From 8f01c56ec82b6f9f85537279f9b0b372963b1c959018969dbffb7a89be953de6 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Thu, 14 Sep 2023 19:44:42 +0000 Subject: [PATCH] Accepting request 1111331 from home:ohollmann:branches:security:tls - Update to 1.1.1w: * Fix POLY1305 MAC implementation corrupting XMM registers on Windows. The POLY1305 MAC (message authentication code) implementation in OpenSSL does not save the contents of non-volatile XMM registers on Windows 64 platform when calculating the MAC of data larger than 64 bytes. Before returning to the caller all the XMM registers are set to zero rather than restoring their previous content. The vulnerable code is used only on newer x86_64 processors supporting the AVX512-IFMA instructions. The consequences of this kind of internal application state corruption can be various - from no consequences, if the calling application does not depend on the contents of non-volatile XMM registers at all, to the worst consequences, where the attacker could get complete control of the application process. However given the contents of the registers are just zeroized so the attacker cannot put arbitrary values inside, the most likely consequence, if any, would be an incorrect result of some application dependent calculations or a crash leading to a denial of service. (CVE-2023-4807) - Add missing FIPS patches from SLE: * Add patches: - bsc1185319-FIPS-KAT-for-ECDSA.patch - bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch - openssl-1.1.1-fips-fix-memory-leaks.patch - openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch - openssl-1_1-FIPS_drbg-rewire.patch - openssl-1_1-Zeroization.patch - openssl-1_1-fips-drbg-selftest.patch - openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch - openssl-1_1-jitterentropy-3.4.0.patch - openssl-1_1-ossl-sli-000-fix-build-error.patch OBS-URL: https://build.opensuse.org/request/show/1111331 OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-1_1?expand=0&rev=144 --- bsc1185319-FIPS-KAT-for-ECDSA.patch | 399 ++ bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch | 13 + openssl-1.1.1-fips-fix-memory-leaks.patch | 80 + openssl-1.1.1-fips.patch | 41 +- openssl-1.1.1v.tar.gz | 3 - openssl-1.1.1v.tar.gz.asc | 16 - openssl-1.1.1w.tar.gz | 3 + openssl-1.1.1w.tar.gz.asc | 16 + ...ssl-1_1-FIPS-PBKDF2-KAT-requirements.patch | 45 + openssl-1_1-FIPS-fix-error-reason-codes.patch | 2 +- openssl-1_1-FIPS_drbg-rewire.patch | 182 + openssl-1_1-Zeroization.patch | 25 + openssl-1_1-fips-drbg-selftest.patch | 588 +++ ...pproved-digest-and-pubkey-algorithms.patch | 104 + openssl-1_1-jitterentropy-3.4.0.patch | 203 + ...ssl-1_1-ossl-sli-000-fix-build-error.patch | 10 + ...01-fix-faults-preventing-make-update.patch | 111 + ...ssl-1_1-ossl-sli-002-ran-make-update.patch | 946 +++++ openssl-1_1-ossl-sli-003-add-sli.patch | 3333 +++++++++++++++++ ...l-1_1-ossl-sli-004-allow-aes-xts-256.patch | 39 + ...1_1-ossl-sli-005-EC_group_order_bits.patch | 24 + ...l-1_1-ossl-sli-006-rsa_pkcs1_padding.patch | 52 + openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch | 14 + ...l-sli-008-pbkdf2-salt_pass_iteration.patch | 136 + ...sl-1_1-serialize-jitterentropy-calls.patch | 80 + openssl-1_1-shortcut-test_afalg_aes_cbc.patch | 14 + openssl-1_1.changes | 68 + openssl-1_1.spec | 142 +- openssl-DH.patch | 3294 ++++++++++++++++ openssl-FIPS-KAT-before-integrity-tests.patch | 26 + openssl-add_rfc3526_rfc7919.patch | 726 ---- ...l-fips-DH_selftest_shared_secret_KAT.patch | 82 + ...-fips-dont_run_FIPS_module_installed.patch | 14 - openssl-fips-kdf-hkdf-selftest.patch | 103 + openssl-fips_fix_selftests_return_value.patch | 27 - openssl-kdf-selftest.patch | 131 + openssl-kdf-ssh-selftest.patch | 122 + openssl-kdf-tls-selftest.patch | 99 + openssl-no-date.patch | 13 + openssl-s_client-check-ocsp-status.patch | 492 +++ 40 files changed, 10972 insertions(+), 846 deletions(-) create mode 100644 bsc1185319-FIPS-KAT-for-ECDSA.patch create mode 100644 bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch create mode 100644 openssl-1.1.1-fips-fix-memory-leaks.patch delete mode 100644 openssl-1.1.1v.tar.gz delete mode 100644 openssl-1.1.1v.tar.gz.asc create mode 100644 openssl-1.1.1w.tar.gz create mode 100644 openssl-1.1.1w.tar.gz.asc create mode 100644 openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch create mode 100644 openssl-1_1-FIPS_drbg-rewire.patch create mode 100644 openssl-1_1-Zeroization.patch create mode 100644 openssl-1_1-fips-drbg-selftest.patch create mode 100644 openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch create mode 100644 openssl-1_1-jitterentropy-3.4.0.patch create mode 100644 openssl-1_1-ossl-sli-000-fix-build-error.patch create mode 100644 openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch create mode 100644 openssl-1_1-ossl-sli-002-ran-make-update.patch create mode 100644 openssl-1_1-ossl-sli-003-add-sli.patch create mode 100644 openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch create mode 100644 openssl-1_1-ossl-sli-005-EC_group_order_bits.patch create mode 100644 openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch create mode 100644 openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch create mode 100644 openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch create mode 100644 openssl-1_1-serialize-jitterentropy-calls.patch create mode 100644 openssl-1_1-shortcut-test_afalg_aes_cbc.patch create mode 100644 openssl-DH.patch create mode 100644 openssl-FIPS-KAT-before-integrity-tests.patch delete mode 100644 openssl-add_rfc3526_rfc7919.patch create mode 100644 openssl-fips-DH_selftest_shared_secret_KAT.patch delete mode 100644 openssl-fips-dont_run_FIPS_module_installed.patch create mode 100644 openssl-fips-kdf-hkdf-selftest.patch delete mode 100644 openssl-fips_fix_selftests_return_value.patch create mode 100644 openssl-kdf-selftest.patch create mode 100644 openssl-kdf-ssh-selftest.patch create mode 100644 openssl-kdf-tls-selftest.patch create mode 100644 openssl-no-date.patch create mode 100644 openssl-s_client-check-ocsp-status.patch diff --git a/bsc1185319-FIPS-KAT-for-ECDSA.patch b/bsc1185319-FIPS-KAT-for-ECDSA.patch new file mode 100644 index 0000000..d96832a --- /dev/null +++ b/bsc1185319-FIPS-KAT-for-ECDSA.patch @@ -0,0 +1,399 @@ +diff --git a/crypto/fips/fips_ecdsa_selftest.c b/crypto/fips/fips_ecdsa_selftest.c +index 9895aa8..77a1c77 100644 +--- a/crypto/fips/fips_ecdsa_selftest.c ++++ b/crypto/fips/fips_ecdsa_selftest.c +@@ -65,102 +65,319 @@ + #include + + #ifdef OPENSSL_FIPS ++#include ++#include "internal/nelem.h" ++#include "fips_locl.h" + +-static const char P_256_name[] = "ECDSA P-256"; ++/* functions to change the RAND_METHOD */ ++static int fbytes(unsigned char *buf, int num); + +-static const unsigned char P_256_d[] = { +- 0x51, 0xbd, 0x06, 0xa1, 0x1c, 0xda, 0xe2, 0x12, 0x99, 0xc9, 0x52, 0x3f, +- 0xea, 0xa4, 0xd2, 0xd1, 0xf4, 0x7f, 0xd4, 0x3e, 0xbd, 0xf8, 0xfc, 0x87, +- 0xdc, 0x82, 0x53, 0x21, 0xee, 0xa0, 0xdc, 0x64 +-}; ++static RAND_METHOD fake_rand; ++static const RAND_METHOD *old_rand; ++static int use_fake = 0; ++static const unsigned char *numbers[2]; ++static int numbers_len[2]; + +-static const unsigned char P_256_qx[] = { +- 0x23, 0x89, 0xe0, 0xf4, 0x69, 0xe0, 0x49, 0xe5, 0xc7, 0xe5, 0x40, 0x6e, +- 0x8f, 0x25, 0xdd, 0xad, 0x11, 0x16, 0x14, 0x9b, 0xab, 0x44, 0x06, 0x31, +- 0xbf, 0x5e, 0xa6, 0x44, 0xac, 0x86, 0x00, 0x07 +-}; ++static int change_rand(void) ++{ ++ /* save old rand method */ ++ old_rand = RAND_get_rand_method(); ++ if (!old_rand) ++ return 0; ++ ++ fake_rand = *old_rand; ++ /* use own random function */ ++ fake_rand.bytes = fbytes; ++ /* set new RAND_METHOD */ ++ if (!RAND_set_rand_method(&fake_rand)) ++ return 0; ++ ++ return 1; ++} + +-static const unsigned char P_256_qy[] = { +- 0xb3, 0x05, 0x0d, 0xd0, 0xdc, 0xf7, 0x40, 0xe6, 0xf9, 0xd8, 0x6d, 0x7b, +- 0x63, 0xca, 0x97, 0xe6, 0x12, 0xf9, 0xd4, 0x18, 0x59, 0xbe, 0xb2, 0x5e, +- 0x4a, 0x6a, 0x77, 0x23, 0xf4, 0x11, 0x9d, 0xeb +-}; ++static int restore_rand(void) ++{ ++ if (!RAND_set_rand_method(old_rand)) ++ return 0; ++ ++ return 1; ++} ++ ++static int fbytes(unsigned char *buf, int num) ++{ ++ int ret = 0; ++ static int fbytes_counter = 0; ++ ++ if (use_fake == 0) ++ return old_rand->bytes(buf, num); ++ ++ use_fake = 0; ++ ++ if (fbytes_counter >= OSSL_NELEM(numbers)) ++ goto err; ++ ++ if (numbers_len[fbytes_counter] > num) ++ goto err; ++ ++ /* first zero out the buffer */ ++ memset(buf, 0, num); ++ ++ /* Now set the "random" values */ ++ memcpy(buf + (num - numbers_len[fbytes_counter]), numbers[fbytes_counter], numbers_len[fbytes_counter]); ++ ++ fbytes_counter = (fbytes_counter + 1) % OSSL_NELEM(numbers); ++ ret = 1; ++err: ++ return ret; ++} ++ ++ ++ ++/*- ++ * NIST CAVP ECDSA KATs ++ * 2 X9.62 KATs; one for prime fields and one for binary fields. ++ * ++ * Taken from: ++ * https://csrc.nist.gov/CSRC/media/Projects/Cryptographic-Algorithm-Validation-Program/documents/dss/186-3ecdsatestvectors.zip ++ */ + + typedef struct { +- int curve; +- const char *name; +- const unsigned char *x; +- size_t xlen; +- const unsigned char *y; +- size_t ylen; +- const unsigned char *d; +- size_t dlen; +-} EC_SELFTEST_DATA; +- +-# define make_ecdsa_test(nid, pr) { nid, pr##_name, \ +- pr##_qx, sizeof(pr##_qx), \ +- pr##_qy, sizeof(pr##_qy), \ +- pr##_d, sizeof(pr##_d)} +- +-static EC_SELFTEST_DATA test_ec_data[] = { +- make_ecdsa_test(NID_X9_62_prime256v1, P_256), +-}; ++ const int nid; /* curve NID */ ++ const int md_nid; /* hash function NID */ ++ const unsigned char *msg; /* message to sign */ ++ size_t msglen; ++ const unsigned char *d; /* ECDSA private key */ ++ size_t dlen; ++ const unsigned char *Q; /* ECDSA public key: (Qx,Qy) */ ++ size_t Qlen; ++ const unsigned char *k; /* ECDSA nonce */ ++ size_t klen; ++ const unsigned char *r; /* ECDSA signature (r,s) */ ++ size_t rlen; ++ const unsigned char *s; ++ size_t slen; ++} ECDSA_KAT_SELFTEST_DATA; + +-int FIPS_selftest_ecdsa() +-{ +- EC_KEY *ec = NULL; +- BIGNUM *x = NULL, *y = NULL, *d = NULL; +- EVP_PKEY *pk = NULL; +- int rv = 0; +- size_t i; + +- for (i = 0; i < sizeof(test_ec_data) / sizeof(EC_SELFTEST_DATA); i++) { +- EC_SELFTEST_DATA *ecd = test_ec_data + i; ++static const unsigned char data1_msg[] = { ++ 0x59, 0x05, 0x23, 0x88, 0x77, 0xc7, 0x74, 0x21, ++ 0xf7, 0x3e, 0x43, 0xee, 0x3d, 0xa6, 0xf2, 0xd9, ++ 0xe2, 0xcc, 0xad, 0x5f, 0xc9, 0x42, 0xdc, 0xec, ++ 0x0c, 0xbd, 0x25, 0x48, 0x29, 0x35, 0xfa, 0xaf, ++ 0x41, 0x69, 0x83, 0xfe, 0x16, 0x5b, 0x1a, 0x04, ++ 0x5e, 0xe2, 0xbc, 0xd2, 0xe6, 0xdc, 0xa3, 0xbd, ++ 0xf4, 0x6c, 0x43, 0x10, 0xa7, 0x46, 0x1f, 0x9a, ++ 0x37, 0x96, 0x0c, 0xa6, 0x72, 0xd3, 0xfe, 0xb5, ++ 0x47, 0x3e, 0x25, 0x36, 0x05, 0xfb, 0x1d, 0xdf, ++ 0xd2, 0x80, 0x65, 0xb5, 0x3c, 0xb5, 0x85, 0x8a, ++ 0x8a, 0xd2, 0x81, 0x75, 0xbf, 0x9b, 0xd3, 0x86, ++ 0xa5, 0xe4, 0x71, 0xea, 0x7a, 0x65, 0xc1, 0x7c, ++ 0xc9, 0x34, 0xa9, 0xd7, 0x91, 0xe9, 0x14, 0x91, ++ 0xeb, 0x37, 0x54, 0xd0, 0x37, 0x99, 0x79, 0x0f, ++ 0xe2, 0xd3, 0x08, 0xd1, 0x61, 0x46, 0xd5, 0xc9, ++ 0xb0, 0xd0, 0xde, 0xbd, 0x97, 0xd7, 0x9c, 0xe8 ++}; + +- x = BN_bin2bn(ecd->x, ecd->xlen, x); +- y = BN_bin2bn(ecd->y, ecd->ylen, y); +- d = BN_bin2bn(ecd->d, ecd->dlen, d); ++static const unsigned char data1_d[] = { ++ 0x51, 0x9b, 0x42, 0x3d, 0x71, 0x5f, 0x8b, 0x58, ++ 0x1f, 0x4f, 0xa8, 0xee, 0x59, 0xf4, 0x77, 0x1a, ++ 0x5b, 0x44, 0xc8, 0x13, 0x0b, 0x4e, 0x3e, 0xac, ++ 0xca, 0x54, 0xa5, 0x6d, 0xda, 0x72, 0xb4, 0x64 ++}; + +- if (!x || !y || !d) +- goto err; ++static const unsigned char data1_Q[] = { ++ 0x04, 0x0c, 0xec, 0x02, 0x8e, 0xe0, 0x8d, 0x09, ++ 0xe0, 0x26, 0x72, 0xa6, 0x83, 0x10, 0x81, 0x43, ++ 0x54, 0xf9, 0xea, 0xbf, 0xff, 0x0d, 0xe6, 0xda, ++ 0xcc, 0x1c, 0xd3, 0xa7, 0x74, 0x49, 0x60, 0x76, ++ 0xae, 0xef, 0xf4, 0x71, 0xfb, 0xa0, 0x40, 0x98, ++ 0x97, 0xb6, 0xa4, 0x8e, 0x88, 0x01, 0xad, 0x12, ++ 0xf9, 0x5d, 0x00, 0x09, 0xb7, 0x53, 0xcf, 0x8f, ++ 0x51, 0xc1, 0x28, 0xbf, 0x6b, 0x0b, 0xd2, 0x7f, ++ 0xbd ++}; + +- ec = EC_KEY_new_by_curve_name(ecd->curve); +- if (!ec) +- goto err; ++static const unsigned char data1_k[] = { ++ 0x94, 0xa1, 0xbb, 0xb1, 0x4b, 0x90, 0x6a, 0x61, ++ 0xa2, 0x80, 0xf2, 0x45, 0xf9, 0xe9, 0x3c, 0x7f, ++ 0x3b, 0x4a, 0x62, 0x47, 0x82, 0x4f, 0x5d, 0x33, ++ 0xb9, 0x67, 0x07, 0x87, 0x64, 0x2a, 0x68, 0xde ++}; + +- if (!EC_KEY_set_public_key_affine_coordinates(ec, x, y)) +- goto err; ++static const unsigned char data1_r[] = { ++ 0xe3, 0x95, 0xf6, 0xdb, 0x12, 0x71, 0x90, 0xfa, ++ 0x70, 0xa6, 0x80, 0xeb, 0xf6, 0x8a, 0x18, 0x35, ++ 0x6f, 0xef, 0xf2, 0x36, 0x65, 0xb9, 0x31, 0xc3, ++ 0xa2, 0x14, 0x80, 0xdf, 0x86, 0xc4, 0xec, 0xbc ++}; + +- if (!EC_KEY_set_private_key(ec, d)) +- goto err; ++static const unsigned char data1_s[] = { ++ 0xa5, 0x01, 0x04, 0x78, 0x93, 0xd9, 0x60, 0xcc, ++ 0x20, 0xce, 0xbd, 0xbb, 0x6f, 0x79, 0xb9, 0x7e, ++ 0x45, 0x23, 0x80, 0x73, 0x87, 0x83, 0x53, 0x63, ++ 0xe3, 0x80, 0x2b, 0x68, 0xcf, 0x32, 0xa1, 0xa2 ++}; + +- if ((pk = EVP_PKEY_new()) == NULL) +- goto err; + +- EVP_PKEY_assign_EC_KEY(pk, ec); ++# define make_ecdsa_kat_test(nid, md_nid, pr) { \ ++nid, md_nid, \ ++pr##_msg, sizeof(pr##_msg), \ ++pr##_d, sizeof(pr##_d), \ ++pr##_Q, sizeof(pr##_Q), \ ++pr##_k, sizeof(pr##_k), \ ++pr##_r, sizeof(pr##_r), \ ++pr##_s, sizeof(pr##_s) \ ++} + +- if (!fips_pkey_signature_test(pk, NULL, 0, +- NULL, 0, EVP_sha256(), 0, ecd->name)) +- goto err; +- } ++static ECDSA_KAT_SELFTEST_DATA test_ecdsa_data[] = { ++ make_ecdsa_kat_test(NID_secp256k1, NID_sha256, data1) ++}; + +- rv = 1; ++int FIPS_selftest_ecdsa() ++{ ++ int rv; ++ size_t i, siglen, p_len; ++ ++ for (i = 0; i < sizeof(test_ecdsa_data) / sizeof(ECDSA_KAT_SELFTEST_DATA); i++) { ++ EC_KEY *ec = NULL; ++ BIGNUM *r = NULL, *s = NULL; ++ BIGNUM *sig_r = NULL, *sig_s = NULL; ++ EVP_PKEY *pk = NULL; ++ unsigned char *sig = NULL; ++ unsigned char *tsig = NULL; ++ unsigned char *p_buf = NULL; ++ ECDSA_SIG *dsa_sig = NULL; ++ rv = 0; ++ ++ ECDSA_KAT_SELFTEST_DATA *ecd = test_ecdsa_data + i; ++ ++ /* Create the Message Digest Context */ ++ EVP_MD_CTX *mdctx = EVP_MD_CTX_new(); ++ if (!mdctx) goto err; ++ ++ r = BN_bin2bn(ecd->r, ecd->rlen, r); ++ s = BN_bin2bn(ecd->s, ecd->slen, s); ++ ++ if (!r || !s) ++ goto err; ++ ++ /* d[] will be used to generate a key. */ ++ /* k[] will be used for signature generation. */ ++ numbers[0] = ecd->d; ++ numbers_len[0] = ecd->dlen; ++ numbers[1] = ecd->k; ++ numbers_len[1] = ecd->klen; ++ /* swap the RNG source */ ++ if (!change_rand()) ++ goto err; ++ ++ ec = EC_KEY_new_by_curve_name(ecd->nid); ++ if (!ec) ++ goto err; ++ ++ /* Use d[] to generate key. */ ++ use_fake = 1; ++ if (EC_KEY_generate_key(ec) != 1) ++ goto err; ++ ++ if ((pk = EVP_PKEY_new()) == NULL) ++ goto err; ++ ++ EVP_PKEY_assign_EC_KEY(pk, ec); ++ ++ p_len = EC_KEY_key2buf(ec, POINT_CONVERSION_UNCOMPRESSED, &p_buf, NULL); ++ if (!p_len) ++ goto err; ++ ++ /* Make sure generated public key matches */ ++ if (p_len != ecd->Qlen) ++ goto err; ++ if (memcmp(p_buf, ecd->Q, p_len)) ++ goto err; ++ ++ /* Initialise the DigestSign operation */ ++ if(1 != EVP_DigestSignInit(mdctx, NULL, EVP_get_digestbynid(ecd->md_nid), NULL, pk)) ++ goto err; ++ ++ /* Call update with the message */ ++ if(1 != EVP_DigestSignUpdate(mdctx, ecd->msg, ecd->msglen)) ++ goto err; ++ ++ /* Finalise the DigestSign operation */ ++ /* First call EVP_DigestSignFinal with a NULL sig parameter to */ ++ /* obtain the length of the signature. Length is returned in slen */ ++ if(1 != EVP_DigestSignFinal(mdctx, NULL, &siglen)) ++ goto err; ++ ++ /* Allocate memory for the signature based on size in slen */ ++ if(!(sig = OPENSSL_malloc(siglen))) ++ goto err; ++ ++ /* Use k[] for signature. */ ++ use_fake = 1; ++ ++ /* Obtain the signature */ ++ if(1 != EVP_DigestSignFinal(mdctx, sig, &siglen)) ++ goto err; + +- err: ++ /* extract r and s */ ++ tsig = sig; ++ dsa_sig = d2i_ECDSA_SIG(NULL, &tsig, siglen); ++ if (dsa_sig == NULL) ++ goto err; ++ ++ sig_r = ECDSA_SIG_get0_r(dsa_sig); ++ sig_s = ECDSA_SIG_get0_s(dsa_sig); ++ if ((sig_r == NULL) || (sig_s == NULL)) ++ goto err; + +- if (x) +- BN_clear_free(x); +- if (y) +- BN_clear_free(y); +- if (d) +- BN_clear_free(d); ++ /* Compare r and s against known. */ ++ if ((BN_cmp(sig_r, r) != 0) || (BN_cmp(sig_s, s) != 0)) ++ goto err; ++ ++ /* Verify signature */ ++ if(1 != EVP_DigestVerifyInit(mdctx, NULL, EVP_get_digestbynid(ecd->md_nid), NULL, pk)) ++ goto err; ++ ++ if (EVP_DigestVerify(mdctx, sig, siglen, ecd->msg, ecd->msglen) != 1) ++ goto err; ++ ++ if (1 != restore_rand()) ++ goto err; ++ ++ /* Success */ ++ rv = 1; ++ ++ ++ err: ++ ++ if (mdctx) ++ EVP_MD_CTX_free(mdctx); ++ if (r) ++ BN_clear_free(r); ++ if (s) ++ BN_clear_free(s); ++ if (sig) ++ OPENSSL_free(sig); ++ if (dsa_sig) ++ ECDSA_SIG_free(dsa_sig); ++ if (p_buf) ++ OPENSSL_free(p_buf); + if (pk) +- EVP_PKEY_free(pk); ++ EVP_PKEY_free(pk); + else if (ec) +- EC_KEY_free(ec); +- +- return rv; ++ EC_KEY_free(ec); ++ ++ if (rv != 1) { ++ FIPSerr(FIPS_F_FIPS_SELFTEST_ECDSA, FIPS_R_SELFTEST_FAILED); ++ break; ++ } ++ ++ } + ++ return rv; ++ + } + ++ + #endif + diff --git a/bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch b/bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch new file mode 100644 index 0000000..16b9623 --- /dev/null +++ b/bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch @@ -0,0 +1,13 @@ +diff --git a/crypto/fips/fips_post.c b/crypto/fips/fips_post.c +index 80de6f6..46003d1 100644 +--- a/crypto/fips/fips_post.c ++++ b/crypto/fips/fips_post.c +@@ -72,7 +72,7 @@ + int FIPS_selftest(void) + { + int rv = 1; +- if (!FIPS_selftest_drbg()) ++ if (!FIPS_selftest_drbg_all()) + rv = 0; + if (!FIPS_selftest_sha1()) + rv = 0; diff --git a/openssl-1.1.1-fips-fix-memory-leaks.patch b/openssl-1.1.1-fips-fix-memory-leaks.patch new file mode 100644 index 0000000..4f6bc33 --- /dev/null +++ b/openssl-1.1.1-fips-fix-memory-leaks.patch @@ -0,0 +1,80 @@ +--- + crypto/fips/fips.c | 8 ++++++++ + crypto/fips/fips_drbg_rand.c | 6 ++++++ + crypto/init.c | 4 ++++ + include/crypto/fips_int.h | 1 + + include/openssl/fips_rand.h | 1 + + 5 files changed, 20 insertions(+) + +--- a/crypto/fips/fips.c ++++ b/crypto/fips/fips.c +@@ -93,6 +93,14 @@ DEFINE_RUN_ONCE_STATIC(do_fips_lock_init + return fips_lock != NULL && fips_owning_lock != NULL; + } + ++void FIPS_owning_thread_lock_cleanup(void) ++{ ++ CRYPTO_THREAD_lock_free(fips_lock); ++ fips_lock = NULL; ++ CRYPTO_THREAD_lock_free(fips_owning_lock); ++ fips_owning_lock = NULL; ++} ++ + # define fips_w_lock() CRYPTO_THREAD_write_lock(fips_lock) + # define fips_w_unlock() CRYPTO_THREAD_unlock(fips_lock) + # define fips_r_lock() CRYPTO_THREAD_read_lock(fips_lock) +--- a/crypto/fips/fips_drbg_rand.c ++++ b/crypto/fips/fips_drbg_rand.c +@@ -84,6 +84,12 @@ DRBG_CTX *FIPS_get_default_drbg(void) + return &ossl_dctx; + } + ++void FIPS_drbg_lock_cleanup(void) ++{ ++ CRYPTO_THREAD_lock_free(fips_rand_lock); ++ fips_rand_lock = NULL; ++} ++ + static int fips_drbg_bytes(unsigned char *out, int count) + { + DRBG_CTX *dctx = &ossl_dctx; +--- a/crypto/init.c ++++ b/crypto/init.c +@@ -28,6 +28,8 @@ + #include "internal/dso.h" + #include "crypto/store.h" + #include "openssl/fips.h" ++#include "openssl/fips_rand.h" ++#include "crypto/fips_int.h" + + static int stopped = 0; + +@@ -591,6 +593,8 @@ void OPENSSL_cleanup(void) + conf_modules_free_int(); + #ifdef OPENSSL_FIPS + FIPS_entropy_cleanup(); ++ FIPS_drbg_lock_cleanup(); ++ FIPS_owning_thread_lock_cleanup(); + #endif + #ifndef OPENSSL_NO_ENGINE + engine_cleanup_int(); +--- a/include/crypto/fips_int.h ++++ b/include/crypto/fips_int.h +@@ -56,6 +56,7 @@ + + #ifdef OPENSSL_FIPS + ++void FIPS_owning_thread_lock_cleanup(void); + int FIPS_module_mode_set(int onoff); + int FIPS_module_mode(void); + int FIPS_module_installed(void); +--- a/include/openssl/fips_rand.h ++++ b/include/openssl/fips_rand.h +@@ -125,6 +125,7 @@ extern "C" { + + DRBG_CTX *FIPS_get_default_drbg(void); + const RAND_METHOD *FIPS_drbg_method(void); ++ void FIPS_drbg_lock_cleanup(void); + + int FIPS_rand_set_method(const RAND_METHOD *meth); + const RAND_METHOD *FIPS_rand_get_method(void); diff --git a/openssl-1.1.1-fips.patch b/openssl-1.1.1-fips.patch index 6dbc095..7c4631f 100644 --- a/openssl-1.1.1-fips.patch +++ b/openssl-1.1.1-fips.patch @@ -288,7 +288,7 @@ Index: openssl-1.1.1n/crypto/dh/dh_key.c +#ifdef OPENSSL_FIPS + if (FIPS_mode() && !(dh->meth->flags & DH_FLAG_FIPS_METHOD) + && !(dh->flags & DH_FLAG_NON_FIPS_ALLOW)) { -+ DHerr(DH_F_DH_GENERATE_KEY, DH_R_NON_FIPS_METHOD); ++ DHerr(DH_F_DH_COMPUTE_KEY, DH_R_NON_FIPS_METHOD); + return 0; + } +#endif @@ -2341,7 +2341,7 @@ Index: openssl-1.1.1n/crypto/fips/fips.c + rv = 0; + + /* Installed == true */ -+ return !rv; ++ return !rv || FIPS_module_mode(); +} + +int FIPS_module_mode_set(int onoff) @@ -7491,7 +7491,7 @@ Index: openssl-1.1.1n/crypto/fips/fips_dsa_selftest.c +{ + DSA *dsa = NULL; + EVP_PKEY *pk = NULL; -+ int ret = -1; ++ int ret = 0; + BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; + + fips_load_key_component(p, dsa_test_2048); @@ -7692,24 +7692,24 @@ Index: openssl-1.1.1n/crypto/fips/fips_ecdh_selftest.c + d = BN_bin2bn(ecd->d1, ecd->d1len, d); + + if (!x || !y || !d || !ztmp) { -+ rv = -1; ++ rv = 0; + goto err; + } + + ec1 = EC_KEY_new_by_curve_name(ecd->curve); + if (!ec1) { -+ rv = -1; ++ rv = 0; + goto err; + } + EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); + + if (!EC_KEY_set_public_key_affine_coordinates(ec1, x, y)) { -+ rv = -1; ++ rv = 0; + goto err; + } + + if (!EC_KEY_set_private_key(ec1, d)) { -+ rv = -1; ++ rv = 0; + goto err; + } + @@ -7717,30 +7717,30 @@ Index: openssl-1.1.1n/crypto/fips/fips_ecdh_selftest.c + y = BN_bin2bn(ecd->y2, ecd->y2len, y); + + if (!x || !y) { -+ rv = -1; ++ rv = 0; + goto err; + } + + ec2 = EC_KEY_new_by_curve_name(ecd->curve); + if (!ec2) { -+ rv = -1; ++ rv = 0; + goto err; + } + EC_KEY_set_flags(ec1, EC_FLAG_COFACTOR_ECDH); + + if (!EC_KEY_set_public_key_affine_coordinates(ec2, x, y)) { -+ rv = -1; ++ rv = 0; + goto err; + } + + ecp = EC_KEY_get0_public_key(ec2); + if (!ecp) { -+ rv = -1; ++ rv = 0; + goto err; + } + + if (!ECDH_compute_key(ztmp, ecd->zlen, ecp, ec1, 0)) { -+ rv = -1; ++ rv = 0; + goto err; + } + @@ -9933,7 +9933,7 @@ Index: openssl-1.1.1n/crypto/o_init.c =================================================================== --- openssl-1.1.1n.orig/crypto/o_init.c +++ openssl-1.1.1n/crypto/o_init.c -@@ -7,8 +7,68 @@ +@@ -7,8 +7,69 @@ * https://www.openssl.org/source/license.html */ @@ -9959,16 +9959,20 @@ Index: openssl-1.1.1n/crypto/o_init.c + char buf[2] = "0"; + int fd; + -+ /* Ensure the selftests always run */ -+ /* XXX: TO SOLVE - premature initialization due to selftests */ -+ FIPS_mode_set(1); -+ + if (secure_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { + buf[0] = '1'; + } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { + while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; + close(fd); + } ++ ++ if (buf[0] != '1' && !FIPS_module_installed()) ++ return; ++ ++ /* Ensure the selftests always run */ ++ /* XXX: TO SOLVE - premature initialization due to selftests */ ++ FIPS_mode_set(1); ++ + /* Failure reading the fips mode switch file means just not + * switching into FIPS mode. We would break too many things + * otherwise.. @@ -9993,9 +9997,6 @@ Index: openssl-1.1.1n/crypto/o_init.c + if (done) + return; + done = 1; -+ if (!FIPS_module_installed()) { -+ return; -+ } + init_fips_mode(); +} +#endif diff --git a/openssl-1.1.1v.tar.gz b/openssl-1.1.1v.tar.gz deleted file mode 100644 index f4d327a..0000000 --- a/openssl-1.1.1v.tar.gz +++ /dev/null @@ -1,3 +0,0 @@ -version https://git-lfs.github.com/spec/v1 -oid sha256:d6697e2871e77238460402e9362d47d18382b15ef9f246aba6c7bd780d38a6b0 -size 9893443 diff --git a/openssl-1.1.1v.tar.gz.asc b/openssl-1.1.1v.tar.gz.asc deleted file mode 100644 index b5d3f7a..0000000 --- a/openssl-1.1.1v.tar.gz.asc +++ /dev/null @@ -1,16 +0,0 @@ ------BEGIN PGP SIGNATURE----- - -iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmTJDewACgkQ2JTizos9 -efVPDBAAjgNq842XSAhmH3CBHHFtMuVlg5RV+tAV7PF7tDm/Bu0VPxZecvDhEHyk -y1bIzYki9kPQrnDc5Cz3UYHjnBp2n2GH+JDShedSJMH3qbsAlSB4j5b15UFjE8b4 -yDl4rlcug3SydqEdYJAGnOD3QBghsX7GiS6S9BgnU1D1XDZ1LYF6NumrjeypGm2r -vodcjel0tD+Xu2Du398sGmXLZLfK7eBT8dYtzWHAZubf+dNQmfRRDALo2Q5Xux6p -xIDlEQvTUkt5mF+Rx0CI1boIKeaFoZFOReUW0zkKYfwNkfq1WvGj3sGA+StQsgn1 -Dvfx6ONoS9UT+6KTegsLOIX2xOAHa8k4UgtW19eCovYzJNkBwNnq83lrvIEMoLY7 -brALTqBmlFq4prPgzpDHlTeC78uDcf/Ao95CeBw5yKVsKAN7W7vA2u6Gr2ZgUWsF -zVnrxJ9difkrvkFxm6uO2qu1qA/84Bow77M6/7FSHFZ+oDB3tjGXtq4Tf6iBkhpf -XIRu79S1LxCY7HxKVHHfpKuGSfefV/tgPeOac8CvucIq6r1Be20h0crRnDEGJt8G -Otznvt04iX+FkSVC7PjiAVZqubQQWjXUZxDngQgUOye/suExGwEoaTMmhj95eiVu -ufee+jDrVGOjhLLoEClP/+zpl2Wplq3KzLVsvvJa8v5KTVot9r4= -=mu7b ------END PGP SIGNATURE----- diff --git a/openssl-1.1.1w.tar.gz b/openssl-1.1.1w.tar.gz new file mode 100644 index 0000000..04883c9 --- /dev/null +++ b/openssl-1.1.1w.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:cf3098950cb4d853ad95c0841f1f9c6d3dc102dccfcacd521d93925208b76ac8 +size 9893384 diff --git a/openssl-1.1.1w.tar.gz.asc b/openssl-1.1.1w.tar.gz.asc new file mode 100644 index 0000000..0091ceb --- /dev/null +++ b/openssl-1.1.1w.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmT/H2QACgkQ2JTizos9 +efVL8A//XiYVgTnhAtnBs8W5+8fTJ2WUh+lcG7I+GF1wi1PRMaA9YddmXu70b9VF +x5EOcAVo7RsjlQ/VeWUtVuyTjd6eXCzoKRlbAwo9YovEsWcIo5sb6lSzuN17bIJi +NOrALx3+TF7SZfuOdd/czohfJfFUX/5mfEmcrkwY67UvIDFgO6E04+S2eFnU9HdC +KEF4kK10IObHRfvnAj+nSfUrnq5xtAAIpj2PBg9GFIEIxKBU72vvJYGdJ0HKFN8/ +352rNVIxGMXlwsAtWY2L09S0kt4iFST4fANM4CkxTnvloimmCtcWJvcst6tTgCMD +PKqXJ4hJpElzCVJJJBNQxz+T2dxc97Upvense/lkB6h8bwQgYaZNgk6B8UsSZyE8 +5v1p1HcOCJBNKc8zW86a3RvGCfxOfjrFz2CC7QPdT84Rv4S/xeCeUqM5b63Ws7pZ +3kA5jHUkP0yXsVOjxdMdqlJxqQ1wE2Q459fklLnsoHERrEQtsoaEW0DG6Kgima58 +YGwY8GxQ/QFLPxYRMjsfaLO54pdSlXa2EZ3nmL6WTY1ScdzN8K+huXz8Ok2lbi7O +oPZCVaDl8cpO9Kh8y5Hc8KAqCU72eTgx4kDGmEou9z//bl33fq0s5+PAjaz0XDvZ +gdOlsOngaAlvcVF50ZkVERBvfVb41O0uWD8MSk+vvBKQvuecrQ0= +=ZcG7 +-----END PGP SIGNATURE----- diff --git a/openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch b/openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch new file mode 100644 index 0000000..fb58237 --- /dev/null +++ b/openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch @@ -0,0 +1,45 @@ +Index: openssl-1.1.1l/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_kdf_selftest.c ++++ openssl-1.1.1l/crypto/fips/fips_kdf_selftest.c +@@ -63,18 +63,20 @@ int FIPS_selftest_pbkdf2(void) + { + int ret = 0; + EVP_KDF_CTX *kctx; +- unsigned char out[32]; ++ unsigned char out[40]; + + if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) { + goto err; + } +- if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) { ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, ++ "passwordPASSWORDpassword", (size_t)24) <= 0) { + goto err; + } +- if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, ++ "saltSALTsaltSALTsaltSALTsaltSALTsalt", (size_t)36) <= 0) { + goto err; + } +- if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) { ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 4096) <= 0) { + goto err; + } + if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { +@@ -86,10 +88,11 @@ int FIPS_selftest_pbkdf2(void) + + { + const unsigned char expected[sizeof(out)] = { +- 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3, +- 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0, +- 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf, +- 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43 ++ 0x34, 0x8c, 0x89, 0xdb, 0xcb, 0xd3, 0x2b, 0x2f, ++ 0x32, 0xd8, 0x14, 0xb8, 0x11, 0x6e, 0x84, 0xcf, ++ 0x2b, 0x17, 0x34, 0x7e, 0xbc, 0x18, 0x00, 0x18, ++ 0x1c, 0x4e, 0x2a, 0x1f, 0xb8, 0xdd, 0x53, 0xe1, ++ 0xc6, 0x35, 0x51, 0x8c, 0x7d, 0xac, 0x47, 0xe9 + }; + if (memcmp(out, expected, sizeof(expected))) { + goto err; diff --git a/openssl-1_1-FIPS-fix-error-reason-codes.patch b/openssl-1_1-FIPS-fix-error-reason-codes.patch index a7bb4e1..54f063f 100644 --- a/openssl-1_1-FIPS-fix-error-reason-codes.patch +++ b/openssl-1_1-FIPS-fix-error-reason-codes.patch @@ -32,7 +32,7 @@ Index: openssl-1.1.1l/crypto/err/openssl.ec L KDF include/openssl/kdf.h crypto/kdf/kdf_err.c L SM2 include/crypto/sm2.h crypto/sm2/sm2_err.c L OSSL_STORE include/openssl/store.h crypto/store/store_err.c -+L FIPS include/crypto/fips.h crypto/fips/fips_ers.c ++L FIPS include/crypto/fips_int.h crypto/fips/fips_ers.c # additional header files to be scanned for function names L NONE include/openssl/x509_vfy.h NONE diff --git a/openssl-1_1-FIPS_drbg-rewire.patch b/openssl-1_1-FIPS_drbg-rewire.patch new file mode 100644 index 0000000..48358b7 --- /dev/null +++ b/openssl-1_1-FIPS_drbg-rewire.patch @@ -0,0 +1,182 @@ +Index: openssl-1.1.1l/crypto/fips/fips_drbg_lib.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_drbg_lib.c ++++ openssl-1.1.1l/crypto/fips/fips_drbg_lib.c +@@ -337,6 +337,19 @@ static int drbg_reseed(DRBG_CTX *dctx, + int FIPS_drbg_reseed(DRBG_CTX *dctx, + const unsigned char *adin, size_t adinlen) + { ++ int len = (int)adinlen; ++ ++ if (len < 0 || (size_t)len != adinlen) { ++ FIPSerr(FIPS_F_DRBG_RESEED, FIPS_R_ADDITIONAL_INPUT_TOO_LONG); ++ return 0; ++ } ++ RAND_seed(adin, len); ++ return 1; ++} ++ ++int FIPS_drbg_reseed_internal(DRBG_CTX *dctx, ++ const unsigned char *adin, size_t adinlen) ++{ + return drbg_reseed(dctx, adin, adinlen, 1); + } + +@@ -358,6 +371,19 @@ int FIPS_drbg_generate(DRBG_CTX *dctx, u + int prediction_resistance, + const unsigned char *adin, size_t adinlen) + { ++ int len = (int)outlen; ++ ++ if (len < 0 || (size_t)len != outlen) { ++ FIPSerr(FIPS_F_FIPS_DRBG_GENERATE, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG); ++ return 0; ++ } ++ return RAND_bytes(out, len); ++} ++ ++int FIPS_drbg_generate_internal(DRBG_CTX *dctx, unsigned char *out, size_t outlen, ++ int prediction_resistance, ++ const unsigned char *adin, size_t adinlen) ++{ + int r = 0; + + if (FIPS_selftest_failed()) { +Index: openssl-1.1.1l/crypto/fips/fips_drbg_rand.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_drbg_rand.c ++++ openssl-1.1.1l/crypto/fips/fips_drbg_rand.c +@@ -57,6 +57,8 @@ + #include + #include + #include ++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal ++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal + #include + #include "fips_rand_lcl.h" + +Index: openssl-1.1.1l/crypto/fips/fips_drbg_selftest.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_drbg_selftest.c ++++ openssl-1.1.1l/crypto/fips/fips_drbg_selftest.c +@@ -55,6 +55,8 @@ + #include + #include + #include ++#define FIPS_DRBG_generate FIPS_DRBG_generate_internal ++#define FIPS_DRBG_reseed FIPS_DRBG_reseed_internal + #include + #include "fips_rand_lcl.h" + #include "fips_locl.h" +Index: openssl-1.1.1l/crypto/fips/fips_rand_lib.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_rand_lib.c ++++ openssl-1.1.1l/crypto/fips/fips_rand_lib.c +@@ -120,6 +120,7 @@ void FIPS_rand_reset(void) + + int FIPS_rand_seed(const void *buf, int num) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_SEED, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -127,10 +128,15 @@ int FIPS_rand_seed(const void *buf, int + if (fips_rand_meth && fips_rand_meth->seed) + fips_rand_meth->seed(buf, num); + return 1; ++#else ++ RAND_seed(buf, num); ++ return 1; ++#endif + } + + int FIPS_rand_bytes(unsigned char *buf, int num) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_BYTES, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -138,10 +144,14 @@ int FIPS_rand_bytes(unsigned char *buf, + if (fips_rand_meth && fips_rand_meth->bytes) + return fips_rand_meth->bytes(buf, num); + return 0; ++#else ++ return RAND_bytes(buf, num); ++#endif + } + + int FIPS_rand_status(void) + { ++#if 0 + if (!fips_approved_rand_meth && FIPS_module_mode()) { + FIPSerr(FIPS_F_FIPS_RAND_STATUS, FIPS_R_NON_FIPS_METHOD); + return 0; +@@ -149,6 +159,9 @@ int FIPS_rand_status(void) + if (fips_rand_meth && fips_rand_meth->status) + return fips_rand_meth->status(); + return 0; ++#else ++ return RAND_status(); ++#endif + } + + /* Return instantiated strength of PRNG. For DRBG this is an internal +Index: openssl-1.1.1l/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1l.orig/include/openssl/fips.h ++++ openssl-1.1.1l/include/openssl/fips.h +@@ -64,6 +64,11 @@ extern "C" { + + int FIPS_selftest(void); + int FIPS_selftest_failed(void); ++ ++ /* ++ * This function is deprecated as it performs selftest of the old FIPS drbg ++ * implementation that is not validated. ++ */ + int FIPS_selftest_drbg_all(void); + void NONFIPS_selftest_check(void); + +Index: openssl-1.1.1l/include/openssl/fips_rand.h +=================================================================== +--- openssl-1.1.1l.orig/include/openssl/fips_rand.h ++++ openssl-1.1.1l/include/openssl/fips_rand.h +@@ -60,6 +60,20 @@ + # ifdef __cplusplus + extern "C" { + # endif ++ ++/* ++ * IMPORTANT NOTE: ++ * All functions in this header file are deprecated and should not be used ++ * as they use the old FIPS_drbg implementation that is not FIPS validated ++ * anymore. ++ * To provide backwards compatibility for applications that need FIPS compliant ++ * RNG number generation and use FIPS_drbg_generate, this function was ++ * re-wired to call the FIPS validated DRBG instance instead through ++ * the RAND_bytes() call. ++ * ++ * All these functions will be removed in future. ++ */ ++ + typedef struct drbg_ctx_st DRBG_CTX; + /* DRBG external flags */ + /* Flag for CTR mode only: use derivation function ctr_df */ +Index: openssl-1.1.1l/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1l/crypto/fips/fips_post.c +@@ -72,8 +72,13 @@ + int FIPS_selftest(void) + { + int rv = 1; ++#if 0 ++ /* This selftest is deprecated as it uses the old FIPS_drbg ++ * implementation that is not FIPS validated. ++ */ + if (!FIPS_selftest_drbg_all()) + rv = 0; ++#endif + if (!FIPS_selftest_sha1()) + rv = 0; + if (!FIPS_selftest_sha2()) diff --git a/openssl-1_1-Zeroization.patch b/openssl-1_1-Zeroization.patch new file mode 100644 index 0000000..2f13470 --- /dev/null +++ b/openssl-1_1-Zeroization.patch @@ -0,0 +1,25 @@ +--- openssl-1.1.1l/crypto/fips/fips.c ++++ openssl-1.1.1l/crypto/fips/fips.c +@@ -350,6 +350,10 @@ static int FIPSCHECK_verify(const char * + if (strcmp(hex, hmac) != 0) { + rv = -1; + } ++ if (hmaclen != 0) { ++ OPENSSL_cleanse(buf, hmaclen); ++ OPENSSL_cleanse(hex, hmaclen * 2 + 1); ++ } + free(buf); + free(hex); + } else { +@@ -357,7 +360,11 @@ static int FIPSCHECK_verify(const char * + } + + end: ++ if (n != 0) ++ OPENSSL_cleanse(hmac, n); + free(hmac); ++ if (strlen(hmacpath) != 0) ++ OPENSSL_cleanse(hmacpath, strlen(hmacpath)); + free(hmacpath); + fclose(hf); + diff --git a/openssl-1_1-fips-drbg-selftest.patch b/openssl-1_1-fips-drbg-selftest.patch new file mode 100644 index 0000000..81f2a83 --- /dev/null +++ b/openssl-1_1-fips-drbg-selftest.patch @@ -0,0 +1,588 @@ +--- + crypto/fips/fips_post.c | 3 + crypto/rand/build.info | 2 + crypto/rand/drbg_selftest.c | 537 ++++++++++++++++++++++++++++++++++++++++++++ + include/crypto/rand.h | 5 + 4 files changed, 546 insertions(+), 1 deletion(-) + +--- a/crypto/fips/fips_post.c ++++ b/crypto/fips/fips_post.c +@@ -66,6 +66,7 @@ + + # include + # include "crypto/fips_int.h" ++# include "crypto/rand.h" + # include "fips_locl.h" + + /* Run all selftests */ +@@ -79,6 +80,8 @@ int FIPS_selftest(void) + if (!FIPS_selftest_drbg_all()) + rv = 0; + #endif ++ if (!FIPS_selftest_drbg_new()) ++ rv = 0; + if (!FIPS_selftest_sha1()) + rv = 0; + if (!FIPS_selftest_sha2()) +--- a/crypto/rand/build.info ++++ b/crypto/rand/build.info +@@ -1,6 +1,6 @@ + LIBS=../../libcrypto + SOURCE[../../libcrypto]=\ + randfile.c rand_lib.c rand_err.c rand_crng_test.c rand_egd.c \ +- rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c ++ rand_win.c rand_unix.c rand_vms.c drbg_lib.c drbg_ctr.c drbg_selftest.c + + INCLUDE[drbg_ctr.o]=../modes +--- /dev/null ++++ b/crypto/rand/drbg_selftest.c +@@ -0,0 +1,537 @@ ++/* ++ * Copyright 2017-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include "internal/nelem.h" ++#include ++#include ++#include ++#include ++#include "internal/thread_once.h" ++#include "crypto/rand.h" ++ ++typedef struct test_ctx_st { ++ const unsigned char *entropy; ++ size_t entropylen; ++ int entropycnt; ++ const unsigned char *nonce; ++ size_t noncelen; ++ int noncecnt; ++} TEST_CTX; ++ ++static int app_data_index = -1; ++static CRYPTO_ONCE get_index_once = CRYPTO_ONCE_STATIC_INIT; ++DEFINE_RUN_ONCE_STATIC(drbg_app_data_index_init) ++{ ++ app_data_index = RAND_DRBG_get_ex_new_index(0L, NULL, NULL, NULL, NULL); ++ ++ return 1; ++} ++ ++enum drbg_kat_type { ++ NO_RESEED, ++ PR_FALSE, ++ PR_TRUE ++}; ++ ++enum drbg_df { ++ USE_DF, ++ NO_DF, ++ NA ++}; ++ ++struct drbg_kat_no_reseed { ++ size_t count; ++ const unsigned char *entropyin; ++ const unsigned char *nonce; ++ const unsigned char *persstr; ++ const unsigned char *addin1; ++ const unsigned char *addin2; ++ const unsigned char *retbytes; ++}; ++ ++struct drbg_kat_pr_false { ++ size_t count; ++ const unsigned char *entropyin; ++ const unsigned char *nonce; ++ const unsigned char *persstr; ++ const unsigned char *entropyinreseed; ++ const unsigned char *addinreseed; ++ const unsigned char *addin1; ++ const unsigned char *addin2; ++ const unsigned char *retbytes; ++}; ++ ++struct drbg_kat_pr_true { ++ size_t count; ++ const unsigned char *entropyin; ++ const unsigned char *nonce; ++ const unsigned char *persstr; ++ const unsigned char *entropyinpr1; ++ const unsigned char *addin1; ++ const unsigned char *entropyinpr2; ++ const unsigned char *addin2; ++ const unsigned char *retbytes; ++}; ++ ++struct drbg_kat { ++ enum drbg_kat_type type; ++ enum drbg_df df; ++ int nid; ++ ++ size_t entropyinlen; ++ size_t noncelen; ++ size_t persstrlen; ++ size_t addinlen; ++ size_t retbyteslen; ++ ++ const void *t; ++}; ++ ++/* ++ * Excerpt from test/drbg_cavs_data.c ++ * DRBG test vectors from: ++ * https://csrc.nist.gov/projects/cryptographic-algorithm-validation-program/ ++ */ ++ ++static const unsigned char kat1308_entropyin[] = { ++ 0x7c, 0x5d, 0x90, 0x70, 0x3b, 0x8a, 0xc7, 0x0f, 0x23, 0x73, 0x24, 0x9c, ++ 0xa7, 0x15, 0x41, 0x71, 0x7a, 0x31, 0xea, 0x32, 0xfc, 0x28, 0x0d, 0xd7, ++ 0x5b, 0x09, 0x01, 0x98, 0x1b, 0xe2, 0xa5, 0x53, 0xd9, 0x05, 0x32, 0x97, ++ 0xec, 0xbe, 0x86, 0xfd, 0x1c, 0x1c, 0x71, 0x4c, 0x52, 0x29, 0x9e, 0x52, ++}; ++static const unsigned char kat1308_nonce[] = {0}; ++static const unsigned char kat1308_persstr[] = { ++ 0xdc, 0x07, 0x2f, 0x68, 0xfa, 0x77, 0x03, 0x23, 0x42, 0xb0, 0xf5, 0xa2, ++ 0xd9, 0xad, 0xa1, 0xd0, 0xad, 0xa2, 0x14, 0xb4, 0xd0, 0x8e, 0xfb, 0x39, ++ 0xdd, 0xc2, 0xac, 0xfb, 0x98, 0xdf, 0x7f, 0xce, 0x4c, 0x75, 0x56, 0x45, ++ 0xcd, 0x86, 0x93, 0x74, 0x90, 0x6e, 0xf6, 0x9e, 0x85, 0x7e, 0xfb, 0xc3, ++}; ++static const unsigned char kat1308_addin0[] = { ++ 0x52, 0x25, 0xc4, 0x2f, 0x03, 0xce, 0x29, 0x71, 0xc5, 0x0b, 0xc3, 0x4e, ++ 0xad, 0x8d, 0x6f, 0x17, 0x82, 0xe1, 0xf3, 0xfd, 0xfd, 0x9b, 0x94, 0x9a, ++ 0x1d, 0xac, 0xd0, 0xd4, 0x3f, 0x2b, 0xe3, 0xab, 0x7c, 0x3d, 0x3e, 0x5a, ++ 0x68, 0xbb, 0xa4, 0x74, 0x68, 0x1a, 0xc6, 0x27, 0xff, 0xe0, 0xc0, 0x6c, ++}; ++static const unsigned char kat1308_addin1[] = { ++ 0xdc, 0x91, 0xd7, 0xb7, 0xb9, 0x94, 0x79, 0x0f, 0x06, 0xc4, 0x70, 0x19, ++ 0x33, 0x25, 0x7c, 0x96, 0x01, 0xa0, 0x62, 0xb0, 0x50, 0xe6, 0xc0, 0x3a, ++ 0x56, 0x8f, 0xc5, 0x50, 0x48, 0xc6, 0xf4, 0x49, 0xe5, 0x70, 0x16, 0x2e, ++ 0xae, 0xf2, 0x99, 0xb4, 0x2d, 0x70, 0x18, 0x16, 0xcd, 0xe0, 0x24, 0xe4, ++}; ++static const unsigned char kat1308_retbits[] = { ++ 0xde, 0xf8, 0x91, 0x1b, 0xf1, 0xe1, 0xa9, 0x97, 0xd8, 0x61, 0x84, 0xe2, ++ 0xdb, 0x83, 0x3e, 0x60, 0x45, 0xcd, 0xc8, 0x66, 0x93, 0x28, 0xc8, 0x92, ++ 0xbc, 0x25, 0xae, 0xe8, 0xb0, 0xed, 0xed, 0x16, 0x3d, 0xa5, 0xf9, 0x0f, ++ 0xb3, 0x72, 0x08, 0x84, 0xac, 0x3c, 0x3b, 0xaa, 0x5f, 0xf9, 0x7d, 0x63, ++ 0x3e, 0xde, 0x59, 0x37, 0x0e, 0x40, 0x12, 0x2b, 0xbc, 0x6c, 0x96, 0x53, ++ 0x26, 0x32, 0xd0, 0xb8, ++}; ++static const struct drbg_kat_no_reseed kat1308_t = { ++ 2, kat1308_entropyin, kat1308_nonce, kat1308_persstr, ++ kat1308_addin0, kat1308_addin1, kat1308_retbits ++}; ++static const struct drbg_kat kat1308 = { ++ NO_RESEED, NO_DF, NID_aes_256_ctr, 48, 0, 48, 48, 64, &kat1308_t ++}; ++ ++static const unsigned char kat1465_entropyin[] = { ++ 0xc9, 0x96, 0x3a, 0x15, 0x51, 0x76, 0x4f, 0xe0, 0x45, 0x82, 0x8a, 0x64, ++ 0x87, 0xbe, 0xaa, 0xc0, ++}; ++static const unsigned char kat1465_nonce[] = { ++ 0x08, 0xcd, 0x69, 0x39, 0xf8, 0x58, 0x9a, 0x85, ++}; ++static const unsigned char kat1465_persstr[] = {0}; ++static const unsigned char kat1465_entropyinreseed[] = { ++ 0x16, 0xcc, 0x35, 0x15, 0xb1, 0x17, 0xf5, 0x33, 0x80, 0x9a, 0x80, 0xc5, ++ 0x1f, 0x4b, 0x7b, 0x51, ++}; ++static const unsigned char kat1465_addinreseed[] = { ++ 0xf5, 0x3d, 0xf1, 0x2e, 0xdb, 0x28, 0x1c, 0x00, 0x7b, 0xcb, 0xb6, 0x12, ++ 0x61, 0x9f, 0x26, 0x5f, ++}; ++static const unsigned char kat1465_addin0[] = { ++ 0xe2, 0x67, 0x06, 0x62, 0x09, 0xa7, 0xcf, 0xd6, 0x84, 0x8c, 0x20, 0xf6, ++ 0x10, 0x5a, 0x73, 0x9c, ++}; ++static const unsigned char kat1465_addin1[] = { ++ 0x26, 0xfa, 0x50, 0xe1, 0xb3, 0xcb, 0x65, 0xed, 0xbc, 0x6d, 0xda, 0x18, ++ 0x47, 0x99, 0x1f, 0xeb, ++}; ++static const unsigned char kat1465_retbits[] = { ++ 0xf9, 0x47, 0xc6, 0xb0, 0x58, 0xa8, 0x66, 0x8a, 0xf5, 0x2b, 0x2a, 0x6d, ++ 0x4e, 0x24, 0x6f, 0x65, 0xbf, 0x51, 0x22, 0xbf, 0xe8, 0x8d, 0x6c, 0xeb, ++ 0xf9, 0x68, 0x7f, 0xed, 0x3b, 0xdd, 0x6b, 0xd5, 0x28, 0x47, 0x56, 0x52, ++ 0xda, 0x50, 0xf0, 0x90, 0x73, 0x95, 0x06, 0x58, 0xaf, 0x08, 0x98, 0x6e, ++ 0x24, 0x18, 0xfd, 0x2f, 0x48, 0x72, 0x57, 0xd6, 0x59, 0xab, 0xe9, 0x41, ++ 0x58, 0xdb, 0x27, 0xba, ++}; ++static const struct drbg_kat_pr_false kat1465_t = { ++ 9, kat1465_entropyin, kat1465_nonce, kat1465_persstr, ++ kat1465_entropyinreseed, kat1465_addinreseed, kat1465_addin0, ++ kat1465_addin1, kat1465_retbits ++}; ++static const struct drbg_kat kat1465 = { ++ PR_FALSE, USE_DF, NID_aes_128_ctr, 16, 8, 0, 16, 64, &kat1465_t ++}; ++ ++static const unsigned char kat3146_entropyin[] = { ++ 0xd7, 0x08, 0x42, 0x82, 0xc2, 0xd2, 0xd1, 0xde, 0x01, 0xb4, 0x36, 0xb3, ++ 0x7f, 0xbd, 0xd3, 0xdd, 0xb3, 0xc4, 0x31, 0x4f, 0x8f, 0xa7, 0x10, 0xf4, ++}; ++static const unsigned char kat3146_nonce[] = { ++ 0x7b, 0x9e, 0xcd, 0x49, 0x4f, 0x46, 0xa0, 0x08, 0x32, 0xff, 0x2e, 0xc3, ++ 0x50, 0x86, 0xca, 0xca, ++}; ++static const unsigned char kat3146_persstr[] = {0}; ++static const unsigned char kat3146_entropyinpr1[] = { ++ 0x68, 0xd0, 0x7b, 0xa4, 0xe7, 0x22, 0x19, 0xe6, 0xb6, 0x46, 0x6a, 0xda, ++ 0x8e, 0x67, 0xea, 0x63, 0x3f, 0xaf, 0x2f, 0x6c, 0x9d, 0x5e, 0x48, 0x15, ++}; ++static const unsigned char kat3146_addinpr1[] = { ++ 0x70, 0x0f, 0x54, 0xf4, 0x53, 0xde, 0xca, 0x61, 0x5c, 0x49, 0x51, 0xd1, ++ 0x41, 0xc4, 0xf1, 0x2f, 0x65, 0xfb, 0x7e, 0xbc, 0x9b, 0x14, 0xba, 0x90, ++ 0x05, 0x33, 0x7e, 0x64, 0xb7, 0x2b, 0xaf, 0x99, ++}; ++static const unsigned char kat3146_entropyinpr2[] = { ++ 0xeb, 0x77, 0xb0, 0xe9, 0x2d, 0x31, 0xc8, 0x66, 0xc5, 0xc4, 0xa7, 0xf7, ++ 0x6c, 0xb2, 0x74, 0x36, 0x4b, 0x25, 0x78, 0x04, 0xd8, 0xd7, 0xd2, 0x34, ++}; ++static const unsigned char kat3146_addinpr2[] = { ++ 0x05, 0xcd, 0x2a, 0x97, 0x5a, 0x5d, 0xfb, 0x98, 0xc1, 0xf1, 0x00, 0x0c, ++ 0xed, 0xe6, 0x2a, 0xba, 0xf0, 0x89, 0x1f, 0x5a, 0x4f, 0xd7, 0x48, 0xb3, ++ 0x24, 0xc0, 0x8a, 0x3d, 0x60, 0x59, 0x5d, 0xb6, ++}; ++static const unsigned char kat3146_retbits[] = { ++ 0x29, 0x94, 0xa4, 0xa8, 0x17, 0x3e, 0x62, 0x2f, 0x94, 0xdd, 0x40, 0x1f, ++ 0xe3, 0x7e, 0x77, 0xd4, 0x38, 0xbc, 0x0e, 0x49, 0x46, 0xf6, 0x0e, 0x28, ++ 0x91, 0xc6, 0x9c, 0xc4, 0xa6, 0xa1, 0xf8, 0x9a, 0x64, 0x5e, 0x99, 0x76, ++ 0xd0, 0x2d, 0xee, 0xde, 0xe1, 0x2c, 0x93, 0x29, 0x4b, 0x12, 0xcf, 0x87, ++ 0x03, 0x98, 0xb9, 0x74, 0x41, 0xdb, 0x3a, 0x49, 0x9f, 0x92, 0xd0, 0x45, ++ 0xd4, 0x30, 0x73, 0xbb, ++}; ++static const struct drbg_kat_pr_true kat3146_t = { ++ 10, kat3146_entropyin, kat3146_nonce, kat3146_persstr, ++ kat3146_entropyinpr1, kat3146_addinpr1, kat3146_entropyinpr2, ++ kat3146_addinpr2, kat3146_retbits ++}; ++static const struct drbg_kat kat3146 = { ++ PR_TRUE, USE_DF, NID_aes_192_ctr, 24, 16, 0, 32, 64, &kat3146_t ++}; ++ ++static const struct drbg_kat *drbg_test[] = { &kat1308, &kat1465, &kat3146 }; ++ ++static const size_t drbg_test_nelem = OSSL_NELEM(drbg_test); ++ ++static size_t kat_entropy(RAND_DRBG *drbg, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len, ++ int prediction_resistance) ++{ ++ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); ++ ++ t->entropycnt++; ++ *pout = (unsigned char *)t->entropy; ++ return t->entropylen; ++} ++ ++static size_t kat_nonce(RAND_DRBG *drbg, unsigned char **pout, ++ int entropy, size_t min_len, size_t max_len) ++{ ++ TEST_CTX *t = (TEST_CTX *)RAND_DRBG_get_ex_data(drbg, app_data_index); ++ ++ t->noncecnt++; ++ *pout = (unsigned char *)t->nonce; ++ return t->noncelen; ++} ++ ++/* ++ * Do a single NO_RESEED KAT: ++ * ++ * Instantiate ++ * Generate Random Bits (pr=false) ++ * Generate Random Bits (pr=false) ++ * Uninstantiate ++ * ++ * Return 0 on failure. ++ */ ++static int single_kat_no_reseed(const struct drbg_kat *td) ++{ ++ struct drbg_kat_no_reseed *data = (struct drbg_kat_no_reseed *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned char *buff = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.entropy = data->entropyin; ++ t.entropylen = td->entropyinlen; ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ buff = OPENSSL_malloc(td->retbyteslen); ++ if (buff == NULL) { ++ failures++; ++ goto err; ++ } ++ ++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin1, td->addinlen) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin2, td->addinlen) ++ || memcmp(data->retbytes, buff, ++ td->retbyteslen) != 0) ++ failures++; ++ ++err: ++ OPENSSL_free(buff); ++ RAND_DRBG_uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++/*- ++ * Do a single PR_FALSE KAT: ++ * ++ * Instantiate ++ * Reseed ++ * Generate Random Bits (pr=false) ++ * Generate Random Bits (pr=false) ++ * Uninstantiate ++ * ++ * Return 0 on failure. ++ */ ++static int single_kat_pr_false(const struct drbg_kat *td) ++{ ++ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned char *buff = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.entropy = data->entropyin; ++ t.entropylen = td->entropyinlen; ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ buff = OPENSSL_malloc(td->retbyteslen); ++ if (buff == NULL) { ++ failures++; ++ goto err; ++ } ++ ++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) ++ failures++; ++ ++ t.entropy = data->entropyinreseed; ++ t.entropylen = td->entropyinlen; ++ ++ if (!RAND_DRBG_reseed(drbg, data->addinreseed, td->addinlen, 0) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin1, td->addinlen) ++ || !RAND_DRBG_generate(drbg, buff, td->retbyteslen, 0, ++ data->addin2, td->addinlen) ++ || memcmp(data->retbytes, buff, ++ td->retbyteslen) != 0) ++ failures++; ++ ++err: ++ OPENSSL_free(buff); ++ RAND_DRBG_uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++/*- ++ * Do a single PR_TRUE KAT: ++ * ++ * Instantiate ++ * Generate Random Bits (pr=true) ++ * Generate Random Bits (pr=true) ++ * Uninstantiate ++ * ++ * Return 0 on failure. ++ */ ++static int single_kat_pr_true(const struct drbg_kat *td) ++{ ++ struct drbg_kat_pr_true *data = (struct drbg_kat_pr_true *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned char *buff = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ t.entropy = data->entropyin; ++ t.entropylen = td->entropyinlen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ buff = OPENSSL_malloc(td->retbyteslen); ++ if (buff == NULL) { ++ failures++; ++ goto err; ++ } ++ ++ if (!RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) ++ failures++; ++ ++ t.entropy = data->entropyinpr1; ++ t.entropylen = td->entropyinlen; ++ ++ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1, ++ data->addin1, td->addinlen)) ++ failures++; ++ ++ t.entropy = data->entropyinpr2; ++ t.entropylen = td->entropyinlen; ++ ++ if (!RAND_DRBG_generate(drbg, buff, td->retbyteslen, 1, ++ data->addin2, td->addinlen) ++ || memcmp(data->retbytes, buff, ++ td->retbyteslen) != 0) ++ failures++; ++ ++err: ++ OPENSSL_free(buff); ++ RAND_DRBG_uninstantiate(drbg); ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++static int test_kats(int i) ++{ ++ const struct drbg_kat *td = drbg_test[i]; ++ int rv = 0; ++ ++ switch (td->type) { ++ case NO_RESEED: ++ if (!single_kat_no_reseed(td)) ++ goto err; ++ break; ++ case PR_FALSE: ++ if (!single_kat_pr_false(td)) ++ goto err; ++ break; ++ case PR_TRUE: ++ if (!single_kat_pr_true(td)) ++ goto err; ++ break; ++ default: /* cant happen */ ++ goto err; ++ } ++ rv = 1; ++err: ++ return rv; ++} ++ ++/*- ++ * Do one expected-error test: ++ * ++ * Instantiate with no entropy supplied ++ * ++ * Return 0 on failure. ++ */ ++static int test_drbg_sanity(const struct drbg_kat *td) ++{ ++ struct drbg_kat_pr_false *data = (struct drbg_kat_pr_false *)td->t; ++ RAND_DRBG *drbg = NULL; ++ unsigned int flags = 0; ++ int failures = 0; ++ TEST_CTX t; ++ ++ if (td->df != USE_DF) ++ flags |= RAND_DRBG_FLAG_CTR_NO_DF; ++ ++ if ((drbg = RAND_DRBG_new(td->nid, flags, NULL)) == NULL) ++ return 0; ++ ++ if (!RAND_DRBG_set_callbacks(drbg, kat_entropy, NULL, ++ kat_nonce, NULL)) { ++ failures++; ++ goto err; ++ } ++ memset(&t, 0, sizeof(t)); ++ t.entropy = data->entropyin; ++ t.entropylen = 0; /* No entropy */ ++ t.nonce = data->nonce; ++ t.noncelen = td->noncelen; ++ RAND_DRBG_set_ex_data(drbg, app_data_index, &t); ++ ++ ERR_set_mark(); ++ /* This must fail. */ ++ if (RAND_DRBG_instantiate(drbg, data->persstr, td->persstrlen)) ++ failures++; ++ RAND_DRBG_uninstantiate(drbg); ++ ERR_pop_to_mark(); ++ ++err: ++ RAND_DRBG_free(drbg); ++ return failures == 0; ++} ++ ++ ++int FIPS_selftest_drbg_new(void) ++{ ++ int i; ++ ++ if (!RUN_ONCE(&get_index_once, drbg_app_data_index_init)) ++ return 0; ++ ++ for (i = 0; i < drbg_test_nelem; i++) { ++ if (test_kats(i) <= 0) ++ return 0; ++ } ++ ++ if (test_drbg_sanity(&kat1465) <= 0) ++ return 0; ++ ++ return 1; ++} +--- a/include/crypto/rand.h ++++ b/include/crypto/rand.h +@@ -150,4 +150,9 @@ void rand_pool_cleanup(void); + */ + void rand_pool_keep_random_devices_open(int keep); + ++/* ++ * Perform the DRBG KAT selftests ++ */ ++int FIPS_selftest_drbg_new(void); ++ + #endif diff --git a/openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch b/openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch new file mode 100644 index 0000000..27fb624 --- /dev/null +++ b/openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch @@ -0,0 +1,104 @@ +--- + crypto/asn1/ameth_lib.c | 18 ++++++++++++++++++ + crypto/asn1/standard_methods.h | 29 +++++++++++++++++++++++++++++ + crypto/evp/c_alld.c | 6 +++++- + 3 files changed, 52 insertions(+), 1 deletion(-) + +--- a/crypto/asn1/ameth_lib.c ++++ b/crypto/asn1/ameth_lib.c +@@ -35,7 +35,11 @@ IMPLEMENT_OBJ_BSEARCH_CMP_FN(const EVP_P + + int EVP_PKEY_asn1_get_count(void) + { ++#ifdef OPENSSL_FIPS ++ int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods); ++#else + int num = OSSL_NELEM(standard_methods); ++#endif + if (app_methods) + num += sk_EVP_PKEY_ASN1_METHOD_num(app_methods); + return num; +@@ -43,11 +47,19 @@ int EVP_PKEY_asn1_get_count(void) + + const EVP_PKEY_ASN1_METHOD *EVP_PKEY_asn1_get0(int idx) + { ++#ifdef OPENSSL_FIPS ++ int num = FIPS_mode() ? OSSL_NELEM(standard_fips_methods) : OSSL_NELEM(standard_methods); ++#else + int num = OSSL_NELEM(standard_methods); ++#endif + if (idx < 0) + return NULL; + if (idx < num) ++#ifdef OPENSSL_FIPS ++ return FIPS_mode() ? standard_fips_methods[idx] : standard_methods[idx]; ++#else + return standard_methods[idx]; ++#endif + idx -= num; + return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx); + } +@@ -63,7 +75,13 @@ static const EVP_PKEY_ASN1_METHOD *pkey_ + if (idx >= 0) + return sk_EVP_PKEY_ASN1_METHOD_value(app_methods, idx); + } ++#ifdef OPENSSL_FIPS ++ ret = FIPS_mode() ? \ ++ OBJ_bsearch_ameth(&t, standard_fips_methods, OSSL_NELEM(standard_fips_methods)) : \ ++ OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods)); ++#else + ret = OBJ_bsearch_ameth(&t, standard_methods, OSSL_NELEM(standard_methods)); ++#endif + if (!ret || !*ret) + return NULL; + return *ret; +--- a/crypto/asn1/standard_methods.h ++++ b/crypto/asn1/standard_methods.h +@@ -59,3 +59,32 @@ static const EVP_PKEY_ASN1_METHOD *stand + #endif + }; + ++static const EVP_PKEY_ASN1_METHOD *standard_fips_methods[] = { ++#ifndef OPENSSL_NO_RSA ++ &rsa_asn1_meths[0], ++ &rsa_asn1_meths[1], ++#endif ++#ifndef OPENSSL_NO_DH ++ &dh_asn1_meth, ++#endif ++#ifndef OPENSSL_NO_DSA ++ &dsa_asn1_meths[0], ++ &dsa_asn1_meths[1], ++ &dsa_asn1_meths[2], ++ &dsa_asn1_meths[3], ++ &dsa_asn1_meths[4], ++#endif ++#ifndef OPENSSL_NO_EC ++ &eckey_asn1_meth, ++#endif ++ &hmac_asn1_meth, ++#ifndef OPENSSL_NO_CMAC ++ &cmac_asn1_meth, ++#endif ++#ifndef OPENSSL_NO_RSA ++ &rsa_pss_asn1_meth, ++#endif ++#ifndef OPENSSL_NO_DH ++ &dhx_asn1_meth, ++#endif ++}; +--- a/crypto/evp/c_alld.c ++++ b/crypto/evp/c_alld.c +@@ -17,7 +17,11 @@ + void openssl_add_all_digests_int(void) + { + #ifdef OPENSSL_FIPS +- if (!FIPS_mode()) { ++ /* ++ * This function is called from FIPS_selftest_ecdsa() before FIPS mode is ++ * turned on. That is the reason why we need to also check fips_in_post(). ++ */ ++ if (!FIPS_mode() && !fips_in_post()) { + #endif + #ifndef OPENSSL_NO_MD4 + EVP_add_digest(EVP_md4()); diff --git a/openssl-1_1-jitterentropy-3.4.0.patch b/openssl-1_1-jitterentropy-3.4.0.patch new file mode 100644 index 0000000..b4b9d6e --- /dev/null +++ b/openssl-1_1-jitterentropy-3.4.0.patch @@ -0,0 +1,203 @@ +--- + Configurations/00-base-templates.conf | 2 - + crypto/fips/build.info | 3 +- + crypto/fips/fips.c | 8 +++++++ + crypto/fips/fips_entropy.c | 38 ++++++++++++++++++++++++++++++++++ + crypto/fips/fips_err.h | 1 + crypto/init.c | 4 +++ + crypto/rand/rand_unix.c | 30 +++++++++++++++++++++++++- + include/crypto/fips_int.h | 2 + + include/openssl/fips.h | 4 +++ + util/libcrypto.num | 2 + + 10 files changed, 91 insertions(+), 3 deletions(-) + +--- a/Configurations/00-base-templates.conf ++++ b/Configurations/00-base-templates.conf +@@ -96,7 +96,7 @@ my %targets=( + ex_libs => + sub { !defined($disabled{zlib}) + && defined($disabled{"zlib-dynamic"}) +- ? "-lz" : () }, ++ ? "-lz -ljitterentropy" : "-ljitterentropy" }, + HASHBANGPERL => "/usr/bin/env perl", # Only Unix actually cares + RANLIB => sub { which("$config{cross_compile_prefix}ranlib") + ? "ranlib" : "" }, +--- a/crypto/fips/build.info ++++ b/crypto/fips/build.info +@@ -5,7 +5,8 @@ SOURCE[../../libcrypto]=\ + fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ +- fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c fips_sli.c ++ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c fips_sli.c \ ++ fips_entropy.c + + PROGRAMS=\ + fips_standalone_hmac +--- a/crypto/fips/fips.c ++++ b/crypto/fips/fips.c +@@ -461,6 +461,14 @@ int FIPS_module_mode_set(int onoff) + + fips_post = 1; + ++ if (!FIPS_entropy_init()) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_ENTROPY_INIT_FAILED); ++ fips_selftest_fail = 1; ++ ret = 0; ++ goto end; ++ } ++ + /* Run the KATs before the HMAC verification for FIPS 140-3 compliance */ + if (!FIPS_selftest()) { + fips_selftest_fail = 1; +--- /dev/null ++++ b/crypto/fips/fips_entropy.c +@@ -0,0 +1,38 @@ ++#include ++ ++#include "crypto/fips_int.h" ++#include "jitterentropy.h" ++ ++static struct rand_data* ec = NULL; ++ ++struct rand_data* FIPS_entropy_init(void) ++{ ++ if (ec != NULL) ++ /* Entropy source has been initiated and collector allocated */ ++ return ec; ++ /* If the initialization is successful, the call returns with 0 */ ++ if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0) ++ /* Allocate entropy collector */ ++ ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS); ++ return ec; ++} ++ ++void FIPS_entropy_cleanup(void) ++{ ++ /* Free entropy collector */ ++ if (ec != NULL) { ++ jent_entropy_collector_free(ec); ++ ec = NULL; ++ } ++} ++ ++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen) ++{ ++ ssize_t ent_bytes = -1; ++ ++ if (buf != NULL && buflen != 0 && FIPS_entropy_init()) { ++ /* Get entropy */ ++ ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen); ++ } ++ return ent_bytes; ++} +--- a/crypto/fips/fips_err.h ++++ b/crypto/fips/fips_err.h +@@ -135,6 +135,7 @@ static ERR_STRING_DATA FIPS_str_reasons[ + {ERR_REASON(FIPS_R_DRBG_NOT_INITIALISED), "drbg not initialised"}, + {ERR_REASON(FIPS_R_DRBG_STUCK), "drbg stuck"}, + {ERR_REASON(FIPS_R_ENTROPY_ERROR_UNDETECTED), "entropy error undetected"}, ++ {ERR_REASON(FIPS_R_ENTROPY_INIT_FAILED), "entropy init failed"}, + {ERR_REASON(FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED), + "entropy not requested for reseed"}, + {ERR_REASON(FIPS_R_ENTROPY_SOURCE_STUCK), "entropy source stuck"}, +--- a/crypto/init.c ++++ b/crypto/init.c +@@ -27,6 +27,7 @@ + #include "crypto/dso_conf.h" + #include "internal/dso.h" + #include "crypto/store.h" ++#include "openssl/fips.h" + + static int stopped = 0; + +@@ -597,6 +598,9 @@ void OPENSSL_cleanup(void) + rand_cleanup_int(); + rand_drbg_cleanup_int(); + conf_modules_free_int(); ++#ifdef OPENSSL_FIPS ++ FIPS_entropy_cleanup(); ++#endif + #ifndef OPENSSL_NO_ENGINE + engine_cleanup_int(); + #endif +--- a/crypto/rand/rand_unix.c ++++ b/crypto/rand/rand_unix.c +@@ -642,9 +642,37 @@ size_t rand_pool_acquire_entropy(RAND_PO + return rand_pool_entropy_available(pool); + # else + size_t entropy_available; ++ int in_post; ++ ++# ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ /* Use jitter entropy in FIPS mode */ ++ for (in_post = fips_in_post(); in_post >= 0; --in_post) { ++ size_t bytes_needed; ++ unsigned char *buffer; ++ ssize_t bytes; ++ /* Maximum allowed number of consecutive unsuccessful attempts */ ++ int attempts = 3; ++ ++ bytes_needed = rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); ++ while (bytes_needed != 0 && attempts-- > 0) { ++ buffer = rand_pool_add_begin(pool, bytes_needed); ++ bytes = FIPS_jitter_entropy(buffer, bytes_needed); ++ if (bytes > 0) { ++ rand_pool_add_end(pool, bytes, 8 * bytes); ++ bytes_needed -= bytes; ++ attempts = 3; /* reset counter after successful attempt */ ++ } else if (bytes < 0) { ++ break; ++ } ++ } ++ } ++ entropy_available = rand_pool_entropy_available(pool); ++ return entropy_available; ++ } ++# endif + + # if defined(OPENSSL_RAND_SEED_GETRANDOM) +- int in_post; + + for (in_post = fips_in_post(); in_post >= 0; --in_post) { + { +--- a/include/crypto/fips_int.h ++++ b/include/crypto/fips_int.h +@@ -101,4 +101,6 @@ void fips_set_selftest_fail(void); + + void FIPS_get_timevec(unsigned char *buf, unsigned long *pctr); + ++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen); ++ + #endif +--- a/include/openssl/fips.h ++++ b/include/openssl/fips.h +@@ -74,6 +74,9 @@ extern "C" { + BN_GENCB *cb); + int FIPS_dsa_paramgen_check_g(DSA *dsa); + ++ struct rand_data* FIPS_entropy_init(void); ++ void FIPS_entropy_cleanup(void); ++ + /* BEGIN ERROR CODES */ + /* The following lines are auto generated by the script mkerr.pl. Any changes + * made after this point may be overwritten when the script is next run. +@@ -151,6 +154,7 @@ extern "C" { + # define FIPS_R_DRBG_NOT_INITIALISED 152 + # define FIPS_R_DRBG_STUCK 103 + # define FIPS_R_ENTROPY_ERROR_UNDETECTED 104 ++# define FIPS_R_ENTROPY_INIT_FAILED 161 + # define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105 + # define FIPS_R_ENTROPY_SOURCE_STUCK 142 + # define FIPS_R_ERROR_INITIALISING_DRBG 115 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -4647,3 +4647,5 @@ fips_sli_PKCS5_PBKDF2_HMAC_is_approved + fips_sli_HMAC_is_approved 6608 1_1_1l EXIST::FUNCTION: + fips_sli_RAND_bytes_is_approved 6609 1_1_1l EXIST::FUNCTION: + fips_sli_RAND_priv_bytes_is_approved 6610 1_1_1l EXIST::FUNCTION: ++FIPS_entropy_init 6611 1_1_1l EXIST::FUNCTION: ++FIPS_entropy_cleanup 6612 1_1_1l EXIST::FUNCTION: + diff --git a/openssl-1_1-ossl-sli-000-fix-build-error.patch b/openssl-1_1-ossl-sli-000-fix-build-error.patch new file mode 100644 index 0000000..3714d48 --- /dev/null +++ b/openssl-1_1-ossl-sli-000-fix-build-error.patch @@ -0,0 +1,10 @@ +diff --git a/util/libcrypto.num b/util/libcrypto.num +index e4a490a82..2a778ce92 100644 +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -4634,3 +4634,5 @@ EVP_KDF_vctrl 6594 1_1_1d EXIST::FUNCTION: + EVP_KDF_ctrl_str 6595 1_1_1d EXIST::FUNCTION: + EVP_KDF_size 6596 1_1_1d EXIST::FUNCTION: + EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION: ++EC_GROUP_get0_field 6598 1_1_1l EXIST::FUNCTION:EC ++NONFIPS_selftest_check 6599 1_1_1l EXIST::FUNCTION: diff --git a/openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch b/openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch new file mode 100644 index 0000000..babe1cf --- /dev/null +++ b/openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch @@ -0,0 +1,111 @@ +diff --git a/crypto/ec/ec_key.c b/crypto/ec/ec_key.c +index 43c916fc1..fab410b9e 100644 +--- a/crypto/ec/ec_key.c ++++ b/crypto/ec/ec_key.c +@@ -472,16 +472,16 @@ int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) + */ + if (eckey->priv_key != NULL) { + if (BN_cmp(eckey->priv_key, order) >= 0) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_WRONG_ORDER); ++ ECerr(EC_F_EC_KEY_PUBLIC_CHECK, EC_R_WRONG_ORDER); + goto err; + } + if (!EC_POINT_mul(eckey->group, point, eckey->priv_key, + NULL, NULL, ctx)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, ERR_R_EC_LIB); ++ ECerr(EC_F_EC_KEY_PUBLIC_CHECK, ERR_R_EC_LIB); + goto err; + } + if (EC_POINT_cmp(eckey->group, point, eckey->pub_key, ctx) != 0) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_INVALID_PRIVATE_KEY); ++ ECerr(EC_F_EC_KEY_PUBLIC_CHECK, EC_R_INVALID_PRIVATE_KEY); + goto err; + } + } +diff --git a/crypto/ec/ecdh_ossl.c b/crypto/ec/ecdh_ossl.c +index 8794a6781..f38137388 100644 +--- a/crypto/ec/ecdh_ossl.c ++++ b/crypto/ec/ecdh_ossl.c +@@ -28,7 +28,7 @@ int ossl_ecdh_compute_key(unsigned char **psec, size_t *pseclen, + { + #ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_OSSL_ECDH_COMPUTE_KEY, FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } + #endif +diff --git a/crypto/ec/ecdsa_ossl.c b/crypto/ec/ecdsa_ossl.c +index 3445abd02..9e9526241 100644 +--- a/crypto/ec/ecdsa_ossl.c ++++ b/crypto/ec/ecdsa_ossl.c +@@ -204,7 +204,7 @@ ECDSA_SIG *ecdsa_simple_sign_sig(const unsigned char *dgst, int dgst_len, + + #ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_OSSL_ECDSA_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_ECDSA_SIMPLE_SIGN_SIG, FIPS_R_FIPS_SELFTEST_FAILED); + return NULL; + } + #endif +@@ -373,7 +373,7 @@ int ecdsa_simple_verify_sig(const unsigned char *dgst, int dgst_len, + + #ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_OSSL_ECDSA_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_ECDSA_SIMPLE_VERIFY_SIG, FIPS_R_FIPS_SELFTEST_FAILED); + return -1; + } + #endif +diff --git a/crypto/fips/fips_sha_selftest.c b/crypto/fips/fips_sha_selftest.c +index 035c2c092..4a6336248 100644 +--- a/crypto/fips/fips_sha_selftest.c ++++ b/crypto/fips/fips_sha_selftest.c +@@ -195,25 +195,25 @@ int FIPS_selftest_sha3(void) + + EVP_Digest(msg_sha3_256, sizeof(msg_sha3_256), md, NULL, EVP_sha3_256(), NULL); + if (memcmp(dig_sha3_256, md, sizeof(dig_sha3_256))) { +- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED); + return 0; + } + + EVP_Digest(msg_sha3_512, sizeof(msg_sha3_512), md, NULL, EVP_sha3_512(), NULL); + if (memcmp(dig_sha3_512, md, sizeof(dig_sha3_512))) { +- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED); + return 0; + } + + EVP_Digest(msg_shake_128, sizeof(msg_shake_128), md, NULL, EVP_shake128(), NULL); + if (memcmp(dig_shake_128, md, sizeof(dig_shake_128))) { +- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED); + return 0; + } + + EVP_Digest(msg_shake_256, sizeof(msg_shake_256), md, NULL, EVP_shake256(), NULL); + if (memcmp(dig_shake_256, md, sizeof(dig_shake_256))) { +- FIPSerr(FIPS_F_FIPS_SELFTEST, FIPS_R_SELFTEST_FAILED); ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SHA3, FIPS_R_SELFTEST_FAILED); + return 0; + } + +diff --git a/include/openssl/fips.h b/include/openssl/fips.h +index e4208cbfa..7af006e7b 100644 +--- a/include/openssl/fips.h ++++ b/include/openssl/fips.h +@@ -130,8 +130,13 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_HKDF 155 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 ++# define FIPS_F_FIPS_SELFTEST_SHA3 156 ++# define FIPS_F_ECDSA_SIMPLE_VERIFY_SIG 157 ++# define FIPS_F_ECDSA_SIMPLE_SIGN_SIG 158 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 + # define FIPS_F_OSSL_ECDSA_VERIFY_SIG 148 ++# define FIPS_F_OSSL_ECDSA_SIMPLE_VERIFY_SIG 159 ++# define FIPS_F_OSSL_ECDH_COMPUTE_KEY 160 + # define FIPS_F_RSA_BUILTIN_KEYGEN 116 + # define FIPS_F_RSA_OSSL_INIT 149 + # define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 117 diff --git a/openssl-1_1-ossl-sli-002-ran-make-update.patch b/openssl-1_1-ossl-sli-002-ran-make-update.patch new file mode 100644 index 0000000..ccb5bba --- /dev/null +++ b/openssl-1_1-ossl-sli-002-ran-make-update.patch @@ -0,0 +1,946 @@ +--- + apps/openssl-vms.cnf | 18 ++++ + crypto/dh/dh_err.c | 8 - + crypto/dsa/dsa_err.c | 8 + + crypto/ec/ec_err.c | 29 ++++++- + crypto/err/openssl.txt | 40 +++++++++ + crypto/evp/evp_err.c | 6 - + crypto/fips/fips_ers.c | 189 +++++++++++++++++++++++++++++++++++++++++++++-- + crypto/rsa/rsa_err.c | 23 +++-- + include/openssl/dherr.h | 15 +-- + include/openssl/dsaerr.h | 18 +--- + include/openssl/ecerr.h | 7 - + include/openssl/evperr.h | 19 ++-- + include/openssl/rsaerr.h | 32 +++---- + 13 files changed, 333 insertions(+), 79 deletions(-) + +--- a/apps/openssl-vms.cnf ++++ b/apps/openssl-vms.cnf +@@ -11,6 +11,24 @@ + # defined. + HOME = . + ++openssl_conf = openssl_init ++ ++[ openssl_init ] ++ ++engines = engine_section ++ ++[ engine_section ] ++ ++# This include will look through the directory that will contain the ++# engine declarations for any engines provided by other packages. ++.include /etc/ssl/engines.d ++ ++# This include will look through the directory that will contain the ++# definitions of the engines declared in the engine section. ++.include /etc/ssl/engdef.d ++ ++[ oid_section ] ++ + # Extra OBJECT IDENTIFIER info: + #oid_file = $ENV::HOME/.oid + oid_section = new_oids +--- a/crypto/dh/dh_err.c ++++ b/crypto/dh/dh_err.c +@@ -26,8 +26,8 @@ static const ERR_STRING_DATA DH_str_func + {ERR_PACK(ERR_LIB_DH, DH_F_DH_CMS_SET_SHARED_INFO, 0), + "dh_cms_set_shared_info"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_COMPUTE_KEY, 0), "DH_compute_key"}, +- {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_KEY, 0), "DH_generate_key"}, +- {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), "DH_generate_parameters_ex"}, ++ {ERR_PACK(ERR_LIB_DH, DH_F_DH_GENERATE_PARAMETERS_EX, 0), ++ "DH_generate_parameters_ex"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_DUP, 0), "DH_meth_dup"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_NEW, 0), "DH_meth_new"}, + {ERR_PACK(ERR_LIB_DH, DH_F_DH_METH_SET1_NAME, 0), "DH_meth_set1_name"}, +@@ -78,11 +78,11 @@ static const ERR_STRING_DATA DH_str_reas + {ERR_PACK(ERR_LIB_DH, 0, DH_R_KEY_SIZE_TOO_SMALL), "key size too small"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_MISSING_PUBKEY), "missing pubkey"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_MODULUS_TOO_LARGE), "modulus too large"}, ++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non fips method"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NOT_SUITABLE_GENERATOR), + "not suitable generator"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PARAMETERS_SET), "no parameters set"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_NO_PRIVATE_VALUE), "no private value"}, +- {ERR_PACK(ERR_LIB_DH, 0, DH_R_NON_FIPS_METHOD), "non FIPS method"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, +--- a/crypto/dsa/dsa_err.c ++++ b/crypto/dsa/dsa_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -24,7 +24,8 @@ static const ERR_STRING_DATA DSA_str_fun + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_SIGN, 0), "DSA_do_sign"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_DO_VERIFY, 0), "DSA_do_verify"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_KEY, 0), "DSA_generate_key"}, +- {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), "DSA_generate_parameters_ex"}, ++ {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_GENERATE_PARAMETERS_EX, 0), ++ "DSA_generate_parameters_ex"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_DUP, 0), "DSA_meth_dup"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_NEW, 0), "DSA_meth_new"}, + {ERR_PACK(ERR_LIB_DSA, DSA_F_DSA_METH_SET1_NAME, 0), "DSA_meth_set1_name"}, +@@ -60,8 +61,9 @@ static const ERR_STRING_DATA DSA_str_rea + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MISSING_PRIVATE_KEY), + "missing private key"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_MODULUS_TOO_LARGE), "modulus too large"}, ++ {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), ++ "non fips dsa method"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NO_PARAMETERS_SET), "no parameters set"}, +- {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_NON_FIPS_DSA_METHOD), "non FIPS DSA method"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DSA, 0, DSA_R_Q_NOT_PRIME), "q not prime"}, +--- a/crypto/ec/ec_err.c ++++ b/crypto/ec/ec_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -27,9 +27,19 @@ static const ERR_STRING_DATA EC_str_func + "ecdh_simple_compute_key"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_DO_SIGN_EX, 0), "ECDSA_do_sign_ex"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_DO_VERIFY, 0), "ECDSA_do_verify"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_SIGN_SIG, 0), ++ "ecdsa_s390x_nistp_sign_sig"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_S390X_NISTP_VERIFY_SIG, 0), ++ "ecdsa_s390x_nistp_verify_sig"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_EX, 0), "ECDSA_sign_ex"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIGN_SETUP, 0), "ECDSA_sign_setup"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIG_NEW, 0), "ECDSA_SIG_new"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SETUP, 0), ++ "ecdsa_simple_sign_setup"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_SIGN_SIG, 0), ++ "ecdsa_simple_sign_sig"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_SIMPLE_VERIFY_SIG, 0), ++ "ecdsa_simple_verify_sig"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECDSA_VERIFY, 0), "ECDSA_verify"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECD_ITEM_VERIFY, 0), "ecd_item_verify"}, + {ERR_PACK(ERR_LIB_EC, EC_F_ECKEY_PARAM2TYPE, 0), "eckey_param2type"}, +@@ -193,6 +203,7 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PRINT_FP, 0), "EC_KEY_print_fp"}, + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PRIV2BUF, 0), "EC_KEY_priv2buf"}, + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PRIV2OCT, 0), "EC_KEY_priv2oct"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_PUBLIC_CHECK, 0), "ec_key_public_check"}, + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, 0), + "EC_KEY_set_public_key_affine_coordinates"}, + {ERR_PACK(ERR_LIB_EC, EC_F_EC_KEY_SIMPLE_CHECK_KEY, 0), +@@ -266,6 +277,8 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_OLD_EC_PRIV_DECODE, 0), "old_ec_priv_decode"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDH_COMPUTE_KEY, 0), + "ossl_ecdh_compute_key"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SETUP, 0), ++ "ossl_ecdsa_sign_setup"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_SIGN_SIG, 0), "ossl_ecdsa_sign_sig"}, + {ERR_PACK(ERR_LIB_EC, EC_F_OSSL_ECDSA_VERIFY_SIG, 0), + "ossl_ecdsa_verify_sig"}, +@@ -284,6 +297,18 @@ static const ERR_STRING_DATA EC_str_func + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_KEYGEN, 0), "pkey_ec_keygen"}, + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_PARAMGEN, 0), "pkey_ec_paramgen"}, + {ERR_PACK(ERR_LIB_EC, EC_F_PKEY_EC_SIGN, 0), "pkey_ec_sign"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN25519, 0), ++ "s390x_pkey_ecd_digestsign25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_DIGESTSIGN448, 0), ++ "s390x_pkey_ecd_digestsign448"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN25519, 0), ++ "s390x_pkey_ecd_keygen25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECD_KEYGEN448, 0), ++ "s390x_pkey_ecd_keygen448"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN25519, 0), ++ "s390x_pkey_ecx_keygen25519"}, ++ {ERR_PACK(ERR_LIB_EC, EC_F_S390X_PKEY_ECX_KEYGEN448, 0), ++ "s390x_pkey_ecx_keygen448"}, + {ERR_PACK(ERR_LIB_EC, EC_F_VALIDATE_ECX_DERIVE, 0), "validate_ecx_derive"}, + {0, NULL} + }; +@@ -298,6 +323,8 @@ static const ERR_STRING_DATA EC_str_reas + "coordinates out of range"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDH), + "curve does not support ecdh"}, ++ {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA), ++ "curve does not support ecdsa"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING), + "curve does not support signing"}, + {ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE), +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -408,6 +408,8 @@ DH_F_DH_CHECK_PUB_KEY_EX:123:DH_check_pu + DH_F_DH_CMS_DECRYPT:114:dh_cms_decrypt + DH_F_DH_CMS_SET_PEERKEY:115:dh_cms_set_peerkey + DH_F_DH_CMS_SET_SHARED_INFO:116:dh_cms_set_shared_info ++DH_F_DH_COMPUTE_KEY:126:DH_compute_key ++DH_F_DH_GENERATE_PARAMETERS_EX:127:DH_generate_parameters_ex + DH_F_DH_METH_DUP:117:DH_meth_dup + DH_F_DH_METH_NEW:118:DH_meth_new + DH_F_DH_METH_SET1_NAME:119:DH_meth_set1_name +@@ -427,10 +429,13 @@ DH_F_PKEY_DH_INIT:125:pkey_dh_init + DH_F_PKEY_DH_KEYGEN:113:pkey_dh_keygen + DSA_F_DSAPARAMS_PRINT:100:DSAparams_print + DSA_F_DSAPARAMS_PRINT_FP:101:DSAparams_print_fp ++DSA_F_DSA_BUILTIN_KEYGEN:108:dsa_builtin_keygen + DSA_F_DSA_BUILTIN_PARAMGEN:125:dsa_builtin_paramgen + DSA_F_DSA_BUILTIN_PARAMGEN2:126:dsa_builtin_paramgen2 + DSA_F_DSA_DO_SIGN:112:DSA_do_sign + DSA_F_DSA_DO_VERIFY:113:DSA_do_verify ++DSA_F_DSA_GENERATE_KEY:109:DSA_generate_key ++DSA_F_DSA_GENERATE_PARAMETERS_EX:110:DSA_generate_parameters_ex + DSA_F_DSA_METH_DUP:127:DSA_meth_dup + DSA_F_DSA_METH_NEW:128:DSA_meth_new + DSA_F_DSA_METH_SET1_NAME:129:DSA_meth_set1_name +@@ -494,15 +499,15 @@ EC_F_ECDH_COMPUTE_KEY:246:ECDH_compute_k + EC_F_ECDH_SIMPLE_COMPUTE_KEY:257:ecdh_simple_compute_key + EC_F_ECDSA_DO_SIGN_EX:251:ECDSA_do_sign_ex + EC_F_ECDSA_DO_VERIFY:252:ECDSA_do_verify ++EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig ++EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig + EC_F_ECDSA_SIGN_EX:254:ECDSA_sign_ex + EC_F_ECDSA_SIGN_SETUP:248:ECDSA_sign_setup + EC_F_ECDSA_SIG_NEW:265:ECDSA_SIG_new +-EC_F_ECDSA_VERIFY:253:ECDSA_verify + EC_F_ECDSA_SIMPLE_SIGN_SETUP:310:ecdsa_simple_sign_setup + EC_F_ECDSA_SIMPLE_SIGN_SIG:311:ecdsa_simple_sign_sig + EC_F_ECDSA_SIMPLE_VERIFY_SIG:312:ecdsa_simple_verify_sig +-EC_F_ECDSA_S390X_NISTP_SIGN_SIG:313:ecdsa_s390x_nistp_sign_sig +-EC_F_ECDSA_S390X_NISTP_VERIFY_SIG:314:ecdsa_s390x_nistp_verify_sig ++EC_F_ECDSA_VERIFY:253:ECDSA_verify + EC_F_ECD_ITEM_VERIFY:270:ecd_item_verify + EC_F_ECKEY_PARAM2TYPE:223:eckey_param2type + EC_F_ECKEY_PARAM_DECODE:212:eckey_param_decode +@@ -610,6 +615,7 @@ EC_F_EC_KEY_PRINT:180:EC_KEY_print + EC_F_EC_KEY_PRINT_FP:181:EC_KEY_print_fp + EC_F_EC_KEY_PRIV2BUF:279:EC_KEY_priv2buf + EC_F_EC_KEY_PRIV2OCT:256:EC_KEY_priv2oct ++EC_F_EC_KEY_PUBLIC_CHECK:299:ec_key_public_check + EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES:229:\ + EC_KEY_set_public_key_affine_coordinates + EC_F_EC_KEY_SIMPLE_CHECK_KEY:258:ec_key_simple_check_key +@@ -735,6 +741,7 @@ EVP_F_AES_OCB_CIPHER:169:aes_ocb_cipher + EVP_F_AES_T4_INIT_KEY:178:aes_t4_init_key + EVP_F_AES_T4_XTS_INIT_KEY:208:aes_t4_xts_init_key + EVP_F_AES_WRAP_CIPHER:170:aes_wrap_cipher ++EVP_F_AES_XTS_CIPHER:210:aes_xts_cipher + EVP_F_AES_XTS_INIT_KEY:209:aes_xts_init_key + EVP_F_ALG_MODULE_INIT:177:alg_module_init + EVP_F_ARIA_CCM_INIT_KEY:175:aria_ccm_init_key +@@ -844,6 +851,8 @@ FIPS_F_EVP_CIPHER_CTX_NEW:137:EVP_CIPHER + FIPS_F_EVP_CIPHER_CTX_RESET:122:EVP_CIPHER_CTX_reset + FIPS_F_EVP_CIPHERINIT_EX:124:EVP_CipherInit_ex + FIPS_F_EVP_DIGESTINIT_EX:125:EVP_DigestInit_ex ++FIPS_F_ECDSA_SIMPLE_SIGN_SIG:104:ecdsa_simple_sign_sig ++FIPS_F_ECDSA_SIMPLE_VERIFY_SIG:105:ecdsa_simple_verify_sig + FIPS_F_FIPS_CHECK_DSA:104:fips_check_dsa + FIPS_F_FIPS_CHECK_EC:142:fips_check_ec + FIPS_F_FIPS_CHECK_RSA:106:fips_check_rsa +@@ -874,9 +883,15 @@ FIPS_F_FIPS_SELFTEST_CMAC:130:FIPS_selft + FIPS_F_FIPS_SELFTEST_DES:111:FIPS_selftest_des + FIPS_F_FIPS_SELFTEST_DSA:112:FIPS_selftest_dsa + FIPS_F_FIPS_SELFTEST_ECDSA:133:FIPS_selftest_ecdsa ++FIPS_F_FIPS_SELFTEST_HKDF:136:FIPS_selftest_hkdf + FIPS_F_FIPS_SELFTEST_HMAC:113:FIPS_selftest_hmac ++FIPS_F_FIPS_SELFTEST_PBKDF2:138:FIPS_selftest_pbkdf2 + FIPS_F_FIPS_SELFTEST_SHA1:115:FIPS_selftest_sha1 + FIPS_F_FIPS_SELFTEST_SHA2:105:FIPS_selftest_sha2 ++FIPS_F_FIPS_SELFTEST_SHA3:141:FIPS_selftest_sha3 ++FIPS_F_FIPS_SELFTEST_SSH:142:FIPS_selftest_ssh ++FIPS_F_FIPS_SELFTEST_TLS:143:FIPS_selftest_tls ++FIPS_F_OSSL_ECDH_COMPUTE_KEY:144:ossl_ecdh_compute_key + FIPS_F_OSSL_ECDSA_SIGN_SIG:143:ossl_ecdsa_sign_sig + FIPS_F_OSSL_ECDSA_VERIFY_SIG:148:ossl_ecdsa_verify_sig + FIPS_F_RSA_BUILTIN_KEYGEN:116:rsa_builtin_keygen +@@ -1126,6 +1141,7 @@ RAND_F_RAND_PSEUDO_BYTES:126:RAND_pseudo + RAND_F_RAND_WRITE_FILE:112:RAND_write_file + RSA_F_CHECK_PADDING_MD:140:check_padding_md + RSA_F_ENCODE_PKCS1:146:encode_pkcs1 ++RSA_F_FIPS_RSA_BUILTIN_KEYGEN:168:fips_rsa_builtin_keygen + RSA_F_INT_RSA_VERIFY:145:int_rsa_verify + RSA_F_OLD_RSA_PRIV_DECODE:147:old_rsa_priv_decode + RSA_F_PKEY_PSS_INIT:165:pkey_pss_init +@@ -1140,6 +1156,8 @@ RSA_F_RSA_CHECK_KEY:123:RSA_check_key + RSA_F_RSA_CHECK_KEY_EX:160:RSA_check_key_ex + RSA_F_RSA_CMS_DECRYPT:159:rsa_cms_decrypt + RSA_F_RSA_CMS_VERIFY:158:rsa_cms_verify ++RSA_F_RSA_GENERATE_KEY_EX:169:RSA_generate_key_ex ++RSA_F_RSA_GENERATE_MULTI_PRIME_KEY:170:RSA_generate_multi_prime_key + RSA_F_RSA_ITEM_VERIFY:148:rsa_item_verify + RSA_F_RSA_METH_DUP:161:RSA_meth_dup + RSA_F_RSA_METH_NEW:162:RSA_meth_new +@@ -1175,12 +1193,18 @@ RSA_F_RSA_PADDING_CHECK_X931:128:RSA_pad + RSA_F_RSA_PARAM_DECODE:164:rsa_param_decode + RSA_F_RSA_PRINT:115:RSA_print + RSA_F_RSA_PRINT_FP:116:RSA_print_fp ++RSA_F_RSA_PRIVATE_DECRYPT:171:RSA_private_decrypt ++RSA_F_RSA_PRIVATE_ENCRYPT:172:RSA_private_encrypt + RSA_F_RSA_PRIV_DECODE:150:rsa_priv_decode + RSA_F_RSA_PRIV_ENCODE:138:rsa_priv_encode + RSA_F_RSA_PSS_GET_PARAM:151:rsa_pss_get_param + RSA_F_RSA_PSS_TO_CTX:155:rsa_pss_to_ctx ++RSA_F_RSA_PUBLIC_DECRYPT:173:RSA_public_decrypt ++RSA_F_RSA_PUBLIC_ENCRYPT:174:RSA_public_encrypt + RSA_F_RSA_PUB_DECODE:139:rsa_pub_decode + RSA_F_RSA_SETUP_BLINDING:136:RSA_setup_blinding ++RSA_F_RSA_SET_DEFAULT_METHOD:175:RSA_set_default_method ++RSA_F_RSA_SET_METHOD:176:RSA_set_method + RSA_F_RSA_SIGN:117:RSA_sign + RSA_F_RSA_SIGN_ASN1_OCTET_STRING:118:RSA_sign_ASN1_OCTET_STRING + RSA_F_RSA_VERIFY:119:RSA_verify +@@ -2189,8 +2213,10 @@ DH_R_INVALID_PARAMETER_NID:114:invalid p + DH_R_INVALID_PUBKEY:102:invalid public key + DH_R_KDF_PARAMETER_ERROR:112:kdf parameter error + DH_R_KEYS_NOT_SET:108:keys not set ++DH_R_KEY_SIZE_TOO_SMALL:126:key size too small + DH_R_MISSING_PUBKEY:125:missing pubkey + DH_R_MODULUS_TOO_LARGE:103:modulus too large ++DH_R_NON_FIPS_METHOD:127:non fips method + DH_R_NOT_SUITABLE_GENERATOR:120:not suitable generator + DH_R_NO_PARAMETERS_SET:107:no parameters set + DH_R_NO_PRIVATE_VALUE:100:no private value +@@ -2204,9 +2230,12 @@ DSA_R_BN_ERROR:109:bn error + DSA_R_DECODE_ERROR:104:decode error + DSA_R_INVALID_DIGEST_TYPE:106:invalid digest type + DSA_R_INVALID_PARAMETERS:112:invalid parameters ++DSA_R_KEY_SIZE_INVALID:114:key size invalid ++DSA_R_KEY_SIZE_TOO_SMALL:115:key size too small + DSA_R_MISSING_PARAMETERS:101:missing parameters + DSA_R_MISSING_PRIVATE_KEY:111:missing private key + DSA_R_MODULUS_TOO_LARGE:103:modulus too large ++DSA_R_NON_FIPS_DSA_METHOD:116:non fips dsa method + DSA_R_NO_PARAMETERS_SET:107:no parameters set + DSA_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error + DSA_R_Q_NOT_PRIME:113:q not prime +@@ -2344,6 +2373,7 @@ EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH: + EVP_R_DECODE_ERROR:114:decode error + EVP_R_DIFFERENT_KEY_TYPES:101:different key types + EVP_R_DIFFERENT_PARAMETERS:153:different parameters ++EVP_R_DISABLED_FOR_FIPS:185:disabled for fips + EVP_R_ERROR_LOADING_SECTION:165:error loading section + EVP_R_ERROR_SETTING_FIPS_MODE:166:error setting fips mode + EVP_R_EXPECTING_AN_HMAC_KEY:174:expecting an hmac key +@@ -2389,6 +2419,7 @@ EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREA + EVP_R_PRIVATE_KEY_DECODE_ERROR:145:private key decode error + EVP_R_PRIVATE_KEY_ENCODE_ERROR:146:private key encode error + EVP_R_PUBLIC_KEY_NOT_RSA:106:public key not rsa ++EVP_R_TOO_LARGE:186:too large + EVP_R_UNKNOWN_CIPHER:160:unknown cipher + EVP_R_UNKNOWN_DIGEST:161:unknown digest + EVP_R_UNKNOWN_OPTION:169:unknown option +@@ -2711,11 +2742,13 @@ RSA_R_MODULUS_TOO_LARGE:105:modulus too + RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R:168:mp coefficient not inverse of r + RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D:169:mp exponent not congruent to d + RSA_R_MP_R_NOT_PRIME:170:mp r not prime ++RSA_R_NON_FIPS_RSA_METHOD:171:non fips rsa method + RSA_R_NO_PUBLIC_EXPONENT:140:no public exponent + RSA_R_NULL_BEFORE_BLOCK_MISSING:113:null before block missing + RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES:172:n does not equal product of primes + RSA_R_N_DOES_NOT_EQUAL_P_Q:127:n does not equal p q + RSA_R_OAEP_DECODING_ERROR:121:oaep decoding error ++RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE:173:operation not allowed in fips mode + RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE:148:\ + operation not supported for this keytype + RSA_R_PADDING_CHECK_FAILED:114:padding check failed +@@ -2737,6 +2770,7 @@ RSA_R_UNSUPPORTED_ENCRYPTION_TYPE:162:un + RSA_R_UNSUPPORTED_LABEL_SOURCE:163:unsupported label source + RSA_R_UNSUPPORTED_MASK_ALGORITHM:153:unsupported mask algorithm + RSA_R_UNSUPPORTED_MASK_PARAMETER:154:unsupported mask parameter ++RSA_R_UNSUPPORTED_PARAMETERS:174:unsupported parameters + RSA_R_UNSUPPORTED_SIGNATURE_TYPE:155:unsupported signature type + RSA_R_VALUE_MISSING:147:value missing + RSA_R_WRONG_SIGNATURE_LENGTH:119:wrong signature length +--- a/crypto/evp/evp_err.c ++++ b/crypto/evp/evp_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -192,7 +192,7 @@ static const ERR_STRING_DATA EVP_str_rea + "different key types"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DIFFERENT_PARAMETERS), + "different parameters"}, +- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for FIPS"}, ++ {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_DISABLED_FOR_FIPS), "disabled for fips"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_LOADING_SECTION), + "error loading section"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_ERROR_SETTING_FIPS_MODE), +@@ -286,8 +286,6 @@ static const ERR_STRING_DATA EVP_str_rea + "wrap mode not allowed"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_WRONG_FINAL_BLOCK_LENGTH), + "wrong final block length"}, +- {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE), +- "xts data unit is too large"}, + {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_XTS_DUPLICATED_KEYS), + "xts duplicated keys"}, + {0, NULL} +--- a/crypto/fips/fips_ers.c ++++ b/crypto/fips/fips_ers.c +@@ -1,7 +1,186 @@ +-#include ++/* ++ * Generated by util/mkerr.pl DO NOT EDIT ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ + +-#ifdef OPENSSL_FIPS +-# include "fips_err.h" +-#else +-static void *dummy = &dummy; ++#include ++#include "crypto/fipserr.h" ++ ++#ifndef OPENSSL_NO_ERR ++ ++static const ERR_STRING_DATA FIPS_str_functs[] = { ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DRBG_RESEED, 0), "drbg_reseed"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DSA_BUILTIN_PARAMGEN2, 0), ++ "dsa_builtin_paramgen2"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DSA_DO_SIGN, 0), "DSA_do_sign"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_DSA_DO_VERIFY, 0), "DSA_do_verify"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_ECDSA_SIMPLE_SIGN_SIG, 0), ++ "ecdsa_simple_sign_sig"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_ECDSA_SIMPLE_VERIFY_SIG, 0), ++ "ecdsa_simple_verify_sig"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_CIPHERINIT_EX, 0), "EVP_CipherInit_ex"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_CIPHER_CTX_NEW, 0), ++ "EVP_CIPHER_CTX_new"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_CIPHER_CTX_RESET, 0), ++ "EVP_CIPHER_CTX_reset"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_EVP_DIGESTINIT_EX, 0), "EVP_DigestInit_ex"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_CHECK_DSA, 0), "fips_check_dsa"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_CHECK_EC, 0), "fips_check_ec"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_CHECK_RSA, 0), "fips_check_rsa"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_BYTES, 0), "fips_drbg_bytes"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_CHECK, 0), "fips_drbg_check"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_ERROR_CHECK, 0), ++ "fips_drbg_error_check"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_GENERATE, 0), ++ "FIPS_drbg_generate"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_INIT, 0), "FIPS_drbg_init"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_INSTANTIATE, 0), ++ "FIPS_drbg_instantiate"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_NEW, 0), "FIPS_drbg_new"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_DRBG_SINGLE_KAT, 0), ++ "fips_drbg_single_kat"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_GET_ENTROPY, 0), "fips_get_entropy"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_MODULE_MODE_SET, 0), ++ "FIPS_module_mode_set"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_PKEY_SIGNATURE_TEST, 0), ++ "fips_pkey_signature_test"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_BYTES, 0), "FIPS_rand_bytes"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_SEED, 0), "FIPS_rand_seed"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_SET_METHOD, 0), ++ "FIPS_rand_set_method"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RAND_STATUS, 0), "FIPS_rand_status"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_RSA_BUILTIN_KEYGEN, 0), ++ "fips_rsa_builtin_keygen"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES, 0), "FIPS_selftest_aes"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES_CCM, 0), ++ "FIPS_selftest_aes_ccm"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES_GCM, 0), ++ "FIPS_selftest_aes_gcm"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_AES_XTS, 0), ++ "FIPS_selftest_aes_xts"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_CMAC, 0), ++ "FIPS_selftest_cmac"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_DES, 0), "FIPS_selftest_des"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_ECDSA, 0), ++ "FIPS_selftest_ecdsa"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_HKDF, 0), ++ "FIPS_selftest_hkdf"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_HMAC, 0), ++ "FIPS_selftest_hmac"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_PBKDF2, 0), ++ "FIPS_selftest_pbkdf2"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SHA1, 0), ++ "FIPS_selftest_sha1"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SHA2, 0), ++ "FIPS_selftest_sha2"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SHA3, 0), ++ "FIPS_selftest_sha3"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_SSH, 0), "FIPS_selftest_ssh"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_FIPS_SELFTEST_TLS, 0), "FIPS_selftest_tls"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_OSSL_ECDH_COMPUTE_KEY, 0), ++ "ossl_ecdh_compute_key"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PRIVATE_DECRYPT, 0), ++ "rsa_ossl_private_decrypt"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT, 0), ++ "rsa_ossl_private_encrypt"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PUBLIC_DECRYPT, 0), ++ "rsa_ossl_public_decrypt"}, ++ {ERR_PACK(ERR_LIB_FIPS, FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT, 0), ++ "rsa_ossl_public_encrypt"}, ++ {0, NULL} ++}; ++ ++static const ERR_STRING_DATA FIPS_str_reasons[] = { ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED), ++ "additional input error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ADDITIONAL_INPUT_TOO_LONG), ++ "additional input too long"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ALREADY_INSTANTIATED), ++ "already instantiated"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_DRBG_NOT_INITIALISED), ++ "drbg not initialised"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ENTROPY_ERROR_UNDETECTED), ++ "entropy error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED), ++ "entropy not requested for reseed"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ENTROPY_SOURCE_STUCK), ++ "entropy source stuck"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_INITIALISING_DRBG), ++ "error initialising drbg"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_INSTANTIATING_DRBG), ++ "error instantiating drbg"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT), ++ "error retrieving additional input"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_RETRIEVING_ENTROPY), ++ "error retrieving entropy"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_ERROR_RETRIEVING_NONCE), ++ "error retrieving nonce"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FINGERPRINT_DOES_NOT_MATCH), ++ "fingerprint does not match"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FIPS_MODE_ALREADY_SET), ++ "fips mode already set"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FIPS_SELFTEST_FAILED), ++ "fips selftest failed"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_FUNCTION_ERROR), "function error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_GENERATE_ERROR), "generate error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_GENERATE_ERROR_UNDETECTED), ++ "generate error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_INSTANTIATE_ERROR), "instantiate error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_INVALID_KEY_LENGTH), ++ "invalid key length"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_IN_ERROR_STATE), "in error state"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_KEY_TOO_SHORT), "key too short"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NONCE_ERROR_UNDETECTED), ++ "nonce error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NON_FIPS_METHOD), "non fips method"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NOPR_TEST1_FAILURE), ++ "nopr test1 failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NOPR_TEST2_FAILURE), ++ "nopr test2 failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_NOT_INSTANTIATED), "not instantiated"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PAIRWISE_TEST_FAILED), ++ "pairwise test failed"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PERSONALISATION_ERROR_UNDETECTED), ++ "personalisation error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PERSONALISATION_STRING_TOO_LONG), ++ "personalisation string too long"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PR_TEST1_FAILURE), "pr test1 failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_PR_TEST2_FAILURE), "pr test2 failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED), ++ "request length error undetected"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG), ++ "request too large for drbg"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_RESEED_COUNTER_ERROR), ++ "reseed counter error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_RESEED_ERROR), "reseed error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_SELFTEST_FAILED), "selftest failed"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_SELFTEST_FAILURE), "selftest failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_TEST_FAILURE), "test failure"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNINSTANTIATE_ERROR), ++ "uninstantiate error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNINSTANTIATE_ZEROISE_ERROR), ++ "uninstantiate zeroise error"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNSUPPORTED_DRBG_TYPE), ++ "unsupported drbg type"}, ++ {ERR_PACK(ERR_LIB_FIPS, 0, FIPS_R_UNSUPPORTED_PLATFORM), ++ "unsupported platform"}, ++ {0, NULL} ++}; ++ ++#endif ++ ++int ERR_load_FIPS_strings(void) ++{ ++#ifndef OPENSSL_NO_ERR ++ if (ERR_func_error_string(FIPS_str_functs[0].error) == NULL) { ++ ERR_load_strings_const(FIPS_str_functs); ++ ERR_load_strings_const(FIPS_str_reasons); ++ } + #endif ++ return 1; ++} +--- a/crypto/rsa/rsa_err.c ++++ b/crypto/rsa/rsa_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -34,7 +34,8 @@ static const ERR_STRING_DATA RSA_str_fun + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CHECK_KEY_EX, 0), "RSA_check_key_ex"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_DECRYPT, 0), "rsa_cms_decrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_CMS_VERIFY, 0), "rsa_cms_verify"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), "RSA_generate_key_ex"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_KEY_EX, 0), ++ "RSA_generate_key_ex"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_GENERATE_MULTI_PRIME_KEY, 0), + "RSA_generate_multi_prime_key"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_ITEM_VERIFY, 0), "rsa_item_verify"}, +@@ -93,16 +94,21 @@ static const ERR_STRING_DATA RSA_str_fun + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PARAM_DECODE, 0), "rsa_param_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT, 0), "RSA_print"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRINT_FP, 0), "RSA_print_fp"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), ++ "RSA_private_decrypt"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), ++ "RSA_private_encrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_DECODE, 0), "rsa_priv_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIV_ENCODE, 0), "rsa_priv_encode"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_DECRYPT, 0), "RSA_private_decrypt"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PRIVATE_ENCRYPT, 0), "RSA_private_encrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_GET_PARAM, 0), "rsa_pss_get_param"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PSS_TO_CTX, 0), "rsa_pss_to_ctx"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_DECRYPT, 0), "RSA_public_decrypt"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUBLIC_ENCRYPT, 0), "RSA_public_encrypt"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_PUB_DECODE, 0), "rsa_pub_decode"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SETUP_BLINDING, 0), "RSA_setup_blinding"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), ++ "RSA_set_default_method"}, ++ {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN, 0), "RSA_sign"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SIGN_ASN1_OCTET_STRING, 0), + "RSA_sign_ASN1_OCTET_STRING"}, +@@ -111,8 +117,6 @@ static const ERR_STRING_DATA RSA_str_fun + "RSA_verify_ASN1_OCTET_STRING"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_VERIFY_PKCS1_PSS_MGF1, 0), + "RSA_verify_PKCS1_PSS_mgf1"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_DEFAULT_METHOD, 0), "RSA_set_default_method"}, +- {ERR_PACK(ERR_LIB_RSA, RSA_F_RSA_SET_METHOD, 0), "RSA_set_method"}, + {ERR_PACK(ERR_LIB_RSA, RSA_F_SETUP_TBUF, 0), "setup_tbuf"}, + {0, NULL} + }; +@@ -193,8 +197,9 @@ static const ERR_STRING_DATA RSA_str_rea + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D), + "mp exponent not congruent to d"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_MP_R_NOT_PRIME), "mp r not prime"}, ++ {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), ++ "non fips rsa method"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NO_PUBLIC_EXPONENT), "no public exponent"}, +- {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NON_FIPS_RSA_METHOD), "non FIPS rsa method"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_NULL_BEFORE_BLOCK_MISSING), + "null before block missing"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES), +@@ -204,7 +209,7 @@ static const ERR_STRING_DATA RSA_str_rea + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OAEP_DECODING_ERROR), + "oaep decoding error"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE), +- "operation not allowed in FIPS mode"}, ++ "operation not allowed in fips mode"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE), + "operation not supported for this keytype"}, + {ERR_PACK(ERR_LIB_RSA, 0, RSA_R_PADDING_CHECK_FAILED), +--- a/include/openssl/dherr.h ++++ b/include/openssl/dherr.h +@@ -11,9 +11,7 @@ + #ifndef HEADER_DHERR_H + # define HEADER_DHERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # include + +@@ -36,9 +34,8 @@ int ERR_load_DH_strings(void); + # define DH_F_DH_CMS_DECRYPT 114 + # define DH_F_DH_CMS_SET_PEERKEY 115 + # define DH_F_DH_CMS_SET_SHARED_INFO 116 +-# define DH_F_DH_COMPUTE_KEY 203 +-# define DH_F_DH_GENERATE_KEY 202 +-# define DH_F_DH_GENERATE_PARAMETERS_EX 201 ++# define DH_F_DH_COMPUTE_KEY 126 ++# define DH_F_DH_GENERATE_PARAMETERS_EX 127 + # define DH_F_DH_METH_DUP 117 + # define DH_F_DH_METH_NEW 118 + # define DH_F_DH_METH_SET1_NAME 119 +@@ -76,14 +73,14 @@ int ERR_load_DH_strings(void); + # define DH_R_INVALID_PARAMETER_NID 114 + # define DH_R_INVALID_PUBKEY 102 + # define DH_R_KDF_PARAMETER_ERROR 112 +-# define DH_R_KEY_SIZE_TOO_SMALL 201 + # define DH_R_KEYS_NOT_SET 108 ++# define DH_R_KEY_SIZE_TOO_SMALL 126 + # define DH_R_MISSING_PUBKEY 125 + # define DH_R_MODULUS_TOO_LARGE 103 ++# define DH_R_NON_FIPS_METHOD 127 + # define DH_R_NOT_SUITABLE_GENERATOR 120 + # define DH_R_NO_PARAMETERS_SET 107 + # define DH_R_NO_PRIVATE_VALUE 100 +-# define DH_R_NON_FIPS_METHOD 202 + # define DH_R_PARAMETER_ENCODING_ERROR 105 + # define DH_R_PEER_KEY_ERROR 111 + # define DH_R_SHARED_INFO_ERROR 113 +--- a/include/openssl/dsaerr.h ++++ b/include/openssl/dsaerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -11,9 +11,7 @@ + #ifndef HEADER_DSAERR_H + # define HEADER_DSAERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # include + +@@ -29,13 +27,13 @@ int ERR_load_DSA_strings(void); + */ + # define DSA_F_DSAPARAMS_PRINT 100 + # define DSA_F_DSAPARAMS_PRINT_FP 101 +-# define DSA_F_DSA_BUILTIN_KEYGEN 202 ++# define DSA_F_DSA_BUILTIN_KEYGEN 108 + # define DSA_F_DSA_BUILTIN_PARAMGEN 125 + # define DSA_F_DSA_BUILTIN_PARAMGEN2 126 +-# define DSA_F_DSA_GENERATE_KEY 201 +-# define DSA_F_DSA_GENERATE_PARAMETERS_EX 200 + # define DSA_F_DSA_DO_SIGN 112 + # define DSA_F_DSA_DO_VERIFY 113 ++# define DSA_F_DSA_GENERATE_KEY 109 ++# define DSA_F_DSA_GENERATE_PARAMETERS_EX 110 + # define DSA_F_DSA_METH_DUP 127 + # define DSA_F_DSA_METH_NEW 128 + # define DSA_F_DSA_METH_SET1_NAME 129 +@@ -63,13 +61,13 @@ int ERR_load_DSA_strings(void); + # define DSA_R_DECODE_ERROR 104 + # define DSA_R_INVALID_DIGEST_TYPE 106 + # define DSA_R_INVALID_PARAMETERS 112 +-# define DSA_R_KEY_SIZE_INVALID 201 +-# define DSA_R_KEY_SIZE_TOO_SMALL 202 ++# define DSA_R_KEY_SIZE_INVALID 114 ++# define DSA_R_KEY_SIZE_TOO_SMALL 115 + # define DSA_R_MISSING_PARAMETERS 101 + # define DSA_R_MISSING_PRIVATE_KEY 111 + # define DSA_R_MODULUS_TOO_LARGE 103 ++# define DSA_R_NON_FIPS_DSA_METHOD 116 + # define DSA_R_NO_PARAMETERS_SET 107 +-# define DSA_R_NON_FIPS_DSA_METHOD 200 + # define DSA_R_PARAMETER_ENCODING_ERROR 105 + # define DSA_R_Q_NOT_PRIME 113 + # define DSA_R_SEED_LEN_SMALL 110 +--- a/include/openssl/ecerr.h ++++ b/include/openssl/ecerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -11,9 +11,7 @@ + #ifndef HEADER_ECERR_H + # define HEADER_ECERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # include + +@@ -143,6 +141,7 @@ int ERR_load_EC_strings(void); + # define EC_F_EC_KEY_PRINT_FP 181 + # define EC_F_EC_KEY_PRIV2BUF 279 + # define EC_F_EC_KEY_PRIV2OCT 256 ++# define EC_F_EC_KEY_PUBLIC_CHECK 299 + # define EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES 229 + # define EC_F_EC_KEY_SIMPLE_CHECK_KEY 258 + # define EC_F_EC_KEY_SIMPLE_OCT2PRIV 259 +--- a/include/openssl/evperr.h ++++ b/include/openssl/evperr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -22,15 +22,15 @@ int ERR_load_EVP_strings(void); + * EVP function codes. + */ + # define EVP_F_AESNI_INIT_KEY 165 +-# define EVP_F_AESNI_XTS_INIT_KEY 233 ++# define EVP_F_AESNI_XTS_INIT_KEY 207 + # define EVP_F_AES_GCM_CTRL 196 + # define EVP_F_AES_INIT_KEY 133 + # define EVP_F_AES_OCB_CIPHER 169 + # define EVP_F_AES_T4_INIT_KEY 178 +-# define EVP_F_AES_T4_XTS_INIT_KEY 234 ++# define EVP_F_AES_T4_XTS_INIT_KEY 208 + # define EVP_F_AES_WRAP_CIPHER 170 +-# define EVP_F_AES_XTS_CIPHER 229 +-# define EVP_F_AES_XTS_INIT_KEY 235 ++# define EVP_F_AES_XTS_CIPHER 210 ++# define EVP_F_AES_XTS_INIT_KEY 209 + # define EVP_F_ALG_MODULE_INIT 177 + # define EVP_F_ARIA_CCM_INIT_KEY 175 + # define EVP_F_ARIA_GCM_CTRL 197 +@@ -146,9 +146,9 @@ int ERR_load_EVP_strings(void); + # define EVP_R_CTRL_OPERATION_NOT_IMPLEMENTED 133 + # define EVP_R_DATA_NOT_MULTIPLE_OF_BLOCK_LENGTH 138 + # define EVP_R_DECODE_ERROR 114 +-# define EVP_R_DISABLED_FOR_FIPS 200 + # define EVP_R_DIFFERENT_KEY_TYPES 101 + # define EVP_R_DIFFERENT_PARAMETERS 153 ++# define EVP_R_DISABLED_FOR_FIPS 185 + # define EVP_R_ERROR_LOADING_SECTION 165 + # define EVP_R_ERROR_SETTING_FIPS_MODE 166 + # define EVP_R_EXPECTING_AN_HMAC_KEY 174 +@@ -184,15 +184,15 @@ int ERR_load_EVP_strings(void); + # define EVP_R_ONLY_ONESHOT_SUPPORTED 177 + # define EVP_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 150 + # define EVP_R_OPERATON_NOT_INITIALIZED 151 +-# define EVP_R_PARAMETER_TOO_LARGE 187 + # define EVP_R_OUTPUT_WOULD_OVERFLOW 184 ++# define EVP_R_PARAMETER_TOO_LARGE 187 + # define EVP_R_PARTIALLY_OVERLAPPING 162 + # define EVP_R_PBKDF2_ERROR 181 + # define EVP_R_PKEY_APPLICATION_ASN1_METHOD_ALREADY_REGISTERED 179 + # define EVP_R_PRIVATE_KEY_DECODE_ERROR 145 + # define EVP_R_PRIVATE_KEY_ENCODE_ERROR 146 + # define EVP_R_PUBLIC_KEY_NOT_RSA 106 +-# define EVP_R_TOO_LARGE 201 ++# define EVP_R_TOO_LARGE 186 + # define EVP_R_UNKNOWN_CIPHER 160 + # define EVP_R_UNKNOWN_DIGEST 161 + # define EVP_R_UNKNOWN_OPTION 169 +@@ -208,7 +208,6 @@ int ERR_load_EVP_strings(void); + # define EVP_R_UNSUPPORTED_SALT_TYPE 126 + # define EVP_R_WRAP_MODE_NOT_ALLOWED 170 + # define EVP_R_WRONG_FINAL_BLOCK_LENGTH 109 +-# define EVP_R_XTS_DATA_UNIT_IS_TOO_LARGE 191 +-# define EVP_R_XTS_DUPLICATED_KEYS 192 ++# define EVP_R_XTS_DUPLICATED_KEYS 183 + + #endif +--- a/include/openssl/rsaerr.h ++++ b/include/openssl/rsaerr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -11,9 +11,7 @@ + #ifndef HEADER_RSAERR_H + # define HEADER_RSAERR_H + +-# ifndef HEADER_SYMHACKS_H +-# include +-# endif ++# include + + # ifdef __cplusplus + extern "C" +@@ -25,7 +23,7 @@ int ERR_load_RSA_strings(void); + */ + # define RSA_F_CHECK_PADDING_MD 140 + # define RSA_F_ENCODE_PKCS1 146 +-# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 206 ++# define RSA_F_FIPS_RSA_BUILTIN_KEYGEN 168 + # define RSA_F_INT_RSA_VERIFY 145 + # define RSA_F_OLD_RSA_PRIV_DECODE 147 + # define RSA_F_PKEY_PSS_INIT 165 +@@ -40,8 +38,8 @@ int ERR_load_RSA_strings(void); + # define RSA_F_RSA_CHECK_KEY_EX 160 + # define RSA_F_RSA_CMS_DECRYPT 159 + # define RSA_F_RSA_CMS_VERIFY 158 +-# define RSA_F_RSA_GENERATE_KEY_EX 204 +-# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY 207 ++# define RSA_F_RSA_GENERATE_KEY_EX 169 ++# define RSA_F_RSA_GENERATE_MULTI_PRIME_KEY 170 + # define RSA_F_RSA_ITEM_VERIFY 148 + # define RSA_F_RSA_METH_DUP 161 + # define RSA_F_RSA_METH_NEW 162 +@@ -77,18 +75,18 @@ int ERR_load_RSA_strings(void); + # define RSA_F_RSA_PARAM_DECODE 164 + # define RSA_F_RSA_PRINT 115 + # define RSA_F_RSA_PRINT_FP 116 ++# define RSA_F_RSA_PRIVATE_DECRYPT 171 ++# define RSA_F_RSA_PRIVATE_ENCRYPT 172 + # define RSA_F_RSA_PRIV_DECODE 150 + # define RSA_F_RSA_PRIV_ENCODE 138 +-# define RSA_F_RSA_PRIVATE_DECRYPT 200 +-# define RSA_F_RSA_PRIVATE_ENCRYPT 201 + # define RSA_F_RSA_PSS_GET_PARAM 151 + # define RSA_F_RSA_PSS_TO_CTX 155 ++# define RSA_F_RSA_PUBLIC_DECRYPT 173 ++# define RSA_F_RSA_PUBLIC_ENCRYPT 174 + # define RSA_F_RSA_PUB_DECODE 139 +-# define RSA_F_RSA_PUBLIC_DECRYPT 202 +-# define RSA_F_RSA_PUBLIC_ENCRYPT 203 + # define RSA_F_RSA_SETUP_BLINDING 136 +-# define RSA_F_RSA_SET_DEFAULT_METHOD 205 +-# define RSA_F_RSA_SET_METHOD 204 ++# define RSA_F_RSA_SET_DEFAULT_METHOD 175 ++# define RSA_F_RSA_SET_METHOD 176 + # define RSA_F_RSA_SIGN 117 + # define RSA_F_RSA_SIGN_ASN1_OCTET_STRING 118 + # define RSA_F_RSA_VERIFY 119 +@@ -139,19 +137,19 @@ int ERR_load_RSA_strings(void); + # define RSA_R_KEY_PRIME_NUM_INVALID 165 + # define RSA_R_KEY_SIZE_TOO_SMALL 120 + # define RSA_R_LAST_OCTET_INVALID 134 +-# define RSA_R_MISSING_PRIVATE_KEY 179 + # define RSA_R_MGF1_DIGEST_NOT_ALLOWED 152 ++# define RSA_R_MISSING_PRIVATE_KEY 179 + # define RSA_R_MODULUS_TOO_LARGE 105 + # define RSA_R_MP_COEFFICIENT_NOT_INVERSE_OF_R 168 + # define RSA_R_MP_EXPONENT_NOT_CONGRUENT_TO_D 169 + # define RSA_R_MP_R_NOT_PRIME 170 ++# define RSA_R_NON_FIPS_RSA_METHOD 171 + # define RSA_R_NO_PUBLIC_EXPONENT 140 +-# define RSA_R_NON_FIPS_RSA_METHOD 200 + # define RSA_R_NULL_BEFORE_BLOCK_MISSING 113 + # define RSA_R_N_DOES_NOT_EQUAL_PRODUCT_OF_PRIMES 172 + # define RSA_R_N_DOES_NOT_EQUAL_P_Q 127 + # define RSA_R_OAEP_DECODING_ERROR 121 +-# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 201 ++# define RSA_R_OPERATION_NOT_ALLOWED_IN_FIPS_MODE 173 + # define RSA_R_OPERATION_NOT_SUPPORTED_FOR_THIS_KEYTYPE 148 + # define RSA_R_PADDING_CHECK_FAILED 114 + # define RSA_R_PKCS_DECODING_ERROR 159 +@@ -171,7 +169,7 @@ int ERR_load_RSA_strings(void); + # define RSA_R_UNSUPPORTED_LABEL_SOURCE 163 + # define RSA_R_UNSUPPORTED_MASK_ALGORITHM 153 + # define RSA_R_UNSUPPORTED_MASK_PARAMETER 154 +-# define RSA_R_UNSUPPORTED_PARAMETERS 202 ++# define RSA_R_UNSUPPORTED_PARAMETERS 174 + # define RSA_R_UNSUPPORTED_SIGNATURE_TYPE 155 + # define RSA_R_VALUE_MISSING 147 + # define RSA_R_WRONG_SIGNATURE_LENGTH 119 diff --git a/openssl-1_1-ossl-sli-003-add-sli.patch b/openssl-1_1-ossl-sli-003-add-sli.patch new file mode 100644 index 0000000..5509b3d --- /dev/null +++ b/openssl-1_1-ossl-sli-003-add-sli.patch @@ -0,0 +1,3333 @@ +--- + crypto/cmac/cm_pmeth.c | 5 + crypto/cmac/cmac.c | 16 + crypto/dh/dh_pmeth.c | 4 + crypto/dsa/dsa_pmeth.c | 5 + crypto/ec/ec_pmeth.c | 13 + crypto/ec/ecx_meth.c | 2 + crypto/evp/digest.c | 2 + crypto/evp/e_aes.c | 70 +++ + crypto/evp/evp_enc.c | 3 + crypto/evp/evp_local.h | 4 + crypto/evp/kdf_lib.c | 11 + crypto/evp/m_sigver.c | 54 ++ + crypto/evp/p5_crpt2.c | 38 + + crypto/evp/p_open.c | 3 + crypto/evp/p_seal.c | 3 + crypto/evp/p_sign.c | 5 + crypto/evp/p_verify.c | 4 + crypto/evp/pkey_kdf.c | 5 + crypto/evp/pmeth_lib.c | 2 + crypto/fips/build.info | 2 + crypto/fips/fips_sli.c | 371 ++++++++++++++++ + crypto/hmac/hm_pmeth.c | 5 + crypto/hmac/hmac.c | 49 +- + crypto/hmac/hmac_local.h | 4 + crypto/kdf/hkdf.c | 8 + crypto/kdf/pbkdf2.c | 14 + crypto/kdf/scrypt.c | 7 + crypto/kdf/sshkdf.c | 13 + crypto/kdf/tls1_prf.c | 12 + crypto/poly1305/poly1305_pmeth.c | 4 + crypto/rand/rand_lib.c | 12 + crypto/rsa/rsa_pmeth.c | 61 ++ + crypto/sha/sha1_one.c | 5 + crypto/siphash/siphash_pmeth.c | 4 + crypto/sm2/sm2_pmeth.c | 5 + doc/man3/FIPS_service_level_indicator.pod | 110 +++++ + include/crypto/evp.h | 5 + include/crypto/fipserr.h | 121 +++++ + include/internal/fips_sli_local.h | 96 ++++ + include/openssl/fips_sli.h | 32 + + test/build.info | 6 + test/fips_slitest.c | 659 ++++++++++++++++++++++++++++++ + test/fips_slitest_helper.c | 489 ++++++++++++++++++++++ + test/fips_slitest_helper.h | 29 + + test/recipes/30-test_fips_sli.t | 4 + util/libcrypto.num | 11 + 46 files changed, 2345 insertions(+), 42 deletions(-) + +--- a/crypto/cmac/cm_pmeth.c ++++ b/crypto/cmac/cm_pmeth.c +@@ -72,7 +72,10 @@ static int cmac_signctx_init(EVP_PKEY_CT + static int cmac_signctx(EVP_PKEY_CTX *ctx, unsigned char *sig, size_t *siglen, + EVP_MD_CTX *mctx) + { +- return CMAC_Final(ctx->data, sig, siglen); ++ const int r = CMAC_Final(ctx->data, sig, siglen); ++ if (!fips_sli_is_approved_CMAC_CTX(ctx->data)) ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ return r; + } + + static int pkey_cmac_ctrl(EVP_PKEY_CTX *ctx, int type, int p1, void *p2) +--- a/crypto/cmac/cmac.c ++++ b/crypto/cmac/cmac.c +@@ -13,6 +13,7 @@ + #include "internal/cryptlib.h" + #include + #include ++#include "internal/fips_sli_local.h" + + struct CMAC_CTX_st { + /* Cipher context to use */ +@@ -26,8 +27,11 @@ struct CMAC_CTX_st { + unsigned char last_block[EVP_MAX_BLOCK_LENGTH]; + /* Number of bytes in last block: -1 means context not initialised */ + int nlast_block; ++ FIPS_STATUS sli; /* Service Level Indicator */ + }; + ++fips_sli_define_for(CMAC_CTX) ++ + /* Make temporary keys K1 and K2 */ + + static void make_kn(unsigned char *k1, const unsigned char *l, int bl) +@@ -62,6 +66,7 @@ CMAC_CTX *CMAC_CTX_new(void) + + void CMAC_CTX_cleanup(CMAC_CTX *ctx) + { ++ ctx->sli = FIPS_UNSET; + EVP_CIPHER_CTX_reset(ctx->cctx); + OPENSSL_cleanse(ctx->tbl, EVP_MAX_BLOCK_LENGTH); + OPENSSL_cleanse(ctx->k1, EVP_MAX_BLOCK_LENGTH); +@@ -97,6 +102,7 @@ int CMAC_CTX_copy(CMAC_CTX *out, const C + memcpy(out->tbl, in->tbl, bl); + memcpy(out->last_block, in->last_block, bl); + out->nlast_block = in->nlast_block; ++ out->sli = in->sli; + return 1; + } + +@@ -104,6 +110,7 @@ int CMAC_Init(CMAC_CTX *ctx, const void + const EVP_CIPHER *cipher, ENGINE *impl) + { + static const unsigned char zero_iv[EVP_MAX_BLOCK_LENGTH] = { 0 }; ++ ctx->sli = FIPS_UNSET; + /* All zeros means restart */ + if (!key && !cipher && !impl && keylen == 0) { + /* Not initialised */ +@@ -215,6 +222,15 @@ int CMAC_Final(CMAC_CTX *ctx, unsigned c + OPENSSL_cleanse(out, bl); + return 0; + } ++ switch (EVP_CIPHER_nid(EVP_CIPHER_CTX_cipher(ctx->cctx))) { ++ case NID_aes_128_cbc: ++ case NID_aes_192_cbc: ++ case NID_aes_256_cbc: ++ fips_sli_approve_CMAC_CTX(ctx); ++ break; ++ default: ++ fips_sli_disapprove_CMAC_CTX(ctx); ++ } + return 1; + } + +--- a/crypto/dh/dh_pmeth.c ++++ b/crypto/dh/dh_pmeth.c +@@ -466,6 +466,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX * + if (ret < 0) + return ret; + *keylen = ret; ++ fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, ctx->peerkey->pkey.dh); ++ fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, dh); + return 1; + } + #ifndef OPENSSL_NO_CMS +@@ -493,6 +495,8 @@ static int pkey_dh_derive(EVP_PKEY_CTX * + dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md)) + goto err; + *keylen = dctx->kdf_outlen; ++ fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, ctx->peerkey->pkey.dh); ++ fips_sli_check_key_dh_EVP_PKEY_CTX(ctx, dh); + ret = 1; + err: + OPENSSL_clear_free(Z, Zlen); +--- a/crypto/dsa/dsa_pmeth.c ++++ b/crypto/dsa/dsa_pmeth.c +@@ -77,6 +77,8 @@ static int pkey_dsa_sign(EVP_PKEY_CTX *c + DSA_PKEY_CTX *dctx = ctx->data; + DSA *dsa = ctx->pkey->pkey.dsa; + ++ fips_sli_check_key_dsa_siggen_EVP_PKEY_CTX(ctx, dsa); ++ + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; + +@@ -96,6 +98,8 @@ static int pkey_dsa_verify(EVP_PKEY_CTX + DSA_PKEY_CTX *dctx = ctx->data; + DSA *dsa = ctx->pkey->pkey.dsa; + ++ fips_sli_check_key_dsa_sigver_EVP_PKEY_CTX(ctx, dsa); ++ + if (dctx->md != NULL && tbslen != (size_t)EVP_MD_size(dctx->md)) + return 0; + +@@ -224,6 +228,7 @@ static int pkey_dsa_paramgen(EVP_PKEY_CT + static int pkey_dsa_keygen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) + { + DSA *dsa = NULL; ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + + if (ctx->pkey == NULL) { + DSAerr(DSA_F_PKEY_DSA_KEYGEN, DSA_R_NO_PARAMETERS_SET); +--- a/crypto/ec/ec_pmeth.c ++++ b/crypto/ec/ec_pmeth.c +@@ -122,6 +122,7 @@ static int pkey_ec_sign(EVP_PKEY_CTX *ct + + type = (dctx->md != NULL) ? EVP_MD_type(dctx->md) : NID_sha1; + ++ fips_sli_check_curve_siggen_EVP_PKEY_CTX(ctx, EC_KEY_get0_group(ec)); + ret = ECDSA_sign(type, tbs, tbslen, sig, &sltmp, ec); + + if (ret <= 0) +@@ -143,6 +144,7 @@ static int pkey_ec_verify(EVP_PKEY_CTX * + else + type = NID_sha1; + ++ fips_sli_check_curve_sigver_EVP_PKEY_CTX(ctx, EC_KEY_get0_group(ec)); + ret = ECDSA_verify(type, tbs, tbslen, sig, siglen, ec); + + return ret; +@@ -182,6 +184,8 @@ static int pkey_ec_derive(EVP_PKEY_CTX * + if (ret <= 0) + return 0; + *keylen = ret; ++ fips_sli_check_key_ecdh_EVP_PKEY_CTX(ctx, eckey); ++ fips_sli_check_key_ecdh_EVP_PKEY_CTX(ctx, ctx->peerkey->pkey.ec); + return 1; + } + +@@ -208,6 +212,8 @@ static int pkey_ec_kdf_derive(EVP_PKEY_C + } + if (!pkey_ec_derive(ctx, ktmp, &ktmplen)) + goto err; ++ /* ANSI-X9.63-KDF (X9_62) is FIPS-approved, but we don't have a selftest */ ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + /* Do KDF stuff */ + if (!ecdh_KDF_X9_63(key, *keylen, ktmp, ktmplen, + dctx->kdf_ukm, dctx->kdf_ukmlen, dctx->kdf_md)) +@@ -433,7 +439,12 @@ static int pkey_ec_keygen(EVP_PKEY_CTX * + else + ret = EC_KEY_set_group(ec, dctx->gen_group); + +- return ret ? EC_KEY_generate_key(ec) : 0; ++ if (ret) { ++ fips_sli_check_key_ec_keygen_EVP_PKEY_CTX(ctx, ec); ++ return EC_KEY_generate_key(ec); ++ } else { ++ return 0; ++ } + } + + static const EVP_PKEY_METHOD ec_pkey_meth = { +--- a/crypto/ec/ecx_meth.c ++++ b/crypto/ec/ecx_meth.c +@@ -691,6 +691,7 @@ static int pkey_ecx_derive25519(EVP_PKEY + && X25519(key, privkey, pubkey) == 0)) + return 0; + *keylen = X25519_KEYLEN; ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return 1; + } + +@@ -704,6 +705,7 @@ static int pkey_ecx_derive448(EVP_PKEY_C + && X448(key, privkey, pubkey) == 0)) + return 0; + *keylen = X448_KEYLEN; ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return 1; + } + +--- a/crypto/evp/digest.c ++++ b/crypto/evp/digest.c +@@ -40,6 +40,7 @@ int EVP_MD_CTX_reset(EVP_MD_CTX *ctx) + if (ctx == NULL) + return 1; + ++ ctx->sli = FIPS_UNSET; + /* + * Don't assume ctx->md_data was cleaned in EVP_Digest_Final, because + * sometimes only copies of the context are ever finalised. +@@ -80,6 +81,7 @@ int EVP_DigestInit(EVP_MD_CTX *ctx, cons + int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl) + { + EVP_MD_CTX_clear_flags(ctx, EVP_MD_CTX_FLAG_CLEANED); ++ ctx->sli = FIPS_UNSET; + #ifdef OPENSSL_FIPS + if (FIPS_selftest_failed()) { + FIPSerr(FIPS_F_EVP_DIGESTINIT_EX, FIPS_R_FIPS_SELFTEST_FAILED); +--- a/crypto/evp/e_aes.c ++++ b/crypto/evp/e_aes.c +@@ -4303,3 +4303,73 @@ BLOCK_CIPHER_custom(NID_aes, 192, 16, 12 + BLOCK_CIPHER_custom(NID_aes, 256, 16, 12, ocb, OCB, + EVP_CIPH_FLAG_AEAD_CIPHER | CUSTOM_FLAGS) + #endif /* OPENSSL_NO_OCB */ ++ ++/* Use an explicit whitelist here (due to the number of ciphers and modes) */ ++FIPS_STATUS EVP_CIPHER_get_fips_status(const EVP_CIPHER *cipher) { ++ /* switch on pointers is not entirely portable */ ++ if (cipher->do_cipher == aes_cbc_cipher ++ || cipher->do_cipher == aes_ecb_cipher ++ || cipher->do_cipher == aes_xts_cipher ++ || cipher->do_cipher == aes_ofb_cipher ++ || cipher->do_cipher == aes_cfb_cipher ++ || cipher->do_cipher == aes_cfb1_cipher ++ || cipher->do_cipher == aes_cfb8_cipher ++ || cipher->do_cipher == aes_ctr_cipher ++ || cipher->do_cipher == aes_gcm_cipher ++ || cipher->do_cipher == aes_gcm_tls_cipher ++ || cipher->do_cipher == aes_ccm_cipher ++ #if defined(OPENSSL_CPUID_OBJ) && ( \ ++ ((defined(__i386) || defined(__i386__) || defined(_M_IX86))\ ++ && defined(OPENSSL_IA32_SSE2)) \ ++ || defined(__x86_64) || defined(__x86_64__) \ ++ || defined(_M_AMD64) || defined(_M_X64)) ++ || cipher->do_cipher == aesni_cbc_cipher /* AES-NI */ ++ || cipher->do_cipher == aesni_ecb_cipher ++ || cipher->do_cipher == aesni_xts_cipher ++ || cipher->do_cipher == aesni_ofb_cipher ++ || cipher->do_cipher == aesni_cfb_cipher ++ || cipher->do_cipher == aesni_cfb1_cipher ++ || cipher->do_cipher == aesni_cfb8_cipher ++ || cipher->do_cipher == aesni_ctr_cipher ++ || cipher->do_cipher == aesni_gcm_cipher ++ || cipher->do_cipher == aesni_ccm_cipher ++ #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__) ++ || cipher->do_cipher == s390x_aes_cbc_cipher /* System/390 */ ++ || cipher->do_cipher == s390x_aes_ecb_cipher ++ || cipher->do_cipher == s390x_aes_xts_cipher ++ || cipher->do_cipher == s390x_aes_ofb_cipher ++ || cipher->do_cipher == s390x_aes_cfb_cipher ++ || cipher->do_cipher == s390x_aes_cfb1_cipher ++ || cipher->do_cipher == s390x_aes_cfb8_cipher ++ || cipher->do_cipher == s390x_aes_ctr_cipher ++ || cipher->do_cipher == s390x_aes_gcm_cipher ++ || cipher->do_cipher == s390x_aes_gcm_tls_cipher ++ || cipher->do_cipher == s390x_aes_ccm_cipher ++ #endif ++ || cipher->do_cipher == aes_wrap_cipher /* key wrapping */ ++ ) { ++ switch (EVP_CIPHER_key_length(cipher) * 8) { ++ case 128: ++ case 192: ++ if (cipher->do_cipher == aes_xts_cipher ++ #if defined(OPENSSL_CPUID_OBJ) && ( \ ++ ((defined(__i386) || defined(__i386__) || defined(_M_IX86))\ ++ && defined(OPENSSL_IA32_SSE2)) \ ++ || defined(__x86_64) || defined(__x86_64__) \ ++ || defined(_M_AMD64) || defined(_M_X64)) ++ || cipher->do_cipher == aesni_xts_cipher ++ #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__) ++ || cipher->do_cipher == s390x_aes_xts_cipher ++ #endif ++ ) ++ return FIPS_NONAPPROVED; ++ /* intended fall-through */ ++ case 256: ++ return FIPS_APPROVED; ++ } ++ } ++ /* disapproved for enc and dec: all others, including ++ * 3DES and AES modes ++ * aes_ocb_cipher */ ++ return FIPS_NONAPPROVED; ++} +--- a/crypto/evp/evp_enc.c ++++ b/crypto/evp/evp_enc.c +@@ -32,6 +32,7 @@ int EVP_CIPHER_CTX_reset(EVP_CIPHER_CTX + #endif + if (c == NULL) + return 1; ++ c->sli = FIPS_UNSET; + if (c->cipher != NULL) { + if (c->cipher->cleanup && !c->cipher->cleanup(c)) + return 0; +@@ -116,6 +117,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct + /* Restore encrypt and flags */ + ctx->encrypt = enc; + ctx->flags = flags; ++ ctx->sli = FIPS_UNSET; + } + #ifndef OPENSSL_NO_ENGINE + if (impl) { +@@ -237,6 +239,7 @@ int EVP_CipherInit_ex(EVP_CIPHER_CTX *ct + ctx->buf_len = 0; + ctx->final_used = 0; + ctx->block_mask = ctx->cipher->block_size - 1; ++ fips_sli_check_cipher_EVP_CIPHER_CTX(ctx, ctx->cipher); + return 1; + } + +--- a/crypto/evp/evp_local.h ++++ b/crypto/evp/evp_local.h +@@ -1,3 +1,4 @@ ++#include "internal/fips_sli_local.h" + /* + * Copyright 2000-2022 The OpenSSL Project Authors. All Rights Reserved. + * +@@ -19,6 +20,7 @@ struct evp_md_ctx_st { + EVP_PKEY_CTX *pctx; + /* Update function: usually copied from EVP_MD */ + int (*update) (EVP_MD_CTX *ctx, const void *data, size_t count); ++ FIPS_STATUS sli; /* Service Level Indicator */ + } /* EVP_MD_CTX */ ; + + struct evp_cipher_ctx_st { +@@ -39,11 +41,13 @@ struct evp_cipher_ctx_st { + int final_used; + int block_mask; + unsigned char final[EVP_MAX_BLOCK_LENGTH]; /* possible final block */ ++ FIPS_STATUS sli; /* Service Level Indicator */ + } /* EVP_CIPHER_CTX */ ; + + struct evp_kdf_ctx_st { + const EVP_KDF_METHOD *kmeth; + EVP_KDF_IMPL *impl; /* Algorithm-specific data */ ++ FIPS_STATUS sli; /* Service Level Indicator */ + } /* EVP_KDF_CTX */ ; + + int PKCS5_v2_PBKDF2_keyivgen(EVP_CIPHER_CTX *ctx, const char *pass, +--- a/crypto/evp/kdf_lib.c ++++ b/crypto/evp/kdf_lib.c +@@ -17,6 +17,7 @@ + #include + #include "crypto/asn1.h" + #include "crypto/evp.h" ++#include "internal/fips_sli_local.h" + #include "internal/numbers.h" + #include "evp_local.h" + +@@ -82,6 +83,7 @@ EVP_KDF_CTX *EVP_KDF_CTX_new_id(int id) + } + + ret->kmeth = kmeth; ++ ret->sli = FIPS_UNSET; + return ret; + } + +@@ -101,6 +103,7 @@ void EVP_KDF_reset(EVP_KDF_CTX *ctx) + + if (ctx->kmeth->reset != NULL) + ctx->kmeth->reset(ctx->impl); ++ ctx->sli = FIPS_UNSET; + } + + int EVP_KDF_ctrl(EVP_KDF_CTX *ctx, int cmd, ...) +@@ -161,6 +164,12 @@ int EVP_KDF_derive(EVP_KDF_CTX *ctx, uns + if (ctx == NULL) + return 0; + +- return ctx->kmeth->derive(ctx->impl, key, keylen); ++ int ret = ctx->kmeth->derive(ctx->impl, key, keylen); ++ if (ctx->kmeth->fips_sli_is_approved(ctx->impl)) ++ fips_sli_approve_EVP_KDF_CTX(ctx); ++ else ++ fips_sli_disapprove_EVP_KDF_CTX(ctx); ++ ++ return ret; + } + +--- a/crypto/evp/m_sigver.c ++++ b/crypto/evp/m_sigver.c +@@ -105,15 +105,21 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + if (pctx->pmeth->flags & EVP_PKEY_FLAG_SIGCTX_CUSTOM) { + if (!sigret) + return pctx->pmeth->signctx(pctx, sigret, siglen, ctx); +- if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) ++ if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) { + r = pctx->pmeth->signctx(pctx, sigret, siglen, ctx); +- else { ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ } else { + EVP_PKEY_CTX *dctx = EVP_PKEY_CTX_dup(ctx->pctx); + if (!dctx) + return 0; + r = dctx->pmeth->signctx(dctx, sigret, siglen, ctx); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(dctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + EVP_PKEY_CTX_free(dctx); + } ++ /* stricter than necessary, ctx->digest might be set but unused */ ++ fips_sli_check_hash_siggen_EVP_MD_CTX(ctx, ctx->digest); + return r; + } + if (pctx->pmeth->signctx) +@@ -124,8 +130,11 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int mdlen = 0; + if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) { +- if (sctx) ++ if (sctx) { + r = ctx->pctx->pmeth->signctx(ctx->pctx, sigret, siglen, ctx); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(ctx->pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ } + else + r = EVP_DigestFinal_ex(ctx, md, &mdlen); + } else { +@@ -136,16 +145,25 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + EVP_MD_CTX_free(tmp_ctx); + return 0; + } +- if (sctx) ++ if (sctx) { + r = tmp_ctx->pctx->pmeth->signctx(tmp_ctx->pctx, + sigret, siglen, tmp_ctx); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(tmp_ctx->pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ } + else + r = EVP_DigestFinal_ex(tmp_ctx, md, &mdlen); + EVP_MD_CTX_free(tmp_ctx); + } ++ /* stricter than necessary, ctx->digest might be set but unused */ ++ fips_sli_check_hash_siggen_EVP_MD_CTX(ctx, ctx->digest); ++ + if (sctx || !r) + return r; +- if (EVP_PKEY_sign(ctx->pctx, sigret, siglen, md, mdlen) <= 0) ++ r = EVP_PKEY_sign(ctx->pctx, sigret, siglen, md, mdlen); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(ctx->pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ if (r <= 0) + return 0; + } else { + if (sctx) { +@@ -163,8 +181,12 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, + const unsigned char *tbs, size_t tbslen) + { +- if (ctx->pctx->pmeth->digestsign != NULL) ++ if (ctx->pctx->pmeth->digestsign != NULL) { ++ /* digestsign is only used for ed25519 and ed448 signatures, so should ++ * be safe to disapprove it completely */ ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + return ctx->pctx->pmeth->digestsign(ctx, sigret, siglen, tbs, tbslen); ++ } + if (sigret != NULL && EVP_DigestSignUpdate(ctx, tbs, tbslen) <= 0) + return 0; + return EVP_DigestSignFinal(ctx, sigret, siglen); +@@ -178,9 +200,14 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct + unsigned int mdlen = 0; + int vctx = 0; + +- if (ctx->pctx->pmeth->verifyctx) ++ fips_sli_check_hash_sigver_EVP_MD_CTX(ctx, EVP_MD_CTX_md(ctx)); ++ ++ if (ctx->pctx->pmeth->verifyctx) { + vctx = 1; +- else ++ /* verifyctx seems to be unused by openssl, so should be safe to ++ * disapprove it */ ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ } else + vctx = 0; + if (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) { + if (vctx) +@@ -204,14 +231,21 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct + } + if (vctx || !r) + return r; +- return EVP_PKEY_verify(ctx->pctx, sig, siglen, md, mdlen); ++ const int res = EVP_PKEY_verify(ctx->pctx, sig, siglen, md, mdlen); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(ctx->pctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); ++ return res; + } + + int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, + size_t siglen, const unsigned char *tbs, size_t tbslen) + { +- if (ctx->pctx->pmeth->digestverify != NULL) ++ if (ctx->pctx->pmeth->digestverify != NULL) { ++ /* digestverify is only used for ed25519 and ed448 signatures, so should ++ * be safe to disapprove it completely */ ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + return ctx->pctx->pmeth->digestverify(ctx, sigret, siglen, tbs, tbslen); ++ } + if (EVP_DigestVerifyUpdate(ctx, tbs, tbslen) <= 0) + return -1; + return EVP_DigestVerifyFinal(ctx, sigret, siglen); +--- a/crypto/evp/p5_crpt2.c ++++ b/crypto/evp/p5_crpt2.c +@@ -10,6 +10,7 @@ + #include + #include + #include "internal/cryptlib.h" ++#include "internal/fips_sli_local.h" + #include + #include + #include +@@ -24,13 +25,13 @@ + static void h__dump(const unsigned char *p, int len); + #endif + +-int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, ++static int PKCS5_PBKDF2_HMAC_internal(const char *pass, int passlen, + const unsigned char *salt, int saltlen, int iter, +- const EVP_MD *digest, int keylen, unsigned char *out) ++ const EVP_MD *digest, int keylen, unsigned char *out, ++ EVP_KDF_CTX *kctx) + { + const char *empty = ""; + int rv = 1; +- EVP_KDF_CTX *kctx; + + /* Keep documented behaviour. */ + if (pass == NULL) { +@@ -42,9 +43,6 @@ int PKCS5_PBKDF2_HMAC(const char *pass, + if (salt == NULL && saltlen == 0) + salt = (unsigned char *)empty; + +- kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2); +- if (kctx == NULL) +- return 0; + if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, pass, (size_t)passlen) != 1 + || EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, + salt, (size_t)saltlen) != 1 +@@ -53,8 +51,6 @@ int PKCS5_PBKDF2_HMAC(const char *pass, + || EVP_KDF_derive(kctx, out, keylen) != 1) + rv = 0; + +- EVP_KDF_CTX_free(kctx); +- + # ifdef OPENSSL_DEBUG_PKCS5V2 + fprintf(stderr, "Password:\n"); + h__dump(pass, passlen); +@@ -67,6 +63,32 @@ int PKCS5_PBKDF2_HMAC(const char *pass, + return rv; + } + ++int PKCS5_PBKDF2_HMAC(const char *pass, int passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, int keylen, unsigned char *out) ++{ ++ EVP_KDF_CTX *kctx; ++ kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2); ++ if (kctx == NULL) ++ return 0; ++ int ret = PKCS5_PBKDF2_HMAC_internal(pass, passlen, salt, saltlen, iter, digest, keylen, out, kctx); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++int fips_sli_PKCS5_PBKDF2_HMAC_is_approved(const char *pass, int passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, int keylen, unsigned char *out) ++{ ++ EVP_KDF_CTX *kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2); ++ if (kctx == NULL) ++ return 0; ++ PKCS5_PBKDF2_HMAC_internal(pass, passlen, salt, saltlen, iter, digest, keylen, out, kctx); ++ int ret = fips_sli_is_approved_EVP_KDF_CTX(kctx); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + int PKCS5_PBKDF2_HMAC_SHA1(const char *pass, int passlen, + const unsigned char *salt, int saltlen, int iter, + int keylen, unsigned char *out) +--- a/crypto/evp/p_open.c ++++ b/crypto/evp/p_open.c +@@ -8,6 +8,7 @@ + */ + + #include "internal/cryptlib.h" ++#include "internal/fips_sli_local.h" + #ifdef OPENSSL_NO_RSA + NON_EMPTY_TRANSLATION_UNIT + #else +@@ -47,6 +48,8 @@ int EVP_OpenInit(EVP_CIPHER_CTX *ctx, co + goto err; + } + ++ // EVP_PKEY_decrypt_old always uses RSA dec ++ fips_sli_disapprove_EVP_CIPHER_CTX(ctx); + i = EVP_PKEY_decrypt_old(key, ek, ekl, priv); + if ((i <= 0) || !EVP_CIPHER_CTX_set_key_length(ctx, i)) { + /* ERROR */ +--- a/crypto/evp/p_seal.c ++++ b/crypto/evp/p_seal.c +@@ -9,6 +9,7 @@ + + #include + #include "internal/cryptlib.h" ++#include "internal/fips_sli_local.h" + #include + #include + #include +@@ -44,6 +45,8 @@ int EVP_SealInit(EVP_CIPHER_CTX *ctx, co + ekl[i] = + EVP_PKEY_encrypt_old(ek[i], key, EVP_CIPHER_CTX_key_length(ctx), + pubk[i]); ++ // EVP_PKEY_encrypt_old always uses RSA encryption ++ fips_sli_disapprove_EVP_CIPHER_CTX(ctx); + if (ekl[i] <= 0) { + rv = -1; + goto err; +--- a/crypto/evp/p_sign.c ++++ b/crypto/evp/p_sign.c +@@ -23,6 +23,8 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig + size_t sltmp; + EVP_PKEY_CTX *pkctx = NULL; + ++ fips_sli_check_hash_sigver_EVP_MD_CTX(ctx, EVP_MD_CTX_md(ctx)); ++ + *siglen = 0; + if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_FINALISE)) { + if (!EVP_DigestFinal_ex(ctx, m, &m_len)) +@@ -37,6 +39,7 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig + rv = EVP_MD_CTX_copy_ex(tmp_ctx, ctx); + if (rv) + rv = EVP_DigestFinal_ex(tmp_ctx, m, &m_len); ++ + EVP_MD_CTX_free(tmp_ctx); + if (!rv) + return 0; +@@ -53,6 +56,8 @@ int EVP_SignFinal(EVP_MD_CTX *ctx, unsig + goto err; + if (EVP_PKEY_sign(pkctx, sigret, &sltmp, m, m_len) <= 0) + goto err; ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(pkctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + *siglen = sltmp; + i = 1; + err: +--- a/crypto/evp/p_verify.c ++++ b/crypto/evp/p_verify.c +@@ -22,6 +22,8 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con + int i = 0; + EVP_PKEY_CTX *pkctx = NULL; + ++ fips_sli_check_hash_sigver_EVP_MD_CTX(ctx, EVP_MD_CTX_md(ctx)); ++ + if (EVP_MD_CTX_test_flags(ctx, EVP_MD_CTX_FLAG_FINALISE)) { + if (!EVP_DigestFinal_ex(ctx, m, &m_len)) + goto err; +@@ -49,6 +51,8 @@ int EVP_VerifyFinal(EVP_MD_CTX *ctx, con + if (EVP_PKEY_CTX_set_signature_md(pkctx, EVP_MD_CTX_md(ctx)) <= 0) + goto err; + i = EVP_PKEY_verify(pkctx, sigbuf, siglen, m, m_len); ++ if (!fips_sli_is_approved_EVP_PKEY_CTX(pkctx)) ++ fips_sli_disapprove_EVP_MD_CTX(ctx); + err: + EVP_PKEY_CTX_free(pkctx); + return i; +--- a/crypto/evp/pkey_kdf.c ++++ b/crypto/evp/pkey_kdf.c +@@ -158,7 +158,10 @@ static int pkey_kdf_derive(EVP_PKEY_CTX + if (key == NULL) + return 1; + } +- return EVP_KDF_derive(kctx, key, *keylen); ++ int ret = EVP_KDF_derive(kctx, key, *keylen); ++ if (!fips_sli_is_approved_EVP_KDF_CTX(kctx)) ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ return ret; + } + + #ifndef OPENSSL_NO_SCRYPT +--- a/crypto/evp/pmeth_lib.c ++++ b/crypto/evp/pmeth_lib.c +@@ -162,6 +162,7 @@ static EVP_PKEY_CTX *int_ctx_new(EVP_PKE + EVPerr(EVP_F_INT_CTX_NEW, ERR_R_MALLOC_FAILURE); + return NULL; + } ++ ret->sli = FIPS_UNSET; + ret->engine = e; + ret->pmeth = pmeth; + ret->operation = EVP_PKEY_OP_UNDEFINED; +@@ -299,6 +300,7 @@ EVP_PKEY_CTX *EVP_PKEY_CTX_dup(EVP_PKEY_ + rctx->data = NULL; + rctx->app_data = NULL; + rctx->operation = pctx->operation; ++ rctx->sli = pctx->sli; + + if (pctx->pmeth->copy(rctx, pctx) > 0) + return rctx; +--- a/crypto/fips/build.info ++++ b/crypto/fips/build.info +@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\ + fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ +- fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c ++ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c fips_sli.c + + PROGRAMS=\ + fips_standalone_hmac +--- /dev/null ++++ b/crypto/fips/fips_sli.c +@@ -0,0 +1,371 @@ ++#include ++#include ++#include ++#include "crypto/evp.h" ++#include "../evp/evp_local.h" ++#include "../hmac/hmac_local.h" ++#include "internal/fips_sli_local.h" ++ ++/* Main part of the FIPS Service Level Indicator ++ If you want to quickly change its behaviour, you most likely want to start here ++ - beware of some exceptions, though... */ ++ ++FIPS_STATUS fips_sli_fsm_transition(FIPS_STATUS state, FIPS_STATUS input) { ++ switch (state) { ++ case FIPS_UNSET: ++ switch (input) { ++ case FIPS_UNSET: /* ignore */ ++ return state; ++ case FIPS_APPROVED: ++ case FIPS_NONAPPROVED: ++ case FIPS_ERROR: ++ return input; ++ } ++ break; ++ case FIPS_APPROVED: ++ switch (input) { ++ case FIPS_UNSET: /* ignore */ ++ case FIPS_APPROVED: ++ return state; ++ case FIPS_NONAPPROVED: ++ case FIPS_ERROR: ++ return input; ++ } ++ break; ++ case FIPS_NONAPPROVED: ++ return state; ++ case FIPS_ERROR: ++ switch (input) { ++ case FIPS_UNSET: /* ignore */ ++ case FIPS_APPROVED: ++ case FIPS_ERROR: ++ return state; ++ case FIPS_NONAPPROVED: ++ return input; ++ } ++ } ++ abort(); ++} ++ ++fips_sli_define_for(EVP_CIPHER_CTX) ++fips_sli_define_for(EVP_KDF_CTX) ++fips_sli_define_for(EVP_MD_CTX) ++fips_sli_define_for(EVP_PKEY_CTX) ++fips_sli_define_for(HMAC_CTX) ++ ++typedef enum curve_usage_e { ++ CURVE_KEYGEN, ++ CURVE_SIGGEN, ++ CURVE_SIGVER, ++ CURVE_DH ++} CURVE_USAGE; ++ ++/* Check whether a curve is okay for some type of usage */ ++static FIPS_STATUS get_fips_curve_status(const EC_GROUP *group, CURVE_USAGE u) { ++ if (group == NULL) { ++ return FIPS_ERROR; ++ } ++ ++ switch (u) { ++ case CURVE_KEYGEN: ++ switch (EC_GROUP_get_curve_name(group)) { ++ /* ACVP-tested curves for keygen: */ ++ case NID_secp224r1: ++ /* SECG secp256r1 is the same as X9.62 prime256v1 (P-256) and hence omitted */ ++ case NID_X9_62_prime256v1: ++ case NID_secp384r1: ++ case NID_secp521r1: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ case CURVE_SIGVER: ++ switch (EC_GROUP_get_curve_name(group)) { ++ case NID_X9_62_prime192v1: /* NIST P-192 */ ++ case NID_secp224r1: ++ /* SECG secp256r1 is the same as X9.62 prime256v1 (P-256) and hence omitted */ ++ case NID_X9_62_prime256v1: ++ case NID_secp384r1: ++ case NID_secp521r1: ++ /* nist k curves */ ++ case NID_sect233k1: ++ case NID_sect283k1: ++ case NID_sect409k1: ++ case NID_sect571k1: ++ /* nist b curves */ ++ case NID_sect233r1: ++ case NID_sect283r1: ++ case NID_sect409r1: ++ case NID_sect571r1: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ case CURVE_SIGGEN: ++ case CURVE_DH: ++ switch (EC_GROUP_get_curve_name(group)) { ++ /* see crypto/ec/ec_curve.c:2800 */ ++ /* nist P curves*/ ++ case NID_secp224r1: ++ /* SECG secp256r1 is the same as X9.62 prime256v1 and hence omitted */ ++ case NID_X9_62_prime256v1: ++ case NID_secp384r1: ++ case NID_secp521r1: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ } ++ return FIPS_NONAPPROVED; ++} ++ ++#define make_fips_sli_check_curve(CTXTYPE, fn, usage) \ ++void fips_sli_check_curve_##fn##_##CTXTYPE(CTXTYPE *ctx, const EC_GROUP *group)\ ++{ \ ++ fips_sli_fsm_##CTXTYPE(ctx, get_fips_curve_status(group, usage)); \ ++} ++ ++make_fips_sli_check_curve(EVP_MD_CTX, siggen, CURVE_SIGGEN) ++make_fips_sli_check_curve(EVP_MD_CTX, sigver, CURVE_SIGVER) ++/* keygen missing because in this case we need more info than available here*/ ++make_fips_sli_check_curve(EVP_PKEY_CTX, siggen, CURVE_SIGGEN) ++make_fips_sli_check_curve(EVP_PKEY_CTX, sigver, CURVE_SIGVER) ++ ++typedef enum hash_usage_e { ++ HASH_SIGGEN, ++ HASH_SIGVER, ++ HASH_KDF_SSHKDF, ++ HASH_KDF_PBKDF2, ++ HASH_KDF_TLS, ++ HASH_RNG, ++ HASH_MAC ++} HASH_USAGE; ++ ++static FIPS_STATUS get_fips_hash_status(const EVP_MD *md, HASH_USAGE u) { ++ if (md == NULL) { ++ return FIPS_ERROR; ++ } ++ ++ switch (u) { ++ case HASH_KDF_TLS: ++ switch (EVP_MD_type(md)) { ++ case NID_sha256: /* TLSv1.2 */ ++ case NID_sha384: ++ case NID_sha512: ++ case NID_md5_sha1: /* used in TLS v1.0 / v1.1 */ ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ case HASH_KDF_PBKDF2: ++ case HASH_KDF_SSHKDF: ++ case HASH_MAC: ++ switch (EVP_MD_type(md)) { ++ case NID_sha1: ++ case NID_sha224: ++ case NID_sha256: ++ case NID_sha384: ++ case NID_sha512: ++ case NID_sha512_224: ++ case NID_sha512_256: ++ case NID_sha3_224: ++ case NID_sha3_256: ++ case NID_sha3_384: ++ case NID_sha3_512: ++ case NID_shake128: ++ case NID_shake256: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ case HASH_RNG: ++ case HASH_SIGGEN: ++ case HASH_SIGVER: ++ switch (EVP_MD_type(md)) { ++ case NID_sha224: ++ case NID_sha256: ++ case NID_sha384: ++ case NID_sha512: ++ case NID_sha512_224: ++ case NID_sha512_256: ++ case NID_sha3_224: ++ case NID_sha3_256: ++ case NID_sha3_384: ++ case NID_sha3_512: ++ case NID_shake128: ++ case NID_shake256: ++ return FIPS_APPROVED; ++ default: ++ return FIPS_NONAPPROVED; ++ } ++ } ++ return FIPS_ERROR; ++} ++ ++#define make_fips_sli_check_hash(CTXTYPE, fn, usage) \ ++void fips_sli_check_hash_##fn##_##CTXTYPE(CTXTYPE *ctx, const EVP_MD *md) \ ++{ \ ++ fips_sli_fsm_##CTXTYPE(ctx, get_fips_hash_status(md, usage)); \ ++} ++ ++make_fips_sli_check_hash(EVP_MD_CTX, siggen, HASH_SIGGEN) ++make_fips_sli_check_hash(EVP_MD_CTX, sigver, HASH_SIGVER) ++make_fips_sli_check_hash(EVP_PKEY_CTX, siggen, HASH_SIGGEN) ++make_fips_sli_check_hash(EVP_PKEY_CTX, sigver, HASH_SIGVER) ++make_fips_sli_check_hash(HMAC_CTX, mac, HASH_MAC) ++/* KDF impl is a bit special - avoid changing everything just because of that */ ++FIPS_STATUS fips_sli_get_hash_status_sshkdf(const EVP_MD * md) { ++ return get_fips_hash_status(md, HASH_KDF_SSHKDF); ++} ++FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md) { ++ return get_fips_hash_status(md, HASH_KDF_PBKDF2); ++} ++FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md) { ++ return get_fips_hash_status(md, HASH_KDF_TLS); ++} ++ ++FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes) { ++ if (keylen_bytes >= 112/8) ++ return FIPS_APPROVED; ++ else ++ return FIPS_NONAPPROVED; ++} ++ ++void fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(ctx, rsa); ++} ++ ++void fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ if (RSA_bits(rsa) >= 2048) ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ else ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_rsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ const int len_n = RSA_bits(rsa); ++ ++ if (1024 <= len_n && len_n < 2048) ++ fips_sli_approve_EVP_PKEY_CTX(ctx); // legacy use ++ else if (2048 <= len_n) ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ else ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_dsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_dsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++} ++ ++void fips_sli_check_key_dh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const DH *dh) { ++ switch (DH_get_nid(dh)) { ++ /* RFC 3526 */ ++ case NID_modp_2048: ++ case NID_modp_3072: ++ case NID_modp_4096: ++ case NID_modp_6144: ++ case NID_modp_8192: ++ /* RFC 7919 */ ++ case NID_ffdhe2048: ++ case NID_ffdhe3072: ++ case NID_ffdhe4096: ++ case NID_ffdhe6144: ++ case NID_ffdhe8192: ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ break; ++ default: ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ } ++} ++ ++void fips_sli_check_key_ecdh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_KEY *ecdh) { ++ fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_curve_status(EC_KEY_get0_group(ecdh), CURVE_DH)); ++} ++ ++void fips_sli_check_cipher_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher) { ++ fips_sli_fsm_EVP_CIPHER_CTX(ctx, EVP_CIPHER_get_fips_status(cipher)); ++} ++ ++/** According to FIPS PUB 186-5. ++ * Not really helpful because nist P curves are the only allowed curves for ++ * KeyGen, and have h=1 anyway - but allow for future extensibility */ ++static FIPS_STATUS get_fips_keygen_ecdsa_order_status(const EC_KEY *ec) { ++ BN_CTX *ctx = BN_CTX_new(); ++ BIGNUM *pwr14, *pwr16, *pwr24, *pwr32; ++ const BIGNUM * cofactor = EC_GROUP_get0_cofactor(EC_KEY_get0_group(ec)); ++ const int n = EC_GROUP_order_bits(EC_KEY_get0_group(ec)); ++ FIPS_STATUS ret = FIPS_NONAPPROVED; ++ ++ if (ctx == NULL) { ++ ret = FIPS_ERROR; ++ goto end; ++ } ++ ++ BN_CTX_start(ctx); ++ pwr14 = BN_CTX_get(ctx); ++ pwr16 = BN_CTX_get(ctx); ++ pwr24 = BN_CTX_get(ctx); ++ pwr32 = BN_CTX_get(ctx); ++ if (pwr32 == NULL) { ++ /* Sufficient to check the return value of the last BN_CTX_get() */ ++ ret = FIPS_ERROR; ++ goto end; ++ } ++ BN_set_bit(pwr14, 14); ++ BN_set_bit(pwr16, 16); ++ BN_set_bit(pwr24, 24); ++ BN_set_bit(pwr32, 32); ++ ++ if (224 < n && n <= 255) { ++ if (BN_cmp(cofactor, pwr14) != 1) ++ ret = FIPS_APPROVED; ++ } else if (256 < n && n <= 383) { ++ if (BN_cmp(cofactor, pwr16) != 1) ++ ret = FIPS_APPROVED; ++ ++ } else if (384 < n && n <= 511) { ++ if (BN_cmp(cofactor, pwr24) != 1) ++ ret = FIPS_APPROVED; ++ ++ } else if (n >= 512) { ++ if (BN_cmp(cofactor, pwr32) != 1) ++ ret = FIPS_APPROVED; ++ } ++ ++end: ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ return ret; ++} ++ ++void fips_sli_check_key_ec_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, ++ const EC_KEY *ec) { ++ fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_curve_status( ++ EC_KEY_get0_group(ec), CURVE_KEYGEN)); ++ fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_keygen_ecdsa_order_status(ec)); ++} ++ ++/* MINOR: refactor for sign/verify, too. See crypto/rsa/rsa_pmeth.c */ ++static FIPS_STATUS get_fips_padding_rsa_encdec_status(int pad_mode/*,usg: enc/dec*/) { ++ return FIPS_NONAPPROVED; ++} ++ ++void fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode) { ++ fips_sli_fsm_EVP_PKEY_CTX(ctx, get_fips_padding_rsa_encdec_status(pad_mode)); ++} ++ ++void fips_sli_check_padding_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode) { ++ fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(ctx, pad_mode); ++} +--- a/crypto/hmac/hm_pmeth.c ++++ b/crypto/hmac/hm_pmeth.c +@@ -128,8 +128,11 @@ static int hmac_signctx(EVP_PKEY_CTX *ct + if (!sig) + return 1; + +- if (!HMAC_Final(hctx->ctx, sig, &hlen)) ++ if (!HMAC_Final(hctx->ctx, sig, &hlen)) { ++ if (!fips_sli_is_approved_HMAC_CTX(hctx->ctx)) ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return 0; ++ } + *siglen = (size_t)hlen; + return 1; + } +--- a/crypto/hmac/hmac.c ++++ b/crypto/hmac/hmac.c +@@ -23,6 +23,7 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + unsigned char pad[HMAC_MAX_MD_CBLOCK_SIZE]; + unsigned int keytmp_length; + unsigned char keytmp[HMAC_MAX_MD_CBLOCK_SIZE]; ++ ctx->sli = FIPS_UNSET; + + /* If we are changing MD then we must have a key */ + if (md != NULL && md != ctx->md && (key == NULL || len < 0)) +@@ -83,9 +84,17 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + if (!EVP_DigestInit_ex(ctx->o_ctx, md, impl) + || !EVP_DigestUpdate(ctx->o_ctx, pad, EVP_MD_block_size(md))) + goto err; ++ ctx->sli_key_len = len; + } + if (!EVP_MD_CTX_copy_ex(ctx->md_ctx, ctx->i_ctx)) + goto err; ++ /* On reuse, key/key_len might be NULL. Use cached value. */ ++ if (ctx->sli_key_len >= 112/8) { ++ fips_sli_approve_HMAC_CTX(ctx); ++ } else { ++ fips_sli_disapprove_HMAC_CTX(ctx); ++ } ++ fips_sli_check_hash_mac_HMAC_CTX(ctx, md); + rv = 1; + err: + if (reset) { +@@ -190,6 +199,7 @@ static int hmac_ctx_alloc_mds(HMAC_CTX * + + int HMAC_CTX_reset(HMAC_CTX *ctx) + { ++ ctx->sli = FIPS_UNSET; + hmac_ctx_cleanup(ctx); + if (!hmac_ctx_alloc_mds(ctx)) { + hmac_ctx_cleanup(ctx); +@@ -209,24 +219,22 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C + if (!EVP_MD_CTX_copy_ex(dctx->md_ctx, sctx->md_ctx)) + goto err; + dctx->md = sctx->md; ++ dctx->sli = sctx->sli; + return 1; + err: + hmac_ctx_cleanup(dctx); + return 0; + } + +-unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len, ++static unsigned char *HMAC_internal(const EVP_MD *evp_md, const void *key, int key_len, + const unsigned char *d, size_t n, unsigned char *md, +- unsigned int *md_len) ++ unsigned int *md_len, HMAC_CTX *c) + { +- HMAC_CTX *c = NULL; + static unsigned char m[EVP_MAX_MD_SIZE]; + static const unsigned char dummy_key[1] = {'\0'}; + + if (md == NULL) + md = m; +- if ((c = HMAC_CTX_new()) == NULL) +- goto err; + + /* For HMAC_Init_ex, NULL key signals reuse. */ + if (key == NULL && key_len == 0) { +@@ -239,13 +247,40 @@ unsigned char *HMAC(const EVP_MD *evp_md + goto err; + if (!HMAC_Final(c, md, md_len)) + goto err; +- HMAC_CTX_free(c); + return md; + err: +- HMAC_CTX_free(c); + return NULL; + } + ++unsigned char *HMAC(const EVP_MD *evp_md, const void *key, int key_len, ++ const unsigned char *d, size_t n, unsigned char *md, ++ unsigned int *md_len) ++{ ++ HMAC_CTX *c = HMAC_CTX_new(); ++ unsigned char *ret = NULL; ++ if (c == NULL) ++ goto err; ++ ret = HMAC_internal(evp_md, key, key_len, d, n, md, md_len, c); ++ HMAC_CTX_free(c); ++ err: ++ return ret; ++} ++ ++int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len, ++ const unsigned char *d, size_t n, unsigned char *md, ++ unsigned int *md_len) ++{ ++ HMAC_CTX *c = HMAC_CTX_new(); ++ int ret = 0; ++ if (c == NULL) ++ goto err; ++ HMAC_internal(evp_md, key, key_len, d, n, md, md_len, c); ++ ret = fips_sli_is_approved_HMAC_CTX(c); ++ HMAC_CTX_free(c); ++ err: ++ return ret; ++} ++ + void HMAC_CTX_set_flags(HMAC_CTX *ctx, unsigned long flags) + { + EVP_MD_CTX_set_flags(ctx->i_ctx, flags); +--- a/crypto/hmac/hmac_local.h ++++ b/crypto/hmac/hmac_local.h +@@ -10,6 +10,8 @@ + #ifndef OSSL_CRYPTO_HMAC_LOCAL_H + # define OSSL_CRYPTO_HMAC_LOCAL_H + ++#include "internal/fips_sli_local.h" ++ + /* The current largest case is for SHA3-224 */ + #define HMAC_MAX_MD_CBLOCK_SIZE 144 + +@@ -18,6 +20,8 @@ struct hmac_ctx_st { + EVP_MD_CTX *md_ctx; + EVP_MD_CTX *i_ctx; + EVP_MD_CTX *o_ctx; ++ FIPS_STATUS sli; /* Service Level Indicator */ ++ size_t sli_key_len; /* SLI needs to cache keylen in case of context reuse */ + }; + + #endif +--- a/crypto/kdf/hkdf.c ++++ b/crypto/kdf/hkdf.c +@@ -222,6 +222,11 @@ static int kdf_hkdf_derive(EVP_KDF_IMPL + } + } + ++static int kdf_hkdf_fips_sli_is_approved(ossl_unused const EVP_KDF_IMPL *impl) { ++ return 0; /* can't check whether this is only used for DH / TLS1.3 because ++ this is handled by the application. Thus label HKDF as non-approved. */ ++} ++ + const EVP_KDF_METHOD hkdf_kdf_meth = { + EVP_KDF_HKDF, + kdf_hkdf_new, +@@ -230,7 +235,8 @@ const EVP_KDF_METHOD hkdf_kdf_meth = { + kdf_hkdf_ctrl, + kdf_hkdf_ctrl_str, + kdf_hkdf_size, +- kdf_hkdf_derive ++ kdf_hkdf_derive, ++ kdf_hkdf_fips_sli_is_approved + }; + + static int HKDF(const EVP_MD *evp_md, +--- a/crypto/kdf/pbkdf2.c ++++ b/crypto/kdf/pbkdf2.c +@@ -31,8 +31,16 @@ struct evp_kdf_impl_st { + size_t salt_len; + int iter; + const EVP_MD *md; ++ FIPS_STATUS sli; /* Service Level Indicator */ + }; + ++static ossl_unused int fips_sli_is_approved_struct_evp_kdf_impl_st(const struct evp_kdf_impl_st *ctx); ++fips_sli_define_basic_for(static, struct_evp_kdf_impl_st, struct evp_kdf_impl_st) ++ ++static void fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(struct evp_kdf_impl_st *ctx) { ++ fips_sli_fsm_struct_evp_kdf_impl_st(ctx, fips_sli_get_hash_status_pbkdf2(ctx->md)); ++} ++ + static EVP_KDF_IMPL *kdf_pbkdf2_new(void) + { + EVP_KDF_IMPL *impl; +@@ -64,6 +72,7 @@ static void kdf_pbkdf2_init(EVP_KDF_IMPL + { + impl->iter = PKCS5_DEFAULT_ITER; + impl->md = EVP_sha1(); ++ impl->sli = FIPS_UNSET; + } + + static int pbkdf2_set_membuf(unsigned char **buffer, size_t *buflen, +@@ -175,6 +184,8 @@ static int kdf_pbkdf2_derive(EVP_KDF_IMP + return 0; + } + ++ fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); ++ + return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len, + impl->salt, impl->salt_len, impl->iter, + impl->md, key, keylen); +@@ -188,7 +199,8 @@ const EVP_KDF_METHOD pbkdf2_kdf_meth = { + kdf_pbkdf2_ctrl, + kdf_pbkdf2_ctrl_str, + NULL, +- kdf_pbkdf2_derive ++ kdf_pbkdf2_derive, ++ fips_sli_is_approved_struct_evp_kdf_impl_st + }; + + /* +--- a/crypto/kdf/scrypt.c ++++ b/crypto/kdf/scrypt.c +@@ -266,6 +266,10 @@ static int kdf_scrypt_derive(EVP_KDF_IMP + impl->maxmem_bytes, key, keylen); + } + ++static int kdf_scrypt_fips_sli_is_approved(ossl_unused const EVP_KDF_IMPL *impl) { ++ return 0; /* not FIPS-approved */ ++} ++ + const EVP_KDF_METHOD scrypt_kdf_meth = { + EVP_KDF_SCRYPT, + kdf_scrypt_new, +@@ -274,7 +278,8 @@ const EVP_KDF_METHOD scrypt_kdf_meth = { + kdf_scrypt_ctrl, + kdf_scrypt_ctrl_str, + NULL, +- kdf_scrypt_derive ++ kdf_scrypt_derive, ++ kdf_scrypt_fips_sli_is_approved + }; + + #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) +--- a/crypto/kdf/sshkdf.c ++++ b/crypto/kdf/sshkdf.c +@@ -34,8 +34,19 @@ struct evp_kdf_impl_st { + char type; /* X */ + unsigned char *session_id; + size_t session_id_len; ++ FIPS_STATUS sli; /* Service Level Indicator */ + }; + ++ ++fips_sli_define_basic_for(static, struct_evp_kdf_impl_st, struct evp_kdf_impl_st) ++ ++static void fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(struct evp_kdf_impl_st *ctx) { ++ fips_sli_fsm_struct_evp_kdf_impl_st(ctx, ++ fips_sli_get_hash_status_sshkdf(ctx->md)); ++ fips_sli_fsm_struct_evp_kdf_impl_st(ctx, ++ fips_sli_get_kdf_keylen_status(ctx->key_len)); ++} ++ + static EVP_KDF_IMPL *kdf_sshkdf_new(void) + { + EVP_KDF_IMPL *impl; +@@ -196,6 +207,7 @@ static int kdf_sshkdf_derive(EVP_KDF_IMP + KDFerr(KDF_F_KDF_SSHKDF_DERIVE, KDF_R_MISSING_TYPE); + return 0; + } ++ fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); + return SSHKDF(impl->md, impl->key, impl->key_len, + impl->xcghash, impl->xcghash_len, + impl->session_id, impl->session_id_len, +@@ -211,6 +223,7 @@ const EVP_KDF_METHOD sshkdf_kdf_meth = { + kdf_sshkdf_ctrl_str, + kdf_sshkdf_size, + kdf_sshkdf_derive, ++ fips_sli_is_approved_struct_evp_kdf_impl_st + }; + + static int SSHKDF(const EVP_MD *evp_md, +--- a/crypto/kdf/tls1_prf.c ++++ b/crypto/kdf/tls1_prf.c +@@ -35,8 +35,16 @@ struct evp_kdf_impl_st { + /* Buffer of concatenated seed data */ + unsigned char seed[TLS1_PRF_MAXBUF]; + size_t seedlen; ++ FIPS_STATUS sli; /* Service Level Indicator */ + }; + ++fips_sli_define_basic_for(static, struct_evp_kdf_impl_st, struct evp_kdf_impl_st) ++ ++static void fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(struct evp_kdf_impl_st *ctx) { ++ fips_sli_fsm_struct_evp_kdf_impl_st(ctx, ++ fips_sli_get_hash_status_kdf_tls1_prf(ctx->md)); ++} ++ + static EVP_KDF_IMPL *kdf_tls1_prf_new(void) + { + EVP_KDF_IMPL *impl; +@@ -152,6 +160,7 @@ static int kdf_tls1_prf_derive(EVP_KDF_I + KDFerr(KDF_F_KDF_TLS1_PRF_DERIVE, KDF_R_MISSING_SEED); + return 0; + } ++ fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); + return tls1_prf_alg(impl->md, impl->sec, impl->seclen, + impl->seed, impl->seedlen, + key, keylen); +@@ -165,7 +174,8 @@ const EVP_KDF_METHOD tls1_prf_kdf_meth = + kdf_tls1_prf_ctrl, + kdf_tls1_prf_ctrl_str, + NULL, +- kdf_tls1_prf_derive ++ kdf_tls1_prf_derive, ++ fips_sli_is_approved_struct_evp_kdf_impl_st + }; + + static int tls1_prf_P_hash(const EVP_MD *md, +--- a/crypto/poly1305/poly1305_pmeth.c ++++ b/crypto/poly1305/poly1305_pmeth.c +@@ -108,8 +108,10 @@ static int poly1305_signctx(EVP_PKEY_CTX + POLY1305_PKEY_CTX *pctx = ctx->data; + + *siglen = POLY1305_DIGEST_SIZE; +- if (sig != NULL) ++ if (sig != NULL) { + Poly1305_Final(&pctx->ctx, sig); ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); // Poly1305 isn't an approved MAC ++ } + return 1; + } + +--- a/crypto/rand/rand_lib.c ++++ b/crypto/rand/rand_lib.c +@@ -937,6 +937,13 @@ int RAND_priv_bytes(unsigned char *buf, + return 0; + } + ++int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num) { ++ const RAND_METHOD *meth = RAND_get_rand_method(); ++ if (meth != NULL && meth != RAND_OpenSSL()) ++ return 0; ++ return 1; ++} ++ + int RAND_bytes(unsigned char *buf, int num) + { + const RAND_METHOD *meth = RAND_get_rand_method(); +@@ -947,6 +954,11 @@ int RAND_bytes(unsigned char *buf, int n + return -1; + } + ++int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num) { ++ const RAND_METHOD *meth = RAND_get_rand_method(); ++ return meth == RAND_OpenSSL(); ++} ++ + #if OPENSSL_API_COMPAT < 0x10100000L + int RAND_pseudo_bytes(unsigned char *buf, int num) + { +--- a/crypto/rsa/rsa_pmeth.c ++++ b/crypto/rsa/rsa_pmeth.c +@@ -129,6 +129,7 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + RSA_PKEY_CTX *rctx = ctx->data; + RSA *rsa = ctx->pkey->pkey.rsa; + ++ fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(ctx, rsa); + if (rctx->md) { + if (tbslen != (size_t)EVP_MD_size(rctx->md)) { + RSAerr(RSA_F_PKEY_RSA_SIGN, RSA_R_INVALID_DIGEST_LENGTH); +@@ -139,6 +140,8 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + unsigned int sltmp; + if (rctx->pad_mode != RSA_PKCS1_PADDING) + return -1; ++ /* PKCS1-v1.5 padding is disallowed after 2023 */ ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + ret = RSA_sign_ASN1_OCTET_STRING(0, + tbs, tbslen, sig, &sltmp, rsa); + +@@ -154,11 +157,30 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + RSAerr(RSA_F_PKEY_RSA_SIGN, ERR_R_MALLOC_FAILURE); + return -1; + } ++ /* MINOR fips: refactor out? May have to read rctx->pad_mode (RSA_PKEY_CTX), though */ ++ /* ANSI X9.31 */ ++ switch (EVP_MD_type(rctx->md)) { ++ case NID_sha256: ++ case NID_sha384: ++ case NID_sha512: ++ case NID_sha3_224: ++ case NID_sha3_256: ++ case NID_sha3_384: ++ case NID_sha3_512: ++ case NID_shake128: ++ case NID_shake256: ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ break; ++ default: ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ } + memcpy(rctx->tbuf, tbs, tbslen); + rctx->tbuf[tbslen] = RSA_X931_hash_id(EVP_MD_type(rctx->md)); + ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, + sig, rsa, RSA_X931_PADDING); + } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { ++ /* PKCS1-v1.5 padding is disallowed after 2023 */ ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + unsigned int sltmp; + ret = RSA_sign(EVP_MD_type(rctx->md), + tbs, tbslen, sig, &sltmp, rsa); +@@ -173,12 +195,14 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + rctx->md, rctx->mgf1md, + rctx->saltlen)) + return -1; ++ fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md); + ret = RSA_private_encrypt(RSA_size(rsa), rctx->tbuf, + sig, rsa, RSA_NO_PADDING); + } else { + return -1; + } + } else { ++ fips_sli_approve_EVP_PKEY_CTX(ctx); /* plain sig without hash */ + ret = RSA_private_encrypt(tbslen, tbs, sig, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } +@@ -199,6 +223,23 @@ static int pkey_rsa_verifyrecover(EVP_PK + if (rctx->pad_mode == RSA_X931_PADDING) { + if (!setup_tbuf(rctx, ctx)) + return -1; ++ /* MINOR fips: refactor out? May have to read rctx->pad_mode (RSA_PKEY_CTX), though */ ++ /* ANSI X9.31 */ ++ switch (EVP_MD_type(rctx->md)) { ++ case NID_sha256: ++ case NID_sha384: ++ case NID_sha512: ++ case NID_sha3_224: ++ case NID_sha3_256: ++ case NID_sha3_384: ++ case NID_sha3_512: ++ case NID_shake128: ++ case NID_shake256: ++ fips_sli_approve_EVP_PKEY_CTX(ctx); ++ break; ++ default: ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ } + ret = RSA_public_decrypt(siglen, sig, + rctx->tbuf, ctx->pkey->pkey.rsa, + RSA_X931_PADDING); +@@ -245,11 +286,15 @@ static int pkey_rsa_verify(EVP_PKEY_CTX + RSA_PKEY_CTX *rctx = ctx->data; + RSA *rsa = ctx->pkey->pkey.rsa; + size_t rslen; ++ fips_sli_check_key_rsa_sigver_EVP_PKEY_CTX(ctx, rsa); + + if (rctx->md) { +- if (rctx->pad_mode == RSA_PKCS1_PADDING) ++ if (rctx->pad_mode == RSA_PKCS1_PADDING) { ++ /* PKCS1-v1.5 padding is disallowed after 2023 */ ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, + sig, siglen, rsa); ++ } + if (tbslen != (size_t)EVP_MD_size(rctx->md)) { + RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); + return -1; +@@ -270,6 +315,7 @@ static int pkey_rsa_verify(EVP_PKEY_CTX + rctx->tbuf, rctx->saltlen); + if (ret <= 0) + return 0; ++ fips_sli_check_hash_sigver_EVP_PKEY_CTX(ctx, rctx->md); + return 1; + } else { + return -1; +@@ -277,6 +323,7 @@ static int pkey_rsa_verify(EVP_PKEY_CTX + } else { + if (!setup_tbuf(rctx, ctx)) + return -1; ++ fips_sli_approve_EVP_PKEY_CTX(ctx); /* plain sig without hash */ + rslen = RSA_public_decrypt(siglen, sig, rctx->tbuf, + rsa, rctx->pad_mode); + if (rslen == 0) +@@ -313,6 +360,8 @@ static int pkey_rsa_encrypt(EVP_PKEY_CTX + ret = RSA_public_encrypt(inlen, in, out, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } ++ fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(ctx, rctx->pad_mode); ++ fips_sli_check_key_rsa_enc_EVP_PKEY_CTX(ctx, ctx->pkey->pkey.rsa); + if (ret < 0) + return ret; + *outlen = ret; +@@ -342,6 +391,8 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX + ret = RSA_private_decrypt(inlen, in, out, ctx->pkey->pkey.rsa, + rctx->pad_mode); + } ++ fips_sli_check_padding_rsa_dec_EVP_PKEY_CTX(ctx, rctx->pad_mode); ++ fips_sli_check_key_rsa_dec_EVP_PKEY_CTX(ctx, ctx->pkey->pkey.rsa); + *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); + ret = constant_time_select_int(constant_time_msb(ret), ret, 1); + return ret; +@@ -747,9 +798,13 @@ static int pkey_rsa_keygen(EVP_PKEY_CTX + RSA_free(rsa); + return 0; + } +- if (ret > 0) ++ if (rctx->primes != 2) ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); ++ ++ if (ret > 0) { ++ fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(ctx, rsa); + EVP_PKEY_assign(pkey, ctx->pmeth->pkey_id, rsa); +- else ++ } else + RSA_free(rsa); + return ret; + } +--- a/crypto/sha/sha1_one.c ++++ b/crypto/sha/sha1_one.c +@@ -26,3 +26,8 @@ unsigned char *SHA1(const unsigned char + OPENSSL_cleanse(&c, sizeof(c)); + return md; + } ++ ++int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md) { ++ /* Only approved depending on usage context, so default to false */ ++ return 0; ++} +--- a/crypto/siphash/siphash_pmeth.c ++++ b/crypto/siphash/siphash_pmeth.c +@@ -109,8 +109,10 @@ static int siphash_signctx(EVP_PKEY_CTX + SIPHASH_PKEY_CTX *pctx = ctx->data; + + *siglen = SipHash_hash_size(&pctx->ctx); +- if (sig != NULL) ++ if (sig != NULL) { ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return SipHash_Final(&pctx->ctx, sig, *siglen); ++ } + return 1; + } + +--- a/crypto/sm2/sm2_pmeth.c ++++ b/crypto/sm2/sm2_pmeth.c +@@ -107,6 +107,7 @@ static int pkey_sm2_sign(EVP_PKEY_CTX *c + return 0; + } + ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + ret = sm2_sign(tbs, tbslen, sig, &sltmp, ec); + + if (ret <= 0) +@@ -120,7 +121,7 @@ static int pkey_sm2_verify(EVP_PKEY_CTX + const unsigned char *tbs, size_t tbslen) + { + EC_KEY *ec = ctx->pkey->pkey.ec; +- ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return sm2_verify(tbs, tbslen, sig, siglen, ec); + } + +@@ -139,6 +140,7 @@ static int pkey_sm2_encrypt(EVP_PKEY_CTX + return 1; + } + ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return sm2_encrypt(ec, md, in, inlen, out, outlen); + } + +@@ -157,6 +159,7 @@ static int pkey_sm2_decrypt(EVP_PKEY_CTX + return 1; + } + ++ fips_sli_disapprove_EVP_PKEY_CTX(ctx); + return sm2_decrypt(ec, md, in, inlen, out, outlen); + } + +--- /dev/null ++++ b/doc/man3/FIPS_service_level_indicator.pod +@@ -0,0 +1,110 @@ ++=pod ++ ++=head1 NAME ++ ++C - get status of the FIPS Service Level Indicator (SLI) for context operations ++ ++C - get status of the FIPS SLI for standalone operations ++ ++=head1 SYNOPSIS ++ ++ #include ++ ++ int fips_sli_is_approved_EVP_CIPHER_CTX(const EVP_CIPHER_CTX *ctx); ++ ++ int fips_sli_is_approved_EVP_KDF_CTX(const EVP_KDF_CTX *ctx); ++ ++ int fips_sli_is_approved_EVP_MD_CTX(const EVP_MD_CTX *ctx); ++ ++ int fips_sli_is_approved_EVP_PKEY_CTX(const EVP_PKEY_CTX *ctx); ++ ++ int fips_sli_is_approved_CMAC_CTX(const CMAC_CTX *ctx); ++ ++ int fips_sli_is_approved_HMAC_CTX(const HMAC_CTX *ctx); ++ ++ int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md); ++ ++ int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len, ++ const unsigned char *d, size_t n, unsigned char *md, ++ unsigned int *md_len); ++ ++ int fips_sli_PKCS5_PBKDF2_HMAC_is_approved(const char *pass, int passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, int keylen, unsigned char *out); ++ ++ int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num); ++ ++ int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num); ++ ++=head1 DESCRIPTION ++ ++The service level indicator has two different usage scenarios. ++ ++=over 1 ++ ++=item C ++ ++Most operations happen on some form of a context, which also holds the SLI. ++This function returns whether the FIPS SLI indicates an approved operation or not. ++ ++After a disapproved operation is encountered, the SLI will continue to indicate this disapproved state. The SLI can only ++be reset by the various existing resetting functions such as C or reinitializing the ++context, e.g. via L. ++ ++=item C ++ ++Operations without a context (standalone functions) have a separate SLI with the name fips_sli_FNNAME_is_approved(). ++These indicator functions take the same parameters as their corresponding operation ++and may modify them just like their corresponding function might do. ++ ++In order to check the SLI status of an operation C, the function ++C must be called with the same set of parameters as C. ++Note that applications must check the return value of C according to its documentation B the return value of the SLI (see below for L). ++Both are orthogonal: the former reports about success and failure of C, and the latter whether a disapproved operation happened or not. ++Well-behaving applications check for both. ++ ++The following explicit indicators exist: ++ ++C ++ ++C ++ ++C ++ ++C ++ ++C ++ ++=back ++ ++=head1 Notes on the RNG ++ ++OpenSSL 1.1.1l implements a CTR DRBG with AES 128/192/256 (defaults to AES-256). ++See L/RAND_priv_bytes(). ++ ++Swapping out OPENSSL's RNG implementation (e.g. via L) is NOT allowed. ++ ++=head1 RETURN VALUES ++ ++C returns 0 if the previous operation(s) was unapproved or B was B, and returns 1 ++if the previous operation(s) were approved (or rather, no non-approved operations happened). ++ ++C returns 0 if an operation with a given set of parameters was unapproved, and returns 1 ++if the operation is approved with the given set of parameters. ++ ++These functions can be invoked at any time. ++ ++=head1 HISTORY ++ ++The FIPS SLI was added in OpenSSL 1.1.1.l. ++ ++=head1 COPYRIGHT ++ ++Copyright 2022 ++ ++Licensed under the OpenSSL license (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h +@@ -9,6 +9,7 @@ + + #include + #include "internal/refcount.h" ++#include "internal/fips_sli_local.h" + + /* + * Don't free up md_ctx->pctx in EVP_MD_CTX_reset, use the reserved flag +@@ -36,6 +37,7 @@ struct evp_pkey_ctx_st { + /* implementation specific keygen data */ + int *keygen_info; + int keygen_info_count; ++ FIPS_STATUS sli; /* Service Level Indicator */ + } /* EVP_PKEY_CTX */ ; + + #define EVP_PKEY_FLAG_DYNAMIC 1 +@@ -123,6 +125,9 @@ typedef struct { + int (*ctrl_str) (EVP_KDF_IMPL *impl, const char *type, const char *value); + size_t (*size) (EVP_KDF_IMPL *impl); + int (*derive) (EVP_KDF_IMPL *impl, unsigned char *key, size_t keylen); ++ /* KDFs are handled differently by the SLI because the EVP_KDF_IMPL, which ++ holds the required information, is defined implementation-dependent */ ++ int (*fips_sli_is_approved) (const EVP_KDF_IMPL *impl); + } EVP_KDF_METHOD; + + extern const EVP_KDF_METHOD pbkdf2_kdf_meth; +--- /dev/null ++++ b/include/crypto/fipserr.h +@@ -0,0 +1,121 @@ ++/* ++ * Generated by util/mkerr.pl DO NOT EDIT ++ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the OpenSSL license (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#ifndef HEADER_FIPSERR_H ++# define HEADER_FIPSERR_H ++ ++# include ++ ++# ifdef __cplusplus ++extern "C" ++# endif ++int ERR_load_FIPS_strings(void); ++ ++/* ++ * FIPS function codes. ++ */ ++# define FIPS_F_DRBG_RESEED 100 ++# define FIPS_F_DSA_BUILTIN_PARAMGEN2 101 ++# define FIPS_F_DSA_DO_SIGN 102 ++# define FIPS_F_DSA_DO_VERIFY 103 ++# define FIPS_F_ECDSA_SIMPLE_SIGN_SIG 104 ++# define FIPS_F_ECDSA_SIMPLE_VERIFY_SIG 105 ++# define FIPS_F_EVP_CIPHERINIT_EX 106 ++# define FIPS_F_EVP_CIPHER_CTX_NEW 107 ++# define FIPS_F_EVP_CIPHER_CTX_RESET 108 ++# define FIPS_F_EVP_DIGESTINIT_EX 109 ++# define FIPS_F_FIPS_CHECK_DSA 110 ++# define FIPS_F_FIPS_CHECK_EC 111 ++# define FIPS_F_FIPS_CHECK_RSA 112 ++# define FIPS_F_FIPS_DRBG_BYTES 113 ++# define FIPS_F_FIPS_DRBG_CHECK 114 ++# define FIPS_F_FIPS_DRBG_ERROR_CHECK 115 ++# define FIPS_F_FIPS_DRBG_GENERATE 116 ++# define FIPS_F_FIPS_DRBG_INIT 117 ++# define FIPS_F_FIPS_DRBG_INSTANTIATE 118 ++# define FIPS_F_FIPS_DRBG_NEW 119 ++# define FIPS_F_FIPS_DRBG_SINGLE_KAT 120 ++# define FIPS_F_FIPS_GET_ENTROPY 121 ++# define FIPS_F_FIPS_MODULE_MODE_SET 122 ++# define FIPS_F_FIPS_PKEY_SIGNATURE_TEST 123 ++# define FIPS_F_FIPS_RAND_BYTES 124 ++# define FIPS_F_FIPS_RAND_SEED 125 ++# define FIPS_F_FIPS_RAND_SET_METHOD 126 ++# define FIPS_F_FIPS_RAND_STATUS 127 ++# define FIPS_F_FIPS_RSA_BUILTIN_KEYGEN 128 ++# define FIPS_F_FIPS_SELFTEST_AES 129 ++# define FIPS_F_FIPS_SELFTEST_AES_CCM 130 ++# define FIPS_F_FIPS_SELFTEST_AES_GCM 131 ++# define FIPS_F_FIPS_SELFTEST_AES_XTS 132 ++# define FIPS_F_FIPS_SELFTEST_CMAC 133 ++# define FIPS_F_FIPS_SELFTEST_DES 134 ++# define FIPS_F_FIPS_SELFTEST_ECDSA 135 ++# define FIPS_F_FIPS_SELFTEST_HKDF 136 ++# define FIPS_F_FIPS_SELFTEST_HMAC 137 ++# define FIPS_F_FIPS_SELFTEST_PBKDF2 138 ++# define FIPS_F_FIPS_SELFTEST_SHA1 139 ++# define FIPS_F_FIPS_SELFTEST_SHA2 140 ++# define FIPS_F_FIPS_SELFTEST_SHA3 141 ++# define FIPS_F_FIPS_SELFTEST_SSH 142 ++# define FIPS_F_FIPS_SELFTEST_TLS 143 ++# define FIPS_F_OSSL_ECDH_COMPUTE_KEY 144 ++# define FIPS_F_RSA_OSSL_PRIVATE_DECRYPT 145 ++# define FIPS_F_RSA_OSSL_PRIVATE_ENCRYPT 146 ++# define FIPS_F_RSA_OSSL_PUBLIC_DECRYPT 147 ++# define FIPS_F_RSA_OSSL_PUBLIC_ENCRYPT 148 ++ ++/* ++ * FIPS reason codes. ++ */ ++# define FIPS_R_ADDITIONAL_INPUT_ERROR_UNDETECTED 100 ++# define FIPS_R_ADDITIONAL_INPUT_TOO_LONG 101 ++# define FIPS_R_ALREADY_INSTANTIATED 102 ++# define FIPS_R_DRBG_NOT_INITIALISED 103 ++# define FIPS_R_ENTROPY_ERROR_UNDETECTED 104 ++# define FIPS_R_ENTROPY_NOT_REQUESTED_FOR_RESEED 105 ++# define FIPS_R_ENTROPY_SOURCE_STUCK 106 ++# define FIPS_R_ERROR_INITIALISING_DRBG 107 ++# define FIPS_R_ERROR_INSTANTIATING_DRBG 108 ++# define FIPS_R_ERROR_RETRIEVING_ADDITIONAL_INPUT 109 ++# define FIPS_R_ERROR_RETRIEVING_ENTROPY 110 ++# define FIPS_R_ERROR_RETRIEVING_NONCE 111 ++# define FIPS_R_FINGERPRINT_DOES_NOT_MATCH 112 ++# define FIPS_R_FIPS_MODE_ALREADY_SET 113 ++# define FIPS_R_FIPS_SELFTEST_FAILED 114 ++# define FIPS_R_FUNCTION_ERROR 115 ++# define FIPS_R_GENERATE_ERROR 116 ++# define FIPS_R_GENERATE_ERROR_UNDETECTED 117 ++# define FIPS_R_INSTANTIATE_ERROR 118 ++# define FIPS_R_INVALID_KEY_LENGTH 119 ++# define FIPS_R_IN_ERROR_STATE 120 ++# define FIPS_R_KEY_TOO_SHORT 121 ++# define FIPS_R_NONCE_ERROR_UNDETECTED 122 ++# define FIPS_R_NON_FIPS_METHOD 123 ++# define FIPS_R_NOPR_TEST1_FAILURE 124 ++# define FIPS_R_NOPR_TEST2_FAILURE 125 ++# define FIPS_R_NOT_INSTANTIATED 126 ++# define FIPS_R_PAIRWISE_TEST_FAILED 127 ++# define FIPS_R_PERSONALISATION_ERROR_UNDETECTED 128 ++# define FIPS_R_PERSONALISATION_STRING_TOO_LONG 129 ++# define FIPS_R_PR_TEST1_FAILURE 130 ++# define FIPS_R_PR_TEST2_FAILURE 131 ++# define FIPS_R_REQUEST_LENGTH_ERROR_UNDETECTED 132 ++# define FIPS_R_REQUEST_TOO_LARGE_FOR_DRBG 133 ++# define FIPS_R_RESEED_COUNTER_ERROR 134 ++# define FIPS_R_RESEED_ERROR 135 ++# define FIPS_R_SELFTEST_FAILED 136 ++# define FIPS_R_SELFTEST_FAILURE 137 ++# define FIPS_R_TEST_FAILURE 138 ++# define FIPS_R_UNINSTANTIATE_ERROR 139 ++# define FIPS_R_UNINSTANTIATE_ZEROISE_ERROR 140 ++# define FIPS_R_UNSUPPORTED_DRBG_TYPE 141 ++# define FIPS_R_UNSUPPORTED_PLATFORM 142 ++ ++#endif +--- /dev/null ++++ b/include/internal/fips_sli_local.h +@@ -0,0 +1,96 @@ ++#ifndef FIPS_SLI_LOCAL_H_INCLUDED ++#define FIPS_SLI_LOCAL_H_INCLUDED ++ ++#include ++#include ++#include ++ ++/* status for SLI */ ++typedef enum fips_status_e { ++ FIPS_UNSET, ++ FIPS_APPROVED, ++ FIPS_NONAPPROVED, ++ FIPS_ERROR, ++} FIPS_STATUS; ++ ++ ++void fips_sli_approve_EVP_KDF_CTX(EVP_KDF_CTX *ctx); ++void fips_sli_approve_EVP_MD_CTX(EVP_MD_CTX *ctx); ++void fips_sli_approve_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx); ++void fips_sli_approve_HMAC_CTX(HMAC_CTX *ctx); ++ ++/* Unused: ++ * void fips_sli_approve_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx); ++ */ ++void fips_sli_disapprove_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx); ++void fips_sli_disapprove_EVP_KDF_CTX(EVP_KDF_CTX *ctx); ++void fips_sli_disapprove_EVP_MD_CTX(EVP_MD_CTX *ctx); ++void fips_sli_disapprove_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx); ++void fips_sli_disapprove_HMAC_CTX(HMAC_CTX *ctx); ++ ++//void fips_sli_error_EVP_KDF_CTX(EVP_KDF_CTX *ctx); /* unused */ ++//void fips_sli_error_HMAC_CTX(HMAC_CTX *ctx); ++//void fips_sli_error_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx); ++void fips_sli_error_EVP_MD_CTX(EVP_MD_CTX *ctx); ++void fips_sli_error_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx); ++ ++FIPS_STATUS fips_sli_fsm_transition(FIPS_STATUS state, FIPS_STATUS input); ++ ++#define fips_sli_define_basic_for(LNKG, FNNAME, CTXTYPE) \ ++static void fips_sli_fsm_##FNNAME(CTXTYPE *ctx, FIPS_STATUS input) { \ ++ if (ctx == NULL) \ ++ return; \ ++ ctx->sli = fips_sli_fsm_transition(ctx->sli, input); \ ++} \ ++LNKG int fips_sli_is_approved_##FNNAME(const CTXTYPE *ctx) { \ ++ if (ctx == NULL) \ ++ return 0; \ ++ return (ctx->sli == FIPS_UNSET) || (ctx->sli == FIPS_APPROVED); \ ++} ++ ++#define fips_sli_define_for(CTXTYPE) \ ++fips_sli_define_basic_for(, CTXTYPE, CTXTYPE) \ ++void fips_sli_approve_##CTXTYPE(CTXTYPE *ctx) { \ ++ fips_sli_fsm_##CTXTYPE(ctx, FIPS_APPROVED); \ ++} \ ++void fips_sli_disapprove_##CTXTYPE(CTXTYPE *ctx) { \ ++ fips_sli_fsm_##CTXTYPE(ctx, FIPS_NONAPPROVED); \ ++} \ ++void fips_sli_error_##CTXTYPE(CTXTYPE *ctx) { \ ++ fips_sli_fsm_##CTXTYPE(ctx, FIPS_ERROR); \ ++} ++ ++void fips_sli_check_hash_siggen_EVP_MD_CTX(EVP_MD_CTX * ctx, const EVP_MD * md); ++void fips_sli_check_hash_sigver_EVP_MD_CTX(EVP_MD_CTX * ctx, const EVP_MD * md); ++void fips_sli_check_hash_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const EVP_MD * md); ++void fips_sli_check_hash_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const EVP_MD * md); ++void fips_sli_check_hash_mac_HMAC_CTX(HMAC_CTX * ctx, const EVP_MD * md); ++ ++FIPS_STATUS fips_sli_get_hash_status_sshkdf(const EVP_MD * md); ++FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md); ++FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md); ++FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes); ++ ++/* Check if used curve is okay for and in this context */ ++void fips_sli_check_curve_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_GROUP *group); ++void fips_sli_check_curve_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_GROUP *group); ++ ++void fips_sli_check_key_ec_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_KEY *ec); ++void fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_rsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa); ++void fips_sli_check_key_dsa_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa); ++void fips_sli_check_key_dsa_sigver_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const DSA * dsa); ++ ++void fips_sli_check_key_dh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const DH *dh); ++void fips_sli_check_key_ecdh_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_KEY *ecdh); ++ ++void fips_sli_check_padding_rsa_enc_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode); ++void fips_sli_check_padding_rsa_dec_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, int pad_mode); ++ ++FIPS_STATUS EVP_CIPHER_get_fips_status(const EVP_CIPHER *cipher); ++void fips_sli_check_cipher_EVP_CIPHER_CTX(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher); ++ ++#endif /* FIPS_SLI_LOCAL_H_INCLUDED */ +--- /dev/null ++++ b/include/openssl/fips_sli.h +@@ -0,0 +1,32 @@ ++#ifndef FIPS_SLI_H_INCLUDED ++#define FIPS_SLI_H_INCLUDED ++ ++#include ++#include ++# ifdef __cplusplus ++extern "C" { ++# endif ++ ++/* Interface for consumers to check if their usage of the services offered by ++ * this ctx was approved */ ++int fips_sli_is_approved_EVP_CIPHER_CTX(const EVP_CIPHER_CTX *ctx); ++int fips_sli_is_approved_EVP_KDF_CTX(const EVP_KDF_CTX *ctx); ++int fips_sli_is_approved_EVP_MD_CTX(const EVP_MD_CTX *ctx); ++int fips_sli_is_approved_EVP_PKEY_CTX(const EVP_PKEY_CTX *ctx); ++int fips_sli_is_approved_CMAC_CTX(const CMAC_CTX *ctx); ++int fips_sli_is_approved_HMAC_CTX(const HMAC_CTX *ctx); ++ ++int fips_sli_SHA1_is_approved(const unsigned char *d, size_t n, unsigned char *md); ++int fips_sli_HMAC_is_approved(const EVP_MD *evp_md, const void *key, int key_len, ++ const unsigned char *d, size_t n, unsigned char *md, ++ unsigned int *md_len); ++int fips_sli_PKCS5_PBKDF2_HMAC_is_approved(const char *pass, int passlen, ++ const unsigned char *salt, int saltlen, int iter, ++ const EVP_MD *digest, int keylen, unsigned char *out); ++int fips_sli_RAND_bytes_is_approved(unsigned char *buf, int num); ++int fips_sli_RAND_priv_bytes_is_approved(unsigned char *buf, int num); ++ ++# ifdef __cplusplus ++} ++# endif ++#endif // FIPS_SLI_H_INCLUDED +--- a/test/build.info ++++ b/test/build.info +@@ -52,7 +52,7 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I + recordlentest drbgtest drbg_cavs_test sslbuffertest \ + time_offset_test pemtest ssl_cert_table_internal_test ciphername_test \ + servername_test ocspapitest rsa_mp_test fatalerrtest tls13ccstest \ +- sysdefaulttest errtest ssl_ctx_test gosttest ++ sysdefaulttest errtest ssl_ctx_test gosttest fips_slitest + + SOURCE[versions]=versions.c + INCLUDE[versions]=../include +@@ -575,6 +575,10 @@ INCLUDE_MAIN___test_libtestutil_OLB = /I + INCLUDE[gosttest]=../include .. + DEPEND[gosttest]=../libcrypto ../libssl libtestutil.a + ++ SOURCE[fips_slitest]=fips_slitest.c fips_slitest_helper.c ++ INCLUDE[fips_slitest]=../include ++ DEPEND[fips_slitest]=../libcrypto libtestutil.a ++ + SOURCE[ssl_ctx_test]=ssl_ctx_test.c + INCLUDE[ssl_ctx_test]=../include + DEPEND[ssl_ctx_test]=../libcrypto ../libssl libtestutil.a +--- /dev/null ++++ b/test/fips_slitest.c +@@ -0,0 +1,659 @@ ++#include ++#include ++#include ++#include /* To see if OPENSSL_NO_EC is defined */ ++#ifndef OPENSSL_NO_EC ++# include ++#endif ++#ifndef OPENSSL_NO_RSA ++# include ++#endif ++#include ++ ++#include "testutil.h" ++#include "fips_slitest_helper.h" ++ ++static int test_sli_noop(void) { ++ int res = 0; /* 0 means test failure */ ++ EVP_MD_CTX* ctx = NULL; ++ if (!TEST_ptr(ctx = EVP_MD_CTX_new())) ++ goto end; ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(ctx))) ++ goto end; ++ if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(NULL))) ++ goto end; ++ res = 1; /* test case successful */ ++end: ++ EVP_MD_CTX_free(ctx); ++ return res; ++} ++ ++static int cmac_aes_cbc(void) { ++ int success = 0; ++ CMAC_CTX *ctx = NULL; ++ size_t maclen = 0; ++ ++ if (!TEST_ptr(ctx = CMAC_CTX_new())) ++ return 0; ++ if (!TEST_true(CMAC_Init(ctx, get_key_16(), 16, EVP_aes_128_cbc(), NULL)) ++ || !TEST_true(CMAC_Final(ctx, NULL, &maclen)) ++ ) { ++ CMAC_CTX_free(ctx); ++ return 0; ++ } ++ ++ uint8_t mac[maclen]; ++ ++ if (!TEST_true(maclen > 0) ++ || !TEST_true(CMAC_Update(ctx, get_msg_16(), 16)) ++ || !TEST_true(CMAC_Final(ctx, mac, &maclen)) ++ || !TEST_true(fips_sli_is_approved_CMAC_CTX(ctx)) ++ ) ++ goto end; ++ success = 1; ++end: ++ CMAC_CTX_free(ctx); ++ return success; ++} ++ ++static int cmac_no_des(void) { ++ int success = 0; ++ CMAC_CTX *ctx = NULL; ++ size_t maclen = 0; ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ TEST_note("Skipping test because DES is disabled in FIPS mode"); ++ return 1; ++ } ++#endif ++ ++ if (!TEST_ptr(ctx = CMAC_CTX_new())) ++ return 0; ++ if (!TEST_true(CMAC_Init(ctx, get_key_16(), 16, EVP_des_ede_cbc(), NULL)) ++ || !TEST_true(CMAC_Final(ctx, NULL, &maclen)) ++ ) { ++ CMAC_CTX_free(ctx); ++ return 0; ++ } ++ ++ uint8_t mac[maclen]; ++ ++ if (!TEST_true(maclen > 0) ++ || !TEST_int_eq(16, EVP_CIPHER_key_length(EVP_des_ede_cbc())) ++ || !TEST_true(CMAC_Update(ctx, get_msg_16(), 16)) ++ || !TEST_true(CMAC_Final(ctx, mac, &maclen)) ++ || !TEST_false(fips_sli_is_approved_CMAC_CTX(ctx)) ++ ) ++ goto end; ++ success = 1; ++end: ++ CMAC_CTX_free(ctx); ++ return success; ++} ++ ++typedef struct { ++ int fips_approved; ++ int cipher_nid; ++} SLI_CMAC_TEST; ++ ++static const SLI_CMAC_TEST cmac_tests[] = { ++ // Cipher must fit to key length of 32 B ++ {1, NID_aes_256_cbc}, ++ {0, NID_camellia_256_cbc}, ++}; ++static const size_t cmac_tests_len = sizeof(cmac_tests) / sizeof(cmac_tests[0]); ++ ++static int cmac_via_md_ctx(int cmac_test_index) { ++ int success = 0; ++ EVP_MD_CTX *ctx = NULL; ++ const EVP_MD* md = NULL; ++ unsigned char* mac = NULL; ++ size_t maclen = 0; ++ ++ EVP_PKEY *key = NULL; ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode() ++ && cmac_tests[cmac_test_index].cipher_nid == NID_camellia_256_cbc) { ++ TEST_note("Skipping test because Camellia is disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++#endif ++ ++ if (!TEST_true(get_cmac_key(cmac_tests[cmac_test_index].cipher_nid, ++ &key) == 1)) ++ goto end; ++ if (!TEST_ptr(ctx = EVP_MD_CTX_new())) ++ goto end; ++ // hash doesn't matter here but must be present... ++ if (!TEST_true(EVP_DigestInit_ex(ctx, EVP_sha256(), NULL))) ++ goto end; ++ if (!TEST_true(EVP_DigestSignInit(ctx, NULL, md, NULL, key))) ++ goto end; ++ if (!TEST_true(EVP_DigestSignUpdate(ctx, get_msg_16(), 16))) ++ goto end; ++ size_t req = 0; ++ if (!TEST_true(EVP_DigestSignFinal(ctx, NULL, &req))) ++ goto end; ++ if (!TEST_true(req > 0)) ++ goto end; ++ if (!TEST_ptr(mac = OPENSSL_malloc(req))) ++ goto end; ++ maclen = req; ++ if (!TEST_true(EVP_DigestSignFinal(ctx, mac, &maclen))) ++ goto end; ++ if (cmac_tests[cmac_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(ctx))) ++ goto end; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(ctx))) ++ goto end; ++ } ++ ++ success = 1; ++end: ++ if (mac) ++ OPENSSL_free(mac); ++ EVP_MD_CTX_free(ctx); ++ return success; ++} ++ ++#ifndef OPENSSL_NO_EC ++typedef struct { ++ int fips_approved; ++ int curve_nid; ++} SLI_ECDSA_TEST; ++ ++static const SLI_ECDSA_TEST ecdsa_tests[] = { ++ {0, NID_secp112r2}, ++ {1, NID_secp521r1}, ++#ifndef OPENSSL_NO_EC2M ++ {0, NID_sect163r1}, ++#endif ++ {0, NID_brainpoolP512r1}, ++}; ++static const size_t ecdsa_tests_len = sizeof(ecdsa_tests) / sizeof(ecdsa_tests[0]); ++ ++/* Adapted from openssl/test/ecdsatest.c */ ++static int ecdsa_via_EVP_DigestSign(int ecdsa_test_index) { ++ unsigned char *sig = NULL; ++ EC_KEY *eckey = NULL; ++ EVP_PKEY *pkey = NULL; ++ EVP_MD_CTX *mctx = NULL; ++ size_t sig_len; ++ const int nid = ecdsa_tests[ecdsa_test_index].curve_nid; ++ int success = 0; ++ const uint8_t* tbs = get_msg_128(); ++ ++ TEST_note("testing ECDSA for curve %s", OBJ_nid2sn(nid)); ++ ++ if (!TEST_ptr(mctx = EVP_MD_CTX_new()) ++ || !TEST_ptr(eckey = EC_KEY_new_by_curve_name(nid)) ++ || !TEST_true(EC_KEY_generate_key(eckey)) ++ || !TEST_ptr(pkey = EVP_PKEY_new()) ++ || !TEST_true(EVP_PKEY_assign_EC_KEY(pkey, eckey))) ++ goto err; ++ ++ sig_len = ECDSA_size(eckey); ++ ++ if (!TEST_ptr(sig = OPENSSL_malloc(sig_len)) ++ /* create a signature */ ++ || !TEST_true(EVP_DigestSignInit(mctx, NULL, NULL, NULL, pkey)) ++ || !TEST_true(EVP_DigestSign(mctx, sig, &sig_len, tbs, sizeof(tbs))) ++ || !TEST_int_le(sig_len, ECDSA_size(eckey))) ++ goto err; ++ ++ // SLI shows proper status for sign() ++ if (ecdsa_tests[ecdsa_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ } ++ ++ /* positive test, verify with correct key, 1 return */ ++ if (!TEST_true(EVP_MD_CTX_reset(mctx)) ++ || !TEST_true(EVP_DigestVerifyInit(mctx, NULL, NULL, NULL, pkey))) ++ goto err; ++ ++ /* a resetted and initialised ctx should be okay again */ ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ ++ if (!TEST_int_eq(EVP_DigestVerify(mctx, sig, sig_len, tbs, sizeof(tbs)), 1)) ++ goto err; ++ ++ // SLI shows proper status for verify() ++ if (ecdsa_tests[ecdsa_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_MD_CTX(mctx))) ++ goto err; ++ } ++ ++ success = 1; ++err: ++ EVP_PKEY_free(pkey); ++ if (mctx != NULL) ++ EVP_MD_CTX_free(mctx); ++ if (sig != NULL) ++ OPENSSL_free(sig); ++ return success; ++} ++#endif ++ ++typedef struct { ++ int fips_approved; ++ int cipher_nid; ++} SLI_CIPHER_TEST; ++ ++static const SLI_CIPHER_TEST cipher_tests[] = { ++ {1, NID_aes_128_cfb128}, ++ {1, NID_aes_256_gcm}, ++ {0, NID_des_ede3_cbc}, ++ {0, NID_des_ede3_cfb8}, ++ {0, NID_des_ofb64}, ++ {0, NID_des_ede_ecb}, ++ {0, NID_des_ede_ofb64}, ++ {0, NID_idea_cbc}, ++}; ++static const size_t cipher_tests_len = sizeof(cipher_tests) / sizeof(cipher_tests[0]); ++ ++static size_t get_ciphertext_len(size_t plaintextlen, const EVP_CIPHER *cipher) { ++ /* maximum value according to manpage */ ++ return plaintextlen + EVP_CIPHER_block_size(cipher); ++} ++ ++static int cipher(int cipher_test_index) { ++ int success = 0; ++ unsigned char *key = NULL, *iv = NULL, *ctext = NULL; ++ int ctext_written_len = 0; ++ const EVP_CIPHER *cipher = NULL; ++ EVP_CIPHER_CTX *ctx = NULL; ++ const uint8_t* const ptext = get_msg_16(); ++ const size_t ptext_len = 16; ++ const int cipher_nid = cipher_tests[cipher_test_index].cipher_nid; ++ ++ TEST_note("testing SLI for cipher %s", OBJ_nid2sn(cipher_nid)); ++ ++#ifdef OPENSSL_NO_IDEA ++ switch (cipher_nid) { ++ case NID_idea_cbc: ++ TEST_note("Skipping test since IDEA is not supported in this build"); ++ success = 1; ++ goto end; ++ } ++#endif ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ switch (cipher_nid) { ++ case NID_des_ofb64: ++ case NID_des_ede_ecb: ++ case NID_des_ede_ofb64: ++ case NID_idea_cbc: ++ TEST_note("Skipping test since DES/IDEA are disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++ } ++#endif ++ ++ if (!TEST_ptr(cipher = EVP_get_cipherbynid(cipher_nid))) { ++ goto end; ++ } ++ ++ const size_t key_len = EVP_CIPHER_key_length(cipher); ++ const size_t iv_len = EVP_CIPHER_iv_length(cipher); ++ TEST_note("have keylen = %zd, ivlen = %zd", key_len, iv_len); ++ ++ if (!TEST_ptr(key = OPENSSL_malloc(key_len)) ++ || !TEST_ptr(ctext = OPENSSL_malloc(get_ciphertext_len(ptext_len, cipher))) ++ || !TEST_true(RAND_bytes(key, key_len) == 1)) ++ goto end; ++ ++ if (iv_len != 0) { ++ if (!TEST_ptr(iv = OPENSSL_malloc(iv_len)) ++ || !TEST_true(RAND_bytes(iv, iv_len) == 1)) ++ goto end; ++ } ++ ++ int tmp_len = 0; ++ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) ++ || !TEST_true(EVP_EncryptInit_ex(ctx, cipher, NULL, key, iv) == 1) ++ || !TEST_true(EVP_EncryptUpdate(ctx, ctext, &ctext_written_len, ptext, ptext_len) == 1) ++ || !TEST_true(ctext_written_len <= get_ciphertext_len(ptext_len, cipher)) ++ || !TEST_true(EVP_EncryptFinal_ex(ctx, ctext + ctext_written_len, &tmp_len) == 1)) ++ goto end; ++ ++ if (!TEST_true(ctext_written_len + tmp_len <= get_ciphertext_len(ptext_len, cipher))) ++ goto end; ++ ++ if (cipher_tests[cipher_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_CIPHER_CTX(ctx))) ++ goto end; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_CIPHER_CTX(ctx))) ++ goto end; ++ } ++ ++ success = 1; ++end: ++ EVP_CIPHER_CTX_free(ctx); ++ if (key != NULL) ++ OPENSSL_free(key); ++ if (iv != NULL) ++ OPENSSL_free(iv); ++ if (ctext != NULL) ++ OPENSSL_free(ctext); ++ return success; ++} ++ ++#ifndef OPENSSL_NO_RSA ++typedef struct { ++ int fips_approved; ++ int cipher_nid; ++ uint8_t rsa_key_id; ++} SLI_SEALENV_TEST; ++ ++static const SLI_SEALENV_TEST sealenv_tests[] = { ++ // consider RSA enc/dec as always disapproved ++ {0, NID_aes_128_cfb128, 0}, ++ {0, NID_aes_256_gcm, 1}, ++ {0, NID_idea_cbc, 0}, ++ {0, NID_des_ede3_cbc, 2}, ++ {0, NID_aes_128_ecb, 0}, ++ {0, NID_aes_128_ecb, 3}, ++ {0, NID_aes_128_ccm, 3}, ++}; ++static const size_t sealenv_tests_len = sizeof(sealenv_tests) / sizeof(sealenv_tests[0]); ++ ++/* Asymmetric enc/dec */ ++static int sealenv(int sealenv_test_index) { ++ int success = 0; ++ RSA *rsa_pkey = RSA_new(); ++ EVP_PKEY *pkey = NULL; ++ const EVP_CIPHER *cipher = NULL; ++ const int cipher_nid = sealenv_tests[sealenv_test_index].cipher_nid; ++ EVP_CIPHER_CTX *ctx = NULL; ++ ++ uint8_t* enc_sym_key = NULL; ++ int enc_sym_key_len = 0; ++ ++ const uint8_t* const ptext = get_msg_128(); ++ const size_t ptext_len = 128; ++ unsigned char *iv = NULL, *ctext = NULL; ++ size_t ctext_len = 0; ++ int ctext_written_len = 0; ++ ++ switch (sealenv_tests[sealenv_test_index].rsa_key_id) { ++ case 0: ++ get_rsa_key1(rsa_pkey); ++ break; ++ case 1: ++ get_rsa_key2(rsa_pkey); ++ break; ++ case 2: ++ get_rsa_key3(rsa_pkey); ++ break; ++ case 3: ++ if (!TEST_int_eq(256, get_rsa_key2048p3(rsa_pkey))) ++ goto end; ++ break; ++ default: ++ goto end; ++ } ++ ++ TEST_note("RSA enc with key #%d, cipher %s", ++ sealenv_tests[sealenv_test_index].rsa_key_id, ++ OBJ_nid2sn(cipher_nid)); ++ ++#ifdef OPENSSL_NO_IDEA ++ switch (cipher_nid) { ++ case NID_idea_cbc: ++ TEST_note("Skipping test since IDEA is not supported in this build"); ++ success = 1; ++ goto end; ++ } ++#endif ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ switch (cipher_nid) { ++ case NID_idea_cbc: ++ TEST_note("Skipping test since IDEA is disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++ } ++#endif ++ ++ if (!TEST_ptr(pkey = EVP_PKEY_new()) ++ || !TEST_true(EVP_PKEY_assign_RSA(pkey, rsa_pkey)) ++ || !TEST_ptr(cipher = EVP_get_cipherbynid(cipher_nid)) ++ || !TEST_ptr(enc_sym_key = OPENSSL_malloc(EVP_PKEY_size(pkey))) ++ || !TEST_ptr(ctext = OPENSSL_malloc(get_ciphertext_len(ptext_len, cipher))) ++ ) ++ goto end; ++ ++ const size_t iv_len = EVP_CIPHER_iv_length(cipher); ++ if (iv_len != 0) { ++ if (!TEST_ptr(iv = OPENSSL_malloc(iv_len))) ++ goto end; ++ } ++ ++ if (!TEST_ptr(ctx = EVP_CIPHER_CTX_new()) ++ || !TEST_true(1 == EVP_SealInit(ctx, cipher, &enc_sym_key, &enc_sym_key_len, iv, &pkey, 1)) ++ || !TEST_true(enc_sym_key_len > 0 && enc_sym_key_len <= EVP_PKEY_size(pkey)) ++ || !TEST_true(1 == EVP_SealUpdate(ctx, ctext, &ctext_written_len, ptext, ptext_len)) ++ ) ++ goto end; ++ ctext_len += ctext_written_len; ++ if (!TEST_true(1 == EVP_SealFinal(ctx, ctext + ctext_len, &ctext_written_len))) ++ goto end; ++ ctext_len += ctext_written_len; ++ if (!TEST_true(ctext_len <= get_ciphertext_len(ptext_len, cipher))) ++ goto end; ++ ++ if (sealenv_tests[sealenv_test_index].fips_approved) { ++ if (!TEST_true(fips_sli_is_approved_EVP_CIPHER_CTX(ctx))) ++ goto end; ++ } else { ++ if (!TEST_false(fips_sli_is_approved_EVP_CIPHER_CTX(ctx))) ++ goto end; ++ } ++ ++ success = 1; ++end: ++ EVP_PKEY_free(pkey); /* also frees rsa_pkey */ ++ if (ctx != NULL) ++ EVP_CIPHER_CTX_free(ctx); ++ if (enc_sym_key != NULL) ++ OPENSSL_free(enc_sym_key); ++ if (iv != NULL) ++ OPENSSL_free(iv); ++ if (ctext != NULL) ++ OPENSSL_free(ctext); ++ return success; ++} ++#endif ++ ++typedef struct { ++ int fips_approved; ++ int iterations; ++ int nid_digest; ++ const uint8_t key_expected[32]; // length has to be 32 ++} SLI_PBKDF2_TEST; ++ ++static const SLI_PBKDF2_TEST pbkdf2_tests[] = { ++ { ++ 1, 4200, NID_sha256, { ++ 0xE7, 0xBE, 0x37, 0x75, 0x9D, 0x53, 0x3E, 0x5A, 0x06, 0x20, 0xC9, 0xA5, 0x3A, 0x8D, 0xA2, 0x9E, ++ 0x9C, 0x27, 0xDF, 0x26, 0x24, 0xAB, 0xD8, 0x8E, 0x56, 0xE5, 0xB9, 0xF5, 0xA0, 0xD6, 0xD5, 0xEE ++ } ++ }, ++ { ++ 1, 1347, NID_sha256, { ++ 0xFB, 0xBB, 0xEC, 0x28, 0x5B, 0x48, 0xE7, 0xC2, 0x54, 0x4E, 0x65, 0x0F, 0x1E, 0xC8, 0xB5, 0x1C, ++ 0xF5, 0xAD, 0xAE, 0x2A, 0x21, 0x56, 0x94, 0xD2, 0xE1, 0xB7, 0xC8, 0x7D, 0x7A, 0x0D, 0x63, 0x86 ++ } ++ }, ++ { ++ 1, 4200, NID_sha1, { ++ 0x45, 0x96, 0x78, 0xF3, 0x92, 0x74, 0xAC, 0x5B, 0x1F, 0x2B, 0xD3, 0x75, 0x1A, 0xBA, 0x5D, 0xBE, ++ 0xF2, 0xDE, 0xE9, 0x88, 0x16, 0x4B, 0x0B, 0x84, 0x94, 0xD9, 0xC2, 0x2D, 0xC1, 0xB9, 0xB0, 0x8A ++ } ++ }, ++ { ++ 1, 4200, NID_sha3_512, { ++ 0x1E, 0x77, 0xC8, 0x28, 0x9A, 0x79, 0x2E, 0x25, 0x85, 0x8D, 0x73, 0xB3, 0x0D, 0xA1, 0x26, 0x65, ++ 0xC0, 0x04, 0x7D, 0x91, 0xB6, 0x5F, 0x89, 0x5E, 0x01, 0x82, 0x23, 0x35, 0x19, 0x2E, 0x5C, 0x09 ++ } ++ }, ++ { ++ 0, 1347, NID_md5, { ++ 0xC2, 0x78, 0x16, 0xDC, 0xD1, 0xC5, 0x71, 0xBD, 0x4A, 0x06, 0x2B, 0x38, 0x50, 0xE7, 0x4E, 0xC2, ++ 0x0E, 0x74, 0x9D, 0xB1, 0x59, 0xA8, 0xFF, 0x11, 0x24, 0x68, 0xD0, 0xCF, 0x69, 0xE5, 0x30, 0x36 ++ } ++ } ++}; ++static const size_t pbkdf2_tests_len = sizeof(pbkdf2_tests) / sizeof(pbkdf2_tests[0]); ++ ++static int test_PKCS5_PBKDF2_HMAC(int pbkdf2_tests_idx) { ++ int success = 0; ++ const char password[] = "password"; ++ const unsigned char salt[] = {'s', 'a', 'l', 't'}; ++ const size_t password_len = sizeof(password) / sizeof(password[0]); ++ const size_t salt_len = sizeof(salt) / sizeof(salt[0]); ++ ++ int iter = pbkdf2_tests[pbkdf2_tests_idx].iterations; ++ const EVP_MD *digest = EVP_get_digestbynid(pbkdf2_tests[pbkdf2_tests_idx].nid_digest); ++ const size_t key_len = 32; ++ const size_t key_expected_len = key_len; ++ uint8_t* key = NULL; ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ switch (pbkdf2_tests[pbkdf2_tests_idx].nid_digest) { ++ case NID_md5: ++ TEST_note("Skipping test since MD5 is disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++ } ++#endif ++ ++ if (!TEST_ptr(key = OPENSSL_malloc(key_len)) ++ || !TEST_true(1 == PKCS5_PBKDF2_HMAC(password, password_len, salt, salt_len, ++ iter, digest, ++ key_len, key)) ++ || !TEST_true(fips_sli_PKCS5_PBKDF2_HMAC_is_approved(password, password_len, ++ salt, salt_len, ++ iter, digest, ++ key_len, key) == pbkdf2_tests[pbkdf2_tests_idx].fips_approved) ++ || !TEST_mem_eq(key, key_len, pbkdf2_tests[pbkdf2_tests_idx].key_expected, key_expected_len)) ++ goto end; ++ success = 1; ++end: ++ return success; ++} ++ ++typedef struct { ++ int fips_approved; ++ int digest_nid; ++} SLI_SSHKDF_TEST; ++ ++static const SLI_SSHKDF_TEST sshkdf_tests[] = { ++ {1, NID_sha256}, ++ {0, NID_md5}, ++}; ++static const size_t sshkdf_tests_len = sizeof(sshkdf_tests) / sizeof(sshkdf_tests[0]); ++ ++static int sshkdf(int sshkdf_test_idx) { ++ int success = 0; ++ const uint8_t *key = get_key_32(); ++ const uint8_t *xcghash = get_msg_128(); ++ const uint8_t *session_id = get_key_32(); ++ uint8_t kdfout[16]; ++ size_t kdfoutlen = sizeof(kdfout) / sizeof(kdfout[0]); ++ const int digest_nid = sshkdf_tests[sshkdf_test_idx].digest_nid; ++ EVP_KDF_CTX *ctx = NULL; ++ ++ TEST_note("SSHKDF with %s", OBJ_nid2sn(digest_nid)); ++ ++#ifdef OPENSSL_FIPS ++ if (FIPS_mode()) { ++ switch (digest_nid) { ++ case NID_md5: ++ TEST_note("Skipping test since MD5 is disabled in FIPS mode"); ++ success = 1; ++ goto end; ++ } ++ } ++#endif ++ ++ if (!TEST_ptr(ctx = EVP_KDF_CTX_new_id(NID_sshkdf)) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_MD, EVP_get_digestbynid(digest_nid)) == 1) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_KEY, key, 32) == 1) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, session_id, 32) == 1) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV) == 1) ++ || !TEST_true(EVP_KDF_ctrl(ctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, xcghash, 128) == 1) ++ || !TEST_true(fips_sli_is_approved_EVP_KDF_CTX(ctx)) ++ || !TEST_true(EVP_KDF_derive(ctx, kdfout, kdfoutlen) == 1) ++ || !TEST_true(fips_sli_is_approved_EVP_KDF_CTX(ctx) == sshkdf_tests[sshkdf_test_idx].fips_approved) ++ ) ++ goto end; ++ ++ EVP_KDF_reset(ctx); ++ ++ if (!TEST_true(fips_sli_is_approved_EVP_KDF_CTX(ctx))) ++ goto end; ++ ++ success = 1; ++end: ++ EVP_KDF_CTX_free(ctx); ++ return success; ++} ++ ++static int rand_bytes() { ++ int success = 0; ++ unsigned char r[1]; ++ size_t rlen = sizeof(r) / sizeof(r[0]); ++ if (!TEST_true(fips_sli_RAND_bytes_is_approved(r, rlen) == 1) ++ || !TEST_true(RAND_bytes(r, rlen) == 1) ++ || !TEST_true(fips_sli_RAND_priv_bytes_is_approved(r, rlen) == 1) ++ || !TEST_true(RAND_priv_bytes(r, rlen) == 1) ++ || !TEST_true(fips_sli_RAND_priv_bytes_is_approved(r, rlen) == 1) ++ ) ++ goto end; ++ success = 1; ++end: ++ return success; ++} ++ ++int setup_tests(void) { ++ ADD_TEST(test_sli_noop); ++ ADD_TEST(cmac_aes_cbc); ++ ADD_TEST(cmac_no_des); ++ ADD_ALL_TESTS(cmac_via_md_ctx, cmac_tests_len); ++#ifdef OPENSSL_NO_EC ++ TEST_note("Elliptic curves are disabled."); ++#else ++ ADD_ALL_TESTS(ecdsa_via_EVP_DigestSign, ecdsa_tests_len); ++#endif ++ ADD_ALL_TESTS(cipher, cipher_tests_len); ++#ifdef OPENSSL_NO_RSA ++ TEST_note("RSA is disabled."); ++#else ++ ADD_ALL_TESTS(sealenv, sealenv_tests_len); ++#endif ++ ADD_ALL_TESTS(test_PKCS5_PBKDF2_HMAC, pbkdf2_tests_len); ++ ADD_ALL_TESTS(sshkdf, sshkdf_tests_len); ++ ADD_TEST(rand_bytes); ++ ++ return 1; /* success */ ++} +--- /dev/null ++++ b/test/fips_slitest_helper.c +@@ -0,0 +1,489 @@ ++#include ++#include ++#include ++#include ++#include ++ ++#include ++#include ++#include ++ ++#include "testutil.h" ++#include "fips_slitest_helper.h" ++ ++int make_hmac_keys(EVP_PKEY** skey, EVP_PKEY** vkey) { ++ byte hkey[EVP_MAX_MD_SIZE]; ++ ++ int result = -1; ++ ++ if (!skey || !vkey) ++ return -1; ++ ++ if (*skey != NULL) { ++ EVP_PKEY_free(*skey); ++ *skey = NULL; ++ } ++ ++ if (*vkey != NULL) { ++ EVP_PKEY_free(*vkey); ++ *vkey = NULL; ++ } ++ ++ do { ++ const EVP_MD* md = EVP_sha256(); ++ int size = EVP_MD_size(md); ++ assert(size >= 16); ++ if (!(size >= 16)) { ++ printf("EVP_MD_size failed, error 0x%lx\n", ERR_get_error()); ++ break; /* failed */ ++ } ++ ++ assert(size <= sizeof(hkey)); ++ if (!(size <= sizeof(hkey))) { ++ printf("EVP_MD_size is too large\n"); ++ break; /* failed */ ++ } ++ ++ /* Generate bytes */ ++ int rc = RAND_bytes(hkey, size); ++ assert(rc == 1); ++ if (rc != 1) { ++ printf("RAND_bytes failed, error 0x%lx\n", ERR_get_error()); ++ break; ++ } ++ ++ //print_it("HMAC key", hkey, size); ++ ++ *skey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, hkey, size); ++ assert(*skey != NULL); ++ if (*skey == NULL) { ++ printf("EVP_PKEY_new_mac_key 1st failed, error 0x%lx\n", ERR_get_error()); ++ break; ++ } ++ ++ *vkey = EVP_PKEY_new_mac_key(EVP_PKEY_HMAC, NULL, hkey, size); ++ assert(*vkey != NULL); ++ if (*vkey == NULL) { ++ printf("EVP_PKEY_new_mac_key 2nd failed, error 0x%lx\n", ERR_get_error()); ++ break; ++ } ++ ++ result = 0; ++ ++ } while (0); ++ ++ OPENSSL_cleanse(hkey, sizeof(hkey)); ++ ++ /* Convert to 0/1 result */ ++ return !!result; ++} ++static const uint8_t msg[16] = { 0x71, 0x50, 0x00, 0x00, ++ 0xc0, 0xff, 0xee, 0x00, ++ 0xde, 0xad, 0xbe, 0xef, ++ 0x01, 0x02, 0x03, 0x04 ++ }; ++static const uint8_t msg128[128] = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, ++ 13, 14, 15, 16, 17, 18, 19, 20, 21, 22, 23, ++ 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, ++ 35, 36, 37, 38, 39, 40, 41, 42, 43, 44, 45, ++ 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, ++ 57, 58, 59, 60, 61, 62, 63, 64, 65, 66, 67, ++ 68, 69, 70, 71, 72, 73, 74, 75, 76, 77, 78, ++ 79, 80, 81, 82, 83, 84, 85, 86, 87, 88, 89, ++ 90, 91, 92, 93, 94, 95, 96, 97, 98, 99, 100, ++ 101, 102, 103, 104, 105, 106, 107, 108, 109, ++ 110, 111, 112, 113, 114, 115, 116, 117, 118, ++ 119, 120, 121, 122, 123, 124, 125, 126, 127 ++ }; ++ ++static const uint8_t key16[16] = { 0xaa, 0xbb, 0xcc, 0xdd, ++ 0x01, 0x02, 0x03, 0x04, ++ 0xaa, 0xbb, 0xcc, 0xdd, ++ 0xde, 0xad, 0xbe, 0xef ++ }; ++static const uint8_t key32[32] = { 0xaa, 0xbb, 0xcc, 0xdd, ++ 0x01, 0x02, 0x03, 0x04, ++ 0xaa, 0xbb, 0xcc, 0xdd, ++ 0xde, 0xad, 0xbe, 0xef, ++ 0xaa, 0xbb, 0xcc, 0xdd, ++ 0x01, 0x02, 0x03, 0x04, ++ 0xaa, 0xbb, 0xcc, 0xdd, ++ 0xde, 0xad, 0xbe, 0xef ++ }; ++ ++const uint8_t* get_msg_16() { ++ return msg; ++} ++ ++const uint8_t* get_msg_128() { ++ return msg128; ++} ++ ++const uint8_t* get_key_16() { ++ return key16; ++} ++ ++const uint8_t* get_key_32() { ++ return key32; ++} ++ ++void print_it(const char* label, const byte* buff, size_t len) { ++ if (!buff || !len) ++ return; ++ ++ if (label) ++ printf("%s: ", label); ++ ++ for (size_t i = 0; i < len; ++i) ++ printf("%02X", buff[i]); ++ ++ printf("\n"); ++} ++ ++int get_cmac_key(int cipher_nid, EVP_PKEY** out) { ++ int success = 0; ++ EVP_PKEY_CTX *ctx = NULL; ++ const size_t key_len = 32; ++ const uint8_t *key = get_key_32(); ++ const EVP_CIPHER *cipher = EVP_get_cipherbynid(cipher_nid); ++ ++ if (!(ctx = EVP_PKEY_CTX_new_id(EVP_PKEY_CMAC, NULL))) ++ goto end; ++ if (EVP_PKEY_keygen_init(ctx) != 1) ++ goto end; ++ if (cipher == NULL) ++ goto end; ++ if (EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_CIPHER, 0, (void*)cipher) <= 0) ++ goto end; ++ if (EVP_PKEY_CTX_ctrl(ctx, -1, EVP_PKEY_OP_KEYGEN, EVP_PKEY_CTRL_SET_MAC_KEY, key_len, (void*)key) <= 0) ++ goto end; ++ if (!EVP_PKEY_keygen(ctx, out)) ++ goto end; ++ ++ success = 1; ++end: ++ ++ if (ctx) ++ EVP_PKEY_CTX_free(ctx); ++ return success; ++} ++ ++#ifndef OPENSSL_NO_RSA ++# include ++ ++/* adapted from openssl/test/rsa_test.c */ ++# define SetKey \ ++ RSA_set0_key(key, \ ++ BN_bin2bn(n, sizeof(n)-1, NULL), \ ++ BN_bin2bn(e, sizeof(e)-1, NULL), \ ++ BN_bin2bn(d, sizeof(d)-1, NULL)); \ ++ RSA_set0_factors(key, \ ++ BN_bin2bn(p, sizeof(p)-1, NULL), \ ++ BN_bin2bn(q, sizeof(q)-1, NULL)); \ ++ RSA_set0_crt_params(key, \ ++ BN_bin2bn(dmp1, sizeof(dmp1)-1, NULL), \ ++ BN_bin2bn(dmq1, sizeof(dmq1)-1, NULL), \ ++ BN_bin2bn(iqmp, sizeof(iqmp)-1, NULL)); ++ ++void get_rsa_key1(RSA *key) { ++ static unsigned char n[] = ++ "\x00\xAA\x36\xAB\xCE\x88\xAC\xFD\xFF\x55\x52\x3C\x7F\xC4\x52\x3F" ++ "\x90\xEF\xA0\x0D\xF3\x77\x4A\x25\x9F\x2E\x62\xB4\xC5\xD9\x9C\xB5" ++ "\xAD\xB3\x00\xA0\x28\x5E\x53\x01\x93\x0E\x0C\x70\xFB\x68\x76\x93" ++ "\x9C\xE6\x16\xCE\x62\x4A\x11\xE0\x08\x6D\x34\x1E\xBC\xAC\xA0\xA1" ++ "\xF5"; ++ ++ static unsigned char e[] = "\x11"; ++ ++ static unsigned char d[] = ++ "\x0A\x03\x37\x48\x62\x64\x87\x69\x5F\x5F\x30\xBC\x38\xB9\x8B\x44" ++ "\xC2\xCD\x2D\xFF\x43\x40\x98\xCD\x20\xD8\xA1\x38\xD0\x90\xBF\x64" ++ "\x79\x7C\x3F\xA7\xA2\xCD\xCB\x3C\xD1\xE0\xBD\xBA\x26\x54\xB4\xF9" ++ "\xDF\x8E\x8A\xE5\x9D\x73\x3D\x9F\x33\xB3\x01\x62\x4A\xFD\x1D\x51"; ++ ++ static unsigned char p[] = ++ "\x00\xD8\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" ++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x12" ++ "\x0D"; ++ ++ static unsigned char q[] = ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" ++ "\x89"; ++ ++ static unsigned char dmp1[] = ++ "\x59\x0B\x95\x72\xA2\xC2\xA9\xC4\x06\x05\x9D\xC2\xAB\x2F\x1D\xAF" ++ "\xEB\x7E\x8B\x4F\x10\xA7\x54\x9E\x8E\xED\xF5\xB4\xFC\xE0\x9E\x05"; ++ ++ static unsigned char dmq1[] = ++ "\x00\x8E\x3C\x05\x21\xFE\x15\xE0\xEA\x06\xA3\x6F\xF0\xF1\x0C\x99" ++ "\x52\xC3\x5B\x7A\x75\x14\xFD\x32\x38\xB8\x0A\xAD\x52\x98\x62\x8D" ++ "\x51"; ++ ++ static unsigned char iqmp[] = ++ "\x36\x3F\xF7\x18\x9D\xA8\xE9\x0B\x1D\x34\x1F\x71\xD0\x9B\x76\xA8" ++ "\xA9\x43\xE1\x1D\x10\xB2\x4D\x24\x9F\x2D\xEA\xFE\xF8\x0C\x18\x26"; ++ ++ SetKey; ++} ++ ++void get_rsa_key2(RSA *key) { ++ static unsigned char n[] = ++ "\x00\xA3\x07\x9A\x90\xDF\x0D\xFD\x72\xAC\x09\x0C\xCC\x2A\x78\xB8" ++ "\x74\x13\x13\x3E\x40\x75\x9C\x98\xFA\xF8\x20\x4F\x35\x8A\x0B\x26" ++ "\x3C\x67\x70\xE7\x83\xA9\x3B\x69\x71\xB7\x37\x79\xD2\x71\x7B\xE8" ++ "\x34\x77\xCF"; ++ ++ static unsigned char e[] = "\x3"; ++ ++ static unsigned char d[] = ++ "\x6C\xAF\xBC\x60\x94\xB3\xFE\x4C\x72\xB0\xB3\x32\xC6\xFB\x25\xA2" ++ "\xB7\x62\x29\x80\x4E\x68\x65\xFC\xA4\x5A\x74\xDF\x0F\x8F\xB8\x41" ++ "\x3B\x52\xC0\xD0\xE5\x3D\x9B\x59\x0F\xF1\x9B\xE7\x9F\x49\xDD\x21" ++ "\xE5\xEB"; ++ ++ static unsigned char p[] = ++ "\x00\xCF\x20\x35\x02\x8B\x9D\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92" ++ "\xEA\x0D\xA3\xB4\x32\x04\xB5\xCF\xCE\x91"; ++ ++ static unsigned char q[] = ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5F"; ++ ++ static unsigned char dmp1[] = ++ "\x00\x8A\x15\x78\xAC\x5D\x13\xAF\x10\x2B\x22\xB9\x99\xCD\x74\x61" ++ "\xF1\x5E\x6D\x22\xCC\x03\x23\xDF\xDF\x0B"; ++ ++ static unsigned char dmq1[] = ++ "\x00\x86\x55\x21\x4A\xC5\x4D\x8D\x4E\xCD\x61\x77\xF1\xC7\x36\x90" ++ "\xCE\x2A\x48\x2C\x8B\x05\x99\xCB\xE0\x3F"; ++ ++ static unsigned char iqmp[] = ++ "\x00\x83\xEF\xEF\xB8\xA9\xA4\x0D\x1D\xB6\xED\x98\xAD\x84\xED\x13" ++ "\x35\xDC\xC1\x08\xF3\x22\xD0\x57\xCF\x8D"; ++ ++ SetKey; ++} ++ ++void get_rsa_key3(RSA *key) { ++ static unsigned char n[] = ++ "\x00\xBB\xF8\x2F\x09\x06\x82\xCE\x9C\x23\x38\xAC\x2B\x9D\xA8\x71" ++ "\xF7\x36\x8D\x07\xEE\xD4\x10\x43\xA4\x40\xD6\xB6\xF0\x74\x54\xF5" ++ "\x1F\xB8\xDF\xBA\xAF\x03\x5C\x02\xAB\x61\xEA\x48\xCE\xEB\x6F\xCD" ++ "\x48\x76\xED\x52\x0D\x60\xE1\xEC\x46\x19\x71\x9D\x8A\x5B\x8B\x80" ++ "\x7F\xAF\xB8\xE0\xA3\xDF\xC7\x37\x72\x3E\xE6\xB4\xB7\xD9\x3A\x25" ++ "\x84\xEE\x6A\x64\x9D\x06\x09\x53\x74\x88\x34\xB2\x45\x45\x98\x39" ++ "\x4E\xE0\xAA\xB1\x2D\x7B\x61\xA5\x1F\x52\x7A\x9A\x41\xF6\xC1\x68" ++ "\x7F\xE2\x53\x72\x98\xCA\x2A\x8F\x59\x46\xF8\xE5\xFD\x09\x1D\xBD" ++ "\xCB"; ++ ++ static unsigned char e[] = "\x11"; ++ ++ static unsigned char d[] = ++ "\x00\xA5\xDA\xFC\x53\x41\xFA\xF2\x89\xC4\xB9\x88\xDB\x30\xC1\xCD" ++ "\xF8\x3F\x31\x25\x1E\x06\x68\xB4\x27\x84\x81\x38\x01\x57\x96\x41" ++ "\xB2\x94\x10\xB3\xC7\x99\x8D\x6B\xC4\x65\x74\x5E\x5C\x39\x26\x69" ++ "\xD6\x87\x0D\xA2\xC0\x82\xA9\x39\xE3\x7F\xDC\xB8\x2E\xC9\x3E\xDA" ++ "\xC9\x7F\xF3\xAD\x59\x50\xAC\xCF\xBC\x11\x1C\x76\xF1\xA9\x52\x94" ++ "\x44\xE5\x6A\xAF\x68\xC5\x6C\x09\x2C\xD3\x8D\xC3\xBE\xF5\xD2\x0A" ++ "\x93\x99\x26\xED\x4F\x74\xA1\x3E\xDD\xFB\xE1\xA1\xCE\xCC\x48\x94" ++ "\xAF\x94\x28\xC2\xB7\xB8\x88\x3F\xE4\x46\x3A\x4B\xC8\x5B\x1C\xB3" ++ "\xC1"; ++ ++ static unsigned char p[] = ++ "\x00\xEE\xCF\xAE\x81\xB1\xB9\xB3\xC9\x08\x81\x0B\x10\xA1\xB5\x60" ++ "\x01\x99\xEB\x9F\x44\xAE\xF4\xFD\xA4\x93\xB8\x1A\x9E\x3D\x84\xF6" ++ "\x32\x12\x4E\xF0\x23\x6E\x5D\x1E\x3B\x7E\x28\xFA\xE7\xAA\x04\x0A" ++ "\x2D\x5B\x25\x21\x76\x45\x9D\x1F\x39\x75\x41\xBA\x2A\x58\xFB\x65" ++ "\x99"; ++ ++ static unsigned char q[] = ++ "\x00\xC9\x7F\xB1\xF0\x27\xF4\x53\xF6\x34\x12\x33\xEA\xAA\xD1\xD9" ++ "\x35\x3F\x6C\x42\xD0\x88\x66\xB1\xD0\x5A\x0F\x20\x35\x02\x8B\x9D" ++ "\x86\x98\x40\xB4\x16\x66\xB4\x2E\x92\xEA\x0D\xA3\xB4\x32\x04\xB5" ++ "\xCF\xCE\x33\x52\x52\x4D\x04\x16\xA5\xA4\x41\xE7\x00\xAF\x46\x15" ++ "\x03"; ++ ++ static unsigned char dmp1[] = ++ "\x54\x49\x4C\xA6\x3E\xBA\x03\x37\xE4\xE2\x40\x23\xFC\xD6\x9A\x5A" ++ "\xEB\x07\xDD\xDC\x01\x83\xA4\xD0\xAC\x9B\x54\xB0\x51\xF2\xB1\x3E" ++ "\xD9\x49\x09\x75\xEA\xB7\x74\x14\xFF\x59\xC1\xF7\x69\x2E\x9A\x2E" ++ "\x20\x2B\x38\xFC\x91\x0A\x47\x41\x74\xAD\xC9\x3C\x1F\x67\xC9\x81"; ++ ++ static unsigned char dmq1[] = ++ "\x47\x1E\x02\x90\xFF\x0A\xF0\x75\x03\x51\xB7\xF8\x78\x86\x4C\xA9" ++ "\x61\xAD\xBD\x3A\x8A\x7E\x99\x1C\x5C\x05\x56\xA9\x4C\x31\x46\xA7" ++ "\xF9\x80\x3F\x8F\x6F\x8A\xE3\x42\xE9\x31\xFD\x8A\xE4\x7A\x22\x0D" ++ "\x1B\x99\xA4\x95\x84\x98\x07\xFE\x39\xF9\x24\x5A\x98\x36\xDA\x3D"; ++ ++ static unsigned char iqmp[] = ++ "\x00\xB0\x6C\x4F\xDA\xBB\x63\x01\x19\x8D\x26\x5B\xDB\xAE\x94\x23" ++ "\xB3\x80\xF2\x71\xF7\x34\x53\x88\x50\x93\x07\x7F\xCD\x39\xE2\x11" ++ "\x9F\xC9\x86\x32\x15\x4F\x58\x83\xB1\x67\xA9\x67\xBF\x40\x2B\x4E" ++ "\x9E\x2E\x0F\x96\x56\xE6\x98\xEA\x36\x66\xED\xFB\x25\x79\x80\x39" ++ "\xF7"; ++ ++ SetKey; ++} ++ ++/* taken from openssl/test/rsa_mp_test.c */ ++#define NUM_EXTRA_PRIMES 1 ++/* Returns the public key length (256) on success */ ++int get_rsa_key2048p3(RSA *key) { ++ /* C90 requires string should <= 509 bytes */ ++ static const unsigned char n[] = ++ "\x92\x60\xd0\x75\x0a\xe1\x17\xee\xe5\x5c\x3f\x3d\xea\xba\x74\x91" ++ "\x75\x21\xa2\x62\xee\x76\x00\x7c\xdf\x8a\x56\x75\x5a\xd7\x3a\x15" ++ "\x98\xa1\x40\x84\x10\xa0\x14\x34\xc3\xf5\xbc\x54\xa8\x8b\x57\xfa" ++ "\x19\xfc\x43\x28\xda\xea\x07\x50\xa4\xc4\x4e\x88\xcf\xf3\xb2\x38" ++ "\x26\x21\xb8\x0f\x67\x04\x64\x43\x3e\x43\x36\xe6\xd0\x03\xe8\xcd" ++ "\x65\xbf\xf2\x11\xda\x14\x4b\x88\x29\x1c\x22\x59\xa0\x0a\x72\xb7" ++ "\x11\xc1\x16\xef\x76\x86\xe8\xfe\xe3\x4e\x4d\x93\x3c\x86\x81\x87" ++ "\xbd\xc2\x6f\x7b\xe0\x71\x49\x3c\x86\xf7\xa5\x94\x1c\x35\x10\x80" ++ "\x6a\xd6\x7b\x0f\x94\xd8\x8f\x5c\xf5\xc0\x2a\x09\x28\x21\xd8\x62" ++ "\x6e\x89\x32\xb6\x5c\x5b\xd8\xc9\x20\x49\xc2\x10\x93\x2b\x7a\xfa" ++ "\x7a\xc5\x9c\x0e\x88\x6a\xe5\xc1\xed\xb0\x0d\x8c\xe2\xc5\x76\x33" ++ "\xdb\x26\xbd\x66\x39\xbf\xf7\x3c\xee\x82\xbe\x92\x75\xc4\x02\xb4" ++ "\xcf\x2a\x43\x88\xda\x8c\xf8\xc6\x4e\xef\xe1\xc5\xa0\xf5\xab\x80" ++ "\x57\xc3\x9f\xa5\xc0\x58\x9c\x3e\x25\x3f\x09\x60\x33\x23\x00\xf9" ++ "\x4b\xea\x44\x87\x7b\x58\x8e\x1e\xdb\xde\x97\xcf\x23\x60\x72\x7a" ++ "\x09\xb7\x75\x26\x2d\x7e\xe5\x52\xb3\x31\x9b\x92\x66\xf0\x5a\x25"; ++ ++ static const unsigned char e[] = "\x01\x00\x01"; ++ ++ static const unsigned char d[] = ++ "\x6a\x7d\xf2\xca\x63\xea\xd4\xdd\xa1\x91\xd6\x14\xb6\xb3\x85\xe0" ++ "\xd9\x05\x6a\x3d\x6d\x5c\xfe\x07\xdb\x1d\xaa\xbe\xe0\x22\xdb\x08" ++ "\x21\x2d\x97\x61\x3d\x33\x28\xe0\x26\x7c\x9d\xd2\x3d\x78\x7a\xbd" ++ "\xe2\xaf\xcb\x30\x6a\xeb\x7d\xfc\xe6\x92\x46\xcc\x73\xf5\xc8\x7f" ++ "\xdf\x06\x03\x01\x79\xa2\x11\x4b\x76\x7d\xb1\xf0\x83\xff\x84\x1c" ++ "\x02\x5d\x7d\xc0\x0c\xd8\x24\x35\xb9\xa9\x0f\x69\x53\x69\xe9\x4d" ++ "\xf2\x3d\x2c\xe4\x58\xbc\x3b\x32\x83\xad\x8b\xba\x2b\x8f\xa1\xba" ++ "\x62\xe2\xdc\xe9\xac\xcf\xf3\x79\x9a\xae\x7c\x84\x00\x16\xf3\xba" ++ "\x8e\x00\x48\xc0\xb6\xcc\x43\x39\xaf\x71\x61\x00\x3a\x5b\xeb\x86" ++ "\x4a\x01\x64\xb2\xc1\xc9\x23\x7b\x64\xbc\x87\x55\x69\x94\x35\x1b" ++ "\x27\x50\x6c\x33\xd4\xbc\xdf\xce\x0f\x9c\x49\x1a\x7d\x6b\x06\x28" ++ "\xc7\xc8\x52\xbe\x4f\x0a\x9c\x31\x32\xb2\xed\x3a\x2c\x88\x81\xe9" ++ "\xaa\xb0\x7e\x20\xe1\x7d\xeb\x07\x46\x91\xbe\x67\x77\x76\xa7\x8b" ++ "\x5c\x50\x2e\x05\xd9\xbd\xde\x72\x12\x6b\x37\x38\x69\x5e\x2d\xd1" ++ "\xa0\xa9\x8a\x14\x24\x7c\x65\xd8\xa7\xee\x79\x43\x2a\x09\x2c\xb0" ++ "\x72\x1a\x12\xdf\x79\x8e\x44\xf7\xcf\xce\x0c\x49\x81\x47\xa9\xb1"; ++ ++ static const unsigned char p[] = ++ "\x06\x77\xcd\xd5\x46\x9b\xc1\xd5\x58\x00\x81\xe2\xf3\x0a\x36\xb1" ++ "\x6e\x29\x89\xd5\x2f\x31\x5f\x92\x22\x3b\x9b\x75\x30\x82\xfa\xc5" ++ "\xf5\xde\x8a\x36\xdb\xc6\xe5\x8f\xef\x14\x37\xd6\x00\xf9\xab\x90" ++ "\x9b\x5d\x57\x4c\xf5\x1f\x77\xc4\xbb\x8b\xdd\x9b\x67\x11\x45\xb2" ++ "\x64\xe8\xac\xa8\x03\x0f\x16\x0d\x5d\x2d\x53\x07\x23\xfb\x62\x0d" ++ "\xe6\x16\xd3\x23\xe8\xb3"; ++ ++ static const unsigned char q[] = ++ "\x06\x66\x9a\x70\x53\xd6\x72\x74\xfd\xea\x45\xc3\xc0\x17\xae\xde" ++ "\x79\x17\xae\x79\xde\xfc\x0e\xf7\xa4\x3a\x8c\x43\x8f\xc7\x8a\xa2" ++ "\x2c\x51\xc4\xd0\x72\x89\x73\x5c\x61\xbe\xfd\x54\x3f\x92\x65\xde" ++ "\x4d\x65\x71\x70\xf6\xf2\xe5\x98\xb9\x0f\xd1\x0b\xe6\x95\x09\x4a" ++ "\x7a\xdf\xf3\x10\x16\xd0\x60\xfc\xa5\x10\x34\x97\x37\x6f\x0a\xd5" ++ "\x5d\x8f\xd4\xc3\xa0\x5b"; ++ ++ static const unsigned char dmp1[] = ++ "\x05\x7c\x9e\x1c\xbd\x90\x25\xe7\x40\x86\xf5\xa8\x3b\x7a\x3f\x99" ++ "\x56\x95\x60\x3a\x7b\x95\x4b\xb8\xa0\xd7\xa5\xf1\xcc\xdc\x5f\xb5" ++ "\x8c\xf4\x62\x95\x54\xed\x2e\x12\x62\xc2\xe8\xf6\xde\xce\xed\x8e" ++ "\x77\x6d\xc0\x40\x25\x74\xb3\x5a\x2d\xaa\xe1\xac\x11\xcb\xe2\x2f" ++ "\x0a\x51\x23\x1e\x47\xb2\x05\x88\x02\xb2\x0f\x4b\xf0\x67\x30\xf0" ++ "\x0f\x6e\xef\x5f\xf7\xe7"; ++ ++ static const unsigned char dmq1[] = ++ "\x01\xa5\x6b\xbc\xcd\xe3\x0e\x46\xc6\x72\xf5\x04\x56\x28\x01\x22" ++ "\x58\x74\x5d\xbc\x1c\x3c\x29\x41\x49\x6c\x81\x5c\x72\xe2\xf7\xe5" ++ "\xa3\x8e\x58\x16\xe0\x0e\x37\xac\x1f\xbb\x75\xfd\xaf\xe7\xdf\xe9" ++ "\x1f\x70\xa2\x8f\x52\x03\xc0\x46\xd9\xf9\x96\x63\x00\x27\x7e\x5f" ++ "\x38\x60\xd6\x6b\x61\xe2\xaf\xbe\xea\x58\xd3\x9d\xbc\x75\x03\x8d" ++ "\x42\x65\xd6\x6b\x85\x97"; ++ ++ static const unsigned char iqmp[] = ++ "\x03\xa1\x8b\x80\xe4\xd8\x87\x25\x17\x5d\xcc\x8d\xa9\x8a\x22\x2b" ++ "\x6c\x15\x34\x6f\x80\xcc\x1c\x44\x04\x68\xbc\x03\xcd\x95\xbb\x69" ++ "\x37\x61\x48\xb4\x23\x13\x08\x16\x54\x6a\xa1\x7c\xf5\xd4\x3a\xe1" ++ "\x4f\xa4\x0c\xf5\xaf\x80\x85\x27\x06\x0d\x70\xc0\xc5\x19\x28\xfe" ++ "\xee\x8e\x86\x21\x98\x8a\x37\xb7\xe5\x30\x25\x70\x93\x51\x2d\x49" ++ "\x85\x56\xb3\x0c\x2b\x96"; ++ ++ static const unsigned char ex_prime[] = ++ "\x03\x89\x22\xa0\xb7\x3a\x91\xcb\x5e\x0c\xfd\x73\xde\xa7\x38\xa9" ++ "\x47\x43\xd6\x02\xbf\x2a\xb9\x3c\x48\xf3\x06\xd6\x58\x35\x50\x56" ++ "\x16\x5c\x34\x9b\x61\x87\xc8\xaa\x0a\x5d\x8a\x0a\xcd\x9c\x41\xd9" ++ "\x96\x24\xe0\xa9\x9b\x26\xb7\xa8\x08\xc9\xea\xdc\xa7\x15\xfb\x62" ++ "\xa0\x2d\x90\xe6\xa7\x55\x6e\xc6\x6c\xff\xd6\x10\x6d\xfa\x2e\x04" ++ "\x50\xec\x5c\x66\xe4\x05"; ++ ++ static const unsigned char ex_exponent[] = ++ "\x02\x0a\xcd\xc3\x82\xd2\x03\xb0\x31\xac\xd3\x20\x80\x34\x9a\x57" ++ "\xbc\x60\x04\x57\x25\xd0\x29\x9a\x16\x90\xb9\x1c\x49\x6a\xd1\xf2" ++ "\x47\x8c\x0e\x9e\xc9\x20\xc2\xd8\xe4\x8f\xce\xd2\x1a\x9c\xec\xb4" ++ "\x1f\x33\x41\xc8\xf5\x62\xd1\xa5\xef\x1d\xa1\xd8\xbd\x71\xc6\xf7" ++ "\xda\x89\x37\x2e\xe2\xec\x47\xc5\xb8\xe3\xb4\xe3\x5c\x82\xaa\xdd" ++ "\xb7\x58\x2e\xaf\x07\x79"; ++ ++ static const unsigned char ex_coefficient[] = ++ "\x00\x9c\x09\x88\x9b\xc8\x57\x08\x69\x69\xab\x2d\x9e\x29\x1c\x3c" ++ "\x6d\x59\x33\x12\x0d\x2b\x09\x2e\xaf\x01\x2c\x27\x01\xfc\xbd\x26" ++ "\x13\xf9\x2d\x09\x22\x4e\x49\x11\x03\x82\x88\x87\xf4\x43\x1d\xac" ++ "\xca\xec\x86\xf7\x23\xf1\x64\xf3\xf5\x81\xf0\x37\x36\xcf\x67\xff" ++ "\x1a\xff\x7a\xc7\xf9\xf9\x67\x2d\xa0\x9d\x61\xf8\xf6\x47\x5c\x2f" ++ "\xe7\x66\xe8\x3c\x3a\xe8"; ++ ++ BIGNUM **pris = NULL, **exps = NULL, **coeffs = NULL; ++ int rv = 256; /* public key length */ ++ ++ if (!TEST_int_eq(RSA_set0_key(key, ++ BN_bin2bn(n, sizeof(n) - 1, NULL), ++ BN_bin2bn(e, sizeof(e) - 1, NULL), ++ BN_bin2bn(d, sizeof(d) - 1, NULL)), 1)) ++ goto err; ++ ++ if (!TEST_int_eq(RSA_set0_factors(key, ++ BN_bin2bn(p, sizeof(p) - 1, NULL), ++ BN_bin2bn(q, sizeof(q) - 1, NULL)), 1)) ++ goto err; ++ ++ if (!TEST_int_eq(RSA_set0_crt_params(key, ++ BN_bin2bn(dmp1, sizeof(dmp1) - 1, NULL), ++ BN_bin2bn(dmq1, sizeof(dmq1) - 1, NULL), ++ BN_bin2bn(iqmp, sizeof(iqmp) - 1, ++ NULL)), 1)) ++ return 0; ++ ++ pris = OPENSSL_zalloc(sizeof(BIGNUM *)); ++ exps = OPENSSL_zalloc(sizeof(BIGNUM *)); ++ coeffs = OPENSSL_zalloc(sizeof(BIGNUM *)); ++ if (!TEST_ptr(pris) || !TEST_ptr(exps) || !TEST_ptr(coeffs)) ++ goto err; ++ ++ pris[0] = BN_bin2bn(ex_prime, sizeof(ex_prime) - 1, NULL); ++ exps[0] = BN_bin2bn(ex_exponent, sizeof(ex_exponent) - 1, NULL); ++ coeffs[0] = BN_bin2bn(ex_coefficient, sizeof(ex_coefficient) - 1, NULL); ++ if (!TEST_ptr(pris[0]) || !TEST_ptr(exps[0]) || !TEST_ptr(coeffs[0])) ++ goto err; ++ ++ if (!TEST_true(RSA_set0_multi_prime_params(key, pris, exps, ++ coeffs, NUM_EXTRA_PRIMES))) ++ goto err; ++ ++ret: ++ OPENSSL_free(pris); ++ OPENSSL_free(exps); ++ OPENSSL_free(coeffs); ++ return rv; ++err: ++ if (pris != NULL) ++ BN_free(pris[0]); ++ if (exps != NULL) ++ BN_free(exps[0]); ++ if (coeffs != NULL) ++ BN_free(coeffs[0]); ++ rv = 0; ++ goto ret; ++} ++ ++#endif +--- /dev/null ++++ b/test/fips_slitest_helper.h +@@ -0,0 +1,29 @@ ++#ifndef __FIPS_SLITEST_HELPER_H__ ++#define __FIPS_SLITEST_HELPER_H__ ++ ++#include ++ ++typedef unsigned char byte; ++ ++/** Create a MAC key: one copy for macgen, one for macver (verification) ++ * Adapted from https://wiki.openssl.org/images/1/1b/T-hmac.c.tar.gz ++ */ ++int make_hmac_keys(EVP_PKEY** skey, EVP_PKEY** vkey); ++ ++/* Adapted from https://wiki.openssl.org/images/1/1b/T-hmac.c.tar.gz */ ++void print_it(const char* label, const byte* buff, size_t len); ++ ++int get_cmac_key(int cipher_nid, EVP_PKEY** out); ++ ++const uint8_t* get_msg_16(); ++const uint8_t* get_msg_128(); ++/* Get constant keys of specified length */ ++const uint8_t* get_key_16(); ++const uint8_t* get_key_32(); ++ ++void get_rsa_key1(RSA *key); ++void get_rsa_key2(RSA *key); ++void get_rsa_key3(RSA *key); ++int get_rsa_key2048p3(RSA *key); ++ ++#endif /* __FIPS_SLITEST_HELPER_H__ */ +--- /dev/null ++++ b/test/recipes/30-test_fips_sli.t +@@ -0,0 +1,4 @@ ++#!/usr/bin/env perl ++use OpenSSL::Test::Simple; ++ ++simple_test("test_fips_sli", "fips_slitest", "fips_sli"); +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -4636,3 +4636,14 @@ EVP_KDF_size + EVP_KDF_derive 6597 1_1_1d EXIST::FUNCTION: + EC_GROUP_get0_field 6598 1_1_1l EXIST::FUNCTION:EC + NONFIPS_selftest_check 6599 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_EVP_MD_CTX 6600 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_CMAC_CTX 6601 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_HMAC_CTX 6602 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_EVP_PKEY_CTX 6603 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_EVP_CIPHER_CTX 6604 1_1_1l EXIST::FUNCTION: ++fips_sli_is_approved_EVP_KDF_CTX 6605 1_1_1l EXIST::FUNCTION: ++fips_sli_SHA1_is_approved 6606 1_1_1l EXIST::FUNCTION: ++fips_sli_PKCS5_PBKDF2_HMAC_is_approved 6607 1_1_1l EXIST::FUNCTION: ++fips_sli_HMAC_is_approved 6608 1_1_1l EXIST::FUNCTION: ++fips_sli_RAND_bytes_is_approved 6609 1_1_1l EXIST::FUNCTION: ++fips_sli_RAND_priv_bytes_is_approved 6610 1_1_1l EXIST::FUNCTION: diff --git a/openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch b/openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch new file mode 100644 index 0000000..949e7cb --- /dev/null +++ b/openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch @@ -0,0 +1,39 @@ +diff --git a/crypto/evp/e_aes.c b/crypto/evp/e_aes.c +index 6adff696c..29b23f9f7 100644 +--- a/crypto/evp/e_aes.c ++++ b/crypto/evp/e_aes.c +@@ -4366,6 +4366,21 @@ FIPS_STATUS EVP_CIPHER_get_fips_status(const EVP_CIPHER *cipher) { + /* intended fall-through */ + case 256: + return FIPS_APPROVED; ++ case 512: ++ if (cipher->do_cipher == aes_xts_cipher ++ #if defined(OPENSSL_CPUID_OBJ) && ( \ ++ ((defined(__i386) || defined(__i386__) || defined(_M_IX86))\ ++ && defined(OPENSSL_IA32_SSE2)) \ ++ || defined(__x86_64) || defined(__x86_64__) \ ++ || defined(_M_AMD64) || defined(_M_X64)) ++ || cipher->do_cipher == aesni_xts_cipher ++ #elif defined(OPENSSL_CPUID_OBJ) && defined(__s390__) ++ || cipher->do_cipher == s390x_aes_xts_cipher ++ #endif ++ ) ++ return FIPS_APPROVED; ++ else ++ return FIPS_ERROR; + } + } + /* disapproved for enc and dec: all others, including +diff --git a/test/fips_slitest.c b/test/fips_slitest.c +index d32f748a6..9e37cf36b 100644 +--- a/test/fips_slitest.c ++++ b/test/fips_slitest.c +@@ -260,6 +260,8 @@ static const SLI_CIPHER_TEST cipher_tests[] = { + {0, NID_des_ede_ecb}, + {0, NID_des_ede_ofb64}, + {0, NID_idea_cbc}, ++ {1, NID_aes_128_xts}, ++ {1, NID_aes_256_xts}, + }; + static const size_t cipher_tests_len = sizeof(cipher_tests) / sizeof(cipher_tests[0]); + diff --git a/openssl-1_1-ossl-sli-005-EC_group_order_bits.patch b/openssl-1_1-ossl-sli-005-EC_group_order_bits.patch new file mode 100644 index 0000000..08f8aeb --- /dev/null +++ b/openssl-1_1-ossl-sli-005-EC_group_order_bits.patch @@ -0,0 +1,24 @@ +--- + crypto/fips/fips_sli.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/crypto/fips/fips_sli.c ++++ b/crypto/fips/fips_sli.c +@@ -328,14 +328,14 @@ static FIPS_STATUS get_fips_keygen_ecdsa + BN_set_bit(pwr24, 24); + BN_set_bit(pwr32, 32); + +- if (224 < n && n <= 255) { ++ if (224 <= n && n <= 255) { + if (BN_cmp(cofactor, pwr14) != 1) + ret = FIPS_APPROVED; +- } else if (256 < n && n <= 383) { ++ } else if (256 <= n && n <= 383) { + if (BN_cmp(cofactor, pwr16) != 1) + ret = FIPS_APPROVED; + +- } else if (384 < n && n <= 511) { ++ } else if (384 <= n && n <= 511) { + if (BN_cmp(cofactor, pwr24) != 1) + ret = FIPS_APPROVED; + diff --git a/openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch b/openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch new file mode 100644 index 0000000..21e5b42 --- /dev/null +++ b/openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch @@ -0,0 +1,52 @@ +Index: openssl-1.1.1l/crypto/rsa/rsa_pmeth.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/rsa/rsa_pmeth.c ++++ openssl-1.1.1l/crypto/rsa/rsa_pmeth.c +@@ -140,13 +140,11 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + unsigned int sltmp; + if (rctx->pad_mode != RSA_PKCS1_PADDING) + return -1; +- /* PKCS1-v1.5 padding is disallowed after 2023 */ +- fips_sli_disapprove_EVP_PKEY_CTX(ctx); + ret = RSA_sign_ASN1_OCTET_STRING(0, + tbs, tbslen, sig, &sltmp, rsa); +- + if (ret <= 0) + return ret; ++ fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md); + ret = sltmp; + } else if (rctx->pad_mode == RSA_X931_PADDING) { + if ((size_t)EVP_PKEY_size(ctx->pkey) < tbslen + 1) { +@@ -179,13 +177,12 @@ static int pkey_rsa_sign(EVP_PKEY_CTX *c + ret = RSA_private_encrypt(tbslen + 1, rctx->tbuf, + sig, rsa, RSA_X931_PADDING); + } else if (rctx->pad_mode == RSA_PKCS1_PADDING) { +- /* PKCS1-v1.5 padding is disallowed after 2023 */ +- fips_sli_disapprove_EVP_PKEY_CTX(ctx); + unsigned int sltmp; + ret = RSA_sign(EVP_MD_type(rctx->md), + tbs, tbslen, sig, &sltmp, rsa); + if (ret <= 0) + return ret; ++ fips_sli_check_hash_siggen_EVP_PKEY_CTX(ctx, rctx->md); + ret = sltmp; + } else if (rctx->pad_mode == RSA_PKCS1_PSS_PADDING) { + if (!setup_tbuf(rctx, ctx)) +@@ -290,10 +287,13 @@ static int pkey_rsa_verify(EVP_PKEY_CTX + + if (rctx->md) { + if (rctx->pad_mode == RSA_PKCS1_PADDING) { +- /* PKCS1-v1.5 padding is disallowed after 2023 */ +- fips_sli_disapprove_EVP_PKEY_CTX(ctx); +- return RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, +- sig, siglen, rsa); ++ int ret; ++ ret = RSA_verify(EVP_MD_type(rctx->md), tbs, tbslen, ++ sig, siglen, rsa); ++ if (ret <= 0) ++ return 0; ++ fips_sli_check_hash_sigver_EVP_PKEY_CTX(ctx, rctx->md); ++ return ret; + } + if (tbslen != (size_t)EVP_MD_size(rctx->md)) { + RSAerr(RSA_F_PKEY_RSA_VERIFY, RSA_R_INVALID_DIGEST_LENGTH); diff --git a/openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch b/openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch new file mode 100644 index 0000000..409b39b --- /dev/null +++ b/openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch @@ -0,0 +1,14 @@ +Index: openssl-1.1.1l/crypto/kdf/pbkdf2.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/kdf/pbkdf2.c ++++ openssl-1.1.1l/crypto/kdf/pbkdf2.c +@@ -185,7 +185,8 @@ static int kdf_pbkdf2_derive(EVP_KDF_IMP + } + + fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); +- ++ fips_sli_fsm_struct_evp_kdf_impl_st(impl, ++ fips_sli_get_kdf_keylen_status(keylen)); + return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len, + impl->salt, impl->salt_len, impl->iter, + impl->md, key, keylen); diff --git a/openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch b/openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch new file mode 100644 index 0000000..07216f6 --- /dev/null +++ b/openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch @@ -0,0 +1,136 @@ +--- + crypto/fips/fips_sli.c | 21 +++++++++++++++++++ + crypto/kdf/pbkdf2.c | 6 +++++ + include/internal/fips_sli_local.h | 3 ++ + test/fips_slitest.c | 41 ++++++++++++++++++++++---------------- + 4 files changed, 54 insertions(+), 17 deletions(-) + +--- a/crypto/fips/fips_sli.c ++++ b/crypto/fips/fips_sli.c +@@ -231,6 +231,27 @@ FIPS_STATUS fips_sli_get_kdf_keylen_stat + return FIPS_NONAPPROVED; + } + ++FIPS_STATUS fips_sli_get_kdf_saltlen_status(size_t saltlen_bytes) { ++ if (saltlen_bytes >= 128/8) ++ return FIPS_APPROVED; ++ else ++ return FIPS_NONAPPROVED; ++} ++ ++FIPS_STATUS fips_sli_get_kdf_iteration_status(size_t iter) { ++ if (iter >= 1000) ++ return FIPS_APPROVED; ++ else ++ return FIPS_NONAPPROVED; ++} ++ ++FIPS_STATUS fips_sli_get_kdf_passlen_status(size_t passlen_bytes) { ++ if (passlen_bytes >= 20) ++ return FIPS_APPROVED; ++ else ++ return FIPS_NONAPPROVED; ++} ++ + void fips_sli_check_key_rsa_keygen_EVP_PKEY_CTX(EVP_PKEY_CTX * ctx, const RSA * rsa) { + fips_sli_check_key_rsa_siggen_EVP_PKEY_CTX(ctx, rsa); + } +--- a/crypto/kdf/pbkdf2.c ++++ b/crypto/kdf/pbkdf2.c +@@ -187,6 +187,12 @@ static int kdf_pbkdf2_derive(EVP_KDF_IMP + fips_sli_check_hash_kdf_struct_evp_kdf_impl_st(impl); + fips_sli_fsm_struct_evp_kdf_impl_st(impl, + fips_sli_get_kdf_keylen_status(keylen)); ++ fips_sli_fsm_struct_evp_kdf_impl_st(impl, ++ fips_sli_get_kdf_saltlen_status(impl->salt_len)); ++ fips_sli_fsm_struct_evp_kdf_impl_st(impl, ++ fips_sli_get_kdf_iteration_status(impl->iter)); ++ fips_sli_fsm_struct_evp_kdf_impl_st(impl, ++ fips_sli_get_kdf_passlen_status(impl->pass_len)); + return pkcs5_pbkdf2_alg((char *)impl->pass, impl->pass_len, + impl->salt, impl->salt_len, impl->iter, + impl->md, key, keylen); +--- a/include/internal/fips_sli_local.h ++++ b/include/internal/fips_sli_local.h +@@ -70,6 +70,9 @@ FIPS_STATUS fips_sli_get_hash_status_ssh + FIPS_STATUS fips_sli_get_hash_status_pbkdf2(const EVP_MD * md); + FIPS_STATUS fips_sli_get_hash_status_kdf_tls1_prf(const EVP_MD * md); + FIPS_STATUS fips_sli_get_kdf_keylen_status(size_t keylen_bytes); ++FIPS_STATUS fips_sli_get_kdf_saltlen_status(size_t saltlen_bytes); ++FIPS_STATUS fips_sli_get_kdf_iteration_status(size_t iter); ++FIPS_STATUS fips_sli_get_kdf_passlen_status(size_t passlen_bytes); + + /* Check if used curve is okay for and in this context */ + void fips_sli_check_curve_siggen_EVP_PKEY_CTX(EVP_PKEY_CTX *ctx, const EC_GROUP *group); +--- a/test/fips_slitest.c ++++ b/test/fips_slitest.c +@@ -490,36 +490,41 @@ typedef struct { + int nid_digest; + const uint8_t key_expected[32]; // length has to be 32 + } SLI_PBKDF2_TEST; +- + static const SLI_PBKDF2_TEST pbkdf2_tests[] = { + { +- 1, 4200, NID_sha256, { +- 0xE7, 0xBE, 0x37, 0x75, 0x9D, 0x53, 0x3E, 0x5A, 0x06, 0x20, 0xC9, 0xA5, 0x3A, 0x8D, 0xA2, 0x9E, +- 0x9C, 0x27, 0xDF, 0x26, 0x24, 0xAB, 0xD8, 0x8E, 0x56, 0xE5, 0xB9, 0xF5, 0xA0, 0xD6, 0xD5, 0xEE ++ 1, 4096, NID_sha1, { ++ 0x3D, 0x2E, 0xEC, 0x4F, 0xE4, 0x1C, 0x84, 0x9B, 0x80, 0xC8, 0xD8, 0x36, 0x62, 0xC0, 0xE4, 0x4A, ++ 0x8B, 0x29, 0x1A, 0x96, 0x4C, 0xF2, 0xF0, 0x70, 0x38, 0xB6, 0xB8, 0x9A, 0x48, 0x61, 0x2C, 0x5A ++ } ++ }, ++ { ++ 1, 4096, NID_sha256, { ++ 0x34, 0x8C, 0x89, 0xDB, 0xCB, 0xD3, 0x2B, 0x2F, 0x32, 0xD8, 0x14, 0xB8, 0x11, 0x6E, 0x84, 0xCF, ++ 0x2B, 0x17, 0x34, 0x7E, 0xBC, 0x18, 0x00, 0x18, 0x1C, 0x4E, 0x2A, 0x1F, 0xB8, 0xDD, 0x53, 0xE1 + } + }, + { + 1, 1347, NID_sha256, { +- 0xFB, 0xBB, 0xEC, 0x28, 0x5B, 0x48, 0xE7, 0xC2, 0x54, 0x4E, 0x65, 0x0F, 0x1E, 0xC8, 0xB5, 0x1C, +- 0xF5, 0xAD, 0xAE, 0x2A, 0x21, 0x56, 0x94, 0xD2, 0xE1, 0xB7, 0xC8, 0x7D, 0x7A, 0x0D, 0x63, 0x86 ++ 0xD5, 0x99, 0x16, 0xFF, 0x8A, 0xBC, 0x26, 0x37, 0xAF, 0x4B, 0x26, 0xF1, 0x7E, 0x56, 0x8B, 0x7A, ++ 0x00, 0x16, 0xA9, 0xF2, 0x7D, 0x96, 0xDB, 0x33, 0x0A, 0xD0, 0x5F, 0xC3, 0x0C, 0x22, 0xA2, 0xD0 + } + }, + { +- 1, 4200, NID_sha1, { +- 0x45, 0x96, 0x78, 0xF3, 0x92, 0x74, 0xAC, 0x5B, 0x1F, 0x2B, 0xD3, 0x75, 0x1A, 0xBA, 0x5D, 0xBE, +- 0xF2, 0xDE, 0xE9, 0x88, 0x16, 0x4B, 0x0B, 0x84, 0x94, 0xD9, 0xC2, 0x2D, 0xC1, 0xB9, 0xB0, 0x8A ++ 1, 4096, NID_sha512, { ++ 0x8C, 0x05, 0x11, 0xF4, 0xC6, 0xE5, 0x97, 0xC6, 0xAC, 0x63, 0x15, 0xD8, 0xF0, 0x36, 0x2E, 0x22, ++ 0x5F, 0x3C, 0x50, 0x14, 0x95, 0xBA, 0x23, 0xB8, 0x68, 0xC0, 0x05, 0x17, 0x4D, 0xC4, 0xEE, 0x71 + } + }, + { +- 1, 4200, NID_sha3_512, { +- 0x1E, 0x77, 0xC8, 0x28, 0x9A, 0x79, 0x2E, 0x25, 0x85, 0x8D, 0x73, 0xB3, 0x0D, 0xA1, 0x26, 0x65, +- 0xC0, 0x04, 0x7D, 0x91, 0xB6, 0x5F, 0x89, 0x5E, 0x01, 0x82, 0x23, 0x35, 0x19, 0x2E, 0x5C, 0x09 ++ 1, 4096, NID_sha3_512, { ++ 0xD6, 0x07, 0x91, 0xA4, 0xED, 0x27, 0x19, 0x5D, 0x81, 0x3F, 0x35, 0x51, 0x03, 0x51, 0xB9, 0xD1, ++ 0xFF, 0x9A, 0xD4, 0x26, 0x21, 0x53, 0x94, 0x46, 0x09, 0x50, 0xA4, 0xFE, 0x03, 0xDD, 0x9F, 0x54 + } + }, + { +- 0, 1347, NID_md5, { +- 0xC2, 0x78, 0x16, 0xDC, 0xD1, 0xC5, 0x71, 0xBD, 0x4A, 0x06, 0x2B, 0x38, 0x50, 0xE7, 0x4E, 0xC2, +- 0x0E, 0x74, 0x9D, 0xB1, 0x59, 0xA8, 0xFF, 0x11, 0x24, 0x68, 0xD0, 0xCF, 0x69, 0xE5, 0x30, 0x36 ++ 0, 4096, NID_md5, { ++ 0x8D, 0x5D, 0x0A, 0xAD, 0x94, 0xD1, 0x44, 0x20, 0x42, 0x9F, 0xBC, 0x7E, 0x5B, 0x08, 0x7D, 0x7A, ++ 0x55, 0x27, 0xE6, 0x5D, 0xFD, 0x0D, 0x48, 0x6A, 0x31, 0x0E, 0x8A, 0x7B, 0x6F, 0xF5, 0xA2, 0x1B + } + } + }; +@@ -527,8 +532,10 @@ static const size_t pbkdf2_tests_len = s + + static int test_PKCS5_PBKDF2_HMAC(int pbkdf2_tests_idx) { + int success = 0; +- const char password[] = "password"; +- const unsigned char salt[] = {'s', 'a', 'l', 't'}; ++ const char password[] = "passwordPASSWORDpassword"; ++ const unsigned char salt[] = {'s', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', ++ 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', 's', 'a', 'l', 't', 'S', 'A', 'L', 'T', ++ 's', 'a', 'l', 't'}; + const size_t password_len = sizeof(password) / sizeof(password[0]); + const size_t salt_len = sizeof(salt) / sizeof(salt[0]); + diff --git a/openssl-1_1-serialize-jitterentropy-calls.patch b/openssl-1_1-serialize-jitterentropy-calls.patch new file mode 100644 index 0000000..367554f --- /dev/null +++ b/openssl-1_1-serialize-jitterentropy-calls.patch @@ -0,0 +1,80 @@ +--- + crypto/fips/fips_entropy.c | 40 ++++++++++++++++++++++++++++++++++++++-- + 1 file changed, 38 insertions(+), 2 deletions(-) + +--- a/crypto/fips/fips_entropy.c ++++ b/crypto/fips/fips_entropy.c +@@ -4,35 +4,71 @@ + #include "jitterentropy.h" + + static struct rand_data* ec = NULL; ++static CRYPTO_RWLOCK *jent_lock = NULL; ++static int stop = 0; + + struct rand_data* FIPS_entropy_init(void) + { +- if (ec != NULL) ++ if (ec != NULL) { + /* Entropy source has been initiated and collector allocated */ + return ec; ++ } ++ if (stop != 0) { ++ /* FIPS_entropy_cleanup() already called, don't initialize it again */ ++ return NULL; ++ } ++ if (jent_lock == NULL) { ++ /* Allocates a new lock to serialize access to jent library */ ++ jent_lock = CRYPTO_THREAD_lock_new(); ++ if (jent_lock == NULL) { ++ return NULL; ++ } ++ } ++ if (CRYPTO_THREAD_write_lock(jent_lock) == 0) { ++ return NULL; ++ } + /* If the initialization is successful, the call returns with 0 */ + if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0) + /* Allocate entropy collector */ + ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS); ++ CRYPTO_THREAD_unlock(jent_lock); + return ec; + } + + void FIPS_entropy_cleanup(void) + { ++ if (jent_lock != NULL && stop == 0) { ++ CRYPTO_THREAD_write_lock(jent_lock); ++ } ++ /* Disable re-initialization in FIPS_entropy_init() */ ++ stop = 1; + /* Free entropy collector */ + if (ec != NULL) { + jent_entropy_collector_free(ec); + ec = NULL; + } ++ CRYPTO_THREAD_lock_free(jent_lock); ++ jent_lock = NULL; + } + + ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen) + { + ssize_t ent_bytes = -1; + +- if (buf != NULL && buflen != 0 && FIPS_entropy_init()) { ++ /* ++ * Order is important. We need to call FIPS_entropy_init() before we ++ * acquire jent_lock, otherwise it can lead to deadlock. Once we have ++ * jent_lock, we need to ensure that FIPS_entropy_cleanup() was not called ++ * in the meantime. Then it's safe to read entropy. ++ */ ++ if (buf != NULL ++ && buflen != 0 ++ && FIPS_entropy_init() ++ && CRYPTO_THREAD_write_lock(jent_lock) != 0 ++ && stop == 0) { + /* Get entropy */ + ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen); ++ CRYPTO_THREAD_unlock(jent_lock); + } + return ent_bytes; + } diff --git a/openssl-1_1-shortcut-test_afalg_aes_cbc.patch b/openssl-1_1-shortcut-test_afalg_aes_cbc.patch new file mode 100644 index 0000000..cf62f44 --- /dev/null +++ b/openssl-1_1-shortcut-test_afalg_aes_cbc.patch @@ -0,0 +1,14 @@ +diff --git a/test/afalgtest.c b/test/afalgtest.c +index adb2977..c4f848a 100644 +--- a/test/afalgtest.c ++++ b/test/afalgtest.c +@@ -43,6 +43,9 @@ static ENGINE *e; + + static int test_afalg_aes_cbc(int keysize_idx) + { ++ /* This test fails in fips mode, so just shortcut out. */ ++ if ( FIPS_mode()) return 1; ++ + EVP_CIPHER_CTX *ctx; + const EVP_CIPHER *cipher; + unsigned char key[] = "\x06\xa9\x21\x40\x36\xb8\xa1\x5b" diff --git a/openssl-1_1.changes b/openssl-1_1.changes index 0d6c6ba..0627937 100644 --- a/openssl-1_1.changes +++ b/openssl-1_1.changes @@ -1,3 +1,71 @@ +------------------------------------------------------------------- +Tue Sep 12 05:09:28 UTC 2023 - Otto Hollmann + +- Update to 1.1.1w: + * Fix POLY1305 MAC implementation corrupting XMM registers on Windows. + + The POLY1305 MAC (message authentication code) implementation in OpenSSL + does not save the contents of non-volatile XMM registers on Windows 64 + platform when calculating the MAC of data larger than 64 bytes. Before + returning to the caller all the XMM registers are set to zero rather than + restoring their previous content. The vulnerable code is used only on newer + x86_64 processors supporting the AVX512-IFMA instructions. + + The consequences of this kind of internal application state corruption can + be various - from no consequences, if the calling application does not + depend on the contents of non-volatile XMM registers at all, to the worst + consequences, where the attacker could get complete control of the + application process. However given the contents of the registers are just + zeroized so the attacker cannot put arbitrary values inside, the most likely + consequence, if any, would be an incorrect result of some application + dependent calculations or a crash leading to a denial of service. + + (CVE-2023-4807) + +------------------------------------------------------------------- +Tue Aug 8 10:34:14 UTC 2023 - Otto Hollmann + +- Add missing FIPS patches from SLE: + * Add patches: + - bsc1185319-FIPS-KAT-for-ECDSA.patch + - bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch + - openssl-1.1.1-fips-fix-memory-leaks.patch + - openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch + - openssl-1_1-FIPS_drbg-rewire.patch + - openssl-1_1-Zeroization.patch + - openssl-1_1-fips-drbg-selftest.patch + - openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch + - openssl-1_1-jitterentropy-3.4.0.patch + - openssl-1_1-ossl-sli-000-fix-build-error.patch + - openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch + - openssl-1_1-ossl-sli-002-ran-make-update.patch + - openssl-1_1-ossl-sli-003-add-sli.patch + - openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch + - openssl-1_1-ossl-sli-005-EC_group_order_bits.patch + - openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch + - openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch + - openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch + - openssl-1_1-serialize-jitterentropy-calls.patch + - openssl-1_1-shortcut-test_afalg_aes_cbc.patch + - openssl-DH.patch + - openssl-FIPS-KAT-before-integrity-tests.patch + - openssl-fips-DH_selftest_shared_secret_KAT.patch + - openssl-fips-kdf-hkdf-selftest.patch + - openssl-kdf-selftest.patch + - openssl-kdf-ssh-selftest.patch + - openssl-kdf-tls-selftest.patch + - openssl-no-date.patch + - openssl-s_client-check-ocsp-status.patch + * Modify patches: + - openssl-1.1.1-fips.patch + - openssl-1_1-FIPS-fix-error-reason-codes.patch + * Remove patches: + - openssl-add_rfc3526_rfc7919.patch + - openssl-fips-dont_run_FIPS_module_installed.patch + - openssl-fips_fix_selftests_return_value.patch + * Add build and runtime dependency on jitterentropy +- Pass over with spec-cleaner + ------------------------------------------------------------------- Tue Aug 1 16:12:36 UTC 2023 - Pedro Monreal diff --git a/openssl-1_1.spec b/openssl-1_1.spec index 5a44979..842a9f4 100644 --- a/openssl-1_1.spec +++ b/openssl-1_1.spec @@ -16,11 +16,13 @@ # +%define ssletcdir %{_sysconfdir}/ssl +%define maj_min 1.1 +%define _rname openssl %if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 # Enable livepatching support for SLE15-SP4 onwards. It requires # compiler support introduced there. %define livepatchable 1 - # Set variables for livepatching. %define _other %{_topdir}/OTHER %define tar_basename %{_rname}-livepatch-%{version}-%{release} @@ -30,18 +32,13 @@ # Unsupported operating system. %define livepatchable 0 %endif - %ifnarch x86_64 # Unsupported architectures must have livepatch disabled. %define livepatchable 0 %endif - -%define ssletcdir %{_sysconfdir}/ssl -%define maj_min 1.1 -%define _rname openssl Name: openssl-1_1 # Don't forget to update the version in the "openssl" meta-package! -Version: 1.1.1v +Version: 1.1.1w Release: 0 Summary: Secure Sockets and Transport Layer Security License: OpenSSL @@ -63,6 +60,7 @@ Patch3: openssl-pkgconfig.patch Patch4: openssl-DEFAULT_SUSE_cipher.patch Patch5: openssl-ppc64-config.patch Patch6: openssl-riscv64-config.patch +Patch7: openssl-no-date.patch # PATCH-FIX-UPSTREAM jsc#SLE-6126 and jsc#SLE-6129 Patch8: 0001-s390x-assembly-pack-perlasm-support.patch Patch9: 0002-crypto-chacha-asm-chacha-s390x.pl-add-vx-code-path.patch @@ -94,57 +92,103 @@ Patch35: openssl-ship_fips_standalone_hmac.patch Patch36: openssl-fips_mode.patch Patch37: openssl-1.1.1-evp-kdf.patch Patch38: openssl-1.1.1-ssh-kdf.patch -Patch39: openssl-fips-dont_run_FIPS_module_installed.patch Patch40: openssl-fips-selftests_in_nonfips_mode.patch Patch41: openssl-fips-clearerror.patch Patch42: openssl-fips-ignore_broken_atexit_test.patch Patch43: openssl-keep_EVP_KDF_functions_version.patch -Patch44: openssl-fips_fix_selftests_return_value.patch Patch45: openssl-fips-add-SHA3-selftest.patch Patch46: openssl-fips_selftest_upstream_drbg.patch Patch47: openssl-unknown_dgst.patch # PATCH-FIX-UPSTREAM jsc#SLE-7403 Support for CPACF enhancements - part 2 (crypto) Patch50: openssl-s390x-assembly-pack-accelerate-X25519-X448-Ed25519-and-Ed448.patch Patch51: openssl-s390x-fix-x448-and-x448-test-vector-ctime-for-x25519-and-x448.patch -Patch52: openssl-1.1.1-system-cipherlist.patch +# PATCH-FIX-UPSTREAM bsc#1175844 FIPS: (EC)Diffie-Hellman requirements +# from SP800-56Arev3 SLE-15-SP2 +Patch52: openssl-DH.patch +Patch53: openssl-kdf-selftest.patch +Patch54: openssl-kdf-tls-selftest.patch +Patch55: openssl-kdf-ssh-selftest.patch +Patch56: openssl-fips-DH_selftest_shared_secret_KAT.patch +# PATCH-FIX-UPSTREAM bsc#1192442 FIPS: missing KAT for HKDF/TLS 1.3/IPSEC IKEv2 +Patch57: openssl-fips-kdf-hkdf-selftest.patch +Patch58: openssl-1.1.1-system-cipherlist.patch # PATCH-FIX-OPENSUSE jsc#SLE-15832 Centralized Crypto Compliance Configuration -Patch53: openssl-1_1-seclevel.patch -Patch54: openssl-1_1-use-seclevel2-in-tests.patch -Patch55: openssl-1_1-disable-test_srp-sslapi.patch -Patch56: openssl-add_rfc3526_rfc7919.patch -Patch57: openssl-1_1-use-include-directive.patch -#PATCH-FIX-UPSTREAM jsc#SLE-18136 POWER10 performance enhancements for cryptography +Patch59: openssl-1_1-seclevel.patch +Patch60: openssl-1_1-use-seclevel2-in-tests.patch +Patch61: openssl-1_1-disable-test_srp-sslapi.patch +# PATCH-FIX-UPSTREAM jsc#SLE-18136 POWER10 performance enhancements for cryptography Patch69: openssl-1_1-Optimize-ppc64.patch -#PATCH-FIX-UPSTREAM jsc#SLE-19742 Backport Arm improvements from OpenSSL 3 +# PATCH-FIX-UPSTREAM jsc#SLE-19742 Backport Arm improvements from OpenSSL 3 Patch70: openssl-1_1-Optimize-RSA-armv8.patch Patch71: openssl-1_1-Optimize-AES-XTS-aarch64.patch Patch72: openssl-1_1-Optimize-AES-GCM-uarchs.patch -#PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes -Patch73: openssl-1_1-FIPS-fix-error-reason-codes.patch -#PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode -Patch74: openssl-1_1-paramgen-default_to_rfc7919.patch +# PATCH-FIX-SUSE bsc#1185320 FIPS: move the HMAC-SHA2-256 used for integrity test +Patch73: openssl-FIPS-KAT-before-integrity-tests.patch +# PATCH-FIX-SUSE bsc#1182959 FIPS: Fix function and reason error codes +Patch74: openssl-1_1-FIPS-fix-error-reason-codes.patch +# PATCH-FIX-SUSE bsc#1180995 Default to RFC7919 groups in FIPS mode +Patch75: openssl-1_1-paramgen-default_to_rfc7919.patch +# PATCH-FIX-SUSE bsc#1194187 bsc#1004463 Add engines section in openssl.cnf +Patch76: openssl-1_1-use-include-directive.patch +# PATCH-FIX-SUSE bsc#1197280 FIPS: Additional PBKDF2 requirements for KAT +Patch77: openssl-1_1-FIPS-PBKDF2-KAT-requirements.patch +Patch78: bsc1185319-FIPS-KAT-for-ECDSA.patch +Patch79: bsc1198207-FIPS-add-hash_hmac-drbg-kat.patch +Patch81: openssl-1_1-shortcut-test_afalg_aes_cbc.patch +# PATCH-FIX-SUSE bsc#1190653 FIPS: Provide methods to zeroize all unprotected SSPs and key components +Patch84: openssl-1_1-Zeroization.patch +# PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator +Patch85: openssl-1_1-ossl-sli-000-fix-build-error.patch +Patch86: openssl-1_1-ossl-sli-001-fix-faults-preventing-make-update.patch +Patch87: openssl-1_1-ossl-sli-002-ran-make-update.patch +Patch88: openssl-1_1-ossl-sli-003-add-sli.patch +# PATCH-FIX-SUSE bsc#1202148 FIPS: Port openssl to use jitterentropy +Patch89: openssl-1_1-jitterentropy-3.4.0.patch +# PATCH-FIX-SUSE bsc#1203046 FIPS: Fix memory leak when FIPS mode is enabled +Patch90: openssl-1.1.1-fips-fix-memory-leaks.patch +# PATCH-FIX-FEDORA bsc#1201293 FIPS: RAND api should call into FIPS DRBG +Patch91: openssl-1_1-FIPS_drbg-rewire.patch +# PATCH-FIX-FEDORA bsc#1203069 FIPS: Add KAT for the RAND_DRBG implementation +Patch92: openssl-1_1-fips-drbg-selftest.patch +# PATCH-FIX-SUSE bsc#1121365, bsc#1190888, bsc#1193859, bsc#1198471, bsc#1198472 +# FIPS: List only approved digest and pubkey algorithms +Patch93: openssl-1_1-fips-list-only-approved-digest-and-pubkey-algorithms.patch +# PATCH-FIX-SUSE bsc#1190651 FIPS: Provide a service-level indicator +Patch94: openssl-1_1-ossl-sli-004-allow-aes-xts-256.patch +Patch95: openssl-1_1-ossl-sli-005-EC_group_order_bits.patch +Patch96: openssl-1_1-ossl-sli-006-rsa_pkcs1_padding.patch +Patch97: openssl-1_1-ossl-sli-007-pbkdf2-keylen.patch # PATCH-FIX-UPSTREAM jsc#PED-512 # POWER10 performance enhancements for cryptography -Patch75: openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch -Patch76: openssl-1_1-Fixed-counter-overflow.patch -Patch77: openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch -Patch78: openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch -Patch79: openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch -#PATCH-FIX-OPENSUSE bsc#1205042 Set OpenSSL 3.0 as the default openssl -Patch80: openssl-1_1-openssl-config.patch +Patch98: openssl-1_1-AES-GCM-performance-optimzation-with-stitched-method.patch +Patch99: openssl-1_1-Fixed-counter-overflow.patch +Patch100: openssl-1_1-chacha20-performance-optimizations-for-ppc64le-with-.patch +Patch101: openssl-1_1-Fixed-conditional-statement-testing-64-and-256-bytes.patch +Patch102: openssl-1_1-Fix-AES-GCM-on-Power-8-CPUs.patch +# PATCH-FIX-OPENSUSE bsc#1205042 Set OpenSSL 3.0 as the default openssl +Patch103: openssl-1_1-openssl-config.patch +# PATCH-FIX-SUSE bsc#1207994 FIPS Make jitterentropy calls thread-safe +Patch104: openssl-1_1-serialize-jitterentropy-calls.patch +# PATCH-FIX-SUSE bsc#1208998 FIPS: PBKDF2 requirements for openssl +Patch105: openssl-1_1-ossl-sli-008-pbkdf2-salt_pass_iteration.patch +# PATCH-FIX-SUSE bsc#1212623 openssl s_client does not honor ocsp revocation status +Patch106: openssl-s_client-check-ocsp-status.patch # PATCH-FIX-SUSE bsc#1213517 Dont pass zero length input to EVP_Cipher -Patch81: openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch +Patch107: openssl-dont-pass-zero-length-input-to-EVP_Cipher.patch + +BuildRequires: jitterentropy-devel >= 3.4.0 BuildRequires: pkgconfig BuildRequires: pkgconfig(zlib) +Requires: libjitterentropy3 >= 3.4.0 Provides: ssl Requires: libopenssl1_1 = %{version}-%{release} -%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 -Requires: crypto-policies -%endif # Needed for clean upgrade path, boo#1070003 Obsoletes: openssl-1_0_0 # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: openssl-1_1_0 +%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 +Requires: crypto-policies +%endif %description OpenSSL is a software library to be used in applications that need to @@ -155,12 +199,12 @@ OpenSSL contains an implementation of the SSL and TLS protocols. %package -n libopenssl1_1 Summary: Secure Sockets and Transport Layer Security Group: Productivity/Networking/Security -%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 -Requires: crypto-policies -%endif Recommends: ca-certificates-mozilla # Needed for clean upgrade from former openssl-1_1_0, boo#1081335 Obsoletes: libopenssl1_1_0 +%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1550 +Requires: crypto-policies +%endif Conflicts: %{name} < %{version}-%{release} # Merge back the hmac files bsc#1185116 Provides: libopenssl1_1-hmac = %{version}-%{release} @@ -179,6 +223,7 @@ OpenSSL contains an implementation of the SSL and TLS protocols. %package -n libopenssl-1_1-devel Summary: Development files for OpenSSL Group: Development/Libraries/C and C++ +Requires: jitterentropy-devel >= 3.4.0 Requires: libopenssl1_1 = %{version} Requires: pkgconfig(zlib) Recommends: %{name} = %{version} @@ -250,21 +295,40 @@ export MACHINE=armv6l perl configdata.pm --dump util/mkdef.pl crypto update -make depend %{?_smp_mflags} -make all %{?_smp_mflags} +%make_build depend +%make_build all %check export MALLOC_CHECK_=3 export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) -#export HARNESS_VERBOSE=1 -#export OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH=`pwd` make test -j1 +# Create the hmac files required to run the regression tests in FIPS mode +#%{buildroot}%{_bindir}/fips_standalone_hmac \ +# libssl.so.%{maj_min} > .libssl.so.%{maj_min}.hmac +#%{buildroot}%{_bindir}/fips_standalone_hmac \ +# libcrypto.so.%{maj_min} > .libcrypto.so.%{maj_min}.hmac +#OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH=`pwd` make TESTS='-test_pem \ +# -test_hmac -test_mdc2 -test_dh -test_dsa -test_genrsa \ +# -test_mp_rsa -test_enc -test_enc_more -test_passwd -test_req \ +# -test_verify -test_evp -test_evp_extra -test_pkey_meth_kdf \ +# -test_bad_dtls -test_comp -test_key_share -test_renegotiation \ +# -test_sslcbcpadding -test_sslcertstatus -test_sslextension \ +# -test_sslmessages -test_sslrecords -test_sslsessiontick \ +# -test_sslsigalgs -test_sslsignature -test_sslskewith0p \ +# -test_sslversions -test_sslvertol -test_tls13alerts \ +# -test_tls13cookie -test_tls13downgrade -test_tls13hrr \ +# -test_tls13kexmodes -test_tls13messages -test_tls13psk \ +# -test_tlsextms -test_ca -test_cipherlist -test_cms \ +# -test_dtls_mtu -test_ssl_new -test_ssl_old -test_bio_enc \ +# -test_sslapi -test_tls13ccs -test_ec' test -j1 + # show ciphers gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers %install + %if %{livepatchable} # Ipa-clones are files generated by gcc which logs changes made across diff --git a/openssl-DH.patch b/openssl-DH.patch new file mode 100644 index 0000000..173d1bf --- /dev/null +++ b/openssl-DH.patch @@ -0,0 +1,3294 @@ +Index: openssl-1.1.1m/crypto/bn/bn_const.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/bn/bn_const.c ++++ openssl-1.1.1m/crypto/bn/bn_const.c +@@ -8,6 +8,10 @@ + */ + + #include ++#include "crypto/bn_dh.h" ++ ++#define COPY_BN(dst, src) (dst != NULL) ? BN_copy(dst, &src) : BN_dup(&src) ++ + + /*- + * "First Oakley Default Group" from RFC2409, section 6.1. +@@ -80,33 +84,7 @@ BIGNUM *BN_get_rfc2409_prime_1024(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_1536[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x23, 0x73, 0x27, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_1536, sizeof(RFC3526_PRIME_1536), bn); ++ return COPY_BN(bn, _bignum_modp_1536_p); + } + + /*- +@@ -119,41 +97,7 @@ BIGNUM *BN_get_rfc3526_prime_1536(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_2048[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAC, 0xAA, 0x68, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_2048, sizeof(RFC3526_PRIME_2048), bn); ++ return COPY_BN(bn, _bignum_modp_2048_p); + } + + /*- +@@ -166,57 +110,7 @@ BIGNUM *BN_get_rfc3526_prime_2048(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_3072[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x3A, 0xD2, 0xCA, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_3072, sizeof(RFC3526_PRIME_3072), bn); ++ return COPY_BN(bn, _bignum_modp_3072_p); + } + + /*- +@@ -229,73 +123,7 @@ BIGNUM *BN_get_rfc3526_prime_3072(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_4096[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, +- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, +- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, +- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, +- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, +- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, +- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, +- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, +- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, +- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, +- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, +- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, +- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, +- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, +- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, +- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, +- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x06, 0x31, 0x99, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_4096, sizeof(RFC3526_PRIME_4096), bn); ++ return COPY_BN(bn, _bignum_modp_4096_p); + } + + /*- +@@ -308,105 +136,7 @@ BIGNUM *BN_get_rfc3526_prime_4096(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_6144[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, +- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, +- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, +- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, +- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, +- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, +- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, +- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, +- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, +- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, +- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, +- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, +- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, +- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, +- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, +- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, +- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, +- 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, +- 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE, +- 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, +- 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, +- 0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE, +- 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, +- 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, +- 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED, +- 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, +- 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, +- 0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42, +- 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF, +- 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, +- 0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03, +- 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, +- 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, +- 0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E, +- 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, +- 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, +- 0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5, +- 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, +- 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, +- 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0, +- 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, +- 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, +- 0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0, +- 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, +- 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, +- 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68, +- 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, +- 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, +- 0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xCC, 0x40, 0x24, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_6144, sizeof(RFC3526_PRIME_6144), bn); ++ return COPY_BN(bn, _bignum_modp_6144_p); + } + + /*- +@@ -419,135 +149,5 @@ BIGNUM *BN_get_rfc3526_prime_6144(BIGNUM + + BIGNUM *BN_get_rfc3526_prime_8192(BIGNUM *bn) + { +- static const unsigned char RFC3526_PRIME_8192[] = { +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xC9, 0x0F, 0xDA, 0xA2, 0x21, 0x68, 0xC2, 0x34, +- 0xC4, 0xC6, 0x62, 0x8B, 0x80, 0xDC, 0x1C, 0xD1, +- 0x29, 0x02, 0x4E, 0x08, 0x8A, 0x67, 0xCC, 0x74, +- 0x02, 0x0B, 0xBE, 0xA6, 0x3B, 0x13, 0x9B, 0x22, +- 0x51, 0x4A, 0x08, 0x79, 0x8E, 0x34, 0x04, 0xDD, +- 0xEF, 0x95, 0x19, 0xB3, 0xCD, 0x3A, 0x43, 0x1B, +- 0x30, 0x2B, 0x0A, 0x6D, 0xF2, 0x5F, 0x14, 0x37, +- 0x4F, 0xE1, 0x35, 0x6D, 0x6D, 0x51, 0xC2, 0x45, +- 0xE4, 0x85, 0xB5, 0x76, 0x62, 0x5E, 0x7E, 0xC6, +- 0xF4, 0x4C, 0x42, 0xE9, 0xA6, 0x37, 0xED, 0x6B, +- 0x0B, 0xFF, 0x5C, 0xB6, 0xF4, 0x06, 0xB7, 0xED, +- 0xEE, 0x38, 0x6B, 0xFB, 0x5A, 0x89, 0x9F, 0xA5, +- 0xAE, 0x9F, 0x24, 0x11, 0x7C, 0x4B, 0x1F, 0xE6, +- 0x49, 0x28, 0x66, 0x51, 0xEC, 0xE4, 0x5B, 0x3D, +- 0xC2, 0x00, 0x7C, 0xB8, 0xA1, 0x63, 0xBF, 0x05, +- 0x98, 0xDA, 0x48, 0x36, 0x1C, 0x55, 0xD3, 0x9A, +- 0x69, 0x16, 0x3F, 0xA8, 0xFD, 0x24, 0xCF, 0x5F, +- 0x83, 0x65, 0x5D, 0x23, 0xDC, 0xA3, 0xAD, 0x96, +- 0x1C, 0x62, 0xF3, 0x56, 0x20, 0x85, 0x52, 0xBB, +- 0x9E, 0xD5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6D, +- 0x67, 0x0C, 0x35, 0x4E, 0x4A, 0xBC, 0x98, 0x04, +- 0xF1, 0x74, 0x6C, 0x08, 0xCA, 0x18, 0x21, 0x7C, +- 0x32, 0x90, 0x5E, 0x46, 0x2E, 0x36, 0xCE, 0x3B, +- 0xE3, 0x9E, 0x77, 0x2C, 0x18, 0x0E, 0x86, 0x03, +- 0x9B, 0x27, 0x83, 0xA2, 0xEC, 0x07, 0xA2, 0x8F, +- 0xB5, 0xC5, 0x5D, 0xF0, 0x6F, 0x4C, 0x52, 0xC9, +- 0xDE, 0x2B, 0xCB, 0xF6, 0x95, 0x58, 0x17, 0x18, +- 0x39, 0x95, 0x49, 0x7C, 0xEA, 0x95, 0x6A, 0xE5, +- 0x15, 0xD2, 0x26, 0x18, 0x98, 0xFA, 0x05, 0x10, +- 0x15, 0x72, 0x8E, 0x5A, 0x8A, 0xAA, 0xC4, 0x2D, +- 0xAD, 0x33, 0x17, 0x0D, 0x04, 0x50, 0x7A, 0x33, +- 0xA8, 0x55, 0x21, 0xAB, 0xDF, 0x1C, 0xBA, 0x64, +- 0xEC, 0xFB, 0x85, 0x04, 0x58, 0xDB, 0xEF, 0x0A, +- 0x8A, 0xEA, 0x71, 0x57, 0x5D, 0x06, 0x0C, 0x7D, +- 0xB3, 0x97, 0x0F, 0x85, 0xA6, 0xE1, 0xE4, 0xC7, +- 0xAB, 0xF5, 0xAE, 0x8C, 0xDB, 0x09, 0x33, 0xD7, +- 0x1E, 0x8C, 0x94, 0xE0, 0x4A, 0x25, 0x61, 0x9D, +- 0xCE, 0xE3, 0xD2, 0x26, 0x1A, 0xD2, 0xEE, 0x6B, +- 0xF1, 0x2F, 0xFA, 0x06, 0xD9, 0x8A, 0x08, 0x64, +- 0xD8, 0x76, 0x02, 0x73, 0x3E, 0xC8, 0x6A, 0x64, +- 0x52, 0x1F, 0x2B, 0x18, 0x17, 0x7B, 0x20, 0x0C, +- 0xBB, 0xE1, 0x17, 0x57, 0x7A, 0x61, 0x5D, 0x6C, +- 0x77, 0x09, 0x88, 0xC0, 0xBA, 0xD9, 0x46, 0xE2, +- 0x08, 0xE2, 0x4F, 0xA0, 0x74, 0xE5, 0xAB, 0x31, +- 0x43, 0xDB, 0x5B, 0xFC, 0xE0, 0xFD, 0x10, 0x8E, +- 0x4B, 0x82, 0xD1, 0x20, 0xA9, 0x21, 0x08, 0x01, +- 0x1A, 0x72, 0x3C, 0x12, 0xA7, 0x87, 0xE6, 0xD7, +- 0x88, 0x71, 0x9A, 0x10, 0xBD, 0xBA, 0x5B, 0x26, +- 0x99, 0xC3, 0x27, 0x18, 0x6A, 0xF4, 0xE2, 0x3C, +- 0x1A, 0x94, 0x68, 0x34, 0xB6, 0x15, 0x0B, 0xDA, +- 0x25, 0x83, 0xE9, 0xCA, 0x2A, 0xD4, 0x4C, 0xE8, +- 0xDB, 0xBB, 0xC2, 0xDB, 0x04, 0xDE, 0x8E, 0xF9, +- 0x2E, 0x8E, 0xFC, 0x14, 0x1F, 0xBE, 0xCA, 0xA6, +- 0x28, 0x7C, 0x59, 0x47, 0x4E, 0x6B, 0xC0, 0x5D, +- 0x99, 0xB2, 0x96, 0x4F, 0xA0, 0x90, 0xC3, 0xA2, +- 0x23, 0x3B, 0xA1, 0x86, 0x51, 0x5B, 0xE7, 0xED, +- 0x1F, 0x61, 0x29, 0x70, 0xCE, 0xE2, 0xD7, 0xAF, +- 0xB8, 0x1B, 0xDD, 0x76, 0x21, 0x70, 0x48, 0x1C, +- 0xD0, 0x06, 0x91, 0x27, 0xD5, 0xB0, 0x5A, 0xA9, +- 0x93, 0xB4, 0xEA, 0x98, 0x8D, 0x8F, 0xDD, 0xC1, +- 0x86, 0xFF, 0xB7, 0xDC, 0x90, 0xA6, 0xC0, 0x8F, +- 0x4D, 0xF4, 0x35, 0xC9, 0x34, 0x02, 0x84, 0x92, +- 0x36, 0xC3, 0xFA, 0xB4, 0xD2, 0x7C, 0x70, 0x26, +- 0xC1, 0xD4, 0xDC, 0xB2, 0x60, 0x26, 0x46, 0xDE, +- 0xC9, 0x75, 0x1E, 0x76, 0x3D, 0xBA, 0x37, 0xBD, +- 0xF8, 0xFF, 0x94, 0x06, 0xAD, 0x9E, 0x53, 0x0E, +- 0xE5, 0xDB, 0x38, 0x2F, 0x41, 0x30, 0x01, 0xAE, +- 0xB0, 0x6A, 0x53, 0xED, 0x90, 0x27, 0xD8, 0x31, +- 0x17, 0x97, 0x27, 0xB0, 0x86, 0x5A, 0x89, 0x18, +- 0xDA, 0x3E, 0xDB, 0xEB, 0xCF, 0x9B, 0x14, 0xED, +- 0x44, 0xCE, 0x6C, 0xBA, 0xCE, 0xD4, 0xBB, 0x1B, +- 0xDB, 0x7F, 0x14, 0x47, 0xE6, 0xCC, 0x25, 0x4B, +- 0x33, 0x20, 0x51, 0x51, 0x2B, 0xD7, 0xAF, 0x42, +- 0x6F, 0xB8, 0xF4, 0x01, 0x37, 0x8C, 0xD2, 0xBF, +- 0x59, 0x83, 0xCA, 0x01, 0xC6, 0x4B, 0x92, 0xEC, +- 0xF0, 0x32, 0xEA, 0x15, 0xD1, 0x72, 0x1D, 0x03, +- 0xF4, 0x82, 0xD7, 0xCE, 0x6E, 0x74, 0xFE, 0xF6, +- 0xD5, 0x5E, 0x70, 0x2F, 0x46, 0x98, 0x0C, 0x82, +- 0xB5, 0xA8, 0x40, 0x31, 0x90, 0x0B, 0x1C, 0x9E, +- 0x59, 0xE7, 0xC9, 0x7F, 0xBE, 0xC7, 0xE8, 0xF3, +- 0x23, 0xA9, 0x7A, 0x7E, 0x36, 0xCC, 0x88, 0xBE, +- 0x0F, 0x1D, 0x45, 0xB7, 0xFF, 0x58, 0x5A, 0xC5, +- 0x4B, 0xD4, 0x07, 0xB2, 0x2B, 0x41, 0x54, 0xAA, +- 0xCC, 0x8F, 0x6D, 0x7E, 0xBF, 0x48, 0xE1, 0xD8, +- 0x14, 0xCC, 0x5E, 0xD2, 0x0F, 0x80, 0x37, 0xE0, +- 0xA7, 0x97, 0x15, 0xEE, 0xF2, 0x9B, 0xE3, 0x28, +- 0x06, 0xA1, 0xD5, 0x8B, 0xB7, 0xC5, 0xDA, 0x76, +- 0xF5, 0x50, 0xAA, 0x3D, 0x8A, 0x1F, 0xBF, 0xF0, +- 0xEB, 0x19, 0xCC, 0xB1, 0xA3, 0x13, 0xD5, 0x5C, +- 0xDA, 0x56, 0xC9, 0xEC, 0x2E, 0xF2, 0x96, 0x32, +- 0x38, 0x7F, 0xE8, 0xD7, 0x6E, 0x3C, 0x04, 0x68, +- 0x04, 0x3E, 0x8F, 0x66, 0x3F, 0x48, 0x60, 0xEE, +- 0x12, 0xBF, 0x2D, 0x5B, 0x0B, 0x74, 0x74, 0xD6, +- 0xE6, 0x94, 0xF9, 0x1E, 0x6D, 0xBE, 0x11, 0x59, +- 0x74, 0xA3, 0x92, 0x6F, 0x12, 0xFE, 0xE5, 0xE4, +- 0x38, 0x77, 0x7C, 0xB6, 0xA9, 0x32, 0xDF, 0x8C, +- 0xD8, 0xBE, 0xC4, 0xD0, 0x73, 0xB9, 0x31, 0xBA, +- 0x3B, 0xC8, 0x32, 0xB6, 0x8D, 0x9D, 0xD3, 0x00, +- 0x74, 0x1F, 0xA7, 0xBF, 0x8A, 0xFC, 0x47, 0xED, +- 0x25, 0x76, 0xF6, 0x93, 0x6B, 0xA4, 0x24, 0x66, +- 0x3A, 0xAB, 0x63, 0x9C, 0x5A, 0xE4, 0xF5, 0x68, +- 0x34, 0x23, 0xB4, 0x74, 0x2B, 0xF1, 0xC9, 0x78, +- 0x23, 0x8F, 0x16, 0xCB, 0xE3, 0x9D, 0x65, 0x2D, +- 0xE3, 0xFD, 0xB8, 0xBE, 0xFC, 0x84, 0x8A, 0xD9, +- 0x22, 0x22, 0x2E, 0x04, 0xA4, 0x03, 0x7C, 0x07, +- 0x13, 0xEB, 0x57, 0xA8, 0x1A, 0x23, 0xF0, 0xC7, +- 0x34, 0x73, 0xFC, 0x64, 0x6C, 0xEA, 0x30, 0x6B, +- 0x4B, 0xCB, 0xC8, 0x86, 0x2F, 0x83, 0x85, 0xDD, +- 0xFA, 0x9D, 0x4B, 0x7F, 0xA2, 0xC0, 0x87, 0xE8, +- 0x79, 0x68, 0x33, 0x03, 0xED, 0x5B, 0xDD, 0x3A, +- 0x06, 0x2B, 0x3C, 0xF5, 0xB3, 0xA2, 0x78, 0xA6, +- 0x6D, 0x2A, 0x13, 0xF8, 0x3F, 0x44, 0xF8, 0x2D, +- 0xDF, 0x31, 0x0E, 0xE0, 0x74, 0xAB, 0x6A, 0x36, +- 0x45, 0x97, 0xE8, 0x99, 0xA0, 0x25, 0x5D, 0xC1, +- 0x64, 0xF3, 0x1C, 0xC5, 0x08, 0x46, 0x85, 0x1D, +- 0xF9, 0xAB, 0x48, 0x19, 0x5D, 0xED, 0x7E, 0xA1, +- 0xB1, 0xD5, 0x10, 0xBD, 0x7E, 0xE7, 0x4D, 0x73, +- 0xFA, 0xF3, 0x6B, 0xC3, 0x1E, 0xCF, 0xA2, 0x68, +- 0x35, 0x90, 0x46, 0xF4, 0xEB, 0x87, 0x9F, 0x92, +- 0x40, 0x09, 0x43, 0x8B, 0x48, 0x1C, 0x6C, 0xD7, +- 0x88, 0x9A, 0x00, 0x2E, 0xD5, 0xEE, 0x38, 0x2B, +- 0xC9, 0x19, 0x0D, 0xA6, 0xFC, 0x02, 0x6E, 0x47, +- 0x95, 0x58, 0xE4, 0x47, 0x56, 0x77, 0xE9, 0xAA, +- 0x9E, 0x30, 0x50, 0xE2, 0x76, 0x56, 0x94, 0xDF, +- 0xC8, 0x1F, 0x56, 0xE8, 0x80, 0xB9, 0x6E, 0x71, +- 0x60, 0xC9, 0x80, 0xDD, 0x98, 0xED, 0xD3, 0xDF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- }; +- return BN_bin2bn(RFC3526_PRIME_8192, sizeof(RFC3526_PRIME_8192), bn); ++ return COPY_BN(bn, _bignum_modp_8192_p); + } +Index: openssl-1.1.1m/crypto/bn/bn_dh.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/bn/bn_dh.c ++++ openssl-1.1.1m/crypto/bn/bn_dh.c +@@ -11,474 +11,995 @@ + #include "internal/nelem.h" + + #ifndef OPENSSL_NO_DH +-#include +-#include "crypto/bn_dh.h" +-/* DH parameters from RFC5114 */ ++# include ++# include "crypto/bn_dh.h" + + # if BN_BITS2 == 64 +-static const BN_ULONG dh1024_160_p[] = { +- 0xDF1FB2BC2E4A4371ULL, 0xE68CFDA76D4DA708ULL, 0x45BF37DF365C1A65ULL, +- 0xA151AF5F0DC8B4BDULL, 0xFAA31A4FF55BCCC0ULL, 0x4EFFD6FAE5644738ULL, +- 0x98488E9C219A7372ULL, 0xACCBDD7D90C4BD70ULL, 0x24975C3CD49B83BFULL, +- 0x13ECB4AEA9061123ULL, 0x9838EF1E2EE652C0ULL, 0x6073E28675A23D18ULL, +- 0x9A6A9DCA52D23B61ULL, 0x52C99FBCFB06A3C6ULL, 0xDE92DE5EAE5D54ECULL, +- 0xB10B8F96A080E01DULL +-}; +- +-static const BN_ULONG dh1024_160_g[] = { +- 0x855E6EEB22B3B2E5ULL, 0x858F4DCEF97C2A24ULL, 0x2D779D5918D08BC8ULL, +- 0xD662A4D18E73AFA3ULL, 0x1DBF0A0169B6A28AULL, 0xA6A24C087A091F53ULL, +- 0x909D0D2263F80A76ULL, 0xD7FBD7D3B9A92EE1ULL, 0x5E91547F9E2749F4ULL, +- 0x160217B4B01B886AULL, 0x777E690F5504F213ULL, 0x266FEA1E5C41564BULL, +- 0xD6406CFF14266D31ULL, 0xF8104DD258AC507FULL, 0x6765A442EFB99905ULL, +- 0xA4D1CBD5C3FD3412ULL +-}; +- +-static const BN_ULONG dh1024_160_q[] = { +- 0x64B7CB9D49462353ULL, 0x81A8DF278ABA4E7DULL, 0x00000000F518AA87ULL +-}; +- +-static const BN_ULONG dh2048_224_p[] = { +- 0x0AC4DFFE0C10E64FULL, 0xCF9DE5384E71B81CULL, 0x7EF363E2FFA31F71ULL, +- 0xE3FB73C16B8E75B9ULL, 0xC9B53DCF4BA80A29ULL, 0x23F10B0E16E79763ULL, +- 0xC52172E413042E9BULL, 0xBE60E69CC928B2B9ULL, 0x80CD86A1B9E587E8ULL, +- 0x315D75E198C641A4ULL, 0xCDF93ACC44328387ULL, 0x15987D9ADC0A486DULL, +- 0x7310F7121FD5A074ULL, 0x278273C7DE31EFDCULL, 0x1602E714415D9330ULL, +- 0x81286130BC8985DBULL, 0xB3BF8A3170918836ULL, 0x6A00E0A0B9C49708ULL, +- 0xC6BA0B2C8BBC27BEULL, 0xC9F98D11ED34DBF6ULL, 0x7AD5B7D0B6C12207ULL, +- 0xD91E8FEF55B7394BULL, 0x9037C9EDEFDA4DF8ULL, 0x6D3F8152AD6AC212ULL, +- 0x1DE6B85A1274A0A6ULL, 0xEB3D688A309C180EULL, 0xAF9A3C407BA1DF15ULL, +- 0xE6FA141DF95A56DBULL, 0xB54B1597B61D0A75ULL, 0xA20D64E5683B9FD1ULL, +- 0xD660FAA79559C51FULL, 0xAD107E1E9123A9D0ULL +-}; +- +-static const BN_ULONG dh2048_224_g[] = { +- 0x84B890D3191F2BFAULL, 0x81BC087F2A7065B3ULL, 0x19C418E1F6EC0179ULL, +- 0x7B5A0F1C71CFFF4CULL, 0xEDFE72FE9B6AA4BDULL, 0x81E1BCFE94B30269ULL, +- 0x566AFBB48D6C0191ULL, 0xB539CCE3409D13CDULL, 0x6AA21E7F5F2FF381ULL, +- 0xD9E263E4770589EFULL, 0x10E183EDD19963DDULL, 0xB70A8137150B8EEBULL, +- 0x051AE3D428C8F8ACULL, 0xBB77A86F0C1AB15BULL, 0x6E3025E316A330EFULL, +- 0x19529A45D6F83456ULL, 0xF180EB34118E98D1ULL, 0xB5F6C6B250717CBEULL, +- 0x09939D54DA7460CDULL, 0xE247150422EA1ED4ULL, 0xB8A762D0521BC98AULL, +- 0xF4D027275AC1348BULL, 0xC17669101999024AULL, 0xBE5E9001A8D66AD7ULL, +- 0xC57DB17C620A8652ULL, 0xAB739D7700C29F52ULL, 0xDD921F01A70C4AFAULL, +- 0xA6824A4E10B9A6F0ULL, 0x74866A08CFE4FFE3ULL, 0x6CDEBE7B89998CAFULL, +- 0x9DF30B5C8FFDAC50ULL, 0xAC4032EF4F2D9AE3ULL +-}; +- +-static const BN_ULONG dh2048_224_q[] = { +- 0xBF389A99B36371EBULL, 0x1F80535A4738CEBCULL, 0xC58D93FE99717710ULL, +- 0x00000000801C0D34ULL +-}; +- +-static const BN_ULONG dh2048_256_p[] = { +- 0xDB094AE91E1A1597ULL, 0x693877FAD7EF09CAULL, 0x6116D2276E11715FULL, +- 0xA4B54330C198AF12ULL, 0x75F26375D7014103ULL, 0xC3A3960A54E710C3ULL, +- 0xDED4010ABD0BE621ULL, 0xC0B857F689962856ULL, 0xB3CA3F7971506026ULL, +- 0x1CCACB83E6B486F6ULL, 0x67E144E514056425ULL, 0xF6A167B5A41825D9ULL, +- 0x3AD8347796524D8EULL, 0xF13C6D9A51BFA4ABULL, 0x2D52526735488A0EULL, +- 0xB63ACAE1CAA6B790ULL, 0x4FDB70C581B23F76ULL, 0xBC39A0BF12307F5CULL, +- 0xB941F54EB1E59BB8ULL, 0x6C5BFC11D45F9088ULL, 0x22E0B1EF4275BF7BULL, +- 0x91F9E6725B4758C0ULL, 0x5A8A9D306BCF67EDULL, 0x209E0C6497517ABDULL, +- 0x3BF4296D830E9A7CULL, 0x16C3D91134096FAAULL, 0xFAF7DF4561B2AA30ULL, +- 0xE00DF8F1D61957D4ULL, 0x5D2CEED4435E3B00ULL, 0x8CEEF608660DD0F2ULL, +- 0xFFBBD19C65195999ULL, 0x87A8E61DB4B6663CULL +-}; +- +-static const BN_ULONG dh2048_256_g[] = { +- 0x664B4C0F6CC41659ULL, 0x5E2327CFEF98C582ULL, 0xD647D148D4795451ULL, +- 0x2F63078490F00EF8ULL, 0x184B523D1DB246C3ULL, 0xC7891428CDC67EB6ULL, +- 0x7FD028370DF92B52ULL, 0xB3353BBB64E0EC37ULL, 0xECD06E1557CD0915ULL, +- 0xB7D2BBD2DF016199ULL, 0xC8484B1E052588B9ULL, 0xDB2A3B7313D3FE14ULL, +- 0xD052B985D182EA0AULL, 0xA4BD1BFFE83B9C80ULL, 0xDFC967C1FB3F2E55ULL, +- 0xB5045AF2767164E1ULL, 0x1D14348F6F2F9193ULL, 0x64E67982428EBC83ULL, +- 0x8AC376D282D6ED38ULL, 0x777DE62AAAB8A862ULL, 0xDDF463E5E9EC144BULL, +- 0x0196F931C77A57F2ULL, 0xA55AE31341000A65ULL, 0x901228F8C28CBB18ULL, +- 0xBC3773BF7E8C6F62ULL, 0xBE3A6C1B0C6B47B1ULL, 0xFF4FED4AAC0BB555ULL, +- 0x10DBC15077BE463FULL, 0x07F4793A1A0BA125ULL, 0x4CA7B18F21EF2054ULL, +- 0x2E77506660EDBD48ULL, 0x3FB32C9B73134D0BULL +-}; +- +-static const BN_ULONG dh2048_256_q[] = { +- 0xA308B0FE64F5FBD3ULL, 0x99B1A47D1EB3750BULL, 0xB447997640129DA2ULL, +- 0x8CF83642A709A097ULL +-}; +- +-/* Primes from RFC 7919 */ +-static const BN_ULONG ffdhe2048_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0x886B423861285C97ULL, 0xC6F34A26C1B2EFFAULL, +- 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, +- 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, +- 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, +- 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, +- 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, +- 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, +- 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, +- 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, +- 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, +- 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL +-}; +- +-static const BN_ULONG ffdhe3072_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0x25E41D2B66C62E37ULL, 0x3C1B20EE3FD59D7CULL, +- 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, +- 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, +- 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, +- 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, +- 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, +- 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, +- 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, +- 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, +- 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, +- 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, +- 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, +- 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, +- 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, +- 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, +- 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL +-}; +- +-static const BN_ULONG ffdhe4096_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0xC68A007E5E655F6AULL, 0x4DB5A851F44182E1ULL, +- 0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL, +- 0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL, 0x6DC778F971AD0038ULL, +- 0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL, +- 0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL, +- 0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL, +- 0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, +- 0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, +- 0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, +- 0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, +- 0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, +- 0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, +- 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, +- 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, +- 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, +- 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, +- 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, +- 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, +- 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, +- 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, +- 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, +- 0xFFFFFFFFFFFFFFFFULL +-}; ++# define BN_DEF(lo, hi) (BN_ULONG)hi << 32 | lo ++# else ++# define BN_DEF(lo, hi) lo, hi ++# endif + +-static const BN_ULONG ffdhe6144_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0xA40E329CD0E40E65ULL, 0xA41D570D7938DAD4ULL, +- 0x62A69526D43161C1ULL, 0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL, +- 0xEC9D1810C6272B04ULL, 0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL, +- 0x505DC82DB854338AULL, 0x62292C311562A846ULL, 0xD72B03746AE77F5EULL, +- 0xF9C9091B462D538CULL, 0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL, +- 0xEEAAC0232A281BF6ULL, 0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL, +- 0x587E38DA0077D9B4ULL, 0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL, +- 0xA00EF092350511E3ULL, 0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL, +- 0x388147FB4CFDB477ULL, 0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL, +- 0xB38E8C334C701C3AULL, 0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL, +- 0x23BA4442CAF53EA6ULL, 0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL, +- 0xC68A007E5E0DD902ULL, 0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL, +- 0x0A8291CDCEC97DCFULL, 0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL, +- 0x092999A333CB8B7AULL, 0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL, +- 0xED6A1E012D9E6832ULL, 0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL, +- 0x7763CF1D55034004ULL, 0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL, +- 0x6E6F52C3164DF4FBULL, 0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL, +- 0x0ABCD06BFA53DDEFULL, 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, +- 0xE86D2BC522363A0DULL, 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, +- 0xF4FD4452E2D74DD3ULL, 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, +- 0x598CB0FAC186D91CULL, 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, +- 0xBC34F4DEF99C0238ULL, 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, +- 0xC6F34A26C1B2EFFAULL, 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, +- 0xC3FE3B1B4C6FAD73ULL, 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, +- 0xC03404CD28342F61ULL, 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, +- 0xAE56EDE76372BB19ULL, 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, +- 0xD108A94BB2C8E3FBULL, 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, +- 0x1DF158A136ADE735ULL, 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, +- 0xB557135E7F57C935ULL, 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, +- 0xD3DF1ED5D5FD6561ULL, 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, +- 0xCC939DCE249B3EF9ULL, 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, +- 0xAFDC5620273D3CF1ULL, 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL +-}; ++/* DH parameters from RFC3526 */ + +-static const BN_ULONG ffdhe8192_p[] = { +- 0xFFFFFFFFFFFFFFFFULL, 0xD68C8BB7C5C6424CULL, 0x011E2A94838FF88CULL, +- 0x0822E506A9F4614EULL, 0x97D11D49F7A8443DULL, 0xA6BBFDE530677F0DULL, +- 0x2F741EF8C1FE86FEULL, 0xFAFABE1C5D71A87EULL, 0xDED2FBABFBE58A30ULL, +- 0xB6855DFE72B0A66EULL, 0x1EFC8CE0BA8A4FE8ULL, 0x83F81D4A3F2FA457ULL, +- 0xA1FE3075A577E231ULL, 0xD5B8019488D9C0A0ULL, 0x624816CDAD9A95F9ULL, +- 0x99E9E31650C1217BULL, 0x51AA691E0E423CFCULL, 0x1C217E6C3826E52CULL, +- 0x51A8A93109703FEEULL, 0xBB7099876A460E74ULL, 0x541FC68C9C86B022ULL, +- 0x59160CC046FD8251ULL, 0x2846C0BA35C35F5CULL, 0x54504AC78B758282ULL, +- 0x29388839D2AF05E4ULL, 0xCB2C0F1CC01BD702ULL, 0x555B2F747C932665ULL, +- 0x86B63142A3AB8829ULL, 0x0B8CC3BDF64B10EFULL, 0x687FEB69EDD1CC5EULL, +- 0xFDB23FCEC9509D43ULL, 0x1E425A31D951AE64ULL, 0x36AD004CF600C838ULL, +- 0xA40E329CCFF46AAAULL, 0xA41D570D7938DAD4ULL, 0x62A69526D43161C1ULL, +- 0x3FDD4A8E9ADB1E69ULL, 0x5B3B71F9DC6B80D6ULL, 0xEC9D1810C6272B04ULL, +- 0x8CCF2DD5CACEF403ULL, 0xE49F5235C95B9117ULL, 0x505DC82DB854338AULL, +- 0x62292C311562A846ULL, 0xD72B03746AE77F5EULL, 0xF9C9091B462D538CULL, +- 0x0AE8DB5847A67CBEULL, 0xB3A739C122611682ULL, 0xEEAAC0232A281BF6ULL, +- 0x94C6651E77CAF992ULL, 0x763E4E4B94B2BBC1ULL, 0x587E38DA0077D9B4ULL, +- 0x7FB29F8C183023C3ULL, 0x0ABEC1FFF9E3A26EULL, 0xA00EF092350511E3ULL, +- 0xB855322EDB6340D8ULL, 0xA52471F7A9A96910ULL, 0x388147FB4CFDB477ULL, +- 0x9B1F5C3E4E46041FULL, 0xCDAD0657FCCFEC71ULL, 0xB38E8C334C701C3AULL, +- 0x917BDD64B1C0FD4CULL, 0x3BB454329B7624C8ULL, 0x23BA4442CAF53EA6ULL, +- 0x4E677D2C38532A3AULL, 0x0BFD64B645036C7AULL, 0xC68A007E5E0DD902ULL, +- 0x4DB5A851F44182E1ULL, 0x8EC9B55A7F88A46BULL, 0x0A8291CDCEC97DCFULL, +- 0x2A4ECEA9F98D0ACCULL, 0x1A1DB93D7140003CULL, 0x092999A333CB8B7AULL, +- 0x6DC778F971AD0038ULL, 0xA907600A918130C4ULL, 0xED6A1E012D9E6832ULL, +- 0x7135C886EFB4318AULL, 0x87F55BA57E31CC7AULL, 0x7763CF1D55034004ULL, +- 0xAC7D5F42D69F6D18ULL, 0x7930E9E4E58857B6ULL, 0x6E6F52C3164DF4FBULL, +- 0x25E41D2B669E1EF1ULL, 0x3C1B20EE3FD59D7CULL, 0x0ABCD06BFA53DDEFULL, +- 0x1DBF9A42D5C4484EULL, 0xABC521979B0DEADAULL, 0xE86D2BC522363A0DULL, +- 0x5CAE82AB9C9DF69EULL, 0x64F2E21E71F54BFFULL, 0xF4FD4452E2D74DD3ULL, +- 0xB4130C93BC437944ULL, 0xAEFE130985139270ULL, 0x598CB0FAC186D91CULL, +- 0x7AD91D2691F7F7EEULL, 0x61B46FC9D6E6C907ULL, 0xBC34F4DEF99C0238ULL, +- 0xDE355B3B6519035BULL, 0x886B4238611FCFDCULL, 0xC6F34A26C1B2EFFAULL, +- 0xC58EF1837D1683B2ULL, 0x3BB5FCBC2EC22005ULL, 0xC3FE3B1B4C6FAD73ULL, +- 0x8E4F1232EEF28183ULL, 0x9172FE9CE98583FFULL, 0xC03404CD28342F61ULL, +- 0x9E02FCE1CDF7E2ECULL, 0x0B07A7C8EE0A6D70ULL, 0xAE56EDE76372BB19ULL, +- 0x1D4F42A3DE394DF4ULL, 0xB96ADAB760D7F468ULL, 0xD108A94BB2C8E3FBULL, +- 0xBC0AB182B324FB61ULL, 0x30ACCA4F483A797AULL, 0x1DF158A136ADE735ULL, +- 0xE2A689DAF3EFE872ULL, 0x984F0C70E0E68B77ULL, 0xB557135E7F57C935ULL, +- 0x856365553DED1AF3ULL, 0x2433F51F5F066ED0ULL, 0xD3DF1ED5D5FD6561ULL, +- 0xF681B202AEC4617AULL, 0x7D2FE363630C75D8ULL, 0xCC939DCE249B3EF9ULL, +- 0xA9E13641146433FBULL, 0xD8B9C583CE2D3695ULL, 0xAFDC5620273D3CF1ULL, +- 0xADF85458A2BB4A9AULL, 0xFFFFFFFFFFFFFFFFULL ++/* ++ * "1536-bit MODP Group" from RFC3526, Section 2. ++ * ++ * The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } ++ * ++ * RFC3526 specifies a generator of 2. ++ * RFC2312 specifies a generator of 22. ++ */ ++static const BN_ULONG modp_1536_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCA237327, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_1536_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6511B993, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF) ++}; ++ ++/*- ++ * "2048-bit MODP Group" from RFC3526, Section 3. ++ * ++ * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_2048_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x8AACAA68, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_2048_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x45565534, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), ++}; ++ ++/*- ++ * "3072-bit MODP Group" from RFC3526, Section 4. ++ * ++ * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_3072_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xA93AD2CA, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_3072_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x549D6965, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), ++}; ++ ++/*- ++ * "4096-bit MODP Group" from RFC3526, Section 5. ++ * ++ * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_4096_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x34063199, 0x4DF435C9), ++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), ++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), ++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), ++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), ++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), ++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), ++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), ++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_4096_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x9A0318CC, 0xA6FA1AE4), ++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), ++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), ++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), ++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), ++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), ++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), ++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), ++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), ++}; ++ ++/*- ++ * "6144-bit MODP Group" from RFC3526, Section 6. ++ * ++ * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_6144_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6DCC4024, 0xE694F91E), ++ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), ++ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), ++ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), ++ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), ++ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), ++ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), ++ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), ++ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), ++ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), ++ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), ++ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), ++ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), ++ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), ++ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406), ++ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), ++ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), ++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), ++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), ++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), ++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), ++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), ++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), ++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), ++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_6144_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x36E62012, 0x734A7C8F), ++ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), ++ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), ++ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), ++ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), ++ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), ++ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), ++ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), ++ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), ++ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), ++ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), ++ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), ++ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), ++ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), ++ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), ++ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), ++ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), ++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), ++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), ++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), ++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), ++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), ++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), ++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), ++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), ++}; ++ ++/* ++ * "8192-bit MODP Group" from RFC3526, Section 7. ++ * ++ * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } ++ * ++ * RFC3526 specifies a generator of 2. ++ */ ++static const BN_ULONG modp_8192_p[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x98EDD3DF, 0x60C980DD), ++ BN_DEF(0x80B96E71, 0xC81F56E8), BN_DEF(0x765694DF, 0x9E3050E2), ++ BN_DEF(0x5677E9AA, 0x9558E447), BN_DEF(0xFC026E47, 0xC9190DA6), ++ BN_DEF(0xD5EE382B, 0x889A002E), BN_DEF(0x481C6CD7, 0x4009438B), ++ BN_DEF(0xEB879F92, 0x359046F4), BN_DEF(0x1ECFA268, 0xFAF36BC3), ++ BN_DEF(0x7EE74D73, 0xB1D510BD), BN_DEF(0x5DED7EA1, 0xF9AB4819), ++ BN_DEF(0x0846851D, 0x64F31CC5), BN_DEF(0xA0255DC1, 0x4597E899), ++ BN_DEF(0x74AB6A36, 0xDF310EE0), BN_DEF(0x3F44F82D, 0x6D2A13F8), ++ BN_DEF(0xB3A278A6, 0x062B3CF5), BN_DEF(0xED5BDD3A, 0x79683303), ++ BN_DEF(0xA2C087E8, 0xFA9D4B7F), BN_DEF(0x2F8385DD, 0x4BCBC886), ++ BN_DEF(0x6CEA306B, 0x3473FC64), BN_DEF(0x1A23F0C7, 0x13EB57A8), ++ BN_DEF(0xA4037C07, 0x22222E04), BN_DEF(0xFC848AD9, 0xE3FDB8BE), ++ BN_DEF(0xE39D652D, 0x238F16CB), BN_DEF(0x2BF1C978, 0x3423B474), ++ BN_DEF(0x5AE4F568, 0x3AAB639C), BN_DEF(0x6BA42466, 0x2576F693), ++ BN_DEF(0x8AFC47ED, 0x741FA7BF), BN_DEF(0x8D9DD300, 0x3BC832B6), ++ BN_DEF(0x73B931BA, 0xD8BEC4D0), BN_DEF(0xA932DF8C, 0x38777CB6), ++ BN_DEF(0x12FEE5E4, 0x74A3926F), BN_DEF(0x6DBE1159, 0xE694F91E), ++ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), ++ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), ++ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), ++ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), ++ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), ++ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), ++ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), ++ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), ++ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), ++ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), ++ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), ++ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), ++ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), ++ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406), ++ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), ++ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), ++ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), ++ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), ++ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), ++ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), ++ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), ++ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), ++ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), ++ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), ++ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), ++ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), ++ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), ++ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), ++ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), ++ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), ++ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), ++ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), ++ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), ++ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), ++ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), ++ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), ++ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), ++ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), ++ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), ++ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), ++ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), ++ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), ++ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), ++ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), ++ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), ++ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), ++ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG modp_8192_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCC76E9EF, 0xB064C06E), ++ BN_DEF(0x405CB738, 0xE40FAB74), BN_DEF(0x3B2B4A6F, 0x4F182871), ++ BN_DEF(0xAB3BF4D5, 0xCAAC7223), BN_DEF(0x7E013723, 0xE48C86D3), ++ BN_DEF(0x6AF71C15, 0xC44D0017), BN_DEF(0xA40E366B, 0x2004A1C5), ++ BN_DEF(0x75C3CFC9, 0x1AC8237A), BN_DEF(0x8F67D134, 0xFD79B5E1), ++ BN_DEF(0xBF73A6B9, 0xD8EA885E), BN_DEF(0xAEF6BF50, 0xFCD5A40C), ++ BN_DEF(0x8423428E, 0xB2798E62), BN_DEF(0xD012AEE0, 0x22CBF44C), ++ BN_DEF(0x3A55B51B, 0xEF988770), BN_DEF(0x1FA27C16, 0x369509FC), ++ BN_DEF(0xD9D13C53, 0x03159E7A), BN_DEF(0xF6ADEE9D, 0x3CB41981), ++ BN_DEF(0xD16043F4, 0xFD4EA5BF), BN_DEF(0x17C1C2EE, 0xA5E5E443), ++ BN_DEF(0x36751835, 0x9A39FE32), BN_DEF(0x0D11F863, 0x89F5ABD4), ++ BN_DEF(0x5201BE03, 0x91111702), BN_DEF(0x7E42456C, 0xF1FEDC5F), ++ BN_DEF(0xF1CEB296, 0x11C78B65), BN_DEF(0x15F8E4BC, 0x1A11DA3A), ++ BN_DEF(0x2D727AB4, 0x1D55B1CE), BN_DEF(0xB5D21233, 0x92BB7B49), ++ BN_DEF(0xC57E23F6, 0x3A0FD3DF), BN_DEF(0x46CEE980, 0x1DE4195B), ++ BN_DEF(0x39DC98DD, 0x6C5F6268), BN_DEF(0x54996FC6, 0x1C3BBE5B), ++ BN_DEF(0x897F72F2, 0xBA51C937), BN_DEF(0x36DF08AC, 0x734A7C8F), ++ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), ++ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), ++ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), ++ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), ++ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), ++ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), ++ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), ++ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), ++ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), ++ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), ++ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), ++ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), ++ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), ++ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), ++ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), ++ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), ++ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), ++ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), ++ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), ++ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), ++ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), ++ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), ++ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), ++ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), ++ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), ++ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), ++ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), ++ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), ++ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), ++ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), ++ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), ++ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), ++ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), ++ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), ++ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), ++ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), ++ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), ++ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), ++ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), ++ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), ++ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), ++ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), ++ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), ++ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), ++ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), ++ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), ++ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + +-# elif BN_BITS2 == 32 +- ++/* DH parameters from RFC5114 */ + static const BN_ULONG dh1024_160_p[] = { +- 0x2E4A4371, 0xDF1FB2BC, 0x6D4DA708, 0xE68CFDA7, 0x365C1A65, 0x45BF37DF, +- 0x0DC8B4BD, 0xA151AF5F, 0xF55BCCC0, 0xFAA31A4F, 0xE5644738, 0x4EFFD6FA, +- 0x219A7372, 0x98488E9C, 0x90C4BD70, 0xACCBDD7D, 0xD49B83BF, 0x24975C3C, +- 0xA9061123, 0x13ECB4AE, 0x2EE652C0, 0x9838EF1E, 0x75A23D18, 0x6073E286, +- 0x52D23B61, 0x9A6A9DCA, 0xFB06A3C6, 0x52C99FBC, 0xAE5D54EC, 0xDE92DE5E, +- 0xA080E01D, 0xB10B8F96 +-}; +- +-static const BN_ULONG dh1024_160_g[] = { +- 0x22B3B2E5, 0x855E6EEB, 0xF97C2A24, 0x858F4DCE, 0x18D08BC8, 0x2D779D59, +- 0x8E73AFA3, 0xD662A4D1, 0x69B6A28A, 0x1DBF0A01, 0x7A091F53, 0xA6A24C08, +- 0x63F80A76, 0x909D0D22, 0xB9A92EE1, 0xD7FBD7D3, 0x9E2749F4, 0x5E91547F, +- 0xB01B886A, 0x160217B4, 0x5504F213, 0x777E690F, 0x5C41564B, 0x266FEA1E, +- 0x14266D31, 0xD6406CFF, 0x58AC507F, 0xF8104DD2, 0xEFB99905, 0x6765A442, +- 0xC3FD3412, 0xA4D1CBD5 ++ BN_DEF(0x2E4A4371, 0xDF1FB2BC), BN_DEF(0x6D4DA708, 0xE68CFDA7), ++ BN_DEF(0x365C1A65, 0x45BF37DF), BN_DEF(0x0DC8B4BD, 0xA151AF5F), ++ BN_DEF(0xF55BCCC0, 0xFAA31A4F), BN_DEF(0xE5644738, 0x4EFFD6FA), ++ BN_DEF(0x219A7372, 0x98488E9C), BN_DEF(0x90C4BD70, 0xACCBDD7D), ++ BN_DEF(0xD49B83BF, 0x24975C3C), BN_DEF(0xA9061123, 0x13ECB4AE), ++ BN_DEF(0x2EE652C0, 0x9838EF1E), BN_DEF(0x75A23D18, 0x6073E286), ++ BN_DEF(0x52D23B61, 0x9A6A9DCA), BN_DEF(0xFB06A3C6, 0x52C99FBC), ++ BN_DEF(0xAE5D54EC, 0xDE92DE5E), BN_DEF(0xA080E01D, 0xB10B8F96) + }; +- + static const BN_ULONG dh1024_160_q[] = { +- 0x49462353, 0x64B7CB9D, 0x8ABA4E7D, 0x81A8DF27, 0xF518AA87 ++ BN_DEF(0x49462353, 0x64B7CB9D), BN_DEF(0x8ABA4E7D, 0x81A8DF27), ++ (BN_ULONG)0xF518AA87 + }; +- +-static const BN_ULONG dh2048_224_p[] = { +- 0x0C10E64F, 0x0AC4DFFE, 0x4E71B81C, 0xCF9DE538, 0xFFA31F71, 0x7EF363E2, +- 0x6B8E75B9, 0xE3FB73C1, 0x4BA80A29, 0xC9B53DCF, 0x16E79763, 0x23F10B0E, +- 0x13042E9B, 0xC52172E4, 0xC928B2B9, 0xBE60E69C, 0xB9E587E8, 0x80CD86A1, +- 0x98C641A4, 0x315D75E1, 0x44328387, 0xCDF93ACC, 0xDC0A486D, 0x15987D9A, +- 0x1FD5A074, 0x7310F712, 0xDE31EFDC, 0x278273C7, 0x415D9330, 0x1602E714, +- 0xBC8985DB, 0x81286130, 0x70918836, 0xB3BF8A31, 0xB9C49708, 0x6A00E0A0, +- 0x8BBC27BE, 0xC6BA0B2C, 0xED34DBF6, 0xC9F98D11, 0xB6C12207, 0x7AD5B7D0, +- 0x55B7394B, 0xD91E8FEF, 0xEFDA4DF8, 0x9037C9ED, 0xAD6AC212, 0x6D3F8152, +- 0x1274A0A6, 0x1DE6B85A, 0x309C180E, 0xEB3D688A, 0x7BA1DF15, 0xAF9A3C40, +- 0xF95A56DB, 0xE6FA141D, 0xB61D0A75, 0xB54B1597, 0x683B9FD1, 0xA20D64E5, +- 0x9559C51F, 0xD660FAA7, 0x9123A9D0, 0xAD107E1E ++static const BN_ULONG dh1024_160_g[] = { ++ BN_DEF(0x22B3B2E5, 0x855E6EEB), BN_DEF(0xF97C2A24, 0x858F4DCE), ++ BN_DEF(0x18D08BC8, 0x2D779D59), BN_DEF(0x8E73AFA3, 0xD662A4D1), ++ BN_DEF(0x69B6A28A, 0x1DBF0A01), BN_DEF(0x7A091F53, 0xA6A24C08), ++ BN_DEF(0x63F80A76, 0x909D0D22), BN_DEF(0xB9A92EE1, 0xD7FBD7D3), ++ BN_DEF(0x9E2749F4, 0x5E91547F), BN_DEF(0xB01B886A, 0x160217B4), ++ BN_DEF(0x5504F213, 0x777E690F), BN_DEF(0x5C41564B, 0x266FEA1E), ++ BN_DEF(0x14266D31, 0xD6406CFF), BN_DEF(0x58AC507F, 0xF8104DD2), ++ BN_DEF(0xEFB99905, 0x6765A442), BN_DEF(0xC3FD3412, 0xA4D1CBD5) + }; + +-static const BN_ULONG dh2048_224_g[] = { +- 0x191F2BFA, 0x84B890D3, 0x2A7065B3, 0x81BC087F, 0xF6EC0179, 0x19C418E1, +- 0x71CFFF4C, 0x7B5A0F1C, 0x9B6AA4BD, 0xEDFE72FE, 0x94B30269, 0x81E1BCFE, +- 0x8D6C0191, 0x566AFBB4, 0x409D13CD, 0xB539CCE3, 0x5F2FF381, 0x6AA21E7F, +- 0x770589EF, 0xD9E263E4, 0xD19963DD, 0x10E183ED, 0x150B8EEB, 0xB70A8137, +- 0x28C8F8AC, 0x051AE3D4, 0x0C1AB15B, 0xBB77A86F, 0x16A330EF, 0x6E3025E3, +- 0xD6F83456, 0x19529A45, 0x118E98D1, 0xF180EB34, 0x50717CBE, 0xB5F6C6B2, +- 0xDA7460CD, 0x09939D54, 0x22EA1ED4, 0xE2471504, 0x521BC98A, 0xB8A762D0, +- 0x5AC1348B, 0xF4D02727, 0x1999024A, 0xC1766910, 0xA8D66AD7, 0xBE5E9001, +- 0x620A8652, 0xC57DB17C, 0x00C29F52, 0xAB739D77, 0xA70C4AFA, 0xDD921F01, +- 0x10B9A6F0, 0xA6824A4E, 0xCFE4FFE3, 0x74866A08, 0x89998CAF, 0x6CDEBE7B, +- 0x8FFDAC50, 0x9DF30B5C, 0x4F2D9AE3, 0xAC4032EF ++static const BN_ULONG dh2048_224_p[] = { ++ BN_DEF(0x0C10E64F, 0x0AC4DFFE), BN_DEF(0x4E71B81C, 0xCF9DE538), ++ BN_DEF(0xFFA31F71, 0x7EF363E2), BN_DEF(0x6B8E75B9, 0xE3FB73C1), ++ BN_DEF(0x4BA80A29, 0xC9B53DCF), BN_DEF(0x16E79763, 0x23F10B0E), ++ BN_DEF(0x13042E9B, 0xC52172E4), BN_DEF(0xC928B2B9, 0xBE60E69C), ++ BN_DEF(0xB9E587E8, 0x80CD86A1), BN_DEF(0x98C641A4, 0x315D75E1), ++ BN_DEF(0x44328387, 0xCDF93ACC), BN_DEF(0xDC0A486D, 0x15987D9A), ++ BN_DEF(0x1FD5A074, 0x7310F712), BN_DEF(0xDE31EFDC, 0x278273C7), ++ BN_DEF(0x415D9330, 0x1602E714), BN_DEF(0xBC8985DB, 0x81286130), ++ BN_DEF(0x70918836, 0xB3BF8A31), BN_DEF(0xB9C49708, 0x6A00E0A0), ++ BN_DEF(0x8BBC27BE, 0xC6BA0B2C), BN_DEF(0xED34DBF6, 0xC9F98D11), ++ BN_DEF(0xB6C12207, 0x7AD5B7D0), BN_DEF(0x55B7394B, 0xD91E8FEF), ++ BN_DEF(0xEFDA4DF8, 0x9037C9ED), BN_DEF(0xAD6AC212, 0x6D3F8152), ++ BN_DEF(0x1274A0A6, 0x1DE6B85A), BN_DEF(0x309C180E, 0xEB3D688A), ++ BN_DEF(0x7BA1DF15, 0xAF9A3C40), BN_DEF(0xF95A56DB, 0xE6FA141D), ++ BN_DEF(0xB61D0A75, 0xB54B1597), BN_DEF(0x683B9FD1, 0xA20D64E5), ++ BN_DEF(0x9559C51F, 0xD660FAA7), BN_DEF(0x9123A9D0, 0xAD107E1E) + }; +- + static const BN_ULONG dh2048_224_q[] = { +- 0xB36371EB, 0xBF389A99, 0x4738CEBC, 0x1F80535A, 0x99717710, 0xC58D93FE, +- 0x801C0D34 ++ BN_DEF(0xB36371EB, 0xBF389A99), BN_DEF(0x4738CEBC, 0x1F80535A), ++ BN_DEF(0x99717710, 0xC58D93FE), (BN_ULONG)0x801C0D34 + }; +- +-static const BN_ULONG dh2048_256_p[] = { +- 0x1E1A1597, 0xDB094AE9, 0xD7EF09CA, 0x693877FA, 0x6E11715F, 0x6116D227, +- 0xC198AF12, 0xA4B54330, 0xD7014103, 0x75F26375, 0x54E710C3, 0xC3A3960A, +- 0xBD0BE621, 0xDED4010A, 0x89962856, 0xC0B857F6, 0x71506026, 0xB3CA3F79, +- 0xE6B486F6, 0x1CCACB83, 0x14056425, 0x67E144E5, 0xA41825D9, 0xF6A167B5, +- 0x96524D8E, 0x3AD83477, 0x51BFA4AB, 0xF13C6D9A, 0x35488A0E, 0x2D525267, +- 0xCAA6B790, 0xB63ACAE1, 0x81B23F76, 0x4FDB70C5, 0x12307F5C, 0xBC39A0BF, +- 0xB1E59BB8, 0xB941F54E, 0xD45F9088, 0x6C5BFC11, 0x4275BF7B, 0x22E0B1EF, +- 0x5B4758C0, 0x91F9E672, 0x6BCF67ED, 0x5A8A9D30, 0x97517ABD, 0x209E0C64, +- 0x830E9A7C, 0x3BF4296D, 0x34096FAA, 0x16C3D911, 0x61B2AA30, 0xFAF7DF45, +- 0xD61957D4, 0xE00DF8F1, 0x435E3B00, 0x5D2CEED4, 0x660DD0F2, 0x8CEEF608, +- 0x65195999, 0xFFBBD19C, 0xB4B6663C, 0x87A8E61D ++static const BN_ULONG dh2048_224_g[] = { ++ BN_DEF(0x191F2BFA, 0x84B890D3), BN_DEF(0x2A7065B3, 0x81BC087F), ++ BN_DEF(0xF6EC0179, 0x19C418E1), BN_DEF(0x71CFFF4C, 0x7B5A0F1C), ++ BN_DEF(0x9B6AA4BD, 0xEDFE72FE), BN_DEF(0x94B30269, 0x81E1BCFE), ++ BN_DEF(0x8D6C0191, 0x566AFBB4), BN_DEF(0x409D13CD, 0xB539CCE3), ++ BN_DEF(0x5F2FF381, 0x6AA21E7F), BN_DEF(0x770589EF, 0xD9E263E4), ++ BN_DEF(0xD19963DD, 0x10E183ED), BN_DEF(0x150B8EEB, 0xB70A8137), ++ BN_DEF(0x28C8F8AC, 0x051AE3D4), BN_DEF(0x0C1AB15B, 0xBB77A86F), ++ BN_DEF(0x16A330EF, 0x6E3025E3), BN_DEF(0xD6F83456, 0x19529A45), ++ BN_DEF(0x118E98D1, 0xF180EB34), BN_DEF(0x50717CBE, 0xB5F6C6B2), ++ BN_DEF(0xDA7460CD, 0x09939D54), BN_DEF(0x22EA1ED4, 0xE2471504), ++ BN_DEF(0x521BC98A, 0xB8A762D0), BN_DEF(0x5AC1348B, 0xF4D02727), ++ BN_DEF(0x1999024A, 0xC1766910), BN_DEF(0xA8D66AD7, 0xBE5E9001), ++ BN_DEF(0x620A8652, 0xC57DB17C), BN_DEF(0x00C29F52, 0xAB739D77), ++ BN_DEF(0xA70C4AFA, 0xDD921F01), BN_DEF(0x10B9A6F0, 0xA6824A4E), ++ BN_DEF(0xCFE4FFE3, 0x74866A08), BN_DEF(0x89998CAF, 0x6CDEBE7B), ++ BN_DEF(0x8FFDAC50, 0x9DF30B5C), BN_DEF(0x4F2D9AE3, 0xAC4032EF) + }; + +-static const BN_ULONG dh2048_256_g[] = { +- 0x6CC41659, 0x664B4C0F, 0xEF98C582, 0x5E2327CF, 0xD4795451, 0xD647D148, +- 0x90F00EF8, 0x2F630784, 0x1DB246C3, 0x184B523D, 0xCDC67EB6, 0xC7891428, +- 0x0DF92B52, 0x7FD02837, 0x64E0EC37, 0xB3353BBB, 0x57CD0915, 0xECD06E15, +- 0xDF016199, 0xB7D2BBD2, 0x052588B9, 0xC8484B1E, 0x13D3FE14, 0xDB2A3B73, +- 0xD182EA0A, 0xD052B985, 0xE83B9C80, 0xA4BD1BFF, 0xFB3F2E55, 0xDFC967C1, +- 0x767164E1, 0xB5045AF2, 0x6F2F9193, 0x1D14348F, 0x428EBC83, 0x64E67982, +- 0x82D6ED38, 0x8AC376D2, 0xAAB8A862, 0x777DE62A, 0xE9EC144B, 0xDDF463E5, +- 0xC77A57F2, 0x0196F931, 0x41000A65, 0xA55AE313, 0xC28CBB18, 0x901228F8, +- 0x7E8C6F62, 0xBC3773BF, 0x0C6B47B1, 0xBE3A6C1B, 0xAC0BB555, 0xFF4FED4A, +- 0x77BE463F, 0x10DBC150, 0x1A0BA125, 0x07F4793A, 0x21EF2054, 0x4CA7B18F, +- 0x60EDBD48, 0x2E775066, 0x73134D0B, 0x3FB32C9B ++static const BN_ULONG dh2048_256_p[] = { ++ BN_DEF(0x1E1A1597, 0xDB094AE9), BN_DEF(0xD7EF09CA, 0x693877FA), ++ BN_DEF(0x6E11715F, 0x6116D227), BN_DEF(0xC198AF12, 0xA4B54330), ++ BN_DEF(0xD7014103, 0x75F26375), BN_DEF(0x54E710C3, 0xC3A3960A), ++ BN_DEF(0xBD0BE621, 0xDED4010A), BN_DEF(0x89962856, 0xC0B857F6), ++ BN_DEF(0x71506026, 0xB3CA3F79), BN_DEF(0xE6B486F6, 0x1CCACB83), ++ BN_DEF(0x14056425, 0x67E144E5), BN_DEF(0xA41825D9, 0xF6A167B5), ++ BN_DEF(0x96524D8E, 0x3AD83477), BN_DEF(0x51BFA4AB, 0xF13C6D9A), ++ BN_DEF(0x35488A0E, 0x2D525267), BN_DEF(0xCAA6B790, 0xB63ACAE1), ++ BN_DEF(0x81B23F76, 0x4FDB70C5), BN_DEF(0x12307F5C, 0xBC39A0BF), ++ BN_DEF(0xB1E59BB8, 0xB941F54E), BN_DEF(0xD45F9088, 0x6C5BFC11), ++ BN_DEF(0x4275BF7B, 0x22E0B1EF), BN_DEF(0x5B4758C0, 0x91F9E672), ++ BN_DEF(0x6BCF67ED, 0x5A8A9D30), BN_DEF(0x97517ABD, 0x209E0C64), ++ BN_DEF(0x830E9A7C, 0x3BF4296D), BN_DEF(0x34096FAA, 0x16C3D911), ++ BN_DEF(0x61B2AA30, 0xFAF7DF45), BN_DEF(0xD61957D4, 0xE00DF8F1), ++ BN_DEF(0x435E3B00, 0x5D2CEED4), BN_DEF(0x660DD0F2, 0x8CEEF608), ++ BN_DEF(0x65195999, 0xFFBBD19C), BN_DEF(0xB4B6663C, 0x87A8E61D) + }; +- + static const BN_ULONG dh2048_256_q[] = { +- 0x64F5FBD3, 0xA308B0FE, 0x1EB3750B, 0x99B1A47D, 0x40129DA2, 0xB4479976, +- 0xA709A097, 0x8CF83642 ++ BN_DEF(0x64F5FBD3, 0xA308B0FE), BN_DEF(0x1EB3750B, 0x99B1A47D), ++ BN_DEF(0x40129DA2, 0xB4479976), BN_DEF(0xA709A097, 0x8CF83642) ++}; ++static const BN_ULONG dh2048_256_g[] = { ++ BN_DEF(0x6CC41659, 0x664B4C0F), BN_DEF(0xEF98C582, 0x5E2327CF), ++ BN_DEF(0xD4795451, 0xD647D148), BN_DEF(0x90F00EF8, 0x2F630784), ++ BN_DEF(0x1DB246C3, 0x184B523D), BN_DEF(0xCDC67EB6, 0xC7891428), ++ BN_DEF(0x0DF92B52, 0x7FD02837), BN_DEF(0x64E0EC37, 0xB3353BBB), ++ BN_DEF(0x57CD0915, 0xECD06E15), BN_DEF(0xDF016199, 0xB7D2BBD2), ++ BN_DEF(0x052588B9, 0xC8484B1E), BN_DEF(0x13D3FE14, 0xDB2A3B73), ++ BN_DEF(0xD182EA0A, 0xD052B985), BN_DEF(0xE83B9C80, 0xA4BD1BFF), ++ BN_DEF(0xFB3F2E55, 0xDFC967C1), BN_DEF(0x767164E1, 0xB5045AF2), ++ BN_DEF(0x6F2F9193, 0x1D14348F), BN_DEF(0x428EBC83, 0x64E67982), ++ BN_DEF(0x82D6ED38, 0x8AC376D2), BN_DEF(0xAAB8A862, 0x777DE62A), ++ BN_DEF(0xE9EC144B, 0xDDF463E5), BN_DEF(0xC77A57F2, 0x0196F931), ++ BN_DEF(0x41000A65, 0xA55AE313), BN_DEF(0xC28CBB18, 0x901228F8), ++ BN_DEF(0x7E8C6F62, 0xBC3773BF), BN_DEF(0x0C6B47B1, 0xBE3A6C1B), ++ BN_DEF(0xAC0BB555, 0xFF4FED4A), BN_DEF(0x77BE463F, 0x10DBC150), ++ BN_DEF(0x1A0BA125, 0x07F4793A), BN_DEF(0x21EF2054, 0x4CA7B18F), ++ BN_DEF(0x60EDBD48, 0x2E775066), BN_DEF(0x73134D0B, 0x3FB32C9B) + }; + + /* Primes from RFC 7919 */ +- + static const BN_ULONG ffdhe2048_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0x61285C97, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, +- 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, +- 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, +- 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, +- 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, +- 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, +- 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, +- 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, +- 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, +- 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, +- 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x61285C97, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe2048_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x30942E4B, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe3072_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0x66C62E37, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, +- 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, +- 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, +- 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, +- 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, +- 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, +- 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, +- 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, +- 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, +- 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, +- 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, +- 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, +- 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, +- 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, +- 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, +- 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x66C62E37, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe3072_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xB363171B, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe4096_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0x5E655F6A, 0xC68A007E, 0xF44182E1, 0x4DB5A851, +- 0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9, +- 0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9, +- 0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886, +- 0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42, +- 0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B, +- 0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, +- 0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, +- 0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, +- 0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, +- 0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, +- 0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, +- 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, +- 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, +- 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, +- 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, +- 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, +- 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, +- 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, +- 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, +- 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, +- 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x5E655F6A, 0xC68A007E), ++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), ++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), ++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), ++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), ++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), ++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), ++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), ++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe4096_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x2F32AFB5, 0xE345003F), ++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), ++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), ++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), ++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), ++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), ++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), ++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), ++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe6144_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0xD0E40E65, 0xA40E329C, 0x7938DAD4, 0xA41D570D, +- 0xD43161C1, 0x62A69526, 0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9, +- 0xC6272B04, 0xEC9D1810, 0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 0xE49F5235, +- 0xB854338A, 0x505DC82D, 0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374, +- 0x462D538C, 0xF9C9091B, 0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1, +- 0x2A281BF6, 0xEEAAC023, 0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B, +- 0x0077D9B4, 0x587E38DA, 0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF, +- 0x350511E3, 0xA00EF092, 0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7, +- 0x4CFDB477, 0x388147FB, 0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657, +- 0x4C701C3A, 0xB38E8C33, 0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432, +- 0xCAF53EA6, 0x23BA4442, 0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6, +- 0x5E0DD902, 0xC68A007E, 0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A, +- 0xCEC97DCF, 0x0A8291CD, 0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D, +- 0x33CB8B7A, 0x092999A3, 0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A, +- 0x2D9E6832, 0xED6A1E01, 0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5, +- 0x55034004, 0x7763CF1D, 0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4, +- 0x164DF4FB, 0x6E6F52C3, 0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, +- 0xFA53DDEF, 0x0ABCD06B, 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, +- 0x22363A0D, 0xE86D2BC5, 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, +- 0xE2D74DD3, 0xF4FD4452, 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, +- 0xC186D91C, 0x598CB0FA, 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, +- 0xF99C0238, 0xBC34F4DE, 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, +- 0xC1B2EFFA, 0xC6F34A26, 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, +- 0x4C6FAD73, 0xC3FE3B1B, 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, +- 0x28342F61, 0xC03404CD, 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, +- 0x6372BB19, 0xAE56EDE7, 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, +- 0xB2C8E3FB, 0xD108A94B, 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, +- 0x36ADE735, 0x1DF158A1, 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, +- 0x7F57C935, 0xB557135E, 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, +- 0xD5FD6561, 0xD3DF1ED5, 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, +- 0x249B3EF9, 0xCC939DCE, 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, +- 0x273D3CF1, 0xAFDC5620, 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xD0E40E65, 0xA40E329C), ++ BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526), ++ BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9), ++ BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5), ++ BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D), ++ BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374), ++ BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58), ++ BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023), ++ BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B), ++ BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C), ++ BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 0xA00EF092), ++ BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7), ++ BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E), ++ BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33), ++ BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432), ++ BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C), ++ BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E), ++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), ++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), ++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), ++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), ++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), ++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), ++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), ++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe6144_q[] = { ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x68720732, 0x5207194E), ++ BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93), ++ BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC), ++ BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA), ++ BN_DEF(0xE4ADC88B, 0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416), ++ BN_DEF(0x8AB15423, 0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA), ++ BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC), ++ BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011), ++ BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725), ++ BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6), ++ BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849), ++ BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB), ++ BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F), ++ BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619), ++ BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19), ++ BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96), ++ BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F), ++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), ++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), ++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), ++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), ++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), ++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), ++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), ++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + + static const BN_ULONG ffdhe8192_p[] = { +- 0xFFFFFFFF, 0xFFFFFFFF, 0xC5C6424C, 0xD68C8BB7, 0x838FF88C, 0x011E2A94, +- 0xA9F4614E, 0x0822E506, 0xF7A8443D, 0x97D11D49, 0x30677F0D, 0xA6BBFDE5, +- 0xC1FE86FE, 0x2F741EF8, 0x5D71A87E, 0xFAFABE1C, 0xFBE58A30, 0xDED2FBAB, +- 0x72B0A66E, 0xB6855DFE, 0xBA8A4FE8, 0x1EFC8CE0, 0x3F2FA457, 0x83F81D4A, +- 0xA577E231, 0xA1FE3075, 0x88D9C0A0, 0xD5B80194, 0xAD9A95F9, 0x624816CD, +- 0x50C1217B, 0x99E9E316, 0x0E423CFC, 0x51AA691E, 0x3826E52C, 0x1C217E6C, +- 0x09703FEE, 0x51A8A931, 0x6A460E74, 0xBB709987, 0x9C86B022, 0x541FC68C, +- 0x46FD8251, 0x59160CC0, 0x35C35F5C, 0x2846C0BA, 0x8B758282, 0x54504AC7, +- 0xD2AF05E4, 0x29388839, 0xC01BD702, 0xCB2C0F1C, 0x7C932665, 0x555B2F74, +- 0xA3AB8829, 0x86B63142, 0xF64B10EF, 0x0B8CC3BD, 0xEDD1CC5E, 0x687FEB69, +- 0xC9509D43, 0xFDB23FCE, 0xD951AE64, 0x1E425A31, 0xF600C838, 0x36AD004C, +- 0xCFF46AAA, 0xA40E329C, 0x7938DAD4, 0xA41D570D, 0xD43161C1, 0x62A69526, +- 0x9ADB1E69, 0x3FDD4A8E, 0xDC6B80D6, 0x5B3B71F9, 0xC6272B04, 0xEC9D1810, +- 0xCACEF403, 0x8CCF2DD5, 0xC95B9117, 0xE49F5235, 0xB854338A, 0x505DC82D, +- 0x1562A846, 0x62292C31, 0x6AE77F5E, 0xD72B0374, 0x462D538C, 0xF9C9091B, +- 0x47A67CBE, 0x0AE8DB58, 0x22611682, 0xB3A739C1, 0x2A281BF6, 0xEEAAC023, +- 0x77CAF992, 0x94C6651E, 0x94B2BBC1, 0x763E4E4B, 0x0077D9B4, 0x587E38DA, +- 0x183023C3, 0x7FB29F8C, 0xF9E3A26E, 0x0ABEC1FF, 0x350511E3, 0xA00EF092, +- 0xDB6340D8, 0xB855322E, 0xA9A96910, 0xA52471F7, 0x4CFDB477, 0x388147FB, +- 0x4E46041F, 0x9B1F5C3E, 0xFCCFEC71, 0xCDAD0657, 0x4C701C3A, 0xB38E8C33, +- 0xB1C0FD4C, 0x917BDD64, 0x9B7624C8, 0x3BB45432, 0xCAF53EA6, 0x23BA4442, +- 0x38532A3A, 0x4E677D2C, 0x45036C7A, 0x0BFD64B6, 0x5E0DD902, 0xC68A007E, +- 0xF44182E1, 0x4DB5A851, 0x7F88A46B, 0x8EC9B55A, 0xCEC97DCF, 0x0A8291CD, +- 0xF98D0ACC, 0x2A4ECEA9, 0x7140003C, 0x1A1DB93D, 0x33CB8B7A, 0x092999A3, +- 0x71AD0038, 0x6DC778F9, 0x918130C4, 0xA907600A, 0x2D9E6832, 0xED6A1E01, +- 0xEFB4318A, 0x7135C886, 0x7E31CC7A, 0x87F55BA5, 0x55034004, 0x7763CF1D, +- 0xD69F6D18, 0xAC7D5F42, 0xE58857B6, 0x7930E9E4, 0x164DF4FB, 0x6E6F52C3, +- 0x669E1EF1, 0x25E41D2B, 0x3FD59D7C, 0x3C1B20EE, 0xFA53DDEF, 0x0ABCD06B, +- 0xD5C4484E, 0x1DBF9A42, 0x9B0DEADA, 0xABC52197, 0x22363A0D, 0xE86D2BC5, +- 0x9C9DF69E, 0x5CAE82AB, 0x71F54BFF, 0x64F2E21E, 0xE2D74DD3, 0xF4FD4452, +- 0xBC437944, 0xB4130C93, 0x85139270, 0xAEFE1309, 0xC186D91C, 0x598CB0FA, +- 0x91F7F7EE, 0x7AD91D26, 0xD6E6C907, 0x61B46FC9, 0xF99C0238, 0xBC34F4DE, +- 0x6519035B, 0xDE355B3B, 0x611FCFDC, 0x886B4238, 0xC1B2EFFA, 0xC6F34A26, +- 0x7D1683B2, 0xC58EF183, 0x2EC22005, 0x3BB5FCBC, 0x4C6FAD73, 0xC3FE3B1B, +- 0xEEF28183, 0x8E4F1232, 0xE98583FF, 0x9172FE9C, 0x28342F61, 0xC03404CD, +- 0xCDF7E2EC, 0x9E02FCE1, 0xEE0A6D70, 0x0B07A7C8, 0x6372BB19, 0xAE56EDE7, +- 0xDE394DF4, 0x1D4F42A3, 0x60D7F468, 0xB96ADAB7, 0xB2C8E3FB, 0xD108A94B, +- 0xB324FB61, 0xBC0AB182, 0x483A797A, 0x30ACCA4F, 0x36ADE735, 0x1DF158A1, +- 0xF3EFE872, 0xE2A689DA, 0xE0E68B77, 0x984F0C70, 0x7F57C935, 0xB557135E, +- 0x3DED1AF3, 0x85636555, 0x5F066ED0, 0x2433F51F, 0xD5FD6561, 0xD3DF1ED5, +- 0xAEC4617A, 0xF681B202, 0x630C75D8, 0x7D2FE363, 0x249B3EF9, 0xCC939DCE, +- 0x146433FB, 0xA9E13641, 0xCE2D3695, 0xD8B9C583, 0x273D3CF1, 0xAFDC5620, +- 0xA2BB4A9A, 0xADF85458, 0xFFFFFFFF, 0xFFFFFFFF ++ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xC5C6424C, 0xD68C8BB7), ++ BN_DEF(0x838FF88C, 0x011E2A94), BN_DEF(0xA9F4614E, 0x0822E506), ++ BN_DEF(0xF7A8443D, 0x97D11D49), BN_DEF(0x30677F0D, 0xA6BBFDE5), ++ BN_DEF(0xC1FE86FE, 0x2F741EF8), BN_DEF(0x5D71A87E, 0xFAFABE1C), ++ BN_DEF(0xFBE58A30, 0xDED2FBAB), BN_DEF(0x72B0A66E, 0xB6855DFE), ++ BN_DEF(0xBA8A4FE8, 0x1EFC8CE0), BN_DEF(0x3F2FA457, 0x83F81D4A), ++ BN_DEF(0xA577E231, 0xA1FE3075), BN_DEF(0x88D9C0A0, 0xD5B80194), ++ BN_DEF(0xAD9A95F9, 0x624816CD), BN_DEF(0x50C1217B, 0x99E9E316), ++ BN_DEF(0x0E423CFC, 0x51AA691E), BN_DEF(0x3826E52C, 0x1C217E6C), ++ BN_DEF(0x09703FEE, 0x51A8A931), BN_DEF(0x6A460E74, 0xBB709987), ++ BN_DEF(0x9C86B022, 0x541FC68C), BN_DEF(0x46FD8251, 0x59160CC0), ++ BN_DEF(0x35C35F5C, 0x2846C0BA), BN_DEF(0x8B758282, 0x54504AC7), ++ BN_DEF(0xD2AF05E4, 0x29388839), BN_DEF(0xC01BD702, 0xCB2C0F1C), ++ BN_DEF(0x7C932665, 0x555B2F74), BN_DEF(0xA3AB8829, 0x86B63142), ++ BN_DEF(0xF64B10EF, 0x0B8CC3BD), BN_DEF(0xEDD1CC5E, 0x687FEB69), ++ BN_DEF(0xC9509D43, 0xFDB23FCE), BN_DEF(0xD951AE64, 0x1E425A31), ++ BN_DEF(0xF600C838, 0x36AD004C), BN_DEF(0xCFF46AAA, 0xA40E329C), ++ BN_DEF(0x7938DAD4, 0xA41D570D), BN_DEF(0xD43161C1, 0x62A69526), ++ BN_DEF(0x9ADB1E69, 0x3FDD4A8E), BN_DEF(0xDC6B80D6, 0x5B3B71F9), ++ BN_DEF(0xC6272B04, 0xEC9D1810), BN_DEF(0xCACEF403, 0x8CCF2DD5), ++ BN_DEF(0xC95B9117, 0xE49F5235), BN_DEF(0xB854338A, 0x505DC82D), ++ BN_DEF(0x1562A846, 0x62292C31), BN_DEF(0x6AE77F5E, 0xD72B0374), ++ BN_DEF(0x462D538C, 0xF9C9091B), BN_DEF(0x47A67CBE, 0x0AE8DB58), ++ BN_DEF(0x22611682, 0xB3A739C1), BN_DEF(0x2A281BF6, 0xEEAAC023), ++ BN_DEF(0x77CAF992, 0x94C6651E), BN_DEF(0x94B2BBC1, 0x763E4E4B), ++ BN_DEF(0x0077D9B4, 0x587E38DA), BN_DEF(0x183023C3, 0x7FB29F8C), ++ BN_DEF(0xF9E3A26E, 0x0ABEC1FF), BN_DEF(0x350511E3, 0xA00EF092), ++ BN_DEF(0xDB6340D8, 0xB855322E), BN_DEF(0xA9A96910, 0xA52471F7), ++ BN_DEF(0x4CFDB477, 0x388147FB), BN_DEF(0x4E46041F, 0x9B1F5C3E), ++ BN_DEF(0xFCCFEC71, 0xCDAD0657), BN_DEF(0x4C701C3A, 0xB38E8C33), ++ BN_DEF(0xB1C0FD4C, 0x917BDD64), BN_DEF(0x9B7624C8, 0x3BB45432), ++ BN_DEF(0xCAF53EA6, 0x23BA4442), BN_DEF(0x38532A3A, 0x4E677D2C), ++ BN_DEF(0x45036C7A, 0x0BFD64B6), BN_DEF(0x5E0DD902, 0xC68A007E), ++ BN_DEF(0xF44182E1, 0x4DB5A851), BN_DEF(0x7F88A46B, 0x8EC9B55A), ++ BN_DEF(0xCEC97DCF, 0x0A8291CD), BN_DEF(0xF98D0ACC, 0x2A4ECEA9), ++ BN_DEF(0x7140003C, 0x1A1DB93D), BN_DEF(0x33CB8B7A, 0x092999A3), ++ BN_DEF(0x71AD0038, 0x6DC778F9), BN_DEF(0x918130C4, 0xA907600A), ++ BN_DEF(0x2D9E6832, 0xED6A1E01), BN_DEF(0xEFB4318A, 0x7135C886), ++ BN_DEF(0x7E31CC7A, 0x87F55BA5), BN_DEF(0x55034004, 0x7763CF1D), ++ BN_DEF(0xD69F6D18, 0xAC7D5F42), BN_DEF(0xE58857B6, 0x7930E9E4), ++ BN_DEF(0x164DF4FB, 0x6E6F52C3), BN_DEF(0x669E1EF1, 0x25E41D2B), ++ BN_DEF(0x3FD59D7C, 0x3C1B20EE), BN_DEF(0xFA53DDEF, 0x0ABCD06B), ++ BN_DEF(0xD5C4484E, 0x1DBF9A42), BN_DEF(0x9B0DEADA, 0xABC52197), ++ BN_DEF(0x22363A0D, 0xE86D2BC5), BN_DEF(0x9C9DF69E, 0x5CAE82AB), ++ BN_DEF(0x71F54BFF, 0x64F2E21E), BN_DEF(0xE2D74DD3, 0xF4FD4452), ++ BN_DEF(0xBC437944, 0xB4130C93), BN_DEF(0x85139270, 0xAEFE1309), ++ BN_DEF(0xC186D91C, 0x598CB0FA), BN_DEF(0x91F7F7EE, 0x7AD91D26), ++ BN_DEF(0xD6E6C907, 0x61B46FC9), BN_DEF(0xF99C0238, 0xBC34F4DE), ++ BN_DEF(0x6519035B, 0xDE355B3B), BN_DEF(0x611FCFDC, 0x886B4238), ++ BN_DEF(0xC1B2EFFA, 0xC6F34A26), BN_DEF(0x7D1683B2, 0xC58EF183), ++ BN_DEF(0x2EC22005, 0x3BB5FCBC), BN_DEF(0x4C6FAD73, 0xC3FE3B1B), ++ BN_DEF(0xEEF28183, 0x8E4F1232), BN_DEF(0xE98583FF, 0x9172FE9C), ++ BN_DEF(0x28342F61, 0xC03404CD), BN_DEF(0xCDF7E2EC, 0x9E02FCE1), ++ BN_DEF(0xEE0A6D70, 0x0B07A7C8), BN_DEF(0x6372BB19, 0xAE56EDE7), ++ BN_DEF(0xDE394DF4, 0x1D4F42A3), BN_DEF(0x60D7F468, 0xB96ADAB7), ++ BN_DEF(0xB2C8E3FB, 0xD108A94B), BN_DEF(0xB324FB61, 0xBC0AB182), ++ BN_DEF(0x483A797A, 0x30ACCA4F), BN_DEF(0x36ADE735, 0x1DF158A1), ++ BN_DEF(0xF3EFE872, 0xE2A689DA), BN_DEF(0xE0E68B77, 0x984F0C70), ++ BN_DEF(0x7F57C935, 0xB557135E), BN_DEF(0x3DED1AF3, 0x85636555), ++ BN_DEF(0x5F066ED0, 0x2433F51F), BN_DEF(0xD5FD6561, 0xD3DF1ED5), ++ BN_DEF(0xAEC4617A, 0xF681B202), BN_DEF(0x630C75D8, 0x7D2FE363), ++ BN_DEF(0x249B3EF9, 0xCC939DCE), BN_DEF(0x146433FB, 0xA9E13641), ++ BN_DEF(0xCE2D3695, 0xD8B9C583), BN_DEF(0x273D3CF1, 0xAFDC5620), ++ BN_DEF(0xA2BB4A9A, 0xADF85458), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) ++}; ++/* q = (p - 1) / 2 */ ++static const BN_ULONG ffdhe8192_q[] = { ++ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0xE2E32126, 0x6B4645DB), ++ BN_DEF(0x41C7FC46, 0x008F154A), BN_DEF(0x54FA30A7, 0x84117283), ++ BN_DEF(0xFBD4221E, 0xCBE88EA4), BN_DEF(0x9833BF86, 0x535DFEF2), ++ BN_DEF(0x60FF437F, 0x17BA0F7C), BN_DEF(0x2EB8D43F, 0x7D7D5F0E), ++ BN_DEF(0xFDF2C518, 0x6F697DD5), BN_DEF(0x39585337, 0x5B42AEFF), ++ BN_DEF(0x5D4527F4, 0x8F7E4670), BN_DEF(0x1F97D22B, 0xC1FC0EA5), ++ BN_DEF(0xD2BBF118, 0x50FF183A), BN_DEF(0x446CE050, 0xEADC00CA), ++ BN_DEF(0xD6CD4AFC, 0xB1240B66), BN_DEF(0x286090BD, 0x4CF4F18B), ++ BN_DEF(0x07211E7E, 0x28D5348F), BN_DEF(0x1C137296, 0x0E10BF36), ++ BN_DEF(0x84B81FF7, 0x28D45498), BN_DEF(0xB523073A, 0x5DB84CC3), ++ BN_DEF(0x4E435811, 0xAA0FE346), BN_DEF(0x237EC128, 0x2C8B0660), ++ BN_DEF(0x1AE1AFAE, 0x1423605D), BN_DEF(0xC5BAC141, 0x2A282563), ++ BN_DEF(0xE95782F2, 0x149C441C), BN_DEF(0x600DEB81, 0xE596078E), ++ BN_DEF(0x3E499332, 0xAAAD97BA), BN_DEF(0x51D5C414, 0xC35B18A1), ++ BN_DEF(0xFB258877, 0x05C661DE), BN_DEF(0xF6E8E62F, 0xB43FF5B4), ++ BN_DEF(0x64A84EA1, 0x7ED91FE7), BN_DEF(0xECA8D732, 0x0F212D18), ++ BN_DEF(0x7B00641C, 0x1B568026), BN_DEF(0x67FA3555, 0x5207194E), ++ BN_DEF(0xBC9C6D6A, 0xD20EAB86), BN_DEF(0x6A18B0E0, 0xB1534A93), ++ BN_DEF(0x4D6D8F34, 0x1FEEA547), BN_DEF(0xEE35C06B, 0x2D9DB8FC), ++ BN_DEF(0x63139582, 0xF64E8C08), BN_DEF(0xE5677A01, 0xC66796EA), ++ BN_DEF(0xE4ADC88B, 0x724FA91A), BN_DEF(0xDC2A19C5, 0x282EE416), ++ BN_DEF(0x8AB15423, 0x31149618), BN_DEF(0x3573BFAF, 0x6B9581BA), ++ BN_DEF(0xA316A9C6, 0x7CE4848D), BN_DEF(0x23D33E5F, 0x05746DAC), ++ BN_DEF(0x91308B41, 0x59D39CE0), BN_DEF(0x95140DFB, 0x77556011), ++ BN_DEF(0x3BE57CC9, 0xCA63328F), BN_DEF(0xCA595DE0, 0x3B1F2725), ++ BN_DEF(0x003BECDA, 0xAC3F1C6D), BN_DEF(0x0C1811E1, 0x3FD94FC6), ++ BN_DEF(0xFCF1D137, 0x855F60FF), BN_DEF(0x1A8288F1, 0x50077849), ++ BN_DEF(0x6DB1A06C, 0x5C2A9917), BN_DEF(0xD4D4B488, 0xD29238FB), ++ BN_DEF(0xA67EDA3B, 0x9C40A3FD), BN_DEF(0x2723020F, 0xCD8FAE1F), ++ BN_DEF(0xFE67F638, 0x66D6832B), BN_DEF(0xA6380E1D, 0x59C74619), ++ BN_DEF(0x58E07EA6, 0x48BDEEB2), BN_DEF(0x4DBB1264, 0x1DDA2A19), ++ BN_DEF(0x657A9F53, 0x11DD2221), BN_DEF(0x1C29951D, 0x2733BE96), ++ BN_DEF(0x2281B63D, 0x05FEB25B), BN_DEF(0x2F06EC81, 0xE345003F), ++ BN_DEF(0xFA20C170, 0xA6DAD428), BN_DEF(0x3FC45235, 0xC764DAAD), ++ BN_DEF(0xE764BEE7, 0x054148E6), BN_DEF(0xFCC68566, 0x15276754), ++ BN_DEF(0xB8A0001E, 0x0D0EDC9E), BN_DEF(0x99E5C5BD, 0x0494CCD1), ++ BN_DEF(0xB8D6801C, 0x36E3BC7C), BN_DEF(0x48C09862, 0x5483B005), ++ BN_DEF(0x96CF3419, 0x76B50F00), BN_DEF(0x77DA18C5, 0x389AE443), ++ BN_DEF(0xBF18E63D, 0x43FAADD2), BN_DEF(0xAA81A002, 0x3BB1E78E), ++ BN_DEF(0x6B4FB68C, 0x563EAFA1), BN_DEF(0x72C42BDB, 0xBC9874F2), ++ BN_DEF(0x8B26FA7D, 0xB737A961), BN_DEF(0xB34F0F78, 0x12F20E95), ++ BN_DEF(0x1FEACEBE, 0x9E0D9077), BN_DEF(0xFD29EEF7, 0x055E6835), ++ BN_DEF(0x6AE22427, 0x0EDFCD21), BN_DEF(0xCD86F56D, 0xD5E290CB), ++ BN_DEF(0x911B1D06, 0x743695E2), BN_DEF(0xCE4EFB4F, 0xAE574155), ++ BN_DEF(0x38FAA5FF, 0xB279710F), BN_DEF(0x716BA6E9, 0x7A7EA229), ++ BN_DEF(0xDE21BCA2, 0x5A098649), BN_DEF(0xC289C938, 0x577F0984), ++ BN_DEF(0x60C36C8E, 0x2CC6587D), BN_DEF(0x48FBFBF7, 0xBD6C8E93), ++ BN_DEF(0xEB736483, 0x30DA37E4), BN_DEF(0x7CCE011C, 0xDE1A7A6F), ++ BN_DEF(0xB28C81AD, 0x6F1AAD9D), BN_DEF(0x308FE7EE, 0x4435A11C), ++ BN_DEF(0x60D977FD, 0x6379A513), BN_DEF(0xBE8B41D9, 0xE2C778C1), ++ BN_DEF(0x17611002, 0x9DDAFE5E), BN_DEF(0xA637D6B9, 0xE1FF1D8D), ++ BN_DEF(0x777940C1, 0xC7278919), BN_DEF(0x74C2C1FF, 0xC8B97F4E), ++ BN_DEF(0x941A17B0, 0x601A0266), BN_DEF(0xE6FBF176, 0x4F017E70), ++ BN_DEF(0x770536B8, 0x8583D3E4), BN_DEF(0xB1B95D8C, 0x572B76F3), ++ BN_DEF(0xEF1CA6FA, 0x0EA7A151), BN_DEF(0xB06BFA34, 0xDCB56D5B), ++ BN_DEF(0xD96471FD, 0xE88454A5), BN_DEF(0x59927DB0, 0x5E0558C1), ++ BN_DEF(0xA41D3CBD, 0x98566527), BN_DEF(0x9B56F39A, 0x0EF8AC50), ++ BN_DEF(0x79F7F439, 0xF15344ED), BN_DEF(0x707345BB, 0xCC278638), ++ BN_DEF(0x3FABE49A, 0xDAAB89AF), BN_DEF(0x9EF68D79, 0x42B1B2AA), ++ BN_DEF(0xAF833768, 0x9219FA8F), BN_DEF(0xEAFEB2B0, 0x69EF8F6A), ++ BN_DEF(0x576230BD, 0x7B40D901), BN_DEF(0xB1863AEC, 0xBE97F1B1), ++ BN_DEF(0x124D9F7C, 0xE649CEE7), BN_DEF(0x8A3219FD, 0xD4F09B20), ++ BN_DEF(0xE7169B4A, 0xEC5CE2C1), BN_DEF(0x139E9E78, 0x57EE2B10), ++ BN_DEF(0x515DA54D, 0xD6FC2A2C), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), + }; + +-# else +-# error "unsupported BN_BITS2" +-# endif +- + /* Macro to make a BIGNUM from static data */ + + # define make_dh_bn(x) extern const BIGNUM _bignum_##x; \ +@@ -489,24 +1010,42 @@ static const BN_ULONG ffdhe8192_p[] = { + + static const BN_ULONG value_2 = 2; + +-const BIGNUM _bignum_const_2 = +- { (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA }; ++const BIGNUM _bignum_const_2 = { ++ (BN_ULONG *)&value_2, 1, 1, 0, BN_FLG_STATIC_DATA ++}; + + make_dh_bn(dh1024_160_p) +-make_dh_bn(dh1024_160_g) + make_dh_bn(dh1024_160_q) ++make_dh_bn(dh1024_160_g) + make_dh_bn(dh2048_224_p) +-make_dh_bn(dh2048_224_g) + make_dh_bn(dh2048_224_q) ++make_dh_bn(dh2048_224_g) + make_dh_bn(dh2048_256_p) +-make_dh_bn(dh2048_256_g) + make_dh_bn(dh2048_256_q) ++make_dh_bn(dh2048_256_g) + + make_dh_bn(ffdhe2048_p) ++make_dh_bn(ffdhe2048_q) + make_dh_bn(ffdhe3072_p) ++make_dh_bn(ffdhe3072_q) + make_dh_bn(ffdhe4096_p) ++make_dh_bn(ffdhe4096_q) + make_dh_bn(ffdhe6144_p) ++make_dh_bn(ffdhe6144_q) + make_dh_bn(ffdhe8192_p) ++make_dh_bn(ffdhe8192_q) + ++make_dh_bn(modp_1536_p) ++make_dh_bn(modp_1536_q) ++make_dh_bn(modp_2048_p) ++make_dh_bn(modp_2048_q) ++make_dh_bn(modp_3072_p) ++make_dh_bn(modp_3072_q) ++make_dh_bn(modp_4096_p) ++make_dh_bn(modp_4096_q) ++make_dh_bn(modp_6144_p) ++make_dh_bn(modp_6144_q) ++make_dh_bn(modp_8192_p) ++make_dh_bn(modp_8192_q) + +-#endif ++#endif /* OPENSSL_NO_DH */ +Index: openssl-1.1.1m/crypto/dh/dh_check.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_check.c ++++ openssl-1.1.1m/crypto/dh/dh_check.c +@@ -10,6 +10,7 @@ + #include + #include "internal/cryptlib.h" + #include ++#include + #include "dh_local.h" + + # define DH_NUMBER_ITERATIONS_FOR_PRIME 64 +@@ -41,6 +42,12 @@ int DH_check_params(const DH *dh, int *r + BIGNUM *tmp = NULL; + BN_CTX *ctx = NULL; + ++ if (FIPS_mode()) { ++ int nid = dh->nid == NID_undef ? DH_get_nid(dh) : dh->nid; ++ ++ return nid != NID_undef; ++ } ++ + *ret = 0; + ctx = BN_CTX_new(); + if (ctx == NULL) +@@ -95,6 +102,7 @@ int DH_check_ex(const DH *dh) + return errflags == 0; + } + ++/* Note: according to documentation - this only checks the params */ + int DH_check(const DH *dh, int *ret) + { + int ok = 0, r, q_good = 0; +@@ -104,6 +112,9 @@ int DH_check(const DH *dh, int *ret) + if (!DH_check_params(dh, ret)) + return 0; + ++ if (FIPS_mode()) /* we allow only well-known params */ ++ return 1; ++ + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +@@ -177,7 +188,7 @@ int DH_check_pub_key_ex(const DH *dh, co + return errflags == 0; + } + +-int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) ++static int dh_check_pub_key_int(const DH *dh, const BIGNUM *q, const BIGNUM *pub_key, int *ret) + { + int ok = 0; + BIGNUM *tmp = NULL; +@@ -187,28 +198,68 @@ int DH_check_pub_key(const DH *dh, const + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; ++ + BN_CTX_start(ctx); + tmp = BN_CTX_get(ctx); ++ /* Step(1): Verify pub_key >= 2 */ + if (tmp == NULL || !BN_set_word(tmp, 1)) + goto err; +- if (BN_cmp(pub_key, tmp) <= 0) ++ if (BN_cmp(pub_key, tmp) <= 0) { + *ret |= DH_CHECK_PUBKEY_TOO_SMALL; ++ goto err; ++ } ++ /* Step(1): Verify pub_key <= p-2 */ + if (BN_copy(tmp, dh->p) == NULL || !BN_sub_word(tmp, 1)) + goto err; +- if (BN_cmp(pub_key, tmp) >= 0) ++ if (BN_cmp(pub_key, tmp) >= 0) { + *ret |= DH_CHECK_PUBKEY_TOO_LARGE; ++ goto err; ++ } ++ ++ if (q != NULL) { ++ ctx = BN_CTX_new(); ++ if (ctx == NULL) ++ goto err; ++ BN_CTX_start(ctx); ++ tmp = BN_CTX_get(ctx); + +- if (dh->q != NULL) { + /* Check pub_key^q == 1 mod p */ +- if (!BN_mod_exp(tmp, pub_key, dh->q, dh->p, ctx)) ++ if (tmp == NULL || !BN_mod_exp(tmp, pub_key, q, dh->p, ctx)) + goto err; +- if (!BN_is_one(tmp)) ++ if (!BN_is_one(tmp)) { + *ret |= DH_CHECK_PUBKEY_INVALID; ++ goto err; ++ } + } + + ok = 1; + err: +- BN_CTX_end(ctx); +- BN_CTX_free(ctx); ++ if (ctx != NULL) { ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ } + return ok; + } ++ ++/* ++ * See SP800-56Ar3 Section 5.6.2.3.1 : FFC Full public key validation. ++ */ ++int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) ++{ ++ return dh_check_pub_key_int(dh, dh->q, pub_key, ret); ++} ++ ++int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret) ++{ ++ BIGNUM *q = dh->q; ++ ++ if (q == NULL) { ++ if (dh_get_known_q(dh, &q) == 0) { ++ *ret |= DH_CHECK_INVALID_Q_VALUE; ++ return 0; ++ } ++ } ++ ++ return dh_check_pub_key_int(dh, q, pub_key, ret); ++} ++ +Index: openssl-1.1.1m/crypto/dh/dh_gen.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_gen.c ++++ openssl-1.1.1m/crypto/dh/dh_gen.c +@@ -27,8 +27,7 @@ int DH_generate_parameters_ex(DH *ret, i + BN_GENCB *cb) + { + #ifdef OPENSSL_FIPS +- if (FIPS_mode() && !(ret->meth->flags & DH_FLAG_FIPS_METHOD) +- && !(ret->flags & DH_FLAG_NON_FIPS_ALLOW)) { ++ if (FIPS_mode()) { + DHerr(DH_F_DH_GENERATE_PARAMETERS_EX, DH_R_NON_FIPS_METHOD); + return 0; + } +@@ -75,18 +74,6 @@ static int dh_builtin_genparams(DH *ret, + int g, ok = -1; + BN_CTX *ctx = NULL; + +-#ifdef OPENSSL_FIPS +- if (FIPS_selftest_failed()) { +- FIPSerr(FIPS_F_DH_BUILTIN_GENPARAMS, FIPS_R_FIPS_SELFTEST_FAILED); +- return 0; +- } +- +- if (FIPS_mode() && (prime_len < OPENSSL_DH_FIPS_MIN_MODULUS_BITS_GEN)) { +- DHerr(DH_F_DH_BUILTIN_GENPARAMS, DH_R_KEY_SIZE_TOO_SMALL); +- goto err; +- } +-#endif +- + ctx = BN_CTX_new(); + if (ctx == NULL) + goto err; +Index: openssl-1.1.1m/crypto/dh/dh_key.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_key.c ++++ openssl-1.1.1m/crypto/dh/dh_key.c +@@ -128,10 +128,18 @@ static int generate_key(DH *dh) + BIGNUM *pub_key = NULL, *priv_key = NULL; + + #ifdef OPENSSL_FIPS +- if (FIPS_mode() +- && (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS)) { +- DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); +- return 0; ++ if (FIPS_mode()) { ++ if (BN_num_bits(dh->p) < OPENSSL_DH_FIPS_MIN_MODULUS_BITS) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_KEY_SIZE_TOO_SMALL); ++ return 0; ++ } ++ if (dh->nid == NID_undef) ++ dh_cache_nid(dh); ++ if (dh->nid == NID_undef || dh->length > BN_num_bits(dh->p) - 2 ++ || dh->length < 224) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_NON_FIPS_METHOD); ++ return 0; ++ } + } + #endif + +@@ -167,7 +175,15 @@ static int generate_key(DH *dh) + } + + if (generate_new_key) { +- if (dh->q) { ++ if (FIPS_mode()) { ++ do { ++ if (!BN_priv_rand(priv_key, dh->length, BN_RAND_TOP_ANY, BN_RAND_BOTTOM_ANY)) ++ goto err; ++ if (!BN_add_word(priv_key, 1)) ++ goto err; ++ } ++ while (BN_num_bits(priv_key) > dh->length); ++ } else if (dh->q) { + do { + if (!BN_priv_rand_range(priv_key, dh->q)) + goto err; +@@ -203,6 +219,15 @@ static int generate_key(DH *dh) + } + /* We MUST free prk before any further use of priv_key */ + BN_clear_free(prk); ++ ++ if (FIPS_mode()) { ++ int check_result; ++ ++ if (!dh_check_pub_key_full(dh, pub_key, &check_result) || check_result) { ++ DHerr(DH_F_GENERATE_KEY, DH_R_INVALID_PUBKEY); ++ goto err; ++ } ++ } + } + + dh->pub_key = pub_key; +@@ -225,6 +250,7 @@ static int compute_key(unsigned char *ke + BN_CTX *ctx = NULL; + BN_MONT_CTX *mont = NULL; + BIGNUM *tmp; ++ BIGNUM *p1; + int ret = -1; + int check_result; + +@@ -271,6 +297,18 @@ static int compute_key(unsigned char *ke + DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); + goto err; + } ++ ++ if (BN_is_zero(tmp) || BN_is_one(tmp) || BN_is_negative(tmp)) { ++ DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); ++ goto err; ++ } ++ ++ if ((p1 = BN_CTX_get(ctx)) == NULL ++ || !BN_sub(p1, dh->p, BN_value_one()) ++ || BN_cmp(p1, tmp) <= 0) { ++ DHerr(DH_F_COMPUTE_KEY, ERR_R_BN_LIB); ++ goto err; ++ } + + ret = BN_bn2binpad(tmp, key, BN_num_bytes(dh->p)); + err: +Index: openssl-1.1.1m/crypto/dh/dh_lib.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_lib.c ++++ openssl-1.1.1m/crypto/dh/dh_lib.c +@@ -8,6 +8,7 @@ + */ + + #include ++#include + #include "internal/cryptlib.h" + #include "internal/refcount.h" + #include +@@ -86,6 +87,8 @@ DH *DH_new_method(ENGINE *engine) + goto err; + } + ++ ret->nid = NID_undef; ++ + return ret; + + err: +@@ -205,7 +208,10 @@ int DH_set0_pqg(DH *dh, BIGNUM *p, BIGNU + dh->g = g; + } + +- if (q != NULL) { ++ dh->nid = NID_undef; ++ dh_cache_nid(dh); ++ ++ if (q != NULL && dh->nid == NID_undef) { + dh->length = BN_num_bits(q); + } + +Index: openssl-1.1.1m/crypto/dh/dh_local.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_local.h ++++ openssl-1.1.1m/crypto/dh/dh_local.h +@@ -35,6 +35,7 @@ struct dh_st { + const DH_METHOD *meth; + ENGINE *engine; + CRYPTO_RWLOCK *lock; ++ int nid; + }; + + struct dh_method { +@@ -55,3 +56,12 @@ struct dh_method { + int (*generate_params) (DH *dh, int prime_len, int generator, + BN_GENCB *cb); + }; ++ ++void dh_cache_nid(DH *dh); ++ ++/* Obtain known q value based on nid or p */ ++int dh_get_known_q(const DH *dh, BIGNUM **q); ++ ++/* FIPS mode only check which requires nid set and looks up q based on it. */ ++int dh_check_pub_key_full(const DH *dh, const BIGNUM *pub_key, int *ret); ++ +Index: openssl-1.1.1m/crypto/dh/dh_rfc7919.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/dh/dh_rfc7919.c ++++ openssl-1.1.1m/crypto/dh/dh_rfc7919.c +@@ -7,6 +7,8 @@ + * https://www.openssl.org/source/license.html + */ + ++/* DH parameters from RFC7919 and RFC3526 */ ++ + #include + #include "internal/cryptlib.h" + #include "dh_local.h" +@@ -14,14 +16,19 @@ + #include + #include "crypto/bn_dh.h" + +-static DH *dh_param_init(const BIGNUM *p, int32_t nbits) ++static DH *dh_param_init(int nid, const BIGNUM *p, const BIGNUM *q, int32_t nbits) + { + DH *dh = DH_new(); + if (dh == NULL) + return NULL; + dh->p = (BIGNUM *)p; ++ /* ++ * We do not set q as it would enable the inefficient and ++ * unnecessary pubkey modular exponentiation check. ++ */ + dh->g = (BIGNUM *)&_bignum_const_2; + dh->length = nbits; ++ dh->nid = nid; + return dh; + } + +@@ -29,46 +36,121 @@ DH *DH_new_by_nid(int nid) + { + switch (nid) { + case NID_ffdhe2048: +- return dh_param_init(&_bignum_ffdhe2048_p, 225); ++ return dh_param_init(nid, &_bignum_ffdhe2048_p, &_bignum_ffdhe2048_q, 225); + case NID_ffdhe3072: +- return dh_param_init(&_bignum_ffdhe3072_p, 275); ++ return dh_param_init(nid, &_bignum_ffdhe3072_p, &_bignum_ffdhe3072_q, 275); + case NID_ffdhe4096: +- return dh_param_init(&_bignum_ffdhe4096_p, 325); ++ return dh_param_init(nid, &_bignum_ffdhe4096_p, &_bignum_ffdhe4096_q, 325); + case NID_ffdhe6144: +- return dh_param_init(&_bignum_ffdhe6144_p, 375); ++ return dh_param_init(nid, &_bignum_ffdhe6144_p, &_bignum_ffdhe6144_q, 375); + case NID_ffdhe8192: +- return dh_param_init(&_bignum_ffdhe8192_p, 400); ++ return dh_param_init(nid, &_bignum_ffdhe8192_p, &_bignum_ffdhe8192_q, 400); ++ case NID_modp_2048: ++ return dh_param_init(nid, &_bignum_modp_2048_p, &_bignum_modp_2048_q, 225); ++ case NID_modp_3072: ++ return dh_param_init(nid, &_bignum_modp_3072_p, &_bignum_modp_3072_q, 275); ++ case NID_modp_4096: ++ return dh_param_init(nid, &_bignum_modp_4096_p, &_bignum_modp_4096_q, 325); ++ case NID_modp_6144: ++ return dh_param_init(nid, &_bignum_modp_6144_p, &_bignum_modp_6144_q, 375); ++ case NID_modp_8192: ++ return dh_param_init(nid, &_bignum_modp_8192_p, &_bignum_modp_8192_q, 400); ++ case NID_modp_1536: ++ if (!FIPS_mode()) ++ return dh_param_init(nid, &_bignum_modp_1536_p, &_bignum_modp_1536_q, 175); ++ /* fallthrough */ + default: + DHerr(DH_F_DH_NEW_BY_NID, DH_R_INVALID_PARAMETER_NID); + return NULL; + } + } + +-int DH_get_nid(const DH *dh) ++static int dh_match_group(const DH *dh, BIGNUM **qout, int *lout) + { + int nid; ++ const BIGNUM *q; ++ int length; + + if (BN_get_word(dh->g) != 2) + return NID_undef; +- if (!BN_cmp(dh->p, &_bignum_ffdhe2048_p)) ++ ++ if (dh->nid == NID_ffdhe2048 || !BN_cmp(dh->p, &_bignum_ffdhe2048_p)) { + nid = NID_ffdhe2048; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe3072_p)) ++ q = &_bignum_ffdhe2048_q; ++ length = 225; ++ } else if (dh->nid == NID_ffdhe3072 || !BN_cmp(dh->p, &_bignum_ffdhe3072_p)) { + nid = NID_ffdhe3072; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe4096_p)) ++ q = &_bignum_ffdhe3072_q; ++ length = 275; ++ } else if (dh->nid == NID_ffdhe4096 || !BN_cmp(dh->p, &_bignum_ffdhe4096_p)) { + nid = NID_ffdhe4096; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe6144_p)) ++ q = &_bignum_ffdhe4096_q; ++ length = 325; ++ } else if (dh->nid == NID_ffdhe6144 || !BN_cmp(dh->p, &_bignum_ffdhe6144_p)) { + nid = NID_ffdhe6144; +- else if (!BN_cmp(dh->p, &_bignum_ffdhe8192_p)) ++ q = &_bignum_ffdhe6144_q; ++ length = 375; ++ } else if (dh->nid == NID_ffdhe8192 || !BN_cmp(dh->p, &_bignum_ffdhe8192_p)) { + nid = NID_ffdhe8192; +- else ++ q = &_bignum_ffdhe8192_q; ++ length = 400; ++ } else if (dh->nid == NID_modp_2048 || !BN_cmp(dh->p, &_bignum_modp_2048_p)) { ++ nid = NID_modp_2048; ++ q = &_bignum_modp_2048_q; ++ length = 225; ++ } else if (dh->nid == NID_modp_3072 || !BN_cmp(dh->p, &_bignum_modp_3072_p)) { ++ nid = NID_modp_3072; ++ q = &_bignum_modp_3072_q; ++ length = 275; ++ } else if (dh->nid == NID_modp_4096 || !BN_cmp(dh->p, &_bignum_modp_4096_p)) { ++ nid = NID_modp_4096; ++ q = &_bignum_modp_4096_q; ++ length = 325; ++ } else if (dh->nid == NID_modp_6144 || !BN_cmp(dh->p, &_bignum_modp_6144_p)) { ++ nid = NID_modp_6144; ++ q = &_bignum_modp_6144_q; ++ length = 375; ++ } else if (dh->nid == NID_modp_8192 || !BN_cmp(dh->p, &_bignum_modp_8192_p)) { ++ nid = NID_modp_8192; ++ q = &_bignum_modp_8192_q; ++ length = 400; ++ } else if (!FIPS_mode() && (dh->nid == NID_modp_1536 || !BN_cmp(dh->p, &_bignum_modp_1536_p))) { ++ nid = NID_modp_1536; ++ q = &_bignum_modp_1536_q; ++ length = 175; ++ } else { + return NID_undef; ++ } ++ + if (dh->q != NULL) { +- BIGNUM *q = BN_dup(dh->p); ++ /* Check that q matches the known q. */ ++ if (BN_cmp(dh->q, q)) ++ return NID_undef; ++ } else if (qout != NULL) { ++ *qout = (BIGNUM *)q; ++ } + +- /* Check q = p * 2 + 1 we already know q is odd, so just shift right */ +- if (q == NULL || !BN_rshift1(q, q) || !BN_cmp(dh->q, q)) +- nid = NID_undef; +- BN_free(q); ++ if (lout != NULL) { ++ *lout = length; + } + return nid; + } ++ ++int DH_get_nid(const DH *dh) ++{ ++ if (dh->nid != NID_undef) { ++ return dh->nid; ++ } ++ return dh_match_group(dh, NULL, NULL); ++} ++ ++void dh_cache_nid(DH *dh) ++{ ++ dh->nid = dh_match_group(dh, NULL, &dh->length); ++} ++ ++int dh_get_known_q(const DH *dh, BIGNUM **q) ++{ ++ return dh_match_group(dh, q, NULL) != NID_undef; ++} ++ +Index: openssl-1.1.1m/crypto/ec/ecdh_ossl.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ecdh_ossl.c ++++ openssl-1.1.1m/crypto/ec/ecdh_ossl.c +@@ -42,9 +42,14 @@ int ossl_ecdh_compute_key(unsigned char + } + + /*- +- * This implementation is based on the following primitives in the IEEE 1363 standard: ++ * This implementation is based on the following primitives in the ++ * IEEE 1363 standard: + * - ECKAS-DH1 + * - ECSVDP-DH ++ * ++ * It also conforms to SP800-56A r3 ++ * See Section 5.7.1.2 "Elliptic Curve Cryptography Cofactor Diffie-Hellman ++ * (ECC CDH) Primitive:". The steps listed below refer to SP800-56A. + */ + int ecdh_simple_compute_key(unsigned char **pout, size_t *poutlen, + const EC_POINT *pub_key, const EC_KEY *ecdh) +@@ -75,6 +80,10 @@ int ecdh_simple_compute_key(unsigned cha + + group = EC_KEY_get0_group(ecdh); + ++ /* ++ * Step(1) - Compute the point tmp = cofactor * owners_private_key ++ * * peer_public_key. ++ */ + if (EC_KEY_get_flags(ecdh) & EC_FLAG_COFACTOR_ECDH) { + if (!EC_GROUP_get_cofactor(group, x, NULL) || + !BN_mul(x, x, priv_key, ctx)) { +@@ -94,11 +103,20 @@ int ecdh_simple_compute_key(unsigned cha + goto err; + } + ++ /* ++ * Step(2) : If point tmp is at infinity then clear intermediate values and ++ * exit. Note: getting affine coordinates returns 0 if point is at infinity. ++ * Step(3a) : Get x-coordinate of point x = tmp.x ++ */ + if (!EC_POINT_get_affine_coordinates(group, tmp, x, NULL, ctx)) { + ECerr(EC_F_ECDH_SIMPLE_COMPUTE_KEY, EC_R_POINT_ARITHMETIC_FAILURE); + goto err; + } + ++ /* ++ * Step(3b) : convert x to a byte string, using the field-element-to-byte ++ * string conversion routine defined in Appendix C.2 ++ */ + buflen = (EC_GROUP_get_degree(group) + 7) / 8; + len = BN_num_bytes(x); + if (len > buflen) { +@@ -123,6 +141,8 @@ int ecdh_simple_compute_key(unsigned cha + ret = 1; + + err: ++ /* Step(4) : Destroy all intermediate calculations */ ++ BN_clear(x); + EC_POINT_clear_free(tmp); + BN_CTX_end(ctx); + BN_CTX_free(ctx); +Index: openssl-1.1.1m/crypto/ec/ecdsa_ossl.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ecdsa_ossl.c ++++ openssl-1.1.1m/crypto/ec/ecdsa_ossl.c +@@ -104,7 +104,7 @@ static int ecdsa_sign_setup(EC_KEY *ecke + } + } + +- k = BN_new(); /* this value is later returned in *kinvp */ ++ k = BN_secure_new(); /* this value is later returned in *kinvp */ + r = BN_new(); /* this value is later returned in *rp */ + X = BN_new(); + if (k == NULL || r == NULL || X == NULL) { +Index: openssl-1.1.1m/crypto/ec/ec_key.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ec_key.c ++++ openssl-1.1.1m/crypto/ec/ec_key.c +@@ -244,61 +244,117 @@ int ossl_ec_key_gen(EC_KEY *eckey) + return eckey->group->meth->keygen(eckey); + } + ++/* ++ * ECC Key generation. ++ * See SP800-56AR3 5.6.1.2.2 "Key Pair Generation by Testing Candidates" ++ * ++ * Params: ++ * eckey An EC key object that contains domain params. The generated keypair ++ * is stored in this object. ++ * Returns 1 if the keypair was generated or 0 otherwise. ++ */ + int ec_key_simple_generate_key(EC_KEY *eckey) + { + int ok = 0; +- BN_CTX *ctx = NULL; + BIGNUM *priv_key = NULL; + const BIGNUM *order = NULL; + EC_POINT *pub_key = NULL; +- +- if ((ctx = BN_CTX_new()) == NULL) +- goto err; ++ const EC_GROUP *group = eckey->group; + + if (eckey->priv_key == NULL) { +- priv_key = BN_new(); ++ priv_key = BN_secure_new(); + if (priv_key == NULL) + goto err; + } else + priv_key = eckey->priv_key; + +- order = EC_GROUP_get0_order(eckey->group); ++ /* ++ * Steps (1-2): Check domain parameters and security strength. ++ * These steps must be done by the user. This would need to be ++ * stated in the security policy. ++ */ ++ ++ order = EC_GROUP_get0_order(group); + if (order == NULL) + goto err; + ++ /* ++ * Steps (3-7): priv_key = DRBG_RAND(order_n_bits) (range [1, n-1]). ++ * Although this is slightly different from the standard, it is effectively ++ * equivalent as it gives an unbiased result ranging from 1..n-1. It is also ++ * faster as the standard needs to retry more often. Also doing ++ * 1 + rand[0..n-2] would effect the way that tests feed dummy entropy into ++ * rand so the simpler backward compatible method has been used here. ++ */ + do + if (!BN_priv_rand_range(priv_key, order)) + goto err; + while (BN_is_zero(priv_key)) ; + + if (eckey->pub_key == NULL) { +- pub_key = EC_POINT_new(eckey->group); ++ pub_key = EC_POINT_new(group); + if (pub_key == NULL) + goto err; + } else + pub_key = eckey->pub_key; + +- if (!EC_POINT_mul(eckey->group, pub_key, priv_key, NULL, NULL, ctx)) ++ /* Step (8) : pub_key = priv_key * G (where G is a point on the curve) */ ++ if (!EC_POINT_mul(group, pub_key, priv_key, NULL, NULL, NULL)) + goto err; + +- eckey->priv_key = priv_key; + eckey->pub_key = pub_key; ++ pub_key = NULL; ++ ++ if (FIPS_mode()) { ++ eckey->priv_key = NULL; ++ if (EC_KEY_check_key(eckey) <= 0) { ++ eckey->pub_key = NULL; ++ goto err; ++ } ++ } ++ ++ eckey->priv_key = priv_key; ++ priv_key = NULL; + + ok = 1; + + err: +- if (eckey->pub_key == NULL) +- EC_POINT_free(pub_key); +- if (eckey->priv_key != priv_key) +- BN_free(priv_key); +- BN_CTX_free(ctx); ++ /* Step (9): If there is an error return an invalid keypair. */ ++ if (!ok) { ++ BN_clear(eckey->priv_key); ++ if (eckey->pub_key != NULL) ++ EC_POINT_set_to_infinity(group, eckey->pub_key); ++ } ++ ++ EC_POINT_free(pub_key); ++ BN_clear_free(priv_key); + return ok; + } + + int ec_key_simple_generate_public_key(EC_KEY *eckey) + { +- return EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL, ++ BIGNUM *priv_key; ++ ++ /* ++ * See SP800-56AR3 5.6.1.2.2: Step (8) ++ * pub_key = priv_key * G (where G is a point on the curve) ++ */ ++ int ret = EC_POINT_mul(eckey->group, eckey->pub_key, eckey->priv_key, NULL, + NULL, NULL); ++ ++ if (ret <= 0 || !FIPS_mode()) ++ return ret; ++ ++ /* no need to perform private key test, temporarily hide it */ ++ priv_key = eckey->priv_key; ++ eckey->priv_key = NULL; ++ ret = EC_KEY_check_key(eckey); ++ eckey->priv_key = priv_key; ++ ++ if (ret <= 0) ++ EC_POINT_set_to_infinity(eckey->group, eckey->pub_key); ++ ++ return ret; + } + + int EC_KEY_check_key(const EC_KEY *eckey) +@@ -316,47 +372,100 @@ int EC_KEY_check_key(const EC_KEY *eckey + return eckey->group->meth->keycheck(eckey); + } + +-int ec_key_simple_check_key(const EC_KEY *eckey) ++/* ++ * Check the range of the EC public key. ++ * See SP800-56A R3 Section 5.6.2.3.3 (Part 2) ++ * i.e. ++ * - If q = odd prime p: Verify that xQ and yQ are integers in the ++ * interval[0, p − 1], OR ++ * - If q = 2m: Verify that xQ and yQ are bit strings of length m bits. ++ * Returns 1 if the public key has a valid range, otherwise it returns 0. ++ */ ++static int ec_key_public_range_check(BN_CTX *ctx, const EC_KEY *key) + { +- int ok = 0; +- BN_CTX *ctx = NULL; +- const BIGNUM *order = NULL; ++ int ret = 0; ++ BIGNUM *x, *y; ++ ++ BN_CTX_start(ctx); ++ x = BN_CTX_get(ctx); ++ y = BN_CTX_get(ctx); ++ if (y == NULL) ++ goto err; ++ ++ if (!EC_POINT_get_affine_coordinates(key->group, key->pub_key, x, y, ctx)) ++ goto err; ++ ++ if (EC_METHOD_get_field_type(key->group->meth) == NID_X9_62_prime_field) { ++ if (BN_is_negative(x) ++ || BN_cmp(x, key->group->field) >= 0 ++ || BN_is_negative(y) ++ || BN_cmp(y, key->group->field) >= 0) { ++ goto err; ++ } ++ } else { ++ int m = EC_GROUP_get_degree(key->group); ++ if (BN_num_bits(x) > m || BN_num_bits(y) > m) { ++ goto err; ++ } ++ } ++ ret = 1; ++err: ++ BN_CTX_end(ctx); ++ return ret; ++} ++ ++/* ++ * ECC Key validation as specified in SP800-56A R3. ++ * Section 5.6.2.3.3 ECC Full Public-Key Validation. ++ */ ++int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx) ++{ ++ int ret = 0; + EC_POINT *point = NULL; ++ const BIGNUM *order = NULL; + + if (eckey == NULL || eckey->group == NULL || eckey->pub_key == NULL) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, ERR_R_PASSED_NULL_PARAMETER); ++ ECerr(0, ERR_R_PASSED_NULL_PARAMETER); + return 0; + } + ++ /* 5.6.2.3.3 (Step 1): Q != infinity */ + if (EC_POINT_is_at_infinity(eckey->group, eckey->pub_key)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_POINT_AT_INFINITY); +- goto err; ++ ECerr(0, EC_R_POINT_AT_INFINITY); ++ return 0; + } + +- if ((ctx = BN_CTX_new()) == NULL) +- goto err; +- if ((point = EC_POINT_new(eckey->group)) == NULL) ++ point = EC_POINT_new(eckey->group); ++ if (point == NULL) ++ return 0; ++ ++ /* 5.6.2.3.3 (Step 2) Test if the public key is in range */ ++ if (!ec_key_public_range_check(ctx, eckey)) { ++ ECerr(0, EC_R_COORDINATES_OUT_OF_RANGE); + goto err; ++ } + +- /* testing whether the pub_key is on the elliptic curve */ ++ /* 5.6.2.3.3 (Step 3) is the pub_key on the elliptic curve */ + if (EC_POINT_is_on_curve(eckey->group, eckey->pub_key, ctx) <= 0) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_POINT_IS_NOT_ON_CURVE); ++ ECerr(0, EC_R_POINT_IS_NOT_ON_CURVE); + goto err; + } +- /* testing whether pub_key * order is the point at infinity */ ++ + order = eckey->group->order; + if (BN_is_zero(order)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_INVALID_GROUP_ORDER); ++ ECerr(0, EC_R_INVALID_GROUP_ORDER); + goto err; + } ++ /* 5.6.2.3.3 (Step 4) : pub_key * order is the point at infinity. */ + if (!EC_POINT_mul(eckey->group, point, NULL, eckey->pub_key, order, ctx)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, ERR_R_EC_LIB); ++ ECerr(0, ERR_R_EC_LIB); + goto err; + } + if (!EC_POINT_is_at_infinity(eckey->group, point)) { +- ECerr(EC_F_EC_KEY_SIMPLE_CHECK_KEY, EC_R_WRONG_ORDER); ++ ECerr(0, EC_R_WRONG_ORDER); + goto err; + } ++ + /* + * in case the priv_key is present : check if generator * priv_key == + * pub_key +@@ -376,10 +485,40 @@ int ec_key_simple_check_key(const EC_KEY + goto err; + } + } ++ ++ ret = 1; ++ err: ++ EC_POINT_free(point); ++ return ret; ++} ++ ++ ++/* ++ * ECC Key validation as specified in SP800-56A R3. ++ * Section 5.6.2.3.3 ECC Full Public-Key Validation ++ * NOTES: ++ * Before calling this method in fips mode, there should be an assurance that ++ * an approved elliptic-curve group is used. ++ * Returns 1 if the key is valid, otherwise it returns 0. ++ */ ++int ec_key_simple_check_key(const EC_KEY *eckey) ++{ ++ int ok = 0; ++ BN_CTX *ctx = NULL; ++ ++ if (eckey == NULL) { ++ ECerr(0, ERR_R_PASSED_NULL_PARAMETER); ++ return 0; ++ } ++ if ((ctx = BN_CTX_new()) == NULL) ++ return 0; ++ ++ if (!ec_key_public_check(eckey, ctx)) ++ goto err; ++ + ok = 1; + err: + BN_CTX_free(ctx); +- EC_POINT_free(point); + return ok; + } + +@@ -417,12 +556,10 @@ int EC_KEY_set_public_key_affine_coordin + goto err; + + /* +- * Check if retrieved coordinates match originals and are less than field +- * order: if not values are out of range. ++ * Check if retrieved coordinates match originals. The range check is done ++ * inside EC_KEY_check_key(). + */ +- if (BN_cmp(x, tx) || BN_cmp(y, ty) +- || (BN_cmp(x, key->group->field) >= 0) +- || (BN_cmp(y, key->group->field) >= 0)) { ++ if (BN_cmp(x, tx) || BN_cmp(y, ty)) { + ECerr(EC_F_EC_KEY_SET_PUBLIC_KEY_AFFINE_COORDINATES, + EC_R_COORDINATES_OUT_OF_RANGE); + goto err; +Index: openssl-1.1.1m/crypto/ec/ec_local.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ec_local.h ++++ openssl-1.1.1m/crypto/ec/ec_local.h +@@ -610,6 +610,8 @@ int ec_key_simple_generate_key(EC_KEY *e + int ec_key_simple_generate_public_key(EC_KEY *eckey); + int ec_key_simple_check_key(const EC_KEY *eckey); + ++int ec_key_public_check(const EC_KEY *eckey, BN_CTX *ctx); ++ + int ec_curve_nid_from_params(const EC_GROUP *group, BN_CTX *ctx); + + /* EC_METHOD definitions */ +Index: openssl-1.1.1m/crypto/ec/ec_lib.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ec_lib.c ++++ openssl-1.1.1m/crypto/ec/ec_lib.c +@@ -454,6 +454,11 @@ int EC_GROUP_get_curve_name(const EC_GRO + return group->curve_name; + } + ++const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group) ++{ ++ return group->field; ++} ++ + void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag) + { + group->asn1_flag = flag; +Index: openssl-1.1.1m/crypto/evp/p_lib.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/evp/p_lib.c ++++ openssl-1.1.1m/crypto/evp/p_lib.c +@@ -545,7 +545,8 @@ EC_KEY *EVP_PKEY_get1_EC_KEY(EVP_PKEY *p + + int EVP_PKEY_set1_DH(EVP_PKEY *pkey, DH *key) + { +- int type = DH_get0_q(key) == NULL ? EVP_PKEY_DH : EVP_PKEY_DHX; ++ int type = DH_get0_q(key) == NULL || DH_get_nid(key) != NID_undef ? ++ EVP_PKEY_DH : EVP_PKEY_DHX; + int ret = EVP_PKEY_assign(pkey, type, key); + + if (ret) +Index: openssl-1.1.1m/include/crypto/bn_dh.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/bn_dh.h ++++ openssl-1.1.1m/include/crypto/bn_dh.h +@@ -9,16 +9,35 @@ + + #define declare_dh_bn(x) \ + extern const BIGNUM _bignum_dh##x##_p; \ ++ extern const BIGNUM _bignum_dh##x##_q; \ + extern const BIGNUM _bignum_dh##x##_g; \ +- extern const BIGNUM _bignum_dh##x##_q; + + declare_dh_bn(1024_160) + declare_dh_bn(2048_224) + declare_dh_bn(2048_256) + ++extern const BIGNUM _bignum_const_2; ++ + extern const BIGNUM _bignum_ffdhe2048_p; + extern const BIGNUM _bignum_ffdhe3072_p; + extern const BIGNUM _bignum_ffdhe4096_p; + extern const BIGNUM _bignum_ffdhe6144_p; + extern const BIGNUM _bignum_ffdhe8192_p; +-extern const BIGNUM _bignum_const_2; ++extern const BIGNUM _bignum_ffdhe2048_q; ++extern const BIGNUM _bignum_ffdhe3072_q; ++extern const BIGNUM _bignum_ffdhe4096_q; ++extern const BIGNUM _bignum_ffdhe6144_q; ++extern const BIGNUM _bignum_ffdhe8192_q; ++ ++extern const BIGNUM _bignum_modp_1536_p; ++extern const BIGNUM _bignum_modp_2048_p; ++extern const BIGNUM _bignum_modp_3072_p; ++extern const BIGNUM _bignum_modp_4096_p; ++extern const BIGNUM _bignum_modp_6144_p; ++extern const BIGNUM _bignum_modp_8192_p; ++extern const BIGNUM _bignum_modp_1536_q; ++extern const BIGNUM _bignum_modp_2048_q; ++extern const BIGNUM _bignum_modp_3072_q; ++extern const BIGNUM _bignum_modp_4096_q; ++extern const BIGNUM _bignum_modp_6144_q; ++extern const BIGNUM _bignum_modp_8192_q; +Index: openssl-1.1.1m/crypto/objects/obj_dat.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/objects/obj_dat.h ++++ openssl-1.1.1m/crypto/objects/obj_dat.h +@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { + 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ + }; + +-#define NUM_NID 1196 ++#define NUM_NID 1202 + static const ASN1_OBJECT nid_objs[NUM_NID] = { + {"UNDEF", "undefined", NID_undef}, + {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, +@@ -2276,9 +2276,15 @@ static const ASN1_OBJECT nid_objs[NUM_NI + {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, + {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, + {"SSHKDF", "sshkdf", NID_sshkdf}, ++ {"modp_1536", "modp_1536", NID_modp_1536}, ++ {"modp_2048", "modp_2048", NID_modp_2048}, ++ {"modp_3072", "modp_3072", NID_modp_3072}, ++ {"modp_4096", "modp_4096", NID_modp_4096}, ++ {"modp_6144", "modp_6144", NID_modp_6144}, ++ {"modp_8192", "modp_8192", NID_modp_8192}, + }; + +-#define NUM_SN 1187 ++#define NUM_SN 1193 + static const unsigned int sn_objs[NUM_SN] = { + 364, /* "AD_DVCS" */ + 419, /* "AES-128-CBC" */ +@@ -3121,6 +3127,12 @@ static const unsigned int sn_objs[NUM_SN + 506, /* "mime-mhs-bodies" */ + 505, /* "mime-mhs-headings" */ + 488, /* "mobileTelephoneNumber" */ ++ 1196, /* "modp_1536" */ ++ 1197, /* "modp_2048" */ ++ 1198, /* "modp_3072" */ ++ 1199, /* "modp_4096" */ ++ 1200, /* "modp_6144" */ ++ 1201, /* "modp_8192" */ + 136, /* "msCTLSign" */ + 135, /* "msCodeCom" */ + 134, /* "msCodeInd" */ +@@ -3469,7 +3481,7 @@ static const unsigned int sn_objs[NUM_SN + 1093, /* "x509ExtAdmission" */ + }; + +-#define NUM_LN 1187 ++#define NUM_LN 1193 + static const unsigned int ln_objs[NUM_LN] = { + 363, /* "AD Time Stamping" */ + 405, /* "ANSI X9.62" */ +@@ -4305,6 +4317,12 @@ static const unsigned int ln_objs[NUM_LN + 506, /* "mime-mhs-bodies" */ + 505, /* "mime-mhs-headings" */ + 488, /* "mobileTelephoneNumber" */ ++ 1196, /* "modp_1536" */ ++ 1197, /* "modp_2048" */ ++ 1198, /* "modp_3072" */ ++ 1199, /* "modp_4096" */ ++ 1200, /* "modp_6144" */ ++ 1201, /* "modp_8192" */ + 481, /* "nSRecord" */ + 173, /* "name" */ + 681, /* "onBasis" */ +Index: openssl-1.1.1m/crypto/objects/objects.txt +=================================================================== +--- openssl-1.1.1m.orig/crypto/objects/objects.txt ++++ openssl-1.1.1m/crypto/objects/objects.txt +@@ -1648,6 +1648,13 @@ id-pkinit 5 : pkInit + : ffdhe4096 + : ffdhe6144 + : ffdhe8192 ++# NIDs for RFC3526 DH parameters ++ : modp_1536 ++ : modp_2048 ++ : modp_3072 ++ : modp_4096 ++ : modp_6144 ++ : modp_8192 + + # OIDs for DSTU-4145/DSTU-7564 (http://zakon2.rada.gov.ua/laws/show/z0423-17) + +Index: openssl-1.1.1m/crypto/objects/obj_mac.num +=================================================================== +--- openssl-1.1.1m.orig/crypto/objects/obj_mac.num ++++ openssl-1.1.1m/crypto/objects/obj_mac.num +@@ -1193,3 +1193,9 @@ magma_mac 1192 + hmacWithSHA512_224 1193 + hmacWithSHA512_256 1194 + sshkdf 1195 ++modp_1536 1196 ++modp_2048 1197 ++modp_3072 1198 ++modp_4096 1199 ++modp_6144 1200 ++modp_8192 1201 +Index: openssl-1.1.1m/doc/man3/DH_new_by_nid.pod +=================================================================== +--- openssl-1.1.1m.orig/doc/man3/DH_new_by_nid.pod ++++ openssl-1.1.1m/doc/man3/DH_new_by_nid.pod +@@ -8,13 +8,15 @@ DH_new_by_nid, DH_get_nid - get or find + + #include + DH *DH_new_by_nid(int nid); +- int *DH_get_nid(const DH *dh); ++ int DH_get_nid(const DH *dh); + + =head1 DESCRIPTION + + DH_new_by_nid() creates and returns a DH structure containing named parameters + B. Currently B must be B, B, +-B, B or B. ++B, B, B, ++B, B, B, ++B, B or B. + + DH_get_nid() determines if the parameters contained in B match + any named set. It returns the NID corresponding to the matching parameters or +Index: openssl-1.1.1m/doc/man3/EVP_PKEY_CTX_ctrl.pod +=================================================================== +--- openssl-1.1.1m.orig/doc/man3/EVP_PKEY_CTX_ctrl.pod ++++ openssl-1.1.1m/doc/man3/EVP_PKEY_CTX_ctrl.pod +@@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets + If B is zero (the default) then no padding is performed. + + EVP_PKEY_CTX_set_dh_nid() sets the DH parameters to values corresponding to +-B as defined in RFC7919. The B parameter must be B, +-B, B, B, B +-or B to clear the stored value. This macro can be called during +-parameter or key generation. ++I as defined in RFC7919 or RFC3526. The I parameter must be ++B, B, B, B, ++B, B, B, B, ++B, B, B or B to clear ++the stored value. This macro can be called during parameter or key generation. + The nid parameter and the rfc5114 parameter are mutually exclusive. + + The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are +Index: openssl-1.1.1m/include/openssl/ec.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/ec.h ++++ openssl-1.1.1m/include/openssl/ec.h +@@ -212,6 +212,12 @@ void EC_GROUP_set_curve_name(EC_GROUP *g + */ + int EC_GROUP_get_curve_name(const EC_GROUP *group); + ++/** Gets the field of an EC_GROUP ++ * \param group EC_GROUP object ++ * \return the group field ++ */ ++const BIGNUM *EC_GROUP_get0_field(const EC_GROUP *group); ++ + void EC_GROUP_set_asn1_flag(EC_GROUP *group, int flag); + int EC_GROUP_get_asn1_flag(const EC_GROUP *group); + +Index: openssl-1.1.1m/include/openssl/obj_mac.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/obj_mac.h ++++ openssl-1.1.1m/include/openssl/obj_mac.h +@@ -5103,6 +5103,24 @@ + #define SN_ffdhe8192 "ffdhe8192" + #define NID_ffdhe8192 1130 + ++#define SN_modp_1536 "modp_1536" ++#define NID_modp_1536 1196 ++ ++#define SN_modp_2048 "modp_2048" ++#define NID_modp_2048 1197 ++ ++#define SN_modp_3072 "modp_3072" ++#define NID_modp_3072 1198 ++ ++#define SN_modp_4096 "modp_4096" ++#define NID_modp_4096 1199 ++ ++#define SN_modp_6144 "modp_6144" ++#define NID_modp_6144 1200 ++ ++#define SN_modp_8192 "modp_8192" ++#define NID_modp_8192 1201 ++ + #define SN_ISO_UA "ISO-UA" + #define NID_ISO_UA 1150 + #define OBJ_ISO_UA OBJ_member_body,804L +Index: openssl-1.1.1m/ssl/s3_lib.c +=================================================================== +--- openssl-1.1.1m.orig/ssl/s3_lib.c ++++ openssl-1.1.1m/ssl/s3_lib.c +@@ -4846,13 +4846,51 @@ int ssl_derive(SSL *s, EVP_PKEY *privkey + EVP_PKEY *ssl_dh_to_pkey(DH *dh) + { + EVP_PKEY *ret; ++ DH *dhp = NULL; ++ + if (dh == NULL) + return NULL; ++ ++ if (FIPS_mode() && DH_get_nid(dh) == NID_undef) { ++ int bits = DH_bits(dh); ++ BIGNUM *p, *g; ++ ++ dhp = DH_new(); ++ if (dhp == NULL) ++ return NULL; ++ g = BN_new(); ++ if (g == NULL || !BN_set_word(g, 2)) { ++ DH_free(dhp); ++ BN_free(g); ++ return NULL; ++ } ++ ++ if (bits >= 7000) ++ p = BN_get_rfc3526_prime_8192(NULL); ++ else if (bits >= 5000) ++ p = BN_get_rfc3526_prime_6144(NULL); ++ else if (bits >= 3800) ++ p = BN_get_rfc3526_prime_4096(NULL); ++ else if (bits >= 2500) ++ p = BN_get_rfc3526_prime_3072(NULL); ++ else ++ p = BN_get_rfc3526_prime_2048(NULL); ++ if (p == NULL || !DH_set0_pqg(dhp, p, NULL, g)) { ++ DH_free(dhp); ++ BN_free(p); ++ BN_free(g); ++ return NULL; ++ } ++ dh = dhp; ++ } ++ + ret = EVP_PKEY_new(); + if (EVP_PKEY_set1_DH(ret, dh) <= 0) { ++ DH_free(dhp); + EVP_PKEY_free(ret); + return NULL; + } ++ DH_free(dhp); + return ret; + } + #endif +Index: openssl-1.1.1m/test/ectest.c +=================================================================== +--- openssl-1.1.1m.orig/test/ectest.c ++++ openssl-1.1.1m/test/ectest.c +@@ -1208,6 +1208,42 @@ static int internal_curve_test_method(in + return r; + } + ++static int group_field_test(void) ++{ ++ int r = 1; ++ BIGNUM *secp521r1_field = NULL; ++ BIGNUM *sect163r2_field = NULL; ++ EC_GROUP *secp521r1_group = NULL; ++ EC_GROUP *sect163r2_group = NULL; ++ ++ BN_hex2bn(&secp521r1_field, ++ "01FFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF" ++ "FFFF"); ++ ++ BN_hex2bn(§163r2_field, ++ "08000000000000000000000000000000" ++ "00000000C9"); ++ ++ secp521r1_group = EC_GROUP_new_by_curve_name(NID_secp521r1); ++ if (BN_cmp(secp521r1_field, EC_GROUP_get0_field(secp521r1_group))) ++ r = 0; ++ ++ # ifndef OPENSSL_NO_EC2M ++ sect163r2_group = EC_GROUP_new_by_curve_name(NID_sect163r2); ++ if (BN_cmp(sect163r2_field, EC_GROUP_get0_field(sect163r2_group))) ++ r = 0; ++ # endif ++ ++ EC_GROUP_free(secp521r1_group); ++ EC_GROUP_free(sect163r2_group); ++ BN_free(secp521r1_field); ++ BN_free(sect163r2_field); ++ return r; ++} ++ + # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 + /* + * nistp_test_params contains magic numbers for testing our optimized +@@ -1876,6 +1912,61 @@ err: + return r; + } + ++static int check_ec_key_field_public_range_test(int id) ++{ ++ int ret = 0, type = 0; ++ const EC_POINT *pub = NULL; ++ const EC_GROUP *group = NULL; ++ const EC_METHOD *meth = NULL; ++ const BIGNUM *field = NULL; ++ BIGNUM *x = NULL, *y = NULL; ++ EC_KEY *key = NULL; ++ ++ if (!(TEST_ptr(x = BN_new()) ++ && TEST_ptr(y = BN_new()) ++ && TEST_ptr(key = EC_KEY_new_by_curve_name(curves[id].nid)) ++ && TEST_ptr(group = EC_KEY_get0_group(key)) ++ && TEST_ptr(meth = EC_GROUP_method_of(group)) ++ && TEST_ptr(field = EC_GROUP_get0_field(group)) ++ && TEST_int_gt(EC_KEY_generate_key(key), 0) ++ && TEST_int_gt(EC_KEY_check_key(key), 0) ++ && TEST_ptr(pub = EC_KEY_get0_public_key(key)) ++ && TEST_int_gt(EC_POINT_get_affine_coordinates(group, pub, x, y, ++ NULL), 0))) ++ goto err; ++ ++ /* ++ * Make the public point out of range by adding the field (which will still ++ * be the same point on the curve). The add is different for char2 fields. ++ */ ++ type = EC_METHOD_get_field_type(meth); ++#ifndef OPENSSL_NO_EC2M ++ if (type == NID_X9_62_characteristic_two_field) { ++ /* test for binary curves */ ++ if (!TEST_true(BN_GF2m_add(x, x, field))) ++ goto err; ++ } else ++#endif ++ if (type == NID_X9_62_prime_field) { ++ /* test for prime curves */ ++ if (!TEST_true(BN_add(x, x, field))) ++ goto err; ++ } else { ++ /* this should never happen */ ++ TEST_error("Unsupported EC_METHOD field_type"); ++ goto err; ++ } ++ if (!TEST_int_le(EC_KEY_set_public_key_affine_coordinates(key, x, y), 0)) ++ goto err; ++ ++ ret = 1; ++err: ++ BN_free(x); ++ BN_free(y); ++ EC_KEY_free(key); ++ return ret; ++} ++ + /*- + * random 256-bit explicit parameters curve, cofactor absent + * order: 0x0c38d96a9f892b88772ec2e39614a82f4f (132 bit) +@@ -2254,8 +2345,10 @@ int setup_tests(void) + # endif + ADD_ALL_TESTS(internal_curve_test, crv_len); + ADD_ALL_TESTS(internal_curve_test_method, crv_len); ++ ADD_TEST(group_field_test); + + ADD_ALL_TESTS(check_named_curve_from_ecparameters, crv_len); ++ ADD_ALL_TESTS(check_ec_key_field_public_range_test, crv_len); + ADD_ALL_TESTS(ec_point_hex2point_test, crv_len); + ADD_ALL_TESTS(custom_generator_test, crv_len); + #endif /* OPENSSL_NO_EC */ +Index: openssl-1.1.1m/crypto/ec/ec_kmeth.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/ec/ec_kmeth.c ++++ openssl-1.1.1m/crypto/ec/ec_kmeth.c +@@ -148,6 +148,14 @@ int ECDH_compute_key(void *out, size_t o + outlen = seclen; + memcpy(out, sec, outlen); + } ++ ++ if (FIPS_mode()) { ++ if (EC_KEY_check_key(eckey) <= 0) { ++ EC_POINT_set_to_infinity(eckey->group, eckey->pub_key); ++ return 0; ++ } ++ } ++ + OPENSSL_clear_free(sec, seclen); + return outlen; + } +Index: openssl-1.1.1m/ssl/t1_lib.c +=================================================================== +--- openssl-1.1.1m.orig/ssl/t1_lib.c ++++ openssl-1.1.1m/ssl/t1_lib.c +@@ -2479,7 +2479,7 @@ DH *ssl_get_auto_dh(SSL *s) + p = BN_get_rfc3526_prime_4096(NULL); + else if (dh_secbits >= 128) + p = BN_get_rfc3526_prime_3072(NULL); +- else if (dh_secbits >= 112) ++ else if (dh_secbits >= 112 || FIPS_mode()) + p = BN_get_rfc3526_prime_2048(NULL); + else + p = BN_get_rfc2409_prime_1024(NULL); diff --git a/openssl-FIPS-KAT-before-integrity-tests.patch b/openssl-FIPS-KAT-before-integrity-tests.patch new file mode 100644 index 0000000..3f3a93f --- /dev/null +++ b/openssl-FIPS-KAT-before-integrity-tests.patch @@ -0,0 +1,26 @@ +Index: openssl-1.1.1l/crypto/fips/fips.c +=================================================================== +--- openssl-1.1.1l.orig/crypto/fips/fips.c ++++ openssl-1.1.1l/crypto/fips/fips.c +@@ -453,15 +453,17 @@ int FIPS_module_mode_set(int onoff) + + fips_post = 1; + +- if (!verify_checksums()) { +- FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, +- FIPS_R_FINGERPRINT_DOES_NOT_MATCH); ++ /* Run the KATs before the HMAC verification for FIPS 140-3 compliance */ ++ if (!FIPS_selftest()) { + fips_selftest_fail = 1; + ret = 0; + goto end; + } + +- if (!FIPS_selftest()) { ++ /* Run the HMAC verification after the KATs for FIPS 140-3 compliance */ ++ if (!verify_checksums()) { ++ FIPSerr(FIPS_F_FIPS_MODULE_MODE_SET, ++ FIPS_R_FINGERPRINT_DOES_NOT_MATCH); + fips_selftest_fail = 1; + ret = 0; + goto end; diff --git a/openssl-add_rfc3526_rfc7919.patch b/openssl-add_rfc3526_rfc7919.patch deleted file mode 100644 index cd78c5b..0000000 --- a/openssl-add_rfc3526_rfc7919.patch +++ /dev/null @@ -1,726 +0,0 @@ -diff --git a/crypto/bn/bn_dh.c b/crypto/bn/bn_dh.c -index 58c44f0..1094716 100644 ---- a/crypto/bn/bn_dh.c -+++ b/crypto/bn/bn_dh.c -@@ -13,6 +13,488 @@ - #ifndef OPENSSL_NO_DH - #include - #include "crypto/bn_dh.h" -+ -+# if BN_BITS2 == 64 -+# define BN_DEF(lo, hi) (BN_ULONG)hi << 32 | lo -+# else -+# define BN_DEF(lo, hi) lo, hi -+# endif -+ -+/* DH parameters from RFC3526 */ -+ -+/* -+ * "1536-bit MODP Group" from RFC3526, Section 2. -+ * -+ * The prime is: 2^1536 - 2^1472 - 1 + 2^64 * { [2^1406 pi] + 741804 } -+ * -+ * RFC3526 specifies a generator of 2. -+ * RFC2412 specifies a generator of 22. -+ */ -+static const BN_ULONG modp_1536_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCA237327, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_1536_q[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6511B993, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF) -+}; -+ -+/*- -+ * "2048-bit MODP Group" from RFC3526, Section 3. -+ * -+ * The prime is: 2^2048 - 2^1984 - 1 + 2^64 * { [2^1918 pi] + 124476 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_2048_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x8AACAA68, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_2048_q[] = { -+ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x45565534, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), -+}; -+ -+/*- -+ * "3072-bit MODP Group" from RFC3526, Section 4. -+ * -+ * The prime is: 2^3072 - 2^3008 - 1 + 2^64 * { [2^2942 pi] + 1690314 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_3072_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xA93AD2CA, 0x4B82D120), -+ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), -+ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), -+ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), -+ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), -+ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), -+ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), -+ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), -+ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_3072_q[] = { -+ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x549D6965, 0x25C16890), -+ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), -+ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), -+ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), -+ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), -+ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), -+ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), -+ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), -+ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), -+}; -+ -+/*- -+ * "4096-bit MODP Group" from RFC3526, Section 5. -+ * -+ * The prime is: 2^4096 - 2^4032 - 1 + 2^64 * { [2^3966 pi] + 240904 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_4096_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x34063199, 0x4DF435C9), -+ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), -+ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), -+ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), -+ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), -+ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), -+ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), -+ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), -+ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), -+ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), -+ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), -+ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), -+ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), -+ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), -+ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), -+ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), -+ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_4096_q[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x9A0318CC, 0xA6FA1AE4), -+ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), -+ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), -+ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), -+ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), -+ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), -+ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), -+ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), -+ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), -+ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), -+ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), -+ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), -+ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), -+ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), -+ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), -+ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), -+ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), -+}; -+ -+/*- -+ * "6144-bit MODP Group" from RFC3526, Section 6. -+ * -+ * The prime is: 2^6144 - 2^6080 - 1 + 2^64 * { [2^6014 pi] + 929484 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_6144_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x6DCC4024, 0xE694F91E), -+ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), -+ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), -+ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), -+ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), -+ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), -+ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), -+ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), -+ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), -+ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), -+ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), -+ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), -+ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), -+ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), -+ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406), -+ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), -+ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), -+ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), -+ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), -+ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), -+ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), -+ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), -+ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), -+ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), -+ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), -+ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), -+ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), -+ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), -+ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), -+ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), -+ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), -+ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), -+ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_6144_q[] = { -+ BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), BN_DEF(0x36E62012, 0x734A7C8F), -+ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), -+ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), -+ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), -+ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), -+ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), -+ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), -+ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), -+ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), -+ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), -+ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), -+ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), -+ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), -+ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), -+ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), -+ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), -+ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), -+ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), -+ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), -+ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), -+ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), -+ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), -+ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), -+ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), -+ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), -+ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), -+ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), -+ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), -+ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), -+ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), -+ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), -+ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), -+ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), -+}; -+ -+/* -+ * "8192-bit MODP Group" from RFC3526, Section 7. -+ * -+ * The prime is: 2^8192 - 2^8128 - 1 + 2^64 * { [2^8062 pi] + 4743158 } -+ * -+ * RFC3526 specifies a generator of 2. -+ */ -+static const BN_ULONG modp_8192_p[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0x98EDD3DF, 0x60C980DD), -+ BN_DEF(0x80B96E71, 0xC81F56E8), BN_DEF(0x765694DF, 0x9E3050E2), -+ BN_DEF(0x5677E9AA, 0x9558E447), BN_DEF(0xFC026E47, 0xC9190DA6), -+ BN_DEF(0xD5EE382B, 0x889A002E), BN_DEF(0x481C6CD7, 0x4009438B), -+ BN_DEF(0xEB879F92, 0x359046F4), BN_DEF(0x1ECFA268, 0xFAF36BC3), -+ BN_DEF(0x7EE74D73, 0xB1D510BD), BN_DEF(0x5DED7EA1, 0xF9AB4819), -+ BN_DEF(0x0846851D, 0x64F31CC5), BN_DEF(0xA0255DC1, 0x4597E899), -+ BN_DEF(0x74AB6A36, 0xDF310EE0), BN_DEF(0x3F44F82D, 0x6D2A13F8), -+ BN_DEF(0xB3A278A6, 0x062B3CF5), BN_DEF(0xED5BDD3A, 0x79683303), -+ BN_DEF(0xA2C087E8, 0xFA9D4B7F), BN_DEF(0x2F8385DD, 0x4BCBC886), -+ BN_DEF(0x6CEA306B, 0x3473FC64), BN_DEF(0x1A23F0C7, 0x13EB57A8), -+ BN_DEF(0xA4037C07, 0x22222E04), BN_DEF(0xFC848AD9, 0xE3FDB8BE), -+ BN_DEF(0xE39D652D, 0x238F16CB), BN_DEF(0x2BF1C978, 0x3423B474), -+ BN_DEF(0x5AE4F568, 0x3AAB639C), BN_DEF(0x6BA42466, 0x2576F693), -+ BN_DEF(0x8AFC47ED, 0x741FA7BF), BN_DEF(0x8D9DD300, 0x3BC832B6), -+ BN_DEF(0x73B931BA, 0xD8BEC4D0), BN_DEF(0xA932DF8C, 0x38777CB6), -+ BN_DEF(0x12FEE5E4, 0x74A3926F), BN_DEF(0x6DBE1159, 0xE694F91E), -+ BN_DEF(0x0B7474D6, 0x12BF2D5B), BN_DEF(0x3F4860EE, 0x043E8F66), -+ BN_DEF(0x6E3C0468, 0x387FE8D7), BN_DEF(0x2EF29632, 0xDA56C9EC), -+ BN_DEF(0xA313D55C, 0xEB19CCB1), BN_DEF(0x8A1FBFF0, 0xF550AA3D), -+ BN_DEF(0xB7C5DA76, 0x06A1D58B), BN_DEF(0xF29BE328, 0xA79715EE), -+ BN_DEF(0x0F8037E0, 0x14CC5ED2), BN_DEF(0xBF48E1D8, 0xCC8F6D7E), -+ BN_DEF(0x2B4154AA, 0x4BD407B2), BN_DEF(0xFF585AC5, 0x0F1D45B7), -+ BN_DEF(0x36CC88BE, 0x23A97A7E), BN_DEF(0xBEC7E8F3, 0x59E7C97F), -+ BN_DEF(0x900B1C9E, 0xB5A84031), BN_DEF(0x46980C82, 0xD55E702F), -+ BN_DEF(0x6E74FEF6, 0xF482D7CE), BN_DEF(0xD1721D03, 0xF032EA15), -+ BN_DEF(0xC64B92EC, 0x5983CA01), BN_DEF(0x378CD2BF, 0x6FB8F401), -+ BN_DEF(0x2BD7AF42, 0x33205151), BN_DEF(0xE6CC254B, 0xDB7F1447), -+ BN_DEF(0xCED4BB1B, 0x44CE6CBA), BN_DEF(0xCF9B14ED, 0xDA3EDBEB), -+ BN_DEF(0x865A8918, 0x179727B0), BN_DEF(0x9027D831, 0xB06A53ED), -+ BN_DEF(0x413001AE, 0xE5DB382F), BN_DEF(0xAD9E530E, 0xF8FF9406), -+ BN_DEF(0x3DBA37BD, 0xC9751E76), BN_DEF(0x602646DE, 0xC1D4DCB2), -+ BN_DEF(0xD27C7026, 0x36C3FAB4), BN_DEF(0x34028492, 0x4DF435C9), -+ BN_DEF(0x90A6C08F, 0x86FFB7DC), BN_DEF(0x8D8FDDC1, 0x93B4EA98), -+ BN_DEF(0xD5B05AA9, 0xD0069127), BN_DEF(0x2170481C, 0xB81BDD76), -+ BN_DEF(0xCEE2D7AF, 0x1F612970), BN_DEF(0x515BE7ED, 0x233BA186), -+ BN_DEF(0xA090C3A2, 0x99B2964F), BN_DEF(0x4E6BC05D, 0x287C5947), -+ BN_DEF(0x1FBECAA6, 0x2E8EFC14), BN_DEF(0x04DE8EF9, 0xDBBBC2DB), -+ BN_DEF(0x2AD44CE8, 0x2583E9CA), BN_DEF(0xB6150BDA, 0x1A946834), -+ BN_DEF(0x6AF4E23C, 0x99C32718), BN_DEF(0xBDBA5B26, 0x88719A10), -+ BN_DEF(0xA787E6D7, 0x1A723C12), BN_DEF(0xA9210801, 0x4B82D120), -+ BN_DEF(0xE0FD108E, 0x43DB5BFC), BN_DEF(0x74E5AB31, 0x08E24FA0), -+ BN_DEF(0xBAD946E2, 0x770988C0), BN_DEF(0x7A615D6C, 0xBBE11757), -+ BN_DEF(0x177B200C, 0x521F2B18), BN_DEF(0x3EC86A64, 0xD8760273), -+ BN_DEF(0xD98A0864, 0xF12FFA06), BN_DEF(0x1AD2EE6B, 0xCEE3D226), -+ BN_DEF(0x4A25619D, 0x1E8C94E0), BN_DEF(0xDB0933D7, 0xABF5AE8C), -+ BN_DEF(0xA6E1E4C7, 0xB3970F85), BN_DEF(0x5D060C7D, 0x8AEA7157), -+ BN_DEF(0x58DBEF0A, 0xECFB8504), BN_DEF(0xDF1CBA64, 0xA85521AB), -+ BN_DEF(0x04507A33, 0xAD33170D), BN_DEF(0x8AAAC42D, 0x15728E5A), -+ BN_DEF(0x98FA0510, 0x15D22618), BN_DEF(0xEA956AE5, 0x3995497C), -+ BN_DEF(0x95581718, 0xDE2BCBF6), BN_DEF(0x6F4C52C9, 0xB5C55DF0), -+ BN_DEF(0xEC07A28F, 0x9B2783A2), BN_DEF(0x180E8603, 0xE39E772C), -+ BN_DEF(0x2E36CE3B, 0x32905E46), BN_DEF(0xCA18217C, 0xF1746C08), -+ BN_DEF(0x4ABC9804, 0x670C354E), BN_DEF(0x7096966D, 0x9ED52907), -+ BN_DEF(0x208552BB, 0x1C62F356), BN_DEF(0xDCA3AD96, 0x83655D23), -+ BN_DEF(0xFD24CF5F, 0x69163FA8), BN_DEF(0x1C55D39A, 0x98DA4836), -+ BN_DEF(0xA163BF05, 0xC2007CB8), BN_DEF(0xECE45B3D, 0x49286651), -+ BN_DEF(0x7C4B1FE6, 0xAE9F2411), BN_DEF(0x5A899FA5, 0xEE386BFB), -+ BN_DEF(0xF406B7ED, 0x0BFF5CB6), BN_DEF(0xA637ED6B, 0xF44C42E9), -+ BN_DEF(0x625E7EC6, 0xE485B576), BN_DEF(0x6D51C245, 0x4FE1356D), -+ BN_DEF(0xF25F1437, 0x302B0A6D), BN_DEF(0xCD3A431B, 0xEF9519B3), -+ BN_DEF(0x8E3404DD, 0x514A0879), BN_DEF(0x3B139B22, 0x020BBEA6), -+ BN_DEF(0x8A67CC74, 0x29024E08), BN_DEF(0x80DC1CD1, 0xC4C6628B), -+ BN_DEF(0x2168C234, 0xC90FDAA2), BN_DEF(0xFFFFFFFF, 0xFFFFFFFF) -+}; -+/* q = (p - 1) / 2 */ -+static const BN_ULONG modp_8192_q[] = { -+ BN_DEF(0xFFFFFFFF, 0xFFFFFFFF), BN_DEF(0xCC76E9EF, 0xB064C06E), -+ BN_DEF(0x405CB738, 0xE40FAB74), BN_DEF(0x3B2B4A6F, 0x4F182871), -+ BN_DEF(0xAB3BF4D5, 0xCAAC7223), BN_DEF(0x7E013723, 0xE48C86D3), -+ BN_DEF(0x6AF71C15, 0xC44D0017), BN_DEF(0xA40E366B, 0x2004A1C5), -+ BN_DEF(0x75C3CFC9, 0x1AC8237A), BN_DEF(0x8F67D134, 0xFD79B5E1), -+ BN_DEF(0xBF73A6B9, 0xD8EA885E), BN_DEF(0xAEF6BF50, 0xFCD5A40C), -+ BN_DEF(0x8423428E, 0xB2798E62), BN_DEF(0xD012AEE0, 0x22CBF44C), -+ BN_DEF(0x3A55B51B, 0xEF988770), BN_DEF(0x1FA27C16, 0x369509FC), -+ BN_DEF(0xD9D13C53, 0x03159E7A), BN_DEF(0xF6ADEE9D, 0x3CB41981), -+ BN_DEF(0xD16043F4, 0xFD4EA5BF), BN_DEF(0x17C1C2EE, 0xA5E5E443), -+ BN_DEF(0x36751835, 0x9A39FE32), BN_DEF(0x0D11F863, 0x89F5ABD4), -+ BN_DEF(0x5201BE03, 0x91111702), BN_DEF(0x7E42456C, 0xF1FEDC5F), -+ BN_DEF(0xF1CEB296, 0x11C78B65), BN_DEF(0x15F8E4BC, 0x1A11DA3A), -+ BN_DEF(0x2D727AB4, 0x1D55B1CE), BN_DEF(0xB5D21233, 0x92BB7B49), -+ BN_DEF(0xC57E23F6, 0x3A0FD3DF), BN_DEF(0x46CEE980, 0x1DE4195B), -+ BN_DEF(0x39DC98DD, 0x6C5F6268), BN_DEF(0x54996FC6, 0x1C3BBE5B), -+ BN_DEF(0x897F72F2, 0xBA51C937), BN_DEF(0x36DF08AC, 0x734A7C8F), -+ BN_DEF(0x85BA3A6B, 0x095F96AD), BN_DEF(0x1FA43077, 0x021F47B3), -+ BN_DEF(0xB71E0234, 0x1C3FF46B), BN_DEF(0x17794B19, 0x6D2B64F6), -+ BN_DEF(0xD189EAAE, 0x758CE658), BN_DEF(0xC50FDFF8, 0x7AA8551E), -+ BN_DEF(0xDBE2ED3B, 0x0350EAC5), BN_DEF(0x794DF194, 0x53CB8AF7), -+ BN_DEF(0x07C01BF0, 0x0A662F69), BN_DEF(0x5FA470EC, 0x6647B6BF), -+ BN_DEF(0x15A0AA55, 0xA5EA03D9), BN_DEF(0xFFAC2D62, 0x078EA2DB), -+ BN_DEF(0x1B66445F, 0x91D4BD3F), BN_DEF(0xDF63F479, 0x2CF3E4BF), -+ BN_DEF(0xC8058E4F, 0x5AD42018), BN_DEF(0xA34C0641, 0x6AAF3817), -+ BN_DEF(0x373A7F7B, 0xFA416BE7), BN_DEF(0xE8B90E81, 0x7819750A), -+ BN_DEF(0xE325C976, 0xACC1E500), BN_DEF(0x9BC6695F, 0x37DC7A00), -+ BN_DEF(0x95EBD7A1, 0x999028A8), BN_DEF(0xF36612A5, 0xEDBF8A23), -+ BN_DEF(0x676A5D8D, 0xA267365D), BN_DEF(0xE7CD8A76, 0x6D1F6DF5), -+ BN_DEF(0x432D448C, 0x8BCB93D8), BN_DEF(0xC813EC18, 0x583529F6), -+ BN_DEF(0xA09800D7, 0x72ED9C17), BN_DEF(0x56CF2987, 0xFC7FCA03), -+ BN_DEF(0x1EDD1BDE, 0x64BA8F3B), BN_DEF(0x3013236F, 0x60EA6E59), -+ BN_DEF(0x693E3813, 0x1B61FD5A), BN_DEF(0x9A014249, 0xA6FA1AE4), -+ BN_DEF(0x48536047, 0xC37FDBEE), BN_DEF(0x46C7EEE0, 0xC9DA754C), -+ BN_DEF(0xEAD82D54, 0x68034893), BN_DEF(0x10B8240E, 0xDC0DEEBB), -+ BN_DEF(0x67716BD7, 0x8FB094B8), BN_DEF(0x28ADF3F6, 0x119DD0C3), -+ BN_DEF(0xD04861D1, 0xCCD94B27), BN_DEF(0xA735E02E, 0x143E2CA3), -+ BN_DEF(0x0FDF6553, 0x97477E0A), BN_DEF(0x826F477C, 0x6DDDE16D), -+ BN_DEF(0x156A2674, 0x12C1F4E5), BN_DEF(0x5B0A85ED, 0x0D4A341A), -+ BN_DEF(0x357A711E, 0x4CE1938C), BN_DEF(0x5EDD2D93, 0xC438CD08), -+ BN_DEF(0x53C3F36B, 0x8D391E09), BN_DEF(0x54908400, 0x25C16890), -+ BN_DEF(0x707E8847, 0xA1EDADFE), BN_DEF(0x3A72D598, 0x047127D0), -+ BN_DEF(0x5D6CA371, 0x3B84C460), BN_DEF(0xBD30AEB6, 0x5DF08BAB), -+ BN_DEF(0x0BBD9006, 0x290F958C), BN_DEF(0x9F643532, 0x6C3B0139), -+ BN_DEF(0x6CC50432, 0xF897FD03), BN_DEF(0x0D697735, 0xE771E913), -+ BN_DEF(0x2512B0CE, 0x8F464A70), BN_DEF(0x6D8499EB, 0xD5FAD746), -+ BN_DEF(0xD370F263, 0xD9CB87C2), BN_DEF(0xAE83063E, 0x457538AB), -+ BN_DEF(0x2C6DF785, 0x767DC282), BN_DEF(0xEF8E5D32, 0xD42A90D5), -+ BN_DEF(0x82283D19, 0xD6998B86), BN_DEF(0x45556216, 0x0AB9472D), -+ BN_DEF(0x4C7D0288, 0x8AE9130C), BN_DEF(0x754AB572, 0x1CCAA4BE), -+ BN_DEF(0x4AAC0B8C, 0xEF15E5FB), BN_DEF(0x37A62964, 0xDAE2AEF8), -+ BN_DEF(0x7603D147, 0xCD93C1D1), BN_DEF(0x0C074301, 0xF1CF3B96), -+ BN_DEF(0x171B671D, 0x19482F23), BN_DEF(0x650C10BE, 0x78BA3604), -+ BN_DEF(0x255E4C02, 0xB3861AA7), BN_DEF(0xB84B4B36, 0xCF6A9483), -+ BN_DEF(0x1042A95D, 0x0E3179AB), BN_DEF(0xEE51D6CB, 0xC1B2AE91), -+ BN_DEF(0x7E9267AF, 0x348B1FD4), BN_DEF(0x0E2AE9CD, 0xCC6D241B), -+ BN_DEF(0x50B1DF82, 0xE1003E5C), BN_DEF(0xF6722D9E, 0x24943328), -+ BN_DEF(0xBE258FF3, 0xD74F9208), BN_DEF(0xAD44CFD2, 0xF71C35FD), -+ BN_DEF(0x7A035BF6, 0x85FFAE5B), BN_DEF(0xD31BF6B5, 0x7A262174), -+ BN_DEF(0x312F3F63, 0xF242DABB), BN_DEF(0xB6A8E122, 0xA7F09AB6), -+ BN_DEF(0xF92F8A1B, 0x98158536), BN_DEF(0xE69D218D, 0xF7CA8CD9), -+ BN_DEF(0xC71A026E, 0x28A5043C), BN_DEF(0x1D89CD91, 0x0105DF53), -+ BN_DEF(0x4533E63A, 0x94812704), BN_DEF(0xC06E0E68, 0x62633145), -+ BN_DEF(0x10B4611A, 0xE487ED51), BN_DEF(0xFFFFFFFF, 0x7FFFFFFF), -+}; -+ -+ -+ - /* DH parameters from RFC5114 */ - - # if BN_BITS2 == 64 -@@ -508,5 +990,17 @@ make_dh_bn(ffdhe4096_p) - make_dh_bn(ffdhe6144_p) - make_dh_bn(ffdhe8192_p) - -+make_dh_bn(modp_1536_p) -+make_dh_bn(modp_1536_q) -+make_dh_bn(modp_2048_p) -+make_dh_bn(modp_2048_q) -+make_dh_bn(modp_3072_p) -+make_dh_bn(modp_3072_q) -+make_dh_bn(modp_4096_p) -+make_dh_bn(modp_4096_q) -+make_dh_bn(modp_6144_p) -+make_dh_bn(modp_6144_q) -+make_dh_bn(modp_8192_p) -+make_dh_bn(modp_8192_q) - - #endif -diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c -index e0805e7..261c8a1 100644 ---- a/crypto/dh/dh_pmeth.c -+++ b/crypto/dh/dh_pmeth.c -@@ -351,6 +351,10 @@ static int pkey_dh_paramgen(EVP_PKEY_CTX *ctx, EVP_PKEY *pkey) - return 1; - } - -+ /* -+ * Look for a safe prime group for key establishment. Which uses -+ * either RFC_3526 (modp_XXXX) or RFC_7919 (ffdheXXXX). -+ */ - if (dctx->param_nid != 0) { - if ((dh = DH_new_by_nid(dctx->param_nid)) == NULL) - return 0; -diff --git a/crypto/dh/dh_rfc7919.c b/crypto/dh/dh_rfc7919.c -index 03d30a1..f339bd9 100644 ---- a/crypto/dh/dh_rfc7919.c -+++ b/crypto/dh/dh_rfc7919.c -@@ -38,6 +38,18 @@ DH *DH_new_by_nid(int nid) - return dh_param_init(&_bignum_ffdhe6144_p, 375); - case NID_ffdhe8192: - return dh_param_init(&_bignum_ffdhe8192_p, 400); -+ case NID_modp_1536: -+ return dh_param_init(&_bignum_modp_1536_p, 175); -+ case NID_modp_2048: -+ return dh_param_init(&_bignum_modp_2048_p, 225); -+ case NID_modp_3072: -+ return dh_param_init(&_bignum_modp_3072_p, 275); -+ case NID_modp_4096: -+ return dh_param_init(&_bignum_modp_4096_p, 325); -+ case NID_modp_6144: -+ return dh_param_init(&_bignum_modp_6144_p, 375); -+ case NID_modp_8192: -+ return dh_param_init(&_bignum_modp_8192_p, 400); - default: - DHerr(DH_F_DH_NEW_BY_NID, DH_R_INVALID_PARAMETER_NID); - return NULL; -@@ -60,6 +72,18 @@ int DH_get_nid(const DH *dh) - nid = NID_ffdhe6144; - else if (!BN_cmp(dh->p, &_bignum_ffdhe8192_p)) - nid = NID_ffdhe8192; -+ else if (!BN_cmp(dh->p, &_bignum_modp_1536_p)) -+ nid = NID_modp_1536; -+ else if (!BN_cmp(dh->p, &_bignum_modp_2048_p)) -+ nid = NID_modp_2048; -+ else if (!BN_cmp(dh->p, &_bignum_modp_3072_p)) -+ nid = NID_modp_3072; -+ else if (!BN_cmp(dh->p, &_bignum_modp_4096_p)) -+ nid = NID_modp_4096; -+ else if (!BN_cmp(dh->p, &_bignum_modp_6144_p)) -+ nid = NID_modp_6144; -+ else if (!BN_cmp(dh->p, &_bignum_modp_8192_p)) -+ nid = NID_modp_8192; - else - return NID_undef; - if (dh->q != NULL) { -diff --git a/crypto/objects/obj_dat.h b/crypto/objects/obj_dat.h -index 12ca5ec..2fbd9a9 100644 ---- a/crypto/objects/obj_dat.h -+++ b/crypto/objects/obj_dat.h -@@ -1078,7 +1078,7 @@ static const unsigned char so[7762] = { - 0x2A,0x86,0x48,0x86,0xF7,0x0D,0x02,0x0D, /* [ 7753] OBJ_hmacWithSHA512_256 */ - }; - --#define NUM_NID 1196 -+#define NUM_NID 1202 - static const ASN1_OBJECT nid_objs[NUM_NID] = { - {"UNDEF", "undefined", NID_undef}, - {"rsadsi", "RSA Data Security, Inc.", NID_rsadsi, 6, &so[0]}, -@@ -2276,9 +2276,15 @@ static const ASN1_OBJECT nid_objs[NUM_NID] = { - {"hmacWithSHA512-224", "hmacWithSHA512-224", NID_hmacWithSHA512_224, 8, &so[7745]}, - {"hmacWithSHA512-256", "hmacWithSHA512-256", NID_hmacWithSHA512_256, 8, &so[7753]}, - {"SSHKDF", "sshkdf", NID_sshkdf}, -+ {"modp_1536", "modp_1536", NID_modp_1536}, -+ {"modp_2048", "modp_2048", NID_modp_2048}, -+ {"modp_3072", "modp_3072", NID_modp_3072}, -+ {"modp_4096", "modp_4096", NID_modp_4096}, -+ {"modp_6144", "modp_6144", NID_modp_6144}, -+ {"modp_8192", "modp_8192", NID_modp_8192}, - }; - --#define NUM_SN 1187 -+#define NUM_SN 1193 - static const unsigned int sn_objs[NUM_SN] = { - 364, /* "AD_DVCS" */ - 419, /* "AES-128-CBC" */ -@@ -3121,6 +3127,12 @@ static const unsigned int sn_objs[NUM_SN] = { - 506, /* "mime-mhs-bodies" */ - 505, /* "mime-mhs-headings" */ - 488, /* "mobileTelephoneNumber" */ -+ 1196, /* "modp_1536" */ -+ 1197, /* "modp_2048" */ -+ 1198, /* "modp_3072" */ -+ 1199, /* "modp_4096" */ -+ 1200, /* "modp_6144" */ -+ 1201, /* "modp_8192" */ - 136, /* "msCTLSign" */ - 135, /* "msCodeCom" */ - 134, /* "msCodeInd" */ -@@ -3469,7 +3481,7 @@ static const unsigned int sn_objs[NUM_SN] = { - 1093, /* "x509ExtAdmission" */ - }; - --#define NUM_LN 1187 -+#define NUM_LN 1193 - static const unsigned int ln_objs[NUM_LN] = { - 363, /* "AD Time Stamping" */ - 405, /* "ANSI X9.62" */ -@@ -4305,6 +4317,12 @@ static const unsigned int ln_objs[NUM_LN] = { - 506, /* "mime-mhs-bodies" */ - 505, /* "mime-mhs-headings" */ - 488, /* "mobileTelephoneNumber" */ -+ 1196, /* "modp_1536" */ -+ 1197, /* "modp_2048" */ -+ 1198, /* "modp_3072" */ -+ 1199, /* "modp_4096" */ -+ 1200, /* "modp_6144" */ -+ 1201, /* "modp_8192" */ - 481, /* "nSRecord" */ - 173, /* "name" */ - 681, /* "onBasis" */ -diff --git a/crypto/objects/obj_mac.num b/crypto/objects/obj_mac.num -index 231c183..7ee5912 100644 ---- a/crypto/objects/obj_mac.num -+++ b/crypto/objects/obj_mac.num -@@ -1193,3 +1193,9 @@ magma_mac 1192 - hmacWithSHA512_224 1193 - hmacWithSHA512_256 1194 - sshkdf 1195 -+modp_1536 1196 -+modp_2048 1197 -+modp_3072 1198 -+modp_4096 1199 -+modp_6144 1200 -+modp_8192 1201 -diff --git a/doc/man3/DH_new_by_nid.pod b/doc/man3/DH_new_by_nid.pod -index 73636c5..fcea642 100644 ---- a/doc/man3/DH_new_by_nid.pod -+++ b/doc/man3/DH_new_by_nid.pod -@@ -14,7 +14,9 @@ DH_new_by_nid, DH_get_nid - get or find DH named parameters - - DH_new_by_nid() creates and returns a DH structure containing named parameters - B. Currently B must be B, B, --B, B or B. -+B, B or B, -+B, B, B, -+B, B or B. - - DH_get_nid() determines if the parameters contained in B match - any named set. It returns the NID corresponding to the matching parameters or -diff --git a/doc/man3/EVP_PKEY_CTX_ctrl.pod b/doc/man3/EVP_PKEY_CTX_ctrl.pod -index e475316..9c695b9 100644 ---- a/doc/man3/EVP_PKEY_CTX_ctrl.pod -+++ b/doc/man3/EVP_PKEY_CTX_ctrl.pod -@@ -294,10 +294,11 @@ The EVP_PKEY_CTX_set_dh_pad() macro sets the DH padding mode. If B is - If B is zero (the default) then no padding is performed. - - EVP_PKEY_CTX_set_dh_nid() sets the DH parameters to values corresponding to --B as defined in RFC7919. The B parameter must be B, --B, B, B, B --or B to clear the stored value. This macro can be called during --parameter or key generation. -+I as defined in RFC7919 or RFC3526. The I parameter must be -+B, B, B, B, -+B, B, B, B, -+B, B, B or B to clear -+the stored value. This function can be called during parameter or key generation. - The nid parameter and the rfc5114 parameter are mutually exclusive. - - The EVP_PKEY_CTX_set_dh_rfc5114() and EVP_PKEY_CTX_set_dhx_rfc5114() macros are -diff --git a/include/crypto/bn_dh.h b/include/crypto/bn_dh.h -index 70ebca2..5cb83d0 100644 ---- a/include/crypto/bn_dh.h -+++ b/include/crypto/bn_dh.h -@@ -22,3 +22,10 @@ extern const BIGNUM _bignum_ffdhe4096_p; - extern const BIGNUM _bignum_ffdhe6144_p; - extern const BIGNUM _bignum_ffdhe8192_p; - extern const BIGNUM _bignum_const_2; -+ -+extern const BIGNUM _bignum_modp_1536_p; -+extern const BIGNUM _bignum_modp_2048_p; -+extern const BIGNUM _bignum_modp_3072_p; -+extern const BIGNUM _bignum_modp_4096_p; -+extern const BIGNUM _bignum_modp_6144_p; -+extern const BIGNUM _bignum_modp_8192_p; -diff --git a/include/openssl/obj_mac.h b/include/openssl/obj_mac.h -index 4616eaf..cfaedf5 100644 ---- a/include/openssl/obj_mac.h -+++ b/include/openssl/obj_mac.h -@@ -5103,6 +5103,24 @@ - #define SN_ffdhe8192 "ffdhe8192" - #define NID_ffdhe8192 1130 - -+#define SN_modp_1536 "modp_1536" -+#define NID_modp_1536 1196 -+ -+#define SN_modp_2048 "modp_2048" -+#define NID_modp_2048 1197 -+ -+#define SN_modp_3072 "modp_3072" -+#define NID_modp_3072 1198 -+ -+#define SN_modp_4096 "modp_4096" -+#define NID_modp_4096 1199 -+ -+#define SN_modp_6144 "modp_6144" -+#define NID_modp_6144 1200 -+ -+#define SN_modp_8192 "modp_8192" -+#define NID_modp_8192 1201 -+ - #define SN_ISO_UA "ISO-UA" - #define NID_ISO_UA 1150 - #define OBJ_ISO_UA OBJ_member_body,804L diff --git a/openssl-fips-DH_selftest_shared_secret_KAT.patch b/openssl-fips-DH_selftest_shared_secret_KAT.patch new file mode 100644 index 0000000..279a0ef --- /dev/null +++ b/openssl-fips-DH_selftest_shared_secret_KAT.patch @@ -0,0 +1,82 @@ +Index: openssl-1.1.1d/crypto/fips/fips_dh_selftest.c +=================================================================== +--- openssl-1.1.1d.orig/crypto/fips/fips_dh_selftest.c 2020-09-08 20:40:41.313074570 +0200 ++++ openssl-1.1.1d/crypto/fips/fips_dh_selftest.c 2020-09-08 20:41:05.337219024 +0200 +@@ -119,6 +119,41 @@ static const unsigned char dh_test_2048_ + 0xEC, 0x55, 0xF6, 0xCC + }; + ++static const unsigned char dh_test_2048_shared_secret[] = { ++ 0x62, 0x68, 0x15, 0xbd, 0xc4, 0x9a, 0x3c, 0xfc, ++ 0xda, 0x5d, 0xc5, 0x81, 0xc9, 0xe7, 0x1b, 0xbb, ++ 0x94, 0x19, 0xb0, 0x5d, 0x95, 0xc3, 0x98, 0xd0, ++ 0xc6, 0x8b, 0x05, 0x34, 0xa5, 0xe2, 0xe4, 0xa8, ++ 0x7c, 0x4b, 0x7c, 0x41, 0xf9, 0x6d, 0xc1, 0xcc, ++ 0x6e, 0xb6, 0x34, 0xe1, 0x71, 0xc3, 0x00, 0x03, ++ 0x06, 0x08, 0x1d, 0x90, 0x88, 0x3c, 0x5d, 0x14, ++ 0x2d, 0x56, 0xac, 0x78, 0x83, 0xd6, 0xe9, 0x7c, ++ 0x6c, 0x34, 0xdf, 0xe0, 0x98, 0x14, 0xaa, 0xbe, ++ 0x3b, 0x83, 0xc5, 0xd1, 0xac, 0xec, 0xa6, 0x0b, ++ 0xc1, 0x94, 0x8d, 0x42, 0x3f, 0xb8, 0x63, 0xef, ++ 0xb1, 0x1b, 0x60, 0x4f, 0xfa, 0xfa, 0xbb, 0x57, ++ 0x28, 0x27, 0x4d, 0x78, 0xa4, 0x3d, 0x7a, 0xd8, ++ 0xab, 0x2e, 0x7d, 0x8b, 0xd3, 0xa9, 0x78, 0x74, ++ 0xfe, 0x3a, 0x08, 0x5f, 0xe3, 0xf5, 0x5a, 0xfa, ++ 0xa6, 0x93, 0x67, 0xea, 0xae, 0x5e, 0xd6, 0xc5, ++ 0xa1, 0xab, 0x0a, 0x1e, 0x78, 0xe7, 0xdd, 0xbc, ++ 0xae, 0xb7, 0x3e, 0x7d, 0x8b, 0xd8, 0x66, 0x92, ++ 0x38, 0x1b, 0x96, 0xeb, 0xcb, 0xcb, 0x6a, 0xcc, ++ 0xd8, 0x42, 0x80, 0x66, 0xa9, 0xa2, 0x75, 0xeb, ++ 0xe4, 0x79, 0x11, 0x7a, 0xca, 0x84, 0x77, 0x7a, ++ 0xe6, 0xe2, 0x13, 0xb1, 0x90, 0xd3, 0x0f, 0x87, ++ 0x2a, 0x0f, 0xf5, 0x17, 0x61, 0x15, 0x05, 0x31, ++ 0x5f, 0xdf, 0xb4, 0x8e, 0xf3, 0x21, 0x27, 0x6a, ++ 0x69, 0xdc, 0x52, 0x79, 0x64, 0x51, 0x1f, 0xc0, ++ 0xed, 0x55, 0x57, 0xd9, 0x5c, 0x6f, 0xdb, 0xaa, ++ 0x08, 0x44, 0xb9, 0x71, 0x71, 0x15, 0x27, 0xe8, ++ 0xe9, 0x42, 0x78, 0xc1, 0xc4, 0xc0, 0xbd, 0x28, ++ 0x23, 0xa1, 0x30, 0x57, 0xf0, 0x2e, 0x24, 0xf0, ++ 0x34, 0x17, 0x97, 0x1c, 0x4c, 0x2a, 0x98, 0x76, ++ 0x3d, 0x50, 0x7f, 0x32, 0xa2, 0x25, 0x94, 0x9e, ++ 0x1e, 0xbc, 0x97, 0x96, 0xd6, 0x14, 0x61, 0x5b ++}; ++ + int FIPS_selftest_dh() + { + DH *dh = NULL; +@@ -127,6 +162,7 @@ int FIPS_selftest_dh() + int len; + BIGNUM *p = NULL, *g = NULL, *priv_key = NULL, *tmp_pub_key = NULL; + const BIGNUM *pub_key; ++ unsigned char *shared_secret = NULL; + + fips_load_key_component(p, dh_test_2048); + fips_load_key_component(g, dh_test_2048); +@@ -162,6 +198,19 @@ int FIPS_selftest_dh() + memcmp(pub_key_bin, dh_test_2048_pub_key, len) != 0) + goto err; + ++ /* Shared secret KAT test */ ++ len = DH_size(dh); ++ if ((shared_secret = OPENSSL_malloc(len)) == NULL) ++ goto err; ++ ++ if ((len = DH_compute_key(shared_secret, pub_key, dh)) == -1) ++ goto err; ++ ++ if (len != sizeof(dh_test_2048_shared_secret) || ++ (memcmp(shared_secret, dh_test_2048_shared_secret, len) != 0)) { ++ goto err; ++ } ++ + ret = 1; + + err: +@@ -175,6 +224,7 @@ int FIPS_selftest_dh() + } + + OPENSSL_free(pub_key_bin); ++ OPENSSL_free(shared_secret); + return ret; + } + #endif diff --git a/openssl-fips-dont_run_FIPS_module_installed.patch b/openssl-fips-dont_run_FIPS_module_installed.patch deleted file mode 100644 index ad0d8d4..0000000 --- a/openssl-fips-dont_run_FIPS_module_installed.patch +++ /dev/null @@ -1,14 +0,0 @@ -Index: openssl-1.1.1d/crypto/o_init.c -=================================================================== ---- openssl-1.1.1d.orig/crypto/o_init.c 2020-01-23 13:45:11.336633643 +0100 -+++ openssl-1.1.1d/crypto/o_init.c 2020-01-23 13:45:21.316692954 +0100 -@@ -63,9 +63,6 @@ void __attribute__ ((constructor)) OPENS - if (done) - return; - done = 1; -- if (!FIPS_module_installed()) { -- return; -- } - init_fips_mode(); - } - #endif diff --git a/openssl-fips-kdf-hkdf-selftest.patch b/openssl-fips-kdf-hkdf-selftest.patch new file mode 100644 index 0000000..5e2a369 --- /dev/null +++ b/openssl-fips-kdf-hkdf-selftest.patch @@ -0,0 +1,103 @@ +Index: openssl-1.1.1m/crypto/fips/fips_err.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_err.h ++++ openssl-1.1.1m/crypto/fips/fips_err.h +@@ -114,6 +114,7 @@ static ERR_STRING_DATA FIPS_str_functs[] + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS), "FIPS_selftest_tls"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSH), "FIPS_selftest_ssh"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HKDF), "FIPS_selftest_hkdf"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, +Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_kdf_selftest.c ++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +@@ -16,6 +16,49 @@ + #include + + #ifdef OPENSSL_FIPS ++ ++int FIPS_selftest_hkdf(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[10]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_HKDF)) == NULL) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, "secret", (size_t)6) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_HKDF_INFO, ++ "label", (size_t)5) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ goto err; ++ } ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0x2a, 0xc4, 0x36, 0x9f, 0x52, 0x59, 0x96, 0xf8, 0xde, 0x13 ++ }; ++ if (memcmp(out, expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_HKDF, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + int FIPS_selftest_pbkdf2(void) + { + int ret = 0; +Index: openssl-1.1.1m/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1m/crypto/fips/fips_post.c +@@ -110,6 +110,8 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_ssh()) + rv = 0; ++ if (!FIPS_selftest_hkdf()) ++ rv = 0; + + return rv; + } +Index: openssl-1.1.1m/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/fips.h ++++ openssl-1.1.1m/include/openssl/fips.h +@@ -127,6 +127,7 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_PBKDF2 152 + # define FIPS_F_FIPS_SELFTEST_TLS 153 + # define FIPS_F_FIPS_SELFTEST_SSH 154 ++# define FIPS_F_FIPS_SELFTEST_HKDF 155 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 +Index: openssl-1.1.1m/include/crypto/fips_int.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/fips_int.h ++++ openssl-1.1.1m/include/crypto/fips_int.h +@@ -79,6 +79,7 @@ int FIPS_selftest_cmac(void); + int FIPS_selftest_pbkdf2(void); + int FIPS_selftest_tls(void); + int FIPS_selftest_ssh(void); ++int FIPS_selftest_hkdf(void); + + int fips_in_post(void); + diff --git a/openssl-fips_fix_selftests_return_value.patch b/openssl-fips_fix_selftests_return_value.patch deleted file mode 100644 index 1598f9a..0000000 --- a/openssl-fips_fix_selftests_return_value.patch +++ /dev/null @@ -1,27 +0,0 @@ -Index: openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c -=================================================================== ---- openssl-1.1.1d.orig/crypto/fips/fips_dsa_selftest.c 2020-02-17 10:40:18.006796026 +0100 -+++ openssl-1.1.1d/crypto/fips/fips_dsa_selftest.c 2020-02-17 10:40:18.946801354 +0100 -@@ -150,7 +150,7 @@ int FIPS_selftest_dsa() - { - DSA *dsa = NULL; - EVP_PKEY *pk = NULL; -- int ret = -1; -+ int ret = 0; - BIGNUM *p = NULL, *q = NULL, *g = NULL, *pub_key = NULL, *priv_key = NULL; - - fips_load_key_component(p, dsa_test_2048); -Index: openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c -=================================================================== ---- openssl-1.1.1d.orig/crypto/fips/fips_ecdh_selftest.c 2020-02-17 10:40:18.006796026 +0100 -+++ openssl-1.1.1d/crypto/fips/fips_ecdh_selftest.c 2020-02-17 10:40:18.950801378 +0100 -@@ -221,6 +221,9 @@ int FIPS_selftest_ecdh(void) - } - - err: -+ if (rv == -1) { -+ rv = 0; -+ } - - if (x) - BN_clear_free(x); diff --git a/openssl-kdf-selftest.patch b/openssl-kdf-selftest.patch new file mode 100644 index 0000000..5fdcdf8 --- /dev/null +++ b/openssl-kdf-selftest.patch @@ -0,0 +1,131 @@ +Index: openssl-1.1.1m/crypto/fips/build.info +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/build.info ++++ openssl-1.1.1m/crypto/fips/build.info +@@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\ + fips_post.c drbgtest.c fips_drbg_ctr.c fips_drbg_hash.c fips_drbg_hmac.c \ + fips_drbg_lib.c fips_drbg_rand.c fips_drbg_selftest.c fips_rand_lib.c \ + fips_cmac_selftest.c fips_ecdh_selftest.c fips_ecdsa_selftest.c \ +- fips_dh_selftest.c fips_ers.c ++ fips_dh_selftest.c fips_kdf_selftest.c fips_ers.c + + PROGRAMS=\ + fips_standalone_hmac +Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- /dev/null ++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +@@ -0,0 +1,64 @@ ++/* ++ * Copyright 2018-2019 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright (c) 2018-2019, Oracle and/or its affiliates. All rights reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++ ++#include ++#include ++ ++#ifdef OPENSSL_FIPS ++int FIPS_selftest_pbkdf2(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[32]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_PBKDF2)) == NULL) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_PASS, "password", (size_t)8) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SALT, "salt", (size_t)4) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_ITER, 2) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) { ++ goto err; ++ } ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) { ++ goto err; ++ } ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0xae, 0x4d, 0x0c, 0x95, 0xaf, 0x6b, 0x46, 0xd3, ++ 0x2d, 0x0a, 0xdf, 0xf9, 0x28, 0xf0, 0x6d, 0xd0, ++ 0x2a, 0x30, 0x3f, 0x8e, 0xf3, 0xc2, 0x51, 0xdf, ++ 0xd6, 0xe2, 0xd8, 0x5a, 0x95, 0x47, 0x4c, 0x43 ++ }; ++ if (memcmp(out, expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++ ++err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_PBKDF2, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ ++#endif +Index: openssl-1.1.1m/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1m/crypto/fips/fips_post.c +@@ -104,6 +104,8 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_ecdh()) + rv = 0; ++ if (!FIPS_selftest_pbkdf2()) ++ rv = 0; + return rv; + } + +Index: openssl-1.1.1m/include/crypto/fips_int.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/fips_int.h ++++ openssl-1.1.1m/include/crypto/fips_int.h +@@ -76,6 +76,7 @@ void FIPS_drbg_stick(int onoff); + int FIPS_selftest_hmac(void); + int FIPS_selftest_drbg(void); + int FIPS_selftest_cmac(void); ++int FIPS_selftest_pbkdf2(void); + + int fips_in_post(void); + +Index: openssl-1.1.1m/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/fips.h ++++ openssl-1.1.1m/include/openssl/fips.h +@@ -124,6 +124,7 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_DSA 112 + # define FIPS_F_FIPS_SELFTEST_ECDSA 133 + # define FIPS_F_FIPS_SELFTEST_HMAC 113 ++# define FIPS_F_FIPS_SELFTEST_PBKDF2 152 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 +Index: openssl-1.1.1m/crypto/fips/fips_err.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_err.h ++++ openssl-1.1.1m/crypto/fips/fips_err.h +@@ -111,6 +111,7 @@ static ERR_STRING_DATA FIPS_str_functs[] + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_DSA), "FIPS_selftest_dsa"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, diff --git a/openssl-kdf-ssh-selftest.patch b/openssl-kdf-ssh-selftest.patch new file mode 100644 index 0000000..363e6b3 --- /dev/null +++ b/openssl-kdf-ssh-selftest.patch @@ -0,0 +1,122 @@ +Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_kdf_selftest.c ++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +@@ -101,4 +101,68 @@ err: + return ret; + } + ++int FIPS_selftest_ssh(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[8]; ++ ++ /* Test data from NIST CAVS 14.1 test vectors */ ++ const unsigned char key[] = { ++ 0x00, 0x00, 0x00, 0x81, 0x00, 0x87, 0x5c, 0x55, 0x1c, 0xef, 0x52, 0x6a, ++ 0x4a, 0x8b, 0xe1, 0xa7, 0xdf, 0x27, 0xe9, 0xed, 0x35, 0x4b, 0xac, 0x9a, ++ 0xfb, 0x71, 0xf5, 0x3d, 0xba, 0xe9, 0x05, 0x67, 0x9d, 0x14, 0xf9, 0xfa, ++ 0xf2, 0x46, 0x9c, 0x53, 0x45, 0x7c, 0xf8, 0x0a, 0x36, 0x6b, 0xe2, 0x78, ++ 0x96, 0x5b, 0xa6, 0x25, 0x52, 0x76, 0xca, 0x2d, 0x9f, 0x4a, 0x97, 0xd2, ++ 0x71, 0xf7, 0x1e, 0x50, 0xd8, 0xa9, 0xec, 0x46, 0x25, 0x3a, 0x6a, 0x90, ++ 0x6a, 0xc2, 0xc5, 0xe4, 0xf4, 0x8b, 0x27, 0xa6, 0x3c, 0xe0, 0x8d, 0x80, ++ 0x39, 0x0a, 0x49, 0x2a, 0xa4, 0x3b, 0xad, 0x9d, 0x88, 0x2c, 0xca, 0xc2, ++ 0x3d, 0xac, 0x88, 0xbc, 0xad, 0xa4, 0xb4, 0xd4, 0x26, 0xa3, 0x62, 0x08, ++ 0x3d, 0xab, 0x65, 0x69, 0xc5, 0x4c, 0x22, 0x4d, 0xd2, 0xd8, 0x76, 0x43, ++ 0xaa, 0x22, 0x76, 0x93, 0xe1, 0x41, 0xad, 0x16, 0x30, 0xce, 0x13, 0x14, ++ 0x4e ++ }; ++ const unsigned char xcghash[] = { ++ 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23, ++ 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7, ++ 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42 ++ }; ++ const unsigned char sessid[] = { ++ 0x0e, 0x68, 0x3f, 0xc8, 0xa9, 0xed, 0x7c, 0x2f, 0xf0, 0x2d, 0xef, 0x23, ++ 0xb2, 0x74, 0x5e, 0xbc, 0x99, 0xb2, 0x67, 0xda, 0xa8, 0x6a, 0x4a, 0xa7, ++ 0x69, 0x72, 0x39, 0x08, 0x82, 0x53, 0xf6, 0x42 ++ }; ++ const unsigned char expected[sizeof(out)] = { ++ 0x41, 0xff, 0x2e, 0xad, 0x16, 0x83, 0xf1, 0xe6 ++ }; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_SSHKDF)) == NULL) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_KEY, key, sizeof(key)) <= 0) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_XCGHASH, xcghash, ++ sizeof(xcghash)) <= 0) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_SESSION_ID, sessid, ++ sizeof(sessid)) <= 0) ++ goto err; ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_SSHKDF_TYPE, ++ (int)EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV) <= 0) ++ goto err; ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) ++ goto err; ++ if (memcmp(out, expected, sizeof(expected))) ++ goto err; ++ ++ ret = 1; ++ ++ err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_SSH, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + #endif +Index: openssl-1.1.1m/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1m/crypto/fips/fips_post.c +@@ -108,6 +108,8 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_tls()) + rv = 0; ++ if (!FIPS_selftest_ssh()) ++ rv = 0; + + return rv; + } +Index: openssl-1.1.1m/include/crypto/fips_int.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/fips_int.h ++++ openssl-1.1.1m/include/crypto/fips_int.h +@@ -78,6 +78,7 @@ int FIPS_selftest_drbg(void); + int FIPS_selftest_cmac(void); + int FIPS_selftest_pbkdf2(void); + int FIPS_selftest_tls(void); ++int FIPS_selftest_ssh(void); + + int fips_in_post(void); + +Index: openssl-1.1.1m/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/fips.h ++++ openssl-1.1.1m/include/openssl/fips.h +@@ -126,6 +126,7 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_HMAC 113 + # define FIPS_F_FIPS_SELFTEST_PBKDF2 152 + # define FIPS_F_FIPS_SELFTEST_TLS 153 ++# define FIPS_F_FIPS_SELFTEST_SSH 154 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 +Index: openssl-1.1.1m/crypto/fips/fips_err.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_err.h ++++ openssl-1.1.1m/crypto/fips/fips_err.h +@@ -113,6 +113,7 @@ static ERR_STRING_DATA FIPS_str_functs[] + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS), "FIPS_selftest_tls"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SSH), "FIPS_selftest_ssh"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, diff --git a/openssl-kdf-tls-selftest.patch b/openssl-kdf-tls-selftest.patch new file mode 100644 index 0000000..9ee4659 --- /dev/null +++ b/openssl-kdf-tls-selftest.patch @@ -0,0 +1,99 @@ +Index: openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_kdf_selftest.c ++++ openssl-1.1.1m/crypto/fips/fips_kdf_selftest.c +@@ -61,4 +61,44 @@ err: + return ret; + } + ++int FIPS_selftest_tls(void) ++{ ++ int ret = 0; ++ EVP_KDF_CTX *kctx; ++ unsigned char out[16]; ++ ++ if ((kctx = EVP_KDF_CTX_new_id(EVP_KDF_TLS1_PRF)) == NULL) ++ goto err; ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_MD, EVP_sha256()) <= 0) ++ goto err; ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_SET_TLS_SECRET, ++ "secret", (size_t)6) <= 0) ++ goto err; ++ ++ if (EVP_KDF_ctrl(kctx, EVP_KDF_CTRL_ADD_TLS_SEED, "seed", (size_t)4) <= 0) ++ goto err; ++ ++ if (EVP_KDF_derive(kctx, out, sizeof(out)) <= 0) ++ goto err; ++ ++ { ++ const unsigned char expected[sizeof(out)] = { ++ 0x8e, 0x4d, 0x93, 0x25, 0x30, 0xd7, 0x65, 0xa0, ++ 0xaa, 0xe9, 0x74, 0xc3, 0x04, 0x73, 0x5e, 0xcc ++ }; ++ if (memcmp(out, expected, sizeof(expected))) { ++ goto err; ++ } ++ } ++ ret = 1; ++ ++err: ++ if (!ret) ++ FIPSerr(FIPS_F_FIPS_SELFTEST_TLS, FIPS_R_SELFTEST_FAILED); ++ EVP_KDF_CTX_free(kctx); ++ return ret; ++} ++ + #endif +Index: openssl-1.1.1m/crypto/fips/fips_post.c +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_post.c ++++ openssl-1.1.1m/crypto/fips/fips_post.c +@@ -106,6 +106,9 @@ int FIPS_selftest(void) + rv = 0; + if (!FIPS_selftest_pbkdf2()) + rv = 0; ++ if (!FIPS_selftest_tls()) ++ rv = 0; ++ + return rv; + } + +Index: openssl-1.1.1m/include/crypto/fips_int.h +=================================================================== +--- openssl-1.1.1m.orig/include/crypto/fips_int.h ++++ openssl-1.1.1m/include/crypto/fips_int.h +@@ -77,6 +77,7 @@ int FIPS_selftest_hmac(void); + int FIPS_selftest_drbg(void); + int FIPS_selftest_cmac(void); + int FIPS_selftest_pbkdf2(void); ++int FIPS_selftest_tls(void); + + int fips_in_post(void); + +Index: openssl-1.1.1m/include/openssl/fips.h +=================================================================== +--- openssl-1.1.1m.orig/include/openssl/fips.h ++++ openssl-1.1.1m/include/openssl/fips.h +@@ -125,6 +125,7 @@ extern "C" { + # define FIPS_F_FIPS_SELFTEST_ECDSA 133 + # define FIPS_F_FIPS_SELFTEST_HMAC 113 + # define FIPS_F_FIPS_SELFTEST_PBKDF2 152 ++# define FIPS_F_FIPS_SELFTEST_TLS 153 + # define FIPS_F_FIPS_SELFTEST_SHA1 115 + # define FIPS_F_FIPS_SELFTEST_SHA2 105 + # define FIPS_F_OSSL_ECDSA_SIGN_SIG 143 +Index: openssl-1.1.1m/crypto/fips/fips_err.h +=================================================================== +--- openssl-1.1.1m.orig/crypto/fips/fips_err.h ++++ openssl-1.1.1m/crypto/fips/fips_err.h +@@ -112,6 +112,7 @@ static ERR_STRING_DATA FIPS_str_functs[] + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_ECDSA), "FIPS_selftest_ecdsa"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_HMAC), "FIPS_selftest_hmac"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_PBKDF2), "FIPS_selftest_pbkdf2"}, ++ {ERR_FUNC(FIPS_F_FIPS_SELFTEST_TLS), "FIPS_selftest_tls"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA1), "FIPS_selftest_sha1"}, + {ERR_FUNC(FIPS_F_FIPS_SELFTEST_SHA2), "FIPS_selftest_sha2"}, + {ERR_FUNC(FIPS_F_OSSL_ECDSA_SIGN_SIG), "ossl_ecdsa_sign_sig"}, diff --git a/openssl-no-date.patch b/openssl-no-date.patch new file mode 100644 index 0000000..c910674 --- /dev/null +++ b/openssl-no-date.patch @@ -0,0 +1,13 @@ +Index: openssl-1.1.1-pre1/util/mkbuildinf.pl +=================================================================== +--- openssl-1.1.1-pre1.orig/util/mkbuildinf.pl 2018-02-13 16:31:28.011389734 +0100 ++++ openssl-1.1.1-pre1/util/mkbuildinf.pl 2018-02-13 16:31:51.539764582 +0100 +@@ -28,7 +28,7 @@ print <<"END_OUTPUT"; + */ + + #define PLATFORM "platform: $platform" +-#define DATE "built on: $date" ++#define DATE "" + + /* + * Generate compiler_flags as an array of individual characters. This is a diff --git a/openssl-s_client-check-ocsp-status.patch b/openssl-s_client-check-ocsp-status.patch new file mode 100644 index 0000000..cbd4161 --- /dev/null +++ b/openssl-s_client-check-ocsp-status.patch @@ -0,0 +1,492 @@ +commit c43f598838acaf3b98df4fce4b6babb663d2f902 +Author: Otto Hollmann +Date: Fri Jun 30 11:15:30 2023 +0200 + + Add OCSP_RESPONSE_check_status(), a function to check OCSP response for revoked certificate in s_client. + +--- + apps/s_client.c | 10 + + crypto/ocsp/ocsp_vfy.c | 31 +++++ + doc/man3/OCSP_response_status.pod | 15 ++ + include/openssl/ocsp.h | 1 + test/recipes/80-test_ocsp_check.t | 90 +++++++++++++++++ + test/recipes/80-test_ocsp_check_data/ca.pem | 19 +++ + test/recipes/80-test_ocsp_check_data/index-revoked.txt | 2 + test/recipes/80-test_ocsp_check_data/index-valid.txt | 2 + test/recipes/80-test_ocsp_check_data/ocsp.key | 28 +++++ + test/recipes/80-test_ocsp_check_data/ocsp.pem | 75 ++++++++++++++ + test/recipes/80-test_ocsp_check_data/server.key | 28 +++++ + test/recipes/80-test_ocsp_check_data/server.pem | 75 ++++++++++++++ + util/libcrypto.num | 1 + 13 files changed, 372 insertions(+), 5 deletions(-) + +--- a/apps/s_client.c ++++ b/apps/s_client.c +@@ -3390,7 +3390,7 @@ static void print_stuff(BIO *bio, SSL *s + static int ocsp_resp_cb(SSL *s, void *arg) + { + const unsigned char *p; +- int len; ++ int len, ret; + OCSP_RESPONSE *rsp; + len = SSL_get_tlsext_status_ocsp_resp(s, &p); + BIO_puts(arg, "OCSP response: "); +@@ -3407,8 +3407,14 @@ static int ocsp_resp_cb(SSL *s, void *ar + BIO_puts(arg, "\n======================================\n"); + OCSP_RESPONSE_print(arg, rsp, 0); + BIO_puts(arg, "======================================\n"); ++ ret = OCSP_RESPONSE_check_status(rsp); + OCSP_RESPONSE_free(rsp); +- return 1; ++ if (ret <= -1) { ++ BIO_puts(arg, "unable to verify OCSP response\n"); ++ } else if (ret == 0) { ++ BIO_puts(arg, "revoked certificate found in OCSP response\n"); ++ } ++ return ret; + } + # endif + +--- a/crypto/ocsp/ocsp_vfy.c ++++ b/crypto/ocsp/ocsp_vfy.c +@@ -433,3 +433,34 @@ static int ocsp_req_find_signer(X509 **p + } + return 0; + } ++ ++/* ++ * Check an OCSP response for revoked certificate. Return a negative value on ++ * error; 0 if the response is not acceptable (in which case the handshake ++ * will fail) or a positive value if it is acceptable (no revoked certificate ++ * is found). ++ */ ++ ++int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o) ++{ ++ int i; ++ OCSP_BASICRESP *br = NULL; ++ OCSP_RESPDATA *rd = NULL; ++ OCSP_SINGLERESP *single = NULL; ++ OCSP_RESPBYTES *rb = o->responseBytes; ++ if (rb == NULL) ++ return -1; ++ if (OBJ_obj2nid(rb->responseType) != NID_id_pkix_OCSP_basic) ++ return -1; ++ if ((br = OCSP_response_get1_basic(o)) == NULL) ++ return -1; ++ rd = &br->tbsResponseData; ++ for (i = 0; i < sk_OCSP_SINGLERESP_num(rd->responses); i++) { ++ if (!sk_OCSP_SINGLERESP_value(rd->responses, i)) ++ continue; ++ single = sk_OCSP_SINGLERESP_value(rd->responses, i); ++ if (single->certStatus->type == V_OCSP_CERTSTATUS_REVOKED) ++ return 0; ++ } ++ return 1; ++} +--- a/doc/man3/OCSP_response_status.pod ++++ b/doc/man3/OCSP_response_status.pod +@@ -2,8 +2,8 @@ + + =head1 NAME + +-OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create, +-OCSP_RESPONSE_free, OCSP_RESPID_set_by_name, ++OCSP_response_status, OCSP_RESPONSE_check_status, OCSP_response_get1_basic, ++OCSP_response_create, OCSP_RESPONSE_free, OCSP_RESPID_set_by_name, + OCSP_RESPID_set_by_key, OCSP_RESPID_match, + OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions + +@@ -12,6 +12,7 @@ OCSP_basic_sign, OCSP_basic_sign_ctx - O + #include + + int OCSP_response_status(OCSP_RESPONSE *resp); ++ int OCSP_RESPONSE_check_status(OCSP_RESPONSE *resp); + OCSP_BASICRESP *OCSP_response_get1_basic(OCSP_RESPONSE *resp); + OCSP_RESPONSE *OCSP_response_create(int status, OCSP_BASICRESP *bs); + void OCSP_RESPONSE_free(OCSP_RESPONSE *resp); +@@ -34,6 +35,10 @@ B + B, B + B, or B. + ++OCSP_RESPONSE_check_status() check status of the OCSP response I. It ++returns a negative value on error; 0 if the response is not acceptable ++(e.g. contains revoked certificate) or a positive value if it is acceptable. ++ + OCSP_response_get1_basic() decodes and returns the B structure + contained in B. + +@@ -65,7 +70,11 @@ uses the parameters contained in digest + + =head1 RETURN VALUES + +-OCSP_RESPONSE_status() returns a status value. ++OCSP_response_status() returns a status value. ++ ++OCSP_RESPONSE_check_status() returns a result of check - negative value on ++error; 0 if the response is not acceptable; positive value if response is ++acceptable. + + OCSP_response_get1_basic() returns an B structure pointer or + B if an error occurred. +--- a/include/openssl/ocsp.h ++++ b/include/openssl/ocsp.h +@@ -340,6 +340,7 @@ const char *OCSP_crl_reason_str(long s); + + int OCSP_REQUEST_print(BIO *bp, OCSP_REQUEST *a, unsigned long flags); + int OCSP_RESPONSE_print(BIO *bp, OCSP_RESPONSE *o, unsigned long flags); ++int OCSP_RESPONSE_check_status(OCSP_RESPONSE *o); + + int OCSP_basic_verify(OCSP_BASICRESP *bs, STACK_OF(X509) *certs, + X509_STORE *st, unsigned long flags); +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check.t +@@ -0,0 +1,90 @@ ++#! /usr/bin/env perl ++# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++use strict; ++use warnings; ++ ++use IPC::Open2; ++use OpenSSL::Test qw/:DEFAULT srctop_file bldtop_file/; ++use OpenSSL::Test::Utils; ++ ++setup("test_ocsp_check"); ++ ++plan tests => 2; ++ ++my $shlib_wrap = bldtop_file("util", "shlib_wrap.sh"); ++my $apps_openssl = bldtop_file("apps", "openssl"); ++my $ca = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ca.pem"); ++my $ca_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ca.key"); ++my $ocsp = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ocsp.pem"); ++my $ocsp_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "ocsp.key"); ++my $server = srctop_file("test", "recipes", "80-test_ocsp_check_data", "server.pem"); ++my $server_key = srctop_file("test", "recipes", "80-test_ocsp_check_data", "server.key"); ++my $index; ++my $ocsp_port = 9999; ++my $https_port = 8443; ++# 20 July 2023 so we don't get certificate expiry errors. ++my @check_time=("-attime", "1689811200"); ++ ++sub run_test { ++ my $id = shift; ++ my $connect_good = 0; ++ ++ if ($id == 0) { ++ $index = srctop_file("test", "recipes", "80-test_ocsp_check_data", "index-valid.txt"); ++ } ++ if ($id == 1) { ++ $index = srctop_file("test", "recipes", "80-test_ocsp_check_data", "index-revoked.txt"); ++ } ++ # OCSP responder ++ my @o_cmd = ("ocsp", "-index", $index, "-port", "$ocsp_port", "-rsigner", $ocsp, "-rkey", $ocsp_key, "-CA", $ca, "-nrequest", "1", @check_time); ++ # server ++ my @s_cmd = ("s_server", "-www", "-status_url", "http://127.0.0.1:$ocsp_port", "-accept", "$https_port", "-cert", $server, "-key", $server_key, "-state", "-CAfile", $ca, "-naccept", "1", @check_time); ++ # client ++ my @c_cmd = ("s_client", "-connect", ":$https_port", "-CAfile", $ca, "-status", "-verify_return_error", "-strict", @check_time); ++ ++ # Run the OCSP responder ++ my $o_pid = open2(my $o_out, my $o_in, $shlib_wrap, $apps_openssl, @o_cmd); ++ ++ # Start up the server ++ my $s_pid = open2(my $s_out, my $s_in, $shlib_wrap, $apps_openssl, @s_cmd); ++ while (<$s_out>) { ++ chomp; ++ if (/^ACCEPT$/) { ++ print "Server ready\n"; ++ last; ++ } ++ } ++ ++ # Start up the client ++ my $c_pid = open2(my $c_out, my $c_in, $shlib_wrap, $apps_openssl, @c_cmd); ++ if ($id == 0) { ++ # Do the "GET", which will cause the client to finish ++ print $c_in "GET /\r\n"; ++ } ++ ++ waitpid($c_pid, 0); ++ waitpid($s_pid, 0); ++ waitpid($o_pid, 0); ++ ++ # Check the client output ++ while (<$c_out>) { ++ chomp; ++ if ($id == 0) { ++ $connect_good = 1 if /^Content-type: text/; ++ } ++ if ($id == 1) { ++ $connect_good = 1 if /^revoked certificate found in OCSP response/; ++ } ++ } ++ print STDERR "Connection failed\n" if ! ok($connect_good); ++} ++ ++for my $index (0..1) { ++ run_test($index) ++} +\ No newline at end of file +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/ca.pem +@@ -0,0 +1,19 @@ ++-----BEGIN CERTIFICATE----- ++MIIDBTCCAe2gAwIBAgIUZot4eag1ZaofYsMIB7HIzq8+zGEwDQYJKoZIhvcNAQEL ++BQAwEjEQMA4GA1UEAwwHUm9vdCBDQTAeFw0yMzA3MTIwOTI5NDdaFw0zMzA3MDkw ++OTI5NDdaMBIxEDAOBgNVBAMMB1Jvb3QgQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IB ++DwAwggEKAoIBAQDRRSlP0gUVVlzMkEtVzX95n5lM+P36lyNgevKqY1Dl3ygPAzaq ++HRUBsgcxdDwWwMPO2u5UJOWaQ80nwFGROwX8WrRoBTvsUZ+URyXx98tHrhnD6wI9 ++v30xYGN0RU2Ef2XnMvThhKRQVZJJWAHFPWZdPes0/g3H4FGJudOQJUHpiDD1UEF+ ++cWxyujhVbvBFCX+mBS+r/tn75axjsUqmbxwCE7TK3CD0JdvlLUYxtybvozYoONot ++/mFleCMmPaTzPHan+iXNHp4Tn+3Ssndo3uiTr0pEbGgSOy2PppbZmv0ml0+CSLN4 ++G8VaBBf7VTMayowEmmDgTpsOTi9tJqW2CcGzAgMBAAGjUzBRMB0GA1UdDgQWBBRj ++L87V9mqTdWYMCNNBb6Hay7OwPjAfBgNVHSMEGDAWgBRjL87V9mqTdWYMCNNBb6Ha ++y7OwPjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQC09qzufLI/ ++AoBscY8e9Q4pRhzeVVAKQ6yAZiO2O0o3trI5xKqD3iD0pOC7Mbfg0e0lneK6ovpd ++J178HwF4PMdiwvPH0KkAf0DaB96nC6U6oGQmItq8668jeVBjat0UCP3xiLmLhhAl ++mnnsgFC1eALmpWQPVlixUaXF4ri3R0QBUcc2kIV5zr1P3LJVboMSgCZULvrlfQLC ++kA0GdCCf6h08AFHRaIW8EE3I1IHNZc7eQcmnCLewHU5cPAYJ69GjhblSLS8kbpXK ++k7BllPLkk99zc/94okTasTjUkmha3RhRqMNL8jrYVc1m7H4U+4XUyh1y4C4Nmz18 ++fBbrMxN2SCXM ++-----END CERTIFICATE----- +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/index-revoked.txt +@@ -0,0 +1,2 @@ ++V 240711093229Z 1000 unknown /CN=OCSP ++R 240711093313Z 230621000000Z 1001 unknown /CN=Server +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/index-valid.txt +@@ -0,0 +1,2 @@ ++V 240711093229Z 1000 unknown /CN=OCSP ++V 240711093313Z 1001 unknown /CN=Server +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/ocsp.key +@@ -0,0 +1,28 @@ ++-----BEGIN PRIVATE KEY----- ++MIIEvgIBADANBgkqhkiG9w0BAQEFAASCBKgwggSkAgEAAoIBAQDZ2OLi8cpvoinQ ++bs4YEmk9GdQNcg9+zBRHy/YRJF+bbdreINweLYigHg2D3rcJnrjXkNAmd08aD0x+ ++4iq58Tvy5P48VZ+c1R3XUs1YQR20sKgnM8w+uF2SXxX18Idy31pNErYh3J8jVpBi ++moMP9dC22iNB4kTKf1ORM6HaKnHM8wg3JzXv9lVoIQgAgyAmJOoQXhQ8Kn1AOj3j ++vp1Jgm2hI4e2MTjgjraT9sKxPXIZkKnTwnZX88MpE9HvsQ7XV2CdYmMry+L69X68 ++bl3S1eisDjeIvHPtz6TenZs7wxbupy7OtdOKRxa/mDh9C76XHiNPoukUF1NVZ93S ++647ud7enAgMBAAECggEAFy+JbQxn9nwExZ2Cy4wWGFM0lF5vPhhmu4IpRTIhB4Vo ++gIYbIg5y6/vBhidWRYICUVXP2ZrkLTVd97kxlqBmuCzdeZAcEKXxavacoAfaK142 ++n2mDaP+CsgPzGJMfj2nXOLxvlxNd+qBey1J/oDC8+eEl/yqfwLT5hiA/2dz08hI6 ++IU0BudOB6H5iBK74MJsubdm0tsY4iqTykXeiR+n5dvVGDXLUX74BDHlD9O7AAo10 ++h74Vw22luigsV0spCVLoOYy6z9KMkOaHZRruPmF3UCsfJZFY2y6uMapvbdgUavr9 ++5fpsx40ep/mjRkYainHfJK1YkV/AoTxKjPQu2owJIQKBgQD0akN75lGXaAMQ0oEA ++1UrvZg75BQxPN+3qVtyynoQGVh58uRIaeG4DQdtc4nNPYI6o6NGbJk4T4wXU7W/3 ++XUr+U/LdSGpHfM9gXGCUNgoJeUKY3NLUGdE4DIGDiJrmJfd5NDj37+PAQUTLBO49 ++A0+BPnictZPffXuXCGL7lt7hYQKBgQDkLD9jV6HNtv8pAxFdQM+89NhWZCvpuTAs ++rihG3ebblBotMuGsrZDJ75UKq5wPEGCZWDc5q2h8L6CiyQF7Vht4/pi4NEhsA9My ++5hOGUJJVvvFmEIYz0GoCGqoDqag1XpKx8MYMvcc52bhzsYCy+dpnqraISeyiFPLM ++hdy+3jROBwKBgAqKEoLjOZ13xLoS+bEZgXO1SOwABbncxYuXV0j0gOjtCb+DE37E ++tqm5S0ZEFYjUtxIdh/xSuIcvAO9flbZq9XLmF9Dm8H5IqYCUOy3o7qHd8rs4unae ++7mCmWWdcmqFV/cfiMpquY3nE1rySZ9uFqwX9taG8SrYWaR/oIqyKou3BAoGBAJgX ++2oT4s/UxJzKKRffYLOEygEZN7WuVMsSFrnlWjv0M4soAIaf95gaFOd7r91GfRBTT ++VbSOSk6FXNlFjUROaG+lnd0jlKbTgeNqs9cTPAgGCFlVaG9/XDpc1bktTN+OU9Bi ++w1FY60TnmOkdh8FFhM0XYSbFyANeXV3xWOytp0XfAoGBAO2FkR3oGd3DSJmeljwJ ++HciEmlYCk38z93mZXiDTh4axS+mxAMYVRXt0dDUveyImlpcGi9coYmQPEzgk6spQ ++DOeRzRQcWQWfny9/UoGFU/Kv6QmpteAWaSjinBWKONx9d5AGzAkzms79tS8JMeL5 +++wlkyD8NclbRA+ILu+V8HLed ++-----END PRIVATE KEY----- +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/ocsp.pem +@@ -0,0 +1,75 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 4096 (0x1000) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: CN=Root CA ++ Validity ++ Not Before: Jul 12 09:32:29 2023 GMT ++ Not After : Jul 11 09:32:29 2024 GMT ++ Subject: CN=OCSP ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (2048 bit) ++ Modulus: ++ 00:d9:d8:e2:e2:f1:ca:6f:a2:29:d0:6e:ce:18:12: ++ 69:3d:19:d4:0d:72:0f:7e:cc:14:47:cb:f6:11:24: ++ 5f:9b:6d:da:de:20:dc:1e:2d:88:a0:1e:0d:83:de: ++ b7:09:9e:b8:d7:90:d0:26:77:4f:1a:0f:4c:7e:e2: ++ 2a:b9:f1:3b:f2:e4:fe:3c:55:9f:9c:d5:1d:d7:52: ++ cd:58:41:1d:b4:b0:a8:27:33:cc:3e:b8:5d:92:5f: ++ 15:f5:f0:87:72:df:5a:4d:12:b6:21:dc:9f:23:56: ++ 90:62:9a:83:0f:f5:d0:b6:da:23:41:e2:44:ca:7f: ++ 53:91:33:a1:da:2a:71:cc:f3:08:37:27:35:ef:f6: ++ 55:68:21:08:00:83:20:26:24:ea:10:5e:14:3c:2a: ++ 7d:40:3a:3d:e3:be:9d:49:82:6d:a1:23:87:b6:31: ++ 38:e0:8e:b6:93:f6:c2:b1:3d:72:19:90:a9:d3:c2: ++ 76:57:f3:c3:29:13:d1:ef:b1:0e:d7:57:60:9d:62: ++ 63:2b:cb:e2:fa:f5:7e:bc:6e:5d:d2:d5:e8:ac:0e: ++ 37:88:bc:73:ed:cf:a4:de:9d:9b:3b:c3:16:ee:a7: ++ 2e:ce:b5:d3:8a:47:16:bf:98:38:7d:0b:be:97:1e: ++ 23:4f:a2:e9:14:17:53:55:67:dd:d2:eb:8e:ee:77: ++ b7:a7 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: ++ CA:FALSE ++ X509v3 Subject Key Identifier: ++ 2B:C9:AC:45:83:BB:96:5B:73:77:1A:F8:DB:F9:98:44:C6:E8:55:95 ++ X509v3 Authority Key Identifier: ++ 63:2F:CE:D5:F6:6A:93:75:66:0C:08:D3:41:6F:A1:DA:CB:B3:B0:3E ++ Signature Algorithm: sha256WithRSAEncryption ++ Signature Value: ++ 02:87:49:a3:6f:c4:59:38:94:f9:f7:1a:ff:6f:4c:b4:6b:bd: ++ d2:79:98:5c:90:a8:49:45:ec:91:4e:ac:45:ec:8d:81:7f:ce: ++ ea:2f:93:c1:40:49:d4:c7:f2:ae:c0:60:1d:7d:65:91:83:63: ++ 51:4c:f0:ce:ef:81:dc:43:a6:b3:01:39:66:52:2d:1d:08:16: ++ a7:a7:54:78:e6:7a:06:49:5f:86:37:12:48:42:ab:37:a9:c0: ++ 04:98:70:45:50:9e:6d:30:6d:6d:81:05:79:1b:5c:2b:75:b9: ++ a8:46:22:4a:80:c9:ab:7c:f7:b2:63:69:ed:08:31:32:bd:8e: ++ f8:d7:8e:8e:29:8e:f6:b0:52:c2:a3:19:c1:e0:88:de:de:94: ++ 4f:f1:a5:9b:1c:1c:c0:11:79:7f:df:38:1b:97:a9:6c:26:fc: ++ 7e:31:f5:78:ba:c1:1d:e6:7c:e1:8e:b3:c5:91:fc:f6:5f:44: ++ 18:44:0b:15:c8:94:a5:a7:02:58:2f:be:f4:e4:80:0a:ce:8e: ++ 33:36:dd:0f:39:d3:b6:ae:57:d2:46:b4:a2:d1:49:c9:29:a7: ++ a0:a7:62:a7:2e:2d:7d:91:94:12:f7:55:13:54:d5:4e:4d:eb: ++ 1f:78:a7:9e:a9:93:f9:6c:a9:ec:97:2e:c6:04:67:fa:95:47: ++ 1e:2c:d2:74 ++-----BEGIN CERTIFICATE----- ++MIIC6jCCAdKgAwIBAgICEAAwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v ++dCBDQTAeFw0yMzA3MTIwOTMyMjlaFw0yNDA3MTEwOTMyMjlaMA8xDTALBgNVBAMM ++BE9DU1AwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDZ2OLi8cpvoinQ ++bs4YEmk9GdQNcg9+zBRHy/YRJF+bbdreINweLYigHg2D3rcJnrjXkNAmd08aD0x+ ++4iq58Tvy5P48VZ+c1R3XUs1YQR20sKgnM8w+uF2SXxX18Idy31pNErYh3J8jVpBi ++moMP9dC22iNB4kTKf1ORM6HaKnHM8wg3JzXv9lVoIQgAgyAmJOoQXhQ8Kn1AOj3j ++vp1Jgm2hI4e2MTjgjraT9sKxPXIZkKnTwnZX88MpE9HvsQ7XV2CdYmMry+L69X68 ++bl3S1eisDjeIvHPtz6TenZs7wxbupy7OtdOKRxa/mDh9C76XHiNPoukUF1NVZ93S ++647ud7enAgMBAAGjTTBLMAkGA1UdEwQCMAAwHQYDVR0OBBYEFCvJrEWDu5Zbc3ca +++Nv5mETG6FWVMB8GA1UdIwQYMBaAFGMvztX2apN1ZgwI00FvodrLs7A+MA0GCSqG ++SIb3DQEBCwUAA4IBAQACh0mjb8RZOJT59xr/b0y0a73SeZhckKhJReyRTqxF7I2B ++f87qL5PBQEnUx/KuwGAdfWWRg2NRTPDO74HcQ6azATlmUi0dCBanp1R45noGSV+G ++NxJIQqs3qcAEmHBFUJ5tMG1tgQV5G1wrdbmoRiJKgMmrfPeyY2ntCDEyvY74146O ++KY72sFLCoxnB4Ije3pRP8aWbHBzAEXl/3zgbl6lsJvx+MfV4usEd5nzhjrPFkfz2 ++X0QYRAsVyJSlpwJYL7705IAKzo4zNt0POdO2rlfSRrSi0UnJKaegp2KnLi19kZQS ++91UTVNVOTesfeKeeqZP5bKnsly7GBGf6lUceLNJ0 ++-----END CERTIFICATE----- +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/server.key +@@ -0,0 +1,28 @@ ++-----BEGIN PRIVATE KEY----- ++MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQDb4qMIdALYSZd7 ++/RBJ5PTRZS23d4SkIxZuOGXiSdYNyDNqg+jZZ5HPJu1ZcZFZ7AYINCAnk/yv1rPd ++Aoz50sZKTjHacQZLhaSds0PlN5/TrkwU0WUbalFWm5D6LB+VlDdkOSWSO3UNo23n ++X3wBMCWL9tTqNCwzNx8o3P6L8gjEOyOU3lIB3DU0FgGZN0Fkk7ZrbZxoln78Hcgf ++wBxWC2SafOwU9zofjdcEQr4Q6kAKDK1M7EYbq8U67BUS7SRRoj2Ub6KNhTGCuH5f ++0M4umykvong4bvqYqmrpAM0qV/F0ngus8qJgAH21AeHAvG9iuP/AphbslKFl+Me5 ++3J3/2A/lAgMBAAECggEAAsC9Ist1B6kwNNSvwgUUTZTTNDNSXU21J68cE2+yNtz1 ++S9WX8jTaPfoySYbi93m9f5fLeUNgjAEHonI4Op55bg+5jw8QMZzcOT83z+RY42kQ ++ucf/WI8Fsqxi7cbkpFZFNUOD5WdKKWAM7bMj1c35Al4WP1Jk5UVA5h2SMEVY97/x ++2TeQIzxBVX7w8d3jSHQXizWLB06IRs0F1Kpp0qIXJ558GcWEYVLk7ORIcJACWJSh ++UmhmtUVXI5OoWTTk4Ac7wus5GlCaLkwZ1RxV8iSwlQ5dhEBdDPRofrH9QgeULJrq ++l+G+Cv32FizTzC3QuiPrXrbfPVxffYZuJ5g2RORh9wKBgQD4IqS3WzXYOoKwkA5d ++8rVAL55tTE8I7/GZCoMrmRsXKV/30gJjhDlf5TyKWpFB7gcxBBZhd+lK/daH8d+S ++EAeBdN45VM/xbQkVKyfOQMQ5JuKmLJUyUP7yevMDZ0TYWQGDWmnVMzhfICIKWQvM ++lnPqCHFeYx+zWFBTDukr+aitywKBgQDi2sY1KAJiC24M7DILvjF0vFQGIPCyoOfQ ++VKemT3O5BKXbEK/WgBmTHMZzGPUGCZ7dxjEeTpE1d6YIadSa3FMyA34PWi8+3jdn ++lGSnK5MBlfKnk8Qo5vYOKPMgVmRPzqyJ8gUorNvAUEKZeFjV+wZeX/0yxSunumCj ++dfOk2TWDDwKBgEQE0xxED32HhH2774RHXPIMW6Rgb6XmiFbIb+6KmMd/mwQG+Iqp ++G0UzRKY0b28gPa5tDWmIglYBQUagwgV7CWOuUqBqpFns5rl7y/yY+nEkPKsKu5dA ++ZrK3i1gafd/EfkqwhSRhVwmUeGBXyok5kOrNh641A+KYyeQKyVY5qMiDAoGALJgb ++DIn/5ewfRxULRXmu2SbIUagaCNNOnop1pmDJ+93pCKZAGqd135BxhmCqkfREMY5r ++S2zgaKVLky3SqFqVVCiRmEz/KpmeRJNMMfyD2nTyjXSjw/Ka/e+Y04uIDpQvILLd ++xsAsNqLQZMDenbnJ57Vw3ZEa4s7lflyKd6ZnOYsCgYEA5jRpE1+lw1mAieDNovqH ++Mp2VwrmuFWhkeC7RW0G8ngNRzP9K6p77cDZGuR8GO5OHhpC3JG14OhOGL5rmDcwc ++ufXRlGMeAfWSY6EOY2hPWltML4EiX0zRESipQty8ns/HekIVlmOh4sv+3N3EqLlE ++edJcYLfcg1FGwnVQLHuVhy4= ++-----END PRIVATE KEY----- +--- /dev/null ++++ b/test/recipes/80-test_ocsp_check_data/server.pem +@@ -0,0 +1,75 @@ ++Certificate: ++ Data: ++ Version: 3 (0x2) ++ Serial Number: 4097 (0x1001) ++ Signature Algorithm: sha256WithRSAEncryption ++ Issuer: CN=Root CA ++ Validity ++ Not Before: Jul 12 09:33:13 2023 GMT ++ Not After : Jul 11 09:33:13 2024 GMT ++ Subject: CN=Server ++ Subject Public Key Info: ++ Public Key Algorithm: rsaEncryption ++ Public-Key: (2048 bit) ++ Modulus: ++ 00:db:e2:a3:08:74:02:d8:49:97:7b:fd:10:49:e4: ++ f4:d1:65:2d:b7:77:84:a4:23:16:6e:38:65:e2:49: ++ d6:0d:c8:33:6a:83:e8:d9:67:91:cf:26:ed:59:71: ++ 91:59:ec:06:08:34:20:27:93:fc:af:d6:b3:dd:02: ++ 8c:f9:d2:c6:4a:4e:31:da:71:06:4b:85:a4:9d:b3: ++ 43:e5:37:9f:d3:ae:4c:14:d1:65:1b:6a:51:56:9b: ++ 90:fa:2c:1f:95:94:37:64:39:25:92:3b:75:0d:a3: ++ 6d:e7:5f:7c:01:30:25:8b:f6:d4:ea:34:2c:33:37: ++ 1f:28:dc:fe:8b:f2:08:c4:3b:23:94:de:52:01:dc: ++ 35:34:16:01:99:37:41:64:93:b6:6b:6d:9c:68:96: ++ 7e:fc:1d:c8:1f:c0:1c:56:0b:64:9a:7c:ec:14:f7: ++ 3a:1f:8d:d7:04:42:be:10:ea:40:0a:0c:ad:4c:ec: ++ 46:1b:ab:c5:3a:ec:15:12:ed:24:51:a2:3d:94:6f: ++ a2:8d:85:31:82:b8:7e:5f:d0:ce:2e:9b:29:2f:a2: ++ 78:38:6e:fa:98:aa:6a:e9:00:cd:2a:57:f1:74:9e: ++ 0b:ac:f2:a2:60:00:7d:b5:01:e1:c0:bc:6f:62:b8: ++ ff:c0:a6:16:ec:94:a1:65:f8:c7:b9:dc:9d:ff:d8: ++ 0f:e5 ++ Exponent: 65537 (0x10001) ++ X509v3 extensions: ++ X509v3 Basic Constraints: ++ CA:FALSE ++ X509v3 Subject Key Identifier: ++ 3E:48:4E:C9:24:FA:DE:27:EA:A4:98:81:2A:06:12:9A:F6:FA:17:4E ++ X509v3 Authority Key Identifier: ++ 63:2F:CE:D5:F6:6A:93:75:66:0C:08:D3:41:6F:A1:DA:CB:B3:B0:3E ++ Signature Algorithm: sha256WithRSAEncryption ++ Signature Value: ++ 22:fe:de:97:6e:e8:5d:65:91:f0:70:af:97:85:53:5e:8e:c8: ++ 88:9b:e5:b3:33:d4:21:b9:3b:09:b7:72:70:16:8c:a8:0e:80: ++ 0f:1b:03:cb:95:94:ae:40:e2:3b:54:06:ec:1e:f5:bc:58:8a: ++ 22:57:cf:fe:14:b0:15:8c:18:5d:9d:fe:0e:70:55:26:c5:cc: ++ 92:f3:bf:03:19:e6:bd:41:b5:c3:cf:15:d3:e9:10:df:65:2a: ++ 68:c0:a3:df:93:a4:b1:66:20:94:1d:df:0a:9c:05:e7:74:a1: ++ 1a:39:db:c2:5b:78:8c:0c:f6:5e:30:80:cc:39:04:8a:8c:db: ++ 81:c1:5b:b4:3e:c2:ba:ae:06:ec:19:91:b4:a5:46:05:e7:8c: ++ ef:88:3f:d1:38:d3:37:42:88:25:c2:43:9b:df:7f:7c:15:c3: ++ 7b:72:d2:b6:49:45:ce:c8:ce:f1:2d:be:7b:86:1c:31:8d:c9: ++ de:51:d4:06:9f:1d:f2:86:ac:bf:5f:4d:da:31:26:70:ce:e1: ++ 0a:87:1f:a9:73:24:78:a2:4a:c2:73:ea:4c:6b:2c:a7:b6:1c: ++ d7:c3:5e:3a:8a:f9:02:54:62:73:a2:a6:3e:e5:d6:2d:6f:6e: ++ ba:57:11:20:d1:41:2e:c7:6b:d8:7d:70:5e:1d:17:03:5e:a7: ++ 16:c9:4b:fb ++-----BEGIN CERTIFICATE----- ++MIIC7DCCAdSgAwIBAgICEAEwDQYJKoZIhvcNAQELBQAwEjEQMA4GA1UEAwwHUm9v ++dCBDQTAeFw0yMzA3MTIwOTMzMTNaFw0yNDA3MTEwOTMzMTNaMBExDzANBgNVBAMM ++BlNlcnZlcjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBANviowh0AthJ ++l3v9EEnk9NFlLbd3hKQjFm44ZeJJ1g3IM2qD6Nlnkc8m7VlxkVnsBgg0ICeT/K/W ++s90CjPnSxkpOMdpxBkuFpJ2zQ+U3n9OuTBTRZRtqUVabkPosH5WUN2Q5JZI7dQ2j ++bedffAEwJYv21Oo0LDM3Hyjc/ovyCMQ7I5TeUgHcNTQWAZk3QWSTtmttnGiWfvwd ++yB/AHFYLZJp87BT3Oh+N1wRCvhDqQAoMrUzsRhurxTrsFRLtJFGiPZRvoo2FMYK4 ++fl/Qzi6bKS+ieDhu+piqaukAzSpX8XSeC6zyomAAfbUB4cC8b2K4/8CmFuyUoWX4 ++x7ncnf/YD+UCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUPkhOyST63ifq ++pJiBKgYSmvb6F04wHwYDVR0jBBgwFoAUYy/O1fZqk3VmDAjTQW+h2suzsD4wDQYJ ++KoZIhvcNAQELBQADggEBACL+3pdu6F1lkfBwr5eFU16OyIib5bMz1CG5Owm3cnAW ++jKgOgA8bA8uVlK5A4jtUBuwe9bxYiiJXz/4UsBWMGF2d/g5wVSbFzJLzvwMZ5r1B ++tcPPFdPpEN9lKmjAo9+TpLFmIJQd3wqcBed0oRo528JbeIwM9l4wgMw5BIqM24HB ++W7Q+wrquBuwZkbSlRgXnjO+IP9E40zdCiCXCQ5vff3wVw3ty0rZJRc7IzvEtvnuG ++HDGNyd5R1AafHfKGrL9fTdoxJnDO4QqHH6lzJHiiSsJz6kxrLKe2HNfDXjqK+QJU ++YnOipj7l1i1vbrpXESDRQS7Ha9h9cF4dFwNepxbJS/s= ++-----END CERTIFICATE----- +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -4649,3 +4649,4 @@ fips_sli_RAND_bytes_is_approved + fips_sli_RAND_priv_bytes_is_approved 6610 1_1_1l EXIST::FUNCTION: + FIPS_entropy_init 6611 1_1_1l EXIST::FUNCTION: + FIPS_entropy_cleanup 6612 1_1_1l EXIST::FUNCTION: ++OCSP_RESPONSE_check_status 6613 1_1_1l EXIST::FUNCTION:OCSP