From 5afc4138ca0d25292f778b221bd0cdafd5fccc0bde2922d0bb66f753b1b05637 Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Thu, 2 Jan 2025 08:25:49 +0000 Subject: [PATCH 1/2] - Add support for userspace livepatching on ppc64le (jsc#PED-10952). - Use gcc-13 for ppc64le. OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=127 --- .gitattributes | 23 + .gitignore | 1 + baselibs.conf | 12 + ...S-Deny-SHA-1-sigver-in-FIPS-provider.patch | 570 +++++ ...lement-explicit-indicator-for-IV-gen.patch | 98 + openssl-3-FIPS-PCT_rsa_keygen.patch | 28 + openssl-3-add-defines-CPACF-funcs.patch | 82 + openssl-3-add-hw-acceleration-hmac.patch | 506 ++++ ...l-3-add-xof-state-handling-s3_absorb.patch | 32 + openssl-3-add_EVP_DigestSqueeze_api.patch | 1781 ++++++++++++++ ...c-hw-acceleration-with-engine-digest.patch | 90 + ...sl-3-fix-hmac-digest-detection-s390x.patch | 49 + ...sl-3-fix-memleak-s390x_HMAC_CTX_copy.patch | 28 + openssl-3-fix-quic_multistream_test.patch | 25 + openssl-3-fix-s390x_sha3_absorb.patch | 50 + openssl-3-fix-s390x_shake_squeeze.patch | 98 + openssl-3-fix-sha3-squeeze-ppc64.patch | 31 + ...ix-state-handling-keccak_final_s390x.patch | 32 + ...fix-state-handling-sha3_absorb_s390x.patch | 32 + ...-fix-state-handling-sha3_final_s390x.patch | 32 + ...fix-state-handling-shake_final_s390x.patch | 32 + openssl-3-hw-acceleration-aes-xts-s390x.patch | 327 +++ openssl-3-jitterentropy-3.4.0.patch | 364 +++ ...rt-CPACF-sha3-shake-perf-improvement.patch | 196 ++ ...P_DigestSqueeze-in-digest-prov-s390x.patch | 160 ++ ...-support-multiple-sha3_squeeze_s390x.patch | 46 + openssl-3-use-include-directive.patch | 35 + openssl-3.1.4.tar.gz | 3 + openssl-3.1.4.tar.gz.asc | 16 + openssl-3.1.7.tar.gz | 3 + openssl-3.1.7.tar.gz.asc | 16 + openssl-3.2.3.tar.gz | 3 + openssl-3.2.3.tar.gz.asc | 16 + openssl-3.changes | 2010 +++++++++++++++ openssl-3.spec | 460 ++++ ...Add-FIPS-indicator-parameter-to-HKDF.patch | 911 +++++++ ...sl-Add-FIPS_mode-compatibility-macro.patch | 83 + ...sl-Add-Kernel-FIPS-mode-flag-support.patch | 82 + ...sl-Add-changes-to-ectest-and-eccurve.patch | 1147 +++++++++ ...PROFILE-SYSTEM-system-default-cipher.patch | 348 +++ ...ort_for_Windows_CA_certificate_store.patch | 743 ++++++ ...clevel-2-if-rh-allow-sha1-signatures.patch | 217 ++ ...l-Allow-disabling-of-SHA1-signatures.patch | 521 ++++ openssl-CVE-2023-50782.patch | 1354 +++++++++++ openssl-CVE-2023-5678.patch | 172 ++ openssl-CVE-2023-6129.patch | 109 + openssl-CVE-2023-6237.patch | 122 + openssl-CVE-2024-0727.patch | 120 + openssl-CVE-2024-2511.patch | 116 + openssl-CVE-2024-41996.patch | 41 + openssl-CVE-2024-4603.patch | 199 ++ openssl-CVE-2024-4741.patch | 28 + openssl-CVE-2024-5535.patch | 326 +++ openssl-CVE-2024-6119.patch | 255 ++ openssl-CVE-2024-9143.patch | 198 ++ openssl-DEFAULT_SUSE_cipher.patch | 64 + ...S-186-4-type-parameters-in-FIPS-mode.patch | 330 +++ ...able-default-provider-for-test-suite.patch | 19 + openssl-Disable-explicit-ec.patch | 235 ++ ...nable-BTI-feature-for-md5-on-aarch64.patch | 28 + openssl-FIPS-140-3-DRBG.patch | 137 ++ openssl-FIPS-140-3-keychecks.patch | 404 +++ openssl-FIPS-140-3-zeroization.patch | 81 + ...-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch | 16 + ...dd-explicit-indicator-for-key-length.patch | 108 + openssl-FIPS-Enforce-error-state.patch | 20 + openssl-FIPS-Expose-a-FIPS-indicator.patch | 462 ++++ openssl-FIPS-RSA-disable-shake.patch | 98 + openssl-FIPS-RSA-encapsulate.patch | 47 + ...-Remove-X9.31-padding-from-FIPS-prov.patch | 270 +++ openssl-FIPS-Use-FFDHE2048-in-self-test.patch | 378 +++ ...OAEP-in-KATs-support-fixed-OAEP-seed.patch | 348 +++ ...gest_sign-digest_verify-in-self-test.patch | 312 +++ openssl-FIPS-early-KATS.patch | 54 + openssl-FIPS-embed-hmac.patch | 392 +++ openssl-FIPS-enforce-EMS-support.patch | 242 ++ ...ecurity-checks-during-initialization.patch | 22 + openssl-FIPS-limit-rsa-encrypt.patch | 949 ++++++++ ...l-FIPS-release_num_in_version_string.patch | 27 + openssl-FIPS-services-minimize.patch | 782 ++++++ ...re-Add-indicator-for-PSS-salt-length.patch | 113 + ...EVP_PKEY_CTX_add1_hkdf_info-behavior.patch | 309 +++ openssl-Force-FIPS.patch | 77 + ...param-in-EVP_PKEY_CTX_add1_hkdf_info.patch | 94 + ...nce-for-6x-unrolling-with-vpermxor-i.patch | 495 ++++ openssl-Remove-EC-curves.patch | 267 ++ ...-Improve-FIPS-RSA-keygen-performance.patch | 171 ++ ...ble-default-provider-crypto-policies.patch | 41 + openssl-crypto-policies-support.patch | 35 + openssl-disable-fipsinstall.patch | 470 ++++ ...-Limb-Solinas-Strategy-for-secp384r1.patch | 2159 +++++++++++++++++ ...nkage-on-nistp521-felem_-square-mul-.patch | 65 + ...dd-asm-implementation-of-felem_-squa.patch | 428 ++++ ...-extraneous-parentheses-in-secp384r1.patch | 76 + openssl-load-legacy-provider.patch | 92 + openssl-no-date.patch | 13 + openssl-no-html-docs.patch | 13 + ...cator-if-pkcs5-param-disabled-checks.patch | 75 + ...t-minimum-password-length-of-8-bytes.patch | 66 + openssl-pkgconfig.patch | 22 + ...c-Fix-stack-allocation-secp384r1-asm.patch | 96 + openssl-ppc64-config.patch | 32 + ...-truncated-hashes-SHA-3-in-FIPS-prov.patch | 1102 +++++++++ openssl-skip-quic-pairwise.patch | 85 + openssl-skipped-tests-EC-curves.patch | 55 + openssl-truststore.patch | 17 + openssl.keyring | 31 + reproducible.patch | 929 +++++++ showciphers.c | 27 + 109 files changed, 27659 insertions(+) create mode 100644 .gitattributes create mode 100644 .gitignore create mode 100644 baselibs.conf create mode 100644 openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch create mode 100644 openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch create mode 100644 openssl-3-FIPS-PCT_rsa_keygen.patch create mode 100644 openssl-3-add-defines-CPACF-funcs.patch create mode 100644 openssl-3-add-hw-acceleration-hmac.patch create mode 100644 openssl-3-add-xof-state-handling-s3_absorb.patch create mode 100644 openssl-3-add_EVP_DigestSqueeze_api.patch create mode 100644 openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch create mode 100644 openssl-3-fix-hmac-digest-detection-s390x.patch create mode 100644 openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch create mode 100644 openssl-3-fix-quic_multistream_test.patch create mode 100644 openssl-3-fix-s390x_sha3_absorb.patch create mode 100644 openssl-3-fix-s390x_shake_squeeze.patch create mode 100644 openssl-3-fix-sha3-squeeze-ppc64.patch create mode 100644 openssl-3-fix-state-handling-keccak_final_s390x.patch create mode 100644 openssl-3-fix-state-handling-sha3_absorb_s390x.patch create mode 100644 openssl-3-fix-state-handling-sha3_final_s390x.patch create mode 100644 openssl-3-fix-state-handling-shake_final_s390x.patch create mode 100644 openssl-3-hw-acceleration-aes-xts-s390x.patch create mode 100644 openssl-3-jitterentropy-3.4.0.patch create mode 100644 openssl-3-support-CPACF-sha3-shake-perf-improvement.patch create mode 100644 openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch create mode 100644 openssl-3-support-multiple-sha3_squeeze_s390x.patch create mode 100644 openssl-3-use-include-directive.patch create mode 100644 openssl-3.1.4.tar.gz create mode 100644 openssl-3.1.4.tar.gz.asc create mode 100644 openssl-3.1.7.tar.gz create mode 100644 openssl-3.1.7.tar.gz.asc create mode 100644 openssl-3.2.3.tar.gz create mode 100644 openssl-3.2.3.tar.gz.asc create mode 100644 openssl-3.changes create mode 100644 openssl-3.spec create mode 100644 openssl-Add-FIPS-indicator-parameter-to-HKDF.patch create mode 100644 openssl-Add-FIPS_mode-compatibility-macro.patch create mode 100644 openssl-Add-Kernel-FIPS-mode-flag-support.patch create mode 100644 openssl-Add-changes-to-ectest-and-eccurve.patch create mode 100644 openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch create mode 100644 openssl-Add_support_for_Windows_CA_certificate_store.patch create mode 100644 openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch create mode 100644 openssl-Allow-disabling-of-SHA1-signatures.patch create mode 100644 openssl-CVE-2023-50782.patch create mode 100644 openssl-CVE-2023-5678.patch create mode 100644 openssl-CVE-2023-6129.patch create mode 100644 openssl-CVE-2023-6237.patch create mode 100644 openssl-CVE-2024-0727.patch create mode 100644 openssl-CVE-2024-2511.patch create mode 100644 openssl-CVE-2024-41996.patch create mode 100644 openssl-CVE-2024-4603.patch create mode 100644 openssl-CVE-2024-4741.patch create mode 100644 openssl-CVE-2024-5535.patch create mode 100644 openssl-CVE-2024-6119.patch create mode 100644 openssl-CVE-2024-9143.patch create mode 100644 openssl-DEFAULT_SUSE_cipher.patch create mode 100644 openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch create mode 100644 openssl-Disable-default-provider-for-test-suite.patch create mode 100644 openssl-Disable-explicit-ec.patch create mode 100644 openssl-Enable-BTI-feature-for-md5-on-aarch64.patch create mode 100644 openssl-FIPS-140-3-DRBG.patch create mode 100644 openssl-FIPS-140-3-keychecks.patch create mode 100644 openssl-FIPS-140-3-zeroization.patch create mode 100644 openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch create mode 100644 openssl-FIPS-Add-explicit-indicator-for-key-length.patch create mode 100644 openssl-FIPS-Enforce-error-state.patch create mode 100644 openssl-FIPS-Expose-a-FIPS-indicator.patch create mode 100644 openssl-FIPS-RSA-disable-shake.patch create mode 100644 openssl-FIPS-RSA-encapsulate.patch create mode 100644 openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch create mode 100644 openssl-FIPS-Use-FFDHE2048-in-self-test.patch create mode 100644 openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch create mode 100644 openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch create mode 100644 openssl-FIPS-early-KATS.patch create mode 100644 openssl-FIPS-embed-hmac.patch create mode 100644 openssl-FIPS-enforce-EMS-support.patch create mode 100644 openssl-FIPS-enforce-security-checks-during-initialization.patch create mode 100644 openssl-FIPS-limit-rsa-encrypt.patch create mode 100644 openssl-FIPS-release_num_in_version_string.patch create mode 100644 openssl-FIPS-services-minimize.patch create mode 100644 openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch create mode 100644 openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch create mode 100644 openssl-Force-FIPS.patch create mode 100644 openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch create mode 100644 openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch create mode 100644 openssl-Remove-EC-curves.patch create mode 100644 openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch create mode 100644 openssl-TESTS-Disable-default-provider-crypto-policies.patch create mode 100644 openssl-crypto-policies-support.patch create mode 100644 openssl-disable-fipsinstall.patch create mode 100644 openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch create mode 100644 openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch create mode 100644 openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch create mode 100644 openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch create mode 100644 openssl-load-legacy-provider.patch create mode 100644 openssl-no-date.patch create mode 100644 openssl-no-html-docs.patch create mode 100644 openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch create mode 100644 openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch create mode 100644 openssl-pkgconfig.patch create mode 100644 openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch create mode 100644 openssl-ppc64-config.patch create mode 100644 openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch create mode 100644 openssl-skip-quic-pairwise.patch create mode 100644 openssl-skipped-tests-EC-curves.patch create mode 100644 openssl-truststore.patch create mode 100644 openssl.keyring create mode 100644 reproducible.patch create mode 100644 showciphers.c diff --git a/.gitattributes b/.gitattributes new file mode 100644 index 0000000..9b03811 --- /dev/null +++ b/.gitattributes @@ -0,0 +1,23 @@ +## Default LFS +*.7z filter=lfs diff=lfs merge=lfs -text +*.bsp filter=lfs diff=lfs merge=lfs -text +*.bz2 filter=lfs diff=lfs merge=lfs -text +*.gem filter=lfs diff=lfs merge=lfs -text +*.gz filter=lfs diff=lfs merge=lfs -text +*.jar filter=lfs diff=lfs merge=lfs -text +*.lz filter=lfs diff=lfs merge=lfs -text +*.lzma filter=lfs diff=lfs merge=lfs -text +*.obscpio filter=lfs diff=lfs merge=lfs -text +*.oxt filter=lfs diff=lfs merge=lfs -text +*.pdf filter=lfs diff=lfs merge=lfs -text +*.png filter=lfs diff=lfs merge=lfs -text +*.rpm filter=lfs diff=lfs merge=lfs -text +*.tbz filter=lfs diff=lfs merge=lfs -text +*.tbz2 filter=lfs diff=lfs merge=lfs -text +*.tgz filter=lfs diff=lfs merge=lfs -text +*.ttf filter=lfs diff=lfs merge=lfs -text +*.txz filter=lfs diff=lfs merge=lfs -text +*.whl filter=lfs diff=lfs merge=lfs -text +*.xz filter=lfs diff=lfs merge=lfs -text +*.zip filter=lfs diff=lfs merge=lfs -text +*.zst filter=lfs diff=lfs merge=lfs -text diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..57affb6 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +.osc diff --git a/baselibs.conf b/baselibs.conf new file mode 100644 index 0000000..0c211d7 --- /dev/null +++ b/baselibs.conf @@ -0,0 +1,12 @@ +libopenssl3 + obsoletes "libopenssl1_1_0-" + provides "libopenssl3-hmac- = -%release" + obsoletes "libopenssl3-hmac- < -%release" +libopenssl-3-devel + provides "libopenssl-devel- = " + conflicts "otherproviders(libopenssl-devel-)" + conflicts "libopenssl-1_1-devel-" + requires -"openssl-3-" + requires "libopenssl3- = " +libopenssl-3-fips-provider + requires "libopenssl3- >= " diff --git a/openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch b/openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch new file mode 100644 index 0000000..4b141ca --- /dev/null +++ b/openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch @@ -0,0 +1,570 @@ +From 5f4f350ce797a7cd2fdca84c474ee196da9d6fae Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Wed, 18 May 2022 17:25:59 +0200 +Subject: [PATCH] Deny SHA-1 signature verification in FIPS provider + +For RHEL, we already disable SHA-1 signatures by default in the default +provider, so it is unexpected that the FIPS provider would have a more +lenient configuration in this regard. Additionally, we do not think +continuing to accept SHA-1 signatures is a good idea due to the +published chosen-prefix collision attacks. + +As a consequence, disable verification of SHA-1 signatures in the FIPS +provider. + +This requires adjusting a few tests that would otherwise fail: +- 30-test_acvp: Remove the test vectors that use SHA-1. +- 30-test_evp: Mark tests in evppkey_rsa_common.txt and + evppkey_ecdsa.txt that use SHA-1 digests as "Availablein = default", + which will not run them when the FIPS provider is enabled. +- 80-test_cms: Re-create all certificates in test/smime-certificates + with SHA256 signatures while keeping the same private keys. These + certificates were signed with SHA-1 and thus fail verification in the + FIPS provider. + Fix some other tests by explicitly running them in the default + provider, where SHA-1 is available. +- 80-test_ssl_old: Skip tests that rely on SSLv3 and SHA-1 when run with + the FIPS provider. + +Signed-off-by: Clemens Lang +--- + providers/implementations/signature/dsa_sig.c | 4 -- + .../implementations/signature/ecdsa_sig.c | 4 -- + providers/implementations/signature/rsa_sig.c | 8 +-- + test/acvp_test.inc | 20 ------- + .../30-test_evp_data/evppkey_ecdsa.txt | 7 +++ + .../30-test_evp_data/evppkey_rsa_common.txt | 51 +++++++++++++++- + test/recipes/80-test_cms.t | 4 +- + test/recipes/80-test_ssl_old.t | 4 ++ + test/smime-certs/smdh.pem | 18 +++--- + test/smime-certs/smdsa1.pem | 60 +++++++++---------- + test/smime-certs/smdsa2.pem | 60 +++++++++---------- + test/smime-certs/smdsa3.pem | 60 +++++++++---------- + test/smime-certs/smec1.pem | 30 +++++----- + test/smime-certs/smec2.pem | 30 +++++----- + test/smime-certs/smec3.pem | 30 +++++----- + test/smime-certs/smroot.pem | 38 ++++++------ + test/smime-certs/smrsa1.pem | 38 ++++++------ + test/smime-certs/smrsa2.pem | 38 ++++++------ + test/smime-certs/smrsa3.pem | 38 ++++++------ + 19 files changed, 286 insertions(+), 256 deletions(-) + +Index: openssl-3.2.3/providers/implementations/signature/dsa_sig.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/signature/dsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/dsa_sig.c +@@ -129,11 +129,7 @@ static int dsa_setup_md(PROV_DSA_CTX *ct + EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); + int md_nid; + size_t mdname_len = strlen(mdname); +-#ifdef FIPS_MODULE +- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); +-#else + int sha1_allowed = 0; +-#endif + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); + +Index: openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/signature/ecdsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c +@@ -247,11 +247,7 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX + "%s could not be fetched", mdname); + return 0; + } +-#ifdef FIPS_MODULE +- sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); +-#else + sha1_allowed = 0; +-#endif + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); + if (md_nid < 0) { +Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c +@@ -321,11 +321,7 @@ static int rsa_setup_md(PROV_RSA_CTX *ct + EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); + int md_nid; + size_t mdname_len = strlen(mdname); +-#ifdef FIPS_MODULE +- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); +-#else + int sha1_allowed = 0; +-#endif + md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, + sha1_allowed); + +@@ -1416,8 +1412,10 @@ static int rsa_set_ctx_params(void *vprs + + if (prsactx->md == NULL && pmdname == NULL + && pad_mode == RSA_PKCS1_PSS_PADDING) { ++#ifdef FIPS_MODULE ++ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; ++#else + pmdname = RSA_DEFAULT_DIGEST_NAME; +-#ifndef FIPS_MODULE + if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { + pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; + } +Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +=================================================================== +--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_ecdsa.txt ++++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +@@ -37,12 +37,14 @@ PrivPubKeyPair = P-256:P-256-PUBLIC + + Title = ECDSA tests + ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 3045022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec8 + + # Digest too long ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF12345" +@@ -50,6 +52,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a + Result = VERIFY_ERROR + + # Digest too short ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF123" +@@ -57,6 +60,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a + Result = VERIFY_ERROR + + # Digest invalid ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1235" +@@ -64,6 +68,7 @@ Output = 3045022100b1d1cb1a577035bccdd5a + Result = VERIFY_ERROR + + # Invalid signature ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -79,12 +84,14 @@ Output = 3045022100b1d1cb1a577035bccdd5a + Result = VERIFY_ERROR + + # BER signature ++Availablein = default + Verify = P-256 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 3080022100b1d1cb1a577035bccdd5a86c6148c2cc7c633cd42b7234139b593076d041e15202201898cdd52b41ca502098184b409cf83a21bc945006746e3b7cea52234e043ec80000 + Result = VERIFY_ERROR + ++Availablein = default + Verify = P-256-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +=================================================================== +--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -96,6 +96,7 @@ NDL6WCBbets= + + Title = RSA tests + ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -112,24 +113,28 @@ Ctrl = digest:SHA512-224 + Input = "0123456789ABCDEF123456789ABC" + Output = 5f720e9488139bb21e1c2f027fd5ce5993e6d31c5a8faaee833487b3a944d66891178868ace8070cad3ee2ffbe54aa4885a15fd1a7cc5166970fe1fd8c0423e72bd3e3b56fc4a53ed80aaaeca42497f0ec3c62113edc05cd006608f5eef7ce3ad4cba1069f68731dd28a524a1f93fcdc5547112d48d45586dd943ba0d443be9635720d8a61697c54c96627f0d85c5fbeaa3b4af86a65cf2fc3800dd5de34c046985f25d0efc0bb6edccc1d08b3a4fb9c8faffe181c7e68b31e374ad1440a4a664eec9ca0dc53a9d2f5bc7d9940d866f64201bcbc63612754df45727ea24b531d7de83d1bb707444859fa35521320c33bf6f4dbeb6fb56e653adbf7af15843f17 + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:SHA1 + Input = c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad + Output = "0123456789ABCDEF1234" + + # Leading zero in the signature ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" + Output = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:SHA1 + Input = 00c09d402423cbf233d26cae21f954547bc43fe80fd41360a0336cfdbe9aedad05bef6fd2eaee6cd60089a52482d4809a238149520df3bdde4cb9e23d9307b05c0a6f327052325a29adf2cc95b66523be7024e2a585c3d4db15dfbe146efe0ecdc0402e33fe5d40324ee96c5c3edd374a15cdc0f5d84aa243c0f07e188c6518fbfceae158a9943be398e31097da81b62074f626eff738be6160741d5a26957a482b3251fd85d8df78b98148459de10aa93305dbb4a5230aa1da291a9b0e481918f99b7638d72bb687f97661d304ae145d64a474437a4ef39d7b8059332ddeb07e92bf6e0e3acaf8afedc93795e4511737ec1e7aab6d5bc9466afc950c1c17b48ad + Result = KEYOP_ERROR + + # Mismatched digest ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1233" +@@ -137,6 +142,7 @@ Output = c09d402423cbf233d26cae21f954547 + Result = VERIFY_ERROR + + # Corrupted signature ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1233" +@@ -144,6 +150,7 @@ Output = c09d402423cbf233d26cae21f954547 + Result = VERIFY_ERROR + + # parameter is not NULLt ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" +@@ -151,42 +158,49 @@ Output = 3ec3fc29eb6e122bd7aa361cd09fe1b + Result = VERIFY_ERROR + + # embedded digest too long ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" + Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:sha1 + Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d + Result = KEYOP_ERROR + + # embedded digest too short ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" + Output = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:sha1 + Input = afec9a0d5330a08f54283bb4a9d4e7e7e70fc1342336c4c766fba713f66970151c6e27413c48c33864ea45a0238787004f338ed3e21b53b0fe9c1151c42c388cbc7cba5a06b706c407a5b48324fbe994dc7afc3a19fb3d2841e66222596c14cd72a0f0a7455a019d8eb554f59c0183f9552b75aa96fee8bf935945e079ca283d2bd3534a86f11351f6d6181fbf433e5b01a6d1422145c7a72214d3aacdd5d3af12b2d6bf6438f9f9a64010d8aeed801c87f0859412b236150b86a545f7239be022f4a7ad246b59df87514294cb4a4c7c5a997ee53c66054d9f38ca4e76c1f7af83c30f737ef70f83a45aebe18238ddb95e1998814ca4fc72388f1533147c169d + Result = KEYOP_ERROR + + # Garbage after DigestInfo ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" + Output = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274 + Result = VERIFY_ERROR + ++Availablein = default + VerifyRecover = RSA-2048 + Ctrl = digest:sha1 + Input = 9ee34872d4271a7d8808af0a4052a145a6d6a8437d00da3ed14428c7f087cd39f4d43334c41af63e7fa1ba363fee7bcef401d9d36a662abbab55ce89a696e1be0dfa19a5d09ca617dd488787b6048baaefeb29bc8688b2fe3882de2b77c905b5a8b56cf9616041e5ec934ba6de863efe93acc4eef783fe7f72a00fa65d6093ed32bf98ce527e62ccb1d56317f4be18b7e0f55d7c36617d2d0678a306e3350956b662ac15df45215dd8f6b314babb9788e6c272fa461e4c9b512a11a4b92bc77c3a4c95c903fccb238794eca5c750477bf56ea6ee6a167367d881b485ae3889e7c489af8fdf38e0c0f2aed780831182e34abedd43c39281b290774bf35cc25274 + Result = KEYOP_ERROR + + # invalid tag for parameter ++Availablein = default + Verify = RSA-2048 + Ctrl = digest:sha1 + Input = "0123456789ABCDEF1234" +@@ -195,6 +209,7 @@ Result = VERIFY_ERROR + + # Verify using public key + ++Availablein = default + Verify = RSA-2048-PUBLIC + Ctrl = digest:SHA1 + Input = "0123456789ABCDEF1234" +@@ -858,6 +873,8 @@ Input="0123456789ABCDEF0123456789ABCDEF" + Output=4DE433D5844043EF08D354DA03CB29068780D52706D7D1E4D50EFB7D58C9D547D83A747DDD0635A96B28F854E50145518482CB49E963054621B53C60C498D07C16E9C2789C893CF38D4D86900DE71BDE463BD2761D1271E358C7480A1AC0BAB930DDF39602AD1BC165B5D7436B516B7A7858E8EB7AB1C420EEB482F4D207F0E462B1724959320A084E13848D11D10FB593E66BF680BF6D3F345FC3E9C3DE60ABBAC37E1C6EC80A268C8D9FC49626C679097AA690BC1AA662B95EB8DB70390861AA0898229F9349B4B5FDD030D4928C47084708A933144BE23BD3C6E661B85B2C0EF9ED36D498D5B7320E8194D363D4AD478C059BAE804181965E0B81B663158A + + # Verify using salt length auto detect ++# In the FIPS provider on SUSE/openSUSE, the default digest for PSS signatures is SHA-256 ++Availablein = default + Verify = RSA-2048-PUBLIC + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:auto +@@ -892,6 +909,10 @@ Output=4DE433D5844043EF08D354DA03CB29068 + Result = VERIFY_ERROR + + # Verify using default parameters, explicitly setting parameters ++# NOTE: RSA-PSS-DEFAULT contains a restriction to use SHA1 as digest, which ++# SUSE/openSUSE do not support in FIPS mode; all these tests are thus marked ++# Availablein = default. ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:20 +@@ -900,6 +921,7 @@ Input="0123456789ABCDEF0123" + Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF + + # Verify explicitly setting parameters "digest" salt length ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_pss_saltlen:digest +@@ -908,18 +930,21 @@ Input="0123456789ABCDEF0123" + Output = 3EFE09D88509027D837BFA5F8471CF7B69E6DF395DD999BB9CA42021F15722D9AC76670507C6BCFB73F64FB2211B611B8F140E76EBDB064BD762FDBA89D019E304A0D6B274E1C2FE1DF50005598A0306AF805416094E2A5BA60BC72BDE38CE061E853ED40F14967A8B9CA4DC739B462F89558F12FDF2D8D19FBEF16AD66FE2DDDA8BEE983ECBD873064244849D8D94B5B33F45E076871A47ED653E73257A2BE2DB3C0878094B0D2B6B682C8007DFD989425FB39A1FEEC9EED5876414601A49176EC344F5E3EDEE81CA2DDD29B7364F4638112CB3A547E2BC170E28CB66BDABE863754BE8AD5BA230567B575266F4B6B4CF81F28310ABF05351CC9E2DB85D00BF + + # Verify using salt length larger than minimum ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_pss_saltlen:30 + Input="0123456789ABCDEF0123" + Output = 6BF7EDC63A0BA184EEEC7F3020FEC8F5EBF38C2B76481881F48BCCE5796E7AB294548BA9AE810457C7723CABD1BDE94CF59CF7C0FC7461B22760C8ED703DD98E97BFDD61FA8D1181C411F6DEE5FF159F4850746D78EDEE385A363DC28E2CB373D5CAD7953F3BD5E639BE345732C03A1BDEA268814DA036EB1891C82D4012F3B903D86636055F87B96FC98806AD1B217685A4D754046A5DE0B0D7870664BE07902153EC85BA457BE7D7F89D7FE0F626D02A9CBBB2BB479DDA1A5CAE75247FB7BF6BFB15C1D3FD9E6B1573CCDBC72011C3B97716058BB11C7EA2E4E56ADAFE1F5DE6A7FD405AC5890100F9C3408EFFB5C73BF73F48177FF743B4B819D0699D507B + + # Verify using maximum salt length ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_pss_saltlen:max + Input="0123456789ABCDEF0123" + Output = 4470DCFE812DEE2E58E4301D4ED274AB348FE040B724B2CD1D8CD0914BFF375F0B86FCB32BFA8AEA9BD22BD7C4F1ADD4F3D215A5CFCC99055BAFECFC23800E9BECE19A08C66BEBC5802122D13A732E5958FC228DCC0B49B5B4B1154F032D8FA2F3564AA949C1310CC9266B0C47F86D449AC9D2E7678347E7266E2D7C888CCE1ADF44A109A293F8516AE2BD94CE220F26E137DB8E7A66BB9FCE052CDC1D0BE24D8CEBB20D10125F26B069F117044B9E1D16FDDAABCA5340AE1702F37D0E1C08A2E93801C0A41035C6C73DA02A0E32227EAFB0B85E79107B59650D0EE7DC32A6772CCCE90F06369B2880FE87ED76997BA61F5EA818091EE88F8B0D6F24D02A3FC6 + + # Attempt to change salt length below minimum ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_pss_saltlen:0 + Result = PKEY_CTRL_ERROR +@@ -927,21 +952,25 @@ Result = PKEY_CTRL_ERROR + # Attempt to change padding mode + # Note this used to return PKEY_CTRL_INVALID + # but it is limited because setparams only returns 0 or 1. ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = rsa_padding_mode:pkcs1 + Result = PKEY_CTRL_ERROR + + # Attempt to change digest ++Availablein = default + Verify = RSA-PSS-DEFAULT + Ctrl = digest:sha256 + Result = PKEY_CTRL_ERROR + + # Invalid key: rejected when we try to init ++Availablein = default + Verify = RSA-PSS-BAD + Result = KEYOP_INIT_ERROR + Reason = invalid salt length + + # Invalid key: rejected when we try to init ++Availablein = default + Verify = RSA-PSS-BAD2 + Result = KEYOP_INIT_ERROR + Reason = invalid salt length +@@ -960,36 +989,42 @@ CAltWyuLbfXWce9jd8CSHLI8Jwpw4lmOb/idGfEF + 4fINDOjP+yJJvZohNwIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=cd8b6538cb8e8de566b68bd067569dbf1ee2718e + Output=9074308fb598e9701b2294388e52f971faac2b60a5145af185df5287b5ed2887e57ce7fd44dc8634e407c8e0e4360bc226f3ec227f9d9e54638e8d31f5051215df6ebb9c2f9579aa77598a38f914b5b9c1bd83c4e2f9f382a0d0aa3542ffee65984a601bc69eb28deb27dca12c82c2d4c3f66cd500f1ff2b994d8a4e30cbb33c + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=e35befc17a1d160b9ce35fbd8eb16e7ee491d3fd + Output=3ef7f46e831bf92b32274142a585ffcefbdca7b32ae90d10fb0f0c729984f04ef29a9df0780775ce43739b97838390db0a5505e63de927028d9d29b219ca2c4517832558a55d694a6d25b9dab66003c4cccd907802193be5170d26147d37b93590241be51c25055f47ef62752cfbe21418fafe98c22c4d4d47724fdb5669e843 + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=0652ec67bcee30f9d2699122b91c19abdba89f91 + Output=666026fba71bd3e7cf13157cc2c51a8e4aa684af9778f91849f34335d141c00154c4197621f9624a675b5abc22ee7d5baaffaae1c9baca2cc373b3f33e78e6143c395a91aa7faca664eb733afd14d8827259d99a7550faca501ef2b04e33c23aa51f4b9e8282efdb728cc0ab09405a91607c6369961bc8270d2d4f39fce612b1 + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=39c21c4cceda9c1adf839c744e1212a6437575ec + Output=4609793b23e9d09362dc21bb47da0b4f3a7622649a47d464019b9aeafe53359c178c91cd58ba6bcb78be0346a7bc637f4b873d4bab38ee661f199634c547a1ad8442e03da015b136e543f7ab07c0c13e4225b8de8cce25d4f6eb8400f81f7e1833b7ee6e334d370964ca79fdb872b4d75223b5eeb08101591fb532d155a6de87 + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=36dae913b77bd17cae6e7b09453d24544cebb33c + Output=1d2aad221ca4d31ddf13509239019398e3d14b32dc34dc5af4aeaea3c095af73479cf0a45e5629635a53a018377615b16cb9b13b3e09d671eb71e387b8545c5960da5a64776e768e82b2c93583bf104c3fdb23512b7b4e89f633dd0063a530db4524b01c3f384c09310e315a79dcd3d684022a7f31c865a664e316978b759fad + ++Availablein = default + Verify=RSA-PSS-1 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -1005,36 +1040,42 @@ swU7R97S7NSkyu/WFIM9yLtiLzF+0Ha4BX/o3j+E + 0w5GMTmBXG/U/VrFuBcqRSMOy2MYoE8UVdhOWosCAwEAAQ== + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=2715a49b8b0012cd7aee84c116446e6dfe3faec0 + Output=586107226c3ce013a7c8f04d1a6a2959bb4b8e205ba43a27b50f124111bc35ef589b039f5932187cb696d7d9a32c0c38300a5cdda4834b62d2eb240af33f79d13dfbf095bf599e0d9686948c1964747b67e89c9aba5cd85016236f566cc5802cb13ead51bc7ca6bef3b94dcbdbb1d570469771df0e00b1a8a06777472d2316279edae86474668d4e1efff95f1de61c6020da32ae92bbf16520fef3cf4d88f61121f24bbd9fe91b59caf1235b2a93ff81fc403addf4ebdea84934a9cdaf8e1a9e + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=2dac956d53964748ac364d06595827c6b4f143cd + Output=80b6d643255209f0a456763897ac9ed259d459b49c2887e5882ecb4434cfd66dd7e1699375381e51cd7f554f2c271704b399d42b4be2540a0eca61951f55267f7c2878c122842dadb28b01bd5f8c025f7e228418a673c03d6bc0c736d0a29546bd67f786d9d692ccea778d71d98c2063b7a71092187a4d35af108111d83e83eae46c46aa34277e06044589903788f1d5e7cee25fb485e92949118814d6f2c3ee361489016f327fb5bc517eb50470bffa1afa5f4ce9aa0ce5b8ee19bf5501b958 + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=28d98c46cccafbd3bc04e72f967a54bd3ea12298 + Output=484408f3898cd5f53483f80819efbf2708c34d27a8b2a6fae8b322f9240237f981817aca1846f1084daa6d7c0795f6e5bf1af59c38e1858437ce1f7ec419b98c8736adf6dd9a00b1806d2bd3ad0a73775e05f52dfef3a59ab4b08143f0df05cd1ad9d04bececa6daa4a2129803e200cbc77787caf4c1d0663a6c5987b605952019782caf2ec1426d68fb94ed1d4be816a7ed081b77e6ab330b3ffc073820fecde3727fcbe295ee61a050a343658637c3fd659cfb63736de32d9f90d3c2f63eca + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=0866d2ff5a79f25ef668cd6f31b42dee421e4c0e + Output=84ebeb481be59845b46468bafb471c0112e02b235d84b5d911cbd1926ee5074ae0424495cb20e82308b8ebb65f419a03fb40e72b78981d88aad143053685172c97b29c8b7bf0ae73b5b2263c403da0ed2f80ff7450af7828eb8b86f0028bd2a8b176a4d228cccea18394f238b09ff758cc00bc04301152355742f282b54e663a919e709d8da24ade5500a7b9aa50226e0ca52923e6c2d860ec50ff480fa57477e82b0565f4379f79c772d5c2da80af9fbf325ece6fc20b00961614bee89a183e + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=6a5b4be4cd36cc97dfde9995efbf8f097a4a991a + Output=82102df8cb91e7179919a04d26d335d64fbc2f872c44833943241de8454810274cdf3db5f42d423db152af7135f701420e39b494a67cbfd19f9119da233a23da5c6439b5ba0d2bc373eee3507001378d4a4073856b7fe2aba0b5ee93b27f4afec7d4d120921c83f606765b02c19e4d6a1a3b95fa4c422951be4f52131077ef17179729cddfbdb56950dbaceefe78cb16640a099ea56d24389eef10f8fecb31ba3ea3b227c0a86698bb89e3e9363905bf22777b2a3aa521b65b4cef76d83bde4c + ++Availablein = default + Verify=RSA-PSS-9 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -1052,36 +1093,42 @@ F7jfF3jbOB3OCctK0FilEQAac4GY7ifPVaE7dUU5 + BQIDAQAB + -----END PUBLIC KEY----- + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=9596bb630cf6a8d4ea4600422b9eba8b13675dd4 + Output=82c2b160093b8aa3c0f7522b19f87354066c77847abf2a9fce542d0e84e920c5afb49ffdfdace16560ee94a1369601148ebad7a0e151cf16331791a5727d05f21e74e7eb811440206935d744765a15e79f015cb66c532c87a6a05961c8bfad741a9a6657022894393e7223739796c02a77455d0f555b0ec01ddf259b6207fd0fd57614cef1a5573baaff4ec00069951659b85f24300a25160ca8522dc6e6727e57d019d7e63629b8fe5e89e25cc15beb3a647577559299280b9b28f79b0409000be25bbd96408ba3b43cc486184dd1c8e62553fa1af4040f60663de7f5e49c04388e257f1ce89c95dab48a315d9b66b1b7628233876ff2385230d070d07e1666 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=b503319399277fd6c1c8f1033cbf04199ea21716 + Output=14ae35d9dd06ba92f7f3b897978aed7cd4bf5ff0b585a40bd46ce1b42cd2703053bb9044d64e813d8f96db2dd7007d10118f6f8f8496097ad75e1ff692341b2892ad55a633a1c55e7f0a0ad59a0e203a5b8278aec54dd8622e2831d87174f8caff43ee6c46445345d84a59659bfb92ecd4c818668695f34706f66828a89959637f2bf3e3251c24bdba4d4b7649da0022218b119c84e79a6527ec5b8a5f861c159952e23ec05e1e717346faefe8b1686825bd2b262fb2531066c0de09acde2e4231690728b5d85e115a2f6b92b79c25abc9bd9399ff8bcf825a52ea1f56ea76dd26f43baafa18bfa92a504cbd35699e26d1dcc5a2887385f3c63232f06f3244c3 + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=50aaede8536b2c307208b275a67ae2df196c7628 + Output=6e3e4d7b6b15d2fb46013b8900aa5bbb3939cf2c095717987042026ee62c74c54cffd5d7d57efbbf950a0f5c574fa09d3fc1c9f513b05b4ff50dd8df7edfa20102854c35e592180119a70ce5b085182aa02d9ea2aa90d1df03f2daae885ba2f5d05afdac97476f06b93b5bc94a1a80aa9116c4d615f333b098892b25fface266f5db5a5a3bcc10a824ed55aad35b727834fb8c07da28fcf416a5d9b2224f1f8b442b36f91e456fdea2d7cfe3367268de0307a4c74e924159ed33393d5e0655531c77327b89821bdedf880161c78cd4196b5419f7acc3f13e5ebf161b6e7c6724716ca33b85c2e25640192ac2859651d50bde7eb976e51cec828b98b6563b86bb + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=aa0b72b8b371ddd10c8ae474425ccccf8842a294 + Output=34047ff96c4dc0dc90b2d4ff59a1a361a4754b255d2ee0af7d8bf87c9bc9e7ddeede33934c63ca1c0e3d262cb145ef932a1f2c0a997aa6a34f8eaee7477d82ccf09095a6b8acad38d4eec9fb7eab7ad02da1d11d8e54c1825e55bf58c2a23234b902be124f9e9038a8f68fa45dab72f66e0945bf1d8bacc9044c6f07098c9fcec58a3aab100c805178155f030a124c450e5acbda47d0e4f10b80a23f803e774d023b0015c20b9f9bbe7c91296338d5ecb471cafb032007b67a60be5f69504a9f01abb3cb467b260e2bce860be8d95bf92c0c8e1496ed1e528593a4abb6df462dde8a0968dffe4683116857a232f5ebf6c85be238745ad0f38f767a5fdbf486fb + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 + Input=fad3902c9750622a2bc672622c48270cc57d3ea8 + Output=7e0935ea18f4d6c1d17ce82eb2b3836c55b384589ce19dfe743363ac9948d1f346b7bfddfe92efd78adb21faefc89ade42b10f374003fe122e67429a1cb8cbd1f8d9014564c44d120116f4990f1a6e38774c194bd1b8213286b077b0499d2e7b3f434ab12289c556684deed78131934bb3dd6537236f7c6f3dcb09d476be07721e37e1ceed9b2f7b406887bd53157305e1c8b4f84d733bc1e186fe06cc59b6edb8f4bd7ffefdf4f7ba9cfb9d570689b5a1a4109a746a690893db3799255a0cb9215d2d1cd490590e952e8c8786aa0011265252470c041dfbc3eec7c3cbf71c24869d115c0cb4a956f56d530b80ab589acfefc690751ddf36e8d383f83cedd2cc + ++Availablein = default + Verify=RSA-PSS-10 + Ctrl = rsa_padding_mode:pss + Ctrl = rsa_mgf1_md:sha1 +@@ -1817,11 +1864,13 @@ Title = RSA FIPS tests + + # FIPS tests + +-# Verifying with SHA1 is permitted in fips mode for older applications ++# Verifying with SHA1 is not permitted on SUSE/openSUSE in FIPS mode ++Availablein = fips + DigestVerify = SHA1 + Key = RSA-2048 + Input = "Hello " + Output = 87ea0e2226ef35e5a2aec9ca1222fcbe39ba723f05b3203564f671dd3601271806ead3240e61d424359ee3b17bd3e32f54b82df83998a8ac4148410710361de0400f9ddf98278618fbc87747a0531972543e6e5f18ab2fdfbfda02952f6ac69690e43864690af271bf43d4be9705b303d4ff994ab3abd4d5851562b73e59be3edc01cec41a4cc13b68206329bad1a46c6608d3609e951faa321d0fdbc765d54e9a7c59248d2f67913c9903e932b769c9c8a45520cabea06e8c0b231dd3bcc7f7ec55b46b0157ccb5fc5011fa57353cd3df32edcbadcb8d168133cbd0acfb64444cb040e1298f621508a38f79e14ae8c2c5c857f90aa9d24ef5fc07d34bf23859 ++Result = DIGESTVERIFYINIT_ERROR + + # Verifying with a 1024 bit key is permitted in fips mode for older applications + DigestVerify = SHA256 +Index: openssl-3.2.3/test/recipes/80-test_cms.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/80-test_cms.t ++++ openssl-3.2.3/test/recipes/80-test_cms.t +@@ -163,7 +163,7 @@ my @smime_pkcs7_tests = ( + [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont, "-md", "sha1", + "-certfile", $smroot, + "-signer", $smrsa1, "-out", "{output}.cms" ], +- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", ++ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", + "-CAfile", $smroot, "-out", "{output}.txt" ], + \&final_compare + ], +@@ -171,7 +171,7 @@ my @smime_pkcs7_tests = ( + [ "signed zero-length content S/MIME format, RSA key SHA1", + [ "{cmd1}", @defaultprov, "-sign", "-in", $smcont_zero, "-md", "sha1", + "-certfile", $smroot, "-signer", $smrsa1, "-out", "{output}.cms" ], +- [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", ++ [ "{cmd2}", @defaultprov, "-verify", "-in", "{output}.cms", + "-CAfile", $smroot, "-out", "{output}.txt" ], + \&zero_compare + ], +Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t ++++ openssl-3.2.3/test/recipes/80-test_ssl_old.t +@@ -394,6 +394,9 @@ sub testssl { + 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); + } + ++ SKIP: { ++ skip "SSLv3 is not supported by the FIPS provider", 4 ++ if $provider eq "fips"; + ok(run(test([@ssltest, "-bio_pair", "-server_auth", @CA])), + 'test sslv2/sslv3 with server authentication'); + ok(run(test([@ssltest, "-bio_pair", "-client_auth", @CA])), +@@ -402,6 +405,7 @@ sub testssl { + 'test sslv2/sslv3 with both client and server authentication via BIO pair'); + ok(run(test([@ssltest, "-bio_pair", "-server_auth", "-client_auth", "-app_verify", @CA])), + 'test sslv2/sslv3 with both client and server authentication via BIO pair and app verify'); ++ } + + SKIP: { + skip "No IPv4 available on this machine", 4 +Index: openssl-3.2.3/test/acvp_test.inc +=================================================================== +--- openssl-3.2.3.orig/test/acvp_test.inc ++++ openssl-3.2.3/test/acvp_test.inc +@@ -1844,17 +1844,6 @@ static const struct rsa_sigver_st rsa_si + { + "x931", + 3072, +- "SHA1", +- ITM(rsa_sigverx931_0_msg), +- ITM(rsa_sigverx931_0_n), +- ITM(rsa_sigverx931_0_e), +- ITM(rsa_sigverx931_0_sig), +- NO_PSS_SALT_LEN, +- PASS +- }, +- { +- "x931", +- 3072, + "SHA256", + ITM(rsa_sigverx931_1_msg), + ITM(rsa_sigverx931_1_n), diff --git a/openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch b/openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch new file mode 100644 index 0000000..32a7105 --- /dev/null +++ b/openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch @@ -0,0 +1,98 @@ +From 589eb3898896c1ac916bc20069ecd5adb8534850 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 17 Feb 2023 15:31:08 +0100 +Subject: [PATCH] GCM: Implement explicit FIPS indicator for IV gen + +Implementation Guidance for FIPS 140-3 and the Cryptographic Module +Verification Program, Section C.H requires guarantees about the +uniqueness of key/iv pairs, and proposes a few approaches to ensure +this. Provide an indicator for option 2 "The IV may be generated +internally at its entirety randomly." + +Resolves: rhbz#2168289 +Signed-off-by: Clemens Lang +--- + include/openssl/core_names.h | 1 + + include/openssl/evp.h | 4 +++ + .../implementations/ciphers/ciphercommon.c | 4 +++ + .../ciphers/ciphercommon_gcm.c | 25 +++++++++++++++++++ + 4 files changed, 34 insertions(+) + +Index: openssl-3.2.3/include/openssl/evp.h +=================================================================== +--- openssl-3.2.3.orig/include/openssl/evp.h ++++ openssl-3.2.3/include/openssl/evp.h +@@ -753,6 +753,10 @@ void EVP_CIPHER_CTX_set_flags(EVP_CIPHER + void EVP_CIPHER_CTX_clear_flags(EVP_CIPHER_CTX *ctx, int flags); + int EVP_CIPHER_CTX_test_flags(const EVP_CIPHER_CTX *ctx, int flags); + ++# define EVP_CIPHER_SUSE_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_CIPHER_SUSE_FIPS_INDICATOR_APPROVED 1 ++# define EVP_CIPHER_SUSE_FIPS_INDICATOR_NOT_APPROVED 2 ++ + __owur int EVP_EncryptInit(EVP_CIPHER_CTX *ctx, const EVP_CIPHER *cipher, + const unsigned char *key, const unsigned char *iv); + __owur int EVP_EncryptInit_ex(EVP_CIPHER_CTX *ctx, +Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/ciphers/ciphercommon.c ++++ openssl-3.2.3/providers/implementations/ciphers/ciphercommon.c +@@ -152,6 +152,10 @@ static const OSSL_PARAM cipher_aead_know + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TAG, NULL, 0), + OSSL_PARAM_size_t(OSSL_CIPHER_PARAM_AEAD_TLS1_AAD_PAD, NULL), + OSSL_PARAM_octet_string(OSSL_CIPHER_PARAM_AEAD_TLS1_GET_IV_GEN, NULL, 0), ++ /* normally we would hide this under an #ifdef FIPS_MODULE, but that does ++ * not work in ciphercommon.c because it is compiled only once into ++ * libcommon.a */ ++ OSSL_PARAM_int(OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR, NULL), + OSSL_PARAM_END + }; + const OSSL_PARAM *ossl_cipher_aead_gettable_ctx_params( +Index: openssl-3.2.3/providers/implementations/ciphers/ciphercommon_gcm.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/ciphers/ciphercommon_gcm.c ++++ openssl-3.2.3/providers/implementations/ciphers/ciphercommon_gcm.c +@@ -238,6 +238,31 @@ int ossl_gcm_get_ctx_params(void *vctx, + break; + } + } ++ ++ /* We would usually hide this under #ifdef FIPS_MODULE, but ++ * ciphercommon_gcm.c is only compiled once into libcommon.a, so ifdefs do ++ * not work here. */ ++ p = OSSL_PARAM_locate(params, OSSL_CIPHER_PARAM_SUSE_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_CIPHER_SUSE_FIPS_INDICATOR_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section C.H requires guarantees about the ++ * uniqueness of key/iv pairs, and proposes a few approaches to ensure ++ * this. This provides an indicator for option 2 "The IV may be ++ * generated internally at its entirety randomly." Note that one of the ++ * conditions of this option is that "The IV length shall be at least ++ * 96 bits (per SP 800-38D)." We do not specically check for this ++ * condition here, because gcm_iv_generate will fail in this case. */ ++ if (ctx->enc && !ctx->iv_gen_rand) ++ fips_indicator = EVP_CIPHER_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_FAILED_TO_SET_PARAMETER); ++ return 0; ++ } ++ } ++ + return 1; + } + +Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm +=================================================================== +--- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm ++++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm +@@ -102,6 +102,7 @@ my %params = ( + 'CIPHER_PARAM_CTS_MODE' => "cts_mode", # utf8_string + # For passing the AlgorithmIdentifier parameter in DER form + 'CIPHER_PARAM_ALGORITHM_ID_PARAMS' => "alg_id_param",# octet_string ++ 'CIPHER_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator",# int + 'CIPHER_PARAM_XTS_STANDARD' => "xts_standard",# utf8_string + + 'CIPHER_PARAM_TLS1_MULTIBLOCK_MAX_SEND_FRAGMENT' => "tls1multi_maxsndfrag",# uint diff --git a/openssl-3-FIPS-PCT_rsa_keygen.patch b/openssl-3-FIPS-PCT_rsa_keygen.patch new file mode 100644 index 0000000..55dbe54 --- /dev/null +++ b/openssl-3-FIPS-PCT_rsa_keygen.patch @@ -0,0 +1,28 @@ +Index: openssl-3.1.4/crypto/rsa/rsa_gen.c +=================================================================== +--- openssl-3.1.4.orig/crypto/rsa/rsa_gen.c ++++ openssl-3.1.4/crypto/rsa/rsa_gen.c +@@ -428,7 +428,12 @@ static int rsa_keygen(OSSL_LIB_CTX *libc + + #ifdef FIPS_MODULE + ok = ossl_rsa_sp800_56b_generate_key(rsa, bits, e_value, cb); +- pairwise_test = 1; /* FIPS MODE needs to always run the pairwise test */ ++ /* FIPS MODE needs to always run the pairwise test. But, the ++ * rsa_keygen_pairwise_test() PCT as self-test requirements will be ++ * covered by do_rsa_pct() for both RSA-OAEP and RSA signatures and ++ * this PCT can be skipped here. See bsc#1221760 for more info. ++ */ ++ pairwise_test = 0; + #else + /* + * Only multi-prime keys or insecure keys with a small key length or a +@@ -463,6 +468,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libc + rsa->dmp1 = NULL; + rsa->dmq1 = NULL; + rsa->iqmp = NULL; ++#ifdef FIPS_MODULE ++ abort(); ++#endif /* FIPS_MODULE */ + } + } + return ok; diff --git a/openssl-3-add-defines-CPACF-funcs.patch b/openssl-3-add-defines-CPACF-funcs.patch new file mode 100644 index 0000000..22776fc --- /dev/null +++ b/openssl-3-add-defines-CPACF-funcs.patch @@ -0,0 +1,82 @@ +commit 518b53b139d7b4ac082ccedd401d2ee08fc66985 +Author: Ingo Franzki +Date: Wed Jan 31 16:26:52 2024 +0100 + + s390x: Add defines for new CPACF functions + + Add defines for new CPACF functions codes, its required MSA levels, and + document how to disable these functions via the OPENSSL_s390xcap environment + variable. + + Signed-off-by: Ingo Franzki + + Reviewed-by: Paul Dale + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/25161) + +diff --git a/crypto/s390x_arch.h b/crypto/s390x_arch.h +index fdc682af06..88ed866b0d 100644 +--- a/crypto/s390x_arch.h ++++ b/crypto/s390x_arch.h +@@ -1,5 +1,5 @@ + /* +- * Copyright 2017-2023 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2017-2024 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -115,6 +115,7 @@ extern int OPENSSL_s390xcex; + # define S390X_MSA5 57 /* message-security-assist-ext. 5 */ + # define S390X_MSA3 76 /* message-security-assist-ext. 3 */ + # define S390X_MSA4 77 /* message-security-assist-ext. 4 */ ++# define S390X_MSA12 86 /* message-security-assist-ext. 12 */ + # define S390X_VX 129 /* vector */ + # define S390X_VXD 134 /* vector packed decimal */ + # define S390X_VXE 135 /* vector enhancements 1 */ +@@ -150,6 +151,14 @@ extern int OPENSSL_s390xcex; + /* km */ + # define S390X_XTS_AES_128 50 + # define S390X_XTS_AES_256 52 ++# define S390X_XTS_AES_128_MSA10 82 ++# define S390X_XTS_AES_256_MSA10 84 ++ ++/* kmac */ ++# define S390X_HMAC_SHA_224 112 ++# define S390X_HMAC_SHA_256 113 ++# define S390X_HMAC_SHA_384 114 ++# define S390X_HMAC_SHA_512 115 + + /* prno */ + # define S390X_SHA_512_DRNG 3 +diff --git a/doc/man3/OPENSSL_s390xcap.pod b/doc/man3/OPENSSL_s390xcap.pod +index d7185530ec..363003d8d3 100644 +--- a/doc/man3/OPENSSL_s390xcap.pod ++++ b/doc/man3/OPENSSL_s390xcap.pod +@@ -74,6 +74,7 @@ the numbering is continuous across 64-bit mask boundaries. + : + # 76 1<<51 message-security assist extension 3 + # 77 1<<50 message-security assist extension 4 ++ # 86 1<<41 message-security-assist extension 12 + : + #129 1<<62 vector facility + #134 1<<57 vector packed decimal facility +@@ -110,6 +111,8 @@ the numbering is continuous across 64-bit mask boundaries. + # 50 1<<13 KM-XTS-AES-128 + # 52 1<<11 KM-XTS-AES-256 + : ++ # 82 1<<45 KM-XTS-AES-128-MSA10 ++ # 84 1<<43 KM-XTS-AES-256-MSA10 + + kmc : + # 18 1<<45 KMC-AES-128 +@@ -122,6 +125,10 @@ the numbering is continuous across 64-bit mask boundaries. + # 19 1<<44 KMAC-AES-192 + # 20 1<<43 KMAC-AES-256 + : ++ # 112 1<<15 KMAC-SHA-224 ++ # 113 1<<14 KMAC-SHA-256 ++ # 114 1<<13 KMAC-SHA-384 ++ # 115 1<<12 KMAC-SHA-512 + + kmctr: + : diff --git a/openssl-3-add-hw-acceleration-hmac.patch b/openssl-3-add-hw-acceleration-hmac.patch new file mode 100644 index 0000000..e2368be --- /dev/null +++ b/openssl-3-add-hw-acceleration-hmac.patch @@ -0,0 +1,506 @@ +commit 0499de5adda26b1ef09660f70c12b4710b5f7c8a +Author: Ingo Franzki +Date: Thu Feb 1 15:15:27 2024 +0100 + + s390x: Add hardware acceleration for HMAC + + The CPACF instruction KMAC provides support for accelerating the HMAC + algorithm on newer machines for HMAC with SHA-224, SHA-256, SHA-384, and + SHA-512. + + Preliminary measurements showed performance improvements of up to a factor + of 2, dependent on the message size, whether chunking is used and the size + of the chunks. + + Signed-off-by: Ingo Franzki + + Reviewed-by: Paul Dale + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/25161) + +Index: openssl-3.2.3/crypto/hmac/build.info +=================================================================== +--- openssl-3.2.3.orig/crypto/hmac/build.info ++++ openssl-3.2.3/crypto/hmac/build.info +@@ -2,5 +2,22 @@ LIBS=../../libcrypto + + $COMMON=hmac.c + +-SOURCE[../../libcrypto]=$COMMON +-SOURCE[../../providers/libfips.a]=$COMMON ++IF[{- !$disabled{asm} -}] ++ IF[{- ($target{perlasm_scheme} // '') ne '31' -}] ++ $HMACASM_s390x=hmac_s390x.c ++ $HMACDEF_s390x=OPENSSL_HMAC_S390X ++ ENDIF ++ ++ # Now that we have defined all the arch specific variables, use the ++ # appropriate ones, and define the appropriate macros ++ IF[$HMACASM_{- $target{asm_arch} -}] ++ $HMACASM=$HMACASM_{- $target{asm_arch} -} ++ $HMACDEF=$HMACDEF_{- $target{asm_arch} -} ++ ENDIF ++ENDIF ++ ++DEFINE[../../libcrypto]=$HMACDEF ++DEFINE[../../providers/libfips.a]=$HMACDEF ++ ++SOURCE[../../libcrypto]=$COMMON $HMACASM ++SOURCE[../../providers/libfips.a]=$COMMON $HMACASM +Index: openssl-3.2.3/crypto/hmac/hmac.c +=================================================================== +--- openssl-3.2.3.orig/crypto/hmac/hmac.c ++++ openssl-3.2.3/crypto/hmac/hmac.c +@@ -1,5 +1,5 @@ + /* +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -49,6 +49,12 @@ int HMAC_Init_ex(HMAC_CTX *ctx, const vo + if ((EVP_MD_get_flags(md) & EVP_MD_FLAG_XOF) != 0) + return 0; + ++#ifdef OPENSSL_HMAC_S390X ++ rv = s390x_HMAC_init(ctx, key, len, impl); ++ if (rv >= 1) ++ return rv; ++#endif ++ + if (key != NULL) { + reset = 1; + +@@ -111,6 +117,12 @@ int HMAC_Update(HMAC_CTX *ctx, const uns + { + if (!ctx->md) + return 0; ++ ++#ifdef OPENSSL_HMAC_S390X ++ if (ctx->plat.s390x.fc) ++ return s390x_HMAC_update(ctx, data, len); ++#endif ++ + return EVP_DigestUpdate(ctx->md_ctx, data, len); + } + +@@ -122,6 +134,11 @@ int HMAC_Final(HMAC_CTX *ctx, unsigned c + if (!ctx->md) + goto err; + ++#ifdef OPENSSL_HMAC_S390X ++ if (ctx->plat.s390x.fc) ++ return s390x_HMAC_final(ctx, md, len); ++#endif ++ + if (!EVP_DigestFinal_ex(ctx->md_ctx, buf, &i)) + goto err; + if (!EVP_MD_CTX_copy_ex(ctx->md_ctx, ctx->o_ctx)) +@@ -161,6 +178,10 @@ static void hmac_ctx_cleanup(HMAC_CTX *c + EVP_MD_CTX_reset(ctx->o_ctx); + EVP_MD_CTX_reset(ctx->md_ctx); + ctx->md = NULL; ++ ++#ifdef OPENSSL_HMAC_S390X ++ s390x_HMAC_CTX_cleanup(ctx); ++#endif + } + + void HMAC_CTX_free(HMAC_CTX *ctx) +@@ -212,6 +233,12 @@ int HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_C + if (!EVP_MD_CTX_copy_ex(dctx->md_ctx, sctx->md_ctx)) + goto err; + dctx->md = sctx->md; ++ ++#ifdef OPENSSL_HMAC_S390X ++ if (s390x_HMAC_CTX_copy(dctx, sctx) == 0) ++ goto err; ++#endif ++ + return 1; + err: + hmac_ctx_cleanup(dctx); +Index: openssl-3.2.3/crypto/hmac/hmac_local.h +=================================================================== +--- openssl-3.2.3.orig/crypto/hmac/hmac_local.h ++++ openssl-3.2.3/crypto/hmac/hmac_local.h +@@ -1,5 +1,5 @@ + /* +- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -10,6 +10,10 @@ + #ifndef OSSL_CRYPTO_HMAC_LOCAL_H + # define OSSL_CRYPTO_HMAC_LOCAL_H + ++# include "internal/common.h" ++# include "internal/numbers.h" ++# include "openssl/sha.h" ++ + /* The current largest case is for SHA3-224 */ + #define HMAC_MAX_MD_CBLOCK_SIZE 144 + +@@ -18,6 +22,45 @@ struct hmac_ctx_st { + EVP_MD_CTX *md_ctx; + EVP_MD_CTX *i_ctx; + EVP_MD_CTX *o_ctx; ++ ++ /* Platform specific data */ ++ union { ++ int dummy; ++# ifdef OPENSSL_HMAC_S390X ++ struct { ++ unsigned int fc; /* 0 if not supported by kmac instruction */ ++ int blk_size; ++ int ikp; ++ int iimp; ++ unsigned char *buf; ++ size_t size; /* must be multiple of digest block size */ ++ size_t num; ++ union { ++ OSSL_UNION_ALIGN; ++ struct { ++ uint32_t h[8]; ++ uint64_t imbl; ++ unsigned char key[64]; ++ } hmac_224_256; ++ struct { ++ uint64_t h[8]; ++ uint128_t imbl; ++ unsigned char key[128]; ++ } hmac_384_512; ++ } param; ++ } s390x; ++# endif /* OPENSSL_HMAC_S390X */ ++ } plat; + }; + ++# ifdef OPENSSL_HMAC_S390X ++# define HMAC_S390X_BUF_NUM_BLOCKS 64 ++ ++int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl); ++int s390x_HMAC_update(HMAC_CTX *ctx, const unsigned char *data, size_t len); ++int s390x_HMAC_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len); ++int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx); ++int s390x_HMAC_CTX_cleanup(HMAC_CTX *ctx); ++# endif /* OPENSSL_HMAC_S390X */ ++ + #endif +Index: openssl-3.2.3/crypto/hmac/hmac_s390x.c +=================================================================== +--- /dev/null ++++ openssl-3.2.3/crypto/hmac/hmac_s390x.c +@@ -0,0 +1,298 @@ ++/* ++ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include "crypto/s390x_arch.h" ++#include "hmac_local.h" ++#include "openssl/obj_mac.h" ++#include "openssl/evp.h" ++ ++#ifdef OPENSSL_HMAC_S390X ++ ++static int s390x_fc_from_md(const EVP_MD *md) ++{ ++ int fc; ++ ++ switch (EVP_MD_get_type(md)) { ++ case NID_sha224: ++ fc = S390X_HMAC_SHA_224; ++ break; ++ case NID_sha256: ++ fc = S390X_HMAC_SHA_256; ++ break; ++ case NID_sha384: ++ fc = S390X_HMAC_SHA_384; ++ break; ++ case NID_sha512: ++ fc = S390X_HMAC_SHA_512; ++ break; ++ default: ++ return 0; ++ } ++ ++ if ((OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0) ++ return 0; ++ ++ return fc; ++} ++ ++static void s390x_call_kmac(HMAC_CTX *ctx, const unsigned char *in, size_t len) ++{ ++ unsigned int fc = ctx->plat.s390x.fc; ++ ++ if (ctx->plat.s390x.ikp) ++ fc |= S390X_KMAC_IKP; ++ ++ if (ctx->plat.s390x.iimp) ++ fc |= S390X_KMAC_IIMP; ++ ++ switch (ctx->plat.s390x.fc) { ++ case S390X_HMAC_SHA_224: ++ case S390X_HMAC_SHA_256: ++ ctx->plat.s390x.param.hmac_224_256.imbl += ((uint64_t)len * 8); ++ break; ++ case S390X_HMAC_SHA_384: ++ case S390X_HMAC_SHA_512: ++ ctx->plat.s390x.param.hmac_384_512.imbl += ((uint128_t)len * 8); ++ break; ++ default: ++ break; ++ } ++ ++ s390x_kmac(in, len, fc, &ctx->plat.s390x.param); ++ ++ ctx->plat.s390x.ikp = 1; ++} ++ ++int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl) ++{ ++ unsigned char *key_param; ++ unsigned int key_param_len; ++ ++ ctx->plat.s390x.fc = s390x_fc_from_md(ctx->md); ++ if (ctx->plat.s390x.fc == 0) ++ return -1; /* Not supported by kmac instruction */ ++ ++ ctx->plat.s390x.blk_size = EVP_MD_get_block_size(ctx->md); ++ if (ctx->plat.s390x.blk_size < 0) ++ return 0; ++ ++ if (ctx->plat.s390x.size != ++ (size_t)(ctx->plat.s390x.blk_size * HMAC_S390X_BUF_NUM_BLOCKS)) { ++ OPENSSL_clear_free(ctx->plat.s390x.buf, ctx->plat.s390x.size); ++ ctx->plat.s390x.size = 0; ++ ctx->plat.s390x.buf = OPENSSL_zalloc(ctx->plat.s390x.blk_size * ++ HMAC_S390X_BUF_NUM_BLOCKS); ++ if (ctx->plat.s390x.buf == NULL) ++ return 0; ++ ctx->plat.s390x.size = ctx->plat.s390x.blk_size * ++ HMAC_S390X_BUF_NUM_BLOCKS; ++ } ++ ctx->plat.s390x.num = 0; ++ ++ ctx->plat.s390x.ikp = 0; ++ ctx->plat.s390x.iimp = 1; ++ ++ switch (ctx->plat.s390x.fc) { ++ case S390X_HMAC_SHA_224: ++ case S390X_HMAC_SHA_256: ++ ctx->plat.s390x.param.hmac_224_256.imbl = 0; ++ OPENSSL_cleanse(ctx->plat.s390x.param.hmac_224_256.h, ++ sizeof(ctx->plat.s390x.param.hmac_224_256.h)); ++ break; ++ case S390X_HMAC_SHA_384: ++ case S390X_HMAC_SHA_512: ++ ctx->plat.s390x.param.hmac_384_512.imbl = 0; ++ OPENSSL_cleanse(ctx->plat.s390x.param.hmac_384_512.h, ++ sizeof(ctx->plat.s390x.param.hmac_384_512.h)); ++ break; ++ default: ++ return 0; ++ } ++ ++ if (key != NULL) { ++ switch (ctx->plat.s390x.fc) { ++ case S390X_HMAC_SHA_224: ++ case S390X_HMAC_SHA_256: ++ OPENSSL_cleanse(&ctx->plat.s390x.param.hmac_224_256.key, ++ sizeof(ctx->plat.s390x.param.hmac_224_256.key)); ++ key_param = ctx->plat.s390x.param.hmac_224_256.key; ++ key_param_len = sizeof(ctx->plat.s390x.param.hmac_224_256.key); ++ break; ++ case S390X_HMAC_SHA_384: ++ case S390X_HMAC_SHA_512: ++ OPENSSL_cleanse(&ctx->plat.s390x.param.hmac_384_512.key, ++ sizeof(ctx->plat.s390x.param.hmac_384_512.key)); ++ key_param = ctx->plat.s390x.param.hmac_384_512.key; ++ key_param_len = sizeof(ctx->plat.s390x.param.hmac_384_512.key); ++ break; ++ default: ++ return 0; ++ } ++ ++ if (!ossl_assert(ctx->plat.s390x.blk_size <= (int)key_param_len)) ++ return 0; ++ ++ if (key_len > ctx->plat.s390x.blk_size) { ++ if (!EVP_DigestInit_ex(ctx->md_ctx, ctx->md, impl) ++ || !EVP_DigestUpdate(ctx->md_ctx, key, key_len) ++ || !EVP_DigestFinal_ex(ctx->md_ctx, key_param, ++ &key_param_len)) ++ return 0; ++ } else { ++ if (key_len < 0 || key_len > (int)key_param_len) ++ return 0; ++ memcpy(key_param, key, key_len); ++ /* remaining key bytes already zeroed out above */ ++ } ++ } ++ ++ return 1; ++} ++ ++int s390x_HMAC_update(HMAC_CTX *ctx, const unsigned char *data, size_t len) ++{ ++ size_t remain, num; ++ ++ if (len == 0) ++ return 1; ++ ++ /* buffer is full, process it now */ ++ if (ctx->plat.s390x.num == ctx->plat.s390x.size) { ++ s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num); ++ ++ ctx->plat.s390x.num = 0; ++ } ++ ++ remain = ctx->plat.s390x.size - ctx->plat.s390x.num; ++ if (len > remain) { ++ /* data does not fit into buffer */ ++ if (ctx->plat.s390x.num > 0) { ++ /* first fill buffer and process it */ ++ memcpy(&ctx->plat.s390x.buf[ctx->plat.s390x.num], data, remain); ++ ctx->plat.s390x.num += remain; ++ ++ s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num); ++ ++ ctx->plat.s390x.num = 0; ++ ++ data += remain; ++ len -= remain; ++ } ++ ++ if (!ossl_assert(ctx->plat.s390x.num == 0)) ++ return 0; ++ ++ if (len > ctx->plat.s390x.size) { ++ /* ++ * remaining data is still larger than buffer, process remaining ++ * full blocks of input directly ++ */ ++ remain = len % ctx->plat.s390x.blk_size; ++ num = len - remain; ++ ++ s390x_call_kmac(ctx, data, num); ++ ++ data += num; ++ len -= num; ++ } ++ } ++ ++ /* add remaining input data (which is < buffer size) to buffer */ ++ if (!ossl_assert(len <= ctx->plat.s390x.size)) ++ return 0; ++ ++ if (len > 0) { ++ memcpy(&ctx->plat.s390x.buf[ctx->plat.s390x.num], data, len); ++ ctx->plat.s390x.num += len; ++ } ++ ++ return 1; ++} ++ ++int s390x_HMAC_final(HMAC_CTX *ctx, unsigned char *md, unsigned int *len) ++{ ++ void *result; ++ unsigned int res_len; ++ ++ ctx->plat.s390x.iimp = 0; /* last block */ ++ s390x_call_kmac(ctx, ctx->plat.s390x.buf, ctx->plat.s390x.num); ++ ++ ctx->plat.s390x.num = 0; ++ ++ switch (ctx->plat.s390x.fc) { ++ case S390X_HMAC_SHA_224: ++ result = &ctx->plat.s390x.param.hmac_224_256.h[0]; ++ res_len = SHA224_DIGEST_LENGTH; ++ break; ++ case S390X_HMAC_SHA_256: ++ result = &ctx->plat.s390x.param.hmac_224_256.h[0]; ++ res_len = SHA256_DIGEST_LENGTH; ++ break; ++ case S390X_HMAC_SHA_384: ++ result = &ctx->plat.s390x.param.hmac_384_512.h[0]; ++ res_len = SHA384_DIGEST_LENGTH; ++ break; ++ case S390X_HMAC_SHA_512: ++ result = &ctx->plat.s390x.param.hmac_384_512.h[0]; ++ res_len = SHA512_DIGEST_LENGTH; ++ break; ++ default: ++ return 0; ++ } ++ ++ memcpy(md, result, res_len); ++ if (len != NULL) ++ *len = res_len; ++ ++ return 1; ++} ++ ++int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx) ++{ ++ dctx->plat.s390x.fc = sctx->plat.s390x.fc; ++ dctx->plat.s390x.blk_size = sctx->plat.s390x.blk_size; ++ dctx->plat.s390x.ikp = sctx->plat.s390x.ikp; ++ dctx->plat.s390x.iimp = sctx->plat.s390x.iimp; ++ ++ memcpy(&dctx->plat.s390x.param, &sctx->plat.s390x.param, ++ sizeof(dctx->plat.s390x.param)); ++ ++ dctx->plat.s390x.buf = NULL; ++ if (sctx->plat.s390x.buf != NULL) { ++ dctx->plat.s390x.buf = OPENSSL_memdup(sctx->plat.s390x.buf, ++ sctx->plat.s390x.size); ++ if (dctx->plat.s390x.buf == NULL) ++ return 0; ++ } ++ ++ dctx->plat.s390x.size = sctx->plat.s390x.size; ++ dctx->plat.s390x.num = sctx->plat.s390x.num; ++ ++ return 1; ++} ++ ++int s390x_HMAC_CTX_cleanup(HMAC_CTX *ctx) ++{ ++ OPENSSL_clear_free(ctx->plat.s390x.buf, ctx->plat.s390x.size); ++ ctx->plat.s390x.buf = NULL; ++ ctx->plat.s390x.size = 0; ++ ctx->plat.s390x.num = 0; ++ ++ OPENSSL_cleanse(&ctx->plat.s390x.param, sizeof(ctx->plat.s390x.param)); ++ ++ ctx->plat.s390x.blk_size = 0; ++ ctx->plat.s390x.ikp = 0; ++ ctx->plat.s390x.iimp = 1; ++ ++ ctx->plat.s390x.fc = 0; ++ ++ return 1; ++} ++ ++#endif +Index: openssl-3.2.3/crypto/s390x_arch.h +=================================================================== +--- openssl-3.2.3.orig/crypto/s390x_arch.h ++++ openssl-3.2.3/crypto/s390x_arch.h +@@ -192,5 +192,8 @@ extern int OPENSSL_s390xcex; + # define S390X_KMA_HS 0x400 + # define S390X_KDSA_D 0x80 + # define S390X_KLMD_PS 0x100 ++# define S390X_KMAC_IKP 0x8000 ++# define S390X_KMAC_IIMP 0x4000 ++# define S390X_KMAC_CCUP 0x2000 + + #endif diff --git a/openssl-3-add-xof-state-handling-s3_absorb.patch b/openssl-3-add-xof-state-handling-s3_absorb.patch new file mode 100644 index 0000000..ae73e9f --- /dev/null +++ b/openssl-3-add-xof-state-handling-s3_absorb.patch @@ -0,0 +1,32 @@ +commit 1337b50936ed190a98af1ee6601d857b42a3d296 +Author: Holger Dengler +Date: Wed Sep 27 21:54:34 2023 +0200 + + Add xof state handing for generic sha3 absorb. + + The digest life-cycle diagram specifies state transitions to `updated` + (aka XOF_STATE_ABSORB) only from `initialised` and `updated`. Add this + checking to the generic sha3 absorb implementation. + + Signed-off-by: Holger Dengler + + Reviewed-by: Shane Lontis + Reviewed-by: Todd Short + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/22221) + +Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c ++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c +@@ -143,6 +143,10 @@ static size_t generic_sha3_absorb(void * + { + KECCAK1600_CTX *ctx = vctx; + ++ if (!(ctx->xof_state == XOF_STATE_INIT || ++ ctx->xof_state == XOF_STATE_ABSORB)) ++ return 0; ++ ctx->xof_state = XOF_STATE_ABSORB; + return SHA3_absorb(ctx->A, inp, len, ctx->block_size); + } + diff --git a/openssl-3-add_EVP_DigestSqueeze_api.patch b/openssl-3-add_EVP_DigestSqueeze_api.patch new file mode 100644 index 0000000..58b4713 --- /dev/null +++ b/openssl-3-add_EVP_DigestSqueeze_api.patch @@ -0,0 +1,1781 @@ +commit 536649082212e7c643ab8d7bab89f620fbcd37f0 +Author: slontis +Date: Fri Jul 21 15:05:38 2023 +1000 + + Add EVP_DigestSqueeze() API. + + Fixes #7894 + + This allows SHAKE to squeeze multiple times with different output sizes. + + The existing EVP_DigestFinalXOF() API has been left as a one shot + operation. A similar interface is used by another toolkit. + + The low level SHA3_Squeeze() function needed to change slightly so + that it can handle multiple squeezes. This involves changing the + assembler code so that it passes a boolean to indicate whether + the Keccak function should be called on entry. + At the provider level, the squeeze is buffered, so that it only requests + a multiple of the blocksize when SHA3_Squeeze() is called. On the first + call the value is zero, on subsequent calls the value passed is 1. + + This PR is derived from the excellent work done by @nmathewson in + https://github.com/openssl/openssl/pull/7921 + + Reviewed-by: Paul Dale + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/21511) + +Index: openssl-3.2.3/crypto/evp/digest.c +=================================================================== +--- openssl-3.2.3.orig/crypto/evp/digest.c ++++ openssl-3.2.3/crypto/evp/digest.c +@@ -502,6 +502,7 @@ int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, + return ret; + } + ++/* This is a one shot operation */ + int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t size) + { + int ret = 0; +@@ -526,10 +527,15 @@ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, + return 0; + } + ++ /* ++ * For backward compatibility we pass the XOFLEN via a param here so that ++ * older providers can use the supplied value. Ideally we should have just ++ * used the size passed into ctx->digest->dfinal(). ++ */ + params[i++] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_XOFLEN, &size); + params[i++] = OSSL_PARAM_construct_end(); + +- if (EVP_MD_CTX_set_params(ctx, params) > 0) ++ if (EVP_MD_CTX_set_params(ctx, params) >= 0) + ret = ctx->digest->dfinal(ctx->algctx, md, &size, size); + + ctx->flags |= EVP_MD_CTX_FLAG_FINALISED; +@@ -553,6 +559,27 @@ legacy: + return ret; + } + ++/* EVP_DigestSqueeze() can be called multiple times */ ++int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *md, size_t size) ++{ ++ if (ctx->digest == NULL) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_NULL_ALGORITHM); ++ return 0; ++ } ++ ++ if (ctx->digest->prov == NULL) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_OPERATION); ++ return 0; ++ } ++ ++ if (ctx->digest->dsqueeze == NULL) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_METHOD_NOT_SUPPORTED); ++ return 0; ++ } ++ ++ return ctx->digest->dsqueeze(ctx->algctx, md, &size, size); ++} ++ + EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in) + { + EVP_MD_CTX *out = EVP_MD_CTX_new(); +@@ -1032,6 +1059,12 @@ static void *evp_md_from_algorithm(int n + fncnt++; + } + break; ++ case OSSL_FUNC_DIGEST_SQUEEZE: ++ if (md->dsqueeze == NULL) { ++ md->dsqueeze = OSSL_FUNC_digest_squeeze(fns); ++ fncnt++; ++ } ++ break; + case OSSL_FUNC_DIGEST_DIGEST: + if (md->digest == NULL) + md->digest = OSSL_FUNC_digest_digest(fns); +@@ -1075,7 +1108,7 @@ static void *evp_md_from_algorithm(int n + break; + } + } +- if ((fncnt != 0 && fncnt != 5) ++ if ((fncnt != 0 && fncnt != 5 && fncnt != 6) + || (fncnt == 0 && md->digest == NULL)) { + /* + * In order to be a consistent set of functions we either need the +Index: openssl-3.2.3/crypto/evp/legacy_sha.c +=================================================================== +--- openssl-3.2.3.orig/crypto/evp/legacy_sha.c ++++ openssl-3.2.3/crypto/evp/legacy_sha.c +@@ -37,7 +37,8 @@ static int nm##_update(EVP_MD_CTX *ctx, + } \ + static int nm##_final(EVP_MD_CTX *ctx, unsigned char *md) \ + { \ +- return fn##_final(md, EVP_MD_CTX_get0_md_data(ctx)); \ ++ KECCAK1600_CTX *kctx = EVP_MD_CTX_get0_md_data(ctx); \ ++ return fn##_final(kctx, md, kctx->md_size); \ + } + #define IMPLEMENT_LEGACY_EVP_MD_METH_SHAKE(nm, fn, tag) \ + static int nm##_init(EVP_MD_CTX *ctx) \ +Index: openssl-3.2.3/crypto/sha/asm/keccak1600-armv4.pl +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-armv4.pl ++++ openssl-3.2.3/crypto/sha/asm/keccak1600-armv4.pl +@@ -966,6 +966,8 @@ SHA3_squeeze: + stmdb sp!,{r6-r9} + + mov r14,$A_flat ++ cmp r4, #0 @ r4 = 'next' argument ++ bne .Lnext_block + b .Loop_squeeze + + .align 4 +@@ -1037,7 +1039,7 @@ SHA3_squeeze: + + subs $bsz,$bsz,#8 @ bsz -= 8 + bhi .Loop_squeeze +- ++.Lnext_block: + mov r0,r14 @ original $A_flat + + bl KeccakF1600 +Index: openssl-3.2.3/crypto/sha/asm/keccak1600-armv8.pl +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-armv8.pl ++++ openssl-3.2.3/crypto/sha/asm/keccak1600-armv8.pl +@@ -483,6 +483,8 @@ SHA3_squeeze: + mov $out,x1 + mov $len,x2 + mov $bsz,x3 ++ cmp x4, #0 // x4 = 'next' argument ++ bne .Lnext_block + + .Loop_squeeze: + ldr x4,[x0],#8 +@@ -497,7 +499,7 @@ SHA3_squeeze: + + subs x3,x3,#8 + bhi .Loop_squeeze +- ++.Lnext_block: + mov x0,$A_flat + bl KeccakF1600 + mov x0,$A_flat +Index: openssl-3.2.3/crypto/sha/asm/keccak1600-ppc64.pl +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-ppc64.pl ++++ openssl-3.2.3/crypto/sha/asm/keccak1600-ppc64.pl +@@ -668,6 +668,8 @@ SHA3_squeeze: + subi $out,r4,1 ; prepare for stbu + mr $len,r5 + mr $bsz,r6 ++ ${UCMP}i r7,1 ; r7 = 'next' argument ++ blt .Lnext_block + b .Loop_squeeze + + .align 4 +@@ -698,6 +700,7 @@ SHA3_squeeze: + subic. r6,r6,8 + bgt .Loop_squeeze + ++.Lnext_block: + mr r3,$A_flat + bl KeccakF1600 + subi r3,$A_flat,8 ; prepare for ldu +Index: openssl-3.2.3/crypto/sha/asm/keccak1600-x86_64.pl +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/asm/keccak1600-x86_64.pl ++++ openssl-3.2.3/crypto/sha/asm/keccak1600-x86_64.pl +@@ -503,12 +503,12 @@ SHA3_absorb: + .size SHA3_absorb,.-SHA3_absorb + ___ + } +-{ my ($A_flat,$out,$len,$bsz) = ("%rdi","%rsi","%rdx","%rcx"); ++{ my ($A_flat,$out,$len,$bsz,$next) = ("%rdi","%rsi","%rdx","%rcx","%r8"); + ($out,$len,$bsz) = ("%r12","%r13","%r14"); + + $code.=<<___; + .globl SHA3_squeeze +-.type SHA3_squeeze,\@function,4 ++.type SHA3_squeeze,\@function,5 + .align 32 + SHA3_squeeze: + .cfi_startproc +@@ -520,10 +520,12 @@ SHA3_squeeze: + .cfi_push %r14 + + shr \$3,%rcx +- mov $A_flat,%r8 ++ mov $A_flat,%r9 + mov %rsi,$out + mov %rdx,$len + mov %rcx,$bsz ++ bt \$0,$next ++ jc .Lnext_block + jmp .Loop_squeeze + + .align 32 +@@ -531,8 +533,8 @@ SHA3_squeeze: + cmp \$8,$len + jb .Ltail_squeeze + +- mov (%r8),%rax +- lea 8(%r8),%r8 ++ mov (%r9),%rax ++ lea 8(%r9),%r9 + mov %rax,($out) + lea 8($out),$out + sub \$8,$len # len -= 8 +@@ -540,14 +542,14 @@ SHA3_squeeze: + + sub \$1,%rcx # bsz-- + jnz .Loop_squeeze +- ++.Lnext_block: + call KeccakF1600 +- mov $A_flat,%r8 ++ mov $A_flat,%r9 + mov $bsz,%rcx + jmp .Loop_squeeze + + .Ltail_squeeze: +- mov %r8, %rsi ++ mov %r9, %rsi + mov $out,%rdi + mov $len,%rcx + .byte 0xf3,0xa4 # rep movsb +Index: openssl-3.2.3/crypto/sha/keccak1600.c +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/keccak1600.c ++++ openssl-3.2.3/crypto/sha/keccak1600.c +@@ -13,7 +13,7 @@ + + size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len, + size_t r); +-void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r); ++void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, int next); + + #if !defined(KECCAK1600_ASM) || !defined(SELFTEST) + +@@ -1090,10 +1090,16 @@ size_t SHA3_absorb(uint64_t A[5][5], con + } + + /* +- * sha3_squeeze is called once at the end to generate |out| hash value +- * of |len| bytes. ++ * SHA3_squeeze may be called after SHA3_absorb to generate |out| hash value of ++ * |len| bytes. ++ * If multiple SHA3_squeeze calls are required the output length |len| must be a ++ * multiple of the blocksize, with |next| being 0 on the first call and 1 on ++ * subsequent calls. It is the callers responsibility to buffer the results. ++ * When only a single call to SHA3_squeeze is required, |len| can be any size ++ * and |next| must be 0. + */ +-void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r) ++void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, ++ int next) + { + uint64_t *A_flat = (uint64_t *)A; + size_t i, w = r / 8; +@@ -1101,6 +1107,9 @@ void SHA3_squeeze(uint64_t A[5][5], unsi + assert(r < (25 * sizeof(A[0][0])) && (r % 8) == 0); + + while (len != 0) { ++ if (next) ++ KeccakF1600(A); ++ next = 1; + for (i = 0; i < w && len != 0; i++) { + uint64_t Ai = BitDeinterleave(A_flat[i]); + +@@ -1123,8 +1132,6 @@ void SHA3_squeeze(uint64_t A[5][5], unsi + out += 8; + len -= 8; + } +- if (len) +- KeccakF1600(A); + } + } + #endif +Index: openssl-3.2.3/crypto/sha/sha3.c +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/sha3.c ++++ openssl-3.2.3/crypto/sha/sha3.c +@@ -10,12 +10,13 @@ + #include + #include "internal/sha3.h" + +-void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r); ++void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, int next); + + void ossl_sha3_reset(KECCAK1600_CTX *ctx) + { + memset(ctx->A, 0, sizeof(ctx->A)); + ctx->bufsz = 0; ++ ctx->xof_state = XOF_STATE_INIT; + } + + int ossl_sha3_init(KECCAK1600_CTX *ctx, unsigned char pad, size_t bitlen) +@@ -51,6 +52,10 @@ int ossl_sha3_update(KECCAK1600_CTX *ctx + if (len == 0) + return 1; + ++ if (ctx->xof_state == XOF_STATE_SQUEEZE ++ || ctx->xof_state == XOF_STATE_FINAL) ++ return 0; ++ + if ((num = ctx->bufsz) != 0) { /* process intermediate buffer? */ + rem = bsz - num; + +@@ -84,13 +89,21 @@ int ossl_sha3_update(KECCAK1600_CTX *ctx + return 1; + } + +-int ossl_sha3_final(unsigned char *md, KECCAK1600_CTX *ctx) ++/* ++ * ossl_sha3_final()is a single shot method ++ * (Use ossl_sha3_squeeze for multiple calls). ++ * outlen is the variable size output. ++ */ ++int ossl_sha3_final(KECCAK1600_CTX *ctx, unsigned char *out, size_t outlen) + { + size_t bsz = ctx->block_size; + size_t num = ctx->bufsz; + +- if (ctx->md_size == 0) ++ if (outlen == 0) + return 1; ++ if (ctx->xof_state == XOF_STATE_SQUEEZE ++ || ctx->xof_state == XOF_STATE_FINAL) ++ return 0; + + /* + * Pad the data with 10*1. Note that |num| can be |bsz - 1| +@@ -103,7 +116,86 @@ int ossl_sha3_final(unsigned char *md, K + + (void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz); + +- SHA3_squeeze(ctx->A, md, ctx->md_size, bsz); ++ ctx->xof_state = XOF_STATE_FINAL; ++ SHA3_squeeze(ctx->A, out, outlen, bsz, 0); ++ return 1; ++} ++ ++/* ++ * This method can be called multiple times. ++ * Rather than heavily modifying assembler for SHA3_squeeze(), ++ * we instead just use the limitations of the existing function. ++ * i.e. Only request multiples of the ctx->block_size when calling ++ * SHA3_squeeze(). For output length requests smaller than the ++ * ctx->block_size just request a single ctx->block_size bytes and ++ * buffer the results. The next request will use the buffer first ++ * to grab output bytes. ++ */ ++int ossl_sha3_squeeze(KECCAK1600_CTX *ctx, unsigned char *out, size_t outlen) ++{ ++ size_t bsz = ctx->block_size; ++ size_t num = ctx->bufsz; ++ size_t len; ++ int next = 1; ++ ++ if (outlen == 0) ++ return 1; ++ ++ if (ctx->xof_state == XOF_STATE_FINAL) ++ return 0; ++ ++ /* ++ * On the first squeeze call, finish the absorb process, ++ * by adding the trailing padding and then doing ++ * a final absorb. ++ */ ++ if (ctx->xof_state != XOF_STATE_SQUEEZE) { ++ /* ++ * Pad the data with 10*1. Note that |num| can be |bsz - 1| ++ * in which case both byte operations below are performed on ++ * same byte... ++ */ ++ memset(ctx->buf + num, 0, bsz - num); ++ ctx->buf[num] = ctx->pad; ++ ctx->buf[bsz - 1] |= 0x80; ++ (void)SHA3_absorb(ctx->A, ctx->buf, bsz, bsz); ++ ctx->xof_state = XOF_STATE_SQUEEZE; ++ num = ctx->bufsz = 0; ++ next = 0; ++ } ++ ++ /* ++ * Step 1. Consume any bytes left over from a previous squeeze ++ * (See Step 4 below). ++ */ ++ if (num != 0) { ++ if (outlen > ctx->bufsz) ++ len = ctx->bufsz; ++ else ++ len = outlen; ++ memcpy(out, ctx->buf + bsz - ctx->bufsz, len); ++ out += len; ++ outlen -= len; ++ ctx->bufsz -= len; ++ } ++ if (outlen == 0) ++ return 1; ++ ++ /* Step 2. Copy full sized squeezed blocks to the output buffer directly */ ++ if (outlen >= bsz) { ++ len = bsz * (outlen / bsz); ++ SHA3_squeeze(ctx->A, out, len, bsz, next); ++ next = 1; ++ out += len; ++ outlen -= len; ++ } ++ if (outlen > 0) { ++ /* Step 3. Squeeze one more block into a buffer */ ++ SHA3_squeeze(ctx->A, ctx->buf, bsz, bsz, next); ++ memcpy(out, ctx->buf, outlen); ++ /* Step 4. Remember the leftover part of the squeezed block */ ++ ctx->bufsz = bsz - outlen; ++ } + + return 1; + } +Index: openssl-3.2.3/doc/life-cycles/digest.dot +=================================================================== +--- openssl-3.2.3.orig/doc/life-cycles/digest.dot ++++ openssl-3.2.3/doc/life-cycles/digest.dot +@@ -6,28 +6,30 @@ digraph digest { + initialised [label=initialised, fontcolor="#c94c4c"]; + updated [label=updated, fontcolor="#c94c4c"]; + finaled [label="finaled", fontcolor="#c94c4c"]; ++ squeezed [label="squeezed", fontcolor="#c94c4c"]; + end [label="freed", color="#deeaee", style="filled"]; + + begin -> newed [label="EVP_MD_CTX_new"]; +- newed -> initialised [label="EVP_DigestInit"]; +- initialised -> updated [label="EVP_DigestUpdate", weight=3]; ++ newed -> initialised [label="EVP_DigestInit", weight=100]; ++ initialised -> updated [label="EVP_DigestUpdate", weight=100]; + updated -> updated [label="EVP_DigestUpdate"]; +- updated -> finaled [label="EVP_DigestFinal"]; ++ updated -> finaled [label="EVP_DigestFinal", weight=2]; + updated -> finaled [label="EVP_DigestFinalXOF", + fontcolor="#808080", color="#808080"]; +- /* Once this works it should go back in: +- finaled -> finaled [taillabel="EVP_DigestFinalXOF", +- labeldistance=9, labelangle=345, +- labelfontcolor="#808080", color="#808080"]; +- */ ++ updated -> squeezed [label="EVP_DigestSqueeze", weight=3]; + finaled -> end [label="EVP_MD_CTX_free"]; +- finaled -> newed [label="EVP_MD_CTX_reset", style=dashed, weight=2, ++ finaled -> newed [label="EVP_MD_CTX_reset", style=dashed, + color="#034f84", fontcolor="#034f84"]; + updated -> newed [label="EVP_MD_CTX_reset", style=dashed, + color="#034f84", fontcolor="#034f84"]; +- updated -> initialised [label="EVP_DigestInit", weight=0, style=dashed, ++ updated -> initialised [label="EVP_DigestInit", style=dashed, + color="#034f84", fontcolor="#034f84"]; + finaled -> initialised [label="EVP_DigestInit", style=dashed, + color="#034f84", fontcolor="#034f84"]; ++ squeezed -> squeezed [label="EVP_DigestSqueeze"]; ++ squeezed -> end [label="EVP_MD_CTX_free", weight=1]; ++ squeezed -> newed [label="EVP_MD_CTX_reset", style=dashed, ++ color="#034f84", fontcolor="#034f84"]; ++ squeezed -> initialised [label="EVP_DigestInit", style=dashed, ++ color="#034f84", fontcolor="#034f84"]; + } +- +Index: openssl-3.2.3/doc/man3/EVP_DigestInit.pod +=================================================================== +--- openssl-3.2.3.orig/doc/man3/EVP_DigestInit.pod ++++ openssl-3.2.3/doc/man3/EVP_DigestInit.pod +@@ -12,6 +12,7 @@ EVP_MD_CTX_settable_params, EVP_MD_CTX_g + EVP_MD_CTX_set_flags, EVP_MD_CTX_clear_flags, EVP_MD_CTX_test_flags, + EVP_Q_digest, EVP_Digest, EVP_DigestInit_ex2, EVP_DigestInit_ex, EVP_DigestInit, + EVP_DigestUpdate, EVP_DigestFinal_ex, EVP_DigestFinalXOF, EVP_DigestFinal, ++EVP_DigestSqueeze, + EVP_MD_is_a, EVP_MD_get0_name, EVP_MD_get0_description, + EVP_MD_names_do_all, EVP_MD_get0_provider, EVP_MD_get_type, + EVP_MD_get_pkey_type, EVP_MD_get_size, EVP_MD_get_block_size, EVP_MD_get_flags, +@@ -61,7 +62,8 @@ EVP_MD_CTX_type, EVP_MD_CTX_pkey_ctx, EV + int EVP_DigestInit_ex(EVP_MD_CTX *ctx, const EVP_MD *type, ENGINE *impl); + int EVP_DigestUpdate(EVP_MD_CTX *ctx, const void *d, size_t cnt); + int EVP_DigestFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s); +- int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, size_t len); ++ int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *out, size_t outlen); ++ int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *out, size_t outlen); + + EVP_MD_CTX *EVP_MD_CTX_dup(const EVP_MD_CTX *in); + int EVP_MD_CTX_copy_ex(EVP_MD_CTX *out, const EVP_MD_CTX *in); +@@ -293,9 +295,16 @@ initialize a new digest operation. + =item EVP_DigestFinalXOF() + + Interfaces to extendable-output functions, XOFs, such as SHAKE128 and SHAKE256. +-It retrieves the digest value from I and places it in I-sized I. ++It retrieves the digest value from I and places it in I-sized I. + After calling this function no additional calls to EVP_DigestUpdate() can be + made, but EVP_DigestInit_ex2() can be called to initialize a new operation. ++EVP_DigestFinalXOF() may only be called once ++ ++=item EVP_DigestSqueeze() ++ ++Similar to EVP_DigestFinalXOF() but allows multiple calls to be made to ++squeeze variable length output data. ++EVP_DigestFinalXOF() should not be called after this. + + =item EVP_MD_CTX_dup() + +@@ -480,8 +489,9 @@ EVP_MD_CTX_set_params() can be used with + =item "xoflen" (B) + + Sets the digest length for extendable output functions. +-It is used by the SHAKE algorithm and should not exceed what can be given +-using a B. ++The value should not exceed what can be given using a B. ++It may be used by BLAKE2B-512, SHAKE-128 and SHAKE-256 to set the ++output length used by EVP_DigestFinal_ex() and EVP_DigestFinal(). + + =item "pad-type" (B) + +@@ -801,7 +811,8 @@ EVP_MD_CTX_get0_md() instead. + EVP_MD_CTX_update_fn() and EVP_MD_CTX_set_update_fn() were deprecated + in OpenSSL 3.0. + +-EVP_MD_CTX_dup() was added in OpenSSL 3.2. ++The functions EVP_MD_CTX_dup() and EVP_DigestSqueeze() were added in ++OpenSSL 3.2. + + =head1 COPYRIGHT + +Index: openssl-3.2.3/doc/man7/EVP_MD-BLAKE2.pod +=================================================================== +--- openssl-3.2.3.orig/doc/man7/EVP_MD-BLAKE2.pod ++++ openssl-3.2.3/doc/man7/EVP_MD-BLAKE2.pod +@@ -25,6 +25,17 @@ Known names are "BLAKE2B-512" and "BLAKE + + =back + ++=head2 Settable Parameters ++ ++"BLAKE2B-512" supports the following EVP_MD_CTX_set_params() key ++described in L. ++ ++=over 4 ++ ++=item "xoflen" (B) ++ ++=back ++ + =head2 Gettable Parameters + + This implementation supports the common gettable parameters described +Index: openssl-3.2.3/doc/man7/EVP_MD-SHAKE.pod +=================================================================== +--- openssl-3.2.3.orig/doc/man7/EVP_MD-SHAKE.pod ++++ openssl-3.2.3/doc/man7/EVP_MD-SHAKE.pod +@@ -70,8 +70,21 @@ For backwards compatibility reasons the + 32 (bytes) which results in a security strength of only 128 bits. To ensure the + maximum security strength of 256 bits, the xoflen should be set to at least 64. + ++This parameter may be used when calling either EVP_DigestFinal_ex() or ++EVP_DigestFinal(), since these functions were not designed to handle variable ++length output. It is recommended to either use EVP_DigestSqueeze() or ++EVP_DigestFinalXOF() instead. ++ + =back + ++=head1 NOTES ++ ++For SHAKE-128, to ensure the maximum security strength of 128 bits, the output ++length passed to EVP_DigestFinalXOF() should be at least 32. ++ ++For SHAKE-256, to ensure the maximum security strength of 256 bits, the output ++length passed to EVP_DigestFinalXOF() should be at least 64. ++ + =head1 SEE ALSO + + L, L, L +Index: openssl-3.2.3/doc/man7/life_cycle-digest.pod +=================================================================== +--- openssl-3.2.3.orig/doc/man7/life_cycle-digest.pod ++++ openssl-3.2.3/doc/man7/life_cycle-digest.pod +@@ -32,6 +32,14 @@ additional input or generating output. + =item finaled + + This state represents the MD when it has generated output. ++For an XOF digest, this state represents the MD when it has generated a ++single-shot output. ++ ++=item squeezed ++ ++For an XOF digest, this state represents the MD when it has generated output. ++It can be called multiple times to generate more output. The output length is ++variable for each call. + + =item freed + +@@ -46,39 +54,57 @@ The usual life-cycle of a MD is illustra + + =begin man + +- +-------------------+ +- | start | +- +-------------------+ +- | +- | EVP_MD_CTX_new +- v +- +-------------------+ EVP_MD_CTX_reset +- | newed | <------------------------------+ +- +-------------------+ | +- | | +- | EVP_DigestInit | +- v | +- +-------------------+ | +- +--> | initialised | <+ EVP_DigestInit | +- | +-------------------+ | | +- | | | EVP_DigestUpdate | +- | | EVP_DigestUpdate | +------------------+ | +- | v | v | | +- | +------------------------------------------------+ | +- EVP_DigestInit | | updated | --+ +- | +------------------------------------------------+ | +- | | | | +- | | EVP_DigestFinal | EVP_DigestFinalXOF | +- | v v | +- | +------------------------------------------------+ | +- +--- | finaled | --+ +- +------------------------------------------------+ +- | +- | EVP_MD_CTX_free +- v +- +-------------------+ +- | freed | +- +-------------------+ ++ +--------------------+ ++ | start | ++ +--------------------+ ++ | EVP_MD_CTX_reset ++ | EVP_MD_CTX_new +-------------------------------------------------+ ++ v v | ++ EVP_MD_CTX_reset + - - - - - - - - - - - - - - - - - - - - - - + EVP_MD_CTX_reset | ++ +-------------------> ' newed ' <--------------------+ | ++ | + - - - - - - - - - - - - - - - - - - - - - - + | | ++ | | | | ++ | | EVP_DigestInit | | ++ | v | | ++ | EVP_DigestInit + - - - - - - - - - - - - - - - - - - - - - - + | | ++ +----+-------------------> ' initialised ' <+ EVP_DigestInit | | ++ | | + - - - - - - - - - - - - - - - - - - - - - - + | | | ++ | | | ^ | | | ++ | | | EVP_DigestUpdate | EVP_DigestInit | | | ++ | | v | | | | ++ | | +---------------------------------------------+ | | | ++ | +-------------------- | | | | | ++ | | | | | | ++ | EVP_DigestUpdate | | | | | ++ | +-------------------- | | | | | ++ | | | updated | | | | ++ | +-------------------> | | | | | ++ | | | | | | ++ | | | | | | ++ +----+------------------------- | | -+-------------------+----+ | ++ | | +---------------------------------------------+ | | | | ++ | | | | | | | ++ | | | EVP_DigestSqueeze +-------------------+ | | | ++ | | v | | | | ++ | | EVP_DigestSqueeze +---------------------------------------------+ | | | ++ | | +-------------------- | | | | | ++ | | | | squeezed | | | | ++ | | +-------------------> | | ---------------------+ | | ++ | | +---------------------------------------------+ | | ++ | | | | | ++ | | +---------------------------------------+ | | ++ | | | | | ++ | | +---------------------------------------------+ EVP_DigestFinalXOF | | | ++ | +------------------------- | finaled | <--------------------+----+ | ++ | +---------------------------------------------+ | | ++ | EVP_DigestFinal ^ | | | | ++ +---------------------------------+ | | EVP_MD_CTX_free | | ++ | v | | ++ | +------------------+ EVP_MD_CTX_free | | ++ | | freed | <--------------------+ | ++ | +------------------+ | ++ | | ++ +------------------------------------------------------+ + + =end man + +@@ -91,19 +117,21 @@ This is the canonical list. + + =begin man + +- Function Call --------------------- Current State ---------------------- +- start newed initialised updated finaled freed ++ Function Call --------------------- Current State ----------------------------------- ++ start newed initialised updated finaled squeezed freed + EVP_MD_CTX_new newed +- EVP_DigestInit initialised initialised initialised initialised ++ EVP_DigestInit initialised initialised initialised initialised initialised + EVP_DigestUpdate updated updated + EVP_DigestFinal finaled + EVP_DigestFinalXOF finaled ++ EVP_DigestSqueeze squeezed squeezed + EVP_MD_CTX_free freed freed freed freed freed + EVP_MD_CTX_reset newed newed newed newed + EVP_MD_CTX_get_params newed initialised updated + EVP_MD_CTX_set_params newed initialised updated + EVP_MD_CTX_gettable_params newed initialised updated + EVP_MD_CTX_settable_params newed initialised updated ++ EVP_MD_CTX_copy_ex newed initialised updated squeezed + + =end man + +@@ -118,6 +146,7 @@ This is the canonical list. + initialised + updated + finaled ++ squeezed + freed + EVP_MD_CTX_new + newed +@@ -125,6 +154,7 @@ This is the canonical list. + + + ++ + + EVP_DigestInit + +@@ -132,6 +162,7 @@ This is the canonical list. + initialised + initialised + initialised ++ initialised + + EVP_DigestUpdate + +@@ -139,6 +170,7 @@ This is the canonical list. + updated + updated + ++ + + EVP_DigestFinal + +@@ -146,6 +178,15 @@ This is the canonical list. + + finaled + ++ ++ ++EVP_DigestSqueeze ++ ++ ++ ++ squeezed ++ ++ squeezed + + EVP_DigestFinalXOF + +@@ -153,6 +194,7 @@ This is the canonical list. + + finaled + ++ + + EVP_MD_CTX_free + freed +@@ -160,6 +202,7 @@ This is the canonical list. + freed + freed + freed ++ + + EVP_MD_CTX_reset + +@@ -167,6 +210,7 @@ This is the canonical list. + newed + newed + newed ++ + + EVP_MD_CTX_get_params + +@@ -174,6 +218,7 @@ This is the canonical list. + initialised + updated + ++ + + EVP_MD_CTX_set_params + +@@ -181,6 +226,7 @@ This is the canonical list. + initialised + updated + ++ + + EVP_MD_CTX_gettable_params + +@@ -188,6 +234,7 @@ This is the canonical list. + initialised + updated + ++ + + EVP_MD_CTX_settable_params + +@@ -195,6 +242,15 @@ This is the canonical list. + initialised + updated + ++ ++ ++EVP_MD_CTX_copy_ex ++ ++ newed ++ initialised ++ updated ++ ++ squeezed + + + +@@ -211,7 +267,7 @@ L, L + +-This digest method is an extensible-output function (XOF) and supports +-setting the B parameter. ++This digest method is an extensible-output function (XOF). + + =item B + +Index: openssl-3.2.3/include/crypto/evp.h +=================================================================== +--- openssl-3.2.3.orig/include/crypto/evp.h ++++ openssl-3.2.3/include/crypto/evp.h +@@ -296,6 +296,7 @@ struct evp_md_st { + OSSL_FUNC_digest_init_fn *dinit; + OSSL_FUNC_digest_update_fn *dupdate; + OSSL_FUNC_digest_final_fn *dfinal; ++ OSSL_FUNC_digest_squeeze_fn *dsqueeze; + OSSL_FUNC_digest_digest_fn *digest; + OSSL_FUNC_digest_freectx_fn *freectx; + OSSL_FUNC_digest_dupctx_fn *dupctx; +Index: openssl-3.2.3/include/internal/sha3.h +=================================================================== +--- openssl-3.2.3.orig/include/internal/sha3.h ++++ openssl-3.2.3/include/internal/sha3.h +@@ -22,23 +22,31 @@ + + typedef struct keccak_st KECCAK1600_CTX; + +-typedef size_t (sha3_absorb_fn)(void *vctx, const void *inp, size_t len); +-typedef int (sha3_final_fn)(unsigned char *md, void *vctx); ++typedef size_t (sha3_absorb_fn)(void *vctx, const void *in, size_t inlen); ++typedef int (sha3_final_fn)(void *vctx, unsigned char *out, size_t outlen); ++typedef int (sha3_squeeze_fn)(void *vctx, unsigned char *out, size_t outlen); + + typedef struct prov_sha3_meth_st + { + sha3_absorb_fn *absorb; + sha3_final_fn *final; ++ sha3_squeeze_fn *squeeze; + } PROV_SHA3_METHOD; + ++#define XOF_STATE_INIT 0 ++#define XOF_STATE_ABSORB 1 ++#define XOF_STATE_FINAL 2 ++#define XOF_STATE_SQUEEZE 3 ++ + struct keccak_st { + uint64_t A[5][5]; ++ unsigned char buf[KECCAK1600_WIDTH / 8 - 32]; + size_t block_size; /* cached ctx->digest->block_size */ + size_t md_size; /* output length, variable in XOF */ + size_t bufsz; /* used bytes in below buffer */ +- unsigned char buf[KECCAK1600_WIDTH / 8 - 32]; + unsigned char pad; + PROV_SHA3_METHOD meth; ++ int xof_state; + }; + + void ossl_sha3_reset(KECCAK1600_CTX *ctx); +@@ -46,7 +54,8 @@ int ossl_sha3_init(KECCAK1600_CTX *ctx, + int ossl_keccak_kmac_init(KECCAK1600_CTX *ctx, unsigned char pad, + size_t bitlen); + int ossl_sha3_update(KECCAK1600_CTX *ctx, const void *_inp, size_t len); +-int ossl_sha3_final(unsigned char *md, KECCAK1600_CTX *ctx); ++int ossl_sha3_final(KECCAK1600_CTX *ctx, unsigned char *out, size_t outlen); ++int ossl_sha3_squeeze(KECCAK1600_CTX *ctx, unsigned char *out, size_t outlen); + + size_t SHA3_absorb(uint64_t A[5][5], const unsigned char *inp, size_t len, + size_t r); +Index: openssl-3.2.3/include/openssl/core_dispatch.h +=================================================================== +--- openssl-3.2.3.orig/include/openssl/core_dispatch.h ++++ openssl-3.2.3/include/openssl/core_dispatch.h +@@ -300,6 +300,7 @@ OSSL_CORE_MAKE_FUNC(int, provider_self_t + # define OSSL_FUNC_DIGEST_GETTABLE_PARAMS 11 + # define OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS 12 + # define OSSL_FUNC_DIGEST_GETTABLE_CTX_PARAMS 13 ++# define OSSL_FUNC_DIGEST_SQUEEZE 14 + + OSSL_CORE_MAKE_FUNC(void *, digest_newctx, (void *provctx)) + OSSL_CORE_MAKE_FUNC(int, digest_init, (void *dctx, const OSSL_PARAM params[])) +@@ -308,6 +309,9 @@ OSSL_CORE_MAKE_FUNC(int, digest_update, + OSSL_CORE_MAKE_FUNC(int, digest_final, + (void *dctx, + unsigned char *out, size_t *outl, size_t outsz)) ++OSSL_CORE_MAKE_FUNC(int, digest_squeeze, ++ (void *dctx, ++ unsigned char *out, size_t *outl, size_t outsz)) + OSSL_CORE_MAKE_FUNC(int, digest_digest, + (void *provctx, const unsigned char *in, size_t inl, + unsigned char *out, size_t *outl, size_t outsz)) +Index: openssl-3.2.3/include/openssl/evp.h +=================================================================== +--- openssl-3.2.3.orig/include/openssl/evp.h ++++ openssl-3.2.3/include/openssl/evp.h +@@ -729,8 +729,10 @@ __owur int EVP_MD_CTX_copy(EVP_MD_CTX *o + __owur int EVP_DigestInit(EVP_MD_CTX *ctx, const EVP_MD *type); + __owur int EVP_DigestFinal(EVP_MD_CTX *ctx, unsigned char *md, + unsigned int *s); +-__owur int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *md, +- size_t len); ++__owur int EVP_DigestFinalXOF(EVP_MD_CTX *ctx, unsigned char *out, ++ size_t outlen); ++__owur int EVP_DigestSqueeze(EVP_MD_CTX *ctx, unsigned char *out, ++ size_t outlen); + + __owur EVP_MD *EVP_MD_fetch(OSSL_LIB_CTX *ctx, const char *algorithm, + const char *properties); +Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c ++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c +@@ -33,10 +33,12 @@ static OSSL_FUNC_digest_update_fn keccak + static OSSL_FUNC_digest_final_fn keccak_final; + static OSSL_FUNC_digest_freectx_fn keccak_freectx; + static OSSL_FUNC_digest_dupctx_fn keccak_dupctx; ++static OSSL_FUNC_digest_squeeze_fn shake_squeeze; + static OSSL_FUNC_digest_set_ctx_params_fn shake_set_ctx_params; + static OSSL_FUNC_digest_settable_ctx_params_fn shake_settable_ctx_params; + static sha3_absorb_fn generic_sha3_absorb; + static sha3_final_fn generic_sha3_final; ++static sha3_squeeze_fn generic_sha3_squeeze; + + #if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) && defined(KECCAK1600_ASM) + /* +@@ -103,20 +105,37 @@ static int keccak_update(void *vctx, con + } + + static int keccak_final(void *vctx, unsigned char *out, size_t *outl, +- size_t outsz) ++ size_t outlen) + { + int ret = 1; + KECCAK1600_CTX *ctx = vctx; + + if (!ossl_prov_is_running()) + return 0; +- if (outsz > 0) +- ret = ctx->meth.final(out, ctx); ++ if (outlen > 0) ++ ret = ctx->meth.final(ctx, out, ctx->md_size); + + *outl = ctx->md_size; + return ret; + } + ++static int shake_squeeze(void *vctx, unsigned char *out, size_t *outl, ++ size_t outlen) ++{ ++ int ret = 1; ++ KECCAK1600_CTX *ctx = vctx; ++ ++ if (!ossl_prov_is_running()) ++ return 0; ++ if (ctx->meth.squeeze == NULL) ++ return 0; ++ if (outlen > 0) ++ ret = ctx->meth.squeeze(ctx, out, outlen); ++ ++ *outl = outlen; ++ return ret; ++} ++ + /*- + * Generic software version of the absorb() and final(). + */ +@@ -127,15 +146,28 @@ static size_t generic_sha3_absorb(void * + return SHA3_absorb(ctx->A, inp, len, ctx->block_size); + } + +-static int generic_sha3_final(unsigned char *md, void *vctx) ++static int generic_sha3_final(void *vctx, unsigned char *out, size_t outlen) + { +- return ossl_sha3_final(md, (KECCAK1600_CTX *)vctx); ++ return ossl_sha3_final((KECCAK1600_CTX *)vctx, out, outlen); ++} ++ ++static int generic_sha3_squeeze(void *vctx, unsigned char *out, size_t outlen) ++{ ++ return ossl_sha3_squeeze((KECCAK1600_CTX *)vctx, out, outlen); + } + + static PROV_SHA3_METHOD sha3_generic_md = + { + generic_sha3_absorb, +- generic_sha3_final ++ generic_sha3_final, ++ NULL ++}; ++ ++static PROV_SHA3_METHOD shake_generic_md = ++{ ++ generic_sha3_absorb, ++ generic_sha3_final, ++ generic_sha3_squeeze + }; + + #if defined(S390_SHA3) +@@ -156,59 +188,60 @@ static size_t s390x_sha3_absorb(void *vc + return rem; + } + +-static int s390x_sha3_final(unsigned char *md, void *vctx) ++static int s390x_sha3_final(void *vctx, unsigned char *out, size_t outlen) + { + KECCAK1600_CTX *ctx = vctx; + + if (!ossl_prov_is_running()) + return 0; + s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A); +- memcpy(md, ctx->A, ctx->md_size); ++ memcpy(out, ctx->A, outlen); + return 1; + } + +-static int s390x_shake_final(unsigned char *md, void *vctx) ++static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen) + { + KECCAK1600_CTX *ctx = vctx; + + if (!ossl_prov_is_running()) + return 0; +- s390x_klmd(ctx->buf, ctx->bufsz, md, ctx->md_size, ctx->pad, ctx->A); ++ s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A); + return 1; + } + +-static int s390x_keccakc_final(unsigned char *md, void *vctx, int padding) ++static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen, ++ int padding) + { + KECCAK1600_CTX *ctx = vctx; + size_t bsz = ctx->block_size; + size_t num = ctx->bufsz; +- size_t needed = ctx->md_size; ++ size_t needed = outlen; + + if (!ossl_prov_is_running()) + return 0; +- if (ctx->md_size == 0) ++ if (outlen == 0) + return 1; + memset(ctx->buf + num, 0, bsz - num); + ctx->buf[num] = padding; + ctx->buf[bsz - 1] |= 0x80; + s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A); + num = needed > bsz ? bsz : needed; +- memcpy(md, ctx->A, num); ++ memcpy(out, ctx->A, num); + needed -= num; + if (needed > 0) +- s390x_klmd(NULL, 0, md + bsz, needed, ctx->pad | S390X_KLMD_PS, ctx->A); ++ s390x_klmd(NULL, 0, out + bsz, needed, ctx->pad | S390X_KLMD_PS, ctx->A); + + return 1; + } + +-static int s390x_keccak_final(unsigned char *md, void *vctx) ++static int s390x_keccak_final(void *vctx, unsigned char *out, size_t outlen) + { +- return s390x_keccakc_final(md, vctx, 0x01); ++ return s390x_keccakc_final(vctx, out, outlen, 0x01); + } + +-static int s390x_kmac_final(unsigned char *md, void *vctx) ++static int s390x_kmac_final(void *vctx, unsigned char *out, size_t outlen) + { +- return s390x_keccakc_final(md, vctx, 0x04); ++ return s390x_keccakc_final(vctx, out, outlen, 0x04); + } + + static PROV_SHA3_METHOD sha3_s390x_md = +@@ -220,7 +253,7 @@ static PROV_SHA3_METHOD sha3_s390x_md = + static PROV_SHA3_METHOD keccak_s390x_md = + { + s390x_sha3_absorb, +- s390x_keccak_final ++ s390x_keccak_final, + }; + + static PROV_SHA3_METHOD shake_s390x_md = +@@ -235,6 +268,14 @@ static PROV_SHA3_METHOD kmac_s390x_md = + s390x_kmac_final + }; + ++# define SHAKE_SET_MD(uname, typ) \ ++ if (S390_SHA3_CAPABLE(uname)) { \ ++ ctx->pad = S390X_##uname; \ ++ ctx->meth = typ##_s390x_md; \ ++ } else { \ ++ ctx->meth = shake_generic_md; \ ++ } ++ + # define SHA3_SET_MD(uname, typ) \ + if (S390_SHA3_CAPABLE(uname)) { \ + ctx->pad = S390X_##uname; \ +@@ -255,7 +296,7 @@ static PROV_SHA3_METHOD kmac_s390x_md = + static sha3_absorb_fn armsha3_sha3_absorb; + + size_t SHA3_absorb_cext(uint64_t A[5][5], const unsigned char *inp, size_t len, +- size_t r); ++ size_t r); + /*- + * Hardware-assisted ARMv8.2 SHA3 extension version of the absorb() + */ +@@ -271,6 +312,19 @@ static PROV_SHA3_METHOD sha3_ARMSHA3_md + armsha3_sha3_absorb, + generic_sha3_final + }; ++static PROV_SHA3_METHOD shake_ARMSHA3_md = ++{ ++ armsha3_sha3_absorb, ++ generic_sha3_final, ++ generic_sha3_squeeze ++}; ++# define SHAKE_SET_MD(uname, typ) \ ++ if (OPENSSL_armcap_P & ARMV8_HAVE_SHA3_AND_WORTH_USING) { \ ++ ctx->meth = shake_ARMSHA3_md; \ ++ } else { \ ++ ctx->meth = shake_generic_md; \ ++ } ++ + # define SHA3_SET_MD(uname, typ) \ + if (OPENSSL_armcap_P & ARMV8_HAVE_SHA3_AND_WORTH_USING) { \ + ctx->meth = sha3_ARMSHA3_md; \ +@@ -286,6 +340,7 @@ static PROV_SHA3_METHOD sha3_ARMSHA3_md + #else + # define SHA3_SET_MD(uname, typ) ctx->meth = sha3_generic_md; + # define KMAC_SET_MD(bitlen) ctx->meth = sha3_generic_md; ++# define SHAKE_SET_MD(uname, typ) ctx->meth = shake_generic_md; + #endif /* S390_SHA3 */ + + #define SHA3_newctx(typ, uname, name, bitlen, pad) \ +@@ -302,6 +357,20 @@ static void *name##_newctx(void *provctx + return ctx; \ + } + ++#define SHAKE_newctx(typ, uname, name, bitlen, pad) \ ++static OSSL_FUNC_digest_newctx_fn name##_newctx; \ ++static void *name##_newctx(void *provctx) \ ++{ \ ++ KECCAK1600_CTX *ctx = ossl_prov_is_running() ? OPENSSL_zalloc(sizeof(*ctx))\ ++ : NULL; \ ++ \ ++ if (ctx == NULL) \ ++ return NULL; \ ++ ossl_sha3_init(ctx, pad, bitlen); \ ++ SHAKE_SET_MD(uname, typ) \ ++ return ctx; \ ++} ++ + #define KMAC_newctx(uname, bitlen, pad) \ + static OSSL_FUNC_digest_newctx_fn uname##_newctx; \ + static void *uname##_newctx(void *provctx) \ +@@ -333,6 +402,7 @@ const OSSL_DISPATCH ossl_##name##_functi + + #define PROV_FUNC_SHAKE_DIGEST(name, bitlen, blksize, dgstsize, flags) \ + PROV_FUNC_SHA3_DIGEST_COMMON(name, bitlen, blksize, dgstsize, flags), \ ++ { OSSL_FUNC_DIGEST_SQUEEZE, (void (*)(void))shake_squeeze }, \ + { OSSL_FUNC_DIGEST_INIT, (void (*)(void))keccak_init_params }, \ + { OSSL_FUNC_DIGEST_SET_CTX_PARAMS, (void (*)(void))shake_set_ctx_params }, \ + { OSSL_FUNC_DIGEST_SETTABLE_CTX_PARAMS, \ +@@ -398,7 +468,7 @@ static int shake_set_ctx_params(void *vc + SHA3_FLAGS) + + #define IMPLEMENT_SHAKE_functions(bitlen) \ +- SHA3_newctx(shake, SHAKE_##bitlen, shake_##bitlen, bitlen, '\x1f') \ ++ SHAKE_newctx(shake, SHAKE_##bitlen, shake_##bitlen, bitlen, '\x1f') \ + PROV_FUNC_SHAKE_DIGEST(shake_##bitlen, bitlen, \ + SHA3_BLOCKSIZE(bitlen), SHA3_MDSIZE(bitlen), \ + SHAKE_FLAGS) +Index: openssl-3.2.3/test/build.info +=================================================================== +--- openssl-3.2.3.orig/test/build.info ++++ openssl-3.2.3/test/build.info +@@ -63,7 +63,7 @@ IF[{- !$disabled{tests} -}] + provfetchtest prov_config_test rand_test ca_internals_test \ + bio_tfo_test membio_test bio_dgram_test list_test fips_version_test \ + x509_test hpke_test pairwise_fail_test nodefltctxtest \ +- x509_load_cert_file_test ++ evp_xof_test x509_load_cert_file_test + + IF[{- !$disabled{'rpk'} -}] + PROGRAMS{noinst}=rpktest +@@ -571,6 +571,10 @@ IF[{- !$disabled{tests} -}] + INCLUDE[evp_kdf_test]=../include ../apps/include + DEPEND[evp_kdf_test]=../libcrypto libtestutil.a + ++ SOURCE[evp_xof_test]=evp_xof_test.c ++ INCLUDE[evp_xof_test]=../include ../apps/include ++ DEPEND[evp_xof_test]=../libcrypto libtestutil.a ++ + SOURCE[evp_pkey_dparams_test]=evp_pkey_dparams_test.c + INCLUDE[evp_pkey_dparams_test]=../include ../apps/include + DEPEND[evp_pkey_dparams_test]=../libcrypto libtestutil.a +Index: openssl-3.2.3/test/evp_xof_test.c +=================================================================== +--- /dev/null ++++ openssl-3.2.3/test/evp_xof_test.c +@@ -0,0 +1,492 @@ ++/* ++ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include ++#include ++#include ++#include "testutil.h" ++#include "internal/nelem.h" ++ ++static const unsigned char shake256_input[] = { ++ 0x8d, 0x80, 0x01, 0xe2, 0xc0, 0x96, 0xf1, 0xb8, ++ 0x8e, 0x7c, 0x92, 0x24, 0xa0, 0x86, 0xef, 0xd4, ++ 0x79, 0x7f, 0xbf, 0x74, 0xa8, 0x03, 0x3a, 0x2d, ++ 0x42, 0x2a, 0x2b, 0x6b, 0x8f, 0x67, 0x47, 0xe4 ++}; ++ ++/* ++ * This KAT output is 250 bytes, which is more than ++ * the SHAKE256 block size (136 bytes). ++ */ ++static const unsigned char shake256_output[] = { ++ 0x2e, 0x97, 0x5f, 0x6a, 0x8a, 0x14, 0xf0, 0x70, ++ 0x4d, 0x51, 0xb1, 0x36, 0x67, 0xd8, 0x19, 0x5c, ++ 0x21, 0x9f, 0x71, 0xe6, 0x34, 0x56, 0x96, 0xc4, ++ 0x9f, 0xa4, 0xb9, 0xd0, 0x8e, 0x92, 0x25, 0xd3, ++ 0xd3, 0x93, 0x93, 0x42, 0x51, 0x52, 0xc9, 0x7e, ++ 0x71, 0xdd, 0x24, 0x60, 0x1c, 0x11, 0xab, 0xcf, ++ 0xa0, 0xf1, 0x2f, 0x53, 0xc6, 0x80, 0xbd, 0x3a, ++ 0xe7, 0x57, 0xb8, 0x13, 0x4a, 0x9c, 0x10, 0xd4, ++ 0x29, 0x61, 0x58, 0x69, 0x21, 0x7f, 0xdd, 0x58, ++ 0x85, 0xc4, 0xdb, 0x17, 0x49, 0x85, 0x70, 0x3a, ++ 0x6d, 0x6d, 0xe9, 0x4a, 0x66, 0x7e, 0xac, 0x30, ++ 0x23, 0x44, 0x3a, 0x83, 0x37, 0xae, 0x1b, 0xc6, ++ 0x01, 0xb7, 0x6d, 0x7d, 0x38, 0xec, 0x3c, 0x34, ++ 0x46, 0x31, 0x05, 0xf0, 0xd3, 0x94, 0x9d, 0x78, ++ 0xe5, 0x62, 0xa0, 0x39, 0xe4, 0x46, 0x95, 0x48, ++ 0xb6, 0x09, 0x39, 0x5d, 0xe5, 0xa4, 0xfd, 0x43, ++ 0xc4, 0x6c, 0xa9, 0xfd, 0x6e, 0xe2, 0x9a, 0xda, ++ 0x5e, 0xfc, 0x07, 0xd8, 0x4d, 0x55, 0x32, 0x49, ++ 0x45, 0x0d, 0xab, 0x4a, 0x49, 0xc4, 0x83, 0xde, ++ 0xd2, 0x50, 0xc9, 0x33, 0x8f, 0x85, 0xcd, 0x93, ++ 0x7a, 0xe6, 0x6b, 0xb4, 0x36, 0xf3, 0xb4, 0x02, ++ 0x6e, 0x85, 0x9f, 0xda, 0x1c, 0xa5, 0x71, 0x43, ++ 0x2f, 0x3b, 0xfc, 0x09, 0xe7, 0xc0, 0x3c, 0xa4, ++ 0xd1, 0x83, 0xb7, 0x41, 0x11, 0x1c, 0xa0, 0x48, ++ 0x3d, 0x0e, 0xda, 0xbc, 0x03, 0xfe, 0xb2, 0x3b, ++ 0x17, 0xee, 0x48, 0xe8, 0x44, 0xba, 0x24, 0x08, ++ 0xd9, 0xdc, 0xfd, 0x01, 0x39, 0xd2, 0xe8, 0xc7, ++ 0x31, 0x01, 0x25, 0xae, 0xe8, 0x01, 0xc6, 0x1a, ++ 0xb7, 0x90, 0x0d, 0x1e, 0xfc, 0x47, 0xc0, 0x78, ++ 0x28, 0x17, 0x66, 0xf3, 0x61, 0xc5, 0xe6, 0x11, ++ 0x13, 0x46, 0x23, 0x5e, 0x1d, 0xc3, 0x83, 0x25, ++ 0x66, 0x6c ++}; ++ ++static const unsigned char shake256_largemsg_input[] = { ++ 0xb2, 0xd2, 0x38, 0x65, 0xaf, 0x8f, 0x25, 0x6e, ++ 0x64, 0x40, 0xe2, 0x0d, 0x49, 0x8e, 0x3e, 0x64, ++ 0x46, 0xd2, 0x03, 0xa4, 0x19, 0xe3, 0x7b, 0x80, ++ 0xf7, 0x2b, 0x32, 0xe2, 0x76, 0x01, 0xfe, 0xdd, ++ 0xaa, 0x33, 0x3d, 0xe4, 0x8e, 0xe1, 0x5e, 0x39, ++ 0xa6, 0x92, 0xa3, 0xa7, 0xe3, 0x81, 0x24, 0x74, ++ 0xc7, 0x38, 0x18, 0x92, 0xc9, 0x60, 0x50, 0x15, ++ 0xfb, 0xd8, 0x04, 0xea, 0xea, 0x04, 0xd2, 0xc5, ++ 0xc6, 0x68, 0x04, 0x5b, 0xc3, 0x75, 0x12, 0xd2, ++ 0xbe, 0xa2, 0x67, 0x75, 0x24, 0xbf, 0x68, 0xad, ++ 0x10, 0x86, 0xb3, 0x2c, 0xb3, 0x74, 0xa4, 0x6c, ++ 0xf9, 0xd7, 0x1e, 0x58, 0x69, 0x27, 0x88, 0x49, ++ 0x4e, 0x99, 0x15, 0x33, 0x14, 0xf2, 0x49, 0x21, ++ 0xf4, 0x99, 0xb9, 0xde, 0xd4, 0xf1, 0x12, 0xf5, ++ 0x68, 0xe5, 0x5c, 0xdc, 0x9e, 0xc5, 0x80, 0x6d, ++ 0x39, 0x50, 0x08, 0x95, 0xbb, 0x12, 0x27, 0x50, ++ 0x89, 0xf0, 0xf9, 0xd5, 0x4a, 0x01, 0x0b, 0x0d, ++ 0x90, 0x9f, 0x1e, 0x4a, 0xba, 0xbe, 0x28, 0x36, ++ 0x19, 0x7d, 0x9c, 0x0a, 0x51, 0xfb, 0xeb, 0x00, ++ 0x02, 0x6c, 0x4b, 0x0a, 0xa8, 0x6c, 0xb7, 0xc4, ++ 0xc0, 0x92, 0x37, 0xa7, 0x2d, 0x49, 0x61, 0x80, ++ 0xd9, 0xdb, 0x20, 0x21, 0x9f, 0xcf, 0xb4, 0x57, ++ 0x69, 0x75, 0xfa, 0x1c, 0x95, 0xbf, 0xee, 0x0d, ++ 0x9e, 0x52, 0x6e, 0x1e, 0xf8, 0xdd, 0x41, 0x8c, ++ 0x3b, 0xaa, 0x57, 0x13, 0x84, 0x73, 0x52, 0x62, ++ 0x18, 0x76, 0x46, 0xcc, 0x4b, 0xcb, 0xbd, 0x40, ++ 0xa1, 0xf6, 0xff, 0x7b, 0x32, 0xb9, 0x90, 0x7c, ++ 0x53, 0x2c, 0xf9, 0x38, 0x72, 0x0f, 0xcb, 0x90, ++ 0x42, 0x5e, 0xe2, 0x80, 0x19, 0x26, 0xe7, 0x99, ++ 0x96, 0x98, 0x18, 0xb1, 0x86, 0x5b, 0x4c, 0xd9, ++ 0x08, 0x27, 0x31, 0x8f, 0xf0, 0x90, 0xd9, 0x35, ++ 0x6a, 0x1f, 0x75, 0xc2, 0xe0, 0xa7, 0x60, 0xb8, ++ 0x1d, 0xd6, 0x5f, 0x56, 0xb2, 0x0b, 0x27, 0x0e, ++ 0x98, 0x67, 0x1f, 0x39, 0x18, 0x27, 0x68, 0x0a, ++ 0xe8, 0x31, 0x1b, 0xc0, 0x97, 0xec, 0xd1, 0x20, ++ 0x2a, 0x55, 0x69, 0x23, 0x08, 0x50, 0x05, 0xec, ++ 0x13, 0x3b, 0x56, 0xfc, 0x18, 0xc9, 0x1a, 0xa9, ++ 0x69, 0x0e, 0xe2, 0xcc, 0xc8, 0xd6, 0x19, 0xbb, ++ 0x87, 0x3b, 0x42, 0x77, 0xee, 0x77, 0x81, 0x26, ++ 0xdd, 0xf6, 0x5d, 0xc3, 0xb2, 0xb0, 0xc4, 0x14, ++ 0x6d, 0xb5, 0x4f, 0xdc, 0x13, 0x09, 0xc8, 0x53, ++ 0x50, 0xb3, 0xea, 0xd3, 0x5f, 0x11, 0x67, 0xd4, ++ 0x2f, 0x6e, 0x30, 0x1a, 0xbe, 0xd6, 0xf0, 0x2d, ++ 0xc9, 0x29, 0xd9, 0x0a, 0xa8, 0x6f, 0xa4, 0x18, ++ 0x74, 0x6b, 0xd3, 0x5d, 0x6a, 0x73, 0x3a, 0xf2, ++ 0x94, 0x7f, 0xbd, 0xb4, 0xa6, 0x7f, 0x5b, 0x3d, ++ 0x26, 0xf2, 0x6c, 0x13, 0xcf, 0xb4, 0x26, 0x1e, ++ 0x38, 0x17, 0x66, 0x60, 0xb1, 0x36, 0xae, 0xe0, ++ 0x6d, 0x86, 0x69, 0xe7, 0xe7, 0xae, 0x77, 0x6f, ++ 0x7e, 0x99, 0xe5, 0xd9, 0x62, 0xc9, 0xfc, 0xde, ++ 0xb4, 0xee, 0x7e, 0xc8, 0xe9, 0xb7, 0x2c, 0xe2, ++ 0x70, 0xe8, 0x8b, 0x2d, 0x94, 0xad, 0xe8, 0x54, ++ 0xa3, 0x2d, 0x9a, 0xe2, 0x50, 0x63, 0x87, 0xb3, ++ 0x56, 0x29, 0xea, 0xa8, 0x5e, 0x96, 0x53, 0x9f, ++ 0x23, 0x8a, 0xef, 0xa3, 0xd4, 0x87, 0x09, 0x5f, ++ 0xba, 0xc3, 0xd1, 0xd9, 0x1a, 0x7b, 0x5c, 0x5d, ++ 0x5d, 0x89, 0xed, 0xb6, 0x6e, 0x39, 0x73, 0xa5, ++ 0x64, 0x59, 0x52, 0x8b, 0x61, 0x8f, 0x66, 0x69, ++ 0xb9, 0xf0, 0x45, 0x0a, 0x57, 0xcd, 0xc5, 0x7f, ++ 0x5d, 0xd0, 0xbf, 0xcc, 0x0b, 0x48, 0x12, 0xe1, ++ 0xe2, 0xc2, 0xea, 0xcc, 0x09, 0xd9, 0x42, 0x2c, ++ 0xef, 0x4f, 0xa7, 0xe9, 0x32, 0x5c, 0x3f, 0x22, ++ 0xc0, 0x45, 0x0b, 0x67, 0x3c, 0x31, 0x69, 0x29, ++ 0xa3, 0x39, 0xdd, 0x6e, 0x2f, 0xbe, 0x10, 0xc9, ++ 0x7b, 0xff, 0x19, 0x8a, 0xe9, 0xea, 0xfc, 0x32, ++ 0x41, 0x33, 0x70, 0x2a, 0x9a, 0xa4, 0xe6, 0xb4, ++ 0x7e, 0xb4, 0xc6, 0x21, 0x49, 0x5a, 0xfc, 0x45, ++ 0xd2, 0x23, 0xb3, 0x28, 0x4d, 0x83, 0x60, 0xfe, ++ 0x70, 0x68, 0x03, 0x59, 0xd5, 0x15, 0xaa, 0x9e, ++ 0xa0, 0x2e, 0x36, 0xb5, 0x61, 0x0f, 0x61, 0x05, ++ 0x3c, 0x62, 0x00, 0xa0, 0x47, 0xf1, 0x86, 0xba, ++ 0x33, 0xb8, 0xca, 0x60, 0x2f, 0x3f, 0x0a, 0x67, ++ 0x09, 0x27, 0x2f, 0xa2, 0x96, 0x02, 0x52, 0x58, ++ 0x55, 0x68, 0x80, 0xf4, 0x4f, 0x47, 0xba, 0xff, ++ 0x41, 0x7a, 0x40, 0x4c, 0xfd, 0x9d, 0x10, 0x72, ++ 0x0e, 0x20, 0xa9, 0x7f, 0x9b, 0x9b, 0x14, 0xeb, ++ 0x8e, 0x61, 0x25, 0xcb, 0xf4, 0x58, 0xff, 0x47, ++ 0xa7, 0x08, 0xd6, 0x4e, 0x2b, 0xf1, 0xf9, 0x89, ++ 0xd7, 0x22, 0x0f, 0x8d, 0x35, 0x07, 0xa0, 0x54, ++ 0xab, 0x83, 0xd8, 0xee, 0x5a, 0x3e, 0x88, 0x74, ++ 0x46, 0x41, 0x6e, 0x3e, 0xb7, 0xc0, 0xb6, 0x55, ++ 0xe0, 0x36, 0xc0, 0x2b, 0xbf, 0xb8, 0x24, 0x8a, ++ 0x44, 0x82, 0xf4, 0xcb, 0xb5, 0xd7, 0x41, 0x48, ++ 0x51, 0x08, 0xe0, 0x14, 0x34, 0xd2, 0x6d, 0xe9, ++ 0x7a, 0xec, 0x91, 0x61, 0xa7, 0xe1, 0x81, 0x69, ++ 0x47, 0x1c, 0xc7, 0xf3 ++}; ++ ++static const unsigned char shake256_largemsg_output[] = { ++ 0x64, 0xea, 0x24, 0x6a, 0xab, 0x80, 0x37, 0x9e, ++ 0x08, 0xe2, 0x19, 0x9e, 0x09, 0x69, 0xe2, 0xee, ++ 0x1a, 0x5d, 0xd1, 0x68, 0x68, 0xec, 0x8d, 0x42, ++ 0xd0, 0xf8, 0xb8, 0x44, 0x74, 0x54, 0x87, 0x3e, ++}; ++ ++static EVP_MD_CTX *shake_setup(const char *name) ++{ ++ EVP_MD_CTX *ctx = NULL; ++ EVP_MD *md = NULL; ++ ++ if (!TEST_ptr(md = EVP_MD_fetch(NULL, name, NULL))) ++ return NULL; ++ ++ if (!TEST_ptr(ctx = EVP_MD_CTX_new())) ++ goto err; ++ if (!TEST_true(EVP_DigestInit_ex2(ctx, md, NULL))) ++ goto err; ++ EVP_MD_free(md); ++ return ctx; ++err: ++ EVP_MD_free(md); ++ EVP_MD_CTX_free(ctx); ++ return NULL; ++} ++ ++static int shake_kat_test(void) ++{ ++ int ret = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char out[sizeof(shake256_output)]; ++ ++ if (!TEST_ptr(ctx = shake_setup("SHAKE256"))) ++ return 0; ++ if (!TEST_true(EVP_DigestUpdate(ctx, shake256_input, ++ sizeof(shake256_input))) ++ || !TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out))) ++ || !TEST_mem_eq(out, sizeof(out), ++ shake256_output,sizeof(shake256_output)) ++ /* Test that a second call to EVP_DigestFinalXOF fails */ ++ || !TEST_false(EVP_DigestFinalXOF(ctx, out, sizeof(out))) ++ /* Test that a call to EVP_DigestSqueeze fails */ ++ || !TEST_false(EVP_DigestSqueeze(ctx, out, sizeof(out)))) ++ goto err; ++ ret = 1; ++err: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++static int shake_kat_digestfinal_test(void) ++{ ++ int ret = 0; ++ unsigned int digest_length = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char out[sizeof(shake256_output)]; ++ ++ if (!TEST_ptr(ctx = shake_setup("SHAKE256"))) ++ return 0; ++ if (!TEST_true(EVP_DigestUpdate(ctx, shake256_input, ++ sizeof(shake256_input))) ++ || !TEST_true(EVP_DigestFinal(ctx, out, &digest_length)) ++ || !TEST_uint_eq(digest_length, 32) ++ || !TEST_mem_eq(out, digest_length, ++ shake256_output, digest_length) ++ || !TEST_false(EVP_DigestFinalXOF(ctx, out, sizeof(out)))) ++ goto err; ++ ret = 1; ++err: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++/* ++ * Test that EVP_DigestFinal() returns the output length ++ * set by the OSSL_DIGEST_PARAM_XOFLEN param. ++ */ ++static int shake_kat_digestfinal_xoflen_test(void) ++{ ++ int ret = 0; ++ unsigned int digest_length = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char out[sizeof(shake256_output)]; ++ OSSL_PARAM params[2]; ++ size_t sz = 12; ++ ++ if (!TEST_ptr(ctx = shake_setup("SHAKE256"))) ++ return 0; ++ ++ memset(out, 0, sizeof(out)); ++ params[0] = OSSL_PARAM_construct_size_t(OSSL_DIGEST_PARAM_XOFLEN, &sz); ++ params[1] = OSSL_PARAM_construct_end(); ++ ++ if (!TEST_int_eq(EVP_MD_CTX_set_params(ctx, params), 1) ++ || !TEST_true(EVP_DigestUpdate(ctx, shake256_input, ++ sizeof(shake256_input))) ++ || !TEST_true(EVP_DigestFinal(ctx, out, &digest_length)) ++ || !TEST_uint_eq(digest_length, (unsigned int)sz) ++ || !TEST_mem_eq(out, digest_length, ++ shake256_output, digest_length) ++ || !TEST_uchar_eq(out[digest_length], 0)) ++ goto err; ++ ret = 1; ++err: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++/* ++ * Test that multiple absorb calls gives the expected result. ++ * This is a nested test that uses multiple strides for the input. ++ */ ++static int shake_absorb_test(void) ++{ ++ int ret = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char out[sizeof(shake256_largemsg_output)]; ++ size_t total = sizeof(shake256_largemsg_input); ++ size_t i, stride, sz; ++ ++ if (!TEST_ptr(ctx = shake_setup("SHAKE256"))) ++ return 0; ++ ++ for (stride = 1; stride < total; ++stride) { ++ sz = 0; ++ for (i = 0; i < total; i += sz) { ++ sz += stride; ++ if ((i + sz) > total) ++ sz = total - i; ++ if (!TEST_true(EVP_DigestUpdate(ctx, shake256_largemsg_input + i, ++ sz))) ++ goto err; ++ } ++ if (!TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out))) ++ || !TEST_mem_eq(out, sizeof(out), ++ shake256_largemsg_output, ++ sizeof(shake256_largemsg_output))) ++ goto err; ++ if (!TEST_true(EVP_DigestInit_ex2(ctx, NULL, NULL))) ++ goto err; ++ } ++ ret = 1; ++err: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++/* ++ * Table containing the size of the output to squeeze for the ++ * initially call, followed by a size for each subsequent call. ++ */ ++static const struct { ++ size_t startsz, incsz; ++} stride_tests[] = { ++ { 1, 1 }, ++ { 1, 136 }, ++ { 1, 136/2 }, ++ { 1, 136/2-1 }, ++ { 1, 136/2+1 }, ++ { 1, 136*3 }, ++ { 8, 8 }, ++ { 9, 9 }, ++ { 10, 10 }, ++ { 136/2 - 1, 136 }, ++ { 136/2 - 1, 136-1 }, ++ { 136/2 - 1, 136+1 }, ++ { 136/2, 136 }, ++ { 136/2, 136-1 }, ++ { 136/2, 136+1 }, ++ { 136/2 + 1, 136 }, ++ { 136/2 + 1, 136-1 }, ++ { 136/2 + 1, 136+1 }, ++ { 136, 2 }, ++ { 136, 136 }, ++ { 136-1, 136 }, ++ { 136-1, 136-1 }, ++ { 136-1, 136+1 }, ++ { 136+1, 136 }, ++ { 136+1, 136-1 }, ++ { 136+1, 136+1 }, ++ { 136*3, 136 }, ++ { 136*3, 136 + 1 }, ++ { 136*3, 136 - 1 }, ++ { 136*3, 136/2 }, ++ { 136*3, 136/2 + 1 }, ++ { 136*3, 136/2 - 1 }, ++}; ++ ++/* ++ * Helper to do multiple squeezes of output data using SHAKE256. ++ * tst is an index into the stride_tests[] containing an initial starting ++ * output length, followed by a second output length to use for all remaining ++ * squeezes. expected_outlen contains the total number of bytes to squeeze. ++ * in and inlen represent the input to absorb. expected_out and expected_outlen ++ * represent the expected output. ++ */ ++static int do_shake_squeeze_test(int tst, ++ const unsigned char *in, size_t inlen, ++ const unsigned char *expected_out, ++ size_t expected_outlen) ++{ ++ int ret = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char *out = NULL; ++ size_t i = 0, sz = stride_tests[tst].startsz; ++ ++ if (!TEST_ptr(ctx = shake_setup("SHAKE256"))) ++ return 0; ++ if (!TEST_ptr(out = OPENSSL_malloc(expected_outlen))) ++ goto err; ++ if (!TEST_true(EVP_DigestUpdate(ctx, in, inlen))) ++ goto err; ++ ++ while (i < expected_outlen) { ++ if ((i + sz) > expected_outlen) ++ sz = expected_outlen - i; ++ if (!TEST_true(EVP_DigestSqueeze(ctx, out + i, sz))) ++ goto err; ++ i += sz; ++ sz = stride_tests[tst].incsz; ++ } ++ if (!TEST_mem_eq(out, expected_outlen, expected_out, expected_outlen)) ++ goto err; ++ ret = 1; ++err: ++ OPENSSL_free(out); ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++static int shake_squeeze_kat_test(int tst) ++{ ++ return do_shake_squeeze_test(tst, shake256_input, sizeof(shake256_input), ++ shake256_output, sizeof(shake256_output)); ++} ++ ++/* ++ * Generate some random input to absorb, and then ++ * squeeze it out in one operation to get a expected ++ * output. Use this to test that multiple squeeze calls ++ * on the same input gives the same output. ++ */ ++static int shake_squeeze_large_test(int tst) ++{ ++ int ret = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char msg[16]; ++ unsigned char out[2000]; ++ ++ if (!TEST_int_gt(RAND_bytes(msg, sizeof(msg)), 0) ++ || !TEST_ptr(ctx = shake_setup("SHAKE256")) ++ || !TEST_true(EVP_DigestUpdate(ctx, msg, sizeof(msg))) ++ || !TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out)))) ++ goto err; ++ ++ ret = do_shake_squeeze_test(tst, msg, sizeof(msg), out, sizeof(out)); ++err: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++static const size_t dupoffset_tests[] = { ++ 1, 135, 136, 137, 136*3-1, 136*3, 136*3+1 ++}; ++ ++/* Helper function to test that EVP_MD_CTX_dup() copies the internal state */ ++static int do_shake_squeeze_dup_test(int tst, const char *alg, ++ const unsigned char *in, size_t inlen, ++ const unsigned char *expected_out, ++ size_t expected_outlen) ++{ ++ int ret = 0; ++ EVP_MD_CTX *cur, *ctx = NULL, *dupctx = NULL; ++ unsigned char *out = NULL; ++ size_t i = 0, sz = 10; ++ size_t dupoffset = dupoffset_tests[tst]; ++ ++ if (!TEST_ptr(ctx = shake_setup(alg))) ++ return 0; ++ cur = ctx; ++ if (!TEST_ptr(out = OPENSSL_malloc(expected_outlen))) ++ goto err; ++ if (!TEST_true(EVP_DigestUpdate(ctx, in, inlen))) ++ goto err; ++ ++ while (i < expected_outlen) { ++ if ((i + sz) > expected_outlen) ++ sz = expected_outlen - i; ++ if (!TEST_true(EVP_DigestSqueeze(cur, out + i, sz))) ++ goto err; ++ i += sz; ++ /* At a certain offset we swap to a new ctx that copies the state */ ++ if (dupctx == NULL && i >= dupoffset) { ++ if (!TEST_ptr(dupctx = EVP_MD_CTX_dup(ctx))) ++ goto err; ++ cur = dupctx; ++ } ++ } ++ if (!TEST_mem_eq(out, expected_outlen, expected_out, expected_outlen)) ++ goto err; ++ ret = 1; ++err: ++ OPENSSL_free(out); ++ EVP_MD_CTX_free(ctx); ++ EVP_MD_CTX_free(dupctx); ++ return ret; ++} ++ ++/* Test that the internal state can be copied */ ++static int shake_squeeze_dup_test(int tst) ++{ ++ int ret = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char msg[16]; ++ unsigned char out[1000]; ++ const char *alg = "SHAKE128"; ++ ++ if (!TEST_int_gt(RAND_bytes(msg, sizeof(msg)), 0) ++ || !TEST_ptr(ctx = shake_setup(alg)) ++ || !TEST_true(EVP_DigestUpdate(ctx, msg, sizeof(msg))) ++ || !TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out)))) ++ goto err; ++ ++ ret = do_shake_squeeze_dup_test(tst, alg, msg, sizeof(msg), ++ out, sizeof(out)); ++err: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ ++int setup_tests(void) ++{ ++ ADD_TEST(shake_kat_test); ++ ADD_TEST(shake_kat_digestfinal_test); ++ ADD_TEST(shake_kat_digestfinal_xoflen_test); ++ ADD_TEST(shake_absorb_test); ++ ADD_ALL_TESTS(shake_squeeze_kat_test, OSSL_NELEM(stride_tests)); ++ ADD_ALL_TESTS(shake_squeeze_large_test, OSSL_NELEM(stride_tests)); ++ ADD_ALL_TESTS(shake_squeeze_dup_test, OSSL_NELEM(dupoffset_tests)); ++ return 1; ++} +Index: openssl-3.2.3/test/recipes/30-test_evp_xof.t +=================================================================== +--- /dev/null ++++ openssl-3.2.3/test/recipes/30-test_evp_xof.t +@@ -0,0 +1,12 @@ ++#! /usr/bin/env perl ++# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++ ++ ++use OpenSSL::Test::Simple; ++ ++simple_test("test_evp_xof", "evp_xof_test"); +Index: openssl-3.2.3/util/libcrypto.num +=================================================================== +--- openssl-3.2.3.orig/util/libcrypto.num ++++ openssl-3.2.3/util/libcrypto.num +@@ -5536,6 +5536,7 @@ X509_STORE_CTX_set_get_crl + X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: + OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: + BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK ++EVP_DigestSqueeze ? 3_2_0 EXIST::FUNCTION: + ossl_safe_getenv ? 3_2_0 EXIST::FUNCTION: + ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: + ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: diff --git a/openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch b/openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch new file mode 100644 index 0000000..26523be --- /dev/null +++ b/openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch @@ -0,0 +1,90 @@ +commit a75d62637aa165a7f37e39a3a36e2a8b089913bc +Author: Ingo Franzki +Date: Mon Aug 26 11:26:03 2024 +0200 + + s390x: Disable HMAC hardware acceleration when an engine is used for the digest + + The TLSProxy uses the 'ossltest' engine to produce known output for digests + and HMAC calls. However, when running on a s390x system that supports + hardware acceleration of HMAC, the engine is not used for calculating HMACs, + but the s390x specific HMAC implementation is used, which does produce correct + output, but not the known output that the engine would produce. This causes + some tests (i.e. test_key_share, test_sslextension, test_sslrecords, + test_sslvertol, and test_tlsextms) to fail. + + Disable the s390x HMAC hardware acceleration if an engine is used for the + digest of the HMAC calculation. This provides compatibility for engines that + provide digest implementations, and assume that these implementations are also + used when calculating an HMAC. + + Signed-off-by: Ingo Franzki + + Reviewed-by: Neil Horman + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/25287) + +diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c +index 5db7e9a221..02e1cd1dd6 100644 +--- a/crypto/hmac/hmac_s390x.c ++++ b/crypto/hmac/hmac_s390x.c +@@ -7,10 +7,16 @@ + * https://www.openssl.org/source/license.html + */ + ++/* We need to use some engine deprecated APIs */ ++#define OPENSSL_SUPPRESS_DEPRECATED ++ + #include "crypto/s390x_arch.h" + #include "hmac_local.h" + #include "openssl/obj_mac.h" + #include "openssl/evp.h" ++#if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) ++# include ++#endif + + #ifdef OPENSSL_HMAC_S390X + +@@ -63,6 +69,31 @@ static void s390x_call_kmac(HMAC_CTX *ctx, const unsigned char *in, size_t len) + ctx->plat.s390x.ikp = 1; + } + ++static int s390x_check_engine_used(const EVP_MD *md, ENGINE *impl) ++{ ++# if !defined(OPENSSL_NO_ENGINE) && !defined(FIPS_MODULE) ++ const EVP_MD *d; ++ ++ if (impl != NULL) { ++ if (!ENGINE_init(impl)) ++ return 0; ++ } else { ++ impl = ENGINE_get_digest_engine(EVP_MD_get_type(md)); ++ } ++ ++ if (impl == NULL) ++ return 0; ++ ++ d = ENGINE_get_digest(impl, EVP_MD_get_type(md)); ++ ENGINE_finish(impl); ++ ++ if (d != NULL) ++ return 1; ++# endif ++ ++ return 0; ++} ++ + int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl) + { + unsigned char *key_param; +@@ -72,6 +103,11 @@ int s390x_HMAC_init(HMAC_CTX *ctx, const void *key, int key_len, ENGINE *impl) + if (ctx->plat.s390x.fc == 0) + return -1; /* Not supported by kmac instruction */ + ++ if (s390x_check_engine_used(ctx->md, impl)) { ++ ctx->plat.s390x.fc = 0; ++ return -1; /* An engine handles the digest, disable acceleration */ ++ } ++ + ctx->plat.s390x.blk_size = EVP_MD_get_block_size(ctx->md); + if (ctx->plat.s390x.blk_size < 0) + return 0; diff --git a/openssl-3-fix-hmac-digest-detection-s390x.patch b/openssl-3-fix-hmac-digest-detection-s390x.patch new file mode 100644 index 0000000..7e2d4e5 --- /dev/null +++ b/openssl-3-fix-hmac-digest-detection-s390x.patch @@ -0,0 +1,49 @@ +commit d5b3c0e24bc56614e92ffafdd705622beaef420a +Author: Ingo Franzki +Date: Wed Aug 28 14:56:33 2024 +0200 + + s390x: Fix HMAC digest detection + + Use EVP_MD_is_a() instead of EVP_MD_get_type() to detect the digest + type. EVP_MD_get_type() does not always return the expected NID, e.g. + when running in the FIPS provider, EVP_MD_get_type() returns zero, + causing to skip the HMAC acceleration path. + + Signed-off-by: Ingo Franzki + + Reviewed-by: Paul Dale + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/25304) + +diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c +index 8b0da0d59d..5db7e9a221 100644 +--- a/crypto/hmac/hmac_s390x.c ++++ b/crypto/hmac/hmac_s390x.c +@@ -18,22 +18,16 @@ static int s390x_fc_from_md(const EVP_MD *md) + { + int fc; + +- switch (EVP_MD_get_type(md)) { +- case NID_sha224: ++ if (EVP_MD_is_a(md, "SHA2-224")) + fc = S390X_HMAC_SHA_224; +- break; +- case NID_sha256: ++ else if (EVP_MD_is_a(md, "SHA2-256")) + fc = S390X_HMAC_SHA_256; +- break; +- case NID_sha384: ++ else if (EVP_MD_is_a(md, "SHA2-384")) + fc = S390X_HMAC_SHA_384; +- break; +- case NID_sha512: ++ else if (EVP_MD_is_a(md, "SHA2-512")) + fc = S390X_HMAC_SHA_512; +- break; +- default: ++ else + return 0; +- } + + if ((OPENSSL_s390xcap_P.kmac[1] & S390X_CAPBIT(fc)) == 0) + return 0; diff --git a/openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch b/openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch new file mode 100644 index 0000000..452f5e0 --- /dev/null +++ b/openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch @@ -0,0 +1,28 @@ +commit 19b87d2d2b022c20dd9043c3b6d021315011b45f +Author: Ingo Franzki +Date: Tue Aug 20 11:35:20 2024 +0200 + + s390x: Fix memory leak in s390x_HMAC_CTX_copy() + + When s390x_HMAC_CTX_copy() is called, but the destination context already + has a buffer allocated, it is not freed before duplicating the buffer from + the source context. + + Signed-off-by: Ingo Franzki + + Reviewed-by: Paul Dale + Reviewed-by: Shane Lontis + (Merged from https://github.com/openssl/openssl/pull/25238) + +diff --git a/crypto/hmac/hmac_s390x.c b/crypto/hmac/hmac_s390x.c +index 1124d9bc5d..8b0da0d59d 100644 +--- a/crypto/hmac/hmac_s390x.c ++++ b/crypto/hmac/hmac_s390x.c +@@ -263,6 +263,7 @@ int s390x_HMAC_CTX_copy(HMAC_CTX *dctx, HMAC_CTX *sctx) + memcpy(&dctx->plat.s390x.param, &sctx->plat.s390x.param, + sizeof(dctx->plat.s390x.param)); + ++ OPENSSL_clear_free(dctx->plat.s390x.buf, dctx->plat.s390x.size); + dctx->plat.s390x.buf = NULL; + if (sctx->plat.s390x.buf != NULL) { + dctx->plat.s390x.buf = OPENSSL_memdup(sctx->plat.s390x.buf, diff --git a/openssl-3-fix-quic_multistream_test.patch b/openssl-3-fix-quic_multistream_test.patch new file mode 100644 index 0000000..fb1102b --- /dev/null +++ b/openssl-3-fix-quic_multistream_test.patch @@ -0,0 +1,25 @@ +From b5795e3ed3ec38ef4686a5b7ff03bfd60183cb71 Mon Sep 17 00:00:00 2001 +From: "Randall S. Becker" +Date: Mon, 20 May 2024 22:23:04 +0000 +Subject: [PATCH] Added an explicit yield (OP_SLEEP) to QUIC testing for + cooperative threading. + +Fixes: #24442 + +Signed-off-by: Randall S. Becker +--- + test/quic_multistream_test.c | 1 + + 1 file changed, 1 insertion(+) + +Index: openssl-3.2.3/test/quic_multistream_test.c +=================================================================== +--- openssl-3.2.3.orig/test/quic_multistream_test.c ++++ openssl-3.2.3/test/quic_multistream_test.c +@@ -2397,6 +2397,7 @@ static const struct script_op script_13_ + + OP_C_ACCEPT_STREAM_WAIT (a) + OP_C_READ_EXPECT (a, "foo", 3) ++ OP_SLEEP (10) + OP_C_EXPECT_FIN (a) + OP_C_FREE_STREAM (a) + diff --git a/openssl-3-fix-s390x_sha3_absorb.patch b/openssl-3-fix-s390x_sha3_absorb.patch new file mode 100644 index 0000000..b7bf778 --- /dev/null +++ b/openssl-3-fix-s390x_sha3_absorb.patch @@ -0,0 +1,50 @@ +From 979dc530010e3c0f045edf6e38c7ab894ffba7f2 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Thu, 5 Sep 2024 08:45:29 +0200 +Subject: [PATCH] s390x: Fix s390x_sha3_absorb() when no data is processed by + KIMD + +If the data to absorb is less than a block, then the KIMD instruction is +called with zero bytes. This is superfluous, and causes incorrect hash +output later on if this is the very first absorb call, i.e. when the +xof_state is still XOF_STATE_INIT and MSA 12 is available. In this case +the NIP flag is set in the function code for KIMD, but KIMD ignores the +NIP flag when it is called with zero bytes to process. + +Skip any KIMD calls for zero length data. Also do not set the xof_state +to XOF_STATE_ABSORB until the first call to KIMD with data. That way, +the next KIMD (with non-zero length data) or KLMD call will get the NIP +flag set and will then honor it to produce correct output. + +Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54 + +Signed-off-by: Ingo Franzki + +Reviewed-by: Viktor Dukhovni +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/25388) +--- + providers/implementations/digests/sha3_prov.c | 10 ++++++---- + 1 file changed, 6 insertions(+), 4 deletions(-) + +Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c ++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c +@@ -192,10 +192,12 @@ static size_t s390x_sha3_absorb(void *vc + if (!(ctx->xof_state == XOF_STATE_INIT || + ctx->xof_state == XOF_STATE_ABSORB)) + return 0; +- fc = ctx->pad; +- fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0; +- ctx->xof_state = XOF_STATE_ABSORB; +- s390x_kimd(inp, len - rem, fc, ctx->A); ++ if (len - rem > 0) { ++ fc = ctx->pad; ++ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0; ++ ctx->xof_state = XOF_STATE_ABSORB; ++ s390x_kimd(inp, len - rem, fc, ctx->A); ++ } + return rem; + } + diff --git a/openssl-3-fix-s390x_shake_squeeze.patch b/openssl-3-fix-s390x_shake_squeeze.patch new file mode 100644 index 0000000..a2757ed --- /dev/null +++ b/openssl-3-fix-s390x_shake_squeeze.patch @@ -0,0 +1,98 @@ +From dc5afb7e87ee448f4fecad0dc624c643505ba7f1 Mon Sep 17 00:00:00 2001 +From: Ingo Franzki +Date: Wed, 4 Sep 2024 13:42:09 +0200 +Subject: [PATCH] s390x: Fix s390x_shake_squeeze() when MSA 12 is available + +On the first squeeze call, when finishing the absorb process, also set +the NIP flag, if we are still in XOF_STATE_INIT state. When MSA 12 is +available, the state buffer A has not been zeroed during initialization, +thus we must also pass the NIP flag here. This situation can happen +when a squeeze is performed without a preceding absorb (i.e. a SHAKE +of the empty message). + +Add a test that performs a squeeze without a preceding absorb and check +if the result is correct. + +Fixes: https://github.com/openssl/openssl/commit/25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54 + +Signed-off-by: Ingo Franzki + +Reviewed-by: Viktor Dukhovni +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/25388) +--- + providers/implementations/digests/sha3_prov.c | 5 +++- + test/evp_xof_test.c | 29 +++++++++++++++++++ + 2 files changed, 33 insertions(+), 1 deletion(-) + +Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c ++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c +@@ -239,6 +239,7 @@ static int s390x_shake_final(void *vctx, + static int s390x_shake_squeeze(void *vctx, unsigned char *out, size_t outlen) + { + KECCAK1600_CTX *ctx = vctx; ++ unsigned int fc; + size_t len; + + if (!ossl_prov_is_running()) +@@ -249,8 +250,10 @@ static int s390x_shake_squeeze(void *vct + * On the first squeeze call, finish the absorb process (incl. padding). + */ + if (ctx->xof_state != XOF_STATE_SQUEEZE) { ++ fc = ctx->pad; ++ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0; + ctx->xof_state = XOF_STATE_SQUEEZE; +- s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A); ++ s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, fc, ctx->A); + ctx->bufsz = outlen % ctx->block_size; + /* reuse ctx->bufsz to count bytes squeezed from current sponge */ + return 1; +Index: openssl-3.2.3/test/evp_xof_test.c +=================================================================== +--- openssl-3.2.3.orig/test/evp_xof_test.c ++++ openssl-3.2.3/test/evp_xof_test.c +@@ -479,6 +479,34 @@ err: + return ret; + } + ++/* Test that a squeeze without a preceding absorb works */ ++static int shake_squeeze_no_absorb_test(void) ++{ ++ int ret = 0; ++ EVP_MD_CTX *ctx = NULL; ++ unsigned char out[1000]; ++ unsigned char out2[1000]; ++ const char *alg = "SHAKE128"; ++ ++ if (!TEST_ptr(ctx = shake_setup(alg)) ++ || !TEST_true(EVP_DigestFinalXOF(ctx, out, sizeof(out)))) ++ goto err; ++ ++ if (!TEST_true(EVP_DigestInit_ex2(ctx, NULL, NULL)) ++ || !TEST_true(EVP_DigestSqueeze(ctx, out2, sizeof(out2) / 2)) ++ || !TEST_true(EVP_DigestSqueeze(ctx, out2 + sizeof(out2) / 2, ++ sizeof(out2) / 2))) ++ goto err; ++ ++ if (!TEST_mem_eq(out2, sizeof(out2), out, sizeof(out))) ++ goto err; ++ ret = 1; ++ ++err: ++ EVP_MD_CTX_free(ctx); ++ return ret; ++} ++ + int setup_tests(void) + { + ADD_TEST(shake_kat_test); +@@ -488,5 +516,7 @@ int setup_tests(void) + ADD_ALL_TESTS(shake_squeeze_kat_test, OSSL_NELEM(stride_tests)); + ADD_ALL_TESTS(shake_squeeze_large_test, OSSL_NELEM(stride_tests)); + ADD_ALL_TESTS(shake_squeeze_dup_test, OSSL_NELEM(dupoffset_tests)); ++ ADD_TEST(shake_squeeze_no_absorb_test); ++ + return 1; + } diff --git a/openssl-3-fix-sha3-squeeze-ppc64.patch b/openssl-3-fix-sha3-squeeze-ppc64.patch new file mode 100644 index 0000000..cedf5f2 --- /dev/null +++ b/openssl-3-fix-sha3-squeeze-ppc64.patch @@ -0,0 +1,31 @@ +commit ed5e478261127cafe9c3f86c4992eab1e5c7ebb1 +Author: Rohan McLure +Date: Tue Nov 14 14:14:33 2023 +1100 + + ppc64: Fix SHA3_squeeze + + Fix the conditional on the 'next' parameter passed into SHA3_squeeze. + + Reported-by: David Benjamin + Signed-off-by: Rohan McLure + + Reviewed-by: Shane Lontis + Reviewed-by: Paul Dale + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/22722) + +diff --git a/crypto/sha/asm/keccak1600-ppc64.pl b/crypto/sha/asm/keccak1600-ppc64.pl +index 3f8ba817f8..fe7d6db20e 100755 +--- a/crypto/sha/asm/keccak1600-ppc64.pl ++++ b/crypto/sha/asm/keccak1600-ppc64.pl +@@ -668,8 +668,8 @@ SHA3_squeeze: + subi $out,r4,1 ; prepare for stbu + mr $len,r5 + mr $bsz,r6 +- ${UCMP}i r7,1 ; r7 = 'next' argument +- blt .Lnext_block ++ ${UCMP}i r7,0 ; r7 = 'next' argument ++ bne .Lnext_block + b .Loop_squeeze + + .align 4 diff --git a/openssl-3-fix-state-handling-keccak_final_s390x.patch b/openssl-3-fix-state-handling-keccak_final_s390x.patch new file mode 100644 index 0000000..7f68786 --- /dev/null +++ b/openssl-3-fix-state-handling-keccak_final_s390x.patch @@ -0,0 +1,32 @@ +commit 1022131d16e30cfbf896e02419019de48e8e1149 +Author: Holger Dengler +Date: Wed Sep 27 15:43:18 2023 +0200 + + Fix state handling of keccak_final for s390x. + + The digest life-cycle state diagram has been updated for XOF. Fix the + state handling in s390x_keccac_final() according to the updated state + diagram. + + Signed-off-by: Holger Dengler + + Reviewed-by: Shane Lontis + Reviewed-by: Todd Short + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/22221) + +diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c +index 34620cf95a..f691273baf 100644 +--- a/providers/implementations/digests/sha3_prov.c ++++ b/providers/implementations/digests/sha3_prov.c +@@ -235,6 +235,10 @@ static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen, + + if (!ossl_prov_is_running()) + return 0; ++ if (!(ctx->xof_state == XOF_STATE_INIT || ++ ctx->xof_state == XOF_STATE_ABSORB)) ++ return 0; ++ ctx->xof_state = XOF_STATE_FINAL; + if (outlen == 0) + return 1; + memset(ctx->buf + num, 0, bsz - num); diff --git a/openssl-3-fix-state-handling-sha3_absorb_s390x.patch b/openssl-3-fix-state-handling-sha3_absorb_s390x.patch new file mode 100644 index 0000000..35b0b30 --- /dev/null +++ b/openssl-3-fix-state-handling-sha3_absorb_s390x.patch @@ -0,0 +1,32 @@ +commit 7aa45b8bb3269e881d0378aa785ff344efdd2897 +Author: Holger Dengler +Date: Wed Sep 27 15:36:23 2023 +0200 + + Fix state handling of sha3_absorb for s390x. + + The digest life-cycle state diagram has been updated for XOF. Fix the + state handling in s390x_sha3_aborb() according to the updated state + diagram. + + Signed-off-by: Holger Dengler + + Reviewed-by: Shane Lontis + Reviewed-by: Todd Short + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/22221) + +Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c ++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c +@@ -188,6 +188,10 @@ static size_t s390x_sha3_absorb(void *vc + KECCAK1600_CTX *ctx = vctx; + size_t rem = len % ctx->block_size; + ++ if (!(ctx->xof_state == XOF_STATE_INIT || ++ ctx->xof_state == XOF_STATE_ABSORB)) ++ return 0; ++ ctx->xof_state = XOF_STATE_ABSORB; + s390x_kimd(inp, len - rem, ctx->pad, ctx->A); + return rem; + } diff --git a/openssl-3-fix-state-handling-sha3_final_s390x.patch b/openssl-3-fix-state-handling-sha3_final_s390x.patch new file mode 100644 index 0000000..2752a90 --- /dev/null +++ b/openssl-3-fix-state-handling-sha3_final_s390x.patch @@ -0,0 +1,32 @@ +commit 017acc58f6b67d5b347db411a7a1c4e890434f42 +Author: Holger Dengler +Date: Wed Sep 27 15:36:59 2023 +0200 + + Fix state handling of sha3_final for s390x. + + The digest life-cycle state diagram has been updated for XOF. Fix the + state handling in s390x_sha3_final() according to the updated state + diagram. + + Signed-off-by: Holger Dengler + + Reviewed-by: Shane Lontis + Reviewed-by: Todd Short + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/22221) + +Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c ++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c +@@ -202,6 +202,10 @@ static int s390x_sha3_final(void *vctx, + + if (!ossl_prov_is_running()) + return 0; ++ if (!(ctx->xof_state == XOF_STATE_INIT || ++ ctx->xof_state == XOF_STATE_ABSORB)) ++ return 0; ++ ctx->xof_state = XOF_STATE_FINAL; + s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A); + memcpy(out, ctx->A, outlen); + return 1; diff --git a/openssl-3-fix-state-handling-shake_final_s390x.patch b/openssl-3-fix-state-handling-shake_final_s390x.patch new file mode 100644 index 0000000..51a52ce --- /dev/null +++ b/openssl-3-fix-state-handling-shake_final_s390x.patch @@ -0,0 +1,32 @@ +commit 288fbb4b71343516cee6f6a44b9ec55d82fb1532 +Author: Holger Dengler +Date: Wed Sep 27 15:37:29 2023 +0200 + + Fix state handling of shake_final for s390x. + + The digest life-cycle state diagram has been updated for XOF. Fix the + state handling in s390x_shake_final() according to the updated state + diagram. + + Signed-off-by: Holger Dengler + + Reviewed-by: Shane Lontis + Reviewed-by: Todd Short + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/22221) + +Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c ++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c +@@ -217,6 +217,10 @@ static int s390x_shake_final(void *vctx, + + if (!ossl_prov_is_running()) + return 0; ++ if (!(ctx->xof_state == XOF_STATE_INIT || ++ ctx->xof_state == XOF_STATE_ABSORB)) ++ return 0; ++ ctx->xof_state = XOF_STATE_FINAL; + s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A); + return 1; + } diff --git a/openssl-3-hw-acceleration-aes-xts-s390x.patch b/openssl-3-hw-acceleration-aes-xts-s390x.patch new file mode 100644 index 0000000..ddef97f --- /dev/null +++ b/openssl-3-hw-acceleration-aes-xts-s390x.patch @@ -0,0 +1,327 @@ +commit 9cd4051e47c8da8398f93f42f0f56750552965f4 +Author: Holger Dengler +Date: Tue Aug 6 14:00:49 2024 +0200 + + s390x: Add hardware acceleration for full AES-XTS + + The CPACF instruction KM provides support for accelerating the full + AES-XTS algorithm on newer machines for AES_XTS_128 and AES_XTS_256. + + Preliminary measurements showed performance improvements of up to 50%, + dependent on the message size. + + Signed-off-by: Holger Dengler + + Reviewed-by: Tomas Mraz + Reviewed-by: Paul Dale + (Merged from https://github.com/openssl/openssl/pull/25414) + +diff --git a/providers/implementations/ciphers/build.info b/providers/implementations/ciphers/build.info +index 5eb705969f..1837070c21 100644 +--- a/providers/implementations/ciphers/build.info ++++ b/providers/implementations/ciphers/build.info +@@ -71,6 +71,19 @@ IF[{- !$disabled{asm} -}] + ENDIF + ENDIF + ++IF[{- !$disabled{asm} -}] ++ IF[{- ($target{perlasm_scheme} // '') ne '31' -}] ++ $AESXTSDEF_s390x=AES_XTS_S390X ++ ENDIF ++ ++ # Now that we have defined all the arch specific variables, use the ++ # appropriate one, and define the appropriate macros ++ ++ IF[$AESXTSDEF_{- $target{asm_arch} -}] ++ $AESXTSDEF=$AESXTSDEF_{- $target{asm_arch} -} ++ ENDIF ++ENDIF ++ + # This source is common building blocks for all ciphers in all our providers. + SOURCE[$COMMON_GOAL]=\ + ciphercommon.c ciphercommon_hw.c ciphercommon_block.c \ +@@ -93,6 +106,7 @@ SOURCE[$AES_GOAL]=\ + cipher_aes_cbc_hmac_sha.c \ + cipher_aes_cbc_hmac_sha256_hw.c cipher_aes_cbc_hmac_sha1_hw.c \ + cipher_cts.c ++DEFINE[$AES_GOAL]=$AESXTSDEF + + # Extra code to satisfy the FIPS and non-FIPS separation. + # When the AES-xxx-XTS moves to legacy, cipher_aes_xts_fips.c can be removed. +diff --git a/providers/implementations/ciphers/cipher_aes_xts.c b/providers/implementations/ciphers/cipher_aes_xts.c +index cce2537ea7..2287834d62 100644 +--- a/providers/implementations/ciphers/cipher_aes_xts.c ++++ b/providers/implementations/ciphers/cipher_aes_xts.c +@@ -62,6 +62,10 @@ static int aes_xts_check_keys_differ(const unsigned char *key, size_t bytes, + return 1; + } + ++#ifdef AES_XTS_S390X ++# include "cipher_aes_xts_s390x.inc" ++#endif ++ + /*- + * Provider dispatch functions + */ +@@ -98,6 +102,10 @@ static int aes_xts_einit(void *vctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen, + const OSSL_PARAM params[]) + { ++#ifdef AES_XTS_S390X ++ if (s390x_aes_xts_einit(vctx, key, keylen, iv, ivlen, params) == 1) ++ return 1; ++#endif + return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 1); + } + +@@ -105,6 +113,10 @@ static int aes_xts_dinit(void *vctx, const unsigned char *key, size_t keylen, + const unsigned char *iv, size_t ivlen, + const OSSL_PARAM params[]) + { ++#ifdef AES_XTS_S390X ++ if (s390x_aes_xts_dinit(vctx, key, keylen, iv, ivlen, params) == 1) ++ return 1; ++#endif + return aes_xts_init(vctx, key, keylen, iv, ivlen, params, 0); + } + +@@ -137,6 +149,11 @@ static void *aes_xts_dupctx(void *vctx) + if (!ossl_prov_is_running()) + return NULL; + ++#ifdef AES_XTS_S390X ++ if (in->plat.s390x.fc) ++ return s390x_aes_xts_dupctx(vctx); ++#endif ++ + if (in->xts.key1 != NULL) { + if (in->xts.key1 != &in->ks1) + return NULL; +@@ -157,6 +174,11 @@ static int aes_xts_cipher(void *vctx, unsigned char *out, size_t *outl, + { + PROV_AES_XTS_CTX *ctx = (PROV_AES_XTS_CTX *)vctx; + ++#ifdef AES_XTS_S390X ++ if (ctx->plat.s390x.fc) ++ return s390x_aes_xts_cipher(vctx, out, outl, outsize, in, inl); ++#endif ++ + if (!ossl_prov_is_running() + || ctx->xts.key1 == NULL + || ctx->xts.key2 == NULL +diff --git a/providers/implementations/ciphers/cipher_aes_xts.h b/providers/implementations/ciphers/cipher_aes_xts.h +index afc42ef444..56891ca98c 100644 +--- a/providers/implementations/ciphers/cipher_aes_xts.h ++++ b/providers/implementations/ciphers/cipher_aes_xts.h +@@ -22,6 +22,14 @@ PROV_CIPHER_FUNC(void, xts_stream, + const AES_KEY *key1, const AES_KEY *key2, + const unsigned char iv[16])); + ++#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) ++typedef struct S390X_km_xts_params_st { ++ unsigned char key[64]; ++ unsigned char tweak[16]; ++ unsigned char nap[16]; ++} S390X_KM_XTS_PARAMS; ++#endif ++ + typedef struct prov_aes_xts_ctx_st { + PROV_CIPHER_CTX base; /* Must be first */ + union { +@@ -30,6 +38,23 @@ typedef struct prov_aes_xts_ctx_st { + } ks1, ks2; /* AES key schedules to use */ + XTS128_CONTEXT xts; + OSSL_xts_stream_fn stream; ++ ++ /* Platform specific data */ ++ union { ++ int dummy; ++#if defined(OPENSSL_CPUID_OBJ) && defined(__s390__) ++ struct { ++ union { ++ OSSL_UNION_ALIGN; ++ S390X_KM_XTS_PARAMS km; ++ } param; ++ size_t offset; ++ unsigned int fc; ++ unsigned int iv_set : 1; ++ unsigned int key_set : 1; ++ } s390x; ++#endif ++ } plat; + } PROV_AES_XTS_CTX; + + const PROV_CIPHER_HW *ossl_prov_cipher_hw_aes_xts(size_t keybits); +diff --git a/providers/implementations/ciphers/cipher_aes_xts_s390x.inc b/providers/implementations/ciphers/cipher_aes_xts_s390x.inc +new file mode 100644 +index 0000000000..77341b3bbd +--- /dev/null ++++ b/providers/implementations/ciphers/cipher_aes_xts_s390x.inc +@@ -0,0 +1,167 @@ ++/* ++ * Copyright 2024 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#include "crypto/s390x_arch.h" ++ ++static OSSL_FUNC_cipher_encrypt_init_fn s390x_aes_xts_einit; ++static OSSL_FUNC_cipher_decrypt_init_fn s390x_aes_xts_dinit; ++static OSSL_FUNC_cipher_cipher_fn s390x_aes_xts_cipher; ++static OSSL_FUNC_cipher_dupctx_fn s390x_aes_xts_dupctx; ++ ++static int s390x_aes_xts_init(void *vctx, const unsigned char *key, ++ size_t keylen, const unsigned char *iv, ++ size_t ivlen, const OSSL_PARAM params[], ++ unsigned int dec) ++{ ++ PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx; ++ S390X_KM_XTS_PARAMS *km = &xctx->plat.s390x.param.km; ++ unsigned int fc, offs; ++ ++ switch (xctx->base.keylen) { ++ case 128 / 8 * 2: ++ fc = S390X_XTS_AES_128_MSA10; ++ offs = 32; ++ break; ++ case 256 / 8 * 2: ++ fc = S390X_XTS_AES_256_MSA10; ++ offs = 0; ++ break; ++ default: ++ goto not_supported; ++ } ++ ++ if (!(OPENSSL_s390xcap_P.km[1] && S390X_CAPBIT(fc))) ++ goto not_supported; ++ ++ if (iv != NULL) { ++ if (ivlen != xctx->base.ivlen ++ || ivlen > sizeof(km->tweak)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_IV_LENGTH); ++ return 0; ++ } ++ memcpy(km->tweak, iv, ivlen); ++ xctx->plat.s390x.iv_set = 1; ++ } ++ ++ if (key != NULL) { ++ if (keylen != xctx->base.keylen) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ if (!aes_xts_check_keys_differ(key, keylen / 2, !dec)) ++ return 0; ++ ++ memcpy(km->key + offs, key, keylen); ++ xctx->plat.s390x.key_set = 1; ++ } ++ ++ xctx->plat.s390x.fc = fc | dec; ++ xctx->plat.s390x.offset = offs; ++ ++ memset(km->nap, 0, sizeof(km->nap)); ++ km->nap[0] = 0x1; ++ ++ return aes_xts_set_ctx_params(xctx, params); ++ ++not_supported: ++ xctx->plat.s390x.fc = 0; ++ xctx->plat.s390x.offset = 0; ++ return 0; ++} ++ ++static int s390x_aes_xts_einit(void *vctx, const unsigned char *key, ++ size_t keylen, const unsigned char *iv, ++ size_t ivlen, const OSSL_PARAM params[]) ++{ ++ return s390x_aes_xts_init(vctx, key, keylen, iv, ivlen, params, 0); ++} ++ ++static int s390x_aes_xts_dinit(void *vctx, const unsigned char *key, ++ size_t keylen, const unsigned char *iv, ++ size_t ivlen, const OSSL_PARAM params[]) ++{ ++ return s390x_aes_xts_init(vctx, key, keylen, iv, ivlen, params, ++ S390X_DECRYPT); ++} ++ ++static void *s390x_aes_xts_dupctx(void *vctx) ++{ ++ PROV_AES_XTS_CTX *in = (PROV_AES_XTS_CTX *)vctx; ++ PROV_AES_XTS_CTX *ret = OPENSSL_zalloc(sizeof(*in)); ++ ++ if (ret != NULL) ++ *ret = *in; ++ ++ return ret; ++} ++ ++static int s390x_aes_xts_cipher(void *vctx, unsigned char *out, size_t *outl, ++ size_t outsize, const unsigned char *in, ++ size_t inl) ++{ ++ PROV_AES_XTS_CTX *xctx = (PROV_AES_XTS_CTX *)vctx; ++ S390X_KM_XTS_PARAMS *km = &xctx->plat.s390x.param.km; ++ unsigned char *param = (unsigned char *)km + xctx->plat.s390x.offset; ++ unsigned int fc = xctx->plat.s390x.fc; ++ unsigned char tmp[2][AES_BLOCK_SIZE]; ++ unsigned char nap_n1[AES_BLOCK_SIZE]; ++ unsigned char drop[AES_BLOCK_SIZE]; ++ size_t len_incomplete, len_complete; ++ ++ if (!ossl_prov_is_running() ++ || inl < AES_BLOCK_SIZE ++ || in == NULL ++ || out == NULL ++ || !xctx->plat.s390x.iv_set ++ || !xctx->plat.s390x.key_set) ++ return 0; ++ ++ /* ++ * Impose a limit of 2^20 blocks per data unit as specified by ++ * IEEE Std 1619-2018. The earlier and obsolete IEEE Std 1619-2007 ++ * indicated that this was a SHOULD NOT rather than a MUST NOT. ++ * NIST SP 800-38E mandates the same limit. ++ */ ++ if (inl > XTS_MAX_BLOCKS_PER_DATA_UNIT * AES_BLOCK_SIZE) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_XTS_DATA_UNIT_IS_TOO_LARGE); ++ return 0; ++ } ++ ++ len_incomplete = inl % AES_BLOCK_SIZE; ++ len_complete = (len_incomplete == 0) ? inl : ++ (inl / AES_BLOCK_SIZE - 1) * AES_BLOCK_SIZE; ++ ++ if (len_complete > 0) ++ s390x_km(in, len_complete, out, fc, param); ++ if (len_incomplete == 0) ++ goto out; ++ ++ memcpy(tmp, in + len_complete, AES_BLOCK_SIZE + len_incomplete); ++ /* swap NAP for decrypt */ ++ if (fc & S390X_DECRYPT) { ++ memcpy(nap_n1, km->nap, AES_BLOCK_SIZE); ++ s390x_km(tmp[0], AES_BLOCK_SIZE, drop, fc, param); ++ } ++ s390x_km(tmp[0], AES_BLOCK_SIZE, tmp[0], fc, param); ++ if (fc & S390X_DECRYPT) ++ memcpy(km->nap, nap_n1, AES_BLOCK_SIZE); ++ ++ memcpy(tmp[1] + len_incomplete, tmp[0] + len_incomplete, ++ AES_BLOCK_SIZE - len_incomplete); ++ s390x_km(tmp[1], AES_BLOCK_SIZE, out + len_complete, fc, param); ++ memcpy(out + len_complete + AES_BLOCK_SIZE, tmp[0], len_incomplete); ++ ++ /* do not expose temporary data */ ++ OPENSSL_cleanse(tmp, sizeof(tmp)); ++out: ++ memcpy(xctx->base.iv, km->tweak, AES_BLOCK_SIZE); ++ *outl = inl; ++ ++ return 1; ++} diff --git a/openssl-3-jitterentropy-3.4.0.patch b/openssl-3-jitterentropy-3.4.0.patch new file mode 100644 index 0000000..d59016e --- /dev/null +++ b/openssl-3-jitterentropy-3.4.0.patch @@ -0,0 +1,364 @@ +Index: openssl-3.2.3/Configurations/00-base-templates.conf +=================================================================== +--- openssl-3.2.3.orig/Configurations/00-base-templates.conf ++++ openssl-3.2.3/Configurations/00-base-templates.conf +@@ -88,6 +88,7 @@ my %targets=( + sub { + my @libs = (); + push(@libs, "-lz") if !defined($disabled{zlib}) && defined($disabled{"zlib-dynamic"}); ++ push(@libs, "-ljitterentropy") if !defined($disabled{jitterentropy}); + if (!defined($disabled{brotli}) && defined($disabled{"brotli-dynamic"})) { + push(@libs, "-lbrotlienc"); + push(@libs, "-lbrotlidec"); +Index: openssl-3.2.3/crypto/rand/rand_jitter_entropy.c +=================================================================== +--- /dev/null ++++ openssl-3.2.3/crypto/rand/rand_jitter_entropy.c +@@ -0,0 +1,97 @@ ++# include "jitterentropy.h" ++# include "prov/jitter_entropy.h" ++ ++struct rand_data* ec = NULL; ++CRYPTO_RWLOCK *jent_lock = NULL; ++int stop = 0; ++ ++struct rand_data* FIPS_entropy_init(void) ++{ ++ if (ec != NULL) { ++ /* Entropy source has been initiated and collector allocated */ ++ return ec; ++ } ++ if (stop != 0) { ++ /* FIPS_entropy_cleanup() already called, don't initialize it again */ ++ return NULL; ++ } ++ if (jent_lock == NULL) { ++ /* Allocates a new lock to serialize access to jent library */ ++ jent_lock = CRYPTO_THREAD_lock_new(); ++ if (jent_lock == NULL) { ++ return NULL; ++ } ++ } ++ if (CRYPTO_THREAD_write_lock(jent_lock) == 0) { ++ return NULL; ++ } ++ /* If the initialization is successful, the call returns with 0 */ ++ if (jent_entropy_init_ex(1, JENT_FORCE_FIPS) == 0) { ++ /* Allocate entropy collector */ ++ ec = jent_entropy_collector_alloc(1, JENT_FORCE_FIPS); ++ } else { ++ /* abort if jitter rng fails initialization */ ++ abort(); ++ } ++ if (ec == NULL) { ++ /* abort if jitter rng fails initialization */ ++ abort(); ++ } ++ CRYPTO_THREAD_unlock(jent_lock); ++ ++ return ec; ++} ++ ++/* ++ * The following error codes can be returned by jent_read_entropy_safe(): ++ * -1 entropy_collector is NULL ++ * -2 RCT failed ++ * -3 APT failed ++ * -4 The timer cannot be initialized ++ * -5 LAG failure ++ * -6 RCT permanent failure ++ * -7 APT permanent failure ++ * -8 LAG permanent failure ++ */ ++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen) ++{ ++ ssize_t ent_bytes = -1; ++ ++ /* ++ * Order is important. We need to call FIPS_entropy_init() before we ++ * acquire jent_lock, otherwise it can lead to deadlock. Once we have ++ * jent_lock, we need to ensure that FIPS_entropy_cleanup() was not called ++ * in the meantime. Then it's safe to read entropy. ++ */ ++ if (buf != NULL ++ && buflen != 0 ++ && FIPS_entropy_init() ++ && CRYPTO_THREAD_write_lock(jent_lock) != 0 ++ && stop == 0) { ++ /* Get entropy */ ++ ent_bytes = jent_read_entropy_safe(&ec, (char *)buf, buflen); ++ if (ent_bytes < 0) { ++ /* abort if jitter rng fails entropy gathering because health tests failed. */ ++ abort(); ++ } ++ CRYPTO_THREAD_unlock(jent_lock); ++ } ++ ++ return ent_bytes; ++} ++ ++void FIPS_entropy_cleanup(void) ++{ ++ if (jent_lock != NULL && stop == 0) { ++ CRYPTO_THREAD_write_lock(jent_lock); ++ } ++ /* Disable re-initialization in FIPS_entropy_init() */ ++ stop = 1; ++ /* Free entropy collector */ ++ if (ec != NULL) { ++ jent_entropy_collector_free(ec); ++ ec = NULL; ++ } ++ CRYPTO_THREAD_lock_free(jent_lock); ++ jent_lock = NULL; ++} +Index: openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/rands/seeding/rand_unix.c ++++ openssl-3.2.3/providers/implementations/rands/seeding/rand_unix.c +@@ -20,6 +20,7 @@ + #include "internal/dso.h" + #include "internal/nelem.h" + #include "prov/seeding.h" ++#include "prov/jitter_entropy.h" + + #ifdef __linux + # include +@@ -633,6 +634,31 @@ size_t ossl_pool_acquire_entropy(RAND_PO + + (void)entropy_available; /* avoid compiler warning */ + ++ /* Use jitter entropy in FIPS mode */ ++ if (EVP_default_properties_is_fips_enabled(NULL)) ++ { ++ size_t bytes_needed; ++ unsigned char *buffer; ++ ssize_t bytes; ++ /* Maximum allowed number of consecutive unsuccessful attempts */ ++ int attempts = 3; ++ ++ bytes_needed = ossl_rand_pool_bytes_needed(pool, 1 /*entropy_factor*/); ++ while (bytes_needed != 0 && attempts-- > 0) { ++ buffer = ossl_rand_pool_add_begin(pool, bytes_needed); ++ bytes = FIPS_jitter_entropy(buffer, bytes_needed); ++ if (bytes > 0) { ++ ossl_rand_pool_add_end(pool, bytes, 8 * bytes); ++ bytes_needed -= bytes; ++ attempts = 3; /* reset counter after successful attempt */ ++ } else if (bytes < 0) { ++ break; ++ } ++ } ++ entropy_available = ossl_rand_pool_entropy_available(pool); ++ return entropy_available; ++ } ++ + # if defined(OPENSSL_RAND_SEED_GETRANDOM) + { + size_t bytes_needed; +Index: openssl-3.2.3/providers/implementations/include/prov/jitter_entropy.h +=================================================================== +--- /dev/null ++++ openssl-3.2.3/providers/implementations/include/prov/jitter_entropy.h +@@ -0,0 +1,17 @@ ++#ifndef OSSL_PROVIDERS_JITTER_ENTROPY_H ++# define OSSL_PROVIDERS_JITTER_ENTROPY_H ++ ++# include ++# include ++# include ++# include ++ ++extern struct rand_data* ec; ++extern CRYPTO_RWLOCK *jent_lock; ++extern int stop; ++ ++struct rand_data* FIPS_entropy_init(void); ++ssize_t FIPS_jitter_entropy(unsigned char *buf, size_t buflen); ++void FIPS_entropy_cleanup(void); ++ ++#endif +Index: openssl-3.2.3/providers/fips/self_test.c +=================================================================== +--- openssl-3.2.3.orig/providers/fips/self_test.c ++++ openssl-3.2.3/providers/fips/self_test.c +@@ -20,6 +20,7 @@ + #include "internal/tsan_assist.h" + #include "prov/providercommon.h" + #include "crypto/rand.h" ++#include "prov/jitter_entropy.h" + + /* + * We're cheating here. Normally we don't allow RUN_ONCE usage inside the FIPS +@@ -498,6 +499,11 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + return 0; + } + ++ if (!FIPS_entropy_init()) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_FIPS_ENTROPY_INIT_FAILED); ++ goto end; ++ } ++ + if (st == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); + goto end; +Index: openssl-3.2.3/include/openssl/proverr.h +=================================================================== +--- openssl-3.2.3.orig/include/openssl/proverr.h ++++ openssl-3.2.3/include/openssl/proverr.h +@@ -44,6 +44,7 @@ + # define PROV_R_FAILED_TO_GET_PARAMETER 103 + # define PROV_R_FAILED_TO_SET_PARAMETER 104 + # define PROV_R_FAILED_TO_SIGN 175 ++# define PROV_R_FIPS_ENTROPY_INIT_FAILED 234 + # define PROV_R_FIPS_MODULE_CONDITIONAL_ERROR 227 + # define PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE 224 + # define PROV_R_FIPS_MODULE_IN_ERROR_STATE 225 +Index: openssl-3.2.3/providers/common/provider_err.c +=================================================================== +--- openssl-3.2.3.orig/providers/common/provider_err.c ++++ openssl-3.2.3/providers/common/provider_err.c +@@ -54,6 +54,8 @@ static const ERR_STRING_DATA PROV_str_re + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SET_PARAMETER), + "failed to set parameter"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FAILED_TO_SIGN), "failed to sign"}, ++ {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_ENTROPY_INIT_FAILED), ++ "fips module jitter entropy init failed"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_CONDITIONAL_ERROR), + "fips module conditional error"}, + {ERR_PACK(ERR_LIB_PROV, 0, PROV_R_FIPS_MODULE_ENTERING_ERROR_STATE), +Index: openssl-3.2.3/crypto/rand/build.info +=================================================================== +--- openssl-3.2.3.orig/crypto/rand/build.info ++++ openssl-3.2.3/crypto/rand/build.info +@@ -1,6 +1,6 @@ + LIBS=../../libcrypto + +-$COMMON=rand_lib.c ++$COMMON=rand_lib.c rand_jitter_entropy.c + $CRYPTO=randfile.c rand_err.c rand_deprecated.c prov_seed.c rand_pool.c \ + rand_uniform.c + +Index: openssl-3.2.3/providers/fips/fipsprov.c +=================================================================== +--- openssl-3.2.3.orig/providers/fips/fipsprov.c ++++ openssl-3.2.3/providers/fips/fipsprov.c +@@ -27,6 +27,7 @@ + #include "crypto/context.h" + #include "internal/core.h" + #include "indicator.h" ++#include "prov/jitter_entropy.h" + + static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes"; + static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no"; +@@ -609,6 +610,7 @@ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM + + static void fips_teardown(void *provctx) + { ++ FIPS_entropy_cleanup(); + OSSL_LIB_CTX_free(PROV_LIBCTX_OF(provctx)); + ossl_prov_ctx_free(provctx); + } +Index: openssl-3.2.3/util/libcrypto.num +=================================================================== +--- openssl-3.2.3.orig/util/libcrypto.num ++++ openssl-3.2.3/util/libcrypto.num +@@ -5539,3 +5539,5 @@ BIO_ADDR_copy + ossl_safe_getenv ? 3_2_0 EXIST::FUNCTION: + ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: + ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: ++FIPS_entropy_init ? 3_1_4 EXIST::FUNCTION: ++FIPS_entropy_cleanup ? 3_1_4 EXIST::FUNCTION: +Index: openssl-3.2.3/Configure +=================================================================== +--- openssl-3.2.3.orig/Configure ++++ openssl-3.2.3/Configure +@@ -469,6 +469,7 @@ my @disablables = ( + "gost", + "http", + "idea", ++ "jitterentropy", + "ktls", + "legacy", + "loadereng", +@@ -573,6 +574,7 @@ our %disabled = ( # "what" => "c + "external-tests" => "default", + "fuzz-afl" => "default", + "fuzz-libfuzzer" => "default", ++ "jitterentropy" => "default", + "ktls" => "default", + "md2" => "default", + "msan" => "default", +@@ -801,7 +803,7 @@ my %cmdvars = (); # Stores + my %unsupported_options = (); + my %deprecated_options = (); + # If you change this, update apps/version.c +-my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom); ++my @known_seed_sources = qw(getrandom devrandom os egd none rdcpu librandom jitterentropy); + my @seed_sources = (); + while (@argvcopy) + { +@@ -1291,6 +1293,9 @@ if (scalar(@seed_sources) == 0) { + if (scalar(grep { $_ eq 'egd' } @seed_sources) > 0) { + delete $disabled{'egd'}; + } ++if (scalar(grep { $_ eq 'jitterentropy' } @seed_sources) > 0) { ++ delete $disabled{'jitterentropy'}; ++} + if (scalar(grep { $_ eq 'none' } @seed_sources) > 0) { + die "Cannot seed with none and anything else" if scalar(@seed_sources) > 1; + warn <<_____ if scalar(@seed_sources) == 1; +Index: openssl-3.2.3/crypto/info.c +=================================================================== +--- openssl-3.2.3.orig/crypto/info.c ++++ openssl-3.2.3/crypto/info.c +@@ -15,6 +15,9 @@ + #include "internal/e_os.h" + #include "buildinf.h" + ++# include ++# include ++ + #if defined(__arm__) || defined(__arm) || defined(__aarch64__) + # include "arm_arch.h" + # define CPU_INFO_STR_LEN 128 +@@ -128,6 +131,14 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings + OPENSSL_strlcat(seeds, ")", sizeof(seeds)); \ + } while (0) + ++ /* In FIPS mode, only jitterentropy is used for seeding and ++ * reseeding the primary DRBG. ++ */ ++ if (EVP_default_properties_is_fips_enabled(NULL)) { ++ char jent_version_string[32]; ++ sprintf(jent_version_string, "jitterentropy (%d)", jent_version()); ++ add_seeds_string(jent_version_string); ++ } else { + #ifdef OPENSSL_RAND_SEED_NONE + add_seeds_string("none"); + #endif +@@ -156,6 +167,7 @@ DEFINE_RUN_ONCE_STATIC(init_info_strings + #ifdef OPENSSL_RAND_SEED_OS + add_seeds_string("os-specific"); + #endif ++ } + seed_sources = seeds; + } + return 1; +Index: openssl-3.2.3/INSTALL.md +=================================================================== +--- openssl-3.2.3.orig/INSTALL.md ++++ openssl-3.2.3/INSTALL.md +@@ -511,6 +511,12 @@ if provided by the CPU. + Use librandom (not implemented yet). + This source is ignored by the FIPS provider. + ++### jitterentropy ++ ++Use [jitterentropy-library](https://github.com/smuellerDD/jitterentropy-library) ++dynamically linked. In FIPS mode, only the jitter RNG is used to seed and reseed ++the primary DRBG. ++ + ### none + + Disable automatic seeding. This is the default on some operating systems where diff --git a/openssl-3-support-CPACF-sha3-shake-perf-improvement.patch b/openssl-3-support-CPACF-sha3-shake-perf-improvement.patch new file mode 100644 index 0000000..e0d7132 --- /dev/null +++ b/openssl-3-support-CPACF-sha3-shake-perf-improvement.patch @@ -0,0 +1,196 @@ +From 25f5d7b85f6657cd2f9f1ab7ae87f319d9bafe54 Mon Sep 17 00:00:00 2001 +From: Joerg Schmidbauer +Date: Thu, 29 Feb 2024 12:50:05 +0100 +Subject: [PATCH] s390x: support CPACF sha3/shake performance improvements + +On newer machines the SHA3/SHAKE performance of CPACF instructions KIMD and KLMD +can be enhanced by using additional modifier bits. This allows the application +to omit initializing the ICV, but also affects the internal processing of the +instructions. Performance is mostly gained when processing short messages. + +The new CPACF feature is backwards compatible with older machines, i.e. the new +modifier bits are ignored on older machines. However, to save the ICV +initialization, the application must detect the MSA level and omit the ICV +initialization only if this feature is supported. + +Signed-off-by: Joerg Schmidbauer + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/25235) +--- + crypto/s390x_arch.h | 3 ++ + crypto/s390xcpuid.pl | 4 +-- + crypto/sha/sha3.c | 8 +++++- + providers/implementations/digests/sha3_prov.c | 28 +++++++++++++++---- + 4 files changed, 34 insertions(+), 9 deletions(-) + +Index: openssl-3.2.3/crypto/s390x_arch.h +=================================================================== +--- openssl-3.2.3.orig/crypto/s390x_arch.h ++++ openssl-3.2.3/crypto/s390x_arch.h +@@ -191,6 +191,9 @@ extern int OPENSSL_s390xcex; + # define S390X_KMA_LAAD 0x200 + # define S390X_KMA_HS 0x400 + # define S390X_KDSA_D 0x80 ++# define S390X_KIMD_NIP 0x8000 ++# define S390X_KLMD_DUFOP 0x4000 ++# define S390X_KLMD_NIP 0x8000 + # define S390X_KLMD_PS 0x100 + # define S390X_KMAC_IKP 0x8000 + # define S390X_KMAC_IIMP 0x4000 +Index: openssl-3.2.3/crypto/s390xcpuid.pl +=================================================================== +--- openssl-3.2.3.orig/crypto/s390xcpuid.pl ++++ openssl-3.2.3/crypto/s390xcpuid.pl +@@ -308,7 +308,7 @@ s390x_kimd: + llgfr %r0,$fc + lgr %r1,$param + +- .long 0xb93e0002 # kimd %r0,%r2 ++ .long 0xb93e8002 # kimd %r0,%r2[,M3] + brc 1,.-4 # pay attention to "partial completion" + + br $ra +@@ -329,7 +329,7 @@ s390x_klmd: + llgfr %r0,$fc + l${g} %r1,$stdframe($sp) + +- .long 0xb93f0042 # klmd %r4,%r2 ++ .long 0xb93f8042 # klmd %r4,%r2[,M3] + brc 1,.-4 # pay attention to "partial completion" + + br $ra +Index: openssl-3.2.3/crypto/sha/sha3.c +=================================================================== +--- openssl-3.2.3.orig/crypto/sha/sha3.c ++++ openssl-3.2.3/crypto/sha/sha3.c +@@ -8,13 +8,19 @@ + */ + + #include ++#if defined(__s390x__) && defined(OPENSSL_CPUID_OBJ) ++# include "crypto/s390x_arch.h" ++#endif + #include "internal/sha3.h" + + void SHA3_squeeze(uint64_t A[5][5], unsigned char *out, size_t len, size_t r, int next); + + void ossl_sha3_reset(KECCAK1600_CTX *ctx) + { +- memset(ctx->A, 0, sizeof(ctx->A)); ++#if defined(__s390x__) && defined(OPENSSL_CPUID_OBJ) ++ if (!(OPENSSL_s390xcap_P.stfle[1] & S390X_CAPBIT(S390X_MSA12))) ++#endif ++ memset(ctx->A, 0, sizeof(ctx->A)); + ctx->bufsz = 0; + ctx->xof_state = XOF_STATE_INIT; + } +Index: openssl-3.2.3/providers/implementations/digests/sha3_prov.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/digests/sha3_prov.c ++++ openssl-3.2.3/providers/implementations/digests/sha3_prov.c +@@ -187,26 +187,32 @@ static size_t s390x_sha3_absorb(void *vc + { + KECCAK1600_CTX *ctx = vctx; + size_t rem = len % ctx->block_size; ++ unsigned int fc; + + if (!(ctx->xof_state == XOF_STATE_INIT || + ctx->xof_state == XOF_STATE_ABSORB)) + return 0; ++ fc = ctx->pad; ++ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0; + ctx->xof_state = XOF_STATE_ABSORB; +- s390x_kimd(inp, len - rem, ctx->pad, ctx->A); ++ s390x_kimd(inp, len - rem, fc, ctx->A); + return rem; + } + + static int s390x_sha3_final(void *vctx, unsigned char *out, size_t outlen) + { + KECCAK1600_CTX *ctx = vctx; ++ unsigned int fc; + + if (!ossl_prov_is_running()) + return 0; + if (!(ctx->xof_state == XOF_STATE_INIT || + ctx->xof_state == XOF_STATE_ABSORB)) + return 0; ++ fc = ctx->pad | S390X_KLMD_DUFOP; ++ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0; + ctx->xof_state = XOF_STATE_FINAL; +- s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, ctx->pad, ctx->A); ++ s390x_klmd(ctx->buf, ctx->bufsz, NULL, 0, fc, ctx->A); + memcpy(out, ctx->A, outlen); + return 1; + } +@@ -214,14 +220,17 @@ static int s390x_sha3_final(void *vctx, + static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen) + { + KECCAK1600_CTX *ctx = vctx; ++ unsigned int fc; + + if (!ossl_prov_is_running()) + return 0; + if (!(ctx->xof_state == XOF_STATE_INIT || + ctx->xof_state == XOF_STATE_ABSORB)) + return 0; ++ fc = ctx->pad | S390X_KLMD_DUFOP; ++ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KLMD_NIP : 0; + ctx->xof_state = XOF_STATE_FINAL; +- s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A); ++ s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, fc, ctx->A); + return 1; + } + +@@ -271,24 +280,28 @@ static int s390x_keccakc_final(void *vct + size_t bsz = ctx->block_size; + size_t num = ctx->bufsz; + size_t needed = outlen; ++ unsigned int fc; + + if (!ossl_prov_is_running()) + return 0; + if (!(ctx->xof_state == XOF_STATE_INIT || + ctx->xof_state == XOF_STATE_ABSORB)) + return 0; ++ fc = ctx->pad; ++ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0; + ctx->xof_state = XOF_STATE_FINAL; + if (outlen == 0) + return 1; + memset(ctx->buf + num, 0, bsz - num); + ctx->buf[num] = padding; + ctx->buf[bsz - 1] |= 0x80; +- s390x_kimd(ctx->buf, bsz, ctx->pad, ctx->A); ++ s390x_kimd(ctx->buf, bsz, fc, ctx->A); + num = needed > bsz ? bsz : needed; + memcpy(out, ctx->A, num); + needed -= num; + if (needed > 0) +- s390x_klmd(NULL, 0, out + bsz, needed, ctx->pad | S390X_KLMD_PS, ctx->A); ++ s390x_klmd(NULL, 0, out + bsz, needed, ++ ctx->pad | S390X_KLMD_PS | S390X_KLMD_DUFOP, ctx->A); + + return 1; + } +@@ -308,6 +321,7 @@ static int s390x_keccakc_squeeze(void *v + { + KECCAK1600_CTX *ctx = vctx; + size_t len; ++ unsigned int fc; + + if (!ossl_prov_is_running()) + return 0; +@@ -323,7 +337,9 @@ static int s390x_keccakc_squeeze(void *v + memset(ctx->buf + ctx->bufsz, 0, len); + ctx->buf[ctx->bufsz] = padding; + ctx->buf[ctx->block_size - 1] |= 0x80; +- s390x_kimd(ctx->buf, ctx->block_size, ctx->pad, ctx->A); ++ fc = ctx->pad; ++ fc |= ctx->xof_state == XOF_STATE_INIT ? S390X_KIMD_NIP : 0; ++ s390x_kimd(ctx->buf, ctx->block_size, fc, ctx->A); + ctx->bufsz = 0; + /* reuse ctx->bufsz to count bytes squeezed from current sponge */ + } diff --git a/openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch b/openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch new file mode 100644 index 0000000..2d8f8dd --- /dev/null +++ b/openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch @@ -0,0 +1,160 @@ +commit 94898923538f686b74b6ddef34571f804d9b3811 +Author: Holger Dengler +Date: Wed Sep 27 15:40:47 2023 +0200 + + Support EVP_DigestSqueeze() for in the digest provider for s390x. + + The new EVP_DigestSqueeze() API requires changes to all keccak-based + digest provider implementations. Update the s390x-part of the SHA3 + digest provider. + + Squeeze for SHA3 is not supported, so add an empty function pointer + (NULL). + + Signed-off-by: Holger Dengler + + Reviewed-by: Shane Lontis + Reviewed-by: Todd Short + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/22221) + +diff --git a/providers/implementations/digests/sha3_prov.c b/providers/implementations/digests/sha3_prov.c +index f691273baf..2fd0f928e7 100644 +--- a/providers/implementations/digests/sha3_prov.c ++++ b/providers/implementations/digests/sha3_prov.c +@@ -225,6 +225,45 @@ static int s390x_shake_final(void *vctx, unsigned char *out, size_t outlen) + return 1; + } + ++static int s390x_shake_squeeze(void *vctx, unsigned char *out, size_t outlen) ++{ ++ KECCAK1600_CTX *ctx = vctx; ++ size_t len; ++ ++ if (!ossl_prov_is_running()) ++ return 0; ++ if (ctx->xof_state == XOF_STATE_FINAL) ++ return 0; ++ /* ++ * On the first squeeze call, finish the absorb process (incl. padding). ++ */ ++ if (ctx->xof_state != XOF_STATE_SQUEEZE) { ++ ctx->xof_state = XOF_STATE_SQUEEZE; ++ s390x_klmd(ctx->buf, ctx->bufsz, out, outlen, ctx->pad, ctx->A); ++ ctx->bufsz = outlen % ctx->block_size; ++ /* reuse ctx->bufsz to count bytes squeezed from current sponge */ ++ return 1; ++ } ++ ctx->xof_state = XOF_STATE_SQUEEZE; ++ if (ctx->bufsz != 0) { ++ len = ctx->block_size - ctx->bufsz; ++ if (outlen < len) ++ len = outlen; ++ memcpy(out, (char *)ctx->A + ctx->bufsz, len); ++ out += len; ++ outlen -= len; ++ ctx->bufsz += len; ++ if (ctx->bufsz == ctx->block_size) ++ ctx->bufsz = 0; ++ } ++ if (outlen == 0) ++ return 1; ++ s390x_klmd(NULL, 0, out, outlen, ctx->pad | S390X_KLMD_PS, ctx->A); ++ ctx->bufsz = outlen % ctx->block_size; ++ ++ return 1; ++} ++ + static int s390x_keccakc_final(void *vctx, unsigned char *out, size_t outlen, + int padding) + { +@@ -264,28 +303,86 @@ static int s390x_kmac_final(void *vctx, unsigned char *out, size_t outlen) + return s390x_keccakc_final(vctx, out, outlen, 0x04); + } + ++static int s390x_keccakc_squeeze(void *vctx, unsigned char *out, size_t outlen, ++ int padding) ++{ ++ KECCAK1600_CTX *ctx = vctx; ++ size_t len; ++ ++ if (!ossl_prov_is_running()) ++ return 0; ++ if (ctx->xof_state == XOF_STATE_FINAL) ++ return 0; ++ /* ++ * On the first squeeze call, finish the absorb process ++ * by adding the trailing padding and then doing ++ * a final absorb. ++ */ ++ if (ctx->xof_state != XOF_STATE_SQUEEZE) { ++ len = ctx->block_size - ctx->bufsz; ++ memset(ctx->buf + ctx->bufsz, 0, len); ++ ctx->buf[ctx->bufsz] = padding; ++ ctx->buf[ctx->block_size - 1] |= 0x80; ++ s390x_kimd(ctx->buf, ctx->block_size, ctx->pad, ctx->A); ++ ctx->bufsz = 0; ++ /* reuse ctx->bufsz to count bytes squeezed from current sponge */ ++ } ++ if (ctx->bufsz != 0 || ctx->xof_state != XOF_STATE_SQUEEZE) { ++ len = ctx->block_size - ctx->bufsz; ++ if (outlen < len) ++ len = outlen; ++ memcpy(out, (char *)ctx->A + ctx->bufsz, len); ++ out += len; ++ outlen -= len; ++ ctx->bufsz += len; ++ if (ctx->bufsz == ctx->block_size) ++ ctx->bufsz = 0; ++ } ++ ctx->xof_state = XOF_STATE_SQUEEZE; ++ if (outlen == 0) ++ return 1; ++ s390x_klmd(NULL, 0, out, outlen, ctx->pad | S390X_KLMD_PS, ctx->A); ++ ctx->bufsz = outlen % ctx->block_size; ++ ++ return 1; ++} ++ ++static int s390x_keccak_squeeze(void *vctx, unsigned char *out, size_t outlen) ++{ ++ return s390x_keccakc_squeeze(vctx, out, outlen, 0x01); ++} ++ ++static int s390x_kmac_squeeze(void *vctx, unsigned char *out, size_t outlen) ++{ ++ return s390x_keccakc_squeeze(vctx, out, outlen, 0x04); ++} ++ + static PROV_SHA3_METHOD sha3_s390x_md = + { + s390x_sha3_absorb, +- s390x_sha3_final ++ s390x_sha3_final, ++ NULL, + }; + + static PROV_SHA3_METHOD keccak_s390x_md = + { + s390x_sha3_absorb, + s390x_keccak_final, ++ s390x_keccak_squeeze, + }; + + static PROV_SHA3_METHOD shake_s390x_md = + { + s390x_sha3_absorb, +- s390x_shake_final ++ s390x_shake_final, ++ s390x_shake_squeeze, + }; + + static PROV_SHA3_METHOD kmac_s390x_md = + { + s390x_sha3_absorb, +- s390x_kmac_final ++ s390x_kmac_final, ++ s390x_kmac_squeeze, + }; + + # define SHAKE_SET_MD(uname, typ) \ diff --git a/openssl-3-support-multiple-sha3_squeeze_s390x.patch b/openssl-3-support-multiple-sha3_squeeze_s390x.patch new file mode 100644 index 0000000..2f037a9 --- /dev/null +++ b/openssl-3-support-multiple-sha3_squeeze_s390x.patch @@ -0,0 +1,46 @@ +commit bff62480333680463c82e88fdc67ed5ec14a0017 +Author: Holger Dengler +Date: Wed Sep 27 11:18:18 2023 +0200 + + Support multiple calls of low level SHA3_squeeze() for s390x. + + The low level SHA3_Squeeze() function needed to change slightly so + that it can handle multiple squeezes. Support this on s390x + architecture as well. + + Signed-off-by: Holger Dengler + + Reviewed-by: Shane Lontis + Reviewed-by: Todd Short + Reviewed-by: Tomas Mraz + (Merged from https://github.com/openssl/openssl/pull/22221) + +diff --git a/crypto/sha/asm/keccak1600-s390x.pl b/crypto/sha/asm/keccak1600-s390x.pl +index 86233c7e38..7d5ebde117 100755 +--- a/crypto/sha/asm/keccak1600-s390x.pl ++++ b/crypto/sha/asm/keccak1600-s390x.pl +@@ -472,7 +472,7 @@ SHA3_absorb: + .size SHA3_absorb,.-SHA3_absorb + ___ + } +-{ my ($A_flat,$out,$len,$bsz) = map("%r$_",(2..5)); ++{ my ($A_flat,$out,$len,$bsz,$next) = map("%r$_",(2..6)); + + $code.=<<___; + .globl SHA3_squeeze +@@ -484,6 +484,7 @@ SHA3_squeeze: + lghi %r14,8 + st${g} $bsz,5*$SIZE_T($sp) + la %r1,0($A_flat) ++ cijne $next,0,.Lnext_block + + j .Loop_squeeze + +@@ -501,6 +502,7 @@ SHA3_squeeze: + + brct $bsz,.Loop_squeeze # bsz-- + ++.Lnext_block: + stm${g} $out,$len,3*$SIZE_T($sp) + bras %r14,.LKeccakF1600 + lm${g} $out,$bsz,3*$SIZE_T($sp) diff --git a/openssl-3-use-include-directive.patch b/openssl-3-use-include-directive.patch new file mode 100644 index 0000000..d3ed451 --- /dev/null +++ b/openssl-3-use-include-directive.patch @@ -0,0 +1,35 @@ +--- + apps/openssl.cnf | 13 +++++++++++++ + 1 file changed, 13 insertions(+) + +Index: openssl-3.1.4/apps/openssl.cnf +=================================================================== +--- openssl-3.1.4.orig/apps/openssl.cnf ++++ openssl-3.1.4/apps/openssl.cnf +@@ -19,6 +19,7 @@ openssl_conf = openssl_init + # Comment out the next line to ignore configuration errors + config_diagnostics = 1 + ++[ oid_section ] + # Extra OBJECT IDENTIFIER info: + # oid_file = $ENV::HOME/.oid + oid_section = new_oids +@@ -47,6 +48,18 @@ providers = provider_sect + # Load default TLS policy configuration + ssl_conf = ssl_module + ++engines = engine_section ++ ++[ engine_section ] ++ ++# This include will look through the directory that will contain the ++# engine declarations for any engines provided by other packages. ++.include /etc/ssl/engines3.d ++ ++# This include will look through the directory that will contain the ++# definitions of the engines declared in the engine section. ++.include /etc/ssl/engdef3.d ++ + # Uncomment the sections that start with ## below to enable the legacy provider. + # Loading the legacy provider enables support for the following algorithms: + # Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160 diff --git a/openssl-3.1.4.tar.gz b/openssl-3.1.4.tar.gz new file mode 100644 index 0000000..dde84fd --- /dev/null +++ b/openssl-3.1.4.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:840af5366ab9b522bde525826be3ef0fb0af81c6a9ebd84caa600fea1731eee3 +size 15569450 diff --git a/openssl-3.1.4.tar.gz.asc b/openssl-3.1.4.tar.gz.asc new file mode 100644 index 0000000..d7c5025 --- /dev/null +++ b/openssl-3.1.4.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEE78CkZ9YTy4PH7W0w2JTizos9efUFAmU3yaoACgkQ2JTizos9 +efXt8BAAqcF9RBzduklMCXSfG4Rzs2KcWmR1+BB0izxG3KwPr+r54qBbSRCCImHA +U22An//xsDsQZ0K4rrkkkumpJCxLV/4F3TlEBdoCS4wzDXz/LfONzTuZ8Z3QP/Si +ElHTKdqPo2tp6LrDIUSGa9BmK1AsxkhOoC/uJlGpLP0mLJGI3PGo5ordyERAjL/C +hTumE16ErrXY3kHVPAeD6tJlxtV3M9UxsZAOK6LVfnhXLzz8hWMu2H5ZigXZWCDx +NG6ylV4xxfqO9eLxT2wUrJzg24w0VZzmbD+ZeZ24v9aAxGsbl3ZHLgMKkDehNNuP +0ADh3aGq9FkIg5n53UQu0pbOc6aBPgWwVuaNfxOheG2GqBCoca42ikW20QZyJAec +h3uLQ76vnWOjUIjeRCjpw0+OCUaWr0wx5WzzfdgYc813VwN6FaC9ZmB46oaLfIeD +MBAyuUxdTif/7SXmGgUIQDIf4Vxr2H7I0NyyDxD+y+C2gwn+zVvuVcBBc2cNq4QN +UINxZvm75CwaCsys+MDjSneDhpcSlAPqTJqM3DvKf/r3+27buz+sFw463fTHnv0F +FpyBPgvvusY4Z4h/jqLcfkl2MBOxlo+lpZJdPpQoEvGz751GsKmmtb0YgZ7BjrYs +5vFvo0EJ066J9bWLbp6VZd825B9P2Uy7u3sUz+E5nuavT4eHv7o= +=EH33 +-----END PGP SIGNATURE----- diff --git a/openssl-3.1.7.tar.gz b/openssl-3.1.7.tar.gz new file mode 100644 index 0000000..40b50ce --- /dev/null +++ b/openssl-3.1.7.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:053a31fa80cf4aebe1068c987d2ef1e44ce418881427c4464751ae800c31d06c +size 15684836 diff --git a/openssl-3.1.7.tar.gz.asc b/openssl-3.1.7.tar.gz.asc new file mode 100644 index 0000000..f9e9b5d --- /dev/null +++ b/openssl-3.1.7.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmbXB9UACgkQIWCU39DL +ge/wjg/+MwugS9yaSCXXeqfRDYphyyblQ915j30Zo4kOdxr/ZBkrrzExxQaAN9tC +NR+w33NPmiQQk8MPKKx3dcOZ3giHv7uGlBbo8fHihoUJ5cM9jDLd0UnqSUKU6C7h +mK0BcGBj+Y5Sj2wH0NLPbFgfqbk2rbFRyDDoszj/ZahdE/dr1m1W8vI+FFqqqLjO +hc4J26Dn/oTA1FWgXhIAPQDjG/sUy2waF1Q/nelVkeCwrL5modcW8CXGiwZa5Wan +93cAgk0VUVq20FGQLVVxhGJ9wMGv48nS/hJKugJci1CFqX1eLc5NrbDah3sejGpA +9ZgNoguolbxVe+pFDF+Qj5tLM34+ONI4m2wqtKNAA9UN/W2NuQxatDlHYU2u718C +YpiEodIuNz5ktGAtHAe0fI36rvMJGy/6nKuzMXNF+QmbFzWhtnQRXJuC6uY7dIOa +QHHYmKboVJCb9Ak2gSuTEJvov8HFnlCRzzXBEN2sP6Xd86flERRcMH41VtEu0u2c +wB54o5+9l/7PQ3TOSdNUD6JakjraE05KMHB0KwEUIvAEMceaIrp1q6BnVrEzRjdV +WMsagkvHiv4dUP8lT1DpCEhq7jHyzvHtFrrQq+SAHITgnYiENF6K89w2QLkqoK33 +Co/eerwMazO3+qxASYz7pFODPyVAsTIWvuWAJ6CmtubJBinjVnM= +=Z8CX +-----END PGP SIGNATURE----- diff --git a/openssl-3.2.3.tar.gz b/openssl-3.2.3.tar.gz new file mode 100644 index 0000000..961fe1a --- /dev/null +++ b/openssl-3.2.3.tar.gz @@ -0,0 +1,3 @@ +version https://git-lfs.github.com/spec/v1 +oid sha256:52b5f1c6b8022bc5868c308c54fb77705e702d6c6f4594f99a0df216acf46239 +size 17762604 diff --git a/openssl-3.2.3.tar.gz.asc b/openssl-3.2.3.tar.gz.asc new file mode 100644 index 0000000..4061984 --- /dev/null +++ b/openssl-3.2.3.tar.gz.asc @@ -0,0 +1,16 @@ +-----BEGIN PGP SIGNATURE----- + +iQIzBAABCAAdFiEEulRzorBYewf7J88tIWCU39DLge8FAmbXBpkACgkQIWCU39DL +ge81Ww//d6tE9XznGxx/+xfBFADDTALPDaO8yogJtECMMxixXn1zuWYheH40z5zO +MTmIeHVLowXlfBl4YO8I+SDGbZy4CKFix3j+r/dojvteiPXrBKd83e67e0mDotAD +w3NYar1Gh8kXnq63zEV8JRBjRhLb2b7uJhi1UUtaCgOfK/wvRVWiBDWyVAkVjR0V +NGCQg6FXCjxXY9G01wyqBlZt4T/h/SxN+iZUWRRPrekTxVNAQxFsMLYupuULpeaz +uHvXXJ1Os/Mh4zD8a/SHrbdw3ncHb7JmCNZu4cPUkNVw0Dc0y64SP+Wviet1oOio +/pTnfq6ptUTpzkSFiI9ZmTS1eiqQ24BLdwu3J/6ss9hZUlFZPUozsH6HTVpRxWhI +edp5fa8rpQ5wX+ftGNxA1tRhWjCrR1VgFhdZX5T4rS5fU3OX5TXPwHKqaFyGlxQd +GV467+BgxixgEU5xMirkJ/WbYrcSEFS1i9EbL6HwJ2vO02jHNfK7Biy+krOZKnx1 +Oniv4DoPR1s2De+OinDI30Zo9STizpiFiv27vw+l8Wj6+SnCFoyAZMVYcdYXSAws +Im054SFCpw1cqhhHMBMOodqUv2CEMyBLuUyjjOF6oFteUp/VEe8JUrkQBA+LhDgX +kPNzpSTnX9lB/ALvaedOUyIQf8sV3IEGn7zWGOTBp1QLu6hiId8= +=1Xgs +-----END PGP SIGNATURE----- diff --git a/openssl-3.changes b/openssl-3.changes new file mode 100644 index 0000000..b64dd85 --- /dev/null +++ b/openssl-3.changes @@ -0,0 +1,2010 @@ +------------------------------------------------------------------- +Mon Dec 23 20:14:08 UTC 2024 - Giuliano Belinassi + +- Add support for userspace livepatching on ppc64le (jsc#PED-10952). +- Use gcc-13 for ppc64le. + +------------------------------------------------------------------- +Tue Nov 12 15:46:20 UTC 2024 - Pedro Monreal + +- Do not use HASHBANGPERL to avoid introducing a dependency on the + perl-base package. [bsc#1233235] + +------------------------------------------------------------------- +Thu Nov 7 16:43:15 UTC 2024 - Angel Yankov + +- Add missing fixes for SHA3_squeeze and quic_multistream_test on + pcc64 arch. [jsc#PED-10280] + * Added openssl-3-fix-sha3-squeeze-ppc64.patch + * Added openssl-3-fix-quic_multistream_test.patch + +------------------------------------------------------------------- +Tue Nov 5 15:11:46 UTC 2024 - Angel Yankov + +- Support MSA 11 HMAC on s390x [jsc#PED-10274] + * Add openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch + * Add openssl-3-fix-hmac-digest-detection-s390x.patch + * Add openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch + +------------------------------------------------------------------- +Tue Nov 5 10:39:14 UTC 2024 - Angel Yankov + +- Add hardware acceleration for full AES-XTS [jsc#PED-10273] + * Add openssl-3-hw-acceleration-aes-xts-s390x.patch + +------------------------------------------------------------------- +Fri Nov 1 14:32:50 UTC 2024 - Angel Yankov + +- Support MSA 12 SHA3 on s390x [jsc#PED-10280] + * Add openssl-3-add_EVP_DigestSqueeze_api.patch + * Add openssl-3-support-multiple-sha3_squeeze_s390x.patch + * Add openssl-3-add-xof-state-handling-s3_absorb.patch + * Add openssl-3-fix-state-handling-sha3_absorb_s390x.patch + * Add openssl-3-fix-state-handling-sha3_final_s390x.patch + * Add openssl-3-fix-state-handling-shake_final_s390x.patch + * Add openssl-3-fix-state-handling-keccak_final_s390x.patch + * Add openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch + * Add openssl-3-add-defines-CPACF-funcs.patch + * Add openssl-3-add-hw-acceleration-hmac.patch + * Add openssl-3-support-CPACF-sha3-shake-perf-improvement.patch + * Add openssl-3-fix-s390x_sha3_absorb.patch + * Add openssl-3-fix-s390x_shake_squeeze.patch + +------------------------------------------------------------------- +Mon Oct 28 09:38:20 UTC 2024 - Pedro Monreal + +- Update to 3.2.3: + * Changes between 3.2.2 and 3.2.3: + - Fixed possible denial of service in X.509 name checks. [CVE-2024-6119] + - Fixed possible buffer overread in SSL_select_next_proto(). [CVE-2024-5535] + * Changes between 3.2.1 and 3.2.2: + - Fixed potential use after free after SSL_free_buffers() is called. [CVE-2024-4741] + - Fixed an issue where checking excessively long DSA keys or parameters may + be very slow. [CVE-2024-4603] + - Improved EC/DSA nonce generation routines to avoid bias and timing + side channel leaks. + - Fixed an issue where some non-default TLS server configurations can cause + unbounded memory growth when processing TLSv1.3 sessions. [CVE-2024-2511] + - New atexit configuration switch, which controls whether the OPENSSL_cleanup + is registered when libcrypto is unloaded. This can be used on platforms + where using atexit() from shared libraries causes crashes on exit. + - Fixed bug where SSL_export_keying_material() could not be used with QUIC + connections. + * Add openssl-skip-quic-pairwise.patch to adapt the pairwise tests. + * Merge openssl-FIPS-release_num_in_version_string.patch into + openssl-FIPS-services-minimize.patch + * Rebase patches: + - openssl-Add-changes-to-ectest-and-eccurve.patch + - openssl-FIPS-140-3-keychecks.patch + - openssl-FIPS-embed-hmac.patch + - openssl-Remove-EC-curves.patch + - openssl-skipped-tests-EC-curves.patch + - openssl-FIPS-early-KATS.patch + - openssl-Allow-disabling-of-SHA1-signatures.patch + - openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch + - openssl-FIPS-limit-rsa-encrypt.patch + - openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch + - openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch + - openssl-FIPS-140-3-DRBG.patch + - openssl-FIPS-140-3-zeroization.patch + - openssl-Add-FIPS-indicator-parameter-to-HKDF.patch + - openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch + - openssl-FIPS-Add-explicit-indicator-for-key-length.patch + - openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch + - openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch + - openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch + - openssl-FIPS-enforce-EMS-support.patch + - openssl-3-jitterentropy-3.4.0.patch + * Remove not needed patches: + - openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch + - openssl-3-FIPS-PCT_rsa_keygen.patch + +------------------------------------------------------------------- +Mon Oct 28 09:22:33 UTC 2024 - Pedro Monreal + +- Remove the engines' directories and symlinks that were added to + allow parallel installations with openssl-1_1. + * Remove openssl-3-use-include-directive.patch + +------------------------------------------------------------------- +Mon Oct 28 08:43:34 UTC 2024 - Pedro Monreal + +- Remove the hardcoded DEFAULT_SUSE cipherlist selection. + * Remove openssl-DEFAULT_SUSE_cipher.patch + +------------------------------------------------------------------- +Fri Oct 25 09:32:01 UTC 2024 - Pedro Monreal + +- Update to 3.2.1: + * Changes between 3.2.0 and 3.2.1: + - A file in PKCS12 format can contain certificates and keys and may come from + an untrusted source. The PKCS12 specification allows certain fields to be + NULL, but OpenSSL did not correctly check for this case. [CVE-2024-0727] + - When function EVP_PKEY_public_check() is called on RSA public keys, + a computation is done to confirm that the RSA modulus, n, is composite. + For valid RSA keys, n is a product of two or more large primes and this + computation completes quickly. However, if n is an overly large prime, + then this computation would take a long time. [CVE-2023-6237] + - Restore the encoding of SM2 PrivateKeyInfo and SubjectPublicKeyInfo to + have the contained AlgorithmIdentifier.algorithm set to id-ecPublicKey + rather than SM2. + - The POLY1305 MAC (message authentication code) implementation in OpenSSL + for PowerPC CPUs saves the contents of vector registers in different + order than they are restored. [CVE-2023-6129] + - Disable building QUIC server utility when OpenSSL is configured with 'no-apps'. + * The openssl-crypto-policies-support.patch has been merged into + openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch + * Rename openssl-Disable-default-provider-for-test-suite.patch and rebase to + openssl-TESTS-Disable-default-provider-crypto-policies.patch + * Patches removed in the update: + - openssl-Add_support_for_Windows_CA_certificate_store.patch + - openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch + - openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch + - openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch + - openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch + - openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch + - openssl-CVE-2024-41996.patch + - openssl-CVE-2023-50782.patch + - openssl-CVE-2024-9143.patch + * Patches rebased: + - openssl-3-use-include-directive.patch + - openssl-Add-Kernel-FIPS-mode-flag-support.patch + - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch + - openssl-DEFAULT_SUSE_cipher.patch + - openssl-FIPS-embed-hmac.patch + - openssl-Force-FIPS.patch + - openssl-load-legacy-provider.patch + - openssl-no-html-docs.patch + - openssl-pkgconfig.patch + - openssl-ppc64-config.patch + - openssl-truststore.patch + +------------------------------------------------------------------- +Fri Oct 25 09:14:20 UTC 2024 - Pedro Monreal + +- Update to 3.2.0: + * Changes between 3.1.x and 3.2.0: + - Fix excessive time spent in DH check/ generation with large Q parameter + value. [CVE-2023-5678] + - The BLAKE2b hash algorithm supports a configurable output length + by setting the "size" parameter. + - Added a function to delete objects from store by URI - OSSL_STORE_delete() + and the corresponding provider-storemgmt API function OSSL_FUNC_store_delete(). + - Added OSSL_FUNC_store_open_ex() provider-storemgmt API function to pass + a passphrase callback when opening a store. + - Changed the default salt length used by PBES2 KDF's (PBKDF2 and scrypt) + from 8 bytes to 16 bytes. + - Changed the default value of the 'ess_cert_id_alg' configuration + option which is used to calculate the TSA's public key certificate + identifier. The default algorithm is updated to be sha256 instead of sha1. + - Added optimization for SM2 algorithm on aarch64. A new configure option + 'no-sm2-precomp' has been added to disable the precomputed table. + - Added client side support for QUIC + - Added secp384r1 implementation using Solinas' reduction to improve + speed of the NIST P-384 elliptic curve. To enable the implementation + the build option 'enable-ec_nistp_64_gcc_128' must be used. + - Improved RFC7468 compliance of the asn1parse command. + - Added SHA256/192 algorithm support. + - Added support for securely getting root CA certificate update in CMP. + - Improved contention on global write locks by using more read locks where + appropriate. + - Improved performance of OSSL_PARAM lookups in performance critical + provider functions. + - Added the SSL_get0_group_name() function to provide access to the + name of the group used for the TLS key exchange. + - Provide a new configure option 'no-http' that can be used to disable the + HTTP support. Provide new configure options 'no-apps' and 'no-docs' to + disable building the openssl command line application and the documentation. + - Provide a new configure option 'no-ecx' that can be used to disable the + X25519, X448, and EdDSA support. + - When multiple OSSL_KDF_PARAM_INFO parameters are passed to + the EVP_KDF_CTX_set_params() function they are now concatenated not just + for the HKDF algorithm but also for SSKDF and X9.63 KDF algorithms. + - Added OSSL_FUNC_keymgmt_im/export_types_ex() provider functions that get + the provider context as a parameter. + - TLS round-trip time calculation was added by a Brigham Young University + Capstone team partnering with Sandia National Laboratories. A new function + in ssl_lib titled SSL_get_handshake_rtt will calculate and retrieve this + value. + - Added the "-quic" option to s_client to enable connectivity to QUIC servers. + QUIC requires the use of ALPN, so this must be specified via the "-alpn" + option. Use of the "advanced" s_client command command via the "-adv" option + is recommended. + - Added an "advanced" command mode to s_client. Use this with the "-adv" option. + - Add Raw Public Key (RFC7250) support. + - Added support for modular exponentiation and CRT offloading for the + S390x architecture. + - Added further assembler code for the RISC-V architecture. + - Added EC_GROUP_to_params() which creates an OSSL_PARAM array + from a given EC_GROUP. + - Improved support for non-default library contexts and property queries + when parsing PKCS#12 files. + - Implemented support for all five instances of EdDSA from RFC8032: + Ed25519, Ed25519ctx, Ed25519ph, Ed448, and Ed448ph. + The streaming is not yet supported for the HashEdDSA variants + (Ed25519ph and Ed448ph). + - Added SM4 optimization for ARM processors using ASIMD and AES HW instructions. + - Implemented SM4-XTS support. + - Added platform-agnostic OSSL_sleep() function. + - Implemented deterministic ECDSA signatures (RFC6979) support. + - Implemented AES-GCM-SIV (RFC8452) support. + - Added support for pluggable (provider-based) TLS signature algorithms. + This enables TLS 1.3 authentication operations with algorithms embedded + in providers not included by default in OpenSSL. In combination with + the already available pluggable KEM and X.509 support, this enables + for example suitable providers to deliver post-quantum or quantum-safe + cryptography to OpenSSL users. + - Added support for pluggable (provider-based) CMS signature algorithms. + This enables CMS sign and verify operations with algorithms embedded + in providers not included by default in OpenSSL. + - Implemented HPKE DHKEM support in providers used by HPKE (RFC9180) API. + - Add support for certificate compression (RFC8879), including + library support for Brotli and Zstandard compression. + - Add the ability to add custom attributes to PKCS12 files. Add a new API + PKCS12_create_ex2, identical to the existing PKCS12_create_ex but allows + for a user specified callback and optional argument. + Added a new PKCS12_SAFEBAG_set0_attr, which allows for a new attr to be + added to the existing STACK_OF attrs. + - Major refactor of the libssl record layer. + - Add a mac salt length option for the pkcs12 command. + - Add more SRTP protection profiles from RFC8723 and RFC8269. + - Extended Kernel TLS (KTLS) to support TLS 1.3 receive offload. + - Add support for TCP Fast Open (RFC7413) to macOS, Linux, and FreeBSD where + supported and enabled. + - Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK (RFC 5489) + to the list of ciphersuites providing Perfect Forward Secrecy as + required by SECLEVEL >= 3. + - Add new SSL APIs to aid in efficiently implementing TLS/SSL fingerprinting. + The SSL_CTRL_GET_IANA_GROUPS control code, exposed as the + SSL_get0_iana_groups() function-like macro, retrieves the list of + supported groups sent by the peer. + - Fixed PEM_write_bio_PKCS8PrivateKey() and PEM_write_bio_PKCS8PrivateKey_nid() + to make it possible to use empty passphrase strings. + - The PKCS12_parse() function now supports MAC-less PKCS12 files. + - Added ASYNC_set_mem_functions() and ASYNC_get_mem_functions() calls to be able + to change functions used for allocating the memory of asynchronous call stack. + - Added support for signed BIGNUMs in the OSSL_PARAM APIs. + - A failure exit code is returned when using the openssl x509 command to check + certificate attributes and the checks fail. + - The default SSL/TLS security level has been changed from 1 to 2. RSA, + DSA and DH keys of 1024 bits and above and less than 2048 bits and ECC keys + of 160 bits and above and less than 224 bits were previously accepted by + default but are now no longer allowed. By default TLS compression was + already disabled in previous OpenSSL versions. At security level 2 it cannot + be enabled. + - The SSL_CTX_set_cipher_list family functions now accept ciphers using their + IANA standard names. + - The PVK key derivation function has been moved from b2i_PVK_bio_ex() into + the legacy crypto provider as an EVP_KDF. Applications requiring this KDF + will need to load the legacy crypto provider. + - CCM8 cipher suites in TLS have been downgraded to security level zero + because they use a short authentication tag which lowers their strength. + - Subject or issuer names in X.509 objects are now displayed as UTF-8 strings + by default. Also spaces surrounding '=' in DN output are removed. + - Add X.509 certificate codeSigning purpose and related checks on key usage and + extended key usage of the leaf certificate according to the CA/Browser Forum. + - The 'x509', 'ca', and 'req' apps now produce X.509 v3 certificates. + The '-x509v1' option of 'req' prefers generation of X.509 v1 certificates. + 'X509_sign()' and 'X509_sign_ctx()' make sure that the certificate has + X.509 version 3 if the certificate information includes X.509 extensions. + - Fix and extend certificate handling and the apps 'x509', 'verify' etc. + such as adding a trace facility for debugging certificate chain building. + - Various fixes and extensions to the CMP+CRMF implementation and the 'cmp' app + in particular supporting requests for central key generation, generalized + polling, and various types of genm/genp exchanges defined in CMP Updates. + - Fixes and extensions to the HTTP client and to the HTTP server in 'apps/' + like correcting the TLS and proxy support and adding tracing for debugging. + - Extended the CMS API for handling 'CMS_SignedData' and 'CMS_EnvelopedData'. + - 'CMS_add0_cert()' and 'CMS_add1_cert()' no longer throw an error if + a certificate to be added is already present. 'CMS_sign_ex()' and + 'CMS_sign()' now ignore any duplicate certificates in their 'certs' argument + and no longer throw an error for them. + - Added BIO_s_dgram_pair() and BIO_s_dgram_mem() that provide memory-based + BIOs with datagram semantics and support for BIO_sendmmsg() and BIO_recvmmsg() + calls. They can be used as the transport BIOs for QUIC. + - Add new BIO_sendmmsg() and BIO_recvmmsg() BIO methods which allow + sending and receiving multiple messages in a single call. An implementation + is provided for BIO_dgram. For further details, see BIO_sendmmsg(3). + - Support for loading root certificates from the Windows certificate store + has been added. + - Enable KTLS with the TLS 1.3 CCM mode ciphersuites. Note that some linux + kernel versions that support KTLS have a known bug in CCM processing. That + has been fixed in stable releases starting from 5.4.164, 5.10.84, 5.15.7, + and all releases since 5.16. KTLS with CCM ciphersuites should be only used + on these releases. + - Added '-ktls' option to 's_server' and 's_client' commands to enable the + KTLS support. + - Zerocopy KTLS sendfile() support on Linux. + - The OBJ_ calls are now thread safe using a global lock. + - New parameter '-digest' for openssl cms command allowing signing + pre-computed digests and new CMS API functions supporting that + functionality. + - OPENSSL_malloc() and other allocation functions now raise errors on + allocation failures. The callers do not need to explicitly raise errors + unless they want to for tracing purposes. + - Added support for Brainpool curves in TLS-1.3. + - Support for Argon2d, Argon2i, Argon2id KDFs has been added along with + a basic thread pool implementation for select platforms. + +------------------------------------------------------------------- +Mon Oct 21 11:01:59 UTC 2024 - Pedro Monreal + +- Update to 3.1.7: + * Major changes between OpenSSL 3.1.6 and OpenSSL 3.1.7 [3 Sep 2024] + - Fixed possible denial of service in X.509 name checks (CVE-2024-6119) + - Fixed possible buffer overread in SSL_select_next_proto() + (CVE-2024-5535) + * Major changes between OpenSSL 3.1.5 and OpenSSL 3.1.6 [4 Jun 2024] + - Fixed potential use after free after SSL_free_buffers() is + called (CVE-2024-4741) + - Fixed an issue where checking excessively long DSA keys or + parameters may be very slow (CVE-2024-4603) + - Fixed unbounded memory growth with session handling in TLSv1.3 + (CVE-2024-2511) + * Major changes between OpenSSL 3.1.4 and OpenSSL 3.1.5 [30 Jan 2024] + - Fixed PKCS12 Decoding crashes (CVE-2024-0727) + - Fixed Excessive time spent checking invalid RSA public keys + [CVE-2023-6237) + - Fixed POLY1305 MAC implementation corrupting vector registers + on PowerPC CPUs which support PowerISA 2.07 (CVE-2023-6129) + - Fix excessive time spent in DH check / generation with large + Q parameter value (CVE-2023-5678) + * Update openssl.keyring with BA5473A2B0587B07FB27CF2D216094DFD0CB81EF + * Rebase patches: + - openssl-Force-FIPS.patch + - openssl-FIPS-embed-hmac.patch + - openssl-FIPS-services-minimize.patch + - openssl-FIPS-RSA-disable-shake.patch + - openssl-CVE-2023-50782.patch + * Remove patches fixed in the update: + - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch + - openssl-CVE-2024-6119.patch openssl-CVE-2024-5535.patch + - openssl-CVE-2024-4741.patch openssl-CVE-2024-4603.patch + - openssl-CVE-2024-2511.patch openssl-CVE-2024-0727.patch + - openssl-CVE-2023-6237.patch openssl-CVE-2023-6129.patch + - openssl-CVE-2023-5678.patch + - openssl-Enable-BTI-feature-for-md5-on-aarch64.patch + - openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch + - openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch + - reproducible.patch + +------------------------------------------------------------------- +Thu Oct 17 12:32:21 UTC 2024 - Pedro Monreal + +- Security fix: [bsc#1231741, CVE-2024-9143] + * Low-level invalid GF(2^m) parameters lead to OOB memory access + * Add openssl-CVE-2024-9143.patch + +------------------------------------------------------------------- +Thu Oct 17 12:21:14 UTC 2024 - Pedro Monreal + +- Security fix: [bsc#1220262, CVE-2023-50782] + * Implicit rejection in PKCS#1 v1.5 + * Add openssl-CVE-2023-50782.patch + +------------------------------------------------------------------- +Thu Sep 19 08:05:52 UTC 2024 - Angel Yankov + +- Security fix: [bsc#1230698, CVE-2024-41996] + * Validating the order of the public keys in the Diffie-Hellman + Key Agreement Protocol, when an approved safe prime is used. + * Added openssl-CVE-2024-41996.patch + +------------------------------------------------------------------- +Thu Aug 22 15:18:03 UTC 2024 - Alexander Bergmann + +- Security fix: [bsc#1229465, CVE-2024-6119] + * possible denial of service in X.509 name checks + * openssl-CVE-2024-6119.patch + +------------------------------------------------------------------- +Mon Jul 22 16:42:52 UTC 2024 - Pedro Monreal + +- Build with no-afalgeng [bsc#1226463] + +------------------------------------------------------------------- +Mon Jul 22 08:30:16 UTC 2024 - Pedro Monreal + +- Security fix: [bsc#1227138, CVE-2024-5535] + * SSL_select_next_proto buffer overread + * Add openssl-CVE-2024-5535.patch + +------------------------------------------------------------------- +Wed Jul 17 12:55:39 UTC 2024 - Pedro Monreal + +- Build with enabled sm2 and sm4 support [bsc#1222899] + +------------------------------------------------------------------- +Mon Jul 15 05:52:07 UTC 2024 - Bernhard Wiedemann + +- Add reproducible.patch to fix bsc#1223336 + aes-gcm-avx512.pl: fix non-reproducibility issue + +------------------------------------------------------------------- +Tue Jul 2 13:20:21 UTC 2024 - Pedro Monreal + +- FIPS: Deny SHA-1 signature verification in FIPS provider [bsc#1221365] + * SHA-1 is not allowed anymore in FIPS 186-5 for signature + verification operations. After 12/31/2030, NIST will disallow + SHA-1 for all of its usages. + * Add openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch + +------------------------------------------------------------------- +Mon Jul 1 09:41:11 UTC 2024 - Pedro Monreal + +- FIPS: RSA keygen PCT requirements. + * Skip the rsa_keygen_pairwise_test() PCT in rsa_keygen() as the + self-test requirements are covered by do_rsa_pct() for both + RSA-OAEP and RSA signatures [bsc#1221760] + * Enforce error state if rsa_keygen PCT is run and fails [bsc#1221753] + * Add openssl-3-FIPS-PCT_rsa_keygen.patch + +------------------------------------------------------------------- +Wed Jun 19 15:51:52 UTC 2024 - Pedro Monreal + +- FIPS: Check that the fips provider is available before setting + it as the default provider in FIPS mode. [bsc#1220523] + * Rebase openssl-Force-FIPS.patch + +------------------------------------------------------------------- +Thu Jun 10 20:50:41 UTC 2024 - Pedro Monreal + +- FIPS: Port openssl to use jitterentropy [bsc#1220523] + * Set the module in error state if the jitter RNG fails either on + initialization or entropy gathering because health tests failed. + * Add jitterentropy as a seeding source output also in crypto/info.c + * Move the jitter entropy collector and the associated lock out + of the header file to avoid redefinitions. + * Add the fips_local.cnf symlink to the spec file. This simlink + points to the openssl_fips.config file that is provided by the + crypto-policies package. + * Rebase openssl-3-jitterentropy-3.4.0.patch + * Rebase openssl-FIPS-enforce-EMS-support.patch + +------------------------------------------------------------------- +Fri Jun 7 14:51:08 UTC 2024 - Otto Hollmann + +- FIPS: Block non-Approved Elliptic Curves [bsc#1221786] + * Add patches + - openssl-Add-changes-to-ectest-and-eccurve.patch + - openssl-Remove-EC-curves.patch + - openssl-Disable-explicit-ec.patch + - openssl-skipped-tests-EC-curves.patch + - openssl-FIPS-services-minimize.patch +- FIPS: Service Level Indicator [bsc#1221365] + * Add patches: + - openssl-FIPS-Expose-a-FIPS-indicator.patch + - openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch + - openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch + - openssl-FIPS-RSA-disable-shake.patch + - openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch + - openssl-FIPS-Add-explicit-indicator-for-key-length.patch + - openssl-FIPS-limit-rsa-encrypt.patch + - openssl-FIPS-enforce-EMS-support.patch + - openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch + - openssl-FIPS-services-minimize.patch + - openssl-Add-FIPS-indicator-parameter-to-HKDF.patch + - openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch + - openssl-FIPS-enforce-security-checks-during-initialization.patch + - TODO: incomplete +- FIPS: Output the FIPS-validation name and module version which uniquely + identify the FIPS validated module. [bsc#1221751] + * Add openssl-FIPS-release_num_in_version_string.patch +- FIPS: Add required selftests: [bsc#1221760] + * Add patches + - openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch + - openssl-FIPS-Use-FFDHE2048-in-self-test.patch + - openssl-FIPS-early-KATS.patch + - openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch + - openssl-FIPS-140-3-keychecks.patch +- FIPS: DH: Disable FIPS 186-4 Domain Parameters [bsc#1221821] + Add openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch +- FIPS: Recommendation for Password-Based Key Derivation [bsc#1221827] + * Add additional check required by FIPS 140-3. Minimum value for + PBKDF2 password is 20 characters. + * Add patches: + - openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch + - openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch +- FIPS: Zeroization is required [bsc#1221752] + * Add openssl-FIPS-140-3-zeroization.patch +- FIPS: Reseed DRBG [bsc#1220690, bsc#1220693, bsc#1220696] + * Enable prediction resistance for primary DRBG + * Add oversampling of the noise source to comply with requirements of + NIST SP 800-90C + * Change CRNG buf size to align with output size of the Jitter RNG + * Add openssl-FIPS-140-3-DRBG.patch +- FIPS: NIST SP 800-56Brev2 [bsc#1221824] + * Add patches: + - openssl-FIPS-limit-rsa-encrypt.patch + - openssl-FIPS-RSA-encapsulate.patch + - openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch +- FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 [bsc#1221787] + * Add patches: + - openssl-FIPS-services-minimize.patch + - openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch + - openssl-Allow-disabling-of-SHA1-signatures.patch + - openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch +- FIPS: Port openssl to use jitterentropy [bsc#1220523] + * Add openssl-3-jitterentropy-3.4.0.patch + * Add build dependency on jitterentropy-devel >= 3.4.0 and + libjitterentropy3 >= 3.4.0 +- FIPS: NIST SP 800-56Arev3 [bsc#1221822] + * Add openssl-FIPS-140-3-keychecks.patch +- FIPS: Error state has to be enforced [bsc#1221753] + * Add patches: + - openssl-FIPS-140-3-keychecks.patch + - openssl-FIPS-Enforce-error-state.patch + +------------------------------------------------------------------- +Thu Jun 6 15:12:10 UTC 2024 - Peter Simons + +- Apply "openssl-CVE-2024-4741.patch" to fix a use-after-free + security vulnerability. Calling the function SSL_free_buffers() + potentially caused memory to be accessed that was previously + freed in some situations and a malicious attacker could attempt + to engineer a stituation where this occurs to facilitate a + denial-of-service attack. [CVE-2024-4741, bsc#1225551] + +------------------------------------------------------------------- +Wed May 29 13:30:21 UTC 2024 - Martin Wilck + +- Fix HDKF key derivation (bsc#1225291, gh#openssl/openssl#23448, + gh#openssl/openssl#23456) + * Add openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch + * Add openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch + +------------------------------------------------------------------- +Mon May 20 12:24:03 UTC 2024 - Otto Hollmann + +- Security fix: [bsc#1224388, CVE-2024-4603] + * Check DSA parameters for excessive sizes before validating + * Add openssl-CVE-2024-4603.patch + +------------------------------------------------------------------- +Tue May 7 13:35:31 UTC 2024 - Giuliano Belinassi + +- Enable livepatching support (bsc#1223428) + +------------------------------------------------------------------- +Tue May 7 11:51:38 UTC 2024 - Otto Hollmann + +- Add ktls capability [bsc#1216950] + Already added in January, but not mentioned in this changelog. + +------------------------------------------------------------------- +Mon May 6 12:11:02 UTC 2024 - Otto Hollmann + +- Security fix: [bsc#1222548, CVE-2024-2511] + * Fix unconstrained session cache growth in TLSv1.3 + * Add openssl-CVE-2024-2511.patch + +------------------------------------------------------------------- +Fri Feb 23 11:31:44 UTC 2024 - Pedro Monreal + +- Build the 32bit flavor of libopenssl-3-fips-provider [bsc#1220232] + * Update baselibs.conf + +------------------------------------------------------------------- +Mon Feb 5 16:29:26 UTC 2024 - Otto Hollmann + +- Add migration script to move old files (bsc#1219562) + /etc/ssl/engines.d/* -> /etc/ssl/engines1.1.d.rpmsave + /etc/ssl/engdef.d/* -> /etc/ssl/engdef1.1.d.rpmsave + They will be later restored by openssl-1_1 package + to engines1.1.d and engdef1.1.d + +------------------------------------------------------------------- +Tue Jan 30 14:15:25 UTC 2024 - Otto Hollmann + +- Security fix: [bsc#1219243, CVE-2024-0727] + * Add NULL checks where ContentInfo data can be NULL + * Add openssl-CVE-2024-0727.patch + +------------------------------------------------------------------- +Mon Jan 29 15:17:22 UTC 2024 - Pedro Monreal + +- Encapsulate the fips provider into a new package called + libopenssl-3-fips-provider. + +------------------------------------------------------------------- +Mon Jan 22 09:34:28 UTC 2024 - Otto Hollmann + +- Added openssl-3-use-include-directive.patch so that the default + /etc/ssl/openssl.cnf file will include any configuration files that + other packages might place into /etc/ssl/engines3.d/ and + /etc/ssl/engdef3.d/. Also create symbolic links /etc/ssl/engines.d/ + and /etc/ssl/engdef.d/ to above versioned directories. +- Updated spec file to create the two new necessary directores for + the above patch and two symbolic links to above directories. + [bsc#1194187, bsc#1207472, bsc#1218933] + +------------------------------------------------------------------- +Tue Jan 16 09:45:24 UTC 2024 - Otto Hollmann + +- Security fix: [bsc#1218810, CVE-2023-6237] + * Limit the execution time of RSA public key check + * Add openssl-CVE-2023-6237.patch + +------------------------------------------------------------------- +Sun Jan 14 13:36:33 UTC 2024 - Pedro Monreal + +- Rename openssl-Override-default-paths-for-the-CA-directory-tree.patch + to openssl-crypto-policies-support.patch + +------------------------------------------------------------------- +Sat Jan 13 23:59:27 UTC 2024 - Pedro Monreal + +- Embed the FIPS hmac. Add openssl-FIPS-embed-hmac.patch + +------------------------------------------------------------------- +Sat Jan 13 22:31:15 UTC 2024 - Pedro Monreal + +- Load the FIPS provider and set FIPS properties implicitly. + * Add openssl-Force-FIPS.patch [bsc#1217934] +- Disable the fipsinstall command-line utility. + * Add openssl-disable-fipsinstall.patch +- Add instructions to load legacy provider in openssl.cnf. + * openssl-load-legacy-provider.patch +- Disable the default provider for the test suite. + * openssl-Disable-default-provider-for-test-suite.patch + +------------------------------------------------------------------- +Thu Jan 11 08:07:48 UTC 2024 - Otto Hollmann + +- Security fix: [bsc#1218690, CVE-2023-6129] + * POLY1305: Fix vector register clobbering on PowerPC + * Add openssl-CVE-2023-6129.patch + +------------------------------------------------------------------- +Thu Dec 7 09:54:17 UTC 2023 - Guillaume GARDET + +- Add patch to fix BTI enablement on aarch64: + * openssl-Enable-BTI-feature-for-md5-on-aarch64.patch + +------------------------------------------------------------------- +Mon Nov 13 09:29:26 UTC 2023 - Otto Hollmann + +- Security fix: [bsc#1216922, CVE-2023-5678] + * Fix excessive time spent in DH check / generation with large Q + parameter value. + * Applications that use the functions DH_generate_key() to generate + an X9.42 DH key may experience long delays. Likewise, + applications that use DH_check_pub_key(), DH_check_pub_key_ex + () or EVP_PKEY_public_check() to check an X9.42 DH key or X9.42 + DH parameters may experience long delays. Where the key or + parameters that are being checked have been obtained from an + untrusted source this may lead to a Denial of Service. + * Add openssl-CVE-2023-5678.patch + +------------------------------------------------------------------- +Tue Oct 24 14:53:41 UTC 2023 - Otto Hollmann + +- Update to 3.1.4: + * Fix incorrect key and IV resizing issues when calling + EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() or EVP_CipherInit_ex2() + with OSSL_PARAM parameters that alter the key or IV length + [bsc#1216163, CVE-2023-5363]. + +------------------------------------------------------------------- +Thu Oct 19 15:03:14 UTC 2023 - Otto Hollmann + +- Performance enhancements for cryptography from OpenSSL 3.2 + [jsc#PED-5086, jsc#PED-3514] + * Add patches: + - openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch + - openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch + - openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch + - openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch + - openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch + - openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch + +------------------------------------------------------------------- +Thu Oct 19 11:53:29 UTC 2023 - Pedro Monreal + +- FIPS: Add the FIPS_mode() compatibility macro and flag support. + * Add patches: + - openssl-Add-FIPS_mode-compatibility-macro.patch + - openssl-Add-Kernel-FIPS-mode-flag-support.patch + +------------------------------------------------------------------- +Thu Oct 12 09:44:19 UTC 2023 - + +- As of openssl 3.1.3, the devel package installs at least 5200 + manpage files and is the owner of the most files in the man3 + directory (in second place after lapack-man); move these manpages + off to the -doc subpackage to reduce the walltime to install just + openssl-3-devel (because there is also an invocation of mandb + that runs at some point). + +------------------------------------------------------------------- +Tue Sep 19 14:17:56 UTC 2023 - Otto Hollmann + +- Update to 3.1.3: + * Fix POLY1305 MAC implementation corrupting XMM registers on + Windows (CVE-2023-4807) + +------------------------------------------------------------------- +Tue Aug 1 15:24:46 UTC 2023 - Pedro Monreal + +- Update to 3.1.2: + * Fix excessive time spent checking DH q parameter value + (bsc#1213853, CVE-2023-3817). The function DH_check() performs + various checks on DH parameters. After fixing CVE-2023-3446 it + was discovered that a large q parameter value can also trigger + an overly long computation during some of these checks. A + correct q value, if present, cannot be larger than the modulus + p parameter, thus it is unnecessary to perform these checks if + q is larger than p. If DH_check() is called with such q parameter + value, DH_CHECK_INVALID_Q_VALUE return flag is set and the + computationally intensive checks are skipped. + * Fix DH_check() excessive time with over sized modulus + (bsc#1213487, CVE-2023-3446). The function DH_check() performs + various checks on DH parameters. One of those checks confirms + that the modulus ("p" parameter) is not too large. Trying to use + a very large modulus is slow and OpenSSL will not normally use + a modulus which is over 10,000 bits in length. However the + DH_check() function checks numerous aspects of the key or + parameters that have been supplied. Some of those checks use the + supplied modulus value even if it has already been found to be + too large. A new limit has been added to DH_check of 32,768 bits. + Supplying a key/parameters with a modulus over this size will + simply cause DH_check() to fail. + * Do not ignore empty associated data entries with AES-SIV + (bsc#1213383, CVE-2023-2975). The AES-SIV algorithm allows for + authentication of multiple associated data entries along with the + encryption. To authenticate empty data the application has to call + EVP_EncryptUpdate() (or EVP_CipherUpdate()) with NULL pointer as + the output buffer and 0 as the input buffer length. The AES-SIV + implementation in OpenSSL just returns success for such call + instead of performing the associated data authentication operation. + The empty data thus will not be authenticated. The fix changes the + authentication tag value and the ciphertext for applications that + use empty associated data entries with AES-SIV. To decrypt data + encrypted with previous versions of OpenSSL the application has to + skip calls to EVP_DecryptUpdate() for empty associated data entries. + * When building with the enable-fips option and using the resulting + FIPS provider, TLS 1.2 will, by default, mandate the use of an + extended master secret (FIPS 140-3 IG G.Q) and the Hash and HMAC + DRBGs will not operate with truncated digests (FIPS 140-3 IG G.R). + * Update openssl.keyring with the OTC members that sign releases + * Remove openssl-z16-s390x.patch fixed upstream in + https://github.com/openssl/openssl/pull/21284 + * Remove security patches fixed upstream: + - openssl-CVE-2023-2975.patch + - openssl-CVE-2023-3446.patch + - openssl-CVE-2023-3446-test.patch + +------------------------------------------------------------------- +Thu Jul 20 07:48:20 UTC 2023 - Pedro Monreal + +- Security fix: [bsc#1213487, CVE-2023-3446] + * Fix DH_check() excessive time with over sized modulus. + * The function DH_check() performs various checks on DH parameters. + One of those checks confirms that the modulus ("p" parameter) is + not too large. Trying to use a very large modulus is slow and + OpenSSL will not normally use a modulus which is over 10,000 bits + in length. + However the DH_check() function checks numerous aspects of the + key or parameters that have been supplied. Some of those checks + use the supplied modulus value even if it has already been found + to be too large. + A new limit has been added to DH_check of 32,768 bits. Supplying + a key/parameters with a modulus over this size will simply cause + DH_check() to fail. + * Add openssl-CVE-2023-3446.patch openssl-CVE-2023-3446-test.patch + +------------------------------------------------------------------- +Tue Jul 18 07:32:49 UTC 2023 - Pedro Monreal + +- Security fix: [bsc#1213383, CVE-2023-2975] + * AES-SIV implementation ignores empty associated data entries + * Add openssl-CVE-2023-2975.patch + +------------------------------------------------------------------- +Tue Jun 20 15:18:56 UTC 2023 - Otto Hollmann + +- Improve cross-package provides/conflicts [boo#1210313] + * Add Provides/Conflicts: ssl-devel + * Remove explicit conflicts with other devel-libraries + * Remove Provides: openssl(cli) - it's managed by meta package + +------------------------------------------------------------------- +Tue May 30 15:14:51 UTC 2023 - Otto Hollmann + +- Update to 3.1.1: + * Restrict the size of OBJECT IDENTIFIERs that OBJ_obj2txt will translate + (CVE-2023-2650, bsc#1211430) + * Multiple algorithm implementation fixes for ARM BE platforms. + * Added a -pedantic option to fipsinstall that adjusts the various settings + to ensure strict FIPS compliance rather than backwards compatibility. + * Fixed buffer overread in AES-XTS decryption on ARM 64 bit platforms which + happens if the buffer size is 4 mod 5 in 16 byte AES blocks. This can + trigger a crash of an application using AES-XTS decryption if the memory + just after the buffer being decrypted is not mapped. Thanks to Anton + Romanov (Amazon) for discovering the issue. (CVE-2023-1255, bsc#1210714) + * Add FIPS provider configuration option to disallow the use of truncated + digests with Hash and HMAC DRBGs (q.v. FIPS 140-3 IG D.R.). The + option '-no_drbg_truncated_digests' can optionally be supplied + to 'openssl fipsinstall'. + * Corrected documentation of X509_VERIFY_PARAM_add0_policy() to mention that + it does not enable policy checking. Thanks to David Benjamin for + discovering this issue. (CVE-2023-0466, bsc#1209873) + * Fixed an issue where invalid certificate policies in leaf certificates are + silently ignored by OpenSSL and other certificate policy checks are + skipped for that certificate. A malicious CA could use this to + deliberately assert invalid certificate policies in order to circumvent + policy checking on the certificate altogether. (CVE-2023-0465, bsc#1209878) + * Limited the number of nodes created in a policy tree to mitigate against + CVE-2023-0464. The default limit is set to 1000 nodes, which should be + sufficient for most installations. If required, the limit can be adjusted + by setting the OPENSSL_POLICY_TREE_NODES_MAX build time define to a + desired maximum number of nodes or zero to allow unlimited growth. + (CVE-2023-0464, bsc#1209624) + * Update openssl.keyring with key + A21F AB74 B008 8AA3 6115 2586 B8EF 1A6B A9DA 2D5C (Tomas Mraz) + * Rebased patches: + - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch + - openssl-Add_support_for_Windows_CA_certificate_store.patch + * Removed patches: + - openssl-CVE-2023-0464.patch + - openssl-Fix-OBJ_nid2obj-regression.patch + - openssl-CVE-2023-0465.patch + - openssl-CVE-2023-0466.patch + +------------------------------------------------------------------- +Mon May 29 07:31:07 UTC 2023 - Pedro Monreal + +- FIPS: Merge libopenssl3-hmac package into the library [bsc#1185116] + +------------------------------------------------------------------- +Mon May 15 09:00:04 UTC 2023 - Otto Hollmann + +- Add support for Windows CA certificate store [bsc#1209430] + https://github.com/openssl/openssl/pull/18070 + * Add openssl-Add_support_for_Windows_CA_certificate_store.patch + +------------------------------------------------------------------- +Wed Mar 29 12:11:10 UTC 2023 - Otto Hollmann + +- Security Fix: [CVE-2023-0465, bsc#1209878] + * Invalid certificate policies in leaf certificates are silently ignored + * Add openssl-CVE-2023-0465.patch +- Security Fix: [CVE-2023-0466, bsc#1209873] + * Certificate policy check not enabled + * Add openssl-CVE-2023-0466.patch + +------------------------------------------------------------------- +Tue Mar 28 12:19:06 UTC 2023 - Pedro Monreal + +- Fix regression in the OBJ_nid2obj() function: [bsc#1209430] + * Upstream https://github.com/openssl/openssl/issues/20555 + * Add openssl-Fix-OBJ_nid2obj-regression.patch + +------------------------------------------------------------------- +Mon Mar 27 14:44:32 UTC 2023 - Otto Hollmann + +- Fix compiler error "initializer element is not constant" on s390 + * Add openssl-z16-s390x.patch + +------------------------------------------------------------------- +Fri Mar 24 13:55:25 UTC 2023 - Otto Hollmann + +- Security Fix: [CVE-2023-0464, bsc#1209624] + * Excessive Resource Usage Verifying X.509 Policy Constraints + * Add openssl-CVE-2023-0464.patch + +------------------------------------------------------------------- +Wed Mar 15 14:55:29 UTC 2023 - Otto Hollmann + +- Pass over with spec-cleaner + +------------------------------------------------------------------- +Tue Mar 14 13:34:13 UTC 2023 - Otto Hollmann + +- Update to 3.1.0: + * Add FIPS provider configuration option to enforce the Extended Master + Secret (EMS) check during the TLS1_PRF KDF. The option '-ems-check' can + optionally be supplied to 'openssl fipsinstall'. + * The FIPS provider includes a few non-approved algorithms for backward + compatibility purposes and the "fips=yes" property query must be used for + all algorithm fetches to ensure FIPS compliance. The algorithms that are + included but not approved are Triple DES ECB, Triple DES CBC and EdDSA. + * Added support for KMAC in KBKDF. + * RNDR and RNDRRS support in provider functions to provide random number + generation for Arm CPUs (aarch64). + * s_client and s_server apps now explicitly say when the TLS version does not + include the renegotiation mechanism. This avoids confusion between that + scenario versus when the TLS version includes secure renegotiation but the + peer lacks support for it. + * AES-GCM enabled with AVX512 vAES and vPCLMULQDQ. + * The various OBJ_* functions have been made thread safe. + * Parallel dual-prime 1536/2048-bit modular exponentiation for AVX512_IFMA + capable processors. + * The functions OPENSSL_LH_stats, OPENSSL_LH_node_stats, + OPENSSL_LH_node_usage_stats, OPENSSL_LH_stats_bio, + OPENSSL_LH_node_stats_bio and OPENSSL_LH_node_usage_stats_bio are now + marked deprecated from OpenSSL 3.1 onwards and can be disabled by defining + OPENSSL_NO_DEPRECATED_3_1. The macro DEFINE_LHASH_OF is now deprecated in + favour of the macro DEFINE_LHASH_OF_EX, which omits the corresponding + type-specific function definitions for these functions regardless of + whether OPENSSL_NO_DEPRECATED_3_1 is defined. Users of DEFINE_LHASH_OF may + start receiving deprecation warnings for these functions regardless of + whether they are using them. It is recommended that users transition to the + new macro, DEFINE_LHASH_OF_EX. + * When generating safe-prime DH parameters set the recommended private key + length equivalent to minimum key lengths as in RFC 7919. + * Change the default salt length for PKCS#1 RSASSA-PSS signatures to the + maximum size that is smaller or equal to the digest length to comply with + FIPS 186-4 section 5. This is implemented by a new option + OSSL_PKEY_RSA_PSS_SALT_LEN_AUTO_DIGEST_MAX ("auto-digestmax") for the + rsa_pss_saltlen parameter, which is now the default. Signature verification + is not affected by this change and continues to work as before. + * Update openssl.keyring with key + 8657 ABB2 60F0 56B1 E519 0839 D9C4 D26D 0E60 4491 (Matt Caswell) + +------------------------------------------------------------------- +Wed Mar 8 10:37:09 UTC 2023 - Martin Pluskal + +- Build AVX2 enabled hwcaps library for x86_64-v3 + +------------------------------------------------------------------- +Tue Feb 7 15:43:22 UTC 2023 - Otto Hollmann + +- Update to 3.0.8: + * Fixed NULL dereference during PKCS7 data verification. + A NULL pointer can be dereferenced when signatures are being + verified on PKCS7 signed or signedAndEnveloped data. In case the hash + algorithm used for the signature is known to the OpenSSL library but + the implementation of the hash algorithm is not available the digest + initialization will fail. There is a missing check for the return + value from the initialization function which later leads to invalid + usage of the digest API most likely leading to a crash. + ([bsc#1207541, CVE-2023-0401]) + + PKCS7 data is processed by the SMIME library calls and also by the + time stamp (TS) library calls. The TLS implementation in OpenSSL does + not call these functions however third party applications would be + affected if they call these functions to verify signatures on untrusted + data. + * Fixed X.400 address type confusion in X.509 GeneralName. + There is a type confusion vulnerability relating to X.400 address processing + inside an X.509 GeneralName. X.400 addresses were parsed as an ASN1_STRING + but the public structure definition for GENERAL_NAME incorrectly specified + the type of the x400Address field as ASN1_TYPE. This field is subsequently + interpreted by the OpenSSL function GENERAL_NAME_cmp as an ASN1_TYPE rather + than an ASN1_STRING. + + When CRL checking is enabled (i.e. the application sets the + X509_V_FLAG_CRL_CHECK flag), this vulnerability may allow an attacker to + pass arbitrary pointers to a memcmp call, enabling them to read memory + contents or enact a denial of service. + ([bsc#1207533, CVE-2023-0286]) + * Fixed NULL dereference validating DSA public key. + An invalid pointer dereference on read can be triggered when an + application tries to check a malformed DSA public key by the + EVP_PKEY_public_check() function. This will most likely lead + to an application crash. This function can be called on public + keys supplied from untrusted sources which could allow an attacker + to cause a denial of service attack. + + The TLS implementation in OpenSSL does not call this function + but applications might call the function if there are additional + security requirements imposed by standards such as FIPS 140-3. + ([bsc#1207540, CVE-2023-0217]) + * Fixed Invalid pointer dereference in d2i_PKCS7 functions. + An invalid pointer dereference on read can be triggered when an + application tries to load malformed PKCS7 data with the + d2i_PKCS7(), d2i_PKCS7_bio() or d2i_PKCS7_fp() functions. + + The result of the dereference is an application crash which could + lead to a denial of service attack. The TLS implementation in OpenSSL + does not call this function however third party applications might + call these functions on untrusted data. + ([bsc#1207539, CVE-2023-0216]) + * Fixed Use-after-free following BIO_new_NDEF. + The public API function BIO_new_NDEF is a helper function used for + streaming ASN.1 data via a BIO. It is primarily used internally to OpenSSL + to support the SMIME, CMS and PKCS7 streaming capabilities, but may also + be called directly by end user applications. + + The function receives a BIO from the caller, prepends a new BIO_f_asn1 + filter BIO onto the front of it to form a BIO chain, and then returns + the new head of the BIO chain to the caller. Under certain conditions, + for example if a CMS recipient public key is invalid, the new filter BIO + is freed and the function returns a NULL result indicating a failure. + However, in this case, the BIO chain is not properly cleaned up and the + BIO passed by the caller still retains internal pointers to the previously + freed filter BIO. If the caller then goes on to call BIO_pop() on the BIO + then a use-after-free will occur. This will most likely result in a crash. + ([bsc#1207536, CVE-2023-0215]) + * Fixed Double free after calling PEM_read_bio_ex. + The function PEM_read_bio_ex() reads a PEM file from a BIO and parses and + decodes the "name" (e.g. "CERTIFICATE"), any header data and the payload + data. If the function succeeds then the "name_out", "header" and "data" + arguments are populated with pointers to buffers containing the relevant + decoded data. The caller is responsible for freeing those buffers. It is + possible to construct a PEM file that results in 0 bytes of payload data. + In this case PEM_read_bio_ex() will return a failure code but will populate + the header argument with a pointer to a buffer that has already been freed. + If the caller also frees this buffer then a double free will occur. This + will most likely lead to a crash. + + The functions PEM_read_bio() and PEM_read() are simple wrappers around + PEM_read_bio_ex() and therefore these functions are also directly affected. + + These functions are also called indirectly by a number of other OpenSSL + functions including PEM_X509_INFO_read_bio_ex() and + SSL_CTX_use_serverinfo_file() which are also vulnerable. Some OpenSSL + internal uses of these functions are not vulnerable because the caller does + not free the header argument if PEM_read_bio_ex() returns a failure code. + ([bsc#1207538, CVE-2022-4450]) + * Fixed Timing Oracle in RSA Decryption. + A timing based side channel exists in the OpenSSL RSA Decryption + implementation which could be sufficient to recover a plaintext across + a network in a Bleichenbacher style attack. To achieve a successful + decryption an attacker would have to be able to send a very large number + of trial messages for decryption. The vulnerability affects all RSA padding + modes: PKCS#1 v1.5, RSA-OEAP and RSASVE. + ([bsc#1207534, CVE-2022-4304]) + * Fixed X.509 Name Constraints Read Buffer Overflow. + A read buffer overrun can be triggered in X.509 certificate verification, + specifically in name constraint checking. The read buffer overrun might + result in a crash which could lead to a denial of service attack. + In a TLS client, this can be triggered by connecting to a malicious + server. In a TLS server, this can be triggered if the server requests + client authentication and a malicious client connects. + ([bsc#1207535, CVE-2022-4203]) + * Fixed X.509 Policy Constraints Double Locking security issue. + If an X.509 certificate contains a malformed policy constraint and + policy processing is enabled, then a write lock will be taken twice + recursively. On some operating systems (most widely: Windows) this + results in a denial of service when the affected process hangs. Policy + processing being enabled on a publicly facing server is not considered + to be a common setup. + ([CVE-2022-3996]) + * Our provider implementations of `OSSL_FUNC_KEYMGMT_EXPORT` and + `OSSL_FUNC_KEYMGMT_GET_PARAMS` for EC and SM2 keys now honor + `OSSL_PKEY_PARAM_EC_POINT_CONVERSION_FORMAT` as set (and + default to `POINT_CONVERSION_UNCOMPRESSED`) when exporting + `OSSL_PKEY_PARAM_PUB_KEY`, instead of unconditionally using + `POINT_CONVERSION_COMPRESSED` as in previous 3.x releases. + For symmetry, our implementation of `EVP_PKEY_ASN1_METHOD->export_to` + for legacy EC and SM2 keys is also changed similarly to honor the + equivalent conversion format flag as specified in the underlying + `EC_KEY` object being exported to a provider, when this function is + called through `EVP_PKEY_export()`. + * Removed openssl-3-Fix-double-locking-problem.patch, + contained in upstream. + * Rebased openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch + * Update openssl.keyring with key + 7953 AC1F BC3D C8B3 B292 393E D5E9 E43F 7DF9 EE8C (Richard Levitte) + +------------------------------------------------------------------- +Thu Jan 26 08:17:50 UTC 2023 - Pedro Monreal + +- Relax the crypto-policies requirements for the regression tests + +------------------------------------------------------------------- +Wed Jan 25 11:09:52 UTC 2023 - Pedro Monreal + +- Set OpenSSL 3.0.7 as the default openssl [bsc#1205042] + * Rename openssl-1.1.0-no-html.patch to openssl-no-html-docs.patch + * Rebase openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch + * Package a copy of the original default config file called + openssl.cnf and name it as openssl-orig.cnf and warn the user + if the files differ. + * Add openssl-3-devel as conflicting with libopenssl-1_1-devel + * Remove patches: + - fix-config-in-tests.patch + - openssl-use-versioned-config.patch + +------------------------------------------------------------------- +Wed Jan 25 09:10:06 UTC 2023 - Pedro Monreal + +- Create the openssl ca-certificates directory in case the + ca-certificates package is not installed. This directory is + required by the nodejs regression tests. [bsc#1207484] + +------------------------------------------------------------------- +Wed Dec 14 16:38:05 UTC 2022 - Otto Hollmann + +- Fix X.509 Policy Constraints Double Locking [bsc#1206374, CVE-2022-3996] + * Add patch: openssl-3-Fix-double-locking-problem.patch + +------------------------------------------------------------------- +Wed Dec 14 12:40:04 UTC 2022 - Pedro Monreal + +- Compute the hmac files for FIPS 140-3 integrity checking of the + openssl shared libraries using the brp-50-generate-fips-hmac + script. Also computed for the 32bit package. + +------------------------------------------------------------------- +Tue Nov 1 18:29:41 UTC 2022 - Otto Hollmann + +- Temporary disable tests test_ssl_new and test_sslapi because they are + failing in openSUSE_Tumbleweed + +------------------------------------------------------------------- +Tue Nov 1 15:46:44 UTC 2022 - Otto Hollmann + +- Update to 3.0.7: [bsc#1204714, CVE-2022-3602,CVE-2022-3786] + * Fixed two buffer overflows in punycode decoding functions. + A buffer overrun can be triggered in X.509 certificate verification, + specifically in name constraint checking. Note that this occurs after + certificate chain signature verification and requires either a CA to + have signed the malicious certificate or for the application to continue + certificate verification despite failure to construct a path to a trusted + issuer. + + In a TLS client, this can be triggered by connecting to a malicious + server. In a TLS server, this can be triggered if the server requests + client authentication and a malicious client connects. + + An attacker can craft a malicious email address to overflow + an arbitrary number of bytes containing the `.` character (decimal 46) + on the stack. This buffer overflow could result in a crash (causing a + denial of service). + ([CVE-2022-3786]) + + An attacker can craft a malicious email address to overflow four + attacker-controlled bytes on the stack. This buffer overflow could + result in a crash (causing a denial of service) or potentially remote code + execution depending on stack layout for any given platform/compiler. + ([CVE-2022-3602]) + * Removed all references to invalid OSSL_PKEY_PARAM_RSA names for CRT + parameters in OpenSSL code. + Applications should not use the names OSSL_PKEY_PARAM_RSA_FACTOR, + OSSL_PKEY_PARAM_RSA_EXPONENT and OSSL_PKEY_PARAM_RSA_COEFFICIENT. + Use the numbered names such as OSSL_PKEY_PARAM_RSA_FACTOR1 instead. + Using these invalid names may cause algorithms to use slower methods + that ignore the CRT parameters. + * Fixed a regression introduced in 3.0.6 version raising errors on some stack + operations. + * Fixed a regression introduced in 3.0.6 version not refreshing the certificate + data to be signed before signing the certificate. + * Added RIPEMD160 to the default provider. + * Ensured that the key share group sent or accepted for the key exchange + is allowed for the protocol version. + +------------------------------------------------------------------- +Tue Nov 1 10:42:00 UTC 2022 - Otto Hollmann + +- Update to 3.0.6: [bsc#1204226, CVE-2022-3358] + * OpenSSL supports creating a custom cipher via the legacy + EVP_CIPHER_meth_new() function and associated function calls. This function + was deprecated in OpenSSL 3.0 and application authors are instead encouraged + to use the new provider mechanism in order to implement custom ciphers. + * OpenSSL versions 3.0.0 to 3.0.5 incorrectly handle legacy custom ciphers + passed to the EVP_EncryptInit_ex2(), EVP_DecryptInit_ex2() and + EVP_CipherInit_ex2() functions (as well as other similarly named encryption + and decryption initialisation functions). Instead of using the custom cipher + directly it incorrectly tries to fetch an equivalent cipher from the + available providers. An equivalent cipher is found based on the NID passed + to EVP_CIPHER_meth_new(). This NID is supposed to represent the unique NID + for a given cipher. However it is possible for an application to incorrectly + pass NID_undef as this value in the call to EVP_CIPHER_meth_new(). When + NID_undef is used in this way the OpenSSL encryption/decryption + initialisation function will match the NULL cipher as being equivalent and + will fetch this from the available providers. This will succeed if the + default provider has been loaded (or if a third party provider has been + loaded that offers this cipher). Using the NULL cipher means that the + plaintext is emitted as the ciphertext. + * Applications are only affected by this issue if they call + EVP_CIPHER_meth_new() using NID_undef and subsequently use it in a call to + an encryption/decryption initialisation function. Applications that only use + SSL/TLS are not impacted by this issue. ([CVE-2022-3358]) + * Fix LLVM vs Apple LLVM version numbering confusion that caused build + failures on MacOS 10.11 + * Fixed the linux-mips64 Configure target which was missing the SIXTY_FOUR_BIT + bn_ops flag. This was causing heap corruption on that platform. + * Fix handling of a ticket key callback that returns 0 in TLSv1.3 to not send + a ticket + * Correctly handle a retransmitted ClientHello in DTLS + * Fixed detection of ktls support in cross-compile environment on Linux + * Fixed some regressions and test failures when running the 3.0.0 FIPS + provider against 3.0.x + * Fixed SSL_pending() and SSL_has_pending() with DTLS which were failing to + report correct results in some cases + * Fix UWP builds by defining VirtualLock + * For known safe primes use the minimum key length according to RFC 7919. + Longer private key sizes unnecessarily raise the cycles needed to compute + the shared secret without any increase of the real security. This fixes a + regression from 1.1.1 where these shorter keys were generated for the known + safe primes. + * Added the loongarch64 target + * Fixed EC ASM flag passing. Flags for ASM implementations of EC curves were + only passed to the FIPS provider and not to the default or legacy provider. + * Fixed reported performance degradation on aarch64. Restored the + implementation prior to commit 2621751 ("aes/asm/aesv8-armx.pl: avoid 32-bit + lane assignment in CTR mode") for 64bit targets only, since it is reportedly + 2-17% slower and the silicon errata only affects 32bit targets. The new + algorithm is still used for 32 bit targets. + * Added a missing header for memcmp that caused compilation failure on some + platforms + +------------------------------------------------------------------- +Wed Sep 14 09:22:14 UTC 2022 - Bruno Pitrus + +- Do not make libopenssl3-32bit obsolete libopenssl1_1-32bit. + They are independent libraries and can be installed simultaneously. + +------------------------------------------------------------------- +Thu Jul 21 09:09:07 UTC 2022 - Pedro Monreal + +- Update to 3.0.5: + * The OpenSSL 3.0.4 release introduced a serious bug in the RSA + implementation for X86_64 CPUs supporting the AVX512IFMA instructions. + This issue makes the RSA implementation with 2048 bit private keys + incorrect on such machines and memory corruption will happen during + the computation. As a consequence of the memory corruption an attacker + may be able to trigger a remote code execution on the machine performing + the computation. + SSL/TLS servers or other servers using 2048 bit RSA private keys running + on machines supporting AVX512IFMA instructions of the X86_64 architecture + are affected by this issue. [bsc#1201148, CVE-2022-2274] + * AES OCB mode for 32-bit x86 platforms using the AES-NI assembly optimised + implementation would not encrypt the entirety of the data under some + circumstances. This could reveal sixteen bytes of data that was + preexisting in the memory that wasn't written. In the special case of + "in place" encryption, sixteen bytes of the plaintext would be revealed. + Since OpenSSL does not support OCB based cipher suites for TLS and DTLS, + they are both unaffected. [bsc#1201099, CVE-2022-2097] +- Rebase patches: + * openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch + +------------------------------------------------------------------- +Mon Jul 18 12:03:55 UTC 2022 - Pedro Monreal + +- Update to 3.0.4: [bsc#1199166, CVE-2022-1292] + * In addition to the c_rehash shell command injection identified in + CVE-2022-1292, further bugs where the c_rehash script does not + properly sanitise shell metacharacters to prevent command injection + have been fixed. + When the CVE-2022-1292 was fixed it was not discovered that there + are other places in the script where the file names of certificates + being hashed were possibly passed to a command executed through the shell. + This script is distributed by some operating systems in a manner where + it is automatically executed. On such operating systems, an attacker + could execute arbitrary commands with the privileges of the script. + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. + * Case insensitive string comparison no longer uses locales. + It has instead been directly implemented. + +------------------------------------------------------------------- +Mon Jul 18 12:03:21 UTC 2022 - Pedro Monreal + +- Update to 3.0.3: + * Case insensitive string comparison is reimplemented via new locale-agnostic + comparison functions OPENSSL_str[n]casecmp always using the POSIX locale for + comparison. The previous implementation had problems when the Turkish locale + was used. + * Fixed a bug in the c_rehash script which was not properly sanitising shell + metacharacters to prevent command injection. This script is distributed by + some operating systems in a manner where it is automatically executed. On + such operating systems, an attacker could execute arbitrary commands with the + privileges of the script. + Use of the c_rehash script is considered obsolete and should be replaced + by the OpenSSL rehash command line tool. [bsc#1199166, CVE-2022-1292] + * Fixed a bug in the function 'OCSP_basic_verify' that verifies the signer + certificate on an OCSP response. The bug caused the function in the case + where the (non-default) flag OCSP_NOCHECKS is used to return a postivie + response (meaning a successful verification) even in the case where the + response signing certificate fails to verify. + It is anticipated that most users of 'OCSP_basic_verify' will not use the + OCSP_NOCHECKS flag. In this case the 'OCSP_basic_verify' function will return + a negative value (indicating a fatal error) in the case of a certificate + verification failure. The normal expected return value in this case would be 0. + This issue also impacts the command line OpenSSL "ocsp" application. When + verifying an ocsp response with the "-no_cert_checks" option the command line + application will report that the verification is successful even though it + has in fact failed. In this case the incorrect successful response will also + be accompanied by error messages showing the failure and contradicting the + apparently successful result. [bsc#1199167, CVE-2022-1343] + * Fixed a bug where the RC4-MD5 ciphersuite incorrectly used the + AAD data as the MAC key. This made the MAC key trivially predictable. + An attacker could exploit this issue by performing a man-in-the-middle attack + to modify data being sent from one endpoint to an OpenSSL 3.0 recipient such + that the modified data would still pass the MAC integrity check. + Note that data sent from an OpenSSL 3.0 endpoint to a non-OpenSSL 3.0 + endpoint will always be rejected by the recipient and the connection will + fail at that point. Many application protocols require data to be sent from + the client to the server first. Therefore, in such a case, only an OpenSSL + 3.0 server would be impacted when talking to a non-OpenSSL 3.0 client. + [bsc#1199168, CVE-2022-1434] + * Fix a bug in the OPENSSL_LH_flush() function that breaks reuse of the memory + occuppied by the removed hash table entries. + This function is used when decoding certificates or keys. If a long lived + process periodically decodes certificates or keys its memory usage will + expand without bounds and the process might be terminated by the operating + system causing a denial of service. Also traversing the empty hash table + entries will take increasingly more time. Typically such long lived processes + might be TLS clients or TLS servers configured to accept client certificate + authentication. [bsc#1199169, CVE-2022-1473] + * The functions 'OPENSSL_LH_stats' and 'OPENSSL_LH_stats_bio' now only report + the 'num_items', 'num_nodes' and 'num_alloc_nodes' statistics. All other + statistics are no longer supported. For compatibility, these statistics are + still listed in the output but are now always reported as zero. + +------------------------------------------------------------------- +Sat Mar 19 10:05:22 UTC 2022 - Pedro Monreal + +- Enable zlib compression support [bsc#1195149] + +------------------------------------------------------------------- +Fri Mar 18 22:27:34 UTC 2022 - Pedro Monreal + +- Add crypto-policies support. + * Fix some tests that couldn't find the openssl3.cnf location + * Rebase patch: + openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch + +------------------------------------------------------------------- +Tue Mar 15 17:41:47 UTC 2022 - Pedro Monreal + +- Update to 3.0.2: [bsc#1196877, CVE-2022-0778] + * Security fix [CVE-2022-0778]: Infinite loop for non-prime moduli + in BN_mod_sqrt() reachable when parsing certificates. + * Add ciphersuites based on DHE_PSK (RFC 4279) and ECDHE_PSK + (RFC 5489) to the list of ciphersuites providing Perfect Forward + Secrecy as required by SECLEVEL >= 3. + * Made the AES constant time code for no-asm configurations + optional due to the resulting 95% performance degradation. + The AES constant time code can be enabled, for no assembly + builds, with: ./config no-asm -DOPENSSL_AES_CONST_TIME + * Fixed PEM_write_bio_PKCS8PrivateKey() to make it possible to + use empty passphrase strings. + * The negative return value handling of the certificate + verification callback was reverted. The replacement is to set + the verification retry state with the SSL_set_retry_verify() + function. + * Rebase openssl-use-versioned-config.patch + +------------------------------------------------------------------- +Tue Feb 22 18:46:13 UTC 2022 - Pedro Monreal + +- Keep CA_default and tsa_config1 default paths in openssl3.cnf +- Rebase patches: + * openssl-Override-default-paths-for-the-CA-directory-tree.patch + * openssl-use-versioned-config.patch + +------------------------------------------------------------------- +Tue Feb 1 13:55:24 UTC 2022 - Danilo Spinella + +- Fix conflict with openssl and libressl + +------------------------------------------------------------------- +Fri Jan 28 08:32:43 UTC 2022 - Simon Lees + +- Remove /etc/pki/CA from the [jsc#SLE-17856, jsc#SLE-19044] + openssl-Override-default-paths-for-the-CA-directory-tree.patch +- Remove unused patches + +------------------------------------------------------------------- +Fri Jan 21 08:18:28 UTC 2022 - Simon Lees + +- Ship openssl-3 as binary names [jsc#SLE-17856, jsc#SLE-19044] +- Use openssl3.cnf + * openssl-use-versioned-config.patch + * fix-config-in-tests.patch +- Support crypto policies + * openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch + * openssl-Override-default-paths-for-the-CA-directory-tree.patch +- Remove obsolets, not ready to force an upgrade yet + +------------------------------------------------------------------- +Thu Jan 13 10:49:26 UTC 2022 - Pedro Monreal + +- Update to 3.0.1: [bsc#1193740, CVE-2021-4044] + * RNDR and RNDRRS support in provider functions to provide + random number generation for Arm CPUs (aarch64). + * s_client and s_server apps now explicitly say when the TLS + version does not include the renegotiation mechanism. This + avoids confusion between that scenario versus when the TLS + version includes secure renegotiation but the peer lacks + support for it. + * The default SSL/TLS security level has been changed from 1 to 2. + RSA, DSA and DH keys of 1024 bits and above and less than 2048 + bits and ECC keys of 160 bits and above and less than 224 bits + were previously accepted by default but are now no longer + allowed. By default TLS compression was already disabled in + previous OpenSSL versions. At security level 2 it cannot be + enabled. + * The SSL_CTX_set_cipher_list family functions now accept + ciphers using their IANA standard names. + * The PVK key derivation function has been moved from + b2i_PVK_bio_ex() into the legacy crypto provider as an + EVP_KDF. Applications requiring this KDF will need to load + the legacy crypto provider. + * The various OBJ_* functions have been made thread safe. + * CCM8 cipher suites in TLS have been downgraded to security + level zero because they use a short authentication tag which + lowers their strength. + * Subject or issuer names in X.509 objects are now displayed + as UTF-8 strings by default. + * Parallel dual-prime 1536/2048-bit modular exponentiation + for AVX512_IFMA capable processors. + +------------------------------------------------------------------- +Tue Sep 7 14:58:35 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 + * The full list of changes since version 1.1.1 can be found in: + https://github.com/openssl/openssl/blob/master/CHANGES.md#openssl-30 + * OpenSSL 3.0 wiki: https://wiki.openssl.org/index.php/OpenSSL_3.0 + * The Migration guide: + https://github.com/openssl/openssl/blob/master/doc/man7/migration_guide.pod + +------------------------------------------------------------------- +Thu Jul 29 16:46:14 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Beta 2 + * The ERR_GET_FUNC() function was removed. With the loss of + meaningful function codes, this function can only cause problems + for calling applications. + * While a callback function set via 'SSL_CTX_set_cert_verify_callback()' + is not allowed to return a value > 1, this is no more taken as + failure. + * Deprecated the obsolete X9.31 RSA key generation related + functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), + and BN_X931_generate_prime_ex(). +- Remove openssl-ppc64-fix-build.patch fixed upstream + +------------------------------------------------------------------- +Mon Jul 5 14:29:05 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Beta 1 + * Add a configurable flag to output date formats as ISO 8601. + Does not change the default date format. + * Version of MSVC earlier than 1300 could get link warnings, which + could be suppressed if the undocumented -DI_CAN_LIVE_WITH_LNK4049 + was set. Support for this flag has been removed. + * Rework and make DEBUG macros consistent. Remove unused + -DCONF_DEBUG, -DBN_CTX_DEBUG, and REF_PRINT. Add a new tracing + category and use it for printing reference counts. Rename + -DDEBUG_UNUSED to -DUNUSED_RESULT_DEBUG. Fix BN_DEBUG_RAND so it + compiles and, when set, force DEBUG_RAND to be set also. Rename + engine_debug_ref to be ENGINE_REF_PRINT also for consistency. + * The public definitions of conf_method_st and conf_st have been + deprecated. They will be made opaque in a future release. + * Many functions in the EVP_ namespace that are getters of values + from implementations or contexts were renamed to include get or + get0 in their names. Old names are provided as macro aliases for + compatibility and are not deprecated. + * PKCS#5 PBKDF1 key derivation has been moved from PKCS5_PBE_keyivgen() + into the legacy crypto provider as an EVP_KDF. Applications requiring + this KDF will need to load the legacy crypto provider. This includes + these PBE algorithms which use this KDF: + - NID_pbeWithMD2AndDES_CBC - NID_pbeWithMD5AndDES_CBC + - NID_pbeWithSHA1AndRC2_CBC - NID_pbeWithMD2AndRC2_CBC + - NID_pbeWithMD5AndRC2_CBC - NID_pbeWithSHA1AndDES_CBC + * Deprecated obsolete BIO_set_callback(), BIO_get_callback(), and + BIO_debug_callback() functions. +- Fix build on ppc and ppc64 + * Add openssl-ppc64-fix-build.patch + * See https://github.com/openssl/openssl/issues/15923 + +------------------------------------------------------------------- +Fri Jun 11 13:17:54 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Alpha 17 + * Added migration guide to man7 + * Implemented support for fully "pluggable" TLSv1.3 groups + * Added convenience functions for generating asymmetric key pairs. + * Added a proper HTTP client supporting GET with optional redirection, + POST, arbitrary request and response content types, TLS, persistent + connections, connections via HTTP(s) proxies, connections and + exchange via user-defined BIOs (allowing implicit connections), and + timeout checks. + +------------------------------------------------------------------- +Mon May 10 02:13:06 UTC 2021 - Jason Sikes + +- Update to 3.0.0. Alpha 16 + * Mark pop/clear error stack in der2key_decode_p8 + +------------------------------------------------------------------- +Sat May 1 19:58:48 UTC 2021 - Jason Sikes + +- Update to 3.0.0 Alpha 15 + * The default manual page suffix ($MANSUFFIX) has been changed to "ossl" + * Added support for Kernel TLS (KTLS). In order to use KTLS, support for it + must be compiled in using the "enable-ktls" compile time option. It must + also be enabled at run time using the SSL_OP_ENABLE_KTLS option. + * The error return values from some control calls (ctrl) have changed. + One significant change is that controls which used to return -2 for + invalid inputs, now return -1 indicating a generic error condition instead. + * Removed EVP_PKEY_set_alias_type(). + * All of these low level RSA functions have been deprecated without + replacement: + RSA_blinding_off, RSA_blinding_on, RSA_clear_flags, RSA_get_version, + RSAPrivateKey_dup, RSAPublicKey_dup, RSA_set_flags, RSA_setup_blinding and + RSA_test_flags. + * All of these RSA flags have been deprecated without replacement: + RSA_FLAG_BLINDING, RSA_FLAG_CACHE_PRIVATE, RSA_FLAG_CACHE_PUBLIC, + RSA_FLAG_EXT_PKEY, RSA_FLAG_NO_BLINDING, RSA_FLAG_THREAD_SAFE and + RSA_METHOD_FLAG_NO_CHECK. + * These low level DH functions have been deprecated without replacement: + DH_clear_flags, DH_get_1024_160, DH_get_2048_224, DH_get_2048_256, + DH_set_flags and DH_test_flags. + The DH_FLAG_CACHE_MONT_P flag has been deprecated without replacement. + The DH_FLAG_TYPE_DH and DH_FLAG_TYPE_DHX have been deprecated. Use + EVP_PKEY_is_a() to determine the type of a key. There is no replacement for + setting these flags. + * These low level DSA functions have been deprecated without replacement: + DSA_clear_flags, DSA_dup_DH, DSAparams_dup, DSA_set_flags and + DSA_test_flags. + * The DSA_FLAG_CACHE_MONT_P flag has been deprecated without replacement. + * Reworked the treatment of EC EVP_PKEYs with the SM2 curve to + automatically become EVP_PKEY_SM2 rather than EVP_PKEY_EC. This is a breaking + change from previous OpenSSL versions. + Unlike in previous OpenSSL versions, this means that applications must not + call 'EVP_PKEY_set_alias_type(pkey, EVP_PKEY_SM2)' to get SM2 computations. + The 'EVP_PKEY_set_alias_type' function has now been removed. + * Parameter and key generation is also reworked to make it possible + to generate EVP_PKEY_SM2 parameters and keys. Applications must now generate + SM2 keys directly and must not create an EVP_PKEY_EC key first. + +------------------------------------------------------------------- +Mon Apr 19 12:35:57 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Alpha 14 + * A public key check is now performed during EVP_PKEY_derive_set_peer(). + Previously DH was internally doing this during EVP_PKEY_derive(). + * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT, + EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT, + EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations + are deprecated. They are not invoked by the OpenSSL library anymore and + are replaced by direct checks of the key operation against the key type + when the operation is initialized. + * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for + more key types including RSA, DSA, ED25519, X25519, ED448 and X448. + Previously (in 1.1.1) they would return -2. For key types that do not have + parameters then EVP_PKEY_param_check() will always return 1. + * The output from numerous "printing" functions such as X509_signature_print(), + X509_print_ex(), X509_CRL_print_ex(), and other similar functions has been + amended such that there may be cosmetic differences between the output + observed in 1.1.1 and 3.0. This also applies to the "-text" output from the + x509 and crl applications. + * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) + for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations. + As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present. + Correct the semantics of checking the validation chain in case ESSCertID{,v2} + contains more than one certificate identifier: This means that all + certificates referenced there MUST be part of the validation chain. + * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA + capable processors. + * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM + parameter (RFC 5084) for the Cryptographic Message Syntax (CMS). Its purpose + is to support encryption and decryption of a digital envelope that is both + authenticated and encrypted using AES GCM mode. + +------------------------------------------------------------------- +Wed Apr 14 17:55:21 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Alpha 13 + * A public key check is now performed during EVP_PKEY_derive_set_peer(). + Previously DH was internally doing this during EVP_PKEY_derive(). + To disable this check use EVP_PKEY_derive_set_peer_ex(dh, peer, 0). This + may mean that an error can occur in EVP_PKEY_derive_set_peer() rather than + during EVP_PKEY_derive(). + * The EVP_PKEY_CTRL_PKCS7_ENCRYPT, EVP_PKEY_CTRL_PKCS7_DECRYPT, + EVP_PKEY_CTRL_PKCS7_SIGN, EVP_PKEY_CTRL_CMS_ENCRYPT, + EVP_PKEY_CTRL_CMS_DECRYPT, and EVP_PKEY_CTRL_CMS_SIGN control operations + are deprecated. They are not invoked by the OpenSSL library anymore and + are replaced by direct checks of the key operation against the key type + when the operation is initialized. + * The EVP_PKEY_public_check() and EVP_PKEY_param_check() functions now work for + more key types including RSA, DSA, ED25519, X25519, ED448 and X448. + Previously (in 1.1.1) they would return -2. For key types that do not have + parameters then EVP_PKEY_param_check() will always return 1. + * The output from numerous "printing" functions such as X509_signature_print(), + X509_print_ex(), X509_CRL_print_ex(), and other similar functions has been + amended such that there may be cosmetic differences between the output + observed in 1.1.1 and 3.0. This also applies to the "-text" output from the + x509 and crl applications. + * Improved adherence to Enhanced Security Services (ESS, RFC 2634 and RFC 5035) + for the TSP and CMS Advanced Electronic Signatures (CAdES) implementations. + As required by RFC 5035 check both ESSCertID and ESSCertIDv2 if both present. + Correct the semantics of checking the validation chain in case ESSCertID{,v2} + contains more than one certificate identifier: This means that all + certificates referenced there MUST be part of the validation chain. + * Parallel dual-prime 1024-bit modular exponentiation for AVX512_IFMA + capable processors. + * Added the AuthEnvelopedData content type structure (RFC 5083) with AES-GCM + parameter (RFC 5084) for the Cryptographic Message Syntax (CMS). Its purpose + is to support encryption and decryption of a digital envelope that is both + authenticated and encrypted using AES GCM mode. + +------------------------------------------------------------------- +Fri Feb 19 08:58:35 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Alpha 12 + * The SRP APIs have been deprecated. The old APIs do not work via + providers, and there is no EVP interface to them. Unfortunately + there is no replacement for these APIs at this time. + * Add a compile time option to prevent the caching of provider + fetched algorithms. This is enabled by including the + no-cached-fetch option at configuration time. + * Combining the Configure options no-ec and no-dh no longer + disables TLSv1.3. Typically if OpenSSL has no EC or DH algorithms + then it cannot support connections with TLSv1.3. However OpenSSL + now supports "pluggable" groups through providers. + * The undocumented function X509_certificate_type() has been + deprecated; applications can use X509_get0_pubkey() and + X509_get0_signature() to get the same information. + * Deprecated the obsolete BN_pseudo_rand() and BN_pseudo_rand_range() + functions. They are identical to BN_rand() and BN_rand_range() + respectively. + * The default key generation method for the regular 2-prime RSA keys + was changed to the FIPS 186-4 B.3.6 method (Generation of Probable + Primes with Conditions Based on Auxiliary Probable Primes). This + method is slower than the original method. + * Deprecated the BN_is_prime_ex() and BN_is_prime_fasttest_ex() + functions. They are replaced with the BN_check_prime() function + that avoids possible misuse and always uses at least 64 rounds of + the Miller-Rabin primality test. + * Deprecated EVP_MD_CTX_set_update_fn() and EVP_MD_CTX_update_fn() + as they are not useful with non-deprecated functions. + +------------------------------------------------------------------- +Fri Feb 12 11:47:35 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Alpha 11 + * Deprecated the obsolete X9.31 RSA key generation related + functions BN_X931_generate_Xpq(), BN_X931_derive_prime_ex(), + and BN_X931_generate_prime_ex(). + * Deprecated the type OCSP_REQ_CTX and the functions OCSP_REQ_CTX_*(). + These were used to collect all necessary data to form a HTTP + request, and to perform the HTTP transfer with that request. + With OpenSSL 3.0, the type is OSSL_HTTP_REQ_CTX, and the + deprecated functions are replaced with OSSL_HTTP_REQ_CTX_*(). + * Validation of SM2 keys has been separated from the validation of + regular EC keys, allowing to improve the SM2 validation process + to reject loaded private keys that are not conforming to the SM2 + ISO standard. In particular, a private scalar 'k' outside the + range '1 <= k < n-1' is now correctly rejected. + * Behavior of the 'pkey' app is changed, when using the '-check' + or '-pubcheck' switches: a validation failure triggers an early + exit, returning a failure exit status to the parent process. + * Changed behavior of SSL_CTX_set_ciphersuites() and + SSL_set_ciphersuites() to ignore unknown ciphers. + * All of the low level EC_KEY functions have been deprecated. + * Functions that read and write EC_KEY objects and that assign or + obtain EC_KEY objects from an EVP_PKEY are also deprecated. + * Added the '-copy_extensions' option to the 'x509' command for use + with '-req' and '-x509toreq'. When given with the 'copy' or + 'copyall' argument, all extensions in the request are copied to + the certificate or vice versa. + * Added the '-copy_extensions' option to the 'req' command for use + with '-x509'. When given with the 'copy' or 'copyall' argument, + all extensions in the certification request are copied to the + certificate. + * The 'x509', 'req', and 'ca' commands now make sure that X.509v3 + certificates they generate are by default RFC 5280 compliant in + the following sense: There is a subjectKeyIdentifier extension + with a hash value of the public key and for not self-signed certs + there is an authorityKeyIdentifier extension with a keyIdentifier + field or issuer information identifying the signing key. This is + done unless some configuration overrides the new default behavior, + such as 'subjectKeyIdentifier = none' and 'authorityKeyIdentifier + = none'. + +------------------------------------------------------------------- +Sat Jan 9 10:05:06 UTC 2021 - Pedro Monreal + +- Update to 3.0.0 Alpha 10 (CVE-2020-1971) + * See full changelog: www.openssl.org/news/changelog.html + * Fixed NULL pointer deref in the GENERAL_NAME_cmp function + This function could crash if both GENERAL_NAMEs contain an + EDIPARTYNAME. If an attacker can control both items being + compared then this could lead to a possible denial of service + attack. OpenSSL itself uses the GENERAL_NAME_cmp function for + two purposes: + 1) Comparing CRL distribution point names between an available + CRL and a CRL distribution point embedded in an X509 certificate + 2) When verifying that a timestamp response token signer matches + the timestamp authority name (exposed via the API functions + TS_RESP_verify_response and TS_RESP_verify_token) + * The -cipher-commands and -digest-commands options of the + command line utility list has been deprecated. Instead use + the -cipher-algorithms and -digest-algorithms options. + * Additionally functions that read and write DH objects such as + d2i_DHparams, i2d_DHparams, PEM_read_DHparam, PEM_write_DHparams + and other similar functions have also been deprecated. + Applications should instead use the OSSL_DECODER and OSSL_ENCODER + APIs to read and write DH files. + +------------------------------------------------------------------- +Thu Dec 17 09:26:56 UTC 2020 - Pedro Monreal + +- Update to 3.0.0 Alpha 9 + * See also https://www.openssl.org/news/changelog.html + * Deprecated all the libcrypto and libssl error string loading + functions. Calling these functions is not necessary since + OpenSSL 1.1.0, as OpenSSL now loads error strings automatically. + * The functions SSL_CTX_set_tmp_dh_callback and SSL_set_tmp_dh_callback, as + well as the macros SSL_CTX_set_tmp_dh() and SSL_set_tmp_dh() have been + deprecated. These are used to set the Diffie-Hellman (DH) parameters that + are to be used by servers requiring ephemeral DH keys. Instead applications + should consider using the built-in DH parameters that are available by + calling SSL_CTX_set_dh_auto() or SSL_set_dh_auto(). + * The -crypt option to the passwd command line tool has been removed. + * The -C option to the x509, dhparam, dsaparam, and ecparam commands + has been removed. + * Added several checks to X509_verify_cert() according to requirements in + RFC 5280 in case 'X509_V_FLAG_X509_STRICT' is set (which may be done by + using the CLI option '-x509_strict'): + - The basicConstraints of CA certificates must be marked critical. + - CA certificates must explicitly include the keyUsage extension. + - If a pathlenConstraint is given the key usage keyCertSign must be allowed. + - The issuer name of any certificate must not be empty. + - The subject name of CA certs, certs with keyUsage crlSign, + and certs without subjectAlternativeName must not be empty. + - If a subjectAlternativeName extension is given it must not be empty. + - The signatureAlgorithm field and the cert signature must be consistent. + - Any given authorityKeyIdentifier and any given subjectKeyIdentifier + must not be marked critical. + - The authorityKeyIdentifier must be given for X.509v3 certs + unless they are self-signed. + - The subjectKeyIdentifier must be given for all X.509v3 CA certs. + * Certificate verification using X509_verify_cert() meanwhile rejects EC keys + with explicit curve parameters (specifiedCurve) as required by RFC 5480. + +------------------------------------------------------------------- +Thu Nov 5 18:36:23 UTC 2020 - Pedro Monreal + +- Update to 3.0.0 Alpha 8 + * Add support for AES Key Wrap inverse ciphers to the EVP layer. + The algorithms are: "AES-128-WRAP-INV", "AES-192-WRAP-INV", + "AES-256-WRAP-INV", "AES-128-WRAP-PAD-INV", "AES-192-WRAP-PAD-INV" + and "AES-256-WRAP-PAD-INV". The inverse ciphers use AES decryption + for wrapping, and AES encryption for unwrapping. + * Deprecated EVP_PKEY_set1_tls_encodedpoint() and + EVP_PKEY_get1_tls_encodedpoint(). These functions were previously + used by libssl to set or get an encoded public key in/from an + EVP_PKEY object. With OpenSSL 3.0 these are replaced by the more + generic functions EVP_PKEY_set1_encoded_public_key() and + EVP_PKEY_get1_encoded_public_key(). The old versions have been + converted to deprecated macros that just call the new functions. + * The security callback, which can be customised by application + code, supports the security operation SSL_SECOP_TMP_DH. This is + defined to take an EVP_PKEY in the "other" parameter. In most + places this is what is passed. All these places occur server side. + However there was one client side call of this security operation + and it passed a DH object instead. This is incorrect according to + the definition of SSL_SECOP_TMP_DH, and is inconsistent with all + of the other locations. Therefore this client side call has been + changed to pass an EVP_PKEY instead. + * Added new option for 'openssl list', '-providers', which will + display the list of loaded providers, their names, version and + status. It optionally displays their gettable parameters. + * Deprecated pthread fork support methods. These were unused so no + replacement is required. OPENSSL_fork_prepare(), + OPENSSL_fork_parent() and OPENSSL_fork_child(). +- Remove openssl-AES_XTS.patch fixed upstream + +------------------------------------------------------------------- +Fri Oct 16 10:58:53 UTC 2020 - Pedro Monreal + +- Fix build on ppc* architectures + * Fix tests failing: 30-test_acvp.t and 30-test_evp.t + * https://github.com/openssl/openssl/pull/13133 +- Add openssl-AES_XTS.patch for ppc64, ppc64le and aarch64 + +------------------------------------------------------------------- +Fri Oct 16 08:43:10 UTC 2020 - Pedro Monreal + +- Re-enable test 81-test_cmp_cli.t fixed upstream + +------------------------------------------------------------------- +Thu Oct 15 16:44:44 UTC 2020 - Pedro Monreal + +- Update to 3.0.0 Alpha 7 + * Add PKCS7_get_octet_string() and PKCS7_type_is_other() to the public + interface. Their functionality remains unchanged. + * Deprecated EVP_PKEY_set_alias_type(). This function was previously + needed as a workaround to recognise SM2 keys. With OpenSSL 3.0, this key + type is internally recognised so the workaround is no longer needed. + * Deprecated EVP_PKEY_CTX_set_rsa_keygen_pubexp() & introduced + EVP_PKEY_CTX_set1_rsa_keygen_pubexp(), which is now preferred. + * Changed all "STACK" functions to be macros instead of inline functions. + Macro parameters are still checked for type safety at compile time via + helper inline functions. + * Remove the RAND_DRBG API: + The RAND_DRBG API did not fit well into the new provider concept as + implemented by EVP_RAND and EVP_RAND_CTX. The main reason is that the + RAND_DRBG API is a mixture of 'front end' and 'back end' API calls + and some of its API calls are rather low-level. This holds in particular + for the callback mechanism (RAND_DRBG_set_callbacks()). + Adding a compatibility layer to continue supporting the RAND_DRBG API as + a legacy API for a regular deprecation period turned out to come at the + price of complicating the new provider API unnecessarily. Since the + RAND_DRBG API exists only since version 1.1.1, it was decided by the OMC + to drop it entirely. + * Added the options '-crl_lastupdate' and '-crl_nextupdate' to 'openssl ca', + allowing the 'lastUpdate' and 'nextUpdate' fields in the generated CRL to + be set explicitly. + * 'PKCS12_parse' now maintains the order of the parsed certificates + when outputting them via '*ca' (rather than reversing it). +- Update openssl-DEFAULT_SUSE_cipher.patch + +------------------------------------------------------------------- +Fri Aug 7 14:42:42 UTC 2020 - Callum Farmer + +- Removed 0001-Fix-typo-for-SSL_get_peer_certificate.patch: + contained in upstream. +- Update to 3.0.0 Alpha 6 + * Added util/check-format.pl for checking adherence to the coding guidelines. + * Allow SSL_set1_host() and SSL_add1_host() to take IP literal addresses + as well as actual hostnames. + * The 'MinProtocol' and 'MaxProtocol' configuration commands now silently + ignore TLS protocol version bounds when configuring DTLS-based contexts, and + conversely, silently ignore DTLS protocol version bounds when configuring + TLS-based contexts. The commands can be repeated to set bounds of both + types. The same applies with the corresponding "min_protocol" and + "max_protocol" command-line switches, in case some application uses both TLS + and DTLS. SSL_CTX instances that are created for a fixed protocol version (e.g. + TLSv1_server_method()) also silently ignore version bounds. Previously + attempts to apply bounds to these protocol versions would result in an + error. Now only the "version-flexible" SSL_CTX instances are subject to + limits in configuration files in command-line options. + +------------------------------------------------------------------- +Mon Jul 20 08:40:26 UTC 2020 - Vítězslav Čížek + +- Fix linking when the deprecated SSL_get_per_certificate() is in use + * https://github.com/openssl/openssl/pull/12468 + * add 0001-Fix-typo-for-SSL_get_peer_certificate.patch + +------------------------------------------------------------------- +Fri Jul 17 08:34:45 UTC 2020 - Pedro Monreal Gonzalez + +- Update to 3.0.0 Alpha 5 + * Deprecated the 'ENGINE' API. Engines should be replaced with + providers going forward. + * Reworked the recorded ERR codes to make better space for system errors. + To distinguish them, the macro 'ERR_SYSTEM_ERROR()' indicates + if the given code is a system error (true) or an OpenSSL error (false). + * Reworked the test perl framework to better allow parallel testing. + * Added ciphertext stealing algorithms AES-128-CBC-CTS, AES-192-CBC-CTS and + AES-256-CBC-CTS to the providers. CS1, CS2 and CS3 variants are supported. + * 'Configure' has been changed to figure out the configuration target if + none is given on the command line. Consequently, the 'config' script is + now only a mere wrapper. All documentation is changed to only mention + 'Configure'. + * Added a library context that applications as well as other libraries can use + to form a separate context within which libcrypto operations are performed. + - There are two ways this can be used: + 1) Directly, by passing a library context to functions that take + such an argument, such as 'EVP_CIPHER_fetch' and similar algorithm + fetching functions. + 2) Indirectly, by creating a new library context and then assigning + it as the new default, with 'OPENSSL_CTX_set0_default'. + - All public OpenSSL functions that take an 'OPENSSL_CTX' pointer, + apart from the functions directly related to 'OPENSSL_CTX', accept + NULL to indicate that the default library context should be used. + - Library code that changes the default library context using + 'OPENSSL_CTX_set0_default' should take care to restore it with a + second call before returning to the caller. + * The security strength of SHA1 and MD5 based signatures in TLS has been + reduced. This results in SSL 3, TLS 1.0, TLS 1.1 and DTLS 1.0 no longer + working at the default security level of 1 and instead requires security + level 0. The security level can be changed either using the cipher string + with @SECLEVEL, or calling SSL_CTX_set_security_level(). + * The SSL option SSL_OP_CLEANSE_PLAINTEXT is introduced. If that option is + set, openssl cleanses (zeroize) plaintext bytes from internal buffers + after delivering them to the application. Note, the application is still + responsible for cleansing other copies (e.g.: data received by SSL_read(3)). +- Update openssl-ppc64-config.patch + +------------------------------------------------------------------- +Fri Jun 26 07:20:40 UTC 2020 - Vítězslav Čížek + +- Update to 3.0.0 Alpha 4 + * general improvements to the built-in providers, the providers API and the internal plumbing and the provider-aware mechanisms for libssl + * general improvements and fixes in the CLI apps + * support for Automated Cryptographic Validation Protocol (ACVP) tests + * fully pluggable TLS key exchange capability from providers + * finalization of the Certificate Management Protocol (CMP) contribution, adding an impressive amount of tests for the new features + * default to the newer SP800-56B compliant algorithm for RSA keygen + * provider-rand: PRNG functionality backed by providers + * refactored naming scheme for dispatched functions (#12222) + * fixes for various issues + * extended and improved test coverage + * additions and improvements to the documentations +- Fix license: Apache-2.0 +- temporarily disable broken 81-test_cmp_cli.t test + * https://github.com/openssl/openssl/issues/12324 + +------------------------------------------------------------------- +Thu Jun 4 20:24:04 UTC 2020 - Vítězslav Čížek + +- Update to 3.0.0 Alpha 3 + * general improvements to the built-in providers, the providers API and the internal plumbing and the provider-aware mechanisms for libssl; + * general improvements and fixes in the CLI apps; + * cleanup of the EC API: + EC_METHOD became an internal-only concept, and functions using or returning EC_METHOD arguments have been deprecated; + EC_POINT_make_affine() and EC_POINTs_make_affine() have been deprecated in favor of automatic internal handling of conversions when needed; + EC_GROUP_precompute_mult(), EC_GROUP_have_precompute_mult(), and EC_KEY_precompute_mult() have been deprecated, as such precomputation data is now rarely used; + EC_POINTs_mul() has been deprecated, as for cryptographic applications EC_POINT_mul() is enough. + * the CMS API got support for CAdES-BES signature verification; + * introduction of a new SSL_OP_IGNORE_UNEXPECTED_EOF option; + * improvements to the RSA OAEP support; + * FFDH support in the speed app; + * CI: added external testing through the GOST engine; + * fixes for various issues; + * extended and improved test coverage; + * additions and improvements to the documentations. + +------------------------------------------------------------------- +Sat May 23 14:06:54 UTC 2020 - Jan Engelhardt + +- Use find -exec +. Replace 'pwd' by simply $PWD. +- Drop Obsoletes on libopenssl1*. libopenssl3 has a new SONAME and + does not conflict with anything previously. + +------------------------------------------------------------------- +Wed May 20 12:46:24 UTC 2020 - Vítězslav Čížek + +- Obsolete openssl 1.1 +- Update baselibs.conf +- Set man page permissions to 644 + +------------------------------------------------------------------- +Fri May 15 15:29:05 UTC 2020 - Vítězslav Čížek + +- Update to 3.0.0 Alpha 2 + * general improvements to the built-in providers, the providers API and the internal plumbing; + * the removal of legacy API functions related to FIPS mode, replaced by new provider-based mechanisms; + * the addition of a new cmp app for RFC 4210; + * extended and improved test coverage; + * improvements to the documentations; + * fixes for various issues. +- drop obsolete version.patch + +------------------------------------------------------------------- +Thu Apr 23 19:49:05 UTC 2020 - Vítězslav Čížek + +- Initial packaging 3.0.0 Alpha 1 + * Major Release + OpenSSL 3.0 is a major release and consequently any application + that currently uses an older version of OpenSSL will at the + very least need to be recompiled in order to work with the new version. + It is the intention that the large majority of applications will + work unchanged with OpenSSL 3.0 if those applications previously + worked with OpenSSL 1.1.1. However this is not guaranteed and + some changes may be required in some cases. + * Providers and FIPS support + Providers collect together and make available algorithm implementations. + With OpenSSL 3.0 it is possible to specify, either programmatically + or via a config file, which providers you want to use for any given application + * Low Level APIs + Use of the low level APIs have been deprecated. + * Legacy Algorithms + Some cryptographic algorithms that were available via the EVP APIs + are now considered legacy and their use is strongly discouraged. + These legacy EVP algorithms are still available in OpenSSL 3.0 but not by default. + If you want to use them then you must load the legacy provider. + * Engines and "METHOD" APIs + The ENGINE API and any function that creates or modifies custom "METHODS" + are being deprecated in OpenSSL 3.0 + Authors and maintainers of external engines are strongly encouraged to + refactor their code transforming engines into providers using + the new Provider API and avoiding deprecated methods. + * Versioning Scheme + The OpenSSL versioning scheme has changed with the 3.0 release. + The new versioning scheme has this format: MAJOR.MINOR.PATCH + The patch level is indicated by the third number instead of a letter + at the end of the release version number. + A change in the second (MINOR) number indicates that new features may have been added. + OpenSSL versions with the same major number are API and ABI compatible. + If the major number changes then API and ABI compatibility is not guaranteed. + * Other major new features + Implementation of the Certificate Management Protocol (CMP, RFC 4210) + also covering CRMF (RFC 4211) and HTTP transfer (RFC 6712). + A proper HTTP(S) client in libcrypto supporting GET and POST, + redirection, plain and ASN.1-encoded contents, proxies, and timeouts + EVP_KDF APIs have been introduced for working with Key Derivation Functions + EVP_MAC APIs have been introduced for working with MACs + Support for Linux Kernel TLS diff --git a/openssl-3.spec b/openssl-3.spec new file mode 100644 index 0000000..06653ca --- /dev/null +++ b/openssl-3.spec @@ -0,0 +1,460 @@ +# +# spec file for package openssl-3 +# +# Copyright (c) 2024 SUSE LLC +# +# All modifications and additions to the file contributed by third parties +# remain the property of their copyright owners, unless otherwise agreed +# upon. The license for this file, and modifications and additions to the +# file, is the same license as for the pristine package itself (unless the +# license for the pristine package is not an Open Source License, in which +# case the license is the MIT License). An "Open Source License" is a +# license that conforms to the Open Source Definition (Version 1.9) +# published by the Open Source Initiative. + +# Please submit bugfixes or comments via https://bugs.opensuse.org/ +# + + +%define ssletcdir %{_sysconfdir}/ssl +%define sover 3 +%define _rname openssl +%define man_suffix 3ssl + +# Enable userspace livepatching. +%define livepatchable 1 + +Name: openssl-3 +Version: 3.2.3 +Release: 0 +Summary: Secure Sockets and Transport Layer Security +License: Apache-2.0 +URL: https://www.openssl.org/ +Source: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz +Source1: https://www.%{_rname}.org/source/%{_rname}-%{version}.tar.gz.asc +# https://keys.openpgp.org/search?q=openssl@openssl.org +# BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF +Source2: %{_rname}.keyring +# to get mtime of file: +Source3: %{name}.changes +Source4: baselibs.conf +Source5: showciphers.c +Source6: openssl-TESTS-Disable-default-provider-crypto-policies.patch +# PATCH-FIX-OPENSUSE: Do not install html docs as it takes ages +Patch1: openssl-no-html-docs.patch +Patch2: openssl-truststore.patch +Patch3: openssl-pkgconfig.patch +Patch4: openssl-ppc64-config.patch +Patch5: openssl-no-date.patch +# Add crypto-policies support +Patch6: openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +# PATCH-FIX-FEDORA Add FIPS_mode compatibility macro and flag support +Patch7: openssl-Add-FIPS_mode-compatibility-macro.patch +Patch8: openssl-Add-Kernel-FIPS-mode-flag-support.patch +# PATCH-FIX-FEDORA Load FIPS the provider and set FIPS properties implicitly +Patch9: openssl-Force-FIPS.patch +# PATCH-FIX-FEDORA Disable the fipsinstall command-line utility +Patch10: openssl-disable-fipsinstall.patch +# PATCH-FIX-FEDORA Instructions to load legacy provider in openssl.cnf +Patch11: openssl-load-legacy-provider.patch +# PATCH-FIX-FEDORA Embed the FIPS hmac +Patch12: openssl-FIPS-embed-hmac.patch +# PATCH-FIX-FEDORA bsc#1221786 FIPS: Use of non-Approved Elliptic Curves +Patch13: openssl-Add-changes-to-ectest-and-eccurve.patch +Patch14: openssl-Remove-EC-curves.patch +Patch15: openssl-Disable-explicit-ec.patch +Patch16: openssl-skipped-tests-EC-curves.patch +# PATCH-FIX-FEDORA bsc#1221753 bsc#1221760 bsc#1221822 FIPS: Extra public/private key checks required by FIPS-140-3 +Patch17: openssl-FIPS-140-3-keychecks.patch +# PATCH-FIX-FEDORA bsc#1221365 bsc#1221786 bsc#1221787 FIPS: Minimize fips services +Patch18: openssl-FIPS-services-minimize.patch +# PATCH-FIX-FEDORA bsc#1221760 FIPS: Execute KATS before HMAC verification +Patch19: openssl-FIPS-early-KATS.patch +# PATCH-FIX-SUSE bsc#1221787 FIPS: Approved Modulus Sizes for RSA Digital Signature for FIPS 186-4 +Patch20: openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch +# PATCH-FIX-FEDORA bsc#1221787 FIPS: Selectively disallow SHA1 signatures +Patch21: openssl-Allow-disabling-of-SHA1-signatures.patch +# # PATCH-FIX-FEDORA bsc#1221365 FIPS: Deny SHA-1 signature verification in FIPS provider +Patch22: openssl-3-FIPS-Deny-SHA-1-sigver-in-FIPS-provider.patch +# PATCH-FIX-FEDORA bsc#1221365 bsc#1221824 FIPS: Service Level Indicator is needed +Patch23: openssl-FIPS-limit-rsa-encrypt.patch +Patch24: openssl-FIPS-Expose-a-FIPS-indicator.patch +# PATCH-FIX-FEDORA bsc#1221760 FIPS: Execute KATS before HMAC verification +Patch25: openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch +# PATCH-FIX-FEDORA bsc#1221365 bsc#1221760 FIPS: Selftests are required +Patch26: openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +# PATCH-FIX-FEDORA bsc#1221760 FIPS: Selftests are required +Patch27: openssl-FIPS-Use-FFDHE2048-in-self-test.patch +# PATCH-FIX-FEDORA bsc#1220690 bsc#1220693 bsc#1220696 FIPS: Reseed DRBG +Patch28: openssl-FIPS-140-3-DRBG.patch +# PATCH-FIX-FEDORA bsc#1221752 FIPS: Zeroisation is required +Patch29: openssl-FIPS-140-3-zeroization.patch +# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed +Patch30: openssl-Add-FIPS-indicator-parameter-to-HKDF.patch +Patch31: openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch +# PATCH-FIX-FEDORA bsc#1221365 bsc#1221365 FIPS: Service Level Indicator is needed +Patch32: openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch +# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed +Patch33: openssl-FIPS-Add-explicit-indicator-for-key-length.patch +# PATCH-FIX-FEDORA bsc#1221827 FIPS: Recommendation for Password-Based Key Derivation +Patch34: openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch +# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed +Patch35: openssl-FIPS-RSA-disable-shake.patch +Patch36: openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch +# PATCH-FIX-FEDORA bsc#1221824 FIPS: NIST SP 800-56Brev2 Section 6.4.1.2.1 +Patch37: openssl-FIPS-RSA-encapsulate.patch +# PATCH-FIX-FEDORA bsc#1221821 FIPS: Disable FIPS 186-4 Domain Parameters +Patch38: openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch +# PATCH-FIX-SUSE bsc#1221365 FIPS: Service Level Indicator is needed +Patch39: openssl-3-FIPS-GCM-Implement-explicit-indicator-for-IV-gen.patch +# PATCH-FIX-FEDORA bsc#1221827 FIPS: Recommendation for Password-Based Key Derivation +Patch40: openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch +# PATCH-FIX-FEDORA bsc#1221365 FIPS: Service Level Indicator is needed +Patch41: openssl-FIPS-enforce-EMS-support.patch +# PATCH-FIX-SUSE bsc#1221824 FIPS: Add check for SP 800-56Brev2 Section 6.4.1.2.1 +Patch42: openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch +# PATCH-FIX-SUSE bsc#1220523 FIPS: Port openssl to use jitterentropy +Patch43: openssl-3-jitterentropy-3.4.0.patch +# PATCH-FIX-SUSE bsc#1221753 FIPS: Enforce error state +Patch44: openssl-FIPS-Enforce-error-state.patch +# PATCH-FIX-SUSE bsc#1221365 FIPS: Service Level Indicator is needed +Patch45: openssl-FIPS-enforce-security-checks-during-initialization.patch +# PATCH-FIX-FEDORA Adapt pairwise tests +Patch46: openssl-skip-quic-pairwise.patch +# PATCH-FIX-UPSTREAM support MSA 12 (SHA3) jsc#PED-10280 +Patch48: openssl-3-add_EVP_DigestSqueeze_api.patch +Patch49: openssl-3-support-multiple-sha3_squeeze_s390x.patch +Patch50: openssl-3-add-xof-state-handling-s3_absorb.patch +Patch51: openssl-3-fix-state-handling-sha3_absorb_s390x.patch +Patch52: openssl-3-fix-state-handling-sha3_final_s390x.patch +Patch53: openssl-3-fix-state-handling-shake_final_s390x.patch +Patch54: openssl-3-fix-state-handling-keccak_final_s390x.patch +Patch55: openssl-3-support-EVP_DigestSqueeze-in-digest-prov-s390x.patch +Patch56: openssl-3-add-defines-CPACF-funcs.patch +Patch57: openssl-3-add-hw-acceleration-hmac.patch +Patch58: openssl-3-support-CPACF-sha3-shake-perf-improvement.patch +Patch59: openssl-3-fix-s390x_sha3_absorb.patch +Patch60: openssl-3-fix-s390x_shake_squeeze.patch +# PATCH-FIX-UPSTREAM: support MSA 10 XTS jsc#PED-10273 +Patch61: openssl-3-hw-acceleration-aes-xts-s390x.patch +# PATCH-FIX-UPSTREAM: support MSA 11 HMAC jsc#PED-10274 +Patch62: openssl-3-disable-hmac-hw-acceleration-with-engine-digest.patch +Patch63: openssl-3-fix-hmac-digest-detection-s390x.patch +Patch64: openssl-3-fix-memleak-s390x_HMAC_CTX_copy.patch +# PATCH-FIX-UPSTREAM: Fix failing tests on ppc64 jsc#PED-10280 +Patch65: openssl-3-fix-sha3-squeeze-ppc64.patch +Patch66: openssl-3-fix-quic_multistream_test.patch + +BuildRequires: pkgconfig + +# ulp-macros is available according to SUSE version. +%ifarch x86_64 +%if 0%{?sle_version} >= 150400 || 0%{?suse_version} >= 1540 +BuildRequires: ulp-macros +%endif +%endif +%ifarch ppc64le +%if 0%{?sle_version} >= 150700 || 0%{?suse_version} >= 1570 +BuildRequires: gcc13 +BuildRequires: ulp-macros +%endif +%endif + +BuildRequires: pkgconfig +BuildRequires: pkgconfig(zlib) +Requires: libopenssl3 = %{version}-%{release} +Requires: openssl +Provides: ssl +# Needed for clean upgrade path, boo#1070003 +Obsoletes: openssl-1_0_0 +# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 +Obsoletes: openssl-1_1_0 +%{?suse_build_hwcaps_libs} +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 +Requires: crypto-policies +%endif + +%description +OpenSSL is a software library to be used in applications that need to +secure communications over computer networks against eavesdropping or +need to ascertain the identity of the party at the other end. +OpenSSL contains an implementation of the SSL and TLS protocols. + +%package -n libopenssl3 +Summary: Secure Sockets and Transport Layer Security +Recommends: ca-certificates-mozilla +Conflicts: %{name} < %{version}-%{release} +# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 +Obsoletes: libopenssl1_1_0 +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150400 +Requires: crypto-policies +%endif +# Merge back the hmac files bsc#1185116 +Provides: libopenssl3-hmac = %{version}-%{release} +Obsoletes: libopenssl3-hmac < %{version}-%{release} +# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 +Obsoletes: libopenssl1_1_0-hmac +# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499 +Obsoletes: libopenssl-1_0_0-hmac + +%description -n libopenssl3 +OpenSSL is a software library to be used in applications that need to +secure communications over computer networks against eavesdropping or +need to ascertain the identity of the party at the other end. +OpenSSL contains an implementation of the SSL and TLS protocols. + +%package -n libopenssl-3-devel +Summary: Development files for OpenSSL +Requires: jitterentropy-devel >= 3.4.0 +Requires: libopenssl3 = %{version} +Requires: pkgconfig(zlib) +Recommends: %{name} = %{version} +Provides: ssl-devel +Conflicts: ssl-devel +# Needed for clean upgrade from former openssl-1_1_0, boo#1081335 +Obsoletes: libopenssl-1_1_0-devel +# Needed for clean upgrade from SLE-12 openssl-1_0_0, bsc#1158499 +Obsoletes: libopenssl-1_0_0-devel + +%description -n libopenssl-3-devel +This subpackage contains header files for developing applications +that want to make use of the OpenSSL C API. + +%package -n libopenssl-3-fips-provider +Summary: OpenSSL FIPS provider +Requires: libjitterentropy3 >= 3.4.0 +Requires: libopenssl3 >= %{version} +BuildRequires: fipscheck +BuildRequires: jitterentropy-devel >= 3.4.0 + +%description -n libopenssl-3-fips-provider +This package contains the OpenSSL FIPS provider. + +%package doc +Summary: Manpages and additional documentation for openssl +Conflicts: libopenssl-3-devel < %{version}-%{release} +Conflicts: openssl-doc +Provides: openssl-doc = %{version} +Obsoletes: openssl-doc < %{version} +BuildArch: noarch + +%description doc +This package contains optional documentation provided in addition to +this package's base documentation. + +%prep +%autosetup -p1 -n %{_rname}-%{version} + +%build +%ifarch armv5el armv5tel +export MACHINE=armv5el +%endif +%ifarch armv6l armv6hl +export MACHINE=armv6l +%endif + +# In ppc64le we need gcc-13 for userspace livepatching until we have the +# required -fpatchable-functions-entry patch merged into the mainline +%ifarch ppc64le +%if 0%{?sle_version} >= 150700 || 0%{?suse_version} >= 1570 +export CC=gcc-13 +export CXX=g++-13 +%endif +%endif +./Configure \ + enable-camellia \ +%ifarch x86_64 aarch64 ppc64le + enable-ec_nistp_64_gcc_128 \ +%endif + enable-fips \ + enable-jitterentropy \ + enable-ktls \ + enable-rfc3779 \ + enable-seed \ + no-afalgeng \ + no-ec2m \ + no-mdc2 \ + zlib \ + --prefix=%{_prefix} \ + --libdir=%{_lib} \ + --openssldir=%{ssletcdir} \ + %{optflags} \ + %{?cflags_livepatching} \ + -Wa,--noexecstack \ + -Wl,-z,relro,-z,now \ + -fno-common \ + -DTERMIO \ + -DPURIFY \ + -D_GNU_SOURCE \ + '-DSUSE_OPENSSL_RELEASE="\"%{release}\""' \ + -DOPENSSL_NO_BUF_FREELISTS \ + $(getconf LFS_CFLAGS) \ + -Wall \ + --with-rand-seed=getrandom,jitterentropy \ + --system-ciphers-file=%{_sysconfdir}/crypto-policies/back-ends/openssl.config + +# Show build configuration +perl configdata.pm --dump + +# Do not run this in a production package the FIPS symbols must be patched-in +# util/mkdef.pl crypto update + +%make_build depend +%make_build all + +%check +# Relax the crypto-policies requirements and disable the default +# provider for the test suite regression tests +patch -p1 < %{SOURCE6} +export OPENSSL_SYSTEM_CIPHERS_OVERRIDE=xyz_nonexistent_file +export MALLOC_CHECK_=3 +export MALLOC_PERTURB_=$(($RANDOM % 255 + 1)) +# export HARNESS_VERBOSE=yes +# Embed HMAC into fips provider for test run +OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < providers/fips.so > providers/fips.so.hmac +objcopy --update-section .rodata1=providers/fips.so.hmac providers/fips.so providers/fips.so.mac +mv providers/fips.so.mac providers/fips.so + +# Run the tests in non FIPS mode +LD_LIBRARY_PATH="$PWD" make test -j16 + +# Run the tests also in FIPS mode +# OPENSSL_FORCE_FIPS_MODE=1 LD_LIBRARY_PATH="$PWD" make TESTS='-test_evp_fetch_prov -test_tsa' test -j16 || : + +# Add generation of HMAC checksum of the final stripped library +# We manually copy standard definition of __spec_install_post +# and add hmac calculation/embedding to fips.so +%define __spec_install_post \ + %{?__debug_package:%{__debug_install_post}} \ + %{__arch_install_post} \ + %{__os_install_post} \ + OPENSSL_CONF=/dev/null LD_LIBRARY_PATH=. apps/openssl dgst -binary -sha256 -mac HMAC -macopt hexkey:f4556650ac31d35461610bac4ed81b1a181b2d8a43ea2854cbae22ca74560813 < %{buildroot}%{_libdir}/ossl-modules/fips.so > %{buildroot}%{_libdir}/ossl-modules/fips.so.hmac \ + objcopy --update-section .rodata1=%{buildroot}%{_libdir}/ossl-modules/fips.so.hmac %{buildroot}%{_libdir}/ossl-modules/fips.so %{buildroot}%{_libdir}/ossl-modules/fips.so.mac \ + mv %{buildroot}%{_libdir}/ossl-modules/fips.so.mac %{buildroot}%{_libdir}/ossl-modules/fips.so \ + rm %{buildroot}%{_libdir}/ossl-modules/fips.so.hmac \ +%{nil} + +# show ciphers +gcc -o showciphers %{optflags} -I%{buildroot}%{_includedir} %{SOURCE5} -L%{buildroot}%{_libdir} -lssl -lcrypto +LD_LIBRARY_PATH=%{buildroot}%{_libdir} ./showciphers + +%install +%{?pack_ipa_dumps} +%make_install %{?_smp_mflags} MANSUFFIX=%{man_suffix} + +rename so.%{sover} so.%{version} %{buildroot}%{_libdir}/*.so.%{sover} +for lib in %{buildroot}%{_libdir}/*.so.%{version} ; do + chmod 755 ${lib} + ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version}) + ln -sf $(basename ${lib}) %{buildroot}%{_libdir}/$(basename ${lib} .%{version}).%{sover} +done + +# Remove static libraries +rm -f %{buildroot}%{_libdir}/*.a + +# Remove the cnf.dist +rm -f %{buildroot}%{ssletcdir}/openssl.cnf.dist +rm -f %{buildroot}%{ssletcdir}/ct_log_list.cnf.dist + +# Make a copy of the default openssl.cnf file +cp %{buildroot}%{ssletcdir}/openssl.cnf %{buildroot}%{ssletcdir}/openssl-orig.cnf + +# Create openssl ca-certificates dir required by nodejs regression tests [bsc#1207484] +mkdir -p %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl +install -d -m 555 %{buildroot}%{_localstatedir}/lib/ca-certificates/openssl + +# Remove the fipsmodule.cnf because FIPS module is loaded automatically in FIPS mode +rm -f %{buildroot}%{ssletcdir}/fipsmodule.cnf + +ln -sf ./%{_rname} %{buildroot}/%{_includedir}/ssl +mkdir %{buildroot}/%{_datadir}/ssl +mv %{buildroot}/%{ssletcdir}/misc %{buildroot}/%{_datadir}/ssl/ + +# Add the FIPS module configuration from crypto-policies since SP6 +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600 +ln -s %{_sysconfdir}/crypto-policies/back-ends/openssl_fips.config %{buildroot}%{ssletcdir}/fips_local.cnf +%endif + +# Avoid file conflicts with man pages from other packages +pushd %{buildroot}/%{_mandir} +find . -type f -exec chmod 644 {} + +mv man5/config.5%{man_suffix} man5/openssl.cnf.5 +popd + +# Do not install demo scripts executable under /usr/share/doc +find demos -type f -perm /111 -exec chmod 644 {} + + +# Place showciphers.c for %%doc macro +cp %{SOURCE5} . + +# Compute the FIPS hmac using the brp-50-generate-fips-hmac script +export BRP_FIPSHMAC_FILES="%{buildroot}%{_libdir}/libssl.so.%{sover} %{buildroot}%{_libdir}/libcrypto.so.%{sover}" + +%post -p "/bin/bash" +if [ "$1" -gt 1 ] ; then + # Check if the packaged default config file for openssl-3, called openssl.cnf, + # is the original or if it has been modified and alert the user in that case + # that a copy of the original file openssl-orig.cnf can be used if needed. + cmp --silent %{ssletcdir}/openssl.cnf %{ssletcdir}/openssl-orig.cnf 2>/dev/null + if [ "$?" -eq 1 ] ; then + echo -e " The openssl-3 default config file openssl.cnf is different from" ; + echo -e " the original one shipped by the package. A copy of the original" ; + echo -e " file is packaged and named as openssl-orig.cnf if needed." + fi +fi + +%pre + +%post -n libopenssl3 -p /sbin/ldconfig +%postun -n libopenssl3 -p /sbin/ldconfig + +%files -n libopenssl3 +%license LICENSE.txt +%attr(0755,root,root) %{_libdir}/libssl.so.%{version} +%{_libdir}/libssl.so.%{sover} +%attr(0755,root,root) %{_libdir}/libcrypto.so.%{version} +%{_libdir}/libcrypto.so.%{sover} +%{_libdir}/engines-%{sover} +%dir %{_libdir}/ossl-modules +%{_libdir}/ossl-modules/legacy.so +%{_libdir}/.libssl.so.%{sover}.hmac +%{_libdir}/.libcrypto.so.%{sover}.hmac + +%files -n libopenssl-3-fips-provider +%{_libdir}/ossl-modules/fips.so + +%files -n libopenssl-3-devel +%doc NOTES*.md CONTRIBUTING.md HACKING.md AUTHORS.md ACKNOWLEDGEMENTS.md +%{_includedir}/%{_rname}/ +%{_includedir}/ssl +%{_libdir}/*.so +%{_libdir}/pkgconfig/*.pc + +%files doc +%doc README.md +%doc doc/html/* doc/HOWTO/* demos +%doc showciphers.c +%{_mandir}/man3/* + +%files +%license LICENSE.txt +%doc CHANGES.md NEWS.md README.md +%dir %{ssletcdir} +%config %{ssletcdir}/openssl-orig.cnf +%config (noreplace) %{ssletcdir}/openssl.cnf +%config (noreplace) %{ssletcdir}/ct_log_list.cnf +%if 0%{?suse_version} >= 1550 || 0%{?sle_version} >= 150600 +%config %{ssletcdir}/fips_local.cnf +%endif +%attr(700,root,root) %{ssletcdir}/private +%dir %{_datadir}/ssl +%{_datadir}/ssl/misc +%dir %{_localstatedir}/lib/ca-certificates/ +%dir %{_localstatedir}/lib/ca-certificates/openssl +%{_bindir}/%{_rname} +%{_bindir}/c_rehash +%{_mandir}/man1/* +%{_mandir}/man5/* +%{_mandir}/man7/* + +%changelog diff --git a/openssl-Add-FIPS-indicator-parameter-to-HKDF.patch b/openssl-Add-FIPS-indicator-parameter-to-HKDF.patch new file mode 100644 index 0000000..02399c6 --- /dev/null +++ b/openssl-Add-FIPS-indicator-parameter-to-HKDF.patch @@ -0,0 +1,911 @@ +From 2290280617183863eb15425b8925765966723725 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Thu, 11 Aug 2022 09:27:12 +0200 +Subject: KDF: Add FIPS indicators + +FIPS requires a number of restrictions on the parameters of the various +key derivation functions implemented in OpenSSL. The KDFs that use +digest algorithms usually should not allow SHAKE (due to FIPS 140-3 IG +C.C). Additionally, some application-specific KDFs have further +restrictions defined in SP 800-135r1. + +Generally, all KDFs shall use a key-derivation key length of at least +112 bits due to SP 800-131Ar2 section 8. Additionally any use of a KDF +to generate and output length of less than 112 bits will also set the +indicator to unapproved. + +Add explicit indicators to all KDFs usable in FIPS mode except for +PBKDF2 (which has its specific FIPS limits already implemented). The +indicator can be queried using EVP_KDF_CTX_get_params() after setting +the required parameters and keys for the KDF. + +Our FIPS provider implements SHA1, SHA2 (both -256 and -512, and the +truncated variants -224 and -384) and SHA3 (-256 and -512, and the +truncated versions -224 and -384), as well as SHAKE-128 and -256. + +The SHAKE functions are generally not allowed in KDFs. For the rest, the +support matrix is: + + KDF | SHA-1 | SHA-2 | SHA-2 truncated | SHA-3 | SHA-3 truncated +========================================================================== +KBKDF | x | x | x | x | x +HKDF | x | x | x | x | x +TLS1PRF | | SHA-{256,384,512} only | | +SSHKDF | x | x | x | | +SSKDF | x | x | x | x | x +X9.63KDF | | x | x | x | x +X9.42-ASN1 | x | x | x | x | x +TLS1.3PRF | | SHA-{256,384} only | | + +Signed-off-by: Clemens Lang +Resolves: rhbz#2160733 rhbz#2164763 +Related: rhbz#2114772 rhbz#2141695 +--- + include/crypto/evp.h | 7 ++ + include/openssl/kdf.h | 4 + + providers/implementations/kdfs/hkdf.c | 100 +++++++++++++++++++++- + providers/implementations/kdfs/kbkdf.c | 82 ++++++++++++++++-- + providers/implementations/kdfs/sshkdf.c | 75 +++++++++++++++- + providers/implementations/kdfs/sskdf.c | 100 +++++++++++++++++++++- + providers/implementations/kdfs/tls1_prf.c | 74 +++++++++++++++- + providers/implementations/kdfs/x942kdf.c | 66 +++++++++++++- + util/perl/OpenSSL/paramnames.pm | 1 + + 9 files changed, 487 insertions(+), 22 deletions(-) + +diff --git a/include/crypto/evp.h b/include/crypto/evp.h +index e70d8e9e84..76fb990de4 100644 +--- a/include/crypto/evp.h ++++ b/include/crypto/evp.h +@@ -219,6 +219,13 @@ struct evp_mac_st { + OSSL_FUNC_mac_set_ctx_params_fn *set_ctx_params; + }; + ++#ifdef FIPS_MODULE ++/* According to NIST Special Publication 800-131Ar2, Section 8: Deriving ++ * Additional Keys from a Cryptographic Key, "[t]he length of the ++ * key-derivation key [i.e., the input key] shall be at least 112 bits". */ ++# define EVP_KDF_FIPS_MIN_KEY_LEN (112 / 8) ++#endif ++ + struct evp_kdf_st { + OSSL_PROVIDER *prov; + int name_id; +diff --git a/include/openssl/kdf.h b/include/openssl/kdf.h +index 0983230a48..86171635ea 100644 +--- a/include/openssl/kdf.h ++++ b/include/openssl/kdf.h +@@ -63,6 +63,10 @@ int EVP_KDF_names_do_all(const EVP_KDF *kdf, + # define EVP_KDF_HKDF_MODE_EXTRACT_ONLY 1 + # define EVP_KDF_HKDF_MODE_EXPAND_ONLY 2 + ++# define EVP_KDF_SUSE_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED 1 ++# define EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED 2 ++ + #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_CLI_TO_SRV 65 + #define EVP_KDF_SSHKDF_TYPE_INITIAL_IV_SRV_TO_CLI 66 + #define EVP_KDF_SSHKDF_TYPE_ENCRYPTION_KEY_CLI_TO_SRV 67 +diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c +index dfa7786bde..f01e40ff5a 100644 +--- a/providers/implementations/kdfs/hkdf.c ++++ b/providers/implementations/kdfs/hkdf.c +@@ -42,6 +42,7 @@ static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; + static OSSL_FUNC_kdf_set_ctx_params_fn kdf_hkdf_set_ctx_params; + static OSSL_FUNC_kdf_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; + static OSSL_FUNC_kdf_get_ctx_params_fn kdf_hkdf_get_ctx_params; ++static OSSL_FUNC_kdf_newctx_fn kdf_tls1_3_new; + static OSSL_FUNC_kdf_derive_fn kdf_tls1_3_derive; + static OSSL_FUNC_kdf_settable_ctx_params_fn kdf_tls1_3_settable_ctx_params; + static OSSL_FUNC_kdf_set_ctx_params_fn kdf_tls1_3_set_ctx_params; +@@ -85,6 +86,10 @@ typedef struct { + size_t data_len; + unsigned char *info; + size_t info_len; ++ int is_tls13; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_HKDF; + + static void *kdf_hkdf_new(void *provctx) +@@ -170,6 +175,11 @@ static int kdf_hkdf_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + switch (ctx->mode) { + case EVP_KDF_HKDF_MODE_EXTRACT_AND_EXPAND: + default: +@@ -318,22 +318,85 @@ static int kdf_hkdf_get_ctx_params(void + { + KDF_HKDF *ctx = (KDF_HKDF *)vctx; + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { + size_t sz = kdf_hkdf_size(ctx); + ++ any_valid = 1; + if (sz == 0) + return 0; + return OSSL_PARAM_set_size_t(p, sz); + } + if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) { ++ any_valid = 1; + if (ctx->info == NULL || ctx->info_len == 0) { + p->return_size = 0; + return 1; + } + return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len); + } +- return -2; ++#ifdef FIPS_MODULE ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR)) ++ != NULL) { ++ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; ++ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ ++ if (ctx->is_tls13) { ++ if (md != NULL ++ && !EVP_MD_is_a(md, "SHA2-256") ++ && !EVP_MD_is_a(md, "SHA2-384")) { ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic ++ * Module Validation Program, Section 2.4.B, (5): "The TLS 1.3 ++ * key derivation function documented in Section 7.1 of RFC ++ * 8446. This is considered an approved CVL because the ++ * underlying functions performed within the TLS 1.3 KDF map to ++ * NIST approved standards, namely: SP 800-133rev2 (Section 6.3 ++ * Option #3), SP 800-56Crev2, and SP 800-108." ++ * ++ * RFC 8446 appendix B.4 only lists SHA-256 and SHA-384. */ ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } else { ++ if (md != NULL ++ && (EVP_MD_is_a(md, "SHAKE-128") || ++ EVP_MD_is_a(md, "SHAKE-256"))) { ++ /* HKDF is a SP 800-56Cr2 TwoStep KDF, for which all SHA-1, ++ * SHA-2 and SHA-3 are approved. SHAKE is not approved, because ++ * of FIPS 140-3 IG, section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the ++ * standalone algorithms." */ ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -348,6 +421,9 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), + OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +@@ -677,6 +753,17 @@ static int prov_tls13_hkdf_generate_secret(OSSL_LIB_CTX *libctx, + return ret; + } + ++static void *kdf_tls1_3_new(void *provctx) ++{ ++ KDF_HKDF *hkdf = kdf_hkdf_new(provctx); ++ ++ if (hkdf != NULL) ++ hkdf->is_tls13 = 1; ++ ++ return hkdf; ++} ++ ++ + static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, + const OSSL_PARAM params[]) + { +@@ -692,6 +779,11 @@ static int kdf_tls1_3_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + switch (ctx->mode) { + default: + return 0; +@@ -769,7 +861,7 @@ static const OSSL_PARAM *kdf_tls1_3_settable_ctx_params(ossl_unused void *ctx, + } + + const OSSL_DISPATCH ossl_kdf_tls1_3_kdf_functions[] = { +- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_hkdf_new }, ++ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))kdf_tls1_3_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))kdf_hkdf_dup }, + { OSSL_FUNC_KDF_FREECTX, (void(*)(void))kdf_hkdf_free }, + { OSSL_FUNC_KDF_RESET, (void(*)(void))kdf_hkdf_reset }, +diff --git a/providers/implementations/kdfs/kbkdf.c b/providers/implementations/kdfs/kbkdf.c +index a542f84dfa..6b6dfb94ac 100644 +--- a/providers/implementations/kdfs/kbkdf.c ++++ b/providers/implementations/kdfs/kbkdf.c +@@ -59,6 +59,9 @@ typedef struct { + kbkdf_mode mode; + EVP_MAC_CTX *ctx_init; + ++ /* HMAC digest algorithm, if any; used to compute FIPS indicator */ ++ PROV_DIGEST digest; ++ + /* Names are lowercased versions of those found in SP800-108. */ + int r; + unsigned char *ki; +@@ -73,6 +76,9 @@ typedef struct { + int use_l; + int is_kmac; + int use_separator; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KBKDF; + + /* Definitions needed for typechecking. */ +@@ -138,6 +144,7 @@ static void kbkdf_reset(void *vctx) + void *provctx = ctx->provctx; + + EVP_MAC_CTX_free(ctx->ctx_init); ++ ossl_prov_digest_reset(&ctx->digest); + OPENSSL_clear_free(ctx->context, ctx->context_len); + OPENSSL_clear_free(ctx->label, ctx->label_len); + OPENSSL_clear_free(ctx->ki, ctx->ki_len); +@@ -240,6 +247,11 @@ static int kbkdf_derive(void *vctx, unsigned char *key, size_t keylen, + goto done; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + h = EVP_MAC_CTX_get_mac_size(ctx->ctx_init); + if (h == 0) + goto done; +@@ -297,6 +309,9 @@ static int kbkdf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + } + } + ++ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) ++ return 0; ++ + p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_MODE); + if (p != NULL + && OPENSSL_strncasecmp("counter", p->data, p->data_size) == 0) { +@@ -363,20 +378,77 @@ static const OSSL_PARAM *kbkdf_settable_ctx_params(ossl_unused void *ctx, + static int kbkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + + p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE); +- if (p == NULL) ++ if (p != NULL) { ++ any_valid = 1; ++ ++ /* KBKDF can produce results as large as you like. */ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR); ++ if (p != NULL) { ++ KBKDF *ctx = (KBKDF *)vctx; ++ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->ki_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." Note that the digest is only used when the MAC ++ * algorithm is HMAC. */ ++ if (ctx->ctx_init != NULL ++ && EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->ctx_init), OSSL_MAC_NAME_HMAC)) { ++ const EVP_MD *md = ossl_prov_digest_md(&ctx->digest); ++ if (md != NULL ++ && (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256"))) { ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) + return -2; + +- /* KBKDF can produce results as large as you like. */ +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); ++ return 1; + } + + static const OSSL_PARAM *kbkdf_gettable_ctx_params(ossl_unused void *ctx, + ossl_unused void *provctx) + { +- static const OSSL_PARAM known_gettable_ctx_params[] = +- { OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), OSSL_PARAM_END }; ++ static const OSSL_PARAM known_gettable_ctx_params[] = { ++ OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ ++ OSSL_PARAM_END ++ }; + return known_gettable_ctx_params; + } + +diff --git a/providers/implementations/kdfs/sshkdf.c b/providers/implementations/kdfs/sshkdf.c +index c592ba72f1..4a52b38266 100644 +--- a/providers/implementations/kdfs/sshkdf.c ++++ b/providers/implementations/kdfs/sshkdf.c +@@ -48,6 +48,9 @@ typedef struct { + char type; /* X */ + unsigned char *session_id; + size_t session_id_len; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_SSHKDF; + + static void *kdf_sshkdf_new(void *provctx) +@@ -126,6 +129,12 @@ static int kdf_sshkdf_derive(void *vctx, unsigned char *key, size_t keylen, + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_TYPE); + return 0; + } ++ ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + return SSHKDF(md, ctx->key, ctx->key_len, + ctx->xcghash, ctx->xcghash_len, + ctx->session_id, ctx->session_id_len, +@@ -194,10 +203,67 @@ static const OSSL_PARAM *kdf_sshkdf_settable_ctx_params(ossl_unused void *ctx, + static int kdf_sshkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR); ++ if (p != NULL) { ++ KDF_SSHKDF *ctx = vctx; ++ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->key_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." ++ * ++ * Additionally, SP 800-135r1 section 5.2 specifies that the hash ++ * function used in SSHKDF "is one of the hash functions specified in ++ * FIPS 180-3.", which rules out SHA-3 and truncated variants of SHA-2. ++ * */ ++ if (ctx->digest.md != NULL ++ && !EVP_MD_is_a(ctx->digest.md, "SHA-1") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-224") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) { ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -205,6 +271,9 @@ static const OSSL_PARAM *kdf_sshkdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +diff --git a/providers/implementations/kdfs/sskdf.c b/providers/implementations/kdfs/sskdf.c +index eb54972e1c..23865cd70f 100644 +--- a/providers/implementations/kdfs/sskdf.c ++++ b/providers/implementations/kdfs/sskdf.c +@@ -64,6 +64,10 @@ typedef struct { + size_t salt_len; + size_t out_len; /* optional KMAC parameter */ + int is_kmac; ++ int is_x963kdf; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_SSKDF; + + #define SSKDF_MAX_INLEN (1<<30) +@@ -73,6 +77,7 @@ typedef struct { + static const unsigned char kmac_custom_str[] = { 0x4B, 0x44, 0x46 }; + + static OSSL_FUNC_kdf_newctx_fn sskdf_new; ++static OSSL_FUNC_kdf_newctx_fn x963kdf_new; + static OSSL_FUNC_kdf_dupctx_fn sskdf_dup; + static OSSL_FUNC_kdf_freectx_fn sskdf_free; + static OSSL_FUNC_kdf_reset_fn sskdf_reset; +@@ -296,6 +301,16 @@ static void *sskdf_new(void *provctx) + return ctx; + } + ++static void *x963kdf_new(void *provctx) ++{ ++ KDF_SSKDF *ctx = sskdf_new(provctx); ++ ++ if (ctx) ++ ctx->is_x963kdf = 1; ++ ++ return ctx; ++} ++ + static void sskdf_reset(void *vctx) + { + KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; +@@ -361,6 +376,11 @@ static int sskdf_derive(void *vctx, unsigned char *key, size_t keylen, + } + md = ossl_prov_digest_md(&ctx->digest); + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + if (ctx->macctx != NULL) { + /* H(x) = KMAC or H(x) = HMAC */ + int ret; +@@ -442,6 +462,11 @@ static int x963kdf_derive(void *vctx, unsigned char *key, size_t keylen, + return 0; + } + ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ + return SSKDF_hash_kdm(md, ctx->secret, ctx->secret_len, + ctx->info, ctx->info_len, 1, key, keylen); + } +@@ -514,10 +539,74 @@ static int sskdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + KDF_SSKDF *ctx = (KDF_SSKDF *)vctx; + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ ++ ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, sskdf_size(ctx))) ++ return 0; ++ } + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, sskdf_size(ctx)); +- return -2; ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." */ ++ if (ctx->macctx == NULL ++ || (ctx->macctx != NULL && ++ EVP_MAC_is_a(EVP_MAC_CTX_get0_mac(ctx->macctx), OSSL_MAC_NAME_HMAC))) { ++ if (ctx->digest.md != NULL ++ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") || ++ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) { ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ /* Table H-3 in ANS X9.63-2001 says that 160-bit hash functions ++ * should only be used for 80-bit key agreement, but FIPS 140-3 ++ * requires a security strength of 112 bits, so SHA-1 cannot be ++ * used with X9.63. See the discussion in ++ * https://github.com/usnistgov/ACVP/issues/1403#issuecomment-1435300395. ++ */ ++ if (ctx->is_x963kdf ++ && ctx->digest.md != NULL ++ && EVP_MD_is_a(ctx->digest.md, "SHA-1")) { ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -525,6 +614,9 @@ static const OSSL_PARAM *sskdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +@@ -545,7 +637,7 @@ const OSSL_DISPATCH ossl_kdf_sskdf_functions[] = { + }; + + const OSSL_DISPATCH ossl_kdf_x963_kdf_functions[] = { +- { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))sskdf_new }, ++ { OSSL_FUNC_KDF_NEWCTX, (void(*)(void))x963kdf_new }, + { OSSL_FUNC_KDF_DUPCTX, (void(*)(void))sskdf_dup }, + { OSSL_FUNC_KDF_FREECTX, (void(*)(void))sskdf_free }, + { OSSL_FUNC_KDF_RESET, (void(*)(void))sskdf_reset }, +diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c +index a4d64b9352..f6782a6ca2 100644 +--- a/providers/implementations/kdfs/tls1_prf.c ++++ b/providers/implementations/kdfs/tls1_prf.c +@@ -93,6 +93,13 @@ typedef struct { + /* Buffer of concatenated seed data */ + unsigned char seed[TLS1_PRF_MAXBUF]; + size_t seedlen; ++ ++ /* MAC digest algorithm; used to compute FIPS indicator */ ++ PROV_DIGEST digest; ++ ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } TLS1_PRF; + + static void *kdf_tls1_prf_new(void *provctx) +@@ -129,6 +136,7 @@ static void kdf_tls1_prf_reset(void *vctx) + EVP_MAC_CTX_free(ctx->P_sha1); + OPENSSL_clear_free(ctx->sec, ctx->seclen); + OPENSSL_cleanse(ctx->seed, ctx->seedlen); ++ ossl_prov_digest_reset(&ctx->digest); + memset(ctx, 0, sizeof(*ctx)); + ctx->provctx = provctx; + } +@@ -157,6 +165,10 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); + return 0; + } ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ + + /* + * The seed buffer is prepended with a label. +@@ -191,6 +203,9 @@ static int kdf_tls1_prf_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + } + } + ++ if (!ossl_prov_digest_load_from_params(&ctx->digest, params, libctx)) ++ return 0; ++ + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SECRET)) != NULL) { + OPENSSL_clear_free(ctx->sec, ctx->seclen); + ctx->sec = NULL; +@@ -232,10 +247,60 @@ static const OSSL_PARAM *kdf_tls1_prf_settable_ctx_params( + static int kdf_tls1_prf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + OSSL_PARAM *p; ++#ifdef FIPS_MODULE ++ TLS1_PRF *ctx = vctx; ++#endif /* defined(FIPS_MODULE) */ ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ ++ ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->seclen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* SP 800-135r1 section 4.2.2 says TLS 1.2 KDF is approved when "(3) ++ * P_HASH uses either SHA-256, SHA-384 or SHA-512." */ ++ if (ctx->digest.md != NULL ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-256") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-384") ++ && !EVP_MD_is_a(ctx->digest.md, "SHA2-512")) { ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( +@@ -243,6 +308,9 @@ static const OSSL_PARAM *kdf_tls1_prf_gettable_ctx_params( + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +diff --git a/providers/implementations/kdfs/x942kdf.c b/providers/implementations/kdfs/x942kdf.c +index b1bc6f7e1b..8173fc2cc7 100644 +--- a/providers/implementations/kdfs/x942kdf.c ++++ b/providers/implementations/kdfs/x942kdf.c +@@ -13,11 +13,13 @@ + #include + #include + #include ++#include + #include + #include + #include "internal/packet.h" + #include "internal/der.h" + #include "internal/nelem.h" ++#include "crypto/evp.h" + #include "prov/provider_ctx.h" + #include "prov/providercommon.h" + #include "prov/implementations.h" +@@ -47,6 +50,9 @@ typedef struct { + const unsigned char *cek_oid; + size_t cek_oid_len; + int use_keybits; ++#ifdef FIPS_MODULE ++ int fips_indicator; ++#endif /* defined(FIPS_MODULE) */ + } KDF_X942; + + /* +@@ -460,6 +466,10 @@ static int x942kdf_derive(void *vctx, unsigned char *key, size_t keylen, + ERR_raise(ERR_LIB_PROV, PROV_R_BAD_ENCODING); + return 0; + } ++#ifdef FIPS_MODULE ++ if (keylen < EVP_KDF_FIPS_MIN_KEY_LEN) ++ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ + ret = x942kdf_hash_kdm(md, ctx->secret, ctx->secret_len, + der, der_len, ctr, key, keylen); + OPENSSL_free(der); +@@ -563,10 +573,58 @@ static int x942kdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { + KDF_X942 *ctx = (KDF_X942 *)vctx; + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, x942kdf_size(ctx)); +- return -2; ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, x942kdf_size(ctx))) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; ++ ++ any_valid = 1; ++ ++ /* According to NIST Special Publication 800-131Ar2, Section 8: ++ * Deriving Additional Keys from a Cryptographic Key, "[t]he length of ++ * the key-derivation key [i.e., the input key] shall be at least 112 ++ * bits". */ ++ if (ctx->secret_len < EVP_KDF_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Verification Program, Section D.B and NIST Special Publication ++ * 800-131Ar2, Section 1.2.2 say that any algorithm at a security ++ * strength < 112 bits is legacy use only, so all derived keys should ++ * be longer than that. If a derived key has ever been shorter than ++ * that, ctx->output_keyelen_indicator will be NOT_APPROVED, and we ++ * should also set the returned FIPS indicator to unapproved. */ ++ if (ctx->fips_indicator == EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED) ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ ++ /* Implementation Guidance for FIPS 140-3 and the Cryptographic Module ++ * Validation Program, Section C.C: "The SHAKE128 and SHAKE256 ++ * extendable-output functions may only be used as the standalone ++ * algorithms." */ ++ if (ctx->digest.md != NULL ++ && (EVP_MD_is_a(ctx->digest.md, "SHAKE-128") || ++ EVP_MD_is_a(ctx->digest.md, "SHAKE-256"))) { ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ } ++#endif ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, +@@ -574,6 +632,9 @@ static const OSSL_PARAM *x942kdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, 0), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index 70f7c50fe4..6618122417 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -183,6 +183,7 @@ my %params = ( + 'KDF_PARAM_X942_SUPP_PUBINFO' => "supp-pubinfo", + 'KDF_PARAM_X942_SUPP_PRIVINFO' => "supp-privinfo", + 'KDF_PARAM_X942_USE_KEYBITS' => "use-keybits", ++ 'KDF_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator", + 'KDF_PARAM_HMACDRBG_ENTROPY' => "entropy", + 'KDF_PARAM_HMACDRBG_NONCE' => "nonce", + 'KDF_PARAM_THREADS' => "threads", # uint32_t +-- +2.39.2 + diff --git a/openssl-Add-FIPS_mode-compatibility-macro.patch b/openssl-Add-FIPS_mode-compatibility-macro.patch new file mode 100644 index 0000000..76abdf2 --- /dev/null +++ b/openssl-Add-FIPS_mode-compatibility-macro.patch @@ -0,0 +1,83 @@ +From 8e29a10b39a649d751870eb1fd1b8c388e66acc3 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:27 +0200 +Subject: [PATCH 08/35] 0008-Add-FIPS_mode-compatibility-macro.patch + +Patch-name: 0008-Add-FIPS_mode-compatibility-macro.patch +Patch-id: 8 +Patch-status: | + # Add FIPS_mode() compatibility macro +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + include/openssl/fips.h | 26 ++++++++++++++++++++++++++ + test/property_test.c | 14 ++++++++++++++ + 2 files changed, 40 insertions(+) + create mode 100644 include/openssl/fips.h + +diff --git a/include/openssl/fips.h b/include/openssl/fips.h +new file mode 100644 +index 0000000000..4162cbf88e +--- /dev/null ++++ b/include/openssl/fips.h +@@ -0,0 +1,26 @@ ++/* ++ * Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#ifndef OPENSSL_FIPS_H ++# define OPENSSL_FIPS_H ++# pragma once ++ ++# include ++# include ++ ++# ifdef __cplusplus ++extern "C" { ++# endif ++ ++# define FIPS_mode() EVP_default_properties_is_fips_enabled(NULL) ++ ++# ifdef __cplusplus ++} ++# endif ++#endif +diff --git a/test/property_test.c b/test/property_test.c +index 45b1db3e85..8894c1c1cb 100644 +--- a/test/property_test.c ++++ b/test/property_test.c +@@ -677,6 +677,19 @@ static int test_property_list_to_string(int i) + return ret; + } + ++#include ++static int test_downstream_FIPS_mode(void) ++{ ++ int ret = 0; ++ ++ ret = TEST_true(EVP_set_default_properties(NULL, "fips=yes")) ++ && TEST_true(FIPS_mode()) ++ && TEST_true(EVP_set_default_properties(NULL, "fips=no")) ++ && TEST_false(FIPS_mode()); ++ ++ return ret; ++} ++ + int setup_tests(void) + { + ADD_TEST(test_property_string); +@@ -690,6 +703,7 @@ int setup_tests(void) + ADD_TEST(test_property); + ADD_TEST(test_query_cache_stochastic); + ADD_TEST(test_fips_mode); ++ ADD_TEST(test_downstream_FIPS_mode); + ADD_ALL_TESTS(test_property_list_to_string, OSSL_NELEM(to_string_tests)); + return 1; + } +-- +2.41.0 + diff --git a/openssl-Add-Kernel-FIPS-mode-flag-support.patch b/openssl-Add-Kernel-FIPS-mode-flag-support.patch new file mode 100644 index 0000000..3f2da76 --- /dev/null +++ b/openssl-Add-Kernel-FIPS-mode-flag-support.patch @@ -0,0 +1,82 @@ +From aa3aebf132959e7e44876042efaf9ff24ffe0f2b Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:27 +0200 +Subject: [PATCH 09/35] 0009-Add-Kernel-FIPS-mode-flag-support.patch + +Patch-name: 0009-Add-Kernel-FIPS-mode-flag-support.patch +Patch-id: 9 +Patch-status: | + # Add check to see if fips flag is enabled in kernel +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + crypto/context.c | 36 ++++++++++++++++++++++++++++++++++++ + include/internal/provider.h | 3 +++ + 2 files changed, 39 insertions(+) + +Index: openssl-3.2.3/crypto/context.c +=================================================================== +--- openssl-3.2.3.orig/crypto/context.c ++++ openssl-3.2.3/crypto/context.c +@@ -17,6 +17,40 @@ + #include "crypto/decoder.h" + #include "crypto/context.h" + ++# include ++# include ++# include ++# include ++# include ++ ++# define FIPS_MODE_SWITCH_FILE "/proc/sys/crypto/fips_enabled" ++ ++static int kernel_fips_flag; ++ ++static void read_kernel_fips_flag(void) ++{ ++ char buf[2] = "0"; ++ int fd; ++ ++ if (ossl_safe_getenv("OPENSSL_FORCE_FIPS_MODE") != NULL) { ++ buf[0] = '1'; ++ } else if ((fd = open(FIPS_MODE_SWITCH_FILE, O_RDONLY)) >= 0) { ++ while (read(fd, buf, sizeof(buf)) < 0 && errno == EINTR) ; ++ close(fd); ++ } ++ ++ if (buf[0] == '1') { ++ kernel_fips_flag = 1; ++ } ++ ++ return; ++} ++ ++int ossl_get_kernel_fips_flag() ++{ ++ return kernel_fips_flag; ++} ++ + struct ossl_lib_ctx_st { + CRYPTO_RWLOCK *lock, *rand_crngt_lock; + OSSL_EX_DATA_GLOBAL global; +@@ -368,6 +402,7 @@ static int default_context_inited = 0; + + DEFINE_RUN_ONCE_STATIC(default_context_do_init) + { ++ read_kernel_fips_flag(); + if (!CRYPTO_THREAD_init_local(&default_context_thread_local, NULL)) + goto err; + +Index: openssl-3.2.3/include/internal/provider.h +=================================================================== +--- openssl-3.2.3.orig/include/internal/provider.h ++++ openssl-3.2.3/include/internal/provider.h +@@ -112,6 +112,9 @@ int ossl_provider_init_as_child(OSSL_LIB + const OSSL_DISPATCH *in); + void ossl_provider_deinit_child(OSSL_LIB_CTX *ctx); + ++/* FIPS flag access */ ++int ossl_get_kernel_fips_flag(void); ++ + # ifdef __cplusplus + } + # endif diff --git a/openssl-Add-changes-to-ectest-and-eccurve.patch b/openssl-Add-changes-to-ectest-and-eccurve.patch new file mode 100644 index 0000000..0fb737c --- /dev/null +++ b/openssl-Add-changes-to-ectest-and-eccurve.patch @@ -0,0 +1,1147 @@ +From 37fae351c6fef272baf383469181aecfcac87592 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:27 +0200 +Subject: [PATCH 10/35] 0010-Add-changes-to-ectest-and-eccurve.patch + +Patch-name: 0010-Add-changes-to-ectest-and-eccurve.patch +Patch-id: 10 +Patch-status: | + # Instead of replacing ectest.c and ec_curve.c, add the changes as a patch so + # that new modifications made to these files by upstream are not lost. +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + crypto/ec/ec_curve.c | 844 ------------------------------------------- + test/ectest.c | 174 +-------- + 2 files changed, 8 insertions(+), 1010 deletions(-) + +diff --git a/crypto/ec/ec_curve.c b/crypto/ec/ec_curve.c +index b5b2f3342d..d32a768fe6 100644 +--- a/crypto/ec/ec_curve.c ++++ b/crypto/ec/ec_curve.c +@@ -30,38 +30,6 @@ typedef struct { + } EC_CURVE_DATA; + + /* the nist prime curves */ +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 24 * 6]; +-} _EC_NIST_PRIME_192 = { +- { +- NID_X9_62_prime_field, 20, 24, 1 +- }, +- { +- /* seed */ +- 0x30, 0x45, 0xAE, 0x6F, 0xC8, 0x42, 0x2F, 0x64, 0xED, 0x57, 0x95, 0x28, +- 0xD3, 0x81, 0x20, 0xEA, 0xE1, 0x21, 0x96, 0xD5, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x64, 0x21, 0x05, 0x19, 0xE5, 0x9C, 0x80, 0xE7, 0x0F, 0xA7, 0xE9, 0xAB, +- 0x72, 0x24, 0x30, 0x49, 0xFE, 0xB8, 0xDE, 0xEC, 0xC1, 0x46, 0xB9, 0xB1, +- /* x */ +- 0x18, 0x8D, 0xA8, 0x0E, 0xB0, 0x30, 0x90, 0xF6, 0x7C, 0xBF, 0x20, 0xEB, +- 0x43, 0xA1, 0x88, 0x00, 0xF4, 0xFF, 0x0A, 0xFD, 0x82, 0xFF, 0x10, 0x12, +- /* y */ +- 0x07, 0x19, 0x2b, 0x95, 0xff, 0xc8, 0xda, 0x78, 0x63, 0x10, 0x11, 0xed, +- 0x6b, 0x24, 0xcd, 0xd5, 0x73, 0xf9, 0x77, 0xa1, 0x1e, 0x79, 0x48, 0x11, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x99, 0xDE, 0xF8, 0x36, 0x14, 0x6B, 0xC9, 0xB1, 0xB4, 0xD2, 0x28, 0x31 +- } +-}; +- + static const struct { + EC_CURVE_DATA h; + unsigned char data[20 + 28 * 6]; +@@ -200,187 +168,6 @@ static const struct { + } + }; + +-# ifndef FIPS_MODULE +-/* the x9.62 prime curves (minus the nist prime curves) */ +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 24 * 6]; +-} _EC_X9_62_PRIME_192V2 = { +- { +- NID_X9_62_prime_field, 20, 24, 1 +- }, +- { +- /* seed */ +- 0x31, 0xA9, 0x2E, 0xE2, 0x02, 0x9F, 0xD1, 0x0D, 0x90, 0x1B, 0x11, 0x3E, +- 0x99, 0x07, 0x10, 0xF0, 0xD2, 0x1A, 0xC6, 0xB6, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0xCC, 0x22, 0xD6, 0xDF, 0xB9, 0x5C, 0x6B, 0x25, 0xE4, 0x9C, 0x0D, 0x63, +- 0x64, 0xA4, 0xE5, 0x98, 0x0C, 0x39, 0x3A, 0xA2, 0x16, 0x68, 0xD9, 0x53, +- /* x */ +- 0xEE, 0xA2, 0xBA, 0xE7, 0xE1, 0x49, 0x78, 0x42, 0xF2, 0xDE, 0x77, 0x69, +- 0xCF, 0xE9, 0xC9, 0x89, 0xC0, 0x72, 0xAD, 0x69, 0x6F, 0x48, 0x03, 0x4A, +- /* y */ +- 0x65, 0x74, 0xd1, 0x1d, 0x69, 0xb6, 0xec, 0x7a, 0x67, 0x2b, 0xb8, 0x2a, +- 0x08, 0x3d, 0xf2, 0xf2, 0xb0, 0x84, 0x7d, 0xe9, 0x70, 0xb2, 0xde, 0x15, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, +- 0x5F, 0xB1, 0xA7, 0x24, 0xDC, 0x80, 0x41, 0x86, 0x48, 0xD8, 0xDD, 0x31 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 24 * 6]; +-} _EC_X9_62_PRIME_192V3 = { +- { +- NID_X9_62_prime_field, 20, 24, 1 +- }, +- { +- /* seed */ +- 0xC4, 0x69, 0x68, 0x44, 0x35, 0xDE, 0xB3, 0x78, 0xC4, 0xB6, 0x5C, 0xA9, +- 0x59, 0x1E, 0x2A, 0x57, 0x63, 0x05, 0x9A, 0x2E, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x22, 0x12, 0x3D, 0xC2, 0x39, 0x5A, 0x05, 0xCA, 0xA7, 0x42, 0x3D, 0xAE, +- 0xCC, 0xC9, 0x47, 0x60, 0xA7, 0xD4, 0x62, 0x25, 0x6B, 0xD5, 0x69, 0x16, +- /* x */ +- 0x7D, 0x29, 0x77, 0x81, 0x00, 0xC6, 0x5A, 0x1D, 0xA1, 0x78, 0x37, 0x16, +- 0x58, 0x8D, 0xCE, 0x2B, 0x8B, 0x4A, 0xEE, 0x8E, 0x22, 0x8F, 0x18, 0x96, +- /* y */ +- 0x38, 0xa9, 0x0f, 0x22, 0x63, 0x73, 0x37, 0x33, 0x4b, 0x49, 0xdc, 0xb6, +- 0x6a, 0x6d, 0xc8, 0xf9, 0x97, 0x8a, 0xca, 0x76, 0x48, 0xa9, 0x43, 0xb0, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7A, 0x62, 0xD0, 0x31, 0xC8, 0x3F, 0x42, 0x94, 0xF6, 0x40, 0xEC, 0x13 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 30 * 6]; +-} _EC_X9_62_PRIME_239V1 = { +- { +- NID_X9_62_prime_field, 20, 30, 1 +- }, +- { +- /* seed */ +- 0xE4, 0x3B, 0xB4, 0x60, 0xF0, 0xB8, 0x0C, 0xC0, 0xC0, 0xB0, 0x75, 0x79, +- 0x8E, 0x94, 0x80, 0x60, 0xF8, 0x32, 0x1B, 0x7D, +- /* p */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x6B, 0x01, 0x6C, 0x3B, 0xDC, 0xF1, 0x89, 0x41, 0xD0, 0xD6, 0x54, 0x92, +- 0x14, 0x75, 0xCA, 0x71, 0xA9, 0xDB, 0x2F, 0xB2, 0x7D, 0x1D, 0x37, 0x79, +- 0x61, 0x85, 0xC2, 0x94, 0x2C, 0x0A, +- /* x */ +- 0x0F, 0xFA, 0x96, 0x3C, 0xDC, 0xA8, 0x81, 0x6C, 0xCC, 0x33, 0xB8, 0x64, +- 0x2B, 0xED, 0xF9, 0x05, 0xC3, 0xD3, 0x58, 0x57, 0x3D, 0x3F, 0x27, 0xFB, +- 0xBD, 0x3B, 0x3C, 0xB9, 0xAA, 0xAF, +- /* y */ +- 0x7d, 0xeb, 0xe8, 0xe4, 0xe9, 0x0a, 0x5d, 0xae, 0x6e, 0x40, 0x54, 0xca, +- 0x53, 0x0b, 0xa0, 0x46, 0x54, 0xb3, 0x68, 0x18, 0xce, 0x22, 0x6b, 0x39, +- 0xfc, 0xcb, 0x7b, 0x02, 0xf1, 0xae, +- /* order */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0x9E, 0x5E, 0x9A, 0x9F, 0x5D, 0x90, 0x71, 0xFB, 0xD1, +- 0x52, 0x26, 0x88, 0x90, 0x9D, 0x0B +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 30 * 6]; +-} _EC_X9_62_PRIME_239V2 = { +- { +- NID_X9_62_prime_field, 20, 30, 1 +- }, +- { +- /* seed */ +- 0xE8, 0xB4, 0x01, 0x16, 0x04, 0x09, 0x53, 0x03, 0xCA, 0x3B, 0x80, 0x99, +- 0x98, 0x2B, 0xE0, 0x9F, 0xCB, 0x9A, 0xE6, 0x16, +- /* p */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x61, 0x7F, 0xAB, 0x68, 0x32, 0x57, 0x6C, 0xBB, 0xFE, 0xD5, 0x0D, 0x99, +- 0xF0, 0x24, 0x9C, 0x3F, 0xEE, 0x58, 0xB9, 0x4B, 0xA0, 0x03, 0x8C, 0x7A, +- 0xE8, 0x4C, 0x8C, 0x83, 0x2F, 0x2C, +- /* x */ +- 0x38, 0xAF, 0x09, 0xD9, 0x87, 0x27, 0x70, 0x51, 0x20, 0xC9, 0x21, 0xBB, +- 0x5E, 0x9E, 0x26, 0x29, 0x6A, 0x3C, 0xDC, 0xF2, 0xF3, 0x57, 0x57, 0xA0, +- 0xEA, 0xFD, 0x87, 0xB8, 0x30, 0xE7, +- /* y */ +- 0x5b, 0x01, 0x25, 0xe4, 0xdb, 0xea, 0x0e, 0xc7, 0x20, 0x6d, 0xa0, 0xfc, +- 0x01, 0xd9, 0xb0, 0x81, 0x32, 0x9f, 0xb5, 0x55, 0xde, 0x6e, 0xf4, 0x60, +- 0x23, 0x7d, 0xff, 0x8b, 0xe4, 0xba, +- /* order */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x80, 0x00, 0x00, 0xCF, 0xA7, 0xE8, 0x59, 0x43, 0x77, 0xD4, 0x14, 0xC0, +- 0x38, 0x21, 0xBC, 0x58, 0x20, 0x63 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 30 * 6]; +-} _EC_X9_62_PRIME_239V3 = { +- { +- NID_X9_62_prime_field, 20, 30, 1 +- }, +- { +- /* seed */ +- 0x7D, 0x73, 0x74, 0x16, 0x8F, 0xFE, 0x34, 0x71, 0xB6, 0x0A, 0x85, 0x76, +- 0x86, 0xA1, 0x94, 0x75, 0xD3, 0xBF, 0xA2, 0xFF, +- /* p */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x80, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x25, 0x57, 0x05, 0xFA, 0x2A, 0x30, 0x66, 0x54, 0xB1, 0xF4, 0xCB, 0x03, +- 0xD6, 0xA7, 0x50, 0xA3, 0x0C, 0x25, 0x01, 0x02, 0xD4, 0x98, 0x87, 0x17, +- 0xD9, 0xBA, 0x15, 0xAB, 0x6D, 0x3E, +- /* x */ +- 0x67, 0x68, 0xAE, 0x8E, 0x18, 0xBB, 0x92, 0xCF, 0xCF, 0x00, 0x5C, 0x94, +- 0x9A, 0xA2, 0xC6, 0xD9, 0x48, 0x53, 0xD0, 0xE6, 0x60, 0xBB, 0xF8, 0x54, +- 0xB1, 0xC9, 0x50, 0x5F, 0xE9, 0x5A, +- /* y */ +- 0x16, 0x07, 0xe6, 0x89, 0x8f, 0x39, 0x0c, 0x06, 0xbc, 0x1d, 0x55, 0x2b, +- 0xad, 0x22, 0x6f, 0x3b, 0x6f, 0xcf, 0xe4, 0x8b, 0x6e, 0x81, 0x84, 0x99, +- 0xaf, 0x18, 0xe3, 0xed, 0x6c, 0xf3, +- /* order */ +- 0x7F, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0x7F, 0xFF, 0xFF, 0x97, 0x5D, 0xEB, 0x41, 0xB3, 0xA6, 0x05, 0x7C, 0x3C, +- 0x43, 0x21, 0x46, 0x52, 0x65, 0x51 +- } +-}; +-#endif /* FIPS_MODULE */ +- + static const struct { + EC_CURVE_DATA h; + unsigned char data[20 + 32 * 6]; +@@ -421,294 +208,6 @@ static const struct { + + #ifndef FIPS_MODULE + /* the secg prime curves (minus the nist and x9.62 prime curves) */ +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 14 * 6]; +-} _EC_SECG_PRIME_112R1 = { +- { +- NID_X9_62_prime_field, 20, 14, 1 +- }, +- { +- /* seed */ +- 0x00, 0xF5, 0x0B, 0x02, 0x8E, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, +- 0x51, 0x75, 0x29, 0x04, 0x72, 0x78, 0x3F, 0xB1, +- /* p */ +- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, +- 0x20, 0x8B, +- /* a */ +- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, +- 0x20, 0x88, +- /* b */ +- 0x65, 0x9E, 0xF8, 0xBA, 0x04, 0x39, 0x16, 0xEE, 0xDE, 0x89, 0x11, 0x70, +- 0x2B, 0x22, +- /* x */ +- 0x09, 0x48, 0x72, 0x39, 0x99, 0x5A, 0x5E, 0xE7, 0x6B, 0x55, 0xF9, 0xC2, +- 0xF0, 0x98, +- /* y */ +- 0xa8, 0x9c, 0xe5, 0xaf, 0x87, 0x24, 0xc0, 0xa2, 0x3e, 0x0e, 0x0f, 0xf7, +- 0x75, 0x00, +- /* order */ +- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x76, 0x28, 0xDF, 0xAC, 0x65, +- 0x61, 0xC5 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 14 * 6]; +-} _EC_SECG_PRIME_112R2 = { +- { +- NID_X9_62_prime_field, 20, 14, 4 +- }, +- { +- /* seed */ +- 0x00, 0x27, 0x57, 0xA1, 0x11, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, +- 0x51, 0x75, 0x53, 0x16, 0xC0, 0x5E, 0x0B, 0xD4, +- /* p */ +- 0xDB, 0x7C, 0x2A, 0xBF, 0x62, 0xE3, 0x5E, 0x66, 0x80, 0x76, 0xBE, 0xAD, +- 0x20, 0x8B, +- /* a */ +- 0x61, 0x27, 0xC2, 0x4C, 0x05, 0xF3, 0x8A, 0x0A, 0xAA, 0xF6, 0x5C, 0x0E, +- 0xF0, 0x2C, +- /* b */ +- 0x51, 0xDE, 0xF1, 0x81, 0x5D, 0xB5, 0xED, 0x74, 0xFC, 0xC3, 0x4C, 0x85, +- 0xD7, 0x09, +- /* x */ +- 0x4B, 0xA3, 0x0A, 0xB5, 0xE8, 0x92, 0xB4, 0xE1, 0x64, 0x9D, 0xD0, 0x92, +- 0x86, 0x43, +- /* y */ +- 0xad, 0xcd, 0x46, 0xf5, 0x88, 0x2e, 0x37, 0x47, 0xde, 0xf3, 0x6e, 0x95, +- 0x6e, 0x97, +- /* order */ +- 0x36, 0xDF, 0x0A, 0xAF, 0xD8, 0xB8, 0xD7, 0x59, 0x7C, 0xA1, 0x05, 0x20, +- 0xD0, 0x4B +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 16 * 6]; +-} _EC_SECG_PRIME_128R1 = { +- { +- NID_X9_62_prime_field, 20, 16, 1 +- }, +- { +- /* seed */ +- 0x00, 0x0E, 0x0D, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, +- 0x0C, 0xC0, 0x3A, 0x44, 0x73, 0xD0, 0x36, 0x79, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0xE8, 0x75, 0x79, 0xC1, 0x10, 0x79, 0xF4, 0x3D, 0xD8, 0x24, 0x99, 0x3C, +- 0x2C, 0xEE, 0x5E, 0xD3, +- /* x */ +- 0x16, 0x1F, 0xF7, 0x52, 0x8B, 0x89, 0x9B, 0x2D, 0x0C, 0x28, 0x60, 0x7C, +- 0xA5, 0x2C, 0x5B, 0x86, +- /* y */ +- 0xcf, 0x5a, 0xc8, 0x39, 0x5b, 0xaf, 0xeb, 0x13, 0xc0, 0x2d, 0xa2, 0x92, +- 0xdd, 0xed, 0x7a, 0x83, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFE, 0x00, 0x00, 0x00, 0x00, 0x75, 0xA3, 0x0D, 0x1B, +- 0x90, 0x38, 0xA1, 0x15 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 16 * 6]; +-} _EC_SECG_PRIME_128R2 = { +- { +- NID_X9_62_prime_field, 20, 16, 4 +- }, +- { +- /* seed */ +- 0x00, 0x4D, 0x69, 0x6E, 0x67, 0x68, 0x75, 0x61, 0x51, 0x75, 0x12, 0xD8, +- 0xF0, 0x34, 0x31, 0xFC, 0xE6, 0x3B, 0x88, 0xF4, +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFD, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0xD6, 0x03, 0x19, 0x98, 0xD1, 0xB3, 0xBB, 0xFE, 0xBF, 0x59, 0xCC, 0x9B, +- 0xBF, 0xF9, 0xAE, 0xE1, +- /* b */ +- 0x5E, 0xEE, 0xFC, 0xA3, 0x80, 0xD0, 0x29, 0x19, 0xDC, 0x2C, 0x65, 0x58, +- 0xBB, 0x6D, 0x8A, 0x5D, +- /* x */ +- 0x7B, 0x6A, 0xA5, 0xD8, 0x5E, 0x57, 0x29, 0x83, 0xE6, 0xFB, 0x32, 0xA7, +- 0xCD, 0xEB, 0xC1, 0x40, +- /* y */ +- 0x27, 0xb6, 0x91, 0x6a, 0x89, 0x4d, 0x3a, 0xee, 0x71, 0x06, 0xfe, 0x80, +- 0x5f, 0xc3, 0x4b, 0x44, +- /* order */ +- 0x3F, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, 0xBE, 0x00, 0x24, 0x72, +- 0x06, 0x13, 0xB5, 0xA3 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 21 * 6]; +-} _EC_SECG_PRIME_160K1 = { +- { +- NID_X9_62_prime_field, 0, 21, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x73, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x07, +- /* x */ +- 0x00, 0x3B, 0x4C, 0x38, 0x2C, 0xE3, 0x7A, 0xA1, 0x92, 0xA4, 0x01, 0x9E, +- 0x76, 0x30, 0x36, 0xF4, 0xF5, 0xDD, 0x4D, 0x7E, 0xBB, +- /* y */ +- 0x00, 0x93, 0x8c, 0xf9, 0x35, 0x31, 0x8f, 0xdc, 0xed, 0x6b, 0xc2, 0x82, +- 0x86, 0x53, 0x17, 0x33, 0xc3, 0xf0, 0x3c, 0x4f, 0xee, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xB8, +- 0xFA, 0x16, 0xDF, 0xAB, 0x9A, 0xCA, 0x16, 0xB6, 0xB3 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 21 * 6]; +-} _EC_SECG_PRIME_160R1 = { +- { +- NID_X9_62_prime_field, 20, 21, 1 +- }, +- { +- /* seed */ +- 0x10, 0x53, 0xCD, 0xE4, 0x2C, 0x14, 0xD6, 0x96, 0xE6, 0x76, 0x87, 0x56, +- 0x15, 0x17, 0x53, 0x3B, 0xF3, 0xF8, 0x33, 0x45, +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFF, +- /* a */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0x7F, 0xFF, 0xFF, 0xFC, +- /* b */ +- 0x00, 0x1C, 0x97, 0xBE, 0xFC, 0x54, 0xBD, 0x7A, 0x8B, 0x65, 0xAC, 0xF8, +- 0x9F, 0x81, 0xD4, 0xD4, 0xAD, 0xC5, 0x65, 0xFA, 0x45, +- /* x */ +- 0x00, 0x4A, 0x96, 0xB5, 0x68, 0x8E, 0xF5, 0x73, 0x28, 0x46, 0x64, 0x69, +- 0x89, 0x68, 0xC3, 0x8B, 0xB9, 0x13, 0xCB, 0xFC, 0x82, +- /* y */ +- 0x00, 0x23, 0xa6, 0x28, 0x55, 0x31, 0x68, 0x94, 0x7d, 0x59, 0xdc, 0xc9, +- 0x12, 0x04, 0x23, 0x51, 0x37, 0x7a, 0xc5, 0xfb, 0x32, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xF4, +- 0xC8, 0xF9, 0x27, 0xAE, 0xD3, 0xCA, 0x75, 0x22, 0x57 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[20 + 21 * 6]; +-} _EC_SECG_PRIME_160R2 = { +- { +- NID_X9_62_prime_field, 20, 21, 1 +- }, +- { +- /* seed */ +- 0xB9, 0x9B, 0x99, 0xB0, 0x99, 0xB3, 0x23, 0xE0, 0x27, 0x09, 0xA4, 0xD6, +- 0x96, 0xE6, 0x76, 0x87, 0x56, 0x15, 0x17, 0x51, +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x73, +- /* a */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xAC, 0x70, +- /* b */ +- 0x00, 0xB4, 0xE1, 0x34, 0xD3, 0xFB, 0x59, 0xEB, 0x8B, 0xAB, 0x57, 0x27, +- 0x49, 0x04, 0x66, 0x4D, 0x5A, 0xF5, 0x03, 0x88, 0xBA, +- /* x */ +- 0x00, 0x52, 0xDC, 0xB0, 0x34, 0x29, 0x3A, 0x11, 0x7E, 0x1F, 0x4F, 0xF1, +- 0x1B, 0x30, 0xF7, 0x19, 0x9D, 0x31, 0x44, 0xCE, 0x6D, +- /* y */ +- 0x00, 0xfe, 0xaf, 0xfe, 0xf2, 0xe3, 0x31, 0xf2, 0x96, 0xe0, 0x71, 0xfa, +- 0x0d, 0xf9, 0x98, 0x2c, 0xfe, 0xa7, 0xd4, 0x3f, 0x2e, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x35, +- 0x1E, 0xE7, 0x86, 0xA8, 0x18, 0xF3, 0xA1, 0xA1, 0x6B +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 24 * 6]; +-} _EC_SECG_PRIME_192K1 = { +- { +- NID_X9_62_prime_field, 0, 24, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xEE, 0x37, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, +- /* x */ +- 0xDB, 0x4F, 0xF1, 0x0E, 0xC0, 0x57, 0xE9, 0xAE, 0x26, 0xB0, 0x7D, 0x02, +- 0x80, 0xB7, 0xF4, 0x34, 0x1D, 0xA5, 0xD1, 0xB1, 0xEA, 0xE0, 0x6C, 0x7D, +- /* y */ +- 0x9b, 0x2f, 0x2f, 0x6d, 0x9c, 0x56, 0x28, 0xa7, 0x84, 0x41, 0x63, 0xd0, +- 0x15, 0xbe, 0x86, 0x34, 0x40, 0x82, 0xaa, 0x88, 0xd9, 0x5e, 0x2f, 0x9d, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, +- 0x26, 0xF2, 0xFC, 0x17, 0x0F, 0x69, 0x46, 0x6A, 0x74, 0xDE, 0xFD, 0x8D +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 29 * 6]; +-} _EC_SECG_PRIME_224K1 = { +- { +- NID_X9_62_prime_field, 0, 29, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFE, 0xFF, 0xFF, 0xE5, 0x6D, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x05, +- /* x */ +- 0x00, 0xA1, 0x45, 0x5B, 0x33, 0x4D, 0xF0, 0x99, 0xDF, 0x30, 0xFC, 0x28, +- 0xA1, 0x69, 0xA4, 0x67, 0xE9, 0xE4, 0x70, 0x75, 0xA9, 0x0F, 0x7E, 0x65, +- 0x0E, 0xB6, 0xB7, 0xA4, 0x5C, +- /* y */ +- 0x00, 0x7e, 0x08, 0x9f, 0xed, 0x7f, 0xba, 0x34, 0x42, 0x82, 0xca, 0xfb, +- 0xd6, 0xf7, 0xe3, 0x19, 0xf7, 0xc0, 0xb0, 0xbd, 0x59, 0xe2, 0xca, 0x4b, +- 0xdb, 0x55, 0x6d, 0x61, 0xa5, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x01, 0xDC, 0xE8, 0xD2, 0xEC, 0x61, 0x84, 0xCA, 0xF0, 0xA9, +- 0x71, 0x76, 0x9F, 0xB1, 0xF7 +- } +-}; +- + static const struct { + EC_CURVE_DATA h; + unsigned char data[0 + 32 * 6]; +@@ -745,102 +244,6 @@ static const struct { + } + }; + +-/* some wap/wtls curves */ +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 15 * 6]; +-} _EC_WTLS_8 = { +- { +- NID_X9_62_prime_field, 0, 15, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFD, 0xE7, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x03, +- /* x */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x01, +- /* y */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x02, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xEC, 0xEA, 0x55, 0x1A, +- 0xD8, 0x37, 0xE9 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 21 * 6]; +-} _EC_WTLS_9 = { +- { +- NID_X9_62_prime_field, 0, 21, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0x00, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFC, 0x80, 0x8F, +- /* a */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- /* b */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x03, +- /* x */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, +- /* y */ +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, +- /* order */ +- 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0xCD, +- 0xC9, 0x8A, 0xE0, 0xE2, 0xDE, 0x57, 0x4A, 0xBF, 0x33 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 28 * 6]; +-} _EC_WTLS_12 = { +- { +- NID_X9_62_prime_field, 0, 28, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, +- 0x00, 0x00, 0x00, 0x01, +- /* a */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0xFF, 0xFE, +- /* b */ +- 0xB4, 0x05, 0x0A, 0x85, 0x0C, 0x04, 0xB3, 0xAB, 0xF5, 0x41, 0x32, 0x56, +- 0x50, 0x44, 0xB0, 0xB7, 0xD7, 0xBF, 0xD8, 0xBA, 0x27, 0x0B, 0x39, 0x43, +- 0x23, 0x55, 0xFF, 0xB4, +- /* x */ +- 0xB7, 0x0E, 0x0C, 0xBD, 0x6B, 0xB4, 0xBF, 0x7F, 0x32, 0x13, 0x90, 0xB9, +- 0x4A, 0x03, 0xC1, 0xD3, 0x56, 0xC2, 0x11, 0x22, 0x34, 0x32, 0x80, 0xD6, +- 0x11, 0x5C, 0x1D, 0x21, +- /* y */ +- 0xbd, 0x37, 0x63, 0x88, 0xb5, 0xf7, 0x23, 0xfb, 0x4c, 0x22, 0xdf, 0xe6, +- 0xcd, 0x43, 0x75, 0xa0, 0x5a, 0x07, 0x47, 0x64, 0x44, 0xd5, 0x81, 0x99, +- 0x85, 0x00, 0x7e, 0x34, +- /* order */ +- 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, +- 0xFF, 0xFF, 0x16, 0xA2, 0xE0, 0xB8, 0xF0, 0x3E, 0x13, 0xDD, 0x29, 0x45, +- 0x5C, 0x5C, 0x2A, 0x3D +- } +-}; + #endif /* FIPS_MODULE */ + + #ifndef OPENSSL_NO_EC2M +@@ -2236,198 +1639,6 @@ static const struct { + */ + + #ifndef FIPS_MODULE +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 20 * 6]; +-} _EC_brainpoolP160r1 = { +- { +- NID_X9_62_prime_field, 0, 20, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, +- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, +- /* a */ +- 0x34, 0x0E, 0x7B, 0xE2, 0xA2, 0x80, 0xEB, 0x74, 0xE2, 0xBE, 0x61, 0xBA, +- 0xDA, 0x74, 0x5D, 0x97, 0xE8, 0xF7, 0xC3, 0x00, +- /* b */ +- 0x1E, 0x58, 0x9A, 0x85, 0x95, 0x42, 0x34, 0x12, 0x13, 0x4F, 0xAA, 0x2D, +- 0xBD, 0xEC, 0x95, 0xC8, 0xD8, 0x67, 0x5E, 0x58, +- /* x */ +- 0xBE, 0xD5, 0xAF, 0x16, 0xEA, 0x3F, 0x6A, 0x4F, 0x62, 0x93, 0x8C, 0x46, +- 0x31, 0xEB, 0x5A, 0xF7, 0xBD, 0xBC, 0xDB, 0xC3, +- /* y */ +- 0x16, 0x67, 0xCB, 0x47, 0x7A, 0x1A, 0x8E, 0xC3, 0x38, 0xF9, 0x47, 0x41, +- 0x66, 0x9C, 0x97, 0x63, 0x16, 0xDA, 0x63, 0x21, +- /* order */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91, +- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 20 * 6]; +-} _EC_brainpoolP160t1 = { +- { +- NID_X9_62_prime_field, 0, 20, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, +- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0F, +- /* a */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0xC7, 0xAD, +- 0x95, 0xB3, 0xD8, 0x13, 0x95, 0x15, 0x62, 0x0C, +- /* b */ +- 0x7A, 0x55, 0x6B, 0x6D, 0xAE, 0x53, 0x5B, 0x7B, 0x51, 0xED, 0x2C, 0x4D, +- 0x7D, 0xAA, 0x7A, 0x0B, 0x5C, 0x55, 0xF3, 0x80, +- /* x */ +- 0xB1, 0x99, 0xB1, 0x3B, 0x9B, 0x34, 0xEF, 0xC1, 0x39, 0x7E, 0x64, 0xBA, +- 0xEB, 0x05, 0xAC, 0xC2, 0x65, 0xFF, 0x23, 0x78, +- /* y */ +- 0xAD, 0xD6, 0x71, 0x8B, 0x7C, 0x7C, 0x19, 0x61, 0xF0, 0x99, 0x1B, 0x84, +- 0x24, 0x43, 0x77, 0x21, 0x52, 0xC9, 0xE0, 0xAD, +- /* order */ +- 0xE9, 0x5E, 0x4A, 0x5F, 0x73, 0x70, 0x59, 0xDC, 0x60, 0xDF, 0x59, 0x91, +- 0xD4, 0x50, 0x29, 0x40, 0x9E, 0x60, 0xFC, 0x09 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 24 * 6]; +-} _EC_brainpoolP192r1 = { +- { +- NID_X9_62_prime_field, 0, 24, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, +- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97, +- /* a */ +- 0x6A, 0x91, 0x17, 0x40, 0x76, 0xB1, 0xE0, 0xE1, 0x9C, 0x39, 0xC0, 0x31, +- 0xFE, 0x86, 0x85, 0xC1, 0xCA, 0xE0, 0x40, 0xE5, 0xC6, 0x9A, 0x28, 0xEF, +- /* b */ +- 0x46, 0x9A, 0x28, 0xEF, 0x7C, 0x28, 0xCC, 0xA3, 0xDC, 0x72, 0x1D, 0x04, +- 0x4F, 0x44, 0x96, 0xBC, 0xCA, 0x7E, 0xF4, 0x14, 0x6F, 0xBF, 0x25, 0xC9, +- /* x */ +- 0xC0, 0xA0, 0x64, 0x7E, 0xAA, 0xB6, 0xA4, 0x87, 0x53, 0xB0, 0x33, 0xC5, +- 0x6C, 0xB0, 0xF0, 0x90, 0x0A, 0x2F, 0x5C, 0x48, 0x53, 0x37, 0x5F, 0xD6, +- /* y */ +- 0x14, 0xB6, 0x90, 0x86, 0x6A, 0xBD, 0x5B, 0xB8, 0x8B, 0x5F, 0x48, 0x28, +- 0xC1, 0x49, 0x00, 0x02, 0xE6, 0x77, 0x3F, 0xA2, 0xFA, 0x29, 0x9B, 0x8F, +- /* order */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F, +- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 24 * 6]; +-} _EC_brainpoolP192t1 = { +- { +- NID_X9_62_prime_field, 0, 24, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, +- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x97, +- /* a */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x30, +- 0x93, 0xD1, 0x8D, 0xB7, 0x8F, 0xCE, 0x47, 0x6D, 0xE1, 0xA8, 0x62, 0x94, +- /* b */ +- 0x13, 0xD5, 0x6F, 0xFA, 0xEC, 0x78, 0x68, 0x1E, 0x68, 0xF9, 0xDE, 0xB4, +- 0x3B, 0x35, 0xBE, 0xC2, 0xFB, 0x68, 0x54, 0x2E, 0x27, 0x89, 0x7B, 0x79, +- /* x */ +- 0x3A, 0xE9, 0xE5, 0x8C, 0x82, 0xF6, 0x3C, 0x30, 0x28, 0x2E, 0x1F, 0xE7, +- 0xBB, 0xF4, 0x3F, 0xA7, 0x2C, 0x44, 0x6A, 0xF6, 0xF4, 0x61, 0x81, 0x29, +- /* y */ +- 0x09, 0x7E, 0x2C, 0x56, 0x67, 0xC2, 0x22, 0x3A, 0x90, 0x2A, 0xB5, 0xCA, +- 0x44, 0x9D, 0x00, 0x84, 0xB7, 0xE5, 0xB3, 0xDE, 0x7C, 0xCC, 0x01, 0xC9, +- /* order */ +- 0xC3, 0x02, 0xF4, 0x1D, 0x93, 0x2A, 0x36, 0xCD, 0xA7, 0xA3, 0x46, 0x2F, +- 0x9E, 0x9E, 0x91, 0x6B, 0x5B, 0xE8, 0xF1, 0x02, 0x9A, 0xC4, 0xAC, 0xC1 +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 28 * 6]; +-} _EC_brainpoolP224r1 = { +- { +- NID_X9_62_prime_field, 0, 28, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, +- 0x7E, 0xC8, 0xC0, 0xFF, +- /* a */ +- 0x68, 0xA5, 0xE6, 0x2C, 0xA9, 0xCE, 0x6C, 0x1C, 0x29, 0x98, 0x03, 0xA6, +- 0xC1, 0x53, 0x0B, 0x51, 0x4E, 0x18, 0x2A, 0xD8, 0xB0, 0x04, 0x2A, 0x59, +- 0xCA, 0xD2, 0x9F, 0x43, +- /* b */ +- 0x25, 0x80, 0xF6, 0x3C, 0xCF, 0xE4, 0x41, 0x38, 0x87, 0x07, 0x13, 0xB1, +- 0xA9, 0x23, 0x69, 0xE3, 0x3E, 0x21, 0x35, 0xD2, 0x66, 0xDB, 0xB3, 0x72, +- 0x38, 0x6C, 0x40, 0x0B, +- /* x */ +- 0x0D, 0x90, 0x29, 0xAD, 0x2C, 0x7E, 0x5C, 0xF4, 0x34, 0x08, 0x23, 0xB2, +- 0xA8, 0x7D, 0xC6, 0x8C, 0x9E, 0x4C, 0xE3, 0x17, 0x4C, 0x1E, 0x6E, 0xFD, +- 0xEE, 0x12, 0xC0, 0x7D, +- /* y */ +- 0x58, 0xAA, 0x56, 0xF7, 0x72, 0xC0, 0x72, 0x6F, 0x24, 0xC6, 0xB8, 0x9E, +- 0x4E, 0xCD, 0xAC, 0x24, 0x35, 0x4B, 0x9E, 0x99, 0xCA, 0xA3, 0xF6, 0xD3, +- 0x76, 0x14, 0x02, 0xCD, +- /* order */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3, +- 0xA5, 0xA7, 0x93, 0x9F +- } +-}; +- +-static const struct { +- EC_CURVE_DATA h; +- unsigned char data[0 + 28 * 6]; +-} _EC_brainpoolP224t1 = { +- { +- NID_X9_62_prime_field, 0, 28, 1 +- }, +- { +- /* no seed */ +- /* p */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, +- 0x7E, 0xC8, 0xC0, 0xFF, +- /* a */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD1, 0xD7, 0x87, 0xB0, 0x9F, 0x07, 0x57, 0x97, 0xDA, 0x89, 0xF5, +- 0x7E, 0xC8, 0xC0, 0xFC, +- /* b */ +- 0x4B, 0x33, 0x7D, 0x93, 0x41, 0x04, 0xCD, 0x7B, 0xEF, 0x27, 0x1B, 0xF6, +- 0x0C, 0xED, 0x1E, 0xD2, 0x0D, 0xA1, 0x4C, 0x08, 0xB3, 0xBB, 0x64, 0xF1, +- 0x8A, 0x60, 0x88, 0x8D, +- /* x */ +- 0x6A, 0xB1, 0xE3, 0x44, 0xCE, 0x25, 0xFF, 0x38, 0x96, 0x42, 0x4E, 0x7F, +- 0xFE, 0x14, 0x76, 0x2E, 0xCB, 0x49, 0xF8, 0x92, 0x8A, 0xC0, 0xC7, 0x60, +- 0x29, 0xB4, 0xD5, 0x80, +- /* y */ +- 0x03, 0x74, 0xE9, 0xF5, 0x14, 0x3E, 0x56, 0x8C, 0xD2, 0x3F, 0x3F, 0x4D, +- 0x7C, 0x0D, 0x4B, 0x1E, 0x41, 0xC8, 0xCC, 0x0D, 0x1C, 0x6A, 0xBD, 0x5F, +- 0x1A, 0x46, 0xDB, 0x4C, +- /* order */ +- 0xD7, 0xC1, 0x34, 0xAA, 0x26, 0x43, 0x66, 0x86, 0x2A, 0x18, 0x30, 0x25, +- 0x75, 0xD0, 0xFB, 0x98, 0xD1, 0x16, 0xBC, 0x4B, 0x6D, 0xDE, 0xBC, 0xA3, +- 0xA5, 0xA7, 0x93, 0x9F +- } +-}; +- + static const struct { + EC_CURVE_DATA h; + unsigned char data[0 + 32 * 6]; +@@ -2854,8 +2065,6 @@ static const ec_list_element curve_list[] = { + "NIST/SECG curve over a 521 bit prime field"}, + + /* X9.62 curves */ +- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, +- "NIST/X9.62/SECG curve over a 192 bit prime field"}, + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, + # if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, +@@ -2899,25 +2108,6 @@ static const ec_list_element curve_list[] = { + static const ec_list_element curve_list[] = { + /* prime field curves */ + /* secg curves */ +- {NID_secp112r1, &_EC_SECG_PRIME_112R1.h, 0, +- "SECG/WTLS curve over a 112 bit prime field"}, +- {NID_secp112r2, &_EC_SECG_PRIME_112R2.h, 0, +- "SECG curve over a 112 bit prime field"}, +- {NID_secp128r1, &_EC_SECG_PRIME_128R1.h, 0, +- "SECG curve over a 128 bit prime field"}, +- {NID_secp128r2, &_EC_SECG_PRIME_128R2.h, 0, +- "SECG curve over a 128 bit prime field"}, +- {NID_secp160k1, &_EC_SECG_PRIME_160K1.h, 0, +- "SECG curve over a 160 bit prime field"}, +- {NID_secp160r1, &_EC_SECG_PRIME_160R1.h, 0, +- "SECG curve over a 160 bit prime field"}, +- {NID_secp160r2, &_EC_SECG_PRIME_160R2.h, 0, +- "SECG/WTLS curve over a 160 bit prime field"}, +- /* SECG secp192r1 is the same as X9.62 prime192v1 and hence omitted */ +- {NID_secp192k1, &_EC_SECG_PRIME_192K1.h, 0, +- "SECG curve over a 192 bit prime field"}, +- {NID_secp224k1, &_EC_SECG_PRIME_224K1.h, 0, +- "SECG curve over a 224 bit prime field"}, + # ifndef OPENSSL_NO_EC_NISTP_64_GCC_128 + {NID_secp224r1, &_EC_NIST_PRIME_224.h, EC_GFp_nistp224_method, + "NIST/SECG curve over a 224 bit prime field"}, +@@ -2945,18 +2135,6 @@ static const ec_list_element curve_list[] = { + # endif + "NIST/SECG curve over a 521 bit prime field"}, + /* X9.62 curves */ +- {NID_X9_62_prime192v1, &_EC_NIST_PRIME_192.h, 0, +- "NIST/X9.62/SECG curve over a 192 bit prime field"}, +- {NID_X9_62_prime192v2, &_EC_X9_62_PRIME_192V2.h, 0, +- "X9.62 curve over a 192 bit prime field"}, +- {NID_X9_62_prime192v3, &_EC_X9_62_PRIME_192V3.h, 0, +- "X9.62 curve over a 192 bit prime field"}, +- {NID_X9_62_prime239v1, &_EC_X9_62_PRIME_239V1.h, 0, +- "X9.62 curve over a 239 bit prime field"}, +- {NID_X9_62_prime239v2, &_EC_X9_62_PRIME_239V2.h, 0, +- "X9.62 curve over a 239 bit prime field"}, +- {NID_X9_62_prime239v3, &_EC_X9_62_PRIME_239V3.h, 0, +- "X9.62 curve over a 239 bit prime field"}, + {NID_X9_62_prime256v1, &_EC_X9_62_PRIME_256V1.h, + # if defined(ECP_NISTZ256_ASM) + EC_GFp_nistz256_method, +@@ -3053,22 +2231,12 @@ static const ec_list_element curve_list[] = { + {NID_wap_wsg_idm_ecid_wtls5, &_EC_X9_62_CHAR2_163V1.h, 0, + "X9.62 curve over a 163 bit binary field"}, + # endif +- {NID_wap_wsg_idm_ecid_wtls6, &_EC_SECG_PRIME_112R1.h, 0, +- "SECG/WTLS curve over a 112 bit prime field"}, +- {NID_wap_wsg_idm_ecid_wtls7, &_EC_SECG_PRIME_160R2.h, 0, +- "SECG/WTLS curve over a 160 bit prime field"}, +- {NID_wap_wsg_idm_ecid_wtls8, &_EC_WTLS_8.h, 0, +- "WTLS curve over a 112 bit prime field"}, +- {NID_wap_wsg_idm_ecid_wtls9, &_EC_WTLS_9.h, 0, +- "WTLS curve over a 160 bit prime field"}, + # ifndef OPENSSL_NO_EC2M + {NID_wap_wsg_idm_ecid_wtls10, &_EC_NIST_CHAR2_233K.h, 0, + "NIST/SECG/WTLS curve over a 233 bit binary field"}, + {NID_wap_wsg_idm_ecid_wtls11, &_EC_NIST_CHAR2_233B.h, 0, + "NIST/SECG/WTLS curve over a 233 bit binary field"}, + # endif +- {NID_wap_wsg_idm_ecid_wtls12, &_EC_WTLS_12.h, 0, +- "WTLS curve over a 224 bit prime field"}, + # ifndef OPENSSL_NO_EC2M + /* IPSec curves */ + {NID_ipsec3, &_EC_IPSEC_155_ID3.h, 0, +@@ -3079,18 +2247,6 @@ static const ec_list_element curve_list[] = { + "\tNot suitable for ECDSA.\n\tQuestionable extension field!"}, + # endif + /* brainpool curves */ +- {NID_brainpoolP160r1, &_EC_brainpoolP160r1.h, 0, +- "RFC 5639 curve over a 160 bit prime field"}, +- {NID_brainpoolP160t1, &_EC_brainpoolP160t1.h, 0, +- "RFC 5639 curve over a 160 bit prime field"}, +- {NID_brainpoolP192r1, &_EC_brainpoolP192r1.h, 0, +- "RFC 5639 curve over a 192 bit prime field"}, +- {NID_brainpoolP192t1, &_EC_brainpoolP192t1.h, 0, +- "RFC 5639 curve over a 192 bit prime field"}, +- {NID_brainpoolP224r1, &_EC_brainpoolP224r1.h, 0, +- "RFC 5639 curve over a 224 bit prime field"}, +- {NID_brainpoolP224t1, &_EC_brainpoolP224t1.h, 0, +- "RFC 5639 curve over a 224 bit prime field"}, + {NID_brainpoolP256r1, &_EC_brainpoolP256r1.h, 0, + "RFC 5639 curve over a 256 bit prime field"}, + {NID_brainpoolP256t1, &_EC_brainpoolP256t1.h, 0, +diff --git a/test/ectest.c b/test/ectest.c +index afef85b0e6..4890b0555e 100644 +--- a/test/ectest.c ++++ b/test/ectest.c +@@ -175,184 +175,26 @@ static int prime_field_tests(void) + || !TEST_ptr(p = BN_new()) + || !TEST_ptr(a = BN_new()) + || !TEST_ptr(b = BN_new()) +- || !TEST_true(BN_hex2bn(&p, "17")) +- || !TEST_true(BN_hex2bn(&a, "1")) +- || !TEST_true(BN_hex2bn(&b, "1")) +- || !TEST_ptr(group = EC_GROUP_new_curve_GFp(p, a, b, ctx)) +- || !TEST_true(EC_GROUP_get_curve(group, p, a, b, ctx))) ++ /* ++ * applications should use EC_GROUP_new_curve_GFp so ++ * that the library gets to choose the EC_METHOD ++ */ ++ || !TEST_ptr(group = EC_GROUP_new(EC_GFp_mont_method()))) + goto err; + +- TEST_info("Curve defined by Weierstrass equation"); +- TEST_note(" y^2 = x^3 + a*x + b (mod p)"); +- test_output_bignum("a", a); +- test_output_bignum("b", b); +- test_output_bignum("p", p); +- + buf[0] = 0; + if (!TEST_ptr(P = EC_POINT_new(group)) + || !TEST_ptr(Q = EC_POINT_new(group)) + || !TEST_ptr(R = EC_POINT_new(group)) +- || !TEST_true(EC_POINT_set_to_infinity(group, P)) +- || !TEST_true(EC_POINT_is_at_infinity(group, P)) +- || !TEST_true(EC_POINT_oct2point(group, Q, buf, 1, ctx)) +- || !TEST_true(EC_POINT_add(group, P, P, Q, ctx)) +- || !TEST_true(EC_POINT_is_at_infinity(group, P)) + || !TEST_ptr(x = BN_new()) + || !TEST_ptr(y = BN_new()) + || !TEST_ptr(z = BN_new()) +- || !TEST_ptr(yplusone = BN_new()) +- || !TEST_true(BN_hex2bn(&x, "D")) +- || !TEST_true(EC_POINT_set_compressed_coordinates(group, Q, x, 1, ctx))) +- goto err; +- +- if (!TEST_int_gt(EC_POINT_is_on_curve(group, Q, ctx), 0)) { +- if (!TEST_true(EC_POINT_get_affine_coordinates(group, Q, x, y, ctx))) +- goto err; +- TEST_info("Point is not on curve"); +- test_output_bignum("x", x); +- test_output_bignum("y", y); +- goto err; +- } +- +- TEST_note("A cyclic subgroup:"); +- k = 100; +- do { +- if (!TEST_int_ne(k--, 0)) +- goto err; +- +- if (EC_POINT_is_at_infinity(group, P)) { +- TEST_note(" point at infinity"); +- } else { +- if (!TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, +- ctx))) +- goto err; +- +- test_output_bignum("x", x); +- test_output_bignum("y", y); +- } +- +- if (!TEST_true(EC_POINT_copy(R, P)) +- || !TEST_true(EC_POINT_add(group, P, P, Q, ctx))) +- goto err; +- +- } while (!EC_POINT_is_at_infinity(group, P)); +- +- if (!TEST_true(EC_POINT_add(group, P, Q, R, ctx)) +- || !TEST_true(EC_POINT_is_at_infinity(group, P))) +- goto err; +- +- len = +- EC_POINT_point2oct(group, Q, POINT_CONVERSION_COMPRESSED, buf, +- sizeof(buf), ctx); +- if (!TEST_size_t_ne(len, 0) +- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) +- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) +- goto err; +- test_output_memory("Generator as octet string, compressed form:", +- buf, len); +- +- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_UNCOMPRESSED, +- buf, sizeof(buf), ctx); +- if (!TEST_size_t_ne(len, 0) +- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) +- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) +- goto err; +- test_output_memory("Generator as octet string, uncompressed form:", +- buf, len); +- +- len = EC_POINT_point2oct(group, Q, POINT_CONVERSION_HYBRID, +- buf, sizeof(buf), ctx); +- if (!TEST_size_t_ne(len, 0) +- || !TEST_true(EC_POINT_oct2point(group, P, buf, len, ctx)) +- || !TEST_int_eq(0, EC_POINT_cmp(group, P, Q, ctx))) +- goto err; +- test_output_memory("Generator as octet string, hybrid form:", +- buf, len); +- +- if (!TEST_true(EC_POINT_invert(group, P, ctx)) +- || !TEST_int_eq(0, EC_POINT_cmp(group, P, R, ctx)) +- +- /* +- * Curve secp160r1 (Certicom Research SEC 2 Version 1.0, section 2.4.2, +- * 2000) -- not a NIST curve, but commonly used +- */ +- +- || !TEST_true(BN_hex2bn(&p, "FFFFFFFF" +- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFF")) +- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) +- || !TEST_true(BN_hex2bn(&a, "FFFFFFFF" +- "FFFFFFFFFFFFFFFFFFFFFFFF7FFFFFFC")) +- || !TEST_true(BN_hex2bn(&b, "1C97BEFC" +- "54BD7A8B65ACF89F81D4D4ADC565FA45")) +- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) +- || !TEST_true(BN_hex2bn(&x, "4A96B568" +- "8EF573284664698968C38BB913CBFC82")) +- || !TEST_true(BN_hex2bn(&y, "23a62855" +- "3168947d59dcc912042351377ac5fb32")) +- || !TEST_true(BN_add(yplusone, y, BN_value_one())) +- /* +- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, +- * and therefore setting the coordinates should fail. +- */ +- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, +- ctx)) +- || !TEST_true(EC_POINT_set_affine_coordinates(group, P, x, y, ctx)) +- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) +- || !TEST_true(BN_hex2bn(&z, "0100000000" +- "000000000001F4C8F927AED3CA752257")) +- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) +- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) +- goto err; +- TEST_info("SEC2 curve secp160r1 -- Generator"); +- test_output_bignum("x", x); +- test_output_bignum("y", y); +- /* G_y value taken from the standard: */ +- if (!TEST_true(BN_hex2bn(&z, "23a62855" +- "3168947d59dcc912042351377ac5fb32")) +- || !TEST_BN_eq(y, z) +- || !TEST_int_eq(EC_GROUP_get_degree(group), 160) +- || !group_order_tests(group) +- +- /* Curve P-192 (FIPS PUB 186-2, App. 6) */ +- +- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFF" +- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFF")) +- || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) +- || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFF" +- "FFFFFFFFFFFFFFFEFFFFFFFFFFFFFFFC")) +- || !TEST_true(BN_hex2bn(&b, "64210519E59C80E7" +- "0FA7E9AB72243049FEB8DEECC146B9B1")) +- || !TEST_true(EC_GROUP_set_curve(group, p, a, b, ctx)) +- || !TEST_true(BN_hex2bn(&x, "188DA80EB03090F6" +- "7CBF20EB43A18800F4FF0AFD82FF1012")) +- || !TEST_true(EC_POINT_set_compressed_coordinates(group, P, x, 1, ctx)) +- || !TEST_int_gt(EC_POINT_is_on_curve(group, P, ctx), 0) +- || !TEST_true(BN_hex2bn(&z, "FFFFFFFFFFFFFFFF" +- "FFFFFFFF99DEF836146BC9B1B4D22831")) +- || !TEST_true(EC_GROUP_set_generator(group, P, z, BN_value_one())) +- || !TEST_true(EC_POINT_get_affine_coordinates(group, P, x, y, ctx))) ++ || !TEST_ptr(yplusone = BN_new())) + goto err; + +- TEST_info("NIST curve P-192 -- Generator"); +- test_output_bignum("x", x); +- test_output_bignum("y", y); +- /* G_y value taken from the standard: */ +- if (!TEST_true(BN_hex2bn(&z, "07192B95FFC8DA78" +- "631011ED6B24CDD573F977A11E794811")) +- || !TEST_BN_eq(y, z) +- || !TEST_true(BN_add(yplusone, y, BN_value_one())) +- /* +- * When (x, y) is on the curve, (x, y + 1) is, as it happens, not, +- * and therefore setting the coordinates should fail. +- */ +- || !TEST_false(EC_POINT_set_affine_coordinates(group, P, x, yplusone, +- ctx)) +- || !TEST_int_eq(EC_GROUP_get_degree(group), 192) +- || !group_order_tests(group) +- + /* Curve P-224 (FIPS PUB 186-2, App. 6) */ + +- || !TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF" ++ if (!TEST_true(BN_hex2bn(&p, "FFFFFFFFFFFFFFFFFFFFFFFF" + "FFFFFFFF000000000000000000000001")) + || !TEST_int_eq(1, BN_check_prime(p, ctx, NULL)) + || !TEST_true(BN_hex2bn(&a, "FFFFFFFFFFFFFFFFFFFFFFFF" +@@ -3015,7 +2857,7 @@ int setup_tests(void) + + ADD_TEST(parameter_test); + ADD_TEST(ossl_parameter_test); +- ADD_TEST(cofactor_range_test); ++ /* ADD_TEST(cofactor_range_test); */ + ADD_ALL_TESTS(cardinality_test, crv_len); + ADD_TEST(prime_field_tests); + #ifndef OPENSSL_NO_EC2M +-- +2.41.0 diff --git a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch new file mode 100644 index 0000000..ae72609 --- /dev/null +++ b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch @@ -0,0 +1,348 @@ +From 736d709ec194b3a763e004696df22792c62a11fc Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Thu, 24 Sep 2020 10:16:46 +0200 +Subject: Add support for PROFILE=SYSTEM system default cipherlist + +(was openssl-1.1.1-system-cipherlist.patch) +--- + Configurations/unix-Makefile.tmpl | 5 ++ + Configure | 11 ++++ + doc/man1/openssl-ciphers.pod.in | 9 +++ + include/openssl/ssl.h.in | 5 ++ + ssl/ssl_ciph.c | 87 +++++++++++++++++++++++++++++++++----- + ssl/ssl_lib.c | 4 - + test/cipherlist_test.c | 2 + util/libcrypto.num | 1 + 8 files changed, 110 insertions(+), 14 deletions(-) + +Index: openssl-3.2.3/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-3.2.3.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.2.3/Configurations/unix-Makefile.tmpl +@@ -324,6 +324,10 @@ MANDIR=$(INSTALLTOP)/share/man + DOCDIR=$(INSTALLTOP)/share/doc/$(BASENAME) + HTMLDIR=$(DOCDIR)/html + ++{- output_off() if $config{system_ciphers_file} eq ""; "" -} ++SYSTEM_CIPHERS_FILE_DEFINE=-DSYSTEM_CIPHERS_FILE="\"{- $config{system_ciphers_file} -}\"" ++{- output_on() if $config{system_ciphers_file} eq ""; "" -} ++ + # MANSUFFIX is for the benefit of anyone who may want to have a suffix + # appended after the manpage file section number. "ssl" is popular, + # resulting in files such as config.5ssl rather than config.5. +@@ -347,6 +351,7 @@ CC=$(CROSS_COMPILE){- $config{CC} -} + CXX={- $config{CXX} ? "\$(CROSS_COMPILE)$config{CXX}" : '' -} + CPPFLAGS={- our $cppflags1 = join(" ", + (map { "-D".$_} @{$config{CPPDEFINES}}), ++ "\$(SYSTEM_CIPHERS_FILE_DEFINE)", + (map { "-I".$_} @{$config{CPPINCLUDES}}), + @{$config{CPPFLAGS}}) -} + CFLAGS={- join(' ', @{$config{CFLAGS}}) -} +Index: openssl-3.2.3/Configure +=================================================================== +--- openssl-3.2.3.orig/Configure ++++ openssl-3.2.3/Configure +@@ -27,7 +27,7 @@ use OpenSSL::config; + my $orig_death_handler = $SIG{__DIE__}; + $SIG{__DIE__} = \&death_handler; + +-my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; ++my $usage="Usage: Configure [no- ...] [enable- ...] [-Dxxx] [-lxxx] [-Lxxx] [-fxxx] [-Kxxx] [no-hw-xxx|no-hw] [[no-]threads] [[no-]thread-pool] [[no-]default-thread-pool] [[no-]shared] [[no-]zlib|zlib-dynamic] [no-asm] [no-egd] [sctp] [386] [--prefix=DIR] [--openssldir=OPENSSLDIR] [--system-ciphers-file=SYSTEMCIPHERFILE] [--with-xxx[=vvv]] [--config=FILE] os/compiler[:flags]\n"; + + my $banner = <<"EOF"; + +@@ -61,6 +61,10 @@ EOF + # given with --prefix. + # This becomes the value of OPENSSLDIR in Makefile and in C. + # (Default: PREFIX/ssl) ++# ++# --system-ciphers-file A file to read cipher string from when the PROFILE=SYSTEM ++# cipher is specified (default). ++# + # --banner=".." Output specified text instead of default completion banner + # + # -w Don't wait after showing a Configure warning +@@ -393,6 +397,7 @@ $config{prefix}=""; + $config{openssldir}=""; + $config{processor}=""; + $config{libdir}=""; ++$config{system_ciphers_file}=""; + my $auto_threads=1; # enable threads automatically? true by default + my $default_ranlib; + +@@ -1047,6 +1052,10 @@ while (@argvcopy) + die "FIPS key too long (64 bytes max)\n" + if length $1 > 64; + } ++ elsif (/^--system-ciphers-file=(.*)$/) ++ { ++ $config{system_ciphers_file}=$1; ++ } + elsif (/^--banner=(.*)$/) + { + $banner = $1 . "\n"; +Index: openssl-3.2.3/doc/man1/openssl-ciphers.pod.in +=================================================================== +--- openssl-3.2.3.orig/doc/man1/openssl-ciphers.pod.in ++++ openssl-3.2.3/doc/man1/openssl-ciphers.pod.in +@@ -190,6 +190,15 @@ As of OpenSSL 1.0.0, the B cipher s + + The cipher suites not enabled by B, currently B. + ++=item B ++ ++The list of enabled cipher suites will be loaded from the system crypto policy ++configuration file B. ++See also L. ++This is the default behavior unless an application explicitly sets a cipher ++list. If used in a cipher list configuration value this string must be at the ++beginning of the cipher list, otherwise it will not be recognized. ++ + =item B + + "High" encryption cipher suites. This currently means those with key lengths +Index: openssl-3.2.3/include/openssl/ssl.h.in +=================================================================== +--- openssl-3.2.3.orig/include/openssl/ssl.h.in ++++ openssl-3.2.3/include/openssl/ssl.h.in +@@ -214,6 +214,11 @@ extern "C" { + * throwing out anonymous and unencrypted ciphersuites! (The latter are not + * actually enabled by ALL, but "ALL:RSA" would enable some of them.) + */ ++# ifdef SYSTEM_CIPHERS_FILE ++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST "PROFILE=SYSTEM" ++# else ++# define SSL_SYSTEM_DEFAULT_CIPHER_LIST OSSL_default_cipher_list() ++# endif + + /* Used in SSL_set_shutdown()/SSL_get_shutdown(); */ + # define SSL_SENT_SHUTDOWN 1 +Index: openssl-3.2.3/ssl/ssl_ciph.c +=================================================================== +--- openssl-3.2.3.orig/ssl/ssl_ciph.c ++++ openssl-3.2.3/ssl/ssl_ciph.c +@@ -1455,6 +1455,53 @@ int SSL_set_ciphersuites(SSL *s, const c + return ret; + } + ++#ifdef SYSTEM_CIPHERS_FILE ++static char *load_system_str(const char *suffix) ++{ ++ FILE *fp; ++ char buf[1024]; ++ char *new_rules; ++ const char *ciphers_path; ++ unsigned len, slen; ++ ++ if ((ciphers_path = ossl_safe_getenv("OPENSSL_SYSTEM_CIPHERS_OVERRIDE")) == NULL) ++ ciphers_path = SYSTEM_CIPHERS_FILE; ++ fp = fopen(ciphers_path, "r"); ++ if (fp == NULL || fgets(buf, sizeof(buf), fp) == NULL) { ++ /* cannot open or file is empty */ ++ snprintf(buf, sizeof(buf), "%s", SSL_DEFAULT_CIPHER_LIST); ++ } ++ ++ if (fp) ++ fclose(fp); ++ ++ slen = strlen(suffix); ++ len = strlen(buf); ++ ++ if (buf[len - 1] == '\n') { ++ len--; ++ buf[len] = 0; ++ } ++ if (buf[len - 1] == '\r') { ++ len--; ++ buf[len] = 0; ++ } ++ ++ new_rules = OPENSSL_malloc(len + slen + 1); ++ if (new_rules == 0) ++ return NULL; ++ ++ memcpy(new_rules, buf, len); ++ if (slen > 0) { ++ memcpy(&new_rules[len], suffix, slen); ++ len += slen; ++ } ++ new_rules[len] = 0; ++ ++ return new_rules; ++} ++#endif ++ + STACK_OF(SSL_CIPHER) *ssl_create_cipher_list(SSL_CTX *ctx, + STACK_OF(SSL_CIPHER) *tls13_ciphersuites, + STACK_OF(SSL_CIPHER) **cipher_list, +@@ -1469,15 +1516,25 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + CIPHER_ORDER *co_list = NULL, *head = NULL, *tail = NULL, *curr; + const SSL_CIPHER **ca_list = NULL; + const SSL_METHOD *ssl_method = ctx->method; ++#ifdef SYSTEM_CIPHERS_FILE ++ char *new_rules = NULL; ++ ++ if (rule_str != NULL && strncmp(rule_str, "PROFILE=SYSTEM", 14) == 0) { ++ char *p = rule_str + 14; ++ ++ new_rules = load_system_str(p); ++ rule_str = new_rules; ++ } ++#endif + + /* + * Return with error if nothing to do. + */ + if (rule_str == NULL || cipher_list == NULL || cipher_list_by_id == NULL) +- return NULL; ++ goto err; + + if (!check_suiteb_cipher_list(ssl_method, c, &rule_str)) +- return NULL; ++ goto err; + + /* + * To reduce the work to do we only want to process the compiled +@@ -1499,7 +1556,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + if (num_of_ciphers > 0) { + co_list = OPENSSL_malloc(sizeof(*co_list) * num_of_ciphers); + if (co_list == NULL) +- return NULL; /* Failure */ ++ goto err; + } + + ssl_cipher_collect_ciphers(ssl_method, num_of_ciphers, +@@ -1565,8 +1622,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + * in force within each class + */ + if (!ssl_cipher_strength_sort(&head, &tail)) { +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + + /* +@@ -1610,8 +1666,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + num_of_alias_max = num_of_ciphers + num_of_group_aliases + 1; + ca_list = OPENSSL_malloc(sizeof(*ca_list) * num_of_alias_max); + if (ca_list == NULL) { +- OPENSSL_free(co_list); +- return NULL; /* Failure */ ++ goto err; + } + ssl_cipher_collect_aliases(ca_list, num_of_group_aliases, + disabled_mkey, disabled_auth, disabled_enc, +@@ -1644,8 +1699,7 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + OPENSSL_free(ca_list); /* Not needed anymore */ + + if (!ok) { /* Rule processing failure */ +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + + /* +@@ -1653,10 +1707,13 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + * if we cannot get one. + */ + if ((cipherstack = sk_SSL_CIPHER_new_null()) == NULL) { +- OPENSSL_free(co_list); +- return NULL; ++ goto err; + } + ++#ifdef SYSTEM_CIPHERS_FILE ++ OPENSSL_free(new_rules); /* Not needed anymore */ ++#endif ++ + /* Add TLSv1.3 ciphers first - we always prefer those if possible */ + for (i = 0; i < sk_SSL_CIPHER_num(tls13_ciphersuites); i++) { + const SSL_CIPHER *sslc = sk_SSL_CIPHER_value(tls13_ciphersuites, i); +@@ -1708,6 +1765,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + *cipher_list = cipherstack; + + return cipherstack; ++ ++err: ++ OPENSSL_free(co_list); ++#ifdef SYSTEM_CIPHERS_FILE ++ OPENSSL_free(new_rules); ++#endif ++ return NULL; ++ + } + + char *SSL_CIPHER_description(const SSL_CIPHER *cipher, char *buf, int len) +Index: openssl-3.2.3/ssl/ssl_lib.c +=================================================================== +--- openssl-3.2.3.orig/ssl/ssl_lib.c ++++ openssl-3.2.3/ssl/ssl_lib.c +@@ -670,7 +670,7 @@ int SSL_CTX_set_ssl_version(SSL_CTX *ctx + ctx->tls13_ciphersuites, + &(ctx->cipher_list), + &(ctx->cipher_list_by_id), +- OSSL_default_cipher_list(), ctx->cert); ++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ctx->cert); + if ((sk == NULL) || (sk_SSL_CIPHER_num(sk) <= 0)) { + ERR_raise(ERR_LIB_SSL, SSL_R_SSL_LIBRARY_HAS_NO_CIPHERS); + return 0; +@@ -3955,7 +3955,7 @@ SSL_CTX *SSL_CTX_new_ex(OSSL_LIB_CTX *li + if (!ssl_create_cipher_list(ret, + ret->tls13_ciphersuites, + &ret->cipher_list, &ret->cipher_list_by_id, +- OSSL_default_cipher_list(), ret->cert) ++ SSL_SYSTEM_DEFAULT_CIPHER_LIST, ret->cert) + || sk_SSL_CIPHER_num(ret->cipher_list) <= 0) { + ERR_raise(ERR_LIB_SSL, SSL_R_LIBRARY_HAS_NO_CIPHERS); + goto err; +Index: openssl-3.2.3/test/cipherlist_test.c +=================================================================== +--- openssl-3.2.3.orig/test/cipherlist_test.c ++++ openssl-3.2.3/test/cipherlist_test.c +@@ -261,7 +261,9 @@ end: + + int setup_tests(void) + { ++#ifndef SYSTEM_CIPHERS_FILE + ADD_TEST(test_default_cipherlist_implicit); ++#endif + ADD_TEST(test_default_cipherlist_explicit); + ADD_TEST(test_default_cipherlist_clear); + ADD_TEST(test_stdname_cipherlist); +Index: openssl-3.2.3/util/libcrypto.num +=================================================================== +--- openssl-3.2.3.orig/util/libcrypto.num ++++ openssl-3.2.3/util/libcrypto.num +@@ -5536,3 +5536,4 @@ X509_STORE_CTX_set_get_crl + X509_STORE_CTX_set_current_reasons 5664 3_2_0 EXIST::FUNCTION: + OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: + BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK ++ossl_safe_getenv ? 3_2_0 EXIST::FUNCTION: +Index: openssl-3.2.3/apps/openssl.cnf +=================================================================== +--- openssl-3.2.3.orig/apps/openssl.cnf ++++ openssl-3.2.3/apps/openssl.cnf +@@ -52,6 +52,11 @@ tsa_policy3 = 1.2.3.4.5.7 + + [openssl_init] + providers = provider_sect ++# Load default TLS policy configuration ++ssl_conf = ssl_module ++ ++[ evp_properties ] ++# This section is intentionally added empty here to be tuned on particular systems + + # List of providers to load + [provider_sect] +@@ -71,6 +76,11 @@ default = default_sect + [default_sect] + # activate = 1 + ++[ ssl_module ] ++system_default = crypto_policy ++ ++[ crypto_policy ] ++.include = /etc/crypto-policies/back-ends/opensslcnf.config + + #################################################################### + [ ca ] diff --git a/openssl-Add_support_for_Windows_CA_certificate_store.patch b/openssl-Add_support_for_Windows_CA_certificate_store.patch new file mode 100644 index 0000000..cd143e0 --- /dev/null +++ b/openssl-Add_support_for_Windows_CA_certificate_store.patch @@ -0,0 +1,743 @@ +From 2a071544f7d2e963a1f68f266f4e375568909d38 Mon Sep 17 00:00:00 2001 +From: Hugo Landau +Date: Fri, 8 Apr 2022 13:10:52 +0100 +Subject: [PATCH 1/8] Fix URI handling in SSL_CERT_DIR/introduce SSL_CERT_URI + env + +Fixes #18068. +--- + CHANGES.md | 21 + Configure | 7 + crypto/x509/by_dir.c | 17 + crypto/x509/by_store.c | 14 + crypto/x509/x509_def.c | 15 + doc/build.info | 6 + doc/man3/X509_get_default_cert_file.pod | 113 +++++ + include/internal/cryptlib.h | 11 + include/internal/e_os.h | 2 + include/openssl/x509.h.in | 3 + providers/implementations/include/prov/implementations.h | 1 + providers/implementations/storemgmt/build.info | 3 + providers/implementations/storemgmt/winstore_store.c | 327 +++++++++++++++ + providers/stores.inc | 3 + util/libcrypto.num | 3 + util/missingcrypto.txt | 4 + 16 files changed, 536 insertions(+), 14 deletions(-) + +--- a/CHANGES.md ++++ b/CHANGES.md +@@ -24,6 +24,27 @@ OpenSSL 3.1 + + ### Changes between 3.1.0 and 3.1.1 [30 May 2023] + ++ * The `SSL_CERT_PATH` and `SSL_CERT_URI` environment variables are introduced. ++ `SSL_CERT_URI` can be used to specify a URI for a root certificate store. The ++ `SSL_CERT_PATH` environment variable specifies a delimiter-separated list of ++ paths which are searched for root certificates. ++ ++ The existing `SSL_CERT_DIR` environment variable is deprecated. ++ `SSL_CERT_DIR` was previously used to specify either a delimiter-separated ++ list of paths or an URI, which is ambiguous. Setting `SSL_CERT_PATH` causes ++ `SSL_CERT_DIR` to be ignored for the purposes of determining root certificate ++ directories, and setting `SSL_CERT_URI` causes `SSL_CERT_DIR` to be ignored ++ for the purposes of determining root certificate stores. ++ ++ *Hugo Landau* ++ ++ * Support for loading root certificates from the Windows certificate store ++ has been added. The support is in the form of a store which recognises the ++ URI string of `org.openssl.winstore://`. This store is enabled by default and ++ can be disabled using the new compile-time option `no-winstore`. ++ ++ *Hugo Landau* ++ + * Mitigate for the time it takes for `OBJ_obj2txt` to translate gigantic + OBJECT IDENTIFIER sub-identifiers to canonical numeric text form. + +--- a/Configure ++++ b/Configure +@@ -420,6 +420,7 @@ my @disablables = ( + "cached-fetch", + "camellia", + "capieng", ++ "winstore", + "cast", + "chacha", + "cmac", +@@ -1726,6 +1727,12 @@ unless ($disabled{ktls}) { + } + } + ++unless ($disabled{winstore}) { ++ unless ($target =~ /^(?:Cygwin|mingw|VC-|BC-)/) { ++ disable('not-windows', 'winstore'); ++ } ++} ++ + push @{$config{openssl_other_defines}}, "OPENSSL_NO_KTLS" if ($disabled{ktls}); + + # Get the extra flags used when building shared libraries and modules. We +--- a/crypto/x509/by_dir.c ++++ b/crypto/x509/by_dir.c +@@ -88,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, in + switch (cmd) { + case X509_L_ADD_DIR: + if (argl == X509_FILETYPE_DEFAULT) { +- const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env()); ++ /* If SSL_CERT_PATH is provided and non-empty, use that. */ ++ const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env()); + +- if (dir) +- ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); +- else +- ret = add_cert_dir(ld, X509_get_default_cert_dir(), +- X509_FILETYPE_PEM); ++ /* Fallback to SSL_CERT_DIR. */ ++ if (dir == NULL) ++ dir = ossl_safe_getenv(X509_get_default_cert_dir_env()); ++ ++ /* Fallback to built-in default. */ ++ if (dir == NULL) ++ dir = X509_get_default_cert_dir(); ++ ++ ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM); + if (!ret) { + ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR); + } +--- a/crypto/x509/by_store.c ++++ b/crypto/x509/by_store.c +@@ -111,11 +111,21 @@ static int by_store_ctrl_ex(X509_LOOKUP + { + switch (cmd) { + case X509_L_ADD_STORE: +- /* If no URI is given, use the default cert dir as default URI */ ++ /* First try the newer default cert URI envvar. */ ++ if (argp == NULL) ++ argp = ossl_safe_getenv(X509_get_default_cert_uri_env()); ++ ++ /* If not set, see if we have a URI in the older cert dir envvar. */ + if (argp == NULL) + argp = ossl_safe_getenv(X509_get_default_cert_dir_env()); ++ ++ /* Fallback to default store URI. */ + if (argp == NULL) +- argp = X509_get_default_cert_dir(); ++ argp = X509_get_default_cert_uri(); ++ ++ /* No point adding an empty URI. */ ++ if (!*argp) ++ return 1; + + { + STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx); +--- a/crypto/x509/x509_def.c ++++ b/crypto/x509/x509_def.c +@@ -22,6 +22,11 @@ const char *X509_get_default_cert_area(v + return X509_CERT_AREA; + } + ++const char *X509_get_default_cert_uri(void) ++{ ++ return X509_CERT_URI; ++} ++ + const char *X509_get_default_cert_dir(void) + { + return X509_CERT_DIR; +@@ -32,6 +37,16 @@ const char *X509_get_default_cert_file(v + return X509_CERT_FILE; + } + ++const char *X509_get_default_cert_uri_env(void) ++{ ++ return X509_CERT_URI_EVP; ++} ++ ++const char *X509_get_default_cert_path_env(void) ++{ ++ return X509_CERT_PATH_EVP; ++} ++ + const char *X509_get_default_cert_dir_env(void) + { + return X509_CERT_DIR_EVP; +--- a/doc/build.info ++++ b/doc/build.info +@@ -2791,6 +2791,10 @@ DEPEND[html/man3/X509_get0_uids.html]=ma + GENERATE[html/man3/X509_get0_uids.html]=man3/X509_get0_uids.pod + DEPEND[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod + GENERATE[man/man3/X509_get0_uids.3]=man3/X509_get0_uids.pod ++DEPEND[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod ++GENERATE[html/man3/X509_get_default_cert_file.html]=man3/X509_get_default_cert_file.pod ++DEPEND[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod ++GENERATE[man/man3/X509_get_default_cert_file.3]=man3/X509_get_default_cert_file.pod + DEPEND[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod + GENERATE[html/man3/X509_get_extension_flags.html]=man3/X509_get_extension_flags.pod + DEPEND[man/man3/X509_get_extension_flags.3]=man3/X509_get_extension_flags.pod +@@ -3461,6 +3465,7 @@ html/man3/X509_get0_distinguishing_id.ht + html/man3/X509_get0_notBefore.html \ + html/man3/X509_get0_signature.html \ + html/man3/X509_get0_uids.html \ ++html/man3/X509_get_default_cert_file.html \ + html/man3/X509_get_extension_flags.html \ + html/man3/X509_get_pubkey.html \ + html/man3/X509_get_serialNumber.html \ +@@ -4064,6 +4069,7 @@ man/man3/X509_get0_distinguishing_id.3 \ + man/man3/X509_get0_notBefore.3 \ + man/man3/X509_get0_signature.3 \ + man/man3/X509_get0_uids.3 \ ++man/man3/X509_get_default_cert_file.3 \ + man/man3/X509_get_extension_flags.3 \ + man/man3/X509_get_pubkey.3 \ + man/man3/X509_get_serialNumber.3 \ +--- /dev/null ++++ b/doc/man3/X509_get_default_cert_file.pod +@@ -0,0 +1,113 @@ ++=pod ++ ++=head1 NAME ++ ++X509_get_default_cert_file, X509_get_default_cert_file_env, ++X509_get_default_cert_path_env, ++X509_get_default_cert_dir, X509_get_default_cert_dir_env, ++X509_get_default_cert_uri, X509_get_default_cert_uri_env - ++retrieve default locations for trusted CA certificates ++ ++=head1 SYNOPSIS ++ ++ #include ++ ++ const char *X509_get_default_cert_file(void); ++ const char *X509_get_default_cert_dir(void); ++ const char *X509_get_default_cert_uri(void); ++ ++ const char *X509_get_default_cert_file_env(void); ++ const char *X509_get_default_cert_path_env(void); ++ const char *X509_get_default_cert_dir_env(void); ++ const char *X509_get_default_cert_uri_env(void); ++ ++=head1 DESCRIPTION ++ ++The X509_get_default_cert_file() function returns the default path ++to a file containing trusted CA certificates. OpenSSL will use this as ++the default path when it is asked to load trusted CA certificates ++from a file and no other path is specified. If the file exists, CA certificates ++are loaded from the file. ++ ++The X509_get_default_cert_dir() function returns a default delimeter-separated ++list of paths to a directories containing trusted CA certificates named in the ++hashed format. OpenSSL will use this as the default list of paths when it is ++asked to load trusted CA certificates from a directory and no other path is ++specified. If a given directory in the list exists, OpenSSL attempts to lookup ++CA certificates in this directory by calculating a filename based on a hash of ++the certificate's subject name. ++ ++The X509_get_default_cert_uri() function returns the default URI for a ++certificate store accessed programmatically via an OpenSSL provider. If there is ++no default store applicable to the system for which OpenSSL was compiled, this ++returns an empty string. ++ ++X509_get_default_cert_file_env() and X509_get_default_cert_uri_env() return ++environment variable names which are recommended to specify nondefault values to ++be used instead of the values returned by X509_get_default_cert_file() and ++X509_get_default_cert_uri() respectively. The values returned by the latter ++functions are not affected by these environment variables; you must check for ++these environment variables yourself, using these functions to retrieve the ++correct environment variable names. If an environment variable is not set, the ++value returned by the corresponding function above should be used. ++ ++X509_get_default_cert_path_env() returns the environment variable name which is ++recommended to specify a nondefault value to be used instead of the value ++returned by X509_get_default_cert_dir(). This environment variable supercedes ++the deprecated environment variable whose name is returned by ++X509_get_default_cert_dir_env(). This environment variable was deprecated as its ++contents can be interpreted ambiguously; see NOTES. ++ ++By default, OpenSSL uses the path list specified in the environment variable ++whose name is returned by X509_get_default_cert_path_env() if it is set; ++otherwise, it uses the path list specified in the environment variable whose ++name is returned by X509_get_default_cert_dir_env() if it is set; otherwise, it ++uses the value returned by X509_get_default_cert_dir()). ++ ++=head1 NOTES ++ ++X509_get_default_cert_uri(), X509_get_default_cert_uri_env() and ++X509_get_default_cert_path_env() were introduced in OpenSSL 3.1. Prior to this ++release, store URIs were expressed via the environment variable returned by ++X509_get_default_cert_dir_env(); this environment variable could be used to ++specify either a list of directories or a store URI. This creates an ambiguity ++in which the environment variable returned by X509_get_default_cert_dir_env() is ++interpreted both as a list of directories and as a store URI. ++ ++This usage and the environment variable returned by ++X509_get_default_cert_dir_env() are now deprecated; to specify a store URI, use ++the environment variable returned by X509_get_default_cert_uri_env(), and to ++specify a list of directories, use the environment variable returned by ++X509_get_default_cert_path_env(). ++ ++=head1 RETURN VALUES ++ ++These functions return pointers to constant strings with static storage ++duration. ++ ++=head1 SEE ALSO ++ ++L, ++L, ++L, ++L, ++L, ++L, ++L, ++L ++ ++=head1 HISTORY ++ ++X509_get_default_cert_uri(), X509_get_default_cert_path_env() and ++X509_get_default_cert_uri_env() were introduced in OpenSSL 3.1. ++ ++=head1 COPYRIGHT ++ ++Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +--- a/include/internal/cryptlib.h ++++ b/include/internal/cryptlib.h +@@ -13,6 +13,8 @@ + + # include + # include ++# include "openssl/configuration.h" ++# include "internal/e_os.h" /* ossl_inline in many files */ + + # ifdef OPENSSL_USE_APPLINK + # define BIO_FLAGS_UPLINK_INTERNAL 0x8000 +@@ -77,6 +79,14 @@ DEFINE_LHASH_OF_EX(MEM); + # define CTLOG_FILE "OSSL$DATAROOT:[000000]ct_log_list.cnf" + # endif + ++#ifndef OPENSSL_NO_WINSTORE ++# define X509_CERT_URI "org.openssl.winstore://" ++#else ++# define X509_CERT_URI "" ++#endif ++ ++# define X509_CERT_URI_EVP "SSL_CERT_URI" ++# define X509_CERT_PATH_EVP "SSL_CERT_PATH" + # define X509_CERT_DIR_EVP "SSL_CERT_DIR" + # define X509_CERT_FILE_EVP "SSL_CERT_FILE" + # define CTLOG_FILE_EVP "CTLOG_FILE" +@@ -240,5 +250,4 @@ static ossl_inline int ossl_is_absolute_ + # endif + return path[0] == '/'; + } +- + #endif +--- a/include/internal/e_os.h ++++ b/include/internal/e_os.h +@@ -249,7 +249,7 @@ FILE *__iob_func(); + /***********************************************/ + + # if defined(OPENSSL_SYS_WINDOWS) +-# if (_MSC_VER >= 1310) && !defined(_WIN32_WCE) ++# if defined(_MSC_VER) && (_MSC_VER >= 1310) && !defined(_WIN32_WCE) + # define open _open + # define fdopen _fdopen + # define close _close +--- a/include/openssl/x509.h.in ++++ b/include/openssl/x509.h.in +@@ -491,8 +491,11 @@ ASN1_TIME *X509_time_adj_ex(ASN1_TIME *s + ASN1_TIME *X509_gmtime_adj(ASN1_TIME *s, long adj); + + const char *X509_get_default_cert_area(void); ++const char *X509_get_default_cert_uri(void); + const char *X509_get_default_cert_dir(void); + const char *X509_get_default_cert_file(void); ++const char *X509_get_default_cert_uri_env(void); ++const char *X509_get_default_cert_path_env(void); + const char *X509_get_default_cert_dir_env(void); + const char *X509_get_default_cert_file_env(void); + const char *X509_get_default_private_dir(void); +--- a/providers/implementations/include/prov/implementations.h ++++ b/providers/implementations/include/prov/implementations.h +@@ -517,3 +517,4 @@ extern const OSSL_DISPATCH ossl_SubjectP + extern const OSSL_DISPATCH ossl_pem_to_der_decoder_functions[]; + + extern const OSSL_DISPATCH ossl_file_store_functions[]; ++extern const OSSL_DISPATCH ossl_winstore_store_functions[]; +--- a/providers/implementations/storemgmt/build.info ++++ b/providers/implementations/storemgmt/build.info +@@ -4,3 +4,6 @@ + $STORE_GOAL=../../libdefault.a + + SOURCE[$STORE_GOAL]=file_store.c file_store_any2obj.c ++IF[{- !$disabled{winstore} -}] ++ SOURCE[$STORE_GOAL]=winstore_store.c ++ENDIF +--- /dev/null ++++ b/providers/implementations/storemgmt/winstore_store.c +@@ -0,0 +1,327 @@ ++/* ++ * Copyright 2022 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include ++#include /* The OSSL_STORE_INFO type numbers */ ++#include "internal/cryptlib.h" ++#include "internal/o_dir.h" ++#include "crypto/decoder.h" ++#include "crypto/ctype.h" /* ossl_isdigit() */ ++#include "prov/implementations.h" ++#include "prov/bio.h" ++#include "file_store_local.h" ++ ++#include ++ ++enum { ++ STATE_IDLE, ++ STATE_READ, ++ STATE_EOF, ++}; ++ ++struct winstore_ctx_st { ++ void *provctx; ++ char *propq; ++ unsigned char *subject; ++ size_t subject_len; ++ ++ HCERTSTORE win_store; ++ const CERT_CONTEXT *win_ctx; ++ int state; ++ ++ OSSL_DECODER_CTX *dctx; ++}; ++ ++static void winstore_win_reset(struct winstore_ctx_st *ctx) ++{ ++ if (ctx->win_ctx != NULL) { ++ CertFreeCertificateContext(ctx->win_ctx); ++ ctx->win_ctx = NULL; ++ } ++ ++ ctx->state = STATE_IDLE; ++} ++ ++static void winstore_win_advance(struct winstore_ctx_st *ctx) ++{ ++ CERT_NAME_BLOB name = {0}; ++ ++ if (ctx->state == STATE_EOF) ++ return; ++ ++ name.cbData = ctx->subject_len; ++ name.pbData = ctx->subject; ++ ++ ctx->win_ctx = (name.cbData == 0 ? NULL : ++ CertFindCertificateInStore(ctx->win_store, ++ X509_ASN_ENCODING | PKCS_7_ASN_ENCODING, ++ 0, CERT_FIND_SUBJECT_NAME, ++ &name, ctx->win_ctx)); ++ ++ ctx->state = (ctx->win_ctx == NULL) ? STATE_EOF : STATE_READ; ++} ++ ++static void *winstore_open(void *provctx, const char *uri) ++{ ++ struct winstore_ctx_st *ctx = NULL; ++ ++ if (!HAS_CASE_PREFIX(uri, "org.openssl.winstore:")) ++ return NULL; ++ ++ ctx = OPENSSL_zalloc(sizeof(*ctx)); ++ if (ctx == NULL) ++ return NULL; ++ ++ ctx->provctx = provctx; ++ ctx->win_store = CertOpenSystemStoreW(0, L"ROOT"); ++ if (ctx->win_store == NULL) { ++ OPENSSL_free(ctx); ++ return NULL; ++ } ++ ++ winstore_win_reset(ctx); ++ return ctx; ++} ++ ++static void *winstore_attach(void *provctx, OSSL_CORE_BIO *cin) ++{ ++ return NULL; /* not supported */ ++} ++ ++static const OSSL_PARAM *winstore_settable_ctx_params(void *loaderctx, const OSSL_PARAM params[]) ++{ ++ static const OSSL_PARAM known_settable_ctx_params[] = { ++ OSSL_PARAM_octet_string(OSSL_STORE_PARAM_SUBJECT, NULL, 0), ++ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES, NULL, 0), ++ OSSL_PARAM_END ++ }; ++ return known_settable_ctx_params; ++} ++ ++static int winstore_set_ctx_params(void *loaderctx, const OSSL_PARAM params[]) ++{ ++ struct winstore_ctx_st *ctx = loaderctx; ++ const OSSL_PARAM *p; ++ int do_reset = 0; ++ ++ if (params == NULL) ++ return 1; ++ ++ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_PROPERTIES); ++ if (p != NULL) { ++ do_reset = 1; ++ OPENSSL_free(ctx->propq); ++ ctx->propq = NULL; ++ if (!OSSL_PARAM_get_utf8_string(p, &ctx->propq, 0)) ++ return 0; ++ } ++ ++ p = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT); ++ if (p != NULL) { ++ const unsigned char *der = NULL; ++ size_t der_len = 0; ++ ++ if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len)) ++ return 0; ++ ++ do_reset = 1; ++ ++ OPENSSL_free(ctx->subject); ++ ++ ctx->subject = OPENSSL_malloc(der_len); ++ if (ctx->subject == NULL) { ++ ctx->subject_len = 0; ++ return 0; ++ } ++ ++ ctx->subject_len = der_len; ++ memcpy(ctx->subject, der, der_len); ++ } ++ ++ if (do_reset) { ++ winstore_win_reset(ctx); ++ winstore_win_advance(ctx); ++ } ++ ++ return 1; ++} ++ ++struct load_data_st { ++ OSSL_CALLBACK *object_cb; ++ void *object_cbarg; ++}; ++ ++static int load_construct(OSSL_DECODER_INSTANCE *decoder_inst, ++ const OSSL_PARAM *params, void *construct_data) ++{ ++ struct load_data_st *data = construct_data; ++ return data->object_cb(params, data->object_cbarg); ++} ++ ++static void load_cleanup(void *construct_data) ++{ ++ /* No-op. */ ++} ++ ++static int setup_decoder(struct winstore_ctx_st *ctx) ++{ ++ OSSL_LIB_CTX *libctx = ossl_prov_ctx_get0_libctx(ctx->provctx); ++ const OSSL_ALGORITHM *to_algo = NULL; ++ ++ if (ctx->dctx != NULL) ++ return 1; ++ ++ ctx->dctx = OSSL_DECODER_CTX_new(); ++ if (ctx->dctx == NULL) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); ++ return 0; ++ } ++ ++ if (!OSSL_DECODER_CTX_set_input_type(ctx->dctx, "DER")) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); ++ goto err; ++ } ++ ++ if (!OSSL_DECODER_CTX_set_input_structure(ctx->dctx, "Certificate")) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); ++ goto err; ++ } ++ ++ for (to_algo = ossl_any_to_obj_algorithm; ++ to_algo->algorithm_names != NULL; ++ to_algo++) { ++ OSSL_DECODER *to_obj = NULL; ++ OSSL_DECODER_INSTANCE *to_obj_inst = NULL; ++ ++ /* ++ * Create the internal last resort decoder implementation ++ * together with a "decoder instance". ++ * The decoder doesn't need any identification or to be ++ * attached to any provider, since it's only used locally. ++ */ ++ to_obj = ossl_decoder_from_algorithm(0, to_algo, NULL); ++ if (to_obj != NULL) ++ to_obj_inst = ossl_decoder_instance_new(to_obj, ctx->provctx); ++ ++ OSSL_DECODER_free(to_obj); ++ if (to_obj_inst == NULL) ++ goto err; ++ ++ if (!ossl_decoder_ctx_add_decoder_inst(ctx->dctx, ++ to_obj_inst)) { ++ ossl_decoder_instance_free(to_obj_inst); ++ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); ++ goto err; ++ } ++ } ++ ++ if (!OSSL_DECODER_CTX_add_extra(ctx->dctx, libctx, ctx->propq)) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); ++ goto err; ++ } ++ ++ if (!OSSL_DECODER_CTX_set_construct(ctx->dctx, load_construct)) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); ++ goto err; ++ } ++ ++ if (!OSSL_DECODER_CTX_set_cleanup(ctx->dctx, load_cleanup)) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_OSSL_DECODER_LIB); ++ goto err; ++ } ++ ++ return 1; ++ ++err: ++ OSSL_DECODER_CTX_free(ctx->dctx); ++ ctx->dctx = NULL; ++ return 0; ++} ++ ++static int winstore_load_using(struct winstore_ctx_st *ctx, ++ OSSL_CALLBACK *object_cb, void *object_cbarg, ++ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg, ++ const void *der, size_t der_len) ++{ ++ struct load_data_st data; ++ const unsigned char *der_ = der; ++ size_t der_len_ = der_len; ++ ++ if (setup_decoder(ctx) == 0) ++ return 0; ++ ++ data.object_cb = object_cb; ++ data.object_cbarg = object_cbarg; ++ ++ OSSL_DECODER_CTX_set_construct_data(ctx->dctx, &data); ++ OSSL_DECODER_CTX_set_passphrase_cb(ctx->dctx, pw_cb, pw_cbarg); ++ ++ if (OSSL_DECODER_from_data(ctx->dctx, &der_, &der_len_) == 0) ++ return 0; ++ ++ return 1; ++} ++ ++static int winstore_load(void *loaderctx, ++ OSSL_CALLBACK *object_cb, void *object_cbarg, ++ OSSL_PASSPHRASE_CALLBACK *pw_cb, void *pw_cbarg) ++{ ++ int ret = 0; ++ struct winstore_ctx_st *ctx = loaderctx; ++ ++ if (ctx->state != STATE_READ) ++ return 0; ++ ++ ret = winstore_load_using(ctx, object_cb, object_cbarg, pw_cb, pw_cbarg, ++ ctx->win_ctx->pbCertEncoded, ++ ctx->win_ctx->cbCertEncoded); ++ ++ if (ret == 1) ++ winstore_win_advance(ctx); ++ ++ return ret; ++} ++ ++static int winstore_eof(void *loaderctx) ++{ ++ struct winstore_ctx_st *ctx = loaderctx; ++ ++ return ctx->state != STATE_READ; ++} ++ ++static int winstore_close(void *loaderctx) ++{ ++ struct winstore_ctx_st *ctx = loaderctx; ++ ++ winstore_win_reset(ctx); ++ CertCloseStore(ctx->win_store, 0); ++ OSSL_DECODER_CTX_free(ctx->dctx); ++ OPENSSL_free(ctx->propq); ++ OPENSSL_free(ctx->subject); ++ OPENSSL_free(ctx); ++ return 1; ++} ++ ++const OSSL_DISPATCH ossl_winstore_store_functions[] = { ++ { OSSL_FUNC_STORE_OPEN, (void (*)(void))winstore_open }, ++ { OSSL_FUNC_STORE_ATTACH, (void (*)(void))winstore_attach }, ++ { OSSL_FUNC_STORE_SETTABLE_CTX_PARAMS, (void (*)(void))winstore_settable_ctx_params }, ++ { OSSL_FUNC_STORE_SET_CTX_PARAMS, (void (*)(void))winstore_set_ctx_params }, ++ { OSSL_FUNC_STORE_LOAD, (void (*)(void))winstore_load }, ++ { OSSL_FUNC_STORE_EOF, (void (*)(void))winstore_eof }, ++ { OSSL_FUNC_STORE_CLOSE, (void (*)(void))winstore_close }, ++ { 0, NULL }, ++}; +--- a/providers/stores.inc ++++ b/providers/stores.inc +@@ -12,3 +12,6 @@ + #endif + + STORE("file", "yes", ossl_file_store_functions) ++#ifndef OPENSSL_NO_WINSTORE ++STORE("org.openssl.winstore", "yes", ossl_winstore_store_functions) ++#endif +--- a/util/libcrypto.num ++++ b/util/libcrypto.num +@@ -5435,4 +5435,7 @@ EVP_MD_CTX_dup + EVP_CIPHER_CTX_dup 5563 3_1_0 EXIST::FUNCTION: + BN_are_coprime 5564 3_1_0 EXIST::FUNCTION: + OSSL_CMP_MSG_update_recipNonce 5565 3_0_9 EXIST::FUNCTION:CMP ++X509_get_default_cert_uri ? 3_1_0 EXIST::FUNCTION: ++X509_get_default_cert_uri_env ? 3_1_0 EXIST::FUNCTION: ++X509_get_default_cert_path_env ? 3_1_0 EXIST::FUNCTION: + ossl_safe_getenv ? 3_0_0 EXIST::FUNCTION: +--- a/util/missingcrypto.txt ++++ b/util/missingcrypto.txt +@@ -1273,10 +1273,6 @@ X509_get0_trust_objects(3) + X509_get1_email(3) + X509_get1_ocsp(3) + X509_get_default_cert_area(3) +-X509_get_default_cert_dir(3) +-X509_get_default_cert_dir_env(3) +-X509_get_default_cert_file(3) +-X509_get_default_cert_file_env(3) + X509_get_default_private_dir(3) + X509_get_pubkey_parameters(3) + X509_get_signature_type(3) diff --git a/openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch b/openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch new file mode 100644 index 0000000..7779fba --- /dev/null +++ b/openssl-Allow-SHA1-in-seclevel-2-if-rh-allow-sha1-signatures.patch @@ -0,0 +1,217 @@ +From f470b130139919f32926b3f5a75ba4d161cbcf88 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Tue, 1 Mar 2022 15:44:18 +0100 +Subject: Allow SHA1 in seclevel 1 if rh-allow-sha1-signatures = yes + +NOTE: This patch is ported from CentOS 9 / RHEL 9, where it allows SHA1 +in seclevel 2 if rh-allow-sha1-signatures = yes. This was chosen because +on CentOS 9 and RHEL 9, the LEGACY crypto policy sets the security level +to 2. + +On Fedora 35 (with OpenSSL 1.1) the legacy crypto policy uses security +level 1. Because Fedora 36 supports both OpenSSL 1.1 and OpenSSL 3, and +we want the legacy crypto policy to allow SHA-1 in TLS, the only option +to make this happen consistently in both OpenSSL 1.1 and OpenSSL 3 is +SECLEVEL=1 (which will allow SHA-1 in OpenSSL 1.1) and this change to +allow SHA-1 in SECLEVEL=1 with rh-allow-sha1-signatures = yes (which +will allow SHA-1 in OpenSSL 3). + +The change from CentOS 9 / RHEL 9 cannot be applied unmodified, because +rh-allow-sha1-signatures will default to yes in Fedora (according to our +current plans including until F38), and the security level in the +DEFAULT crypto policy is 2, i.e., the unmodified change would weaken the +default configuration. + +Related: rhbz#2055796 +Related: rhbz#2070977 +--- + crypto/x509/x509_vfy.c | 20 ++++++++++- + doc/man5/config.pod | 7 ++++ + ssl/t1_lib.c | 67 ++++++++++++++++++++++++++++------- + test/recipes/25-test_verify.t | 4 +-- + 4 files changed, 82 insertions(+), 16 deletions(-) + +Index: openssl-3.1.4/crypto/x509/x509_vfy.c +=================================================================== +--- openssl-3.1.4.orig/crypto/x509/x509_vfy.c ++++ openssl-3.1.4/crypto/x509/x509_vfy.c +@@ -25,6 +25,7 @@ + #include + #include + #include "internal/dane.h" ++#include "internal/sslconf.h" + #include "crypto/x509.h" + #include "x509_local.h" + +@@ -3438,14 +3439,31 @@ static int check_sig_level(X509_STORE_CT + { + int secbits = -1; + int level = ctx->param->auth_level; ++ int nid; ++ OSSL_LIB_CTX *libctx = NULL; + + if (level <= 0) + return 1; + if (level > NUM_AUTH_LEVELS) + level = NUM_AUTH_LEVELS; + +- if (!X509_get_signature_info(cert, NULL, NULL, &secbits, NULL)) ++ if (ctx->libctx) ++ libctx = ctx->libctx; ++ else if (cert->libctx) ++ libctx = cert->libctx; ++ else ++ libctx = OSSL_LIB_CTX_get0_global_default(); ++ ++ if (!X509_get_signature_info(cert, &nid, NULL, &secbits, NULL)) + return 0; + ++ if ((nid == NID_sha1 || nid == NID_md5_sha1) ++ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) ++ && ctx->param->auth_level < 2) ++ /* When rh-allow-sha1-signatures = yes and security level <= 1, ++ * explicitly allow SHA1 for backwards compatibility. Also allow ++ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ ++ return 1; ++ + return secbits >= minbits_table[level - 1]; + } +Index: openssl-3.1.4/doc/man5/config.pod +=================================================================== +--- openssl-3.1.4.orig/doc/man5/config.pod ++++ openssl-3.1.4/doc/man5/config.pod +@@ -317,6 +317,13 @@ this option is set to B. Because TL + pseudorandom function (PRF) to derive key material, disabling + B requires the use of TLS 1.2 or newer. + ++Note that enabling B will allow TLS signature ++algorithms that use SHA1 in security level 1, despite the definition of ++security level 1 of 80 bits of security, which SHA1 and MD5-SHA1 do not meet. ++This allows using SHA1 and MD5-SHA1 in TLS in the LEGACY crypto-policy on ++Fedora without requiring to set the security level to 0, which would include ++further insecure algorithms, and thus restores support for TLS 1.0 and 1.1. ++ + This is a downstream specific option, and normally it should be set up via crypto-policies. + + =item B (deprecated) +Index: openssl-3.1.4/ssl/t1_lib.c +=================================================================== +--- openssl-3.1.4.orig/ssl/t1_lib.c ++++ openssl-3.1.4/ssl/t1_lib.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include "crypto/x509.h" + #include "internal/sslconf.h" + #include "internal/nelem.h" + #include "internal/sizes.h" +@@ -1588,19 +1589,28 @@ int tls12_check_peer_sigalg(SSL *s, uint + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_UNKNOWN_DIGEST); + return 0; + } +- /* +- * Make sure security callback allows algorithm. For historical +- * reasons we have to pass the sigalg as a two byte char array. +- */ +- sigalgstr[0] = (sig >> 8) & 0xff; +- sigalgstr[1] = sig & 0xff; +- secbits = sigalg_security_bits(s->ctx, lu); +- if (secbits == 0 || +- !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, +- md != NULL ? EVP_MD_get_type(md) : NID_undef, +- (void *)sigalgstr)) { +- SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); +- return 0; ++ ++ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) ++ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) ++ && SSL_get_security_level(s) < 2) { ++ /* When rh-allow-sha1-signatures = yes and security level <= 1, ++ * explicitly allow SHA1 for backwards compatibility. Also allow ++ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ ++ } else { ++ /* ++ * Make sure security callback allows algorithm. For historical ++ * reasons we have to pass the sigalg as a two byte char array. ++ */ ++ sigalgstr[0] = (sig >> 8) & 0xff; ++ sigalgstr[1] = sig & 0xff; ++ secbits = sigalg_security_bits(s->ctx, lu); ++ if (secbits == 0 || ++ !ssl_security(s, SSL_SECOP_SIGALG_CHECK, secbits, ++ md != NULL ? EVP_MD_get_type(md) : NID_undef, ++ (void *)sigalgstr)) { ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_WRONG_SIGNATURE_TYPE); ++ return 0; ++ } + } + /* Store the sigalg the peer uses */ + s->s3.tmp.peer_sigalg = lu; +@@ -2138,6 +2148,15 @@ static int tls12_sigalg_allowed(const SS + } + } + ++ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) ++ && ossl_ctx_legacy_digest_signatures_allowed(s->ctx->libctx, 0) ++ && SSL_get_security_level(s) < 2) { ++ /* When rh-allow-sha1-signatures = yes and security level <= 1, ++ * explicitly allow SHA1 for backwards compatibility. Also allow ++ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ ++ return 1; ++ } ++ + /* Finally see if security callback allows it */ + secbits = sigalg_security_bits(s->ctx, lu); + sigalgstr[0] = (lu->sigalg >> 8) & 0xff; +@@ -3007,6 +3026,8 @@ static int ssl_security_cert_sig(SSL *s, + { + /* Lookup signature algorithm digest */ + int secbits, nid, pknid; ++ OSSL_LIB_CTX *libctx = NULL; ++ + /* Don't check signature if self signed */ + if ((X509_get_extension_flags(x) & EXFLAG_SS) != 0) + return 1; +@@ -3015,6 +3036,26 @@ static int ssl_security_cert_sig(SSL *s, + /* If digest NID not defined use signature NID */ + if (nid == NID_undef) + nid = pknid; ++ ++ if (x && x->libctx) ++ libctx = x->libctx; ++ else if (ctx && ctx->libctx) ++ libctx = ctx->libctx; ++ else if (s && s->ctx && s->ctx->libctx) ++ libctx = s->ctx->libctx; ++ else ++ libctx = OSSL_LIB_CTX_get0_global_default(); ++ ++ if ((nid == NID_sha1 || nid == NID_md5_sha1) ++ && ossl_ctx_legacy_digest_signatures_allowed(libctx, 0) ++ && ((s != NULL && SSL_get_security_level(s) < 2) ++ || (ctx != NULL && SSL_CTX_get_security_level(ctx) < 2) ++ )) ++ /* When rh-allow-sha1-signatures = yes and security level <= 1, ++ * explicitly allow SHA1 for backwards compatibility. Also allow ++ * MD5-SHA1 because TLS 1.0 is still supported, which uses it. */ ++ return 1; ++ + if (s) + return ssl_security(s, op, secbits, nid, x); + else +Index: openssl-3.1.4/test/recipes/25-test_verify.t +=================================================================== +--- openssl-3.1.4.orig/test/recipes/25-test_verify.t ++++ openssl-3.1.4/test/recipes/25-test_verify.t +@@ -439,8 +439,8 @@ ok(verify("ee-pss-sha1-cert", "", ["root + ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], ), + "CA with PSS signature using SHA256"); + +-ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "1"), +- "Reject PSS signature using SHA1 and auth level 1"); ++ok(!verify("ee-pss-sha1-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), ++ "Reject PSS signature using SHA1 and auth level 2"); + + ok(verify("ee-pss-sha256-cert", "", ["root-cert"], ["ca-cert"], "-auth_level", "2"), + "PSS signature using SHA256 and auth level 2"); diff --git a/openssl-Allow-disabling-of-SHA1-signatures.patch b/openssl-Allow-disabling-of-SHA1-signatures.patch new file mode 100644 index 0000000..b6e93f8 --- /dev/null +++ b/openssl-Allow-disabling-of-SHA1-signatures.patch @@ -0,0 +1,521 @@ +From 2e8388e06eafb703aeb315498915bf079561bdb5 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 13:07:07 +0200 +Subject: 0049-Allow-disabling-of-SHA1-signatures.patch + +Patch-name: 0049-Allow-disabling-of-SHA1-signatures.patch +Patch-id: 49 +Patch-status: | + # Selectively disallow SHA1 signatures rhbz#2070977 +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + crypto/context.c | 14 ++++ + crypto/evp/evp_cnf.c | 13 +++ + crypto/evp/m_sigver.c | 79 +++++++++++++++++++ + crypto/evp/pmeth_lib.c | 15 ++++ + doc/man5/config.pod | 13 +++ + include/crypto/context.h | 3 + + include/internal/cryptlib.h | 3 +- + include/internal/sslconf.h | 4 + + providers/common/securitycheck.c | 20 +++++ + providers/common/securitycheck_default.c | 9 ++- + providers/implementations/signature/dsa_sig.c | 11 ++- + .../implementations/signature/ecdsa_sig.c | 4 + + providers/implementations/signature/rsa_sig.c | 20 ++++- + ssl/t1_lib.c | 8 ++ + util/libcrypto.num | 2 + + 15 files changed, 209 insertions(+), 9 deletions(-) + +Index: openssl-3.2.3/crypto/context.c +=================================================================== +--- openssl-3.2.3.orig/crypto/context.c ++++ openssl-3.2.3/crypto/context.c +@@ -82,6 +82,8 @@ struct ossl_lib_ctx_st { + void *fips_prov; + #endif + ++ void *legacy_digest_signatures; ++ + unsigned int ischild:1; + }; + +@@ -222,6 +224,10 @@ static int context_init(OSSL_LIB_CTX *ct + goto err; + #endif + ++ ctx->legacy_digest_signatures = ossl_ctx_legacy_digest_signatures_new(ctx); ++ if (ctx->legacy_digest_signatures == NULL) ++ goto err; ++ + /* Low priority. */ + #ifndef FIPS_MODULE + ctx->child_provider = ossl_child_prov_ctx_new(ctx); +@@ -365,6 +371,11 @@ static void context_deinit_objs(OSSL_LIB + } + #endif + ++ if (ctx->legacy_digest_signatures != NULL) { ++ ossl_ctx_legacy_digest_signatures_free(ctx->legacy_digest_signatures); ++ ctx->legacy_digest_signatures = NULL; ++ } ++ + /* Low priority. */ + #ifndef FIPS_MODULE + if (ctx->child_provider != NULL) { +@@ -662,6 +673,9 @@ void *ossl_lib_ctx_get_data(OSSL_LIB_CTX + return ctx->fips_prov; + #endif + ++ case OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX: ++ return ctx->legacy_digest_signatures; ++ + default: + return NULL; + } +Index: openssl-3.2.3/crypto/evp/evp_cnf.c +=================================================================== +--- openssl-3.2.3.orig/crypto/evp/evp_cnf.c ++++ openssl-3.2.3/crypto/evp/evp_cnf.c +@@ -10,6 +10,7 @@ + #include + #include + #include "internal/cryptlib.h" ++#include "internal/sslconf.h" + #include + #include + #include +@@ -57,6 +58,18 @@ static int alg_module_init(CONF_IMODULE + ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); + return 0; + } ++ } else if (strcmp(oval->name, "rh-allow-sha1-signatures") == 0) { ++ int m; ++ ++ /* Detailed error already reported. */ ++ if (!X509V3_get_value_bool(oval, &m)) ++ return 0; ++ ++ if (!ossl_ctx_legacy_digest_signatures_allowed_set( ++ NCONF_get0_libctx((CONF *)cnf), m > 0, 0)) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_SET_DEFAULT_PROPERTY_FAILURE); ++ return 0; ++ } + } else { + ERR_raise_data(ERR_LIB_EVP, EVP_R_UNKNOWN_OPTION, + "name=%s, value=%s", oval->name, oval->value); +Index: openssl-3.2.3/crypto/evp/m_sigver.c +=================================================================== +--- openssl-3.2.3.orig/crypto/evp/m_sigver.c ++++ openssl-3.2.3/crypto/evp/m_sigver.c +@@ -15,6 +15,69 @@ + #include "internal/provider.h" + #include "internal/numbers.h" /* includes SIZE_MAX */ + #include "evp_local.h" ++#include "crypto/context.h" ++ ++typedef struct ossl_legacy_digest_signatures_st { ++ int allowed; ++} OSSL_LEGACY_DIGEST_SIGNATURES; ++ ++void ossl_ctx_legacy_digest_signatures_free(void *vldsigs) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs = vldsigs; ++ ++ if (ldsigs != NULL) { ++ OPENSSL_free(ldsigs); ++ } ++} ++ ++void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *ctx) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES* ldsigs = OPENSSL_zalloc(sizeof(OSSL_LEGACY_DIGEST_SIGNATURES)); ++ /* Default to allow SHA-1 and support disabling it via config. */ ++ ldsigs->allowed = 1; ++ return ldsigs; ++} ++ ++static OSSL_LEGACY_DIGEST_SIGNATURES *ossl_ctx_legacy_digest_signatures( ++ OSSL_LIB_CTX *libctx, int loadconfig) ++{ ++#ifndef FIPS_MODULE ++ if (loadconfig && !OPENSSL_init_crypto(OPENSSL_INIT_LOAD_CONFIG, NULL)) ++ return NULL; ++#endif ++ ++ return ossl_lib_ctx_get_data(libctx, OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX); ++} ++ ++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs ++ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); ++ ++#ifndef FIPS_MODULE ++ if (ossl_safe_getenv("OPENSSL_ENABLE_SHA1_SIGNATURES") != NULL) ++ /* This is to be used in tests if SHA-1 is disabled. */ ++ return 1; ++#endif ++ ++ /* Default to allow SHA-1 and support disabling it via config. */ ++ return ldsigs != NULL ? ldsigs->allowed : 1; ++} ++ ++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, ++ int loadconfig) ++{ ++ OSSL_LEGACY_DIGEST_SIGNATURES *ldsigs ++ = ossl_ctx_legacy_digest_signatures(libctx, loadconfig); ++ ++ if (ldsigs == NULL) { ++ ERR_raise(ERR_LIB_EVP, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ ++ ldsigs->allowed = allow; ++ return 1; ++} + + #ifndef FIPS_MODULE + +@@ -253,6 +316,18 @@ static int do_sigver_init(EVP_MD_CTX *ct + } + } + ++ if (ctx->reqdigest != NULL ++ && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) ++ && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) ++ && !EVP_PKEY_is_a(locpctx->pkey, SN_hkdf)) { ++ int mdnid = EVP_MD_nid(ctx->reqdigest); ++ if (!ossl_ctx_legacy_digest_signatures_allowed(locpctx->libctx, 0) ++ && (mdnid == NID_sha1 || mdnid == NID_md5_sha1)) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST); ++ goto err; ++ } ++ } ++ + if (ver) { + if (signature->digest_verify_init == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +Index: openssl-3.2.3/crypto/evp/pmeth_lib.c +=================================================================== +--- openssl-3.2.3.orig/crypto/evp/pmeth_lib.c ++++ openssl-3.2.3/crypto/evp/pmeth_lib.c +@@ -33,6 +33,7 @@ + #include "internal/ffc.h" + #include "internal/numbers.h" + #include "internal/provider.h" ++#include "internal/sslconf.h" + #include "evp_local.h" + + #ifndef FIPS_MODULE +@@ -951,6 +952,20 @@ static int evp_pkey_ctx_set_md(EVP_PKEY_ + return -2; + } + ++ if (EVP_PKEY_CTX_IS_SIGNATURE_OP(ctx) ++ && md != NULL ++ && ctx->pkey != NULL ++ && !EVP_PKEY_is_a(ctx->pkey, SN_hmac) ++ && !EVP_PKEY_is_a(ctx->pkey, SN_tls1_prf) ++ && !EVP_PKEY_is_a(ctx->pkey, SN_hkdf)) { ++ int mdnid = EVP_MD_nid(md); ++ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1) ++ && !ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0)) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_DIGEST); ++ return -1; ++ } ++ } ++ + if (fallback) + return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, 0, (void *)(md)); + +Index: openssl-3.2.3/doc/man5/config.pod +=================================================================== +--- openssl-3.2.3.orig/doc/man5/config.pod ++++ openssl-3.2.3/doc/man5/config.pod +@@ -304,6 +304,21 @@ Within the algorithm properties section, + The value may be anything that is acceptable as a property query + string for EVP_set_default_properties(). + ++=item B ++ ++The value is a boolean that can be B or B. If the value is not set, ++it behaves as if it was set to B. ++ ++When set to B, any attempt to create or verify a signature with a SHA1 ++digest will fail. To test whether your software will work with future versions ++of OpenSSL, set this option to B. This setting also affects TLS, where ++signature algorithms that use SHA1 as digest will no longer be supported if ++this option is set to B. Because TLS 1.1 or lower use MD5-SHA1 as ++pseudorandom function (PRF) to derive key material, disabling ++B requires the use of TLS 1.2 or newer. ++ ++This is a downstream specific option, and normally it should be set up via crypto-policies. ++ + =item B (deprecated) + + The value is a boolean that can be B or B. If the value is +Index: openssl-3.2.3/include/crypto/context.h +=================================================================== +--- openssl-3.2.3.orig/include/crypto/context.h ++++ openssl-3.2.3/include/crypto/context.h +@@ -46,3 +46,6 @@ void ossl_release_default_drbg_ctx(void) + #if defined(OPENSSL_THREADS) + void ossl_threads_ctx_free(void *); + #endif ++ ++void *ossl_ctx_legacy_digest_signatures_new(OSSL_LIB_CTX *); ++void ossl_ctx_legacy_digest_signatures_free(void *); +Index: openssl-3.2.3/include/internal/cryptlib.h +=================================================================== +--- openssl-3.2.3.orig/include/internal/cryptlib.h ++++ openssl-3.2.3/include/internal/cryptlib.h +@@ -117,7 +117,8 @@ typedef struct ossl_ex_data_global_st { + # define OSSL_LIB_CTX_CHILD_PROVIDER_INDEX 18 + # define OSSL_LIB_CTX_THREAD_INDEX 19 + # define OSSL_LIB_CTX_DECODER_CACHE_INDEX 20 +-# define OSSL_LIB_CTX_MAX_INDEXES 20 ++# define OSSL_LIB_CTX_LEGACY_DIGEST_SIGNATURES_INDEX 21 ++# define OSSL_LIB_CTX_MAX_INDEXES 21 + + OSSL_LIB_CTX *ossl_lib_ctx_get_concrete(OSSL_LIB_CTX *ctx); + int ossl_lib_ctx_is_default(OSSL_LIB_CTX *ctx); +Index: openssl-3.2.3/include/internal/sslconf.h +=================================================================== +--- openssl-3.2.3.orig/include/internal/sslconf.h ++++ openssl-3.2.3/include/internal/sslconf.h +@@ -18,4 +18,8 @@ int conf_ssl_name_find(const char *name, + void conf_ssl_get_cmd(const SSL_CONF_CMD *cmd, size_t idx, char **cmdstr, + char **arg); + ++/* Methods to support disabling all signatures with legacy digests */ ++int ossl_ctx_legacy_digest_signatures_allowed(OSSL_LIB_CTX *libctx, int loadconfig); ++int ossl_ctx_legacy_digest_signatures_allowed_set(OSSL_LIB_CTX *libctx, int allow, ++ int loadconfig); + #endif +Index: openssl-3.2.3/providers/common/securitycheck.c +=================================================================== +--- openssl-3.2.3.orig/providers/common/securitycheck.c ++++ openssl-3.2.3/providers/common/securitycheck.c +@@ -19,6 +19,7 @@ + #include + #include + #include "prov/securitycheck.h" ++#include "internal/sslconf.h" + + /* + * FIPS requires a minimum security strength of 112 bits (for encryption or +@@ -243,6 +244,14 @@ int ossl_digest_get_approved_nid_with_sh + mdnid = -1; /* disallowed by security checks */ + } + # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ ++ ++#ifndef FIPS_MODULE ++ if (!ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) ++ /* SHA1 is globally enabled by default, check whether we want to locally disable it. */ ++ if (mdnid == NID_sha1 && !sha1_allowed) ++ mdnid = -1; ++#endif ++ + return mdnid; + } + +@@ -252,5 +261,15 @@ int ossl_digest_is_allowed(OSSL_LIB_CTX + if (ossl_securitycheck_enabled(ctx)) + return ossl_digest_get_approved_nid(md) != NID_undef; + # endif /* OPENSSL_NO_FIPS_SECURITYCHECKS */ ++ ++#ifndef FIPS_MODULE ++ { ++ int mdnid = EVP_MD_nid(md); ++ if ((mdnid == NID_sha1 || mdnid == NID_md5_sha1) ++ && !ossl_ctx_legacy_digest_signatures_allowed(ctx, 0)) ++ return 0; ++ } ++#endif ++ + return 1; + } +Index: openssl-3.2.3/providers/common/securitycheck_default.c +=================================================================== +--- openssl-3.2.3.orig/providers/common/securitycheck_default.c ++++ openssl-3.2.3/providers/common/securitycheck_default.c +@@ -15,6 +15,7 @@ + #include + #include "prov/securitycheck.h" + #include "internal/nelem.h" ++#include "internal/sslconf.h" + + /* Disable the security checks in the default provider */ + int ossl_securitycheck_enabled(OSSL_LIB_CTX *libctx) +@@ -29,9 +30,10 @@ int ossl_tls1_prf_ems_check_enabled(OSSL + } + + int ossl_digest_rsa_sign_get_md_nid(OSSL_LIB_CTX *ctx, const EVP_MD *md, +- ossl_unused int sha1_allowed) ++ int sha1_allowed) + { + int mdnid; ++ int ldsigs_allowed; + + static const OSSL_ITEM name_to_nid[] = { + { NID_md5, OSSL_DIGEST_NAME_MD5 }, +@@ -42,8 +44,11 @@ int ossl_digest_rsa_sign_get_md_nid(OSSL + { NID_ripemd160, OSSL_DIGEST_NAME_RIPEMD160 }, + }; + +- mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, 1); ++ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx, 0); ++ mdnid = ossl_digest_get_approved_nid_with_sha1(ctx, md, sha1_allowed || ldsigs_allowed); + if (mdnid == NID_undef) + mdnid = ossl_digest_md_to_nid(md, name_to_nid, OSSL_NELEM(name_to_nid)); ++ if (mdnid == NID_md5_sha1 && !ldsigs_allowed) ++ mdnid = -1; + return mdnid; + } +Index: openssl-3.2.3/providers/implementations/signature/dsa_sig.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/signature/dsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/dsa_sig.c +@@ -125,12 +125,17 @@ static int dsa_setup_md(PROV_DSA_CTX *ct + mdprops = ctx->propq; + + if (mdname != NULL) { +- int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); + WPACKET pkt; + EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); +- int md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, +- sha1_allowed); ++ int md_nid; + size_t mdname_len = strlen(mdname); ++#ifdef FIPS_MODULE ++ int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); ++#else ++ int sha1_allowed = 0; ++#endif ++ md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, ++ sha1_allowed); + + if (md == NULL || md_nid < 0) { + if (md == NULL) +Index: openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/signature/ecdsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/ecdsa_sig.c +@@ -247,7 +247,11 @@ static int ecdsa_setup_md(PROV_ECDSA_CTX + "%s could not be fetched", mdname); + return 0; + } ++#ifdef FIPS_MODULE + sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); ++#else ++ sha1_allowed = 0; ++#endif + md_nid = ossl_digest_get_approved_nid_with_sha1(ctx->libctx, md, + sha1_allowed); + if (md_nid < 0) { +Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c +@@ -25,6 +25,7 @@ + #include "internal/cryptlib.h" + #include "internal/nelem.h" + #include "internal/sizes.h" ++#include "internal/sslconf.h" + #include "crypto/rsa.h" + #include "prov/providercommon.h" + #include "prov/implementations.h" +@@ -33,6 +34,7 @@ + #include "prov/securitycheck.h" + + #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 ++#define RSA_DEFAULT_DIGEST_NAME_NONLEGACY OSSL_DIGEST_NAME_SHA2_256 + + OSSL_FUNC_signature_newctx_fn rsa_newctx; + static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; +@@ -317,10 +319,15 @@ static int rsa_setup_md(PROV_RSA_CTX *ct + + if (mdname != NULL) { + EVP_MD *md = EVP_MD_fetch(ctx->libctx, mdname, mdprops); ++ int md_nid; ++ size_t mdname_len = strlen(mdname); ++#ifdef FIPS_MODULE + int sha1_allowed = (ctx->operation != EVP_PKEY_OP_SIGN); +- int md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, ++#else ++ int sha1_allowed = 0; ++#endif ++ md_nid = ossl_digest_rsa_sign_get_md_nid(ctx->libctx, md, + sha1_allowed); +- size_t mdname_len = strlen(mdname); + + if (md == NULL + || md_nid <= 0 +@@ -1408,8 +1415,15 @@ static int rsa_set_ctx_params(void *vprs + prsactx->pad_mode = pad_mode; + + if (prsactx->md == NULL && pmdname == NULL +- && pad_mode == RSA_PKCS1_PSS_PADDING) ++ && pad_mode == RSA_PKCS1_PSS_PADDING) { + pmdname = RSA_DEFAULT_DIGEST_NAME; ++#ifndef FIPS_MODULE ++ if (!ossl_ctx_legacy_digest_signatures_allowed(prsactx->libctx, 0)) { ++ pmdname = RSA_DEFAULT_DIGEST_NAME_NONLEGACY; ++ } ++#endif ++ } ++ + + if (pmgf1mdname != NULL + && !rsa_setup_mgf1_md(prsactx, pmgf1mdname, pmgf1mdprops)) +Index: openssl-3.2.3/ssl/t1_lib.c +=================================================================== +--- openssl-3.2.3.orig/ssl/t1_lib.c ++++ openssl-3.2.3/ssl/t1_lib.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include "internal/sslconf.h" + #include "internal/nelem.h" + #include "internal/sizes.h" + #include "internal/tlsgroups.h" +@@ -1508,6 +1509,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) + uint16_t *tls12_sigalgs_list = NULL; + EVP_PKEY *tmpkey = EVP_PKEY_new(); + int ret = 0; ++ int ldsigs_allowed; + + if (ctx == NULL) + goto err; +@@ -1523,6 +1525,7 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) + goto err; + + ERR_set_mark(); ++ ldsigs_allowed = ossl_ctx_legacy_digest_signatures_allowed(ctx->libctx, 0); + /* First fill cache and tls12_sigalgs list from legacy algorithm list */ + for (i = 0, lu = sigalg_lookup_tbl; + i < OSSL_NELEM(sigalg_lookup_tbl); lu++, i++) { +@@ -1544,6 +1547,11 @@ int ssl_setup_sigalgs(SSL_CTX *ctx) + cache[i].enabled = 0; + continue; + } ++ if ((lu->hash == NID_sha1 || lu->hash == NID_md5_sha1) ++ && !ldsigs_allowed) { ++ cache[i].enabled = 0; ++ continue; ++ } + + if (!EVP_PKEY_set_type(tmpkey, lu->sig)) { + cache[i].enabled = 0; +Index: openssl-3.2.3/util/libcrypto.num +=================================================================== +--- openssl-3.2.3.orig/util/libcrypto.num ++++ openssl-3.2.3/util/libcrypto.num +@@ -5537,3 +5537,5 @@ X509_STORE_CTX_set_current_reasons + OSSL_STORE_delete 5665 3_2_0 EXIST::FUNCTION: + BIO_ADDR_copy 5666 3_2_0 EXIST::FUNCTION:SOCK + ossl_safe_getenv ? 3_2_0 EXIST::FUNCTION: ++ossl_ctx_legacy_digest_signatures_allowed ? 3_0_1 EXIST::FUNCTION: ++ossl_ctx_legacy_digest_signatures_allowed_set ? 3_0_1 EXIST::FUNCTION: diff --git a/openssl-CVE-2023-50782.patch b/openssl-CVE-2023-50782.patch new file mode 100644 index 0000000..0556d9a --- /dev/null +++ b/openssl-CVE-2023-50782.patch @@ -0,0 +1,1354 @@ +Index: openssl-3.1.7/crypto/cms/cms_env.c +=================================================================== +--- openssl-3.1.7.orig/crypto/cms/cms_env.c ++++ openssl-3.1.7/crypto/cms/cms_env.c +@@ -590,6 +590,13 @@ static int cms_RecipientInfo_ktri_decryp + if (!ossl_cms_env_asn1_ctrl(ri, 1)) + goto err; + ++ if (EVP_PKEY_is_a(pkey, "RSA")) ++ /* upper layer CMS code incorrectly assumes that a successful RSA ++ * decryption means that the key matches ciphertext (which never ++ * was the case, implicit rejection or not), so to make it work ++ * disable implicit rejection for RSA keys */ ++ EVP_PKEY_CTX_ctrl_str(ktri->pctx, "rsa_pkcs1_implicit_rejection", "0"); ++ + if (EVP_PKEY_decrypt(ktri->pctx, NULL, &eklen, + ktri->encryptedKey->data, + ktri->encryptedKey->length) <= 0) +Index: openssl-3.1.7/crypto/evp/ctrl_params_translate.c +=================================================================== +--- openssl-3.1.7.orig/crypto/evp/ctrl_params_translate.c ++++ openssl-3.1.7/crypto/evp/ctrl_params_translate.c +@@ -2265,6 +2265,12 @@ static const struct translation_st evp_p + EVP_PKEY_CTRL_GET_RSA_OAEP_LABEL, NULL, NULL, + OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, OSSL_PARAM_OCTET_PTR, NULL }, + ++ { SET, EVP_PKEY_RSA, 0, EVP_PKEY_OP_TYPE_CRYPT, ++ EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION, NULL, ++ "rsa_pkcs1_implicit_rejection", ++ OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, OSSL_PARAM_UNSIGNED_INTEGER, ++ NULL }, ++ + { SET, EVP_PKEY_RSA_PSS, 0, EVP_PKEY_OP_TYPE_GEN, + EVP_PKEY_CTRL_MD, "rsa_pss_keygen_md", NULL, + OSSL_ALG_PARAM_DIGEST, OSSL_PARAM_UTF8_STRING, fix_md }, +Index: openssl-3.1.7/crypto/pkcs7/pk7_doit.c +=================================================================== +--- openssl-3.1.7.orig/crypto/pkcs7/pk7_doit.c ++++ openssl-3.1.7/crypto/pkcs7/pk7_doit.c +@@ -170,6 +170,13 @@ static int pkcs7_decrypt_rinfo(unsigned + if (EVP_PKEY_decrypt_init(pctx) <= 0) + goto err; + ++ if (EVP_PKEY_is_a(pkey, "RSA")) ++ /* upper layer pkcs7 code incorrectly assumes that a successful RSA ++ * decryption means that the key matches ciphertext (which never ++ * was the case, implicit rejection or not), so to make it work ++ * disable implicit rejection for RSA keys */ ++ EVP_PKEY_CTX_ctrl_str(pctx, "rsa_pkcs1_implicit_rejection", "0"); ++ + if (EVP_PKEY_decrypt(pctx, NULL, &eklen, + ri->enc_key->data, ri->enc_key->length) <= 0) + goto err; +Index: openssl-3.1.7/crypto/rsa/rsa_ossl.c +=================================================================== +--- openssl-3.1.7.orig/crypto/rsa/rsa_ossl.c ++++ openssl-3.1.7/crypto/rsa/rsa_ossl.c +@@ -17,6 +17,9 @@ + #include "crypto/bn.h" + #include "rsa_local.h" + #include "internal/constant_time.h" ++#include ++#include ++#include + + static int rsa_ossl_public_encrypt(int flen, const unsigned char *from, + unsigned char *to, RSA *rsa, int padding); +@@ -377,8 +380,13 @@ static int rsa_ossl_private_decrypt(int + BIGNUM *f, *ret; + int j, num = 0, r = -1; + unsigned char *buf = NULL; ++ unsigned char d_hash[SHA256_DIGEST_LENGTH] = {0}; ++ HMAC_CTX *hmac = NULL; ++ unsigned int md_len = SHA256_DIGEST_LENGTH; ++ unsigned char kdk[SHA256_DIGEST_LENGTH] = {0}; + BN_CTX *ctx = NULL; + int local_blinding = 0; ++ EVP_MD *md = NULL; + /* + * Used only if the blinding structure is shared. A non-NULL unblind + * instructs rsa_blinding_convert() and rsa_blinding_invert() to store +@@ -387,6 +395,12 @@ static int rsa_ossl_private_decrypt(int + BIGNUM *unblind = NULL; + BN_BLINDING *blinding = NULL; + ++ /* ++ * we need the value of the private exponent to perform implicit rejection ++ */ ++ if ((rsa->flags & RSA_FLAG_EXT_PKEY) && (padding == RSA_PKCS1_PADDING)) ++ padding = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; ++ + if ((ctx = BN_CTX_new_ex(rsa->libctx)) == NULL) + goto err; + BN_CTX_start(ctx); +@@ -408,6 +422,11 @@ static int rsa_ossl_private_decrypt(int + goto err; + } + ++ if (flen < 1) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_DATA_TOO_SMALL); ++ goto err; ++ } ++ + /* make data into a big number */ + if (BN_bin2bn(from, (int)flen, f) == NULL) + goto err; +@@ -467,6 +486,81 @@ static int rsa_ossl_private_decrypt(int + /* We MUST free d before any further use of rsa->d */ + BN_free(d); + } ++ ++ /* ++ * derive the Key Derivation Key from private exponent and public ++ * ciphertext ++ */ ++ if (padding == RSA_PKCS1_PADDING) { ++ /* ++ * because we use d as a handle to rsa->d we need to keep it local and ++ * free before any further use of rsa->d ++ */ ++ BIGNUM *d = BN_new(); ++ if (d == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ if (rsa->d == NULL) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_MISSING_PRIVATE_KEY); ++ BN_free(d); ++ goto err; ++ } ++ BN_with_flags(d, rsa->d, BN_FLG_CONSTTIME); ++ if (BN_bn2binpad(d, buf, num) < 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ BN_free(d); ++ goto err; ++ } ++ BN_free(d); ++ ++ /* ++ * we use hardcoded hash so that migrating between versions that use ++ * different hash doesn't provide a Bleichenbacher oracle: ++ * if the attacker can see that different versions return different ++ * messages for the same ciphertext, they'll know that the message is ++ * syntethically generated, which means that the padding check failed ++ */ ++ md = EVP_MD_fetch(rsa->libctx, "sha256", NULL); ++ if (md == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ if (EVP_Digest(buf, num, d_hash, NULL, md, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ hmac = HMAC_CTX_new(); ++ if (hmac == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); ++ goto err; ++ } ++ ++ if (HMAC_Init_ex(hmac, d_hash, sizeof(d_hash), md, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ if (flen < num) { ++ memset(buf, 0, num - flen); ++ if (HMAC_Update(hmac, buf, num - flen) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ } ++ if (HMAC_Update(hmac, from, flen) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ md_len = SHA256_DIGEST_LENGTH; ++ if (HMAC_Final(hmac, kdk, &md_len) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ } + + if (blinding) + if (!rsa_blinding_invert(blinding, ret, unblind, ctx)) +@@ -477,9 +571,12 @@ static int rsa_ossl_private_decrypt(int + goto err; + + switch (padding) { +- case RSA_PKCS1_PADDING: ++ case RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING: + r = RSA_padding_check_PKCS1_type_2(to, num, buf, j, num); + break; ++ case RSA_PKCS1_PADDING: ++ r = ossl_rsa_padding_check_PKCS1_type_2(rsa->libctx, to, num, buf, j, num, kdk); ++ break; + case RSA_PKCS1_OAEP_PADDING: + r = RSA_padding_check_PKCS1_OAEP(to, num, buf, j, num, NULL, 0); + break; +@@ -501,6 +598,8 @@ static int rsa_ossl_private_decrypt(int + #endif + + err: ++ HMAC_CTX_free(hmac); ++ EVP_MD_free(md); + BN_CTX_end(ctx); + BN_CTX_free(ctx); + OPENSSL_clear_free(buf, num); +Index: openssl-3.1.7/crypto/rsa/rsa_pk1.c +=================================================================== +--- openssl-3.1.7.orig/crypto/rsa/rsa_pk1.c ++++ openssl-3.1.7/crypto/rsa/rsa_pk1.c +@@ -21,10 +21,14 @@ + #include + /* Just for the SSL_MAX_MASTER_KEY_LENGTH value */ + #include ++#include ++#include ++#include + #include "internal/cryptlib.h" + #include "crypto/rsa.h" + #include "rsa_local.h" + ++ + int RSA_padding_add_PKCS1_type_1(unsigned char *to, int tlen, + const unsigned char *from, int flen) + { +@@ -273,6 +277,254 @@ int RSA_padding_check_PKCS1_type_2(unsig + return constant_time_select_int(good, mlen, -1); + } + ++ ++static int ossl_rsa_prf(OSSL_LIB_CTX *ctx, ++ unsigned char *to, int tlen, ++ const char *label, int llen, ++ const unsigned char *kdk, ++ uint16_t bitlen) ++{ ++ int pos; ++ int ret = -1; ++ uint16_t iter = 0; ++ unsigned char be_iter[sizeof(iter)]; ++ unsigned char be_bitlen[sizeof(bitlen)]; ++ HMAC_CTX *hmac = NULL; ++ EVP_MD *md = NULL; ++ unsigned char hmac_out[SHA256_DIGEST_LENGTH]; ++ unsigned int md_len; ++ ++ if (tlen * 8 != bitlen) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ return ret; ++ } ++ ++ be_bitlen[0] = (bitlen >> 8) & 0xff; ++ be_bitlen[1] = bitlen & 0xff; ++ ++ hmac = HMAC_CTX_new(); ++ if (hmac == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ /* ++ * we use hardcoded hash so that migrating between versions that use ++ * different hash doesn't provide a Bleichenbacher oracle: ++ * if the attacker can see that different versions return different ++ * messages for the same ciphertext, they'll know that the message is ++ * syntethically generated, which means that the padding check failed ++ */ ++ md = EVP_MD_fetch(ctx, "sha256", NULL); ++ if (md == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ if (HMAC_Init_ex(hmac, kdk, SHA256_DIGEST_LENGTH, md, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ for (pos = 0; pos < tlen; pos += SHA256_DIGEST_LENGTH, iter++) { ++ if (HMAC_Init_ex(hmac, NULL, 0, NULL, NULL) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ be_iter[0] = (iter >> 8) & 0xff; ++ be_iter[1] = iter & 0xff; ++ ++ if (HMAC_Update(hmac, be_iter, sizeof(be_iter)) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ if (HMAC_Update(hmac, (unsigned char *)label, llen) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ if (HMAC_Update(hmac, be_bitlen, sizeof(be_bitlen)) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ ++ /* ++ * HMAC_Final requires the output buffer to fit the whole MAC ++ * value, so we need to use the intermediate buffer for the last ++ * unaligned block ++ */ ++ md_len = SHA256_DIGEST_LENGTH; ++ if (pos + SHA256_DIGEST_LENGTH > tlen) { ++ if (HMAC_Final(hmac, hmac_out, &md_len) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ memcpy(to + pos, hmac_out, tlen - pos); ++ } else { ++ if (HMAC_Final(hmac, to + pos, &md_len) <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ goto err; ++ } ++ } ++ } ++ ++ ret = 0; ++ ++err: ++ HMAC_CTX_free(hmac); ++ EVP_MD_free(md); ++ return ret; ++} ++ ++/* ++ * ossl_rsa_padding_check_PKCS1_type_2() checks and removes the PKCS#1 type 2 ++ * padding from a decrypted RSA message. Unlike the ++ * RSA_padding_check_PKCS1_type_2() it will not return an error in case it ++ * detects a padding error, rather it will return a deterministically generated ++ * random message. In other words it will perform an implicit rejection ++ * of an invalid padding. This means that the returned value does not indicate ++ * if the padding of the encrypted message was correct or not, making ++ * side channel attacks like the ones described by Bleichenbacher impossible ++ * without access to the full decrypted value and a brute-force search of ++ * remaining padding bytes ++ */ ++int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ int num, unsigned char *kdk) ++{ ++/* ++ * We need to generate a random length for the synthethic message, to avoid ++ * bias towards zero and avoid non-constant timeness of DIV, we prepare ++ * 128 values to check if they are not too large for the used key size, ++ * and use 0 in case none of them are small enough, as 2^-128 is a good enough ++ * safety margin ++ */ ++#define MAX_LEN_GEN_TRIES 128 ++ unsigned char *synthetic = NULL; ++ int synthethic_length; ++ uint16_t len_candidate; ++ unsigned char candidate_lengths[MAX_LEN_GEN_TRIES * sizeof(len_candidate)]; ++ uint16_t len_mask; ++ uint16_t max_sep_offset; ++ int synth_msg_index = 0; ++ int ret = -1; ++ int i, j; ++ unsigned int good, found_zero_byte; ++ int zero_index = 0, msg_index; ++ ++ /* ++ * If these checks fail then either the message in publicly invalid, or ++ * we've been called incorrectly. We can fail immediately. ++ * Since this code is called only internally by openssl, those are just ++ * sanity checks ++ */ ++ if (num != flen || tlen <= 0 || flen <= 0) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ return -1; ++ } ++ ++ /* Generate a random message to return in case the padding checks fail */ ++ synthetic = OPENSSL_malloc(flen); ++ if (synthetic == NULL) { ++ ERR_raise(ERR_LIB_RSA, ERR_R_MALLOC_FAILURE); ++ return -1; ++ } ++ ++ if (ossl_rsa_prf(ctx, synthetic, flen, "message", 7, kdk, flen * 8) < 0) ++ goto err; ++ ++ /* decide how long the random message should be */ ++ if (ossl_rsa_prf(ctx, candidate_lengths, sizeof(candidate_lengths), ++ "length", 6, kdk, ++ MAX_LEN_GEN_TRIES * sizeof(len_candidate) * 8) < 0) ++ goto err; ++ ++ /* ++ * max message size is the size of the modulus size less 2 bytes for ++ * version and padding type and a minimum of 8 bytes padding ++ */ ++ len_mask = max_sep_offset = flen - 2 - 8; ++ /* ++ * we want a mask so lets propagate the high bit to all positions less ++ * significant than it ++ */ ++ len_mask |= len_mask >> 1; ++ len_mask |= len_mask >> 2; ++ len_mask |= len_mask >> 4; ++ len_mask |= len_mask >> 8; ++ ++ synthethic_length = 0; ++ for (i = 0; i < MAX_LEN_GEN_TRIES * (int)sizeof(len_candidate); ++ i += sizeof(len_candidate)) { ++ len_candidate = (candidate_lengths[i] << 8) | candidate_lengths[i + 1]; ++ len_candidate &= len_mask; ++ ++ synthethic_length = constant_time_select_int( ++ constant_time_lt(len_candidate, max_sep_offset), ++ len_candidate, synthethic_length); ++ } ++ ++ synth_msg_index = flen - synthethic_length; ++ ++ /* we have alternative message ready, check the real one */ ++ good = constant_time_is_zero(from[0]); ++ good &= constant_time_eq(from[1], 2); ++ ++ /* then look for the padding|message separator (the first zero byte) */ ++ found_zero_byte = 0; ++ for (i = 2; i < flen; i++) { ++ unsigned int equals0 = constant_time_is_zero(from[i]); ++ zero_index = constant_time_select_int(~found_zero_byte & equals0, ++ i, zero_index); ++ found_zero_byte |= equals0; ++ } ++ ++ /* ++ * padding must be at least 8 bytes long, and it starts two bytes into ++ * |from|. If we never found a 0-byte, then |zero_index| is 0 and the check ++ * also fails. ++ */ ++ good &= constant_time_ge(zero_index, 2 + 8); ++ ++ /* ++ * Skip the zero byte. This is incorrect if we never found a zero-byte ++ * but in this case we also do not copy the message out. ++ */ ++ msg_index = zero_index + 1; ++ ++ /* ++ * old code returned an error in case the decrypted message wouldn't fit ++ * into the |to|, since that would leak information, return the synthethic ++ * message instead ++ */ ++ good &= constant_time_ge(tlen, num - msg_index); ++ ++ msg_index = constant_time_select_int(good, msg_index, synth_msg_index); ++ ++ /* ++ * since at this point the |msg_index| does not provide the signal ++ * indicating if the padding check failed or not, we don't have to worry ++ * about leaking the length of returned message, we still need to ensure ++ * that we read contents of both buffers so that cache accesses don't leak ++ * the value of |good| ++ */ ++ for (i = msg_index, j = 0; i < flen && j < tlen; i++, j++) ++ to[j] = constant_time_select_8(good, from[i], synthetic[i]); ++ ret = j; ++ ++err: ++ /* ++ * the only time ret < 0 is when the ciphertext is publicly invalid ++ * or we were called with invalid parameters, so we don't have to perform ++ * a side-channel secure raising of the error ++ */ ++ if (ret < 0) ++ ERR_raise(ERR_LIB_RSA, ERR_R_INTERNAL_ERROR); ++ OPENSSL_free(synthetic); ++ return ret; ++} ++ + /* + * ossl_rsa_padding_check_PKCS1_type_2_TLS() checks and removes the PKCS1 type 2 + * padding from a decrypted RSA message in a TLS signature. The result is stored +Index: openssl-3.1.7/crypto/rsa/rsa_pmeth.c +=================================================================== +--- openssl-3.1.7.orig/crypto/rsa/rsa_pmeth.c ++++ openssl-3.1.7/crypto/rsa/rsa_pmeth.c +@@ -52,6 +52,8 @@ typedef struct { + /* OAEP label */ + unsigned char *oaep_label; + size_t oaep_labellen; ++ /* if to use implicit rejection in PKCS#1 v1.5 decryption */ ++ int implicit_rejection; + } RSA_PKEY_CTX; + + /* True if PSS parameters are restricted */ +@@ -72,6 +74,7 @@ static int pkey_rsa_init(EVP_PKEY_CTX *c + /* Maximum for sign, auto for verify */ + rctx->saltlen = RSA_PSS_SALTLEN_AUTO; + rctx->min_saltlen = -1; ++ rctx->implicit_rejection = 1; + ctx->data = rctx; + ctx->keygen_info = rctx->gentmp; + ctx->keygen_info_count = 2; +@@ -97,6 +100,7 @@ static int pkey_rsa_copy(EVP_PKEY_CTX *d + dctx->md = sctx->md; + dctx->mgf1md = sctx->mgf1md; + dctx->saltlen = sctx->saltlen; ++ dctx->implicit_rejection = sctx->implicit_rejection; + if (sctx->oaep_label) { + OPENSSL_free(dctx->oaep_label); + dctx->oaep_label = OPENSSL_memdup(sctx->oaep_label, sctx->oaep_labellen); +@@ -347,6 +351,7 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX + const unsigned char *in, size_t inlen) + { + int ret; ++ int pad_mode; + RSA_PKEY_CTX *rctx = ctx->data; + /* + * Discard const. Its marked as const because this may be a cached copy of +@@ -367,7 +372,12 @@ static int pkey_rsa_decrypt(EVP_PKEY_CTX + rctx->oaep_labellen, + rctx->md, rctx->mgf1md); + } else { +- ret = RSA_private_decrypt(inlen, in, out, rsa, rctx->pad_mode); ++ if (rctx->pad_mode == RSA_PKCS1_PADDING && ++ rctx->implicit_rejection == 0) ++ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; ++ else ++ pad_mode = rctx->pad_mode; ++ ret = RSA_private_decrypt(inlen, in, out, rsa, pad_mode); + } + *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); + ret = constant_time_select_int(constant_time_msb(ret), ret, 1); +@@ -591,6 +601,14 @@ static int pkey_rsa_ctrl(EVP_PKEY_CTX *c + *(unsigned char **)p2 = rctx->oaep_label; + return rctx->oaep_labellen; + ++ case EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION: ++ if (rctx->pad_mode != RSA_PKCS1_PADDING) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_PADDING_MODE); ++ return -2; ++ } ++ rctx->implicit_rejection = p1; ++ return 1; ++ + case EVP_PKEY_CTRL_DIGESTINIT: + case EVP_PKEY_CTRL_PKCS7_SIGN: + #ifndef OPENSSL_NO_CMS +Index: openssl-3.1.7/doc/man1/openssl-pkeyutl.pod.in +=================================================================== +--- openssl-3.1.7.orig/doc/man1/openssl-pkeyutl.pod.in ++++ openssl-3.1.7/doc/man1/openssl-pkeyutl.pod.in +@@ -240,6 +240,11 @@ signed or verified directly instead of u + digest is set, then the B structure is used and its length + must correspond to the digest type. + ++Note, for B padding, as a protection against Bleichenbacher attack, ++the decryption will not fail in case of padding check failures. Use B ++and manual inspection of the decrypted message to verify if the decrypted ++value has correct PKCS#1 v1.5 padding. ++ + For B mode only encryption and decryption is supported. + + For B if the digest type is set it is used to format the block data +@@ -267,6 +272,16 @@ explicitly set in PSS mode then the sign + Sets the digest used for the OAEP hash function. If not explicitly set then + SHA1 is used. + ++=item BI ++ ++Disables (when set to 0) or enables (when set to 1) the use of implicit ++rejection with PKCS#1 v1.5 decryption. When enabled (the default), as a ++protection against Bleichenbacher attack, the library will generate a ++deterministic random plaintext that it will return to the caller in case ++of padding check failure. ++When disabled, it's the callers' responsibility to handle the returned ++errors in a side-channel free manner. ++ + =back + + =head1 RSA-PSS ALGORITHM +Index: openssl-3.1.7/doc/man1/openssl-rsautl.pod.in +=================================================================== +--- openssl-3.1.7.orig/doc/man1/openssl-rsautl.pod.in ++++ openssl-3.1.7/doc/man1/openssl-rsautl.pod.in +@@ -105,6 +105,11 @@ The padding to use: PKCS#1 v1.5 (the def + ANSI X9.31, or no padding, respectively. + For signatures, only B<-pkcs> and B<-raw> can be used. + ++Note: because of protection against Bleichenbacher attacks, decryption ++using PKCS#1 v1.5 mode will not return errors in case padding check failed. ++Use B<-raw> and inspect the returned value manually to check if the ++padding is correct. ++ + =item B<-hexdump> + + Hex dump the output data. +Index: openssl-3.1.7/doc/man3/EVP_PKEY_CTX_ctrl.pod +=================================================================== +--- openssl-3.1.7.orig/doc/man3/EVP_PKEY_CTX_ctrl.pod ++++ openssl-3.1.7/doc/man3/EVP_PKEY_CTX_ctrl.pod +@@ -393,6 +393,15 @@ this behaviour should be tolerated then + OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION should be set to the actual + negotiated protocol version. Otherwise it should be left unset. + ++Similarly to the B above, since OpenSSL version ++3.1.0, the use of B will return a randomly generated message ++instead of padding errors in case padding checks fail. Applications that ++want to remain secure while using earlier versions of OpenSSL, still need to ++handle both the error code from the RSA decryption operation and the ++returned message in a side channel secure manner. ++This protection against Bleichenbacher attacks can be disabled by setting ++the OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION (an unsigned integer) to 0. ++ + =head2 DSA parameters + + EVP_PKEY_CTX_set_dsa_paramgen_bits() sets the number of bits used for DSA +Index: openssl-3.1.7/doc/man3/EVP_PKEY_decrypt.pod +=================================================================== +--- openssl-3.1.7.orig/doc/man3/EVP_PKEY_decrypt.pod ++++ openssl-3.1.7/doc/man3/EVP_PKEY_decrypt.pod +@@ -51,6 +51,18 @@ return 1 for success and 0 or a negative + return value of -2 indicates the operation is not supported by the public key + algorithm. + ++=head1 WARNINGS ++ ++In OpenSSL versions before 3.1.0, when used in PKCS#1 v1.5 padding, ++both the return value from the EVP_PKEY_decrypt() and the B provided ++information useful in mounting a Bleichenbacher attack against the ++used private key. They had to processed in a side-channel free way. ++ ++Since version 3.1.0, the EVP_PKEY_decrypt() method when used with PKCS#1 ++v1.5 padding doesn't return an error in case it detects an error in padding, ++instead it returns a pseudo-randomly generated message, removing the need ++of side-channel secure code from applications using OpenSSL. ++ + =head1 EXAMPLES + + Decrypt data using OAEP (for RSA keys): +Index: openssl-3.1.7/doc/man3/RSA_padding_add_PKCS1_type_1.pod +=================================================================== +--- openssl-3.1.7.orig/doc/man3/RSA_padding_add_PKCS1_type_1.pod ++++ openssl-3.1.7/doc/man3/RSA_padding_add_PKCS1_type_1.pod +@@ -121,8 +121,8 @@ L. + + =head1 WARNINGS + +-The result of RSA_padding_check_PKCS1_type_2() is a very sensitive +-information which can potentially be used to mount a Bleichenbacher ++The result of RSA_padding_check_PKCS1_type_2() is exactly the ++information which is used to mount a classical Bleichenbacher + padding oracle attack. This is an inherent weakness in the PKCS #1 + v1.5 padding design. Prefer PKCS1_OAEP padding. If that is not + possible, the result of RSA_padding_check_PKCS1_type_2() should be +@@ -137,6 +137,9 @@ as this would create a small timing side + used to mount a Bleichenbacher attack against any padding mode + including PKCS1_OAEP. + ++You should prefer the use of EVP PKEY APIs for PKCS#1 v1.5 decryption ++as they implement the necessary workarounds internally. ++ + =head1 SEE ALSO + + L, +Index: openssl-3.1.7/doc/man3/RSA_public_encrypt.pod +=================================================================== +--- openssl-3.1.7.orig/doc/man3/RSA_public_encrypt.pod ++++ openssl-3.1.7/doc/man3/RSA_public_encrypt.pod +@@ -52,8 +52,8 @@ Encrypting user data directly with RSA i + + =back + +-B must not be more than RSA_size(B) - 11 for the PKCS #1 v1.5 +-based padding modes, not more than RSA_size(B) - 42 for ++When encrypting B must not be more than RSA_size(B) - 11 for the ++PKCS #1 v1.5 based padding modes, not more than RSA_size(B) - 42 for + RSA_PKCS1_OAEP_PADDING and exactly RSA_size(B) for RSA_NO_PADDING. + When a padding mode other than RSA_NO_PADDING is in use, then + RSA_public_encrypt() will include some random bytes into the ciphertext +@@ -92,6 +92,13 @@ which can potentially be used to mount a + attack. This is an inherent weakness in the PKCS #1 v1.5 padding + design. Prefer RSA_PKCS1_OAEP_PADDING. + ++In OpenSSL before version 3.1.0, both the return value and the length of ++returned value could be used to mount the Bleichenbacher attack. ++Since version 3.1.0, OpenSSL does not return an error in case of padding ++checks failed. Instead it generates a random message based on used private ++key and provided ciphertext so that application code doesn't have to implement ++a side-channel secure error handling. ++ + =head1 CONFORMING TO + + SSL, PKCS #1 v2.0 +Index: openssl-3.1.7/doc/man7/provider-asym_cipher.pod +=================================================================== +--- openssl-3.1.7.orig/doc/man7/provider-asym_cipher.pod ++++ openssl-3.1.7/doc/man7/provider-asym_cipher.pod +@@ -234,6 +234,15 @@ The TLS protocol version first requested + + The negotiated TLS protocol version. + ++=item "implicit-rejection" (B) ++ ++Gets of sets the use of the implicit rejection mechanism for RSA PKCS#1 v1.5 ++decryption. When set (non zero value), the decryption API will return ++a deterministically random value if the PKCS#1 v1.5 padding check fails. ++This makes explotation of the Bleichenbacher significantly harder, even ++if the code using the RSA decryption API is not implemented in side-channel ++free manner. Set by default. ++ + =back + + OSSL_FUNC_asym_cipher_gettable_ctx_params() and OSSL_FUNC_asym_cipher_settable_ctx_params() +Index: openssl-3.1.7/include/crypto/rsa.h +=================================================================== +--- openssl-3.1.7.orig/include/crypto/rsa.h ++++ openssl-3.1.7/include/crypto/rsa.h +@@ -83,6 +83,10 @@ int ossl_rsa_param_decode(RSA *rsa, cons + RSA *ossl_rsa_key_from_pkcs8(const PKCS8_PRIV_KEY_INFO *p8inf, + OSSL_LIB_CTX *libctx, const char *propq); + ++int ossl_rsa_padding_check_PKCS1_type_2(OSSL_LIB_CTX *ctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ int num, unsigned char *kdk); + int ossl_rsa_padding_check_PKCS1_type_2_TLS(OSSL_LIB_CTX *ctx, unsigned char *to, + size_t tlen, + const unsigned char *from, +Index: openssl-3.1.7/include/openssl/core_names.h +=================================================================== +--- openssl-3.1.7.orig/include/openssl/core_names.h ++++ openssl-3.1.7/include/openssl/core_names.h +@@ -299,6 +299,7 @@ extern "C" { + #define OSSL_PKEY_PARAM_DIST_ID "distid" + #define OSSL_PKEY_PARAM_PUB_KEY "pub" + #define OSSL_PKEY_PARAM_PRIV_KEY "priv" ++#define OSSL_PKEY_PARAM_IMPLICIT_REJECTION "implicit-rejection" + + /* Diffie-Hellman/DSA Parameters */ + #define OSSL_PKEY_PARAM_FFC_P "p" +@@ -476,6 +477,7 @@ extern "C" { + #define OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL "oaep-label" + #define OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION "tls-client-version" + #define OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION "tls-negotiated-version" ++#define OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION "implicit-rejection" + #ifdef FIPS_MODULE + #define OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED "suse-kat-oaep-seed" + #endif +Index: openssl-3.1.7/include/openssl/rsa.h +=================================================================== +--- openssl-3.1.7.orig/include/openssl/rsa.h ++++ openssl-3.1.7/include/openssl/rsa.h +@@ -189,6 +189,8 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP + + # define EVP_PKEY_CTRL_RSA_KEYGEN_PRIMES (EVP_PKEY_ALG_CTRL + 13) + ++# define EVP_PKEY_CTRL_RSA_IMPLICIT_REJECTION (EVP_PKEY_ALG_CTRL + 14) ++ + # define RSA_PKCS1_PADDING 1 + # define RSA_NO_PADDING 3 + # define RSA_PKCS1_OAEP_PADDING 4 +@@ -198,6 +200,9 @@ int EVP_PKEY_CTX_get0_rsa_oaep_label(EVP + # define RSA_PKCS1_PSS_PADDING 6 + # define RSA_PKCS1_WITH_TLS_PADDING 7 + ++/* internal RSA_ only */ ++# define RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING 8 ++ + # define RSA_PKCS1_PADDING_SIZE 11 + + # define RSA_set_app_data(s,arg) RSA_set_ex_data(s,0,arg) +Index: openssl-3.1.7/providers/implementations/asymciphers/rsa_enc.c +=================================================================== +--- openssl-3.1.7.orig/providers/implementations/asymciphers/rsa_enc.c ++++ openssl-3.1.7/providers/implementations/asymciphers/rsa_enc.c +@@ -78,6 +78,8 @@ typedef struct { + /* TLS padding */ + unsigned int client_version; + unsigned int alt_version; ++ /* PKCS#1 v1.5 decryption mode */ ++ unsigned int implicit_rejection; + #ifdef FIPS_MODULE + char *suse_st_oaep_seed; + #endif /* FIPS_MODULE */ +@@ -113,6 +115,7 @@ static int rsa_init(void *vprsactx, void + RSA_free(prsactx->rsa); + prsactx->rsa = vrsa; + prsactx->operation = operation; ++ prsactx->implicit_rejection = 1; + + switch (RSA_test_flags(prsactx->rsa, RSA_FLAG_TYPE_MASK)) { + case RSA_FLAG_TYPE_RSA: +@@ -237,6 +240,7 @@ static int rsa_decrypt(void *vprsactx, u + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + int ret; ++ int pad_mode; + size_t len = RSA_size(prsactx->rsa); + + if (!ossl_prov_is_running()) +@@ -326,8 +330,12 @@ static int rsa_decrypt(void *vprsactx, u + } + OPENSSL_free(tbuf); + } else { +- ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, +- prsactx->pad_mode); ++ if ((prsactx->implicit_rejection == 0) && ++ (prsactx->pad_mode == RSA_PKCS1_PADDING)) ++ pad_mode = RSA_PKCS1_NO_IMPLICIT_REJECT_PADDING; ++ else ++ pad_mode = prsactx->pad_mode; ++ ret = RSA_private_decrypt(inlen, in, out, prsactx->rsa, pad_mode); + } + *outlen = constant_time_select_s(constant_time_msb_s(ret), *outlen, ret); + ret = constant_time_select_int(constant_time_msb(ret), 0, 1); +@@ -454,6 +462,10 @@ static int rsa_get_ctx_params(void *vprs + if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->alt_version)) + return 0; + ++ p = OSSL_PARAM_locate(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION); ++ if (p != NULL && !OSSL_PARAM_set_uint(p, prsactx->implicit_rejection)) ++ return 0; ++ + return 1; + } + +@@ -465,6 +477,7 @@ static const OSSL_PARAM known_gettable_c + NULL, 0), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), ++ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), + #ifdef FIPS_MODULE + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED, NULL, 0), + #endif /* FIPS_MODULE */ +@@ -621,6 +634,14 @@ static int rsa_set_ctx_params(void *vprs + return 0; + prsactx->alt_version = alt_version; + } ++ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION); ++ if (p != NULL) { ++ unsigned int implicit_rejection; ++ ++ if (!OSSL_PARAM_get_uint(p, &implicit_rejection)) ++ return 0; ++ prsactx->implicit_rejection = implicit_rejection; ++ } + + return 1; + } +@@ -634,6 +655,7 @@ static const OSSL_PARAM known_settable_c + OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_OAEP_LABEL, NULL, 0), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), ++ OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), + OSSL_PARAM_END + }; + +Index: openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +=================================================================== +--- openssl-3.1.7.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ openssl-3.1.7/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -268,9 +268,25 @@ Decrypt = RSA-2048 + Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 + Output = "Hello World" + ++Availablein = default ++# Note: disable the Bleichenbacher workaround to see if it passes ++Decrypt = RSA-2048 ++Ctrl = rsa_pkcs1_implicit_rejection:0 ++Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 ++Output = "Hello World" ++ ++Availablein = default ++# Corrupted ciphertext ++# Note: output is generated synthethically by the Bleichenbacher workaround ++Decrypt = RSA-2048 ++Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 ++Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff ++ + # Corrupted ciphertext + Availablein = default ++# Note: disable the Bleichenbacher workaround to see if it fails + Decrypt = RSA-2048 ++Ctrl = rsa_pkcs1_implicit_rejection:0 + Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A79 + Output = "Hello World" + Result = KEYOP_ERROR +@@ -293,6 +309,462 @@ Derive = RSA-2048 + Result = KEYOP_INIT_ERROR + Reason = operation not supported for this keytype + ++# Test vectors for the Bleichenbacher workaround ++ ++PrivateKey = RSA-2048-2 ++-----BEGIN RSA PRIVATE KEY----- ++MIIEowIBAAKCAQEAyMyDlxQJjaVsqiNkD5PciZfBY3KWj8Gwxt9RE8HJTosh5IrS ++KX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjOjRQclJBetK0wZjmkkgZTS25/JgdC ++Ppff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7SSmBfVEWZkQKH6y3ogj16hZZEK3Y ++o/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVOyHUipMApePlomYC/+/ZJwwfoGBm/ +++IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1a9PC6lRl3/oUWJKSqdiiStJr5+4F ++EHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGnaQIDAQABAoIBABRVAQ4PLVh2Y6Zm ++pv8czbvw7dgQBkbQKgI5IpCJksStOeVWWSlybvZQjDpxFY7wtv91HTnQdYC7LS8G ++MhBELQYD/1DbvXs1/iybsZpHoa+FpMJJAeAsqLWLeRmyDt8yqs+/Ua20vEthubfp ++aMqk1XD3DvGNgGMiiJPkfUOe/KeTJZvPLNEIo9hojN8HjnrHmZafIznSwfUiuWlo ++RimpM7quwmgWJeq4T05W9ER+nYj7mhmc9xAj4OJXsURBszyE07xnyoAx0mEmGBA6 ++egpAhEJi912IkM1hblH5A1SI/W4Jnej/bWWk/xGCVIB8n1jS+7qLoVHcjGi+NJyX ++eiBOBMECgYEA+PWta6gokxvqRZuKP23AQdI0gkCcJXHpY/MfdIYColY3GziD7UWe ++z5cFJkWe3RbgVSL1pF2UdRsuwtrycsf4gWpSwA0YCAFxY02omdeXMiL1G5N2MFSG ++lqn32MJKWUl8HvzUVc+5fuhtK200lyszL9owPwSZm062tcwLsz53Yd0CgYEAznou ++O0mpC5YzChLcaCvfvfuujdbcA7YUeu+9V1dD8PbaTYYjUGG3Gv2crS00Al5WrIaw ++93Q+s14ay8ojeJVCRGW3Bu0iF15XGMjHC2cD6o9rUQ+UW+SOWja7PDyRcytYnfwF ++1y2AkDGURSvaITSGR+xylD8RqEbmL66+jrU2sP0CgYB2/hXxiuI5zfHfa0RcpLxr ++uWjXiMIZM6T13NKAAz1nEgYswIpt8gTB+9C+RjB0Q+bdSmRWN1Qp1OA4yiVvrxyb ++3pHGsXt2+BmV+RxIy768e/DjSUwINZ5OjNalh9e5bWIh/X4PtcVXXwgu5XdpeYBx ++sru0oyI4FRtHMUu2VHkDEQKBgQCZiEiwVUmaEAnLx9KUs2sf/fICDm5zZAU+lN4a ++AA3JNAWH9+JydvaM32CNdTtjN3sDtvQITSwCfEs4lgpiM7qe2XOLdvEOp1vkVgeL ++9wH2fMaz8/3BhuZDNsdrNy6AkQ7ICwrcwj0C+5rhBIaigkgHW06n5W3fzziC5FFW ++FHGikQKBgGQ790ZCn32DZnoGUwITR++/wF5jUfghqd67YODszeUAWtnp7DHlWPfp ++LCkyjnRWnXzvfHTKvCs1XtQBoaCRS048uwZITlgZYFEWntFMqi76bqBE4FTSYUTM ++FinFUBBVigThM/RLfCRNrCW/kTxXuJDuSfVIJZzWNAT+9oWdz5da ++-----END RSA PRIVATE KEY----- ++ ++# corresponding public key ++PublicKey = RSA-2048-2-PUBLIC ++-----BEGIN PUBLIC KEY----- ++MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyMyDlxQJjaVsqiNkD5Pc ++iZfBY3KWj8Gwxt9RE8HJTosh5IrSKX5lQZARtObY9ec7G3iyV0ADIdHva2AtTsjO ++jRQclJBetK0wZjmkkgZTS25/JgdCPpff/RM8iNchOZ3vvH6WzNy9fzquH+iScSv7 ++SSmBfVEWZkQKH6y3ogj16hZZEK3Yo/LUlyAjYMy2MgJPDQcWnBkY8xb3lLFDrvVO ++yHUipMApePlomYC/+/ZJwwfoGBm/+IQJY41IvZS+FStZ/2SfoL1inQ/6GBPDq/S1 ++a9PC6lRl3/oUWJKSqdiiStJr5+4FEHQbY4LUPIPVv6QKRmE9BivkRVF9vK8MtOGn ++aQIDAQAB ++-----END PUBLIC KEY----- ++ ++PrivPubKeyPair = RSA-2048-2:RSA-2048-2-PUBLIC ++ ++# RSA decrypt ++ ++# a random positive test case ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066 ++Output = "lorem ipsum dolor sit amet" ++ ++Availablein = default ++# a random negative test case decrypting to empty ++Decrypt = RSA-2048-2 ++Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7 ++Output = ++ ++Availablein = default ++# invalid decrypting to max length message ++Decrypt = RSA-2048-2 ++Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303 ++Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 ++ ++Availablein = default ++# invalid decrypting to message with length specified by second to last value from PRF ++Decrypt = RSA-2048-2 ++Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354 ++Output = 0f9b ++ ++Availablein = default ++# invalid decrypting to message with length specified by third to last value from PRF ++Decrypt = RSA-2048-2 ++Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081 ++Output = 4f02 ++ ++# positive test with 11 byte long value ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592 ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and zero padded ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and zero truncated ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and double zero padded ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc ++Output = "lorem ipsum" ++ ++# positive test with 11 byte long value and double zero truncated ciphertext ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc ++Output = "lorem ipsum" ++ ++# positive that generates a 0 byte long synthethic message internally ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0 ++Output = "lorem ipsum" ++ ++# positive that generates a 245 byte long synthethic message internally ++Availablein = default ++Decrypt = RSA-2048-2 ++Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50 ++Output = "lorem ipsum" ++ ++Availablein = default ++# a random negative test that generates an 11 byte long message ++Decrypt = RSA-2048-2 ++Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2 ++Output = af9ac70191c92413cb9f2d ++ ++Availablein = default ++# an otherwise correct plaintext, but with wrong first byte ++# (0x01 instead of 0x00), generates a random 11 byte long plaintext ++Decrypt = RSA-2048-2 ++Input = 9b2ec9c0c917c98f1ad3d0119aec6be51ae3106e9af1914d48600ab6a2c0c0c8ae02a2dc3039906ff3aac904af32ec798fd65f3ad1afa2e69400e7c1de81f5728f3b3291f38263bc7a90a0563e43ce7a0d4ee9c0d8a716621ca5d3d081188769ce1b131af7d35b13dea99153579c86db31fe07d5a2c14d621b77854e48a8df41b5798563af489a291e417b6a334c63222627376118c02c53b6e86310f728734ffc86ef9d7c8bf56c0c841b24b82b59f51aee4526ba1c4268506d301e4ebc498c6aebb6fd5258c876bf900bac8ca4d309dd522f6a6343599a8bc3760f422c10c72d0ad527ce4af1874124ace3d99bb74db8d69d2528db22c3a37644640f95c05f ++Output = a1f8c9255c35cfba403ccc ++ ++Availablein = default ++# an otherwise correct plaintext, but with wrong second byte ++# (0x01 instead of 0x02), generates a random 11 byte long plaintext ++Decrypt = RSA-2048-2 ++Input = 782c2b59a21a511243820acedd567c136f6d3090c115232a82a5efb0b178285f55b5ec2d2bac96bf00d6592ea7cdc3341610c8fb07e527e5e2d20cfaf2c7f23e375431f45e998929a02f25fd95354c33838090bca838502259e92d86d568bc2cdb132fab2a399593ca60a015dc2bb1afcd64fef8a3834e17e5358d822980dc446e845b3ab4702b1ee41fe5db716d92348d5091c15d35a110555a35deb4650a5a1d2c98025d42d4544f8b32aa6a5e02dc02deaed9a7313b73b49b0d4772a3768b0ea0db5846ace6569cae677bf67fb0acf3c255dc01ec8400c963b6e49b1067728b4e563d7e1e1515664347b92ee64db7efb5452357a02fff7fcb7437abc2e579 ++Output = e6d700309ca0ed62452254 ++ ++Availablein = default ++# an invalid ciphertext, with a zero byte in first byte of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 0096136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 ++Output = ba27b1842e7c21c0e7ef6a ++ ++Availablein = default ++# an invalid ciphertext, with a zero byte removed from first byte of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 96136621faf36d5290b16bd26295de27f895d1faa51c800dafce73d001d60796cd4e2ac3fa2162131d859cd9da5a0c8a42281d9a63e5f353971b72e36b5722e4ac444d77f892a5443deb3dca49fa732fe855727196e23c26eeac55eeced8267a209ebc0f92f4656d64a6c13f7f7ce544ebeb0f668fe3a6c0f189e4bcd5ea12b73cf63e0c8350ee130dd62f01e5c97a1e13f52fde96a9a1bc9936ce734fdd61f27b18216f1d6de87f49cf4f2ea821fb8efd1f92cdad529baf7e31aff9bff4074f2cad2b4243dd15a711adcf7de900851fbd6bcb53dac399d7c880531d06f25f7002e1aaf1722765865d2c2b902c7736acd27bc6cbd3e38b560e2eecf7d4b576 ++Output = ba27b1842e7c21c0e7ef6a ++ ++Availablein = default ++# an invalid ciphertext, with two zero bytes in first bytes of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 0000587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 ++Output = d5cf555b1d6151029a429a ++ ++Availablein = default ++# an invalid ciphertext, with two zero bytes removed from first bytes of ++# ciphertext, decrypts to a random 11 byte long synthethic ++# plaintext ++Decrypt = RSA-2048-2 ++Input = 587cccc6b264bdfe0dc2149a988047fa921801f3502ea64624c510c6033d2f427e3f136c26e88ea9f6519e86a542cec96aad1e5e9013c3cc203b6de15a69183050813af5c9ad79703136d4b92f50ce171eefc6aa7988ecf02f319ffc5eafd6ee7a137f8fce64b255bb1b8dd19cfe767d64fdb468b9b2e9e7a0c24dae03239c8c714d3f40b7ee9c4e59ac15b17e4d328f1100756bce17133e8e7493b54e5006c3cbcdacd134130c5132a1edebdbd01a0c41452d16ed7a0788003c34730d0808e7e14c797a21f2b45a8aa1644357fd5e988f99b017d9df37563a354c788dc0e2f9466045622fa3f3e17db63414d27761f57392623a2bef6467501c63e8d645 ++Output = d5cf555b1d6151029a429a ++ ++Availablein = default ++# and invalid ciphertext, otherwise valid but starting with 000002, decrypts ++# to random 11 byte long synthethic plaintext ++Decrypt = RSA-2048-2 ++Input = 1786550ce8d8433052e01ecba8b76d3019f1355b212ac9d0f5191b023325a7e7714b7802f8e9a17c4cb3cd3a84041891471b10ca1fcfb5d041d34c82e6d0011cf4dc76b90e9c2e0743590579d55bcd7857057152c4a8040361343d1d22ba677d62b011407c652e234b1d663af25e2386251d7409190f19fc8ec3f9374fdf1254633874ce2ec2bff40ad0cb473f9761ec7b68da45a4bd5e33f5d7dac9b9a20821df9406b653f78a95a6c0ea0a4d57f867e4db22c17bf9a12c150f809a7b72b6db86c22a8732241ebf3c6a4f2cf82671d917aba8bc61052b40ccddd743a94ea9b538175106201971cca9d136d25081739aaf6cd18b2aecf9ad320ea3f89502f955 ++Output = 3d4a054d9358209e9cbbb9 ++ ++Availablein = default ++# negative test with otherwise valid padding but a zero byte in first byte ++# of padding ++Decrypt = RSA-2048-2 ++Input = 179598823812d2c58a7eb50521150a48bcca8b4eb53414018b6bca19f4801456c5e36a940037ac516b0d6412ba44ec6b4f268a55ef1c5ffbf18a2f4e3522bb7b6ed89774b79bffa22f7d3102165565642de0d43a955e96a1f2e80e5430671d7266eb4f905dc8ff5e106dc5588e5b0289e49a4913940e392a97062616d2bda38155471b7d360cfb94681c702f60ed2d4de614ea72bf1c53160e63179f6c5b897b59492bee219108309f0b7b8cb2b136c346a5e98b8b4b8415fb1d713bae067911e3057f1c335b4b7e39101eafd5d28f0189037e4334f4fdb9038427b1d119a6702aa8233319cc97d496cc289ae8c956ddc84042659a2d43d6aa22f12b81ab884e ++Output = 1f037dd717b07d3e7f7359 ++ ++Availablein = default ++# negative test with otherwise valid padding but a zero byte at the eigth ++# byte of padding ++Decrypt = RSA-2048-2 ++Input = a7a340675a82c30e22219a55bc07cdf36d47d01834c1834f917f18b517419ce9de2a96460e745024436470ed85e94297b283537d52189c406a3f533cb405cc6a9dba46b482ce98b6e3dd52d8fce2237425617e38c11fbc46b61897ef200d01e4f25f5f6c4c5b38cd0de38ba11908b86595a8036a08a42a3d05b79600a97ac18ba368a08d6cf6ccb624f6e8002afc75599fba4de3d4f3ba7d208391ebe8d21f8282b18e2c10869eb2702e68f9176b42b0ddc9d763f0c86ba0ff92c957aaeab76d9ab8da52ea297ec11d92d770146faa1b300e0f91ef969b53e7d2907ffc984e9a9c9d11fb7d6cba91972059b46506b035efec6575c46d7114a6b935864858445f ++Output = 63cb0bf65fc8255dd29e17 ++ ++Availablein = default ++# negative test with an otherwise valid plaintext but with missing separator ++# byte ++Decrypt = RSA-2048-2 ++Input = 3d1b97e7aa34eaf1f4fc171ceb11dcfffd9a46a5b6961205b10b302818c1fcc9f4ec78bf18ea0cee7e9fa5b16fb4c611463b368b3312ac11cf9c06b7cf72b54e284848a508d3f02328c62c2999d0fb60929f81783c7a256891bc2ff4d91df2af96a24fc5701a1823af939ce6dbdc510608e3d41eec172ad2d51b9fc61b4217c923cadcf5bac321355ef8be5e5f090cdc2bd0c697d9058247db3ad613fdce87d2955a6d1c948a5160f93da21f731d74137f5d1f53a1923adb513d2e6e1589d44cc079f4c6ddd471d38ac82d20d8b1d21f8d65f3b6907086809f4123e08d86fb38729585de026a485d8f0e703fd4772f6668febf67df947b82195fa3867e3a3065 ++Output = 6f09a0b62699337c497b0b ++ ++# Test vectors for the Bleichenbacher workaround (2049 bit key size) ++ ++PrivateKey = RSA-2049 ++-----BEGIN RSA PRIVATE KEY----- ++MIIEpQIBAAKCAQEBVfiJVWoXdfHHp3hqULGLwoyemG7eVmfKs5uEEk6Q66dcHbCD ++rD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjIXeD+dX9uSbue1EfmAkMIANuwTOsi ++5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePfYkZQCUYx8h6v0vtbyRX/BDeazRES ++9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+UFVTQRwRnUFw89UHqCJffyfQAzssp ++j/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/krw6A+qFdsQX8kAHteT3UBEFtUTen6 ++3N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQlwIDAQABAoIBAQEZwrP1CnrWFSZ5 ++1/9RCVisLYym8AKFkvMy1VoWc2F4qOZ/F+cFzjAOPodUclEAYBP5dNCj20nvNEyl ++omo0wEUHBNDkIuDOI6aUJcFf77bybhBu7/ZMyLnXRC5NpOjIUAjq6zZYWaIpT6OT ++e8Jr5WMy59geLBYO9jXMUoqnvlXmM6cj28Hha6KeUrKa7y+eVlT9wGZrsPwlSsvo ++DmOHTw9fAgeC48nc/CUg0MnEp7Y05FA/u0k+Gq/us/iL16EzmHJdrm/jmed1zV1M ++8J/IODR8TJjasaSIPM5iBRNhWvqhCmM2jm17ed9BZqsWJznvUVpEAu4eBgHFpVvH ++HfDjDt+BAoGBAYj2k2DwHhjZot4pUlPSUsMeRHbOpf97+EE99/3jVlI83JdoBfhP ++wN3sdw3wbO0GXIETSHVLNGrxaXVod/07PVaGgsh4fQsxTvasZ9ZegTM5i2Kgg8D4 ++dlxa1A1agfm73OJSftfpUAjLECnLTKvR+em+38KGyWVSJV2n6rGSF473AoGBAN7H ++zxHa3oOkxD0vgBl/If1dRv1XtDH0T+gaHeN/agkf/ARk7ZcdyFCINa3mzF9Wbzll ++YTqLNnmMkubiP1LvkH6VZ+NBvrxTNxiWJfu+qx87ez+S/7JoHm71p4SowtePfC2J ++qqok0s7b0GaBz+ZcNse/o8W6E1FiIi71wukUyYNhAoGAEgk/OnPK7dkPYKME5FQC +++HGrMsjJVbCa9GOjvkNw8tVYSpq7q2n9sDHqRPmEBl0EYehAqyGIhmAONxVUbIsL ++ha0m04y0MI9S0H+ZRH2R8IfzndNAONsuk46XrQU6cfvtZ3Xh3IcY5U5sr35lRn2c ++ut3H52XIWJ4smN/cJcpOyoECgYEAjM5hNHnPlgj392wkXPkbtJXWHp3mSISQVLTd ++G0MW8/mBQg3AlXi/eRb+RpHPrppk5jQLhgMjRSPyXXe2amb8PuWTqfGN6l32PtX3 ++3+udILpppb71Wf+w7JTbcl9v9uq7o9SVR8DKdPA+AeweSQ0TmqCnlHuNZizOSjwP ++G16GF0ECgYEA+ZWbNMS8qM5IiHgbMbHptdit9dDT4+1UXoNn0/hUW6ZEMriHMDXv ++iBwrzeANGAn5LEDYeDe1xPms9Is2uNxTpZVhpFZSNALR6Po68wDlTJG2PmzuBv5t ++5mbzkpWCoD4fRU53ifsHgaTW+7Um74gWIf0erNIUZuTN2YrtEPTnb3k= ++-----END RSA PRIVATE KEY----- ++ ++# corresponding public key ++PublicKey = RSA-2049-PUBLIC ++-----BEGIN PUBLIC KEY----- ++MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEBVfiJVWoXdfHHp3hqULGL ++woyemG7eVmfKs5uEEk6Q66dcHbCDrD5EO7qU3CNWD3XjqBaToqQ73HQm2MTq/mjI ++XeD+dX9uSbue1EfmAkMIANuwTOsi5/pXoY0zj7ZgJs20Z+cMwEDn02fvQDx78ePf ++YkZQCUYx8h6v0vtbyRX/BDeazRES9zLAtGYHwXjTiiD1LtpQny+cBAXVEGnoDM+U ++FVTQRwRnUFw89UHqCJffyfQAzsspj/x1M3LZ9pM68XTMQO2W1GcDFzO5f4zd0/kr ++w6A+qFdsQX8kAHteT3UBEFtUTen63N/635jftLsFuBmfP4Ws/ZH3qaCUuaOD9QSQ ++lwIDAQAB ++-----END PUBLIC KEY----- ++ ++PrivPubKeyPair = RSA-2049:RSA-2049-PUBLIC ++ ++# RSA decrypt ++ ++Availablein = default ++# malformed that generates length specified by 3rd last value from PRF ++Decrypt = RSA-2049 ++Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894 ++Output = 42 ++ ++# simple positive test case ++Availablein = default ++Decrypt = RSA-2049 ++Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967 ++Output = "lorem ipsum" ++ ++# positive test case with null padded ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 ++Output = "lorem ipsum" ++ ++# positive test case with null truncated ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = 02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 ++Output = "lorem ipsum" ++ ++# positive test case with double null padded ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 ++Output = "lorem ipsum" ++ ++# positive test case with double null truncated ciphertext ++Availablein = default ++Decrypt = RSA-2049 ++Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 ++Output = "lorem ipsum" ++ ++Availablein = default ++# a random negative test case that generates an 11 byte long message ++Decrypt = RSA-2049 ++Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca ++Output = 1189b6f5498fd6df532b00 ++ ++Availablein = default ++# otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) ++Decrypt = RSA-2049 ++Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff ++Output = f6d0f5b78082fe61c04674 ++ ++Availablein = default ++# otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) ++Decrypt = RSA-2049 ++Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3 ++Output = 1ab287fcef3ff17067914d ++ ++# RSA decrypt with 3072 bit keys ++PrivateKey = RSA-3072 ++-----BEGIN RSA PRIVATE KEY----- ++MIIG5AIBAAKCAYEAr9ccqtXp9bjGw2cHCkfxnX5mrt4YpbJ0H7PE0zQ0VgaSotkJ ++72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjdvwDdu+OG0zuNDiKxtEk23EiYcbhS ++N7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni5QyIPH16wQ7Wp02ayQ35EpkFoX1K ++CHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3VxUosvFxargW1uygcnveqYBZMpcw64 ++wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx7S/IPlcZnP5ZCLEAh+J/vZfSwkIU ++YZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+vEN0V6VI3gMfVrlgJStUlqQY7TDP5 ++XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/gaEJANFIIOuAGvTxpZbEuc6aUx/P ++ilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDkooCElYcob01/JWzoXl61Z5sdrMH5 ++CVZJty5foHKusAN5AgMBAAECggGAJRfqyzr+9L/65gOY35lXpdKhVKgzaNjhWEKy ++9Z7gn3kZe9LvHprdr4eG9rQSdEdAXjBCsh8vULeqc3cWgMO7y2wiWl1f9rVsRxwY ++gqCjOwrxZaPtbCSdx3g+a8dYrDfmVy0z/jJQeO2VJlDy65YEkC75mlEaERnRPE/J ++pDoXXc37+xoUAP4XCTtpzTzbiV9lQy6iGV+QURxzNrWKaF2s/y2vTF6S5WWxZlrm ++DlErqplluAjV/xGc63zWksv5IAZ6+s2An2a+cG2iaBCseQ2xVslI5v5YG8mEkVf0 ++2kk/OmSwxuEZ4DGxB/hDbOKRYLRYuPnxCV/esZJjOE/1OHVXvE8QtANN6EFwO60s ++HnacI4U+tjCjbRBh3UbipruvdDqX8LMsNvUMGjci3vOjlNkcLgeL8J15Xs3l5WuC ++Avl0Am91/FbpoN1qiPLny3jvEpjMbGUgfKRb03GIgHtPzbHmDdjluFZI+376i2/d ++RI85dBqNmAn+Fjrz3kW6wkpahByBAoHBAOSj2DDXPosxxoLidP/J/RKsMT0t0FE9 ++UFcNt+tHYv6hk+e7VAuUqUpd3XQqz3P13rnK4xvSOsVguyeU/WgmH4ID9XGSgpBP ++Rh6s7izn4KAJeqfI26vTPxvyaZEqB4JxT6k7SerENus95zSn1v/f2MLBQ16EP8cJ +++QSOVCoZfEhUK+srherQ9eZKpj0OwBUrP4VhLdymv96r8xddWX1AVj4OBi2RywKI ++gAgv6fjwkb292jFu6x6FjKRNKwKK6c3jqQKBwQDE4c0Oz0KYYV4feJun3iL9UJSv ++StGsKVDuljA4WiBAmigMZTii/u0DFEjibiLWcJOnH53HTr0avA6c6D1nCwJ2qxyF ++rHNN2L+cdMx/7L1zLR11+InvRgpIGbpeGwHeIzJVUYG3b6llRJMZimBvAMr9ipM1 ++bkVvIjt1G9W1ypeuKzm6d/t8F0yC7AIYZWDV4nvxiiY8whLZzGawHR2iZz8pfUwb ++7URbTvxdsGE27Kq9gstU0PzEJpnU1goCJ7/gA1ECgcBA8w5B6ZM5xV0H5z6nPwDm ++IgYmw/HucgV1hU8exfuoK8wxQvTACW4B0yJKkrK11T1899aGG7VYRn9D4j4OLO48 ++Z9V8esseJXbc1fEezovvymGOci984xiFXtqAQzk44+lmQJJh33VeZApe2eLocvVH ++ddEmc1kOuJWFpszf3LeCcG69cnKrXsrLrZ8Frz//g3aa9B0sFi5hGeWHWJxISVN2 ++c1Nr9IN/57i/GqVTcztjdCAcdM7Tr8phDg7OvRlnxGkCgcEAuYhMFBuulyiSaTff ++/3ZvJKYOJ45rPkEFGoD/2ercn+RlvyCYGcoAEjnIYVEGlWwrSH+b0NlbjVkQsD6O ++to8CeE/RpgqX8hFCqC7NE/RFp8cpDyXy3j/zqnRMUyhCP1KNuScBBZs9V8gikxv6 ++ukBWCk3PYbeTySHKRBbB8vmCrMfhM96jaBIQsQO1CcZnVceDo1/bnsAIwaREVMxr ++Q8LmG7QOx/Z0x1MMsUFoqzilwccC09/JgxMZPh+h+Nv6jiCxAoHBAOEqQgFAfSdR ++ya60LLH55q803NRFMamuKiPbVJLzwiKfbjOiiopmQOS/LxxqIzeMXlYV4OsSvxTo ++G7mcTOFRtU5hKCK+t8qeQQpa/dsMpiHllwArnRyBjIVgL5lFKRpHUGLsavU/T1IH ++mtgaxZo32dXvcAh1+ndCHVBwbHTOF4conA+g+Usp4bZSSWn5nU4oIizvSVpG7SGe ++0GngdxH9Usdqbvzcip1EKeHRTZrHIEYmB+x0LaRIB3dwZNidK3TkKw== ++-----END RSA PRIVATE KEY----- ++ ++PublicKey = RSA-3072-PUBLIC ++-----BEGIN PUBLIC KEY----- ++MIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAr9ccqtXp9bjGw2cHCkfx ++nX5mrt4YpbJ0H7PE0zQ0VgaSotkJ72iI7GAv9rk68ljudDA8MBr81O2+xDMR3cjd ++vwDdu+OG0zuNDiKxtEk23EiYcbhSN7NM50etj9sMTk0dqnqt8HOFxchzLMt9Wkni ++5QyIPH16wQ7Wp02ayQ35EpkFoX1KCHIQ/Hi20EseuWlILBGm7recUOWxbz8lT3Vx ++UosvFxargW1uygcnveqYBZMpcw64wzznHWHdSsOTtiVuB6wdEk8CANHD4FpMG8fx ++7S/IPlcZnP5ZCLEAh+J/vZfSwkIUYZxxR8j778o5vCVnYqaCNTH34jTWjq56DZ+v ++EN0V6VI3gMfVrlgJStUlqQY7TDP5XhAG2i6xLTdDaJSVwfICPkBzU8XrPkyhxIz/ ++gaEJANFIIOuAGvTxpZbEuc6aUx/PilTZ/9ckJYtu7CAQjfb9/XbUrgO6fqWY3LDk ++ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKusAN5AgMBAAE= ++-----END PUBLIC KEY----- ++ ++PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC ++ ++Availablein = default ++# a random invalid ciphertext that generates an empty synthethic one ++Decrypt = RSA-3072 ++Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59 ++Output = ++ ++Availablein = default ++# a random invalid that has PRF output with a length one byte too long ++# in the last value ++Decrypt = RSA-3072 ++Input = 7db0390d75fcf9d4c59cf27b264190d856da9abd11e92334d0e5f71005cfed865a711dfa28b791188374b61916dbc11339bf14b06f5f3f68c206c5607380e13da3129bfb744157e1527dd6fdf6651248b028a496ae1b97702d44706043cdaa7a59c0f41367303f21f268968bf3bd2904db3ae5239b55f8b438d93d7db9d1666c071c0857e2ec37757463769c54e51f052b2a71b04c2869e9e7049a1037b8429206c99726f07289bac18363e7eb2a5b417f47c37a55090cda676517b3549c873f2fe95da9681752ec9864b069089a2ed2f340c8b04ee00079055a817a3355b46ac7dc00d17f4504ccfbcfcadb0c04cb6b22069e179385ae1eafabad5521bac2b8a8ee1dfff59a22eb3fdacfc87175d10d7894cfd869d056057dd9944b869c1784fcc27f731bc46171d39570fbffbadf082d33f6352ecf44aca8d9478e53f5a5b7c852b401e8f5f74da49da91e65bdc97765a9523b7a0885a6f8afe5759d58009fbfa837472a968e6ae92026a5e0202a395483095302d6c3985b5f5831c521a271 ++Output = 56a3bea054e01338be9b7d7957539c ++ ++Availablein = default ++# a random invalid that generates a synthethic of maximum size ++Decrypt = RSA-3072 ++Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6 ++Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04 ++ ++# a positive test case that decrypts to 9 byte long value ++Availablein = default ++Decrypt = RSA-3072 ++Input = 6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde ++Output = "forty two" ++ ++# a positive test case with null padded ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 ++Output = "forty two" ++ ++# a positive test case with null truncated ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 ++Output = "forty two" ++ ++# a positive test case with double null padded ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 ++Output = "forty two" ++ ++# a positive test case with double null truncated ciphertext ++Availablein = default ++Decrypt = RSA-3072 ++Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 ++Output = "forty two" ++ ++Availablein = default ++# a random negative test case that generates a 9 byte long message ++Decrypt = RSA-3072 ++Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56 ++Output = 257906ca6de8307728 ++ ++Availablein = default ++# a random negative test case that generates a 9 byte long message based on ++# second to last value from PRF ++Decrypt = RSA-3072 ++Input = 758c215aa6acd61248062b88284bf43c13cb3b3d02410be4238607442f1c0216706e21a03a2c10eb624a63322d854da195c017b76fea83e274fa371834dcd2f3b7accf433fc212ad76c0bac366e1ed32e25b279f94129be7c64d6e162adc08ccebc0cfe8e926f01c33ab9c065f0e0ac83ae5137a4cb66702615ad68a35707d8676d2740d7c1a954680c83980e19778ed11eed3a7c2dbdfc461a9bbef671c1bc00c882d361d29d5f80c42bdf5efec886c34138f83369c6933b2ac4e93e764265351b4a0083f040e14f511f09b22f96566138864e4e6ff24da4810095da98e0585410951538ced2f757a277ff8e17172f06572c9024eeae503f176fd46eb6c5cd9ba07af11cde31dccac12eb3a4249a7bfd3b19797ad1656984bfcbf6f74e8f99d8f1ac420811f3d166d87f935ef15ae858cf9e72c8e2b547bf16c3fb09a8c9bf88fd2e5d38bf24ed610896131a84df76b9f920fe76d71fff938e9199f3b8cd0c11fd0201f9139d7673a871a9e7d4adc3bbe360c8813617cd60a90128fbe34c9d5 ++Output = 043383c929060374ed ++ ++Availablein = default ++# a random negative test that generates message based on 3rd last value from ++# PRF ++Decrypt = RSA-3072 ++Input = 7b22d5e62d287968c6622171a1f75db4b0fd15cdf3134a1895d235d56f8d8fe619f2bf4868174a91d7601a82975d2255190d28b869141d7c395f0b8c4e2be2b2c1b4ffc12ce749a6f6803d4cfe7fba0a8d6949c04151f981c0d84592aa2ff25d1bd3ce5d10cb03daca6b496c6ad40d30bfa8acdfd02cdb9326c4bdd93b949c9dc46caa8f0e5f429785bce64136a429a3695ee674b647452bea1b0c6de9c5f1e8760d5ef6d5a9cfff40457b023d3c233c1dcb323e7808103e73963b2eafc928c9eeb0ee3294955415c1ddd9a1bb7e138fecd79a3cb89c57bd2305524624814aaf0fd1acbf379f7f5b39421f12f115ba488d380586095bb53f174fae424fa4c8e3b299709cd344b9f949b1ab57f1c645d7ed3c8f81d5594197355029fee8960970ff59710dc0e5eb50ea6f4c3938e3f89ed7933023a2c2ddffaba07be147f686828bd7d520f300507ed6e71bdaee05570b27bc92741108ac2eb433f028e138dd6d63067bc206ea2d826a7f41c0d613daed020f0f30f4e272e9618e0a8c39018a83 ++Output = 70263fa6050534b9e0 ++ ++Availablein = default ++# an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) ++Decrypt = RSA-3072 ++Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62 ++Output = 6d8d3a094ff3afff4c ++ ++Availablein = default ++# an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) ++Decrypt = RSA-3072 ++Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936 ++Output = c6ae80ffa80bc184b0 ++ ++Availablein = default ++# an otherwise valid plaintext, but with zero byte in first byte of padding ++Decrypt = RSA-3072 ++Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0 ++Output = a8a9301daa01bb25c7 ++ ++Availablein = default ++# an otherwise valid plaintext, but with zero byte in eight byte of padding ++Decrypt = RSA-3072 ++Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571 ++Output = 6c716fe01d44398018 ++ ++Availablein = default ++# an otherwise valid plaintext, but with null separator missing ++Decrypt = RSA-3072 ++Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4 ++Output = aa2de6cde4e2442884 ++ + # RSA PSS key tests + + # PSS only key, no parameter restrictions diff --git a/openssl-CVE-2023-5678.patch b/openssl-CVE-2023-5678.patch new file mode 100644 index 0000000..f4cd8eb --- /dev/null +++ b/openssl-CVE-2023-5678.patch @@ -0,0 +1,172 @@ +From ddeb4b6c6d527e54ce9a99cba785c0f7776e54b6 Mon Sep 17 00:00:00 2001 +From: Richard Levitte +Date: Fri, 20 Oct 2023 09:18:19 +0200 +Subject: [PATCH] Make DH_check_pub_key() and DH_generate_key() safer yet + +We already check for an excessively large P in DH_generate_key(), but not in +DH_check_pub_key(), and none of them check for an excessively large Q. + +This change adds all the missing excessive size checks of P and Q. + +It's to be noted that behaviours surrounding excessively sized P and Q +differ. DH_check() raises an error on the excessively sized P, but only +sets a flag for the excessively sized Q. This behaviour is mimicked in +DH_check_pub_key(). + +Reviewed-by: Tomas Mraz +Reviewed-by: Matt Caswell +Reviewed-by: Hugo Landau +(Merged from https://github.com/openssl/openssl/pull/22518) +--- + crypto/dh/dh_check.c | 12 ++++++++++++ + crypto/dh/dh_err.c | 3 ++- + crypto/dh/dh_key.c | 12 ++++++++++++ + crypto/err/openssl.txt | 1 + + include/crypto/dherr.h | 2 +- + include/openssl/dh.h | 6 +++--- + include/openssl/dherr.h | 3 ++- + 7 files changed, 33 insertions(+), 6 deletions(-) + +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index 7ba2beae7fd6b..e20eb62081c5e 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -249,6 +249,18 @@ int DH_check_pub_key_ex(const DH *dh, const BIGNUM *pub_key) + */ + int DH_check_pub_key(const DH *dh, const BIGNUM *pub_key, int *ret) + { ++ /* Don't do any checks at all with an excessively large modulus */ ++ if (BN_num_bits(dh->params.p) > OPENSSL_DH_CHECK_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); ++ *ret = DH_MODULUS_TOO_LARGE | DH_CHECK_PUBKEY_INVALID; ++ return 0; ++ } ++ ++ if (dh->params.q != NULL && BN_ucmp(dh->params.p, dh->params.q) < 0) { ++ *ret |= DH_CHECK_INVALID_Q_VALUE | DH_CHECK_PUBKEY_INVALID; ++ return 1; ++ } ++ + return ossl_ffc_validate_public_key(&dh->params, pub_key, ret); + } + +diff --git a/crypto/dh/dh_err.c b/crypto/dh/dh_err.c +index 4152397426cc9..f76ac0dd1463f 100644 +--- a/crypto/dh/dh_err.c ++++ b/crypto/dh/dh_err.c +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -54,6 +54,7 @@ static const ERR_STRING_DATA DH_str_reasons[] = { + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PARAMETER_ENCODING_ERROR), + "parameter encoding error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_PEER_KEY_ERROR), "peer key error"}, ++ {ERR_PACK(ERR_LIB_DH, 0, DH_R_Q_TOO_LARGE), "q too large"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_SHARED_INFO_ERROR), "shared info error"}, + {ERR_PACK(ERR_LIB_DH, 0, DH_R_UNABLE_TO_CHECK_GENERATOR), + "unable to check generator"}, +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index d84ea99241b9e..afc49f5cdc87d 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -49,6 +49,12 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) + goto err; + } + ++ if (dh->params.q != NULL ++ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); ++ goto err; ++ } ++ + if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); + return 0; +@@ -267,6 +273,12 @@ static int generate_key(DH *dh) + return 0; + } + ++ if (dh->params.q != NULL ++ && BN_num_bits(dh->params.q) > OPENSSL_DH_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DH, DH_R_Q_TOO_LARGE); ++ return 0; ++ } ++ + if (BN_num_bits(dh->params.p) < DH_MIN_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_SMALL); + return 0; +diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt +index a1e6bbb617fcb..69e4f61aa1801 100644 +--- a/crypto/err/openssl.txt ++++ b/crypto/err/openssl.txt +@@ -513,6 +513,7 @@ DH_R_NO_PARAMETERS_SET:107:no parameters set + DH_R_NO_PRIVATE_VALUE:100:no private value + DH_R_PARAMETER_ENCODING_ERROR:105:parameter encoding error + DH_R_PEER_KEY_ERROR:111:peer key error ++DH_R_Q_TOO_LARGE:130:q too large + DH_R_SHARED_INFO_ERROR:113:shared info error + DH_R_UNABLE_TO_CHECK_GENERATOR:121:unable to check generator + DSA_R_BAD_FFC_PARAMETERS:114:bad ffc parameters +diff --git a/include/crypto/dherr.h b/include/crypto/dherr.h +index bb24d131eb887..519327f795742 100644 +--- a/include/crypto/dherr.h ++++ b/include/crypto/dherr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 2020-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +diff --git a/include/openssl/dh.h b/include/openssl/dh.h +index 8bc17448a0817..f1c0ed06b375a 100644 +--- a/include/openssl/dh.h ++++ b/include/openssl/dh.h +@@ -144,7 +144,7 @@ DECLARE_ASN1_ITEM(DHparams) + # define DH_GENERATOR_3 3 + # define DH_GENERATOR_5 5 + +-/* DH_check error codes */ ++/* DH_check error codes, some of them shared with DH_check_pub_key */ + /* + * NB: These values must align with the equivalently named macros in + * internal/ffc.h. +@@ -154,10 +154,10 @@ DECLARE_ASN1_ITEM(DHparams) + # define DH_UNABLE_TO_CHECK_GENERATOR 0x04 + # define DH_NOT_SUITABLE_GENERATOR 0x08 + # define DH_CHECK_Q_NOT_PRIME 0x10 +-# define DH_CHECK_INVALID_Q_VALUE 0x20 ++# define DH_CHECK_INVALID_Q_VALUE 0x20 /* +DH_check_pub_key */ + # define DH_CHECK_INVALID_J_VALUE 0x40 + # define DH_MODULUS_TOO_SMALL 0x80 +-# define DH_MODULUS_TOO_LARGE 0x100 ++# define DH_MODULUS_TOO_LARGE 0x100 /* +DH_check_pub_key */ + + /* DH_check_pub_key error codes */ + # define DH_CHECK_PUBKEY_TOO_SMALL 0x01 +diff --git a/include/openssl/dherr.h b/include/openssl/dherr.h +index 5d2a762a96f8c..074a70145f9f5 100644 +--- a/include/openssl/dherr.h ++++ b/include/openssl/dherr.h +@@ -1,6 +1,6 @@ + /* + * Generated by util/mkerr.pl DO NOT EDIT +- * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved. + * + * Licensed under the Apache License 2.0 (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy +@@ -50,6 +50,7 @@ + # define DH_R_NO_PRIVATE_VALUE 100 + # define DH_R_PARAMETER_ENCODING_ERROR 105 + # define DH_R_PEER_KEY_ERROR 111 ++# define DH_R_Q_TOO_LARGE 130 + # define DH_R_SHARED_INFO_ERROR 113 + # define DH_R_UNABLE_TO_CHECK_GENERATOR 121 + diff --git a/openssl-CVE-2023-6129.patch b/openssl-CVE-2023-6129.patch new file mode 100644 index 0000000..84cdec0 --- /dev/null +++ b/openssl-CVE-2023-6129.patch @@ -0,0 +1,109 @@ +From 050d26383d4e264966fb83428e72d5d48f402d35 Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Thu, 4 Jan 2024 10:25:50 +0100 +Subject: [PATCH] poly1305-ppc.pl: Fix vector register clobbering + +Fixes CVE-2023-6129 + +The POLY1305 MAC (message authentication code) implementation in OpenSSL for +PowerPC CPUs saves the the contents of vector registers in different order +than they are restored. Thus the contents of some of these vector registers +is corrupted when returning to the caller. The vulnerable code is used only +on newer PowerPC processors supporting the PowerISA 2.07 instructions. + +Reviewed-by: Matt Caswell +Reviewed-by: Richard Levitte +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/23200) + +(cherry picked from commit 8d847a3ffd4f0b17ee33962cf69c36224925b34f) +--- + crypto/poly1305/asm/poly1305-ppc.pl | 42 ++++++++++++++--------------- + 1 file changed, 21 insertions(+), 21 deletions(-) + +diff --git a/crypto/poly1305/asm/poly1305-ppc.pl b/crypto/poly1305/asm/poly1305-ppc.pl +index 9f86134d923fb..2e601bb9c24be 100755 +--- a/crypto/poly1305/asm/poly1305-ppc.pl ++++ b/crypto/poly1305/asm/poly1305-ppc.pl +@@ -744,7 +744,7 @@ + my $LOCALS= 6*$SIZE_T; + my $VSXFRAME = $LOCALS + 6*$SIZE_T; + $VSXFRAME += 128; # local variables +- $VSXFRAME += 13*16; # v20-v31 offload ++ $VSXFRAME += 12*16; # v20-v31 offload + + my $BIG_ENDIAN = ($flavour !~ /le/) ? 4 : 0; + +@@ -919,12 +919,12 @@ + addi r11,r11,32 + stvx v22,r10,$sp + addi r10,r10,32 +- stvx v23,r10,$sp +- addi r10,r10,32 +- stvx v24,r11,$sp ++ stvx v23,r11,$sp + addi r11,r11,32 +- stvx v25,r10,$sp ++ stvx v24,r10,$sp + addi r10,r10,32 ++ stvx v25,r11,$sp ++ addi r11,r11,32 + stvx v26,r10,$sp + addi r10,r10,32 + stvx v27,r11,$sp +@@ -1153,12 +1153,12 @@ + addi r11,r11,32 + stvx v22,r10,$sp + addi r10,r10,32 +- stvx v23,r10,$sp +- addi r10,r10,32 +- stvx v24,r11,$sp ++ stvx v23,r11,$sp + addi r11,r11,32 +- stvx v25,r10,$sp ++ stvx v24,r10,$sp + addi r10,r10,32 ++ stvx v25,r11,$sp ++ addi r11,r11,32 + stvx v26,r10,$sp + addi r10,r10,32 + stvx v27,r11,$sp +@@ -1899,26 +1899,26 @@ + mtspr 256,r12 # restore vrsave + lvx v20,r10,$sp + addi r10,r10,32 +- lvx v21,r10,$sp +- addi r10,r10,32 +- lvx v22,r11,$sp ++ lvx v21,r11,$sp + addi r11,r11,32 +- lvx v23,r10,$sp ++ lvx v22,r10,$sp + addi r10,r10,32 +- lvx v24,r11,$sp ++ lvx v23,r11,$sp + addi r11,r11,32 +- lvx v25,r10,$sp ++ lvx v24,r10,$sp + addi r10,r10,32 +- lvx v26,r11,$sp ++ lvx v25,r11,$sp + addi r11,r11,32 +- lvx v27,r10,$sp ++ lvx v26,r10,$sp + addi r10,r10,32 +- lvx v28,r11,$sp ++ lvx v27,r11,$sp + addi r11,r11,32 +- lvx v29,r10,$sp ++ lvx v28,r10,$sp + addi r10,r10,32 +- lvx v30,r11,$sp +- lvx v31,r10,$sp ++ lvx v29,r11,$sp ++ addi r11,r11,32 ++ lvx v30,r10,$sp ++ lvx v31,r11,$sp + $POP r27,`$VSXFRAME-$SIZE_T*5`($sp) + $POP r28,`$VSXFRAME-$SIZE_T*4`($sp) + $POP r29,`$VSXFRAME-$SIZE_T*3`($sp) diff --git a/openssl-CVE-2023-6237.patch b/openssl-CVE-2023-6237.patch new file mode 100644 index 0000000..17459be --- /dev/null +++ b/openssl-CVE-2023-6237.patch @@ -0,0 +1,122 @@ +From 18c02492138d1eb8b6548cb26e7b625fb2414a2a Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Fri, 22 Dec 2023 16:25:56 +0100 +Subject: [PATCH] Limit the execution time of RSA public key check + +Fixes CVE-2023-6237 + +If a large and incorrect RSA public key is checked with +EVP_PKEY_public_check() the computation could take very long time +due to no limit being applied to the RSA public key size and +unnecessarily high number of Miller-Rabin algorithm rounds +used for non-primality check of the modulus. + +Now the keys larger than 16384 bits (OPENSSL_RSA_MAX_MODULUS_BITS) +will fail the check with RSA_R_MODULUS_TOO_LARGE error reason. +Also the number of Miller-Rabin rounds was set to 5. + +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +(Merged from https://github.com/openssl/openssl/pull/23243) + +(cherry picked from commit e09fc1d746a4fd15bb5c3d7bbbab950aadd005db) +--- + crypto/rsa/rsa_sp800_56b_check.c | 8 +++- + test/recipes/91-test_pkey_check.t | 2 +- + .../91-test_pkey_check_data/rsapub_17k.pem | 48 +++++++++++++++++++ + 3 files changed, 56 insertions(+), 2 deletions(-) + create mode 100644 test/recipes/91-test_pkey_check_data/rsapub_17k.pem + +diff --git a/crypto/rsa/rsa_sp800_56b_check.c b/crypto/rsa/rsa_sp800_56b_check.c +index fc8f19b48770b..bcbdd24fb8199 100644 +--- a/crypto/rsa/rsa_sp800_56b_check.c ++++ b/crypto/rsa/rsa_sp800_56b_check.c +@@ -289,6 +289,11 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) + return 0; + + nbits = BN_num_bits(rsa->n); ++ if (nbits > OPENSSL_RSA_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_MODULUS_TOO_LARGE); ++ return 0; ++ } ++ + #ifdef FIPS_MODULE + /* + * (Step a): modulus must be 2048 or 3072 (caveat from SP800-56Br1) +@@ -324,7 +329,8 @@ int ossl_rsa_sp800_56b_check_public(const RSA *rsa) + goto err; + } + +- ret = ossl_bn_miller_rabin_is_prime(rsa->n, 0, ctx, NULL, 1, &status); ++ /* Highest number of MR rounds from FIPS 186-5 Section B.3 Table B.1 */ ++ ret = ossl_bn_miller_rabin_is_prime(rsa->n, 5, ctx, NULL, 1, &status); + #ifdef FIPS_MODULE + if (ret != 1 || status != BN_PRIMETEST_COMPOSITE_NOT_POWER_OF_PRIME) { + #else +diff --git a/test/recipes/91-test_pkey_check.t b/test/recipes/91-test_pkey_check.t +index dc7cc64533af2..f8088df14d36c 100644 +--- a/test/recipes/91-test_pkey_check.t ++++ b/test/recipes/91-test_pkey_check.t +@@ -70,7 +70,7 @@ push(@positive_tests, ( + "dhpkey.pem" + )) unless disabled("dh"); + +-my @negative_pubtests = (); ++my @negative_pubtests = ("rsapub_17k.pem"); # Too big RSA public key + + push(@negative_pubtests, ( + "dsapub_noparam.der" +diff --git a/test/recipes/91-test_pkey_check_data/rsapub_17k.pem b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem +new file mode 100644 +index 0000000000000..9a2eaedaf1b22 +--- /dev/null ++++ b/test/recipes/91-test_pkey_check_data/rsapub_17k.pem +@@ -0,0 +1,48 @@ ++-----BEGIN PUBLIC KEY----- ++MIIIbzANBgkqhkiG9w0BAQEFAAOCCFwAMIIIVwKCCE4Ang+cE5H+hg3RbapDAHqR ++B9lUnp2MlAwsZxQ/FhYepaR60bFQeumbu7817Eo5YLMObVI99hF1C4u/qcpD4Jph ++gZt87/JAYDbP+DIh/5gUXCL9m5Fp4u7mvZaZdnlcftBvR1uKUTCAwc9pZ/Cfr8W2 ++GzrRODzsNYnk2DcZMfe2vRDuDZRopE+Y+I72rom2SZLxoN547N1daM/M/CL9KVQ/ ++XMI/YOpJrBI0jI3brMRhLkvLckwies9joufydlGbJkeil9H7/grj3fQZtFkZ2Pkj ++b87XDzRVX7wsEpAgPJxskL3jApokCp1kQYKG+Uc3dKM9Ade6IAPK7VKcmbAQTYw2 ++gZxsc28dtstazmfGz0ACCTSMrmbgWAM3oPL7RRzhrXDWgmYQ0jHefGh8SNTIgtPq ++TuHxPYkDMQNaf0LmDGCxqlnf4b5ld3YaU8zZ/RqIRx5v/+w0rJUvU53qY1bYSnL1 ++vbqKSnN2mip0GYyQ4AUgkS1NBV4rGYU/VTvzEjLfkg02KOtHKandvEoUjmZPzCT0 ++V2ZhGc8K1UJNGYlIiHqCdwCBoghvly/pYajTkDXyd6BsukzA5H3IkZB1xDgl035j ++/0Cr7QeZLEOdi9fPdSSaBT6OmD0WFuZfJF0wMr7ucRhWzPXvSensD9v7MBE7tNfH ++SLeTSx8tLt8UeWriiM+0CnkPR1IOqMOxubOyf1eV8NQqEWm5wEQG/0IskbOKnaHa ++PqLFJZn/bvyL3XK5OxVIJG3z6bnRDOMS9SzkjqgPdIO8tkySEHVSi/6iuGUltx3Y ++Fmq6ye/r34ekyHPbfn6UuTON7joM6SIXb5bHM64x4iMVWx4hMvDjfy0UqfywAUyu ++C1o7BExSMxxFG8GJcqR0K8akpPp7EM588PC+YuItoxzXgfUJnP3BQ1Beev2Ve7/J ++xeGZH0N4ntfr+cuaLAakAER9zDglwChWflw3NNFgIdAgSxXv3XXx5xDXpdP4lxUo ++F5zAN4Mero3yV90FaJl7Vhq/UFVidbwFc15jUDwaE0mKRcsBeVd3GOhoECAgE0id ++aIPT20z8oVY0FyTJlRk7QSjo8WjJSrHY/Fn14gctX07ZdfkufyL6w+NijBdYluvB ++nIrgHEvpkDEWoIa8qcx0EppoIcmqgMV2mTShfFYSybsO33Pm8WXec2FXjwhzs1Pi ++R/BuIW8rHPI67xqWm0h8dEw11vtfi9a/BBBikFHe59KBjMTG+lW/gADNvRoTzGh7 ++kN4+UVDS3jlSisRZZOn1XoeQtpubNYWgUsecjKy45IwIj8h1SHgn3wkmUesY0woN ++mOdoNtq+NezN4RFtbCOHhxFVpKKDi/HQP2ro0ykkXMDjwEIVf2Lii1Mg9UP8m+Ux ++AOqkTrIkdogkRx+70h7/wUOfDIFUq2JbKzqxJYamyEphcdAko7/B8efQKc61Z93O ++f2SHa4++4WI7wIIx18v5KV4M/cRmrfc8w9WRkQN3gBT5AJMuqwcSHVXBWvNQeGmi ++ScMh7X6cCZ0daEujqb8svq4WgsJ8UT4GaGBRIYtt7QUKEh+JQwNJzneRYZ3pzpaH ++UJeeoYobMlkp3rM9cYzdq90nBQiI9Jsbim9m9ggb2dMOS5CsI9S/IuG2O5uTjfxx ++wkwsd5nLDFtNXHYZ7W6XlVJ1Rc6zShnEmdCn3mmibb6OaMUmun2yl9ryEjVSoXLP ++fSA8W9K9yNhKTRkzdXJfqlC+s/ovX2xBGxsuOoUDaXhRVz0qmpKIHeSFjIP4iXq4 ++y8gDiwvM3HbZfvVonbg6siPwpn4uvw3hesojk1DKAENS52i6U3uK2fs1ALVxsFNS ++Yh914rDu0Q3e4RXVhURaYzoEbLCot6WGYeCCfQOK0rkETMv+sTYYscC8/THuW7SL ++HG5zy9Ed95N1Xmf8J+My7gM7ZFodGdHsWvdzEmqsdOFh6IVx/VfHFX0MDBq0t6lZ ++eRvVgVCfu3gkYLwPScn/04E02vOom51ISKHsF/I11erC66jjNYV9BSpH8O7sAHxZ ++EmPT2ZVVRSgivOHdQW/FZ3UZQQhVaVSympo2Eb4yWEMFn84Q8T+9Honj6gnB5PXz ++chmeCsOMlcg1mwWwhn0k+OAWEZy7VRUk5Ahp0fBAGJgwBdqrZ3kM356DjUkVBiYq ++4eHyvafNKmjf2mnFsI3g2NKRNyl1Lh63wyCFx60yYvBUfXF/W9PFJbD9CiP83kEW ++gV36gxTsbOSfhpO1OXR90ODy0kx06XzWmJCUugK8u9bx4F/CjV+LIHExuNJiethC ++A8sIup/MT0fWp4RO/SsVblGqfoqJTaPnhptQzeH2N07pbWkxeMuL6ppPuwFmfVjK ++FJndqCVrAukcPEOQ16iVURuloJMudqYRc9QKkJFsnv0W/iMNbqQGmXe8Q/5qFiys ++26NIQBiE2ad9hNLnoccEnmYSRgnW3ZPSKuq5TDdYyDqTZH2r8cam65pr3beKw2XC ++xw4cc7VaxiwGC2Mg2wRmwwPaTjrcEt6sMa3RjwFEVBxBFyM26wnTEZsTBquCxV0J ++pgERaeplkixP2Q0m7XAdlDaob973SM2vOoUgypzDchWmpx7u775bnOfU5CihwXl+ ++k0i09WZuT8bPmhEAiGCw5sNzMkz1BC2cCZFfJIkE2vc/wXYOrGxBTJo0EKaUFswa ++2dnP/u0bn+VksBUM7ywW9LJSXh4mN+tpzdeJtxEObKwX1I0dQxSPWmjd2++wMr9q ++Unre5fCrDToy2H7C2VKSpuOCT2/Kv4JDQRWwI4KxQOpn0UknAGNmfBoTtpIZ3LEb ++77oBUJdMQD7tQBBLL0a6f1TdK0dHVprWWawJ+gGFMiMQXqAqblHcxFKWuHv9bQID ++AQAB ++-----END PUBLIC KEY----- diff --git a/openssl-CVE-2024-0727.patch b/openssl-CVE-2024-0727.patch new file mode 100644 index 0000000..6e1eb5b --- /dev/null +++ b/openssl-CVE-2024-0727.patch @@ -0,0 +1,120 @@ +From 09df4395b5071217b76dc7d3d2e630eb8c5a79c2 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 19 Jan 2024 11:28:58 +0000 +Subject: [PATCH] Add NULL checks where ContentInfo data can be NULL + +PKCS12 structures contain PKCS7 ContentInfo fields. These fields are +optional and can be NULL even if the "type" is a valid value. OpenSSL +was not properly accounting for this and a NULL dereference can occur +causing a crash. + +CVE-2024-0727 + +Reviewed-by: Tomas Mraz +Reviewed-by: Hugo Landau +Reviewed-by: Neil Horman +(Merged from https://github.com/openssl/openssl/pull/23362) + +(cherry picked from commit d135eeab8a5dbf72b3da5240bab9ddb7678dbd2c) +--- + crypto/pkcs12/p12_add.c | 18 ++++++++++++++++++ + crypto/pkcs12/p12_mutl.c | 5 +++++ + crypto/pkcs12/p12_npas.c | 5 +++-- + crypto/pkcs7/pk7_mime.c | 7 +++++-- + 4 files changed, 31 insertions(+), 4 deletions(-) + +diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c +index 6fd4184af5a52..80ce31b3bca66 100644 +--- a/crypto/pkcs12/p12_add.c ++++ b/crypto/pkcs12/p12_add.c +@@ -78,6 +78,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7data(PKCS7 *p7) + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p7->d.data == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return ASN1_item_unpack(p7->d.data, ASN1_ITEM_rptr(PKCS12_SAFEBAGS)); + } + +@@ -150,6 +156,12 @@ STACK_OF(PKCS12_SAFEBAG) *PKCS12_unpack_p7encdata(PKCS7 *p7, const char *pass, + { + if (!PKCS7_type_is_encrypted(p7)) + return NULL; ++ ++ if (p7->d.encrypted == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + return PKCS12_item_decrypt_d2i_ex(p7->d.encrypted->enc_data->algorithm, + ASN1_ITEM_rptr(PKCS12_SAFEBAGS), + pass, passlen, +@@ -188,6 +200,12 @@ STACK_OF(PKCS7) *PKCS12_unpack_authsafes(const PKCS12 *p12) + ERR_raise(ERR_LIB_PKCS12, PKCS12_R_CONTENT_TYPE_NOT_DATA); + return NULL; + } ++ ++ if (p12->authsafes->d.data == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return NULL; ++ } ++ + p7s = ASN1_item_unpack(p12->authsafes->d.data, + ASN1_ITEM_rptr(PKCS12_AUTHSAFES)); + if (p7s != NULL) { +diff --git a/crypto/pkcs12/p12_mutl.c b/crypto/pkcs12/p12_mutl.c +index 67a885a45f89e..68ff54d0e90ee 100644 +--- a/crypto/pkcs12/p12_mutl.c ++++ b/crypto/pkcs12/p12_mutl.c +@@ -98,6 +98,11 @@ static int pkcs12_gen_mac(PKCS12 *p12, const char *pass, int passlen, + return 0; + } + ++ if (p12->authsafes->d.data == NULL) { ++ ERR_raise(ERR_LIB_PKCS12, PKCS12_R_DECODE_ERROR); ++ return 0; ++ } ++ + salt = p12->mac->salt->data; + saltlen = p12->mac->salt->length; + if (p12->mac->iter == NULL) +diff --git a/crypto/pkcs12/p12_npas.c b/crypto/pkcs12/p12_npas.c +index 62230bc6187ff..1e5b5495991a4 100644 +--- a/crypto/pkcs12/p12_npas.c ++++ b/crypto/pkcs12/p12_npas.c +@@ -77,8 +77,9 @@ static int newpass_p12(PKCS12 *p12, const char *oldpass, const char *newpass) + bags = PKCS12_unpack_p7data(p7); + } else if (bagnid == NID_pkcs7_encrypted) { + bags = PKCS12_unpack_p7encdata(p7, oldpass, -1); +- if (!alg_get(p7->d.encrypted->enc_data->algorithm, +- &pbe_nid, &pbe_iter, &pbe_saltlen)) ++ if (p7->d.encrypted == NULL ++ || !alg_get(p7->d.encrypted->enc_data->algorithm, ++ &pbe_nid, &pbe_iter, &pbe_saltlen)) + goto err; + } else { + continue; +diff --git a/crypto/pkcs7/pk7_mime.c b/crypto/pkcs7/pk7_mime.c +index 49a0da5f819c4..8228315eeaa3a 100644 +--- a/crypto/pkcs7/pk7_mime.c ++++ b/crypto/pkcs7/pk7_mime.c +@@ -33,10 +33,13 @@ int SMIME_write_PKCS7(BIO *bio, PKCS7 *p7, BIO *data, int flags) + int ctype_nid = OBJ_obj2nid(p7->type); + const PKCS7_CTX *ctx = ossl_pkcs7_get0_ctx(p7); + +- if (ctype_nid == NID_pkcs7_signed) ++ if (ctype_nid == NID_pkcs7_signed) { ++ if (p7->d.sign == NULL) ++ return 0; + mdalgs = p7->d.sign->md_algs; +- else ++ } else { + mdalgs = NULL; ++ } + + flags ^= SMIME_OLDMIME; + diff --git a/openssl-CVE-2024-2511.patch b/openssl-CVE-2024-2511.patch new file mode 100644 index 0000000..0ffdd7f --- /dev/null +++ b/openssl-CVE-2024-2511.patch @@ -0,0 +1,116 @@ +From 7e4d731b1c07201ad9374c1cd9ac5263bdf35bce Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Tue, 5 Mar 2024 15:43:53 +0000 +Subject: [PATCH] Fix unconstrained session cache growth in TLSv1.3 + +In TLSv1.3 we create a new session object for each ticket that we send. +We do this by duplicating the original session. If SSL_OP_NO_TICKET is in +use then the new session will be added to the session cache. However, if +early data is not in use (and therefore anti-replay protection is being +used), then multiple threads could be resuming from the same session +simultaneously. If this happens and a problem occurs on one of the threads, +then the original session object could be marked as not_resumable. When we +duplicate the session object this not_resumable status gets copied into the +new session object. The new session object is then added to the session +cache even though it is not_resumable. + +Subsequently, another bug means that the session_id_length is set to 0 for +sessions that are marked as not_resumable - even though that session is +still in the cache. Once this happens the session can never be removed from +the cache. When that object gets to be the session cache tail object the +cache never shrinks again and grows indefinitely. + +CVE-2024-2511 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24044) +--- + ssl/ssl_lib.c | 5 +++-- + ssl/ssl_sess.c | 28 ++++++++++++++++++++++------ + ssl/statem/statem_srvr.c | 5 ++--- + 3 files changed, 27 insertions(+), 11 deletions(-) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index b5cc4af2f0302..e747b7f90aa71 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -3737,9 +3737,10 @@ void ssl_update_cache(SSL *s, int mode) + + /* + * If the session_id_length is 0, we are not supposed to cache it, and it +- * would be rather hard to do anyway :-) ++ * would be rather hard to do anyway :-). Also if the session has already ++ * been marked as not_resumable we should not cache it for later reuse. + */ +- if (s->session->session_id_length == 0) ++ if (s->session->session_id_length == 0 || s->session->not_resumable) + return; + + /* +diff --git a/ssl/ssl_sess.c b/ssl/ssl_sess.c +index bf84e792251b8..241cf43c46296 100644 +--- a/ssl/ssl_sess.c ++++ b/ssl/ssl_sess.c +@@ -154,16 +154,11 @@ SSL_SESSION *SSL_SESSION_new(void) + return ss; + } + +-SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) +-{ +- return ssl_session_dup(src, 1); +-} +- + /* + * Create a new SSL_SESSION and duplicate the contents of |src| into it. If + * ticket == 0 then no ticket information is duplicated, otherwise it is. + */ +-SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) ++static SSL_SESSION *ssl_session_dup_intern(const SSL_SESSION *src, int ticket) + { + SSL_SESSION *dest; + +@@ -287,6 +282,27 @@ SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) + return NULL; + } + ++SSL_SESSION *SSL_SESSION_dup(const SSL_SESSION *src) ++{ ++ return ssl_session_dup_intern(src, 1); ++} ++ ++/* ++ * Used internally when duplicating a session which might be already shared. ++ * We will have resumed the original session. Subsequently we might have marked ++ * it as non-resumable (e.g. in another thread) - but this copy should be ok to ++ * resume from. ++ */ ++SSL_SESSION *ssl_session_dup(const SSL_SESSION *src, int ticket) ++{ ++ SSL_SESSION *sess = ssl_session_dup_intern(src, ticket); ++ ++ if (sess != NULL) ++ sess->not_resumable = 0; ++ ++ return sess; ++} ++ + const unsigned char *SSL_SESSION_get_id(const SSL_SESSION *s, unsigned int *len) + { + if (len) +diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c +index 5d59d53563ed8..8e493176f658e 100644 +--- a/ssl/statem/statem_srvr.c ++++ b/ssl/statem/statem_srvr.c +@@ -2338,9 +2338,8 @@ int tls_construct_server_hello(SSL *s, WPACKET *pkt) + * so the following won't overwrite an ID that we're supposed + * to send back. + */ +- if (s->session->not_resumable || +- (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) +- && !s->hit)) ++ if (!(s->ctx->session_cache_mode & SSL_SESS_CACHE_SERVER) ++ && !s->hit) + s->session->session_id_length = 0; + + if (usetls13) { diff --git a/openssl-CVE-2024-41996.patch b/openssl-CVE-2024-41996.patch new file mode 100644 index 0000000..81fc3e0 --- /dev/null +++ b/openssl-CVE-2024-41996.patch @@ -0,0 +1,41 @@ +From e70e34d857d4003199bcb5d3b52ca8102ccc1b98 Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Mon, 5 Aug 2024 17:54:14 +0200 +Subject: [PATCH] dh_kmgmt.c: Avoid expensive public key validation for known + safe-prime groups +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The partial validation is fully sufficient to check the key validity. + +Thanks to Szilárd Pfeiffer for reporting the issue. + +Reviewed-by: Neil Horman +Reviewed-by: Matt Caswell +Reviewed-by: Paul Dale +(Merged from https://github.com/openssl/openssl/pull/25088) +--- + providers/implementations/keymgmt/dh_kmgmt.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c +index 82c3093b122c2..ebdce767102ee 100644 +--- a/providers/implementations/keymgmt/dh_kmgmt.c ++++ b/providers/implementations/keymgmt/dh_kmgmt.c +@@ -388,9 +388,11 @@ static int dh_validate_public(const DH *dh, int checktype) + if (pub_key == NULL) + return 0; + +- /* The partial test is only valid for named group's with q = (p - 1) / 2 */ +- if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK +- && ossl_dh_is_named_safe_prime_group(dh)) ++ /* ++ * The partial test is only valid for named group's with q = (p - 1) / 2 ++ * but for that case it is also fully sufficient to check the key validity. ++ */ ++ if (ossl_dh_is_named_safe_prime_group(dh)) + return ossl_dh_check_pub_key_partial(dh, pub_key, &res); + + return DH_check_pub_key_ex(dh, pub_key); + diff --git a/openssl-CVE-2024-4603.patch b/openssl-CVE-2024-4603.patch new file mode 100644 index 0000000..23fa5d3 --- /dev/null +++ b/openssl-CVE-2024-4603.patch @@ -0,0 +1,199 @@ +From 9c39b3858091c152f52513c066ff2c5a47969f0d Mon Sep 17 00:00:00 2001 +From: Tomas Mraz +Date: Wed, 8 May 2024 15:23:45 +0200 +Subject: [PATCH] Check DSA parameters for excessive sizes before validating + +This avoids overly long computation of various validation +checks. + +Fixes CVE-2024-4603 + +Reviewed-by: Paul Dale +Reviewed-by: Matt Caswell +Reviewed-by: Neil Horman +Reviewed-by: Shane Lontis +(Merged from https://github.com/openssl/openssl/pull/24346) + +(cherry picked from commit 85ccbab216da245cf9a6503dd327072f21950d9b) +--- + CHANGES.md | 17 ++++++ + crypto/dsa/dsa_check.c | 44 ++++++++++++-- + .../invalid/p10240_q256_too_big.pem | 57 +++++++++++++++++++ + 3 files changed, 114 insertions(+), 4 deletions(-) + create mode 100644 test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem + +Index: openssl-3.1.4/crypto/dsa/dsa_check.c +=================================================================== +--- openssl-3.1.4.orig/crypto/dsa/dsa_check.c ++++ openssl-3.1.4/crypto/dsa/dsa_check.c +@@ -19,8 +19,34 @@ + #include "dsa_local.h" + #include "crypto/dsa.h" + ++static int dsa_precheck_params(const DSA *dsa, int *ret) ++{ ++ if (dsa->params.p == NULL || dsa->params.q == NULL) { ++ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_FFC_PARAMETERS); ++ *ret = FFC_CHECK_INVALID_PQ; ++ return 0; ++ } ++ ++ if (BN_num_bits(dsa->params.p) > OPENSSL_DSA_MAX_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_DSA, DSA_R_MODULUS_TOO_LARGE); ++ *ret = FFC_CHECK_INVALID_PQ; ++ return 0; ++ } ++ ++ if (BN_num_bits(dsa->params.q) >= BN_num_bits(dsa->params.p)) { ++ ERR_raise(ERR_LIB_DSA, DSA_R_BAD_Q_VALUE); ++ *ret = FFC_CHECK_INVALID_PQ; ++ return 0; ++ } ++ ++ return 1; ++} ++ + int ossl_dsa_check_params(const DSA *dsa, int checktype, int *ret) + { ++ if (!dsa_precheck_params(dsa, ret)) ++ return 0; ++ + if (checktype == OSSL_KEYMGMT_VALIDATE_QUICK_CHECK) + return ossl_ffc_params_simple_validate(dsa->libctx, &dsa->params, + FFC_PARAM_TYPE_DSA, ret); +@@ -39,6 +65,9 @@ int ossl_dsa_check_params(const DSA *dsa + */ + int ossl_dsa_check_pub_key(const DSA *dsa, const BIGNUM *pub_key, int *ret) + { ++ if (!dsa_precheck_params(dsa, ret)) ++ return 0; ++ + return ossl_ffc_validate_public_key(&dsa->params, pub_key, ret) + && *ret == 0; + } +@@ -50,6 +79,9 @@ int ossl_dsa_check_pub_key(const DSA *ds + */ + int ossl_dsa_check_pub_key_partial(const DSA *dsa, const BIGNUM *pub_key, int *ret) + { ++ if (!dsa_precheck_params(dsa, ret)) ++ return 0; ++ + return ossl_ffc_validate_public_key_partial(&dsa->params, pub_key, ret) + && *ret == 0; + } +@@ -58,8 +90,10 @@ int ossl_dsa_check_priv_key(const DSA *d + { + *ret = 0; + +- return (dsa->params.q != NULL +- && ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret)); ++ if (!dsa_precheck_params(dsa, ret)) ++ return 0; ++ ++ return ossl_ffc_validate_private_key(dsa->params.q, priv_key, ret); + } + + /* +@@ -72,8 +106,10 @@ int ossl_dsa_check_pairwise(const DSA *d + BN_CTX *ctx = NULL; + BIGNUM *pub_key = NULL; + +- if (dsa->params.p == NULL +- || dsa->params.g == NULL ++ if (!dsa_precheck_params(dsa, &ret)) ++ return 0; ++ ++ if (dsa->params.g == NULL + || dsa->priv_key == NULL + || dsa->pub_key == NULL) + return 0; +Index: openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem +=================================================================== +--- /dev/null ++++ openssl-3.1.4/test/recipes/15-test_dsaparam_data/invalid/p10240_q256_too_big.pem +@@ -0,0 +1,57 @@ ++-----BEGIN DSA PARAMETERS----- ++MIIKLAKCBQEAym47LzPFZdbz16WvjczLKuzLtsP8yRk/exxL4bBthJhP1qOwctja ++p1586SF7gDxCMn7yWVEYdfRbFefGoq0gj1XOE917XqlbnkmZhMgxut2KbNJo/xil ++XNFUjGvKs3F413U9rAodC8f07cWHP1iTcWL+vPe6u2yilKWYYfnLWHQH+Z6aPrrF ++x/R08LI6DZ6nEsIo+hxaQnEtx+iqNTJC6Q1RIjWDqxQkFVTkJ0Y7miRDXmRdneWk ++oLrMZRpaXr5l5tSjEghh1pBgJcdyOv0lh4dlDy/alAiqE2Qlb667yHl6A9dDPlpW ++dAntpffy4LwOxfbuEhISvKjjQoBwIvYE4TBPqL0Q6bC6HgQ4+tqd9b44pQjdIQjb ++Xcjc6azheITSnPEex3OdKtKoQeRq01qCeLBpMXu1c+CTf4ApKArZvT3vZSg0hM1O ++pR71bRZrEEegDj0LH2HCgI5W6H3blOS9A0kUTddCoQXr2lsVdiPtRbPKH1gcd9FQ ++P8cGrvbakpTiC0dCczOMDaCteM1QNILlkM7ZoV6VghsKvDnFPxFsiIr5GgjasXP5 ++hhbn3g7sDoq1LiTEo+IKQY28pBWx7etSOSRuXW/spnvCkivZla7lSEGljoy9QlQ2 ++UZmsEQI9G3YyzgpxHvKZBK1CiZVTywdYKTZ4TYCxvqzhYhjv2bqbpjI12HRFLojB ++koyEmMSp53lldCzp158PrIanqSp2rksMR8SmmCL3FwfAp2OjqFMEglG9DT8x0WaN ++TLSkjGC6t2csMte7WyU1ekNoFDKfMjDSAz0+xIx21DEmZtYqFOg1DNPK1xYLS0pl ++RSMRRkJVN2mk/G7/1oxlB8Wb9wgi3GKUqqCYT11SnBjzq0NdoJ3E4GMedp5Lx3AZ ++4mFuRPUd4iV86tE0XDSHSFE7Y3ZkrOjD7Q/26/L53L/UH5z4HW6CHP5os7QERJjg ++c1S3x87wXWo9QXbB9b2xmf+c+aWwAAr1cviw38tru58jF3/IGyduj9H8claKQqBG ++cIOUF4aNe1hK2K3ArAOApUxr4KE+tCvrltRfiTmVFip0g9Jt1CPY3Zu7Bd4Z2ZkE ++DtSztpwa49HrWF5E9xpquvBL2U8jQ68E7Xd8Wp4orI/TIChriamBmdkgRz3H2LvN ++Ozb6+hsnEGrz3sp2RVAToSqA9ysa6nHZdfufPNtMEbQdO/k1ehmGRb0ljBRsO6b2 ++rsG2eYuC8tg8eCrIkua0TGRI7g6a4K32AJdzaX6NsISaaIW+OYJuoDSscvD3oOg8 ++PPEhU+zM7xJskTA+jxvPlikKx8V7MNHOCQECldJlUBwzJvqp40JvwfnDsF+8VYwd ++UaiieR3pzMzyTjpReXRmZbnRPusRcsVzxb2OhB79wmuy4UPjjQBX+7eD0rs8xxvW ++5a5q1Cjq4AvbwmmcA/wDrHDOjcbD/zodad2O1QtBWa/R4xyWea4zKsflgACE1zY9 ++wW2br7+YQFekcrXkkkEzgxd6zxv8KVEDpXRZjmAM1cI5LvkoN64To4GedN8Qe/G7 ++R9SZh9gnS17PTP64hK+aYqhFafMdu87q/+qLfxaSux727qE5hiW01u4nnWhACf9s ++xuOozowKqxZxkolMIyZv6Lddwy1Zv5qjCyd0DvM/1skpXWkb9kfabYC+OhjsjVhs ++0Ktfs6a5B3eixiw5x94hhIcTEcS4hmvhGUL72FiTca6ZeSERTKmNBy8CIQC9/ZUN ++uU/V5JTcnYyUGHzm7+XcZBjyGBagBj9rCmW3SQKCBQAJ/k9rb39f1cO+/3XDEMjy ++9bIEXSuS48g5RAc1UGd5nrrBQwuDxGWFyz0yvAY7LgyidZuJS21+MAp9EY7AOMmx ++TDttifNaBJYt4GZ8of166PcqTKkHQwq5uBpxeSDv/ZE8YbYfaCtLTcUC8KlO+l36 ++gjJHSkdkflSsGy1yObSNDQDfVAAwQs//TjDMnuEtvlNXZllsTvFFBceXVETn10K2 ++ZMmdSIJNfLnjReUKEN6PfeGqv7F4xoyGwUybEfRE4u5RmXrqCODaIjY3SNMrOq8B ++R3Ata/cCozsM1jIdIW2z+OybDJH+BYsYm2nkSZQjZS6javTYClLrntEKG/hAQwL8 ++F16YLOQXpHhgiAaWnTZzANtLppB2+5qCVy5ElzKongOwT8JTjTFXOaRnqe/ngm9W ++SSbrxfDaoWUOyK9XD8Cydzpv3n4Y8nWNGayi7/yAFCU36Ri040ufgv/TZLuKacnl +++3ga3ZUpRlSigzx0kb1+KjTSWeQ8vE/psdWjvBukVEbzdUauMLyRLo/6znSVvvPX ++UGhviThE5uhrsUg+wEPFINriSHfF7JDKVhDcJnLBdaXvfN52pkF/naLBF5Rt3Gvq ++fjCxjx0Sy9Lag1hDN4dor7dzuO7wmwOS01DJW1PtNLuuH0Bbqh1kYSaQkmyXBZWX ++qo8K3nkoDM0niOtJJubOhTNrGmSaZpNXkK3Mcy9rBbdvEs5O0Jmqaax/eOdU0Yot ++B3lX+3ddOseT2ZEFjzObqTtkWuFBeBxuYNcRTsu3qMdIBsEb8URQdsTtjoIja2fK ++hreVgjK36GW70KXEl8V/vq5qjQulmqkBEjmilcDuiREKqQuyeagUOnhQaBplqVco ++4xznh5DMBMRbpGb5lHxKv4cPNi+uNAJ5i98zWUM1JRt6aXnRCuWcll1z8fRZ+5kD ++vK9FaZU3VRMK/eknEG49cGr8OuJ6ZRSaC+tKwV1y+amkSZpKPWnk2bUnQI3ApJv3 ++k1e1EToeECpMUkLMDgNbpKBoz4nqMEvAAlYgw9xKNbLlQlahqTVEAmaJHh4yDMDy ++i7IZ9Wrn47IGoR7s3cvhDHUpRPeW4nsmgzj+tf5EAxemI61STZJTTWo0iaPGJxct ++9nhOOhw1I38Mvm4vkAbFH7YJ0B6QrjjYL2MbOTp5JiIh4vdOeWwNo9/y4ffyaN5+ ++ADpxuuIAmcbdr6GPOhkOFFixRJa0B2eP1i032HESlLs8RB9oYtdTXdXQotnIgJGd ++Y8tSKOa1zjzeLHn3AVpRZTUW++/BxmApV3GKIeG8fsUjg/df0QRrBcdC/1uccdaG ++KKlAOwlywVn5jUlwHkTmDiTM9w5AqVVGHZ2b+4ZgQW8jnPKN0SrKf6U555D+zp7E ++x4uXoE8ojN9y8m8UKf0cTLnujH2XgZorjPfuMOt5VZEhQFMS2QaljSeni5CJJ8gk ++XtztNqfBlAtWR4V5iAHeQOfIB2YaOy8GESda89tyKraKeaez41VblpTVHTeq9IIF ++YB4cQA2PfuNaGVRGLMAgT3Dvl+mxxxeJyxnGAiUcETU/jJJt9QombiuszBlYGQ5d ++ELOSm/eQSRARV9zNSt5jaQlMSjMBqenIEM09BzYqa7jDwqoztFxNdO8bcuQPuKwa ++4z3bBZ1yYm63WFdNbQqqGEwc0OYmqg1raJ0zltgHyjFyw8IGu4g/wETs+nVQcH7D ++vKuje86bePD6kD/LH3wmkA== ++-----END DSA PARAMETERS----- +Index: openssl-3.1.4/CHANGES.md +=================================================================== +--- openssl-3.1.4.orig/CHANGES.md ++++ openssl-3.1.4/CHANGES.md +@@ -22,6 +22,23 @@ OpenSSL Releases + OpenSSL 3.1 + ----------- + ++ * Fixed an issue where checking excessively long DSA keys or parameters may ++ be very slow. ++ ++ Applications that use the functions EVP_PKEY_param_check() or ++ EVP_PKEY_public_check() to check a DSA public key or DSA parameters may ++ experience long delays. Where the key or parameters that are being checked ++ have been obtained from an untrusted source this may lead to a Denial of ++ Service. ++ ++ To resolve this issue DSA keys larger than OPENSSL_DSA_MAX_MODULUS_BITS ++ will now fail the check immediately with a DSA_R_MODULUS_TOO_LARGE error ++ reason. ++ ++ ([CVE-2024-4603]) ++ ++ *Tomáš Mráz* ++ + ### Changes between 3.1.3 and 3.1.4 [24 Oct 2023] + + * Fix incorrect key and IV resizing issues when calling EVP_EncryptInit_ex2(), diff --git a/openssl-CVE-2024-4741.patch b/openssl-CVE-2024-4741.patch new file mode 100644 index 0000000..2e87ae8 --- /dev/null +++ b/openssl-CVE-2024-4741.patch @@ -0,0 +1,28 @@ +@@ -, +, @@ +--- + ssl/record/methods/tls_common.c | 8 ++++++++ + 1 file changed, 8 insertions(+) +--- openssl-3.0.8/ssl/record/ssl3_buffer.c ++++ openssl-3.0.8/ssl/record/ssl3_buffer.c +@@ -186,5 +186,7 @@ int ssl3_release_read_buffer(SSL *s) + OPENSSL_cleanse(b->buf, b->len); + OPENSSL_free(b->buf); + b->buf = NULL; ++ s->rlayer.packet = NULL; ++ s->rlayer.packet_length = 0; + return 1; + } +--- openssl-3.0.8/ssl/record/rec_layer_s3.c ++++ openssl-3.0.8/ssl/record/rec_layer_s3.c +@@ -238,6 +238,11 @@ int ssl3_read_n(SSL *s, size_t n, size_t + s->rlayer.packet_length = 0; + /* ... now we can act as if 'extend' was set */ + } ++ if (!ossl_assert(s->rlayer.packet != NULL)) { ++ /* does not happen */ ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ return -1; ++ } + + len = s->rlayer.packet_length; + pkt = rb->buf + align; diff --git a/openssl-CVE-2024-5535.patch b/openssl-CVE-2024-5535.patch new file mode 100644 index 0000000..b8ee00a --- /dev/null +++ b/openssl-CVE-2024-5535.patch @@ -0,0 +1,326 @@ +From 4ada436a1946cbb24db5ab4ca082b69c1bc10f37 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 11:14:33 +0100 +Subject: [PATCH] Fix SSL_select_next_proto + +Ensure that the provided client list is non-NULL and starts with a valid +entry. When called from the ALPN callback the client list should already +have been validated by OpenSSL so this should not cause a problem. When +called from the NPN callback the client list is locally configured and +will not have already been validated. Therefore SSL_select_next_proto +should not assume that it is correctly formatted. + +We implement stricter checking of the client protocol list. We also do the +same for the server list while we are about it. + +CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24718) +--- + ssl/ssl_lib.c | 63 ++++++++++++++++++++++++++++++++------------------- + 1 file changed, 40 insertions(+), 23 deletions(-) + +diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c +index 5493d9b9c7..f218dcf1db 100644 +--- a/ssl/ssl_lib.c ++++ b/ssl/ssl_lib.c +@@ -2953,37 +2953,54 @@ int SSL_select_next_proto(unsigned char **out, unsigned char *outlen, + unsigned int server_len, + const unsigned char *client, unsigned int client_len) + { +- unsigned int i, j; +- const unsigned char *result; +- int status = OPENSSL_NPN_UNSUPPORTED; ++ PACKET cpkt, csubpkt, spkt, ssubpkt; ++ ++ if (!PACKET_buf_init(&cpkt, client, client_len) ++ || !PACKET_get_length_prefixed_1(&cpkt, &csubpkt) ++ || PACKET_remaining(&csubpkt) == 0) { ++ *out = NULL; ++ *outlen = 0; ++ return OPENSSL_NPN_NO_OVERLAP; ++ } ++ ++ /* ++ * Set the default opportunistic protocol. Will be overwritten if we find ++ * a match. ++ */ ++ *out = (unsigned char *)PACKET_data(&csubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&csubpkt); + + /* + * For each protocol in server preference order, see if we support it. + */ +- for (i = 0; i < server_len;) { +- for (j = 0; j < client_len;) { +- if (server[i] == client[j] && +- memcmp(&server[i + 1], &client[j + 1], server[i]) == 0) { +- /* We found a match */ +- result = &server[i]; +- status = OPENSSL_NPN_NEGOTIATED; +- goto found; ++ if (PACKET_buf_init(&spkt, server, server_len)) { ++ while (PACKET_get_length_prefixed_1(&spkt, &ssubpkt)) { ++ if (PACKET_remaining(&ssubpkt) == 0) ++ continue; /* Invalid - ignore it */ ++ if (PACKET_buf_init(&cpkt, client, client_len)) { ++ while (PACKET_get_length_prefixed_1(&cpkt, &csubpkt)) { ++ if (PACKET_equal(&csubpkt, PACKET_data(&ssubpkt), ++ PACKET_remaining(&ssubpkt))) { ++ /* We found a match */ ++ *out = (unsigned char *)PACKET_data(&ssubpkt); ++ *outlen = (unsigned char)PACKET_remaining(&ssubpkt); ++ return OPENSSL_NPN_NEGOTIATED; ++ } ++ } ++ /* Ignore spurious trailing bytes in the client list */ ++ } else { ++ /* This should never happen */ ++ return OPENSSL_NPN_NO_OVERLAP; + } +- j += client[j]; +- j++; + } +- i += server[i]; +- i++; ++ /* Ignore spurious trailing bytes in the server list */ + } + +- /* There's no overlap between our protocols and the server's list. */ +- result = client; +- status = OPENSSL_NPN_NO_OVERLAP; +- +- found: +- *out = (unsigned char *)result + 1; +- *outlen = result[0]; +- return status; ++ /* ++ * There's no overlap between our protocols and the server's list. We use ++ * the default opportunistic protocol selected earlier ++ */ ++ return OPENSSL_NPN_NO_OVERLAP; + } + + #ifndef OPENSSL_NO_NEXTPROTONEG +-- +2.45.2 + +From 4279c89a726025c758db3dafb263b17e52211304 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 11:18:27 +0100 +Subject: [PATCH] More correctly handle a selected_len of 0 when + processing NPN + +In the case where the NPN callback returns with SSL_TLEXT_ERR_OK, but +the selected_len is 0 we should fail. Previously this would fail with an +internal_error alert because calling OPENSSL_malloc(selected_len) will +return NULL when selected_len is 0. We make this error detection more +explicit and return a handshake failure alert. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24718) +--- + ssl/statem/extensions_clnt.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c +index 842be0722b..a07dc62e9a 100644 +--- a/ssl/statem/extensions_clnt.c ++++ b/ssl/statem/extensions_clnt.c +@@ -1536,7 +1536,8 @@ int tls_parse_stoc_npn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + PACKET_data(pkt), + PACKET_remaining(pkt), + s->ctx->ext.npn_select_cb_arg) != +- SSL_TLSEXT_ERR_OK) { ++ SSL_TLSEXT_ERR_OK ++ || selected_len == 0) { + SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, SSL_R_BAD_EXTENSION); + return 0; + } +-- +2.45.2 + +From 889ed19ba25abebd2690997acd6d4791cbe5c493 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 31 May 2024 11:46:38 +0100 +Subject: [PATCH] Clarify the SSL_select_next_proto() documentation + +We clarify the input preconditions and the expected behaviour in the event +of no overlap. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24718) +--- + doc/man3/SSL_CTX_set_alpn_select_cb.pod | 26 +++++++++++++++++-------- + 1 file changed, 18 insertions(+), 8 deletions(-) + +diff --git a/doc/man3/SSL_CTX_set_alpn_select_cb.pod b/doc/man3/SSL_CTX_set_alpn_select_cb.pod +index 102e657851..a29557dd91 100644 +--- a/doc/man3/SSL_CTX_set_alpn_select_cb.pod ++++ b/doc/man3/SSL_CTX_set_alpn_select_cb.pod +@@ -52,7 +52,8 @@ SSL_select_next_proto, SSL_get0_alpn_selected, SSL_get0_next_proto_negotiated + SSL_CTX_set_alpn_protos() and SSL_set_alpn_protos() are used by the client to + set the list of protocols available to be negotiated. The B must be in + protocol-list format, described below. The length of B is specified in +-B. ++B. Setting B to 0 clears any existing list of ALPN ++protocols and no ALPN extension will be sent to the server. + + SSL_CTX_set_alpn_select_cb() sets the application callback B used by a + server to select which protocol to use for the incoming connection. When B +@@ -73,9 +74,16 @@ B and B, B must be in the protocol-list format + described below. The first item in the B, B list that + matches an item in the B, B list is selected, and returned + in B, B. The B value will point into either B or +-B, so it should be copied immediately. If no match is found, the first +-item in B, B is returned in B, B. This +-function can also be used in the NPN callback. ++B, so it should be copied immediately. The client list must include at ++least one valid (nonempty) protocol entry in the list. ++ ++The SSL_select_next_proto() helper function can be useful from either the ALPN ++callback or the NPN callback (described below). If no match is found, the first ++item in B, B is returned in B, B and ++B is returned. This can be useful when implementating ++the NPN callback. In the ALPN case, the value returned in B and B ++must be ignored if B has been returned from ++SSL_select_next_proto(). + + SSL_CTX_set_next_proto_select_cb() sets a callback B that is called when a + client needs to select a protocol from the server's provided list, and a +@@ -85,9 +93,10 @@ must be set to point to the selected protocol (which may be within B). + The length of the protocol name must be written into B. The + server's advertised protocols are provided in B and B. The + callback can assume that B is syntactically valid. The client must +-select a protocol. It is fatal to the connection if this callback returns +-a value other than B. The B parameter is the pointer +-set via SSL_CTX_set_next_proto_select_cb(). ++select a protocol (although it may be an empty, zero length protocol). It is ++fatal to the connection if this callback returns a value other than ++B or if the zero length protocol is selected. The B ++parameter is the pointer set via SSL_CTX_set_next_proto_select_cb(). + + SSL_CTX_set_next_protos_advertised_cb() sets a callback B that is called + when a TLS server needs a list of supported protocols for Next Protocol +@@ -149,7 +158,8 @@ A match was found and is returned in B, B. + =item OPENSSL_NPN_NO_OVERLAP + + No match was found. The first item in B, B is returned in +-B, B. ++B, B (or B and 0 in the case where the first entry in ++B is invalid). + + =back + +-- +2.45.2 + +From 087501b4f572825e27ca8cc2c5874fcf6fd47cf7 Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 21 Jun 2024 10:41:55 +0100 +Subject: [PATCH] Correct return values for + tls_construct_stoc_next_proto_neg + +Return EXT_RETURN_NOT_SENT in the event that we don't send the extension, +rather than EXT_RETURN_SENT. This actually makes no difference at all to +the current control flow since this return value is ignored in this case +anyway. But lets make it correct anyway. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24718) +--- + ssl/statem/extensions_srvr.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c +index 4ea085e1a1..2da880450f 100644 +--- a/ssl/statem/extensions_srvr.c ++++ b/ssl/statem/extensions_srvr.c +@@ -1476,9 +1476,10 @@ EXT_RETURN tls_construct_stoc_next_proto_neg(SSL *s, WPACKET *pkt, + return EXT_RETURN_FAIL; + } + s->s3.npn_seen = 1; ++ return EXT_RETURN_SENT; + } + +- return EXT_RETURN_SENT; ++ return EXT_RETURN_NOT_SENT; + } + #endif + +-- +2.45.2 + +From 017e54183b95617825fb9316d618c154a34c634e Mon Sep 17 00:00:00 2001 +From: Matt Caswell +Date: Fri, 21 Jun 2024 11:51:54 +0100 +Subject: [PATCH] Add ALPN validation in the client + +The ALPN protocol selected by the server must be one that we originally +advertised. We should verify that it is. + +Follow on from CVE-2024-5535 + +Reviewed-by: Neil Horman +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24718) +--- + ssl/statem/extensions_clnt.c | 24 ++++++++++++++++++++++++ + 1 file changed, 24 insertions(+) + +diff --git a/ssl/statem/extensions_clnt.c b/ssl/statem/extensions_clnt.c +index a07dc62e9a..b21ccf9273 100644 +--- a/ssl/statem/extensions_clnt.c ++++ b/ssl/statem/extensions_clnt.c +@@ -1566,6 +1566,8 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + size_t chainidx) + { + size_t len; ++ PACKET confpkt, protpkt; ++ int valid = 0; + + /* We must have requested it. */ + if (!s->s3.alpn_sent) { +@@ -1584,6 +1586,28 @@ int tls_parse_stoc_alpn(SSL *s, PACKET *pkt, unsigned int context, X509 *x, + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); + return 0; + } ++ ++ /* It must be a protocol that we sent */ ++ if (!PACKET_buf_init(&confpkt, s->ext.alpn, s->ext.alpn_len)) { ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ return 0; ++ } ++ while (PACKET_get_length_prefixed_1(&confpkt, &protpkt)) { ++ if (PACKET_remaining(&protpkt) != len) ++ continue; ++ if (memcmp(PACKET_data(pkt), PACKET_data(&protpkt), len) == 0) { ++ /* Valid protocol found */ ++ valid = 1; ++ break; ++ } ++ } ++ ++ if (!valid) { ++ /* The protocol sent from the server does not match one we advertised */ ++ SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_R_BAD_EXTENSION); ++ return 0; ++ } ++ + OPENSSL_free(s->s3.alpn_selected); + s->s3.alpn_selected = OPENSSL_malloc(len); + if (s->s3.alpn_selected == NULL) { +-- +2.45.2 + diff --git a/openssl-CVE-2024-6119.patch b/openssl-CVE-2024-6119.patch new file mode 100644 index 0000000..f7aadcf --- /dev/null +++ b/openssl-CVE-2024-6119.patch @@ -0,0 +1,255 @@ +commit 97ebe37033e8884f4cca5544a74376633c665e11 +Author: Viktor Dukhovni +Date: Wed Jun 19 21:04:11 2024 +1000 + + Avoid type errors in EAI-related name check logic. + + The incorrectly typed data is read only, used in a compare operation, so + neither remote code execution, nor memory content disclosure were possible. + However, applications performing certificate name checks were vulnerable to + denial of service. + + The GENERAL_TYPE data type is a union, and we must take care to access the + correct member, based on `gen->type`, not all the member fields have the same + structure, and a segfault is possible if the wrong member field is read. + + The code in question was lightly refactored with the intent to make it more + obviously correct. + + CVE-2024-6119 + + (cherry picked from commit 1486960d6cdb052e4fc0109a56a0597b4e902ba1) + +diff --git a/crypto/x509/v3_utl.c b/crypto/x509/v3_utl.c +index 1a18174995..a09414c972 100644 +--- a/crypto/x509/v3_utl.c ++++ b/crypto/x509/v3_utl.c +@@ -916,36 +916,64 @@ static int do_x509_check(X509 *x, const char *chk, size_t chklen, + ASN1_STRING *cstr; + + gen = sk_GENERAL_NAME_value(gens, i); +- if ((gen->type == GEN_OTHERNAME) && (check_type == GEN_EMAIL)) { +- if (OBJ_obj2nid(gen->d.otherName->type_id) == +- NID_id_on_SmtpUTF8Mailbox) { +- san_present = 1; +- +- /* +- * If it is not a UTF8String then that is unexpected and we +- * treat it as no match +- */ +- if (gen->d.otherName->value->type == V_ASN1_UTF8STRING) { +- cstr = gen->d.otherName->value->value.utf8string; +- +- /* Positive on success, negative on error! */ +- if ((rv = do_check_string(cstr, 0, equal, flags, +- chk, chklen, peername)) != 0) +- break; +- } +- } else ++ switch (gen->type) { ++ default: ++ continue; ++ case GEN_OTHERNAME: ++ switch (OBJ_obj2nid(gen->d.otherName->type_id)) { ++ default: + continue; +- } else { +- if ((gen->type != check_type) && (gen->type != GEN_OTHERNAME)) ++ case NID_id_on_SmtpUTF8Mailbox: ++ /*- ++ * https://datatracker.ietf.org/doc/html/rfc8398#section-3 ++ * ++ * Due to name constraint compatibility reasons described ++ * in Section 6, SmtpUTF8Mailbox subjectAltName MUST NOT ++ * be used unless the local-part of the email address ++ * contains non-ASCII characters. When the local-part is ++ * ASCII, rfc822Name subjectAltName MUST be used instead ++ * of SmtpUTF8Mailbox. This is compatible with legacy ++ * software that supports only rfc822Name (and not ++ * SmtpUTF8Mailbox). [...] ++ * ++ * SmtpUTF8Mailbox is encoded as UTF8String. ++ * ++ * If it is not a UTF8String then that is unexpected, and ++ * we ignore the invalid SAN (neither set san_present nor ++ * consider it a candidate for equality). This does mean ++ * that the subject CN may be considered, as would be the ++ * case when the malformed SmtpUtf8Mailbox SAN is instead ++ * simply absent. ++ * ++ * When CN-ID matching is not desirable, applications can ++ * choose to turn it off, doing so is at this time a best ++ * practice. ++ */ ++ if (check_type != GEN_EMAIL ++ || gen->d.otherName->value->type != V_ASN1_UTF8STRING) ++ continue; ++ alt_type = 0; ++ cstr = gen->d.otherName->value->value.utf8string; ++ break; ++ } ++ break; ++ case GEN_EMAIL: ++ if (check_type != GEN_EMAIL) + continue; +- } +- san_present = 1; +- if (check_type == GEN_EMAIL) + cstr = gen->d.rfc822Name; +- else if (check_type == GEN_DNS) ++ break; ++ case GEN_DNS: ++ if (check_type != GEN_DNS) ++ continue; + cstr = gen->d.dNSName; +- else ++ break; ++ case GEN_IPADD: ++ if (check_type != GEN_IPADD) ++ continue; + cstr = gen->d.iPAddress; ++ break; ++ } ++ san_present = 1; + /* Positive on success, negative on error! */ + if ((rv = do_check_string(cstr, alt_type, equal, flags, + chk, chklen, peername)) != 0) +diff --git a/test/recipes/25-test_eai_data.t b/test/recipes/25-test_eai_data.t +index 522982ddfb..e18735d89a 100644 +--- a/test/recipes/25-test_eai_data.t ++++ b/test/recipes/25-test_eai_data.t +@@ -21,16 +21,18 @@ setup("test_eai_data"); + #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/utf8_chain.pem test/recipes/25-test_eai_data/ascii_leaf.pem + #./util/wrap.pl apps/openssl verify -nameopt utf8 -no_check_time -CAfile test/recipes/25-test_eai_data/ascii_chain.pem test/recipes/25-test_eai_data/utf8_leaf.pem + +-plan tests => 12; ++plan tests => 16; + + require_ok(srctop_file('test','recipes','tconversion.pl')); + my $folder = "test/recipes/25-test_eai_data"; + + my $ascii_pem = srctop_file($folder, "ascii_leaf.pem"); + my $utf8_pem = srctop_file($folder, "utf8_leaf.pem"); ++my $kdc_pem = srctop_file($folder, "kdc-cert.pem"); + + my $ascii_chain_pem = srctop_file($folder, "ascii_chain.pem"); + my $utf8_chain_pem = srctop_file($folder, "utf8_chain.pem"); ++my $kdc_chain_pem = srctop_file($folder, "kdc-root-cert.pem"); + + my $out; + my $outcnt = 0; +@@ -56,10 +58,18 @@ SKIP: { + + ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $ascii_pem]))); + ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $utf8_pem]))); ++ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $kdc_chain_pem, $kdc_pem]))); + + ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $ascii_chain_pem, $utf8_pem]))); + ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-CAfile", $utf8_chain_pem, $ascii_pem]))); + ++# Check an otherName does not get misparsed as an DNS name, (should trigger ASAN errors if violated). ++ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_hostname", 'mx1.example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); ++# Check an otherName does not get misparsed as an email address, (should trigger ASAN errors if violated). ++ok(run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'joe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); ++# We expect SmtpUTF8Mailbox to be a UTF8 String, not an IA5String. ++ok(!run(app(["openssl", "verify", "-nameopt", "utf8", "-no_check_time", "-verify_email", 'moe@example.com', "-CAfile", $kdc_chain_pem, $kdc_pem]))); ++ + #Check that we get the expected failure return code + with({ exit_checker => sub { return shift == 2; } }, + sub { +diff --git a/test/recipes/25-test_eai_data/kdc-cert.pem b/test/recipes/25-test_eai_data/kdc-cert.pem +new file mode 100644 +index 0000000000..e8a2c6f55d +--- /dev/null ++++ b/test/recipes/25-test_eai_data/kdc-cert.pem +@@ -0,0 +1,21 @@ ++-----BEGIN CERTIFICATE----- ++MIIDbDCCAlSgAwIBAgIBAjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARSb290 ++MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAXMRUwEwYDVQQDDAxU ++RVNULkVYQU1QTEUwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQC6wfP+ ++6go79dkpo/dGLMlPZ7Gw/Q6gUYrCWZWUEgEeRVHCrqOlgUEyA+PcWas/XDPUxXry ++BQlJHLvlqamAQn8gs4QPBARFYWKNiTVGyaRkgNA1N5gqyZdrP9UE+ZJmdqxRAAe8 ++vvpGZWSgevPhLUiSCFYDiD0Rtji2Hm3rGUrReQFBQDEw2pNGwz9zIaxUs08kQZcx ++Yzyiplz5Oau+R/6sAgUwDlrD9xOlUxx/tA/MSDIfkK8qioU11uUZtO5VjkNQy/bT ++7zQMmXxWgm2MIgOs1u4YN7YGOtgqHE9v9iPHHfgrkbQDtVDGQsa8AQEhkUDSCtW9 ++3VFAKx6dGNXYzFwfAgMBAAGjgcgwgcUwHQYDVR0OBBYEFFR5tZycW19DmtbL4Zqj ++te1c2vZLMAkGA1UdIwQCMAAwCQYDVR0TBAIwADCBjQYDVR0RBIGFMIGCoD8GBisG ++AQUCAqA1MDOgDhsMVEVTVC5FWEFNUExFoSEwH6ADAgEBoRgwFhsGa3JidGd0GwxU ++RVNULkVYQU1QTEWgHQYIKwYBBQUHCAmgERYPbW9lQGV4YW1wbGUuY29tgQ9qb2VA ++ZXhhbXBsZS5jb22CD214MS5leGFtcGxlLmNvbTANBgkqhkiG9w0BAQsFAAOCAQEA ++T0xzVtVpRtaOzIhgzw7XQUdzWD5UEGSJJ1cBCOmKUWwDLTAouCYLFB4TbEE7MMUb ++iuMy60bjmVtvfJIXorGUgSadRe5RWJ5DamJWvPA0Q9x7blnEcXqEF+9Td+ypevgU ++UYHFmg83OYwxOsFXZ5cRuXMk3WCsDHQIBi6D1L6oDDZ2pfArs5mqm3thQKVlqyl1 ++El3XRYEdqAz/5eCOFNfwxF0ALxjxVr/Z50StUZU8I7Zfev6+kHhyrR7dqzYJImv9 ++0fTCOBEMjIETDsrA70OxAMu4V16nrWZdJdvzblS2qrt97Omkj+2kiPAJFB76RpwI ++oDQ9fKfUOAmUFth2/R/eGA== ++-----END CERTIFICATE----- +diff --git a/test/recipes/25-test_eai_data/kdc-root-cert.pem b/test/recipes/25-test_eai_data/kdc-root-cert.pem +new file mode 100644 +index 0000000000..a74c96bf31 +--- /dev/null ++++ b/test/recipes/25-test_eai_data/kdc-root-cert.pem +@@ -0,0 +1,16 @@ ++-----BEGIN CERTIFICATE----- ++MIICnDCCAYQCCQCBswYcrlZSHjANBgkqhkiG9w0BAQsFADAPMQ0wCwYDVQQDDARS ++b290MCAXDTI0MDYyMDA2MTQxNVoYDzIxMjQwNjIwMDYxNDE1WjAPMQ0wCwYDVQQD ++DARSb290MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqRj8S4kBbIUj ++61kZfi6nE35Q38U140+qt4uAiwAhKumfVHlBM0zQ98WFt5zMHIBQwIb3yjc2zj+0 ++qzUnQfwm1r/RfcMmBPEti9Ge+aEMSsds2gMXziOFM8wd2aAFPy7UVE0XpEWofsRK ++MGi61MKVdPSbGIxBwY9VW38/7D/wf1HtJe7y0xpuecR7GB2XAs+qST59NjuF+7wS ++dLM8Hb3TATgeYbXXWsRJgwz+SPzExg5WmLnU+7y4brZ32dHtdSmkRVSgSlaIf7Xj ++3Tc6Zi7I+W/JYk7hy1zUexVdWCak4PHcoWrXe0gNNN/t8VfLfMExt5z/HIylXnU7 ++pGUyqZlTGQIDAQABMA0GCSqGSIb3DQEBCwUAA4IBAQAHpLF1UCRy7b6Hk0rLokxI ++lgwiH9BU9mktigAGASvkbllpt+YbUbWnuYAvpHBGiP1qZtfX2r96UrSJaGO9BEzT ++Gp9ThnSjoj4Srul0+s/NArU22irFLmDzbalgevAmm9gMGkdqkiIm/mXbwrPj0ncl ++KGicevXryVpvaP62eZ8cc3C4p97frMmXxRX8sTdQpD/gRI7prdEILRSKveqT+AEW ++7rFGM5AOevb4U8ddop8A3D/kX0wcCAIBF6jCNk3uEJ57jVcagL04kPnVfdRiedTS ++vfq1DRNcD29d1H/9u0fHdSn1/+8Ep3X+afQ3C6//5NvOEaXcIGO4QSwkprQydfv8 ++-----END CERTIFICATE----- +diff --git a/test/recipes/25-test_eai_data/kdc.sh b/test/recipes/25-test_eai_data/kdc.sh +new file mode 100755 +index 0000000000..7a8dbc719f +--- /dev/null ++++ b/test/recipes/25-test_eai_data/kdc.sh +@@ -0,0 +1,41 @@ ++#! /usr/bin/env bash ++ ++# Create a root CA, signing a leaf cert with a KDC principal otherName SAN, and ++# also a non-UTF8 smtpUtf8Mailbox SAN followed by an rfc822Name SAN and a DNS ++# name SAN. In the vulnerable EAI code, the KDC principal `otherName` should ++# trigger ASAN errors in DNS name checks, while the non-UTF8 `smtpUtf8Mailbox` ++# should likewise lead to ASAN issues with email name checks. ++ ++rm -f root-key.pem root-cert.pem ++openssl req -nodes -new -newkey rsa:2048 -keyout kdc-root-key.pem \ ++ -x509 -subj /CN=Root -days 36524 -out kdc-root-cert.pem ++ ++exts=$( ++ printf "%s\n%s\n%s\n%s = " \ ++ "subjectKeyIdentifier = hash" \ ++ "authorityKeyIdentifier = keyid" \ ++ "basicConstraints = CA:false" \ ++ "subjectAltName" ++ printf "%s, " "otherName:1.3.6.1.5.2.2;SEQUENCE:kdc_princ_name" ++ printf "%s, " "otherName:1.3.6.1.5.5.7.8.9;IA5:moe@example.com" ++ printf "%s, " "email:joe@example.com" ++ printf "%s\n" "DNS:mx1.example.com" ++ printf "[kdc_princ_name]\n" ++ printf "realm = EXP:0, GeneralString:TEST.EXAMPLE\n" ++ printf "principal_name = EXP:1, SEQUENCE:kdc_principal_seq\n" ++ printf "[kdc_principal_seq]\n" ++ printf "name_type = EXP:0, INTEGER:1\n" ++ printf "name_string = EXP:1, SEQUENCE:kdc_principal_components\n" ++ printf "[kdc_principal_components]\n" ++ printf "princ1 = GeneralString:krbtgt\n" ++ printf "princ2 = GeneralString:TEST.EXAMPLE\n" ++ ) ++ ++printf "%s\n" "$exts" ++ ++openssl req -nodes -new -newkey rsa:2048 -keyout kdc-key.pem \ ++ -subj "/CN=TEST.EXAMPLE" | ++ openssl x509 -req -out kdc-cert.pem \ ++ -CA "kdc-root-cert.pem" -CAkey "kdc-root-key.pem" \ ++ -set_serial 2 -days 36524 \ ++ -extfile <(printf "%s\n" "$exts") diff --git a/openssl-CVE-2024-9143.patch b/openssl-CVE-2024-9143.patch new file mode 100644 index 0000000..726d902 --- /dev/null +++ b/openssl-CVE-2024-9143.patch @@ -0,0 +1,198 @@ +From fdf6723362ca51bd883295efe206cb5b1cfa5154 Mon Sep 17 00:00:00 2001 +From: Viktor Dukhovni +Date: Thu, 19 Sep 2024 01:02:40 +1000 +Subject: [PATCH] Harden BN_GF2m_poly2arr against misuse. + +The BN_GF2m_poly2arr() function converts characteristic-2 field +(GF_{2^m}) Galois polynomials from a representation as a BIGNUM bitmask, +to a compact array with just the exponents of the non-zero terms. + +These polynomials are then used in BN_GF2m_mod_arr() to perform modular +reduction. A precondition of calling BN_GF2m_mod_arr() is that the +polynomial must have a non-zero constant term (i.e. the array has `0` as +its final element). + +Internally, callers of BN_GF2m_poly2arr() did not verify that +precondition, and binary EC curve parameters with an invalid polynomial +could lead to out of bounds memory reads and writes in BN_GF2m_mod_arr(). + +The precondition is always true for polynomials that arise from the +standard form of EC parameters for characteristic-two fields (X9.62). +See the "Finite Field Identification" section of: + + https://www.itu.int/ITU-T/formal-language/itu-t/x/x894/2018-cor1/ANSI-X9-62.html + +The OpenSSL GF(2^m) code supports only the trinomial and pentanomial +basis X9.62 forms. + +This commit updates BN_GF2m_poly2arr() to return `0` (failure) when +the constant term is zero (i.e. the input bitmask BIGNUM is not odd). + +Additionally, the return value is made unambiguous when there is not +enough space to also pad the array with a final `-1` sentinel value. +The return value is now always the number of elements (including the +final `-1`) that would be filled when the output array is sufficiently +large. Previously the same count was returned both when the array has +just enough room for the final `-1` and when it had only enough space +for non-sentinel values. + +Finally, BN_GF2m_poly2arr() is updated to reject polynomials whose +degree exceeds `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against +CPU exhausition attacks via excessively large inputs. + +The above issues do not arise in processing X.509 certificates. These +generally have EC keys from "named curves", and RFC5840 (Section 2.1.1) +disallows explicit EC parameters. The TLS code in OpenSSL enforces this +constraint only after the certificate is decoded, but, even if explicit +parameters are specified, they are in X9.62 form, which cannot represent +problem values as noted above. + +Initially reported as oss-fuzz issue 71623. + +A closely related issue was earlier reported in +. + +Severity: Low, CVE-2024-9143 + +Reviewed-by: Matt Caswell +Reviewed-by: Bernd Edlinger +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/25639) + +(cherry picked from commit 8e008cb8b23ec7dc75c45a66eeed09c815b11cd2) +--- + crypto/bn/bn_gf2m.c | 28 +++++++++++++++------- + test/ec_internal_test.c | 51 +++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 71 insertions(+), 8 deletions(-) + +diff --git a/crypto/bn/bn_gf2m.c b/crypto/bn/bn_gf2m.c +index c811ae82d6b15..bcc66613cc14d 100644 +--- a/crypto/bn/bn_gf2m.c ++++ b/crypto/bn/bn_gf2m.c +@@ -15,6 +15,7 @@ + #include "bn_local.h" + + #ifndef OPENSSL_NO_EC2M ++# include + + /* + * Maximum number of iterations before BN_GF2m_mod_solve_quad_arr should +@@ -1140,16 +1141,26 @@ int BN_GF2m_mod_solve_quad(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + /* + * Convert the bit-string representation of a polynomial ( \sum_{i=0}^n a_i * + * x^i) into an array of integers corresponding to the bits with non-zero +- * coefficient. Array is terminated with -1. Up to max elements of the array +- * will be filled. Return value is total number of array elements that would +- * be filled if array was large enough. ++ * coefficient. The array is intended to be suitable for use with ++ * `BN_GF2m_mod_arr()`, and so the constant term of the polynomial must not be ++ * zero. This translates to a requirement that the input BIGNUM `a` is odd. ++ * ++ * Given sufficient room, the array is terminated with -1. Up to max elements ++ * of the array will be filled. ++ * ++ * The return value is total number of array elements that would be filled if ++ * array was large enough, including the terminating `-1`. It is `0` when `a` ++ * is not odd or the constant term is zero contrary to requirement. ++ * ++ * The return value is also `0` when the leading exponent exceeds ++ * `OPENSSL_ECC_MAX_FIELD_BITS`, this guards against CPU exhaustion attacks, + */ + int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) + { + int i, j, k = 0; + BN_ULONG mask; + +- if (BN_is_zero(a)) ++ if (!BN_is_odd(a)) + return 0; + + for (i = a->top - 1; i >= 0; i--) { +@@ -1167,12 +1178,13 @@ int BN_GF2m_poly2arr(const BIGNUM *a, int p[], int max) + } + } + +- if (k < max) { ++ if (k > 0 && p[0] > OPENSSL_ECC_MAX_FIELD_BITS) ++ return 0; ++ ++ if (k < max) + p[k] = -1; +- k++; +- } + +- return k; ++ return k + 1; + } + + /* +diff --git a/test/ec_internal_test.c b/test/ec_internal_test.c +index 8c2cd05631696..02cfd4e9d8858 100644 +--- a/test/ec_internal_test.c ++++ b/test/ec_internal_test.c +@@ -155,6 +155,56 @@ static int field_tests_ecp_mont(void) + } + + #ifndef OPENSSL_NO_EC2M ++/* Test that decoding of invalid GF2m field parameters fails. */ ++static int ec2m_field_sanity(void) ++{ ++ int ret = 0; ++ BN_CTX *ctx = BN_CTX_new(); ++ BIGNUM *p, *a, *b; ++ EC_GROUP *group1 = NULL, *group2 = NULL, *group3 = NULL; ++ ++ TEST_info("Testing GF2m hardening\n"); ++ ++ BN_CTX_start(ctx); ++ p = BN_CTX_get(ctx); ++ a = BN_CTX_get(ctx); ++ if (!TEST_ptr(b = BN_CTX_get(ctx)) ++ || !TEST_true(BN_one(a)) ++ || !TEST_true(BN_one(b))) ++ goto out; ++ ++ /* Even pentanomial value should be rejected */ ++ if (!TEST_true(BN_set_word(p, 0xf2))) ++ goto out; ++ if (!TEST_ptr_null(group1 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("Zero constant term accepted in GF2m polynomial"); ++ ++ /* Odd hexanomial should also be rejected */ ++ if (!TEST_true(BN_set_word(p, 0xf3))) ++ goto out; ++ if (!TEST_ptr_null(group2 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("Hexanomial accepted as GF2m polynomial"); ++ ++ /* Excessive polynomial degree should also be rejected */ ++ if (!TEST_true(BN_set_word(p, 0x71)) ++ || !TEST_true(BN_set_bit(p, OPENSSL_ECC_MAX_FIELD_BITS + 1))) ++ goto out; ++ if (!TEST_ptr_null(group3 = EC_GROUP_new_curve_GF2m(p, a, b, ctx))) ++ TEST_error("GF2m polynomial degree > %d accepted", ++ OPENSSL_ECC_MAX_FIELD_BITS); ++ ++ ret = group1 == NULL && group2 == NULL && group3 == NULL; ++ ++ out: ++ EC_GROUP_free(group1); ++ EC_GROUP_free(group2); ++ EC_GROUP_free(group3); ++ BN_CTX_end(ctx); ++ BN_CTX_free(ctx); ++ ++ return ret; ++} ++ + /* test EC_GF2m_simple_method directly */ + static int field_tests_ec2_simple(void) + { +@@ -443,6 +493,7 @@ int setup_tests(void) + ADD_TEST(field_tests_ecp_simple); + ADD_TEST(field_tests_ecp_mont); + #ifndef OPENSSL_NO_EC2M ++ ADD_TEST(ec2m_field_sanity); + ADD_TEST(field_tests_ec2_simple); + #endif + ADD_ALL_TESTS(field_tests_default, crv_len); diff --git a/openssl-DEFAULT_SUSE_cipher.patch b/openssl-DEFAULT_SUSE_cipher.patch new file mode 100644 index 0000000..b8d8688 --- /dev/null +++ b/openssl-DEFAULT_SUSE_cipher.patch @@ -0,0 +1,64 @@ +Index: openssl-3.0.0-alpha7/ssl/ssl_ciph.c +=================================================================== +--- openssl-3.0.0-alpha7.orig/ssl/ssl_ciph.c ++++ openssl-3.0.0-alpha7/ssl/ssl_ciph.c +@@ -1592,7 +1592,14 @@ STACK_OF(SSL_CIPHER) *ssl_create_cipher_ + */ + ok = 1; + rule_p = rule_str; +- if (strncmp(rule_str, "DEFAULT", 7) == 0) { ++ if (strncmp(rule_str,"DEFAULT_SUSE", 12) == 0) { ++ ok = ssl_cipher_process_rulestr(SSL_DEFAULT_SUSE_CIPHER_LIST, ++ &head, &tail, ca_list, c); ++ rule_p += 12; ++ if (*rule_p == ':') ++ rule_p++; ++ } ++ else if (strncmp(rule_str, "DEFAULT", 7) == 0) { + ok = ssl_cipher_process_rulestr(OSSL_default_cipher_list(), + &head, &tail, ca_list, c); + rule_p += 7; +Index: openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t +=================================================================== +--- /dev/null ++++ openssl-3.0.0-alpha7/test/recipes/99-test_suse_default_ciphers.t +@@ -0,0 +1,23 @@ ++#! /usr/bin/env perl ++ ++use strict; ++use warnings; ++ ++use OpenSSL::Test qw/:DEFAULT/; ++use OpenSSL::Test::Utils; ++ ++setup("test_default_ciphersuites"); ++ ++plan tests => 6; ++ ++my @cipher_suites = ("DEFAULT_SUSE", "DEFAULT"); ++ ++foreach my $cipherlist (@cipher_suites) { ++ ok(run(app(["openssl", "ciphers", "-s", $cipherlist])), ++ "openssl ciphers works with ciphersuite $cipherlist"); ++ ok(!grep(/(MD5|RC4|DES)/, run(app(["openssl", "ciphers", "-s", $cipherlist]), capture => 1)), ++ "$cipherlist shouldn't contain MD5, DES or RC4\n"); ++ ok(grep(/(TLSv1.3)/, run(app(["openssl", "ciphers", "-tls1_3", "-s", "-v", $cipherlist]), capture => 1)), ++ "$cipherlist should contain TLSv1.3 ciphers\n"); ++} ++ +Index: openssl-3.0.0-alpha7/include/openssl/ssl.h.in +=================================================================== +--- openssl-3.0.0-alpha7.orig/include/openssl/ssl.h.in ++++ openssl-3.0.0-alpha7/include/openssl/ssl.h.in +@@ -189,6 +189,11 @@ extern "C" { + */ + # ifndef OPENSSL_NO_DEPRECATED_3_0 + # define SSL_DEFAULT_CIPHER_LIST "ALL:!COMPLEMENTOFDEFAULT:!eNULL" ++# define SSL_DEFAULT_SUSE_CIPHER_LIST "ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:"\ ++ "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:"\ ++ "ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:"\ ++ "DHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-CAMELLIA256-SHA:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-CAMELLIA128-SHA:"\ ++ "AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:CAMELLIA256-SHA:AES128-GCM-SHA256:AES128-SHA256:AES128-SHA:CAMELLIA128-SHA" + /* + * This is the default set of TLSv1.3 ciphersuites + * DEPRECATED IN 3.0.0, in favor of OSSL_default_ciphersuites() diff --git a/openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch b/openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch new file mode 100644 index 0000000..17f8da2 --- /dev/null +++ b/openssl-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch @@ -0,0 +1,330 @@ +From 590babb35e3aa399c889282747965e301333a656 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 16:07:18 +0200 +Subject: [PATCH 43/48] + 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch + +Patch-name: 0093-DH-Disable-FIPS-186-4-type-parameters-in-FIPS-mode.patch +Patch-id: 93 +--- + crypto/dh/dh_backend.c | 10 ++++ + crypto/dh/dh_check.c | 12 ++-- + crypto/dh/dh_gen.c | 12 +++- + crypto/dh/dh_key.c | 13 ++-- + crypto/dh/dh_pmeth.c | 10 +++- + providers/implementations/keymgmt/dh_kmgmt.c | 5 ++ + test/endecode_test.c | 4 +- + test/evp_libctx_test.c | 2 +- + test/helpers/predefined_dhparams.c | 62 ++++++++++++++++++++ + test/helpers/predefined_dhparams.h | 1 + + test/recipes/80-test_cms.t | 4 +- + test/recipes/80-test_ssl_old.t | 3 + + 12 files changed, 118 insertions(+), 20 deletions(-) + +diff --git a/crypto/dh/dh_backend.c b/crypto/dh/dh_backend.c +index 726843fd30..24c65ca84f 100644 +--- a/crypto/dh/dh_backend.c ++++ b/crypto/dh/dh_backend.c +@@ -53,6 +53,16 @@ int ossl_dh_params_fromdata(DH *dh, const OSSL_PARAM params[]) + if (!dh_ffc_params_fromdata(dh, params)) + return 0; + ++#ifdef FIPS_MODULE ++ if (!ossl_dh_is_named_safe_prime_group(dh)) { ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required validation routines" ++ " were removed from FIPS 186-5"); ++ return 0; ++ } ++#endif ++ + param_priv_len = + OSSL_PARAM_locate_const(params, OSSL_PKEY_PARAM_DH_PRIV_LEN); + if (param_priv_len != NULL +diff --git a/crypto/dh/dh_check.c b/crypto/dh/dh_check.c +index 0b391910d6..75581ca347 100644 +--- a/crypto/dh/dh_check.c ++++ b/crypto/dh/dh_check.c +@@ -57,13 +57,15 @@ int DH_check_params(const DH *dh, int *ret) + nid = DH_get_nid((DH *)dh); + if (nid != NID_undef) + return 1; ++ + /* +- * OR +- * (2b) FFC domain params conform to FIPS-186-4 explicit domain param +- * validity tests. ++ * FIPS 186-4 explicit domain parameters are no longer supported in FIPS mode. + */ +- return ossl_ffc_params_FIPS186_4_validate(dh->libctx, &dh->params, +- FFC_PARAM_TYPE_DH, ret, NULL); ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required validation routines were" ++ " removed from FIPS 186-5"); ++ return 0; + } + #else + int DH_check_params(const DH *dh, int *ret) +diff --git a/crypto/dh/dh_gen.c b/crypto/dh/dh_gen.c +index 204662a81c..9961f21920 100644 +--- a/crypto/dh/dh_gen.c ++++ b/crypto/dh/dh_gen.c +@@ -39,18 +39,26 @@ static int dh_builtin_genparams(DH *ret, int prime_len, int generator, + int ossl_dh_generate_ffc_parameters(DH *dh, int type, int pbits, int qbits, + BN_GENCB *cb) + { +- int ret, res; ++ int ret = 0; + + #ifndef FIPS_MODULE ++ int res; ++ + if (type == DH_PARAMGEN_TYPE_FIPS_186_2) + ret = ossl_ffc_params_FIPS186_2_generate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, + pbits, qbits, &res, cb); + else +-#endif + ret = ossl_ffc_params_FIPS186_4_generate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, + pbits, qbits, &res, cb); ++#else ++ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */ ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required generation routines were" ++ " removed from FIPS 186-5"); ++#endif + if (ret > 0) + dh->dirty_cnt++; + return ret; +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index 83773cceea..7e988368d3 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -321,8 +321,12 @@ static int generate_key(DH *dh) + goto err; + } else { + #ifdef FIPS_MODULE +- if (dh->params.q == NULL) +- goto err; ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer" ++ " allowed in FIPS mode, since the required" ++ " generation routines were removed from FIPS" ++ " 186-5"); ++ goto err; + #else + if (dh->params.q == NULL) { + /* secret exponent length, must satisfy 2^(l-1) <= p */ +@@ -343,9 +347,7 @@ static int generate_key(DH *dh) + if (!BN_clear_bit(priv_key, 0)) + goto err; + } +- } else +-#endif +- { ++ } else { + /* Do a partial check for invalid p, q, g */ + if (!ossl_ffc_params_simple_validate(dh->libctx, &dh->params, + FFC_PARAM_TYPE_DH, NULL)) +@@ -361,6 +363,7 @@ static int generate_key(DH *dh) + priv_key)) + goto err; + } ++#endif + } + } + +diff --git a/crypto/dh/dh_pmeth.c b/crypto/dh/dh_pmeth.c +index f201eede0d..30f90d15be 100644 +--- a/crypto/dh/dh_pmeth.c ++++ b/crypto/dh/dh_pmeth.c +@@ -305,13 +305,17 @@ static DH *ffc_params_generate(OSSL_LIB_CTX *libctx, DH_PKEY_CTX *dctx, + prime_len, subprime_len, &res, + pcb); + else +-# endif +- /* For FIPS we always use the DH_PARAMGEN_TYPE_FIPS_186_4 generator */ +- if (dctx->paramgen_type >= DH_PARAMGEN_TYPE_FIPS_186_2) + rv = ossl_ffc_params_FIPS186_4_generate(libctx, &ret->params, + FFC_PARAM_TYPE_DH, + prime_len, subprime_len, &res, + pcb); ++# else ++ /* In FIPS mode, we no longer support FIPS 186-4 domain parameters */ ++ ERR_raise_data(ERR_LIB_DH, DH_R_BAD_FFC_PARAMETERS, ++ "FIPS 186-4 type domain parameters no longer allowed in" ++ " FIPS mode, since the required generation routines were" ++ " removed from FIPS 186-5"); ++# endif + if (rv <= 0) { + DH_free(ret); + return NULL; +diff --git a/providers/implementations/keymgmt/dh_kmgmt.c b/providers/implementations/keymgmt/dh_kmgmt.c +index 9a7dde7c66..b3e7bca5ac 100644 +--- a/providers/implementations/keymgmt/dh_kmgmt.c ++++ b/providers/implementations/keymgmt/dh_kmgmt.c +@@ -414,6 +414,11 @@ static int dh_validate(const void *keydata, int selection, int checktype) + if ((selection & DH_POSSIBLE_SELECTIONS) == 0) + return 1; /* nothing to validate */ + ++#ifdef FIPS_MODULE ++ /* In FIPS provider, always check the domain parameters to disallow ++ * operations on keys with FIPS 186-4 params. */ ++ selection |= OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS; ++#endif + if ((selection & OSSL_KEYMGMT_SELECT_DOMAIN_PARAMETERS) != 0) { + /* + * Both of these functions check parameters. DH_check_params_ex() +diff --git a/test/endecode_test.c b/test/endecode_test.c +index 53385028fc..169f3ccd73 100644 +--- a/test/endecode_test.c ++++ b/test/endecode_test.c +@@ -84,10 +84,10 @@ static EVP_PKEY *make_template(const char *type, OSSL_PARAM *genparams) + * for testing only. Use a minimum key size of 2048 for security purposes. + */ + if (strcmp(type, "DH") == 0) +- return get_dh512(keyctx); ++ return get_dh2048(keyctx); + + if (strcmp(type, "X9.42 DH") == 0) +- return get_dhx512(keyctx); ++ return get_dhx_ffdhe2048(keyctx); + # endif + + /* +diff --git a/test/evp_libctx_test.c b/test/evp_libctx_test.c +index a7913cda4c..96a35ac1cc 100644 +--- a/test/evp_libctx_test.c ++++ b/test/evp_libctx_test.c +@@ -189,7 +189,7 @@ static int do_dh_param_keygen(int tstid, const BIGNUM **bn) + + if (!TEST_ptr(gen_ctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey_parm, NULL)) + || !TEST_int_gt(EVP_PKEY_keygen_init(gen_ctx), 0) +- || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey), expected)) ++ || !TEST_int_eq(EVP_PKEY_keygen(gen_ctx, &pkey) == 1, expected)) + goto err; + + if (expected) { +diff --git a/test/helpers/predefined_dhparams.c b/test/helpers/predefined_dhparams.c +index 4bdadc4143..e5186e4b4a 100644 +--- a/test/helpers/predefined_dhparams.c ++++ b/test/helpers/predefined_dhparams.c +@@ -116,6 +116,68 @@ EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx) + dhx512_q, sizeof(dhx512_q)); + } + ++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx) ++{ ++ /* This is RFC 7919 ffdhe2048, since Red Hat removes support for ++ * non-well-known groups in FIPS mode. */ ++ static unsigned char dhx_p[] = { ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xad, 0xf8, 0x54, 0x58, ++ 0xa2, 0xbb, 0x4a, 0x9a, 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1, ++ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, 0xa9, 0xe1, 0x36, 0x41, ++ 0x14, 0x64, 0x33, 0xfb, 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9, ++ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, 0xf6, 0x81, 0xb2, 0x02, ++ 0xae, 0xc4, 0x61, 0x7a, 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61, ++ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, 0x85, 0x63, 0x65, 0x55, ++ 0x3d, 0xed, 0x1a, 0xf3, 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35, ++ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, 0xe2, 0xa6, 0x89, 0xda, ++ 0xf3, 0xef, 0xe8, 0x72, 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35, ++ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, 0xbc, 0x0a, 0xb1, 0x82, ++ 0xb3, 0x24, 0xfb, 0x61, 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb, ++ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, 0x1d, 0x4f, 0x42, 0xa3, ++ 0xde, 0x39, 0x4d, 0xf4, 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19, ++ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, 0x9e, 0x02, 0xfc, 0xe1, ++ 0xcd, 0xf7, 0xe2, 0xec, 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61, ++ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, 0x8e, 0x4f, 0x12, 0x32, ++ 0xee, 0xf2, 0x81, 0x83, 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73, ++ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, 0xc5, 0x8e, 0xf1, 0x83, ++ 0x7d, 0x16, 0x83, 0xb2, 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa, ++ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff ++ }; ++ static unsigned char dhx_g[] = { ++ 0x02 ++ }; ++ static unsigned char dhx_q[] = { ++ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xd6, 0xfc, 0x2a, 0x2c, ++ 0x51, 0x5d, 0xa5, 0x4d, 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78, ++ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, 0xd4, 0xf0, 0x9b, 0x20, ++ 0x8a, 0x32, 0x19, 0xfd, 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c, ++ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, 0x7b, 0x40, 0xd9, 0x01, ++ 0x57, 0x62, 0x30, 0xbd, 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0, ++ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, 0x42, 0xb1, 0xb2, 0xaa, ++ 0x9e, 0xf6, 0x8d, 0x79, 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a, ++ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, 0xf1, 0x53, 0x44, 0xed, ++ 0x79, 0xf7, 0xf4, 0x39, 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a, ++ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, 0x5e, 0x05, 0x58, 0xc1, ++ 0x59, 0x92, 0x7d, 0xb0, 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd, ++ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, 0x0e, 0xa7, 0xa1, 0x51, ++ 0xef, 0x1c, 0xa6, 0xfa, 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c, ++ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, 0x4f, 0x01, 0x7e, 0x70, ++ 0xe6, 0xfb, 0xf1, 0x76, 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0, ++ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, 0xc7, 0x27, 0x89, 0x19, ++ 0x77, 0x79, 0x40, 0xc1, 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9, ++ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, 0xe2, 0xc7, 0x78, 0xc1, ++ 0xbe, 0x8b, 0x41, 0xd9, 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd, ++ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, 0xff, 0xff, 0xff, 0xff, ++ 0xff, 0xff, 0xff, 0xff ++ }; ++ ++ return get_dh_from_pg(libctx, "X9.42 DH", ++ dhx_p, sizeof(dhx_p), ++ dhx_g, sizeof(dhx_g), ++ dhx_q, sizeof(dhx_q)); ++} ++ + EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libctx) + { + static unsigned char dh1024_p[] = { +diff --git a/test/helpers/predefined_dhparams.h b/test/helpers/predefined_dhparams.h +index f0e8709062..2ff6d6e721 100644 +--- a/test/helpers/predefined_dhparams.h ++++ b/test/helpers/predefined_dhparams.h +@@ -12,6 +12,7 @@ + #ifndef OPENSSL_NO_DH + EVP_PKEY *get_dh512(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dhx512(OSSL_LIB_CTX *libctx); ++EVP_PKEY *get_dhx_ffdhe2048(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dh1024dsa(OSSL_LIB_CTX *libct); + EVP_PKEY *get_dh2048(OSSL_LIB_CTX *libctx); + EVP_PKEY *get_dh4096(OSSL_LIB_CTX *libctx); +diff --git a/test/recipes/80-test_cms.t b/test/recipes/80-test_cms.t +index 2a459856f0..afac836fa3 100644 +--- a/test/recipes/80-test_cms.t ++++ b/test/recipes/80-test_cms.t +@@ -627,10 +627,10 @@ my @smime_cms_param_tests = ( + ], + + [ "enveloped content test streaming S/MIME format, X9.42 DH", +- [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, ++ [ "{cmd1}", @defaultprov, "-encrypt", "-in", $smcont, + "-stream", "-out", "{output}.cms", + "-recip", catfile($smdir, "smdh.pem"), "-aes128" ], +- [ "{cmd2}", @prov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), ++ [ "{cmd2}", @defaultprov, "-decrypt", "-recip", catfile($smdir, "smdh.pem"), + "-in", "{output}.cms", "-out", "{output}.txt" ], + \&final_compare + ] +diff --git a/test/recipes/80-test_ssl_old.t b/test/recipes/80-test_ssl_old.t +index 527abcea6e..e1d38b1e62 100644 +--- a/test/recipes/80-test_ssl_old.t ++++ b/test/recipes/80-test_ssl_old.t +@@ -390,6 +390,9 @@ sub testssl { + skip "skipping dhe1024dsa test", 1 + if ($no_dh); + ++ skip "FIPS 186-4 type DH groups are no longer supported by the FIPS provider", 1 ++ if $provider eq "fips"; ++ + ok(run(test([@ssltest, "-bio_pair", "-dhe1024dsa", "-v"])), + 'test sslv2/sslv3 with 1024bit DHE via BIO pair'); + } +-- +2.41.0 + diff --git a/openssl-Disable-default-provider-for-test-suite.patch b/openssl-Disable-default-provider-for-test-suite.patch new file mode 100644 index 0000000..719a289 --- /dev/null +++ b/openssl-Disable-default-provider-for-test-suite.patch @@ -0,0 +1,19 @@ +Index: openssl-3.1.4/apps/openssl.cnf +=================================================================== +--- openssl-3.1.4.orig/apps/openssl.cnf ++++ openssl-3.1.4/apps/openssl.cnf +@@ -70,11 +70,11 @@ engines = engine_section + # to side-channel attacks and as such have been deprecated. + + [provider_sect] +-default = default_sect ++##default = default_sect + ##legacy = legacy_sect + +-[default_sect] +-activate = 1 ++##[default_sect] ++##activate = 1 + + ##[legacy_sect] + ##activate = 1 diff --git a/openssl-Disable-explicit-ec.patch b/openssl-Disable-explicit-ec.patch new file mode 100644 index 0000000..5eb1a67 --- /dev/null +++ b/openssl-Disable-explicit-ec.patch @@ -0,0 +1,235 @@ +From 91bdd9b816b22bc1464ec323f3272b866b24114d Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:28 +0200 +Subject: [PATCH 12/35] 0012-Disable-explicit-ec.patch + +Patch-name: 0012-Disable-explicit-ec.patch +Patch-id: 12 +Patch-status: | + # Disable explicit EC curves + # https://bugzilla.redhat.com/show_bug.cgi?id=2066412 +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + crypto/ec/ec_asn1.c | 11 ++++++++++ + crypto/ec/ec_lib.c | 6 +++++ + test/ectest.c | 22 ++++++++++--------- + test/endecode_test.c | 20 ++++++++--------- + .../30-test_evp_data/evppkey_ecdsa.txt | 12 ---------- + 5 files changed, 39 insertions(+), 32 deletions(-) + +diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c +index 7a0b35a594..d19d57344e 100644 +--- a/crypto/ec/ec_asn1.c ++++ b/crypto/ec/ec_asn1.c +@@ -905,6 +905,12 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len) + if (params->type == ECPKPARAMETERS_TYPE_EXPLICIT) + group->decoded_from_explicit_params = 1; + ++ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) { ++ EC_GROUP_free(group); ++ ECPKPARAMETERS_free(params); ++ return NULL; ++ } ++ + if (a) { + EC_GROUP_free(*a); + *a = group; +@@ -964,6 +970,11 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len) + goto err; + } + ++ if (EC_GROUP_check_named_curve(ret->group, 0, NULL) == NID_undef) { ++ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP); ++ goto err; ++ } ++ + ret->version = priv_key->version; + + if (priv_key->privateKey) { +diff --git a/crypto/ec/ec_lib.c b/crypto/ec/ec_lib.c +index a84e088c19..6c37bf78ae 100644 +--- a/crypto/ec/ec_lib.c ++++ b/crypto/ec/ec_lib.c +@@ -1724,6 +1724,11 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], + goto err; + } + if (named_group == group) { ++ if (EC_GROUP_check_named_curve(group, 0, NULL) == NID_undef) { ++ ERR_raise(ERR_LIB_EC, EC_R_UNKNOWN_GROUP); ++ goto err; ++ } ++#if 0 + /* + * If we did not find a named group then the encoding should be explicit + * if it was specified +@@ -1739,6 +1744,7 @@ EC_GROUP *EC_GROUP_new_from_params(const OSSL_PARAM params[], + goto err; + } + EC_GROUP_set_asn1_flag(group, OPENSSL_EC_EXPLICIT_CURVE); ++#endif + } else { + EC_GROUP_free(group); + group = named_group; +diff --git a/test/ectest.c b/test/ectest.c +index 4890b0555e..e11aec5b3b 100644 +--- a/test/ectest.c ++++ b/test/ectest.c +@@ -2301,10 +2301,11 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, + if (!TEST_ptr(params = OSSL_PARAM_BLD_to_param(bld)) + || !TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(NULL, "EC", NULL)) + || !TEST_int_gt(EVP_PKEY_fromdata_init(pctx), 0) +- || !TEST_int_gt(EVP_PKEY_fromdata(pctx, &pkeyparam, ++ || !TEST_int_le(EVP_PKEY_fromdata(pctx, &pkeyparam, + EVP_PKEY_KEY_PARAMETERS, params), 0)) + goto err; +- ++/* As creating the key should fail, the rest of the test is pointless */ ++# if 0 + /*- Check that all the set values are retrievable -*/ + + /* There should be no match to a group name since the generator changed */ +@@ -2433,6 +2434,7 @@ static int do_test_custom_explicit_fromdata(EC_GROUP *group, BN_CTX *ctx, + #endif + ) + goto err; ++#endif + ret = 1; + err: + BN_free(order_out); +@@ -2714,21 +2716,21 @@ static int custom_params_test(int id) + + /* Compute keyexchange in both directions */ + if (!TEST_ptr(pctx1 = EVP_PKEY_CTX_new(pkey1, NULL)) +- || !TEST_int_eq(EVP_PKEY_derive_init(pctx1), 1) +- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) ++ || !TEST_int_le(EVP_PKEY_derive_init(pctx1), 0) ++/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx1, pkey2), 1) + || !TEST_int_eq(EVP_PKEY_derive(pctx1, NULL, &sslen), 1) + || !TEST_int_gt(bsize, sslen) +- || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)) ++ || !TEST_int_eq(EVP_PKEY_derive(pctx1, buf1, &sslen), 1)*/) + goto err; + if (!TEST_ptr(pctx2 = EVP_PKEY_CTX_new(pkey2, NULL)) +- || !TEST_int_eq(EVP_PKEY_derive_init(pctx2), 1) +- || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1) ++ || !TEST_int_le(EVP_PKEY_derive_init(pctx2), 1) ++/* || !TEST_int_eq(EVP_PKEY_derive_set_peer(pctx2, pkey1), 1) + || !TEST_int_eq(EVP_PKEY_derive(pctx2, NULL, &t), 1) + || !TEST_int_gt(bsize, t) + || !TEST_int_le(sslen, t) +- || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1)) ++ || !TEST_int_eq(EVP_PKEY_derive(pctx2, buf2, &t), 1) */) + goto err; +- ++#if 0 + /* Both sides should expect the same shared secret */ + if (!TEST_mem_eq(buf1, sslen, buf2, t)) + goto err; +@@ -2780,7 +2782,7 @@ static int custom_params_test(int id) + /* compare with previous result */ + || !TEST_mem_eq(buf1, t, buf2, sslen)) + goto err; +- ++#endif + ret = 1; + + err: +diff --git a/test/endecode_test.c b/test/endecode_test.c +index 14648287eb..9a437d8c64 100644 +--- a/test/endecode_test.c ++++ b/test/endecode_test.c +@@ -62,7 +62,7 @@ static BN_CTX *bnctx = NULL; + static OSSL_PARAM_BLD *bld_prime_nc = NULL; + static OSSL_PARAM_BLD *bld_prime = NULL; + static OSSL_PARAM *ec_explicit_prime_params_nc = NULL; +-static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL; ++/*static OSSL_PARAM *ec_explicit_prime_params_explicit = NULL;*/ + + # ifndef OPENSSL_NO_EC2M + static OSSL_PARAM_BLD *bld_tri_nc = NULL; +@@ -1009,9 +1009,9 @@ IMPLEMENT_TEST_SUITE_LEGACY(EC, "EC") + DOMAIN_KEYS(ECExplicitPrimeNamedCurve); + IMPLEMENT_TEST_SUITE(ECExplicitPrimeNamedCurve, "EC", 1) + IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve, "EC") +-DOMAIN_KEYS(ECExplicitPrime2G); +-IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0) +-IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC") ++/*DOMAIN_KEYS(ECExplicitPrime2G);*/ ++/*IMPLEMENT_TEST_SUITE(ECExplicitPrime2G, "EC", 0)*/ ++/*IMPLEMENT_TEST_SUITE_LEGACY(ECExplicitPrime2G, "EC")*/ + # ifndef OPENSSL_NO_EC2M + DOMAIN_KEYS(ECExplicitTriNamedCurve); + IMPLEMENT_TEST_SUITE(ECExplicitTriNamedCurve, "EC", 1) +@@ -1352,7 +1352,7 @@ int setup_tests(void) + || !create_ec_explicit_prime_params_namedcurve(bld_prime_nc) + || !create_ec_explicit_prime_params(bld_prime) + || !TEST_ptr(ec_explicit_prime_params_nc = OSSL_PARAM_BLD_to_param(bld_prime_nc)) +- || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime)) ++/* || !TEST_ptr(ec_explicit_prime_params_explicit = OSSL_PARAM_BLD_to_param(bld_prime))*/ + # ifndef OPENSSL_NO_EC2M + || !TEST_ptr(bld_tri_nc = OSSL_PARAM_BLD_new()) + || !TEST_ptr(bld_tri = OSSL_PARAM_BLD_new()) +@@ -1380,7 +1380,7 @@ int setup_tests(void) + TEST_info("Generating EC keys..."); + MAKE_DOMAIN_KEYS(EC, "EC", EC_params); + MAKE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve, "EC", ec_explicit_prime_params_nc); +- MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit); ++/* MAKE_DOMAIN_KEYS(ECExplicitPrime2G, "EC", ec_explicit_prime_params_explicit);*/ + # ifndef OPENSSL_NO_EC2M + MAKE_DOMAIN_KEYS(ECExplicitTriNamedCurve, "EC", ec_explicit_tri_params_nc); + MAKE_DOMAIN_KEYS(ECExplicitTri2G, "EC", ec_explicit_tri_params_explicit); +@@ -1423,8 +1423,8 @@ int setup_tests(void) + ADD_TEST_SUITE_LEGACY(EC); + ADD_TEST_SUITE(ECExplicitPrimeNamedCurve); + ADD_TEST_SUITE_LEGACY(ECExplicitPrimeNamedCurve); +- ADD_TEST_SUITE(ECExplicitPrime2G); +- ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G); ++/* ADD_TEST_SUITE(ECExplicitPrime2G);*/ ++/* ADD_TEST_SUITE_LEGACY(ECExplicitPrime2G);*/ + # ifndef OPENSSL_NO_EC2M + ADD_TEST_SUITE(ECExplicitTriNamedCurve); + ADD_TEST_SUITE_LEGACY(ECExplicitTriNamedCurve); +@@ -1461,7 +1461,7 @@ void cleanup_tests(void) + { + #ifndef OPENSSL_NO_EC + OSSL_PARAM_free(ec_explicit_prime_params_nc); +- OSSL_PARAM_free(ec_explicit_prime_params_explicit); ++/* OSSL_PARAM_free(ec_explicit_prime_params_explicit);*/ + OSSL_PARAM_BLD_free(bld_prime_nc); + OSSL_PARAM_BLD_free(bld_prime); + # ifndef OPENSSL_NO_EC2M +@@ -1483,7 +1483,7 @@ void cleanup_tests(void) + #ifndef OPENSSL_NO_EC + FREE_DOMAIN_KEYS(EC); + FREE_DOMAIN_KEYS(ECExplicitPrimeNamedCurve); +- FREE_DOMAIN_KEYS(ECExplicitPrime2G); ++/* FREE_DOMAIN_KEYS(ECExplicitPrime2G);*/ + # ifndef OPENSSL_NO_EC2M + FREE_DOMAIN_KEYS(ECExplicitTriNamedCurve); + FREE_DOMAIN_KEYS(ECExplicitTri2G); +diff --git a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +index ec3c032aba..584ecee0eb 100644 +--- a/test/recipes/30-test_evp_data/evppkey_ecdsa.txt ++++ b/test/recipes/30-test_evp_data/evppkey_ecdsa.txt +@@ -133,18 +133,6 @@ AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgiUTxtr5vLVjj + 3ev1gTwRBduzqqlwd54AUSgI+pjttW8zrWNitO8H1sf59MPWOESKxNtZ1+Nl + -----END PRIVATE KEY----- + +-PrivateKey = EC_EXPLICIT +------BEGIN PRIVATE KEY----- +-MIIBeQIBADCCAQMGByqGSM49AgEwgfcCAQEwLAYHKoZIzj0BAQIhAP////8AAAAB +-AAAAAAAAAAAAAAAA////////////////MFsEIP////8AAAABAAAAAAAAAAAAAAAA +-///////////////8BCBaxjXYqjqT57PrvVV2mIa8ZR0GsMxTsPY7zjw+J9JgSwMV +-AMSdNgiG5wSTamZ44ROdJreBn36QBEEE5JcIvn36opqjEm/k59Al40rBAxWM2TPG +-l0L13Je51zHpfXQ9Z2o7IQicMXP4wSfJ0qCgg2bgydqoxlYrlLGuVQIhAP////8A +-AAAA//////////+85vqtpxeehPO5ysL8YyVRAgEBBG0wawIBAQQgec92jwduadCk +-OjoNRI+YT5Be5TkzZXzYCyTLkMOikDmhRANCAATtECEhQbLEaiUj/Wu0qjcr81lL +-46dx5zYgArz/iaSNJ3W80oO+F7v04jlQ7wxQzg96R0bwKiMeq5CcW9ZFt6xg +------END PRIVATE KEY----- +- + PrivateKey = B-163 + -----BEGIN PRIVATE KEY----- + MGMCAQAwEAYHKoZIzj0CAQYFK4EEAA8ETDBKAgEBBBUDnQW0mLiHVha/jqFznX/K +-- +2.41.0 + diff --git a/openssl-Enable-BTI-feature-for-md5-on-aarch64.patch b/openssl-Enable-BTI-feature-for-md5-on-aarch64.patch new file mode 100644 index 0000000..031bef4 --- /dev/null +++ b/openssl-Enable-BTI-feature-for-md5-on-aarch64.patch @@ -0,0 +1,28 @@ +From d2bfec6e464aeb247a2d6853668d4e473f19e15f Mon Sep 17 00:00:00 2001 +From: "fangming.fang" +Date: Thu, 7 Dec 2023 06:17:51 +0000 +Subject: [PATCH] Enable BTI feature for md5 on aarch64 + +Fixes: #22959 +--- + crypto/md5/asm/md5-aarch64.pl | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/crypto/md5/asm/md5-aarch64.pl b/crypto/md5/asm/md5-aarch64.pl +index 3200a0fa9bff0..5a8608069691d 100755 +--- a/crypto/md5/asm/md5-aarch64.pl ++++ b/crypto/md5/asm/md5-aarch64.pl +@@ -28,10 +28,13 @@ + *STDOUT=*OUT; + + $code .= <seed == NULL) { +- ERR_set_mark(); +- dgbl->seed = rand_new_seed(ctx); +- ERR_pop_to_mark(); +- } +-#endif +- +- ret = dgbl->primary = rand_new_drbg(ctx, dgbl->seed, ++ ret = dgbl->primary = rand_new_drbg(ctx, NULL, + PRIMARY_RESEED_INTERVAL, + PRIMARY_RESEED_TIME_INTERVAL, 1); + /* +Index: openssl-3.2.3/providers/implementations/rands/crngt.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/rands/crngt.c ++++ openssl-3.2.3/providers/implementations/rands/crngt.c +@@ -133,7 +133,11 @@ size_t ossl_crngt_get_entropy(PROV_DRBG + * to the nearest byte. If the entropy is of less than full quality, + * the amount required should be scaled up appropriately here. + */ +- bytes_needed = (entropy + 7) / 8; ++ /* ++ * FIPS 140-3: the yet draft SP800-90C requires requested entropy ++ * + 128 bits during initial seeding ++ */ ++ bytes_needed = (entropy + 128 + 7) / 8; + if (bytes_needed < min_len) + bytes_needed = min_len; + if (bytes_needed > max_len) +Index: openssl-3.2.3/providers/implementations/rands/drbg.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/rands/drbg.c ++++ openssl-3.2.3/providers/implementations/rands/drbg.c +@@ -569,6 +569,9 @@ static int ossl_prov_drbg_reseed_unlocke + #endif + } + ++#ifdef FIPS_MODULE ++ prediction_resistance = 1; ++#endif + /* Reseed using our sources in addition */ + entropylen = get_entropy(drbg, &entropy, drbg->strength, + drbg->min_entropylen, drbg->max_entropylen, +@@ -690,8 +693,14 @@ int ossl_prov_drbg_generate(PROV_DRBG *d + reseed_required = 1; + } + if (drbg->parent != NULL +- && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) ++ && get_parent_reseed_count(drbg) != drbg->parent_reseed_counter) { ++#ifdef FIPS_MODULE ++ /* SUSE patches provide chain reseeding when necessary so just sync counters*/ ++ drbg->parent_reseed_counter = get_parent_reseed_count(drbg); ++#else + reseed_required = 1; ++#endif ++ } + + if (reseed_required || prediction_resistance) { + if (!ossl_prov_drbg_reseed_unlocked(drbg, prediction_resistance, NULL, +Index: openssl-3.2.3/providers/implementations/rands/drbg_local.h +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/rands/drbg_local.h ++++ openssl-3.2.3/providers/implementations/rands/drbg_local.h +@@ -38,7 +38,7 @@ + * + * The value is in bytes. + */ +-#define CRNGT_BUFSIZ 16 ++#define CRNGT_BUFSIZ 32 + + /* + * Maximum input size for the DRBG (entropy, nonce, personalization string) +Index: openssl-3.2.3/providers/implementations/rands/seed_src.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/rands/seed_src.c ++++ openssl-3.2.3/providers/implementations/rands/seed_src.c +@@ -102,7 +102,14 @@ static int seed_src_generate(void *vseed + return 0; + } + +- pool = ossl_rand_pool_new(strength, 1, outlen, outlen); ++ /* ++ * OpenSSL still implements an internal entropy pool of ++ * some size that is hashed to get seed data. ++ * Note that this is a conditioning step for which SP800-90C requires ++ * 64 additional bits from the entropy source to claim the requested ++ * amount of entropy. ++ */ ++ pool = ossl_rand_pool_new(strength + 64, 1, outlen, outlen); + if (pool == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); + return 0; +@@ -182,7 +189,14 @@ static size_t seed_get_seed(void *vseed, + size_t i; + RAND_POOL *pool; + +- pool = ossl_rand_pool_new(entropy, 1, min_len, max_len); ++ /* ++ * OpenSSL still implements an internal entropy pool of ++ * some size that is hashed to get seed data. ++ * Note that this is a conditioning step for which SP800-90C requires ++ * 64 additional bits from the entropy source to claim the requested ++ * amount of entropy. ++ */ ++ pool = ossl_rand_pool_new(entropy + 64, 1, min_len, max_len); + if (pool == NULL) { + ERR_raise(ERR_LIB_PROV, ERR_R_RAND_LIB); + return 0; diff --git a/openssl-FIPS-140-3-keychecks.patch b/openssl-FIPS-140-3-keychecks.patch new file mode 100644 index 0000000..9fc5232 --- /dev/null +++ b/openssl-FIPS-140-3-keychecks.patch @@ -0,0 +1,404 @@ +From 4512f620199126e6b87433ef184f0450652ee28a Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Thu, 4 Apr 2024 11:42:18 +0200 +Subject: [PATCH 19/50] 0044-FIPS-140-3-keychecks.patch + +Patch-name: 0044-FIPS-140-3-keychecks.patch +Patch-id: 44 +Patch-status: | + # Extra public/private key checks required by FIPS-140-3 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + crypto/dh/dh_key.c | 26 ++++++++++ + crypto/rsa/rsa_gen.c | 3 ++ + .../implementations/exchange/ecdh_exch.c | 19 ++++++++ + providers/implementations/keymgmt/ec_kmgmt.c | 24 +++++++++- + providers/implementations/keymgmt/rsa_kmgmt.c | 18 +++++++ + .../implementations/signature/ecdsa_sig.c | 37 +++++++++++++-- + providers/implementations/signature/rsa_sig.c | 47 +++++++++++++++++-- + 7 files changed, 165 insertions(+), 9 deletions(-) + +diff --git a/crypto/dh/dh_key.c b/crypto/dh/dh_key.c +index 7132b9b68e..189bfc3e8b 100644 +--- a/crypto/dh/dh_key.c ++++ b/crypto/dh/dh_key.c +@@ -43,6 +43,9 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) + BN_MONT_CTX *mont = NULL; + BIGNUM *z = NULL, *pminus1; + int ret = -1; ++#ifdef FIPS_MODULE ++ int validate = 0; ++#endif + + if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); +@@ -60,6 +63,13 @@ int ossl_dh_compute_key(unsigned char *key, const BIGNUM *pub_key, DH *dh) + return 0; + } + ++#ifdef FIPS_MODULE ++ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) { ++ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID); ++ return 0; ++ } ++#endif ++ + ctx = BN_CTX_new_ex(dh->libctx); + if (ctx == NULL) + goto err; +@@ -271,6 +281,9 @@ static int generate_key(DH *dh) + #endif + BN_CTX *ctx = NULL; + BIGNUM *pub_key = NULL, *priv_key = NULL; ++#ifdef FIPS_MODULE ++ int validate = 0; ++#endif + + if (BN_num_bits(dh->params.p) > OPENSSL_DH_MAX_MODULUS_BITS) { + ERR_raise(ERR_LIB_DH, DH_R_MODULUS_TOO_LARGE); +@@ -369,8 +382,21 @@ static int generate_key(DH *dh) + if (!ossl_dh_generate_public_key(ctx, dh, priv_key, pub_key)) + goto err; + ++#ifdef FIPS_MODULE ++ if (DH_check_pub_key(dh, pub_key, &validate) <= 0) { ++ ERR_raise(ERR_LIB_DH, DH_R_CHECK_PUBKEY_INVALID); ++ goto err; ++ } ++#endif ++ + dh->pub_key = pub_key; + dh->priv_key = priv_key; ++#ifdef FIPS_MODULE ++ if (ossl_dh_check_pairwise(dh) <= 0) { ++ abort(); ++ } ++#endif ++ + dh->dirty_cnt++; + ok = 1; + err: +diff --git a/crypto/rsa/rsa_gen.c b/crypto/rsa/rsa_gen.c +index 0cdbb3fde2..65ff9d2d47 100644 +--- a/crypto/rsa/rsa_gen.c ++++ b/crypto/rsa/rsa_gen.c +@@ -464,6 +464,9 @@ static int rsa_keygen(OSSL_LIB_CTX *libctx, RSA *rsa, int bits, int primes, + rsa->dmp1 = NULL; + rsa->dmq1 = NULL; + rsa->iqmp = NULL; ++#ifdef FIPS_MODULE ++ abort(); ++#endif /* defined(FIPS_MODULE) */ + } + } + return ok; +diff --git a/providers/implementations/exchange/ecdh_exch.c b/providers/implementations/exchange/ecdh_exch.c +index 5b8412aba1..1d98eba132 100644 +--- a/providers/implementations/exchange/ecdh_exch.c ++++ b/providers/implementations/exchange/ecdh_exch.c +@@ -489,6 +489,25 @@ int ecdh_plain_derive(void *vpecdhctx, unsigned char *secret, + } + + ppubkey = EC_KEY_get0_public_key(pecdhctx->peerk); ++#ifdef FIPS_MODULE ++ { ++ BN_CTX *bn_ctx = BN_CTX_new_ex(ossl_ec_key_get_libctx(privk)); ++ int check = 0; ++ ++ if (bn_ctx == NULL) { ++ ERR_raise(ERR_LIB_PROV, ERR_R_MALLOC_FAILURE); ++ goto end; ++ } ++ ++ check = ossl_ec_key_public_check(pecdhctx->peerk, bn_ctx); ++ BN_CTX_free(bn_ctx); ++ ++ if (check <= 0) { ++ ERR_raise(ERR_LIB_PROV, EC_R_INVALID_PEER_KEY); ++ goto end; ++ } ++ } ++#endif + + retlen = ECDH_compute_key(secret, size, ppubkey, privk, NULL); + +diff --git a/providers/implementations/keymgmt/ec_kmgmt.c b/providers/implementations/keymgmt/ec_kmgmt.c +index 9390935394..1399be1751 100644 +--- a/providers/implementations/keymgmt/ec_kmgmt.c ++++ b/providers/implementations/keymgmt/ec_kmgmt.c +@@ -991,8 +991,17 @@ struct ec_gen_ctx { + EC_GROUP *gen_group; + unsigned char *dhkem_ikm; + size_t dhkem_ikmlen; ++#ifdef FIPS_MODULE ++ void *ecdsa_sig_ctx; ++#endif + }; + ++#ifdef FIPS_MODULE ++void *ecdsa_newctx(void *provctx, const char *propq); ++void ecdsa_freectx(void *vctx); ++int do_ec_pct(void *, const char *, void *); ++#endif ++ + static void *ec_gen_init(void *provctx, int selection, + const OSSL_PARAM params[]) + { +@@ -1011,6 +1020,10 @@ static void *ec_gen_init(void *provctx, int selection, + gctx = NULL; + } + } ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->ecdsa_sig_ctx = ecdsa_newctx(provctx, NULL); ++#endif + return gctx; + } + +@@ -1291,6 +1304,12 @@ static void *ec_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) + + if (gctx->ecdh_mode != -1) + ret = ret && ossl_ec_set_ecdh_cofactor_mode(ec, gctx->ecdh_mode); ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if ((gctx->selection & OSSL_KEYMGMT_SELECT_KEYPAIR) != 0 ++ && do_ec_pct(gctx->ecdsa_sig_ctx, "sha256", ec) != 1) ++ abort(); ++#endif + + if (gctx->group_check != NULL) + ret = ret && ossl_ec_set_check_group_type_from_name(ec, +@@ -1361,7 +1380,10 @@ static void ec_gen_cleanup(void *genctx) + + if (gctx == NULL) + return; +- ++#ifdef FIPS_MODULE ++ ecdsa_freectx(gctx->ecdsa_sig_ctx); ++ gctx->ecdsa_sig_ctx = NULL; ++#endif + OPENSSL_clear_free(gctx->dhkem_ikm, gctx->dhkem_ikmlen); + EC_GROUP_free(gctx->gen_group); + BN_free(gctx->p); +diff --git a/providers/implementations/keymgmt/rsa_kmgmt.c b/providers/implementations/keymgmt/rsa_kmgmt.c +index c24cb8da88..4462afa041 100644 +--- a/providers/implementations/keymgmt/rsa_kmgmt.c ++++ b/providers/implementations/keymgmt/rsa_kmgmt.c +@@ -434,6 +434,7 @@ struct rsa_gen_ctx { + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + /* ACVP test parameters */ + OSSL_PARAM *acvp_test_params; ++ void *prov_rsa_ctx; + #endif + }; + +@@ -447,6 +448,12 @@ static int rsa_gencb(int p, int n, BN_GENCB *cb) + return gctx->cb(params, gctx->cbarg); + } + ++#ifdef FIPS_MODULE ++void *rsa_newctx(void *provctx, const char *propq); ++void rsa_freectx(void *vctx); ++int do_rsa_pct(void *, const char *, void *); ++#endif ++ + static void *gen_init(void *provctx, int selection, int rsa_type, + const OSSL_PARAM params[]) + { +@@ -474,6 +481,10 @@ static void *gen_init(void *provctx, int selection, int rsa_type, + + if (!rsa_gen_set_params(gctx, params)) + goto err; ++#ifdef FIPS_MODULE ++ if (gctx != NULL) ++ gctx->prov_rsa_ctx = rsa_newctx(provctx, NULL); ++#endif + return gctx; + + err: +@@ -630,6 +641,11 @@ static void *rsa_gen(void *genctx, OSSL_CALLBACK *osslcb, void *cbarg) + + rsa = rsa_tmp; + rsa_tmp = NULL; ++#ifdef FIPS_MODULE ++ /* Pairwise consistency test */ ++ if (do_rsa_pct(gctx->prov_rsa_ctx, "sha256", rsa) != 1) ++ abort(); ++#endif + err: + BN_GENCB_free(gencb); + RSA_free(rsa_tmp); +@@ -645,6 +661,8 @@ static void rsa_gen_cleanup(void *genctx) + #if defined(FIPS_MODULE) && !defined(OPENSSL_NO_ACVP_TESTS) + ossl_rsa_acvp_test_gen_params_free(gctx->acvp_test_params); + gctx->acvp_test_params = NULL; ++ rsa_freectx(gctx->prov_rsa_ctx); ++ gctx->prov_rsa_ctx = NULL; + #endif + BN_clear_free(gctx->pub_exp); + OPENSSL_free(gctx); +diff --git a/providers/implementations/signature/ecdsa_sig.c b/providers/implementations/signature/ecdsa_sig.c +index fe65ed8dc6..f158105e71 100644 +--- a/providers/implementations/signature/ecdsa_sig.c ++++ b/providers/implementations/signature/ecdsa_sig.c +@@ -33,7 +33,7 @@ + #include "crypto/ec.h" + #include "prov/der_ec.h" + +-static OSSL_FUNC_signature_newctx_fn ecdsa_newctx; ++OSSL_FUNC_signature_newctx_fn ecdsa_newctx; + static OSSL_FUNC_signature_sign_init_fn ecdsa_sign_init; + static OSSL_FUNC_signature_verify_init_fn ecdsa_verify_init; + static OSSL_FUNC_signature_sign_fn ecdsa_sign; +@@ -44,7 +44,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn ecdsa_digest_sign_final; + static OSSL_FUNC_signature_digest_verify_init_fn ecdsa_digest_verify_init; + static OSSL_FUNC_signature_digest_verify_update_fn ecdsa_digest_signverify_update; + static OSSL_FUNC_signature_digest_verify_final_fn ecdsa_digest_verify_final; +-static OSSL_FUNC_signature_freectx_fn ecdsa_freectx; ++OSSL_FUNC_signature_freectx_fn ecdsa_freectx; + static OSSL_FUNC_signature_dupctx_fn ecdsa_dupctx; + static OSSL_FUNC_signature_get_ctx_params_fn ecdsa_get_ctx_params; + static OSSL_FUNC_signature_gettable_ctx_params_fn ecdsa_gettable_ctx_params; +@@ -107,7 +107,7 @@ typedef struct { + unsigned int nonce_type; + } PROV_ECDSA_CTX; + +-static void *ecdsa_newctx(void *provctx, const char *propq) ++void *ecdsa_newctx(void *provctx, const char *propq) + { + PROV_ECDSA_CTX *ctx; + +@@ -380,7 +380,7 @@ int ecdsa_digest_verify_final(void *vctx, const unsigned char *sig, + return ecdsa_verify(ctx, sig, siglen, digest, (size_t)dlen); + } + +-static void ecdsa_freectx(void *vctx) ++void ecdsa_freectx(void *vctx) + { + PROV_ECDSA_CTX *ctx = (PROV_ECDSA_CTX *)vctx; + +@@ -601,6 +601,35 @@ static const OSSL_PARAM *ecdsa_settable_ctx_md_params(void *vctx) + return EVP_MD_settable_ctx_params(ctx->md); + } + ++#ifdef FIPS_MODULE ++int do_ec_pct(void *vctx, const char *mdname, void *ec) ++{ ++ static const unsigned char data[32]; ++ unsigned char sigbuf[256]; ++ size_t siglen = sizeof(sigbuf); ++ ++ if (ecdsa_digest_sign_init(vctx, mdname, ec, NULL) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_sign_final(vctx, sigbuf, &siglen, sizeof(sigbuf)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_verify_init(vctx, mdname, ec, NULL) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (ecdsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) ++ return 0; ++ ++ return 1; ++} ++#endif ++ + const OSSL_DISPATCH ossl_ecdsa_signature_functions[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))ecdsa_newctx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))ecdsa_sign_init }, +diff --git a/providers/implementations/signature/rsa_sig.c b/providers/implementations/signature/rsa_sig.c +index 76db37dd02..22d93ead53 100644 +--- a/providers/implementations/signature/rsa_sig.c ++++ b/providers/implementations/signature/rsa_sig.c +@@ -34,7 +34,7 @@ + + #define RSA_DEFAULT_DIGEST_NAME OSSL_DIGEST_NAME_SHA1 + +-static OSSL_FUNC_signature_newctx_fn rsa_newctx; ++OSSL_FUNC_signature_newctx_fn rsa_newctx; + static OSSL_FUNC_signature_sign_init_fn rsa_sign_init; + static OSSL_FUNC_signature_verify_init_fn rsa_verify_init; + static OSSL_FUNC_signature_verify_recover_init_fn rsa_verify_recover_init; +@@ -47,7 +47,7 @@ static OSSL_FUNC_signature_digest_sign_final_fn rsa_digest_sign_final; + static OSSL_FUNC_signature_digest_verify_init_fn rsa_digest_verify_init; + static OSSL_FUNC_signature_digest_verify_update_fn rsa_digest_signverify_update; + static OSSL_FUNC_signature_digest_verify_final_fn rsa_digest_verify_final; +-static OSSL_FUNC_signature_freectx_fn rsa_freectx; ++OSSL_FUNC_signature_freectx_fn rsa_freectx; + static OSSL_FUNC_signature_dupctx_fn rsa_dupctx; + static OSSL_FUNC_signature_get_ctx_params_fn rsa_get_ctx_params; + static OSSL_FUNC_signature_gettable_ctx_params_fn rsa_gettable_ctx_params; +@@ -170,7 +170,7 @@ static int rsa_check_parameters(PROV_RSA_CTX *prsactx, int min_saltlen) + return 1; + } + +-static void *rsa_newctx(void *provctx, const char *propq) ++void *rsa_newctx(void *provctx, const char *propq) + { + PROV_RSA_CTX *prsactx = NULL; + char *propq_copy = NULL; +@@ -974,7 +974,7 @@ int rsa_digest_verify_final(void *vprsactx, const unsigned char *sig, + return rsa_verify(vprsactx, sig, siglen, digest, (size_t)dlen); + } + +-static void rsa_freectx(void *vprsactx) ++void rsa_freectx(void *vprsactx) + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + +@@ -1451,6 +1451,45 @@ static const OSSL_PARAM *rsa_settable_ctx_md_params(void *vprsactx) + return EVP_MD_settable_ctx_params(prsactx->md); + } + ++#ifdef FIPS_MODULE ++int do_rsa_pct(void *vctx, const char *mdname, void *rsa) ++{ ++ static const unsigned char data[32]; ++ unsigned char *sigbuf = NULL; ++ size_t siglen = 0; ++ int ret = 0; ++ ++ if (rsa_digest_sign_init(vctx, mdname, rsa, NULL) <= 0) ++ return 0; ++ ++ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ return 0; ++ ++ if (rsa_digest_sign_final(vctx, NULL, &siglen, 0) <= 0) ++ return 0; ++ ++ if ((sigbuf = OPENSSL_malloc(siglen)) == NULL) ++ return 0; ++ ++ if (rsa_digest_sign_final(vctx, sigbuf, &siglen, siglen) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_init(vctx, mdname, rsa, NULL) <= 0) ++ goto err; ++ ++ if (rsa_digest_signverify_update(vctx, data, sizeof(data)) <= 0) ++ goto err; ++ ++ if (rsa_digest_verify_final(vctx, sigbuf, siglen) <= 0) ++ goto err; ++ ret = 1; ++ ++ err: ++ OPENSSL_free(sigbuf); ++ return ret; ++} ++#endif ++ + const OSSL_DISPATCH ossl_rsa_signature_functions[] = { + { OSSL_FUNC_SIGNATURE_NEWCTX, (void (*)(void))rsa_newctx }, + { OSSL_FUNC_SIGNATURE_SIGN_INIT, (void (*)(void))rsa_sign_init }, +-- +2.44.0 + diff --git a/openssl-FIPS-140-3-zeroization.patch b/openssl-FIPS-140-3-zeroization.patch new file mode 100644 index 0000000..54fc9ad --- /dev/null +++ b/openssl-FIPS-140-3-zeroization.patch @@ -0,0 +1,81 @@ +Index: openssl-3.2.3/crypto/ec/ec_lib.c +=================================================================== +--- openssl-3.2.3.orig/crypto/ec/ec_lib.c ++++ openssl-3.2.3/crypto/ec/ec_lib.c +@@ -743,12 +743,16 @@ EC_POINT *EC_POINT_new(const EC_GROUP *g + + void EC_POINT_free(EC_POINT *point) + { ++#ifdef FIPS_MODULE ++ EC_POINT_clear_free(point); ++#else + if (point == NULL) + return; + + if (point->meth->point_finish != 0) + point->meth->point_finish(point); + OPENSSL_free(point); ++#endif + } + + void EC_POINT_clear_free(EC_POINT *point) +Index: openssl-3.2.3/crypto/ffc/ffc_params.c +=================================================================== +--- openssl-3.2.3.orig/crypto/ffc/ffc_params.c ++++ openssl-3.2.3/crypto/ffc/ffc_params.c +@@ -27,10 +27,10 @@ void ossl_ffc_params_init(FFC_PARAMS *pa + + void ossl_ffc_params_cleanup(FFC_PARAMS *params) + { +- BN_free(params->p); +- BN_free(params->q); +- BN_free(params->g); +- BN_free(params->j); ++ BN_clear_free(params->p); ++ BN_clear_free(params->q); ++ BN_clear_free(params->g); ++ BN_clear_free(params->j); + OPENSSL_free(params->seed); + ossl_ffc_params_init(params); + } +Index: openssl-3.2.3/crypto/rsa/rsa_lib.c +=================================================================== +--- openssl-3.2.3.orig/crypto/rsa/rsa_lib.c ++++ openssl-3.2.3/crypto/rsa/rsa_lib.c +@@ -159,8 +159,8 @@ void RSA_free(RSA *r) + CRYPTO_THREAD_lock_free(r->lock); + CRYPTO_FREE_REF(&r->references); + +- BN_free(r->n); +- BN_free(r->e); ++ BN_clear_free(r->n); ++ BN_clear_free(r->e); + BN_clear_free(r->d); + BN_clear_free(r->p); + BN_clear_free(r->q); +Index: openssl-3.2.3/providers/implementations/kdfs/hkdf.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/kdfs/hkdf.c ++++ openssl-3.2.3/providers/implementations/kdfs/hkdf.c +@@ -117,7 +117,7 @@ static void kdf_hkdf_reset(void *vctx) + void *provctx = ctx->provctx; + + ossl_prov_digest_reset(&ctx->digest); +- OPENSSL_free(ctx->salt); ++ OPENSSL_clear_free(ctx->salt, ctx->salt_len); + OPENSSL_free(ctx->prefix); + OPENSSL_free(ctx->label); + OPENSSL_clear_free(ctx->data, ctx->data_len); +Index: openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/kdfs/pbkdf2.c ++++ openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c +@@ -90,7 +90,7 @@ static void *kdf_pbkdf2_new(void *provct + static void kdf_pbkdf2_cleanup(KDF_PBKDF2 *ctx) + { + ossl_prov_digest_reset(&ctx->digest); +- OPENSSL_free(ctx->salt); ++ OPENSSL_clear_free(ctx->salt, ctx->salt_len); + OPENSSL_clear_free(ctx->pass, ctx->pass_len); + memset(ctx, 0, sizeof(*ctx)); + } diff --git a/openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch b/openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch new file mode 100644 index 0000000..8fd975c --- /dev/null +++ b/openssl-FIPS-Add-SP800-56Br2-6.4.1.2.1-3.c-check.patch @@ -0,0 +1,16 @@ +Index: openssl-3.1.4/crypto/rsa/rsa_sp800_56b_check.c +=================================================================== +--- openssl-3.1.4.orig/crypto/rsa/rsa_sp800_56b_check.c ++++ openssl-3.1.4/crypto/rsa/rsa_sp800_56b_check.c +@@ -405,7 +405,10 @@ int ossl_rsa_sp800_56b_check_keypair(con + return 0; + } + /* (Step 3.b): check the modulus */ +- if (nbits != BN_num_bits(rsa->n)) { ++ /* If nBits is not a positive even integer, output an indication of an ++ * invalid key pair, and exit without further processing. ++ */ ++ if (nbits <= 0 || nbits % 2 || nbits != BN_num_bits(rsa->n)) { + ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_KEYPAIR); + return 0; + } diff --git a/openssl-FIPS-Add-explicit-indicator-for-key-length.patch b/openssl-FIPS-Add-explicit-indicator-for-key-length.patch new file mode 100644 index 0000000..3a40b60 --- /dev/null +++ b/openssl-FIPS-Add-explicit-indicator-for-key-length.patch @@ -0,0 +1,108 @@ +From e1eba21921ceeffa45ffd2115868c14e4c7fb8d9 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Thu, 17 Nov 2022 18:08:24 +0100 +Subject: [PATCH] hmac: Add explicit FIPS indicator for key length + +NIST SP 800-131Ar2, table 9 "Approval Status of MAC Algorithms" +specifies key lengths < 112 bytes are disallowed for HMAC generation and +are legacy use for HMAC verification. + +Add an explicit indicator that will mark shorter key lengths as +unsupported. The indicator can be queries from the EVP_MAC_CTX object +using EVP_MAC_CTX_get_params() with the + OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR +parameter. + +Signed-off-by: Clemens Lang +--- + include/crypto/evp.h | 7 +++++++ + include/openssl/evp.h | 3 +++ + providers/implementations/macs/hmac_prov.c | 17 +++++++++++++++++ + 4 files changed, 28 insertions(+) + +Index: openssl-3.2.3/include/crypto/evp.h +=================================================================== +--- openssl-3.2.3.orig/include/crypto/evp.h ++++ openssl-3.2.3/include/crypto/evp.h +@@ -206,6 +206,13 @@ const EVP_PKEY_METHOD *ossl_ed448_pkey_m + const EVP_PKEY_METHOD *ossl_rsa_pkey_method(void); + const EVP_PKEY_METHOD *ossl_rsa_pss_pkey_method(void); + ++#ifdef FIPS_MODULE ++/* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms specifies key ++ * lengths < 112 bytes are disallowed for HMAC generation and legacy use for ++ * HMAC verification. */ ++# define EVP_HMAC_GEN_FIPS_MIN_KEY_LEN (112 / 8) ++#endif ++ + struct evp_mac_st { + OSSL_PROVIDER *prov; + int name_id; +Index: openssl-3.2.3/include/openssl/evp.h +=================================================================== +--- openssl-3.2.3.orig/include/openssl/evp.h ++++ openssl-3.2.3/include/openssl/evp.h +@@ -1199,6 +1199,9 @@ void EVP_MD_do_all_provided(OSSL_LIB_CTX + void *arg); + + /* MAC stuff */ ++# define EVP_MAC_SUSE_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_MAC_SUSE_FIPS_INDICATOR_APPROVED 1 ++# define EVP_MAC_SUSE_FIPS_INDICATOR_NOT_APPROVED 2 + + EVP_MAC *EVP_MAC_fetch(OSSL_LIB_CTX *libctx, const char *algorithm, + const char *properties); +Index: openssl-3.2.3/providers/implementations/macs/hmac_prov.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/macs/hmac_prov.c ++++ openssl-3.2.3/providers/implementations/macs/hmac_prov.c +@@ -23,6 +23,8 @@ + + #include "internal/ssl3_cbc.h" + ++#include "crypto/evp.h" ++ + #include "prov/implementations.h" + #include "prov/provider_ctx.h" + #include "prov/provider_util.h" +@@ -235,6 +237,9 @@ static int hmac_final(void *vmacctx, uns + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_MAC_PARAM_SIZE, NULL), + OSSL_PARAM_size_t(OSSL_MAC_PARAM_BLOCK_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + static const OSSL_PARAM *hmac_gettable_ctx_params(ossl_unused void *ctx, +@@ -256,6 +261,18 @@ static int hmac_get_ctx_params(void *vma + && !OSSL_PARAM_set_int(p, hmac_block_size(macctx))) + return 0; + ++#ifdef FIPS_MODULE ++ if ((p = OSSL_PARAM_locate(params, OSSL_MAC_PARAM_SUSE_FIPS_INDICATOR)) != NULL) { ++ int fips_indicator = EVP_MAC_SUSE_FIPS_INDICATOR_APPROVED; ++ /* NIST SP 800-131Ar2, Table 9: Approval Status of MAC Algorithms ++ * specifies key lengths < 112 bytes are disallowed for HMAC generation ++ * and legacy use for HMAC verification. */ ++ if (macctx->keylen < EVP_HMAC_GEN_FIPS_MIN_KEY_LEN) ++ fips_indicator = EVP_MAC_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ return OSSL_PARAM_set_int(p, fips_indicator); ++ } ++#endif /* defined(FIPS_MODULE) */ ++ + return 1; + } + +Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm +=================================================================== +--- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm ++++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm +@@ -143,6 +143,7 @@ my %params = ( + 'MAC_PARAM_SIZE' => "size", # size_t + 'MAC_PARAM_BLOCK_SIZE' => "block-size", # size_t + 'MAC_PARAM_TLS_DATA_SIZE' => "tls-data-size", # size_t ++ 'MAC_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator", # size_t + + # KDF / PRF parameters + 'KDF_PARAM_SECRET' => "secret", # octet string diff --git a/openssl-FIPS-Enforce-error-state.patch b/openssl-FIPS-Enforce-error-state.patch new file mode 100644 index 0000000..76f35ba --- /dev/null +++ b/openssl-FIPS-Enforce-error-state.patch @@ -0,0 +1,20 @@ +Index: openssl-3.1.4/providers/fips/fipsprov.c +=================================================================== +--- openssl-3.1.4.orig/providers/fips/fipsprov.c ++++ openssl-3.1.4/providers/fips/fipsprov.c +@@ -805,6 +805,7 @@ int OSSL_provider_init_int(const OSSL_CO + /* Error already raised */ + goto err; + } ++#if 0 /* Don't allow to skip the error state */ + /* + * Disable the conditional error check if it's disabled in the fips config + * file. +@@ -812,6 +813,7 @@ int OSSL_provider_init_int(const OSSL_CO + if (fgbl->selftest_params.conditional_error_check != NULL + && strcmp(fgbl->selftest_params.conditional_error_check, "0") == 0) + SELF_TEST_disable_conditional_error_state(); ++#endif + + /* Enable or disable FIPS provider options */ + #define FIPS_SET_OPTION(fgbl, field) \ diff --git a/openssl-FIPS-Expose-a-FIPS-indicator.patch b/openssl-FIPS-Expose-a-FIPS-indicator.patch new file mode 100644 index 0000000..aba120e --- /dev/null +++ b/openssl-FIPS-Expose-a-FIPS-indicator.patch @@ -0,0 +1,462 @@ +From e3d6fca1af033d00c47bcd8f9ba28fcf1aa476aa Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Tue, 7 Jun 2022 12:02:49 +0200 +Subject: [PATCH] fips: Expose a FIPS indicator + +FIPS 140-3 requires us to indicate whether an operation was using +approved services or not. The FIPS 140-3 implementation guidelines +provide two basic approaches to doing this: implicit indicators, and +explicit indicators. + +Implicit indicators are basically the concept of "if the operation +passes, it was approved". We were originally aiming for implicit +indicators in our copy of OpenSSL. However, this proved to be a problem, +because we wanted to certify a signature service, and FIPS 140-3 +requires that a signature service computes the digest to be signed +within the boundaries of the FIPS module. Since we were planning to +certify fips.so only, this means that EVP_PKEY_sign/EVP_PKEY_verify +would have to be blocked. Unfortunately, EVP_SignFinal uses +EVP_PKEY_sign internally, but outside of fips.so and thus outside of the +FIPS module boundary. This means that using implicit indicators in +combination with certifying only fips.so would require us to block both +EVP_PKEY_sign and EVP_SignFinal, which are the two APIs currently used +by most users of OpenSSL for signatures. + +EVP_DigestSign would be acceptable, but has only been added in 3.0 and +is thus not yet widely used. + +As a consequence, we've decided to introduce explicit indicators so that +EVP_PKEY_sign and EVP_SignFinal can continue to work for now, but +FIPS-aware applications can query the explicit indicator to check +whether the operation was approved. + +To avoid affecting the ABI and public API too much, this is implemented +as an exported symbol in fips.so and a private header, so applications +that wish to use this will have to dlopen(3) fips.so, locate the +function using dlsym(3), and then call it. These applications will have +to build against the private header in order to use the returned +pointer. + +Modify util/mkdef.pl to support exposing a symbol only for a specific +provider identified by its name and path. + +Signed-off-by: Clemens Lang +--- + doc/build.info | 6 ++ + doc/man7/fips_module_indicators.pod | 154 ++++++++++++++++++++++++++++ + providers/fips/fipsprov.c | 71 +++++++++++++ + providers/fips/indicator.h | 66 ++++++++++++ + util/mkdef.pl | 25 ++++- + util/providers.num | 1 + + 6 files changed, 322 insertions(+), 1 deletion(-) + create mode 100644 doc/man7/fips_module_indicators.pod + create mode 100644 providers/fips/indicator.h + +Index: openssl-3.1.4/doc/build.info +=================================================================== +--- openssl-3.1.4.orig/doc/build.info ++++ openssl-3.1.4/doc/build.info +@@ -4467,6 +4467,10 @@ DEPEND[html/man7/fips_module.html]=man7/ + GENERATE[html/man7/fips_module.html]=man7/fips_module.pod + DEPEND[man/man7/fips_module.7]=man7/fips_module.pod + GENERATE[man/man7/fips_module.7]=man7/fips_module.pod ++DEPEND[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod ++GENERATE[html/man7/fips_module_indicators.html]=man7/fips_module_indicators.pod ++DEPEND[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod ++GENERATE[man/man7/fips_module_indicators.7]=man7/fips_module_indicators.pod + DEPEND[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod + GENERATE[html/man7/life_cycle-cipher.html]=man7/life_cycle-cipher.pod + DEPEND[man/man7/life_cycle-cipher.7]=man7/life_cycle-cipher.pod +@@ -4712,6 +4716,7 @@ html/man7/ct.html \ + html/man7/des_modes.html \ + html/man7/evp.html \ + html/man7/fips_module.html \ ++html/man7/fips_module_indicators.html \ + html/man7/life_cycle-cipher.html \ + html/man7/life_cycle-digest.html \ + html/man7/life_cycle-kdf.html \ +@@ -4838,6 +4843,7 @@ man/man7/ct.7 \ + man/man7/des_modes.7 \ + man/man7/evp.7 \ + man/man7/fips_module.7 \ ++man/man7/fips_module_indicators.7 \ + man/man7/life_cycle-cipher.7 \ + man/man7/life_cycle-digest.7 \ + man/man7/life_cycle-kdf.7 \ +Index: openssl-3.1.4/doc/man7/fips_module_indicators.pod +=================================================================== +--- /dev/null ++++ openssl-3.1.4/doc/man7/fips_module_indicators.pod +@@ -0,0 +1,155 @@ ++=pod ++ ++=head1 NAME ++ ++fips_module_indicators - SUSE OpenSSL FIPS module indicators guide ++ ++=head1 DESCRIPTION ++ ++This guide documents how the SUSE Linux Enterprise OpenSSL FIPS provider ++implements Approved Security Service Indicators according to the FIPS 140-3 ++Implementation Guidelines, section 2.4.C. See ++L ++for the FIPS 140-3 Implementation Guidelines. ++ ++For all approved services except signatures, the SUSE OpenSSL FIPS provider ++uses the return code as the indicator as understood by FIPS 140-3. That means ++that every operation that succeeds denotes use of an approved security service. ++Operations that do not succeed may not have been approved security services, or ++may have been used incorrectly. ++ ++For signatures, an explicit indicator API is available to determine whether ++a selected operation is an approved security service, in combination with the ++return code of the operation. For a signature operation to be approved, the ++explicit indicator must claim it as approved, and it must succeed. ++ ++=head2 Querying the explicit indicator ++ ++The SUSE OpenSSL FIPS provider exports a symbol named ++I that provides information on which signature ++operations are approved security functions. To use this function, either link ++against I directly, or load it at runtime using dlopen(3) and ++dlsym(3). ++ ++ #include ++ #include "providers/fips/indicator.h" ++ ++ void *provider = dlopen("/usr/lib64/ossl-modules/fips.so", RTLD_LAZY); ++ if (provider == NULL) { ++ fprintf(stderr, "%s\n", dlerror()); ++ // handle error ++ } ++ ++ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM *(*suse_ossl_query_fipsindicator)(int) \ ++ = dlsym(provider, "suse_ossl_query_fipsindicator"); ++ if (suse_ossl_query_fipsindicator == NULL) { ++ fprintf(stderr, "%s\n", dlerror()); ++ fprintf(stderr, "Does your copy of fips.so have the required SUSE" ++ " patches?\n"); ++ // handle error ++ } ++ ++Note that this uses the I header, which is not ++public. Install the I package from the I ++repository using I and include ++I in the compiler's include path. ++ ++I expects an operation ID as its only ++argument. Currently, the only supported operation ID is I to ++obtain the indicators for signature operations. On success, the return value is ++a pointer to an array of Is. On failure, NULL is ++returned. The last entry in the array is indicated by I being ++NULL. ++ ++ typedef struct ossl_suse_fipsindicator_algorithm_st { ++ const char *algorithm_names; /* key */ ++ const char *property_definition; /* key */ ++ const OSSL_SUSE_FIPSINDICATOR_DISPATCH *indicators; ++ } OSSL_SUSE_FIPSINDICATOR_ALGORITHM; ++ ++ typedef struct ossl_suse_fipsindicator_dispatch_st { ++ int function_id; ++ int approved; ++ } OSSL_SUSE_FIPSINDICATOR_DISPATCH; ++ ++The I field is a colon-separated list of algorithm names from ++one of the I constants, e.g., I. strtok(3) can ++be used to locate the appropriate entry. See the example below, where ++I contains the algorithm name to search for: ++ ++ const OSSL_SUSE_FIPSINDICATOR_DISPATCH *indicator_dispatch = NULL; ++ const OSSL_SUSE_FIPSINDICATOR_ALGORITHM *indicator = ++ suse_ossl_query_fipsindicator(operation_id); ++ if (indicator == NULL) { ++ fprintf(stderr, "No indicator for operation, probably using implicit" ++ " indicators.\n"); ++ // handle error ++ } ++ ++ for (; indicator->algorithm_names != NULL; ++indicator) { ++ char *algorithm_names = strdup(indicator->algorithm_names); ++ if (algorithm_names == NULL) { ++ perror("strdup(3)"); ++ // handle error ++ } ++ ++ const char *algorithm_name = strtok(algorithm_names, ":"); ++ for (; algorithm_name != NULL; algorithm_name = strtok(NULL, ":")) { ++ if (strcasecmp(algorithm_name, algorithm) == 0) { ++ indicator_dispatch = indicator->indicators; ++ free(algorithm_names); ++ algorithm_names = NULL; ++ break; ++ } ++ } ++ free(algorithm_names); ++ } ++ if (indicator_dispatch == NULL) { ++ fprintf(stderr, "No indicator for algorithm %s.\n", algorithm); ++ // handle error ++ } ++ ++If an appropriate I array is available for the ++given algorithm name, it maps function IDs to their approval status. The last ++entry is indicated by a zero I. I is ++I if the operation is an approved security ++service, or part of an approved security service, or ++I otherwise. Any other value is invalid. ++Function IDs are I constants from I, ++e.g., I or I. ++ ++Assuming I is the function in question, the following code can be ++used to query the approval status: ++ ++ for (; indicator_dispatch->function_id != 0; ++indicator_dispatch) { ++ if (indicator_dispatch->function_id == function_id) { ++ switch (indicator_dispatch->approved) { ++ case OSSL_SUSE_FIPSINDICATOR_APPROVED: ++ // approved security service ++ break; ++ case OSSL_SUSE_FIPSINDICATOR_UNAPPROVED: ++ // unapproved security service ++ break; ++ default: ++ // invalid result ++ break; ++ } ++ break; ++ } ++ } ++ ++=head1 SEE ALSO ++ ++L, L ++ ++=head1 COPYRIGHT ++ ++Copyright 2022 Red Hat, Inc. All Rights Reserved. ++Copyright 2024 SUSE LLC. All Rights Reserved. ++ ++Licensed under the Apache License 2.0 (the "License"). You may not use ++this file except in compliance with the License. You can obtain a copy ++in the file LICENSE in the source distribution or at ++L. ++ ++=cut +Index: openssl-3.1.4/providers/fips/fipsprov.c +=================================================================== +--- openssl-3.1.4.orig/providers/fips/fipsprov.c ++++ openssl-3.1.4/providers/fips/fipsprov.c +@@ -26,6 +26,7 @@ + #include "self_test.h" + #include "crypto/context.h" + #include "internal/core.h" ++#include "indicator.h" + + static const char FIPS_DEFAULT_PROPERTIES[] = "provider=fips,fips=yes"; + static const char FIPS_UNAPPROVED_PROPERTIES[] = "provider=fips,fips=no"; +@@ -438,6 +439,68 @@ static const OSSL_ALGORITHM fips_signatu + { NULL, NULL, NULL } + }; + ++static const OSSL_SUSE_FIPSINDICATOR_DISPATCH suse_rsa_signature_indicators[] = { ++ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY_RECOVER, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { 0, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED } ++}; ++ ++static const OSSL_SUSE_FIPSINDICATOR_DISPATCH suse_ecdsa_signature_indicators[] = { ++ { OSSL_FUNC_SIGNATURE_NEWCTX, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SIGN_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_SIGN, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY_INIT, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_VERIFY, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_INIT, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_UPDATE, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_INIT, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_UPDATE, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DIGEST_VERIFY_FINAL, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_FREECTX, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_DUPCTX, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GET_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SET_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GET_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_GETTABLE_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SET_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { OSSL_FUNC_SIGNATURE_SETTABLE_CTX_MD_PARAMS, OSSL_SUSE_FIPSINDICATOR_APPROVED }, ++ { 0, OSSL_SUSE_FIPSINDICATOR_UNAPPROVED } ++}; ++ ++static const OSSL_SUSE_FIPSINDICATOR_ALGORITHM suse_indicator_fips_signature[] = { ++ { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ++ suse_rsa_signature_indicators }, ++#ifndef OPENSSL_NO_EC ++ { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ++ suse_ecdsa_signature_indicators }, ++#endif ++ { NULL, NULL, NULL } ++}; ++ + static const OSSL_ALGORITHM fips_asym_cipher[] = { + { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_asym_cipher_functions }, + { NULL, NULL, NULL } +@@ -520,6 +583,14 @@ static const OSSL_ALGORITHM *fips_query( + } + return NULL; + } ++ ++const OSSL_SUSE_FIPSINDICATOR_ALGORITHM *suse_ossl_query_fipsindicator(int operation_id) { ++ switch (operation_id) { ++ case OSSL_OP_SIGNATURE: ++ return suse_indicator_fips_signature; ++ } ++ return NULL; ++} + + static void fips_teardown(void *provctx) + { +Index: openssl-3.1.4/providers/fips/indicator.h +=================================================================== +--- /dev/null ++++ openssl-3.1.4/providers/fips/indicator.h +@@ -0,0 +1,66 @@ ++/* ++ * Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++#ifndef OPENSSL_FIPS_INDICATOR_H ++# define OPENSSL_FIPS_INDICATOR_H ++# pragma once ++ ++# ifdef __cplusplus ++extern "C" { ++# endif ++ ++# define OSSL_SUSE_FIPSINDICATOR_UNAPPROVED (0) ++# define OSSL_SUSE_FIPSINDICATOR_APPROVED (1) ++ ++/* ++ * FIPS indicator dispatch table element. function_id numbers and the ++ * functions are defined in core_dispatch.h, see macros with ++ * 'OSSL_CORE_MAKE_FUNC' in their names. ++ * ++ * An array of these is always terminated by function_id == 0 ++ */ ++typedef struct ossl_suse_fipsindicator_dispatch_st { ++ int function_id; ++ int approved; ++} OSSL_SUSE_FIPSINDICATOR_DISPATCH; ++ ++/* ++ * Type to tie together algorithm names, property definition string and the ++ * algorithm implementation's FIPS indicator status in the form of a FIPS ++ * indicator dispatch table. ++ * ++ * An array of these is always terminated by algorithm_names == NULL ++ */ ++typedef struct ossl_suse_fipsindicator_algorithm_st { ++ const char *algorithm_names; /* key */ ++ const char *property_definition; /* key */ ++ const OSSL_SUSE_FIPSINDICATOR_DISPATCH *indicators; ++} OSSL_SUSE_FIPSINDICATOR_ALGORITHM; ++ ++/** ++ * Query FIPS indicator status for the given operation. Possible values for ++ * 'operation_id' are currently only OSSL_OP_SIGNATURE, as all other algorithms ++ * use implicit indicators. The return value is an array of ++ * OSSL_SUSE_FIPSINDICATOR_ALGORITHMs, terminated by an entry with ++ * algorithm_names == NULL. 'algorithm_names' is a colon-separated list of ++ * algorithm names, 'property_definition' a comma-separated list of properties, ++ * and 'indicators' is a list of OSSL_SUSE_FIPSINDICATOR_DISPATCH structs. This ++ * list is terminated by function_id == 0. 'function_id' is one of the ++ * OSSL_FUNC_* constants, e.g., OSSL_FUNC_SIGNATURE_DIGEST_SIGN_FINAL. ++ * ++ * If there is no entry in the returned struct for the given operation_id, ++ * algorithm name, or function_id, the algorithm is unapproved. ++ */ ++const OSSL_SUSE_FIPSINDICATOR_ALGORITHM *suse_ossl_query_fipsindicator(int operation_id); ++ ++# ifdef __cplusplus ++} ++# endif ++ ++#endif +Index: openssl-3.1.4/util/mkdef.pl +=================================================================== +--- openssl-3.1.4.orig/util/mkdef.pl ++++ openssl-3.1.4/util/mkdef.pl +@@ -153,7 +153,8 @@ $ordinal_opts{filter} = + return + $item->exists() + && platform_filter($item) +- && feature_filter($item); ++ && feature_filter($item) ++ && fips_filter($item, $name); + }; + my $ordinals = OpenSSL::Ordinals->new(from => $ordinals_file); + +@@ -209,6 +210,28 @@ sub feature_filter { + return $verdict; + } + ++sub fips_filter { ++ my $item = shift; ++ my $name = uc(shift); ++ my @features = ( $item->features() ); ++ ++ # True if no features are defined ++ return 1 if scalar @features == 0; ++ ++ my @matches = grep(/^ONLY_.*$/, @features); ++ if (@matches) { ++ # There is at least one only_* flag on this symbol, check if any of ++ # them match the name ++ for (@matches) { ++ if ($_ eq "ONLY_${name}") { ++ return 1; ++ } ++ } ++ return 0; ++ } ++ return 1; ++} ++ + sub sorter_unix { + my $by_name = OpenSSL::Ordinals::by_name(); + my %weight = ( +Index: openssl-3.1.4/util/providers.num +=================================================================== +--- openssl-3.1.4.orig/util/providers.num ++++ openssl-3.1.4/util/providers.num +@@ -1 +1,2 @@ + OSSL_provider_init 1 * EXIST::FUNCTION: ++suse_ossl_query_fipsindicator 1 * EXIST::FUNCTION:ONLY_PROVIDERS/FIPS diff --git a/openssl-FIPS-RSA-disable-shake.patch b/openssl-FIPS-RSA-disable-shake.patch new file mode 100644 index 0000000..226f786 --- /dev/null +++ b/openssl-FIPS-RSA-disable-shake.patch @@ -0,0 +1,98 @@ +From 2306fde5556cbcb875d095c09fed01a0f16fe7ec Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 15:51:55 +0200 +Subject: [PATCH 40/48] 0085-FIPS-RSA-disable-shake.patch + +Patch-name: 0085-FIPS-RSA-disable-shake.patch +Patch-id: 85 +--- + crypto/rsa/rsa_oaep.c | 28 ++++++++++++++++++++++++++++ + crypto/rsa/rsa_pss.c | 16 ++++++++++++++++ + 2 files changed, 44 insertions(+) + +Index: openssl-3.1.7/crypto/rsa/rsa_oaep.c +=================================================================== +--- openssl-3.1.7.orig/crypto/rsa/rsa_oaep.c ++++ openssl-3.1.7/crypto/rsa/rsa_oaep.c +@@ -78,9 +78,23 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1 + return 0; + #endif + } ++ ++#ifdef FIPS_MODULE ++ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); ++ return 0; ++ } ++#endif + if (mgf1md == NULL) + mgf1md = md; + ++#ifdef FIPS_MODULE ++ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); ++ return 0; ++ } ++#endif ++ + mdlen = EVP_MD_get_size(md); + if (mdlen <= 0) { + ERR_raise(ERR_LIB_RSA, RSA_R_INVALID_LENGTH); +@@ -203,9 +217,23 @@ int RSA_padding_check_PKCS1_OAEP_mgf1(un + #endif + } + ++#ifdef FIPS_MODULE ++ if (EVP_MD_is_a(md, "SHAKE-128") || EVP_MD_is_a(md, "SHAKE-256")) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); ++ return -1; ++ } ++#endif ++ + if (mgf1md == NULL) + mgf1md = md; + ++#ifdef FIPS_MODULE ++ if (EVP_MD_is_a(mgf1md, "SHAKE-128") || EVP_MD_is_a(mgf1md, "SHAKE-256")) { ++ ERR_raise(ERR_LIB_RSA, RSA_R_DIGEST_NOT_ALLOWED); ++ return -1; ++ } ++#endif ++ + mdlen = EVP_MD_get_size(md); + + if (tlen <= 0 || flen <= 0 || mdlen <= 0) +Index: openssl-3.1.7/crypto/rsa/rsa_pss.c +=================================================================== +--- openssl-3.1.7.orig/crypto/rsa/rsa_pss.c ++++ openssl-3.1.7/crypto/rsa/rsa_pss.c +@@ -53,6 +53,14 @@ int RSA_verify_PKCS1_PSS_mgf1(RSA *rsa, + if (mgf1Hash == NULL) + mgf1Hash = Hash; + ++#ifdef FIPS_MODULE ++ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256")) ++ goto err; ++ ++ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256")) ++ goto err; ++#endif ++ + hLen = EVP_MD_get_size(Hash); + if (hLen < 0) + goto err; +@@ -168,6 +176,14 @@ int RSA_padding_add_PKCS1_PSS_mgf1(RSA * + if (mgf1Hash == NULL) + mgf1Hash = Hash; + ++#ifdef FIPS_MODULE ++ if (EVP_MD_is_a(Hash, "SHAKE-128") || EVP_MD_is_a(Hash, "SHAKE-256")) ++ goto err; ++ ++ if (EVP_MD_is_a(mgf1Hash, "SHAKE-128") || EVP_MD_is_a(mgf1Hash, "SHAKE-256")) ++ goto err; ++#endif ++ + hLen = EVP_MD_get_size(Hash); + if (hLen < 0) + goto err; diff --git a/openssl-FIPS-RSA-encapsulate.patch b/openssl-FIPS-RSA-encapsulate.patch new file mode 100644 index 0000000..3e87529 --- /dev/null +++ b/openssl-FIPS-RSA-encapsulate.patch @@ -0,0 +1,47 @@ +From afab56d09edb525dd794fcb2ae2295ab7f39400a Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 16:01:48 +0200 +Subject: [PATCH 42/48] 0091-FIPS-RSA-encapsulate.patch + +Patch-name: 0091-FIPS-RSA-encapsulate.patch +Patch-id: 91 +--- + providers/implementations/kem/rsa_kem.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git a/providers/implementations/kem/rsa_kem.c b/providers/implementations/kem/rsa_kem.c +index 365ae3d7d6..8a6f585d0b 100644 +--- a/providers/implementations/kem/rsa_kem.c ++++ b/providers/implementations/kem/rsa_kem.c +@@ -265,6 +265,14 @@ static int rsasve_generate(PROV_RSA_CTX *prsactx, + *secretlen = nlen; + return 1; + } ++ ++#ifdef FIPS_MODULE ++ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); ++ return 0; ++ } ++#endif ++ + /* + * Step (2): Generate a random byte string z of nlen bytes where + * 1 < z < n - 1 +@@ -308,6 +316,13 @@ static int rsasve_recover(PROV_RSA_CTX *prsactx, + return 1; + } + ++#ifdef FIPS_MODULE ++ if (nlen < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS/8) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); ++ return 0; ++ } ++#endif ++ + /* Step (2): check the input ciphertext 'inlen' matches the nlen */ + if (inlen != nlen) { + ERR_raise(ERR_LIB_PROV, PROV_R_BAD_LENGTH); +-- +2.41.0 + diff --git a/openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch b/openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch new file mode 100644 index 0000000..bb1888d --- /dev/null +++ b/openssl-FIPS-Remove-X9.31-padding-from-FIPS-prov.patch @@ -0,0 +1,270 @@ +From 930e7acf7dd225102b6e88d23f5e2a3f4acea9fa Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 15:43:57 +0200 +Subject: [PATCH 37/48] + 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch + +Patch-name: 0081-signature-Remove-X9.31-padding-from-FIPS-prov.patch +Patch-id: 81 +--- + providers/implementations/signature/rsa_sig.c | 6 + + test/acvp_test.inc | 214 ------------------ + 2 files changed, 6 insertions(+), 214 deletions(-) + +Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c +@@ -1291,7 +1291,13 @@ static int rsa_set_ctx_params(void *vprs + err_extra_text = "No padding not allowed with RSA-PSS"; + goto cont; + case RSA_X931_PADDING: ++#ifndef FIPS_MODULE + err_extra_text = "X.931 padding not allowed with RSA-PSS"; ++#else /* !defined(FIPS_MODULE) */ ++ err_extra_text = "X.931 padding no longer allowed in FIPS mode," ++ " since it was removed from FIPS 186-5"; ++ goto bad_pad; ++#endif /* !defined(FIPS_MODULE) */ + cont: + if (RSA_test_flags(prsactx->rsa, + RSA_FLAG_TYPE_MASK) == RSA_FLAG_TYPE_RSA) +Index: openssl-3.2.3/test/acvp_test.inc +=================================================================== +--- openssl-3.2.3.orig/test/acvp_test.inc ++++ openssl-3.2.3/test/acvp_test.inc +@@ -1214,13 +1214,6 @@ static const struct rsa_siggen_st rsa_si + NO_PSS_SALT_LEN, + }, + { +- "x931", +- 2048, +- "SHA384", +- ITM(rsa_siggen0_msg), +- NO_PSS_SALT_LEN, +- }, +- { + "pss", + 2048, + "SHA384", +@@ -1631,202 +1624,6 @@ static const unsigned char rsa_sigverpss + 0x5c, 0xea, 0x8a, 0x92, 0x31, 0xd2, 0x11, 0x4b, + }; + +-static const unsigned char rsa_sigverx931_0_n[] = { +- 0xa0, 0x16, 0x14, 0x80, 0x8b, 0x17, 0x2b, 0xad, +- 0xd7, 0x07, 0x31, 0x6d, 0xfc, 0xba, 0x25, 0x83, +- 0x09, 0xa0, 0xf7, 0x71, 0xc6, 0x06, 0x22, 0x87, +- 0xd6, 0xbd, 0x13, 0xd9, 0xfe, 0x7c, 0xf7, 0xe6, +- 0x48, 0xdb, 0x27, 0xd8, 0xa5, 0x49, 0x8e, 0x8c, +- 0xea, 0xbe, 0xe0, 0x04, 0x6f, 0x3d, 0x3b, 0x73, +- 0xdc, 0xc5, 0xd4, 0xdc, 0x85, 0xef, 0xea, 0x10, +- 0x46, 0xf3, 0x88, 0xb9, 0x93, 0xbc, 0xa0, 0xb6, +- 0x06, 0x02, 0x82, 0xb4, 0x2d, 0x54, 0xec, 0x79, +- 0x50, 0x8a, 0xfc, 0xfa, 0x62, 0x45, 0xbb, 0xd7, +- 0x26, 0xcd, 0x88, 0xfa, 0xe8, 0x0f, 0x26, 0x5b, +- 0x1f, 0x21, 0x3f, 0x3b, 0x5d, 0x98, 0x3f, 0x02, +- 0x8c, 0xa1, 0xbf, 0xc0, 0x70, 0x4d, 0xd1, 0x41, +- 0xfd, 0xb9, 0x55, 0x12, 0x90, 0xc8, 0x6e, 0x0f, +- 0x19, 0xa8, 0x5c, 0x31, 0xd6, 0x16, 0x0e, 0xdf, +- 0x08, 0x84, 0xcd, 0x4b, 0xfd, 0x28, 0x8d, 0x7d, +- 0x6e, 0xea, 0xc7, 0x95, 0x4a, 0xc3, 0x84, 0x54, +- 0x7f, 0xb0, 0x20, 0x29, 0x96, 0x39, 0x4c, 0x3e, +- 0x85, 0xec, 0x22, 0xdd, 0xb9, 0x14, 0xbb, 0x04, +- 0x2f, 0x4c, 0x0c, 0xe3, 0xfa, 0xae, 0x47, 0x79, +- 0x59, 0x8e, 0x4e, 0x7d, 0x4a, 0x17, 0xae, 0x16, +- 0x38, 0x66, 0x4e, 0xff, 0x45, 0x7f, 0xac, 0x5e, +- 0x75, 0x9f, 0x51, 0x18, 0xe6, 0xad, 0x6b, 0x8b, +- 0x3d, 0x08, 0x4d, 0x9a, 0xd2, 0x11, 0xba, 0xa8, +- 0xc3, 0xb5, 0x17, 0xb5, 0xdf, 0xe7, 0x39, 0x89, +- 0x27, 0x7b, 0xeb, 0xf4, 0xe5, 0x7e, 0xa9, 0x7b, +- 0x39, 0x40, 0x6f, 0xe4, 0x82, 0x14, 0x3d, 0x62, +- 0xb6, 0xd4, 0x43, 0xd0, 0x0a, 0x2f, 0xc1, 0x73, +- 0x3d, 0x99, 0x37, 0xbe, 0x62, 0x13, 0x6a, 0x8b, +- 0xeb, 0xc5, 0x64, 0xd5, 0x2a, 0x8b, 0x4f, 0x7f, +- 0x82, 0x48, 0x69, 0x3e, 0x08, 0x1b, 0xb5, 0x77, +- 0xd3, 0xdc, 0x1b, 0x2c, 0xe5, 0x59, 0xf6, 0x33, +- 0x47, 0xa0, 0x0f, 0xff, 0x8a, 0x6a, 0x1d, 0x66, +- 0x24, 0x67, 0x36, 0x7d, 0x21, 0xda, 0xc1, 0xd4, +- 0x11, 0x6c, 0xe8, 0x5f, 0xd7, 0x8a, 0x53, 0x5c, +- 0xb2, 0xe2, 0xf9, 0x14, 0x29, 0x0f, 0xcf, 0x28, +- 0x32, 0x4f, 0xc6, 0x17, 0xf6, 0xbc, 0x0e, 0xb8, +- 0x99, 0x7c, 0x14, 0xa3, 0x40, 0x3f, 0xf3, 0xe4, +- 0x31, 0xbe, 0x54, 0x64, 0x5a, 0xad, 0x1d, 0xb0, +- 0x37, 0xcc, 0xd9, 0x0b, 0xa4, 0xbc, 0xe0, 0x07, +- 0x37, 0xd1, 0xe1, 0x65, 0xc6, 0x53, 0xfe, 0x60, +- 0x6a, 0x64, 0xa4, 0x01, 0x00, 0xf3, 0x5b, 0x9a, +- 0x28, 0x61, 0xde, 0x7a, 0xd7, 0x0d, 0x56, 0x1e, +- 0x4d, 0xa8, 0x6a, 0xb5, 0xf2, 0x86, 0x2a, 0x4e, +- 0xaa, 0x37, 0x23, 0x5a, 0x3b, 0x69, 0x66, 0x81, +- 0xc8, 0x8e, 0x1b, 0x31, 0x0f, 0x28, 0x31, 0x9a, +- 0x2d, 0xe5, 0x79, 0xcc, 0xa4, 0xca, 0x60, 0x45, +- 0xf7, 0x83, 0x73, 0x5a, 0x01, 0x29, 0xda, 0xf7, +- +-}; +-static const unsigned char rsa_sigverx931_0_e[] = { +- 0x01, 0x00, 0x01, +-}; +-static const unsigned char rsa_sigverx931_0_msg[] = { +- 0x82, 0x2e, 0x41, 0x70, 0x9d, 0x1f, 0xe9, 0x47, +- 0xec, 0xf1, 0x79, 0xcc, 0x05, 0xef, 0xdb, 0xcd, +- 0xca, 0x8b, 0x8e, 0x61, 0x45, 0xad, 0xa6, 0xd9, +- 0xd7, 0x4b, 0x15, 0xf4, 0x92, 0x3a, 0x2a, 0x52, +- 0xe3, 0x44, 0x57, 0x2b, 0x74, 0x7a, 0x37, 0x41, +- 0x50, 0xcb, 0xcf, 0x13, 0x49, 0xd6, 0x15, 0x54, +- 0x97, 0xfd, 0xae, 0x9b, 0xc1, 0xbb, 0xfc, 0x5c, +- 0xc1, 0x37, 0x58, 0x17, 0x63, 0x19, 0x9c, 0xcf, +- 0xee, 0x9c, 0xe5, 0xbe, 0x06, 0xe4, 0x97, 0x47, +- 0xd1, 0x93, 0xa1, 0x2c, 0x59, 0x97, 0x02, 0x01, +- 0x31, 0x45, 0x8c, 0xe1, 0x5c, 0xac, 0xe7, 0x5f, +- 0x6a, 0x23, 0xda, 0xbf, 0xe4, 0x25, 0xc6, 0x67, +- 0xea, 0x5f, 0x73, 0x90, 0x1b, 0x06, 0x0f, 0x41, +- 0xb5, 0x6e, 0x74, 0x7e, 0xfd, 0xd9, 0xaa, 0xbd, +- 0xe2, 0x8d, 0xad, 0x99, 0xdd, 0x29, 0x70, 0xca, +- 0x1b, 0x38, 0x21, 0x55, 0xde, 0x07, 0xaf, 0x00, +- +-}; +-static const unsigned char rsa_sigverx931_0_sig[] = { +- 0x29, 0xa9, 0x3a, 0x8e, 0x9e, 0x90, 0x1b, 0xdb, +- 0xaf, 0x0b, 0x47, 0x5b, 0xb5, 0xc3, 0x8c, 0xc3, +- 0x70, 0xbe, 0x73, 0xf9, 0x65, 0x8e, 0xc6, 0x1e, +- 0x95, 0x0b, 0xdb, 0x24, 0x76, 0x79, 0xf1, 0x00, +- 0x71, 0xcd, 0xc5, 0x6a, 0x7b, 0xd2, 0x8b, 0x18, +- 0xc4, 0xdd, 0xf1, 0x2a, 0x31, 0x04, 0x3f, 0xfc, +- 0x36, 0x06, 0x20, 0x71, 0x3d, 0x62, 0xf2, 0xb5, +- 0x79, 0x0a, 0xd5, 0xd2, 0x81, 0xf1, 0xb1, 0x4f, +- 0x9a, 0x17, 0xe8, 0x67, 0x64, 0x48, 0x09, 0x75, +- 0xff, 0x2d, 0xee, 0x36, 0xca, 0xca, 0x1d, 0x74, +- 0x99, 0xbe, 0x5c, 0x94, 0x31, 0xcc, 0x12, 0xf4, +- 0x59, 0x7e, 0x17, 0x00, 0x4f, 0x7b, 0xa4, 0xb1, +- 0xda, 0xdb, 0x3e, 0xa4, 0x34, 0x10, 0x4a, 0x19, +- 0x0a, 0xd2, 0xa7, 0xa0, 0xc5, 0xe6, 0xef, 0x82, +- 0xd4, 0x2e, 0x21, 0xbe, 0x15, 0x73, 0xac, 0xef, +- 0x05, 0xdb, 0x6a, 0x8a, 0x1a, 0xcb, 0x8e, 0xa5, +- 0xee, 0xfb, 0x28, 0xbf, 0x96, 0xa4, 0x2b, 0xd2, +- 0x85, 0x2b, 0x20, 0xc3, 0xaf, 0x9a, 0x32, 0x04, +- 0xa0, 0x49, 0x24, 0x47, 0xd0, 0x09, 0xf7, 0xcf, +- 0x73, 0xb6, 0xf6, 0x70, 0xda, 0x3b, 0xf8, 0x5a, +- 0x28, 0x2e, 0x14, 0x6c, 0x52, 0xbd, 0x2a, 0x7c, +- 0x8e, 0xc1, 0xa8, 0x0e, 0xb1, 0x1e, 0x6b, 0x8d, +- 0x76, 0xea, 0x70, 0x81, 0xa0, 0x02, 0x63, 0x74, +- 0xbc, 0x7e, 0xb9, 0xac, 0x0e, 0x7b, 0x1b, 0x75, +- 0x82, 0xe2, 0x98, 0x4e, 0x24, 0x55, 0xd4, 0xbd, +- 0x14, 0xde, 0x58, 0x56, 0x3a, 0x5d, 0x4e, 0x57, +- 0x0d, 0x54, 0x74, 0xe8, 0x86, 0x8c, 0xcb, 0x07, +- 0x9f, 0x0b, 0xfb, 0xc2, 0x08, 0x5c, 0xd7, 0x05, +- 0x3b, 0xc8, 0xd2, 0x15, 0x68, 0x8f, 0x3d, 0x3c, +- 0x4e, 0x85, 0xa9, 0x25, 0x6f, 0xf5, 0x2e, 0xca, +- 0xca, 0xa8, 0x27, 0x89, 0x61, 0x4e, 0x1f, 0x57, +- 0x2d, 0x99, 0x10, 0x3f, 0xbc, 0x9e, 0x96, 0x5e, +- 0x2f, 0x0a, 0x25, 0xa7, 0x5c, 0xea, 0x65, 0x2a, +- 0x22, 0x35, 0xa3, 0xf9, 0x13, 0x89, 0x05, 0x2e, +- 0x19, 0x73, 0x1d, 0x70, 0x74, 0x98, 0x15, 0x4b, +- 0xab, 0x56, 0x52, 0xe0, 0x01, 0x42, 0x95, 0x6a, +- 0x46, 0x2c, 0x78, 0xff, 0x26, 0xbc, 0x48, 0x10, +- 0x38, 0x25, 0xab, 0x32, 0x7c, 0x79, 0x7c, 0x5d, +- 0x6f, 0x45, 0x54, 0x74, 0x2d, 0x93, 0x56, 0x52, +- 0x11, 0x34, 0x1e, 0xe3, 0x4b, 0x6a, 0x17, 0x4f, +- 0x37, 0x14, 0x75, 0xac, 0xa3, 0xa1, 0xca, 0xda, +- 0x38, 0x06, 0xa9, 0x78, 0xb9, 0x5d, 0xd0, 0x59, +- 0x1b, 0x5d, 0x1e, 0xc2, 0x0b, 0xfb, 0x39, 0x37, +- 0x44, 0x85, 0xb6, 0x36, 0x06, 0x95, 0xbc, 0x15, +- 0x35, 0xb9, 0xe6, 0x27, 0x42, 0xe3, 0xc8, 0xec, +- 0x30, 0x37, 0x20, 0x26, 0x9a, 0x11, 0x61, 0xc0, +- 0xdb, 0xb2, 0x5a, 0x26, 0x78, 0x27, 0xb9, 0x13, +- 0xc9, 0x1a, 0xa7, 0x67, 0x93, 0xe8, 0xbe, 0xcb, +-}; +- +-#define rsa_sigverx931_1_n rsa_sigverx931_0_n +-#define rsa_sigverx931_1_e rsa_sigverx931_0_e +-static const unsigned char rsa_sigverx931_1_msg[] = { +- 0x79, 0x02, 0xb9, 0xd2, 0x3e, 0x84, 0x02, 0xc8, +- 0x2a, 0x94, 0x92, 0x14, 0x8d, 0xd5, 0xd3, 0x8d, +- 0xb2, 0xf6, 0x00, 0x8b, 0x61, 0x2c, 0xd2, 0xf9, +- 0xa8, 0xe0, 0x5d, 0xac, 0xdc, 0xa5, 0x34, 0xf3, +- 0xda, 0x6c, 0xd4, 0x70, 0x92, 0xfb, 0x40, 0x26, +- 0xc7, 0x9b, 0xe8, 0xd2, 0x10, 0x11, 0xcf, 0x7f, +- 0x23, 0xd0, 0xed, 0x55, 0x52, 0x6d, 0xd3, 0xb2, +- 0x56, 0x53, 0x8d, 0x7c, 0x4c, 0xb8, 0xcc, 0xb5, +- 0xfd, 0xd0, 0x45, 0x4f, 0x62, 0x40, 0x54, 0x42, +- 0x68, 0xd5, 0xe5, 0xdd, 0xf0, 0x76, 0x94, 0x59, +- 0x1a, 0x57, 0x13, 0xb4, 0xc3, 0x70, 0xcc, 0xbd, +- 0x4c, 0x2e, 0xc8, 0x6b, 0x9d, 0x68, 0xd0, 0x72, +- 0x6a, 0x94, 0xd2, 0x18, 0xb5, 0x3b, 0x86, 0x45, +- 0x95, 0xaa, 0x50, 0xda, 0x35, 0xeb, 0x69, 0x44, +- 0x1f, 0xf3, 0x3a, 0x51, 0xbb, 0x1d, 0x08, 0x42, +- 0x12, 0xd7, 0xd6, 0x21, 0xd8, 0x9b, 0x87, 0x55, +-}; +- +-static const unsigned char rsa_sigverx931_1_sig[] = { +- 0x3b, 0xba, 0xb3, 0xb1, 0xb2, 0x6a, 0x29, 0xb5, +- 0xf9, 0x94, 0xf1, 0x00, 0x5c, 0x16, 0x67, 0x67, +- 0x73, 0xd3, 0xde, 0x7e, 0x07, 0xfa, 0xaa, 0x95, +- 0xeb, 0x5a, 0x55, 0xdc, 0xb2, 0xa9, 0x70, 0x5a, +- 0xee, 0x8f, 0x8d, 0x69, 0x85, 0x2b, 0x00, 0xe3, +- 0xdc, 0xe2, 0x73, 0x9b, 0x68, 0xeb, 0x93, 0x69, +- 0x08, 0x03, 0x17, 0xd6, 0x50, 0x21, 0x14, 0x23, +- 0x8c, 0xe6, 0x54, 0x3a, 0xd9, 0xfc, 0x8b, 0x14, +- 0x81, 0xb1, 0x8b, 0x9d, 0xd2, 0xbe, 0x58, 0x75, +- 0x94, 0x74, 0x93, 0xc9, 0xbb, 0x4e, 0xf6, 0x1f, +- 0x73, 0x7d, 0x1a, 0x5f, 0xbd, 0xbf, 0x59, 0x37, +- 0x5b, 0x98, 0x54, 0xad, 0x3a, 0xef, 0xa0, 0xef, +- 0xcb, 0xc3, 0xe8, 0x84, 0xd8, 0x3d, 0xf5, 0x60, +- 0xb8, 0xc3, 0x8d, 0x1e, 0x78, 0xa0, 0x91, 0x94, +- 0xb7, 0xd7, 0xb1, 0xd4, 0xe2, 0xee, 0x81, 0x93, +- 0xfc, 0x41, 0xf0, 0x31, 0xbb, 0x03, 0x52, 0xde, +- 0x80, 0x20, 0x3a, 0x68, 0xe6, 0xc5, 0x50, 0x1b, +- 0x08, 0x3f, 0x40, 0xde, 0xb3, 0xe5, 0x81, 0x99, +- 0x7f, 0xdb, 0xb6, 0x5d, 0x61, 0x27, 0xd4, 0xfb, +- 0xcd, 0xc5, 0x7a, 0xea, 0xde, 0x7a, 0x66, 0xef, +- 0x55, 0x3f, 0x85, 0xea, 0x84, 0xc5, 0x0a, 0xf6, +- 0x3c, 0x40, 0x38, 0xf7, 0x6c, 0x66, 0xe5, 0xbe, +- 0x61, 0x41, 0xd3, 0xb1, 0x08, 0xe1, 0xb4, 0xf9, +- 0x6e, 0xf6, 0x0e, 0x4a, 0x72, 0x6c, 0x61, 0x63, +- 0x3e, 0x41, 0x33, 0x94, 0xd6, 0x27, 0xa4, 0xd9, +- 0x3a, 0x20, 0x2b, 0x39, 0xea, 0xe5, 0x82, 0x48, +- 0xd6, 0x5b, 0x58, 0x85, 0x44, 0xb0, 0xd2, 0xfd, +- 0xfb, 0x3e, 0xeb, 0x78, 0xac, 0xbc, 0xba, 0x16, +- 0x92, 0x0e, 0x20, 0xc1, 0xb2, 0xd1, 0x92, 0xa8, +- 0x00, 0x88, 0xc0, 0x41, 0x46, 0x38, 0xb6, 0x54, +- 0x70, 0x0c, 0x00, 0x62, 0x97, 0x6a, 0x8e, 0x66, +- 0x5a, 0xa1, 0x6c, 0xf7, 0x6d, 0xc2, 0x27, 0x56, +- 0x60, 0x5b, 0x0c, 0x52, 0xac, 0x5c, 0xae, 0x99, +- 0x55, 0x11, 0x62, 0x52, 0x09, 0x48, 0x53, 0x90, +- 0x3c, 0x0b, 0xd4, 0xdc, 0x7b, 0xe3, 0x4c, 0xe3, +- 0xa8, 0x6d, 0xc5, 0xdf, 0xc1, 0x5c, 0x59, 0x25, +- 0x99, 0x30, 0xde, 0x57, 0x6a, 0x84, 0x25, 0x34, +- 0x3e, 0x64, 0x11, 0xdb, 0x7a, 0x82, 0x8e, 0x70, +- 0xd2, 0x5c, 0x0e, 0x81, 0xa0, 0x24, 0x53, 0x75, +- 0x98, 0xd6, 0x10, 0x01, 0x6a, 0x14, 0xed, 0xc3, +- 0x6f, 0xc4, 0x18, 0xb8, 0xd2, 0x9f, 0x59, 0x53, +- 0x81, 0x3a, 0x86, 0x31, 0xfc, 0x9e, 0xbf, 0x6c, +- 0x52, 0x93, 0x86, 0x9c, 0xaa, 0x6c, 0x6f, 0x07, +- 0x8a, 0x40, 0x33, 0x64, 0xb2, 0x70, 0x48, 0x85, +- 0x05, 0x59, 0x65, 0x2d, 0x6b, 0x9a, 0xad, 0xab, +- 0x20, 0x7e, 0x02, 0x6d, 0xde, 0xcf, 0x22, 0x0b, +- 0xea, 0x6e, 0xbd, 0x1c, 0x39, 0x3a, 0xfd, 0xa4, +- 0xde, 0x54, 0xae, 0xde, 0x5e, 0xf7, 0xb0, 0x6d, +-}; +- + static const struct rsa_sigver_st rsa_sigver_data[] = { + { + "pkcs1", /* pkcs1v1.5 */ +@@ -1850,17 +1647,6 @@ static const struct rsa_sigver_st rsa_si + NO_PSS_SALT_LEN, + FAIL + }, +- { +- "x931", +- 3072, +- "SHA256", +- ITM(rsa_sigverx931_1_msg), +- ITM(rsa_sigverx931_1_n), +- ITM(rsa_sigverx931_1_e), +- ITM(rsa_sigverx931_1_sig), +- NO_PSS_SALT_LEN, +- FAIL +- }, + { + "pss", + 4096, diff --git a/openssl-FIPS-Use-FFDHE2048-in-self-test.patch b/openssl-FIPS-Use-FFDHE2048-in-self-test.patch new file mode 100644 index 0000000..4e5d3dc --- /dev/null +++ b/openssl-FIPS-Use-FFDHE2048-in-self-test.patch @@ -0,0 +1,378 @@ +From e385647549c467fe263b68b72dd21bdfb875ee88 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Fri, 22 Jul 2022 17:51:16 +0200 +Subject: [PATCH 2/2] FIPS: Use FFDHE2048 in self test + +Signed-off-by: Clemens Lang +--- + providers/fips/self_test_data.inc | 342 +++++++++++++++--------------- + 1 file changed, 172 insertions(+), 170 deletions(-) + +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index a29cc650b5..1b5623833f 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -821,188 +821,190 @@ static const ST_KAT_DRBG st_kat_drbg_tests[] = + + #ifndef OPENSSL_NO_DH + /* DH KAT */ ++/* RFC7919 FFDHE2048 p */ + static const unsigned char dh_p[] = { +- 0xdc, 0xca, 0x15, 0x11, 0xb2, 0x31, 0x32, 0x25, +- 0xf5, 0x21, 0x16, 0xe1, 0x54, 0x27, 0x89, 0xe0, +- 0x01, 0xf0, 0x42, 0x5b, 0xcc, 0xc7, 0xf3, 0x66, +- 0xf7, 0x40, 0x64, 0x07, 0xf1, 0xc9, 0xfa, 0x8b, +- 0xe6, 0x10, 0xf1, 0x77, 0x8b, 0xb1, 0x70, 0xbe, +- 0x39, 0xdb, 0xb7, 0x6f, 0x85, 0xbf, 0x24, 0xce, +- 0x68, 0x80, 0xad, 0xb7, 0x62, 0x9f, 0x7c, 0x6d, +- 0x01, 0x5e, 0x61, 0xd4, 0x3f, 0xa3, 0xee, 0x4d, +- 0xe1, 0x85, 0xf2, 0xcf, 0xd0, 0x41, 0xff, 0xde, +- 0x9d, 0x41, 0x84, 0x07, 0xe1, 0x51, 0x38, 0xbb, +- 0x02, 0x1d, 0xae, 0xb3, 0x5f, 0x76, 0x2d, 0x17, +- 0x82, 0xac, 0xc6, 0x58, 0xd3, 0x2b, 0xd4, 0xb0, +- 0x23, 0x2c, 0x92, 0x7d, 0xd3, 0x8f, 0xa0, 0x97, +- 0xb3, 0xd1, 0x85, 0x9f, 0xa8, 0xac, 0xaf, 0xb9, +- 0x8f, 0x06, 0x66, 0x08, 0xfc, 0x64, 0x4e, 0xc7, +- 0xdd, 0xb6, 0xf0, 0x85, 0x99, 0xf9, 0x2a, 0xc1, +- 0xb5, 0x98, 0x25, 0xda, 0x84, 0x32, 0x07, 0x7d, +- 0xef, 0x69, 0x56, 0x46, 0x06, 0x3c, 0x20, 0x82, +- 0x3c, 0x95, 0x07, 0xab, 0x6f, 0x01, 0x76, 0xd4, +- 0x73, 0x0d, 0x99, 0x0d, 0xbb, 0xe6, 0x36, 0x1c, +- 0xd8, 0xb2, 0xb9, 0x4d, 0x3d, 0x2f, 0x32, 0x9b, +- 0x82, 0x09, 0x9b, 0xd6, 0x61, 0xf4, 0x29, 0x50, +- 0xf4, 0x03, 0xdf, 0x3e, 0xde, 0x62, 0xa3, 0x31, +- 0x88, 0xb0, 0x27, 0x98, 0xba, 0x82, 0x3f, 0x44, +- 0xb9, 0x46, 0xfe, 0x9d, 0xf6, 0x77, 0xa0, 0xc5, +- 0xa1, 0x23, 0x8e, 0xaa, 0x97, 0xb7, 0x0f, 0x80, +- 0xda, 0x8c, 0xac, 0x88, 0xe0, 0x92, 0xb1, 0x12, +- 0x70, 0x60, 0xff, 0xbf, 0x45, 0x57, 0x99, 0x94, +- 0x01, 0x1d, 0xc2, 0xfa, 0xa5, 0xe7, 0xf6, 0xc7, +- 0x62, 0x45, 0xe1, 0xcc, 0x31, 0x22, 0x31, 0xc1, +- 0x7d, 0x1c, 0xa6, 0xb1, 0x90, 0x07, 0xef, 0x0d, +- 0xb9, 0x9f, 0x9c, 0xb6, 0x0e, 0x1d, 0x5f, 0x69 +-}; ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xad, 0xf8, 0x54, 0x58, 0xa2, 0xbb, 0x4a, 0x9a, ++ 0xaf, 0xdc, 0x56, 0x20, 0x27, 0x3d, 0x3c, 0xf1, ++ 0xd8, 0xb9, 0xc5, 0x83, 0xce, 0x2d, 0x36, 0x95, ++ 0xa9, 0xe1, 0x36, 0x41, 0x14, 0x64, 0x33, 0xfb, ++ 0xcc, 0x93, 0x9d, 0xce, 0x24, 0x9b, 0x3e, 0xf9, ++ 0x7d, 0x2f, 0xe3, 0x63, 0x63, 0x0c, 0x75, 0xd8, ++ 0xf6, 0x81, 0xb2, 0x02, 0xae, 0xc4, 0x61, 0x7a, ++ 0xd3, 0xdf, 0x1e, 0xd5, 0xd5, 0xfd, 0x65, 0x61, ++ 0x24, 0x33, 0xf5, 0x1f, 0x5f, 0x06, 0x6e, 0xd0, ++ 0x85, 0x63, 0x65, 0x55, 0x3d, 0xed, 0x1a, 0xf3, ++ 0xb5, 0x57, 0x13, 0x5e, 0x7f, 0x57, 0xc9, 0x35, ++ 0x98, 0x4f, 0x0c, 0x70, 0xe0, 0xe6, 0x8b, 0x77, ++ 0xe2, 0xa6, 0x89, 0xda, 0xf3, 0xef, 0xe8, 0x72, ++ 0x1d, 0xf1, 0x58, 0xa1, 0x36, 0xad, 0xe7, 0x35, ++ 0x30, 0xac, 0xca, 0x4f, 0x48, 0x3a, 0x79, 0x7a, ++ 0xbc, 0x0a, 0xb1, 0x82, 0xb3, 0x24, 0xfb, 0x61, ++ 0xd1, 0x08, 0xa9, 0x4b, 0xb2, 0xc8, 0xe3, 0xfb, ++ 0xb9, 0x6a, 0xda, 0xb7, 0x60, 0xd7, 0xf4, 0x68, ++ 0x1d, 0x4f, 0x42, 0xa3, 0xde, 0x39, 0x4d, 0xf4, ++ 0xae, 0x56, 0xed, 0xe7, 0x63, 0x72, 0xbb, 0x19, ++ 0x0b, 0x07, 0xa7, 0xc8, 0xee, 0x0a, 0x6d, 0x70, ++ 0x9e, 0x02, 0xfc, 0xe1, 0xcd, 0xf7, 0xe2, 0xec, ++ 0xc0, 0x34, 0x04, 0xcd, 0x28, 0x34, 0x2f, 0x61, ++ 0x91, 0x72, 0xfe, 0x9c, 0xe9, 0x85, 0x83, 0xff, ++ 0x8e, 0x4f, 0x12, 0x32, 0xee, 0xf2, 0x81, 0x83, ++ 0xc3, 0xfe, 0x3b, 0x1b, 0x4c, 0x6f, 0xad, 0x73, ++ 0x3b, 0xb5, 0xfc, 0xbc, 0x2e, 0xc2, 0x20, 0x05, ++ 0xc5, 0x8e, 0xf1, 0x83, 0x7d, 0x16, 0x83, 0xb2, ++ 0xc6, 0xf3, 0x4a, 0x26, 0xc1, 0xb2, 0xef, 0xfa, ++ 0x88, 0x6b, 0x42, 0x38, 0x61, 0x28, 0x5c, 0x97, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff ++}; ++/* RFC7919 FFDHE2048 q */ + static const unsigned char dh_q[] = { +- 0x89, 0x8b, 0x22, 0x67, 0x17, 0xef, 0x03, 0x9e, +- 0x60, 0x3e, 0x82, 0xe5, 0xc7, 0xaf, 0xe4, 0x83, +- 0x74, 0xac, 0x5f, 0x62, 0x5c, 0x54, 0xf1, 0xea, +- 0x11, 0xac, 0xb5, 0x7d +-}; ++ 0x7f, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, ++ 0xd6, 0xfc, 0x2a, 0x2c, 0x51, 0x5d, 0xa5, 0x4d, ++ 0x57, 0xee, 0x2b, 0x10, 0x13, 0x9e, 0x9e, 0x78, ++ 0xec, 0x5c, 0xe2, 0xc1, 0xe7, 0x16, 0x9b, 0x4a, ++ 0xd4, 0xf0, 0x9b, 0x20, 0x8a, 0x32, 0x19, 0xfd, ++ 0xe6, 0x49, 0xce, 0xe7, 0x12, 0x4d, 0x9f, 0x7c, ++ 0xbe, 0x97, 0xf1, 0xb1, 0xb1, 0x86, 0x3a, 0xec, ++ 0x7b, 0x40, 0xd9, 0x01, 0x57, 0x62, 0x30, 0xbd, ++ 0x69, 0xef, 0x8f, 0x6a, 0xea, 0xfe, 0xb2, 0xb0, ++ 0x92, 0x19, 0xfa, 0x8f, 0xaf, 0x83, 0x37, 0x68, ++ 0x42, 0xb1, 0xb2, 0xaa, 0x9e, 0xf6, 0x8d, 0x79, ++ 0xda, 0xab, 0x89, 0xaf, 0x3f, 0xab, 0xe4, 0x9a, ++ 0xcc, 0x27, 0x86, 0x38, 0x70, 0x73, 0x45, 0xbb, ++ 0xf1, 0x53, 0x44, 0xed, 0x79, 0xf7, 0xf4, 0x39, ++ 0x0e, 0xf8, 0xac, 0x50, 0x9b, 0x56, 0xf3, 0x9a, ++ 0x98, 0x56, 0x65, 0x27, 0xa4, 0x1d, 0x3c, 0xbd, ++ 0x5e, 0x05, 0x58, 0xc1, 0x59, 0x92, 0x7d, 0xb0, ++ 0xe8, 0x84, 0x54, 0xa5, 0xd9, 0x64, 0x71, 0xfd, ++ 0xdc, 0xb5, 0x6d, 0x5b, 0xb0, 0x6b, 0xfa, 0x34, ++ 0x0e, 0xa7, 0xa1, 0x51, 0xef, 0x1c, 0xa6, 0xfa, ++ 0x57, 0x2b, 0x76, 0xf3, 0xb1, 0xb9, 0x5d, 0x8c, ++ 0x85, 0x83, 0xd3, 0xe4, 0x77, 0x05, 0x36, 0xb8, ++ 0x4f, 0x01, 0x7e, 0x70, 0xe6, 0xfb, 0xf1, 0x76, ++ 0x60, 0x1a, 0x02, 0x66, 0x94, 0x1a, 0x17, 0xb0, ++ 0xc8, 0xb9, 0x7f, 0x4e, 0x74, 0xc2, 0xc1, 0xff, ++ 0xc7, 0x27, 0x89, 0x19, 0x77, 0x79, 0x40, 0xc1, ++ 0xe1, 0xff, 0x1d, 0x8d, 0xa6, 0x37, 0xd6, 0xb9, ++ 0x9d, 0xda, 0xfe, 0x5e, 0x17, 0x61, 0x10, 0x02, ++ 0xe2, 0xc7, 0x78, 0xc1, 0xbe, 0x8b, 0x41, 0xd9, ++ 0x63, 0x79, 0xa5, 0x13, 0x60, 0xd9, 0x77, 0xfd, ++ 0x44, 0x35, 0xa1, 0x1c, 0x30, 0x94, 0x2e, 0x4b, ++ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff ++}; ++/* RFC7919 FFDHE2048 g */ + static const unsigned char dh_g[] = { +- 0x5e, 0xf7, 0xb8, 0x8f, 0x2d, 0xf6, 0x01, 0x39, +- 0x35, 0x1d, 0xfb, 0xfe, 0x12, 0x66, 0x80, 0x5f, +- 0xdf, 0x35, 0x6c, 0xdf, 0xd1, 0x3a, 0x4d, 0xa0, +- 0x05, 0x0c, 0x7e, 0xde, 0x24, 0x6d, 0xf5, 0x9f, +- 0x6a, 0xbf, 0x96, 0xad, 0xe5, 0xf2, 0xb2, 0x8f, +- 0xfe, 0x88, 0xd6, 0xbc, 0xe7, 0xf7, 0x89, 0x4a, +- 0x3d, 0x53, 0x5f, 0xc8, 0x21, 0x26, 0xdd, 0xd4, +- 0x24, 0x87, 0x2e, 0x16, 0xb8, 0x38, 0xdf, 0x8c, +- 0x51, 0xe9, 0x01, 0x6f, 0x88, 0x9c, 0x7c, 0x20, +- 0x3e, 0x98, 0xa8, 0xb6, 0x31, 0xf9, 0xc7, 0x25, +- 0x63, 0xd3, 0x8a, 0x49, 0x58, 0x9a, 0x07, 0x53, +- 0xd3, 0x58, 0xe7, 0x83, 0x31, 0x8c, 0xef, 0xd9, +- 0x67, 0x7c, 0x7b, 0x2d, 0xbb, 0x77, 0xd6, 0xdc, +- 0xe2, 0xa1, 0x96, 0x37, 0x95, 0xca, 0x64, 0xb9, +- 0x2d, 0x1c, 0x9a, 0xac, 0x6d, 0x0e, 0x8d, 0x43, +- 0x1d, 0xe5, 0xe5, 0x00, 0x60, 0xdf, 0xf7, 0x86, +- 0x89, 0xc9, 0xec, 0xa1, 0xc1, 0x24, 0x8c, 0x16, +- 0xed, 0x09, 0xc7, 0xad, 0x41, 0x2a, 0x17, 0x40, +- 0x6d, 0x2b, 0x52, 0x5a, 0xa1, 0xca, 0xbb, 0x23, +- 0x7b, 0x97, 0x34, 0xec, 0x7b, 0x8c, 0xe3, 0xfa, +- 0xe0, 0x2f, 0x29, 0xc5, 0xef, 0xed, 0x30, 0xd6, +- 0x91, 0x87, 0xda, 0x10, 0x9c, 0x2c, 0x9f, 0xe2, +- 0xaa, 0xdb, 0xb0, 0xc2, 0x2a, 0xf5, 0x4c, 0x61, +- 0x66, 0x55, 0x00, 0x0c, 0x43, 0x1c, 0x6b, 0x4a, +- 0x37, 0x97, 0x63, 0xb0, 0xa9, 0x16, 0x58, 0xef, +- 0xc8, 0x4e, 0x8b, 0x06, 0x35, 0x8c, 0x8b, 0x4f, +- 0x21, 0x37, 0x10, 0xfd, 0x10, 0x17, 0x2c, 0xf3, +- 0x9b, 0x83, 0x0c, 0x2d, 0xd8, 0x4a, 0x0c, 0x8a, +- 0xb8, 0x25, 0x16, 0xec, 0xab, 0x99, 0x5f, 0xa4, +- 0x21, 0x5e, 0x02, 0x3e, 0x4e, 0xcf, 0x80, 0x74, +- 0xc3, 0x9d, 0x6c, 0x88, 0xb7, 0x0d, 0x1e, 0xe4, +- 0xe9, 0x6f, 0xdc, 0x20, 0xea, 0x11, 0x5c, 0x32 ++ 0x02 + }; + static const unsigned char dh_priv[] = { +- 0x14, 0x33, 0xe0, 0xb5, 0xa9, 0x17, 0xb6, 0x0a, +- 0x30, 0x23, 0xf2, 0xf8, 0xaa, 0x2c, 0x2d, 0x70, +- 0xd2, 0x96, 0x8a, 0xba, 0x9a, 0xea, 0xc8, 0x15, +- 0x40, 0xb8, 0xfc, 0xe6 ++ 0x01, 0xdc, 0x2a, 0xb9, 0x87, 0x71, 0x57, 0x0f, ++ 0xcd, 0x93, 0x65, 0x4c, 0xa1, 0xd6, 0x56, 0x6d, ++ 0xc5, 0x35, 0xd5, 0xcb, 0x4c, 0xb8, 0xad, 0x8d, ++ 0x6c, 0xdc, 0x5d, 0x6e, 0x94 + }; + static const unsigned char dh_pub[] = { +- 0x95, 0xdd, 0x33, 0x8d, 0x29, 0xe5, 0x71, 0x04, +- 0x92, 0xb9, 0x18, 0x31, 0x7b, 0x72, 0xa3, 0x69, +- 0x36, 0xe1, 0x95, 0x1a, 0x2e, 0xe5, 0xa5, 0x59, +- 0x16, 0x99, 0xc0, 0x48, 0x6d, 0x0d, 0x4f, 0x9b, +- 0xdd, 0x6d, 0x5a, 0x3f, 0x6b, 0x98, 0x89, 0x0c, +- 0x62, 0xb3, 0x76, 0x52, 0xd3, 0x6e, 0x71, 0x21, +- 0x11, 0xe6, 0x8a, 0x73, 0x55, 0x37, 0x25, 0x06, +- 0x99, 0xef, 0xe3, 0x30, 0x53, 0x73, 0x91, 0xfb, +- 0xc2, 0xc5, 0x48, 0xbc, 0x5a, 0xc3, 0xe5, 0xb2, +- 0x33, 0x86, 0xc3, 0xee, 0xf5, 0xeb, 0x43, 0xc0, +- 0x99, 0xd7, 0x0a, 0x52, 0x02, 0x68, 0x7e, 0x83, +- 0x96, 0x42, 0x48, 0xfc, 0xa9, 0x1f, 0x40, 0x90, +- 0x8e, 0x8f, 0xb3, 0x31, 0x93, 0x15, 0xf6, 0xd2, +- 0x60, 0x6d, 0x7f, 0x7c, 0xd5, 0x2c, 0xc6, 0xe7, +- 0xc5, 0x84, 0x3a, 0xfb, 0x22, 0x51, 0x9c, 0xf0, +- 0xf0, 0xf9, 0xd3, 0xa0, 0xa4, 0xe8, 0xc8, 0x88, +- 0x99, 0xef, 0xed, 0xe7, 0x36, 0x43, 0x51, 0xfb, +- 0x6a, 0x36, 0x3e, 0xe7, 0x17, 0xe5, 0x44, 0x5a, +- 0xda, 0xb4, 0xc9, 0x31, 0xa6, 0x48, 0x39, 0x97, +- 0xb8, 0x7d, 0xad, 0x83, 0x67, 0x7e, 0x4d, 0x1d, +- 0x3a, 0x77, 0x75, 0xe0, 0xf6, 0xd0, 0x0f, 0xdf, +- 0x73, 0xc7, 0xad, 0x80, 0x1e, 0x66, 0x5a, 0x0e, +- 0x5a, 0x79, 0x6d, 0x0a, 0x03, 0x80, 0xa1, 0x9f, +- 0xa1, 0x82, 0xef, 0xc8, 0xa0, 0x4f, 0x5e, 0x4d, +- 0xb9, 0x0d, 0x1a, 0x86, 0x37, 0xf9, 0x5d, 0xb1, +- 0x64, 0x36, 0xbd, 0xc8, 0xf3, 0xfc, 0x09, 0x6c, +- 0x4f, 0xf7, 0xf2, 0x34, 0xbe, 0x8f, 0xef, 0x47, +- 0x9a, 0xc4, 0xb0, 0xdc, 0x4b, 0x77, 0x26, 0x3e, +- 0x07, 0xd9, 0x95, 0x9d, 0xe0, 0xf1, 0xbf, 0x3f, +- 0x0a, 0xe3, 0xd9, 0xd5, 0x0e, 0x4b, 0x89, 0xc9, +- 0x9e, 0x3e, 0xa1, 0x21, 0x73, 0x43, 0xdd, 0x8c, +- 0x65, 0x81, 0xac, 0xc4, 0x95, 0x9c, 0x91, 0xd3 ++ 0x00, 0xc4, 0x82, 0x14, 0x69, 0x16, 0x4c, 0x05, ++ 0x55, 0x2a, 0x7e, 0x55, 0x6d, 0x02, 0xbb, 0x7f, ++ 0xcc, 0x63, 0x74, 0xee, 0xcb, 0xb4, 0x98, 0x43, ++ 0x0e, 0x29, 0x43, 0x0d, 0x44, 0xc7, 0xf1, 0x23, ++ 0x81, 0xca, 0x1c, 0x5c, 0xc3, 0xff, 0x01, 0x4a, ++ 0x1a, 0x03, 0x9e, 0x5f, 0xd1, 0x4e, 0xa0, 0x0b, ++ 0xb9, 0x5c, 0x0d, 0xef, 0x14, 0x01, 0x62, 0x3c, ++ 0x8a, 0x8e, 0x60, 0xbb, 0x39, 0xd6, 0x38, 0x63, ++ 0xb7, 0x65, 0xd0, 0x0b, 0x1a, 0xaf, 0x53, 0x38, ++ 0x10, 0x0f, 0x3e, 0xeb, 0x9d, 0x0c, 0x24, 0xf6, ++ 0xe3, 0x70, 0x08, 0x8a, 0x4d, 0x01, 0xf8, 0x7a, ++ 0x87, 0x49, 0x64, 0x72, 0xb1, 0x75, 0x3b, 0x94, ++ 0xc8, 0x09, 0x2d, 0x6a, 0x63, 0xd8, 0x9a, 0x92, ++ 0xb9, 0x5b, 0x1a, 0xc3, 0x47, 0x0b, 0x63, 0x44, ++ 0x3b, 0xe3, 0xc0, 0x09, 0xc9, 0xf9, 0x02, 0x53, ++ 0xd8, 0xfb, 0x06, 0x44, 0xdb, 0xdf, 0xe8, 0x13, ++ 0x2b, 0x40, 0x6a, 0xd4, 0x13, 0x4e, 0x52, 0x30, ++ 0xd6, 0xc1, 0xd8, 0x59, 0x9d, 0x59, 0xba, 0x1b, ++ 0xbf, 0xaa, 0x6f, 0xe9, 0x3d, 0xfd, 0xff, 0x01, ++ 0x0b, 0x54, 0xe0, 0x6a, 0x4e, 0x27, 0x2b, 0x3d, ++ 0xe8, 0xef, 0xb0, 0xbe, 0x52, 0xc3, 0x52, 0x18, ++ 0x6f, 0xa3, 0x27, 0xab, 0x6c, 0x12, 0xc3, 0x81, ++ 0xcb, 0xae, 0x23, 0x11, 0xa0, 0x5d, 0xc3, 0x6f, ++ 0x23, 0x17, 0x40, 0xb3, 0x05, 0x4f, 0x5d, 0xb7, ++ 0x34, 0xbe, 0x87, 0x2c, 0xa9, 0x9e, 0x98, 0x39, ++ 0xbf, 0x2e, 0x9d, 0xad, 0x4f, 0x70, 0xad, 0xed, ++ 0x1b, 0x5e, 0x47, 0x90, 0x49, 0x2e, 0x61, 0x71, ++ 0x5f, 0x07, 0x0b, 0x35, 0x04, 0xfc, 0x53, 0xce, ++ 0x58, 0x60, 0x6c, 0x5b, 0x8b, 0xfe, 0x70, 0x04, ++ 0x2a, 0x6a, 0x98, 0x0a, 0xd0, 0x80, 0xae, 0x69, ++ 0x95, 0xf9, 0x99, 0x18, 0xfc, 0xe4, 0x8e, 0xed, ++ 0x61, 0xd9, 0x02, 0x9d, 0x4e, 0x05, 0xe9, 0xf2, ++ 0x32 + }; + static const unsigned char dh_peer_pub[] = { +- 0x1f, 0xc1, 0xda, 0x34, 0x1d, 0x1a, 0x84, 0x6a, +- 0x96, 0xb7, 0xbe, 0x24, 0x34, 0x0f, 0x87, 0x7d, +- 0xd0, 0x10, 0xaa, 0x03, 0x56, 0xd5, 0xad, 0x58, +- 0xaa, 0xe9, 0xc7, 0xb0, 0x8f, 0x74, 0x9a, 0x32, +- 0x23, 0x51, 0x10, 0xb5, 0xd8, 0x8e, 0xb5, 0xdb, +- 0xfa, 0x97, 0x8d, 0x27, 0xec, 0xc5, 0x30, 0xf0, +- 0x2d, 0x31, 0x14, 0x00, 0x5b, 0x64, 0xb1, 0xc0, +- 0xe0, 0x24, 0xcb, 0x8a, 0xe2, 0x16, 0x98, 0xbc, +- 0xa9, 0xe6, 0x0d, 0x42, 0x80, 0x86, 0x22, 0xf1, +- 0x81, 0xc5, 0x6e, 0x1d, 0xe7, 0xa9, 0x6e, 0x6e, +- 0xfe, 0xe9, 0xd6, 0x65, 0x67, 0xe9, 0x1b, 0x97, +- 0x70, 0x42, 0xc7, 0xe3, 0xd0, 0x44, 0x8f, 0x05, +- 0xfb, 0x77, 0xf5, 0x22, 0xb9, 0xbf, 0xc8, 0xd3, +- 0x3c, 0xc3, 0xc3, 0x1e, 0xd3, 0xb3, 0x1f, 0x0f, +- 0xec, 0xb6, 0xdb, 0x4f, 0x6e, 0xa3, 0x11, 0xe7, +- 0x7a, 0xfd, 0xbc, 0xd4, 0x7a, 0xee, 0x1b, 0xb1, +- 0x50, 0xf2, 0x16, 0x87, 0x35, 0x78, 0xfb, 0x96, +- 0x46, 0x8e, 0x8f, 0x9f, 0x3d, 0xe8, 0xef, 0xbf, +- 0xce, 0x75, 0x62, 0x4b, 0x1d, 0xf0, 0x53, 0x22, +- 0xa3, 0x4f, 0x14, 0x63, 0xe8, 0x39, 0xe8, 0x98, +- 0x4c, 0x4a, 0xd0, 0xa9, 0x6e, 0x1a, 0xc8, 0x42, +- 0xe5, 0x31, 0x8c, 0xc2, 0x3c, 0x06, 0x2a, 0x8c, +- 0xa1, 0x71, 0xb8, 0xd5, 0x75, 0x98, 0x0d, 0xde, +- 0x7f, 0xc5, 0x6f, 0x15, 0x36, 0x52, 0x38, 0x20, +- 0xd4, 0x31, 0x92, 0xbf, 0xd5, 0x1e, 0x8e, 0x22, +- 0x89, 0x78, 0xac, 0xa5, 0xb9, 0x44, 0x72, 0xf3, +- 0x39, 0xca, 0xeb, 0x99, 0x31, 0xb4, 0x2b, 0xe3, +- 0x01, 0x26, 0x8b, 0xc9, 0x97, 0x89, 0xc9, 0xb2, +- 0x55, 0x71, 0xc3, 0xc0, 0xe4, 0xcb, 0x3f, 0x00, +- 0x7f, 0x1a, 0x51, 0x1c, 0xbb, 0x53, 0xc8, 0x51, +- 0x9c, 0xdd, 0x13, 0x02, 0xab, 0xca, 0x6c, 0x0f, +- 0x34, 0xf9, 0x67, 0x39, 0xf1, 0x7f, 0xf4, 0x8b ++ 0x00, 0xef, 0x15, 0x02, 0xf5, 0x56, 0xa3, 0x79, ++ 0x40, 0x58, 0xbc, 0xeb, 0x56, 0xad, 0xcb, 0xda, ++ 0x8c, 0xda, 0xb8, 0xd1, 0xda, 0x6f, 0x25, 0x29, ++ 0x9e, 0x43, 0x76, 0x2d, 0xb2, 0xd8, 0xbc, 0x84, ++ 0xbc, 0x85, 0xd0, 0x94, 0x8d, 0x44, 0x27, 0x57, ++ 0xe4, 0xdf, 0xc1, 0x78, 0x42, 0x8f, 0x08, 0xf5, ++ 0x74, 0xfe, 0x02, 0x56, 0xd2, 0x09, 0xc8, 0x68, ++ 0xef, 0xed, 0x18, 0xc9, 0xfd, 0x2e, 0x95, 0x6c, ++ 0xba, 0x6c, 0x00, 0x0e, 0xf5, 0xd1, 0x1b, 0xf6, ++ 0x15, 0x14, 0x5b, 0x67, 0x22, 0x7c, 0x6a, 0x20, ++ 0x76, 0x43, 0x51, 0xef, 0x5e, 0x1e, 0xf9, 0x2d, ++ 0xd6, 0xb4, 0xc5, 0xc6, 0x18, 0x33, 0xd1, 0xa3, ++ 0x3b, 0xe6, 0xdd, 0x57, 0x9d, 0xad, 0x13, 0x7a, ++ 0x53, 0xde, 0xb3, 0x97, 0xc0, 0x7e, 0xd7, 0x77, ++ 0x6b, 0xf8, 0xbd, 0x13, 0x70, 0x8c, 0xba, 0x73, ++ 0x80, 0xb3, 0x80, 0x6f, 0xfb, 0x1c, 0xda, 0x53, ++ 0x4d, 0x3c, 0x8a, 0x2e, 0xa1, 0x37, 0xce, 0xb1, ++ 0xde, 0x45, 0x97, 0x58, 0x65, 0x4d, 0xcf, 0x05, ++ 0xbb, 0xc3, 0xd7, 0x38, 0x6d, 0x0a, 0x59, 0x7a, ++ 0x99, 0x15, 0xb7, 0x9a, 0x3d, 0xfd, 0x61, 0xe5, ++ 0x1a, 0xa2, 0xcc, 0xf6, 0xfe, 0xb1, 0xee, 0xe9, ++ 0xa9, 0xe2, 0xeb, 0x06, 0xbc, 0x14, 0x6e, 0x91, ++ 0x0d, 0xf1, 0xe3, 0xbb, 0xe0, 0x7e, 0x1d, 0x31, ++ 0x79, 0xf1, 0x6d, 0x5f, 0xcb, 0xaf, 0xb2, 0x4f, ++ 0x22, 0x12, 0xbf, 0x72, 0xbd, 0xd0, 0x30, 0xe4, ++ 0x1c, 0x35, 0x96, 0x61, 0x98, 0x39, 0xfb, 0x7e, ++ 0x6d, 0x66, 0xc4, 0x69, 0x41, 0x0d, 0x0d, 0x59, ++ 0xbb, 0xa7, 0xbf, 0x34, 0xe0, 0x39, 0x36, 0x84, ++ 0x5e, 0x0e, 0x03, 0x2d, 0xcf, 0xaa, 0x02, 0x8a, ++ 0xba, 0x59, 0x88, 0x47, 0xc4, 0x4d, 0xd7, 0xbd, ++ 0x78, 0x76, 0x24, 0xf1, 0x45, 0x56, 0x44, 0xc2, ++ 0x4a, 0xc2, 0xd5, 0x3a, 0x59, 0x40, 0xab, 0x87, ++ 0x64 + }; + + static const unsigned char dh_secret_expected[] = { +- 0x08, 0xff, 0x33, 0xbb, 0x2e, 0xcf, 0xf4, 0x9a, +- 0x7d, 0x4a, 0x79, 0x12, 0xae, 0xb1, 0xbb, 0x6a, +- 0xb5, 0x11, 0x64, 0x1b, 0x4a, 0x76, 0x77, 0x0c, +- 0x8c, 0xc1, 0xbc, 0xc2, 0x33, 0x34, 0x3d, 0xfe, +- 0x70, 0x0d, 0x11, 0x81, 0x3d, 0x2c, 0x9e, 0xd2, +- 0x3b, 0x21, 0x1c, 0xa9, 0xe8, 0x78, 0x69, 0x21, +- 0xed, 0xca, 0x28, 0x3c, 0x68, 0xb1, 0x61, 0x53, +- 0xfa, 0x01, 0xe9, 0x1a, 0xb8, 0x2c, 0x90, 0xdd, +- 0xab, 0x4a, 0x95, 0x81, 0x67, 0x70, 0xa9, 0x87, +- 0x10, 0xe1, 0x4c, 0x92, 0xab, 0x83, 0xb6, 0xe4, +- 0x6e, 0x1e, 0x42, 0x6e, 0xe8, 0x52, 0x43, 0x0d, +- 0x61, 0x87, 0xda, 0xa3, 0x72, 0x0a, 0x6b, 0xcd, +- 0x73, 0x23, 0x5c, 0x6b, 0x0f, 0x94, 0x1f, 0x33, +- 0x64, 0xf5, 0x04, 0x20, 0x55, 0x1a, 0x4b, 0xfe, +- 0xaf, 0xe2, 0xbc, 0x43, 0x85, 0x05, 0xa5, 0x9a, +- 0x4a, 0x40, 0xda, 0xca, 0x7a, 0x89, 0x5a, 0x73, +- 0xdb, 0x57, 0x5c, 0x74, 0xc1, 0x3a, 0x23, 0xad, +- 0x88, 0x32, 0x95, 0x7d, 0x58, 0x2d, 0x38, 0xf0, +- 0xa6, 0x16, 0x5f, 0xb0, 0xd7, 0xe9, 0xb8, 0x79, +- 0x9e, 0x42, 0xfd, 0x32, 0x20, 0xe3, 0x32, 0xe9, +- 0x81, 0x85, 0xa0, 0xc9, 0x42, 0x97, 0x57, 0xb2, +- 0xd0, 0xd0, 0x2c, 0x17, 0xdb, 0xaa, 0x1f, 0xf6, +- 0xed, 0x93, 0xd7, 0xe7, 0x3e, 0x24, 0x1e, 0xae, +- 0xd9, 0x0c, 0xaf, 0x39, 0x4d, 0x2b, 0xc6, 0x57, +- 0x0f, 0x18, 0xc8, 0x1f, 0x2b, 0xe5, 0xd0, 0x1a, +- 0x2c, 0xa9, 0x9f, 0xf1, 0x42, 0xb5, 0xd9, 0x63, +- 0xf9, 0xf5, 0x00, 0x32, 0x5e, 0x75, 0x56, 0xf9, +- 0x58, 0x49, 0xb3, 0xff, 0xc7, 0x47, 0x94, 0x86, +- 0xbe, 0x1d, 0x45, 0x96, 0xa3, 0x10, 0x6b, 0xd5, +- 0xcb, 0x4f, 0x61, 0xc5, 0x7e, 0xc5, 0xf1, 0x00, +- 0xfb, 0x7a, 0x0c, 0x82, 0xa1, 0x0b, 0x82, 0x52, +- 0x6a, 0x97, 0xd1, 0xd9, 0x7d, 0x98, 0xea, 0xf6 ++ 0x56, 0x13, 0xe3, 0x12, 0x6b, 0x5f, 0x67, 0xe5, ++ 0x08, 0xe5, 0x35, 0x0e, 0x11, 0x90, 0x9d, 0xf5, ++ 0x1a, 0x24, 0xfa, 0x42, 0xd1, 0x4a, 0x50, 0x93, ++ 0x5b, 0xf4, 0x11, 0x6f, 0xd0, 0xc3, 0xc5, 0xa5, ++ 0x80, 0xae, 0x01, 0x3d, 0x66, 0x92, 0xc0, 0x3e, ++ 0x5f, 0xe9, 0x75, 0xb6, 0x5b, 0x37, 0x82, 0x39, ++ 0x72, 0x66, 0x0b, 0xa2, 0x73, 0x94, 0xe5, 0x04, ++ 0x7c, 0x0c, 0x19, 0x9a, 0x03, 0x53, 0xc4, 0x9d, ++ 0xc1, 0x0f, 0xc3, 0xec, 0x0e, 0x2e, 0xa3, 0x7c, ++ 0x07, 0x0e, 0xaf, 0x18, 0x1d, 0xc7, 0x8b, 0x47, ++ 0x4b, 0x94, 0x05, 0x6d, 0xec, 0xdd, 0xa1, 0xae, ++ 0x7b, 0x21, 0x86, 0x53, 0xd3, 0x62, 0x38, 0x08, ++ 0xea, 0xda, 0xdc, 0xb2, 0x5a, 0x7c, 0xef, 0x19, ++ 0xf8, 0x29, 0xef, 0xf8, 0xd0, 0xfb, 0xde, 0xe8, ++ 0xb8, 0x2f, 0xb3, 0xa1, 0x16, 0xa2, 0xd0, 0x8f, ++ 0x48, 0xdc, 0x7d, 0xcb, 0xee, 0x5c, 0x06, 0x1e, ++ 0x2a, 0x66, 0xe8, 0x1f, 0xdb, 0x18, 0xe9, 0xd2, ++ 0xfd, 0xa2, 0x4e, 0x39, 0xa3, 0x2e, 0x88, 0x3d, ++ 0x7d, 0xac, 0x15, 0x18, 0x25, 0xe6, 0xba, 0xd4, ++ 0x0e, 0x89, 0x26, 0x60, 0x8f, 0xdc, 0x4a, 0xb4, ++ 0x49, 0x8f, 0x98, 0xe8, 0x62, 0x8c, 0xc6, 0x66, ++ 0x20, 0x4c, 0xe1, 0xed, 0xfc, 0x01, 0x88, 0x46, ++ 0xa7, 0x67, 0x48, 0x39, 0xc5, 0x22, 0x95, 0xa0, ++ 0x23, 0xb9, 0xd1, 0xed, 0x87, 0xcf, 0xa7, 0x70, ++ 0x1c, 0xac, 0xd3, 0xaf, 0x5c, 0x26, 0x50, 0x3c, ++ 0xe4, 0x23, 0xb6, 0xcc, 0xd7, 0xc5, 0xda, 0x2f, ++ 0xf4, 0x45, 0xf1, 0xe4, 0x40, 0xb5, 0x0a, 0x25, ++ 0x86, 0xe6, 0xde, 0x11, 0x3c, 0x46, 0x16, 0xbc, ++ 0x41, 0xc2, 0x28, 0x19, 0x81, 0x5a, 0x46, 0x02, ++ 0x87, 0xd0, 0x15, 0x0c, 0xd2, 0xfe, 0x75, 0x04, ++ 0x82, 0xd2, 0x0a, 0xb7, 0xbc, 0xc5, 0x6c, 0xb1, ++ 0x41, 0xa8, 0x2b, 0x28, 0xbb, 0x86, 0x0c, 0x89 + }; + + static const ST_KAT_PARAM dh_group[] = { +-- +2.35.3 + diff --git a/openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch b/openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch new file mode 100644 index 0000000..1a756d1 --- /dev/null +++ b/openssl-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch @@ -0,0 +1,348 @@ +From 62721a92ebec8746888d94bea0082c8d8763219e Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 27/49] + 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch + +Patch-name: 0073-FIPS-Use-OAEP-in-KATs-support-fixed-OAEP-seed.patch +Patch-id: 73 +Patch-status: | + # # https://bugzilla.redhat.com/show_bug.cgi?id=2102535 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + crypto/rsa/rsa_local.h | 8 ++ + crypto/rsa/rsa_oaep.c | 34 ++++++-- + providers/fips/self_test_data.inc | 79 ++++++++++--------- + providers/fips/self_test_kats.c | 7 ++ + .../implementations/asymciphers/rsa_enc.c | 41 +++++++++- + util/perl/OpenSSL/paramnames.pm | 1 + + 6 files changed, 126 insertions(+), 44 deletions(-) + +diff --git a/crypto/rsa/rsa_local.h b/crypto/rsa/rsa_local.h +index ea70da05ad..dde57a1a0e 100644 +--- a/crypto/rsa/rsa_local.h ++++ b/crypto/rsa/rsa_local.h +@@ -193,4 +193,12 @@ int ossl_rsa_padding_add_PKCS1_type_2_ex(OSSL_LIB_CTX *libctx, unsigned char *to + int tlen, const unsigned char *from, + int flen); + ++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, ++ int plen, const EVP_MD *md, ++ const EVP_MD *mgf1md, ++ const char *suse_st_seed); ++ + #endif /* OSSL_CRYPTO_RSA_LOCAL_H */ +diff --git a/crypto/rsa/rsa_oaep.c b/crypto/rsa/rsa_oaep.c +index b9030440c4..3d665c3860 100644 +--- a/crypto/rsa/rsa_oaep.c ++++ b/crypto/rsa/rsa_oaep.c +@@ -44,6 +44,10 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, + param, plen, NULL, NULL); + } + ++#ifdef FIPS_MODULE ++extern int SUSE_FIPS_asym_cipher_st; ++#endif /* FIPS_MODULE */ ++ + /* + * Perform the padding as per NIST 800-56B 7.2.2.3 + * from (K) is the key material. +@@ -51,12 +55,13 @@ int RSA_padding_add_PKCS1_OAEP(unsigned char *to, int tlen, + * Step numbers are included here but not in the constant time inverse below + * to avoid complicating an already difficult enough function. + */ +-int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, +- unsigned char *to, int tlen, +- const unsigned char *from, int flen, +- const unsigned char *param, +- int plen, const EVP_MD *md, +- const EVP_MD *mgf1md) ++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(OSSL_LIB_CTX *libctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, ++ int plen, const EVP_MD *md, ++ const EVP_MD *mgf1md, ++ const char *suse_st_seed) + { + int rv = 0; + int i, emlen = tlen - 1; +@@ -107,6 +112,11 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, + db[emlen - flen - mdlen - 1] = 0x01; + memcpy(db + emlen - flen - mdlen, from, (unsigned int)flen); + /* step 3d: generate random byte string */ ++#ifdef FIPS_MODULE ++ if (suse_st_seed != NULL && SUSE_FIPS_asym_cipher_st) { ++ memcpy(seed, suse_st_seed, mdlen); ++ } else ++#endif + if (RAND_bytes_ex(libctx, seed, mdlen, 0) <= 0) + goto err; + +@@ -136,6 +146,18 @@ int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, + return rv; + } + ++int ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(OSSL_LIB_CTX *libctx, ++ unsigned char *to, int tlen, ++ const unsigned char *from, int flen, ++ const unsigned char *param, ++ int plen, const EVP_MD *md, ++ const EVP_MD *mgf1md) ++{ ++ return ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2(libctx, to, tlen, from, ++ flen, param, plen, md, ++ mgf1md, NULL); ++} ++ + int RSA_padding_add_PKCS1_OAEP_mgf1(unsigned char *to, int tlen, + const unsigned char *from, int flen, + const unsigned char *param, int plen, +diff --git a/providers/fips/self_test_data.inc b/providers/fips/self_test_data.inc +index 4b80bb70b9..c33ecd0791 100644 +--- a/providers/fips/self_test_data.inc ++++ b/providers/fips/self_test_data.inc +@@ -1296,14 +1296,21 @@ static const ST_KAT_PARAM rsa_priv_key[] = { + }; + + /*- +- * Using OSSL_PKEY_RSA_PAD_MODE_NONE directly in the expansion of the ++ * Using OSSL_PKEY_RSA_PAD_MODE_OAEP directly in the expansion of the + * ST_KAT_PARAM_UTF8STRING macro below causes a failure on ancient + * HP/UX PA-RISC compilers. + */ +-static const char pad_mode_none[] = OSSL_PKEY_RSA_PAD_MODE_NONE; ++static const char pad_mode_oaep[] = OSSL_PKEY_RSA_PAD_MODE_OAEP; ++static const char oaep_fixed_seed[] = { ++ 0xf6, 0x10, 0xef, 0x0a, 0x97, 0xbf, 0x91, 0x25, ++ 0x97, 0xcf, 0x8e, 0x0a, 0x75, 0x51, 0x2f, 0xab, ++ 0x2e, 0x4b, 0x2c, 0xe6 ++}; + + static const ST_KAT_PARAM rsa_enc_params[] = { +- ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_none), ++ ST_KAT_PARAM_UTF8STRING(OSSL_ASYM_CIPHER_PARAM_PAD_MODE, pad_mode_oaep), ++ ST_KAT_PARAM_OCTET(OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED, ++ oaep_fixed_seed), + ST_KAT_PARAM_END() + }; + +@@ -1342,43 +1349,43 @@ static const unsigned char rsa_expected_sig[256] = { + 0x2c, 0x68, 0xf0, 0x37, 0xa9, 0xd2, 0x56, 0xd6 + }; + +-static const unsigned char rsa_asym_plaintext_encrypt[256] = { ++static const unsigned char rsa_asym_plaintext_encrypt[208] = { + 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, + 0x09, 0x0a, 0x0b, 0x0c, 0x0d, 0x0e, 0x0f, 0x10, + }; + static const unsigned char rsa_asym_expected_encrypt[256] = { +- 0x54, 0xac, 0x23, 0x96, 0x1d, 0x82, 0x5d, 0x8b, +- 0x8f, 0x36, 0x33, 0xd0, 0xf4, 0x02, 0xa2, 0x61, +- 0xb1, 0x13, 0xd4, 0x4a, 0x46, 0x06, 0x37, 0x3c, +- 0xbf, 0x40, 0x05, 0x3c, 0xc6, 0x3b, 0x64, 0xdc, +- 0x22, 0x22, 0xaf, 0x36, 0x79, 0x62, 0x45, 0xf0, +- 0x97, 0x82, 0x22, 0x44, 0x86, 0x4a, 0x7c, 0xfa, +- 0xac, 0x03, 0x21, 0x84, 0x3f, 0x31, 0xad, 0x2a, +- 0xa4, 0x6e, 0x7a, 0xc5, 0x93, 0xf3, 0x0f, 0xfc, +- 0xf1, 0x62, 0xce, 0x82, 0x12, 0x45, 0xc9, 0x35, +- 0xb0, 0x7a, 0xcd, 0x99, 0x8c, 0x91, 0x6b, 0x5a, +- 0xd3, 0x46, 0xdb, 0xf9, 0x9e, 0x52, 0x49, 0xbd, +- 0x1e, 0xe8, 0xda, 0xac, 0x61, 0x47, 0xc2, 0xda, +- 0xfc, 0x1e, 0xfb, 0x74, 0xd7, 0xd6, 0xc1, 0x18, +- 0x86, 0x3e, 0x20, 0x9c, 0x7a, 0xe1, 0x04, 0xb7, +- 0x38, 0x43, 0xb1, 0x4e, 0xa0, 0xd8, 0xc1, 0x39, +- 0x4d, 0xe1, 0xd3, 0xb0, 0xb3, 0xf1, 0x82, 0x87, +- 0x1f, 0x74, 0xb5, 0x69, 0xfd, 0x33, 0xd6, 0x21, +- 0x7c, 0x61, 0x60, 0x28, 0xca, 0x70, 0xdb, 0xa0, +- 0xbb, 0xc8, 0x73, 0xa9, 0x82, 0xf8, 0x6b, 0xd8, +- 0xf0, 0xc9, 0x7b, 0x20, 0xdf, 0x9d, 0xfb, 0x8c, +- 0xd4, 0xa2, 0x89, 0xe1, 0x9b, 0x04, 0xad, 0xaa, +- 0x11, 0x6c, 0x8f, 0xce, 0x83, 0x29, 0x56, 0x69, +- 0xbb, 0x00, 0x3b, 0xef, 0xca, 0x2d, 0xcd, 0x52, +- 0xc8, 0xf1, 0xb3, 0x9b, 0xb4, 0x4f, 0x6d, 0x9c, +- 0x3d, 0x69, 0xcc, 0x6d, 0x1f, 0x38, 0x4d, 0xe6, +- 0xbb, 0x0c, 0x87, 0xdc, 0x5f, 0xa9, 0x24, 0x93, +- 0x03, 0x46, 0xa2, 0x33, 0x6c, 0xf4, 0xd8, 0x5d, +- 0x68, 0xf3, 0xd3, 0xe0, 0xf2, 0x30, 0xdb, 0xf5, +- 0x4f, 0x0f, 0xad, 0xc7, 0xd0, 0xaa, 0x47, 0xd9, +- 0x9f, 0x85, 0x1b, 0x2e, 0x6c, 0x3c, 0x57, 0x04, +- 0x29, 0xf4, 0xf5, 0x66, 0x7d, 0x93, 0x4a, 0xaa, +- 0x05, 0x52, 0x55, 0xc1, 0xc6, 0x06, 0x90, 0xab, ++ 0x6c, 0x21, 0xc1, 0x9e, 0x94, 0xee, 0xdf, 0x74, ++ 0x3a, 0x3c, 0x7c, 0x04, 0x1a, 0x53, 0x9e, 0x7c, ++ 0x42, 0xac, 0x7e, 0x28, 0x9a, 0xb7, 0xe2, 0x4e, ++ 0x87, 0xd4, 0x00, 0x69, 0x71, 0xf0, 0x3e, 0x0b, ++ 0xc1, 0xda, 0xd6, 0xbd, 0x21, 0x39, 0x4f, 0x25, ++ 0x22, 0x1f, 0x76, 0x0d, 0x62, 0x1f, 0xa2, 0x89, ++ 0xdb, 0x38, 0x32, 0x88, 0x21, 0x1d, 0x89, 0xf1, ++ 0xe0, 0x14, 0xd4, 0xb7, 0x90, 0xfc, 0xbc, 0x50, ++ 0xb0, 0x8d, 0x5c, 0x2f, 0x49, 0x9e, 0x90, 0x17, ++ 0x9e, 0x60, 0x9f, 0xe1, 0x77, 0x4f, 0x11, 0xa2, ++ 0xcf, 0x16, 0x65, 0x2d, 0x4a, 0x2c, 0x12, 0xcb, ++ 0x1e, 0x3c, 0x29, 0x8b, 0xdc, 0x27, 0x06, 0x9d, ++ 0xf4, 0x0d, 0xe1, 0xc9, 0xeb, 0x14, 0x6a, 0x7e, ++ 0xfd, 0xa7, 0xa8, 0xa7, 0x51, 0x82, 0x62, 0x0f, ++ 0x29, 0x8d, 0x8c, 0x5e, 0xf2, 0xb8, 0xcd, 0xd3, ++ 0x51, 0x92, 0xa7, 0x25, 0x39, 0x9d, 0xdd, 0x06, ++ 0xff, 0xb1, 0xb0, 0xd5, 0x61, 0x03, 0x8f, 0x25, ++ 0x5c, 0x49, 0x12, 0xc1, 0x50, 0x67, 0x61, 0x78, ++ 0xb3, 0xe3, 0xc4, 0xf6, 0x36, 0x16, 0xa9, 0x04, ++ 0x91, 0x0a, 0x4b, 0x27, 0x28, 0x97, 0x50, 0x7c, ++ 0x65, 0x2d, 0xd0, 0x08, 0x71, 0x84, 0xe7, 0x47, ++ 0x79, 0x83, 0x91, 0x46, 0xd9, 0x8f, 0x79, 0xce, ++ 0x49, 0xcb, 0xcd, 0x8b, 0x34, 0xac, 0x61, 0xe0, ++ 0xe6, 0x55, 0xbf, 0x10, 0xe4, 0xac, 0x9a, 0xd6, ++ 0xed, 0xc1, 0xc2, 0xb6, 0xb6, 0xf7, 0x41, 0x99, ++ 0xde, 0xfa, 0xde, 0x11, 0x16, 0xa2, 0x18, 0x30, ++ 0x30, 0xdc, 0x95, 0x76, 0x2f, 0x46, 0x43, 0x20, ++ 0xc4, 0xe7, 0x50, 0xb9, 0x1e, 0xcd, 0x69, 0xbb, ++ 0x29, 0x94, 0x27, 0x9c, 0xc9, 0xab, 0xb4, 0x27, ++ 0x8b, 0x4d, 0xe1, 0xcb, 0xc1, 0x04, 0x2c, 0x66, ++ 0x41, 0x3a, 0x4d, 0xeb, 0x61, 0x4c, 0x77, 0x5a, ++ 0xee, 0xb0, 0xca, 0x99, 0x0e, 0x7f, 0xbe, 0x06 + }; + + #ifndef OPENSSL_NO_EC +diff --git a/providers/fips/self_test_kats.c b/providers/fips/self_test_kats.c +index f13c41abd6..4ea10670c0 100644 +--- a/providers/fips/self_test_kats.c ++++ b/providers/fips/self_test_kats.c +@@ -642,14 +642,21 @@ static int self_test_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) + return ret; + } + ++int SUSE_FIPS_asym_cipher_st = 0; ++ + static int self_test_asym_ciphers(OSSL_SELF_TEST *st, OSSL_LIB_CTX *libctx) + { + int i, ret = 1; + ++ SUSE_FIPS_asym_cipher_st = 1; ++ + for (i = 0; i < (int)OSSL_NELEM(st_kat_asym_cipher_tests); ++i) { + if (!self_test_asym_cipher(&st_kat_asym_cipher_tests[i], st, libctx)) + ret = 0; + } ++ ++ SUSE_FIPS_asym_cipher_st = 0; ++ + return ret; + } + +diff --git a/providers/implementations/asymciphers/rsa_enc.c b/providers/implementations/asymciphers/rsa_enc.c +index d548560f1f..f3443b0c66 100644 +--- a/providers/implementations/asymciphers/rsa_enc.c ++++ b/providers/implementations/asymciphers/rsa_enc.c +@@ -30,6 +30,9 @@ + #include "prov/implementations.h" + #include "prov/providercommon.h" + #include "prov/securitycheck.h" ++#ifdef FIPS_MODULE ++# include "crypto/rsa/rsa_local.h" ++#endif + + #include + +@@ -75,6 +78,9 @@ typedef struct { + /* TLS padding */ + unsigned int client_version; + unsigned int alt_version; ++#ifdef FIPS_MODULE ++ char *suse_st_oaep_seed; ++#endif /* FIPS_MODULE */ + /* PKCS#1 v1.5 decryption mode */ + unsigned int implicit_rejection; + } PROV_RSA_CTX; +@@ -193,12 +199,21 @@ static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, + } + } + ret = +- ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex(prsactx->libctx, tbuf, ++#ifdef FIPS_MODULE ++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex2( ++#else ++ ossl_rsa_padding_add_PKCS1_OAEP_mgf1_ex( ++#endif ++ prsactx->libctx, tbuf, + rsasize, in, inlen, + prsactx->oaep_label, + prsactx->oaep_labellen, + prsactx->oaep_md, +- prsactx->mgf1_md); ++ prsactx->mgf1_md ++#ifdef FIPS_MODULE ++ , prsactx->suse_st_oaep_seed ++#endif ++ ); + + if (!ret) { + OPENSSL_free(tbuf); +@@ -332,6 +347,9 @@ static void rsa_freectx(void *vprsactx) + EVP_MD_free(prsactx->oaep_md); + EVP_MD_free(prsactx->mgf1_md); + OPENSSL_free(prsactx->oaep_label); ++#ifdef FIPS_MODULE ++ OPENSSL_free(prsactx->suse_st_oaep_seed); ++#endif /* FIPS_MODULE */ + + OPENSSL_free(prsactx); + } +@@ -455,6 +473,9 @@ static const OSSL_PARAM known_gettable_ctx_params[] = { + NULL, 0), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION, NULL), + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_octet_string(OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED, NULL, 0), ++#endif /* FIPS_MODULE */ + OSSL_PARAM_uint(OSSL_ASYM_CIPHER_PARAM_IMPLICIT_REJECTION, NULL), + OSSL_PARAM_END + }; +@@ -465,6 +486,10 @@ static const OSSL_PARAM *rsa_gettable_ctx_params(ossl_unused void *vprsactx, + return known_gettable_ctx_params; + } + ++#ifdef FIPS_MODULE ++extern int SUSE_FIPS_asym_cipher_st; ++#endif /* FIPS_MODULE */ ++ + static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; +@@ -576,6 +601,18 @@ static int rsa_set_ctx_params(void *vprsactx, const OSSL_PARAM params[]) + prsactx->oaep_labellen = tmp_labellen; + } + ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED); ++ if (p != NULL && SUSE_FIPS_asym_cipher_st) { ++ void *tmp_oaep_seed = NULL; ++ ++ if (!OSSL_PARAM_get_octet_string(p, &tmp_oaep_seed, 0, NULL)) ++ return 0; ++ OPENSSL_free(prsactx->suse_st_oaep_seed); ++ prsactx->suse_st_oaep_seed = (char *)tmp_oaep_seed; ++ } ++#endif /* FIPS_MODULE */ ++ + p = OSSL_PARAM_locate_const(params, OSSL_ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION); + if (p != NULL) { + unsigned int client_version; +diff --git a/util/perl/OpenSSL/paramnames.pm b/util/perl/OpenSSL/paramnames.pm +index c37ed7815f..70f7c50fe4 100644 +--- a/util/perl/OpenSSL/paramnames.pm ++++ b/util/perl/OpenSSL/paramnames.pm +@@ -401,6 +401,7 @@ my %params = ( + 'ASYM_CIPHER_PARAM_TLS_CLIENT_VERSION' => "tls-client-version", + 'ASYM_CIPHER_PARAM_TLS_NEGOTIATED_VERSION' => "tls-negotiated-version", + 'ASYM_CIPHER_PARAM_IMPLICIT_REJECTION' => "implicit-rejection", ++ 'ASYM_CIPHER_PARAM_SUSE_KAT_OEAP_SEED' => "suse-kat-oaep-seed", + + # Encoder / decoder parameters + +-- +2.44.0 + diff --git a/openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch b/openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch new file mode 100644 index 0000000..4467399 --- /dev/null +++ b/openssl-FIPS-Use-digest_sign-digest_verify-in-self-test.patch @@ -0,0 +1,312 @@ +From dc41625dc4a793f0e21188165711181ca085339b Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:16 +0100 +Subject: [PATCH 28/49] + 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch + +Patch-name: 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +Patch-id: 74 +Patch-status: | + # [PATCH 29/46] + # 0074-FIPS-Use-digest_sign-digest_verify-in-self-test.patch +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + crypto/evp/m_sigver.c | 54 ++++++++++++++++++++++++++++----- + providers/fips/self_test_kats.c | 43 +++++++++++++++----------- + 2 files changed, 73 insertions(+), 24 deletions(-) + +Index: openssl-3.2.3/crypto/evp/m_sigver.c +=================================================================== +--- openssl-3.2.3.orig/crypto/evp/m_sigver.c ++++ openssl-3.2.3/crypto/evp/m_sigver.c +@@ -86,6 +86,7 @@ static int update(EVP_MD_CTX *ctx, const + ERR_raise(ERR_LIB_EVP, EVP_R_ONLY_ONESHOT_SUPPORTED); + return 0; + } ++#endif /* !defined(FIPS_MODULE) */ + + /* + * If we get the "NULL" md then the name comes back as "UNDEF". We want to use +@@ -121,8 +122,10 @@ static int do_sigver_init(EVP_MD_CTX *ct + reinit = 0; + if (e == NULL) + ctx->pctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, props); ++#ifndef FIPS_MODULE + else + ctx->pctx = EVP_PKEY_CTX_new(pkey, e); ++#endif /* !defined(FIPS_MODULE) */ + } + if (ctx->pctx == NULL) + return 0; +@@ -132,8 +135,10 @@ static int do_sigver_init(EVP_MD_CTX *ct + locpctx = ctx->pctx; + ERR_set_mark(); + ++#ifndef FIPS_MODULE + if (evp_pkey_ctx_is_legacy(locpctx)) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + + /* do not reinitialize if pkey is set or operation is different */ + if (reinit +@@ -218,8 +223,10 @@ static int do_sigver_init(EVP_MD_CTX *ct + signature = + evp_signature_fetch_from_prov((OSSL_PROVIDER *)tmp_prov, + supported_sig, locpctx->propquery); ++#ifndef FIPS_MODULE + if (signature == NULL) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + break; + } + if (signature == NULL) +@@ -303,6 +310,7 @@ static int do_sigver_init(EVP_MD_CTX *ct + ctx->fetched_digest = EVP_MD_fetch(locpctx->libctx, mdname, props); + if (ctx->fetched_digest != NULL) { + ctx->digest = ctx->reqdigest = ctx->fetched_digest; ++#ifndef FIPS_MODULE + } else { + /* legacy engine support : remove the mark when this is deleted */ + ctx->reqdigest = ctx->digest = EVP_get_digestbyname(mdname); +@@ -311,11 +319,13 @@ static int do_sigver_init(EVP_MD_CTX *ct + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); + goto err; + } ++#endif /* !defined(FIPS_MODULE) */ + } + (void)ERR_pop_to_mark(); + } + } + ++#ifndef FIPS_MODULE + if (ctx->reqdigest != NULL + && !EVP_PKEY_is_a(locpctx->pkey, SN_hmac) + && !EVP_PKEY_is_a(locpctx->pkey, SN_tls1_prf) +@@ -327,6 +337,7 @@ static int do_sigver_init(EVP_MD_CTX *ct + goto err; + } + } ++#endif /* !defined(FIPS_MODULE) */ + + if (ver) { + if (signature->digest_verify_init == NULL) { +@@ -359,6 +370,7 @@ static int do_sigver_init(EVP_MD_CTX *ct + EVP_KEYMGMT_free(tmp_keymgmt); + return 0; + ++#ifndef FIPS_MODULE + legacy: + /* + * If we don't have the full support we need with provided methods, +@@ -430,6 +442,7 @@ static int do_sigver_init(EVP_MD_CTX *ct + ctx->pctx->flag_call_digest_custom = 1; + + ret = 1; ++#endif /* !defined(FIPS_MODULE) */ + + end: + #ifndef FIPS_MODULE +@@ -472,7 +485,6 @@ int EVP_DigestVerifyInit(EVP_MD_CTX *ctx + return do_sigver_init(ctx, pctx, type, NULL, NULL, NULL, e, pkey, 1, + NULL); + } +-#endif /* FIPS_MDOE */ + + int EVP_DigestSignUpdate(EVP_MD_CTX *ctx, const void *data, size_t dsize) + { +@@ -544,24 +556,30 @@ int EVP_DigestVerifyUpdate(EVP_MD_CTX *c + return EVP_DigestUpdate(ctx, data, dsize); + } + +-#ifndef FIPS_MODULE + int EVP_DigestSignFinal(EVP_MD_CTX *ctx, unsigned char *sigret, + size_t *siglen) + { +- int sctx = 0, r = 0; +- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; ++ int r = 0; ++#ifndef FIPS_MODULE ++ int sctx = 0; ++ EVP_PKEY_CTX *dctx = NULL; ++#endif /* !defined(FIPS_MODULE) */ ++ EVP_PKEY_CTX *pctx = ctx->pctx; + + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); + return 0; + } + ++#ifndef FIPS_MODULE + if (pctx == NULL + || pctx->operation != EVP_PKEY_OP_SIGNCTX + || pctx->op.sig.algctx == NULL + || pctx->op.sig.signature == NULL) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + ++#ifndef FIPS_MODULE + if (sigret != NULL && (ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { + /* try dup */ + dctx = EVP_PKEY_CTX_dup(pctx); +@@ -576,7 +594,14 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + else + EVP_PKEY_CTX_free(dctx); + return r; ++#else ++ r = pctx->op.sig.signature->digest_sign_final(pctx->op.sig.algctx, ++ sigret, siglen, ++ sigret == NULL ? 0 : *siglen); ++ return r; ++#endif /* !defined(FIPS_MODULE) */ + ++#ifndef FIPS_MODULE + legacy: + if (pctx == NULL || pctx->pmeth == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +@@ -649,6 +674,7 @@ int EVP_DigestSignFinal(EVP_MD_CTX *ctx, + } + } + return 1; ++#endif /* !defined(FIPS_MODULE) */ + } + + int EVP_DigestSign(EVP_MD_CTX *ctx, unsigned char *sigret, size_t *siglen, +@@ -687,23 +713,29 @@ int EVP_DigestSign(EVP_MD_CTX *ctx, unsi + int EVP_DigestVerifyFinal(EVP_MD_CTX *ctx, const unsigned char *sig, + size_t siglen) + { +- unsigned char md[EVP_MAX_MD_SIZE]; + int r = 0; ++#ifndef FIPS_MODULE ++ unsigned char md[EVP_MAX_MD_SIZE]; + unsigned int mdlen = 0; + int vctx = 0; +- EVP_PKEY_CTX *dctx = NULL, *pctx = ctx->pctx; ++ EVP_PKEY_CTX *dctx = NULL; ++#endif /* !defined(FIPS_MODULE) */ ++ EVP_PKEY_CTX *pctx = ctx->pctx; + + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISED) != 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_FINAL_ERROR); + return 0; + } + ++#ifndef FIPS_MODULE + if (pctx == NULL + || pctx->operation != EVP_PKEY_OP_VERIFYCTX + || pctx->op.sig.algctx == NULL + || pctx->op.sig.signature == NULL) + goto legacy; ++#endif /* !defined(FIPS_MODULE) */ + ++#ifndef FIPS_MODULE + if ((ctx->flags & EVP_MD_CTX_FLAG_FINALISE) == 0) { + /* try dup */ + dctx = EVP_PKEY_CTX_dup(pctx); +@@ -717,7 +749,13 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct + else + EVP_PKEY_CTX_free(dctx); + return r; ++#else ++ r = pctx->op.sig.signature->digest_verify_final(pctx->op.sig.algctx, ++ sig, siglen); ++ return r; ++#endif /* !defined(FIPS_MODULE) */ + ++#ifndef FIPS_MODULE + legacy: + if (pctx == NULL || pctx->pmeth == NULL) { + ERR_raise(ERR_LIB_EVP, EVP_R_INITIALIZATION_ERROR); +@@ -758,6 +796,7 @@ int EVP_DigestVerifyFinal(EVP_MD_CTX *ct + if (vctx || !r) + return r; + return EVP_PKEY_verify(pctx, sig, siglen, md, mdlen); ++#endif /* !defined(FIPS_MODULE) */ + } + + int EVP_DigestVerify(EVP_MD_CTX *ctx, const unsigned char *sigret, +@@ -790,4 +829,3 @@ int EVP_DigestVerify(EVP_MD_CTX *ctx, co + return -1; + return EVP_DigestVerifyFinal(ctx, sigret, siglen); + } +-#endif /* FIPS_MODULE */ +Index: openssl-3.2.3/providers/fips/self_test_kats.c +=================================================================== +--- openssl-3.2.3.orig/providers/fips/self_test_kats.c ++++ openssl-3.2.3/providers/fips/self_test_kats.c +@@ -450,10 +450,13 @@ static int self_test_sign(const ST_KAT_S + int ret = 0; + OSSL_PARAM *params = NULL, *params_sig = NULL; + OSSL_PARAM_BLD *bld = NULL; ++ EVP_MD *md = NULL; ++ EVP_MD_CTX *ctx = NULL; + EVP_PKEY_CTX *sctx = NULL, *kctx = NULL; + EVP_PKEY *pkey = NULL; +- unsigned char sig[256]; + BN_CTX *bnctx = NULL; ++ const char *msg = "Hello World!"; ++ unsigned char sig[256]; + size_t siglen = sizeof(sig); + static const unsigned char dgst[] = { + 0x7f, 0x83, 0xb1, 0x65, 0x7f, 0xf1, 0xfc, 0x53, 0xb9, 0x2d, 0xc1, 0x81, +@@ -487,23 +490,26 @@ static int self_test_sign(const ST_KAT_S + || EVP_PKEY_fromdata(kctx, &pkey, EVP_PKEY_KEYPAIR, params) <= 0) + goto err; + +- /* Create a EVP_PKEY_CTX to use for the signing operation */ +- sctx = EVP_PKEY_CTX_new_from_pkey(libctx, pkey, NULL); +- if (sctx == NULL +- || EVP_PKEY_sign_init(sctx) <= 0) +- goto err; +- +- /* set signature parameters */ +- if (!OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_SIGNATURE_PARAM_DIGEST, +- t->mdalgorithm, +- strlen(t->mdalgorithm) + 1)) +- goto err; ++ /* Create a EVP_MD_CTX to use for the signature operation, assign signature ++ * parameters and sign */ + params_sig = OSSL_PARAM_BLD_to_param(bld); +- if (EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) ++ md = EVP_MD_fetch(libctx, "SHA256", NULL); ++ ctx = EVP_MD_CTX_new(); ++ if (md == NULL || ctx == NULL) ++ goto err; ++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); ++ if (EVP_DigestSignInit(ctx, &sctx, md, NULL, pkey) <= 0 ++ || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0 ++ || EVP_DigestSign(ctx, sig, &siglen, (const unsigned char *)msg, strlen(msg)) <= 0 ++ || EVP_MD_CTX_reset(ctx) <= 0) + goto err; + +- if (EVP_PKEY_sign(sctx, sig, &siglen, dgst, sizeof(dgst)) <= 0 +- || EVP_PKEY_verify_init(sctx) <= 0 ++ /* sctx is not freed automatically inside the FIPS module */ ++ EVP_PKEY_CTX_free(sctx); ++ sctx = NULL; ++ ++ EVP_MD_CTX_set_flags(ctx, EVP_MD_CTX_FLAG_FINALISE | EVP_MD_CTX_FLAG_ONESHOT); ++ if (EVP_DigestVerifyInit(ctx, &sctx, md, NULL, pkey) <= 0 + || EVP_PKEY_CTX_set_params(sctx, params_sig) <= 0) + goto err; + +@@ -513,14 +519,17 @@ static int self_test_sign(const ST_KAT_S + goto err; + + OSSL_SELF_TEST_oncorrupt_byte(st, sig); +- if (EVP_PKEY_verify(sctx, sig, siglen, dgst, sizeof(dgst)) <= 0) ++ if (EVP_DigestVerify(ctx, sig, siglen, (const unsigned char *)msg, strlen(msg)) <= 0) + goto err; + ret = 1; + err: + BN_CTX_free(bnctx); + EVP_PKEY_free(pkey); +- EVP_PKEY_CTX_free(kctx); ++ EVP_MD_free(md); ++ EVP_MD_CTX_free(ctx); ++ /* sctx is not freed automatically inside the FIPS module */ + EVP_PKEY_CTX_free(sctx); ++ EVP_PKEY_CTX_free(kctx); + OSSL_PARAM_free(params); + OSSL_PARAM_free(params_sig); + OSSL_PARAM_BLD_free(bld); diff --git a/openssl-FIPS-early-KATS.patch b/openssl-FIPS-early-KATS.patch new file mode 100644 index 0000000..c18bfc8 --- /dev/null +++ b/openssl-FIPS-early-KATS.patch @@ -0,0 +1,54 @@ +From ba6e65e2f7e7fe8d9cd62e1e7e345bc41dda424f Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Thu, 19 Oct 2023 13:12:40 +0200 +Subject: [PATCH 21/46] 0047-FIPS-early-KATS.patch + +Patch-name: 0047-FIPS-early-KATS.patch +Patch-id: 47 +Patch-status: | + # # Execute KATS before HMAC verification +From-dist-git-commit: 5c67b5adc311af297f425c09e3e1ac7ca8483911 +--- + providers/fips/self_test.c | 22 ++++++++++------------ + 1 file changed, 10 insertions(+), 12 deletions(-) + +Index: openssl-3.2.3/providers/fips/self_test.c +=================================================================== +--- openssl-3.2.3.orig/providers/fips/self_test.c ++++ openssl-3.2.3/providers/fips/self_test.c +@@ -507,6 +507,16 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + if (ev == NULL) + goto end; + ++ /* ++ * Run the KAT's before HMAC verification according to FIPS-140-3 requirements ++ */ ++ if (kats_already_passed == 0) { ++ if (!SELF_TEST_kats(ev, st->libctx)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); ++ goto end; ++ } ++ } ++ + if (st->module_checksum_data == NULL) { + module_checksum = fips_hmac_container; + checksum_len = sizeof(fips_hmac_container); +@@ -575,18 +585,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + } + } + +- /* +- * Only runs the KAT's during installation OR on_demand(). +- * NOTE: If the installation option 'self_test_onload' is chosen then this +- * path will always be run, since kats_already_passed will always be 0. +- */ +- if (on_demand_test || kats_already_passed == 0) { +- if (!SELF_TEST_kats(ev, st->libctx)) { +- ERR_raise(ERR_LIB_PROV, PROV_R_SELF_TEST_KAT_FAILURE); +- goto end; +- } +- } +- + /* Verify that the RNG has been restored properly */ + rng = ossl_rand_get0_private_noncreating(st->libctx); + if (rng != NULL) diff --git a/openssl-FIPS-embed-hmac.patch b/openssl-FIPS-embed-hmac.patch new file mode 100644 index 0000000..4ab0e3a --- /dev/null +++ b/openssl-FIPS-embed-hmac.patch @@ -0,0 +1,392 @@ +From 831d0025257fd3746ab3fe30c05dbbfc0043f78e Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 16/49] 0033-FIPS-embed-hmac.patch + +Patch-name: 0033-FIPS-embed-hmac.patch +Patch-id: 33 +Patch-status: | + # # Embed HMAC into the fips.so + # Modify fips self test as per + # https://github.com/simo5/openssl/commit/9b95ef8bd2f5ac862e5eee74c724b535f1a8578a +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + providers/fips/self_test.c | 204 ++++++++++++++++++++++++-- + test/fipsmodule.cnf | 2 + + test/recipes/00-prep_fipsmodule_cnf.t | 2 +- + test/recipes/01-test_fipsmodule_cnf.t | 2 +- + test/recipes/03-test_fipsinstall.t | 2 +- + test/recipes/30-test_defltfips.t | 2 +- + test/recipes/80-test_ssl_new.t | 2 +- + test/recipes/90-test_sslapi.t | 2 +- + 8 files changed, 200 insertions(+), 18 deletions(-) + create mode 100644 test/fipsmodule.cnf + +Index: openssl-3.2.3/providers/fips/self_test.c +=================================================================== +--- openssl-3.2.3.orig/providers/fips/self_test.c ++++ openssl-3.2.3/providers/fips/self_test.c +@@ -230,11 +230,133 @@ err: + return ok; + } + ++#define HMAC_LEN 32 ++/* ++ * The __attribute__ ensures we've created the .rodata1 section ++ * static ensures it's zero filled ++*/ ++static const unsigned char __attribute__ ((section (".rodata1"))) fips_hmac_container[HMAC_LEN] = {0}; ++ + /* + * Calculate the HMAC SHA256 of data read using a BIO and read_cb, and verify + * the result matches the expected value. + * Return 1 if verified, or 0 if it fails. + */ ++ ++#ifndef __USE_GNU ++#define __USE_GNU ++#include ++#undef __USE_GNU ++#else ++#include ++#endif ++#include ++ ++static int verify_integrity_rodata(OSSL_CORE_BIO *bio, ++ OSSL_FUNC_BIO_read_ex_fn read_ex_cb, ++ unsigned char *expected, size_t expected_len, ++ OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, ++ const char *event_type) ++{ ++ int ret = 0, status; ++ unsigned char out[MAX_MD_SIZE]; ++ unsigned char buf[INTEGRITY_BUF_SIZE]; ++ size_t bytes_read = 0, out_len = 0; ++ EVP_MAC *mac = NULL; ++ EVP_MAC_CTX *ctx = NULL; ++ OSSL_PARAM params[2], *p = params; ++ Dl_info info; ++ void *extra_info = NULL; ++ struct link_map *lm = NULL; ++ unsigned long paddr; ++ unsigned long off = 0; ++ ++ if (expected_len != HMAC_LEN) ++ goto err; ++ ++ if (!integrity_self_test(ev, libctx)) ++ goto err; ++ ++ OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); ++ ++ if (!dladdr1 ((const void *)fips_hmac_container, ++ &info, &extra_info, RTLD_DL_LINKMAP)) ++ goto err; ++ lm = extra_info; ++ paddr = (unsigned long)fips_hmac_container - lm->l_addr; ++ ++ mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); ++ if (mac == NULL) ++ goto err; ++ ctx = EVP_MAC_CTX_new(mac); ++ if (ctx == NULL) ++ goto err; ++ ++ *p++ = OSSL_PARAM_construct_utf8_string("digest", DIGEST_NAME, 0); ++ *p = OSSL_PARAM_construct_end(); ++ ++ if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) ++ goto err; ++ ++ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (off < paddr) { ++ int delta = paddr - off; ++ status = read_ex_cb(bio, buf, delta, &bytes_read); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ /* read away the buffer */ ++ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); ++ if (status != 1) ++ goto err; ++ ++ /* check that it is the expect bytes, no point in continuing otherwise */ ++ if (memcmp(expected, buf, HMAC_LEN) != 0) ++ goto err; ++ ++ /* replace in-file HMAC buffer with the original zeros */ ++ memset(buf, 0, HMAC_LEN); ++ if (!EVP_MAC_update(ctx, buf, HMAC_LEN)) ++ goto err; ++ off += HMAC_LEN; ++ ++ while (bytes_read > 0) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) ++ goto err; ++ ++ OSSL_SELF_TEST_oncorrupt_byte(ev, out); ++ if (expected_len != out_len ++ || memcmp(expected, out, out_len) != 0) ++ goto err; ++ ret = 1; ++err: ++ OPENSSL_cleanse(out, MAX_MD_SIZE); ++ OSSL_SELF_TEST_onend(ev, ret); ++ EVP_MAC_CTX_free(ctx); ++ EVP_MAC_free(mac); ++ return ret; ++} ++ + static int verify_integrity(OSSL_CORE_BIO *bio, OSSL_FUNC_BIO_read_ex_fn read_ex_cb, + unsigned char *expected, size_t expected_len, + OSSL_LIB_CTX *libctx, OSSL_SELF_TEST *ev, +@@ -247,12 +369,23 @@ static int verify_integrity(OSSL_CORE_BI + EVP_MAC *mac = NULL; + EVP_MAC_CTX *ctx = NULL; + OSSL_PARAM params[2], *p = params; ++ Dl_info info; ++ void *extra_info = NULL; ++ struct link_map *lm = NULL; ++ unsigned long paddr; ++ unsigned long off = 0; + + if (!integrity_self_test(ev, libctx)) + goto err; + + OSSL_SELF_TEST_onbegin(ev, event_type, OSSL_SELF_TEST_DESC_INTEGRITY_HMAC); + ++ if (!dladdr1 ((const void *)fips_hmac_container, ++ &info, &extra_info, RTLD_DL_LINKMAP)) ++ goto err; ++ lm = extra_info; ++ paddr = (unsigned long)fips_hmac_container - lm->l_addr; ++ + mac = EVP_MAC_fetch(libctx, MAC_NAME, NULL); + if (mac == NULL) + goto err; +@@ -266,13 +399,42 @@ static int verify_integrity(OSSL_CORE_BI + if (!EVP_MAC_init(ctx, fixed_key, sizeof(fixed_key), params)) + goto err; + +- while (1) { +- status = read_ex_cb(bio, buf, sizeof(buf), &bytes_read); ++ while ((off + INTEGRITY_BUF_SIZE) <= paddr) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); + if (status != 1) + break; + if (!EVP_MAC_update(ctx, buf, bytes_read)) + goto err; ++ off += bytes_read; + } ++ ++ if (off + INTEGRITY_BUF_SIZE > paddr) { ++ int delta = paddr - off; ++ status = read_ex_cb(bio, buf, delta, &bytes_read); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ ++ status = read_ex_cb(bio, buf, HMAC_LEN, &bytes_read); ++ memset(buf, 0, HMAC_LEN); ++ if (status != 1) ++ goto err; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ ++ while (bytes_read > 0) { ++ status = read_ex_cb(bio, buf, INTEGRITY_BUF_SIZE, &bytes_read); ++ if (status != 1) ++ break; ++ if (!EVP_MAC_update(ctx, buf, bytes_read)) ++ goto err; ++ off += bytes_read; ++ } ++ + if (!EVP_MAC_final(ctx, out, &out_len, sizeof(out))) + goto err; + +@@ -282,6 +444,7 @@ static int verify_integrity(OSSL_CORE_BI + goto err; + ret = 1; + err: ++ OPENSSL_cleanse(out, sizeof(out)); + OSSL_SELF_TEST_onend(ev, ret); + EVP_MAC_CTX_free(ctx); + EVP_MAC_free(mac); +@@ -335,8 +498,7 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + return 0; + } + +- if (st == NULL +- || st->module_checksum_data == NULL) { ++ if (st == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MISSING_CONFIG_DATA); + goto end; + } +@@ -345,8 +507,14 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + if (ev == NULL) + goto end; + +- module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, +- &checksum_len); ++ if (st->module_checksum_data == NULL) { ++ module_checksum = fips_hmac_container; ++ checksum_len = sizeof(fips_hmac_container); ++ } else { ++ module_checksum = OPENSSL_hexstr2buf(st->module_checksum_data, ++ &checksum_len); ++ } ++ + if (module_checksum == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_CONFIG_DATA); + goto end; +@@ -354,14 +522,27 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + bio_module = (*st->bio_new_file_cb)(st->module_filename, "rb"); + + /* Always check the integrity of the fips module */ +- if (bio_module == NULL +- || !verify_integrity(bio_module, st->bio_read_ex_cb, +- module_checksum, checksum_len, st->libctx, +- ev, OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ if (bio_module == NULL) { + ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); + goto end; + } +- ++ if (st->module_checksum_data == NULL) { ++ if (!verify_integrity_rodata(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, ++ st->libctx, ev, ++ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } else { ++ if (!verify_integrity(bio_module, st->bio_read_ex_cb, ++ module_checksum, checksum_len, ++ st->libctx, ev, ++ OSSL_SELF_TEST_TYPE_MODULE_INTEGRITY)) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_MODULE_INTEGRITY_FAILURE); ++ goto end; ++ } ++ } + /* This will be NULL during installation - so the self test KATS will run */ + if (st->indicator_data != NULL) { + /* +@@ -420,7 +601,6 @@ int SELF_TEST_post(SELF_TEST_POST_PARAMS + end: + EVP_RAND_free(testrand); + OSSL_SELF_TEST_free(ev); +- OPENSSL_free(module_checksum); + OPENSSL_free(indicator_checksum); + + if (st != NULL) { +Index: openssl-3.2.3/test/fipsmodule.cnf +=================================================================== +--- /dev/null ++++ openssl-3.2.3/test/fipsmodule.cnf +@@ -0,0 +1,2 @@ ++[fips_sect] ++activate = 1 +Index: openssl-3.2.3/test/recipes/00-prep_fipsmodule_cnf.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/00-prep_fipsmodule_cnf.t ++++ openssl-3.2.3/test/recipes/00-prep_fipsmodule_cnf.t +@@ -20,7 +20,7 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + +-my $no_check = disabled("fips"); ++my $no_check = 1; + plan skip_all => "FIPS module config file only supported in a fips build" + if $no_check; + +Index: openssl-3.2.3/test/recipes/01-test_fipsmodule_cnf.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/01-test_fipsmodule_cnf.t ++++ openssl-3.2.3/test/recipes/01-test_fipsmodule_cnf.t +@@ -23,7 +23,7 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + +-my $no_check = disabled("fips"); ++my $no_check = 1; + plan skip_all => "Test only supported in a fips build" + if $no_check; + plan tests => 1; +Index: openssl-3.2.3/test/recipes/03-test_fipsinstall.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/03-test_fipsinstall.t ++++ openssl-3.2.3/test/recipes/03-test_fipsinstall.t +@@ -22,7 +22,7 @@ use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + use platform; + +-plan skip_all => "Test only supported in a fips build" if disabled("fips"); ++plan skip_all => "Test only supported in a fips build" if 1; + + # Compatible options for pedantic FIPS compliance + my @pedantic_okay = +Index: openssl-3.2.3/test/recipes/30-test_defltfips.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/30-test_defltfips.t ++++ openssl-3.2.3/test/recipes/30-test_defltfips.t +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "Configuration loading is turned off" + if disabled("autoload-config"); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + + plan tests => + ($no_fips ? 1 : 5); +Index: openssl-3.2.3/test/recipes/80-test_ssl_new.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/80-test_ssl_new.t ++++ openssl-3.2.3/test/recipes/80-test_ssl_new.t +@@ -27,7 +27,7 @@ setup("test_ssl_new"); + use lib srctop_dir('Configurations'); + use lib bldtop_dir('.'); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + + $ENV{TEST_CERTS_DIR} = srctop_dir("test", "certs"); + +Index: openssl-3.2.3/test/recipes/90-test_sslapi.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/90-test_sslapi.t ++++ openssl-3.2.3/test/recipes/90-test_sslapi.t +@@ -14,7 +14,7 @@ BEGIN { + setup("test_sslapi"); + } + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; #disabled('fips') || ($ENV{NO_FIPS} // 0); + my $fipsmodcfg_filename = "fipsmodule.cnf"; + my $fipsmodcfg = bldtop_file("test", $fipsmodcfg_filename); + diff --git a/openssl-FIPS-enforce-EMS-support.patch b/openssl-FIPS-enforce-EMS-support.patch new file mode 100644 index 0000000..19475d6 --- /dev/null +++ b/openssl-FIPS-enforce-EMS-support.patch @@ -0,0 +1,242 @@ +From 9b02ad7225b74a5b9088b361caead0a41e570e93 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 16:40:56 +0200 +Subject: [PATCH 48/48] 0114-FIPS-enforce-EMS-support.patch + +Patch-name: 0114-FIPS-enforce-EMS-support.patch +Patch-id: 114 +Patch-status: | + # We believe that some changes present in CentOS are not necessary + # because ustream has a check for FIPS version +--- + doc/man3/SSL_CONF_cmd.pod | 3 +++ + doc/man5/fips_config.pod | 13 +++++++++++ + include/openssl/fips_names.h | 8 +++++++ + include/openssl/ssl.h.in | 1 + + providers/fips/fipsprov.c | 2 +- + providers/implementations/kdfs/tls1_prf.c | 22 +++++++++++++++++++ + ssl/ssl_conf.c | 1 + + ssl/statem/extensions_srvr.c | 8 ++++++- + ssl/t1_enc.c | 11 ++++++++-- + .../30-test_evp_data/evpkdf_tls12_prf.txt | 10 +++++++++ + test/sslapitest.c | 2 +- + 11 files changed, 76 insertions(+), 5 deletions(-) + +diff --git a/doc/man3/SSL_CONF_cmd.pod b/doc/man3/SSL_CONF_cmd.pod +index ae6ca43282..b83c04a308 100644 +--- a/doc/man3/SSL_CONF_cmd.pod ++++ b/doc/man3/SSL_CONF_cmd.pod +@@ -524,6 +524,9 @@ B: use extended master secret extension, enabled by + default. Inverse of B: that is, + B<-ExtendedMasterSecret> is the same as setting B. + ++B: allow establishing connections without EMS in FIPS mode. ++This is a downstream specific option, and normally it should be set up via crypto policies. ++ + B: use CA names extension, enabled by + default. Inverse of B: that is, + B<-CANames> is the same as setting B. +diff --git a/doc/man5/fips_config.pod b/doc/man5/fips_config.pod +index 1c15e32a5c..f2cedaf88d 100644 +--- a/doc/man5/fips_config.pod ++++ b/doc/man5/fips_config.pod +@@ -15,6 +15,19 @@ for more information. + + This functionality was added in OpenSSL 3.0. + ++SUSE Enterprise Linux uses a supplementary config for FIPS module located in ++OpenSSL configuration directory and managed by crypto policies. If present, it ++should have format ++ ++ [fips_sect] ++ tls1-prf-ems-check = 0 ++ activate = 1 ++ ++The B option specifies whether FIPS module will require the ++presence of extended master secret or not. ++ ++The B option enforces FIPS provider activation. ++ + =head1 COPYRIGHT + + Copyright 2019-2021 The OpenSSL Project Authors. All Rights Reserved. +diff --git a/include/openssl/fips_names.h b/include/openssl/fips_names.h +index 5c77f6d691..8cdd5a6bf7 100644 +--- a/include/openssl/fips_names.h ++++ b/include/openssl/fips_names.h +@@ -70,6 +70,14 @@ extern "C" { + */ + # define OSSL_PROV_FIPS_PARAM_DRBG_TRUNC_DIGEST "drbg-no-trunc-md" + ++/* ++ * A boolean that determines if the runtime FIPS check for TLS1_PRF EMS is performed. ++ * This is disabled by default. ++ * ++ * Type: OSSL_PARAM_UTF8_STRING ++ */ ++# define OSSL_PROV_FIPS_PARAM_TLS1_PRF_EMS_CHECK "tls1-prf-ems-check" ++ + # ifdef __cplusplus + } + # endif +diff --git a/include/openssl/ssl.h.in b/include/openssl/ssl.h.in +index 0b6de603e2..26a69ca282 100644 +--- a/include/openssl/ssl.h.in ++++ b/include/openssl/ssl.h.in +@@ -415,6 +415,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg); + * interoperability with CryptoPro CSP 3.x + */ + # define SSL_OP_CRYPTOPRO_TLSEXT_BUG SSL_OP_BIT(31) ++# define SSL_OP_PERMIT_NOEMS_FIPS SSL_OP_BIT(48) + /* + * Disable RFC8879 certificate compression + * SSL_OP_NO_TX_CERTIFICATE_COMPRESSION: don't send compressed certificates, +diff --git a/providers/fips/fipsprov.c b/providers/fips/fipsprov.c +index 5ff9872bd8..eb9653a9df 100644 +--- a/providers/fips/fipsprov.c ++++ b/providers/fips/fipsprov.c +@@ -105,7 +105,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_LIB_CTX *libctx) + if (fgbl == NULL) + return NULL; + init_fips_option(&fgbl->fips_security_checks, 1); +- init_fips_option(&fgbl->fips_tls1_prf_ems_check, 0); /* Disabled by default */ ++ init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */ + init_fips_option(&fgbl->fips_restricted_drgb_digests, 0); + return fgbl; + } +diff --git a/providers/implementations/kdfs/tls1_prf.c b/providers/implementations/kdfs/tls1_prf.c +index 25a6c79a2e..79bc7a9719 100644 +--- a/providers/implementations/kdfs/tls1_prf.c ++++ b/providers/implementations/kdfs/tls1_prf.c +@@ -222,6 +223,27 @@ static int kdf_tls1_prf_derive(void *vctx, unsigned char *key, size_t keylen, + } + } + ++ /* ++ * The seed buffer is prepended with a label. ++ * If EMS mode is enforced then the label "master secret" is not allowed, ++ * We do the check this way since the PRF is used for other purposes, as well ++ * as "extended master secret". ++ */ ++#ifdef FIPS_MODULE ++ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, ++ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) ++ ctx->fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++#endif /* defined(FIPS_MODULE) */ ++ if (ossl_tls1_prf_ems_check_enabled(libctx)) { ++ if (ctx->seedlen >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(ctx->seed, TLS_MD_MASTER_SECRET_CONST, ++ TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_EMS_NOT_ENABLED); ++ return 0; ++ } ++ } ++ + return tls1_prf_alg(ctx->P_hash, ctx->P_sha1, + ctx->sec, ctx->seclen, + ctx->seed, ctx->seedlen, +diff --git a/ssl/ssl_conf.c b/ssl/ssl_conf.c +index 5146cedb96..086db98c33 100644 +--- a/ssl/ssl_conf.c ++++ b/ssl/ssl_conf.c +@@ -389,6 +389,7 @@ static int cmd_Options(SSL_CONF_CTX *cctx, const char *value) + SSL_FLAG_TBL("ClientRenegotiation", + SSL_OP_ALLOW_CLIENT_RENEGOTIATION), + SSL_FLAG_TBL_INV("EncryptThenMac", SSL_OP_NO_ENCRYPT_THEN_MAC), ++ SSL_FLAG_TBL("RHNoEnforceEMSinFIPS", SSL_OP_PERMIT_NOEMS_FIPS), + SSL_FLAG_TBL("NoRenegotiation", SSL_OP_NO_RENEGOTIATION), + SSL_FLAG_TBL("AllowNoDHEKEX", SSL_OP_ALLOW_NO_DHE_KEX), + SSL_FLAG_TBL("PrioritizeChaCha", SSL_OP_PRIORITIZE_CHACHA), +diff --git a/ssl/statem/extensions_srvr.c b/ssl/statem/extensions_srvr.c +index 00b1ee531e..22cdabb308 100644 +--- a/ssl/statem/extensions_srvr.c ++++ b/ssl/statem/extensions_srvr.c +@@ -11,6 +11,7 @@ + #include "../ssl_local.h" + #include "statem_local.h" + #include "internal/cryptlib.h" ++#include + + #define COOKIE_STATE_FORMAT_VERSION 1 + +@@ -1552,8 +1553,13 @@ EXT_RETURN tls_construct_stoc_etm(SSL *s, WPACKET *pkt, unsigned int context, + unsigned int context, + X509 *x, size_t chainidx) + { +- if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) ++ if ((s->s3.flags & TLS1_FLAGS_RECEIVED_EXTMS) == 0) { ++ if (FIPS_mode() && !(SSL_get_options(SSL_CONNECTION_GET_SSL(s)) & SSL_OP_PERMIT_NOEMS_FIPS) ) { ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); ++ return EXT_RETURN_FAIL; ++ } + return EXT_RETURN_NOT_SENT; ++ } + + if (!WPACKET_put_bytes_u16(pkt, TLSEXT_TYPE_extended_master_secret) + || !WPACKET_put_bytes_u16(pkt, 0)) { +diff --git a/ssl/t1_enc.c b/ssl/t1_enc.c +index 91238e6457..e8ad8ecd9e 100644 +--- a/ssl/t1_enc.c ++++ b/ssl/t1_enc.c +@@ -20,6 +20,7 @@ + #include + #include + #include ++#include + + /* seed1 through seed5 are concatenated */ + static int tls1_PRF(SSL_CONNECTION *s, +@@ -75,8 +76,14 @@ static int tls1_PRF(SSL *s, + } + + err: +- if (fatal) +- SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ if (fatal) { ++ /* The calls to this function are local so it's safe to implement the check */ ++ if (FIPS_mode() && seed1_len >= TLS_MD_MASTER_SECRET_CONST_SIZE ++ && memcmp(seed1, TLS_MD_MASTER_SECRET_CONST, TLS_MD_MASTER_SECRET_CONST_SIZE) == 0) ++ SSLfatal(s, SSL_AD_HANDSHAKE_FAILURE, ERR_R_UNSUPPORTED); ++ else ++ SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); ++ } + else + ERR_raise(ERR_LIB_SSL, ERR_R_INTERNAL_ERROR); + EVP_KDF_CTX_free(kctx); +diff --git a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +index 44040ff66b..deb6bf3fcb 100644 +--- a/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt ++++ b/test/recipes/30-test_evp_data/evpkdf_tls12_prf.txt +@@ -22,6 +22,16 @@ Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587c + Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce + Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf + ++Availablein = fips ++KDF = TLS1-PRF ++Ctrl.digest = digest:SHA256 ++Ctrl.Secret = hexsecret:f8938ecc9edebc5030c0c6a441e213cd24e6f770a50dda07876f8d55da062bcadb386b411fd4fe4313a604fce6c17fbc ++Ctrl.label = seed:master secret ++Ctrl.client_random = hexseed:36c129d01a3200894b9179faac589d9835d58775f9b5ea3587cb8fd0364cae8c ++Ctrl.server_random = hexseed:f6c9575ed7ddd73e1f7d16eca115415812a43c2b747daaaae043abfb50053fce ++Output = 202c88c00f84a17a20027079604787461176455539e705be730890602c289a5001e34eeb3a043e5d52a65e66125188bf ++Result = KDF_DERIVE_ERROR ++ + FIPSversion = <=3.1.0 + KDF = TLS1-PRF + Ctrl.digest = digest:SHA256 +diff --git a/test/sslapitest.c b/test/sslapitest.c +index 169e3c7466..e67b5bb44c 100644 +--- a/test/sslapitest.c ++++ b/test/sslapitest.c +@@ -574,7 +574,7 @@ static int test_client_cert_verify_cb(void) + STACK_OF(X509) *server_chain; + SSL_CTX *cctx = NULL, *sctx = NULL; + SSL *clientssl = NULL, *serverssl = NULL; +- int testresult = 0; ++ int testresult = 0, status; + + if (!TEST_true(create_ssl_ctx_pair(libctx, TLS_server_method(), + TLS_client_method(), TLS1_VERSION, 0, +-- +2.41.0 diff --git a/openssl-FIPS-enforce-security-checks-during-initialization.patch b/openssl-FIPS-enforce-security-checks-during-initialization.patch new file mode 100644 index 0000000..8278135 --- /dev/null +++ b/openssl-FIPS-enforce-security-checks-during-initialization.patch @@ -0,0 +1,22 @@ +Index: openssl-3.1.4/providers/fips/fipsprov.c +=================================================================== +--- openssl-3.1.4.orig/providers/fips/fipsprov.c ++++ openssl-3.1.4/providers/fips/fipsprov.c +@@ -107,7 +107,7 @@ void *ossl_fips_prov_ossl_ctx_new(OSSL_L + return NULL; + init_fips_option(&fgbl->fips_security_checks, 1); + init_fips_option(&fgbl->fips_tls1_prf_ems_check, 1); /* Enabled by default */ +- init_fips_option(&fgbl->fips_restricted_drgb_digests, 0); ++ init_fips_option(&fgbl->fips_restricted_drgb_digests, 1); /* Enabled by default */ + return fgbl; + } + +@@ -820,8 +820,6 @@ int OSSL_provider_init_int(const OSSL_CO + if (fgbl->field.option != NULL) { \ + if (strcmp(fgbl->field.option, "1") == 0) \ + fgbl->field.enabled = 1; \ +- else if (strcmp(fgbl->field.option, "0") == 0) \ +- fgbl->field.enabled = 0; \ + else \ + goto err; \ + } diff --git a/openssl-FIPS-limit-rsa-encrypt.patch b/openssl-FIPS-limit-rsa-encrypt.patch new file mode 100644 index 0000000..d17ae3d --- /dev/null +++ b/openssl-FIPS-limit-rsa-encrypt.patch @@ -0,0 +1,949 @@ +From 012e319b3d5b936a9208b1c75c13d9c4a2d0cc04 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 24/49] 0058-FIPS-limit-rsa-encrypt.patch + +Patch-name: 0058-FIPS-limit-rsa-encrypt.patch +Patch-id: 58 +Patch-status: | + # # https://bugzilla.redhat.com/show_bug.cgi?id=2053289 +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + providers/common/securitycheck.c | 1 + + .../implementations/asymciphers/rsa_enc.c | 35 +++++ + .../30-test_evp_data/evppkey_rsa_common.txt | 140 +++++++++++++----- + test/recipes/80-test_cms.t | 5 +- + test/recipes/80-test_ssl_old.t | 27 +++- + 5 files changed, 168 insertions(+), 40 deletions(-) + +Index: openssl-3.2.3/providers/common/securitycheck.c +=================================================================== +--- openssl-3.2.3.orig/providers/common/securitycheck.c ++++ openssl-3.2.3/providers/common/securitycheck.c +@@ -27,6 +27,10 @@ + * Set protect = 1 for encryption or signing operations, or 0 otherwise. See + * https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-131Ar2.pdf. + */ ++/* ++ * SUSE/openSUSE builds implement some extra limitations in ++ * providers/implementations/asymciphers/rsa_enc.c ++ */ + int ossl_rsa_check_key(OSSL_LIB_CTX *ctx, const RSA *rsa, int operation) + { + int protect = 0; +Index: openssl-3.2.3/providers/implementations/asymciphers/rsa_enc.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/asymciphers/rsa_enc.c ++++ openssl-3.2.3/providers/implementations/asymciphers/rsa_enc.c +@@ -135,6 +135,17 @@ static int rsa_decrypt_init(void *vprsac + return rsa_init(vprsactx, vrsa, params, EVP_PKEY_OP_DECRYPT); + } + ++# ifdef FIPS_MODULE ++static int fips_padding_allowed(const PROV_RSA_CTX *prsactx) ++{ ++ if (prsactx->pad_mode == RSA_PKCS1_PADDING || prsactx->pad_mode == RSA_NO_PADDING ++ || prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) ++ return 0; ++ ++ return 1; ++} ++# endif ++ + static int rsa_encrypt(void *vprsactx, unsigned char *out, size_t *outlen, + size_t outsize, const unsigned char *in, size_t inlen) + { +@@ -144,6 +155,18 @@ static int rsa_encrypt(void *vprsactx, u + if (!ossl_prov_is_running()) + return 0; + ++# ifdef FIPS_MODULE ++ if (fips_padding_allowed(prsactx) == 0) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); ++ return 0; ++ } ++ ++ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++# endif ++ + if (out == NULL) { + size_t len = RSA_size(prsactx->rsa); + +@@ -206,6 +229,18 @@ static int rsa_decrypt(void *vprsactx, u + if (!ossl_prov_is_running()) + return 0; + ++# ifdef FIPS_MODULE ++ if (fips_padding_allowed(prsactx) == 0) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_ILLEGAL_OR_UNSUPPORTED_PADDING_MODE); ++ return 0; ++ } ++ ++ if (RSA_bits(prsactx->rsa) < OPENSSL_RSA_FIPS_MIN_MODULUS_BITS) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++# endif ++ + if (prsactx->pad_mode == RSA_PKCS1_WITH_TLS_PADDING) { + if (out == NULL) { + *outlen = SSL_MAX_MASTER_KEY_LENGTH; +Index: openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +=================================================================== +--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evppkey_rsa_common.txt ++++ openssl-3.2.3/test/recipes/30-test_evp_data/evppkey_rsa_common.txt +@@ -263,13 +263,13 @@ Input = 64b0e9f9892371110c40ba5739dc0974 + Output = 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef + + # RSA decrypt +- ++Availablein = default + Decrypt = RSA-2048 + Input = 550AF55A2904E7B9762352F8FB7FA235A9CB053AACB2D5FCB8CA48453CB2EE3619746C701ABF2D4CC67003471A187900B05AA812BD25ED05C675DFC8C97A24A7BF49BD6214992CAD766D05A9A2B57B74F26A737E0237B8B76C45F1F226A836D7CFBC75BA999BDBE48DBC09227AA46C88F21DCCBA7840141AD5A5D71FD122E6BD6AC3E564780DFE623FC1CA9B995A6037BF0BBD43B205A84AC5444F34202C05CE9113087176432476576DE6FFFF9A52EA57C08BE3EC2F49676CB8E12F762AC71FA3C321E00AC988910C85FF52F93825666CE0D40FFAA0592078919D4493F46D95CCF76364C6D57760DD0B64805F9AFC76A2365A5575CA301D5103F0EA76CB9A78 + Output = "Hello World" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Note: disable the Bleichenbacher workaround to see if it passes + Decrypt = RSA-2048 + Ctrl = rsa_pkcs1_implicit_rejection:0 +@@ -277,7 +277,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235 + Output = "Hello World" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Corrupted ciphertext + # Note: output is generated synthethically by the Bleichenbacher workaround + Decrypt = RSA-2048 +@@ -285,7 +285,7 @@ Input = 550AF55A2904E7B9762352F8FB7FA235 + Output = 4cbb988d6a46228379132b0b5f8c249b3860043848c93632fb982c807c7c82fffc7a9ef83f4908f890373ac181ffea6381e103bcaa27e65638b6ecebef38b59ed4226a9d12af675cfcb634d8c40e7a7aff + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # Corrupted ciphertext + # Note: disable the Bleichenbacher workaround to see if it fails + Decrypt = RSA-2048 +@@ -360,82 +360,90 @@ PrivPubKeyPair = RSA-2048-2:RSA-2048-2-P + # RSA decrypt + + # a random positive test case ++Availablein = default + Decrypt = RSA-2048-2 + Input = 8bfe264e85d3bdeaa6b8851b8e3b956ee3d226fd3f69063a86880173a273d9f283b2eebdd1ed35f7e02d91c571981b6737d5320bd8396b0f3ad5b019daec1b0aab3cbbc026395f4fd14f13673f2dfc81f9b660ec26ac381e6db3299b4e460b43fab9955df2b3cfaa20e900e19c856238fd371899c2bf2ce8c868b76754e5db3b036533fd603746be13c10d4e3e6022ebc905d20c2a7f32b215a4cd53b3f44ca1c327d2c2b651145821c08396c89071f665349c25e44d2733cd9305985ceef6430c3cf57af5fa224089221218fa34737c79c446d28a94c41c96e4e92ac53fbcf384dea8419ea089f8784445a492c812eb0d409467f75afd7d4d1078886205a066 + Output = "lorem ipsum dolor sit amet" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case decrypting to empty + Decrypt = RSA-2048-2 + Input = 20aaa8adbbc593a924ba1c5c7990b5c2242ae4b99d0fe636a19a4cf754edbcee774e472fe028160ed42634f8864900cb514006da642cae6ae8c7d087caebcfa6dad1551301e130344989a1d462d4164505f6393933450c67bc6d39d8f5160907cabc251b737925a1cf21e5c6aa5781b7769f6a2a583d97cce008c0f8b6add5f0b2bd80bee60237aa39bb20719fe75749f4bc4e42466ef5a861ae3a92395c7d858d430bfe38040f445ea93fa2958b503539800ffa5ce5f8cf51fa8171a91f36cb4f4575e8de6b4d3f096ee140b938fd2f50ee13f0d050222e2a72b0a3069ff3a6738e82c87090caa5aed4fcbe882c49646aa250b98f12f83c8d528113614a29e7 + Output = + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # invalid decrypting to max length message + Decrypt = RSA-2048-2 + Input = 48cceab10f39a4db32f60074feea473cbcdb7accf92e150417f76b44756b190e843e79ec12aa85083a21f5437e7bad0a60482e601198f9d86923239c8786ee728285afd0937f7dde12717f28389843d7375912b07b991f4fdb0190fced8ba665314367e8c5f9d2981d0f5128feeb46cb50fc237e64438a86df198dd0209364ae3a842d77532b66b7ef263b83b1541ed671b120dfd660462e2107a4ee7b964e734a7bd68d90dda61770658a3c242948532da32648687e0318286473f675b412d6468f013f14d760a358dfcad3cda2afeec5e268a37d250c37f722f468a70dfd92d7294c3c1ee1e7f8843b7d16f9f37ef35748c3ae93aa155cdcdfeb4e78567303 + Output = 22d850137b9eebe092b24f602dc5bb7918c16bd89ddbf20467b119d205f9c2e4bd7d2592cf1e532106e0f33557565923c73a02d4f09c0c22bea89148183e60317f7028b3aa1f261f91c979393101d7e15f4067e63979b32751658ef769610fe97cf9cef3278b3117d384051c3b1d82c251c2305418c8f6840530e631aad63e70e20e025bcd8efb54c92ec6d3b106a2f8e64eeff7d38495b0fc50c97138af4b1c0a67a1c4e27b077b8439332edfa8608dfeae653cd6a628ac550395f7e74390e42c11682234870925eeaa1fa71b76cf1f2ee3bda69f6717033ff8b7c95c9799e7a3bea5e7e4a1c359772fb6b1c6e6c516661dfe30c3 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 + # invalid decrypting to message with length specified by second to last value from PRF ++Availablein = default + Decrypt = RSA-2048-2 + Input = 1439e08c3f84c1a7fec74ce07614b20e01f6fa4e8c2a6cffdc3520d8889e5d9a950c6425798f85d4be38d300ea5695f13ecd4cb389d1ff5b82484b494d6280ab7fa78e645933981cb934cce8bfcd114cc0e6811eefa47aae20af638a1cd163d2d3366186d0a07df0c81f6c9f3171cf3561472e98a6006bf75ddb457bed036dcce199369de7d94ef2c68e8467ee0604eea2b3009479162a7891ba5c40cab17f49e1c438cb6eaea4f76ce23cce0e483ff0e96fa790ea15be67671814342d0a23f4a20262b6182e72f3a67cd289711503c85516a9ed225422f98b116f1ab080a80abd6f0216df88d8cfd67c139243be8dd78502a7aaf6bc99d7da71bcdf627e7354 + Output = 0f9b + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # invalid decrypting to message with length specified by third to last value from PRF + Decrypt = RSA-2048-2 + Input = 1690ebcceece2ce024f382e467cf8510e74514120937978576caf684d4a02ad569e8d76cbe365a060e00779de2f0865ccf0d923de3b4783a4e2c74f422e2f326086c390b658ba47f31ab013aa80f468c71256e5fa5679b24e83cd82c3d1e05e398208155de2212993cd2b8bab6987cf4cc1293f19909219439d74127545e9ed8a706961b8ee2119f6bfacafbef91b75a789ba65b8b833bc6149cf49b5c4d2c6359f62808659ba6541e1cd24bf7f7410486b5103f6c0ea29334ea6f4975b17387474fe920710ea61568d7b7c0a7916acf21665ad5a31c4eabcde44f8fb6120d8457afa1f3c85d517cda364af620113ae5a3c52a048821731922737307f77a1081 + Output = 4f02 + + # positive test with 11 byte long value ++Availablein = default + Decrypt = RSA-2048-2 + Input = 6213634593332c485cef783ea2846e3d6e8b0e005cd8293eaebbaa5079712fd681579bdfbbda138ae4d9d952917a03c92398ec0cb2bb0c6b5a8d55061fed0d0d8d72473563152648cfe640b335dc95331c21cb133a91790fa93ae44497c128708970d2beeb77e8721b061b1c44034143734a77be8220877415a6dba073c3871605380542a9f25252a4babe8331cdd53cf828423f3cc70b560624d0581fb126b2ed4f4ed358f0eb8065cf176399ac1a846a31055f9ae8c9c24a1ba050bc20842125bc1753158f8065f3adb9cc16bfdf83816bdf38b624f12022c5a6fbfe29bc91542be8c0208a770bcd677dc597f5557dc2ce28a11bf3e3857f158717a33f6592 + Output = "lorem ipsum" + + # positive test with 11 byte long value and zero padded ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 00a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b + Output = "lorem ipsum" + + # positive test with 11 byte long value and zero truncated ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = a2e8f114ea8d05d12dc843e3cc3b2edc8229ff2a028bda29ba9d55e3cd02911902fef1f42a075bf05e8016e8567213d6f260fa49e360779dd81aeea3e04c2cb567e0d72b98bf754014561b7511e083d20e0bfb9cd23f8a0d3c88900c49d2fcd5843ff0765607b2026f28202a87aa94678aed22a0c20724541394cd8f44e373eba1d2bae98f516c1e2ba3d86852d064f856b1daf24795e767a2b90396e50743e3150664afab131fe40ea405dcf572dd1079af1d3f0392ccadcca0a12740dbb213b925ca2a06b1bc1383e83a658c82ba2e7427342379084d5f66b544579f07664cb26edd4f10fd913fdbc0de05ef887d4d1ec1ac95652397ea7fd4e4759fda8b + Output = "lorem ipsum" + + # positive test with 11 byte long value and double zero padded ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 00001f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc + Output = "lorem ipsum" + + # positive test with 11 byte long value and double zero truncated ciphertext ++Availablein = default + Decrypt = RSA-2048-2 + Input = 1f71879b426127f7dead621f7380a7098cf7d22173aa27991b143c46d53383c209bd0c9c00d84078037e715f6b98c65005a77120070522ede51d472c87ef94b94ead4c5428ee108a345561658301911ec5a8f7dd43ed4a3957fd29fb02a3529bf63f8040d3953490939bd8f78b2a3404b6fb5ff70a4bfdaac5c541d6bcce49c9778cc390be24cbef1d1eca7e870457241d3ff72ca44f9f56bdf31a890fa5eb3a9107b603ccc9d06a5dd911a664c82b6abd4fe036f8db8d5a070c2d86386ae18d97adc1847640c211d91ff5c3387574a26f8ef27ca7f48d2dd1f0c7f14b81cc9d33ee6853031d3ecf10a914ffd90947909c8011fd30249219348ebff76bfc + Output = "lorem ipsum" + + # positive that generates a 0 byte long synthetic message internally ++Availablein = default + Decrypt = RSA-2048-2 + Input = b5e49308f6e9590014ffaffc5b8560755739dd501f1d4e9227a7d291408cf4b753f292322ff8bead613bf2caa181b221bc38caf6392deafb28eb21ad60930841ed02fd6225cc9c463409adbe7d8f32440212fbe3881c51375bb09565efb22e62b071472fb38676e5b4e23a0617db5d14d93519ac0007a30a9c822eb31c38b57fcb1be29608fcf1ca2abdcaf5d5752bbc2b5ac7dba5afcff4a5641da360dd01f7112539b1ed46cdb550a3b1006559b9fe1891030ec80f0727c42401ddd6cbb5e3c80f312df6ec89394c5a7118f573105e7ab00fe57833c126141b50a935224842addfb479f75160659ba28877b512bb9a93084ad8bec540f92640f63a11a010e0 + Output = "lorem ipsum" + + # positive that generates a 245 byte long synthetic message internally ++Availablein = default + Decrypt = RSA-2048-2 + Input = 1ea0b50ca65203d0a09280d39704b24fe6e47800189db5033f202761a78bafb270c5e25abd1f7ecc6e7abc4f26d1b0cd9b8c648d529416ee64ccbdd7aa72a771d0353262b543f0e436076f40a1095f5c7dfd10dcf0059ccb30e92dfa5e0156618215f1c3ff3aa997a9d999e506924f5289e3ac72e5e2086cc7b499d71583ed561028671155db4005bee01800a7cdbdae781dd32199b8914b5d4011dd6ff11cd26d46aad54934d293b0bc403dd211bf13b5a5c6836a5e769930f437ffd8634fb7371776f4bc88fa6c271d8aa6013df89ae6470154497c4ac861be2a1c65ebffec139bf7aaba3a81c7c5cdd84da9af5d3edfb957848074686b5837ecbcb6a41c50 + Output = "lorem ipsum" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test that generates an 11 byte long message + Decrypt = RSA-2048-2 + Input = 5f02f4b1f46935c742ebe62b6f05aa0a3286aab91a49b34780adde6410ab46f7386e05748331864ac98e1da63686e4babe3a19ed40a7f5ceefb89179596aab07ab1015e03b8f825084dab028b6731288f2e511a4b314b6ea3997d2e8fe2825cef8897cbbdfb6c939d441d6e04948414bb69e682927ef8576c9a7090d4aad0e74c520d6d5ce63a154720f00b76de8cc550b1aa14f016d63a7b6d6eaa1f7dbe9e50200d3159b3d099c900116bf4eba3b94204f18b1317b07529751abf64a26b0a0bf1c8ce757333b3d673211b67cc0653f2fe2620d57c8b6ee574a0323a167eab1106d9bc7fd90d415be5f1e9891a0e6c709f4fc0404e8226f8477b4e939b36eb2 + Output = af9ac70191c92413cb9f2d + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise correct plaintext, but with wrong first byte + # (0x01 instead of 0x00), generates a random 11 byte long plaintext + Decrypt = RSA-2048-2 +@@ -443,7 +451,7 @@ Input = 9b2ec9c0c917c98f1ad3d0119aec6be5 + Output = a1f8c9255c35cfba403ccc + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise correct plaintext, but with wrong second byte + # (0x01 instead of 0x02), generates a random 11 byte long plaintext + Decrypt = RSA-2048-2 +@@ -451,7 +459,7 @@ Input = 782c2b59a21a511243820acedd567c13 + Output = e6d700309ca0ed62452254 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with a zero byte in first byte of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -460,7 +468,7 @@ Input = 0096136621faf36d5290b16bd26295de + Output = ba27b1842e7c21c0e7ef6a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with a zero byte removed from first byte of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -469,7 +477,7 @@ Input = 96136621faf36d5290b16bd26295de27 + Output = ba27b1842e7c21c0e7ef6a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with two zero bytes in first bytes of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -478,7 +486,7 @@ Input = 0000587cccc6b264bdfe0dc2149a9880 + Output = d5cf555b1d6151029a429a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an invalid ciphertext, with two zero bytes removed from first bytes of + # ciphertext, decrypts to a random 11 byte long synthetic + # plaintext +@@ -487,7 +495,7 @@ Input = 587cccc6b264bdfe0dc2149a988047fa + Output = d5cf555b1d6151029a429a + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # and invalid ciphertext, otherwise valid but starting with 000002, decrypts + # to random 11 byte long synthetic plaintext + Decrypt = RSA-2048-2 +@@ -495,7 +503,7 @@ Input = 1786550ce8d8433052e01ecba8b76d30 + Output = 3d4a054d9358209e9cbbb9 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with otherwise valid padding but a zero byte in first byte + # of padding + Decrypt = RSA-2048-2 +@@ -503,7 +511,7 @@ Input = 179598823812d2c58a7eb50521150a48 + Output = 1f037dd717b07d3e7f7359 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with otherwise valid padding but a zero byte at the eighth + # byte of padding + Decrypt = RSA-2048-2 +@@ -511,7 +519,7 @@ Input = a7a340675a82c30e22219a55bc07cdf3 + Output = 63cb0bf65fc8255dd29e17 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # negative test with an otherwise valid plaintext but with missing separator + # byte + Decrypt = RSA-2048-2 +@@ -566,53 +574,58 @@ PrivPubKeyPair = RSA-2049:RSA-2049-PUBLI + # RSA decrypt + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # malformed that generates length specified by 3rd last value from PRF + Decrypt = RSA-2049 + Input = 00b26f6404b82649629f2704494282443776929122e279a9cf30b0c6fe8122a0a9042870d97cc8ef65490fe58f031eb2442352191f5fbc311026b5147d32df914599f38b825ebb824af0d63f2d541a245c5775d1c4b78630e4996cc5fe413d38455a776cf4edcc0aa7fccb31c584d60502ed2b77398f536e137ff7ba6430e9258e21c2db5b82f5380f566876110ac4c759178900fbad7ab70ea07b1daf7a1639cbb4196543a6cbe8271f35dddb8120304f6eef83059e1c5c5678710f904a6d760c4d1d8ad076be17904b9e69910040b47914a0176fb7eea0c06444a6c4b86d674d19a556a1de5490373cb01ce31bbd15a5633362d3d2cd7d4af1b4c5121288b894 + Output = 42 + + # simple positive test case ++Availablein = default + Decrypt = RSA-2049 + Input = 013300edbf0bb3571e59889f7ed76970bf6d57e1c89bbb6d1c3991d9df8e65ed54b556d928da7d768facb395bbcc81e9f8573b45cf8195dbd85d83a59281cddf4163aec11b53b4140053e3bd109f787a7c3cec31d535af1f50e0598d85d96d91ea01913d07097d25af99c67464ebf2bb396fb28a9233e56f31f7e105d71a23e9ef3b736d1e80e713d1691713df97334779552fc94b40dd733c7251bc522b673d3ec9354af3dd4ad44fa71c0662213a57ada1d75149697d0eb55c053aaed5ffd0b815832f454179519d3736fb4faf808416071db0d0f801aca8548311ee708c131f4be658b15f6b54256872c2903ac708bd43b017b073b5707bc84c2cd9da70e967 + Output = "lorem ipsum" + + # positive test case with null padded ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 0002aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 + Output = "lorem ipsum" + + # positive test case with null truncated ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 02aadf846a329fadc6760980303dbd87bfadfa78c2015ce4d6c5782fd9d3f1078bd3c0a2c5bfbdd1c024552e5054d98b5bcdc94e476dd280e64d650089326542ce7c61d4f1ab40004c2e6a88a883613568556a10f3f9edeab67ae8dddc1e6b0831c2793d2715de943f7ce34c5c05d1b09f14431fde566d17e76c9feee90d86a2c158616ec81dda0c642f58c0ba8fa4495843124a7235d46fb4069715a51bf710fd024259131ba94da73597ace494856c94e7a3ec261545793b0990279b15fa91c7fd13dbfb1df2f221dab9fa9f7c1d21e48aa49f6aaecbabf5ee76dc6c2af2317ffb4e303115386a97f8729afc3d0c89419669235f1a3a69570e0836c79fc162 + Output = "lorem ipsum" + + # positive test case with double null padded ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = 0000f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 + Output = "lorem ipsum" + + # positive test case with double null truncated ciphertext ++Availablein = default + Decrypt = RSA-2049 + Input = f36da3b72d8ff6ded74e7efd08c01908f3f5f0de7b55eab92b5f875190809c39d4162e1e6649618f854fd84aeab03970d16bb814e999852c06de38d82b95c0f32e2a7b5714021fe303389be9c0eac24c90a6b7210f929d390fabf903d44e04110bb7a7fd6c383c275804721efa6d7c93aa64c0bb2b18d97c5220a846c66a4895ae52adddbe2a9996825e013585adcec4b32ba61d782737bd343e5fabd68e8a95b8b1340318559860792dd70dffbe05a1052b54cbfb48cfa7bb3c19cea52076bddac5c25ee276f153a610f6d06ed696d192d8ae4507ffae4e5bdda10a625d6b67f32f7cffcd48dee2431fe66f6105f9d17e611cdcc674868e81692a360f4052 + Output = "lorem ipsum" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates an 11 byte long message + Decrypt = RSA-2049 + Input = 00f910200830fc8fff478e99e145f1474b312e2512d0f90b8cef77f8001d09861688c156d1cbaf8a8957f7ebf35f724466952d0524cad48aad4fba1e45ce8ea27e8f3ba44131b7831b62d60c0762661f4c1d1a88cd06263a259abf1ba9e6b0b172069afb86a7e88387726f8ab3adb30bfd6b3f6be6d85d5dfd044e7ef052395474a9cbb1c3667a92780b43a22693015af6c513041bdaf87d43b24ddd244e791eeaea1066e1f4917117b3a468e22e0f7358852bb981248de4d720add2d15dccba6280355935b67c96f9dcb6c419cc38ab9f6fba2d649ef2066e0c34c9f788ae49babd9025fa85b21113e56ce4f43aa134c512b030dd7ac7ce82e76f0be9ce09ebca + Output = 1189b6f5498fd6df532b00 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # otherwise correct plaintext, but with wrong first byte (0x01 instead of 0x00) + Decrypt = RSA-2049 + Input = 002c9ddc36ba4cf0038692b2d3a1c61a4bb3786a97ce2e46a3ba74d03158aeef456ce0f4db04dda3fe062268a1711250a18c69778a6280d88e133a16254e1f0e30ce8dac9b57d2e39a2f7d7be3ee4e08aec2fdbe8dadad7fdbf442a29a8fb40857407bf6be35596b8eefb5c2b3f58b894452c2dc54a6123a1a38d642e23751746597e08d71ac92704adc17803b19e131b4d1927881f43b0200e6f95658f559f912c889b4cd51862784364896cd6e8618f485a992f82997ad6a0917e32ae5872eaf850092b2d6c782ad35f487b79682333c1750c685d7d32ab3e1538f31dcaa5e7d5d2825875242c83947308dcf63ba4bfff20334c9c140c837dbdbae7a8dee72ff + Output = f6d0f5b78082fe61c04674 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # otherwise correct plaintext, but with wrong second byte (0x01 instead of 0x02) + Decrypt = RSA-2049 + Input = 00c5d77826c1ab7a34d6390f9d342d5dbe848942e2618287952ba0350d7de6726112e9cebc391a0fae1839e2bf168229e3e0d71d4161801509f1f28f6e1487ca52df05c466b6b0a6fbbe57a3268a970610ec0beac39ec0fa67babce1ef2a86bf77466dc127d7d0d2962c20e66593126f276863cd38dc6351428f884c1384f67cad0a0ffdbc2af16711fb68dc559b96b37b4f04cd133ffc7d79c43c42ca4948fa895b9daeb853150c8a5169849b730cc77d68b0217d6c0e3dbf38d751a1998186633418367e7576530566c23d6d4e0da9b038d0bb5169ce40133ea076472d055001f0135645940fd08ea44269af2604c8b1ba225053d6db9ab43577689401bdc0f3 +@@ -676,14 +689,14 @@ ooCElYcob01/JWzoXl61Z5sdrMH5CVZJty5foHKu + PrivPubKeyPair = RSA-3072:RSA-3072-PUBLIC + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid ciphertext that generates an empty synthetic one + Decrypt = RSA-3072 + Input = 5e956cd9652f4a2ece902931013e09662b6a9257ad1e987fb75f73a0606df2a4b04789770820c2e02322c4e826f767bd895734a01e20609c3be4517a7a2a589ea1cdc137beb73eb38dac781b52e863de9620f79f9b90fd5b953651fcbfef4a9f1cc07421d511a87dd6942caab6a5a0f4df473e62defb529a7de1509ab99c596e1dff1320402298d8be73a896cc86c38ae3f2f576e9ea70cc28ad575cb0f854f0be43186baa9c18e29c47c6ca77135db79c811231b7c1730955887d321fdc06568382b86643cf089b10e35ab23e827d2e5aa7b4e99ff2e914f302351819eb4d1693243b35f8bf1d42d08f8ec4acafa35f747a4a975a28643ec630d8e4fa5be59d81995660a14bb64c1fea5146d6b11f92da6a3956dd5cb5e0d747cf2ea23f81617769185336263d46ef4c144b754de62a6337342d6c85a95f19f015724546ee3fc4823eca603dbc1dc01c2d5ed50bd72d8e96df2dc048edde0081284068283fc5e73a6139851abf2f29977d0b3d160c883a42a37efba1be05c1a0b1741d7ddf59 + Output = + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid that has PRF output with a length one byte too long + # in the last value + Decrypt = RSA-3072 +@@ -691,46 +704,51 @@ Input = 7db0390d75fcf9d4c59cf27b264190d8 + Output = 56a3bea054e01338be9b7d7957539c + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random invalid that generates a synthetic of maximum size + Decrypt = RSA-3072 + Input = 1715065322522dff85049800f6a29ab5f98c465020467414b2a44127fe9446da47fa18047900f99afe67c2df6f50160bb8e90bff296610fde632b3859d4d0d2e644f23835028c46cca01b84b88231d7e03154edec6627bcba23de76740d839851fa12d74c8f92e540c73fe837b91b7d699b311997d5f0f7864c486d499c3a79c111faaacbe4799597a25066c6200215c3d158f3817c1aa57f18bdaad0be1658da9da93f5cc6c3c4dd72788af57adbb6a0c26f42d32d95b8a4f95e8c6feb2f8a5d53b19a50a0b7cbc25e055ad03e5ace8f3f7db13e57759f67b65d143f08cca15992c6b2aae643390483de111c2988d4e76b42596266005103c8de6044fb7398eb3c28a864fa672de5fd8774510ff45e05969a11a4c7d3f343e331190d2dcf24fb9154ba904dc94af98afc5774a9617d0418fe6d13f8245c7d7626c176138dd698a23547c25f27c2b98ea4d8a45c7842b81888e4cc14e5b72e9cf91f56956c93dbf2e5f44a8282a7813157fc481ff1371a0f66b31797e81ebdb09a673d4db96d6 + Output = 7b036fcd6243900e4236c894e2462c17738acc87e01a76f4d95cb9a328d9acde81650283b8e8f60a217e3bdee835c7b222ad4c85d0acdb9a309bd2a754609a65dec50f3aa04c6d5891034566b9563d42668ede1f8992b17753a2132e28970584e255efc8b45a41c5dbd7567f014acec5fe6fdb6d484790360a913ebb9defcd74ff377f2a8ba46d2ed85f733c9a3da08eb57ecedfafda806778f03c66b2c5d2874cec1c291b2d49eb194c7b5d0dd2908ae90f4843268a2c45563092ade08acb6ab481a08176102fc803fbb2f8ad11b0e1531bd37df543498daf180b12017f4d4d426ca29b4161075534bfb914968088a9d13785d0adc0e2580d3548494b2a9e91605f2b27e6cc701c796f0de7c6f471f6ab6cb9272a1ed637ca32a60d117505d82af3c1336104afb537d01a8f70b510e1eebf4869cb976c419473795a66c7f5e6e20a8094b1bb603a74330c537c5c0698c31538bd2e138c1275a1bdf24c5fa8ab3b7b526324e7918a382d1363b3d463764222150e04 + + # a positive test case that decrypts to 9 byte long value ++Availablein = default + Decrypt = RSA-3072 + Input = 6c60845a854b4571f678941ae35a2ac03f67c21e21146f9db1f2306be9f136453b86ad55647d4f7b5c9e62197aaff0c0e40a3b54c4cde14e774b1c5959b6c2a2302896ffae1f73b00b862a20ff4304fe06cea7ff30ecb3773ca9af27a0b54547350d7c07dfb0a39629c7e71e83fc5af9b2adbaf898e037f1de696a3f328cf45af7ec9aff7173854087fb8fbf34be981efbd8493f9438d1b2ba2a86af082662aa46ae9adfbec51e5f3d9550a4dd1dcb7c8969c9587a6edc82a8cabbc785c40d9fbd12064559fb769450ac3e47e87bc046148130d7eaa843e4b3ccef3675d0630500803cb7ffee3882378c1a404e850c3e20707bb745e42b13c18786c4976076ed9fa8fd0ff15e571bef02cbbe2f90c908ac3734a433b73e778d4d17fcc28f49185ebc6e8536a06d293202d94496453bfdf1c2c7833a3f99fa38ca8a81f42eaa529d603b890308a319c0ab63a35ff8ebac965f6278f5a7e5d622be5d5fe55f0ca3ec993d55430d2bf59c5d3e860e90c16d91a04596f6fdf60d89ed95d88c036dde + Output = "forty two" + + # a positive test case with null padded ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 00f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 + Output = "forty two" + + # a positive test case with null truncated ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = f4d565a3286784dbb85327db8807ae557ead229f92aba945cecda5225f606a7d6130edeeb6f26724d1eff1110f9eb18dc3248140ee3837e6688391e78796c526791384f045e21b6b853fb6342a11f309eb77962f37ce23925af600847fbd30e6e07e57de50b606e6b7f288cc777c1a6834f27e6edace508452128916eef7788c8bb227e3548c6a761cc4e9dd1a3584176dc053ba3500adb1d5e1611291654f12dfc5722832f635db3002d73f9defc310ace62c63868d341619c7ee15b20243b3371e05078e11219770c701d9f341af35df1bc729de294825ff2e416aa11526612852777eb131f9c45151eb144980d70608d2fc4043477368369aa0fe487a48bd57e66b00c3c58f941549f5ec050fca64449debe7a0c4ac51e55cb71620a70312aa4bd85fac1410c9c7f9d6ec610b7d11bf8faeffa20255d1a1bead9297d0aa8765cd2805847d639bc439f4a6c896e2008f746f9590ff4596de5ddde000ed666c452c978043ff4298461eb5a26d5e63d821438627f91201924bf7f2aeee1727 + Output = "forty two" + + # a positive test case with double null padded ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 00001ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 + Output = "forty two" + + # a positive test case with double null truncated ciphertext ++Availablein = default + Decrypt = RSA-3072 + Input = 1ec97ac981dfd9dcc7a7389fdfa9d361141dac80c23a060410d472c16094e6cdffc0c3684d84aa402d7051dfccb2f6da33f66985d2a259f5b7fbf39ac537e95c5b7050eb18844a0513abef812cc8e74a3c5240009e6e805dcadf532bc1a2702d5acc9e585fad5b89d461fcc1397351cdce35171523758b171dc041f412e42966de7f94856477356d06f2a6b40e3ff0547562a4d91bbf1338e9e049facbee8b20171164505468cd308997447d3dc4b0acb49e7d368fedd8c734251f30a83491d2506f3f87318cc118823244a393dc7c5c739a2733d93e1b13db6840a9429947357f47b23fbe39b7d2d61e5ee26f9946c4632f6c4699e452f412a26641d4751135400713cd56ec66f0370423d55d2af70f5e7ad0adea8e4a0d904a01e4ac272eba4af1a029dd53eb71f115bf31f7a6c8b19a6523adeecc0d4c3c107575e38572a8f8474ccad163e46e2e8b08111132aa97a16fb588c9b7e37b3b3d7490381f3c55d1a9869a0fd42cd86fed59ecec78cb6b2dfd06a497f5afe3419691314ba0 + Output = "forty two" + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates a 9 byte long message + Decrypt = RSA-3072 + Input = 5c8555f5cef627c15d37f85c7f5fd6e499264ea4b8e3f9112023aeb722eb38d8eac2be3751fd5a3785ab7f2d59fa3728e5be8c3de78a67464e30b21ee23b5484bb3cd06d0e1c6ad25649c8518165653eb80488bfb491b20c04897a6772f69292222fc5ef50b5cf9efc6d60426a449b6c489569d48c83488df629d695653d409ce49a795447fcec2c58a1a672e4a391401d428baaf781516e11e323d302fcf20f6eab2b2dbe53a48c987e407c4d7e1cb41131329138313d330204173a4f3ff06c6fadf970f0ed1005d0b27e35c3d11693e0429e272d583e57b2c58d24315c397856b34485dcb077665592b747f889d34febf2be8fce66c265fd9fc3575a6286a5ce88b4b413a08efc57a07a8f57a999605a837b0542695c0d189e678b53662ecf7c3d37d9dbeea585eebfaf79141118e06762c2381fe27ca6288edddc19fd67cd64f16b46e06d8a59ac530f22cd83cc0bc4e37feb52015cbb2283043ccf5e78a4eb7146827d7a466b66c8a4a4826c1bad68123a7f2d00fc1736525ff90c058f56 + Output = 257906ca6de8307728 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test case that generates a 9 byte long message based on + # second to last value from PRF + Decrypt = RSA-3072 +@@ -738,7 +756,7 @@ Input = 758c215aa6acd61248062b88284bf43c + Output = 043383c929060374ed + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # a random negative test that generates message based on 3rd last value from + # PRF + Decrypt = RSA-3072 +@@ -746,35 +764,35 @@ Input = 7b22d5e62d287968c6622171a1f75db4 + Output = 70263fa6050534b9e0 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with wrong first byte (0x01 instead of 0x00) + Decrypt = RSA-3072 + Input = 6db80adb5ff0a768caf1378ecc382a694e7d1bde2eff4ba12c48aaf794ded7a994a5b2b57acec20dbec4ae385c9dd531945c0f197a5496908725fc99d88601a17d3bb0b2d38d2c1c3100f39955a4cb3dbed5a38bf900f23d91e173640e4ec655c84fdfe71fcdb12a386108fcf718c9b7af37d39703e882436224c877a2235e8344fba6c951eb7e2a4d1d1de81fb463ac1b880f6cc0e59ade05c8ce35179ecd09546731fc07b141d3d6b342a97ae747e61a9130f72d37ac5a2c30215b6cbd66c7db893810df58b4c457b4b54f34428247d584e0fa71062446210db08254fb9ead1ba1a393c724bd291f0cf1a7143f32df849051dc896d7d176fef3b57ab6dffd626d0c3044e9edb2e3d012ace202d2581df01bec7e9aa0727a6650dd373d374f0bc0f4a611f8139dfe97d63e70c6188f4df5b672e47c51d8aa567097293fbff127c75ec690b43407578b73c85451710a0cece58fd497d7f7bd36a8a92783ef7dc6265dff52aac8b70340b996508d39217f2783ce6fc91a1cc94bb2ac487b84f62 + Output = 6d8d3a094ff3afff4c + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with wrong second byte (0x01 instead of 0x02) + Decrypt = RSA-3072 + Input = 417328c034458563079a4024817d0150340c34e25ae16dcad690623f702e5c748a6ebb3419ff48f486f83ba9df35c05efbd7f40613f0fc996c53706c30df6bba6dcd4a40825f96133f3c21638a342bd4663dffbd0073980dac47f8c1dd8e97ce1412e4f91f2a8adb1ac2b1071066efe8d718bbb88ca4a59bd61500e826f2365255a409bece0f972df97c3a55e09289ef5fa815a2353ef393fd1aecfc888d611c16aec532e5148be15ef1bf2834b8f75bb26db08b66d2baad6464f8439d1986b533813321dbb180080910f233bcc4dd784fb21871aef41be08b7bfad4ecc3b68f228cb5317ac6ec1227bc7d0e452037ba918ee1da9fdb8393ae93b1e937a8d4691a17871d5092d2384b6190a53df888f65b951b05ed4ad57fe4b0c6a47b5b22f32a7f23c1a234c9feb5d8713d949686760680da4db454f4acad972470033472b9864d63e8d23eefc87ebcf464ecf33f67fbcdd48eab38c5292586b36aef5981ed2fa07b2f9e23fc57d9eb71bfff4111c857e9fff23ceb31e72592e70c874b4936 + Output = c6ae80ffa80bc184b0 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with zero byte in first byte of padding + Decrypt = RSA-3072 + Input = 8542c626fe533467acffcd4e617692244c9b5a3bf0a215c5d64891ced4bf4f9591b4b2aedff9843057986d81631b0acb3704ec2180e5696e8bd15b217a0ec36d2061b0e2182faa3d1c59bd3f9086a10077a3337a3f5da503ec3753535ffd25b837a12f2541afefd0cffb0224b8f874e4bed13949e105c075ed44e287c5ae03b155e06b90ed247d2c07f1ef3323e3508cce4e4074606c54172ad74d12f8c3a47f654ad671104bf7681e5b061862747d9afd37e07d8e0e2291e01f14a95a1bb4cbb47c304ef067595a3947ee2d722067e38a0f046f43ec29cac6a8801c6e3e9a2331b1d45a7aa2c6af3205be382dd026e389614ee095665a611ab2e8dced2ee1c9d08ac9de11aef5b3803fc9a9ce8231ec87b5fed386fb92ee3db995a89307bcba844bd0a691c29ae51216e949dfc813133cb06a07265fd807bcb3377f6adb0a481d9b7f442003115895939773e6b95371c4febef29edae946fa245e7c50729e2e558cfaad773d1fd5f67b457a6d9d17a847c6fcbdb103a86f35f228cefc06cea0 + Output = a8a9301daa01bb25c7 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with zero byte in eight byte of padding + Decrypt = RSA-3072 + Input = 449dfa237a70a99cb0351793ec8677882021c2aa743580bf6a0ea672055cffe8303ac42855b1d1f3373aae6af09cb9074180fc963e9d1478a4f98b3b4861d3e7f0aa8560cf603711f139db77667ca14ba3a1acdedfca9ef4603d6d7eb0645bfc805304f9ad9d77d34762ce5cd84bd3ec9d35c30e3be72a1e8d355d5674a141b5530659ad64ebb6082e6f73a80832ab6388912538914654d34602f4b3b1c78589b4a5d964b2efcca1dc7004c41f6cafcb5a7159a7fc7c0398604d0edbd4c8f4f04067da6a153a05e7cbeea13b5ee412400ef7d4f3106f4798da707ec37a11286df2b7a204856d5ff773613fd1e453a7114b78e347d3e8078e1cb3276b3562486ba630bf719697e0073a123c3e60ebb5c7a1ccff4279faffa2402bc1109f8d559d6766e73591943dfcf25ba10c3762f02af85187799b8b4b135c3990793a6fd32642f1557405ba55cc7cf7336a0e967073c5fa50743f9cc5e3017c172d9898d2af83345e71b3e0c22ab791eacb6484a32ec60ebc226ec9deaee91b1a0560c2b571 + Output = 6c716fe01d44398018 + + # The old FIPS provider doesn't include the workaround (#13817) +-FIPSversion = >=3.2.0 ++Availablein = default + # an otherwise valid plaintext, but with null separator missing + Decrypt = RSA-3072 + Input = a7a5c99e50da48769ecb779d9abe86ef9ec8c38c6f43f17c7f2d7af608a4a1bd6cf695b47e97c191c61fb5a27318d02f495a176b9fae5a55b5d3fabd1d8aae4957e3879cb0c60f037724e11be5f30f08fc51c033731f14b44b414d11278cd3dba7e1c8bfe208d2b2bb7ec36366dacb6c88b24cd79ab394adf19dbbc21dfa5788bacbadc6a62f79cf54fd8cf585c615b5c0eb94c35aa9de25321c8ffefb8916bbaa2697cb2dd82ee98939df9b6704cee77793edd2b4947d82e00e5749664970736c59a84197bd72b5c71e36aae29cd39af6ac73a368edbc1ca792e1309f442aafcd77c992c88f8e4863149f221695cb7b0236e75b2339a02c4ea114854372c306b9412d8eedb600a31532002f2cea07b4df963a093185e4607732e46d753b540974fb5a5c3f9432df22e85bb17611370966c5522fd23f2ad3484341ba7fd8885fc8e6d379a611d13a2aca784fba2073208faad2137bf1979a0fa146c1880d4337db3274269493bab44a1bcd0681f7227ffdf589c2e925ed9d36302509d1109ba4 +@@ -1153,36 +1171,42 @@ vcDtKrdWo6btTWc1Kml9QhbpMhKxJ6Y9VBHOb6mN + h90qjKHS9PvY4Q== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=354fe67b4a126d5d35fe36c777791a3f7ba13def484e2d3908aff722fad468fb21696de95d0be911c2d3174f8afcc201035f7b6d8e69402de5451618c21a535fa9d7bfc5b8dd9fc243f8cf927db31322d6e881eaa91a996170e657a05a266426d98c88003f8477c1227094a0d9fa1e8c4024309ce1ecccb5210035d47ac72e8a + Output=6628194e12073db03ba94cda9ef9532397d50dba79b987004afefe34 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=640db1acc58e0568fe5407e5f9b701dff8c3c91e716c536fc7fcec6cb5b71c1165988d4a279e1577d730fc7a29932e3f00c81515236d8d8e31017a7a09df4352d904cdeb79aa583adcc31ea698a4c05283daba9089be5491f67c1a4ee48dc74bbbe6643aef846679b4cb395a352d5ed115912df696ffe0702932946d71492b44 + Output=750c4047f547e8e41411856523298ac9bae245efaf1397fbe56f9dd5 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=423736ed035f6026af276c35c0b3741b365e5f76ca091b4e8c29e2f0befee603595aa8322d602d2e625e95eb81b2f1c9724e822eca76db8618cf09c5343503a4360835b5903bc637e3879fb05e0ef32685d5aec5067cd7cc96fe4b2670b6eac3066b1fcf5686b68589aafb7d629b02d8f8625ca3833624d4800fb081b1cf94eb + Output=d94ae0832e6445ce42331cb06d531a82b1db4baad30f746dc916df24d4e3c2451fff59a6423eb0e1d02d4fe646cf699dfd818c6e97b051 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=45ead4ca551e662c9800f1aca8283b0525e6abae30be4b4aba762fa40fd3d38e22abefc69794f6ebbbc05ddbb11216247d2f412fd0fba87c6e3acd888813646fd0e48e785204f9c3f73d6d8239562722dddd8771fec48b83a31ee6f592c4cfd4bc88174f3b13a112aae3b9f7b80e0fc6f7255ba880dc7d8021e22ad6a85f0755 + Output=52e650d98e7f2a048b4f86852153b97e01dd316f346a19f67a85 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=36f6e34d94a8d34daacba33a2139d00ad85a9345a86051e73071620056b920e219005855a213a0f23897cdcd731b45257c777fe908202befdd0b58386b1244ea0cf539a05d5d10329da44e13030fd760dcd644cfef2094d1910d3f433e1c7c6dd18bc1f2df7f643d662fb9dd37ead9059190f4fa66ca39e869c4eb449cbdc439 + Output=8da89fd9e5f974a29feffb462b49180f6cf9e802 + ++Availablein = default + Decrypt=RSA-OAEP-1 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -1207,36 +1231,42 @@ SwGNdhGLJDiac1Dsg2sAY6IXISNv2O222JtR5+64 + eG2e4XlBcKjI6A== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0181af8922b9fcb4d79d92ebe19815992fc0c1439d8bcd491398a0f4ad3a329a5bd9385560db532683c8b7da04e4b12aed6aacdf471c34c9cda891addcc2df3456653aa6382e9ae59b54455257eb099d562bbe10453f2b6d13c59c02e10f1f8abb5da0d0570932dacf2d0901db729d0fefcc054e70968ea540c81b04bcaefe720e + Output=8ff00caa605c702830634d9a6c3d42c652b58cf1d92fec570beee7 + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=018759ff1df63b2792410562314416a8aeaf2ac634b46f940ab82d64dbf165eee33011da749d4bab6e2fcd18129c9e49277d8453112b429a222a8471b070993998e758861c4d3f6d749d91c4290d332c7a4ab3f7ea35ff3a07d497c955ff0ffc95006b62c6d296810d9bfab024196c7934012c2df978ef299aba239940cba10245 + Output=2d + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=018802bab04c60325e81c4962311f2be7c2adce93041a00719c88f957575f2c79f1b7bc8ced115c706b311c08a2d986ca3b6a9336b147c29c6f229409ddec651bd1fdd5a0b7f610c9937fdb4a3a762364b8b3206b4ea485fd098d08f63d4aa8bb2697d027b750c32d7f74eaf5180d2e9b66b17cb2fa55523bc280da10d14be2053 + Output=74fc88c51bc90f77af9d5e9a4a70133d4b4e0b34da3c37c7ef8e + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=00a4578cbc176318a638fba7d01df15746af44d4f6cd96d7e7c495cbf425b09c649d32bf886da48fbaf989a2117187cafb1fb580317690e3ccd446920b7af82b31db5804d87d01514acbfa9156e782f867f6bed9449e0e9a2c09bcecc6aa087636965e34b3ec766f2fe2e43018a2fddeb140616a0e9d82e5331024ee0652fc7641 + Output=a7eb2a5036931d27d4e891326d99692ffadda9bf7efd3e34e622c4adc085f721dfe885072c78a203b151739be540fa8c153a10f00a + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=00ebc5f5fda77cfdad3c83641a9025e77d72d8a6fb33a810f5950f8d74c73e8d931e8634d86ab1246256ae07b6005b71b7f2fb98351218331ce69b8ffbdc9da08bbc9c704f876deb9df9fc2ec065cad87f9090b07acc17aa7f997b27aca48806e897f771d95141fe4526d8a5301b678627efab707fd40fbebd6e792a25613e7aec + Output=2ef2b066f854c33f3bdcbb5994a435e73d6c6c + ++Availablein = default + Decrypt=RSA-OAEP-2 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -1261,36 +1291,42 @@ iUGx07dw5a0x7jc7KKzaaf+bb0D+V4ufGvuFg2+W + Ya4qnqZe1onjY5o= + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=026a0485d96aebd96b4382085099b962e6a2bdec3d90c8db625e14372de85e2d5b7baab65c8faf91bb5504fb495afce5c988b3f6a52e20e1d6cbd3566c5cd1f2b8318bb542cc0ea25c4aab9932afa20760eaddec784396a07ea0ef24d4e6f4d37e5052a7a31e146aa480a111bbe926401307e00f410033842b6d82fe5ce4dfae80 + Output=087820b569e8fa8d + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=024db89c7802989be0783847863084941bf209d761987e38f97cb5f6f1bc88da72a50b73ebaf11c879c4f95df37b850b8f65d7622e25b1b889e80fe80baca2069d6e0e1d829953fc459069de98ea9798b451e557e99abf8fe3d9ccf9096ebbf3e5255d3b4e1c6d2ecadf067a359eea86405acd47d5e165517ccafd47d6dbee4bf5 + Output=4653acaf171960b01f52a7be63a3ab21dc368ec43b50d82ec3781e04 + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0239bce681032441528877d6d1c8bb28aa3bc97f1df584563618995797683844ca86664732f4bed7a0aab083aaabfb7238f582e30958c2024e44e57043b97950fd543da977c90cdde5337d618442f99e60d7783ab59ce6dd9d69c47ad1e962bec22d05895cff8d3f64ed5261d92b2678510393484990ba3f7f06818ae6ffce8a3a + Output=d94cd0e08fa404ed89 + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=02994c62afd76f498ba1fd2cf642857fca81f4373cb08f1cbaee6f025c3b512b42c3e8779113476648039dbe0493f9246292fac28950600e7c0f32edf9c81b9dec45c3bde0cc8d8847590169907b7dc5991ceb29bb0714d613d96df0f12ec5d8d3507c8ee7ae78dd83f216fa61de100363aca48a7e914ae9f42ddfbe943b09d9a0 + Output=6cc641b6b61e6f963974dad23a9013284ef1 + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0162042ff6969592a6167031811a239834ce638abf54fec8b99478122afe2ee67f8c5b18b0339805bfdbc5a4e6720b37c59cfba942464c597ff532a119821545fd2e59b114e61daf71820529f5029cf524954327c34ec5e6f5ba7efcc4de943ab8ad4ed787b1454329f70db798a3a8f4d92f8274e2b2948ade627ce8ee33e43c60 + Output=df5151832b61f4f25891fb4172f328d2eddf8371ffcfdbe997939295f30eca6918017cfda1153bf7a6af87593223 + ++Availablein = default + Decrypt=RSA-OAEP-3 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -1315,36 +1351,42 @@ s/XkIiO6MDAcQabYfLtw4wy308Z9JUc9sfbL8D4/ + aD0x7TDrmEvkEro= + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=04cce19614845e094152a3fe18e54e3330c44e5efbc64ae16886cb1869014cc5781b1f8f9e045384d0112a135ca0d12e9c88a8e4063416deaae3844f60d6e96fe155145f4525b9a34431ca3766180f70e15a5e5d8e8b1a516ff870609f13f896935ced188279a58ed13d07114277d75c6568607e0ab092fd803a223e4a8ee0b1a8 + Output=4a86609534ee434a6cbca3f7e962e76d455e3264c19f605f6e5ff6137c65c56d7fb344cd52bc93374f3d166c9f0c6f9c506bad19330972d2 + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0097b698c6165645b303486fbf5a2a4479c0ee85889b541a6f0b858d6b6597b13b854eb4f839af03399a80d79bda6578c841f90d645715b280d37143992dd186c80b949b775cae97370e4ec97443136c6da484e970ffdb1323a20847821d3b18381de13bb49aaea66530c4a4b8271f3eae172cd366e07e6636f1019d2a28aed15e + Output=b0adc4f3fe11da59ce992773d9059943c03046497ee9d9f9a06df1166db46d98f58d27ec074c02eee6cbe2449c8b9fc5080c5c3f4433092512ec46aa793743c8 + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0301f935e9c47abcb48acbbe09895d9f5971af14839da4ff95417ee453d1fd77319072bb7297e1b55d7561cd9d1bb24c1a9a37c619864308242804879d86ebd001dce5183975e1506989b70e5a83434154d5cbfd6a24787e60eb0c658d2ac193302d1192c6e622d4a12ad4b53923bca246df31c6395e37702c6a78ae081fb9d065 + Output=bf6d42e701707b1d0206b0c8b45a1c72641ff12889219a82bdea965b5e79a96b0d0163ed9d578ec9ada20f2fbcf1ea3c4089d83419ba81b0c60f3606da99 + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=02d110ad30afb727beb691dd0cf17d0af1a1e7fa0cc040ec1a4ba26a42c59d0a796a2e22c8f357ccc98b6519aceb682e945e62cb734614a529407cd452bee3e44fece8423cc19e55548b8b994b849c7ecde4933e76037e1d0ce44275b08710c68e430130b929730ed77e09b015642c5593f04e4ffb9410798102a8e96ffdfe11e4 + Output=fb2ef112f5e766eb94019297934794f7be2f6fc1c58e + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=00dbb8a7439d90efd919a377c54fae8fe11ec58c3b858362e23ad1b8a44310799066b99347aa525691d2adc58d9b06e34f288c170390c5f0e11c0aa3645959f18ee79e8f2be8d7ac5c23d061f18dd74b8c5f2a58fcb5eb0c54f99f01a83247568292536583340948d7a8c97c4acd1e98d1e29dc320e97a260532a8aa7a758a1ec2 + Output=28ccd447bb9e85166dabb9e5b7d1adadc4b9d39f204e96d5e440ce9ad928bc1c2284 + ++Availablein = default + Decrypt=RSA-OAEP-4 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -1369,36 +1411,42 @@ OPlAQGLrhaQpJFILOPW7iGoBlvSLuNzqYP2SzAJ/ + MSwGUGLx60i3nRyDyw== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=036046a4a47d9ed3ba9a89139c105038eb7492b05a5d68bfd53accff4597f7a68651b47b4a4627d927e485eed7b4566420e8b409879e5d606eae251d22a5df799f7920bfc117b992572a53b1263146bcea03385cc5e853c9a101c8c3e1bda31a519807496c6cb5e5efb408823a352b8fa0661fb664efadd593deb99fff5ed000e5 + Output=af71a901e3a61d3132f0fc1fdb474f9ea6579257ffc24d164170145b3dbde8 + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=03d6eb654edce615bc59f455265ed4e5a18223cbb9be4e4069b473804d5de96f54dcaaa603d049c5d94aa1470dfcd2254066b7c7b61ff1f6f6770e3215c51399fd4e34ec5082bc48f089840ad04354ae66dc0f1bd18e461a33cc1258b443a2837a6df26759aa2302334986f87380c9cc9d53be9f99605d2c9a97da7b0915a4a7ad + Output=a3b844a08239a8ac41605af17a6cfda4d350136585903a417a79268760519a4b4ac3303ec73f0f87cfb32399 + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0770952181649f9f9f07ff626ff3a22c35c462443d905d456a9fd0bff43cac2ca7a9f554e9478b9acc3ac838b02040ffd3e1847de2e4253929f9dd9ee4044325a9b05cabb808b2ee840d34e15d105a3f1f7b27695a1a07a2d73fe08ecaaa3c9c9d4d5a89ff890d54727d7ae40c0ec1a8dd86165d8ee2c6368141016a48b55b6967 + Output=308b0ecbd2c76cb77fc6f70c5edd233fd2f20929d629f026953bb62a8f4a3a314bde195de85b5f816da2aab074d26cb6acddf323ae3b9c678ac3cf12fbdde7 + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0812b76768ebcb642d040258e5f4441a018521bd96687e6c5e899fcd6c17588ff59a82cc8ae03a4b45b31299af1788c329f7dcd285f8cf4ced82606b97612671a45bedca133442144d1617d114f802857f0f9d739751c57a3f9ee400912c61e2e6992be031a43dd48fa6ba14eef7c422b5edc4e7afa04fdd38f402d1c8bb719abf + Output=15c5b9ee1185 + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=07b60e14ec954bfd29e60d0047e789f51d57186c63589903306793ced3f68241c743529aba6a6374f92e19e0163efa33697e196f7661dfaaa47aac6bde5e51deb507c72c589a2ca1693d96b1460381249b2cdb9eac44769f2489c5d3d2f99f0ee3c7ee5bf64a5ac79c42bd433f149be8cb59548361640595513c97af7bc2509723 + Output=21026e6800c7fa728fcaaba0d196ae28d7a2ac4ffd8abce794f0985f60c8a6737277365d3fea11db8923a2029a + ++Availablein = default + Decrypt=RSA-OAEP-5 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -1423,36 +1471,42 @@ xT1F29tenZbQ/s9Cdd8JdLxKBza0p0wyaQU++2hq + Yejn5Ly8mU2q+jBcRQ== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0630eebcd2856c24f798806e41f9e67345eda9ceda386acc9facaea1eeed06ace583709718d9d169fadf414d5c76f92996833ef305b75b1e4b95f662a20faedc3bae0c4827a8bf8a88edbd57ec203a27a841f02e43a615bab1a8cac0701de34debdef62a088089b55ec36ea7522fd3ec8d06b6a073e6df833153bc0aefd93bd1a3 + Output=4046ca8baa3347ca27f49e0d81f9cc1d71be9ba517d4 + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0ebc37376173a4fd2f89cc55c2ca62b26b11d51c3c7ce49e8845f74e7607317c436bc8d23b9667dfeb9d087234b47bc6837175ae5c0559f6b81d7d22416d3e50f4ac533d8f0812f2db9e791fe9c775ac8b6ad0f535ad9ceb23a4a02014c58ab3f8d3161499a260f39348e714ae2a1d3443208fd8b722ccfdfb393e98011f99e63f + Output=5cc72c60231df03b3d40f9b57931bc31109f972527f28b19e7480c7288cb3c92b22512214e4be6c914792ddabdf57faa8aa7 + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0a98bf1093619394436cf68d8f38e2f158fde8ea54f3435f239b8d06b8321844202476aeed96009492480ce3a8d705498c4c8c68f01501dc81db608f60087350c8c3b0bd2e9ef6a81458b7c801b89f2e4fe99d4900ba6a4b5e5a96d865dc676c7755928794130d6280a8160a190f2df3ea7cf9aa0271d88e9e6905ecf1c5152d65 + Output=b20e651303092f4bccb43070c0f86d23049362ed96642fc5632c27db4a52e3d831f2ab068b23b149879c002f6bf3feee97591112562c + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=008e7a67cacfb5c4e24bec7dee149117f19598ce8c45808fef88c608ff9cd6e695263b9a3c0ad4b8ba4c95238e96a8422b8535629c8d5382374479ad13fa39974b242f9a759eeaf9c83ad5a8ca18940a0162ba755876df263f4bd50c6525c56090267c1f0e09ce0899a0cf359e88120abd9bf893445b3cae77d3607359ae9a52f8 + Output=684e3038c5c041f7 + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=00003474416c7b68bdf961c385737944d7f1f40cb395343c693cc0b4fe63b31fedf1eaeeac9ccc0678b31dc32e0977489514c4f09085f6298a9653f01aea4045ff582ee887be26ae575b73eef7f3774921e375a3d19adda0ca31aa1849887c1f42cac9677f7a2f4e923f6e5a868b38c084ef187594dc9f7f048fea2e02955384ab + Output=32488cb262d041d6e4dd35f987bf3ca696db1f06ac29a44693 + ++Availablein = default + Decrypt=RSA-OAEP-6 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -1477,36 +1531,42 @@ tu4XIedy0DiaVZw9PN+VUNRXxGsDe3RkGx1SFmr4 + FMlxv0gq65dqc3DC + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=1688e4ce7794bba6cb7014169ecd559cede2a30b56a52b68d9fe18cf1973ef97b2a03153951c755f6294aa49adbdb55845ab6875fb3986c93ecf927962840d282f9e54ce8b690f7c0cb8bbd73440d9571d1b16cd9260f9eab4783cc482e5223dc60973871783ec27b0ae0fd47732cbc286a173fc92b00fb4ba6824647cd93c85c1 + Output=47aae909 + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=1052ed397b2e01e1d0ee1c50bf24363f95e504f4a03434a08fd822574ed6b9736edbb5f390db10321479a8a139350e2bd4977c3778ef331f3e78ae118b268451f20a2f01d471f5d53c566937171b2dbc2d4bde459a5799f0372d6574239b2323d245d0bb81c286b63c89a361017337e4902f88a467f4c7f244bfd5ab46437ff3b6 + Output=1d9b2e2223d9bc13bfb9f162ce735db48ba7c68f6822a0a1a7b6ae165834e7 + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=2155cd843ff24a4ee8badb7694260028a490813ba8b369a4cbf106ec148e5298707f5965be7d101c1049ea8584c24cd63455ad9c104d686282d3fb803a4c11c1c2e9b91c7178801d1b6640f003f5728df007b8a4ccc92bce05e41a27278d7c85018c52414313a5077789001d4f01910b72aad05d220aa14a58733a7489bc54556b + Output=d976fc + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=0ab14c373aeb7d4328d0aaad8c094d88b9eb098b95f21054a29082522be7c27a312878b637917e3d819e6c3c568db5d843802b06d51d9e98a2be0bf40c031423b00edfbff8320efb9171bd2044653a4cb9c5122f6c65e83cda2ec3c126027a9c1a56ba874d0fea23f380b82cf240b8cf540004758c4c77d934157a74f3fc12bfac + Output=d4738623df223aa43843df8467534c41d013e0c803c624e263666b239bde40a5f29aeb8de79e3daa61dd0370f49bd4b013834b98212aef6b1c5ee373b3cb + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=028387a318277434798b4d97f460068df5298faba5041ba11761a1cb7316b24184114ec500257e2589ed3b607a1ebbe97a6cc2e02bf1b681f42312a33b7a77d8e7855c4a6de03e3c04643f786b91a264a0d6805e2cea91e68177eb7a64d9255e4f27e713b7ccec00dc200ebd21c2ea2bb890feae4942df941dc3f97890ed347478 + Output=bb47231ca5ea1d3ad46c99345d9a8a61 + ++Availablein = default + Decrypt=RSA-OAEP-7 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -1531,36 +1591,42 @@ njraT2MgdSwJ2AX/fR8a4NAXru7pzvoNfdf/d15E + 2MiPa249Z+lh3Luj0A== + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=09b3683d8a2eb0fb295b62ed1fb9290b714457b7825319f4647872af889b30409472020ad12912bf19b11d4819f49614824ffd84d09c0a17e7d17309d12919790410aa2995699f6a86dbe3242b5acc23af45691080d6b1ae810fb3e3057087f0970092ce00be9562ff4053b6262ce0caa93e13723d2e3a5ba075d45f0d61b54b61 + Output=050b755e5e6880f7b9e9d692a74c37aae449b31bfea6deff83747a897f6c2c825bb1adbf850a3c96994b5de5b33cbc7d4a17913a7967 + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=2ecf15c97c5a15b1476ae986b371b57a24284f4a162a8d0c8182e7905e792256f1812ba5f83f1f7a130e42dcc02232844edc14a31a68ee97ae564a383a3411656424c5f62ddb646093c367be1fcda426cf00a06d8acb7e57776fbbd855ac3df506fc16b1d7c3f2110f3d8068e91e186363831c8409680d8da9ecd8cf1fa20ee39d + Output=4eb68dcd93ca9b19df111bd43608f557026fe4aa1d5cfac227a3eb5ab9548c18a06dded23f81825986b2fcd71109ecef7eff88873f075c2aa0c469f69c92bc + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=4bc89130a5b2dabb7c2fcf90eb5d0eaf9e681b7146a38f3173a3d9cfec52ea9e0a41932e648a9d69344c50da763f51a03c95762131e8052254dcd2248cba40fd31667786ce05a2b7b531ac9dac9ed584a59b677c1a8aed8c5d15d68c05569e2be780bf7db638fd2bfd2a85ab276860f3777338fca989ffd743d13ee08e0ca9893f + Output=8604ac56328c1ab5ad917861 + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=2e456847d8fc36ff0147d6993594b9397227d577752c79d0f904fcb039d4d812fea605a7b574dd82ca786f93752348438ee9f5b5454985d5f0e1699e3e7ad175a32e15f03deb042ab9fe1dd9db1bb86f8c089ccb45e7ef0c5ee7ca9b7290ca6b15bed47039788a8a93ff83e0e8d6244c71006362deef69b6f416fb3c684383fbd0 + Output=fdda5fbf6ec361a9d9a4ac68af216a0686f438b1e0e5c36b955f74e107f39c0dddcc + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=1fb9356fd5c4b1796db2ebf7d0d393cc810adf6145defc2fce714f79d93800d5e2ac211ea8bbecca4b654b94c3b18b30dd576ce34dc95436ef57a09415645923359a5d7b4171ef22c24670f1b229d3603e91f76671b7df97e7317c97734476d5f3d17d21cf82b5ba9f83df2e588d36984fd1b584468bd23b2e875f32f68953f7b2 + Output=4a5f4914bee25de3c69341de07 + ++Availablein = default + Decrypt=RSA-OAEP-8 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +@@ -1591,36 +1657,42 @@ Z7CDuaemy2HkLbNiuMmJbbcGTgKtWuYVh9oVtGSc + tKo5Eb69iFQvBb4= + -----END PRIVATE KEY----- + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=267bcd118acab1fc8ba81c85d73003cb8610fa55c1d97da8d48a7c7f06896a4db751aa284255b9d36ad65f37653d829f1b37f97b8001942545b2fc2c55a7376ca7a1be4b1760c8e05a33e5aa2526b8d98e317088e7834c755b2a59b12631a182c05d5d43ab1779264f8456f515ce57dfdf512d5493dab7b7338dc4b7d78db9c091ac3baf537a69fc7f549d979f0eff9a94fda4169bd4d1d19a69c99e33c3b55490d501b39b1edae118ff6793a153261584d3a5f39f6e682e3d17c8cd1261fa72 + Output=f735fd55ba92592c3b52b8f9c4f69aaa1cbef8fe88add095595412467f9cf4ec0b896c59eda16210e7549c8abb10cdbc21a12ec9b6b5b8fd2f10399eb6 + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=93ac9f0671ec29acbb444effc1a5741351d60fdb0e393fbf754acf0de49761a14841df7772e9bc82773966a1584c4d72baea00118f83f35cca6e537cbd4d811f5583b29783d8a6d94cd31be70d6f526c10ff09c6fa7ce069795a3fcd0511fd5fcb564bcc80ea9c78f38b80012539d8a4ddf6fe81e9cddb7f50dbbbbcc7e5d86097ccf4ec49189fb8bf318be6d5a0715d516b49af191258cd32dc833ce6eb4673c03a19bbace88cc54895f636cc0c1ec89096d11ce235a265ca1764232a689ae8 + Output=81b906605015a63aabe42ddf11e1978912f5404c7474b26dce3ed482bf961ecc818bf420c54659 + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=81ebdd95054b0c822ef9ad7693f5a87adfb4b4c4ce70df2df84ed49c04da58ba5fc20a19e1a6e8b7a3900b22796dc4e869ee6b42792d15a8eceb56c09c69914e813cea8f6931e4b8ed6f421af298d595c97f4789c7caa612c7ef360984c21b93edc5401068b5af4c78a8771b984d53b8ea8adf2f6a7d4a0ba76c75e1dd9f658f20ded4a46071d46d7791b56803d8fea7f0b0f8e41ae3f09383a6f9585fe7753eaaffd2bf94563108beecc207bbb535f5fcc705f0dde9f708c62f49a9c90371d3 + Output=fd326429df9b890e09b54b18b8f34f1e24 + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=bcc35f94cde66cb1136625d625b94432a35b22f3d2fa11a613ff0fca5bd57f87b902ccdc1cd0aebcb0715ee869d1d1fe395f6793003f5eca465059c88660d446ff5f0818552022557e38c08a67ead991262254f10682975ec56397768537f4977af6d5f6aaceb7fb25dec5937230231fd8978af49119a29f29e424ab8272b47562792d5c94f774b8829d0b0d9f1a8c9eddf37574d5fa248eefa9c5271fc5ec2579c81bdd61b410fa61fe36e424221c113addb275664c801d34ca8c6351e4a858 + Output=f1459b5f0c92f01a0f723a2e5662484d8f8c0a20fc29dad6acd43bb5f3effdf4e1b63e07fdfe6628d0d74ca19bf2d69e4a0abf86d293925a796772f8088e + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 + Input=232afbc927fa08c2f6a27b87d4a5cb09c07dc26fae73d73a90558839f4fd66d281b87ec734bce237ba166698ed829106a7de6942cd6cdce78fed8d2e4d81428e66490d036264cef92af941d3e35055fe3981e14d29cbb9a4f67473063baec79a1179f5a17c9c1832f2838fd7d5e59bb9659d56dce8a019edef1bb3accc697cc6cc7a778f60a064c7f6f5d529c6210262e003de583e81e3167b89971fb8c0e15d44fffef89b53d8d64dd797d159b56d2b08ea5307ea12c241bd58d4ee278a1f2e + Output=53e6e8c729d6f9c319dd317e74b0db8e4ccca25f3c8305746e137ac63a63ef3739e7b595abb96e8d55e54f7bd41ab433378ffb911d + ++Availablein = default + Decrypt=RSA-OAEP-9 + Ctrl = rsa_padding_mode:oaep + Ctrl = rsa_mgf1_md:sha1 +Index: openssl-3.2.3/test/recipes/80-test_cms.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/80-test_cms.t ++++ openssl-3.2.3/test/recipes/80-test_cms.t +@@ -235,7 +235,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients", ++ [ "enveloped content test streaming S/MIME format, AES-256 cipher, 3 recipients, no SUSE FIPS", + [ "{cmd1}", @prov, "-encrypt", "-in", $smcont, + "-aes256", "-stream", "-out", "{output}.cms", + $smrsa1, +@@ -1125,6 +1125,9 @@ sub check_availability { + return "$tnam: skipped, DSA disabled\n" + if ($no_dsa && $tnam =~ / DSA/); + ++ return "$tnam: skipped, SUSE FIPS\n" ++ if ($tnam =~ /no SUSE FIPS/); ++ + return ""; + } + +Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t ++++ openssl-3.2.3/test/recipes/80-test_ssl_old.t +@@ -497,6 +497,18 @@ sub testssl { + # the default choice if TLSv1.3 enabled + my $flag = $protocol eq "-tls1_3" ? "" : $protocol; + my $ciphersuites = ""; ++ my %FIPS_skip_cipher = map {$_ => 1} qw( ++ AES256-GCM-SHA384:@SECLEVEL=0 ++ AES256-CCM8:@SECLEVEL=0 ++ AES256-CCM:@SECLEVEL=0 ++ AES128-GCM-SHA256:@SECLEVEL=0 ++ AES128-CCM8:@SECLEVEL=0 ++ AES128-CCM:@SECLEVEL=0 ++ AES256-SHA256:@SECLEVEL=0 ++ AES128-SHA256:@SECLEVEL=0 ++ AES256-SHA:@SECLEVEL=0 ++ AES128-SHA:@SECLEVEL=0 ++ ); + foreach my $cipher (@{$ciphersuites{$protocol}}) { + if ($protocol eq "-ssl3" && $cipher =~ /ECDH/ ) { + note "*****SKIPPING $protocol $cipher"; +@@ -508,11 +520,16 @@ sub testssl { + } else { + $cipher = $cipher.':@SECLEVEL=0'; + } +- ok(run(test([@ssltest, @exkeys, "-cipher", +- $cipher, +- "-ciphersuites", $ciphersuites, +- $flag || ()])), +- "Testing $cipher"); ++ if ($provider eq "fips" && exists $FIPS_skip_cipher{$cipher}) { ++ note "*****SKIPPING $cipher in SUSE FIPS mode"; ++ ok(1); ++ } else { ++ ok(run(test([@ssltest, @exkeys, "-cipher", ++ $cipher, ++ "-ciphersuites", $ciphersuites, ++ $flag || ()])), ++ "Testing $cipher"); ++ } + } + } + next if $protocol eq "-tls1_3"; diff --git a/openssl-FIPS-release_num_in_version_string.patch b/openssl-FIPS-release_num_in_version_string.patch new file mode 100644 index 0000000..bf852d1 --- /dev/null +++ b/openssl-FIPS-release_num_in_version_string.patch @@ -0,0 +1,27 @@ +Index: openssl-3.1.4/providers/fips/fipsprov.c +=================================================================== +--- openssl-3.1.4.orig/providers/fips/fipsprov.c ++++ openssl-3.1.4/providers/fips/fipsprov.c +@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p + + static int fips_get_params(void *provctx, OSSL_PARAM params[]) + { ++#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE + OSSL_PARAM *p; + FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx), + OSSL_LIB_CTX_FIPS_PROV_INDEX); + + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider")) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR)) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR)) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR)) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR)) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); + if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) diff --git a/openssl-FIPS-services-minimize.patch b/openssl-FIPS-services-minimize.patch new file mode 100644 index 0000000..89b2914 --- /dev/null +++ b/openssl-FIPS-services-minimize.patch @@ -0,0 +1,782 @@ +From e25b25227043a2b2cf156527c31d7686a4265bf3 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Wed, 6 Mar 2024 19:17:15 +0100 +Subject: [PATCH 20/49] 0045-FIPS-services-minimize.patch + +Patch-name: 0045-FIPS-services-minimize.patch +Patch-id: 45 +Patch-status: | + # # Minimize fips services +From-dist-git-commit: 4334bc837fbc64d14890fdc51679a80770d498ce +--- + apps/ecparam.c | 7 +++ + apps/req.c | 2 +- + providers/common/capabilities.c | 2 +- + providers/fips/fipsprov.c | 44 +++++++++++-------- + providers/fips/self_test_data.inc | 9 +++- + providers/implementations/signature/rsa_sig.c | 26 +++++++++++ + ssl/ssl_ciph.c | 3 ++ + test/acvp_test.c | 2 + + test/endecode_test.c | 4 ++ + test/evp_libctx_test.c | 9 +++- + test/recipes/15-test_gendsa.t | 2 +- + test/recipes/20-test_cli_fips.t | 3 +- + test/recipes/30-test_evp.t | 20 ++++----- + .../30-test_evp_data/evpmac_common.txt | 22 ++++++++++ + test/recipes/80-test_cms.t | 22 +++++----- + test/recipes/80-test_ssl_old.t | 2 +- + 16 files changed, 128 insertions(+), 51 deletions(-) + +Index: openssl-3.2.3/apps/ecparam.c +=================================================================== +--- openssl-3.2.3.orig/apps/ecparam.c ++++ openssl-3.2.3/apps/ecparam.c +@@ -79,6 +79,13 @@ static int list_builtin_curves(BIO *out) + const char *comment = curves[n].comment; + const char *sname = OBJ_nid2sn(curves[n].nid); + ++ if (((curves[n].nid == NID_secp256k1) || (curves[n].nid == NID_brainpoolP256r1) ++ || (curves[n].nid == NID_brainpoolP256t1) || (curves[n].nid == NID_brainpoolP320r1) ++ || (curves[n].nid == NID_brainpoolP320t1) || (curves[n].nid == NID_brainpoolP384r1) ++ || (curves[n].nid == NID_brainpoolP384t1) || (curves[n].nid == NID_brainpoolP512r1) ++ || (curves[n].nid == NID_brainpoolP512t1)) && EVP_default_properties_is_fips_enabled(NULL)) ++ continue; ++ + if (comment == NULL) + comment = "CURVE DESCRIPTION NOT AVAILABLE"; + if (sname == NULL) +Index: openssl-3.2.3/apps/req.c +=================================================================== +--- openssl-3.2.3.orig/apps/req.c ++++ openssl-3.2.3/apps/req.c +@@ -268,7 +268,7 @@ int req_main(int argc, char **argv) + unsigned long chtype = MBSTRING_ASC, reqflag = 0; + + #ifndef OPENSSL_NO_DES +- cipher = (EVP_CIPHER *)EVP_des_ede3_cbc(); ++ cipher = (EVP_CIPHER *)EVP_aes_256_cbc(); + #endif + + opt_set_unknown_name("digest"); +Index: openssl-3.2.3/providers/common/capabilities.c +=================================================================== +--- openssl-3.2.3.orig/providers/common/capabilities.c ++++ openssl-3.2.3/providers/common/capabilities.c +@@ -189,9 +189,9 @@ static const OSSL_PARAM param_group_list + TLS_GROUP_ENTRY("brainpoolP256r1", "brainpoolP256r1", "EC", 25), + TLS_GROUP_ENTRY("brainpoolP384r1", "brainpoolP384r1", "EC", 26), + TLS_GROUP_ENTRY("brainpoolP512r1", "brainpoolP512r1", "EC", 27), +-# endif + TLS_GROUP_ENTRY("x25519", "X25519", "X25519", 28), + TLS_GROUP_ENTRY("x448", "X448", "X448", 29), ++# endif + # ifndef FIPS_MODULE + TLS_GROUP_ENTRY("brainpoolP256r1tls13", "brainpoolP256r1", "EC", 30), + TLS_GROUP_ENTRY("brainpoolP384r1tls13", "brainpoolP384r1", "EC", 31), +Index: openssl-3.2.3/providers/fips/fipsprov.c +=================================================================== +--- openssl-3.2.3.orig/providers/fips/fipsprov.c ++++ openssl-3.2.3/providers/fips/fipsprov.c +@@ -194,18 +194,19 @@ static const OSSL_PARAM *fips_gettable_p + + static int fips_get_params(void *provctx, OSSL_PARAM params[]) + { ++#define SUSE_OPENSSL_VERSION_STR OPENSSL_VERSION_STR " SUSE release " SUSE_OPENSSL_RELEASE + OSSL_PARAM *p; + FIPS_GLOBAL *fgbl = ossl_lib_ctx_get_data(ossl_prov_ctx_get0_libctx(provctx), + OSSL_LIB_CTX_FIPS_PROV_INDEX); + + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_NAME); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "OpenSSL FIPS Provider")) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, "SUSE Linux Enterprise - OpenSSL FIPS Provider")) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_VERSION); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_VERSION_STR)) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR)) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_BUILDINFO); +- if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, OPENSSL_FULL_VERSION_STR)) ++ if (p != NULL && !OSSL_PARAM_set_utf8_ptr(p, SUSE_OPENSSL_VERSION_STR)) + return 0; + p = OSSL_PARAM_locate(params, OSSL_PROV_PARAM_STATUS); + if (p != NULL && !OSSL_PARAM_set_int(p, ossl_prov_is_running())) +@@ -298,10 +299,11 @@ static const OSSL_ALGORITHM fips_digests + * KECCAK-KMAC-128 and KECCAK-KMAC-256 as hashes are mostly useful for + * KMAC128 and KMAC256. + */ +- { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, ++ /* We don't certify KECCAK in our FIPS provider */ ++ /* { PROV_NAMES_KECCAK_KMAC_128, FIPS_DEFAULT_PROPERTIES, + ossl_keccak_kmac_128_functions }, + { PROV_NAMES_KECCAK_KMAC_256, FIPS_DEFAULT_PROPERTIES, +- ossl_keccak_kmac_256_functions }, ++ ossl_keccak_kmac_256_functions }, */ + { NULL, NULL, NULL } + }; + +@@ -360,8 +362,9 @@ static const OSSL_ALGORITHM_CAPABLE fips + ALGC(PROV_NAMES_AES_256_CBC_HMAC_SHA256, ossl_aes256cbc_hmac_sha256_functions, + ossl_cipher_capable_aes_cbc_hmac_sha256), + #ifndef OPENSSL_NO_DES +- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), +- UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), ++ /* We don't certify 3DES in our FIPS provider */ ++ /* UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_ECB, ossl_tdes_ede3_ecb_functions), ++ UNAPPROVED_ALG(PROV_NAMES_DES_EDE3_CBC, ossl_tdes_ede3_cbc_functions), */ + #endif /* OPENSSL_NO_DES */ + { { NULL, NULL, NULL }, NULL } + }; +@@ -373,8 +376,9 @@ static const OSSL_ALGORITHM fips_macs[] + #endif + { PROV_NAMES_GMAC, FIPS_DEFAULT_PROPERTIES, ossl_gmac_functions }, + { PROV_NAMES_HMAC, FIPS_DEFAULT_PROPERTIES, ossl_hmac_functions }, +- { PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, +- { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, ++ /* We don't certify KMAC in our FIPS provider */ ++ /*{ PROV_NAMES_KMAC_128, FIPS_DEFAULT_PROPERTIES, ossl_kmac128_functions }, ++ { PROV_NAMES_KMAC_256, FIPS_DEFAULT_PROPERTIES, ossl_kmac256_functions }, */ + { NULL, NULL, NULL } + }; + +@@ -410,8 +414,9 @@ static const OSSL_ALGORITHM fips_keyexch + #ifndef OPENSSL_NO_EC + { PROV_NAMES_ECDH, FIPS_DEFAULT_PROPERTIES, ossl_ecdh_keyexch_functions }, + # ifndef OPENSSL_NO_ECX +- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, +- { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions }, ++ /* We don't certify Edwards curves in our FIPS provider */ ++ /*{ PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keyexch_functions }, ++ { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keyexch_functions },*/ + # endif + #endif + { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, +@@ -422,14 +427,16 @@ static const OSSL_ALGORITHM fips_keyexch + + static const OSSL_ALGORITHM fips_signature[] = { + #ifndef OPENSSL_NO_DSA +- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions }, ++ /* We don't certify DSA in our FIPS provider */ ++ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_signature_functions },*/ + #endif + { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_signature_functions }, + #ifndef OPENSSL_NO_EC + # ifndef OPENSSL_NO_ECX +- { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ++ /* We don't certify Edwards curves in our FIPS provider */ ++ /* { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, + ossl_ed25519_signature_functions }, +- { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions }, ++ { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_signature_functions },*/ + # endif + { PROV_NAMES_ECDSA, FIPS_DEFAULT_PROPERTIES, ossl_ecdsa_signature_functions }, + #endif +@@ -460,8 +467,9 @@ static const OSSL_ALGORITHM fips_keymgmt + PROV_DESCS_DHX }, + #endif + #ifndef OPENSSL_NO_DSA +- { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, +- PROV_DESCS_DSA }, ++ /* We don't certify DSA in our FIPS provider */ ++ /* { PROV_NAMES_DSA, FIPS_DEFAULT_PROPERTIES, ossl_dsa_keymgmt_functions, ++ PROV_DESCS_DSA }, */ + #endif + { PROV_NAMES_RSA, FIPS_DEFAULT_PROPERTIES, ossl_rsa_keymgmt_functions, + PROV_DESCS_RSA }, +@@ -471,14 +479,15 @@ static const OSSL_ALGORITHM fips_keymgmt + { PROV_NAMES_EC, FIPS_DEFAULT_PROPERTIES, ossl_ec_keymgmt_functions, + PROV_DESCS_EC }, + # ifndef OPENSSL_NO_ECX +- { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, ++ /* We don't certify Edwards curves in our FIPS provider */ ++ /* { PROV_NAMES_X25519, FIPS_DEFAULT_PROPERTIES, ossl_x25519_keymgmt_functions, + PROV_DESCS_X25519 }, + { PROV_NAMES_X448, FIPS_DEFAULT_PROPERTIES, ossl_x448_keymgmt_functions, + PROV_DESCS_X448 }, + { PROV_NAMES_ED25519, FIPS_UNAPPROVED_PROPERTIES, ossl_ed25519_keymgmt_functions, + PROV_DESCS_ED25519 }, + { PROV_NAMES_ED448, FIPS_UNAPPROVED_PROPERTIES, ossl_ed448_keymgmt_functions, +- PROV_DESCS_ED448 }, ++ PROV_DESCS_ED448 }, */ + # endif + #endif + { PROV_NAMES_TLS1_PRF, FIPS_DEFAULT_PROPERTIES, ossl_kdf_keymgmt_functions, +Index: openssl-3.2.3/providers/fips/self_test_data.inc +=================================================================== +--- openssl-3.2.3.orig/providers/fips/self_test_data.inc ++++ openssl-3.2.3/providers/fips/self_test_data.inc +@@ -177,6 +177,7 @@ static const ST_KAT_DIGEST st_kat_digest + /*- CIPHER TEST DATA */ + + /* DES3 test data */ ++#if 0 + static const unsigned char des_ede3_cbc_pt[] = { + 0x6B, 0xC1, 0xBE, 0xE2, 0x2E, 0x40, 0x9F, 0x96, + 0xE9, 0x3D, 0x7E, 0x11, 0x73, 0x93, 0x17, 0x2A, +@@ -197,7 +198,7 @@ static const unsigned char des_ede3_cbc_ + 0x51, 0x65, 0x70, 0x48, 0x1F, 0x25, 0xB5, 0x0F, + 0x73, 0xC0, 0xBD, 0xA8, 0x5C, 0x8E, 0x0D, 0xA7 + }; +- ++#endif + /* AES-256 GCM test data */ + static const unsigned char aes_256_gcm_key[] = { + 0x92, 0xe1, 0x1d, 0xcd, 0xaa, 0x86, 0x6f, 0x5c, +@@ -1454,8 +1455,9 @@ static const ST_KAT_PARAM ecdsa_bin_key[ + # endif /* OPENSSL_NO_EC2M */ + #endif /* OPENSSL_NO_EC */ + +-#ifndef OPENSSL_NO_DSA + /* dsa 2048 */ ++#if 0 ++#ifndef OPENSSL_NO_DSA + static const unsigned char dsa_p[] = { + 0xa2, 0x9b, 0x88, 0x72, 0xce, 0x8b, 0x84, 0x23, + 0xb7, 0xd5, 0xd2, 0x1d, 0x4b, 0x02, 0xf5, 0x7e, +@@ -1590,6 +1592,7 @@ static const ST_KAT_PARAM dsa_key[] = { + ST_KAT_PARAM_END() + }; + #endif /* OPENSSL_NO_DSA */ ++#endif + + /* Hash DRBG inputs for signature KATs */ + static const unsigned char sig_kat_entropyin[] = { +@@ -1642,6 +1645,7 @@ static const ST_KAT_SIGN st_kat_sign_tes + }, + # endif + #endif /* OPENSSL_NO_EC */ ++#if 0 + #ifndef OPENSSL_NO_DSA + { + OSSL_SELF_TEST_DESC_SIGN_DSA, +@@ -1654,6 +1658,7 @@ static const ST_KAT_SIGN st_kat_sign_tes + ITM(dsa_expected_sig) + }, + #endif /* OPENSSL_NO_DSA */ ++#endif + }; + + static const ST_KAT_ASYM_CIPHER st_kat_asym_cipher_tests[] = { +Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c +@@ -702,6 +702,19 @@ static int rsa_verify_recover(void *vprs + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + int ret; ++# ifdef FIPS_MODULE ++ size_t rsabits = RSA_bits(prsactx->rsa); ++ ++ if (rsabits < 2048) { ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ } ++# endif + + if (!ossl_prov_is_running()) + return 0; +@@ -790,6 +803,19 @@ static int rsa_verify(void *vprsactx, co + { + PROV_RSA_CTX *prsactx = (PROV_RSA_CTX *)vprsactx; + size_t rslen; ++# ifdef FIPS_MODULE ++ size_t rsabits = RSA_bits(prsactx->rsa); ++ ++ if (rsabits < 2048) { ++ if (rsabits != 1024 ++ && rsabits != 1280 ++ && rsabits != 1536 ++ && rsabits != 1792) { ++ ERR_raise(ERR_LIB_FIPS, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } ++ } ++# endif + + if (!ossl_prov_is_running()) + return 0; +Index: openssl-3.2.3/ssl/ssl_ciph.c +=================================================================== +--- openssl-3.2.3.orig/ssl/ssl_ciph.c ++++ openssl-3.2.3/ssl/ssl_ciph.c +@@ -356,6 +356,9 @@ int ssl_load_ciphers(SSL_CTX *ctx) + ctx->disabled_mkey_mask = 0; + ctx->disabled_auth_mask = 0; + ++ if (EVP_default_properties_is_fips_enabled(ctx->libctx)) ++ ctx->disabled_mkey_mask |= SSL_kRSA | SSL_kRSAPSK; ++ + /* + * We ignore any errors from the fetches below. They are expected to fail + * if these algorithms are not available. +Index: openssl-3.2.3/test/acvp_test.c +=================================================================== +--- openssl-3.2.3.orig/test/acvp_test.c ++++ openssl-3.2.3/test/acvp_test.c +@@ -1478,6 +1478,7 @@ int setup_tests(void) + OSSL_NELEM(dh_safe_prime_keyver_data)); + #endif /* OPENSSL_NO_DH */ + ++#if 0 /* SUSE FIPS provider doesn't have fips=yes property on DSA */ + #ifndef OPENSSL_NO_DSA + ADD_ALL_TESTS(dsa_keygen_test, OSSL_NELEM(dsa_keygen_data)); + ADD_ALL_TESTS(dsa_paramgen_test, OSSL_NELEM(dsa_paramgen_data)); +@@ -1485,6 +1486,7 @@ int setup_tests(void) + ADD_ALL_TESTS(dsa_siggen_test, OSSL_NELEM(dsa_siggen_data)); + ADD_ALL_TESTS(dsa_sigver_test, OSSL_NELEM(dsa_sigver_data)); + #endif /* OPENSSL_NO_DSA */ ++#endif + + #ifndef OPENSSL_NO_EC + ADD_ALL_TESTS(ecdsa_keygen_test, OSSL_NELEM(ecdsa_keygen_data)); +Index: openssl-3.2.3/test/endecode_test.c +=================================================================== +--- openssl-3.2.3.orig/test/endecode_test.c ++++ openssl-3.2.3/test/endecode_test.c +@@ -1424,6 +1424,7 @@ int setup_tests(void) + * so no legacy tests. + */ + #endif ++ if (is_fips == 0) { + #ifndef OPENSSL_NO_DSA + ADD_TEST_SUITE(DSA); + ADD_TEST_SUITE_PARAMS(DSA); +@@ -1434,6 +1435,7 @@ int setup_tests(void) + ADD_TEST_SUITE_PROTECTED_PVK(DSA); + # endif + #endif ++ } + #ifndef OPENSSL_NO_EC + ADD_TEST_SUITE(EC); + ADD_TEST_SUITE_PARAMS(EC); +@@ -1454,10 +1456,12 @@ int setup_tests(void) + ADD_TEST_SUITE(SM2); + } + # endif ++ if (is_fips == 0) { + ADD_TEST_SUITE(ED25519); + ADD_TEST_SUITE(ED448); + ADD_TEST_SUITE(X25519); + ADD_TEST_SUITE(X448); ++ } + /* + * ED25519, ED448, X25519 and X448 have no support for + * PEM_write_bio_PrivateKey_traditional(), so no legacy tests. +Index: openssl-3.2.3/test/evp_libctx_test.c +=================================================================== +--- openssl-3.2.3.orig/test/evp_libctx_test.c ++++ openssl-3.2.3/test/evp_libctx_test.c +@@ -21,6 +21,7 @@ + */ + #include "internal/deprecated.h" + #include ++#include + #include + #include + #include +@@ -726,7 +727,9 @@ int setup_tests(void) + return 0; + + #if !defined(OPENSSL_NO_DSA) && !defined(OPENSSL_NO_DH) +- ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); ++ if (strcmp(prov_name, "fips") != 0) { ++ ADD_ALL_TESTS(test_dsa_param_keygen, 3 * 3 * 3); ++ } + #endif + #ifndef OPENSSL_NO_DH + ADD_ALL_TESTS(test_dh_safeprime_param_keygen, 3 * 3 * 3); +@@ -746,7 +749,9 @@ int setup_tests(void) + ADD_TEST(kem_invalid_keytype); + #endif + #ifndef OPENSSL_NO_DES +- ADD_TEST(test_cipher_tdes_randkey); ++ if (strcmp(prov_name, "fips") != 0) { ++ ADD_TEST(test_cipher_tdes_randkey); ++ } + #endif + return 1; + } +Index: openssl-3.2.3/test/recipes/15-test_gendsa.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/15-test_gendsa.t ++++ openssl-3.2.3/test/recipes/15-test_gendsa.t +@@ -24,7 +24,7 @@ use lib bldtop_dir('.'); + plan skip_all => "This test is unsupported in a no-dsa build" + if disabled("dsa"); + +-my $no_fips = disabled('fips') || ($ENV{NO_FIPS} // 0); ++my $no_fips = 1; + + plan tests => + ($no_fips ? 0 : 2) # FIPS related tests +Index: openssl-3.2.3/test/recipes/20-test_cli_fips.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/20-test_cli_fips.t ++++ openssl-3.2.3/test/recipes/20-test_cli_fips.t +@@ -278,8 +278,7 @@ SKIP: { + } + + SKIP : { +- skip "FIPS DSA tests because of no dsa in this build", 1 +- if disabled("dsa"); ++ skip "FIPS DSA tests because of no dsa in this build", 1; + + subtest DSA => sub { + my $testtext_prefix = 'DSA'; +Index: openssl-3.2.3/test/recipes/30-test_evp.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/30-test_evp.t ++++ openssl-3.2.3/test/recipes/30-test_evp.t +@@ -46,10 +46,8 @@ my @files = qw( + evpciph_aes_cts.txt + evpciph_aes_wrap.txt + evpciph_aes_stitched.txt +- evpciph_des3_common.txt + evpkdf_hkdf.txt + evpkdf_kbkdf_counter.txt +- evpkdf_kbkdf_kmac.txt + evpkdf_pbkdf1.txt + evpkdf_pbkdf2.txt + evpkdf_ss.txt +@@ -70,15 +68,6 @@ push @files, qw( + evppkey_dh.txt + ) unless $no_dh; + push @files, qw( +- evpkdf_x942_des.txt +- evpmac_cmac_des.txt +- ) unless $no_des; +-push @files, qw(evppkey_dsa.txt) unless $no_dsa; +-push @files, qw( +- evppkey_ecx.txt +- evppkey_mismatch_ecx.txt +- ) unless $no_ecx; +-push @files, qw( + evppkey_ecc.txt + evppkey_ecdh.txt + evppkey_ecdsa.txt +@@ -97,6 +86,7 @@ my @defltfiles = qw( + evpciph_cast5.txt + evpciph_chacha.txt + evpciph_des.txt ++ evpciph_des3_common.txt + evpciph_idea.txt + evpciph_rc2.txt + evpciph_rc4.txt +@@ -121,13 +111,19 @@ my @defltfiles = qw( + evpmd_whirlpool.txt + evppbe_scrypt.txt + evppbe_pkcs12.txt ++ evpkdf_kbkdf_kmac.txt + evppkey_kdf_scrypt.txt + evppkey_kdf_tls1_prf.txt + evppkey_rsa.txt + ); ++push @defltfiles, qw(evppkey_dsa.txt) unless $no_dsa; ++push @defltfiles, qw(evppkey_ecx.txt) unless $no_ec; ++push @defltfiles, qw( ++ evpkdf_x942_des.txt ++ evpmac_cmac_des.txt ++ ) unless $no_des; + push @defltfiles, qw(evppkey_brainpool.txt) unless $no_ec; + push @defltfiles, qw(evppkey_ecdsa_rfc6979.txt) unless $no_ec; +-push @defltfiles, qw(evppkey_dsa_rfc6979.txt) unless $no_dsa; + push @defltfiles, qw(evppkey_sm2.txt) unless $no_sm2; + push @defltfiles, qw(evpciph_aes_gcm_siv.txt) unless $no_siv; + push @defltfiles, qw(evpciph_aes_siv.txt) unless $no_siv; +Index: openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt +=================================================================== +--- openssl-3.2.3.orig/test/recipes/30-test_evp_data/evpmac_common.txt ++++ openssl-3.2.3/test/recipes/30-test_evp_data/evpmac_common.txt +@@ -363,6 +363,7 @@ IV = 7AE8E2CA4EC500012E58495C + Input = 68F2E77696CE7AE8E2CA4EC588E541002E58495C08000F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D0007 + Result = MAC_INIT_ERROR + ++Availablein = default + Title = KMAC Tests (From NIST) + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F +@@ -373,12 +374,14 @@ Ctrl = xof:0 + OutputSize = 32 + BlockSize = 168 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Custom = "My Tagged Application" + Output = 3B1FBA963CD8B0B59E8C1A6D71888B7143651AF8BA0A7070C0979E2811324AA5 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -386,6 +389,7 @@ Custom = "My Tagged Application" + Output = 1F5B4E6CCA02209E0DCB5CA635B89A15E271ECC760071DFD805FAA38F9729230 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -394,12 +398,14 @@ Output = 20C570C31346F703C9AC36C61C03CB6 + OutputSize = 64 + BlockSize = 136 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 + Custom = "" + Output = 75358CF39E41494E949707927CEE0AF20A3FF553904C86B08F21CC414BCFD691589D27CF5E15369CBBFF8B9A4C2EB17800855D0235FF635DA82533EC6B759B69 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -409,12 +415,14 @@ Ctrl = size:64 + + Title = KMAC XOF Tests (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -422,6 +430,7 @@ Custom = "My Tagged Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + XOF = 1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -430,6 +439,7 @@ Output = 47026C7CD793084AA0283C253EF6584 + XOF = 1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -437,6 +447,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + XOF = 1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -444,6 +455,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + XOF = 1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -454,6 +466,7 @@ XOF = 1 + + Title = KMAC long customisation string (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -464,12 +477,14 @@ XOF = 1 + + Title = KMAC XOF Tests via ctrl (From NIST) + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 + Output = CD83740BBD92CCC8CF032B1481A0F4460E7CA9DD12B08A0C4031178BACD6EC35 + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -477,6 +492,7 @@ Custom = "My Tagged Application" + Output = 31A44527B4ED9F5C6101D11DE6D26F0620AA5C341DEF41299657FE9DF1A3B16C + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -485,6 +501,7 @@ Output = 47026C7CD793084AA0283C253EF6584 + Ctrl = xof:1 + Ctrl = size:32 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 00010203 +@@ -492,6 +509,7 @@ Custom = "My Tagged Application" + Output = 1755133F1534752AAD0748F2C706FB5C784512CAB835CD15676B16C0C6647FA96FAA7AF634A0BF8FF6DF39374FA00FAD9A39E322A7C92065A64EB1FB0801EB2B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -499,6 +517,7 @@ Custom = "" + Output = FF7B171F1E8A2B24683EED37830EE797538BA8DC563F6DA1E667391A75EDC02CA633079F81CE12A25F45615EC89972031D18337331D24CEB8F8CA8E6A19FD98B + Ctrl = xof:1 + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -509,6 +528,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string via ctrl (from NIST ACVP) + ++Availablein = default + MAC = KMAC256 + Key = 9743DBF93102FAF11227B154B8ACD16CF142671F7AA16C559A393A38B4CEF461ED29A6A328D7379C99718790E38B54CA25E9E831CBEA463EE704D1689F94629AB795DF0C77F756DA743309C0E054596BA2D9CC1768ACF7CD351D9A7EB1ABD0A3 + Input = BA63AC9C711F143CCE7FF92D0322649D1BE437D805FD225C0A2879A008373EC3BCCDB09971FAD2BCE5F4347AF7E5238EF01A90ED34193D6AFC1D +@@ -519,6 +539,7 @@ Ctrl = xof:1 + + Title = KMAC long customisation string negative test + ++Availablein = default + MAC = KMAC128 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +@@ -527,6 +548,7 @@ Result = MAC_INIT_ERROR + + Title = KMAC output is too large + ++Availablein = default + MAC = KMAC256 + Key = 404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F + Input = 000102030405060708090A0B0C0D0E0F101112131415161718191A1B1C1D1E1F202122232425262728292A2B2C2D2E2F303132333435363738393A3B3C3D3E3F404142434445464748494A4B4C4D4E4F505152535455565758595A5B5C5D5E5F606162636465666768696A6B6C6D6E6F707172737475767778797A7B7C7D7E7F808182838485868788898A8B8C8D8E8F909192939495969798999A9B9C9D9E9FA0A1A2A3A4A5A6A7A8A9AAABACADAEAFB0B1B2B3B4B5B6B7B8B9BABBBCBDBEBFC0C1C2C3C4C5C6C7 +Index: openssl-3.2.3/test/recipes/80-test_cms.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/80-test_cms.t ++++ openssl-3.2.3/test/recipes/80-test_cms.t +@@ -96,7 +96,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content DER format, DSA key", ++ [ "signed content DER format, DSA key, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", "-nodetach", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -104,7 +104,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed detached content DER format, DSA key", ++ [ "signed detached content DER format, DSA key, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd2}", @prov, "-verify", "-in", "{output}.cms", "-inform", "DER", +@@ -113,7 +113,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed detached content DER format, add RSA signer (with DSA existing)", ++ [ "signed detached content DER format, add RSA signer (with DSA existing), no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], + [ "{cmd1}", @prov, "-resign", "-in", "{output}.cms", "-inform", "DER", "-outform", "DER", +@@ -124,7 +124,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, DSA key", ++ [ "signed content test streaming BER format, DSA key, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", catfile($smdir, "smdsa1.pem"), "-out", "{output}.cms" ], +@@ -133,7 +133,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -146,7 +146,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, no attributes, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-noattr", "-nodetach", "-stream", + "-signer", $smrsa1, +@@ -176,7 +176,7 @@ my @smime_pkcs7_tests = ( + \&zero_compare + ], + +- [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -188,7 +188,7 @@ my @smime_pkcs7_tests = ( + \&final_compare + ], + +- [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming multipart S/MIME format, 2 DSA and 2 RSA keys, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -250,7 +250,7 @@ my @smime_pkcs7_tests = ( + + my @smime_cms_tests = ( + +- [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid", ++ [ "signed content test streaming BER format, 2 DSA and 2 RSA keys, keyid, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "DER", + "-nodetach", "-keyid", + "-signer", $smrsa1, +@@ -263,7 +263,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys", ++ [ "signed content test streaming PEM format, 2 DSA and 2 RSA keys, no SUSE FIPS", + [ "{cmd1}", @prov, "-sign", "-in", $smcont, "-outform", "PEM", "-nodetach", + "-signer", $smrsa1, + "-signer", catfile($smdir, "smrsa2.pem"), +@@ -373,7 +373,7 @@ my @smime_cms_tests = ( + \&final_compare + ], + +- [ "encrypted content test streaming PEM format, triple DES key", ++ [ "encrypted content test streaming PEM format, triple DES key, no SUSE FIPS", + [ "{cmd1}", @prov, "-EncryptedData_encrypt", "-in", $smcont, "-outform", "PEM", + "-des3", "-secretkey", "000102030405060708090A0B0C0D0E0F1011121314151617", + "-stream", "-out", "{output}.cms" ], +Index: openssl-3.2.3/test/recipes/80-test_ssl_old.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/80-test_ssl_old.t ++++ openssl-3.2.3/test/recipes/80-test_ssl_old.t +@@ -436,7 +436,7 @@ sub testssl { + my @exkeys = (); + my $ciphers = '-PSK:-SRP:@SECLEVEL=0'; + +- if (!$no_dsa) { ++ if (!$no_dsa && $provider ne "fips") { + push @exkeys, "-s_cert", "certD.ss", "-s_key", $Dkey; + } + diff --git a/openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch b/openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch new file mode 100644 index 0000000..7b8f762 --- /dev/null +++ b/openssl-FIPS-signature-Add-indicator-for-PSS-salt-length.patch @@ -0,0 +1,113 @@ +From a325a23bc83f4efd60130001c417ca5b96bdbff1 Mon Sep 17 00:00:00 2001 +From: Clemens Lang +Date: Thu, 17 Nov 2022 19:33:02 +0100 +Subject: [PATCH] signature: Add indicator for PSS salt length +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +FIPS 186-4 section 5 "The RSA Digital Signature Algorithm", subsection +5.5 "PKCS #1" says: "For RSASSA-PSS [...] the length (in bytes) of the +salt (sLen) shall satisfy 0 <= sLen <= hLen, where hLen is the length of +the hash function output block (in bytes)." + +It is not exactly clear from this text whether hLen refers to the +message digest or the hash function used for the mask generation +function MGF1. PKCS#1 v2.1 suggests it is the former: + +| Typical salt lengths in octets are hLen (the length of the output of +| the hash function Hash) and 0. In both cases the security of +| RSASSA-PSS can be closely related to the hardness of inverting RSAVP1. +| Bellare and Rogaway [4] give a tight lower bound for the security of +| the original RSA-PSS scheme, which corresponds roughly to the former +| case, while Coron [12] gives a lower bound for the related Full Domain +| Hashing scheme, which corresponds roughly to the latter case. In [13] +| Coron provides a general treatment with various salt lengths ranging +| from 0 to hLen; see [27] for discussion. See also [31], which adapts +| the security proofs in [4][13] to address the differences between the +| original and the present version of RSA-PSS as listed in Note 1 above. + +Since OpenSSL defaults to creating signatures with the maximum salt +length, blocking the use of longer salts would probably lead to +significant problems in practice. Instead, introduce an explicit +indicator that can be obtained from the EVP_PKEY_CTX object using +EVP_PKEY_CTX_get_params() with the + OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR +parameter. + +We also add indicator for RSA_NO_PADDING here to avoid patch-over-patch. +Dmitry Belyavskiy + +Signed-off-by: Clemens Lang +--- + include/openssl/evp.h | 4 ++++ + providers/implementations/signature/rsa_sig.c | 21 +++++++++++++++++ + util/perl/OpenSSL/paramnames.pm | 23 ++++++++++--------- + 3 files changed, 37 insertions(+), 11 deletions(-) + +Index: openssl-3.2.3/include/openssl/evp.h +=================================================================== +--- openssl-3.2.3.orig/include/openssl/evp.h ++++ openssl-3.2.3/include/openssl/evp.h +@@ -804,6 +804,10 @@ __owur int EVP_CipherFinal(EVP_CIPHER_CT + __owur int EVP_CipherFinal_ex(EVP_CIPHER_CTX *ctx, unsigned char *outm, + int *outl); + ++# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED 0 ++# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED 1 ++# define EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED 2 ++ + __owur int EVP_SignFinal(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, + EVP_PKEY *pkey); + __owur int EVP_SignFinal_ex(EVP_MD_CTX *ctx, unsigned char *md, unsigned int *s, +Index: openssl-3.2.3/providers/implementations/signature/rsa_sig.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/signature/rsa_sig.c ++++ openssl-3.2.3/providers/implementations/signature/rsa_sig.c +@@ -1185,6 +1185,24 @@ static int rsa_get_ctx_params(void *vprs + } + } + ++#ifdef FIPS_MODULE ++ p = OSSL_PARAM_locate(params, OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR); ++ if (p != NULL) { ++ int fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_APPROVED; ++ if (prsactx->pad_mode == RSA_PKCS1_PSS_PADDING) { ++ if (prsactx->md == NULL) { ++ fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_UNDETERMINED; ++ } else if (rsa_pss_compute_saltlen(prsactx) > EVP_MD_get_size(prsactx->md)) { ++ fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ } else if (prsactx->pad_mode == RSA_NO_PADDING) { ++ if (prsactx->md == NULL) /* Should always be the case */ ++ fips_indicator = EVP_SIGNATURE_SUSE_FIPS_INDICATOR_NOT_APPROVED; ++ } ++ return OSSL_PARAM_set_int(p, fips_indicator); ++ } ++#endif ++ + return 1; + } + +@@ -1194,6 +1212,9 @@ static const OSSL_PARAM known_gettable_c + OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_DIGEST, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_MGF1_DIGEST, NULL, 0), + OSSL_PARAM_utf8_string(OSSL_SIGNATURE_PARAM_PSS_SALTLEN, NULL, 0), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_SIGNATURE_PARAM_SUSE_FIPS_INDICATOR, NULL), ++#endif + OSSL_PARAM_END + }; + +Index: openssl-3.2.3/util/perl/OpenSSL/paramnames.pm +=================================================================== +--- openssl-3.2.3.orig/util/perl/OpenSSL/paramnames.pm ++++ openssl-3.2.3/util/perl/OpenSSL/paramnames.pm +@@ -386,6 +386,7 @@ my %params = ( + 'SIGNATURE_PARAM_MGF1_PROPERTIES' => '*PKEY_PARAM_MGF1_PROPERTIES', + 'SIGNATURE_PARAM_DIGEST_SIZE' => '*PKEY_PARAM_DIGEST_SIZE', + 'SIGNATURE_PARAM_NONCE_TYPE' => "nonce-type", ++ 'SIGNATURE_PARAM_SUSE_FIPS_INDICATOR' => "suse-fips-indicator", + 'SIGNATURE_PARAM_INSTANCE' => "instance", + 'SIGNATURE_PARAM_CONTEXT_STRING' => "context-string", + diff --git a/openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch b/openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch new file mode 100644 index 0000000..e79c626 --- /dev/null +++ b/openssl-Fix-EVP_PKEY_CTX_add1_hkdf_info-behavior.patch @@ -0,0 +1,309 @@ +From 4580c303fa88f77a98461fee5fe26b5db725967c Mon Sep 17 00:00:00 2001 +From: Todd Short +Date: Thu, 1 Feb 2024 23:09:38 -0500 +Subject: [PATCH 1/2] Fix EVP_PKEY_CTX_add1_hkdf_info() behavior + +Fix #23448 + +`EVP_PKEY_CTX_add1_hkdf_info()` behaves like a `set1` function. + +Fix the setting of the parameter in the params code. +Update the TLS_PRF code to also use the params code. +Add tests. + +Reviewed-by: Shane Lontis +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/23456) + +(cherry picked from commit 6b566687b58fde08b28e3331377f050768fad89b) +--- + crypto/evp/pmeth_lib.c | 65 ++++++++++++++++++- + providers/implementations/exchange/kdf_exch.c | 42 ++++++++++++ + providers/implementations/kdfs/hkdf.c | 8 +++ + test/pkey_meth_kdf_test.c | 53 +++++++++++---- + 4 files changed, 156 insertions(+), 12 deletions(-) + +diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c +index ba1971c..d0eeaf7 100644 +--- a/crypto/evp/pmeth_lib.c ++++ b/crypto/evp/pmeth_lib.c +@@ -1028,6 +1028,69 @@ static int evp_pkey_ctx_set1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + return EVP_PKEY_CTX_set_params(ctx, octet_string_params); + } + ++static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, ++ const char *param, int op, int ctrl, ++ const unsigned char *data, ++ int datalen) ++{ ++ OSSL_PARAM os_params[2]; ++ unsigned char *info = NULL; ++ size_t info_len = 0; ++ size_t info_alloc = 0; ++ int ret = 0; ++ ++ if (ctx == NULL || (ctx->operation & op) == 0) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_COMMAND_NOT_SUPPORTED); ++ /* Uses the same return values as EVP_PKEY_CTX_ctrl */ ++ return -2; ++ } ++ ++ /* Code below to be removed when legacy support is dropped. */ ++ if (fallback) ++ return EVP_PKEY_CTX_ctrl(ctx, -1, op, ctrl, datalen, (void *)(data)); ++ /* end of legacy support */ ++ ++ if (datalen < 0) { ++ ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH); ++ return 0; ++ } ++ ++ /* Get the original value length */ ++ os_params[0] = OSSL_PARAM_construct_octet_string(param, NULL, 0); ++ os_params[1] = OSSL_PARAM_construct_end(); ++ ++ if (!EVP_PKEY_CTX_get_params(ctx, os_params)) ++ return 0; ++ ++ /* Older provider that doesn't support getting this parameter */ ++ if (os_params[0].return_size == OSSL_PARAM_UNMODIFIED) ++ return evp_pkey_ctx_set1_octet_string(ctx, fallback, param, op, ctrl, data, datalen); ++ ++ info_alloc = os_params[0].return_size + datalen; ++ if (info_alloc == 0) ++ return 0; ++ info = OPENSSL_zalloc(info_alloc); ++ if (info == NULL) ++ return 0; ++ info_len = os_params[0].return_size; ++ ++ os_params[0] = OSSL_PARAM_construct_octet_string(param, info, info_alloc); ++ ++ /* if we have data, then go get it */ ++ if (info_len > 0) { ++ if (!EVP_PKEY_CTX_get_params(ctx, os_params)) ++ goto error; ++ } ++ ++ /* Copy the input data */ ++ memcpy(&info[info_len], data, datalen); ++ ret = EVP_PKEY_CTX_set_params(ctx, os_params); ++ ++ error: ++ OPENSSL_clear_free(info, info_alloc); ++ return ret; ++} ++ + int EVP_PKEY_CTX_set1_tls1_prf_secret(EVP_PKEY_CTX *ctx, + const unsigned char *sec, int seclen) + { +@@ -1078,7 +1141,7 @@ int EVP_PKEY_CTX_set1_hkdf_key(EVP_PKEY_CTX *ctx, + int EVP_PKEY_CTX_add1_hkdf_info(EVP_PKEY_CTX *ctx, + const unsigned char *info, int infolen) + { +- return evp_pkey_ctx_set1_octet_string(ctx, ctx->op.kex.algctx == NULL, ++ return evp_pkey_ctx_add1_octet_string(ctx, ctx->op.kex.algctx == NULL, + OSSL_KDF_PARAM_INFO, + EVP_PKEY_OP_DERIVE, + EVP_PKEY_CTRL_HKDF_INFO, +diff --git a/providers/implementations/exchange/kdf_exch.c b/providers/implementations/exchange/kdf_exch.c +index 527a866..4bc8102 100644 +--- a/providers/implementations/exchange/kdf_exch.c ++++ b/providers/implementations/exchange/kdf_exch.c +@@ -28,9 +28,13 @@ static OSSL_FUNC_keyexch_derive_fn kdf_derive; + static OSSL_FUNC_keyexch_freectx_fn kdf_freectx; + static OSSL_FUNC_keyexch_dupctx_fn kdf_dupctx; + static OSSL_FUNC_keyexch_set_ctx_params_fn kdf_set_ctx_params; ++static OSSL_FUNC_keyexch_get_ctx_params_fn kdf_get_ctx_params; + static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_tls1_prf_settable_ctx_params; + static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_hkdf_settable_ctx_params; + static OSSL_FUNC_keyexch_settable_ctx_params_fn kdf_scrypt_settable_ctx_params; ++static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_tls1_prf_gettable_ctx_params; ++static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_hkdf_gettable_ctx_params; ++static OSSL_FUNC_keyexch_gettable_ctx_params_fn kdf_scrypt_gettable_ctx_params; + + typedef struct { + void *provctx; +@@ -169,6 +173,13 @@ static int kdf_set_ctx_params(void *vpkdfctx, const OSSL_PARAM params[]) + return EVP_KDF_CTX_set_params(pkdfctx->kdfctx, params); + } + ++static int kdf_get_ctx_params(void *vpkdfctx, OSSL_PARAM params[]) ++{ ++ PROV_KDF_CTX *pkdfctx = (PROV_KDF_CTX *)vpkdfctx; ++ ++ return EVP_KDF_CTX_get_params(pkdfctx->kdfctx, params); ++} ++ + static const OSSL_PARAM *kdf_settable_ctx_params(ossl_unused void *vpkdfctx, + void *provctx, + const char *kdfname) +@@ -197,6 +208,34 @@ KDF_SETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF") + KDF_SETTABLE_CTX_PARAMS(hkdf, "HKDF") + KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT") + ++static const OSSL_PARAM *kdf_gettable_ctx_params(ossl_unused void *vpkdfctx, ++ void *provctx, ++ const char *kdfname) ++{ ++ EVP_KDF *kdf = EVP_KDF_fetch(PROV_LIBCTX_OF(provctx), kdfname, ++ NULL); ++ const OSSL_PARAM *params; ++ ++ if (kdf == NULL) ++ return NULL; ++ ++ params = EVP_KDF_gettable_ctx_params(kdf); ++ EVP_KDF_free(kdf); ++ ++ return params; ++} ++ ++#define KDF_GETTABLE_CTX_PARAMS(funcname, kdfname) \ ++ static const OSSL_PARAM *kdf_##funcname##_gettable_ctx_params(void *vpkdfctx, \ ++ void *provctx) \ ++ { \ ++ return kdf_gettable_ctx_params(vpkdfctx, provctx, kdfname); \ ++ } ++ ++KDF_GETTABLE_CTX_PARAMS(tls1_prf, "TLS1-PRF") ++KDF_GETTABLE_CTX_PARAMS(hkdf, "HKDF") ++KDF_GETTABLE_CTX_PARAMS(scrypt, "SCRYPT") ++ + #define KDF_KEYEXCH_FUNCTIONS(funcname) \ + const OSSL_DISPATCH ossl_kdf_##funcname##_keyexch_functions[] = { \ + { OSSL_FUNC_KEYEXCH_NEWCTX, (void (*)(void))kdf_##funcname##_newctx }, \ +@@ -205,8 +244,11 @@ KDF_SETTABLE_CTX_PARAMS(scrypt, "SCRYPT") + { OSSL_FUNC_KEYEXCH_FREECTX, (void (*)(void))kdf_freectx }, \ + { OSSL_FUNC_KEYEXCH_DUPCTX, (void (*)(void))kdf_dupctx }, \ + { OSSL_FUNC_KEYEXCH_SET_CTX_PARAMS, (void (*)(void))kdf_set_ctx_params }, \ ++ { OSSL_FUNC_KEYEXCH_GET_CTX_PARAMS, (void (*)(void))kdf_get_ctx_params }, \ + { OSSL_FUNC_KEYEXCH_SETTABLE_CTX_PARAMS, \ + (void (*)(void))kdf_##funcname##_settable_ctx_params }, \ ++ { OSSL_FUNC_KEYEXCH_GETTABLE_CTX_PARAMS, \ ++ (void (*)(void))kdf_##funcname##_gettable_ctx_params }, \ + { 0, NULL } \ + }; + +diff --git a/providers/implementations/kdfs/hkdf.c b/providers/implementations/kdfs/hkdf.c +index daa619b..dd65a2a 100644 +--- a/providers/implementations/kdfs/hkdf.c ++++ b/providers/implementations/kdfs/hkdf.c +@@ -371,6 +371,13 @@ static int kdf_hkdf_get_ctx_params(void *vctx, OSSL_PARAM params[]) + return 0; + return OSSL_PARAM_set_size_t(p, sz); + } ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_INFO)) != NULL) { ++ if (ctx->info == NULL || ctx->info_len == 0) { ++ p->return_size = 0; ++ return 1; ++ } ++ return OSSL_PARAM_set_octet_string(p, ctx->info, ctx->info_len); ++ } + return -2; + } + +@@ -379,6 +386,7 @@ static const OSSL_PARAM *kdf_hkdf_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++ OSSL_PARAM_octet_string(OSSL_KDF_PARAM_INFO, NULL, 0), + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +diff --git a/test/pkey_meth_kdf_test.c b/test/pkey_meth_kdf_test.c +index f816d24..c09e2f3 100644 +--- a/test/pkey_meth_kdf_test.c ++++ b/test/pkey_meth_kdf_test.c +@@ -16,7 +16,7 @@ + #include + #include "testutil.h" + +-static int test_kdf_tls1_prf(void) ++static int test_kdf_tls1_prf(int index) + { + int ret = 0; + EVP_PKEY_CTX *pctx; +@@ -40,10 +40,23 @@ static int test_kdf_tls1_prf(void) + TEST_error("EVP_PKEY_CTX_set1_tls1_prf_secret"); + goto err; + } +- if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, +- (unsigned char *)"seed", 4) <= 0) { +- TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); +- goto err; ++ if (index == 0) { ++ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, ++ (unsigned char *)"seed", 4) <= 0) { ++ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); ++ goto err; ++ } ++ } else { ++ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, ++ (unsigned char *)"se", 2) <= 0) { ++ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); ++ goto err; ++ } ++ if (EVP_PKEY_CTX_add1_tls1_prf_seed(pctx, ++ (unsigned char *)"ed", 2) <= 0) { ++ TEST_error("EVP_PKEY_CTX_add1_tls1_prf_seed"); ++ goto err; ++ } + } + if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { + TEST_error("EVP_PKEY_derive"); +@@ -65,7 +78,7 @@ err: + return ret; + } + +-static int test_kdf_hkdf(void) ++static int test_kdf_hkdf(int index) + { + int ret = 0; + EVP_PKEY_CTX *pctx; +@@ -94,10 +107,23 @@ static int test_kdf_hkdf(void) + TEST_error("EVP_PKEY_CTX_set1_hkdf_key"); + goto err; + } +- if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5) ++ if (index == 0) { ++ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"label", 5) + <= 0) { +- TEST_error("EVP_PKEY_CTX_set1_hkdf_info"); +- goto err; ++ TEST_error("EVP_PKEY_CTX_add1_hkdf_info"); ++ goto err; ++ } ++ } else { ++ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"lab", 3) ++ <= 0) { ++ TEST_error("EVP_PKEY_CTX_add1_hkdf_info"); ++ goto err; ++ } ++ if (EVP_PKEY_CTX_add1_hkdf_info(pctx, (const unsigned char *)"el", 2) ++ <= 0) { ++ TEST_error("EVP_PKEY_CTX_add1_hkdf_info"); ++ goto err; ++ } + } + if (EVP_PKEY_derive(pctx, out, &outlen) <= 0) { + TEST_error("EVP_PKEY_derive"); +@@ -195,8 +221,13 @@ err: + + int setup_tests(void) + { +- ADD_TEST(test_kdf_tls1_prf); +- ADD_TEST(test_kdf_hkdf); ++ int tests = 1; ++ ++ if (fips_provider_version_ge(NULL, 3, 3, 1)) ++ tests = 2; ++ ++ ADD_ALL_TESTS(test_kdf_tls1_prf, tests); ++ ADD_ALL_TESTS(test_kdf_hkdf, tests); + #ifndef OPENSSL_NO_SCRYPT + ADD_TEST(test_kdf_scrypt); + #endif +-- +2.45.1 + diff --git a/openssl-Force-FIPS.patch b/openssl-Force-FIPS.patch new file mode 100644 index 0000000..60a7040 --- /dev/null +++ b/openssl-Force-FIPS.patch @@ -0,0 +1,77 @@ +From 2c110cf5551a3869514e697d8dc06682b62ca57d Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 11:59:02 +0200 +Subject: [PATCH 16/48] 0032-Force-fips.patch + +Patch-name: 0032-Force-fips.patch +Patch-id: 32 +Patch-status: | + # We load FIPS provider and set FIPS properties implicitly +--- + crypto/provider_conf.c | 28 +++++++++++++++++++++++++++- + 1 file changed, 27 insertions(+), 1 deletion(-) + +Index: openssl-3.1.7/crypto/provider_conf.c +=================================================================== +--- openssl-3.1.7.orig/crypto/provider_conf.c ++++ openssl-3.1.7/crypto/provider_conf.c +@@ -10,6 +10,8 @@ + #include + #include + #include ++#include ++#include + #include + #include + #include +@@ -237,7 +239,7 @@ static int provider_conf_activate(OSSL_L + if (path != NULL) + ossl_provider_set_module_path(prov, path); + +- ok = provider_conf_params(prov, NULL, NULL, value, cnf); ++ ok = cnf ? provider_conf_params(prov, NULL, NULL, value, cnf) : 1; + + if (ok == 1) { + if (!ossl_provider_activate(prov, 1, 0)) { +@@ -266,6 +268,8 @@ static int provider_conf_activate(OSSL_L + + if (ok <= 0) + ossl_provider_free(prov); ++ } else { ++ ok = 1; + } + CRYPTO_THREAD_unlock(pcgbl->lock); + +@@ -383,6 +387,32 @@ static int provider_conf_init(CONF_IMODU + return 0; + } + ++ if (ossl_get_kernel_fips_flag() != 0) { /* XXX from provider_conf_load */ ++ OSSL_LIB_CTX *libctx = NCONF_get0_libctx((CONF *)cnf); ++# define FIPS_LOCAL_CONF OPENSSLDIR "/fips_local.cnf" ++ ++ if (access(FIPS_LOCAL_CONF, R_OK) == 0) { ++ CONF *fips_conf = NCONF_new_ex(libctx, NCONF_default()); ++ if (NCONF_load(fips_conf, FIPS_LOCAL_CONF, NULL) <= 0) ++ return 0; ++ if (provider_conf_load(libctx, "fips", "fips_sect", fips_conf) != 1) { ++ NCONF_free(fips_conf); ++ return 0; ++ } ++ NCONF_free(fips_conf); ++ } else { ++ if (provider_conf_activate(libctx, "fips", NULL, NULL, 0, NULL) != 1) ++ return 0; ++ } ++ /* provider_conf_load can return 1 even when the test is failed so check explicitly */ ++ if (OSSL_PROVIDER_available(libctx, "fips") != 1) ++ return 0; ++ if (provider_conf_activate(libctx, "base", NULL, NULL, 0, NULL) != 1) ++ return 0; ++ if (EVP_default_properties_enable_fips(libctx, 1) != 1) ++ return 0; ++ } ++ + return 1; + } + diff --git a/openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch b/openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch new file mode 100644 index 0000000..0ad7660 --- /dev/null +++ b/openssl-Handle-empty-param-in-EVP_PKEY_CTX_add1_hkdf_info.patch @@ -0,0 +1,94 @@ +From d6a9c21302e01c33a9a919e7ba380ba3b0ed65b0 Mon Sep 17 00:00:00 2001 +From: trinity-1686a +Date: Mon, 15 Apr 2024 11:13:14 +0200 +Subject: [PATCH 2/2] Handle empty param in EVP_PKEY_CTX_add1_hkdf_info + +Fixes #24130 +The regression was introduced in PR #23456. + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/24141) + +(cherry picked from commit 299996fb1fcd76eeadfd547958de2a1b822f37f5) +--- + crypto/evp/pmeth_lib.c | 2 ++ + test/evp_extra_test.c | 42 ++++++++++++++++++++++++++++++++++++++++++ + 2 files changed, 44 insertions(+) + +diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c +index d0eeaf7..bce1ebc 100644 +--- a/crypto/evp/pmeth_lib.c ++++ b/crypto/evp/pmeth_lib.c +@@ -1053,6 +1053,8 @@ static int evp_pkey_ctx_add1_octet_string(EVP_PKEY_CTX *ctx, int fallback, + if (datalen < 0) { + ERR_raise(ERR_LIB_EVP, EVP_R_INVALID_LENGTH); + return 0; ++ } else if (datalen == 0) { ++ return 1; + } + + /* Get the original value length */ +diff --git a/test/evp_extra_test.c b/test/evp_extra_test.c +index 9b3bee7..22121ce 100644 +--- a/test/evp_extra_test.c ++++ b/test/evp_extra_test.c +@@ -2565,6 +2565,47 @@ static int test_emptyikm_HKDF(void) + return ret; + } + ++static int test_empty_salt_info_HKDF(void) ++{ ++ EVP_PKEY_CTX *pctx; ++ unsigned char out[20]; ++ size_t outlen; ++ int ret = 0; ++ unsigned char salt[] = ""; ++ unsigned char key[] = "012345678901234567890123456789"; ++ unsigned char info[] = ""; ++ const unsigned char expected[] = { ++ 0x67, 0x12, 0xf9, 0x27, 0x8a, 0x8a, 0x3a, 0x8f, 0x7d, 0x2c, 0xa3, 0x6a, ++ 0xaa, 0xe9, 0xb3, 0xb9, 0x52, 0x5f, 0xe0, 0x06, ++ }; ++ size_t expectedlen = sizeof(expected); ++ ++ if (!TEST_ptr(pctx = EVP_PKEY_CTX_new_from_name(testctx, "HKDF", testpropq))) ++ goto done; ++ ++ outlen = sizeof(out); ++ memset(out, 0, outlen); ++ ++ if (!TEST_int_gt(EVP_PKEY_derive_init(pctx), 0) ++ || !TEST_int_gt(EVP_PKEY_CTX_set_hkdf_md(pctx, EVP_sha256()), 0) ++ || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_salt(pctx, salt, ++ sizeof(salt) - 1), 0) ++ || !TEST_int_gt(EVP_PKEY_CTX_set1_hkdf_key(pctx, key, ++ sizeof(key) - 1), 0) ++ || !TEST_int_gt(EVP_PKEY_CTX_add1_hkdf_info(pctx, info, ++ sizeof(info) - 1), 0) ++ || !TEST_int_gt(EVP_PKEY_derive(pctx, out, &outlen), 0) ++ || !TEST_mem_eq(out, outlen, expected, expectedlen)) ++ goto done; ++ ++ ret = 1; ++ ++ done: ++ EVP_PKEY_CTX_free(pctx); ++ ++ return ret; ++} ++ + #ifndef OPENSSL_NO_EC + static int test_X509_PUBKEY_inplace(void) + { +@@ -5166,6 +5207,7 @@ int setup_tests(void) + #endif + ADD_TEST(test_HKDF); + ADD_TEST(test_emptyikm_HKDF); ++ ADD_TEST(test_empty_salt_info_HKDF); + #ifndef OPENSSL_NO_EC + ADD_TEST(test_X509_PUBKEY_inplace); + ADD_TEST(test_X509_PUBKEY_dup); +-- +2.45.1 + diff --git a/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch b/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch new file mode 100644 index 0000000..7c57d6b --- /dev/null +++ b/openssl-Improve-performance-for-6x-unrolling-with-vpermxor-i.patch @@ -0,0 +1,495 @@ +From 3d3a7ecd1ae5ab08d22041f7b3b035c34f12fa02 Mon Sep 17 00:00:00 2001 +From: Danny Tsen +Date: Tue, 22 Aug 2023 15:58:53 -0400 +Subject: [PATCH] Improve performance for 6x unrolling with vpermxor + instruction + +Reviewed-by: Paul Dale +Reviewed-by: Tomas Mraz +(Merged from https://github.com/openssl/openssl/pull/21812) +--- + crypto/aes/asm/aesp8-ppc.pl | 145 +++++++++++++++++++++++------------- + 1 file changed, 95 insertions(+), 50 deletions(-) + +diff --git a/crypto/aes/asm/aesp8-ppc.pl b/crypto/aes/asm/aesp8-ppc.pl +index 60cf86f52aed2..38b9405a283b7 100755 +--- a/crypto/aes/asm/aesp8-ppc.pl ++++ b/crypto/aes/asm/aesp8-ppc.pl +@@ -99,11 +99,12 @@ + .long 0x1b000000, 0x1b000000, 0x1b000000, 0x1b000000 ?rev + .long 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c, 0x0d0e0f0c ?rev + .long 0,0,0,0 ?asis ++.long 0x0f102132, 0x43546576, 0x8798a9ba, 0xcbdcedfe + Lconsts: + mflr r0 + bcl 20,31,\$+4 + mflr $ptr #vvvvv "distance between . and rcon +- addi $ptr,$ptr,-0x48 ++ addi $ptr,$ptr,-0x58 + mtlr r0 + blr + .long 0 +@@ -2405,7 +2406,7 @@ () + my $key_=$key2; + my ($x00,$x10,$x20,$x30,$x40,$x50,$x60,$x70)=map("r$_",(0,3,26..31)); + $x00=0 if ($flavour =~ /osx/); +-my ($in0, $in1, $in2, $in3, $in4, $in5 )=map("v$_",(0..5)); ++my ($in0, $in1, $in2, $in3, $in4, $in5)=map("v$_",(0..5)); + my ($out0, $out1, $out2, $out3, $out4, $out5)=map("v$_",(7,12..16)); + my ($twk0, $twk1, $twk2, $twk3, $twk4, $twk5)=map("v$_",(17..22)); + my $rndkey0="v23"; # v24-v25 rotating buffer for first found keys +@@ -2460,6 +2461,18 @@ () + li $x70,0x70 + mtspr 256,r0 + ++ # Reverse eighty7 to 0x010101..87 ++ xxlor 2, 32+$eighty7, 32+$eighty7 ++ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 ++ xxlor 1, 32+$eighty7, 32+$eighty7 ++ ++ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe ++ mr $x70, r6 ++ bl Lconsts ++ lxvw4x 0, $x40, r6 # load XOR contents ++ mr r6, $x70 ++ li $x70,0x70 ++ + subi $rounds,$rounds,3 # -4 in total + + lvx $rndkey0,$x00,$key1 # load key schedule +@@ -2502,69 +2515,77 @@ () + ?vperm v31,v31,$twk5,$keyperm + lvx v25,$x10,$key_ # pre-load round[2] + ++ # Switch to use the following codes with 0x010101..87 to generate tweak. ++ # eighty7 = 0x010101..87 ++ # vsrab tmp, tweak, seven # next tweak value, right shift 7 bits ++ # vand tmp, tmp, eighty7 # last byte with carry ++ # vaddubm tweak, tweak, tweak # left shift 1 bit (x2) ++ # xxlor vsx, 0, 0 ++ # vpermxor tweak, tweak, tmp, vsx ++ + vperm $in0,$inout,$inptail,$inpperm + subi $inp,$inp,31 # undo "caller" + vxor $twk0,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vand $tmp,$tmp,$eighty7 + vxor $out0,$in0,$twk0 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in1, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in1 + + lvx_u $in1,$x10,$inp + vxor $twk1,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in1,$in1,$in1,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out1,$in1,$twk1 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in2, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in2 + + lvx_u $in2,$x20,$inp + andi. $taillen,$len,15 + vxor $twk2,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in2,$in2,$in2,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out2,$in2,$twk2 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in3, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in3 + + lvx_u $in3,$x30,$inp + sub $len,$len,$taillen + vxor $twk3,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in3,$in3,$in3,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out3,$in3,$twk3 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in4, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in4 + + lvx_u $in4,$x40,$inp + subi $len,$len,0x60 + vxor $twk4,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in4,$in4,$in4,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out4,$in4,$twk4 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in5, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in5 + + lvx_u $in5,$x50,$inp + addi $inp,$inp,0x60 + vxor $twk5,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in5,$in5,$in5,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out5,$in5,$twk5 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in0, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in0 + + vxor v31,v31,$rndkey0 + mtctr $rounds +@@ -2590,6 +2611,8 @@ () + lvx v25,$x10,$key_ # round[4] + bdnz Loop_xts_enc6x + ++ xxlor 32+$eighty7, 1, 1 # 0x010101..87 ++ + subic $len,$len,96 # $len-=96 + vxor $in0,$twk0,v31 # xor with last round key + vcipher $out0,$out0,v24 +@@ -2599,7 +2622,6 @@ () + vaddubm $tweak,$tweak,$tweak + vcipher $out2,$out2,v24 + vcipher $out3,$out3,v24 +- vsldoi $tmp,$tmp,$tmp,15 + vcipher $out4,$out4,v24 + vcipher $out5,$out5,v24 + +@@ -2607,7 +2629,8 @@ () + vand $tmp,$tmp,$eighty7 + vcipher $out0,$out0,v25 + vcipher $out1,$out1,v25 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in1, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in1 + vcipher $out2,$out2,v25 + vcipher $out3,$out3,v25 + vxor $in1,$twk1,v31 +@@ -2618,13 +2641,13 @@ () + + and r0,r0,$len + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vcipher $out0,$out0,v26 + vcipher $out1,$out1,v26 + vand $tmp,$tmp,$eighty7 + vcipher $out2,$out2,v26 + vcipher $out3,$out3,v26 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in2, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in2 + vcipher $out4,$out4,v26 + vcipher $out5,$out5,v26 + +@@ -2638,7 +2661,6 @@ () + vaddubm $tweak,$tweak,$tweak + vcipher $out0,$out0,v27 + vcipher $out1,$out1,v27 +- vsldoi $tmp,$tmp,$tmp,15 + vcipher $out2,$out2,v27 + vcipher $out3,$out3,v27 + vand $tmp,$tmp,$eighty7 +@@ -2646,7 +2668,8 @@ () + vcipher $out5,$out5,v27 + + addi $key_,$sp,$FRAME+15 # rewind $key_ +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in3, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in3 + vcipher $out0,$out0,v28 + vcipher $out1,$out1,v28 + vxor $in3,$twk3,v31 +@@ -2655,7 +2678,6 @@ () + vcipher $out2,$out2,v28 + vcipher $out3,$out3,v28 + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vcipher $out4,$out4,v28 + vcipher $out5,$out5,v28 + lvx v24,$x00,$key_ # re-pre-load round[1] +@@ -2663,7 +2685,8 @@ () + + vcipher $out0,$out0,v29 + vcipher $out1,$out1,v29 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in4, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in4 + vcipher $out2,$out2,v29 + vcipher $out3,$out3,v29 + vxor $in4,$twk4,v31 +@@ -2673,14 +2696,14 @@ () + vcipher $out5,$out5,v29 + lvx v25,$x10,$key_ # re-pre-load round[2] + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + + vcipher $out0,$out0,v30 + vcipher $out1,$out1,v30 + vand $tmp,$tmp,$eighty7 + vcipher $out2,$out2,v30 + vcipher $out3,$out3,v30 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in5, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in5 + vcipher $out4,$out4,v30 + vcipher $out5,$out5,v30 + vxor $in5,$twk5,v31 +@@ -2690,7 +2713,6 @@ () + vcipherlast $out0,$out0,$in0 + lvx_u $in0,$x00,$inp # load next input block + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vcipherlast $out1,$out1,$in1 + lvx_u $in1,$x10,$inp + vcipherlast $out2,$out2,$in2 +@@ -2703,7 +2725,10 @@ () + vcipherlast $out4,$out4,$in4 + le?vperm $in2,$in2,$in2,$leperm + lvx_u $in4,$x40,$inp +- vxor $tweak,$tweak,$tmp ++ xxlor 10, 32+$in0, 32+$in0 ++ xxlor 32+$in0, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in0 ++ xxlor 32+$in0, 10, 10 + vcipherlast $tmp,$out5,$in5 # last block might be needed + # in stealing mode + le?vperm $in3,$in3,$in3,$leperm +@@ -2736,6 +2761,8 @@ () + mtctr $rounds + beq Loop_xts_enc6x # did $len-=96 borrow? + ++ xxlor 32+$eighty7, 2, 2 # 0x870101..01 ++ + addic. $len,$len,0x60 + beq Lxts_enc6x_zero + cmpwi $len,0x20 +@@ -3112,6 +3139,18 @@ () + li $x70,0x70 + mtspr 256,r0 + ++ # Reverse eighty7 to 0x010101..87 ++ xxlor 2, 32+$eighty7, 32+$eighty7 ++ vsldoi $eighty7,$tmp,$eighty7,1 # 0x010101..87 ++ xxlor 1, 32+$eighty7, 32+$eighty7 ++ ++ # Load XOR contents. 0xf102132435465768798a9bacbdcedfe ++ mr $x70, r6 ++ bl Lconsts ++ lxvw4x 0, $x40, r6 # load XOR contents ++ mr r6, $x70 ++ li $x70,0x70 ++ + subi $rounds,$rounds,3 # -4 in total + + lvx $rndkey0,$x00,$key1 # load key schedule +@@ -3159,64 +3198,64 @@ () + vxor $twk0,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vand $tmp,$tmp,$eighty7 + vxor $out0,$in0,$twk0 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in1, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in1 + + lvx_u $in1,$x10,$inp + vxor $twk1,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in1,$in1,$in1,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out1,$in1,$twk1 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in2, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in2 + + lvx_u $in2,$x20,$inp + andi. $taillen,$len,15 + vxor $twk2,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in2,$in2,$in2,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out2,$in2,$twk2 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in3, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in3 + + lvx_u $in3,$x30,$inp + sub $len,$len,$taillen + vxor $twk3,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in3,$in3,$in3,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out3,$in3,$twk3 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in4, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in4 + + lvx_u $in4,$x40,$inp + subi $len,$len,0x60 + vxor $twk4,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in4,$in4,$in4,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out4,$in4,$twk4 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in5, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in5 + + lvx_u $in5,$x50,$inp + addi $inp,$inp,0x60 + vxor $twk5,$tweak,$rndkey0 + vsrab $tmp,$tweak,$seven # next tweak value + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + le?vperm $in5,$in5,$in5,$leperm + vand $tmp,$tmp,$eighty7 + vxor $out5,$in5,$twk5 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in0, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in0 + + vxor v31,v31,$rndkey0 + mtctr $rounds +@@ -3242,6 +3281,8 @@ () + lvx v25,$x10,$key_ # round[4] + bdnz Loop_xts_dec6x + ++ xxlor 32+$eighty7, 1, 1 ++ + subic $len,$len,96 # $len-=96 + vxor $in0,$twk0,v31 # xor with last round key + vncipher $out0,$out0,v24 +@@ -3251,7 +3292,6 @@ () + vaddubm $tweak,$tweak,$tweak + vncipher $out2,$out2,v24 + vncipher $out3,$out3,v24 +- vsldoi $tmp,$tmp,$tmp,15 + vncipher $out4,$out4,v24 + vncipher $out5,$out5,v24 + +@@ -3259,7 +3299,8 @@ () + vand $tmp,$tmp,$eighty7 + vncipher $out0,$out0,v25 + vncipher $out1,$out1,v25 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in1, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in1 + vncipher $out2,$out2,v25 + vncipher $out3,$out3,v25 + vxor $in1,$twk1,v31 +@@ -3270,13 +3311,13 @@ () + + and r0,r0,$len + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vncipher $out0,$out0,v26 + vncipher $out1,$out1,v26 + vand $tmp,$tmp,$eighty7 + vncipher $out2,$out2,v26 + vncipher $out3,$out3,v26 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in2, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in2 + vncipher $out4,$out4,v26 + vncipher $out5,$out5,v26 + +@@ -3290,7 +3331,6 @@ () + vaddubm $tweak,$tweak,$tweak + vncipher $out0,$out0,v27 + vncipher $out1,$out1,v27 +- vsldoi $tmp,$tmp,$tmp,15 + vncipher $out2,$out2,v27 + vncipher $out3,$out3,v27 + vand $tmp,$tmp,$eighty7 +@@ -3298,7 +3338,8 @@ () + vncipher $out5,$out5,v27 + + addi $key_,$sp,$FRAME+15 # rewind $key_ +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in3, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in3 + vncipher $out0,$out0,v28 + vncipher $out1,$out1,v28 + vxor $in3,$twk3,v31 +@@ -3307,7 +3348,6 @@ () + vncipher $out2,$out2,v28 + vncipher $out3,$out3,v28 + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vncipher $out4,$out4,v28 + vncipher $out5,$out5,v28 + lvx v24,$x00,$key_ # re-pre-load round[1] +@@ -3315,7 +3355,8 @@ () + + vncipher $out0,$out0,v29 + vncipher $out1,$out1,v29 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in4, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in4 + vncipher $out2,$out2,v29 + vncipher $out3,$out3,v29 + vxor $in4,$twk4,v31 +@@ -3325,14 +3366,14 @@ () + vncipher $out5,$out5,v29 + lvx v25,$x10,$key_ # re-pre-load round[2] + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + + vncipher $out0,$out0,v30 + vncipher $out1,$out1,v30 + vand $tmp,$tmp,$eighty7 + vncipher $out2,$out2,v30 + vncipher $out3,$out3,v30 +- vxor $tweak,$tweak,$tmp ++ xxlor 32+$in5, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in5 + vncipher $out4,$out4,v30 + vncipher $out5,$out5,v30 + vxor $in5,$twk5,v31 +@@ -3342,7 +3383,6 @@ () + vncipherlast $out0,$out0,$in0 + lvx_u $in0,$x00,$inp # load next input block + vaddubm $tweak,$tweak,$tweak +- vsldoi $tmp,$tmp,$tmp,15 + vncipherlast $out1,$out1,$in1 + lvx_u $in1,$x10,$inp + vncipherlast $out2,$out2,$in2 +@@ -3355,7 +3395,10 @@ () + vncipherlast $out4,$out4,$in4 + le?vperm $in2,$in2,$in2,$leperm + lvx_u $in4,$x40,$inp +- vxor $tweak,$tweak,$tmp ++ xxlor 10, 32+$in0, 32+$in0 ++ xxlor 32+$in0, 0, 0 ++ vpermxor $tweak, $tweak, $tmp, $in0 ++ xxlor 32+$in0, 10, 10 + vncipherlast $out5,$out5,$in5 + le?vperm $in3,$in3,$in3,$leperm + lvx_u $in5,$x50,$inp +@@ -3386,6 +3429,8 @@ () + mtctr $rounds + beq Loop_xts_dec6x # did $len-=96 borrow? + ++ xxlor 32+$eighty7, 2, 2 ++ + addic. $len,$len,0x60 + beq Lxts_dec6x_zero + cmpwi $len,0x20 diff --git a/openssl-Remove-EC-curves.patch b/openssl-Remove-EC-curves.patch new file mode 100644 index 0000000..fa4efdf --- /dev/null +++ b/openssl-Remove-EC-curves.patch @@ -0,0 +1,267 @@ +From 4a275f852b61238161c053774736dc07b3ade200 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 11:46:40 +0200 +Subject: [PATCH 11/48] 0011-Remove-EC-curves.patch + +Patch-name: 0011-Remove-EC-curves.patch +Patch-id: 11 +Patch-status: | + # remove unsupported EC curves +--- + apps/speed.c | 8 +--- + crypto/evp/ec_support.c | 87 ------------------------------------ + test/acvp_test.inc | 9 ---- + test/ecdsatest.h | 17 ------- + test/recipes/15-test_genec.t | 27 ----------- + 5 files changed, 1 insertion(+), 147 deletions(-) + +Index: openssl-3.2.3/apps/speed.c +=================================================================== +--- openssl-3.2.3.orig/apps/speed.c ++++ openssl-3.2.3/apps/speed.c +@@ -401,7 +401,7 @@ static double ffdh_results[FFDH_NUM][1]; + #endif /* OPENSSL_NO_DH */ + + enum ec_curves_t { +- R_EC_P160, R_EC_P192, R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, ++ R_EC_P224, R_EC_P256, R_EC_P384, R_EC_P521, + #ifndef OPENSSL_NO_EC2M + R_EC_K163, R_EC_K233, R_EC_K283, R_EC_K409, R_EC_K571, + R_EC_B163, R_EC_B233, R_EC_B283, R_EC_B409, R_EC_B571, +@@ -411,8 +411,6 @@ enum ec_curves_t { + }; + /* list of ecdsa curves */ + static const OPT_PAIR ecdsa_choices[ECDSA_NUM] = { +- {"ecdsap160", R_EC_P160}, +- {"ecdsap192", R_EC_P192}, + {"ecdsap224", R_EC_P224}, + {"ecdsap256", R_EC_P256}, + {"ecdsap384", R_EC_P384}, +@@ -445,8 +443,6 @@ enum { + }; + /* list of ecdh curves, extension of |ecdsa_choices| list above */ + static const OPT_PAIR ecdh_choices[EC_NUM] = { +- {"ecdhp160", R_EC_P160}, +- {"ecdhp192", R_EC_P192}, + {"ecdhp224", R_EC_P224}, + {"ecdhp256", R_EC_P256}, + {"ecdhp384", R_EC_P384}, +@@ -1781,8 +1777,6 @@ int speed_main(int argc, char **argv) + */ + static const EC_CURVE ec_curves[EC_NUM] = { + /* Prime Curves */ +- {"secp160r1", NID_secp160r1, 160}, +- {"nistp192", NID_X9_62_prime192v1, 192}, + {"nistp224", NID_secp224r1, 224}, + {"nistp256", NID_X9_62_prime256v1, 256}, + {"nistp384", NID_secp384r1, 384}, +Index: openssl-3.2.3/crypto/evp/ec_support.c +=================================================================== +--- openssl-3.2.3.orig/crypto/evp/ec_support.c ++++ openssl-3.2.3/crypto/evp/ec_support.c +@@ -20,89 +20,15 @@ typedef struct ec_name2nid_st { + static const EC_NAME2NID curve_list[] = { + /* prime field curves */ + /* secg curves */ +- {"secp112r1", NID_secp112r1 }, +- {"secp112r2", NID_secp112r2 }, +- {"secp128r1", NID_secp128r1 }, +- {"secp128r2", NID_secp128r2 }, +- {"secp160k1", NID_secp160k1 }, +- {"secp160r1", NID_secp160r1 }, +- {"secp160r2", NID_secp160r2 }, +- {"secp192k1", NID_secp192k1 }, +- {"secp224k1", NID_secp224k1 }, + {"secp224r1", NID_secp224r1 }, + {"secp256k1", NID_secp256k1 }, + {"secp384r1", NID_secp384r1 }, + {"secp521r1", NID_secp521r1 }, + /* X9.62 curves */ +- {"prime192v1", NID_X9_62_prime192v1 }, +- {"prime192v2", NID_X9_62_prime192v2 }, +- {"prime192v3", NID_X9_62_prime192v3 }, +- {"prime239v1", NID_X9_62_prime239v1 }, +- {"prime239v2", NID_X9_62_prime239v2 }, +- {"prime239v3", NID_X9_62_prime239v3 }, + {"prime256v1", NID_X9_62_prime256v1 }, + /* characteristic two field curves */ + /* NIST/SECG curves */ +- {"sect113r1", NID_sect113r1 }, +- {"sect113r2", NID_sect113r2 }, +- {"sect131r1", NID_sect131r1 }, +- {"sect131r2", NID_sect131r2 }, +- {"sect163k1", NID_sect163k1 }, +- {"sect163r1", NID_sect163r1 }, +- {"sect163r2", NID_sect163r2 }, +- {"sect193r1", NID_sect193r1 }, +- {"sect193r2", NID_sect193r2 }, +- {"sect233k1", NID_sect233k1 }, +- {"sect233r1", NID_sect233r1 }, +- {"sect239k1", NID_sect239k1 }, +- {"sect283k1", NID_sect283k1 }, +- {"sect283r1", NID_sect283r1 }, +- {"sect409k1", NID_sect409k1 }, +- {"sect409r1", NID_sect409r1 }, +- {"sect571k1", NID_sect571k1 }, +- {"sect571r1", NID_sect571r1 }, +- /* X9.62 curves */ +- {"c2pnb163v1", NID_X9_62_c2pnb163v1 }, +- {"c2pnb163v2", NID_X9_62_c2pnb163v2 }, +- {"c2pnb163v3", NID_X9_62_c2pnb163v3 }, +- {"c2pnb176v1", NID_X9_62_c2pnb176v1 }, +- {"c2tnb191v1", NID_X9_62_c2tnb191v1 }, +- {"c2tnb191v2", NID_X9_62_c2tnb191v2 }, +- {"c2tnb191v3", NID_X9_62_c2tnb191v3 }, +- {"c2pnb208w1", NID_X9_62_c2pnb208w1 }, +- {"c2tnb239v1", NID_X9_62_c2tnb239v1 }, +- {"c2tnb239v2", NID_X9_62_c2tnb239v2 }, +- {"c2tnb239v3", NID_X9_62_c2tnb239v3 }, +- {"c2pnb272w1", NID_X9_62_c2pnb272w1 }, +- {"c2pnb304w1", NID_X9_62_c2pnb304w1 }, +- {"c2tnb359v1", NID_X9_62_c2tnb359v1 }, +- {"c2pnb368w1", NID_X9_62_c2pnb368w1 }, +- {"c2tnb431r1", NID_X9_62_c2tnb431r1 }, +- /* +- * the WAP/WTLS curves [unlike SECG, spec has its own OIDs for curves +- * from X9.62] +- */ +- {"wap-wsg-idm-ecid-wtls1", NID_wap_wsg_idm_ecid_wtls1 }, +- {"wap-wsg-idm-ecid-wtls3", NID_wap_wsg_idm_ecid_wtls3 }, +- {"wap-wsg-idm-ecid-wtls4", NID_wap_wsg_idm_ecid_wtls4 }, +- {"wap-wsg-idm-ecid-wtls5", NID_wap_wsg_idm_ecid_wtls5 }, +- {"wap-wsg-idm-ecid-wtls6", NID_wap_wsg_idm_ecid_wtls6 }, +- {"wap-wsg-idm-ecid-wtls7", NID_wap_wsg_idm_ecid_wtls7 }, +- {"wap-wsg-idm-ecid-wtls8", NID_wap_wsg_idm_ecid_wtls8 }, +- {"wap-wsg-idm-ecid-wtls9", NID_wap_wsg_idm_ecid_wtls9 }, +- {"wap-wsg-idm-ecid-wtls10", NID_wap_wsg_idm_ecid_wtls10 }, +- {"wap-wsg-idm-ecid-wtls11", NID_wap_wsg_idm_ecid_wtls11 }, +- {"wap-wsg-idm-ecid-wtls12", NID_wap_wsg_idm_ecid_wtls12 }, +- /* IPSec curves */ +- {"Oakley-EC2N-3", NID_ipsec3 }, +- {"Oakley-EC2N-4", NID_ipsec4 }, + /* brainpool curves */ +- {"brainpoolP160r1", NID_brainpoolP160r1 }, +- {"brainpoolP160t1", NID_brainpoolP160t1 }, +- {"brainpoolP192r1", NID_brainpoolP192r1 }, +- {"brainpoolP192t1", NID_brainpoolP192t1 }, +- {"brainpoolP224r1", NID_brainpoolP224r1 }, +- {"brainpoolP224t1", NID_brainpoolP224t1 }, + {"brainpoolP256r1", NID_brainpoolP256r1 }, + {"brainpoolP256t1", NID_brainpoolP256t1 }, + {"brainpoolP320r1", NID_brainpoolP320r1 }, +@@ -150,17 +76,6 @@ int ossl_ec_curve_name2nid(const char *n + /* Functions to translate between common NIST curve names and NIDs */ + + static const EC_NAME2NID nist_curves[] = { +- {"B-163", NID_sect163r2}, +- {"B-233", NID_sect233r1}, +- {"B-283", NID_sect283r1}, +- {"B-409", NID_sect409r1}, +- {"B-571", NID_sect571r1}, +- {"K-163", NID_sect163k1}, +- {"K-233", NID_sect233k1}, +- {"K-283", NID_sect283k1}, +- {"K-409", NID_sect409k1}, +- {"K-571", NID_sect571k1}, +- {"P-192", NID_X9_62_prime192v1}, + {"P-224", NID_secp224r1}, + {"P-256", NID_X9_62_prime256v1}, + {"P-384", NID_secp384r1}, +Index: openssl-3.2.3/test/acvp_test.inc +=================================================================== +--- openssl-3.2.3.orig/test/acvp_test.inc ++++ openssl-3.2.3/test/acvp_test.inc +@@ -212,15 +212,6 @@ static const unsigned char ecdsa_sigver_ + }; + static const struct ecdsa_sigver_st ecdsa_sigver_data[] = { + { +- "SHA-1", +- "P-192", +- ITM(ecdsa_sigver_msg0), +- ITM(ecdsa_sigver_pub0), +- ITM(ecdsa_sigver_r0), +- ITM(ecdsa_sigver_s0), +- PASS, +- }, +- { + "SHA2-512", + "P-521", + ITM(ecdsa_sigver_msg1), +Index: openssl-3.2.3/test/ecdsatest.h +=================================================================== +--- openssl-3.2.3.orig/test/ecdsatest.h ++++ openssl-3.2.3/test/ecdsatest.h +@@ -32,23 +32,6 @@ typedef struct { + } ecdsa_cavs_kat_t; + + static const ecdsa_cavs_kat_t ecdsa_cavs_kats[] = { +- /* prime KATs from X9.62 */ +- {NID_X9_62_prime192v1, NID_sha1, +- "616263", /* "abc" */ +- "1a8d598fc15bf0fd89030b5cb1111aeb92ae8baf5ea475fb", +- "0462b12d60690cdcf330babab6e69763b471f994dd702d16a563bf5ec08069705ffff65e" +- "5ca5c0d69716dfcb3474373902", +- "fa6de29746bbeb7f8bb1e761f85f7dfb2983169d82fa2f4e", +- "885052380ff147b734c330c43d39b2c4a89f29b0f749fead", +- "e9ecc78106def82bf1070cf1d4d804c3cb390046951df686"}, +- {NID_X9_62_prime239v1, NID_sha1, +- "616263", /* "abc" */ +- "7ef7c6fabefffdea864206e80b0b08a9331ed93e698561b64ca0f7777f3d", +- "045b6dc53bc61a2548ffb0f671472de6c9521a9d2d2534e65abfcbd5fe0c707fd9f1ed2e" +- "65f09f6ce0893baf5e8e31e6ae82ea8c3592335be906d38dee", +- "656c7196bf87dcc5d1f1020906df2782360d36b2de7a17ece37d503784af", +- "2cb7f36803ebb9c427c58d8265f11fc5084747133078fc279de874fbecb0", +- "2eeae988104e9c2234a3c2beb1f53bfa5dc11ff36a875d1e3ccb1f7e45cf"}, + /* prime KATs from NIST CAVP */ + {NID_secp224r1, NID_sha224, + "699325d6fc8fbbb4981a6ded3c3a54ad2e4e3db8a5669201912064c64e700c139248cdc1" +Index: openssl-3.2.3/test/recipes/15-test_genec.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/15-test_genec.t ++++ openssl-3.2.3/test/recipes/15-test_genec.t +@@ -41,37 +41,11 @@ plan skip_all => "This test is unsupport + if disabled("ec"); + + my @prime_curves = qw( +- secp112r1 +- secp112r2 +- secp128r1 +- secp128r2 +- secp160k1 +- secp160r1 +- secp160r2 +- secp192k1 +- secp224k1 + secp224r1 + secp256k1 + secp384r1 + secp521r1 +- prime192v1 +- prime192v2 +- prime192v3 +- prime239v1 +- prime239v2 +- prime239v3 + prime256v1 +- wap-wsg-idm-ecid-wtls6 +- wap-wsg-idm-ecid-wtls7 +- wap-wsg-idm-ecid-wtls8 +- wap-wsg-idm-ecid-wtls9 +- wap-wsg-idm-ecid-wtls12 +- brainpoolP160r1 +- brainpoolP160t1 +- brainpoolP192r1 +- brainpoolP192t1 +- brainpoolP224r1 +- brainpoolP224t1 + brainpoolP256r1 + brainpoolP256t1 + brainpoolP320r1 +@@ -136,7 +110,6 @@ push(@other_curves, 'SM2') + if !disabled("sm2"); + + my @curve_aliases = qw( +- P-192 + P-224 + P-256 + P-384 diff --git a/openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch b/openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch new file mode 100644 index 0000000..15e9dd1 --- /dev/null +++ b/openssl-Revert-Improve-FIPS-RSA-keygen-performance.patch @@ -0,0 +1,171 @@ +Subject: [PATCH] Revert "Improve FIPS RSA keygen performance." + +This reverts commit 3431dd4b3ee7933822586aab62972de4d8c0e9e5. +--- + crypto/bn/bn_prime.c | 11 -------- + crypto/bn/bn_rsa_fips186_4.c | 49 ++++++------------------------------ + include/crypto/bn.h | 2 -- + 3 files changed, 8 insertions(+), 54 deletions(-) + +diff --git a/crypto/bn/bn_prime.c b/crypto/bn/bn_prime.c +index 79776f1ce5..ddd31a0252 100644 +--- a/crypto/bn/bn_prime.c ++++ b/crypto/bn/bn_prime.c +@@ -252,17 +252,6 @@ int ossl_bn_check_prime(const BIGNUM *w, int checks, BN_CTX *ctx, + return bn_is_prime_int(w, checks, ctx, do_trial_division, cb); + } + +-/* +- * Use this only for key generation. +- * It always uses trial division. The number of checks +- * (MR rounds) passed in is used without being clamped to a minimum value. +- */ +-int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx, +- BN_GENCB *cb) +-{ +- return bn_is_prime_int(w, checks, ctx, 1, cb); +-} +- + int BN_check_prime(const BIGNUM *p, BN_CTX *ctx, BN_GENCB *cb) + { + return ossl_bn_check_prime(p, 0, ctx, 1, cb); +diff --git a/crypto/bn/bn_rsa_fips186_4.c b/crypto/bn/bn_rsa_fips186_4.c +index e9f0d4038c..8a7b2ecf2f 100644 +--- a/crypto/bn/bn_rsa_fips186_4.c ++++ b/crypto/bn/bn_rsa_fips186_4.c +@@ -48,34 +48,6 @@ const BIGNUM ossl_bn_inv_sqrt_2 = { + BN_FLG_STATIC_DATA + }; + +-/* +- * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin +- * required for generation of RSA aux primes (p1, p2, q1 and q2). +- */ +-static int bn_rsa_fips186_5_aux_prime_MR_rounds(int nbits) +-{ +- if (nbits >= 4096) +- return 44; +- if (nbits >= 3072) +- return 41; +- if (nbits >= 2048) +- return 38; +- return 0; /* Error */ +-} +- +-/* +- * Refer to FIPS 186-5 Table B.1 for minimum rounds of Miller Rabin +- * required for generation of RSA primes (p and q) +- */ +-static int bn_rsa_fips186_5_prime_MR_rounds(int nbits) +-{ +- if (nbits >= 3072) +- return 4; +- if (nbits >= 2048) +- return 5; +- return 0; /* Error */ +-} +- + /* + * FIPS 186-5 Table A.1. "Min length of auxiliary primes p1, p2, q1, q2". + * (FIPS 186-5 has an entry for >= 4096 bits). +@@ -125,13 +97,11 @@ static int bn_rsa_fips186_5_aux_prime_max_sum_size_for_prob_primes(int nbits) + * Xp1 The passed in starting point to find a probably prime. + * p1 The returned probable prime (first odd integer >= Xp1) + * ctx A BN_CTX object. +- * rounds The number of Miller Rabin rounds + * cb An optional BIGNUM callback. + * Returns: 1 on success otherwise it returns 0. + */ + static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1, + BIGNUM *p1, BN_CTX *ctx, +- int rounds, + BN_GENCB *cb) + { + int ret = 0; +@@ -147,7 +117,7 @@ static int bn_rsa_fips186_4_find_aux_prob_prime(const BIGNUM *Xp1, + i++; + BN_GENCB_call(cb, 0, i); + /* MR test with trial division */ +- tmp = ossl_bn_check_generated_prime(p1, rounds, ctx, cb); ++ tmp = BN_check_prime(p1, ctx, cb); + if (tmp > 0) + break; + if (tmp < 0) +@@ -190,7 +160,7 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, + { + int ret = 0; + BIGNUM *p1i = NULL, *p2i = NULL, *Xp1i = NULL, *Xp2i = NULL; +- int bitlen, rounds; ++ int bitlen; + + if (p == NULL || Xpout == NULL) + return 0; +@@ -207,7 +177,6 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, + bitlen = bn_rsa_fips186_5_aux_prime_min_size(nlen); + if (bitlen == 0) + goto err; +- rounds = bn_rsa_fips186_5_aux_prime_MR_rounds(nlen); + + /* (Steps 4.1/5.1): Randomly generate Xp1 if it is not passed in */ + if (Xp1 == NULL) { +@@ -225,8 +194,8 @@ int ossl_bn_rsa_fips186_4_gen_prob_primes(BIGNUM *p, BIGNUM *Xpout, + } + + /* (Steps 4.2/5.2) - find first auxiliary probable primes */ +- if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, rounds, cb) +- || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, rounds, cb)) ++ if (!bn_rsa_fips186_4_find_aux_prob_prime(Xp1i, p1i, ctx, cb) ++ || !bn_rsa_fips186_4_find_aux_prob_prime(Xp2i, p2i, ctx, cb)) + goto err; + /* (Table B.1) auxiliary prime Max length check */ + if ((BN_num_bits(p1i) + BN_num_bits(p2i)) >= +@@ -274,11 +243,11 @@ err: + */ + int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, + const BIGNUM *r1, const BIGNUM *r2, +- int nlen, const BIGNUM *e, +- BN_CTX *ctx, BN_GENCB *cb) ++ int nlen, const BIGNUM *e, BN_CTX *ctx, ++ BN_GENCB *cb) + { + int ret = 0; +- int i, imax, rounds; ++ int i, imax; + int bits = nlen >> 1; + BIGNUM *tmp, *R, *r1r2x2, *y1, *r1x2; + BIGNUM *base, *range; +@@ -348,7 +317,6 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, + * The number has been updated to 20 * nlen/2 as used in + * FIPS186-5 Appendix B.9 Step 9. + */ +- rounds = bn_rsa_fips186_5_prime_MR_rounds(nlen); + imax = 20 * bits; /* max = 20/2 * nbits */ + for (;;) { + if (Xin == NULL) { +@@ -378,9 +346,8 @@ int ossl_bn_rsa_fips186_4_derive_prime(BIGNUM *Y, BIGNUM *X, const BIGNUM *Xin, + if (BN_copy(y1, Y) == NULL + || !BN_sub_word(y1, 1)) + goto err; +- + if (BN_are_coprime(y1, e, ctx)) { +- int rv = ossl_bn_check_generated_prime(Y, rounds, ctx, cb); ++ int rv = BN_check_prime(Y, ctx, cb); + + if (rv > 0) + goto end; +diff --git a/include/crypto/bn.h b/include/crypto/bn.h +index 4d11e0e4b1..cf69bea848 100644 +--- a/include/crypto/bn.h ++++ b/include/crypto/bn.h +@@ -95,8 +95,6 @@ int bn_div_fixed_top(BIGNUM *dv, BIGNUM *rem, const BIGNUM *m, + + int ossl_bn_miller_rabin_is_prime(const BIGNUM *w, int iterations, BN_CTX *ctx, + BN_GENCB *cb, int enhanced, int *status); +-int ossl_bn_check_generated_prime(const BIGNUM *w, int checks, BN_CTX *ctx, +- BN_GENCB *cb); + + const BIGNUM *ossl_bn_get0_small_factors(void); + +-- +2.44.0 + diff --git a/openssl-TESTS-Disable-default-provider-crypto-policies.patch b/openssl-TESTS-Disable-default-provider-crypto-policies.patch new file mode 100644 index 0000000..de884ed --- /dev/null +++ b/openssl-TESTS-Disable-default-provider-crypto-policies.patch @@ -0,0 +1,41 @@ +Index: openssl-3.2.3/apps/openssl.cnf +=================================================================== +--- openssl-3.2.3.orig/apps/openssl.cnf ++++ openssl-3.2.3/apps/openssl.cnf +@@ -45,7 +45,7 @@ tsa_policy3 = 1.2.3.4.5.7 + [openssl_init] + providers = provider_sect + # Load default TLS policy configuration +-ssl_conf = ssl_module ++##ssl_conf = ssl_module + + [ evp_properties ] + # This section is intentionally added empty here to be tuned on particular systems +@@ -60,20 +60,20 @@ ssl_conf = ssl_module + # to side-channel attacks and as such have been deprecated. + + [provider_sect] +-default = default_sect ++##default = default_sect + ##legacy = legacy_sect + +-[default_sect] +-activate = 1 ++##[default_sect] ++##activate = 1 + + ##[legacy_sect] + ##activate = 1 + +-[ ssl_module ] +-system_default = crypto_policy ++##[ ssl_module ] ++##system_default = crypto_policy + +-[ crypto_policy ] +-.include = /etc/crypto-policies/back-ends/opensslcnf.config ++##[ crypto_policy ] ++##.include = /etc/crypto-policies/back-ends/opensslcnf.config + + #################################################################### + [ ca ] diff --git a/openssl-crypto-policies-support.patch b/openssl-crypto-policies-support.patch new file mode 100644 index 0000000..c7f3f16 --- /dev/null +++ b/openssl-crypto-policies-support.patch @@ -0,0 +1,35 @@ +Add default section to load crypto-policies configuration for TLS. + +It needs to be reverted before running tests. + +--- + apps/openssl.cnf | 20 ++++++++++++++++++-- + 2 files changed, 19 insertions(+), 3 deletions(-) + +Index: openssl-3.2.0/apps/openssl.cnf +=================================================================== +--- openssl-3.2.0.orig/apps/openssl.cnf ++++ openssl-3.2.0/apps/openssl.cnf +@@ -52,6 +52,8 @@ tsa_policy3 = 1.2.3.4.5.7 + + [openssl_init] + providers = provider_sect ++# Load default TLS policy configuration ++ssl_conf = ssl_module + + # List of providers to load + [provider_sect] +@@ -71,6 +73,13 @@ default = default_sect + [default_sect] + # activate = 1 + ++[ ssl_module ] ++ ++system_default = crypto_policy ++ ++[ crypto_policy ] ++ ++.include = /etc/crypto-policies/back-ends/opensslcnf.config + + #################################################################### + [ ca ] diff --git a/openssl-disable-fipsinstall.patch b/openssl-disable-fipsinstall.patch new file mode 100644 index 0000000..b5f0593 --- /dev/null +++ b/openssl-disable-fipsinstall.patch @@ -0,0 +1,470 @@ +From a9825123e7ab3474d2794a5706d9bed047959c9c Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:28 +0200 +Subject: [PATCH 18/35] 0034.fipsinstall_disable.patch + +Patch-name: 0034.fipsinstall_disable.patch +Patch-id: 34 +Patch-status: | + # Comment out fipsinstall command-line utility +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + apps/fipsinstall.c | 3 + + doc/man1/openssl-fipsinstall.pod.in | 272 +--------------------------- + doc/man1/openssl.pod | 4 - + doc/man5/config.pod | 1 - + doc/man5/fips_config.pod | 104 +---------- + doc/man7/OSSL_PROVIDER-FIPS.pod | 1 - + 6 files changed, 10 insertions(+), 375 deletions(-) + +Index: openssl-3.1.4/apps/fipsinstall.c +=================================================================== +--- openssl-3.1.4.orig/apps/fipsinstall.c ++++ openssl-3.1.4/apps/fipsinstall.c +@@ -375,6 +375,9 @@ int fipsinstall_main(int argc, char **ar + EVP_MAC *mac = NULL; + CONF *conf = NULL; + ++ BIO_printf(bio_err, "This command is not enabled in SUSE/openSUSE OpenSSL build, please see 'man 8 fips-mode-setup' to learn how to enable FIPS mode\n"); ++ return 1; ++ + if ((opts = sk_OPENSSL_STRING_new_null()) == NULL) + goto end; + +Index: openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in +=================================================================== +--- openssl-3.1.4.orig/doc/man1/openssl-fipsinstall.pod.in ++++ openssl-3.1.4/doc/man1/openssl-fipsinstall.pod.in +@@ -8,275 +8,9 @@ openssl-fipsinstall - perform FIPS confi + =head1 SYNOPSIS + + B +-[B<-help>] +-[B<-in> I] +-[B<-out> I] +-[B<-module> I] +-[B<-provider_name> I] +-[B<-section_name> I] +-[B<-verify>] +-[B<-mac_name> I] +-[B<-macopt> I:I] +-[B<-noout>] +-[B<-quiet>] +-[B<-pedantic>] +-[B<-no_conditional_errors>] +-[B<-no_security_checks>] +-[B<-ems_check>] +-[B<-no_drbg_truncated_digests>] +-[B<-self_test_onload>] +-[B<-self_test_oninstall>] +-[B<-corrupt_desc> I] +-[B<-corrupt_type> I] +-[B<-config> I] +- +-=head1 DESCRIPTION +- +-This command is used to generate a FIPS module configuration file. +-This configuration file can be used each time a FIPS module is loaded +-in order to pass data to the FIPS module self tests. The FIPS module always +-verifies its MAC, but optionally only needs to run the KAT's once, +-at installation. +- +-The generated configuration file consists of: +- +-=over 4 +- +-=item - A MAC of the FIPS module file. +- +-=item - A test status indicator. +- +-This indicates if the Known Answer Self Tests (KAT's) have successfully run. +- +-=item - A MAC of the status indicator. +- +-=item - A control for conditional self tests errors. +- +-By default if a continuous test (e.g a key pair test) fails then the FIPS module +-will enter an error state, and no services or cryptographic algorithms will be +-able to be accessed after this point. +-The default value of '1' will cause the fips module error state to be entered. +-If the value is '0' then the module error state will not be entered. +-Regardless of whether the error state is entered or not, the current operation +-(e.g. key generation) will return an error. The user is responsible for retrying +-the operation if the module error state is not entered. +- +-=item - A control to indicate whether run-time security checks are done. +- +-This indicates if run-time checks related to enforcement of security parameters +-such as minimum security strength of keys and approved curve names are used. +-The default value of '1' will perform the checks. +-If the value is '0' the checks are not performed and FIPS compliance must +-be done by procedures documented in the relevant Security Policy. +- +-=back +- +-This file is described in L. +- +-=head1 OPTIONS +- +-=over 4 +- +-=item B<-help> +- +-Print a usage message. +- +-=item B<-module> I +- +-Filename of the FIPS module to perform an integrity check on. +-The path provided in the filename is used to load the module when it is +-activated, and this overrides the environment variable B. +- +-=item B<-out> I +- +-Filename to output the configuration data to; the default is standard output. +- +-=item B<-in> I +- +-Input filename to load configuration data from. +-Must be used if the B<-verify> option is specified. +- +-=item B<-verify> +- +-Verify that the input configuration file contains the correct information. +- +-=item B<-provider_name> I +- +-Name of the provider inside the configuration file. +-The default value is C. +- +-=item B<-section_name> I +- +-Name of the section inside the configuration file. +-The default value is C. +- +-=item B<-mac_name> I +- +-Specifies the name of a supported MAC algorithm which will be used. +-The MAC mechanisms that are available will depend on the options +-used when building OpenSSL. +-To see the list of supported MAC's use the command +-C. The default is B. +- +-=item B<-macopt> I:I +- +-Passes options to the MAC algorithm. +-A comprehensive list of controls can be found in the EVP_MAC implementation +-documentation. +-Common control strings used for this command are: +- +-=over 4 +- +-=item B:I +- +-Specifies the MAC key as an alphanumeric string (use if the key contains +-printable characters only). +-The string length must conform to any restrictions of the MAC algorithm. +-A key must be specified for every MAC algorithm. +-If no key is provided, the default that was specified when OpenSSL was +-configured is used. +- +-=item B:I +- +-Specifies the MAC key in hexadecimal form (two hex digits per byte). +-The key length must conform to any restrictions of the MAC algorithm. +-A key must be specified for every MAC algorithm. +-If no key is provided, the default that was specified when OpenSSL was +-configured is used. +- +-=item B:I +- +-Used by HMAC as an alphanumeric string (use if the key contains printable +-characters only). +-The string length must conform to any restrictions of the MAC algorithm. +-To see the list of supported digests, use the command +-C. +-The default digest is SHA-256. +- +-=back +- +-=item B<-noout> +- +-Disable logging of the self tests. +- +-=item B<-pedantic> +- +-Configure the module so that it is strictly FIPS compliant rather +-than being backwards compatible. This enables conditional errors, +-security checks etc. Note that any previous configuration options will +-be overwritten and any subsequent configuration options that violate +-FIPS compliance will result in an error. +- +-=item B<-no_conditional_errors> +- +-Configure the module to not enter an error state if a conditional self test +-fails as described above. +- +-=item B<-no_security_checks> +- +-Configure the module to not perform run-time security checks as described above. +- +-Enabling the configuration option "no-fips-securitychecks" provides another way to +-turn off the check at compile time. +- +-=item B<-ems_check> +- +-Configure the module to enable a run-time Extended Master Secret (EMS) check +-when using the TLS1_PRF KDF algorithm. This check is disabled by default. +-See RFC 7627 for information related to EMS. +- +-=item B<-no_drbg_truncated_digests> +- +-Configure the module to not allow truncated digests to be used with Hash and +-HMAC DRBGs. See FIPS 140-3 IG D.R for details. +- +-=item B<-self_test_onload> +- +-Do not write the two fields related to the "test status indicator" and +-"MAC status indicator" to the output configuration file. Without these fields +-the self tests KATS will run each time the module is loaded. This option could be +-used for cross compiling, since the self tests need to run at least once on each +-target machine. Once the self tests have run on the target machine the user +-could possibly then add the 2 fields into the configuration using some other +-mechanism. +- +-This is the default. +- +-=item B<-self_test_oninstall> +- +-The converse of B<-self_test_oninstall>. The two fields related to the +-"test status indicator" and "MAC status indicator" are written to the +-output configuration file. +- +-=item B<-quiet> +- +-Do not output pass/fail messages. Implies B<-noout>. +- +-=item B<-corrupt_desc> I, +-B<-corrupt_type> I +- +-The corrupt options can be used to test failure of one or more self tests by +-name. +-Either option or both may be used to select the tests to corrupt. +-Refer to the entries for B and B in L for +-values that can be used. +- +-=item B<-config> I +- +-Test that a FIPS provider can be loaded from the specified configuration file. +-A previous call to this application needs to generate the extra configuration +-data that is included by the base C configuration file. +-See L for further information on how to set up a provider section. +-All other options are ignored if '-config' is used. +- +-=back +- +-=head1 NOTES +- +-Self tests results are logged by default if the options B<-quiet> and B<-noout> +-are not specified, or if either of the options B<-corrupt_desc> or +-B<-corrupt_type> are used. +-If the base configuration file is set up to autoload the fips module, then the +-fips module will be loaded and self tested BEFORE the fipsinstall application +-has a chance to set up its own self test callback. As a result of this the self +-test output and the options B<-corrupt_desc> and B<-corrupt_type> will be ignored. +-For normal usage the base configuration file should use the default provider +-when generating the fips configuration file. +- +-The B<-self_test_oninstall> option was added and the +-B<-self_test_onload> option was made the default in OpenSSL 3.1. +- +-The command and all remaining options were added in OpenSSL 3.0. +- +-=head1 EXAMPLES +- +-Calculate the mac of a FIPS module F and run a FIPS self test +-for the module, and save the F configuration file: +- +- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips +- +-Verify that the configuration file F contains the correct info: +- +- openssl fipsinstall -module ./fips.so -in fips.cnf -provider_name fips -verify +- +-Corrupt any self tests which have the description C: +- +- openssl fipsinstall -module ./fips.so -out fips.cnf -provider_name fips \ +- -corrupt_desc 'SHA1' +- +-Validate that the fips module can be loaded from a base configuration file: +- +- export OPENSSL_CONF_INCLUDE= +- export OPENSSL_MODULES= +- openssl fipsinstall -config' 'default.cnf' +- +- +-=head1 SEE ALSO +- +-L, +-L, +-L, +-L ++This command is disabled. ++Please consult the SUSE/openSUSE documentation to learn how to correctly ++enable FIPS mode. + + =head1 COPYRIGHT + +Index: openssl-3.1.4/doc/man1/openssl.pod +=================================================================== +--- openssl-3.1.4.orig/doc/man1/openssl.pod ++++ openssl-3.1.4/doc/man1/openssl.pod +@@ -135,10 +135,6 @@ Engine (loadable module) information and + + Error Number to Error String Conversion. + +-=item B +- +-FIPS configuration installation. +- + =item B + + Generation of DSA Private Key from Parameters. Superseded by +Index: openssl-3.1.4/doc/man5/config.pod +=================================================================== +--- openssl-3.1.4.orig/doc/man5/config.pod ++++ openssl-3.1.4/doc/man5/config.pod +@@ -565,7 +565,6 @@ configuration files using that syntax wi + =head1 SEE ALSO + + L, L, L, +-L, + L, + L, + L, +Index: openssl-3.1.4/doc/man5/fips_config.pod +=================================================================== +--- openssl-3.1.4.orig/doc/man5/fips_config.pod ++++ openssl-3.1.4/doc/man5/fips_config.pod +@@ -6,106 +6,10 @@ fips_config - OpenSSL FIPS configuration + + =head1 DESCRIPTION + +-A separate configuration file, using the OpenSSL L syntax, +-is used to hold information about the FIPS module. This includes a digest +-of the shared library file, and status about the self-testing. +-This data is used automatically by the module itself for two +-purposes: +- +-=over 4 +- +-=item - Run the startup FIPS self-test known answer tests (KATS). +- +-This is normally done once, at installation time, but may also be set up to +-run each time the module is used. +- +-=item - Verify the module's checksum. +- +-This is done each time the module is used. +- +-=back +- +-This file is generated by the L program, and +-used internally by the FIPS module during its initialization. +- +-The following options are supported. They should all appear in a section +-whose name is identified by the B option in the B +-section, as described in L. +- +-=over 4 +- +-=item B +- +-If present, the module is activated. The value assigned to this name is not +-significant. +- +-=item B +- +-A version number for the fips install process. Should be 1. +- +-=item B +- +-The FIPS module normally enters an internal error mode if any self test fails. +-Once this error mode is active, no services or cryptographic algorithms are +-accessible from this point on. +-Continuous tests are a subset of the self tests (e.g., a key pair test during key +-generation, or the CRNG output test). +-Setting this value to C<0> allows the error mode to not be triggered if any +-continuous test fails. The default value of C<1> will trigger the error mode. +-Regardless of the value, the operation (e.g., key generation) that called the +-continuous test will return an error code if its continuous test fails. The +-operation may then be retried if the error mode has not been triggered. +- +-=item B +- +-This indicates if run-time checks related to enforcement of security parameters +-such as minimum security strength of keys and approved curve names are used. +-A value of '1' will perform the checks, otherwise if the value is '0' the checks +-are not performed and FIPS compliance must be done by procedures documented in +-the relevant Security Policy. +- +-=item B +- +-The calculated MAC of the FIPS provider file. +- +-=item B +- +-An indicator that the self-tests were successfully run. +-This should only be written after the module has +-successfully passed its self tests during installation. +-If this field is not present, then the self tests will run when the module +-loads. +- +-=item B +- +-A MAC of the value of the B option, to prevent accidental +-changes to that value. +-It is written-to at the same time as B is updated. +- +-=back +- +-For example: +- +- [fips_sect] +- activate = 1 +- install-version = 1 +- conditional-errors = 1 +- security-checks = 1 +- module-mac = 41:D0:FA:C2:5D:41:75:CD:7D:C3:90:55:6F:A4:DC +- install-mac = FE:10:13:5A:D3:B4:C7:82:1B:1E:17:4C:AC:84:0C +- install-status = INSTALL_SELF_TEST_KATS_RUN +- +-=head1 NOTES +- +-When using the FIPS provider, it is recommended that the +-B option is enabled to prevent accidental use of +-non-FIPS validated algorithms via broken or mistaken configuration. +-See L. +- +-=head1 SEE ALSO +- +-L +-L ++This command is disabled in SUSE/openSUSE. The FIPS provider is ++automatically loaded when the system is booted in FIPS mode, or when the ++environment variable B is set. ++See the documentation for more information. + + =head1 HISTORY + +Index: openssl-3.1.4/doc/man7/OSSL_PROVIDER-FIPS.pod +=================================================================== +--- openssl-3.1.4.orig/doc/man7/OSSL_PROVIDER-FIPS.pod ++++ openssl-3.1.4/doc/man7/OSSL_PROVIDER-FIPS.pod +@@ -455,7 +455,6 @@ want to operate in a FIPS approved manne + + =head1 SEE ALSO + +-L, + L, + L, + L, diff --git a/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch b/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch new file mode 100644 index 0000000..3bb9496 --- /dev/null +++ b/openssl-ec-56-bit-Limb-Solinas-Strategy-for-secp384r1.patch @@ -0,0 +1,2159 @@ +From 01d901e470d9e035a3bd78e77b9438a4cc0da785 Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Wed, 12 Jul 2023 12:25:22 +1000 +Subject: [PATCH] ec: 56-bit Limb Solinas' Strategy for secp384r1 + +Adopt a 56-bit redundant-limb Solinas' reduction approach for efficient +modular multiplication in P384. This has the affect of accelerating +digital signing by 446% and verification by 106%. The implementation +strategy and names of methods are the same as that provided in +ecp_nistp224 and ecp_nistp521. + +As in Commit 1036749883cc ("ec: Add run time code selection for p521 +field operations"), allow for run time selection of implementation for +felem_{square,mul}, where an assembly implementation is proclaimed to +be present when ECP_NISTP384_ASM is present. + +Signed-off-by: Rohan McLure + +Reviewed-by: Paul Dale +Reviewed-by: Shane Lontis +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Todd Short +(Merged from https://github.com/openssl/openssl/pull/21471) +--- + crypto/ec/build.info | 2 + crypto/ec/ec_curve.c | 4 + crypto/ec/ec_lib.c | 8 + crypto/ec/ec_local.h | 27 + crypto/ec/ecp_nistp384.c | 1988 +++++++++++++++++++++++++++++++++++++++++++++++ + 5 files changed, 2027 insertions(+), 2 deletions(-) + create mode 100644 crypto/ec/ecp_nistp384.c + +--- a/crypto/ec/build.info ++++ b/crypto/ec/build.info +@@ -59,7 +59,7 @@ $COMMON=ec_lib.c ecp_smpl.c ecp_mont.c e + curve448/arch_32/f_impl32.c + + IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}] +- $COMMON=$COMMON ecp_nistp224.c ecp_nistp256.c ecp_nistp521.c ecp_nistputil.c ++ $COMMON=$COMMON ecp_nistp224.c ecp_nistp256.c ecp_nistp384.c ecp_nistp521.c ecp_nistputil.c + ENDIF + + SOURCE[../../libcrypto]=$COMMON ec_ameth.c ec_pmeth.c ecx_meth.c \ +--- a/crypto/ec/ec_curve.c ++++ b/crypto/ec/ec_curve.c +@@ -2838,6 +2838,8 @@ static const ec_list_element curve_list[ + {NID_secp384r1, &_EC_NIST_PRIME_384.h, + # if defined(S390X_EC_ASM) + EC_GFp_s390x_nistp384_method, ++# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) ++ ossl_ec_GFp_nistp384_method, + # else + 0, + # endif +@@ -2931,6 +2933,8 @@ static const ec_list_element curve_list[ + {NID_secp384r1, &_EC_NIST_PRIME_384.h, + # if defined(S390X_EC_ASM) + EC_GFp_s390x_nistp384_method, ++# elif !defined(OPENSSL_NO_EC_NISTP_64_GCC_128) ++ ossl_ec_GFp_nistp384_method, + # else + 0, + # endif +--- a/crypto/ec/ec_lib.c ++++ b/crypto/ec/ec_lib.c +@@ -102,12 +102,16 @@ void EC_pre_comp_free(EC_GROUP *group) + case PCT_nistp256: + EC_nistp256_pre_comp_free(group->pre_comp.nistp256); + break; ++ case PCT_nistp384: ++ ossl_ec_nistp384_pre_comp_free(group->pre_comp.nistp384); ++ break; + case PCT_nistp521: + EC_nistp521_pre_comp_free(group->pre_comp.nistp521); + break; + #else + case PCT_nistp224: + case PCT_nistp256: ++ case PCT_nistp384: + case PCT_nistp521: + break; + #endif +@@ -191,12 +195,16 @@ int EC_GROUP_copy(EC_GROUP *dest, const + case PCT_nistp256: + dest->pre_comp.nistp256 = EC_nistp256_pre_comp_dup(src->pre_comp.nistp256); + break; ++ case PCT_nistp384: ++ dest->pre_comp.nistp384 = ossl_ec_nistp384_pre_comp_dup(src->pre_comp.nistp384); ++ break; + case PCT_nistp521: + dest->pre_comp.nistp521 = EC_nistp521_pre_comp_dup(src->pre_comp.nistp521); + break; + #else + case PCT_nistp224: + case PCT_nistp256: ++ case PCT_nistp384: + case PCT_nistp521: + break; + #endif +--- a/crypto/ec/ec_local.h ++++ b/crypto/ec/ec_local.h +@@ -203,6 +203,7 @@ struct ec_method_st { + */ + typedef struct nistp224_pre_comp_st NISTP224_PRE_COMP; + typedef struct nistp256_pre_comp_st NISTP256_PRE_COMP; ++typedef struct nistp384_pre_comp_st NISTP384_PRE_COMP; + typedef struct nistp521_pre_comp_st NISTP521_PRE_COMP; + typedef struct nistz256_pre_comp_st NISTZ256_PRE_COMP; + typedef struct ec_pre_comp_st EC_PRE_COMP; +@@ -264,12 +265,13 @@ struct ec_group_st { + */ + enum { + PCT_none, +- PCT_nistp224, PCT_nistp256, PCT_nistp521, PCT_nistz256, ++ PCT_nistp224, PCT_nistp256, PCT_nistp384, PCT_nistp521, PCT_nistz256, + PCT_ec + } pre_comp_type; + union { + NISTP224_PRE_COMP *nistp224; + NISTP256_PRE_COMP *nistp256; ++ NISTP384_PRE_COMP *nistp384; + NISTP521_PRE_COMP *nistp521; + NISTZ256_PRE_COMP *nistz256; + EC_PRE_COMP *ec; +@@ -333,6 +335,7 @@ static ossl_inline int ec_point_is_compa + + NISTP224_PRE_COMP *EC_nistp224_pre_comp_dup(NISTP224_PRE_COMP *); + NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); ++NISTP384_PRE_COMP *ossl_ec_nistp384_pre_comp_dup(NISTP384_PRE_COMP *); + NISTP521_PRE_COMP *EC_nistp521_pre_comp_dup(NISTP521_PRE_COMP *); + NISTZ256_PRE_COMP *EC_nistz256_pre_comp_dup(NISTZ256_PRE_COMP *); + NISTP256_PRE_COMP *EC_nistp256_pre_comp_dup(NISTP256_PRE_COMP *); +@@ -341,6 +344,7 @@ EC_PRE_COMP *EC_ec_pre_comp_dup(EC_PRE_C + void EC_pre_comp_free(EC_GROUP *group); + void EC_nistp224_pre_comp_free(NISTP224_PRE_COMP *); + void EC_nistp256_pre_comp_free(NISTP256_PRE_COMP *); ++void ossl_ec_nistp384_pre_comp_free(NISTP384_PRE_COMP *); + void EC_nistp521_pre_comp_free(NISTP521_PRE_COMP *); + void EC_nistz256_pre_comp_free(NISTZ256_PRE_COMP *); + void EC_ec_pre_comp_free(EC_PRE_COMP *); +@@ -552,6 +556,27 @@ int ossl_ec_GFp_nistp256_points_mul(cons + int ossl_ec_GFp_nistp256_precompute_mult(EC_GROUP *group, BN_CTX *ctx); + int ossl_ec_GFp_nistp256_have_precompute_mult(const EC_GROUP *group); + ++/* method functions in ecp_nistp384.c */ ++int ossl_ec_GFp_nistp384_group_init(EC_GROUP *group); ++int ossl_ec_GFp_nistp384_group_set_curve(EC_GROUP *group, const BIGNUM *p, ++ const BIGNUM *a, const BIGNUM *n, ++ BN_CTX *); ++int ossl_ec_GFp_nistp384_point_get_affine_coordinates(const EC_GROUP *group, ++ const EC_POINT *point, ++ BIGNUM *x, BIGNUM *y, ++ BN_CTX *ctx); ++int ossl_ec_GFp_nistp384_mul(const EC_GROUP *group, EC_POINT *r, ++ const BIGNUM *scalar, size_t num, ++ const EC_POINT *points[], const BIGNUM *scalars[], ++ BN_CTX *); ++int ossl_ec_GFp_nistp384_points_mul(const EC_GROUP *group, EC_POINT *r, ++ const BIGNUM *scalar, size_t num, ++ const EC_POINT *points[], ++ const BIGNUM *scalars[], BN_CTX *ctx); ++int ossl_ec_GFp_nistp384_precompute_mult(EC_GROUP *group, BN_CTX *ctx); ++int ossl_ec_GFp_nistp384_have_precompute_mult(const EC_GROUP *group); ++const EC_METHOD *ossl_ec_GFp_nistp384_method(void); ++ + /* method functions in ecp_nistp521.c */ + int ossl_ec_GFp_nistp521_group_init(EC_GROUP *group); + int ossl_ec_GFp_nistp521_group_set_curve(EC_GROUP *group, const BIGNUM *p, +--- /dev/null ++++ b/crypto/ec/ecp_nistp384.c +@@ -0,0 +1,1988 @@ ++/* ++ * Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. ++ * ++ * Licensed under the Apache License 2.0 (the "License"). You may not use ++ * this file except in compliance with the License. You can obtain a copy ++ * in the file LICENSE in the source distribution or at ++ * https://www.openssl.org/source/license.html ++ */ ++ ++/* Copyright 2023 IBM Corp. ++ * ++ * Licensed under the Apache License, Version 2.0 (the "License"); ++ * ++ * you may not use this file except in compliance with the License. ++ * You may obtain a copy of the License at ++ * ++ * http://www.apache.org/licenses/LICENSE-2.0 ++ * ++ * Unless required by applicable law or agreed to in writing, software ++ * distributed under the License is distributed on an "AS IS" BASIS, ++ * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. ++ * See the License for the specific language governing permissions and ++ * limitations under the License. ++ */ ++ ++/* ++ * Designed for 56-bit limbs by Rohan McLure . ++ * The layout is based on that of ecp_nistp{224,521}.c, allowing even for asm ++ * acceleration of felem_{square,mul} as supported in these files. ++ */ ++ ++#include ++ ++#include ++#include ++#include "ec_local.h" ++ ++#include "internal/numbers.h" ++ ++#ifndef INT128_MAX ++# error "Your compiler doesn't appear to support 128-bit integer types" ++#endif ++ ++typedef uint8_t u8; ++typedef uint64_t u64; ++ ++/* ++ * The underlying field. P384 operates over GF(2^384-2^128-2^96+2^32-1). We ++ * can serialize an element of this field into 48 bytes. We call this an ++ * felem_bytearray. ++ */ ++ ++typedef u8 felem_bytearray[48]; ++ ++/* ++ * These are the parameters of P384, taken from FIPS 186-3, section D.1.2.4. ++ * These values are big-endian. ++ */ ++static const felem_bytearray nistp384_curve_params[5] = { ++ {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* p */ ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFF}, ++ {0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, /* a = -3 */ ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFF, 0xFE, 0xFF, 0xFF, 0xFF, 0xFF, ++ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF, 0xFC}, ++ {0xB3, 0x31, 0x2F, 0xA7, 0xE2, 0x3E, 0xE7, 0xE4, 0x98, 0x8E, 0x05, 0x6B, /* b */ ++ 0xE3, 0xF8, 0x2D, 0x19, 0x18, 0x1D, 0x9C, 0x6E, 0xFE, 0x81, 0x41, 0x12, ++ 0x03, 0x14, 0x08, 0x8F, 0x50, 0x13, 0x87, 0x5A, 0xC6, 0x56, 0x39, 0x8D, ++ 0x8A, 0x2E, 0xD1, 0x9D, 0x2A, 0x85, 0xC8, 0xED, 0xD3, 0xEC, 0x2A, 0xEF}, ++ {0xAA, 0x87, 0xCA, 0x22, 0xBE, 0x8B, 0x05, 0x37, 0x8E, 0xB1, 0xC7, 0x1E, /* x */ ++ 0xF3, 0x20, 0xAD, 0x74, 0x6E, 0x1D, 0x3B, 0x62, 0x8B, 0xA7, 0x9B, 0x98, ++ 0x59, 0xF7, 0x41, 0xE0, 0x82, 0x54, 0x2A, 0x38, 0x55, 0x02, 0xF2, 0x5D, ++ 0xBF, 0x55, 0x29, 0x6C, 0x3A, 0x54, 0x5E, 0x38, 0x72, 0x76, 0x0A, 0xB7}, ++ {0x36, 0x17, 0xDE, 0x4A, 0x96, 0x26, 0x2C, 0x6F, 0x5D, 0x9E, 0x98, 0xBF, /* y */ ++ 0x92, 0x92, 0xDC, 0x29, 0xF8, 0xF4, 0x1D, 0xBD, 0x28, 0x9A, 0x14, 0x7C, ++ 0xE9, 0xDA, 0x31, 0x13, 0xB5, 0xF0, 0xB8, 0xC0, 0x0A, 0x60, 0xB1, 0xCE, ++ 0x1D, 0x7E, 0x81, 0x9D, 0x7A, 0x43, 0x1D, 0x7C, 0x90, 0xEA, 0x0E, 0x5F}, ++}; ++ ++/*- ++ * The representation of field elements. ++ * ------------------------------------ ++ * ++ * We represent field elements with seven values. These values are either 64 or ++ * 128 bits and the field element represented is: ++ * v[0]*2^0 + v[1]*2^56 + v[2]*2^112 + ... + v[6]*2^336 (mod p) ++ * Each of the seven values is called a 'limb'. Since the limbs are spaced only ++ * 56 bits apart, but are greater than 56 bits in length, the most significant ++ * bits of each limb overlap with the least significant bits of the next ++ * ++ * This representation is considered to be 'redundant' in the sense that ++ * intermediate values can each contain more than a 56-bit value in each limb. ++ * Reduction causes all but the final limb to be reduced to contain a value less ++ * than 2^56, with the final value represented allowed to be larger than 2^384, ++ * inasmuch as we can be sure that arithmetic overflow remains impossible. The ++ * reduced value must of course be congruent to the unreduced value. ++ * ++ * A field element with 64-bit limbs is an 'felem'. One with 128-bit limbs is a ++ * 'widefelem', featuring enough bits to store the result of a multiplication ++ * and even some further arithmetic without need for immediate reduction. ++ */ ++ ++#define NLIMBS 7 ++ ++typedef uint64_t limb; ++typedef uint128_t widelimb; ++typedef limb limb_aX __attribute((__aligned__(1))); ++typedef limb felem[NLIMBS]; ++typedef widelimb widefelem[2*NLIMBS-1]; ++ ++static const limb bottom56bits = 0xffffffffffffff; ++ ++/* Helper functions (de)serialising reduced field elements in little endian */ ++static void bin48_to_felem(felem out, const u8 in[48]) ++{ ++ memset(out, 0, 56); ++ out[0] = (*((limb *) & in[0])) & bottom56bits; ++ out[1] = (*((limb_aX *) & in[7])) & bottom56bits; ++ out[2] = (*((limb_aX *) & in[14])) & bottom56bits; ++ out[3] = (*((limb_aX *) & in[21])) & bottom56bits; ++ out[4] = (*((limb_aX *) & in[28])) & bottom56bits; ++ out[5] = (*((limb_aX *) & in[35])) & bottom56bits; ++ memmove(&out[6], &in[42], 6); ++} ++ ++static void felem_to_bin48(u8 out[48], const felem in) ++{ ++ memset(out, 0, 48); ++ (*((limb *) & out[0])) |= (in[0] & bottom56bits); ++ (*((limb_aX *) & out[7])) |= (in[1] & bottom56bits); ++ (*((limb_aX *) & out[14])) |= (in[2] & bottom56bits); ++ (*((limb_aX *) & out[21])) |= (in[3] & bottom56bits); ++ (*((limb_aX *) & out[28])) |= (in[4] & bottom56bits); ++ (*((limb_aX *) & out[35])) |= (in[5] & bottom56bits); ++ memmove(&out[42], &in[6], 6); ++} ++ ++/* BN_to_felem converts an OpenSSL BIGNUM into an felem */ ++static int BN_to_felem(felem out, const BIGNUM *bn) ++{ ++ felem_bytearray b_out; ++ int num_bytes; ++ ++ if (BN_is_negative(bn)) { ++ ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE); ++ return 0; ++ } ++ num_bytes = BN_bn2lebinpad(bn, b_out, sizeof(b_out)); ++ if (num_bytes < 0) { ++ ERR_raise(ERR_LIB_EC, EC_R_BIGNUM_OUT_OF_RANGE); ++ return 0; ++ } ++ bin48_to_felem(out, b_out); ++ return 1; ++} ++ ++/* felem_to_BN converts an felem into an OpenSSL BIGNUM */ ++static BIGNUM *felem_to_BN(BIGNUM *out, const felem in) ++{ ++ felem_bytearray b_out; ++ ++ felem_to_bin48(b_out, in); ++ return BN_lebin2bn(b_out, sizeof(b_out), out); ++} ++ ++/*- ++ * Field operations ++ * ---------------- ++ */ ++ ++static void felem_one(felem out) ++{ ++ out[0] = 1; ++ memset(&out[1], 0, sizeof(limb) * (NLIMBS-1)); ++} ++ ++static void felem_assign(felem out, const felem in) ++{ ++ memcpy(out, in, sizeof(felem)); ++} ++ ++/* felem_sum64 sets out = out + in. */ ++static void felem_sum64(felem out, const felem in) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < NLIMBS; i++) ++ out[i] += in[i]; ++} ++ ++/* felem_scalar sets out = in * scalar */ ++static void felem_scalar(felem out, const felem in, limb scalar) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < NLIMBS; i++) ++ out[i] = in[i] * scalar; ++} ++ ++/* felem_scalar64 sets out = out * scalar */ ++static void felem_scalar64(felem out, limb scalar) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < NLIMBS; i++) ++ out[i] *= scalar; ++} ++ ++/* felem_scalar128 sets out = out * scalar */ ++static void felem_scalar128(widefelem out, limb scalar) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < 2*NLIMBS-1; i++) ++ out[i] *= scalar; ++} ++ ++/*- ++ * felem_neg sets |out| to |-in| ++ * On entry: ++ * in[i] < 2^60 - 2^29 ++ * On exit: ++ * out[i] < 2^60 ++ */ ++static void felem_neg(felem out, const felem in) ++{ ++ /* ++ * In order to prevent underflow, we add a multiple of p before subtracting. ++ * Use telescopic sums to represent 2^12 * p redundantly with each limb ++ * of the form 2^60 + ... ++ */ ++ static const limb two60m52m4 = (((limb) 1) << 60) ++ - (((limb) 1) << 52) ++ - (((limb) 1) << 4); ++ static const limb two60p44m12 = (((limb) 1) << 60) ++ + (((limb) 1) << 44) ++ - (((limb) 1) << 12); ++ static const limb two60m28m4 = (((limb) 1) << 60) ++ - (((limb) 1) << 28) ++ - (((limb) 1) << 4); ++ static const limb two60m4 = (((limb) 1) << 60) ++ - (((limb) 1) << 4); ++ ++ out[0] = two60p44m12 - in[0]; ++ out[1] = two60m52m4 - in[1]; ++ out[2] = two60m28m4 - in[2]; ++ out[3] = two60m4 - in[3]; ++ out[4] = two60m4 - in[4]; ++ out[5] = two60m4 - in[5]; ++ out[6] = two60m4 - in[6]; ++} ++ ++/*- ++ * felem_diff64 subtracts |in| from |out| ++ * On entry: ++ * in[i] < 2^60 - 2^52 - 2^4 ++ * On exit: ++ * out[i] < out_orig[i] + 2^60 + 2^44 ++ */ ++static void felem_diff64(felem out, const felem in) ++{ ++ /* ++ * In order to prevent underflow, we add a multiple of p before subtracting. ++ * Use telescopic sums to represent 2^12 * p redundantly with each limb ++ * of the form 2^60 + ... ++ */ ++ ++ static const limb two60m52m4 = (((limb) 1) << 60) ++ - (((limb) 1) << 52) ++ - (((limb) 1) << 4); ++ static const limb two60p44m12 = (((limb) 1) << 60) ++ + (((limb) 1) << 44) ++ - (((limb) 1) << 12); ++ static const limb two60m28m4 = (((limb) 1) << 60) ++ - (((limb) 1) << 28) ++ - (((limb) 1) << 4); ++ static const limb two60m4 = (((limb) 1) << 60) ++ - (((limb) 1) << 4); ++ ++ out[0] += two60p44m12 - in[0]; ++ out[1] += two60m52m4 - in[1]; ++ out[2] += two60m28m4 - in[2]; ++ out[3] += two60m4 - in[3]; ++ out[4] += two60m4 - in[4]; ++ out[5] += two60m4 - in[5]; ++ out[6] += two60m4 - in[6]; ++} ++ ++/* ++ * in[i] < 2^63 ++ * out[i] < out_orig[i] + 2^64 + 2^48 ++ */ ++static void felem_diff_128_64(widefelem out, const felem in) ++{ ++ /* ++ * In order to prevent underflow, we add a multiple of p before subtracting. ++ * Use telescopic sums to represent 2^16 * p redundantly with each limb ++ * of the form 2^64 + ... ++ */ ++ ++ static const widelimb two64m56m8 = (((widelimb) 1) << 64) ++ - (((widelimb) 1) << 56) ++ - (((widelimb) 1) << 8); ++ static const widelimb two64m32m8 = (((widelimb) 1) << 64) ++ - (((widelimb) 1) << 32) ++ - (((widelimb) 1) << 8); ++ static const widelimb two64m8 = (((widelimb) 1) << 64) ++ - (((widelimb) 1) << 8); ++ static const widelimb two64p48m16 = (((widelimb) 1) << 64) ++ + (((widelimb) 1) << 48) ++ - (((widelimb) 1) << 16); ++ unsigned int i; ++ ++ out[0] += two64p48m16; ++ out[1] += two64m56m8; ++ out[2] += two64m32m8; ++ out[3] += two64m8; ++ out[4] += two64m8; ++ out[5] += two64m8; ++ out[6] += two64m8; ++ ++ for (i = 0; i < NLIMBS; i++) ++ out[i] -= in[i]; ++} ++ ++/* ++ * in[i] < 2^127 - 2^119 - 2^71 ++ * out[i] < out_orig[i] + 2^127 + 2^111 ++ */ ++static void felem_diff128(widefelem out, const widefelem in) ++{ ++ /* ++ * In order to prevent underflow, we add a multiple of p before subtracting. ++ * Use telescopic sums to represent 2^415 * p redundantly with each limb ++ * of the form 2^127 + ... ++ */ ++ ++ static const widelimb two127 = ((widelimb) 1) << 127; ++ static const widelimb two127m71 = (((widelimb) 1) << 127) ++ - (((widelimb) 1) << 71); ++ static const widelimb two127p111m79m71 = (((widelimb) 1) << 127) ++ + (((widelimb) 1) << 111) ++ - (((widelimb) 1) << 79) ++ - (((widelimb) 1) << 71); ++ static const widelimb two127m119m71 = (((widelimb) 1) << 127) ++ - (((widelimb) 1) << 119) ++ - (((widelimb) 1) << 71); ++ static const widelimb two127m95m71 = (((widelimb) 1) << 127) ++ - (((widelimb) 1) << 95) ++ - (((widelimb) 1) << 71); ++ unsigned int i; ++ ++ out[0] += two127; ++ out[1] += two127m71; ++ out[2] += two127m71; ++ out[3] += two127m71; ++ out[4] += two127m71; ++ out[5] += two127m71; ++ out[6] += two127p111m79m71; ++ out[7] += two127m119m71; ++ out[8] += two127m95m71; ++ out[9] += two127m71; ++ out[10] += two127m71; ++ out[11] += two127m71; ++ out[12] += two127m71; ++ ++ for (i = 0; i < 2*NLIMBS-1; i++) ++ out[i] -= in[i]; ++} ++ ++static void felem_square_ref(widefelem out, const felem in) ++{ ++ felem inx2; ++ felem_scalar(inx2, in, 2); ++ ++ out[0] = ((uint128_t) in[0]) * in[0]; ++ ++ out[1] = ((uint128_t) in[0]) * inx2[1]; ++ ++ out[2] = ((uint128_t) in[0]) * inx2[2] ++ + ((uint128_t) in[1]) * in[1]; ++ ++ out[3] = ((uint128_t) in[0]) * inx2[3] ++ + ((uint128_t) in[1]) * inx2[2]; ++ ++ out[4] = ((uint128_t) in[0]) * inx2[4] ++ + ((uint128_t) in[1]) * inx2[3] ++ + ((uint128_t) in[2]) * in[2]; ++ ++ out[5] = ((uint128_t) in[0]) * inx2[5] ++ + ((uint128_t) in[1]) * inx2[4] ++ + ((uint128_t) in[2]) * inx2[3]; ++ ++ out[6] = ((uint128_t) in[0]) * inx2[6] ++ + ((uint128_t) in[1]) * inx2[5] ++ + ((uint128_t) in[2]) * inx2[4] ++ + ((uint128_t) in[3]) * in[3]; ++ ++ out[7] = ((uint128_t) in[1]) * inx2[6] ++ + ((uint128_t) in[2]) * inx2[5] ++ + ((uint128_t) in[3]) * inx2[4]; ++ ++ out[8] = ((uint128_t) in[2]) * inx2[6] ++ + ((uint128_t) in[3]) * inx2[5] ++ + ((uint128_t) in[4]) * in[4]; ++ ++ out[9] = ((uint128_t) in[3]) * inx2[6] ++ + ((uint128_t) in[4]) * inx2[5]; ++ ++ out[10] = ((uint128_t) in[4]) * inx2[6] ++ + ((uint128_t) in[5]) * in[5]; ++ ++ out[11] = ((uint128_t) in[5]) * inx2[6]; ++ ++ out[12] = ((uint128_t) in[6]) * in[6]; ++} ++ ++static void felem_mul_ref(widefelem out, const felem in1, const felem in2) ++{ ++ out[0] = ((uint128_t) in1[0]) * in2[0]; ++ ++ out[1] = ((uint128_t) in1[0]) * in2[1] ++ + ((uint128_t) in1[1]) * in2[0]; ++ ++ out[2] = ((uint128_t) in1[0]) * in2[2] ++ + ((uint128_t) in1[1]) * in2[1] ++ + ((uint128_t) in1[2]) * in2[0]; ++ ++ out[3] = ((uint128_t) in1[0]) * in2[3] ++ + ((uint128_t) in1[1]) * in2[2] ++ + ((uint128_t) in1[2]) * in2[1] ++ + ((uint128_t) in1[3]) * in2[0]; ++ ++ out[4] = ((uint128_t) in1[0]) * in2[4] ++ + ((uint128_t) in1[1]) * in2[3] ++ + ((uint128_t) in1[2]) * in2[2] ++ + ((uint128_t) in1[3]) * in2[1] ++ + ((uint128_t) in1[4]) * in2[0]; ++ ++ out[5] = ((uint128_t) in1[0]) * in2[5] ++ + ((uint128_t) in1[1]) * in2[4] ++ + ((uint128_t) in1[2]) * in2[3] ++ + ((uint128_t) in1[3]) * in2[2] ++ + ((uint128_t) in1[4]) * in2[1] ++ + ((uint128_t) in1[5]) * in2[0]; ++ ++ out[6] = ((uint128_t) in1[0]) * in2[6] ++ + ((uint128_t) in1[1]) * in2[5] ++ + ((uint128_t) in1[2]) * in2[4] ++ + ((uint128_t) in1[3]) * in2[3] ++ + ((uint128_t) in1[4]) * in2[2] ++ + ((uint128_t) in1[5]) * in2[1] ++ + ((uint128_t) in1[6]) * in2[0]; ++ ++ out[7] = ((uint128_t) in1[1]) * in2[6] ++ + ((uint128_t) in1[2]) * in2[5] ++ + ((uint128_t) in1[3]) * in2[4] ++ + ((uint128_t) in1[4]) * in2[3] ++ + ((uint128_t) in1[5]) * in2[2] ++ + ((uint128_t) in1[6]) * in2[1]; ++ ++ out[8] = ((uint128_t) in1[2]) * in2[6] ++ + ((uint128_t) in1[3]) * in2[5] ++ + ((uint128_t) in1[4]) * in2[4] ++ + ((uint128_t) in1[5]) * in2[3] ++ + ((uint128_t) in1[6]) * in2[2]; ++ ++ out[9] = ((uint128_t) in1[3]) * in2[6] ++ + ((uint128_t) in1[4]) * in2[5] ++ + ((uint128_t) in1[5]) * in2[4] ++ + ((uint128_t) in1[6]) * in2[3]; ++ ++ out[10] = ((uint128_t) in1[4]) * in2[6] ++ + ((uint128_t) in1[5]) * in2[5] ++ + ((uint128_t) in1[6]) * in2[4]; ++ ++ out[11] = ((uint128_t) in1[5]) * in2[6] ++ + ((uint128_t) in1[6]) * in2[5]; ++ ++ out[12] = ((uint128_t) in1[6]) * in2[6]; ++} ++ ++/*- ++ * Reduce thirteen 128-bit coefficients to seven 64-bit coefficients. ++ * in[i] < 2^128 - 2^125 ++ * out[i] < 2^56 for i < 6, ++ * out[6] <= 2^48 ++ * ++ * The technique in use here stems from the format of the prime modulus: ++ * P384 = 2^384 - delta ++ * ++ * Thus we can reduce numbers of the form (X + 2^384 * Y) by substituting ++ * them with (X + delta Y), with delta = 2^128 + 2^96 + (-2^32 + 1). These ++ * coefficients are still quite large, and so we repeatedly apply this ++ * technique on high-order bits in order to guarantee the desired bounds on ++ * the size of our output. ++ * ++ * The three phases of elimination are as follows: ++ * [1]: Y = 2^120 (in[12] | in[11] | in[10] | in[9]) ++ * [2]: Y = 2^8 (acc[8] | acc[7]) ++ * [3]: Y = 2^48 (acc[6] >> 48) ++ * (Where a | b | c | d = (2^56)^3 a + (2^56)^2 b + (2^56) c + d) ++ */ ++static void felem_reduce(felem out, const widefelem in) ++{ ++ /* ++ * In order to prevent underflow, we add a multiple of p before subtracting. ++ * Use telescopic sums to represent 2^76 * p redundantly with each limb ++ * of the form 2^124 + ... ++ */ ++ static const widelimb two124m68 = (((widelimb) 1) << 124) ++ - (((widelimb) 1) << 68); ++ static const widelimb two124m116m68 = (((widelimb) 1) << 124) ++ - (((widelimb) 1) << 116) ++ - (((widelimb) 1) << 68); ++ static const widelimb two124p108m76 = (((widelimb) 1) << 124) ++ + (((widelimb) 1) << 108) ++ - (((widelimb) 1) << 76); ++ static const widelimb two124m92m68 = (((widelimb) 1) << 124) ++ - (((widelimb) 1) << 92) ++ - (((widelimb) 1) << 68); ++ widelimb temp, acc[9]; ++ unsigned int i; ++ ++ memcpy(acc, in, sizeof(widelimb) * 9); ++ ++ acc[0] += two124p108m76; ++ acc[1] += two124m116m68; ++ acc[2] += two124m92m68; ++ acc[3] += two124m68; ++ acc[4] += two124m68; ++ acc[5] += two124m68; ++ acc[6] += two124m68; ++ ++ /* [1]: Eliminate in[9], ..., in[12] */ ++ acc[8] += in[12] >> 32; ++ acc[7] += (in[12] & 0xffffffff) << 24; ++ acc[7] += in[12] >> 8; ++ acc[6] += (in[12] & 0xff) << 48; ++ acc[6] -= in[12] >> 16; ++ acc[5] -= ((in[12] & 0xffff) << 40); ++ acc[6] += in[12] >> 48; ++ acc[5] += (in[12] & 0xffffffffffff) << 8; ++ ++ acc[7] += in[11] >> 32; ++ acc[6] += (in[11] & 0xffffffff) << 24; ++ acc[6] += in[11] >> 8; ++ acc[5] += (in[11] & 0xff) << 48; ++ acc[5] -= in[11] >> 16; ++ acc[4] -= ((in[11] & 0xffff) << 40); ++ acc[5] += in[11] >> 48; ++ acc[4] += (in[11] & 0xffffffffffff) << 8; ++ ++ acc[6] += in[10] >> 32; ++ acc[5] += (in[10] & 0xffffffff) << 24; ++ acc[5] += in[10] >> 8; ++ acc[4] += (in[10] & 0xff) << 48; ++ acc[4] -= in[10] >> 16; ++ acc[3] -= ((in[10] & 0xffff) << 40); ++ acc[4] += in[10] >> 48; ++ acc[3] += (in[10] & 0xffffffffffff) << 8; ++ ++ acc[5] += in[9] >> 32; ++ acc[4] += (in[9] & 0xffffffff) << 24; ++ acc[4] += in[9] >> 8; ++ acc[3] += (in[9] & 0xff) << 48; ++ acc[3] -= in[9] >> 16; ++ acc[2] -= ((in[9] & 0xffff) << 40); ++ acc[3] += in[9] >> 48; ++ acc[2] += (in[9] & 0xffffffffffff) << 8; ++ ++ /* ++ * [2]: Eliminate acc[7], acc[8], that is the 7 and eighth limbs, as ++ * well as the contributions made from eliminating higher limbs. ++ * acc[7] < in[7] + 2^120 + 2^56 < in[7] + 2^121 ++ * acc[8] < in[8] + 2^96 ++ */ ++ acc[4] += acc[8] >> 32; ++ acc[3] += (acc[8] & 0xffffffff) << 24; ++ acc[3] += acc[8] >> 8; ++ acc[2] += (acc[8] & 0xff) << 48; ++ acc[2] -= acc[8] >> 16; ++ acc[1] -= ((acc[8] & 0xffff) << 40); ++ acc[2] += acc[8] >> 48; ++ acc[1] += (acc[8] & 0xffffffffffff) << 8; ++ ++ acc[3] += acc[7] >> 32; ++ acc[2] += (acc[7] & 0xffffffff) << 24; ++ acc[2] += acc[7] >> 8; ++ acc[1] += (acc[7] & 0xff) << 48; ++ acc[1] -= acc[7] >> 16; ++ acc[0] -= ((acc[7] & 0xffff) << 40); ++ acc[1] += acc[7] >> 48; ++ acc[0] += (acc[7] & 0xffffffffffff) << 8; ++ ++ /*- ++ * acc[k] < in[k] + 2^124 + 2^121 ++ * < in[k] + 2^125 ++ * < 2^128, for k <= 6 ++ */ ++ ++ /* ++ * Carry 4 -> 5 -> 6 ++ * This has the effect of ensuring that these more significant limbs ++ * will be small in value after eliminating high bits from acc[6]. ++ */ ++ acc[5] += acc[4] >> 56; ++ acc[4] &= 0x00ffffffffffffff; ++ ++ acc[6] += acc[5] >> 56; ++ acc[5] &= 0x00ffffffffffffff; ++ ++ /*- ++ * acc[6] < in[6] + 2^124 + 2^121 + 2^72 + 2^16 ++ * < in[6] + 2^125 ++ * < 2^128 ++ */ ++ ++ /* [3]: Eliminate high bits of acc[6] */ ++ temp = acc[6] >> 48; ++ acc[6] &= 0x0000ffffffffffff; ++ ++ /* temp < 2^80 */ ++ ++ acc[3] += temp >> 40; ++ acc[2] += (temp & 0xffffffffff) << 16; ++ acc[2] += temp >> 16; ++ acc[1] += (temp & 0xffff) << 40; ++ acc[1] -= temp >> 24; ++ acc[0] -= (temp & 0xffffff) << 32; ++ acc[0] += temp; ++ ++ /*- ++ * acc[k] < acc_old[k] + 2^64 + 2^56 ++ * < in[k] + 2^124 + 2^121 + 2^72 + 2^64 + 2^56 + 2^16 , k < 4 ++ */ ++ ++ /* Carry 0 -> 1 -> 2 -> 3 -> 4 -> 5 -> 6 */ ++ acc[1] += acc[0] >> 56; /* acc[1] < acc_old[1] + 2^72 */ ++ acc[0] &= 0x00ffffffffffffff; ++ ++ acc[2] += acc[1] >> 56; /* acc[2] < acc_old[2] + 2^72 + 2^16 */ ++ acc[1] &= 0x00ffffffffffffff; ++ ++ acc[3] += acc[2] >> 56; /* acc[3] < acc_old[3] + 2^72 + 2^16 */ ++ acc[2] &= 0x00ffffffffffffff; ++ ++ /*- ++ * acc[k] < acc_old[k] + 2^72 + 2^16 ++ * < in[k] + 2^124 + 2^121 + 2^73 + 2^64 + 2^56 + 2^17 ++ * < in[k] + 2^125 ++ * < 2^128 , k < 4 ++ */ ++ ++ acc[4] += acc[3] >> 56; /*- ++ * acc[4] < acc_old[4] + 2^72 + 2^16 ++ * < 2^72 + 2^56 + 2^16 ++ */ ++ acc[3] &= 0x00ffffffffffffff; ++ ++ acc[5] += acc[4] >> 56; /*- ++ * acc[5] < acc_old[5] + 2^16 + 1 ++ * < 2^56 + 2^16 + 1 ++ */ ++ acc[4] &= 0x00ffffffffffffff; ++ ++ acc[6] += acc[5] >> 56; /* acc[6] < 2^48 + 1 <= 2^48 */ ++ acc[5] &= 0x00ffffffffffffff; ++ ++ for (i = 0; i < NLIMBS; i++) ++ out[i] = acc[i]; ++} ++ ++#if defined(ECP_NISTP384_ASM) ++static void felem_square_wrapper(widefelem out, const felem in); ++static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2); ++ ++static void (*felem_square_p)(widefelem out, const felem in) = ++ felem_square_wrapper; ++static void (*felem_mul_p)(widefelem out, const felem in1, const felem in2) = ++ felem_mul_wrapper; ++ ++void p384_felem_square(widefelem out, const felem in); ++void p384_felem_mul(widefelem out, const felem in1, const felem in2); ++ ++# if defined(_ARCH_PPC64) ++# include "crypto/ppc_arch.h" ++# endif ++ ++static void felem_select(void) ++{ ++ /* Default */ ++ felem_square_p = felem_square_ref; ++ felem_mul_p = felem_mul_ref; ++} ++ ++static void felem_square_wrapper(widefelem out, const felem in) ++{ ++ felem_select(); ++ felem_square_p(out, in); ++} ++ ++static void felem_mul_wrapper(widefelem out, const felem in1, const felem in2) ++{ ++ felem_select(); ++ felem_mul_p(out, in1, in2); ++} ++ ++# define felem_square felem_square_p ++# define felem_mul felem_mul_p ++#else ++# define felem_square felem_square_ref ++# define felem_mul felem_mul_ref ++#endif ++ ++static ossl_inline void felem_square_reduce(felem out, const felem in) ++{ ++ widefelem tmp; ++ ++ felem_square(tmp, in); ++ felem_reduce(out, tmp); ++} ++ ++static ossl_inline void felem_mul_reduce(felem out, const felem in1, const felem in2) ++{ ++ widefelem tmp; ++ ++ felem_mul(tmp, in1, in2); ++ felem_reduce(out, tmp); ++} ++ ++/*- ++ * felem_inv calculates |out| = |in|^{-1} ++ * ++ * Based on Fermat's Little Theorem: ++ * a^p = a (mod p) ++ * a^{p-1} = 1 (mod p) ++ * a^{p-2} = a^{-1} (mod p) ++ */ ++static void felem_inv(felem out, const felem in) ++{ ++ felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6; ++ unsigned int i = 0; ++ ++ felem_square_reduce(ftmp, in); /* 2^1 */ ++ felem_mul_reduce(ftmp, ftmp, in); /* 2^1 + 2^0 */ ++ felem_assign(ftmp2, ftmp); ++ ++ felem_square_reduce(ftmp, ftmp); /* 2^2 + 2^1 */ ++ felem_mul_reduce(ftmp, ftmp, in); /* 2^2 + 2^1 * 2^0 */ ++ felem_assign(ftmp3, ftmp); ++ ++ for (i = 0; i < 3; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^5 + 2^4 + 2^3 */ ++ felem_mul_reduce(ftmp, ftmp3, ftmp); /* 2^5 + 2^4 + 2^3 + 2^2 + 2^1 + 2^0 */ ++ felem_assign(ftmp4, ftmp); ++ ++ for (i = 0; i < 6; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^11 + ... + 2^6 */ ++ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^11 + ... + 2^0 */ ++ ++ for (i = 0; i < 3; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^14 + ... + 2^3 */ ++ felem_mul_reduce(ftmp, ftmp3, ftmp); /* 2^14 + ... + 2^0 */ ++ felem_assign(ftmp5, ftmp); ++ ++ for (i = 0; i < 15; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^29 + ... + 2^15 */ ++ felem_mul_reduce(ftmp, ftmp5, ftmp); /* 2^29 + ... + 2^0 */ ++ felem_assign(ftmp6, ftmp); ++ ++ for (i = 0; i < 30; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^59 + ... + 2^30 */ ++ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^59 + ... + 2^0 */ ++ felem_assign(ftmp4, ftmp); ++ ++ for (i = 0; i < 60; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^119 + ... + 2^60 */ ++ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^119 + ... + 2^0 */ ++ felem_assign(ftmp4, ftmp); ++ ++ for (i = 0; i < 120; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^239 + ... + 2^120 */ ++ felem_mul_reduce(ftmp, ftmp4, ftmp); /* 2^239 + ... + 2^0 */ ++ ++ for (i = 0; i < 15; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^254 + ... + 2^15 */ ++ felem_mul_reduce(ftmp, ftmp5, ftmp); /* 2^254 + ... + 2^0 */ ++ ++ for (i = 0; i < 31; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^285 + ... + 2^31 */ ++ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^285 + ... + 2^31 + 2^29 + ... + 2^0 */ ++ ++ for (i = 0; i < 2; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^287 + ... + 2^33 + 2^31 + ... + 2^2 */ ++ felem_mul_reduce(ftmp, ftmp2, ftmp); /* 2^287 + ... + 2^33 + 2^31 + ... + 2^0 */ ++ ++ for (i = 0; i < 94; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^381 + ... + 2^127 + 2^125 + ... + 2^94 */ ++ felem_mul_reduce(ftmp, ftmp6, ftmp); /* 2^381 + ... + 2^127 + 2^125 + ... + 2^94 + 2^29 + ... + 2^0 */ ++ ++ for (i = 0; i < 2; i++) ++ felem_square_reduce(ftmp, ftmp); /* 2^383 + ... + 2^129 + 2^127 + ... + 2^96 + 2^31 + ... + 2^2 */ ++ felem_mul_reduce(ftmp, in, ftmp); /* 2^383 + ... + 2^129 + 2^127 + ... + 2^96 + 2^31 + ... + 2^2 + 2^0 */ ++ ++ memcpy(out, ftmp, sizeof(felem)); ++} ++ ++/* ++ * Zero-check: returns a limb with all bits set if |in| == 0 (mod p) ++ * and 0 otherwise. We know that field elements are reduced to ++ * 0 < in < 2p, so we only need to check two cases: ++ * 0 and 2^384 - 2^128 - 2^96 + 2^32 - 1 ++ * in[k] < 2^56, k < 6 ++ * in[6] <= 2^48 ++ */ ++static limb felem_is_zero(const felem in) ++{ ++ limb zero, p384; ++ ++ zero = in[0] | in[1] | in[2] | in[3] | in[4] | in[5] | in[6]; ++ zero = ((int64_t) (zero) - 1) >> 63; ++ p384 = (in[0] ^ 0x000000ffffffff) | (in[1] ^ 0xffff0000000000) ++ | (in[2] ^ 0xfffffffffeffff) | (in[3] ^ 0xffffffffffffff) ++ | (in[4] ^ 0xffffffffffffff) | (in[5] ^ 0xffffffffffffff) ++ | (in[6] ^ 0xffffffffffff); ++ p384 = ((int64_t) (p384) - 1) >> 63; ++ ++ return (zero | p384); ++} ++ ++static int felem_is_zero_int(const void *in) ++{ ++ return (int)(felem_is_zero(in) & ((limb) 1)); ++} ++ ++/*- ++ * felem_contract converts |in| to its unique, minimal representation. ++ * Assume we've removed all redundant bits. ++ * On entry: ++ * in[k] < 2^56, k < 6 ++ * in[6] <= 2^48 ++ */ ++static void felem_contract(felem out, const felem in) ++{ ++ static const int64_t two56 = ((limb) 1) << 56; ++ ++ /* ++ * We know for a fact that 0 <= |in| < 2*p, for p = 2^384 - 2^128 - 2^96 + 2^32 - 1 ++ * Perform two successive, idempotent subtractions to reduce if |in| >= p. ++ */ ++ ++ int64_t tmp[NLIMBS], cond[5], a; ++ unsigned int i; ++ ++ memcpy(tmp, in, sizeof(felem)); ++ ++ /* Case 1: a = 1 iff |in| >= 2^384 */ ++ a = (in[6] >> 48); ++ tmp[0] += a; ++ tmp[0] -= a << 32; ++ tmp[1] += a << 40; ++ tmp[2] += a << 16; ++ tmp[6] &= 0x0000ffffffffffff; ++ ++ /* ++ * eliminate negative coefficients: if tmp[0] is negative, tmp[1] must be ++ * non-zero, so we only need one step ++ */ ++ ++ a = tmp[0] >> 63; ++ tmp[0] += a & two56; ++ tmp[1] -= a & 1; ++ ++ /* Carry 1 -> 2 -> 3 -> 4 -> 5 -> 6 */ ++ tmp[2] += tmp[1] >> 56; ++ tmp[1] &= 0x00ffffffffffffff; ++ ++ tmp[3] += tmp[2] >> 56; ++ tmp[2] &= 0x00ffffffffffffff; ++ ++ tmp[4] += tmp[3] >> 56; ++ tmp[3] &= 0x00ffffffffffffff; ++ ++ tmp[5] += tmp[4] >> 56; ++ tmp[4] &= 0x00ffffffffffffff; ++ ++ tmp[6] += tmp[5] >> 56; /* tmp[6] < 2^48 */ ++ tmp[5] &= 0x00ffffffffffffff; ++ ++ /* ++ * Case 2: a = all ones if p <= |in| < 2^384, 0 otherwise ++ */ ++ ++ /* 0 iff (2^129..2^383) are all one */ ++ cond[0] = ((tmp[6] | 0xff000000000000) & tmp[5] & tmp[4] & tmp[3] & (tmp[2] | 0x0000000001ffff)) + 1; ++ /* 0 iff 2^128 bit is one */ ++ cond[1] = (tmp[2] | ~0x00000000010000) + 1; ++ /* 0 iff (2^96..2^127) bits are all one */ ++ cond[2] = ((tmp[2] | 0xffffffffff0000) & (tmp[1] | 0x0000ffffffffff)) + 1; ++ /* 0 iff (2^32..2^95) bits are all zero */ ++ cond[3] = (tmp[1] & ~0xffff0000000000) | (tmp[0] & ~((int64_t) 0x000000ffffffff)); ++ /* 0 iff (2^0..2^31) bits are all one */ ++ cond[4] = (tmp[0] | 0xffffff00000000) + 1; ++ ++ /* ++ * In effect, invert our conditions, so that 0 values become all 1's, ++ * any non-zero value in the low-order 56 bits becomes all 0's ++ */ ++ for (i = 0; i < 5; i++) ++ cond[i] = ((cond[i] & 0x00ffffffffffffff) - 1) >> 63; ++ ++ /* ++ * The condition for determining whether in is greater than our ++ * prime is given by the following condition. ++ */ ++ ++ /* First subtract 2^384 - 2^129 cheaply */ ++ a = cond[0] & (cond[1] | (cond[2] & (~cond[3] | cond[4]))); ++ tmp[6] &= ~a; ++ tmp[5] &= ~a; ++ tmp[4] &= ~a; ++ tmp[3] &= ~a; ++ tmp[2] &= ~a | 0x0000000001ffff; ++ ++ /* ++ * Subtract 2^128 - 2^96 by ++ * means of disjoint cases. ++ */ ++ ++ /* subtract 2^128 if that bit is present, and add 2^96 */ ++ a = cond[0] & cond[1]; ++ tmp[2] &= ~a | 0xfffffffffeffff; ++ tmp[1] += a & ((int64_t) 1 << 40); ++ ++ /* otherwise, clear bits 2^127 .. 2^96 */ ++ a = cond[0] & ~cond[1] & (cond[2] & (~cond[3] | cond[4])); ++ tmp[2] &= ~a | 0xffffffffff0000; ++ tmp[1] &= ~a | 0x0000ffffffffff; ++ ++ /* finally, subtract the last 2^32 - 1 */ ++ a = cond[0] & (cond[1] | (cond[2] & (~cond[3] | cond[4]))); ++ tmp[0] += a & (-((int64_t) 1 << 32) + 1); ++ ++ /* ++ * eliminate negative coefficients: if tmp[0] is negative, tmp[1] must be ++ * non-zero, so we only need one step ++ */ ++ a = tmp[0] >> 63; ++ tmp[0] += a & two56; ++ tmp[1] -= a & 1; ++ ++ /* Carry 1 -> 2 -> 3 -> 4 -> 5 -> 6 */ ++ tmp[2] += tmp[1] >> 56; ++ tmp[1] &= 0x00ffffffffffffff; ++ ++ tmp[3] += tmp[2] >> 56; ++ tmp[2] &= 0x00ffffffffffffff; ++ ++ tmp[4] += tmp[3] >> 56; ++ tmp[3] &= 0x00ffffffffffffff; ++ ++ tmp[5] += tmp[4] >> 56; ++ tmp[4] &= 0x00ffffffffffffff; ++ ++ tmp[6] += tmp[5] >> 56; ++ tmp[5] &= 0x00ffffffffffffff; ++ ++ memcpy(out, tmp, sizeof(felem)); ++} ++ ++/*- ++ * Group operations ++ * ---------------- ++ * ++ * Building on top of the field operations we have the operations on the ++ * elliptic curve group itself. Points on the curve are represented in Jacobian ++ * coordinates ++ */ ++ ++/*- ++ * point_double calculates 2*(x_in, y_in, z_in) ++ * ++ * The method is taken from: ++ * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#doubling-dbl-2001-b ++ * ++ * Outputs can equal corresponding inputs, i.e., x_out == x_in is allowed. ++ * while x_out == y_in is not (maybe this works, but it's not tested). ++ */ ++static void ++point_double(felem x_out, felem y_out, felem z_out, ++ const felem x_in, const felem y_in, const felem z_in) ++{ ++ widefelem tmp, tmp2; ++ felem delta, gamma, beta, alpha, ftmp, ftmp2; ++ ++ felem_assign(ftmp, x_in); ++ felem_assign(ftmp2, x_in); ++ ++ /* delta = z^2 */ ++ felem_square_reduce(delta, z_in); /* delta[i] < 2^56 */ ++ ++ /* gamma = y^2 */ ++ felem_square_reduce(gamma, y_in); /* gamma[i] < 2^56 */ ++ ++ /* beta = x*gamma */ ++ felem_mul_reduce(beta, x_in, gamma); /* beta[i] < 2^56 */ ++ ++ /* alpha = 3*(x-delta)*(x+delta) */ ++ felem_diff64(ftmp, delta); /* ftmp[i] < 2^60 + 2^58 + 2^44 */ ++ felem_sum64(ftmp2, delta); /* ftmp2[i] < 2^59 */ ++ felem_scalar64(ftmp2, 3); /* ftmp2[i] < 2^61 */ ++ felem_mul_reduce(alpha, ftmp, ftmp2); /* alpha[i] < 2^56 */ ++ ++ /* x' = alpha^2 - 8*beta */ ++ felem_square(tmp, alpha); /* tmp[i] < 2^115 */ ++ felem_assign(ftmp, beta); /* ftmp[i] < 2^56 */ ++ felem_scalar64(ftmp, 8); /* ftmp[i] < 2^59 */ ++ felem_diff_128_64(tmp, ftmp); /* tmp[i] < 2^115 + 2^64 + 2^48 */ ++ felem_reduce(x_out, tmp); /* x_out[i] < 2^56 */ ++ ++ /* z' = (y + z)^2 - gamma - delta */ ++ felem_sum64(delta, gamma); /* delta[i] < 2^57 */ ++ felem_assign(ftmp, y_in); /* ftmp[i] < 2^56 */ ++ felem_sum64(ftmp, z_in); /* ftmp[i] < 2^56 */ ++ felem_square(tmp, ftmp); /* tmp[i] < 2^115 */ ++ felem_diff_128_64(tmp, delta); /* tmp[i] < 2^115 + 2^64 + 2^48 */ ++ felem_reduce(z_out, tmp); /* z_out[i] < 2^56 */ ++ ++ /* y' = alpha*(4*beta - x') - 8*gamma^2 */ ++ felem_scalar64(beta, 4); /* beta[i] < 2^58 */ ++ felem_diff64(beta, x_out); /* beta[i] < 2^60 + 2^58 + 2^44 */ ++ felem_mul(tmp, alpha, beta); /* tmp[i] < 2^119 */ ++ felem_square(tmp2, gamma); /* tmp2[i] < 2^115 */ ++ felem_scalar128(tmp2, 8); /* tmp2[i] < 2^118 */ ++ felem_diff128(tmp, tmp2); /* tmp[i] < 2^127 + 2^119 + 2^111 */ ++ felem_reduce(y_out, tmp); /* tmp[i] < 2^56 */ ++} ++ ++/* copy_conditional copies in to out iff mask is all ones. */ ++static void copy_conditional(felem out, const felem in, limb mask) ++{ ++ unsigned int i; ++ ++ for (i = 0; i < NLIMBS; i++) ++ out[i] ^= mask & (in[i] ^ out[i]); ++} ++ ++/*- ++ * point_add calculates (x1, y1, z1) + (x2, y2, z2) ++ * ++ * The method is taken from ++ * http://hyperelliptic.org/EFD/g1p/auto-shortw-jacobian-3.html#addition-add-2007-bl, ++ * adapted for mixed addition (z2 = 1, or z2 = 0 for the point at infinity). ++ * ++ * This function includes a branch for checking whether the two input points ++ * are equal (while not equal to the point at infinity). See comment below ++ * on constant-time. ++ */ ++static void point_add(felem x3, felem y3, felem z3, ++ const felem x1, const felem y1, const felem z1, ++ const int mixed, const felem x2, const felem y2, ++ const felem z2) ++{ ++ felem ftmp, ftmp2, ftmp3, ftmp4, ftmp5, ftmp6, x_out, y_out, z_out; ++ widefelem tmp, tmp2; ++ limb x_equal, y_equal, z1_is_zero, z2_is_zero; ++ limb points_equal; ++ ++ z1_is_zero = felem_is_zero(z1); ++ z2_is_zero = felem_is_zero(z2); ++ ++ /* ftmp = z1z1 = z1**2 */ ++ felem_square_reduce(ftmp, z1); /* ftmp[i] < 2^56 */ ++ ++ if (!mixed) { ++ /* ftmp2 = z2z2 = z2**2 */ ++ felem_square_reduce(ftmp2, z2); /* ftmp2[i] < 2^56 */ ++ ++ /* u1 = ftmp3 = x1*z2z2 */ ++ felem_mul_reduce(ftmp3, x1, ftmp2); /* ftmp3[i] < 2^56 */ ++ ++ /* ftmp5 = z1 + z2 */ ++ felem_assign(ftmp5, z1); /* ftmp5[i] < 2^56 */ ++ felem_sum64(ftmp5, z2); /* ftmp5[i] < 2^57 */ ++ ++ /* ftmp5 = (z1 + z2)**2 - z1z1 - z2z2 = 2*z1z2 */ ++ felem_square(tmp, ftmp5); /* tmp[i] < 2^117 */ ++ felem_diff_128_64(tmp, ftmp); /* tmp[i] < 2^117 + 2^64 + 2^48 */ ++ felem_diff_128_64(tmp, ftmp2); /* tmp[i] < 2^117 + 2^65 + 2^49 */ ++ felem_reduce(ftmp5, tmp); /* ftmp5[i] < 2^56 */ ++ ++ /* ftmp2 = z2 * z2z2 */ ++ felem_mul_reduce(ftmp2, ftmp2, z2); /* ftmp2[i] < 2^56 */ ++ ++ /* s1 = ftmp6 = y1 * z2**3 */ ++ felem_mul_reduce(ftmp6, y1, ftmp2); /* ftmp6[i] < 2^56 */ ++ } else { ++ /* ++ * We'll assume z2 = 1 (special case z2 = 0 is handled later) ++ */ ++ ++ /* u1 = ftmp3 = x1*z2z2 */ ++ felem_assign(ftmp3, x1); /* ftmp3[i] < 2^56 */ ++ ++ /* ftmp5 = 2*z1z2 */ ++ felem_scalar(ftmp5, z1, 2); /* ftmp5[i] < 2^57 */ ++ ++ /* s1 = ftmp6 = y1 * z2**3 */ ++ felem_assign(ftmp6, y1); /* ftmp6[i] < 2^56 */ ++ } ++ /* ftmp3[i] < 2^56, ftmp5[i] < 2^57, ftmp6[i] < 2^56 */ ++ ++ /* u2 = x2*z1z1 */ ++ felem_mul(tmp, x2, ftmp); /* tmp[i] < 2^115 */ ++ ++ /* h = ftmp4 = u2 - u1 */ ++ felem_diff_128_64(tmp, ftmp3); /* tmp[i] < 2^115 + 2^64 + 2^48 */ ++ felem_reduce(ftmp4, tmp); /* ftmp[4] < 2^56 */ ++ ++ x_equal = felem_is_zero(ftmp4); ++ ++ /* z_out = ftmp5 * h */ ++ felem_mul_reduce(z_out, ftmp5, ftmp4); /* z_out[i] < 2^56 */ ++ ++ /* ftmp = z1 * z1z1 */ ++ felem_mul_reduce(ftmp, ftmp, z1); /* ftmp[i] < 2^56 */ ++ ++ /* s2 = tmp = y2 * z1**3 */ ++ felem_mul(tmp, y2, ftmp); /* tmp[i] < 2^115 */ ++ ++ /* r = ftmp5 = (s2 - s1)*2 */ ++ felem_diff_128_64(tmp, ftmp6); /* tmp[i] < 2^115 + 2^64 + 2^48 */ ++ felem_reduce(ftmp5, tmp); /* ftmp5[i] < 2^56 */ ++ y_equal = felem_is_zero(ftmp5); ++ felem_scalar64(ftmp5, 2); /* ftmp5[i] < 2^57 */ ++ ++ /* ++ * The formulae are incorrect if the points are equal, in affine coordinates ++ * (X_1, Y_1) == (X_2, Y_2), so we check for this and do doubling if this ++ * happens. ++ * ++ * We use bitwise operations to avoid potential side-channels introduced by ++ * the short-circuiting behaviour of boolean operators. ++ * ++ * The special case of either point being the point at infinity (z1 and/or ++ * z2 are zero), is handled separately later on in this function, so we ++ * avoid jumping to point_double here in those special cases. ++ * ++ * Notice the comment below on the implications of this branching for timing ++ * leaks and why it is considered practically irrelevant. ++ */ ++ points_equal = (x_equal & y_equal & (~z1_is_zero) & (~z2_is_zero)); ++ ++ if (points_equal) { ++ /* ++ * This is obviously not constant-time but it will almost-never happen ++ * for ECDH / ECDSA. ++ */ ++ point_double(x3, y3, z3, x1, y1, z1); ++ return; ++ } ++ ++ /* I = ftmp = (2h)**2 */ ++ felem_assign(ftmp, ftmp4); /* ftmp[i] < 2^56 */ ++ felem_scalar64(ftmp, 2); /* ftmp[i] < 2^57 */ ++ felem_square_reduce(ftmp, ftmp); /* ftmp[i] < 2^56 */ ++ ++ /* J = ftmp2 = h * I */ ++ felem_mul_reduce(ftmp2, ftmp4, ftmp); /* ftmp2[i] < 2^56 */ ++ ++ /* V = ftmp4 = U1 * I */ ++ felem_mul_reduce(ftmp4, ftmp3, ftmp); /* ftmp4[i] < 2^56 */ ++ ++ /* x_out = r**2 - J - 2V */ ++ felem_square(tmp, ftmp5); /* tmp[i] < 2^117 */ ++ felem_diff_128_64(tmp, ftmp2); /* tmp[i] < 2^117 + 2^64 + 2^48 */ ++ felem_assign(ftmp3, ftmp4); /* ftmp3[i] < 2^56 */ ++ felem_scalar64(ftmp4, 2); /* ftmp4[i] < 2^57 */ ++ felem_diff_128_64(tmp, ftmp4); /* tmp[i] < 2^117 + 2^65 + 2^49 */ ++ felem_reduce(x_out, tmp); /* x_out[i] < 2^56 */ ++ ++ /* y_out = r(V-x_out) - 2 * s1 * J */ ++ felem_diff64(ftmp3, x_out); /* ftmp3[i] < 2^60 + 2^56 + 2^44 */ ++ felem_mul(tmp, ftmp5, ftmp3); /* tmp[i] < 2^116 */ ++ felem_mul(tmp2, ftmp6, ftmp2); /* tmp2[i] < 2^115 */ ++ felem_scalar128(tmp2, 2); /* tmp2[i] < 2^116 */ ++ felem_diff128(tmp, tmp2); /* tmp[i] < 2^127 + 2^116 + 2^111 */ ++ felem_reduce(y_out, tmp); /* y_out[i] < 2^56 */ ++ ++ copy_conditional(x_out, x2, z1_is_zero); ++ copy_conditional(x_out, x1, z2_is_zero); ++ copy_conditional(y_out, y2, z1_is_zero); ++ copy_conditional(y_out, y1, z2_is_zero); ++ copy_conditional(z_out, z2, z1_is_zero); ++ copy_conditional(z_out, z1, z2_is_zero); ++ felem_assign(x3, x_out); ++ felem_assign(y3, y_out); ++ felem_assign(z3, z_out); ++} ++ ++/*- ++ * Base point pre computation ++ * -------------------------- ++ * ++ * Two different sorts of precomputed tables are used in the following code. ++ * Each contain various points on the curve, where each point is three field ++ * elements (x, y, z). ++ * ++ * For the base point table, z is usually 1 (0 for the point at infinity). ++ * This table has 16 elements: ++ * index | bits | point ++ * ------+---------+------------------------------ ++ * 0 | 0 0 0 0 | 0G ++ * 1 | 0 0 0 1 | 1G ++ * 2 | 0 0 1 0 | 2^95G ++ * 3 | 0 0 1 1 | (2^95 + 1)G ++ * 4 | 0 1 0 0 | 2^190G ++ * 5 | 0 1 0 1 | (2^190 + 1)G ++ * 6 | 0 1 1 0 | (2^190 + 2^95)G ++ * 7 | 0 1 1 1 | (2^190 + 2^95 + 1)G ++ * 8 | 1 0 0 0 | 2^285G ++ * 9 | 1 0 0 1 | (2^285 + 1)G ++ * 10 | 1 0 1 0 | (2^285 + 2^95)G ++ * 11 | 1 0 1 1 | (2^285 + 2^95 + 1)G ++ * 12 | 1 1 0 0 | (2^285 + 2^190)G ++ * 13 | 1 1 0 1 | (2^285 + 2^190 + 1)G ++ * 14 | 1 1 1 0 | (2^285 + 2^190 + 2^95)G ++ * 15 | 1 1 1 1 | (2^285 + 2^190 + 2^95 + 1)G ++ * ++ * The reason for this is so that we can clock bits into four different ++ * locations when doing simple scalar multiplies against the base point. ++ * ++ * Tables for other points have table[i] = iG for i in 0 .. 16. ++ */ ++ ++/* gmul is the table of precomputed base points */ ++static const felem gmul[16][3] = { ++{{0, 0, 0, 0, 0, 0, 0}, ++ {0, 0, 0, 0, 0, 0, 0}, ++ {0, 0, 0, 0, 0, 0, 0}}, ++{{0x00545e3872760ab7, 0x00f25dbf55296c3a, 0x00e082542a385502, 0x008ba79b9859f741, ++ 0x0020ad746e1d3b62, 0x0005378eb1c71ef3, 0x0000aa87ca22be8b}, ++ {0x00431d7c90ea0e5f, 0x00b1ce1d7e819d7a, 0x0013b5f0b8c00a60, 0x00289a147ce9da31, ++ 0x0092dc29f8f41dbd, 0x002c6f5d9e98bf92, 0x00003617de4a9626}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00024711cc902a90, 0x00acb2e579ab4fe1, 0x00af818a4b4d57b1, 0x00a17c7bec49c3de, ++ 0x004280482d726a8b, 0x00128dd0f0a90f3b, 0x00004387c1c3fa3c}, ++ {0x002ce76543cf5c3a, 0x00de6cee5ef58f0a, 0x00403e42fa561ca6, 0x00bc54d6f9cb9731, ++ 0x007155f925fb4ff1, 0x004a9ce731b7b9bc, 0x00002609076bd7b2}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00e74c9182f0251d, 0x0039bf54bb111974, 0x00b9d2f2eec511d2, 0x0036b1594eb3a6a4, ++ 0x00ac3bb82d9d564b, 0x00f9313f4615a100, 0x00006716a9a91b10}, ++ {0x0046698116e2f15c, 0x00f34347067d3d33, 0x008de4ccfdebd002, 0x00e838c6b8e8c97b, ++ 0x006faf0798def346, 0x007349794a57563c, 0x00002629e7e6ad84}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x0075300e34fd163b, 0x0092e9db4e8d0ad3, 0x00254be9f625f760, 0x00512c518c72ae68, ++ 0x009bfcf162bede5a, 0x00bf9341566ce311, 0x0000cd6175bd41cf}, ++ {0x007dfe52af4ac70f, 0x0002159d2d5c4880, 0x00b504d16f0af8d0, 0x0014585e11f5e64c, ++ 0x0089c6388e030967, 0x00ffb270cbfa5f71, 0x00009a15d92c3947}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x0033fc1278dc4fe5, 0x00d53088c2caa043, 0x0085558827e2db66, 0x00c192bef387b736, ++ 0x00df6405a2225f2c, 0x0075205aa90fd91a, 0x0000137e3f12349d}, ++ {0x00ce5b115efcb07e, 0x00abc3308410deeb, 0x005dc6fc1de39904, 0x00907c1c496f36b4, ++ 0x0008e6ad3926cbe1, 0x00110747b787928c, 0x0000021b9162eb7e}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x008180042cfa26e1, 0x007b826a96254967, 0x0082473694d6b194, 0x007bd6880a45b589, ++ 0x00c0a5097072d1a3, 0x0019186555e18b4e, 0x000020278190e5ca}, ++ {0x00b4bef17de61ac0, 0x009535e3c38ed348, 0x002d4aa8e468ceab, 0x00ef40b431036ad3, ++ 0x00defd52f4542857, 0x0086edbf98234266, 0x00002025b3a7814d}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00b238aa97b886be, 0x00ef3192d6dd3a32, 0x0079f9e01fd62df8, 0x00742e890daba6c5, ++ 0x008e5289144408ce, 0x0073bbcc8e0171a5, 0x0000c4fd329d3b52}, ++ {0x00c6f64a15ee23e7, 0x00dcfb7b171cad8b, 0x00039f6cbd805867, 0x00de024e428d4562, ++ 0x00be6a594d7c64c5, 0x0078467b70dbcd64, 0x0000251f2ed7079b}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x000e5cc25fc4b872, 0x005ebf10d31ef4e1, 0x0061e0ebd11e8256, 0x0076e026096f5a27, ++ 0x0013e6fc44662e9a, 0x0042b00289d3597e, 0x000024f089170d88}, ++ {0x001604d7e0effbe6, 0x0048d77cba64ec2c, 0x008166b16da19e36, 0x006b0d1a0f28c088, ++ 0x000259fcd47754fd, 0x00cc643e4d725f9a, 0x00007b10f3c79c14}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00430155e3b908af, 0x00b801e4fec25226, 0x00b0d4bcfe806d26, 0x009fc4014eb13d37, ++ 0x0066c94e44ec07e8, 0x00d16adc03874ba2, 0x000030c917a0d2a7}, ++ {0x00edac9e21eb891c, 0x00ef0fb768102eff, 0x00c088cef272a5f3, 0x00cbf782134e2964, ++ 0x0001044a7ba9a0e3, 0x00e363f5b194cf3c, 0x00009ce85249e372}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x001dd492dda5a7eb, 0x008fd577be539fd1, 0x002ff4b25a5fc3f1, 0x0074a8a1b64df72f, ++ 0x002ba3d8c204a76c, 0x009d5cff95c8235a, 0x0000e014b9406e0f}, ++ {0x008c2e4dbfc98aba, 0x00f30bb89f1a1436, 0x00b46f7aea3e259c, 0x009224454ac02f54, ++ 0x00906401f5645fa2, 0x003a1d1940eabc77, 0x00007c9351d680e6}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x005a35d872ef967c, 0x0049f1b7884e1987, 0x0059d46d7e31f552, 0x00ceb4869d2d0fb6, ++ 0x00e8e89eee56802a, 0x0049d806a774aaf2, 0x0000147e2af0ae24}, ++ {0x005fd1bd852c6e5e, 0x00b674b7b3de6885, 0x003b9ea5eb9b6c08, 0x005c9f03babf3ef7, ++ 0x00605337fecab3c7, 0x009a3f85b11bbcc8, 0x0000455470f330ec}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x002197ff4d55498d, 0x00383e8916c2d8af, 0x00eb203f34d1c6d2, 0x0080367cbd11b542, ++ 0x00769b3be864e4f5, 0x0081a8458521c7bb, 0x0000c531b34d3539}, ++ {0x00e2a3d775fa2e13, 0x00534fc379573844, 0x00ff237d2a8db54a, 0x00d301b2335a8882, ++ 0x000f75ea96103a80, 0x0018fecb3cdd96fa, 0x0000304bf61e94eb}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00b2afc332a73dbd, 0x0029a0d5bb007bc5, 0x002d628eb210f577, 0x009f59a36dd05f50, ++ 0x006d339de4eca613, 0x00c75a71addc86bc, 0x000060384c5ea93c}, ++ {0x00aa9641c32a30b4, 0x00cc73ae8cce565d, 0x00ec911a4df07f61, 0x00aa4b762ea4b264, ++ 0x0096d395bb393629, 0x004efacfb7632fe0, 0x00006f252f46fa3f}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00567eec597c7af6, 0x0059ba6795204413, 0x00816d4e6f01196f, 0x004ae6b3eb57951d, ++ 0x00420f5abdda2108, 0x003401d1f57ca9d9, 0x0000cf5837b0b67a}, ++ {0x00eaa64b8aeeabf9, 0x00246ddf16bcb4de, 0x000e7e3c3aecd751, 0x0008449f04fed72e, ++ 0x00307b67ccf09183, 0x0017108c3556b7b1, 0x0000229b2483b3bf}, ++ {1, 0, 0, 0, 0, 0, 0}}, ++{{0x00e7c491a7bb78a1, 0x00eafddd1d3049ab, 0x00352c05e2bc7c98, 0x003d6880c165fa5c, ++ 0x00b6ac61cc11c97d, 0x00beeb54fcf90ce5, 0x0000dc1f0b455edc}, ++ {0x002db2e7aee34d60, 0x0073b5f415a2d8c0, 0x00dd84e4193e9a0c, 0x00d02d873467c572, ++ 0x0018baaeda60aee5, 0x0013fb11d697c61e, 0x000083aafcc3a973}, ++ {1, 0, 0, 0, 0, 0, 0}} ++}; ++ ++/* ++ * select_point selects the |idx|th point from a precomputation table and ++ * copies it to out. ++ * ++ * pre_comp below is of the size provided in |size|. ++ */ ++static void select_point(const limb idx, unsigned int size, ++ const felem pre_comp[][3], felem out[3]) ++{ ++ unsigned int i, j; ++ limb *outlimbs = &out[0][0]; ++ ++ memset(out, 0, sizeof(*out) * 3); ++ ++ for (i = 0; i < size; i++) { ++ const limb *inlimbs = &pre_comp[i][0][0]; ++ limb mask = i ^ idx; ++ ++ mask |= mask >> 4; ++ mask |= mask >> 2; ++ mask |= mask >> 1; ++ mask &= 1; ++ mask--; ++ for (j = 0; j < NLIMBS * 3; j++) ++ outlimbs[j] |= inlimbs[j] & mask; ++ } ++} ++ ++/* get_bit returns the |i|th bit in |in| */ ++static char get_bit(const felem_bytearray in, int i) ++{ ++ if (i < 0 || i >= 384) ++ return 0; ++ return (in[i >> 3] >> (i & 7)) & 1; ++} ++ ++/* ++ * Interleaved point multiplication using precomputed point multiples: The ++ * small point multiples 0*P, 1*P, ..., 16*P are in pre_comp[], the scalars ++ * in scalars[]. If g_scalar is non-NULL, we also add this multiple of the ++ * generator, using certain (large) precomputed multiples in g_pre_comp. ++ * Output point (X, Y, Z) is stored in x_out, y_out, z_out ++ */ ++static void batch_mul(felem x_out, felem y_out, felem z_out, ++ const felem_bytearray scalars[], ++ const unsigned int num_points, const u8 *g_scalar, ++ const int mixed, const felem pre_comp[][17][3], ++ const felem g_pre_comp[16][3]) ++{ ++ int i, skip; ++ unsigned int num, gen_mul = (g_scalar != NULL); ++ felem nq[3], tmp[4]; ++ limb bits; ++ u8 sign, digit; ++ ++ /* set nq to the point at infinity */ ++ memset(nq, 0, sizeof(nq)); ++ ++ /* ++ * Loop over all scalars msb-to-lsb, interleaving additions of multiples ++ * of the generator (last quarter of rounds) and additions of other ++ * points multiples (every 5th round). ++ */ ++ skip = 1; /* save two point operations in the first ++ * round */ ++ for (i = (num_points ? 380 : 98); i >= 0; --i) { ++ /* double */ ++ if (!skip) ++ point_double(nq[0], nq[1], nq[2], nq[0], nq[1], nq[2]); ++ ++ /* add multiples of the generator */ ++ if (gen_mul && (i <= 98)) { ++ bits = get_bit(g_scalar, i + 285) << 3; ++ if (i < 95) { ++ bits |= get_bit(g_scalar, i + 190) << 2; ++ bits |= get_bit(g_scalar, i + 95) << 1; ++ bits |= get_bit(g_scalar, i); ++ } ++ /* select the point to add, in constant time */ ++ select_point(bits, 16, g_pre_comp, tmp); ++ if (!skip) { ++ /* The 1 argument below is for "mixed" */ ++ point_add(nq[0], nq[1], nq[2], ++ nq[0], nq[1], nq[2], 1, ++ tmp[0], tmp[1], tmp[2]); ++ } else { ++ memcpy(nq, tmp, 3 * sizeof(felem)); ++ skip = 0; ++ } ++ } ++ ++ /* do other additions every 5 doublings */ ++ if (num_points && (i % 5 == 0)) { ++ /* loop over all scalars */ ++ for (num = 0; num < num_points; ++num) { ++ bits = get_bit(scalars[num], i + 4) << 5; ++ bits |= get_bit(scalars[num], i + 3) << 4; ++ bits |= get_bit(scalars[num], i + 2) << 3; ++ bits |= get_bit(scalars[num], i + 1) << 2; ++ bits |= get_bit(scalars[num], i) << 1; ++ bits |= get_bit(scalars[num], i - 1); ++ ossl_ec_GFp_nistp_recode_scalar_bits(&sign, &digit, bits); ++ ++ /* ++ * select the point to add or subtract, in constant time ++ */ ++ select_point(digit, 17, pre_comp[num], tmp); ++ felem_neg(tmp[3], tmp[1]); /* (X, -Y, Z) is the negative ++ * point */ ++ copy_conditional(tmp[1], tmp[3], (-(limb) sign)); ++ ++ if (!skip) { ++ point_add(nq[0], nq[1], nq[2], ++ nq[0], nq[1], nq[2], mixed, ++ tmp[0], tmp[1], tmp[2]); ++ } else { ++ memcpy(nq, tmp, 3 * sizeof(felem)); ++ skip = 0; ++ } ++ } ++ } ++ } ++ felem_assign(x_out, nq[0]); ++ felem_assign(y_out, nq[1]); ++ felem_assign(z_out, nq[2]); ++} ++ ++/* Precomputation for the group generator. */ ++struct nistp384_pre_comp_st { ++ felem g_pre_comp[16][3]; ++ CRYPTO_REF_COUNT refcnt; ++ CRYPTO_RWLOCK *refcnt_lock; ++}; ++ ++const EC_METHOD *ossl_ec_GFp_nistp384_method(void) ++{ ++ static const EC_METHOD ret = { ++ EC_FLAGS_DEFAULT_OCT, ++ NID_X9_62_prime_field, ++ ossl_ec_GFp_nistp384_group_init, ++ ossl_ec_GFp_simple_group_finish, ++ ossl_ec_GFp_simple_group_clear_finish, ++ ossl_ec_GFp_nist_group_copy, ++ ossl_ec_GFp_nistp384_group_set_curve, ++ ossl_ec_GFp_simple_group_get_curve, ++ ossl_ec_GFp_simple_group_get_degree, ++ ossl_ec_group_simple_order_bits, ++ ossl_ec_GFp_simple_group_check_discriminant, ++ ossl_ec_GFp_simple_point_init, ++ ossl_ec_GFp_simple_point_finish, ++ ossl_ec_GFp_simple_point_clear_finish, ++ ossl_ec_GFp_simple_point_copy, ++ ossl_ec_GFp_simple_point_set_to_infinity, ++ ossl_ec_GFp_simple_point_set_affine_coordinates, ++ ossl_ec_GFp_nistp384_point_get_affine_coordinates, ++ 0, /* point_set_compressed_coordinates */ ++ 0, /* point2oct */ ++ 0, /* oct2point */ ++ ossl_ec_GFp_simple_add, ++ ossl_ec_GFp_simple_dbl, ++ ossl_ec_GFp_simple_invert, ++ ossl_ec_GFp_simple_is_at_infinity, ++ ossl_ec_GFp_simple_is_on_curve, ++ ossl_ec_GFp_simple_cmp, ++ ossl_ec_GFp_simple_make_affine, ++ ossl_ec_GFp_simple_points_make_affine, ++ ossl_ec_GFp_nistp384_points_mul, ++ ossl_ec_GFp_nistp384_precompute_mult, ++ ossl_ec_GFp_nistp384_have_precompute_mult, ++ ossl_ec_GFp_nist_field_mul, ++ ossl_ec_GFp_nist_field_sqr, ++ 0, /* field_div */ ++ ossl_ec_GFp_simple_field_inv, ++ 0, /* field_encode */ ++ 0, /* field_decode */ ++ 0, /* field_set_to_one */ ++ ossl_ec_key_simple_priv2oct, ++ ossl_ec_key_simple_oct2priv, ++ 0, /* set private */ ++ ossl_ec_key_simple_generate_key, ++ ossl_ec_key_simple_check_key, ++ ossl_ec_key_simple_generate_public_key, ++ 0, /* keycopy */ ++ 0, /* keyfinish */ ++ ossl_ecdh_simple_compute_key, ++ ossl_ecdsa_simple_sign_setup, ++ ossl_ecdsa_simple_sign_sig, ++ ossl_ecdsa_simple_verify_sig, ++ 0, /* field_inverse_mod_ord */ ++ 0, /* blind_coordinates */ ++ 0, /* ladder_pre */ ++ 0, /* ladder_step */ ++ 0 /* ladder_post */ ++ }; ++ ++ return &ret; ++} ++ ++/******************************************************************************/ ++/* ++ * FUNCTIONS TO MANAGE PRECOMPUTATION ++ */ ++ ++static NISTP384_PRE_COMP *nistp384_pre_comp_new(void) ++{ ++ NISTP384_PRE_COMP *ret = OPENSSL_zalloc(sizeof(*ret)); ++ ++ if (ret == NULL || (ret->refcnt_lock = CRYPTO_THREAD_lock_new()) == NULL) { ++ OPENSSL_free(ret); ++ return NULL; ++ } ++ ++ ret->refcnt = 1; ++ return ret; ++} ++ ++NISTP384_PRE_COMP *ossl_ec_nistp384_pre_comp_dup(NISTP384_PRE_COMP *p) ++{ ++ int i; ++ ++ if (p != NULL) ++ CRYPTO_UP_REF(&p->refcnt, &i, p->refcnt_lock); ++ return p; ++} ++ ++void ossl_ec_nistp384_pre_comp_free(NISTP384_PRE_COMP *p) ++{ ++ int i; ++ ++ if (p == NULL) ++ return; ++ ++ CRYPTO_DOWN_REF(&p->refcnt, &i, p->refcnt_lock); ++ REF_PRINT_COUNT("ossl_ec_nistp384", p); ++ if (i > 0) ++ return; ++ REF_ASSERT_ISNT(i < 0); ++ ++ CRYPTO_THREAD_lock_free(p->refcnt_lock); ++ OPENSSL_free(p); ++} ++ ++/******************************************************************************/ ++/* ++ * OPENSSL EC_METHOD FUNCTIONS ++ */ ++ ++int ossl_ec_GFp_nistp384_group_init(EC_GROUP *group) ++{ ++ int ret; ++ ++ ret = ossl_ec_GFp_simple_group_init(group); ++ group->a_is_minus3 = 1; ++ return ret; ++} ++ ++int ossl_ec_GFp_nistp384_group_set_curve(EC_GROUP *group, const BIGNUM *p, ++ const BIGNUM *a, const BIGNUM *b, ++ BN_CTX *ctx) ++{ ++ int ret = 0; ++ BIGNUM *curve_p, *curve_a, *curve_b; ++#ifndef FIPS_MODULE ++ BN_CTX *new_ctx = NULL; ++ ++ if (ctx == NULL) ++ ctx = new_ctx = BN_CTX_new(); ++#endif ++ if (ctx == NULL) ++ return 0; ++ ++ BN_CTX_start(ctx); ++ curve_p = BN_CTX_get(ctx); ++ curve_a = BN_CTX_get(ctx); ++ curve_b = BN_CTX_get(ctx); ++ if (curve_b == NULL) ++ goto err; ++ BN_bin2bn(nistp384_curve_params[0], sizeof(felem_bytearray), curve_p); ++ BN_bin2bn(nistp384_curve_params[1], sizeof(felem_bytearray), curve_a); ++ BN_bin2bn(nistp384_curve_params[2], sizeof(felem_bytearray), curve_b); ++ if ((BN_cmp(curve_p, p)) || (BN_cmp(curve_a, a)) || (BN_cmp(curve_b, b))) { ++ ERR_raise(ERR_LIB_EC, EC_R_WRONG_CURVE_PARAMETERS); ++ goto err; ++ } ++ group->field_mod_func = BN_nist_mod_384; ++ ret = ossl_ec_GFp_simple_group_set_curve(group, p, a, b, ctx); ++ err: ++ BN_CTX_end(ctx); ++#ifndef FIPS_MODULE ++ BN_CTX_free(new_ctx); ++#endif ++ return ret; ++} ++ ++/* ++ * Takes the Jacobian coordinates (X, Y, Z) of a point and returns (X', Y') = ++ * (X/Z^2, Y/Z^3) ++ */ ++int ossl_ec_GFp_nistp384_point_get_affine_coordinates(const EC_GROUP *group, ++ const EC_POINT *point, ++ BIGNUM *x, BIGNUM *y, ++ BN_CTX *ctx) ++{ ++ felem z1, z2, x_in, y_in, x_out, y_out; ++ widefelem tmp; ++ ++ if (EC_POINT_is_at_infinity(group, point)) { ++ ERR_raise(ERR_LIB_EC, EC_R_POINT_AT_INFINITY); ++ return 0; ++ } ++ if ((!BN_to_felem(x_in, point->X)) || (!BN_to_felem(y_in, point->Y)) || ++ (!BN_to_felem(z1, point->Z))) ++ return 0; ++ felem_inv(z2, z1); ++ felem_square(tmp, z2); ++ felem_reduce(z1, tmp); ++ felem_mul(tmp, x_in, z1); ++ felem_reduce(x_in, tmp); ++ felem_contract(x_out, x_in); ++ if (x != NULL) { ++ if (!felem_to_BN(x, x_out)) { ++ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); ++ return 0; ++ } ++ } ++ felem_mul(tmp, z1, z2); ++ felem_reduce(z1, tmp); ++ felem_mul(tmp, y_in, z1); ++ felem_reduce(y_in, tmp); ++ felem_contract(y_out, y_in); ++ if (y != NULL) { ++ if (!felem_to_BN(y, y_out)) { ++ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); ++ return 0; ++ } ++ } ++ return 1; ++} ++ ++/* points below is of size |num|, and tmp_felems is of size |num+1/ */ ++static void make_points_affine(size_t num, felem points[][3], ++ felem tmp_felems[]) ++{ ++ /* ++ * Runs in constant time, unless an input is the point at infinity (which ++ * normally shouldn't happen). ++ */ ++ ossl_ec_GFp_nistp_points_make_affine_internal(num, ++ points, ++ sizeof(felem), ++ tmp_felems, ++ (void (*)(void *))felem_one, ++ felem_is_zero_int, ++ (void (*)(void *, const void *)) ++ felem_assign, ++ (void (*)(void *, const void *)) ++ felem_square_reduce, ++ (void (*)(void *, const void *, const void*)) ++ felem_mul_reduce, ++ (void (*)(void *, const void *)) ++ felem_inv, ++ (void (*)(void *, const void *)) ++ felem_contract); ++} ++ ++/* ++ * Computes scalar*generator + \sum scalars[i]*points[i], ignoring NULL ++ * values Result is stored in r (r can equal one of the inputs). ++ */ ++int ossl_ec_GFp_nistp384_points_mul(const EC_GROUP *group, EC_POINT *r, ++ const BIGNUM *scalar, size_t num, ++ const EC_POINT *points[], ++ const BIGNUM *scalars[], BN_CTX *ctx) ++{ ++ int ret = 0; ++ int j; ++ int mixed = 0; ++ BIGNUM *x, *y, *z, *tmp_scalar; ++ felem_bytearray g_secret; ++ felem_bytearray *secrets = NULL; ++ felem (*pre_comp)[17][3] = NULL; ++ felem *tmp_felems = NULL; ++ unsigned int i; ++ int num_bytes; ++ int have_pre_comp = 0; ++ size_t num_points = num; ++ felem x_in, y_in, z_in, x_out, y_out, z_out; ++ NISTP384_PRE_COMP *pre = NULL; ++ felem(*g_pre_comp)[3] = NULL; ++ EC_POINT *generator = NULL; ++ const EC_POINT *p = NULL; ++ const BIGNUM *p_scalar = NULL; ++ ++ BN_CTX_start(ctx); ++ x = BN_CTX_get(ctx); ++ y = BN_CTX_get(ctx); ++ z = BN_CTX_get(ctx); ++ tmp_scalar = BN_CTX_get(ctx); ++ if (tmp_scalar == NULL) ++ goto err; ++ ++ if (scalar != NULL) { ++ pre = group->pre_comp.nistp384; ++ if (pre) ++ /* we have precomputation, try to use it */ ++ g_pre_comp = &pre->g_pre_comp[0]; ++ else ++ /* try to use the standard precomputation */ ++ g_pre_comp = (felem(*)[3]) gmul; ++ generator = EC_POINT_new(group); ++ if (generator == NULL) ++ goto err; ++ /* get the generator from precomputation */ ++ if (!felem_to_BN(x, g_pre_comp[1][0]) || ++ !felem_to_BN(y, g_pre_comp[1][1]) || ++ !felem_to_BN(z, g_pre_comp[1][2])) { ++ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); ++ goto err; ++ } ++ if (!ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, ++ generator, ++ x, y, z, ctx)) ++ goto err; ++ if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) ++ /* precomputation matches generator */ ++ have_pre_comp = 1; ++ else ++ /* ++ * we don't have valid precomputation: treat the generator as a ++ * random point ++ */ ++ num_points++; ++ } ++ ++ if (num_points > 0) { ++ if (num_points >= 2) { ++ /* ++ * unless we precompute multiples for just one point, converting ++ * those into affine form is time well spent ++ */ ++ mixed = 1; ++ } ++ secrets = OPENSSL_zalloc(sizeof(*secrets) * num_points); ++ pre_comp = OPENSSL_zalloc(sizeof(*pre_comp) * num_points); ++ if (mixed) ++ tmp_felems = ++ OPENSSL_malloc(sizeof(*tmp_felems) * (num_points * 17 + 1)); ++ if ((secrets == NULL) || (pre_comp == NULL) ++ || (mixed && (tmp_felems == NULL))) ++ goto err; ++ ++ /* ++ * we treat NULL scalars as 0, and NULL points as points at infinity, ++ * i.e., they contribute nothing to the linear combination ++ */ ++ for (i = 0; i < num_points; ++i) { ++ if (i == num) { ++ /* ++ * we didn't have a valid precomputation, so we pick the ++ * generator ++ */ ++ p = EC_GROUP_get0_generator(group); ++ p_scalar = scalar; ++ } else { ++ /* the i^th point */ ++ p = points[i]; ++ p_scalar = scalars[i]; ++ } ++ if (p_scalar != NULL && p != NULL) { ++ /* reduce scalar to 0 <= scalar < 2^384 */ ++ if ((BN_num_bits(p_scalar) > 384) ++ || (BN_is_negative(p_scalar))) { ++ /* ++ * this is an unusual input, and we don't guarantee ++ * constant-timeness ++ */ ++ if (!BN_nnmod(tmp_scalar, p_scalar, group->order, ctx)) { ++ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); ++ goto err; ++ } ++ num_bytes = BN_bn2lebinpad(tmp_scalar, ++ secrets[i], sizeof(secrets[i])); ++ } else { ++ num_bytes = BN_bn2lebinpad(p_scalar, ++ secrets[i], sizeof(secrets[i])); ++ } ++ if (num_bytes < 0) { ++ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); ++ goto err; ++ } ++ /* precompute multiples */ ++ if ((!BN_to_felem(x_out, p->X)) || ++ (!BN_to_felem(y_out, p->Y)) || ++ (!BN_to_felem(z_out, p->Z))) ++ goto err; ++ memcpy(pre_comp[i][1][0], x_out, sizeof(felem)); ++ memcpy(pre_comp[i][1][1], y_out, sizeof(felem)); ++ memcpy(pre_comp[i][1][2], z_out, sizeof(felem)); ++ for (j = 2; j <= 16; ++j) { ++ if (j & 1) { ++ point_add(pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2], ++ pre_comp[i][1][0], pre_comp[i][1][1], pre_comp[i][1][2], 0, ++ pre_comp[i][j - 1][0], pre_comp[i][j - 1][1], pre_comp[i][j - 1][2]); ++ } else { ++ point_double(pre_comp[i][j][0], pre_comp[i][j][1], pre_comp[i][j][2], ++ pre_comp[i][j / 2][0], pre_comp[i][j / 2][1], pre_comp[i][j / 2][2]); ++ } ++ } ++ } ++ } ++ if (mixed) ++ make_points_affine(num_points * 17, pre_comp[0], tmp_felems); ++ } ++ ++ /* the scalar for the generator */ ++ if (scalar != NULL && have_pre_comp) { ++ memset(g_secret, 0, sizeof(g_secret)); ++ /* reduce scalar to 0 <= scalar < 2^384 */ ++ if ((BN_num_bits(scalar) > 384) || (BN_is_negative(scalar))) { ++ /* ++ * this is an unusual input, and we don't guarantee ++ * constant-timeness ++ */ ++ if (!BN_nnmod(tmp_scalar, scalar, group->order, ctx)) { ++ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); ++ goto err; ++ } ++ num_bytes = BN_bn2lebinpad(tmp_scalar, g_secret, sizeof(g_secret)); ++ } else { ++ num_bytes = BN_bn2lebinpad(scalar, g_secret, sizeof(g_secret)); ++ } ++ /* do the multiplication with generator precomputation */ ++ batch_mul(x_out, y_out, z_out, ++ (const felem_bytearray(*))secrets, num_points, ++ g_secret, ++ mixed, (const felem(*)[17][3])pre_comp, ++ (const felem(*)[3])g_pre_comp); ++ } else { ++ /* do the multiplication without generator precomputation */ ++ batch_mul(x_out, y_out, z_out, ++ (const felem_bytearray(*))secrets, num_points, ++ NULL, mixed, (const felem(*)[17][3])pre_comp, NULL); ++ } ++ /* reduce the output to its unique minimal representation */ ++ felem_contract(x_in, x_out); ++ felem_contract(y_in, y_out); ++ felem_contract(z_in, z_out); ++ if ((!felem_to_BN(x, x_in)) || (!felem_to_BN(y, y_in)) || ++ (!felem_to_BN(z, z_in))) { ++ ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); ++ goto err; ++ } ++ ret = ossl_ec_GFp_simple_set_Jprojective_coordinates_GFp(group, r, x, y, z, ++ ctx); ++ ++ err: ++ BN_CTX_end(ctx); ++ EC_POINT_free(generator); ++ OPENSSL_free(secrets); ++ OPENSSL_free(pre_comp); ++ OPENSSL_free(tmp_felems); ++ return ret; ++} ++ ++int ossl_ec_GFp_nistp384_precompute_mult(EC_GROUP *group, BN_CTX *ctx) ++{ ++ int ret = 0; ++ NISTP384_PRE_COMP *pre = NULL; ++ int i, j; ++ BIGNUM *x, *y; ++ EC_POINT *generator = NULL; ++ felem tmp_felems[16]; ++#ifndef FIPS_MODULE ++ BN_CTX *new_ctx = NULL; ++#endif ++ ++ /* throw away old precomputation */ ++ EC_pre_comp_free(group); ++ ++#ifndef FIPS_MODULE ++ if (ctx == NULL) ++ ctx = new_ctx = BN_CTX_new(); ++#endif ++ if (ctx == NULL) ++ return 0; ++ ++ BN_CTX_start(ctx); ++ x = BN_CTX_get(ctx); ++ y = BN_CTX_get(ctx); ++ if (y == NULL) ++ goto err; ++ /* get the generator */ ++ if (group->generator == NULL) ++ goto err; ++ generator = EC_POINT_new(group); ++ if (generator == NULL) ++ goto err; ++ BN_bin2bn(nistp384_curve_params[3], sizeof(felem_bytearray), x); ++ BN_bin2bn(nistp384_curve_params[4], sizeof(felem_bytearray), y); ++ if (!EC_POINT_set_affine_coordinates(group, generator, x, y, ctx)) ++ goto err; ++ if ((pre = nistp384_pre_comp_new()) == NULL) ++ goto err; ++ /* ++ * if the generator is the standard one, use built-in precomputation ++ */ ++ if (0 == EC_POINT_cmp(group, generator, group->generator, ctx)) { ++ memcpy(pre->g_pre_comp, gmul, sizeof(pre->g_pre_comp)); ++ goto done; ++ } ++ if ((!BN_to_felem(pre->g_pre_comp[1][0], group->generator->X)) || ++ (!BN_to_felem(pre->g_pre_comp[1][1], group->generator->Y)) || ++ (!BN_to_felem(pre->g_pre_comp[1][2], group->generator->Z))) ++ goto err; ++ /* compute 2^95*G, 2^190*G, 2^285*G */ ++ for (i = 1; i <= 4; i <<= 1) { ++ point_double(pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2], ++ pre->g_pre_comp[i][0], pre->g_pre_comp[i][1], pre->g_pre_comp[i][2]); ++ for (j = 0; j < 94; ++j) { ++ point_double(pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2], ++ pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2]); ++ } ++ } ++ /* g_pre_comp[0] is the point at infinity */ ++ memset(pre->g_pre_comp[0], 0, sizeof(pre->g_pre_comp[0])); ++ /* the remaining multiples */ ++ /* 2^95*G + 2^190*G */ ++ point_add(pre->g_pre_comp[6][0], pre->g_pre_comp[6][1], pre->g_pre_comp[6][2], ++ pre->g_pre_comp[4][0], pre->g_pre_comp[4][1], pre->g_pre_comp[4][2], 0, ++ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]); ++ /* 2^95*G + 2^285*G */ ++ point_add(pre->g_pre_comp[10][0], pre->g_pre_comp[10][1], pre->g_pre_comp[10][2], ++ pre->g_pre_comp[8][0], pre->g_pre_comp[8][1], pre->g_pre_comp[8][2], 0, ++ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]); ++ /* 2^190*G + 2^285*G */ ++ point_add(pre->g_pre_comp[12][0], pre->g_pre_comp[12][1], pre->g_pre_comp[12][2], ++ pre->g_pre_comp[8][0], pre->g_pre_comp[8][1], pre->g_pre_comp[8][2], 0, ++ pre->g_pre_comp[4][0], pre->g_pre_comp[4][1], pre->g_pre_comp[4][2]); ++ /* 2^95*G + 2^190*G + 2^285*G */ ++ point_add(pre->g_pre_comp[14][0], pre->g_pre_comp[14][1], pre->g_pre_comp[14][2], ++ pre->g_pre_comp[12][0], pre->g_pre_comp[12][1], pre->g_pre_comp[12][2], 0, ++ pre->g_pre_comp[2][0], pre->g_pre_comp[2][1], pre->g_pre_comp[2][2]); ++ for (i = 1; i < 8; ++i) { ++ /* odd multiples: add G */ ++ point_add(pre->g_pre_comp[2 * i + 1][0], pre->g_pre_comp[2 * i + 1][1], pre->g_pre_comp[2 * i + 1][2], ++ pre->g_pre_comp[2 * i][0], pre->g_pre_comp[2 * i][1], pre->g_pre_comp[2 * i][2], 0, ++ pre->g_pre_comp[1][0], pre->g_pre_comp[1][1], pre->g_pre_comp[1][2]); ++ } ++ make_points_affine(15, &(pre->g_pre_comp[1]), tmp_felems); ++ ++ done: ++ SETPRECOMP(group, nistp384, pre); ++ ret = 1; ++ pre = NULL; ++ err: ++ BN_CTX_end(ctx); ++ EC_POINT_free(generator); ++#ifndef FIPS_MODULE ++ BN_CTX_free(new_ctx); ++#endif ++ ossl_ec_nistp384_pre_comp_free(pre); ++ return ret; ++} ++ ++int ossl_ec_GFp_nistp384_have_precompute_mult(const EC_GROUP *group) ++{ ++ return HAVEPRECOMP(group, nistp384); ++} diff --git a/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch b/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch new file mode 100644 index 0000000..90f12cd --- /dev/null +++ b/openssl-ec-Use-static-linkage-on-nistp521-felem_-square-mul-.patch @@ -0,0 +1,65 @@ +From 3e47a286dc3274bda72a196c3a4030a1fc8302f1 Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Fri, 23 Jun 2023 16:41:48 +1000 +Subject: [PATCH] ec: Use static linkage on nistp521 felem_{square,mul} + wrappers + +Runtime selection of implementations for felem_{square,mul} depends on +felem_{square,mul}_wrapper functions, which overwrite function points in +a similar design to that of .plt.got sections used by program loaders +during dynamic linking. + +There's no reason why these functions need to have external linkage. +Mark static. + +Signed-off-by: Rohan McLure + +Reviewed-by: Paul Dale +Reviewed-by: Shane Lontis +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Todd Short +(Merged from https://github.com/openssl/openssl/pull/21471) +--- + crypto/ec/ecp_nistp521.c | 10 +++++----- + 1 file changed, 5 insertions(+), 5 deletions(-) + +diff --git a/crypto/ec/ecp_nistp521.c b/crypto/ec/ecp_nistp521.c +index 97815cac1f13..32a9268ecf17 100644 +--- a/crypto/ec/ecp_nistp521.c ++++ b/crypto/ec/ecp_nistp521.c +@@ -676,8 +676,8 @@ static void felem_reduce(felem out, const largefelem in) + } + + #if defined(ECP_NISTP521_ASM) +-void felem_square_wrapper(largefelem out, const felem in); +-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2); ++static void felem_square_wrapper(largefelem out, const felem in); ++static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2); + + static void (*felem_square_p)(largefelem out, const felem in) = + felem_square_wrapper; +@@ -691,7 +691,7 @@ void p521_felem_mul(largefelem out, const felem in1, const felem in2); + # include "crypto/ppc_arch.h" + # endif + +-void felem_select(void) ++static void felem_select(void) + { + # if defined(_ARCH_PPC64) + if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) { +@@ -707,13 +707,13 @@ void felem_select(void) + felem_mul_p = felem_mul_ref; + } + +-void felem_square_wrapper(largefelem out, const felem in) ++static void felem_square_wrapper(largefelem out, const felem in) + { + felem_select(); + felem_square_p(out, in); + } + +-void felem_mul_wrapper(largefelem out, const felem in1, const felem in2) ++static void felem_mul_wrapper(largefelem out, const felem in1, const felem in2) + { + felem_select(); + felem_mul_p(out, in1, in2); diff --git a/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch b/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch new file mode 100644 index 0000000..91bb470 --- /dev/null +++ b/openssl-ec-powerpc64le-Add-asm-implementation-of-felem_-squa.patch @@ -0,0 +1,428 @@ +From 966047ee13188e8634af25af348940acceb9316d Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Wed, 31 May 2023 14:32:26 +1000 +Subject: [PATCH] ec: powerpc64le: Add asm implementation of felem_{square,mul} + +Add an assembly implementation of felem_{square,mul}, which will be +implemented whenever Altivec support is present and the core implements +ISA 3.0 (Power 9) or greater. + +Signed-off-by: Rohan McLure + +Reviewed-by: Paul Dale +Reviewed-by: Shane Lontis +Reviewed-by: Dmitry Belyavskiy +Reviewed-by: Todd Short +(Merged from https://github.com/openssl/openssl/pull/21471) +--- + crypto/ec/asm/ecp_nistp384-ppc64.pl | 355 ++++++++++++++++++++++++++++ + crypto/ec/build.info | 6 +- + crypto/ec/ecp_nistp384.c | 9 + + 3 files changed, 368 insertions(+), 2 deletions(-) + create mode 100755 crypto/ec/asm/ecp_nistp384-ppc64.pl + +diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl +new file mode 100755 +index 000000000000..3f86b391af69 +--- /dev/null ++++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl +@@ -0,0 +1,355 @@ ++#! /usr/bin/env perl ++# Copyright 2023 The OpenSSL Project Authors. All Rights Reserved. ++# ++# Licensed under the Apache License 2.0 (the "License"). You may not use ++# this file except in compliance with the License. You can obtain a copy ++# in the file LICENSE in the source distribution or at ++# https://www.openssl.org/source/license.html ++# ++# ==================================================================== ++# Written by Rohan McLure for the OpenSSL ++# project. ++# ==================================================================== ++# ++# p384 lower-level primitives for PPC64 using vector instructions. ++# ++ ++use strict; ++use warnings; ++ ++my $flavour = shift; ++my $output = ""; ++while (($output=shift) && ($output!~/\w[\w\-]*\.\w+$/)) {} ++if (!$output) { ++ $output = "-"; ++} ++ ++my ($xlate, $dir); ++$0 =~ m/(.*[\/\\])[^\/\\]+$/; $dir=$1; ++( $xlate="${dir}ppc-xlate.pl" and -f $xlate ) or ++( $xlate="${dir}../../perlasm/ppc-xlate.pl" and -f $xlate) or ++die "can't locate ppc-xlate.pl"; ++ ++open OUT,"| \"$^X\" $xlate $flavour $output"; ++*STDOUT=*OUT; ++ ++my $code = ""; ++ ++my ($sp, $outp, $savelr, $savesp) = ("r1", "r3", "r10", "r12"); ++ ++my $vzero = "v32"; ++ ++sub startproc($) ++{ ++ my ($name) = @_; ++ ++ $code.=<<___; ++ .globl ${name} ++ .align 5 ++${name}: ++ ++___ ++} ++ ++sub endproc($) ++{ ++ my ($name) = @_; ++ ++ $code.=<<___; ++ blr ++ .size ${name},.-${name} ++ ++___ ++} ++ ++ ++sub push_vrs($$) ++{ ++ my ($min, $max) = @_; ++ ++ my $count = $max - $min + 1; ++ ++ $code.=<<___; ++ mr $savesp,$sp ++ stdu $sp,-16*`$count+1`($sp) ++ ++___ ++ for (my $i = $min; $i <= $max; $i++) { ++ my $mult = $max - $i + 1; ++ $code.=<<___; ++ stxv $i,-16*$mult($savesp) ++___ ++ ++ } ++ ++ $code.=<<___; ++ ++___ ++} ++ ++sub pop_vrs($$) ++{ ++ my ($min, $max) = @_; ++ ++ $code.=<<___; ++ ld $savesp,0($sp) ++___ ++ for (my $i = $min; $i <= $max; $i++) { ++ my $mult = $max - $i + 1; ++ $code.=<<___; ++ lxv $i,-16*$mult($savesp) ++___ ++ } ++ ++ $code.=<<___; ++ mr $sp,$savesp ++ ++___ ++} ++ ++sub load_vrs($$) ++{ ++ my ($pointer, $reg_list) = @_; ++ ++ for (my $i = 0; $i <= 6; $i++) { ++ my $offset = $i * 8; ++ $code.=<<___; ++ lxsd $reg_list->[$i],$offset($pointer) ++___ ++ } ++ ++ $code.=<<___; ++ ++___ ++} ++ ++sub store_vrs($$) ++{ ++ my ($pointer, $reg_list) = @_; ++ ++ for (my $i = 0; $i <= 12; $i++) { ++ my $offset = $i * 16; ++ $code.=<<___; ++ stxv $reg_list->[$i],$offset($pointer) ++___ ++ } ++ ++ $code.=<<___; ++ ++___ ++} ++ ++$code.=<<___; ++.machine "any" ++.text ++ ++___ ++ ++{ ++ # mul/square common ++ my ($t1, $t2, $t3, $t4) = ("v33", "v34", "v42", "v43"); ++ my ($zero, $one) = ("r8", "r9"); ++ my $out = "v51"; ++ ++ { ++ # ++ # p384_felem_mul ++ # ++ ++ my ($in1p, $in2p) = ("r4", "r5"); ++ my @in1 = map("v$_",(44..50)); ++ my @in2 = map("v$_",(35..41)); ++ ++ startproc("p384_felem_mul"); ++ ++ push_vrs(52, 63); ++ ++ $code.=<<___; ++ vspltisw $vzero,0 ++ ++___ ++ ++ load_vrs($in1p, \@in1); ++ load_vrs($in2p, \@in2); ++ ++ $code.=<<___; ++ vmsumudm $out,$in1[0],$in2[0],$vzero ++ stxv $out,0($outp) ++ ++ xxpermdi $t1,$in1[0],$in1[1],0b00 ++ xxpermdi $t2,$in2[1],$in2[0],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ stxv $out,16($outp) ++ ++ xxpermdi $t2,$in2[2],$in2[1],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$in1[2],$in2[0],$out ++ stxv $out,32($outp) ++ ++ xxpermdi $t2,$in2[1],$in2[0],0b00 ++ xxpermdi $t3,$in1[2],$in1[3],0b00 ++ xxpermdi $t4,$in2[3],$in2[2],0b00 ++ vmsumudm $out,$t1,$t4,$vzero ++ vmsumudm $out,$t3,$t2,$out ++ stxv $out,48($outp) ++ ++ xxpermdi $t2,$in2[4],$in2[3],0b00 ++ xxpermdi $t4,$in2[2],$in2[1],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$t3,$t4,$out ++ vmsumudm $out,$in1[4],$in2[0],$out ++ stxv $out,64($outp) ++ ++ xxpermdi $t2,$in2[5],$in2[4],0b00 ++ xxpermdi $t4,$in2[3],$in2[2],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$t3,$t4,$out ++ xxpermdi $t4,$in2[1],$in2[0],0b00 ++ xxpermdi $t1,$in1[4],$in1[5],0b00 ++ vmsumudm $out,$t1,$t4,$out ++ stxv $out,80($outp) ++ ++ xxpermdi $t1,$in1[0],$in1[1],0b00 ++ xxpermdi $t2,$in2[6],$in2[5],0b00 ++ xxpermdi $t4,$in2[4],$in2[3],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$t3,$t4,$out ++ xxpermdi $t2,$in2[2],$in2[1],0b00 ++ xxpermdi $t1,$in1[4],$in1[5],0b00 ++ vmsumudm $out,$t1,$t2,$out ++ vmsumudm $out,$in1[6],$in2[0],$out ++ stxv $out,96($outp) ++ ++ xxpermdi $t1,$in1[1],$in1[2],0b00 ++ xxpermdi $t2,$in2[6],$in2[5],0b00 ++ xxpermdi $t3,$in1[3],$in1[4],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$t3,$t4,$out ++ xxpermdi $t3,$in2[2],$in2[1],0b00 ++ xxpermdi $t1,$in1[5],$in1[6],0b00 ++ vmsumudm $out,$t1,$t3,$out ++ stxv $out,112($outp) ++ ++ xxpermdi $t1,$in1[2],$in1[3],0b00 ++ xxpermdi $t3,$in1[4],$in1[5],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$t3,$t4,$out ++ vmsumudm $out,$in1[6],$in2[2],$out ++ stxv $out,128($outp) ++ ++ xxpermdi $t1,$in1[3],$in1[4],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ xxpermdi $t1,$in1[5],$in1[6],0b00 ++ vmsumudm $out,$t1,$t4,$out ++ stxv $out,144($outp) ++ ++ vmsumudm $out,$t3,$t2,$vzero ++ vmsumudm $out,$in1[6],$in2[4],$out ++ stxv $out,160($outp) ++ ++ vmsumudm $out,$t1,$t2,$vzero ++ stxv $out,176($outp) ++ ++ vmsumudm $out,$in1[6],$in2[6],$vzero ++ stxv $out,192($outp) ++___ ++ ++ endproc("p384_felem_mul"); ++ } ++ ++ { ++ # ++ # p384_felem_square ++ # ++ ++ my ($inp) = ("r4"); ++ my @in = map("v$_",(44..50)); ++ my @inx2 = map("v$_",(35..41)); ++ ++ startproc("p384_felem_square"); ++ ++ push_vrs(52, 63); ++ ++ $code.=<<___; ++ vspltisw $vzero,0 ++ ++___ ++ ++ load_vrs($inp, \@in); ++ ++ $code.=<<___; ++ li $zero,0 ++ li $one,1 ++ mtvsrdd $t1,$one,$zero ++___ ++ ++ for (my $i = 0; $i <= 6; $i++) { ++ $code.=<<___; ++ vsld $inx2[$i],$in[$i],$t1 ++___ ++ } ++ ++ $code.=<<___; ++ vmsumudm $out,$in[0],$in[0],$vzero ++ stxv $out,0($outp) ++ ++ vmsumudm $out,$in[0],$inx2[1],$vzero ++ stxv $out,16($outp) ++ ++ vmsumudm $out,$in[0],$inx2[2],$vzero ++ vmsumudm $out,$in[1],$in[1],$out ++ stxv $out,32($outp) ++ ++ xxpermdi $t1,$in[0],$in[1],0b00 ++ xxpermdi $t2,$inx2[3],$inx2[2],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ stxv $out,48($outp) ++ ++ xxpermdi $t4,$inx2[4],$inx2[3],0b00 ++ vmsumudm $out,$t1,$t4,$vzero ++ vmsumudm $out,$in[2],$in[2],$out ++ stxv $out,64($outp) ++ ++ xxpermdi $t2,$inx2[5],$inx2[4],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$in[2],$inx2[3],$out ++ stxv $out,80($outp) ++ ++ xxpermdi $t2,$inx2[6],$inx2[5],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$in[2],$inx2[4],$out ++ vmsumudm $out,$in[3],$in[3],$out ++ stxv $out,96($outp) ++ ++ xxpermdi $t3,$in[1],$in[2],0b00 ++ vmsumudm $out,$t3,$t2,$vzero ++ vmsumudm $out,$in[3],$inx2[4],$out ++ stxv $out,112($outp) ++ ++ xxpermdi $t1,$in[2],$in[3],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ vmsumudm $out,$in[4],$in[4],$out ++ stxv $out,128($outp) ++ ++ xxpermdi $t1,$in[3],$in[4],0b00 ++ vmsumudm $out,$t1,$t2,$vzero ++ stxv $out,144($outp) ++ ++ vmsumudm $out,$in[4],$inx2[6],$vzero ++ vmsumudm $out,$in[5],$in[5],$out ++ stxv $out,160($outp) ++ ++ vmsumudm $out,$in[5],$inx2[6],$vzero ++ stxv $out,176($outp) ++ ++ vmsumudm $out,$in[6],$in[6],$vzero ++ stxv $out,192($outp) ++___ ++ ++ endproc("p384_felem_square"); ++ } ++} ++ ++$code =~ s/\`([^\`]*)\`/eval $1/gem; ++print $code; ++close STDOUT or die "error closing STDOUT: $!"; +diff --git a/crypto/ec/build.info b/crypto/ec/build.info +index 1fa60a1deddd..4077bead7bdb 100644 +--- a/crypto/ec/build.info ++++ b/crypto/ec/build.info +@@ -39,8 +39,9 @@ IF[{- !$disabled{asm} -}] + $ECASM_ppc64=ecp_nistz256.c ecp_ppc.c ecp_nistz256-ppc64.s x25519-ppc64.s + $ECDEF_ppc64=ECP_NISTZ256_ASM X25519_ASM + IF[{- !$disabled{'ec_nistp_64_gcc_128'} -}] +- $ECASM_ppc64=$ECASM_ppc64 ecp_nistp521-ppc64.s +- $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP521_ASM ++ $ECASM_ppc64=$ECASM_ppc64 ecp_nistp384-ppc64.s ecp_nistp521-ppc64.s ++ $ECDEF_ppc64=$ECDEF_ppc64 ECP_NISTP384_ASM ECP_NISTP521_ASM ++ INCLUDE[ecp_nistp384.o]=.. + INCLUDE[ecp_nistp521.o]=.. + ENDIF + +@@ -119,6 +120,7 @@ GENERATE[ecp_nistz256-armv8.S]=asm/ecp_nistz256-armv8.pl + INCLUDE[ecp_nistz256-armv8.o]=.. + GENERATE[ecp_nistz256-ppc64.s]=asm/ecp_nistz256-ppc64.pl + ++GENERATE[ecp_nistp384-ppc64.s]=asm/ecp_nistp384-ppc64.pl + GENERATE[ecp_nistp521-ppc64.s]=asm/ecp_nistp521-ppc64.pl + + GENERATE[x25519-x86_64.s]=asm/x25519-x86_64.pl +diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c +index a0559487ed4e..14f9530d07c6 100644 +--- a/crypto/ec/ecp_nistp384.c ++++ b/crypto/ec/ecp_nistp384.c +@@ -691,6 +691,15 @@ void p384_felem_mul(widefelem out, const felem in1, const felem in2); + + static void felem_select(void) + { ++# if defined(_ARCH_PPC64) ++ if ((OPENSSL_ppccap_P & PPC_MADD300) && (OPENSSL_ppccap_P & PPC_ALTIVEC)) { ++ felem_square_p = p384_felem_square; ++ felem_mul_p = p384_felem_mul; ++ ++ return; ++ } ++# endif ++ + /* Default */ + felem_square_p = felem_square_ref; + felem_mul_p = felem_mul_ref; diff --git a/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch b/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch new file mode 100644 index 0000000..a2918d9 --- /dev/null +++ b/openssl-ecc-Remove-extraneous-parentheses-in-secp384r1.patch @@ -0,0 +1,76 @@ +From 670e73d9084465384b11ef24802ca4a313e1d2f4 Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Tue, 15 Aug 2023 15:20:20 +1000 +Subject: [PATCH] ecc: Remove extraneous parentheses in secp384r1 + +Substitutions in the felem_reduce() method feature unecessary +parentheses, remove them. + +Signed-off-by: Rohan McLure + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +Reviewed-by: Hugo Landau +(Merged from https://github.com/openssl/openssl/pull/21749) +--- + crypto/ec/ecp_nistp384.c | 12 ++++++------ + 1 file changed, 6 insertions(+), 6 deletions(-) + +diff --git a/crypto/ec/ecp_nistp384.c b/crypto/ec/ecp_nistp384.c +index 14f9530d07c6..ff68f9cc7ad0 100644 +--- a/crypto/ec/ecp_nistp384.c ++++ b/crypto/ec/ecp_nistp384.c +@@ -540,7 +540,7 @@ static void felem_reduce(felem out, const widefelem in) + acc[7] += in[12] >> 8; + acc[6] += (in[12] & 0xff) << 48; + acc[6] -= in[12] >> 16; +- acc[5] -= ((in[12] & 0xffff) << 40); ++ acc[5] -= (in[12] & 0xffff) << 40; + acc[6] += in[12] >> 48; + acc[5] += (in[12] & 0xffffffffffff) << 8; + +@@ -549,7 +549,7 @@ static void felem_reduce(felem out, const widefelem in) + acc[6] += in[11] >> 8; + acc[5] += (in[11] & 0xff) << 48; + acc[5] -= in[11] >> 16; +- acc[4] -= ((in[11] & 0xffff) << 40); ++ acc[4] -= (in[11] & 0xffff) << 40; + acc[5] += in[11] >> 48; + acc[4] += (in[11] & 0xffffffffffff) << 8; + +@@ -558,7 +558,7 @@ static void felem_reduce(felem out, const widefelem in) + acc[5] += in[10] >> 8; + acc[4] += (in[10] & 0xff) << 48; + acc[4] -= in[10] >> 16; +- acc[3] -= ((in[10] & 0xffff) << 40); ++ acc[3] -= (in[10] & 0xffff) << 40; + acc[4] += in[10] >> 48; + acc[3] += (in[10] & 0xffffffffffff) << 8; + +@@ -567,7 +567,7 @@ static void felem_reduce(felem out, const widefelem in) + acc[4] += in[9] >> 8; + acc[3] += (in[9] & 0xff) << 48; + acc[3] -= in[9] >> 16; +- acc[2] -= ((in[9] & 0xffff) << 40); ++ acc[2] -= (in[9] & 0xffff) << 40; + acc[3] += in[9] >> 48; + acc[2] += (in[9] & 0xffffffffffff) << 8; + +@@ -582,7 +582,7 @@ static void felem_reduce(felem out, const widefelem in) + acc[3] += acc[8] >> 8; + acc[2] += (acc[8] & 0xff) << 48; + acc[2] -= acc[8] >> 16; +- acc[1] -= ((acc[8] & 0xffff) << 40); ++ acc[1] -= (acc[8] & 0xffff) << 40; + acc[2] += acc[8] >> 48; + acc[1] += (acc[8] & 0xffffffffffff) << 8; + +@@ -591,7 +591,7 @@ static void felem_reduce(felem out, const widefelem in) + acc[2] += acc[7] >> 8; + acc[1] += (acc[7] & 0xff) << 48; + acc[1] -= acc[7] >> 16; +- acc[0] -= ((acc[7] & 0xffff) << 40); ++ acc[0] -= (acc[7] & 0xffff) << 40; + acc[1] += acc[7] >> 48; + acc[0] += (acc[7] & 0xffffffffffff) << 8; + diff --git a/openssl-load-legacy-provider.patch b/openssl-load-legacy-provider.patch new file mode 100644 index 0000000..f112006 --- /dev/null +++ b/openssl-load-legacy-provider.patch @@ -0,0 +1,92 @@ +287863366dcdd6548dee78c7a4 Mon Sep 17 00:00:00 2001 +From: rpm-build <rpm-build> +Date: Mon, 31 Jul 2023 09:41:28 +0200 +Subject: [PATCH 14/35] 0024-load-legacy-prov.patch + +Patch-name: 0024-load-legacy-prov.patch +Patch-id: 24 +Patch-status: | + # Instructions to load legacy provider in openssl.cnf +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + apps/openssl.cnf | 37 +++++++++++++++---------------------- + doc/man5/config.pod | 8 ++++++++ + 2 files changed, 23 insertions(+), 22 deletions(-) + +Index: openssl-3.2.3/apps/openssl.cnf +=================================================================== +--- openssl-3.2.3.orig/apps/openssl.cnf ++++ openssl-3.2.3/apps/openssl.cnf +@@ -42,14 +42,6 @@ tsa_policy1 = 1.2.3.4.1 + tsa_policy2 = 1.2.3.4.5.6 + tsa_policy3 = 1.2.3.4.5.7 + +-# For FIPS +-# Optionally include a file that is generated by the OpenSSL fipsinstall +-# application. This file contains configuration data required by the OpenSSL +-# fips provider. It contains a named section e.g. [fips_sect] which is +-# referenced from the [provider_sect] below. +-# Refer to the OpenSSL security policy for more information. +-# .include fipsmodule.cnf +- + [openssl_init] + providers = provider_sect + # Load default TLS policy configuration +@@ -58,23 +50,24 @@ ssl_conf = ssl_module + [ evp_properties ] + # This section is intentionally added empty here to be tuned on particular systems + +-# List of providers to load ++# Uncomment the sections that start with ## below to enable the legacy provider. ++# Loading the legacy provider enables support for the following algorithms: ++# Hashing Algorithms / Message Digests: MD2, MD4, MDC2, WHIRLPOOL, RIPEMD160 ++# Symmetric Ciphers: Blowfish, CAST, DES, IDEA, RC2, RC4,RC5, SEED ++# Key Derivation Function (KDF): PBKDF1 ++# In general it is not recommended to use the above mentioned algorithms for ++# security critical operations, as they are cryptographically weak or vulnerable ++# to side-channel attacks and as such have been deprecated. ++ + [provider_sect] + default = default_sect +-# The fips section name should match the section name inside the +-# included fipsmodule.cnf. +-# fips = fips_sect +- +-# If no providers are activated explicitly, the default one is activated implicitly. +-# See man 7 OSSL_PROVIDER-default for more details. +-# +-# If you add a section explicitly activating any other provider(s), you most +-# probably need to explicitly activate the default provider, otherwise it +-# becomes unavailable in openssl. As a consequence applications depending on +-# OpenSSL may not work correctly which could lead to significant system +-# problems including inability to remotely access the system. ++##legacy = legacy_sect ++ + [default_sect] +-# activate = 1 ++activate = 1 ++ ++##[legacy_sect] ++##activate = 1 + + [ ssl_module ] + system_default = crypto_policy +Index: openssl-3.2.3/doc/man5/config.pod +=================================================================== +--- openssl-3.2.3.orig/doc/man5/config.pod ++++ openssl-3.2.3/doc/man5/config.pod +@@ -273,6 +273,14 @@ significant. + All parameters in the section as well as sub-sections are made + available to the provider. + ++=head3 Loading the legacy provider ++ ++Uncomment the sections that start with ## in openssl.cnf ++to enable the legacy provider. ++Note: In general it is not recommended to use the above mentioned algorithms for ++security critical operations, as they are cryptographically weak or vulnerable ++to side-channel attacks and as such have been deprecated. ++ + =head3 Default provider and its activation + + If no providers are activated explicitly, the default one is activated implicitly. diff --git a/openssl-no-date.patch b/openssl-no-date.patch new file mode 100644 index 0000000..c910674 --- /dev/null +++ b/openssl-no-date.patch @@ -0,0 +1,13 @@ +Index: openssl-1.1.1-pre1/util/mkbuildinf.pl +=================================================================== +--- openssl-1.1.1-pre1.orig/util/mkbuildinf.pl 2018-02-13 16:31:28.011389734 +0100 ++++ openssl-1.1.1-pre1/util/mkbuildinf.pl 2018-02-13 16:31:51.539764582 +0100 +@@ -28,7 +28,7 @@ print <<"END_OUTPUT"; + */ + + #define PLATFORM "platform: $platform" +-#define DATE "built on: $date" ++#define DATE "" + + /* + * Generate compiler_flags as an array of individual characters. This is a diff --git a/openssl-no-html-docs.patch b/openssl-no-html-docs.patch new file mode 100644 index 0000000..41ca968 --- /dev/null +++ b/openssl-no-html-docs.patch @@ -0,0 +1,13 @@ +Index: openssl-3.2.3/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-3.2.3.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.2.3/Configurations/unix-Makefile.tmpl +@@ -633,7 +633,7 @@ install_sw: install_dev install_engines + + uninstall_sw: uninstall_runtime uninstall_modules uninstall_engines uninstall_dev ## Uninstall the software and libraries + +-install_docs: install_man_docs install_html_docs ## Install manpages and HTML documentation ++install_docs: install_man_docs # install_html_docs ## Install manpages and HTML documentation + + uninstall_docs: uninstall_man_docs uninstall_html_docs ## Uninstall manpages and HTML documentation + $(RM) -r "$(DESTDIR)$(DOCDIR)" diff --git a/openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch b/openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch new file mode 100644 index 0000000..dc86604 --- /dev/null +++ b/openssl-pbkdf2-Set-indicator-if-pkcs5-param-disabled-checks.patch @@ -0,0 +1,75 @@ +From 48c763ed9cc889806bc01222382ce6f918a408a2 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 16:12:33 +0200 +Subject: [PATCH 46/48] + 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch + +Patch-name: 0112-pbdkf2-Set-indicator-if-pkcs5-param-disabled-checks.patch +Patch-id: 112 +--- + providers/implementations/kdfs/pbkdf2.c | 40 +++++++++++++++++++++++-- + 1 file changed, 37 insertions(+), 3 deletions(-) + +diff --git a/providers/implementations/kdfs/pbkdf2.c b/providers/implementations/kdfs/pbkdf2.c +index 11820d1e69..bae2238ab5 100644 +--- a/providers/implementations/kdfs/pbkdf2.c ++++ b/providers/implementations/kdfs/pbkdf2.c +@@ -284,11 +284,42 @@ static const OSSL_PARAM *kdf_pbkdf2_settable_ctx_params(ossl_unused void *ctx, + + static int kdf_pbkdf2_get_ctx_params(void *vctx, OSSL_PARAM params[]) + { ++#ifdef FIPS_MODULE ++ KDF_PBKDF2 *ctx = (KDF_PBKDF2 *)vctx; ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM *p; ++ int any_valid = 0; /* set to 1 when at least one parameter was valid */ ++ ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) { ++ any_valid = 1; ++ ++ if (!OSSL_PARAM_set_size_t(p, SIZE_MAX)) ++ return 0; ++ } ++ ++#ifdef FIPS_MODULE ++ if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR)) ++ != NULL) { ++ int fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_APPROVED; ++ ++ /* The lower_bound_checks parameter enables checks required by FIPS. If ++ * those checks are disabled, the PBKDF2 implementation will also ++ * support non-approved parameters (e.g., salt lengths < 16 bytes, see ++ * NIST SP 800-132 section 5.1). */ ++ if (!ctx->lower_bound_checks) ++ fips_indicator = EVP_KDF_SUSE_FIPS_INDICATOR_NOT_APPROVED; + +- if ((p = OSSL_PARAM_locate(params, OSSL_KDF_PARAM_SIZE)) != NULL) +- return OSSL_PARAM_set_size_t(p, SIZE_MAX); +- return -2; ++ if (!OSSL_PARAM_set_int(p, fips_indicator)) ++ return 0; ++ ++ any_valid = 1; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ ++ if (!any_valid) ++ return -2; ++ ++ return 1; + } + + static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, +@@ -296,6 +327,9 @@ static const OSSL_PARAM *kdf_pbkdf2_gettable_ctx_params(ossl_unused void *ctx, + { + static const OSSL_PARAM known_gettable_ctx_params[] = { + OSSL_PARAM_size_t(OSSL_KDF_PARAM_SIZE, NULL), ++#ifdef FIPS_MODULE ++ OSSL_PARAM_int(OSSL_KDF_PARAM_SUSE_FIPS_INDICATOR, NULL), ++#endif /* defined(FIPS_MODULE) */ + OSSL_PARAM_END + }; + return known_gettable_ctx_params; +-- +2.41.0 + diff --git a/openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch b/openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch new file mode 100644 index 0000000..82d5ab4 --- /dev/null +++ b/openssl-pbkdf2-Set-minimum-password-length-of-8-bytes.patch @@ -0,0 +1,66 @@ +From 915990e450e769e370fcacbfd8ed58ab6afaf2bf Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 15:47:55 +0200 +Subject: [PATCH 39/48] + 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch + +Patch-name: 0084-pbkdf2-Set-minimum-password-length-of-8-bytes.patch +Patch-id: 84 +--- + providers/implementations/kdfs/pbkdf2.c | 27 ++++++++++++++++++++++++- + 1 file changed, 26 insertions(+), 1 deletion(-) + +Index: openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c +=================================================================== +--- openssl-3.2.3.orig/providers/implementations/kdfs/pbkdf2.c ++++ openssl-3.2.3/providers/implementations/kdfs/pbkdf2.c +@@ -35,6 +35,21 @@ + #define KDF_PBKDF2_MAX_KEY_LEN_DIGEST_RATIO 0xFFFFFFFF + #define KDF_PBKDF2_MIN_ITERATIONS 1000 + #define KDF_PBKDF2_MIN_SALT_LEN (128 / 8) ++/* The Implementation Guidance for FIPS 140-3 says in section D.N ++ * "Password-Based Key Derivation for Storage Applications" that "the vendor ++ * shall document in the module’s Security Policy the length of ++ * a password/passphrase used in key derivation and establish an upper bound ++ * for the probability of having this parameter guessed at random. This ++ * probability shall take into account not only the length of the ++ * password/passphrase, but also the difficulty of guessing it. The decision on ++ * the minimum length of a password used for key derivation is the vendor’s, ++ * but the vendor shall at a minimum informally justify the decision." ++ * ++ * We are choosing a minimum password length of 8 bytes, because NIST's ACVP ++ * testing uses passwords as short as 8 bytes, and requiring longer passwords ++ * combined with an implicit indicator (i.e., returning an error) would cause ++ * the module to fail ACVP testing. */ ++#define KDF_PBKDF2_MIN_PASSWORD_LEN (8) + + static OSSL_FUNC_kdf_newctx_fn kdf_pbkdf2_new; + static OSSL_FUNC_kdf_dupctx_fn kdf_pbkdf2_dup; +@@ -215,9 +230,15 @@ static int kdf_pbkdf2_set_ctx_params(voi + ctx->lower_bound_checks = pkcs5 == 0; + } + +- if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) ++ if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_PASSWORD)) != NULL) { ++ if (ctx->lower_bound_checks != 0 ++ && p->data_size < KDF_PBKDF2_MIN_PASSWORD_LEN) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } + if (!pbkdf2_set_membuf(&ctx->pass, &ctx->pass_len, p)) + return 0; ++ } + + if ((p = OSSL_PARAM_locate_const(params, OSSL_KDF_PARAM_SALT)) != NULL) { + if (ctx->lower_bound_checks != 0 +@@ -327,6 +348,10 @@ static int pbkdf2_derive(const char *pas + } + + if (lower_bound_checks) { ++ if (passlen < KDF_PBKDF2_MIN_PASSWORD_LEN) { ++ ERR_raise(ERR_LIB_PROV, PROV_R_INVALID_KEY_LENGTH); ++ return 0; ++ } + if ((keylen * 8) < KDF_PBKDF2_MIN_KEY_LEN_BITS) { + ERR_raise(ERR_LIB_PROV, PROV_R_KEY_SIZE_TOO_SMALL); + return 0; diff --git a/openssl-pkgconfig.patch b/openssl-pkgconfig.patch new file mode 100644 index 0000000..b1536f7 --- /dev/null +++ b/openssl-pkgconfig.patch @@ -0,0 +1,22 @@ +Index: openssl-3.2.3/Configurations/unix-Makefile.tmpl +=================================================================== +--- openssl-3.2.3.orig/Configurations/unix-Makefile.tmpl ++++ openssl-3.2.3/Configurations/unix-Makefile.tmpl +@@ -1453,7 +1453,7 @@ libcrypto.pc: + echo 'Version: '$(VERSION); \ + echo 'Libs: -L$${libdir} -lcrypto'; \ + echo 'Libs.private: $(LIB_EX_LIBS)'; \ +- echo 'Cflags: -I$${includedir}' ) > libcrypto.pc ++ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libcrypto.pc + + libssl.pc: + @ ( echo 'prefix=$(INSTALLTOP)'; \ +@@ -1470,7 +1470,7 @@ libssl.pc: + echo 'Version: '$(VERSION); \ + echo 'Requires.private: libcrypto'; \ + echo 'Libs: -L$${libdir} -lssl'; \ +- echo 'Cflags: -I$${includedir}' ) > libssl.pc ++ echo 'Cflags: -DOPENSSL_LOAD_CONF -I$${includedir}' ) > libssl.pc + + openssl.pc: + @ ( echo 'prefix=$(INSTALLTOP)'; \ diff --git a/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch b/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch new file mode 100644 index 0000000..ecfecb5 --- /dev/null +++ b/openssl-powerpc-ecc-Fix-stack-allocation-secp384r1-asm.patch @@ -0,0 +1,96 @@ +From 50f8b936b00dc18ce1f622a7a6aa46daf03da48b Mon Sep 17 00:00:00 2001 +From: Rohan McLure +Date: Wed, 16 Aug 2023 16:52:47 +1000 +Subject: [PATCH] powerpc: ecc: Fix stack allocation secp384r1 asm + +Assembly acceleration secp384r1 opts to not use any callee-save VSRs, as +VSX enabled systems make extensive use of renaming, and so writebacks in +felem_{mul,square}() can be reordered for best cache effects. + +Remove stack allocations. This in turn fixes unmatched push/pops in +felem_{mul,square}(). + +Signed-off-by: Rohan McLure + +Reviewed-by: Tomas Mraz +Reviewed-by: Shane Lontis +Reviewed-by: Hugo Landau +(Merged from https://github.com/openssl/openssl/pull/21749) +--- + crypto/ec/asm/ecp_nistp384-ppc64.pl | 49 ----------------------------- + 1 file changed, 49 deletions(-) + +diff --git a/crypto/ec/asm/ecp_nistp384-ppc64.pl b/crypto/ec/asm/ecp_nistp384-ppc64.pl +index 3f86b391af69..28f4168e5218 100755 +--- a/crypto/ec/asm/ecp_nistp384-ppc64.pl ++++ b/crypto/ec/asm/ecp_nistp384-ppc64.pl +@@ -62,51 +62,6 @@ ($) + ___ + } + +- +-sub push_vrs($$) +-{ +- my ($min, $max) = @_; +- +- my $count = $max - $min + 1; +- +- $code.=<<___; +- mr $savesp,$sp +- stdu $sp,-16*`$count+1`($sp) +- +-___ +- for (my $i = $min; $i <= $max; $i++) { +- my $mult = $max - $i + 1; +- $code.=<<___; +- stxv $i,-16*$mult($savesp) +-___ +- +- } +- +- $code.=<<___; +- +-___ +-} +- +-sub pop_vrs($$) +-{ +- my ($min, $max) = @_; +- +- $code.=<<___; +- ld $savesp,0($sp) +-___ +- for (my $i = $min; $i <= $max; $i++) { +- my $mult = $max - $i + 1; +- $code.=<<___; +- lxv $i,-16*$mult($savesp) +-___ +- } +- +- $code.=<<___; +- mr $sp,$savesp +- +-___ +-} +- + sub load_vrs($$) + { + my ($pointer, $reg_list) = @_; +@@ -162,8 +117,6 @@ ($$) + + startproc("p384_felem_mul"); + +- push_vrs(52, 63); +- + $code.=<<___; + vspltisw $vzero,0 + +@@ -268,8 +221,6 @@ ($$) + + startproc("p384_felem_square"); + +- push_vrs(52, 63); +- + $code.=<<___; + vspltisw $vzero,0 + diff --git a/openssl-ppc64-config.patch b/openssl-ppc64-config.patch new file mode 100644 index 0000000..1312db2 --- /dev/null +++ b/openssl-ppc64-config.patch @@ -0,0 +1,32 @@ +Index: openssl-3.2.3/util/perl/OpenSSL/config.pm +=================================================================== +--- openssl-3.2.3.orig/util/perl/OpenSSL/config.pm ++++ openssl-3.2.3/util/perl/OpenSSL/config.pm +@@ -592,14 +592,19 @@ EOF + return { target => "linux-ppc64" } if $KERNEL_BITS eq '64'; + + my %config = (); +- if (!okrun('echo __LP64__', +- 'gcc -E -x c - 2>/dev/null', +- 'grep "^__LP64__" 2>&1 >/dev/null') ) { +- %config = ( cflags => [ '-m32' ], +- cxxflags => [ '-m32' ] ); +- } +- return { target => "linux-ppc", +- %config }; ++ # ## ++ # if (!okrun('echo __LP64__', 'gcc -E -x c - 2>/dev/null', 'grep "^__LP64__" 2>&1 >/dev/null') ) { %config = ( cflags => [ '-m32' ], cxxflags => [ '-m32' ] ); } ++ # return { target => "linux-ppc", ++ # %config }; ++ # ## ++ if (okrun('echo __LP64__', 'gcc -E -x c - 2>/dev/null', ++ 'grep "^__LP64__" 2>&1 >/dev/null') ) ++ { ++ return { target => "linux-ppc", %config }; ++ } else { ++ return { target => "linux-ppc64", %config }; ++ } ++ ## + } + ], + [ 'ppc64le-.*-linux2', { target => "linux-ppc64le" } ], diff --git a/openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch b/openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch new file mode 100644 index 0000000..ceeac76 --- /dev/null +++ b/openssl-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch @@ -0,0 +1,1102 @@ +From 936e081bd752ca0a883568aaf3b5752c9eaccb12 Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Mon, 21 Aug 2023 15:38:21 +0200 +Subject: [PATCH 36/48] + 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch + +Patch-name: 0080-rand-Forbid-truncated-hashes-SHA-3-in-FIPS-prov.patch +Patch-id: 80 +Patch-status: | + # We believe that some changes present in CentOS are not necessary + # because ustream has a check for FIPS version +--- + providers/implementations/rands/drbg_hash.c | 12 ++ + providers/implementations/rands/drbg_hmac.c | 12 ++ + test/recipes/30-test_evp_data/evprand.txt | 129 ++++++++++++++++++++ + 3 files changed, 153 insertions(+) + +diff --git a/providers/implementations/rands/drbg_hash.c b/providers/implementations/rands/drbg_hash.c +index fb824abfa6..b90fee6dec 100644 +--- a/providers/implementations/rands/drbg_hash.c ++++ b/providers/implementations/rands/drbg_hash.c +@@ -471,6 +471,18 @@ static int drbg_hash_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + if (!ossl_drbg_verify_digest(libctx, md)) + return 0; /* Error already raised for us */ + ++#ifdef FIPS_MODULE ++ if (!EVP_MD_is_a(md, SN_sha1) ++ && !EVP_MD_is_a(md, SN_sha256) ++ && !EVP_MD_is_a(md, SN_sha512)) { ++ ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, ++ "%s is not an acceptable hash function for an SP 800-90A" ++ " DRBG according to FIPS 140-3 IG, section D.R", ++ EVP_MD_get0_name(md)); ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ + /* These are taken from SP 800-90 10.1 Table 2 */ + hash->blocklen = EVP_MD_get_size(md); + /* See SP800-57 Part1 Rev4 5.6.1 Table 3 */ +diff --git a/providers/implementations/rands/drbg_hmac.c b/providers/implementations/rands/drbg_hmac.c +index 664a074639..cbd4d0f519 100644 +--- a/providers/implementations/rands/drbg_hmac.c ++++ b/providers/implementations/rands/drbg_hmac.c +@@ -367,6 +367,18 @@ static int drbg_hmac_set_ctx_params(void *vctx, const OSSL_PARAM params[]) + if (md != NULL && !ossl_drbg_verify_digest(libctx, md)) + return 0; /* Error already raised for us */ + ++#ifdef FIPS_MODULE ++ if (!EVP_MD_is_a(md, SN_sha1) ++ && !EVP_MD_is_a(md, SN_sha256) ++ && !EVP_MD_is_a(md, SN_sha512)) { ++ ERR_raise_data(ERR_LIB_PROV, PROV_R_DIGEST_NOT_ALLOWED, ++ "%s is not an acceptable hash function for an SP 800-90A" ++ " DRBG according to FIPS 140-3 IG, section D.R", ++ EVP_MD_get0_name(md)); ++ return 0; ++ } ++#endif /* defined(FIPS_MODULE) */ ++ + if (!ossl_prov_macctx_load_from_params(&hmac->ctx, params, + NULL, NULL, NULL, libctx)) + return 0; +diff --git a/test/recipes/30-test_evp_data/evprand.txt b/test/recipes/30-test_evp_data/evprand.txt +index 0e2ee82c58..7a17e7b3e1 100644 +--- a/test/recipes/30-test_evp_data/evprand.txt ++++ b/test/recipes/30-test_evp_data/evprand.txt +@@ -7388,6 +7388,7 @@ Nonce.14 = 7239f92b63fb3dbe + PersonalisationString.14 = 8d2e2ca3985bd2538a71f02cc3eb5568 + Output.14 = 0e4cb328c03faaedbec7215725851069bceae4332de6a70e3521dd065f2f7923485969571ebd7f24be460fd901c6b3e356da6ee5262ef2d76ad14eb0f697f8fb92af2f46630198c5f7018860886147b3 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -8659,6 +8660,7 @@ AdditionalInputA.14 = e5c633ca50dcd83e0a34d397df53f6d7a6f7170a3f81f0e6 + AdditionalInputB.14 = 5f0beb5a2d2968e83ba87c92bfa420fd6e8526fbbfdea128 + Output.14 = 8bec11df1022aa50d95daeaf23d78d6ee45c43c5768b90181e106c7df8ff333d7cb87ca1ab83f8742370db1c8c0c0c22f141ff4de33ae8bdb14fee7e6c069819320629c66d94c7c97ff52930a3c1dcd501b60f0f84bda4720ee187ae858a6e068326eda5809716e366d1b608c61b0100 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -8709,6 +8711,7 @@ Entropy.14 = 1194beb668839c47c73e7516f9ba09d23dec3553b3b5532f75b260106dcc2abf + Nonce.14 = 3c8a77351e93065d584feeb08c8424a9 + Output.14 = fabd48bfcdd07968239fe538c2d8c9bde2e257b9b244078f39287c7ee90de167fff56a693c4e64f45081635511b5fd031c0270a31b4a014e44c0516a55ae72345aa11dffcda4ccf8cda50f6948d5ae425d8d53ad5c74cef1364277990156796e1c5dfa1ef095c0d8983477eb24241135760b02c86c86d4ec3627edac8c1a7e32 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -8789,6 +8792,7 @@ AdditionalInputA.14 = 626385595bef7103af0af700e1df048d7572286af709289b7894d2ab09 + AdditionalInputB.14 = bfe8946dbf27d3a2127ec600351c3920d2531eb9419408233e0a888059b5eb68 + Output.14 = ee6d07661828213e6453d94faaf76345c70949eca4965714c350313b0bcd8e079e6a07f8b2f7a91bcb7ef39a61568fd1c40ab78f154b3582f830095d571de29f81f9565e46b560d34c32bff55341a991f8e863bd9242c7cdd366be12538bb6922f1abfa19e7998aac61d465fc46538ee9142acc66786f4516ef4105fe1d80372 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -8854,6 +8858,7 @@ Nonce.14 = de2186bafa82b0d08a0b8215e3424512 + PersonalisationString.14 = d96db27febe22db935b117dc3068374e39c5b2119b497e3c1d858ef649e01de5 + Output.14 = d04435a8aab397cfcee5151f7aa24298ffc6eee4f577cda42d5e154b8d28cb2f0f945f11a15ed5b76486c88f03081cfd262d94a8e0b332e3c9c608461dcc8eba20d7db209810d25c226fda9fe218022a9b2c96876cb16c06c0553dd84ce57e20338c3d3e03c59ce22e668e25c2c50d5cc9afab91f50a28680964c2dacb9d2fb3 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -8949,6 +8954,7 @@ AdditionalInputA.14 = 5d9446eff72d59529a90b498d8f40983b3b2904f63664fc0aa1de8700d + AdditionalInputB.14 = e19707aafa391e8622539d52a05d930292bd0f7c17825dbed5fb7a2f8734081b + Output.14 = 6ce2ae37349cbef9ebd1f9b85485810a22d430d94abf66912dd7b6cc751400e777be2f1cebc19d65694a456b2c6429cefd95eb934030846708d50be3b274c2f7de299f3c311038491f271448c7d02ff51de048fa1184e8ee06b7b46a9f123daecbebae4a2183dc8eb6976abf0dae7cdbea6017cd1500f37dfadcce0c1956ea87 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -8999,6 +9005,7 @@ Entropy.14 = a7a1dbf7f828555610197e71e0ad563b8691589c5289ced03e9ef83b6f9ff938 + Nonce.14 = 4274788c5d80e26ec1ac3a57b9c7c0df + Output.14 = 5a907a26c1ef588219d4c69fcf4c5c283ab148a77588a40b323bd24e6dfb29551c4b6116c4d61349f5f8bd9ed497f38b239c37283902beb3c9700c768fa289ee4573f92316efb860a5ca4267b328f03c13138b774b4b9f7516003a699f7a0854a0efb045a5932753a771c2cc6119202b33336f10edb715bcce1d20ff503dda01 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9079,6 +9086,7 @@ AdditionalInputA.14 = de1bbca12357943b4489cc7209b3f063b51b91acc168ec5e0ad88048b6 + AdditionalInputB.14 = 6ddd9aba4f100ef902ba50adee53ef44a4f45564c13e774e69557e36a357e7cf + Output.14 = 544ec80a966644454886fb97a0f05eb6a4a25fcbce795b5e5b27ee06ba14b7de18dbf54f80a670b87c76c336ac9af16c8958ad6c1bde9a97aa4c1ab5823d24a53c64f6766ce6eb9b7085cf7282499c37fc1e2e825f53bc357bf36d5901e0ae93cd3bd821fa18b5aa17548560f7ad6ef38124814fccf9b2b89de61cfc27c7269b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9144,6 +9152,7 @@ Nonce.14 = ab7843b73ecb4858f2cc5e9dfca803ef + PersonalisationString.14 = dee559515084d8ac49c3803f09f3d5fed3b307946a2752c267677f22786a0125 + Output.14 = a12f5e8ea3bb174934c15e5d114ba615da33210c98c38d7fde4b5aef9aecdeaef311d929d7fece7fee11db67134c3326b413b8dc17766ba4fb881105db68688b148fd95d812f6538b14f25afaae84d39025336136d270bd643f2a6c7164930372fb1c8f4f0dab60283e9d8d3440ce8dc66761c5d5c4c13cc3a367feb4869b559 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9239,6 +9248,7 @@ AdditionalInputA.14 = ead8c0dcf4ddc909aab96eadab509a46908ee5f090983af609f08d8a8b + AdditionalInputB.14 = f357bda8f2048929a4e31969ec978cc333d58b4fc09a8aa1b73ec9bdfaa1a8f6 + Output.14 = 901aabb3f065be08e2f8072d5d3ffcb28ab291420644e407e7a6a3346b75a5be535bdbdd5a8245998689450292df877233ef0783e0bd1765413193790995d884ffcb2c8dc35fe4cfc12def2f091866d735b1dcfc9d8d8c26903d50e9397b1bbd674bb81fc908361b2bddb68f02031d87588cc3e94210422674e93fea6a5329af + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9289,6 +9299,7 @@ Entropy.14 = dfa94c198483c5daa046f1dd1e4e83f854fd6c5cbc3465f671bdfd36837779ab + Nonce.14 = 298de64bbd817d009a71c1424ae839f9 + Output.14 = bfb9a54ce31406a82608aebc826441f8f633813a0c3bad723b802f3e905a6ee3512ff3513062aea51f93be17aebf1cfcd81868e85db3db9aa98680f974001fda8fe6a644f5efbb9d6e52e99ff606ef1ed7cd3b17fa6c6844790ed58da6df61aba0c200d7dff943588f4520891798098bddc65797b2f99c05efa090c60dc48a4e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9369,6 +9380,7 @@ AdditionalInputA.14 = 066b072d48f6cc6bb00273e0bc0ebc086235fe79af1fbdb46318f56c62 + AdditionalInputB.14 = cfb58f59c6d56993b9f0b5ba1643554072cf4ae8013c236120044ae909083f5f + Output.14 = d5dd7f55ffa7d53fc0f679cddadeb869f39b29a6d394c9f1185b11ebefbcb43419c6a26ae3c9ab9d456e2cdba1aead05e67eabd3596526ee431ba7cab7f94838062fcec2363cf0e19849ffef30064263b3a059ce38aa02c2729bff5af9450e035161816724163906112205196c642bfd70f36abb4639fd6e4f7f6a879ebbcc62 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9434,6 +9446,7 @@ Nonce.14 = ea7d3c3b8f6da0667d7f0d543c68d7d1 + PersonalisationString.14 = 86c20a7e794c887898d5bc00e98398276a4e3ad8d674fb808a63a44330490d2b + Output.14 = ee8e21ff48af611a17d33e130f4e4224330efcc1402b6d55aaf1f514553b880f18df68c0e4279854eb2e9b904c552f69f0e1badc347ebe336b70456f221e07a2fc78df72551d99df3755997029ee1461e2b6e396370096d7e8c2dfceb73214a72ae2b25ccc60b92dd71988eda811ceac4b7c335528249aaf82826a14c142007c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9529,6 +9542,7 @@ AdditionalInputA.14 = ea12ddcafa4f578b8b43337508dd8627844d185b10af7de7e907d113c6 + AdditionalInputB.14 = 0cc670275cd2b0eac5df123eb1fd73c2f2b093b76806943918cf49930fa97515 + Output.14 = 88dc727007c0e03c8d27d00c87876f8990b271964a5275f636ecd7f18cac9c869e5f9df5fb2d34e7f89c2e9819af562a706a03d9be9318896f5ab16573aebbfd94a681cbf27e7202b8674437667893246c267785d0deca5033de88a61bf5158177391c2e3232ea6f812c468d5629ed9f89ad0bec0f6c7a469f56331f9eba1cd2 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9579,6 +9593,7 @@ Entropy.14 = 6b9f904ac4b16d36e06a1bddc501d7ef98d5685c1ceadd0a6e1622e0c1e73716 + Nonce.14 = 4a42f39e5a241a2b96db29055159c91f + Output.14 = 785014b0460831b7b67346c6997217b0f6c8e7313687ea6ff4d0b09a0786bd6ac362a0b1ddc6ab8c9c624625a379cbec7f11cf30ddab23cdec054b986175cdae0ca4ba4610e0711bc94e9ab706539d5fa2c1a4fd3cd49042696b58dce465f8e09a200e7d214cda357021c62248a01aeb95f8ffa8bd49d354fdccf4c71eec3491 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -9659,6 +9674,7 @@ AdditionalInputA.14 = 147d51711ae8a420f165db0000d9d0cb9e9cd5447311eed43d7cc9217d + AdditionalInputB.14 = 2910968bb1976a1b8ced116e673f408da6fc563695c918ac0a230b0bb800c707 + Output.14 = 357a7269b30ca744e213d894f5c45d0db9fba897e0c863a56062f5018ad9be9f37b8d550014ed68f2c34bf5195c0b7460df171ff3bd4a590578670c92470d876c8de19d48a6d7fa15fc7996be78d3cc8a5c657439f4bb9865bd56e187d5df2531a405e3e0f4b87c611aa8e226b8b0266290f06f8062456a7a4bf0896e4ddd948 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -10995,6 +11011,7 @@ AdditionalInputA.14 = 23e4e6b0e0c1b28a6f9731f8b09960ce7adac17527b3bbaca7c811daea + AdditionalInputB.14 = dc7fac6aeded9e17b5bb5e2bcad9424d42dc07e809da59d52caecba6e75ca457 + Output.14 = 5a42b35cf1b72d2520d92719a94ef1a7ca5b6d6c7eef2de25c8ea44c1fc3a9a5ff2128f47bbe58084a0c7a3fc790626eff5666b4c1e68fb2f53de3370b29c398d5067b255f5f7f29fdb0f8bc256ee3afbe78a33981626837c55f981e56eb2e1bdd89ca081e48f6da7ce6576fbd37dbd57a3f41cf410cb375614af239f2e10218e777fb97a55d9cc73243882b8d8d2a2c812fbdeaaed90b5bd71a274b4b171cd7e661912c9b3de1714a3fe4931d8fc7cb1c9f64f4e37d4e5dbc31602d2f8699e0 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11045,6 +11062,7 @@ Entropy.14 = 471746177fa3ebbc1f1e06fa42d61d5d491abc82eb7d66e749b87d562a7eff34 + Nonce.14 = 42f8a1ee9b09940e9e1dc64f51a78b4b + Output.14 = 238c9889284139945e657d2c4312ee3ca2013de69be10bdc8b90d54867889f2c15c6cc933913457d4f5a00bd52b0216d90c56bcb341dde7496218861b083f80d8c933627e19b7bd8b73d6dda1bb0b2b0f1f90e2b453cd063938cec3a08f34e5581c1322329d87709e552a97e8a8c8e8e598a5c5cd6623ad1eb9f7ddd12739b1d157b1020cb8cef19402938d31b74e490c0ce75a9f57a17476df1cffa55de73bb8151071edf396c3b9e4607b07c7e2b45c249f5a8194cca1e97af78be47cec0ab0096cf588f3d4432393a8f5423a165d585e2e5f98fe47510d9415418aba28aab1193261036214c35d8ba04650b4539be6b9f7377e3c75ed236d0e69cce004906 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11125,6 +11143,7 @@ AdditionalInputA.14 = 4b69404b80b6f2fec36a7dff1b194a228761694129efa6c6b9a044f553 + AdditionalInputB.14 = 519c4cf1b30500f729e5426d76373c291e26cafceb594c10c96bdb9aef4b42fa + Output.14 = 53568141a5c09b6b02ac4ab674d341aa6300f8be93c0f36a7376a6850abfce068927510a1b98301aaa29252cfadfe5a2f241abc677e9e70fbca287c579acd276c2eec5c8b508f2b119a40164c6a12c0e0ca1d3d53595bbebe32fda2eef2b613329a614a28d3b374a7b031b49dba74b465a7db60a8dbdcc9e952ea143e9d5a3a651c1b0d6dad79341a7c3fd5816933f2579cc005f3c5655eb8d3f9d1e4562a756ecca3fc1d688c9824391ec8444c6024774a295c44c17fe592694dcf41f305f50a16e07fc28e247bb3d9dd0c52c6fde79df84c8d521606cec9a55f909691f5cfd797b69304dff5b60ac816b0d5046a47c2434127da1fbaa86d2844f5164a9dbdd + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11190,6 +11209,7 @@ Nonce.14 = 8680d7b3f0a8ae576bb0f75364b463ea + PersonalisationString.14 = c0bf8f2ca4efb48b8dca73ca7148da3cd5981c5a459be32db5a14fc7762c68d6 + Output.14 = 269b3b656e58f9aeed32c80700d9d1b863b0253b3b33155cc0849efbedfa51cff82262c9342cff7f1a7a58a5954fe66547baa1831fee55ae0d322674c6c784095f43b30c1887fb9fa5e7e7f1905da2808ab810ecd224ab403b6f562bac54e65cf7f0473991ce7d7cbc1a669a022fde3141a9880d974b7ede2fad24a3263570443cab0e8017d242fb4c2032dc8be56d8fc1e0e8f92254c7480e4941259ecc29ea47a1d11e074148b259ff95a94711d767f0655f1e0574dfdc4ae4f27b12015af86aefd36f6c10056c3d83e639e3641cdd8ba178f7779dcf502bab3d7588cffb72f6489981aaa7139c255df0e76bf6bba32e4f547327da4597745b15042869b2c2 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11285,6 +11305,7 @@ AdditionalInputA.14 = 64278bb6b8224b93c0b5339726fb752f6d81e85b204d76376d99779ff1 + AdditionalInputB.14 = 4995815c060c80e9bead55dfe823b869862bd0e5b4357afe810a53c68d4b0e7b + Output.14 = 9b4249e1e692153ecd20e968f86eb31bf9a22d3671d0ce9d3eea243bfc70890644a95d551cb9956cc3770e95c2f14ff154760cba1b24c51c41f7a961a4502aa053068751618eaaf743e0d37fd41ab4969444519c22c8fd96f9eb1be6ff3ae01a25abba84a259dad8bbc78f47dcab3ac2242e6974a56454999b4c59243102b731fc4bb4e01c92d36f232ca8cfe00fcbc0ac200c2e403d17d5d1dd3d6c2095ddd15ad58a070f18b69a5f5d3f240435d298bd48bd9be028ccaeb10997f88857a848882f51a193522bb0b979b37b5508775fe150cab8ce97c0760b7418b5bbe496562fe639540e77c1025c0e191fe000aa5d1e49bf02a5a3c6f46b40dd2c47786d45 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11335,6 +11356,7 @@ Entropy.14 = 337373a24fe76f025575b3dbd7eeedd03d3459d6ef44cd53335a9c4963cc45de + Nonce.14 = ebbea7e8e1a3a45c58044b65ab7688b9 + Output.14 = 21ae4510a133fa0906c873eb73e00d777b68a45a1de8759b1497f5146f0c45cf612b02e972ec93ebccbb85c9adaf0f5942fcfbb3b808482f05497f2f4734dd6d42c8413e1bd1bad10463dd4b4cf29f1662c15efc6d24955b1e54a60508d9ed008c9d29f8a6bddfe564c21473271350137452f4601179af37e19d553ec738539cfd7a8df17f07e1f9db5df776256e3c00199997307de394a8ba41be2829defbd8105fcb3cda215219fecb607eb1e7137a29eef188ca7eb349d2d1fe27edc2526ccc6d8f1af7eec9c06910f3909907f966d5904b32577f2715cc32ac08f1b5e25a734716ffddf60c57d422b515ce817b605ead2f875db7a789e351b660704f0cbc + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11415,6 +11437,7 @@ AdditionalInputA.14 = 771e91743429c40a2e3ececc9a3d73a92336c9c988c5d9dde47563b631 + AdditionalInputB.14 = ae1a58611aa54df3c655a1f20985552ed9e3610e92170a0de1a4573a5a1f93d7 + Output.14 = b2534bf690444513bdfecb35bd616b0de47b7cca7f8ab9c5e823b468da62855601b59c6bb75cf34fe3dbc7f795536b9619d243c0f6960895d6710130fbfda2a0bff803e856f1cf21a63e86e59be0d6da7516b697e9ff95c341913ff27c8abe10e6af1b7ad8dec9f7aab46b8d35c103f9bff3016b39ec24026a7b582f6e95261031f734e29a1b64c65639cf238381e5f7e31da624ad24290930501132c860118b6c59052aaa7cf982486219431311453a431a1cf50deaf068e2f9993c0ab851c9aec72be8f7c5c57ed03c488befe6ffc256efe6db52b7734c042b69a5ed74e2593c4788c5fa8a03a5017b927bb8f1c8262925d734c5604639a9b441187b0d95e3 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11480,6 +11503,7 @@ Nonce.14 = 78e7f6e9e8e1511bc0ba7f230b65fe47 + PersonalisationString.14 = 37544eb1992fc569ff259946d639a00230ec1196c5565b8f9da62d9ce552e09a + Output.14 = 0ddbb84e21d4d7110b933bbeaddb35ad81dc1f331ac8293695b30924f2713eca6f93a13d520da4486f32a12412a927d00e3f27009a944056a5805b0e050f5bf6c6bd32c523c1d607d6e3e97b59fd059a610d664396f69961599ce7f0a0cbd1dcff15474ac267e36c0b871c559fd13b7ff0c3fcc11ff8dac26761a42697c3744981cc5c5ac10cd0f3b285c4ceb4a550ecead095f90fb6f53aa302218ede7ed5ae5deac91a83f957d15ee901746d11777b23c327ee811966690f5f253c7c314a2bf2bea73ca46c6c8cc332c3493f9d023029d762fc90e5dddbb838f2225c521f196332812570a17455b3db45306aa9100ca83185395435137a0b961531cbcafc03 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11575,6 +11599,7 @@ AdditionalInputA.14 = 8dab17e96142c890eb16981b97364223e815130bdb0c0c284e50dd3349 + AdditionalInputB.14 = 1439e2d19a99703fc35607b5bde55331eca67b2b9a9f7587ddba0dd1fe690ab2 + Output.14 = aa088ba4682bd2285e90c7967a7b8a518e0ec45afd490d367022893e3822c09d967d06ff28748b5de3fb33b071b73c581bd893b6641a72cd5db35540b904eae19765cc121ca4dc9404530114c3369fa80d20dd63c8c09559c4be48aa26ca77b47579dc52fdf0eb2f2db84ab688b87f63097140aef65410fcd7a81c2bddb2c92f9d67b2e46647aadd9b85c9e17ff8b579cd672708282981ba54d854e7c9a1de66621845ae2d337a90025ccbdd1b0d695790b1f977b1e944bbc04d16a9a399628bfb33f98b40e13567514d8ce0b23340803718ea3da44fa84c923f2a85ba21495c2f9541cbe8cadc0b230b1b942e934eb4fe95c3754a77a09641ad730a550fc24e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11625,6 +11650,7 @@ Entropy.14 = 5f72e390aa960846a0004d266e3741b6fe0aaac98d9d87b4cbaaa7a2af0d0bdf + Nonce.14 = 2074991cf0c22cd34b2de48ea1f9ec66 + Output.14 = 7bf54b69e455c7941e8e24ef59b5525dc1ed3b7f934333713b9dc305dcae2cd1b74648149e04bb4f4e00b110926a6bfead7adef954b6d7e180ff820192677efa3c0c8af6a3e201d8d555cc599cdd2626d8778ea2c7a2a8e0c99e719929ae9ac4fb9a7e5176da8987508d1152909f456a4ce9461188e264cda1c879af1a8cca6c182e73c164986cbf07f441756791fa1fae40b784800335d94b0b54135831044bf0cb5dbb5c0c71de6b6ae33d6b87782d34be3cbc2991ad109d6c0440916d91baf96c4375ecdc9f09dca79671a45309c408062cd08ee623c8de007cda3b3d110425d7e8fee13b2a14215033d9ea2397cc6b5c995f37273a00dbcdf9437bc77857 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11705,6 +11731,7 @@ AdditionalInputA.14 = 97f8c1e98fd25289be846d80f667341a095dfbabd610c691ad6b2b901c + AdditionalInputB.14 = 136912d2805ab8ffcb4e7d6a81e37e14b7f7bb65dd0241d56f11d7c72dd5de1d + Output.14 = 2e1f4954107f3654f51024f032518ba91512c9d8005265ff35248487b8c87d8862b8caaae27898a22f9ba7a0297fc071ceb6a1612bb99c0f15210a11f5a0725158832996f15106a7c43a216f90501c0dfb36933be940a875d4f6b0e5c29edb01614a26cb3ff7b906762fd6435eb7cec8c88f5fd7c4d76fcb018c08987108117c95d4d35c1c59efc06358c7abe7a73012ae4440b2ec86c3664e5549b8b0a30d6c8538d6e5151f9c17f9ce026556508b8b3d926e4364839bb526a94c7d8abf4c1241cd844bc6227a01d024affaedd4701129fb0f9b5ae853c7085ca13ec78ffa3476ddb1c1e71942c351c3ce9a855ccfa4c3c7f92b59d5b67e8eab16b699b7ed5b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11770,6 +11797,7 @@ Nonce.14 = fe9dfa1b683fa9cc70b7c7f8c81185b2 + PersonalisationString.14 = 7e86cf4111fbea8fa9b180a1bd9ff3e9d233304b1d293adffa49ce8e77f400ab + Output.14 = ca0a6268d034f6817edcb6875b4754b5e9b2061ce0bc2bcd27c28065d8258b40ae63bf6d1e15521196da0afea8139c10d7bf3b54694a82d24476c578991fce1371e40b78087d95b1117650af7134567513a017353bb4af85cdc98db757cec9f92df42b7323b1e5d05387debb02750683a5553bdfb5f9fa34e14d29e09ad18bc6ef2380c173a19631abde085369ff47fa8b4fdfebe13b95b90c6f5841fe5aa6334edcfae26c13cc5d14d17a02d684b64bd55841831bde4c75de7d49bdc1a405d4e3e0d327bec44644e972349a49cbd48a4d3b8e984f5847ffeba950fff55bba9b287d51d8475f7799752208da31d91853fe6d04d97ea2a33d53b07a4fc787be2a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11865,6 +11893,7 @@ AdditionalInputA.14 = 91e14e178a033e26e6f6a0b0f3890fa46f83731a14cf31445c51a92166 + AdditionalInputB.14 = 20299371a1de6f994260d1c59c1d3f731d8f70fea6e9389b3ede54d47594414d + Output.14 = 1b4efcce136b40bdc792d1607d4ab4fadc10d5e2b22eacca6f412d3aa1c60320bf825778e7ff8296db9ea360e068350f90d7d4947dc9a2e2a4074653458784059ceebf2a97db0e4a29f7c6107783fa3683b6846b8c8ce7161082405643bb84d602c6c36ca79b2b6562417f0d15f46a4fbdc445d50935f49eedf01bb131d104385369fdf88d91518618134a37c5bf73140400cced73795910ad0d2a89db2d79355ecedbcdabf135219d2afd7ac28cd7e45c6fd4e913ce5d464fd6de6e4c62b76ff86c28b0ab27a3c2622cacec075c790a7ff2f57f99ccb89c590a1dfb5a1862200c9cdf97f94eef18ddc85cf9830be662cec1885a629a6603add9396fb26341d9 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11915,6 +11944,7 @@ Entropy.14 = c5ebb2ae08a03815e496c2db1e2a650b40893ea78fbd7ca8434edcde4432a43e + Nonce.14 = 0cede46aca7d2a60f2e98eb3c7d1dba7 + Output.14 = 6d8eeb5ba130de7dca993b44b46e08894fd84ab8c347992aeeac56ce5fb5f435bba92f1129aaf9b3035aa117301a1289acc222cdac043dac58b62567102dd5a57483d79fd703e188a0fe47254bb20b361281b5b8cedded86ba9b6d86deb30e539eb7ee007131ab2af99408f38ec7fd66bec4f1ed71251c149dbf8393b6dbe96cdeb9a3b5ee065ec8636444e72339ed2cb27fbbe5421f7f141940d6fa1cf570b8dd0393625ae16b10df2f1f6fe35dba15a732357dcdf4f56abcbb47a4640dcef618e27d049e27f2af7b8634faad00280e004cfe3f52d63185eccd6c4937a026830c38e1ed6aa9bfeaf739416706f63bb8b1475ac25d734db28e39163aa0c69c52 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -11995,6 +12025,7 @@ AdditionalInputA.14 = def9d8f7b18023b69c6cd4121c0adbc2a89b3ca37333d4523261d5eb20 + AdditionalInputB.14 = 06051dec796525094018b436605bd2ddd66359a2836a5996e8262bb7763fadc0 + Output.14 = 29e8184e37a5c26670bdc95c842c602ed8b0cf102ca144133e8cc841e1dc32fd038a72c26b8be8a568db60a4cfbd52b0d8b74cdf180a4931d6dd19a255104db105b3366d75e8f6afd0e5fab4dc14f6deac82e7703eb6a61f22b79bdad8ac7fab95a58a71f80fa510542615c305f7cbf84790060f17e7d78ab5d4b0ca34fad47133a0627b803c1caee3b97fe47626a8590672e2211f39cbe1b79d1999fb772b884122c8e50c59fdd3de13a53e805f40f8aa35501571a4c4cce79a8f738e60a43a11afdbed94e26f474ba5cd6ff5cdaf00d0fb84109aeb3510f1ea576c70ae78cdd0415a0521f3ff4083f9160011dcd6e2802cfbbbdfe9c4a3b114dd47b3a6cddb + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -12060,6 +12091,7 @@ Nonce.14 = 7b9a876017e5e14bd6a19719c73035da + PersonalisationString.14 = eb97028b093f820b182384baafa56ecf196dc11ebc515a405ac24f73e465ae9a + Output.14 = 3791ee66e505257b0bebc4319897e80ea8a70577b8a85d809cc7e4c77a458e8517368e2eaa7c0623b91ab3ebc4de3240e00e5f0cd20524d73b8000f00a3cecf869bee26763db9689dfaad9b5f21e3975f750e0c6b694d7df35fea26b2ff3c2bc679b5ecaf129320dde8245677aab9fb54b8faa97d394adae687a35b00f026430ef29bc7226957dac5edbc4a70dc82fcac00bf89d97e11d2a3e6ecfc4af4536c329ed3f4dda201db47236b03f30daf71e6368a18ab6224a023fca2ead589d9ea165d66fbce2b37a630d18ef1c97a619cd8949f16f44a9bc0f5837737d7fa4355587af5ab452f53fb82dd8b8b4706cf04e77938d7e0c3a9744c353edd0c6931591 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -31145,6 +31177,7 @@ Output.14 = 01f11971835819c1148aa079eea09fd5b1aa3ac6ba557ae3317b1a33f4505174cf9d + + Title = Hash DRBG No Reseed Tests (from NIST test vectors) + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31195,6 +31228,7 @@ Entropy.14 = 6fe9597b59903b1af4012a15368af7b1 + Nonce.14 = fd3e84b3a96caaff + Output.14 = 1eee4c786476d488e58d0e065bb025db548787fafbe757f29ee2bd4781cf69216091ba2b68919b54ad3070ac72a2342320eb1e697b9115acbe07e194d060562e4d0fd966ab29e2c5e560574b2dac04ce + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31275,6 +31309,7 @@ AdditionalInputA.14 = 93dc424bd0d266879601745a23317141 + AdditionalInputB.14 = a17321015d327c5dc0bc1e130aad81ee + Output.14 = f682834b5b492e09ff8e0f2c80683b032a3b262d16bc609c550dc0e74a4b7d8ebc0e3b8f2c9970d90aec9a82497dded20422b17b9e3cc3bca771cbe717ddaed5a7a6ae2601c7f765eaa719b71624e83b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31340,6 +31375,7 @@ Nonce.14 = fa9adae924417150 + PersonalisationString.14 = dbad22c389c527715d21a5bdf38c1fad + Output.14 = a18d57e672218956e6c8cb9901d02888f3587177c3e11e1a99ea72370347b953a9f122c9446dfa109723b27f36fbf15edf103a56741c24968592479cfe30bc0053fa7b9818e9debcc494db64d15d038b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31435,6 +31471,7 @@ AdditionalInputA.14 = e488e16f48c61dd2152afe925eceee92 + AdditionalInputB.14 = 12c692abd90ab485f4d9499680a6893f + Output.14 = 8ba04617a135d8abe0c3c0a170e7472e7ed750eac706e5c3ed8305d6f6f8a1a53e0c52d4853b21ab8951e80970b426008ae11952ff364817b6856ef0810860dc65faea487b5d7c3f3d63fd443756d2a8 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31485,6 +31522,7 @@ Entropy.14 = ceb354444d1a29c0c3e8a1cc24d02846 + Nonce.14 = 86d3fd9fc51f8b19 + Output.14 = 6f90ad611987a37bac54bea0782ac78215b7d17ecdd3991a81a36d0e263c6f0dda2c102cfba56b26c7b74b5dd2548be9bc81c7958e9d19821583c6f388132b9e19ae7609add9a296c1e92d66a2ef5464 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31565,6 +31603,7 @@ AdditionalInputA.14 = 32d09b604a65dc8daa35cdc34141b751 + AdditionalInputB.14 = b8186a294c7824b7c550c1054badec00 + Output.14 = ae9a091cfafbf0e74c2be8ad4b984e824a24e65ba7610b0f3ab1750e2f12de1620db6bb8c493b3d8b06ab78e69cf2dffd73d4322a67ee7725aad84fb458b8f26cf04846850202e53c874213221e761e5 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31630,6 +31669,7 @@ Nonce.14 = 8368ee0e29d35c67 + PersonalisationString.14 = f189a80d5619f53cce878ed57522a468 + Output.14 = aeac5933065c33ce2ace2531a193e367f73c83fc328f61ee2627f6f3841914c6b8a3ff767f96b3c3b685bac931af9ec10c6f3efe25b5109bb647b120e3a3f6971a4ec41f4ef0c7a900fdb09d7ff3b247 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31725,6 +31765,7 @@ AdditionalInputA.14 = af578fbbb8a830947e9b4e2c9e729336 + AdditionalInputB.14 = 5a69864ca39da1ba4719dfe1dc850a4a + Output.14 = 8b846f03cb66f7e49fdddf7cc449a5f3f6ccdc17ae7e2265a5d0e39ea10fc3e6cffefc04147b773a1584e429fe99e885f278aff74a49d8c842e7ccd870f1330692fc9c4836dac5046c544be74652da26 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31775,6 +31816,7 @@ Entropy.14 = b7ddb82f5664834b4fb17778d22e62f2 + Nonce.14 = 52461924becab175 + Output.14 = 8735d06e26814ee54b5daca4e1da3e321a5a19b062ec0c3afbe3b16f23332a687fadb29e65208130c3d667c075660ff70aea96430fee254c472686b8e82ca359a57bbdc3004bb3eb641c1f97e4b19e02 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31855,6 +31897,7 @@ AdditionalInputA.14 = 7725ef70592c362d70b088ed639f9d9b + AdditionalInputB.14 = 5ab2e0067c3b384e55a78492f0f6ed44 + Output.14 = ca095da39d9c21d7da073d9c95d2e415503b33c327d739f1838bbea4fc6f0254fdaf8ef6152e9263f46b864f39c7104d1d337d99fee588061152e623d7e00a27e03b5d16fe6e543453a31d4dafeda3b5 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -31920,6 +31963,7 @@ Nonce.14 = 4e838a124e4b53df + PersonalisationString.14 = 163e393b290a4d390ab0beb392f52d26 + Output.14 = 76234afc296ea36a44254f999ac31fca258a24427cf4bfe2c54495fc41478ec4a00b540659b3b9461cc6188bc1f57c19ae414bd18aa81eca7b9d765a784f0ef24335e46c2c77b8dc915f5d12c26bc653 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -32015,6 +32059,7 @@ AdditionalInputA.14 = 27486f8dae1b36462639ff7eee869a29 + AdditionalInputB.14 = d1bfc7eabd8eddf622297012169f351b + Output.14 = 4c893c3d1ed3a190fa88e159d6c99f26a02fb5fccb98bdef9fe43f1f492f490109224ba6c317db9569f618984409f2fb3db0b1e2cd4b95746f159cca76f1204f6d2a4c455c547a39a5f79fec95c8f4cd + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -32065,6 +32110,7 @@ Entropy.14 = f484b922f492d19b58407c242ab90e76 + Nonce.14 = 8952a0a4b666b0c8 + Output.14 = 2d77235fa273cab3c1bb176d44817cc25300b3f0172a0b5aaa66b282c015d426edec5f1ebbfc0269956b85994167992a71002586923ea234be6c5df09f47d89132e440827b89f7ff97e032b3f74fe32f + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -32145,6 +32191,7 @@ AdditionalInputA.14 = 9e3ea6eac120d663e330d282ca9b9d7c + AdditionalInputB.14 = b8d71fce7779a9906b9790cd1d4e48d5 + Output.14 = 63d28a300a329ca202b98498c9f46912620bc85c246f034dca4186cd9b0e0810a363785878effde90aec8cb584862524eebf940c44fed21cb580d4115f3e0dda07e0e4a66689c2ff3e9b87edfaa4d051 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -32210,6 +32257,7 @@ Nonce.14 = 7239f92b63fb3dbe + PersonalisationString.14 = 8d2e2ca3985bd2538a71f02cc3eb5568 + Output.14 = 0e4cb328c03faaedbec7215725851069bceae4332de6a70e3521dd065f2f7923485969571ebd7f24be460fd901c6b3e356da6ee5262ef2d76ad14eb0f697f8fb92af2f46630198c5f7018860886147b3 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -33481,6 +33529,7 @@ AdditionalInputA.14 = e5c633ca50dcd83e0a34d397df53f6d7a6f7170a3f81f0e6 + AdditionalInputB.14 = 5f0beb5a2d2968e83ba87c92bfa420fd6e8526fbbfdea128 + Output.14 = 8bec11df1022aa50d95daeaf23d78d6ee45c43c5768b90181e106c7df8ff333d7cb87ca1ab83f8742370db1c8c0c0c22f141ff4de33ae8bdb14fee7e6c069819320629c66d94c7c97ff52930a3c1dcd501b60f0f84bda4720ee187ae858a6e068326eda5809716e366d1b608c61b0100 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -33531,6 +33580,7 @@ Entropy.14 = 1194beb668839c47c73e7516f9ba09d23dec3553b3b5532f75b260106dcc2abf + Nonce.14 = 3c8a77351e93065d584feeb08c8424a9 + Output.14 = fabd48bfcdd07968239fe538c2d8c9bde2e257b9b244078f39287c7ee90de167fff56a693c4e64f45081635511b5fd031c0270a31b4a014e44c0516a55ae72345aa11dffcda4ccf8cda50f6948d5ae425d8d53ad5c74cef1364277990156796e1c5dfa1ef095c0d8983477eb24241135760b02c86c86d4ec3627edac8c1a7e32 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -33611,6 +33661,7 @@ AdditionalInputA.14 = 626385595bef7103af0af700e1df048d7572286af709289b7894d2ab09 + AdditionalInputB.14 = bfe8946dbf27d3a2127ec600351c3920d2531eb9419408233e0a888059b5eb68 + Output.14 = ee6d07661828213e6453d94faaf76345c70949eca4965714c350313b0bcd8e079e6a07f8b2f7a91bcb7ef39a61568fd1c40ab78f154b3582f830095d571de29f81f9565e46b560d34c32bff55341a991f8e863bd9242c7cdd366be12538bb6922f1abfa19e7998aac61d465fc46538ee9142acc66786f4516ef4105fe1d80372 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -33676,6 +33727,7 @@ Nonce.14 = de2186bafa82b0d08a0b8215e3424512 + PersonalisationString.14 = d96db27febe22db935b117dc3068374e39c5b2119b497e3c1d858ef649e01de5 + Output.14 = d04435a8aab397cfcee5151f7aa24298ffc6eee4f577cda42d5e154b8d28cb2f0f945f11a15ed5b76486c88f03081cfd262d94a8e0b332e3c9c608461dcc8eba20d7db209810d25c226fda9fe218022a9b2c96876cb16c06c0553dd84ce57e20338c3d3e03c59ce22e668e25c2c50d5cc9afab91f50a28680964c2dacb9d2fb3 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -33771,6 +33823,7 @@ AdditionalInputA.14 = 5d9446eff72d59529a90b498d8f40983b3b2904f63664fc0aa1de8700d + AdditionalInputB.14 = e19707aafa391e8622539d52a05d930292bd0f7c17825dbed5fb7a2f8734081b + Output.14 = 6ce2ae37349cbef9ebd1f9b85485810a22d430d94abf66912dd7b6cc751400e777be2f1cebc19d65694a456b2c6429cefd95eb934030846708d50be3b274c2f7de299f3c311038491f271448c7d02ff51de048fa1184e8ee06b7b46a9f123daecbebae4a2183dc8eb6976abf0dae7cdbea6017cd1500f37dfadcce0c1956ea87 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -33821,6 +33874,7 @@ Entropy.14 = a7a1dbf7f828555610197e71e0ad563b8691589c5289ced03e9ef83b6f9ff938 + Nonce.14 = 4274788c5d80e26ec1ac3a57b9c7c0df + Output.14 = 5a907a26c1ef588219d4c69fcf4c5c283ab148a77588a40b323bd24e6dfb29551c4b6116c4d61349f5f8bd9ed497f38b239c37283902beb3c9700c768fa289ee4573f92316efb860a5ca4267b328f03c13138b774b4b9f7516003a699f7a0854a0efb045a5932753a771c2cc6119202b33336f10edb715bcce1d20ff503dda01 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -33901,6 +33955,7 @@ AdditionalInputA.14 = de1bbca12357943b4489cc7209b3f063b51b91acc168ec5e0ad88048b6 + AdditionalInputB.14 = 6ddd9aba4f100ef902ba50adee53ef44a4f45564c13e774e69557e36a357e7cf + Output.14 = 544ec80a966644454886fb97a0f05eb6a4a25fcbce795b5e5b27ee06ba14b7de18dbf54f80a670b87c76c336ac9af16c8958ad6c1bde9a97aa4c1ab5823d24a53c64f6766ce6eb9b7085cf7282499c37fc1e2e825f53bc357bf36d5901e0ae93cd3bd821fa18b5aa17548560f7ad6ef38124814fccf9b2b89de61cfc27c7269b + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -33966,6 +34021,7 @@ Nonce.14 = ab7843b73ecb4858f2cc5e9dfca803ef + PersonalisationString.14 = dee559515084d8ac49c3803f09f3d5fed3b307946a2752c267677f22786a0125 + Output.14 = a12f5e8ea3bb174934c15e5d114ba615da33210c98c38d7fde4b5aef9aecdeaef311d929d7fece7fee11db67134c3326b413b8dc17766ba4fb881105db68688b148fd95d812f6538b14f25afaae84d39025336136d270bd643f2a6c7164930372fb1c8f4f0dab60283e9d8d3440ce8dc66761c5d5c4c13cc3a367feb4869b559 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34061,6 +34117,7 @@ AdditionalInputA.14 = ead8c0dcf4ddc909aab96eadab509a46908ee5f090983af609f08d8a8b + AdditionalInputB.14 = f357bda8f2048929a4e31969ec978cc333d58b4fc09a8aa1b73ec9bdfaa1a8f6 + Output.14 = 901aabb3f065be08e2f8072d5d3ffcb28ab291420644e407e7a6a3346b75a5be535bdbdd5a8245998689450292df877233ef0783e0bd1765413193790995d884ffcb2c8dc35fe4cfc12def2f091866d735b1dcfc9d8d8c26903d50e9397b1bbd674bb81fc908361b2bddb68f02031d87588cc3e94210422674e93fea6a5329af + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34111,6 +34168,7 @@ Entropy.14 = dfa94c198483c5daa046f1dd1e4e83f854fd6c5cbc3465f671bdfd36837779ab + Nonce.14 = 298de64bbd817d009a71c1424ae839f9 + Output.14 = bfb9a54ce31406a82608aebc826441f8f633813a0c3bad723b802f3e905a6ee3512ff3513062aea51f93be17aebf1cfcd81868e85db3db9aa98680f974001fda8fe6a644f5efbb9d6e52e99ff606ef1ed7cd3b17fa6c6844790ed58da6df61aba0c200d7dff943588f4520891798098bddc65797b2f99c05efa090c60dc48a4e + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34191,6 +34249,7 @@ AdditionalInputA.14 = 066b072d48f6cc6bb00273e0bc0ebc086235fe79af1fbdb46318f56c62 + AdditionalInputB.14 = cfb58f59c6d56993b9f0b5ba1643554072cf4ae8013c236120044ae909083f5f + Output.14 = d5dd7f55ffa7d53fc0f679cddadeb869f39b29a6d394c9f1185b11ebefbcb43419c6a26ae3c9ab9d456e2cdba1aead05e67eabd3596526ee431ba7cab7f94838062fcec2363cf0e19849ffef30064263b3a059ce38aa02c2729bff5af9450e035161816724163906112205196c642bfd70f36abb4639fd6e4f7f6a879ebbcc62 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34256,6 +34315,7 @@ Nonce.14 = ea7d3c3b8f6da0667d7f0d543c68d7d1 + PersonalisationString.14 = 86c20a7e794c887898d5bc00e98398276a4e3ad8d674fb808a63a44330490d2b + Output.14 = ee8e21ff48af611a17d33e130f4e4224330efcc1402b6d55aaf1f514553b880f18df68c0e4279854eb2e9b904c552f69f0e1badc347ebe336b70456f221e07a2fc78df72551d99df3755997029ee1461e2b6e396370096d7e8c2dfceb73214a72ae2b25ccc60b92dd71988eda811ceac4b7c335528249aaf82826a14c142007c + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34351,6 +34411,7 @@ AdditionalInputA.14 = ea12ddcafa4f578b8b43337508dd8627844d185b10af7de7e907d113c6 + AdditionalInputB.14 = 0cc670275cd2b0eac5df123eb1fd73c2f2b093b76806943918cf49930fa97515 + Output.14 = 88dc727007c0e03c8d27d00c87876f8990b271964a5275f636ecd7f18cac9c869e5f9df5fb2d34e7f89c2e9819af562a706a03d9be9318896f5ab16573aebbfd94a681cbf27e7202b8674437667893246c267785d0deca5033de88a61bf5158177391c2e3232ea6f812c468d5629ed9f89ad0bec0f6c7a469f56331f9eba1cd2 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34401,6 +34462,7 @@ Entropy.14 = 6b9f904ac4b16d36e06a1bddc501d7ef98d5685c1ceadd0a6e1622e0c1e73716 + Nonce.14 = 4a42f39e5a241a2b96db29055159c91f + Output.14 = 785014b0460831b7b67346c6997217b0f6c8e7313687ea6ff4d0b09a0786bd6ac362a0b1ddc6ab8c9c624625a379cbec7f11cf30ddab23cdec054b986175cdae0ca4ba4610e0711bc94e9ab706539d5fa2c1a4fd3cd49042696b58dce465f8e09a200e7d214cda357021c62248a01aeb95f8ffa8bd49d354fdccf4c71eec3491 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34481,6 +34543,7 @@ AdditionalInputA.14 = 147d51711ae8a420f165db0000d9d0cb9e9cd5447311eed43d7cc9217d + AdditionalInputB.14 = 2910968bb1976a1b8ced116e673f408da6fc563695c918ac0a230b0bb800c707 + Output.14 = 357a7269b30ca744e213d894f5c45d0db9fba897e0c863a56062f5018ad9be9f37b8d550014ed68f2c34bf5195c0b7460df171ff3bd4a590578670c92470d876c8de19d48a6d7fa15fc7996be78d3cc8a5c657439f4bb9865bd56e187d5df2531a405e3e0f4b87c611aa8e226b8b0266290f06f8062456a7a4bf0896e4ddd948 + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -34546,6 +34609,7 @@ Nonce.14 = 66ad2a0d5de624f3d709cc95e5c99220 + PersonalisationString.14 = 6f7f8f1ffdcf859adcf6020d5cffdd8e3e1bdcaef0b22e9e61384b888f1b3537 + Output.14 = 1bc4cd76787f031df8e4f592f56a845f7d8aa200aca0b910e68f149cde112d0f1e127faa7fae25ca4299eacf9e49e132f3e4083f1c5fb0304b714f06cea122bc1392cbe18289d2411ae08642a9196b654a8b177c127b9215f9df815eceb254b8d9b4f632d25d123ceec686124e58b3606ff1ce51fce0752f42232c03694a1d8a + ++Availablein = default + RAND = HASH-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -39331,6 +39395,7 @@ Output.14 = c731cc7b21c42730bd3cca61fc5250b507ad08b24ac471d526f2217f15dc4d1fea85 + + Title = HMAC DRBG No Reseed Tests (from NIST test vectors) + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39381,6 +39446,7 @@ Entropy.14 = 5d80883ce24feb3911fdeb8e730f9588 + Nonce.14 = 6a63c01478ecd62b + Output.14 = 9e351b853091add2047e9ea2da07d41fa4ace03db3d4a43217e802352f1c97382ed7afee5cb2cf5848a93ce0a25a28cdc8e96ccdf14875cb9f845790800d542bac81d0be53376385baa5e7cbe2c3b469 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39461,6 +39527,7 @@ AdditionalInputA.14 = 7206a271499fb2ef9087fb8843b1ed64 + AdditionalInputB.14 = f14b17febd813294b3c4b22b7bae71b0 + Output.14 = 49c35814f44b54bf13f0db52bd8a7651d060ddae0b6dde8edbeb003dbc30a7ffea1ea5b08ebe1d50b52410b972bec51fd174190671eecae201568b73deb0454194ef5c7b57b13320a0ac4dd60c04ae3b + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39526,6 +39593,7 @@ Nonce.14 = 296bfe331b6578e6 + PersonalisationString.14 = 4fccbf2d3c73a8e1e92273a33e648eaa + Output.14 = 90dc6e1532022a9fe2161604fc79536b4afd9af06ab8adbb77f7490b355d0db3368d102d723a0d0f70d10475f9e99771fb774f7ad0ba7b5fe22a50bfda89e0215a014dc1f1605939590aa783360eb52e + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39621,6 +39689,7 @@ AdditionalInputA.14 = 4de6c923346d7adc16bbe89b9a184a79 + AdditionalInputB.14 = 9e9e3412635aec6fcfb9d00da0c49fb3 + Output.14 = 48ac8646b334e7434e5f73d60a8f6741e472baabe525257b78151c20872f331c169abe25faf800991f3d0a45c65e71261be0c8e14a1a8a6df9c6a80834a4f2237e23abd750f845ccbb4a46250ab1bb63 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39671,6 +39740,7 @@ Entropy.14 = f41d60edb7749acb68111045000ccef2 + Nonce.14 = bb5fb8962ca3002f + Output.14 = 262821119be1ee0bceedc1bcfd04f7fa2e199b2a7522c4a3a98c4174e0ac4ddcf7323dee2fcf9fbd2fe26c4fad347f7199be105730441f042865aeef50b89c00aa661361b6a1f20849bc7c70aa294543 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39751,6 +39821,7 @@ AdditionalInputA.14 = b4894bbb6435ffeb710bf5ae440bd744 + AdditionalInputB.14 = 689fb48c27983ededdd56d5a6b2c0345 + Output.14 = dfe8a9e17b938a1782fc3dba4f234dd9c9e36b67b28e1d901ca6b3628689aa4d2ae6b005ae3ce97e0d1e645da2710162294606ce51638b91e9c46d8f7f4f1a217e44c36b560f78b0541fececcf49b9b9 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39816,6 +39887,7 @@ Nonce.14 = 3c9434b7d7e18472 + PersonalisationString.14 = 55bfc33da17f712877829b7f8a134e55 + Output.14 = 705950e4790ada95b99ace57e31115610ebc65d755fe587eae8fb1aeae463bea8b50a278f45e61d3433272ec31b0d48afcf219f5f4a0adb20537be9c7cb65911df28976aed4b4278cc524639a1ca5f40 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39911,6 +39983,7 @@ AdditionalInputA.14 = 7ee4f3670c4671f128cbd743c408bdd1 + AdditionalInputB.14 = 38f8003e8fb8c119534a2c3400a87f8d + Output.14 = fedbb1636b83c5cc5379c9aa4d1319df6d30770e469c2f7bd65b4b74d9bc880d520e11b2c3642a7c4cb6d6138d1d92f716317dd762c0a841e56e7e0226971a7f470e918d44b4f374f9e7e3b5209516d3 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -39961,6 +40034,7 @@ Entropy.14 = 5b6aaaf5c4e5acdacd2c0c14648eeb3f + Nonce.14 = 353cc1174da7f766 + Output.14 = f7664dd99fb870dad1a45a4ddb870c9936fb42b3a063336e447f15703c5a95dd79eacd9f41cd0c1b4f2e1a45229aca140f463c1beab47aa0525e5bd6e1accf360bc8525430ba05fd14d1f008009fd586 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -40041,6 +40115,7 @@ AdditionalInputA.14 = 4eb5c1192fa86b355237b5a8bd43ebf9 + AdditionalInputB.14 = 7323d1a6f983b7d16df6b0aa9d14adb4 + Output.14 = cd41a0d7371b2eeb790fa8335660385c418ba84507ba94d1d1015b3353cdcad556993c19388461fd2cce38cc9fbc00e707b18dea9d712ac0616b443b23aee8131c295a1a741ffde36b2032bdb8ae2f6f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -40106,6 +40181,7 @@ Nonce.14 = 9bee7502db25ae7f + PersonalisationString.14 = d0e8fa47aed6b67ca4e8e521f733921c + Output.14 = 3c649d295fd9b98082706f3f841f5275834143698c202da4c881c7d0a3c9995329a54d440fc4d21ab596e95e5b6651c6e7138b332c97ef771bc6e3b0b3fa09090ffb402ed1116d8395e5f1cfea3eae6b + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -40201,6 +40277,7 @@ AdditionalInputA.14 = d56ade0d74ea34577eb12a899d18d382 + AdditionalInputB.14 = ea83bdba8490ffd136def5f7d9240c59 + Output.14 = cd3d8174d8af97387ff02707d2757ce685ffb5d8dd91d95b8af4a3a757f9321b0e908096cd1321de0599640b7d81f43606b12e029ae158ed568ce1db429be75285c655e15f88da859f09b4cd843a0b61 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -40251,6 +40328,7 @@ Entropy.14 = 1c3fc8de26ddc78651c9c2e4ba874ee0 + Nonce.14 = ca6a2d3cc5495dd0 + Output.14 = d00ff8d3b8ca273cf7c3650e36c892018c0f765da45ab5b902c5accb30ffe01a99d3b86752195dc9aa1232fc852790ef51860fd114bdc78ae02acb5ab2021ec726829591d623b0b66329e641c1f915ce + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -40331,6 +40409,7 @@ AdditionalInputA.14 = b180d77e0ef217268d2d4dc9d4a9532f + AdditionalInputB.14 = b192957f3e98f7595768d00834eee1d9 + Output.14 = 7d4791ccae7980ad19e5d8eb8932ea8ea1756710349ab8b771558cfe471a278dcc263b737486179a4ffad12d5311d23912c3a46f07152808d288be2dfd2b315fc4f6df6418029be52daed643dd3c6110 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -40396,6 +40475,7 @@ Nonce.14 = 84f7310a7ab653e6 + PersonalisationString.14 = 0fb2233c2cea27d17b6dd93bc4621285 + Output.14 = a2f373a523ac9f2524b059d0c23bcaa905e15948c7ebf71b6e82150aef562dae4003c1a8a3748cfd553d9a51a8f9450b9d569d96d897fed50eee23978e49b364c64db63fac9dc0fe9e8b58836aa04a74 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 0 +@@ -41667,6 +41747,7 @@ AdditionalInputA.14 = a58757b98280d90e84d6cf4e2fa89c01a9e6aad22d6cff0d + AdditionalInputB.14 = a3f5de1ec6d0ccd39fa153899f0c1a414106a2aa182acf31 + Output.14 = b1797707f1217d81c8463b44957df350dd139073b056c50d1c912fa111f9cb488bfb7d2ec6faebd078171cd6b71171ae33698ff96c7225d7fd36ddcfeb2630464974d12b3e03877bc73ce1a2f89aea7ff7ddc8ac85708b35dd94d3972875e2d3e7237ec33871e99301202b52e2ff89db + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -41717,6 +41798,7 @@ Entropy.14 = 451ed024bc4b95f1025b14ec3616f5e42e80824541dc795a2f07500f92adc665 + Nonce.14 = 2f28e6ee8de5879db1eccd58c994e5f0 + Output.14 = 3fb637085ab75f4e95655faae95885166a5fbb423bb03dbf0543be063bcd48799c4f05d4e522634d9275fe02e1edd920e26d9accd43709cb0d8f6e50aa54a5f3bdd618be23cf73ef736ed0ef7524b0d14d5bef8c8aec1cf1ed3e1c38a808b35e61a44078127c7cb3a8fd7addfa50fcf3ff3bc6d6bc355d5436fe9b71eb44f7fd + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -41797,6 +41879,7 @@ AdditionalInputA.14 = 4f53db89b9ba7fc00767bc751fb8f3c103fe0f76acd6d5c7891ab15b2b + AdditionalInputB.14 = 582c2a7d34679088cca6bd28723c99aac07db46c332dc0153d1673256903b446 + Output.14 = 6311f4c0c4cd1f86bd48349abb9eb930d4f63df5e5f7217d1d1b91a71d8a6938b0ad2b3e897bd7e3d8703db125fab30e03464fad41e5ddf5bf9aeeb5161b244468cfb26a9d956931a5412c97d64188b0da1bd907819c686f39af82e91cfeef0cbffb5d1e229e383bed26d06412988640706815a6e820796876f416653e464961 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -41862,6 +41945,7 @@ Nonce.14 = a59394e0af764e2f21cf751f623ffa6c + PersonalisationString.14 = eb8164b3bf6c1750a8de8528af16cffdf400856d82260acd5958894a98afeed5 + Output.14 = fc5701b508f0264f4fdb88414768e1afb0a5b445400dcfdeddd0eba67b4fea8c056d79a69fd050759fb3d626b29adb8438326fd583f1ba0475ce7707bd294ab01743d077605866425b1cbd0f6c7bba972b30fbe9fce0a719b044fcc1394354895a9f8304a2b5101909808ddfdf66df6237142b6566588e4e1e8949b90c27fc1f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -41957,6 +42041,7 @@ AdditionalInputA.14 = 288e948a551284eb3cb23e26299955c2fb8f063c132a92683c1615ecae + AdditionalInputB.14 = d975b22f79e34acf5db25a2a167ef60a10682dd9964e15533d75f7fa9efc5dcb + Output.14 = ee8d707eea9bc7080d58768c8c64a991606bb808600cafab834db8bc884f866941b4a7eb8d0334d876c0f1151bccc7ce8970593dad0c1809075ce6dbca54c4d4667227331eeac97f83ccb76901762f153c5e8562a8ccf12c8a1f2f480ec6f1975ac097a49770219107d4edea54fb5ee23a8403874929d073d7ef0526a647011a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42007,6 +42092,7 @@ Entropy.14 = 17da1efd3e5250dfde3ef1683bd9cf4d4432a2f223399664f7645763bebd5ebd + Nonce.14 = 0b160c67b97d5302972b5c517bed5a7c + Output.14 = 859bab959dd16f2cddb05376b3d3e46cd13c191c18203bf3c0bbd5803cc559aacce48d88564166fd5f43c22d08cda1acd8004f36915739796a39ca96f8e7def14b58a8ee55ff72de7e2e2727389e027657447e32e47d4ea2f0fda48e86046d111cc334bebf4ee1019199c94fdb26169661cec0b0c47176cb5fb7aed8ad35afb1 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42087,6 +42173,7 @@ AdditionalInputA.14 = 50687524beffed38fe27963340483886645153311dbd4d10d86e7d6b26 + AdditionalInputB.14 = 1e3ebe4a54c3092d540ad2898ec3be1af84a1d515c013632402ffdeede7caa8b + Output.14 = 007139a46072d9dbb6589b8ecf5f287d3aebb13b480ffcd6e95f0b2f916cd99e75f30a21971298257a80c17e9e41f8e0874dc9da8f6c18007a6e4cd5971df083ae62bb7b9f1bd4926f17e5574535f6009c0068b4ea3a50e2ba6c6aa6c7729fbe8ba58b4b795740ff6ae2f3d6fbe3e06828080cd1dcfb11771ec98ad9e0bac0b7 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42152,6 +42239,7 @@ Nonce.14 = 2b653a89e549e3b1ee7817f5864fa684 + PersonalisationString.14 = 814146b3b340e042557b0e8482fcc496a14c02d89195782679172e99654991ed + Output.14 = 3ea100cf50c25d7b2ef286b5fa0720f344de2d568979e7349befa23589083e835205cdf6a4670722fff04260e54618c9c00af75cc26eee665b64e7e628ec4c56a8086dcd583681170f60d565bd97d0f416e4c231e281081b0fcd16c8db63ea9029abbfcb068bf57a36364aa9e27603f447adf337baa35f049a129abdc899f808 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42247,6 +42335,7 @@ AdditionalInputA.14 = 95f6df9905b652de6d08399f61956acf943fe412bc71de60d6b69881f8 + AdditionalInputB.14 = 87b818568ed80f7c2e8f5b5d7be403f8badf9fa0e716aaf1d6409957b242aa07 + Output.14 = 45b5182f313a26008bb4ab82f68a12e7c783c243ba1ac6d8bfaed44ddddb607f964ace9c3505d59ef5a3691143a4845491661a1dff8ac4de2e56b54e263ac3aef86966fd656b5a65d4f3b89731d50fa919663bd5691678ee5f8f499e84b1822bd0b91409b62cf98c176df7e812513f3252d25d15fe13ef9f253af477d16bcfcd + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42297,6 +42386,7 @@ Entropy.14 = 32695b2c55839eb3a048fabedcae1f23bf0c7206280ba4ba0d08b9bd9f119908 + Nonce.14 = 01f2a4cf8a9311abe5ecf58d6661dc5a + Output.14 = 4a4f44f418d585e03f508f2ff05345abffeafd75f610a957be7f3ccaae31ba28e69bf8ae441a405fdbc0ee761e39c76b69062f5a3866fc296be1ad306e6584ab2d250d717605c70a17c46a298f714e4e820c85a1fb84f4d61b9857a40c2902193ad703c78635a2791abe6abca6124229ed75827135c27f1a04d244e1d73ff059 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42377,6 +42467,7 @@ AdditionalInputA.14 = 2e51dbbfda8c92f2c838bd85ca5dfd7f35504fae1ad438431b61c2f062 + AdditionalInputB.14 = 00f507a359585778988b6bb6b91f23d4ab29d2adbe632e4cd4646c8cd5f1b76a + Output.14 = b7adbbf07414551464711ad9a718315b0587db2782d34179b70b4c0e323a91ad9de40933023e3a6be71cd50dc58953ad1bf66354bc45dcd9ea23682d487b43903a8f426182536e170af8b04460c586d8ca56e4c307ab7116d8130634dc9a58e1c3077bbddd6bd58c8a0fb9b18c4b839aacf5fcd711c611db120e6a605745e86a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42442,6 +42533,7 @@ Nonce.14 = 3f9e88b93a6e69d070328c2c570c3be9 + PersonalisationString.14 = bbe702bbd2265e73aa073f47ce55fb65902abbe51635b414df688c60868546e1 + Output.14 = 0280555ba6b2379dce7cd56615d7d86feadb8ad995e2852a0607e663a34b1e0342c7bc649adcb204e271eeb87521591fad74b3bd841971cb100ae5f21599b732d8c5f9d578c1113da7034b580013720e62b1d013e28205d5024f8b1eb3219e6cf821792713354cf1349d32a64f32ecdbd7578c55e401fbea57f21ea3ebef0f9f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42537,6 +42629,7 @@ AdditionalInputA.14 = 38684dfa6edbd61e464e49f7d01932802a5a5d824db6b1df6087e84a8e + AdditionalInputB.14 = 4949b08a12656c497cc6760791982c0d4e674b0f8a14be730a91689ee77e981a + Output.14 = fda39bf8dc1aa785422281dec946bad99d5ead17cac55d47bdb9bd0a80a72f3c611f92bcf29e3e45475426a7a9f139b755f332cf75035b047697f4131c9bbc9ee825ede9a743b14f02dea122194405864aa2b538ed5cdf40ecf81e02bed1556ce0e7974548f050b084b8f3626c0fb2c7272d42cdcb039af4c7d957e285b53b5b + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42587,6 +42680,7 @@ Entropy.14 = 1006646f977b83f4d90870f24b3b72d0b4947037f7671a64ce3b52829506a519 + Nonce.14 = 5698d50f59c42b26339d218fc985a41d + Output.14 = 44ab1d22fd3a84f8847c33d0fb0aea66408d5181b8ea95416beddd9784d86d72d2851857b503253016036246cea11f2ad2bd18fe56508697a50b14e7c85bd9b002deadbce5ff9f72508b6ebce741dd7803a2d8633dbec235cccd37c089c9d747a52000ed4cc1dc8545ddb65e784a698bdc74a6ff4fd7b3dbed31a22f83b4fd8f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42667,6 +42761,7 @@ AdditionalInputA.14 = 8d72118578abbd90ddbe6115ab10b499afa26c2360eaf6fa118ba590ac + AdditionalInputB.14 = 6ca4d45fcbd0c7e964557b2bd7622a528b4722335b47383f7bca004b7cd5cf04 + Output.14 = 360d9ff3111c6b713fc641b571b582770991885f2fea806a485006a1b4f41ece4ce83dcabfd403edde77780c044c96e85ce5d1f1a368ad881a64be8c41e87f0a682ab67170ae05a24b08b4a9178d13ac9928ecb3b5e23e745d93aaa5f111c335c77cb9a5c3da8163cb428fef60da737b884105ae57616637b0e40bad9594bd51 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -42732,6 +42827,7 @@ Nonce.14 = 50f723edc4f658862758e149e7ae4f20 + PersonalisationString.14 = 39d43e627ab7c7a6d12fce4cd8c001678bfadd9d07d4086674e5d8bdef4ac62e + Output.14 = 02e68bf3f78812aa270619b307dc0e57b05b8310084ecd1914a67d93b77127e0b3ec40e359adc451eac8788ac708fde70575fc1b9bbfd291bf5b8d7bda7bcc23a0271ba0bb0e6d617132399bd6cedf5a9a683ea98b3b0dd3bc6d811e4f66c9ec751012992cf54e3ce474e09b31ba9c01ea231d4fa8f09441e204c4d3285c78d0 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-256 + PredictionResistance = 0 +@@ -44003,6 +44099,7 @@ AdditionalInputA.14 = 73cd5580972f69bb4b0d0cd8915a5b594c3a9fa40b82d6b37446dff4c0 + AdditionalInputB.14 = 304c2001d8bfb9f1b23f3b336db9f5da17752cbaba782d8932d2641aab4c34b8 + Output.14 = 5771705c788e15fd5f656d4b5555d532ee4c48453be651a69c30fa706abe7719d9842028c667fab59aab97fe64a6140baa5d42dbfb7ecd58f2ce557a7b8b2c01669232e0b8bb0ddc6ef8dbe627ec5b370ec74553640982a14bd38ad9824b9651b717f8e90f539c42d04f7cff648c38b26abf38dd2a777348a4c2872f6551ef0f9e148bec810025779e7cbe1055cb0250a764fca5a1feba53bba64b7ea0c4dd3d56a7e6b4f8a157264e6666d356fe5a7a29fde7f4391662c4e69f471c21c6beeb + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44053,6 +44150,7 @@ Entropy.14 = 2c13e44674e89aa105fc11b05e8526769a53ab0b4688f3d0d9cf23af4c8469bb + Nonce.14 = 700ac6a616c1d1bb7bd8ff7e96a4d250 + Output.14 = f778161306fc5f1d9e649b2a26983f31266a84bc79dd1b0016c8de53706f9812c4cebdbde78a3592bc7752303154acd7f4d27c2d5751fc7b1fee62677a71fc90e259dfb4b6a9c372515fac6efe01958d199888c360504ffa4c7cf4517918c430f5640fedc738e0cc1fcec33945a34a62ca61a71a9067298d34ac4a93751ddcd9a0f142748a1f0a81a948c6c6a16179e70b6f13633fd03b838da20f81450b4fdc1752e98e71296f1941ca58e71b73ea93e99a98f58d0892fa16de6a16c602036ac857dd75f9ac2c9185932103db5430e80cde9131e814a0bf3f3e7a2200a7152424472fd27f791a854f29aecc448f8d3fca3f93290266df3193d9e13e08907ab2 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44133,6 +44231,7 @@ AdditionalInputA.14 = 6cfccdd8253cc5b284701ef8d16f8888f79100373a7df50f43a122591b + AdditionalInputB.14 = 5795ae5be47a7f793423820352505e3890bac3805c102020e48226deab70140a + Output.14 = 4a398c114f2e0ac330893d103b585cadcf9cd3b2ac7e46cde15b2f32cc4b9a7c7172b1a73f86d6d12d02973e561fa7f615e30195f7715022df75157f41dc7f9a50029350e308e3345c9ab2029bdc0f1b72c195db098c26c1ab1864224504c72f48a64d722e41b00707c7f2f6cdfe8634d06abe838c85b419c02bf419b88cde35324b1bfdaddff8b7e95f6af0e55b5ff3f5475feb354f2a7a490597b36080322265b213541682572616f3d3276c713a978259d607c6d69eec26d524ba38163a329103e39e3b0a8ec989eca74f287d6d39c7ceda4df8558faeb9d25149963430f33b108dc136a4f9bfa416b3ceaa6632cd5505fe14fb0d78cf15f2acfa03b9c307 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44198,6 +44297,7 @@ Nonce.14 = fff1f2e2ac117af8b2cb023f0dd6c6ea + PersonalisationString.14 = 0a4c2df69d6c69df0a9c58ab7c886ed9db294f5fe98eb066fde543b409ee91e0 + Output.14 = ae35e947a538e7da73f944b4dea689c064b144b753fe597369e58ec4868099c0f000995949e82dc3e5c00555a2cfe48c8a87e87ae5e7402e2b1679e413cc556f08796269ef3ea83d6a49116349a31710964fb2f936cccf249472eab3267cc1ca0073ff4d964eefc82dd1559c3737661f8b206757a64c756680fb7ab6be8cb433b93f21a04c1e99c777ac26c1f34918794085ee593ca27ae991c53d141e52f90e7872bbb036dce78e6a33e2d638360f9c15d5746d6ff13c1bcdff1cd01749fa51c3c72e68c0ce57423d4915abe84c15cfb3301d0c3b8ffc6a1962c1fd981790fa2a3da60d70e8e8557e4b2e7458ad85f5141ad46e1db751893e8327c8197571e8 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44293,6 +44393,7 @@ AdditionalInputA.14 = 2b2dbe3834d8be93f1396b19be83bd96823dd82740da71c5eeb7b21865 + AdditionalInputB.14 = 49c322fc1bec86d3e20628d9bdc1644e6f5e0237c7c694746bfee32a00145696 + Output.14 = 9110cec7d07e6e32724bf043e73021b3ca0e4516b619d036ac9a00914e12f01ece71989f55c1caccd542c60a9cccffb91e203fd39dca2d92c8eb03ee7ee88abf21dc6891de326c3190f25ee9ab44ca72d178db0f846969465b25a07dcc83777e6b63a7f9f1a8246dd31ce50cd9eb70e6e383c9ad4dae19f7cec8bfe079b36d309c28b10161c28b8d66c357c7ee01f07403a596366725fd5bd3a5de3cb40dcf60aac10635615b866ae633fbdb7ece41695d533757d9d16c6d44fd170fae77c15b7426ed6ec8c9d6e9245cd5e19e8dc3c8c7e671007ce8454413bd07407e8a2248bee95a7669db6ee47377b4490a6251abb60cd4e2e404ab88aa4948e71ecec50c + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44343,6 +44444,7 @@ Entropy.14 = 1436be35237c34bac5b5b36b24c998380883fb52621daa420112cb57bc84745c + Nonce.14 = ed884f91a94c1b0a51f316df776283af + Output.14 = c74ce568f0c465e79ef3700857cc8857b74ec8c075cada3f2698ff69569318b130b5b079ac5b69814d057097b0a107a546b011db601b2f7aa1708effd6479f383d7d484a5df76b63f1419eb360991475b2cd97590a1887487a76cd6fde7764cba5f101e4614c635ba7b1e18724a0a8fb39ca0948bffc441b6aa0216cf3c28ae6c06a24ad1bbe68970e06884d3b68325a3d7c1dce9a2fe87d565dccdcee7c62ed32b577763f510f0029a99530209628359bedf4bbfed1a13c222692d8cae60ca736df834a6e316db27642ed5839d2e11716a5c06e8d067e8548d7ac0687da801d292e2a6f414d7470d2e72261188347878d18e00fab3d4c15cb4c4a73cf963437 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44423,6 +44525,7 @@ AdditionalInputA.14 = 48e994654ab1d109511a3b34f5fa9f12b8da17da510d7a71e3839ba86b + AdditionalInputB.14 = 949ee0617b277a3ddf4a51343104704775d91797be1826d78051496a87d9113d + Output.14 = c4bce916b00a8583ebe1e85feaa1f076315ec9433e18afa1252061a62fc7558491678cb31048e4b4551b697e8dcb58dff951337f0fb7a41546d9a7838a1da149cb44558d324eab9e7ae147e8ead666e3d4eabc9978626efc8710ba8b5eb485d5693e5d6cac36ddd3a1a878ffbc77e9ec5d333cdae2b5803dcbba70d4e0dc60366dae5cf25990f3ae6147c99ec6c998397a1ac02b1b6ef6867aa897ca90b7fb938e3ddeef57e40897a644a4f08e37c995210e00f07145d5b3620ce673072525f9f74adf79ad703c4a09adc6eadcf77e76c6b032270d4c68f01672decf9aa0e941086188304fc33a28f53bf121df747b7dfdc00ddfe68f6d06ab7e82295f70652e + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44488,6 +44591,7 @@ Nonce.14 = 70916df78dd9ea799230435b3e48686b + PersonalisationString.14 = bf755696adb9c92839798798f836b063cbbe987f0163ef3f4a97222c888f5da0 + Output.14 = 411cd8e76e711447e8a93ca95aa3aac5e51f559d65a8385a15e71877ac8472a347d9d453bd6761655711ce2133900d28e41cfd1292d28848646e5cbdcac1e60e49e62aab169b1735e701e38d65ccc073f277972ca85444dea86c19c0c08317dbbeca4fbd5d4295c9da71b89623d0028cebf1ab68fd0aef5b37e76e2e0b3e7f72eee04c01b6afb180b1fa0c370975526b788ec4db076a16a798671451af3e20d323684e232a25d78aaa8ee43f734f1555bf0a324053c7c895dc3e098621e189962a914f486cd7a5ff330f39316afb762b1a06cf8b593ca00d7edf739e2e6827a7af662f33bb09fad09d6bdb3a565f2bd32512c79927d390c79a1cc6db968b13a0 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44583,6 +44687,7 @@ AdditionalInputA.14 = 6f9f47857a60b6f3f9fe9a83ebcec5f16ca73e236d2af5b0daab45c0b9 + AdditionalInputB.14 = e6628fbe4a774bc5383218302b7c565da5a5bd9f19db6182b444af5ae5f62739 + Output.14 = d701c1824a82ff1803c4b59f490c3f37850ce85b5905059ac4484f5049f31772ab8401bc9b8fc1fd6ca06d01f01caecb3cbd914ea9574f497df0316a0d56e2830c8a908ba78d1dbe243d0fbc560c407052ec02e9c77f7b12264a46316a777955ae87a71f2da9cef2811f6328ccb288343abb65a36359c07122cb4e6639397829c48dbf8a821ddf00ddec2f294e48d05adfd0f7a706bfc337387bb7923641d08c288d23ed5a2a20f34684549f9f6b3d74ac0f04e10c7dec04aceac369f505d7ccacdf30ea0662cbab001740922e9ac32b6968e0c5a640345d1132e883e07fc82858980489893d0e38960883e989c41e72ee967c00b9a943f0666d1f5e93e848ef + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44633,6 +44738,7 @@ Entropy.14 = f5ee32b61bd57a4a4d51309e846f636560a8bb2a576c65d37a3f715ff1878014 + Nonce.14 = c638557dae4f9ab6e078c61d54d0f566 + Output.14 = e929e6c5c4a629c49fbb8623aea903ea129bb6484ed542cf940dd97bedc292e8bce924ef0cc57fa9b50b17b82618a840375874735560aea57e4e9701e4ecd0e812d1bf9fdecf67f431e4d7f6f455dfe4bd3b9a1553c574b0bfbc933a31580319c97682dd990c7081b711c2fa67a4eb54472be39f634c5dd901848c012c309c43f34d189a72c219acf8ca393d3f2cb292d62bb4d5e88f2b6e5e0422dafeac17415af623473f26ec24e65082123db9b9c00dbce3ca1942269fdf66f14add6c486a00527a39b050c2f3a6bc461e750f6e33236de198742284998bff98b7b3f6566e66679b3d8a1e63561fb5f8228867b8ff92230a9f2a6b9427821b6d55a359994d + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44713,6 +44819,7 @@ AdditionalInputA.14 = db7b290176b65f826aac2190a912672f8a9c97815706af33732f68b1f7 + AdditionalInputB.14 = 13425f17d8fbcca3b4d7793a53507a85813f6f50d3365d680c0620d5fe1bfc33 + Output.14 = 12d4cfe6574dddbf9de82b8a357bbd6e32a3addb7022c313ac401d0aecfbdfbc7229822f7db9012e8bb0e2907fd48d3eb435ef8368802e5eb948f1bd8d47569b694e23979652f6978b568d7e2288b596afbc67b6c1e0d662240356dc6257d9d273a9ca9f7dfc9bd4175a50ad5b328056c37046e734a76384d7418591a7604f332a457f2fbb277dce4fd2729fdd1319dc3a56b9901a50dc90feaf5969cd9e450bd8716e44253ca55c4e1dcf791658cc467cfba613c27a96f67bd68dd8ccf46bbca4294a0f548b919626d1712ed4290ec90c1098a082699450738d32a8c6516d83bd54a42413bc0ea0b37fe5d6b0663806df67f61d2c553aba3aed3f9aff111d2d + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44778,6 +44885,7 @@ Nonce.14 = c600da30d68cddd9b823433845111880 + PersonalisationString.14 = 8896ff67866ff1f59c8e5074d91e6b9112410c9b6a1eefbcf05a1b8c7123dc89 + Output.14 = ad8150de910a0bbdad0a674d032919ac3304d5977fc43ad5d5b1fa9be46f22e94f5c2747db228315b0d0505867fd97f9b1582f97b4693ed542c416df1847a85bcd4ad07d6348a4df78412e3df4e675def7f44b1895a8a2156c811040a46198a863c0107aebc3a426b4c2b9ac294b227d323879a70cdf7ceeee7f6f51f102c3ba4ae9a7343aff295b664c869f2c2d6e4396362fdae7d9b5eb0802f37ff7a3a7f1c944044b1bd9b21fbf23f191c6f538398164c2d1b67390e7b059b1c9f5bb031b89a23895ac65770182c8072fb0ad4a7be055d9a4653d08e6b22a61ebdfb66adec2629030f47aca70a06d68c9e1c041ceb2dc9bcd1ceaf61655ef7bbb1653f3d6 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44873,6 +44981,7 @@ AdditionalInputA.14 = 4adc98c66aa72da2c63172aba2a6c59fb20aa7b195a0b79edc709bfa99 + AdditionalInputB.14 = 83485ecbf938b8035d047956a3a1bea5adb66c4a7a24b21dfce4269681c31bae + Output.14 = 6c69a58a3b27c73ac396840a93ff914219fa80241d39d65890ea612017d7b92b12062fbc0e3c39508c86023f7d70e9b156b4a766465c01c554acd6b5d78568d2087834b3b14f3fdc4d4b959e78ae2fa5298c87321b777afaea4a5c271a584a23a262f8b679cc8198ccd116c88dcf529a6677ebf5189d287f56eb445ad7313acce013b3fe49fb5212cdc3cf8c5ed15aa26b1135d7d9e0570719c4230c104a652fb36ffc57e219e735c03346d18eb57bcba813965bcb39b6a81da624838ba7b9a65d3b684a021f4071c66ce705974f2bd0ce1ad6727136d77529e3b400db0d14ffeabbac877cdf6a38ca66d83492a90482343a5a427ae8b8f77a2f724aa30c11b9 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -44923,6 +45032,7 @@ Entropy.14 = 60da58990a377a615436ef43b1199f88c7a4629653dde2350a4c5115c42e52f6 + Nonce.14 = 592033d0de138ae7082c03553e3bfdf9 + Output.14 = 7a770dbe8e1d3af1dae5b93acd9e6f1748a4a6a88229a875d23b37665e0cc96d888dfdc428a32cab378a9ebe22409709cd9d11f0c751c08d98eeac13b6f76f0f51ccea254cae23177c3aa207c59b5ce221b93442d037256d553275a6c4b5c83c1fe555a630e37d8277e02c050c19e145a71ec98b96ae3ae44c9ff87c4501c1ff7fd5231510ac9df623b3fb178e147f07d1fe02b48e877cba89a822c91b5af56b71d60116c49f80d87656144854909a7d718b5aa8f071f18357c2c9f9b6c0fac3195040f26b86aa936fd35ff37287aa140cd01ca6c5e577d815790d6fcb1a57569d23e801e2eb2b669ae7cf17d87f9ee66e0b515bcab09087e111da199b6a15b2 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -45003,6 +45113,7 @@ AdditionalInputA.14 = 967911f9412d40f2c62e43f48ff965bb1579a2ace388c781e125fe70f4 + AdditionalInputB.14 = 052c401de1053b8dea309196bb8e326d4b643371976d1ff6be0a6ea4ad27e5e9 + Output.14 = f7e8cdc3f8d2796414b9c83486d746cb8b1675b37d0d7546392c59622c693045dbcb10e9343524a6e7a9cc757717af22ddb8127bcdfb29cb8da409bd69d42aed9708cb2f904dff562a695be004ab25d31b8485bdd677c96d156ce8037726519d1949cc15e91acfd1c7c0bd58058b72c7d340b2f0bb12115ef44af6d20ce5f429d681b614e06bcddbf8ba00b40732b4dd425d1a87b663afce0e9a87b942a543b055f00b2428de12464a1309fccd0a15d512691e3858666ea4dc6084283deb075877c0162dbaf8318c9cda01ca611d72fac0b386a753ef35f438757cdf732a61a1f6123d1de3f61eb072d022f56c679a86f7a05bd6fa420ba39ed2973d4007b9cc + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -45068,6 +45179,7 @@ Nonce.14 = 0a6bef6b736129740978e31c3fa279e8 + PersonalisationString.14 = a5ca2491479bda16341b2c14339a5307fc2e2f5df4fa625e0ea351a95a14f588 + Output.14 = df587647f8d440a6c8034e757cd47f28d0e58f8aad9a047cdc8a70a8b1cd0d8185240d47bc5d2f4657205ed218ec38307e68efad94714630cd490b939719a4a07ab994793112c021969a8c69872903315c74b00b677648673e5883b5f46e075550092914cfeab05454226ee3d2154698f368bfda0b8b99eff5d111c1649a0f7e67ec0f637c6d3466994d655066a95732590e521ca055b048dbafd219be1a04fcd047c3722c4adf29ebd8486e7171359292e11ac6b740b4d51093383d64d2a45e51115c689ae29357366f2013eb9b420c6bd069d22c2110182e842eccadae81797a5f57d9ff47311f094ea0a25d7e329fcccb93c28b92ed85ccc2d690a84f2b2a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 0 +@@ -68233,6 +68345,7 @@ Output.14 = 6af689cec62a633492f6e24b754d38dd6ab0b556e91802d72f14dc8c0e9ff50df728 + + Title = HMAC DRBG Prediction Resistance Tests (from NIST test vectors) + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -68313,6 +68426,7 @@ EntropyPredictionResistanceA.14 = ae706e740dda50209b20acf90dfa8cec + EntropyPredictionResistanceB.14 = b4d4b4bc7cba4daa285ff88ce9e8d451 + Output.14 = 74acba48f0216087f18042ff14101707c27d281e5ddbc19c722bec3f77bf17ca31239382f4fc1d4dd0f44c296bc2f10f74864951f7da19a23e3e598ac43fb8bbdd1fca8047b98689ef1c05bc81102bb5 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -68423,6 +68537,7 @@ AdditionalInputB.14 = ccdb3f7d7f6a4d169f5f2e24ec481fcb + EntropyPredictionResistanceB.14 = be4a2c87c875be0e1be01aadf2efeef6 + Output.14 = bfcc8f2ece23d22545ec2176aabd083855923ca9a673b54b66a3e2562212aad3cc74c4c8976de259cc95a2f09a85b7acd1f18c343eff0368a80e73a547efdcd954816b38df1c19556d714897e317d69f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -68518,6 +68633,7 @@ EntropyPredictionResistanceA.14 = f324c09f96434ceea7e756fc2f55a0b3 + EntropyPredictionResistanceB.14 = f043b6e11fc2f671ec00f4d478b791c6 + Output.14 = 40e87b822b1000441884a38b8776baa69fbea99962571e8a20d8af012d50c8c211860ad579869ec880320ea8057d5cb0de9496ec57d8b594ca8be5b94219eaa800af7205f8a83b66c87e0fee9aa9732f + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -68643,6 +68759,7 @@ AdditionalInputB.14 = 0d5a2183c9f9ca6941f6a617892f5e47 + EntropyPredictionResistanceB.14 = 998f9cde45b1dc22db6d2d7bfd4f3930 + Output.14 = 934fe82b0951b97dafc5ba16e87b0459691156b42ff2dbbbd8f6ed9b04be952af267c6a17fbfc86de91f9f07eed482a5362b176216a8963af485503ba93b2e82c03a3ee6225077d90cd961e24f6026f6 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -68723,6 +68840,7 @@ EntropyPredictionResistanceA.14 = 427b47ed008e489cfd06e1a6e0a9f07b + EntropyPredictionResistanceB.14 = e5ee8df96c0e929446502a4bbd23ab22 + Output.14 = a544ea7c3362570f48a42635f4b79f615d11a5d8a480d85ac71e4be90074fbd5e2d368d00755e95a262d79ed262003d3e2a26f82c37d091ae763a01fba08c87b3ec0ce817bbab8d1905f91f021b7d7d0 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -68833,6 +68951,7 @@ AdditionalInputB.14 = 3e95f86a7168410eac0c84995c187fd9 + EntropyPredictionResistanceB.14 = fd15dfdd8cfeeb7ce0c76f759dfd47df + Output.14 = 480d9cbbfa6c923866179318b293c52c9ad86c2ee27faa745873a77d0242afe669d1773fd9c17284097ee8e644aa054deefbb9c73732ba6b5004623df15edeb49ef2e1bc8dbe023f7104ea1395d9fd38 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -68928,6 +69047,7 @@ EntropyPredictionResistanceA.14 = 845decbe6e03e423b3660bfe7db383bf + EntropyPredictionResistanceB.14 = f4ee7409c076201255bc78ec82ca5530 + Output.14 = ac57a08b77c528b834df2757069b6330f05a9196fbbb17300f9c31ef596f551ecc56fa3256c0ab1534df4955f2da1e8d98026b7c5e07290faa5131a95d0fa35a56b075752656ab61a74f889fbb735c58 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69053,6 +69173,7 @@ AdditionalInputB.14 = 063e444dc2990f59e04839fd5e9eaeb6 + EntropyPredictionResistanceB.14 = e059229538a827fe9b7e5caa44fb1e3d + Output.14 = 62efebd7730c6999fd052b98e2bf26eebc96b617a03fe2f1aa7ea3be1aea833f705a3ef3776adc7578f5bb6955a60853ef267fbc18aa3d57b8e0d9134c81e8ffadd0c66d385e5d535d74a615fa896757 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69133,6 +69254,7 @@ EntropyPredictionResistanceA.14 = 74b72e7e1c5f16bf0389dafed9a86ae4 + EntropyPredictionResistanceB.14 = adef9418a342b4717e93df6450429a38 + Output.14 = eae51f34bfaa2970f41c3211ec228cfccc1d3c0fcc077d1d9ba159b3bac8685bc5783f61c67fdd4beca05dd4f14afcfc4d554ae75f73842637671102c3b81cabc9a0638cecad5a6615171be5265d5454 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69243,6 +69365,7 @@ AdditionalInputB.14 = 696d9380b814b456ca59ed58ea765400 + EntropyPredictionResistanceB.14 = d57fb196a634da13ba8695098ed79f9c + Output.14 = 069848aef419759b75896cd507a109f685228b5639470afeac0caa853f1c3dbe373f99db76bf06fe8bac356bedf6bf18787043970fb0a185c8a0a4d8482aa3059eeba0d244fc03c9b72857dc5188d44b + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69338,6 +69461,7 @@ EntropyPredictionResistanceA.14 = 015ef1f359f60a391b3720d578731070 + EntropyPredictionResistanceB.14 = 963736987090fe71e69b4a2480d9b314 + Output.14 = c75a102bea830a8a58d9a9a43cb03b21aea75d8d2a08c37aaae9180a5e1c78e5700b20a5fe1c7ef0a7e3d2adcf539c4c1357946a328a057e719b97d802b586910f804c166d4884d8bbb3bbc03074c53a + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69463,6 +69587,7 @@ AdditionalInputB.14 = e0b7ad60c542e6c2b324652fd2d7cdc6 + EntropyPredictionResistanceB.14 = dc7ea852c3e5467977c7946e77223567 + Output.14 = 0e2e5f47ca8ce1c7fdae1b49d6bc8594da1458eb8dfb35e0602d3812df7532cf6213eba8e75302444529565c40d23d0a336c4cadde37f0def2c3d412984360b65c668ef43263fada16b28860f6ee6ceb + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69543,6 +69668,7 @@ EntropyPredictionResistanceA.14 = 4912a46c447c2de26dbbaec01817d2a6 + EntropyPredictionResistanceB.14 = c182dc35363cd7e04394c28030e6d6b9 + Output.14 = 976daafdf1dd5163e88a928d91933678cda9c8ef9a8251070ee8a6b42efda3c00a73303d0426da4a4af7c587174dce9936bfbb68a73979afee9f3a5b4fb4da2eb2b2f2f1c0948b63b45bf583412b2890 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69653,6 +69779,7 @@ AdditionalInputB.14 = 8022a4985c745515682102a25b379301 + EntropyPredictionResistanceB.14 = 8cc2d8a789d343547ee48869f57ae225 + Output.14 = 5707c544445358767b1c4d6c319b6a8d9be38afbf945dd4e869e9136d63c9d74aa872139e8bdd374510ebcf8c36c39e45ff31596fa58721c2a089dea7b418b3f7a00d78c6ba531adbb59ae2ab44bb683 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -69748,6 +69875,7 @@ EntropyPredictionResistanceA.14 = 701b8e70583effd1c4e901c50966127e + EntropyPredictionResistanceB.14 = 40e9ad701b63ee7bd6132d7f056a1f09 + Output.14 = a76b3e058ed1a8ca5860b15abe08a607894207d3d3be5bf6c3dc99c01523c85bf18927bc6d3f66cfef63a238aaef1ee87998100faabeef0d2518f3ccc0423d776a440ec9a87c5601fdf45c309c264dcd + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-1 + PredictionResistance = 1 +@@ -76340,6 +76468,7 @@ EntropyPredictionResistanceA.14 = a918ec35414b0bf1d9ba3b80ef838e75b9504fb6b77e40 + EntropyPredictionResistanceB.14 = c25de5d8b1f17acb7303c4a652ea1bcf284bfdc08a12c40ece16e3125fc8757e + Output.14 = a3072880e72e76ec1e467d7c4f4ab8013eca926c96f075a0a25f5550931f4d6b3aff2057ae6fc1382d579e8963ee24459d76d7414d250aaf5b302a539775862e26596176de2891589defa7aa66f763126c7fb7ced0fa80f3f5e1f0d15295e6025fad617e554838876c8c8efb4bef1e1227a1c967afe99540c1992328a70798167eaea5a768f1f4395178dc914cde01b8e6b98266a66c5c079e19e5d3b6599c6dec24e8e155b310164299d1b4d31ab2e0c3b917b0cb627a4cc19c86061c74c849aab764feacd33de7472b7c4e1403cb38f8f1c3062e75966b2e2c0b2d7d966271f3d180440aa2ed2194bbf7d8b9415a5c5bb7f3df7cf2d02740cd4366ee3781a9 + ++Availablein = default + RAND = HMAC-DRBG + Digest = SHA-512 + PredictionResistance = 1 +-- +2.41.0 + diff --git a/openssl-skip-quic-pairwise.patch b/openssl-skip-quic-pairwise.patch new file mode 100644 index 0000000..088f284 --- /dev/null +++ b/openssl-skip-quic-pairwise.patch @@ -0,0 +1,85 @@ +From 42ed594a3a905830374fb65cced431748f8c639c Mon Sep 17 00:00:00 2001 +From: Dmitry Belyavskiy +Date: Thu, 4 Apr 2024 11:50:58 +0200 +Subject: [PATCH 45/50] 0115-skip-quic-pairwise.patch + +Patch-name: 0115-skip-quic-pairwise.patch +Patch-id: 115 +Patch-status: | + # Amend tests according to Fedora/RHEL code +--- + test/quicapitest.c | 4 +++- + test/recipes/01-test_symbol_presence.t | 1 + + test/recipes/30-test_pairwise_fail.t | 13 +++++++++++-- + 3 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/test/quicapitest.c b/test/quicapitest.c +index 41cf0fc7a8..0fb7492700 100644 +--- a/test/quicapitest.c ++++ b/test/quicapitest.c +@@ -2139,7 +2139,9 @@ int setup_tests(void) + ADD_TEST(test_cipher_find); + ADD_TEST(test_version); + #if defined(DO_SSL_TRACE_TEST) +- ADD_TEST(test_ssl_trace); ++ if (is_fips == 0) { ++ ADD_TEST(test_ssl_trace); ++ } + #endif + ADD_TEST(test_quic_forbidden_apis_ctx); + ADD_TEST(test_quic_forbidden_apis); +diff --git a/test/recipes/30-test_pairwise_fail.t b/test/recipes/30-test_pairwise_fail.t +index c837d48fb4..f06ef04b1a 100644 +--- a/test/recipes/30-test_pairwise_fail.t ++++ b/test/recipes/30-test_pairwise_fail.t +@@ -9,7 +9,7 @@ + use strict; + use warnings; + +-use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file); ++use OpenSSL::Test qw(:DEFAULT bldtop_dir srctop_file srctop_dir data_file with); + use OpenSSL::Test::Utils; + + BEGIN { +@@ -31,28 +31,37 @@ run(test(["fips_version_test", "-config", $provconf, ">=3.1.0"]), + SKIP: { + skip "Skip RSA test because of no rsa in this build", 1 + if disabled("rsa"); ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "rsa"])), + "fips provider rsa keygen pairwise failure test"); ++ }); + } + + SKIP: { + skip "Skip EC test because of no ec in this build", 2 + if disabled("ec"); ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "ec"])), + "fips provider ec keygen pairwise failure test"); ++ }); + + skip "FIPS provider version is too old", 1 + if !$fips_exit; ++ with({ exit_checker => sub {my $val = shift; return $val == 134; } }, ++ sub { + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "eckat"])), + "fips provider ec keygen kat failure test"); ++ }); + } + + SKIP: { + skip "Skip DSA tests because of no dsa in this build", 2 +- if disabled("dsa"); ++ if 1; #if disabled("dsa"); + ok(run(test(["pairwise_fail_test", "-config", $provconf, + "-pairwise", "dsa", "-dsaparam", data_file("dsaparam.pem")])), + "fips provider dsa keygen pairwise failure test"); +-- +2.44.0 + diff --git a/openssl-skipped-tests-EC-curves.patch b/openssl-skipped-tests-EC-curves.patch new file mode 100644 index 0000000..d500b5e --- /dev/null +++ b/openssl-skipped-tests-EC-curves.patch @@ -0,0 +1,55 @@ +From 9ede2b1e13f72db37718853faff74b4429084d59 Mon Sep 17 00:00:00 2001 +From: rpm-build +Date: Mon, 31 Jul 2023 09:41:28 +0200 +Subject: [PATCH 13/35] 0013-skipped-tests-EC-curves.patch + +Patch-name: 0013-skipped-tests-EC-curves.patch +Patch-id: 13 +Patch-status: | + # Skipped tests from former 0011-Remove-EC-curves.patch +From-dist-git-commit: 9409bc7044cf4b5773639cce20f51399888c45fd +--- + test/recipes/15-test_ec.t | 2 +- + test/recipes/65-test_cmp_protect.t | 2 +- + test/recipes/65-test_cmp_vfy.t | 2 +- + 3 files changed, 3 insertions(+), 3 deletions(-) + +Index: openssl-3.2.3/test/recipes/15-test_ec.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/15-test_ec.t ++++ openssl-3.2.3/test/recipes/15-test_ec.t +@@ -94,7 +94,7 @@ SKIP: { + + subtest 'Check loading of fips and non-fips keys' => sub { + plan skip_all => "FIPS is disabled" +- if $no_fips; ++ if 1; #SUSE specific, original value is $no_fips; + + plan tests => 2; + +Index: openssl-3.2.3/test/recipes/65-test_cmp_protect.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/65-test_cmp_protect.t ++++ openssl-3.2.3/test/recipes/65-test_cmp_protect.t +@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo + plan skip_all => "This test is not supported in a shared library build on Windows" + if $^O eq 'MSWin32' && !disabled("shared"); + +-plan tests => 2 + ($no_fips ? 0 : 1); #fips test ++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test + + my @basic_cmd = ("cmp_protect_test", + data_file("prot_RSA.pem"), +Index: openssl-3.2.3/test/recipes/65-test_cmp_vfy.t +=================================================================== +--- openssl-3.2.3.orig/test/recipes/65-test_cmp_vfy.t ++++ openssl-3.2.3/test/recipes/65-test_cmp_vfy.t +@@ -27,7 +27,7 @@ plan skip_all => "This test is not suppo + plan skip_all => "This test is not supported in a no-ec build" + if disabled("ec"); + +-plan tests => 2 + ($no_fips ? 0 : 1); #fips test ++plan skip_all => 2 + ($no_fips ? 0 : 1); #fips test + + my @basic_cmd = ("cmp_vfy_test", + data_file("server.crt"), data_file("client.crt"), diff --git a/openssl-truststore.patch b/openssl-truststore.patch new file mode 100644 index 0000000..53f0b82 --- /dev/null +++ b/openssl-truststore.patch @@ -0,0 +1,17 @@ +Don't use the legacy /etc/ssl/certs directory anymore but rather the +p11-kit generated /var/lib/ca-certificates/openssl one (fate#314991) +Index: openssl-3.2.3/include/internal/common.h +=================================================================== +--- openssl-3.2.3.orig/include/internal/common.h ++++ openssl-3.2.3/include/internal/common.h +@@ -82,8 +82,8 @@ __owur static ossl_inline int ossl_asser + + # ifndef OPENSSL_SYS_VMS + # define X509_CERT_AREA OPENSSLDIR +-# define X509_CERT_DIR OPENSSLDIR "/certs" +-# define X509_CERT_FILE OPENSSLDIR "/cert.pem" ++# define X509_CERT_DIR "/var/lib/ca-certificates/openssl" ++# define X509_CERT_FILE "/var/lib/ca-certificates/ca-bundle.pem" + # define X509_PRIVATE_DIR OPENSSLDIR "/private" + # define CTLOG_FILE OPENSSLDIR "/ct_log_list.cnf" + # else diff --git a/openssl.keyring b/openssl.keyring new file mode 100644 index 0000000..84cbddc --- /dev/null +++ b/openssl.keyring @@ -0,0 +1,31 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- +Comment: BA54 73A2 B058 7B07 FB27 CF2D 2160 94DF D0CB 81EF +Comment: OpenSSL + +xsFNBGYT46cBEADnGgpkGwVTO5hu+sqoC3UWXM1nxr3v+tLveHQQlMA/MLDwK+TS +1sMFSsOEE1ehAlhaEVCaiHSh+8PSqs8bvxrkbC8FXj6UkHvdZOoBgoDqEVUXawen +UmW/3OEQtC/815ByacwHsbgabTY+bXQBAvKnDsKMIg04YlE1UVLnO6Rf0v/AvnlK +400c0J/KOPOXP2+e5dYMxRN/8CMFA+Jo8m1N2/gDKb3y1Ga6Ug9Qg/7VmL+zp/9A ++JnVQFhVQgpt2hVGKcKteJvDJODRAmBG371E+KV+lnh0jvALUxGiC+h/XrHmm8Em +7hQM7LLoVKGDPxYYUQKA6U6+//Q3J7JgrstLTxAZ6Xz3516o8gM4EeNXo/rXNqNw +Ng4zKeYAU0klk0hDIf7JHluT/Xxy9ezgRK6V3RJEvvjA1RjpsTVe7uDw5GPEoRO/ +xXtcLghhPixbL6y1FOspZqx3BzroX6Ic4V03Ub61YL6Zx3Q3tTcaj+4QFGXVA3SN +WL6is2XBdvZAiOgO/7lbRXGq/vFtvynYPLEx6LbZdKtdfADUCgD7If4gvif5yaL2 +isSfD3UmoXPdDDLGdga5/dhmg2658AigHw6t0fPWnxPx4EUc1tL2bb+dEG+soRoj +s4QHHoAhEeVEKdeFfu7lE3i0omS/mp63IFUFI7AybnHYiZ2ujyc5sBBsnwARAQAB +zR1PcGVuU1NMIDxvcGVuc3NsQG9wZW5zc2wub3JnPsLBlAQTAQoAPhYhBLpUc6Kw +WHsH+yfPLSFglN/Qy4HvBQJmE+OnAhsDBQkDwmcABQsJCAcCBhUKCQgLAgQWAgMB +Ah4BAheAAAoJECFglN/Qy4HvXIcP/jCgVgZ7wMwMaDqbwBJOVKQ7sVzNvjy1xMr+ +XkXn1FHme1MlRl4Uw9Wzeh8TUckzx59+CAqe/pRRYhR9kL0S8WUhoa4VK61c47WS +0wFWzOOuQ4JQO9v9zP6hsKubnQdA9ggq3rvkFrRDIV0DPU6iFxXs2/kYmuqHxIkO +GgLx+aCWPx0XNAdJyov46EbQnIjJOdialeC2dIEdIU0Vk5N0jWYv6MKweAmXRVLM +Jusz3yfNZ0FmydSo90aNQcQz4fp3vgF8qP7Z5BmMOSWOnXJawJd8+ic0RXRWdsMS +oxyAEKH/98IUPZII8N8c5u8pAJ52m7LQRm8CKk4GzylStaV+Pe6PuNTVkx1sIE62 +Sv0RFbd2yJ5Wou5Z/1lRZvzjF5R3G+dobKZLym2HwNkJtFROODFqiPkcKYCSSd4c +sqlOVh2X6/8VlJZ9Q4r7pAm/ulPnf/PSEo8l7kr/JS7Q09nlwNaa5l9nwvrt2z+u ++5dNZt5syyVgpNd4mPZMFb9TXqoFrhrZfLGZ2I3GQ7tLX2boHhBXNl32a1sb2Qsv +9fbz++sFbYrfDhsjH5eEwBjW7o4Kkd/cTMJGufLczy3Cb+RyrjyBrSwfMQf0xHkp +QKidfWOKv9j+yeEhGVCHaIPilYNVeZFRHzL1H9oIkda2BZamj7iYveVnnDBjgpN7 +k6YNfbUM +=Fi54 +-----END PGP PUBLIC KEY BLOCK----- diff --git a/reproducible.patch b/reproducible.patch new file mode 100644 index 0000000..6c40942 --- /dev/null +++ b/reproducible.patch @@ -0,0 +1,929 @@ +commit 0fbc50ef0cb8894973d4739af62e95be825b7ccf +Author: trigpolynom +Date: Tue Oct 17 22:44:45 2023 -0400 + + aes-gcm-avx512.pl: fix non-reproducibility issue + + Replace the random suffix with a counter, to make the + build reproducible. + + Fixes #20954 + + Reviewed-by: Richard Levitte + Reviewed-by: Matthias St. Pierre + Reviewed-by: Tom Cosgrove + Reviewed-by: Hugo Landau + (Merged from https://github.com/openssl/openssl/pull/22415) + +diff --git a/crypto/modes/asm/aes-gcm-avx512.pl b/crypto/modes/asm/aes-gcm-avx512.pl +index afd2af941a..9f9124373b 100644 +--- a/crypto/modes/asm/aes-gcm-avx512.pl ++++ b/crypto/modes/asm/aes-gcm-avx512.pl +@@ -155,6 +155,9 @@ my $STACK_LOCAL_OFFSET = ($STACK_HKEYS_OFFSET + $HKEYS_STORAGE); + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + my ($arg1, $arg2, $arg3, $arg4, $arg5, $arg6, $arg7, $arg8, $arg9, $arg10, $arg11); + ++# ; Counter used for assembly label generation ++my $label_count = 0; ++ + # ; This implementation follows the convention: for non-leaf functions (they + # ; must call PROLOG) %rbp is used as a frame pointer, and has fixed offset from + # ; the function entry: $GP_STORAGE + [8 bytes alignment (Windows only)]. This +@@ -200,15 +203,6 @@ my $CTX_OFFSET_HTable = (16 * 6); # ; (Htable) Precomputed table (a + # ;;; Helper functions + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +-# ; Generates "random" local labels +-sub random_string() { +- my @chars = ('a' .. 'z', 'A' .. 'Z', '0' .. '9', '_'); +- my $length = 15; +- my $str; +- map { $str .= $chars[rand(33)] } 1 .. $length; +- return $str; +-} +- + sub BYTE { + my ($reg) = @_; + if ($reg =~ /%r[abcd]x/i) { +@@ -417,7 +411,7 @@ ___ + sub EPILOG { + my ($hkeys_storage_on_stack, $payload_len) = @_; + +- my $rndsuffix = &random_string(); ++ my $label_suffix = $label_count++; + + if ($hkeys_storage_on_stack && $CLEAR_HKEYS_STORAGE_ON_EXIT) { + +@@ -425,13 +419,13 @@ sub EPILOG { + # ; were stored in the local frame storage + $code .= <<___; + cmpq \$`16*16`,$payload_len +- jbe .Lskip_hkeys_cleanup_${rndsuffix} ++ jbe .Lskip_hkeys_cleanup_${label_suffix} + vpxor %xmm0,%xmm0,%xmm0 + ___ + for (my $i = 0; $i < int($HKEYS_STORAGE / 64); $i++) { + $code .= "vmovdqa64 %zmm0,`$STACK_HKEYS_OFFSET + 64*$i`(%rsp)\n"; + } +- $code .= ".Lskip_hkeys_cleanup_${rndsuffix}:\n"; ++ $code .= ".Lskip_hkeys_cleanup_${label_suffix}:\n"; + } + + if ($CLEAR_SCRATCH_REGISTERS) { +@@ -537,11 +531,11 @@ sub precompute_hkeys_on_stack { + && $HKEYS_RANGE ne "first32" + && $HKEYS_RANGE ne "last32"); + +- my $rndsuffix = &random_string(); ++ my $label_suffix = $label_count++; + + $code .= <<___; + test $HKEYS_READY,$HKEYS_READY +- jnz .L_skip_hkeys_precomputation_${rndsuffix} ++ jnz .L_skip_hkeys_precomputation_${label_suffix} + ___ + + if ($HKEYS_RANGE eq "first16" || $HKEYS_RANGE eq "first32" || $HKEYS_RANGE eq "all") { +@@ -615,7 +609,7 @@ ___ + } + } + +- $code .= ".L_skip_hkeys_precomputation_${rndsuffix}:\n"; ++ $code .= ".L_skip_hkeys_precomputation_${label_suffix}:\n"; + } + + # ;; ============================================================================= +@@ -1418,20 +1412,20 @@ sub CALC_AAD_HASH { + + my $SHFMSK = $ZT13; + +- my $rndsuffix = &random_string(); ++ my $label_suffix = $label_count++; + + $code .= <<___; + mov $A_IN,$T1 # ; T1 = AAD + mov $A_LEN,$T2 # ; T2 = aadLen + or $T2,$T2 +- jz .L_CALC_AAD_done_${rndsuffix} ++ jz .L_CALC_AAD_done_${label_suffix} + + xor $HKEYS_READY,$HKEYS_READY + vmovdqa64 SHUF_MASK(%rip),$SHFMSK + +-.L_get_AAD_loop48x16_${rndsuffix}: ++.L_get_AAD_loop48x16_${label_suffix}: + cmp \$`(48*16)`,$T2 +- jl .L_exit_AAD_loop48x16_${rndsuffix} ++ jl .L_exit_AAD_loop48x16_${label_suffix} + ___ + + $code .= <<___; +@@ -1499,15 +1493,15 @@ ___ + + $code .= <<___; + sub \$`(48*16)`,$T2 +- je .L_CALC_AAD_done_${rndsuffix} ++ je .L_CALC_AAD_done_${label_suffix} + + add \$`(48*16)`,$T1 +- jmp .L_get_AAD_loop48x16_${rndsuffix} ++ jmp .L_get_AAD_loop48x16_${label_suffix} + +-.L_exit_AAD_loop48x16_${rndsuffix}: ++.L_exit_AAD_loop48x16_${label_suffix}: + # ; Less than 48x16 bytes remaining + cmp \$`(32*16)`,$T2 +- jl .L_less_than_32x16_${rndsuffix} ++ jl .L_less_than_32x16_${label_suffix} + ___ + + $code .= <<___; +@@ -1556,14 +1550,14 @@ ___ + + $code .= <<___; + sub \$`(32*16)`,$T2 +- je .L_CALC_AAD_done_${rndsuffix} ++ je .L_CALC_AAD_done_${label_suffix} + + add \$`(32*16)`,$T1 +- jmp .L_less_than_16x16_${rndsuffix} ++ jmp .L_less_than_16x16_${label_suffix} + +-.L_less_than_32x16_${rndsuffix}: ++.L_less_than_32x16_${label_suffix}: + cmp \$`(16*16)`,$T2 +- jl .L_less_than_16x16_${rndsuffix} ++ jl .L_less_than_16x16_${label_suffix} + # ; Get next 16 blocks + vmovdqu64 `64*0`($T1),$ZT1 + vmovdqu64 `64*1`($T1),$ZT2 +@@ -1588,11 +1582,11 @@ ___ + + $code .= <<___; + sub \$`(16*16)`,$T2 +- je .L_CALC_AAD_done_${rndsuffix} ++ je .L_CALC_AAD_done_${label_suffix} + + add \$`(16*16)`,$T1 + # ; Less than 16x16 bytes remaining +-.L_less_than_16x16_${rndsuffix}: ++.L_less_than_16x16_${label_suffix}: + # ;; prep mask source address + lea byte64_len_to_mask_table(%rip),$T3 + lea ($T3,$T2,8),$T3 +@@ -1601,28 +1595,28 @@ ___ + add \$15,@{[DWORD($T2)]} + shr \$4,@{[DWORD($T2)]} + cmp \$2,@{[DWORD($T2)]} +- jb .L_AAD_blocks_1_${rndsuffix} +- je .L_AAD_blocks_2_${rndsuffix} ++ jb .L_AAD_blocks_1_${label_suffix} ++ je .L_AAD_blocks_2_${label_suffix} + cmp \$4,@{[DWORD($T2)]} +- jb .L_AAD_blocks_3_${rndsuffix} +- je .L_AAD_blocks_4_${rndsuffix} ++ jb .L_AAD_blocks_3_${label_suffix} ++ je .L_AAD_blocks_4_${label_suffix} + cmp \$6,@{[DWORD($T2)]} +- jb .L_AAD_blocks_5_${rndsuffix} +- je .L_AAD_blocks_6_${rndsuffix} ++ jb .L_AAD_blocks_5_${label_suffix} ++ je .L_AAD_blocks_6_${label_suffix} + cmp \$8,@{[DWORD($T2)]} +- jb .L_AAD_blocks_7_${rndsuffix} +- je .L_AAD_blocks_8_${rndsuffix} ++ jb .L_AAD_blocks_7_${label_suffix} ++ je .L_AAD_blocks_8_${label_suffix} + cmp \$10,@{[DWORD($T2)]} +- jb .L_AAD_blocks_9_${rndsuffix} +- je .L_AAD_blocks_10_${rndsuffix} ++ jb .L_AAD_blocks_9_${label_suffix} ++ je .L_AAD_blocks_10_${label_suffix} + cmp \$12,@{[DWORD($T2)]} +- jb .L_AAD_blocks_11_${rndsuffix} +- je .L_AAD_blocks_12_${rndsuffix} ++ jb .L_AAD_blocks_11_${label_suffix} ++ je .L_AAD_blocks_12_${label_suffix} + cmp \$14,@{[DWORD($T2)]} +- jb .L_AAD_blocks_13_${rndsuffix} +- je .L_AAD_blocks_14_${rndsuffix} ++ jb .L_AAD_blocks_13_${label_suffix} ++ je .L_AAD_blocks_14_${label_suffix} + cmp \$15,@{[DWORD($T2)]} +- je .L_AAD_blocks_15_${rndsuffix} ++ je .L_AAD_blocks_15_${label_suffix} + ___ + + # ;; fall through for 16 blocks +@@ -1635,7 +1629,7 @@ ___ + # ;; - jump to reduction code + + for (my $aad_blocks = 16; $aad_blocks > 0; $aad_blocks--) { +- $code .= ".L_AAD_blocks_${aad_blocks}_${rndsuffix}:\n"; ++ $code .= ".L_AAD_blocks_${aad_blocks}_${label_suffix}:\n"; + if ($aad_blocks > 12) { + $code .= "sub \$`12*16*8`, $T3\n"; + } elsif ($aad_blocks > 8) { +@@ -1656,11 +1650,11 @@ ___ + if ($aad_blocks > 1) { + + # ;; fall through to CALC_AAD_done in 1 block case +- $code .= "jmp .L_CALC_AAD_done_${rndsuffix}\n"; ++ $code .= "jmp .L_CALC_AAD_done_${label_suffix}\n"; + } + + } +- $code .= ".L_CALC_AAD_done_${rndsuffix}:\n"; ++ $code .= ".L_CALC_AAD_done_${label_suffix}:\n"; + + # ;; result in AAD_HASH + } +@@ -1710,13 +1704,13 @@ sub PARTIAL_BLOCK { + my $IA1 = $GPTMP2; + my $IA2 = $GPTMP0; + +- my $rndsuffix = &random_string(); ++ my $label_suffix = $label_count++; + + $code .= <<___; + # ;; if no partial block present then LENGTH/DATA_OFFSET will be set to zero + mov ($PBLOCK_LEN),$LENGTH + or $LENGTH,$LENGTH +- je .L_partial_block_done_${rndsuffix} # ;Leave Macro if no partial blocks ++ je .L_partial_block_done_${label_suffix} # ;Leave Macro if no partial blocks + ___ + + &READ_SMALL_DATA_INPUT($XTMP0, $PLAIN_CIPH_IN, $PLAIN_CIPH_LEN, $IA0, $IA2, $MASKREG); +@@ -1755,9 +1749,9 @@ ___ + } + $code .= <<___; + sub \$16,$IA1 +- jge .L_no_extra_mask_${rndsuffix} ++ jge .L_no_extra_mask_${label_suffix} + sub $IA1,$IA0 +-.L_no_extra_mask_${rndsuffix}: ++.L_no_extra_mask_${label_suffix}: + # ;; get the appropriate mask to mask out bottom $LENGTH bytes of $XTMP1 + # ;; - mask out bottom $LENGTH bytes of $XTMP1 + # ;; sizeof(SHIFT_MASK) == 16 bytes +@@ -1781,7 +1775,7 @@ ___ + } + $code .= <<___; + cmp \$0,$IA1 +- jl .L_partial_incomplete_${rndsuffix} ++ jl .L_partial_incomplete_${label_suffix} + ___ + + # ;; GHASH computation for the last <16 Byte block +@@ -1793,9 +1787,9 @@ ___ + mov $LENGTH,$IA0 + mov \$16,$LENGTH + sub $IA0,$LENGTH +- jmp .L_enc_dec_done_${rndsuffix} ++ jmp .L_enc_dec_done_${label_suffix} + +-.L_partial_incomplete_${rndsuffix}: ++.L_partial_incomplete_${label_suffix}: + ___ + if ($win64) { + $code .= <<___; +@@ -1808,7 +1802,7 @@ ___ + $code .= <<___; + mov $PLAIN_CIPH_LEN,$LENGTH + +-.L_enc_dec_done_${rndsuffix}: ++.L_enc_dec_done_${label_suffix}: + # ;; output encrypted Bytes + + lea byte_len_to_mask_table(%rip),$IA0 +@@ -1826,7 +1820,7 @@ ___ + $code .= <<___; + mov $CIPH_PLAIN_OUT,$IA0 + vmovdqu8 $XTMP1,($IA0){$MASKREG} +-.L_partial_block_done_${rndsuffix}: ++.L_partial_block_done_${label_suffix}: + ___ + } + +@@ -2016,7 +2010,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH { + my $GM = $_[23]; # [in] ZMM with mid prodcut part + my $GL = $_[24]; # [in] ZMM with lo product part + +- my $rndsuffix = &random_string(); ++ my $label_suffix = $label_count++; + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;;; - Hash all but the last partial block of data +@@ -2034,7 +2028,7 @@ sub INITIAL_BLOCKS_PARTIAL_GHASH { + # ;; NOTE: the 'jl' is always taken for num_initial_blocks = 16. + # ;; This is run in the context of GCM_ENC_DEC_SMALL for length < 256. + cmp \$16,$LENGTH +- jl .L_small_initial_partial_block_${rndsuffix} ++ jl .L_small_initial_partial_block_${label_suffix} + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;;; Handle a full length final block - encrypt and hash all blocks +@@ -2056,11 +2050,11 @@ ___ + &GHASH_1_TO_16($GCM128_CTX, $HASH_IN_OUT, $ZT0, $ZT1, $ZT2, $ZT3, $ZT4, + $ZT5, $ZT6, $ZT7, $ZT8, &ZWORD($HASH_IN_OUT), $DAT0, $DAT1, $DAT2, $DAT3, $NUM_BLOCKS, $GH, $GM, $GL); + } +- $code .= "jmp .L_small_initial_compute_done_${rndsuffix}\n"; ++ $code .= "jmp .L_small_initial_compute_done_${label_suffix}\n"; + } + + $code .= <<___; +-.L_small_initial_partial_block_${rndsuffix}: ++.L_small_initial_partial_block_${label_suffix}: + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;;; Handle ghash for a <16B final block +@@ -2125,7 +2119,7 @@ ___ + # ;; a partial block of data, so xor that into the hash. + vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT + # ;; The result is in $HASH_IN_OUT +- jmp .L_after_reduction_${rndsuffix} ++ jmp .L_after_reduction_${label_suffix} + ___ + } + +@@ -2133,7 +2127,7 @@ ___ + # ;;; After GHASH reduction + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + +- $code .= ".L_small_initial_compute_done_${rndsuffix}:\n"; ++ $code .= ".L_small_initial_compute_done_${label_suffix}:\n"; + + # ;; If using init/update/finalize, we need to xor any partial block data + # ;; into the hash. +@@ -2144,13 +2138,13 @@ ___ + $code .= <<___; + # ;; NOTE: for $NUM_BLOCKS = 16, $LENGTH, stored in [PBlockLen] is never zero + or $LENGTH,$LENGTH +- je .L_after_reduction_${rndsuffix} ++ je .L_after_reduction_${label_suffix} + ___ + } + $code .= "vpxorq $LAST_GHASH_BLK,$HASH_IN_OUT,$HASH_IN_OUT\n"; + } + +- $code .= ".L_after_reduction_${rndsuffix}:\n"; ++ $code .= ".L_after_reduction_${label_suffix}:\n"; + + # ;; Final hash is now in HASH_IN_OUT + } +@@ -2266,7 +2260,7 @@ sub GHASH_16_ENCRYPT_N_GHASH_N { + die "GHASH_16_ENCRYPT_N_GHASH_N: num_blocks is out of bounds = $NUM_BLOCKS\n" + if ($NUM_BLOCKS > 16 || $NUM_BLOCKS < 0); + +- my $rndsuffix = &random_string(); ++ my $label_suffix = $label_count++; + + my $GH1H = $HASH_IN_OUT; + +@@ -2326,16 +2320,16 @@ ___ + + $code .= <<___; + cmp \$`(256 - $NUM_BLOCKS)`,@{[DWORD($CTR_CHECK)]} +- jae .L_16_blocks_overflow_${rndsuffix} ++ jae .L_16_blocks_overflow_${label_suffix} + ___ + + &ZMM_OPCODE3_DSTR_SRC1R_SRC2R_BLOCKS_0_16( + $NUM_BLOCKS, "vpaddd", $B00_03, $B04_07, $B08_11, $B12_15, $CTR_BE, + $B00_03, $B04_07, $B08_11, $ADDBE_1234, $ADDBE_4x4, $ADDBE_4x4, $ADDBE_4x4); + $code .= <<___; +- jmp .L_16_blocks_ok_${rndsuffix} ++ jmp .L_16_blocks_ok_${label_suffix} + +-.L_16_blocks_overflow_${rndsuffix}: ++.L_16_blocks_overflow_${label_suffix}: + vpshufb $SHFMSK,$CTR_BE,$CTR_BE + vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03 + ___ +@@ -2355,7 +2349,7 @@ ___ + $NUM_BLOCKS, "vpshufb", $B00_03, $B04_07, $B08_11, $B12_15, $B00_03, + $B04_07, $B08_11, $B12_15, $SHFMSK, $SHFMSK, $SHFMSK, $SHFMSK); + $code .= <<___; +-.L_16_blocks_ok_${rndsuffix}: ++.L_16_blocks_ok_${label_suffix}: + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; - pre-load constants +@@ -2805,53 +2799,53 @@ sub GCM_ENC_DEC_LAST { + my $MASKREG = $_[44]; # [clobbered] mask register + my $PBLOCK_LEN = $_[45]; # [in] partial block length + +- my $rndsuffix = &random_string(); ++ my $label_suffix = $label_count++; + + $code .= <<___; + mov @{[DWORD($LENGTH)]},@{[DWORD($IA0)]} + add \$15,@{[DWORD($IA0)]} + shr \$4,@{[DWORD($IA0)]} +- je .L_last_num_blocks_is_0_${rndsuffix} ++ je .L_last_num_blocks_is_0_${label_suffix} + + cmp \$8,@{[DWORD($IA0)]} +- je .L_last_num_blocks_is_8_${rndsuffix} +- jb .L_last_num_blocks_is_7_1_${rndsuffix} ++ je .L_last_num_blocks_is_8_${label_suffix} ++ jb .L_last_num_blocks_is_7_1_${label_suffix} + + + cmp \$12,@{[DWORD($IA0)]} +- je .L_last_num_blocks_is_12_${rndsuffix} +- jb .L_last_num_blocks_is_11_9_${rndsuffix} ++ je .L_last_num_blocks_is_12_${label_suffix} ++ jb .L_last_num_blocks_is_11_9_${label_suffix} + + # ;; 16, 15, 14 or 13 + cmp \$15,@{[DWORD($IA0)]} +- je .L_last_num_blocks_is_15_${rndsuffix} +- ja .L_last_num_blocks_is_16_${rndsuffix} ++ je .L_last_num_blocks_is_15_${label_suffix} ++ ja .L_last_num_blocks_is_16_${label_suffix} + cmp \$14,@{[DWORD($IA0)]} +- je .L_last_num_blocks_is_14_${rndsuffix} +- jmp .L_last_num_blocks_is_13_${rndsuffix} ++ je .L_last_num_blocks_is_14_${label_suffix} ++ jmp .L_last_num_blocks_is_13_${label_suffix} + +-.L_last_num_blocks_is_11_9_${rndsuffix}: ++.L_last_num_blocks_is_11_9_${label_suffix}: + # ;; 11, 10 or 9 + cmp \$10,@{[DWORD($IA0)]} +- je .L_last_num_blocks_is_10_${rndsuffix} +- ja .L_last_num_blocks_is_11_${rndsuffix} +- jmp .L_last_num_blocks_is_9_${rndsuffix} ++ je .L_last_num_blocks_is_10_${label_suffix} ++ ja .L_last_num_blocks_is_11_${label_suffix} ++ jmp .L_last_num_blocks_is_9_${label_suffix} + +-.L_last_num_blocks_is_7_1_${rndsuffix}: ++.L_last_num_blocks_is_7_1_${label_suffix}: + cmp \$4,@{[DWORD($IA0)]} +- je .L_last_num_blocks_is_4_${rndsuffix} +- jb .L_last_num_blocks_is_3_1_${rndsuffix} ++ je .L_last_num_blocks_is_4_${label_suffix} ++ jb .L_last_num_blocks_is_3_1_${label_suffix} + # ;; 7, 6 or 5 + cmp \$6,@{[DWORD($IA0)]} +- ja .L_last_num_blocks_is_7_${rndsuffix} +- je .L_last_num_blocks_is_6_${rndsuffix} +- jmp .L_last_num_blocks_is_5_${rndsuffix} ++ ja .L_last_num_blocks_is_7_${label_suffix} ++ je .L_last_num_blocks_is_6_${label_suffix} ++ jmp .L_last_num_blocks_is_5_${label_suffix} + +-.L_last_num_blocks_is_3_1_${rndsuffix}: ++.L_last_num_blocks_is_3_1_${label_suffix}: + # ;; 3, 2 or 1 + cmp \$2,@{[DWORD($IA0)]} +- ja .L_last_num_blocks_is_3_${rndsuffix} +- je .L_last_num_blocks_is_2_${rndsuffix} ++ ja .L_last_num_blocks_is_3_${label_suffix} ++ je .L_last_num_blocks_is_2_${label_suffix} + ___ + + # ;; fall through for `jmp .L_last_num_blocks_is_1` +@@ -2859,7 +2853,7 @@ ___ + # ;; Use rep to generate different block size variants + # ;; - one block size has to be the first one + for my $num_blocks (1 .. 16) { +- $code .= ".L_last_num_blocks_is_${num_blocks}_${rndsuffix}:\n"; ++ $code .= ".L_last_num_blocks_is_${num_blocks}_${label_suffix}:\n"; + &GHASH_16_ENCRYPT_N_GHASH_N( + $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $DATA_OFFSET, + $LENGTH, $CTR_BE, $CTR_CHECK, $HASHKEY_OFFSET, $GHASHIN_BLK_OFFSET, +@@ -2872,10 +2866,10 @@ ___ + $ENC_DEC, $HASH_IN_OUT, $IA0, $IA1, $MASKREG, + $num_blocks, $PBLOCK_LEN); + +- $code .= "jmp .L_last_blocks_done_${rndsuffix}\n"; ++ $code .= "jmp .L_last_blocks_done_${label_suffix}\n"; + } + +- $code .= ".L_last_num_blocks_is_0_${rndsuffix}:\n"; ++ $code .= ".L_last_num_blocks_is_0_${label_suffix}:\n"; + + # ;; if there is 0 blocks to cipher then there are only 16 blocks for ghash and reduction + # ;; - convert mid into end_reduce +@@ -2891,7 +2885,7 @@ ___ + $GHASHIN_BLK_OFFSET, 0, "%rsp", $HASHKEY_OFFSET, 0, $HASH_IN_OUT, $ZT00, $ZT01, + $ZT02, $ZT03, $ZT04, $ZT05, $ZT06, $ZT07, $ZT08, $ZT09); + +- $code .= ".L_last_blocks_done_${rndsuffix}:\n"; ++ $code .= ".L_last_blocks_done_${label_suffix}:\n"; + } + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +@@ -2985,20 +2979,20 @@ sub GHASH_16_ENCRYPT_16_PARALLEL { + my $GHDAT1 = $ZT21; + my $GHDAT2 = $ZT22; + +- my $rndsuffix = &random_string(); ++ my $label_suffix = $label_count++; + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; + # ;; prepare counter blocks + + $code .= <<___; + cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]} +- jae .L_16_blocks_overflow_${rndsuffix} ++ jae .L_16_blocks_overflow_${label_suffix} + vpaddd $ADDBE_1234,$CTR_BE,$B00_03 + vpaddd $ADDBE_4x4,$B00_03,$B04_07 + vpaddd $ADDBE_4x4,$B04_07,$B08_11 + vpaddd $ADDBE_4x4,$B08_11,$B12_15 +- jmp .L_16_blocks_ok_${rndsuffix} +-.L_16_blocks_overflow_${rndsuffix}: ++ jmp .L_16_blocks_ok_${label_suffix} ++.L_16_blocks_overflow_${label_suffix}: + vpshufb $SHFMSK,$CTR_BE,$CTR_BE + vmovdqa64 ddq_add_4444(%rip),$B12_15 + vpaddd ddq_add_1234(%rip),$CTR_BE,$B00_03 +@@ -3009,7 +3003,7 @@ sub GHASH_16_ENCRYPT_16_PARALLEL { + vpshufb $SHFMSK,$B04_07,$B04_07 + vpshufb $SHFMSK,$B08_11,$B08_11 + vpshufb $SHFMSK,$B12_15,$B12_15 +-.L_16_blocks_ok_${rndsuffix}: ++.L_16_blocks_ok_${label_suffix}: + ___ + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +@@ -3338,25 +3332,25 @@ sub ENCRYPT_SINGLE_BLOCK { + my $XMM0 = $_[1]; # ; [in/out] + my $GPR1 = $_[2]; # ; [clobbered] + +- my $rndsuffix = &random_string(); ++ my $label_suffix = $label_count++; + + $code .= <<___; + # ; load number of rounds from AES_KEY structure (offset in bytes is + # ; size of the |rd_key| buffer) + mov `4*15*4`($AES_KEY),@{[DWORD($GPR1)]} + cmp \$9,@{[DWORD($GPR1)]} +- je .Laes_128_${rndsuffix} ++ je .Laes_128_${label_suffix} + cmp \$11,@{[DWORD($GPR1)]} +- je .Laes_192_${rndsuffix} ++ je .Laes_192_${label_suffix} + cmp \$13,@{[DWORD($GPR1)]} +- je .Laes_256_${rndsuffix} +- jmp .Lexit_aes_${rndsuffix} ++ je .Laes_256_${label_suffix} ++ jmp .Lexit_aes_${label_suffix} + ___ + for my $keylen (sort keys %aes_rounds) { + my $nr = $aes_rounds{$keylen}; + $code .= <<___; + .align 32 +-.Laes_${keylen}_${rndsuffix}: ++.Laes_${keylen}_${label_suffix}: + ___ + $code .= "vpxorq `16*0`($AES_KEY),$XMM0, $XMM0\n\n"; + for (my $i = 1; $i <= $nr; $i++) { +@@ -3364,10 +3358,10 @@ ___ + } + $code .= <<___; + vaesenclast `16*($nr+1)`($AES_KEY),$XMM0,$XMM0 +- jmp .Lexit_aes_${rndsuffix} ++ jmp .Lexit_aes_${label_suffix} + ___ + } +- $code .= ".Lexit_aes_${rndsuffix}:\n\n"; ++ $code .= ".Lexit_aes_${label_suffix}:\n\n"; + } + + sub CALC_J0 { +@@ -3562,52 +3556,52 @@ sub GCM_ENC_DEC_SMALL { + my $SHUFMASK = $_[29]; # [in] ZMM with BE/LE shuffle mask + my $PBLOCK_LEN = $_[30]; # [in] partial block length + +- my $rndsuffix = &random_string(); ++ my $label_suffix = $label_count++; + + $code .= <<___; + cmp \$8,$NUM_BLOCKS +- je .L_small_initial_num_blocks_is_8_${rndsuffix} +- jl .L_small_initial_num_blocks_is_7_1_${rndsuffix} ++ je .L_small_initial_num_blocks_is_8_${label_suffix} ++ jl .L_small_initial_num_blocks_is_7_1_${label_suffix} + + + cmp \$12,$NUM_BLOCKS +- je .L_small_initial_num_blocks_is_12_${rndsuffix} +- jl .L_small_initial_num_blocks_is_11_9_${rndsuffix} ++ je .L_small_initial_num_blocks_is_12_${label_suffix} ++ jl .L_small_initial_num_blocks_is_11_9_${label_suffix} + + # ;; 16, 15, 14 or 13 + cmp \$16,$NUM_BLOCKS +- je .L_small_initial_num_blocks_is_16_${rndsuffix} ++ je .L_small_initial_num_blocks_is_16_${label_suffix} + cmp \$15,$NUM_BLOCKS +- je .L_small_initial_num_blocks_is_15_${rndsuffix} ++ je .L_small_initial_num_blocks_is_15_${label_suffix} + cmp \$14,$NUM_BLOCKS +- je .L_small_initial_num_blocks_is_14_${rndsuffix} +- jmp .L_small_initial_num_blocks_is_13_${rndsuffix} ++ je .L_small_initial_num_blocks_is_14_${label_suffix} ++ jmp .L_small_initial_num_blocks_is_13_${label_suffix} + +-.L_small_initial_num_blocks_is_11_9_${rndsuffix}: ++.L_small_initial_num_blocks_is_11_9_${label_suffix}: + # ;; 11, 10 or 9 + cmp \$11,$NUM_BLOCKS +- je .L_small_initial_num_blocks_is_11_${rndsuffix} ++ je .L_small_initial_num_blocks_is_11_${label_suffix} + cmp \$10,$NUM_BLOCKS +- je .L_small_initial_num_blocks_is_10_${rndsuffix} +- jmp .L_small_initial_num_blocks_is_9_${rndsuffix} ++ je .L_small_initial_num_blocks_is_10_${label_suffix} ++ jmp .L_small_initial_num_blocks_is_9_${label_suffix} + +-.L_small_initial_num_blocks_is_7_1_${rndsuffix}: ++.L_small_initial_num_blocks_is_7_1_${label_suffix}: + cmp \$4,$NUM_BLOCKS +- je .L_small_initial_num_blocks_is_4_${rndsuffix} +- jl .L_small_initial_num_blocks_is_3_1_${rndsuffix} ++ je .L_small_initial_num_blocks_is_4_${label_suffix} ++ jl .L_small_initial_num_blocks_is_3_1_${label_suffix} + # ;; 7, 6 or 5 + cmp \$7,$NUM_BLOCKS +- je .L_small_initial_num_blocks_is_7_${rndsuffix} ++ je .L_small_initial_num_blocks_is_7_${label_suffix} + cmp \$6,$NUM_BLOCKS +- je .L_small_initial_num_blocks_is_6_${rndsuffix} +- jmp .L_small_initial_num_blocks_is_5_${rndsuffix} ++ je .L_small_initial_num_blocks_is_6_${label_suffix} ++ jmp .L_small_initial_num_blocks_is_5_${label_suffix} + +-.L_small_initial_num_blocks_is_3_1_${rndsuffix}: ++.L_small_initial_num_blocks_is_3_1_${label_suffix}: + # ;; 3, 2 or 1 + cmp \$3,$NUM_BLOCKS +- je .L_small_initial_num_blocks_is_3_${rndsuffix} ++ je .L_small_initial_num_blocks_is_3_${label_suffix} + cmp \$2,$NUM_BLOCKS +- je .L_small_initial_num_blocks_is_2_${rndsuffix} ++ je .L_small_initial_num_blocks_is_2_${label_suffix} + + # ;; for $NUM_BLOCKS == 1, just fall through and no 'jmp' needed + +@@ -3616,7 +3610,7 @@ sub GCM_ENC_DEC_SMALL { + ___ + + for (my $num_blocks = 1; $num_blocks <= 16; $num_blocks++) { +- $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${rndsuffix}:\n"; ++ $code .= ".L_small_initial_num_blocks_is_${num_blocks}_${label_suffix}:\n"; + &INITIAL_BLOCKS_PARTIAL( + $AES_KEYS, $GCM128_CTX, $CIPH_PLAIN_OUT, $PLAIN_CIPH_IN, $LENGTH, $DATA_OFFSET, + $num_blocks, $CTR, $HASH_IN_OUT, $ENC_DEC, $ZTMP0, $ZTMP1, +@@ -3625,11 +3619,11 @@ ___ + $ZTMP14, $IA0, $IA1, $MASKREG, $SHUFMASK, $PBLOCK_LEN); + + if ($num_blocks != 16) { +- $code .= "jmp .L_small_initial_blocks_encrypted_${rndsuffix}\n"; ++ $code .= "jmp .L_small_initial_blocks_encrypted_${label_suffix}\n"; + } + } + +- $code .= ".L_small_initial_blocks_encrypted_${rndsuffix}:\n"; ++ $code .= ".L_small_initial_blocks_encrypted_${label_suffix}:\n"; + } + + # ;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;; +@@ -3710,7 +3704,7 @@ sub GCM_ENC_DEC { + + my $MASKREG = "%k1"; + +- my $rndsuffix = &random_string(); ++ my $label_suffix = $label_count++; + + # ;; reduction every 48 blocks, depth 32 blocks + # ;; @note 48 blocks is the maximum capacity of the stack frame +@@ -3751,7 +3745,7 @@ sub GCM_ENC_DEC { + } else { + $code .= "or $PLAIN_CIPH_LEN,$PLAIN_CIPH_LEN\n"; + } +- $code .= "je .L_enc_dec_done_${rndsuffix}\n"; ++ $code .= "je .L_enc_dec_done_${label_suffix}\n"; + + # Length value from context $CTX_OFFSET_InLen`($GCM128_CTX) is updated in + # 'providers/implementations/ciphers/cipher_aes_gcm_hw_vaes_avx512.inc' +@@ -3778,12 +3772,12 @@ sub GCM_ENC_DEC { + # ;; There may be no more data if it was consumed in the partial block. + $code .= <<___; + sub $DATA_OFFSET,$LENGTH +- je .L_enc_dec_done_${rndsuffix} ++ je .L_enc_dec_done_${label_suffix} + ___ + + $code .= <<___; + cmp \$`(16 * 16)`,$LENGTH +- jbe .L_message_below_equal_16_blocks_${rndsuffix} ++ jbe .L_message_below_equal_16_blocks_${label_suffix} + + vmovdqa64 SHUF_MASK(%rip),$SHUF_MASK + vmovdqa64 ddq_addbe_4444(%rip),$ADDBE_4x4 +@@ -3815,7 +3809,7 @@ ___ + + $code .= <<___; + cmp \$`(32 * 16)`,$LENGTH +- jb .L_message_below_32_blocks_${rndsuffix} ++ jb .L_message_below_32_blocks_${label_suffix} + ___ + + # ;; ==== AES-CTR - next 16 blocks +@@ -3836,13 +3830,13 @@ ___ + sub \$`(32 * 16)`,$LENGTH + + cmp \$`($big_loop_nblocks * 16)`,$LENGTH +- jb .L_no_more_big_nblocks_${rndsuffix} ++ jb .L_no_more_big_nblocks_${label_suffix} + ___ + + # ;; ==== + # ;; ==== AES-CTR + GHASH - 48 blocks loop + # ;; ==== +- $code .= ".L_encrypt_big_nblocks_${rndsuffix}:\n"; ++ $code .= ".L_encrypt_big_nblocks_${label_suffix}:\n"; + + # ;; ==== AES-CTR + GHASH - 16 blocks, start + $aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16)); +@@ -3893,15 +3887,15 @@ ___ + add \$`($big_loop_nblocks * 16)`,$DATA_OFFSET + sub \$`($big_loop_nblocks * 16)`,$LENGTH + cmp \$`($big_loop_nblocks * 16)`,$LENGTH +- jae .L_encrypt_big_nblocks_${rndsuffix} ++ jae .L_encrypt_big_nblocks_${label_suffix} + +-.L_no_more_big_nblocks_${rndsuffix}: ++.L_no_more_big_nblocks_${label_suffix}: + + cmp \$`(32 * 16)`,$LENGTH +- jae .L_encrypt_32_blocks_${rndsuffix} ++ jae .L_encrypt_32_blocks_${label_suffix} + + cmp \$`(16 * 16)`,$LENGTH +- jae .L_encrypt_16_blocks_${rndsuffix} ++ jae .L_encrypt_16_blocks_${label_suffix} + ___ + + # ;; ===================================================== +@@ -3909,7 +3903,7 @@ ___ + # ;; ==== GHASH 1 x 16 blocks + # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks + # ;; ==== then GHASH N blocks +- $code .= ".L_encrypt_0_blocks_ghash_32_${rndsuffix}:\n"; ++ $code .= ".L_encrypt_0_blocks_ghash_32_${label_suffix}:\n"; + + # ;; calculate offset to the right hash key + $code .= <<___; +@@ -3937,7 +3931,7 @@ ___ + $IA0, $IA5, $MASKREG, $PBLOCK_LEN); + + $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; +- $code .= "jmp .L_ghash_done_${rndsuffix}\n"; ++ $code .= "jmp .L_ghash_done_${label_suffix}\n"; + + # ;; ===================================================== + # ;; ===================================================== +@@ -3946,7 +3940,7 @@ ___ + # ;; ==== GHASH 1 x 16 blocks (reduction) + # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks + # ;; ==== then GHASH N blocks +- $code .= ".L_encrypt_32_blocks_${rndsuffix}:\n"; ++ $code .= ".L_encrypt_32_blocks_${label_suffix}:\n"; + + # ;; ==== AES-CTR + GHASH - 16 blocks, start + $aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16)); +@@ -4007,7 +4001,7 @@ ___ + $IA0, $IA5, $MASKREG, $PBLOCK_LEN); + + $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; +- $code .= "jmp .L_ghash_done_${rndsuffix}\n"; ++ $code .= "jmp .L_ghash_done_${label_suffix}\n"; + + # ;; ===================================================== + # ;; ===================================================== +@@ -4015,7 +4009,7 @@ ___ + # ;; ==== GHASH 1 x 16 blocks + # ;; ==== GHASH 1 x 16 blocks (reduction) & encrypt N blocks + # ;; ==== then GHASH N blocks +- $code .= ".L_encrypt_16_blocks_${rndsuffix}:\n"; ++ $code .= ".L_encrypt_16_blocks_${label_suffix}:\n"; + + # ;; ==== AES-CTR + GHASH - 16 blocks, start + $aesout_offset = ($STACK_LOCAL_OFFSET + (32 * 16)); +@@ -4059,9 +4053,9 @@ ___ + + $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; + $code .= <<___; +- jmp .L_ghash_done_${rndsuffix} ++ jmp .L_ghash_done_${label_suffix} + +-.L_message_below_32_blocks_${rndsuffix}: ++.L_message_below_32_blocks_${label_suffix}: + # ;; 32 > number of blocks > 16 + + sub \$`(16 * 16)`,$LENGTH +@@ -4094,9 +4088,9 @@ ___ + + $code .= "vpshufb @{[XWORD($SHUF_MASK)]},$CTR_BLOCKx,$CTR_BLOCKx\n"; + $code .= <<___; +- jmp .L_ghash_done_${rndsuffix} ++ jmp .L_ghash_done_${label_suffix} + +-.L_message_below_equal_16_blocks_${rndsuffix}: ++.L_message_below_equal_16_blocks_${label_suffix}: + # ;; Determine how many blocks to process + # ;; - process one additional block if there is a partial block + mov @{[DWORD($LENGTH)]},@{[DWORD($IA1)]} +@@ -4113,13 +4107,13 @@ ___ + + # ;; fall through to exit + +- $code .= ".L_ghash_done_${rndsuffix}:\n"; ++ $code .= ".L_ghash_done_${label_suffix}:\n"; + + # ;; save the last counter block + $code .= "vmovdqu64 $CTR_BLOCKx,`$CTX_OFFSET_CurCount`($GCM128_CTX)\n"; + $code .= <<___; + vmovdqu64 $AAD_HASHx,`$CTX_OFFSET_AadHash`($GCM128_CTX) +-.L_enc_dec_done_${rndsuffix}: ++.L_enc_dec_done_${label_suffix}: + ___ + } + +@@ -4155,7 +4149,7 @@ sub INITIAL_BLOCKS_16 { + my $B08_11 = $T7; + my $B12_15 = $T8; + +- my $rndsuffix = &random_string(); ++ my $label_suffix = $label_count++; + + my $stack_offset = $BLK_OFFSET; + $code .= <<___; +@@ -4163,13 +4157,13 @@ sub INITIAL_BLOCKS_16 { + # ;; prepare counter blocks + + cmpb \$`(256 - 16)`,@{[BYTE($CTR_CHECK)]} +- jae .L_next_16_overflow_${rndsuffix} ++ jae .L_next_16_overflow_${label_suffix} + vpaddd $ADDBE_1234,$CTR,$B00_03 + vpaddd $ADDBE_4x4,$B00_03,$B04_07 + vpaddd $ADDBE_4x4,$B04_07,$B08_11 + vpaddd $ADDBE_4x4,$B08_11,$B12_15 +- jmp .L_next_16_ok_${rndsuffix} +-.L_next_16_overflow_${rndsuffix}: ++ jmp .L_next_16_ok_${label_suffix} ++.L_next_16_overflow_${label_suffix}: + vpshufb $SHUF_MASK,$CTR,$CTR + vmovdqa64 ddq_add_4444(%rip),$B12_15 + vpaddd ddq_add_1234(%rip),$CTR,$B00_03 +@@ -4180,7 +4174,7 @@ sub INITIAL_BLOCKS_16 { + vpshufb $SHUF_MASK,$B04_07,$B04_07 + vpshufb $SHUF_MASK,$B08_11,$B08_11 + vpshufb $SHUF_MASK,$B12_15,$B12_15 +-.L_next_16_ok_${rndsuffix}: ++.L_next_16_ok_${label_suffix}: + vshufi64x2 \$0b11111111,$B12_15,$B12_15,$CTR + addb \$16,@{[BYTE($CTR_CHECK)]} + # ;; === load 16 blocks of data +@@ -4264,7 +4258,7 @@ sub GCM_COMPLETE { + my $GCM128_CTX = $_[0]; + my $PBLOCK_LEN = $_[1]; + +- my $rndsuffix = &random_string(); ++ my $label_suffix = $label_count++; + + $code .= <<___; + vmovdqu @{[HashKeyByIdx(1,$GCM128_CTX)]},%xmm2 +@@ -4276,14 +4270,14 @@ ___ + + # ;; Process the final partial block. + cmp \$0,$PBLOCK_LEN +- je .L_partial_done_${rndsuffix} ++ je .L_partial_done_${label_suffix} + ___ + + # ;GHASH computation for the last <16 Byte block + &GHASH_MUL("%xmm4", "%xmm2", "%xmm0", "%xmm16", "%xmm17"); + + $code .= <<___; +-.L_partial_done_${rndsuffix}: ++.L_partial_done_${label_suffix}: + vmovq `$CTX_OFFSET_InLen`($GCM128_CTX), %xmm5 + vpinsrq \$1, `$CTX_OFFSET_AadLen`($GCM128_CTX), %xmm5, %xmm5 # ; xmm5 = len(A)||len(C) + vpsllq \$3, %xmm5, %xmm5 # ; convert bytes into bits +@@ -4297,7 +4291,7 @@ ___ + vpshufb SHUF_MASK(%rip),%xmm4,%xmm4 # ; perform a 16Byte swap + vpxor %xmm4,%xmm3,%xmm3 + +-.L_return_T_${rndsuffix}: ++.L_return_T_${label_suffix}: + vmovdqu %xmm3,`$CTX_OFFSET_AadHash`($GCM128_CTX) + ___ + } diff --git a/showciphers.c b/showciphers.c new file mode 100644 index 0000000..9001c31 --- /dev/null +++ b/showciphers.c @@ -0,0 +1,27 @@ +#include +#include + +int main() { + SSL_CTX *ctx = NULL; + SSL *ssl = NULL; + STACK_OF(SSL_CIPHER) *sk = NULL; + const SSL_METHOD *meth = TLS_server_method(); + int i; + const char *p; + + ctx = SSL_CTX_new(meth); + if (ctx == NULL) + return 1; + ssl = SSL_new(ctx); + if (ssl == NULL) + return 1; + sk = SSL_get_ciphers(ssl); + for (i = 0; i < sk_SSL_CIPHER_num(sk); i++) { + const SSL_CIPHER *c = sk_SSL_CIPHER_value(sk, i); + p = SSL_CIPHER_get_name(c); + if (p == NULL) + break; + printf("%s\n", p); + } + return 0; +} From b062a1d507729ae9e8d2d6a73417aaa3d2b0cdfbbde0b0177d16c703fc32ba4c Mon Sep 17 00:00:00 2001 From: Pedro Monreal Gonzalez Date: Thu, 2 Jan 2025 18:17:13 +0000 Subject: [PATCH 2/2] - Add support for userspace livepatching on ppc64le (jsc#PED-11850). - Fix evp_properties section in the openssl.cnf file [bsc#1234647] * Rebase patches: - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch - openssl-TESTS-Disable-default-provider-crypto-policies.patch OBS-URL: https://build.opensuse.org/package/show/security:tls/openssl-3?expand=0&rev=128 --- openssl-3.changes | 10 +++++++++- openssl-3.spec | 2 +- ...port-for-PROFILE-SYSTEM-system-default-cipher.patch | 3 ++- ...ESTS-Disable-default-provider-crypto-policies.patch | 6 ++++-- 4 files changed, 16 insertions(+), 5 deletions(-) diff --git a/openssl-3.changes b/openssl-3.changes index b64dd85..4267466 100644 --- a/openssl-3.changes +++ b/openssl-3.changes @@ -1,9 +1,17 @@ ------------------------------------------------------------------- Mon Dec 23 20:14:08 UTC 2024 - Giuliano Belinassi -- Add support for userspace livepatching on ppc64le (jsc#PED-10952). +- Add support for userspace livepatching on ppc64le (jsc#PED-11850). - Use gcc-13 for ppc64le. +------------------------------------------------------------------- +Tue Dec 17 12:42:19 UTC 2024 - Pedro Monreal + +- Fix evp_properties section in the openssl.cnf file [bsc#1234647] + * Rebase patches: + - openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch + - openssl-TESTS-Disable-default-provider-crypto-policies.patch + ------------------------------------------------------------------- Tue Nov 12 15:46:20 UTC 2024 - Pedro Monreal diff --git a/openssl-3.spec b/openssl-3.spec index 06653ca..054b34c 100644 --- a/openssl-3.spec +++ b/openssl-3.spec @@ -1,7 +1,7 @@ # # spec file for package openssl-3 # -# Copyright (c) 2024 SUSE LLC +# Copyright (c) 2025 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed diff --git a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch index ae72609..ab6ed6d 100644 --- a/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch +++ b/openssl-Add-support-for-PROFILE-SYSTEM-system-default-cipher.patch @@ -322,12 +322,13 @@ Index: openssl-3.2.3/apps/openssl.cnf =================================================================== --- openssl-3.2.3.orig/apps/openssl.cnf +++ openssl-3.2.3/apps/openssl.cnf -@@ -52,6 +52,11 @@ tsa_policy3 = 1.2.3.4.5.7 +@@ -52,6 +52,12 @@ tsa_policy3 = 1.2.3.4.5.7 [openssl_init] providers = provider_sect +# Load default TLS policy configuration +ssl_conf = ssl_module ++alg_section = evp_properties + +[ evp_properties ] +# This section is intentionally added empty here to be tuned on particular systems diff --git a/openssl-TESTS-Disable-default-provider-crypto-policies.patch b/openssl-TESTS-Disable-default-provider-crypto-policies.patch index de884ed..6a011f0 100644 --- a/openssl-TESTS-Disable-default-provider-crypto-policies.patch +++ b/openssl-TESTS-Disable-default-provider-crypto-policies.patch @@ -2,16 +2,18 @@ Index: openssl-3.2.3/apps/openssl.cnf =================================================================== --- openssl-3.2.3.orig/apps/openssl.cnf +++ openssl-3.2.3/apps/openssl.cnf -@@ -45,7 +45,7 @@ tsa_policy3 = 1.2.3.4.5.7 +@@ -45,8 +45,8 @@ tsa_policy3 = 1.2.3.4.5.7 [openssl_init] providers = provider_sect # Load default TLS policy configuration -ssl_conf = ssl_module +-alg_section = evp_properties +##ssl_conf = ssl_module ++##alg_section = evp_properties [ evp_properties ] # This section is intentionally added empty here to be tuned on particular systems -@@ -60,20 +60,20 @@ ssl_conf = ssl_module +@@ -61,20 +61,20 @@ alg_section = evp_properties # to side-channel attacks and as such have been deprecated. [provider_sect]