diff --git a/bsc1185319-FIPS-KAT-for-ECDSA.patch b/bsc1185319-FIPS-KAT-for-ECDSA.patch new file mode 100644 index 0000000..d96832a --- /dev/null +++ b/bsc1185319-FIPS-KAT-for-ECDSA.patch @@ -0,0 +1,399 @@ +diff --git a/crypto/fips/fips_ecdsa_selftest.c b/crypto/fips/fips_ecdsa_selftest.c +index 9895aa8..77a1c77 100644 +--- a/crypto/fips/fips_ecdsa_selftest.c ++++ b/crypto/fips/fips_ecdsa_selftest.c +@@ -65,102 +65,319 @@ + #include + + #ifdef OPENSSL_FIPS ++#include ++#include "internal/nelem.h" ++#include "fips_locl.h" + +-static const char P_256_name[] = "ECDSA P-256"; ++/* functions to change the RAND_METHOD */ ++static int fbytes(unsigned char *buf, int num); + +-static const unsigned char P_256_d[] = { +- 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f, +- 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87, +- 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64 +-}; ++static RAND_METHOD fake_rand; ++static const RAND_METHOD *old_rand; ++static int use_fake = 0; ++static const unsigned char *numbers[2]; ++static int numbers_len[2]; + +-static const unsigned char P_256_qx[] = { +- 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e, +- 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31, +- 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07 +-}; ++static int change_rand(void) ++{ ++ /* save old rand method */ ++ old_rand = RAND_get_rand_method(); ++ if (!old_rand) ++ return 0; ++ ++ fake_rand = *old_rand; ++ /* use own random function */ ++ fake_rand.bytes = fbytes; ++ /* set new RAND_METHOD */ ++ if (!RAND_set_rand_method(&fake_rand)) ++ return 0; ++ ++ return 1; ++} + +-static const unsigned char P_256_qy[] = { +- 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b, +- 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e, +- 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb +-}; ++static int restore_rand(void) ++{ ++ if (!RAND_set_rand_method(old_rand)) ++ return 0; ++ ++ return 1; ++} ++ ++static int fbytes(unsigned char *buf, int num) ++{ ++ int ret = 0; ++ static int fbytes_counter = 0; ++ ++ if (use_fake == 0) ++ return old_rand->bytes(buf, num); ++ ++ use_fake = 0; ++ ++ if (fbytes_counter >= OSSL_NELEM(numbers)) ++ goto err; ++ ++ if (numbers_len[fbytes_counter] > num) ++ goto err; ++ ++ /* first zero out the buffer */ ++ memset(buf, 0, num); ++ ++ /* Now set the "random" values */ ++ memcpy(buf + (num - numbers_len[fbytes_counter]), numbers[fbytes_counter], numbers_len[fbytes_counter]); ++ ++ fbytes_counter = (fbytes_counter + 1) % OSSL_NELEM(numbers); ++ ret = 1; ++err: ++ return ret; ++} ++ ++ ++ ++/*- ++ * NIST CAVP ECDSA KATs ++ * 2 X9.62 KATs; one for prime fields and one for binary fields. ++ * ++ * Taken from: ++ * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/dss/186-3ecdsatestvectors.zip ++ */ + + typedef struct { +- int curve; +- const char *name; +- const unsigned char *x; +- size_t xlen; +- const unsigned char *y; +- size_t ylen; +- const unsigned char *d; +- size_t dlen; +-} EC_SELFTEST_DATA; +- +-# define make_ecdsa_test(nid, pr) { nid, pr##_name, \ +- pr##_qx, sizeof(pr##_qx), \ +- pr##_qy, sizeof(pr##_qy), \ +- pr##_d, sizeof(pr##_d)} +- +-static EC_SELFTEST_DATA test_ec_data[] = { +- make_ecdsa_test(NID_X9_62_prime256v1, P_256), +-}; ++ const int nid; /* curve NID */ ++ const int md_nid; /* hash function NID */ ++ const unsigned char *msg; /* message to sign */ ++ size_t msglen; ++ const unsigned char *d; /* ECDSA private key */ ++ size_t dlen; ++ const unsigned char *Q; /* ECDSA public key: (Qx,Qy) */ ++ size_t Qlen; ++ const unsigned char *k; /* ECDSA nonce */ ++ size_t klen; ++ const unsigned char *r; /* ECDSA signature (r,s) */ ++ size_t rlen; ++ const unsigned char *s; ++ size_t slen; ++} ECDSA_KAT_SELFTEST_DATA; + +-int FIPS_selftest_ecdsa() +-{ +- EC_KEY *ec = NULL; +- BIGNUM *x = NULL, *y = NULL, *d = NULL; +- EVP_PKEY *pk = NULL; +- int rv = 0; +- size_t i; + +- for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) { +- EC_SELFTEST_DATA *ecd = test_ec_data + i; ++static const unsigned char data1_msg[] = { ++ 0x59, 0x05, 0x23, 0x88, 0x77, 0xc7, 0x74, 0x21, ++ 0xf7, 0x3e, 0x43, 0xee, 0x3d, 0xa6, 0xf2, 0xd9, ++ 0xe2, 0xcc, 0xad, 0x5f, 0xc9, 0x42, 0xdc, 0xec, ++ 0x0c, 0xbd, 0x25, 0x48, 0x29, 0x35, 0xfa, 0xaf, ++ 0x41, 0x69, 0x83, 0xfe, 0x16, 0x5b, 0x1a, 0x04, ++ 0x5e, 0xe2, 0xbc, 0xd2, 0xe6, 0xdc, 0xa3, 0xbd, ++ 0xf4, 0x6c, 0x43, 0x10, 0xa7, 0x46, 0x1f, 0x9a, ++ 0x37, 0x96, 0x0c, 0xa6, 0x72, 0xd3, 0xfe, 0xb5, ++ 0x47, 0x3e, 0x25, 0x36, 0x05, 0xfb, 0x1d, 0xdf, ++ 0xd2, 0x80, 0x65, 0xb5, 0x3c, 0xb5, 0x85, 0x8a, ++ 0x8a, 0xd2, 0x81, 0x75, 0xbf, 0x9b, 0xd3, 0x86, ++ 0xa5, 0xe4, 0x71, 0xea, 0x7a, 0x65, 0xc1, 0x7c, ++ 0xc9, 0x34, 0xa9, 0xd7, 0x91, 0xe9, 0x14, 0x91, ++ 0xeb, 0x37, 0x54, 0xd0, 0x37, 0x99, 0x79, 0x0f, ++ 0xe2, 0xd3, 0x08, 0xd1, 0x61, 0x46, 0xd5, 0xc9, ++ 0xb0, 0xd0, 0xde, 0xbd, 0x97, 0xd7, 0x9c, 0xe8 ++}; + +- x = BN_bin2bn(ecd->x, ecd->xlen, x); +- y = BN_bin2bn(ecd->y, ecd->ylen, y); +- d = BN_bin2bn(ecd->d, ecd->dlen, d); ++static const unsigned char data1_d[] = { ++ 0x51, 0x9b, 0x42, 0x3d, 0x71, 0x5f, 0x8b, 0x58, ++ 0x1f, 0x4f, 0xa8, 0xee, 0x59, 0xf4, 0x77, 0x1a, ++ 0x5b, 0x44, 0xc8, 0x13, 0x0b, 0x4e, 0x3e, 0xac, ++ 0xca, 0x54, 0xa5, 0x6d, 0xda, 0x72, 0xb4, 0x64 ++}; + +- if (!x || !y || !d) +- goto err; ++static const unsigned char data1_Q[] = { ++ 0x04, 0x0c, 0xec, 0x02, 0x8e, 0xe0, 0x8d, 0x09, ++ 0xe0, 0x26, 0x72, 0xa6, 0x83, 0x10, 0x81, 0x43, ++ 0x54, 0xf9, 0xea, 0xbf, 0xff, 0x0d, 0xe6, 0xda, ++ 0xcc, 0x1c, 0xd3, 0xa7, 0x74, 0x49, 0x60, 0x76, ++ 0xae, 0xef, 0xf4, 0x71, 0xfb, 0xa0, 0x40, 0x98, ++ 0x97, 0xb6, 0xa4, 0x8e, 0x88, 0x01, 0xad, 0x12, ++ 0xf9, 0x5d, 0x00, 0x09, 0xb7, 0x53, 0xcf, 0x8f, ++ 0x51, 0xc1, 0x28, 0xbf, 0x6b, 0x0b, 0xd2, 0x7f, ++ 0xbd ++}; + +- ec = EC_KEY_new_by_curve_name(ecd->curve); +- if (!ec) +- goto err; ++static const unsigned char data1_k[] = { ++ 0x94, 0xa1, 0xbb, 0xb1, 0x4b, 0x90, 0x6a, 0x61, ++ 0xa2, 0x80, 0xf2, 0x45, 0xf9, 0xe9, 0x3c, 0x7f, ++ 0x3b, 0x4a, 0x62, 0x47, 0x82, 0x4f, 0x5d, 0x33, ++ 0xb9, 0x67, 0x07, 0x87, 0x64, 0x2a, 0x68, 0xde ++}; + +- if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y)) +- goto err; ++static const unsigned char data1_r[] = { ++ 0xe3, 0x95, 0xf6, 0xdb, 0x12, 0x71, 0x90, 0xfa, ++ 0x70, 0xa6, 0x80, 0xeb, 0xf6, 0x8a, 0x18, 0x35, ++ 0x6f, 0xef, 0xf2, 0x36, 0x65, 0xb9, 0x31, 0xc3, ++ 0xa2, 0x14, 0x80, 0xdf, 0x86, 0xc4, 0xec, 0xbc ++}; + +- if (!EC_KEY_set_private_key(ec, d)) +- goto err; ++static const unsigned char data1_s[] = { ++ 0xa5, 0x01, 0x04, 0x78, 0x93, 0xd9, 0x60, 0xcc, ++ 0x20, 0xce, 0xbd, 0xbb, 0x6f, 0x79, 0xb9, 0x7e, ++ 0x45, 0x23, 0x80, 0x73, 0x87, 0x83, 0x53, 0x63, ++ 0xe3, 0x80, 0x2b, 0x68, 0xcf, 0x32, 0xa1, 0xa2 ++}; + +- if ((pk = EVP_PKEY_new()) == NULL) +- goto err; + +- EVP_PKEY_assign_EC_KEY(pk, ec); ++# define make_ecdsa_kat_test(nid, md_nid, pr) { \ ++nid, md_nid, \ ++pr##_msg, sizeof(pr##_msg), \ ++pr##_d, sizeof(pr##_d), \ ++pr##_Q, sizeof(pr##_Q), \ ++pr##_k, sizeof(pr##_k), \ ++pr##_r, sizeof(pr##_r), \ ++pr##_s, sizeof(pr##_s) \ ++} + +- if (!fips_pkey_signature_test(pk, NULL, 0, +- NULL, 0, EVP_sha256(), 0, ecd->name)) +- goto err; +- } ++static ECDSA_KAT_SELFTEST_DATA test_ecdsa_data[] = { ++ make_ecdsa_kat_test(NID_secp256k1, NID_sha256, data1) ++}; + +- rv = 1; ++int FIPS_selftest_ecdsa() ++{ ++ int rv; ++ size_t i, siglen, p_len; ++ ++ for (i = 0; i < sizeof(test_ecdsa_data) / sizeof(ECDSA_KAT_SELFTEST_DATA); i++) { ++ EC_KEY *ec = NULL; ++ BIGNUM *r = NULL, *s = NULL; ++ BIGNUM *sig_r = NULL, *sig_s = NULL; ++ EVP_PKEY *pk = NULL; ++ unsigned char *sig = NULL; ++ unsigned char *tsig = NULL; ++ unsigned char *p_buf = NULL; ++ ECDSA_SIG *dsa_sig = NULL; ++ rv = 0; ++ ++ ECDSA_KAT_SELFTEST_DATA *ecd = test_ecdsa_data + i; ++ ++ /* Create the Message Digest Context */ ++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); ++ if (!mdctx) goto err; ++ ++ r = BN_bin2bn(ecd->r, ecd->rlen, r); ++ s = BN_bin2bn(ecd->s, ecd->slen, s); ++ ++ if (!r || !s) ++ goto err; ++ ++ /* d[] will be used to generate a key. */ ++ /* k[] will be used for signature generation. */ ++ numbers[0] = ecd->d; ++ numbers_len[0] = ecd->dlen; ++ numbers[1] = ecd->k; ++ numbers_len[1] = ecd->klen; ++ /* swap the RNG source */ ++ if (!change_rand()) ++ goto err; ++ ++ ec = EC_KEY_new_by_curve_name(ecd->nid); ++ if (!ec) ++ goto err; ++ ++ /* Use d[] to generate key. */ ++ use_fake = 1; ++ if (EC_KEY_generate_key(ec) != 1) ++ goto err; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_assign_EC_KEY(pk, ec); ++ ++ p_len = EC_KEY_key2buf(ec, POINT_CONVERSION_UNCOMPRESSED, &p_buf, NULL); ++ if (!p_len) ++ goto err; ++ ++ /* Make sure generated public key matches */ ++ if (p_len != ecd->Qlen) ++ goto err; ++ if (memcmp(p_buf, ecd->Q, p_len)) ++ goto err; ++ ++ /* Initialise the DigestSign operation */ ++ if(1 != EVP_DigestSignInit(mdctx, NULL, EVP_get_digestbynid(ecd->md_nid), NULL, pk)) ++ goto err; ++ ++ /* Call update with the message */ ++ if(1 != EVP_DigestSignUpdate(mdctx, ecd->msg, ecd->msglen)) ++ goto err; ++ ++ /* Finalise the DigestSign operation */ ++ /* First call EVP_DigestSignFinal with a NULL sig parameter to */ ++ /* obtain the length of the signature. Length is returned in slen */ ++ if(1 != EVP_DigestSignFinal(mdctx, NULL, &siglen)) ++ goto err; ++ ++ /* Allocate memory for the signature based on size in slen */ ++ if(!(sig = OPENSSL_malloc(siglen))) ++ goto err; ++ ++ /* Use k[] for signature. */ ++ use_fake = 1; ++ ++ /* Obtain the signature */ ++ if(1 != EVP_DigestSignFinal(mdctx, sig, &siglen)) ++ goto err; + +- err: ++ /* extract r and s */ ++ tsig = sig; ++ dsa_sig = d2i_ECDSA_SIG(NULL, &tsig, siglen); ++ if (dsa_sig == NULL) ++ goto err; ++ ++ sig_r = ECDSA_SIG_get0_r(dsa_sig); ++ sig_s = ECDSA_SIG_get0_s(dsa_sig); ++ if ((sig_r == NULL) || (sig_s == NULL)) ++ goto err; + +- if (x) +- BN_clear_free(x); +- if (y) +- BN_clear_free(y); +- if (d) +- BN_clear_free(d); ++ /* Compare r and s against known. */ ++ if ((BN_cmp(sig_r, r) != 0) || (BN_cmp(sig_s, s) != 0)) ++ goto err; ++ ++ /* Verify signature */ ++ if(1 != EVP_DigestVerifyInit(mdctx, NULL, EVP_get_digestbynid(ecd->md_nid), NULL, pk)) ++ goto err; ++ ++ if (EVP_DigestVerify(mdctx, sig, siglen, ecd->msg, ecd->msglen) != 1) ++ goto err; ++ ++ if (1 != restore_rand()) ++ goto err; ++ ++ /* Success */ ++ rv = 1; ++ ++ ++ err: ++ ++ if (mdctx) ++ EVP_MD_CTX_free(mdctx); ++ if (r) ++ BN_clear_free(r); ++ if (s) ++ BN_clear_free(s); ++ if (sig) ++ OPENSSL_free(sig); ++ if (dsa_sig) ++ ECDSA_SIG_free(dsa_sig); ++ if (p_buf) ++ OPENSSL_free(p_buf); + if (pk) +- EVP_PKEY_free(pk); ++ EVP_PKEY_free(pk); + else if (ec) +- EC_KEY_free(ec); +- +- return rv; ++ EC_KEY_free(ec); ++ ++ if (rv != 1) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_ECDSA, FIPS_R_SELFTEST_FAILED); ++ break; ++ } ++ ++ } + ++ return rv; ++ + } + ++ + #endif + diff --git a/bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch b/bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch new file mode 100644 index 0000000..16b9623 --- /dev/null +++ b/bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch @@ -0,0 +1,13 @@ +diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c +index 80de6f6..46003d1 100644 +--- a/crypto/fips/fips_post.c ++++ b/crypto/fips/fips_post.c +@@ -72,7 +72,7 @@ + int FIPS_selftest(void) + { + int rv = 1; +- if (!FIPS_selftest_drbg()) ++ if (!FIPS_selftest_drbg_all()) + rv = 0; + if (!FIPS_selftest_sha1()) + rv = 0; diff --git a/openssl-1.1.1-fips-fix-memory-leaks.patch b/openssl-1.1.1-fips-fix-memory-leaks.patch new file mode 100644 index 0000000..4f6bc33 --- /dev/null +++ b/openssl-1.1.1-fips-fix-memory-leaks.patch @@ -0,0 +1,80 @@ +--- + crypto/fips/fips.c | 8 ++++++++ + crypto/fips/fips_drbg_rand.c | 6 ++++++ + crypto/init.c | 4 ++++ + include/crypto/fips_int.h | 1 + + include/openssl/fips_rand.h | 1 + + 5 files changed, 20 insertions(+) + +--- a/crypto/fips/fips.c ++++ b/crypto/fips/fips.c +@@ -93,6 +93,14 @@ DEFINE_RUN_ONCE_STATIC(do_fips_lock_init + return fips_lock != NULL && fips_owning_lock != NULL; + } + ++void FIPS_owning_thread_lock_cleanup(void) ++{ ++ CRYPTO_THREAD_lock_free(fips_lock); ++ fips_lock = NULL; ++ CRYPTO_THREAD_lock_free(fips_owning_lock); ++ fips_owning_lock = NULL; ++} ++ + # define fips_w_lock() CRYPTO_THREAD_write_lock(fips_lock) + # define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock) + # define fips_r_lock() CRYPTO_THREAD_read_lock(fips_lock) +--- a/crypto/fips/fips_drbg_rand.c ++++ b/crypto/fips/fips_drbg_rand.c +@@ -84,6 +84,12 @@ DRBG_CTX *FIPS_get_default_drbg(void) + return &ossl_dctx; + } + ++void FIPS_drbg_lock_cleanup(void) ++{ ++ CRYPTO_THREAD_lock_free(fips_rand_lock); ++ fips_rand_lock = NULL; ++} ++ + static int fips_drbg_bytes(unsigned char *out, int count) + { + DRBG_CTX *dctx = &ossl_dctx; +--- a/crypto/init.c ++++ b/crypto/init.c +@@ -28,6 +28,8 @@ + #include "internal/dso.h" + #include "crypto/store.h" + #include "openssl/fips.h" ++#include "openssl/fips_rand.h" ++#include "crypto/fips_int.h" + + static int stopped = 0; + +@@ -591,6 +593,8 @@ void OPENSSL_cleanup(void) + conf_modules_free_int(); + #ifdef OPENSSL_FIPS + FIPS_entropy_cleanup(); ++ FIPS_drbg_lock_cleanup(); ++ FIPS_owning_thread_lock_cleanup(); + #endif + #ifndef OPENSSL_NO_ENGINE + engine_cleanup_int(); +--- a/include/crypto/fips_int.h ++++ b/include/crypto/fips_int.h +@@ -56,6 +56,7 @@ + + #ifdef OPENSSL_FIPS + ++void FIPS_owning_thread_lock_cleanup(void); + int FIPS_module_mode_set(int onoff); + int FIPS_module_mode(void); + int FIPS_module_installed(void); +--- a/include/openssl/fips_rand.h ++++ b/include/openssl/fips_rand.h +@@ -125,6 +125,7 @@ extern "C" { + + DRBG_CTX *FIPS_get_default_drbg(void); + const RAND_METHOD *FIPS_drbg_method(void); ++ void FIPS_drbg_lock_cleanup(void); + + int FIPS_rand_set_method(const RAND_METHOD *meth); + const RAND_METHOD *FIPS_rand_get_method(void); diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index 6dbc095..7c4631f 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -288,7 +288,7 @@ Index: openssl-1.1.1n/crypto/dh/dh_key.c +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) + && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) { -+ DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD); ++ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD); + return 0; + } +#endif @@ -2341,7 +2341,7 @@ Index: openssl-1.1.1n/crypto/fips/fips.c + rv = 0; + + /* Installed == true */ -+ return !rv; ++ return !rv || FIPS_module_mode(); +} + +int FIPS_module_mode_set(int onoff) @@ -7491,7 +7491,7 @@ Index: openssl-1.1.1n/crypto/fips/fips_dsa_selftest.c +{ + DSA *dsa = NULL; + EVP_PKEY *pk = NULL; -+ int ret = -1; ++ int ret = 0; + BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; + + fips_load_key_component(p, dsa_test_2048); @@ -7692,24 +7692,24 @@ Index: openssl-1.1.1n/crypto/fips/fips_ecdh_selftest.c + d = BN_bin2bn(ecd->d1, ecd->d1len, d); + + if (!x || !y || !d || !ztmp) { -+ rv = -1; ++ rv = 0; + goto err; + } + + ec1 = EC_KEY_new_by_curve_name(ecd->curve); + if (!ec1) { -+ rv = -1; ++ rv = 0; + goto err; + } + EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); + + if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) { -+ rv = -1; ++ rv = 0; + goto err; + } + + if (!EC_KEY_set_private_key(ec1, d)) { -+ rv = -1; ++ rv = 0; + goto err; + } + @@ -7717,30 +7717,30 @@ Index: openssl-1.1.1n/crypto/fips/fips_ecdh_selftest.c + y = BN_bin2bn(ecd->y2, ecd->y2len, y); + + if (!x || !y) { -+ rv = -1; ++ rv = 0; + goto err; + } + + ec2 = EC_KEY_new_by_curve_name(ecd->curve); + if (!ec2) { -+ rv = -1; ++ rv = 0; + goto err; + } + EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); + + if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) { -+ rv = -1; ++ rv = 0; + goto err; + } + + ecp = EC_KEY_get0_public_key(ec2); + if (!ecp) { -+ rv = -1; ++ rv = 0; + goto err; + } + + if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) { -+ rv = -1; ++ rv = 0; + goto err; + } + @@ -9933,7 +9933,7 @@ Index: openssl-1.1.1n/crypto/o_init.c =================================================================== --- openssl-1.1.1n.orig/crypto/o_init.c +++ openssl-1.1.1n/crypto/o_init.c -@@ -7,8 +7,68 @@ +@@ -7,8 +7,69 @@ * https://www.openssl.org/source/license.html */ @@ -9959,16 +9959,20 @@ Index: openssl-1.1.1n/crypto/o_init.c + char buf[2] = "0"; + int fd; + -+ /* Ensure the selftests always run */ -+ /* XXX: TO SOLVE - premature initialization due to selftests */ -+ FIPS_mode_set(1); -+ + if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { + buf[0] = '1'; + } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { + while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; + close(fd); + } ++ ++ if (buf[0] != '1' && !FIPS_module_installed()) ++ return; ++ ++ /* Ensure the selftests always run */ ++ /* XXX: TO SOLVE - premature initialization due to selftests */ ++ FIPS_mode_set(1); ++ + /* Failure reading the fips mode switch file means just not + * switching into FIPS mode. We would break too many things + * otherwise.. @@ -9993,9 +9997,6 @@ Index: openssl-1.1.1n/crypto/o_init.c + if (done) + return; + done = 1; -+ if (!FIPS_module_installed()) { -+ return; -+ } + init_fips_mode(); +} +#endif diff --git a/openssl-1.1.1v.tar.gz b/openssl-1.1.1v.tar.gz deleted file mode 100644 index f4d327a..0000000 --- a/openssl-1.1.1v.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0 -size 9893443 diff --git a/openssl-1.1.1v.tar.gz.asc b/openssl-1.1.1v.tar.gz.asc deleted file mode 100644 index b5d3f7a..0000000 --- a/openssl-1.1.1v.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmTJDewACgkQ2JTizos9 -efVPDBAAjgNq842XSAhmH3CBHHFtMuVlg5RV+tAV7PF7tDm/Bu0VPxZecvDhEHyk -y1bIzYki9kPQrnDc5Cz3UYHjnBp2n2GH+JDShedSJMH3qbsAlSB4j5b15UFjE8b4 -yDl4rlcug3SydqEdYJAGnOD3QBghsX7GiS6S9BgnU1D1XDZ1LYF6NumrjeypGm2r -vodcjel0tD+Xu2Du398sGmXLZLfK7eBT8dYtzWHAZubf+dNQmfRRDALo2Q5Xux6p -xIDlEQvTUkt5mF+Rx0CI1boIKeaFoZFOReUW0zkKYfwNkfq1WvGj3sGA+StQsgn1 -Dvfx6ONoS9UT+6KTegsLOIX2xOAHa8k4UgtW19eCovYzJNkBwNnq83lrvIEMoLY7 -brALTqBmlFq4prPgzpDHlTeC78uDcf/Ao95CeBw5yKVsKAN7W7vA2u6Gr2ZgUWsF -zVnrxJ9difkrvkFxm6uO2qu1qA/84Bow77M6/7FSHFZ+oDB3tjGXtq4Tf6iBkhpf -XIRu79S1LxCY7HxKVHHfpKuGSfefV/tgPeOac8CvucIq6r1Be20h0crRnDEGJt8G -Otznvt04iX+FkSVC7PjiAVZqubQQWjXUZxDngQgUOye/suExGwEoaTMmhj95eiVu -ufee+jDrVGOjhLLoEClP/+zpl2Wplq3KzLVsvvJa8v5KTVot9r4= -=mu7b ------END PGP SIGNATURE----- diff --git a/openssl-1.1.1w.tar.gz b/openssl-1.1.1w.tar.gz new file mode 100644 index 0000000..04883c9 --- /dev/null +++ b/openssl-1.1.1w.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8 +size 9893384 diff --git a/openssl-1.1.1w.tar.gz.asc b/openssl-1.1.1w.tar.gz.asc new file mode 100644 index 0000000..0091ceb --- /dev/null +++ b/openssl-1.1.1w.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmT/H2QACgkQ2JTizos9 +efVL8A//XiYVgTnhAtnBs8W5+8fTJ2WUh+lcG7I+GF1wi1PRMaA9YddmXu70b9VF +x5EOcAVo7RsjlQ/VeWUtVuyTjd6eXCzoKRlbAwo9YovEsWcIo5sb6lSzuN17bIJi +NOrALx3+TF7SZfuOdd/czohfJfFUX/5mfEmcrkwY67UvIDFgO6E04+S2eFnU9HdC +KEF4kK10IObHRfvnAj+nSfUrnq5xtAAIpj2PBg9GFIEIxKBU72vvJYGdJ0HKFN8/ +352rNVIxGMXlwsAtWY2L09S0kt4iFST4fANM4CkxTnvloimmCtcWJvcst6tTgCMD +PKqXJ4hJpElzCVJJJBNQxz+T2dxc97Upvense/lkB6h8bwQgYaZNgk6B8UsSZyE8 +5v1p1HcOCJBNKc8zW86a3RvGCfxOfjrFz2CC7QPdT84Rv4S/xeCeUqM5b63Ws7pZ +3kA5jHUkP0yXsVOjxdMdqlJxqQ1wE2Q459fklLnsoHERrEQtsoaEW0DG6Kgima58 +YGwY8GxQ/QFLPxYRMjsfaLO54pdSlXa2EZ3nmL6WTY1ScdzN8K+huXz8Ok2lbi7O +oPZCVaDl8cpO9Kh8y5Hc8KAqCU72eTgx4kDGmEou9z//bl33fq0s5+PAjaz0XDvZ +gdOlsOngaAlvcVF50ZkVERBvfVb41O0uWD8MSk+vvBKQvuecrQ0= +=ZcG7 +-----END PGP SIGNATURE----- diff --git a/openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch b/openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch new file mode 100644 index 0000000..fb58237 --- /dev/null +++ b/openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch @@ -0,0 +1,45 @@ +Index: openssl-1.1.1l/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_kdf_selftest.c ++++ openssl-1.1.1l/crypto/fips/fips_kdf_selftest.c +@@ -63,18 +63,20 @@ int FIPS_selftest_pbkdf2(void) + { + int ret = 0; + EVP_KDF_CTX *kctx; +- unsigned char out[32]; ++ unsigned char out[40]; + + if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) { + goto err; + } +- if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) { ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, ++ "passwordPASSWORDpassword", (size_t)24) <= 0) { + goto err; + } +- if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, ++ "saltSALTsaltSALTsaltSALTsaltSALTsalt", (size_t)36) <= 0) { + goto err; + } +- if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) { ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 4096) <= 0) { + goto err; + } + if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { +@@ -86,10 +88,11 @@ int FIPS_selftest_pbkdf2(void) + + { + const unsigned char expected[sizeof(out)] = { +- 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3, +- 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0, +- 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf, +- 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43 ++ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, ++ 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf, ++ 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18, ++ 0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd, 0x53, 0xe1, ++ 0xc6, 0x35, 0x51, 0x8c, 0x7d, 0xac, 0x47, 0xe9 + }; + if (memcmp(out, expected, sizeof(expected))) { + goto err; diff --git a/openssl-1_1-FIPS-fix-error-reason-codes.patch b/openssl-1_1-FIPS-fix-error-reason-codes.patch index a7bb4e1..54f063f 100644 --- a/openssl-1_1-FIPS-fix-error-reason-codes.patch +++ b/openssl-1_1-FIPS-fix-error-reason-codes.patch @@ -32,7 +32,7 @@ Index: openssl-1.1.1l/crypto/err/openssl.ec L KDF include/openssl/kdf.h crypto/kdf/kdf_err.c L SM2 include/crypto/sm2.h crypto/sm2/sm2_err.c L OSSL_STORE include/openssl/store.h crypto/store/store_err.c -+L FIPS include/crypto/fips.h crypto/fips/fips_ers.c ++L FIPS include/crypto/fips_int.h crypto/fips/fips_ers.c # additional header files to be scanned for function names L NONE include/openssl/x509_vfy.h NONE diff --git a/openssl-1_1-FIPS_drbg-rewire.patch b/openssl-1_1-FIPS_drbg-rewire.patch new file mode 100644 index 0000000..48358b7 --- /dev/null +++ b/openssl-1_1-FIPS_drbg-rewire.patch @@ -0,0 +1,182 @@ +Index: openssl-1.1.1l/crypto/fips/fips_drbg_lib.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_drbg_lib.c ++++ openssl-1.1.1l/crypto/fips/fips_drbg_lib.c +@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx, + int FIPS_drbg_reseed(DRBG_CTX *dctx, + const unsigned char *adin, size_t adinlen) + { ++ int len = (int)adinlen; ++ ++ if (len < 0 || (size_t)len != adinlen) { ++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG); ++ return 0; ++ } ++ RAND_seed(adin, len); ++ return 1; ++} ++ ++int FIPS_drbg_reseed_internal(DRBG_CTX *dctx, ++ const unsigned char *adin, size_t adinlen) ++{ + return drbg_reseed(dctx, adin, adinlen, 1); + } + +@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u + int prediction_resistance, + const unsigned char *adin, size_t adinlen) + { ++ int len = (int)outlen; ++ ++ if (len < 0 || (size_t)len != outlen) { ++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG); ++ return 0; ++ } ++ return RAND_bytes(out, len); ++} ++ ++int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen, ++ int prediction_resistance, ++ const unsigned char *adin, size_t adinlen) ++{ + int r = 0; + + if (FIPS_selftest_failed()) { +Index: openssl-1.1.1l/crypto/fips/fips_drbg_rand.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_drbg_rand.c ++++ openssl-1.1.1l/crypto/fips/fips_drbg_rand.c +@@ -57,6 +57,8 @@ + #include + #include + #include ++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal ++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal + #include + #include "fips_rand_lcl.h" + +Index: openssl-1.1.1l/crypto/fips/fips_drbg_selftest.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_drbg_selftest.c ++++ openssl-1.1.1l/crypto/fips/fips_drbg_selftest.c +@@ -55,6 +55,8 @@ + #include + #include + #include ++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal ++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal + #include + #include "fips_rand_lcl.h" + #include "fips_locl.h" +Index: openssl-1.1.1l/crypto/fips/fips_rand_lib.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_rand_lib.c ++++ openssl-1.1.1l/crypto/fips/fips_rand_lib.c +@@ -120,6 +120,7 @@ void FIPS_rand_reset(void) + + int FIPS_rand_seed(const void *buf, int num) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int + if (fips_rand_meth && fips_rand_meth->seed) + fips_rand_meth->seed(buf, num); + return 1; ++#else ++ RAND_seed(buf, num); ++ return 1; ++#endif + } + + int FIPS_rand_bytes(unsigned char *buf, int num) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf, + if (fips_rand_meth && fips_rand_meth->bytes) + return fips_rand_meth->bytes(buf, num); + return 0; ++#else ++ return RAND_bytes(buf, num); ++#endif + } + + int FIPS_rand_status(void) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -149,6 +159,9 @@ int FIPS_rand_status(void) + if (fips_rand_meth && fips_rand_meth->status) + return fips_rand_meth->status(); + return 0; ++#else ++ return RAND_status(); ++#endif + } + + /* Return instantiated strength of PRNG. For DRBG this is an internal +Index: openssl-1.1.1l/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1l.orig/include/openssl/fips.h ++++ openssl-1.1.1l/include/openssl/fips.h +@@ -64,6 +64,11 @@ extern "C" { + + int FIPS_selftest(void); + int FIPS_selftest_failed(void); ++ ++ /* ++ * This function is deprecated as it performs selftest of the old FIPS drbg ++ * implementation that is not validated. ++ */ + int FIPS_selftest_drbg_all(void); + void NONFIPS_selftest_check(void); + +Index: openssl-1.1.1l/include/openssl/fips_rand.h +=================================================================== +--- openssl-1.1.1l.orig/include/openssl/fips_rand.h ++++ openssl-1.1.1l/include/openssl/fips_rand.h +@@ -60,6 +60,20 @@ + # ifdef __cplusplus + extern "C" { + # endif ++ ++/* ++ * IMPORTANT NOTE: ++ * All functions in this header file are deprecated and should not be used ++ * as they use the old FIPS_drbg implementation that is not FIPS validated ++ * anymore. ++ * To provide backwards compatibility for applications that need FIPS compliant ++ * RNG number generation and use FIPS_drbg_generate, this function was ++ * re-wired to call the FIPS validated DRBG instance instead through ++ * the RAND_bytes() call. ++ * ++ * All these functions will be removed in future. ++ */ ++ + typedef struct drbg_ctx_st DRBG_CTX; + /* DRBG external flags */ + /* Flag for CTR mode only: use derivation function ctr_df */ +Index: openssl-1.1.1l/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1l/crypto/fips/fips_post.c +@@ -72,8 +72,13 @@ + int FIPS_selftest(void) + { + int rv = 1; ++#if 0 ++ /* This selftest is deprecated as it uses the old FIPS_drbg ++ * implementation that is not FIPS validated. ++ */ + if (!FIPS_selftest_drbg_all()) + rv = 0; ++#endif + if (!FIPS_selftest_sha1()) + rv = 0; + if (!FIPS_selftest_sha2()) diff --git a/openssl-1_1-Zeroization.patch b/openssl-1_1-Zeroization.patch new file mode 100644 index 0000000..2f13470 --- /dev/null +++ b/openssl-1_1-Zeroization.patch @@ -0,0 +1,25 @@ +--- openssl-1.1.1l/crypto/fips/fips.c ++++ openssl-1.1.1l/crypto/fips/fips.c +@@ -350,6 +350,10 @@ static int FIPSCHECK_verify(const char * + if (strcmp(hex, hmac) != 0) { + rv = -1; + } ++ if (hmaclen != 0) { ++ OPENSSL_cleanse(buf, hmaclen); ++ OPENSSL_cleanse(hex, hmaclen * 2 + 1); ++ } + free(buf); + free(hex); + } else { +@@ -357,7 +360,11 @@ static int FIPSCHECK_verify(const char * + } + + end: ++ if (n != 0) ++ OPENSSL_cleanse(hmac, n); + free(hmac); ++ if (strlen(hmacpath) != 0) ++ OPENSSL_cleanse(hmacpath, strlen(hmacpath)); + free(hmacpath); + fclose(hf); + diff --git a/openssl-1_1-fips-drbg-selftest.patch b/openssl-1_1-fips-drbg-selftest.patch new file mode 100644 index 0000000..81f2a83 --- /dev/null +++ b/openssl-1_1-fips-drbg-selftest.patch @@ -0,0 +1,588 @@ +--- + crypto/fips/fips_post.c | 3 + crypto/rand/build.info | 2 + crypto/rand/drbg_selftest.c | 537 ++++++++++++++++++++++++++++++++++++++++++++ + include/crypto/rand.h | 5 + 4 files changed, 546 insertions(+), 1 deletion(-) + +--- a/crypto/fips/fips_post.c ++++ b/crypto/fips/fips_post.c +@@ -66,6 +66,7 @@ + + # include + # include "crypto/fips_int.h" ++# include "crypto/rand.h" + # include "fips_locl.h" + + /* Run all selftests */ +@@ -79,6 +80,8 @@ int FIPS_selftest(void) + if (!FIPS_selftest_drbg_all()) + rv = 0; + #endif ++ if (!FIPS_selftest_drbg_new()) ++ rv = 0; + if (!FIPS_selftest_sha1()) + rv = 0; + if (!FIPS_selftest_sha2()) +--- a/crypto/rand/build.info ++++ b/crypto/rand/build.info +@@ -1,6 +1,6 @@ + LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ + randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \ +- rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c ++ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c + + INCLUDE[drbg_ctr.o]=../modes +--- /dev/null ++++ b/crypto/rand/drbg_selftest.c +@@ -0,0 +1,537 @@ ++/* ++ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include "internal/nelem.h" ++#include ++#include ++#include ++#include ++#include "internal/thread_once.h" ++#include "crypto/rand.h" ++ ++typedef struct test_ctx_st { ++ const unsigned char *entropy; ++ size_t entropylen; ++ int entropycnt; ++ const unsigned char *nonce; ++ size_t noncelen; ++ int noncecnt; ++} TEST_CTX; ++ ++static int app_data_index = -1; ++static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT; ++DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init) ++{ ++ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); ++ ++ return 1; ++} ++ ++enum drbg_kat_type { ++ NO_RESEED, ++ PR_FALSE, ++ PR_TRUE ++}; ++ ++enum drbg_df { ++ USE_DF, ++ NO_DF, ++ NA ++}; ++ ++struct drbg_kat_no_reseed { ++ size_t count; ++ const unsigned char *entropyin; ++ const unsigned char *nonce; ++ const unsigned char *persstr; ++ const unsigned char *addin1; ++ const unsigned char *addin2; ++ const unsigned char *retbytes; ++}; ++ ++struct drbg_kat_pr_false { ++ size_t count; ++ const unsigned char *entropyin; ++ const unsigned char *nonce; ++ const unsigned char *persstr; ++ const unsigned char *entropyinreseed; ++ const unsigned char *addinreseed; ++ const unsigned char *addin1; ++ const unsigned char *addin2; ++ const unsigned char *retbytes; ++}; ++ ++struct drbg_kat_pr_true { ++ size_t count; ++ const unsigned char *entropyin; ++ const unsigned char *nonce; ++ const unsigned char *persstr; ++ const unsigned char *entropyinpr1; ++ const unsigned char *addin1; ++ const unsigned char *entropyinpr2; ++ const unsigned char *addin2; ++ const unsigned char *retbytes; ++}; ++ ++struct drbg_kat { ++ enum drbg_kat_type type; ++ enum drbg_df df; ++ int nid; ++ ++ size_t entropyinlen; ++ size_t noncelen; ++ size_t persstrlen; ++ size_t addinlen; ++ size_t retbyteslen; ++ ++ const void *t; ++}; ++ ++/* ++ * Excerpt from test/drbg_cavs_data.c ++ * DRBG test vectors from: ++ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/ ++ */ ++ ++static const unsigned char kat1308_entropyin[] = { ++ 0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c, ++ 0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7, ++ 0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97, ++ 0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52, ++}; ++static const unsigned char kat1308_nonce[] = {0}; ++static const unsigned char kat1308_persstr[] = { ++ 0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2, ++ 0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39, ++ 0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45, ++ 0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3, ++}; ++static const unsigned char kat1308_addin0[] = { ++ 0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e, ++ 0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a, ++ 0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a, ++ 0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c, ++}; ++static const unsigned char kat1308_addin1[] = { ++ 0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19, ++ 0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a, ++ 0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e, ++ 0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4, ++}; ++static const unsigned char kat1308_retbits[] = { ++ 0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2, ++ 0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92, ++ 0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f, ++ 0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63, ++ 0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53, ++ 0x26, 0x32, 0xd0, 0xb8, ++}; ++static const struct drbg_kat_no_reseed kat1308_t = { ++ 2, kat1308_entropyin, kat1308_nonce, kat1308_persstr, ++ kat1308_addin0, kat1308_addin1, kat1308_retbits ++}; ++static const struct drbg_kat kat1308 = { ++ NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t ++}; ++ ++static const unsigned char kat1465_entropyin[] = { ++ 0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64, ++ 0x87, 0xbe, 0xaa, 0xc0, ++}; ++static const unsigned char kat1465_nonce[] = { ++ 0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85, ++}; ++static const unsigned char kat1465_persstr[] = {0}; ++static const unsigned char kat1465_entropyinreseed[] = { ++ 0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5, ++ 0x1f, 0x4b, 0x7b, 0x51, ++}; ++static const unsigned char kat1465_addinreseed[] = { ++ 0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12, ++ 0x61, 0x9f, 0x26, 0x5f, ++}; ++static const unsigned char kat1465_addin0[] = { ++ 0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6, ++ 0x10, 0x5a, 0x73, 0x9c, ++}; ++static const unsigned char kat1465_addin1[] = { ++ 0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18, ++ 0x47, 0x99, 0x1f, 0xeb, ++}; ++static const unsigned char kat1465_retbits[] = { ++ 0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d, ++ 0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb, ++ 0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52, ++ 0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e, ++ 0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41, ++ 0x58, 0xdb, 0x27, 0xba, ++}; ++static const struct drbg_kat_pr_false kat1465_t = { ++ 9, kat1465_entropyin, kat1465_nonce, kat1465_persstr, ++ kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0, ++ kat1465_addin1, kat1465_retbits ++}; ++static const struct drbg_kat kat1465 = { ++ PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t ++}; ++ ++static const unsigned char kat3146_entropyin[] = { ++ 0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3, ++ 0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4, ++}; ++static const unsigned char kat3146_nonce[] = { ++ 0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3, ++ 0x50, 0x86, 0xca, 0xca, ++}; ++static const unsigned char kat3146_persstr[] = {0}; ++static const unsigned char kat3146_entropyinpr1[] = { ++ 0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda, ++ 0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15, ++}; ++static const unsigned char kat3146_addinpr1[] = { ++ 0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1, ++ 0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90, ++ 0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99, ++}; ++static const unsigned char kat3146_entropyinpr2[] = { ++ 0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7, ++ 0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34, ++}; ++static const unsigned char kat3146_addinpr2[] = { ++ 0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c, ++ 0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3, ++ 0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6, ++}; ++static const unsigned char kat3146_retbits[] = { ++ 0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f, ++ 0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28, ++ 0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76, ++ 0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87, ++ 0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45, ++ 0xd4, 0x30, 0x73, 0xbb, ++}; ++static const struct drbg_kat_pr_true kat3146_t = { ++ 10, kat3146_entropyin, kat3146_nonce, kat3146_persstr, ++ kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2, ++ kat3146_addinpr2, kat3146_retbits ++}; ++static const struct drbg_kat kat3146 = { ++ PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t ++}; ++ ++static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 }; ++ ++static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test); ++ ++static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len, ++ int prediction_resistance) ++{ ++ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); ++ ++ t->entropycnt++; ++ *pout = (unsigned char *)t->entropy; ++ return t->entropylen; ++} ++ ++static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len) ++{ ++ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); ++ ++ t->noncecnt++; ++ *pout = (unsigned char *)t->nonce; ++ return t->noncelen; ++} ++ ++/* ++ * Do a single NO_RESEED KAT: ++ * ++ * Instantiate ++ * Generate Random Bits (pr=false) ++ * Generate Random Bits (pr=false) ++ * Uninstantiate ++ * ++ * Return 0 on failure. ++ */ ++static int single_kat_no_reseed(const struct drbg_kat *td) ++{ ++ struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned char *buff = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.entropy = data->entropyin; ++ t.entropylen = td->entropyinlen; ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ buff = OPENSSL_malloc(td->retbyteslen); ++ if (buff == NULL) { ++ failures++; ++ goto err; ++ } ++ ++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin1, td->addinlen) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin2, td->addinlen) ++ || memcmp(data->retbytes, buff, ++ td->retbyteslen) != 0) ++ failures++; ++ ++err: ++ OPENSSL_free(buff); ++ RAND_DRBG_uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++/*- ++ * Do a single PR_FALSE KAT: ++ * ++ * Instantiate ++ * Reseed ++ * Generate Random Bits (pr=false) ++ * Generate Random Bits (pr=false) ++ * Uninstantiate ++ * ++ * Return 0 on failure. ++ */ ++static int single_kat_pr_false(const struct drbg_kat *td) ++{ ++ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned char *buff = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.entropy = data->entropyin; ++ t.entropylen = td->entropyinlen; ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ buff = OPENSSL_malloc(td->retbyteslen); ++ if (buff == NULL) { ++ failures++; ++ goto err; ++ } ++ ++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) ++ failures++; ++ ++ t.entropy = data->entropyinreseed; ++ t.entropylen = td->entropyinlen; ++ ++ if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin1, td->addinlen) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin2, td->addinlen) ++ || memcmp(data->retbytes, buff, ++ td->retbyteslen) != 0) ++ failures++; ++ ++err: ++ OPENSSL_free(buff); ++ RAND_DRBG_uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++/*- ++ * Do a single PR_TRUE KAT: ++ * ++ * Instantiate ++ * Generate Random Bits (pr=true) ++ * Generate Random Bits (pr=true) ++ * Uninstantiate ++ * ++ * Return 0 on failure. ++ */ ++static int single_kat_pr_true(const struct drbg_kat *td) ++{ ++ struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned char *buff = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ t.entropy = data->entropyin; ++ t.entropylen = td->entropyinlen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ buff = OPENSSL_malloc(td->retbyteslen); ++ if (buff == NULL) { ++ failures++; ++ goto err; ++ } ++ ++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) ++ failures++; ++ ++ t.entropy = data->entropyinpr1; ++ t.entropylen = td->entropyinlen; ++ ++ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1, ++ data->addin1, td->addinlen)) ++ failures++; ++ ++ t.entropy = data->entropyinpr2; ++ t.entropylen = td->entropyinlen; ++ ++ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1, ++ data->addin2, td->addinlen) ++ || memcmp(data->retbytes, buff, ++ td->retbyteslen) != 0) ++ failures++; ++ ++err: ++ OPENSSL_free(buff); ++ RAND_DRBG_uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++static int test_kats(int i) ++{ ++ const struct drbg_kat *td = drbg_test[i]; ++ int rv = 0; ++ ++ switch (td->type) { ++ case NO_RESEED: ++ if (!single_kat_no_reseed(td)) ++ goto err; ++ break; ++ case PR_FALSE: ++ if (!single_kat_pr_false(td)) ++ goto err; ++ break; ++ case PR_TRUE: ++ if (!single_kat_pr_true(td)) ++ goto err; ++ break; ++ default: /* cant happen */ ++ goto err; ++ } ++ rv = 1; ++err: ++ return rv; ++} ++ ++/*- ++ * Do one expected-error test: ++ * ++ * Instantiate with no entropy supplied ++ * ++ * Return 0 on failure. ++ */ ++static int test_drbg_sanity(const struct drbg_kat *td) ++{ ++ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.entropy = data->entropyin; ++ t.entropylen = 0; /* No entropy */ ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ ERR_set_mark(); ++ /* This must fail. */ ++ if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) ++ failures++; ++ RAND_DRBG_uninstantiate(drbg); ++ ERR_pop_to_mark(); ++ ++err: ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++ ++int FIPS_selftest_drbg_new(void) ++{ ++ int i; ++ ++ if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init)) ++ return 0; ++ ++ for (i = 0; i < drbg_test_nelem; i++) { ++ if (test_kats(i) <= 0) ++ return 0; ++ } ++ ++ if (test_drbg_sanity(&kat1465) <= 0) ++ return 0; ++ ++ return 1; ++} +--- a/include/crypto/rand.h ++++ b/include/crypto/rand.h +@@ -150,4 +150,9 @@ void rand_pool_cleanup(void); + */ + void rand_pool_keep_random_devices_open(int keep); + ++/* ++ * Perform the DRBG KAT selftests ++ */ ++int FIPS_selftest_drbg_new(void); ++ + #endif diff --git a/openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch b/openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch new file mode 100644 index 0000000..27fb624 --- /dev/null +++ b/openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch @@ -0,0 +1,104 @@ +--- + crypto/asn1/ameth_lib.c | 18 ++++++++++++++++++ + crypto/asn1/standard_methods.h | 29 +++++++++++++++++++++++++++++ + crypto/evp/c_alld.c | 6 +++++- + 3 files changed, 52 insertions(+), 1 deletion(-) + +--- a/crypto/asn1/ameth_lib.c ++++ b/crypto/asn1/ameth_lib.c +@@ -35,7 +35,11 @@ IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_P + + int EVP_PKEY_asn1_get_count(void) + { ++#ifdef OPENSSL_FIPS ++ int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods); ++#else + int num = OSSL_NELEM(standard_methods); ++#endif + if (app_methods) + num += sk_EVP_PKEY_ASN1_METHOD_num(app_methods); + return num; +@@ -43,11 +47,19 @@ int EVP_PKEY_asn1_get_count(void) + + const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx) + { ++#ifdef OPENSSL_FIPS ++ int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods); ++#else + int num = OSSL_NELEM(standard_methods); ++#endif + if (idx < 0) + return NULL; + if (idx < num) ++#ifdef OPENSSL_FIPS ++ return FIPS_mode() ? standard_fips_methods[idx] : standard_methods[idx]; ++#else + return standard_methods[idx]; ++#endif + idx -= num; + return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx); + } +@@ -63,7 +75,13 @@ static const EVP_PKEY_ASN1_METHOD *pkey_ + if (idx >= 0) + return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx); + } ++#ifdef OPENSSL_FIPS ++ ret = FIPS_mode() ? \ ++ OBJ_bsearch_ameth(&t, standard_fips_methods, OSSL_NELEM(standard_fips_methods)) : \ ++ OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods)); ++#else + ret = OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods)); ++#endif + if (!ret || !*ret) + return NULL; + return *ret; +--- a/crypto/asn1/standard_methods.h ++++ b/crypto/asn1/standard_methods.h +@@ -59,3 +59,32 @@ static const EVP_PKEY_ASN1_METHOD *stand + #endif + }; + ++static const EVP_PKEY_ASN1_METHOD *standard_fips_methods[] = { ++#ifndef OPENSSL_NO_RSA ++ &rsa_asn1_meths[0], ++ &rsa_asn1_meths[1], ++#endif ++#ifndef OPENSSL_NO_DH ++ &dh_asn1_meth, ++#endif ++#ifndef OPENSSL_NO_DSA ++ &dsa_asn1_meths[0], ++ &dsa_asn1_meths[1], ++ &dsa_asn1_meths[2], ++ &dsa_asn1_meths[3], ++ &dsa_asn1_meths[4], ++#endif ++#ifndef OPENSSL_NO_EC ++ &eckey_asn1_meth, ++#endif ++ &hmac_asn1_meth, ++#ifndef OPENSSL_NO_CMAC ++ &cmac_asn1_meth, ++#endif ++#ifndef OPENSSL_NO_RSA ++ &rsa_pss_asn1_meth, ++#endif ++#ifndef OPENSSL_NO_DH ++ &dhx_asn1_meth, ++#endif ++}; +--- a/crypto/evp/c_alld.c ++++ b/crypto/evp/c_alld.c +@@ -17,7 +17,11 @@ + void openssl_add_all_digests_int(void) + { + #ifdef OPENSSL_FIPS +- if (!FIPS_mode()) { ++ /* ++ * This function is called from FIPS_selftest_ecdsa() before FIPS mode is ++ * turned on. That is the reason why we need to also check fips_in_post(). ++ */ ++ if (!FIPS_mode() && !fips_in_post()) { + #endif + #ifndef OPENSSL_NO_MD4 + EVP_add_digest(EVP_md4()); diff --git a/openssl-1_1-jitterentropy-3.4.0.patch b/openssl-1_1-jitterentropy-3.4.0.patch new file mode 100644 index 0000000..b4b9d6e --- /dev/null +++ b/openssl-1_1-jitterentropy-3.4.0.patch @@ -0,0 +1,203 @@ +--- + Configurations/00-base-templates.conf | 2 - + crypto/fips/build.info | 3 +- + crypto/fips/fips.c | 8 +++++++ + crypto/fips/fips_entropy.c | 38 ++++++++++++++++++++++++++++++++++ + crypto/fips/fips_err.h | 1 + crypto/init.c | 4 +++ + crypto/rand/rand_unix.c | 30 +++++++++++++++++++++++++- + include/crypto/fips_int.h | 2 + + include/openssl/fips.h | 4 +++ + util/libcrypto.num | 2 + + 10 files changed, 91 insertions(+), 3 deletions(-) + +--- a/Configurations/00-base-templates.conf ++++ b/Configurations/00-base-templates.conf +@@ -96,7 +96,7 @@ my %targets=( + ex_libs => + sub { !defined($disabled{zlib}) + && defined($disabled{"zlib-dynamic"}) +- ? "-lz" : () }, ++ ? "-lz -ljitterentropy" : "-ljitterentropy" }, + HASHBANGPERL => "/usr/bin/env perl", # Only Unix actually cares + RANLIB => sub { which("$config{cross_compile_prefix}ranlib") + ? "ranlib" : "" }, +--- a/crypto/fips/build.info ++++ b/crypto/fips/build.info +@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\ + fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ +- fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c fips_sli.c ++ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c fips_sli.c \ ++ fips_entropy.c + + PROGRAMS=\ + fips_standalone_hmac +--- a/crypto/fips/fips.c ++++ b/crypto/fips/fips.c +@@ -461,6 +461,14 @@ int FIPS_module_mode_set(int onoff) + + fips_post = 1; + ++ if (!FIPS_entropy_init()) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_ENTROPY_INIT_FAILED); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ + /* Run the KATs before the HMAC verification for FIPS 140-3 compliance */ + if (!FIPS_selftest()) { + fips_selftest_fail = 1; +--- /dev/null ++++ b/crypto/fips/fips_entropy.c +@@ -0,0 +1,38 @@ ++#include ++ ++#include "crypto/fips_int.h" ++#include "jitterentropy.h" ++ ++static struct rand_data* ec = NULL; ++ ++struct rand_data* FIPS_entropy_init(void) ++{ ++ if (ec != NULL) ++ /* Entropy source has been initiated and collector allocated */ ++ return ec; ++ /* If the initialization is successful, the call returns with 0 */ ++ if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0) ++ /* Allocate entropy collector */ ++ ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS); ++ return ec; ++} ++ ++void FIPS_entropy_cleanup(void) ++{ ++ /* Free entropy collector */ ++ if (ec != NULL) { ++ jent_entropy_collector_free(ec); ++ ec = NULL; ++ } ++} ++ ++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen) ++{ ++ ssize_t ent_bytes = -1; ++ ++ if (buf != NULL && buflen != 0 && FIPS_entropy_init()) { ++ /* Get entropy */ ++ ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen); ++ } ++ return ent_bytes; ++} +--- a/crypto/fips/fips_err.h ++++ b/crypto/fips/fips_err.h +@@ -135,6 +135,7 @@ static ERR_STRING_DATA FIPS_str_reasons[ + {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"}, + {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"}, + {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"}, ++ {ERR_REASON(FIPS_R_ENTROPY_INIT_FAILED), "entropy init failed"}, + {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED), + "entropy not requested for reseed"}, + {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"}, +--- a/crypto/init.c ++++ b/crypto/init.c +@@ -27,6 +27,7 @@ + #include "crypto/dso_conf.h" + #include "internal/dso.h" + #include "crypto/store.h" ++#include "openssl/fips.h" + + static int stopped = 0; + +@@ -597,6 +598,9 @@ void OPENSSL_cleanup(void) + rand_cleanup_int(); + rand_drbg_cleanup_int(); + conf_modules_free_int(); ++#ifdef OPENSSL_FIPS ++ FIPS_entropy_cleanup(); ++#endif + #ifndef OPENSSL_NO_ENGINE + engine_cleanup_int(); + #endif +--- a/crypto/rand/rand_unix.c ++++ b/crypto/rand/rand_unix.c +@@ -642,9 +642,37 @@ size_t rand_pool_acquire_entropy(RAND_PO + return rand_pool_entropy_available(pool); + # else + size_t entropy_available; ++ int in_post; ++ ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ /* Use jitter entropy in FIPS mode */ ++ for (in_post = fips_in_post(); in_post >= 0; --in_post) { ++ size_t bytes_needed; ++ unsigned char *buffer; ++ ssize_t bytes; ++ /* Maximum allowed number of consecutive unsuccessful attempts */ ++ int attempts = 3; ++ ++ bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); ++ while (bytes_needed != 0 && attempts-- > 0) { ++ buffer = rand_pool_add_begin(pool, bytes_needed); ++ bytes = FIPS_jitter_entropy(buffer, bytes_needed); ++ if (bytes > 0) { ++ rand_pool_add_end(pool, bytes, 8 * bytes); ++ bytes_needed -= bytes; ++ attempts = 3; /* reset counter after successful attempt */ ++ } else if (bytes < 0) { ++ break; ++ } ++ } ++ } ++ entropy_available = rand_pool_entropy_available(pool); ++ return entropy_available; ++ } ++# endif + + # if defined(OPENSSL_RAND_SEED_GETRANDOM) +- int in_post; + + for (in_post = fips_in_post(); in_post >= 0; --in_post) { + { +--- a/include/crypto/fips_int.h ++++ b/include/crypto/fips_int.h +@@ -101,4 +101,6 @@ void fips_set_selftest_fail(void); + + void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); + ++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen); ++ + #endif +--- a/include/openssl/fips.h ++++ b/include/openssl/fips.h +@@ -74,6 +74,9 @@ extern "C" { + BN_GENCB *cb); + int FIPS_dsa_paramgen_check_g(DSA *dsa); + ++ struct rand_data* FIPS_entropy_init(void); ++ void FIPS_entropy_cleanup(void); ++ + /* BEGIN ERROR CODES */ + /* The following lines are auto generated by the script mkerr.pl. Any changes + * made after this point may be overwritten when the script is next run. +@@ -151,6 +154,7 @@ extern "C" { + # define FIPS_R_DRBG_NOT_INITIALISED 152 + # define FIPS_R_DRBG_STUCK 103 + # define FIPS_R_ENTROPY_ERROR_UNDETECTED 104 ++# define FIPS_R_ENTROPY_INIT_FAILED 161 + # define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105 + # define FIPS_R_ENTROPY_SOURCE_STUCK 142 + # define FIPS_R_ERROR_INITIALISING_DRBG 115 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -4647,3 +4647,5 @@ fips_sli_PKCS5_PBKDF2_HMAC_is_approved + fips_sli_HMAC_is_approved 6608 1_1_1l EXIST::FUNCTION: + fips_sli_RAND_bytes_is_approved 6609 1_1_1l EXIST::FUNCTION: + fips_sli_RAND_priv_bytes_is_approved 6610 1_1_1l EXIST::FUNCTION: ++FIPS_entropy_init 6611 1_1_1l EXIST::FUNCTION: ++FIPS_entropy_cleanup 6612 1_1_1l EXIST::FUNCTION: + diff --git a/openssl-1_1-ossl-sli-000-fix-build-error.patch b/openssl-1_1-ossl-sli-000-fix-build-error.patch new file mode 100644 index 0000000..3714d48 --- /dev/null +++ b/openssl-1_1-ossl-sli-000-fix-build-error.patch @@ -0,0 +1,10 @@ +diff --git a/util/libcrypto.num b/util/libcrypto.num +index e4a490a82..2a778ce92 100644 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -4634,3 +4634,5 @@ EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION: + EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION: + EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION: + EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION: ++EC_GROUP_get0_field 6598 1_1_1l EXIST::FUNCTION:EC ++NONFIPS_selftest_check 6599 1_1_1l EXIST::FUNCTION: diff --git a/openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch b/openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch new file mode 100644 index 0000000..babe1cf --- /dev/null +++ b/openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch @@ -0,0 +1,111 @@ +diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c +index 43c916fc1..fab410b9e 100644 +--- a/crypto/ec/ec_key.c ++++ b/crypto/ec/ec_key.c +@@ -472,16 +472,16 @@ int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) + */ + if (eckey->priv_key != NULL) { + if (BN_cmp(eckey->priv_key, order) >= 0) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_WRONG_ORDER); ++ ECerr(EC_F_EC_KEY_PUBLIC_CHECK, EC_R_WRONG_ORDER); + goto err; + } + if (!EC_POINT_mul(eckey->group, point, eckey->priv_key, + NULL, NULL, ctx)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, ERR_R_EC_LIB); ++ ECerr(EC_F_EC_KEY_PUBLIC_CHECK, ERR_R_EC_LIB); + goto err; + } + if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, ctx) != 0) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY); ++ ECerr(EC_F_EC_KEY_PUBLIC_CHECK, EC_R_INVALID_PRIVATE_KEY); + goto err; + } + } +diff --git a/crypto/ec/ecdh_ossl.c b/crypto/ec/ecdh_ossl.c +index 8794a6781..f38137388 100644 +--- a/crypto/ec/ecdh_ossl.c ++++ b/crypto/ec/ecdh_ossl.c +@@ -28,7 +28,7 @@ int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen, + { + #ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_OSSL_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } + #endif +diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c +index 3445abd02..9e9526241 100644 +--- a/crypto/ec/ecdsa_ossl.c ++++ b/crypto/ec/ecdsa_ossl.c +@@ -204,7 +204,7 @@ ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, + + #ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_ECDSA_SIMPLE_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED); + return NULL; + } + #endif +@@ -373,7 +373,7 @@ int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, + + #ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_ECDSA_SIMPLE_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } + #endif +diff --git a/crypto/fips/fips_sha_selftest.c b/crypto/fips/fips_sha_selftest.c +index 035c2c092..4a6336248 100644 +--- a/crypto/fips/fips_sha_selftest.c ++++ b/crypto/fips/fips_sha_selftest.c +@@ -195,25 +195,25 @@ int FIPS_selftest_sha3(void) + + EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL); + if (memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) { +- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED); + return 0; + } + + EVP_Digest(msg_sha3_512, sizeof(msg_sha3_512), md, NULL, EVP_sha3_512(), NULL); + if (memcmp(dig_sha3_512, md, sizeof(dig_sha3_512))) { +- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED); + return 0; + } + + EVP_Digest(msg_shake_128, sizeof(msg_shake_128), md, NULL, EVP_shake128(), NULL); + if (memcmp(dig_shake_128, md, sizeof(dig_shake_128))) { +- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED); + return 0; + } + + EVP_Digest(msg_shake_256, sizeof(msg_shake_256), md, NULL, EVP_shake256(), NULL); + if (memcmp(dig_shake_256, md, sizeof(dig_shake_256))) { +- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED); + return 0; + } + +diff --git a/include/openssl/fips.h b/include/openssl/fips.h +index e4208cbfa..7af006e7b 100644 +--- a/include/openssl/fips.h ++++ b/include/openssl/fips.h +@@ -130,8 +130,13 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_HKDF 155 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 ++# define FIPS_F_FIPS_SELFTEST_SHA3 156 ++# define FIPS_F_ECDSA_SIMPLE_VERIFY_SIG 157 ++# define FIPS_F_ECDSA_SIMPLE_SIGN_SIG 158 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 + # define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148 ++# define FIPS_F_OSSL_ECDSA_SIMPLE_VERIFY_SIG 159 ++# define FIPS_F_OSSL_ECDH_COMPUTE_KEY 160 + # define FIPS_F_RSA_BUILTIN_KEYGEN 116 + # define FIPS_F_RSA_OSSL_INIT 149 + # define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 117 diff --git a/openssl-1_1-ossl-sli-002-ran-make-update.patch b/openssl-1_1-ossl-sli-002-ran-make-update.patch new file mode 100644 index 0000000..ccb5bba --- /dev/null +++ b/openssl-1_1-ossl-sli-002-ran-make-update.patch @@ -0,0 +1,946 @@ +--- + apps/openssl-vms.cnf | 18 ++++ + crypto/dh/dh_err.c | 8 - + crypto/dsa/dsa_err.c | 8 + + crypto/ec/ec_err.c | 29 ++++++- + crypto/err/openssl.txt | 40 +++++++++ + crypto/evp/evp_err.c | 6 - + crypto/fips/fips_ers.c | 189 +++++++++++++++++++++++++++++++++++++++++++++-- + crypto/rsa/rsa_err.c | 23 +++-- + include/openssl/dherr.h | 15 +-- + include/openssl/dsaerr.h | 18 +--- + include/openssl/ecerr.h | 7 - + include/openssl/evperr.h | 19 ++-- + include/openssl/rsaerr.h | 32 +++---- + 13 files changed, 333 insertions(+), 79 deletions(-) + +--- a/apps/openssl-vms.cnf ++++ b/apps/openssl-vms.cnf +@@ -11,6 +11,24 @@ + # defined. + HOME = . + ++openssl_conf = openssl_init ++ ++[ openssl_init ] ++ ++engines = engine_section ++ ++[ engine_section ] ++ ++# This include will look through the directory that will contain the ++# engine declarations for any engines provided by other packages. ++.include /etc/ssl/engines.d ++ ++# This include will look through the directory that will contain the ++# definitions of the engines declared in the engine section. ++.include /etc/ssl/engdef.d ++ ++[ oid_section ] ++ + # Extra OBJECT IDENTIFIER info: + #oid_file = $ENV::HOME/.oid + oid_section = new_oids +--- a/crypto/dh/dh_err.c ++++ b/crypto/dh/dh_err.c +@@ -26,8 +26,8 @@ static const ERR_STRING_DATA DH_str_func + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0), + "dh_cms_set_shared_info"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_COMPUTE_KEY, 0), "DH_compute_key"}, +- {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_KEY, 0), "DH_generate_key"}, +- {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), "DH_generate_parameters_ex"}, ++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), ++ "DH_generate_parameters_ex"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"}, +@@ -78,11 +78,11 @@ static const ERR_STRING_DATA DH_str_reas + {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEY_SIZE_TOO_SMALL), "key size too small"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"}, ++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non fips method"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR), + "not suitable generator"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"}, +- {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non FIPS method"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, +--- a/crypto/dsa/dsa_err.c ++++ b/crypto/dsa/dsa_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -24,7 +24,8 @@ static const ERR_STRING_DATA DSA_str_fun + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_KEY, 0), "DSA_generate_key"}, +- {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), "DSA_generate_parameters_ex"}, ++ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), ++ "DSA_generate_parameters_ex"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"}, +@@ -60,8 +61,9 @@ static const ERR_STRING_DATA DSA_str_rea + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY), + "missing private key"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, ++ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), ++ "non fips dsa method"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"}, +- {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, +--- a/crypto/ec/ec_err.c ++++ b/crypto/ec/ec_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -27,9 +27,19 @@ static const ERR_STRING_DATA EC_str_func + "ecdh_simple_compute_key"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_DO_SIGN_EX, 0), "ECDSA_do_sign_ex"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_DO_VERIFY, 0), "ECDSA_do_verify"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_SIGN_SIG, 0), ++ "ecdsa_s390x_nistp_sign_sig"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, 0), ++ "ecdsa_s390x_nistp_verify_sig"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_EX, 0), "ECDSA_sign_ex"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_SETUP, 0), "ECDSA_sign_setup"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIG_NEW, 0), "ECDSA_SIG_new"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SETUP, 0), ++ "ecdsa_simple_sign_setup"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SIG, 0), ++ "ecdsa_simple_sign_sig"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_VERIFY_SIG, 0), ++ "ecdsa_simple_verify_sig"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_VERIFY, 0), "ECDSA_verify"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECD_ITEM_VERIFY, 0), "ecd_item_verify"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECKEY_PARAM2TYPE, 0), "eckey_param2type"}, +@@ -193,6 +203,7 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PRINT_FP, 0), "EC_KEY_print_fp"}, + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PRIV2BUF, 0), "EC_KEY_priv2buf"}, + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PRIV2OCT, 0), "EC_KEY_priv2oct"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PUBLIC_CHECK, 0), "ec_key_public_check"}, + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, 0), + "EC_KEY_set_public_key_affine_coordinates"}, + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_SIMPLE_CHECK_KEY, 0), +@@ -266,6 +277,8 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_OLD_EC_PRIV_DECODE, 0), "old_ec_priv_decode"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDH_COMPUTE_KEY, 0), + "ossl_ecdh_compute_key"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SETUP, 0), ++ "ossl_ecdsa_sign_setup"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SIG, 0), "ossl_ecdsa_sign_sig"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_VERIFY_SIG, 0), + "ossl_ecdsa_verify_sig"}, +@@ -284,6 +297,18 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_KEYGEN, 0), "pkey_ec_keygen"}, + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_PARAMGEN, 0), "pkey_ec_paramgen"}, + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_SIGN, 0), "pkey_ec_sign"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, 0), ++ "s390x_pkey_ecd_digestsign25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN448, 0), ++ "s390x_pkey_ecd_digestsign448"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN25519, 0), ++ "s390x_pkey_ecd_keygen25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN448, 0), ++ "s390x_pkey_ecd_keygen448"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN25519, 0), ++ "s390x_pkey_ecx_keygen25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN448, 0), ++ "s390x_pkey_ecx_keygen448"}, + {ERR_PACK(ERR_LIB_EC, EC_F_VALIDATE_ECX_DERIVE, 0), "validate_ecx_derive"}, + {0, NULL} + }; +@@ -298,6 +323,8 @@ static const ERR_STRING_DATA EC_str_reas + "coordinates out of range"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH), + "curve does not support ecdh"}, ++ {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA), ++ "curve does not support ecdsa"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING), + "curve does not support signing"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE), +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -408,6 +408,8 @@ DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pu + DH_F_DH_CMS_DECRYPT:114:dh_cms_decrypt + DH_F_DH_CMS_SET_PEERKEY:115:dh_cms_set_peerkey + DH_F_DH_CMS_SET_SHARED_INFO:116:dh_cms_set_shared_info ++DH_F_DH_COMPUTE_KEY:126:DH_compute_key ++DH_F_DH_GENERATE_PARAMETERS_EX:127:DH_generate_parameters_ex + DH_F_DH_METH_DUP:117:DH_meth_dup + DH_F_DH_METH_NEW:118:DH_meth_new + DH_F_DH_METH_SET1_NAME:119:DH_meth_set1_name +@@ -427,10 +429,13 @@ DH_F_PKEY_DH_INIT:125:pkey_dh_init + DH_F_PKEY_DH_KEYGEN:113:pkey_dh_keygen + DSA_F_DSAPARAMS_PRINT:100:DSAparams_print + DSA_F_DSAPARAMS_PRINT_FP:101:DSAparams_print_fp ++DSA_F_DSA_BUILTIN_KEYGEN:108:dsa_builtin_keygen + DSA_F_DSA_BUILTIN_PARAMGEN:125:dsa_builtin_paramgen + DSA_F_DSA_BUILTIN_PARAMGEN2:126:dsa_builtin_paramgen2 + DSA_F_DSA_DO_SIGN:112:DSA_do_sign + DSA_F_DSA_DO_VERIFY:113:DSA_do_verify ++DSA_F_DSA_GENERATE_KEY:109:DSA_generate_key ++DSA_F_DSA_GENERATE_PARAMETERS_EX:110:DSA_generate_parameters_ex + DSA_F_DSA_METH_DUP:127:DSA_meth_dup + DSA_F_DSA_METH_NEW:128:DSA_meth_new + DSA_F_DSA_METH_SET1_NAME:129:DSA_meth_set1_name +@@ -494,15 +499,15 @@ EC_F_ECDH_COMPUTE_KEY:246:ECDH_compute_k + EC_F_ECDH_SIMPLE_COMPUTE_KEY:257:ecdh_simple_compute_key + EC_F_ECDSA_DO_SIGN_EX:251:ECDSA_do_sign_ex + EC_F_ECDSA_DO_VERIFY:252:ECDSA_do_verify ++EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig ++EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig + EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex + EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup + EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new +-EC_F_ECDSA_VERIFY:253:ECDSA_verify + EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup + EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig + EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig +-EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig +-EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig ++EC_F_ECDSA_VERIFY:253:ECDSA_verify + EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify + EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type + EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode +@@ -610,6 +615,7 @@ EC_F_EC_KEY_PRINT:180:EC_KEY_print + EC_F_EC_KEY_PRINT_FP:181:EC_KEY_print_fp + EC_F_EC_KEY_PRIV2BUF:279:EC_KEY_priv2buf + EC_F_EC_KEY_PRIV2OCT:256:EC_KEY_priv2oct ++EC_F_EC_KEY_PUBLIC_CHECK:299:ec_key_public_check + EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES:229:\ + EC_KEY_set_public_key_affine_coordinates + EC_F_EC_KEY_SIMPLE_CHECK_KEY:258:ec_key_simple_check_key +@@ -735,6 +741,7 @@ EVP_F_AES_OCB_CIPHER:169:aes_ocb_cipher + EVP_F_AES_T4_INIT_KEY:178:aes_t4_init_key + EVP_F_AES_T4_XTS_INIT_KEY:208:aes_t4_xts_init_key + EVP_F_AES_WRAP_CIPHER:170:aes_wrap_cipher ++EVP_F_AES_XTS_CIPHER:210:aes_xts_cipher + EVP_F_AES_XTS_INIT_KEY:209:aes_xts_init_key + EVP_F_ALG_MODULE_INIT:177:alg_module_init + EVP_F_ARIA_CCM_INIT_KEY:175:aria_ccm_init_key +@@ -844,6 +851,8 @@ FIPS_F_EVP_CIPHER_CTX_NEW:137:EVP_CIPHER + FIPS_F_EVP_CIPHER_CTX_RESET:122:EVP_CIPHER_CTX_reset + FIPS_F_EVP_CIPHERINIT_EX:124:EVP_CipherInit_ex + FIPS_F_EVP_DIGESTINIT_EX:125:EVP_DigestInit_ex ++FIPS_F_ECDSA_SIMPLE_SIGN_SIG:104:ecdsa_simple_sign_sig ++FIPS_F_ECDSA_SIMPLE_VERIFY_SIG:105:ecdsa_simple_verify_sig + FIPS_F_FIPS_CHECK_DSA:104:fips_check_dsa + FIPS_F_FIPS_CHECK_EC:142:fips_check_ec + FIPS_F_FIPS_CHECK_RSA:106:fips_check_rsa +@@ -874,9 +883,15 @@ FIPS_F_FIPS_SELFTEST_CMAC:130:FIPS_selft + FIPS_F_FIPS_SELFTEST_DES:111:FIPS_selftest_des + FIPS_F_FIPS_SELFTEST_DSA:112:FIPS_selftest_dsa + FIPS_F_FIPS_SELFTEST_ECDSA:133:FIPS_selftest_ecdsa ++FIPS_F_FIPS_SELFTEST_HKDF:136:FIPS_selftest_hkdf + FIPS_F_FIPS_SELFTEST_HMAC:113:FIPS_selftest_hmac ++FIPS_F_FIPS_SELFTEST_PBKDF2:138:FIPS_selftest_pbkdf2 + FIPS_F_FIPS_SELFTEST_SHA1:115:FIPS_selftest_sha1 + FIPS_F_FIPS_SELFTEST_SHA2:105:FIPS_selftest_sha2 ++FIPS_F_FIPS_SELFTEST_SHA3:141:FIPS_selftest_sha3 ++FIPS_F_FIPS_SELFTEST_SSH:142:FIPS_selftest_ssh ++FIPS_F_FIPS_SELFTEST_TLS:143:FIPS_selftest_tls ++FIPS_F_OSSL_ECDH_COMPUTE_KEY:144:ossl_ecdh_compute_key + FIPS_F_OSSL_ECDSA_SIGN_SIG:143:ossl_ecdsa_sign_sig + FIPS_F_OSSL_ECDSA_VERIFY_SIG:148:ossl_ecdsa_verify_sig + FIPS_F_RSA_BUILTIN_KEYGEN:116:rsa_builtin_keygen +@@ -1126,6 +1141,7 @@ RAND_F_RAND_PSEUDO_BYTES:126:RAND_pseudo + RAND_F_RAND_WRITE_FILE:112:RAND_write_file + RSA_F_CHECK_PADDING_MD:140:check_padding_md + RSA_F_ENCODE_PKCS1:146:encode_pkcs1 ++RSA_F_FIPS_RSA_BUILTIN_KEYGEN:168:fips_rsa_builtin_keygen + RSA_F_INT_RSA_VERIFY:145:int_rsa_verify + RSA_F_OLD_RSA_PRIV_DECODE:147:old_rsa_priv_decode + RSA_F_PKEY_PSS_INIT:165:pkey_pss_init +@@ -1140,6 +1156,8 @@ RSA_F_RSA_CHECK_KEY:123:RSA_check_key + RSA_F_RSA_CHECK_KEY_EX:160:RSA_check_key_ex + RSA_F_RSA_CMS_DECRYPT:159:rsa_cms_decrypt + RSA_F_RSA_CMS_VERIFY:158:rsa_cms_verify ++RSA_F_RSA_GENERATE_KEY_EX:169:RSA_generate_key_ex ++RSA_F_RSA_GENERATE_MULTI_PRIME_KEY:170:RSA_generate_multi_prime_key + RSA_F_RSA_ITEM_VERIFY:148:rsa_item_verify + RSA_F_RSA_METH_DUP:161:RSA_meth_dup + RSA_F_RSA_METH_NEW:162:RSA_meth_new +@@ -1175,12 +1193,18 @@ RSA_F_RSA_PADDING_CHECK_X931:128:RSA_pad + RSA_F_RSA_PARAM_DECODE:164:rsa_param_decode + RSA_F_RSA_PRINT:115:RSA_print + RSA_F_RSA_PRINT_FP:116:RSA_print_fp ++RSA_F_RSA_PRIVATE_DECRYPT:171:RSA_private_decrypt ++RSA_F_RSA_PRIVATE_ENCRYPT:172:RSA_private_encrypt + RSA_F_RSA_PRIV_DECODE:150:rsa_priv_decode + RSA_F_RSA_PRIV_ENCODE:138:rsa_priv_encode + RSA_F_RSA_PSS_GET_PARAM:151:rsa_pss_get_param + RSA_F_RSA_PSS_TO_CTX:155:rsa_pss_to_ctx ++RSA_F_RSA_PUBLIC_DECRYPT:173:RSA_public_decrypt ++RSA_F_RSA_PUBLIC_ENCRYPT:174:RSA_public_encrypt + RSA_F_RSA_PUB_DECODE:139:rsa_pub_decode + RSA_F_RSA_SETUP_BLINDING:136:RSA_setup_blinding ++RSA_F_RSA_SET_DEFAULT_METHOD:175:RSA_set_default_method ++RSA_F_RSA_SET_METHOD:176:RSA_set_method + RSA_F_RSA_SIGN:117:RSA_sign + RSA_F_RSA_SIGN_ASN1_OCTET_STRING:118:RSA_sign_ASN1_OCTET_STRING + RSA_F_RSA_VERIFY:119:RSA_verify +@@ -2189,8 +2213,10 @@ DH_R_INVALID_PARAMETER_NID:114:invalid p + DH_R_INVALID_PUBKEY:102:invalid public key + DH_R_KDF_PARAMETER_ERROR:112:kdf parameter error + DH_R_KEYS_NOT_SET:108:keys not set ++DH_R_KEY_SIZE_TOO_SMALL:126:key size too small + DH_R_MISSING_PUBKEY:125:missing pubkey + DH_R_MODULUS_TOO_LARGE:103:modulus too large ++DH_R_NON_FIPS_METHOD:127:non fips method + DH_R_NOT_SUITABLE_GENERATOR:120:not suitable generator + DH_R_NO_PARAMETERS_SET:107:no parameters set + DH_R_NO_PRIVATE_VALUE:100:no private value +@@ -2204,9 +2230,12 @@ DSA_R_BN_ERROR:109:bn error + DSA_R_DECODE_ERROR:104:decode error + DSA_R_INVALID_DIGEST_TYPE:106:invalid digest type + DSA_R_INVALID_PARAMETERS:112:invalid parameters ++DSA_R_KEY_SIZE_INVALID:114:key size invalid ++DSA_R_KEY_SIZE_TOO_SMALL:115:key size too small + DSA_R_MISSING_PARAMETERS:101:missing parameters + DSA_R_MISSING_PRIVATE_KEY:111:missing private key + DSA_R_MODULUS_TOO_LARGE:103:modulus too large ++DSA_R_NON_FIPS_DSA_METHOD:116:non fips dsa method + DSA_R_NO_PARAMETERS_SET:107:no parameters set + DSA_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error + DSA_R_Q_NOT_PRIME:113:q not prime +@@ -2344,6 +2373,7 @@ EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH: + EVP_R_DECODE_ERROR:114:decode error + EVP_R_DIFFERENT_KEY_TYPES:101:different key types + EVP_R_DIFFERENT_PARAMETERS:153:different parameters ++EVP_R_DISABLED_FOR_FIPS:185:disabled for fips + EVP_R_ERROR_LOADING_SECTION:165:error loading section + EVP_R_ERROR_SETTING_FIPS_MODE:166:error setting fips mode + EVP_R_EXPECTING_AN_HMAC_KEY:174:expecting an hmac key +@@ -2389,6 +2419,7 @@ EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREA + EVP_R_PRIVATE_KEY_DECODE_ERROR:145:private key decode error + EVP_R_PRIVATE_KEY_ENCODE_ERROR:146:private key encode error + EVP_R_PUBLIC_KEY_NOT_RSA:106:public key not rsa ++EVP_R_TOO_LARGE:186:too large + EVP_R_UNKNOWN_CIPHER:160:unknown cipher + EVP_R_UNKNOWN_DIGEST:161:unknown digest + EVP_R_UNKNOWN_OPTION:169:unknown option +@@ -2711,11 +2742,13 @@ RSA_R_MODULUS_TOO_LARGE:105:modulus too + RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R:168:mp coefficient not inverse of r + RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D:169:mp exponent not congruent to d + RSA_R_MP_R_NOT_PRIME:170:mp r not prime ++RSA_R_NON_FIPS_RSA_METHOD:171:non fips rsa method + RSA_R_NO_PUBLIC_EXPONENT:140:no public exponent + RSA_R_NULL_BEFORE_BLOCK_MISSING:113:null before block missing + RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES:172:n does not equal product of primes + RSA_R_N_DOES_NOT_EQUAL_P_Q:127:n does not equal p q + RSA_R_OAEP_DECODING_ERROR:121:oaep decoding error ++RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE:173:operation not allowed in fips mode + RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:148:\ + operation not supported for this keytype + RSA_R_PADDING_CHECK_FAILED:114:padding check failed +@@ -2737,6 +2770,7 @@ RSA_R_UNSUPPORTED_ENCRYPTION_TYPE:162:un + RSA_R_UNSUPPORTED_LABEL_SOURCE:163:unsupported label source + RSA_R_UNSUPPORTED_MASK_ALGORITHM:153:unsupported mask algorithm + RSA_R_UNSUPPORTED_MASK_PARAMETER:154:unsupported mask parameter ++RSA_R_UNSUPPORTED_PARAMETERS:174:unsupported parameters + RSA_R_UNSUPPORTED_SIGNATURE_TYPE:155:unsupported signature type + RSA_R_VALUE_MISSING:147:value missing + RSA_R_WRONG_SIGNATURE_LENGTH:119:wrong signature length +--- a/crypto/evp/evp_err.c ++++ b/crypto/evp/evp_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -192,7 +192,7 @@ static const ERR_STRING_DATA EVP_str_rea + "different key types"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS), + "different parameters"}, +- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"}, ++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for fips"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION), + "error loading section"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE), +@@ -286,8 +286,6 @@ static const ERR_STRING_DATA EVP_str_rea + "wrap mode not allowed"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH), + "wrong final block length"}, +- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE), +- "xts data unit is too large"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), + "xts duplicated keys"}, + {0, NULL} +--- a/crypto/fips/fips_ers.c ++++ b/crypto/fips/fips_ers.c +@@ -1,7 +1,186 @@ +-#include ++/* ++ * Generated by util/mkerr.pl DO NOT EDIT ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ + +-#ifdef OPENSSL_FIPS +-# include "fips_err.h" +-#else +-static void *dummy = &dummy; ++#include ++#include "crypto/fipserr.h" ++ ++#ifndef OPENSSL_NO_ERR ++ ++static const ERR_STRING_DATA FIPS_str_functs[] = { ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DRBG_RESEED, 0), "drbg_reseed"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DSA_BUILTIN_PARAMGEN2, 0), ++ "dsa_builtin_paramgen2"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DSA_DO_SIGN, 0), "DSA_do_sign"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DSA_DO_VERIFY, 0), "DSA_do_verify"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_ECDSA_SIMPLE_SIGN_SIG, 0), ++ "ecdsa_simple_sign_sig"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_ECDSA_SIMPLE_VERIFY_SIG, 0), ++ "ecdsa_simple_verify_sig"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_CIPHERINIT_EX, 0), "EVP_CipherInit_ex"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_CIPHER_CTX_NEW, 0), ++ "EVP_CIPHER_CTX_new"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_CIPHER_CTX_RESET, 0), ++ "EVP_CIPHER_CTX_reset"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_DIGESTINIT_EX, 0), "EVP_DigestInit_ex"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_CHECK_DSA, 0), "fips_check_dsa"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_CHECK_EC, 0), "fips_check_ec"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_CHECK_RSA, 0), "fips_check_rsa"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_BYTES, 0), "fips_drbg_bytes"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_CHECK, 0), "fips_drbg_check"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_ERROR_CHECK, 0), ++ "fips_drbg_error_check"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_GENERATE, 0), ++ "FIPS_drbg_generate"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_INIT, 0), "FIPS_drbg_init"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_INSTANTIATE, 0), ++ "FIPS_drbg_instantiate"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_NEW, 0), "FIPS_drbg_new"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_SINGLE_KAT, 0), ++ "fips_drbg_single_kat"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_GET_ENTROPY, 0), "fips_get_entropy"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_MODULE_MODE_SET, 0), ++ "FIPS_module_mode_set"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_PKEY_SIGNATURE_TEST, 0), ++ "fips_pkey_signature_test"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_BYTES, 0), "FIPS_rand_bytes"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_SEED, 0), "FIPS_rand_seed"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_SET_METHOD, 0), ++ "FIPS_rand_set_method"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_STATUS, 0), "FIPS_rand_status"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, 0), ++ "fips_rsa_builtin_keygen"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES, 0), "FIPS_selftest_aes"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES_CCM, 0), ++ "FIPS_selftest_aes_ccm"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES_GCM, 0), ++ "FIPS_selftest_aes_gcm"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES_XTS, 0), ++ "FIPS_selftest_aes_xts"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_CMAC, 0), ++ "FIPS_selftest_cmac"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_DES, 0), "FIPS_selftest_des"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_ECDSA, 0), ++ "FIPS_selftest_ecdsa"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_HKDF, 0), ++ "FIPS_selftest_hkdf"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_HMAC, 0), ++ "FIPS_selftest_hmac"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_PBKDF2, 0), ++ "FIPS_selftest_pbkdf2"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SHA1, 0), ++ "FIPS_selftest_sha1"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SHA2, 0), ++ "FIPS_selftest_sha2"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SHA3, 0), ++ "FIPS_selftest_sha3"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SSH, 0), "FIPS_selftest_ssh"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_TLS, 0), "FIPS_selftest_tls"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_OSSL_ECDH_COMPUTE_KEY, 0), ++ "ossl_ecdh_compute_key"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PRIVATE_DECRYPT, 0), ++ "rsa_ossl_private_decrypt"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT, 0), ++ "rsa_ossl_private_encrypt"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PUBLIC_DECRYPT, 0), ++ "rsa_ossl_public_decrypt"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT, 0), ++ "rsa_ossl_public_encrypt"}, ++ {0, NULL} ++}; ++ ++static const ERR_STRING_DATA FIPS_str_reasons[] = { ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED), ++ "additional input error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ADDITIONAL_INPUT_TOO_LONG), ++ "additional input too long"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ALREADY_INSTANTIATED), ++ "already instantiated"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_DRBG_NOT_INITIALISED), ++ "drbg not initialised"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ENTROPY_ERROR_UNDETECTED), ++ "entropy error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED), ++ "entropy not requested for reseed"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ENTROPY_SOURCE_STUCK), ++ "entropy source stuck"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_INITIALISING_DRBG), ++ "error initialising drbg"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_INSTANTIATING_DRBG), ++ "error instantiating drbg"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT), ++ "error retrieving additional input"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_RETRIEVING_ENTROPY), ++ "error retrieving entropy"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_RETRIEVING_NONCE), ++ "error retrieving nonce"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FINGERPRINT_DOES_NOT_MATCH), ++ "fingerprint does not match"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FIPS_MODE_ALREADY_SET), ++ "fips mode already set"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FIPS_SELFTEST_FAILED), ++ "fips selftest failed"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FUNCTION_ERROR), "function error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_GENERATE_ERROR), "generate error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_GENERATE_ERROR_UNDETECTED), ++ "generate error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_INSTANTIATE_ERROR), "instantiate error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_INVALID_KEY_LENGTH), ++ "invalid key length"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_IN_ERROR_STATE), "in error state"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_KEY_TOO_SHORT), "key too short"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NONCE_ERROR_UNDETECTED), ++ "nonce error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NON_FIPS_METHOD), "non fips method"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NOPR_TEST1_FAILURE), ++ "nopr test1 failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NOPR_TEST2_FAILURE), ++ "nopr test2 failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NOT_INSTANTIATED), "not instantiated"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PAIRWISE_TEST_FAILED), ++ "pairwise test failed"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PERSONALISATION_ERROR_UNDETECTED), ++ "personalisation error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PERSONALISATION_STRING_TOO_LONG), ++ "personalisation string too long"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED), ++ "request length error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG), ++ "request too large for drbg"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_RESEED_COUNTER_ERROR), ++ "reseed counter error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_RESEED_ERROR), "reseed error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_SELFTEST_FAILED), "selftest failed"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_SELFTEST_FAILURE), "selftest failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_TEST_FAILURE), "test failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNINSTANTIATE_ERROR), ++ "uninstantiate error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNINSTANTIATE_ZEROISE_ERROR), ++ "uninstantiate zeroise error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNSUPPORTED_DRBG_TYPE), ++ "unsupported drbg type"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNSUPPORTED_PLATFORM), ++ "unsupported platform"}, ++ {0, NULL} ++}; ++ ++#endif ++ ++int ERR_load_FIPS_strings(void) ++{ ++#ifndef OPENSSL_NO_ERR ++ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) { ++ ERR_load_strings_const(FIPS_str_functs); ++ ERR_load_strings_const(FIPS_str_reasons); ++ } + #endif ++ return 1; ++} +--- a/crypto/rsa/rsa_err.c ++++ b/crypto/rsa/rsa_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -34,7 +34,8 @@ static const ERR_STRING_DATA RSA_str_fun + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CHECK_KEY_EX, 0), "RSA_check_key_ex"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_DECRYPT, 0), "rsa_cms_decrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_VERIFY, 0), "rsa_cms_verify"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), "RSA_generate_key_ex"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), ++ "RSA_generate_key_ex"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, 0), + "RSA_generate_multi_prime_key"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_ITEM_VERIFY, 0), "rsa_item_verify"}, +@@ -93,16 +94,21 @@ static const ERR_STRING_DATA RSA_str_fun + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PARAM_DECODE, 0), "rsa_param_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT, 0), "RSA_print"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT_FP, 0), "RSA_print_fp"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), ++ "RSA_private_decrypt"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), ++ "RSA_private_encrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_DECODE, 0), "rsa_priv_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_ENCODE, 0), "rsa_priv_encode"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), "RSA_private_decrypt"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), "RSA_private_encrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_GET_PARAM, 0), "rsa_pss_get_param"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_TO_CTX, 0), "rsa_pss_to_ctx"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_DECRYPT, 0), "RSA_public_decrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_ENCRYPT, 0), "RSA_public_encrypt"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SETUP_BLINDING, 0), "RSA_setup_blinding"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), ++ "RSA_set_default_method"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN, 0), "RSA_sign"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN_ASN1_OCTET_STRING, 0), + "RSA_sign_ASN1_OCTET_STRING"}, +@@ -111,8 +117,6 @@ static const ERR_STRING_DATA RSA_str_fun + "RSA_verify_ASN1_OCTET_STRING"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 0), + "RSA_verify_PKCS1_PSS_mgf1"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), "RSA_set_default_method"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"}, + {0, NULL} + }; +@@ -193,8 +197,9 @@ static const ERR_STRING_DATA RSA_str_rea + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D), + "mp exponent not congruent to d"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"}, ++ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), ++ "non fips rsa method"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"}, +- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING), + "null before block missing"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES), +@@ -204,7 +209,7 @@ static const ERR_STRING_DATA RSA_str_rea + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR), + "oaep decoding error"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), +- "operation not allowed in FIPS mode"}, ++ "operation not allowed in fips mode"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), + "operation not supported for this keytype"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED), +--- a/include/openssl/dherr.h ++++ b/include/openssl/dherr.h +@@ -11,9 +11,7 @@ + #ifndef HEADER_DHERR_H + # define HEADER_DHERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # include + +@@ -36,9 +34,8 @@ int ERR_load_DH_strings(void); + # define DH_F_DH_CMS_DECRYPT 114 + # define DH_F_DH_CMS_SET_PEERKEY 115 + # define DH_F_DH_CMS_SET_SHARED_INFO 116 +-# define DH_F_DH_COMPUTE_KEY 203 +-# define DH_F_DH_GENERATE_KEY 202 +-# define DH_F_DH_GENERATE_PARAMETERS_EX 201 ++# define DH_F_DH_COMPUTE_KEY 126 ++# define DH_F_DH_GENERATE_PARAMETERS_EX 127 + # define DH_F_DH_METH_DUP 117 + # define DH_F_DH_METH_NEW 118 + # define DH_F_DH_METH_SET1_NAME 119 +@@ -76,14 +73,14 @@ int ERR_load_DH_strings(void); + # define DH_R_INVALID_PARAMETER_NID 114 + # define DH_R_INVALID_PUBKEY 102 + # define DH_R_KDF_PARAMETER_ERROR 112 +-# define DH_R_KEY_SIZE_TOO_SMALL 201 + # define DH_R_KEYS_NOT_SET 108 ++# define DH_R_KEY_SIZE_TOO_SMALL 126 + # define DH_R_MISSING_PUBKEY 125 + # define DH_R_MODULUS_TOO_LARGE 103 ++# define DH_R_NON_FIPS_METHOD 127 + # define DH_R_NOT_SUITABLE_GENERATOR 120 + # define DH_R_NO_PARAMETERS_SET 107 + # define DH_R_NO_PRIVATE_VALUE 100 +-# define DH_R_NON_FIPS_METHOD 202 + # define DH_R_PARAMETER_ENCODING_ERROR 105 + # define DH_R_PEER_KEY_ERROR 111 + # define DH_R_SHARED_INFO_ERROR 113 +--- a/include/openssl/dsaerr.h ++++ b/include/openssl/dsaerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -11,9 +11,7 @@ + #ifndef HEADER_DSAERR_H + # define HEADER_DSAERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # include + +@@ -29,13 +27,13 @@ int ERR_load_DSA_strings(void); + */ + # define DSA_F_DSAPARAMS_PRINT 100 + # define DSA_F_DSAPARAMS_PRINT_FP 101 +-# define DSA_F_DSA_BUILTIN_KEYGEN 202 ++# define DSA_F_DSA_BUILTIN_KEYGEN 108 + # define DSA_F_DSA_BUILTIN_PARAMGEN 125 + # define DSA_F_DSA_BUILTIN_PARAMGEN2 126 +-# define DSA_F_DSA_GENERATE_KEY 201 +-# define DSA_F_DSA_GENERATE_PARAMETERS_EX 200 + # define DSA_F_DSA_DO_SIGN 112 + # define DSA_F_DSA_DO_VERIFY 113 ++# define DSA_F_DSA_GENERATE_KEY 109 ++# define DSA_F_DSA_GENERATE_PARAMETERS_EX 110 + # define DSA_F_DSA_METH_DUP 127 + # define DSA_F_DSA_METH_NEW 128 + # define DSA_F_DSA_METH_SET1_NAME 129 +@@ -63,13 +61,13 @@ int ERR_load_DSA_strings(void); + # define DSA_R_DECODE_ERROR 104 + # define DSA_R_INVALID_DIGEST_TYPE 106 + # define DSA_R_INVALID_PARAMETERS 112 +-# define DSA_R_KEY_SIZE_INVALID 201 +-# define DSA_R_KEY_SIZE_TOO_SMALL 202 ++# define DSA_R_KEY_SIZE_INVALID 114 ++# define DSA_R_KEY_SIZE_TOO_SMALL 115 + # define DSA_R_MISSING_PARAMETERS 101 + # define DSA_R_MISSING_PRIVATE_KEY 111 + # define DSA_R_MODULUS_TOO_LARGE 103 ++# define DSA_R_NON_FIPS_DSA_METHOD 116 + # define DSA_R_NO_PARAMETERS_SET 107 +-# define DSA_R_NON_FIPS_DSA_METHOD 200 + # define DSA_R_PARAMETER_ENCODING_ERROR 105 + # define DSA_R_Q_NOT_PRIME 113 + # define DSA_R_SEED_LEN_SMALL 110 +--- a/include/openssl/ecerr.h ++++ b/include/openssl/ecerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -11,9 +11,7 @@ + #ifndef HEADER_ECERR_H + # define HEADER_ECERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # include + +@@ -143,6 +141,7 @@ int ERR_load_EC_strings(void); + # define EC_F_EC_KEY_PRINT_FP 181 + # define EC_F_EC_KEY_PRIV2BUF 279 + # define EC_F_EC_KEY_PRIV2OCT 256 ++# define EC_F_EC_KEY_PUBLIC_CHECK 299 + # define EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES 229 + # define EC_F_EC_KEY_SIMPLE_CHECK_KEY 258 + # define EC_F_EC_KEY_SIMPLE_OCT2PRIV 259 +--- a/include/openssl/evperr.h ++++ b/include/openssl/evperr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -22,15 +22,15 @@ int ERR_load_EVP_strings(void); + * EVP function codes. + */ + # define EVP_F_AESNI_INIT_KEY 165 +-# define EVP_F_AESNI_XTS_INIT_KEY 233 ++# define EVP_F_AESNI_XTS_INIT_KEY 207 + # define EVP_F_AES_GCM_CTRL 196 + # define EVP_F_AES_INIT_KEY 133 + # define EVP_F_AES_OCB_CIPHER 169 + # define EVP_F_AES_T4_INIT_KEY 178 +-# define EVP_F_AES_T4_XTS_INIT_KEY 234 ++# define EVP_F_AES_T4_XTS_INIT_KEY 208 + # define EVP_F_AES_WRAP_CIPHER 170 +-# define EVP_F_AES_XTS_CIPHER 229 +-# define EVP_F_AES_XTS_INIT_KEY 235 ++# define EVP_F_AES_XTS_CIPHER 210 ++# define EVP_F_AES_XTS_INIT_KEY 209 + # define EVP_F_ALG_MODULE_INIT 177 + # define EVP_F_ARIA_CCM_INIT_KEY 175 + # define EVP_F_ARIA_GCM_CTRL 197 +@@ -146,9 +146,9 @@ int ERR_load_EVP_strings(void); + # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133 + # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 + # define EVP_R_DECODE_ERROR 114 +-# define EVP_R_DISABLED_FOR_FIPS 200 + # define EVP_R_DIFFERENT_KEY_TYPES 101 + # define EVP_R_DIFFERENT_PARAMETERS 153 ++# define EVP_R_DISABLED_FOR_FIPS 185 + # define EVP_R_ERROR_LOADING_SECTION 165 + # define EVP_R_ERROR_SETTING_FIPS_MODE 166 + # define EVP_R_EXPECTING_AN_HMAC_KEY 174 +@@ -184,15 +184,15 @@ int ERR_load_EVP_strings(void); + # define EVP_R_ONLY_ONESHOT_SUPPORTED 177 + # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 + # define EVP_R_OPERATON_NOT_INITIALIZED 151 +-# define EVP_R_PARAMETER_TOO_LARGE 187 + # define EVP_R_OUTPUT_WOULD_OVERFLOW 184 ++# define EVP_R_PARAMETER_TOO_LARGE 187 + # define EVP_R_PARTIALLY_OVERLAPPING 162 + # define EVP_R_PBKDF2_ERROR 181 + # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179 + # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 + # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 + # define EVP_R_PUBLIC_KEY_NOT_RSA 106 +-# define EVP_R_TOO_LARGE 201 ++# define EVP_R_TOO_LARGE 186 + # define EVP_R_UNKNOWN_CIPHER 160 + # define EVP_R_UNKNOWN_DIGEST 161 + # define EVP_R_UNKNOWN_OPTION 169 +@@ -208,7 +208,6 @@ int ERR_load_EVP_strings(void); + # define EVP_R_UNSUPPORTED_SALT_TYPE 126 + # define EVP_R_WRAP_MODE_NOT_ALLOWED 170 + # define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 +-# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 191 +-# define EVP_R_XTS_DUPLICATED_KEYS 192 ++# define EVP_R_XTS_DUPLICATED_KEYS 183 + + #endif +--- a/include/openssl/rsaerr.h ++++ b/include/openssl/rsaerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -11,9 +11,7 @@ + #ifndef HEADER_RSAERR_H + # define HEADER_RSAERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # ifdef __cplusplus + extern "C" +@@ -25,7 +23,7 @@ int ERR_load_RSA_strings(void); + */ + # define RSA_F_CHECK_PADDING_MD 140 + # define RSA_F_ENCODE_PKCS1 146 +-# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 206 ++# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 168 + # define RSA_F_INT_RSA_VERIFY 145 + # define RSA_F_OLD_RSA_PRIV_DECODE 147 + # define RSA_F_PKEY_PSS_INIT 165 +@@ -40,8 +38,8 @@ int ERR_load_RSA_strings(void); + # define RSA_F_RSA_CHECK_KEY_EX 160 + # define RSA_F_RSA_CMS_DECRYPT 159 + # define RSA_F_RSA_CMS_VERIFY 158 +-# define RSA_F_RSA_GENERATE_KEY_EX 204 +-# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY 207 ++# define RSA_F_RSA_GENERATE_KEY_EX 169 ++# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY 170 + # define RSA_F_RSA_ITEM_VERIFY 148 + # define RSA_F_RSA_METH_DUP 161 + # define RSA_F_RSA_METH_NEW 162 +@@ -77,18 +75,18 @@ int ERR_load_RSA_strings(void); + # define RSA_F_RSA_PARAM_DECODE 164 + # define RSA_F_RSA_PRINT 115 + # define RSA_F_RSA_PRINT_FP 116 ++# define RSA_F_RSA_PRIVATE_DECRYPT 171 ++# define RSA_F_RSA_PRIVATE_ENCRYPT 172 + # define RSA_F_RSA_PRIV_DECODE 150 + # define RSA_F_RSA_PRIV_ENCODE 138 +-# define RSA_F_RSA_PRIVATE_DECRYPT 200 +-# define RSA_F_RSA_PRIVATE_ENCRYPT 201 + # define RSA_F_RSA_PSS_GET_PARAM 151 + # define RSA_F_RSA_PSS_TO_CTX 155 ++# define RSA_F_RSA_PUBLIC_DECRYPT 173 ++# define RSA_F_RSA_PUBLIC_ENCRYPT 174 + # define RSA_F_RSA_PUB_DECODE 139 +-# define RSA_F_RSA_PUBLIC_DECRYPT 202 +-# define RSA_F_RSA_PUBLIC_ENCRYPT 203 + # define RSA_F_RSA_SETUP_BLINDING 136 +-# define RSA_F_RSA_SET_DEFAULT_METHOD 205 +-# define RSA_F_RSA_SET_METHOD 204 ++# define RSA_F_RSA_SET_DEFAULT_METHOD 175 ++# define RSA_F_RSA_SET_METHOD 176 + # define RSA_F_RSA_SIGN 117 + # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 + # define RSA_F_RSA_VERIFY 119 +@@ -139,19 +137,19 @@ int ERR_load_RSA_strings(void); + # define RSA_R_KEY_PRIME_NUM_INVALID 165 + # define RSA_R_KEY_SIZE_TOO_SMALL 120 + # define RSA_R_LAST_OCTET_INVALID 134 +-# define RSA_R_MISSING_PRIVATE_KEY 179 + # define RSA_R_MGF1_DIGEST_NOT_ALLOWED 152 ++# define RSA_R_MISSING_PRIVATE_KEY 179 + # define RSA_R_MODULUS_TOO_LARGE 105 + # define RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R 168 + # define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D 169 + # define RSA_R_MP_R_NOT_PRIME 170 ++# define RSA_R_NON_FIPS_RSA_METHOD 171 + # define RSA_R_NO_PUBLIC_EXPONENT 140 +-# define RSA_R_NON_FIPS_RSA_METHOD 200 + # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 + # define RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES 172 + # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 + # define RSA_R_OAEP_DECODING_ERROR 121 +-# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 201 ++# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 173 + # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 + # define RSA_R_PADDING_CHECK_FAILED 114 + # define RSA_R_PKCS_DECODING_ERROR 159 +@@ -171,7 +169,7 @@ int ERR_load_RSA_strings(void); + # define RSA_R_UNSUPPORTED_LABEL_SOURCE 163 + # define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153 + # define RSA_R_UNSUPPORTED_MASK_PARAMETER 154 +-# define RSA_R_UNSUPPORTED_PARAMETERS 202 ++# define RSA_R_UNSUPPORTED_PARAMETERS 174 + # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 + # define RSA_R_VALUE_MISSING 147 + # define RSA_R_WRONG_SIGNATURE_LENGTH 119 diff --git a/openssl-1_1-ossl-sli-003-add-sli.patch b/openssl-1_1-ossl-sli-003-add-sli.patch new file mode 100644 index 0000000..5509b3d --- /dev/null +++ b/openssl-1_1-ossl-sli-003-add-sli.patch @@ -0,0 +1,3333 @@ +--- + crypto/cmac/cm_pmeth.c | 5 + crypto/cmac/cmac.c | 16 + crypto/dh/dh_pmeth.c | 4 + crypto/dsa/dsa_pmeth.c | 5 + crypto/ec/ec_pmeth.c | 13 + crypto/ec/ecx_meth.c | 2 + crypto/evp/digest.c | 2 + crypto/evp/e_aes.c | 70 +++ + crypto/evp/evp_enc.c | 3 + crypto/evp/evp_local.h | 4 + crypto/evp/kdf_lib.c | 11 + crypto/evp/m_sigver.c | 54 ++ + crypto/evp/p5_crpt2.c | 38 + + crypto/evp/p_open.c | 3 + crypto/evp/p_seal.c | 3 + crypto/evp/p_sign.c | 5 + crypto/evp/p_verify.c | 4 + crypto/evp/pkey_kdf.c | 5 + crypto/evp/pmeth_lib.c | 2 + crypto/fips/build.info | 2 + crypto/fips/fips_sli.c | 371 ++++++++++++++++ + crypto/hmac/hm_pmeth.c | 5 + crypto/hmac/hmac.c | 49 +- + crypto/hmac/hmac_local.h | 4 + crypto/kdf/hkdf.c | 8 + crypto/kdf/pbkdf2.c | 14 + crypto/kdf/scrypt.c | 7 + crypto/kdf/sshkdf.c | 13 + crypto/kdf/tls1_prf.c | 12 + crypto/poly1305/poly1305_pmeth.c | 4 + crypto/rand/rand_lib.c | 12 + crypto/rsa/rsa_pmeth.c | 61 ++ + crypto/sha/sha1_one.c | 5 + crypto/siphash/siphash_pmeth.c | 4 + crypto/sm2/sm2_pmeth.c | 5 + doc/man3/FIPS_service_level_indicator.pod | 110 +++++ + include/crypto/evp.h | 5 + include/crypto/fipserr.h | 121 +++++ + include/internal/fips_sli_local.h | 96 ++++ + include/openssl/fips_sli.h | 32 + + test/build.info | 6 + test/fips_slitest.c | 659 ++++++++++++++++++++++++++++++ + test/fips_slitest_helper.c | 489 ++++++++++++++++++++++ + test/fips_slitest_helper.h | 29 + + test/recipes/30-test_fips_sli.t | 4 + util/libcrypto.num | 11 + 46 files changed, 2345 insertions(+), 42 deletions(-) + +--- a/crypto/cmac/cm_pmeth.c ++++ b/crypto/cmac/cm_pmeth.c +@@ -72,7 +72,10 @@ static int cmac_signctx_init(EVP_PKEY_CT + static int cmac_signctx(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, + EVP_MD_CTX *mctx) + { +- return CMAC_Final(ctx->data, sig, siglen); ++ const int r = CMAC_Final(ctx->data, sig, siglen); ++ if (!fips_sli_is_approved_CMAC_CTX(ctx->data)) ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ return r; + } + + static int pkey_cmac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) +--- a/crypto/cmac/cmac.c ++++ b/crypto/cmac/cmac.c +@@ -13,6 +13,7 @@ + #include "internal/cryptlib.h" + #include + #include ++#include "internal/fips_sli_local.h" + + struct CMAC_CTX_st { + /* Cipher context to use */ +@@ -26,8 +27,11 @@ struct CMAC_CTX_st { + unsigned char last_block[EVP_MAX_BLOCK_LENGTH]; + /* Number of bytes in last block: -1 means context not initialised */ + int nlast_block; ++ FIPS_STATUS sli; /* Service Level Indicator */ + }; + ++fips_sli_define_for(CMAC_CTX) ++ + /* Make temporary keys K1 and K2 */ + + static void make_kn(unsigned char *k1, const unsigned char *l, int bl) +@@ -62,6 +66,7 @@ CMAC_CTX *CMAC_CTX_new(void) + + void CMAC_CTX_cleanup(CMAC_CTX *ctx) + { ++ ctx->sli = FIPS_UNSET; + EVP_CIPHER_CTX_reset(ctx->cctx); + OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH); + OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH); +@@ -97,6 +102,7 @@ int CMAC_CTX_copy(CMAC_CTX *out, const C + memcpy(out->tbl, in->tbl, bl); + memcpy(out->last_block, in->last_block, bl); + out->nlast_block = in->nlast_block; ++ out->sli = in->sli; + return 1; + } + +@@ -104,6 +110,7 @@ int CMAC_Init(CMAC_CTX *ctx, const void + const EVP_CIPHER *cipher, ENGINE *impl) + { + static const unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH] = { 0 }; ++ ctx->sli = FIPS_UNSET; + /* All zeros means restart */ + if (!key && !cipher && !impl && keylen == 0) { + /* Not initialised */ +@@ -215,6 +222,15 @@ int CMAC_Final(CMAC_CTX *ctx, unsigned c + OPENSSL_cleanse(out, bl); + return 0; + } ++ switch (EVP_CIPHER_nid(EVP_CIPHER_CTX_cipher(ctx->cctx))) { ++ case NID_aes_128_cbc: ++ case NID_aes_192_cbc: ++ case NID_aes_256_cbc: ++ fips_sli_approve_CMAC_CTX(ctx); ++ break; ++ default: ++ fips_sli_disapprove_CMAC_CTX(ctx); ++ } + return 1; + } + +--- a/crypto/dh/dh_pmeth.c ++++ b/crypto/dh/dh_pmeth.c +@@ -466,6 +466,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX * + if (ret < 0) + return ret; + *keylen = ret; ++ fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, ctx->peerkey->pkey.dh); ++ fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, dh); + return 1; + } + #ifndef OPENSSL_NO_CMS +@@ -493,6 +495,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX * + dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md)) + goto err; + *keylen = dctx->kdf_outlen; ++ fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, ctx->peerkey->pkey.dh); ++ fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, dh); + ret = 1; + err: + OPENSSL_clear_free(Z, Zlen); +--- a/crypto/dsa/dsa_pmeth.c ++++ b/crypto/dsa/dsa_pmeth.c +@@ -77,6 +77,8 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *c + DSA_PKEY_CTX *dctx = ctx->data; + DSA *dsa = ctx->pkey->pkey.dsa; + ++ fips_sli_check_key_dsa_siggen_EVP_PKEY_CTX(ctx, dsa); ++ + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; + +@@ -96,6 +98,8 @@ static int pkey_dsa_verify(EVP_PKEY_CTX + DSA_PKEY_CTX *dctx = ctx->data; + DSA *dsa = ctx->pkey->pkey.dsa; + ++ fips_sli_check_key_dsa_sigver_EVP_PKEY_CTX(ctx, dsa); ++ + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; + +@@ -224,6 +228,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT + static int pkey_dsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) + { + DSA *dsa = NULL; ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + + if (ctx->pkey == NULL) { + DSAerr(DSA_F_PKEY_DSA_KEYGEN, DSA_R_NO_PARAMETERS_SET); +--- a/crypto/ec/ec_pmeth.c ++++ b/crypto/ec/ec_pmeth.c +@@ -122,6 +122,7 @@ static int pkey_ec_sign(EVP_PKEY_CTX *ct + + type = (dctx->md != NULL) ? EVP_MD_type(dctx->md) : NID_sha1; + ++ fips_sli_check_curve_siggen_EVP_PKEY_CTX(ctx, EC_KEY_get0_group(ec)); + ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec); + + if (ret <= 0) +@@ -143,6 +144,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX * + else + type = NID_sha1; + ++ fips_sli_check_curve_sigver_EVP_PKEY_CTX(ctx, EC_KEY_get0_group(ec)); + ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec); + + return ret; +@@ -182,6 +184,8 @@ static int pkey_ec_derive(EVP_PKEY_CTX * + if (ret <= 0) + return 0; + *keylen = ret; ++ fips_sli_check_key_ecdh_EVP_PKEY_CTX(ctx, eckey); ++ fips_sli_check_key_ecdh_EVP_PKEY_CTX(ctx, ctx->peerkey->pkey.ec); + return 1; + } + +@@ -208,6 +212,8 @@ static int pkey_ec_kdf_derive(EVP_PKEY_C + } + if (!pkey_ec_derive(ctx, ktmp, &ktmplen)) + goto err; ++ /* ANSI-X9.63-KDF (X9_62) is FIPS-approved, but we don't have a selftest */ ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + /* Do KDF stuff */ + if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen, + dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md)) +@@ -433,7 +439,12 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * + else + ret = EC_KEY_set_group(ec, dctx->gen_group); + +- return ret ? EC_KEY_generate_key(ec) : 0; ++ if (ret) { ++ fips_sli_check_key_ec_keygen_EVP_PKEY_CTX(ctx, ec); ++ return EC_KEY_generate_key(ec); ++ } else { ++ return 0; ++ } + } + + static const EVP_PKEY_METHOD ec_pkey_meth = { +--- a/crypto/ec/ecx_meth.c ++++ b/crypto/ec/ecx_meth.c +@@ -691,6 +691,7 @@ static int pkey_ecx_derive25519(EVP_PKEY + && X25519(key, privkey, pubkey) == 0)) + return 0; + *keylen = X25519_KEYLEN; ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return 1; + } + +@@ -704,6 +705,7 @@ static int pkey_ecx_derive448(EVP_PKEY_C + && X448(key, privkey, pubkey) == 0)) + return 0; + *keylen = X448_KEYLEN; ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return 1; + } + +--- a/crypto/evp/digest.c ++++ b/crypto/evp/digest.c +@@ -40,6 +40,7 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) + if (ctx == NULL) + return 1; + ++ ctx->sli = FIPS_UNSET; + /* + * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because + * sometimes only copies of the context are ever finalised. +@@ -80,6 +81,7 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons + int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) + { + EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); ++ ctx->sli = FIPS_UNSET; + #ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); +--- a/crypto/evp/e_aes.c ++++ b/crypto/evp/e_aes.c +@@ -4303,3 +4303,73 @@ BLOCK_CIPHER_custom(NID_aes, 192, 16, 12 + BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB, + EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + #endif /* OPENSSL_NO_OCB */ ++ ++/* Use an explicit whitelist here (due to the number of ciphers and modes) */ ++FIPS_STATUS EVP_CIPHER_get_fips_status(const EVP_CIPHER *cipher) { ++ /* switch on pointers is not entirely portable */ ++ if (cipher->do_cipher == aes_cbc_cipher ++ || cipher->do_cipher == aes_ecb_cipher ++ || cipher->do_cipher == aes_xts_cipher ++ || cipher->do_cipher == aes_ofb_cipher ++ || cipher->do_cipher == aes_cfb_cipher ++ || cipher->do_cipher == aes_cfb1_cipher ++ || cipher->do_cipher == aes_cfb8_cipher ++ || cipher->do_cipher == aes_ctr_cipher ++ || cipher->do_cipher == aes_gcm_cipher ++ || cipher->do_cipher == aes_gcm_tls_cipher ++ || cipher->do_cipher == aes_ccm_cipher ++ #if defined(OPENSSL_CPUID_OBJ) && ( \ ++ ((defined(__i386) || defined(__i386__) || defined(_M_IX86))\ ++ && defined(OPENSSL_IA32_SSE2)) \ ++ || defined(__x86_64) || defined(__x86_64__) \ ++ || defined(_M_AMD64) || defined(_M_X64)) ++ || cipher->do_cipher == aesni_cbc_cipher /* AES-NI */ ++ || cipher->do_cipher == aesni_ecb_cipher ++ || cipher->do_cipher == aesni_xts_cipher ++ || cipher->do_cipher == aesni_ofb_cipher ++ || cipher->do_cipher == aesni_cfb_cipher ++ || cipher->do_cipher == aesni_cfb1_cipher ++ || cipher->do_cipher == aesni_cfb8_cipher ++ || cipher->do_cipher == aesni_ctr_cipher ++ || cipher->do_cipher == aesni_gcm_cipher ++ || cipher->do_cipher == aesni_ccm_cipher ++ #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__) ++ || cipher->do_cipher == s390x_aes_cbc_cipher /* System/390 */ ++ || cipher->do_cipher == s390x_aes_ecb_cipher ++ || cipher->do_cipher == s390x_aes_xts_cipher ++ || cipher->do_cipher == s390x_aes_ofb_cipher ++ || cipher->do_cipher == s390x_aes_cfb_cipher ++ || cipher->do_cipher == s390x_aes_cfb1_cipher ++ || cipher->do_cipher == s390x_aes_cfb8_cipher ++ || cipher->do_cipher == s390x_aes_ctr_cipher ++ || cipher->do_cipher == s390x_aes_gcm_cipher ++ || cipher->do_cipher == s390x_aes_gcm_tls_cipher ++ || cipher->do_cipher == s390x_aes_ccm_cipher ++ #endif ++ || cipher->do_cipher == aes_wrap_cipher /* key wrapping */ ++ ) { ++ switch (EVP_CIPHER_key_length(cipher) * 8) { ++ case 128: ++ case 192: ++ if (cipher->do_cipher == aes_xts_cipher ++ #if defined(OPENSSL_CPUID_OBJ) && ( \ ++ ((defined(__i386) || defined(__i386__) || defined(_M_IX86))\ ++ && defined(OPENSSL_IA32_SSE2)) \ ++ || defined(__x86_64) || defined(__x86_64__) \ ++ || defined(_M_AMD64) || defined(_M_X64)) ++ || cipher->do_cipher == aesni_xts_cipher ++ #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__) ++ || cipher->do_cipher == s390x_aes_xts_cipher ++ #endif ++ ) ++ return FIPS_NONAPPROVED; ++ /* intended fall-through */ ++ case 256: ++ return FIPS_APPROVED; ++ } ++ } ++ /* disapproved for enc and dec: all others, including ++ * 3DES and AES modes ++ * aes_ocb_cipher */ ++ return FIPS_NONAPPROVED; ++} +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -32,6 +32,7 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX + #endif + if (c == NULL) + return 1; ++ c->sli = FIPS_UNSET; + if (c->cipher != NULL) { + if (c->cipher->cleanup && !c->cipher->cleanup(c)) + return 0; +@@ -116,6 +117,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct + /* Restore encrypt and flags */ + ctx->encrypt = enc; + ctx->flags = flags; ++ ctx->sli = FIPS_UNSET; + } + #ifndef OPENSSL_NO_ENGINE + if (impl) { +@@ -237,6 +239,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct + ctx->buf_len = 0; + ctx->final_used = 0; + ctx->block_mask = ctx->cipher->block_size - 1; ++ fips_sli_check_cipher_EVP_CIPHER_CTX(ctx, ctx->cipher); + return 1; + } + +--- a/crypto/evp/evp_local.h ++++ b/crypto/evp/evp_local.h +@@ -1,3 +1,4 @@ ++#include "internal/fips_sli_local.h" + /* + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. + * +@@ -19,6 +20,7 @@ struct evp_md_ctx_st { + EVP_PKEY_CTX *pctx; + /* Update function: usually copied from EVP_MD */ + int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count); ++ FIPS_STATUS sli; /* Service Level Indicator */ + } /* EVP_MD_CTX */ ; + + struct evp_cipher_ctx_st { +@@ -39,11 +41,13 @@ struct evp_cipher_ctx_st { + int final_used; + int block_mask; + unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ ++ FIPS_STATUS sli; /* Service Level Indicator */ + } /* EVP_CIPHER_CTX */ ; + + struct evp_kdf_ctx_st { + const EVP_KDF_METHOD *kmeth; + EVP_KDF_IMPL *impl; /* Algorithm-specific data */ ++ FIPS_STATUS sli; /* Service Level Indicator */ + } /* EVP_KDF_CTX */ ; + + int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, +--- a/crypto/evp/kdf_lib.c ++++ b/crypto/evp/kdf_lib.c +@@ -17,6 +17,7 @@ + #include + #include "crypto/asn1.h" + #include "crypto/evp.h" ++#include "internal/fips_sli_local.h" + #include "internal/numbers.h" + #include "evp_local.h" + +@@ -82,6 +83,7 @@ EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id) + } + + ret->kmeth = kmeth; ++ ret->sli = FIPS_UNSET; + return ret; + } + +@@ -101,6 +103,7 @@ void EVP_KDF_reset(EVP_KDF_CTX *ctx) + + if (ctx->kmeth->reset != NULL) + ctx->kmeth->reset(ctx->impl); ++ ctx->sli = FIPS_UNSET; + } + + int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...) +@@ -161,6 +164,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns + if (ctx == NULL) + return 0; + +- return ctx->kmeth->derive(ctx->impl, key, keylen); ++ int ret = ctx->kmeth->derive(ctx->impl, key, keylen); ++ if (ctx->kmeth->fips_sli_is_approved(ctx->impl)) ++ fips_sli_approve_EVP_KDF_CTX(ctx); ++ else ++ fips_sli_disapprove_EVP_KDF_CTX(ctx); ++ ++ return ret; + } + +--- a/crypto/evp/m_sigver.c ++++ b/crypto/evp/m_sigver.c +@@ -105,15 +105,21 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + if (pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM) { + if (!sigret) + return pctx->pmeth->signctx(pctx, sigret, siglen, ctx); +- if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) ++ if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) { + r = pctx->pmeth->signctx(pctx, sigret, siglen, ctx); +- else { ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ } else { + EVP_PKEY_CTX *dctx = EVP_PKEY_CTX_dup(ctx->pctx); + if (!dctx) + return 0; + r = dctx->pmeth->signctx(dctx, sigret, siglen, ctx); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(dctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + EVP_PKEY_CTX_free(dctx); + } ++ /* stricter than necessary, ctx->digest might be set but unused */ ++ fips_sli_check_hash_siggen_EVP_MD_CTX(ctx, ctx->digest); + return r; + } + if (pctx->pmeth->signctx) +@@ -124,8 +130,11 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int mdlen = 0; + if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) { +- if (sctx) ++ if (sctx) { + r = ctx->pctx->pmeth->signctx(ctx->pctx, sigret, siglen, ctx); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(ctx->pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ } + else + r = EVP_DigestFinal_ex(ctx, md, &mdlen); + } else { +@@ -136,16 +145,25 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + EVP_MD_CTX_free(tmp_ctx); + return 0; + } +- if (sctx) ++ if (sctx) { + r = tmp_ctx->pctx->pmeth->signctx(tmp_ctx->pctx, + sigret, siglen, tmp_ctx); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(tmp_ctx->pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ } + else + r = EVP_DigestFinal_ex(tmp_ctx, md, &mdlen); + EVP_MD_CTX_free(tmp_ctx); + } ++ /* stricter than necessary, ctx->digest might be set but unused */ ++ fips_sli_check_hash_siggen_EVP_MD_CTX(ctx, ctx->digest); ++ + if (sctx || !r) + return r; +- if (EVP_PKEY_sign(ctx->pctx, sigret, siglen, md, mdlen) <= 0) ++ r = EVP_PKEY_sign(ctx->pctx, sigret, siglen, md, mdlen); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(ctx->pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ if (r <= 0) + return 0; + } else { + if (sctx) { +@@ -163,8 +181,12 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, + const unsigned char *tbs, size_t tbslen) + { +- if (ctx->pctx->pmeth->digestsign != NULL) ++ if (ctx->pctx->pmeth->digestsign != NULL) { ++ /* digestsign is only used for ed25519 and ed448 signatures, so should ++ * be safe to disapprove it completely */ ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + return ctx->pctx->pmeth->digestsign(ctx, sigret, siglen, tbs, tbslen); ++ } + if (sigret != NULL && EVP_DigestSignUpdate(ctx, tbs, tbslen) <= 0) + return 0; + return EVP_DigestSignFinal(ctx, sigret, siglen); +@@ -178,9 +200,14 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct + unsigned int mdlen = 0; + int vctx = 0; + +- if (ctx->pctx->pmeth->verifyctx) ++ fips_sli_check_hash_sigver_EVP_MD_CTX(ctx, EVP_MD_CTX_md(ctx)); ++ ++ if (ctx->pctx->pmeth->verifyctx) { + vctx = 1; +- else ++ /* verifyctx seems to be unused by openssl, so should be safe to ++ * disapprove it */ ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ } else + vctx = 0; + if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) { + if (vctx) +@@ -204,14 +231,21 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct + } + if (vctx || !r) + return r; +- return EVP_PKEY_verify(ctx->pctx, sig, siglen, md, mdlen); ++ const int res = EVP_PKEY_verify(ctx->pctx, sig, siglen, md, mdlen); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(ctx->pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ return res; + } + + int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, + size_t siglen, const unsigned char *tbs, size_t tbslen) + { +- if (ctx->pctx->pmeth->digestverify != NULL) ++ if (ctx->pctx->pmeth->digestverify != NULL) { ++ /* digestverify is only used for ed25519 and ed448 signatures, so should ++ * be safe to disapprove it completely */ ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + return ctx->pctx->pmeth->digestverify(ctx, sigret, siglen, tbs, tbslen); ++ } + if (EVP_DigestVerifyUpdate(ctx, tbs, tbslen) <= 0) + return -1; + return EVP_DigestVerifyFinal(ctx, sigret, siglen); +--- a/crypto/evp/p5_crpt2.c ++++ b/crypto/evp/p5_crpt2.c +@@ -10,6 +10,7 @@ + #include + #include + #include "internal/cryptlib.h" ++#include "internal/fips_sli_local.h" + #include + #include + #include +@@ -24,13 +25,13 @@ + static void h__dump(const unsigned char *p, int len); + #endif + +-int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, ++static int PKCS5_PBKDF2_HMAC_internal(const char *pass, int passlen, + const unsigned char *salt, int saltlen, int iter, +- const EVP_MD *digest, int keylen, unsigned char *out) ++ const EVP_MD *digest, int keylen, unsigned char *out, ++ EVP_KDF_CTX *kctx) + { + const char *empty = ""; + int rv = 1; +- EVP_KDF_CTX *kctx; + + /* Keep documented behaviour. */ + if (pass == NULL) { +@@ -42,9 +43,6 @@ int PKCS5_PBKDF2_HMAC(const char *pass, + if (salt == NULL && saltlen == 0) + salt = (unsigned char *)empty; + +- kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2); +- if (kctx == NULL) +- return 0; + if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1 + || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, + salt, (size_t)saltlen) != 1 +@@ -53,8 +51,6 @@ int PKCS5_PBKDF2_HMAC(const char *pass, + || EVP_KDF_derive(kctx, out, keylen) != 1) + rv = 0; + +- EVP_KDF_CTX_free(kctx); +- + # ifdef OPENSSL_DEBUG_PKCS5V2 + fprintf(stderr, "Password:\n"); + h__dump(pass, passlen); +@@ -67,6 +63,32 @@ int PKCS5_PBKDF2_HMAC(const char *pass, + return rv; + } + ++int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, int keylen, unsigned char *out) ++{ ++ EVP_KDF_CTX *kctx; ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2); ++ if (kctx == NULL) ++ return 0; ++ int ret = PKCS5_PBKDF2_HMAC_internal(pass, passlen, salt, saltlen, iter, digest, keylen, out, kctx); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++int fips_sli_PKCS5_PBKDF2_HMAC_is_approved(const char *pass, int passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, int keylen, unsigned char *out) ++{ ++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2); ++ if (kctx == NULL) ++ return 0; ++ PKCS5_PBKDF2_HMAC_internal(pass, passlen, salt, saltlen, iter, digest, keylen, out, kctx); ++ int ret = fips_sli_is_approved_EVP_KDF_CTX(kctx); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, + const unsigned char *salt, int saltlen, int iter, + int keylen, unsigned char *out) +--- a/crypto/evp/p_open.c ++++ b/crypto/evp/p_open.c +@@ -8,6 +8,7 @@ + */ + + #include "internal/cryptlib.h" ++#include "internal/fips_sli_local.h" + #ifdef OPENSSL_NO_RSA + NON_EMPTY_TRANSLATION_UNIT + #else +@@ -47,6 +48,8 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, co + goto err; + } + ++ // EVP_PKEY_decrypt_old always uses RSA dec ++ fips_sli_disapprove_EVP_CIPHER_CTX(ctx); + i = EVP_PKEY_decrypt_old(key, ek, ekl, priv); + if ((i <= 0) || !EVP_CIPHER_CTX_set_key_length(ctx, i)) { + /* ERROR */ +--- a/crypto/evp/p_seal.c ++++ b/crypto/evp/p_seal.c +@@ -9,6 +9,7 @@ + + #include + #include "internal/cryptlib.h" ++#include "internal/fips_sli_local.h" + #include + #include + #include +@@ -44,6 +45,8 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, co + ekl[i] = + EVP_PKEY_encrypt_old(ek[i], key, EVP_CIPHER_CTX_key_length(ctx), + pubk[i]); ++ // EVP_PKEY_encrypt_old always uses RSA encryption ++ fips_sli_disapprove_EVP_CIPHER_CTX(ctx); + if (ekl[i] <= 0) { + rv = -1; + goto err; +--- a/crypto/evp/p_sign.c ++++ b/crypto/evp/p_sign.c +@@ -23,6 +23,8 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig + size_t sltmp; + EVP_PKEY_CTX *pkctx = NULL; + ++ fips_sli_check_hash_sigver_EVP_MD_CTX(ctx, EVP_MD_CTX_md(ctx)); ++ + *siglen = 0; + if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_FINALISE)) { + if (!EVP_DigestFinal_ex(ctx, m, &m_len)) +@@ -37,6 +39,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig + rv = EVP_MD_CTX_copy_ex(tmp_ctx, ctx); + if (rv) + rv = EVP_DigestFinal_ex(tmp_ctx, m, &m_len); ++ + EVP_MD_CTX_free(tmp_ctx); + if (!rv) + return 0; +@@ -53,6 +56,8 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig + goto err; + if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) + goto err; ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(pkctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + *siglen = sltmp; + i = 1; + err: +--- a/crypto/evp/p_verify.c ++++ b/crypto/evp/p_verify.c +@@ -22,6 +22,8 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con + int i = 0; + EVP_PKEY_CTX *pkctx = NULL; + ++ fips_sli_check_hash_sigver_EVP_MD_CTX(ctx, EVP_MD_CTX_md(ctx)); ++ + if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_FINALISE)) { + if (!EVP_DigestFinal_ex(ctx, m, &m_len)) + goto err; +@@ -49,6 +51,8 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con + if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_md(ctx)) <= 0) + goto err; + i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(pkctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + err: + EVP_PKEY_CTX_free(pkctx); + return i; +--- a/crypto/evp/pkey_kdf.c ++++ b/crypto/evp/pkey_kdf.c +@@ -158,7 +158,10 @@ static int pkey_kdf_derive(EVP_PKEY_CTX + if (key == NULL) + return 1; + } +- return EVP_KDF_derive(kctx, key, *keylen); ++ int ret = EVP_KDF_derive(kctx, key, *keylen); ++ if (!fips_sli_is_approved_EVP_KDF_CTX(kctx)) ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ return ret; + } + + #ifndef OPENSSL_NO_SCRYPT +--- a/crypto/evp/pmeth_lib.c ++++ b/crypto/evp/pmeth_lib.c +@@ -162,6 +162,7 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE + EVPerr(EVP_F_INT_CTX_NEW, ERR_R_MALLOC_FAILURE); + return NULL; + } ++ ret->sli = FIPS_UNSET; + ret->engine = e; + ret->pmeth = pmeth; + ret->operation = EVP_PKEY_OP_UNDEFINED; +@@ -299,6 +300,7 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_ + rctx->data = NULL; + rctx->app_data = NULL; + rctx->operation = pctx->operation; ++ rctx->sli = pctx->sli; + + if (pctx->pmeth->copy(rctx, pctx) > 0) + return rctx; +--- a/crypto/fips/build.info ++++ b/crypto/fips/build.info +@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\ + fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ +- fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c ++ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c fips_sli.c + + PROGRAMS=\ + fips_standalone_hmac +--- /dev/null ++++ b/crypto/fips/fips_sli.c +@@ -0,0 +1,371 @@ ++#include ++#include ++#include ++#include "crypto/evp.h" ++#include "../evp/evp_local.h" ++#include "../hmac/hmac_local.h" ++#include "internal/fips_sli_local.h" ++ ++/* Main part of the FIPS Service Level Indicator ++ If you want to quickly change its behaviour, you most likely want to start here ++ - beware of some exceptions, though... */ ++ ++FIPS_STATUS fips_sli_fsm_transition(FIPS_STATUS state, FIPS_STATUS input) { ++ switch (state) { ++ case FIPS_UNSET: ++ switch (input) { ++ case FIPS_UNSET: /* ignore */ ++ return state; ++ case FIPS_APPROVED: ++ case FIPS_NONAPPROVED: ++ case FIPS_ERROR: ++ return input; ++ } ++ break; ++ case FIPS_APPROVED: ++ switch (input) { ++ case FIPS_UNSET: /* ignore */ ++ case FIPS_APPROVED: ++ return state; ++ case FIPS_NONAPPROVED: ++ case FIPS_ERROR: ++ return input; ++ } ++ break; ++ case FIPS_NONAPPROVED: ++ return state; ++ case FIPS_ERROR: ++ switch (input) { ++ case FIPS_UNSET: /* ignore */ ++ case FIPS_APPROVED: ++ case FIPS_ERROR: ++ return state; ++ case FIPS_NONAPPROVED: ++ return input; ++ } ++ } ++ abort(); ++} ++ ++fips_sli_define_for(EVP_CIPHER_CTX) ++fips_sli_define_for(EVP_KDF_CTX) ++fips_sli_define_for(EVP_MD_CTX) ++fips_sli_define_for(EVP_PKEY_CTX) ++fips_sli_define_for(HMAC_CTX) ++ ++typedef enum curve_usage_e { ++ CURVE_KEYGEN, ++ CURVE_SIGGEN, ++ CURVE_SIGVER, ++ CURVE_DH ++} CURVE_USAGE; ++ ++/* Check whether a curve is okay for some type of usage */ ++static FIPS_STATUS get_fips_curve_status(const EC_GROUP *group, CURVE_USAGE u) { ++ if (group == NULL) { ++ return FIPS_ERROR; ++ } ++ ++ switch (u) { ++ case CURVE_KEYGEN: ++ switch (EC_GROUP_get_curve_name(group)) { ++ /* ACVP-tested curves for keygen: */ ++ case NID_secp224r1: ++ /* SECG secp256r1 is the same as X9.62 prime256v1 (P-256) and hence omitted */ ++ case NID_X9_62_prime256v1: ++ case NID_secp384r1: ++ case NID_secp521r1: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ case CURVE_SIGVER: ++ switch (EC_GROUP_get_curve_name(group)) { ++ case NID_X9_62_prime192v1: /* NIST P-192 */ ++ case NID_secp224r1: ++ /* SECG secp256r1 is the same as X9.62 prime256v1 (P-256) and hence omitted */ ++ case NID_X9_62_prime256v1: ++ case NID_secp384r1: ++ case NID_secp521r1: ++ /* nist k curves */ ++ case NID_sect233k1: ++ case NID_sect283k1: ++ case NID_sect409k1: ++ case NID_sect571k1: ++ /* nist b curves */ ++ case NID_sect233r1: ++ case NID_sect283r1: ++ case NID_sect409r1: ++ case NID_sect571r1: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ case CURVE_SIGGEN: ++ case CURVE_DH: ++ switch (EC_GROUP_get_curve_name(group)) { ++ /* see crypto/ec/ec_curve.c:2800 */ ++ /* nist P curves*/ ++ case NID_secp224r1: ++ /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ ++ case NID_X9_62_prime256v1: ++ case NID_secp384r1: ++ case NID_secp521r1: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ } ++ return FIPS_NONAPPROVED; ++} ++ ++#define make_fips_sli_check_curve(CTXTYPE, fn, usage) \ ++void fips_sli_check_curve_##fn##_##CTXTYPE(CTXTYPE *ctx, const EC_GROUP *group)\ ++{ \ ++ fips_sli_fsm_##CTXTYPE(ctx, get_fips_curve_status(group, usage)); \ ++} ++ ++make_fips_sli_check_curve(EVP_MD_CTX, siggen, CURVE_SIGGEN) ++make_fips_sli_check_curve(EVP_MD_CTX, sigver, CURVE_SIGVER) ++/* keygen missing because in this case we need more info than available here*/ ++make_fips_sli_check_curve(EVP_PKEY_CTX, siggen, CURVE_SIGGEN) ++make_fips_sli_check_curve(EVP_PKEY_CTX, sigver, CURVE_SIGVER) ++ ++typedef enum hash_usage_e { ++ HASH_SIGGEN, ++ HASH_SIGVER, ++ HASH_KDF_SSHKDF, ++ HASH_KDF_PBKDF2, ++ HASH_KDF_TLS, ++ HASH_RNG, ++ HASH_MAC ++} HASH_USAGE; ++ ++static FIPS_STATUS get_fips_hash_status(const EVP_MD *md, HASH_USAGE u) { ++ if (md == NULL) { ++ return FIPS_ERROR; ++ } ++ ++ switch (u) { ++ case HASH_KDF_TLS: ++ switch (EVP_MD_type(md)) { ++ case NID_sha256: /* TLSv1.2 */ ++ case NID_sha384: ++ case NID_sha512: ++ case NID_md5_sha1: /* used in TLS v1.0 / v1.1 */ ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ case HASH_KDF_PBKDF2: ++ case HASH_KDF_SSHKDF: ++ case HASH_MAC: ++ switch (EVP_MD_type(md)) { ++ case NID_sha1: ++ case NID_sha224: ++ case NID_sha256: ++ case NID_sha384: ++ case NID_sha512: ++ case NID_sha512_224: ++ case NID_sha512_256: ++ case NID_sha3_224: ++ case NID_sha3_256: ++ case NID_sha3_384: ++ case NID_sha3_512: ++ case NID_shake128: ++ case NID_shake256: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ case HASH_RNG: ++ case HASH_SIGGEN: ++ case HASH_SIGVER: ++ switch (EVP_MD_type(md)) { ++ case NID_sha224: ++ case NID_sha256: ++ case NID_sha384: ++ case NID_sha512: ++ case NID_sha512_224: ++ case NID_sha512_256: ++ case NID_sha3_224: ++ case NID_sha3_256: ++ case NID_sha3_384: ++ case NID_sha3_512: ++ case NID_shake128: ++ case NID_shake256: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ } ++ return FIPS_ERROR; ++} ++ ++#define make_fips_sli_check_hash(CTXTYPE, fn, usage) \ ++void fips_sli_check_hash_##fn##_##CTXTYPE(CTXTYPE *ctx, const EVP_MD *md) \ ++{ \ ++ fips_sli_fsm_##CTXTYPE(ctx, get_fips_hash_status(md, usage)); \ ++} ++ ++make_fips_sli_check_hash(EVP_MD_CTX, siggen, HASH_SIGGEN) ++make_fips_sli_check_hash(EVP_MD_CTX, sigver, HASH_SIGVER) ++make_fips_sli_check_hash(EVP_PKEY_CTX, siggen, HASH_SIGGEN) ++make_fips_sli_check_hash(EVP_PKEY_CTX, sigver, HASH_SIGVER) ++make_fips_sli_check_hash(HMAC_CTX, mac, HASH_MAC) ++/* KDF impl is a bit special - avoid changing everything just because of that */ ++FIPS_STATUS fips_sli_get_hash_status_sshkdf(const EVP_MD * md) { ++ return get_fips_hash_status(md, HASH_KDF_SSHKDF); ++} ++FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md) { ++ return get_fips_hash_status(md, HASH_KDF_PBKDF2); ++} ++FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md) { ++ return get_fips_hash_status(md, HASH_KDF_TLS); ++} ++ ++FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes) { ++ if (keylen_bytes >= 112/8) ++ return FIPS_APPROVED; ++ else ++ return FIPS_NONAPPROVED; ++} ++ ++void fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(ctx, rsa); ++} ++ ++void fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ if (RSA_bits(rsa) >= 2048) ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ else ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_rsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ const int len_n = RSA_bits(rsa); ++ ++ if (1024 <= len_n && len_n < 2048) ++ fips_sli_approve_EVP_PKEY_CTX(ctx); // legacy use ++ else if (2048 <= len_n) ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ else ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_dsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_dsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_dh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const DH *dh) { ++ switch (DH_get_nid(dh)) { ++ /* RFC 3526 */ ++ case NID_modp_2048: ++ case NID_modp_3072: ++ case NID_modp_4096: ++ case NID_modp_6144: ++ case NID_modp_8192: ++ /* RFC 7919 */ ++ case NID_ffdhe2048: ++ case NID_ffdhe3072: ++ case NID_ffdhe4096: ++ case NID_ffdhe6144: ++ case NID_ffdhe8192: ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ break; ++ default: ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ } ++} ++ ++void fips_sli_check_key_ecdh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_KEY *ecdh) { ++ fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_curve_status(EC_KEY_get0_group(ecdh), CURVE_DH)); ++} ++ ++void fips_sli_check_cipher_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher) { ++ fips_sli_fsm_EVP_CIPHER_CTX(ctx, EVP_CIPHER_get_fips_status(cipher)); ++} ++ ++/** According to FIPS PUB 186-5. ++ * Not really helpful because nist P curves are the only allowed curves for ++ * KeyGen, and have h=1 anyway - but allow for future extensibility */ ++static FIPS_STATUS get_fips_keygen_ecdsa_order_status(const EC_KEY *ec) { ++ BN_CTX *ctx = BN_CTX_new(); ++ BIGNUM *pwr14, *pwr16, *pwr24, *pwr32; ++ const BIGNUM * cofactor = EC_GROUP_get0_cofactor(EC_KEY_get0_group(ec)); ++ const int n = EC_GROUP_order_bits(EC_KEY_get0_group(ec)); ++ FIPS_STATUS ret = FIPS_NONAPPROVED; ++ ++ if (ctx == NULL) { ++ ret = FIPS_ERROR; ++ goto end; ++ } ++ ++ BN_CTX_start(ctx); ++ pwr14 = BN_CTX_get(ctx); ++ pwr16 = BN_CTX_get(ctx); ++ pwr24 = BN_CTX_get(ctx); ++ pwr32 = BN_CTX_get(ctx); ++ if (pwr32 == NULL) { ++ /* Sufficient to check the return value of the last BN_CTX_get() */ ++ ret = FIPS_ERROR; ++ goto end; ++ } ++ BN_set_bit(pwr14, 14); ++ BN_set_bit(pwr16, 16); ++ BN_set_bit(pwr24, 24); ++ BN_set_bit(pwr32, 32); ++ ++ if (224 < n && n <= 255) { ++ if (BN_cmp(cofactor, pwr14) != 1) ++ ret = FIPS_APPROVED; ++ } else if (256 < n && n <= 383) { ++ if (BN_cmp(cofactor, pwr16) != 1) ++ ret = FIPS_APPROVED; ++ ++ } else if (384 < n && n <= 511) { ++ if (BN_cmp(cofactor, pwr24) != 1) ++ ret = FIPS_APPROVED; ++ ++ } else if (n >= 512) { ++ if (BN_cmp(cofactor, pwr32) != 1) ++ ret = FIPS_APPROVED; ++ } ++ ++end: ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ return ret; ++} ++ ++void fips_sli_check_key_ec_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, ++ const EC_KEY *ec) { ++ fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_curve_status( ++ EC_KEY_get0_group(ec), CURVE_KEYGEN)); ++ fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_keygen_ecdsa_order_status(ec)); ++} ++ ++/* MINOR: refactor for sign/verify, too. See crypto/rsa/rsa_pmeth.c */ ++static FIPS_STATUS get_fips_padding_rsa_encdec_status(int pad_mode/*,usg: enc/dec*/) { ++ return FIPS_NONAPPROVED; ++} ++ ++void fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode) { ++ fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_padding_rsa_encdec_status(pad_mode)); ++} ++ ++void fips_sli_check_padding_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode) { ++ fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(ctx, pad_mode); ++} +--- a/crypto/hmac/hm_pmeth.c ++++ b/crypto/hmac/hm_pmeth.c +@@ -128,8 +128,11 @@ static int hmac_signctx(EVP_PKEY_CTX *ct + if (!sig) + return 1; + +- if (!HMAC_Final(hctx->ctx, sig, &hlen)) ++ if (!HMAC_Final(hctx->ctx, sig, &hlen)) { ++ if (!fips_sli_is_approved_HMAC_CTX(hctx->ctx)) ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return 0; ++ } + *siglen = (size_t)hlen; + return 1; + } +--- a/crypto/hmac/hmac.c ++++ b/crypto/hmac/hmac.c +@@ -23,6 +23,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + unsigned char pad[HMAC_MAX_MD_CBLOCK_SIZE]; + unsigned int keytmp_length; + unsigned char keytmp[HMAC_MAX_MD_CBLOCK_SIZE]; ++ ctx->sli = FIPS_UNSET; + + /* If we are changing MD then we must have a key */ + if (md != NULL && md != ctx->md && (key == NULL || len < 0)) +@@ -83,9 +84,17 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + if (!EVP_DigestInit_ex(ctx->o_ctx, md, impl) + || !EVP_DigestUpdate(ctx->o_ctx, pad, EVP_MD_block_size(md))) + goto err; ++ ctx->sli_key_len = len; + } + if (!EVP_MD_CTX_copy_ex(ctx->md_ctx, ctx->i_ctx)) + goto err; ++ /* On reuse, key/key_len might be NULL. Use cached value. */ ++ if (ctx->sli_key_len >= 112/8) { ++ fips_sli_approve_HMAC_CTX(ctx); ++ } else { ++ fips_sli_disapprove_HMAC_CTX(ctx); ++ } ++ fips_sli_check_hash_mac_HMAC_CTX(ctx, md); + rv = 1; + err: + if (reset) { +@@ -190,6 +199,7 @@ static int hmac_ctx_alloc_mds(HMAC_CTX * + + int HMAC_CTX_reset(HMAC_CTX *ctx) + { ++ ctx->sli = FIPS_UNSET; + hmac_ctx_cleanup(ctx); + if (!hmac_ctx_alloc_mds(ctx)) { + hmac_ctx_cleanup(ctx); +@@ -209,24 +219,22 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C + if (!EVP_MD_CTX_copy_ex(dctx->md_ctx, sctx->md_ctx)) + goto err; + dctx->md = sctx->md; ++ dctx->sli = sctx->sli; + return 1; + err: + hmac_ctx_cleanup(dctx); + return 0; + } + +-unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len, ++static unsigned char *HMAC_internal(const EVP_MD *evp_md, const void *key, int key_len, + const unsigned char *d, size_t n, unsigned char *md, +- unsigned int *md_len) ++ unsigned int *md_len, HMAC_CTX *c) + { +- HMAC_CTX *c = NULL; + static unsigned char m[EVP_MAX_MD_SIZE]; + static const unsigned char dummy_key[1] = {'\0'}; + + if (md == NULL) + md = m; +- if ((c = HMAC_CTX_new()) == NULL) +- goto err; + + /* For HMAC_Init_ex, NULL key signals reuse. */ + if (key == NULL && key_len == 0) { +@@ -239,13 +247,40 @@ unsigned char *HMAC(const EVP_MD *evp_md + goto err; + if (!HMAC_Final(c, md, md_len)) + goto err; +- HMAC_CTX_free(c); + return md; + err: +- HMAC_CTX_free(c); + return NULL; + } + ++unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len, ++ const unsigned char *d, size_t n, unsigned char *md, ++ unsigned int *md_len) ++{ ++ HMAC_CTX *c = HMAC_CTX_new(); ++ unsigned char *ret = NULL; ++ if (c == NULL) ++ goto err; ++ ret = HMAC_internal(evp_md, key, key_len, d, n, md, md_len, c); ++ HMAC_CTX_free(c); ++ err: ++ return ret; ++} ++ ++int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len, ++ const unsigned char *d, size_t n, unsigned char *md, ++ unsigned int *md_len) ++{ ++ HMAC_CTX *c = HMAC_CTX_new(); ++ int ret = 0; ++ if (c == NULL) ++ goto err; ++ HMAC_internal(evp_md, key, key_len, d, n, md, md_len, c); ++ ret = fips_sli_is_approved_HMAC_CTX(c); ++ HMAC_CTX_free(c); ++ err: ++ return ret; ++} ++ + void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags) + { + EVP_MD_CTX_set_flags(ctx->i_ctx, flags); +--- a/crypto/hmac/hmac_local.h ++++ b/crypto/hmac/hmac_local.h +@@ -10,6 +10,8 @@ + #ifndef OSSL_CRYPTO_HMAC_LOCAL_H + # define OSSL_CRYPTO_HMAC_LOCAL_H + ++#include "internal/fips_sli_local.h" ++ + /* The current largest case is for SHA3-224 */ + #define HMAC_MAX_MD_CBLOCK_SIZE 144 + +@@ -18,6 +20,8 @@ struct hmac_ctx_st { + EVP_MD_CTX *md_ctx; + EVP_MD_CTX *i_ctx; + EVP_MD_CTX *o_ctx; ++ FIPS_STATUS sli; /* Service Level Indicator */ ++ size_t sli_key_len; /* SLI needs to cache keylen in case of context reuse */ + }; + + #endif +--- a/crypto/kdf/hkdf.c ++++ b/crypto/kdf/hkdf.c +@@ -222,6 +222,11 @@ static int kdf_hkdf_derive(EVP_KDF_IMPL + } + } + ++static int kdf_hkdf_fips_sli_is_approved(ossl_unused const EVP_KDF_IMPL *impl) { ++ return 0; /* can't check whether this is only used for DH / TLS1.3 because ++ this is handled by the application. Thus label HKDF as non-approved. */ ++} ++ + const EVP_KDF_METHOD hkdf_kdf_meth = { + EVP_KDF_HKDF, + kdf_hkdf_new, +@@ -230,7 +235,8 @@ const EVP_KDF_METHOD hkdf_kdf_meth = { + kdf_hkdf_ctrl, + kdf_hkdf_ctrl_str, + kdf_hkdf_size, +- kdf_hkdf_derive ++ kdf_hkdf_derive, ++ kdf_hkdf_fips_sli_is_approved + }; + + static int HKDF(const EVP_MD *evp_md, +--- a/crypto/kdf/pbkdf2.c ++++ b/crypto/kdf/pbkdf2.c +@@ -31,8 +31,16 @@ struct evp_kdf_impl_st { + size_t salt_len; + int iter; + const EVP_MD *md; ++ FIPS_STATUS sli; /* Service Level Indicator */ + }; + ++static ossl_unused int fips_sli_is_approved_struct_evp_kdf_impl_st(const struct evp_kdf_impl_st *ctx); ++fips_sli_define_basic_for(static, struct_evp_kdf_impl_st, struct evp_kdf_impl_st) ++ ++static void fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(struct evp_kdf_impl_st *ctx) { ++ fips_sli_fsm_struct_evp_kdf_impl_st(ctx, fips_sli_get_hash_status_pbkdf2(ctx->md)); ++} ++ + static EVP_KDF_IMPL *kdf_pbkdf2_new(void) + { + EVP_KDF_IMPL *impl; +@@ -64,6 +72,7 @@ static void kdf_pbkdf2_init(EVP_KDF_IMPL + { + impl->iter = PKCS5_DEFAULT_ITER; + impl->md = EVP_sha1(); ++ impl->sli = FIPS_UNSET; + } + + static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, +@@ -175,6 +184,8 @@ static int kdf_pbkdf2_derive(EVP_KDF_IMP + return 0; + } + ++ fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); ++ + return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len, + impl->salt, impl->salt_len, impl->iter, + impl->md, key, keylen); +@@ -188,7 +199,8 @@ const EVP_KDF_METHOD pbkdf2_kdf_meth = { + kdf_pbkdf2_ctrl, + kdf_pbkdf2_ctrl_str, + NULL, +- kdf_pbkdf2_derive ++ kdf_pbkdf2_derive, ++ fips_sli_is_approved_struct_evp_kdf_impl_st + }; + + /* +--- a/crypto/kdf/scrypt.c ++++ b/crypto/kdf/scrypt.c +@@ -266,6 +266,10 @@ static int kdf_scrypt_derive(EVP_KDF_IMP + impl->maxmem_bytes, key, keylen); + } + ++static int kdf_scrypt_fips_sli_is_approved(ossl_unused const EVP_KDF_IMPL *impl) { ++ return 0; /* not FIPS-approved */ ++} ++ + const EVP_KDF_METHOD scrypt_kdf_meth = { + EVP_KDF_SCRYPT, + kdf_scrypt_new, +@@ -274,7 +278,8 @@ const EVP_KDF_METHOD scrypt_kdf_meth = { + kdf_scrypt_ctrl, + kdf_scrypt_ctrl_str, + NULL, +- kdf_scrypt_derive ++ kdf_scrypt_derive, ++ kdf_scrypt_fips_sli_is_approved + }; + + #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) +--- a/crypto/kdf/sshkdf.c ++++ b/crypto/kdf/sshkdf.c +@@ -34,8 +34,19 @@ struct evp_kdf_impl_st { + char type; /* X */ + unsigned char *session_id; + size_t session_id_len; ++ FIPS_STATUS sli; /* Service Level Indicator */ + }; + ++ ++fips_sli_define_basic_for(static, struct_evp_kdf_impl_st, struct evp_kdf_impl_st) ++ ++static void fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(struct evp_kdf_impl_st *ctx) { ++ fips_sli_fsm_struct_evp_kdf_impl_st(ctx, ++ fips_sli_get_hash_status_sshkdf(ctx->md)); ++ fips_sli_fsm_struct_evp_kdf_impl_st(ctx, ++ fips_sli_get_kdf_keylen_status(ctx->key_len)); ++} ++ + static EVP_KDF_IMPL *kdf_sshkdf_new(void) + { + EVP_KDF_IMPL *impl; +@@ -196,6 +207,7 @@ static int kdf_sshkdf_derive(EVP_KDF_IMP + KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_TYPE); + return 0; + } ++ fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); + return SSHKDF(impl->md, impl->key, impl->key_len, + impl->xcghash, impl->xcghash_len, + impl->session_id, impl->session_id_len, +@@ -211,6 +223,7 @@ const EVP_KDF_METHOD sshkdf_kdf_meth = { + kdf_sshkdf_ctrl_str, + kdf_sshkdf_size, + kdf_sshkdf_derive, ++ fips_sli_is_approved_struct_evp_kdf_impl_st + }; + + static int SSHKDF(const EVP_MD *evp_md, +--- a/crypto/kdf/tls1_prf.c ++++ b/crypto/kdf/tls1_prf.c +@@ -35,8 +35,16 @@ struct evp_kdf_impl_st { + /* Buffer of concatenated seed data */ + unsigned char seed[TLS1_PRF_MAXBUF]; + size_t seedlen; ++ FIPS_STATUS sli; /* Service Level Indicator */ + }; + ++fips_sli_define_basic_for(static, struct_evp_kdf_impl_st, struct evp_kdf_impl_st) ++ ++static void fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(struct evp_kdf_impl_st *ctx) { ++ fips_sli_fsm_struct_evp_kdf_impl_st(ctx, ++ fips_sli_get_hash_status_kdf_tls1_prf(ctx->md)); ++} ++ + static EVP_KDF_IMPL *kdf_tls1_prf_new(void) + { + EVP_KDF_IMPL *impl; +@@ -152,6 +160,7 @@ static int kdf_tls1_prf_derive(EVP_KDF_I + KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED); + return 0; + } ++ fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); + return tls1_prf_alg(impl->md, impl->sec, impl->seclen, + impl->seed, impl->seedlen, + key, keylen); +@@ -165,7 +174,8 @@ const EVP_KDF_METHOD tls1_prf_kdf_meth = + kdf_tls1_prf_ctrl, + kdf_tls1_prf_ctrl_str, + NULL, +- kdf_tls1_prf_derive ++ kdf_tls1_prf_derive, ++ fips_sli_is_approved_struct_evp_kdf_impl_st + }; + + static int tls1_prf_P_hash(const EVP_MD *md, +--- a/crypto/poly1305/poly1305_pmeth.c ++++ b/crypto/poly1305/poly1305_pmeth.c +@@ -108,8 +108,10 @@ static int poly1305_signctx(EVP_PKEY_CTX + POLY1305_PKEY_CTX *pctx = ctx->data; + + *siglen = POLY1305_DIGEST_SIZE; +- if (sig != NULL) ++ if (sig != NULL) { + Poly1305_Final(&pctx->ctx, sig); ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); // Poly1305 isn't an approved MAC ++ } + return 1; + } + +--- a/crypto/rand/rand_lib.c ++++ b/crypto/rand/rand_lib.c +@@ -937,6 +937,13 @@ int RAND_priv_bytes(unsigned char *buf, + return 0; + } + ++int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num) { ++ const RAND_METHOD *meth = RAND_get_rand_method(); ++ if (meth != NULL && meth != RAND_OpenSSL()) ++ return 0; ++ return 1; ++} ++ + int RAND_bytes(unsigned char *buf, int num) + { + const RAND_METHOD *meth = RAND_get_rand_method(); +@@ -947,6 +954,11 @@ int RAND_bytes(unsigned char *buf, int n + return -1; + } + ++int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num) { ++ const RAND_METHOD *meth = RAND_get_rand_method(); ++ return meth == RAND_OpenSSL(); ++} ++ + #if OPENSSL_API_COMPAT < 0x10100000L + int RAND_pseudo_bytes(unsigned char *buf, int num) + { +--- a/crypto/rsa/rsa_pmeth.c ++++ b/crypto/rsa/rsa_pmeth.c +@@ -129,6 +129,7 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + RSA_PKEY_CTX *rctx = ctx->data; + RSA *rsa = ctx->pkey->pkey.rsa; + ++ fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(ctx, rsa); + if (rctx->md) { + if (tbslen != (size_t)EVP_MD_size(rctx->md)) { + RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); +@@ -139,6 +140,8 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + unsigned int sltmp; + if (rctx->pad_mode != RSA_PKCS1_PADDING) + return -1; ++ /* PKCS1-v1.5 padding is disallowed after 2023 */ ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + ret = RSA_sign_ASN1_OCTET_STRING(0, + tbs, tbslen, sig, &sltmp, rsa); + +@@ -154,11 +157,30 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); + return -1; + } ++ /* MINOR fips: refactor out? May have to read rctx->pad_mode (RSA_PKEY_CTX), though */ ++ /* ANSI X9.31 */ ++ switch (EVP_MD_type(rctx->md)) { ++ case NID_sha256: ++ case NID_sha384: ++ case NID_sha512: ++ case NID_sha3_224: ++ case NID_sha3_256: ++ case NID_sha3_384: ++ case NID_sha3_512: ++ case NID_shake128: ++ case NID_shake256: ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ break; ++ default: ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ } + memcpy(rctx->tbuf, tbs, tbslen); + rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); + ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, + sig, rsa, RSA_X931_PADDING); + } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { ++ /* PKCS1-v1.5 padding is disallowed after 2023 */ ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + unsigned int sltmp; + ret = RSA_sign(EVP_MD_type(rctx->md), + tbs, tbslen, sig, &sltmp, rsa); +@@ -173,12 +195,14 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + rctx->md, rctx->mgf1md, + rctx->saltlen)) + return -1; ++ fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md); + ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, + sig, rsa, RSA_NO_PADDING); + } else { + return -1; + } + } else { ++ fips_sli_approve_EVP_PKEY_CTX(ctx); /* plain sig without hash */ + ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } +@@ -199,6 +223,23 @@ static int pkey_rsa_verifyrecover(EVP_PK + if (rctx->pad_mode == RSA_X931_PADDING) { + if (!setup_tbuf(rctx, ctx)) + return -1; ++ /* MINOR fips: refactor out? May have to read rctx->pad_mode (RSA_PKEY_CTX), though */ ++ /* ANSI X9.31 */ ++ switch (EVP_MD_type(rctx->md)) { ++ case NID_sha256: ++ case NID_sha384: ++ case NID_sha512: ++ case NID_sha3_224: ++ case NID_sha3_256: ++ case NID_sha3_384: ++ case NID_sha3_512: ++ case NID_shake128: ++ case NID_shake256: ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ break; ++ default: ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ } + ret = RSA_public_decrypt(siglen, sig, + rctx->tbuf, ctx->pkey->pkey.rsa, + RSA_X931_PADDING); +@@ -245,11 +286,15 @@ static int pkey_rsa_verify(EVP_PKEY_CTX + RSA_PKEY_CTX *rctx = ctx->data; + RSA *rsa = ctx->pkey->pkey.rsa; + size_t rslen; ++ fips_sli_check_key_rsa_sigver_EVP_PKEY_CTX(ctx, rsa); + + if (rctx->md) { +- if (rctx->pad_mode == RSA_PKCS1_PADDING) ++ if (rctx->pad_mode == RSA_PKCS1_PADDING) { ++ /* PKCS1-v1.5 padding is disallowed after 2023 */ ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, + sig, siglen, rsa); ++ } + if (tbslen != (size_t)EVP_MD_size(rctx->md)) { + RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); + return -1; +@@ -270,6 +315,7 @@ static int pkey_rsa_verify(EVP_PKEY_CTX + rctx->tbuf, rctx->saltlen); + if (ret <= 0) + return 0; ++ fips_sli_check_hash_sigver_EVP_PKEY_CTX(ctx, rctx->md); + return 1; + } else { + return -1; +@@ -277,6 +323,7 @@ static int pkey_rsa_verify(EVP_PKEY_CTX + } else { + if (!setup_tbuf(rctx, ctx)) + return -1; ++ fips_sli_approve_EVP_PKEY_CTX(ctx); /* plain sig without hash */ + rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, + rsa, rctx->pad_mode); + if (rslen == 0) +@@ -313,6 +360,8 @@ static int pkey_rsa_encrypt(EVP_PKEY_CTX + ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } ++ fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(ctx, rctx->pad_mode); ++ fips_sli_check_key_rsa_enc_EVP_PKEY_CTX(ctx, ctx->pkey->pkey.rsa); + if (ret < 0) + return ret; + *outlen = ret; +@@ -342,6 +391,8 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX + ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } ++ fips_sli_check_padding_rsa_dec_EVP_PKEY_CTX(ctx, rctx->pad_mode); ++ fips_sli_check_key_rsa_dec_EVP_PKEY_CTX(ctx, ctx->pkey->pkey.rsa); + *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); + ret = constant_time_select_int(constant_time_msb(ret), ret, 1); + return ret; +@@ -747,9 +798,13 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX + RSA_free(rsa); + return 0; + } +- if (ret > 0) ++ if (rctx->primes != 2) ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ ++ if (ret > 0) { ++ fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(ctx, rsa); + EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa); +- else ++ } else + RSA_free(rsa); + return ret; + } +--- a/crypto/sha/sha1_one.c ++++ b/crypto/sha/sha1_one.c +@@ -26,3 +26,8 @@ unsigned char *SHA1(const unsigned char + OPENSSL_cleanse(&c, sizeof(c)); + return md; + } ++ ++int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md) { ++ /* Only approved depending on usage context, so default to false */ ++ return 0; ++} +--- a/crypto/siphash/siphash_pmeth.c ++++ b/crypto/siphash/siphash_pmeth.c +@@ -109,8 +109,10 @@ static int siphash_signctx(EVP_PKEY_CTX + SIPHASH_PKEY_CTX *pctx = ctx->data; + + *siglen = SipHash_hash_size(&pctx->ctx); +- if (sig != NULL) ++ if (sig != NULL) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return SipHash_Final(&pctx->ctx, sig, *siglen); ++ } + return 1; + } + +--- a/crypto/sm2/sm2_pmeth.c ++++ b/crypto/sm2/sm2_pmeth.c +@@ -107,6 +107,7 @@ static int pkey_sm2_sign(EVP_PKEY_CTX *c + return 0; + } + ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + ret = sm2_sign(tbs, tbslen, sig, &sltmp, ec); + + if (ret <= 0) +@@ -120,7 +121,7 @@ static int pkey_sm2_verify(EVP_PKEY_CTX + const unsigned char *tbs, size_t tbslen) + { + EC_KEY *ec = ctx->pkey->pkey.ec; +- ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return sm2_verify(tbs, tbslen, sig, siglen, ec); + } + +@@ -139,6 +140,7 @@ static int pkey_sm2_encrypt(EVP_PKEY_CTX + return 1; + } + ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return sm2_encrypt(ec, md, in, inlen, out, outlen); + } + +@@ -157,6 +159,7 @@ static int pkey_sm2_decrypt(EVP_PKEY_CTX + return 1; + } + ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return sm2_decrypt(ec, md, in, inlen, out, outlen); + } + +--- /dev/null ++++ b/doc/man3/FIPS_service_level_indicator.pod +@@ -0,0 +1,110 @@ ++=pod ++ ++=head1 NAME ++ ++C - get status of the FIPS Service Level Indicator (SLI) for context operations ++ ++C - get status of the FIPS SLI for standalone operations ++ ++=head1 SYNOPSIS ++ ++ #include ++ ++ int fips_sli_is_approved_EVP_CIPHER_CTX(const EVP_CIPHER_CTX *ctx); ++ ++ int fips_sli_is_approved_EVP_KDF_CTX(const EVP_KDF_CTX *ctx); ++ ++ int fips_sli_is_approved_EVP_MD_CTX(const EVP_MD_CTX *ctx); ++ ++ int fips_sli_is_approved_EVP_PKEY_CTX(const EVP_PKEY_CTX *ctx); ++ ++ int fips_sli_is_approved_CMAC_CTX(const CMAC_CTX *ctx); ++ ++ int fips_sli_is_approved_HMAC_CTX(const HMAC_CTX *ctx); ++ ++ int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md); ++ ++ int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len, ++ const unsigned char *d, size_t n, unsigned char *md, ++ unsigned int *md_len); ++ ++ int fips_sli_PKCS5_PBKDF2_HMAC_is_approved(const char *pass, int passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, int keylen, unsigned char *out); ++ ++ int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num); ++ ++ int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num); ++ ++=head1 DESCRIPTION ++ ++The service level indicator has two different usage scenarios. ++ ++=over 1 ++ ++=item C ++ ++Most operations happen on some form of a context, which also holds the SLI. ++This function returns whether the FIPS SLI indicates an approved operation or not. ++ ++After a disapproved operation is encountered, the SLI will continue to indicate this disapproved state. The SLI can only ++be reset by the various existing resetting functions such as C or reinitializing the ++context, e.g. via L. ++ ++=item C ++ ++Operations without a context (standalone functions) have a separate SLI with the name fips_sli_FNNAME_is_approved(). ++These indicator functions take the same parameters as their corresponding operation ++and may modify them just like their corresponding function might do. ++ ++In order to check the SLI status of an operation C, the function ++C must be called with the same set of parameters as C. ++Note that applications must check the return value of C according to its documentation B the return value of the SLI (see below for L). ++Both are orthogonal: the former reports about success and failure of C, and the latter whether a disapproved operation happened or not. ++Well-behaving applications check for both. ++ ++The following explicit indicators exist: ++ ++C ++ ++C ++ ++C ++ ++C ++ ++C ++ ++=back ++ ++=head1 Notes on the RNG ++ ++OpenSSL 1.1.1l implements a CTR DRBG with AES 128/192/256 (defaults to AES-256). ++See L/RAND_priv_bytes(). ++ ++Swapping out OPENSSL's RNG implementation (e.g. via L) is NOT allowed. ++ ++=head1 RETURN VALUES ++ ++C returns 0 if the previous operation(s) was unapproved or B was B, and returns 1 ++if the previous operation(s) were approved (or rather, no non-approved operations happened). ++ ++C returns 0 if an operation with a given set of parameters was unapproved, and returns 1 ++if the operation is approved with the given set of parameters. ++ ++These functions can be invoked at any time. ++ ++=head1 HISTORY ++ ++The FIPS SLI was added in OpenSSL 1.1.1.l. ++ ++=head1 COPYRIGHT ++ ++Copyright 2022 ++ ++Licensed under the OpenSSL license (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h +@@ -9,6 +9,7 @@ + + #include + #include "internal/refcount.h" ++#include "internal/fips_sli_local.h" + + /* + * Don't free up md_ctx->pctx in EVP_MD_CTX_reset, use the reserved flag +@@ -36,6 +37,7 @@ struct evp_pkey_ctx_st { + /* implementation specific keygen data */ + int *keygen_info; + int keygen_info_count; ++ FIPS_STATUS sli; /* Service Level Indicator */ + } /* EVP_PKEY_CTX */ ; + + #define EVP_PKEY_FLAG_DYNAMIC 1 +@@ -123,6 +125,9 @@ typedef struct { + int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value); + size_t (*size) (EVP_KDF_IMPL *impl); + int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen); ++ /* KDFs are handled differently by the SLI because the EVP_KDF_IMPL, which ++ holds the required information, is defined implementation-dependent */ ++ int (*fips_sli_is_approved) (const EVP_KDF_IMPL *impl); + } EVP_KDF_METHOD; + + extern const EVP_KDF_METHOD pbkdf2_kdf_meth; +--- /dev/null ++++ b/include/crypto/fipserr.h +@@ -0,0 +1,121 @@ ++/* ++ * Generated by util/mkerr.pl DO NOT EDIT ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#ifndef HEADER_FIPSERR_H ++# define HEADER_FIPSERR_H ++ ++# include ++ ++# ifdef __cplusplus ++extern "C" ++# endif ++int ERR_load_FIPS_strings(void); ++ ++/* ++ * FIPS function codes. ++ */ ++# define FIPS_F_DRBG_RESEED 100 ++# define FIPS_F_DSA_BUILTIN_PARAMGEN2 101 ++# define FIPS_F_DSA_DO_SIGN 102 ++# define FIPS_F_DSA_DO_VERIFY 103 ++# define FIPS_F_ECDSA_SIMPLE_SIGN_SIG 104 ++# define FIPS_F_ECDSA_SIMPLE_VERIFY_SIG 105 ++# define FIPS_F_EVP_CIPHERINIT_EX 106 ++# define FIPS_F_EVP_CIPHER_CTX_NEW 107 ++# define FIPS_F_EVP_CIPHER_CTX_RESET 108 ++# define FIPS_F_EVP_DIGESTINIT_EX 109 ++# define FIPS_F_FIPS_CHECK_DSA 110 ++# define FIPS_F_FIPS_CHECK_EC 111 ++# define FIPS_F_FIPS_CHECK_RSA 112 ++# define FIPS_F_FIPS_DRBG_BYTES 113 ++# define FIPS_F_FIPS_DRBG_CHECK 114 ++# define FIPS_F_FIPS_DRBG_ERROR_CHECK 115 ++# define FIPS_F_FIPS_DRBG_GENERATE 116 ++# define FIPS_F_FIPS_DRBG_INIT 117 ++# define FIPS_F_FIPS_DRBG_INSTANTIATE 118 ++# define FIPS_F_FIPS_DRBG_NEW 119 ++# define FIPS_F_FIPS_DRBG_SINGLE_KAT 120 ++# define FIPS_F_FIPS_GET_ENTROPY 121 ++# define FIPS_F_FIPS_MODULE_MODE_SET 122 ++# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 123 ++# define FIPS_F_FIPS_RAND_BYTES 124 ++# define FIPS_F_FIPS_RAND_SEED 125 ++# define FIPS_F_FIPS_RAND_SET_METHOD 126 ++# define FIPS_F_FIPS_RAND_STATUS 127 ++# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 128 ++# define FIPS_F_FIPS_SELFTEST_AES 129 ++# define FIPS_F_FIPS_SELFTEST_AES_CCM 130 ++# define FIPS_F_FIPS_SELFTEST_AES_GCM 131 ++# define FIPS_F_FIPS_SELFTEST_AES_XTS 132 ++# define FIPS_F_FIPS_SELFTEST_CMAC 133 ++# define FIPS_F_FIPS_SELFTEST_DES 134 ++# define FIPS_F_FIPS_SELFTEST_ECDSA 135 ++# define FIPS_F_FIPS_SELFTEST_HKDF 136 ++# define FIPS_F_FIPS_SELFTEST_HMAC 137 ++# define FIPS_F_FIPS_SELFTEST_PBKDF2 138 ++# define FIPS_F_FIPS_SELFTEST_SHA1 139 ++# define FIPS_F_FIPS_SELFTEST_SHA2 140 ++# define FIPS_F_FIPS_SELFTEST_SHA3 141 ++# define FIPS_F_FIPS_SELFTEST_SSH 142 ++# define FIPS_F_FIPS_SELFTEST_TLS 143 ++# define FIPS_F_OSSL_ECDH_COMPUTE_KEY 144 ++# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 145 ++# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 146 ++# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 147 ++# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 148 ++ ++/* ++ * FIPS reason codes. ++ */ ++# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 100 ++# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 101 ++# define FIPS_R_ALREADY_INSTANTIATED 102 ++# define FIPS_R_DRBG_NOT_INITIALISED 103 ++# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104 ++# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105 ++# define FIPS_R_ENTROPY_SOURCE_STUCK 106 ++# define FIPS_R_ERROR_INITIALISING_DRBG 107 ++# define FIPS_R_ERROR_INSTANTIATING_DRBG 108 ++# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 109 ++# define FIPS_R_ERROR_RETRIEVING_ENTROPY 110 ++# define FIPS_R_ERROR_RETRIEVING_NONCE 111 ++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 112 ++# define FIPS_R_FIPS_MODE_ALREADY_SET 113 ++# define FIPS_R_FIPS_SELFTEST_FAILED 114 ++# define FIPS_R_FUNCTION_ERROR 115 ++# define FIPS_R_GENERATE_ERROR 116 ++# define FIPS_R_GENERATE_ERROR_UNDETECTED 117 ++# define FIPS_R_INSTANTIATE_ERROR 118 ++# define FIPS_R_INVALID_KEY_LENGTH 119 ++# define FIPS_R_IN_ERROR_STATE 120 ++# define FIPS_R_KEY_TOO_SHORT 121 ++# define FIPS_R_NONCE_ERROR_UNDETECTED 122 ++# define FIPS_R_NON_FIPS_METHOD 123 ++# define FIPS_R_NOPR_TEST1_FAILURE 124 ++# define FIPS_R_NOPR_TEST2_FAILURE 125 ++# define FIPS_R_NOT_INSTANTIATED 126 ++# define FIPS_R_PAIRWISE_TEST_FAILED 127 ++# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128 ++# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129 ++# define FIPS_R_PR_TEST1_FAILURE 130 ++# define FIPS_R_PR_TEST2_FAILURE 131 ++# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 132 ++# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 133 ++# define FIPS_R_RESEED_COUNTER_ERROR 134 ++# define FIPS_R_RESEED_ERROR 135 ++# define FIPS_R_SELFTEST_FAILED 136 ++# define FIPS_R_SELFTEST_FAILURE 137 ++# define FIPS_R_TEST_FAILURE 138 ++# define FIPS_R_UNINSTANTIATE_ERROR 139 ++# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 140 ++# define FIPS_R_UNSUPPORTED_DRBG_TYPE 141 ++# define FIPS_R_UNSUPPORTED_PLATFORM 142 ++ ++#endif +--- /dev/null ++++ b/include/internal/fips_sli_local.h +@@ -0,0 +1,96 @@ ++#ifndef FIPS_SLI_LOCAL_H_INCLUDED ++#define FIPS_SLI_LOCAL_H_INCLUDED ++ ++#include ++#include ++#include ++ ++/* status for SLI */ ++typedef enum fips_status_e { ++ FIPS_UNSET, ++ FIPS_APPROVED, ++ FIPS_NONAPPROVED, ++ FIPS_ERROR, ++} FIPS_STATUS; ++ ++ ++void fips_sli_approve_EVP_KDF_CTX(EVP_KDF_CTX *ctx); ++void fips_sli_approve_EVP_MD_CTX(EVP_MD_CTX *ctx); ++void fips_sli_approve_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx); ++void fips_sli_approve_HMAC_CTX(HMAC_CTX *ctx); ++ ++/* Unused: ++ * void fips_sli_approve_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx); ++ */ ++void fips_sli_disapprove_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx); ++void fips_sli_disapprove_EVP_KDF_CTX(EVP_KDF_CTX *ctx); ++void fips_sli_disapprove_EVP_MD_CTX(EVP_MD_CTX *ctx); ++void fips_sli_disapprove_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx); ++void fips_sli_disapprove_HMAC_CTX(HMAC_CTX *ctx); ++ ++//void fips_sli_error_EVP_KDF_CTX(EVP_KDF_CTX *ctx); /* unused */ ++//void fips_sli_error_HMAC_CTX(HMAC_CTX *ctx); ++//void fips_sli_error_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx); ++void fips_sli_error_EVP_MD_CTX(EVP_MD_CTX *ctx); ++void fips_sli_error_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx); ++ ++FIPS_STATUS fips_sli_fsm_transition(FIPS_STATUS state, FIPS_STATUS input); ++ ++#define fips_sli_define_basic_for(LNKG, FNNAME, CTXTYPE) \ ++static void fips_sli_fsm_##FNNAME(CTXTYPE *ctx, FIPS_STATUS input) { \ ++ if (ctx == NULL) \ ++ return; \ ++ ctx->sli = fips_sli_fsm_transition(ctx->sli, input); \ ++} \ ++LNKG int fips_sli_is_approved_##FNNAME(const CTXTYPE *ctx) { \ ++ if (ctx == NULL) \ ++ return 0; \ ++ return (ctx->sli == FIPS_UNSET) || (ctx->sli == FIPS_APPROVED); \ ++} ++ ++#define fips_sli_define_for(CTXTYPE) \ ++fips_sli_define_basic_for(, CTXTYPE, CTXTYPE) \ ++void fips_sli_approve_##CTXTYPE(CTXTYPE *ctx) { \ ++ fips_sli_fsm_##CTXTYPE(ctx, FIPS_APPROVED); \ ++} \ ++void fips_sli_disapprove_##CTXTYPE(CTXTYPE *ctx) { \ ++ fips_sli_fsm_##CTXTYPE(ctx, FIPS_NONAPPROVED); \ ++} \ ++void fips_sli_error_##CTXTYPE(CTXTYPE *ctx) { \ ++ fips_sli_fsm_##CTXTYPE(ctx, FIPS_ERROR); \ ++} ++ ++void fips_sli_check_hash_siggen_EVP_MD_CTX(EVP_MD_CTX * ctx, const EVP_MD * md); ++void fips_sli_check_hash_sigver_EVP_MD_CTX(EVP_MD_CTX * ctx, const EVP_MD * md); ++void fips_sli_check_hash_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const EVP_MD * md); ++void fips_sli_check_hash_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const EVP_MD * md); ++void fips_sli_check_hash_mac_HMAC_CTX(HMAC_CTX * ctx, const EVP_MD * md); ++ ++FIPS_STATUS fips_sli_get_hash_status_sshkdf(const EVP_MD * md); ++FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md); ++FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md); ++FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes); ++ ++/* Check if used curve is okay for and in this context */ ++void fips_sli_check_curve_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_GROUP *group); ++void fips_sli_check_curve_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_GROUP *group); ++ ++void fips_sli_check_key_ec_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_KEY *ec); ++void fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_rsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_dsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa); ++void fips_sli_check_key_dsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa); ++ ++void fips_sli_check_key_dh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const DH *dh); ++void fips_sli_check_key_ecdh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_KEY *ecdh); ++ ++void fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode); ++void fips_sli_check_padding_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode); ++ ++FIPS_STATUS EVP_CIPHER_get_fips_status(const EVP_CIPHER *cipher); ++void fips_sli_check_cipher_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher); ++ ++#endif /* FIPS_SLI_LOCAL_H_INCLUDED */ +--- /dev/null ++++ b/include/openssl/fips_sli.h +@@ -0,0 +1,32 @@ ++#ifndef FIPS_SLI_H_INCLUDED ++#define FIPS_SLI_H_INCLUDED ++ ++#include ++#include ++# ifdef __cplusplus ++extern "C" { ++# endif ++ ++/* Interface for consumers to check if their usage of the services offered by ++ * this ctx was approved */ ++int fips_sli_is_approved_EVP_CIPHER_CTX(const EVP_CIPHER_CTX *ctx); ++int fips_sli_is_approved_EVP_KDF_CTX(const EVP_KDF_CTX *ctx); ++int fips_sli_is_approved_EVP_MD_CTX(const EVP_MD_CTX *ctx); ++int fips_sli_is_approved_EVP_PKEY_CTX(const EVP_PKEY_CTX *ctx); ++int fips_sli_is_approved_CMAC_CTX(const CMAC_CTX *ctx); ++int fips_sli_is_approved_HMAC_CTX(const HMAC_CTX *ctx); ++ ++int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md); ++int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len, ++ const unsigned char *d, size_t n, unsigned char *md, ++ unsigned int *md_len); ++int fips_sli_PKCS5_PBKDF2_HMAC_is_approved(const char *pass, int passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, int keylen, unsigned char *out); ++int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num); ++int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num); ++ ++# ifdef __cplusplus ++} ++# endif ++#endif // FIPS_SLI_H_INCLUDED +--- a/test/build.info ++++ b/test/build.info +@@ -52,7 +52,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I + recordlentest drbgtest drbg_cavs_test sslbuffertest \ + time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \ + servername_test ocspapitest rsa_mp_test fatalerrtest tls13ccstest \ +- sysdefaulttest errtest ssl_ctx_test gosttest ++ sysdefaulttest errtest ssl_ctx_test gosttest fips_slitest + + SOURCE[versions]=versions.c + INCLUDE[versions]=../include +@@ -575,6 +575,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I + INCLUDE[gosttest]=../include .. + DEPEND[gosttest]=../libcrypto ../libssl libtestutil.a + ++ SOURCE[fips_slitest]=fips_slitest.c fips_slitest_helper.c ++ INCLUDE[fips_slitest]=../include ++ DEPEND[fips_slitest]=../libcrypto libtestutil.a ++ + SOURCE[ssl_ctx_test]=ssl_ctx_test.c + INCLUDE[ssl_ctx_test]=../include + DEPEND[ssl_ctx_test]=../libcrypto ../libssl libtestutil.a +--- /dev/null ++++ b/test/fips_slitest.c +@@ -0,0 +1,659 @@ ++#include ++#include ++#include ++#include /* To see if OPENSSL_NO_EC is defined */ ++#ifndef OPENSSL_NO_EC ++# include ++#endif ++#ifndef OPENSSL_NO_RSA ++# include ++#endif ++#include ++ ++#include "testutil.h" ++#include "fips_slitest_helper.h" ++ ++static int test_sli_noop(void) { ++ int res = 0; /* 0 means test failure */ ++ EVP_MD_CTX* ctx = NULL; ++ if (!TEST_ptr(ctx = EVP_MD_CTX_new())) ++ goto end; ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(ctx))) ++ goto end; ++ if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(NULL))) ++ goto end; ++ res = 1; /* test case successful */ ++end: ++ EVP_MD_CTX_free(ctx); ++ return res; ++} ++ ++static int cmac_aes_cbc(void) { ++ int success = 0; ++ CMAC_CTX *ctx = NULL; ++ size_t maclen = 0; ++ ++ if (!TEST_ptr(ctx = CMAC_CTX_new())) ++ return 0; ++ if (!TEST_true(CMAC_Init(ctx, get_key_16(), 16, EVP_aes_128_cbc(), NULL)) ++ || !TEST_true(CMAC_Final(ctx, NULL, &maclen)) ++ ) { ++ CMAC_CTX_free(ctx); ++ return 0; ++ } ++ ++ uint8_t mac[maclen]; ++ ++ if (!TEST_true(maclen > 0) ++ || !TEST_true(CMAC_Update(ctx, get_msg_16(), 16)) ++ || !TEST_true(CMAC_Final(ctx, mac, &maclen)) ++ || !TEST_true(fips_sli_is_approved_CMAC_CTX(ctx)) ++ ) ++ goto end; ++ success = 1; ++end: ++ CMAC_CTX_free(ctx); ++ return success; ++} ++ ++static int cmac_no_des(void) { ++ int success = 0; ++ CMAC_CTX *ctx = NULL; ++ size_t maclen = 0; ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ TEST_note("Skipping test because DES is disabled in FIPS mode"); ++ return 1; ++ } ++#endif ++ ++ if (!TEST_ptr(ctx = CMAC_CTX_new())) ++ return 0; ++ if (!TEST_true(CMAC_Init(ctx, get_key_16(), 16, EVP_des_ede_cbc(), NULL)) ++ || !TEST_true(CMAC_Final(ctx, NULL, &maclen)) ++ ) { ++ CMAC_CTX_free(ctx); ++ return 0; ++ } ++ ++ uint8_t mac[maclen]; ++ ++ if (!TEST_true(maclen > 0) ++ || !TEST_int_eq(16, EVP_CIPHER_key_length(EVP_des_ede_cbc())) ++ || !TEST_true(CMAC_Update(ctx, get_msg_16(), 16)) ++ || !TEST_true(CMAC_Final(ctx, mac, &maclen)) ++ || !TEST_false(fips_sli_is_approved_CMAC_CTX(ctx)) ++ ) ++ goto end; ++ success = 1; ++end: ++ CMAC_CTX_free(ctx); ++ return success; ++} ++ ++typedef struct { ++ int fips_approved; ++ int cipher_nid; ++} SLI_CMAC_TEST; ++ ++static const SLI_CMAC_TEST cmac_tests[] = { ++ // Cipher must fit to key length of 32 B ++ {1, NID_aes_256_cbc}, ++ {0, NID_camellia_256_cbc}, ++}; ++static const size_t cmac_tests_len = sizeof(cmac_tests) / sizeof(cmac_tests[0]); ++ ++static int cmac_via_md_ctx(int cmac_test_index) { ++ int success = 0; ++ EVP_MD_CTX *ctx = NULL; ++ const EVP_MD* md = NULL; ++ unsigned char* mac = NULL; ++ size_t maclen = 0; ++ ++ EVP_PKEY *key = NULL; ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() ++ && cmac_tests[cmac_test_index].cipher_nid == NID_camellia_256_cbc) { ++ TEST_note("Skipping test because Camellia is disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++#endif ++ ++ if (!TEST_true(get_cmac_key(cmac_tests[cmac_test_index].cipher_nid, ++ &key) == 1)) ++ goto end; ++ if (!TEST_ptr(ctx = EVP_MD_CTX_new())) ++ goto end; ++ // hash doesn't matter here but must be present... ++ if (!TEST_true(EVP_DigestInit_ex(ctx, EVP_sha256(), NULL))) ++ goto end; ++ if (!TEST_true(EVP_DigestSignInit(ctx, NULL, md, NULL, key))) ++ goto end; ++ if (!TEST_true(EVP_DigestSignUpdate(ctx, get_msg_16(), 16))) ++ goto end; ++ size_t req = 0; ++ if (!TEST_true(EVP_DigestSignFinal(ctx, NULL, &req))) ++ goto end; ++ if (!TEST_true(req > 0)) ++ goto end; ++ if (!TEST_ptr(mac = OPENSSL_malloc(req))) ++ goto end; ++ maclen = req; ++ if (!TEST_true(EVP_DigestSignFinal(ctx, mac, &maclen))) ++ goto end; ++ if (cmac_tests[cmac_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(ctx))) ++ goto end; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(ctx))) ++ goto end; ++ } ++ ++ success = 1; ++end: ++ if (mac) ++ OPENSSL_free(mac); ++ EVP_MD_CTX_free(ctx); ++ return success; ++} ++ ++#ifndef OPENSSL_NO_EC ++typedef struct { ++ int fips_approved; ++ int curve_nid; ++} SLI_ECDSA_TEST; ++ ++static const SLI_ECDSA_TEST ecdsa_tests[] = { ++ {0, NID_secp112r2}, ++ {1, NID_secp521r1}, ++#ifndef OPENSSL_NO_EC2M ++ {0, NID_sect163r1}, ++#endif ++ {0, NID_brainpoolP512r1}, ++}; ++static const size_t ecdsa_tests_len = sizeof(ecdsa_tests) / sizeof(ecdsa_tests[0]); ++ ++/* Adapted from openssl/test/ecdsatest.c */ ++static int ecdsa_via_EVP_DigestSign(int ecdsa_test_index) { ++ unsigned char *sig = NULL; ++ EC_KEY *eckey = NULL; ++ EVP_PKEY *pkey = NULL; ++ EVP_MD_CTX *mctx = NULL; ++ size_t sig_len; ++ const int nid = ecdsa_tests[ecdsa_test_index].curve_nid; ++ int success = 0; ++ const uint8_t* tbs = get_msg_128(); ++ ++ TEST_note("testing ECDSA for curve %s", OBJ_nid2sn(nid)); ++ ++ if (!TEST_ptr(mctx = EVP_MD_CTX_new()) ++ || !TEST_ptr(eckey = EC_KEY_new_by_curve_name(nid)) ++ || !TEST_true(EC_KEY_generate_key(eckey)) ++ || !TEST_ptr(pkey = EVP_PKEY_new()) ++ || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey))) ++ goto err; ++ ++ sig_len = ECDSA_size(eckey); ++ ++ if (!TEST_ptr(sig = OPENSSL_malloc(sig_len)) ++ /* create a signature */ ++ || !TEST_true(EVP_DigestSignInit(mctx, NULL, NULL, NULL, pkey)) ++ || !TEST_true(EVP_DigestSign(mctx, sig, &sig_len, tbs, sizeof(tbs))) ++ || !TEST_int_le(sig_len, ECDSA_size(eckey))) ++ goto err; ++ ++ // SLI shows proper status for sign() ++ if (ecdsa_tests[ecdsa_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ } ++ ++ /* positive test, verify with correct key, 1 return */ ++ if (!TEST_true(EVP_MD_CTX_reset(mctx)) ++ || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey))) ++ goto err; ++ ++ /* a resetted and initialised ctx should be okay again */ ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ ++ if (!TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) ++ goto err; ++ ++ // SLI shows proper status for verify() ++ if (ecdsa_tests[ecdsa_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ } ++ ++ success = 1; ++err: ++ EVP_PKEY_free(pkey); ++ if (mctx != NULL) ++ EVP_MD_CTX_free(mctx); ++ if (sig != NULL) ++ OPENSSL_free(sig); ++ return success; ++} ++#endif ++ ++typedef struct { ++ int fips_approved; ++ int cipher_nid; ++} SLI_CIPHER_TEST; ++ ++static const SLI_CIPHER_TEST cipher_tests[] = { ++ {1, NID_aes_128_cfb128}, ++ {1, NID_aes_256_gcm}, ++ {0, NID_des_ede3_cbc}, ++ {0, NID_des_ede3_cfb8}, ++ {0, NID_des_ofb64}, ++ {0, NID_des_ede_ecb}, ++ {0, NID_des_ede_ofb64}, ++ {0, NID_idea_cbc}, ++}; ++static const size_t cipher_tests_len = sizeof(cipher_tests) / sizeof(cipher_tests[0]); ++ ++static size_t get_ciphertext_len(size_t plaintextlen, const EVP_CIPHER *cipher) { ++ /* maximum value according to manpage */ ++ return plaintextlen + EVP_CIPHER_block_size(cipher); ++} ++ ++static int cipher(int cipher_test_index) { ++ int success = 0; ++ unsigned char *key = NULL, *iv = NULL, *ctext = NULL; ++ int ctext_written_len = 0; ++ const EVP_CIPHER *cipher = NULL; ++ EVP_CIPHER_CTX *ctx = NULL; ++ const uint8_t* const ptext = get_msg_16(); ++ const size_t ptext_len = 16; ++ const int cipher_nid = cipher_tests[cipher_test_index].cipher_nid; ++ ++ TEST_note("testing SLI for cipher %s", OBJ_nid2sn(cipher_nid)); ++ ++#ifdef OPENSSL_NO_IDEA ++ switch (cipher_nid) { ++ case NID_idea_cbc: ++ TEST_note("Skipping test since IDEA is not supported in this build"); ++ success = 1; ++ goto end; ++ } ++#endif ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ switch (cipher_nid) { ++ case NID_des_ofb64: ++ case NID_des_ede_ecb: ++ case NID_des_ede_ofb64: ++ case NID_idea_cbc: ++ TEST_note("Skipping test since DES/IDEA are disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++ } ++#endif ++ ++ if (!TEST_ptr(cipher = EVP_get_cipherbynid(cipher_nid))) { ++ goto end; ++ } ++ ++ const size_t key_len = EVP_CIPHER_key_length(cipher); ++ const size_t iv_len = EVP_CIPHER_iv_length(cipher); ++ TEST_note("have keylen = %zd, ivlen = %zd", key_len, iv_len); ++ ++ if (!TEST_ptr(key = OPENSSL_malloc(key_len)) ++ || !TEST_ptr(ctext = OPENSSL_malloc(get_ciphertext_len(ptext_len, cipher))) ++ || !TEST_true(RAND_bytes(key, key_len) == 1)) ++ goto end; ++ ++ if (iv_len != 0) { ++ if (!TEST_ptr(iv = OPENSSL_malloc(iv_len)) ++ || !TEST_true(RAND_bytes(iv, iv_len) == 1)) ++ goto end; ++ } ++ ++ int tmp_len = 0; ++ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) ++ || !TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv) == 1) ++ || !TEST_true(EVP_EncryptUpdate(ctx, ctext, &ctext_written_len, ptext, ptext_len) == 1) ++ || !TEST_true(ctext_written_len <= get_ciphertext_len(ptext_len, cipher)) ++ || !TEST_true(EVP_EncryptFinal_ex(ctx, ctext + ctext_written_len, &tmp_len) == 1)) ++ goto end; ++ ++ if (!TEST_true(ctext_written_len + tmp_len <= get_ciphertext_len(ptext_len, cipher))) ++ goto end; ++ ++ if (cipher_tests[cipher_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_CIPHER_CTX(ctx))) ++ goto end; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_CIPHER_CTX(ctx))) ++ goto end; ++ } ++ ++ success = 1; ++end: ++ EVP_CIPHER_CTX_free(ctx); ++ if (key != NULL) ++ OPENSSL_free(key); ++ if (iv != NULL) ++ OPENSSL_free(iv); ++ if (ctext != NULL) ++ OPENSSL_free(ctext); ++ return success; ++} ++ ++#ifndef OPENSSL_NO_RSA ++typedef struct { ++ int fips_approved; ++ int cipher_nid; ++ uint8_t rsa_key_id; ++} SLI_SEALENV_TEST; ++ ++static const SLI_SEALENV_TEST sealenv_tests[] = { ++ // consider RSA enc/dec as always disapproved ++ {0, NID_aes_128_cfb128, 0}, ++ {0, NID_aes_256_gcm, 1}, ++ {0, NID_idea_cbc, 0}, ++ {0, NID_des_ede3_cbc, 2}, ++ {0, NID_aes_128_ecb, 0}, ++ {0, NID_aes_128_ecb, 3}, ++ {0, NID_aes_128_ccm, 3}, ++}; ++static const size_t sealenv_tests_len = sizeof(sealenv_tests) / sizeof(sealenv_tests[0]); ++ ++/* Asymmetric enc/dec */ ++static int sealenv(int sealenv_test_index) { ++ int success = 0; ++ RSA *rsa_pkey = RSA_new(); ++ EVP_PKEY *pkey = NULL; ++ const EVP_CIPHER *cipher = NULL; ++ const int cipher_nid = sealenv_tests[sealenv_test_index].cipher_nid; ++ EVP_CIPHER_CTX *ctx = NULL; ++ ++ uint8_t* enc_sym_key = NULL; ++ int enc_sym_key_len = 0; ++ ++ const uint8_t* const ptext = get_msg_128(); ++ const size_t ptext_len = 128; ++ unsigned char *iv = NULL, *ctext = NULL; ++ size_t ctext_len = 0; ++ int ctext_written_len = 0; ++ ++ switch (sealenv_tests[sealenv_test_index].rsa_key_id) { ++ case 0: ++ get_rsa_key1(rsa_pkey); ++ break; ++ case 1: ++ get_rsa_key2(rsa_pkey); ++ break; ++ case 2: ++ get_rsa_key3(rsa_pkey); ++ break; ++ case 3: ++ if (!TEST_int_eq(256, get_rsa_key2048p3(rsa_pkey))) ++ goto end; ++ break; ++ default: ++ goto end; ++ } ++ ++ TEST_note("RSA enc with key #%d, cipher %s", ++ sealenv_tests[sealenv_test_index].rsa_key_id, ++ OBJ_nid2sn(cipher_nid)); ++ ++#ifdef OPENSSL_NO_IDEA ++ switch (cipher_nid) { ++ case NID_idea_cbc: ++ TEST_note("Skipping test since IDEA is not supported in this build"); ++ success = 1; ++ goto end; ++ } ++#endif ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ switch (cipher_nid) { ++ case NID_idea_cbc: ++ TEST_note("Skipping test since IDEA is disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++ } ++#endif ++ ++ if (!TEST_ptr(pkey = EVP_PKEY_new()) ++ || !TEST_true(EVP_PKEY_assign_RSA(pkey, rsa_pkey)) ++ || !TEST_ptr(cipher = EVP_get_cipherbynid(cipher_nid)) ++ || !TEST_ptr(enc_sym_key = OPENSSL_malloc(EVP_PKEY_size(pkey))) ++ || !TEST_ptr(ctext = OPENSSL_malloc(get_ciphertext_len(ptext_len, cipher))) ++ ) ++ goto end; ++ ++ const size_t iv_len = EVP_CIPHER_iv_length(cipher); ++ if (iv_len != 0) { ++ if (!TEST_ptr(iv = OPENSSL_malloc(iv_len))) ++ goto end; ++ } ++ ++ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) ++ || !TEST_true(1 == EVP_SealInit(ctx, cipher, &enc_sym_key, &enc_sym_key_len, iv, &pkey, 1)) ++ || !TEST_true(enc_sym_key_len > 0 && enc_sym_key_len <= EVP_PKEY_size(pkey)) ++ || !TEST_true(1 == EVP_SealUpdate(ctx, ctext, &ctext_written_len, ptext, ptext_len)) ++ ) ++ goto end; ++ ctext_len += ctext_written_len; ++ if (!TEST_true(1 == EVP_SealFinal(ctx, ctext + ctext_len, &ctext_written_len))) ++ goto end; ++ ctext_len += ctext_written_len; ++ if (!TEST_true(ctext_len <= get_ciphertext_len(ptext_len, cipher))) ++ goto end; ++ ++ if (sealenv_tests[sealenv_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_CIPHER_CTX(ctx))) ++ goto end; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_CIPHER_CTX(ctx))) ++ goto end; ++ } ++ ++ success = 1; ++end: ++ EVP_PKEY_free(pkey); /* also frees rsa_pkey */ ++ if (ctx != NULL) ++ EVP_CIPHER_CTX_free(ctx); ++ if (enc_sym_key != NULL) ++ OPENSSL_free(enc_sym_key); ++ if (iv != NULL) ++ OPENSSL_free(iv); ++ if (ctext != NULL) ++ OPENSSL_free(ctext); ++ return success; ++} ++#endif ++ ++typedef struct { ++ int fips_approved; ++ int iterations; ++ int nid_digest; ++ const uint8_t key_expected[32]; // length has to be 32 ++} SLI_PBKDF2_TEST; ++ ++static const SLI_PBKDF2_TEST pbkdf2_tests[] = { ++ { ++ 1, 4200, NID_sha256, { ++ 0xE7, 0xBE, 0x37, 0x75, 0x9D, 0x53, 0x3E, 0x5A, 0x06, 0x20, 0xC9, 0xA5, 0x3A, 0x8D, 0xA2, 0x9E, ++ 0x9C, 0x27, 0xDF, 0x26, 0x24, 0xAB, 0xD8, 0x8E, 0x56, 0xE5, 0xB9, 0xF5, 0xA0, 0xD6, 0xD5, 0xEE ++ } ++ }, ++ { ++ 1, 1347, NID_sha256, { ++ 0xFB, 0xBB, 0xEC, 0x28, 0x5B, 0x48, 0xE7, 0xC2, 0x54, 0x4E, 0x65, 0x0F, 0x1E, 0xC8, 0xB5, 0x1C, ++ 0xF5, 0xAD, 0xAE, 0x2A, 0x21, 0x56, 0x94, 0xD2, 0xE1, 0xB7, 0xC8, 0x7D, 0x7A, 0x0D, 0x63, 0x86 ++ } ++ }, ++ { ++ 1, 4200, NID_sha1, { ++ 0x45, 0x96, 0x78, 0xF3, 0x92, 0x74, 0xAC, 0x5B, 0x1F, 0x2B, 0xD3, 0x75, 0x1A, 0xBA, 0x5D, 0xBE, ++ 0xF2, 0xDE, 0xE9, 0x88, 0x16, 0x4B, 0x0B, 0x84, 0x94, 0xD9, 0xC2, 0x2D, 0xC1, 0xB9, 0xB0, 0x8A ++ } ++ }, ++ { ++ 1, 4200, NID_sha3_512, { ++ 0x1E, 0x77, 0xC8, 0x28, 0x9A, 0x79, 0x2E, 0x25, 0x85, 0x8D, 0x73, 0xB3, 0x0D, 0xA1, 0x26, 0x65, ++ 0xC0, 0x04, 0x7D, 0x91, 0xB6, 0x5F, 0x89, 0x5E, 0x01, 0x82, 0x23, 0x35, 0x19, 0x2E, 0x5C, 0x09 ++ } ++ }, ++ { ++ 0, 1347, NID_md5, { ++ 0xC2, 0x78, 0x16, 0xDC, 0xD1, 0xC5, 0x71, 0xBD, 0x4A, 0x06, 0x2B, 0x38, 0x50, 0xE7, 0x4E, 0xC2, ++ 0x0E, 0x74, 0x9D, 0xB1, 0x59, 0xA8, 0xFF, 0x11, 0x24, 0x68, 0xD0, 0xCF, 0x69, 0xE5, 0x30, 0x36 ++ } ++ } ++}; ++static const size_t pbkdf2_tests_len = sizeof(pbkdf2_tests) / sizeof(pbkdf2_tests[0]); ++ ++static int test_PKCS5_PBKDF2_HMAC(int pbkdf2_tests_idx) { ++ int success = 0; ++ const char password[] = "password"; ++ const unsigned char salt[] = {'s', 'a', 'l', 't'}; ++ const size_t password_len = sizeof(password) / sizeof(password[0]); ++ const size_t salt_len = sizeof(salt) / sizeof(salt[0]); ++ ++ int iter = pbkdf2_tests[pbkdf2_tests_idx].iterations; ++ const EVP_MD *digest = EVP_get_digestbynid(pbkdf2_tests[pbkdf2_tests_idx].nid_digest); ++ const size_t key_len = 32; ++ const size_t key_expected_len = key_len; ++ uint8_t* key = NULL; ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ switch (pbkdf2_tests[pbkdf2_tests_idx].nid_digest) { ++ case NID_md5: ++ TEST_note("Skipping test since MD5 is disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++ } ++#endif ++ ++ if (!TEST_ptr(key = OPENSSL_malloc(key_len)) ++ || !TEST_true(1 == PKCS5_PBKDF2_HMAC(password, password_len, salt, salt_len, ++ iter, digest, ++ key_len, key)) ++ || !TEST_true(fips_sli_PKCS5_PBKDF2_HMAC_is_approved(password, password_len, ++ salt, salt_len, ++ iter, digest, ++ key_len, key) == pbkdf2_tests[pbkdf2_tests_idx].fips_approved) ++ || !TEST_mem_eq(key, key_len, pbkdf2_tests[pbkdf2_tests_idx].key_expected, key_expected_len)) ++ goto end; ++ success = 1; ++end: ++ return success; ++} ++ ++typedef struct { ++ int fips_approved; ++ int digest_nid; ++} SLI_SSHKDF_TEST; ++ ++static const SLI_SSHKDF_TEST sshkdf_tests[] = { ++ {1, NID_sha256}, ++ {0, NID_md5}, ++}; ++static const size_t sshkdf_tests_len = sizeof(sshkdf_tests) / sizeof(sshkdf_tests[0]); ++ ++static int sshkdf(int sshkdf_test_idx) { ++ int success = 0; ++ const uint8_t *key = get_key_32(); ++ const uint8_t *xcghash = get_msg_128(); ++ const uint8_t *session_id = get_key_32(); ++ uint8_t kdfout[16]; ++ size_t kdfoutlen = sizeof(kdfout) / sizeof(kdfout[0]); ++ const int digest_nid = sshkdf_tests[sshkdf_test_idx].digest_nid; ++ EVP_KDF_CTX *ctx = NULL; ++ ++ TEST_note("SSHKDF with %s", OBJ_nid2sn(digest_nid)); ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ switch (digest_nid) { ++ case NID_md5: ++ TEST_note("Skipping test since MD5 is disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++ } ++#endif ++ ++ if (!TEST_ptr(ctx = EVP_KDF_CTX_new_id(NID_sshkdf)) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, EVP_get_digestbynid(digest_nid)) == 1) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, 32) == 1) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, session_id, 32) == 1) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV) == 1) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, xcghash, 128) == 1) ++ || !TEST_true(fips_sli_is_approved_EVP_KDF_CTX(ctx)) ++ || !TEST_true(EVP_KDF_derive(ctx, kdfout, kdfoutlen) == 1) ++ || !TEST_true(fips_sli_is_approved_EVP_KDF_CTX(ctx) == sshkdf_tests[sshkdf_test_idx].fips_approved) ++ ) ++ goto end; ++ ++ EVP_KDF_reset(ctx); ++ ++ if (!TEST_true(fips_sli_is_approved_EVP_KDF_CTX(ctx))) ++ goto end; ++ ++ success = 1; ++end: ++ EVP_KDF_CTX_free(ctx); ++ return success; ++} ++ ++static int rand_bytes() { ++ int success = 0; ++ unsigned char r[1]; ++ size_t rlen = sizeof(r) / sizeof(r[0]); ++ if (!TEST_true(fips_sli_RAND_bytes_is_approved(r, rlen) == 1) ++ || !TEST_true(RAND_bytes(r, rlen) == 1) ++ || !TEST_true(fips_sli_RAND_priv_bytes_is_approved(r, rlen) == 1) ++ || !TEST_true(RAND_priv_bytes(r, rlen) == 1) ++ || !TEST_true(fips_sli_RAND_priv_bytes_is_approved(r, rlen) == 1) ++ ) ++ goto end; ++ success = 1; ++end: ++ return success; ++} ++ ++int setup_tests(void) { ++ ADD_TEST(test_sli_noop); ++ ADD_TEST(cmac_aes_cbc); ++ ADD_TEST(cmac_no_des); ++ ADD_ALL_TESTS(cmac_via_md_ctx, cmac_tests_len); ++#ifdef OPENSSL_NO_EC ++ TEST_note("Elliptic curves are disabled."); ++#else ++ ADD_ALL_TESTS(ecdsa_via_EVP_DigestSign, ecdsa_tests_len); ++#endif ++ ADD_ALL_TESTS(cipher, cipher_tests_len); ++#ifdef OPENSSL_NO_RSA ++ TEST_note("RSA is disabled."); ++#else ++ ADD_ALL_TESTS(sealenv, sealenv_tests_len); ++#endif ++ ADD_ALL_TESTS(test_PKCS5_PBKDF2_HMAC, pbkdf2_tests_len); ++ ADD_ALL_TESTS(sshkdf, sshkdf_tests_len); ++ ADD_TEST(rand_bytes); ++ ++ return 1; /* success */ ++} +--- /dev/null ++++ b/test/fips_slitest_helper.c +@@ -0,0 +1,489 @@ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++#include "testutil.h" ++#include "fips_slitest_helper.h" ++ ++int make_hmac_keys(EVP_PKEY** skey, EVP_PKEY** vkey) { ++ byte hkey[EVP_MAX_MD_SIZE]; ++ ++ int result = -1; ++ ++ if (!skey || !vkey) ++ return -1; ++ ++ if (*skey != NULL) { ++ EVP_PKEY_free(*skey); ++ *skey = NULL; ++ } ++ ++ if (*vkey != NULL) { ++ EVP_PKEY_free(*vkey); ++ *vkey = NULL; ++ } ++ ++ do { ++ const EVP_MD* md = EVP_sha256(); ++ int size = EVP_MD_size(md); ++ assert(size >= 16); ++ if (!(size >= 16)) { ++ printf("EVP_MD_size failed, error 0x%lx\n", ERR_get_error()); ++ break; /* failed */ ++ } ++ ++ assert(size <= sizeof(hkey)); ++ if (!(size <= sizeof(hkey))) { ++ printf("EVP_MD_size is too large\n"); ++ break; /* failed */ ++ } ++ ++ /* Generate bytes */ ++ int rc = RAND_bytes(hkey, size); ++ assert(rc == 1); ++ if (rc != 1) { ++ printf("RAND_bytes failed, error 0x%lx\n", ERR_get_error()); ++ break; ++ } ++ ++ //print_it("HMAC key", hkey, size); ++ ++ *skey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, hkey, size); ++ assert(*skey != NULL); ++ if (*skey == NULL) { ++ printf("EVP_PKEY_new_mac_key 1st failed, error 0x%lx\n", ERR_get_error()); ++ break; ++ } ++ ++ *vkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, hkey, size); ++ assert(*vkey != NULL); ++ if (*vkey == NULL) { ++ printf("EVP_PKEY_new_mac_key 2nd failed, error 0x%lx\n", ERR_get_error()); ++ break; ++ } ++ ++ result = 0; ++ ++ } while (0); ++ ++ OPENSSL_cleanse(hkey, sizeof(hkey)); ++ ++ /* Convert to 0/1 result */ ++ return !!result; ++} ++static const uint8_t msg[16] = { 0x71, 0x50, 0x00, 0x00, ++ 0xc0, 0xff, 0xee, 0x00, ++ 0xde, 0xad, 0xbe, 0xef, ++ 0x01, 0x02, 0x03, 0x04 ++ }; ++static const uint8_t msg128[128] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, ++ 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, ++ 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, ++ 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, ++ 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, ++ 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, ++ 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, ++ 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, ++ 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, ++ 101, 102, 103, 104, 105, 106, 107, 108, 109, ++ 110, 111, 112, 113, 114, 115, 116, 117, 118, ++ 119, 120, 121, 122, 123, 124, 125, 126, 127 ++ }; ++ ++static const uint8_t key16[16] = { 0xaa, 0xbb, 0xcc, 0xdd, ++ 0x01, 0x02, 0x03, 0x04, ++ 0xaa, 0xbb, 0xcc, 0xdd, ++ 0xde, 0xad, 0xbe, 0xef ++ }; ++static const uint8_t key32[32] = { 0xaa, 0xbb, 0xcc, 0xdd, ++ 0x01, 0x02, 0x03, 0x04, ++ 0xaa, 0xbb, 0xcc, 0xdd, ++ 0xde, 0xad, 0xbe, 0xef, ++ 0xaa, 0xbb, 0xcc, 0xdd, ++ 0x01, 0x02, 0x03, 0x04, ++ 0xaa, 0xbb, 0xcc, 0xdd, ++ 0xde, 0xad, 0xbe, 0xef ++ }; ++ ++const uint8_t* get_msg_16() { ++ return msg; ++} ++ ++const uint8_t* get_msg_128() { ++ return msg128; ++} ++ ++const uint8_t* get_key_16() { ++ return key16; ++} ++ ++const uint8_t* get_key_32() { ++ return key32; ++} ++ ++void print_it(const char* label, const byte* buff, size_t len) { ++ if (!buff || !len) ++ return; ++ ++ if (label) ++ printf("%s: ", label); ++ ++ for (size_t i = 0; i < len; ++i) ++ printf("%02X", buff[i]); ++ ++ printf("\n"); ++} ++ ++int get_cmac_key(int cipher_nid, EVP_PKEY** out) { ++ int success = 0; ++ EVP_PKEY_CTX *ctx = NULL; ++ const size_t key_len = 32; ++ const uint8_t *key = get_key_32(); ++ const EVP_CIPHER *cipher = EVP_get_cipherbynid(cipher_nid); ++ ++ if (!(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_CMAC, NULL))) ++ goto end; ++ if (EVP_PKEY_keygen_init(ctx) != 1) ++ goto end; ++ if (cipher == NULL) ++ goto end; ++ if (EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_CIPHER, 0, (void*)cipher) <= 0) ++ goto end; ++ if (EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_SET_MAC_KEY, key_len, (void*)key) <= 0) ++ goto end; ++ if (!EVP_PKEY_keygen(ctx, out)) ++ goto end; ++ ++ success = 1; ++end: ++ ++ if (ctx) ++ EVP_PKEY_CTX_free(ctx); ++ return success; ++} ++ ++#ifndef OPENSSL_NO_RSA ++# include ++ ++/* adapted from openssl/test/rsa_test.c */ ++# define SetKey \ ++ RSA_set0_key(key, \ ++ BN_bin2bn(n, sizeof(n)-1, NULL), \ ++ BN_bin2bn(e, sizeof(e)-1, NULL), \ ++ BN_bin2bn(d, sizeof(d)-1, NULL)); \ ++ RSA_set0_factors(key, \ ++ BN_bin2bn(p, sizeof(p)-1, NULL), \ ++ BN_bin2bn(q, sizeof(q)-1, NULL)); \ ++ RSA_set0_crt_params(key, \ ++ BN_bin2bn(dmp1, sizeof(dmp1)-1, NULL), \ ++ BN_bin2bn(dmq1, sizeof(dmq1)-1, NULL), \ ++ BN_bin2bn(iqmp, sizeof(iqmp)-1, NULL)); ++ ++void get_rsa_key1(RSA *key) { ++ static unsigned char n[] = ++ "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F" ++ "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5" ++ "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93" ++ "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1" ++ "\xF5"; ++ ++ static unsigned char e[] = "\x11"; ++ ++ static unsigned char d[] = ++ "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44" ++ "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64" ++ "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9" ++ "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51"; ++ ++ static unsigned char p[] = ++ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" ++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12" ++ "\x0D"; ++ ++ static unsigned char q[] = ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" ++ "\x89"; ++ ++ static unsigned char dmp1[] = ++ "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF" ++ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05"; ++ ++ static unsigned char dmq1[] = ++ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99" ++ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D" ++ "\x51"; ++ ++ static unsigned char iqmp[] = ++ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8" ++ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26"; ++ ++ SetKey; ++} ++ ++void get_rsa_key2(RSA *key) { ++ static unsigned char n[] = ++ "\x00\xA3\x07\x9A\x90\xDF\x0D\xFD\x72\xAC\x09\x0C\xCC\x2A\x78\xB8" ++ "\x74\x13\x13\x3E\x40\x75\x9C\x98\xFA\xF8\x20\x4F\x35\x8A\x0B\x26" ++ "\x3C\x67\x70\xE7\x83\xA9\x3B\x69\x71\xB7\x37\x79\xD2\x71\x7B\xE8" ++ "\x34\x77\xCF"; ++ ++ static unsigned char e[] = "\x3"; ++ ++ static unsigned char d[] = ++ "\x6C\xAF\xBC\x60\x94\xB3\xFE\x4C\x72\xB0\xB3\x32\xC6\xFB\x25\xA2" ++ "\xB7\x62\x29\x80\x4E\x68\x65\xFC\xA4\x5A\x74\xDF\x0F\x8F\xB8\x41" ++ "\x3B\x52\xC0\xD0\xE5\x3D\x9B\x59\x0F\xF1\x9B\xE7\x9F\x49\xDD\x21" ++ "\xE5\xEB"; ++ ++ static unsigned char p[] = ++ "\x00\xCF\x20\x35\x02\x8B\x9D\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92" ++ "\xEA\x0D\xA3\xB4\x32\x04\xB5\xCF\xCE\x91"; ++ ++ static unsigned char q[] = ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5F"; ++ ++ static unsigned char dmp1[] = ++ "\x00\x8A\x15\x78\xAC\x5D\x13\xAF\x10\x2B\x22\xB9\x99\xCD\x74\x61" ++ "\xF1\x5E\x6D\x22\xCC\x03\x23\xDF\xDF\x0B"; ++ ++ static unsigned char dmq1[] = ++ "\x00\x86\x55\x21\x4A\xC5\x4D\x8D\x4E\xCD\x61\x77\xF1\xC7\x36\x90" ++ "\xCE\x2A\x48\x2C\x8B\x05\x99\xCB\xE0\x3F"; ++ ++ static unsigned char iqmp[] = ++ "\x00\x83\xEF\xEF\xB8\xA9\xA4\x0D\x1D\xB6\xED\x98\xAD\x84\xED\x13" ++ "\x35\xDC\xC1\x08\xF3\x22\xD0\x57\xCF\x8D"; ++ ++ SetKey; ++} ++ ++void get_rsa_key3(RSA *key) { ++ static unsigned char n[] = ++ "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71" ++ "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5" ++ "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD" ++ "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80" ++ "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25" ++ "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39" ++ "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68" ++ "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" ++ "\xCB"; ++ ++ static unsigned char e[] = "\x11"; ++ ++ static unsigned char d[] = ++ "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD" ++ "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41" ++ "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69" ++ "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA" ++ "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94" ++ "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A" ++ "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94" ++ "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3" ++ "\xC1"; ++ ++ static unsigned char p[] = ++ "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60" ++ "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6" ++ "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A" ++ "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65" ++ "\x99"; ++ ++ static unsigned char q[] = ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" ++ "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" ++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15" ++ "\x03"; ++ ++ static unsigned char dmp1[] = ++ "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A" ++ "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E" ++ "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E" ++ "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81"; ++ ++ static unsigned char dmq1[] = ++ "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9" ++ "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7" ++ "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D" ++ "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"; ++ ++ static unsigned char iqmp[] = ++ "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23" ++ "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11" ++ "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E" ++ "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39" ++ "\xF7"; ++ ++ SetKey; ++} ++ ++/* taken from openssl/test/rsa_mp_test.c */ ++#define NUM_EXTRA_PRIMES 1 ++/* Returns the public key length (256) on success */ ++int get_rsa_key2048p3(RSA *key) { ++ /* C90 requires string should <= 509 bytes */ ++ static const unsigned char n[] = ++ "\x92\x60\xd0\x75\x0a\xe1\x17\xee\xe5\x5c\x3f\x3d\xea\xba\x74\x91" ++ "\x75\x21\xa2\x62\xee\x76\x00\x7c\xdf\x8a\x56\x75\x5a\xd7\x3a\x15" ++ "\x98\xa1\x40\x84\x10\xa0\x14\x34\xc3\xf5\xbc\x54\xa8\x8b\x57\xfa" ++ "\x19\xfc\x43\x28\xda\xea\x07\x50\xa4\xc4\x4e\x88\xcf\xf3\xb2\x38" ++ "\x26\x21\xb8\x0f\x67\x04\x64\x43\x3e\x43\x36\xe6\xd0\x03\xe8\xcd" ++ "\x65\xbf\xf2\x11\xda\x14\x4b\x88\x29\x1c\x22\x59\xa0\x0a\x72\xb7" ++ "\x11\xc1\x16\xef\x76\x86\xe8\xfe\xe3\x4e\x4d\x93\x3c\x86\x81\x87" ++ "\xbd\xc2\x6f\x7b\xe0\x71\x49\x3c\x86\xf7\xa5\x94\x1c\x35\x10\x80" ++ "\x6a\xd6\x7b\x0f\x94\xd8\x8f\x5c\xf5\xc0\x2a\x09\x28\x21\xd8\x62" ++ "\x6e\x89\x32\xb6\x5c\x5b\xd8\xc9\x20\x49\xc2\x10\x93\x2b\x7a\xfa" ++ "\x7a\xc5\x9c\x0e\x88\x6a\xe5\xc1\xed\xb0\x0d\x8c\xe2\xc5\x76\x33" ++ "\xdb\x26\xbd\x66\x39\xbf\xf7\x3c\xee\x82\xbe\x92\x75\xc4\x02\xb4" ++ "\xcf\x2a\x43\x88\xda\x8c\xf8\xc6\x4e\xef\xe1\xc5\xa0\xf5\xab\x80" ++ "\x57\xc3\x9f\xa5\xc0\x58\x9c\x3e\x25\x3f\x09\x60\x33\x23\x00\xf9" ++ "\x4b\xea\x44\x87\x7b\x58\x8e\x1e\xdb\xde\x97\xcf\x23\x60\x72\x7a" ++ "\x09\xb7\x75\x26\x2d\x7e\xe5\x52\xb3\x31\x9b\x92\x66\xf0\x5a\x25"; ++ ++ static const unsigned char e[] = "\x01\x00\x01"; ++ ++ static const unsigned char d[] = ++ "\x6a\x7d\xf2\xca\x63\xea\xd4\xdd\xa1\x91\xd6\x14\xb6\xb3\x85\xe0" ++ "\xd9\x05\x6a\x3d\x6d\x5c\xfe\x07\xdb\x1d\xaa\xbe\xe0\x22\xdb\x08" ++ "\x21\x2d\x97\x61\x3d\x33\x28\xe0\x26\x7c\x9d\xd2\x3d\x78\x7a\xbd" ++ "\xe2\xaf\xcb\x30\x6a\xeb\x7d\xfc\xe6\x92\x46\xcc\x73\xf5\xc8\x7f" ++ "\xdf\x06\x03\x01\x79\xa2\x11\x4b\x76\x7d\xb1\xf0\x83\xff\x84\x1c" ++ "\x02\x5d\x7d\xc0\x0c\xd8\x24\x35\xb9\xa9\x0f\x69\x53\x69\xe9\x4d" ++ "\xf2\x3d\x2c\xe4\x58\xbc\x3b\x32\x83\xad\x8b\xba\x2b\x8f\xa1\xba" ++ "\x62\xe2\xdc\xe9\xac\xcf\xf3\x79\x9a\xae\x7c\x84\x00\x16\xf3\xba" ++ "\x8e\x00\x48\xc0\xb6\xcc\x43\x39\xaf\x71\x61\x00\x3a\x5b\xeb\x86" ++ "\x4a\x01\x64\xb2\xc1\xc9\x23\x7b\x64\xbc\x87\x55\x69\x94\x35\x1b" ++ "\x27\x50\x6c\x33\xd4\xbc\xdf\xce\x0f\x9c\x49\x1a\x7d\x6b\x06\x28" ++ "\xc7\xc8\x52\xbe\x4f\x0a\x9c\x31\x32\xb2\xed\x3a\x2c\x88\x81\xe9" ++ "\xaa\xb0\x7e\x20\xe1\x7d\xeb\x07\x46\x91\xbe\x67\x77\x76\xa7\x8b" ++ "\x5c\x50\x2e\x05\xd9\xbd\xde\x72\x12\x6b\x37\x38\x69\x5e\x2d\xd1" ++ "\xa0\xa9\x8a\x14\x24\x7c\x65\xd8\xa7\xee\x79\x43\x2a\x09\x2c\xb0" ++ "\x72\x1a\x12\xdf\x79\x8e\x44\xf7\xcf\xce\x0c\x49\x81\x47\xa9\xb1"; ++ ++ static const unsigned char p[] = ++ "\x06\x77\xcd\xd5\x46\x9b\xc1\xd5\x58\x00\x81\xe2\xf3\x0a\x36\xb1" ++ "\x6e\x29\x89\xd5\x2f\x31\x5f\x92\x22\x3b\x9b\x75\x30\x82\xfa\xc5" ++ "\xf5\xde\x8a\x36\xdb\xc6\xe5\x8f\xef\x14\x37\xd6\x00\xf9\xab\x90" ++ "\x9b\x5d\x57\x4c\xf5\x1f\x77\xc4\xbb\x8b\xdd\x9b\x67\x11\x45\xb2" ++ "\x64\xe8\xac\xa8\x03\x0f\x16\x0d\x5d\x2d\x53\x07\x23\xfb\x62\x0d" ++ "\xe6\x16\xd3\x23\xe8\xb3"; ++ ++ static const unsigned char q[] = ++ "\x06\x66\x9a\x70\x53\xd6\x72\x74\xfd\xea\x45\xc3\xc0\x17\xae\xde" ++ "\x79\x17\xae\x79\xde\xfc\x0e\xf7\xa4\x3a\x8c\x43\x8f\xc7\x8a\xa2" ++ "\x2c\x51\xc4\xd0\x72\x89\x73\x5c\x61\xbe\xfd\x54\x3f\x92\x65\xde" ++ "\x4d\x65\x71\x70\xf6\xf2\xe5\x98\xb9\x0f\xd1\x0b\xe6\x95\x09\x4a" ++ "\x7a\xdf\xf3\x10\x16\xd0\x60\xfc\xa5\x10\x34\x97\x37\x6f\x0a\xd5" ++ "\x5d\x8f\xd4\xc3\xa0\x5b"; ++ ++ static const unsigned char dmp1[] = ++ "\x05\x7c\x9e\x1c\xbd\x90\x25\xe7\x40\x86\xf5\xa8\x3b\x7a\x3f\x99" ++ "\x56\x95\x60\x3a\x7b\x95\x4b\xb8\xa0\xd7\xa5\xf1\xcc\xdc\x5f\xb5" ++ "\x8c\xf4\x62\x95\x54\xed\x2e\x12\x62\xc2\xe8\xf6\xde\xce\xed\x8e" ++ "\x77\x6d\xc0\x40\x25\x74\xb3\x5a\x2d\xaa\xe1\xac\x11\xcb\xe2\x2f" ++ "\x0a\x51\x23\x1e\x47\xb2\x05\x88\x02\xb2\x0f\x4b\xf0\x67\x30\xf0" ++ "\x0f\x6e\xef\x5f\xf7\xe7"; ++ ++ static const unsigned char dmq1[] = ++ "\x01\xa5\x6b\xbc\xcd\xe3\x0e\x46\xc6\x72\xf5\x04\x56\x28\x01\x22" ++ "\x58\x74\x5d\xbc\x1c\x3c\x29\x41\x49\x6c\x81\x5c\x72\xe2\xf7\xe5" ++ "\xa3\x8e\x58\x16\xe0\x0e\x37\xac\x1f\xbb\x75\xfd\xaf\xe7\xdf\xe9" ++ "\x1f\x70\xa2\x8f\x52\x03\xc0\x46\xd9\xf9\x96\x63\x00\x27\x7e\x5f" ++ "\x38\x60\xd6\x6b\x61\xe2\xaf\xbe\xea\x58\xd3\x9d\xbc\x75\x03\x8d" ++ "\x42\x65\xd6\x6b\x85\x97"; ++ ++ static const unsigned char iqmp[] = ++ "\x03\xa1\x8b\x80\xe4\xd8\x87\x25\x17\x5d\xcc\x8d\xa9\x8a\x22\x2b" ++ "\x6c\x15\x34\x6f\x80\xcc\x1c\x44\x04\x68\xbc\x03\xcd\x95\xbb\x69" ++ "\x37\x61\x48\xb4\x23\x13\x08\x16\x54\x6a\xa1\x7c\xf5\xd4\x3a\xe1" ++ "\x4f\xa4\x0c\xf5\xaf\x80\x85\x27\x06\x0d\x70\xc0\xc5\x19\x28\xfe" ++ "\xee\x8e\x86\x21\x98\x8a\x37\xb7\xe5\x30\x25\x70\x93\x51\x2d\x49" ++ "\x85\x56\xb3\x0c\x2b\x96"; ++ ++ static const unsigned char ex_prime[] = ++ "\x03\x89\x22\xa0\xb7\x3a\x91\xcb\x5e\x0c\xfd\x73\xde\xa7\x38\xa9" ++ "\x47\x43\xd6\x02\xbf\x2a\xb9\x3c\x48\xf3\x06\xd6\x58\x35\x50\x56" ++ "\x16\x5c\x34\x9b\x61\x87\xc8\xaa\x0a\x5d\x8a\x0a\xcd\x9c\x41\xd9" ++ "\x96\x24\xe0\xa9\x9b\x26\xb7\xa8\x08\xc9\xea\xdc\xa7\x15\xfb\x62" ++ "\xa0\x2d\x90\xe6\xa7\x55\x6e\xc6\x6c\xff\xd6\x10\x6d\xfa\x2e\x04" ++ "\x50\xec\x5c\x66\xe4\x05"; ++ ++ static const unsigned char ex_exponent[] = ++ "\x02\x0a\xcd\xc3\x82\xd2\x03\xb0\x31\xac\xd3\x20\x80\x34\x9a\x57" ++ "\xbc\x60\x04\x57\x25\xd0\x29\x9a\x16\x90\xb9\x1c\x49\x6a\xd1\xf2" ++ "\x47\x8c\x0e\x9e\xc9\x20\xc2\xd8\xe4\x8f\xce\xd2\x1a\x9c\xec\xb4" ++ "\x1f\x33\x41\xc8\xf5\x62\xd1\xa5\xef\x1d\xa1\xd8\xbd\x71\xc6\xf7" ++ "\xda\x89\x37\x2e\xe2\xec\x47\xc5\xb8\xe3\xb4\xe3\x5c\x82\xaa\xdd" ++ "\xb7\x58\x2e\xaf\x07\x79"; ++ ++ static const unsigned char ex_coefficient[] = ++ "\x00\x9c\x09\x88\x9b\xc8\x57\x08\x69\x69\xab\x2d\x9e\x29\x1c\x3c" ++ "\x6d\x59\x33\x12\x0d\x2b\x09\x2e\xaf\x01\x2c\x27\x01\xfc\xbd\x26" ++ "\x13\xf9\x2d\x09\x22\x4e\x49\x11\x03\x82\x88\x87\xf4\x43\x1d\xac" ++ "\xca\xec\x86\xf7\x23\xf1\x64\xf3\xf5\x81\xf0\x37\x36\xcf\x67\xff" ++ "\x1a\xff\x7a\xc7\xf9\xf9\x67\x2d\xa0\x9d\x61\xf8\xf6\x47\x5c\x2f" ++ "\xe7\x66\xe8\x3c\x3a\xe8"; ++ ++ BIGNUM **pris = NULL, **exps = NULL, **coeffs = NULL; ++ int rv = 256; /* public key length */ ++ ++ if (!TEST_int_eq(RSA_set0_key(key, ++ BN_bin2bn(n, sizeof(n) - 1, NULL), ++ BN_bin2bn(e, sizeof(e) - 1, NULL), ++ BN_bin2bn(d, sizeof(d) - 1, NULL)), 1)) ++ goto err; ++ ++ if (!TEST_int_eq(RSA_set0_factors(key, ++ BN_bin2bn(p, sizeof(p) - 1, NULL), ++ BN_bin2bn(q, sizeof(q) - 1, NULL)), 1)) ++ goto err; ++ ++ if (!TEST_int_eq(RSA_set0_crt_params(key, ++ BN_bin2bn(dmp1, sizeof(dmp1) - 1, NULL), ++ BN_bin2bn(dmq1, sizeof(dmq1) - 1, NULL), ++ BN_bin2bn(iqmp, sizeof(iqmp) - 1, ++ NULL)), 1)) ++ return 0; ++ ++ pris = OPENSSL_zalloc(sizeof(BIGNUM *)); ++ exps = OPENSSL_zalloc(sizeof(BIGNUM *)); ++ coeffs = OPENSSL_zalloc(sizeof(BIGNUM *)); ++ if (!TEST_ptr(pris) || !TEST_ptr(exps) || !TEST_ptr(coeffs)) ++ goto err; ++ ++ pris[0] = BN_bin2bn(ex_prime, sizeof(ex_prime) - 1, NULL); ++ exps[0] = BN_bin2bn(ex_exponent, sizeof(ex_exponent) - 1, NULL); ++ coeffs[0] = BN_bin2bn(ex_coefficient, sizeof(ex_coefficient) - 1, NULL); ++ if (!TEST_ptr(pris[0]) || !TEST_ptr(exps[0]) || !TEST_ptr(coeffs[0])) ++ goto err; ++ ++ if (!TEST_true(RSA_set0_multi_prime_params(key, pris, exps, ++ coeffs, NUM_EXTRA_PRIMES))) ++ goto err; ++ ++ret: ++ OPENSSL_free(pris); ++ OPENSSL_free(exps); ++ OPENSSL_free(coeffs); ++ return rv; ++err: ++ if (pris != NULL) ++ BN_free(pris[0]); ++ if (exps != NULL) ++ BN_free(exps[0]); ++ if (coeffs != NULL) ++ BN_free(coeffs[0]); ++ rv = 0; ++ goto ret; ++} ++ ++#endif +--- /dev/null ++++ b/test/fips_slitest_helper.h +@@ -0,0 +1,29 @@ ++#ifndef __FIPS_SLITEST_HELPER_H__ ++#define __FIPS_SLITEST_HELPER_H__ ++ ++#include ++ ++typedef unsigned char byte; ++ ++/** Create a MAC key: one copy for macgen, one for macver (verification) ++ * Adapted from https://wiki.openssl.org/images/1/1b/T-hmac.c.tar.gz ++ */ ++int make_hmac_keys(EVP_PKEY** skey, EVP_PKEY** vkey); ++ ++/* Adapted from https://wiki.openssl.org/images/1/1b/T-hmac.c.tar.gz */ ++void print_it(const char* label, const byte* buff, size_t len); ++ ++int get_cmac_key(int cipher_nid, EVP_PKEY** out); ++ ++const uint8_t* get_msg_16(); ++const uint8_t* get_msg_128(); ++/* Get constant keys of specified length */ ++const uint8_t* get_key_16(); ++const uint8_t* get_key_32(); ++ ++void get_rsa_key1(RSA *key); ++void get_rsa_key2(RSA *key); ++void get_rsa_key3(RSA *key); ++int get_rsa_key2048p3(RSA *key); ++ ++#endif /* __FIPS_SLITEST_HELPER_H__ */ +--- /dev/null ++++ b/test/recipes/30-test_fips_sli.t +@@ -0,0 +1,4 @@ ++#!/usr/bin/env perl ++use OpenSSL::Test::Simple; ++ ++simple_test("test_fips_sli", "fips_slitest", "fips_sli"); +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -4636,3 +4636,14 @@ EVP_KDF_size + EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION: + EC_GROUP_get0_field 6598 1_1_1l EXIST::FUNCTION:EC + NONFIPS_selftest_check 6599 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_EVP_MD_CTX 6600 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_CMAC_CTX 6601 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_HMAC_CTX 6602 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_EVP_PKEY_CTX 6603 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_EVP_CIPHER_CTX 6604 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_EVP_KDF_CTX 6605 1_1_1l EXIST::FUNCTION: ++fips_sli_SHA1_is_approved 6606 1_1_1l EXIST::FUNCTION: ++fips_sli_PKCS5_PBKDF2_HMAC_is_approved 6607 1_1_1l EXIST::FUNCTION: ++fips_sli_HMAC_is_approved 6608 1_1_1l EXIST::FUNCTION: ++fips_sli_RAND_bytes_is_approved 6609 1_1_1l EXIST::FUNCTION: ++fips_sli_RAND_priv_bytes_is_approved 6610 1_1_1l EXIST::FUNCTION: diff --git a/openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch b/openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch new file mode 100644 index 0000000..949e7cb --- /dev/null +++ b/openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch @@ -0,0 +1,39 @@ +diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +index 6adff696c..29b23f9f7 100644 +--- a/crypto/evp/e_aes.c ++++ b/crypto/evp/e_aes.c +@@ -4366,6 +4366,21 @@ FIPS_STATUS EVP_CIPHER_get_fips_status(const EVP_CIPHER *cipher) { + /* intended fall-through */ + case 256: + return FIPS_APPROVED; ++ case 512: ++ if (cipher->do_cipher == aes_xts_cipher ++ #if defined(OPENSSL_CPUID_OBJ) && ( \ ++ ((defined(__i386) || defined(__i386__) || defined(_M_IX86))\ ++ && defined(OPENSSL_IA32_SSE2)) \ ++ || defined(__x86_64) || defined(__x86_64__) \ ++ || defined(_M_AMD64) || defined(_M_X64)) ++ || cipher->do_cipher == aesni_xts_cipher ++ #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__) ++ || cipher->do_cipher == s390x_aes_xts_cipher ++ #endif ++ ) ++ return FIPS_APPROVED; ++ else ++ return FIPS_ERROR; + } + } + /* disapproved for enc and dec: all others, including +diff --git a/test/fips_slitest.c b/test/fips_slitest.c +index d32f748a6..9e37cf36b 100644 +--- a/test/fips_slitest.c ++++ b/test/fips_slitest.c +@@ -260,6 +260,8 @@ static const SLI_CIPHER_TEST cipher_tests[] = { + {0, NID_des_ede_ecb}, + {0, NID_des_ede_ofb64}, + {0, NID_idea_cbc}, ++ {1, NID_aes_128_xts}, ++ {1, NID_aes_256_xts}, + }; + static const size_t cipher_tests_len = sizeof(cipher_tests) / sizeof(cipher_tests[0]); + diff --git a/openssl-1_1-ossl-sli-005-EC_group_order_bits.patch b/openssl-1_1-ossl-sli-005-EC_group_order_bits.patch new file mode 100644 index 0000000..08f8aeb --- /dev/null +++ b/openssl-1_1-ossl-sli-005-EC_group_order_bits.patch @@ -0,0 +1,24 @@ +--- + crypto/fips/fips_sli.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/crypto/fips/fips_sli.c ++++ b/crypto/fips/fips_sli.c +@@ -328,14 +328,14 @@ static FIPS_STATUS get_fips_keygen_ecdsa + BN_set_bit(pwr24, 24); + BN_set_bit(pwr32, 32); + +- if (224 < n && n <= 255) { ++ if (224 <= n && n <= 255) { + if (BN_cmp(cofactor, pwr14) != 1) + ret = FIPS_APPROVED; +- } else if (256 < n && n <= 383) { ++ } else if (256 <= n && n <= 383) { + if (BN_cmp(cofactor, pwr16) != 1) + ret = FIPS_APPROVED; + +- } else if (384 < n && n <= 511) { ++ } else if (384 <= n && n <= 511) { + if (BN_cmp(cofactor, pwr24) != 1) + ret = FIPS_APPROVED; + diff --git a/openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch b/openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch new file mode 100644 index 0000000..21e5b42 --- /dev/null +++ b/openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch @@ -0,0 +1,52 @@ +Index: openssl-1.1.1l/crypto/rsa/rsa_pmeth.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/rsa/rsa_pmeth.c ++++ openssl-1.1.1l/crypto/rsa/rsa_pmeth.c +@@ -140,13 +140,11 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + unsigned int sltmp; + if (rctx->pad_mode != RSA_PKCS1_PADDING) + return -1; +- /* PKCS1-v1.5 padding is disallowed after 2023 */ +- fips_sli_disapprove_EVP_PKEY_CTX(ctx); + ret = RSA_sign_ASN1_OCTET_STRING(0, + tbs, tbslen, sig, &sltmp, rsa); +- + if (ret <= 0) + return ret; ++ fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md); + ret = sltmp; + } else if (rctx->pad_mode == RSA_X931_PADDING) { + if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { +@@ -179,13 +177,12 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, + sig, rsa, RSA_X931_PADDING); + } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { +- /* PKCS1-v1.5 padding is disallowed after 2023 */ +- fips_sli_disapprove_EVP_PKEY_CTX(ctx); + unsigned int sltmp; + ret = RSA_sign(EVP_MD_type(rctx->md), + tbs, tbslen, sig, &sltmp, rsa); + if (ret <= 0) + return ret; ++ fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md); + ret = sltmp; + } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { + if (!setup_tbuf(rctx, ctx)) +@@ -290,10 +287,13 @@ static int pkey_rsa_verify(EVP_PKEY_CTX + + if (rctx->md) { + if (rctx->pad_mode == RSA_PKCS1_PADDING) { +- /* PKCS1-v1.5 padding is disallowed after 2023 */ +- fips_sli_disapprove_EVP_PKEY_CTX(ctx); +- return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, +- sig, siglen, rsa); ++ int ret; ++ ret = RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, ++ sig, siglen, rsa); ++ if (ret <= 0) ++ return 0; ++ fips_sli_check_hash_sigver_EVP_PKEY_CTX(ctx, rctx->md); ++ return ret; + } + if (tbslen != (size_t)EVP_MD_size(rctx->md)) { + RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); diff --git a/openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch b/openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch new file mode 100644 index 0000000..409b39b --- /dev/null +++ b/openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch @@ -0,0 +1,14 @@ +Index: openssl-1.1.1l/crypto/kdf/pbkdf2.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/kdf/pbkdf2.c ++++ openssl-1.1.1l/crypto/kdf/pbkdf2.c +@@ -185,7 +185,8 @@ static int kdf_pbkdf2_derive(EVP_KDF_IMP + } + + fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); +- ++ fips_sli_fsm_struct_evp_kdf_impl_st(impl, ++ fips_sli_get_kdf_keylen_status(keylen)); + return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len, + impl->salt, impl->salt_len, impl->iter, + impl->md, key, keylen); diff --git a/openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch b/openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch new file mode 100644 index 0000000..07216f6 --- /dev/null +++ b/openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch @@ -0,0 +1,136 @@ +--- + crypto/fips/fips_sli.c | 21 +++++++++++++++++++ + crypto/kdf/pbkdf2.c | 6 +++++ + include/internal/fips_sli_local.h | 3 ++ + test/fips_slitest.c | 41 ++++++++++++++++++++++---------------- + 4 files changed, 54 insertions(+), 17 deletions(-) + +--- a/crypto/fips/fips_sli.c ++++ b/crypto/fips/fips_sli.c +@@ -231,6 +231,27 @@ FIPS_STATUS fips_sli_get_kdf_keylen_stat + return FIPS_NONAPPROVED; + } + ++FIPS_STATUS fips_sli_get_kdf_saltlen_status(size_t saltlen_bytes) { ++ if (saltlen_bytes >= 128/8) ++ return FIPS_APPROVED; ++ else ++ return FIPS_NONAPPROVED; ++} ++ ++FIPS_STATUS fips_sli_get_kdf_iteration_status(size_t iter) { ++ if (iter >= 1000) ++ return FIPS_APPROVED; ++ else ++ return FIPS_NONAPPROVED; ++} ++ ++FIPS_STATUS fips_sli_get_kdf_passlen_status(size_t passlen_bytes) { ++ if (passlen_bytes >= 20) ++ return FIPS_APPROVED; ++ else ++ return FIPS_NONAPPROVED; ++} ++ + void fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { + fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(ctx, rsa); + } +--- a/crypto/kdf/pbkdf2.c ++++ b/crypto/kdf/pbkdf2.c +@@ -187,6 +187,12 @@ static int kdf_pbkdf2_derive(EVP_KDF_IMP + fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); + fips_sli_fsm_struct_evp_kdf_impl_st(impl, + fips_sli_get_kdf_keylen_status(keylen)); ++ fips_sli_fsm_struct_evp_kdf_impl_st(impl, ++ fips_sli_get_kdf_saltlen_status(impl->salt_len)); ++ fips_sli_fsm_struct_evp_kdf_impl_st(impl, ++ fips_sli_get_kdf_iteration_status(impl->iter)); ++ fips_sli_fsm_struct_evp_kdf_impl_st(impl, ++ fips_sli_get_kdf_passlen_status(impl->pass_len)); + return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len, + impl->salt, impl->salt_len, impl->iter, + impl->md, key, keylen); +--- a/include/internal/fips_sli_local.h ++++ b/include/internal/fips_sli_local.h +@@ -70,6 +70,9 @@ FIPS_STATUS fips_sli_get_hash_status_ssh + FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md); + FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md); + FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes); ++FIPS_STATUS fips_sli_get_kdf_saltlen_status(size_t saltlen_bytes); ++FIPS_STATUS fips_sli_get_kdf_iteration_status(size_t iter); ++FIPS_STATUS fips_sli_get_kdf_passlen_status(size_t passlen_bytes); + + /* Check if used curve is okay for and in this context */ + void fips_sli_check_curve_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_GROUP *group); +--- a/test/fips_slitest.c ++++ b/test/fips_slitest.c +@@ -490,36 +490,41 @@ typedef struct { + int nid_digest; + const uint8_t key_expected[32]; // length has to be 32 + } SLI_PBKDF2_TEST; +- + static const SLI_PBKDF2_TEST pbkdf2_tests[] = { + { +- 1, 4200, NID_sha256, { +- 0xE7, 0xBE, 0x37, 0x75, 0x9D, 0x53, 0x3E, 0x5A, 0x06, 0x20, 0xC9, 0xA5, 0x3A, 0x8D, 0xA2, 0x9E, +- 0x9C, 0x27, 0xDF, 0x26, 0x24, 0xAB, 0xD8, 0x8E, 0x56, 0xE5, 0xB9, 0xF5, 0xA0, 0xD6, 0xD5, 0xEE ++ 1, 4096, NID_sha1, { ++ 0x3D, 0x2E, 0xEC, 0x4F, 0xE4, 0x1C, 0x84, 0x9B, 0x80, 0xC8, 0xD8, 0x36, 0x62, 0xC0, 0xE4, 0x4A, ++ 0x8B, 0x29, 0x1A, 0x96, 0x4C, 0xF2, 0xF0, 0x70, 0x38, 0xB6, 0xB8, 0x9A, 0x48, 0x61, 0x2C, 0x5A ++ } ++ }, ++ { ++ 1, 4096, NID_sha256, { ++ 0x34, 0x8C, 0x89, 0xDB, 0xCB, 0xD3, 0x2B, 0x2F, 0x32, 0xD8, 0x14, 0xB8, 0x11, 0x6E, 0x84, 0xCF, ++ 0x2B, 0x17, 0x34, 0x7E, 0xBC, 0x18, 0x00, 0x18, 0x1C, 0x4E, 0x2A, 0x1F, 0xB8, 0xDD, 0x53, 0xE1 + } + }, + { + 1, 1347, NID_sha256, { +- 0xFB, 0xBB, 0xEC, 0x28, 0x5B, 0x48, 0xE7, 0xC2, 0x54, 0x4E, 0x65, 0x0F, 0x1E, 0xC8, 0xB5, 0x1C, +- 0xF5, 0xAD, 0xAE, 0x2A, 0x21, 0x56, 0x94, 0xD2, 0xE1, 0xB7, 0xC8, 0x7D, 0x7A, 0x0D, 0x63, 0x86 ++ 0xD5, 0x99, 0x16, 0xFF, 0x8A, 0xBC, 0x26, 0x37, 0xAF, 0x4B, 0x26, 0xF1, 0x7E, 0x56, 0x8B, 0x7A, ++ 0x00, 0x16, 0xA9, 0xF2, 0x7D, 0x96, 0xDB, 0x33, 0x0A, 0xD0, 0x5F, 0xC3, 0x0C, 0x22, 0xA2, 0xD0 + } + }, + { +- 1, 4200, NID_sha1, { +- 0x45, 0x96, 0x78, 0xF3, 0x92, 0x74, 0xAC, 0x5B, 0x1F, 0x2B, 0xD3, 0x75, 0x1A, 0xBA, 0x5D, 0xBE, +- 0xF2, 0xDE, 0xE9, 0x88, 0x16, 0x4B, 0x0B, 0x84, 0x94, 0xD9, 0xC2, 0x2D, 0xC1, 0xB9, 0xB0, 0x8A ++ 1, 4096, NID_sha512, { ++ 0x8C, 0x05, 0x11, 0xF4, 0xC6, 0xE5, 0x97, 0xC6, 0xAC, 0x63, 0x15, 0xD8, 0xF0, 0x36, 0x2E, 0x22, ++ 0x5F, 0x3C, 0x50, 0x14, 0x95, 0xBA, 0x23, 0xB8, 0x68, 0xC0, 0x05, 0x17, 0x4D, 0xC4, 0xEE, 0x71 + } + }, + { +- 1, 4200, NID_sha3_512, { +- 0x1E, 0x77, 0xC8, 0x28, 0x9A, 0x79, 0x2E, 0x25, 0x85, 0x8D, 0x73, 0xB3, 0x0D, 0xA1, 0x26, 0x65, +- 0xC0, 0x04, 0x7D, 0x91, 0xB6, 0x5F, 0x89, 0x5E, 0x01, 0x82, 0x23, 0x35, 0x19, 0x2E, 0x5C, 0x09 ++ 1, 4096, NID_sha3_512, { ++ 0xD6, 0x07, 0x91, 0xA4, 0xED, 0x27, 0x19, 0x5D, 0x81, 0x3F, 0x35, 0x51, 0x03, 0x51, 0xB9, 0xD1, ++ 0xFF, 0x9A, 0xD4, 0x26, 0x21, 0x53, 0x94, 0x46, 0x09, 0x50, 0xA4, 0xFE, 0x03, 0xDD, 0x9F, 0x54 + } + }, + { +- 0, 1347, NID_md5, { +- 0xC2, 0x78, 0x16, 0xDC, 0xD1, 0xC5, 0x71, 0xBD, 0x4A, 0x06, 0x2B, 0x38, 0x50, 0xE7, 0x4E, 0xC2, +- 0x0E, 0x74, 0x9D, 0xB1, 0x59, 0xA8, 0xFF, 0x11, 0x24, 0x68, 0xD0, 0xCF, 0x69, 0xE5, 0x30, 0x36 ++ 0, 4096, NID_md5, { ++ 0x8D, 0x5D, 0x0A, 0xAD, 0x94, 0xD1, 0x44, 0x20, 0x42, 0x9F, 0xBC, 0x7E, 0x5B, 0x08, 0x7D, 0x7A, ++ 0x55, 0x27, 0xE6, 0x5D, 0xFD, 0x0D, 0x48, 0x6A, 0x31, 0x0E, 0x8A, 0x7B, 0x6F, 0xF5, 0xA2, 0x1B + } + } + }; +@@ -527,8 +532,10 @@ static const size_t pbkdf2_tests_len = s + + static int test_PKCS5_PBKDF2_HMAC(int pbkdf2_tests_idx) { + int success = 0; +- const char password[] = "password"; +- const unsigned char salt[] = {'s', 'a', 'l', 't'}; ++ const char password[] = "passwordPASSWORDpassword"; ++ const unsigned char salt[] = {'s', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', ++ 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', ++ 's', 'a', 'l', 't'}; + const size_t password_len = sizeof(password) / sizeof(password[0]); + const size_t salt_len = sizeof(salt) / sizeof(salt[0]); + diff --git a/openssl-1_1-serialize-jitterentropy-calls.patch b/openssl-1_1-serialize-jitterentropy-calls.patch new file mode 100644 index 0000000..367554f --- /dev/null +++ b/openssl-1_1-serialize-jitterentropy-calls.patch @@ -0,0 +1,80 @@ +--- + crypto/fips/fips_entropy.c | 40 ++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 38 insertions(+), 2 deletions(-) + +--- a/crypto/fips/fips_entropy.c ++++ b/crypto/fips/fips_entropy.c +@@ -4,35 +4,71 @@ + #include "jitterentropy.h" + + static struct rand_data* ec = NULL; ++static CRYPTO_RWLOCK *jent_lock = NULL; ++static int stop = 0; + + struct rand_data* FIPS_entropy_init(void) + { +- if (ec != NULL) ++ if (ec != NULL) { + /* Entropy source has been initiated and collector allocated */ + return ec; ++ } ++ if (stop != 0) { ++ /* FIPS_entropy_cleanup() already called, don't initialize it again */ ++ return NULL; ++ } ++ if (jent_lock == NULL) { ++ /* Allocates a new lock to serialize access to jent library */ ++ jent_lock = CRYPTO_THREAD_lock_new(); ++ if (jent_lock == NULL) { ++ return NULL; ++ } ++ } ++ if (CRYPTO_THREAD_write_lock(jent_lock) == 0) { ++ return NULL; ++ } + /* If the initialization is successful, the call returns with 0 */ + if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0) + /* Allocate entropy collector */ + ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS); ++ CRYPTO_THREAD_unlock(jent_lock); + return ec; + } + + void FIPS_entropy_cleanup(void) + { ++ if (jent_lock != NULL && stop == 0) { ++ CRYPTO_THREAD_write_lock(jent_lock); ++ } ++ /* Disable re-initialization in FIPS_entropy_init() */ ++ stop = 1; + /* Free entropy collector */ + if (ec != NULL) { + jent_entropy_collector_free(ec); + ec = NULL; + } ++ CRYPTO_THREAD_lock_free(jent_lock); ++ jent_lock = NULL; + } + + ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen) + { + ssize_t ent_bytes = -1; + +- if (buf != NULL && buflen != 0 && FIPS_entropy_init()) { ++ /* ++ * Order is important. We need to call FIPS_entropy_init() before we ++ * acquire jent_lock, otherwise it can lead to deadlock. Once we have ++ * jent_lock, we need to ensure that FIPS_entropy_cleanup() was not called ++ * in the meantime. Then it's safe to read entropy. ++ */ ++ if (buf != NULL ++ && buflen != 0 ++ && FIPS_entropy_init() ++ && CRYPTO_THREAD_write_lock(jent_lock) != 0 ++ && stop == 0) { + /* Get entropy */ + ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen); ++ CRYPTO_THREAD_unlock(jent_lock); + } + return ent_bytes; + } diff --git a/openssl-1_1-shortcut-test_afalg_aes_cbc.patch b/openssl-1_1-shortcut-test_afalg_aes_cbc.patch new file mode 100644 index 0000000..cf62f44 --- /dev/null +++ b/openssl-1_1-shortcut-test_afalg_aes_cbc.patch @@ -0,0 +1,14 @@ +diff --git a/test/afalgtest.c b/test/afalgtest.c +index adb2977..c4f848a 100644 +--- a/test/afalgtest.c ++++ b/test/afalgtest.c +@@ -43,6 +43,9 @@ static ENGINE *e; + + static int test_afalg_aes_cbc(int keysize_idx) + { ++ /* This test fails in fips mode, so just shortcut out. */ ++ if ( FIPS_mode()) return 1; ++ + EVP_CIPHER_CTX *ctx; + const EVP_CIPHER *cipher; + unsigned char key[] = "\x06\xa9\x21\x40\x36\xb8\xa1\x5b" diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 0d6c6ba..0627937 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,71 @@ +------------------------------------------------------------------- +Tue Sep 12 05:09:28 UTC 2023 - Otto Hollmann + +- Update to 1.1.1w: + * Fix POLY1305 MAC implementation corrupting XMM registers on Windows. + + The POLY1305 MAC (message authentication code) implementation in OpenSSL + does not save the contents of non-volatile XMM registers on Windows 64 + platform when calculating the MAC of data larger than 64 bytes. Before + returning to the caller all the XMM registers are set to zero rather than + restoring their previous content. The vulnerable code is used only on newer + x86_64 processors supporting the AVX512-IFMA instructions. + + The consequences of this kind of internal application state corruption can + be various - from no consequences, if the calling application does not + depend on the contents of non-volatile XMM registers at all, to the worst + consequences, where the attacker could get complete control of the + application process. However given the contents of the registers are just + zeroized so the attacker cannot put arbitrary values inside, the most likely + consequence, if any, would be an incorrect result of some application + dependent calculations or a crash leading to a denial of service. + + (CVE-2023-4807) + +------------------------------------------------------------------- +Tue Aug 8 10:34:14 UTC 2023 - Otto Hollmann + +- Add missing FIPS patches from SLE: + * Add patches: + - bsc1185319-FIPS-KAT-for-ECDSA.patch + - bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch + - openssl-1.1.1-fips-fix-memory-leaks.patch + - openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch + - openssl-1_1-FIPS_drbg-rewire.patch + - openssl-1_1-Zeroization.patch + - openssl-1_1-fips-drbg-selftest.patch + - openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch + - openssl-1_1-jitterentropy-3.4.0.patch + - openssl-1_1-ossl-sli-000-fix-build-error.patch + - openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch + - openssl-1_1-ossl-sli-002-ran-make-update.patch + - openssl-1_1-ossl-sli-003-add-sli.patch + - openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch + - openssl-1_1-ossl-sli-005-EC_group_order_bits.patch + - openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch + - openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch + - openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch + - openssl-1_1-serialize-jitterentropy-calls.patch + - openssl-1_1-shortcut-test_afalg_aes_cbc.patch + - openssl-DH.patch + - openssl-FIPS-KAT-before-integrity-tests.patch + - openssl-fips-DH_selftest_shared_secret_KAT.patch + - openssl-fips-kdf-hkdf-selftest.patch + - openssl-kdf-selftest.patch + - openssl-kdf-ssh-selftest.patch + - openssl-kdf-tls-selftest.patch + - openssl-no-date.patch + - openssl-s_client-check-ocsp-status.patch + * Modify patches: + - openssl-1.1.1-fips.patch + - openssl-1_1-FIPS-fix-error-reason-codes.patch + * Remove patches: + - openssl-add_rfc3526_rfc7919.patch + - openssl-fips-dont_run_FIPS_module_installed.patch + - openssl-fips_fix_selftests_return_value.patch + * Add build and runtime dependency on jitterentropy +- Pass over with spec-cleaner + ------------------------------------------------------------------- Tue Aug 1 16:12:36 UTC 2023 - Pedro Monreal diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 5a44979..842a9f4 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -16,11 +16,13 @@ # +%define ssletcdir %{_sysconfdir}/ssl +%define maj_min 1.1 +%define _rname openssl %if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 # Enable livepatching support for SLE15-SP4 onwards. It requires # compiler support introduced there. %define livepatchable 1 - # Set variables for livepatching. %define _other %{_topdir}/OTHER %define tar_basename %{_rname}-livepatch-%{version}-%{release} @@ -30,18 +32,13 @@ # Unsupported operating system. %define livepatchable 0 %endif - %ifnarch x86_64 # Unsupported architectures must have livepatch disabled. %define livepatchable 0 %endif - -%define ssletcdir %{_sysconfdir}/ssl -%define maj_min 1.1 -%define _rname openssl Name: openssl-1_1 # Don't forget to update the version in the "openssl" meta-package! -Version: 1.1.1v +Version: 1.1.1w Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL @@ -63,6 +60,7 @@ Patch3: openssl-pkgconfig.patch Patch4: openssl-DEFAULT_SUSE_cipher.patch Patch5: openssl-ppc64-config.patch Patch6: openssl-riscv64-config.patch +Patch7: openssl-no-date.patch # PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129 Patch8: 0001-s390x-assembly-pack-perlasm-support.patch Patch9: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch @@ -94,57 +92,103 @@ Patch35: openssl-ship_fips_standalone_hmac.patch Patch36: openssl-fips_mode.patch Patch37: openssl-1.1.1-evp-kdf.patch Patch38: openssl-1.1.1-ssh-kdf.patch -Patch39: openssl-fips-dont_run_FIPS_module_installed.patch Patch40: openssl-fips-selftests_in_nonfips_mode.patch Patch41: openssl-fips-clearerror.patch Patch42: openssl-fips-ignore_broken_atexit_test.patch Patch43: openssl-keep_EVP_KDF_functions_version.patch -Patch44: openssl-fips_fix_selftests_return_value.patch Patch45: openssl-fips-add-SHA3-selftest.patch Patch46: openssl-fips_selftest_upstream_drbg.patch Patch47: openssl-unknown_dgst.patch # PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 (crypto) Patch50: openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch Patch51: openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch -Patch52: openssl-1.1.1-system-cipherlist.patch +# PATCH-FIX-UPSTREAM bsc#1175844 FIPS: (EC)Diffie-Hellman requirements +# from SP800-56Arev3 SLE-15-SP2 +Patch52: openssl-DH.patch +Patch53: openssl-kdf-selftest.patch +Patch54: openssl-kdf-tls-selftest.patch +Patch55: openssl-kdf-ssh-selftest.patch +Patch56: openssl-fips-DH_selftest_shared_secret_KAT.patch +# PATCH-FIX-UPSTREAM bsc#1192442 FIPS: missing KAT for HKDF/TLS 1.3/IPSEC IKEv2 +Patch57: openssl-fips-kdf-hkdf-selftest.patch +Patch58: openssl-1.1.1-system-cipherlist.patch # PATCH-FIX-OPENSUSE jsc#SLE-15832 Centralized Crypto Compliance Configuration -Patch53: openssl-1_1-seclevel.patch -Patch54: openssl-1_1-use-seclevel2-in-tests.patch -Patch55: openssl-1_1-disable-test_srp-sslapi.patch -Patch56: openssl-add_rfc3526_rfc7919.patch -Patch57: openssl-1_1-use-include-directive.patch -#PATCH-FIX-UPSTREAM jsc#SLE-18136 POWER10 performance enhancements for cryptography +Patch59: openssl-1_1-seclevel.patch +Patch60: openssl-1_1-use-seclevel2-in-tests.patch +Patch61: openssl-1_1-disable-test_srp-sslapi.patch +# PATCH-FIX-UPSTREAM jsc#SLE-18136 POWER10 performance enhancements for cryptography Patch69: openssl-1_1-Optimize-ppc64.patch -#PATCH-FIX-UPSTREAM jsc#SLE-19742 Backport Arm improvements from OpenSSL 3 +# PATCH-FIX-UPSTREAM jsc#SLE-19742 Backport Arm improvements from OpenSSL 3 Patch70: openssl-1_1-Optimize-RSA-armv8.patch Patch71: openssl-1_1-Optimize-AES-XTS-aarch64.patch Patch72: openssl-1_1-Optimize-AES-GCM-uarchs.patch -#PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes -Patch73: openssl-1_1-FIPS-fix-error-reason-codes.patch -#PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode -Patch74: openssl-1_1-paramgen-default_to_rfc7919.patch +# PATCH-FIX-SUSE bsc#1185320 FIPS: move the HMAC-SHA2-256 used for integrity test +Patch73: openssl-FIPS-KAT-before-integrity-tests.patch +# PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes +Patch74: openssl-1_1-FIPS-fix-error-reason-codes.patch +# PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode +Patch75: openssl-1_1-paramgen-default_to_rfc7919.patch +# PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf +Patch76: openssl-1_1-use-include-directive.patch +# PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT +Patch77: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch +Patch78: bsc1185319-FIPS-KAT-for-ECDSA.patch +Patch79: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch +Patch81: openssl-1_1-shortcut-test_afalg_aes_cbc.patch +# PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected SSPs and key components +Patch84: openssl-1_1-Zeroization.patch +# PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator +Patch85: openssl-1_1-ossl-sli-000-fix-build-error.patch +Patch86: openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch +Patch87: openssl-1_1-ossl-sli-002-ran-make-update.patch +Patch88: openssl-1_1-ossl-sli-003-add-sli.patch +# PATCH-FIX-SUSE bsc#1202148 FIPS: Port openssl to use jitterentropy +Patch89: openssl-1_1-jitterentropy-3.4.0.patch +# PATCH-FIX-SUSE bsc#1203046 FIPS: Fix memory leak when FIPS mode is enabled +Patch90: openssl-1.1.1-fips-fix-memory-leaks.patch +# PATCH-FIX-FEDORA bsc#1201293 FIPS: RAND api should call into FIPS DRBG +Patch91: openssl-1_1-FIPS_drbg-rewire.patch +# PATCH-FIX-FEDORA bsc#1203069 FIPS: Add KAT for the RAND_DRBG implementation +Patch92: openssl-1_1-fips-drbg-selftest.patch +# PATCH-FIX-SUSE bsc#1121365, bsc#1190888, bsc#1193859, bsc#1198471, bsc#1198472 +# FIPS: List only approved digest and pubkey algorithms +Patch93: openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch +# PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator +Patch94: openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch +Patch95: openssl-1_1-ossl-sli-005-EC_group_order_bits.patch +Patch96: openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch +Patch97: openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch # PATCH-FIX-UPSTREAM jsc#PED-512 # POWER10 performance enhancements for cryptography -Patch75: openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch -Patch76: openssl-1_1-Fixed-counter-overflow.patch -Patch77: openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch -Patch78: openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch -Patch79: openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch -#PATCH-FIX-OPENSUSE bsc#1205042 Set OpenSSL 3.0 as the default openssl -Patch80: openssl-1_1-openssl-config.patch +Patch98: openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch +Patch99: openssl-1_1-Fixed-counter-overflow.patch +Patch100: openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch +Patch101: openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch +Patch102: openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch +# PATCH-FIX-OPENSUSE bsc#1205042 Set OpenSSL 3.0 as the default openssl +Patch103: openssl-1_1-openssl-config.patch +# PATCH-FIX-SUSE bsc#1207994 FIPS Make jitterentropy calls thread-safe +Patch104: openssl-1_1-serialize-jitterentropy-calls.patch +# PATCH-FIX-SUSE bsc#1208998 FIPS: PBKDF2 requirements for openssl +Patch105: openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch +# PATCH-FIX-SUSE bsc#1212623 openssl s_client does not honor ocsp revocation status +Patch106: openssl-s_client-check-ocsp-status.patch # PATCH-FIX-SUSE bsc#1213517 Dont pass zero length input to EVP_Cipher -Patch81: openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch +Patch107: openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch + +BuildRequires: jitterentropy-devel >= 3.4.0 BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) +Requires: libjitterentropy3 >= 3.4.0 Provides: ssl Requires: libopenssl1_1 = %{version}-%{release} -%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 -Requires: crypto-policies -%endif # Needed for clean upgrade path, boo#1070003 Obsoletes: openssl-1_0_0 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: openssl-1_1_0 +%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 +Requires: crypto-policies +%endif %description OpenSSL is a software library to be used in applications that need to @@ -155,12 +199,12 @@ OpenSSL contains an implementation of the SSL and TLS protocols. %package -n libopenssl1_1 Summary: Secure Sockets and Transport Layer Security Group: Productivity/Networking/Security -%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 -Requires: crypto-policies -%endif Recommends: ca-certificates-mozilla # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: libopenssl1_1_0 +%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 +Requires: crypto-policies +%endif Conflicts: %{name} < %{version}-%{release} # Merge back the hmac files bsc#1185116 Provides: libopenssl1_1-hmac = %{version}-%{release} @@ -179,6 +223,7 @@ OpenSSL contains an implementation of the SSL and TLS protocols. %package -n libopenssl-1_1-devel Summary: Development files for OpenSSL Group: Development/Libraries/C and C++ +Requires: jitterentropy-devel >= 3.4.0 Requires: libopenssl1_1 = %{version} Requires: pkgconfig(zlib) Recommends: %{name} = %{version} @@ -250,21 +295,40 @@ export MACHINE=armv6l perl configdata.pm --dump util/mkdef.pl crypto update -make depend %{?_smp_mflags} -make all %{?_smp_mflags} +%make_build depend +%make_build all %check export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) -#export HARNESS_VERBOSE=1 -#export OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH=`pwd` make test -j1 +# Create the hmac files required to run the regression tests in FIPS mode +#%{buildroot}%{_bindir}/fips_standalone_hmac \ +# libssl.so.%{maj_min} > .libssl.so.%{maj_min}.hmac +#%{buildroot}%{_bindir}/fips_standalone_hmac \ +# libcrypto.so.%{maj_min} > .libcrypto.so.%{maj_min}.hmac +#OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH=`pwd` make TESTS='-test_pem \ +# -test_hmac -test_mdc2 -test_dh -test_dsa -test_genrsa \ +# -test_mp_rsa -test_enc -test_enc_more -test_passwd -test_req \ +# -test_verify -test_evp -test_evp_extra -test_pkey_meth_kdf \ +# -test_bad_dtls -test_comp -test_key_share -test_renegotiation \ +# -test_sslcbcpadding -test_sslcertstatus -test_sslextension \ +# -test_sslmessages -test_sslrecords -test_sslsessiontick \ +# -test_sslsigalgs -test_sslsignature -test_sslskewith0p \ +# -test_sslversions -test_sslvertol -test_tls13alerts \ +# -test_tls13cookie -test_tls13downgrade -test_tls13hrr \ +# -test_tls13kexmodes -test_tls13messages -test_tls13psk \ +# -test_tlsextms -test_ca -test_cipherlist -test_cms \ +# -test_dtls_mtu -test_ssl_new -test_ssl_old -test_bio_enc \ +# -test_sslapi -test_tls13ccs -test_ec' test -j1 + # show ciphers gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers %install + %if %{livepatchable} # Ipa-clones are files generated by gcc which logs changes made across diff --git a/openssl-DH.patch b/openssl-DH.patch new file mode 100644 index 0000000..173d1bf --- /dev/null +++ b/openssl-DH.patch @@ -0,0 +1,3294 @@ +Index: openssl-1.1.1m/crypto/bn/bn_const.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/bn/bn_const.c ++++ openssl-1.1.1m/crypto/bn/bn_const.c +@@ -8,6 +8,10 @@ + */ + + #include ++#include "crypto/bn_dh.h" ++ ++#define COPY_BN(dst, src) (dst != NULL) ? BN_copy(dst, &src) : BN_dup(&src) ++ + + /*- + * "First Oakley Default Group" from RFC2409, section 6.1. +@@ -80,33 +84,7 @@ BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_1536[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x23, 0x73, 0x27, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), bn); ++ return COPY_BN(bn, _bignum_modp_1536_p); + } + + /*- +@@ -119,41 +97,7 @@ BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_2048[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_2048, sizeof(RFC3526_PRIME_2048), bn); ++ return COPY_BN(bn, _bignum_modp_2048_p); + } + + /*- +@@ -166,57 +110,7 @@ BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_3072[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_3072, sizeof(RFC3526_PRIME_3072), bn); ++ return COPY_BN(bn, _bignum_modp_3072_p); + } + + /*- +@@ -229,73 +123,7 @@ BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_4096[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, +- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, +- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, +- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, +- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, +- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, +- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, +- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, +- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, +- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, +- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, +- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, +- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, +- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, +- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, +- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, +- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_4096, sizeof(RFC3526_PRIME_4096), bn); ++ return COPY_BN(bn, _bignum_modp_4096_p); + } + + /*- +@@ -308,105 +136,7 @@ BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_6144[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, +- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, +- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, +- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, +- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, +- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, +- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, +- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, +- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, +- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, +- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, +- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, +- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, +- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, +- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, +- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, +- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, +- 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, +- 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE, +- 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, +- 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, +- 0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE, +- 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, +- 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, +- 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED, +- 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, +- 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, +- 0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42, +- 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF, +- 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, +- 0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03, +- 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, +- 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, +- 0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E, +- 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, +- 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, +- 0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5, +- 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, +- 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, +- 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0, +- 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, +- 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, +- 0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0, +- 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, +- 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, +- 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68, +- 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, +- 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, +- 0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xCC, 0x40, 0x24, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_6144, sizeof(RFC3526_PRIME_6144), bn); ++ return COPY_BN(bn, _bignum_modp_6144_p); + } + + /*- +@@ -419,135 +149,5 @@ BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_8192[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, +- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, +- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, +- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, +- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, +- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, +- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, +- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, +- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, +- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, +- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, +- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, +- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, +- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, +- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, +- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, +- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, +- 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, +- 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE, +- 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, +- 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, +- 0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE, +- 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, +- 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, +- 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED, +- 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, +- 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, +- 0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42, +- 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF, +- 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, +- 0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03, +- 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, +- 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, +- 0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E, +- 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, +- 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, +- 0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5, +- 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, +- 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, +- 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0, +- 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, +- 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, +- 0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0, +- 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, +- 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, +- 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68, +- 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, +- 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, +- 0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xBE, 0x11, 0x59, +- 0x74, 0xA3, 0x92, 0x6F, 0x12, 0xFE, 0xE5, 0xE4, +- 0x38, 0x77, 0x7C, 0xB6, 0xA9, 0x32, 0xDF, 0x8C, +- 0xD8, 0xBE, 0xC4, 0xD0, 0x73, 0xB9, 0x31, 0xBA, +- 0x3B, 0xC8, 0x32, 0xB6, 0x8D, 0x9D, 0xD3, 0x00, +- 0x74, 0x1F, 0xA7, 0xBF, 0x8A, 0xFC, 0x47, 0xED, +- 0x25, 0x76, 0xF6, 0x93, 0x6B, 0xA4, 0x24, 0x66, +- 0x3A, 0xAB, 0x63, 0x9C, 0x5A, 0xE4, 0xF5, 0x68, +- 0x34, 0x23, 0xB4, 0x74, 0x2B, 0xF1, 0xC9, 0x78, +- 0x23, 0x8F, 0x16, 0xCB, 0xE3, 0x9D, 0x65, 0x2D, +- 0xE3, 0xFD, 0xB8, 0xBE, 0xFC, 0x84, 0x8A, 0xD9, +- 0x22, 0x22, 0x2E, 0x04, 0xA4, 0x03, 0x7C, 0x07, +- 0x13, 0xEB, 0x57, 0xA8, 0x1A, 0x23, 0xF0, 0xC7, +- 0x34, 0x73, 0xFC, 0x64, 0x6C, 0xEA, 0x30, 0x6B, +- 0x4B, 0xCB, 0xC8, 0x86, 0x2F, 0x83, 0x85, 0xDD, +- 0xFA, 0x9D, 0x4B, 0x7F, 0xA2, 0xC0, 0x87, 0xE8, +- 0x79, 0x68, 0x33, 0x03, 0xED, 0x5B, 0xDD, 0x3A, +- 0x06, 0x2B, 0x3C, 0xF5, 0xB3, 0xA2, 0x78, 0xA6, +- 0x6D, 0x2A, 0x13, 0xF8, 0x3F, 0x44, 0xF8, 0x2D, +- 0xDF, 0x31, 0x0E, 0xE0, 0x74, 0xAB, 0x6A, 0x36, +- 0x45, 0x97, 0xE8, 0x99, 0xA0, 0x25, 0x5D, 0xC1, +- 0x64, 0xF3, 0x1C, 0xC5, 0x08, 0x46, 0x85, 0x1D, +- 0xF9, 0xAB, 0x48, 0x19, 0x5D, 0xED, 0x7E, 0xA1, +- 0xB1, 0xD5, 0x10, 0xBD, 0x7E, 0xE7, 0x4D, 0x73, +- 0xFA, 0xF3, 0x6B, 0xC3, 0x1E, 0xCF, 0xA2, 0x68, +- 0x35, 0x90, 0x46, 0xF4, 0xEB, 0x87, 0x9F, 0x92, +- 0x40, 0x09, 0x43, 0x8B, 0x48, 0x1C, 0x6C, 0xD7, +- 0x88, 0x9A, 0x00, 0x2E, 0xD5, 0xEE, 0x38, 0x2B, +- 0xC9, 0x19, 0x0D, 0xA6, 0xFC, 0x02, 0x6E, 0x47, +- 0x95, 0x58, 0xE4, 0x47, 0x56, 0x77, 0xE9, 0xAA, +- 0x9E, 0x30, 0x50, 0xE2, 0x76, 0x56, 0x94, 0xDF, +- 0xC8, 0x1F, 0x56, 0xE8, 0x80, 0xB9, 0x6E, 0x71, +- 0x60, 0xC9, 0x80, 0xDD, 0x98, 0xED, 0xD3, 0xDF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_8192, sizeof(RFC3526_PRIME_8192), bn); ++ return COPY_BN(bn, _bignum_modp_8192_p); + } +Index: openssl-1.1.1m/crypto/bn/bn_dh.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/bn/bn_dh.c ++++ openssl-1.1.1m/crypto/bn/bn_dh.c +@@ -11,474 +11,995 @@ + #include "internal/nelem.h" + + #ifndef OPENSSL_NO_DH +-#include +-#include "crypto/bn_dh.h" +-/* DH parameters from RFC5114 */ ++# include ++# include "crypto/bn_dh.h" + + # if BN_BITS2 == 64 +-static const BN_ULONG dh1024_160_p[] = { +- 0xDF1FB2BC2E4A4371ULL, 0xE68CFDA76D4DA708ULL, 0x45BF37DF365C1A65ULL, +- 0xA151AF5F0DC8B4BDULL, 0xFAA31A4FF55BCCC0ULL, 0x4EFFD6FAE5644738ULL, +- 0x98488E9C219A7372ULL, 0xACCBDD7D90C4BD70ULL, 0x24975C3CD49B83BFULL, +- 0x13ECB4AEA9061123ULL, 0x9838EF1E2EE652C0ULL, 0x6073E28675A23D18ULL, +- 0x9A6A9DCA52D23B61ULL, 0x52C99FBCFB06A3C6ULL, 0xDE92DE5EAE5D54ECULL, +- 0xB10B8F96A080E01DULL +-}; +- +-static const BN_ULONG dh1024_160_g[] = { +- 0x855E6EEB22B3B2E5ULL, 0x858F4DCEF97C2A24ULL, 0x2D779D5918D08BC8ULL, +- 0xD662A4D18E73AFA3ULL, 0x1DBF0A0169B6A28AULL, 0xA6A24C087A091F53ULL, +- 0x909D0D2263F80A76ULL, 0xD7FBD7D3B9A92EE1ULL, 0x5E91547F9E2749F4ULL, +- 0x160217B4B01B886AULL, 0x777E690F5504F213ULL, 0x266FEA1E5C41564BULL, +- 0xD6406CFF14266D31ULL, 0xF8104DD258AC507FULL, 0x6765A442EFB99905ULL, +- 0xA4D1CBD5C3FD3412ULL +-}; +- +-static const BN_ULONG dh1024_160_q[] = { +- 0x64B7CB9D49462353ULL, 0x81A8DF278ABA4E7DULL, 0x00000000F518AA87ULL +-}; +- +-static const BN_ULONG dh2048_224_p[] = { +- 0x0AC4DFFE0C10E64FULL, 0xCF9DE5384E71B81CULL, 0x7EF363E2FFA31F71ULL, +- 0xE3FB73C16B8E75B9ULL, 0xC9B53DCF4BA80A29ULL, 0x23F10B0E16E79763ULL, +- 0xC52172E413042E9BULL, 0xBE60E69CC928B2B9ULL, 0x80CD86A1B9E587E8ULL, +- 0x315D75E198C641A4ULL, 0xCDF93ACC44328387ULL, 0x15987D9ADC0A486DULL, +- 0x7310F7121FD5A074ULL, 0x278273C7DE31EFDCULL, 0x1602E714415D9330ULL, +- 0x81286130BC8985DBULL, 0xB3BF8A3170918836ULL, 0x6A00E0A0B9C49708ULL, +- 0xC6BA0B2C8BBC27BEULL, 0xC9F98D11ED34DBF6ULL, 0x7AD5B7D0B6C12207ULL, +- 0xD91E8FEF55B7394BULL, 0x9037C9EDEFDA4DF8ULL, 0x6D3F8152AD6AC212ULL, +- 0x1DE6B85A1274A0A6ULL, 0xEB3D688A309C180EULL, 0xAF9A3C407BA1DF15ULL, +- 0xE6FA141DF95A56DBULL, 0xB54B1597B61D0A75ULL, 0xA20D64E5683B9FD1ULL, +- 0xD660FAA79559C51FULL, 0xAD107E1E9123A9D0ULL +-}; +- +-static const BN_ULONG dh2048_224_g[] = { +- 0x84B890D3191F2BFAULL, 0x81BC087F2A7065B3ULL, 0x19C418E1F6EC0179ULL, +- 0x7B5A0F1C71CFFF4CULL, 0xEDFE72FE9B6AA4BDULL, 0x81E1BCFE94B30269ULL, +- 0x566AFBB48D6C0191ULL, 0xB539CCE3409D13CDULL, 0x6AA21E7F5F2FF381ULL, +- 0xD9E263E4770589EFULL, 0x10E183EDD19963DDULL, 0xB70A8137150B8EEBULL, +- 0x051AE3D428C8F8ACULL, 0xBB77A86F0C1AB15BULL, 0x6E3025E316A330EFULL, +- 0x19529A45D6F83456ULL, 0xF180EB34118E98D1ULL, 0xB5F6C6B250717CBEULL, +- 0x09939D54DA7460CDULL, 0xE247150422EA1ED4ULL, 0xB8A762D0521BC98AULL, +- 0xF4D027275AC1348BULL, 0xC17669101999024AULL, 0xBE5E9001A8D66AD7ULL, +- 0xC57DB17C620A8652ULL, 0xAB739D7700C29F52ULL, 0xDD921F01A70C4AFAULL, +- 0xA6824A4E10B9A6F0ULL, 0x74866A08CFE4FFE3ULL, 0x6CDEBE7B89998CAFULL, +- 0x9DF30B5C8FFDAC50ULL, 0xAC4032EF4F2D9AE3ULL +-}; +- +-static const BN_ULONG dh2048_224_q[] = { +- 0xBF389A99B36371EBULL, 0x1F80535A4738CEBCULL, 0xC58D93FE99717710ULL, +- 0x00000000801C0D34ULL +-}; +- +-static const BN_ULONG dh2048_256_p[] = { +- 0xDB094AE91E1A1597ULL, 0x693877FAD7EF09CAULL, 0x6116D2276E11715FULL, +- 0xA4B54330C198AF12ULL, 0x75F26375D7014103ULL, 0xC3A3960A54E710C3ULL, +- 0xDED4010ABD0BE621ULL, 0xC0B857F689962856ULL, 0xB3CA3F7971506026ULL, +- 0x1CCACB83E6B486F6ULL, 0x67E144E514056425ULL, 0xF6A167B5A41825D9ULL, +- 0x3AD8347796524D8EULL, 0xF13C6D9A51BFA4ABULL, 0x2D52526735488A0EULL, +- 0xB63ACAE1CAA6B790ULL, 0x4FDB70C581B23F76ULL, 0xBC39A0BF12307F5CULL, +- 0xB941F54EB1E59BB8ULL, 0x6C5BFC11D45F9088ULL, 0x22E0B1EF4275BF7BULL, +- 0x91F9E6725B4758C0ULL, 0x5A8A9D306BCF67EDULL, 0x209E0C6497517ABDULL, +- 0x3BF4296D830E9A7CULL, 0x16C3D91134096FAAULL, 0xFAF7DF4561B2AA30ULL, +- 0xE00DF8F1D61957D4ULL, 0x5D2CEED4435E3B00ULL, 0x8CEEF608660DD0F2ULL, +- 0xFFBBD19C65195999ULL, 0x87A8E61DB4B6663CULL +-}; +- +-static const BN_ULONG dh2048_256_g[] = { +- 0x664B4C0F6CC41659ULL, 0x5E2327CFEF98C582ULL, 0xD647D148D4795451ULL, +- 0x2F63078490F00EF8ULL, 0x184B523D1DB246C3ULL, 0xC7891428CDC67EB6ULL, +- 0x7FD028370DF92B52ULL, 0xB3353BBB64E0EC37ULL, 0xECD06E1557CD0915ULL, +- 0xB7D2BBD2DF016199ULL, 0xC8484B1E052588B9ULL, 0xDB2A3B7313D3FE14ULL, +- 0xD052B985D182EA0AULL, 0xA4BD1BFFE83B9C80ULL, 0xDFC967C1FB3F2E55ULL, +- 0xB5045AF2767164E1ULL, 0x1D14348F6F2F9193ULL, 0x64E67982428EBC83ULL, +- 0x8AC376D282D6ED38ULL, 0x777DE62AAAB8A862ULL, 0xDDF463E5E9EC144BULL, +- 0x0196F931C77A57F2ULL, 0xA55AE31341000A65ULL, 0x901228F8C28CBB18ULL, +- 0xBC3773BF7E8C6F62ULL, 0xBE3A6C1B0C6B47B1ULL, 0xFF4FED4AAC0BB555ULL, +- 0x10DBC15077BE463FULL, 0x07F4793A1A0BA125ULL, 0x4CA7B18F21EF2054ULL, +- 0x2E77506660EDBD48ULL, 0x3FB32C9B73134D0BULL +-}; +- +-static const BN_ULONG dh2048_256_q[] = { +- 0xA308B0FE64F5FBD3ULL, 0x99B1A47D1EB3750BULL, 0xB447997640129DA2ULL, +- 0x8CF83642A709A097ULL +-}; +- +-/* Primes from RFC 7919 */ +-static const BN_ULONG ffdhe2048_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0x886B423861285C97ULL, 0xC6F34A26C1B2EFFAULL, +- 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, +- 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, +- 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, +- 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, +- 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, +- 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, +- 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, +- 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, +- 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, +- 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL +-}; +- +-static const BN_ULONG ffdhe3072_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0x25E41D2B66C62E37ULL, 0x3C1B20EE3FD59D7CULL, +- 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, +- 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, +- 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, +- 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, +- 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, +- 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, +- 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, +- 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, +- 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, +- 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, +- 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, +- 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, +- 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, +- 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, +- 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL +-}; +- +-static const BN_ULONG ffdhe4096_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0xC68A007E5E655F6AULL, 0x4DB5A851F44182E1ULL, +- 0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL, +- 0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL, 0x6DC778F971AD0038ULL, +- 0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL, +- 0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL, +- 0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL, +- 0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, +- 0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, +- 0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, +- 0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, +- 0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, +- 0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, +- 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, +- 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, +- 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, +- 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, +- 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, +- 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, +- 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, +- 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, +- 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, +- 0xFFFFFFFFFFFFFFFFULL +-}; ++# define BN_DEF(lo, hi) (BN_ULONG)hi << 32 | lo ++# else ++# define BN_DEF(lo, hi) lo, hi ++# endif + +-static const BN_ULONG ffdhe6144_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0xA40E329CD0E40E65ULL, 0xA41D570D7938DAD4ULL, +- 0x62A69526D43161C1ULL, 0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL, +- 0xEC9D1810C6272B04ULL, 0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL, +- 0x505DC82DB854338AULL, 0x62292C311562A846ULL, 0xD72B03746AE77F5EULL, +- 0xF9C9091B462D538CULL, 0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL, +- 0xEEAAC0232A281BF6ULL, 0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL, +- 0x587E38DA0077D9B4ULL, 0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL, +- 0xA00EF092350511E3ULL, 0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL, +- 0x388147FB4CFDB477ULL, 0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL, +- 0xB38E8C334C701C3AULL, 0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL, +- 0x23BA4442CAF53EA6ULL, 0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL, +- 0xC68A007E5E0DD902ULL, 0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL, +- 0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL, +- 0x092999A333CB8B7AULL, 0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL, +- 0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL, +- 0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL, +- 0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL, +- 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, +- 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, +- 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, +- 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, +- 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, +- 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, +- 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, +- 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, +- 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, +- 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, +- 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, +- 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, +- 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, +- 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, +- 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL +-}; ++/* DH parameters from RFC3526 */ + +-static const BN_ULONG ffdhe8192_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0xD68C8BB7C5C6424CULL, 0x011E2A94838FF88CULL, +- 0x0822E506A9F4614EULL, 0x97D11D49F7A8443DULL, 0xA6BBFDE530677F0DULL, +- 0x2F741EF8C1FE86FEULL, 0xFAFABE1C5D71A87EULL, 0xDED2FBABFBE58A30ULL, +- 0xB6855DFE72B0A66EULL, 0x1EFC8CE0BA8A4FE8ULL, 0x83F81D4A3F2FA457ULL, +- 0xA1FE3075A577E231ULL, 0xD5B8019488D9C0A0ULL, 0x624816CDAD9A95F9ULL, +- 0x99E9E31650C1217BULL, 0x51AA691E0E423CFCULL, 0x1C217E6C3826E52CULL, +- 0x51A8A93109703FEEULL, 0xBB7099876A460E74ULL, 0x541FC68C9C86B022ULL, +- 0x59160CC046FD8251ULL, 0x2846C0BA35C35F5CULL, 0x54504AC78B758282ULL, +- 0x29388839D2AF05E4ULL, 0xCB2C0F1CC01BD702ULL, 0x555B2F747C932665ULL, +- 0x86B63142A3AB8829ULL, 0x0B8CC3BDF64B10EFULL, 0x687FEB69EDD1CC5EULL, +- 0xFDB23FCEC9509D43ULL, 0x1E425A31D951AE64ULL, 0x36AD004CF600C838ULL, +- 0xA40E329CCFF46AAAULL, 0xA41D570D7938DAD4ULL, 0x62A69526D43161C1ULL, +- 0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL, 0xEC9D1810C6272B04ULL, +- 0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL, 0x505DC82DB854338AULL, +- 0x62292C311562A846ULL, 0xD72B03746AE77F5EULL, 0xF9C9091B462D538CULL, +- 0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL, 0xEEAAC0232A281BF6ULL, +- 0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL, 0x587E38DA0077D9B4ULL, +- 0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL, 0xA00EF092350511E3ULL, +- 0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL, 0x388147FB4CFDB477ULL, +- 0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL, 0xB38E8C334C701C3AULL, +- 0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL, 0x23BA4442CAF53EA6ULL, +- 0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL, 0xC68A007E5E0DD902ULL, +- 0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL, +- 0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL, +- 0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL, +- 0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL, +- 0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL, +- 0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL, +- 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL, +- 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL, +- 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL, +- 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL, +- 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL, +- 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, +- 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, +- 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, +- 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, +- 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, +- 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, +- 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, +- 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, +- 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, +- 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL ++/* ++ * "1536-bit MODP Group" from RFC3526, Section 2. ++ * ++ * The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } ++ * ++ * RFC3526 specifies a generator of 2. ++ * RFC2312 specifies a generator of 22. ++ */ ++static const BN_ULONG modp_1536_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCA237327, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_1536_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6511B993, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF) ++}; ++ ++/*- ++ * "2048-bit MODP Group" from RFC3526, Section 3. ++ * ++ * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_2048_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x8AACAA68, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_2048_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x45565534, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), ++}; ++ ++/*- ++ * "3072-bit MODP Group" from RFC3526, Section 4. ++ * ++ * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_3072_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xA93AD2CA, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_3072_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x549D6965, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), ++}; ++ ++/*- ++ * "4096-bit MODP Group" from RFC3526, Section 5. ++ * ++ * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_4096_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x34063199, 0x4DF435C9), ++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), ++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), ++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), ++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), ++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), ++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), ++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), ++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_4096_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x9A0318CC, 0xA6FA1AE4), ++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), ++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), ++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), ++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), ++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), ++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), ++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), ++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), ++}; ++ ++/*- ++ * "6144-bit MODP Group" from RFC3526, Section 6. ++ * ++ * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_6144_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6DCC4024, 0xE694F91E), ++ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), ++ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), ++ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), ++ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), ++ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), ++ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), ++ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), ++ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), ++ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), ++ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), ++ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), ++ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), ++ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), ++ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406), ++ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), ++ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), ++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), ++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), ++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), ++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), ++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), ++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), ++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), ++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_6144_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x36E62012, 0x734A7C8F), ++ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), ++ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), ++ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), ++ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), ++ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), ++ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), ++ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), ++ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), ++ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), ++ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), ++ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), ++ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), ++ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), ++ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), ++ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), ++ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), ++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), ++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), ++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), ++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), ++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), ++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), ++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), ++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), ++}; ++ ++/* ++ * "8192-bit MODP Group" from RFC3526, Section 7. ++ * ++ * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_8192_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x98EDD3DF, 0x60C980DD), ++ BN_DEF(0x80B96E71, 0xC81F56E8), BN_DEF(0x765694DF, 0x9E3050E2), ++ BN_DEF(0x5677E9AA, 0x9558E447), BN_DEF(0xFC026E47, 0xC9190DA6), ++ BN_DEF(0xD5EE382B, 0x889A002E), BN_DEF(0x481C6CD7, 0x4009438B), ++ BN_DEF(0xEB879F92, 0x359046F4), BN_DEF(0x1ECFA268, 0xFAF36BC3), ++ BN_DEF(0x7EE74D73, 0xB1D510BD), BN_DEF(0x5DED7EA1, 0xF9AB4819), ++ BN_DEF(0x0846851D, 0x64F31CC5), BN_DEF(0xA0255DC1, 0x4597E899), ++ BN_DEF(0x74AB6A36, 0xDF310EE0), BN_DEF(0x3F44F82D, 0x6D2A13F8), ++ BN_DEF(0xB3A278A6, 0x062B3CF5), BN_DEF(0xED5BDD3A, 0x79683303), ++ BN_DEF(0xA2C087E8, 0xFA9D4B7F), BN_DEF(0x2F8385DD, 0x4BCBC886), ++ BN_DEF(0x6CEA306B, 0x3473FC64), BN_DEF(0x1A23F0C7, 0x13EB57A8), ++ BN_DEF(0xA4037C07, 0x22222E04), BN_DEF(0xFC848AD9, 0xE3FDB8BE), ++ BN_DEF(0xE39D652D, 0x238F16CB), BN_DEF(0x2BF1C978, 0x3423B474), ++ BN_DEF(0x5AE4F568, 0x3AAB639C), BN_DEF(0x6BA42466, 0x2576F693), ++ BN_DEF(0x8AFC47ED, 0x741FA7BF), BN_DEF(0x8D9DD300, 0x3BC832B6), ++ BN_DEF(0x73B931BA, 0xD8BEC4D0), BN_DEF(0xA932DF8C, 0x38777CB6), ++ BN_DEF(0x12FEE5E4, 0x74A3926F), BN_DEF(0x6DBE1159, 0xE694F91E), ++ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), ++ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), ++ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), ++ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), ++ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), ++ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), ++ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), ++ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), ++ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), ++ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), ++ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), ++ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), ++ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), ++ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406), ++ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), ++ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), ++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), ++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), ++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), ++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), ++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), ++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), ++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), ++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_8192_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCC76E9EF, 0xB064C06E), ++ BN_DEF(0x405CB738, 0xE40FAB74), BN_DEF(0x3B2B4A6F, 0x4F182871), ++ BN_DEF(0xAB3BF4D5, 0xCAAC7223), BN_DEF(0x7E013723, 0xE48C86D3), ++ BN_DEF(0x6AF71C15, 0xC44D0017), BN_DEF(0xA40E366B, 0x2004A1C5), ++ BN_DEF(0x75C3CFC9, 0x1AC8237A), BN_DEF(0x8F67D134, 0xFD79B5E1), ++ BN_DEF(0xBF73A6B9, 0xD8EA885E), BN_DEF(0xAEF6BF50, 0xFCD5A40C), ++ BN_DEF(0x8423428E, 0xB2798E62), BN_DEF(0xD012AEE0, 0x22CBF44C), ++ BN_DEF(0x3A55B51B, 0xEF988770), BN_DEF(0x1FA27C16, 0x369509FC), ++ BN_DEF(0xD9D13C53, 0x03159E7A), BN_DEF(0xF6ADEE9D, 0x3CB41981), ++ BN_DEF(0xD16043F4, 0xFD4EA5BF), BN_DEF(0x17C1C2EE, 0xA5E5E443), ++ BN_DEF(0x36751835, 0x9A39FE32), BN_DEF(0x0D11F863, 0x89F5ABD4), ++ BN_DEF(0x5201BE03, 0x91111702), BN_DEF(0x7E42456C, 0xF1FEDC5F), ++ BN_DEF(0xF1CEB296, 0x11C78B65), BN_DEF(0x15F8E4BC, 0x1A11DA3A), ++ BN_DEF(0x2D727AB4, 0x1D55B1CE), BN_DEF(0xB5D21233, 0x92BB7B49), ++ BN_DEF(0xC57E23F6, 0x3A0FD3DF), BN_DEF(0x46CEE980, 0x1DE4195B), ++ BN_DEF(0x39DC98DD, 0x6C5F6268), BN_DEF(0x54996FC6, 0x1C3BBE5B), ++ BN_DEF(0x897F72F2, 0xBA51C937), BN_DEF(0x36DF08AC, 0x734A7C8F), ++ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), ++ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), ++ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), ++ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), ++ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), ++ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), ++ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), ++ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), ++ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), ++ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), ++ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), ++ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), ++ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), ++ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), ++ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), ++ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), ++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), ++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), ++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), ++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), ++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), ++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), ++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), ++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + +-# elif BN_BITS2 == 32 +- ++/* DH parameters from RFC5114 */ + static const BN_ULONG dh1024_160_p[] = { +- 0x2E4A4371, 0xDF1FB2BC, 0x6D4DA708, 0xE68CFDA7, 0x365C1A65, 0x45BF37DF, +- 0x0DC8B4BD, 0xA151AF5F, 0xF55BCCC0, 0xFAA31A4F, 0xE5644738, 0x4EFFD6FA, +- 0x219A7372, 0x98488E9C, 0x90C4BD70, 0xACCBDD7D, 0xD49B83BF, 0x24975C3C, +- 0xA9061123, 0x13ECB4AE, 0x2EE652C0, 0x9838EF1E, 0x75A23D18, 0x6073E286, +- 0x52D23B61, 0x9A6A9DCA, 0xFB06A3C6, 0x52C99FBC, 0xAE5D54EC, 0xDE92DE5E, +- 0xA080E01D, 0xB10B8F96 +-}; +- +-static const BN_ULONG dh1024_160_g[] = { +- 0x22B3B2E5, 0x855E6EEB, 0xF97C2A24, 0x858F4DCE, 0x18D08BC8, 0x2D779D59, +- 0x8E73AFA3, 0xD662A4D1, 0x69B6A28A, 0x1DBF0A01, 0x7A091F53, 0xA6A24C08, +- 0x63F80A76, 0x909D0D22, 0xB9A92EE1, 0xD7FBD7D3, 0x9E2749F4, 0x5E91547F, +- 0xB01B886A, 0x160217B4, 0x5504F213, 0x777E690F, 0x5C41564B, 0x266FEA1E, +- 0x14266D31, 0xD6406CFF, 0x58AC507F, 0xF8104DD2, 0xEFB99905, 0x6765A442, +- 0xC3FD3412, 0xA4D1CBD5 ++ BN_DEF(0x2E4A4371, 0xDF1FB2BC), BN_DEF(0x6D4DA708, 0xE68CFDA7), ++ BN_DEF(0x365C1A65, 0x45BF37DF), BN_DEF(0x0DC8B4BD, 0xA151AF5F), ++ BN_DEF(0xF55BCCC0, 0xFAA31A4F), BN_DEF(0xE5644738, 0x4EFFD6FA), ++ BN_DEF(0x219A7372, 0x98488E9C), BN_DEF(0x90C4BD70, 0xACCBDD7D), ++ BN_DEF(0xD49B83BF, 0x24975C3C), BN_DEF(0xA9061123, 0x13ECB4AE), ++ BN_DEF(0x2EE652C0, 0x9838EF1E), BN_DEF(0x75A23D18, 0x6073E286), ++ BN_DEF(0x52D23B61, 0x9A6A9DCA), BN_DEF(0xFB06A3C6, 0x52C99FBC), ++ BN_DEF(0xAE5D54EC, 0xDE92DE5E), BN_DEF(0xA080E01D, 0xB10B8F96) + }; +- + static const BN_ULONG dh1024_160_q[] = { +- 0x49462353, 0x64B7CB9D, 0x8ABA4E7D, 0x81A8DF27, 0xF518AA87 ++ BN_DEF(0x49462353, 0x64B7CB9D), BN_DEF(0x8ABA4E7D, 0x81A8DF27), ++ (BN_ULONG)0xF518AA87 + }; +- +-static const BN_ULONG dh2048_224_p[] = { +- 0x0C10E64F, 0x0AC4DFFE, 0x4E71B81C, 0xCF9DE538, 0xFFA31F71, 0x7EF363E2, +- 0x6B8E75B9, 0xE3FB73C1, 0x4BA80A29, 0xC9B53DCF, 0x16E79763, 0x23F10B0E, +- 0x13042E9B, 0xC52172E4, 0xC928B2B9, 0xBE60E69C, 0xB9E587E8, 0x80CD86A1, +- 0x98C641A4, 0x315D75E1, 0x44328387, 0xCDF93ACC, 0xDC0A486D, 0x15987D9A, +- 0x1FD5A074, 0x7310F712, 0xDE31EFDC, 0x278273C7, 0x415D9330, 0x1602E714, +- 0xBC8985DB, 0x81286130, 0x70918836, 0xB3BF8A31, 0xB9C49708, 0x6A00E0A0, +- 0x8BBC27BE, 0xC6BA0B2C, 0xED34DBF6, 0xC9F98D11, 0xB6C12207, 0x7AD5B7D0, +- 0x55B7394B, 0xD91E8FEF, 0xEFDA4DF8, 0x9037C9ED, 0xAD6AC212, 0x6D3F8152, +- 0x1274A0A6, 0x1DE6B85A, 0x309C180E, 0xEB3D688A, 0x7BA1DF15, 0xAF9A3C40, +- 0xF95A56DB, 0xE6FA141D, 0xB61D0A75, 0xB54B1597, 0x683B9FD1, 0xA20D64E5, +- 0x9559C51F, 0xD660FAA7, 0x9123A9D0, 0xAD107E1E ++static const BN_ULONG dh1024_160_g[] = { ++ BN_DEF(0x22B3B2E5, 0x855E6EEB), BN_DEF(0xF97C2A24, 0x858F4DCE), ++ BN_DEF(0x18D08BC8, 0x2D779D59), BN_DEF(0x8E73AFA3, 0xD662A4D1), ++ BN_DEF(0x69B6A28A, 0x1DBF0A01), BN_DEF(0x7A091F53, 0xA6A24C08), ++ BN_DEF(0x63F80A76, 0x909D0D22), BN_DEF(0xB9A92EE1, 0xD7FBD7D3), ++ BN_DEF(0x9E2749F4, 0x5E91547F), BN_DEF(0xB01B886A, 0x160217B4), ++ BN_DEF(0x5504F213, 0x777E690F), BN_DEF(0x5C41564B, 0x266FEA1E), ++ BN_DEF(0x14266D31, 0xD6406CFF), BN_DEF(0x58AC507F, 0xF8104DD2), ++ BN_DEF(0xEFB99905, 0x6765A442), BN_DEF(0xC3FD3412, 0xA4D1CBD5) + }; + +-static const BN_ULONG dh2048_224_g[] = { +- 0x191F2BFA, 0x84B890D3, 0x2A7065B3, 0x81BC087F, 0xF6EC0179, 0x19C418E1, +- 0x71CFFF4C, 0x7B5A0F1C, 0x9B6AA4BD, 0xEDFE72FE, 0x94B30269, 0x81E1BCFE, +- 0x8D6C0191, 0x566AFBB4, 0x409D13CD, 0xB539CCE3, 0x5F2FF381, 0x6AA21E7F, +- 0x770589EF, 0xD9E263E4, 0xD19963DD, 0x10E183ED, 0x150B8EEB, 0xB70A8137, +- 0x28C8F8AC, 0x051AE3D4, 0x0C1AB15B, 0xBB77A86F, 0x16A330EF, 0x6E3025E3, +- 0xD6F83456, 0x19529A45, 0x118E98D1, 0xF180EB34, 0x50717CBE, 0xB5F6C6B2, +- 0xDA7460CD, 0x09939D54, 0x22EA1ED4, 0xE2471504, 0x521BC98A, 0xB8A762D0, +- 0x5AC1348B, 0xF4D02727, 0x1999024A, 0xC1766910, 0xA8D66AD7, 0xBE5E9001, +- 0x620A8652, 0xC57DB17C, 0x00C29F52, 0xAB739D77, 0xA70C4AFA, 0xDD921F01, +- 0x10B9A6F0, 0xA6824A4E, 0xCFE4FFE3, 0x74866A08, 0x89998CAF, 0x6CDEBE7B, +- 0x8FFDAC50, 0x9DF30B5C, 0x4F2D9AE3, 0xAC4032EF ++static const BN_ULONG dh2048_224_p[] = { ++ BN_DEF(0x0C10E64F, 0x0AC4DFFE), BN_DEF(0x4E71B81C, 0xCF9DE538), ++ BN_DEF(0xFFA31F71, 0x7EF363E2), BN_DEF(0x6B8E75B9, 0xE3FB73C1), ++ BN_DEF(0x4BA80A29, 0xC9B53DCF), BN_DEF(0x16E79763, 0x23F10B0E), ++ BN_DEF(0x13042E9B, 0xC52172E4), BN_DEF(0xC928B2B9, 0xBE60E69C), ++ BN_DEF(0xB9E587E8, 0x80CD86A1), BN_DEF(0x98C641A4, 0x315D75E1), ++ BN_DEF(0x44328387, 0xCDF93ACC), BN_DEF(0xDC0A486D, 0x15987D9A), ++ BN_DEF(0x1FD5A074, 0x7310F712), BN_DEF(0xDE31EFDC, 0x278273C7), ++ BN_DEF(0x415D9330, 0x1602E714), BN_DEF(0xBC8985DB, 0x81286130), ++ BN_DEF(0x70918836, 0xB3BF8A31), BN_DEF(0xB9C49708, 0x6A00E0A0), ++ BN_DEF(0x8BBC27BE, 0xC6BA0B2C), BN_DEF(0xED34DBF6, 0xC9F98D11), ++ BN_DEF(0xB6C12207, 0x7AD5B7D0), BN_DEF(0x55B7394B, 0xD91E8FEF), ++ BN_DEF(0xEFDA4DF8, 0x9037C9ED), BN_DEF(0xAD6AC212, 0x6D3F8152), ++ BN_DEF(0x1274A0A6, 0x1DE6B85A), BN_DEF(0x309C180E, 0xEB3D688A), ++ BN_DEF(0x7BA1DF15, 0xAF9A3C40), BN_DEF(0xF95A56DB, 0xE6FA141D), ++ BN_DEF(0xB61D0A75, 0xB54B1597), BN_DEF(0x683B9FD1, 0xA20D64E5), ++ BN_DEF(0x9559C51F, 0xD660FAA7), BN_DEF(0x9123A9D0, 0xAD107E1E) + }; +- + static const BN_ULONG dh2048_224_q[] = { +- 0xB36371EB, 0xBF389A99, 0x4738CEBC, 0x1F80535A, 0x99717710, 0xC58D93FE, +- 0x801C0D34 ++ BN_DEF(0xB36371EB, 0xBF389A99), BN_DEF(0x4738CEBC, 0x1F80535A), ++ BN_DEF(0x99717710, 0xC58D93FE), (BN_ULONG)0x801C0D34 + }; +- +-static const BN_ULONG dh2048_256_p[] = { +- 0x1E1A1597, 0xDB094AE9, 0xD7EF09CA, 0x693877FA, 0x6E11715F, 0x6116D227, +- 0xC198AF12, 0xA4B54330, 0xD7014103, 0x75F26375, 0x54E710C3, 0xC3A3960A, +- 0xBD0BE621, 0xDED4010A, 0x89962856, 0xC0B857F6, 0x71506026, 0xB3CA3F79, +- 0xE6B486F6, 0x1CCACB83, 0x14056425, 0x67E144E5, 0xA41825D9, 0xF6A167B5, +- 0x96524D8E, 0x3AD83477, 0x51BFA4AB, 0xF13C6D9A, 0x35488A0E, 0x2D525267, +- 0xCAA6B790, 0xB63ACAE1, 0x81B23F76, 0x4FDB70C5, 0x12307F5C, 0xBC39A0BF, +- 0xB1E59BB8, 0xB941F54E, 0xD45F9088, 0x6C5BFC11, 0x4275BF7B, 0x22E0B1EF, +- 0x5B4758C0, 0x91F9E672, 0x6BCF67ED, 0x5A8A9D30, 0x97517ABD, 0x209E0C64, +- 0x830E9A7C, 0x3BF4296D, 0x34096FAA, 0x16C3D911, 0x61B2AA30, 0xFAF7DF45, +- 0xD61957D4, 0xE00DF8F1, 0x435E3B00, 0x5D2CEED4, 0x660DD0F2, 0x8CEEF608, +- 0x65195999, 0xFFBBD19C, 0xB4B6663C, 0x87A8E61D ++static const BN_ULONG dh2048_224_g[] = { ++ BN_DEF(0x191F2BFA, 0x84B890D3), BN_DEF(0x2A7065B3, 0x81BC087F), ++ BN_DEF(0xF6EC0179, 0x19C418E1), BN_DEF(0x71CFFF4C, 0x7B5A0F1C), ++ BN_DEF(0x9B6AA4BD, 0xEDFE72FE), BN_DEF(0x94B30269, 0x81E1BCFE), ++ BN_DEF(0x8D6C0191, 0x566AFBB4), BN_DEF(0x409D13CD, 0xB539CCE3), ++ BN_DEF(0x5F2FF381, 0x6AA21E7F), BN_DEF(0x770589EF, 0xD9E263E4), ++ BN_DEF(0xD19963DD, 0x10E183ED), BN_DEF(0x150B8EEB, 0xB70A8137), ++ BN_DEF(0x28C8F8AC, 0x051AE3D4), BN_DEF(0x0C1AB15B, 0xBB77A86F), ++ BN_DEF(0x16A330EF, 0x6E3025E3), BN_DEF(0xD6F83456, 0x19529A45), ++ BN_DEF(0x118E98D1, 0xF180EB34), BN_DEF(0x50717CBE, 0xB5F6C6B2), ++ BN_DEF(0xDA7460CD, 0x09939D54), BN_DEF(0x22EA1ED4, 0xE2471504), ++ BN_DEF(0x521BC98A, 0xB8A762D0), BN_DEF(0x5AC1348B, 0xF4D02727), ++ BN_DEF(0x1999024A, 0xC1766910), BN_DEF(0xA8D66AD7, 0xBE5E9001), ++ BN_DEF(0x620A8652, 0xC57DB17C), BN_DEF(0x00C29F52, 0xAB739D77), ++ BN_DEF(0xA70C4AFA, 0xDD921F01), BN_DEF(0x10B9A6F0, 0xA6824A4E), ++ BN_DEF(0xCFE4FFE3, 0x74866A08), BN_DEF(0x89998CAF, 0x6CDEBE7B), ++ BN_DEF(0x8FFDAC50, 0x9DF30B5C), BN_DEF(0x4F2D9AE3, 0xAC4032EF) + }; + +-static const BN_ULONG dh2048_256_g[] = { +- 0x6CC41659, 0x664B4C0F, 0xEF98C582, 0x5E2327CF, 0xD4795451, 0xD647D148, +- 0x90F00EF8, 0x2F630784, 0x1DB246C3, 0x184B523D, 0xCDC67EB6, 0xC7891428, +- 0x0DF92B52, 0x7FD02837, 0x64E0EC37, 0xB3353BBB, 0x57CD0915, 0xECD06E15, +- 0xDF016199, 0xB7D2BBD2, 0x052588B9, 0xC8484B1E, 0x13D3FE14, 0xDB2A3B73, +- 0xD182EA0A, 0xD052B985, 0xE83B9C80, 0xA4BD1BFF, 0xFB3F2E55, 0xDFC967C1, +- 0x767164E1, 0xB5045AF2, 0x6F2F9193, 0x1D14348F, 0x428EBC83, 0x64E67982, +- 0x82D6ED38, 0x8AC376D2, 0xAAB8A862, 0x777DE62A, 0xE9EC144B, 0xDDF463E5, +- 0xC77A57F2, 0x0196F931, 0x41000A65, 0xA55AE313, 0xC28CBB18, 0x901228F8, +- 0x7E8C6F62, 0xBC3773BF, 0x0C6B47B1, 0xBE3A6C1B, 0xAC0BB555, 0xFF4FED4A, +- 0x77BE463F, 0x10DBC150, 0x1A0BA125, 0x07F4793A, 0x21EF2054, 0x4CA7B18F, +- 0x60EDBD48, 0x2E775066, 0x73134D0B, 0x3FB32C9B ++static const BN_ULONG dh2048_256_p[] = { ++ BN_DEF(0x1E1A1597, 0xDB094AE9), BN_DEF(0xD7EF09CA, 0x693877FA), ++ BN_DEF(0x6E11715F, 0x6116D227), BN_DEF(0xC198AF12, 0xA4B54330), ++ BN_DEF(0xD7014103, 0x75F26375), BN_DEF(0x54E710C3, 0xC3A3960A), ++ BN_DEF(0xBD0BE621, 0xDED4010A), BN_DEF(0x89962856, 0xC0B857F6), ++ BN_DEF(0x71506026, 0xB3CA3F79), BN_DEF(0xE6B486F6, 0x1CCACB83), ++ BN_DEF(0x14056425, 0x67E144E5), BN_DEF(0xA41825D9, 0xF6A167B5), ++ BN_DEF(0x96524D8E, 0x3AD83477), BN_DEF(0x51BFA4AB, 0xF13C6D9A), ++ BN_DEF(0x35488A0E, 0x2D525267), BN_DEF(0xCAA6B790, 0xB63ACAE1), ++ BN_DEF(0x81B23F76, 0x4FDB70C5), BN_DEF(0x12307F5C, 0xBC39A0BF), ++ BN_DEF(0xB1E59BB8, 0xB941F54E), BN_DEF(0xD45F9088, 0x6C5BFC11), ++ BN_DEF(0x4275BF7B, 0x22E0B1EF), BN_DEF(0x5B4758C0, 0x91F9E672), ++ BN_DEF(0x6BCF67ED, 0x5A8A9D30), BN_DEF(0x97517ABD, 0x209E0C64), ++ BN_DEF(0x830E9A7C, 0x3BF4296D), BN_DEF(0x34096FAA, 0x16C3D911), ++ BN_DEF(0x61B2AA30, 0xFAF7DF45), BN_DEF(0xD61957D4, 0xE00DF8F1), ++ BN_DEF(0x435E3B00, 0x5D2CEED4), BN_DEF(0x660DD0F2, 0x8CEEF608), ++ BN_DEF(0x65195999, 0xFFBBD19C), BN_DEF(0xB4B6663C, 0x87A8E61D) + }; +- + static const BN_ULONG dh2048_256_q[] = { +- 0x64F5FBD3, 0xA308B0FE, 0x1EB3750B, 0x99B1A47D, 0x40129DA2, 0xB4479976, +- 0xA709A097, 0x8CF83642 ++ BN_DEF(0x64F5FBD3, 0xA308B0FE), BN_DEF(0x1EB3750B, 0x99B1A47D), ++ BN_DEF(0x40129DA2, 0xB4479976), BN_DEF(0xA709A097, 0x8CF83642) ++}; ++static const BN_ULONG dh2048_256_g[] = { ++ BN_DEF(0x6CC41659, 0x664B4C0F), BN_DEF(0xEF98C582, 0x5E2327CF), ++ BN_DEF(0xD4795451, 0xD647D148), BN_DEF(0x90F00EF8, 0x2F630784), ++ BN_DEF(0x1DB246C3, 0x184B523D), BN_DEF(0xCDC67EB6, 0xC7891428), ++ BN_DEF(0x0DF92B52, 0x7FD02837), BN_DEF(0x64E0EC37, 0xB3353BBB), ++ BN_DEF(0x57CD0915, 0xECD06E15), BN_DEF(0xDF016199, 0xB7D2BBD2), ++ BN_DEF(0x052588B9, 0xC8484B1E), BN_DEF(0x13D3FE14, 0xDB2A3B73), ++ BN_DEF(0xD182EA0A, 0xD052B985), BN_DEF(0xE83B9C80, 0xA4BD1BFF), ++ BN_DEF(0xFB3F2E55, 0xDFC967C1), BN_DEF(0x767164E1, 0xB5045AF2), ++ BN_DEF(0x6F2F9193, 0x1D14348F), BN_DEF(0x428EBC83, 0x64E67982), ++ BN_DEF(0x82D6ED38, 0x8AC376D2), BN_DEF(0xAAB8A862, 0x777DE62A), ++ BN_DEF(0xE9EC144B, 0xDDF463E5), BN_DEF(0xC77A57F2, 0x0196F931), ++ BN_DEF(0x41000A65, 0xA55AE313), BN_DEF(0xC28CBB18, 0x901228F8), ++ BN_DEF(0x7E8C6F62, 0xBC3773BF), BN_DEF(0x0C6B47B1, 0xBE3A6C1B), ++ BN_DEF(0xAC0BB555, 0xFF4FED4A), BN_DEF(0x77BE463F, 0x10DBC150), ++ BN_DEF(0x1A0BA125, 0x07F4793A), BN_DEF(0x21EF2054, 0x4CA7B18F), ++ BN_DEF(0x60EDBD48, 0x2E775066), BN_DEF(0x73134D0B, 0x3FB32C9B) + }; + + /* Primes from RFC 7919 */ +- + static const BN_ULONG ffdhe2048_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0x61285C97, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, +- 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, +- 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, +- 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, +- 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, +- 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, +- 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, +- 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, +- 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, +- 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, +- 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x61285C97, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe2048_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x30942E4B, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe3072_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0x66C62E37, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, +- 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, +- 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, +- 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, +- 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, +- 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, +- 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, +- 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, +- 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, +- 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, +- 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, +- 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, +- 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, +- 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, +- 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, +- 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x66C62E37, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe3072_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xB363171B, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe4096_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0x5E655F6A, 0xC68A007E, 0xF44182E1, 0x4DB5A851, +- 0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9, +- 0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9, +- 0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886, +- 0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42, +- 0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B, +- 0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, +- 0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, +- 0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, +- 0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, +- 0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, +- 0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, +- 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, +- 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, +- 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, +- 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, +- 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, +- 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, +- 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, +- 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, +- 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, +- 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x5E655F6A, 0xC68A007E), ++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), ++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), ++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), ++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), ++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), ++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), ++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), ++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe4096_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x2F32AFB5, 0xE345003F), ++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), ++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), ++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), ++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), ++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), ++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), ++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), ++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe6144_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0xD0E40E65, 0xA40E329C, 0x7938DAD4, 0xA41D570D, +- 0xD43161C1, 0x62A69526, 0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9, +- 0xC6272B04, 0xEC9D1810, 0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 0xE49F5235, +- 0xB854338A, 0x505DC82D, 0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374, +- 0x462D538C, 0xF9C9091B, 0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1, +- 0x2A281BF6, 0xEEAAC023, 0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B, +- 0x0077D9B4, 0x587E38DA, 0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF, +- 0x350511E3, 0xA00EF092, 0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7, +- 0x4CFDB477, 0x388147FB, 0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657, +- 0x4C701C3A, 0xB38E8C33, 0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432, +- 0xCAF53EA6, 0x23BA4442, 0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6, +- 0x5E0DD902, 0xC68A007E, 0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A, +- 0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D, +- 0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A, +- 0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5, +- 0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4, +- 0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, +- 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, +- 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, +- 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, +- 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, +- 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, +- 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, +- 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, +- 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, +- 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, +- 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, +- 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, +- 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, +- 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, +- 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, +- 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xD0E40E65, 0xA40E329C), ++ BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526), ++ BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9), ++ BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5), ++ BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D), ++ BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374), ++ BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58), ++ BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023), ++ BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B), ++ BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C), ++ BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 0xA00EF092), ++ BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7), ++ BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E), ++ BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33), ++ BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432), ++ BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C), ++ BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E), ++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), ++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), ++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), ++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), ++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), ++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), ++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), ++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe6144_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x68720732, 0x5207194E), ++ BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93), ++ BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC), ++ BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA), ++ BN_DEF(0xE4ADC88B, 0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416), ++ BN_DEF(0x8AB15423, 0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA), ++ BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC), ++ BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011), ++ BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725), ++ BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6), ++ BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849), ++ BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB), ++ BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F), ++ BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619), ++ BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19), ++ BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96), ++ BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F), ++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), ++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), ++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), ++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), ++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), ++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), ++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), ++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe8192_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0xC5C6424C, 0xD68C8BB7, 0x838FF88C, 0x011E2A94, +- 0xA9F4614E, 0x0822E506, 0xF7A8443D, 0x97D11D49, 0x30677F0D, 0xA6BBFDE5, +- 0xC1FE86FE, 0x2F741EF8, 0x5D71A87E, 0xFAFABE1C, 0xFBE58A30, 0xDED2FBAB, +- 0x72B0A66E, 0xB6855DFE, 0xBA8A4FE8, 0x1EFC8CE0, 0x3F2FA457, 0x83F81D4A, +- 0xA577E231, 0xA1FE3075, 0x88D9C0A0, 0xD5B80194, 0xAD9A95F9, 0x624816CD, +- 0x50C1217B, 0x99E9E316, 0x0E423CFC, 0x51AA691E, 0x3826E52C, 0x1C217E6C, +- 0x09703FEE, 0x51A8A931, 0x6A460E74, 0xBB709987, 0x9C86B022, 0x541FC68C, +- 0x46FD8251, 0x59160CC0, 0x35C35F5C, 0x2846C0BA, 0x8B758282, 0x54504AC7, +- 0xD2AF05E4, 0x29388839, 0xC01BD702, 0xCB2C0F1C, 0x7C932665, 0x555B2F74, +- 0xA3AB8829, 0x86B63142, 0xF64B10EF, 0x0B8CC3BD, 0xEDD1CC5E, 0x687FEB69, +- 0xC9509D43, 0xFDB23FCE, 0xD951AE64, 0x1E425A31, 0xF600C838, 0x36AD004C, +- 0xCFF46AAA, 0xA40E329C, 0x7938DAD4, 0xA41D570D, 0xD43161C1, 0x62A69526, +- 0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9, 0xC6272B04, 0xEC9D1810, +- 0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 0xE49F5235, 0xB854338A, 0x505DC82D, +- 0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374, 0x462D538C, 0xF9C9091B, +- 0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1, 0x2A281BF6, 0xEEAAC023, +- 0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B, 0x0077D9B4, 0x587E38DA, +- 0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF, 0x350511E3, 0xA00EF092, +- 0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7, 0x4CFDB477, 0x388147FB, +- 0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657, 0x4C701C3A, 0xB38E8C33, +- 0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432, 0xCAF53EA6, 0x23BA4442, +- 0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6, 0x5E0DD902, 0xC68A007E, +- 0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD, +- 0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3, +- 0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01, +- 0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D, +- 0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3, +- 0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B, +- 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5, +- 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452, +- 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA, +- 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE, +- 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, +- 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, +- 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, +- 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, +- 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, +- 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, +- 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, +- 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, +- 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, +- 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, +- 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xC5C6424C, 0xD68C8BB7), ++ BN_DEF(0x838FF88C, 0x011E2A94), BN_DEF(0xA9F4614E, 0x0822E506), ++ BN_DEF(0xF7A8443D, 0x97D11D49), BN_DEF(0x30677F0D, 0xA6BBFDE5), ++ BN_DEF(0xC1FE86FE, 0x2F741EF8), BN_DEF(0x5D71A87E, 0xFAFABE1C), ++ BN_DEF(0xFBE58A30, 0xDED2FBAB), BN_DEF(0x72B0A66E, 0xB6855DFE), ++ BN_DEF(0xBA8A4FE8, 0x1EFC8CE0), BN_DEF(0x3F2FA457, 0x83F81D4A), ++ BN_DEF(0xA577E231, 0xA1FE3075), BN_DEF(0x88D9C0A0, 0xD5B80194), ++ BN_DEF(0xAD9A95F9, 0x624816CD), BN_DEF(0x50C1217B, 0x99E9E316), ++ BN_DEF(0x0E423CFC, 0x51AA691E), BN_DEF(0x3826E52C, 0x1C217E6C), ++ BN_DEF(0x09703FEE, 0x51A8A931), BN_DEF(0x6A460E74, 0xBB709987), ++ BN_DEF(0x9C86B022, 0x541FC68C), BN_DEF(0x46FD8251, 0x59160CC0), ++ BN_DEF(0x35C35F5C, 0x2846C0BA), BN_DEF(0x8B758282, 0x54504AC7), ++ BN_DEF(0xD2AF05E4, 0x29388839), BN_DEF(0xC01BD702, 0xCB2C0F1C), ++ BN_DEF(0x7C932665, 0x555B2F74), BN_DEF(0xA3AB8829, 0x86B63142), ++ BN_DEF(0xF64B10EF, 0x0B8CC3BD), BN_DEF(0xEDD1CC5E, 0x687FEB69), ++ BN_DEF(0xC9509D43, 0xFDB23FCE), BN_DEF(0xD951AE64, 0x1E425A31), ++ BN_DEF(0xF600C838, 0x36AD004C), BN_DEF(0xCFF46AAA, 0xA40E329C), ++ BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526), ++ BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9), ++ BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5), ++ BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D), ++ BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374), ++ BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58), ++ BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023), ++ BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B), ++ BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C), ++ BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 0xA00EF092), ++ BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7), ++ BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E), ++ BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33), ++ BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432), ++ BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C), ++ BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E), ++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), ++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), ++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), ++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), ++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), ++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), ++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), ++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe8192_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0xE2E32126, 0x6B4645DB), ++ BN_DEF(0x41C7FC46, 0x008F154A), BN_DEF(0x54FA30A7, 0x84117283), ++ BN_DEF(0xFBD4221E, 0xCBE88EA4), BN_DEF(0x9833BF86, 0x535DFEF2), ++ BN_DEF(0x60FF437F, 0x17BA0F7C), BN_DEF(0x2EB8D43F, 0x7D7D5F0E), ++ BN_DEF(0xFDF2C518, 0x6F697DD5), BN_DEF(0x39585337, 0x5B42AEFF), ++ BN_DEF(0x5D4527F4, 0x8F7E4670), BN_DEF(0x1F97D22B, 0xC1FC0EA5), ++ BN_DEF(0xD2BBF118, 0x50FF183A), BN_DEF(0x446CE050, 0xEADC00CA), ++ BN_DEF(0xD6CD4AFC, 0xB1240B66), BN_DEF(0x286090BD, 0x4CF4F18B), ++ BN_DEF(0x07211E7E, 0x28D5348F), BN_DEF(0x1C137296, 0x0E10BF36), ++ BN_DEF(0x84B81FF7, 0x28D45498), BN_DEF(0xB523073A, 0x5DB84CC3), ++ BN_DEF(0x4E435811, 0xAA0FE346), BN_DEF(0x237EC128, 0x2C8B0660), ++ BN_DEF(0x1AE1AFAE, 0x1423605D), BN_DEF(0xC5BAC141, 0x2A282563), ++ BN_DEF(0xE95782F2, 0x149C441C), BN_DEF(0x600DEB81, 0xE596078E), ++ BN_DEF(0x3E499332, 0xAAAD97BA), BN_DEF(0x51D5C414, 0xC35B18A1), ++ BN_DEF(0xFB258877, 0x05C661DE), BN_DEF(0xF6E8E62F, 0xB43FF5B4), ++ BN_DEF(0x64A84EA1, 0x7ED91FE7), BN_DEF(0xECA8D732, 0x0F212D18), ++ BN_DEF(0x7B00641C, 0x1B568026), BN_DEF(0x67FA3555, 0x5207194E), ++ BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93), ++ BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC), ++ BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA), ++ BN_DEF(0xE4ADC88B, 0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416), ++ BN_DEF(0x8AB15423, 0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA), ++ BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC), ++ BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011), ++ BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725), ++ BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6), ++ BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849), ++ BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB), ++ BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F), ++ BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619), ++ BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19), ++ BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96), ++ BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F), ++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), ++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), ++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), ++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), ++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), ++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), ++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), ++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + +-# else +-# error "unsupported BN_BITS2" +-# endif +- + /* Macro to make a BIGNUM from static data */ + + # define make_dh_bn(x) extern const BIGNUM _bignum_##x; \ +@@ -489,24 +1010,42 @@ static const BN_ULONG ffdhe8192_p[] = { + + static const BN_ULONG value_2 = 2; + +-const BIGNUM _bignum_const_2 = +- { (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA }; ++const BIGNUM _bignum_const_2 = { ++ (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA ++}; + + make_dh_bn(dh1024_160_p) +-make_dh_bn(dh1024_160_g) + make_dh_bn(dh1024_160_q) ++make_dh_bn(dh1024_160_g) + make_dh_bn(dh2048_224_p) +-make_dh_bn(dh2048_224_g) + make_dh_bn(dh2048_224_q) ++make_dh_bn(dh2048_224_g) + make_dh_bn(dh2048_256_p) +-make_dh_bn(dh2048_256_g) + make_dh_bn(dh2048_256_q) ++make_dh_bn(dh2048_256_g) + + make_dh_bn(ffdhe2048_p) ++make_dh_bn(ffdhe2048_q) + make_dh_bn(ffdhe3072_p) ++make_dh_bn(ffdhe3072_q) + make_dh_bn(ffdhe4096_p) ++make_dh_bn(ffdhe4096_q) + make_dh_bn(ffdhe6144_p) ++make_dh_bn(ffdhe6144_q) + make_dh_bn(ffdhe8192_p) ++make_dh_bn(ffdhe8192_q) + ++make_dh_bn(modp_1536_p) ++make_dh_bn(modp_1536_q) ++make_dh_bn(modp_2048_p) ++make_dh_bn(modp_2048_q) ++make_dh_bn(modp_3072_p) ++make_dh_bn(modp_3072_q) ++make_dh_bn(modp_4096_p) ++make_dh_bn(modp_4096_q) ++make_dh_bn(modp_6144_p) ++make_dh_bn(modp_6144_q) ++make_dh_bn(modp_8192_p) ++make_dh_bn(modp_8192_q) + +-#endif ++#endif /* OPENSSL_NO_DH */ +Index: openssl-1.1.1m/crypto/dh/dh_check.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_check.c ++++ openssl-1.1.1m/crypto/dh/dh_check.c +@@ -10,6 +10,7 @@ + #include + #include "internal/cryptlib.h" + #include ++#include + #include "dh_local.h" + + # define DH_NUMBER_ITERATIONS_FOR_PRIME 64 +@@ -41,6 +42,12 @@ int DH_check_params(const DH *dh, int *r + BIGNUM *tmp = NULL; + BN_CTX *ctx = NULL; + ++ if (FIPS_mode()) { ++ int nid = dh->nid == NID_undef ? DH_get_nid(dh) : dh->nid; ++ ++ return nid != NID_undef; ++ } ++ + *ret = 0; + ctx = BN_CTX_new(); + if (ctx == NULL) +@@ -95,6 +102,7 @@ int DH_check_ex(const DH *dh) + return errflags == 0; + } + ++/* Note: according to documentation - this only checks the params */ + int DH_check(const DH *dh, int *ret) + { + int ok = 0, r, q_good = 0; +@@ -104,6 +112,9 @@ int DH_check(const DH *dh, int *ret) + if (!DH_check_params(dh, ret)) + return 0; + ++ if (FIPS_mode()) /* we allow only well-known params */ ++ return 1; ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +@@ -177,7 +188,7 @@ int DH_check_pub_key_ex(const DH *dh, co + return errflags == 0; + } + +-int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) ++static int dh_check_pub_key_int(const DH *dh, const BIGNUM *q, const BIGNUM *pub_key, int *ret) + { + int ok = 0; + BIGNUM *tmp = NULL; +@@ -187,28 +198,68 @@ int DH_check_pub_key(const DH *dh, const + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; ++ + BN_CTX_start(ctx); + tmp = BN_CTX_get(ctx); ++ /* Step(1): Verify pub_key >= 2 */ + if (tmp == NULL || !BN_set_word(tmp, 1)) + goto err; +- if (BN_cmp(pub_key, tmp) <= 0) ++ if (BN_cmp(pub_key, tmp) <= 0) { + *ret |= DH_CHECK_PUBKEY_TOO_SMALL; ++ goto err; ++ } ++ /* Step(1): Verify pub_key <= p-2 */ + if (BN_copy(tmp, dh->p) == NULL || !BN_sub_word(tmp, 1)) + goto err; +- if (BN_cmp(pub_key, tmp) >= 0) ++ if (BN_cmp(pub_key, tmp) >= 0) { + *ret |= DH_CHECK_PUBKEY_TOO_LARGE; ++ goto err; ++ } ++ ++ if (q != NULL) { ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ BN_CTX_start(ctx); ++ tmp = BN_CTX_get(ctx); + +- if (dh->q != NULL) { + /* Check pub_key^q == 1 mod p */ +- if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx)) ++ if (tmp == NULL || !BN_mod_exp(tmp, pub_key, q, dh->p, ctx)) + goto err; +- if (!BN_is_one(tmp)) ++ if (!BN_is_one(tmp)) { + *ret |= DH_CHECK_PUBKEY_INVALID; ++ goto err; ++ } + } + + ok = 1; + err: +- BN_CTX_end(ctx); +- BN_CTX_free(ctx); ++ if (ctx != NULL) { ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ } + return ok; + } ++ ++/* ++ * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Full public key validation. ++ */ ++int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) ++{ ++ return dh_check_pub_key_int(dh, dh->q, pub_key, ret); ++} ++ ++int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret) ++{ ++ BIGNUM *q = dh->q; ++ ++ if (q == NULL) { ++ if (dh_get_known_q(dh, &q) == 0) { ++ *ret |= DH_CHECK_INVALID_Q_VALUE; ++ return 0; ++ } ++ } ++ ++ return dh_check_pub_key_int(dh, q, pub_key, ret); ++} ++ +Index: openssl-1.1.1m/crypto/dh/dh_gen.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_gen.c ++++ openssl-1.1.1m/crypto/dh/dh_gen.c +@@ -27,8 +27,7 @@ int DH_generate_parameters_ex(DH *ret, i + BN_GENCB *cb) + { + #ifdef OPENSSL_FIPS +- if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD) +- && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) { ++ if (FIPS_mode()) { + DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD); + return 0; + } +@@ -75,18 +74,6 @@ static int dh_builtin_genparams(DH *ret, + int g, ok = -1; + BN_CTX *ctx = NULL; + +-#ifdef OPENSSL_FIPS +- if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED); +- return 0; +- } +- +- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) { +- DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); +- goto err; +- } +-#endif +- + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +Index: openssl-1.1.1m/crypto/dh/dh_key.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_key.c ++++ openssl-1.1.1m/crypto/dh/dh_key.c +@@ -128,10 +128,18 @@ static int generate_key(DH *dh) + BIGNUM *pub_key = NULL, *priv_key = NULL; + + #ifdef OPENSSL_FIPS +- if (FIPS_mode() +- && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { +- DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); +- return 0; ++ if (FIPS_mode()) { ++ if (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); ++ return 0; ++ } ++ if (dh->nid == NID_undef) ++ dh_cache_nid(dh); ++ if (dh->nid == NID_undef || dh->length > BN_num_bits(dh->p) - 2 ++ || dh->length < 224) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_NON_FIPS_METHOD); ++ return 0; ++ } + } + #endif + +@@ -167,7 +175,15 @@ static int generate_key(DH *dh) + } + + if (generate_new_key) { +- if (dh->q) { ++ if (FIPS_mode()) { ++ do { ++ if (!BN_priv_rand(priv_key, dh->length, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) ++ goto err; ++ if (!BN_add_word(priv_key, 1)) ++ goto err; ++ } ++ while (BN_num_bits(priv_key) > dh->length); ++ } else if (dh->q) { + do { + if (!BN_priv_rand_range(priv_key, dh->q)) + goto err; +@@ -203,6 +219,15 @@ static int generate_key(DH *dh) + } + /* We MUST free prk before any further use of priv_key */ + BN_clear_free(prk); ++ ++ if (FIPS_mode()) { ++ int check_result; ++ ++ if (!dh_check_pub_key_full(dh, pub_key, &check_result) || check_result) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_INVALID_PUBKEY); ++ goto err; ++ } ++ } + } + + dh->pub_key = pub_key; +@@ -225,6 +250,7 @@ static int compute_key(unsigned char *ke + BN_CTX *ctx = NULL; + BN_MONT_CTX *mont = NULL; + BIGNUM *tmp; ++ BIGNUM *p1; + int ret = -1; + int check_result; + +@@ -271,6 +297,18 @@ static int compute_key(unsigned char *ke + DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); + goto err; + } ++ ++ if (BN_is_zero(tmp) || BN_is_one(tmp) || BN_is_negative(tmp)) { ++ DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ if ((p1 = BN_CTX_get(ctx)) == NULL ++ || !BN_sub(p1, dh->p, BN_value_one()) ++ || BN_cmp(p1, tmp) <= 0) { ++ DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); ++ goto err; ++ } + + ret = BN_bn2binpad(tmp, key, BN_num_bytes(dh->p)); + err: +Index: openssl-1.1.1m/crypto/dh/dh_lib.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_lib.c ++++ openssl-1.1.1m/crypto/dh/dh_lib.c +@@ -8,6 +8,7 @@ + */ + + #include ++#include + #include "internal/cryptlib.h" + #include "internal/refcount.h" + #include +@@ -86,6 +87,8 @@ DH *DH_new_method(ENGINE *engine) + goto err; + } + ++ ret->nid = NID_undef; ++ + return ret; + + err: +@@ -205,7 +208,10 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU + dh->g = g; + } + +- if (q != NULL) { ++ dh->nid = NID_undef; ++ dh_cache_nid(dh); ++ ++ if (q != NULL && dh->nid == NID_undef) { + dh->length = BN_num_bits(q); + } + +Index: openssl-1.1.1m/crypto/dh/dh_local.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_local.h ++++ openssl-1.1.1m/crypto/dh/dh_local.h +@@ -35,6 +35,7 @@ struct dh_st { + const DH_METHOD *meth; + ENGINE *engine; + CRYPTO_RWLOCK *lock; ++ int nid; + }; + + struct dh_method { +@@ -55,3 +56,12 @@ struct dh_method { + int (*generate_params) (DH *dh, int prime_len, int generator, + BN_GENCB *cb); + }; ++ ++void dh_cache_nid(DH *dh); ++ ++/* Obtain known q value based on nid or p */ ++int dh_get_known_q(const DH *dh, BIGNUM **q); ++ ++/* FIPS mode only check which requires nid set and looks up q based on it. */ ++int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret); ++ +Index: openssl-1.1.1m/crypto/dh/dh_rfc7919.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_rfc7919.c ++++ openssl-1.1.1m/crypto/dh/dh_rfc7919.c +@@ -7,6 +7,8 @@ + * https://www.openssl.org/source/license.html + */ + ++/* DH parameters from RFC7919 and RFC3526 */ ++ + #include + #include "internal/cryptlib.h" + #include "dh_local.h" +@@ -14,14 +16,19 @@ + #include + #include "crypto/bn_dh.h" + +-static DH *dh_param_init(const BIGNUM *p, int32_t nbits) ++static DH *dh_param_init(int nid, const BIGNUM *p, const BIGNUM *q, int32_t nbits) + { + DH *dh = DH_new(); + if (dh == NULL) + return NULL; + dh->p = (BIGNUM *)p; ++ /* ++ * We do not set q as it would enable the inefficient and ++ * unnecessary pubkey modular exponentiation check. ++ */ + dh->g = (BIGNUM *)&_bignum_const_2; + dh->length = nbits; ++ dh->nid = nid; + return dh; + } + +@@ -29,46 +36,121 @@ DH *DH_new_by_nid(int nid) + { + switch (nid) { + case NID_ffdhe2048: +- return dh_param_init(&_bignum_ffdhe2048_p, 225); ++ return dh_param_init(nid, &_bignum_ffdhe2048_p, &_bignum_ffdhe2048_q, 225); + case NID_ffdhe3072: +- return dh_param_init(&_bignum_ffdhe3072_p, 275); ++ return dh_param_init(nid, &_bignum_ffdhe3072_p, &_bignum_ffdhe3072_q, 275); + case NID_ffdhe4096: +- return dh_param_init(&_bignum_ffdhe4096_p, 325); ++ return dh_param_init(nid, &_bignum_ffdhe4096_p, &_bignum_ffdhe4096_q, 325); + case NID_ffdhe6144: +- return dh_param_init(&_bignum_ffdhe6144_p, 375); ++ return dh_param_init(nid, &_bignum_ffdhe6144_p, &_bignum_ffdhe6144_q, 375); + case NID_ffdhe8192: +- return dh_param_init(&_bignum_ffdhe8192_p, 400); ++ return dh_param_init(nid, &_bignum_ffdhe8192_p, &_bignum_ffdhe8192_q, 400); ++ case NID_modp_2048: ++ return dh_param_init(nid, &_bignum_modp_2048_p, &_bignum_modp_2048_q, 225); ++ case NID_modp_3072: ++ return dh_param_init(nid, &_bignum_modp_3072_p, &_bignum_modp_3072_q, 275); ++ case NID_modp_4096: ++ return dh_param_init(nid, &_bignum_modp_4096_p, &_bignum_modp_4096_q, 325); ++ case NID_modp_6144: ++ return dh_param_init(nid, &_bignum_modp_6144_p, &_bignum_modp_6144_q, 375); ++ case NID_modp_8192: ++ return dh_param_init(nid, &_bignum_modp_8192_p, &_bignum_modp_8192_q, 400); ++ case NID_modp_1536: ++ if (!FIPS_mode()) ++ return dh_param_init(nid, &_bignum_modp_1536_p, &_bignum_modp_1536_q, 175); ++ /* fallthrough */ + default: + DHerr(DH_F_DH_NEW_BY_NID, DH_R_INVALID_PARAMETER_NID); + return NULL; + } + } + +-int DH_get_nid(const DH *dh) ++static int dh_match_group(const DH *dh, BIGNUM **qout, int *lout) + { + int nid; ++ const BIGNUM *q; ++ int length; + + if (BN_get_word(dh->g) != 2) + return NID_undef; +- if (!BN_cmp(dh->p, &_bignum_ffdhe2048_p)) ++ ++ if (dh->nid == NID_ffdhe2048 || !BN_cmp(dh->p, &_bignum_ffdhe2048_p)) { + nid = NID_ffdhe2048; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe3072_p)) ++ q = &_bignum_ffdhe2048_q; ++ length = 225; ++ } else if (dh->nid == NID_ffdhe3072 || !BN_cmp(dh->p, &_bignum_ffdhe3072_p)) { + nid = NID_ffdhe3072; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe4096_p)) ++ q = &_bignum_ffdhe3072_q; ++ length = 275; ++ } else if (dh->nid == NID_ffdhe4096 || !BN_cmp(dh->p, &_bignum_ffdhe4096_p)) { + nid = NID_ffdhe4096; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe6144_p)) ++ q = &_bignum_ffdhe4096_q; ++ length = 325; ++ } else if (dh->nid == NID_ffdhe6144 || !BN_cmp(dh->p, &_bignum_ffdhe6144_p)) { + nid = NID_ffdhe6144; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe8192_p)) ++ q = &_bignum_ffdhe6144_q; ++ length = 375; ++ } else if (dh->nid == NID_ffdhe8192 || !BN_cmp(dh->p, &_bignum_ffdhe8192_p)) { + nid = NID_ffdhe8192; +- else ++ q = &_bignum_ffdhe8192_q; ++ length = 400; ++ } else if (dh->nid == NID_modp_2048 || !BN_cmp(dh->p, &_bignum_modp_2048_p)) { ++ nid = NID_modp_2048; ++ q = &_bignum_modp_2048_q; ++ length = 225; ++ } else if (dh->nid == NID_modp_3072 || !BN_cmp(dh->p, &_bignum_modp_3072_p)) { ++ nid = NID_modp_3072; ++ q = &_bignum_modp_3072_q; ++ length = 275; ++ } else if (dh->nid == NID_modp_4096 || !BN_cmp(dh->p, &_bignum_modp_4096_p)) { ++ nid = NID_modp_4096; ++ q = &_bignum_modp_4096_q; ++ length = 325; ++ } else if (dh->nid == NID_modp_6144 || !BN_cmp(dh->p, &_bignum_modp_6144_p)) { ++ nid = NID_modp_6144; ++ q = &_bignum_modp_6144_q; ++ length = 375; ++ } else if (dh->nid == NID_modp_8192 || !BN_cmp(dh->p, &_bignum_modp_8192_p)) { ++ nid = NID_modp_8192; ++ q = &_bignum_modp_8192_q; ++ length = 400; ++ } else if (!FIPS_mode() && (dh->nid == NID_modp_1536 || !BN_cmp(dh->p, &_bignum_modp_1536_p))) { ++ nid = NID_modp_1536; ++ q = &_bignum_modp_1536_q; ++ length = 175; ++ } else { + return NID_undef; ++ } ++ + if (dh->q != NULL) { +- BIGNUM *q = BN_dup(dh->p); ++ /* Check that q matches the known q. */ ++ if (BN_cmp(dh->q, q)) ++ return NID_undef; ++ } else if (qout != NULL) { ++ *qout = (BIGNUM *)q; ++ } + +- /* Check q = p * 2 + 1 we already know q is odd, so just shift right */ +- if (q == NULL || !BN_rshift1(q, q) || !BN_cmp(dh->q, q)) +- nid = NID_undef; +- BN_free(q); ++ if (lout != NULL) { ++ *lout = length; + } + return nid; + } ++ ++int DH_get_nid(const DH *dh) ++{ ++ if (dh->nid != NID_undef) { ++ return dh->nid; ++ } ++ return dh_match_group(dh, NULL, NULL); ++} ++ ++void dh_cache_nid(DH *dh) ++{ ++ dh->nid = dh_match_group(dh, NULL, &dh->length); ++} ++ ++int dh_get_known_q(const DH *dh, BIGNUM **q) ++{ ++ return dh_match_group(dh, q, NULL) != NID_undef; ++} ++ +Index: openssl-1.1.1m/crypto/ec/ecdh_ossl.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ecdh_ossl.c ++++ openssl-1.1.1m/crypto/ec/ecdh_ossl.c +@@ -42,9 +42,14 @@ int ossl_ecdh_compute_key(unsigned char + } + + /*- +- * This implementation is based on the following primitives in the IEEE 1363 standard: ++ * This implementation is based on the following primitives in the ++ * IEEE 1363 standard: + * - ECKAS-DH1 + * - ECSVDP-DH ++ * ++ * It also conforms to SP800-56A r3 ++ * See Section 5.7.1.2 "Elliptic Curve Cryptography Cofactor Diffie-Hellman ++ * (ECC CDH) Primitive:". The steps listed below refer to SP800-56A. + */ + int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen, + const EC_POINT *pub_key, const EC_KEY *ecdh) +@@ -75,6 +80,10 @@ int ecdh_simple_compute_key(unsigned cha + + group = EC_KEY_get0_group(ecdh); + ++ /* ++ * Step(1) - Compute the point tmp = cofactor * owners_private_key ++ * * peer_public_key. ++ */ + if (EC_KEY_get_flags(ecdh) & EC_FLAG_COFACTOR_ECDH) { + if (!EC_GROUP_get_cofactor(group, x, NULL) || + !BN_mul(x, x, priv_key, ctx)) { +@@ -94,11 +103,20 @@ int ecdh_simple_compute_key(unsigned cha + goto err; + } + ++ /* ++ * Step(2) : If point tmp is at infinity then clear intermediate values and ++ * exit. Note: getting affine coordinates returns 0 if point is at infinity. ++ * Step(3a) : Get x-coordinate of point x = tmp.x ++ */ + if (!EC_POINT_get_affine_coordinates(group, tmp, x, NULL, ctx)) { + ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE); + goto err; + } + ++ /* ++ * Step(3b) : convert x to a byte string, using the field-element-to-byte ++ * string conversion routine defined in Appendix C.2 ++ */ + buflen = (EC_GROUP_get_degree(group) + 7) / 8; + len = BN_num_bytes(x); + if (len > buflen) { +@@ -123,6 +141,8 @@ int ecdh_simple_compute_key(unsigned cha + ret = 1; + + err: ++ /* Step(4) : Destroy all intermediate calculations */ ++ BN_clear(x); + EC_POINT_clear_free(tmp); + BN_CTX_end(ctx); + BN_CTX_free(ctx); +Index: openssl-1.1.1m/crypto/ec/ecdsa_ossl.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ecdsa_ossl.c ++++ openssl-1.1.1m/crypto/ec/ecdsa_ossl.c +@@ -104,7 +104,7 @@ static int ecdsa_sign_setup(EC_KEY *ecke + } + } + +- k = BN_new(); /* this value is later returned in *kinvp */ ++ k = BN_secure_new(); /* this value is later returned in *kinvp */ + r = BN_new(); /* this value is later returned in *rp */ + X = BN_new(); + if (k == NULL || r == NULL || X == NULL) { +Index: openssl-1.1.1m/crypto/ec/ec_key.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ec_key.c ++++ openssl-1.1.1m/crypto/ec/ec_key.c +@@ -244,61 +244,117 @@ int ossl_ec_key_gen(EC_KEY *eckey) + return eckey->group->meth->keygen(eckey); + } + ++/* ++ * ECC Key generation. ++ * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates" ++ * ++ * Params: ++ * eckey An EC key object that contains domain params. The generated keypair ++ * is stored in this object. ++ * Returns 1 if the keypair was generated or 0 otherwise. ++ */ + int ec_key_simple_generate_key(EC_KEY *eckey) + { + int ok = 0; +- BN_CTX *ctx = NULL; + BIGNUM *priv_key = NULL; + const BIGNUM *order = NULL; + EC_POINT *pub_key = NULL; +- +- if ((ctx = BN_CTX_new()) == NULL) +- goto err; ++ const EC_GROUP *group = eckey->group; + + if (eckey->priv_key == NULL) { +- priv_key = BN_new(); ++ priv_key = BN_secure_new(); + if (priv_key == NULL) + goto err; + } else + priv_key = eckey->priv_key; + +- order = EC_GROUP_get0_order(eckey->group); ++ /* ++ * Steps (1-2): Check domain parameters and security strength. ++ * These steps must be done by the user. This would need to be ++ * stated in the security policy. ++ */ ++ ++ order = EC_GROUP_get0_order(group); + if (order == NULL) + goto err; + ++ /* ++ * Steps (3-7): priv_key = DRBG_RAND(order_n_bits) (range [1, n-1]). ++ * Although this is slightly different from the standard, it is effectively ++ * equivalent as it gives an unbiased result ranging from 1..n-1. It is also ++ * faster as the standard needs to retry more often. Also doing ++ * 1 + rand[0..n-2] would effect the way that tests feed dummy entropy into ++ * rand so the simpler backward compatible method has been used here. ++ */ + do + if (!BN_priv_rand_range(priv_key, order)) + goto err; + while (BN_is_zero(priv_key)) ; + + if (eckey->pub_key == NULL) { +- pub_key = EC_POINT_new(eckey->group); ++ pub_key = EC_POINT_new(group); + if (pub_key == NULL) + goto err; + } else + pub_key = eckey->pub_key; + +- if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx)) ++ /* Step (8) : pub_key = priv_key * G (where G is a point on the curve) */ ++ if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, NULL)) + goto err; + +- eckey->priv_key = priv_key; + eckey->pub_key = pub_key; ++ pub_key = NULL; ++ ++ if (FIPS_mode()) { ++ eckey->priv_key = NULL; ++ if (EC_KEY_check_key(eckey) <= 0) { ++ eckey->pub_key = NULL; ++ goto err; ++ } ++ } ++ ++ eckey->priv_key = priv_key; ++ priv_key = NULL; + + ok = 1; + + err: +- if (eckey->pub_key == NULL) +- EC_POINT_free(pub_key); +- if (eckey->priv_key != priv_key) +- BN_free(priv_key); +- BN_CTX_free(ctx); ++ /* Step (9): If there is an error return an invalid keypair. */ ++ if (!ok) { ++ BN_clear(eckey->priv_key); ++ if (eckey->pub_key != NULL) ++ EC_POINT_set_to_infinity(group, eckey->pub_key); ++ } ++ ++ EC_POINT_free(pub_key); ++ BN_clear_free(priv_key); + return ok; + } + + int ec_key_simple_generate_public_key(EC_KEY *eckey) + { +- return EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL, ++ BIGNUM *priv_key; ++ ++ /* ++ * See SP800-56AR3 5.6.1.2.2: Step (8) ++ * pub_key = priv_key * G (where G is a point on the curve) ++ */ ++ int ret = EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL, + NULL, NULL); ++ ++ if (ret <= 0 || !FIPS_mode()) ++ return ret; ++ ++ /* no need to perform private key test, temporarily hide it */ ++ priv_key = eckey->priv_key; ++ eckey->priv_key = NULL; ++ ret = EC_KEY_check_key(eckey); ++ eckey->priv_key = priv_key; ++ ++ if (ret <= 0) ++ EC_POINT_set_to_infinity(eckey->group, eckey->pub_key); ++ ++ return ret; + } + + int EC_KEY_check_key(const EC_KEY *eckey) +@@ -316,47 +372,100 @@ int EC_KEY_check_key(const EC_KEY *eckey + return eckey->group->meth->keycheck(eckey); + } + +-int ec_key_simple_check_key(const EC_KEY *eckey) ++/* ++ * Check the range of the EC public key. ++ * See SP800-56A R3 Section 5.6.2.3.3 (Part 2) ++ * i.e. ++ * - If q = odd prime p: Verify that xQ and yQ are integers in the ++ * interval[0, p − 1], OR ++ * - If q = 2m: Verify that xQ and yQ are bit strings of length m bits. ++ * Returns 1 if the public key has a valid range, otherwise it returns 0. ++ */ ++static int ec_key_public_range_check(BN_CTX *ctx, const EC_KEY *key) + { +- int ok = 0; +- BN_CTX *ctx = NULL; +- const BIGNUM *order = NULL; ++ int ret = 0; ++ BIGNUM *x, *y; ++ ++ BN_CTX_start(ctx); ++ x = BN_CTX_get(ctx); ++ y = BN_CTX_get(ctx); ++ if (y == NULL) ++ goto err; ++ ++ if (!EC_POINT_get_affine_coordinates(key->group, key->pub_key, x, y, ctx)) ++ goto err; ++ ++ if (EC_METHOD_get_field_type(key->group->meth) == NID_X9_62_prime_field) { ++ if (BN_is_negative(x) ++ || BN_cmp(x, key->group->field) >= 0 ++ || BN_is_negative(y) ++ || BN_cmp(y, key->group->field) >= 0) { ++ goto err; ++ } ++ } else { ++ int m = EC_GROUP_get_degree(key->group); ++ if (BN_num_bits(x) > m || BN_num_bits(y) > m) { ++ goto err; ++ } ++ } ++ ret = 1; ++err: ++ BN_CTX_end(ctx); ++ return ret; ++} ++ ++/* ++ * ECC Key validation as specified in SP800-56A R3. ++ * Section 5.6.2.3.3 ECC Full Public-Key Validation. ++ */ ++int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) ++{ ++ int ret = 0; + EC_POINT *point = NULL; ++ const BIGNUM *order = NULL; + + if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER); ++ ECerr(0, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + ++ /* 5.6.2.3.3 (Step 1): Q != infinity */ + if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_POINT_AT_INFINITY); +- goto err; ++ ECerr(0, EC_R_POINT_AT_INFINITY); ++ return 0; + } + +- if ((ctx = BN_CTX_new()) == NULL) +- goto err; +- if ((point = EC_POINT_new(eckey->group)) == NULL) ++ point = EC_POINT_new(eckey->group); ++ if (point == NULL) ++ return 0; ++ ++ /* 5.6.2.3.3 (Step 2) Test if the public key is in range */ ++ if (!ec_key_public_range_check(ctx, eckey)) { ++ ECerr(0, EC_R_COORDINATES_OUT_OF_RANGE); + goto err; ++ } + +- /* testing whether the pub_key is on the elliptic curve */ ++ /* 5.6.2.3.3 (Step 3) is the pub_key on the elliptic curve */ + if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE); ++ ECerr(0, EC_R_POINT_IS_NOT_ON_CURVE); + goto err; + } +- /* testing whether pub_key * order is the point at infinity */ ++ + order = eckey->group->order; + if (BN_is_zero(order)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_INVALID_GROUP_ORDER); ++ ECerr(0, EC_R_INVALID_GROUP_ORDER); + goto err; + } ++ /* 5.6.2.3.3 (Step 4) : pub_key * order is the point at infinity. */ + if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, ERR_R_EC_LIB); ++ ECerr(0, ERR_R_EC_LIB); + goto err; + } + if (!EC_POINT_is_at_infinity(eckey->group, point)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_WRONG_ORDER); ++ ECerr(0, EC_R_WRONG_ORDER); + goto err; + } ++ + /* + * in case the priv_key is present : check if generator * priv_key == + * pub_key +@@ -376,10 +485,40 @@ int ec_key_simple_check_key(const EC_KEY + goto err; + } + } ++ ++ ret = 1; ++ err: ++ EC_POINT_free(point); ++ return ret; ++} ++ ++ ++/* ++ * ECC Key validation as specified in SP800-56A R3. ++ * Section 5.6.2.3.3 ECC Full Public-Key Validation ++ * NOTES: ++ * Before calling this method in fips mode, there should be an assurance that ++ * an approved elliptic-curve group is used. ++ * Returns 1 if the key is valid, otherwise it returns 0. ++ */ ++int ec_key_simple_check_key(const EC_KEY *eckey) ++{ ++ int ok = 0; ++ BN_CTX *ctx = NULL; ++ ++ if (eckey == NULL) { ++ ECerr(0, ERR_R_PASSED_NULL_PARAMETER); ++ return 0; ++ } ++ if ((ctx = BN_CTX_new()) == NULL) ++ return 0; ++ ++ if (!ec_key_public_check(eckey, ctx)) ++ goto err; ++ + ok = 1; + err: + BN_CTX_free(ctx); +- EC_POINT_free(point); + return ok; + } + +@@ -417,12 +556,10 @@ int EC_KEY_set_public_key_affine_coordin + goto err; + + /* +- * Check if retrieved coordinates match originals and are less than field +- * order: if not values are out of range. ++ * Check if retrieved coordinates match originals. The range check is done ++ * inside EC_KEY_check_key(). + */ +- if (BN_cmp(x, tx) || BN_cmp(y, ty) +- || (BN_cmp(x, key->group->field) >= 0) +- || (BN_cmp(y, key->group->field) >= 0)) { ++ if (BN_cmp(x, tx) || BN_cmp(y, ty)) { + ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, + EC_R_COORDINATES_OUT_OF_RANGE); + goto err; +Index: openssl-1.1.1m/crypto/ec/ec_local.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ec_local.h ++++ openssl-1.1.1m/crypto/ec/ec_local.h +@@ -610,6 +610,8 @@ int ec_key_simple_generate_key(EC_KEY *e + int ec_key_simple_generate_public_key(EC_KEY *eckey); + int ec_key_simple_check_key(const EC_KEY *eckey); + ++int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx); ++ + int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx); + + /* EC_METHOD definitions */ +Index: openssl-1.1.1m/crypto/ec/ec_lib.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ec_lib.c ++++ openssl-1.1.1m/crypto/ec/ec_lib.c +@@ -454,6 +454,11 @@ int EC_GROUP_get_curve_name(const EC_GRO + return group->curve_name; + } + ++const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group) ++{ ++ return group->field; ++} ++ + void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag) + { + group->asn1_flag = flag; +Index: openssl-1.1.1m/crypto/evp/p_lib.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/evp/p_lib.c ++++ openssl-1.1.1m/crypto/evp/p_lib.c +@@ -545,7 +545,8 @@ EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *p + + int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) + { +- int type = DH_get0_q(key) == NULL ? EVP_PKEY_DH : EVP_PKEY_DHX; ++ int type = DH_get0_q(key) == NULL || DH_get_nid(key) != NID_undef ? ++ EVP_PKEY_DH : EVP_PKEY_DHX; + int ret = EVP_PKEY_assign(pkey, type, key); + + if (ret) +Index: openssl-1.1.1m/include/crypto/bn_dh.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/bn_dh.h ++++ openssl-1.1.1m/include/crypto/bn_dh.h +@@ -9,16 +9,35 @@ + + #define declare_dh_bn(x) \ + extern const BIGNUM _bignum_dh##x##_p; \ ++ extern const BIGNUM _bignum_dh##x##_q; \ + extern const BIGNUM _bignum_dh##x##_g; \ +- extern const BIGNUM _bignum_dh##x##_q; + + declare_dh_bn(1024_160) + declare_dh_bn(2048_224) + declare_dh_bn(2048_256) + ++extern const BIGNUM _bignum_const_2; ++ + extern const BIGNUM _bignum_ffdhe2048_p; + extern const BIGNUM _bignum_ffdhe3072_p; + extern const BIGNUM _bignum_ffdhe4096_p; + extern const BIGNUM _bignum_ffdhe6144_p; + extern const BIGNUM _bignum_ffdhe8192_p; +-extern const BIGNUM _bignum_const_2; ++extern const BIGNUM _bignum_ffdhe2048_q; ++extern const BIGNUM _bignum_ffdhe3072_q; ++extern const BIGNUM _bignum_ffdhe4096_q; ++extern const BIGNUM _bignum_ffdhe6144_q; ++extern const BIGNUM _bignum_ffdhe8192_q; ++ ++extern const BIGNUM _bignum_modp_1536_p; ++extern const BIGNUM _bignum_modp_2048_p; ++extern const BIGNUM _bignum_modp_3072_p; ++extern const BIGNUM _bignum_modp_4096_p; ++extern const BIGNUM _bignum_modp_6144_p; ++extern const BIGNUM _bignum_modp_8192_p; ++extern const BIGNUM _bignum_modp_1536_q; ++extern const BIGNUM _bignum_modp_2048_q; ++extern const BIGNUM _bignum_modp_3072_q; ++extern const BIGNUM _bignum_modp_4096_q; ++extern const BIGNUM _bignum_modp_6144_q; ++extern const BIGNUM _bignum_modp_8192_q; +Index: openssl-1.1.1m/crypto/objects/obj_dat.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/objects/obj_dat.h ++++ openssl-1.1.1m/crypto/objects/obj_dat.h +@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ + }; + +-#define NUM_NID 1196 ++#define NUM_NID 1202 + static const ASN1_OBJECT nid_objs[NUM_NID] = { + {"UNDEF", "undefined", NID_undef}, + {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, +@@ -2276,9 +2276,15 @@ static const ASN1_OBJECT nid_objs[NUM_NI + {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, + {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, + {"SSHKDF", "sshkdf", NID_sshkdf}, ++ {"modp_1536", "modp_1536", NID_modp_1536}, ++ {"modp_2048", "modp_2048", NID_modp_2048}, ++ {"modp_3072", "modp_3072", NID_modp_3072}, ++ {"modp_4096", "modp_4096", NID_modp_4096}, ++ {"modp_6144", "modp_6144", NID_modp_6144}, ++ {"modp_8192", "modp_8192", NID_modp_8192}, + }; + +-#define NUM_SN 1187 ++#define NUM_SN 1193 + static const unsigned int sn_objs[NUM_SN] = { + 364, /* "AD_DVCS" */ + 419, /* "AES-128-CBC" */ +@@ -3121,6 +3127,12 @@ static const unsigned int sn_objs[NUM_SN + 506, /* "mime-mhs-bodies" */ + 505, /* "mime-mhs-headings" */ + 488, /* "mobileTelephoneNumber" */ ++ 1196, /* "modp_1536" */ ++ 1197, /* "modp_2048" */ ++ 1198, /* "modp_3072" */ ++ 1199, /* "modp_4096" */ ++ 1200, /* "modp_6144" */ ++ 1201, /* "modp_8192" */ + 136, /* "msCTLSign" */ + 135, /* "msCodeCom" */ + 134, /* "msCodeInd" */ +@@ -3469,7 +3481,7 @@ static const unsigned int sn_objs[NUM_SN + 1093, /* "x509ExtAdmission" */ + }; + +-#define NUM_LN 1187 ++#define NUM_LN 1193 + static const unsigned int ln_objs[NUM_LN] = { + 363, /* "AD Time Stamping" */ + 405, /* "ANSI X9.62" */ +@@ -4305,6 +4317,12 @@ static const unsigned int ln_objs[NUM_LN + 506, /* "mime-mhs-bodies" */ + 505, /* "mime-mhs-headings" */ + 488, /* "mobileTelephoneNumber" */ ++ 1196, /* "modp_1536" */ ++ 1197, /* "modp_2048" */ ++ 1198, /* "modp_3072" */ ++ 1199, /* "modp_4096" */ ++ 1200, /* "modp_6144" */ ++ 1201, /* "modp_8192" */ + 481, /* "nSRecord" */ + 173, /* "name" */ + 681, /* "onBasis" */ +Index: openssl-1.1.1m/crypto/objects/objects.txt +=================================================================== +--- openssl-1.1.1m.orig/crypto/objects/objects.txt ++++ openssl-1.1.1m/crypto/objects/objects.txt +@@ -1648,6 +1648,13 @@ id-pkinit 5 : pkInit + : ffdhe4096 + : ffdhe6144 + : ffdhe8192 ++# NIDs for RFC3526 DH parameters ++ : modp_1536 ++ : modp_2048 ++ : modp_3072 ++ : modp_4096 ++ : modp_6144 ++ : modp_8192 + + # OIDs for DSTU-4145/DSTU-7564 (http://zakon2.rada.gov.ua/laws/show/z0423-17) + +Index: openssl-1.1.1m/crypto/objects/obj_mac.num +=================================================================== +--- openssl-1.1.1m.orig/crypto/objects/obj_mac.num ++++ openssl-1.1.1m/crypto/objects/obj_mac.num +@@ -1193,3 +1193,9 @@ magma_mac 1192 + hmacWithSHA512_224 1193 + hmacWithSHA512_256 1194 + sshkdf 1195 ++modp_1536 1196 ++modp_2048 1197 ++modp_3072 1198 ++modp_4096 1199 ++modp_6144 1200 ++modp_8192 1201 +Index: openssl-1.1.1m/doc/man3/DH_new_by_nid.pod +=================================================================== +--- openssl-1.1.1m.orig/doc/man3/DH_new_by_nid.pod ++++ openssl-1.1.1m/doc/man3/DH_new_by_nid.pod +@@ -8,13 +8,15 @@ DH_new_by_nid, DH_get_nid - get or find + + #include + DH *DH_new_by_nid(int nid); +- int *DH_get_nid(const DH *dh); ++ int DH_get_nid(const DH *dh); + + =head1 DESCRIPTION + + DH_new_by_nid() creates and returns a DH structure containing named parameters + B. Currently B must be B, B, +-B, B or B. ++B, B, B, ++B, B, B, ++B, B or B. + + DH_get_nid() determines if the parameters contained in B match + any named set. It returns the NID corresponding to the matching parameters or +Index: openssl-1.1.1m/doc/man3/EVP_PKEY_CTX_ctrl.pod +=================================================================== +--- openssl-1.1.1m.orig/doc/man3/EVP_PKEY_CTX_ctrl.pod ++++ openssl-1.1.1m/doc/man3/EVP_PKEY_CTX_ctrl.pod +@@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets + If B is zero (the default) then no padding is performed. + + EVP_PKEY_CTX_set_dh_nid() sets the DH parameters to values corresponding to +-B as defined in RFC7919. The B parameter must be B, +-B, B, B, B +-or B to clear the stored value. This macro can be called during +-parameter or key generation. ++I as defined in RFC7919 or RFC3526. The I parameter must be ++B, B, B, B, ++B, B, B, B, ++B, B, B or B to clear ++the stored value. This macro can be called during parameter or key generation. + The nid parameter and the rfc5114 parameter are mutually exclusive. + + The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are +Index: openssl-1.1.1m/include/openssl/ec.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/ec.h ++++ openssl-1.1.1m/include/openssl/ec.h +@@ -212,6 +212,12 @@ void EC_GROUP_set_curve_name(EC_GROUP *g + */ + int EC_GROUP_get_curve_name(const EC_GROUP *group); + ++/** Gets the field of an EC_GROUP ++ * \param group EC_GROUP object ++ * \return the group field ++ */ ++const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group); ++ + void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag); + int EC_GROUP_get_asn1_flag(const EC_GROUP *group); + +Index: openssl-1.1.1m/include/openssl/obj_mac.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/obj_mac.h ++++ openssl-1.1.1m/include/openssl/obj_mac.h +@@ -5103,6 +5103,24 @@ + #define SN_ffdhe8192 "ffdhe8192" + #define NID_ffdhe8192 1130 + ++#define SN_modp_1536 "modp_1536" ++#define NID_modp_1536 1196 ++ ++#define SN_modp_2048 "modp_2048" ++#define NID_modp_2048 1197 ++ ++#define SN_modp_3072 "modp_3072" ++#define NID_modp_3072 1198 ++ ++#define SN_modp_4096 "modp_4096" ++#define NID_modp_4096 1199 ++ ++#define SN_modp_6144 "modp_6144" ++#define NID_modp_6144 1200 ++ ++#define SN_modp_8192 "modp_8192" ++#define NID_modp_8192 1201 ++ + #define SN_ISO_UA "ISO-UA" + #define NID_ISO_UA 1150 + #define OBJ_ISO_UA OBJ_member_body,804L +Index: openssl-1.1.1m/ssl/s3_lib.c +=================================================================== +--- openssl-1.1.1m.orig/ssl/s3_lib.c ++++ openssl-1.1.1m/ssl/s3_lib.c +@@ -4846,13 +4846,51 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey + EVP_PKEY *ssl_dh_to_pkey(DH *dh) + { + EVP_PKEY *ret; ++ DH *dhp = NULL; ++ + if (dh == NULL) + return NULL; ++ ++ if (FIPS_mode() && DH_get_nid(dh) == NID_undef) { ++ int bits = DH_bits(dh); ++ BIGNUM *p, *g; ++ ++ dhp = DH_new(); ++ if (dhp == NULL) ++ return NULL; ++ g = BN_new(); ++ if (g == NULL || !BN_set_word(g, 2)) { ++ DH_free(dhp); ++ BN_free(g); ++ return NULL; ++ } ++ ++ if (bits >= 7000) ++ p = BN_get_rfc3526_prime_8192(NULL); ++ else if (bits >= 5000) ++ p = BN_get_rfc3526_prime_6144(NULL); ++ else if (bits >= 3800) ++ p = BN_get_rfc3526_prime_4096(NULL); ++ else if (bits >= 2500) ++ p = BN_get_rfc3526_prime_3072(NULL); ++ else ++ p = BN_get_rfc3526_prime_2048(NULL); ++ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { ++ DH_free(dhp); ++ BN_free(p); ++ BN_free(g); ++ return NULL; ++ } ++ dh = dhp; ++ } ++ + ret = EVP_PKEY_new(); + if (EVP_PKEY_set1_DH(ret, dh) <= 0) { ++ DH_free(dhp); + EVP_PKEY_free(ret); + return NULL; + } ++ DH_free(dhp); + return ret; + } + #endif +Index: openssl-1.1.1m/test/ectest.c +=================================================================== +--- openssl-1.1.1m.orig/test/ectest.c ++++ openssl-1.1.1m/test/ectest.c +@@ -1208,6 +1208,42 @@ static int internal_curve_test_method(in + return r; + } + ++static int group_field_test(void) ++{ ++ int r = 1; ++ BIGNUM *secp521r1_field = NULL; ++ BIGNUM *sect163r2_field = NULL; ++ EC_GROUP *secp521r1_group = NULL; ++ EC_GROUP *sect163r2_group = NULL; ++ ++ BN_hex2bn(&secp521r1_field, ++ "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFF"); ++ ++ BN_hex2bn(§163r2_field, ++ "08000000000000000000000000000000" ++ "00000000C9"); ++ ++ secp521r1_group = EC_GROUP_new_by_curve_name(NID_secp521r1); ++ if (BN_cmp(secp521r1_field, EC_GROUP_get0_field(secp521r1_group))) ++ r = 0; ++ ++ # ifndef OPENSSL_NO_EC2M ++ sect163r2_group = EC_GROUP_new_by_curve_name(NID_sect163r2); ++ if (BN_cmp(sect163r2_field, EC_GROUP_get0_field(sect163r2_group))) ++ r = 0; ++ # endif ++ ++ EC_GROUP_free(secp521r1_group); ++ EC_GROUP_free(sect163r2_group); ++ BN_free(secp521r1_field); ++ BN_free(sect163r2_field); ++ return r; ++} ++ + # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 + /* + * nistp_test_params contains magic numbers for testing our optimized +@@ -1876,6 +1912,61 @@ err: + return r; + } + ++static int check_ec_key_field_public_range_test(int id) ++{ ++ int ret = 0, type = 0; ++ const EC_POINT *pub = NULL; ++ const EC_GROUP *group = NULL; ++ const EC_METHOD *meth = NULL; ++ const BIGNUM *field = NULL; ++ BIGNUM *x = NULL, *y = NULL; ++ EC_KEY *key = NULL; ++ ++ if (!(TEST_ptr(x = BN_new()) ++ && TEST_ptr(y = BN_new()) ++ && TEST_ptr(key = EC_KEY_new_by_curve_name(curves[id].nid)) ++ && TEST_ptr(group = EC_KEY_get0_group(key)) ++ && TEST_ptr(meth = EC_GROUP_method_of(group)) ++ && TEST_ptr(field = EC_GROUP_get0_field(group)) ++ && TEST_int_gt(EC_KEY_generate_key(key), 0) ++ && TEST_int_gt(EC_KEY_check_key(key), 0) ++ && TEST_ptr(pub = EC_KEY_get0_public_key(key)) ++ && TEST_int_gt(EC_POINT_get_affine_coordinates(group, pub, x, y, ++ NULL), 0))) ++ goto err; ++ ++ /* ++ * Make the public point out of range by adding the field (which will still ++ * be the same point on the curve). The add is different for char2 fields. ++ */ ++ type = EC_METHOD_get_field_type(meth); ++#ifndef OPENSSL_NO_EC2M ++ if (type == NID_X9_62_characteristic_two_field) { ++ /* test for binary curves */ ++ if (!TEST_true(BN_GF2m_add(x, x, field))) ++ goto err; ++ } else ++#endif ++ if (type == NID_X9_62_prime_field) { ++ /* test for prime curves */ ++ if (!TEST_true(BN_add(x, x, field))) ++ goto err; ++ } else { ++ /* this should never happen */ ++ TEST_error("Unsupported EC_METHOD field_type"); ++ goto err; ++ } ++ if (!TEST_int_le(EC_KEY_set_public_key_affine_coordinates(key, x, y), 0)) ++ goto err; ++ ++ ret = 1; ++err: ++ BN_free(x); ++ BN_free(y); ++ EC_KEY_free(key); ++ return ret; ++} ++ + /*- + * random 256-bit explicit parameters curve, cofactor absent + * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit) +@@ -2254,8 +2345,10 @@ int setup_tests(void) + # endif + ADD_ALL_TESTS(internal_curve_test, crv_len); + ADD_ALL_TESTS(internal_curve_test_method, crv_len); ++ ADD_TEST(group_field_test); + + ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len); ++ ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len); + ADD_ALL_TESTS(ec_point_hex2point_test, crv_len); + ADD_ALL_TESTS(custom_generator_test, crv_len); + #endif /* OPENSSL_NO_EC */ +Index: openssl-1.1.1m/crypto/ec/ec_kmeth.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ec_kmeth.c ++++ openssl-1.1.1m/crypto/ec/ec_kmeth.c +@@ -148,6 +148,14 @@ int ECDH_compute_key(void *out, size_t o + outlen = seclen; + memcpy(out, sec, outlen); + } ++ ++ if (FIPS_mode()) { ++ if (EC_KEY_check_key(eckey) <= 0) { ++ EC_POINT_set_to_infinity(eckey->group, eckey->pub_key); ++ return 0; ++ } ++ } ++ + OPENSSL_clear_free(sec, seclen); + return outlen; + } +Index: openssl-1.1.1m/ssl/t1_lib.c +=================================================================== +--- openssl-1.1.1m.orig/ssl/t1_lib.c ++++ openssl-1.1.1m/ssl/t1_lib.c +@@ -2479,7 +2479,7 @@ DH *ssl_get_auto_dh(SSL *s) + p = BN_get_rfc3526_prime_4096(NULL); + else if (dh_secbits >= 128) + p = BN_get_rfc3526_prime_3072(NULL); +- else if (dh_secbits >= 112) ++ else if (dh_secbits >= 112 || FIPS_mode()) + p = BN_get_rfc3526_prime_2048(NULL); + else + p = BN_get_rfc2409_prime_1024(NULL); diff --git a/openssl-FIPS-KAT-before-integrity-tests.patch b/openssl-FIPS-KAT-before-integrity-tests.patch new file mode 100644 index 0000000..3f3a93f --- /dev/null +++ b/openssl-FIPS-KAT-before-integrity-tests.patch @@ -0,0 +1,26 @@ +Index: openssl-1.1.1l/crypto/fips/fips.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips.c ++++ openssl-1.1.1l/crypto/fips/fips.c +@@ -453,15 +453,17 @@ int FIPS_module_mode_set(int onoff) + + fips_post = 1; + +- if (!verify_checksums()) { +- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, +- FIPS_R_FINGERPRINT_DOES_NOT_MATCH); ++ /* Run the KATs before the HMAC verification for FIPS 140-3 compliance */ ++ if (!FIPS_selftest()) { + fips_selftest_fail = 1; + ret = 0; + goto end; + } + +- if (!FIPS_selftest()) { ++ /* Run the HMAC verification after the KATs for FIPS 140-3 compliance */ ++ if (!verify_checksums()) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; + ret = 0; + goto end; diff --git a/openssl-add_rfc3526_rfc7919.patch b/openssl-add_rfc3526_rfc7919.patch deleted file mode 100644 index cd78c5b..0000000 --- a/openssl-add_rfc3526_rfc7919.patch +++ /dev/null @@ -1,726 +0,0 @@ -diff --git a/crypto/bn/bn_dh.c b/crypto/bn/bn_dh.c -index 58c44f0..1094716 100644 ---- a/crypto/bn/bn_dh.c -+++ b/crypto/bn/bn_dh.c -@@ -13,6 +13,488 @@ - #ifndef OPENSSL_NO_DH - #include - #include "crypto/bn_dh.h" -+ -+# if BN_BITS2 == 64 -+# define BN_DEF(lo, hi) (BN_ULONG)hi << 32 | lo -+# else -+# define BN_DEF(lo, hi) lo, hi -+# endif -+ -+/* DH parameters from RFC3526 */ -+ -+/* -+ * "1536-bit MODP Group" from RFC3526, Section 2. -+ * -+ * The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } -+ * -+ * RFC3526 specifies a generator of 2. -+ * RFC2412 specifies a generator of 22. -+ */ -+static const BN_ULONG modp_1536_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCA237327, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_1536_q[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6511B993, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF) -+}; -+ -+/*- -+ * "2048-bit MODP Group" from RFC3526, Section 3. -+ * -+ * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_2048_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x8AACAA68, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_2048_q[] = { -+ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x45565534, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), -+}; -+ -+/*- -+ * "3072-bit MODP Group" from RFC3526, Section 4. -+ * -+ * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_3072_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xA93AD2CA, 0x4B82D120), -+ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), -+ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), -+ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), -+ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), -+ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), -+ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), -+ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), -+ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_3072_q[] = { -+ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x549D6965, 0x25C16890), -+ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), -+ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), -+ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), -+ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), -+ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), -+ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), -+ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), -+ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), -+}; -+ -+/*- -+ * "4096-bit MODP Group" from RFC3526, Section 5. -+ * -+ * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_4096_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x34063199, 0x4DF435C9), -+ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), -+ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), -+ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), -+ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), -+ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), -+ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), -+ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), -+ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), -+ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), -+ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), -+ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), -+ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), -+ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), -+ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), -+ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), -+ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_4096_q[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x9A0318CC, 0xA6FA1AE4), -+ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), -+ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), -+ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), -+ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), -+ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), -+ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), -+ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), -+ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), -+ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), -+ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), -+ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), -+ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), -+ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), -+ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), -+ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), -+ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), -+}; -+ -+/*- -+ * "6144-bit MODP Group" from RFC3526, Section 6. -+ * -+ * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_6144_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6DCC4024, 0xE694F91E), -+ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), -+ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), -+ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), -+ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), -+ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), -+ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), -+ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), -+ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), -+ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), -+ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), -+ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), -+ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), -+ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), -+ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406), -+ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), -+ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), -+ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), -+ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), -+ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), -+ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), -+ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), -+ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), -+ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), -+ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), -+ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), -+ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), -+ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), -+ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), -+ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), -+ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), -+ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), -+ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_6144_q[] = { -+ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x36E62012, 0x734A7C8F), -+ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), -+ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), -+ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), -+ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), -+ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), -+ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), -+ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), -+ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), -+ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), -+ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), -+ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), -+ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), -+ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), -+ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), -+ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), -+ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), -+ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), -+ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), -+ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), -+ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), -+ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), -+ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), -+ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), -+ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), -+ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), -+ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), -+ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), -+ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), -+ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), -+ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), -+ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), -+ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), -+}; -+ -+/* -+ * "8192-bit MODP Group" from RFC3526, Section 7. -+ * -+ * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_8192_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x98EDD3DF, 0x60C980DD), -+ BN_DEF(0x80B96E71, 0xC81F56E8), BN_DEF(0x765694DF, 0x9E3050E2), -+ BN_DEF(0x5677E9AA, 0x9558E447), BN_DEF(0xFC026E47, 0xC9190DA6), -+ BN_DEF(0xD5EE382B, 0x889A002E), BN_DEF(0x481C6CD7, 0x4009438B), -+ BN_DEF(0xEB879F92, 0x359046F4), BN_DEF(0x1ECFA268, 0xFAF36BC3), -+ BN_DEF(0x7EE74D73, 0xB1D510BD), BN_DEF(0x5DED7EA1, 0xF9AB4819), -+ BN_DEF(0x0846851D, 0x64F31CC5), BN_DEF(0xA0255DC1, 0x4597E899), -+ BN_DEF(0x74AB6A36, 0xDF310EE0), BN_DEF(0x3F44F82D, 0x6D2A13F8), -+ BN_DEF(0xB3A278A6, 0x062B3CF5), BN_DEF(0xED5BDD3A, 0x79683303), -+ BN_DEF(0xA2C087E8, 0xFA9D4B7F), BN_DEF(0x2F8385DD, 0x4BCBC886), -+ BN_DEF(0x6CEA306B, 0x3473FC64), BN_DEF(0x1A23F0C7, 0x13EB57A8), -+ BN_DEF(0xA4037C07, 0x22222E04), BN_DEF(0xFC848AD9, 0xE3FDB8BE), -+ BN_DEF(0xE39D652D, 0x238F16CB), BN_DEF(0x2BF1C978, 0x3423B474), -+ BN_DEF(0x5AE4F568, 0x3AAB639C), BN_DEF(0x6BA42466, 0x2576F693), -+ BN_DEF(0x8AFC47ED, 0x741FA7BF), BN_DEF(0x8D9DD300, 0x3BC832B6), -+ BN_DEF(0x73B931BA, 0xD8BEC4D0), BN_DEF(0xA932DF8C, 0x38777CB6), -+ BN_DEF(0x12FEE5E4, 0x74A3926F), BN_DEF(0x6DBE1159, 0xE694F91E), -+ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), -+ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), -+ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), -+ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), -+ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), -+ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), -+ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), -+ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), -+ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), -+ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), -+ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), -+ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), -+ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), -+ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406), -+ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), -+ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), -+ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), -+ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), -+ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), -+ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), -+ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), -+ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), -+ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), -+ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), -+ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), -+ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), -+ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), -+ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), -+ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), -+ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), -+ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), -+ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_8192_q[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCC76E9EF, 0xB064C06E), -+ BN_DEF(0x405CB738, 0xE40FAB74), BN_DEF(0x3B2B4A6F, 0x4F182871), -+ BN_DEF(0xAB3BF4D5, 0xCAAC7223), BN_DEF(0x7E013723, 0xE48C86D3), -+ BN_DEF(0x6AF71C15, 0xC44D0017), BN_DEF(0xA40E366B, 0x2004A1C5), -+ BN_DEF(0x75C3CFC9, 0x1AC8237A), BN_DEF(0x8F67D134, 0xFD79B5E1), -+ BN_DEF(0xBF73A6B9, 0xD8EA885E), BN_DEF(0xAEF6BF50, 0xFCD5A40C), -+ BN_DEF(0x8423428E, 0xB2798E62), BN_DEF(0xD012AEE0, 0x22CBF44C), -+ BN_DEF(0x3A55B51B, 0xEF988770), BN_DEF(0x1FA27C16, 0x369509FC), -+ BN_DEF(0xD9D13C53, 0x03159E7A), BN_DEF(0xF6ADEE9D, 0x3CB41981), -+ BN_DEF(0xD16043F4, 0xFD4EA5BF), BN_DEF(0x17C1C2EE, 0xA5E5E443), -+ BN_DEF(0x36751835, 0x9A39FE32), BN_DEF(0x0D11F863, 0x89F5ABD4), -+ BN_DEF(0x5201BE03, 0x91111702), BN_DEF(0x7E42456C, 0xF1FEDC5F), -+ BN_DEF(0xF1CEB296, 0x11C78B65), BN_DEF(0x15F8E4BC, 0x1A11DA3A), -+ BN_DEF(0x2D727AB4, 0x1D55B1CE), BN_DEF(0xB5D21233, 0x92BB7B49), -+ BN_DEF(0xC57E23F6, 0x3A0FD3DF), BN_DEF(0x46CEE980, 0x1DE4195B), -+ BN_DEF(0x39DC98DD, 0x6C5F6268), BN_DEF(0x54996FC6, 0x1C3BBE5B), -+ BN_DEF(0x897F72F2, 0xBA51C937), BN_DEF(0x36DF08AC, 0x734A7C8F), -+ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), -+ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), -+ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), -+ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), -+ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), -+ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), -+ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), -+ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), -+ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), -+ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), -+ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), -+ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), -+ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), -+ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), -+ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), -+ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), -+ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), -+ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), -+ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), -+ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), -+ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), -+ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), -+ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), -+ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), -+ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), -+ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), -+ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), -+ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), -+ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), -+ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), -+ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), -+ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), -+}; -+ -+ -+ - /* DH parameters from RFC5114 */ - - # if BN_BITS2 == 64 -@@ -508,5 +990,17 @@ make_dh_bn(ffdhe4096_p) - make_dh_bn(ffdhe6144_p) - make_dh_bn(ffdhe8192_p) - -+make_dh_bn(modp_1536_p) -+make_dh_bn(modp_1536_q) -+make_dh_bn(modp_2048_p) -+make_dh_bn(modp_2048_q) -+make_dh_bn(modp_3072_p) -+make_dh_bn(modp_3072_q) -+make_dh_bn(modp_4096_p) -+make_dh_bn(modp_4096_q) -+make_dh_bn(modp_6144_p) -+make_dh_bn(modp_6144_q) -+make_dh_bn(modp_8192_p) -+make_dh_bn(modp_8192_q) - - #endif -diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c -index e0805e7..261c8a1 100644 ---- a/crypto/dh/dh_pmeth.c -+++ b/crypto/dh/dh_pmeth.c -@@ -351,6 +351,10 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) - return 1; - } - -+ /* -+ * Look for a safe prime group for key establishment. Which uses -+ * either RFC_3526 (modp_XXXX) or RFC_7919 (ffdheXXXX). -+ */ - if (dctx->param_nid != 0) { - if ((dh = DH_new_by_nid(dctx->param_nid)) == NULL) - return 0; -diff --git a/crypto/dh/dh_rfc7919.c b/crypto/dh/dh_rfc7919.c -index 03d30a1..f339bd9 100644 ---- a/crypto/dh/dh_rfc7919.c -+++ b/crypto/dh/dh_rfc7919.c -@@ -38,6 +38,18 @@ DH *DH_new_by_nid(int nid) - return dh_param_init(&_bignum_ffdhe6144_p, 375); - case NID_ffdhe8192: - return dh_param_init(&_bignum_ffdhe8192_p, 400); -+ case NID_modp_1536: -+ return dh_param_init(&_bignum_modp_1536_p, 175); -+ case NID_modp_2048: -+ return dh_param_init(&_bignum_modp_2048_p, 225); -+ case NID_modp_3072: -+ return dh_param_init(&_bignum_modp_3072_p, 275); -+ case NID_modp_4096: -+ return dh_param_init(&_bignum_modp_4096_p, 325); -+ case NID_modp_6144: -+ return dh_param_init(&_bignum_modp_6144_p, 375); -+ case NID_modp_8192: -+ return dh_param_init(&_bignum_modp_8192_p, 400); - default: - DHerr(DH_F_DH_NEW_BY_NID, DH_R_INVALID_PARAMETER_NID); - return NULL; -@@ -60,6 +72,18 @@ int DH_get_nid(const DH *dh) - nid = NID_ffdhe6144; - else if (!BN_cmp(dh->p, &_bignum_ffdhe8192_p)) - nid = NID_ffdhe8192; -+ else if (!BN_cmp(dh->p, &_bignum_modp_1536_p)) -+ nid = NID_modp_1536; -+ else if (!BN_cmp(dh->p, &_bignum_modp_2048_p)) -+ nid = NID_modp_2048; -+ else if (!BN_cmp(dh->p, &_bignum_modp_3072_p)) -+ nid = NID_modp_3072; -+ else if (!BN_cmp(dh->p, &_bignum_modp_4096_p)) -+ nid = NID_modp_4096; -+ else if (!BN_cmp(dh->p, &_bignum_modp_6144_p)) -+ nid = NID_modp_6144; -+ else if (!BN_cmp(dh->p, &_bignum_modp_8192_p)) -+ nid = NID_modp_8192; - else - return NID_undef; - if (dh->q != NULL) { -diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h -index 12ca5ec..2fbd9a9 100644 ---- a/crypto/objects/obj_dat.h -+++ b/crypto/objects/obj_dat.h -@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { - 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ - }; - --#define NUM_NID 1196 -+#define NUM_NID 1202 - static const ASN1_OBJECT nid_objs[NUM_NID] = { - {"UNDEF", "undefined", NID_undef}, - {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, -@@ -2276,9 +2276,15 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { - {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, - {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, - {"SSHKDF", "sshkdf", NID_sshkdf}, -+ {"modp_1536", "modp_1536", NID_modp_1536}, -+ {"modp_2048", "modp_2048", NID_modp_2048}, -+ {"modp_3072", "modp_3072", NID_modp_3072}, -+ {"modp_4096", "modp_4096", NID_modp_4096}, -+ {"modp_6144", "modp_6144", NID_modp_6144}, -+ {"modp_8192", "modp_8192", NID_modp_8192}, - }; - --#define NUM_SN 1187 -+#define NUM_SN 1193 - static const unsigned int sn_objs[NUM_SN] = { - 364, /* "AD_DVCS" */ - 419, /* "AES-128-CBC" */ -@@ -3121,6 +3127,12 @@ static const unsigned int sn_objs[NUM_SN] = { - 506, /* "mime-mhs-bodies" */ - 505, /* "mime-mhs-headings" */ - 488, /* "mobileTelephoneNumber" */ -+ 1196, /* "modp_1536" */ -+ 1197, /* "modp_2048" */ -+ 1198, /* "modp_3072" */ -+ 1199, /* "modp_4096" */ -+ 1200, /* "modp_6144" */ -+ 1201, /* "modp_8192" */ - 136, /* "msCTLSign" */ - 135, /* "msCodeCom" */ - 134, /* "msCodeInd" */ -@@ -3469,7 +3481,7 @@ static const unsigned int sn_objs[NUM_SN] = { - 1093, /* "x509ExtAdmission" */ - }; - --#define NUM_LN 1187 -+#define NUM_LN 1193 - static const unsigned int ln_objs[NUM_LN] = { - 363, /* "AD Time Stamping" */ - 405, /* "ANSI X9.62" */ -@@ -4305,6 +4317,12 @@ static const unsigned int ln_objs[NUM_LN] = { - 506, /* "mime-mhs-bodies" */ - 505, /* "mime-mhs-headings" */ - 488, /* "mobileTelephoneNumber" */ -+ 1196, /* "modp_1536" */ -+ 1197, /* "modp_2048" */ -+ 1198, /* "modp_3072" */ -+ 1199, /* "modp_4096" */ -+ 1200, /* "modp_6144" */ -+ 1201, /* "modp_8192" */ - 481, /* "nSRecord" */ - 173, /* "name" */ - 681, /* "onBasis" */ -diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num -index 231c183..7ee5912 100644 ---- a/crypto/objects/obj_mac.num -+++ b/crypto/objects/obj_mac.num -@@ -1193,3 +1193,9 @@ magma_mac 1192 - hmacWithSHA512_224 1193 - hmacWithSHA512_256 1194 - sshkdf 1195 -+modp_1536 1196 -+modp_2048 1197 -+modp_3072 1198 -+modp_4096 1199 -+modp_6144 1200 -+modp_8192 1201 -diff --git a/doc/man3/DH_new_by_nid.pod b/doc/man3/DH_new_by_nid.pod -index 73636c5..fcea642 100644 ---- a/doc/man3/DH_new_by_nid.pod -+++ b/doc/man3/DH_new_by_nid.pod -@@ -14,7 +14,9 @@ DH_new_by_nid, DH_get_nid - get or find DH named parameters - - DH_new_by_nid() creates and returns a DH structure containing named parameters - B. Currently B must be B, B, --B, B or B. -+B, B or B, -+B, B, B, -+B, B or B. - - DH_get_nid() determines if the parameters contained in B match - any named set. It returns the NID corresponding to the matching parameters or -diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod -index e475316..9c695b9 100644 ---- a/doc/man3/EVP_PKEY_CTX_ctrl.pod -+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod -@@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets the DH padding mode. If B is - If B is zero (the default) then no padding is performed. - - EVP_PKEY_CTX_set_dh_nid() sets the DH parameters to values corresponding to --B as defined in RFC7919. The B parameter must be B, --B, B, B, B --or B to clear the stored value. This macro can be called during --parameter or key generation. -+I as defined in RFC7919 or RFC3526. The I parameter must be -+B, B, B, B, -+B, B, B, B, -+B, B, B or B to clear -+the stored value. This function can be called during parameter or key generation. - The nid parameter and the rfc5114 parameter are mutually exclusive. - - The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are -diff --git a/include/crypto/bn_dh.h b/include/crypto/bn_dh.h -index 70ebca2..5cb83d0 100644 ---- a/include/crypto/bn_dh.h -+++ b/include/crypto/bn_dh.h -@@ -22,3 +22,10 @@ extern const BIGNUM _bignum_ffdhe4096_p; - extern const BIGNUM _bignum_ffdhe6144_p; - extern const BIGNUM _bignum_ffdhe8192_p; - extern const BIGNUM _bignum_const_2; -+ -+extern const BIGNUM _bignum_modp_1536_p; -+extern const BIGNUM _bignum_modp_2048_p; -+extern const BIGNUM _bignum_modp_3072_p; -+extern const BIGNUM _bignum_modp_4096_p; -+extern const BIGNUM _bignum_modp_6144_p; -+extern const BIGNUM _bignum_modp_8192_p; -diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h -index 4616eaf..cfaedf5 100644 ---- a/include/openssl/obj_mac.h -+++ b/include/openssl/obj_mac.h -@@ -5103,6 +5103,24 @@ - #define SN_ffdhe8192 "ffdhe8192" - #define NID_ffdhe8192 1130 - -+#define SN_modp_1536 "modp_1536" -+#define NID_modp_1536 1196 -+ -+#define SN_modp_2048 "modp_2048" -+#define NID_modp_2048 1197 -+ -+#define SN_modp_3072 "modp_3072" -+#define NID_modp_3072 1198 -+ -+#define SN_modp_4096 "modp_4096" -+#define NID_modp_4096 1199 -+ -+#define SN_modp_6144 "modp_6144" -+#define NID_modp_6144 1200 -+ -+#define SN_modp_8192 "modp_8192" -+#define NID_modp_8192 1201 -+ - #define SN_ISO_UA "ISO-UA" - #define NID_ISO_UA 1150 - #define OBJ_ISO_UA OBJ_member_body,804L diff --git a/openssl-fips-DH_selftest_shared_secret_KAT.patch b/openssl-fips-DH_selftest_shared_secret_KAT.patch new file mode 100644 index 0000000..279a0ef --- /dev/null +++ b/openssl-fips-DH_selftest_shared_secret_KAT.patch @@ -0,0 +1,82 @@ +Index: openssl-1.1.1d/crypto/fips/fips_dh_selftest.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/fips/fips_dh_selftest.c 2020-09-08 20:40:41.313074570 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_dh_selftest.c 2020-09-08 20:41:05.337219024 +0200 +@@ -119,6 +119,41 @@ static const unsigned char dh_test_2048_ + 0xEC, 0x55, 0xF6, 0xCC + }; + ++static const unsigned char dh_test_2048_shared_secret[] = { ++ 0x62, 0x68, 0x15, 0xbd, 0xc4, 0x9a, 0x3c, 0xfc, ++ 0xda, 0x5d, 0xc5, 0x81, 0xc9, 0xe7, 0x1b, 0xbb, ++ 0x94, 0x19, 0xb0, 0x5d, 0x95, 0xc3, 0x98, 0xd0, ++ 0xc6, 0x8b, 0x05, 0x34, 0xa5, 0xe2, 0xe4, 0xa8, ++ 0x7c, 0x4b, 0x7c, 0x41, 0xf9, 0x6d, 0xc1, 0xcc, ++ 0x6e, 0xb6, 0x34, 0xe1, 0x71, 0xc3, 0x00, 0x03, ++ 0x06, 0x08, 0x1d, 0x90, 0x88, 0x3c, 0x5d, 0x14, ++ 0x2d, 0x56, 0xac, 0x78, 0x83, 0xd6, 0xe9, 0x7c, ++ 0x6c, 0x34, 0xdf, 0xe0, 0x98, 0x14, 0xaa, 0xbe, ++ 0x3b, 0x83, 0xc5, 0xd1, 0xac, 0xec, 0xa6, 0x0b, ++ 0xc1, 0x94, 0x8d, 0x42, 0x3f, 0xb8, 0x63, 0xef, ++ 0xb1, 0x1b, 0x60, 0x4f, 0xfa, 0xfa, 0xbb, 0x57, ++ 0x28, 0x27, 0x4d, 0x78, 0xa4, 0x3d, 0x7a, 0xd8, ++ 0xab, 0x2e, 0x7d, 0x8b, 0xd3, 0xa9, 0x78, 0x74, ++ 0xfe, 0x3a, 0x08, 0x5f, 0xe3, 0xf5, 0x5a, 0xfa, ++ 0xa6, 0x93, 0x67, 0xea, 0xae, 0x5e, 0xd6, 0xc5, ++ 0xa1, 0xab, 0x0a, 0x1e, 0x78, 0xe7, 0xdd, 0xbc, ++ 0xae, 0xb7, 0x3e, 0x7d, 0x8b, 0xd8, 0x66, 0x92, ++ 0x38, 0x1b, 0x96, 0xeb, 0xcb, 0xcb, 0x6a, 0xcc, ++ 0xd8, 0x42, 0x80, 0x66, 0xa9, 0xa2, 0x75, 0xeb, ++ 0xe4, 0x79, 0x11, 0x7a, 0xca, 0x84, 0x77, 0x7a, ++ 0xe6, 0xe2, 0x13, 0xb1, 0x90, 0xd3, 0x0f, 0x87, ++ 0x2a, 0x0f, 0xf5, 0x17, 0x61, 0x15, 0x05, 0x31, ++ 0x5f, 0xdf, 0xb4, 0x8e, 0xf3, 0x21, 0x27, 0x6a, ++ 0x69, 0xdc, 0x52, 0x79, 0x64, 0x51, 0x1f, 0xc0, ++ 0xed, 0x55, 0x57, 0xd9, 0x5c, 0x6f, 0xdb, 0xaa, ++ 0x08, 0x44, 0xb9, 0x71, 0x71, 0x15, 0x27, 0xe8, ++ 0xe9, 0x42, 0x78, 0xc1, 0xc4, 0xc0, 0xbd, 0x28, ++ 0x23, 0xa1, 0x30, 0x57, 0xf0, 0x2e, 0x24, 0xf0, ++ 0x34, 0x17, 0x97, 0x1c, 0x4c, 0x2a, 0x98, 0x76, ++ 0x3d, 0x50, 0x7f, 0x32, 0xa2, 0x25, 0x94, 0x9e, ++ 0x1e, 0xbc, 0x97, 0x96, 0xd6, 0x14, 0x61, 0x5b ++}; ++ + int FIPS_selftest_dh() + { + DH *dh = NULL; +@@ -127,6 +162,7 @@ int FIPS_selftest_dh() + int len; + BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL; + const BIGNUM *pub_key; ++ unsigned char *shared_secret = NULL; + + fips_load_key_component(p, dh_test_2048); + fips_load_key_component(g, dh_test_2048); +@@ -162,6 +198,19 @@ int FIPS_selftest_dh() + memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0) + goto err; + ++ /* Shared secret KAT test */ ++ len = DH_size(dh); ++ if ((shared_secret = OPENSSL_malloc(len)) == NULL) ++ goto err; ++ ++ if ((len = DH_compute_key(shared_secret, pub_key, dh)) == -1) ++ goto err; ++ ++ if (len != sizeof(dh_test_2048_shared_secret) || ++ (memcmp(shared_secret, dh_test_2048_shared_secret, len) != 0)) { ++ goto err; ++ } ++ + ret = 1; + + err: +@@ -175,6 +224,7 @@ int FIPS_selftest_dh() + } + + OPENSSL_free(pub_key_bin); ++ OPENSSL_free(shared_secret); + return ret; + } + #endif diff --git a/openssl-fips-dont_run_FIPS_module_installed.patch b/openssl-fips-dont_run_FIPS_module_installed.patch deleted file mode 100644 index ad0d8d4..0000000 --- a/openssl-fips-dont_run_FIPS_module_installed.patch +++ /dev/null @@ -1,14 +0,0 @@ -Index: openssl-1.1.1d/crypto/o_init.c -=================================================================== ---- openssl-1.1.1d.orig/crypto/o_init.c 2020-01-23 13:45:11.336633643 +0100 -+++ openssl-1.1.1d/crypto/o_init.c 2020-01-23 13:45:21.316692954 +0100 -@@ -63,9 +63,6 @@ void __attribute__ ((constructor)) OPENS - if (done) - return; - done = 1; -- if (!FIPS_module_installed()) { -- return; -- } - init_fips_mode(); - } - #endif diff --git a/openssl-fips-kdf-hkdf-selftest.patch b/openssl-fips-kdf-hkdf-selftest.patch new file mode 100644 index 0000000..5e2a369 --- /dev/null +++ b/openssl-fips-kdf-hkdf-selftest.patch @@ -0,0 +1,103 @@ +Index: openssl-1.1.1m/crypto/fips/fips_err.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_err.h ++++ openssl-1.1.1m/crypto/fips/fips_err.h +@@ -114,6 +114,7 @@ static ERR_STRING_DATA FIPS_str_functs[] + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS), "FIPS_selftest_tls"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSH), "FIPS_selftest_ssh"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HKDF), "FIPS_selftest_hkdf"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, +Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_kdf_selftest.c ++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +@@ -16,6 +16,49 @@ + #include + + #ifdef OPENSSL_FIPS ++ ++int FIPS_selftest_hkdf(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF)) == NULL) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, ++ "label", (size_t)5) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ goto err; ++ } ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13 ++ }; ++ if (memcmp(out, expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_HKDF, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + int FIPS_selftest_pbkdf2(void) + { + int ret = 0; +Index: openssl-1.1.1m/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1m/crypto/fips/fips_post.c +@@ -110,6 +110,8 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_ssh()) + rv = 0; ++ if (!FIPS_selftest_hkdf()) ++ rv = 0; + + return rv; + } +Index: openssl-1.1.1m/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/fips.h ++++ openssl-1.1.1m/include/openssl/fips.h +@@ -127,6 +127,7 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_PBKDF2 152 + # define FIPS_F_FIPS_SELFTEST_TLS 153 + # define FIPS_F_FIPS_SELFTEST_SSH 154 ++# define FIPS_F_FIPS_SELFTEST_HKDF 155 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 +Index: openssl-1.1.1m/include/crypto/fips_int.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/fips_int.h ++++ openssl-1.1.1m/include/crypto/fips_int.h +@@ -79,6 +79,7 @@ int FIPS_selftest_cmac(void); + int FIPS_selftest_pbkdf2(void); + int FIPS_selftest_tls(void); + int FIPS_selftest_ssh(void); ++int FIPS_selftest_hkdf(void); + + int fips_in_post(void); + diff --git a/openssl-fips_fix_selftests_return_value.patch b/openssl-fips_fix_selftests_return_value.patch deleted file mode 100644 index 1598f9a..0000000 --- a/openssl-fips_fix_selftests_return_value.patch +++ /dev/null @@ -1,27 +0,0 @@ -Index: openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c -=================================================================== ---- openssl-1.1.1d.orig/crypto/fips/fips_dsa_selftest.c 2020-02-17 10:40:18.006796026 +0100 -+++ openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c 2020-02-17 10:40:18.946801354 +0100 -@@ -150,7 +150,7 @@ int FIPS_selftest_dsa() - { - DSA *dsa = NULL; - EVP_PKEY *pk = NULL; -- int ret = -1; -+ int ret = 0; - BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; - - fips_load_key_component(p, dsa_test_2048); -Index: openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c -=================================================================== ---- openssl-1.1.1d.orig/crypto/fips/fips_ecdh_selftest.c 2020-02-17 10:40:18.006796026 +0100 -+++ openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c 2020-02-17 10:40:18.950801378 +0100 -@@ -221,6 +221,9 @@ int FIPS_selftest_ecdh(void) - } - - err: -+ if (rv == -1) { -+ rv = 0; -+ } - - if (x) - BN_clear_free(x); diff --git a/openssl-kdf-selftest.patch b/openssl-kdf-selftest.patch new file mode 100644 index 0000000..5fdcdf8 --- /dev/null +++ b/openssl-kdf-selftest.patch @@ -0,0 +1,131 @@ +Index: openssl-1.1.1m/crypto/fips/build.info +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/build.info ++++ openssl-1.1.1m/crypto/fips/build.info +@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\ + fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ +- fips_dh_selftest.c fips_ers.c ++ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c + + PROGRAMS=\ + fips_standalone_hmac +Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +@@ -0,0 +1,64 @@ ++/* ++ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++int FIPS_selftest_pbkdf2(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[32]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ goto err; ++ } ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3, ++ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0, ++ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf, ++ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43 ++ }; ++ if (memcmp(out, expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++ ++err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++#endif +Index: openssl-1.1.1m/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1m/crypto/fips/fips_post.c +@@ -104,6 +104,8 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_ecdh()) + rv = 0; ++ if (!FIPS_selftest_pbkdf2()) ++ rv = 0; + return rv; + } + +Index: openssl-1.1.1m/include/crypto/fips_int.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/fips_int.h ++++ openssl-1.1.1m/include/crypto/fips_int.h +@@ -76,6 +76,7 @@ void FIPS_drbg_stick(int onoff); + int FIPS_selftest_hmac(void); + int FIPS_selftest_drbg(void); + int FIPS_selftest_cmac(void); ++int FIPS_selftest_pbkdf2(void); + + int fips_in_post(void); + +Index: openssl-1.1.1m/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/fips.h ++++ openssl-1.1.1m/include/openssl/fips.h +@@ -124,6 +124,7 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_DSA 112 + # define FIPS_F_FIPS_SELFTEST_ECDSA 133 + # define FIPS_F_FIPS_SELFTEST_HMAC 113 ++# define FIPS_F_FIPS_SELFTEST_PBKDF2 152 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 +Index: openssl-1.1.1m/crypto/fips/fips_err.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_err.h ++++ openssl-1.1.1m/crypto/fips/fips_err.h +@@ -111,6 +111,7 @@ static ERR_STRING_DATA FIPS_str_functs[] + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, diff --git a/openssl-kdf-ssh-selftest.patch b/openssl-kdf-ssh-selftest.patch new file mode 100644 index 0000000..363e6b3 --- /dev/null +++ b/openssl-kdf-ssh-selftest.patch @@ -0,0 +1,122 @@ +Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_kdf_selftest.c ++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +@@ -101,4 +101,68 @@ err: + return ret; + } + ++int FIPS_selftest_ssh(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[8]; ++ ++ /* Test data from NIST CAVS 14.1 test vectors */ ++ const unsigned char key[] = { ++ 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a, ++ 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a, ++ 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa, ++ 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78, ++ 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2, ++ 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90, ++ 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80, ++ 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2, ++ 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08, ++ 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43, ++ 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14, ++ 0x4e ++ }; ++ const unsigned char xcghash[] = { ++ 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23, ++ 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7, ++ 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42 ++ }; ++ const unsigned char sessid[] = { ++ 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23, ++ 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7, ++ 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42 ++ }; ++ const unsigned char expected[sizeof(out)] = { ++ 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6 ++ }; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF)) == NULL) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, sizeof(key)) <= 0) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, xcghash, ++ sizeof(xcghash)) <= 0) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, sessid, ++ sizeof(sessid)) <= 0) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, ++ (int)EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV) <= 0) ++ goto err; ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) ++ goto err; ++ if (memcmp(out, expected, sizeof(expected))) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SSH, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + #endif +Index: openssl-1.1.1m/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1m/crypto/fips/fips_post.c +@@ -108,6 +108,8 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_tls()) + rv = 0; ++ if (!FIPS_selftest_ssh()) ++ rv = 0; + + return rv; + } +Index: openssl-1.1.1m/include/crypto/fips_int.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/fips_int.h ++++ openssl-1.1.1m/include/crypto/fips_int.h +@@ -78,6 +78,7 @@ int FIPS_selftest_drbg(void); + int FIPS_selftest_cmac(void); + int FIPS_selftest_pbkdf2(void); + int FIPS_selftest_tls(void); ++int FIPS_selftest_ssh(void); + + int fips_in_post(void); + +Index: openssl-1.1.1m/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/fips.h ++++ openssl-1.1.1m/include/openssl/fips.h +@@ -126,6 +126,7 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_HMAC 113 + # define FIPS_F_FIPS_SELFTEST_PBKDF2 152 + # define FIPS_F_FIPS_SELFTEST_TLS 153 ++# define FIPS_F_FIPS_SELFTEST_SSH 154 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 +Index: openssl-1.1.1m/crypto/fips/fips_err.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_err.h ++++ openssl-1.1.1m/crypto/fips/fips_err.h +@@ -113,6 +113,7 @@ static ERR_STRING_DATA FIPS_str_functs[] + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS), "FIPS_selftest_tls"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSH), "FIPS_selftest_ssh"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, diff --git a/openssl-kdf-tls-selftest.patch b/openssl-kdf-tls-selftest.patch new file mode 100644 index 0000000..9ee4659 --- /dev/null +++ b/openssl-kdf-tls-selftest.patch @@ -0,0 +1,99 @@ +Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_kdf_selftest.c ++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +@@ -61,4 +61,44 @@ err: + return ret; + } + ++int FIPS_selftest_tls(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[16]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL) ++ goto err; ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) ++ goto err; ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET, ++ "secret", (size_t)6) <= 0) ++ goto err; ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) ++ goto err; ++ ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) ++ goto err; ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0, ++ 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc ++ }; ++ if (memcmp(out, expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++ ++err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_TLS, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + #endif +Index: openssl-1.1.1m/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1m/crypto/fips/fips_post.c +@@ -106,6 +106,9 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_pbkdf2()) + rv = 0; ++ if (!FIPS_selftest_tls()) ++ rv = 0; ++ + return rv; + } + +Index: openssl-1.1.1m/include/crypto/fips_int.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/fips_int.h ++++ openssl-1.1.1m/include/crypto/fips_int.h +@@ -77,6 +77,7 @@ int FIPS_selftest_hmac(void); + int FIPS_selftest_drbg(void); + int FIPS_selftest_cmac(void); + int FIPS_selftest_pbkdf2(void); ++int FIPS_selftest_tls(void); + + int fips_in_post(void); + +Index: openssl-1.1.1m/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/fips.h ++++ openssl-1.1.1m/include/openssl/fips.h +@@ -125,6 +125,7 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_ECDSA 133 + # define FIPS_F_FIPS_SELFTEST_HMAC 113 + # define FIPS_F_FIPS_SELFTEST_PBKDF2 152 ++# define FIPS_F_FIPS_SELFTEST_TLS 153 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 +Index: openssl-1.1.1m/crypto/fips/fips_err.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_err.h ++++ openssl-1.1.1m/crypto/fips/fips_err.h +@@ -112,6 +112,7 @@ static ERR_STRING_DATA FIPS_str_functs[] + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS), "FIPS_selftest_tls"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, diff --git a/openssl-no-date.patch b/openssl-no-date.patch new file mode 100644 index 0000000..c910674 --- /dev/null +++ b/openssl-no-date.patch @@ -0,0 +1,13 @@ +Index: openssl-1.1.1-pre1/util/mkbuildinf.pl +=================================================================== +--- openssl-1.1.1-pre1.orig/util/mkbuildinf.pl 2018-02-13 16:31:28.011389734 +0100 ++++ openssl-1.1.1-pre1/util/mkbuildinf.pl 2018-02-13 16:31:51.539764582 +0100 +@@ -28,7 +28,7 @@ print <<"END_OUTPUT"; + */ + + #define PLATFORM "platform: $platform" +-#define DATE "built on: $date" ++#define DATE "" + + /* + * Generate compiler_flags as an array of individual characters. This is a diff --git a/openssl-s_client-check-ocsp-status.patch b/openssl-s_client-check-ocsp-status.patch new file mode 100644 index 0000000..cbd4161 --- /dev/null +++ b/openssl-s_client-check-ocsp-status.patch @@ -0,0 +1,492 @@ +commit c43f598838acaf3b98df4fce4b6babb663d2f902 +Author: Otto Hollmann +Date: Fri Jun 30 11:15:30 2023 +0200 + + Add OCSP_RESPONSE_check_status(), a function to check OCSP response for revoked certificate in s_client. + +--- + apps/s_client.c | 10 + + crypto/ocsp/ocsp_vfy.c | 31 +++++ + doc/man3/OCSP_response_status.pod | 15 ++ + include/openssl/ocsp.h | 1 + test/recipes/80-test_ocsp_check.t | 90 +++++++++++++++++ + test/recipes/80-test_ocsp_check_data/ca.pem | 19 +++ + test/recipes/80-test_ocsp_check_data/index-revoked.txt | 2 + test/recipes/80-test_ocsp_check_data/index-valid.txt | 2 + test/recipes/80-test_ocsp_check_data/ocsp.key | 28 +++++ + test/recipes/80-test_ocsp_check_data/ocsp.pem | 75 ++++++++++++++ + test/recipes/80-test_ocsp_check_data/server.key | 28 +++++ + test/recipes/80-test_ocsp_check_data/server.pem | 75 ++++++++++++++ + util/libcrypto.num | 1 + 13 files changed, 372 insertions(+), 5 deletions(-) + +--- a/apps/s_client.c ++++ b/apps/s_client.c +@@ -3390,7 +3390,7 @@ static void print_stuff(BIO *bio, SSL *s + static int ocsp_resp_cb(SSL *s, void *arg) + { + const unsigned char *p; +- int len; ++ int len, ret; + OCSP_RESPONSE *rsp; + len = SSL_get_tlsext_status_ocsp_resp(s, &p); + BIO_puts(arg, "OCSP response: "); +@@ -3407,8 +3407,14 @@ static int ocsp_resp_cb(SSL *s, void *ar + BIO_puts(arg, "\n======================================\n"); + OCSP_RESPONSE_print(arg, rsp, 0); + BIO_puts(arg, "======================================\n"); ++ ret = OCSP_RESPONSE_check_status(rsp); + OCSP_RESPONSE_free(rsp); +- return 1; ++ if (ret <= -1) { ++ BIO_puts(arg, "unable to verify OCSP response\n"); ++ } else if (ret == 0) { ++ BIO_puts(arg, "revoked certificate found in OCSP response\n"); ++ } ++ return ret; + } + # endif + +--- a/crypto/ocsp/ocsp_vfy.c ++++ b/crypto/ocsp/ocsp_vfy.c +@@ -433,3 +433,34 @@ static int ocsp_req_find_signer(X509 **p + } + return 0; + } ++ ++/* ++ * Check an OCSP response for revoked certificate. Return a negative value on ++ * error; 0 if the response is not acceptable (in which case the handshake ++ * will fail) or a positive value if it is acceptable (no revoked certificate ++ * is found). ++ */ ++ ++int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o) ++{ ++ int i; ++ OCSP_BASICRESP *br = NULL; ++ OCSP_RESPDATA *rd = NULL; ++ OCSP_SINGLERESP *single = NULL; ++ OCSP_RESPBYTES *rb = o->responseBytes; ++ if (rb == NULL) ++ return -1; ++ if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) ++ return -1; ++ if ((br = OCSP_response_get1_basic(o)) == NULL) ++ return -1; ++ rd = &br->tbsResponseData; ++ for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) { ++ if (!sk_OCSP_SINGLERESP_value(rd->responses, i)) ++ continue; ++ single = sk_OCSP_SINGLERESP_value(rd->responses, i); ++ if (single->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) ++ return 0; ++ } ++ return 1; ++} +--- a/doc/man3/OCSP_response_status.pod ++++ b/doc/man3/OCSP_response_status.pod +@@ -2,8 +2,8 @@ + + =head1 NAME + +-OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create, +-OCSP_RESPONSE_free, OCSP_RESPID_set_by_name, ++OCSP_response_status, OCSP_RESPONSE_check_status, OCSP_response_get1_basic, ++OCSP_response_create, OCSP_RESPONSE_free, OCSP_RESPID_set_by_name, + OCSP_RESPID_set_by_key, OCSP_RESPID_match, + OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions + +@@ -12,6 +12,7 @@ OCSP_basic_sign, OCSP_basic_sign_ctx - O + #include + + int OCSP_response_status(OCSP_RESPONSE *resp); ++ int OCSP_RESPONSE_check_status(OCSP_RESPONSE *resp); + OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); + OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs); + void OCSP_RESPONSE_free(OCSP_RESPONSE *resp); +@@ -34,6 +35,10 @@ B + B, B + B, or B. + ++OCSP_RESPONSE_check_status() check status of the OCSP response I. It ++returns a negative value on error; 0 if the response is not acceptable ++(e.g. contains revoked certificate) or a positive value if it is acceptable. ++ + OCSP_response_get1_basic() decodes and returns the B structure + contained in B. + +@@ -65,7 +70,11 @@ uses the parameters contained in digest + + =head1 RETURN VALUES + +-OCSP_RESPONSE_status() returns a status value. ++OCSP_response_status() returns a status value. ++ ++OCSP_RESPONSE_check_status() returns a result of check - negative value on ++error; 0 if the response is not acceptable; positive value if response is ++acceptable. + + OCSP_response_get1_basic() returns an B structure pointer or + B if an error occurred. +--- a/include/openssl/ocsp.h ++++ b/include/openssl/ocsp.h +@@ -340,6 +340,7 @@ const char *OCSP_crl_reason_str(long s); + + int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *a, unsigned long flags); + int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags); ++int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o); + + int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, + X509_STORE *st, unsigned long flags); +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check.t +@@ -0,0 +1,90 @@ ++#! /usr/bin/env perl ++# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++use strict; ++use warnings; ++ ++use IPC::Open2; ++use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_file/; ++use OpenSSL::Test::Utils; ++ ++setup("test_ocsp_check"); ++ ++plan tests => 2; ++ ++my $shlib_wrap = bldtop_file("util", "shlib_wrap.sh"); ++my $apps_openssl = bldtop_file("apps", "openssl"); ++my $ca = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ca.pem"); ++my $ca_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ca.key"); ++my $ocsp = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ocsp.pem"); ++my $ocsp_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ocsp.key"); ++my $server = srctop_file("test", "recipes", "80-test_ocsp_check_data", "server.pem"); ++my $server_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "server.key"); ++my $index; ++my $ocsp_port = 9999; ++my $https_port = 8443; ++# 20 July 2023 so we don't get certificate expiry errors. ++my @check_time=("-attime", "1689811200"); ++ ++sub run_test { ++ my $id = shift; ++ my $connect_good = 0; ++ ++ if ($id == 0) { ++ $index = srctop_file("test", "recipes", "80-test_ocsp_check_data", "index-valid.txt"); ++ } ++ if ($id == 1) { ++ $index = srctop_file("test", "recipes", "80-test_ocsp_check_data", "index-revoked.txt"); ++ } ++ # OCSP responder ++ my @o_cmd = ("ocsp", "-index", $index, "-port", "$ocsp_port", "-rsigner", $ocsp, "-rkey", $ocsp_key, "-CA", $ca, "-nrequest", "1", @check_time); ++ # server ++ my @s_cmd = ("s_server", "-www", "-status_url", "http://127.0.0.1:$ocsp_port", "-accept", "$https_port", "-cert", $server, "-key", $server_key, "-state", "-CAfile", $ca, "-naccept", "1", @check_time); ++ # client ++ my @c_cmd = ("s_client", "-connect", ":$https_port", "-CAfile", $ca, "-status", "-verify_return_error", "-strict", @check_time); ++ ++ # Run the OCSP responder ++ my $o_pid = open2(my $o_out, my $o_in, $shlib_wrap, $apps_openssl, @o_cmd); ++ ++ # Start up the server ++ my $s_pid = open2(my $s_out, my $s_in, $shlib_wrap, $apps_openssl, @s_cmd); ++ while (<$s_out>) { ++ chomp; ++ if (/^ACCEPT$/) { ++ print "Server ready\n"; ++ last; ++ } ++ } ++ ++ # Start up the client ++ my $c_pid = open2(my $c_out, my $c_in, $shlib_wrap, $apps_openssl, @c_cmd); ++ if ($id == 0) { ++ # Do the "GET", which will cause the client to finish ++ print $c_in "GET /\r\n"; ++ } ++ ++ waitpid($c_pid, 0); ++ waitpid($s_pid, 0); ++ waitpid($o_pid, 0); ++ ++ # Check the client output ++ while (<$c_out>) { ++ chomp; ++ if ($id == 0) { ++ $connect_good = 1 if /^Content-type: text/; ++ } ++ if ($id == 1) { ++ $connect_good = 1 if /^revoked certificate found in OCSP response/; ++ } ++ } ++ print STDERR "Connection failed\n" if ! ok($connect_good); ++} ++ ++for my $index (0..1) { ++ run_test($index) ++} +\ No newline at end of file +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/ca.pem +@@ -0,0 +1,19 @@ ++-----BEGIN CERTIFICATE----- ++MIIDBTCCAe2gAwIBAgIUZot4eag1ZaofYsMIB7HIzq8+zGEwDQYJKoZIhvcNAQEL ++BQAwEjEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMzA3MTIwOTI5NDdaFw0zMzA3MDkw ++OTI5NDdaMBIxEDAOBgNVBAMMB1Jvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB ++DwAwggEKAoIBAQDRRSlP0gUVVlzMkEtVzX95n5lM+P36lyNgevKqY1Dl3ygPAzaq ++HRUBsgcxdDwWwMPO2u5UJOWaQ80nwFGROwX8WrRoBTvsUZ+URyXx98tHrhnD6wI9 ++v30xYGN0RU2Ef2XnMvThhKRQVZJJWAHFPWZdPes0/g3H4FGJudOQJUHpiDD1UEF+ ++cWxyujhVbvBFCX+mBS+r/tn75axjsUqmbxwCE7TK3CD0JdvlLUYxtybvozYoONot ++/mFleCMmPaTzPHan+iXNHp4Tn+3Ssndo3uiTr0pEbGgSOy2PppbZmv0ml0+CSLN4 ++G8VaBBf7VTMayowEmmDgTpsOTi9tJqW2CcGzAgMBAAGjUzBRMB0GA1UdDgQWBBRj ++L87V9mqTdWYMCNNBb6Hay7OwPjAfBgNVHSMEGDAWgBRjL87V9mqTdWYMCNNBb6Ha ++y7OwPjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC09qzufLI/ ++AoBscY8e9Q4pRhzeVVAKQ6yAZiO2O0o3trI5xKqD3iD0pOC7Mbfg0e0lneK6ovpd ++J178HwF4PMdiwvPH0KkAf0DaB96nC6U6oGQmItq8668jeVBjat0UCP3xiLmLhhAl ++mnnsgFC1eALmpWQPVlixUaXF4ri3R0QBUcc2kIV5zr1P3LJVboMSgCZULvrlfQLC ++kA0GdCCf6h08AFHRaIW8EE3I1IHNZc7eQcmnCLewHU5cPAYJ69GjhblSLS8kbpXK ++k7BllPLkk99zc/94okTasTjUkmha3RhRqMNL8jrYVc1m7H4U+4XUyh1y4C4Nmz18 ++fBbrMxN2SCXM ++-----END CERTIFICATE----- +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/index-revoked.txt +@@ -0,0 +1,2 @@ ++V 240711093229Z 1000 unknown /CN=OCSP ++R 240711093313Z 230621000000Z 1001 unknown /CN=Server +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/index-valid.txt +@@ -0,0 +1,2 @@ ++V 240711093229Z 1000 unknown /CN=OCSP ++V 240711093313Z 1001 unknown /CN=Server +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/ocsp.key +@@ -0,0 +1,28 @@ ++-----BEGIN PRIVATE KEY----- ++MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDZ2OLi8cpvoinQ ++bs4YEmk9GdQNcg9+zBRHy/YRJF+bbdreINweLYigHg2D3rcJnrjXkNAmd08aD0x+ ++4iq58Tvy5P48VZ+c1R3XUs1YQR20sKgnM8w+uF2SXxX18Idy31pNErYh3J8jVpBi ++moMP9dC22iNB4kTKf1ORM6HaKnHM8wg3JzXv9lVoIQgAgyAmJOoQXhQ8Kn1AOj3j ++vp1Jgm2hI4e2MTjgjraT9sKxPXIZkKnTwnZX88MpE9HvsQ7XV2CdYmMry+L69X68 ++bl3S1eisDjeIvHPtz6TenZs7wxbupy7OtdOKRxa/mDh9C76XHiNPoukUF1NVZ93S ++647ud7enAgMBAAECggEAFy+JbQxn9nwExZ2Cy4wWGFM0lF5vPhhmu4IpRTIhB4Vo ++gIYbIg5y6/vBhidWRYICUVXP2ZrkLTVd97kxlqBmuCzdeZAcEKXxavacoAfaK142 ++n2mDaP+CsgPzGJMfj2nXOLxvlxNd+qBey1J/oDC8+eEl/yqfwLT5hiA/2dz08hI6 ++IU0BudOB6H5iBK74MJsubdm0tsY4iqTykXeiR+n5dvVGDXLUX74BDHlD9O7AAo10 ++h74Vw22luigsV0spCVLoOYy6z9KMkOaHZRruPmF3UCsfJZFY2y6uMapvbdgUavr9 ++5fpsx40ep/mjRkYainHfJK1YkV/AoTxKjPQu2owJIQKBgQD0akN75lGXaAMQ0oEA ++1UrvZg75BQxPN+3qVtyynoQGVh58uRIaeG4DQdtc4nNPYI6o6NGbJk4T4wXU7W/3 ++XUr+U/LdSGpHfM9gXGCUNgoJeUKY3NLUGdE4DIGDiJrmJfd5NDj37+PAQUTLBO49 ++A0+BPnictZPffXuXCGL7lt7hYQKBgQDkLD9jV6HNtv8pAxFdQM+89NhWZCvpuTAs ++rihG3ebblBotMuGsrZDJ75UKq5wPEGCZWDc5q2h8L6CiyQF7Vht4/pi4NEhsA9My ++5hOGUJJVvvFmEIYz0GoCGqoDqag1XpKx8MYMvcc52bhzsYCy+dpnqraISeyiFPLM ++hdy+3jROBwKBgAqKEoLjOZ13xLoS+bEZgXO1SOwABbncxYuXV0j0gOjtCb+DE37E ++tqm5S0ZEFYjUtxIdh/xSuIcvAO9flbZq9XLmF9Dm8H5IqYCUOy3o7qHd8rs4unae ++7mCmWWdcmqFV/cfiMpquY3nE1rySZ9uFqwX9taG8SrYWaR/oIqyKou3BAoGBAJgX ++2oT4s/UxJzKKRffYLOEygEZN7WuVMsSFrnlWjv0M4soAIaf95gaFOd7r91GfRBTT ++VbSOSk6FXNlFjUROaG+lnd0jlKbTgeNqs9cTPAgGCFlVaG9/XDpc1bktTN+OU9Bi ++w1FY60TnmOkdh8FFhM0XYSbFyANeXV3xWOytp0XfAoGBAO2FkR3oGd3DSJmeljwJ ++HciEmlYCk38z93mZXiDTh4axS+mxAMYVRXt0dDUveyImlpcGi9coYmQPEzgk6spQ ++DOeRzRQcWQWfny9/UoGFU/Kv6QmpteAWaSjinBWKONx9d5AGzAkzms79tS8JMeL5 +++wlkyD8NclbRA+ILu+V8HLed ++-----END PRIVATE KEY----- +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/ocsp.pem +@@ -0,0 +1,75 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 4096 (0x1000) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: CN=Root CA ++ Validity ++ Not Before: Jul 12 09:32:29 2023 GMT ++ Not After : Jul 11 09:32:29 2024 GMT ++ Subject: CN=OCSP ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (2048 bit) ++ Modulus: ++ 00:d9:d8:e2:e2:f1:ca:6f:a2:29:d0:6e:ce:18:12: ++ 69:3d:19:d4:0d:72:0f:7e:cc:14:47:cb:f6:11:24: ++ 5f:9b:6d:da:de:20:dc:1e:2d:88:a0:1e:0d:83:de: ++ b7:09:9e:b8:d7:90:d0:26:77:4f:1a:0f:4c:7e:e2: ++ 2a:b9:f1:3b:f2:e4:fe:3c:55:9f:9c:d5:1d:d7:52: ++ cd:58:41:1d:b4:b0:a8:27:33:cc:3e:b8:5d:92:5f: ++ 15:f5:f0:87:72:df:5a:4d:12:b6:21:dc:9f:23:56: ++ 90:62:9a:83:0f:f5:d0:b6:da:23:41:e2:44:ca:7f: ++ 53:91:33:a1:da:2a:71:cc:f3:08:37:27:35:ef:f6: ++ 55:68:21:08:00:83:20:26:24:ea:10:5e:14:3c:2a: ++ 7d:40:3a:3d:e3:be:9d:49:82:6d:a1:23:87:b6:31: ++ 38:e0:8e:b6:93:f6:c2:b1:3d:72:19:90:a9:d3:c2: ++ 76:57:f3:c3:29:13:d1:ef:b1:0e:d7:57:60:9d:62: ++ 63:2b:cb:e2:fa:f5:7e:bc:6e:5d:d2:d5:e8:ac:0e: ++ 37:88:bc:73:ed:cf:a4:de:9d:9b:3b:c3:16:ee:a7: ++ 2e:ce:b5:d3:8a:47:16:bf:98:38:7d:0b:be:97:1e: ++ 23:4f:a2:e9:14:17:53:55:67:dd:d2:eb:8e:ee:77: ++ b7:a7 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: ++ CA:FALSE ++ X509v3 Subject Key Identifier: ++ 2B:C9:AC:45:83:BB:96:5B:73:77:1A:F8:DB:F9:98:44:C6:E8:55:95 ++ X509v3 Authority Key Identifier: ++ 63:2F:CE:D5:F6:6A:93:75:66:0C:08:D3:41:6F:A1:DA:CB:B3:B0:3E ++ Signature Algorithm: sha256WithRSAEncryption ++ Signature Value: ++ 02:87:49:a3:6f:c4:59:38:94:f9:f7:1a:ff:6f:4c:b4:6b:bd: ++ d2:79:98:5c:90:a8:49:45:ec:91:4e:ac:45:ec:8d:81:7f:ce: ++ ea:2f:93:c1:40:49:d4:c7:f2:ae:c0:60:1d:7d:65:91:83:63: ++ 51:4c:f0:ce:ef:81:dc:43:a6:b3:01:39:66:52:2d:1d:08:16: ++ a7:a7:54:78:e6:7a:06:49:5f:86:37:12:48:42:ab:37:a9:c0: ++ 04:98:70:45:50:9e:6d:30:6d:6d:81:05:79:1b:5c:2b:75:b9: ++ a8:46:22:4a:80:c9:ab:7c:f7:b2:63:69:ed:08:31:32:bd:8e: ++ f8:d7:8e:8e:29:8e:f6:b0:52:c2:a3:19:c1:e0:88:de:de:94: ++ 4f:f1:a5:9b:1c:1c:c0:11:79:7f:df:38:1b:97:a9:6c:26:fc: ++ 7e:31:f5:78:ba:c1:1d:e6:7c:e1:8e:b3:c5:91:fc:f6:5f:44: ++ 18:44:0b:15:c8:94:a5:a7:02:58:2f:be:f4:e4:80:0a:ce:8e: ++ 33:36:dd:0f:39:d3:b6:ae:57:d2:46:b4:a2:d1:49:c9:29:a7: ++ a0:a7:62:a7:2e:2d:7d:91:94:12:f7:55:13:54:d5:4e:4d:eb: ++ 1f:78:a7:9e:a9:93:f9:6c:a9:ec:97:2e:c6:04:67:fa:95:47: ++ 1e:2c:d2:74 ++-----BEGIN CERTIFICATE----- ++MIIC6jCCAdKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v ++dCBDQTAeFw0yMzA3MTIwOTMyMjlaFw0yNDA3MTEwOTMyMjlaMA8xDTALBgNVBAMM ++BE9DU1AwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ2OLi8cpvoinQ ++bs4YEmk9GdQNcg9+zBRHy/YRJF+bbdreINweLYigHg2D3rcJnrjXkNAmd08aD0x+ ++4iq58Tvy5P48VZ+c1R3XUs1YQR20sKgnM8w+uF2SXxX18Idy31pNErYh3J8jVpBi ++moMP9dC22iNB4kTKf1ORM6HaKnHM8wg3JzXv9lVoIQgAgyAmJOoQXhQ8Kn1AOj3j ++vp1Jgm2hI4e2MTjgjraT9sKxPXIZkKnTwnZX88MpE9HvsQ7XV2CdYmMry+L69X68 ++bl3S1eisDjeIvHPtz6TenZs7wxbupy7OtdOKRxa/mDh9C76XHiNPoukUF1NVZ93S ++647ud7enAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFCvJrEWDu5Zbc3ca +++Nv5mETG6FWVMB8GA1UdIwQYMBaAFGMvztX2apN1ZgwI00FvodrLs7A+MA0GCSqG ++SIb3DQEBCwUAA4IBAQACh0mjb8RZOJT59xr/b0y0a73SeZhckKhJReyRTqxF7I2B ++f87qL5PBQEnUx/KuwGAdfWWRg2NRTPDO74HcQ6azATlmUi0dCBanp1R45noGSV+G ++NxJIQqs3qcAEmHBFUJ5tMG1tgQV5G1wrdbmoRiJKgMmrfPeyY2ntCDEyvY74146O ++KY72sFLCoxnB4Ije3pRP8aWbHBzAEXl/3zgbl6lsJvx+MfV4usEd5nzhjrPFkfz2 ++X0QYRAsVyJSlpwJYL7705IAKzo4zNt0POdO2rlfSRrSi0UnJKaegp2KnLi19kZQS ++91UTVNVOTesfeKeeqZP5bKnsly7GBGf6lUceLNJ0 ++-----END CERTIFICATE----- +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/server.key +@@ -0,0 +1,28 @@ ++-----BEGIN PRIVATE KEY----- ++MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDb4qMIdALYSZd7 ++/RBJ5PTRZS23d4SkIxZuOGXiSdYNyDNqg+jZZ5HPJu1ZcZFZ7AYINCAnk/yv1rPd ++Aoz50sZKTjHacQZLhaSds0PlN5/TrkwU0WUbalFWm5D6LB+VlDdkOSWSO3UNo23n ++X3wBMCWL9tTqNCwzNx8o3P6L8gjEOyOU3lIB3DU0FgGZN0Fkk7ZrbZxoln78Hcgf ++wBxWC2SafOwU9zofjdcEQr4Q6kAKDK1M7EYbq8U67BUS7SRRoj2Ub6KNhTGCuH5f ++0M4umykvong4bvqYqmrpAM0qV/F0ngus8qJgAH21AeHAvG9iuP/AphbslKFl+Me5 ++3J3/2A/lAgMBAAECggEAAsC9Ist1B6kwNNSvwgUUTZTTNDNSXU21J68cE2+yNtz1 ++S9WX8jTaPfoySYbi93m9f5fLeUNgjAEHonI4Op55bg+5jw8QMZzcOT83z+RY42kQ ++ucf/WI8Fsqxi7cbkpFZFNUOD5WdKKWAM7bMj1c35Al4WP1Jk5UVA5h2SMEVY97/x ++2TeQIzxBVX7w8d3jSHQXizWLB06IRs0F1Kpp0qIXJ558GcWEYVLk7ORIcJACWJSh ++UmhmtUVXI5OoWTTk4Ac7wus5GlCaLkwZ1RxV8iSwlQ5dhEBdDPRofrH9QgeULJrq ++l+G+Cv32FizTzC3QuiPrXrbfPVxffYZuJ5g2RORh9wKBgQD4IqS3WzXYOoKwkA5d ++8rVAL55tTE8I7/GZCoMrmRsXKV/30gJjhDlf5TyKWpFB7gcxBBZhd+lK/daH8d+S ++EAeBdN45VM/xbQkVKyfOQMQ5JuKmLJUyUP7yevMDZ0TYWQGDWmnVMzhfICIKWQvM ++lnPqCHFeYx+zWFBTDukr+aitywKBgQDi2sY1KAJiC24M7DILvjF0vFQGIPCyoOfQ ++VKemT3O5BKXbEK/WgBmTHMZzGPUGCZ7dxjEeTpE1d6YIadSa3FMyA34PWi8+3jdn ++lGSnK5MBlfKnk8Qo5vYOKPMgVmRPzqyJ8gUorNvAUEKZeFjV+wZeX/0yxSunumCj ++dfOk2TWDDwKBgEQE0xxED32HhH2774RHXPIMW6Rgb6XmiFbIb+6KmMd/mwQG+Iqp ++G0UzRKY0b28gPa5tDWmIglYBQUagwgV7CWOuUqBqpFns5rl7y/yY+nEkPKsKu5dA ++ZrK3i1gafd/EfkqwhSRhVwmUeGBXyok5kOrNh641A+KYyeQKyVY5qMiDAoGALJgb ++DIn/5ewfRxULRXmu2SbIUagaCNNOnop1pmDJ+93pCKZAGqd135BxhmCqkfREMY5r ++S2zgaKVLky3SqFqVVCiRmEz/KpmeRJNMMfyD2nTyjXSjw/Ka/e+Y04uIDpQvILLd ++xsAsNqLQZMDenbnJ57Vw3ZEa4s7lflyKd6ZnOYsCgYEA5jRpE1+lw1mAieDNovqH ++Mp2VwrmuFWhkeC7RW0G8ngNRzP9K6p77cDZGuR8GO5OHhpC3JG14OhOGL5rmDcwc ++ufXRlGMeAfWSY6EOY2hPWltML4EiX0zRESipQty8ns/HekIVlmOh4sv+3N3EqLlE ++edJcYLfcg1FGwnVQLHuVhy4= ++-----END PRIVATE KEY----- +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/server.pem +@@ -0,0 +1,75 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 4097 (0x1001) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: CN=Root CA ++ Validity ++ Not Before: Jul 12 09:33:13 2023 GMT ++ Not After : Jul 11 09:33:13 2024 GMT ++ Subject: CN=Server ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (2048 bit) ++ Modulus: ++ 00:db:e2:a3:08:74:02:d8:49:97:7b:fd:10:49:e4: ++ f4:d1:65:2d:b7:77:84:a4:23:16:6e:38:65:e2:49: ++ d6:0d:c8:33:6a:83:e8:d9:67:91:cf:26:ed:59:71: ++ 91:59:ec:06:08:34:20:27:93:fc:af:d6:b3:dd:02: ++ 8c:f9:d2:c6:4a:4e:31:da:71:06:4b:85:a4:9d:b3: ++ 43:e5:37:9f:d3:ae:4c:14:d1:65:1b:6a:51:56:9b: ++ 90:fa:2c:1f:95:94:37:64:39:25:92:3b:75:0d:a3: ++ 6d:e7:5f:7c:01:30:25:8b:f6:d4:ea:34:2c:33:37: ++ 1f:28:dc:fe:8b:f2:08:c4:3b:23:94:de:52:01:dc: ++ 35:34:16:01:99:37:41:64:93:b6:6b:6d:9c:68:96: ++ 7e:fc:1d:c8:1f:c0:1c:56:0b:64:9a:7c:ec:14:f7: ++ 3a:1f:8d:d7:04:42:be:10:ea:40:0a:0c:ad:4c:ec: ++ 46:1b:ab:c5:3a:ec:15:12:ed:24:51:a2:3d:94:6f: ++ a2:8d:85:31:82:b8:7e:5f:d0:ce:2e:9b:29:2f:a2: ++ 78:38:6e:fa:98:aa:6a:e9:00:cd:2a:57:f1:74:9e: ++ 0b:ac:f2:a2:60:00:7d:b5:01:e1:c0:bc:6f:62:b8: ++ ff:c0:a6:16:ec:94:a1:65:f8:c7:b9:dc:9d:ff:d8: ++ 0f:e5 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: ++ CA:FALSE ++ X509v3 Subject Key Identifier: ++ 3E:48:4E:C9:24:FA:DE:27:EA:A4:98:81:2A:06:12:9A:F6:FA:17:4E ++ X509v3 Authority Key Identifier: ++ 63:2F:CE:D5:F6:6A:93:75:66:0C:08:D3:41:6F:A1:DA:CB:B3:B0:3E ++ Signature Algorithm: sha256WithRSAEncryption ++ Signature Value: ++ 22:fe:de:97:6e:e8:5d:65:91:f0:70:af:97:85:53:5e:8e:c8: ++ 88:9b:e5:b3:33:d4:21:b9:3b:09:b7:72:70:16:8c:a8:0e:80: ++ 0f:1b:03:cb:95:94:ae:40:e2:3b:54:06:ec:1e:f5:bc:58:8a: ++ 22:57:cf:fe:14:b0:15:8c:18:5d:9d:fe:0e:70:55:26:c5:cc: ++ 92:f3:bf:03:19:e6:bd:41:b5:c3:cf:15:d3:e9:10:df:65:2a: ++ 68:c0:a3:df:93:a4:b1:66:20:94:1d:df:0a:9c:05:e7:74:a1: ++ 1a:39:db:c2:5b:78:8c:0c:f6:5e:30:80:cc:39:04:8a:8c:db: ++ 81:c1:5b:b4:3e:c2:ba:ae:06:ec:19:91:b4:a5:46:05:e7:8c: ++ ef:88:3f:d1:38:d3:37:42:88:25:c2:43:9b:df:7f:7c:15:c3: ++ 7b:72:d2:b6:49:45:ce:c8:ce:f1:2d:be:7b:86:1c:31:8d:c9: ++ de:51:d4:06:9f:1d:f2:86:ac:bf:5f:4d:da:31:26:70:ce:e1: ++ 0a:87:1f:a9:73:24:78:a2:4a:c2:73:ea:4c:6b:2c:a7:b6:1c: ++ d7:c3:5e:3a:8a:f9:02:54:62:73:a2:a6:3e:e5:d6:2d:6f:6e: ++ ba:57:11:20:d1:41:2e:c7:6b:d8:7d:70:5e:1d:17:03:5e:a7: ++ 16:c9:4b:fb ++-----BEGIN CERTIFICATE----- ++MIIC7DCCAdSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v ++dCBDQTAeFw0yMzA3MTIwOTMzMTNaFw0yNDA3MTEwOTMzMTNaMBExDzANBgNVBAMM ++BlNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANviowh0AthJ ++l3v9EEnk9NFlLbd3hKQjFm44ZeJJ1g3IM2qD6Nlnkc8m7VlxkVnsBgg0ICeT/K/W ++s90CjPnSxkpOMdpxBkuFpJ2zQ+U3n9OuTBTRZRtqUVabkPosH5WUN2Q5JZI7dQ2j ++bedffAEwJYv21Oo0LDM3Hyjc/ovyCMQ7I5TeUgHcNTQWAZk3QWSTtmttnGiWfvwd ++yB/AHFYLZJp87BT3Oh+N1wRCvhDqQAoMrUzsRhurxTrsFRLtJFGiPZRvoo2FMYK4 ++fl/Qzi6bKS+ieDhu+piqaukAzSpX8XSeC6zyomAAfbUB4cC8b2K4/8CmFuyUoWX4 ++x7ncnf/YD+UCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUPkhOyST63ifq ++pJiBKgYSmvb6F04wHwYDVR0jBBgwFoAUYy/O1fZqk3VmDAjTQW+h2suzsD4wDQYJ ++KoZIhvcNAQELBQADggEBACL+3pdu6F1lkfBwr5eFU16OyIib5bMz1CG5Owm3cnAW ++jKgOgA8bA8uVlK5A4jtUBuwe9bxYiiJXz/4UsBWMGF2d/g5wVSbFzJLzvwMZ5r1B ++tcPPFdPpEN9lKmjAo9+TpLFmIJQd3wqcBed0oRo528JbeIwM9l4wgMw5BIqM24HB ++W7Q+wrquBuwZkbSlRgXnjO+IP9E40zdCiCXCQ5vff3wVw3ty0rZJRc7IzvEtvnuG ++HDGNyd5R1AafHfKGrL9fTdoxJnDO4QqHH6lzJHiiSsJz6kxrLKe2HNfDXjqK+QJU ++YnOipj7l1i1vbrpXESDRQS7Ha9h9cF4dFwNepxbJS/s= ++-----END CERTIFICATE----- +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -4649,3 +4649,4 @@ fips_sli_RAND_bytes_is_approved + fips_sli_RAND_priv_bytes_is_approved 6610 1_1_1l EXIST::FUNCTION: + FIPS_entropy_init 6611 1_1_1l EXIST::FUNCTION: + FIPS_entropy_cleanup 6612 1_1_1l EXIST::FUNCTION: ++OCSP_RESPONSE_check_status 6613 1_1_1l EXIST::FUNCTION:OCSP