, 0xb0 -+}; -+ -+/* HMAC SHA-224 PR */ -+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinput[] = { -+ 0x17, 0x32, 0x2b, 0x2e, 0x6f, 0x1b, 0x9c, 0x6d, 0x31, 0xe0, 0x34, 0x07, -+ 0xcf, 0xed, 0xf6, 0xb6, 0x5a, 0x76, 0x4c, 0xbc, 0x62, 0x85, 0x01, 0x90 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_nonce[] = { -+ 0x38, 0xbf, 0x5f, 0x20, 0xb3, 0x68, 0x2f, 0x43, 0x61, 0x05, 0x8f, 0x23 -+}; -+ -+__fips_constseg -+ 
static const unsigned char hmac_sha224_pr_personalizationstring[] = { -+ 0xc0, 0xc9, 0x45, 0xac, 0x8d, 0x27, 0x77, 0x08, 0x0b, 0x17, 0x6d, 0xed, -+ 0xc1, 0x7d, 0xd5, 0x07, 0x9d, 0x6e, 0xf8, 0x23, 0x2a, 0x22, 0x13, 0xbd -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput[] = { -+ 0xa4, 0x3c, 0xe7, 0x3b, 0xea, 0x19, 0x45, 0x32, 0xc2, 0x83, 0x6d, 0x21, -+ 0x8a, 0xc0, 0xee, 0x67, 0x45, 0xde, 0x13, 0x7d, 0x9d, 0x61, 0x00, 0x3b -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr[] = { -+ 0x15, 0x05, 0x74, 0x4a, 0x7f, 0x8d, 0x5c, 0x60, 0x16, 0xe5, 0x7b, 0xad, -+ 0xf5, 0x41, 0x8f, 0x55, 0x60, 0xc4, 0x09, 0xee, 0x1e, 0x11, 0x81, 0xab -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_int_returnedbits[] = { -+ 0x6f, 0xf5, 0x9a, 0xe2, 0x54, 0x53, 0x30, 0x3d, 0x5a, 0x27, 0x29, 0x38, -+ 0x27, 0xf2, 0x0d, 0x05, 0xe9, 0x26, 0xcb, 0x16, 0xc3, 0x51, 0x5f, 0x13, -+ 0x41, 0xfe, 0x99, 0xf2 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_additionalinput2[] = { -+ 0x73, 0x81, 0x88, 0x84, 0x8f, 0xed, 0x6f, 0x10, 0x9f, 0x93, 0xbf, 0x17, -+ 0x35, 0x7c, 0xef, 0xd5, 0x8d, 0x26, 0xa6, 0x7a, 0xe8, 0x09, 0x36, 0x4f -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_entropyinputpr2[] = { -+ 0xe6, 0xcf, 0xcf, 0x7e, 0x12, 0xe5, 0x43, 0xd2, 0x38, 0xd8, 0x24, 0x6f, -+ 0x5a, 0x37, 0x68, 0xbf, 0x4f, 0xa0, 0xff, 0xd5, 0x61, 0x8a, 0x93, 0xe0 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_pr_returnedbits[] = { -+ 0xaf, 0xf9, 0xd8, 0x19, 0x91, 0x30, 0x82, 0x6f, 0xa9, 0x1e, 0x9d, 0xd7, -+ 0xf3, 0x50, 0xe0, 0xc7, 0xd5, 0x64, 0x96, 0x7d, 0x4c, 0x4d, 0x78, 0x03, -+ 0x6d, 0xd8, 0x9e, 0x72 -+}; -+ -+/* HMAC SHA-224 No PR */ -+__fips_constseg static const unsigned char hmac_sha224_entropyinput[] = { -+ 0x11, 0x82, 0xfd, 0xd9, 0x42, 0xf4, 0xfa, 0xc8, 0xf2, 0x41, 0xe6, 0x54, -+ 0x01, 0xae, 0x22, 0x6e, 0xc6, 0xaf, 0xaf, 0xd0, 0xa6, 0xb2, 0xe2, 0x6d -+}; -+ -+__fips_constseg static 
const unsigned char hmac_sha224_nonce[] = { -+ 0xa9, 0x48, 0xd7, 0x92, 0x39, 0x7e, 0x2a, 0xdc, 0x30, 0x1f, 0x0e, 0x2b -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha224_personalizationstring[] = { -+ 0x11, 0xd5, 0xf4, 0xbd, 0x67, 0x8c, 0x31, 0xcf, 0xa3, 0x3f, 0x1e, 0x6b, -+ 0xa8, 0x07, 0x02, 0x0b, 0xc8, 0x2e, 0x6c, 0x64, 0x41, 0x5b, 0xc8, 0x37 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_additionalinput[] = { -+ 0x68, 0x18, 0xc2, 0x06, 0xeb, 0x3e, 0x04, 0x95, 0x44, 0x5e, 0xfb, 0xe6, -+ 0x41, 0xc1, 0x5c, 0xcc, 0x40, 0x2f, 0xb7, 0xd2, 0x0f, 0xf3, 0x6b, 0xe7 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_int_returnedbits[] = { -+ 0x7f, 0x45, 0xc7, 0x5d, 0x32, 0xe6, 0x17, 0x60, 0xba, 0xdc, 0xb8, 0x42, -+ 0x1b, 0x9c, 0xf1, 0xfa, 0x3b, 0x4d, 0x29, 0x54, 0xc6, 0x90, 0xff, 0x5c, -+ 0xcd, 0xd6, 0xa9, 0xcc -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_entropyinputreseed[] = { -+ 0xc4, 0x8e, 0x37, 0x95, 0x69, 0x53, 0x28, 0xd7, 0x37, 0xbb, 0x70, 0x95, -+ 0x1c, 0x07, 0x1d, 0xd9, 0xb7, 0xe6, 0x1b, 0xbb, 0xfe, 0x41, 0xeb, 0xc9 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha224_additionalinputreseed[] = { -+ 0x53, 0x17, 0xa1, 0x6a, 0xfa, 0x77, 0x47, 0xb0, 0x95, 0x56, 0x9a, 0x20, -+ 0x57, 0xde, 0x5c, 0x89, 0x9f, 0x7f, 0xe2, 0xde, 0x17, 0x3a, 0x50, 0x23 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_additionalinput2[] = { -+ 0x3a, 0x32, 0xf9, 0x85, 0x0c, 0xc1, 0xed, 0x76, 0x2d, 0xdf, 0x40, 0xc3, -+ 0x06, 0x22, 0x66, 0xd4, 0x9a, 0x9a, 0xff, 0x5a, 0x7e, 0x7a, 0xf3, 0x96 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha224_returnedbits[] = { -+ 0x43, 0xb4, 0x57, 0x5c, 0x38, 0x25, 0x9d, 0xae, 0xec, 0x96, 0xd1, 0x85, -+ 0x3a, 0x84, 0x8d, 0xfe, 0x68, 0xd5, 0x0e, 0x5c, 0x8f, 0x65, 0xa5, 0x4e, -+ 0x45, 0x84, 0xa8, 0x94 -+}; -+ -+/* HMAC SHA-256 PR */ -+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinput[] = { -+ 0x4d, 0xb0, 0x43, 0xd8, 0x34, 0x4b, 0x10, 
0x70, 0xb1, 0x8b, 0xed, 0xea, -+ 0x07, 0x92, 0x9f, 0x6c, 0x79, 0x31, 0xaf, 0x81, 0x29, 0xeb, 0x6e, 0xca, -+ 0x32, 0x48, 0x28, 0xe7, 0x02, 0x5d, 0xa6, 0xa6 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_nonce[] = { -+ 0x3a, 0xae, 0x15, 0xa9, 0x99, 0xdc, 0xe4, 0x67, 0x34, 0x3b, 0x70, 0x15, -+ 0xaa, 0xd3, 0x30, 0x9a -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha256_pr_personalizationstring[] = { -+ 0x13, 0x1d, 0x24, 0x04, 0xb0, 0x18, 0x81, 0x15, 0x21, 0x51, 0x2a, 0x24, -+ 0x52, 0x61, 0xbe, 0x64, 0x82, 0x6b, 0x55, 0x2f, 0xe2, 0xf1, 0x40, 0x7d, -+ 0x71, 0xd8, 0x01, 0x86, 0x15, 0xb7, 0x8b, 0xb5 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput[] = { -+ 0x8f, 0xa6, 0x54, 0x5f, 0xb1, 0xd0, 0xd8, 0xc3, 0xe7, 0x0c, 0x15, 0xa9, -+ 0x23, 0x6e, 0xfe, 0xfb, 0x93, 0xf7, 0x3a, 0xbd, 0x59, 0x01, 0xfa, 0x18, -+ 0x8e, 0xe9, 0x1a, 0xa9, 0x78, 0xfc, 0x79, 0x0b -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr[] = { -+ 0xcf, 0x24, 0xb9, 0xeb, 0xb3, 0xd4, 0xcd, 0x17, 0x37, 0x38, 0x75, 0x79, -+ 0x15, 0xcb, 0x2d, 0x75, 0x51, 0xf1, 0xcc, 0xaa, 0x32, 0xa4, 0xa7, 0x36, -+ 0x7c, 0x5c, 0xe4, 0x47, 0xf1, 0x3e, 0x1d, 0xe5 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_int_returnedbits[] = { -+ 0x52, 0x42, 0xfa, 0xeb, 0x85, 0xe0, 0x30, 0x22, 0x79, 0x00, 0x16, 0xb2, -+ 0x88, 0x2f, 0x14, 0x6a, 0xb7, 0xfc, 0xb7, 0x53, 0xdc, 0x4a, 0x12, 0xef, -+ 0x54, 0xd6, 0x33, 0xe9, 0x20, 0xd6, 0xfd, 0x56 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_additionalinput2[] = { -+ 0xf4, 0xf6, 0x49, 0xa1, 0x2d, 0x64, 0x2b, 0x30, 0x58, 0xf8, 0xbd, 0xb8, -+ 0x75, 0xeb, 0xbb, 0x5e, 0x1c, 0x9b, 0x81, 0x6a, 0xda, 0x14, 0x86, 0x6e, -+ 0xd0, 0xda, 0x18, 0xb7, 0x88, 0xfb, 0x59, 0xf3 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_entropyinputpr2[] = { -+ 0x21, 0xcd, 0x6e, 0x46, 0xad, 0x99, 0x07, 0x17, 0xb4, 0x3d, 0x76, 0x0a, -+ 0xff, 0x5b, 0x52, 0x50, 0x78, 0xdf, 
0x1f, 0x24, 0x06, 0x0d, 0x3f, 0x74, -+ 0xa9, 0xc9, 0x37, 0xcf, 0xd8, 0x26, 0x25, 0x91 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_pr_returnedbits[] = { -+ 0xa7, 0xaf, 0x2f, 0x29, 0xe0, 0x3a, 0x72, 0x95, 0x96, 0x1c, 0xa9, 0xf0, -+ 0x4a, 0x17, 0x4d, 0x66, 0x06, 0x10, 0xbf, 0x39, 0x89, 0x88, 0xb8, 0x91, -+ 0x37, 0x18, 0x99, 0xcf, 0x8c, 0x53, 0x3b, 0x7e -+}; -+ -+/* HMAC SHA-256 No PR */ -+__fips_constseg static const unsigned char hmac_sha256_entropyinput[] = { -+ 0x96, 0xb7, 0x53, 0x22, 0x1e, 0x52, 0x2a, 0x96, 0xb1, 0x15, 0x3c, 0x35, -+ 0x5a, 0x8b, 0xd3, 0x4a, 0xa6, 0x6c, 0x83, 0x0a, 0x7d, 0xa3, 0x23, 0x3d, -+ 0x43, 0xa1, 0x07, 0x2c, 0x2d, 0xe3, 0x81, 0xcc -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_nonce[] = { -+ 0xf1, 0xac, 0x97, 0xcb, 0x5e, 0x06, 0x48, 0xd2, 0x94, 0xbe, 0x15, 0x2e, -+ 0xc7, 0xfc, 0xc2, 0x01 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha256_personalizationstring[] = { -+ 0x98, 0xc5, 0x1e, 0x35, 0x5e, 0x89, 0x0d, 0xce, 0x64, 0x6d, 0x18, 0xa7, -+ 0x5a, 0xc6, 0xf3, 0xe7, 0xd6, 0x9e, 0xc0, 0xea, 0xb7, 0x3a, 0x8d, 0x65, -+ 0xb8, 0xeb, 0x10, 0xd7, 0x57, 0x18, 0xa0, 0x32 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_additionalinput[] = { -+ 0x1b, 0x10, 0xaf, 0xac, 0xd0, 0x65, 0x95, 0xad, 0x04, 0xad, 0x03, 0x1c, -+ 0xe0, 0x40, 0xd6, 0x3e, 0x1c, 0x46, 0x53, 0x39, 0x7c, 0xe2, 0xbc, 0xda, -+ 0x8c, 0xa2, 0x33, 0xa7, 0x9a, 0x26, 0xd3, 0x27 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_int_returnedbits[] = { -+ 0xba, 0x61, 0x0e, 0x55, 0xfe, 0x11, 0x8a, 0x9e, 0x0f, 0x80, 0xdf, 0x1d, -+ 0x03, 0x0a, 0xfe, 0x15, 0x94, 0x28, 0x4b, 0xba, 0xf4, 0x9f, 0x51, 0x25, -+ 0x88, 0xe5, 0x4e, 0xfb, 0xaf, 0xce, 0x69, 0x90 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_entropyinputreseed[] = { -+ 0x62, 0x7f, 0x1e, 0x6b, 0xe8, 0x8e, 0xe1, 0x35, 0x7d, 0x9b, 0x4f, 0xc7, -+ 0xec, 0xc8, 0xac, 0xef, 0x6b, 0x13, 0x9e, 0x05, 0x56, 0xc1, 0x08, 0xf9, -+ 0x2f, 0x0f, 0x27, 0x9c, 
0xd4, 0x15, 0xed, 0x2d -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha256_additionalinputreseed[] = { -+ 0xc7, 0x76, 0x6e, 0xa9, 0xd2, 0xb2, 0x76, 0x40, 0x82, 0x25, 0x2c, 0xb3, -+ 0x6f, 0xac, 0xe9, 0x74, 0xef, 0x8f, 0x3c, 0x8e, 0xcd, 0xf1, 0xbf, 0xb3, -+ 0x49, 0x77, 0x34, 0x88, 0x52, 0x36, 0xe6, 0x2e -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_additionalinput2[] = { -+ 0x8d, 0xb8, 0x0c, 0xd1, 0xbf, 0x70, 0xf6, 0x19, 0xc3, 0x41, 0x80, 0x9f, -+ 0xe1, 0xa5, 0xa4, 0x1f, 0x2c, 0x26, 0xb1, 0xe5, 0xd8, 0xeb, 0xbe, 0xf8, -+ 0xdf, 0x88, 0x6a, 0x89, 0xd6, 0x05, 0xd8, 0x9d -+}; -+ -+__fips_constseg static const unsigned char hmac_sha256_returnedbits[] = { -+ 0x43, 0x12, 0x2a, 0x2c, 0x40, 0x53, 0x2e, 0x7c, 0x66, 0x34, 0xac, 0xc3, -+ 0x43, 0xe3, 0xe0, 0x6a, 0xfc, 0xfa, 0xea, 0x87, 0x21, 0x1f, 0xe2, 0x26, -+ 0xc4, 0xf9, 0x09, 0x9a, 0x0d, 0x6e, 0x7f, 0xe0 -+}; -+ -+/* HMAC SHA-384 PR */ -+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinput[] = { -+ 0x69, 0x81, 0x98, 0x88, 0x44, 0xf5, 0xd6, 0x2e, 0x00, 0x08, 0x3b, 0xc5, -+ 0xfb, 0xd7, 0x8e, 0x6f, 0x23, 0xf8, 0x6d, 0x09, 0xd6, 0x85, 0x49, 0xd1, -+ 0xf8, 0x6d, 0xa4, 0x58, 0x54, 0xfd, 0x88, 0xa9 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_nonce[] = { -+ 0x6e, 0x38, 0x81, 0xca, 0xb7, 0xe8, 0x6e, 0x66, 0x49, 0x8a, 0xb2, 0x59, -+ 0xee, 0x16, 0xc9, 0xde -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha384_pr_personalizationstring[] = { -+ 0xfe, 0x4c, 0xd9, 0xf4, 0x78, 0x3b, 0x08, 0x41, 0x8d, 0x8f, 0x55, 0xc4, -+ 0x43, 0x56, 0xb6, 0x12, 0x36, 0x6b, 0x30, 0xb7, 0x5e, 0xe1, 0xb9, 0x47, -+ 0x04, 0xb1, 0x4e, 0xa9, 0x00, 0xa1, 0x52, 0xa1 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput[] = { -+ 0x89, 0xe9, 0xcc, 0x8f, 0x27, 0x3c, 0x26, 0xd1, 0x95, 0xc8, 0x7d, 0x0f, -+ 0x5b, 0x1a, 0xf0, 0x78, 0x39, 0x56, 0x6f, 0xa4, 0x23, 0xe7, 0xd1, 0xda, -+ 0x7c, 0x66, 0x33, 0xa0, 0x90, 0xc9, 0x92, 0x88 -+}; -+ -+__fips_constseg 
static const unsigned char hmac_sha384_pr_entropyinputpr[] = { -+ 0xbe, 0x3d, 0x7c, 0x0d, 0xca, 0xda, 0x7c, 0x49, 0xb8, 0x12, 0x36, 0xc0, -+ 0xdb, 0xad, 0x35, 0xa8, 0xc7, 0x0b, 0x2a, 0x2c, 0x69, 0x6d, 0x25, 0x56, -+ 0x63, 0x82, 0x11, 0x3e, 0xa7, 0x33, 0x70, 0x72 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_int_returnedbits[] = { -+ 0x82, 0x3d, 0xe6, 0x54, 0x80, 0x42, 0xf8, 0xba, 0x90, 0x4f, 0x06, 0xa6, -+ 0xd2, 0x7f, 0xbf, 0x79, 0x7c, 0x12, 0x7d, 0xa6, 0xa2, 0x66, 0xe8, 0xa6, -+ 0xc0, 0xd6, 0x4a, 0x55, 0xbf, 0xd8, 0x0a, 0xc5, 0xf8, 0x03, 0x88, 0xdd, -+ 0x8e, 0x87, 0xd1, 0x5a, 0x48, 0x26, 0x72, 0x2a, 0x8e, 0xcf, 0xee, 0xba -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_additionalinput2[] = { -+ 0x8f, 0xff, 0xd9, 0x84, 0xbb, 0x85, 0x3a, 0x66, 0xa1, 0x21, 0xce, 0xb2, -+ 0x3a, 0x3a, 0x17, 0x22, 0x19, 0xae, 0xc7, 0xb6, 0x63, 0x81, 0xd5, 0xff, -+ 0x0d, 0xc8, 0xe1, 0xaf, 0x57, 0xd2, 0xcb, 0x60 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_entropyinputpr2[] = { -+ 0xd7, 0xfb, 0xc9, 0xe8, 0xe2, 0xf2, 0xaa, 0x4c, 0xb8, 0x51, 0x2f, 0xe1, -+ 0x22, 0xba, 0xf3, 0xda, 0x0a, 0x19, 0x76, 0x71, 0x57, 0xb2, 0x1d, 0x94, -+ 0x09, 0x69, 0x6c, 0xd3, 0x97, 0x51, 0x81, 0x87 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_pr_returnedbits[] = { -+ 0xe6, 0x19, 0x28, 0xa8, 0x21, 0xce, 0x5e, 0xdb, 0x24, 0x79, 0x8c, 0x76, -+ 0x5d, 0x73, 0xb2, 0xdf, 0xac, 0xef, 0x85, 0xa7, 0x3b, 0x19, 0x09, 0x8b, -+ 0x7f, 0x98, 0x28, 0xa9, 0x93, 0xd8, 0x7a, 0xad, 0x55, 0x8b, 0x24, 0x9d, -+ 0xe6, 0x98, 0xfe, 0x47, 0xd5, 0x48, 0xc1, 0x23, 0xd8, 0x1d, 0x62, 0x75 -+}; -+ -+/* HMAC SHA-384 No PR */ -+__fips_constseg static const unsigned char hmac_sha384_entropyinput[] = { -+ 0xc3, 0x56, 0x2b, 0x1d, 0xc2, 0xbb, 0xa8, 0xf0, 0xae, 0x1b, 0x0d, 0xd3, -+ 0x5a, 0x6c, 0xda, 0x57, 0x8e, 0xa5, 0x8a, 0x0d, 0x6c, 0x4b, 0x18, 0xb1, -+ 0x04, 0x3e, 0xb4, 0x99, 0x35, 0xc4, 0xc0, 0x5f -+}; -+ -+__fips_constseg static const unsigned char 
hmac_sha384_nonce[] = { -+ 0xc5, 0x49, 0x1e, 0x66, 0x27, 0x92, 0xbe, 0xec, 0xb5, 0x1e, 0x4b, 0xb1, -+ 0x38, 0xe3, 0xeb, 0x62 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha384_personalizationstring[] = { -+ 0xbe, 0xe7, 0x6b, 0x57, 0xde, 0x88, 0x11, 0x96, 0x9b, 0x6e, 0xea, 0xe5, -+ 0x63, 0x83, 0x4c, 0xb6, 0x8d, 0x66, 0xaa, 0x1f, 0x8b, 0x54, 0xe7, 0x62, -+ 0x6d, 0x5a, 0xfc, 0xbf, 0x97, 0xba, 0xcd, 0x77 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_additionalinput[] = { -+ 0xe5, 0x28, 0x5f, 0x43, 0xf5, 0x83, 0x6e, 0x0a, 0x83, 0x5c, 0xe3, 0x81, -+ 0x03, 0xf2, 0xf8, 0x78, 0x00, 0x7c, 0x95, 0x87, 0x16, 0xd6, 0x6c, 0x58, -+ 0x33, 0x6c, 0x53, 0x35, 0x0d, 0x66, 0xe3, 0xce -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_int_returnedbits[] = { -+ 0xe2, 0x1f, 0xf3, 0xda, 0x0d, 0x19, 0x99, 0x87, 0xc4, 0x90, 0xa2, 0x31, -+ 0xca, 0x2a, 0x89, 0x58, 0x43, 0x44, 0xb8, 0xde, 0xcf, 0xa4, 0xbe, 0x3b, -+ 0x53, 0x26, 0x22, 0x31, 0x76, 0x41, 0x22, 0xb5, 0xa8, 0x70, 0x2f, 0x4b, -+ 0x64, 0x95, 0x4d, 0x48, 0x96, 0x35, 0xe6, 0xbd, 0x3c, 0x34, 0xdb, 0x1b -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_entropyinputreseed[] = { -+ 0x77, 0x61, 0xba, 0xbc, 0xf2, 0xc1, 0xf3, 0x4b, 0x86, 0x65, 0xfd, 0x48, -+ 0x0e, 0x3c, 0x02, 0x5e, 0xa2, 0x7a, 0x6b, 0x7c, 0xed, 0x21, 0x5e, 0xf9, -+ 0xcd, 0xcd, 0x77, 0x07, 0x2b, 0xbe, 0xc5, 0x5c -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha384_additionalinputreseed[] = { -+ 0x18, 0x24, 0x5f, 0xc6, 0x84, 0xd1, 0x67, 0xc3, 0x9a, 0x11, 0xa5, 0x8c, -+ 0x07, 0x39, 0x21, 0x83, 0x4d, 0x04, 0xc4, 0x6a, 0x28, 0x19, 0xcf, 0x92, -+ 0x21, 0xd9, 0x9e, 0x41, 0x72, 0x6c, 0x9e, 0x63 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha384_additionalinput2[] = { -+ 0x96, 0x67, 0x41, 0x28, 0x9b, 0xb7, 0x92, 0x8d, 0x64, 0x3b, 0xe4, 0xcf, -+ 0x7e, 0xaa, 0x1e, 0xb1, 0x4b, 0x1d, 0x09, 0x56, 0x67, 0x9c, 0xc6, 0x6d, -+ 0x3b, 0xe8, 0x91, 0x9d, 0xe1, 0x8a, 0xb7, 0x32 -+}; -+ -+__fips_constseg 
static const unsigned char hmac_sha384_returnedbits[] = { -+ 0xe3, 0x59, 0x61, 0x38, 0x92, 0xec, 0xe2, 0x3c, 0xff, 0xb7, 0xdb, 0x19, -+ 0x0f, 0x5b, 0x93, 0x68, 0x0d, 0xa4, 0x94, 0x40, 0x72, 0x0b, 0xe0, 0xed, -+ 0x4d, 0xcd, 0x68, 0xa0, 0x1e, 0xfe, 0x67, 0xb2, 0xfa, 0x21, 0x56, 0x74, -+ 0xa4, 0xad, 0xcf, 0xb7, 0x60, 0x66, 0x2e, 0x40, 0xde, 0x82, 0xca, 0xfb -+}; -+ -+/* HMAC SHA-512 PR */ -+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinput[] = { -+ 0xaa, 0x9e, 0x45, 0x67, 0x0e, 0x00, 0x2a, 0x67, 0x98, 0xd6, 0xda, 0x0b, -+ 0x0f, 0x17, 0x7e, 0xac, 0xfd, 0x27, 0xc4, 0xca, 0x84, 0xdf, 0xde, 0xba, -+ 0x85, 0xd9, 0xbe, 0x8f, 0xf3, 0xff, 0x91, 0x4d -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_nonce[] = { -+ 0x8c, 0x49, 0x2f, 0x58, 0x1e, 0x7a, 0xda, 0x4b, 0x7e, 0x8a, 0x30, 0x7b, -+ 0x86, 0xea, 0xaf, 0xa2 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha512_pr_personalizationstring[] = { -+ 0x71, 0xe1, 0xbb, 0xad, 0xa7, 0x4b, 0x2e, 0x31, 0x3b, 0x0b, 0xec, 0x24, -+ 0x99, 0x38, 0xbc, 0xaa, 0x05, 0x4c, 0x46, 0x44, 0xfa, 0xad, 0x8e, 0x02, -+ 0xc1, 0x7e, 0xad, 0xec, 0x54, 0xa6, 0xd0, 0xad -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput[] = { -+ 0x3d, 0x6e, 0xa6, 0xa8, 0x29, 0x2a, 0xb2, 0xf5, 0x98, 0x42, 0xe4, 0x92, -+ 0x78, 0x22, 0x67, 0xfd, 0x1b, 0x15, 0x1e, 0x29, 0xaa, 0x71, 0x3c, 0x3c, -+ 0xe7, 0x05, 0x20, 0xa9, 0x29, 0xc6, 0x75, 0x71 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr[] = { -+ 0xab, 0xb9, 0x16, 0xd8, 0x55, 0x35, 0x54, 0xb7, 0x97, 0x3f, 0x94, 0xbc, -+ 0x2f, 0x7c, 0x70, 0xc7, 0xd0, 0xed, 0xb7, 0x4b, 0xf7, 0xf6, 0x6c, 0x03, -+ 0x0c, 0xb0, 0x03, 0xd8, 0xbb, 0x71, 0xd9, 0x10 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_int_returnedbits[] = { -+ 0x8e, 0xd3, 0xfd, 0x52, 0x9e, 0x83, 0x08, 0x49, 0x18, 0x6e, 0x23, 0x56, -+ 0x5c, 0x45, 0x93, 0x34, 0x05, 0xe2, 0x98, 0x8f, 0x0c, 0xd4, 0x32, 0x0c, -+ 0xfd, 0xda, 0x5f, 0x92, 
0x3a, 0x8c, 0x81, 0xbd, 0xf6, 0x6c, 0x55, 0xfd, -+ 0xb8, 0x20, 0xce, 0x8d, 0x97, 0x27, 0xe8, 0xe8, 0xe0, 0xb3, 0x85, 0x50, -+ 0xa2, 0xc2, 0xb2, 0x95, 0x1d, 0x48, 0xd3, 0x7b, 0x4b, 0x78, 0x13, 0x35, -+ 0x05, 0x17, 0xbe, 0x0d -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_additionalinput2[] = { -+ 0xc3, 0xfc, 0x95, 0xaa, 0x69, 0x06, 0xae, 0x59, 0x41, 0xce, 0x26, 0x08, -+ 0x29, 0x6d, 0x45, 0xda, 0xe8, 0xb3, 0x6c, 0x95, 0x60, 0x0f, 0x70, 0x2c, -+ 0x10, 0xba, 0x38, 0x8c, 0xcf, 0x29, 0x99, 0xaa -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_entropyinputpr2[] = { -+ 0x3b, 0x9a, 0x25, 0xce, 0xd7, 0xf9, 0x5c, 0xd1, 0x3a, 0x3e, 0xaa, 0x71, -+ 0x14, 0x3e, 0x19, 0xe8, 0xce, 0xe6, 0xfe, 0x51, 0x84, 0xe9, 0x1b, 0xfe, -+ 0x3f, 0xa7, 0xf2, 0xfd, 0x76, 0x5f, 0x6a, 0xe7 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_pr_returnedbits[] = { -+ 0xb7, 0x82, 0xa9, 0x57, 0x81, 0x67, 0x53, 0xb5, 0xa1, 0xe9, 0x3d, 0x35, -+ 0xf9, 0xe4, 0x97, 0xbe, 0xa6, 0xca, 0xf1, 0x01, 0x13, 0x09, 0xe7, 0x21, -+ 0xc0, 0xed, 0x93, 0x5d, 0x4b, 0xf4, 0xeb, 0x8d, 0x53, 0x25, 0x8a, 0xc4, -+ 0xb1, 0x6f, 0x6e, 0x37, 0xcd, 0x2e, 0xac, 0x39, 0xb2, 0xb6, 0x99, 0xa3, -+ 0x82, 0x00, 0xb0, 0x21, 0xf0, 0xc7, 0x2f, 0x4c, 0x73, 0x92, 0xfd, 0x00, -+ 0xb6, 0xaf, 0xbc, 0xd3 -+}; -+ -+/* HMAC SHA-512 No PR */ -+__fips_constseg static const unsigned char hmac_sha512_entropyinput[] = { -+ 0x6e, 0x85, 0xe6, 0x25, 0x96, 0x29, 0xa7, 0x52, 0x5b, 0x60, 0xba, 0xaa, -+ 0xde, 0xdb, 0x36, 0x0a, 0x51, 0x9a, 0x15, 0xae, 0x6e, 0x18, 0xd3, 0xfe, -+ 0x39, 0xb9, 0x4a, 0x96, 0xf8, 0x77, 0xcb, 0x95 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_nonce[] = { -+ 0xe0, 0xa6, 0x5d, 0x08, 0xc3, 0x7c, 0xae, 0x25, 0x2e, 0x80, 0xd1, 0x3e, -+ 0xd9, 0xaf, 0x43, 0x3c -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha512_personalizationstring[] = { -+ 0x53, 0x99, 0x52, 0x5f, 0x11, 0xa9, 0x64, 0x66, 0x20, 0x5e, 0x1b, 0x5f, -+ 0x42, 0xb3, 0xf4, 0xda, 0xed, 0xbb, 0x63, 
0xc1, 0x23, 0xaf, 0xd0, 0x01, -+ 0x90, 0x3b, 0xd0, 0x78, 0xe4, 0x0b, 0xa7, 0x20 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_additionalinput[] = { -+ 0x85, 0x90, 0x80, 0xd3, 0x98, 0xf1, 0x53, 0x6d, 0x68, 0x15, 0x8f, 0xe5, -+ 0x60, 0x3f, 0x17, 0x29, 0x55, 0x8d, 0x33, 0xb1, 0x45, 0x64, 0x64, 0x8d, -+ 0x50, 0x21, 0x89, 0xae, 0xf6, 0xfd, 0x32, 0x73 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_int_returnedbits[] = { -+ 0x28, 0x56, 0x30, 0x6f, 0xf4, 0xa1, 0x48, 0xe0, 0xc9, 0xf5, 0x75, 0x90, -+ 0xcc, 0xfb, 0xdf, 0xdf, 0x71, 0x3d, 0x0a, 0x9a, 0x03, 0x65, 0x3b, 0x18, -+ 0x61, 0xe3, 0xd1, 0xda, 0xcc, 0x4a, 0xfe, 0x55, 0x38, 0xf8, 0x21, 0x6b, -+ 0xfa, 0x18, 0x01, 0x42, 0x39, 0x2f, 0x99, 0x53, 0x38, 0x15, 0x82, 0x34, -+ 0xc5, 0x93, 0x92, 0xbc, 0x4d, 0x75, 0x1a, 0x5f, 0x21, 0x27, 0xcc, 0xa1, -+ 0xb1, 0x57, 0x69, 0xe8 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_entropyinputreseed[] = { -+ 0x8c, 0x52, 0x7e, 0x77, 0x72, 0x3f, 0xa3, 0x04, 0x97, 0x10, 0x9b, 0x41, -+ 0xbd, 0xe8, 0xff, 0x89, 0xed, 0x80, 0xe3, 0xbd, 0xaa, 0x12, 0x2d, 0xca, -+ 0x75, 0x82, 0x36, 0x77, 0x88, 0xcd, 0xa6, 0x73 -+}; -+ -+__fips_constseg -+ static const unsigned char hmac_sha512_additionalinputreseed[] = { -+ 0x7e, 0x32, 0xe3, 0x69, 0x69, 0x07, 0x34, 0xa2, 0x16, 0xa2, 0x5d, 0x1a, -+ 0x10, 0x91, 0xd3, 0xe2, 0x21, 0xa2, 0xa3, 0xdd, 0xcd, 0x0c, 0x09, 0x86, -+ 0x11, 0xe1, 0x50, 0xff, 0x5c, 0xb7, 0xeb, 0x5c -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_additionalinput2[] = { -+ 0x7f, 0x78, 0x66, 0xd8, 0xfb, 0x67, 0xcf, 0x8d, 0x8c, 0x08, 0x30, 0xa5, -+ 0xf8, 0x7d, 0xcf, 0x44, 0x59, 0xce, 0xf8, 0xdf, 0x58, 0xd3, 0x60, 0xcb, -+ 0xa8, 0x60, 0xb9, 0x07, 0xc4, 0xb1, 0x95, 0x48 -+}; -+ -+__fips_constseg static const unsigned char hmac_sha512_returnedbits[] = { -+ 0xdf, 0xa7, 0x36, 0xd4, 0xdc, 0x5d, 0x4d, 0x31, 0xad, 0x69, 0x46, 0x9f, -+ 0xf1, 0x7c, 0xd7, 0x3b, 0x4f, 0x55, 0xf2, 0xd7, 0xb9, 0x9d, 0xad, 0x7a, -+ 0x79, 0x08, 0x59, 0xa5, 0xdc, 
0x74, 0xf5, 0x9b, 0x73, 0xd2, 0x13, 0x25,
-+ 0x0b, 0x81, 0x08, 0x08, 0x25, 0xfb, 0x39, 0xf2, 0xf0, 0xa3, 0xa4, 0x8d,
-+ 0xef, 0x05, 0x9e, 0xb8, 0xc7, 0x52, 0xe4, 0x0e, 0x42, 0xaa, 0x7c, 0x79,
-+ 0xc2, 0xd6, 0xfd, 0xa5
-+};
-diff -up openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c
---- openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c.fips 2021-03-03 12:57:42.200734534 +0100
-+++ openssl-1.1.1j/crypto/fips/fips_dsa_selftest.c 2021-03-03 12:57:42.200734534 +0100
-@@ -0,0 +1,195 @@
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. 
Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * -+ */ -+ -+#include -+#include -+#include -+#include -+#include "crypto/fips.h" -+#include -+#include -+#include -+#include "fips_locl.h" -+ -+#ifdef OPENSSL_FIPS -+ -+static const unsigned char dsa_test_2048_p[] = { -+ 0xa8, 0x53, 0x78, 0xd8, 0xfd, 0x3f, 0x8d, 0x72, 0xec, 0x74, 0x18, 0x08, -+ 0x0d, 0xa2, 0x13, 0x17, 0xe4, 0x3e, 0xc4, 0xb6, 0x2b, 0xa8, 0xc8, 0x62, -+ 0x3b, 0x7e, 0x4d, 0x04, 0x44, 0x1d, 0xd1, 0xa0, 0x65, 0x86, 0x62, 0x59, -+ 0x64, 0x93, 0xca, 0x8e, 0x9e, 0x8f, 0xbb, 0x7e, 0x34, 0xaa, 0xdd, 0xb6, -+ 0x2e, 0x5d, 0x67, 0xb6, 0xd0, 0x9a, 0x6e, 0x61, 0xb7, 0x69, 0xe7, 0xc3, -+ 0x52, 0xaa, 0x2b, 0x10, 0xe2, 0x0c, 0xa0, 0x63, 0x69, 0x63, 0xb5, 0x52, -+ 0x3e, 0x86, 0x47, 0x0d, 0xec, 0xbb, 0xed, 0xa0, 0x27, 0xe7, 0x97, 0xe7, -+ 0xb6, 0x76, 0x35, 0xd4, 0xd4, 0x9c, 0x30, 0x70, 0x0e, 0x74, 0xaf, 0x8a, -+ 0x0f, 0xf1, 0x56, 0xa8, 0x01, 0xaf, 0x57, 0xa2, 0x6e, 0x70, 0x78, 0xf1, -+ 0xd8, 0x2f, 0x74, 0x90, 0x8e, 0xcb, 0x6d, 0x07, 0xe7, 0x0b, 0x35, 0x03, -+ 0xee, 0xd9, 0x4f, 0xa3, 0x2c, 0xf1, 0x7a, 0x7f, 0xc3, 0xd6, 0xcf, 0x40, -+ 0xdc, 0x7b, 0x00, 0x83, 0x0e, 0x6a, 0x25, 0x66, 0xdc, 0x07, 0x3e, 0x34, -+ 0x33, 0x12, 0x51, 0x7c, 0x6a, 0xa5, 0x15, 0x2b, 0x4b, 0xfe, 0xcd, 0x2e, -+ 0x55, 0x1f, 0xee, 0x34, 0x63, 0x18, 0xa1, 0x53, 0x42, 0x3c, 0x99, 0x6b, -+ 0x0d, 0x5d, 0xcb, 0x91, 0x02, 0xae, 0xdd, 0x38, 0x79, 0x86, 0x16, 0xf1, -+ 0xf1, 0xe0, 0xd6, 0xc4, 0x03, 0x52, 0x5b, 0x1f, 0x9b, 0x3d, 0x4d, 0xc7, -+ 0x66, 0xde, 0x2d, 0xfc, 0x4a, 0x56, 0xd7, 0xb8, 0xba, 0x59, 0x63, 0xd6, -+ 0x0f, 0x3e, 0x16, 0x31, 0x88, 0x70, 0xad, 0x43, 0x69, 0x52, 0xe5, 0x57, -+ 0x65, 0x37, 0x4e, 0xab, 0x85, 0xe8, 0xec, 0x17, 0xd6, 0xb9, 0xa4, 0x54, -+ 0x7b, 0x9b, 0x5f, 0x27, 0x52, 0xf3, 0x10, 0x5b, 0xe8, 0x09, 0xb2, 0x3a, -+ 0x2c, 0x8d, 0x74, 0x69, 0xdb, 0x02, 0xe2, 0x4d, 0x59, 0x23, 0x94, 0xa7, -+ 0xdb, 0xa0, 0x69, 0xe9 -+}; -+ -+static const unsigned char dsa_test_2048_q[] = { -+ 0xd2, 0x77, 0x04, 0x4e, 0x50, 0xf5, 0xa4, 0xe3, 0xf5, 0x10, 0xa5, 0x0a, -+ 0x0b, 0x84, 0xfd, 0xff, 0xbc, 0xa0, 
0x47, 0xed, 0x27, 0x60, 0x20, 0x56, -+ 0x74, 0x41, 0xa0, 0xa5 -+}; -+ -+static const unsigned char dsa_test_2048_g[] = { -+ 0x13, 0xd7, 0x54, 0xe2, 0x1f, 0xd2, 0x41, 0x65, 0x5d, 0xa8, 0x91, 0xc5, -+ 0x22, 0xa6, 0x5a, 0x72, 0xa8, 0x9b, 0xdc, 0x64, 0xec, 0x9b, 0x54, 0xa8, -+ 0x21, 0xed, 0x4a, 0x89, 0x8b, 0x49, 0x0e, 0x0c, 0x4f, 0xcb, 0x72, 0x19, -+ 0x2a, 0x4a, 0x20, 0xf5, 0x41, 0xf3, 0xf2, 0x92, 0x53, 0x99, 0xf0, 0xba, -+ 0xec, 0xf9, 0x29, 0xaa, 0xfb, 0xf7, 0x9d, 0xfe, 0x43, 0x32, 0x39, 0x3b, -+ 0x32, 0xcd, 0x2e, 0x2f, 0xcf, 0x27, 0x2f, 0x32, 0xa6, 0x27, 0x43, 0x4a, -+ 0x0d, 0xf2, 0x42, 0xb7, 0x5b, 0x41, 0x4d, 0xf3, 0x72, 0x12, 0x1e, 0x53, -+ 0xa5, 0x53, 0xf2, 0x22, 0xf8, 0x36, 0xb0, 0x00, 0xf0, 0x16, 0x48, 0x5b, -+ 0x6b, 0xd0, 0x89, 0x84, 0x51, 0x80, 0x1d, 0xcd, 0x8d, 0xe6, 0x4c, 0xd5, -+ 0x36, 0x56, 0x96, 0xff, 0xc5, 0x32, 0xd5, 0x28, 0xc5, 0x06, 0x62, 0x0a, -+ 0x94, 0x2a, 0x03, 0x05, 0x04, 0x6d, 0x8f, 0x18, 0x76, 0x34, 0x1f, 0x1e, -+ 0x57, 0x0b, 0xc3, 0x97, 0x4b, 0xa6, 0xb9, 0xa4, 0x38, 0xe9, 0x70, 0x23, -+ 0x02, 0xa2, 0xe6, 0xe6, 0x7b, 0xfd, 0x06, 0xd3, 0x2b, 0xc6, 0x79, 0x96, -+ 0x22, 0x71, 0xd7, 0xb4, 0x0c, 0xd7, 0x2f, 0x38, 0x6e, 0x64, 0xe0, 0xd7, -+ 0xef, 0x86, 0xca, 0x8c, 0xa5, 0xd1, 0x42, 0x28, 0xdc, 0x2a, 0x4f, 0x16, -+ 0xe3, 0x18, 0x98, 0x86, 0xb5, 0x99, 0x06, 0x74, 0xf4, 0x20, 0x0f, 0x3a, -+ 0x4c, 0xf6, 0x5a, 0x3f, 0x0d, 0xdb, 0xa1, 0xfa, 0x67, 0x2d, 0xff, 0x2f, -+ 0x5e, 0x14, 0x3d, 0x10, 0xe4, 0xe9, 0x7a, 0xe8, 0x4f, 0x6d, 0xa0, 0x95, -+ 0x35, 0xd5, 0xb9, 0xdf, 0x25, 0x91, 0x81, 0xa7, 0x9b, 0x63, 0xb0, 0x69, -+ 0xe9, 0x49, 0x97, 0x2b, 0x02, 0xba, 0x36, 0xb3, 0x58, 0x6a, 0xab, 0x7e, -+ 0x45, 0xf3, 0x22, 0xf8, 0x2e, 0x4e, 0x85, 0xca, 0x3a, 0xb8, 0x55, 0x91, -+ 0xb3, 0xc2, 0xa9, 0x66 -+}; -+ -+static const unsigned char dsa_test_2048_pub_key[] = { -+ 0x24, 0x52, 0xf3, 0xcc, 0xbe, 0x9e, 0xd5, 0xca, 0x7d, 0xc7, 0x4c, 0x60, -+ 0x2b, 0x99, 0x22, 0x6e, 0x8f, 0x2f, 0xab, 0x38, 0xe7, 0xd7, 0xdd, 0xfb, -+ 0x75, 0x53, 0x9b, 0x17, 0x15, 0x5e, 0x9f, 0xcf, 0xd1, 0xab, 
0xa5, 0x64, -+ 0xeb, 0x85, 0x35, 0xd8, 0x12, 0xc9, 0xc2, 0xdc, 0xf9, 0x72, 0x84, 0x44, -+ 0x1b, 0xc4, 0x82, 0x24, 0x36, 0x24, 0xc7, 0xf4, 0x57, 0x58, 0x0c, 0x1c, -+ 0x38, 0xa5, 0x7c, 0x46, 0xc4, 0x57, 0x39, 0x24, 0x70, 0xed, 0xb5, 0x2c, -+ 0xb5, 0xa6, 0xe0, 0x3f, 0xe6, 0x28, 0x7b, 0xb6, 0xf4, 0x9a, 0x42, 0xa2, -+ 0x06, 0x5a, 0x05, 0x4f, 0x03, 0x08, 0x39, 0xdf, 0x1f, 0xd3, 0x14, 0x9c, -+ 0x4c, 0xa0, 0x53, 0x1d, 0xd8, 0xca, 0x8a, 0xaa, 0x9c, 0xc7, 0x33, 0x71, -+ 0x93, 0x38, 0x73, 0x48, 0x33, 0x61, 0x18, 0x22, 0x45, 0x45, 0xe8, 0x8c, -+ 0x80, 0xff, 0xd8, 0x76, 0x5d, 0x74, 0x36, 0x03, 0x33, 0xcc, 0xab, 0x99, -+ 0x72, 0x77, 0x9b, 0x65, 0x25, 0xa6, 0x5b, 0xdd, 0x0d, 0x10, 0xc6, 0x75, -+ 0xc1, 0x09, 0xbb, 0xd3, 0xe5, 0xbe, 0x4d, 0x72, 0xef, 0x6e, 0xba, 0x6e, -+ 0x43, 0x8d, 0x52, 0x26, 0x23, 0x7d, 0xb8, 0x88, 0x37, 0x9c, 0x5f, 0xcc, -+ 0x47, 0xa3, 0x84, 0x7f, 0xf6, 0x37, 0x11, 0xba, 0xed, 0x6d, 0x03, 0xaf, -+ 0xe8, 0x1e, 0x69, 0x4a, 0x41, 0x3b, 0x68, 0x0b, 0xd3, 0x8a, 0xb4, 0x90, -+ 0x3f, 0x83, 0x70, 0xa7, 0x07, 0xef, 0x55, 0x1d, 0x49, 0x41, 0x02, 0x6d, -+ 0x95, 0x79, 0xd6, 0x91, 0xde, 0x8e, 0xda, 0xa1, 0x61, 0x05, 0xeb, 0x9d, -+ 0xba, 0x3c, 0x2f, 0x4c, 0x1b, 0xec, 0x50, 0x82, 0x75, 0xaa, 0x02, 0x07, -+ 0xe2, 0x51, 0xb5, 0xec, 0xcb, 0x28, 0x6a, 0x4b, 0x01, 0xd4, 0x49, 0xd3, -+ 0x0a, 0xcb, 0x67, 0x37, 0x17, 0xa0, 0xd2, 0xfb, 0x3b, 0x50, 0xc8, 0x93, -+ 0xf7, 0xda, 0xb1, 0x4f -+}; -+ -+static const unsigned char dsa_test_2048_priv_key[] = { -+ 0x0c, 0x4b, 0x30, 0x89, 0xd1, 0xb8, 0x62, 0xcb, 0x3c, 0x43, 0x64, 0x91, -+ 0xf0, 0x91, 0x54, 0x70, 0xc5, 0x27, 0x96, 0xe3, 0xac, 0xbe, 0xe8, 0x00, -+ 0xec, 0x55, 0xf6, 0xcc -+}; -+ -+int FIPS_selftest_dsa() -+{ -+ DSA *dsa = NULL; -+ EVP_PKEY *pk = NULL; -+ int ret = 0; -+ BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; -+ -+ fips_load_key_component(p, dsa_test_2048); -+ fips_load_key_component(q, dsa_test_2048); -+ fips_load_key_component(g, dsa_test_2048); -+ fips_load_key_component(pub_key, dsa_test_2048); 
-+ fips_load_key_component(priv_key, dsa_test_2048);
-+
-+ dsa = DSA_new();
-+
-+ if (dsa == NULL)
-+ goto err;
-+
-+ DSA_set0_pqg(dsa, p, q, g);
-+
-+ DSA_set0_key(dsa, pub_key, priv_key);
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_DSA(pk, dsa);
-+
-+ if (!fips_pkey_signature_test(pk, NULL, 0,
-+ NULL, 0, EVP_sha256(), 0, "DSA SHA256"))
-+ goto err;
-+ ret = 1;
-+
-+ err:
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (dsa)
-+ DSA_free(dsa);
-+ else {
-+ BN_free(p);
-+ BN_free(q);
-+ BN_free(g);
-+ BN_free(pub_key);
-+ BN_free(priv_key);
-+ }
-+ return ret;
-+}
-+#endif
-diff -up openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c
---- openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c.fips 2021-03-03 12:57:42.200734534 +0100
-+++ openssl-1.1.1j/crypto/fips/fips_ecdh_selftest.c 2021-03-03 12:57:42.200734534 +0100
-@@ -0,0 +1,242 @@
-+/* fips/ecdh/fips_ecdh_selftest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2011.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. 
(http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * ==================================================================== -+ * -+ */ -+ -+#define OPENSSL_FIPSAPI -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef OPENSSL_FIPS -+ -+# include "fips_locl.h" -+ -+static const unsigned char p256_qcavsx[] = { -+ 0x52, 0xc6, 0xa5, 0x75, 0xf3, 0x04, 0x98, 0xb3, 0x29, 0x66, 0x0c, 0x62, -+ 0x18, 0x60, 0x55, 0x41, 0x59, 0xd4, 0x60, 0x85, 0x99, 0xc1, 0x51, 0x13, -+ 0x6f, 0x97, 0x85, 0x93, 0x33, 0x34, 0x07, 0x50 -+}; -+ -+static const unsigned char p256_qcavsy[] = { -+ 0x6f, 0x69, 0x24, 0xeb, 0xe9, 0x3b, 0xa7, 0xcc, 0x47, 0x17, 0xaa, 0x3f, -+ 0x70, 0xfc, 0x10, 0x73, 0x0a, 0xcd, 0x21, 0xee, 0x29, 0x19, 0x1f, 0xaf, -+ 0xb4, 0x1c, 0x1e, 0xc2, 0x8e, 0x97, 0x81, 0x6e -+}; -+ -+static const unsigned char p256_qiutx[] = { -+ 0x71, 0x46, 0x88, 0x08, 0x92, 0x21, 0x1b, 0x10, 0x21, 0x74, 0xff, 0x0c, -+ 0x94, 0xde, 0x34, 0x7c, 0x86, 0x74, 0xbe, 0x67, 0x41, 0x68, 0xd4, 0xc1, -+ 0xe5, 0x75, 0x63, 0x9c, 0xa7, 0x46, 0x93, 0x6f -+}; -+ -+static const unsigned char p256_qiuty[] = { -+ 0x33, 0x40, 0xa9, 0x6a, 0xf5, 0x20, 0xb5, 0x9e, 0xfc, 0x60, 0x1a, 0xae, -+ 0x3d, 0xf8, 0x21, 0xd2, 0xa7, 0xca, 0x52, 0x34, 0xb9, 0x5f, 0x27, 0x75, -+ 0x6c, 0x81, 0xbe, 0x32, 0x4d, 0xba, 0xbb, 0xf8 -+}; -+ -+static const unsigned char p256_qiutd[] = { -+ 0x1a, 0x48, 0x55, 0x6b, 0x11, 0xbe, 0x92, 0xd4, 0x1c, 0xd7, 0x45, 0xc3, -+ 0x82, 0x81, 0x51, 0xf1, 0x23, 0x40, 0xb7, 0x83, 0xfd, 0x01, 0x6d, 0xbc, -+ 0xa1, 0x66, 0xaf, 0x0a, 0x03, 0x23, 0xcd, 0xc8 -+}; -+ -+static const unsigned char p256_ziut[] = { -+ 0x77, 0x2a, 0x1e, 0x37, 0xee, 0xe6, 0x51, 0x02, 0x71, 0x40, 0xf8, 0x6a, -+ 0x36, 0xf8, 0x65, 0x61, 0x2b, 0x18, 0x71, 0x82, 0x23, 0xe6, 0xf2, 0x77, -+ 0xce, 0xec, 0xb8, 0x49, 0xc7, 0xbf, 0x36, 0x4f -+}; -+ -+typedef struct { -+ int curve; -+ const unsigned char *x1; -+ size_t x1len; -+ const unsigned char *y1; -+ size_t y1len; -+ const unsigned char *d1; -+ size_t d1len; -+ const unsigned char *x2; -+ size_t x2len; 
-+ const unsigned char *y2;
-+ size_t y2len;
-+ const unsigned char *z;
-+ size_t zlen;
-+} ECDH_SELFTEST_DATA;
-+
-+# define make_ecdh_test(nid, pr) { nid, \
-+ pr##_qiutx, sizeof(pr##_qiutx), \
-+ pr##_qiuty, sizeof(pr##_qiuty), \
-+ pr##_qiutd, sizeof(pr##_qiutd), \
-+ pr##_qcavsx, sizeof(pr##_qcavsx), \
-+ pr##_qcavsy, sizeof(pr##_qcavsy), \
-+ pr##_ziut, sizeof(pr##_ziut) }
-+
-+static ECDH_SELFTEST_DATA test_ecdh_data[] = {
-+ make_ecdh_test(NID_X9_62_prime256v1, p256),
-+};
-+
-+int FIPS_selftest_ecdh(void)
-+{
-+ EC_KEY *ec1 = NULL, *ec2 = NULL;
-+ const EC_POINT *ecp = NULL;
-+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
-+ unsigned char *ztmp = NULL;
-+ int rv = 1;
-+ size_t i;
-+
-+ for (i = 0; i < sizeof(test_ecdh_data) / sizeof(ECDH_SELFTEST_DATA); i++) {
-+ ECDH_SELFTEST_DATA *ecd = test_ecdh_data + i;
-+ if (!fips_post_started(FIPS_TEST_ECDH, ecd->curve, 0))
-+ continue;
-+ ztmp = OPENSSL_malloc(ecd->zlen);
-+
-+ x = BN_bin2bn(ecd->x1, ecd->x1len, x);
-+ y = BN_bin2bn(ecd->y1, ecd->y1len, y);
-+ d = BN_bin2bn(ecd->d1, ecd->d1len, d);
-+
-+ if (!x || !y || !d || !ztmp) {
-+ rv = 0;
-+ goto err;
-+ }
-+
-+ ec1 = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec1) {
-+ rv = 0;
-+ goto err;
-+ }
-+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) {
-+ rv = 0;
-+ goto err;
-+ }
-+
-+ if (!EC_KEY_set_private_key(ec1, d)) {
-+ rv = 0;
-+ goto err;
-+ }
-+
-+ x = BN_bin2bn(ecd->x2, ecd->x2len, x);
-+ y = BN_bin2bn(ecd->y2, ecd->y2len, y);
-+
-+ if (!x || !y) {
-+ rv = 0;
-+ goto err;
-+ }
-+
-+ ec2 = EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec2) {
-+ rv = 0;
-+ goto err;
-+ }
-+ EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH);
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) {
-+ rv = 0;
-+ goto err;
-+ }
-+
-+ ecp = EC_KEY_get0_public_key(ec2);
-+ if (!ecp) {
-+ rv = 0;
-+ goto err;
-+ }
-+
-+ if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) {
-+ rv = 0;
-+ goto err;
-+ }
-+
-+ if 
(!fips_post_corrupt(FIPS_TEST_ECDH, ecd->curve, NULL))
-+ ztmp[0] ^= 0x1;
-+
-+ if (memcmp(ztmp, ecd->z, ecd->zlen)) {
-+ fips_post_failed(FIPS_TEST_ECDH, ecd->curve, 0);
-+ rv = 0;
-+ } else if (!fips_post_success(FIPS_TEST_ECDH, ecd->curve, 0))
-+ goto err;
-+
-+ EC_KEY_free(ec1);
-+ ec1 = NULL;
-+ EC_KEY_free(ec2);
-+ ec2 = NULL;
-+ OPENSSL_free(ztmp);
-+ ztmp = NULL;
-+ }
-+
-+ err:
-+
-+ if (x)
-+ BN_clear_free(x);
-+ if (y)
-+ BN_clear_free(y);
-+ if (d)
-+ BN_clear_free(d);
-+ if (ec1)
-+ EC_KEY_free(ec1);
-+ if (ec2)
-+ EC_KEY_free(ec2);
-+ if (ztmp)
-+ OPENSSL_free(ztmp);
-+
-+ return rv;
-+
-+}
-+
-+#endif
-diff -up openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c
---- openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c.fips 2021-03-03 12:57:42.200734534 +0100
-+++ openssl-1.1.1j/crypto/fips/fips_ecdsa_selftest.c 2021-03-03 12:57:42.200734534 +0100
-@@ -0,0 +1,166 @@
-+/* fips/ecdsa/fips_ecdsa_selftest.c */
-+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL
-+ * project 2011.
-+ */
-+/* ====================================================================
-+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. 
(http://www.OpenSSL.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * licensing@OpenSSL.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * ====================================================================
-+ *
-+ */
-+
-+#define OPENSSL_FIPSAPI
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include "crypto/fips.h"
-+#include
-+#include
-+#include
-+
-+#ifdef OPENSSL_FIPS
-+
-+static const char P_256_name[] = "ECDSA P-256";
-+
-+static const unsigned char P_256_d[] = {
-+ 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f,
-+ 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87,
-+ 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64
-+};
-+
-+static const unsigned char P_256_qx[] = {
-+ 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e,
-+ 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31,
-+ 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07
-+};
-+
-+static const unsigned char P_256_qy[] = {
-+ 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b,
-+ 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e,
-+ 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb
-+};
-+
-+typedef struct {
-+ int curve;
-+ const char *name;
-+ const unsigned char *x;
-+ size_t xlen;
-+ const unsigned char *y;
-+ size_t ylen;
-+ const unsigned char *d;
-+ size_t dlen;
-+} EC_SELFTEST_DATA;
-+
-+# define make_ecdsa_test(nid, pr) { nid, pr##_name, \
-+ pr##_qx, sizeof(pr##_qx), \
-+ pr##_qy, sizeof(pr##_qy), \
-+ pr##_d, sizeof(pr##_d)}
-+
-+static EC_SELFTEST_DATA test_ec_data[] = {
-+ make_ecdsa_test(NID_X9_62_prime256v1, P_256),
-+};
-+
-+int FIPS_selftest_ecdsa()
-+{
-+ EC_KEY *ec = NULL;
-+ BIGNUM *x = NULL, *y = NULL, *d = NULL;
-+ EVP_PKEY *pk = NULL;
-+ int rv = 0;
-+ size_t i;
-+
-+ for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) {
-+ EC_SELFTEST_DATA *ecd = test_ec_data + i;
-+
-+ x = BN_bin2bn(ecd->x, ecd->xlen, x);
-+ y = BN_bin2bn(ecd->y, ecd->ylen, y);
-+ d = BN_bin2bn(ecd->d, ecd->dlen, d);
-+
-+ if (!x || !y || !d)
-+ goto err;
-+
-+ ec = 
EC_KEY_new_by_curve_name(ecd->curve);
-+ if (!ec)
-+ goto err;
-+
-+ if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y))
-+ goto err;
-+
-+ if (!EC_KEY_set_private_key(ec, d))
-+ goto err;
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_assign_EC_KEY(pk, ec);
-+
-+ if (!fips_pkey_signature_test(pk, NULL, 0,
-+ NULL, 0, EVP_sha256(), 0, ecd->name))
-+ goto err;
-+ }
-+
-+ rv = 1;
-+
-+ err:
-+
-+ if (x)
-+ BN_clear_free(x);
-+ if (y)
-+ BN_clear_free(y);
-+ if (d)
-+ BN_clear_free(d);
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ else if (ec)
-+ EC_KEY_free(ec);
-+
-+ return rv;
-+
-+}
-+
-+#endif
-diff -up openssl-1.1.1j/crypto/fips/fips_err.h.fips openssl-1.1.1j/crypto/fips/fips_err.h
---- openssl-1.1.1j/crypto/fips/fips_err.h.fips 2021-03-03 12:57:42.201734542 +0100
-+++ openssl-1.1.1j/crypto/fips/fips_err.h 2021-03-03 12:57:42.201734542 +0100
-@@ -0,0 +1,197 @@
-+/* crypto/fips_err.h */
-+/* ====================================================================
-+ * Copyright (c) 1999-2011 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)"
-+ *
-+ * 4. 
The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * ==================================================================== -+ * -+ * This product includes cryptographic software written by Eric Young -+ * (eay@cryptsoft.com). This product includes software written by Tim -+ * Hudson (tjh@cryptsoft.com). -+ * -+ */ -+ -+/* -+ * NOTE: this file was auto generated by the mkerr.pl script: any changes -+ * made to it will be overwritten when the script next updates this file, -+ * only reason strings will be preserved. 
-+ */ -+ -+#include -+#include -+#include -+ -+/* BEGIN ERROR CODES */ -+#ifndef OPENSSL_NO_ERR -+ -+# define ERR_FUNC(func) ERR_PACK(ERR_LIB_FIPS,func,0) -+# define ERR_REASON(reason) ERR_PACK(ERR_LIB_FIPS,0,reason) -+ -+static ERR_STRING_DATA FIPS_str_functs[] = { -+ {ERR_FUNC(FIPS_F_DH_BUILTIN_GENPARAMS), "dh_builtin_genparams"}, -+ {ERR_FUNC(FIPS_F_DRBG_RESEED), "drbg_reseed"}, -+ {ERR_FUNC(FIPS_F_DSA_BUILTIN_PARAMGEN2), "dsa_builtin_paramgen2"}, -+ {ERR_FUNC(FIPS_F_DSA_DO_SIGN), "DSA_do_sign"}, -+ {ERR_FUNC(FIPS_F_DSA_DO_VERIFY), "DSA_do_verify"}, -+ {ERR_FUNC(FIPS_F_ECDH_COMPUTE_KEY), "ECDH_compute_key"}, -+ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_NEW), "EVP_CIPHER_CTX_new"}, -+ {ERR_FUNC(FIPS_F_EVP_CIPHER_CTX_RESET), "EVP_CIPHER_CTX_reset"}, -+ {ERR_FUNC(FIPS_F_FIPS_CHECK_DSA), "fips_check_dsa"}, -+ {ERR_FUNC(FIPS_F_FIPS_CHECK_EC), "fips_check_ec"}, -+ {ERR_FUNC(FIPS_F_FIPS_CHECK_RSA), "fips_check_rsa"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_BYTES), "fips_drbg_bytes"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_CHECK), "fips_drbg_check"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_CPRNG_TEST), "fips_drbg_cprng_test"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_ERROR_CHECK), "fips_drbg_error_check"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_GENERATE), "FIPS_drbg_generate"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_INIT), "FIPS_drbg_init"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_INSTANTIATE), "FIPS_drbg_instantiate"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_NEW), "FIPS_drbg_new"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_RESEED), "FIPS_drbg_reseed"}, -+ {ERR_FUNC(FIPS_F_FIPS_DRBG_SINGLE_KAT), "FIPS_DRBG_SINGLE_KAT"}, -+ {ERR_FUNC(FIPS_F_FIPS_GET_ENTROPY), "fips_get_entropy"}, -+ {ERR_FUNC(FIPS_F_FIPS_MODULE_MODE_SET), "FIPS_module_mode_set"}, -+ {ERR_FUNC(FIPS_F_FIPS_PKEY_SIGNATURE_TEST), "fips_pkey_signature_test"}, -+ {ERR_FUNC(FIPS_F_FIPS_RAND_BYTES), "FIPS_rand_bytes"}, -+ {ERR_FUNC(FIPS_F_FIPS_RAND_SEED), "FIPS_rand_seed"}, -+ {ERR_FUNC(FIPS_F_FIPS_RAND_SET_METHOD), "FIPS_rand_set_method"}, -+ {ERR_FUNC(FIPS_F_FIPS_RAND_STATUS), "FIPS_rand_status"}, -+ 
{ERR_FUNC(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN), "fips_rsa_builtin_keygen"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST), "FIPS_selftest"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES), "FIPS_selftest_aes"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_CCM), "FIPS_selftest_aes_ccm"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_GCM), "FIPS_selftest_aes_gcm"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_AES_XTS), "FIPS_selftest_aes_xts"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_CMAC), "FIPS_selftest_cmac"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, -+ {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, -+ {ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"}, -+ {ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"}, -+ {ERR_FUNC(FIPS_F_RSA_OSSL_INIT), "rsa_ossl_init"}, -+ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT), "rsa_ossl_private_decrypt"}, -+ {ERR_FUNC(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT), "rsa_ossl_private_encrypt"}, -+ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT), "rsa_ossl_public_decrypt"}, -+ {ERR_FUNC(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT), "rsa_ossl_public_encrypt"}, -+ {0, NULL} -+}; -+ -+static ERR_STRING_DATA FIPS_str_reasons[] = { -+ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED), -+ "additional input error undetected"}, -+ {ERR_REASON(FIPS_R_ADDITIONAL_INPUT_TOO_LONG), -+ "additional input too long"}, -+ {ERR_REASON(FIPS_R_ALREADY_INSTANTIATED), "already instantiated"}, -+ {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"}, -+ {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"}, -+ {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"}, -+ {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED), -+ "entropy not requested 
for reseed"}, -+ {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"}, -+ {ERR_REASON(FIPS_R_ERROR_INITIALISING_DRBG), "error initialising drbg"}, -+ {ERR_REASON(FIPS_R_ERROR_INSTANTIATING_DRBG), "error instantiating drbg"}, -+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT), -+ "error retrieving additional input"}, -+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_ENTROPY), "error retrieving entropy"}, -+ {ERR_REASON(FIPS_R_ERROR_RETRIEVING_NONCE), "error retrieving nonce"}, -+ {ERR_REASON(FIPS_R_FINGERPRINT_DOES_NOT_MATCH), -+ "fingerprint does not match"}, -+ {ERR_REASON(FIPS_R_FIPS_MODE_ALREADY_SET), "fips mode already set"}, -+ {ERR_REASON(FIPS_R_FIPS_SELFTEST_FAILED), "fips selftest failed"}, -+ {ERR_REASON(FIPS_R_FUNCTION_ERROR), "function error"}, -+ {ERR_REASON(FIPS_R_GENERATE_ERROR), "generate error"}, -+ {ERR_REASON(FIPS_R_GENERATE_ERROR_UNDETECTED), -+ "generate error undetected"}, -+ {ERR_REASON(FIPS_R_INSTANTIATE_ERROR), "instantiate error"}, -+ {ERR_REASON(FIPS_R_INTERNAL_ERROR), "internal error"}, -+ {ERR_REASON(FIPS_R_INVALID_KEY_LENGTH), "invalid key length"}, -+ {ERR_REASON(FIPS_R_IN_ERROR_STATE), "in error state"}, -+ {ERR_REASON(FIPS_R_KEY_TOO_SHORT), "key too short"}, -+ {ERR_REASON(FIPS_R_NONCE_ERROR_UNDETECTED), "nonce error undetected"}, -+ {ERR_REASON(FIPS_R_NON_FIPS_METHOD), "non fips method"}, -+ {ERR_REASON(FIPS_R_NOPR_TEST1_FAILURE), "nopr test1 failure"}, -+ {ERR_REASON(FIPS_R_NOPR_TEST2_FAILURE), "nopr test2 failure"}, -+ {ERR_REASON(FIPS_R_NOT_INSTANTIATED), "not instantiated"}, -+ {ERR_REASON(FIPS_R_PAIRWISE_TEST_FAILED), "pairwise test failed"}, -+ {ERR_REASON(FIPS_R_PERSONALISATION_ERROR_UNDETECTED), -+ "personalisation error undetected"}, -+ {ERR_REASON(FIPS_R_PERSONALISATION_STRING_TOO_LONG), -+ "personalisation string too long"}, -+ {ERR_REASON(FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"}, -+ {ERR_REASON(FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"}, -+ {ERR_REASON(FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED), -+ "request 
length error undetected"}, -+ {ERR_REASON(FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG), -+ "request too large for drbg"}, -+ {ERR_REASON(FIPS_R_RESEED_COUNTER_ERROR), "reseed counter error"}, -+ {ERR_REASON(FIPS_R_RESEED_ERROR), "reseed error"}, -+ {ERR_REASON(FIPS_R_SELFTEST_FAILED), "selftest failed"}, -+ {ERR_REASON(FIPS_R_SELFTEST_FAILURE), "selftest failure"}, -+ {ERR_REASON(FIPS_R_TEST_FAILURE), "test failure"}, -+ {ERR_REASON(FIPS_R_UNINSTANTIATE_ERROR), "uninstantiate error"}, -+ {ERR_REASON(FIPS_R_UNINSTANTIATE_ZEROISE_ERROR), -+ "uninstantiate zeroise error"}, -+ {ERR_REASON(FIPS_R_UNSUPPORTED_DRBG_TYPE), "unsupported drbg type"}, -+ {ERR_REASON(FIPS_R_UNSUPPORTED_PLATFORM), "unsupported platform"}, -+ {0, NULL} -+}; -+ -+#endif -+ -+int ERR_load_FIPS_strings(void) -+{ -+#ifndef OPENSSL_NO_ERR -+ -+ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) { -+ ERR_load_strings(0, FIPS_str_functs); -+ ERR_load_strings(0, FIPS_str_reasons); -+ } -+#endif -+ return 1; -+} -diff -up openssl-1.1.1j/crypto/fips/fips_ers.c.fips openssl-1.1.1j/crypto/fips/fips_ers.c ---- openssl-1.1.1j/crypto/fips/fips_ers.c.fips 2021-03-03 12:57:42.201734542 +0100 -+++ openssl-1.1.1j/crypto/fips/fips_ers.c 2021-03-03 12:57:42.201734542 +0100 -@@ -0,0 +1,7 @@ -+#include -+ -+#ifdef OPENSSL_FIPS -+# include "fips_err.h" -+#else -+static void *dummy = &dummy; -+#endif -diff -up openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c ---- openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c.fips 2021-03-03 12:57:42.201734542 +0100 -+++ openssl-1.1.1j/crypto/fips/fips_hmac_selftest.c 2021-03-03 12:57:42.201734542 +0100 -@@ -0,0 +1,134 @@ -+/* ==================================================================== -+ * Copyright (c) 2005 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. 
Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#include -+#include -+#ifdef OPENSSL_FIPS -+# include -+#endif -+#include -+ -+#ifdef OPENSSL_FIPS -+typedef struct { -+ const EVP_MD *(*alg) (void); -+ const char *key, *iv; -+ unsigned char kaval[EVP_MAX_MD_SIZE]; -+} HMAC_KAT; -+ -+static const HMAC_KAT vector[] = { -+ {EVP_sha1, -+ /* from http://csrc.nist.gov/publications/fips/fips198/fips-198a.pdf */ -+ "0123456789:;<=>?@ABC", -+ "Sample #2", -+ {0x09, 0x22, 0xd3, 0x40, 0x5f, 0xaa, 0x3d, 0x19, -+ 0x4f, 0x82, 0xa4, 0x58, 0x30, 0x73, 0x7d, 0x5c, -+ 0xc6, 0xc7, 0x5d, 0x24} -+ }, -+ {EVP_sha224, -+ /* just keep extending the above... 
*/ -+ "0123456789:;<=>?@ABC", -+ "Sample #2", -+ {0xdd, 0xef, 0x0a, 0x40, 0xcb, 0x7d, 0x50, 0xfb, -+ 0x6e, 0xe6, 0xce, 0xa1, 0x20, 0xba, 0x26, 0xaa, -+ 0x08, 0xf3, 0x07, 0x75, 0x87, 0xb8, 0xad, 0x1b, -+ 0x8c, 0x8d, 0x12, 0xc7} -+ }, -+ {EVP_sha256, -+ "0123456789:;<=>?@ABC", -+ "Sample #2", -+ {0xb8, 0xf2, 0x0d, 0xb5, 0x41, 0xea, 0x43, 0x09, -+ 0xca, 0x4e, 0xa9, 0x38, 0x0c, 0xd0, 0xe8, 0x34, -+ 0xf7, 0x1f, 0xbe, 0x91, 0x74, 0xa2, 0x61, 0x38, -+ 0x0d, 0xc1, 0x7e, 0xae, 0x6a, 0x34, 0x51, 0xd9} -+ }, -+ {EVP_sha384, -+ "0123456789:;<=>?@ABC", -+ "Sample #2", -+ {0x08, 0xbc, 0xb0, 0xda, 0x49, 0x1e, 0x87, 0xad, -+ 0x9a, 0x1d, 0x6a, 0xce, 0x23, 0xc5, 0x0b, 0xf6, -+ 0xb7, 0x18, 0x06, 0xa5, 0x77, 0xcd, 0x49, 0x04, -+ 0x89, 0xf1, 0xe6, 0x23, 0x44, 0x51, 0x51, 0x9f, -+ 0x85, 0x56, 0x80, 0x79, 0x0c, 0xbd, 0x4d, 0x50, -+ 0xa4, 0x5f, 0x29, 0xe3, 0x93, 0xf0, 0xe8, 0x7f} -+ }, -+ {EVP_sha512, -+ "0123456789:;<=>?@ABC", -+ "Sample #2", -+ {0x80, 0x9d, 0x44, 0x05, 0x7c, 0x5b, 0x95, 0x41, -+ 0x05, 0xbd, 0x04, 0x13, 0x16, 0xdb, 0x0f, 0xac, -+ 0x44, 0xd5, 0xa4, 0xd5, 0xd0, 0x89, 0x2b, 0xd0, -+ 0x4e, 0x86, 0x64, 0x12, 0xc0, 0x90, 0x77, 0x68, -+ 0xf1, 0x87, 0xb7, 0x7c, 0x4f, 0xae, 0x2c, 0x2f, -+ 0x21, 0xa5, 0xb5, 0x65, 0x9a, 0x4f, 0x4b, 0xa7, -+ 0x47, 0x02, 0xa3, 0xde, 0x9b, 0x51, 0xf1, 0x45, -+ 0xbd, 0x4f, 0x25, 0x27, 0x42, 0x98, 0x99, 0x05} -+ }, -+}; -+ -+int FIPS_selftest_hmac() -+{ -+ int n; -+ unsigned int outlen; -+ unsigned char out[EVP_MAX_MD_SIZE]; -+ const EVP_MD *md; -+ const HMAC_KAT *t; -+ -+ for (n = 0, t = vector; n < sizeof(vector) / sizeof(vector[0]); n++, t++) { -+ md = (*t->alg) (); -+ HMAC(md, t->key, strlen(t->key), -+ (const unsigned char *)t->iv, strlen(t->iv), out, &outlen); -+ -+ if (memcmp(out, t->kaval, outlen)) { -+ FIPSerr(FIPS_F_FIPS_SELFTEST_HMAC, FIPS_R_SELFTEST_FAILED); -+ return 0; -+ } -+ } -+ return 1; -+} -+#endif -diff -up openssl-1.1.1j/crypto/fips/fips_locl.h.fips openssl-1.1.1j/crypto/fips/fips_locl.h ---- 
openssl-1.1.1j/crypto/fips/fips_locl.h.fips 2021-03-03 12:57:42.201734542 +0100 -+++ openssl-1.1.1j/crypto/fips/fips_locl.h 2021-03-03 12:57:42.201734542 +0100 -@@ -0,0 +1,71 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. 
Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#ifdef OPENSSL_FIPS -+ -+# ifdef __cplusplus -+extern "C" { -+# endif -+ -+# define FIPS_MAX_CIPHER_TEST_SIZE 32 -+# define fips_load_key_component(comp, pre) \ -+ comp = BN_bin2bn(pre##_##comp, sizeof(pre##_##comp), NULL); \ -+ if (!comp) \ -+ goto err -+ -+# define fips_post_started(id, subid, ex) 1 -+# define fips_post_success(id, subid, ex) 1 -+# define fips_post_failed(id, subid, ex) 1 -+# define fips_post_corrupt(id, subid, ex) 1 -+# define fips_post_status() 1 -+ -+# ifdef __cplusplus -+} -+# endif -+#endif -diff -up openssl-1.1.1j/crypto/fips/fips_post.c.fips openssl-1.1.1j/crypto/fips/fips_post.c ---- openssl-1.1.1j/crypto/fips/fips_post.c.fips 2021-03-03 12:57:42.201734542 +0100 -+++ openssl-1.1.1j/crypto/fips/fips_post.c 2021-03-03 12:57:42.201734542 +0100 -@@ -0,0 +1,224 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. 
-+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * openssl-core@openssl.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. -+ * -+ */ -+ -+#define OPENSSL_FIPSAPI -+ -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+#include -+ -+#ifdef OPENSSL_FIPS -+ -+/* Power on self test (POST) support functions */ -+ -+# include -+# include "crypto/fips.h" -+# include "fips_locl.h" -+ -+/* Run all selftests */ -+int FIPS_selftest(void) -+{ -+ int rv = 1; -+ if (!FIPS_selftest_drbg()) -+ rv = 0; -+ if (!FIPS_selftest_sha1()) -+ rv = 0; -+ if (!FIPS_selftest_sha2()) -+ rv = 0; -+ if (!FIPS_selftest_sha3()) -+ rv = 0; -+ if (!FIPS_selftest_hmac()) -+ rv = 0; -+ if (!FIPS_selftest_cmac()) -+ rv = 0; -+ if (!FIPS_selftest_aes()) -+ rv = 0; -+ if (!FIPS_selftest_aes_ccm()) -+ rv = 0; -+ if (!FIPS_selftest_aes_gcm()) -+ rv = 0; -+ if (!FIPS_selftest_aes_xts()) -+ rv = 0; -+ if (!FIPS_selftest_des()) -+ rv = 0; -+ if (!FIPS_selftest_rsa()) -+ rv = 0; -+ if (!FIPS_selftest_ecdsa()) -+ rv = 0; -+ if (!FIPS_selftest_dsa()) -+ rv = 0; -+ if (!FIPS_selftest_dh()) -+ rv = 0; -+ if (!FIPS_selftest_ecdh()) -+ rv = 0; -+ return rv; -+} -+ -+/* Generalized public key test routine. Signs and verifies the data -+ * supplied in tbs using mesage digest md and setting option digest -+ * flags md_flags. If the 'kat' parameter is not NULL it will -+ * additionally check the signature matches it: a known answer test -+ * The string "fail_str" is used for identification purposes in case -+ * of failure. 
If "pkey" is NULL just perform a message digest check. -+ */ -+ -+int fips_pkey_signature_test(EVP_PKEY *pkey, -+ const unsigned char *tbs, int tbslen, -+ const unsigned char *kat, unsigned int katlen, -+ const EVP_MD *digest, unsigned int flags, -+ const char *fail_str) -+{ -+ int ret = 0; -+ unsigned char sigtmp[256], *sig = sigtmp; -+ size_t siglen = sizeof(sigtmp); -+ EVP_MD_CTX *mctx; -+ EVP_PKEY_CTX *pctx; -+ -+ if (digest == NULL) -+ digest = EVP_sha256(); -+ -+ mctx = EVP_MD_CTX_new(); -+ -+ if ((EVP_PKEY_id(pkey) == EVP_PKEY_RSA) -+ && (RSA_size(EVP_PKEY_get0_RSA(pkey)) > sizeof(sigtmp))) { -+ sig = OPENSSL_malloc(RSA_size(EVP_PKEY_get0_RSA(pkey))); -+ siglen = RSA_size(EVP_PKEY_get0_RSA(pkey)); -+ } -+ if (!sig || ! mctx) { -+ EVP_MD_CTX_free(mctx); -+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ -+ if (tbslen == -1) -+ tbslen = strlen((char *)tbs); -+ -+ if (EVP_DigestSignInit(mctx, &pctx, digest, NULL, pkey) <= 0) -+ goto error; -+ -+ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) { -+ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING); -+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0); -+ } -+ -+ if (EVP_DigestSignUpdate(mctx, tbs, tbslen) <= 0) -+ goto error; -+ -+ if (EVP_DigestSignFinal(mctx, sig, &siglen) <= 0) -+ goto error; -+ -+ if (kat && ((siglen != katlen) || memcmp(kat, sig, katlen))) -+ goto error; -+ -+ if (EVP_DigestVerifyInit(mctx, &pctx, digest, NULL, pkey) <= 0) -+ goto error; -+ -+ if (flags == EVP_MD_CTX_FLAG_PAD_PSS) { -+ EVP_PKEY_CTX_set_rsa_padding(pctx, RSA_PKCS1_PSS_PADDING); -+ EVP_PKEY_CTX_set_rsa_pss_saltlen(pctx, 0); -+ } -+ -+ if (EVP_DigestVerifyUpdate(mctx, tbs, tbslen) <= 0) -+ goto error; -+ -+ ret = EVP_DigestVerifyFinal(mctx, sig, siglen); -+ -+ error: -+ if (sig != sigtmp) -+ OPENSSL_free(sig); -+ EVP_MD_CTX_free(mctx); -+ if (ret <= 0) { -+ FIPSerr(FIPS_F_FIPS_PKEY_SIGNATURE_TEST, FIPS_R_TEST_FAILURE); -+ if (fail_str) -+ ERR_add_error_data(2, "Type=", fail_str); -+ return 0; -+ } -+ 
return 1; -+} -+ -+/* Generalized symmetric cipher test routine. Encrypt data, verify result -+ * against known answer, decrypt and compare with original plaintext. -+ */ -+ -+int fips_cipher_test(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, -+ const unsigned char *key, -+ const unsigned char *iv, -+ const unsigned char *plaintext, -+ const unsigned char *ciphertext, int len) -+{ -+ unsigned char pltmp[FIPS_MAX_CIPHER_TEST_SIZE]; -+ unsigned char citmp[FIPS_MAX_CIPHER_TEST_SIZE]; -+ -+ OPENSSL_assert(len <= FIPS_MAX_CIPHER_TEST_SIZE); -+ memset(pltmp, 0, FIPS_MAX_CIPHER_TEST_SIZE); -+ memset(citmp, 0, FIPS_MAX_CIPHER_TEST_SIZE); -+ -+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 1) <= 0) -+ return 0; -+ if (EVP_Cipher(ctx, citmp, plaintext, len) <= 0) -+ return 0; -+ if (memcmp(citmp, ciphertext, len)) -+ return 0; -+ if (EVP_CipherInit_ex(ctx, cipher, NULL, key, iv, 0) <= 0) -+ return 0; -+ if (EVP_Cipher(ctx, pltmp, citmp, len) <= 0) -+ return 0; -+ if (memcmp(pltmp, plaintext, len)) -+ return 0; -+ return 1; -+} -+#endif -diff -up openssl-1.1.1j/crypto/fips/fips_rand_lcl.h.fips openssl-1.1.1j/crypto/fips/fips_rand_lcl.h ---- openssl-1.1.1j/crypto/fips/fips_rand_lcl.h.fips 2021-03-03 12:57:42.201734542 +0100 -+++ openssl-1.1.1j/crypto/fips/fips_rand_lcl.h 2021-03-03 12:57:42.201734542 +0100 -@@ -0,0 +1,203 @@ -+/* fips/rand/fips_rand_lcl.h */ -+/* Written by Dr Stephen N Henson (steve@openssl.org) for the OpenSSL -+ * project. -+ */ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. 
Redistributions in binary form must reproduce the above copyright -+ * notice, this list of conditions and the following disclaimer in -+ * the documentation and/or other materials provided with the -+ * distribution. -+ * -+ * 3. All advertising materials mentioning features or use of this -+ * software must display the following acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit. (http://www.OpenSSL.org/)" -+ * -+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to -+ * endorse or promote products derived from this software without -+ * prior written permission. For written permission, please contact -+ * licensing@OpenSSL.org. -+ * -+ * 5. Products derived from this software may not be called "OpenSSL" -+ * nor may "OpenSSL" appear in their names without prior written -+ * permission of the OpenSSL Project. -+ * -+ * 6. Redistributions of any form whatsoever must retain the following -+ * acknowledgment: -+ * "This product includes software developed by the OpenSSL Project -+ * for use in the OpenSSL Toolkit (http://www.OpenSSL.org/)" -+ * -+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY -+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE -+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR -+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR -+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, -+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT -+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; -+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) -+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, -+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) -+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED -+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ * ==================================================================== -+ */ -+ -+typedef struct drbg_hash_ctx_st DRBG_HASH_CTX; -+typedef struct drbg_hmac_ctx_st DRBG_HMAC_CTX; -+typedef struct drbg_ctr_ctx_st DRBG_CTR_CTX; -+ -+/* 888 bits from 10.1 table 2 */ -+#define HASH_PRNG_MAX_SEEDLEN 111 -+ -+struct drbg_hash_ctx_st { -+ const EVP_MD *md; -+ EVP_MD_CTX *mctx; -+ unsigned char V[HASH_PRNG_MAX_SEEDLEN]; -+ unsigned char C[HASH_PRNG_MAX_SEEDLEN]; -+ /* Temporary value storage: should always exceed max digest length */ -+ unsigned char vtmp[HASH_PRNG_MAX_SEEDLEN]; -+}; -+ -+struct drbg_hmac_ctx_st { -+ const EVP_MD *md; -+ HMAC_CTX *hctx; -+ unsigned char K[EVP_MAX_MD_SIZE]; -+ unsigned char V[EVP_MAX_MD_SIZE]; -+}; -+ -+struct drbg_ctr_ctx_st { -+ AES_KEY ks; -+ size_t keylen; -+ unsigned char K[32]; -+ unsigned char V[16]; -+ /* Temp variables used by derivation function */ -+ AES_KEY df_ks; -+ AES_KEY df_kxks; -+ /* Temporary block storage used by ctr_df */ -+ unsigned char bltmp[16]; -+ size_t bltmp_pos; -+ unsigned char KX[48]; -+}; -+ -+/* DRBG internal flags */ -+ -+/* Functions shouldn't call err library */ -+#define DRBG_FLAG_NOERR 0x1 -+/* Custom reseed checking */ -+#define DRBG_CUSTOM_RESEED 0x2 -+ -+/* DRBG status values */ -+/* not initialised */ -+#define DRBG_STATUS_UNINITIALISED 0 -+/* ok and ready to generate random bits */ -+#define DRBG_STATUS_READY 1 -+/* reseed required */ -+#define DRBG_STATUS_RESEED 2 -+/* fatal error condition */ -+#define DRBG_STATUS_ERROR 3 -+ -+/* A default maximum length: larger than any reasonable value used in pratice */ -+ -+#define DRBG_MAX_LENGTH 0x7ffffff0 -+/* Maximum DRBG block length: all md sizes are bigger than cipher blocks sizes -+ * so use max digest length. 
-+ */ -+#define DRBG_MAX_BLOCK EVP_MAX_MD_SIZE -+ -+#define DRBG_HEALTH_INTERVAL (1 << 24) -+ -+/* DRBG context structure */ -+ -+struct drbg_ctx_st { -+ /* First types common to all implementations */ -+ /* DRBG type: a NID for the underlying algorithm */ -+ int type; -+ /* Various external flags */ -+ unsigned int xflags; -+ /* Various internal use only flags */ -+ unsigned int iflags; -+ /* Used for periodic health checks */ -+ int health_check_cnt, health_check_interval; -+ -+ /* The following parameters are setup by mechanism drbg_init() call */ -+ int strength; -+ size_t blocklength; -+ size_t max_request; -+ -+ size_t min_entropy, max_entropy; -+ size_t min_nonce, max_nonce; -+ size_t max_pers, max_adin; -+ unsigned int reseed_counter; -+ unsigned int reseed_interval; -+ size_t seedlen; -+ int status; -+ /* Application data: typically used by test get_entropy */ -+ void *app_data; -+ /* Implementation specific structures */ -+ union { -+ DRBG_HASH_CTX hash; -+ DRBG_HMAC_CTX hmac; -+ DRBG_CTR_CTX ctr; -+ } d; -+ /* Initialiase PRNG and setup callbacks below */ -+ int (*init) (DRBG_CTX *ctx, int nid, int security, unsigned int flags); -+ /* Intantiate PRNG */ -+ int (*instantiate) (DRBG_CTX *ctx, -+ const unsigned char *ent, size_t entlen, -+ const unsigned char *nonce, size_t noncelen, -+ const unsigned char *pers, size_t perslen); -+ /* reseed */ -+ int (*reseed) (DRBG_CTX *ctx, -+ const unsigned char *ent, size_t entlen, -+ const unsigned char *adin, size_t adinlen); -+ /* generat output */ -+ int (*generate) (DRBG_CTX *ctx, -+ unsigned char *out, size_t outlen, -+ const unsigned char *adin, size_t adinlen); -+ /* uninstantiate */ -+ int (*uninstantiate) (DRBG_CTX *ctx); -+ -+ /* Entropy source block length */ -+ size_t entropy_blocklen; -+ -+ /* entropy gathering function */ -+ size_t (*get_entropy) (DRBG_CTX *ctx, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len); -+ /* Indicates we have finished with entropy buffer */ -+ void 
(*cleanup_entropy) (DRBG_CTX *ctx, unsigned char *out, size_t olen); -+ -+ /* nonce gathering function */ -+ size_t (*get_nonce) (DRBG_CTX *ctx, unsigned char **pout, -+ int entropy, size_t min_len, size_t max_len); -+ /* Indicates we have finished with nonce buffer */ -+ void (*cleanup_nonce) (DRBG_CTX *ctx, unsigned char *out, size_t olen); -+ -+ /* Callbacks used when called through RAND interface */ -+ /* Get any additional input for generate */ -+ size_t (*get_adin) (DRBG_CTX *ctx, unsigned char **pout); -+ void (*cleanup_adin) (DRBG_CTX *ctx, unsigned char *out, size_t olen); -+ /* Callback for RAND_seed(), RAND_add() */ -+ int (*rand_seed_cb) (DRBG_CTX *ctx, const void *buf, int num); -+ int (*rand_add_cb) (DRBG_CTX *ctx, -+ const void *buf, int num, double entropy); -+}; -+ -+int fips_drbg_ctr_init(DRBG_CTX *dctx); -+int fips_drbg_hash_init(DRBG_CTX *dctx); -+int fips_drbg_hmac_init(DRBG_CTX *dctx); -+int fips_drbg_kat(DRBG_CTX *dctx, int nid, unsigned int flags); -+int fips_drbg_cprng_test(DRBG_CTX *dctx, const unsigned char *out); -+ -+#define FIPS_digestinit EVP_DigestInit -+#define FIPS_digestupdate EVP_DigestUpdate -+#define FIPS_digestfinal EVP_DigestFinal -+#define M_EVP_MD_size EVP_MD_size -diff -up openssl-1.1.1j/crypto/fips/fips_rand_lib.c.fips openssl-1.1.1j/crypto/fips/fips_rand_lib.c ---- openssl-1.1.1j/crypto/fips/fips_rand_lib.c.fips 2021-03-03 12:57:42.201734542 +0100 -+++ openssl-1.1.1j/crypto/fips/fips_rand_lib.c 2021-03-03 12:57:42.201734542 +0100 -@@ -0,0 +1,234 @@ -+/* ==================================================================== -+ * Copyright (c) 2011 The OpenSSL Project. All rights reserved. -+ * -+ * Redistribution and use in source and binary forms, with or without -+ * modification, are permitted provided that the following conditions -+ * are met: -+ * -+ * 1. Redistributions of source code must retain the above copyright -+ * notice, this list of conditions and the following disclaimer. -+ * -+ * 2. 
Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+/* If we don't define _XOPEN_SOURCE_EXTENDED, struct timeval won't
-+ be defined and gettimeofday() won't be declared with strict compilers
-+ like DEC C in ANSI C mode. */
-+#ifndef _XOPEN_SOURCE_EXTENDED
-+# define _XOPEN_SOURCE_EXTENDED 1
-+#endif
-+
-+#include
-+#include
-+#include
-+#include
-+#include "crypto/fips.h"
-+#include
-+#include "e_os.h"
-+
-+#if !(defined(OPENSSL_SYS_WIN32) || defined(OPENSSL_SYS_VXWORKS))
-+# include
-+#endif
-+#if defined(OPENSSL_SYS_VXWORKS)
-+# include
-+#endif
-+#ifndef OPENSSL_SYS_WIN32
-+# ifdef OPENSSL_UNISTD
-+# include OPENSSL_UNISTD
-+# else
-+# include
-+# endif
-+#endif
-+
-+/* FIPS API for PRNG use. Similar to RAND functionality but without
-+ * ENGINE and additional checking for non-FIPS rand methods.
-+ */
-+
-+static const RAND_METHOD *fips_rand_meth = NULL;
-+static int fips_approved_rand_meth = 0;
-+static int fips_rand_bits = 0;
-+
-+/* Allows application to override number of bits and uses non-FIPS methods */
-+void FIPS_rand_set_bits(int nbits)
-+{
-+ fips_rand_bits = nbits;
-+}
-+
-+int FIPS_rand_set_method(const RAND_METHOD *meth)
-+{
-+ if (!fips_rand_bits) {
-+ if (meth == FIPS_drbg_method())
-+ fips_approved_rand_meth = 1;
-+ else {
-+ fips_approved_rand_meth = 0;
-+ if (FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_SET_METHOD, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ }
-+ }
-+ fips_rand_meth = meth;
-+ return 1;
-+}
-+
-+const RAND_METHOD *FIPS_rand_get_method(void)
-+{
-+ return fips_rand_meth;
-+}
-+
-+void FIPS_rand_reset(void)
-+{
-+ if (fips_rand_meth && fips_rand_meth->cleanup)
-+ fips_rand_meth->cleanup();
-+}
-+
-+int FIPS_rand_seed(const void *buf, int num)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->seed)
-+ fips_rand_meth->seed(buf, num);
-+ return 1;
-+}
-+
-+int FIPS_rand_bytes(unsigned char *buf, int num)
-+{
-+ if
(!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->bytes)
-+ return fips_rand_meth->bytes(buf, num);
-+ return 0;
-+}
-+
-+int FIPS_rand_status(void)
-+{
-+ if (!fips_approved_rand_meth && FIPS_module_mode()) {
-+ FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD);
-+ return 0;
-+ }
-+ if (fips_rand_meth && fips_rand_meth->status)
-+ return fips_rand_meth->status();
-+ return 0;
-+}
-+
-+/* Return instantiated strength of PRNG. For DRBG this is an internal
-+ * parameter. Any other type of PRNG is not approved and returns 0 in
-+ * FIPS mode and maximum 256 outside FIPS mode.
-+ */
-+
-+int FIPS_rand_strength(void)
-+{
-+ if (fips_rand_bits)
-+ return fips_rand_bits;
-+ if (fips_approved_rand_meth == 1)
-+ return FIPS_drbg_get_strength(FIPS_get_default_drbg());
-+ else if (fips_approved_rand_meth == 0) {
-+ if (FIPS_module_mode())
-+ return 0;
-+ else
-+ return 256;
-+ }
-+ return 0;
-+}
-+
-+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr)
-+{
-+# ifdef OPENSSL_SYS_WIN32
-+ FILETIME ft;
-+# elif defined(OPENSSL_SYS_VXWORKS)
-+ struct timespec ts;
-+# else
-+ struct timeval tv;
-+# endif
-+
-+# ifndef GETPID_IS_MEANINGLESS
-+ unsigned long pid;
-+# endif
-+
-+# ifdef OPENSSL_SYS_WIN32
-+ GetSystemTimeAsFileTime(&ft);
-+ buf[0] = (unsigned char)(ft.dwHighDateTime & 0xff);
-+ buf[1] = (unsigned char)((ft.dwHighDateTime >> 8) & 0xff);
-+ buf[2] = (unsigned char)((ft.dwHighDateTime >> 16) & 0xff);
-+ buf[3] = (unsigned char)((ft.dwHighDateTime >> 24) & 0xff);
-+ buf[4] = (unsigned char)(ft.dwLowDateTime & 0xff);
-+ buf[5] = (unsigned char)((ft.dwLowDateTime >> 8) & 0xff);
-+ buf[6] = (unsigned char)((ft.dwLowDateTime >> 16) & 0xff);
-+ buf[7] = (unsigned char)((ft.dwLowDateTime >> 24) & 0xff);
-+# elif defined(OPENSSL_SYS_VXWORKS)
-+ clock_gettime(CLOCK_REALTIME, &ts);
-+ buf[0] = (unsigned char)(ts.tv_sec & 0xff);
-+ buf[1] =
(unsigned char)((ts.tv_sec >> 8) & 0xff);
-+ buf[2] = (unsigned char)((ts.tv_sec >> 16) & 0xff);
-+ buf[3] = (unsigned char)((ts.tv_sec >> 24) & 0xff);
-+ buf[4] = (unsigned char)(ts.tv_nsec & 0xff);
-+ buf[5] = (unsigned char)((ts.tv_nsec >> 8) & 0xff);
-+ buf[6] = (unsigned char)((ts.tv_nsec >> 16) & 0xff);
-+ buf[7] = (unsigned char)((ts.tv_nsec >> 24) & 0xff);
-+# else
-+ gettimeofday(&tv, NULL);
-+ buf[0] = (unsigned char)(tv.tv_sec & 0xff);
-+ buf[1] = (unsigned char)((tv.tv_sec >> 8) & 0xff);
-+ buf[2] = (unsigned char)((tv.tv_sec >> 16) & 0xff);
-+ buf[3] = (unsigned char)((tv.tv_sec >> 24) & 0xff);
-+ buf[4] = (unsigned char)(tv.tv_usec & 0xff);
-+ buf[5] = (unsigned char)((tv.tv_usec >> 8) & 0xff);
-+ buf[6] = (unsigned char)((tv.tv_usec >> 16) & 0xff);
-+ buf[7] = (unsigned char)((tv.tv_usec >> 24) & 0xff);
-+# endif
-+ buf[8] = (unsigned char)(*pctr & 0xff);
-+ buf[9] = (unsigned char)((*pctr >> 8) & 0xff);
-+ buf[10] = (unsigned char)((*pctr >> 16) & 0xff);
-+ buf[11] = (unsigned char)((*pctr >> 24) & 0xff);
-+
-+ (*pctr)++;
-+
-+# ifndef GETPID_IS_MEANINGLESS
-+ pid = (unsigned long)getpid();
-+ buf[12] = (unsigned char)(pid & 0xff);
-+ buf[13] = (unsigned char)((pid >> 8) & 0xff);
-+ buf[14] = (unsigned char)((pid >> 16) & 0xff);
-+ buf[15] = (unsigned char)((pid >> 24) & 0xff);
-+# endif
-+}
-+
-diff -up openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c
---- openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c.fips 2021-03-03 12:57:42.201734542 +0100
-+++ openssl-1.1.1j/crypto/fips/fips_rsa_selftest.c 2021-03-03 12:57:42.201734542 +0100
-@@ -0,0 +1,338 @@
-+/* ====================================================================
-+ * Copyright (c) 2003-2007 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1.
Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include
-+#include
-+#ifdef OPENSSL_FIPS
-+# include
-+# include "crypto/fips.h"
-+#endif
-+#include
-+#include
-+#include
-+#include
-+#include "fips_locl.h"
-+
-+#ifdef OPENSSL_FIPS
-+
-+static int setrsakey(RSA *key)
-+{
-+ static const unsigned char keydata_n[] = {
-+ 0x00, 0xc9, 0xd5, 0x6d, 0x9d, 0x90, 0xdb, 0x43, 0xd6, 0x02, 0xed, 0x96, 0x88, 0x13, 0x8a,
-+ 0xb2, 0xbf, 0x6e, 0xa1, 0x06, 0x10, 0xb2, 0x78, 0x37, 0xa7, 0x14, 0xa8, 0xff, 0xdd, 0x00,
-+ 0xdd, 0xb4, 0x93, 0xa0, 0x45, 0xcc, 0x96, 0x90, 0xed, 0xad, 0xa9, 0xdd, 0xc4, 0xd6, 0xca,
-+ 0x0c, 0xf0, 0xed, 0x4f, 0x72, 0x5e, 0x21, 0x49, 0x9a, 0x18, 0x12, 0x15, 0x8f, 0x90, 0x5a,
-+ 0xdb, 0xb6, 0x33, 0x99, 0xa3, 0xe6, 0xb4, 0xf0, 0xc4, 0x97, 0x21, 0x26, 0xbb, 0xe3, 0xba,
-+ 0xf2, 0xff, 0xa0, 0x72, 0xda, 0x89, 0x63, 0x8e, 0x8b, 0x3e, 0x08, 0x9d, 0x92, 0x2a, 0xbe,
-+ 0x16, 0xe1, 0x43, 0x15, 0xfc, 0x57, 0xc7, 0x1f, 0x09, 0x11, 0x67, 0x1c, 0xa9, 0x96, 0xd1,
-+ 0x8b, 0x3e, 0x80, 0x93, 0xc1, 0x59, 0xd0, 0x6d, 0x39, 0xf2, 0xac, 0x95, 0xcc, 0x10, 0x75,
-+ 0xe9, 0x31, 0x24, 0xd1, 0x43, 0xaf, 0x68, 0x52, 0x4b, 0xe7, 0x16, 0xd7, 0x49, 0x65, 0x6f,
-+ 0x26, 0xc0, 0x86, 0xad, 0xc0, 0x07, 0x0a, 0xc1, 0xe1, 0x2f, 0x87, 0x85, 0x86, 0x3b, 0xdc,
-+ 0x5a, 0x99, 0xbe, 0xe9, 0xf9, 0xb9, 0xe9, 0x82, 0x27, 0x51, 0x04, 0x15, 0xab, 0x06, 0x0e,
-+ 0x76, 0x5a, 0x28, 0x8d, 0x92, 0xbd, 0xc5, 0xb5, 0x7b, 0xa8, 0xdf, 0x4e, 0x47, 0xa2, 0xc1,
-+ 0xe7, 0x52, 0xbf, 0x47, 0xf7, 0x62,
0xe0, 0x3a, 0x6f, 0x4d, 0x6a, 0x4d, 0x4e, 0xd4, 0xb9,
-+ 0x59, 0x69, 0xfa, 0xb2, 0x14, 0xc1, 0xee, 0xe6, 0x2f, 0x95, 0xcd, 0x94, 0x72, 0xae, 0xe4,
-+ 0xdb, 0x18, 0x9a, 0xc4, 0xcd, 0x70, 0xbd, 0xee, 0x31, 0x16, 0xb7, 0x49, 0x65, 0xac, 0x40,
-+ 0x19, 0x0e, 0xb5, 0x6d, 0x83, 0xf1, 0x36, 0xbb, 0x08, 0x2f, 0x2e, 0x4e, 0x92, 0x62, 0xa4,
-+ 0xff, 0x50, 0xdb, 0x20, 0x45, 0xa2, 0xeb, 0x16, 0x7a, 0xf2, 0xd5, 0x28, 0xc1, 0xfd, 0x4e,
-+ 0x03, 0x71
-+ };
-+
-+ static const unsigned char keydata_e[] = { 0x01, 0x00, 0x01 };
-+
-+ static const unsigned char keydata_d[] = {
-+ 0x36, 0x27, 0x3d, 0xb1, 0xf9, 0x1b, 0xdb, 0xa7, 0xa0, 0x41, 0x7f, 0x12, 0x23, 0xac, 0x23,
-+ 0x29, 0x99, 0xd5, 0x3a, 0x7b, 0x60, 0x67, 0x41, 0x07, 0x63, 0x53, 0xb4, 0xd2, 0xe7, 0x58,
-+ 0x95, 0x0a, 0xc7, 0x05, 0xf3, 0x4e, 0xb2, 0xb4, 0x12, 0xd4, 0x70, 0xdc, 0x4f, 0x85, 0x06,
-+ 0xd3, 0xdd, 0xd8, 0x63, 0x27, 0x3e, 0x67, 0x31, 0x21, 0x24, 0x39, 0x04, 0xbc, 0x06, 0xa4,
-+ 0xcc, 0xce, 0x2b, 0x7a, 0xfe, 0x7b, 0xad, 0xde, 0x11, 0x6e, 0xa3, 0xa5, 0xe6, 0x04, 0x53,
-+ 0x0e, 0xa3, 0x4e, 0x2d, 0xb4, 0x8f, 0x31, 0xbf, 0xca, 0x75, 0x25, 0x52, 0x02, 0x85, 0xde,
-+ 0x3d, 0xb2, 0x72, 0x43, 0xb2, 0x89, 0x8a, 0x9a, 0x34, 0x41, 0x26, 0x3f, 0x9a, 0x67, 0xbe,
-+ 0xa4, 0x96, 0x7b, 0x0e, 0x75, 0xba, 0xa6, 0x93, 0xd5, 0xb8, 0xd8, 0xb8, 0x57, 0xf2, 0x4b,
-+ 0x0f, 0x14, 0x81, 0xd1, 0x57, 0x4e, 0xf6, 0x45, 0x4c, 0xa6, 0x3b, 0xd0, 0x70, 0xca, 0xd3,
-+ 0x9d, 0x55, 0xde, 0x22, 0x05, 0xe7, 0x8e, 0x28, 0x4d, 0xee, 0x11, 0xcf, 0xb6, 0x67, 0x76,
-+ 0x09, 0xd3, 0xe3, 0x3c, 0x13, 0xf9, 0x99, 0x34, 0x10, 0x7b, 0xec, 0x81, 0x38, 0xf0, 0xb6,
-+ 0x34, 0x9c, 0x9b, 0x50, 0x6f, 0x0b, 0x91, 0x81, 0x4d, 0x89, 0x94, 0x04, 0x7b, 0xf0, 0x3c,
-+ 0xf4, 0xb1, 0xb2, 0x00, 0x48, 0x8d, 0x5a, 0x8f, 0x88, 0x9e, 0xc5, 0xab, 0x3a, 0x9e, 0x44,
-+ 0x3f, 0x54, 0xe7, 0xd9, 0x6e, 0x47, 0xaa, 0xa1, 0xbd, 0x40, 0x46, 0x31, 0xf9, 0xf0, 0x34,
-+ 0xb6, 0x04, 0xe1, 0x2b, 0x5b, 0x73, 0x86, 0xdd, 0x3a, 0x92, 0x1b, 0x71, 0xc7, 0x3f, 0x32,
-+ 0xe5, 0xc3, 0xc2, 0xab, 0xa1, 0x7e,
0xbf, 0xa4, 0x52, 0xa0, 0xb0, 0x68, 0x90, 0xd1, 0x20,
-+ 0x12, 0x79, 0xe9, 0xd7, 0xc9, 0x40, 0xba, 0xf2, 0x19, 0xc7, 0xa5, 0x00, 0x92, 0x86, 0x0d,
-+ 0x01
-+ };
-+
-+ static const unsigned char keydata_p[] = {
-+ 0x00, 0xfc, 0x5c, 0x6e, 0x16, 0xce, 0x1f, 0x03, 0x7b, 0xcd, 0xf7, 0xb3, 0x72, 0xb2, 0x8f,
-+ 0x16, 0x72, 0xb8, 0x56, 0xae, 0xf7, 0xcd, 0x67, 0xd8, 0x4e, 0x7d, 0x07, 0xaf, 0xd5, 0x43,
-+ 0x26, 0xc3, 0x35, 0xbe, 0x43, 0x8f, 0x4e, 0x2f, 0x1c, 0x43, 0x4e, 0x6b, 0xd2, 0xb2, 0xec,
-+ 0x52, 0x6d, 0x97, 0x52, 0x2b, 0xcc, 0x5c, 0x3a, 0x6b, 0xf4, 0x14, 0xc6, 0x74, 0xda, 0x66,
-+ 0x38, 0x1c, 0x7a, 0x3f, 0x84, 0x2f, 0xe3, 0xf9, 0x5a, 0xb8, 0x65, 0x69, 0x46, 0x06, 0xa3,
-+ 0x37, 0x79, 0xb2, 0xa1, 0x5b, 0x58, 0xed, 0x5e, 0xa7, 0x5f, 0x8c, 0x65, 0x66, 0xbb, 0xd1,
-+ 0x24, 0x36, 0xe6, 0x37, 0xa7, 0x3d, 0x49, 0x77, 0x8a, 0x8c, 0x34, 0xd8, 0x69, 0x29, 0xf3,
-+ 0x4d, 0x58, 0x22, 0xb0, 0x51, 0x24, 0xb6, 0x40, 0xa8, 0x86, 0x59, 0x0a, 0xb7, 0xba, 0x5c,
-+ 0x97, 0xda, 0x57, 0xe8, 0x36, 0xda, 0x7a, 0x9c, 0xad
-+ };
-+
-+ static const unsigned char keydata_q[] = {
-+ 0x00, 0xcc, 0xbe, 0x7b, 0x09, 0x69, 0x06, 0xee, 0x45, 0xbf, 0x88, 0x47, 0x38, 0xa8, 0xf8,
-+ 0x17, 0xe5, 0xb6, 0xba, 0x67, 0x55, 0xe3, 0xe8, 0x05, 0x8b, 0xb8, 0xe2, 0x53, 0xd6, 0x8e,
-+ 0xef, 0x2c, 0xe7, 0x4f, 0x4a, 0xf7, 0x4e, 0x26, 0x8d, 0x85, 0x0b, 0x3f, 0xec, 0xc3, 0x1c,
-+ 0xd4, 0xeb, 0xec, 0x6a, 0xc8, 0x72, 0x2a, 0x25, 0x7d, 0xfd, 0xa6, 0x77, 0x96, 0xf0, 0x1e,
-+ 0xcd, 0x28, 0x57, 0xf8, 0x37, 0x30, 0x75, 0x6b, 0xbd, 0xd4, 0x7b, 0x0c, 0x87, 0xc5, 0x6c,
-+ 0x87, 0x40, 0xa5, 0xbb, 0x27, 0x2c, 0x78, 0xc9, 0x74, 0x5a, 0x54, 0x5b, 0x0b, 0x30, 0x6f,
-+ 0x44, 0x4a, 0xfa, 0x71, 0xe4, 0x21, 0x61, 0x66, 0xf9, 0xee, 0x65, 0xde, 0x7c, 0x04, 0xd7,
-+ 0xfd, 0xa9, 0x15, 0x5b, 0x7f, 0xe2, 0x7a, 0xba, 0x69, 0x86, 0x72, 0xa6, 0x06, 0x8d, 0x9b,
-+ 0x90, 0x55, 0x60, 0x9e, 0x4c, 0x5d, 0xa9, 0xb6, 0x55
-+ };
-+
-+ static const unsigned char keydata_dmp1[] = {
-+ 0x7a, 0xd6, 0x12, 0xd0, 0x0e, 0xec, 0x91, 0xa9, 0x85, 0x8b, 0xf8, 0x50,
0xf0, 0x11, 0x2e,
-+ 0x00, 0x11, 0x32, 0x40, 0x60, 0x66, 0x1f, 0x11, 0xee, 0xc2, 0x75, 0x27, 0x65, 0x4b, 0x16,
-+ 0x67, 0x16, 0x95, 0xd2, 0x14, 0xc3, 0x1d, 0xb3, 0x48, 0x1f, 0xb7, 0xe4, 0x0b, 0x2b, 0x74,
-+ 0xc3, 0xdb, 0x50, 0x27, 0xf9, 0x85, 0x3a, 0xfa, 0xa9, 0x08, 0x23, 0xc1, 0x65, 0x3d, 0x34,
-+ 0x3a, 0xc8, 0x56, 0x7a, 0x65, 0x45, 0x36, 0x6e, 0xae, 0x2a, 0xce, 0x9f, 0x43, 0x43, 0xd7,
-+ 0x10, 0xe9, 0x9e, 0x18, 0xf4, 0xa4, 0x35, 0xda, 0x8a, 0x6b, 0xb0, 0x3f, 0xdd, 0x53, 0xe3,
-+ 0xa8, 0xc5, 0x4e, 0x79, 0x9d, 0x1f, 0x51, 0x8c, 0xa2, 0xca, 0x66, 0x3c, 0x6a, 0x2a, 0xff,
-+ 0x8e, 0xd2, 0xf3, 0xb7, 0xcb, 0x82, 0xda, 0xde, 0x2c, 0xe6, 0xd2, 0x8c, 0xb3, 0xad, 0xb6,
-+ 0x4c, 0x95, 0x55, 0x76, 0xbd, 0xc9, 0xc8, 0xd1
-+ };
-+
-+ static const unsigned char keydata_dmq1[] = {
-+ 0x00, 0x83, 0x23, 0x1d, 0xbb, 0x11, 0x42, 0x17, 0x2b, 0x25, 0x5a, 0x2c, 0x03, 0xe6, 0x75,
-+ 0xc1, 0x18, 0xa8, 0xc9, 0x0b, 0x96, 0xbf, 0xba, 0xc4, 0x92, 0x91, 0x80, 0xa5, 0x22, 0x2f,
-+ 0xba, 0x91, 0x90, 0x36, 0x01, 0x56, 0x15, 0x00, 0x2c, 0x74, 0xa2, 0x97, 0xf7, 0x15, 0xa1,
-+ 0x49, 0xdf, 0x32, 0x35, 0xd2, 0xdd, 0x0c, 0x91, 0xa6, 0xf8, 0xe7, 0xbe, 0x81, 0x36, 0x9b,
-+ 0x03, 0xdc, 0x6b, 0x3b, 0xd8, 0x5d, 0x79, 0x57, 0xe0, 0xe6, 0x4f, 0x49, 0xdf, 0x4c, 0x5c,
-+ 0x0e, 0xe5, 0x21, 0x41, 0x95, 0xfd, 0xad, 0xff, 0x9a, 0x3e, 0xa0, 0xf9, 0x0f, 0x59, 0x9e,
-+ 0x6a, 0xa7, 0x7b, 0x71, 0xa7, 0x24, 0x9a, 0x36, 0x52, 0xae, 0x97, 0x20, 0xc1, 0x5e, 0x78,
-+ 0xd9, 0x47, 0x8b, 0x1e, 0x67, 0xf2, 0xaf, 0x98, 0xe6, 0x2d, 0xef, 0x10, 0xd7, 0xf1, 0xab,
-+ 0x49, 0xee, 0xe5, 0x4b, 0x7e, 0xae, 0x1f, 0x1d, 0x61
-+ };
-+
-+ static const unsigned char keydata_iqmp[] = {
-+ 0x23, 0x96, 0xc1, 0x91, 0x17, 0x5e, 0x0a, 0x83, 0xd2, 0xdc, 0x7b, 0x69, 0xb2, 0x59, 0x1d,
-+ 0x33, 0x58, 0x52, 0x3f, 0x18, 0xc7, 0x09, 0x50, 0x1c, 0xb9, 0xa1, 0xbb, 0x4c, 0xa2, 0x38,
-+ 0x40, 0x4c, 0x9a, 0x8e, 0xfe, 0x9c, 0x90, 0x92, 0xd0, 0x71, 0x9f, 0x89, 0x99, 0x50, 0x91,
-+ 0x1f, 0x34, 0x8b, 0x74, 0x53, 0x11, 0x11, 0x4a, 0x70, 0xe2, 0xf7, 0x30, 0xd8,
0x8c, 0x80,
-+ 0xe1, 0xcc, 0x9f, 0xf1, 0x63, 0x17, 0x1a, 0x7d, 0x67, 0x29, 0x4c, 0xcb, 0x4e, 0x74, 0x7b,
-+ 0xe0, 0x3e, 0x9e, 0x2f, 0xf4, 0x67, 0x8f, 0xec, 0xb9, 0x5c, 0x00, 0x1e, 0x7e, 0xa2, 0x7b,
-+ 0x92, 0xc9, 0x6f, 0x4c, 0xe4, 0x0e, 0xf9, 0x48, 0x63, 0xcd, 0x50, 0x22, 0x5d, 0xbf, 0xb6,
-+ 0x9d, 0x01, 0x33, 0x6a, 0xf4, 0x50, 0xbe, 0x86, 0x98, 0x4f, 0xca, 0x3f, 0x3a, 0xfa, 0xcf,
-+ 0x07, 0x40, 0xc4, 0xaa, 0xad, 0xae, 0xbe, 0xbf
-+ };
-+
-+ int rv = 0;
-+ BIGNUM *n = NULL, *e = NULL, *d = NULL, *p = NULL, *q = NULL, *dmp1 = NULL, *dmq1 = NULL, *iqmp = NULL;
-+
-+ fips_load_key_component(n, keydata);
-+ fips_load_key_component(e, keydata);
-+ fips_load_key_component(d, keydata);
-+ fips_load_key_component(p, keydata);
-+ fips_load_key_component(q, keydata);
-+ fips_load_key_component(dmp1, keydata);
-+ fips_load_key_component(dmq1, keydata);
-+ fips_load_key_component(iqmp, keydata);
-+
-+ RSA_set0_key(key, n, e, d);
-+ RSA_set0_factors(key, p, q);
-+ RSA_set0_crt_params(key, dmp1, dmq1, iqmp);
-+
-+ rv = 1;
-+err:
-+ if (!rv) {
-+ BN_free(n);
-+ BN_free(e);
-+ BN_free(d);
-+ BN_free(p);
-+ BN_free(q);
-+ BN_free(dmp1);
-+ BN_free(dmq1);
-+ BN_free(iqmp);
-+ }
-+ return rv;
-+}
-+
-+/* Known Answer Test (KAT) data for the above RSA private key signing
-+ * kat_tbs.
-+ */
-+
-+static const unsigned char kat_tbs[] =
-+ "OpenSSL FIPS 140-2 Public Key RSA KAT";
-+
-+static const unsigned char kat_RSA_PSS_SHA256[] = {
-+ 0x38, 0xDA, 0x99, 0x51, 0x26, 0x38, 0xC6, 0x7F, 0xC4, 0x81, 0x57, 0x19,
-+ 0x35, 0xC6, 0xF6, 0x1E, 0x90, 0x47, 0x20, 0x55, 0x47, 0x56, 0x26, 0xE9,
-+ 0xF2, 0xA8, 0x39, 0x6C, 0xD5, 0xCD, 0xCB, 0x55, 0xFC, 0x0C, 0xC5, 0xCB,
-+ 0xF7, 0x40, 0x17, 0x3B, 0xCF, 0xE4, 0x05, 0x03, 0x3B, 0xA0, 0xB2, 0xC9,
-+ 0x0D, 0x5E, 0x48, 0x3A, 0xE9, 0xAD, 0x28, 0x71, 0x7D, 0x8F, 0x89, 0x16,
-+ 0x59, 0x93, 0x35, 0xDC, 0x4D, 0x7B, 0xDF, 0x84, 0xE4, 0x68, 0xAA, 0x33,
-+ 0xAA, 0xDC, 0x66, 0x50, 0xC8, 0xA9, 0x32, 0x12, 0xDC, 0xC6, 0x90, 0x49,
-+ 0x0B, 0x75, 0xFF, 0x9B, 0x95, 0x00, 0x9A, 0x90, 0xE0, 0xD4, 0x0E, 0x67,
-+ 0xAB, 0x3C, 0x47, 0x36, 0xC5, 0x2E, 0x1C, 0x46, 0xF0, 0x2D, 0xD3, 0x8B,
-+ 0x42, 0x08, 0xDE, 0x0D, 0xB6, 0x2C, 0x86, 0xB0, 0x35, 0x71, 0x18, 0x6B,
-+ 0x89, 0x67, 0xC0, 0x05, 0xAD, 0xF4, 0x1D, 0x62, 0x4E, 0x75, 0xEC, 0xD6,
-+ 0xC2, 0xDB, 0x07, 0xB0, 0xB6, 0x8D, 0x15, 0xAD, 0xCD, 0xBF, 0xF5, 0x60,
-+ 0x76, 0xAE, 0x48, 0xB8, 0x77, 0x7F, 0xC5, 0x01, 0xD9, 0x29, 0xBB, 0xD6,
-+ 0x17, 0xA2, 0x20, 0x5A, 0xC0, 0x4A, 0x3B, 0x34, 0xC8, 0xB9, 0x39, 0xCF,
-+ 0x06, 0x89, 0x95, 0x6F, 0xC7, 0xCA, 0xC4, 0xE4, 0x43, 0xDF, 0x5A, 0x23,
-+ 0xE2, 0x89, 0xA3, 0x38, 0x78, 0x31, 0x38, 0xC6, 0xA4, 0x6F, 0x5F, 0x73,
-+ 0x5A, 0xE5, 0x9E, 0x09, 0xE7, 0x6F, 0xD4, 0xF8, 0x3E, 0xB7, 0xB0, 0x56,
-+ 0x9A, 0xF3, 0x65, 0xF0, 0xC2, 0xA6, 0x8A, 0x08, 0xBA, 0x44, 0xAC, 0x97,
-+ 0xDE, 0xB4, 0x16, 0x83, 0xDF, 0xE3, 0xEE, 0x71, 0xFA, 0xF9, 0x51, 0x50,
-+ 0x14, 0xDC, 0xFD, 0x6A, 0x82, 0x20, 0x68, 0x64, 0x7D, 0x4E, 0x82, 0x68,
-+ 0xD7, 0x45, 0xFA, 0x6A, 0xE4, 0xE5, 0x29, 0x3A, 0x70, 0xFB, 0xE4, 0x62,
-+ 0x2B, 0x31, 0xB9, 0x7D
-+};
-+
-+static const unsigned char kat_RSA_SHA256[] = {
-+ 0xC2, 0xB1, 0x97, 0x00, 0x9A, 0xE5, 0x80, 0x6A, 0xE2, 0x51, 0x68, 0xB9,
-+ 0x7A, 0x0C, 0xF2, 0xB4, 0x77, 0xED, 0x15, 0x0C, 0x4E, 0xE1, 0xDC, 0xFF,
-+ 0x8E, 0xBC, 0xDE, 0xC7, 0x9A, 0x96,
0xF1, 0x47, 0x45, 0x24, 0x9D, 0x6F,
-+ 0xA6, 0xF3, 0x1D, 0x0D, 0x35, 0x4C, 0x1A, 0xF3, 0x58, 0x2C, 0x6C, 0x06,
-+ 0xD6, 0x22, 0x37, 0x77, 0x8C, 0x33, 0xE5, 0x07, 0x53, 0x93, 0x28, 0xCF,
-+ 0x67, 0xFA, 0xC4, 0x1F, 0x1B, 0x24, 0xDB, 0x4C, 0xC5, 0x2A, 0x51, 0xA2,
-+ 0x60, 0x15, 0x8C, 0x54, 0xB4, 0x30, 0xE2, 0x24, 0x47, 0x86, 0xF2, 0xF8,
-+ 0x6C, 0xD6, 0x12, 0x59, 0x2C, 0x74, 0x9A, 0x37, 0xF3, 0xC4, 0xA2, 0xD5,
-+ 0x4E, 0x1F, 0x77, 0xF0, 0x27, 0xCE, 0x77, 0xF8, 0x4A, 0x79, 0x03, 0xBE,
-+ 0xC8, 0x06, 0x2D, 0xA7, 0xA6, 0x46, 0xF5, 0x55, 0x79, 0xD7, 0x5C, 0xC6,
-+ 0x5B, 0xB1, 0x00, 0x4E, 0x7C, 0xD9, 0x11, 0x85, 0xE0, 0xB1, 0x4D, 0x2D,
-+ 0x13, 0xD7, 0xAC, 0xEA, 0x64, 0xD1, 0xAC, 0x8F, 0x8D, 0x8F, 0xEA, 0x42,
-+ 0x7F, 0xF9, 0xB7, 0x7D, 0x2C, 0x68, 0x49, 0x07, 0x7A, 0x74, 0xEF, 0xB4,
-+ 0xC9, 0x97, 0x16, 0x5C, 0x6C, 0x6E, 0x5C, 0x09, 0x2E, 0x8E, 0x13, 0x2E,
-+ 0x1A, 0x8D, 0xA6, 0x0C, 0x6E, 0x0C, 0x1C, 0x0F, 0xCC, 0xB2, 0x78, 0x8A,
-+ 0x07, 0xFC, 0x5C, 0xC2, 0xF5, 0x65, 0xEC, 0xAB, 0x8B, 0x3C, 0xCA, 0x91,
-+ 0x6F, 0x84, 0x7C, 0x21, 0x0E, 0xB8, 0xDA, 0x7B, 0x6C, 0xF7, 0xDF, 0xAB,
-+ 0x7E, 0x15, 0xFD, 0x85, 0x0B, 0x33, 0x9B, 0x6A, 0x3A, 0xC3, 0xEF, 0x65,
-+ 0x04, 0x6E, 0xB2, 0xAC, 0x98, 0xFD, 0xEB, 0x02, 0xF5, 0xC0, 0x0B, 0x5E,
-+ 0xCB, 0xD4, 0x83, 0x82, 0x18, 0x1B, 0xDA, 0xB4, 0xCD, 0xE8, 0x71, 0x6B,
-+ 0x1D, 0xB5, 0x4F, 0xE9, 0xD6, 0x43, 0xA0, 0x0A, 0x14, 0xA0, 0xE7, 0x5D,
-+ 0x47, 0x9D, 0x18, 0xD7
-+};
-+
-+static int fips_rsa_encrypt_test(RSA *rsa, const unsigned char *plaintext,
-+ int ptlen)
-+{
-+ unsigned char *ctbuf = NULL, *ptbuf = NULL;
-+ int ret = 0;
-+ int len;
-+
-+ ctbuf = OPENSSL_malloc(RSA_size(rsa));
-+ if (!ctbuf)
-+ goto err;
-+
-+ len = RSA_public_encrypt(ptlen, plaintext, ctbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len <= 0)
-+ goto err;
-+ /* Check ciphertext doesn't match plaintext */
-+ if (len >= ptlen && !memcmp(plaintext, ctbuf, ptlen))
-+ goto err;
-+
-+ ptbuf = OPENSSL_malloc(RSA_size(rsa));
-+ if (!ptbuf)
-+ goto err;
-+
-+ len =
RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING);
-+ if (len != ptlen)
-+ goto err;
-+ if (memcmp(ptbuf, plaintext, len))
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ if (ctbuf)
-+ OPENSSL_free(ctbuf);
-+ if (ptbuf)
-+ OPENSSL_free(ptbuf);
-+ return ret;
-+}
-+
-+int FIPS_selftest_rsa()
-+{
-+ int ret = 0;
-+ RSA *key;
-+ EVP_PKEY *pk = NULL;
-+
-+ if ((key = RSA_new()) == NULL)
-+ goto err;
-+
-+ if (!setrsakey(key))
-+ goto err;
-+
-+ if ((pk = EVP_PKEY_new()) == NULL)
-+ goto err;
-+
-+ EVP_PKEY_set1_RSA(pk, key);
-+
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_SHA256, sizeof(kat_RSA_SHA256),
-+ EVP_sha256(), EVP_MD_CTX_FLAG_PAD_PKCS1,
-+ "RSA SHA256 PKCS#1"))
-+ goto err;
-+
-+ if (!fips_pkey_signature_test(pk, kat_tbs, sizeof(kat_tbs) - 1,
-+ kat_RSA_PSS_SHA256,
-+ sizeof(kat_RSA_PSS_SHA256), EVP_sha256(),
-+ EVP_MD_CTX_FLAG_PAD_PSS, "RSA SHA256 PSS"))
-+ goto err;
-+
-+ if (!fips_rsa_encrypt_test(key, kat_tbs, sizeof(kat_tbs) - 1))
-+ goto err;
-+
-+ ret = 1;
-+
-+ err:
-+ if (pk)
-+ EVP_PKEY_free(pk);
-+ if (key)
-+ RSA_free(key);
-+ return ret;
-+}
-+
-+#endif /* def OPENSSL_FIPS */
-diff -up openssl-1.1.1j/crypto/fips/fips_sha_selftest.c.fips openssl-1.1.1j/crypto/fips/fips_sha_selftest.c
---- openssl-1.1.1j/crypto/fips/fips_sha_selftest.c.fips 2021-03-03 12:57:42.201734542 +0100
-+++ openssl-1.1.1j/crypto/fips/fips_sha_selftest.c 2021-03-03 12:57:42.201734542 +0100
-@@ -0,0 +1,223 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2.
Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include
-+#include
-+#ifdef OPENSSL_FIPS
-+# include
-+#endif
-+#include
-+#include
-+
-+#ifdef OPENSSL_FIPS
-+static const char test[][60] = {
-+ "",
-+ "abc",
-+ "abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
-+};
-+
-+static const unsigned char ret[][SHA_DIGEST_LENGTH] = {
-+ {0xda, 0x39, 0xa3, 0xee, 0x5e, 0x6b, 0x4b, 0x0d, 0x32, 0x55,
-+ 0xbf, 0xef, 0x95, 0x60, 0x18, 0x90, 0xaf, 0xd8, 0x07, 0x09},
-+ {0xa9, 0x99, 0x3e, 0x36, 0x47, 0x06, 0x81, 0x6a, 0xba, 0x3e,
-+ 0x25, 0x71, 0x78, 0x50, 0xc2, 0x6c, 0x9c, 0xd0, 0xd8, 0x9d},
-+ {0x84, 0x98, 0x3e, 0x44, 0x1c, 0x3b, 0xd2, 0x6e, 0xba, 0xae,
-+ 0x4a, 0xa1, 0xf9, 0x51, 0x29, 0xe5, 0xe5, 0x46, 0x70, 0xf1},
-+};
-+
-+int FIPS_selftest_sha1()
-+{
-+ int n;
-+
-+ for (n = 0; n < sizeof(test) / sizeof(test[0]); ++n) {
-+ unsigned char md[SHA_DIGEST_LENGTH];
-+
-+ EVP_Digest(test[n], strlen(test[n]), md, NULL,
-+ EVP_sha1(), NULL);
-+ if (memcmp(md, ret[n], sizeof md)) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA1, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+ }
-+ return 1;
-+}
-+
-+static const unsigned char msg_sha256[] =
-+ { 0xfa, 0x48, 0x59, 0x2a, 0xe1, 0xae, 0x1f, 0x30,
-+ 0xfc
-+};
-+
-+static const unsigned char dig_sha256[] =
-+ { 0xf7, 0x26, 0xd8, 0x98, 0x47, 0x91, 0x68, 0x5b,
-+ 0x9e, 0x39, 0xb2, 0x58, 0xbb, 0x75, 0xbf, 0x01,
-+ 0x17, 0x0c, 0x84, 0x00, 0x01, 0x7a, 0x94, 0x83,
-+ 0xf3, 0x0b, 0x15, 0x84, 0x4b, 0x69, 0x88, 0x8a
-+};
-+
-+static const unsigned char msg_sha512[] =
-+ { 0x37, 0xd1, 0x35, 0x9d, 0x18, 0x41, 0xe9, 0xb7,
-+ 0x6d, 0x9a, 0x13, 0xda, 0x5f, 0xf3, 0xbd
-+};
-+
-+static const unsigned char dig_sha512[] =
-+ { 0x11, 0x13, 0xc4, 0x19, 0xed, 0x2b, 0x1d, 0x16,
-+ 0x11, 0xeb, 0x9b, 0xbe, 0xf0, 0x7f, 0xcf, 0x44,
-+ 0x8b, 0xd7, 0x57, 0xbd, 0x8d, 0xa9, 0x25, 0xb0,
-+ 0x47, 0x25, 0xd6, 0x6c, 0x9a, 0x54, 0x7f, 0x8f,
-+ 0x0b, 0x53, 0x1a, 0x10, 0x68, 0x32, 0x03, 0x38,
-+ 0x82, 0xc4, 0x87, 0xc4, 0xea, 0x0e, 0xd1, 0x04,
-+ 0xa9, 0x98, 0xc1, 0x05, 0xa3, 0xf3, 0xf8, 0xb1,
-+ 0xaf, 0xbc,
0xd9, 0x78, 0x7e, 0xee, 0x3d, 0x43
-+};
-+
-+int FIPS_selftest_sha2(void)
-+{
-+ unsigned char md[SHA512_DIGEST_LENGTH];
-+
-+ EVP_Digest(msg_sha256, sizeof(msg_sha256), md, NULL, EVP_sha256(), NULL);
-+ if (memcmp(dig_sha256, md, sizeof(dig_sha256))) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ EVP_Digest(msg_sha512, sizeof(msg_sha512), md, NULL, EVP_sha512(), NULL);
-+ if (memcmp(dig_sha512, md, sizeof(dig_sha512))) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA2, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+static const unsigned char msg_sha3_256[] = {
-+ 0xa1, 0xd7, 0xce, 0x51, 0x04, 0xeb, 0x25, 0xd6,
-+ 0x13, 0x1b, 0xb8, 0xf6, 0x6e, 0x1f, 0xb1, 0x3f,
-+ 0x35, 0x23
-+};
-+
-+static const unsigned char dig_sha3_256[] = {
-+ 0xee, 0x90, 0x62, 0xf3, 0x97, 0x20, 0xb8, 0x21,
-+ 0xb8, 0x8b, 0xe5, 0xe6, 0x46, 0x21, 0xd7, 0xe0,
-+ 0xca, 0x02, 0x6a, 0x9f, 0xe7, 0x24, 0x8d, 0x78,
-+ 0x15, 0x0b, 0x14, 0xbd, 0xba, 0xa4, 0x0b, 0xed
-+};
-+
-+static const unsigned char msg_sha3_512[] = {
-+ 0x13, 0x3b, 0x49, 0x7b, 0x00, 0x93, 0x27, 0x73,
-+ 0xa5, 0x3b, 0xa9, 0xbf, 0x8e, 0x61, 0xd5, 0x9f,
-+ 0x05, 0xf4
-+};
-+
-+static const unsigned char dig_sha3_512[] = {
-+ 0x78, 0x39, 0x64, 0xa1, 0xcf, 0x41, 0xd6, 0xd2,
-+ 0x10, 0xa8, 0xd7, 0xc8, 0x1c, 0xe6, 0x97, 0x0a,
-+ 0xa6, 0x2c, 0x90, 0x53, 0xcb, 0x89, 0xe1, 0x5f,
-+ 0x88, 0x05, 0x39, 0x57, 0xec, 0xf6, 0x07, 0xf4,
-+ 0x2a, 0xf0, 0x88, 0x04, 0xe7, 0x6f, 0x2f, 0xbd,
-+ 0xbb, 0x31, 0x80, 0x9c, 0x9e, 0xef, 0xc6, 0x0e,
-+ 0x23, 0x3d, 0x66, 0x24, 0x36, 0x7a, 0x3b, 0x9c,
-+ 0x30, 0xf8, 0xee, 0x5f, 0x65, 0xbe, 0x56, 0xac
-+};
-+
-+static const unsigned char msg_shake_128[] = {
-+ 0x43, 0xbd, 0xb1, 0x1e, 0xac, 0x71, 0x03, 0x1f,
-+ 0x02, 0xa1, 0x1c, 0x15, 0xa1, 0x88, 0x5f, 0xa4,
-+ 0x28, 0x98
-+};
-+
-+static const unsigned char dig_shake_128[] = {
-+ 0xde, 0x68, 0x02, 0x7d, 0xa1, 0x30, 0x66, 0x3a,
-+ 0x73, 0x98, 0x0e, 0x35, 0x25, 0xb8, 0x8c, 0x75
-+};
-+
-+static const unsigned char
msg_shake_256[] = {
-+ 0x8f, 0x84, 0xa3, 0x7d, 0xbd, 0x44, 0xd0, 0xf6,
-+ 0x95, 0x36, 0xc5, 0xf4, 0x44, 0x6b, 0xa3, 0x23,
-+ 0x9b, 0xfc
-+};
-+
-+static const unsigned char dig_shake_256[] = {
-+ 0x05, 0xca, 0x83, 0x5e, 0x0c, 0xdb, 0xfa, 0xf5,
-+ 0x95, 0xc6, 0x86, 0x7e, 0x2d, 0x9d, 0xb9, 0x3f,
-+ 0xca, 0x9c, 0x8b, 0xc6, 0x65, 0x02, 0x2e, 0xdd,
-+ 0x6f, 0xe7, 0xb3, 0xda, 0x5e, 0x07, 0xc4, 0xcf
-+};
-+
-+int FIPS_selftest_sha3(void)
-+{
-+ unsigned char md[SHA512_DIGEST_LENGTH];
-+
-+ EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL);
-+ if (memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ EVP_Digest(msg_sha3_512, sizeof(msg_sha3_512), md, NULL, EVP_sha3_512(), NULL);
-+ if (memcmp(dig_sha3_512, md, sizeof(dig_sha3_512))) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ EVP_Digest(msg_shake_128, sizeof(msg_shake_128), md, NULL, EVP_shake128(), NULL);
-+ if (memcmp(dig_shake_128, md, sizeof(dig_shake_128))) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ EVP_Digest(msg_shake_256, sizeof(msg_shake_256), md, NULL, EVP_shake256(), NULL);
-+ if (memcmp(dig_shake_256, md, sizeof(dig_shake_256))) {
-+ FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED);
-+ return 0;
-+ }
-+
-+ return 1;
-+}
-+
-+#endif
-diff -up openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c.fips openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c
---- openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c.fips 2021-03-03 12:57:42.201734542 +0100
-+++ openssl-1.1.1j/crypto/fips/fips_standalone_hmac.c 2021-03-03 12:57:42.201734542 +0100
-@@ -0,0 +1,127 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+#include
-+#include
-+
-+int main(int argc, char **argv)
-+{
-+#ifdef OPENSSL_FIPS
-+ static char key[] = "orboDeJITITejsirpADONivirpUkvarP";
-+ int n, binary = 0;
-+
-+ if (argc < 2) {
-+ fprintf(stderr, "%s []+\n", argv[0]);
-+ exit(1);
-+ }
-+
-+ n = 1;
-+ if (!strcmp(argv[n], "-binary")) {
-+ n++;
-+ binary = 1; /* emit binary fingerprint... */
-+ }
-+
-+ for (; n < argc; ++n) {
-+ FILE *f = fopen(argv[n], "rb");
-+ HMAC_CTX *hmac_ctx;
-+ unsigned char mac[EVP_MAX_MD_SIZE];
-+ unsigned int len;
-+ unsigned int i;
-+
-+ if (!f) {
-+ perror(argv[n]);
-+ exit(2);
-+ }
-+ hmac_ctx = HMAC_CTX_new();
-+ if (!hmac_ctx)
-+ exit(3);
-+
-+ if (HMAC_Init_ex(hmac_ctx, key, strlen(key), EVP_sha256(), NULL) <= 0) {
-+ fprintf(stderr, "HMAC SHA256 initialization failed.\n");
-+ exit(4);
-+ }
-+
-+ for (;;) {
-+ unsigned char buf[1024];
-+ size_t l = fread(buf, 1, sizeof buf, f);
-+
-+ if (l == 0) {
-+ if (ferror(f)) {
-+ perror(argv[n]);
-+ exit(3);
-+ } else
-+ break;
-+ }
-+ if (HMAC_Update(hmac_ctx, buf, l) <= 0) {
-+ fprintf(stderr, "HMAC_Update() failed.\n");
-+ exit(4);
-+ }
-+ }
-+ if (HMAC_Final(hmac_ctx, mac, &len) <= 0) {
-+ fprintf(stderr, "HMAC_Final() failed.\n");
-+ exit(4);
-+ }
-+
-+ if (binary) {
-+ fwrite(mac, len, 1, stdout);
-+ break; /* ... for single(!)
file */
-+ }
-+
-+/* printf("HMAC-SHA1(%s)= ",argv[n]); */
-+ for (i = 0; i < len; ++i)
-+ printf("%02x", mac[i]);
-+ printf("\n");
-+ }
-+#endif
-+ return 0;
-+}
-diff -up openssl-1.1.1j/crypto/hmac/hmac.c.fips openssl-1.1.1j/crypto/hmac/hmac.c
---- openssl-1.1.1j/crypto/hmac/hmac.c.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/crypto/hmac/hmac.c 2021-03-03 12:57:42.202734550 +0100
-@@ -44,6 +44,13 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo
- return 0;
-
- if (key != NULL) {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(EVP_MD_flags(md) & EVP_MD_FLAG_FIPS)
-+ && (!EVP_MD_CTX_test_flags(ctx->md_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+ || !EVP_MD_CTX_test_flags(ctx->i_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)
-+ || !EVP_MD_CTX_test_flags(ctx->o_ctx, EVP_MD_CTX_FLAG_NON_FIPS_ALLOW)))
-+ goto err;
-+#endif
- reset = 1;
-
- j = EVP_MD_block_size(md);
-diff -up openssl-1.1.1j/crypto/hmac/hm_pmeth.c.fips openssl-1.1.1j/crypto/hmac/hm_pmeth.c
---- openssl-1.1.1j/crypto/hmac/hm_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/crypto/hmac/hm_pmeth.c 2021-03-03 12:57:42.202734550 +0100
-@@ -180,7 +180,7 @@ static int pkey_hmac_ctrl_str(EVP_PKEY_C
-
- const EVP_PKEY_METHOD hmac_pkey_meth = {
- EVP_PKEY_HMAC,
-- 0,
-+ EVP_PKEY_FLAG_FIPS,
- pkey_hmac_init,
- pkey_hmac_copy,
- pkey_hmac_cleanup,
-diff -up openssl-1.1.1j/crypto/o_fips.c.fips openssl-1.1.1j/crypto/o_fips.c
---- openssl-1.1.1j/crypto/o_fips.c.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/crypto/o_fips.c 2021-03-03 12:57:42.202734550 +0100
-@@ -8,17 +8,28 @@
- */
-
- #include "internal/cryptlib.h"
-+#include "crypto/fips.h"
-
- int FIPS_mode(void)
- {
-+#ifdef OPENSSL_FIPS
-+ return FIPS_module_mode();
-+#else
- /* This version of the library does not support FIPS mode.
*/
- return 0;
-+#endif
- }
-
- int FIPS_mode_set(int r)
- {
-+#ifdef OPENSSL_FIPS
-+ if (r && FIPS_module_mode()) /* can be implicitly initialized by OPENSSL_init() */
-+ return 1;
-+ return FIPS_module_mode_set(r);
-+#else
- if (r == 0)
- return 1;
- CRYPTOerr(CRYPTO_F_FIPS_MODE_SET, CRYPTO_R_FIPS_MODE_NOT_SUPPORTED);
- return 0;
-+#endif
- }
-diff -up openssl-1.1.1j/crypto/o_init.c.fips openssl-1.1.1j/crypto/o_init.c
---- openssl-1.1.1j/crypto/o_init.c.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/crypto/o_init.c 2021-03-03 12:57:42.202734550 +0100
-@@ -7,8 +7,69 @@
- * https://www.openssl.org/source/license.html
- */
-
-+/* for secure_getenv */
-+#define _GNU_SOURCE
- #include "e_os.h"
- #include
-+#ifdef OPENSSL_FIPS
-+# include
-+# include
-+# include
-+# include
-+# include
-+# include
-+# include
-+# include
-+# include "crypto/fips.h"
-+
-+# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled"
-+
-+static void init_fips_mode(void)
-+{
-+ char buf[2] = "0";
-+ int fd;
-+
-+ if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) {
-+ buf[0] = '1';
-+ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) {
-+ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ;
-+ close(fd);
-+ }
-+
-+ if (buf[0] != '1' && !FIPS_module_installed())
-+ return;
-+
-+ /* Ensure the selftests always run */
-+ /* XXX: TO SOLVE - premature initialization due to selftests */
-+ FIPS_mode_set(1);
-+
-+ /* Failure reading the fips mode switch file means just not
-+ * switching into FIPS mode. We would break too many things
-+ * otherwise..
-+ */
-+
-+ if (buf[0] != '1') {
-+ /* drop down to non-FIPS mode if it is not requested */
-+ FIPS_mode_set(0);
-+ } else {
-+ /* abort if selftest failed */
-+ FIPS_selftest_check();
-+ }
-+}
-+
-+/*
-+ * Perform FIPS module power on selftest and automatic FIPS mode switch.
-+ */
-+
-+void __attribute__ ((constructor)) OPENSSL_init_library(void)
-+{
-+ static int done = 0;
-+ if (done)
-+ return;
-+ done = 1;
-+ init_fips_mode();
-+}
-+#endif
-
- /*
- * Perform any essential OpenSSL initialization operations. Currently does
-diff -up openssl-1.1.1j/crypto/rand/rand_lib.c.fips openssl-1.1.1j/crypto/rand/rand_lib.c
---- openssl-1.1.1j/crypto/rand/rand_lib.c.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/crypto/rand/rand_lib.c 2021-03-03 12:57:42.202734550 +0100
-@@ -16,6 +16,10 @@
- #include "internal/thread_once.h"
- #include "rand_local.h"
- #include "e_os.h"
-+#ifdef OPENSSL_FIPS
-+# include
-+# include
-+#endif
-
- #ifndef OPENSSL_NO_ENGINE
- /* non-NULL if default_RAND_meth is ENGINE-provided */
-@@ -959,3 +963,15 @@ int RAND_status(void)
- return meth->status();
- return 0;
- }
-+
-+#ifdef OPENSSL_FIPS
-+void RAND_set_fips_drbg_type(int type, int flags)
-+{ /* just a stub for ABI compatibility */
-+}
-+
-+int RAND_init_fips(void)
-+{
-+ /* just a stub for ABI compatibility */
-+ return 1;
-+}
-+#endif
-diff -up openssl-1.1.1j/crypto/rsa/rsa_crpt.c.fips openssl-1.1.1j/crypto/rsa/rsa_crpt.c
---- openssl-1.1.1j/crypto/rsa/rsa_crpt.c.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/crypto/rsa/rsa_crpt.c 2021-03-03 12:57:42.202734550 +0100
-@@ -27,24 +27,52 @@ int RSA_size(const RSA *r)
- int RSA_public_encrypt(int flen, const unsigned char *from, unsigned char *to,
- RSA *rsa, int padding)
- {
-+#ifdef OPENSSL_FIPS
-+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD)
-+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) {
-+ RSAerr(RSA_F_RSA_PUBLIC_ENCRYPT, RSA_R_NON_FIPS_RSA_METHOD);
-+ return -1;
-+ }
-+#endif
- return rsa->meth->rs_pub_enc_placeholder_never_emitted
RSAerr(RSA_F_RSA_PRIVATE_ENCRYPT, -+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); -+ return -1; -+ } -+#endif - return rsa->meth->rsa_priv_enc(flen, from, to, rsa, padding); - } - - int RSA_private_decrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) -+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -+ RSAerr(RSA_F_RSA_PRIVATE_DECRYPT, RSA_R_NON_FIPS_RSA_METHOD); -+ return -1; -+ } -+#endif - return rsa->meth->rsa_priv_dec(flen, from, to, rsa, padding); - } - - int RSA_public_decrypt(int flen, const unsigned char *from, unsigned char *to, - RSA *rsa, int padding) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -+ RSAerr(RSA_F_RSA_PUBLIC_DECRYPT, -+ RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE); -+ return -1; -+ } -+#endif - return rsa->meth->rsa_pub_dec(flen, from, to, rsa, padding); - } - -diff -up openssl-1.1.1j/crypto/rsa/rsa_err.c.fips openssl-1.1.1j/crypto/rsa/rsa_err.c ---- openssl-1.1.1j/crypto/rsa/rsa_err.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/rsa/rsa_err.c 2021-03-03 12:57:42.202734550 +0100 -@@ -16,6 +16,8 @@ - static const ERR_STRING_DATA RSA_str_functs[] = { - {ERR_PACK(ERR_LIB_RSA, RSA_F_CHECK_PADDING_MD, 0), "check_padding_md"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_ENCODE_PKCS1, 0), "encode_pkcs1"}, -+ {ERR_PACK(ERR_LIB_RSA, RSA_F_FIPS_RSA_BUILTIN_KEYGEN, 0), -+ "fips_rsa_builtin_keygen"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_INT_RSA_VERIFY, 0), "int_rsa_verify"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_OLD_RSA_PRIV_DECODE, 0), - "old_rsa_priv_decode"}, -@@ -32,6 +34,9 @@ static const ERR_STRING_DATA RSA_str_fun - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CHECK_KEY_EX, 0), "RSA_check_key_ex"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_DECRYPT, 0), "rsa_cms_decrypt"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_VERIFY, 0), "rsa_cms_verify"}, -+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), 
"RSA_generate_key_ex"}, -+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, 0), -+ "RSA_generate_multi_prime_key"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_ITEM_VERIFY, 0), "rsa_item_verify"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_DUP, 0), "RSA_meth_dup"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_METH_NEW, 0), "RSA_meth_new"}, -@@ -90,9 +95,13 @@ static const ERR_STRING_DATA RSA_str_fun - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT_FP, 0), "RSA_print_fp"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_DECODE, 0), "rsa_priv_decode"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_ENCODE, 0), "rsa_priv_encode"}, -+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), "RSA_private_decrypt"}, -+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), "RSA_private_encrypt"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_GET_PARAM, 0), "rsa_pss_get_param"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_TO_CTX, 0), "rsa_pss_to_ctx"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"}, -+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_DECRYPT, 0), "RSA_public_decrypt"}, -+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_ENCRYPT, 0), "RSA_public_encrypt"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SETUP_BLINDING, 0), "RSA_setup_blinding"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN, 0), "RSA_sign"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN_ASN1_OCTET_STRING, 0), -@@ -102,6 +111,8 @@ static const ERR_STRING_DATA RSA_str_fun - "RSA_verify_ASN1_OCTET_STRING"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 0), - "RSA_verify_PKCS1_PSS_mgf1"}, -+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), "RSA_set_default_method"}, -+ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"}, - {ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"}, - {0, NULL} - }; -@@ -183,6 +194,7 @@ static const ERR_STRING_DATA RSA_str_rea - "mp exponent not congruent to d"}, - {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"}, - {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public 
exponent"}, -+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"}, - {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING), - "null before block missing"}, - {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES), -@@ -191,6 +203,8 @@ static const ERR_STRING_DATA RSA_str_rea - "n does not equal p q"}, - {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR), - "oaep decoding error"}, -+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), -+ "operation not allowed in FIPS mode"}, - {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), - "operation not supported for this keytype"}, - {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED), -@@ -226,6 +240,8 @@ static const ERR_STRING_DATA RSA_str_rea - "unsupported mask algorithm"}, - {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_MASK_PARAMETER), - "unsupported mask parameter"}, -+ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_PARAMETERS), -+ "unsupported parameters"}, - {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_UNSUPPORTED_SIGNATURE_TYPE), - "unsupported signature type"}, - {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_VALUE_MISSING), "value missing"}, -diff -up openssl-1.1.1j/crypto/rsa/rsa_gen.c.fips openssl-1.1.1j/crypto/rsa/rsa_gen.c ---- openssl-1.1.1j/crypto/rsa/rsa_gen.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/rsa/rsa_gen.c 2021-03-03 12:57:42.202734550 +0100 -@@ -18,6 +18,76 @@ - #include "internal/cryptlib.h" - #include - #include "rsa_local.h" -+#ifdef OPENSSL_FIPS -+# include -+# include "crypto/fips.h" -+ -+int fips_check_rsa(RSA *rsa) -+{ -+ const unsigned char tbs[] = "RSA Pairwise Check Data"; -+ unsigned char *ctbuf = NULL, *ptbuf = NULL; -+ int len, ret = 0; -+ EVP_PKEY *pk; -+ -+ if ((pk = EVP_PKEY_new()) == NULL) -+ goto err; -+ -+ EVP_PKEY_set1_RSA(pk, rsa); -+ -+ /* Perform pairwise consistency signature test */ -+ if (!fips_pkey_signature_test(pk, tbs, -1, -+ NULL, 0, EVP_sha256(), -+ EVP_MD_CTX_FLAG_PAD_PKCS1, NULL) 
-+ || !fips_pkey_signature_test(pk, tbs, -1, NULL, 0, EVP_sha256(), -+ EVP_MD_CTX_FLAG_PAD_PSS, NULL)) -+ goto err; -+ /* Now perform pairwise consistency encrypt/decrypt test */ -+ ctbuf = OPENSSL_malloc(RSA_size(rsa)); -+ if (!ctbuf) -+ goto err; -+ -+ len = -+ RSA_public_encrypt(sizeof(tbs) - 1, tbs, ctbuf, rsa, -+ RSA_PKCS1_PADDING); -+ if (len <= 0) -+ goto err; -+ /* Check ciphertext doesn't match plaintext */ -+ if ((len == (sizeof(tbs) - 1)) && !memcmp(tbs, ctbuf, len)) -+ goto err; -+ ptbuf = OPENSSL_malloc(RSA_size(rsa)); -+ -+ if (!ptbuf) -+ goto err; -+ len = RSA_private_decrypt(len, ctbuf, ptbuf, rsa, RSA_PKCS1_PADDING); -+ if (len != (sizeof(tbs) - 1)) -+ goto err; -+ if (memcmp(ptbuf, tbs, len)) -+ goto err; -+ -+ ret = 1; -+ -+ if (!ptbuf) -+ goto err; -+ -+ err: -+ if (ret == 0) { -+ fips_set_selftest_fail(); -+ FIPSerr(FIPS_F_FIPS_CHECK_RSA, FIPS_R_PAIRWISE_TEST_FAILED); -+ } -+ -+ if (ctbuf) -+ OPENSSL_free(ctbuf); -+ if (ptbuf) -+ OPENSSL_free(ptbuf); -+ if (pk) -+ EVP_PKEY_free(pk); -+ -+ return ret; -+} -+ -+static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, -+ BN_GENCB *cb); -+#endif - - static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, - BN_GENCB *cb); -@@ -31,6 +101,13 @@ static int rsa_builtin_keygen(RSA *rsa, - */ - int RSA_generate_key_ex(RSA *rsa, int bits, BIGNUM *e_value, BN_GENCB *cb) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) -+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -+ RSAerr(RSA_F_RSA_GENERATE_KEY_EX, RSA_R_NON_FIPS_RSA_METHOD); -+ return 0; -+ } -+#endif - if (rsa->meth->rsa_keygen != NULL) - return rsa->meth->rsa_keygen(rsa, bits, e_value, cb); - -@@ -41,6 +118,13 @@ int RSA_generate_key_ex(RSA *rsa, int bi - int RSA_generate_multi_prime_key(RSA *rsa, int bits, int primes, - BIGNUM *e_value, BN_GENCB *cb) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) -+ && !(rsa->flags & 
RSA_FLAG_NON_FIPS_ALLOW)) { -+ RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_NON_FIPS_RSA_METHOD); -+ return 0; -+ } -+#endif - /* multi-prime is only supported with the builtin key generation */ - if (rsa->meth->rsa_multi_prime_keygen != NULL) { - return rsa->meth->rsa_multi_prime_keygen(rsa, bits, primes, -@@ -57,10 +141,285 @@ int RSA_generate_multi_prime_key(RSA *rs - else - return 0; - } -- -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (primes != 2) { -+ RSAerr(RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, RSA_R_UNSUPPORTED_PARAMETERS); -+ return 0; -+ } -+ return fips_rsa_builtin_keygen(rsa, bits, e_value, cb); -+ } -+#endif - return rsa_builtin_keygen(rsa, bits, primes, e_value, cb); - } - -+#ifdef OPENSSL_FIPS -+static int fips_rsa_builtin_keygen(RSA *rsa, int bits, BIGNUM *e_value, -+ BN_GENCB *cb) -+{ -+ BIGNUM *r0 = NULL, *r1 = NULL, *r2 = NULL, *r3 = NULL, *tmp; -+ BN_CTX *ctx = NULL; -+ int ok = -1; -+ int i; -+ int n = 0; -+ int test = 0; -+ int pbits = bits / 2; -+ unsigned long error = 0; -+ -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_FIPS_SELFTEST_FAILED); -+ return 0; -+ } -+ -+ if (bits < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS -+ || (getenv("OPENSSL_ENFORCE_MODULUS_BITS") && bits < 2048)) { -+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_KEY_TOO_SHORT); -+ return 0; -+ } -+ if ((pbits & 0xFF) != 0) { -+ FIPSerr(FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, FIPS_R_INVALID_KEY_LENGTH); -+ return 0; -+ } -+ -+ ctx = BN_CTX_new(); -+ if (ctx == NULL) -+ goto err; -+ BN_CTX_start(ctx); -+ r0 = BN_CTX_get(ctx); -+ r1 = BN_CTX_get(ctx); -+ r2 = BN_CTX_get(ctx); -+ r3 = BN_CTX_get(ctx); -+ -+ if (r3 == NULL) -+ goto err; -+ -+ /* We need the RSA components non-NULL */ -+ if (!rsa->n && ((rsa->n = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->d && ((rsa->d = BN_secure_new()) == NULL)) -+ goto err; -+ if (!rsa->e && ((rsa->e = BN_new()) == NULL)) -+ goto err; -+ if (!rsa->p && ((rsa->p = BN_secure_new()) == NULL)) -+ goto err; -+ if 
(!rsa->q && ((rsa->q = BN_secure_new()) == NULL)) -+ goto err; -+ if (!rsa->dmp1 && ((rsa->dmp1 = BN_secure_new()) == NULL)) -+ goto err; -+ if (!rsa->dmq1 && ((rsa->dmq1 = BN_secure_new()) == NULL)) -+ goto err; -+ if (!rsa->iqmp && ((rsa->iqmp = BN_secure_new()) == NULL)) -+ goto err; -+ -+ if (!BN_set_word(r0, RSA_F4)) -+ goto err; -+ if (BN_cmp(e_value, r0) < 0 || BN_num_bits(e_value) > 256) { -+ ok = 0; /* we set our own err */ -+ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, RSA_R_BAD_E_VALUE); -+ goto err; -+ } -+ -+ /* prepare approximate minimum p and q */ -+ if (!BN_set_word(r0, 0xB504F334)) -+ goto err; -+ if (!BN_lshift(r0, r0, pbits - 32)) -+ goto err; -+ -+ /* prepare minimum p and q difference */ -+ if (!BN_one(r3)) -+ goto err; -+ if (!BN_lshift(r3, r3, pbits - 100)) -+ goto err; -+ -+ BN_copy(rsa->e, e_value); -+ -+ if (!BN_is_zero(rsa->p) && !BN_is_zero(rsa->q)) -+ test = 1; -+ -+ BN_set_flags(r0, BN_FLG_CONSTTIME); -+ BN_set_flags(r1, BN_FLG_CONSTTIME); -+ BN_set_flags(r2, BN_FLG_CONSTTIME); -+ BN_set_flags(rsa->p, BN_FLG_CONSTTIME); -+ BN_set_flags(rsa->q, BN_FLG_CONSTTIME); -+ -+ retry: -+ /* generate p and q */ -+ for (i = 0; i < 5 * pbits; i++) { -+ ploop: -+ if (!test) -+ if (!BN_rand(rsa->p, pbits, 0, 1)) -+ goto err; -+ if (BN_cmp(rsa->p, r0) < 0) { -+ if (test) -+ goto err; -+ goto ploop; -+ } -+ -+ if (!BN_sub(r2, rsa->p, BN_value_one())) -+ goto err; -+ ERR_set_mark(); -+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { -+ /* GCD == 1 since inverse exists */ -+ int r; -+ r = BN_is_prime_fasttest_ex(rsa->p, pbits > 1024 ? 
4 : 5, ctx, 0, -+ cb); -+ if (r == -1 || (test && r <= 0)) -+ goto err; -+ if (r > 0) -+ break; -+ } else { -+ error = ERR_peek_last_error(); -+ if (ERR_GET_LIB(error) == ERR_LIB_BN -+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { -+ /* GCD != 1 */ -+ ERR_pop_to_mark(); -+ } else { -+ goto err; -+ } -+ } -+ if (!BN_GENCB_call(cb, 2, n++)) -+ goto err; -+ } -+ -+ if (!BN_GENCB_call(cb, 3, 0)) -+ goto err; -+ -+ if (i >= 5 * pbits) -+ /* prime not found */ -+ goto err; -+ -+ for (i = 0; i < 5 * pbits; i++) { -+ qloop: -+ if (!test) -+ if (!BN_rand(rsa->q, pbits, 0, 1)) -+ goto err; -+ if (BN_cmp(rsa->q, r0) < 0) { -+ if (test) -+ goto err; -+ goto qloop; -+ } -+ if (!BN_sub(r2, rsa->q, rsa->p)) -+ goto err; -+ if (BN_ucmp(r2, r3) <= 0) { -+ if (test) -+ goto err; -+ goto qloop; -+ } -+ -+ if (!BN_sub(r2, rsa->q, BN_value_one())) -+ goto err; -+ ERR_set_mark(); -+ if (BN_mod_inverse(r1, r2, rsa->e, ctx) != NULL) { -+ /* GCD == 1 since inverse exists */ -+ int r; -+ r = BN_is_prime_fasttest_ex(rsa->q, pbits > 1024 ? 
4 : 5, ctx, 0, -+ cb); -+ if (r == -1 || (test && r <= 0)) -+ goto err; -+ if (r > 0) -+ break; -+ } else { -+ error = ERR_peek_last_error(); -+ if (ERR_GET_LIB(error) == ERR_LIB_BN -+ && ERR_GET_REASON(error) == BN_R_NO_INVERSE) { -+ /* GCD != 1 */ -+ ERR_pop_to_mark(); -+ } else { -+ goto err; -+ } -+ } -+ if (!BN_GENCB_call(cb, 2, n++)) -+ goto err; -+ } -+ -+ if (!BN_GENCB_call(cb, 3, 1)) -+ goto err; -+ -+ if (i >= 5 * pbits) -+ /* prime not found */ -+ goto err; -+ -+ if (test) { -+ /* do not try to calculate the remaining key values */ -+ BN_clear(rsa->n); -+ ok = 1; -+ goto err; -+ } -+ -+ if (BN_cmp(rsa->p, rsa->q) < 0) { -+ tmp = rsa->p; -+ rsa->p = rsa->q; -+ rsa->q = tmp; -+ } -+ -+ /* calculate n */ -+ if (!BN_mul(rsa->n, rsa->p, rsa->q, ctx)) -+ goto err; -+ -+ /* calculate d */ -+ if (!BN_sub(r1, rsa->p, BN_value_one())) -+ goto err; /* p-1 */ -+ if (!BN_sub(r2, rsa->q, BN_value_one())) -+ goto err; /* q-1 */ -+ -+ /* note that computing gcd is not safe to timing attacks */ -+ if (!BN_gcd(r0, r1, r2, ctx)) -+ goto err; -+ -+ { -+ if (!BN_div(r0, NULL, r1, r0, ctx)) -+ goto err; -+ -+ if (!BN_mul(r0, r0, r2, ctx)) /* lcm(p-1, q-1) */ -+ goto err; -+ -+ if (!BN_mod_inverse(rsa->d, rsa->e, r0, ctx)) /* d */ -+ goto err; -+ } -+ -+ if (BN_num_bits(rsa->d) < pbits) -+ goto retry; /* d is too small */ -+ -+ { -+ BIGNUM *d = BN_new(); -+ -+ if (d == NULL) -+ goto err; -+ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); -+ -+ if (/* calculate d mod (p-1) */ -+ !BN_mod(rsa->dmp1, d, r1, ctx) -+ /* calculate d mod (q-1) */ -+ || !BN_mod(rsa->dmq1, d, r2, ctx)) { -+ BN_free(d); -+ goto err; -+ } -+ /* We MUST free d before any further use of rsa->d */ -+ BN_free(d); -+ } -+ -+ /* calculate inverse of q mod p */ -+ if (!BN_mod_inverse(rsa->iqmp, rsa->q, rsa->p, ctx)) -+ goto err; -+ -+ if (!fips_check_rsa(rsa)) -+ goto err; -+ -+ ok = 1; -+ err: -+ if (ok == -1) { -+ RSAerr(RSA_F_FIPS_RSA_BUILTIN_KEYGEN, ERR_LIB_BN); -+ ok = 0; -+ } -+ if (ctx != NULL) { -+ 
BN_CTX_end(ctx); -+ BN_CTX_free(ctx); -+ } -+ -+ return ok; -+} -+#endif -+ - static int rsa_builtin_keygen(RSA *rsa, int bits, int primes, BIGNUM *e_value, - BN_GENCB *cb) - { -diff -up openssl-1.1.1j/crypto/rsa/rsa_lib.c.fips openssl-1.1.1j/crypto/rsa/rsa_lib.c ---- openssl-1.1.1j/crypto/rsa/rsa_lib.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/rsa/rsa_lib.c 2021-03-03 12:57:42.203734558 +0100 -@@ -34,6 +34,12 @@ int RSA_set_method(RSA *rsa, const RSA_M - * to deal with which ENGINE it comes from. - */ - const RSA_METHOD *mtmp; -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) { -+ RSAerr(RSA_F_RSA_SET_METHOD, RSA_R_NON_FIPS_RSA_METHOD); -+ return 0; -+ } -+#endif - mtmp = rsa->meth; - if (mtmp->finish) - mtmp->finish(rsa); -@@ -66,7 +72,6 @@ RSA *RSA_new_method(ENGINE *engine) - - ret->meth = RSA_get_default_method(); - #ifndef OPENSSL_NO_ENGINE -- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; - if (engine) { - if (!ENGINE_init(engine)) { - RSAerr(RSA_F_RSA_NEW_METHOD, ERR_R_ENGINE_LIB); -@@ -84,8 +89,19 @@ RSA *RSA_new_method(ENGINE *engine) - } - } - #endif -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(ret->meth->flags & RSA_FLAG_FIPS_METHOD)) { -+ RSAerr(RSA_F_RSA_NEW_METHOD, RSA_R_NON_FIPS_RSA_METHOD); -+# ifndef OPENSSL_NO_ENGINE -+ if (ret->engine) -+ ENGINE_finish(ret->engine); -+# endif -+ OPENSSL_free(ret); -+ return NULL; -+ } -+#endif - -- ret->flags = ret->meth->flags & ~RSA_FLAG_NON_FIPS_ALLOW; -+ ret->flags = ret->meth->flags; - if (!CRYPTO_new_ex_data(CRYPTO_EX_INDEX_RSA, ret, &ret->ex_data)) { - goto err; - } -diff -up openssl-1.1.1j/crypto/rsa/rsa_ossl.c.fips openssl-1.1.1j/crypto/rsa/rsa_ossl.c ---- openssl-1.1.1j/crypto/rsa/rsa_ossl.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/rsa/rsa_ossl.c 2021-03-03 12:57:42.203734558 +0100 -@@ -12,6 +12,10 @@ - #include "rsa_local.h" - #include "internal/constant_time.h" - -+#ifdef OPENSSL_FIPS -+# include 
-+#endif -+ - static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, - unsigned char *to, RSA *rsa, int padding); - static int rsa_ossl_private_encrypt(int flen, const unsigned char *from, -@@ -47,6 +51,12 @@ static const RSA_METHOD *default_RSA_met - - void RSA_set_default_method(const RSA_METHOD *meth) - { -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(meth->flags & RSA_FLAG_FIPS_METHOD)) { -+ RSAerr(RSA_F_RSA_SET_DEFAULT_METHOD, RSA_R_NON_FIPS_RSA_METHOD); -+ return; -+ } -+#endif - default_RSA_meth = meth; - } - -@@ -73,6 +83,22 @@ static int rsa_ossl_public_encrypt(int f - unsigned char *buf = NULL; - BN_CTX *ctx = NULL; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT, -+ FIPS_R_FIPS_SELFTEST_FAILED); -+ goto err; -+ } -+ -+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { -+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+ } -+# endif -+ - if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { - RSAerr(RSA_F_RSA_OSSL_PUBLIC_ENCRYPT, RSA_R_MODULUS_TOO_LARGE); - return -1; -@@ -246,6 +272,22 @@ static int rsa_ossl_private_encrypt(int - BIGNUM *unblind = NULL; - BN_BLINDING *blinding = NULL; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT, -+ FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+ -+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { -+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_ENCRYPT, RSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+ } -+# endif -+ - if ((ctx = BN_CTX_new()) == NULL) - goto err; - BN_CTX_start(ctx); -@@ -380,6 +422,22 @@ static int rsa_ossl_private_decrypt(int - BIGNUM *unblind = NULL; - BN_BLINDING *blinding = NULL; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (FIPS_selftest_failed()) { -+ 
FIPSerr(FIPS_F_RSA_OSSL_PRIVATE_DECRYPT, -+ FIPS_R_FIPS_SELFTEST_FAILED); -+ return -1; -+ } -+ -+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { -+ RSAerr(RSA_F_RSA_OSSL_PRIVATE_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+ } -+# endif -+ - if ((ctx = BN_CTX_new()) == NULL) - goto err; - BN_CTX_start(ctx); -@@ -507,6 +565,22 @@ static int rsa_ossl_public_decrypt(int f - unsigned char *buf = NULL; - BN_CTX *ctx = NULL; - -+# ifdef OPENSSL_FIPS -+ if (FIPS_mode()) { -+ if (FIPS_selftest_failed()) { -+ FIPSerr(FIPS_F_RSA_OSSL_PUBLIC_DECRYPT, -+ FIPS_R_FIPS_SELFTEST_FAILED); -+ goto err; -+ } -+ -+ if (!(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW) -+ && (BN_num_bits(rsa->n) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS)) { -+ RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_KEY_SIZE_TOO_SMALL); -+ return -1; -+ } -+ } -+# endif -+ - if (BN_num_bits(rsa->n) > OPENSSL_RSA_MAX_MODULUS_BITS) { - RSAerr(RSA_F_RSA_OSSL_PUBLIC_DECRYPT, RSA_R_MODULUS_TOO_LARGE); - return -1; -diff -up openssl-1.1.1j/crypto/rsa/rsa_pmeth.c.fips openssl-1.1.1j/crypto/rsa/rsa_pmeth.c ---- openssl-1.1.1j/crypto/rsa/rsa_pmeth.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/rsa/rsa_pmeth.c 2021-03-03 12:57:42.203734558 +0100 -@@ -756,7 +756,7 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX - - const EVP_PKEY_METHOD rsa_pkey_meth = { - EVP_PKEY_RSA, -- EVP_PKEY_FLAG_AUTOARGLEN, -+ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, - pkey_rsa_init, - pkey_rsa_copy, - pkey_rsa_cleanup, -@@ -838,7 +838,7 @@ static int pkey_pss_init(EVP_PKEY_CTX *c - - const EVP_PKEY_METHOD rsa_pss_pkey_meth = { - EVP_PKEY_RSA_PSS, -- EVP_PKEY_FLAG_AUTOARGLEN, -+ EVP_PKEY_FLAG_AUTOARGLEN | EVP_PKEY_FLAG_FIPS, - pkey_rsa_init, - pkey_rsa_copy, - pkey_rsa_cleanup, -diff -up openssl-1.1.1j/crypto/rsa/rsa_sign.c.fips openssl-1.1.1j/crypto/rsa/rsa_sign.c ---- openssl-1.1.1j/crypto/rsa/rsa_sign.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ 
openssl-1.1.1j/crypto/rsa/rsa_sign.c 2021-03-03 12:57:42.203734558 +0100 -@@ -73,6 +73,13 @@ int RSA_sign(int type, const unsigned ch - unsigned char *tmps = NULL; - const unsigned char *encoded = NULL; - -+#ifdef OPENSSL_FIPS -+ if (FIPS_mode() && !(rsa->meth->flags & RSA_FLAG_FIPS_METHOD) -+ && !(rsa->flags & RSA_FLAG_NON_FIPS_ALLOW)) { -+ RSAerr(RSA_F_RSA_SIGN, RSA_R_NON_FIPS_RSA_METHOD); -+ return 0; -+ } -+#endif - if (rsa->meth->rsa_sign) { - return rsa->meth->rsa_sign(type, m, m_len, sigret, siglen, rsa); - } -@@ -100,8 +107,9 @@ int RSA_sign(int type, const unsigned ch - RSAerr(RSA_F_RSA_SIGN, RSA_R_DIGEST_TOO_BIG_FOR_RSA_KEY); - goto err; - } -- encrypt_len = RSA_private_encrypt(encoded_len, encoded, sigret, rsa, -- RSA_PKCS1_PADDING); -+ /* NB: call underlying method directly to avoid FIPS blocking */ -+ encrypt_len = rsa->meth->rsa_priv_enc ? rsa->meth->rsa_priv_enc(encoded_len, encoded, sigret, rsa, -+ RSA_PKCS1_PADDING) : 0; - if (encrypt_len <= 0) - goto err; - -diff -up openssl-1.1.1j/crypto/sha/sha256.c.fips openssl-1.1.1j/crypto/sha/sha256.c ---- openssl-1.1.1j/crypto/sha/sha256.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/sha/sha256.c 2021-03-03 12:57:42.203734558 +0100 -@@ -18,6 +18,9 @@ - - int SHA224_Init(SHA256_CTX *c) - { -+# ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+# endif - memset(c, 0, sizeof(*c)); - c->h[0] = 0xc1059ed8UL; - c->h[1] = 0x367cd507UL; -@@ -33,6 +36,9 @@ int SHA224_Init(SHA256_CTX *c) - - int SHA256_Init(SHA256_CTX *c) - { -+# ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+# endif - memset(c, 0, sizeof(*c)); - c->h[0] = 0x6a09e667UL; - c->h[1] = 0xbb67ae85UL; -diff -up openssl-1.1.1j/crypto/sha/sha512.c.fips openssl-1.1.1j/crypto/sha/sha512.c ---- openssl-1.1.1j/crypto/sha/sha512.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/crypto/sha/sha512.c 2021-03-03 12:57:42.203734558 +0100 -@@ -98,6 +98,9 @@ int sha512_256_init(SHA512_CTX *c) - - int SHA384_Init(SHA512_CTX *c) - { -+# 
ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+# endif - c->h[0] = U64(0xcbbb9d5dc1059ed8); - c->h[1] = U64(0x629a292a367cd507); - c->h[2] = U64(0x9159015a3070dd17); -@@ -116,6 +119,9 @@ int SHA384_Init(SHA512_CTX *c) - - int SHA512_Init(SHA512_CTX *c) - { -+# ifdef OPENSSL_FIPS -+ FIPS_selftest_check(); -+# endif - c->h[0] = U64(0x6a09e667f3bcc908); - c->h[1] = U64(0xbb67ae8584caa73b); - c->h[2] = U64(0x3c6ef372fe94f82b); -diff -up openssl-1.1.1j/crypto/sha/sha_local.h.fips openssl-1.1.1j/crypto/sha/sha_local.h ---- openssl-1.1.1j/crypto/sha/sha_local.h.fips 2021-03-03 12:57:41.941732391 +0100 -+++ openssl-1.1.1j/crypto/sha/sha_local.h 2021-03-03 12:57:42.203734558 +0100 -@@ -52,6 +52,9 @@ void sha1_block_data_order(SHA_CTX *c, c - - int HASH_INIT(SHA_CTX *c) - { -+#if defined(OPENSSL_FIPS) -+ FIPS_selftest_check(); -+#endif - memset(c, 0, sizeof(*c)); - c->h0 = INIT_DATA_h0; - c->h1 = INIT_DATA_h1; -diff -up openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod.fips openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod ---- openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/doc/man3/DSA_generate_parameters.pod 2021-03-03 12:57:42.203734558 +0100 -@@ -30,8 +30,10 @@ B is the length of the prime p to - For lengths under 2048 bits, the length of q is 160 bits; for lengths - greater than or equal to 2048 bits, the length of q is set to 256 bits. - --If B is NULL, the primes will be generated at random. --If B is less than the length of q, an error is returned. -+If B is NULL, or it does not generate primes, the primes will be -+generated at random. -+If B is less than the length of q, an error is returned -+if old DSA parameter generation method is used as a backend. 
-
- DSA_generate_parameters_ex() places the iteration count in
- *B and a counter used for finding a generator in
-diff -up openssl-1.1.1j/include/crypto/fips.h.fips openssl-1.1.1j/include/crypto/fips.h
---- openssl-1.1.1j/include/crypto/fips.h.fips 2021-03-03 12:57:42.202734550 +0100
-+++ openssl-1.1.1j/include/crypto/fips.h 2021-03-03 12:57:42.202734550 +0100
-@@ -0,0 +1,98 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. 
Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include
-+#include
-+
-+#ifndef OPENSSL_FIPS
-+# error FIPS is disabled.
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+
-+int FIPS_module_mode_set(int onoff);
-+int FIPS_module_mode(void);
-+int FIPS_module_installed(void);
-+int FIPS_selftest_sha1(void);
-+int FIPS_selftest_sha2(void);
-+int FIPS_selftest_sha3(void);
-+int FIPS_selftest_aes_ccm(void);
-+int FIPS_selftest_aes_gcm(void);
-+int FIPS_selftest_aes_xts(void);
-+int FIPS_selftest_aes(void);
-+int FIPS_selftest_des(void);
-+int FIPS_selftest_rsa(void);
-+int FIPS_selftest_dsa(void);
-+int FIPS_selftest_ecdsa(void);
-+int FIPS_selftest_ecdh(void);
-+int FIPS_selftest_dh(void);
-+void FIPS_drbg_stick(int onoff);
-+int FIPS_selftest_hmac(void);
-+int FIPS_selftest_drbg(void);
-+int FIPS_selftest_cmac(void);
-+
-+int fips_pkey_signature_test(EVP_PKEY *pkey,
-+ const unsigned char *tbs, int tbslen,
-+ const unsigned char *kat,
-+ unsigned int katlen,
-+ const EVP_MD *digest,
-+ unsigned int md_flags, const char *fail_str);
-+
-+int fips_cipher_test(EVP_CIPHER_CTX *ctx,
-+ const EVP_CIPHER *cipher,
-+ const unsigned char *key,
-+ const unsigned char *iv,
-+ const unsigned char *plaintext,
-+ const unsigned char *ciphertext, int len);
-+
-+void fips_set_selftest_fail(void);
-+
-+void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr);
-+
-+#endif
-diff -up openssl-1.1.1j/include/openssl/crypto.h.fips openssl-1.1.1j/include/openssl/crypto.h
---- openssl-1.1.1j/include/openssl/crypto.h.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/openssl/crypto.h 2021-03-03 12:57:42.204734567 +0100
-@@ -331,6 +331,11 @@ int OPENSSL_isservice(void);
- int FIPS_mode(void);
- int FIPS_mode_set(int r);
-
-+# ifdef OPENSSL_FIPS
-+/* die if FIPS selftest failed */
-+void FIPS_selftest_check(void);
-+# endif
-+
- void OPENSSL_init(void);
- # ifdef OPENSSL_SYS_UNIX
- void OPENSSL_fork_prepare(void);
-diff -up openssl-1.1.1j/include/openssl/dherr.h.fips openssl-1.1.1j/include/openssl/dherr.h
---- openssl-1.1.1j/include/openssl/dherr.h.fips 2021-02-16 16:24:01.000000000 +0100
-+++ 
openssl-1.1.1j/include/openssl/dherr.h 2021-03-03 12:57:42.204734567 +0100
-@@ -36,6 +36,9 @@ int ERR_load_DH_strings(void);
- # define DH_F_DH_CMS_DECRYPT 114
- # define DH_F_DH_CMS_SET_PEERKEY 115
- # define DH_F_DH_CMS_SET_SHARED_INFO 116
-+# define DH_F_DH_COMPUTE_KEY 203
-+# define DH_F_DH_GENERATE_KEY 202
-+# define DH_F_DH_GENERATE_PARAMETERS_EX 201
- # define DH_F_DH_METH_DUP 117
- # define DH_F_DH_METH_NEW 118
- # define DH_F_DH_METH_SET1_NAME 119
-@@ -73,12 +76,14 @@ int ERR_load_DH_strings(void);
- # define DH_R_INVALID_PARAMETER_NID 114
- # define DH_R_INVALID_PUBKEY 102
- # define DH_R_KDF_PARAMETER_ERROR 112
-+# define DH_R_KEY_SIZE_TOO_SMALL 201
- # define DH_R_KEYS_NOT_SET 108
- # define DH_R_MISSING_PUBKEY 125
- # define DH_R_MODULUS_TOO_LARGE 103
- # define DH_R_NOT_SUITABLE_GENERATOR 120
- # define DH_R_NO_PARAMETERS_SET 107
- # define DH_R_NO_PRIVATE_VALUE 100
-+# define DH_R_NON_FIPS_METHOD 202
- # define DH_R_PARAMETER_ENCODING_ERROR 105
- # define DH_R_PEER_KEY_ERROR 111
- # define DH_R_SHARED_INFO_ERROR 113
-diff -up openssl-1.1.1j/include/openssl/dh.h.fips openssl-1.1.1j/include/openssl/dh.h
---- openssl-1.1.1j/include/openssl/dh.h.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/openssl/dh.h 2021-03-03 12:57:42.204734567 +0100
-@@ -31,6 +31,7 @@ extern "C" {
- # endif
-
- # define OPENSSL_DH_FIPS_MIN_MODULUS_BITS 1024
-+# define OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN 2048
-
- # define DH_FLAG_CACHE_MONT_P 0x01
-
-diff -up openssl-1.1.1j/include/openssl/dsaerr.h.fips openssl-1.1.1j/include/openssl/dsaerr.h
---- openssl-1.1.1j/include/openssl/dsaerr.h.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/openssl/dsaerr.h 2021-03-03 12:57:42.204734567 +0100
-@@ -29,8 +29,11 @@ int ERR_load_DSA_strings(void);
- */
- # define DSA_F_DSAPARAMS_PRINT 100
- # define DSA_F_DSAPARAMS_PRINT_FP 101
-+# define DSA_F_DSA_BUILTIN_KEYGEN 202
- # define DSA_F_DSA_BUILTIN_PARAMGEN 125
- # define DSA_F_DSA_BUILTIN_PARAMGEN2 
126
-+# define DSA_F_DSA_GENERATE_KEY 201
-+# define DSA_F_DSA_GENERATE_PARAMETERS_EX 200
- # define DSA_F_DSA_DO_SIGN 112
- # define DSA_F_DSA_DO_VERIFY 113
- # define DSA_F_DSA_METH_DUP 127
-@@ -60,10 +63,13 @@ int ERR_load_DSA_strings(void);
- # define DSA_R_DECODE_ERROR 104
- # define DSA_R_INVALID_DIGEST_TYPE 106
- # define DSA_R_INVALID_PARAMETERS 112
-+# define DSA_R_KEY_SIZE_INVALID 201
-+# define DSA_R_KEY_SIZE_TOO_SMALL 202
- # define DSA_R_MISSING_PARAMETERS 101
- # define DSA_R_MISSING_PRIVATE_KEY 111
- # define DSA_R_MODULUS_TOO_LARGE 103
- # define DSA_R_NO_PARAMETERS_SET 107
-+# define DSA_R_NON_FIPS_DSA_METHOD 200
- # define DSA_R_PARAMETER_ENCODING_ERROR 105
- # define DSA_R_Q_NOT_PRIME 113
- # define DSA_R_SEED_LEN_SMALL 110
-diff -up openssl-1.1.1j/include/openssl/dsa.h.fips openssl-1.1.1j/include/openssl/dsa.h
---- openssl-1.1.1j/include/openssl/dsa.h.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/openssl/dsa.h 2021-03-03 12:57:42.204734567 +0100
-@@ -31,6 +31,7 @@ extern "C" {
- # endif
-
- # define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS 1024
-+# define OPENSSL_DSA_FIPS_MIN_MODULUS_BITS_GEN 2048
-
- # define DSA_FLAG_CACHE_MONT_P 0x01
- # if OPENSSL_API_COMPAT < 0x10100000L
-diff -up openssl-1.1.1j/include/openssl/evperr.h.fips openssl-1.1.1j/include/openssl/evperr.h
---- openssl-1.1.1j/include/openssl/evperr.h.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/openssl/evperr.h 2021-03-03 12:57:42.204734567 +0100
-@@ -22,14 +22,15 @@ int ERR_load_EVP_strings(void);
- * EVP function codes. 
- */
- # define EVP_F_AESNI_INIT_KEY 165
--# define EVP_F_AESNI_XTS_INIT_KEY 207
-+# define EVP_F_AESNI_XTS_INIT_KEY 233
- # define EVP_F_AES_GCM_CTRL 196
- # define EVP_F_AES_INIT_KEY 133
- # define EVP_F_AES_OCB_CIPHER 169
- # define EVP_F_AES_T4_INIT_KEY 178
--# define EVP_F_AES_T4_XTS_INIT_KEY 208
-+# define EVP_F_AES_T4_XTS_INIT_KEY 234
- # define EVP_F_AES_WRAP_CIPHER 170
--# define EVP_F_AES_XTS_INIT_KEY 209
-+# define EVP_F_AES_XTS_CIPHER 229
-+# define EVP_F_AES_XTS_INIT_KEY 235
- # define EVP_F_ALG_MODULE_INIT 177
- # define EVP_F_ARIA_CCM_INIT_KEY 175
- # define EVP_F_ARIA_GCM_CTRL 197
-@@ -140,6 +141,7 @@ int ERR_load_EVP_strings(void);
- # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133
- # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138
- # define EVP_R_DECODE_ERROR 114
-+# define EVP_R_DISABLED_FOR_FIPS 200
- # define EVP_R_DIFFERENT_KEY_TYPES 101
- # define EVP_R_DIFFERENT_PARAMETERS 153
- # define EVP_R_ERROR_LOADING_SECTION 165
-@@ -184,6 +186,7 @@ int ERR_load_EVP_strings(void);
- # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145
- # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146
- # define EVP_R_PUBLIC_KEY_NOT_RSA 106
-+# define EVP_R_TOO_LARGE 201
- # define EVP_R_UNKNOWN_CIPHER 160
- # define EVP_R_UNKNOWN_DIGEST 161
- # define EVP_R_UNKNOWN_OPTION 169
-@@ -199,6 +202,7 @@ int ERR_load_EVP_strings(void);
- # define EVP_R_UNSUPPORTED_SALT_TYPE 126
- # define EVP_R_WRAP_MODE_NOT_ALLOWED 170
- # define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109
--# define EVP_R_XTS_DUPLICATED_KEYS 183
-+# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 191
-+# define EVP_R_XTS_DUPLICATED_KEYS 192
-
- #endif
-diff -up openssl-1.1.1j/include/openssl/evp.h.fips openssl-1.1.1j/include/openssl/evp.h
---- openssl-1.1.1j/include/openssl/evp.h.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/openssl/evp.h 2021-03-03 12:57:42.204734567 +0100
-@@ -1324,6 +1324,9 @@ void EVP_PKEY_asn1_set_security_bits(EVP
- */
- # define EVP_PKEY_FLAG_SIGCTX_CUSTOM 4
-
-+/* Downstream 
modification, large value to avoid conflict */
-+# define EVP_PKEY_FLAG_FIPS 0x4000
-+
- const EVP_PKEY_METHOD *EVP_PKEY_meth_find(int type);
- EVP_PKEY_METHOD *EVP_PKEY_meth_new(int id, int flags);
- void EVP_PKEY_meth_get0_info(int *ppkey_id, int *pflags,
-diff -up openssl-1.1.1j/include/openssl/fips.h.fips openssl-1.1.1j/include/openssl/fips.h
---- openssl-1.1.1j/include/openssl/fips.h.fips 2021-03-03 12:57:42.204734567 +0100
-+++ openssl-1.1.1j/include/openssl/fips.h 2021-03-03 12:57:42.204734567 +0100
-@@ -0,0 +1,187 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. 
Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE.
-+ *
-+ */
-+
-+#include
-+#include
-+#include
-+#include
-+
-+#ifndef OPENSSL_FIPS
-+# error FIPS is disabled.
-+#endif
-+
-+#ifdef OPENSSL_FIPS
-+
-+# ifdef __cplusplus
-+extern "C" {
-+# endif
-+
-+ int FIPS_selftest(void);
-+ int FIPS_selftest_failed(void);
-+ int FIPS_selftest_drbg_all(void);
-+
-+ int FIPS_dsa_builtin_paramgen2(DSA *ret, size_t L, size_t N,
-+ const EVP_MD *evpmd, const unsigned char *seed_in,
-+ size_t seed_len, int idx, unsigned char *seed_out,
-+ int *counter_ret, unsigned long *h_ret,
-+ BN_GENCB *cb);
-+ int FIPS_dsa_paramgen_check_g(DSA *dsa);
-+
-+/* BEGIN ERROR CODES */
-+/* The following lines are auto generated by the script mkerr.pl. Any changes
-+ * made after this point may be overwritten when the script is next run.
-+ */
-+ int ERR_load_FIPS_strings(void);
-+
-+/* Error codes for the FIPS functions. */
-+
-+/* Function codes. 
*/ -+# define FIPS_F_DH_BUILTIN_GENPARAMS 100 -+# define FIPS_F_DRBG_RESEED 121 -+# define FIPS_F_DSA_BUILTIN_PARAMGEN2 107 -+# define FIPS_F_DSA_DO_SIGN 102 -+# define FIPS_F_DSA_DO_VERIFY 103 -+# define FIPS_F_EVP_CIPHER_CTX_NEW 137 -+# define FIPS_F_EVP_CIPHER_CTX_RESET 122 -+# define FIPS_F_ECDH_COMPUTE_KEY 123 -+# define FIPS_F_EVP_CIPHERINIT_EX 124 -+# define FIPS_F_EVP_DIGESTINIT_EX 125 -+# define FIPS_F_FIPS_CHECK_DSA 104 -+# define FIPS_F_FIPS_CHECK_EC 142 -+# define FIPS_F_FIPS_CHECK_RSA 106 -+# define FIPS_F_FIPS_DRBG_BYTES 131 -+# define FIPS_F_FIPS_DRBG_CHECK 146 -+# define FIPS_F_FIPS_DRBG_CPRNG_TEST 132 -+# define FIPS_F_FIPS_DRBG_ERROR_CHECK 136 -+# define FIPS_F_FIPS_DRBG_GENERATE 134 -+# define FIPS_F_FIPS_DRBG_INIT 135 -+# define FIPS_F_FIPS_DRBG_INSTANTIATE 138 -+# define FIPS_F_FIPS_DRBG_NEW 139 -+# define FIPS_F_FIPS_DRBG_RESEED 140 -+# define FIPS_F_FIPS_DRBG_SINGLE_KAT 141 -+# define FIPS_F_FIPS_GET_ENTROPY 147 -+# define FIPS_F_FIPS_MODULE_MODE_SET 108 -+# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 109 -+# define FIPS_F_FIPS_RAND_BYTES 114 -+# define FIPS_F_FIPS_RAND_SEED 128 -+# define FIPS_F_FIPS_RAND_SET_METHOD 126 -+# define FIPS_F_FIPS_RAND_STATUS 127 -+# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 101 -+# define FIPS_F_FIPS_SELFTEST 150 -+# define FIPS_F_FIPS_SELFTEST_AES 110 -+# define FIPS_F_FIPS_SELFTEST_AES_CCM 145 -+# define FIPS_F_FIPS_SELFTEST_AES_GCM 129 -+# define FIPS_F_FIPS_SELFTEST_AES_XTS 144 -+# define FIPS_F_FIPS_SELFTEST_CMAC 130 -+# define FIPS_F_FIPS_SELFTEST_DES 111 -+# define FIPS_F_FIPS_SELFTEST_DSA 112 -+# define FIPS_F_FIPS_SELFTEST_ECDSA 133 -+# define FIPS_F_FIPS_SELFTEST_HMAC 113 -+# define FIPS_F_FIPS_SELFTEST_SHA1 115 -+# define FIPS_F_FIPS_SELFTEST_SHA2 105 -+# define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 -+# define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148 -+# define FIPS_F_RSA_BUILTIN_KEYGEN 116 -+# define FIPS_F_RSA_OSSL_INIT 149 -+# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 117 -+# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 118 -+# 
define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 119 -+# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 120 -+ -+/* Reason codes. */ -+# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 150 -+# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 125 -+# define FIPS_R_ALREADY_INSTANTIATED 134 -+# define FIPS_R_DRBG_NOT_INITIALISED 152 -+# define FIPS_R_DRBG_STUCK 103 -+# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104 -+# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105 -+# define FIPS_R_ENTROPY_SOURCE_STUCK 142 -+# define FIPS_R_ERROR_INITIALISING_DRBG 115 -+# define FIPS_R_ERROR_INSTANTIATING_DRBG 127 -+# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 124 -+# define FIPS_R_ERROR_RETRIEVING_ENTROPY 122 -+# define FIPS_R_ERROR_RETRIEVING_NONCE 140 -+# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 110 -+# define FIPS_R_FIPS_MODE_ALREADY_SET 102 -+# define FIPS_R_FIPS_SELFTEST_FAILED 106 -+# define FIPS_R_FUNCTION_ERROR 116 -+# define FIPS_R_GENERATE_ERROR 137 -+# define FIPS_R_GENERATE_ERROR_UNDETECTED 118 -+# define FIPS_R_INSTANTIATE_ERROR 119 -+# define FIPS_R_INTERNAL_ERROR 121 -+# define FIPS_R_INVALID_KEY_LENGTH 109 -+# define FIPS_R_IN_ERROR_STATE 123 -+# define FIPS_R_KEY_TOO_SHORT 108 -+# define FIPS_R_NONCE_ERROR_UNDETECTED 149 -+# define FIPS_R_NON_FIPS_METHOD 100 -+# define FIPS_R_NOPR_TEST1_FAILURE 145 -+# define FIPS_R_NOPR_TEST2_FAILURE 146 -+# define FIPS_R_NOT_INSTANTIATED 126 -+# define FIPS_R_PAIRWISE_TEST_FAILED 107 -+# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128 -+# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129 -+# define FIPS_R_PR_TEST1_FAILURE 147 -+# define FIPS_R_PR_TEST2_FAILURE 148 -+# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 130 -+# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 131 -+# define FIPS_R_RESEED_COUNTER_ERROR 132 -+# define FIPS_R_RESEED_ERROR 133 -+# define FIPS_R_SELFTEST_FAILED 101 -+# define FIPS_R_SELFTEST_FAILURE 135 -+# define FIPS_R_TEST_FAILURE 117 -+# define FIPS_R_UNINSTANTIATE_ERROR 141 -+# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 138 -+# 
define FIPS_R_UNSUPPORTED_DRBG_TYPE 139
-+# define FIPS_R_UNSUPPORTED_PLATFORM 113
-+
-+# ifdef __cplusplus
-+}
-+# endif
-+#endif
-diff -up openssl-1.1.1j/include/openssl/fips_rand.h.fips openssl-1.1.1j/include/openssl/fips_rand.h
---- openssl-1.1.1j/include/openssl/fips_rand.h.fips 2021-03-03 12:57:42.204734567 +0100
-+++ openssl-1.1.1j/include/openssl/fips_rand.h 2021-03-03 12:57:42.204734567 +0100
-@@ -0,0 +1,145 @@
-+/* ====================================================================
-+ * Copyright (c) 2003 The OpenSSL Project. All rights reserved.
-+ *
-+ * Redistribution and use in source and binary forms, with or without
-+ * modification, are permitted provided that the following conditions
-+ * are met:
-+ *
-+ * 1. Redistributions of source code must retain the above copyright
-+ * notice, this list of conditions and the following disclaimer.
-+ *
-+ * 2. Redistributions in binary form must reproduce the above copyright
-+ * notice, this list of conditions and the following disclaimer in
-+ * the documentation and/or other materials provided with the
-+ * distribution.
-+ *
-+ * 3. All advertising materials mentioning features or use of this
-+ * software must display the following acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
-+ *
-+ * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
-+ * endorse or promote products derived from this software without
-+ * prior written permission. For written permission, please contact
-+ * openssl-core@openssl.org.
-+ *
-+ * 5. Products derived from this software may not be called "OpenSSL"
-+ * nor may "OpenSSL" appear in their names without prior written
-+ * permission of the OpenSSL Project.
-+ *
-+ * 6. 
Redistributions of any form whatsoever must retain the following
-+ * acknowledgment:
-+ * "This product includes software developed by the OpenSSL Project
-+ * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
-+ *
-+ * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
-+ * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
-+ * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
-+ * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
-+ * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-+ * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
-+ * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
-+ * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
-+ * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
-+ * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
-+ * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
-+ * OF THE POSSIBILITY OF SUCH DAMAGE. 
-+ *
-+ */
-+
-+#ifndef HEADER_FIPS_RAND_H
-+# define HEADER_FIPS_RAND_H
-+
-+# include
-+# include
-+# include
-+# include
-+
-+# ifdef OPENSSL_FIPS
-+
-+# ifdef __cplusplus
-+extern "C" {
-+# endif
-+ typedef struct drbg_ctx_st DRBG_CTX;
-+/* DRBG external flags */
-+/* Flag for CTR mode only: use derivation function ctr_df */
-+# define DRBG_FLAG_CTR_USE_DF 0x1
-+/* PRNG is in test state */
-+# define DRBG_FLAG_TEST 0x2
-+
-+ DRBG_CTX *FIPS_drbg_new(int type, unsigned int flags);
-+ int FIPS_drbg_init(DRBG_CTX *dctx, int type, unsigned int flags);
-+ int FIPS_drbg_instantiate(DRBG_CTX *dctx,
-+ const unsigned char *pers, size_t perslen);
-+ int FIPS_drbg_reseed(DRBG_CTX *dctx, const unsigned char *adin,
-+ size_t adinlen);
-+ int FIPS_drbg_generate(DRBG_CTX *dctx, unsigned char *out, size_t outlen,
-+ int prediction_resistance,
-+ const unsigned char *adin, size_t adinlen);
-+
-+ int FIPS_drbg_uninstantiate(DRBG_CTX *dctx);
-+ void FIPS_drbg_free(DRBG_CTX *dctx);
-+
-+ int FIPS_drbg_set_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_entropy) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy,
-+ size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_entropy) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ size_t entropy_blocklen,
-+ size_t (*get_nonce) (DRBG_CTX *ctx,
-+ unsigned char **pout,
-+ int entropy,
-+ size_t min_len,
-+ size_t max_len),
-+ void (*cleanup_nonce) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen));
-+
-+ int FIPS_drbg_set_rand_callbacks(DRBG_CTX *dctx,
-+ size_t (*get_adin) (DRBG_CTX *ctx,
-+ unsigned char
-+ **pout),
-+ void (*cleanup_adin) (DRBG_CTX *ctx,
-+ unsigned char *out,
-+ size_t olen),
-+ int (*rand_seed_cb) (DRBG_CTX *ctx,
-+ const void *buf,
-+ int num),
-+ int (*rand_add_cb) (DRBG_CTX *ctx,
-+ const void *buf,
-+ int num,
-+ double entropy));
-+
-+ void *FIPS_drbg_get_app_data(DRBG_CTX *ctx);
-+ void FIPS_drbg_set_app_data(DRBG_CTX *ctx, void *app_data);
-+ size_t FIPS_drbg_get_blocklength(DRBG_CTX *dctx);
-+ 
int FIPS_drbg_get_strength(DRBG_CTX *dctx);
-+ void FIPS_drbg_set_check_interval(DRBG_CTX *dctx, int interval);
-+ void FIPS_drbg_set_reseed_interval(DRBG_CTX *dctx, int interval);
-+
-+ int FIPS_drbg_health_check(DRBG_CTX *dctx);
-+
-+ DRBG_CTX *FIPS_get_default_drbg(void);
-+ const RAND_METHOD *FIPS_drbg_method(void);
-+
-+ int FIPS_rand_set_method(const RAND_METHOD *meth);
-+ const RAND_METHOD *FIPS_rand_get_method(void);
-+
-+ void FIPS_rand_set_bits(int nbits);
-+
-+ int FIPS_rand_strength(void);
-+
-+/* 1.0.0 compat functions */
-+ int FIPS_rand_seed(const void *buf, int num);
-+ int FIPS_rand_bytes(unsigned char *out, int outlen);
-+ void FIPS_rand_reset(void);
-+ int FIPS_rand_status(void);
-+# ifdef __cplusplus
-+}
-+# endif
-+# endif
-+#endif
-diff -up openssl-1.1.1j/include/openssl/opensslconf.h.in.fips openssl-1.1.1j/include/openssl/opensslconf.h.in
---- openssl-1.1.1j/include/openssl/opensslconf.h.in.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/openssl/opensslconf.h.in 2021-03-03 12:57:42.205734575 +0100
-@@ -155,6 +155,11 @@ extern "C" {
-
- #define RC4_INT {- $config{rc4_int} -}
-
-+/* Always build FIPS module */
-+#ifndef OPENSSL_FIPS
-+# define OPENSSL_FIPS
-+#endif
-+
- #ifdef __cplusplus
- }
- #endif
-diff -up openssl-1.1.1j/include/openssl/randerr.h.fips openssl-1.1.1j/include/openssl/randerr.h
---- openssl-1.1.1j/include/openssl/randerr.h.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/openssl/randerr.h 2021-03-03 12:57:42.205734575 +0100
-@@ -38,6 +38,7 @@ int ERR_load_RAND_strings(void);
- # define RAND_F_RAND_DRBG_SET 104
- # define RAND_F_RAND_DRBG_SET_DEFAULTS 121
- # define RAND_F_RAND_DRBG_UNINSTANTIATE 118
-+# define RAND_F_RAND_INIT_FIPS 200
- # define RAND_F_RAND_LOAD_FILE 111
- # define RAND_F_RAND_POOL_ACQUIRE_ENTROPY 122
- # define RAND_F_RAND_POOL_ADD 103
-diff -up openssl-1.1.1j/include/openssl/rand.h.fips openssl-1.1.1j/include/openssl/rand.h
---- 
openssl-1.1.1j/include/openssl/rand.h.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/openssl/rand.h 2021-03-03 12:57:42.205734575 +0100
-@@ -69,6 +69,11 @@ DEPRECATEDIN_1_1_0(void RAND_screen(void
- DEPRECATEDIN_1_1_0(int RAND_event(UINT, WPARAM, LPARAM))
- # endif
-
-+# ifdef OPENSSL_FIPS
-+/* just stubs for API compatibility */
-+void RAND_set_fips_drbg_type(int type, int flags);
-+int RAND_init_fips(void);
-+# endif
-
- #ifdef __cplusplus
- }
-diff -up openssl-1.1.1j/include/openssl/rsaerr.h.fips openssl-1.1.1j/include/openssl/rsaerr.h
---- openssl-1.1.1j/include/openssl/rsaerr.h.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/include/openssl/rsaerr.h 2021-03-03 12:57:42.205734575 +0100
-@@ -25,6 +25,7 @@ int ERR_load_RSA_strings(void);
- */
- # define RSA_F_CHECK_PADDING_MD 140
- # define RSA_F_ENCODE_PKCS1 146
-+# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 206
- # define RSA_F_INT_RSA_VERIFY 145
- # define RSA_F_OLD_RSA_PRIV_DECODE 147
- # define RSA_F_PKEY_PSS_INIT 165
-@@ -39,6 +40,8 @@ int ERR_load_RSA_strings(void);
- # define RSA_F_RSA_CHECK_KEY_EX 160
- # define RSA_F_RSA_CMS_DECRYPT 159
- # define RSA_F_RSA_CMS_VERIFY 158
-+# define RSA_F_RSA_GENERATE_KEY_EX 204
-+# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY 207
- # define RSA_F_RSA_ITEM_VERIFY 148
- # define RSA_F_RSA_METH_DUP 161
- # define RSA_F_RSA_METH_NEW 162
-@@ -76,10 +79,16 @@ int ERR_load_RSA_strings(void);
- # define RSA_F_RSA_PRINT_FP 116
- # define RSA_F_RSA_PRIV_DECODE 150
- # define RSA_F_RSA_PRIV_ENCODE 138
-+# define RSA_F_RSA_PRIVATE_DECRYPT 200
-+# define RSA_F_RSA_PRIVATE_ENCRYPT 201
- # define RSA_F_RSA_PSS_GET_PARAM 151
- # define RSA_F_RSA_PSS_TO_CTX 155
- # define RSA_F_RSA_PUB_DECODE 139
-+# define RSA_F_RSA_PUBLIC_DECRYPT 202
-+# define RSA_F_RSA_PUBLIC_ENCRYPT 203
- # define RSA_F_RSA_SETUP_BLINDING 136
-+# define RSA_F_RSA_SET_DEFAULT_METHOD 205
-+# define RSA_F_RSA_SET_METHOD 204
- # define RSA_F_RSA_SIGN 117
- # define 
RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118
- # define RSA_F_RSA_VERIFY 119
-@@ -137,10 +146,12 @@ int ERR_load_RSA_strings(void);
- # define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D 169
- # define RSA_R_MP_R_NOT_PRIME 170
- # define RSA_R_NO_PUBLIC_EXPONENT 140
-+# define RSA_R_NON_FIPS_RSA_METHOD 200
- # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113
- # define RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES 172
- # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127
- # define RSA_R_OAEP_DECODING_ERROR 121
-+# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 201
- # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148
- # define RSA_R_PADDING_CHECK_FAILED 114
- # define RSA_R_PKCS_DECODING_ERROR 159
-@@ -160,6 +171,7 @@ int ERR_load_RSA_strings(void);
- # define RSA_R_UNSUPPORTED_LABEL_SOURCE 163
- # define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153
- # define RSA_R_UNSUPPORTED_MASK_PARAMETER 154
-+# define RSA_R_UNSUPPORTED_PARAMETERS 202
- # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155
- # define RSA_R_VALUE_MISSING 147
- # define RSA_R_WRONG_SIGNATURE_LENGTH 119
-diff -up openssl-1.1.1j/ssl/s3_lib.c.fips openssl-1.1.1j/ssl/s3_lib.c
---- openssl-1.1.1j/ssl/s3_lib.c.fips 2021-02-16 16:24:01.000000000 +0100
-+++ openssl-1.1.1j/ssl/s3_lib.c 2021-03-03 12:57:42.205734575 +0100
-@@ -43,7 +43,7 @@ static SSL_CIPHER tls13_ciphers[] = {
- SSL_AEAD,
- TLS1_3_VERSION, TLS1_3_VERSION,
- 0, 0,
-- SSL_HIGH,
-+ SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256,
- 128,
- 128,
-@@ -58,7 +58,7 @@ static SSL_CIPHER tls13_ciphers[] = {
- SSL_AEAD,
- TLS1_3_VERSION, TLS1_3_VERSION,
- 0, 0,
-- SSL_HIGH,
-+ SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA384,
- 256,
- 256,
-@@ -92,7 +92,7 @@ static SSL_CIPHER tls13_ciphers[] = {
- SSL_AEAD,
- TLS1_3_VERSION, TLS1_3_VERSION,
- 0, 0,
-- SSL_NOT_DEFAULT | SSL_HIGH,
-+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256,
- 128,
- 128,
-@@ -634,7 +634,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
- SSL_AEAD,
- TLS1_2_VERSION, TLS1_2_VERSION,
- DTLS1_2_VERSION, 
DTLS1_2_VERSION,
-- SSL_NOT_DEFAULT | SSL_HIGH,
-+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
- 128,
- 128,
-@@ -650,7 +650,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
- SSL_AEAD,
- TLS1_2_VERSION, TLS1_2_VERSION,
- DTLS1_2_VERSION, DTLS1_2_VERSION,
-- SSL_NOT_DEFAULT | SSL_HIGH,
-+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
- 256,
- 256,
-@@ -666,7 +666,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
- SSL_AEAD,
- TLS1_2_VERSION, TLS1_2_VERSION,
- DTLS1_2_VERSION, DTLS1_2_VERSION,
-- SSL_NOT_DEFAULT | SSL_HIGH,
-+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
- 128,
- 128,
-@@ -682,7 +682,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
- SSL_AEAD,
- TLS1_2_VERSION, TLS1_2_VERSION,
- DTLS1_2_VERSION, DTLS1_2_VERSION,
-- SSL_NOT_DEFAULT | SSL_HIGH,
-+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
- 256,
- 256,
-@@ -794,7 +794,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
- SSL_AEAD,
- TLS1_2_VERSION, TLS1_2_VERSION,
- DTLS1_2_VERSION, DTLS1_2_VERSION,
-- SSL_NOT_DEFAULT | SSL_HIGH,
-+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
- 128,
- 128,
-@@ -810,7 +810,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
- SSL_AEAD,
- TLS1_2_VERSION, TLS1_2_VERSION,
- DTLS1_2_VERSION, DTLS1_2_VERSION,
-- SSL_NOT_DEFAULT | SSL_HIGH,
-+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
- 256,
- 256,
-@@ -890,7 +890,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
- SSL_AEAD,
- TLS1_2_VERSION, TLS1_2_VERSION,
- DTLS1_2_VERSION, DTLS1_2_VERSION,
-- SSL_NOT_DEFAULT | SSL_HIGH,
-+ SSL_NOT_DEFAULT | SSL_HIGH | SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
- 128,
- 128,
-@@ -906,7 +906,7 @@ static SSL_CIPHER ssl3_ciphers[] = {
- SSL_AEAD,
- TLS1_2_VERSION, TLS1_2_VERSION,
- DTLS1_2_VERSION, DTLS1_2_VERSION,
-- SSL_NOT_DEFAULT | SSL_HIGH,
-+ SSL_NOT_DEFAULT | SSL_HIGH | 
SSL_FIPS,
- SSL_HANDSHAKE_MAC_SHA256 | TLS1_PRF_SHA256,
- 256,
- 256,
-diff -up openssl-1.1.1j/ssl/ssl_ciph.c.fips openssl-1.1.1j/ssl/ssl_ciph.c
---- openssl-1.1.1j/ssl/ssl_ciph.c.fips 2021-03-03 12:57:42.193734476 +0100
-+++ openssl-1.1.1j/ssl/ssl_ciph.c 2021-03-03 12:57:42.206734583 +0100
-@@ -387,7 +387,7 @@ int ssl_load_ciphers(void)
- }
- }
- /* Make sure we can access MD5 and SHA1 */
-- if (!ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))
-+ if (!FIPS_mode() && !ossl_assert(ssl_digest_methods[SSL_MD_MD5_IDX] != NULL))
- return 0;
- if (!ossl_assert(ssl_digest_methods[SSL_MD_SHA1_IDX] != NULL))
- return 0;
-@@ -559,6 +559,9 @@ int ssl_cipher_get_evp(const SSL_SESSION
- s->ssl_version < TLS1_VERSION)
- return 1;
-
-+ if (FIPS_mode())
-+ return 1;
-+
- if (c->algorithm_enc == SSL_RC4 &&
- c->algorithm_mac == SSL_MD5 &&
- (evp = EVP_get_cipherbyname("RC4-HMAC-MD5")))
-@@ -667,6 +670,8 @@ static void ssl_cipher_collect_ciphers(c
- /* drop those that use any of that is not available */
- if (c == NULL || !c->valid)
- continue;
-+ if (FIPS_mode() && !(c->algo_strength & SSL_FIPS))
-+ continue;
- if ((c->algorithm_mkey & disabled_mkey) ||
- (c->algorithm_auth & disabled_auth) ||
- (c->algorithm_enc & disabled_enc) ||
-@@ -1671,7 +1676,8 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_
- * to the resulting precedence to the STACK_OF(SSL_CIPHER). 
- */ - for (curr = head; curr != NULL; curr = curr->next) { -- if (curr->active) { -+ if (curr->active -+ && (!FIPS_mode() || curr->cipher->algo_strength & SSL_FIPS)) { - if (!sk_SSL_CIPHER_push(cipherstack, curr->cipher)) { - OPENSSL_free(co_list); - sk_SSL_CIPHER_free(cipherstack); -diff -up openssl-1.1.1j/ssl/ssl_init.c.fips openssl-1.1.1j/ssl/ssl_init.c ---- openssl-1.1.1j/ssl/ssl_init.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/ssl/ssl_init.c 2021-03-03 12:57:42.206734583 +0100 -@@ -27,6 +27,10 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas - fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " - "Adding SSL ciphers and digests\n"); - #endif -+#ifdef OPENSSL_FIPS -+ if (!FIPS_mode()) { -+#endif -+ - #ifndef OPENSSL_NO_DES - EVP_add_cipher(EVP_des_cbc()); - EVP_add_cipher(EVP_des_ede3_cbc()); -@@ -87,6 +91,31 @@ DEFINE_RUN_ONCE_STATIC(ossl_init_ssl_bas - EVP_add_digest(EVP_sha256()); - EVP_add_digest(EVP_sha384()); - EVP_add_digest(EVP_sha512()); -+#ifdef OPENSSL_FIPS -+ } else { -+# ifndef OPENSSL_NO_DES -+ EVP_add_cipher(EVP_des_ede3_cbc()); -+# endif -+ EVP_add_cipher(EVP_aes_128_cbc()); -+ EVP_add_cipher(EVP_aes_192_cbc()); -+ EVP_add_cipher(EVP_aes_256_cbc()); -+ EVP_add_cipher(EVP_aes_128_gcm()); -+ EVP_add_cipher(EVP_aes_256_gcm()); -+ EVP_add_cipher(EVP_aes_128_ccm()); -+ EVP_add_cipher(EVP_aes_256_ccm()); -+# ifndef OPENSSL_NO_MD5 -+ /* needed even in the FIPS mode for TLS-1.0 */ -+ EVP_add_digest(EVP_md5_sha1()); -+# endif -+ EVP_add_digest(EVP_sha1()); /* RSA with sha1 */ -+ EVP_add_digest_alias(SN_sha1, "ssl3-sha1"); -+ EVP_add_digest_alias(SN_sha1WithRSAEncryption, SN_sha1WithRSA); -+ EVP_add_digest(EVP_sha224()); -+ EVP_add_digest(EVP_sha256()); -+ EVP_add_digest(EVP_sha384()); -+ EVP_add_digest(EVP_sha512()); -+ } -+#endif - #ifndef OPENSSL_NO_COMP - # ifdef OPENSSL_INIT_DEBUG - fprintf(stderr, "OPENSSL_INIT: ossl_init_ssl_base: " -diff -up openssl-1.1.1j/ssl/ssl_lib.c.fips openssl-1.1.1j/ssl/ssl_lib.c ---- 
openssl-1.1.1j/ssl/ssl_lib.c.fips 2021-03-03 12:57:42.193734476 +0100 -+++ openssl-1.1.1j/ssl/ssl_lib.c 2021-03-03 12:57:42.206734583 +0100 -@@ -2973,6 +2973,11 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m - if (!OPENSSL_init_ssl(OPENSSL_INIT_LOAD_SSL_STRINGS, NULL)) - return NULL; - -+ if (FIPS_mode() && (meth->version < TLS1_VERSION)) { -+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE); -+ return NULL; -+ } -+ - if (SSL_get_ex_data_X509_STORE_CTX_idx() < 0) { - SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_X509_VERIFICATION_SETUP_PROBLEMS); - goto err; -@@ -3029,13 +3034,17 @@ SSL_CTX *SSL_CTX_new(const SSL_METHOD *m - if (ret->param == NULL) - goto err; - -- if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { -- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); -- goto err2; -- } -- if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { -- SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); -- goto err2; -+ if (!FIPS_mode()) { -+ if ((ret->md5 = EVP_get_digestbyname("ssl3-md5")) == NULL) { -+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_MD5_ROUTINES); -+ goto err2; -+ } -+ if ((ret->sha1 = EVP_get_digestbyname("ssl3-sha1")) == NULL) { -+ SSLerr(SSL_F_SSL_CTX_NEW, SSL_R_UNABLE_TO_LOAD_SSL3_SHA1_ROUTINES); -+ goto err2; -+ } -+ } else { -+ ret->min_proto_version = TLS1_VERSION; - } - - if ((ret->ca_names = sk_X509_NAME_new_null()) == NULL) -diff -up openssl-1.1.1j/ssl/ssl_local.h.fips openssl-1.1.1j/ssl/ssl_local.h ---- openssl-1.1.1j/ssl/ssl_local.h.fips 2021-03-03 12:57:42.100733706 +0100 -+++ openssl-1.1.1j/ssl/ssl_local.h 2021-03-03 12:57:42.206734583 +0100 -@@ -1515,6 +1515,7 @@ typedef struct tls_group_info_st { - # define TLS_CURVE_PRIME 0x0 - # define TLS_CURVE_CHAR2 0x1 - # define TLS_CURVE_CUSTOM 0x2 -+# define TLS_CURVE_FIPS 0x80 - - typedef struct cert_pkey_st CERT_PKEY; - -diff -up openssl-1.1.1j/ssl/t1_lib.c.fips openssl-1.1.1j/ssl/t1_lib.c ---- openssl-1.1.1j/ssl/t1_lib.c.fips 
2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/ssl/t1_lib.c 2021-03-03 12:57:42.207734591 +0100 -@@ -159,11 +159,11 @@ static const TLS_GROUP_INFO nid_list[] = - {NID_secp192k1, 80, TLS_CURVE_PRIME}, /* secp192k1 (18) */ - {NID_X9_62_prime192v1, 80, TLS_CURVE_PRIME}, /* secp192r1 (19) */ - {NID_secp224k1, 112, TLS_CURVE_PRIME}, /* secp224k1 (20) */ -- {NID_secp224r1, 112, TLS_CURVE_PRIME}, /* secp224r1 (21) */ -+ {NID_secp224r1, 112, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp224r1 (21) */ - {NID_secp256k1, 128, TLS_CURVE_PRIME}, /* secp256k1 (22) */ -- {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME}, /* secp256r1 (23) */ -- {NID_secp384r1, 192, TLS_CURVE_PRIME}, /* secp384r1 (24) */ -- {NID_secp521r1, 256, TLS_CURVE_PRIME}, /* secp521r1 (25) */ -+ {NID_X9_62_prime256v1, 128, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp256r1 (23) */ -+ {NID_secp384r1, 192, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp384r1 (24) */ -+ {NID_secp521r1, 256, TLS_CURVE_PRIME | TLS_CURVE_FIPS}, /* secp521r1 (25) */ - {NID_brainpoolP256r1, 128, TLS_CURVE_PRIME}, /* brainpoolP256r1 (26) */ - {NID_brainpoolP384r1, 192, TLS_CURVE_PRIME}, /* brainpoolP384r1 (27) */ - {NID_brainpoolP512r1, 256, TLS_CURVE_PRIME}, /* brainpool512r1 (28) */ -@@ -258,6 +258,8 @@ int tls_curve_allowed(SSL *s, uint16_t c - if (cinfo->flags & TLS_CURVE_CHAR2) - return 0; - # endif -+ if (FIPS_mode() && !(cinfo->flags & TLS_CURVE_FIPS)) -+ return 0; - ctmp[0] = curve >> 8; - ctmp[1] = curve & 0xff; - return ssl_security(s, op, cinfo->secbits, cinfo->nid, (void *)ctmp); -diff -up openssl-1.1.1j/test/dsatest.c.fips openssl-1.1.1j/test/dsatest.c ---- openssl-1.1.1j/test/dsatest.c.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/test/dsatest.c 2021-03-03 12:57:42.207734591 +0100 -@@ -24,41 +24,42 @@ - #ifndef OPENSSL_NO_DSA - static int dsa_cb(int p, int n, BN_GENCB *arg); - --/* -- * seed, out_p, out_q, out_g are taken from the updated Appendix 5 to FIPS -- * PUB 186 and also appear in Appendix 5 to FIPS PIB 
186-1 -- */ - static unsigned char seed[20] = { -- 0xd5, 0x01, 0x4e, 0x4b, 0x60, 0xef, 0x2b, 0xa8, 0xb6, 0x21, 0x1b, 0x40, -- 0x62, 0xba, 0x32, 0x24, 0xe0, 0x42, 0x7d, 0xd3, -+ 0x02, 0x47, 0x11, 0x92, 0x11, 0x88, 0xC8, 0xFB, 0xAF, 0x48, 0x4C, 0x62, -+ 0xDF, 0xA5, 0xBE, 0xA0, 0xA4, 0x3C, 0x56, 0xE3, - }; - - static unsigned char out_p[] = { -- 0x8d, 0xf2, 0xa4, 0x94, 0x49, 0x22, 0x76, 0xaa, -- 0x3d, 0x25, 0x75, 0x9b, 0xb0, 0x68, 0x69, 0xcb, -- 0xea, 0xc0, 0xd8, 0x3a, 0xfb, 0x8d, 0x0c, 0xf7, -- 0xcb, 0xb8, 0x32, 0x4f, 0x0d, 0x78, 0x82, 0xe5, -- 0xd0, 0x76, 0x2f, 0xc5, 0xb7, 0x21, 0x0e, 0xaf, -- 0xc2, 0xe9, 0xad, 0xac, 0x32, 0xab, 0x7a, 0xac, -- 0x49, 0x69, 0x3d, 0xfb, 0xf8, 0x37, 0x24, 0xc2, -- 0xec, 0x07, 0x36, 0xee, 0x31, 0xc8, 0x02, 0x91, -+ 0xAC, 0xCB, 0x1E, 0x63, 0x60, 0x69, 0x0C, 0xFB, 0x06, 0x19, 0x68, 0x3E, -+ 0xA5, 0x01, 0x5A, 0xA2, 0x15, 0x5C, 0xE2, 0x99, 0x2D, 0xD5, 0x30, 0x99, -+ 0x7E, 0x5F, 0x8D, 0xE2, 0xF7, 0xC6, 0x2E, 0x8D, 0xA3, 0x9F, 0x58, 0xAD, -+ 0xD6, 0xA9, 0x7D, 0x0E, 0x0D, 0x95, 0x53, 0xA6, 0x71, 0x3A, 0xDE, 0xAB, -+ 0xAC, 0xE9, 0xF4, 0x36, 0x55, 0x9E, 0xB9, 0xD6, 0x93, 0xBF, 0xF3, 0x18, -+ 0x1C, 0x14, 0x7B, 0xA5, 0x42, 0x2E, 0xCD, 0x00, 0xEB, 0x35, 0x3B, 0x1B, -+ 0xA8, 0x51, 0xBB, 0xE1, 0x58, 0x42, 0x85, 0x84, 0x22, 0xA7, 0x97, 0x5E, -+ 0x99, 0x6F, 0x38, 0x20, 0xBD, 0x9D, 0xB6, 0xD9, 0x33, 0x37, 0x2A, 0xFD, -+ 0xBB, 0xD4, 0xBC, 0x0C, 0x2A, 0x67, 0xCB, 0x9F, 0xBB, 0xDF, 0xF9, 0x93, -+ 0xAA, 0xD6, 0xF0, 0xD6, 0x95, 0x0B, 0x5D, 0x65, 0x14, 0xD0, 0x18, 0x9D, -+ 0xC6, 0xAF, 0xF0, 0xC6, 0x37, 0x7C, 0xF3, 0x5F, - }; - - static unsigned char out_q[] = { -- 0xc7, 0x73, 0x21, 0x8c, 0x73, 0x7e, 0xc8, 0xee, -- 0x99, 0x3b, 0x4f, 0x2d, 0xed, 0x30, 0xf4, 0x8e, -- 0xda, 0xce, 0x91, 0x5f, -+ 0xE3, 0x8E, 0x5E, 0x6D, 0xBF, 0x2B, 0x79, 0xF8, 0xC5, 0x4B, 0x89, 0x8B, -+ 0xBA, 0x2D, 0x91, 0xC3, 0x6C, 0x80, 0xAC, 0x87, - }; - - static unsigned char out_g[] = { -- 0x62, 0x6d, 0x02, 0x78, 0x39, 0xea, 0x0a, 0x13, -- 0x41, 0x31, 0x63, 0xa5, 0x5b, 0x4c, 0xb5, 0x00, -- 
0x29, 0x9d, 0x55, 0x22, 0x95, 0x6c, 0xef, 0xcb, -- 0x3b, 0xff, 0x10, 0xf3, 0x99, 0xce, 0x2c, 0x2e, -- 0x71, 0xcb, 0x9d, 0xe5, 0xfa, 0x24, 0xba, 0xbf, -- 0x58, 0xe5, 0xb7, 0x95, 0x21, 0x92, 0x5c, 0x9c, -- 0xc4, 0x2e, 0x9f, 0x6f, 0x46, 0x4b, 0x08, 0x8c, -- 0xc5, 0x72, 0xaf, 0x53, 0xe6, 0xd7, 0x88, 0x02, -+ 0x42, 0x4A, 0x04, 0x4E, 0x79, 0xB4, 0x99, 0x7F, 0xFD, 0x58, 0x36, 0x2C, -+ 0x1B, 0x5F, 0x18, 0x7E, 0x0D, 0xCC, 0xAB, 0x81, 0xC9, 0x5D, 0x10, 0xCE, -+ 0x4E, 0x80, 0x7E, 0x58, 0xB4, 0x34, 0x3F, 0xA7, 0x45, 0xC7, 0xAA, 0x36, -+ 0x24, 0x42, 0xA9, 0x3B, 0xE8, 0x0E, 0x04, 0x02, 0x2D, 0xFB, 0xA6, 0x13, -+ 0xB9, 0xB5, 0x15, 0xA5, 0x56, 0x07, 0x35, 0xE4, 0x03, 0xB6, 0x79, 0x7C, -+ 0x62, 0xDD, 0xDF, 0x3F, 0x71, 0x3A, 0x9D, 0x8B, 0xC4, 0xF6, 0xE7, 0x1D, -+ 0x52, 0xA8, 0xA9, 0x43, 0x1D, 0x33, 0x51, 0x88, 0x39, 0xBD, 0x73, 0xE9, -+ 0x5F, 0xBE, 0x82, 0x49, 0x27, 0xE6, 0xB5, 0x53, 0xC1, 0x38, 0xAC, 0x2F, -+ 0x6D, 0x97, 0x6C, 0xEB, 0x67, 0xC1, 0x5F, 0x67, 0xF8, 0x35, 0x05, 0x5E, -+ 0xD5, 0x68, 0x80, 0xAA, 0x96, 0xCA, 0x0B, 0x8A, 0xE6, 0xF1, 0xB1, 0x41, -+ 0xC6, 0x75, 0x94, 0x0A, 0x0A, 0x2A, 0xFA, 0x29, - }; - - static const unsigned char str1[] = "12345678901234567890"; -@@ -79,11 +80,11 @@ static int dsa_test(void) - - BN_GENCB_set(cb, dsa_cb, NULL); - if (!TEST_ptr(dsa = DSA_new()) -- || !TEST_true(DSA_generate_parameters_ex(dsa, 512, seed, 20, -+ || !TEST_true(DSA_generate_parameters_ex(dsa, 1024, seed, 20, - &counter, &h, cb))) - goto end; - -- if (!TEST_int_eq(counter, 105)) -+ if (!TEST_int_eq(counter, 239)) - goto end; - if (!TEST_int_eq(h, 2)) - goto end; -diff -up openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt.fips openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt ---- openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/test/recipes/30-test_evp_data/evpciph.txt 2021-03-03 12:57:42.207734591 +0100 -@@ -1206,6 +1206,7 @@ Key = 0000000000000000000000000000000000 - IV = 
00000000000000000000000000000000 - Plaintext = 0000000000000000000000000000000000000000000000000000000000000000 - Ciphertext = 917cf69ebd68b2ec9b9fe9a3eadda692cd43d2f59598ed858c02c2652fbf922e -+Result = KEY_SET_ERROR - - Cipher = aes-128-xts - Key = 1111111111111111111111111111111122222222222222222222222222222222 -diff -up openssl-1.1.1j/util/libcrypto.num.fips openssl-1.1.1j/util/libcrypto.num ---- openssl-1.1.1j/util/libcrypto.num.fips 2021-02-16 16:24:01.000000000 +0100 -+++ openssl-1.1.1j/util/libcrypto.num 2021-03-03 12:57:42.208734600 +0100 -@@ -4591,3 +4591,38 @@ X509_ALGOR_copy - X509_REQ_set0_signature 4545 1_1_1h EXIST::FUNCTION: - X509_REQ_set1_signature_algo 4546 1_1_1h EXIST::FUNCTION: - EC_KEY_decoded_from_explicit_params 4547 1_1_1h EXIST::FUNCTION:EC -+FIPS_drbg_reseed 6348 1_1_0g EXIST::FUNCTION: -+FIPS_selftest_check 6349 1_1_0g EXIST::FUNCTION: -+FIPS_rand_set_method 6350 1_1_0g EXIST::FUNCTION: -+FIPS_get_default_drbg 6351 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_set_reseed_interval 6352 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_set_app_data 6353 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_method 6354 1_1_0g EXIST::FUNCTION: -+FIPS_rand_status 6355 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_instantiate 6356 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_set_callbacks 6357 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_new 6358 1_1_0g EXIST::FUNCTION: -+FIPS_dsa_paramgen_check_g 6359 1_1_0g EXIST::FUNCTION: -+FIPS_selftest 6360 1_1_0g EXIST::FUNCTION: -+FIPS_rand_set_bits 6361 1_1_0g EXIST::FUNCTION: -+FIPS_rand_bytes 6362 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_get_app_data 6363 1_1_0g EXIST::FUNCTION: -+FIPS_selftest_failed 6364 1_1_0g EXIST::FUNCTION: -+FIPS_dsa_builtin_paramgen2 6365 1_1_0g EXIST::FUNCTION: -+FIPS_rand_reset 6366 1_1_0g EXIST::FUNCTION: -+ERR_load_FIPS_strings 6367 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_generate 6368 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_uninstantiate 6369 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_set_check_interval 6370 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_free 6371 
1_1_0g EXIST::FUNCTION: -+FIPS_selftest_drbg_all 6372 1_1_0g EXIST::FUNCTION: -+FIPS_rand_get_method 6373 1_1_0g EXIST::FUNCTION: -+RAND_set_fips_drbg_type 6374 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_health_check 6375 1_1_0g EXIST::FUNCTION: -+RAND_init_fips 6376 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_set_rand_callbacks 6377 1_1_0g EXIST::FUNCTION: -+FIPS_rand_seed 6378 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_get_strength 6379 1_1_0g EXIST::FUNCTION: -+FIPS_rand_strength 6380 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_get_blocklength 6381 1_1_0g EXIST::FUNCTION: -+FIPS_drbg_init 6382 1_1_0g EXIST::FUNCTION: diff --git a/SOURCES/openssl-1.1.1-fix-ssl-select-next-proto.patch b/SOURCES/openssl-1.1.1-fix-ssl-select-next-proto.patch deleted file mode 100644 index 4ddc940..0000000 --- a/SOURCES/openssl-1.1.1-fix-ssl-select-next-proto.patch +++ /dev/null 
@@ -1,255 +0,0 @@ -From d1d4b56fe0c9a4200276d630f62108e1165e0990 Mon Sep 17 00:00:00 2001 -From: Maurizio Barbaro -Date: Mon, 16 Sep 2024 10:53:53 +0200 -Subject: [PATCH] Backport openssl: SSL_select_next_proto buffer overread from 3.2 - -Ensure that the provided client list is non-NULL and starts with a valid -entry. When called from the ALPN callback the client list should already -have been validated by OpenSSL so this should not cause a problem. When -called from the NPN callback the client list is locally configured and -will not have already been validated. Therefore SSL_select_next_proto -should not assume that it is correctly formatted. - -We implement stricter checking of the client protocol list. We also do the -same for the server list while we are about it. - -CVE-2024-5535 - -From: Matt Caswell -Date: Fri, 31 May 2024 11:14:33 +0100 -Merged from: https://github.com/openssl/openssl/pull/24717. - -Backported-by: Maurizio Barbaro -we did't ported test changes because rely on internal testing framework. 
- ---- - doc/man3/SSL_CTX_set_alpn_select_cb.pod | 28 +++++++---- - ssl/ssl_lib.c | 64 +++++++++++++++---------- - ssl/statem/extensions_clnt.c | 30 +++++++++++- - ssl/statem/extensions_srvr.c | 3 +- - 4 files changed, 89 insertions(+), 36 deletions(-) - -diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod -index e90caec..a3f8dfd 100644 ---- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod -+++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod -@@ -43,7 +43,7 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated - const unsigned char *server, - unsigned int server_len, - const unsigned char *client, -- unsigned int client_len) -+ unsigned int client_len); - void SSL_get0_next_proto_negotiated(const SSL *s, const unsigned char **data, - unsigned *len); - -@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated - SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to - set the list of protocols available to be negotiated. The B must be in - protocol-list format, described below. The length of B is specified in --B. -+B. Setting B to 0 clears any existing list of ALPN -+protocols and no ALPN extension will be sent to the server. - - SSL_CTX_set_alpn_select_cb() sets the application callback B used by a - server to select which protocol to use for the incoming connection. When B -@@ -73,9 +74,16 @@ B and B, B must be in the protocol-list format - described below. The first item in the B, B list that - matches an item in the B, B list is selected, and returned - in B, B. The B value will point into either B or --B, so it should be copied immediately. If no match is found, the first --item in B, B is returned in B, B. This --function can also be used in the NPN callback. -+B, so it should be copied immediately. The client list must include at -+least one valid (nonempty) protocol entry in the list. 
-+ -+The SSL_select_next_proto() helper function can be useful from either the ALPN -+callback or the NPN callback (described below). If no match is found, the first -+item in B, B is returned in B, B and -+B is returned. This can be useful when implementating -+the NPN callback. In the ALPN case, the value returned in B and B -+must be ignored if B has been returned from -+SSL_select_next_proto(). - - SSL_CTX_set_next_proto_select_cb() sets a callback B that is called when a - client needs to select a protocol from the server's provided list, and a -@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B). - The length of the protocol name must be written into B. The - server's advertised protocols are provided in B and B. The - callback can assume that B is syntactically valid. The client must --select a protocol. It is fatal to the connection if this callback returns --a value other than B. The B parameter is the pointer --set via SSL_CTX_set_next_proto_select_cb(). -+select a protocol (although it may be an empty, zero length protocol). It is -+fatal to the connection if this callback returns a value other than -+B or if the zero length protocol is selected. The B -+parameter is the pointer set via SSL_CTX_set_next_proto_select_cb(). - - SSL_CTX_set_next_protos_advertised_cb() sets a callback B that is called - when a TLS server needs a list of supported protocols for Next Protocol -@@ -149,7 +158,8 @@ A match was found and is returned in B, B. - =item OPENSSL_NPN_NO_OVERLAP - - No match was found. The first item in B, B is returned in --B, B. -+B, B (or B and 0 in the case where the first entry in -+B is invalid). 
- - =back - -diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c -index c71c686..21e6c45 100644 ---- a/ssl/ssl_lib.c -+++ b/ssl/ssl_lib.c -@@ -2739,38 +2739,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, - unsigned int server_len, - const unsigned char *client, unsigned int client_len) - { -- unsigned int i, j; -- const unsigned char *result; -- int status = OPENSSL_NPN_UNSUPPORTED; -+ PACKET cpkt, csubpkt, spkt, ssubpkt; -+ if (!PACKET_buf_init(&cpkt, client, client_len) -+ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) -+ || PACKET_remaining(&csubpkt) == 0) { -+ *out = NULL; -+ *outlen = 0; -+ return OPENSSL_NPN_NO_OVERLAP; -+ } -+ -+ /* -+ * Set the default opportunistic protocol. Will be overwritten if we find -+ * a match. -+ */ -+ *out = (unsigned char *)PACKET_data(&csubpkt); -+ *outlen = (unsigned char)PACKET_remaining(&csubpkt); - - /* - * For each protocol in server preference order, see if we support it. - */ -- for (i = 0; i < server_len;) { -- for (j = 0; j < client_len;) { -- if (server[i] == client[j] && -- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { -- /* We found a match */ -- result = &server[i]; -- status = OPENSSL_NPN_NEGOTIATED; -- goto found; -+ if (PACKET_buf_init(&spkt, server, server_len)) { -+ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { -+ if (PACKET_remaining(&ssubpkt) == 0) -+ continue; /* Invalid - ignore it */ -+ if (PACKET_buf_init(&cpkt, client, client_len)) { -+ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { -+ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), -+ PACKET_remaining(&ssubpkt))) { -+ /* We found a match */ -+ *out = (unsigned char *)PACKET_data(&ssubpkt); -+ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); -+ return OPENSSL_NPN_NEGOTIATED; -+ } -+ } -+ /* Ignore spurious trailing bytes in the client list */ -+ } else { -+ /* This should never happen */ -+ return OPENSSL_NPN_NO_OVERLAP; - } -- j += client[j]; -- j++; - } -- i += server[i]; -- i++; -+ /* Ignore 
spurious trailing bytes in the server list */ - } - -- /* There's no overlap between our protocols and the server's list. */ -- result = client; -- status = OPENSSL_NPN_NO_OVERLAP; -- -- found: -- *out = (unsigned char *)result + 1; -- *outlen = result[0]; -- return status; --} -+ /* -+ * There's no overlap between our protocols and the server's list. We use -+ * the default opportunistic protocol selected earlier -+ */ -+ return OPENSSL_NPN_NO_OVERLAP; -+ } - - #ifndef OPENSSL_NO_NEXTPROTONEG - /* -diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c -index ce8a757..cfde733 100644 ---- a/ssl/statem/extensions_clnt.c -+++ b/ssl/statem/extensions_clnt.c -@@ -1585,8 +1585,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - if (s->ctx->ext.npn_select_cb(s, &selected, &selected_len, - PACKET_data(pkt), - PACKET_remaining(pkt), -- s->ctx->ext.npn_select_cb_arg) != -- SSL_TLSEXT_ERR_OK) { -+ s->ctx->ext.npn_select_cb_arg) != SSL_TLSEXT_ERR_OK -+ || selected_len == 0) { - SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_F_TLS_PARSE_STOC_NPN, - SSL_R_BAD_EXTENSION); - return 0; -@@ -1617,6 +1617,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - size_t chainidx) - { - size_t len; -+ PACKET confpkt, protpkt; -+ int valid = 0; - - /* We must have requested it. 
*/ - if (!s->s3->alpn_sent) { -@@ -1637,6 +1639,30 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, - SSL_R_BAD_EXTENSION); - return 0; - } -+ -+ /* It must be a protocol that we sent */ -+ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) { -+ SSLfatal(s, SSL_AD_INTERNAL_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, -+ ERR_R_INTERNAL_ERROR); -+ return 0; -+ } -+ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) { -+ if (PACKET_remaining(&protpkt) != len) -+ continue; -+ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) { -+ /* Valid protocol found */ -+ valid = 1; -+ break; -+ } -+ } -+ -+ if (!valid) { -+ /* The protocol sent from the server does not match one we advertised */ -+ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PARSE_STOC_ALPN, -+ SSL_R_BAD_EXTENSION); -+ return 0; -+ } -+ - OPENSSL_free(s->s3->alpn_selected); - s->s3->alpn_selected = OPENSSL_malloc(len); - if (s->s3->alpn_selected == NULL) { -diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c -index 3c7395c..4e3cbf8 100644 ---- a/ssl/statem/extensions_srvr.c -+++ b/ssl/statem/extensions_srvr.c -@@ -1559,9 +1559,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, - return EXT_RETURN_FAIL; - } - s->s3->npn_seen = 1; -+ return EXT_RETURN_SENT; - } - -- return EXT_RETURN_SENT; -+ return EXT_RETURN_NOT_SENT; - } - #endif - --- -2.46.0 - diff --git a/SOURCES/openssl-1.1.1-intel-cet.patch b/SOURCES/openssl-1.1.1-intel-cet.patch deleted file mode 100644 index a95bf9c..0000000 --- a/SOURCES/openssl-1.1.1-intel-cet.patch +++ /dev/null 
@@ -1,500 +0,0 @@ -diff -up openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl ---- openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/aes/asm/aesni-x86_64.pl 2020-03-19 17:07:02.626522694 +0100 -@@ -275,6 +275,7 @@ $code.=<<___; - .align 16 - ${PREFIX}_encrypt: - .cfi_startproc -+ endbranch - movups ($inp),$inout0 # load input - mov 240($key),$rounds # key->rounds - ___ -@@ -293,6 +294,7 @@ $code.=<<___; - .align 16 - ${PREFIX}_decrypt: - .cfi_startproc -+ endbranch - movups ($inp),$inout0 # load input - mov 240($key),$rounds # key->rounds - ___ -@@ -613,6 +615,7 @@ $code.=<<___; - .align 16 - aesni_ecb_encrypt: - .cfi_startproc -+ endbranch - ___ - $code.=<<___ if ($win64); - lea -0x58(%rsp),%rsp -@@ -985,6 +988,7 @@ $code.=<<___; - .align 16 - aesni_ccm64_encrypt_blocks: - .cfi_startproc -+ endbranch - ___ - $code.=<<___ if ($win64); - lea -0x58(%rsp),%rsp -@@ -1077,6 +1081,7 @@ $code.=<<___; - .align 16 - aesni_ccm64_decrypt_blocks: - .cfi_startproc -+ endbranch - ___ - $code.=<<___ if ($win64); - lea -0x58(%rsp),%rsp -@@ -1203,6 +1208,7 @@ $code.=<<___; - .align 16 - aesni_ctr32_encrypt_blocks: - .cfi_startproc -+ endbranch - cmp \$1,$len - jne .Lctr32_bulk - -@@ -1775,6 +1781,7 @@ $code.=<<___; - .align 16 - aesni_xts_encrypt: - .cfi_startproc -+ endbranch - lea (%rsp),%r11 # frame pointer - .cfi_def_cfa_register %r11 - push %rbp -@@ -2258,6 +2265,7 @@ $code.=<<___; - .align 16 - aesni_xts_decrypt: - .cfi_startproc -+ endbranch - lea (%rsp),%r11 # frame pointer - .cfi_def_cfa_register %r11 - push %rbp -@@ -2783,6 +2791,7 @@ $code.=<<___; - .align 32 - aesni_ocb_encrypt: - .cfi_startproc -+ endbranch - lea (%rsp),%rax - push %rbx - .cfi_push %rbx -@@ -3249,6 +3258,7 @@ __ocb_encrypt1: - .align 32 - aesni_ocb_decrypt: - .cfi_startproc -+ endbranch - lea (%rsp),%rax - push %rbx - .cfi_push %rbx -@@ -3737,6 +3747,7 @@ $code.=<<___; - .align 16 - 
${PREFIX}_cbc_encrypt: - .cfi_startproc -+ endbranch - test $len,$len # check length - jz .Lcbc_ret - -diff -up openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl ---- openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/aes/asm/vpaes-x86_64.pl 2020-03-19 17:00:15.974621757 +0100 -@@ -696,6 +696,7 @@ _vpaes_schedule_mangle: - .align 16 - ${PREFIX}_set_encrypt_key: - .cfi_startproc -+ endbranch - ___ - $code.=<<___ if ($win64); - lea -0xb8(%rsp),%rsp -@@ -746,6 +747,7 @@ $code.=<<___; - .align 16 - ${PREFIX}_set_decrypt_key: - .cfi_startproc -+ endbranch - ___ - $code.=<<___ if ($win64); - lea -0xb8(%rsp),%rsp -@@ -801,6 +803,7 @@ $code.=<<___; - .align 16 - ${PREFIX}_encrypt: - .cfi_startproc -+ endbranch - ___ - $code.=<<___ if ($win64); - lea -0xb8(%rsp),%rsp -@@ -846,6 +849,7 @@ $code.=<<___; - .align 16 - ${PREFIX}_decrypt: - .cfi_startproc -+ endbranch - ___ - $code.=<<___ if ($win64); - lea -0xb8(%rsp),%rsp -@@ -897,6 +901,7 @@ $code.=<<___; - .align 16 - ${PREFIX}_cbc_encrypt: - .cfi_startproc -+ endbranch - xchg $key,$len - ___ - ($len,$key)=($key,$len); -diff -up openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.c ---- openssl-1.1.1e/crypto/async/arch/async_posix.c.intel-cet 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/async/arch/async_posix.c 2020-03-19 17:00:15.974621757 +0100 -@@ -34,7 +34,9 @@ void async_local_cleanup(void) - - int async_fibre_makecontext(async_fibre *fibre) - { -+#ifndef USE_SWAPCONTEXT - fibre->env_init = 0; -+#endif - if (getcontext(&fibre->fibre) == 0) { - fibre->fibre.uc_stack.ss_sp = OPENSSL_malloc(STACKSIZE); - if (fibre->fibre.uc_stack.ss_sp != NULL) { -diff -up openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet openssl-1.1.1e/crypto/async/arch/async_posix.h ---- openssl-1.1.1e/crypto/async/arch/async_posix.h.intel-cet 2020-03-19 
17:00:15.435631166 +0100 -+++ openssl-1.1.1e/crypto/async/arch/async_posix.h 2020-03-19 17:00:15.975621739 +0100 -@@ -25,17 +25,33 @@ - # define ASYNC_POSIX - # define ASYNC_ARCH - -+# ifdef __CET__ -+/* -+ * When Intel CET is enabled, makecontext will create a different -+ * shadow stack for each context. async_fibre_swapcontext cannot -+ * use _longjmp. It must call swapcontext to swap shadow stack as -+ * well as normal stack. -+ */ -+# define USE_SWAPCONTEXT -+# endif - # include --# include -+# ifndef USE_SWAPCONTEXT -+# include -+# endif - - typedef struct async_fibre_st { - ucontext_t fibre; -+# ifndef USE_SWAPCONTEXT - jmp_buf env; - int env_init; -+# endif - } async_fibre; - - static ossl_inline int async_fibre_swapcontext(async_fibre *o, async_fibre *n, int r) - { -+# ifdef USE_SWAPCONTEXT -+ swapcontext(&o->fibre, &n->fibre); -+# else - o->env_init = 1; - - if (!r || !_setjmp(o->env)) { -@@ -44,6 +60,7 @@ static ossl_inline int async_fibre_swapc - else - setcontext(&n->fibre); - } -+# endif - - return 1; - } -diff -up openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl ---- openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/camellia/asm/cmll-x86_64.pl 2020-03-19 17:00:15.975621739 +0100 -@@ -685,6 +685,7 @@ $code.=<<___; - .align 16 - Camellia_cbc_encrypt: - .cfi_startproc -+ endbranch - cmp \$0,%rdx - je .Lcbc_abort - push %rbx -diff -up openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl ---- openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/modes/asm/ghash-x86_64.pl 2020-03-19 17:00:15.975621739 +0100 -@@ -239,6 +239,7 @@ $code=<<___; - .align 16 - gcm_gmult_4bit: - .cfi_startproc -+ endbranch - push %rbx - .cfi_push %rbx - push %rbp # %rbp and others are pushed exclusively in -@@ -286,6 +287,7 @@ 
$code.=<<___; - .align 16 - gcm_ghash_4bit: - .cfi_startproc -+ endbranch - push %rbx - .cfi_push %rbx - push %rbp -@@ -612,6 +614,7 @@ $code.=<<___; - .align 16 - gcm_gmult_clmul: - .cfi_startproc -+ endbranch - .L_gmult_clmul: - movdqu ($Xip),$Xi - movdqa .Lbswap_mask(%rip),$T3 -@@ -663,6 +666,7 @@ $code.=<<___; - .align 32 - gcm_ghash_clmul: - .cfi_startproc -+ endbranch - .L_ghash_clmul: - ___ - $code.=<<___ if ($win64); -@@ -1166,6 +1170,7 @@ $code.=<<___; - .align 32 - gcm_gmult_avx: - .cfi_startproc -+ endbranch - jmp .L_gmult_clmul - .cfi_endproc - .size gcm_gmult_avx,.-gcm_gmult_avx -@@ -1177,6 +1182,7 @@ $code.=<<___; - .align 32 - gcm_ghash_avx: - .cfi_startproc -+ endbranch - ___ - if ($avx) { - my ($Xip,$Htbl,$inp,$len)=@_4args; -diff -up openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet openssl-1.1.1e/crypto/perlasm/cbc.pl ---- openssl-1.1.1e/crypto/perlasm/cbc.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/perlasm/cbc.pl 2020-03-19 17:00:15.976621722 +0100 -@@ -165,21 +165,28 @@ sub cbc - &jmp_ptr($count); - - &set_label("ej7"); -+ &endbranch() - &movb(&HB("edx"), &BP(6,$in,"",0)); - &shl("edx",8); - &set_label("ej6"); -+ &endbranch() - &movb(&HB("edx"), &BP(5,$in,"",0)); - &set_label("ej5"); -+ &endbranch() - &movb(&LB("edx"), &BP(4,$in,"",0)); - &set_label("ej4"); -+ &endbranch() - &mov("ecx", &DWP(0,$in,"",0)); - &jmp(&label("ejend")); - &set_label("ej3"); -+ &endbranch() - &movb(&HB("ecx"), &BP(2,$in,"",0)); - &shl("ecx",8); - &set_label("ej2"); -+ &endbranch() - &movb(&HB("ecx"), &BP(1,$in,"",0)); - &set_label("ej1"); -+ &endbranch() - &movb(&LB("ecx"), &BP(0,$in,"",0)); - &set_label("ejend"); - -diff -up openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl ---- openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/perlasm/x86_64-xlate.pl 2020-03-19 17:00:15.984621582 +0100 -@@ -101,6 +101,33 @@ elsif 
(!$gas) - $decor="\$L\$"; - } - -+my $cet_property; -+if ($flavour =~ /elf/) { -+ # Always generate .note.gnu.property section for ELF outputs to -+ # mark Intel CET support since all input files must be marked -+ # with Intel CET support in order for linker to mark output with -+ # Intel CET support. -+ my $p2align=3; $p2align=2 if ($flavour eq "elf32"); -+ $cet_property = <<_____; -+ .section ".note.gnu.property", "a" -+ .p2align $p2align -+ .long 1f - 0f -+ .long 4f - 1f -+ .long 5 -+0: -+ .asciz "GNU" -+1: -+ .p2align $p2align -+ .long 0xc0000002 -+ .long 3f - 2f -+2: -+ .long 3 -+3: -+ .p2align $p2align -+4: -+_____ -+} -+ - my $current_segment; - my $current_function; - my %globals; -@@ -1213,6 +1240,7 @@ while(defined(my $line=<>)) { - print $line,"\n"; - } - -+print "$cet_property" if ($cet_property); - print "\n$current_segment\tENDS\n" if ($current_segment && $masm); - print "END\n" if ($masm); - -diff -up openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet openssl-1.1.1e/crypto/perlasm/x86gas.pl ---- openssl-1.1.1e/crypto/perlasm/x86gas.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/perlasm/x86gas.pl 2020-03-19 17:00:15.985621565 +0100 -@@ -124,6 +124,7 @@ sub ::function_begin_B - push(@out,".align\t$align\n"); - push(@out,"$func:\n"); - push(@out,"$begin:\n") if ($global); -+ &::endbranch(); - $::stack=4; - } - -@@ -172,6 +173,26 @@ sub ::file_end - else { push (@out,"$tmp\n"); } - } - push(@out,$initseg) if ($initseg); -+ if ($::elf) { -+ push(@out," -+ .section \".note.gnu.property\", \"a\" -+ .p2align 2 -+ .long 1f - 0f -+ .long 4f - 1f -+ .long 5 -+0: -+ .asciz \"GNU\" -+1: -+ .p2align 2 -+ .long 0xc0000002 -+ .long 3f - 2f -+2: -+ .long 3 -+3: -+ .p2align 2 -+4: -+"); -+ } - } - - sub ::data_byte { push(@out,".byte\t".join(',',@_)."\n"); } -diff -up openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl ---- 
openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl.intel-cet 2020-03-19 17:00:38.185234015 +0100 -+++ openssl-1.1.1e/crypto/poly1305/asm/poly1305-x86_64.pl 2020-03-19 17:05:46.575850341 +0100 -@@ -2806,6 +2806,7 @@ $code.=<<___; - .align 32 - poly1305_blocks_vpmadd52: - .cfi_startproc -+ endbranch - shr \$4,$len - jz .Lno_data_vpmadd52 # too short - -@@ -3739,6 +3740,7 @@ $code.=<<___; - .align 32 - poly1305_emit_base2_44: - .cfi_startproc -+ endbranch - mov 0($ctx),%r8 # load hash value - mov 8($ctx),%r9 - mov 16($ctx),%r10 -diff -up openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl ---- openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl.intel-cet 2020-03-19 17:00:38.190233928 +0100 -+++ openssl-1.1.1e/crypto/rc4/asm/rc4-x86_64.pl 2020-03-19 17:05:02.598618064 +0100 -@@ -140,6 +140,7 @@ $code=<<___; - .align 16 - RC4: - .cfi_startproc -+ endbranch - or $len,$len - jne .Lentry - ret -@@ -455,6 +456,7 @@ $code.=<<___; - .align 16 - RC4_set_key: - .cfi_startproc -+ endbranch - lea 8($dat),$dat - lea ($inp,$len),$inp - neg $len -@@ -529,6 +531,7 @@ RC4_set_key: - .align 16 - RC4_options: - .cfi_startproc -+ endbranch - lea .Lopts(%rip),%rax - mov OPENSSL_ia32cap_P(%rip),%edx - bt \$20,%edx -diff -up openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet openssl-1.1.1e/crypto/x86_64cpuid.pl ---- openssl-1.1.1e/crypto/x86_64cpuid.pl.intel-cet 2020-03-17 15:31:17.000000000 +0100 -+++ openssl-1.1.1e/crypto/x86_64cpuid.pl 2020-03-19 17:03:58.172742775 +0100 -@@ -40,6 +40,7 @@ print<<___; - .align 16 - OPENSSL_atomic_add: - .cfi_startproc -+ endbranch - movl ($arg1),%eax - .Lspin: leaq ($arg2,%rax),%r8 - .byte 0xf0 # lock -@@ -56,6 +57,7 @@ OPENSSL_atomic_add: - .align 16 - OPENSSL_rdtsc: - .cfi_startproc -+ endbranch - rdtsc - shl \$32,%rdx - or %rdx,%rax -@@ -68,6 +70,7 @@ OPENSSL_rdtsc: - .align 16 - OPENSSL_ia32_cpuid: - .cfi_startproc -+ endbranch - mov %rbx,%r8 # save %rbx - .cfi_register %rbx,%r8 - -@@ -237,6 +240,7 @@ 
OPENSSL_ia32_cpuid: - .align 16 - OPENSSL_cleanse: - .cfi_startproc -+ endbranch - xor %rax,%rax - cmp \$15,$arg2 - jae .Lot -@@ -274,6 +278,7 @@ OPENSSL_cleanse: - .align 16 - CRYPTO_memcmp: - .cfi_startproc -+ endbranch - xor %rax,%rax - xor %r10,%r10 - cmp \$0,$arg3 -@@ -312,6 +317,7 @@ print<<___ if (!$win64); - .align 16 - OPENSSL_wipe_cpu: - .cfi_startproc -+ endbranch - pxor %xmm0,%xmm0 - pxor %xmm1,%xmm1 - pxor %xmm2,%xmm2 -@@ -346,6 +352,8 @@ print<<___ if ($win64); - .type OPENSSL_wipe_cpu,\@abi-omnipotent - .align 16 - OPENSSL_wipe_cpu: -+.cfi_startproc -+ endbranch - pxor %xmm0,%xmm0 - pxor %xmm1,%xmm1 - pxor %xmm2,%xmm2 -@@ -376,6 +384,7 @@ print<<___; - .align 16 - OPENSSL_instrument_bus: - .cfi_startproc -+ endbranch - mov $arg1,$out # tribute to Win64 - mov $arg2,$cnt - mov $arg2,$max -@@ -410,6 +419,7 @@ OPENSSL_instrument_bus: - .align 16 - OPENSSL_instrument_bus2: - .cfi_startproc -+ endbranch - mov $arg1,$out # tribute to Win64 - mov $arg2,$cnt - mov $arg3,$max -@@ -465,6 +475,7 @@ print<<___; - .align 16 - OPENSSL_ia32_${rdop}_bytes: - .cfi_startproc -+ endbranch - xor %rax, %rax # return value - cmp \$0,$arg2 - je .Ldone_${rdop}_bytes diff --git a/SOURCES/openssl-1.1.1-kdf-selftest.patch b/SOURCES/openssl-1.1.1-kdf-selftest.patch deleted file mode 100644 index e54684e..0000000 --- a/SOURCES/openssl-1.1.1-kdf-selftest.patch +++ /dev/null 
@@ -1,456 +0,0 @@ -diff -up openssl-1.1.1g/crypto/fips/build.info.kdf-selftest openssl-1.1.1g/crypto/fips/build.info ---- openssl-1.1.1g/crypto/fips/build.info.kdf-selftest 2020-06-03 16:08:36.274849058 +0200 -+++ openssl-1.1.1g/crypto/fips/build.info 2020-06-03 16:11:05.609079372 +0200 -@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\ - fips_post.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ - fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ - fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ -- fips_dh_selftest.c fips_ers.c -+ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c - - PROGRAMS_NO_INST=\ - fips_standalone_hmac -diff -up openssl-1.1.1g/crypto/fips/fips_err.h.kdf-selftest openssl-1.1.1g/crypto/fips/fips_err.h ---- openssl-1.1.1g/crypto/fips/fips_err.h.kdf-selftest 2020-07-14 15:27:51.681785958 +0200 -+++ openssl-1.1.1g/crypto/fips/fips_err.h 2020-10-22 14:07:13.645614388 +0200 -@@ -108,9 +108,16 @@ static ERR_STRING_DATA FIPS_str_functs[] - {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DES), "FIPS_selftest_des"}, - {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"}, - {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HKDF), "FIPS_selftest_hkdf"}, - {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_KBKDF), "FIPS_selftest_kbkdf"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_KRB5KDF), "FIPS_selftest_krb5kdf"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"}, - {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, - {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSHKDF), "FIPS_selftest_sshkdf"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSKDF), "FIPS_selftest_sskdf"}, -+ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS1_PRF), "FIPS_selftest_tls1_prf"}, - {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, - {ERR_FUNC(FIPS_F_OSSL_ECDSA_VERIFY_SIG), "ossl_ecdsa_verify_sig"}, - 
{ERR_FUNC(FIPS_F_RSA_BUILTIN_KEYGEN), "rsa_builtin_keygen"}, -diff -up openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c ---- openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c.kdf-selftest 2020-10-22 16:25:33.211248158 +0200 -+++ openssl-1.1.1g/crypto/fips/fips_kdf_selftest.c 2020-10-22 16:56:54.652267521 +0200 -@@ -0,0 +1,377 @@ -+/* -+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include -+#include -+#include -+#include "crypto/fips.h" -+ -+#include -+#include -+ -+#ifdef OPENSSL_FIPS -+static int FIPS_selftest_tls1_prf(void) -+{ -+ int ret = 0; -+ EVP_KDF_CTX *kctx; -+ unsigned char out[16]; -+ -+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET, -+ "secret", (size_t)6) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { -+ goto err; -+ } -+ -+ { -+ const unsigned char expected[sizeof(out)] = { -+ 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0, -+ 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc -+ }; -+ if (memcmp(out, expected, sizeof(expected))) { -+ goto err; -+ } -+ } -+ ret = 1; -+ -+err: -+ if (!ret) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_TLS1_PRF, FIPS_R_SELFTEST_FAILED); -+ EVP_KDF_CTX_free(kctx); -+ return ret; -+} -+ -+static int FIPS_selftest_hkdf(void) -+{ -+ int ret = 0; -+ EVP_KDF_CTX *kctx; -+ unsigned char out[10]; -+ -+ if ((kctx = 
EVP_KDF_CTX_new_id(EVP_KDF_HKDF)) == NULL) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, -+ "label", (size_t)5) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { -+ goto err; -+ } -+ -+ { -+ const unsigned char expected[sizeof(out)] = { -+ 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13 -+ }; -+ if (memcmp(out, expected, sizeof(expected))) { -+ goto err; -+ } -+ } -+ ret = 1; -+err: -+ if (!ret) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_HKDF, FIPS_R_SELFTEST_FAILED); -+ EVP_KDF_CTX_free(kctx); -+ return ret; -+} -+ -+static int FIPS_selftest_sshkdf(void) -+{ -+ int ret = 0; -+ EVP_KDF_CTX *kctx; -+ unsigned char out[32]; -+ const unsigned char input_key[] = { -+ 0x00, 0x00, 0x00, 0x80, 0x0f, 0xaa, 0x17, 0x2b, -+ 0x8c, 0x28, 0x7e, 0x37, 0x2b, 0xb2, 0x36, 0xad, -+ 0x34, 0xc7, 0x33, 0x69, 0x5c, 0x13, 0xd7, 0x7f, -+ 0x88, 0x2a, 0xdc, 0x0f, 0x47, 0xe5, 0xa7, 0xf6, -+ 0xa3, 0xde, 0x07, 0xef, 0xb1, 0x01, 0x20, 0x7a, -+ 0xa5, 0xd6, 0x65, 0xb6, 0x19, 0x82, 0x6f, 0x75, -+ 0x65, 0x91, 0xf6, 0x53, 0x10, 0xbb, 0xd2, 0xc9, -+ 0x2c, 0x93, 0x84, 0xe6, 0xc6, 0xa6, 0x7b, 0x42, -+ 0xde, 0xc3, 0x82, 0xfd, 0xb2, 0x4c, 0x59, 0x1d, -+ 0x79, 0xff, 0x5e, 0x47, 0x73, 0x7b, 0x0f, 0x5b, -+ 0x84, 0x79, 0x69, 0x4c, 0x3a, 0xdc, 0x19, 0x40, -+ 0x17, 0x04, 0x91, 0x2b, 0xbf, 0xec, 0x27, 0x04, -+ 0xd4, 0xd5, 0xbe, 0xbb, 0xfc, 0x1a, 0x7f, 0xc7, -+ 0x96, 0xe2, 0x77, 0x63, 0x4e, 0x40, 0x85, 0x18, -+ 0x51, 0xa1, 0x87, 0xec, 0x2d, 0x37, 0xed, 0x3f, -+ 0x35, 0x1c, 0x45, 0x96, 0xa5, 0xa0, 0x89, 0x29, -+ 0x16, 0xb4, 0xc5, 0x5f -+ }; -+ const unsigned char xcghash[] = { -+ 0xa3, 0x47, 0xf5, 0xf1, 0xe1, 0x91, 0xc3, 0x5f, -+ 0x21, 0x2c, 0x93, 0x24, 0xd5, 0x86, 0x7e, 0xfd, -+ 0xf8, 
0x30, 0x26, 0xbe, 0x62, 0xc2, 0xb1, 0x6a, -+ 0xe0, 0x06, 0xed, 0xb3, 0x37, 0x8d, 0x40, 0x06 -+ }; -+ const unsigned char session_id[] = { -+ 0x90, 0xbe, 0xfc, 0xef, 0x3f, 0xf8, 0xf9, 0x20, -+ 0x67, 0x4a, 0x9f, 0xab, 0x94, 0x19, 0x8c, 0xf3, -+ 0xfd, 0x9d, 0xca, 0x24, 0xa2, 0x1d, 0x3c, 0x9d, -+ 0xba, 0x39, 0x4d, 0xaa, 0xfb, 0xc6, 0x21, 0xed -+ }; -+ -+ -+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF)) == NULL) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, -+ sizeof(input_key)) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, xcghash, -+ sizeof(xcghash)) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, session_id, -+ sizeof(session_id)) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, (int)'F') <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { -+ goto err; -+ } -+ -+ { -+ const unsigned char expected[sizeof(out)] = { -+ 0x14, 0x7a, 0x77, 0x14, 0x45, 0x12, 0x3f, 0x84, -+ 0x6d, 0x8a, 0xe5, 0x14, 0xd7, 0xff, 0x9b, 0x3c, -+ 0x93, 0xb2, 0xbc, 0xeb, 0x7c, 0x7c, 0x95, 0x00, -+ 0x94, 0x21, 0x61, 0xb8, 0xe2, 0xd0, 0x11, 0x0f -+ }; -+ if (memcmp(out, expected, sizeof(expected))) { -+ goto err; -+ } -+ } -+ ret = 1; -+ -+err: -+ if (!ret) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_SSHKDF, FIPS_R_SELFTEST_FAILED); -+ EVP_KDF_CTX_free(kctx); -+ return ret; -+} -+ -+static int FIPS_selftest_pbkdf2(void) -+{ -+ int ret = 0; -+ EVP_KDF_CTX *kctx; -+ unsigned char out[32]; -+ -+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) { -+ goto err; -+ } -+ if 
(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { -+ goto err; -+ } -+ -+ { -+ const unsigned char expected[sizeof(out)] = { -+ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3, -+ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0, -+ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf, -+ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43 -+ }; -+ if (memcmp(out, expected, sizeof(expected))) { -+ goto err; -+ } -+ } -+ ret = 1; -+ -+err: -+ if (!ret) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED); -+ EVP_KDF_CTX_free(kctx); -+ return ret; -+} -+ -+/* Test vector from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos -+ * 5) appendix A. */ -+static int FIPS_selftest_kbkdf(void) -+{ -+ int ret = 0; -+ EVP_KDF_CTX *kctx; -+ char *label = "prf", *prf_input = "test"; -+ const unsigned char input_key[] = { -+ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28, -+ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C, -+ }; -+ const unsigned char output[] = { -+ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE, -+ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86, -+ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B, -+ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95, -+ }; -+ unsigned char result[sizeof(output)] = { 0 }; -+ -+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) { -+ goto err; -+ } -+ ret = EVP_KDF_derive(kctx, result, sizeof(result)) > 0 -+ && memcmp(result, output, sizeof(output)) == 0; 
-+err: -+ if (!ret) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_KBKDF, FIPS_R_SELFTEST_FAILED); -+ EVP_KDF_CTX_free(kctx); -+ return ret; -+} -+ -+static int FIPS_selftest_krb5kdf(void) -+{ -+ int ret = 0; -+ EVP_KDF_CTX *kctx; -+ unsigned char out[16]; -+ const unsigned char key[] = { -+ 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28, -+ 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15 -+ }; -+ const unsigned char constant[] = { -+ 0x00, 0x00, 0x00, 0x02, 0x99 -+ }; -+ const unsigned char expected[sizeof(out)] = { -+ 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69, -+ 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B -+ }; -+ -+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF)) == NULL) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_128_cbc()) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, sizeof(key)) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, constant, sizeof(constant)) <= 0) { -+ goto err; -+ } -+ -+ ret = -+ EVP_KDF_derive(kctx, out, sizeof(out)) > 0 -+ && memcmp(out, expected, sizeof(expected)) == 0; -+ -+err: -+ if (!ret) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_KRB5KDF, FIPS_R_SELFTEST_FAILED); -+ EVP_KDF_CTX_free(kctx); -+ return ret; -+} -+ -+static int FIPS_selftest_sskdf(void) -+{ -+ int ret = 0; -+ EVP_KDF_CTX *kctx; -+ const unsigned char z[] = { -+ 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e, -+ 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62, -+ 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4, -+ 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9 -+ }; -+ const unsigned char other[] = { -+ 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e, -+ 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde, -+ 0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e, -+ 0xe0,0xec,0x3f,0x8d,0xbe -+ }; -+ const unsigned char expected[] = { -+ 
0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8 -+ }; -+ unsigned char out[14]; -+ -+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS); -+ -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other, -+ sizeof(other)) <= 0) { -+ goto err; -+ } -+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { -+ goto err; -+ } -+ -+ if (memcmp(out, expected, sizeof(expected))) -+ goto err; -+ ret = 1; -+ -+err: -+ if (!ret) -+ FIPSerr(FIPS_F_FIPS_SELFTEST_SSKDF, FIPS_R_SELFTEST_FAILED); -+ EVP_KDF_CTX_free(kctx); -+ return ret; -+} -+ -+int FIPS_selftest_kdf(void) -+{ -+ return FIPS_selftest_tls1_prf() -+ && FIPS_selftest_hkdf() -+ && FIPS_selftest_sshkdf() -+ && FIPS_selftest_pbkdf2() -+ && FIPS_selftest_kbkdf() -+ && FIPS_selftest_krb5kdf() -+ && FIPS_selftest_sskdf(); -+} -+ -+#endif -diff -up openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest openssl-1.1.1g/crypto/fips/fips_post.c ---- openssl-1.1.1g/crypto/fips/fips_post.c.kdf-selftest 2020-06-03 16:08:36.332849536 +0200 -+++ openssl-1.1.1g/crypto/fips/fips_post.c 2020-06-03 16:08:36.338849585 +0200 -@@ -111,6 +111,8 @@ int FIPS_selftest(void) - rv = 0; - if (!FIPS_selftest_ecdh()) - rv = 0; -+ if (!FIPS_selftest_kdf()) -+ rv = 0; - return rv; - } - -diff -up openssl-1.1.1g/include/crypto/fips.h.kdf-selftest openssl-1.1.1g/include/crypto/fips.h ---- openssl-1.1.1g/include/crypto/fips.h.kdf-selftest 2020-06-03 16:08:36.330849519 +0200 -+++ openssl-1.1.1g/include/crypto/fips.h 2020-06-03 16:08:36.338849585 +0200 -@@ -72,6 +72,7 @@ void FIPS_drbg_stick(int onoff); - int FIPS_selftest_hmac(void); - int FIPS_selftest_drbg(void); - int FIPS_selftest_cmac(void); -+int FIPS_selftest_kdf(void); - - int fips_in_post(void); - -diff -up openssl-1.1.1g/include/openssl/fips.h.kdf-selftest openssl-1.1.1g/include/openssl/fips.h ---- 
openssl-1.1.1g/include/openssl/fips.h.kdf-selftest 2020-07-14 15:27:51.685785988 +0200 -+++ openssl-1.1.1g/include/openssl/fips.h 2020-10-22 14:03:28.868575785 +0200 -@@ -122,9 +122,16 @@ extern "C" { - # define FIPS_F_FIPS_SELFTEST_DES 111 - # define FIPS_F_FIPS_SELFTEST_DSA 112 - # define FIPS_F_FIPS_SELFTEST_ECDSA 133 -+# define FIPS_F_FIPS_SELFTEST_HKDF 153 - # define FIPS_F_FIPS_SELFTEST_HMAC 113 -+# define FIPS_F_FIPS_SELFTEST_KBKDF 151 -+# define FIPS_F_FIPS_SELFTEST_KRB5KDF 154 -+# define FIPS_F_FIPS_SELFTEST_PBKDF2 152 - # define FIPS_F_FIPS_SELFTEST_SHA1 115 - # define FIPS_F_FIPS_SELFTEST_SHA2 105 -+# define FIPS_F_FIPS_SELFTEST_SSHKDF 155 -+# define FIPS_F_FIPS_SELFTEST_SSKDF 156 -+# define FIPS_F_FIPS_SELFTEST_TLS1_PRF 157 - # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 - # define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148 - # define FIPS_F_RSA_BUILTIN_KEYGEN 116 diff --git a/SOURCES/openssl-1.1.1-krb5-kdf.patch b/SOURCES/openssl-1.1.1-krb5-kdf.patch deleted file mode 100644 index 249a5c5..0000000 --- a/SOURCES/openssl-1.1.1-krb5-kdf.patch +++ /dev/null 
@@ -1,3030 +0,0 @@ -diff -up openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf openssl-1.1.1d/crypto/err/openssl.txt ---- openssl-1.1.1d/crypto/err/openssl.txt.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 -+++ openssl-1.1.1d/crypto/err/openssl.txt 2019-11-14 15:07:05.342094129 +0100 -@@ -821,6 +821,11 @@ EVP_F_S390X_AES_GCM_CTRL:201:s390x_aes_g - EVP_F_SCRYPT_ALG:228:scrypt_alg - EVP_F_UPDATE:173:update - KDF_F_HKDF_EXTRACT:112:HKDF_Extract -+KDF_F_KBKDF_CTRL:134:kbkdf_ctrl -+KDF_F_KBKDF_CTRL_STR:135:kbkdf_ctrl_str -+KDF_F_KBKDF_DERIVE:136:kbkdf_derive -+KDF_F_KBKDF_NEW:137:kbkdf_new -+KDF_F_KDF_CIPHER2CTRL:138:kdf_cipher2ctrl - KDF_F_KDF_HKDF_DERIVE:113:kdf_hkdf_derive - KDF_F_KDF_HKDF_NEW:114:kdf_hkdf_new - KDF_F_KDF_HKDF_SIZE:115:kdf_hkdf_size -@@ -840,6 +845,8 @@ KDF_F_KDF_SSHKDF_NEW:133:kdf_sshkdf_new - KDF_F_KDF_TLS1_PRF_CTRL_STR:125:kdf_tls1_prf_ctrl_str - KDF_F_KDF_TLS1_PRF_DERIVE:126:kdf_tls1_prf_derive - KDF_F_KDF_TLS1_PRF_NEW:127:kdf_tls1_prf_new -+KDF_F_KRB5KDF:139:KRB5KDF -+KDF_F_KRB5KDF_DERIVE:140:krb5kdf_derive - KDF_F_PBKDF2_SET_MEMBUF:128:pbkdf2_set_membuf - KDF_F_PKEY_HKDF_CTRL_STR:103:pkey_hkdf_ctrl_str - KDF_F_PKEY_HKDF_DERIVE:102:pkey_hkdf_derive -@@ -853,6 +860,9 @@ KDF_F_PKEY_TLS1_PRF_CTRL_STR:100:pkey_tl - KDF_F_PKEY_TLS1_PRF_DERIVE:101:pkey_tls1_prf_derive - KDF_F_PKEY_TLS1_PRF_INIT:110:pkey_tls1_prf_init - KDF_F_SCRYPT_SET_MEMBUF:129:scrypt_set_membuf -+KDF_F_SSKDF_DERIVE:141:sskdf_derive -+KDF_F_SSKDF_NEW:142:sskdf_new -+KDF_F_SSKDF_SIZE:143:sskdf_size - KDF_F_TLS1_PRF_ALG:111:tls1_prf_alg - OBJ_F_OBJ_ADD_OBJECT:105:OBJ_add_object - OBJ_F_OBJ_ADD_SIGID:107:OBJ_add_sigid -@@ -2325,7 +2335,13 @@ EVP_R_UNSUPPORTED_SALT_TYPE:126:unsuppor - EVP_R_WRAP_MODE_NOT_ALLOWED:170:wrap mode not allowed - EVP_R_WRONG_FINAL_BLOCK_LENGTH:109:wrong final block length - EVP_R_XTS_DUPLICATED_KEYS:183:xts duplicated keys -+KDF_R_FAILED_TO_GENERATE_KEY:118:failed to generate key -+KDF_R_INVALID_CIPHER:116:invalid cipher -+KDF_R_INVALID_CONSTANT_LENGTH:119:invalid 
constant length - KDF_R_INVALID_DIGEST:100:invalid digest -+KDF_R_INVALID_SEED_LENGTH:117:invalid seed length -+KDF_R_MISSING_CIPHER:120:missing cipher -+KDF_R_MISSING_CONSTANT:121:missing constant - KDF_R_MISSING_ITERATION_COUNT:109:missing iteration count - KDF_R_MISSING_KEY:104:missing key - KDF_R_MISSING_MESSAGE_DIGEST:105:missing message digest -@@ -2340,6 +2356,7 @@ KDF_R_MISSING_XCGHASH:115:missing xcghas - KDF_R_UNKNOWN_PARAMETER_TYPE:103:unknown parameter type - KDF_R_VALUE_ERROR:108:value error - KDF_R_VALUE_MISSING:102:value missing -+KDF_R_WRONG_FINAL_BLOCK_LENGTH:120:wrong final block length - KDF_R_WRONG_OUTPUT_BUFFER_SIZE:112:wrong output buffer size - OBJ_R_OID_EXISTS:102:oid exists - OBJ_R_UNKNOWN_NID:101:unknown nid -diff -up openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf openssl-1.1.1d/crypto/evp/kdf_lib.c ---- openssl-1.1.1d/crypto/evp/kdf_lib.c.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 -+++ openssl-1.1.1d/crypto/evp/kdf_lib.c 2019-11-14 15:07:05.342094129 +0100 -@@ -31,6 +31,9 @@ static const EVP_KDF_METHOD *standard_me - &tls1_prf_kdf_meth, - &hkdf_kdf_meth, - &sshkdf_kdf_meth, -+ &kb_kdf_meth, -+ &krb5kdf_kdf_meth, -+ &ss_kdf_meth - }; - - DECLARE_OBJ_BSEARCH_CMP_FN(const EVP_KDF_METHOD *, const EVP_KDF_METHOD *, -diff -up openssl-1.1.1d/include/crypto/evp.h.krb5-kdf openssl-1.1.1d/include/crypto/evp.h ---- openssl-1.1.1d/include/crypto/evp.h.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 -+++ openssl-1.1.1d/include/crypto/evp.h 2019-11-14 15:07:05.342094129 +0100 -@@ -130,6 +130,9 @@ extern const EVP_KDF_METHOD scrypt_kdf_m - extern const EVP_KDF_METHOD tls1_prf_kdf_meth; - extern const EVP_KDF_METHOD hkdf_kdf_meth; - extern const EVP_KDF_METHOD sshkdf_kdf_meth; -+extern const EVP_KDF_METHOD kb_kdf_meth; -+extern const EVP_KDF_METHOD krb5kdf_kdf_meth; -+extern const EVP_KDF_METHOD ss_kdf_meth; - - struct evp_md_st { - int type; -diff -up openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf openssl-1.1.1d/crypto/kdf/build.info ---- 
openssl-1.1.1d/crypto/kdf/build.info.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 -+++ openssl-1.1.1d/crypto/kdf/build.info 2019-11-14 15:07:05.342094129 +0100 -@@ -1,3 +1,3 @@ - LIBS=../../libcrypto - SOURCE[../../libcrypto]=\ -- tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c -+ tls1_prf.c kdf_err.c kdf_util.c hkdf.c scrypt.c pbkdf2.c sshkdf.c kbkdf.c krb5kdf.c sskdf.c -diff -up openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kbkdf.c ---- openssl-1.1.1d/crypto/kdf/kbkdf.c.krb5-kdf 2019-11-14 15:07:05.343094112 +0100 -+++ openssl-1.1.1d/crypto/kdf/kbkdf.c 2019-11-18 17:21:58.326635901 +0100 -@@ -0,0 +1,540 @@ -+/* -+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright 2019 Red Hat, Inc. -+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+/* -+ * This implements https://csrc.nist.gov/publications/detail/sp/800-108/final -+ * section 5.1 ("counter mode") and section 5.2 ("feedback mode") in both HMAC -+ * and CMAC. That document does not name the KDFs it defines; the name is -+ * derived from -+ * https://csrc.nist.gov/Projects/Cryptographic-Algorithm-Validation-Program/Key-Derivation -+ * -+ * Note that section 5.3 ("double-pipeline mode") is not implemented, though -+ * it would be possible to do so in the future. -+ * -+ * These versions all assume the counter is used. It would be relatively -+ * straightforward to expose a configuration handle should the need arise. -+ * -+ * Variable names attempt to match those of SP800-108. 
-+ */ -+ -+#include -+#include -+#include -+ -+#include -+#include -+#include -+#include -+ -+#include "internal/numbers.h" -+#include "internal/cryptlib.h" -+#include "crypto/evp.h" -+#include "kdf_local.h" -+ -+#include "e_os.h" -+ -+#ifdef MIN -+# undef MIN -+#endif -+#define MIN(a, b) ((a) < (b)) ? (a) : (b) -+ -+typedef struct { -+ int mac_type; -+ union { -+ HMAC_CTX *hmac; -+ CMAC_CTX *cmac; -+ } m; -+} MAC_CTX; -+ -+/* Our context structure. */ -+struct evp_kdf_impl_st { -+ int mode; -+ -+ MAC_CTX *ctx_init; -+ -+ const EVP_CIPHER *cipher; -+ const EVP_MD *md; -+ -+ /* Names are lowercased versions of those found in SP800-108. */ -+ unsigned char *ki; -+ size_t ki_len; -+ unsigned char *label; -+ size_t label_len; -+ unsigned char *context; -+ size_t context_len; -+ unsigned char *iv; -+ size_t iv_len; -+}; -+ -+static MAC_CTX *EVP_MAC_CTX_new(int mac_type) -+{ -+ MAC_CTX *ctx; -+ -+ ctx = OPENSSL_zalloc(sizeof(*ctx)); -+ if (ctx == NULL) -+ return NULL; -+ -+ ctx->mac_type = mac_type; -+ if (mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { -+ if ((ctx->m.hmac = HMAC_CTX_new()) == NULL) -+ goto err; -+ } else { -+ if ((ctx->m.cmac = CMAC_CTX_new()) == NULL) -+ goto err; -+ } -+ return ctx; -+ -+err: -+ OPENSSL_free(ctx); -+ return NULL; -+} -+ -+static void EVP_MAC_CTX_free(MAC_CTX *ctx) -+{ -+ if (ctx == NULL) -+ return; -+ -+ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) -+ HMAC_CTX_free(ctx->m.hmac); -+ else -+ CMAC_CTX_free(ctx->m.cmac); -+ OPENSSL_free(ctx); -+} -+ -+static MAC_CTX *EVP_MAC_CTX_dup(MAC_CTX *sctx) -+{ -+ MAC_CTX *ctx; -+ -+ ctx = OPENSSL_zalloc(sizeof(*sctx)); -+ if (ctx == NULL) -+ return NULL; -+ -+ ctx->mac_type = sctx->mac_type; -+ if (sctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { -+ if ((ctx->m.hmac = HMAC_CTX_new()) == NULL -+ || HMAC_CTX_copy(ctx->m.hmac, sctx->m.hmac) <= 0) -+ goto err; -+ } else { -+ if ((ctx->m.cmac = CMAC_CTX_new()) == NULL -+ || CMAC_CTX_copy(ctx->m.cmac, sctx->m.cmac) <= 0) -+ goto err; -+ } -+ return ctx; -+ 
-+err: -+ EVP_MAC_CTX_free(ctx); -+ return NULL; -+} -+ -+static size_t EVP_MAC_size(MAC_CTX *ctx) -+{ -+ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { -+ const EVP_MD *md; -+ -+ if (ctx->m.hmac == NULL) -+ return 0; -+ if ((md = HMAC_CTX_get_md(ctx->m.hmac)) == NULL) -+ return 0; -+ return (size_t)EVP_MD_size(md); -+ } else { -+ const EVP_CIPHER_CTX *cctx; -+ -+ if (ctx->m.cmac == NULL) -+ return 0; -+ if ((cctx = CMAC_CTX_get0_cipher_ctx(ctx->m.cmac)) == NULL) -+ return 0; -+ return EVP_CIPHER_CTX_block_size(cctx); -+ } -+} -+ -+static int EVP_MAC_update(MAC_CTX *ctx, const unsigned char *data, -+ size_t datalen) -+{ -+ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) -+ return HMAC_Update(ctx->m.hmac, data, datalen); -+ else -+ return CMAC_Update(ctx->m.cmac, data, datalen); -+} -+ -+static int EVP_MAC_final(MAC_CTX *ctx, unsigned char *out, -+ size_t *outl, size_t outsize) -+{ -+ if (outsize != EVP_MAC_size(ctx)) -+ /* we do not cope with anything else */ -+ return 0; -+ -+ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { -+ unsigned int intsize = (unsigned int)outsize; -+ int ret; -+ -+ ret = HMAC_Final(ctx->m.hmac, out, &intsize); -+ if (outl != NULL) -+ *outl = intsize; -+ return ret; -+ } else { -+ size_t size = outsize; -+ int ret; -+ -+ ret = CMAC_Final(ctx->m.cmac, out, &size); -+ if (outl != NULL) -+ *outl = size; -+ return ret; -+ } -+} -+ -+static int evp_mac_init(MAC_CTX *ctx, const EVP_MD *md, -+ const EVP_CIPHER *cipher, unsigned char *key, size_t keylen) -+{ -+ if (ctx->mac_type == EVP_KDF_KB_MAC_TYPE_HMAC) { -+ if (md == NULL) -+ return 0; -+ return HMAC_Init_ex(ctx->m.hmac, key, (int)keylen, md, NULL); -+ } else { -+ if (cipher == NULL) -+ return 0; -+ return CMAC_Init(ctx->m.cmac, key, keylen, cipher, NULL); -+ } -+} -+ -+static void kbkdf_reset(EVP_KDF_IMPL *ctx); -+ -+/* Not all platforms have htobe32(). 
*/ -+static uint32_t be32(uint32_t host) -+{ -+ uint32_t big = 0; -+ const union { -+ long one; -+ char little; -+ } is_endian = { 1 }; -+ -+ if (!is_endian.little) -+ return host; -+ -+ big |= (host & 0xff000000) >> 24; -+ big |= (host & 0x00ff0000) >> 8; -+ big |= (host & 0x0000ff00) << 8; -+ big |= (host & 0x000000ff) << 24; -+ return big; -+} -+ -+static EVP_KDF_IMPL *kbkdf_new(void) -+{ -+ EVP_KDF_IMPL *ctx; -+ -+ ctx = OPENSSL_zalloc(sizeof(*ctx)); -+ if (ctx == NULL) { -+ KDFerr(KDF_F_KBKDF_NEW, ERR_R_MALLOC_FAILURE); -+ return NULL; -+ } -+ -+ return ctx; -+} -+ -+static void kbkdf_free(EVP_KDF_IMPL *ctx) -+{ -+ kbkdf_reset(ctx); -+ OPENSSL_free(ctx); -+} -+ -+static void kbkdf_reset(EVP_KDF_IMPL *ctx) -+{ -+ EVP_MAC_CTX_free(ctx->ctx_init); -+ OPENSSL_clear_free(ctx->context, ctx->context_len); -+ OPENSSL_clear_free(ctx->label, ctx->label_len); -+ OPENSSL_clear_free(ctx->ki, ctx->ki_len); -+ OPENSSL_clear_free(ctx->iv, ctx->iv_len); -+ memset(ctx, 0, sizeof(*ctx)); -+} -+ -+/* SP800-108 section 5.1 or section 5.2 depending on mode. */ -+static int derive(MAC_CTX *ctx_init, int mode, unsigned char *iv, -+ size_t iv_len, unsigned char *label, size_t label_len, -+ unsigned char *context, size_t context_len, -+ unsigned char *k_i, size_t h, uint32_t l, unsigned char *ko, -+ size_t ko_len) -+{ -+ int ret = 0; -+ MAC_CTX *ctx = NULL; -+ size_t written = 0, to_write, k_i_len = iv_len; -+ const unsigned char zero = 0; -+ uint32_t counter, i; -+ -+ /* Setup K(0) for feedback mode. */ -+ if (iv_len > 0) -+ memcpy(k_i, iv, iv_len); -+ -+ for (counter = 1; written < ko_len; counter++) { -+ i = be32(counter); -+ -+ ctx = EVP_MAC_CTX_dup(ctx_init); -+ if (ctx == NULL) -+ goto done; -+ -+ /* Perform feedback, if appropriate. 
*/ -+ if (mode == EVP_KDF_KB_MODE_FEEDBACK && !EVP_MAC_update(ctx, k_i, k_i_len)) -+ goto done; -+ -+ if (!EVP_MAC_update(ctx, (unsigned char *)&i, 4) -+ || !EVP_MAC_update(ctx, label, label_len) -+ || !EVP_MAC_update(ctx, &zero, 1) -+ || !EVP_MAC_update(ctx, context, context_len) -+ || !EVP_MAC_update(ctx, (unsigned char *)&l, 4) -+ || !EVP_MAC_final(ctx, k_i, NULL, h)) -+ goto done; -+ -+ to_write = ko_len - written; -+ memcpy(ko + written, k_i, MIN(to_write, h)); -+ written += h; -+ -+ k_i_len = h; -+ EVP_MAC_CTX_free(ctx); -+ ctx = NULL; -+ } -+ -+ ret = 1; -+done: -+ EVP_MAC_CTX_free(ctx); -+ return ret; -+} -+ -+static int kbkdf_derive(EVP_KDF_IMPL *ctx, unsigned char *key, size_t keylen) -+{ -+ int ret = 0; -+ unsigned char *k_i = NULL; -+ uint32_t l = be32(keylen * 8); -+ size_t h = 0; -+ -+ /* label, context, and iv are permitted to be empty. Check everything -+ * else. */ -+ if (ctx->ctx_init == NULL -+ || evp_mac_init(ctx->ctx_init, ctx->md, ctx->cipher, ctx->ki, ctx->ki_len) <= 0) { -+ if (ctx->ki_len == 0 || ctx->ki == NULL) { -+ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_MISSING_KEY); -+ return 0; -+ } -+ /* Could either be missing MAC or missing message digest or missing -+ * cipher - arbitrarily, I pick this one. 
*/ -+ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_MISSING_PARAMETER); -+ return 0; -+ } -+ -+ h = EVP_MAC_size(ctx->ctx_init); -+ if (h == 0) -+ goto done; -+ if (ctx->iv_len != 0 && ctx->iv_len != h) { -+ KDFerr(KDF_F_KBKDF_DERIVE, KDF_R_INVALID_SEED_LENGTH); -+ goto done; -+ } -+ -+ k_i = OPENSSL_zalloc(h); -+ if (k_i == NULL) -+ goto done; -+ -+ ret = derive(ctx->ctx_init, ctx->mode, ctx->iv, ctx->iv_len, ctx->label, -+ ctx->label_len, ctx->context, ctx->context_len, k_i, h, l, -+ key, keylen); -+done: -+ if (ret != 1) -+ OPENSSL_cleanse(key, keylen); -+ OPENSSL_clear_free(k_i, h); -+ return ret; -+} -+ -+static size_t kbkdf_size(EVP_KDF_IMPL *ctx) -+{ -+ return UINT32_MAX/8; -+} -+ -+static int kbkdf_parse_buffer_arg(unsigned char **dst, size_t *dst_len, -+ va_list args) -+{ -+ const unsigned char *p; -+ size_t len; -+ -+ p = va_arg(args, const unsigned char *); -+ len = va_arg(args, size_t); -+ OPENSSL_clear_free(*dst, *dst_len); -+ if (len == 0) { -+ *dst = NULL; -+ *dst_len = 0; -+ return 1; -+ } -+ -+ *dst = OPENSSL_memdup(p, len); -+ if (*dst == NULL) -+ return 0; -+ -+ *dst_len = len; -+ return 1; -+} -+ -+static int kbkdf_ctrl(EVP_KDF_IMPL *ctx, int cmd, va_list args) -+{ -+ int t; -+ -+ switch (cmd) { -+ case EVP_KDF_CTRL_SET_MD: -+ ctx->md = va_arg(args, const EVP_MD *); -+ if (ctx->md == NULL) -+ return 0; -+ -+ return 1; -+ -+ case EVP_KDF_CTRL_SET_CIPHER: -+ ctx->cipher = va_arg(args, const EVP_CIPHER *); -+ if (ctx->cipher == NULL) -+ return 0; -+ -+ return 1; -+ -+ case EVP_KDF_CTRL_SET_KEY: -+ return kbkdf_parse_buffer_arg(&ctx->ki, -+ &ctx->ki_len, args); -+ -+ case EVP_KDF_CTRL_SET_SALT: -+ return kbkdf_parse_buffer_arg(&ctx->label, -+ &ctx->label_len, args); -+ -+ case EVP_KDF_CTRL_SET_KB_INFO: -+ return kbkdf_parse_buffer_arg(&ctx->context, -+ &ctx->context_len, args); -+ -+ case EVP_KDF_CTRL_SET_KB_SEED: -+ return kbkdf_parse_buffer_arg(&ctx->iv, -+ &ctx->iv_len, args); -+ -+ case EVP_KDF_CTRL_SET_KB_MODE: -+ t = va_arg(args, int); -+ if (t != 
EVP_KDF_KB_MODE_COUNTER && t != EVP_KDF_KB_MODE_FEEDBACK ) { -+ KDFerr(KDF_F_KBKDF_CTRL, KDF_R_VALUE_ERROR); -+ return 0; -+ } -+ ctx->mode = t; -+ return 1; -+ -+ case EVP_KDF_CTRL_SET_KB_MAC_TYPE: -+ t = va_arg(args, int); -+ if (t != EVP_KDF_KB_MAC_TYPE_HMAC && t != EVP_KDF_KB_MAC_TYPE_CMAC ) { -+ KDFerr(KDF_F_KBKDF_CTRL, KDF_R_VALUE_ERROR); -+ return 0; -+ } -+ -+ if (ctx->ctx_init != NULL) { -+ EVP_MAC_CTX_free(ctx->ctx_init); -+ } -+ ctx->ctx_init = EVP_MAC_CTX_new(t); -+ if (ctx->ctx_init == NULL) { -+ KDFerr(KDF_F_KBKDF_CTRL, ERR_R_MALLOC_FAILURE); -+ return 0; -+ } -+ return 1; -+ -+ default: -+ return -2; -+ -+ } -+} -+ -+static int kbkdf_ctrl_str(EVP_KDF_IMPL *ctx, const char *type, -+ const char *value) -+{ -+ if (value == NULL) { -+ KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_MISSING); -+ return 0; -+ } -+ -+ if (strcmp(type, "digest") == 0) -+ return kdf_md2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); -+ /* alias, for historical reasons */ -+ if (strcmp(type, "md") == 0) -+ return kdf_md2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_MD, value); -+ -+ if (strcmp(type, "cipher") == 0) -+ return kdf_cipher2ctrl(ctx, kbkdf_ctrl, EVP_KDF_CTRL_SET_CIPHER, value); -+ -+ if (strcmp(type, "key") == 0) -+ return kdf_str2ctrl(ctx, kbkdf_ctrl, -+ EVP_KDF_CTRL_SET_KEY, value); -+ -+ if (strcmp(type, "hexkey") == 0) -+ return kdf_hex2ctrl(ctx, kbkdf_ctrl, -+ EVP_KDF_CTRL_SET_KEY, value); -+ -+ if (strcmp(type, "salt") == 0) -+ return kdf_str2ctrl(ctx, kbkdf_ctrl, -+ EVP_KDF_CTRL_SET_SALT, value); -+ -+ if (strcmp(type, "hexsalt") == 0) -+ return kdf_hex2ctrl(ctx, kbkdf_ctrl, -+ EVP_KDF_CTRL_SET_SALT, value); -+ -+ if (strcmp(type, "info") == 0) -+ return kdf_str2ctrl(ctx, kbkdf_ctrl, -+ EVP_KDF_CTRL_SET_KB_INFO, value); -+ -+ if (strcmp(type, "hexinfo") == 0) -+ return kdf_hex2ctrl(ctx, kbkdf_ctrl, -+ EVP_KDF_CTRL_SET_KB_INFO, value); -+ -+ if (strcmp(type, "seed") == 0) -+ return kdf_str2ctrl(ctx, kbkdf_ctrl, -+ EVP_KDF_CTRL_SET_KB_SEED, value); -+ -+ if 
(strcmp(type, "hexseed") == 0) -+ return kdf_hex2ctrl(ctx, kbkdf_ctrl, -+ EVP_KDF_CTRL_SET_KB_SEED, value); -+ -+ if (strcmp(type, "mode") == 0) { -+ int mode; -+ -+ if (strcasecmp(value, "counter") == 0) { -+ mode = EVP_KDF_KB_MODE_COUNTER; -+ } else if (strcasecmp(value, "feedback") == 0) { -+ mode = EVP_KDF_KB_MODE_FEEDBACK; -+ } else { -+ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_VALUE_ERROR); -+ return 0; -+ } -+ -+ return call_ctrl(kbkdf_ctrl, ctx, EVP_KDF_CTRL_SET_KB_MODE, -+ mode); -+ } -+ -+ if (strcmp(type, "mac_type") == 0) { -+ int mac_type; -+ -+ if (strcasecmp(value, "hmac") == 0) { -+ mac_type = EVP_KDF_KB_MAC_TYPE_HMAC; -+ } else if (strcasecmp(value, "cmac") == 0) { -+ mac_type = EVP_KDF_KB_MAC_TYPE_CMAC; -+ } else { -+ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_VALUE_ERROR); -+ return 0; -+ } -+ -+ return call_ctrl(kbkdf_ctrl, ctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, -+ mac_type); -+ } -+ -+ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); -+ return -2; -+} -+ -+const EVP_KDF_METHOD kb_kdf_meth = { -+ EVP_KDF_KB, -+ kbkdf_new, -+ kbkdf_free, -+ kbkdf_reset, -+ kbkdf_ctrl, -+ kbkdf_ctrl_str, -+ kbkdf_size, -+ kbkdf_derive, -+}; -+ -diff -up openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_err.c ---- openssl-1.1.1d/crypto/kdf/kdf_err.c.krb5-kdf 2019-11-14 15:07:05.320094521 +0100 -+++ openssl-1.1.1d/crypto/kdf/kdf_err.c 2019-11-14 15:07:05.343094112 +0100 -@@ -15,6 +15,11 @@ - - static const ERR_STRING_DATA KDF_str_functs[] = { - {ERR_PACK(ERR_LIB_KDF, KDF_F_HKDF_EXTRACT, 0), "HKDF_Extract"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_CTRL, 0), "kbkdf_ctrl"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_CTRL_STR, 0), "kbkdf_ctrl_str"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_DERIVE, 0), "kbkdf_derive"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KBKDF_NEW, 0), "kbkdf_new"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_CIPHER2CTRL, 0), "kdf_cipher2ctrl"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_DERIVE, 0), "kdf_hkdf_derive"}, - {ERR_PACK(ERR_LIB_KDF, 
KDF_F_KDF_HKDF_NEW, 0), "kdf_hkdf_new"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_HKDF_SIZE, 0), "kdf_hkdf_size"}, -@@ -41,6 +46,8 @@ static const ERR_STRING_DATA KDF_str_fun - {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_DERIVE, 0), - "kdf_tls1_prf_derive"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_KDF_TLS1_PRF_NEW, 0), "kdf_tls1_prf_new"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KRB5KDF, 0), "KRB5KDF"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_KRB5KDF_DERIVE, 0), "krb5kdf_derive"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_PBKDF2_SET_MEMBUF, 0), "pbkdf2_set_membuf"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_CTRL_STR, 0), "pkey_hkdf_ctrl_str"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_HKDF_DERIVE, 0), "pkey_hkdf_derive"}, -@@ -59,12 +66,22 @@ static const ERR_STRING_DATA KDF_str_fun - "pkey_tls1_prf_derive"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_PKEY_TLS1_PRF_INIT, 0), "pkey_tls1_prf_init"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_SCRYPT_SET_MEMBUF, 0), "scrypt_set_membuf"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_SSKDF_DERIVE, 0), "sskdf_derive"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_SSKDF_NEW, 0), "sskdf_new"}, -+ {ERR_PACK(ERR_LIB_KDF, KDF_F_SSKDF_SIZE, 0), "sskdf_size"}, - {ERR_PACK(ERR_LIB_KDF, KDF_F_TLS1_PRF_ALG, 0), "tls1_prf_alg"}, - {0, NULL} - }; - - static const ERR_STRING_DATA KDF_str_reasons[] = { -+ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_FAILED_TO_GENERATE_KEY), -+ "failed to generate key"}, -+ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_CIPHER), "invalid cipher"}, -+ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_CONSTANT_LENGTH), "invalid constant length"}, - {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_DIGEST), "invalid digest"}, -+ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_INVALID_SEED_LENGTH), "invalid seed length"}, -+ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_CIPHER), "missing cipher"}, -+ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_CONSTANT), "missing constant"}, - {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_ITERATION_COUNT), - "missing iteration count"}, - {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_MISSING_KEY), "missing key"}, -@@ -82,6 +99,8 @@ static const 
ERR_STRING_DATA KDF_str_rea - "unknown parameter type"}, - {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_ERROR), "value error"}, - {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_VALUE_MISSING), "value missing"}, -+ {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_FINAL_BLOCK_LENGTH), -+ "wrong final block length"}, - {ERR_PACK(ERR_LIB_KDF, 0, KDF_R_WRONG_OUTPUT_BUFFER_SIZE), - "wrong output buffer size"}, - {0, NULL} -diff -up openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_local.h ---- openssl-1.1.1d/crypto/kdf/kdf_local.h.krb5-kdf 2019-11-14 15:07:05.313094646 +0100 -+++ openssl-1.1.1d/crypto/kdf/kdf_local.h 2019-11-14 15:07:05.344094093 +0100 -@@ -19,4 +19,6 @@ int kdf_hex2ctrl(EVP_KDF_IMPL *impl, - int kdf_md2ctrl(EVP_KDF_IMPL *impl, - int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), - int cmd, const char *md_name); -- -+int kdf_cipher2ctrl(EVP_KDF_IMPL *impl, -+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), -+ int cmd, const char *cipher_name); -diff -up openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf openssl-1.1.1d/crypto/kdf/kdf_util.c ---- openssl-1.1.1d/crypto/kdf/kdf_util.c.krb5-kdf 2019-11-14 15:07:05.313094646 +0100 -+++ openssl-1.1.1d/crypto/kdf/kdf_util.c 2019-11-14 15:07:05.344094093 +0100 -@@ -71,3 +71,16 @@ int kdf_md2ctrl(EVP_KDF_IMPL *impl, - return call_ctrl(ctrl, impl, cmd, md); - } - -+/* Pass a cipher to a ctrl */ -+int kdf_cipher2ctrl(EVP_KDF_IMPL *impl, -+ int (*ctrl)(EVP_KDF_IMPL *impl, int cmd, va_list args), -+ int cmd, const char *cipher_name) -+{ -+ const EVP_CIPHER *cipher; -+ -+ if (cipher_name == NULL || (cipher = EVP_get_cipherbyname(cipher_name)) == NULL) { -+ KDFerr(KDF_F_KDF_CIPHER2CTRL, KDF_R_INVALID_CIPHER); -+ return 0; -+ } -+ return call_ctrl(ctrl, impl, cmd, cipher); -+} -diff -up openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/krb5kdf.c ---- openssl-1.1.1d/crypto/kdf/krb5kdf.c.krb5-kdf 2019-11-14 15:07:05.344094093 +0100 -+++ openssl-1.1.1d/crypto/kdf/krb5kdf.c 2019-11-18 
17:18:13.056604404 +0100 -@@ -0,0 +1,423 @@ -+/* -+ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. -+ * -+ * Licensed under the OpenSSL license (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+#include -+#include -+#include -+ -+#include -+#include -+#include -+ -+#include "internal/cryptlib.h" -+#include "crypto/evp.h" -+#include "kdf_local.h" -+ -+/* KRB5 KDF defined in RFC 3961, Section 5.1 */ -+ -+static int KRB5KDF(const EVP_CIPHER *cipher, -+ const unsigned char *key, size_t key_len, -+ const unsigned char *constant, size_t constant_len, -+ unsigned char *okey, size_t okey_len); -+ -+struct evp_kdf_impl_st { -+ const EVP_CIPHER *cipher; -+ unsigned char *key; -+ size_t key_len; -+ unsigned char *constant; -+ size_t constant_len; -+}; -+ -+static void krb5kdf_reset(EVP_KDF_IMPL *ctx); -+ -+static EVP_KDF_IMPL *krb5kdf_new(void) -+{ -+ EVP_KDF_IMPL *ctx; -+ -+ if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) -+ KDFerr(KDF_F_KBKDF_NEW, ERR_R_MALLOC_FAILURE); -+ return ctx; -+} -+ -+static void krb5kdf_free(EVP_KDF_IMPL *ctx) -+{ -+ krb5kdf_reset(ctx); -+ OPENSSL_free(ctx); -+} -+ -+static void krb5kdf_reset(EVP_KDF_IMPL *ctx) -+{ -+ OPENSSL_clear_free(ctx->key, ctx->key_len); -+ OPENSSL_clear_free(ctx->constant, ctx->constant_len); -+ memset(ctx, 0, sizeof(*ctx)); -+} -+ -+static int krb5kdf_derive(EVP_KDF_IMPL *ctx, unsigned char *key, -+ size_t keylen) -+{ -+ if (ctx->cipher == NULL) { -+ KDFerr(KDF_F_KRB5KDF_DERIVE, KDF_R_MISSING_CIPHER); -+ return 0; -+ } -+ if (ctx->key == NULL) { -+ KDFerr(KDF_F_KRB5KDF_DERIVE, KDF_R_MISSING_KEY); -+ return 0; -+ } -+ if (ctx->constant == NULL) { -+ KDFerr(KDF_F_KRB5KDF_DERIVE, KDF_R_MISSING_CONSTANT); -+ return 0; -+ } -+ return KRB5KDF(ctx->cipher, ctx->key, ctx->key_len, -+ ctx->constant, ctx->constant_len, -+ key, 
keylen); -+} -+ -+static size_t krb5kdf_size(EVP_KDF_IMPL *ctx) -+{ -+ if (ctx->cipher != NULL) -+ return EVP_CIPHER_key_length(ctx->cipher); -+ else -+ return EVP_MAX_KEY_LENGTH; -+} -+ -+ -+static int krb5kdf_parse_buffer_arg(unsigned char **dst, size_t *dst_len, -+ va_list args) -+{ -+ const unsigned char *p; -+ size_t len; -+ -+ p = va_arg(args, const unsigned char *); -+ len = va_arg(args, size_t); -+ OPENSSL_clear_free(*dst, *dst_len); -+ if (len == 0) { -+ *dst = NULL; -+ *dst_len = 0; -+ return 1; -+ } -+ -+ *dst = OPENSSL_memdup(p, len); -+ if (*dst == NULL) -+ return 0; -+ -+ *dst_len = len; -+ return 1; -+} -+ -+static int krb5kdf_ctrl(EVP_KDF_IMPL *ctx, int cmd, va_list args) -+{ -+ switch (cmd) { -+ case EVP_KDF_CTRL_SET_CIPHER: -+ ctx->cipher = va_arg(args, const EVP_CIPHER *); -+ if (ctx->cipher == NULL) -+ return 0; -+ -+ return 1; -+ -+ case EVP_KDF_CTRL_SET_KEY: -+ return krb5kdf_parse_buffer_arg(&ctx->key, -+ &ctx->key_len, args); -+ -+ case EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT: -+ return krb5kdf_parse_buffer_arg(&ctx->constant, -+ &ctx->constant_len, args); -+ default: -+ return -2; -+ -+ } -+} -+ -+static int krb5kdf_ctrl_str(EVP_KDF_IMPL *ctx, const char *type, -+ const char *value) -+{ -+ if (value == NULL) { -+ KDFerr(KDF_F_KDF_SSHKDF_CTRL_STR, KDF_R_VALUE_MISSING); -+ return 0; -+ } -+ -+ if (strcmp(type, "cipher") == 0) -+ return kdf_cipher2ctrl(ctx, krb5kdf_ctrl, EVP_KDF_CTRL_SET_CIPHER, value); -+ -+ if (strcmp(type, "key") == 0) -+ return kdf_str2ctrl(ctx, krb5kdf_ctrl, -+ EVP_KDF_CTRL_SET_KEY, value); -+ -+ if (strcmp(type, "hexkey") == 0) -+ return kdf_hex2ctrl(ctx, krb5kdf_ctrl, -+ EVP_KDF_CTRL_SET_KEY, value); -+ -+ if (strcmp(type, "constant") == 0) -+ return kdf_str2ctrl(ctx, krb5kdf_ctrl, -+ EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, value); -+ -+ if (strcmp(type, "hexconstant") == 0) -+ return kdf_hex2ctrl(ctx, krb5kdf_ctrl, -+ EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, value); -+ -+ KDFerr(KDF_F_KBKDF_CTRL_STR, KDF_R_UNKNOWN_PARAMETER_TYPE); -+ 
return -2; -+} -+ -+ -+#ifndef OPENSSL_NO_DES -+/* -+ * DES3 is a special case, it requires a random-to-key function and its -+ * input truncated to 21 bytes of the 24 produced by the cipher. -+ * See RFC3961 6.3.1 -+ */ -+static int fixup_des3_key(unsigned char *key) -+{ -+ unsigned char *cblock; -+ int i, j; -+ -+ for (i = 2; i >= 0; i--) { -+ cblock = &key[i * 8]; -+ memmove(cblock, &key[i * 7], 7); -+ cblock[7] = 0; -+ for (j = 0; j < 7; j++) -+ cblock[7] |= (cblock[j] & 1) << (j + 1); -+ DES_set_odd_parity((DES_cblock *)cblock); -+ } -+ -+ /* fail if keys are such that triple des degrades to single des */ -+ if (CRYPTO_memcmp(&key[0], &key[8], 8) == 0 || -+ CRYPTO_memcmp(&key[8], &key[16], 8) == 0) { -+ return 0; -+ } -+ -+ return 1; -+} -+#endif -+ -+/* -+ * N-fold(K) where blocksize is N, and constant_len is K -+ * Note: Here |= denotes concatenation -+ * -+ * L = lcm(N,K) -+ * R = L/K -+ * -+ * for r: 1 -> R -+ * s |= constant rot 13*(r-1)) -+ * -+ * block = 0 -+ * for k: 1 -> K -+ * block += s[N(k-1)..(N-1)k] (one's complement addition) -+ * -+ * Optimizing for space we compute: -+ * for each l in L-1 -> 0: -+ * s[l] = (constant rot 13*(l/K))[l%k] -+ * block[l % N] += s[l] (with carry) -+ * finally add carry if any -+ */ -+static void n_fold(unsigned char *block, unsigned int blocksize, -+ const unsigned char *constant, size_t constant_len) -+{ -+ unsigned int tmp, gcd, remainder, lcm, carry; -+ int b, l; -+ -+ if (constant_len == blocksize) { -+ memcpy(block, constant, constant_len); -+ return; -+ } -+ -+ /* Least Common Multiple of lengths: LCM(a,b)*/ -+ gcd = blocksize; -+ remainder = constant_len; -+ /* Calculate Great Common Divisor first GCD(a,b) */ -+ while (remainder != 0) { -+ tmp = gcd % remainder; -+ gcd = remainder; -+ remainder = tmp; -+ } -+ /* resulting a is the GCD, LCM(a,b) = |a*b|/GCD(a,b) */ -+ lcm = blocksize * constant_len / gcd; -+ -+ /* now spread out the bits */ -+ memset(block, 0, blocksize); -+ -+ /* last to first to be able to 
bring carry forward */ -+ carry = 0; -+ for (l = lcm - 1; l >= 0; l--) { -+ unsigned int rotbits, rshift, rbyte; -+ -+ /* destination byte in block is l % N */ -+ b = l % blocksize; -+ /* Our virtual s buffer is R = L/K long (K = constant_len) */ -+ /* So we rotate backwards from R-1 to 0 (none) rotations */ -+ rotbits = 13 * (l / constant_len); -+ /* find the byte on s where rotbits falls onto */ -+ rbyte = l - (rotbits / 8); -+ /* calculate how much shift on that byte */ -+ rshift = rotbits & 0x07; -+ /* rbyte % constant_len gives us the unrotated byte in the -+ * constant buffer, get also the previous byte then -+ * appropriately shift them to get the rotated byte we need */ -+ tmp = (constant[(rbyte-1) % constant_len] << (8 - rshift) -+ | constant[rbyte % constant_len] >> rshift) -+ & 0xff; -+ /* add with carry to any value placed by previous passes */ -+ tmp += carry + block[b]; -+ block[b] = tmp & 0xff; -+ /* save any carry that may be left */ -+ carry = tmp >> 8; -+ } -+ -+ /* if any carry is left at the end, add it through the number */ -+ for (b = blocksize - 1; b >= 0 && carry != 0; b--) { -+ carry += block[b]; -+ block[b] = carry & 0xff; -+ carry >>= 8; -+ } -+} -+ -+static int cipher_init(EVP_CIPHER_CTX *ctx, -+ const EVP_CIPHER *cipher, -+ const unsigned char *key, size_t key_len) -+{ -+ int klen, ret; -+ -+ ret = EVP_EncryptInit_ex(ctx, cipher, NULL, key, NULL); -+ if (!ret) -+ goto out; -+ /* set the key len for the odd variable key len cipher */ -+ klen = EVP_CIPHER_CTX_key_length(ctx); -+ if (key_len != (size_t)klen) { -+ ret = EVP_CIPHER_CTX_set_key_length(ctx, key_len); -+ if (!ret) -+ goto out; -+ } -+ /* we never want padding, either the length requested is a multiple of -+ * the cipher block size or we are passed a cipher that can cope with -+ * partial blocks via techniques like cipher text stealing */ -+ ret = EVP_CIPHER_CTX_set_padding(ctx, 0); -+ if (!ret) -+ goto out; -+ -+out: -+ return ret; -+} -+ -+static int KRB5KDF(const EVP_CIPHER 
*cipher, -+ const unsigned char *key, size_t key_len, -+ const unsigned char *constant, size_t constant_len, -+ unsigned char *okey, size_t okey_len) -+{ -+ EVP_CIPHER_CTX *ctx = NULL; -+ unsigned char block[EVP_MAX_BLOCK_LENGTH * 2]; -+ unsigned char *plainblock, *cipherblock; -+ size_t blocksize; -+ size_t cipherlen; -+ size_t osize; -+ int des3_no_fixup = 0; -+ int ret; -+ -+ if (key_len != okey_len) { -+ /* special case for 3des, where the caller may be requesting -+ * the random raw key, instead of the fixed up key */ -+ if (EVP_CIPHER_nid(cipher) == NID_des_ede3_cbc && -+ key_len == 24 && okey_len == 21) { -+ des3_no_fixup = 1; -+ } else { -+ KDFerr(KDF_F_KRB5KDF, KDF_R_WRONG_OUTPUT_BUFFER_SIZE); -+ return 0; -+ } -+ } -+ -+ ctx = EVP_CIPHER_CTX_new(); -+ if (ctx == NULL) -+ return 0; -+ -+ ret = cipher_init(ctx, cipher, key, key_len); -+ if (!ret) -+ goto out; -+ -+ /* Initialize input block */ -+ blocksize = EVP_CIPHER_CTX_block_size(ctx); -+ -+ if (constant_len == 0 || constant_len > blocksize) { -+ KDFerr(KDF_F_KRB5KDF, KDF_R_INVALID_CONSTANT_LENGTH); -+ ret = 0; -+ goto out; -+ } -+ -+ n_fold(block, blocksize, constant, constant_len); -+ plainblock = block; -+ cipherblock = block + EVP_MAX_BLOCK_LENGTH; -+ -+ for (osize = 0; osize < okey_len; osize += cipherlen) { -+ int olen; -+ -+ ret = EVP_EncryptUpdate(ctx, cipherblock, &olen, -+ plainblock, blocksize); -+ if (!ret) -+ goto out; -+ cipherlen = olen; -+ ret = EVP_EncryptFinal_ex(ctx, cipherblock, &olen); -+ if (!ret) -+ goto out; -+ if (olen != 0) { -+ KDFerr(KDF_F_KRB5KDF, KDF_R_WRONG_FINAL_BLOCK_LENGTH); -+ ret = 0; -+ goto out; -+ } -+ -+ /* write cipherblock out */ -+ if (cipherlen > okey_len - osize) -+ cipherlen = okey_len - osize; -+ memcpy(okey + osize, cipherblock, cipherlen); -+ -+ if (okey_len > osize + cipherlen) { -+ /* we need to reinitialize cipher context per spec */ -+ ret = EVP_CIPHER_CTX_reset(ctx); -+ if (!ret) -+ goto out; -+ ret = cipher_init(ctx, cipher, key, key_len); -+ if 
(!ret) -+ goto out; -+ -+ /* also swap block offsets so last ciphertext becomes new -+ * plaintext */ -+ plainblock = cipherblock; -+ if (cipherblock == block) { -+ cipherblock += EVP_MAX_BLOCK_LENGTH; -+ } else { -+ cipherblock = block; -+ } -+ } -+ } -+ -+#ifndef OPENSSL_NO_DES -+ if (EVP_CIPHER_nid(cipher) == NID_des_ede3_cbc && !des3_no_fixup) { -+ ret = fixup_des3_key(okey); -+ if (!ret) { -+ KDFerr(KDF_F_KRB5KDF, KDF_R_FAILED_TO_GENERATE_KEY); -+ goto out; -+ } -+ } -+#endif -+ -+ ret = 1; -+ -+out: -+ EVP_CIPHER_CTX_free(ctx); -+ OPENSSL_cleanse(block, EVP_MAX_BLOCK_LENGTH * 2); -+ return ret; -+} -+ -+const EVP_KDF_METHOD krb5kdf_kdf_meth = { -+ EVP_KDF_KRB5KDF, -+ krb5kdf_new, -+ krb5kdf_free, -+ krb5kdf_reset, -+ krb5kdf_ctrl, -+ krb5kdf_ctrl_str, -+ krb5kdf_size, -+ krb5kdf_derive, -+}; -+ -diff -up openssl-1.1.1d/crypto/kdf/sshkdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/sshkdf.c ---- openssl-1.1.1d/crypto/kdf/sshkdf.c.krb5-kdf 2019-11-14 15:07:05.327094396 +0100 -+++ openssl-1.1.1d/crypto/kdf/sshkdf.c 2019-11-18 17:18:25.343388314 +0100 -@@ -12,6 +12,7 @@ - #include - #include - #include -+#include "internal/numbers.h" - #include "internal/cryptlib.h" - #include "crypto/evp.h" - #include "kdf_local.h" -@@ -68,6 +69,12 @@ static int kdf_sshkdf_parse_buffer_arg(u - p = va_arg(args, const unsigned char *); - len = va_arg(args, size_t); - OPENSSL_clear_free(*dst, *dst_len); -+ if (len == 0) { -+ *dst = NULL; -+ *dst_len = 0; -+ return 1; -+ } -+ - *dst = OPENSSL_memdup(p, len); - if (*dst == NULL) - return 0; -diff -up openssl-1.1.1d/crypto/kdf/sskdf.c.krb5-kdf openssl-1.1.1d/crypto/kdf/sskdf.c ---- openssl-1.1.1d/crypto/kdf/sskdf.c.krb5-kdf 2019-11-14 15:07:05.344094093 +0100 -+++ openssl-1.1.1d/crypto/kdf/sskdf.c 2019-11-18 17:21:40.349952802 +0100 -@@ -0,0 +1,255 @@ -+/* -+ * Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. -+ * Copyright (c) 2019, Oracle and/or its affiliates. All rights reserved. 
-+ * -+ * Licensed under the Apache License 2.0 (the "License"). You may not use -+ * this file except in compliance with the License. You can obtain a copy -+ * in the file LICENSE in the source distribution or at -+ * https://www.openssl.org/source/license.html -+ */ -+ -+/* -+ * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final -+ * Section 4.1. -+ * -+ * The Single Step KDF algorithm is given by: -+ * -+ * Result(0) = empty bit string (i.e., the null string). -+ * For i = 1 to reps, do the following: -+ * Increment counter by 1. -+ * Result(i) = Result(i – 1) || H(counter || Z || FixedInfo). -+ * DKM = LeftmostBits(Result(reps), L)) -+ * -+ * NOTES: -+ * Z is a shared secret required to produce the derived key material. -+ * counter is a 4 byte buffer. -+ * FixedInfo is a bit string containing context specific data. -+ * DKM is the output derived key material. -+ * L is the required size of the DKM. -+ * reps = [L / H_outputBits] -+ * H(x) is the auxiliary function that can be either a hash, HMAC or KMAC. -+ * This backported version supports only a hash. -+ * H_outputBits is the length of the output of the auxiliary function H(x). -+ * -+ * Currently there is not a comprehensive list of test vectors for this -+ * algorithm, especially for H(x) = HMAC and H(x) = KMAC. -+ * Test vectors for H(x) = Hash are indirectly used by CAVS KAS tests. -+ */ -+#include -+#include -+#include -+#include -+#include -+#include -+#include "internal/cryptlib.h" -+#include "crypto/evp.h" -+#include "kdf_local.h" -+ -+struct evp_kdf_impl_st { -+ const EVP_MD *md; /* H(x) = hash */ -+ unsigned char *secret; -+ size_t secret_len; -+ unsigned char *info; -+ size_t info_len; -+}; -+ -+#define SSKDF_MAX_INLEN (1<<30) -+ -+/* -+ * Refer to https://csrc.nist.gov/publications/detail/sp/800-56c/rev-1/final -+ * Section 4. 
One-Step Key Derivation using H(x) = hash(x) -+ */ -+static int SSKDF_hash_kdm(const EVP_MD *kdf_md, -+ const unsigned char *z, size_t z_len, -+ const unsigned char *info, size_t info_len, -+ unsigned char *derived_key, size_t derived_key_len) -+{ -+ int ret = 0, hlen; -+ size_t counter, out_len, len = derived_key_len; -+ unsigned char c[4]; -+ unsigned char mac[EVP_MAX_MD_SIZE]; -+ unsigned char *out = derived_key; -+ EVP_MD_CTX *ctx = NULL, *ctx_init = NULL; -+ -+ if (z_len > SSKDF_MAX_INLEN || info_len > SSKDF_MAX_INLEN -+ || derived_key_len > SSKDF_MAX_INLEN -+ || derived_key_len == 0) -+ return 0; -+ -+ hlen = EVP_MD_size(kdf_md); -+ if (hlen <= 0) -+ return 0; -+ out_len = (size_t)hlen; -+ -+ ctx = EVP_MD_CTX_create(); -+ ctx_init = EVP_MD_CTX_create(); -+ if (ctx == NULL || ctx_init == NULL) -+ goto end; -+ -+ if (!EVP_DigestInit(ctx_init, kdf_md)) -+ goto end; -+ -+ for (counter = 1;; counter++) { -+ c[0] = (unsigned char)((counter >> 24) & 0xff); -+ c[1] = (unsigned char)((counter >> 16) & 0xff); -+ c[2] = (unsigned char)((counter >> 8) & 0xff); -+ c[3] = (unsigned char)(counter & 0xff); -+ -+ if (!(EVP_MD_CTX_copy_ex(ctx, ctx_init) -+ && EVP_DigestUpdate(ctx, c, sizeof(c)) -+ && EVP_DigestUpdate(ctx, z, z_len) -+ && EVP_DigestUpdate(ctx, info, info_len))) -+ goto end; -+ if (len >= out_len) { -+ if (!EVP_DigestFinal_ex(ctx, out, NULL)) -+ goto end; -+ out += out_len; -+ len -= out_len; -+ if (len == 0) -+ break; -+ } else { -+ if (!EVP_DigestFinal_ex(ctx, mac, NULL)) -+ goto end; -+ memcpy(out, mac, len); -+ break; -+ } -+ } -+ ret = 1; -+end: -+ EVP_MD_CTX_destroy(ctx); -+ EVP_MD_CTX_destroy(ctx_init); -+ OPENSSL_cleanse(mac, sizeof(mac)); -+ return ret; -+} -+ -+static EVP_KDF_IMPL *sskdf_new(void) -+{ -+ EVP_KDF_IMPL *impl; -+ -+ if ((impl = OPENSSL_zalloc(sizeof(*impl))) == NULL) -+ KDFerr(KDF_F_SSKDF_NEW, ERR_R_MALLOC_FAILURE); -+ return impl; -+} -+ -+static void sskdf_reset(EVP_KDF_IMPL *impl) -+{ -+ OPENSSL_clear_free(impl->secret, 
impl->secret_len); -+ OPENSSL_clear_free(impl->info, impl->info_len); -+ memset(impl, 0, sizeof(*impl)); -+} -+ -+static void sskdf_free(EVP_KDF_IMPL *impl) -+{ -+ sskdf_reset(impl); -+ OPENSSL_free(impl); -+} -+ -+static int sskdf_set_buffer(va_list args, unsigned char **out, size_t *out_len) -+{ -+ const unsigned char *p; -+ size_t len; -+ -+ p = va_arg(args, const unsigned char *); -+ len = va_arg(args, size_t); -+ OPENSSL_clear_free(*out, *out_len); -+ if (len == 0) { -+ *out = NULL; -+ *out_len = 0; -+ return 1; -+ } -+ -+ *out = OPENSSL_memdup(p, len); -+ if (*out == NULL) -+ return 0; -+ -+ *out_len = len; -+ return 1; -+} -+ -+static int sskdf_ctrl(EVP_KDF_IMPL *impl, int cmd, va_list args) -+{ -+ const EVP_MD *md; -+ -+ switch (cmd) { -+ case EVP_KDF_CTRL_SET_KEY: -+ return sskdf_set_buffer(args, &impl->secret, &impl->secret_len); -+ -+ case EVP_KDF_CTRL_SET_SSKDF_INFO: -+ return sskdf_set_buffer(args, &impl->info, &impl->info_len); -+ -+ case EVP_KDF_CTRL_SET_MD: -+ md = va_arg(args, const EVP_MD *); -+ if (md == NULL) -+ return 0; -+ -+ impl->md = md; -+ return 1; -+ -+ default: -+ return -2; -+ } -+} -+ -+static int sskdf_ctrl_str(EVP_KDF_IMPL *impl, const char *type, -+ const char *value) -+{ -+ if (strcmp(type, "secret") == 0 || strcmp(type, "key") == 0) -+ return kdf_str2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_KEY, -+ value); -+ -+ if (strcmp(type, "hexsecret") == 0 || strcmp(type, "hexkey") == 0) -+ return kdf_hex2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_KEY, -+ value); -+ -+ if (strcmp(type, "info") == 0) -+ return kdf_str2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_SSKDF_INFO, -+ value); -+ -+ if (strcmp(type, "hexinfo") == 0) -+ return kdf_hex2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_SSKDF_INFO, -+ value); -+ -+ if (strcmp(type, "digest") == 0) -+ return kdf_md2ctrl(impl, sskdf_ctrl, EVP_KDF_CTRL_SET_MD, value); -+ -+ return -2; -+} -+ -+static size_t sskdf_size(EVP_KDF_IMPL *impl) -+{ -+ int len; -+ -+ if (impl->md == NULL) { -+ 
KDFerr(KDF_F_SSKDF_SIZE, KDF_R_MISSING_MESSAGE_DIGEST); -+ return 0; -+ } -+ len = EVP_MD_size(impl->md); -+ return (len <= 0) ? 0 : (size_t)len; -+} -+ -+static int sskdf_derive(EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen) -+{ -+ if (impl->secret == NULL) { -+ KDFerr(KDF_F_SSKDF_DERIVE, KDF_R_MISSING_SECRET); -+ return 0; -+ } -+ -+ /* H(x) = hash */ -+ if (impl->md == NULL) { -+ KDFerr(KDF_F_SSKDF_DERIVE, KDF_R_MISSING_MESSAGE_DIGEST); -+ return 0; -+ } -+ return SSKDF_hash_kdm(impl->md, impl->secret, impl->secret_len, -+ impl->info, impl->info_len, key, keylen); -+} -+ -+const EVP_KDF_METHOD ss_kdf_meth = { -+ EVP_KDF_SS, -+ sskdf_new, -+ sskdf_free, -+ sskdf_reset, -+ sskdf_ctrl, -+ sskdf_ctrl_str, -+ sskdf_size, -+ sskdf_derive -+}; -diff -up openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf openssl-1.1.1d/crypto/objects/obj_dat.h ---- openssl-1.1.1d/crypto/objects/obj_dat.h.krb5-kdf 2019-11-14 15:07:05.322094485 +0100 -+++ openssl-1.1.1d/crypto/objects/obj_dat.h 2019-11-14 15:07:05.345094076 +0100 -@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { - 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ - }; - --#define NUM_NID 1196 -+#define NUM_NID 1199 - static const ASN1_OBJECT nid_objs[NUM_NID] = { - {"UNDEF", "undefined", NID_undef}, - {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, -@@ -2276,9 +2276,12 @@ static const ASN1_OBJECT nid_objs[NUM_NI - {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, - {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, - {"SSHKDF", "sshkdf", NID_sshkdf}, -+ {"KBKDF", "kbkdf", NID_kbkdf}, -+ {"KRB5KDF", "krb5kdf", NID_krb5kdf}, -+ {"SSKDF", "sskdf", NID_sskdf}, - }; - --#define NUM_SN 1187 -+#define NUM_SN 1190 - static const unsigned int sn_objs[NUM_SN] = { - 364, /* "AD_DVCS" */ - 419, /* "AES-128-CBC" */ -@@ -2442,7 +2445,9 @@ static const unsigned int sn_objs[NUM_SN - 183, /* "ISO-US" */ - 645, /* 
"ITU-T" */ - 646, /* "JOINT-ISO-ITU-T" */ -+ 1196, /* "KBKDF" */ - 773, /* "KISA" */ -+ 1197, /* "KRB5KDF" */ - 1063, /* "KxANY" */ - 1039, /* "KxDHE" */ - 1041, /* "KxDHE-PSK" */ -@@ -2557,6 +2562,7 @@ static const unsigned int sn_objs[NUM_SN - 100, /* "SN" */ - 1006, /* "SNILS" */ - 1195, /* "SSHKDF" */ -+ 1198, /* "SSKDF" */ - 16, /* "ST" */ - 143, /* "SXNetID" */ - 1062, /* "SipHash" */ -@@ -3469,7 +3475,7 @@ static const unsigned int sn_objs[NUM_SN - 1093, /* "x509ExtAdmission" */ - }; - --#define NUM_LN 1187 -+#define NUM_LN 1190 - static const unsigned int ln_objs[NUM_LN] = { - 363, /* "AD Time Stamping" */ - 405, /* "ANSI X9.62" */ -@@ -4262,8 +4268,10 @@ static const unsigned int ln_objs[NUM_LN - 957, /* "jurisdictionCountryName" */ - 955, /* "jurisdictionLocalityName" */ - 956, /* "jurisdictionStateOrProvinceName" */ -+ 1196, /* "kbkdf" */ - 150, /* "keyBag" */ - 773, /* "kisa" */ -+ 1197, /* "krb5kdf" */ - 1063, /* "kx-any" */ - 1039, /* "kx-dhe" */ - 1041, /* "kx-dhe-psk" */ -@@ -4612,6 +4620,7 @@ static const unsigned int ln_objs[NUM_LN - 1133, /* "sm4-ecb" */ - 1135, /* "sm4-ofb" */ - 1195, /* "sshkdf" */ -+ 1198, /* "sskdf" */ - 16, /* "stateOrProvinceName" */ - 660, /* "streetAddress" */ - 498, /* "subtreeMaximumQuality" */ -diff -up openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf openssl-1.1.1d/crypto/objects/objects.txt ---- openssl-1.1.1d/crypto/objects/objects.txt.krb5-kdf 2019-11-14 15:07:05.322094485 +0100 -+++ openssl-1.1.1d/crypto/objects/objects.txt 2019-11-14 15:07:05.345094076 +0100 -@@ -1603,6 +1603,15 @@ secg-scheme 14 3 : dhSinglePass-cofactor - # NID for SSHKDF - : SSHKDF : sshkdf - -+# NID for KBKDF -+ : KBKDF : kbkdf -+ -+# NID for KRB5KDF -+ : KRB5KDF : krb5kdf -+ -+# NID for SSKDF -+ : SSKDF : sskdf -+ - # RFC 4556 - 1 3 6 1 5 2 3 : id-pkinit - id-pkinit 4 : pkInitClientAuth : PKINIT Client Auth -diff -up openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf openssl-1.1.1d/crypto/objects/obj_mac.num ---- 
openssl-1.1.1d/crypto/objects/obj_mac.num.krb5-kdf 2019-11-14 15:07:05.322094485 +0100 -+++ openssl-1.1.1d/crypto/objects/obj_mac.num 2019-11-14 15:07:05.346094058 +0100 -@@ -1193,3 +1193,6 @@ magma_mac 1192 - hmacWithSHA512_224 1193 - hmacWithSHA512_256 1194 - sshkdf 1195 -+kbkdf 1196 -+krb5kdf 1197 -+sskdf 1198 -diff -up openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod ---- openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod.krb5-kdf 2019-11-14 15:07:05.314094628 +0100 -+++ openssl-1.1.1d/doc/man3/EVP_KDF_CTX.pod 2019-11-14 15:07:05.346094058 +0100 -@@ -140,7 +140,14 @@ The value string is expected to be a dec - This control expects one argument: C - - For MAC implementations that use a message digest as an underlying computation --algorithm, this control set what the digest algorithm should be. -+algorithm, this control sets what the digest algorithm should be. -+ -+=item B -+ -+This control expects one argument: C -+ -+For MAC implementations that use a cipher as an underlying computation -+algorithm, this control sets what the cipher algorithm should be. - - EVP_KDF_ctrl_str() type string: "md" - -diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod ---- openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100 -+++ openssl-1.1.1d/doc/man7/EVP_KDF_KB.pod 2019-11-14 15:07:05.346094058 +0100 -@@ -0,0 +1,173 @@ -+=pod -+ -+=head1 NAME -+ -+EVP_KDF_KB - The Key-Based EVP_KDF implementation -+ -+=head1 DESCRIPTION -+ -+The EVP_KDF_KB algorithm implements the Key-Based key derivation function -+(KBKDF). KBKDF derives a key from repeated application of a keyed MAC to an -+input secret (and other optional values). -+ -+=head2 Numeric identity -+ -+B is the numeric identity for this implementation; it can be used with the -+EVP_KDF_CTX_new_id() function. 
-+ -+=head2 Supported controls -+ -+The supported controls are: -+ -+=over 4 -+ -+=item B -+ -+This control expects one argument: C -+ -+Sets the mode for the KBKDF operation. There are two supported modes: -+ -+=over 4 -+ -+=item B -+ -+The counter mode of KBKDF should be used. This is the default. -+ -+=item B -+ -+The feedback mode of KBKDF should be used. -+ -+=back -+ -+=item B -+ -+This control expects one argument: C -+ -+Sets the mac type for the KBKDF operation. There are two supported mac types: -+ -+=over 4 -+ -+=item B -+ -+The HMAC with the digest set by B should be used as the mac. -+ -+=item B -+ -+The CMAC with the cipher set by B should be used as the mac. -+ -+=back -+ -+=item B -+ -+=item B -+ -+=item B -+ -+=item B -+ -+These controls work as described in L. -+ -+=item B -+ -+This control expects two arguments: C, C -+ -+=item B -+ -+This control expects two arguments: C, C -+ -+It is used only in the feedback mode and the length must be the same -+as the block length of the cipher in CMAC or the size of the digest in HMAC. -+ -+=back -+ -+The controls B, B, -+B, and B -+correspond to KI, Label, Context, and IV (respectively) in SP800-108. -+As in that document, salt, info, and seed are optional and may be -+omitted. -+ -+Depending on whether mac is CMAC or HMAC, either digest or cipher is -+required (respectively) and the other is unused. -+ -+=head1 NOTES -+ -+A context for KBKDF can be obtained by calling: -+ -+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB); -+ -+The output length of an KBKDF is specified via the C -+parameter to the L function. -+ -+Note that currently OpenSSL only implements counter and feedback modes. Other -+variants may be supported in the future. -+ -+=head1 EXAMPLES -+ -+This example derives 10 bytes using COUNTER-HMAC-SHA256, with KI "secret", -+Label "label", and Context "context". 
-+ -+ EVP_KDF_CTX *kctx; -+ unsigned char out[10]; -+ -+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB); -+ -+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()); -+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC); -+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", strlen("secret")); -+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "label", strlen("label")); -+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, "context", strlen("context")); -+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) -+ error("EVP_KDF_derive"); -+ -+ EVP_KDF_CTX_free(kctx); -+ -+This example derives 10 bytes using FEEDBACK-CMAC-AES256, with KI "secret", -+Label "label", Context "context", and IV "sixteen bytes iv". -+ -+ EVP_KDF_CTX *kctx; -+ unsigned char out[10]; -+ unsigned char *iv = "sixteen bytes iv"; -+ -+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB); -+ -+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_256_cbc()); -+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC); -+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK); -+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", strlen("secret")); -+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "label", strlen("label")); -+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, "context", strlen("context")); -+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, strlen(iv)); -+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) -+ error("EVP_KDF_derive"); -+ -+ EVP_KDF_CTX_free(kctx); -+ -+=head1 CONFORMING TO -+ -+NIST SP800-108, IETF RFC 6803, IETF RFC 8009. -+ -+=head1 SEE ALSO -+ -+L, -+L, -+L, -+L, -+L, -+L, -+L -+ -+=head1 HISTORY -+ -+This functionality was added to OpenSSL 3.0. -+ -+=head1 COPYRIGHT -+ -+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. -+Copyright 2019 Red Hat, Inc. -+ -+Licensed under the Apache License 2.0 (the "License"). You may not use -+this file except in compliance with the License. 
You can obtain a copy -+in the file LICENSE in the source distribution or at -+L. -+ -+=cut -diff -up openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod ---- openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100 -+++ openssl-1.1.1d/doc/man7/EVP_KDF_KRB5KDF.pod 2019-11-14 15:07:05.346094058 +0100 -@@ -0,0 +1,107 @@ -+=pod -+ -+=head1 NAME -+ -+EVP_KDF_KRB5KDF - The RFC3961 Krb5 KDF EVP_KDF implementation -+ -+=head1 DESCRIPTION -+ -+Support for computing the B KDF through the B API. -+ -+The B algorithm implements the key derivation function defined -+in RFC 3961, section 5.1 and is used by Krb5 to derive session keys. -+Three inputs are required to perform key derivation: a cipher, (for example -+AES-128-CBC), the initial key, and a constant. -+ -+=head2 Numeric identity -+ -+B is the numeric identity for this implementation; it can be used with the -+EVP_KDF_CTX_new_id() function. -+ -+=head2 Supported controls -+ -+The supported controls are: -+ -+=over 4 -+ -+=item B -+ -+=item B -+ -+These controls work as described in L. -+ -+=item B -+ -+This control expects two arguments: C, C -+ -+This control sets the I value for the KDF. -+If a value is already set, the contents are replaced. -+ -+=back -+ -+ -+=head1 NOTES -+ -+A context for KRB5KDF can be obtained by calling: -+ -+ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF); -+ -+The output length of the KRB5KDF derivation is specified via the I -+parameter to the L function, and MUST match the key -+length for the chosen cipher or an error is returned. Moreover the -+I's length must not exceed the block size of the cipher. -+Since the KRB5KDF output length depends on the chosen cipher, calling -+L to obtain the requisite length returns the correct length -+only after the cipher is set. Prior to that B is returned. 
-+The caller must allocate a buffer of the correct length for the chosen
-+cipher, and pass that buffer to the L function along
-+with that length.
-+
-+=head1 EXAMPLES
-+
-+This example derives a key using the AES-128-CBC cipher:
-+
-+ EVP_KDF_CTX *kctx;
-+ unsigned char key[16] = "01234...";
-+ unsigned char constant[] = "I'm a constant";
-+ unsigned char out[16];
-+ size_t outlen = sizeof(out);
-+
-+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF);
-+
-+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_128_cbc());
-+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, (size_t)16);
-+ EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, constant, strlen(constant));
-+ if (EVP_KDF_derive(kctx, out, outlen) <= 0)
-+ /* Error */
-+ EVP_KDF_CTX_free(kctx);
-+
-+=head1 CONFORMING TO
-+
-+RFC 3961
-+
-+=head1 SEE ALSO
-+
-+L,
-+L,
-+L,
-+L,
-+L,
-+L,
-+L
-+
-+=head1 HISTORY
-+
-+This functionality was added to OpenSSL 3.0.
-+
-+=head1 COPYRIGHT
-+
-+Copyright 2016-2019 The OpenSSL Project Authors. All Rights Reserved.
-+
-+Licensed under the OpenSSL license (the "License"). You may not use
-+this file except in compliance with the License. You can obtain a copy
-+in the file LICENSE in the source distribution or at
-+L.
-+
-+=cut
-+
-diff -up openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod.krb5-kdf openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod
---- openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod.krb5-kdf 2019-11-14 15:07:05.346094058 +0100
-+++ openssl-1.1.1d/doc/man7/EVP_KDF_SS.pod 2019-11-14 15:07:05.346094058 +0100
-@@ -0,0 +1,146 @@
-+=pod
-+
-+=head1 NAME
-+
-+EVP_KDF_SS - The Single Step / One Step EVP_KDF implementation
-+
-+=head1 DESCRIPTION
-+
-+The EVP_KDF_SS algorithm implements the Single Step key derivation function (SSKDF).
-+SSKDF derives a key using input such as a shared secret key (that was generated
-+during the execution of a key establishment scheme) and fixedinfo.
-+SSKDF is also informally referred to as 'Concat KDF'.
-+
-+=head2 Auxilary function
-+
-+The implementation uses a selectable auxiliary function H, which can be in the
-+backported version only a:
-+
-+=over 4
-+
-+=item B
-+
-+=back
-+
-+=head2 Numeric identity
-+
-+B is the numeric identity for this implementation; it
-+can be used with the EVP_KDF_CTX_new_id() function.
-+
-+=head2 Supported controls
-+
-+The supported controls are:
-+
-+=over 4
-+
-+=item B
-+
-+This control works as described in L.
-+
-+=item B
-+
-+This control expects two arguments: C, C
-+
-+The shared secret used for key derivation. This control sets the secret.
-+
-+EVP_KDF_ctrl_str() takes two type strings for this control:
-+
-+=over 4
-+
-+=item "secret"
-+
-+The value string is used as is.
-+
-+=item "hexsecret"
-+
-+The value string is expected to be a hexadecimal number, which will be
-+decoded before being passed on as the control value.
-+
-+=back
-+
-+=item B
-+
-+This control expects two arguments: C, C
-+
-+An optional value for fixedinfo, also known as otherinfo. This control sets the fixedinfo.
-+
-+EVP_KDF_ctrl_str() takes two type strings for this control:
-+
-+=over 4
-+
-+=item "info"
-+
-+The value string is used as is.
-+
-+=item "hexinfo"
-+
-+The value string is expected to be a hexadecimal number, which will be
-+decoded before being passed on as the control value.
-+
-+=back
-+
-+=back
-+
-+=head1 NOTES
-+
-+A context for SSKDF can be obtained by calling:
-+
-+EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS);
-+
-+The output length of an SSKDF is specified via the C
-+parameter to the L function.
-+
-+=head1 EXAMPLE
-+
-+This example derives 10 bytes using H(x) = SHA-256, with the secret key "secret"
-+and fixedinfo value "label":
-+
-+ EVP_KDF_CTX *kctx;
-+ unsigned char out[10];
-+
-+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS);
-+
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+ error("EVP_KDF_CTRL_SET_MD");
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) {
-+ error("EVP_KDF_CTRL_SET_KEY");
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, "label", (size_t)5) <= 0) {
-+ error("EVP_KDF_CTRL_SET_SSKDF_INFO");
-+ }
-+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+ error("EVP_KDF_derive");
-+ }
-+
-+ EVP_KDF_CTX_free(kctx);
-+
-+=head1 CONFORMING TO
-+
-+NIST SP800-56Cr1.
-+
-+=head1 SEE ALSO
-+
-+L,
-+L,
-+L,
-+L,
-+L,
-+L,
-+L
-+
-+=head1 HISTORY
-+
-+This functionality was added to OpenSSL 3.0.0.
-+
-+=head1 COPYRIGHT
-+
-+Copyright 2019 The OpenSSL Project Authors. All Rights Reserved. Copyright
-+(c) 2019, Oracle and/or its affiliates. All rights reserved.
-+
-+Licensed under the Apache License 2.0 (the "License"). You may not use
-+this file except in compliance with the License. You can obtain a copy
-+in the file LICENSE in the source distribution or at
-+L.
-+
-+=cut
-diff -up openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf openssl-1.1.1d/include/openssl/kdferr.h
---- openssl-1.1.1d/include/openssl/kdferr.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100
-+++ openssl-1.1.1d/include/openssl/kdferr.h 2019-11-14 15:07:05.347094040 +0100
-@@ -24,6 +24,11 @@ int ERR_load_KDF_strings(void);
- * KDF function codes.
- */
- # define KDF_F_HKDF_EXTRACT 112
-+# define KDF_F_KBKDF_CTRL 134
-+# define KDF_F_KBKDF_CTRL_STR 135
-+# define KDF_F_KBKDF_DERIVE 136
-+# define KDF_F_KBKDF_NEW 137
-+# define KDF_F_KDF_CIPHER2CTRL 138
- # define KDF_F_KDF_HKDF_DERIVE 113
- # define KDF_F_KDF_HKDF_NEW 114
- # define KDF_F_KDF_HKDF_SIZE 115
-@@ -43,6 +48,8 @@ int ERR_load_KDF_strings(void);
- # define KDF_F_KDF_TLS1_PRF_CTRL_STR 125
- # define KDF_F_KDF_TLS1_PRF_DERIVE 126
- # define KDF_F_KDF_TLS1_PRF_NEW 127
-+# define KDF_F_KRB5KDF 139
-+# define KDF_F_KRB5KDF_DERIVE 140
- # define KDF_F_PBKDF2_SET_MEMBUF 128
- # define KDF_F_PKEY_HKDF_CTRL_STR 103
- # define KDF_F_PKEY_HKDF_DERIVE 102
-@@ -56,12 +63,21 @@ int ERR_load_KDF_strings(void);
- # define KDF_F_PKEY_TLS1_PRF_DERIVE 101
- # define KDF_F_PKEY_TLS1_PRF_INIT 110
- # define KDF_F_SCRYPT_SET_MEMBUF 129
-+# define KDF_F_SSKDF_DERIVE 141
-+# define KDF_F_SSKDF_NEW 142
-+# define KDF_F_SSKDF_SIZE 143
- # define KDF_F_TLS1_PRF_ALG 111
-
- /*
- * KDF reason codes.
- */
-+# define KDF_R_FAILED_TO_GENERATE_KEY 118
-+# define KDF_R_INVALID_CIPHER 116
-+# define KDF_R_INVALID_CONSTANT_LENGTH 119
- # define KDF_R_INVALID_DIGEST 100
-+# define KDF_R_INVALID_SEED_LENGTH 117
-+# define KDF_R_MISSING_CIPHER 120
-+# define KDF_R_MISSING_CONSTANT 121
- # define KDF_R_MISSING_ITERATION_COUNT 109
- # define KDF_R_MISSING_KEY 104
- # define KDF_R_MISSING_MESSAGE_DIGEST 105
-@@ -76,6 +92,7 @@ int ERR_load_KDF_strings(void);
- # define KDF_R_UNKNOWN_PARAMETER_TYPE 103
- # define KDF_R_VALUE_ERROR 108
- # define KDF_R_VALUE_MISSING 102
-+# define KDF_R_WRONG_FINAL_BLOCK_LENGTH 122
- # define KDF_R_WRONG_OUTPUT_BUFFER_SIZE 112
-
- #endif
-diff -up openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf openssl-1.1.1d/include/openssl/kdf.h
---- openssl-1.1.1d/include/openssl/kdf.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100
-+++ openssl-1.1.1d/include/openssl/kdf.h 2019-11-14 15:07:05.347094040 +0100
-@@ -21,6 +21,9 @@ extern "C" {
- # define EVP_KDF_TLS1_PRF NID_tls1_prf
- # define EVP_KDF_HKDF NID_hkdf
- # define EVP_KDF_SSHKDF NID_sshkdf
-+# define EVP_KDF_KB NID_kbkdf
-+# define EVP_KDF_KRB5KDF NID_krb5kdf
-+# define EVP_KDF_SS NID_sskdf
-
- EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id);
- void EVP_KDF_CTX_free(EVP_KDF_CTX *ctx);
-@@ -51,6 +54,13 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns
- # define EVP_KDF_CTRL_SET_SSHKDF_XCGHASH 0x10 /* unsigned char *, size_t */
- # define EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID 0x11 /* unsigned char *, size_t */
- # define EVP_KDF_CTRL_SET_SSHKDF_TYPE 0x12 /* int */
-+# define EVP_KDF_CTRL_SET_KB_MODE 0x13 /* int */
-+# define EVP_KDF_CTRL_SET_KB_MAC_TYPE 0x14 /* int */
-+# define EVP_KDF_CTRL_SET_CIPHER 0x15 /* EVP_CIPHER * */
-+# define EVP_KDF_CTRL_SET_KB_INFO 0x16 /* unsigned char *, size_t */
-+# define EVP_KDF_CTRL_SET_KB_SEED 0x17 /* unsigned char *, size_t */
-+# define EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT 0x18 /* unsigned char *, size_t */
-+# define EVP_KDF_CTRL_SET_SSKDF_INFO 0x19 /* unsigned char *, size_t */
-
- # define EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND 0
- # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1
-@@ -63,6 +73,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns
- #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_CLI_TO_SRV 69
- #define EVP_KDF_SSHKDF_TYPE_INTEGRITY_KEY_SRV_TO_CLI 70
-
-+#define EVP_KDF_KB_MODE_COUNTER 0
-+#define EVP_KDF_KB_MODE_FEEDBACK 1
-+
-+#define EVP_KDF_KB_MAC_TYPE_HMAC 0
-+#define EVP_KDF_KB_MAC_TYPE_CMAC 1
-+
- /**** The legacy PKEY-based KDF API follows. ****/
-
- # define EVP_PKEY_CTRL_TLS_MD (EVP_PKEY_ALG_CTRL)
-diff -up openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf openssl-1.1.1d/include/openssl/obj_mac.h
---- openssl-1.1.1d/include/openssl/obj_mac.h.krb5-kdf 2019-11-14 15:07:05.323094468 +0100
-+++ openssl-1.1.1d/include/openssl/obj_mac.h 2019-11-14 15:07:05.347094040 +0100
-@@ -4974,6 +4974,18 @@
- #define LN_sshkdf "sshkdf"
- #define NID_sshkdf 1203
-
-+#define SN_kbkdf "KBKDF"
-+#define LN_kbkdf "kbkdf"
-+#define NID_kbkdf 1204
-+
-+#define SN_krb5kdf "KRB5KDF"
-+#define LN_krb5kdf "krb5kdf"
-+#define NID_krb5kdf 1205
-+
-+#define SN_sskdf "SSKDF"
-+#define LN_sskdf "sskdf"
-+#define NID_sskdf 1206
-+
- #define SN_id_pkinit "id-pkinit"
- #define NID_id_pkinit 1031
- #define OBJ_id_pkinit 1L,3L,6L,1L,5L,2L,3L
-diff -up openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf openssl-1.1.1d/test/evp_kdf_test.c
---- openssl-1.1.1d/test/evp_kdf_test.c.krb5-kdf 2019-11-14 15:07:05.315094610 +0100
-+++ openssl-1.1.1d/test/evp_kdf_test.c 2019-11-14 15:07:05.348094022 +0100
-@@ -225,13 +225,358 @@ err:
- }
- #endif
-
-+/*
-+ * KBKDF test vectors from RFC 6803 (Camellia Encryption for Kerberos 5)
-+ * section 10.
-+ */
-+static int test_kdf_kbkdf_6803_128(void)
-+{
-+ int ret = 0, i;
-+ EVP_KDF_CTX *kctx;
-+ static unsigned char input_key[] = {
-+ 0x57, 0xD0, 0x29, 0x72, 0x98, 0xFF, 0xD9, 0xD3,
-+ 0x5D, 0xE5, 0xA4, 0x7F, 0xB4, 0xBD, 0xE2, 0x4B,
-+ };
-+ static unsigned char constants[][5] = {
-+ { 0x00, 0x00, 0x00, 0x02, 0x99 },
-+ { 0x00, 0x00, 0x00, 0x02, 0xaa },
-+ { 0x00, 0x00, 0x00, 0x02, 0x55 },
-+ };
-+ static unsigned char outputs[][16] = {
-+ {0xD1, 0x55, 0x77, 0x5A, 0x20, 0x9D, 0x05, 0xF0,
-+ 0x2B, 0x38, 0xD4, 0x2A, 0x38, 0x9E, 0x5A, 0x56},
-+ {0x64, 0xDF, 0x83, 0xF8, 0x5A, 0x53, 0x2F, 0x17,
-+ 0x57, 0x7D, 0x8C, 0x37, 0x03, 0x57, 0x96, 0xAB},
-+ {0x3E, 0x4F, 0xBD, 0xF3, 0x0F, 0xB8, 0x25, 0x9C,
-+ 0x42, 0x5C, 0xB6, 0xC9, 0x6F, 0x1F, 0x46, 0x35}
-+ };
-+ static unsigned char iv[16] = { 0 };
-+ unsigned char result[16] = { 0 };
-+
-+ for (i = 0; i < 3; i++) {
-+ ret = 0;
-+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
-+ TEST_error("EVP_KDF_KB");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KB_MODE");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_camellia_128_cbc()) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_CIPHER");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KEY");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, constants[i], sizeof(constants[i])) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_SALT");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, sizeof(iv)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KB_SEED");
-+ goto err;
-+ }
-+ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
-+ && TEST_mem_eq(result, sizeof(result), outputs[i],
-+
sizeof(outputs[i]));
-+err:
-+ EVP_KDF_CTX_free(kctx);
-+ if (ret != 1)
-+ return ret;
-+ }
-+ return ret;
-+}
-+
-+static int test_kdf_kbkdf_6803_256(void)
-+{
-+ int ret = 0, i;
-+ EVP_KDF_CTX *kctx;
-+ static unsigned char input_key[] = {
-+ 0xB9, 0xD6, 0x82, 0x8B, 0x20, 0x56, 0xB7, 0xBE,
-+ 0x65, 0x6D, 0x88, 0xA1, 0x23, 0xB1, 0xFA, 0xC6,
-+ 0x82, 0x14, 0xAC, 0x2B, 0x72, 0x7E, 0xCF, 0x5F,
-+ 0x69, 0xAF, 0xE0, 0xC4, 0xDF, 0x2A, 0x6D, 0x2C,
-+ };
-+ static unsigned char constants[][5] = {
-+ { 0x00, 0x00, 0x00, 0x02, 0x99 },
-+ { 0x00, 0x00, 0x00, 0x02, 0xaa },
-+ { 0x00, 0x00, 0x00, 0x02, 0x55 },
-+ };
-+ static unsigned char outputs[][32] = {
-+ {0xE4, 0x67, 0xF9, 0xA9, 0x55, 0x2B, 0xC7, 0xD3,
-+ 0x15, 0x5A, 0x62, 0x20, 0xAF, 0x9C, 0x19, 0x22,
-+ 0x0E, 0xEE, 0xD4, 0xFF, 0x78, 0xB0, 0xD1, 0xE6,
-+ 0xA1, 0x54, 0x49, 0x91, 0x46, 0x1A, 0x9E, 0x50,
-+ },
-+ {0x41, 0x2A, 0xEF, 0xC3, 0x62, 0xA7, 0x28, 0x5F,
-+ 0xC3, 0x96, 0x6C, 0x6A, 0x51, 0x81, 0xE7, 0x60,
-+ 0x5A, 0xE6, 0x75, 0x23, 0x5B, 0x6D, 0x54, 0x9F,
-+ 0xBF, 0xC9, 0xAB, 0x66, 0x30, 0xA4, 0xC6, 0x04,
-+ },
-+ {0xFA, 0x62, 0x4F, 0xA0, 0xE5, 0x23, 0x99, 0x3F,
-+ 0xA3, 0x88, 0xAE, 0xFD, 0xC6, 0x7E, 0x67, 0xEB,
-+ 0xCD, 0x8C, 0x08, 0xE8, 0xA0, 0x24, 0x6B, 0x1D,
-+ 0x73, 0xB0, 0xD1, 0xDD, 0x9F, 0xC5, 0x82, 0xB0,
-+ },
-+ };
-+ static unsigned char iv[16] = { 0 };
-+ unsigned char result[32] = { 0 };
-+
-+ for (i = 0; i < 3; i++) {
-+ ret = 0;
-+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
-+ TEST_error("EVP_KDF_KB");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_CMAC) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MODE, EVP_KDF_KB_MODE_FEEDBACK) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KB_MODE");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_camellia_256_cbc()) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_CIPHER");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx,
EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KEY");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, constants[i], sizeof(constants[i])) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_SALT");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_SEED, iv, sizeof(iv)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KB_SEED");
-+ goto err;
-+ }
-+ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
-+ && TEST_mem_eq(result, sizeof(result), outputs[i],
-+ sizeof(outputs[i]));
-+err:
-+ EVP_KDF_CTX_free(kctx);
-+ if (ret != 1)
-+ return ret;
-+ }
-+ return ret;
-+}
-+
-+/* Two test vectors from RFC 8009 (AES Encryption with HMAC-SHA2 for Kerberos
-+ * 5) appendix A. */
-+static int test_kdf_kbkdf_8009_prf1(void)
-+{
-+ int ret = 0;
-+ EVP_KDF_CTX *kctx;
-+ char *label = "prf", *prf_input = "test";
-+ static unsigned char input_key[] = {
-+ 0x37, 0x05, 0xD9, 0x60, 0x80, 0xC1, 0x77, 0x28,
-+ 0xA0, 0xE8, 0x00, 0xEA, 0xB6, 0xE0, 0xD2, 0x3C,
-+ };
-+ static unsigned char output[] = {
-+ 0x9D, 0x18, 0x86, 0x16, 0xF6, 0x38, 0x52, 0xFE,
-+ 0x86, 0x91, 0x5B, 0xB8, 0x40, 0xB4, 0xA8, 0x86,
-+ 0xFF, 0x3E, 0x6B, 0xB0, 0xF8, 0x19, 0xB4, 0x9B,
-+ 0x89, 0x33, 0x93, 0xD3, 0x93, 0x85, 0x42, 0x95,
-+ };
-+ unsigned char result[sizeof(output)] = { 0 };
-+
-+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
-+ TEST_error("EVP_KDF_KB");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_MD");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KEY");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_SALT");
-+ goto err;
-+ }
-+ if
(EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KB_INFO");
-+ goto err;
-+ }
-+ ret = TEST_int_gt(EVP_KDF_derive(kctx, result, sizeof(result)), 0)
-+ && TEST_mem_eq(result, sizeof(result), output,
-+ sizeof(output));
-+err:
-+ EVP_KDF_CTX_free(kctx);
-+ return ret;
-+}
-+
-+static int test_kdf_kbkdf_8009_prf2(void)
-+{
-+ int ret = 0;
-+ EVP_KDF_CTX *kctx;
-+ char *label = "prf", *prf_input = "test";
-+ static unsigned char input_key[] = {
-+ 0x6D, 0x40, 0x4D, 0x37, 0xFA, 0xF7, 0x9F, 0x9D,
-+ 0xF0, 0xD3, 0x35, 0x68, 0xD3, 0x20, 0x66, 0x98,
-+ 0x00, 0xEB, 0x48, 0x36, 0x47, 0x2E, 0xA8, 0xA0,
-+ 0x26, 0xD1, 0x6B, 0x71, 0x82, 0x46, 0x0C, 0x52,
-+ };
-+ static unsigned char output[] = {
-+ 0x98, 0x01, 0xF6, 0x9A, 0x36, 0x8C, 0x2B, 0xF6,
-+ 0x75, 0xE5, 0x95, 0x21, 0xE1, 0x77, 0xD9, 0xA0,
-+ 0x7F, 0x67, 0xEF, 0xE1, 0xCF, 0xDE, 0x8D, 0x3C,
-+ 0x8D, 0x6F, 0x6A, 0x02, 0x56, 0xE3, 0xB1, 0x7D,
-+ 0xB3, 0xC1, 0xB6, 0x2A, 0xD1, 0xB8, 0x55, 0x33,
-+ 0x60, 0xD1, 0x73, 0x67, 0xEB, 0x15, 0x14, 0xD2,
-+ };
-+ unsigned char result[sizeof(output)] = { 0 };
-+
-+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KB)) == NULL) {
-+ TEST_error("EVP_KDF_KB");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_MAC_TYPE, EVP_KDF_KB_MAC_TYPE_HMAC) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KB_MAC_TYPE");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha384()) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_MD");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, input_key, sizeof(input_key)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KEY");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, label, strlen(label)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_SALT");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KB_INFO, prf_input, strlen(prf_input)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KB_INFO");
-+ goto err;
-+ }
-+ ret = TEST_int_gt(EVP_KDF_derive(kctx, result,
sizeof(result)), 0)
-+ && TEST_mem_eq(result, sizeof(result), output,
-+ sizeof(output));
-+err:
-+ EVP_KDF_CTX_free(kctx);
-+ return ret;
-+}
-+
-+static int test_kdf_krb5kdf(void)
-+{
-+ int ret = 0;
-+ EVP_KDF_CTX *kctx;
-+ unsigned char out[16];
-+ static unsigned char key[] = {
-+ 0x42, 0x26, 0x3C, 0x6E, 0x89, 0xF4, 0xFC, 0x28,
-+ 0xB8, 0xDF, 0x68, 0xEE, 0x09, 0x79, 0x9F, 0x15
-+ };
-+ static unsigned char constant[] = {
-+ 0x00, 0x00, 0x00, 0x02, 0x99
-+ };
-+ static const unsigned char expected[sizeof(out)] = {
-+ 0x34, 0x28, 0x0A, 0x38, 0x2B, 0xC9, 0x27, 0x69,
-+ 0xB2, 0xDA, 0x2F, 0x9E, 0xF0, 0x66, 0x85, 0x4B
-+ };
-+
-+ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_KRB5KDF)) == NULL) {
-+ TEST_error("EVP_KDF_KRB5KDF");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_CIPHER, EVP_aes_128_cbc()) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_CIPHER");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, sizeof(key)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KEY");
-+ goto err;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT, constant, sizeof(constant)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KRB5KDF_CONSTANT");
-+ goto err;
-+ }
-+
-+ ret =
-+ TEST_int_gt(EVP_KDF_derive(kctx, out, sizeof(out)), 0)
-+ && TEST_mem_eq(out, sizeof(out), expected, sizeof(expected));
-+
-+err:
-+ EVP_KDF_CTX_free(kctx);
-+ return ret;
-+}
-+
-+static int test_kdf_ss_hash(void)
-+{
-+ EVP_KDF_CTX *kctx;
-+ const unsigned char z[] = {
-+ 0x6d,0xbd,0xc2,0x3f,0x04,0x54,0x88,0xe4,0x06,0x27,0x57,0xb0,0x6b,0x9e,
-+ 0xba,0xe1,0x83,0xfc,0x5a,0x59,0x46,0xd8,0x0d,0xb9,0x3f,0xec,0x6f,0x62,
-+ 0xec,0x07,0xe3,0x72,0x7f,0x01,0x26,0xae,0xd1,0x2c,0xe4,0xb2,0x62,0xf4,
-+ 0x7d,0x48,0xd5,0x42,0x87,0xf8,0x1d,0x47,0x4c,0x7c,0x3b,0x18,0x50,0xe9
-+ };
-+ const unsigned char other[] = {
-+ 0xa1,0xb2,0xc3,0xd4,0xe5,0x43,0x41,0x56,0x53,0x69,0x64,0x3c,0x83,0x2e,
-+ 0x98,0x49,0xdc,0xdb,0xa7,0x1e,0x9a,0x31,0x39,0xe6,0x06,0xe0,0x95,0xde,
-+
0x3c,0x26,0x4a,0x66,0xe9,0x8a,0x16,0x58,0x54,0xcd,0x07,0x98,0x9b,0x1e,
-+ 0xe0,0xec,0x3f,0x8d,0xbe
-+ };
-+ const unsigned char expected[] = {
-+ 0xa4,0x62,0xde,0x16,0xa8,0x9d,0xe8,0x46,0x6e,0xf5,0x46,0x0b,0x47,0xb8
-+ };
-+ unsigned char out[14];
-+
-+ kctx = EVP_KDF_CTX_new_id(EVP_KDF_SS);
-+
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha224()) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_MD");
-+ return 0;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, z, sizeof(z)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_KEY");
-+ return 0;
-+ }
-+ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSKDF_INFO, other,
-+ sizeof(other)) <= 0) {
-+ TEST_error("EVP_KDF_CTRL_SET_SSKDF_INFO");
-+ return 0;
-+ }
-+ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) {
-+ TEST_error("EVP_KDF_derive");
-+ return 0;
-+ }
-+
-+ if (!TEST_mem_eq(out, sizeof(out), expected, sizeof(expected)))
-+ return 0;
-+
-+ EVP_KDF_CTX_free(kctx);
-+ return 1;
-+}
-+
- int setup_tests(void)
- {
-+ ADD_TEST(test_kdf_kbkdf_6803_128);
-+ ADD_TEST(test_kdf_kbkdf_6803_256);
-+ ADD_TEST(test_kdf_kbkdf_8009_prf1);
-+ ADD_TEST(test_kdf_kbkdf_8009_prf2);
- ADD_TEST(test_kdf_tls1_prf);
- ADD_TEST(test_kdf_hkdf);
- ADD_TEST(test_kdf_pbkdf2);
- #ifndef OPENSSL_NO_SCRYPT
- ADD_TEST(test_kdf_scrypt);
- #endif
-+ ADD_TEST(test_kdf_krb5kdf);
-+ ADD_TEST(test_kdf_ss_hash);
- return 1;
- }
-diff -up openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt
---- openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt.krb5-kdf 2019-11-14 15:07:05.327094396 +0100
-+++ openssl-1.1.1d/test/recipes/30-test_evp_data/evpkdf.txt 2019-11-14 15:07:05.349094005 +0100
-@@ -5286,3 +5286,559 @@ Ctrl.hexsession_id = hexsession_id:a4ebd
- Ctrl.type = type:A
- Output = FF
- Result = KDF_MISMATCH
-+
-+Title = KRB5KDF tests (from RFC 3961 test vectors and krb5 sources)
-+
-+#RFC3961
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:DES-EDE3-CBC
-+Ctrl.hexkey =
hexkey:dce06b1f64c857a11c3db57c51899b2cc1791008ce973b92
-+Ctrl.hexconstant = hexconstant:0000000155
-+Output = 925179d04591a79b5d3192c4a7e9c289b049c71f6ee604cd
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:DES-EDE3-CBC
-+Ctrl.hexkey = hexkey:5e13d31c70ef765746578531cb51c15bf11ca82c97cee9f2
-+Ctrl.hexconstant = hexconstant:00000001aa
-+Output = 9e58e5a146d9942a101c469845d67a20e3c4259ed913f207
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:DES-EDE3-CBC
-+Ctrl.hexkey = hexkey:98e6fd8a04a4b6859b75a176540b9752bad3ecd610a252bc
-+Ctrl.hexconstant = hexconstant:0000000155
-+Output = 13fef80d763e94ec6d13fd2ca1d085070249dad39808eabf
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:DES-EDE3-CBC
-+Ctrl.hexkey = hexkey:622aec25a2fe2cad7094680b7c64940280084c1a7cec92b5
-+Ctrl.hexconstant = hexconstant:00000001aa
-+Output = f8dfbf04b097e6d9dc0702686bcb3489d91fd9a4516b703e
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:DES-EDE3-CBC
-+Ctrl.hexkey = hexkey:d3f8298ccb166438dcb9b93ee5a7629286a491f838f802fb
-+Ctrl.hexconstant = hexconstant:6b65726265726f73
-+Output = 2370da575d2a3da864cebfdc5204d56df779a7df43d9da43
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:DES-EDE3-CBC
-+Ctrl.hexkey = hexkey:c1081649ada74362e6a1459d01dfd30d67c2234c940704da
-+Ctrl.hexconstant = hexconstant:0000000155
-+Output = 348057ec98fdc48016161c2a4c7a943e92ae492c989175f7
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:DES-EDE3-CBC
-+Ctrl.hexkey = hexkey:5d154af238f46713155719d55e2f1f790dd661f279a7917c
-+Ctrl.hexconstant = hexconstant:00000001aa
-+Output = a8808ac267dada3dcbe9a7c84626fbc761c294b01315e5c1
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:DES-EDE3-CBC
-+Ctrl.hexkey = hexkey:798562e049852f57dc8c343ba17f2ca1d97394efc8adc443
-+Ctrl.hexconstant = hexconstant:0000000155
-+Output = c813f88a3be3b334f75425ce9175fbe3c8493b89c8703b49
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:DES-EDE3-CBC
-+Ctrl.hexkey = hexkey:26dce334b545292f2feab9a8701a89a4b99eb9942cecd016
-+Ctrl.hexconstant = hexconstant:00000001aa
-+Output =
f48ffd6e83f83e7354e694fd252cf83bfe58f7d5ba37ec5d
-+
-+#Krb5 sources
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:DES-EDE3-CBC
-+Ctrl.hexkey = hexkey:850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E
-+Ctrl.hexconstant = hexconstant:0000000299
-+Output = F78C496D16E6C2DAE0E0B6C24057A84C0426AEEF26FD6DCE
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:DES-EDE3-CBC
-+Ctrl.hexkey = hexkey:850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E
-+Ctrl.hexconstant = hexconstant:00000002AA
-+Output = 5B5723D0B634CB684C3EBA5264E9A70D52E683231AD3C4CE
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:DES-EDE3-CBC
-+Ctrl.hexkey = hexkey:850BB51358548CD05E86768C313E3BFEF7511937DCF72C3E
-+Ctrl.hexconstant = hexconstant:0000000255
-+Output = A77C94980E9B7345A81525C423A737CE67F4CD91B6B3DA45
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:AES-128-CBC
-+Ctrl.hexkey = hexkey:42263C6E89F4FC28B8DF68EE09799F15
-+Ctrl.hexconstant = hexconstant:0000000299
-+Output = 34280A382BC92769B2DA2F9EF066854B
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:AES-128-CBC
-+Ctrl.hexkey = hexkey:42263C6E89F4FC28B8DF68EE09799F15
-+Ctrl.hexconstant = hexconstant:00000002AA
-+Output = 5B14FC4E250E14DDF9DCCF1AF6674F53
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:AES-128-CBC
-+Ctrl.hexkey = hexkey:42263C6E89F4FC28B8DF68EE09799F15
-+Ctrl.hexconstant = hexconstant:0000000255
-+Output = 4ED31063621684F09AE8D89991AF3E8F
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:AES-256-CBC
-+Ctrl.hexkey = hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161
-+Ctrl.hexconstant = hexconstant:0000000299
-+Output = BFAB388BDCB238E9F9C98D6A878304F04D30C82556375AC507A7A852790F4674
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:AES-256-CBC
-+Ctrl.hexkey = hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161
-+Ctrl.hexconstant = hexconstant:00000002AA
-+Output = C7CFD9CD75FE793A586A542D87E0D1396F1134A104BB1A9190B8C90ADA3DDF37
-+
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:AES-256-CBC
-+Ctrl.hexkey =
hexkey:FE697B52BC0D3CE14432BA036A92E65BBB52280990A2FA27883998D72AF30161
-+Ctrl.hexconstant = hexconstant:0000000255
-+Output = 97151B4C76945063E2EB0529DC067D97D7BBA90776D8126D91F34F3101AEA8BA
-+
-+#Same as the first but with no "fixup"
-+KDF = KRB5KDF
-+Ctrl.cipher = cipher:DES-EDE3-CBC
-+Ctrl.hexkey = hexkey:dce06b1f64c857a11c3db57c51899b2cc1791008ce973b92
-+Ctrl.hexconstant = hexconstant:0000000155
-+Output = 935079d14490a75c3093c4a6e8c3b049c71e6ee705
-+
-+#There are currently no official test vectors for Single Step KDF
-+#https://github.com/patrickfav/singlestep-kdf/wiki/NIST-SP-800-56C-Rev1:-Non-Official-Test-Vectors
-+Title = Single Step KDF tests
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:d09a6b1a472f930db4f5e6b967900744
-+Ctrl.hexinfo = hexinfo:b117255ab5f1b6b96fc434b0
-+Output = b5a3c52e97ae6e8c5069954354eab3c7
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:343666c0dd34b756e70f759f14c304f5
-+Ctrl.hexinfo = hexinfo:722b28448d7eab85491bce09
-+Output = 1003b650ddd3f0891a15166db5ec881d
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:b84acf03ab08652dd7f82fa956933261
-+Ctrl.hexinfo = hexinfo:3d8773ec068c86053a918565
-+Output = 1635dcd1ce698f736831b4badb68ab2b
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:8cc24ca3f1d1a8b34783780b79890430
-+Ctrl.hexinfo = hexinfo:f08d4f2d9a8e6d7105c0bc16
-+Output = b8e716fb84a420aed4812cd76d9700ee
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:b616905a6f7562cd2689142ce21e42a3
-+Ctrl.hexinfo = hexinfo:ead310159a909da87e7b4b40
-+Output = 1b9201358c50fe5d5d42907c4a9fce78
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:3f57fd3fd56199b3eb33890f7ee28180
-+Ctrl.hexinfo = hexinfo:7a5056ba4fdb034c7cb6c4fe
-+Output = e51ebd30a8c4b8449b0fb29d9adc11af
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:fb9fb108d104e9f662d6593fc84cde69
-+Ctrl.hexinfo =
hexinfo:5faf29211c1bdbf1b2696a7c
-+Output = 7a3a7e670656e48c390cdd7c51e167e0
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:237a39981794f4516dccffc3dda28396
-+Ctrl.hexinfo = hexinfo:62ed9528d104c241e0f66275
-+Output = 0c26fc9e90e1c5c5f943428301682045
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:b9b6c45f7279218fa09894e06366a3a1
-+Ctrl.hexinfo = hexinfo:0f384339670aaed4b89ecb7e
-+Output = ee5fad414e32fad5d52a2bf61a7f6c72
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:08b7140e2cd0a4abd79171e4d5a71cad
-+Ctrl.hexinfo = hexinfo:099211f0d8a2e02dbb5958c0
-+Output = 6162f5142e057efafd2c4f2bad5985a1
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a2
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f4853
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493d
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759a
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac704
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbe
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf1050
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret =
hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f3
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690
-+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b
-+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11
-+
-+KDF = SSKDF
-+Ctrl.digest = digest:SHA1
-+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 -+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b -+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8b -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 -+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b -+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 -+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b -+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f22 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 -+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b -+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f227688 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 -+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b -+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abf -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 -+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b -+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 -+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b -+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = 
hexsecret:ebe28edbae5a410b87a479243db3f690 -+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b -+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a568d -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 -+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b -+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a568d480d -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:ebe28edbae5a410b87a479243db3f690 -+Ctrl.hexinfo = hexinfo:e60dd8b28228ce5b9be74d3b -+Output = b4a23963e07f485382cb358a493daec1759ac7043dbeac37152c6ddf105031f0f239f270b7f30616166f10e5d2b4cb11ba8bf4ba3f2276885abfbc3e811a568d480d9192 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:d7e6 -+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff -+Output = 31e798e9931b612a3ad1b9b1008faa8c -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:4646779d -+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff -+Output = 139f68bcca879b490e268e569087d04d -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:d9811c81d4c6 -+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff -+Output = 914dc4f09cb633a76e6c389e04c64485 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:8838f9d99ec46f09 -+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff -+Output = 4f07dfb6f7a5bf348689e08b2e29c948 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:3e0939b33f34e779f30e -+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff -+Output = b42c7a98c23be19d1187ff960e87557f -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:f36230cacca4d245d303058c -+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff -+Output = 50f2068d8010d355d56c5e34aaffbc67 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret 
= hexsecret:7005d32c3d4284c73c3aefc70438 -+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff -+Output = 66fd712ccf5462bbd41e89041ea7ea26 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:c01c83150b7734f8dbd6efd6f54d7365 -+Ctrl.hexinfo = hexinfo:0bbe1fa8722023d7c3da4fff -+Output = 5c5edb0ceda9cd0c7f1f3d9e239c67d5 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 -+Ctrl.hexinfo = hexinfo:9949 -+Output = 33c83f54ed00fb1bccd2113e88550941 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 -+Ctrl.hexinfo = hexinfo:17144da6 -+Output = a999c28961424cab35ec06015e8c376a -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 -+Ctrl.hexinfo = hexinfo:dffdee1062eb -+Output = 4101ad50e626ed6f957bff926dfbb7db -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 -+Ctrl.hexinfo = hexinfo:9f365043e23b4648 -+Output = 4d3e4b971b88771f229df9f564984832 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 -+Ctrl.hexinfo = hexinfo:a885a0c4567ddc4f96da -+Output = bebbc30f5a83df5e9c9b57db33c0c879 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 -+Ctrl.hexinfo = hexinfo:c9d86183295bfe4c3d85f0fd -+Output = 87c947e45407db63eb94cbaa02d14e94 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 -+Ctrl.hexinfo = hexinfo:825fadce46964236a486732c5dad -+Output = 192370a85ff78e3c0245129d9b398558 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:da69f1dbbebc837480af692e7e9ee6b9 -+Ctrl.hexinfo = hexinfo:5c0b5eb3ac9f342347d73d7a521723aa -+Output = c7b7634fd809383e87c4b1b3e728be56 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = 
hexsecret:8d7a4e7d5cf34b3f74873b862aeb33b7 -+Output = 6a5594f402f74f69 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:9b208e7ee1e641fac1dff48fc1beb2d2 -+Output = 556ed67e24ac0c7c46cc432da8bdb23c -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:4d2572539fed433211da28c8a0eebac3 -+Output = 5a4054c59c5b92814025578f43c1b79fe84968fc284e240b -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:4e1e70c9886819a31bc29a537911add9 -+Output = ddbfc440449aab4131c6d8aec08ce1496f2702241d0e27cc155c5c7c3cda75b5 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:68f144c952528e540c686dc353b766f2 -+Output = 59ed66bb6f54a9688a0b891d0b2ea6743621d9e1b5cc098cf3a55e6f864f9af8a95e4d945d2f987f -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:b66c9d507c9f837fbe60b6675fdbf38b -+Output = c282787ddf421a72fc88811be81b08d0d6ab66c92d1011974aa58335a6bbbd62e9e982bfae5929865ea1d517247089d2 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:34e730b49e46c7ed2fb25975a4cccd2d -+Output = 39e76e6571cb00740260b9070accbdcc4a492c295cbef33d9e37dac21e5e9d07e0f12dc7063d2172641475d4e08b8e3712fb26a10c8376b8 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA1 -+Ctrl.hexsecret = hexsecret:e340d87e2d7adbc1b95ec2dbdc3b82be -+Output = a660c0037a53f76f1e7667043f5869348ad07ac0e272e615ce31f16d4ab90d4b35fe5c370c0010ce79aff45682c6fb8b97f9a05b7d40b5af3c62999a10df9c6d -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA256 -+Ctrl.hexsecret = hexsecret:afc4e154498d4770aa8365f6903dc83b -+Ctrl.hexinfo = hexinfo:662af20379b29d5ef813e655 -+Output = f0b80d6ae4c1e19e2105a37024e35dc6 -+ -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA512 -+Ctrl.hexsecret = hexsecret:108cf63318555c787fa578731dd4f037 -+Ctrl.hexinfo = hexinfo:53191b1dd3f94d83084d61d6 -+Output = 0ad475c1826da3007637970c8b92b993 -+ -+Title = SSKDF Test vectors from RFC 8636 Section 8 (With precoumputed ASN.1 info) -+ -+KDF = SSKDF -+Ctrl.digest = 
digest:SHA1 -+Ctrl.hexsecret = hexsecrettrl.hexinfo = hexinfo:307e300a06082b06010502030601a01f041d301ba0071b0553552e5345a110300ea003020101a10730051b036c6861a12904273025a0071b0553552e5345a11a3018a003020101a111300f1b066b72627467741b0553552e5345a22404223020a003020112a10c040aaaaaaaaaaaaaaaaaaaaaa20b0409bbbbbbbbbbbbbbbbbb -+Output = e6ab38c9413e035bb079201ed0b6b73d8d49a814a737c04ee6649614206f73ad -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA256 -+Ctrl.hexsecret = hexsecret:00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 -+Ctrl.hexinfo = hexinfo:307e300a06082b06010502030602a01f041d301ba0071b0553552e5345a110300ea003020101a10730051b036c6861a12904273025a0071b0553552e5345a11a3018a003020101a111300f1b066b72627467741b0553552e5345a22404223020a003020112a10c040aaaaaaaaaaaaaaaaaaaaaa20b0409bbbbbbbbbbbbbbbbbb -+Output = 77ef4e48c420ae3fec75109d7981697eed5d295c90c62564f7bfd101fa9bc1d5 -+ -+KDF = SSKDF -+Ctrl.digest = digest:SHA512 -+Ctrl.hexsecret = hexsecrettrl.hexinfo = hexinfo:307e300a06082b06010502030603a01f041d301ba0071b0553552e5345a110300ea003020101a10730051b036c6861a12904273025a0071b0553552e5345a11a3018a003020101a111300f1b066b72627467741b0553552e5345a22404223020a003020110a10c040aaaaaaaaaaaaaaaaaaaaaa20b0409bbbbbbbbbbbbbbbbbb -+Output = d3c78b78d75313e9a926f75dfb012363fa17fa01db diff --git a/SOURCES/openssl-1.1.1-man-rename.patch b/SOURCES/openssl-1.1.1-man-rename.patch deleted file mode 100644 index 4e504b4..0000000 --- a/SOURCES/openssl-1.1.1-man-rename.patch +++ /dev/null 
@@ -1,19 +0,0 @@ -diff -up openssl-1.1.1-pre9/doc/man1/openssl.pod.man-rename openssl-1.1.1-pre9/doc/man1/openssl.pod ---- openssl-1.1.1-pre9/doc/man1/openssl.pod.man-rename 2018-08-21 14:14:13.000000000 +0200 -+++ openssl-1.1.1-pre9/doc/man1/openssl.pod 2018-08-22 12:13:04.092568064 +0200 -@@ -482,13 +482,13 @@ L, L, L - L, L, - L, L, L, L, L, - L, L, L, --L, - L, L, L, - L, L, L, L, --L, L, L, L, -+L, L, L, - L, L, - L, L, L, - L, L, L, L, L, -+L, L, - L, - L, L, L, - L, L, L diff --git a/SOURCES/openssl-1.1.1-no-brainpool.patch b/SOURCES/openssl-1.1.1-no-brainpool.patch deleted file mode 100644 index 90c87a8..0000000 --- a/SOURCES/openssl-1.1.1-no-brainpool.patch +++ /dev/null 
@@ -1,112 +0,0 @@ -diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in ---- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in.no-brainpool 2019-09-10 15:13:07.000000000 +0200 -+++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.in 2019-09-13 15:11:07.358687169 +0200 -@@ -147,22 +147,22 @@ our @tests = ( - { - name => "ECDSA with brainpool", - server => { -- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), -- "Groups" => "brainpoolP256r1", -+ "Certificate" => test_pem("server-ecdsa-cert.pem"), -+ "PrivateKey" => test_pem("server-ecdsa-key.pem"), -+# "Groups" => "brainpoolP256r1", - }, - client => { - #We don't restrict this to TLSv1.2, although use of brainpool - #should force this anyway so that this should succeed - "CipherString" => "aECDSA", - "RequestCAFile" => test_pem("root-cert.pem"), -- "Groups" => "brainpoolP256r1", -+# "Groups" => "brainpoolP256r1", - }, - test => { -- "ExpectedServerCertType" =>, "brainpoolP256r1", -- "ExpectedServerSignType" =>, "EC", -+# "ExpectedServerCertType" =>, "brainpoolP256r1", -+# "ExpectedServerSignType" =>, "EC", - # Note: certificate_authorities not sent for TLS < 1.3 -- "ExpectedServerCANames" =>, "empty", -+# "ExpectedServerCANames" =>, "empty", - "ExpectedResult" => "Success" - }, - }, -@@ -853,18 +853,18 @@ my @tests_tls_1_3 = ( - { - name => "TLS 1.3 ECDSA with brainpool", - server => { -- "Certificate" => test_pem("server-ecdsa-brainpoolP256r1-cert.pem"), -- "PrivateKey" => test_pem("server-ecdsa-brainpoolP256r1-key.pem"), -- "Groups" => "brainpoolP256r1", -+ "Certificate" => test_pem("server-ecdsa-cert.pem"), -+ "PrivateKey" => test_pem("server-ecdsa-key.pem"), -+# "Groups" => "brainpoolP256r1", - }, - client => { - "RequestCAFile" => test_pem("root-cert.pem"), -- "Groups" => "brainpoolP256r1", -+# "Groups" => "brainpoolP256r1", - "MinProtocol" => 
"TLSv1.3", - "MaxProtocol" => "TLSv1.3" - }, - test => { -- "ExpectedResult" => "ServerFail" -+ "ExpectedResult" => "Success" - }, - }, - ); -diff -up openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool openssl-1.1.1d/test/ssl-tests/20-cert-select.conf ---- openssl-1.1.1d/test/ssl-tests/20-cert-select.conf.no-brainpool 2019-09-10 15:13:07.000000000 +0200 -+++ openssl-1.1.1d/test/ssl-tests/20-cert-select.conf 2019-09-13 15:12:27.380288469 +0200 -@@ -238,23 +238,18 @@ server = 5-ECDSA with brainpool-server - client = 5-ECDSA with brainpool-client - - [5-ECDSA with brainpool-server] --Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem - CipherString = DEFAULT --Groups = brainpoolP256r1 --PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem - - [5-ECDSA with brainpool-client] - CipherString = aECDSA --Groups = brainpoolP256r1 - RequestCAFile = ${ENV::TEST_CERTS_DIR}/root-cert.pem - VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem - VerifyMode = Peer - - [test-5] - ExpectedResult = Success --ExpectedServerCANames = empty --ExpectedServerCertType = brainpoolP256r1 --ExpectedServerSignType = EC - - - # =========================================================== -@@ -1713,14 +1708,12 @@ server = 52-TLS 1.3 ECDSA with brainpool - client = 52-TLS 1.3 ECDSA with brainpool-client - - [52-TLS 1.3 ECDSA with brainpool-server] --Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-cert.pem -+Certificate = ${ENV::TEST_CERTS_DIR}/server-ecdsa-cert.pem - CipherString = DEFAULT --Groups = brainpoolP256r1 --PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-brainpoolP256r1-key.pem -+PrivateKey = ${ENV::TEST_CERTS_DIR}/server-ecdsa-key.pem - - [52-TLS 1.3 ECDSA with brainpool-client] - CipherString = DEFAULT --Groups = brainpoolP256r1 - MaxProtocol = TLSv1.3 - MinProtocol = TLSv1.3 - RequestCAFile = 
${ENV::TEST_CERTS_DIR}/root-cert.pem -@@ -1728,7 +1721,7 @@ VerifyCAFile = ${ENV::TEST_CERTS_DIR}/ro - VerifyMode = Peer - - [test-52] --ExpectedResult = ServerFail -+ExpectedResult = Success - - - # =========================================================== diff --git a/SOURCES/openssl-1.1.1-no-html.patch b/SOURCES/openssl-1.1.1-no-html.patch deleted file mode 100644 index d0e335e..0000000 --- a/SOURCES/openssl-1.1.1-no-html.patch +++ /dev/null @@ -1,12 +0,0 @@ -diff -up openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html openssl-1.1.1f/Configurations/unix-Makefile.tmpl ---- openssl-1.1.1f/Configurations/unix-Makefile.tmpl.no-html 2020-04-07 16:45:21.904083989 +0200 -+++ openssl-1.1.1f/Configurations/unix-Makefile.tmpl 2020-04-07 16:45:56.218461895 +0200 -@@ -544,7 +544,7 @@ install_sw: install_dev install_engines - - uninstall_sw: uninstall_runtime uninstall_engines uninstall_dev - --install_docs: install_man_docs install_html_docs -+install_docs: install_man_docs - - uninstall_docs: uninstall_man_docs uninstall_html_docs - $(RM) -r "$(DESTDIR)$(DOCDIR)" diff --git a/SOURCES/openssl-1.1.1-no-weak-verify.patch b/SOURCES/openssl-1.1.1-no-weak-verify.patch deleted file mode 100644 index 5756c68..0000000 --- a/SOURCES/openssl-1.1.1-no-weak-verify.patch +++ /dev/null 
@@ -1,26 +0,0 @@ -diff -up openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify openssl-1.1.1b/crypto/asn1/a_verify.c ---- openssl-1.1.1b/crypto/asn1/a_verify.c.no-weak-verify 2019-02-26 15:15:30.000000000 +0100 -+++ openssl-1.1.1b/crypto/asn1/a_verify.c 2019-02-28 11:25:31.531862873 +0100 -@@ -7,6 +7,9 @@ - * https://www.openssl.org/source/license.html - */ - -+/* for secure_getenv */ -+#define _GNU_SOURCE -+ - #include - #include - #include -@@ -130,6 +133,12 @@ int ASN1_item_verify(const ASN1_ITEM *it - if (ret != 2) - goto err; - ret = -1; -+ } else if ((mdnid == NID_md5 -+ && secure_getenv("OPENSSL_ENABLE_MD5_VERIFY") == NULL) || -+ mdnid == NID_md4 || mdnid == NID_md2 || mdnid == NID_sha) { -+ ASN1err(ASN1_F_ASN1_ITEM_VERIFY, -+ ASN1_R_UNKNOWN_MESSAGE_DIGEST_ALGORITHM); -+ goto err; - } else { - const EVP_MD *type = EVP_get_digestbynid(mdnid); - diff --git a/SOURCES/openssl-1.1.1-pkcs1-implicit-rejection.patch b/SOURCES/openssl-1.1.1-pkcs1-implicit-rejection.patch deleted file mode 100644 index 24041fb..0000000 --- a/SOURCES/openssl-1.1.1-pkcs1-implicit-rejection.patch +++ /dev/null @@ -1,1141 +0,0 @@ ---- openssl-1.1.1k/doc/man3/EVP_PKEY_CTX_ctrl.pod.pkcs1-implicit-rejection 2023-11-17 17:29:02.881552878 +0100 -+++ openssl-1.1.1k/doc/man3/EVP_PKEY_CTX_ctrl.pod 2023-11-17 17:29:02.923553658 +0100 -@@ -256,6 +256,15 @@ B

ssl instead of
-- break the m2crypto modules into a separate package - -* Tue Mar 13 2001 Nalin Dahyabhai -- use BN_LLONG on s390 - -* Mon Mar 12 2001 Nalin Dahyabhai -- fix the s390 changes for 0.9.6 (isn't supposed to be marked as 64-bit) - -* Sat Mar 3 2001 Nalin Dahyabhai -- move c_rehash to the perl subpackage, because it's a perl script now - -* Fri Mar 2 2001 Nalin Dahyabhai -- update to 0.9.6 -- enable MD2 -- use the libcrypto.so and libssl.so targets to build shared libs with -- bump the soversion to 1 because we're no longer compatible with any of - the various 0.9.5a packages circulating around, which provide lib*.so.0 - -* Wed Feb 28 2001 Florian La Roche -- change hobble-openssl for disabling MD2 again - -* Tue Feb 27 2001 Nalin Dahyabhai -- re-disable MD2 -- the EVP_MD_CTX structure would grow from 100 to 152 - bytes or so, causing EVP_DigestInit() to zero out stack variables in - apps built against a version of the library without it - -* Mon Feb 26 2001 Nalin Dahyabhai -- disable some inline assembly, which on x86 is Pentium-specific -- re-enable MD2 (see http://www.ietf.org/ietf/IPR/RSA-MD-all) - -* Thu Feb 08 2001 Florian La Roche -- fix s390 patch - -* Fri Dec 8 2000 Than Ngo -- added support s390 - -* Mon Nov 20 2000 Nalin Dahyabhai -- remove -Wa,* and -m* compiler flags from the default Configure file (#20656) -- add the CA.pl man page to the perl subpackage - -* Thu Nov 2 2000 Nalin Dahyabhai -- always build with -mcpu=ev5 on alpha - -* Tue Oct 31 2000 Nalin Dahyabhai -- add a symlink from cert.pem to ca-bundle.crt - -* Wed Oct 25 2000 Nalin Dahyabhai -- add a ca-bundle file for packages like Samba to reference for CA certificates - -* Tue Oct 24 2000 Nalin Dahyabhai -- remove libcrypto's crypt(), which doesn't handle md5crypt (#19295) - -* Mon Oct 2 2000 Nalin Dahyabhai -- add unzip as a buildprereq (#17662) -- update m2crypto to 0.05-snap4 - -* Tue Sep 26 2000 Bill Nottingham -- fix some issues in building when it's not installed - -* Wed Sep 6 2000 Nalin 
Dahyabhai -- make sure the headers we include are the ones we built with (aaaaarrgh!) - -* Fri Sep 1 2000 Nalin Dahyabhai -- add Richard Henderson's patch for BN on ia64 -- clean up the changelog - -* Tue Aug 29 2000 Nalin Dahyabhai -- fix the building of python modules without openssl-devel already installed - -* Wed Aug 23 2000 Nalin Dahyabhai -- byte-compile python extensions without the build-root -- adjust the makefile to not remove temporary files (like .key files when - building .csr files) by marking them as .PRECIOUS - -* Sat Aug 19 2000 Nalin Dahyabhai -- break out python extensions into a subpackage - -* Mon Jul 17 2000 Nalin Dahyabhai -- tweak the makefile some more - -* Tue Jul 11 2000 Nalin Dahyabhai -- disable MD2 support - -* Thu Jul 6 2000 Nalin Dahyabhai -- disable MDC2 support - -* Sun Jul 2 2000 Nalin Dahyabhai -- tweak the disabling of RC5, IDEA support -- tweak the makefile - -* Thu Jun 29 2000 Nalin Dahyabhai -- strip binaries and libraries -- rework certificate makefile to have the right parts for Apache - -* Wed Jun 28 2000 Nalin Dahyabhai -- use %%{_perl} instead of /usr/bin/perl -- disable alpha until it passes its own test suite - -* Fri Jun 9 2000 Nalin Dahyabhai -- move the passwd.1 man page out of the passwd package's way - -* Fri Jun 2 2000 Nalin Dahyabhai -- update to 0.9.5a, modified for U.S. 
-- add perl as a build-time requirement -- move certificate makefile to another package -- disable RC5, IDEA, RSA support -- remove optimizations for now - -* Wed Mar 1 2000 Florian La Roche -- Bero told me to move the Makefile into this package - -* Wed Mar 1 2000 Florian La Roche -- add lib*.so symlinks to link dynamically against shared libs - -* Tue Feb 29 2000 Florian La Roche -- update to 0.9.5 -- run ldconfig directly in post/postun -- add FAQ - -* Sat Dec 18 1999 Bernhard Rosenkrdnzer -- Fix build on non-x86 platforms - -* Fri Nov 12 1999 Bernhard Rosenkrdnzer -- move /usr/share/ssl/* from -devel to main package - -* Tue Oct 26 1999 Bernhard Rosenkrdnzer -- inital packaging -- changes from base: - - Move /usr/local/ssl to /usr/share/ssl for FHS compliance - - handle RPM_OPT_FLAGS diff --git a/SOURCES/opensslconf-new-warning.h b/configuration-prefix.h similarity index 80% rename from SOURCES/opensslconf-new-warning.h rename to configuration-prefix.h index de091c8..13b6e23 100644 --- a/SOURCES/opensslconf-new-warning.h +++ b/configuration-prefix.h @@ -1,7 +1,7 @@ /* Prepended at openssl package build-time. Don't include this file directly, * use instead. */ -#ifndef openssl_opensslconf_multilib_redirection_h +#ifndef openssl_conf_multilib_redirection_h #error "Don't include this file directly, use instead!" #endif diff --git a/configuration-switch.h b/configuration-switch.h new file mode 100644 index 0000000..1c4d238 --- /dev/null +++ b/configuration-switch.h 
@@ -0,0 +1,47 @@
+/* This file is here to prevent a file conflict on multiarch systems. A
+ * conflict will frequently occur because arch-specific build-time
+ * configuration options are stored (and used, so they can't just be stripped
+ * out) in configuration.h. The original configuration.h has been renamed.
+ * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
+
+#ifdef openssl_conf_multilib_redirection_h
+#error "Do not define openssl_conf_multilib_redirection_h!"
+#endif
+#define openssl_conf_multilib_redirection_h
+
+#if defined(__i386__)
+#include "configuration-i386.h"
+#elif defined(__ia64__)
+#include "configuration-ia64.h"
+#elif defined(__mips64) && defined(__MIPSEL__)
+#include "configuration-mips64el.h"
+#elif defined(__mips64)
+#include "configuration-mips64.h"
+#elif defined(__mips) && defined(__MIPSEL__)
+#include "configuration-mipsel.h"
+#elif defined(__mips)
+#include "configuration-mips.h"
+#elif defined(__powerpc64__)
+#include
+#if __BYTE_ORDER__ == __ORDER_BIG_ENDIAN__
+#include "configuration-ppc64.h"
+#else
+#include "configuration-ppc64le.h"
+#endif
+#elif defined(__powerpc__)
+#include "configuration-ppc.h"
+#elif defined(__s390x__)
+#include "configuration-s390x.h"
+#elif defined(__s390__)
+#include "configuration-s390.h"
+#elif defined(__sparc__) && defined(__arch64__)
+#include "configuration-sparc64.h"
+#elif defined(__sparc__)
+#include "configuration-sparc.h"
+#elif defined(__x86_64__)
+#include "configuration-x86_64.h"
+#else
+#error "The openssl-devel package does not work your architecture?"
+#endif
+
+#undef openssl_conf_multilib_redirection_h
diff --git a/genpatches b/genpatches
new file mode 100755
index 0000000..60c36a4
--- /dev/null
+++ b/genpatches
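Review bot: The fallback diagnostic at the end of the `#if` chain, `#error "The openssl-devel package does not work your architecture?"`, is ungrammatical and is the only message a user building on an unlisted target will ever see; suggest `#error "The openssl-devel package does not support your architecture (not in openssl.spec multilib_arches)"`. The set of arches dispatched here has to stay in lockstep with `%define multilib_arches` in openssl.spec (aarch64 and riscv64 are absent from both, presumably because they are not multilib targets), so a one-line comment above `#if defined(__i386__)` such as `/* Must match %multilib_arches in openssl.spec */` would make the coupling explicit. The `#include` directive immediately before the `__BYTE_ORDER__` test shows no header name in this rendering; if it is `<endian.h>`, it looks redundant, since `__BYTE_ORDER__` and `__ORDER_BIG_ENDIAN__` are compiler-predefined by GCC and Clang and no `endian.h` macro is used here.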
@@ -0,0 +1,26 @@
+#!/bin/bash
+
+if [ $# -ne 2 ] ; then
+ echo "Usage:"
+ echo " $0 "
+ exit 1
+fi
+
+git_dir="$1"
+base_tag="$2"
+
+target_dir="$(pwd)"
+
+pushd "$git_dir" >/dev/null
+git format-patch -k -o "$target_dir" "$base_tag" >/dev/null
+popd >/dev/null
+
+echo "# Patches exported from source git"
+
+i=1
+for p in *.patch ; do
+ printf "# "
+ sed '/^Subject:/{s/^Subject: //;p};d' "$p"
+ printf "Patch%s: %s\n" $i "$p"
+ i=$(($i + 1))
+done
diff --git a/SOURCES/make-dummy-cert b/make-dummy-cert
similarity index 100%
rename from SOURCES/make-dummy-cert
rename to make-dummy-cert
diff --git a/openssl.rpmlintrc b/openssl.rpmlintrc
new file mode 100644
index 0000000..3539843
--- /dev/null
+++ b/openssl.rpmlintrc
@@ -0,0 +1,9 @@
+# capi.so is a dummy only used on Windows, it doesn't need dependency information
+addFilter("E: shared-lib(rary)?-without-dependency-information /usr/lib64/engines-3/capi.so")
+
+# The sources are hobbled and thus not a valid URL. That's expected.
+addFilter("W: invalid-url Source0: openssl-[0-9\\.]+-hobbled.tar.gz")
+
+# Technically this warning is correct, but in the case of the openssl binary we
+# want to allow SSL_CTX_set_cipher_list
+addFilter("W: crypto-policy-non-compliance-openssl /usr/bin/openssl SSL_CTX_set_cipher_list")
diff --git a/openssl.spec b/openssl.spec
new file mode 100644
index 0000000..9aefbb8
--- /dev/null
+++ b/openssl.spec
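Review bot: `pushd "$git_dir" >/dev/null` is never checked and the script does not set `-e`, so a mistyped directory makes `git format-patch` run in the current (target) directory against whatever repository happens to be there, and the listing loop then enumerates any pre-existing `*.patch` files as if they had just been exported. Adding `set -euo pipefail` after the shebang and changing the call to `pushd "$git_dir" >/dev/null || exit 1` closes both gaps; `shopt -s nullglob` before the `for` would also stop it printing a bogus `Patch1: *.patch` entry when nothing was exported. Separately, the loop numbers patches sequentially from 1, while openssl.spec in this same commit keeps the explicit numbers embedded in the file names (`Patch24`, `Patch32`, ...), so the generated list cannot be pasted without renumbering; a one-line comment saying so would save the next maintainer a surprise.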
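Review bot: The `invalid-url` filter on the fifth line of openssl.rpmlintrc matches `openssl-[0-9\\.]+-hobbled.tar.gz`, but openssl.spec in this same commit declares `Source: openssl-%{version}.tar.gz` with no `-hobbled` suffix, so the filter no longer matches the warning it was written for and the comment above it ("The sources are hobbled") appears stale. Suggest `addFilter("W: invalid-url Source0: openssl-[0-9\\.]+\\.tar\\.gz")` together with a comment stating that the tarball is intentionally shipped without a URL, or dropping the filter if rpmlint no longer reports the warning for this package.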
@@ -0,0 +1,748 @@
+# For the curious:
+# 0.9.8jk + EAP-FAST soversion = 8
+# 1.0.0 soversion = 10
+# 1.1.0 soversion = 1.1 (same as upstream although presence of some symbols
+# depends on build configuration options)
+# 3.0.0 soversion = 3 (same as upstream)
+%define soversion 3
+
+# Arches on which we need to prevent arch conflicts on opensslconf.h, must
+# also be handled in opensslconf-new.h.
+%define multilib_arches %{ix86} ia64 %{mips} ppc ppc64 s390 s390x sparcv9 sparc64 x86_64
+
+%define srpmhash() %{lua:
+local files = rpm.expand("%_specdir/openssl.spec")
+for i, p in ipairs(patches) do
+ files = files.." "..p
+end
+for i, p in ipairs(sources) do
+ files = files.." "..p
+end
+local sha256sum = assert(io.popen("cat "..files.." 2>/dev/null | sha256sum"))
+local hash = sha256sum:read("*a")
+sha256sum:close()
+print(string.sub(hash, 0, 16))
+}
+
+%global _performance_build 1
+
+Summary: Utilities from the general purpose cryptography library with TLS implementation
+Name: openssl
+Version: 3.2.2
+Release: 12%{?dist}
+Epoch: 1
+Source: openssl-%{version}.tar.gz
+Source2: Makefile.certificate
+Source3: genpatches
+Source4: openssl.rpmlintrc
+Source6: make-dummy-cert
+Source7: renew-dummy-cert
+Source9: configuration-switch.h
+Source10: configuration-prefix.h
+Source14: 0025-for-tests.patch
+# # Patches exported from source git
+# # Aarch64 and ppc64le use lib64
+Patch1: 0001-Aarch64-and-ppc64le-use-lib64.patch
+# # Use more general default values in openssl.cnf
+Patch2: 0002-Use-more-general-default-values-in-openssl.cnf.patch
+# # Do not install html docs
+Patch3: 0003-Do-not-install-html-docs.patch
+# # Override default paths for the CA directory tree
+Patch4: 0004-Override-default-paths-for-the-CA-directory-tree.patch
+# # apps/ca: fix md option help text
+Patch5: 0005-apps-ca-fix-md-option-help-text.patch
+# # Disable signature verification with totally unsafe hash algorithms
+Patch6: 0006-Disable-signature-verification-with-totally-unsafe-h.patch
+# # Add support for PROFILE=SYSTEM system default cipherlist
+Patch7: 0007-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch
+# # Add FIPS_mode() compatibility macro
+Patch8: 0008-Add-FIPS_mode-compatibility-macro.patch
+# # Add check to see if fips flag is enabled in kernel
+Patch9: 0009-Add-Kernel-FIPS-mode-flag-support.patch
+# # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so
+# # that new modifications made to these files by upstream are not lost.
+Patch10: 0010-Add-changes-to-ectest-and-eccurve.patch
+# # remove unsupported EC curves
+Patch11: 0011-Remove-EC-curves.patch
+# # Disable explicit EC curves
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2066412
+Patch12: 0012-Disable-explicit-ec.patch
+# # Skipped tests from former 0011-Remove-EC-curves.patch
+Patch13: 0013-skipped-tests-EC-curves.patch
+# # Instructions to load legacy provider in openssl.cnf
+Patch24: 0024-load-legacy-prov.patch
+# # We load FIPS provider and set FIPS properties implicitly
+Patch32: 0032-Force-fips.patch
+# # Embed HMAC into the fips.so
+# Modify fips self test as per
+# https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a
+Patch33: 0033-FIPS-embed-hmac.patch
+# # Comment out fipsinstall command-line utility
+Patch34: 0034.fipsinstall_disable.patch
+# # Skip unavailable algorithms running `openssl speed`
+Patch35: 0035-speed-skip-unavailable-dgst.patch
+# # Extra public/private key checks required by FIPS-140-3
+Patch44: 0044-FIPS-140-3-keychecks.patch
+# # Minimize fips services
+Patch45: 0045-FIPS-services-minimize.patch
+# # Execute KATS before HMAC verification
+Patch47: 0047-FIPS-early-KATS.patch
+# # Selectively disallow SHA1 signatures rhbz#2070977
+Patch49: 0049-Allow-disabling-of-SHA1-signatures.patch
+# Originally from https://github.com/openssl/openssl/pull/18103
+# As we rebased to 3.0.7 and used the version of the function
+# not matching the upstream one, we have to use aliasing.
+# When we eliminate this patch, the `-Wl,--allow-multiple-definition`
+# should also be removed
+Patch56: 0056-strcasecmp.patch
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2053289
+Patch58: 0058-FIPS-limit-rsa-encrypt.patch
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2087147
+Patch61: 0061-Deny-SHA-1-signature-verification-in-FIPS-provider.patch
+# 0062-fips-Expose-a-FIPS-indicator.patch
+Patch62: 0062-fips-Expose-a-FIPS-indicator.patch
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
+Patch73: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch
+# [PATCH 29/46]
+# 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+Patch74: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2102535
+Patch75: 0075-FIPS-Use-FFDHE2048-in-self-test.patch
+# # Downstream only. Reseed DRBG using getrandom(GRND_RANDOM)
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2102541
+Patch76: 0076-FIPS-140-3-DRBG.patch
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2102542
+Patch77: 0077-FIPS-140-3-zeroization.patch
+# # https://bugzilla.redhat.com/show_bug.cgi?id=2114772
+Patch78: 0078-KDF-Add-FIPS-indicators.patch
+# # We believe that some changes present in CentOS are not necessary
+# # because ustream has a check for FIPS version
+Patch80: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch
+# [PATCH 36/46]
+# 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
+Patch81: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch
+# [PATCH 37/46]
+# 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
+Patch83: 0083-hmac-Add-explicit-FIPS-indicator-for-key-length.patch
+# [PATCH 38/46]
+# 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+Patch84: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch
+# 0085-FIPS-RSA-disable-shake.patch
+Patch85: 0085-FIPS-RSA-disable-shake.patch
+# 0088-signature-Add-indicator-for-PSS-salt-length.patch
+Patch88: 0088-signature-Add-indicator-for-PSS-salt-length.patch
+# 0091-FIPS-RSA-encapsulate.patch
+Patch91: 0091-FIPS-RSA-encapsulate.patch
+# [PATCH 42/46]
+# 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+Patch93: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch
+# [PATCH 43/46]
+# 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
+Patch110: 0110-GCM-Implement-explicit-FIPS-indicator-for-IV-gen.patch
+# [PATCH 44/46]
+# 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+Patch112: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch
+# 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+Patch113: 0113-asymciphers-kem-Add-explicit-FIPS-indicator.patch
+# # We believe that some changes present in CentOS are not necessary
+# # because ustream has a check for FIPS version
+Patch114: 0114-FIPS-enforce-EMS-support.patch
+# Amend tests according to Fedora/RHEL code
+Patch115: 0115-skip-quic-pairwise.patch
+# Add version aliasing due to
+# https://github.com/openssl/openssl/issues/23534
+Patch116: 0116-version-aliasing.patch
+# https://github.com/openssl/openssl/issues/23050
+Patch117: 0117-ignore-unknown-sigalgorithms-groups.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=2160797
+Patch121: 0121-FIPS-cms-defaults.patch
+# skip KTLS tests on infrastructure
+Patch122: 0122-TMP-KTLS-test-skip.patch
+# HKDF regression with older provider implementations
+Patch123: 0123-kdf-Preserve-backward-compatibility-with-older-provi.patch
+# https://github.com/openssl/openssl/issues/24577
+Patch124: 0124-PBMAC1-PKCS12-FIPS-support.patch
+# Downstream patch: enforce PBMAC1 in FIPS mode
+Patch125: 0125-PBMAC1-PKCS12-FIPS-default.patch
+# https://github.com/openssl/openssl/issues/25127
+Patch126: 0126-pkeyutl-encap.patch
+# https://github.com/openssl/openssl/issues/25056
+Patch127: 0127-speedup-SSL_add_cert_subjects_to_stack.patch
+Patch128: 0128-SAST-findings.patch
+# https://github.com/openssl/openssl/pull/24717
+Patch129: 0129-Fix-SSL_select_next_proto.patch
+Patch130: 0130-More-correctly-handle-a-selected_len-of-0-when-proce.patch
+Patch131: 0131-Use-correctly-formatted-ALPN-data-in-tserver.patch
+Patch132: 0132-Clarify-the-SSL_select_next_proto-documentation.patch
+Patch133: 0133-Add-a-test-for-SSL_select_next_proto.patch
+Patch134: 0134-Allow-an-empty-NPN-ALPN-protocol-list-in-the-tests.patch
+Patch135: 0135-Correct-return-values-for-tls_construct_stoc_next_pr.patch
+Patch136: 0136-Add-ALPN-validation-in-the-client.patch
+Patch137: 0137-Add-explicit-testing-of-ALN-and-NPN-in-sslapitest.patch
+Patch138: 0138-Add-a-test-for-an-empty-NextProto-message.patch
+Patch139: 0139-CVE-2024-6119.patch
+
+License: Apache-2.0
+URL: http://www.openssl.org/
+BuildRequires: gcc g++
+BuildRequires: coreutils, perl-interpreter, sed, zlib-devel, /usr/bin/cmp
+BuildRequires: lksctp-tools-devel
+BuildRequires: /usr/bin/rename
+BuildRequires: /usr/bin/pod2man
+BuildRequires: /usr/sbin/sysctl
+BuildRequires: perl(Test::Harness), perl(Test::More), perl(Math::BigInt)
+BuildRequires: perl(Module::Load::Conditional), perl(File::Temp)
+BuildRequires: perl(Time::HiRes), perl(IPC::Cmd), perl(Pod::Html), perl(Digest::SHA)
+BuildRequires: perl(FindBin), perl(lib), perl(File::Compare), perl(File::Copy), perl(bigint)
+BuildRequires: git-core
+BuildRequires: systemtap-sdt-devel
+Requires: coreutils
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description
+The OpenSSL toolkit provides support for secure communications between
+machines. OpenSSL includes a certificate management tool and shared
+libraries which provide various cryptographic algorithms and
+protocols.
+
+%package libs
+Summary: A general purpose cryptography library with TLS implementation
+Requires: ca-certificates >= 2008-5
+Requires: crypto-policies >= 20180730
+%if ( %{defined rhel} && (! %{defined centos}) )
+Requires: openssl-fips-provider
+%endif
+
+%description libs
+OpenSSL is a toolkit for supporting cryptography. The openssl-libs
+package contains the libraries that are used by various applications which
+support cryptographic algorithms and protocols.
+
+%package devel
+Summary: Files for development of applications which will use OpenSSL
+Requires: %{name}-libs%{?_isa} = %{epoch}:%{version}-%{release}
+Requires: pkgconfig
+
+%description devel
+OpenSSL is a toolkit for supporting cryptography. The openssl-devel
+package contains include files needed to develop applications which
+support various cryptographic algorithms and protocols.
+
+%package perl
+Summary: Perl scripts provided with OpenSSL
+Requires: perl-interpreter
+Requires: %{name}%{?_isa} = %{epoch}:%{version}-%{release}
+
+%description perl
+OpenSSL is a toolkit for supporting cryptography. The openssl-perl
+package provides Perl scripts for converting certificates and keys
+from other formats to the formats used by the OpenSSL toolkit.
+
+%prep
+%autosetup -S git -n %{name}-%{version}
+
+%build
+# Figure out which flags we want to use.
+# default
+sslarch=%{_os}-%{_target_cpu}
+%ifarch %ix86
+sslarch=linux-elf
+if !
echo %{_target} | grep -q i686 ; then + sslflags="no-asm 386" +fi +%endif +%ifarch x86_64 +sslflags=enable-ec_nistp_64_gcc_128 +%endif +%ifarch sparcv9 +sslarch=linux-sparcv9 +sslflags=no-asm +%endif +%ifarch sparc64 +sslarch=linux64-sparcv9 +sslflags=no-asm +%endif +%ifarch alpha alphaev56 alphaev6 alphaev67 +sslarch=linux-alpha-gcc +%endif +%ifarch s390 sh3eb sh4eb +sslarch="linux-generic32 -DB_ENDIAN" +%endif +%ifarch s390x +sslarch="linux64-s390x" +%endif +%ifarch %{arm} +sslarch=linux-armv4 +%endif +%ifarch aarch64 +sslarch=linux-aarch64 +sslflags=enable-ec_nistp_64_gcc_128 +%endif +%ifarch sh3 sh4 +sslarch=linux-generic32 +%endif +%ifarch ppc64 ppc64p7 +sslarch=linux-ppc64 +%endif +%ifarch ppc64le +sslarch="linux-ppc64le" +sslflags=enable-ec_nistp_64_gcc_128 +%endif +%ifarch mips mipsel +sslarch="linux-mips32 -mips32r2" +%endif +%ifarch mips64 mips64el +sslarch="linux64-mips64 -mips64r2" +%endif +%ifarch mips64el +sslflags=enable-ec_nistp_64_gcc_128 +%endif +%ifarch riscv64 +sslarch=linux-generic64 +%endif +#temporarily disable ktls to unblock c10s builds +ktlsopt=enable-ktls +%ifarch armv7hl +ktlsopt=disable-ktls +%endif + +# Add -Wa,--noexecstack here so that libcrypto's assembler modules will be +# marked as not requiring an executable stack. +# Also add -DPURIFY to make using valgrind with openssl easier as we do not +# want to depend on the uninitialized memory as a source of entropy anyway. +RPM_OPT_FLAGS="$RPM_OPT_FLAGS -Wa,--noexecstack -Wa,--generate-missing-build-notes=yes -DPURIFY $RPM_LD_FLAGS" + +export HASHBANGPERL=/usr/bin/perl + +%define fips %{version}-%{srpmhash} +# ia64, x86_64, ppc are OK by default +# Configure the build tree. Override OpenSSL defaults with known-good defaults +# usable on all platforms. The Configure script already knows to use -fPIC and +# RPM_OPT_FLAGS, so we can skip specifiying them here. 
+./Configure \
+ --prefix=%{_prefix} --openssldir=%{_sysconfdir}/pki/tls ${sslflags} \
+ --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config \
+ zlib enable-camellia enable-seed enable-rfc3779 enable-sctp \
+ enable-cms enable-md2 enable-rc5 ${ktlsopt} enable-fips -D_GNU_SOURCE\
+ no-mdc2 no-ec2m no-sm2 no-sm4 no-atexit enable-buildtest-c++\
+ shared ${sslarch} $RPM_OPT_FLAGS '-DDEVRANDOM="\"/dev/urandom\"" -DREDHAT_FIPS_VERSION="\"%{fips}\""'\
+ -Wl,--allow-multiple-definition
+
+# Do not run this in a production package the FIPS symbols must be patched-in
+#util/mkdef.pl crypto update
+
+make -s %{?_smp_mflags} all
+
+# Clean up the .pc files
+for i in libcrypto.pc libssl.pc openssl.pc ; do
+ sed -i '/^Libs.private:/{s/-L[^ ]* //;s/-Wl[^ ]* //}' $i
+done
+
+%check
+# Verify that what was compiled actually works.
+
+# Hack - either enable SCTP AUTH chunks in kernel or disable sctp for check
+(sysctl net.sctp.addip_enable=1 && sysctl net.sctp.auth_enable=1) || \
+(echo 'Failed to enable SCTP AUTH chunks, disabling SCTP for tests...' &&
+ sed '/"msan" => "default",/a\ \ "sctp" => "default",' configdata.pm > configdata.pm.new && \
+ touch -r configdata.pm configdata.pm.new && \
+ mv -f configdata.pm.new configdata.pm)
+
+# We must revert patch4 before tests otherwise they will fail
+patch -p1 -R < %{PATCH4}
+#We must disable default provider before tests otherwise they will fail
+patch -p1 < %{SOURCE14}
+
+OPENSSL_ENABLE_MD5_VERIFY=
+export OPENSSL_ENABLE_MD5_VERIFY
+OPENSSL_ENABLE_SHA1_SIGNATURES=
+export OPENSSL_ENABLE_SHA1_SIGNATURES
+OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file
+export OPENSSL_SYSTEM_CIPHERS_OVERRIDE
+#embed HMAC into fips provider for test run
+LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac
+objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac
+mv providers/fips.so.mac providers/fips.so
+#run tests itself
+make test HARNESS_JOBS=8
+
+# Add generation of HMAC checksum of the final stripped library
+# We manually copy standard definition of __spec_install_post
+# and add hmac calculation/embedding to fips.so
+%if ( %{defined rhel} && (! %{defined centos}) )
+%define __spec_install_post \
+ rm -rf $RPM_BUILD_ROOT/%{_libdir}/ossl-modules/fips.so \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+%{nil}
+%else
+%define __spec_install_post \
+ %{?__debug_package:%{__debug_install_post}} \
+ %{__arch_install_post} \
+ %{__os_install_post} \
+ LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so > $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
+ objcopy --update-section .rodata1=$RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac \
+ mv $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.mac $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so \
+ rm $RPM_BUILD_ROOT%{_libdir}/ossl-modules/fips.so.hmac \
+%{nil}
+%endif
+
+%define __provides_exclude_from %{_libdir}/openssl
+
+%install
+[ "$RPM_BUILD_ROOT" != "/" ] && rm -rf $RPM_BUILD_ROOT
+# Install OpenSSL.
+install -d $RPM_BUILD_ROOT{%{_bindir},%{_includedir},%{_libdir},%{_mandir},%{_libdir}/openssl,%{_pkgdocdir}}
+%make_install
+rename so.%{soversion} so.%{version} $RPM_BUILD_ROOT%{_libdir}/*.so.%{soversion}
+for lib in $RPM_BUILD_ROOT%{_libdir}/*.so.%{version} ; do
+ chmod 755 ${lib}
+ ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`
+ ln -s -f `basename ${lib}` $RPM_BUILD_ROOT%{_libdir}/`basename ${lib} .%{version}`.%{soversion}
+done
+
+# Remove static libraries
+for lib in $RPM_BUILD_ROOT%{_libdir}/*.a ; do
+ rm -f ${lib}
+done
+
+# Install a makefile for generating keys and self-signed certs, and a script
+# for generating them on the fly.
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/certs
+mkdir -p $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.d
+install -m644 %{SOURCE2} $RPM_BUILD_ROOT%{_pkgdocdir}/Makefile.certificate
+install -m755 %{SOURCE6} $RPM_BUILD_ROOT%{_bindir}/make-dummy-cert
+install -m755 %{SOURCE7} $RPM_BUILD_ROOT%{_bindir}/renew-dummy-cert
+
+# Move runable perl scripts to bindir
+mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/*.pl $RPM_BUILD_ROOT%{_bindir}
+mv $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/misc/tsget $RPM_BUILD_ROOT%{_bindir}
+
+# Rename man pages so that they don't conflict with other system man pages.
+pushd $RPM_BUILD_ROOT%{_mandir}
+mv man5/config.5ossl man5/openssl.cnf.5
+popd
+
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA
+mkdir -m700 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/private
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/certs
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/crl
+mkdir -m755 $RPM_BUILD_ROOT%{_sysconfdir}/pki/CA/newcerts
+
+# Ensure the config file timestamps are identical across builds to avoid
+# mulitlib conflicts and unnecessary renames on upgrade
+touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf
+touch -r %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf
+
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/openssl.cnf.dist
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/ct_log_list.cnf.dist
+#we don't use native fipsmodule.cnf because FIPS module is loaded automatically
+rm -f $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fipsmodule.cnf
+
+# Determine which arch opensslconf.h is going to try to #include.
+basearch=%{_arch}
+%ifarch %{ix86}
+basearch=i386
+%endif
+%ifarch sparcv9
+basearch=sparc
+%endif
+%ifarch sparc64
+basearch=sparc64
+%endif
+
+sed -i '/^\# ifndef OPENSSL_NO_STATIC_ENGINE/i\
+# ifndef OPENSSL_NO_ENGINE\
+# define OPENSSL_NO_ENGINE\
+# endif' $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h
+
+%ifarch %{multilib_arches}
+# Do an configuration.h switcheroo to avoid file conflicts on systems where you
+# can have both a 32- and 64-bit version of the library, and they each need
+# their own correct-but-different versions of opensslconf.h to be usable.
+install -m644 %{SOURCE10} \
+ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h
+cat $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h >> \
+ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration-${basearch}.h
+install -m644 %{SOURCE9} \
+ $RPM_BUILD_ROOT/%{_prefix}/include/openssl/configuration.h
+%endif
+ln -s /etc/crypto-policies/back-ends/openssl_fips.config $RPM_BUILD_ROOT%{_sysconfdir}/pki/tls/fips_local.cnf
+
+%files
+%{!?_licensedir:%global license %%doc}
+%license LICENSE.txt
+%doc NEWS.md README.md
+%{_bindir}/make-dummy-cert
+%{_bindir}/renew-dummy-cert
+%{_bindir}/openssl
+%{_mandir}/man1/*
+%{_mandir}/man5/*
+%{_mandir}/man7/*
+%{_pkgdocdir}/Makefile.certificate
+%exclude %{_mandir}/man1/*.pl*
+%exclude %{_mandir}/man1/tsget*
+
+%files libs
+%{!?_licensedir:%global license %%doc}
+%license LICENSE.txt
+%dir %{_sysconfdir}/pki/tls
+%dir %{_sysconfdir}/pki/tls/certs
+%dir %{_sysconfdir}/pki/tls/misc
+%dir %{_sysconfdir}/pki/tls/private
+%dir %{_sysconfdir}/pki/tls/openssl.d
+%config(noreplace) %{_sysconfdir}/pki/tls/openssl.cnf
+%config(noreplace) %{_sysconfdir}/pki/tls/ct_log_list.cnf
+%config %{_sysconfdir}/pki/tls/fips_local.cnf
+%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version}
+%{_libdir}/libcrypto.so.%{soversion}
+%attr(0755,root,root) %{_libdir}/libssl.so.%{version}
+%{_libdir}/libssl.so.%{soversion}
+%attr(0755,root,root) %{_libdir}/engines-%{soversion}
+%attr(0755,root,root) %{_libdir}/ossl-modules
+
+%files devel
+%doc CHANGES.md doc/dir-locals.example.el doc/openssl-c-indent.el
+%{_prefix}/include/openssl
+%exclude %{_prefix}/include/openssl/engine*.h
+%{_libdir}/*.so
+%{_mandir}/man3/*
+%exclude %{_mandir}/man3/ENGINE*
+%{_libdir}/pkgconfig/*.pc
+
+%files perl
+%{_bindir}/c_rehash
+%{_bindir}/*.pl
+%{_bindir}/tsget
+%{_mandir}/man1/*.pl*
+%{_mandir}/man1/tsget*
+%dir %{_sysconfdir}/pki/CA
+%dir %{_sysconfdir}/pki/CA/private
+%dir %{_sysconfdir}/pki/CA/certs
+%dir %{_sysconfdir}/pki/CA/crl
+%dir %{_sysconfdir}/pki/CA/newcerts
+
+%ldconfig_scriptlets libs
+
+%changelog
+* Wed Sep 04 2024 Dmitry Belyavskiy - 1:3.2.2-12
+- Fix CVE-2024-6119: Possible denial of service in X.509 name checks
+ Resolves: RHEL-55303
+
+* Wed Aug 21 2024 Clemens Lang - 1:3.2.2-11
+- Fix CVE-2024-5535: SSL_select_next_proto buffer overread
+ Resolves: RHEL-45692
+
+* Wed Aug 14 2024 Dmitry Belyavskiy - 1:3.2.2-10
+- Use PBMAC1 by default when creating PKCS#12 files in FIPS mode
+ Related: RHEL-36659
+- Support key encapsulation/decapsulation in openssl pkeyutl command
+ Resolves: RHEL-54156
+- Fix typo in the patch numeration
+ Related: RHEL-41261
+- Enable KTLS, temporary disable KTLS tests
+ Related: RHEL-47335
+- Speedup SSL_add_{file,dir}_cert_subjects_to_stack
+ Resolves: RHEL-54232
+- Resolve SAST package scan results
+ Resolves: RHEL-37561
+
+* Fri Aug 09 2024 Dmitry Belyavskiy - 1:3.2.2-9
+- An interface to create PKCS #12 files in FIPS compliant way
+ Related: RHEL-36659
+
+* Wed Aug 07 2024 Dmitry Belyavskiy - 1:3.2.2-8
+- An interface to create PKCS #12 files in FIPS compliant way
+ Resolves: RHEL-36659
+
+* Wed Jul 10 2024 Dmitry Belyavskiy - 1:3.2.2-7
+- Disallow SHA1 at SECLEVEL2 in OpenSSL
+ Resolves: RHEL-39962
+- SHA-1 signature shouldn't work in normal mode
+ Resolves: RHEL-36677
+
+* Mon Jul 01 2024 Dmitry Belyavskiy - 1:3.2.2-6
+- Do not install ENGINE headers, man pages, and define OPENSSL_NO_ENGINE
+ Resolves: RHEL-45704
+
+* Mon Jul 1 2024 Daiki Ueno - 1:3.2.2-5
+- Replace HKDF backward compatibility patch with the official one
+ Related: RHEL-41261
+
+* Mon Jun 24 2024 Troy Dawson - 1:3.2.2-4
+- Bump release for June 2024 mass rebuild
+
+* Sat Jun 15 2024 Daiki Ueno - 1:3.2.2-3
+- Add workaround for EVP_PKEY_CTX_add1_hkdf_info with older providers
+ Resolves: RHEL-41261
+
+* Wed Jun 12 2024 Dmitry Belyavskiy - 1:3.2.2-2
+- Build openssl with no-atexit
+ Resolves: RHEL-40408
+
+* Wed Jun 05 2024 Dmitry Belyavskiy - 1:3.2.2-1
+- Rebase to OpenSSL 3.2.2.
+ Related: RHEL-31762
+
+* Mon Jun 03 2024 Sahana Prasad - 1:3.2.1-4
+- Synchronize patches from c9s and Fedora
+- Resolves: RHEL-31762
+
+* Tue Feb 13 2024 Sahana Prasad - 1:3.2.1-3
+- Temporarily disable ktls to unblock c10s builds
+- Resolves: RHEL-25259
+
+* Fri Feb 09 2024 Sahana Prasad - 1:3.2.1-2
+- Fix version aliasing issue
+- https://github.com/openssl/openssl/issues/23534
+
+* Tue Feb 06 2024 Sahana Prasad - 1:3.2.1-1
+- Rebase to upstream version 3.2.1
+
+* Thu Jan 25 2024 Fedora Release Engineering - 1:3.1.4-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Sun Jan 21 2024 Fedora Release Engineering - 1:3.1.4-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild
+
+* Wed Jan 10 2024 Dmitry Belyavskiy - 1:3.1.4-2
+- We don't want to ship openssl-pkcs11 in RHEL10/Centos 10
+
+* Thu Oct 26 2023 Sahana Prasad - 1:3.1.4-1
+- Rebase to upstream version 3.1.4
+
+* Thu Oct 19 2023 Sahana Prasad - 1:3.1.3-1
+- Rebase to upstream version 3.1.3
+
+* Thu Aug 31 2023 Dmitry Belyavskiy - 1:3.1.1-4
+- Drop duplicated patch and do some contamination
+
+* Tue Aug 22 2023 Dmitry Belyavskiy - 1:3.1.1-3
+- Integrate FIPS patches from CentOS
+
+* Fri Aug 04 2023 Dmitry Belyavskiy - 1:3.1.1-2
+- migrated to SPDX license
+
+* Thu Jul 27 2023 Sahana Prasad - 1:3.1.1-1
+- Rebase to upstream version 3.1.1
+ Resolves: CVE-2023-0464
+ Resolves: CVE-2023-0465
+ Resolves: CVE-2023-0466
+ Resolves: CVE-2023-1255
+ Resolves: CVE-2023-2650
+
+* Thu Jul 27 2023 Dmitry Belyavskiy - 1:3.0.8-4
+- Forbid custom EC more completely
+ Resolves: rhbz#2223953
+
+* Thu Jul 20 2023 Fedora Release Engineering - 1:3.0.8-3
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_39_Mass_Rebuild
+
+* Tue Mar 21 2023 Sahana Prasad - 1:3.0.8-2
+- Upload new upstream sources without manually hobbling them.
+- Remove the hobbling script as it is redundant. It is now allowed to ship
+ the sources of patented EC curves, however it is still made unavailable to use
+ by compiling with the 'no-ec2m' Configure option. The additional forbidden
+ curves such as P-160, P-192, wap-tls curves are manually removed by updating
+ 0011-Remove-EC-curves.patch.
+- Enable Brainpool curves.
+- Apply the changes to ec_curve.c and ectest.c as a new patch
+ 0010-Add-changes-to-ectest-and-eccurve.patch instead of replacing them.
+- Modify 0011-Remove-EC-curves.patch to allow Brainpool curves.
+- Modify 0011-Remove-EC-curves.patch to allow code under macro OPENSSL_NO_EC2M.
+ Resolves: rhbz#2130618, rhbz#2141672
+
+* Thu Feb 09 2023 Dmitry Belyavskiy - 1:3.0.8-1
+- Rebase to upstream version 3.0.8
+ Resolves: CVE-2022-4203
+ Resolves: CVE-2022-4304
+ Resolves: CVE-2022-4450
+ Resolves: CVE-2023-0215
+ Resolves: CVE-2023-0216
+ Resolves: CVE-2023-0217
+ Resolves: CVE-2023-0286
+ Resolves: CVE-2023-0401
+
+* Thu Jan 19 2023 Fedora Release Engineering - 1:3.0.7-4
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_38_Mass_Rebuild
+
+* Thu Jan 05 2023 Dmitry Belyavskiy - 1:3.0.7-3
+- Backport implicit rejection for RSA PKCS#1 v1.5 encryption
+ Resolves: rhbz#2153470
+
+* Thu Jan 05 2023 Dmitry Belyavskiy - 1:3.0.7-2
+- Refactor embedded mac verification in FIPS module
+ Resolves: rhbz#2156045
+
+* Fri Dec 23 2022 Dmitry Belyavskiy - 1:3.0.7-1
+- Rebase to upstream version 3.0.7
+- C99 compatibility in downstream-only 0032-Force-fips.patch
+ Resolves: rhbz#2152504
+- Adjusting include for the FIPS_mode macro
+ Resolves: rhbz#2083876
+
+* Wed Nov 16 2022 Simo sorce - 1:3.0.5-7
+- Backport patches to fix external providers compatibility issues
+
+* Tue Nov 01 2022 Dmitry Belyavskiy - 1:3.0.5-6
+- CVE-2022-3602: X.509 Email Address Buffer Overflow
+- CVE-2022-3786: X.509 Email Address Buffer Overflow
+ Resolves: CVE-2022-3602
+ Resolves: CVE-2022-3786
+
+* Mon Sep 12 2022 Dmitry Belyavskiy - 1:3.0.5-5
+- Update patches to make ELN build happy
+ Resolves: rhbz#2123755
+
+* Fri Sep 09 2022 Clemens Lang - 1:3.0.5-4
+- Fix AES-GCM on Power 8 CPUs
+ Resolves: rhbz#2124845
+
+* Thu Sep 01 2022 Dmitry Belyavskiy - 1:3.0.5-3
+- Sync patches with RHEL
+ Related: rhbz#2123755
+* Fri Jul 22 2022 Fedora Release Engineering - 1:3.0.5-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
+
+* Tue Jul 05 2022 Clemens Lang - 1:3.0.5-1
+- Rebase to upstream version 3.0.5
+ Related: rhbz#2099972, CVE-2022-2097
+
+* Wed Jun 01 2022 Dmitry Belyavskiy - 1:3.0.3-1
+- Rebase to upstream version 3.0.3
+
+* Thu Apr 28 2022 Clemens Lang - 1:3.0.2-5
+- Instrument with USDT probes related to SHA-1 deprecation
+
+* Wed Apr 27 2022 Clemens Lang - 1:3.0.2-4
+- Support rsa_pkcs1_md5_sha1 in TLS 1.0/1.1 with rh-allow-sha1-signatures = yes
+ to restore TLS 1.0 and 1.1 support in LEGACY crypto-policy.
+ Related: rhbz#2069239
+
+* Tue Apr 26 2022 Alexander Sosedkin - 1:3.0.2-4
+- Instrument with USDT probes related to SHA-1 deprecation
+
+* Wed Apr 20 2022 Clemens Lang - 1:3.0.2-3
+- Disable SHA-1 by default in ELN using the patches from CentOS
+- Fix a FIXME in the openssl.cnf(5) manpage
+
+* Thu Apr 07 2022 Clemens Lang - 1:3.0.2-2
+- Silence a few rpmlint false positives.
+
+* Thu Apr 07 2022 Clemens Lang - 1:3.0.2-2
+- Allow disabling SHA1 signature creation and verification.
+ Set rh-allow-sha1-signatures = no to disable.
+ Allow SHA1 in TLS in SECLEVEL 1 if rh-allow-sha1-signatures = yes. This will
+ support SHA1 in TLS in the LEGACY crypto-policy.
+ Resolves: rhbz#2070977
+ Related: rhbz#2031742, rhbz#2062640
+
+* Fri Mar 18 2022 Dmitry Belyavskiy - 1:3.0.2-1
+- Rebase to upstream version 3.0.2
+
+* Thu Jan 20 2022 Fedora Release Engineering - 1:3.0.0-2
+- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
+
+* Thu Sep 09 2021 Sahana Prasad - 1:3.0.0-1
+- Rebase to upstream version 3.0.0
diff --git a/SOURCES/renew-dummy-cert b/renew-dummy-cert
similarity index 100%
rename from SOURCES/renew-dummy-cert
rename to renew-dummy-cert
diff --git a/sources b/sources
new file mode 100644
index 0000000..6d3dc96
--- /dev/null
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (openssl-3.2.2.tar.gz) = ebc945065f62a8a2ea4e2f136a2afaea4d38a03bb07a148f7fb73c34a64475a4069de122ebee11a66e421dbd58756ad7ab2d3f905dc90acee72d62757d8c0a2d